{
  "type": "Domain",
  "indicator": "app-support.work",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/app-support.work",
    "alexa": "http://www.alexa.com/siteinfo/app-support.work",
    "indicator": "app-support.work",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2130330897,
      "indicator": "app-support.work",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "5d6d754babe6ca295f94cb1b",
          "name": "Credential Phishing Campaign targeting Governments",
          "description": "During its investigations and with the cooperation of multiple partners, ANSSI has discovered several clusters of malicious activity, including domain names, subdomains and email addresses, used in a large attack campaign with traces going back to 2017. The threat actor registered multiple domain names, and created several subdomains with a naming pattern revealing its potential targets.",
          "modified": "2019-09-03T06:19:04.874000",
          "created": "2019-09-02T20:02:19.049000",
          "tags": [
            "north korea",
            "kimsuky"
          ],
          "references": [
            "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf"
          ],
          "public": 1,
          "adversary": "Kimsuky",
          "targeted_countries": [
            "Poland",
            "France"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government",
            "Education",
            "NGO"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 91,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 14,
            "domain": 87,
            "FileHash-SHA256": 1,
            "hostname": 973,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "URL": 3,
            "IPv4": 18
          },
          "indicator_count": 1098,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387230,
          "modified_text": "2465 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5d5d6f5c5f0e4d2b7f5f3208",
          "name": "Suspected North Korean Cyber Espionage Campaign Targets Multiple Foreign Ministries and Think Tanks",
          "description": "Anomali researchers recently observed a site masquerading as a login page for a diplomatic portal linked to the French government. Further analysis of the threat actor\u2019s infrastructure uncovered a broader phishing campaign targeting three different countries\u2019 Ministry of Foreign Affairs agencies. Also targeted were four research-oriented organisations including: Stanford University, the Royal United Services Institute (RUSI), a United Kingdom-based think tank, Congressional Research Service (CRS), a United States-based think tank, and five different email service providers. There is an overlap of infrastructure with known North Korean actors, including the same domain and shared hosting provider. Because of the links between one of the victims and their work on North Korean sanctions, they expect to see malicious actors continue to target the international staff involved in a similar official capacity.",
          "modified": "2019-08-21T16:20:44.883000",
          "created": "2019-08-21T16:20:44.883000",
          "tags": [
            "DPRK"
          ],
          "references": [
            "https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks#When:14:00:00Z"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "France",
            "United Kingdom",
            "United States"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government",
            "Education",
            "technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 110,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 8,
            "hostname": 75,
            "domain": 4
          },
          "indicator_count": 87,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387230,
          "modified_text": "2478 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks#When:14:00:00Z",
        "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Kimsuky"
          ],
          "malware_families": [],
          "industries": [
            "Technology",
            "Ngo",
            "Government",
            "Education"
          ]
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "5d6d754babe6ca295f94cb1b",
      "name": "Credential Phishing Campaign targeting Governments",
      "description": "During its investigations and with the cooperation of multiple partners, ANSSI has discovered several clusters of malicious activity, including domain names, subdomains and email addresses, used in a large attack campaign with traces going back to 2017. The threat actor registered multiple domain names, and created several subdomains with a naming pattern revealing its potential targets.",
      "modified": "2019-09-03T06:19:04.874000",
      "created": "2019-09-02T20:02:19.049000",
      "tags": [
        "north korea",
        "kimsuky"
      ],
      "references": [
        "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf"
      ],
      "public": 1,
      "adversary": "Kimsuky",
      "targeted_countries": [
        "Poland",
        "France"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Government",
        "Education",
        "NGO"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 91,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 14,
        "domain": 87,
        "FileHash-SHA256": 1,
        "hostname": 973,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "URL": 3,
        "IPv4": 18
      },
      "indicator_count": 1098,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387230,
      "modified_text": "2465 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5d5d6f5c5f0e4d2b7f5f3208",
      "name": "Suspected North Korean Cyber Espionage Campaign Targets Multiple Foreign Ministries and Think Tanks",
      "description": "Anomali researchers recently observed a site masquerading as a login page for a diplomatic portal linked to the French government. Further analysis of the threat actor\u2019s infrastructure uncovered a broader phishing campaign targeting three different countries\u2019 Ministry of Foreign Affairs agencies. Also targeted were four research-oriented organisations including: Stanford University, the Royal United Services Institute (RUSI), a United Kingdom-based think tank, Congressional Research Service (CRS), a United States-based think tank, and five different email service providers. There is an overlap of infrastructure with known North Korean actors, including the same domain and shared hosting provider. Because of the links between one of the victims and their work on North Korean sanctions, they expect to see malicious actors continue to target the international staff involved in a similar official capacity.",
      "modified": "2019-08-21T16:20:44.883000",
      "created": "2019-08-21T16:20:44.883000",
      "tags": [
        "DPRK"
      ],
      "references": [
        "https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks#When:14:00:00Z"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "France",
        "United Kingdom",
        "United States"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Government",
        "Education",
        "technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 110,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 8,
        "hostname": 75,
        "domain": 4
      },
      "indicator_count": 87,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387230,
      "modified_text": "2478 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "app-support.work",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "app-support.work",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780524663.3622582
}