{
  "type": "Domain",
  "indicator": "apptaskserver.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/apptaskserver.com",
    "alexa": "http://www.alexa.com/siteinfo/apptaskserver.com",
    "indicator": "apptaskserver.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 1617024,
      "indicator": "apptaskserver.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "5c73a72a027c1b7031f26b36",
          "name": "Threat Campaign Likely Targeting NATO Members, Defense and Military Outlets",
          "description": "Word document found in the wild that is likely associated with the SNAKEMACKEREL (APT28/Sofacy/Fancy Bear) threat group. iDefense assesses with moderate confidence that the actors may be targeting attendees and sponsors of the upcoming Underwater Defence & Security 2019 event occurring March 5-7, 2019, in Southampton, United Kingdom. This event draws attendees from government, military and private sector entities across the globe, allowing this global event to represent a unique opportunity for SNAKEMACKEREL actors to conduct targeted intrusion operations against a wide array of organizations falling under its collection requirements.",
          "modified": "2020-11-13T00:00:32.402000",
          "created": "2019-02-25T08:28:26.206000",
          "tags": [
            "sofacy",
            "russia",
            "gru",
            "apt28",
            "fancy bear"
          ],
          "references": [
            "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
            "https://twitter.com/kyleehmke/status/1171111104149368836"
          ],
          "public": 1,
          "adversary": "Sofacy",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Military",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 194,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "FileHash-SHA256": 5,
            "hostname": 24,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 1,
            "domain": 149,
            "email": 20
          },
          "indicator_count": 203,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 376790,
          "modified_text": "1979 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5aba0db05a072b37f7ab0ab6",
          "name": "Fancy Bear Infrastructure",
          "description": "",
          "modified": "2018-08-22T10:44:26.594000",
          "created": "2018-03-27T09:23:59.998000",
          "tags": [
            "sofacy",
            "fancy bear"
          ],
          "references": [
            "https://www.threatconnect.com/blog/using-fancy-bear-ssl-certificate-information-to-identify-their-infrastructure/"
          ],
          "public": 1,
          "adversary": "Sofacy",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 89,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 46,
            "FileHash-SHA256": 1
          },
          "indicator_count": 47,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 376822,
          "modified_text": "2792 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "58540a695fb0fc4c5df265c6",
          "name": "Let It Ride: The Sofacy Group\u2019s DealersChoice Attacks Continue",
          "description": "Recently, Palo Alto Networks Unit 42 reported on a new exploitation platform that we called \u201cDealersChoice\u201d in use by the Sofacy group (AKA APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit).  As outlined in our original posting, the DealersChoice exploitation platform generates malicious RTF documents which in turn use embedded OLE Word documents. These embedded OLE Word documents then contain embedded Adobe Flash (.SWF) files that are designed to exploit Adobe Flash vulnerabilities.",
          "modified": "2016-12-16T15:40:07.581000",
          "created": "2016-12-16T15:38:17.492000",
          "tags": [
            "sofacy",
            "apt28",
            "STRONTIUM",
            "fancy bear",
            "DealersChoice",
            "flash",
            "Carberp",
            "NATO"
          ],
          "references": [
            "http://researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/"
          ],
          "public": 1,
          "adversary": "Sofacy",
          "targeted_countries": [
            "Turkey",
            "Lithuania",
            "Armenia"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "government",
            "defence"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 62,
          "upvotes_count": 1.0,
          "downvotes_count": 0.0,
          "votes_count": 1.0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 11,
            "domain": 11,
            "CVE": 2,
            "email": 3
          },
          "indicator_count": 27,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 376759,
          "modified_text": "3406 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "http://researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/",
        "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
        "https://www.threatconnect.com/blog/using-fancy-bear-ssl-certificate-information-to-identify-their-infrastructure/",
        "https://twitter.com/kyleehmke/status/1171111104149368836"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Sofacy"
          ],
          "malware_families": [],
          "industries": [
            "Military",
            "Defence",
            "Government"
          ]
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "5c73a72a027c1b7031f26b36",
      "name": "Threat Campaign Likely Targeting NATO Members, Defense and Military Outlets",
      "description": "Word document found in the wild that is likely associated with the SNAKEMACKEREL (APT28/Sofacy/Fancy Bear) threat group. iDefense assesses with moderate confidence that the actors may be targeting attendees and sponsors of the upcoming Underwater Defence & Security 2019 event occurring March 5-7, 2019, in Southampton, United Kingdom. This event draws attendees from government, military and private sector entities across the globe, allowing this global event to represent a unique opportunity for SNAKEMACKEREL actors to conduct targeted intrusion operations against a wide array of organizations falling under its collection requirements.",
      "modified": "2020-11-13T00:00:32.402000",
      "created": "2019-02-25T08:28:26.206000",
      "tags": [
        "sofacy",
        "russia",
        "gru",
        "apt28",
        "fancy bear"
      ],
      "references": [
        "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
        "https://twitter.com/kyleehmke/status/1171111104149368836"
      ],
      "public": 1,
      "adversary": "Sofacy",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Military",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 194,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2,
        "FileHash-SHA256": 5,
        "hostname": 24,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 1,
        "domain": 149,
        "email": 20
      },
      "indicator_count": 203,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 376790,
      "modified_text": "1979 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5aba0db05a072b37f7ab0ab6",
      "name": "Fancy Bear Infrastructure",
      "description": "",
      "modified": "2018-08-22T10:44:26.594000",
      "created": "2018-03-27T09:23:59.998000",
      "tags": [
        "sofacy",
        "fancy bear"
      ],
      "references": [
        "https://www.threatconnect.com/blog/using-fancy-bear-ssl-certificate-information-to-identify-their-infrastructure/"
      ],
      "public": 1,
      "adversary": "Sofacy",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 89,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 46,
        "FileHash-SHA256": 1
      },
      "indicator_count": 47,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 376822,
      "modified_text": "2792 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "58540a695fb0fc4c5df265c6",
      "name": "Let It Ride: The Sofacy Group\u2019s DealersChoice Attacks Continue",
      "description": "Recently, Palo Alto Networks Unit 42 reported on a new exploitation platform that we called \u201cDealersChoice\u201d in use by the Sofacy group (AKA APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit).  As outlined in our original posting, the DealersChoice exploitation platform generates malicious RTF documents which in turn use embedded OLE Word documents. These embedded OLE Word documents then contain embedded Adobe Flash (.SWF) files that are designed to exploit Adobe Flash vulnerabilities.",
      "modified": "2016-12-16T15:40:07.581000",
      "created": "2016-12-16T15:38:17.492000",
      "tags": [
        "sofacy",
        "apt28",
        "STRONTIUM",
        "fancy bear",
        "DealersChoice",
        "flash",
        "Carberp",
        "NATO"
      ],
      "references": [
        "http://researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/"
      ],
      "public": 1,
      "adversary": "Sofacy",
      "targeted_countries": [
        "Turkey",
        "Lithuania",
        "Armenia"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "government",
        "defence"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 62,
      "upvotes_count": 1.0,
      "downvotes_count": 0.0,
      "votes_count": 1.0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 11,
        "domain": 11,
        "CVE": 2,
        "email": 3
      },
      "indicator_count": 27,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 376759,
      "modified_text": "3406 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "apptaskserver.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "apptaskserver.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776222665.055906
}