{ "type": "Domain", "indicator": "barricks.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/barricks.org", "alexa": "http://www.alexa.com/siteinfo/barricks.org", "indicator": "barricks.org", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3624582837, "indicator": "barricks.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "63dbfeee919a77dec64e84c9", "name": "OneNote Documents Increasingly Used to Deliver Malware", "description": "Proofpoint researchers recently identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023.", "modified": "2023-03-04T18:01:50.354000", "created": "2023-02-02T18:20:28.978000", "tags": [ "qbot", "onenote", "doubleback", "asyncrat", "quasar", "xworm", "agenttesla", "redline", "netwire", "powershell", "lnk file" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DOUBLEBACK", "display_name": "DOUBLEBACK", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Netwire", "display_name": "Netwire", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Education", "Industrial", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 429, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 9, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 27, "hostname": 7 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 386699, "modified_text": "1184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63dbba3db89d0976b0215e5a", "name": "OneNote Documents Increasingly Used to Deliver Malware | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and brand from the latest cyber threats and security threats at a wide range of sites.", "modified": "2023-03-04T13:00:43.098000", "created": "2023-02-02T13:27:25.874000", "tags": [ "qbot", "onenote", "doubleback", "asyncrat", "bec", "quasar", "xworm", "january", "sha256", "december", "proofpoint", "asyncrat c2", "english", "ta577", "quasar rat", "agenttesla", "redline", "netwire", "protect", "small", "tools", "february", "virustotal", "christmas", "powershell", "quasarrat", "download", "open", "wind", "demo" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "BEC", "display_name": "BEC", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DOUBLEBACK", "display_name": "DOUBLEBACK", "target": null }, { "id": "OneNote", "display_name": "OneNote", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Education", "Industrial", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 8, "URL": 40, "domain": 17, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 27 }, "indicator_count": 94, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63dabad25d22ffe348071e47", "name": "OneNote Documents Increasingly Used to Deliver Malware | Proofpoint UK", "description": "Proofpoint researchers recently identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023. OneNote is a digital notebook created by Microsoft and available via the Microsoft 365 product suite. Proofpoint has observed threat actors deliver malware via OneNote documents, which are .one extensions, via email attachments and URLs.", "modified": "2023-03-03T19:01:18.095000", "created": "2023-02-01T19:17:38.250000", "tags": [ "qbot", "onenote", "doubleback", "asyncrat", "bec", "quasar", "xworm", "asyncrat c2", "ta577", "quasar rat", "agenttesla", "redline", "tools", "powershell", "quasarrat" ], "references": [ "https://www.proofpoint.com/uk/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "BEC", "display_name": "BEC", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DOUBLEBACK", "display_name": "DOUBLEBACK", "target": null }, { "id": "OneNote", "display_name": "OneNote", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Education", "Industrial", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sbik_intel", "id": "210787", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 40, "domain": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 27, "hostname": 7 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "1185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware", "https://www.proofpoint.com/uk/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware" ], "related": { "alienvault": { "adversary": [ "TA577" ], "malware_families": [ "Asyncrat", "Netwire", "Qbot", "Quasar", "Xworm", "Redline", "Doubleback" ], "industries": [ "Education", "Manufacturing", "Industrial" ] }, "other": { "adversary": [ "TA577" ], "malware_families": [ "Asyncrat", "Qbot", "Onenote", "Quasar", "Bec", "Xworm", "Doubleback" ], "industries": [ "Education", "Manufacturing", "Industrial" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "63dbfeee919a77dec64e84c9", "name": "OneNote Documents Increasingly Used to Deliver Malware", "description": "Proofpoint researchers recently identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023.", "modified": "2023-03-04T18:01:50.354000", "created": "2023-02-02T18:20:28.978000", "tags": [ "qbot", "onenote", "doubleback", "asyncrat", "quasar", "xworm", "agenttesla", "redline", "netwire", "powershell", "lnk file" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DOUBLEBACK", "display_name": "DOUBLEBACK", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Netwire", "display_name": "Netwire", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Education", "Industrial", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 429, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 9, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 27, "hostname": 7 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 386699, "modified_text": "1184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63dbba3db89d0976b0215e5a", "name": "OneNote Documents Increasingly Used to Deliver Malware | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and brand from the latest cyber threats and security threats at a wide range of sites.", "modified": "2023-03-04T13:00:43.098000", "created": "2023-02-02T13:27:25.874000", "tags": [ "qbot", "onenote", "doubleback", "asyncrat", "bec", "quasar", "xworm", "january", "sha256", "december", "proofpoint", "asyncrat c2", "english", "ta577", "quasar rat", "agenttesla", "redline", "netwire", "protect", "small", "tools", "february", "virustotal", "christmas", "powershell", "quasarrat", "download", "open", "wind", "demo" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "BEC", "display_name": "BEC", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DOUBLEBACK", "display_name": "DOUBLEBACK", "target": null }, { "id": "OneNote", "display_name": "OneNote", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Education", "Industrial", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 8, "URL": 40, "domain": 17, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 27 }, "indicator_count": 94, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63dabad25d22ffe348071e47", "name": "OneNote Documents Increasingly Used to Deliver Malware | Proofpoint UK", "description": "Proofpoint researchers recently identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023. OneNote is a digital notebook created by Microsoft and available via the Microsoft 365 product suite. Proofpoint has observed threat actors deliver malware via OneNote documents, which are .one extensions, via email attachments and URLs.", "modified": "2023-03-03T19:01:18.095000", "created": "2023-02-01T19:17:38.250000", "tags": [ "qbot", "onenote", "doubleback", "asyncrat", "bec", "quasar", "xworm", "asyncrat c2", "ta577", "quasar rat", "agenttesla", "redline", "tools", "powershell", "quasarrat" ], "references": [ "https://www.proofpoint.com/uk/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "BEC", "display_name": "BEC", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DOUBLEBACK", "display_name": "DOUBLEBACK", "target": null }, { "id": "OneNote", "display_name": "OneNote", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Education", "Industrial", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sbik_intel", "id": "210787", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 40, "domain": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 27, "hostname": 7 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "1185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "barricks.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "barricks.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780326683.8166108 }