{
  "type": "Domain",
  "indicator": "bounceclick.live",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/bounceclick.live",
    "alexa": "http://www.alexa.com/siteinfo/bounceclick.live",
    "indicator": "bounceclick.live",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3429347372,
      "indicator": "bounceclick.live",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "62b9567d4bbaf0aec8971c44",
          "name": "Energy and Power Sector Cyber Threat Intel - Key Insights (May 2022)",
          "description": "In May, an updated version of the ArguePatch malware loader was used in the Industroyer2 attack against a Ukrainian energy provider. It was used in several attack campaigns such as data wiping malware, CaddyWiper. The group behind the attacks was Sandworm APT group that regularly updates its arsenal for campaigns targeting Ukraine.\n \nOther Major Incidents\nTo target Russia, the Anonymous collective regularly targeted Russia with cyberattacks. The attacks were aimed at the state\u2019s institutions and business entities. An e-mail was discovered using a tactic where the message was delivered to a coffee company in Ukraine that was seemingly sent by an oil provider in Saudi Arabia. Pretending to be a purchase order, a PDF file image was shown in the body of the email, a link to an ISO file (GuLoader). The fluctuations in the energy market motivated the attackers to exploit the global interest.",
          "modified": "2022-07-27T00:02:05.219000",
          "created": "2022-06-27T07:04:29.931000",
          "tags": [
            "arguepatch",
            "compromise",
            "filename",
            "sha1 hash",
            "eset detection",
            "orcshred",
            "awfulshred",
            "soloshred",
            "tailjump",
            "caddywiper",
            "Energy and Power Sector"
          ],
          "references": [],
          "public": 1,
          "adversary": "Informational",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ArguePatch",
              "display_name": "ArguePatch",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SVThreatIntel",
            "id": "148120",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 11,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 11,
            "URL": 1,
            "domain": 2
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 194,
          "modified_text": "1404 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62d0726c82dfff3f11802aed",
          "name": "Spoofed Saudi Purchase Order Drops GuLoader \u2013 Part 2 | FortiGuard Labs",
          "description": "In the second part of a blog series, FortiGuard Labs examines GuLoader, a type of malware known as \u201cCloudEye\u201d and how it deploys itself to target victims.",
          "modified": "2022-07-14T19:45:48.722000",
          "created": "2022-07-14T19:45:48.722000",
          "tags": [
            "agent tesla",
            "lokibot",
            "threat research",
            "fortiguard labs",
            "social engineering",
            "fortinet",
            "guloader sample",
            "guloader",
            "formbook",
            "conclusion",
            "fortiguard",
            "antivirus"
          ],
          "references": [
            "https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lokibot",
              "display_name": "Lokibot",
              "target": null
            },
            {
              "id": "Agent Tesla",
              "display_name": "Agent Tesla",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mohdrennis",
            "id": "138092",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 10,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 28,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 355,
          "modified_text": "1416 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "628f40e740af9b831f89b8f0",
          "name": "bro4.biz CVE-2021-22941 SSL/Cert Issue",
          "description": "Have some victims",
          "modified": "2022-06-25T00:02:42.269000",
          "created": "2022-05-26T08:57:11.471000",
          "tags": [
            "date",
            "found",
            "network traffic",
            "subid",
            "zoneid",
            "zonetype",
            "malware",
            "vxstream",
            "trojan",
            "apt",
            "api key",
            "vetting process"
          ],
          "references": [
            "10.bro4.biz/",
            "http://10.bro4.biz",
            "https://hybrid-analysis.com/sample/d333cfee6301d781603eec990d427241a8bbdca0850ca006efbaabf72108d31a",
            "100/100"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 508,
            "hostname": 166,
            "domain": 89,
            "FileHash-SHA256": 52,
            "CVE": 1,
            "email": 1
          },
          "indicator_count": 817,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 392,
          "modified_text": "1436 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "628f11958c9720a493e8d3ce",
          "name": "Spoofed Saudi Purchase Order Drops GuLoader Executable to Deploy Malware Variants via Phishing Email",
          "description": "Researchers recently discovered an e-mail using a tactic where the message was delivered to a coffee company in Ukraine that an oil provider seemingly sent in Saudi Arabia. With the current fluctuations in the energy market and the related rise in prices for consumers, threat actors (TAs) are using lures to exploit the global interest.\n\nAffected platforms\nWindows.\n\nGuLoader executable\nPurporting to be a purchase order, the partial PDF file image displayed in the body of the email was actually a link to an ISO file. This file is hosted in the cloud that contained an executable for GuLoader. Also known as CloudEye and vbdropper, GuLoader dates to at least 2019. It is used to deploy malware variants like Agent Tesla, Formbook, and Lokibot.",
          "modified": "2022-05-26T05:35:17.647000",
          "created": "2022-05-26T05:35:17.647000",
          "tags": [
            "iocs filenames",
            "sha256",
            "spam url",
            "Malware",
            "GuLoader",
            "Spoofing"
          ],
          "references": [
            "https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader"
          ],
          "public": 1,
          "adversary": "Malware Advisory",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SVThreatIntel",
            "id": "148120",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 3,
            "URL": 1,
            "domain": 2
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 191,
          "modified_text": "1466 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "10.bro4.biz/",
        "https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader",
        "https://hybrid-analysis.com/sample/d333cfee6301d781603eec990d427241a8bbdca0850ca006efbaabf72108d31a",
        "https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two",
        "100/100",
        "http://10.bro4.biz"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Malware Advisory",
            "Informational"
          ],
          "malware_families": [
            "Lokibot",
            "Agent tesla",
            "Arguepatch"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "62b9567d4bbaf0aec8971c44",
      "name": "Energy and Power Sector Cyber Threat Intel - Key Insights (May 2022)",
      "description": "In May, an updated version of the ArguePatch malware loader was used in the Industroyer2 attack against a Ukrainian energy provider. It was used in several attack campaigns such as data wiping malware, CaddyWiper. The group behind the attacks was Sandworm APT group that regularly updates its arsenal for campaigns targeting Ukraine.\n \nOther Major Incidents\nTo target Russia, the Anonymous collective regularly targeted Russia with cyberattacks. The attacks were aimed at the state\u2019s institutions and business entities. An e-mail was discovered using a tactic where the message was delivered to a coffee company in Ukraine that was seemingly sent by an oil provider in Saudi Arabia. Pretending to be a purchase order, a PDF file image was shown in the body of the email, a link to an ISO file (GuLoader). The fluctuations in the energy market motivated the attackers to exploit the global interest.",
      "modified": "2022-07-27T00:02:05.219000",
      "created": "2022-06-27T07:04:29.931000",
      "tags": [
        "arguepatch",
        "compromise",
        "filename",
        "sha1 hash",
        "eset detection",
        "orcshred",
        "awfulshred",
        "soloshred",
        "tailjump",
        "caddywiper",
        "Energy and Power Sector"
      ],
      "references": [],
      "public": 1,
      "adversary": "Informational",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ArguePatch",
          "display_name": "ArguePatch",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SVThreatIntel",
        "id": "148120",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 11,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 11,
        "URL": 1,
        "domain": 2
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 194,
      "modified_text": "1404 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62d0726c82dfff3f11802aed",
      "name": "Spoofed Saudi Purchase Order Drops GuLoader \u2013 Part 2 | FortiGuard Labs",
      "description": "In the second part of a blog series, FortiGuard Labs examines GuLoader, a type of malware known as \u201cCloudEye\u201d and how it deploys itself to target victims.",
      "modified": "2022-07-14T19:45:48.722000",
      "created": "2022-07-14T19:45:48.722000",
      "tags": [
        "agent tesla",
        "lokibot",
        "threat research",
        "fortiguard labs",
        "social engineering",
        "fortinet",
        "guloader sample",
        "guloader",
        "formbook",
        "conclusion",
        "fortiguard",
        "antivirus"
      ],
      "references": [
        "https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lokibot",
          "display_name": "Lokibot",
          "target": null
        },
        {
          "id": "Agent Tesla",
          "display_name": "Agent Tesla",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "mohdrennis",
        "id": "138092",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 10,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 28,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 355,
      "modified_text": "1416 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "628f40e740af9b831f89b8f0",
      "name": "bro4.biz CVE-2021-22941 SSL/Cert Issue",
      "description": "Have some victims",
      "modified": "2022-06-25T00:02:42.269000",
      "created": "2022-05-26T08:57:11.471000",
      "tags": [
        "date",
        "found",
        "network traffic",
        "subid",
        "zoneid",
        "zonetype",
        "malware",
        "vxstream",
        "trojan",
        "apt",
        "api key",
        "vetting process"
      ],
      "references": [
        "10.bro4.biz/",
        "http://10.bro4.biz",
        "https://hybrid-analysis.com/sample/d333cfee6301d781603eec990d427241a8bbdca0850ca006efbaabf72108d31a",
        "100/100"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dorkingbeauty1",
        "id": "80137",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 508,
        "hostname": 166,
        "domain": 89,
        "FileHash-SHA256": 52,
        "CVE": 1,
        "email": 1
      },
      "indicator_count": 817,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 392,
      "modified_text": "1436 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "628f11958c9720a493e8d3ce",
      "name": "Spoofed Saudi Purchase Order Drops GuLoader Executable to Deploy Malware Variants via Phishing Email",
      "description": "Researchers recently discovered an e-mail using a tactic where the message was delivered to a coffee company in Ukraine that an oil provider seemingly sent in Saudi Arabia. With the current fluctuations in the energy market and the related rise in prices for consumers, threat actors (TAs) are using lures to exploit the global interest.\n\nAffected platforms\nWindows.\n\nGuLoader executable\nPurporting to be a purchase order, the partial PDF file image displayed in the body of the email was actually a link to an ISO file. This file is hosted in the cloud that contained an executable for GuLoader. Also known as CloudEye and vbdropper, GuLoader dates to at least 2019. It is used to deploy malware variants like Agent Tesla, Formbook, and Lokibot.",
      "modified": "2022-05-26T05:35:17.647000",
      "created": "2022-05-26T05:35:17.647000",
      "tags": [
        "iocs filenames",
        "sha256",
        "spam url",
        "Malware",
        "GuLoader",
        "Spoofing"
      ],
      "references": [
        "https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader"
      ],
      "public": 1,
      "adversary": "Malware Advisory",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SVThreatIntel",
        "id": "148120",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 3,
        "URL": 1,
        "domain": 2
      },
      "indicator_count": 12,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 191,
      "modified_text": "1466 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "bounceclick.live",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "bounceclick.live",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780205988.574529
}