{ "type": "Domain", "indicator": "cdn-googleapi.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cdn-googleapi.com", "alexa": "http://www.alexa.com/siteinfo/cdn-googleapi.com", "indicator": "cdn-googleapi.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 888819124, "indicator": "cdn-googleapi.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "5b61f47f4ed88a31e35493db", "name": "On the Hunt for FIN7", "description": "On Aug. 1, 2018, the United States District Attorney\u2019s Office for the Western District of Washington unsealed indictments and announced the arrests of three individuals within the leadership ranks of a criminal organization that aligns with activity we have tracked since 2015 as FIN7. These malicious actors are members of one of the most prolific financial threat groups of this decade, having carefully crafted attacks targeted at more than 100 organizations. FIN7 is referred to by many vendors as \u201cCarbanak Group,\u201d although we do not equate all usage of the CARBANAK backdoor with FIN7. This blog explores the range of FIN7's criminal ventures, the technical innovation and social engineering ingenuity that powered their success, a glimpse into their recent campaigns, their apparent use of a security company as a front for criminal operations, and what their success means for the threat landscape moving forward.", "modified": "2020-12-04T15:24:32.306000", "created": "2018-08-01T17:57:19.394000", "tags": [ "FIN7" ], "references": [ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" ], "public": 1, "adversary": "FIN7", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "hospitality", "Education", "Construction", "energy", "retail", "Finance", "Telecommunications", "High-tech", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 336, "FileHash-MD5": 167, "YARA": 1, "FileHash-SHA256": 15 }, "indicator_count": 519, "is_author": false, "is_subscribing": null, "subscriber_count": 386746, "modified_text": "2004 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5d9620fe94859e82197a1750", "name": "Magecart Group 4: A link with Cobalt Group?", "description": "Magecart is a term that has become a household name, and it refers to the theft of credit card data via online stores. The most common scenario is for criminals to compromise e-commerce sites by injecting rogue JavaScript code designed to steal any information entered by victims on the checkout page.", "modified": "2019-10-03T16:25:34.329000", "created": "2019-10-03T16:25:34.329000", "tags": [ "Magecart" ], "references": [ "https://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/" ], "public": 1, "adversary": "Magecart", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Retail" ], "TLP": "white", "cloned_from": null, "export_count": 99, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 19, "URL": 95, "IPv6": 1, "hostname": 24, "FileHash-SHA256": 1, "domain": 56 }, "indicator_count": 196, "is_author": false, "is_subscribing": null, "subscriber_count": 386669, "modified_text": "2432 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5cd2ab4fa31b77a6a4c0a84f", "name": "FIN7.5 the infamous cybercrime rig FIN7 continues its activities", "description": "On August 1, 2018, the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig. FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015. Interestingly, this threat actor created fake companies in order to hire remote pentesters, developers and interpreters to participate in their malicious business. The main goal behind its malicious activities was to steal financial assets from companies, such as debit cards, or get access to financial data or computers of finance department employees in order to conduct wire transfers to offshore accounts.", "modified": "2019-05-23T08:40:10.199000", "created": "2019-05-08T10:11:26.836000", "tags": [ "fin7", "carbanak" ], "references": [ "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", "https://twitter.com/HONKONE_K/status/1131432019940917248" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 70, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "domain": 47, "hostname": 6, "FileHash-MD5": 1 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 386683, "modified_text": "2565 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5b69d37292f5ac2b98346cf3", "name": "FIN7 Recent Bateleur Malware Campaigns", "description": "While much reporting indicates that APT cyberattacks are espionage\nmotivated, financially motivated cyber criminals have also been stepping\nup their game since as early as 2013. Using TTPs akin to their espionage\ncounterparts, groups such as Cobalt Group and FIN7 have been targeting\nlarge financial institutions and restaurant chains with much success. The\nCobalt Group alone is said to be responsible for causing 1 billion euros\nworth (US$1.17 billion) of damage to the financial sector.", "modified": "2018-11-22T08:52:20.561000", "created": "2018-08-07T17:14:26.937000", "tags": [ "fin7", "Bateleur" ], "references": [ "https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf", "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign" ], "public": 1, "adversary": "FIN7", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "email": 1, "domain": 5, "URL": 4, "hostname": 1, "FileHash-SHA256": 2 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 386709, "modified_text": "2747 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707afb9b990a36c7e4dcd0", "name": "On the Hunt for FIN7", "description": "", "modified": "2023-12-06T13:45:31.089000", "created": "2023-12-06T13:45:31.089000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 336, "FileHash-MD5": 167, "YARA": 1, "FileHash-SHA256": 15 }, "indicator_count": 519, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", "https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf", "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/", "https://twitter.com/HONKONE_K/status/1131432019940917248", "https://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/" ], "related": { "alienvault": { "adversary": [ "Magecart", "FIN7" ], "malware_families": [], "industries": [ "Government", "Retail", "Construction", "Energy", "Finance", "High-tech", "Telecommunications", "Education", "Hospitality" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "5b61f47f4ed88a31e35493db", "name": "On the Hunt for FIN7", "description": "On Aug. 1, 2018, the United States District Attorney\u2019s Office for the Western District of Washington unsealed indictments and announced the arrests of three individuals within the leadership ranks of a criminal organization that aligns with activity we have tracked since 2015 as FIN7. These malicious actors are members of one of the most prolific financial threat groups of this decade, having carefully crafted attacks targeted at more than 100 organizations. FIN7 is referred to by many vendors as \u201cCarbanak Group,\u201d although we do not equate all usage of the CARBANAK backdoor with FIN7. This blog explores the range of FIN7's criminal ventures, the technical innovation and social engineering ingenuity that powered their success, a glimpse into their recent campaigns, their apparent use of a security company as a front for criminal operations, and what their success means for the threat landscape moving forward.", "modified": "2020-12-04T15:24:32.306000", "created": "2018-08-01T17:57:19.394000", "tags": [ "FIN7" ], "references": [ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" ], "public": 1, "adversary": "FIN7", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "hospitality", "Education", "Construction", "energy", "retail", "Finance", "Telecommunications", "High-tech", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 336, "FileHash-MD5": 167, "YARA": 1, "FileHash-SHA256": 15 }, "indicator_count": 519, "is_author": false, "is_subscribing": null, "subscriber_count": 386746, "modified_text": "2004 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5d9620fe94859e82197a1750", "name": "Magecart Group 4: A link with Cobalt Group?", "description": "Magecart is a term that has become a household name, and it refers to the theft of credit card data via online stores. The most common scenario is for criminals to compromise e-commerce sites by injecting rogue JavaScript code designed to steal any information entered by victims on the checkout page.", "modified": "2019-10-03T16:25:34.329000", "created": "2019-10-03T16:25:34.329000", "tags": [ "Magecart" ], "references": [ "https://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/" ], "public": 1, "adversary": "Magecart", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Retail" ], "TLP": "white", "cloned_from": null, "export_count": 99, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 19, "URL": 95, "IPv6": 1, "hostname": 24, "FileHash-SHA256": 1, "domain": 56 }, "indicator_count": 196, "is_author": false, "is_subscribing": null, "subscriber_count": 386669, "modified_text": "2432 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5cd2ab4fa31b77a6a4c0a84f", "name": "FIN7.5 the infamous cybercrime rig FIN7 continues its activities", "description": "On August 1, 2018, the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig. FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015. Interestingly, this threat actor created fake companies in order to hire remote pentesters, developers and interpreters to participate in their malicious business. The main goal behind its malicious activities was to steal financial assets from companies, such as debit cards, or get access to financial data or computers of finance department employees in order to conduct wire transfers to offshore accounts.", "modified": "2019-05-23T08:40:10.199000", "created": "2019-05-08T10:11:26.836000", "tags": [ "fin7", "carbanak" ], "references": [ "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", "https://twitter.com/HONKONE_K/status/1131432019940917248" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 70, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "domain": 47, "hostname": 6, "FileHash-MD5": 1 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 386683, "modified_text": "2565 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5b69d37292f5ac2b98346cf3", "name": "FIN7 Recent Bateleur Malware Campaigns", "description": "While much reporting indicates that APT cyberattacks are espionage\nmotivated, financially motivated cyber criminals have also been stepping\nup their game since as early as 2013. Using TTPs akin to their espionage\ncounterparts, groups such as Cobalt Group and FIN7 have been targeting\nlarge financial institutions and restaurant chains with much success. The\nCobalt Group alone is said to be responsible for causing 1 billion euros\nworth (US$1.17 billion) of damage to the financial sector.", "modified": "2018-11-22T08:52:20.561000", "created": "2018-08-07T17:14:26.937000", "tags": [ "fin7", "Bateleur" ], "references": [ "https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf", "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign" ], "public": 1, "adversary": "FIN7", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "email": 1, "domain": 5, "URL": 4, "hostname": 1, "FileHash-SHA256": 2 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 386709, "modified_text": "2747 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707afb9b990a36c7e4dcd0", "name": "On the Hunt for FIN7", "description": "", "modified": "2023-12-06T13:45:31.089000", "created": "2023-12-06T13:45:31.089000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 336, "FileHash-MD5": 167, "YARA": 1, "FileHash-SHA256": 15 }, "indicator_count": 519, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cdn-googleapi.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cdn-googleapi.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780301806.3070421 }