{
  "type": "Domain",
  "indicator": "clients2-google.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/clients2-google.com",
    "alexa": "http://www.alexa.com/siteinfo/clients2-google.com",
    "indicator": "clients2-google.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 678689,
      "indicator": "clients2-google.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "5b61f47f4ed88a31e35493db",
          "name": "On the Hunt for FIN7",
          "description": "On Aug. 1, 2018, the United States District Attorney\u2019s Office for the Western District of Washington unsealed indictments and announced the arrests of three individuals within the leadership ranks of a criminal organization that aligns with activity we have tracked since 2015 as FIN7. These malicious actors are members of one of the most prolific financial threat groups of this decade, having carefully crafted attacks targeted at more than 100 organizations. FIN7 is referred to by many vendors as \u201cCarbanak Group,\u201d although we do not equate all usage of the CARBANAK backdoor with FIN7. This blog explores the range of FIN7's criminal ventures, the technical innovation and social engineering ingenuity that powered their success, a glimpse into their recent campaigns, their apparent use of a security company as a front for criminal operations, and what their success means for the threat landscape moving forward.",
          "modified": "2020-12-04T15:24:32.306000",
          "created": "2018-08-01T17:57:19.394000",
          "tags": [
            "FIN7"
          ],
          "references": [
            "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
            "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/"
          ],
          "public": 1,
          "adversary": "FIN7",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "hospitality",
            "Education",
            "Construction",
            "energy",
            "retail",
            "Finance",
            "Telecommunications",
            "High-tech",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 89,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 336,
            "FileHash-MD5": 167,
            "YARA": 1,
            "FileHash-SHA256": 15
          },
          "indicator_count": 519,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386687,
          "modified_text": "2004 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "57afef900fee2901359fe75b",
          "name": "Visa Alert and Update on the Oracle MICROS Breach",
          "description": "Credit card industry giant Visa on Friday issued a security alert warning companies using point-of-sale devices made by Oracle\u2019s MICROS retail unit to double-check the machines for malicious software or unusual network activity, and to change passwords on the devices. Visa also published a list of Internet addresses that may have been involved in the Oracle breach and are thought to be closely tied to an Eastern European organized cybercrime gang.",
          "modified": "2016-08-14T04:12:00.026000",
          "created": "2016-08-14T04:12:00.026000",
          "tags": [
            "micros",
            "oracle",
            "visa",
            "pos",
            "point of sales",
            "Carbanak",
            "MalumPOS"
          ],
          "references": [
            "http://krebsonsecurity.com/wp-content/uploads/2016/08/Visa-PFD-MICROS-Alert-12AUG16.pdf",
            "http://krebsonsecurity.com/2016/08/visa-alert-and-update-on-the-oracle-breach/"
          ],
          "public": 1,
          "adversary": null,
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 56,
          "upvotes_count": 1.0,
          "downvotes_count": 0.0,
          "votes_count": 1.0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 11,
            "FileHash-SHA1": 7
          },
          "indicator_count": 18,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386596,
          "modified_text": "3577 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65707afb9b990a36c7e4dcd0",
          "name": "On the Hunt for FIN7",
          "description": "",
          "modified": "2023-12-06T13:45:31.089000",
          "created": "2023-12-06T13:45:31.089000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 336,
            "FileHash-MD5": 167,
            "YARA": 1,
            "FileHash-SHA256": 15
          },
          "indicator_count": 519,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
        "http://krebsonsecurity.com/wp-content/uploads/2016/08/Visa-PFD-MICROS-Alert-12AUG16.pdf",
        "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/",
        "http://krebsonsecurity.com/2016/08/visa-alert-and-update-on-the-oracle-breach/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "FIN7"
          ],
          "malware_families": [],
          "industries": [
            "Finance",
            "Hospitality",
            "Government",
            "High-tech",
            "Energy",
            "Telecommunications",
            "Retail",
            "Education",
            "Construction"
          ]
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "5b61f47f4ed88a31e35493db",
      "name": "On the Hunt for FIN7",
      "description": "On Aug. 1, 2018, the United States District Attorney\u2019s Office for the Western District of Washington unsealed indictments and announced the arrests of three individuals within the leadership ranks of a criminal organization that aligns with activity we have tracked since 2015 as FIN7. These malicious actors are members of one of the most prolific financial threat groups of this decade, having carefully crafted attacks targeted at more than 100 organizations. FIN7 is referred to by many vendors as \u201cCarbanak Group,\u201d although we do not equate all usage of the CARBANAK backdoor with FIN7. This blog explores the range of FIN7's criminal ventures, the technical innovation and social engineering ingenuity that powered their success, a glimpse into their recent campaigns, their apparent use of a security company as a front for criminal operations, and what their success means for the threat landscape moving forward.",
      "modified": "2020-12-04T15:24:32.306000",
      "created": "2018-08-01T17:57:19.394000",
      "tags": [
        "FIN7"
      ],
      "references": [
        "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
        "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/"
      ],
      "public": 1,
      "adversary": "FIN7",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "hospitality",
        "Education",
        "Construction",
        "energy",
        "retail",
        "Finance",
        "Telecommunications",
        "High-tech",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 89,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 336,
        "FileHash-MD5": 167,
        "YARA": 1,
        "FileHash-SHA256": 15
      },
      "indicator_count": 519,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386687,
      "modified_text": "2004 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "57afef900fee2901359fe75b",
      "name": "Visa Alert and Update on the Oracle MICROS Breach",
      "description": "Credit card industry giant Visa on Friday issued a security alert warning companies using point-of-sale devices made by Oracle\u2019s MICROS retail unit to double-check the machines for malicious software or unusual network activity, and to change passwords on the devices. Visa also published a list of Internet addresses that may have been involved in the Oracle breach and are thought to be closely tied to an Eastern European organized cybercrime gang.",
      "modified": "2016-08-14T04:12:00.026000",
      "created": "2016-08-14T04:12:00.026000",
      "tags": [
        "micros",
        "oracle",
        "visa",
        "pos",
        "point of sales",
        "Carbanak",
        "MalumPOS"
      ],
      "references": [
        "http://krebsonsecurity.com/wp-content/uploads/2016/08/Visa-PFD-MICROS-Alert-12AUG16.pdf",
        "http://krebsonsecurity.com/2016/08/visa-alert-and-update-on-the-oracle-breach/"
      ],
      "public": 1,
      "adversary": null,
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 56,
      "upvotes_count": 1.0,
      "downvotes_count": 0.0,
      "votes_count": 1.0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 11,
        "FileHash-SHA1": 7
      },
      "indicator_count": 18,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386596,
      "modified_text": "3577 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65707afb9b990a36c7e4dcd0",
      "name": "On the Hunt for FIN7",
      "description": "",
      "modified": "2023-12-06T13:45:31.089000",
      "created": "2023-12-06T13:45:31.089000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 336,
        "FileHash-MD5": 167,
        "YARA": 1,
        "FileHash-SHA256": 15
      },
      "indicator_count": 519,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 110,
      "modified_text": "907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "clients2-google.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "clients2-google.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780264941.9159355
}