{ "type": "Domain", "indicator": "google2-ssl.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/google2-ssl.com", "alexa": "http://www.alexa.com/siteinfo/google2-ssl.com", "indicator": "google2-ssl.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 1793339, "indicator": "google2-ssl.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "5873d8c98b9df17ba207bbb4", "name": "The Digital Plagiarist Campaign: TelePorting the Carbanak Crew to a New Dimension", "description": "Over the past few months, the tr1adx team has been tracking a Threat Actor which we codenamed "TelePort Crew".\nWe believe the TelePort Crew Threat Actor is operating out of Russia or Eastern Europe with the groups major motivations appearing to be financial in nature through cybercrime and/or corporate espionage.\nWe have dubbed the groups latest campaign Digital Plagiarist for its signature practice of mirroring legitimate sites (using Tenmaxs TelePort Pro and TelePort Ultra site mirroring software) onto similarly named domains, on which the TelePort Crew would host and serve up malware laden Office documents.\nThe Threat Actor would then craft specific spear phishing emails to direct their targets to visit the malicious web sites and open the malware laden documents.\nCorerrelation of the TelePort Crews TTPs and infrastructure leads us to believe the group is closely affiliated with, and may in fact be, the Carbanak Threat Actor.", "modified": "2017-08-30T17:34:49.513000", "created": "2017-01-09T18:39:04.932000", "tags": [ "TelePort Ultra", "office", "word", "spearphishing", "tr1adx" ], "references": [ "https://www.tr1adx.net/intel/TIB-00002.html" ], "public": 1, "adversary": "Anunak", "targeted_countries": [ "Australia", "United Kingdom", "United States", "Ireland", "Switzerland", "Bahamas" ], "malware_families": [], "attack_ids": [], "industries": [ "Hospitality", "Restaurant Chains", "Food Production", "Nutritional Supplements", "Agriculture", "BioTechnology", "Marketing / Public Relations", "Manufacturing", "Logistics", "Software Development", "Utilities & Electric", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 27, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 386810, "modified_text": "3196 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.tr1adx.net/intel/TIB-00002.html" ], "related": { "alienvault": { "adversary": [ "Anunak" ], "malware_families": [], "industries": [ "Software development", "Agriculture", "Logistics", "Biotechnology", "Manufacturing", "Restaurant chains", "Marketing / public relations", "Nutritional supplements", "Utilities & electric", "Hospitality", "Government", "Food production" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "5873d8c98b9df17ba207bbb4", "name": "The Digital Plagiarist Campaign: TelePorting the Carbanak Crew to a New Dimension", "description": "Over the past few months, the tr1adx team has been tracking a Threat Actor which we codenamed "TelePort Crew".\nWe believe the TelePort Crew Threat Actor is operating out of Russia or Eastern Europe with the groups major motivations appearing to be financial in nature through cybercrime and/or corporate espionage.\nWe have dubbed the groups latest campaign Digital Plagiarist for its signature practice of mirroring legitimate sites (using Tenmaxs TelePort Pro and TelePort Ultra site mirroring software) onto similarly named domains, on which the TelePort Crew would host and serve up malware laden Office documents.\nThe Threat Actor would then craft specific spear phishing emails to direct their targets to visit the malicious web sites and open the malware laden documents.\nCorerrelation of the TelePort Crews TTPs and infrastructure leads us to believe the group is closely affiliated with, and may in fact be, the Carbanak Threat Actor.", "modified": "2017-08-30T17:34:49.513000", "created": "2017-01-09T18:39:04.932000", "tags": [ "TelePort Ultra", "office", "word", "spearphishing", "tr1adx" ], "references": [ "https://www.tr1adx.net/intel/TIB-00002.html" ], "public": 1, "adversary": "Anunak", "targeted_countries": [ "Australia", "United Kingdom", "United States", "Ireland", "Switzerland", "Bahamas" ], "malware_families": [], "attack_ids": [], "industries": [ "Hospitality", "Restaurant Chains", "Food Production", "Nutritional Supplements", "Agriculture", "BioTechnology", "Marketing / Public Relations", "Manufacturing", "Logistics", "Software Development", "Utilities & Electric", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 27, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 386810, "modified_text": "3196 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "google2-ssl.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "google2-ssl.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780334873.6903083 }