{ "type": "Domain", "indicator": "google4-ssl.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/google4-ssl.com", "alexa": "http://www.alexa.com/siteinfo/google4-ssl.com", "indicator": "google4-ssl.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 1793350, "indicator": "google4-ssl.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "5b61f47f4ed88a31e35493db", "name": "On the Hunt for FIN7", "description": "On Aug. 1, 2018, the United States District Attorney\u2019s Office for the Western District of Washington unsealed indictments and announced the arrests of three individuals within the leadership ranks of a criminal organization that aligns with activity we have tracked since 2015 as FIN7. These malicious actors are members of one of the most prolific financial threat groups of this decade, having carefully crafted attacks targeted at more than 100 organizations. FIN7 is referred to by many vendors as \u201cCarbanak Group,\u201d although we do not equate all usage of the CARBANAK backdoor with FIN7. This blog explores the range of FIN7's criminal ventures, the technical innovation and social engineering ingenuity that powered their success, a glimpse into their recent campaigns, their apparent use of a security company as a front for criminal operations, and what their success means for the threat landscape moving forward.", "modified": "2020-12-04T15:24:32.306000", "created": "2018-08-01T17:57:19.394000", "tags": [ "FIN7" ], "references": [ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" ], "public": 1, "adversary": "FIN7", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "hospitality", "Education", "Construction", "energy", "retail", "Finance", "Telecommunications", "High-tech", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 336, "FileHash-MD5": 167, "YARA": 1, "FileHash-SHA256": 15 }, "indicator_count": 519, "is_author": false, "is_subscribing": null, "subscriber_count": 386747, "modified_text": "2004 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5873d8c98b9df17ba207bbb4", "name": "The Digital Plagiarist Campaign: TelePorting the Carbanak Crew to a New Dimension", "description": "Over the past few months, the tr1adx team has been tracking a Threat Actor which we codenamed "TelePort Crew".\nWe believe the TelePort Crew Threat Actor is operating out of Russia or Eastern Europe with the groups major motivations appearing to be financial in nature through cybercrime and/or corporate espionage.\nWe have dubbed the groups latest campaign Digital Plagiarist for its signature practice of mirroring legitimate sites (using Tenmaxs TelePort Pro and TelePort Ultra site mirroring software) onto similarly named domains, on which the TelePort Crew would host and serve up malware laden Office documents.\nThe Threat Actor would then craft specific spear phishing emails to direct their targets to visit the malicious web sites and open the malware laden documents.\nCorerrelation of the TelePort Crews TTPs and infrastructure leads us to believe the group is closely affiliated with, and may in fact be, the Carbanak Threat Actor.", "modified": "2017-08-30T17:34:49.513000", "created": "2017-01-09T18:39:04.932000", "tags": [ "TelePort Ultra", "office", "word", "spearphishing", "tr1adx" ], "references": [ "https://www.tr1adx.net/intel/TIB-00002.html" ], "public": 1, "adversary": "Anunak", "targeted_countries": [ "Australia", "United Kingdom", "United States", "Ireland", "Switzerland", "Bahamas" ], "malware_families": [], "attack_ids": [], "industries": [ "Hospitality", "Restaurant Chains", "Food Production", "Nutritional Supplements", "Agriculture", "BioTechnology", "Marketing / Public Relations", "Manufacturing", "Logistics", "Software Development", "Utilities & Electric", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 27, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 386734, "modified_text": "3196 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707afb9b990a36c7e4dcd0", "name": "On the Hunt for FIN7", "description": "", "modified": "2023-12-06T13:45:31.089000", "created": "2023-12-06T13:45:31.089000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 336, "FileHash-MD5": 167, "YARA": 1, "FileHash-SHA256": 15 }, "indicator_count": 519, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/", "https://www.tr1adx.net/intel/TIB-00002.html", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" ], "related": { "alienvault": { "adversary": [ "Anunak", "FIN7" ], "malware_families": [], "industries": [ "High-tech", "Nutritional supplements", "Manufacturing", "Hospitality", "Finance", "Education", "Utilities & electric", "Biotechnology", "Marketing / public relations", "Logistics", "Government", "Retail", "Agriculture", "Telecommunications", "Energy", "Food production", "Restaurant chains", "Software development", "Construction" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "5b61f47f4ed88a31e35493db", "name": "On the Hunt for FIN7", "description": "On Aug. 1, 2018, the United States District Attorney\u2019s Office for the Western District of Washington unsealed indictments and announced the arrests of three individuals within the leadership ranks of a criminal organization that aligns with activity we have tracked since 2015 as FIN7. These malicious actors are members of one of the most prolific financial threat groups of this decade, having carefully crafted attacks targeted at more than 100 organizations. FIN7 is referred to by many vendors as \u201cCarbanak Group,\u201d although we do not equate all usage of the CARBANAK backdoor with FIN7. This blog explores the range of FIN7's criminal ventures, the technical innovation and social engineering ingenuity that powered their success, a glimpse into their recent campaigns, their apparent use of a security company as a front for criminal operations, and what their success means for the threat landscape moving forward.", "modified": "2020-12-04T15:24:32.306000", "created": "2018-08-01T17:57:19.394000", "tags": [ "FIN7" ], "references": [ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" ], "public": 1, "adversary": "FIN7", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "hospitality", "Education", "Construction", "energy", "retail", "Finance", "Telecommunications", "High-tech", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 336, "FileHash-MD5": 167, "YARA": 1, "FileHash-SHA256": 15 }, "indicator_count": 519, "is_author": false, "is_subscribing": null, "subscriber_count": 386747, "modified_text": "2004 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5873d8c98b9df17ba207bbb4", "name": "The Digital Plagiarist Campaign: TelePorting the Carbanak Crew to a New Dimension", "description": "Over the past few months, the tr1adx team has been tracking a Threat Actor which we codenamed "TelePort Crew".\nWe believe the TelePort Crew Threat Actor is operating out of Russia or Eastern Europe with the groups major motivations appearing to be financial in nature through cybercrime and/or corporate espionage.\nWe have dubbed the groups latest campaign Digital Plagiarist for its signature practice of mirroring legitimate sites (using Tenmaxs TelePort Pro and TelePort Ultra site mirroring software) onto similarly named domains, on which the TelePort Crew would host and serve up malware laden Office documents.\nThe Threat Actor would then craft specific spear phishing emails to direct their targets to visit the malicious web sites and open the malware laden documents.\nCorerrelation of the TelePort Crews TTPs and infrastructure leads us to believe the group is closely affiliated with, and may in fact be, the Carbanak Threat Actor.", "modified": "2017-08-30T17:34:49.513000", "created": "2017-01-09T18:39:04.932000", "tags": [ "TelePort Ultra", "office", "word", "spearphishing", "tr1adx" ], "references": [ "https://www.tr1adx.net/intel/TIB-00002.html" ], "public": 1, "adversary": "Anunak", "targeted_countries": [ "Australia", "United Kingdom", "United States", "Ireland", "Switzerland", "Bahamas" ], "malware_families": [], "attack_ids": [], "industries": [ "Hospitality", "Restaurant Chains", "Food Production", "Nutritional Supplements", "Agriculture", "BioTechnology", "Marketing / Public Relations", "Manufacturing", "Logistics", "Software Development", "Utilities & Electric", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 27, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 386734, "modified_text": "3196 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707afb9b990a36c7e4dcd0", "name": "On the Hunt for FIN7", "description": "", "modified": "2023-12-06T13:45:31.089000", "created": "2023-12-06T13:45:31.089000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 336, "FileHash-MD5": 167, "YARA": 1, "FileHash-SHA256": 15 }, "indicator_count": 519, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "google4-ssl.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "google4-ssl.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780302645.2807348 }