{
  "type": "URL",
  "indicator": "http://46.17.97.37/Servermac.php",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "http://46.17.97.37/Servermac.php",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 2322518,
      "indicator": "http://46.17.97.37/Servermac.php",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "5898b01819378c100b653e63",
          "name": "IKITTENS: IRANIAN ACTOR RESURFACES WITH MALWARE FOR MAC (MACDOWNLOADER)",
          "description": "A macOS malware agent, named MacDownloader, was observed in the wild targeting the defense industrial base, and was reported elsewhere to have been used against a human rights advocate. MacDownloader strangely attempts to pose as both an installer for Adobe Flash and the Bitdefender Adware Removal Tool, in order to extract system information and copies of OS X keychain databases. Based on observations on infrastructure, and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work. Instead, MacDownloader is a simple exfiltration agent, with broader ambitions.",
          "modified": "2017-02-06T17:22:32.238000",
          "created": "2017-02-06T17:19:19.674000",
          "tags": [
            "MacDownloader",
            "macosx",
            "iran",
            "sayad",
            "stealer",
            "malware",
            "iranthreats"
          ],
          "references": [
            "https://iranthreats.github.io/resources/macdownloader-macos-malware/"
          ],
          "public": 1,
          "adversary": "Charming Kitten",
          "targeted_countries": [
            "Iran, Islamic Republic of"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 53,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "hostname": 1,
            "domain": 1,
            "URL": 1
          },
          "indicator_count": 5,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386641,
          "modified_text": "3401 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "62da2d1813167f78ac4ac9a7",
          "name": "iKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader)",
          "description": "An Iranian state-sponsored cyber-espionage group is believed to be developing an agent that targets Apple computers and the human rights community, according to research published by the BBC's Iran Threats team.",
          "modified": "2022-08-20T00:02:32.698000",
          "created": "2022-07-22T04:52:40.117000",
          "tags": [
            "macos",
            "flying kitten",
            "iran",
            "keychains",
            "zenderod",
            "malware"
          ],
          "references": [
            "https://iranthreats.github.io/resources/macdownloader-macos-malware/"
          ],
          "public": 1,
          "adversary": "Cyber Security",
          "targeted_countries": [
            "Iran, Islamic Republic of"
          ],
          "malware_families": [
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "ExtremeDownloader",
              "display_name": "ExtremeDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            }
          ],
          "industries": [
            "Industrial",
            "Defense",
            "Human Rights"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 2,
            "URL": 2,
            "domain": 3,
            "email": 2,
            "hostname": 1
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "1381 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://iranthreats.github.io/resources/macdownloader-macos-malware/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Charming Kitten"
          ],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 5
        },
        "other": {
          "adversary": [
            "Cyber Security"
          ],
          "malware_families": [
            "Extremedownloader",
            "Macos",
            "Windows"
          ],
          "industries": [
            "Industrial",
            "Human rights",
            "Defense"
          ],
          "unique_indicators": 13
        }
      }
    },
    "false_positive": [],
    "alexa": "",
    "whois": "http://whois.domaintools.com/46.17.97.37",
    "domain": "Unavailable",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "5898b01819378c100b653e63",
      "name": "IKITTENS: IRANIAN ACTOR RESURFACES WITH MALWARE FOR MAC (MACDOWNLOADER)",
      "description": "A macOS malware agent, named MacDownloader, was observed in the wild targeting the defense industrial base, and was reported elsewhere to have been used against a human rights advocate. MacDownloader strangely attempts to pose as both an installer for Adobe Flash and the Bitdefender Adware Removal Tool, in order to extract system information and copies of OS X keychain databases. Based on observations on infrastructure, and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work. Instead, MacDownloader is a simple exfiltration agent, with broader ambitions.",
      "modified": "2017-02-06T17:22:32.238000",
      "created": "2017-02-06T17:19:19.674000",
      "tags": [
        "MacDownloader",
        "macosx",
        "iran",
        "sayad",
        "stealer",
        "malware",
        "iranthreats"
      ],
      "references": [
        "https://iranthreats.github.io/resources/macdownloader-macos-malware/"
      ],
      "public": 1,
      "adversary": "Charming Kitten",
      "targeted_countries": [
        "Iran, Islamic Republic of"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 53,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 2,
        "hostname": 1,
        "domain": 1,
        "URL": 1
      },
      "indicator_count": 5,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386641,
      "modified_text": "3401 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "62da2d1813167f78ac4ac9a7",
      "name": "iKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader)",
      "description": "An Iranian state-sponsored cyber-espionage group is believed to be developing an agent that targets Apple computers and the human rights community, according to research published by the BBC's Iran Threats team.",
      "modified": "2022-08-20T00:02:32.698000",
      "created": "2022-07-22T04:52:40.117000",
      "tags": [
        "macos",
        "flying kitten",
        "iran",
        "keychains",
        "zenderod",
        "malware"
      ],
      "references": [
        "https://iranthreats.github.io/resources/macdownloader-macos-malware/"
      ],
      "public": 1,
      "adversary": "Cyber Security",
      "targeted_countries": [
        "Iran, Islamic Republic of"
      ],
      "malware_families": [
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "ExtremeDownloader",
          "display_name": "ExtremeDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        }
      ],
      "industries": [
        "Industrial",
        "Defense",
        "Human Rights"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 2,
        "URL": 2,
        "domain": 3,
        "email": 2,
        "hostname": 1
      },
      "indicator_count": 12,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "1381 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "http://46.17.97.37/Servermac.php",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "http://46.17.97.37/Servermac.php",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780285638.0357907
}