{ "type": "URL", "indicator": "http://simplecreative.design/wp-content/plugins/calculated-fields-form/single.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "http://simplecreative.design/wp-content/plugins/calculated-fields-form/single.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 64278414, "indicator": "http://simplecreative.design/wp-content/plugins/calculated-fields-form/single.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "59a6d0c44dcb1c0ef0e76f8b", "name": "Gazing at Gazer - Turlas new second stage backdoor", "description": "Many domains in this report are compromised domains - traffic to them may not be malicious.\n\nHerein we release our analysis of a previously undocumented backdoor that has been targeted\nagainst embassies and consulates around the world leads us to attribute it, with high confidence,\nto the Turla group. Turla is a notorious group that has been targeting governments, government\nofficials and diplomats for years. They are known to run watering hole and spearphishing campaigns\nto better pinpoint their targets. Although this backdoor has been actively deployed since at least\n2016, it has not been documented anywhere. Based on strings found in the samples we analyzed,\nwe have named this backdoor \u201cGazer\u201d.", "modified": "2019-01-14T12:44:07.001000", "created": "2017-08-30T14:50:44.049000", "tags": [ "turla", "snake", "russia" ], "references": [ "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" ], "public": 1, "adversary": "Turla Group", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 92, "upvotes_count": 2.0, "downvotes_count": 0.0, "votes_count": 2.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "hostname": 5, "URL": 22, "YARA": 2, "FileHash-SHA1": 46, "IPv4": 2, "email": 1 }, "indicator_count": 78, "is_author": false, "is_subscribing": null, "subscriber_count": 386677, "modified_text": "2694 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6645e430dd6a9505cb9cd9ca", "name": "To the Moon and back(doors): Lunar landing in diplomatic missions", "description": "ESET Research has identified two backdoors used by the infamous Russian-aligned cyberespionage group, Turla, to compromise European diplomatic institutions in the Middle East and other parts of the world.", "modified": "2024-06-15T10:04:30.773000", "created": "2024-05-16T10:47:12.433000", "tags": [ "lunarweb", "lunarmail", "strong", "c server", "eset research", "turla", "stage", "outlook", "aes256", "http", "powershell", "persistence", "win64", "format", "first", "tips", "snake", "defense", "smskey", "stages", "loader", "lightneuron", "execution", "ebury", "webglobe", "lunarloader", "gazer loader", "welivesecurity", "crypto", "compromise", "ltmanager", "carbon", "gazer", "mosquito", "armenia", "star", "dllinjector", "dropper", "comrat", "crutch", "footer" ], "references": [ "https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/", "https://github.com/eset/malware-ioc/tree/master/turla#to-the-moon-and-backdoors-lunar-landing-in-diplomatic-missionsindicators-of-compromise" ], "public": 1, "adversary": "Turla", "targeted_countries": [], "malware_families": [ { "id": "Turla", "display_name": "Turla", "target": null }, { "id": "Webglobe", "display_name": "Webglobe", "target": null }, { "id": "LunarLoader", "display_name": "LunarLoader", "target": null }, { "id": "LunarWeb", "display_name": "LunarWeb", "target": null }, { "id": "LunarMail", "display_name": "LunarMail", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Diplomatic", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluenumberone", "id": "246058", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 27, "URL": 25, "FileHash-MD5": 59, "FileHash-SHA1": 128, "FileHash-SHA256": 59, "domain": 47, "email": 2 }, "indicator_count": 347, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "715 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/", "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/eset/malware-ioc/tree/master/turla#to-the-moon-and-backdoors-lunar-landing-in-diplomatic-missionsindicators-of-compromise" ], "related": { "alienvault": { "adversary": [ "Turla Group" ], "malware_families": [], "industries": [ "Government" ], "unique_indicators": 78 }, "other": { "adversary": [ "Turla" ], "malware_families": [ "Lunarloader", "Webglobe", "Lunarweb", "Turla", "Lunarmail" ], "industries": [ "Government", "Diplomatic" ], "unique_indicators": 362 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/simplecreative.design", "whois": "http://whois.domaintools.com/simplecreative.design", "domain": "simplecreative.design", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "59a6d0c44dcb1c0ef0e76f8b", "name": "Gazing at Gazer - Turlas new second stage backdoor", "description": "Many domains in this report are compromised domains - traffic to them may not be malicious.\n\nHerein we release our analysis of a previously undocumented backdoor that has been targeted\nagainst embassies and consulates around the world leads us to attribute it, with high confidence,\nto the Turla group. Turla is a notorious group that has been targeting governments, government\nofficials and diplomats for years. They are known to run watering hole and spearphishing campaigns\nto better pinpoint their targets. Although this backdoor has been actively deployed since at least\n2016, it has not been documented anywhere. Based on strings found in the samples we analyzed,\nwe have named this backdoor \u201cGazer\u201d.", "modified": "2019-01-14T12:44:07.001000", "created": "2017-08-30T14:50:44.049000", "tags": [ "turla", "snake", "russia" ], "references": [ "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" ], "public": 1, "adversary": "Turla Group", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 92, "upvotes_count": 2.0, "downvotes_count": 0.0, "votes_count": 2.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "hostname": 5, "URL": 22, "YARA": 2, "FileHash-SHA1": 46, "IPv4": 2, "email": 1 }, "indicator_count": 78, "is_author": false, "is_subscribing": null, "subscriber_count": 386677, "modified_text": "2694 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6645e430dd6a9505cb9cd9ca", "name": "To the Moon and back(doors): Lunar landing in diplomatic missions", "description": "ESET Research has identified two backdoors used by the infamous Russian-aligned cyberespionage group, Turla, to compromise European diplomatic institutions in the Middle East and other parts of the world.", "modified": "2024-06-15T10:04:30.773000", "created": "2024-05-16T10:47:12.433000", "tags": [ "lunarweb", "lunarmail", "strong", "c server", "eset research", "turla", "stage", "outlook", "aes256", "http", "powershell", "persistence", "win64", "format", "first", "tips", "snake", "defense", "smskey", "stages", "loader", "lightneuron", "execution", "ebury", "webglobe", "lunarloader", "gazer loader", "welivesecurity", "crypto", "compromise", "ltmanager", "carbon", "gazer", "mosquito", "armenia", "star", "dllinjector", "dropper", "comrat", "crutch", "footer" ], "references": [ "https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/", "https://github.com/eset/malware-ioc/tree/master/turla#to-the-moon-and-backdoors-lunar-landing-in-diplomatic-missionsindicators-of-compromise" ], "public": 1, "adversary": "Turla", "targeted_countries": [], "malware_families": [ { "id": "Turla", "display_name": "Turla", "target": null }, { "id": "Webglobe", "display_name": "Webglobe", "target": null }, { "id": "LunarLoader", "display_name": "LunarLoader", "target": null }, { "id": "LunarWeb", "display_name": "LunarWeb", "target": null }, { "id": "LunarMail", "display_name": "LunarMail", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Diplomatic", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluenumberone", "id": "246058", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 27, "URL": 25, "FileHash-MD5": 59, "FileHash-SHA1": 128, "FileHash-SHA256": 59, "domain": 47, "email": 2 }, "indicator_count": 347, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "715 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "http://simplecreative.design/wp-content/plugins/calculated-fields-form/single.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "http://simplecreative.design/wp-content/plugins/calculated-fields-form/single.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780274248.7429633 }