{
  "type": "URL",
  "indicator": "https://167.88.164.40/python/pp2",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://167.88.164.40/python/pp2",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3709659756,
      "indicator": "https://167.88.164.40/python/pp2",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 11,
      "pulses": [
        {
          "id": "64c3a500ebcae1f70b0edce4",
          "name": "Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator",
          "description": "Malvertising, spy boy Terminator and Trojan backdoors are all part of the same code used in the latest spy-hunting campaign, as revealed in a series of tweets by the BBC's Panorama programme.",
          "modified": "2023-08-27T11:04:21.859000",
          "created": "2023-07-28T11:22:40.557000",
          "tags": [
            "c server",
            "disease vector",
            "cobeacon c2",
            "entry vector",
            "blackcat",
            "actors",
            "leverage spyboy",
            "terminator",
            "file iocs",
            "network iocs",
            "trojanspy"
          ],
          "references": [
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt",
            "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 39,
            "FileHash-MD5": 16,
            "FileHash-SHA1": 105,
            "FileHash-SHA256": 15,
            "domain": 14,
            "hostname": 5
          },
          "indicator_count": 194,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "1008 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64c2d7f938ef9c14141e3756",
          "name": "Malvertising as Entry Vector for BlackCat/AlphV - \"Nitrogen\" - TrendMicro",
          "description": "Early detection of \"Nitrogen\" malware (Initial access) before it was being called that. This mostly covers the infection chain to BlackCat/AlphV.\nFrom TrendMicro - end of June 2023\nMalvertising, spy boy Terminator and Trojan backdoors\nhttps://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
          "modified": "2023-08-26T20:00:35.013000",
          "created": "2023-07-27T20:47:53.681000",
          "tags": [
            "c server",
            "disease vector",
            "cobeacon c2",
            "entry vector",
            "blackcat",
            "leverage spyboy",
            "terminator",
            "file iocs",
            "network iocs",
            "trojanspy",
            "nitrogen",
            "initial access"
          ],
          "references": [
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt",
            "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "nitrogen",
              "display_name": "nitrogen",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Techronik",
            "id": "114546",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 38,
            "FileHash-MD5": 16,
            "FileHash-SHA1": 105,
            "FileHash-SHA256": 15,
            "domain": 14,
            "hostname": 5
          },
          "indicator_count": 193,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 84,
          "modified_text": "1009 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64abcf295128ce503f9b2205",
          "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads",
          "description": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads",
          "modified": "2023-08-09T09:03:18.084000",
          "created": "2023-07-10T09:28:09.621000",
          "tags": [],
          "references": [
            "IOCs BlackCat Ransowmare.txt"
          ],
          "public": 1,
          "adversary": "BlackCat ransomware",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 47,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "MarinaDiamandis",
            "id": "206809",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 38,
            "FileHash-MD5": 1,
            "domain": 14,
            "hostname": 3
          },
          "indicator_count": 56,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 64,
          "modified_text": "1026 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64a41923b86541fbd482f357",
          "name": "Advisory Report for BlackCat Distributing Ransomware Disguised as WinSCP",
          "description": "The BlackCat ransomware group is running malvertizing campaigns to lure people into fake pages that mimic the official website of the WinSCP file-transfer application for Windows but instead push malware-ridden installers.\nThese are security recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks.",
          "modified": "2023-08-03T12:02:23.844000",
          "created": "2023-07-04T13:05:39.851000",
          "tags": [
            "iocs"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 38,
            "FileHash-MD5": 16,
            "FileHash-SHA1": 105,
            "FileHash-SHA256": 15,
            "domain": 14,
            "hostname": 3
          },
          "indicator_count": 191,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 107,
          "modified_text": "1032 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64a3e9b64725708e5124cd22",
          "name": "Malvertising Used as Entry Vector for BlackCat Actors Also Leverage SpyBoy Terminator",
          "description": "Trend Security provides a comprehensive guide to how to protect your data, devices, and networks in the cloud and multi-cloud world. \u00a31.5bn of research, development and development.",
          "modified": "2023-08-03T09:03:00.586000",
          "created": "2023-07-04T09:43:18.620000",
          "tags": [
            "malware",
            "endpoints",
            "research",
            "web",
            "articles",
            "news",
            "reports",
            "learn",
            "trend micro",
            "winscp",
            "cloud security",
            "email security",
            "alliance",
            "blackcat",
            "download",
            "python",
            "trend vision",
            "cobalt strike",
            "powershell",
            "powerview",
            "hybrid",
            "stop",
            "leverage",
            "protect",
            "small",
            "attack",
            "june",
            "twitter",
            "lazagne",
            "psexec",
            "killav",
            "anydesk",
            "find",
            "indonesia",
            "dll rcdata"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DLL RCDATA",
              "display_name": "DLL RCDATA",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "1032 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64a2b22606458254aa21ea37",
          "name": "Malicious Malvertising: The WinSCP Cloned Webpage Attack",
          "description": "The malicious actors employed malvertising techniques to distribute malware through cloned webpages of legitimate organizations. Specifically, they targeted the webpage of WinSCP, a well-known open-source Windows application for file transfer. By exploiting advertising platforms like Google Ads, these malicious actors abused the functionality to display deceptive ads that enticed unsuspecting users searching for \"WinSCP Download\" on Bing. The malicious ad redirected users to a cloned download webpage of WinSCP, leading them to download an infected ISO file from a compromised WordPress webpage.",
          "modified": "2023-08-02T11:00:08.290000",
          "created": "2023-07-03T11:33:58.052000",
          "tags": [
            "malware",
            "endpoints",
            "research",
            "web",
            "articles",
            "news",
            "reports",
            "learn",
            "trend micro",
            "winscp",
            "cloud security",
            "email security",
            "alliance",
            "blackcat",
            "download",
            "python",
            "trend vision",
            "cobalt strike",
            "powershell",
            "powerview",
            "hybrid",
            "stop",
            "leverage",
            "protect",
            "small",
            "attack",
            "june",
            "twitter",
            "lazagne",
            "psexec",
            "killav",
            "anydesk",
            "find",
            "indonesia",
            "dll rcdata"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DLL RCDATA",
              "display_name": "DLL RCDATA",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 213,
          "modified_text": "1033 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64a2b571bd5482a8fe6c6d06",
          "name": "BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising",
          "description": "Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application.\n\n\"Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations,\" Trend Micro researchers said in an analysis published last week. \"In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.\"",
          "modified": "2023-08-02T10:00:55.647000",
          "created": "2023-07-03T11:48:01.709000",
          "tags": [
            "malware",
            "endpoints",
            "research",
            "web",
            "articles",
            "news",
            "reports",
            "learn",
            "trend micro",
            "winscp",
            "cloud security",
            "email security",
            "alliance",
            "blackcat",
            "download",
            "python",
            "trend vision",
            "cobalt strike",
            "powershell",
            "powerview",
            "hybrid",
            "stop",
            "leverage",
            "protect",
            "small",
            "attack",
            "june",
            "twitter",
            "lazagne",
            "psexec",
            "killav",
            "anydesk",
            "find",
            "indonesia",
            "dll rcdata"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
            "https://thehackernews.com/2023/07/blackcat-operators-distributing.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DLL RCDATA",
              "display_name": "DLL RCDATA",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 307,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dekaRituraj",
            "id": "99856",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 434,
          "modified_text": "1033 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64a3ce94c613b75e1c3d976c",
          "name": "BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising",
          "description": "",
          "modified": "2023-08-02T10:00:55.647000",
          "created": "2023-07-04T07:47:32.895000",
          "tags": [
            "malware",
            "endpoints",
            "research",
            "web",
            "articles",
            "news",
            "reports",
            "learn",
            "trend micro",
            "winscp",
            "cloud security",
            "email security",
            "alliance",
            "blackcat",
            "download",
            "python",
            "trend vision",
            "cobalt strike",
            "powershell",
            "powerview",
            "hybrid",
            "stop",
            "leverage",
            "protect",
            "small",
            "attack",
            "june",
            "twitter",
            "lazagne",
            "psexec",
            "killav",
            "anydesk",
            "find",
            "indonesia",
            "dll rcdata"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
            "https://thehackernews.com/2023/07/blackcat-operators-distributing.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DLL RCDATA",
              "display_name": "DLL RCDATA",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "64a2b571bd5482a8fe6c6d06",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "1033 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64a3cefe7ab90999f69f835c",
          "name": "BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising",
          "description": "",
          "modified": "2023-08-02T10:00:55.647000",
          "created": "2023-07-04T07:49:18.498000",
          "tags": [
            "malware",
            "endpoints",
            "research",
            "web",
            "articles",
            "news",
            "reports",
            "learn",
            "trend micro",
            "winscp",
            "cloud security",
            "email security",
            "alliance",
            "blackcat",
            "download",
            "python",
            "trend vision",
            "cobalt strike",
            "powershell",
            "powerview",
            "hybrid",
            "stop",
            "leverage",
            "protect",
            "small",
            "attack",
            "june",
            "twitter",
            "lazagne",
            "psexec",
            "killav",
            "anydesk",
            "find",
            "indonesia",
            "dll rcdata"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
            "https://thehackernews.com/2023/07/blackcat-operators-distributing.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DLL RCDATA",
              "display_name": "DLL RCDATA",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "64a3ce94c613b75e1c3d976c",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "1033 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64a28f2725df6a0834cb9f44",
          "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads",
          "description": "Malvertising campaign that lured users searching for WinSCP to cloned download pages serving a rogue installer; the infection chain dropped a Cobalt Strike beacon and the SpyBoy Terminator tool and is attributed to BlackCat (ALPHV) ransomware operators in the referenced Trend Micro research.",
          "modified": "2023-08-02T09:04:51.419000",
          "created": "2023-07-03T09:04:39.961000",
          "tags": [
            "trojanspy",
            "c server",
            "disease vector",
            "cobeacon c2",
            "entry vector",
            "blackcat",
            "actors",
            "leverage spyboy",
            "terminator",
            "file iocs",
            "network iocs"
          ],
          "references": [
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "parvesh4399",
            "id": "224939",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 38,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 98,
            "FileHash-SHA256": 9,
            "domain": 14,
            "hostname": 5
          },
          "indicator_count": 167,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 56,
          "modified_text": "1033 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64bf65b8f4a350229b91e306",
          "name": "BlackCAT\u52d2\u7d22\u8f6f\u4ef6\u6b63\u5728\u901a\u8fc7\u865a\u5047\u5e7f\u544a\u8fdb\u884c\u4f20\u64ad",
          "description": "\u6700\u8fd1\uff0c\u8d8b\u52bf\u79d1\u6280\uff08Trend Micro\uff09\u7684\u4e8b\u4ef6\u54cd\u5e94\u56e2\u961f\u901a\u8fc7\u201cTargeted Attack Detection (TAD)\u201d\u670d\u52a1\u53d1\u73b0\u4e86\u4e00\u4e2a\u6709\u9488\u5bf9\u6027\u7684\u7ec4\u7ec7\uff0c\u5176\u906d\u53d7\u9ad8\u5ea6\u53ef\u7591\u7684\u6d3b\u52a8\u3002\u5728\u8c03\u67e5\u4e2d\uff0c\u9ed1\u5ba2\u4f7f\u7528\u865a\u5047\u7f51\u7ad9\u7684\u6076\u610f\u5e7f\u544a\u6765\u901a\u8fc7\u514b\u9686\u5408\u6cd5\u7ec4\u7ec7\u7684\u9875\u9762\u4f20\u64ad\u6076\u610f\u8f6f\u4ef6\u3002\u5728\u8fd9\u4e2a\u6848\u4f8b\u4e2d\uff0c\u4f20\u64ad\u6d89\u53ca\u4e86\u4e00\u4e2a\u8457\u540d\u5e94\u7528\u7a0b\u5e8fWinSCP\u7684\u9875\u9762\uff0c\u8be5\u5e94\u7528\u7a0b\u5e8f\u662f\u7528\u4e8eWindows\u6587\u4ef6\u4f20\u8f93\u7684\u5f00\u6e90\u8f6f\u4ef6\u3002\u50cf\u8c37\u6b4c\u5e7f\u544a\u7b49\u5e7f\u544a\u5e73\u53f0\u4f7f\u4f01\u4e1a\u53ef\u4ee5\u5411\u76ee\u6807\u53d7\u4f17\u5c55\u793a\u5e7f\u544a\uff0c\u4ee5\u589e\u52a0\u6d41\u91cf\u548c\u9500\u552e\u3002\u6076\u610f\u8f6f\u4ef6\u5206\u53d1\u8005\u5229\u7528\u76f8\u540c\u7684\u529f\u80fd\u8fdb\u884c\u6076\u610f\u5e7f\u544a\u4f20\u64ad\uff0c\u8fd9\u79cd\u6280\u672f\u88ab\u79f0\u4e3a\u6076\u610f\u5e7f\u544a\uff08malvertising\uff09\uff0c\u5728\u5176\u4e2d\u9009\u62e9\u7684\u5173\u952e\u5b57\u88ab\u52ab\u6301\u7528\u4e8e\u663e\u793a\u5f15\u8bf1\u4e0d\u77e5\u60c5\u7684\u641c\u7d22\u5f15\u64ce\u7528\u6237\u4e0b\u8f7d\u67d0\u79cd\u7c7b\u578b\u7684\u6076\u610f\u8f6f\u4ef6\u7684\u5e7f\u544a\u3002",
          "modified": "2023-07-25T06:03:36.712000",
          "created": "2023-07-25T06:03:36.712000",
          "tags": [
            "HotSpot"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "BlackCAT",
              "display_name": "BlackCAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "junchuanyang1",
            "id": "157561",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157561/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 51,
            "hostname": 1,
            "FileHash-MD5": 16,
            "FileHash-SHA1": 105,
            "FileHash-SHA256": 15,
            "domain": 4
          },
          "indicator_count": 192,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 84,
          "modified_text": "1042 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt",
        "IOCs BlackCat Ransowmare.txt",
        "https://thehackernews.com/2023/07/blackcat-operators-distributing.html"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "BlackCat ransomware"
          ],
          "malware_families": [
            "Trojanspy",
            "Blackcat",
            "Dll rcdata",
            "Cobalt strike",
            "Nitrogen"
          ],
          "industries": [],
          "unique_indicators": 229
        }
      }
    },
    "false_positive": [],
    "alexa": "",
    "whois": "http://whois.domaintools.com/167.88.164.40",
    "domain": "Unavailable",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 11,
  "pulses": [
    {
      "id": "64c3a500ebcae1f70b0edce4",
      "name": "Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator",
      "description": "Malvertising campaign that lured users searching for WinSCP to cloned download pages serving a rogue installer; the infection chain dropped a Cobalt Strike beacon and the SpyBoy Terminator tool and is attributed to BlackCat (ALPHV) ransomware operators in the referenced Trend Micro research.",
      "modified": "2023-08-27T11:04:21.859000",
      "created": "2023-07-28T11:22:40.557000",
      "tags": [
        "c server",
        "disease vector",
        "cobeacon c2",
        "entry vector",
        "blackcat",
        "actors",
        "leverage spyboy",
        "terminator",
        "file iocs",
        "network iocs",
        "trojanspy"
      ],
      "references": [
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt",
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 39,
        "FileHash-MD5": 16,
        "FileHash-SHA1": 105,
        "FileHash-SHA256": 15,
        "domain": 14,
        "hostname": 5
      },
      "indicator_count": 194,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "1008 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64c2d7f938ef9c14141e3756",
      "name": "Malvertising as Entry Vector for BlackCat/AlphV - \"Nitrogen\" - TrendMicro",
      "description": "Early detection of \"Nitrogen\" malware (Initial access) before it was being called that. This mostly covers the infection chain to BlackCat/AlphV.\nFrom TrendMicro - end of June 2023\nMalvertising, spy boy Terminator and Trojan backdoors\nhttps://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
      "modified": "2023-08-26T20:00:35.013000",
      "created": "2023-07-27T20:47:53.681000",
      "tags": [
        "c server",
        "disease vector",
        "cobeacon c2",
        "entry vector",
        "blackcat",
        "leverage spyboy",
        "terminator",
        "file iocs",
        "network iocs",
        "trojanspy",
        "nitrogen",
        "initial access"
      ],
      "references": [
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt",
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "nitrogen",
          "display_name": "nitrogen",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Techronik",
        "id": "114546",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 38,
        "FileHash-MD5": 16,
        "FileHash-SHA1": 105,
        "FileHash-SHA256": 15,
        "domain": 14,
        "hostname": 5
      },
      "indicator_count": 193,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 84,
      "modified_text": "1009 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64abcf295128ce503f9b2205",
      "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads",
      "description": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads",
      "modified": "2023-08-09T09:03:18.084000",
      "created": "2023-07-10T09:28:09.621000",
      "tags": [],
      "references": [
        "IOCs BlackCat Ransowmare.txt"
      ],
      "public": 1,
      "adversary": "BlackCat ransomware",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 47,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "MarinaDiamandis",
        "id": "206809",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 38,
        "FileHash-MD5": 1,
        "domain": 14,
        "hostname": 3
      },
      "indicator_count": 56,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 64,
      "modified_text": "1026 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64a41923b86541fbd482f357",
      "name": "Advisory Report for BlackCat Distributing Ransomware Disguised as WinSCP",
      "description": "The BlackCat ransomware group is running malvertising campaigns to lure people into fake pages that mimic the official website of the WinSCP file-transfer application for Windows but instead push malware-ridden installers.\nThese are security recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks.",
      "modified": "2023-08-03T12:02:23.844000",
      "created": "2023-07-04T13:05:39.851000",
      "tags": [
        "iocs"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "aa00643640@techmahindra.com",
        "id": "156540",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 38,
        "FileHash-MD5": 16,
        "FileHash-SHA1": 105,
        "FileHash-SHA256": 15,
        "domain": 14,
        "hostname": 3
      },
      "indicator_count": 191,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 107,
      "modified_text": "1032 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64a3e9b64725708e5124cd22",
      "name": "Malvertising Used as Entry Vector for BlackCat Actors Also Leverage SpyBoy Terminator",
      "description": "Trend Security provides a comprehensive guide to how to protect your data, devices, and networks in the cloud and multi-cloud world. \u00a31.5bn of research, development and development.",
      "modified": "2023-08-03T09:03:00.586000",
      "created": "2023-07-04T09:43:18.620000",
      "tags": [
        "malware",
        "endpoints",
        "research",
        "web",
        "articles",
        "news",
        "reports",
        "learn",
        "trend micro",
        "winscp",
        "cloud security",
        "email security",
        "alliance",
        "blackcat",
        "download",
        "python",
        "trend vision",
        "cobalt strike",
        "powershell",
        "powerview",
        "hybrid",
        "stop",
        "leverage",
        "protect",
        "small",
        "attack",
        "june",
        "twitter",
        "lazagne",
        "psexec",
        "killav",
        "anydesk",
        "find",
        "indonesia",
        "dll rcdata"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DLL RCDATA",
          "display_name": "DLL RCDATA",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 5,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "1032 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64a2b22606458254aa21ea37",
      "name": "Malicious Malvertising: The WinSCP Cloned Webpage Attack",
      "description": "The malicious actors employed malvertising techniques to distribute malware through cloned webpages of legitimate organizations. Specifically, they targeted the webpage of WinSCP, a well-known open-source Windows application for file transfer. By exploiting advertising platforms like Google Ads, these malicious actors abused the functionality to display deceptive ads that enticed unsuspecting users searching for \"WinSCP Download\" on Bing. The malicious ad redirected users to a cloned download webpage of WinSCP, leading them to download an infected ISO file from a compromised WordPress webpage.",
      "modified": "2023-08-02T11:00:08.290000",
      "created": "2023-07-03T11:33:58.052000",
      "tags": [
        "malware",
        "endpoints",
        "research",
        "web",
        "articles",
        "news",
        "reports",
        "learn",
        "trend micro",
        "winscp",
        "cloud security",
        "email security",
        "alliance",
        "blackcat",
        "download",
        "python",
        "trend vision",
        "cobalt strike",
        "powershell",
        "powerview",
        "hybrid",
        "stop",
        "leverage",
        "protect",
        "small",
        "attack",
        "june",
        "twitter",
        "lazagne",
        "psexec",
        "killav",
        "anydesk",
        "find",
        "indonesia",
        "dll rcdata"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DLL RCDATA",
          "display_name": "DLL RCDATA",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 5,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 213,
      "modified_text": "1033 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64a2b571bd5482a8fe6c6d06",
      "name": "BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising",
      "description": "Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application.\n\n\"Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations,\" Trend Micro researchers said in an analysis published last week. \"In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.\"",
      "modified": "2023-08-02T10:00:55.647000",
      "created": "2023-07-03T11:48:01.709000",
      "tags": [
        "malware",
        "endpoints",
        "research",
        "web",
        "articles",
        "news",
        "reports",
        "learn",
        "trend micro",
        "winscp",
        "cloud security",
        "email security",
        "alliance",
        "blackcat",
        "download",
        "python",
        "trend vision",
        "cobalt strike",
        "powershell",
        "powerview",
        "hybrid",
        "stop",
        "leverage",
        "protect",
        "small",
        "attack",
        "june",
        "twitter",
        "lazagne",
        "psexec",
        "killav",
        "anydesk",
        "find",
        "indonesia",
        "dll rcdata"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
        "https://thehackernews.com/2023/07/blackcat-operators-distributing.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DLL RCDATA",
          "display_name": "DLL RCDATA",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 307,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dekaRituraj",
        "id": "99856",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 5,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 434,
      "modified_text": "1033 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64a3ce94c613b75e1c3d976c",
      "name": "BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising",
      "description": "",
      "modified": "2023-08-02T10:00:55.647000",
      "created": "2023-07-04T07:47:32.895000",
      "tags": [
        "malware",
        "endpoints",
        "research",
        "web",
        "articles",
        "news",
        "reports",
        "learn",
        "trend micro",
        "winscp",
        "cloud security",
        "email security",
        "alliance",
        "blackcat",
        "download",
        "python",
        "trend vision",
        "cobalt strike",
        "powershell",
        "powerview",
        "hybrid",
        "stop",
        "leverage",
        "protect",
        "small",
        "attack",
        "june",
        "twitter",
        "lazagne",
        "psexec",
        "killav",
        "anydesk",
        "find",
        "indonesia",
        "dll rcdata"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
        "https://thehackernews.com/2023/07/blackcat-operators-distributing.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DLL RCDATA",
          "display_name": "DLL RCDATA",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "64a2b571bd5482a8fe6c6d06",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 5,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 187,
      "modified_text": "1033 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64a3cefe7ab90999f69f835c",
      "name": "BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising",
      "description": "",
      "modified": "2023-08-02T10:00:55.647000",
      "created": "2023-07-04T07:49:18.498000",
      "tags": [
        "malware",
        "endpoints",
        "research",
        "web",
        "articles",
        "news",
        "reports",
        "learn",
        "trend micro",
        "winscp",
        "cloud security",
        "email security",
        "alliance",
        "blackcat",
        "download",
        "python",
        "trend vision",
        "cobalt strike",
        "powershell",
        "powerview",
        "hybrid",
        "stop",
        "leverage",
        "protect",
        "small",
        "attack",
        "june",
        "twitter",
        "lazagne",
        "psexec",
        "killav",
        "anydesk",
        "find",
        "indonesia",
        "dll rcdata"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
        "https://thehackernews.com/2023/07/blackcat-operators-distributing.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DLL RCDATA",
          "display_name": "DLL RCDATA",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "64a3ce94c613b75e1c3d976c",
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 5,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "1033 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64a28f2725df6a0834cb9f44",
      "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads",
      "description": "Malvertising, spy boy Terminator and Trojan backdoors are all part of the same code used in the latest spy-hunting campaign, as revealed in a series of tweets by the BBC's Panorama programme.",
      "modified": "2023-08-02T09:04:51.419000",
      "created": "2023-07-03T09:04:39.961000",
      "tags": [
        "trojanspy",
        "c server",
        "disease vector",
        "cobeacon c2",
        "entry vector",
        "blackcat",
        "actors",
        "leverage spyboy",
        "terminator",
        "file iocs",
        "network iocs"
      ],
      "references": [
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "parvesh4399",
        "id": "224939",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 38,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 98,
        "FileHash-SHA256": 9,
        "domain": 14,
        "hostname": 5
      },
      "indicator_count": 167,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 56,
      "modified_text": "1033 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://167.88.164.40/python/pp2",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://167.88.164.40/python/pp2",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780297061.9049025
}