{ "type": "URL", "indicator": "https://193.42.32.58/python/pp", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://193.42.32.58/python/pp", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3709659764, "indicator": "https://193.42.32.58/python/pp", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "64c3a500ebcae1f70b0edce4", "name": "Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator", "description": "Malvertising, spy boy Terminator and Trojan backdoors are all part of the same code used in the latest spy-hunting campaign, as revealed in a series of tweets by the BBC's Panorama programme.", "modified": "2023-08-27T11:04:21.859000", "created": "2023-07-28T11:22:40.557000", "tags": [ "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "actors", "leverage spyboy", "terminator", "file iocs", "network iocs", "trojanspy" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt", "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 39, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 5 }, "indicator_count": 194, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c2d7f938ef9c14141e3756", "name": "Malvertising as Entry Vector for BlackCat/AlphV - \"Nitrogen\" - TrendMicro", "description": "Early detection of \"Nitrogen\" malware (Initial access) before it was being called that. This mostly covers the infection chain to BlackCat/AlphV.\nFrom TrendMicro - end of June 2023\nMalvertising, spy boy Terminator and Trojan backdoors\nhttps://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html", "modified": "2023-08-26T20:00:35.013000", "created": "2023-07-27T20:47:53.681000", "tags": [ "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "leverage spyboy", "terminator", "file iocs", "network iocs", "trojanspy", "nitrogen", "initial access" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt", "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "nitrogen", "display_name": "nitrogen", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Techronik", "id": "114546", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 5 }, "indicator_count": 193, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "1009 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64abcf295128ce503f9b2205", "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "description": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "modified": "2023-08-09T09:03:18.084000", "created": "2023-07-10T09:28:09.621000", "tags": [], "references": [ "IOCs BlackCat Ransowmare.txt" ], "public": 1, "adversary": "BlackCat ransomware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 1, "domain": 14, "hostname": 3 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 64, "modified_text": "1027 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64a41923b86541fbd482f357", "name": "Advisory Report for BlackCat Distributing Ransomware Disguised as WinSCP", "description": "The BlackCat ransomware group is running malvertizing campaigns to lure people into fake pages that mimic the official website of the WinSCP file-transfer application for Windows but instead push malware-ridden installers.\nThese are security recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks.", "modified": "2023-08-03T12:02:23.844000", "created": "2023-07-04T13:05:39.851000", "tags": [ "iocs" ], "references": [ "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 3 }, "indicator_count": 191, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "1032 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64a28f2725df6a0834cb9f44", "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "description": "Malvertising, spy boy Terminator and Trojan backdoors are all part of the same code used in the latest spy-hunting campaign, as revealed in a series of tweets by the BBC's Panorama programme.", "modified": "2023-08-02T09:04:51.419000", "created": "2023-07-03T09:04:39.961000", "tags": [ "trojanspy", "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "actors", "leverage spyboy", "terminator", "file iocs", "network iocs" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "parvesh4399", "id": "224939", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 3, "FileHash-SHA1": 98, "FileHash-SHA256": 9, "domain": 14, "hostname": 5 }, "indicator_count": 167, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "1034 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64bf65b8f4a350229b91e306", "name": "BlackCAT\u52d2\u7d22\u8f6f\u4ef6\u6b63\u5728\u901a\u8fc7\u865a\u5047\u5e7f\u544a\u8fdb\u884c\u4f20\u64ad", "description": "\u6700\u8fd1\uff0c\u8d8b\u52bf\u79d1\u6280\uff08Trend Micro\uff09\u7684\u4e8b\u4ef6\u54cd\u5e94\u56e2\u961f\u901a\u8fc7\u201cTargeted Attack Detection (TAD)\u201d\u670d\u52a1\u53d1\u73b0\u4e86\u4e00\u4e2a\u6709\u9488\u5bf9\u6027\u7684\u7ec4\u7ec7\uff0c\u5176\u906d\u53d7\u9ad8\u5ea6\u53ef\u7591\u7684\u6d3b\u52a8\u3002\u5728\u8c03\u67e5\u4e2d\uff0c\u9ed1\u5ba2\u4f7f\u7528\u865a\u5047\u7f51\u7ad9\u7684\u6076\u610f\u5e7f\u544a\u6765\u901a\u8fc7\u514b\u9686\u5408\u6cd5\u7ec4\u7ec7\u7684\u9875\u9762\u4f20\u64ad\u6076\u610f\u8f6f\u4ef6\u3002\u5728\u8fd9\u4e2a\u6848\u4f8b\u4e2d\uff0c\u4f20\u64ad\u6d89\u53ca\u4e86\u4e00\u4e2a\u8457\u540d\u5e94\u7528\u7a0b\u5e8fWinSCP\u7684\u9875\u9762\uff0c\u8be5\u5e94\u7528\u7a0b\u5e8f\u662f\u7528\u4e8eWindows\u6587\u4ef6\u4f20\u8f93\u7684\u5f00\u6e90\u8f6f\u4ef6\u3002\u50cf\u8c37\u6b4c\u5e7f\u544a\u7b49\u5e7f\u544a\u5e73\u53f0\u4f7f\u4f01\u4e1a\u53ef\u4ee5\u5411\u76ee\u6807\u53d7\u4f17\u5c55\u793a\u5e7f\u544a\uff0c\u4ee5\u589e\u52a0\u6d41\u91cf\u548c\u9500\u552e\u3002\u6076\u610f\u8f6f\u4ef6\u5206\u53d1\u8005\u5229\u7528\u76f8\u540c\u7684\u529f\u80fd\u8fdb\u884c\u6076\u610f\u5e7f\u544a\u4f20\u64ad\uff0c\u8fd9\u79cd\u6280\u672f\u88ab\u79f0\u4e3a\u6076\u610f\u5e7f\u544a\uff08malvertising\uff09\uff0c\u5728\u5176\u4e2d\u9009\u62e9\u7684\u5173\u952e\u5b57\u88ab\u52ab\u6301\u7528\u4e8e\u663e\u793a\u5f15\u8bf1\u4e0d\u77e5\u60c5\u7684\u641c\u7d22\u5f15\u64ce\u7528\u6237\u4e0b\u8f7d\u67d0\u79cd\u7c7b\u578b\u7684\u6076\u610f\u8f6f\u4ef6\u7684\u5e7f\u544a\u3002", "modified": "2023-07-25T06:03:36.712000", "created": "2023-07-25T06:03:36.712000", "tags": [ "HotSpot" ], "references": [ "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "BlackCAT", "display_name": "BlackCAT", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "junchuanyang1", "id": "157561", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157561/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 51, "hostname": 1, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 4 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "1042 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt", "IOCs BlackCat Ransowmare.txt" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "BlackCat ransomware" ], "malware_families": [ "Trojanspy", "Cobalt strike", "Blackcat", "Nitrogen" ], "industries": [], "unique_indicators": 229 } } }, "false_positive": [], "alexa": "", "whois": "http://whois.domaintools.com/193.42.32.58", "domain": "Unavailable", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "64c3a500ebcae1f70b0edce4", "name": "Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator", "description": "Malvertising, spy boy Terminator and Trojan backdoors are all part of the same code used in the latest spy-hunting campaign, as revealed in a series of tweets by the BBC's Panorama programme.", "modified": "2023-08-27T11:04:21.859000", "created": "2023-07-28T11:22:40.557000", "tags": [ "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "actors", "leverage spyboy", "terminator", "file iocs", "network iocs", "trojanspy" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt", "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 39, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 5 }, "indicator_count": 194, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c2d7f938ef9c14141e3756", "name": "Malvertising as Entry Vector for BlackCat/AlphV - \"Nitrogen\" - TrendMicro", "description": "Early detection of \"Nitrogen\" malware (Initial access) before it was being called that. This mostly covers the infection chain to BlackCat/AlphV.\nFrom TrendMicro - end of June 2023\nMalvertising, spy boy Terminator and Trojan backdoors\nhttps://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html", "modified": "2023-08-26T20:00:35.013000", "created": "2023-07-27T20:47:53.681000", "tags": [ "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "leverage spyboy", "terminator", "file iocs", "network iocs", "trojanspy", "nitrogen", "initial access" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt", "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "nitrogen", "display_name": "nitrogen", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Techronik", "id": "114546", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 5 }, "indicator_count": 193, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "1009 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64abcf295128ce503f9b2205", "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "description": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "modified": "2023-08-09T09:03:18.084000", "created": "2023-07-10T09:28:09.621000", "tags": [], "references": [ "IOCs BlackCat Ransowmare.txt" ], "public": 1, "adversary": "BlackCat ransomware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 1, "domain": 14, "hostname": 3 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 64, "modified_text": "1027 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64a41923b86541fbd482f357", "name": "Advisory Report for BlackCat Distributing Ransomware Disguised as WinSCP", "description": "The BlackCat ransomware group is running malvertizing campaigns to lure people into fake pages that mimic the official website of the WinSCP file-transfer application for Windows but instead push malware-ridden installers.\nThese are security recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks.", "modified": "2023-08-03T12:02:23.844000", "created": "2023-07-04T13:05:39.851000", "tags": [ "iocs" ], "references": [ "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 3 }, "indicator_count": 191, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "1032 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64a28f2725df6a0834cb9f44", "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "description": "Malvertising, spy boy Terminator and Trojan backdoors are all part of the same code used in the latest spy-hunting campaign, as revealed in a series of tweets by the BBC's Panorama programme.", "modified": "2023-08-02T09:04:51.419000", "created": "2023-07-03T09:04:39.961000", "tags": [ "trojanspy", "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "actors", "leverage spyboy", "terminator", "file iocs", "network iocs" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "parvesh4399", "id": "224939", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 3, "FileHash-SHA1": 98, "FileHash-SHA256": 9, "domain": 14, "hostname": 5 }, "indicator_count": 167, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "1034 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64bf65b8f4a350229b91e306", "name": "BlackCAT\u52d2\u7d22\u8f6f\u4ef6\u6b63\u5728\u901a\u8fc7\u865a\u5047\u5e7f\u544a\u8fdb\u884c\u4f20\u64ad", "description": "\u6700\u8fd1\uff0c\u8d8b\u52bf\u79d1\u6280\uff08Trend Micro\uff09\u7684\u4e8b\u4ef6\u54cd\u5e94\u56e2\u961f\u901a\u8fc7\u201cTargeted Attack Detection (TAD)\u201d\u670d\u52a1\u53d1\u73b0\u4e86\u4e00\u4e2a\u6709\u9488\u5bf9\u6027\u7684\u7ec4\u7ec7\uff0c\u5176\u906d\u53d7\u9ad8\u5ea6\u53ef\u7591\u7684\u6d3b\u52a8\u3002\u5728\u8c03\u67e5\u4e2d\uff0c\u9ed1\u5ba2\u4f7f\u7528\u865a\u5047\u7f51\u7ad9\u7684\u6076\u610f\u5e7f\u544a\u6765\u901a\u8fc7\u514b\u9686\u5408\u6cd5\u7ec4\u7ec7\u7684\u9875\u9762\u4f20\u64ad\u6076\u610f\u8f6f\u4ef6\u3002\u5728\u8fd9\u4e2a\u6848\u4f8b\u4e2d\uff0c\u4f20\u64ad\u6d89\u53ca\u4e86\u4e00\u4e2a\u8457\u540d\u5e94\u7528\u7a0b\u5e8fWinSCP\u7684\u9875\u9762\uff0c\u8be5\u5e94\u7528\u7a0b\u5e8f\u662f\u7528\u4e8eWindows\u6587\u4ef6\u4f20\u8f93\u7684\u5f00\u6e90\u8f6f\u4ef6\u3002\u50cf\u8c37\u6b4c\u5e7f\u544a\u7b49\u5e7f\u544a\u5e73\u53f0\u4f7f\u4f01\u4e1a\u53ef\u4ee5\u5411\u76ee\u6807\u53d7\u4f17\u5c55\u793a\u5e7f\u544a\uff0c\u4ee5\u589e\u52a0\u6d41\u91cf\u548c\u9500\u552e\u3002\u6076\u610f\u8f6f\u4ef6\u5206\u53d1\u8005\u5229\u7528\u76f8\u540c\u7684\u529f\u80fd\u8fdb\u884c\u6076\u610f\u5e7f\u544a\u4f20\u64ad\uff0c\u8fd9\u79cd\u6280\u672f\u88ab\u79f0\u4e3a\u6076\u610f\u5e7f\u544a\uff08malvertising\uff09\uff0c\u5728\u5176\u4e2d\u9009\u62e9\u7684\u5173\u952e\u5b57\u88ab\u52ab\u6301\u7528\u4e8e\u663e\u793a\u5f15\u8bf1\u4e0d\u77e5\u60c5\u7684\u641c\u7d22\u5f15\u64ce\u7528\u6237\u4e0b\u8f7d\u67d0\u79cd\u7c7b\u578b\u7684\u6076\u610f\u8f6f\u4ef6\u7684\u5e7f\u544a\u3002", "modified": "2023-07-25T06:03:36.712000", "created": "2023-07-25T06:03:36.712000", "tags": [ "HotSpot" ], "references": [ "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "BlackCAT", "display_name": "BlackCAT", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "junchuanyang1", "id": "157561", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157561/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 51, "hostname": 1, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 4 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "1042 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://193.42.32.58/python/pp", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://193.42.32.58/python/pp", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780309108.3794234 }