{
  "type": "URL",
  "indicator": "https://m1.uptime66.com/fetch.json",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://m1.uptime66.com/fetch.json",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 2897590691,
      "indicator": "https://m1.uptime66.com/fetch.json",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "604b990ff0abcadfb2e0efec",
          "name": "Netbounce Threat Actor Tries to Get Added to Whitelists to Evade Detection",
          "description": "On the 12th of February, FortiGuard Labs received a request via email from a person representing a company called Packity Networks asking to whitelist their software. The sender claimed it to be a false-positive that inflicts a significant impact on their business. Fortinet's investigation led to the discovery of a new group Fortinet has labeled \"Netbounce\" and it also exposed their malware delivery infrastructure. What made this stand out among others is their unique set of tools and techniques. Fortinet was able to find several variants developed in-house by this group, each serving a different purpose.\n\nThis blog post presents the measures taken by the Netbounce group to make the campaign look as legitimate as possible, and the actions FortiGuard Labs took to discover the real intentions of this threat actor.",
          "modified": "2021-04-10T00:05:45.332000",
          "created": "2021-03-12T16:38:39.453000",
          "tags": [
            "Netbounce",
            "Windows",
            "Mac",
            "Linux",
            "Golang",
            "Vidar",
            "FickerStealer"
          ],
          "references": [
            "https://www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection"
          ],
          "public": 1,
          "adversary": "Netbounce",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "W64/NetBounce",
              "display_name": "W64/NetBounce",
              "target": null
            },
            {
              "id": "FickerStealer",
              "display_name": "FickerStealer",
              "target": null
            },
            {
              "id": "Trojan:Win32/Vidar",
              "display_name": "Trojan:Win32/Vidar",
              "target": "/malware/Trojan:Win32/Vidar"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 264,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 10,
            "URL": 22,
            "FileHash-MD5": 95,
            "FileHash-SHA256": 95,
            "FileHash-SHA1": 95
          },
          "indicator_count": 317,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 377563,
          "modified_text": "1835 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Netbounce"
          ],
          "malware_families": [
            "Fickerstealer",
            "Trojan:win32/vidar",
            "W64/netbounce"
          ],
          "industries": [],
          "unique_indicators": 320
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/uptime66.com",
    "whois": "http://whois.domaintools.com/uptime66.com",
    "domain": "uptime66.com",
    "hostname": "m1.uptime66.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "604b990ff0abcadfb2e0efec",
      "name": "Netbounce Threat Actor Tries to Get Added to Whitelists to Evade Detection",
      "description": "On the 12th of February, FortiGuard Labs received a request via email from a person representing a company called Packity Networks asking to whitelist their software. The sender claimed it to be a false-positive that inflicts a significant impact on their business. Fortinet's investigation led to the discovery of a new group Fortinet has labeled \"Netbounce\" and it also exposed their malware delivery infrastructure. What made this stand out among others is their unique set of tools and techniques. Fortinet was able to find several variants developed in-house by this group, each serving a different purpose.\n\nThis blog post presents the measures taken by the Netbounce group to make the campaign look as legitimate as possible, and the actions FortiGuard Labs took to discover the real intentions of this threat actor.",
      "modified": "2021-04-10T00:05:45.332000",
      "created": "2021-03-12T16:38:39.453000",
      "tags": [
        "Netbounce",
        "Windows",
        "Mac",
        "Linux",
        "Golang",
        "Vidar",
        "FickerStealer"
      ],
      "references": [
        "https://www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection"
      ],
      "public": 1,
      "adversary": "Netbounce",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "W64/NetBounce",
          "display_name": "W64/NetBounce",
          "target": null
        },
        {
          "id": "FickerStealer",
          "display_name": "FickerStealer",
          "target": null
        },
        {
          "id": "Trojan:Win32/Vidar",
          "display_name": "Trojan:Win32/Vidar",
          "target": "/malware/Trojan:Win32/Vidar"
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 264,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 10,
        "URL": 22,
        "FileHash-MD5": 95,
        "FileHash-SHA256": 95,
        "FileHash-SHA1": 95
      },
      "indicator_count": 317,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 377563,
      "modified_text": "1835 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://m1.uptime66.com/fetch.json",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://m1.uptime66.com/fetch.json",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776630253.6058023
}