{
  "type": "URL",
  "indicator": "https://safesecurefiles.com/doc041791.pdf",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://safesecurefiles.com/doc041791.pdf",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 1569935961,
      "indicator": "https://safesecurefiles.com/doc041791.pdf",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "5c004f29c22edc0434c88d2c",
          "name": "Golden Chickens: Uncovering A Malware-as-a-Service (MaaS) Provider and Two New Threat Actors Using It",
          "description": "Since September 2018, we have identified multiple attacks that share similar TTPs used by Cobalt during a specific timeframe but exhibit enough differences to attribute them to separate threat actors. This blog post provides an overview of a specific Malware-as-a-Service (MaaS) used within the e-Crime threat actor landscape. It also provides details on two different threat actors using the MaaS that fall under the umbrella of a family we dubbed Golden Chickens: GC01 and GC02. The success of GC operations heavily relies on a specific MaaS sold in underground forums, which provides customers with the malware and the infrastructure they need for targeted attacks. The service owner provides the MaaS through the use of the following toolkits: Venom and Taurus building kits for crafting documents used to deliver the attack, and the more_eggs (aka Terra Loader, SpicyOmelette) backdoor for taking full control of the infected computer.",
          "modified": "2018-11-29T20:42:17.253000",
          "created": "2018-11-29T20:42:17.253000",
          "tags": [
            "more_eggs",
            "SpicyOmelette",
            "Terra Loader"
          ],
          "references": [
            "https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
          ],
          "public": 1,
          "adversary": "Cobalt gang",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 50,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 16,
            "URL": 10,
            "domain": 10,
            "hostname": 10
          },
          "indicator_count": 46,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386919,
          "modified_text": "2741 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "5bd1ec192b8f5f0e68fa2188",
          "name": "New Techniques to Uncover and Attribute Cobalt Gang Commodity Builders and Infrastructure Revealed",
          "description": "Nowadays, it\u2019s very easy for an advanced attacker to use commodity tools and malware along with very simple initial delivery methods to keep a low profile and stay away from possible attribution. One of the most common approaches is the use of spear phishing emails employing social engineering or commonly used exploits (such as CVE-2017-0199 or the ThreadKit builder) to trick the employees of organizations of interest. Once the initial infection has occurred, the attacker becomes more sophisticated, deploying advanced custom pieces of malware, more advanced tools, and/or using living-off-the-land tools (such as the use of PowerShell, or tools like CMSTP or Regsvr32).",
          "modified": "2018-10-25T19:23:12.063000",
          "created": "2018-10-25T16:15:21.777000",
          "tags": [],
          "references": [
            "https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/"
          ],
          "public": 1,
          "adversary": "Cobalt group",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 59,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 29,
            "FileHash-SHA256": 38,
            "URL": 10,
            "hostname": 1,
            "YARA": 2
          },
          "indicator_count": 80,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386958,
          "modified_text": "2776 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648",
        "https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Cobalt gang",
            "Cobalt group"
          ],
          "malware_families": [],
          "industries": [
            "Finance"
          ],
          "unique_indicators": 103
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/safesecurefiles.com",
    "whois": "http://whois.domaintools.com/safesecurefiles.com",
    "domain": "safesecurefiles.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "5c004f29c22edc0434c88d2c",
      "name": "Golden Chickens: Uncovering A Malware-as-a-Service (MaaS) Provider and Two New Threat Actors Using It",
      "description": "Since September 2018, we have identified multiple attacks that share similar TTPs used by Cobalt during a specific timeframe but exhibit enough differences to attribute them to separate threat actors. This blog post provides an overview of a specific Malware-as-a-Service (MaaS) used within the e-Crime threat actor landscape. It also provides details on two different threat actors using the MaaS that fall under the umbrella of a family we dubbed Golden Chickens: GC01 and GC02. The success of GC operations heavily relies on a specific MaaS sold in underground forums, which provides customers with the malware and the infrastructure they need for targeted attacks. The service owner provides the MaaS through the use of the following toolkits: Venom and Taurus building kits for crafting documents used to deliver the attack, and the more_eggs (aka Terra Loader, SpicyOmelette) backdoor for taking full control of the infected computer.",
      "modified": "2018-11-29T20:42:17.253000",
      "created": "2018-11-29T20:42:17.253000",
      "tags": [
        "more_eggs",
        "SpicyOmelette",
        "Terra Loader"
      ],
      "references": [
        "https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648"
      ],
      "public": 1,
      "adversary": "Cobalt gang",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 50,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 16,
        "URL": 10,
        "domain": 10,
        "hostname": 10
      },
      "indicator_count": 46,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386919,
      "modified_text": "2741 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "5bd1ec192b8f5f0e68fa2188",
      "name": "New Techniques to Uncover and Attribute Cobalt Gang Commodity Builders and Infrastructure Revealed",
      "description": "Nowadays, it\u2019s very easy for an advanced attacker to use commodity tools and malware along with very simple initial delivery methods to keep a low profile and stay away from possible attribution. One of the most common approaches is the use of spear phishing emails employing social engineering or commonly used exploits (such as CVE-2017-0199 or the ThreadKit builder) to trick the employees of organizations of interest. Once the initial infection has occurred, the attacker becomes more sophisticated, deploying advanced custom pieces of malware, more advanced tools, and/or using living-off-the-land tools (such as the use of PowerShell, or tools like CMSTP or Regsvr32).",
      "modified": "2018-10-25T19:23:12.063000",
      "created": "2018-10-25T16:15:21.777000",
      "tags": [],
      "references": [
        "https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/"
      ],
      "public": 1,
      "adversary": "Cobalt group",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 59,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 29,
        "FileHash-SHA256": 38,
        "URL": 10,
        "hostname": 1,
        "YARA": 2
      },
      "indicator_count": 80,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386958,
      "modified_text": "2776 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://safesecurefiles.com/doc041791.pdf",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://safesecurefiles.com/doc041791.pdf",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780397997.9571235
}