{ "type": "URL", "indicator": "https://sepa-cloud.com/file/Documents/document_78219.jpg.exe", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://sepa-cloud.com/file/Documents/document_78219.jpg.exe", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 1487663777, "indicator": "https://sepa-cloud.com/file/Documents/document_78219.jpg.exe", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "5b882e5ba58afc0e76b3b79c", "name": "New Cobalt Group campaign targeting eastern Europe and Russian institutions", "description": "Cobalt Group (aka TEMP.Metastrike), active since at least late 2016, have been suspected in attacks across dozens of countries. The group primarily targets financial organizations, often with the use of ATM malware. Researchers also believe they are responsible for a series of attacks on the SWIFT banking system which costs millions in damages to the impacted entities.\n\nOn August 13, ASERT observed the financially-motivated hacking group actively pushing a new campaign. We believe the targeted institutions for the ongoing campaign are located in eastern Europe and Russia. The active campaigns utilize spear phishing messages to gain entry. The emails appear to come from a financial vendor or partner, increasing the likelihood of infection. The group uses tools that can bypass Window\u2019s defenses.", "modified": "2018-08-30T17:50:56.796000", "created": "2018-08-30T17:50:19.155000", "tags": [ "malware", "cobalt group", "TEMP.Metastrike", "phishing" ], "references": [ "https://asert.arbornetworks.com/double-the-infection-double-the-fun/" ], "public": 1, "adversary": "Cobalt group", "targeted_countries": [ "Russian Federation" ], "malware_families": [], "attack_ids": [], "industries": [ "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 12, "domain": 11, "hostname": 2, "FileHash-MD5": 13 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 376796, "modified_text": "2784 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://asert.arbornetworks.com/double-the-infection-double-the-fun/" ], "related": { "alienvault": { "adversary": [ "Cobalt group" ], "malware_families": [], "industries": [ "Financial" ], "unique_indicators": 38 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/sepa-cloud.com", "whois": "http://whois.domaintools.com/sepa-cloud.com", "domain": "sepa-cloud.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "5b882e5ba58afc0e76b3b79c", "name": "New Cobalt Group campaign targeting eastern Europe and Russian institutions", "description": "Cobalt Group (aka TEMP.Metastrike), active since at least late 2016, have been suspected in attacks across dozens of countries. The group primarily targets financial organizations, often with the use of ATM malware. Researchers also believe they are responsible for a series of attacks on the SWIFT banking system which costs millions in damages to the impacted entities.\n\nOn August 13, ASERT observed the financially-motivated hacking group actively pushing a new campaign. We believe the targeted institutions for the ongoing campaign are located in eastern Europe and Russia. The active campaigns utilize spear phishing messages to gain entry. The emails appear to come from a financial vendor or partner, increasing the likelihood of infection. The group uses tools that can bypass Window\u2019s defenses.", "modified": "2018-08-30T17:50:56.796000", "created": "2018-08-30T17:50:19.155000", "tags": [ "malware", "cobalt group", "TEMP.Metastrike", "phishing" ], "references": [ "https://asert.arbornetworks.com/double-the-infection-double-the-fun/" ], "public": 1, "adversary": "Cobalt group", "targeted_countries": [ "Russian Federation" ], "malware_families": [], "attack_ids": [], "industries": [ "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 12, "domain": 11, "hostname": 2, "FileHash-MD5": 13 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 376796, "modified_text": "2784 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://sepa-cloud.com/file/Documents/document_78219.jpg.exe", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://sepa-cloud.com/file/Documents/document_78219.jpg.exe", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776223138.627919 }