{
  "type": "Domain",
  "indicator": "outl00k.net",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/outl00k.net",
    "alexa": "http://www.alexa.com/siteinfo/outl00k.net",
    "indicator": "outl00k.net",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 881633883,
      "indicator": "outl00k.net",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "5d88e9ca5293654ab1f90e1a",
          "name": "xHunt Campaign: Attacks on Kuwait Shipping and Transportation Organizations",
          "description": "Between May and June 2019, Unit 42 observed previously unknown tools used in the targeting of transportation and shipping organizations based in Kuwait.\n\nThe first known attack in this campaign targeted a Kuwait transportation and shipping company in which the actors installed a backdoor tool named Hisoka. Several custom tools were later downloaded to the system in order to carry out post-exploitation activities. All of these tools appear to have been created by the same developer. We were able to collect several variations of these tools including one dating back to July 2018.",
          "modified": "2019-09-23T15:50:34.406000",
          "created": "2019-09-23T15:50:34.406000",
          "tags": [
            "oilrig"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/"
          ],
          "public": 1,
          "adversary": "OilRig",
          "targeted_countries": [
            "Kuwait"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 65,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 10,
            "FileHash-SHA256": 1,
            "hostname": 15,
            "email": 1
          },
          "indicator_count": 27,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386560,
          "modified_text": "2441 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5b23461fb45c923a8bba290d",
          "name": "Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor",
          "description": "The MuddyWater campaign was first sighted in 2017 when it targeted the Saudi government using an attack involving PowerShell scripts deployed via a Microsoft Office Word macro. In March 2018, we provided a detailed analysis of another campaign that bore the hallmarks of MuddyWater.\n\nIn May 2018, we found a new sample (Detected as W2KM_DLOADR.UHAOEEN) that may be related to this campaign. Like the previous campaigns, these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell (PS) scripts leading to a backdoor payload. One notable difference in the analyzed samples is that they do not directly download the Visual Basic Script (VBS) and PowerShell component files, and instead encode all the scripts in the document itself. The scripts are then decoded and dropped to execute the payload without needing to download the component files.",
          "modified": "2018-06-15T04:52:47.733000",
          "created": "2018-06-15T04:52:47.733000",
          "tags": [
            "powershell",
            "muddywater",
            "telltale",
            "middle east",
            "microsoft word",
            "word",
            "saudi",
            "trendmicro"
          ],
          "references": [
            "https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/"
          ],
          "public": 1,
          "adversary": "MuddyWater",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 40,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 2,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386596,
          "modified_text": "2907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/",
        "https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "OilRig",
            "MuddyWater"
          ],
          "malware_families": [],
          "industries": [
            "Energy"
          ]
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "5d88e9ca5293654ab1f90e1a",
      "name": "xHunt Campaign: Attacks on Kuwait Shipping and Transportation Organizations",
      "description": "Between May and June 2019, Unit 42 observed previously unknown tools used in the targeting of transportation and shipping organizations based in Kuwait.\n\nThe first known attack in this campaign targeted a Kuwait transportation and shipping company in which the actors installed a backdoor tool named Hisoka. Several custom tools were later downloaded to the system in order to carry out post-exploitation activities. All of these tools appear to have been created by the same developer. We were able to collect several variations of these tools including one dating back to July 2018.",
      "modified": "2019-09-23T15:50:34.406000",
      "created": "2019-09-23T15:50:34.406000",
      "tags": [
        "oilrig"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/"
      ],
      "public": 1,
      "adversary": "OilRig",
      "targeted_countries": [
        "Kuwait"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Energy"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 65,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 10,
        "FileHash-SHA256": 1,
        "hostname": 15,
        "email": 1
      },
      "indicator_count": 27,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386560,
      "modified_text": "2441 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5b23461fb45c923a8bba290d",
      "name": "Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor",
      "description": "The MuddyWater campaign was first sighted in 2017 when it targeted the Saudi government using an attack involving PowerShell scripts deployed via a Microsoft Office Word macro. In March 2018, we provided a detailed analysis of another campaign that bore the hallmarks of MuddyWater.\n\nIn May 2018, we found a new sample (Detected as W2KM_DLOADR.UHAOEEN) that may be related to this campaign. Like the previous campaigns, these samples again involve a Microsoft Word document embedded with a malicious macro that is capable of executing PowerShell (PS) scripts leading to a backdoor payload. One notable difference in the analyzed samples is that they do not directly download the Visual Basic Script (VBS) and PowerShell component files, and instead encode all the scripts in the document itself. The scripts are then decoded and dropped to execute the payload without needing to download the component files.",
      "modified": "2018-06-15T04:52:47.733000",
      "created": "2018-06-15T04:52:47.733000",
      "tags": [
        "powershell",
        "muddywater",
        "telltale",
        "middle east",
        "microsoft word",
        "word",
        "saudi",
        "trendmicro"
      ],
      "references": [
        "https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/"
      ],
      "public": 1,
      "adversary": "MuddyWater",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 40,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1,
        "FileHash-SHA256": 1
      },
      "indicator_count": 2,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386596,
      "modified_text": "2907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "outl00k.net",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "outl00k.net",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780231903.6454017
}