{ "type": "Domain", "indicator": "rannd.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/rannd.org", "alexa": "http://www.alexa.com/siteinfo/rannd.org", "indicator": "rannd.org", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 217601733, "indicator": "rannd.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "5a2ec3fac5ea9f2d416a9c07", "name": "Untangling the Patchwork Cyberespionage Group", "description": "Patchwork (also known as Dropping Elephant) is a cyberespionage group known for targeting diplomatic and government agencies that has since added businesses to their list of targets. Patchwork\u2019s moniker is from its notoriety for rehashing off-the-rack tools and malware for its own campaigns. The attack vectors they use may not be groundbreaking\u2014what with other groups exploiting zero-days or adjusting their tactics\u2014but the group\u2019s repertoire of infection vectors and payloads makes them a credible threat.\n\nWe trailed Patchwork\u2019s activities over the course of its campaigns in 2017. The diversity of their methods is notable\u2014from the social engineering hooks, attack chains, and backdoors they deployed. They\u2019ve also joined the Dynamic Data Exchange (DDE) and Windows Script Component (SCT) abuse bandwagons and started exploiting recently reported vulnerabilities. These imply they\u2019re at least keeping an eye on other threats and security flaws that they can repurpose for their own ends. Also of note are its attem", "modified": "2019-01-23T11:00:14.800000", "created": "2017-12-11T17:44:26.080000", "tags": [ "Patchwork", "xRAT", "NDiskMonitor", "Socksbot", "Badnews" ], "references": [ "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/" ], "public": 1, "adversary": "Dropping Elephant", "targeted_countries": [ "China", "United Kingdom", "Turkey", "Israel" ], "malware_families": [], "attack_ids": [], "industries": [ "government", "retail", "telecommunications", "media", "aerospace", "finance" ], "TLP": "white", "cloned_from": null, "export_count": 105, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 28, "FileHash-SHA256": 41, "CVE": 5 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 386837, "modified_text": "2686 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5acdd6b00930323aa00fbbd3", "name": "Continued White Elephant Spearphishes", "description": "", "modified": "2018-04-11T09:34:39.730000", "created": "2018-04-11T09:34:39.730000", "tags": [ "india", "white elephant", "pathwork", "appin" ], "references": [ "http://stock.jrj.com.cn/2018/03/31000024362600.shtml", "https://www.hybrid-analysis.com/sample/21f5514d6256a20dcf9af315ee742d6d2a5b07009b200b447c45b2e8f057361d?environmentId=100" ], "public": 1, "adversary": "Dropping Elephant", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 4, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 386742, "modified_text": "2973 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5a143066e6ecbc245110c200", "name": "Continued Hangover Activity", "description": "Spearphishes impersonating RAND", "modified": "2018-01-16T12:27:22.452000", "created": "2017-11-21T13:55:50.735000", "tags": [ "india", "appin", "hangover", "patchwork" ], "references": [ "https://www.gov.il/he/Departments/publications/reports/rand", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#", "https://www.ci-project.org/blog/2017/9/26/incident-report-malicious-document-with-bangladesh-theme-possibly-linked-to-patchwork-actor", "https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cyberespionage-group.pdf" ], "public": 1, "adversary": "Hangover", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 80, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 45, "FileHash-SHA256": 61, "hostname": 82, "FileHash-MD5": 14, "FileHash-SHA1": 8, "domain": 29 }, "indicator_count": 239, "is_author": false, "is_subscribing": null, "subscriber_count": 386741, "modified_text": "3058 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cyberespionage-group.pdf", "http://stock.jrj.com.cn/2018/03/31000024362600.shtml", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#", "https://www.ci-project.org/blog/2017/9/26/incident-report-malicious-document-with-bangladesh-theme-possibly-linked-to-patchwork-actor", "https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/", "https://www.gov.il/he/Departments/publications/reports/rand", "https://www.hybrid-analysis.com/sample/21f5514d6256a20dcf9af315ee742d6d2a5b07009b200b447c45b2e8f057361d?environmentId=100", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" ], "related": { "alienvault": { "adversary": [ "Dropping Elephant", "Hangover" ], "malware_families": [], "industries": [ "Finance", "Aerospace", "Government", "Media", "Telecommunications", "Retail" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "5a2ec3fac5ea9f2d416a9c07", "name": "Untangling the Patchwork Cyberespionage Group", "description": "Patchwork (also known as Dropping Elephant) is a cyberespionage group known for targeting diplomatic and government agencies that has since added businesses to their list of targets. Patchwork\u2019s moniker is from its notoriety for rehashing off-the-rack tools and malware for its own campaigns. The attack vectors they use may not be groundbreaking\u2014what with other groups exploiting zero-days or adjusting their tactics\u2014but the group\u2019s repertoire of infection vectors and payloads makes them a credible threat.\n\nWe trailed Patchwork\u2019s activities over the course of its campaigns in 2017. The diversity of their methods is notable\u2014from the social engineering hooks, attack chains, and backdoors they deployed. They\u2019ve also joined the Dynamic Data Exchange (DDE) and Windows Script Component (SCT) abuse bandwagons and started exploiting recently reported vulnerabilities. These imply they\u2019re at least keeping an eye on other threats and security flaws that they can repurpose for their own ends. Also of note are its attem", "modified": "2019-01-23T11:00:14.800000", "created": "2017-12-11T17:44:26.080000", "tags": [ "Patchwork", "xRAT", "NDiskMonitor", "Socksbot", "Badnews" ], "references": [ "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/" ], "public": 1, "adversary": "Dropping Elephant", "targeted_countries": [ "China", "United Kingdom", "Turkey", "Israel" ], "malware_families": [], "attack_ids": [], "industries": [ "government", "retail", "telecommunications", "media", "aerospace", "finance" ], "TLP": "white", "cloned_from": null, "export_count": 105, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 28, "FileHash-SHA256": 41, "CVE": 5 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 386837, "modified_text": "2686 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5acdd6b00930323aa00fbbd3", "name": "Continued White Elephant Spearphishes", "description": "", "modified": "2018-04-11T09:34:39.730000", "created": "2018-04-11T09:34:39.730000", "tags": [ "india", "white elephant", "pathwork", "appin" ], "references": [ "http://stock.jrj.com.cn/2018/03/31000024362600.shtml", "https://www.hybrid-analysis.com/sample/21f5514d6256a20dcf9af315ee742d6d2a5b07009b200b447c45b2e8f057361d?environmentId=100" ], "public": 1, "adversary": "Dropping Elephant", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 4, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 386742, "modified_text": "2973 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5a143066e6ecbc245110c200", "name": "Continued Hangover Activity", "description": "Spearphishes impersonating RAND", "modified": "2018-01-16T12:27:22.452000", "created": "2017-11-21T13:55:50.735000", "tags": [ "india", "appin", "hangover", "patchwork" ], "references": [ "https://www.gov.il/he/Departments/publications/reports/rand", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#", "https://www.ci-project.org/blog/2017/9/26/incident-report-malicious-document-with-bangladesh-theme-possibly-linked-to-patchwork-actor", "https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cyberespionage-group.pdf" ], "public": 1, "adversary": "Hangover", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 80, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 45, "FileHash-SHA256": 61, "hostname": 82, "FileHash-MD5": 14, "FileHash-SHA1": 8, "domain": 29 }, "indicator_count": 239, "is_author": false, "is_subscribing": null, "subscriber_count": 386741, "modified_text": "3058 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "rannd.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "rannd.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780320421.3749392 }