{ "type": "Domain", "indicator": "rnfacebook.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/rnfacebook.com", "alexa": "http://www.alexa.com/siteinfo/rnfacebook.com", "indicator": "rnfacebook.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3109739609, "indicator": "rnfacebook.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "62fe1aca9fef9f5519488495", "name": "Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors", "description": "Security researchers have been tracking UNC3890, a cluster of activity targeting Israeli shipping, government, energy and healthcare organizations via social engineering lures and a potential watering hole. UNC3890 uses at least two unique tools: a backdoor named SUGARUSH, and a browser credential stealer, which exfiltrates stolen data via Gmail, Yahoo and Yandex email services, named SUGARDUMP.", "modified": "2022-09-17T00:02:49.667000", "created": "2022-08-18T10:56:09.526000", "tags": [ "sugarush", "sugardump", "iran", "yahoo", "gmail" ], "references": [ "https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping" ], "public": 1, "adversary": "", "targeted_countries": [ "Israel" ], "malware_families": [ { "id": "SUGARUSH", "display_name": "SUGARUSH", "target": null }, { "id": "SUGARDUMP", "display_name": "SUGARDUMP", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [ "Aviation", "Healthcare", "Energy", "Government", "Shipping" ], "TLP": "white", "cloned_from": null, "export_count": 512, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "URL": 1, "domain": 9 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 386789, "modified_text": "1354 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6304de13238b2a4d19408803", "name": "Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors | Mandiant", "description": "Find out more about Mandiant, the world's leading cyber security software provider, which provides insights into the threat posed by hackers and those seeking to steal data from the public and private sector, at the same time.", "modified": "2022-09-22T00:02:31.511000", "created": "2022-08-23T14:02:59.391000", "tags": [ "sugarush", "sugardump", "unc3890", "mandiant", "appdata", "iran", "yahoo", "israel", "gmail", "yandex", "facebook", "april", "metasploit", "service", "malware", "powershell", "shell", "capture", "malicious" ], "references": [ "https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping" ], "public": 1, "adversary": "", "targeted_countries": [ "Iran, Islamic Republic of", "Israel" ], "malware_families": [ { "id": "SUGARUSH", "display_name": "SUGARUSH", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [ "Aviation", "Healthcare", "Energy", "Government", "Shipping" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluewatcher", "id": "174522", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 23, "FileHash-SHA256": 23, "URL": 1, "domain": 9 }, "indicator_count": 80, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "1349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62fcf98f342ed361898c0c77", "name": "UNC3890 IOCs", "description": "Malware/Tools Hosting, Watering Hole C2, Fake Login Pages, and ReverseShell are all part of the same malicious software, which can be used to spread malware and spread malicious code.", "modified": "2022-09-16T00:05:57.569000", "created": "2022-08-17T14:22:07.333000", "tags": [ "fake domain", "sugarush md5", "c2 server", "sugardump smtp", "domain", "sugardump", "sugardump http", "northstar c2", "domain domain", "type value" ], "references": [ "https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 9, "FileHash-SHA256": 9, "domain": 9 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "1355 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping", "https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Sugardump", "Sugarush" ], "industries": [ "Energy", "Healthcare", "Shipping", "Government", "Aviation" ] }, "other": { "adversary": [], "malware_families": [ "Sugarush" ], "industries": [ "Energy", "Healthcare", "Shipping", "Government", "Aviation" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "62fe1aca9fef9f5519488495", "name": "Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors", "description": "Security researchers have been tracking UNC3890, a cluster of activity targeting Israeli shipping, government, energy and healthcare organizations via social engineering lures and a potential watering hole. UNC3890 uses at least two unique tools: a backdoor named SUGARUSH, and a browser credential stealer, which exfiltrates stolen data via Gmail, Yahoo and Yandex email services, named SUGARDUMP.", "modified": "2022-09-17T00:02:49.667000", "created": "2022-08-18T10:56:09.526000", "tags": [ "sugarush", "sugardump", "iran", "yahoo", "gmail" ], "references": [ "https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping" ], "public": 1, "adversary": "", "targeted_countries": [ "Israel" ], "malware_families": [ { "id": "SUGARUSH", "display_name": "SUGARUSH", "target": null }, { "id": "SUGARDUMP", "display_name": "SUGARDUMP", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [ "Aviation", "Healthcare", "Energy", "Government", "Shipping" ], "TLP": "white", "cloned_from": null, "export_count": 512, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "URL": 1, "domain": 9 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 386789, "modified_text": "1354 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6304de13238b2a4d19408803", "name": "Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors | Mandiant", "description": "Find out more about Mandiant, the world's leading cyber security software provider, which provides insights into the threat posed by hackers and those seeking to steal data from the public and private sector, at the same time.", "modified": "2022-09-22T00:02:31.511000", "created": "2022-08-23T14:02:59.391000", "tags": [ "sugarush", "sugardump", "unc3890", "mandiant", "appdata", "iran", "yahoo", "israel", "gmail", "yandex", "facebook", "april", "metasploit", "service", "malware", "powershell", "shell", "capture", "malicious" ], "references": [ "https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping" ], "public": 1, "adversary": "", "targeted_countries": [ "Iran, Islamic Republic of", "Israel" ], "malware_families": [ { "id": "SUGARUSH", "display_name": "SUGARUSH", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [ "Aviation", "Healthcare", "Energy", "Government", "Shipping" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluewatcher", "id": "174522", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 23, "FileHash-SHA256": 23, "URL": 1, "domain": 9 }, "indicator_count": 80, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "1349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62fcf98f342ed361898c0c77", "name": "UNC3890 IOCs", "description": "Malware/Tools Hosting, Watering Hole C2, Fake Login Pages, and ReverseShell are all part of the same malicious software, which can be used to spread malware and spread malicious code.", "modified": "2022-09-16T00:05:57.569000", "created": "2022-08-17T14:22:07.333000", "tags": [ "fake domain", "sugarush md5", "c2 server", "sugardump smtp", "domain", "sugardump", "sugardump http", "northstar c2", "domain domain", "type value" ], "references": [ "https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 9, "FileHash-SHA256": 9, "domain": 9 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "1355 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "rnfacebook.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "rnfacebook.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780363832.427885 }