{ "type": "Domain", "indicator": "vmware-cdn.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/vmware-cdn.com", "alexa": "http://www.alexa.com/siteinfo/vmware-cdn.com", "indicator": "vmware-cdn.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 1657937958, "indicator": "vmware-cdn.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "5f4fd46ac0f4e7ee5448bd40", "name": "OpBlueRaven: Unveiling Fin7/Carbanak - Part II: BadUSB Attacks", "description": "This article aims to provide its readers with the details about PRODAFT & INVICTUS Threat Intelligence (PTI) team's latest operation on different threat actors; who have been detected to be working in cooperation with the notorious FIN7 APT group.\n\nWe appreciate all your support after the first part of this series. Before disclosing the relationship between Fin7 and REvil groups, we are trying to reach the ransomware victims. Until reaching all necessary parties, we will continue to publish articles about FIN7 attackers' tools.", "modified": "2020-10-02T00:04:12.395000", "created": "2020-09-02T17:20:42.241000", "tags": [ "FIN7", "Carbanak", "BadUSB", "Bella RAT", "Tirion Loader", "macOS" ], "references": [ "https://threatintel.blog/OPBlueRaven-Part2/", "https://threatintel.blog/OPBlueRaven-Part1/", "https://github.com/kdaoudieh/Bella" ], "public": 1, "adversary": "FIN7", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Russian Federation", "Spain", "Sweden", "Switzerland", "Israel", "Italy", "Mexico", "Netherlands", "Panama", "Poland", "Chile", "Slovakia" ], "malware_families": [ { "id": "Carbanak - S0030", "display_name": "Carbanak - S0030", "target": null }, { "id": "Bella RAT", "display_name": "Bella RAT", "target": null }, { "id": "BadUSB", "display_name": "BadUSB", "target": null }, { "id": "Tirion Loader", "display_name": "Tirion Loader", "target": null } ], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1544", "name": "Remote File Copy", "display_name": "T1544 - Remote File Copy" }, { "id": "T1021.005", "name": "VNC", "display_name": "T1021.005 - VNC" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1555.001", "name": "Keychain", "display_name": "T1555.001 - Keychain" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 106, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 16 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 387093, "modified_text": "2070 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5d9620fe94859e82197a1750", "name": "Magecart Group 4: A link with Cobalt Group?", "description": "Magecart is a term that has become a household name, and it refers to the theft of credit card data via online stores. The most common scenario is for criminals to compromise e-commerce sites by injecting rogue JavaScript code designed to steal any information entered by victims on the checkout page.", "modified": "2019-10-03T16:25:34.329000", "created": "2019-10-03T16:25:34.329000", "tags": [ "Magecart" ], "references": [ "https://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/" ], "public": 1, "adversary": "Magecart", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Retail" ], "TLP": "white", "cloned_from": null, "export_count": 99, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 19, "URL": 95, "IPv6": 1, "hostname": 24, "FileHash-SHA256": 1, "domain": 56 }, "indicator_count": 196, "is_author": false, "is_subscribing": null, "subscriber_count": 387114, "modified_text": "2434 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5cb46aba498cfc2a71bb2936", "name": "Possible FIN7 Domains", "description": "", "modified": "2019-06-09T00:03:53.558000", "created": "2019-04-15T11:27:54.782000", "tags": [], "references": [ "https://twitter.com/kyleehmke/status/1117729975484993536" ], "public": 1, "adversary": "FIN7", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 23, "FileHash-SHA256": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 387134, "modified_text": "2551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5cd2ab4fa31b77a6a4c0a84f", "name": "FIN7.5 the infamous cybercrime rig FIN7 continues its activities", "description": "On August 1, 2018, the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig. FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015. Interestingly, this threat actor created fake companies in order to hire remote pentesters, developers and interpreters to participate in their malicious business. The main goal behind its malicious activities was to steal financial assets from companies, such as debit cards, or get access to financial data or computers of finance department employees in order to conduct wire transfers to offshore accounts.", "modified": "2019-05-23T08:40:10.199000", "created": "2019-05-08T10:11:26.836000", "tags": [ "fin7", "carbanak" ], "references": [ "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", "https://twitter.com/HONKONE_K/status/1131432019940917248" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 70, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "domain": 47, "hostname": 6, "FileHash-MD5": 1 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 387128, "modified_text": "2568 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61d615a3fa213074f805deaa", "name": "OpBlueRaven IOC", "description": "These IOCs were released as part of our threat intelligence research on the OpBlueRaven. Between the months of May and July 2020; four members of PRODAFT Threat Intelligence team have conducted operation BlueRaven. A case study which originated from discovering a minor OpSec failure of a seemingly unimportant group of threat actors. Of course these threat actors have later been found to have ties with the notorious Fin7 / Carbanak threat actors. The full report will be available in references.", "modified": "2022-02-04T00:00:10.799000", "created": "2022-01-05T22:03:15.460000", "tags": [ "carbanak", "backdoor" ], "references": [ "https://threatintel.blog/OPBlueRaven-Part1/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Carbanak", "display_name": "Carbanak", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PRODAFT_", "id": "176319", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_176319/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 425, "domain": 16 }, "indicator_count": 441, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "1580 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://twitter.com/kyleehmke/status/1117729975484993536", "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", "https://threatintel.blog/OPBlueRaven-Part2/", "https://threatintel.blog/OPBlueRaven-Part1/", "https://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/", "https://twitter.com/HONKONE_K/status/1131432019940917248", "https://github.com/kdaoudieh/Bella" ], "related": { "alienvault": { "adversary": [ "Magecart", "FIN7" ], "malware_families": [ "Bella rat", "Badusb", "Tirion loader", "Carbanak - s0030" ], "industries": [ "Retail" ] }, "other": { "adversary": [], "malware_families": [ "Carbanak" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "5f4fd46ac0f4e7ee5448bd40", "name": "OpBlueRaven: Unveiling Fin7/Carbanak - Part II: BadUSB Attacks", "description": "This article aims to provide its readers with the details about PRODAFT & INVICTUS Threat Intelligence (PTI) team's latest operation on different threat actors; who have been detected to be working in cooperation with the notorious FIN7 APT group.\n\nWe appreciate all your support after the first part of this series. Before disclosing the relationship between Fin7 and REvil groups, we are trying to reach the ransomware victims. Until reaching all necessary parties, we will continue to publish articles about FIN7 attackers' tools.", "modified": "2020-10-02T00:04:12.395000", "created": "2020-09-02T17:20:42.241000", "tags": [ "FIN7", "Carbanak", "BadUSB", "Bella RAT", "Tirion Loader", "macOS" ], "references": [ "https://threatintel.blog/OPBlueRaven-Part2/", "https://threatintel.blog/OPBlueRaven-Part1/", "https://github.com/kdaoudieh/Bella" ], "public": 1, "adversary": "FIN7", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Russian Federation", "Spain", "Sweden", "Switzerland", "Israel", "Italy", "Mexico", "Netherlands", "Panama", "Poland", "Chile", "Slovakia" ], "malware_families": [ { "id": "Carbanak - S0030", "display_name": "Carbanak - S0030", "target": null }, { "id": "Bella RAT", "display_name": "Bella RAT", "target": null }, { "id": "BadUSB", "display_name": "BadUSB", "target": null }, { "id": "Tirion Loader", "display_name": "Tirion Loader", "target": null } ], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1544", "name": "Remote File Copy", "display_name": "T1544 - Remote File Copy" }, { "id": "T1021.005", "name": "VNC", "display_name": "T1021.005 - VNC" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1555.001", "name": "Keychain", "display_name": "T1555.001 - Keychain" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 106, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 16 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 387093, "modified_text": "2070 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5d9620fe94859e82197a1750", "name": "Magecart Group 4: A link with Cobalt Group?", "description": "Magecart is a term that has become a household name, and it refers to the theft of credit card data via online stores. The most common scenario is for criminals to compromise e-commerce sites by injecting rogue JavaScript code designed to steal any information entered by victims on the checkout page.", "modified": "2019-10-03T16:25:34.329000", "created": "2019-10-03T16:25:34.329000", "tags": [ "Magecart" ], "references": [ "https://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/" ], "public": 1, "adversary": "Magecart", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Retail" ], "TLP": "white", "cloned_from": null, "export_count": 99, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 19, "URL": 95, "IPv6": 1, "hostname": 24, "FileHash-SHA256": 1, "domain": 56 }, "indicator_count": 196, "is_author": false, "is_subscribing": null, "subscriber_count": 387114, "modified_text": "2434 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5cb46aba498cfc2a71bb2936", "name": "Possible FIN7 Domains", "description": "", "modified": "2019-06-09T00:03:53.558000", "created": "2019-04-15T11:27:54.782000", "tags": [], "references": [ "https://twitter.com/kyleehmke/status/1117729975484993536" ], "public": 1, "adversary": "FIN7", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 23, "FileHash-SHA256": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 387134, "modified_text": "2551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5cd2ab4fa31b77a6a4c0a84f", "name": "FIN7.5 the infamous cybercrime rig FIN7 continues its activities", "description": "On August 1, 2018, the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig. FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015. Interestingly, this threat actor created fake companies in order to hire remote pentesters, developers and interpreters to participate in their malicious business. The main goal behind its malicious activities was to steal financial assets from companies, such as debit cards, or get access to financial data or computers of finance department employees in order to conduct wire transfers to offshore accounts.", "modified": "2019-05-23T08:40:10.199000", "created": "2019-05-08T10:11:26.836000", "tags": [ "fin7", "carbanak" ], "references": [ "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", "https://twitter.com/HONKONE_K/status/1131432019940917248" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 70, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "domain": 47, "hostname": 6, "FileHash-MD5": 1 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 387128, "modified_text": "2568 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61d615a3fa213074f805deaa", "name": "OpBlueRaven IOC", "description": "These IOCs were released as part of our threat intelligence research on the OpBlueRaven. Between the months of May and July 2020; four members of PRODAFT Threat Intelligence team have conducted operation BlueRaven. A case study which originated from discovering a minor OpSec failure of a seemingly unimportant group of threat actors. Of course these threat actors have later been found to have ties with the notorious Fin7 / Carbanak threat actors. The full report will be available in references.", "modified": "2022-02-04T00:00:10.799000", "created": "2022-01-05T22:03:15.460000", "tags": [ "carbanak", "backdoor" ], "references": [ "https://threatintel.blog/OPBlueRaven-Part1/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Carbanak", "display_name": "Carbanak", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PRODAFT_", "id": "176319", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_176319/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 425, "domain": 16 }, "indicator_count": 441, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "1580 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "vmware-cdn.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "vmware-cdn.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780490793.9108775 }