{ "Event": { "analysis": "1", "date": "2022-04-13", "extends_uuid": "", "info": "[Threat Intel] INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems", "protected": false, "publish_timestamp": "1772407523", "published": true, "threat_level_id": "2", "timestamp": "1772407520", "uuid": "0d9d1da8-710b-478a-954b-7964321bbbbe", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:producer=\"Mandiant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"INCONTROLLER\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#190061", "local": false, "name": "rectifyq:topic=\"ics-ot\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"State-Sponsored\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#f63636", "local": false, "name": "ICS-specific", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-assets=\"Field Controller/RTU/PLC/IED\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Industrial\"", "relationship_type": "" }, { "colour": "#3500ca", "local": false, "name": "rectifyq:detection-rules=\"yara-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772336481", "to_ids": false, "type": "link", "uuid": "204312dd-3819-449e-bb47-3b92e00531aa", "value": "https://cloud.google.com/blog/topics/threat-intelligence/incontroller-state-sponsored-ics-tool/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772336650", "to_ids": false, "type": "other", "uuid": "71092a32-d26c-4d8c-809f-389cba41234a", "value": "TAGRUN MITRE ATT&CK for ICS mapping", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Command-Line Interface\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Commonly Used Port\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Monitor Process State\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Point & Tag Identification\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Remote System Discovery\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Scripting\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Standard Application Layer Protocol\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Theft of Operational Information\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Valid Accounts\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772336759", "to_ids": false, "type": "other", "uuid": "c196b9ed-8882-4497-947b-09d7d0278d10", "value": "CODECALL MITRE ATT&CK for ICS mapping", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Command-Line Interface\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Commonly Used Port\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Damage to Property\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Default Credentials\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Loss of Safety\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Manipulation of Control\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Modify Parameter\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Monitor Process State\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Program Download\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Program Upload\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Remote System Discovery\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Scripting\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Service Stop\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Standard Application Layer Protocol\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"System Firmware\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Theft of Operational Information\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Unauthorized Command Message\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Valid Accounts\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772337240", "to_ids": false, "type": "link", "uuid": "421c2492-9a0c-4e4b-9324-75e824fac5ce", "value": "https://download.schneider-electric.com/files?p_Doc_Ref=SESB-2022-01" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772345744", "to_ids": false, "type": "link", "uuid": "1feed356-0d66-4082-b931-f4e70774d0f2", "value": "https://www.txone.com/blog/analysis-of-the-pipedream-local-exploit/" } ], "Object": [ { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "7", "timestamp": "1772336996", "uuid": "97a697a6-fe49-4d3c-ad10-4020dc5fbb4e", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1772336996", "to_ids": false, "type": "text", "uuid": "d73afa74-ffc0-4051-8238-0fce76a95d11", "value": "MTI_Hunting_AsRockDriver_Exploit_PDB" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "comment", "timestamp": "1772336996", "to_ids": false, "type": "comment", "uuid": "2b553be2-e64b-475d-b83e-6164965e67eb", "value": "Searching for executables containing strings associated with AsRock driver Exploit." }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1772336996", "to_ids": true, "type": "yara", "uuid": "4129e3a2-3c3d-427e-8223-69ed34cb1dd1", "value": "rule MTI_Hunting_AsRockDriver_Exploit_PDB\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date = \"03-23-2022\"\r\n description = \"Searching for executables containing strings associated with AsRock driver Exploit.\"\r\n strings:\r\n $dos_stub = \"This program cannot be run in DOS mode\"\r\n $pdb_bad = \"dev projects\\\\SignSploit1\\\\x64\\\\Release\\\\AsrDrv_exploit.pdb\"\r\n $pdb_good = \"c:\\\\asrock\\\\work\\\\asrocksdk_v0.0.69\\\\asrrw\\\\src\\\\driver\\\\src\\\\objfre_win7_amd64\\\\amd64\\\\AsrDrv103.pdb\"\r\n condition:\r\n all of them and (@pdb_bad < @dos_stub[2]) and (#dos_stub == 2) and (@pdb_good > @dos_stub[2])\r\n}" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "7", "timestamp": "1772337024", "uuid": "2fa0a9e1-8635-4062-85a1-1bbe5ab2d323", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1772337024", "to_ids": false, "type": "text", "uuid": "4b25b990-850f-4e38-a6d0-ff33f84d7bff", "value": "MTI_Hunting_AsRockDriver_Exploit_Generic" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "comment", "timestamp": "1772337024", "to_ids": false, "type": "comment", "uuid": "c73f895f-b9ee-42fb-b7cd-6e86ba5623dc", "value": "Searching for executables containing strings associated with AsRock driver Exploit." }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1772337024", "to_ids": true, "type": "yara", "uuid": "0ebddac0-4d6c-43e5-8338-08d091b63c33", "value": "rule MTI_Hunting_AsRockDriver_Exploit_Generic\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date = \"03-23-2022\"\r\n description = \"Searching for executables containing strings associated with AsRock driver Exploit.\"\r\n strings:\r\n $dos_stub = \"This program cannot be run in DOS mode\"\r\n $pdb_good = \"c:\\\\asrock\\\\work\\\\asrocksdk_v0.0.69\\\\asrrw\\\\src\\\\driver\\\\src\\\\objfre_win7_amd64\\\\amd64\\\\AsrDrv103.pdb\"\r\n condition:\r\n all of them and (#dos_stub == 2) and (@pdb_good > @dos_stub[2])\r\n}" } ] } ] } }