{
  "Event": {
    "analysis": "1",
    "date": "2024-07-24",
    "extends_uuid": "",
    "info": "[Threat Intel] Cyberwarfare Targeting OT: Protecting Against FrostyGoop/BUSTLEBERM Malware",
    "protected": false,
    "publish_timestamp": "1772407348",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772407346",
    "uuid": "5dd48f6e-1cc1-4275-9b21-41f2565c50ee",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"FrostyGoop\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Energy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772362840",
        "to_ids": false,
        "type": "link",
        "uuid": "36e5b09c-62c6-4019-9a8e-97274c246d1f",
        "value": "https://www.nozominetworks.com/blog/protecting-against-frostygoop-bustleberm-malware",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1772362919",
        "uuid": "6f52f07e-fc36-406e-97de-e3989b9410e5",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1772362919",
            "to_ids": false,
            "type": "text",
            "uuid": "2454ea7a-6c44-4918-b817-2a2e95458a3d",
            "value": "Mal_Hacktool_Win64_Bustleberm"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1772362919",
            "to_ids": false,
            "type": "comment",
            "uuid": "d2e1faa6-1879-44a9-8589-ecd5dbd8b9a5",
            "value": "Detects the BUSTLEBERM ICS Hacktool (also known as FrostyGoop)"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1772362919",
            "to_ids": true,
            "type": "yara",
            "uuid": "836ef1d4-665f-4444-a712-ca51b171367a",
            "value": "rule Mal_Hacktool_Win64_Bustleberm\r\n{\r\nmeta:\r\n   name = \"BUSTLEBERM ICS Hacktool\"\r\n   author = \"Nozomi Networks Labs\"\r\n   description = \"Detects the BUSTLEBERM ICS Hacktool (also known as FrostyGoop)\"\r\n   date = \"2024-07-24\"\r\n   tlp = \"clear\"\r\n   x_threat_name = \"BUSTLEBERM\"\r\n   x_mitre_technique = \"T1007, T1012, T1033, T1112, T1543, T0869, T0855\"\r\n   reference = \"https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_.pdf\"\r\n   hash1 = \"5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb\"\r\n   hash2 = \"a63ba88ad869085f1625729708ba65e87f5b37d7be9153b3db1a1b0e3fed309c\"\r\nstrings:\r\n   $go = \"Go build ID:\" ascii fullword\r\n   $modbus_1 = \"github.com/rolfl/modbus\" ascii fullword\r\n   $modbus_2 = \"\\x00main.MbConfig.writeMultiple\\x00\" ascii\r\n   $rtn_1 = \"\\x00main.TaskList.executeCommand\\x00\" ascii\r\n   $rtn_2 = \"\\x00main.TaskList.getTaskIpList\\x00\" ascii\r\n   $rtn_3 = \"\\x00main.TaskList.getIpList\\x00\" ascii\r\n   $rtn_4 = \"\\x00main.TargetList.getTargetIpList\\x00\" ascii\r\ncondition:\r\n   uint16(0) == 0x5a4d and\r\n   filesize <= 10MB and\r\n   $go and\r\n   any of ($modbus_*) and\r\n   2 of ($rtn_*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772368800",
        "uuid": "8d21ca83-88a0-489c-8b7b-17e03db80cb3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772368800",
            "to_ids": true,
            "type": "md5",
            "uuid": "e91ba3f0-cce4-4d5f-9e06-5db8a60d0260",
            "value": "0f302500bf0565737f09e75cd56b8088",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772367770",
            "to_ids": true,
            "type": "sha1",
            "uuid": "072e649c-6689-4d63-bc05-6185f3843d02",
            "value": "6a572f0395439e3ba00e1b32c3dfb729d7a197cd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772367770",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5b9fc9d5-e855-4344-b3ce-b45767975e0d",
            "value": "5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772367093",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "273798c6-3da5-49d5-9281-acca0525da07",
            "value": "49152:zZ02M3iGhwlrb/TlvO90d7HjmAFd4A64nsfJ2tDgsAwe9kSPgaS7r/a++lD1H54b:Whka4uNoPy5stb"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772367093",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5004298e-7d93-4be6-91be-fd4496c3aa50",
            "value": "3699200"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772367093",
            "to_ids": true,
            "type": "vhash",
            "uuid": "20f465c9-9ee6-45a1-a4b6-4154b3cbde87",
            "value": "0360d6655d15557575157az28!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772367093",
            "to_ids": true,
            "type": "filename",
            "uuid": "de4cce12-c9f3-4ee6-8383-bf3197f98aa1",
            "value": "5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb (2).exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast scan: 27/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772367093",
            "to_ids": false,
            "type": "text",
            "uuid": "1a09c2e1-8c0c-43d3-a0c2-7133dcdba0ad",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/FrostyGoop.A!MTB\nVT Total Detection: 54/72\nFirst Submission: 2023-10-30T16:13:12.000000+00:00\nLast Submission: 2026-02-27T08:27:33.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772368821",
        "uuid": "2a85bc1f-ef43-4ea8-bbb9-071e968717b0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772368821",
            "to_ids": true,
            "type": "md5",
            "uuid": "19cc5b8d-782d-429f-9888-67c2d6be84b3",
            "value": "db210c39721c58c4c3fbf0c8d6cb3d0e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772367771",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e377414d-37bf-4736-a60d-06919261c5d7",
            "value": "a469583ded8d2cc7c5388a10c5f7a10331f38c16",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772367771",
            "to_ids": true,
            "type": "sha256",
            "uuid": "81b731cd-915a-475e-9788-8c8c254401b2",
            "value": "a63ba88ad869085f1625729708ba65e87f5b37d7be9153b3db1a1b0e3fed309c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772367116",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ad914759-d1e6-47b6-a7db-79234a1688e0",
            "value": "49152:0TpI9F/cfr6XcJrb/TkvO90d7HjmAFd4A64nsfJyhrQRhdyg1a5SJZpIMgD1:BU6qHQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772367116",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5ee7d70c-25ee-495f-82fd-61c6fbe07f3b",
            "value": "2439680"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772367116",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e2475482-a190-4c26-85d3-5a37bfd399d0",
            "value": "026066655d1d15541az27!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772367116",
            "to_ids": true,
            "type": "filename",
            "uuid": "64773d43-c66d-4ddf-bdc7-db41e4df9ec5",
            "value": "a63ba88ad869085f1625729708ba65e87f5b37d7be9153b3db1a1b0e3fed309c.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026\nLast scan: 09/01/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772367116",
            "to_ids": false,
            "type": "text",
            "uuid": "5ab58fc5-d77f-463d-9bc5-9f480f6548a6",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/CryptInject!MSR\nVT Total Detection: 48/70\nFirst Submission: 2023-10-30T09:27:04.000000+00:00\nLast Submission: 2026-02-27T08:36:13.000000+00:00"
          }
        ]
      }
    ]
  }
}