{
  "Event": {
    "analysis": "1",
    "date": "2014-07-07",
    "extends_uuid": "",
    "info": "[Threat Intel] Dragonfly: Cyberespionage Attacks Against Energy Suppliers",
    "protected": false,
    "publish_timestamp": "1772420105",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772420101",
    "uuid": "fc7a92cc-88f9-44c5-ba91-8b263e40c322",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Symantec\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"ENERGETIC BEAR\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Energy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"France\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Germany\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Greece\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Italy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Poland\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Romania\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Serbia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Spain\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Turkey\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Havex RAT\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-groups=\"Dragonfly\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-software=\"Backdoor.Oldrea, Havex\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f6810a",
        "local": false,
        "name": "ICS-capable",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771748196",
        "to_ids": false,
        "type": "link",
        "uuid": "560e65fa-b0bc-46a6-b422-2aaf1868536d",
        "value": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers"
      },
      {
        "category": "Attribution",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771748234",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "1f312343-5525-419f-b959-a7a9a3e3a43f",
        "value": "Dragonfly"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771748351",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "57c5c3c7-5bc0-4c03-a50c-817d778d0494",
        "value": "CVE-2012-1723"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771748351",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "aad8b300-2824-4305-aa2c-2c3ef8e27345",
        "value": "CVE-2013-2465"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771748351",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "939609e0-85ef-4b37-bbd2-375052b20a3d",
        "value": "CVE-2012-4792"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771748351",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "a2c11594-6fb8-4358-924f-4d9c6e1ff757",
        "value": "CVE-2013-1347"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419077",
        "to_ids": true,
        "type": "hostname",
        "uuid": "8d22238a-3c2a-48f9-8174-661115fef91e",
        "value": "toons.freesexycomics.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419099",
        "to_ids": true,
        "type": "hostname",
        "uuid": "4b2e904a-6033-499f-ab8c-3c9c1de8717e",
        "value": "host.alexsieff.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419120",
        "to_ids": true,
        "type": "url",
        "uuid": "87c6ae79-7e4b-43ec-aeb3-27603c23bd55",
        "value": "http://93.188.161.235/check2/muees27jxt/shot.jpg",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419141",
        "to_ids": true,
        "type": "url",
        "uuid": "5d179542-464b-4aec-8f2f-14203be14566",
        "value": "http://93.188.161.235/check2/muees27jxt/tl.jpg",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419163",
        "to_ids": true,
        "type": "url",
        "uuid": "6c3ff5f0-8317-440f-a489-6d5654001455",
        "value": "http://93.188.161.235/check2/muees27jxt/fl.jpg",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419184",
        "to_ids": true,
        "type": "url",
        "uuid": "30777526-9a75-4d83-8df4-de319f79342e",
        "value": "http://93.188.161.235/check2/muees27jxt/pdump.jpg",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772420101",
        "to_ids": true,
        "type": "url",
        "uuid": "e9b6739d-6b7c-4c71-b8ae-53901a7adede",
        "value": "http://93.188.161.235/check2/muees27j",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Exploit site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419226",
        "to_ids": true,
        "type": "hostname",
        "uuid": "29be56cc-e7af-4448-b58c-bb4b9bdab128",
        "value": "blog.olioboard.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Exploit site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419249",
        "to_ids": true,
        "type": "hostname",
        "uuid": "4366d1f1-d9d4-4317-8e70-803f16e7f34a",
        "value": "www.manshur.ir",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Exploit site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419270",
        "to_ids": true,
        "type": "domain",
        "uuid": "81e67ed9-7264-42b7-8b0a-47d1d79dcfff",
        "value": "realstars.ir",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Exploit site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419291",
        "to_ids": true,
        "type": "hostname",
        "uuid": "27b38120-bbf0-4b7b-beee-8627fc2d2d6b",
        "value": "aptguide.3dtour.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Exploit site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419312",
        "to_ids": true,
        "type": "domain",
        "uuid": "9652195b-c2d5-4105-ad41-6a2b541deb64",
        "value": "seductionservice.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Exploit site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419335",
        "to_ids": true,
        "type": "domain",
        "uuid": "97fc7fdd-7f34-4e0e-bcf3-9f6d48248bea",
        "value": "mahsms.ir",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Exploit site",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419356",
        "to_ids": true,
        "type": "domain",
        "uuid": "6214ad2f-7cfe-40f9-bba1-580db116ba97",
        "value": "keeleux.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Trojan.Karagany",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419378",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "b6d9f04e-dd15-4975-ab97-f1f9911198b2",
        "value": "91.203.6.71",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Trojan.Karagany",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419400",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "b983f5ea-8660-4c18-957e-87b60cfd7f0a",
        "value": "93.171.216.118",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Trojan.Karagany",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772419421",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ff87df73-ce94-4785-b176-e3674a95025f",
        "value": "93.188.161.235",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771748575",
        "uuid": "42d92f85-720c-4516-b536-28d984516962",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771748575",
            "to_ids": false,
            "type": "text",
            "uuid": "5e720d7f-98d5-4eb3-8863-01494563a6c3",
            "value": "Trojan_Karagany"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771748575",
            "to_ids": false,
            "type": "comment",
            "uuid": "e008593f-094c-408f-b676-b4ab24e68994",
            "value": "Dreamloader"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771748575",
            "to_ids": true,
            "type": "yara",
            "uuid": "effc2648-bf1c-40a1-8c8d-8f230a0e8d34",
            "value": "private rule isPE\r\n{\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x00004550\r\n}\r\nrule Trojan_Karagany\r\n{\r\n meta:\r\n alias = \"Dreamloader\"\r\n strings:\r\n $s1 = \"neosphere\" wide ascii\r\n $s2 = \"10000000000051200\" wide ascii\r\n $v1 = \"&fichier\" wide ascii\r\n $v2 = \"&identifiant\" wide ascii\r\n $c1 = \"xmonstart\" wide ascii\r\n $c2 = \"xmonstop\" wide ascii\r\n $c3 = \"xgetfile\" wide ascii\r\n $c4 = \"downadminexec\" wide ascii\r\n $c5 = \"xdiex\" wide ascii\r\n $c6 = \"xrebootx\" wide ascii\r\n condition:\r\n isPE and (($s1 and $s2) or ($v1 and $v2) or (any of ($c*)))\r\n}"
          }
        ]
      }
    ]
  }
}