@nicdev
Created September 25, 2018 15:53
[RFI] GET /xfe/casefiles/c96eca2a00ac32586643f1d68766e1cc
{
"created": "2018-09-25T14:20:25.491Z",
"owner": {
"name": "Chris R",
"uuid": "http://www.ibm.com/310002HES8",
"verified": "iris",
"isDisabled": false
},
"title": "Fake Finance Apps Found in Google's Play Store",
"caseFileID": "c96eca2a00ac32586643f1d68766e1cc",
"tags": [
"campaign",
"x-risk:23",
"xftas",
"advisory",
"phishing",
"threat-actor"
],
"links": [],
"tlpColor": {
"tlpColorName": "TLP_WHITE",
"tlpColorCode": "white",
"tlpIsUserDefined": true
},
"writeable": false,
"deletable": false,
"shared": "public",
"mine": false,
"coOwner": false,
"extensions": [],
"titleChange": false,
"nPeople": 0,
"nGroups": 2,
"contents": {
"editorType": "draft",
"rawContentState": {
"blocks": [
{
"key": "1988j",
"text": "Summary ",
"type": "header-one",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [],
"data": {}
},
{
"key": "a8q79",
"text": "Fake finance apps have been identified in Google's Play Store. These apps lead to information disclosure such as login or credit card information.",
"type": "unstyled",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [],
"data": {}
},
{
"key": "37b8e",
"text": "Threat Type",
"type": "header-one",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [],
"data": {}
},
{
"key": "a5fjn",
"text": "Information disclosure",
"type": "unstyled",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [],
"data": {}
},
{
"key": "4cckk",
"text": "Overview",
"type": "header-one",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [],
"data": {}
},
{
"key": "e9kdl",
"text": "Security researchers at ESET provided details about recently discovered, fake finance apps located in the Google Play Store. Six banks have from the following countries have had apps impersonated: New Zealand, the United Kingdom, Australia, Poland, and Switzerland. It was also reported that the Australian cryptocurrency exchange Bitpanda had a fraudulent app created as well. The fake apps, when downloaded by an unsuspecting victim, will phish for credentials, such as login or credit card information. After the data is collected by the app, it is transmitted back to the adversary's server. The apps were uploaded to Google Play in June of this year. They have been downloaded over a thousand times and have since been removed from Google's Play Store. For full technical details we encourage our readers to review ESET's article. ",
"type": "unstyled",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [],
"data": {}
},
{
"key": "73loq",
"text": "Indicators of Compromise",
"type": "header-one",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [],
"data": {}
},
{
"key": "3ge65",
"text": " ",
"type": "unstyled",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [],
"data": {}
},
{
"key": "2jmju",
"text": " 651A3734103472297A2C65C81757FB5820AD2AB7 \t",
"type": "unordered-list-item",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [
{
"offset": 1,
"length": 40,
"key": 0
}
],
"data": {}
},
{
"key": "78kka",
"text": " DE09F03C401141BEB05F229515ABB64811DDB853 \t",
"type": "unordered-list-item",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [
{
"offset": 1,
"length": 40,
"key": 1
}
],
"data": {}
},
{
"key": "fgaag",
"text": " B6D70983C28B8A0059B454065D599B4E18E8097C \t",
"type": "unordered-list-item",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [
{
"offset": 1,
"length": 40,
"key": 2
}
],
"data": {}
},
{
"key": "2n9df",
"text": " 91692607FB529218ADF00F256D5D1862DF90DAAF \t",
"type": "unordered-list-item",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [
{
"offset": 1,
"length": 40,
"key": 3
}
],
"data": {}
},
{
"key": "4bpvu",
"text": " FE1B2799B65D36F19484930FAF0DA17A0DBE9868 \t",
"type": "unordered-list-item",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [
{
"offset": 1,
"length": 40,
"key": 4
}
],
"data": {}
},
{
"key": "drh7t",
"text": " C43E7A28E1B807225F1E188C6DA51D24DCC54F5F \t",
"type": "unordered-list-item",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [
{
"offset": 1,
"length": 40,
"key": 5
}
],
"data": {}
},
{
"key": "fs2fa",
"text": " 7D80158C8C893E46DC15E6D92ED2FECFDB12BF9F ",
"type": "unordered-list-item",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [
{
"offset": 1,
"length": 40,
"key": 6
}
],
"data": {}
},
{
"key": "7ua1h",
"text": "Recommendations",
"type": "header-one",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [],
"data": {}
},
{
"key": "1fnn",
"text": "Keep applications and operating systems running at the current released patch level",
"type": "unordered-list-item",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [],
"data": {}
},
{
"key": "argn",
"text": "Ensure anti-virus software and associated files are up to date",
"type": "unordered-list-item",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [],
"data": {}
},
{
"key": "1r18a",
"text": "Verify, through a separate channel, the legitimacy of any unsolicited email attachments - delete without opening if you can not validate",
"type": "unordered-list-item",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [],
"data": {}
},
{
"key": "2sce8",
"text": "Search for existing signs of the indicated IOCs in your environment",
"type": "unordered-list-item",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [],
"data": {}
},
{
"key": "4uk69",
"text": "Block all URL and IP based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices",
"type": "unordered-list-item",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [],
"data": {}
},
{
"key": "l9da",
"text": "Reference",
"type": "header-one",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [],
"data": {}
},
{
"key": "78bt3",
"text": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/ ",
"type": "unstyled",
"depth": 0,
"inlineStyleRanges": [],
"entityRanges": [
{
"offset": 0,
"length": 92,
"key": 7
}
],
"data": {}
}
],
"entityMap": {
"0": {
"type": "OBSERVABLE",
"mutability": "IMMUTABLE",
"data": {
"type": "MAL",
"id": "651A3734103472297A2C65C81757FB5820AD2AB7"
}
},
"1": {
"type": "OBSERVABLE",
"mutability": "IMMUTABLE",
"data": {
"type": "MAL",
"id": "DE09F03C401141BEB05F229515ABB64811DDB853"
}
},
"2": {
"type": "OBSERVABLE",
"mutability": "IMMUTABLE",
"data": {
"type": "MAL",
"id": "B6D70983C28B8A0059B454065D599B4E18E8097C"
}
},
"3": {
"type": "OBSERVABLE",
"mutability": "IMMUTABLE",
"data": {
"type": "MAL",
"id": "91692607FB529218ADF00F256D5D1862DF90DAAF"
}
},
"4": {
"type": "OBSERVABLE",
"mutability": "IMMUTABLE",
"data": {
"type": "MAL",
"id": "FE1B2799B65D36F19484930FAF0DA17A0DBE9868"
}
},
"5": {
"type": "OBSERVABLE",
"mutability": "IMMUTABLE",
"data": {
"type": "MAL",
"id": "C43E7A28E1B807225F1E188C6DA51D24DCC54F5F"
}
},
"6": {
"type": "OBSERVABLE",
"mutability": "IMMUTABLE",
"data": {
"type": "MAL",
"id": "7D80158C8C893E46DC15E6D92ED2FECFDB12BF9F"
}
},
"7": {
"type": "HYPERLINK",
"mutability": "MUTABLE",
"data": {
"target": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/"
}
}
}
},
"wiki": "<h1>Summary&nbsp;</h1>\n<p>Fake finance apps have been identified in Google's Play Store. These apps lead to information disclosure such as login or credit card information.</p>\n<h1>Threat Type</h1>\n<p>Information disclosure</p>\n<h1>Overview</h1>\n<p>Security researchers at ESET provided details about recently discovered, fake finance apps located in the Google Play Store. Six banks have from the following countries have had apps impersonated: New Zealand, the United Kingdom, Australia, Poland, and Switzerland. It was also reported that the Australian cryptocurrency exchange Bitpanda had a fraudulent app created as well. The fake apps, when downloaded by an unsuspecting victim, will phish for credentials, such as login or credit card information. After the data is collected by the app, it is transmitted back to the adversary's server. The apps were uploaded to Google Play in June of this year. They have been downloaded over a thousand times and have since been removed from Google's Play Store. For full technical details we encourage our readers to review ESET's article.&nbsp;</p>\n<h1>Indicators of Compromise</h1>\n<p>&nbsp;</p>\n<ul>\n<li>&nbsp;651A3734103472297A2C65C81757FB5820AD2AB7 \t</li>\n<li>&nbsp;DE09F03C401141BEB05F229515ABB64811DDB853 \t</li>\n<li>&nbsp;B6D70983C28B8A0059B454065D599B4E18E8097C \t</li>\n<li>&nbsp;91692607FB529218ADF00F256D5D1862DF90DAAF \t</li>\n<li>&nbsp;FE1B2799B65D36F19484930FAF0DA17A0DBE9868 \t</li>\n<li>&nbsp;C43E7A28E1B807225F1E188C6DA51D24DCC54F5F \t</li>\n<li>&nbsp;7D80158C8C893E46DC15E6D92ED2FECFDB12BF9F&nbsp;</li>\n</ul>\n<h1>Recommendations</h1>\n<ul>\n<li>Keep applications and operating systems running at the current released patch level</li>\n<li>Ensure anti-virus software and associated files are up to date</li>\n<li>Verify, through a separate channel, the legitimacy of any unsolicited email attachments - delete without opening if you can not validate</li>\n<li>Search for existing signs of the indicated IOCs in your environment</li>\n<li>Block all URL and IP based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices</li>\n</ul>\n<h1>Reference</h1>\n<p>https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/&nbsp;</p>\n",
"plainText": "Summary \nFake finance apps have been identified in Google's Play Store. These apps lead to information disclosure such as login or credit card information.\nThreat Type\nInformation disclosure\nOverview\nSecurity researchers at ESET provided details about recently discovered, fake finance apps located in the Google Play Store. Six banks have from the following countries have had apps impersonated: New Zealand, the United Kingdom, Australia, Poland, and Switzerland. It was also reported that the Australian cryptocurrency exchange Bitpanda had a fraudulent app created as well. The fake apps, when downloaded by an unsuspecting victim, will phish for credentials, such as login or credit card information. After the data is collected by the app, it is transmitted back to the adversary's server. The apps were uploaded to Google Play in June of this year. They have been downloaded over a thousand times and have since been removed from Google's Play Store. For full technical details we encourage our readers to review ESET's article. \nIndicators of Compromise\n \n 651A3734103472297A2C65C81757FB5820AD2AB7 \t\n DE09F03C401141BEB05F229515ABB64811DDB853 \t\n B6D70983C28B8A0059B454065D599B4E18E8097C \t\n 91692607FB529218ADF00F256D5D1862DF90DAAF \t\n FE1B2799B65D36F19484930FAF0DA17A0DBE9868 \t\n C43E7A28E1B807225F1E188C6DA51D24DCC54F5F \t\n 7D80158C8C893E46DC15E6D92ED2FECFDB12BF9F \nRecommendations\nKeep applications and operating systems running at the current released patch level\nEnsure anti-virus software and associated files are up to date\nVerify, through a separate channel, the legitimacy of any unsolicited email attachments - delete without opening if you can not validate\nSearch for existing signs of the indicated IOCs in your environment\nBlock all URL and IP based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices\nReference\nhttps://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/ ",
"reports": []
}
}