ioc[.]one - OSINT Cyber Threat Intelligence Database

MAR-10454006-r2.v1 SEASPY Backdoor | CISA

Tags

maec-delivery-vectors:	Watering Hole
attack-pattern:	Malware - T1587.001 Malware - T1588.001 Phishing - T1660 Phishing - T1566 Software - T1592.002 Tool - T1588.002 Vulnerabilities - T1588.006

Show in Graph

Common Information

Type	Value
UUID	2a394d86-8755-4ab8-ae54-d490d39d924d
Fingerprint	714394b45fb198b
Analysis status	DONE
Considered CTI value	2
Text language
Published	July 28, 2023, noon
Added to db	Aug. 12, 2023, 1:30 a.m.
Last updated	Nov. 17, 2024, 5:57 p.m.
Headline	MAR-10454006-r2.v1 SEASPY Backdoor
Title	MAR-10454006-r2.v1 SEASPY Backdoor \| CISA
Detected Hints/Tags/Attributes	49/2/17

Source URLs

	Redirection	Url
Details	Source	https://www.cisa.gov/news-events/analysis-reports/ar23-209b

URL Provider

Details	Provider	Source level domain
Details	cisa.gov	www.cisa.gov

RSS Feed

Details	Id	Enabled	Feed title	Url	Added to db
Details	85	✔	—	https://cisa.gov/uscert/ncas/analysis-reports.xml	2024-08-30 22:08

Attributes

Details	Type	#Events	CTI	Value
Details	CVE	117		cve-2023-2868
Details	Domain	469		www.cisa.gov
Details	Domain	154		us-cert.cisa.gov
Details	Domain	84		malware.us-cert.gov
Details	Domain	84		ftp.malware.us-cert.gov
Details	Email	84		submit@malware.us-cert.gov
Details	md5	5		5d6cba7909980a7b424b133fbac634ac
Details	md5	2		32ffe48d1a8ced49c53033eb65eff6f3
Details	sha256	1		3e21e547cf94cb07c010fe82d6965e5bd52dbdd9255b4dd164f64addfaa87abb
Details	sha256	2		69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192
Details	sha256	3		3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115
Details	sha256	2		5f5b8cc4d297c8d46a26732ae47c6ac80338b7be97a078a8e1b6eefd1120a5e5
Details	sha256	2		10efa7fe69e43c189033006010611e84394569571c4f08ea1735073d6433be81
Details	Url	43		http://www.cisa.gov/tlp.
Details	Url	53		https://us-cert.cisa.gov/forms/feedback
Details	Url	84		https://malware.us-cert.gov
Details	Yara rule	2		rule CISA_10452108_01 : SEASPY backdoor communicates_with_c2 installs_other_components { meta: Author = "CISA Code & Media Analysis" Incident = "10452108" Date = "2023-06-20" Last_Modified = "20230628_1000" Actor = "n/a" Family = "SEASPY" Capabilities = "communicates-with-c2 installs-other-components" Malware_Type = "backdoor" Tool_Type = "unknown" Description = "Detects malicious Linux SEASPY samples" SHA256_1 = "3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115" SHA256_2 = "69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192" SHA256_3 = "5f5b8cc4d297c8d46a26732ae47c6ac80338b7be97a078a8e1b6eefd1120a5e5" SHA256_4 = "10efa7fe69e43c189033006010611e84394569571c4f08ea1735073d6433be81" strings: $s0 = { 2E 2F 42 61 72 72 61 63 75 64 61 4D 61 69 6C 53 65 72 76 69 63 65 20 65 74 68 30 } $s1 = { 75 73 61 67 65 3A 20 2E 2F 42 61 72 72 61 63 75 64 61 4D 61 69 6C 53 65 72 76 69 63 65 20 3C 4E 65 74 77 6F 72 6B 2D 49 6E 74 65 72 66 61 63 65 } $s2 = { 65 6E 74 65 72 20 6F 70 65 6E 20 74 74 79 20 73 68 65 6C 6C } $s3 = { 25 64 00 4E 4F 20 70 6F 72 74 20 63 6F 64 65 } $s4 = { 70 63 61 70 5F 6C 6F 6F 6B 75 70 6E 65 74 3A 20 25 73 } $s5 = { 43 68 69 6C 64 20 70 72 6F 63 65 73 73 20 69 64 3A 25 64 } $s6 = { 5B 2A 5D 53 75 63 63 65 73 73 21 } $a7 = { BF 90 47 90 EC 18 FE E3 83 E2 A9 F7 8D 85 18 1D } $a8 = { 81 35 1E F0 94 AB 2A BA 5D F0 37 76 69 19 9F 1E } $a9 = { 6A 8E C7 89 CE C1 FE 64 78 A6 E1 C5 FE 03 D1 A7 } $a10 = { C2 FF D1 0D 24 23 EC C0 57 F9 8D 4B 05 34 41 B8 } condition: uint32(0) == 0x464c457f and (all of ($s)) or (all of ($a)) }