Kaspersky APT Reports CDF
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Detail | Value |
---|---|
Current Integration Version | 1.0.2 |
Compatible with ThreatQ Versions | >= 4.28.0 |
Support Tier | ThreatQ Supported |
Introduction
Kaspersky has discovered some of the most relevant APT attacks ever. However, not all Advanced Persistent Threat discoveries are reported immediately, and many are never publicly announced. Be the first to know, and exclusively in the know, with our in-depth, actionable intelligence reporting on APTs. As a subscriber to Kaspersky APT Intelligence Reporting, we provide you with unique ongoing access to our investigations and discoveries, including full technical data, provided in a range of formats, on each APT as it’s revealed, including all those threats that will never be made public.
The Kaspersky APT Reports CDF provides the following feeds:
- Kaspersky APT Report Get List - https://tip.kaspersky.com/api/publications/get_list
- Kaspersky APT Report Get One - https://tip.kaspersky.com/api/publications/get_one
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Commercial option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
Username | Kaspersky Username |
Password | Kaspersky Password |
Client Private Key | Kaspersky Client Private Key |
Client Certificate | Kaspersky Client Certificate |
Language | Language in which the execsum and pdf files are fetched. Available languages: English, Portuguese, Russian, and Spanish. If a file is not available in the selected language, the file will not be downloaded. |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
ThreatQ Mapping
Get List
This feed retrieves the list of APT publications available to the subscriber; each entry in `publications` is ingested as a ThreatQ Report with the attributes and adversaries listed in the mapping table below.
GET https://tip.kaspersky.com/api/publications/get_list
Sample Response:
```json
{
  "status": "ok",
  "status_msg": "",
  "return_data": {
    "count": 1,
    "publications": [
      {
        "id": "28-fin",
        "updated": 1508878740,
        "published": 1508792340,
        "name": "Latin America bank contractors and employees under Cobalt Strike attack",
        "desc": "In the first week of September, an unknown threat actor registered a domain ...",
        "report_group": "fin",
        "tags": [
          "Chile",
          "Financial institutions",
          "Mexico"
        ],
        "tags_actors": [
          "BlueNoroff",
          "Lazarus"
        ],
        "tags_industry": [
          "Financial institutions"
        ],
        "tags_geo": [
          "Chile",
          "Mexico"
        ],
        "pdfs": [
          "en"
        ],
        "exec_sums": [
          "en"
        ]
      }
    ]
  }
}
```
ThreatQuotient provides the following default mapping for this feed:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
---|---|---|---|---|
.name | report.value | Report Title | "Latin America bank contractors ..." | |
.desc | report.description | Report Description | "In the first week of September, an ..." | |
.published | report.published_at | Report Published At | 1508792340 | formatted |
.id | report.attribute | Publication ID | "28-fin" | |
.updated | report.attribute | Updated At | 1508878740 | formatted |
.report_group | report.attribute | Report Group | "fin" | |
.tags_industry | report.attribute | Industry | ["Financial institutions"] | |
.tags_geo | report.attribute | Geography | ["Chile", "Mexico"] | |
.tags_actors | adversary.name | Adversary Name | ["BlueNoroff", "Lazarus"] | |
Get One
This feed retrieves a single publication together with its report files; the YARA, IOC, PDF and executive-summary documents are delivered as base64-encoded, gzipped data in the `report_*` fields.
GET https://tip.kaspersky.com/api/publications/get_one
Sample Response:
```json
{
  "status": "ok",
  "status_msg": "",
  "return_data": {
    "id": "28-fin",
    "report_group": "fin",
    "updated": 1508878740,
    "published": 1508792340,
    "name": "Latin America bank contractors and employees under Cobalt Strike attack",
    "desc": "In the first week of September, an unknown threat actor registered a domain ...",
    "tags": [
      "Chile",
      "Financial institutions",
      "Mexico"
    ],
    "tags_industry": [
      "Financial institutions"
    ],
    "tags_geo": [
      "Chile",
      "Mexico"
    ],
    "tags_actors": [
      "BlueNoroff",
      "Lazarus"
    ],
    "report_yara": "<yara_base_64_encoded_gziped_data>",
    "report_iocs": "<iocs_base_64_encoded_gziped_data>",
    "report_pdf": "<pdf_base_64_encoded_gziped_data>",
    "report_execsum": "<execsum_base_64_encoded_gziped_data>"
  }
}
```
yara_base_64_encoded_gziped_data
The `report_yara` value after base64 decoding and gunzipping (yara_base_64_encoded_gziped_data):
```yara
import "pe"

rule APT_ZZ_CobaltStrike_Cometer {
    meta:
        copyright = "Kaspersky Lab"
        description = "Attack through Central Bank of Chile fake web-sites"
        last_modified = "2017-10-18"
        author = "Kaspersky Lab"
        hash = "0344EEEBFD183AA48E049BB3A8101CCE"
        hash = "5890917A52314280E0FC6D999104491B"
        hash = "AE8CFD1A33F604FEE0A48CA0B51CC538"
        hash = "ef6f128eb6f4167a494ac6c085cdf4e4"
        version = "1.0"
    strings:
        $a1 = {69 60 69 6A 69 E9 24 06 13 00 05 05 08 46 5? 47 59 49 41 0A 06 04 19 08 1D 00 0B 05 0C 52 49 24 3A 20 2C 49}
    condition:
        uint16(0) == 0x5A4D and
        filesize < 1000000 and
        1 of them and
        (pe.exports("SystemUpdater") or pe.exports("_SystemUpdater"))
}
```
iocs_base_64_encoded_gziped_data
The `report_iocs` value after base64 decoding and gunzipping (iocs_base_64_encoded_gziped_data) is an OpenIOC document; each `IndicatorItem` is a leaf element, so the two items below are siblings under the `Indicator` element:
```xml
<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="59f72c61-f830-44ae-860f-3b73c0a85a81" last-modified="2017-10-23T00:00:00" xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM</short_description>
  <description>Latin America bank contractors and employees under Cobalt Strike attack IOCs v.1.0</description>
  <keywords />
  <authored_by>Kaspersky Lab</authored_by>
  <authored_date>2017-10-23T00:00:00</authored_date>
  <links />
  <definition>
    <Indicator operator="OR" id="59f9e930-50b4-4499-b215-0f44c0a85a81">
      <IndicatorItem id="59f72d35-aef8-4089-b3a4-3b5fc0a85a81" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir" />
        <Content type="md5">86f8787f891eaaae5bcc62e892d503f3</Content>
      </IndicatorItem>
      <IndicatorItem id="59f72d95-fab8-450d-9017-3c3fc0a85a81" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">banco-central.cl</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
```
Kaspersky to ThreatQ Indicator Type Mapping
Only indicators that can be mapped using the Kaspersky to ThreatQ Indicator Type Mapping are ingested into ThreatQ.
Kaspersky | ThreatQ |
---|---|
md5 | MD5 |
sha256 | SHA-256 |
IP | IP Address |
URLHistoryItem/URL | URL |
Network/DNS | FQDN |
FileItem/Md5sum | MD5 |
FileItem/Sha256sum | SHA-256 |
FileItem/FileName | Filename |
RegistryItem/KeyPath | Registry Key |
RouteEntryItem/Destination | FQDN |
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
---|---|---|---|---|
.report_yara | signature.value | Signature Value | <yara_base_64_encoded_gziped_data> | YARA - parsed |
.report_pdf | attachment | Threat File | <pdf_base_64_encoded_gziped_data> | * |
.report_execsum | attachment | Threat File | <execsum_base_64_encoded_gziped_data> | * |
* Kaspersky_PDF_<id>_<lang>.pdf / Kaspersky_Execsum_<id>_<lang>.pdf files are created, where <id> is the id of the publication and <lang> is the language of the documents.
Feed Data Path (.report_iocs.ioc) | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
---|---|---|---|---|
.description | indicator.attribute | Report Name | "Latin America bank contractors..." | |
.authored_date | indicator.attribute | Detection Date | "2017-10-23T00:00:00" | |
.definition.Indicator.IndicatorItem.Content['#text'] | indicator.value | Indicator Value | "86f8787f891eaaae5bcc62e892d503f3" | |
.definition.Indicator.IndicatorItem.Content['@type'] / Context['@search'] | indicator.type | Indicator Type | "md5" | * |
.definition.Indicator.IndicatorItem['@id'] | indicator.attribute | UID | "59f72d95-fab8-450d-9017-3c3fc0a85a81" | |
* Converted using the Kaspersky to ThreatQ Indicator Type Mapping table above; items whose type has no mapping are not ingested.
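As an added example (not ThreatQuotient's or Kaspersky's own code), the following Python reverses the `report_iocs` encoding described under Get One, parses the OpenIOC document, and applies the Kaspersky to ThreatQ Indicator Type Mapping so that only mappable items become indicators with the UID, Report Name and Detection Date attributes from the table above. The sample document is constructed from the IOC shown in this guide plus one `ProcessItem` entry (with a placeholder UID) that has no ThreatQ mapping.

```python
import base64
import gzip
import xml.etree.ElementTree as ET

# Kaspersky -> ThreatQ indicator types, copied from this guide's mapping table
# (keys are OpenIOC Context/@search paths, or Content/@type for bare hash items).
TYPE_MAP = {"md5": "MD5", "sha256": "SHA-256", "IP": "IP Address",
            "URLHistoryItem/URL": "URL", "Network/DNS": "FQDN",
            "FileItem/Md5sum": "MD5", "FileItem/Sha256sum": "SHA-256",
            "FileItem/FileName": "Filename", "RegistryItem/KeyPath": "Registry Key",
            "RouteEntryItem/Destination": "FQDN"}
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample: the guide's IOC plus an unmappable ProcessItem (placeholder UID),
# gzipped and base64-encoded the way the API delivers report_iocs.
IOC_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="59f72c61-f830-44ae-860f-3b73c0a85a81">
<description>Latin America bank contractors and employees under Cobalt Strike attack IOCs v.1.0</description>
<authored_date>2017-10-23T00:00:00</authored_date>
<definition><Indicator operator="OR" id="59f9e930-50b4-4499-b215-0f44c0a85a81">
<IndicatorItem id="59f72d35-aef8-4089-b3a4-3b5fc0a85a81" condition="is">
<Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
<Content type="md5">86f8787f891eaaae5bcc62e892d503f3</Content></IndicatorItem>
<IndicatorItem id="59f72d95-fab8-450d-9017-3c3fc0a85a81" condition="is">
<Context document="Network" search="Network/DNS" type="mir"/>
<Content type="string">banco-central.cl</Content></IndicatorItem>
<IndicatorItem id="00000000-0000-4000-8000-000000000000" condition="is">
<Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
<Content type="string">svchost.exe</Content></IndicatorItem>
</Indicator></definition></ioc>"""
REPORT_IOCS = base64.b64encode(gzip.compress(IOC_XML)).decode()


def decode_blob(blob):
    # Reverse the API's encoding: base64 text -> gzip -> raw bytes.
    return gzip.decompress(base64.b64decode(blob))


def parse_iocs(report_iocs):
    """Return ThreatQ-style indicators; items with no mapped type are dropped."""
    root = ET.fromstring(decode_blob(report_iocs))
    report_name = root.findtext("ioc:description", namespaces=NS)
    detected = root.findtext("ioc:authored_date", namespaces=NS)
    indicators = []
    for item in root.iterfind(".//ioc:IndicatorItem", NS):
        ctx, content = item.find("ioc:Context", NS), item.find("ioc:Content", NS)
        # Prefer the Context search path; fall back to the Content type (e.g. "md5").
        tq_type = TYPE_MAP.get(ctx.get("search")) or TYPE_MAP.get(content.get("type"))
        if tq_type is None:
            continue
        indicators.append({"value": content.text.strip(), "type": tq_type,
                           "attributes": {"UID": item.get("id"), "Report Name": report_name,
                                          "Detection Date": detected}})
    return indicators
```

`decode_blob` applies unchanged to `report_yara`, `report_pdf` and `report_execsum`, which the feed encodes the same way.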
Change Log
- Version 1.0.2
  - N/A
- Version 1.0.1
  - N/A
- Version 1.0.0
  - Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
Kaspersky APT Reports CDF v1.0.2 | 4.28 or Greater |
Kaspersky APT Reports CDF v1.0.1 | 4.27 or Greater |
Kaspersky APT Reports CDF v1.0.0 | 4.27 or Greater |