[
  {
    "instruction": "Tell me about the following threat: Operation Epic Manchago Maldocs Used for Infostealer Delivery\nNVISO has detected malicious Excel documents delivering VBA-activated spreadsheets. In a blog post, researchers analyzed the campaign and the intricacies built into the maldocs discussed.\n\nProvide threat type, overview, describe IoCs if exists, recommandations, related MITRE ATT&CK TTPs and references if exists.",
    "context": "",
    "output": "Sure! Here is the information I have about the threat: Operation Epic Manchago Maldocs Used for Infostealer Delivery\nNVISO has detected malicious Excel documents delivering VBA-activated spreadsheets. In a blog post, researchers analyzed the campaign and the intricacies built into the maldocs discussed.\n\n# Threat Type\n\n  * Malware, Infostealer\n\n\n\n\n# Overview\n\nNVISO detected malicious Excel documents in July 2020 that are able to deliver malware through VBA-activated spreadsheets. Unlike most malicious excel documents, these particular samples were created using EPPlus software. It is believed the campaign is being carried out by a single threat actor based on the number of samples provided to services such as VirusTotal. Additionally, delivery of payloads supports this theory. The lack of Office metadata led researchers to conclude the files were created in EPPlus as well as the uncompiled code contained within the spreadsheets. All of the sample maldocs contain a password protected VBA project. Efforts to recover the passwords were unsuccessful. A handful of samples were obtained and it was determined the VBA code will use either PowerShell or ActiveX to download the payload. These payloads are hosted on various websites. There is a common pattern to the second stage downloader. The stage 2 EXE loads a DLL. This DLL extracts and decodes steganography encoded images from the EXE. Finally, the DLL loads the stage 3 EXE. This is the final payload. These final stages included such malware as AgentTesla, Azorult, Formbook, Matiex, and njRAT. There does not appear to be a pattern in the targeting of victims. Further technical details can be found in the blog post contained within the Reference section below.\n\n# Indicators of Compromise\n\n  * Associated indicators of compromise are provided alongside this report. \n\n\n\n# Recommendations\n\n  * Ensure anti-virus software and associated files are up to date.\n  * Search for existing signs of the indicated IoCs in your environment.\n  * Consider blocking and or setting up detection for all URL and IP based IoCs.\n  * Keep applications and operating systems running at the current released patch level.\n  * Exercise caution with attachments and links in emails.\n\n\n\n# Reference\n\n  * <https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/>",
    "category": "XFEReportsFlan",
    "instruction_type": "xfe_report_simple",
    "parsed_raw_data": {
      "xfe_q": "Operation Epic Manchago Maldocs Used for Infostealer Delivery\nNVISO has detected malicious Excel documents delivering VBA-activated spreadsheets. In a blog post, researchers analyzed the campaign and the intricacies built into the maldocs discussed.",
      "xfe_report": "# Threat Type\n\n  * Malware, Infostealer\n\n\n\n\n# Overview\n\nNVISO detected malicious Excel documents in July 2020 that are able to deliver malware through VBA-activated spreadsheets. Unlike most malicious excel documents, these particular samples were created using EPPlus software. It is believed the campaign is being carried out by a single threat actor based on the number of samples provided to services such as VirusTotal. Additionally, delivery of payloads supports this theory. The lack of Office metadata led researchers to conclude the files were created in EPPlus as well as the uncompiled code contained within the spreadsheets. All of the sample maldocs contain a password protected VBA project. Efforts to recover the passwords were unsuccessful. A handful of samples were obtained and it was determined the VBA code will use either PowerShell or ActiveX to download the payload. These payloads are hosted on various websites. There is a common pattern to the second stage downloader. The stage 2 EXE loads a DLL. This DLL extracts and decodes steganography encoded images from the EXE. Finally, the DLL loads the stage 3 EXE. This is the final payload. These final stages included such malware as AgentTesla, Azorult, Formbook, Matiex, and njRAT. There does not appear to be a pattern in the targeting of victims. Further technical details can be found in the blog post contained within the Reference section below.\n\n# Indicators of Compromise\n\n  * Associated indicators of compromise are provided alongside this report. \n\n\n\n# Recommendations\n\n  * Ensure anti-virus software and associated files are up to date.\n  * Search for existing signs of the indicated IoCs in your environment.\n  * Consider blocking and or setting up detection for all URL and IP based IoCs.\n  * Keep applications and operating systems running at the current released patch level.\n  * Exercise caution with attachments and links in emails.\n\n\n\n# Reference\n\n  * <https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/>"
    }
  },
  {
    "instruction": "Tell me everything you know the following threat: DoJ Allows FBI Login to Exchange Server WebShells\nIn a ruling on April 13, 2021, the U.S. Department of Justice (DoJ) allowed the Federal Bureau of Investigation (FBI) to log into exploited Microsoft Exchange Servers in order to disrupt and remove web shells providing backdoor access to the servers.",
    "context": "",
    "output": "\n# Threat Type\n\n  * Vulnerability\n\n\n\n\n# Overview\n\nAccording to multiple sources, including the DoJ, the FBI has been permitted to log into, copy, and remove malicious web shells from vulnerable Microsoft Exchange Servers. Throughout January and February 2021, threat actors have been exploiting a zero-day vulnerability in an effort to gain access to these servers. The vulnerability allowed for the installation of web shells for continued access. Although many owners of the vulnerable servers were able to remove the web shells, many more still appear to be vulnerable to this zero-day exploit. Some of the vulnerable server owners attempted to remove the web shells but were, ultimately, unsuccessful. The FBI then conducted the removal by issuing a command through the web shell to delete only the web shell itself as identified by its unique file path. This action did not include the patching of the servers in question but only the removal of the malicious web shells. Officials from the DoJ and FBI are urging owners to patch the affected systems immediately by reviewing Microsoft's remediation guide published in March in a Joint Advisory. Many security sources are urging owners to not only patch vulnerable systems but to remove any web shells left behind. Further details can be found in the links located within the Reference section below.\n\n# Recommendations\n\n  * Review the source article for full details.\n\n  * Apply applicable patches, updates, or workarounds as necessary. \n\n\n\n\n# Reference\n\n  * <https://www.justice.gov/usao-sdtx/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft>\n\n  * <https://therecord.media/fbi-operation-removed-web-shells-from-hacked-exchange-servers-across-the-us/>\n  * <https://www.bleepingcomputer.com/news/security/nsa-discovers-critical-exchange-server-vulnerabilities-patch-now/>",
    "category": "XFEReportsFlan",
    "instruction_type": "xfe_report_simple",
    "parsed_raw_data": {
      "xfe_q": "DoJ Allows FBI Login to Exchange Server WebShells\nIn a ruling on April 13, 2021, the U.S. Department of Justice (DoJ) allowed the Federal Bureau of Investigation (FBI) to log into exploited Microsoft Exchange Servers in order to disrupt and remove web shells providing backdoor access to the servers.",
      "xfe_report": "# Threat Type\n\n  * Vulnerability\n\n\n\n\n# Overview\n\nAccording to multiple sources, including the DoJ, the FBI has been permitted to log into, copy, and remove malicious web shells from vulnerable Microsoft Exchange Servers. Throughout January and February 2021, threat actors have been exploiting a zero-day vulnerability in an effort to gain access to these servers. The vulnerability allowed for the installation of web shells for continued access. Although many owners of the vulnerable servers were able to remove the web shells, many more still appear to be vulnerable to this zero-day exploit. Some of the vulnerable server owners attempted to remove the web shells but were, ultimately, unsuccessful. The FBI then conducted the removal by issuing a command through the web shell to delete only the web shell itself as identified by its unique file path. This action did not include the patching of the servers in question but only the removal of the malicious web shells. Officials from the DoJ and FBI are urging owners to patch the affected systems immediately by reviewing Microsoft's remediation guide published in March in a Joint Advisory. Many security sources are urging owners to not only patch vulnerable systems but to remove any web shells left behind. Further details can be found in the links located within the Reference section below.\n\n# Recommendations\n\n  * Review the source article for full details.\n\n  * Apply applicable patches, updates, or workarounds as necessary. \n\n\n\n\n# Reference\n\n  * <https://www.justice.gov/usao-sdtx/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft>\n\n  * <https://therecord.media/fbi-operation-removed-web-shells-from-hacked-exchange-servers-across-the-us/>\n  * <https://www.bleepingcomputer.com/news/security/nsa-discovers-critical-exchange-server-vulnerabilities-patch-now/>"
    }
  },
  {
    "instruction": "I have encountered the following information: NCAS Malware Analysis Report AR20-239B - VIVACIOUSGIFT\nA Cybersecurity and Infrastructure Security Agency (CISA) malware analysis report, AR20-239B, has been published through the National Cyber Awareness System. The report is a joint publication from Department of Homeland Security, the Federal Bureau of Investigation, and the Department of Defense. The report provides information on the North Korean network proxy tool, VIVACIOUSGIFT.\n\nWhat can you tell me about it? I need overview, related mitre attack informations if exists, IoCs, recommandations and possible references.",
    "context": "",
    "output": "You are asking about a specific threat report. Below is the information I have about the given report\n\n# Threat Type\n\n  * Malware, APT\n\n\n\n\n# Overview\n\n **From the Malware Analysis Report (AR20-239B)**  \n **MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT**\n\n  \n\n\nThis Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This malware variant has been identified as VIVACIOUSGIFT. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.\n\nFBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.\n\nThis MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.\n\nThis report looks at the malware samples known as VIVACIOUSGIFT that is used by advanced persistent threat (APT) cyber actors as a network proxy tool. The proxy requires an encrypted command line argument for its source and destination Internet Protocol (IP) addresses and has command and control (C2) functionality to retrieve and set the destination IP. The command line argument can also contain a source proxy IP, port, and password. The source proxy is used as an additional proxy when communicating with the source IP. The library libcurl version 7.94.1 is used when communicating with the source proxy.\n\n# Indicators of Compromise\n\n  * Associated indicators of compromise are provided alongside this report. for Yara Rules.\n\n\n\n# Recommendations\n\n  * Ensure anti-virus software and associated files are up to date.\n  * Search for existing signs of the indicated IoCs in your environment.\n  * Consider blocking and or setting up detection for all URL and IP based IoCs.\n  * Keep applications and operating systems running at the current released patch level.\n  * Exercise caution with attachments and links in emails.\n\n\n\n# Reference\n\n  * <https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b>",
    "category": "XFEReportsFlan",
    "instruction_type": "xfe_report_simple",
    "parsed_raw_data": {
      "xfe_q": "NCAS Malware Analysis Report AR20-239B - VIVACIOUSGIFT\nA Cybersecurity and Infrastructure Security Agency (CISA) malware analysis report, AR20-239B, has been published through the National Cyber Awareness System. The report is a joint publication from Department of Homeland Security, the Federal Bureau of Investigation, and the Department of Defense. The report provides information on the North Korean network proxy tool, VIVACIOUSGIFT.",
      "xfe_report": "# Threat Type\n\n  * Malware, APT\n\n\n\n\n# Overview\n\n **From the Malware Analysis Report (AR20-239B)**  \n **MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT**\n\n  \n\n\nThis Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This malware variant has been identified as VIVACIOUSGIFT. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.\n\nFBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.\n\nThis MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.\n\nThis report looks at the malware samples known as VIVACIOUSGIFT that is used by advanced persistent threat (APT) cyber actors as a network proxy tool. The proxy requires an encrypted command line argument for its source and destination Internet Protocol (IP) addresses and has command and control (C2) functionality to retrieve and set the destination IP. The command line argument can also contain a source proxy IP, port, and password. The source proxy is used as an additional proxy when communicating with the source IP. The library libcurl version 7.94.1 is used when communicating with the source proxy.\n\n# Indicators of Compromise\n\n  * Associated indicators of compromise are provided alongside this report. for Yara Rules.\n\n\n\n# Recommendations\n\n  * Ensure anti-virus software and associated files are up to date.\n  * Search for existing signs of the indicated IoCs in your environment.\n  * Consider blocking and or setting up detection for all URL and IP based IoCs.\n  * Keep applications and operating systems running at the current released patch level.\n  * Exercise caution with attachments and links in emails.\n\n\n\n# Reference\n\n  * <https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b>"
    }
  },
  {
    "instruction": "Tell me everything you know the following threat: IoCs for Active Cryptomining from TeamTNT\nFollowing up on a report from June, more indicators of compromise have been disclosed by Tolisec. The previous report is located [here](https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-watchdog-operations/) and a TAR from IBM is located [here](https://exchange.xforce.ibmcloud.com/threats/guid:17b90419e06922902c280ddb85665ad7).",
    "context": "",
    "output": "\n# Threat Type\n\n  * Cryptomining\n\n\n\n\n# Overview\n\nAdditions to Indicators of Compromise (IoCs) for TeamTNT's cryptomining operation have been released by Tolisec. No new details were provided, therefore, this report contains only the latest in IoCs. XMR pools and an XMR wallet are also included in the below IoCs text file.\n\n# Indicators of Compromise\n\n  * Associated indicators of compromise are provided alongside this report. \n\n\n\n# Recommendations\n\n  * Ensure anti-virus software and associated files are up to date.\n  * Search for existing signs of the indicated IoCs in your environment.\n  * Consider blocking and or setting up detection for all URL and IP based IoCs.\n  * Keep applications and operating systems running at the current released patch level.\n  * Exercise caution with attachments and links in emails.\n\n\n\n# Reference\n\n  * <https://tolisec.com/active-crypto-mining-operation-by-teamtnt/>",
    "category": "XFEReportsFlan",
    "instruction_type": "xfe_report_simple",
    "parsed_raw_data": {
      "xfe_q": "IoCs for Active Cryptomining from TeamTNT\nFollowing up on a report from June, more indicators of compromise have been disclosed by Tolisec. The previous report is located [here](https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-watchdog-operations/) and a TAR from IBM is located [here](https://exchange.xforce.ibmcloud.com/threats/guid:17b90419e06922902c280ddb85665ad7).",
      "xfe_report": "# Threat Type\n\n  * Cryptomining\n\n\n\n\n# Overview\n\nAdditions to Indicators of Compromise (IoCs) for TeamTNT's cryptomining operation have been released by Tolisec. No new details were provided, therefore, this report contains only the latest in IoCs. XMR pools and an XMR wallet are also included in the below IoCs text file.\n\n# Indicators of Compromise\n\n  * Associated indicators of compromise are provided alongside this report. \n\n\n\n# Recommendations\n\n  * Ensure anti-virus software and associated files are up to date.\n  * Search for existing signs of the indicated IoCs in your environment.\n  * Consider blocking and or setting up detection for all URL and IP based IoCs.\n  * Keep applications and operating systems running at the current released patch level.\n  * Exercise caution with attachments and links in emails.\n\n\n\n# Reference\n\n  * <https://tolisec.com/active-crypto-mining-operation-by-teamtnt/>"
    }
  },
  {
    "instruction": "Tell me about the following threat: P.A.S. Fork v. 1.0\nA blog from Sucuri has an analysis of the P.A.S. Fork V. 1.0, a PHP web shell that originally appeared in 2013.\n\nProvide threat type, overview, describe IoCs if exists, recommandations, related MITRE ATT&CK TTPs and references if exists.",
    "context": "",
    "output": "Sure! Here is the information I have about the threat: P.A.S. Fork v. 1.0\nA blog from Sucuri has an analysis of the P.A.S. Fork V. 1.0, a PHP web shell that originally appeared in 2013.\n\n# Threat Type\n\n  * Malware\n\n\n\n\n# Overview\n\nSucuri has published a blog with information on P.A.S. Fork V 1.0. A version of the PHP web shell has been making the rounds since at least late 2016 when DHS and the FBI issued a joint report (linked below) on the malware with several IoCs for detection of the web shell. The initial version of the web shell was retired in 2013 due to accusations made against the authors of the shell. The latest variant was first seen in January 2020 in a new thread on a forum. Interest in the P.A.S. web shell was renewed after disclosure of new capabilities. These capabilities were mainly related to evasion tactics to avoid detection from web application firewalls and IDS systems. First verifiable usage of the new version came in March 2020 on a compromised website. Other changes included a different packer/obfuscator and the addition of random ASCII characters, which makes the PHP code difficult to read without proper editing tools. By removing the added strings, analysis could more easily be performed. Other modifications exist and can be seen by comparing older versions with the newest in a side-by-side editor. Backdoor commands are contained within the attacker's HTTP request as cookies. Hash values are set to facilitate obfuscation and are applied to a string containing the server IP and backdoor file. Hashed passwords can also be encoded. Further details can be found in the blog post located within the Reference section below.\n\n# CVEs\n\n  * N/A\n\n\n\n\n# Recommendations\n\n  * Review the source article for full details.\n\n  * Apply applicable patches, updates, or workarounds as necessary. \n\n\n\n\n# Reference\n\n  * <https://blog.sucuri.net/2020/10/p-a-s-fork-v-1-0-a-web-shell-revival.html>\n\n  * <https://us-cert.cisa.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf>",
    "category": "XFEReportsFlan",
    "instruction_type": "xfe_report_simple",
    "parsed_raw_data": {
      "xfe_q": "P.A.S. Fork v. 1.0\nA blog from Sucuri has an analysis of the P.A.S. Fork V. 1.0, a PHP web shell that originally appeared in 2013.",
      "xfe_report": "# Threat Type\n\n  * Malware\n\n\n\n\n# Overview\n\nSucuri has published a blog with information on P.A.S. Fork V 1.0. A version of the PHP web shell has been making the rounds since at least late 2016 when DHS and the FBI issued a joint report (linked below) on the malware with several IoCs for detection of the web shell. The initial version of the web shell was retired in 2013 due to accusations made against the authors of the shell. The latest variant was first seen in January 2020 in a new thread on a forum. Interest in the P.A.S. web shell was renewed after disclosure of new capabilities. These capabilities were mainly related to evasion tactics to avoid detection from web application firewalls and IDS systems. First verifiable usage of the new version came in March 2020 on a compromised website. Other changes included a different packer/obfuscator and the addition of random ASCII characters, which makes the PHP code difficult to read without proper editing tools. By removing the added strings, analysis could more easily be performed. Other modifications exist and can be seen by comparing older versions with the newest in a side-by-side editor. Backdoor commands are contained within the attacker's HTTP request as cookies. Hash values are set to facilitate obfuscation and are applied to a string containing the server IP and backdoor file. Hashed passwords can also be encoded. Further details can be found in the blog post located within the Reference section below.\n\n# CVEs\n\n  * N/A\n\n\n\n\n# Recommendations\n\n  * Review the source article for full details.\n\n  * Apply applicable patches, updates, or workarounds as necessary. \n\n\n\n\n# Reference\n\n  * <https://blog.sucuri.net/2020/10/p-a-s-fork-v-1-0-a-web-shell-revival.html>\n\n  * <https://us-cert.cisa.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf>"
    }
  },
  {
    "instruction": "Tell me everything you know the following threat: Adobe Document Cloud Phishing Campaign\nDocument sharing services are increasingly being impersonated in order to harvest credentials. In one such case analyzed by Cofense in a recent blog post, Adobe Document Cloud is the targeted service.",
    "context": "",
    "output": "\n# Threat Type\n\n  * Phishing\n\n\n\n\n# Overview\n\nCofense has published a blog post analyzing a phishing email using an Adobe Document Cloud lure. The email originates from a Gmail account and claims to be from a government agency, providing legitimate contact details to support this. Attached, is what the body of the email states, is a purchase order that can be accessed via Adobe Document Cloud login or by downloading the latest version of Adobe Acrobat Reader, hoping they'll opt for the easier login choice. Opening the attachment results in an HTML page stored locally that gathers its resources from the legitimate Adobe website. After bypassing a popup stating that the document is electronically encrypted and requires the recipient to log in with their email to view, they are directed to a fake Adobe Document Cloud sign in page. Any submitted credentials are exfiltrated to a remote URL controlled by the attacker. Finally, the victim is redirected to the legitimate Adobe Acrobat webpage. For more information, see the Cofense blog post in the Reference section.\n\n# Indicators of Compromise\n\n  * Associated indicators of compromise are provided alongside this report.   \n\n\n\n\n# Recommendations\n\n  * Ensure anti-virus software and associated files are up to date.\n  * Search for existing signs of the indicated IoCs in your environment.\n  * Consider blocking and or setting up detection for all URL and IP based IoCs.\n  * Keep applications and operating systems running at the current released patch level.\n  * Exercise caution with attachments and links in emails.\n\n\n\n# Reference\n\n  * <https://cofense.com/document-sharing-services-represent-a-vector-for-phishing-campaigns/>",
    "category": "XFEReportsFlan",
    "instruction_type": "xfe_report_simple",
    "parsed_raw_data": {
      "xfe_q": "Adobe Document Cloud Phishing Campaign\nDocument sharing services are increasingly being impersonated in order to harvest credentials. In one such case analyzed by Cofense in a recent blog post, Adobe Document Cloud is the targeted service.",
      "xfe_report": "# Threat Type\n\n  * Phishing\n\n\n\n\n# Overview\n\nCofense has published a blog post analyzing a phishing email using an Adobe Document Cloud lure. The email originates from a Gmail account and claims to be from a government agency, providing legitimate contact details to support this. Attached, is what the body of the email states, is a purchase order that can be accessed via Adobe Document Cloud login or by downloading the latest version of Adobe Acrobat Reader, hoping they'll opt for the easier login choice. Opening the attachment results in an HTML page stored locally that gathers its resources from the legitimate Adobe website. After bypassing a popup stating that the document is electronically encrypted and requires the recipient to log in with their email to view, they are directed to a fake Adobe Document Cloud sign in page. Any submitted credentials are exfiltrated to a remote URL controlled by the attacker. Finally, the victim is redirected to the legitimate Adobe Acrobat webpage. For more information, see the Cofense blog post in the Reference section.\n\n# Indicators of Compromise\n\n  * Associated indicators of compromise are provided alongside this report.   \n\n\n\n\n# Recommendations\n\n  * Ensure anti-virus software and associated files are up to date.\n  * Search for existing signs of the indicated IoCs in your environment.\n  * Consider blocking and or setting up detection for all URL and IP based IoCs.\n  * Keep applications and operating systems running at the current released patch level.\n  * Exercise caution with attachments and links in emails.\n\n\n\n# Reference\n\n  * <https://cofense.com/document-sharing-services-represent-a-vector-for-phishing-campaigns/>"
    }
  },
  {
    "instruction": "Tell me about the following threat: K-Electric in Pakistan Suffers Netwalker Ransomware Attack\nBreach / Leak Notification: An electricity provider in Pakistan, K-Electric, has suffered a Netwalker ransomware attack. According to a media report the, the attack has impacted online services, including billing.\n\nProvide threat type, overview, describe IoCs if exists, recommandations, related MITRE ATT&CK TTPs and references if exists.",
    "context": "",
    "output": "Sure! Here is the information I have about the threat: K-Electric in Pakistan Suffers Netwalker Ransomware Attack\nBreach / Leak Notification: An electricity provider in Pakistan, K-Electric, has suffered a Netwalker ransomware attack. According to a media report the, the attack has impacted online services, including billing.\n\n# Threat Type\n\n  * Breach/Leak \n\n\n\n\n# Overview\n\n  \nK-Electric, the sole electricity provider for Karachi, Pakistan, has suffered a Netwalker ransomware attack that led to the disruption of billing and online services. K-Electric is Pakistan's largest power supplier, serving 2.5 million customers and employing over 10 thousand people. Starting yesterday, K-Electric customers have been unable to access the online services for their account.\n\n# Reference\n\n  * <https://www.bleepingcomputer.com/news/security/netwalker-ransomware-hits-pakistans-largest-private-power-utility/>",
    "category": "XFEReportsFlan",
    "instruction_type": "xfe_report_simple",
    "parsed_raw_data": {
      "xfe_q": "K-Electric in Pakistan Suffers Netwalker Ransomware Attack\nBreach / Leak Notification: An electricity provider in Pakistan, K-Electric, has suffered a Netwalker ransomware attack. According to a media report the, the attack has impacted online services, including billing.",
      "xfe_report": "# Threat Type\n\n  * Breach/Leak \n\n\n\n\n# Overview\n\n  \nK-Electric, the sole electricity provider for Karachi, Pakistan, has suffered a Netwalker ransomware attack that led to the disruption of billing and online services. K-Electric is Pakistan's largest power supplier, serving 2.5 million customers and employing over 10 thousand people. Starting yesterday, K-Electric customers have been unable to access the online services for their account.\n\n# Reference\n\n  * <https://www.bleepingcomputer.com/news/security/netwalker-ransomware-hits-pakistans-largest-private-power-utility/>"
    }
  },
  {
    "instruction": "Tell me everything you know the following threat: Campaign Targeting Cryptocurrency Users\nIntezer discovered a campaign targeting cryptocurrency users that they estimate began in early 2020. A new RAT associated with the campaign has been named ElectroRAT by Intezer. It is written in Golang and can run on Linux, MacOS, and Windows.",
    "context": "",
    "output": "\n# Threat Type\n\n  * Malware\n\n\n\n\n# Overview\n\nA campaign that targets cryptocurrency users was discovered by Intezer in late 2020. Intezer estimates the campaign began around January 2020. Three Trojanized applications (DaoPoker, eTrade, and Jamm) built using the Electron framework are used in the campaign to deliver a RAT that has been named ElectroRAT by Intezer. The applications have been promoted through fake user accounts on social media and online forums that focus on cryptocurrency, and are hosted on websites created for the campaign. ElectroRAT uses raw Pastebin pages to determine its C&C address and Intezer estimates, from the number of pages views, that there may be several thousand victims. While ElectroRAT can log keystrokes, take screenshots, upload and download files, and execute commands, its primary goal is to obtain access to the victim's crypto wallets. Further information is available from the link in the Reference section below.\n\n# Indicators of Compromise\n\n  * Associated indicators of compromise are provided alongside this report.   \n\n\n\n\n# Recommendations\n\n  * Ensure anti-virus software and associated files are up to date.\n  * Search for existing signs of the indicated IoCs in your environment.\n  * Consider blocking and or setting up detection for all URL and IP based IoCs.\n  * Keep applications and operating systems running at the current released patch level.\n  * Exercise caution with attachments and links in emails.\n\n\n\n# Reference\n\n  * <https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/>",
    "category": "XFEReportsFlan",
    "instruction_type": "xfe_report_simple",
    "parsed_raw_data": {
      "xfe_q": "Campaign Targeting Cryptocurrency Users\nIntezer discovered a campaign targeting cryptocurrency users that they estimate began in early 2020. A new RAT associated with the campaign has been named ElectroRAT by Intezer. It is written in Golang and can run on Linux, MacOS, and Windows.",
      "xfe_report": "# Threat Type\n\n  * Malware\n\n\n\n\n# Overview\n\nA campaign that targets cryptocurrency users was discovered by Intezer in late 2020. Intezer estimates the campaign began around January 2020. Three Trojanized applications (DaoPoker, eTrade, and Jamm) built using the Electron framework are used in the campaign to deliver a RAT that has been named ElectroRAT by Intezer. The applications have been promoted through fake user accounts on social media and online forums that focus on cryptocurrency, and are hosted on websites created for the campaign. ElectroRAT uses raw Pastebin pages to determine its C&C address and Intezer estimates, from the number of pages views, that there may be several thousand victims. While ElectroRAT can log keystrokes, take screenshots, upload and download files, and execute commands, its primary goal is to obtain access to the victim's crypto wallets. Further information is available from the link in the Reference section below.\n\n# Indicators of Compromise\n\n  * Associated indicators of compromise are provided alongside this report.   \n\n\n\n\n# Recommendations\n\n  * Ensure anti-virus software and associated files are up to date.\n  * Search for existing signs of the indicated IoCs in your environment.\n  * Consider blocking and or setting up detection for all URL and IP based IoCs.\n  * Keep applications and operating systems running at the current released patch level.\n  * Exercise caution with attachments and links in emails.\n\n\n\n# Reference\n\n  * <https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/>"
    }
  },
  {
    "instruction": "I have encountered the following information: HabitsRAT Used to Target Linux and Windows Servers\nHabitsRAT is a simple backdoor identified to be targeting Microsoft Exchange servers by exploiting the ProxyLogon vulnerability. Intezer has discovered newer Windows variants as well as a Linux variant.\n\nWhat can you tell me about it? I need overview, related mitre attack informations if exists, IoCs, recommandations and possible references.",
    "context": "",
    "output": "You are asking about a specific threat report. Below is the information I have about the given report\n\n# Threat Type\n\n  * Malware, RAT\n\n\n\n\nOverview\n\nIntezer published a blog post analyzing the HabitsRAT backdoor, which was previously observed exploiting the ProxyLogon vulnerability. With their discovery, they also found a Linux variant of the malware, although the exploit leveraged to deliver this version is unknown. The malware is written in Go, allowing the same main code base to be shared between the variants with separate files to handle operating system-specific code. Once on the system, it attempts to establish persistence via a systemd unit file on Linux or a scheduled task on Windows. C2 communication is rather sophisticated as it uses public-key cryptography for encryption and authentication. The C2 server is polled every 10 seconds to check whether a command should be executed. Along with version 11 of the malware, a version 12 was found for Windows, with a different C2 public key in use and support for multiple C2 addresses. For more information, see the Intezer blog post in the Reference section.\n\n# Indicators of Compromise\n\n  * Associated indicators of compromise are provided alongside this report. \n\n\n\n# Recommendations\n\n  * Ensure anti-virus software and associated files are up to date.\n  * Search for existing signs of the indicated IoCs in your environment.\n  * Consider blocking and or setting up detection for all URL and IP based IoCs.\n  * Keep applications and operating systems running at the current released patch level.\n\n\n\n# Reference\n\n  * <https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/>",
    "category": "XFEReportsFlan",
    "instruction_type": "xfe_report_simple",
    "parsed_raw_data": {
      "xfe_q": "HabitsRAT Used to Target Linux and Windows Servers\nHabitsRAT is a simple backdoor identified to be targeting Microsoft Exchange servers by exploiting the ProxyLogon vulnerability. Intezer has discovered newer Windows variants as well as a Linux variant.",
      "xfe_report": "# Threat Type\n\n  * Malware, RAT\n\n\n\n\nOverview\n\nIntezer published a blog post analyzing the HabitsRAT backdoor, which was previously observed exploiting the ProxyLogon vulnerability. With their discovery, they also found a Linux variant of the malware, although the exploit leveraged to deliver this version is unknown. The malware is written in Go, allowing the same main code base to be shared between the variants with separate files to handle operating system-specific code. Once on the system, it attempts to establish persistence via a systemd unit file on Linux or a scheduled task on Windows. C2 communication is rather sophisticated as it uses public-key cryptography for encryption and authentication. The C2 server is polled every 10 seconds to check whether a command should be executed. Along with version 11 of the malware, a version 12 was found for Windows, with a different C2 public key in use and support for multiple C2 addresses. For more information, see the Intezer blog post in the Reference section.\n\n# Indicators of Compromise\n\n  * Associated indicators of compromise are provided alongside this report. \n\n\n\n# Recommendations\n\n  * Ensure anti-virus software and associated files are up to date.\n  * Search for existing signs of the indicated IoCs in your environment.\n  * Consider blocking and or setting up detection for all URL and IP based IoCs.\n  * Keep applications and operating systems running at the current released patch level.\n\n\n\n# Reference\n\n  * <https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/>"
    }
  },
  {
    "instruction": "Tell me everything you know the following threat: An Egregor Ransomware Profile\nA report from Malwarebytes Labs provides a profile of the Egregor ransomware which was first observed in September 2020. Egregor is reportedly a variant of the Sekhmet ransomware.",
    "context": "",
    "output": "\n# Threat Type\n\n  * Ransomware\n\n\n\n\n# Overview\n\nAs the Egregor ransomware-as-a-service (RaaS) operation emerged, Maze affiliates began migrating to it. Some high profile attacks of large organizations have already been attributed to Egregor. Due to Egregor being ransomware-as-a-service with multiple affiliates the methods of Egregor distribution can vary. According to Malwarebytes Labs, the primary method is through comprising hosts by various means and installing Cobalt Strike which is ultimately used to deliver the Egregor payload. Other methods observed include phishing emails which deliver Qakbot and then Egregor installed manually by the attacker. Malwarebytes Labs also notes that there are reports of vulnerabilities in Microsoft's Exchange and VBScript Engine, and Adobe Flash Player, being used to compromise targets. Once a foothold inside a target is attained, the attackers will carry out a number of actions including, attempting to move laterally, identifying the high value systems, exfiltrating data, and finally executing the Egregor payload. While the ransom note provides details and a timeframe for paying the ransom (3 days) it also offers to provide information on the victim's security, such as how the initial breach occurred, etc. As is common in ransomware now, there is also the threat that if the ransom is not paid, the victim's sensitive data will be published. Further details are available from the report linked in the Reference section below.\n\n# Indicators of Compromise\n\n  * Associated indicators of compromise are provided alongside this report.   \n\n\n\n\n# Recommendations\n\n  * Ensure anti-virus software and associated files are up to date.\n  * Search for existing signs of the indicated IoCs in your environment.\n  * Consider blocking and or setting up detection for all URL and IP based IoCs.\n  * Keep applications and operating systems running at the current released patch level.\n  * Exercise caution with attachments and links in emails.\n\n\n\n# Reference\n\n  * <https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/>",
    "category": "XFEReportsFlan",
    "instruction_type": "xfe_report_simple",
    "parsed_raw_data": {
      "xfe_q": "An Egregor Ransomware Profile\nA report from Malwarebytes Labs provides a profile of the Egregor ransomware which was first observed in September 2020. Egregor is reportedly a variant of the Sekhmet ransomware.",
      "xfe_report": "# Threat Type\n\n  * Ransomware\n\n\n\n\n# Overview\n\nAs the Egregor ransomware-as-a-service (RaaS) operation emerged, Maze affiliates began migrating to it. Some high profile attacks of large organizations have already been attributed to Egregor. Due to Egregor being ransomware-as-a-service with multiple affiliates the methods of Egregor distribution can vary. According to Malwarebytes Labs, the primary method is through comprising hosts by various means and installing Cobalt Strike which is ultimately used to deliver the Egregor payload. Other methods observed include phishing emails which deliver Qakbot and then Egregor installed manually by the attacker. Malwarebytes Labs also notes that there are reports of vulnerabilities in Microsoft's Exchange and VBScript Engine, and Adobe Flash Player, being used to compromise targets. Once a foothold inside a target is attained, the attackers will carry out a number of actions including, attempting to move laterally, identifying the high value systems, exfiltrating data, and finally executing the Egregor payload. While the ransom note provides details and a timeframe for paying the ransom (3 days) it also offers to provide information on the victim's security, such as how the initial breach occurred, etc. As is common in ransomware now, there is also the threat that if the ransom is not paid, the victim's sensitive data will be published. Further details are available from the report linked in the Reference section below.\n\n# Indicators of Compromise\n\n  * Associated indicators of compromise are provided alongside this report.   \n\n\n\n\n# Recommendations\n\n  * Ensure anti-virus software and associated files are up to date.\n  * Search for existing signs of the indicated IoCs in your environment.\n  * Consider blocking and or setting up detection for all URL and IP based IoCs.\n  * Keep applications and operating systems running at the current released patch level.\n  * Exercise caution with attachments and links in emails.\n\n\n\n# Reference\n\n  * <https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/>"
    }
  }
]