Threat Research

NetTraveler in OpenIOC Format

We noticed some chatter on Twitter that folks were interested in converting elements of Kaspersky's NetTraveler report into the OpenIOC format. The NetTraveler report details a set of backdoors, phishing and spear phishing campaigns, and command and control infrastructure for a certain APT group. Mandiant has been tracking this particular group for a number of years.

Kaspersky's report contains a large set of actionable information consisting of host- and network-based indicators that can be captured in the OpenIOC format. This includes file hashes, file names and paths, PE metadata, DNS names, and IP addresses. Given our prior interest in this threat group, we have already converted the information from the NetTraveler report into the OpenIOC format.
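To show what capturing those indicator types in OpenIOC looks like, here is an added Python example (not code from Mandiant, Kaspersky, or the tools mentioned below) that builds an OpenIOC 1.0 document from a handful of constructed indicators; the term names in `TERMS` are assumptions based on the OpenIOC 1.0 terms IOC Editor emits, and every indicator value is a placeholder rather than a real NetTraveler indicator.

```python
# Added example (not Mandiant's or Kaspersky's code): builds an OpenIOC 1.0
# document from CONSTRUCTED indicators of the kinds the post lists.
# Every value below is a placeholder, not a real NetTraveler indicator.
import uuid
import xml.etree.ElementTree as ET

NS = "http://schemas.mandiant.com/2010/ioc"

# Indicator kind -> (OpenIOC document, search term, Content type, condition).
# These are the OpenIOC 1.0 terms IOC Editor emits; adjust if your tooling
# expects different term names (assumption, not taken from the post).
TERMS = {
    "md5":      ("FileItem", "FileItem/Md5sum",   "md5",    "is"),
    "filename": ("FileItem", "FileItem/FileName", "string", "is"),
    "dns":      ("Network",  "Network/DNS",       "string", "contains"),
    "ip":       ("PortItem", "PortItem/remoteIP", "IP",     "is"),
}

SAMPLE_INDICATORS = [  # constructed placeholders, not from the report
    ("md5", "d41d8cd98f00b204e9800998ecf8427e"),
    ("filename", "placeholder_dropper.exe"),
    ("dns", "c2.placeholder.invalid"),
    ("ip", "203.0.113.10"),
]

def build_ioc(indicators, short_desc, author="example", stamp="2013-01-01T00:00:00"):
    """Return an OpenIOC 1.0 XML string: one OR block over all indicators."""
    ET.register_namespace("", NS)            # emit a default xmlns
    ioc = ET.Element(f"{{{NS}}}ioc", id=str(uuid.uuid4()), last_modified=stamp)
    ET.SubElement(ioc, f"{{{NS}}}short_description").text = short_desc
    ET.SubElement(ioc, f"{{{NS}}}authored_by").text = author
    ET.SubElement(ioc, f"{{{NS}}}authored_date").text = stamp
    ET.SubElement(ioc, f"{{{NS}}}links")
    definition = ET.SubElement(ioc, f"{{{NS}}}definition")
    block = ET.SubElement(definition, f"{{{NS}}}Indicator",
                          operator="OR", id=str(uuid.uuid4()))
    for kind, value in indicators:
        doc, search, ctype, cond = TERMS[kind]   # KeyError flags unknown kinds
        item = ET.SubElement(block, f"{{{NS}}}IndicatorItem",
                             id=str(uuid.uuid4()), condition=cond)
        ET.SubElement(item, f"{{{NS}}}Context",
                      document=doc, search=search, type="mir")
        ET.SubElement(item, f"{{{NS}}}Content", type=ctype).text = value
    return ET.tostring(ioc, encoding="unicode")

def count_items(xml_text):
    """Parse the XML back and count IndicatorItem elements (round-trip check)."""
    root = ET.fromstring(xml_text)
    return len(root.findall(f".//{{{NS}}}IndicatorItem"))
```

Each indicator becomes one `IndicatorItem` under a single `OR` block, which is the simplest form a scanner accepts; grouping related items under nested `AND` blocks is where the real curation work lies.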

Given the large volume of information in the report, we used tools to automate the IOC creation process where possible. These tools will be demonstrated at the Black Hat Arsenal at the end of July in Las Vegas, NV.