Incoming feed - Group-IB Malware C2#

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

Specifications

Transport types

Group-IB Malware C2

Content type

GroupIB Malware CNC JSON

Ingested data

Ingests the Indicators from Group-IB.

Endpoint(s)

/api/v2/malware/cnc

Processed data

See Data mapping.

Requirements#

  • Email address registered with Group-IB.

  • Group-IB API key.

Configure the incoming feed#

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select Group-IB Malware C2 from the drop-down menu.

    Content type*

    Select GroupIB Malware CNC JSON from the drop-down menu.

    API URL*

    By default, this is set to https://bt.group-ib.com.

    API key*

    Set this to your Group-IB API key.

    Email*

    Set this to the email address associated with your Group-IB account.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Path to SSL certificate file.

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    For more information, see SSL certificates.

    Start ingesting from*

    Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

  3. Store your changes by selecting Save.

SSL certificates#

To use an SSL certificate, it must be:

  • Accessible on the EclecticIQ Intelligence Center host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that EclecticIQ Intelligence Center can access the SSL certificate:

  1. Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.

  2. On the EclecticIQ Intelligence Center host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem
    

    Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.

Data mapping#

The sections below contain non-exhaustive information about how Group-IB Malware C2 data is mapped to EclecticIQ Platform entities and observables.

For more information about the Group-IB API schema, see the Group-IB API documentation.

Map to Indicators#

Indicator field name

Mapped from GroupIB Malware CNC JSON

Example value

Description

Title

  • items[].cnc

http://10.0.0.1/

This is the title of the ingested Indicator.

Analysis

  • items[].file[].hashes

  • items[].file[].name

  • items[].file[].size

  • items[].ipv4[].region

  • items[].malwareList[].name

  • items[].threatActor.isAPT

  • items[].threatActor.name

Malware C2

Associated Malware:

- …

Associated Threat Actor:

- …

Associated Files:

- …

Region:

- …

Contains information about the malware C2 indicator.

Types

  • Always set to URL Watchlist and C2

URL Watchlist, C2

Type of Indicator.

Confidence

  • Always set to Unknown

Unknown

Indicator confidence

Estimated time

  • Various

Various

See Map timestamps.

Tags

  • items[].ipv4[].region

  • items[].malwareList[].name

  • items[].threatActor.isAPT

  • items[].threatActor.name

Various

If items[].threatActor.isAPT is present, sets a Is APT - <isAPT> tag.

Producer

  • Various

Various

See Producer/Information source.

Data marking

  • Various

Various

See Data marking.

Map timestamps#

The following table describes how GroupIB Malware CNC JSON timestamps are mapped to Indicator and Incident timestamps on the platform.

Indicator estimated time field

GroupIB Malware CNC JSON field

Estimated threat start time

items[].dateDetected

Estimated threat end time

items[].dateLastSeen

Estimated observed time

items[].dateDetected

Half-life

items[].evaluation.ttl

Ingested

Date and time ingested.

Producer/Information source#

Field name

Mapped from GroupIB Malware CNC JSON

Example value

Description

Identity

  • N/A

Group-IB

Name of organization or person that created the information.

Always set to “Group-IB”.

Roles

  • N/A

Initial Author

Role of information source. Always set to “Initial Author”.

References

  • items[].portalLink

  • https://bt.group-ib.com/attacks/phishing_kit?searchValue=id:adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

One or more links that lead to source information.

Data marking#

Field name

Mapped from GroupIB Malware CNC JSON

Description

TLP

items[].evaluation.tlp

This sets the entity TLP color using values in GroupIB Malware CNC JSON.

Supported observables#

The following table describes the observable types supported for this feed, and how they’re mapped from GroupIB Malware CNC JSON:

ASN

Unknown

  • items[].ipv4.asn (Extracts only ASN number)

Indicator

City

Safe

  • items[].ipv4[].city

Indicator

Country

Safe

  • items[].ipv4.countryName

Indicator

Country Code

Safe

  • items[].ipv4.countryCode

Indicator

Domain

High

items[].domain (If this field contains an IPv4 string, no Domain observable is created)

Indicator

Hash-md5

Unknown

items[].file[].hashes.md5

Indicator

Hash-sha1

Unknown

items[].file[].hashes.sha1

Indicator

Hash-sha256

Unknown

items[].file[].hashes.sha256

Indicator

Hash-sha512

Unknown

items[].file[].hashes.sha512

Indicator

IPv4

Low

  • items[].ipv4[].ip

Indicator

Organisation

Unknown

  • items[].ipv4[].provider

Indicator

URI

High

  • items[].url

Indicator

Map severity to observable maliciousness and as entity tag#

Group-IB assigns a severity value to intelligence objects. When that intelligence object is ingested, its severity value is inherited by the entities and observables it produces.

severity in observables#

When Group-IB intelligence objects are ingested to produce observables on the EcleciticIQ Platform, its severity value is used to set the Maliciousness of the observable.

The table below describes how severity values are translated to observable maliciousness:

Group-IB severity value

EclecticIQ Platform observable maliciousness value

red

Malicious (High confidence)

orange

Malicious (Medium confidence)

green

Malicious (Low confidence)

severity added to entities as tags#

When Group-IB intelligence objects are ingested to produce entities on EclecticIQ Platform, its severity value is translated to a corresponding value and added as a tag to entities produced from it:

Group-IB severity value

EclecticIQ Platform tags

red

Severity - red

orange

Severity - orange

green

Severity - green