cyber_threat_intelligence/actors/Novter

Novter - Cyber Threat Intelligence

These indicators were collected during the VulDB CTI analysis of the actor known as Novter. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.novter

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Novter:

• PL
• CN
• US
• ...

There are 5 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of Novter.

ID	IP address	Hostname	Campaign	Confidence
1	1.88.24.27	-	-	High
2	2.58.80.150	-	-	High
3	2.196.217.25	-	-	High
4	3.128.83.132	ec2-3-128-83-132.us-east-2.compute.amazonaws.com	-	Medium
5	5.61.40.95	-	-	High
6	5.61.42.103	-	-	High
7	5.61.42.111	box.invfx.eu	-	High
8	5.61.42.116	-	-	High
9	5.61.48.155	-	-	High
10	5.61.48.156	192.64.119.156	-	High
11	6.217.158.104	-	-	High
12	7.130.244.4	-	-	High
13	13.158.242.227	-	-	High
14	20.56.162.154	-	-	High
15	...	...	...	...

There are 54 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected ATT&CK techniques used by Novter. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Weakness	Description	Confidence
1	T1059.007	CWE-79, CWE-80	Cross Site Scripting	High
2	T1068	CWE-250, CWE-264, CWE-284	Execution with Unnecessary Privileges	High
3	T1110.001	CWE-798	Improper Restriction of Excessive Authentication Attempts	High
4	...	...	...	...

There are 5 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Novter. This data is unique as it uses our predictive model for actor profiling.

ID	Type	Indicator	Confidence
1	File	/adfs/ls	Medium
2	File	/getcfg.php	Medium
3	File	/index.php/weblinks-categories	High
4	File	/iwguestbook/admin/messages_edit.asp	High
5	File	/public/plugins/	High
6	File	/scripts/iisadmin/bdir.htr	High
7	File	/wp-content/plugins/updraftplus/admin.php	High
8	File	add.php	Low
9	File	admin.cgi/config.cgi	High
10	File	admin/admin.guestbook.php	High
11	File	admin/auth.php	High
12	File	admin/backupdb.php	High
13	File	admin/login.asp	High
14	File	admin/preview.php	High
15	File	administrator/components/com_media/helpers/media.php	High
16	File	archive_read_support_format_rar.c	High
17	File	auth.py	Low
18	File	authenticate.php	High
19	File	auto/glob_new.php	High
20	...	...	...

There are 165 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

• https://github.com/hvs-consulting/ioc_signatures/blob/main/Novter/HvS_Novter_2021-02_IOCs.csv

Literature

The following articles explain our unique predictive cyber threat intelligence:

• VulDB Cyber Threat Intelligence Documentation
• Cyber Threat Intelligence - Early Anticipation of Attacks

License

(c) 1997-2022 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!