admin / SAynapse-Horizon
publicSelf Hosted Cyber Threat Intelligence Hub
SAynapse-Horizon / Synapse-Horizon-v2 / backend / src / sources / threatfox.js
2102 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 | import { makeIoc, fetchWithTimeout, ok, unconfigured, clampConfidence, SEVERITY } from '../normalize.js' // ThreatFox (abuse.ch) — recent IOCs (C2 nodes, payload infra). Auth-Key required. const URL = 'https://threatfox-api.abuse.ch/api/v1/' const LIMIT = 25 const RANSOMWARE = /lockbit|alphv|blackcat|akira|rhysida|medusa|play|clop|royal|black basta/i export const meta = { key: 'threatfox', requiresKey: true } export function configured() { return Boolean(process.env.ABUSE_CH_AUTH_KEY) } export async function fetchSource() { const key = process.env.ABUSE_CH_AUTH_KEY if (!key) return unconfigured('Set ABUSE_CH_AUTH_KEY (free abuse.ch account) to enable ThreatFox.') const res = await fetchWithTimeout(URL, { method: 'POST', headers: { 'Auth-Key': key, 'Content-Type': 'application/json' }, body: JSON.stringify({ query: 'get_iocs', days: 1 }), }) const data = await res.json() const rows = Array.isArray(data?.data) ? data.data : [] const iocs = rows.slice(0, LIMIT).map((r) => { const malware = r.malware_printable || r.malware || 'unknown malware' const isC2 = /botnet_cc|c2/i.test(r.threat_type || '') const ransomware = RANSOMWARE.test(malware) return makeIoc('threatfox', { detectedAt: r.first_seen || r.first_seen_utc, severity: ransomware ? SEVERITY.CRITICAL : SEVERITY.HIGH, category: isC2 ? 'Malware Infrastructure' : 'Malware Indicator', indicator: r.ioc, indicatorType: r.ioc_type || 'ioc', target: malware, confidence: clampConfidence(r.confidence_level, 80), mitre: [{ id: 'T1583.004', name: 'Acquire Infrastructure: Server' }], headline: isC2 ? `Malware Infrastructure: Active ${malware} C2 node identified on ${r.ioc} by ThreatFox` : `Malware Indicator: ${r.ioc} associated with ${malware} reported by ThreatFox`, raw: r, stix: { type: 'indicator', pattern: `[x-ioc:value = '${r.ioc}']`, pattern_type: 'stix', labels: [isC2 ? 'command-and-control' : 'malicious-activity'], }, }) }) return ok(iocs) } |