admin / SAynapse-Horizon
publicSelf Hosted Cyber Threat Intelligence Hub
SAynapse-Horizon / Synapse-Horizon / backend / src / sources / feodo.js
1795 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 | import { makeIoc, fetchWithTimeout, ok, unconfigured, SEVERITY } from '../normalize.js' // Feodo Tracker (abuse.ch) — active botnet C2 IP blocklist. Auth-Key required. const URL = 'https://feodotracker.abuse.ch/downloads/ipblocklist.json' const LIMIT = 25 export const meta = { key: 'feodo', requiresKey: true } export function configured() { return Boolean(process.env.ABUSE_CH_AUTH_KEY) } export async function fetchSource() { const key = process.env.ABUSE_CH_AUTH_KEY if (!key) return unconfigured('Set ABUSE_CH_AUTH_KEY (free abuse.ch account) to enable Feodo Tracker.') const res = await fetchWithTimeout(URL, { headers: { 'Auth-Key': key } }) const rows = await res.json() const list = Array.isArray(rows) ? rows : [] const iocs = list .filter((r) => /online/i.test(r.status || 'online')) .sort((a, b) => new Date(b.last_online || b.first_seen) - new Date(a.last_online || a.first_seen)) .slice(0, LIMIT) .map((r) => { const botnet = r.malware || 'Feodo' const indicator = r.port ? `${r.ip_address}:${r.port}` : r.ip_address return makeIoc('feodo', { detectedAt: r.last_online || r.first_seen, severity: SEVERITY.HIGH, category: 'Botnet C2', indicator, indicatorType: r.port ? 'ip:port' : 'ip', target: botnet, confidence: 90, mitre: [{ id: 'T1071.001', name: 'Application Layer Protocol: Web Protocols' }], headline: `Botnet C2: ${botnet} command-and-control server online at ${indicator} tracked by Feodo Tracker`, raw: r, stix: { type: 'indicator', pattern: `[ipv4-addr:value = '${r.ip_address}']`, pattern_type: 'stix', labels: ['command-and-control'], }, }) }) return ok(iocs) } |