
CCB (Cyber Campaign Briefs) API

CCB (Cyber Campaign Briefs)

The Infoblox Cyber Intelligence team ATP produces weekly Cyber Campaign Briefs (CCBs). Each CCB is a short write-up by a watch desk analyst about an interesting or notable threat campaign. This source returns a list of the reports in which a given indicator appears.


Data Structure:


{
  "reports": [
    {
      "document_id": string,
      "id": string,
      "indicators": [
        {
          "description": string,
          "id": string,
          "indicator": string,
          "indicator_type": string
        }
      ],
      "keyword": [string],
      "overview": string,
      "publish_date": string,
      "title": string
    }
  ]
}


Example:

Given an indicator of "185.117.89.145", CCB returns the following:

{
  "reports": [
    {
      "document_id": "CCB-2019-50",
      "id": "1a8f258a-0df9-43ec-918d-a7927a83b630",
      "indicators": [
        {
          "description": "FlawedAmmyy C2 IP",
          "id": "27d08fe5-fe62-4824-9a29-47addedb77f4",
          "indicator": "185.117.89.145",
          "indicator_type": "ip"
        },
        {
          "description": "FlawedAmmyy C2 IP",
          "id": "27d08fe5-fe62-4824-9a29-47addedb77f4",
          "indicator": "185.117.89.145",
          "indicator_type": "ip"
        }
      ],
      "keyword": [
        "AndroMut",
        "FlawedAmmyy",
        "RAT",
        "TA50",
        "South Korea",
        "U.A.E.",
        "U.S.",
        "Andromeda",
        "Gamarue",
        "mutshellmy777",
        "Ammyy Admin",
        "Invoice",
        "financial quote"
      ],
      "overview": "From 22 to 24 July, we observed a malicious email campaign distributing the new AndroMut downloader, which in turn dropped the FlawedAmmyy remote access trojan (RAT). Proofpoint attributed the campaign to threat actor TA505, which they assess is also linked to other prevalent malware such as the Dridex banking trojan, Locky ransomware, and Jaff ransomware.",
      "publish_date": "2019-08-07T00:00:00Z",
      "title": "Cyber Campaign Brief: AndroMut Drops FlawedAmmyy"
    }
  ]
}
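
The following is an added example, not Infoblox code: one way an analyst's tooling could validate a CCB response against the data structure above, collapse indicator entries that repeat the same id (as in the example response), and list the reports that mention the queried indicator. The function name summarize_ccb and the sample (an abridged, constructed copy of the example response) are assumptions.

```python
import json
from datetime import datetime, timezone

# Field names and types taken from the "Data Structure" listing above.
REPORT_FIELDS = {"document_id": str, "id": str, "indicators": list, "keyword": list,
                 "overview": str, "publish_date": str, "title": str}
INDICATOR_FIELDS = ("description", "id", "indicator", "indicator_type")

# Constructed sample: abridged copy of the example response, including its
# repeated indicator entry.
C2_ENTRY = {"description": "FlawedAmmyy C2 IP", "indicator": "185.117.89.145",
            "id": "27d08fe5-fe62-4824-9a29-47addedb77f4", "indicator_type": "ip"}
SAMPLE = json.dumps({"reports": [{
    "document_id": "CCB-2019-50",
    "id": "1a8f258a-0df9-43ec-918d-a7927a83b630",
    "indicators": [C2_ENTRY, C2_ENTRY],
    "keyword": ["AndroMut", "FlawedAmmyy", "RAT"],
    "overview": "(abridged)",
    "publish_date": "2019-08-07T00:00:00Z",
    "title": "Cyber Campaign Brief: AndroMut Drops FlawedAmmyy",
}]})

def summarize_ccb(raw, queried_indicator):
    """Validate a CCB response; return one summary dict per report."""
    reports = json.loads(raw).get("reports")
    if not isinstance(reports, list):
        raise ValueError("response has no 'reports' list")
    summaries = []
    for report in reports:
        if not isinstance(report, dict):
            raise ValueError("report entry is not an object")
        for field, kind in REPORT_FIELDS.items():
            if not isinstance(report.get(field), kind):
                raise ValueError(f"report field {field!r} missing or not {kind.__name__}")
        unique = {}  # indicator id -> first entry seen with that id
        for ind in report["indicators"]:
            if not isinstance(ind, dict) or not all(
                    isinstance(ind.get(f), str) for f in INDICATOR_FIELDS):
                raise ValueError("malformed indicator entry")
            unique.setdefault(ind["id"], ind)
        published = datetime.strptime(report["publish_date"], "%Y-%m-%dT%H:%M:%SZ")
        summaries.append({
            "document_id": report["document_id"], "title": report["title"],
            "published": published.replace(tzinfo=timezone.utc),
            "keywords": report["keyword"], "indicator_count": len(unique),
            "matches": [i for i in unique.values() if i["indicator"] == queried_indicator],
        })
    return summaries

if __name__ == "__main__":
    for s in summarize_ccb(SAMPLE, "185.117.89.145"):
        print(s["document_id"], s["published"].date(), s["title"], len(s["matches"]))
```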