from __future__ import annotations

import ipaddress

from cti import mitre
from cti.feeds.base import Feed, load_json
from cti.models import Indicator
| 6 | |
| 7 | |
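class FeodoTracker(Feed):
    """abuse.ch Feodo Tracker botnet C2 IP blocklist (JSON export).

    Every entry carrying a usable ``ip_address`` becomes one ``ip`` indicator
    with threat type ``botnet_cc``; the malware family named by the feed is
    mapped to ATT&CK techniques through :mod:`cti.mitre`.
    """

    name = "feodo"
    url = "https://feodotracker.abuse.ch/downloads/ipblocklist.json"

    def parse(self, raw: str) -> list[Indicator]:
        """Turn the raw JSON body of the blocklist into indicators.

        Args:
            raw: Response body fetched from ``url``.

        Returns:
            One ``Indicator`` per entry whose ``ip_address`` parses as an
            IPv4/IPv6 address; entries that are not objects or carry a
            missing/invalid address are skipped. The feed is untrusted
            input, so the address is validated with :mod:`ipaddress` and
            emitted in canonical form instead of being copied through
            verbatim.
        """
        entries = load_json(raw)
        indicators: list[Indicator] = []
        # Techniques implied by the threat type are the same for every entry.
        base_techniques = mitre.techniques_for_threat_type("botnet_cc")
        for entry in entries:
            if not isinstance(entry, dict):
                continue  # malformed row; do not trust the feed's shape
            ip = self._valid_ip(entry.get("ip_address"))
            if ip is None:
                continue
            malware = entry.get("malware")
            # Build a fresh list. Using ``+=`` on the helper's return value
            # would mutate in place whatever list the helper handed back —
            # if that is an internal lookup table, techniques would leak
            # between entries and across parse() calls.
            techniques = [*mitre.techniques_for_malware(malware), *base_techniques]
            status = entry.get("status")
            indicators.append(
                Indicator(
                    type="ip",
                    value=ip,
                    source=self.name,
                    threat_type="botnet_cc",
                    # Curated C2 list with a low false-positive rate; fixed score.
                    confidence=90,
                    malware=malware,
                    techniques=sorted(set(techniques)),
                    # Only emit a tag when the feed actually supplies a status;
                    # an empty-string tag carries no information.
                    tags=[status] if status else [],
                    first_seen=entry.get("first_seen"),
                )
            )
        return indicators

    @staticmethod
    def _valid_ip(value: object) -> str | None:
        """Return the canonical text form of ``value`` if it is an IP address, else ``None``.

        Non-string values, empty strings, CIDR ranges, hostnames and any
        other junk the feed might contain are rejected rather than stored
        as an ``ip`` indicator.
        """
        if not isinstance(value, str):
            return None
        try:
            return str(ipaddress.ip_address(value.strip()))
        except ValueError:
            return None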