This repository contains indicators and methods for detecting malware and other malicious online activity. Indicators are listed here when our investigative teams strongly believe that they are tied to malicious activity. We recommend that all indicators listed in this repository be reviewed before taking action within your organization.
indicators
- Holds indicators in CSV, TSV, STIX v1, and JSON formatssignatures
- Hold detection signaturessignatures/yara
- YARA (https://virustotal.github.io/yara/) signatures to detect malware and other files
indicator_type
- References the type of indicator (e.g.android_package_name
)indicator_value
- The actual indicatorcomment
- Any comments, very often the "name" of an appds
- Datestamp (yyyy-mm-dd) related to this indicator. Very often the date of publication not the date of detection
android_package_name
- An Android package name (e.g. com.example.app) For STIX v1 this is placed within a File object in the "Filename" fieldios_app_id
- An iOS App ID (e.g. 10000000001) For STIX v1 this is placed within a File object in the "Filename" fielddomain_name
- A domain namemd5
- An MD5 Hashsha256
- A SHA256 Haship
- An IP Addressphishing_url
- A URL associated with phishingcib_url
- A URL associated with Coordinated Inauthentic Behavior (CIB)telegram_url
- A URL to a Telegram Channel
The file index.json
can be used to programatically consume our indicators. The file is JSON formatted and contains an array of JSON objects, one for each "entry" in this repository. All paths in this file are relative to the root of the repo. The schema is as follows:
{
"id" : "id_of_the_entry",
"added_ds" : "yyyy-mm-dd that this entry was added to the repo",
"reported_ds" : "yyyy-mm-dd that this entry was first reported by Meta",
"reference_urls" : ["Array of URLs where you can learn more"],
"indicators" : {
"csv_files" : ["paths to CSV files associated with this entry"],
"json_files" : ["paths to JSON files associated with this entry"],
"tsv_files" : ["paths to TSV files associated with this entry"],
"stix1_files" : ["paths to XML STIX v1 files associated with this entry"],
"stix2_files" : ["paths to JSON STIX v2 files associated with this entry"]
},
"signatures" : {
"yara_files" : ["paths to YARA files associated with this entry"]
}
}
Please see https://about.fb.com/news/2022/10/protecting-people-from-malicious-account-compromise-apps/ to learn more
Meta uses a wide variety of techniques to find and combat malware and malicious activity. Exact detection methods are generally not shared publicly.
We have high confidence in our indicators. We manually vet all indicators before they are published to this repository. There still remains a very low chance that an indicator may be a false positive, so we recommend users review the indicators before taking action.
Open an Issue on Github and we'll look into it
Under the MIT License (see LICENSE
)
- 2022_malicious_mobile_apps (csv, json, stix1, tsv) - https://about.fb.com/news/2022/10/protecting-people-from-malicious-account-compromise-apps/
- 2022_09_removing_coordinated_inauthentic_behavior_from_china_and_russia (csv, json, stix1, tsv) - https://about.fb.com/news/2022/09/removing-coordinated-inauthentic-behavior-from-china-and-russia/
- 2022_08_metas_adversarial_threat_report_q2 (csv, json, stix1, tsv, yara) - https://about.fb.com/news/2022/08/metas-adversarial-threat-report-q2-2022/
- 2022_04_metas_adversarial_threat_report_q1 (csv, json, stix1, tsv, yara) - https://about.fb.com/news/2022/04/metas-adversarial-threat-report-q1-2022/
- 2021_12_taking_action_against_surveillance_for_hire (csv, json, stix1, tsv) - https://about.fb.com/news/2021/12/taking-action-against-surveillance-for-hire/
- 2021_11_action_against_hackers_in_pakistan_and_syria (csv, json, stix1, tsv) - https://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/
- 2021_07_taking_action_against_hackers_in_iran (csv, json, stix1, tsv) - https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/
- 2021_04_taking_action_against_hackers_in_palestine (csv, json, stix1, tsv) - https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/
- 2021_03_taking_action_against_hackers_in_china (csv, json, stix1, tsv) - https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/
- 2020_12_taking_action_against_hackers_in_bangladesh_and_vietnam (csv, json, stix1, tsv, yara) - https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/