Below is this week’s edition of ThreatConnect’s Research Roundup: Threat Intel Update, a collection of recent noteworthy findings from the ThreatConnect Research Team. The items below were created or updated March 24 – April 1, 2021.
This week’s findings include intelligence related to the following threats and/or topics:
- Possible Ghostwriter Infrastructure
- Possible FIN7 Domain
- Suspicious Gmail Spoofing Domains
- Suspicious Yahoo Spoofing Domains
20210329B: Possible Ghostwriter Infrastructure
Hakan Tanriverdi, an investigative journalist at BR Recherche, identified a series of domains related to a phishing campaign targeting various politicians in Germany and Poland that some external researchers have attributed to Ghostwriter. In one identified instance, the actors behind the campaign used the access they had obtained to publish social media messages and damage the victim's public reputation. A review of the identified domains and subdomains also suggests related infrastructure that spoofs military organizations in Poland and Ukraine.
According to an article describing the activity (https://www.tagesschau.de/investigativ/wdr/hackerangriffe-105.html), FireEye is tracking these domains as related to Ghostwriter; however, that association has not yet been formalized in any public reporting from FireEye. At this time, we do not have sufficient insight to assess the extent to which this infrastructure is associated with Ghostwriter.
Reviewing the domains Tanriverdi identified showed consistent use of “OOH” as the registrant organization along with an “RU” or “UA” country code. Only about 33 domains currently use this combination, and we assess that they probably are related to a single actor. Additionally, many of the domains contain a hyphen and use a Cloudflare or Regway name server — further consistencies suggesting a single origin. Notably, in reviewing the Cloudflare name servers, we identified only one reuse of a specific Cloudflare name server combination among the domains, suggesting that the actors largely used different Cloudflare accounts to administer each domain or otherwise actively changed the name servers.
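As an added illustration (not part of ThreatConnect's reporting or tooling), the following Python applies the registration pivots described above to a handful of constructed WHOIS/DNS records and reports which domains cluster and whether any name-server pair is reused. The registrant fields and name-server hostnames are constructed, and the `.regway.com` suffix used to recognize Regway name servers is an assumption.

```python
"""Added example: apply the registration pivots described above (registrant
org "OOH" with RU/UA country code, hyphenated domain, Cloudflare or Regway
name servers) to constructed records and check for name-server pair reuse."""
from collections import Counter

# Constructed sample records; domains are from the roundup, but the registrant
# fields and name-server hostnames are illustrative, not real WHOIS/DNS data.
RECORDS = [
    {"domain": "login-inbox.online", "org": "OOH", "cc": "RU",
     "ns": ("ada.ns.cloudflare.com", "hugh.ns.cloudflare.com")},
    {"domain": "verify-ua.site", "org": "OOH", "cc": "UA",
     "ns": ("ada.ns.cloudflare.com", "hugh.ns.cloudflare.com")},
    {"domain": "ua-passport.online", "org": "OOH", "cc": "UA",
     "ns": ("kim.ns.cloudflare.com", "walt.ns.cloudflare.com")},
    {"domain": "onet-pl.online", "org": "OOH", "cc": "RU",
     "ns": ("ns1.regway.com", "ns2.regway.com")},
    {"domain": "examplecorp.com", "org": "Example Corp", "cc": "US",
     "ns": ("ns1.example.net", "ns2.example.net")},
]

def ns_provider(hostname):
    """Map a name-server hostname to a provider family (suffixes assumed)."""
    host = hostname.lower()
    if host.endswith(".ns.cloudflare.com"):
        return "cloudflare"
    if host.endswith(".regway.com"):
        return "regway"
    return "other"

def pivot_hits(rec):
    """Return the names of the pivots a single record satisfies."""
    hits = []
    if rec["org"] == "OOH" and rec["cc"] in ("RU", "UA"):
        hits.append("registrant OOH with RU/UA country code")
    if "-" in rec["domain"].split(".")[0]:
        hits.append("hyphenated domain string")
    if any(ns_provider(ns) != "other" for ns in rec["ns"]):
        hits.append("Cloudflare or Regway name server")
    return hits

def cluster(records, min_hits=2):
    """Select domains meeting the threshold and count reused NS pairs among them."""
    matched = [r["domain"] for r in records if len(pivot_hits(r)) >= min_hits]
    pairs = Counter(tuple(sorted(r["ns"])) for r in records if r["domain"] in matched)
    return {"matched": matched,
            "reused_ns_pairs": {p: n for p, n in pairs.items() if n > 1}}

if __name__ == "__main__":
    print(cluster(RECORDS))
```

On the constructed input, four domains satisfy all three pivots and exactly one Cloudflare name-server pair is shared by two of them, mirroring the single reuse noted in the text.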
The identified domains include the following:
Notable subdomains include the following:
- dc-f87c0aa063b8.ron-mil-pl[.]space
- dc-d6285ab00b08.ron-mil-pl[.]space
- poczta.ron-mil-pl[.]space
- postmilgov.ua-login[.]site
- fpyfjhostmaster.verify-ua[.]site
20210330A: Gmail Spoofing Domains Using SecureFastServer NS
ThreatConnect Research identified two likely phishing domains — gmail-login-user-intjiifdhsiuhui[.]com and accounts-gmail-login-user-servicelogin[.]com — that were registered in late March 2021 and use Qhoster’s SecureFastServer name server. As of 3/30/21, both domains are hosted on a dedicated server at 86.106.131[.]121 and previously resolved to 45.58.122[.]67.
Several subdomains for the two domains have also resolved to the aforementioned IPs. The identified subdomains include the following:
20210329A: Gmail and Yahoo Spoofing Domains Registered Through Njalla on 3/25/21
ThreatConnect Research identified the Gmail and Yahoo spoofing domains admin-gmall-na-reset[.]click and yahoousersecurity[.]com, which were registered at essentially the same time through Njalla on 3/25/21. The admin-gmall-na-reset[.]click domain previously resolved to a dedicated server at 207.148.10[.]117, while yahoousersecurity[.]com has not resolved to any IP. Both domains are set up to use Protonmail mail servers, suggesting their use in phishing activity.
20210326A: Possible FIN7 Domain foundationious[.]com
ThreatConnect Research identified the possible FIN7 domain foundationious[.]com (195.2.84[.]5), which was registered through NameCheap on 3/22/21. This domain has non-definitive consistencies with previously identified FIN7 infrastructure, including registrar, hosting ISP, Let’s Encrypt SSL certificate, and naming convention. At this time, we have no indication of the extent to which this domain has been used maliciously.