ThreatConnect reviews continuing Fancy Bear activity targeting citizen journalism organization Bellingcat and identifies a new tactic leveraging Blogspot to mask their credential harvesting links.
Our friends over at Bellingcat, which conducts open source investigations and writes extensively on Russia-related issues, recently shared a new tranche of spear-phishing emails they had received. Spoiler alert: they originated from Fancy Bear actors. Using the ThreatConnect platform we ingested the spear-phishing emails Bellingcat provided, processed out the relevant indicators, and compared them to previously known Fancy Bear activity. It turns out that this campaign had an association with 2016 Fancy Bear activity previously identified by the German Federal Office for the Protection of the Constitution (BfV). More interestingly, however, Fancy Bear employed a new tactic we hadn’t previously seen: using Blogspot-hosted URLs in their spear-phishing email messages. The Blogspot page contained a JavaScript window location redirect that sent the visitor to a second URL hosted on a dedicated server.
Delivery Stage
The phishing email used to deliver the malicious URLs pretends to be a password change notice for the target’s Google account or a link to view a folder shared via Dropbox. The collection of indicators related to this campaign has been shared with ThreatConnect’s Common Community here.
Example of the Google account themed variant
Example of the Dropbox themed variant
The phishing email contains a link hosted on Blogspot such as this: hxxps://pkfnmugfdsveskjtb[.]blogspot[.]com. This URL also contains a query parameter, “uid”, that is unique per phishing email. The full format for the URL, expressed as a regular expression (with the dot and question-mark metacharacters escaped), is the following:
https?://[a-z0-9]{11,17}\.blogspot\.(?:com|pt)\?uid=[a-z0-9]{10}
Importing the malicious email into ThreatConnect
Redirect
The Blogspot page contains a small snippet of JavaScript near the top of the HTML source that performs a window location redirect. An example of this JavaScript is:
The landing page URL in this redirect, hxxps://google[.]com[.]account-password[.]ga/security/signinoptions/password, is hosted on google[.]com[.]account-password[.]ga, which currently resolves to the IP address 80.255.12[.]231. This IP is a dedicated VPS hosted by MonoVM, a company based in Dubai.
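The two checks a mail or proxy defender would want from the delivery and redirect stages are (1) does a link match the Blogspot lure shape above, and (2) where does the fetched page send the visitor via a JavaScript location redirect. The following is an added example and not code from the original post or from ThreatConnect; it assumes an optional “/” before the query string (not in the post’s pattern), the sample page shell is constructed (only the redirect target is the landing URL named above), and the `uid` value in the sample URL is made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# URL shape from the post, with regex metacharacters escaped. The optional "/"
# before the query string is an assumption added here, not part of the post.
BLOGSPOT_LURE = re.compile(
    r"^https?://[a-z0-9]{11,17}\.blogspot\.(?:com|pt)/?\?uid=[a-z0-9]{10}$"
)

# Common spellings of a JavaScript location redirect inside a <script> block.
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|(?:window\.|document\.)?location\.(?:replace|assign)\(\s*["']([^"']+)["']\s*\)"""
)


def is_blogspot_lure(url):
    """True when the URL matches the per-recipient Blogspot lure pattern."""
    return BLOGSPOT_LURE.match(url) is not None


def lure_uid(url):
    """Per-recipient 'uid' value, useful for tying a click back to one phishing email."""
    if not is_blogspot_lure(url):
        return None
    return parse_qs(urlparse(url).query).get("uid", [None])[0]


class _ScriptCollector(HTMLParser):
    """Collects the full text of every <script> element."""

    def __init__(self):
        super().__init__()
        self._buf = None
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def extract_js_redirects(html):
    """Return every URL a <script> block sends the visitor to via location."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    targets = []
    for body in parser.scripts:
        for m in JS_REDIRECT.finditer(body):
            targets.append(m.group(1) or m.group(2))
    return targets


def triage(url, page_html):
    """Combine both checks for one link: lure shape, uid, and redirect destinations."""
    return {"lure": is_blogspot_lure(url),
            "uid": lure_uid(url),
            "redirects_to": extract_js_redirects(page_html)}


# Constructed Blogspot page shell; the redirect target is the landing URL from the post.
SAMPLE_HTML = """<html><head><title>Untitled</title>
<script type="text/javascript">
  window.location = "https://google.com.account-password.ga/security/signinoptions/password";
</script>
</head><body></body></html>"""

# Hostname from the post; the uid value is constructed.
SAMPLE_URL = "https://pkfnmugfdsveskjtb.blogspot.com?uid=a1b2c3d4e5"

if __name__ == "__main__":
    print(triage(SAMPLE_URL, SAMPLE_HTML))
```

Because the redirect is client-side, a URL filter that only inspects the Blogspot link sees a benign Google-owned host; fetching the page in a sandbox and running `extract_js_redirects` over it surfaces the actual credential-harvesting destination, which is the indicator worth blocking.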
Passive DNS Analysis
Using Farsight’s passive DNSDB integration in ThreatConnect, a number of other similar hostnames were found resolving to 80.255.12[.]231. One in particular, accounts[.]google[.]com[.]securitymail[.]gq, stands out from the rest. The base domain of this host, securitymail[.]gq, has a previous resolution to IP 95.153.32[.]52. This IP address is a broadband connection located in Estonia on TELE2’s network that was also used to host the domain smtprelayhost[.]com from December 2015 to December 2016. This overlaps with the time that securitymail[.]gq resolved to the same broadband IP address in March 2016. In case you may have missed it, smtprelayhost[.]com is called out as being Fancy Bear infrastructure in BfV Cyber-Brief Nr. 01/2016.
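The pivot described above is a chain: seed IP, to the hostnames resolving there, to each hostname’s base domain, to the other IPs that base domain has resolved to, and finally a check for hostnames whose resolution window on one of those IPs overlapped in time with known Fancy Bear infrastructure. The following is an added example, not code from the original post or from ThreatConnect or Farsight. The resolution records are constructed from the month-level dates in the post (exact first/last-seen days are made up) and include one decoy host on the `.example` TLD; in a real investigation the records would come from the passive DNS provider.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from itertools import combinations


@dataclass(frozen=True)
class Resolution:
    name: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed passive DNS records based on the post's narrative; day-level
# dates are assumptions, and "decoy.example" is a filler host with no overlap.
RECORDS = [
    Resolution("google.com.account-password.ga", "80.255.12.231", date(2017, 9, 1), date(2017, 10, 31)),
    Resolution("accounts.google.com.securitymail.gq", "80.255.12.231", date(2017, 8, 1), date(2017, 10, 31)),
    Resolution("securitymail.gq", "95.153.32.52", date(2016, 3, 1), date(2016, 3, 31)),
    Resolution("smtprelayhost.com", "95.153.32.52", date(2015, 12, 1), date(2016, 12, 31)),
    Resolution("decoy.example", "95.153.32.52", date(2017, 5, 1), date(2017, 6, 1)),
]

# Hostnames previously reported as Fancy Bear infrastructure (smtprelayhost.com
# per BfV Cyber-Brief Nr. 01/2016, as cited in the post).
KNOWN_BAD = {"smtprelayhost.com"}


def names_on_ip(records, ip):
    """All hostnames seen resolving to an IP (the first pivot)."""
    return sorted({r.name for r in records if r.ip == ip})


def base_domain(name):
    """Naive registrable domain: last two labels. Good enough for .ga/.gq/.com here."""
    return ".".join(name.split(".")[-2:])


def ips_for_base_domain(records, base):
    """Every IP any hostname under the base domain has resolved to."""
    return sorted({r.ip for r in records if base_domain(r.name) == base})


def overlapping_with_known(records, known_bad):
    """(new_name, known_name, ip, overlap_start, overlap_end) for every pair of
    resolutions on the same IP whose windows overlap and where exactly one side
    is already known-bad. That temporal co-hosting is the post's linking evidence."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r.ip].append(r)
    hits = []
    for ip, rs in by_ip.items():
        for a, b in combinations(rs, 2):
            start = max(a.first_seen, b.first_seen)
            end = min(a.last_seen, b.last_seen)
            if start > end:
                continue  # windows do not overlap
            a_bad, b_bad = a.name in known_bad, b.name in known_bad
            if a_bad == b_bad:
                continue  # both known or both unknown: nothing new is learned
            new, known = (b, a) if a_bad else (a, b)
            hits.append((new.name, known.name, ip, start, end))
    return sorted(hits)


def pivot(records, seed_ip, known_bad):
    """Walk the chain IP -> hostnames -> base domains -> other IPs -> overlaps."""
    report = {}
    for name in names_on_ip(records, seed_ip):
        base = base_domain(name)
        other_ips = [ip for ip in ips_for_base_domain(records, base) if ip != seed_ip]
        report[name] = {
            "base_domain": base,
            "other_ips": other_ips,
            "overlaps": [h for h in overlapping_with_known(records, known_bad) if h[2] in other_ips],
        }
    return report


if __name__ == "__main__":
    for host, info in pivot(RECORDS, "80.255.12.231", KNOWN_BAD).items():
        print(host, "->", info)
```

Run against these records, only `accounts.google.com.securitymail.gq` leads anywhere: its base domain previously sat on 95.153.32.52 while `smtprelayhost.com` was also there, which is exactly the overlap the post uses to connect the new campaign to the 2016 BfV reporting. The decoy shows that sharing an IP is not enough; the windows must overlap.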
Screenshot showing passive DNS overlap
Overview of the phishing campaign – highlighting infrastructure overlap
Bedecked in Blogspot
The use of Blogspot URLs has similarities with the notional tactics identified in a September Salon article on Fancy Bear leveraging Google’s Accelerated Mobile Pages (AMP) to create URLs for their credential harvesting pages. Doing so likely allowed some Fancy Bear spear-phishing messages to avoid security filters that would have otherwise identified the malicious URLs. In this same way, a URL hosted on Google’s own systems, in this case Blogspot, may be more likely to get past spam filters than URLs hosted on a third party IP address or hostname.
Exploiting Their Behavior
Several of the domains that host the credential harvesting pages identified above use .ga or .gq top level domains (TLDs) and were registered through Freenom. This reminded us of Fancy Bear’s .ga Freenom infrastructure that they also employed against Bellingcat in October 2016. Looking closer at the domains identified in their recent attacks using our DomainTools Spaces App, we see that most of the domains were registered in the last three months.
ThreatConnect’s DomainTools Spaces App results for account-password[.]ga and passwordreset[.]gq
What’s more, the use of strings like “security,” “login,” “password,” and “files” is another component of the registration tactics that they are employing and that we may potentially be able to exploit. To that end, we decided to take a look at other domains that were registered using Freenom since July 2017 and contained one of those strings.
Using DomainTools Iris, we conducted a search for any domains that use a Freenom name server, use a .ga or .gq TLD, and contained one of the four strings previously mentioned.
DomainTools Iris query for Freenom domains.
Unfortunately, WHOIS records for Freenom-registered domains don’t capture the create date showing when the domain was registered. From there, we reviewed the WHOIS history for each of the domains returned from the Iris query to identify when it was registered based on the earliest available record. The following domains were the result of that research:
access-apple-login-account[.]gq
account-activity-verification-login[.]ga
account-verify-comfirmation-info-login[.]ga
account-verify-comfirmation-info-login[.]gq
accountlogin-inc[.]ga
accountverify-disableinfo-login[.]gq
alert-new-login-com[.]ga
apple-realertlogin[.]gq
appleid-login-appleid[.]ga
appleid-manageaccountloginupdated[.]ga
appleidcustomer-servicess-com-loginaccount[.]ga
appleidcustomer-servicess-com-loginaccount[.]gq
browsersecurity[.]ga
change-password[.]gq
cleantarea-customerlogin-com[.]ga
clientareasecurity1[.]gq
clientareasecurity4[.]gq
com-recoverylogin[.]gq
com-supportlogin-adminverification[.]ga
darksecurity[.]ga
dns-sec-login-apple-invoice-confirmations[.]ga
dns-webapps-login-account-secure-servers[.]ga
documentation[.]gq
documentshandler[.]ga
emailloginerror[.]gq
facebook-login-page[.]gq
failure-login[.]ga
fileshelp[.]ga
fileshelp[.]gq
fileshelpprotut[.]ga
fileshelpprotut[.]gq
filestore[.]gq
goldsecurity[.]ga
info-apple-login-security[.]gq
jp-login[.]gq
locked-service-security[.]ga
login-bancochile-cl[.]ga
login-pap-web-access[.]ga
login-recovery[.]gq
login-sec-apple-secure-account-updated[.]ga
login-secure1-mobile[.]ga
login-unlock-account[.]ga
login-update-unlock[.]gq
loginapps-info[.]ga
loginpaypaas-securityuserid[.]ga
loginservice-maintanceserversecurity[.]gq
manage-login[.]gq
manage-logins[.]gq
mod-files[.]ga
mydocuments[.]gq
newaction-loginactivituresource[.]ga
newfiles[.]ga
ns-secures-login-accountjp-updates-community[.]gq
nursingdocumentation[.]gq
ourfiles[.]ga
pdf-document[.]ga
protector-files[.]ga
recoverylogin-access[.]ga
reset-password-com[.]ga
restore-login-account[.]gq
review-quilogin[.]ga
secure-bankofamerica–login-com[.]ga
secure-bankofamerica–login-com[.]gq
secure-login-helpid-locked[.]gq
secure-management-login-account-index-webpass[.]gq
secure-mobile-login1[.]gq
secure1-client-login[.]ga
secure1-client-login[.]gq
secure1-login-apps[.]gq
secure5647login-com[.]ga
security-login-information[.]gq
securitycenter[.]ga
service-account-home-login[.]gq
service-autoreset-password-youraccount[.]ga
service-login-apple-verify-account-locked[.]gq
servicelogin-access-failed[.]gq
services-loginaccount[.]ga
sharefiles[.]gq
signin-login-php[.]ga
srilankadocuments[.]ga
statement-login-update-info[.]ga
summary-loginconfirmation[.]ga
unsecured-login-attempt[.]ga
verify-login-account-iinformation[.]ga
verify-login-account-iinformation[.]gq
welcome-apple-protectyourpassword[.]gq
www-logined-apple-authsecure[.]ga
While not definitively attributable to Fancy Bear, given some consistencies with their identified infrastructure, organizations that are concerned about Fancy Bear activity should thoroughly scrutinize any network activity identified with these domains. These domains have been shared in the ThreatConnect platform in Incident 20171031A: Additional .ga and .gq Freenom Infrastructure Similar to Fancy Bear’s.
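The hunt described in this section is a filter over three registration-tactic features (Freenom name servers, a .ga or .gq TLD, and one of the four strings in the name) followed by a registration-date cutoff derived from the earliest WHOIS history record, since Freenom WHOIS lacks a create date. The following is an added example, not code from the original post, ThreatConnect or DomainTools; the candidate set is constructed (three names are taken from the post’s result list, the name servers and WHOIS dates are made up, and the remaining entries are decoys on the `.example` TLD or outside the window), and it assumes Freenom name servers live under the `freenom.com` suffix.

```python
from datetime import date

# Registration tactic described in the post.
KEYWORDS = ("security", "login", "password", "files")
TLDS = (".ga", ".gq")
SINCE = date(2017, 7, 1)
# Assumption: Freenom's name servers share this suffix.
FREENOM_NS_SUFFIX = ".freenom.com"

# Constructed candidate set. change-password.gq, securitycenter.ga and
# mod-files.ga appear in the post's result list; name servers and WHOIS dates
# are made up; the other three entries are decoys that should be filtered out.
CANDIDATES = [
    {"name": "change-password.gq", "ns": ["ns01.freenom.com", "ns02.freenom.com"],
     "whois_history": [date(2017, 10, 2), date(2017, 9, 14)]},
    {"name": "securitycenter.ga", "ns": ["ns01.freenom.com"],
     "whois_history": [date(2017, 8, 20)]},
    {"name": "mod-files.ga", "ns": ["ns03.freenom.com"],
     "whois_history": [date(2017, 7, 30), date(2017, 10, 1)]},
    {"name": "old-login-page.gq", "ns": ["ns01.freenom.com"],
     "whois_history": [date(2016, 2, 11), date(2017, 8, 1)]},  # registered before the window
    {"name": "weather-blog.ga", "ns": ["ns01.freenom.com"],
     "whois_history": [date(2017, 9, 1)]},                      # no tactic keyword
    {"name": "login-portal.example", "ns": ["ns1.example"],
     "whois_history": [date(2017, 9, 1)]},                      # not Freenom, wrong TLD
]


def uses_freenom(name_servers):
    """True when any name server is under the assumed Freenom suffix."""
    return any(ns.lower().endswith(FREENOM_NS_SUFFIX) for ns in name_servers)


def matches_naming_tactic(name):
    """Domain is on .ga/.gq and contains one of the four tactic strings."""
    n = name.lower()
    return n.endswith(TLDS) and any(k in n for k in KEYWORDS)


def earliest_record(history):
    """Proxy for registration time: the earliest WHOIS history record, since
    Freenom WHOIS does not carry a create date."""
    return min(history) if history else None


def hunt(candidates, since=SINCE):
    """Return [(name, earliest_record)] for candidates matching the tactic and
    first seen on or after the cutoff, newest first."""
    hits = []
    for c in candidates:
        if not (uses_freenom(c["ns"]) and matches_naming_tactic(c["name"])):
            continue
        first = earliest_record(c["whois_history"])
        if first is None or first < since:
            continue
        hits.append((c["name"], first))
    return sorted(hits, key=lambda h: (h[1], h[0]), reverse=True)


def to_defanged(hits):
    """Defang hostnames for sharing in reports, as the post does with [.]."""
    return [name.replace(".", "[.]") for name, _ in hits]


if __name__ == "__main__":
    for name, first in hunt(CANDIDATES):
        print(first.isoformat(), name.replace(".", "[.]"))
```

The output is a watchlist, not an attribution: as the post says, a hit on these features warrants scrutiny of any network activity involving the domain, and the earliest-record date is an upper bound on the registration time, so a domain whose history only begins after the cutoff may still have been registered earlier.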
Bear with a Bone
At this point, this Russian advanced persistent threat (APT) has consistently targeted Bellingcat for at least two-and-a-half years, ever since the first identified activity in February 2015. Whatever your organization’s biggest threat is, we’d argue that understanding their tactics and defending against and exploiting those tactics is the pinnacle of incorporating threat intelligence into your defenses. From our ThreatConnect Intelligence source to our extensive integrations, the ThreatConnect Platform enables organizations to not only identify their relevant threats, but proactively capitalize on their known tactics and automagically incorporate that intelligence into their defenses. In this case, we used the ThreatConnect platform to understand how an attack attempted to compromise an organization, connect information from that attack to a previous one, attribute the activity, and memorialize intelligence derived from the operation.