
Fancy Bear Pens the Worst Blog Posts Ever

ThreatConnect reviews continuing Fancy Bear activity targeting citizen journalism organization Bellingcat and identifies a new tactic leveraging Blogspot to mask their credential harvesting links.

Our friends over at Bellingcat, which conducts open source investigations and writes extensively on Russia-related issues, recently shared a new tranche of spear-phishing emails they had received. Spoiler alert: they originated from Fancy Bear actors. Using the ThreatConnect platform we ingested the spear-phishing emails Bellingcat provided, extracted the relevant indicators, and compared them to previously known Fancy Bear activity. It turns out that this campaign is associated with 2016 Fancy Bear activity previously identified by the German Federal Office for the Protection of the Constitution (BfV). More interestingly, however, Fancy Bear employed a new tactic we hadn't previously seen: using Blogspot-hosted URLs in their spear-phishing email messages. The Blogspot page contained a JavaScript window.location redirect that sent the visitor on to a second URL hosted on a dedicated server.

Delivery Stage

The phishing email used to deliver the malicious URLs pretends to be either a password-change notice for the target's Google account or a link to view a folder shared via Dropbox. The collection of indicators related to this campaign has been shared with ThreatConnect's Common Community.

Figure: Example of the Google account themed variant

Figure: Example of the Dropbox themed variant

The phishing email contains a link hosted on Blogspot, such as hxxps://pkfnmugfdsveskjtb[.]blogspot[.]com. The URL also carries a query parameter, "uid", whose value is unique to each phishing email. The full format of the URL is the following:

https?://[a-z0-9]{11,17}\.blogspot\.(?:com|pt)\?uid=[a-z0-9]{10}

Figure: Importing the malicious email into ThreatConnect

Redirect

The Blogspot page contains a small snippet of JavaScript near the top of the source HTML that performs a window.location redirect. An example of this JavaScript is shown below:

Figure: the redirect script from the Blogspot page

The landing page URL in this redirect, hxxps://google[.]com[.]account-password[.]ga/security/signinoptions/password, is hosted on google[.]com[.]account-password[.]ga, which currently resolves to the IP address 80.255.12[.]231. This IP is a dedicated VPS hosted by MonoVM, a company based in Dubai. Honestly, this is quite low-quality content for a blog. Here is some good advice for authoring blog content, and if so inclined, here is a good example to study.
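As an added example (not code from the post or from ThreatConnect), the following Python walks the two stages just described on constructed input: it pulls the stage-one Blogspot lure and its uid out of an email body using the post's URL pattern, then extracts the window.location target from the Blogspot page and flags it as a hop off Blogspot. The email text and page HTML are constructed; the Blogspot host and landing URL are the ones quoted in the post, and the uid value is made up.

```python
import re
from html.parser import HTMLParser

# Stage-one lure URL, per the post's pattern; the "/" before "?uid" is made optional.
BLOGSPOT_URL_RE = re.compile(
    r"https?://([a-z0-9]{11,17})\.blogspot\.(?:com|pt)/?\?uid=([a-z0-9]{10})")
# A JavaScript location assignment inside a <script> block.
REDIRECT_RE = re.compile(
    r"""window\.location(?:\.href)?\s*=\s*['"](https?://[^'"]+)['"]""", re.I)

# Constructed sample email body: the host is the one quoted in the post, the uid is made up.
EMAIL = ("Someone just changed your password. Review your sign-in options: "
         "https://pkfnmugfdsveskjtb.blogspot.com/?uid=a1b2c3d4e5")
# Constructed Blogspot page carrying the redirect to the landing URL named in the post.
PAGE = ('<html><head><script type="text/javascript">window.location = '
        '"https://google.com.account-password.ga/security/signinoptions/password";'
        '</script></head><body></body></html>')

def find_blogspot_lures(email_body):
    """Return (subdomain, uid) pairs for every stage-one lure URL in an email body."""
    return BLOGSPOT_URL_RE.findall(email_body)

class _ScriptCollector(HTMLParser):
    # Collects the text content of every <script> element.
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def find_redirect_target(page_html):
    """Return the first window.location redirect target found in a page, or None."""
    parser = _ScriptCollector()
    parser.feed(page_html)
    for script in parser.scripts:
        m = REDIRECT_RE.search(script)
        if m:
            return m.group(1)
    return None

def is_offsite_redirect(target):
    """True when the redirect leaves Blogspot, i.e. the hop the lure exists to hide."""
    m = re.match(r"https?://([^/?#]+)", target or "")
    return bool(m) and not re.search(r"\.blogspot\.(?:com|pt)$", m.group(1).lower())
```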

Passive DNS Analysis

Using Farsight's passive DNSDB integration in ThreatConnect, we found a number of other similar hostnames resolving to 80.255.12[.]231. One in particular, accounts[.]google[.]com[.]securitymail[.]gq, stands out from the rest. The base domain of this host, securitymail[.]gq, has a previous resolution to IP 95.153.32[.]52. This IP address is a broadband connection located in Estonia on TELE2's network that was also used to host the domain smtprelayhost[.]com from December 2015 to December 2016. That window overlaps with March 2016, when securitymail[.]gq resolved to the same broadband IP address. In case you may have missed it, smtprelayhost[.]com is called out as Fancy Bear infrastructure in BfV Cyber-Brief Nr. 01/2016.
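The passive DNS pivot above, shared IP during overlapping resolution windows plus the subdomain-to-base-domain step, as an added Python example that is not the post's own tooling. The records are constructed to mirror the chain the post describes: the 2016 windows are those the post states, while the 2017 windows and the unrelated host are made up.

```python
from collections import deque
from datetime import date

# Constructed passive DNS records mirroring the pivot chain in the post:
# (hostname, ip, first_seen, last_seen). The 2016 windows are those the post states;
# the 2017 windows and the unrelated host are made up.
PDNS = [
    ("google.com.account-password.ga", "80.255.12.231", date(2017, 10, 20), date(2017, 10, 31)),
    ("accounts.google.com.securitymail.gq", "80.255.12.231", date(2017, 10, 18), date(2017, 10, 31)),
    ("securitymail.gq", "95.153.32.52", date(2016, 3, 1), date(2016, 3, 31)),
    ("smtprelayhost.com", "95.153.32.52", date(2015, 12, 1), date(2016, 12, 31)),
    ("unrelated.example", "95.153.32.52", date(2017, 6, 1), date(2017, 6, 30)),
]

def base_domain(host):
    """Naive registrable-domain heuristic (last two labels); adequate for .ga/.gq/.com."""
    return ".".join(host.split(".")[-2:])

def overlaps(r, s):
    """True when two records' resolution windows share at least one day."""
    return r[2] <= s[3] and s[2] <= r[3]

def neighbours(records, host):
    """Hosts linked to `host`: same IP during overlapping time, or same base domain."""
    links = {}
    for r in (x for x in records if x[0] == host):
        for s in (x for x in records if x[0] != host):
            if s[1] == r[1] and overlaps(r, s):
                links[s[0]] = "shared %s %s..%s" % (r[1], max(r[2], s[2]), min(r[3], s[3]))
            elif base_domain(s[0]) == base_domain(host):
                links[s[0]] = "shared base domain " + base_domain(host)
    return links

def pivot(records, start, known_bad):
    """Breadth-first walk over infrastructure links from `start`.
    Returns ({host: how it was reached}, sorted list of known-bad hosts reached)."""
    seen, queue = {start: "start"}, deque([start])
    while queue:
        for host, why in neighbours(records, queue.popleft()).items():
            if host not in seen:
                seen[host] = why
                queue.append(host)
    return seen, sorted(set(seen) & set(known_bad))
```

The `known_bad` set is where a previously attributed indicator, such as the domain named in the BfV brief, goes; a non-empty second return value is the overlap worth writing up.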

Figure: Screenshot showing passive DNS overlap

Figure: Overview of the phishing campaign, highlighting infrastructure overlap

Bedecked in Blogspot

The use of Blogspot URLs has similarities with the notional tactics identified in a September Salon article on Fancy Bear leveraging Google's Accelerated Mobile Pages (AMP) to create URLs for their credential harvesting pages. Doing so likely allowed some Fancy Bear spear-phishing messages to avoid security filters that would have otherwise identified the malicious URLs. In this same way, a URL hosted on Google's own systems, in this case Blogspot, may be more likely to get past spam filters than URLs hosted on a third party IP address or hostname.

 

Exploiting Their Behavior

Several of the domains that host the credential harvesting pages identified above use .ga or .gq top level domains (TLDs) and were registered through Freenom. This reminded us of Fancy Bear's .ga Freenom infrastructure that they also employed against Bellingcat in October 2016. Looking closer at the domains identified in their recent attacks using our DomainTools Spaces App, we see that most of the domains were registered in the last three months.

Figure: ThreatConnect's DomainTools Spaces App results for account-password[.]ga and passwordreset[.]gq

 

What's more, the use of strings like "security," "login," "password," and "files" is another component of the registration tactics they are employing, and one we may be able to exploit. To that end, we decided to take a look at other domains that were registered through Freenom since July 2017 and contained one of those strings.

 

Using DomainTools Iris, we conducted a search for any domains that use a Freenom name server, use a .ga or .gq TLD, and contained one of the four strings previously mentioned.

Figure: DomainTools Iris query for Freenom domains.

 

Unfortunately, WHOIS records for Freenom-registered domains don't capture the create date showing when the domain was registered. Instead, we reviewed the WHOIS history for each of the domains returned by the Iris query and took the earliest available record as the registration date. The following domains were the result of that research:
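The hunt just described, as added Python that is not the post's or DomainTools' code: filter candidates by Freenom name server, .ga/.gq TLD and the four keywords, then use the earliest WHOIS-history record as a stand-in for the missing create date. The candidate records are constructed; the first two domain names appear in the post, every date is made up, and the name-server hostnames are assumed for illustration.

```python
from datetime import date

KEYWORDS = ("security", "login", "password", "files")
TLDS = ("ga", "gq")
SINCE = date(2017, 7, 1)  # "registered since July 2017"

# Constructed candidate records: domain, name servers, dated WHOIS-history snapshots.
# The first two domain names appear in the post; every date here is made up.
CANDIDATES = [
    {"domain": "account-password.ga", "ns": ["ns01.freenom.com", "ns02.freenom.com"],
     "whois_history": [date(2017, 10, 2), date(2017, 9, 14)]},
    {"domain": "passwordreset.gq", "ns": ["ns03.freenom.com"],
     "whois_history": [date(2017, 8, 30)]},
    {"domain": "oldsecurity-demo.ga", "ns": ["ns01.freenom.com"],
     "whois_history": [date(2017, 9, 1), date(2016, 2, 11)]},   # predates the cut-off
    {"domain": "login-demo.com", "ns": ["ns01.freenom.com"],
     "whois_history": [date(2017, 8, 1)]},                       # wrong TLD
    {"domain": "weather-files.ga", "ns": ["ns1.dns-demo.net"],
     "whois_history": [date(2017, 9, 9)]},                       # not on Freenom name servers
    {"domain": "newsecurity.gq", "ns": ["ns02.freenom.com"],
     "whois_history": []},                                       # no history: cannot date it
]

def matches_hunt(rec):
    """The Iris filter from the post: Freenom NS, .ga/.gq TLD, one of the four keywords."""
    name = rec["domain"].lower()
    tld = name.rsplit(".", 1)[-1]
    on_freenom = any("freenom" in ns.lower() for ns in rec["ns"])
    return tld in TLDS and on_freenom and any(k in name for k in KEYWORDS)

def estimated_registration(rec):
    """Freenom WHOIS has no create date, so use the earliest historical record as a floor."""
    history = rec["whois_history"]
    return min(history) if history else None

def hunt(records, since=SINCE):
    """Return sorted (domain, estimated registration date) pairs for hits on/after `since`."""
    hits = []
    for rec in records:
        if not matches_hunt(rec):
            continue
        reg = estimated_registration(rec)
        if reg is not None and reg >= since:
            hits.append((rec["domain"], reg))
    return sorted(hits)
```

Because the earliest snapshot is only a lower bound on age, a domain whose first record is after the cut-off may still have been registered before it; that is why the post treats the resulting list as similar to, not attributable to, Fancy Bear infrastructure.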


While not definitively attributable to Fancy Bear, given some consistencies with their identified infrastructure, organizations that are concerned about Fancy Bear activity should thoroughly scrutinize any network activity identified with these domains. These domains have been shared in the ThreatConnect platform in Incident 20171031A: Additional .ga and .gq Freenom Infrastructure Similar to Fancy Bear's.

Bear with a Bone

At this point, this Russian advanced persistent threat (APT) has consistently targeted Bellingcat for at least two-and-a-half years, ever since the first identified activity in February 2015. Whatever your organization's biggest threat is, we'd argue that understanding their tactics and defending against and exploiting those tactics is the pinnacle of incorporating threat intelligence into your defenses. From our ThreatConnect Intelligence source to our extensive integrations, the ThreatConnect Platform enables organizations to not only identify their relevant threats, but proactively capitalize on their known tactics and automagically incorporate that intelligence into their defenses. In this case, we used the ThreatConnect platform to understand how an attack attempted to compromise an organization, connect information from that attack to a previous one, attribute the activity, and memorialize intelligence derived from the operation.

ABOUT THE AUTHOR

The ThreatConnect Research Team is an elite group of globally acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we've learned so that you can protect your organization, and your team can take precise action against threats.