Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).
Note: Viewing the pages linked in this blog post requires a ThreatConnect account.
In this edition, we cover:
- Fancy Bear / APT28 / Strontium
- Suspicious Domains with Server, Cloud, Player, Time
- Possible Information Operations “News” Domains For Various Countries
- North Korea
- COVID-19 Loan Relief Spoof
Roundup Highlight: Suspicious Infrastructure on ASN Related to FBI / NSA Report on Drovorub Malware
Our highlight in this Roundup is Incident 20200813A: Suspicious Infrastructure on ASN Related to FBI / NSA Report on Drovorub Malware. ThreatConnect Research reviewed the IPs — 82.118.242[.]171 and 185.86.149[.]125 — detailed in the joint FBI / NSA report on Russian GRU 85th GTsSS’ (Fancy Bear / APT28 / Strontium) previously undisclosed Drovorub malware. The 185.86.149[.]125 address previously hosted the Njalla-registered domain ignitereatlime[.]org during the relevant timeframe (April 2019) stated in the report.
Fewer than 20 domains were registered through Njalla and are currently hosted in the same ASN (52173) of which 185.86.149[.]125 is a part. Notable domains include sportever[.]org (X-Agent, 185.86.150[.]205), ciscosupports[.]com (185.82.126[.]98), travelerupdate[.]com (185.86.149[.]143), and wwwco4testmcsoft[.]com (185.82.126[.]210).
Reviewing the ASN for domains registered through other resellers Fancy Bear has previously used, such as NewLovingDomains and ITitch, we identify about 36 total domains. Notable results include fastfilmsbucket[.]com (marco_knight@protonmail[.]com, 185.86.150[.]91), logisticamazon[.]org (melangeur1923@inbox[.]lv, 185.82.126[.]180), and edgedns[.]info (caban2009@clovermail[.]net, 185.82.126[.]180).
Beyond those domains already attributed to Fancy Bear, at this time we don’t have any additional insight into whether the domains are related to the Drovorub malware or Fancy Bear in general; however, they merit additional scrutiny given those non-unique registration and hosting consistencies.
ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.
- 20200825A: Suspicious “Server,” “Cloud,” “Player,” and “Time” Domains Registered Through THCservers: ThreatConnect Research identified two sets of suspicious infrastructure registered through THCservers in June and July 2020 that are probably associated with a single actor. The identified domains were registered using two different Protonmail email addresses and have been hosted on various probable dedicated servers.
- 20200826A: Taiwan and China “News” Sites Registered Through Njalla: External researchers Joe Slowik (@jfslowik) and Taylor Staunton (@Taylor_Signals), along with ThreatConnect Research, identified a set of over 40 Taiwan and China-themed “news” domains that were registered through Njalla on August 19, 2020. The identified domains are part of a series of ongoing “news” site registrations focusing on various countries that may be part of a larger information operation. The Campaign Possible Information Operations “News” Domains For Various Countries (below) and its associated Incidents capture the findings.
- Possible Information Operations “News” Domains For Various Countries: ThreatConnect Research and various external researchers have identified several sets of related “news” domains that were registered in batches through Njalla and other resellers. Given the magnitude and breadth of the identified domains, they may be part of an information operation; however, at this time we do not have any information indicating the sites have pushed misinformation, disinformation, or coordinated content.
Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated with one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).
- Daily Emotet IoCs and Notes for 08/24/20 (Source: https://paste.cryptolaemus.com/emotet/2020/08/24/emotet-malware-IoCs_08-24-20.html)
- AR20-232A: MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN (Source: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a)
- AA20-225A: Malicious Cyber Actor Spoofing COVID-19 Loan Relief Webpage via Phishing Emails (Source: https://us-cert.cisa.gov/ncas/alerts/aa20-225a)
To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.