Request a Demo

Research Roundup: Recent Probable Charming Kitten Infrastructure

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account.

In this edition, we cover:

  • APT35 / Charming Kitten / Phosphorus
  • Mustang Panda PlugX
  • TAIDOOR
  • Emotet
  • WastedLocker
  • WordPress Vulnerabilities

 

Roundup Highlight: Recent Probable Charming Kitten Infrastructure

20200803B: Microsoft Phosphorus Sinkhole Domain Siblings

 

Our highlight in this Roundup is Incident 20200803B: Microsoft Phosphorus Sinkhole Domain Siblings. ThreatConnect Research reviewed the following domains (and the notable IPs that previously hosted them) that began resolving to Microsoft’s Phosphorus sinkhole in late July 2020:

googel.email

app-view-support.club (5.9.162.156)

g-shorturl.com

on-dr.com

mailerdaemon.me (138.201.102.239)

mail-instgram.com (51.91.200.193)

verifychecking.com (148.251.85.50)

support-myservice.com (148.251.85.50)

cmailco.xyz (148.251.85.50)

We identified several additional domains that probably are related to Phosphorus / APT35 / Charming Kitten based on co-locations with the aforementioned domains on likely dedicated servers. The relevant IPs, the additional domains, and other notable IPs hosting those domains include the following:

148.251.85.50

email-checker.xyz

5.9.162.156

view-external-page.best (5.9.162.157, 88.99.10.237, 88.99.10.236, 88.99.10.235)

support-following-page.club

support-viewing-page.club

page-support-view.club

name-file-support.best (5.9.162.157)

Finally, we reviewed those additional, likely dedicated IPs identified from the hosting history for the co-located domains. This identified another set of domains that probably are associated with Phosphorus based on those co-locations and naming convention reuse:

88.99.10.237

reload-cover-page.live

reload-page-cover.site

88.99.10.236

cover-home-page.site

control-user-activity.club

view-control-page.club

preview-control-support.club

control-view-sharing.club

88.99.10.235

view-control-support.club

view-panel-control.club

fatservice.site (prev 51.89.156.7)

5.9.162.157

verify-identity-service.best

 

ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

 

 

To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.

About the Author

ThreatConnect

By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at www.threatconnect.com.