Research Roundup: Suspicious Domain Redirects to Google Account Security Page

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account.

In this edition, we cover:

• Suspicious Redirect to Google Account Security
• APT33 / Elfin / Refined Kitten
• Mustang Panda PlugX
• RedDelta PlugX
• Operation PowerFall
• Emotet
• SBA Loan Relief Phishing

Roundup Highlight: Suspicious Domain Redirects to Google Account Security Page

Our highlight in this Roundup is Incident 20200811B: Suspicious Domain safe-redirecting[.]com Redirects to Google Account Security. ThreatConnect Research identified the suspicious domain safe-redirecting[.]com (188.214.30[.]39), which was registered through THCservers on March 3 2020 using little.steve@gmx[.]com. Two other domains — domain-checking[.]com and forward3r[.]com (both hosted at 173.44.42[.]131) — were registered through THCservers using little.steve@gmx[.]com.

The safe-redirecting[.]com domain first began resolving to 188.214.30[.]39 around August 9 2020. That IP hosts also domains registered through THCservers using jackjacko@tutamail[.]com that were detailed in Incident 20200623A: Spoofed Google Support Domain Registered Using jackjacko@tutamail[.]com.

Similar to the googlesupporting[.]com identified in the above incident, per urlscan.io, safe-redirecting[.]com redirects to a Google Account Security URL (shown above). At this time, we don’t have any additional information on the extent to which, if any, this infrastructure has been used maliciously.

ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

• 20200806A: File Matching YARA Rule Associated to Mustang Panda PlugX ThreatConnect Research identified a file via a YARA rule as a Mustang Panda PlugX binary and extracted the C2 locations in the embedded configuration.
• 20200807A: Previous APT33 Domain service-norton[.]com Hosted at 193.34.167[.]96 A domain previously identified in a Trend Micro report on APT33 (https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/) is now hosted on a probable dedicated server.
• 20200812A: Possible APT33 Domain relaxingsports[.]com ThreatConnect Research identified a possible APT33 / Elfin / Refined Kitten domain which was registered on August 4 2020. As of August 11 2020, this domain is hosted on a probable dedicated server.
• 20200812B: Additional Infrastructure Possibly Related to Operation PowerFall ThreatConnect Research reviewed the infrastructure identified in Kaspersky’s Operation PowerFall report and identified three additional domains that are possibly associated with this activity.
• 20200812D: File Matching YARA Rule Associated to RedDelta PlugX ThreatConnect Research identified a file via a YARA rule as a RedDelta PlugX binary and extracted the C2 locations in the embedded configuration.

Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

• Daily Emotet IoCs and Notes for 08/05/20 (Source: https://paste.cryptolaemus.com/emotet/2020/08/05/emotet-malware-IoCs_08-05-20.html)
• Daily Emotet IoCs and Notes for 08/06/20 (Source: https://paste.cryptolaemus.com/emotet/2020/08/06/emotet-malware-IoCs_08-06-20.html)
• Threat Roundup for July 31 to August 7 (Source: https://blog.talosintelligence.com/2020/08/tru-0731-0807.html)
• Scanning Activity Include Netcat Listener, (Sat, Aug 8th) (Source: https://isc.sans.edu/diary/rss/26442)
• Weekend Emotet IoCs and Notes for 08/07/20-08/09/20 (Source: https://paste.cryptolaemus.com/emotet/2020/08/09/09-emotet-malware-IoCs_08-07-09-20.html)
• Daily Emotet IoCs and Notes for 08/10/20 (Source: https://paste.cryptolaemus.com/emotet/2020/08/10/emotet-malware-IoCs_08-10-20.html)
• Daily Emotet IoCs and Notes for 08/11/20 (Source: https://paste.cryptolaemus.com/emotet/2020/08/11/emotet-malware-IoCs_08-11-20.html)
• CISA alerts of phishing attack targeting SBA loan relief accounts (Source: https://www.bleepingcomputer.com/news/security/cisa-alerts-of-phishing-attack-targeting-sba-loan-relief-accounts/)