ThreatConnect Research Roundup: Belarus, Ecuador, and Russia "News" Sites

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.

Roundup Highlight: Belarus, Ecuador, and Russia “News” Sites

Screenshot of a “news” site identified in 20201005A: Ecuador, Russia, and Belarus “News” Sites Registered Through Njalla

Our highlight in this Roundup is Incident 20201005A: Ecuador, Russia, and Belarus “News” Sites Registered Through Njalla. ThreatConnect Research and external researcher Taylor Staunton (@Taylor_Signals) identified two sets of Ecuador- and Russia-themed “news” domains that most likely are associated with an ongoing series of news site registrations focusing on various countries, which may be part of a larger information operation. Both sets of domains were registered in early September 2020 through Njalla and began resolving to a probable dedicated server at OVH IP 51.210.1.17 in early October 2020.

Ecuador

The Ecuador-focused domains were registered through Njalla on September 1, 2020 and include the following domains resolving at the time of analysis:

Related but not resolving at the time of analysis:

Russia and Belarus

The predominantly Russia-focused domains were registered through Njalla on September 2, 2020 and include the following domains resolving at the time of analysis:

The resolving domains also began hosting “news” content similar to the domains from the earlier Incidents in this series; however, we do not know whether the hosted articles are legitimate. For additional Incidents associated with this activity, see the Campaign Possible Information Operations “News” Domains For Various Countries in ThreatConnect.
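The pivot used above (domains sharing a registrar, a narrow registration window, and a hosting IP) can be automated over joined WHOIS and passive DNS records. This is an added example, not ThreatConnect code or CAL output; the records, domain names and IPs below are constructed, and the field names are assumptions about what such a join would contain.

```python
"""Infrastructure pivot: cluster domains by shared registrar, hosting IP and
registration window, the pattern described in the roundup above."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample records (hypothetical WHOIS + passive DNS join).
# Domains and IPs are placeholders, not indicators from the report.
RECORDS = [
    {"domain": "noticias-sample1[.]com", "registrar": "Njalla", "registered": "2020-09-01", "ip": "192.0.2.17"},
    {"domain": "diario-sample2[.]com",   "registrar": "Njalla", "registered": "2020-09-01", "ip": "192.0.2.17"},
    {"domain": "gazeta-sample3[.]com",   "registrar": "Njalla", "registered": "2020-09-02", "ip": "192.0.2.17"},
    {"domain": "unrelated-shop[.]com",   "registrar": "Njalla", "registered": "2020-09-01", "ip": "198.51.100.5"},
    {"domain": "old-news-site[.]com",    "registrar": "OtherReg", "registered": "2018-03-10", "ip": "192.0.2.17"},
    {"domain": "not-resolving[.]com",    "registrar": "Njalla", "registered": "2020-09-01", "ip": None},
]

def refang(domain: str) -> str:
    """Turn a defanged name such as example[.]com back into example.com."""
    return domain.replace("[.]", ".")

def cluster_by_infrastructure(records, window_days=7, min_size=2):
    """Group domains that share (registrar, ip) and were registered within
    `window_days` of each other. Returns {(registrar, ip): [domains]} for
    clusters of at least `min_size`; domains with no resolution are skipped."""
    groups = defaultdict(list)
    for r in records:
        if r["ip"] is None:          # non-resolving domains cannot be pivoted on IP
            continue
        groups[(r["registrar"], r["ip"])].append(r)
    clusters = {}
    for key, rows in groups.items():
        rows.sort(key=lambda r: r["registered"])
        dates = [date.fromisoformat(r["registered"]) for r in rows]
        best = []
        # sliding window over sorted registration dates: keep the largest
        # run of domains registered within window_days of the first one
        for i in range(len(rows)):
            j = i
            while j < len(rows) and dates[j] - dates[i] <= timedelta(days=window_days):
                j += 1
            if j - i > len(best):
                best = rows[i:j]
        if len(best) >= min_size:
            clusters[key] = sorted(refang(r["domain"]) for r in best)
    return clusters

if __name__ == "__main__":
    for (registrar, ip), domains in cluster_by_infrastructure(RECORDS).items():
        print(f"{registrar} / {ip}: {', '.join(domains)}")
```

Clusters found this way are a starting point for review, not proof of shared control; a single popular registrar or shared hosting IP will produce false groupings without the registration-window constraint.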

ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

  • 20200930A: Domains Registered Through MonoVM Used with Various Malware. On September 24 and 25, 2020, Twitter user Bryce (@bryceabdo) identified a series of domains associated with Cobalt Strike, Beacon shellcode loader, and Bazar activity. The identified domains were registered through MonoVM in late September 2020 and hosted in one of a few CIDR blocks. ThreatConnect Research identified additional domains registered using the same email addresses, and a third set that most likely is related to the same actor based on its recent use of MonoVM to register domains hosted in some of the same CIDR blocks.
  • Update 10/5/20: ThreatConnect Research and external researchers identified additional sets of infrastructure associated with the previously identified domains and IPs. These domains had registration consistencies, such as the use of a Protonmail email address to register domains through MonoVM, or reused SSL certificate strings that were used for the previously identified domains. As before, various samples, largely Cobalt Strike, were found communicating with the identified domains.

Technical Blogs and Reports

Incidents with Active and Observed Indicators: Incidents associated with one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.

About the Author
ThreatConnect Research Team

The ThreatConnect Research Team is an elite group of globally acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.