Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).
Note: Viewing the pages linked in this blog post requires a ThreatConnect account.
Roundup Highlight: Belarus, Ecuador, and Russia “News” Sites
Screenshot of a “news” site identified in 20201005A: Ecuador, Russia, and Belarus “News” Sites Registered Through Njalla
Our highlight in this Roundup is Incident 20201005A: Ecuador, Russia, and Belarus “News” Sites Registered Through Njalla. ThreatConnect Research and external researcher Taylor Staunton (@Taylor_Signals) identified two sets of Ecuador and Russia themed “news” domains that most likely are associated with an ongoing series of news site registrations focusing on various countries that may be part of a larger information operation. Both sets of domains were registered in early September 2020 through Njalla and began resolving to a probable dedicated server at OVH IP 18.104.22.168 in early October 2020.
The Ecuador focused domains were registered through Njalla on September 1 2020 and include the following domains resolving at the time of analysis:
Related but not resolving at the time of analysis:
Russia and Belarus
The predominantly Russia focused domains were registered through Njalla on September 2 2020 and include the following domains resolving at the time of analysis:
The resolving domains also began hosting “news” content similar to the previous domains; however, we do not know whether the hosted articles are legitimate. For additional Incidents associated to this activity, see the Campaign Possible Information Operations “News” Domains For Various Countries in ThreatConnect:
ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.
- 20200930A: Domains Registered Through MonoVM Used with Various Malware On September 24 and 25 2020 Twitter user Bryce (@bryceabdo) identified a series of domains associated with Cobalt Strike, Beacon shellcode loader, and Bazar activity. The identified domains were registered through MonoVM in late September 2020 and hosted in one of a few CIDR blocks. ThreatConnect Research identified additional domains registered using the same email addresses and a third that most likely are related to the same actor based on its recent use of MonoVM to register domains hosted in some of the same CIDR blocks.
- Update 10/5/20: ThreatConnect Research and external researchers identified additional sets of infrastructure associated with the previously identified domains and IPs. These domains had registration consistencies, like the use of a Protonmail email address to register domains through MonoVM, or reused SSL certificate strings that were used for the previously identified domains domains. Similar to the aforementioned, various samples — largely Cobalt Strike – were found communicating with the identified domains.
Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).
- Emotet C2 Deltas from 2020/10/05 as of 09:10EDT or 13:10UTC (Source: https://paste.cryptolaemus.com/emotet/2020/10/05/emotet-C2-Deltas-1310-0910_01-05-20.html)
- Daily Emotet IoCs and Notes for 10/05/20 (Source: https://paste.cryptolaemus.com/emotet/2020/10/05/emotet-malware-IoCs_10-05-20.html)
- Weekend Emotet IoCs and Notes for 10/02-04/20 (Source: https://paste.cryptolaemus.com/emotet/2020/10/04/04-emotet-malware-IoCs_10-02-04-20.html)
- Scanning for SOHO Routers, (Sat, Oct 3rd) (Source: https://isc.sans.edu/diary/rss/26638)
- Threat Roundup for September 25 to October 2 (Source: https://blog.talosintelligence.com/2020/10/threat-roundup-0925-1002.html)
- Daily Emotet IoCs and Notes for 10/01/20 (Source: https://paste.cryptolaemus.com/emotet/2020/10/01/emotet-malware-IoCs_10-01-20.html)
To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.