Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).
Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.
In this edition, we cover:
- Microsoft-Spoofing Domains
- Probable Konni Domains
- .ics Calendar Phishing
- Lucifer Cryptojacking/DDoS
Roundup Highlight: Microsoft-Spoofing Domains
Our highlight in this Roundup is Incident 20200624A: Microsoft Spoofing Domains Registered Through Google and Hosted on a DigitalOcean IP. On June 24, 2020, ThreatConnect Research identified three Microsoft-spoofing domains that were registered through Google on June 16 and 17, 2020 and are, or were, hosted on a probable dedicated server at DigitalOcean IP addresses.
The identified domains and their hosting IPs include the following:
Per urlscan.io, as of June 24, 2020, login-onmicrosoft[.]online redirects to a Microsoft Online login URL, and login-onmicrosoftonline[.]com redirects to a legitimate Microsoft domain. Redirecting to the real login page after the initial visit is a common way for a spoofing domain to avoid raising suspicion with the recipient.
These domains are possibly related to a series of similar registrations through Google that are captured in associated Incidents in ThreatConnect.
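A defender-side triage check for the pattern described above (Microsoft brand tokens in a hostname whose registrable domain is not Microsoft-owned), added here as an example and not ThreatConnect's or CAL's code. The allowlist and the short two-label suffix table are constructed assumptions; a real deployment should use the Public Suffix List instead.

```python
# Registrable domains Microsoft actually uses for sign-in flows.
# Assumed allowlist, constructed for this example; extend from your own inventory.
MICROSOFT_OWNED = {
    "microsoft.com",
    "microsoftonline.com",
    "onmicrosoft.com",
    "live.com",
    "office.com",
}

# Brand tokens whose presence in a non-Microsoft hostname is suspicious.
BRAND_TOKENS = ("microsoftonline", "onmicrosoft", "microsoft", "office365")

# Minimal table of multi-label public suffixes (assumption for the example);
# use the Public Suffix List (e.g. the tldextract package) in production.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as login-onmicrosoft[.]online into a hostname."""
    host = indicator.strip().lower()
    return host.replace("[.]", ".").replace("(.)", ".").rstrip(".")


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 portion of a hostname (simplified suffix handling)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_microsoft_spoof(indicator: str) -> bool:
    """True when a brand token appears in a hostname Microsoft does not own."""
    host = refang(indicator)
    if registrable_domain(host) in MICROSOFT_OWNED:
        return False  # legitimate Microsoft infrastructure, whatever the subdomain
    return any(token in host for token in BRAND_TOKENS)


def triage(indicators):
    """Map each indicator to its spoof verdict, e.g. for a watchlist feed."""
    return {ind: is_microsoft_spoof(ind) for ind in indicators}


if __name__ == "__main__":
    # Constructed sample: the two domains from the incident plus two benign hosts.
    sample = ["login-onmicrosoft[.]online", "login-onmicrosoftonline[.]com",
              "login.microsoftonline.com", "example.com"]
    for ind, flagged in triage(sample).items():
        print(f"{'SPOOF' if flagged else 'ok   '} {ind}")
```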
ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.
- 20200629B: Probable Konni Domains Registered by tiosuakiwn34@rambler[.]ru. ThreatConnect Research identified a series of suspicious, probable Konni domains registered through THCservers and QHoster using the email address tiosuakiwn34@rambler[.]ru. Several of the domains spoof and/or redirect to Korean mail services.
Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).
- “You’re Invited!” to Phishing Links Inside .ics Calendar Attachments (Source: https://cofense.com/youre-invited-phishing-links-inside-ics-calendar-attachments/)
- Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities t… (Source: https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/)
- DarkCrewBot – The Return of the Bot Shop Crew (Source: https://research.checkpoint.com/2020/the-return-of-the-bot-shop-crew/)
- Emotet C2 and RSA Key Update – 06/26/2020 11:50 (Source: https://paste.cryptolaemus.com/emotet/2020/06/26/emotet-c2-rsa-update-06-26-20-1.html)
- WastedLocker (Source: https://id-ransomware.blogspot.com/2020/06/wastedlocker-ransomware.html)
- Threat Roundup for June 19 to June 26 (Source: https://blog.talosintelligence.com/2020/06/threat-roundup-0619-0626.html)
- Emotet C2 and RSA Key Update – 06/29/2020 13:40 (Source: https://paste.cryptolaemus.com/emotet/2020/06/29/emotet-c2-rsa-update-06-29-20-1.html)
To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.