ThreatConnect Research Roundup: Possible APT33 Infrastructure

May 21 2020 Edition

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.

Roundup Highlight: Possible APT33 Infrastructure

Our highlight in this Roundup is Incident 20200518A: Suspicious Realhosters Name Server Domain taskreminder[.]net, which identifies network infrastructure possibly related to APT33. The domain taskreminder[.]net was registered on May 14 2020 using wayne.williams1986@protonmail[.]com and uses a ns1.realhosters.com name server. As of May 18 2020, this domain is hosted on a probable dedicated server at OVH IP 137.74.157[.]84.

While not definitive in terms of attribution, it’s worth noting that some APT33 related infrastructure like times-sync[.]com has previously used the same name server and OVH IP space for hosting. For example, the 137.74.157[.]84 IP was identified in a December 2019 Trend Micro report on APT33 obfuscated botnets. Previously identified infrastructure was documented in 20200106A: Suspicious Realhosters Name Server Domains.

We don’t have any information on the extent to which, if any, this domain has been used maliciously. However, given the minimal use of the ns1.realhosters.com name server and APT33’s potential reuse of it, any domains using it merit scrutiny as possible APT33 domains.

Update 5/21/20: The taskreminder[.]net domain is now hosted on a probable dedicated server at OVH IP 91.134.187[.]25. To receive ThreatConnect notifications about updates to Host DNS changes, remember to check the “Follow Item” box on that item’s Details page. 

 

ThreatConnect Research Team Intelligence:

These are items recently created or updated in the ThreatConnect Common Community by our Research Team. They include threat actor profiles, malware families, campaigns, signatures, and incidents based on our research and threat hunting activities. This week, we highlight new infrastructure registered using previously observed APT33 techniques, suspicious domains spoofing Poste Italiane, and an update to previously reported domains using “msupdate” strings.

Update 5/13/20: The aforementioned domains are now hosted on a probable dedicated server at OVH IP 158.69.30.194. Additionally, the domains are also now using their own name servers.

Technical Blogs and Reports Incidents with Active and Observed Indicators:

The ThreatConnect Technical Blogs and Reports Source is a curated collection of open source blogs and reports that are automatically aggregated and parsed for Indicators on a daily basis. Incidents listed here are associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

 

About the Author
ThreatConnect Research Team

The ThreatConnect Research Team: is an elite group of globally-acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.