Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).
Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.
Roundup Highlight: SLOTHFULMEDIA RAT and Ryuk
In this Roundup, we highlight Incident 20201116A: Suspicious Domains Registered Through NameCheap and Hosted at FranTech. ThreatConnect Research identified a set of domains registered through NameCheap on 11/13/20 at essentially the same time and hosted on probable dedicated servers in FranTech ISP IP space. This combination of registration and hosting has also been seen in recent sets of Ryuk / Wizard Spider / UNC1878 registrations; however, it is not unique to them and at this time we cannot confidently assess that this infrastructure is associated with Ryuk. Notably, the domain name strings are inconsistent with those in previously identified Ryuk sets, no SSL certificates have been seen, and no related malicious files could be identified. Future reuse of these domain strings or additional information on related SSL certificates and files would help determine whether this infrastructure is related to Ryuk.
The identified domains and their hosting IPs include the following:
ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.
- 20201116B: APT35 Domain cover-home-panel[.]xyz. ThreatConnect Research identified a most likely APT35 / Phosphorus / Charming Kitten domain registered through OnlineNIC Inc. on 11/15/20 and hosted on a dedicated server at a Hetzner IP. Per urlscan.io, this domain currently redirects to China Central Television’s domain. The domain’s registration and hosting characteristics are consistent with previously identified APT35 infrastructure. At this time we have no additional information on the extent to which this domain has been used maliciously.
- 20201118A: Possible CloudAtlas Infrastructure. ThreatConnect Research reviewed recently identified CloudAtlas / RedOctober files and related infrastructure. Based on domain reseller, string, and/or email domain reuse, we have identified several other domains and hosting IPs that are also possibly associated with CloudAtlas.
Technical Blogs and Reports
Incidents with Active and Observed Indicators: Incidents associated with one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).
- Another Credit Card Stealer That Pretends to Be Sucuri (Source: https://blog.sucuri.net/?p=27319)
- Emotet C2 Deltas from 2020/11/12 as of 14:00EST or 19:00UTC (Source: https://paste.cryptolaemus.com/emotet/2020/11/12/emotet-C2-Deltas-1900-1400_11-12-20.html)
- Threat Roundup for November 6 to November 13 (Source: https://blog.talosintelligence.com/2020/11/threat-roundup-1106-1113.html)
- Emotet C2 Deltas from 2020/11/16 as of 17:00EST or 22:00UTC (Source: https://paste.cryptolaemus.com/emotet/2020/11/16/emotet-C2-Deltas-1700-2200_11-16-20.html)
- Emotet C2 Deltas from 2020/11/18 as of 11:00EST or 16:00UTC (Source: https://paste.cryptolaemus.com/emotet/2020/11/18/emotet-C2-Deltas-1100-1600_11-18-20.html)
To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.