Below is this week’s edition of ThreatConnect’s Research Roundup: Threat Intel Update, a collection of recent noteworthy findings from the ThreatConnect Research Team. The items below were created or updated March 11-23, 2021.
This week’s findings include intelligence related to the following threats and/or topics:
20210324A: Possible FIN7 Domain eyebrowaholic[.]com
ThreatConnect Research identified possible FIN7 domain eyebrowaholic[.]com (85.217.171[.]19), which was registered through NameCheap on 3/20/21. This domain has non-definitive consistencies with previously identified FIN7 infrastructure including registrar, hosting ISP, Let’s Encrypt SSL certificate, and naming convention. At this time we have no indication of the extent to which this domain has been used maliciously.
20210323A: Possible FIN7 Domains Registered in March 2021
ThreatConnect Research identified the following possible FIN7 domains, which were registered separately through NameCheap in March 2021 and are hosted on dedicated servers:
- offspringance[.]com (109.234.37[.]28)
- coincidencious[.]com (185.206.145[.]227)
- uncertaintology[.]com (5.199.139[.]206)
- wisecrackism[.]com (92.63.105[.]58)
- associationable[.]com (89.163.214[.]57)
These domains have non-definitive consistencies with previously identified FIN7 infrastructure including registrar, hosting ISP, and naming convention. Some of the domains — offspringance[.]com and associationable[.]com — have a corresponding Let’s Encrypt SSL certificate akin to previously identified FIN7 registrations.
Some of the aforementioned domains, including coincidencious[.]com and wisecrackism[.]com, are hosted at IPs where an SSL certificate with the subject string “C=US, ST=CA, L=Mountain View, O=Google GMail, OU=Google Mail, CN=gmail.com” is or was in use. We have less confidence in these domains’ association with FIN7, as this certificate subject is anomalous compared to the previously identified FIN7 registrations we are aware of.
In a review of older registrations at newly identified ISPs of note, we also identified the following possible FIN7 domains that were registered in 2021 prior to March:
- consolidatology[.]com (89.163.214[.]57)
- hilariousology[.]com (89.163.213[.]249)
- keywordsance[.]com (149.154.68[.]48)
At this time we have no indication of the extent to which these domains have been used maliciously.
20210317A: Suspicious Domain sync-firewall[.]com
ThreatConnect Research identified suspicious domain sync-firewall[.]com, which was registered through NameCheap on 3/5/21 and is hosted on a dedicated server at Sia Nano IT IP 185.82.127[.]65. Per Censys, a Sectigo RSA SSL certificate was created for the domain on 3/16/21, while an earlier 3/9 self-signed certificate used the subject string “C=US, ST=New York, L=New York City, O=Bouncy Castles, Inc., OU=Ministry of Water Slides, CN=www.sync-firewall[.]com, emailAddress=fire@gmail[.]com.” These strings appear to be consistent with various openly available documentation detailing how to create SSL certificates, and are not indicative of a single actor. At this time, we have no indication of the extent to which sync-firewall[.]com has been used maliciously.
20210312A: Probable UNC1878 Domain geamac[.]com
ThreatConnect Research identified a probable UNC1878 / Wizard Spider domain — geamac[.]com — that was registered through NameCheap on 3/10/21 and is hosted on a dedicated server at Vultr IP 95.179.237[.]115. An SSL certificate was created for this domain on 3/10/21 that uses the subject string “C=US, ST=VA, L=Roanoke, O=Balanced, OU=,” which is consistent with previously identified UNC1878 infrastructure registered in early 2021 using various SSL certificate subject strings. At this time, we do not have information on any related files or on the extent to which this infrastructure has been operationalized.
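The FIN7 and UNC1878 items above are both built on the same kind of infrastructure pivot: a candidate domain is compared against a small set of attributes (registrar, hosting ISP, certificate issuer, certificate subject string, and naming convention), and the number and quality of matches drives the "possible" or "probable" label. The following script is an added example, not ThreatConnect's own tooling, that makes those checks explicit so a defender can run them over their own passive DNS or certificate transparency records. The input records, the `DomainRecord` type, the suffix list, and the thresholds in `classify` are this example's assumptions; the two certificate subject strings are the ones quoted in the roundup.

```python
"""Infrastructure-consistency checks for candidate domains.

Added example (not ThreatConnect code). It encodes the pivots the roundup
describes as individual, auditable flags. All records below are constructed
for illustration; the labelling thresholds are this example's assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Certificate subject strings quoted in the roundup.
UNC1878_SUBJECT = "C=US, ST=VA, L=Roanoke, O=Balanced, OU="
GMAIL_SPOOF_SUBJECT = ("C=US, ST=CA, L=Mountain View, O=Google GMail, "
                       "OU=Google Mail, CN=gmail.com")

# Pseudo-English suffixes seen in the FIN7 domains listed on this page
# (offspringance, consolidatology, wisecrackism, associationable, ...).
FIN7_SUFFIXES = ("ance", "ology", "ism", "able", "aholic", "ious")


@dataclass
class DomainRecord:
    """One row of passive DNS / certificate data (constructed type)."""
    domain: str
    registrar: str
    isp: str
    cert_issuer: str = ""
    cert_subject: str = ""


def has_fin7_naming(domain: str) -> bool:
    """True when the second-level label is a single word-like token that ends
    in one of the observed suffixes, e.g. 'offspringance' or 'hilariousology'."""
    label = domain.lower().split(".")[0]
    return bool(re.fullmatch(r"[a-z]{6,}", label)) and label.endswith(FIN7_SUFFIXES)


def fin7_flags(rec: DomainRecord) -> Dict[str, bool]:
    """Return the individual consistencies an analyst would weigh for FIN7."""
    return {
        "registrar_namecheap": rec.registrar.strip().lower() == "namecheap",
        "letsencrypt_cert": "let's encrypt" in rec.cert_issuer.lower(),
        "fin7_naming": has_fin7_naming(rec.domain),
        # The roundup treats this subject string as lowering confidence.
        "anomalous_gmail_subject": rec.cert_subject.strip() == GMAIL_SPOOF_SUBJECT,
    }


def classify(rec: DomainRecord) -> Tuple[str, Dict[str, bool]]:
    """Map the flags onto the qualitative labels used in the roundup.

    Thresholds are an assumption of this example, not ThreatConnect's rubric:
      UNC1878 subject string present                -> probable UNC1878
      >= 2 FIN7 consistencies, no anomaly           -> possible FIN7
      >= 2 FIN7 consistencies, Gmail-spoof subject  -> possible FIN7 (lower confidence)
      otherwise                                     -> unclassified
    """
    if rec.cert_subject.strip().startswith(UNC1878_SUBJECT):
        return "probable UNC1878", {"unc1878_subject": True}

    flags = fin7_flags(rec)
    positives = sum(flags[k] for k in ("registrar_namecheap",
                                       "letsencrypt_cert", "fin7_naming"))
    if positives >= 2 and flags["anomalous_gmail_subject"]:
        return "possible FIN7 (lower confidence)", flags
    if positives >= 2:
        return "possible FIN7", flags
    return "unclassified", flags


# Constructed sample records mirroring the page's observations.
SAMPLE_RECORDS = [
    DomainRecord("geamac.com", "NameCheap", "Vultr",
                 cert_subject="C=US, ST=VA, L=Roanoke, O=Balanced, OU="),
    DomainRecord("offspringance.com", "NameCheap", "(dedicated host)",
                 cert_issuer="Let's Encrypt"),
    DomainRecord("coincidencious.com", "NameCheap", "(dedicated host)",
                 cert_subject=GMAIL_SPOOF_SUBJECT),
    DomainRecord("example.com", "GoDaddy", "(shared host)"),
]


def run_samples() -> Dict[str, str]:
    """Classify every sample record and return {domain: label}."""
    return {rec.domain: classify(rec)[0] for rec in SAMPLE_RECORDS}


if __name__ == "__main__":
    for domain, label in run_samples().items():
        print(f"{domain:24} {label}")
```

The flags are kept separate from the label on purpose: an analyst reviewing the output can see that coincidencious[.]com matched on registrar and naming convention but carries the anomalous Gmail-style certificate subject, which is exactly the nuance the roundup records when it assigns lower confidence to that subset of domains.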
Related Research Posts: /blog/threatconnect-research-roundup-wizard-spider-unc1878-ryuk-campaign/