ThreatConnect Research Roundup: Threat Intel Update April 8th, 2021

Below is this week’s Threat Intel Update, a collection of recent noteworthy findings from the ThreatConnect Research Team. The items below were created or updated April 1-7, 2021.

This week’s findings include intelligence related to the following threats and/or topics:

  • UNC1878
  • Thallium

20210407A: Additional Entertainment Industry Spoofed Infrastructure

ThreatConnect ResearchThreatConnect Research identified additional domains and subdomains from late 2020 and early 2021 related to an ongoing campaign using infrastructure that spoofs organizations in or related to the entertainment industry. While we do not know if or how these domains have been used in operations, these domains and subdomains are consistent with previously identified credential harvesting and/or phishing infrastructure from 2019-2020 used to target entertainment organizations. Identified domains, their registrant email addresses, and hosting IPs include the following:

  • msauth[.]email (newfunstuff1@protonmail[.]com, 185.162.131[.]23)
  • owaauth[.]email (104.193.252[.]185)
  • dreamerproductions.uk[.]com (xiuliuzhu@protonmail[.]com, 104.193.252[.]207)
  • sso-godaddy[.]com (fornewyearsfun@protonmail[.]com, prev 104.193.252[.]185)
  • sendimages[.]to (104.193.252[.]185)
  • sendimage[.]to (104.193.252[.]185)
  • sendpix[.]to (104.193.252[.]207)
  • deliverpix[.]to (104.193.252[.]207)
  • bridgemanimages.us[.]com (eyevineuk@protonmail[.]com, 104.193.252[.]207)
  • bridgemanimages[.]uk (eyevineuk@protonmail[.]com, 104.193.252[.]207)
  • pro-df[.]studio (45.159.188[.]10)
  • dfslink[.]to (45.159.188[.]10)
  • narrativepr-la[.]com (xiuliuzhu@protonmail[.]com)
  • trunklicensing[.]com (forfia@protonmail[.]com)
  • polaris-images[.]com (forpostpics1@protonmail[.]com, 204.155.31[.]130)
  • mirrorpix.uk[.]com (forpostpics1@protonmail[.]com, 204.155.31[.]130)
  • sonymusicint[.]com (xingliuzhang@protonmail[.]com)
  • graylockpotos[.]com (xingliuzhang@protonmail[.]com, 162.244.32[.]131)
  • nationalarchives.uk[.]com (ganapeurijason@protonmail[.]com, 104.193.252[.]207)
  • image-data.co[.]uk (xiuliuzhu@protonmail[.]com, 162.244.32[.]131)

Identified subdomains for the msauth[.]email domain include the following:

  • augustimage.revalidate.external-website.msauth[.]email
  • external-website.msauth[.]email
  • latimes.revalidate.external-website.msauth[.]email
  • revalidate.external-website.msauth[.]email
  • rollingstone.revalidate.external-website.msauth[.]email

Identified subdomains for the owaauth[.]email domain include the following:

  • aac.endeavorco.revalidate.external-website.owaauth[.]email
  • abg.revalidate.external-website.owaauth[.]email
  • artandcommerce.revalidate.external-website.owaauth[.]email
  • attacurated.revalidate.external-website.owaauth[.]email
  • augustimage.okta.revalidate.external-website.owaauth[.]email
  • augustimage.revalidate.external-website.owaauth[.]email
  • billboard.revalidate.external-website.owaauth[.]email
  • endeavorco.external-website.owaauth[.]email
  • endeavorco.revalidate.external-website.owaauth[.]email
  • essence.revalidate.external-website.owaauth[.]email
  • exg7.exghost.owaauth[.]email
  • exghost.owaauth[.]email
  • external-site.owaauth[.]email
  • external-website.owaauth[.]email
  • fentycorp.revalidate.external-website.owaauth[.]email
  • fs.pressassociation.revalidate.external-website.owaauth[.]email
  • fyibrandgroup.revalidate.external-website.owaauth[.]email
  • gettyimages.okta.revalidate.external-website.owaauth[.]email
  • greatbowery.okta.revalidate.external-website.owaauth[.]email
  • id-pr.revalidate.external-website.owaauth[.]email
  • immediate.revalidate.external-website.owaauth[.]email
  • independentpr.us.exg7.exghost.owaauth[.]email
  • jlopezent.revalidate.external-website.owaauth[.]email
  • latimes.revalidate.external-website.owaauth[.]email
  • ledecompany.revalidate.external-website.owaauth[.]email
  • marymccartney.revalidate.external-website.owaauth[.]email
  • meredith.revalidate.external-website.owaauth[.]email
  • narrativepr.revalidate.external-website.owaauth[.]email
  • ngpeiabg.revalidate.external-website.owaauth[.]email
  • okta.revalidate.external-website.owaauth[.]email
  • paperentertainment.revalidate.external-website.owaauth[.]email
  • personalpr.revalidate.external-website.owaauth[.]email
  • pressassociation.revalidate.external-website.owaauth[.]email
  • revalidate.external-site.owaauth[.]email
  • revalidate.external-website.owaauth[.]email
  • rollingstone.revalidate.external-website.owaauth[.]email
  • slate-pr.revalidate.external-website.owaauth[.]email
  • sonymusic.revalidate.external-website.owaauth[.]email
  • sts.immediate.revalidate.external-website.owaauth[.]email
  • sts1.aac.endeavorco.revalidate.external-website.owaauth[.]email
  • sts1.endeavorco.external-website.owaauth[.]email
  • sunshinesachs.revalidate.external-website.owaauth[.]email
  • umgconnect.umusic.revalidate.external-site.owaauth[.]email
  • umusic.revalidate.external-site.owaauth[.]email
  • us.exg7.exghost.owaauth[.]email
  • variety.revalidate.external-website.owaauth[.]email
  • visionpr.revalidate.external-website.owaauth[.]email
  • Vmagazine.revalidate.external-website.owaauth[.]email

20210406B: Azure-Spoofing Infrastructure Registered Through NameCheap

ThreatConnect Research identified a pair of suspicious Microsoft Azure-spoofing domains registered through NameCheap in late March 2021 and hosted on dedicated servers in VPS.BG IP Space. While the domains were registered on different days, given the name string and hosting consistencies, they most likely are associated with a single actor. The identified domains and their hosting IPs include the following:

  • azurefilescloud[.]com (3/27/21, 31.13.195[.]102)
  • azuredatacloud[.]com (3/26/21, 87.120.8[.]165)

Of note, per urlscan.io, azurefilescloud[.]com currently redirects to the legitimate Microsoft Azure product site. At this time, we have no information on the extent to which this infrastructure has been used maliciously.

20210406A: Possible UNC1878 Domain presidentofschool14[.]com

ThreatConnect Research identified a possible UNC1878 / Wizard Spider domain — presidentofschool14[.]com — that was registered through OpenProvider on 4/2/21 and is hosted on a dedicated server at BAcloud IP 213.252.245[.]19. An SSL certificate was created for this domain on 4/5/21 that uses a “C=, ST=, L=, O=, OU=, CN=” subject string, which is consistent with, but not definitively indicative of, previously identified UNC1878 infrastructure registered through OpenProvider and used with Cobalt Strike to deploy Ryuk. At this time, we don’t have any information on any related files or the extent to which this infrastructure has been operationalized.

20210405A: Thallium Infrastructure Registered in Early 2021 Through MonoVM

ThreatConnect Research identified several domains registered through MonoVM on 4/3/21 using 8979ksg@protonmail[.]com that most likely are associated with Thallium activity. At this time we have no information on the extent to which this infrastructure has been used maliciously; however, the identified domains have registration and naming consistencies with previously identified Thallium infrastructure, specifically several domains previously identified in Incident 20201109B: Thallium Infrastructure Registered Through MonoVM. The 4/3 domains include:

  • diplomatictraining[.]com (45.147.228[.]63)
  • hpronto-login[.]com (212.114.52[.]230)
  • knowledgeofworld[.]org (212.114.52[.]129)
  • mid-service[.]com (212.114.52[.]230)
  • mid-service[.]org (45.147.228[.]63)
  • unosa[.]org (45.147.228[.]63)

Per urlscan.io, one of the identified domains, knowledgeofworld[.]org, currently redirects to the legitimate Security Council Report site.

The 8979ksg@protonmail[.]com email address was also used to register at least three other domains on 3/15/21 through MonoVM. The following domains have since been suspended:

  • ssidnaver[.]com
  • stategov[.]biz (prev. 45.147.228[.]63)
  • vpsino[.]org

Several of the aforementioned domains also have hosting overlaps with additional, most likely Thallium infrastructure registered through MonoVM in late 2020 and early 2021 using donaldxxxtrump@yandex[.]ru. These domains/subdomains and their hosting IPs include the following:

  • deioncube[.]biz (152.89.247[.]240, prev. 136.144.41[.]110)
  • pronto-login[.]info (211.104.160[.]79, prev. 108.177.235[.]137, subdomains: 45.147.228[.]63, 222.118.183[.]131)
  • mid.pronto-login[.]info
  • mail.pronto-login[.]info
  • zoom.mid.pronto-login[.]info
  • statedept.pronto-login[.]info
  • securityforcastreport[.]com (212.114.52[.]129, prev. 45.11.19[.]218, 108.177.235[.]137)
  • russia.securityforcastreport[.]com
  • webofknowledg[.]com (211.104.160[.]79, prev. 45.11.19[.]218, 108.177.235[.]137)
  • policy.webofknowledg[.]com
  • mail.webofknowledg[.]com
  • securitysettings[.]info (Suspended, prev. 108.177.235[.]137)

Of note, the 211.104.160[.]79 hosting IP identified above also hosted infrastructure in the associated Incident 20201109B: Thallium Infrastructure Registered Through MonoVM.

20210401B: Possible UNC1878 Domains

ThreatConnect Research identified some possible UNC1878 / Wizard Spider domains registered on various dates in March 2021 through OpenProvider. The identified domains are hosted on a dedicated server at BAcloud IP space. SSL certificates was using a “C=, ST=, L=, O=, OU=, CN=” subject string were identified for the three domains, which is consistent with previously identified UNC1878 infrastructure registered through OpenProvider and used with Cobalt Strike to deploy Ryuk.

The identified domains and their hosting IPs, and any related files include the following:

  • fastpighostmerch[.]com (3/2/21, 213.252.247[.]132)
  • shopdsld-invoce[.]com (3/22/21, 185.25.51[.]10, rel. Cobalt Strike Powershell: e73673efb2816913596e285623e1f6d3)
  • fastpic-domain[.]com (3/31/21, 185.25.51[.]67)

20210401A: Google Update on Campaign Targeting Security Researchers

ThreatConnect Research further reviewed the infrastructure reported by Google and identified that several of the domains have the following characteristics:

  • Registration through NameCheap
  • Use of Leaseweb, combahton GmbH, GWY IT Pty Ltd, or iS-Fun Internet Services GmbH ISPs
  • Sectigo RSA SSL certificates
  • Registration creation timestamps between 0100 and 0900 UTC
  • In some cases, hosting a Windows IIS web server
  • Several of the identified domains were registered on 1/23/21 at different times

While we cannot narrow a single query down to all the aforementioned characteristics, using DomainTools Iris, we can identify that about 240 domains registered through NameCheap since December 2020 use one of the above ISPs for hosting and have an available SSL certificate. Not all of these 240 domains are related to the North Korean activity Google identified; however, there are several that merit additional scrutiny as such and have other non-definitive characteristics in common with the infrastructure previously identified. At this time we are assessing this additional infrastructure as possibly being related to the domains Google identified. Additionally, we have no information on the extent to which this additional infrastructure has been used maliciously.

One domain, specialbooklib[.]org (23.81.246[.]145), was registered the same day (1/23/21) as the bulk of those in Google’s report and has registrar, ISP, registration timing, and SSL certificate consistencies with those domains.

The following domains were registered the day before (1/22/21) the bulk of those in Google’s report and have registrar, ISP, registration timing, SSL certificate, and in some cases hosted server consistencies with the above:

  • veteranlifeshop[.]com (45.147.228[.]34)
  • smartboxship[.]com (45.138.172[.]82)
  • ringtonbox[.]com (45.11.19[.]169)
  • medofficeshop[.]com (23.106.215[.]233)
  • economytransfer[.]net (45.147.228[.]80)
  • dcm-server-upd[.]com (45.147.228[.]253)
  • culturerelation[.]com (45.11.19[.]202)
  • consultmedical[.]net (45.147.229[.]176)
  • amdsata-dns[.]com (45.138.172[.]14)
  • afunix-update[.]com (45.147.228[.]218)

Another set of domains from 12/11/20 have registrar, ISP, registration timing, SSL certificate, and in some cases hosted server consistencies with the above:

  • antishipmissile[.]net (45.138.172[.]207)
  • aitechmill[.]com (212.114.52[.]29)
  • artillery-guide[.]com (45.138.172[.]123)
  • navaltechology[.]org (45.11.19[.]57)

Finally, the following domains have registrar, ISP, registration timing, and SSL certificate consistencies and spoof organizations focusing on or assessing North Korean issues:

  • csiskorea[.]org (23.81.246[.]115)
  • ncnkevents[.]org (23.106.215[.]109)
About the Author
ThreatConnect Research Team

The ThreatConnect Research Team: is an elite group of globally-acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.