
ThreatConnect Research Roundup: Threat Intelligence Update 3/15/21

Below is this week’s edition of ThreatConnect’s Research Roundup: Threat Intelligence Update, a collection of recent noteworthy findings from the ThreatConnect Research Team. The items below were created or updated in the last week (March 3 – March 10).

This week’s findings include intelligence related to the following threats and/or topics:

  • Information Operations
  • UNC1878 / Wizard Spider
  • Cobalt Strike
  • CloudAtlas / RedOctober

20210308A: News Front Associated Information Operations Infrastructure

A report from journalist Elise Thomas and the Institute for Strategic Dialogue (ISD) in February 2021 identified links between News Front (news-front[.]info), a purported pro-Kremlin disinformation/influence operation, and the related digital assets Summury News (summurynews[.]com) and Real Bomb (realbomb[.]info). According to Thomas’ report, these additional sites “present themselves as separate news organisations, but whose content is identical to one another and to some (though not all) of News Front’s content.”

ThreatConnect Research further reviewed the identified infrastructure and found several registration and name server characteristics that lead to additional sites almost certainly related to Summury News and Real Bomb. Notably, all three of the aforementioned domains use the Josh/Mona Cloudflare name server combination. While not unique to a single Cloudflare user, sites administered under the same Cloudflare account will often use the same combination of specific name servers. Additionally, both realbomb[.]info and summurynews[.]com were registered through Reg.ru on 3/19/18 at essentially the same time. WHOIS history identifies Molise as the Registrant State/Province for both sites, while Paul Pomerleau and dozennews.ca@gmail[.]com appear as the registrant name and email address for summurynews[.]com.

At least five other domains are almost certainly related to the Summury News and Real Bomb sites. Of note, two of the domains — dozennews[.]info and unitedeurope.online — were registered through Reg.ru at essentially the same time as the other 3/19/18 domains. The additional domains and the relevant consistencies include the following:

  • dozennews[.]info (3/19/18 Reg.ru Registration, Molise State/Province, Josh/Mona Cloudflare NS)
  • unitedeurope.online (3/19/18 Reg.ru Registration, dozennews.ca@gmail[.]com, Molise State/Province, Josh/Mona Cloudflare NS)
  • eho[.]md (Paul Pomerleau Registrant, dozennews.ca@gmail[.]com)
  • ehonews[.]kz (Paul Pomerleau Registrant, tdveurope@gmail[.]com, Molise State/Province, MX IP: 78.40.108.108, Josh/Mona Cloudflare NS; previously Vladimir Myshevskiy Registrant, tolstokorovweb@gmail[.]com)
  • ehokg[.]info (MX IP: 78.40.108.108, Josh/Mona Cloudflare NS)

At least two other domains — kherson[.]site and kherson[.]life — use the same Josh/Mona Cloudflare name server combination and host “news” content. Lacking any other consistencies with the aforementioned domains, we assess that these two are possibly related to the same actor behind Summury News and Real Bomb.

At this time we cannot assess the legitimacy of the articles on the above sites nor do we have any additional insight into the actor behind the sites. Of note, the identified sites purport to provide news related to a variety of countries, specifically referencing Germany, Moldova, Kazakhstan, Kyrgyzstan, and the Kherson region in Ukraine.
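The pivoting logic described in this entry (a seed set of domains, then expansion through shared registrar and registration date, registrant details, MX address, and, as a weaker signal, the Cloudflare name server pair) can be written down as a small scoring routine. The following is an added example, not ThreatConnect's tooling; the records are constructed from the characteristics stated above, fields the entry does not mention are left empty, and the `unrelated-control[.]test` domain and its `other/other` name server pair are invented to show a non-match.

```python
"""Infrastructure pivoting: expand a seed set of related domains by shared
registration and DNS traits. Records are constructed from the write-up above;
fields it does not state are None. The control domain is invented."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    ns_pair: Optional[str] = None           # Cloudflare name server pair
    registrar: Optional[str] = None
    registered: Optional[str] = None        # registration date, YYYY-MM-DD
    registrant: Optional[str] = None
    registrant_email: Optional[str] = None
    registrant_state: Optional[str] = None
    mx_ip: Optional[str] = None


def strong_traits(a: DomainRecord, b: DomainRecord) -> Set[str]:
    """Registration/hosting consistencies shared by two records. Registrar and
    registration date only count together (same registrar, same day). The name
    server pair is deliberately excluded: many unrelated Cloudflare customers
    share it, so on its own it supports only a 'possible' link."""
    shared: Set[str] = set()
    if a.registrar and a.registered and (a.registrar, a.registered) == (b.registrar, b.registered):
        shared.add("registrar+date")
    for f in ("registrant", "registrant_email", "registrant_state", "mx_ip"):
        va, vb = getattr(a, f), getattr(b, f)
        if va and va == vb:
            shared.add(f)
    return shared


def cluster(seeds: Iterable[DomainRecord],
            candidates: Iterable[DomainRecord]) -> Dict[str, Tuple[str, List[str]]]:
    """Iteratively add candidates that share a strong trait with any member
    already in the cluster, so a domain linked only through another pivoted
    domain (e.g. a shared MX address) is still picked up. Candidates that
    share nothing but the name server pair are rated 'possibly related'."""
    members: Dict[str, DomainRecord] = {s.domain: s for s in seeds}
    verdict: Dict[str, Tuple[str, List[str]]] = {}
    pending = list(candidates)
    changed = True
    while changed:
        changed = False
        for c in list(pending):
            traits: Set[str] = set()
            for m in members.values():
                traits |= strong_traits(m, c)
            if traits:
                members[c.domain] = c
                verdict[c.domain] = ("almost certainly related", sorted(traits))
                pending.remove(c)
                changed = True
    for c in pending:
        if c.ns_pair and any(c.ns_pair == m.ns_pair for m in members.values()):
            verdict[c.domain] = ("possibly related", ["ns_pair"])
        else:
            verdict[c.domain] = ("no link found", [])
    return verdict


SEEDS = [
    DomainRecord("summurynews[.]com", "josh/mona", "Reg.ru", "2018-03-19",
                 "Paul Pomerleau", "dozennews.ca@gmail[.]com", "Molise"),
    DomainRecord("realbomb[.]info", "josh/mona", "Reg.ru", "2018-03-19",
                 registrant_state="Molise"),
]

CANDIDATES = [
    DomainRecord("dozennews[.]info", "josh/mona", "Reg.ru", "2018-03-19",
                 registrant_state="Molise"),
    DomainRecord("unitedeurope.online", "josh/mona", "Reg.ru", "2018-03-19",
                 registrant_email="dozennews.ca@gmail[.]com", registrant_state="Molise"),
    DomainRecord("eho[.]md", registrant="Paul Pomerleau",
                 registrant_email="dozennews.ca@gmail[.]com"),
    DomainRecord("ehonews[.]kz", "josh/mona", registrant="Paul Pomerleau",
                 registrant_email="tdveurope@gmail[.]com", registrant_state="Molise",
                 mx_ip="78.40.108.108"),
    DomainRecord("ehokg[.]info", "josh/mona", mx_ip="78.40.108.108"),
    DomainRecord("kherson[.]site", "josh/mona"),
    DomainRecord("kherson[.]life", "josh/mona"),
    # invented control domain with no overlap with the cluster
    DomainRecord("unrelated-control[.]test", "other/other", "ExampleRegistrar", "2020-01-01"),
]

if __name__ == "__main__":
    for domain, (rating, traits) in cluster(SEEDS, CANDIDATES).items():
        print(f"{domain:28} {rating:26} {', '.join(traits)}")
```

Running it reproduces the entry's assessments: the five strongly linked domains come out as "almost certainly related" (ehokg[.]info only through the MX address it shares with ehonews[.]kz, which is why the expansion has to be iterative), the two kherson domains as "possibly related", and the control domain as unlinked. In practice each trait deserves its own weight; a shared State/Province or a shared Cloudflare name server pair is far weaker than a shared registrant email, and the routine above treats every strong trait equally only to keep the logic readable.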

20210306A: Probable UNC1878 Domains Registered on 3/3/21

ThreatConnect Research identified several most likely UNC1878 / Wizard Spider domains that were registered on 3/3/21 at essentially the same time and that have registration, hosting, and SSL certificate consistencies with previously identified UNC1878 domains. Early 2021 sets of UNC1878 domains in some cases were registered through NameCheap or OpenProvider, have used their own name servers, are hosted on dedicated servers in Media Land LLC IP space, and use various SSL certificate strings, as is the case with most of the following:

  • addiggen[.]com (45.141.87[.]47)
  • dorkedit[.]com (45.141.87[.]76)
  • retumele[.]com (45.141.87[.]77)
  • uradorek[.]com (prev. 140.82.30[.]242, 217.69.14[.]63)

20210304A: UNC1878 Domains Registered in Early March 2021

ThreatConnect Research identified several most likely UNC1878 / Wizard Spider domains that were registered on 3/2/21 at essentially the same time and that have registration, hosting, and SSL certificate consistencies with previously identified UNC1878 domains. Early 2021 sets of UNC1878 domains in some cases were registered through NameCheap or OpenProvider, have used their own name servers, are hosted on dedicated servers in Media Land LLC IP space, and use various SSL certificate strings, as is the case with the following:

  • apoula[.]com (45.141.84[.]206)
  • bacynx[.]com (194.26.29[.]149, related Cobalt Strike: 719aca4dd4673a8b5564a3641986e61e)

Another most likely UNC1878 domain, rertai[.]com (45.141.84[.]204), was registered separately on 3/1/21 and was identified in behavioral information for the Cobalt Strike executable de57189286a9aa8880fe7459eaf6b10a.

Update 3/5/21

At least three other domains were registered as part of the above 3/2/21 set:

  • eochea[.]com (194.26.29[.]245, related Cobalt Strike: 755c388efdf5b333ebdab34c11d5e6b3)
  • inctot[.]com (194.26.29[.]246)
  • ptambi[.]com (194.26.29[.]226)
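The two UNC1878 entries above (20210306A and 20210304A) publish domains, hosting IPs, and Cobalt Strike executable hashes in defanged form. The following added example, which is not ThreatConnect's code, refangs those published indicators and matches them against DNS, proxy, and endpoint log lines. The log lines are constructed for the example and are not real telemetry; the field layout (`qname=`, `dst=`, `md5=`) is an assumption. Domain matching is exact-or-subdomain only, so `www.apoula.com` hits while `notapoula.com` does not.

```python
"""Match the UNC1878 indicators published above against log lines.

Indicators are refanged from the defanged form used in the write-up. The log
lines below are constructed for this example and are not real telemetry."""
import re
from typing import List, NamedTuple


def refang(ioc: str) -> str:
    """Undo the common defanging forms: [.] -> . and hxxp -> http."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Indicators from the 20210306A and 20210304A entries (defanged as published)
WATCH_DOMAINS = [refang(d).lower() for d in (
    "addiggen[.]com", "dorkedit[.]com", "retumele[.]com", "uradorek[.]com",
    "apoula[.]com", "bacynx[.]com", "rertai[.]com",
    "eochea[.]com", "inctot[.]com", "ptambi[.]com",
)]
WATCH_IPS = {refang(ip) for ip in (
    "45.141.87[.]47", "45.141.87[.]76", "45.141.87[.]77",
    "45.141.84[.]206", "194.26.29[.]149", "45.141.84[.]204",
    "194.26.29[.]245", "194.26.29[.]246", "194.26.29[.]226",
)}
WATCH_MD5 = {
    "719aca4dd4673a8b5564a3641986e61e",
    "de57189286a9aa8880fe7459eaf6b10a",
    "755c388efdf5b333ebdab34c11d5e6b3",
}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)  # dotted names ending in letters
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)


class Hit(NamedTuple):
    line_no: int
    ioc: str
    kind: str


def matching_domain(host: str) -> str:
    """Return the watched domain that host equals or is a subdomain of, else ''.
    Plain substring matching would let 'notapoula.com' hit 'apoula.com'."""
    host = host.lower().rstrip(".")
    for d in WATCH_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return ""


def scan(lines: List[str]) -> List[Hit]:
    """Scan log lines for watched domains, IPs, and MD5 hashes."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            d = matching_domain(host)
            if d:
                hits.append(Hit(n, d, "domain"))
        for ip in IP_RE.findall(line):
            if ip in WATCH_IPS:
                hits.append(Hit(n, ip, "ip"))
        for h in MD5_RE.findall(line):
            if h.lower() in WATCH_MD5:
                hits.append(Hit(n, h.lower(), "hash"))
    return hits


SAMPLE_LOGS = [  # constructed sample lines; assumed field layout
    "2021-03-04T10:12:01Z dns client=10.0.0.5 qname=www.apoula.com qtype=A",
    "2021-03-04T10:12:02Z proxy client=10.0.0.5 dst=194.26.29.149:443 host=bacynx.com",
    "2021-03-04T10:13:00Z edr host=ws01 process=update.exe md5=719ACA4DD4673A8B5564A3641986E61E",
    "2021-03-04T10:14:00Z dns client=10.0.0.7 qname=notapoula.com qtype=A",
    "2021-03-04T10:15:00Z proxy client=10.0.0.9 dst=93.184.216.34:443 host=example.com",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Against the sample lines the scan reports four hits on lines 1 through 3 (the subdomain query, the proxy connection by both IP and host, and the upper-cased hash) and nothing on lines 4 and 5. Hash comparison is case-insensitive because EDR products differ in how they render digests, and the IP list is a set so that the same indicator is not reported twice per line.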

20210302C: Probable CloudAtlas Domain ms-officeupdate[.]org

ThreatConnect Research identified a probable CloudAtlas / RedOctober domain, ms-officeupdate[.]org, which was registered through BitDomain on 3/1/21 using khalid.hussain@tutanota[.]com. As of 3/2/21, this domain and its MX mail server subdomain are hosted on a dedicated server at OVH IP 192.99.221[.]76. These registration and hosting characteristics are consistent with previously identified CloudAtlas infrastructure detailed in 20201118A: Possible CloudAtlas Infrastructure; however, at this time we don’t have any information on the extent to which this infrastructure has been operationalized.

About the Author

ThreatConnect
