Turning Cobalt Into Diamonds: Building an Actor Profile For Hunting

Summary

Hunting adversaries begins with understanding their behavior through data. In this blog post, we’ll use the Diamond Model as a vehicle to create an actor profile for the criminal group Cobalt Gang. We’ll start by reviewing what is known about the adversary, orienting ourselves to their typical operations, and extracting data from their identified capabilities and infrastructure. We’ll then analyze that data to identify potentially exploitable tactics and strategic considerations for addressing the adversary.

In summary, we were able to identify opportunities for proactively hunting for Cobalt Gang infrastructure based on consistent registrar and ISP usage, which helped us identify four new potentially related domains. We also identified several relevant strategic considerations:

  • The average time from command and control (C2) domain registration to certificate creation is under five hours.
  • Within five days on average, Cobalt Gang compiles malware leveraging the C2 infrastructure they’ve created.
  • An uptick in identified activity occurred in October 2019 with apparent targeting in Southeast Asia.

Building the Actor Profile

Group Overview

We start by constructing a preliminary profile and diamond model for the threat actor from open source intelligence (OSINT). The goal here is to gain familiarity with the actor. Below is a simple diamond model put together from OSINT sources and from this blog's research.

Reporting indicates that Cobalt Gang traditionally targets the financial sector and its suppliers, with a notable focus on Eastern Europe and Southeast Asia. The Malpedia CobInt/COOLPANTS report indicates that the group is expanding its toolset by developing its own malware. Kayslice malware is often seen in conjunction with CobInt malware. Focusing on these malware samples, we'll further our ability to move from reactively to proactively hunting this adversary.

Figure 1: Diamond Model

Please note, the above information is based on our insight into Cobalt Gang; however, if you have additional intel, please consider adding details to our Cobalt Gang Threat in ThreatConnect or creating a new Incident and associating it to the Threat.

In general, this group is known for using phishing emails to deliver malicious documents that download and execute malware, sometimes in multiple stages. Kayslice's primary responsibility is to reach out and download the next stage, CobInt. These tools are our starting point for data extraction.

Capabilities Node – Data Extraction and Analysis

Next, we turn to the capabilities node of the diamond model and the tools attributed to Cobalt Gang; in this case, Kayslice and CobInt. After identifying and collecting as many samples as possible using both YARA rules and pivoting in VirusTotal Graph, we identify the command and control domain from each using static and dynamic analysis. See the IOC section at the bottom for the list of samples inspected. Notably, Kayslice executes well in a sandbox, while CobInt may need some additional work depending on the sandbox's configuration: it is a DLL rather than an executable and thus needs to be loaded differently. Following malware analysis, the domains listed in the Appendix IOC section were identified.

While Kayslice and CobInt are the focus here, something similar could be done for other objects. Malicious documents or phishing pages work as well; it all depends on the capabilities employed by the actor you're focusing on.

Capabilities Node – File Attributes

Portable Executable (PE) file attributes provide a rich source of information that can potentially identify file characteristics specific to the actor behind the file. When extracting PE attributes, notably timestamps, keep in mind that the data can be manipulated. In reviewing CobInt and Kayslice samples (initial list pulled in February 2020), two things stand out when extracting the PE compile timestamp:

  • CobInt appears to be time-stomped, as all samples read 2019-01-15 17:38:40. This is potentially a unique attribute that we can use to hunt for additional CobInt files.
  • The bulk of the Kayslice samples were compiled in the last quarter of 2019.

See table 1 for the extracted data.

Malware Family SHA256 Compile Time
CobInt F916A20817BBEEC2951B6905388FA6C3758DEFA29A0F8ACDAE2309C64302581F 2019-01-15 17:38:40+00:00
CobInt 65A5C5FA49C8709924F14486843DE8BDEE764340C7892492C3A03F610ECF3823 2019-01-15 17:38:40+00:00
CobInt E01645BBC69DD86A8E57AC99D898E4583CE5DECE3380B7F0C1E2EB980E463BB6 2019-01-15 17:38:40+00:00
CobInt 49B64B19193BB87648A76FE37CE698EDA205ED717105D1E53707EE746B6755EF 2019-01-15 17:38:40+00:00
CobInt A310A4A897071A320ECB8A1503B6ADE265F2E9B201AA406910A58DEEF97ACFEC 2019-01-15 17:38:40+00:00
CobInt 22E33C5F607B8C1A4D61CFA5ECB2213666176B0BCD32B94F6122C7F94E6AE976 2019-01-15 17:38:40+00:00
CobInt CDD87D3CC8807C18D7FB2F67768F4DB76506DEAABFC57A47FF2F5F5C798E9951 2019-01-15 17:38:40+00:00
CobInt B14419E960CA44820A9E83038590E54F33C97B76205D60E8CADBA4F05698DDFD 2019-01-15 17:38:40+00:00
CobInt F7869F9F08F1D130EC6E4902B81B1B1C9816CE18C19E2830822514ABE737BB56 2019-01-15 17:38:40+00:00
CobInt 13683756A8BD37F197E9EF208E42C2BC21C0A3EF9E5405A466A35A7855622DFF 2019-01-15 17:38:40+00:00
CobInt 82C55624DD8E02D0E640EFB28318B5DBAE9EF0A87894A0D97CBDA12ABA5100EC 2019-01-15 17:38:40+00:00
CobInt C9725A79C50FD164FB4EE58FBF9FB2EF046B0F19FF2B63526C3B1388D0A0E5A7 2019-01-15 17:38:40+00:00
CobInt F3C8A9E06B08767D5DE27BEAED7504E7C06649842F70516B640EEC2B1F1D3116 2019-01-15 17:38:40+00:00
CobInt BDFE0204E08BAD3292F4D75378763A98CC20477D432D025B639092F3D801B676 2019-01-15 17:38:40+00:00
CobInt AB2D1C35F75A370907FE3EB54CB44F725DB75436166C7D16FA210DE512D6C613 2019-01-15 17:38:40+00:00
CobInt 6908941580BFA5759FF93C0F2807EBEC8CF110E7630DEA9C5267B835E52083DE 2019-01-15 17:38:40+00:00
Kayslice 6bf0bbe9097582c50c03cba8b317d118e6066a2ab535f64bb959161ac4b41220 2019-09-23 12:44:48+00:00
Kayslice 17b36695dd78448572548c48cb24a2971ba591f68ff9aae42c57b5b89bf87f74 2019-10-02 09:30:10+00:00
Kayslice 3ebd76b2ee9bae0465a8a9eec5a0f76e4b4f04a0aabebb70b513966732e7133f 2019-10-04 07:04:19+00:00
Kayslice 3d953b5ecfd5125569b18bbf2757343e77d7035188f1854cdcd20b42eec6c187 2019-10-04 07:04:19+00:00
Kayslice 1d772438392b1e84d3ce800e181603646ae675e8572f7f741184b83537c5451f 2019-10-07 20:46:12+00:00
Kayslice a9198f8ed7f04e9ab7d474ada065850b5dce457ea2ddd86ddf513ca0f5adaebd 2019-10-11 08:51:14+00:00
Kayslice 6e1aa2550edd3deded2018786547ec6613dd9af8ac978eb422e2a220cd91b3e7 2019-10-13 17:14:27+00:00
Kayslice 72125933265f884ceb8ab64ab303ea76aaeb7877faee8976d398acd0d0b7356b 2019-10-13 17:14:27+00:00
Kayslice 23c708efa99aa8abcf666be4ba653e8946e89b65711a2e8ad198c9c29fbe9620 2019-10-13 17:14:27+00:00
Kayslice b79600b47408182b9017ea95516f28e44382e5f0bae0f9fd37cdc10800c59836 2019-10-16 11:40:52+00:00
Kayslice 3c34bbf641df25f9accd05b27b9058e25554fdfea0e879f5ca21ffa460ad2b01 2019-10-16 11:40:52+00:00
Kayslice d2f5f2f3aed499c9985895452e7ceb72a4910cb66bf24f22b01f00a7f93f6b2e 2019-10-16 11:51:17+00:00
Kayslice fe16a85a3f0094134eef4ba209c188a186ed269de90a6b5a84bcc4b90470cc79 2019-10-22 11:03:23+00:00
Kayslice bc504b51563959abb11a456ef926b255d8dd679710cedcc1ed7815e8be4e877c 2019-10-22 11:07:46+00:00
Kayslice 893339624602c7b3a6f481aed9509b53e4e995d6771c72d726ba5a6b319608a7 2019-10-22 11:11:46+00:00
Kayslice 2c542c38d15d6e25cf33e742716bf1ca14db791d568686ccd8ca09cadda83c7e 2019-10-22 11:11:46+00:00
Kayslice 614e2555e87052bd095630d408e8217814307a3ad9ddec832414628276e7014f 2019-11-19 18:32:23+00:00
Kayslice 9f3e650e5e69afcfeff0f776f721ce992100a2227ad968599e0b5b289146a12d 2019-11-20 21:00:52+00:00
Kayslice 1d83bde0871506ec2f6eb789851b0acdd725ab9c928c5b6643dd1d7a319ea7bd 2019-11-29 10:06:32+00:00
Kayslice 4b7a401fa27ead525cf8ffbfb09f1763054850fe1f61d828aed2d8c779f02141 2019-11-29 10:06:32+00:00
Kayslice a19113332a53aaf54cc1e0608611858587063454f5cbb2a9035b7fa1eea5a20f 2019-12-09 10:04:32+00:00
Kayslice 0c85c1045899291cba47c7171599446642b87015a76d5b22f8cc51f4a6e45a90 2019-12-18 14:23:41+00:00
Kayslice 64d16900fce924da101744edce28b9ee648192486d9062c427c17589b5f204fb 2019-12-18 14:23:41+00:00
Kayslice 212e1853d7aa98d66a864f7280635554c8a57e89ec2d76a21588bcdf2ed44f00 2020-01-23 20:10:36+00:00

Table 1: Compile Timestamps
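As an added example (not code from the original post), the following Python reads the compile timestamp directly from the PE IMAGE_FILE_HEADER and groups samples that share one exact build second, which is the time-stomping signal observed for CobInt in Table 1. The PE buffers are constructed inside the script rather than taken from real samples; the timestamp values are the ones from Table 1.

```python
import struct
from collections import defaultdict
from datetime import datetime, timezone

# Value the page reports for every CobInt sample's PE compile timestamp (time-stomped)
COBINT_STOMP = datetime(2019, 1, 15, 17, 38, 40, tzinfo=timezone.utc)


def pe_compile_time(data: bytes) -> datetime:
    """Read IMAGE_FILE_HEADER.TimeDateStamp from a PE image and return it as an aware UTC datetime.

    Raises ValueError if the MZ or PE signatures are missing or the headers are truncated.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Signature (4 bytes) + IMAGE_FILE_HEADER (20 bytes) must fit inside the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    raw = struct.unpack_from("<I", data, e_lfanew + 4 + 4)[0]
    return datetime.fromtimestamp(raw, tz=timezone.utc)


def build_fake_pe(stamp: datetime) -> bytes:
    """Constructed test input: a minimal, non-executable PE-shaped buffer with a chosen TimeDateStamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: NT headers start at 0x40
    file_header = struct.pack("<HHIIIHH",
                              0x014C,                   # Machine: i386
                              1,                        # NumberOfSections
                              int(stamp.timestamp()),   # TimeDateStamp (seconds since epoch)
                              0, 0,                     # PointerToSymbolTable, NumberOfSymbols
                              0xE0,                     # SizeOfOptionalHeader (PE32)
                              0x0102)                   # Characteristics: EXECUTABLE_IMAGE | 32BIT
    return bytes(dos) + b"PE\0\0" + file_header


def timestamp_clusters(samples: dict, min_size: int = 3) -> dict:
    """Group samples by compile timestamp; return only timestamps shared by at least min_size samples.

    Many independent builds sharing one exact second is the time-stomping signal the page observed
    for CobInt, and the shared value becomes a pivot for finding more files of the same family.
    """
    by_stamp = defaultdict(list)
    for name, blob in samples.items():
        by_stamp[pe_compile_time(blob)].append(name)
    return {stamp: names for stamp, names in by_stamp.items() if len(names) >= min_size}


# Constructed sample set: three CobInt-style files carrying the stomped value and two
# Kayslice-style files with distinct build times (timestamps taken from Table 1).
SAMPLES = {
    "cobint_a": build_fake_pe(COBINT_STOMP),
    "cobint_b": build_fake_pe(COBINT_STOMP),
    "cobint_c": build_fake_pe(COBINT_STOMP),
    "kayslice_a": build_fake_pe(datetime(2019, 9, 23, 12, 44, 48, tzinfo=timezone.utc)),
    "kayslice_b": build_fake_pe(datetime(2019, 10, 2, 9, 30, 10, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for stamp, names in timestamp_clusters(SAMPLES).items():
        print(f"{stamp.isoformat()} shared by {len(names)} samples: {', '.join(names)}")
```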

Correlate Infrastructure Node Data to Distill Information

Our next step is to inspect characteristics of the identified domains to draw insights into how Cobalt Gang registers domains, sets up its infrastructure, and against whom it deploys malware leveraging that infrastructure. In the course of our research, we used data from sources such as DomainTools, Cisco Umbrella, and crt.sh to analyze and enrich the identified infrastructure.

For the purposes of this research, we'll restrict the data to just the domains registered from 2019 to now. Let's see what can be extrapolated from the infrastructure side of the diamond model.

Infrastructure Node – WHOIS Review

Focusing on domain enrichment, there are three key areas we'll examine to better understand how Cobalt Gang is leveraging its infrastructure — WHOIS, hosting, and certificates. Starting with the WHOIS information, you might notice that the identified domains employ privacy protection and don't have an email address or other singular, pivotable characteristics. For example, take the expiredmaggio[.]info domain below:

Figure 2: Whois info in ThreatConnect

While this singular WHOIS record may not reveal any notable insight on Cobalt Gang’s registration tactics, reviewing the characteristics for all the identified domains illuminates some preferences. Using DomainTools Iris, we pulled out registration and hosting information for the identified domains and created charts to illustrate the findings.

The registrar count below shows the number of times each registrar was used to procure a domain. While several different registrars were used, Cobalt Gang used reg[.]ru for 11 of the 15 domains registered from 2019 to now. The registrar is typically indicative of which name server will be used, reg[.]ru in this case.

Figure 3: Domain Registrars

In terms of top level domain (TLD) usage, Cobalt Gang demonstrated a clear preference for [.]info domains. Price and the availability of the underlying domains most likely are the main motivators behind using [.]info TLDs.

Figure 4: TLD Used

Finally, in reviewing the ISP information for the IPs where the domains are hosted, we see that 8 of the 15 domains were hosted at a Beget LLC IP.

Figure 5: Hosting ISPs

Individually, none of these preferences are unique enough to help us hunt for or proactively address Cobalt Gang. However, when their powers combine, the strength of all of these data points is realized.

Figure 6: Powers Combined

In 2019, this actor favored:

  • Beget LLC – IP Hosting
  • .info – TLD
  • reg[.]ru – Registrar

Figure 1 reflects these data points in the diamond model.

Infrastructure Node – Certificate Review

Following the WHOIS review, we inspected the available certificate information for the domains using crt.sh. For domains that had more than one certificate created, we reviewed those created earliest. Our hope is to identify any potentially unique certificate strings, certificate authority usage, or relevant timing with respect to domain creation. See Table 2 for the data points of interest.

Domain | Issuer Common Name | Cert Registration Date
centos-update[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-08-30 13:25:44+00:00
0345432456[.]info | Let's Encrypt Authority X3 | 2019-10-02 10:51:21+00:00
paysimcard[.]info | Let's Encrypt Authority X3 | 2019-10-02 10:54:24+00:00
hunvenbinusa[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-05 21:49:04+00:00
5571875[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-05 22:04:02+00:00
segwitfeesavings[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-15 21:48:18+00:00
fraud-bank[.]host | Let's Encrypt Authority X3 | 2019-10-16 07:30:49+00:00
adminassistance[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-21 20:07:44+00:00
bestguesspass[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-21 20:18:11+00:00
boomedon[.]info | Let's Encrypt Authority X3 | 2019-11-19 08:37:39+00:00
recreationbike[.]info | Let's Encrypt Authority X3 | 2019-11-19 08:47:49+00:00
cari-properti[.]info | Let's Encrypt Authority X3 | 2019-11-20 18:51:25+00:00
telekom-support[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-12-17 20:31:10+00:00
expiredmaggio[.]info | GlobalSign RSA DV SSL CA 2018 | 2020-01-22 19:25:02+00:00

Table 2: Certificate Information

Reviewing the data shows two certificate authorities — Let’s Encrypt and GlobalSign — being used with no clear favorite between the two; however, these authorities are widely used and not singularly sufficient to proactively hunt for Cobalt Gang.

When we review the certificates' temporal information in conjunction with their domains' creation timestamps, we see a notable trend. All of Cobalt Gang's domains that we reviewed had an SSL certificate created within thirteen hours of domain registration.

Figure 7: Time from Domain Registration to Certificate Creation

The closeness in time between domain registration and certificate creation can be used to help hunt the actor, which will be covered in a later section.

Victim Node – Deducing Primary Target Region

Cisco Umbrella can provide hints about the geographical areas the actor is targeting through DNS telemetry. Cisco's OpenDNS sees 140 billion DNS requests a day. This level of visibility provides insight into the regions of the world where DNS activity is being seen. With this in mind, approach this technique with caution, as it reflects the view of a single DNS provider — the machine could be accessing the domain for other reasons, such as the operator setting it up or malware running in a sandbox connected to the Internet through a proxy.

Umbrella breaks down the DNS requests for a domain into percentages (Figure 8).

Figure 8: DNS Telemetry from Cisco Umbrella

Start with a simple approach: take the highest percentage for each domain and use that country as the primary target region. The domain securegrandix[.]com is tied at 33.33% between Russia and Malaysia, so one entry for each was added.

Most DNS Lookups to this Country | Bulk DNS Queries Resolved Here For Domain | Count
Malaysia | 0345432456[.]info, 5571875[.]info, cari-properti[.]info, centos-update[.]info, expiredmaggio[.]info, hunvenbinusa[.]info, paysimcard[.]info, securegrandix[.]com, segwitfeesavings[.]info, telekom-support[.]info | 10
Laos | boomedon[.]info, recreationbike[.]info | 2
Poland | adminassistance[.]info | 1
Viet Nam | bestguesspass[.]info | 1
Canada | fraud-bank[.]host | 1
Russian Federation | securegrandix[.]com | 1

Table 3: Primary DNS Resolution for each Domain by Country

Figure 9 shows this data mapped out.

Figure 9: Countries with the highest DNS requests per domain

Notice that most of the countries highlighted with more than one hit are located in Southeast Asia, which, when reviewing our diamond model, is consistent with previously identified Cobalt Gang activity.

Interlinking the Diamond Model

The corners of the diamond model all combine to form an overall picture. Overlaying data points from the infrastructure and capabilities nodes is one way to gain visibility into the behavior of an actor. For example, take the timestamps gathered from the infrastructure analysis and the capabilities analysis and superimpose them, as in Figure 10. Viewing these data points in unison allows an analyst to quickly see behavior patterns like the one between domain registration and Kayslice compile time. Kayslice is compiled just under 2 days (median) after the domain is registered, giving us a two-day window to identify domains before they are weaponized. This graphic also provides evidence that Kayslice is not time-stomped, given the closeness in time between domain registration and compilation.

Figure 10: Domain Registration to Event (in Hours)

The final graph, Figure 11, plots domain registrations and certificate creation against a calendar.

Figure 11: Domain / Certificate Creation Date Time Overview

Some domains appear to be registered back to back within hours of each other.

Flipping the Tables: Operationalizing Analysis

Tactical Intelligence and Hunting

Now it's time to use what was gathered about the actor to identify potential domains before they are compiled into a binary (just under 2 days median turnaround time).

Returning to DomainTools, construct a query to look for:

  • TLD: info
  • Name Server: reg[.]ru
  • Hosting IP: Beget LLC
  • Created on or after: 10-01-2019
    • This month was chosen based on when the bulk of the activity was first seen.

A saved Iris query encoding these criteria is also available for those who want to run it.


A similar query can also be constructed in VirusTotal:

entity:domain tld:info ns:"reg.ru" aso:"beget llc" creation_date:2019-10-01+

The above two queries combined return 37 unique domains, including some already-known Kayslice and CobInt domains. There are still a few to weed through, so let's check which ones have a corresponding certificate created within 13 hours of the domain being registered. Table 6 is the final output.

Domain | Cert Issuer Common Name | Domain Creation Date Time | Certificate Registration | Domain Certificate Time Delta
menso-blog[.]info | GlobalSign RSA DV SSL CA 2018 | 2020-02-05 13:49:45.716000+00:00 | 2020-02-05 14:35:00+00:00 | 0:45:14
vtbcapital[.]info | Let's Encrypt Authority X3 | 2020-01-28 16:09:38.735000+00:00 | 2020-01-28 16:48:29+00:00 | 0:38:50
turkbazar[.]info | GlobalSign RSA DV SSL CA 2018 | 2020-01-25 16:18:04.180000+00:00 | 2020-01-26 01:36:51+00:00 | 9:18:47
advokatu[.]info | Let's Encrypt Authority X3 | 2019-11-26 11:38:48.549000+00:00 | 2019-11-26 16:30:23+00:00 | 4:51:34
mnogoskidok[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-11-29 13:43:19.377000+00:00 | 2019-11-29 14:45:54+00:00 | 1:02:35
zamkadom[.]info | GlobalSign RSA DV SSL CA 2018 | 2020-02-18 08:02:53.816000+00:00 | 2020-02-18 08:48:12+00:00 | 0:45:18
inet-hoster[.]info | GlobalSign RSA DV SSL CA 2018 | 2020-01-19 11:52:27.049000+00:00 | 2020-01-19 13:39:31+00:00 | 1:47:04
cloud-america[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-12-17 20:33:19.974000+00:00 | 2019-12-17 21:23:52+00:00 | 0:50:32
segwitfeesavings[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-15 20:15:21.289000+00:00 | 2019-10-15 21:48:18+00:00 | 1:32:57
hunvenbinusa[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-05 21:33:09.016000+00:00 | 2019-10-05 21:49:04+00:00 | 0:15:55
5571875[.]info | GlobalSign RSA DV SSL CA 2018 | 2019-10-05 21:17:14.399000+00:00 | 2019-10-05 22:04:02+00:00 | 0:46:48
recreationbike[.]info | Let's Encrypt Authority X3 | 2019-11-18 20:30:49.764000+00:00 | 2019-11-19 08:47:49+00:00 | 12:16:59

Table 6: Cobalt Gang Hunting

The bottom four domains have already been associated with Cobalt Gang. A researcher on Twitter called out cloud-america[.]info as a suspected Cobalt Gang domain back in December; however, there is no known malware at this time [3]. The remaining domains have no associated malware in VirusTotal either.

Domain | Umbrella DNS | Percent
inet-hoster[.]info | Russia | 100%
vtbcapital[.]info | Poland | 100%
meso-blog[.]info | NA | NA
turkbazar[.]info | Viet Nam | 100%
advokatu[.]info | Ukraine | 100%
zamkadom[.]info | Canada | 100%
cloud-america[.]info | Russia | 100%
mnogoskidok[.]info | Russia | 100%

Table 7: DNS Telemetry for Possible Cobalt Gang Domains

Interestingly, turkbazar[.]info DNS telemetry shows Viet Nam as the number one location, matching the confirmed domain bestguesspass[.]info (taken 2020-03-03). Note that the DNS telemetry appears to change over time based on the underlying window, so your results may differ. Overall, ThreatConnect recommends monitoring these domains and repeating/updating this process as more information becomes available.

From a capabilities perspective, the time-stomped CobInt tool makes for a nice pivot point. This can be done with a YARA rule or a custom query in VirusTotal. ThreatConnect exposes this pivot point through the Browse screen. Figure 12 shows the results of pivoting on 2019-01-15T17:38:40Z in ThreatConnect.

Figure 12: Compilation Time-Stomp Pivot in ThreatConnect

Strategic Intelligence

Patterns in timing information help an analyst in multiple ways, not only at a tactical level but also at a strategic level. At the strategic level, time deltas can give insight into a threat actor's operation that an analyst can exploit. In the case of Cobalt Gang, this insight allows us to determine the window of opportunity we have to find the infrastructure while it is still being set up, i.e. before it's operationalized. Figure 10 shows us that there is about a 2 day median between the domain being registered and the malware being compiled. Discovering windows like this allows us to fine tune and prioritize hunting efforts to stay a step ahead of the adversary and ultimately neutralize domains before they become active.

Conclusion

Studying the behavior and tools of adversaries aids both defenders and threat hunters in spotting and stopping adversary attacks. Data is key! Extracting and understanding the available data is a must to understand one's adversaries. The same data can be viewed through multiple lenses. An analyst can plot the domain and certificate creation timestamps to see when the activity occurred and then compute time deltas on those same dates to gain insight into the threat actor's behavior. This strategic intelligence helps the threat hunter understand what window they have to find infrastructure before it's used. All of this is an effort to exploit patterns of human behavior to stay one step ahead. At ThreatConnect, we consistently employ techniques like these to protect our users.

For more on the Cobalt Gang, listen to Episode 5 of It’s 5-O’SOC Somewhere, our podcast.

Appendix

IOCs

Malware Family SHA256 Domain
CobInt F916A20817BBEEC2951B6905388FA6C3758DEFA29A0F8ACDAE2309C64302581F securegrandix[.]com
CobInt 65A5C5FA49C8709924F14486843DE8BDEE764340C7892492C3A03F610ECF3823 fraud-bank[.]host
CobInt E01645BBC69DD86A8E57AC99D898E4583CE5DECE3380B7F0C1E2EB980E463BB6 bestguesspass[.]info
CobInt A310A4A897071A320ECB8A1503B6ADE265F2E9B201AA406910A58DEEF97ACFEC 5571875[.]info
CobInt 22E33C5F607B8C1A4D61CFA5ECB2213666176B0BCD32B94F6122C7F94E6AE976 hunvenbinusa[.]info
CobInt F7869F9F08F1D130EC6E4902B81B1B1C9816CE18C19E2830822514ABE737BB56 hunvenbinusa[.]info
CobInt CDD87D3CC8807C18D7FB2F67768F4DB76506DEAABFC57A47FF2F5F5C798E9951 recreationbike[.]info
CobInt B14419E960CA44820A9E83038590E54F33C97B76205D60E8CADBA4F05698DDFD hunvenbinusa[.]info
CobInt 49B64B19193BB87648A76FE37CE698EDA205ED717105D1E53707EE746B6755EF cari-properti[.]info
CobInt 13683756A8BD37F197E9EF208E42C2BC21C0A3EF9E5405A466A35A7855622DFF segwitfeesavings[.]info
CobInt 82C55624DD8E02D0E640EFB28318B5DBAE9EF0A87894A0D97CBDA12ABA5100EC paysimcard[.]info
CobInt C9725A79C50FD164FB4EE58FBF9FB2EF046B0F19FF2B63526C3B1388D0A0E5A7 hunvenbinusa[.]info
CobInt F3C8A9E06B08767D5DE27BEAED7504E7C06649842F70516B640EEC2B1F1D3116 telekom-support[.]info
CobInt BDFE0204E08BAD3292F4D75378763A98CC20477D432D025B639092F3D801B676 0345432456[.]info
CobInt AB2D1C35F75A370907FE3EB54CB44F725DB75436166C7D16FA210DE512D6C613 expiredmaggio[.]info
CobInt 6908941580BFA5759FF93C0F2807EBEC8CF110E7630DEA9C5267B835E52083DE recreationbike[.]info
Kayslice 17b36695dd78448572548c48cb24a2971ba591f68ff9aae42c57b5b89bf87f74 0345432456[.]info
Kayslice 6bf0bbe9097582c50c03cba8b317d118e6066a2ab535f64bb959161ac4b41220 centos-update[.]info
Kayslice 3ebd76b2ee9bae0465a8a9eec5a0f76e4b4f04a0aabebb70b513966732e7133f paysimcard[.]info
Kayslice 2c542c38d15d6e25cf33e742716bf1ca14db791d568686ccd8ca09cadda83c7e fraud-bank[.]host
Kayslice bc504b51563959abb11a456ef926b255d8dd679710cedcc1ed7815e8be4e877c adminassistance[.]info
Kayslice b79600b47408182b9017ea95516f28e44382e5f0bae0f9fd37cdc10800c59836 fraud-bank[.]host
Kayslice fe16a85a3f0094134eef4ba209c188a186ed269de90a6b5a84bcc4b90470cc79 bestguesspass[.]info
Kayslice a9198f8ed7f04e9ab7d474ada065850b5dce457ea2ddd86ddf513ca0f5adaebd 5571875[.]info
Kayslice 3d953b5ecfd5125569b18bbf2757343e77d7035188f1854cdcd20b42eec6c187 paysimcard[.]info
Kayslice 3c34bbf641df25f9accd05b27b9058e25554fdfea0e879f5ca21ffa460ad2b01 fraud-bank[.]host
Kayslice 4b7a401fa27ead525cf8ffbfb09f1763054850fe1f61d828aed2d8c779f02141 cari-properti[.]info
Kayslice 64d16900fce924da101744edce28b9ee648192486d9062c427c17589b5f204fb telekom-support[.]info
Kayslice 614e2555e87052bd095630d408e8217814307a3ad9ddec832414628276e7014f recreationbike[.]info
Kayslice 23c708efa99aa8abcf666be4ba653e8946e89b65711a2e8ad198c9c29fbe9620 hunvenbinusa[.]info
Kayslice 72125933265f884ceb8ab64ab303ea76aaeb7877faee8976d398acd0d0b7356b hunvenbinusa[.]info
Kayslice 6e1aa2550edd3deded2018786547ec6613dd9af8ac978eb422e2a220cd91b3e7 hunvenbinusa[.]info
Kayslice 893339624602c7b3a6f481aed9509b53e4e995d6771c72d726ba5a6b319608a7 fraud-bank[.]host
Kayslice 0c85c1045899291cba47c7171599446642b87015a76d5b22f8cc51f4a6e45a90 telekom-support[.]info
Kayslice 1d772438392b1e84d3ce800e181603646ae675e8572f7f741184b83537c5451f 5571875[.]info
Kayslice d2f5f2f3aed499c9985895452e7ceb72a4910cb66bf24f22b01f00a7f93f6b2e segwitfeesavings[.]info
Kayslice a19113332a53aaf54cc1e0608611858587063454f5cbb2a9035b7fa1eea5a20f cari-properti[.]info
Kayslice 212e1853d7aa98d66a864f7280635554c8a57e89ec2d76a21588bcdf2ed44f00 expiredmaggio[.]info
Kayslice 1d83bde0871506ec2f6eb789851b0acdd725ab9c928c5b6643dd1d7a319ea7bd cari-properti[.]info
Kayslice 9f3e650e5e69afcfeff0f776f721ce992100a2227ad968599e0b5b289146a12d boomedon[.]info


About the Author
ThreatConnect Research Team

The ThreatConnect Research Team is an elite group of globally acknowledged cybersecurity experts dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we've learned so that you can protect your organization, and your team can take precise action against threats.