Exposing FBI's Most Wanted Iran's Mabna Hackers - An OSINT Analysis

January 27, 2022

Dear blog readers,

In this post I've decided to share actionable intelligence on the online infrastructure of the Mabna Hackers, the Iranian group on the FBI's Most Wanted list, for the purpose of assisting everyone in their cyber attack and cyber threat actor attribution campaigns.

The rogue and fraudulent phishing infrastructure used by the campaign follows a consistent URL structure: the targeted institution's legitimate login, library or proxy hostname is prepended as subdomain labels to one of the rogue apex domains, e.g. login[.]revproxy[.]brown[.]edu[.]libt[.]cf.

Stay tuned!

About Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com