Exposing FBI's Most Wanted Iran's Mabna Hackers - An OSINT Analysis

Dear blog readers,

In this post I've decided to share actionable intelligence on the online infrastructure of FBI's Most Wanted Iran's Mabna Hackers for the purpose of assisting everyone in their cyber attack and cyber threat actor attribution campaigns.

mlibo[.]ml

blibo[.]ga

azll[.]cf

azlll[.]cf

lzll[.]cf

jlll[.]cf

elll[.]cf

lllib[.]cf

tsll[.]cf

ulll[.]tk

tlll[.]cf

libt[.]ga

libk[.]ga

libf[.]ga

libe[.]ga

liba[.]gq

libver[.]ml

ntll[.]tk

ills[.]cf

vtll[.]cf

clll[.]tk

stll[.]tk

llii[.]xyz

lill[.]pro

eduv[.]icu

univ[.]red

unir[.]cf

unir[.]gq

unisv[.]xyz

unir[.]ml

unin[.]icu

unie[.]ml

unip[.]gq

unie[.]ga

unip[.]cf

nimc[.]ga

nimc[.]ml

savantaz[.]cf

unie[.]gq

unip[.]ga

unip[.]ml

unir[.]ga

untc[.]me

jhbn[.]me

unts[.]me

uncr[.]me

lib-service[.]com

unvc[.]me

untf[.]me

nimc[.]cf

anvc[.]me

ebookfafa[.]com

nicn[.]gq

untc[.]ir

librarylog[.]in

llli[.]nl

lllf[.]nl

libg[.]tk

ttil[.]nl

llil[.]nl

lliv[.]nl

llit[.]site

flil[.]cf

e-library[.]me

cill[.]ml

fill[.]cf

libm[.]ga

eill[.]cf

llib[.]cf

eill[.]ga

nuec[.]cf

illl[.]cf

cnen[.]cf

aill[.]nl

eill[.]nl

mlib[.]cf

ulll[.]cf

nlll[.]cf

clll[.]nl

llii[.]cf

etll[.]cf

1edu[.]in

aill[.]cf

atna[.]cf

atti[.]cf

aztt[.]tk

cave[.]gq

ccli[.]cf

cnma[.]cf

cntt[.]cf

crll[.]tk

csll[.]cf

ctll[.]tk

cvnc[.]ga

cvve[.]cf

czll[.]tk

cztt[.]tk

euca[.]cf

euce[.]in

ezll[.]tk

ezplog[.]in

ezproxy[.]tk

eztt[.]tk

flll[.]cf

iell[.]tk

iull[.]tk

izll[.]tk

lett[.]cf

lib1[.]bid

lib1[.]pw

libb[.]ga

libe[.]ml

libg[.]cf

libg[.]ga

libg[.]gq

libloan[.]xyz

libnicinfo[.]xyz

libraryme[.]ir

libt[.]ml

libu[.]gq

lill[.]gq

llbt[.]tk

llib[.]ga

llic[.]cf

llic[.]tk

llil[.]cf

llit[.]cf

lliv[.]tk

llse[.]cf

ncll[.]tk

ncnc[.]cf

nctt[.]tk

necr[.]ga

nika[.]ga

nsae[.]ml

nuec[.]ml

rill[.]cf

rnva[.]cf

rtll[.]tk

sctt[.]cf

shibboleth[.]link

sitl[.]tk

slli[.]cf

till[.]cf

titt[.]cf

uill[.]cf

uitt[.]tk

ulibe[.]ml

ulibr[.]ga

umlib[.]ml

umll[.]tk

uni-lb[.]com

unll[.]tk

utll[.]tk

vsre[.]cf

web2lib[.]info

xill[.]tk

zedviros[.]ir

zill[.]cf

Sample URL structure for the rogue and fraudulent online phishing infrastructure for the campaign:

ezvpn[.]mskcc[.]saea[.]ga

library[.]asu[.]saea[.]ga

library[.]lehigh[.]saea[.]ga

moodle[.]ucl[.]ac[.]saea[.]ga

saea[.]ga

unex[.]learn[.]saea[.]ga

unomaha[.]on[.]saea[.]ga

www[.]uvic[.]saea[.]ga

catalog[.]lib[.]usm[.]edu[.]seae[.]tk

elearning[.]uky[.]edu[.]seae[.]tk

www[.]aladin[.]wrlc[.]org[.]seae[.]tk

alexandria[.]rice[.]ulibr[.]ga

cmich[.]ulibr[.]ga

columbia[.]ulibr[.]ga

edu[.]edu[.]libt[.]cf

ezproxy-authcate[.]lib[.]monash[.]ulibr[.]ga

login[.]revproxy[.]brown[.]edu[.]edu[.]libt[.]cf

ezproxy-authcate[.]monash[.]lib[.]ulibr[.]ga

ezproxy-f[.]deakin[.]au[.]ulibr[.]ga

lib[.]dundee[.]ac[.]uk[.]ulibr[.]ga

cas[.]usherbrooke[.]ca[.]cavc[.]tk

catalog[.]lib[.]ksu[.]edu[.]cavc[.]tk

isa[.]epfl[.]ch[.]cavc[.]tk

login[.]vcu[.]edu[.]cavc[.]tk

www[.]med[.]unc[.]edu[.]cavc[.]tk

cas[.]iu[.]edu[.]cavc[.]tk

ltuvpn[.]latrobe[.]edu[.]au[.]reactivation[.]in

passport[.]pitt[.]edu[.]reactivation[.]in

edu[.]login[.]revproxy[.]brown[.]edu[.]libt[.]cf

shibboleth[.]nyu[.]edu[.]reactivation[.]in

login[.]revproxy[.]brown[.]edu[.]login[.]revproxy[.]brown[.]edu[.]libt[.]cf

weblogin[.]pennkey[.]upenn[.]edu[.]reactivation[.]in

webmail[.]reactivation[.]in

www[.]ezlibproxy1[.]ntu[.]edu[.]sg[.]reactivation[.]in

www[.]ezpa[.]library[.]ualberta[.]ca[.]reactivation[.]in

www[.]lib[.]just[.]edu[.]jo[.]reactivation[.]in

www[.]passport[.]pitt[.]edu[.]reactivation[.]in

http://shib[.]ncsu[.]ulibr[.]cf/idp/profile/SAML2/POST/SSO

www[.]shibboleth[.]nyu[.]edu[.]reactivation[.]in

www[.]weblogin[.]pennkey[.]upenn[.]edu[.]reactivation[.]in

ezlibproxy1[.]ntu[.]edu[.]sg[.]reactivation[.]in

login[.]revproxy[.]brown[.]edu[.]libt[.]cf

weblogin[.]umich[.]edu[.]lib2[.]ml

catalog[.]sju[.]edu[.]mncr[.]tk

ezpa[.]library[.]ualberta[.]ca[.]reactivation[.]in

lib[.]just[.]edu[.]jo[.]reactivation[.]in

login[.]ezproxy[.]lib[.]purdue[.]edu[.]reactivation[.]in

login[.]libproxy[.]temple[.]shibboleth2[.]uchicago[.]ulibr[.]cf

shib[.]ncsu[.]shibboleth2[.]uchicago[.]ulibr[.]cf

shibboleth2[.]uchicago[.]shibboleth2[.]uchicago[.]ulibr[.]cf

singlesignon[.]gwu[.]shibboleth2[.]uchicago[.]ulibr[.]cf

webauth[.]ox[.]ac[.]uk[.]shibboleth2[.]uchicago[.]ulibr[.]cf

edu[.]libt[.]cf

login[.]libproxy[.]temple[.]ulibr[.]cf

shib[.]ncsu[.]ulibr[.]cf

singlesignon[.]gwu[.]ulibr[.]cf

webauth[.]ox[.]ac[.]uk[.]ulibr[.]cf

library[.]cornell[.]ulibr[.]ga

login[.]ezproxy[.]gsu[.]ulibr[.]ga

shibboleth2[.]uchicago[.]ulibr[.]cf

login[.]library[.]nyu[.]ulibr[.]ga

mail[.]ulibr[.]ga

webcat[.]lib[.]unc[.]ulibr[.]ga

www[.]ulibr[.]ga

www[.]alexandria[.]rice[.]ulibr[.]ga

www[.]cmich[.]ulibr[.]ga

www[.]columbia[.]ulibr[.]ga

www[.]ezproxy-authcate[.]lib[.]monash[.]ulibr[.]ga

www[.]ezproxy-authcate[.]monash[.]lib[.]ulibr[.]ga

www[.]ezproxy-f[.]deakin[.]au[.]ulibr[.]ga

www[.]lib[.]dundee[.]ac[.]uk[.]ulibr[.]ga

www[.]library[.]cornell[.]ulibr[.]ga

www[.]login[.]ezproxy[.]gsu[.]ulibr[.]ga

www[.]login[.]library[.]nyu[.]ulibr[.]ga

auth[.]berkeley[.]edu[.]libna[.]ml

sso[.]lib[.]uts[.]edu[.]au[.]libna[.]ml

bb[.]uvm[.]edu[.]cvre[.]tk

cline[.]lib[.]nau[.]edu[.]cvre[.]tk

illiad[.]lib[.]binghamton[.]edu[.]cvre[.]tk

libcat[.]smu[.]edu[.]cvre[.]tk

login[.]brandeis[.]edu[.]cvre[.]tk

msim[.]cvre[.]tk

libcat[.]library[.]qut[.]nsae[.]ml

www[.]webcat[.]lib[.]unc[.]ulibr[.]ga

Stay tuned!

No comments:

Post a Comment