Dear blog readers,
In this post I've decided to share actionable intelligence on the online infrastructure of the FBI's Most Wanted Iranian Mabna hackers, to assist everyone in their cyber attack and cyber threat actor attribution campaigns.
Sample URL structure for the rogue and fraudulent online phishing infrastructure for the campaign:
Stay tuned!