Thursday, January 20, 2022

TrendMicro Releases New Report on a New Cybercrime Group called “Void Balaur” – An OSINT Analysis


Following TrendMicro's recently released report on the Eastern European cybercrime syndicate known as "Void Balaur", I've decided to take the analysis further: enrich the report's original IoCs (Indicators of Compromise) using public sources, including my employer WhoisXML API's real-time and historical WHOIS database, look for additional clues, and offer an in-depth analysis with practical, relevant threat intelligence that could assist you in cyber attack and threat actor attribution campaigns.

Sample personal email accounts used as domain registrants and known to have been involved in the campaign include:


The following related malicious, rogue and fraudulent domains are known to have been registered using the same email accounts:


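The registrant-email pivot described above, turned into code as an added example (not part of the original post or of WhoisXML API's tooling): the WHOIS records are constructed inline with placeholder registrant emails, the domains are a handful from the list, and a brand-lookalike check surfaces the Google, Yandex and Blockchain typosquats a defender would want flagged once the pivot has grouped the domains.

```python
from collections import defaultdict

# Brands the post's lookalike domains imitate.
BRANDS = ("google", "gmail", "yahoo", "yandex", "apple", "blockchain")

# Constructed WHOIS records (domain, registrant email) for this example:
# the emails are placeholders, the domains are taken from the post's list.
WHOIS_RECORDS = [
    ("myaccounts-profile-gmail.com", "Registrant-A@example.com"),
    ("passport-yandex.com", "registrant-a@example.com"),
    ("my-acounts-gooogle.com", "registrant-b@example.com"),
    ("blotckcnain.com", "registrant-b@example.com"),
    ("historyshort.net", "registrant-c@example.com"),
    ("go-plans.info", "registrant-c@example.com"),
]

def levenshtein(a, b):
    """Edit distance between two strings, computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def pivot_by_registrant(records):
    """Reverse-WHOIS pivot: group domains by normalised registrant email."""
    groups = defaultdict(list)
    for domain, email in records:
        groups[email.strip().lower()].append(domain.lower())
    return dict(groups)

def brand_lookalike(domain, max_distance=2):
    """Brand the domain imitates, or None: an exact substring hit ("...-gmail.com")
    or a hyphen-separated token within edit distance ("gooogle", "blotckcnain")."""
    label = domain.lower().split(".")[0]
    tokens = [t for t in label.split("-") if len(t) >= 4]  # drop "go", "my" etc.
    for brand in BRANDS:
        if brand in label or any(levenshtein(t, brand) <= max_distance for t in tokens):
            return brand
    return None

def triage(records):
    """Per registrant email: [(domain, imitated brand or None), ...]."""
    return {email: [(d, brand_lookalike(d)) for d in domains]
            for email, domains in pivot_by_registrant(records).items()}
```
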
A case in point is hxxp://historyshort.net, for which the following malicious and fraudulent MD5s are known to have phoned back to the same C&C (Command and Control) server domain:

Stay tuned!
