URL: https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/
09.11.20


RESEARCH ROUNDUP: ACTIVITY ON PREVIOUSLY IDENTIFIED APT33 DOMAINS

in Threat Research | by ThreatConnect Research Team


Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent
findings by our Research Team and items from open source publications that have
resulted in Observations of related indicators across ThreatConnect’s CAL™
(Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect
account.

In this edition, we cover:

 * APT33
 * RedDelta PlugX
 * Domains Spoofing CDN, News, and File Sharing Sites
 * Emotet

 

Roundup Highlight: Activity on Previously Identified APT33 Domains



20200908A: Previously Identified APT33 Domains Resolving to 109.230.199[.]157

 

Our highlight in this Roundup is Incident 20200908A: Previously Identified APT33
Domains Resolving to 109.230.199[.]157. A number of APT33 domains previously
identified in a Trend Micro report on obfuscated command and control
infrastructure — zeverco[.]com (oliverleftley@inbox[.]com), service-eset[.]com
(wata.nakatsu@mail[.]com), simsoshop[.]com (tsuda2016@mail[.]com), and
qualitweb[.]com (tsuyukisogawa@inbox[.]lv) — began resolving to
109.230.199[.]157 in late July 2020. At this time, we do not know whether
this IP address is a sinkhole or a parking IP used for previously malicious
infrastructure. Further, we do not know the extent to which the aforementioned
domains are still under APT33’s control. If 109.230.199[.]157 is a sinkhole or
is otherwise not under APT33’s control, then the additional infrastructure below
is not necessarily associated with APT33 and may belong to a different actor.

Several additional domains not previously associated with APT33 or other actors’
activity also began resolving to this IP in the last two months. The identified
domains (and their registrants when known) include the following:

 * publicsecur[.]com
 * akadnsplugin[.]com (joshua.toon1978@mail[.]com)
 * service-houston[.]com
 * support-newyork[.]com
 * ocsp-support[.]com (warren.jones2626@mail[.]com)

Given our uncertainty on whether the previous domains and 109.230.199[.]157 IP
address are under APT33’s control, we do not know if these domains are also
associated with APT33. Regardless, they merit further scrutiny as some of them
were registered through suspicious resellers like THCservers that various state
and criminal actors have used to procure infrastructure.

Also of note, the ocsp-support[.]com domain may be associated with two other
domains — prefmsedge[.]com (warren.jones6363@inbox[.]lv) and
tracking-protection[.]net (warrenjones39458@protonmail[.]com) — based on the
reuse of the “Warren Jones” string in the registrant email addresses. Unlike
ocsp-support[.]com, these two domains were registered through AminServe.
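
The three pivots used in this highlight (domains newly resolving to a shared
IP, registrant-email string reuse, and reseller reuse) can be scripted over
passive DNS and WHOIS exports. The script below is an added example written
for this page; it is not ThreatConnect code and does not touch CAL. The
indicators and registrant emails are the ones named above, but the
first-seen dates, the registrar values other than AminServe, and the two
*.example decoy rows are constructed placeholders, and collapsing a
registrant email to a letters-only key is a heuristic that the post only
applies by hand.

```python
import re
from collections import defaultdict

# Constructed passive-DNS rows: (domain, resolved_ip, first_seen ISO date).
# Indicators are from the post; the dates are illustrative placeholders and
# the two *.example rows are decoys that the filter must reject.
PDNS = [
    ("zeverco[.]com",          "109.230.199[.]157", "2020-07-28"),
    ("service-eset[.]com",     "109.230.199[.]157", "2020-07-29"),
    ("simsoshop[.]com",        "109.230.199[.]157", "2020-07-29"),
    ("qualitweb[.]com",        "109.230.199[.]157", "2020-07-30"),
    ("publicsecur[.]com",      "109.230.199[.]157", "2020-08-10"),
    ("akadnsplugin[.]com",     "109.230.199[.]157", "2020-08-12"),
    ("service-houston[.]com",  "109.230.199[.]157", "2020-08-20"),
    ("support-newyork[.]com",  "109.230.199[.]157", "2020-08-21"),
    ("ocsp-support[.]com",     "109.230.199[.]157", "2020-09-01"),
    ("old-parked[.]example",   "109.230.199[.]157", "2019-03-01"),  # decoy: too old
    ("unrelated[.]example",    "198.51.100[.]7",    "2020-08-15"),  # decoy: other IP
]

# Constructed WHOIS rows: domain -> (registrant email or None, registrar).
# Emails are from the post; registrar values are placeholders except
# AminServe for the two "Warren Jones" siblings, which the post states.
WHOIS = {
    "akadnsplugin[.]com":        ("joshua.toon1978@mail[.]com",        "THCservers"),
    "ocsp-support[.]com":        ("warren.jones2626@mail[.]com",       "THCservers"),
    "prefmsedge[.]com":          ("warren.jones6363@inbox[.]lv",       "AminServe"),
    "tracking-protection[.]net": ("warrenjones39458@protonmail[.]com", "AminServe"),
    "publicsecur[.]com":         (None,                                 "THCservers"),
    "unrelated[.]example":       ("alice.smith@example[.]org",         "ExampleRegistrar"),
}


def refang(indicator: str) -> str:
    """Restore a defanged domain/IP ('a[.]b') to its live form ('a.b')."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Bracket the last dot of a domain/IP, the convention this post uses."""
    head, sep, tail = indicator.rpartition(".")
    return f"{head}[.]{tail}" if sep else indicator


def new_resolutions(pdns, ip, since):
    """Domains whose earliest observed resolution to `ip` is on/after `since`.

    ISO-8601 dates compare correctly as plain strings. A domain that resolved
    to the IP long before `since` is dropped: in the post's scenario that
    history points at a parking or sinkhole address, not fresh infrastructure.
    """
    target = refang(ip)
    first_seen = {}
    for domain, resolved, seen in pdns:
        if refang(resolved) != target:
            continue
        d = refang(domain)
        first_seen[d] = min(seen, first_seen.get(d, seen))
    return sorted(d for d, seen in first_seen.items() if seen >= since)


def registrant_key(email: str) -> str:
    """Collapse a registrant email to the letters of its local part.

    Lower-case, then drop digits and separators, so the three "Warren Jones"
    addresses map to one key despite different digits and mail providers.
    """
    local = refang(email).split("@", 1)[0].lower()
    return re.sub(r"[^a-z]", "", local)


def registrant_clusters(whois):
    """Group domains whose registrant emails normalise to the same key.

    Singletons are dropped: one domain per key is not a pivot.
    """
    groups = defaultdict(list)
    for domain, (email, _registrar) in whois.items():
        if email:
            groups[registrant_key(email)].append(refang(domain))
    return {key: sorted(doms) for key, doms in groups.items() if len(doms) > 1}


def registered_via(whois, registrars):
    """Domains registered through any of the named registrars or resellers."""
    wanted = {r.lower() for r in registrars}
    return sorted(refang(d) for d, (_e, reg) in whois.items() if reg.lower() in wanted)


if __name__ == "__main__":
    print("Newly resolving to 109.230.199[.]157 since 2020-07-01:")
    for d in new_resolutions(PDNS, "109.230.199[.]157", "2020-07-01"):
        print("   ", defang(d))
    print("Registrant-string clusters:", registrant_clusters(WHOIS))
    print("Registered via THCservers:", registered_via(WHOIS, ["THCservers"]))
```

Treat the registrant-string cluster as the weakest of the three pivots:
the same normalisation that joins warren.jones2626 and warrenjones39458 would
also join two unrelated registrants who happen to share a common name, so
report it as "may be associated", as the post does, and corroborate with
hosting, certificate, or timing overlap before acting on it.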

ThreatConnect Research Team Intelligence: Items recently created or updated in
the ThreatConnect Common Community by our Research Team.

 * 20200908B: File Matching YARA Rule Associated to RedDelta PlugX.
   ThreatConnect Research identified a RedDelta PlugX binary and extracted
   command and control locations from the embedded configuration.
 * 20200909A: CDN and News-spoofing Probable Phishing Domains Hosted at
   185.228.83[.]110. ThreatConnect Research identified a set of suspicious
   domains hosted on a probable dedicated server that spoof various content
   delivery networks (CDNs), news organizations, and file sharing sites. At
   least one of the domains was identified in phishing activity spoofing an
   Italian organization. Additional associated domains were identified based on
   SSL certificate reuse.

Technical Blogs and Reports: Incidents with Active and Observed Indicators.
Incidents associated with one or more Indicators with an Active status and at
least one global Observation across the ThreatConnect community. These analytics
are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

 * Emotet C2 Deltas from 2020/09/09 as of 8:00EDT or 12:00UTC (Source:
   https://paste.cryptolaemus.com/emotet/2020/09/09/emotet-C2-Deltas-0800-1200_09-09-20.html)
 * Threat Roundup for August 28 to September 4 (Source:
   https://blog.talosintelligence.com/2020/09/threat-roundup-0828-0904.html)

 



To receive ThreatConnect notifications about any of the above, remember to check
the “Follow Item” box on that item’s Details page.

About the Author
ThreatConnect Research Team

The ThreatConnect Research Team is an elite group of globally acknowledged
cybersecurity experts, dedicated to tracking down existing and emerging cyber
threats. We scrutinize trends, technology and socio-political motivators to
develop comprehensive knowledge of the cyber landscape. Then, we share what
we’ve learned so that you can protect your organization, and your team can take
precise action against threats.
