Even top security researchers can be fished

Google recently announced a “New campaign targeting security researchers“.
“In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.”

IOCs below:

Actor controlled sites and accounts

Research Blog

https://blog.br0vvnn[.]io

Twitter Accounts

https://twitter.com/br0vvnn


https://twitter.com/djokovic808
https://twitter.com/henya290




LinkedIn Accounts

https://www.linkedin.com/in/billy-brown-a6678b1b8/
https://www.linkedin.com/in/guo-zhang-b152721bb/
https://www.linkedin.com/in/hyungwoo-lee-6985501b9/
https://www.linkedin.com/in/linshuang-li-aa696391bb/
https://www.linkedin.com/in/rimmer-trajan-2806b21bb/

Keybase

https://keybase.io/zhangguo

Telegram

https://t.me/james50d

Sample Hashes

https://www.virustotal.com/gui/file/4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244/detection (VS Project DLL)
https://www.virustotal.com/gui/file/68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7/detection (VS Project DLL)
https://www.virustotal.com/gui/file/25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc/detection (VS Project Dropped DLL)
https://www.virustotal.com/gui/file/a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855/detection (VS Project Dropped DLL)
https://www.virustotal.com/gui/file/a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15/detection (Service DLL)

C2 Domains: Attacker-Owned

angeldonationblog[.]com
codevexillium[.]org
investbooking[.]de
krakenfolio[.]com
opsonew3org[.]sg
transferwiser[.]io
transplugin[.]io

C2 Domains: Legitimate but Compromised

trophylab[.]com
www.colasprint[.]com
www.dronerc[.]it
www.edujikim[.]com
www.fabioluciani[.]com

C2 URLs

https[:]//angeldonationblog[.]com/image/upload/upload.php
https[:]//codevexillium[.]org/image/download/download.asp
https[:]//investbooking[.]de/upload/upload.asp
https[:]//transplugin[.]io/upload/upload.asp
https[:]//www.dronerc[.]it/forum/uploads/index.php
https[:]//www.dronerc[.]it/shop_testbr/Core/upload.php
https[:]//www.dronerc[.]it/shop_testbr/upload/upload.php
https[:]//www.edujikim[.]com/intro/blue/insert.asp
https[:]//www.fabioluciani[.]com/es/include/include.asp
http[:]//trophylab[.]com/notice/images/renewal/upload.asp
http[:]//www.colasprint[.]com/_vti_log/upload.asp

Host IOCs

Registry Keys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update

File Paths

C:\Windows\System32\Nwsapagent.sys

C:\Windows\System32\helpsvc.sys

C:\ProgramData\USOShared\uso.bin

C:\ProgramData\VMware\vmnat-update.bin

C:\ProgramData\VirtualBox\update.bin

Leave a Comment