The Silent Librarian advanced persistent threat (APT) actors have been detected once again, as the academic year started in September. With online classes increasingly becoming the norm, the group’s phishing campaigns that aim to steal research data and intellectual property could have a high success rate.

Dozens of phishing domain names have been reported, although some may have already been taken down. Still, the Silent Librarian APT group could have more weaponized domains in their arsenal, so we tried to uncover some connections throughout this investigative analysis using domain and IP intelligence.

The IoCs: Commonalities and Characteristics

Malwarebytes has identified 25 phishing subdomains and three IP addresses that targeted 21 universities and colleges worldwide.

IP Geolocation

Using IP geolocation, we identified that two malicious IP addresses were assigned to Iran, and another one to India.

The Use of Subdomains

The phishing subdomains used the same strings found in the universities’ legitimate domains but at the third-level domain under a different root domain. The phishing domain library[.]adelaide[.]crev[.]me, for example, looks much like the University of Adelaide Library’s legitimate domain library[.]adelaide[.]edu[.]au.

Instances when the threat actors used the full legitimate domain, such as idpz[.]utorauth[.]utoronto[.]ca[.]itlf[.]cf, which targets the University of Toronto (legitimate domain: idpz[.]utorauth[.]utoronto[.]ca), were also found.

TLD and Registrar Distribution of Root Domains

Out of the 25 phishing subdomains, 14 root domains were identified. Ten of them are in the .me generic top-level domain (gTLD) space, two used .tk, while another two used .cf.

WHOIS data showed that as of 5 November 2020, the two .cf domains (itlf[.]cf and sftt[.]cf) have already been dropped. All of the other domains remain active and have the following details:

• Their registrar is NameCheap, Inc.
• The .me domains use WhoisGuard, Inc. protection, while the .tk domains use Freedom Registry, Inc.
• The registrant countries reflect that of the domains’ privacy protection services—Panama for WhoisGuard and the U.S. for Freedom Registry.
• All of the domains were recently registered with dates within 14 August and 2 October.

Uncovering More Digital Footprints

Noting the number of times the root domains were used as Silent Library indicators of compromise (IoCs), we discovered many possibly suspicious subdomains. The numbers are reflected in the table below.

We focused on investigating the second to fourth root domains in the list above:

• itlt[.]tk
• itlib[.]me
• iftl[.]tk

These domains had way more subdomains that were not used as IoCs. The first on the list, itlf[.]cf, is no longer active.

Looking up subdomain and DNS data, we found 11 more subdomains that could be used to target universities, along with two IP addresses. The chart below shows the subdomains of the three root domains. The subdomains in red have already been reported as Silent Library IoCs, while the rest could still figure in future attacks.

The table below lists the potential subdomains that may be used to target the corresponding academic institutions in the future. Some may currently be undetected.

Some of the Silent Library APT members have already been indicted in 2018, yet what remains of the group seem to continue targeting different universities across several continents. Constant investigation and monitoring are required to keep up.