
Uncovering More Artifacts Related to the Endless Mayfly Disinformation Campaign

Many reports have released indicators of compromise (IoCs) regarding the Endless Mayfly disinformation campaign. For those unfamiliar with it, Endless Mayfly uses fake social media accounts and media websites to spread false information about U.S., Israel, and Saudi Arabia relations.

Among the published Endless Mayfly IoCs to date are typosquatting domains, malicious file names and hashes, host IP addresses, and social media handles.

As usual, we sought to expand the list of IoCs to help organizations ensure utmost protection for their networks. We also took the investigation deeper by comparing related domains’ WHOIS records at the time the comprehensive report about the threat was published (May 2019) and now.

Data Set

We used the list of Endless Mayfly domains on GitHub as the basis of our analysis. This list contains 73 domains, including several internationalized ones (i.e., those that use punycode).

Analysis and Findings

Subjecting these domains to a bulk WHOIS history lookup provided a list of 38 registrant email addresses. Also, DNS lookups using the domains as search terms gave us a list of 198 IP addresses. Finally, using the registrant email addresses as inputs, we obtained 173 additional domains containing them in their historical WHOIS records.

We looked at which of the domains had their WHOIS records changed over the past year, specifically between January and May 2021. For that, we employed WHOIS History Search under the Domain Research Suite (DRS).

A total of 15 of the domains had recently modified WHOIS records. These are:

  • al-jazirah[.]org
  • alarabyia[.]org
  • bbc-arabic[.]com
  • belfercenter[.]net
  • bloomberq[.]com
  • indepnedent[.]co
  • israelhayom[.]net
  • israelnationalnews[.]co
  • israelnationalnews[.]net
  • lesoir[.]info
  • policito[.]com
  • thaguardian[.]com
  • theatlatnic[.]com
  • theguaradian[.]com
  • washnigtonexaminer[.]com

Details about their WHOIS record changes are given below.

  • A total of 13 domains changed registrars. The top registrars were GoDaddy.com, LLC and NameCheap, Inc. with three domains each.
  • All 15 domains changed registrants, although mostly from a named organization or individual to an undisclosed owner. It is interesting to note, however, that bloomberq[.]com was acquired by Bloomberg, possibly as part of a brand protection strategy.
  • Only five of the domains had publicly attributable registrants, including bloomberq[.]com. The four other domains with identifiable owners were indepnedent[.]co, lesoir[.]info, policito[.]com, and theatlatnic[.]com.
  • A total of 14 domains changed countries. Only alarabyia[.]org didn’t.

We ran advanced reverse historical WHOIS searches on the 15 domains using the Domain Research Suite (DRS). That gave us an additional 83 variants of the domains sporting different top-level domain (TLD) extensions.

Examples include:

  • al-jazirah[.]link
  • alarabyia[.]online
  • bbc-arabic[.]net
  • belfercenter[.]org
  • bloomberq[.]org
  • israelhayom[.]us
  • israelnationalnews[.]tk
  • lesoir[.]name
  • thaguardian[.]co[.]uk

Organizations and individuals that don’t want to get exposed to disinformation or more sinister threats may want to add these to their blocklists.
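As an added example (not part of the original post or any WhoisXML API tooling), the following sketch refangs a subset of the indicators listed above and triages hostnames against them in two tiers: an exact match on the registrable domain, and a match on the same label under a different TLD, which is the pattern the variant search surfaced. The suffix set is an assumed stand-in for the Public Suffix List, and the queried hostnames are constructed.

```python
import re

# Defanged indicators copied from the lists in this article (a subset).
DEFANGED = """
al-jazirah[.]org
bloomberq[.]com
thaguardian[.]com
thaguardian[.]co[.]uk
israelnationalnews[.]tk
"""

# Assumption: a tiny stand-in for the Public Suffix List that covers only the
# multi-label suffixes appearing in the article.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def refang(indicator):
    """Turn 'hxxp://name[.]tld/path' style notation into a bare hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("[dot]", ".")
    s = re.sub(r"^h(tt|xx)ps?://", "", s)
    return s.split("/")[0].rstrip(".")

def registrable(host):
    """Split a hostname into (label, suffix), e.g. ('thaguardian', 'co.uk')."""
    parts = [p for p in host.split(".") if p]
    if len(parts) < 2:
        return None
    n = 2 if len(parts) >= 3 and ".".join(parts[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return parts[-n - 1], ".".join(parts[-n:])

def build_index(defanged_text):
    """Return (exact registrable domains, bare labels) from defanged lines."""
    exact, labels = set(), set()
    for line in defanged_text.split():
        reg = registrable(refang(line))
        if reg:
            exact.add(".".join(reg))
            labels.add(reg[0])
    return exact, labels

def classify(host, exact, labels):
    """'listed' = block; 'tld-variant' = same label, other TLD: send to review."""
    reg = registrable(refang(host))
    if reg is None:
        return "no-match"
    if ".".join(reg) in exact:
        return "listed"
    return "tld-variant" if reg[0] in labels else "no-match"

if __name__ == "__main__":
    exact, labels = build_index(DEFANGED)
    # Constructed hostnames standing in for a DNS query log.
    for h in ["www.bloomberq.com", "cdn.thaguardian.co.uk", "bloomberq.org", "example.org"]:
        print(f"{h:24} {classify(h, exact, labels)}")
```

A `tld-variant` hit is a review signal rather than an automatic block, since the same label under another TLD can belong to a different owner, and ownership changes over time, as the bloomberq[.]com transfer to Bloomberg shows.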

Figure 2

Running Maltego-WhoisXML API Historical Reverse WHOIS Search transforms on the additional domains revealed that six (i.e., al-jazirah[.]com, alarabyia[.]com, israelnationalnews[.]com, lesoir[.]be, lesoir[.]com, and lesoir[.]com[.]au).

Here’s a sample Maltego historical reverse WHOIS search map for al-jazirah[.]com (see Figure 2).

Our search provided another 85 connected domains that may be worth blocking access to and from as well. Examples of these are s4t[.]me, al-dhahry-group[.]com, al-jazirahonline[.]com, awjournalplus[.]com, leeemag[.]com, awjonline[.]com, alkawaaeb[.]com, suhuf[.]com, world4today[.]com, and arab4today[.]com.

Screenshot lookups for the additional domains revealed that a majority of them (38 to be exact) are unreachable, nine are parked, four are for sale, and three are under construction or have errors. A total of 15 are live with various kinds of content. Some look like news sites, while others look like e-commerce, academic, and corporate sites.

Figure 3: Screenshot of israelnationalnews[.]com
Figure 4: Screenshot of esotericluxury[.]com
Figure 5: Screenshot of belfercenter[.]org (left) and snappet[.]es (right)

As we’ve seen in this post, more artifacts that could be connected to an ongoing campaign can be uncovered via reverse WHOIS record lookups and searches for the same domain names sporting other TLDs. Scrutinizing changes in WHOIS records could lead to interesting discoveries as well, like one of the former Endless Mayfly domains now belonging to Bloomberg. Finally, screenshot lookups could reveal the current state of connected domains without putting researchers in danger of malware infection while conducting investigations. Findings about the websites hosted on potentially suspicious domains can also reveal trends, like the type of site they typically host.

If you wish to obtain a copy of the entire list of artifacts uncovered in this post, please feel free to contact us. They may be useful in your Endless Mayfly investigation efforts or enhance your network security.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
