|
Liberty Front Press is a fake news network that has been operating since Trump’s administration and was said to be designed to leverage liberal resentment against the former U.S. president while promoting pro-Iranian foreign policy narratives via social media. For years, it has been present on Facebook, Twitter, Pinterest, and Reddit, for so-called “activism.”
Our security researcher Dancho Danchev has been tracking the fake news network and provided indicators of compromise (IoCs), specifically 27 domains known to have taken part in the network’s disinformation campaigns, that individuals and organizations alike may want to avoid accessing.
We dug deeper using domain and IP intelligence tools to expand the list of IoCs in hopes of providing better user protection.
Running the 27 domains on a DNS lookup tool provided a list of 19 unique IP addresses. Their connection to the Liberty Front Press should make them suspicious. One IP address (81[.]169[.]145[.]149), in particular, should definitely be avoided, as our Threat Intelligence Platform (TIP) checks revealed it is a malware host.
An IP geolocation lookup for 81[.]169[.]145[.]149 revealed that the device it is assigned to is located in Germany. It is also associated with at least five domains, namely:
While none of the domains above are tagged malicious to date, avoiding accessing them may be a good idea as well, at least until proper verification and monitoring can be executed.
Using the 19 IP addresses as search terms for reverse IP/DNS lookups gave us a list of an additional 985 domains that could be tied to the campaign. Some of these share strings with those in the original investigation’s IoC list such as:
What’s more, users should watch out most especially for 11 domains that host malware, namely:
A closer look at each of the malicious domains via a screenshot lookup tool showed that:
WHOIS lookups using the malicious domains as search terms revealed that:
While fake news sites are not typically categorized by malware database sites as malicious, they may still present risks in the form of false information. Detecting such sites is possible with a website categorization tool. Take the domain alzouzougroup[.]com, which is included in the original list of IoCs. The web categorization tool classified it under Sensitive Topics and Spam or Harmful Content.
While this method may not be foolproof, blocking access to sites that fall under the two categories cites would provide organizations an extra layer of protection against threats.
As you’ve seen in this post, looking deeper into domains and IP addresses listed as threat IoCs can reveal so much more information and possible threat vectors that may require blocking on networks.
Contact us if you’d like to get a copy of the complete list of Liberty Front Press IoCs or the possibly connected web properties featured in this post. And if you’re a security analyst or researcher looking to partner for a study, we’d like to hear from you as well.
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byRadix
Sponsored byCSC
Sponsored byIPv4.Global