
A Look at Actinium/Gamaredon’s Infrastructure: More Artifacts Revealed

Actinium/Gamaredon, reported as a Russian advanced persistent threat (APT) group that has been active for almost a decade, began training its sights on Ukrainian organizations in February 2022. At least three major cybersecurity service providers (Microsoft Security, Palo Alto Networks, and Symantec) have published indicators of compromise (IoCs) related to the threat over the years. Their reports gave us 151 unique domains, which served as the starting point for our in-depth investigation.

Our analysis uncovered several other IoCs and artifacts that could be related to the threat, namely:

  • 19 unique IP addresses the domain IoCs resolved to, one of which was dubbed “dangerous” by various malware engines
  • 67 unique domains that shared IP hosts with the domain IoCs
  • 218 unique domains that shared a domain IoC’s registrant email address
  • 57 connected domains found to be malicious

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

A Look at Actinium/Gamaredon’s IoCs

Our initial data gathering gave us 157 domain names from three reports: 133 from Microsoft, 19 from Palo Alto, and five from Symantec. Six were duplicates, leaving us with 151 unique domain IoCs.

Domain Name System (DNS) lookups for the 151 domain IoCs led to the discovery of 19 unique IP resolutions, including:

  • 194[.]58[.]92[.]102
  • 2a00[:]f940[:]4[::]10
  • 194[.]67[.]71[.]103
  • 178[.]21[.]11[.]27
  • 194[.]67[.]71[.]178

Reverse IP lookups for these resulted in 67 unique domains that could be connected to the threat. There could be hundreds more possibly connected domains, as our search results were limited to a sample of five domain names per IP address.

A bulk WHOIS lookup for the domains from our original IoC list and reverse IP lookups allowed us to find one unredacted registrant email address. Using that as a search term for reverse WHOIS lookups limited to currently active domains gave us an additional 218 possibly connected domains.

All in all, we managed to obtain an additional 19 IP addresses, 285 domains, and one email address.
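The domain-to-IP-to-registrant pivot described above, as an added example that is not code from this post or from TIP: it runs over constructed in-memory lookup tables (the dns, reverse_ip, whois and reverse_whois dicts are assumed stand-ins for the live DNS and WHOIS lookups), applies the five-domains-per-IP sampling the post mentions, and accepts defanged input such as 194[.]58[.]92[.]102.

```python
import re

REVERSE_IP_SAMPLE = 5  # the post notes reverse IP results were capped at five domains per IP

def refang(ioc: str) -> str:
    """Turn the post's defanged notation (194[.]58[.]92[.]102, 2a00[:]f940[:]4[::]10) into a usable value."""
    return re.sub(r"\[(::|:|\.)\]", r"\1", ioc)

def defang(value: str) -> str:
    """Inverse of refang, for writing indicators back into a report without making them clickable."""
    return re.sub(r"(::|:|\.)", r"[\1]", value)

def expand(report_iocs, dns, reverse_ip, whois, reverse_whois):
    """Run the pivot chain: dedupe report domains -> resolve to IPs -> reverse IP (sampled)
    -> unredacted registrant emails -> reverse WHOIS. Lookup tables are plain dicts here;
    in practice each would be a DNS or WHOIS API call."""
    domains = {refang(d) for names in report_iocs.values() for d in names}
    ips = {ip for d in domains for ip in dns.get(d, [])}
    ip_connected = set()
    for ip in sorted(ips):
        ip_connected.update(reverse_ip.get(ip, [])[:REVERSE_IP_SAMPLE])
    ip_connected -= domains  # only count domains not already in the IoC list
    emails = {whois[d] for d in domains | ip_connected if whois.get(d)}  # None == redacted record
    email_connected = set()
    for email in emails:
        email_connected.update(reverse_whois.get(email, []))
    email_connected -= domains | ip_connected
    return {"ioc_domains": domains, "ips": ips, "ip_connected": ip_connected,
            "emails": emails, "email_connected": email_connected}

# Constructed sample lookup tables; these are not real Actinium/Gamaredon indicators.
REPORTS = {
    "vendor-a": ["lure-one[.]example", "lure-two[.]example", "lure-three[.]example"],
    "vendor-b": ["lure-two[.]example", "lure-four[.]example"],  # lure-two duplicates vendor-a
}
DNS = {"lure-one.example": ["198.51.100.10"], "lure-two.example": ["198.51.100.10"],
       "lure-three.example": ["2001:db8::10"], "lure-four.example": []}  # lure-four no longer resolves
REVERSE_IP = {"198.51.100.10": ["lure-one.example", "lure-two.example"]
              + [f"shared-{i}.example" for i in range(7)],  # 9 co-hosted domains, only 5 are sampled
              "2001:db8::10": ["lure-three.example", "other.example"]}
WHOIS = {"lure-one.example": None, "shared-0.example": "registrant@example.net"}
REVERSE_WHOIS = {"registrant@example.net": ["shared-0.example", "more-1.example", "more-2.example"]}

if __name__ == "__main__":
    result = expand(REPORTS, DNS, REVERSE_IP, WHOIS, REVERSE_WHOIS)
    for key, values in result.items():
        print(f"{key}: {len(values)} -> {sorted(defang(v) for v in values)}")
```

Because the reverse IP step is sampled, the counts it yields are a floor, which is the same caveat the post makes about its 67 co-hosted domains.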

Our investigation didn’t stop there. We also subjected the additional web properties we found to the various checks available in Threat Intelligence Platform (TIP) and found that:

  • One of the IP addresses the domain IoCs resolved to—194[.]58[.]92[.]102—was dubbed “dangerous” by various malware engines.
  • A total of 57 domains possibly connected to the threat are categorized as malicious.
  • Sixteen of the 19 IP addresses our analysis exposed had Secure Sockets Layer (SSL) issues or misconfigurations.
  • According to TIP checks, nine of the 57 malicious connected domains had SSL vulnerabilities, 17 had WHOIS record issues, and nine had nameserver misconfigurations.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy to use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and also real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.
