Home / Industry

Probing Lorec53 Phishing through the DNS Microscope

Lorec53, a relatively new APT group according to NSFocus, actively targeted various Eastern European government institutions in 2021. The threat actors used well-crafted phishing campaigns to gather and steal data from their targets. Two years after their heyday, is the threat Lorec53 poses gone? Or has the group left still-active traces in the DNS?

Using the 21 indicators of compromise (IoCs)—19 domains and two IP addresses—NSFocus shared via AlienVault OTX as jump-off points, the WhoisXML API research team sought to find digital bread crumbs the APT group may have left behind in the DNS. Our analysis found:

  • 21 domains that were registered using the same email address as two of the IoCs, two of which turned out to be malicious
  • 12 unique IP addresses to which the domains identified as IoCs resolved
  • 1,818 domains that shared the IoCs’ IP hosts
  • 168 domains that shared unique strings with some of the IoCs

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Lorec53 Campaign Tidbits

Lorec53 used various lures in their targeted phishing campaigns, including:

  • A supposed document confirming the target’s agreement to a disease prevention and control-related proposal
  • Proof of being chosen as a bitcoin recipient
  • Evidence of a fake COVID variant dubbed “COVID-21”
  • A supposed update for Adobe Acrobat Reader DC
  • A fake Android app

All of the email file attachments above, along with others sent by Lorec53, were laced with malware meant to exfiltrate confidential data.

NSFocus shared the list of IoCs they collated via AlienVault OTX, which we listed in the table below.

DomainsIP Addresses
• name4050[.]com
• name1d[.]site
• 2330[.]site
• 1833[.]site
• 1221[.]site
• 1000020[.]xyz
• smm2021[.]net
• greatgardenplantsblog[.]com
• intelpropertyrd[.]com
• citylimitshog[.]com
• eyedealrealty[.]com
• cabiria[.]biz
• 33655990[.]cyou
• 2215[.]site
• 16868138130[.]space
• 1681683130[.]website
• stun[.]site
• eumr[.]site
• 3237[.]site
• 45[.]146[.]165[.]91
• 194[.]147[.]142[.]232

Collating Lorec53 Digital Bread Crumbs

We began our investigation by determining which of the domain IoCs remained live via screenshot lookups. Only two of the domain IoCs continued to host live content to this day.

The other live page—eyedealrealty[.]com—hosts a real estate company site consistent with its name.

To trace Lorec53’s digital footprint, we then sifted through the domain IoCs’ WHOIS records. The current WHOIS records of the two domains above also indicated their registrants’ personal email addresses.

Reverse WHOIS searches for the email addresses revealed they were historically used to register 21 domains in total, two of which turned out to be malicious. An example would be matosariasrealstate[.]com.

Next, DNS lookups for the domain IoCs showed they resolved to nine unique IP addresses, giving us a total of 11 IP hosts when combined with the two identified as IoCs. Six of these were shared hosts, three were dedicated, and two had no matching DNS records.

The 11 resolving IP addresses were scattered across five countries. The U.S. accounted for five IP hosts, followed by the Netherlands and Russia with two each.

Reverse IP lookups for the 11 IP addresses led to the discovery of 1,818 domains. A huge majority of these sites were parked.

A couple of connected domains also contained at least three well-known brands—CNN, Google, Intel, and Visa. Examples include:

  • 0[.]www[.]cnn[.]jobs[.]com—indeed[.]com
  • 0078d3ff03b13d29f710d0e6602bcc4a[.]safeframe[.]googlesyndication[.]co
  • mail[.]intelpropertyrd[.]com
  • 108visa[.}online

These could figure in phishing and other malware-enabled campaigns targeting job seekers, syndication customers, real estate investors, and credit card holders.

Finally, we noticed that some of the domains tagged as IoCs had unique strings listed in the following table. We sought to find how many other domains contained each string but used different top-level domain (TLD) extensions via Domains & Subdomains Discovery.

IoCString Found in an IoCNumber of Domains Containing the String with a Different TLD Extension
smm2021[.]netsmm2021.4
cabiria[.]bizcabiria.20
stun[.]sitestun.128
eumr[.]siteeumr.16

While none of them were confirmed to be malware hosts, their close resemblance to the IoCs may warrant close monitoring for signs of suspicious activity.

Conclusion

Based on the continued existence of live sites either identified as Lorec53 IoCs in 2021 and those that may be part of the threat group’s infrastructure through email, IP address, or string usage connections, the risks they pose may not be gone. That is especially true for the two malicious domains we identified that were registered using the same email addresses as two of the original IoCs.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix