
Probing Lorec53 Phishing through the DNS Microscope

Lorec53, a relatively new APT group according to NSFocus, actively targeted various Eastern European government institutions in 2021. The threat actors used well-crafted phishing campaigns to gather and steal data from their targets. Two years after their heyday, is the threat Lorec53 poses gone? Or has the group left still-active traces in the DNS?

Using the 21 indicators of compromise (IoCs)—19 domains and two IP addresses—NSFocus shared via AlienVault OTX as jump-off points, the WhoisXML API research team sought to find digital bread crumbs the APT group may have left behind in the DNS. Our analysis found:

  • 21 domains that were registered using the same email address as two of the IoCs, two of which turned out to be malicious
  • 12 unique IP addresses to which the domains identified as IoCs resolved
  • 1,818 domains that shared the IoCs’ IP hosts
  • 168 domains that shared unique strings with some of the IoCs

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Lorec53 Campaign Tidbits

Lorec53 used various lures in their targeted phishing campaigns, including:

  • A supposed document confirming the target’s agreement to a disease prevention and control-related proposal
  • Proof of being chosen as a bitcoin recipient
  • Evidence of a fake COVID variant dubbed “COVID-21”
  • A supposed update for Adobe Acrobat Reader DC
  • A fake Android app

All of the email file attachments above, along with others sent by Lorec53, were laced with malware meant to exfiltrate confidential data.

NSFocus shared the list of IoCs they collated via AlienVault OTX, which we listed in the table below.

Domains:
  • name4050[.]com
  • name1d[.]site
  • 2330[.]site
  • 1833[.]site
  • 1221[.]site
  • 1000020[.]xyz
  • smm2021[.]net
  • greatgardenplantsblog[.]com
  • intelpropertyrd[.]com
  • citylimitshog[.]com
  • eyedealrealty[.]com
  • cabiria[.]biz
  • 33655990[.]cyou
  • 2215[.]site
  • 16868138130[.]space
  • 1681683130[.]website
  • stun[.]site
  • eumr[.]site
  • 3237[.]site

IP Addresses:
  • 45[.]146[.]165[.]91
  • 194[.]147[.]142[.]232

Collating Lorec53 Digital Bread Crumbs

We began our investigation by determining which of the domain IoCs remained live via screenshot lookups. Only two of the domain IoCs continued to host live content to this day.

The other live page—eyedealrealty[.]com—hosts a real estate company site consistent with its name.

To trace Lorec53’s digital footprint, we then sifted through the domain IoCs’ WHOIS records. The current WHOIS records of the two domains above also indicated their registrants’ personal email addresses.

Reverse WHOIS searches for the email addresses revealed they were historically used to register 21 domains in total, two of which turned out to be malicious. An example would be matosariasrealstate[.]com.

Next, DNS lookups for the domain IoCs showed they resolved to nine unique IP addresses, giving us a total of 11 IP hosts when combined with the two identified as IoCs. Six of these were shared hosts, three were dedicated, and two had no matching DNS records.

The 11 resolving IP addresses were scattered across five countries. The U.S. accounted for five IP hosts, followed by the Netherlands and Russia with two each.

Reverse IP lookups for the 11 IP addresses led to the discovery of 1,818 domains. A huge majority of these sites were parked.

A couple of connected domains also contained at least three well-known brands—CNN, Google, Intel, and Visa. Examples include:

  • 0[.]www[.]cnn[.]jobs[.]com—indeed[.]com
  • 0078d3ff03b13d29f710d0e6602bcc4a[.]safeframe[.]googlesyndication[.]co
  • mail[.]intelpropertyrd[.]com
  • 108visa[.]online

These could figure in phishing and other malware-enabled campaigns targeting job seekers, syndication customers, real estate investors, and credit card holders.

Finally, we noticed that some of the domains tagged as IoCs had unique strings listed in the following table. We sought to find how many other domains contained each string but used different top-level domain (TLD) extensions via Domains & Subdomains Discovery.

IoC | String Found in an IoC | Number of Domains Containing the String with a Different TLD Extension
smm2021[.]net | smm2021. | 4
cabiria[.]biz | cabiria. | 20
stun[.]site | stun. | 128
eumr[.]site | eumr. | 16

While none of them were confirmed to be malware hosts, their close resemblance to the IoCs may warrant close monitoring for signs of suspicious activity.
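The pivots described in this section (WHOIS lookup on a domain IoC, reverse WHOIS on the registrant email, forward DNS, reverse IP to classify hosts as shared, dedicated or without records, and the same-label/different-TLD string search) can be reproduced as one small workflow. The block below is an added example written for this article and is not WhoisXML API's code or tooling; every lookup is answered from constructed in-memory tables that stand in for the commercial services, and the seed IoCs, registrant emails and IP addresses are placeholders from reserved example ranges, not the real Lorec53 indicators.

```python
"""Offline walk-through of the IoC pivoting steps described above.

Added example, not WhoisXML API code. All WHOIS, reverse-WHOIS, DNS,
reverse-IP and TLD-variant data below is constructed; the seed IoCs are
placeholders in documentation/reserved namespaces, not real indicators.
"""
import ipaddress
from typing import Dict, List, Set

# Constructed seed list in the same defanged form the article uses.
SEED_IOCS = ["ioc-realty[.]example", "stun[.]test", "203[.]0[.]113[.]10"]

# Constructed WHOIS data: domain -> registrant email.
WHOIS: Dict[str, str] = {
    "ioc-realty.example": "registrant-a@mail.example",
    "stun.test": "registrant-b@mail.example",
}
# Constructed reverse-WHOIS index: registrant email -> domains it registered.
REVERSE_WHOIS: Dict[str, List[str]] = {
    "registrant-a@mail.example": ["ioc-realty.example", "sibling-realty.example", "loan-offer.example"],
    "registrant-b@mail.example": ["stun.test"],
}
# Constructed forward DNS (A records): domain -> IPv4 addresses.
DNS_A: Dict[str, List[str]] = {
    "ioc-realty.example": ["203.0.113.20"],
    "stun.test": ["198.51.100.5"],
}
# Constructed reverse-IP index: IP -> domains observed resolving to it.
# The seed IP 203.0.113.10 deliberately has no entry ("no matching DNS records").
REVERSE_IP: Dict[str, List[str]] = {
    "203.0.113.20": ["ioc-realty.example", "parked-1.example", "parked-2.example", "brand-login.example"],
    "198.51.100.5": ["stun.test"],
}
# Constructed corpus for the string pivot (same leading label, different TLD).
DOMAIN_CORPUS: List[str] = ["stun.test", "stun.example", "stun.invalid", "stunning.example", "ioc-realty.example"]


def refang(ioc: str) -> str:
    """Turn the defanged 'a[.]b' notation back into a resolvable 'a.b'."""
    return ioc.replace("[.]", ".")


def defang(value: str) -> str:
    """Inverse of refang, for safe reporting."""
    return value.replace(".", "[.]")


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def split_iocs(seeds: List[str]):
    """Refang the seed list and separate domain IoCs from IP IoCs."""
    values = [refang(s) for s in seeds]
    return [v for v in values if not is_ip(v)], [v for v in values if is_ip(v)]


def email_pivot(domain: str) -> Set[str]:
    """Reverse WHOIS: other domains registered with the same registrant email."""
    email = WHOIS.get(domain)
    if email is None:
        return set()
    return set(REVERSE_WHOIS.get(email, [])) - {domain}


def host_profile(ip: str, ioc_domains: Set[str]) -> str:
    """Reverse IP: classify a host as shared, dedicated, or lacking DNS records."""
    hosted = set(REVERSE_IP.get(ip, []))
    if not hosted:
        return "no matching DNS records"
    return "dedicated" if hosted <= ioc_domains else "shared"


def string_pivot(domain: str, corpus: List[str]) -> List[str]:
    """Same leading label under a different TLD (simplified: split on the first dot)."""
    label, _, tld = domain.partition(".")
    return sorted(d for d in corpus
                  if d != domain and d.partition(".")[0] == label and d.partition(".")[2] != tld)


def run_pivots(seeds: List[str]) -> dict:
    """Run every pivot and return the kind of summary the article reports."""
    domains, seed_ips = split_iocs(seeds)
    ioc_domains = set(domains)
    siblings = set().union(*(email_pivot(d) for d in domains))
    resolved = {ip for d in domains for ip in DNS_A.get(d, [])}
    all_ips = sorted(resolved | set(seed_ips))
    profiles = {ip: host_profile(ip, ioc_domains) for ip in all_ips}
    co_hosted = set().union(*(set(REVERSE_IP.get(ip, [])) for ip in all_ips)) - ioc_domains
    variants = {d: string_pivot(d, DOMAIN_CORPUS) for d in domains}
    return {
        "registrant_siblings": sorted(siblings),
        "ip_hosts": all_ips,
        "host_profiles": profiles,
        "co_hosted_domains": sorted(co_hosted),
        "tld_variants": variants,
    }


if __name__ == "__main__":
    for key, value in run_pivots(SEED_IOCS).items():
        print(key, value)
```

Swapping the in-memory tables for real WHOIS, passive DNS and reverse-IP lookups is the only change needed to run this against an actual IoC list; keeping each pivot in its own function makes it easy to record which hop produced each connected domain, which matters because co-hosted domains on a shared IP (most of the 1,818 here were parked) are far weaker evidence than a shared registrant email.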

Conclusion

Based on the continued existence of live sites, either those identified as Lorec53 IoCs in 2021 or those that may be part of the threat group’s infrastructure through email, IP address, or string usage connections, the risks they pose may not be gone. That is especially true for the two malicious domains we identified that were registered using the same email addresses as two of the original IoCs.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
