Lorec53, a relatively new APT group according to NSFocus, actively targeted various Eastern European government institutions in 2021. The threat actors used well-crafted phishing campaigns to gather and steal data from their targets. Two years after their heyday, is the threat Lorec53 poses gone? Or has the group left still-active traces in the DNS?
Using the 21 indicators of compromise (IoCs)—19 domains and two IP addresses—NSFocus shared via AlienVault OTX as jump-off points, the WhoisXML API research team sought to find digital bread crumbs the APT group may have left behind in the DNS. Our analysis found:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Lorec53 used various lures in their targeted phishing campaigns, including:
All of the email file attachments above, along with others sent by Lorec53, were laced with malware meant to exfiltrate confidential data.
NSFocus shared the list of IoCs they collated via AlienVault OTX, which we listed in the table below.
Domains | IP Addresses |
---|---|
name4050[.]com | 45[.]146[.]165[.]91 |
name1d[.]site | 194[.]147[.]142[.]232 |
2330[.]site | |
1833[.]site | |
1221[.]site | |
1000020[.]xyz | |
smm2021[.]net | |
greatgardenplantsblog[.]com | |
intelpropertyrd[.]com | |
citylimitshog[.]com | |
eyedealrealty[.]com | |
cabiria[.]biz | |
33655990[.]cyou | |
2215[.]site | |
16868138130[.]space | |
1681683130[.]website | |
stun[.]site | |
eumr[.]site | |
3237[.]site | |
We began our investigation by determining which of the domain IoCs remained live via screenshot lookups. Only two of the domain IoCs continued to host live content to this day.
The other live page—eyedealrealty[.]com—hosts a real estate company site consistent with its name.
To trace Lorec53’s digital footprint, we then sifted through the domain IoCs’ WHOIS records. The current WHOIS records of the two domains above also indicated their registrants’ personal email addresses.
Reverse WHOIS searches for the email addresses revealed they were historically used to register 21 domains in total, two of which turned out to be malicious. An example would be matosariasrealstate[.]com.
Next, DNS lookups for the domain IoCs showed they resolved to nine unique IP addresses, giving us a total of 11 IP hosts when combined with the two identified as IoCs. Six of these were shared hosts, three were dedicated, and two had no matching DNS records.
The 11 resolving IP addresses were scattered across five countries. The U.S. accounted for five IP hosts, followed by the Netherlands and Russia with two each.
Reverse IP lookups for the 11 IP addresses led to the discovery of 1,818 domains. A huge majority of these sites were parked.
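The pivots described in the preceding steps (DNS lookups for the domain IoCs, merging the result with the IP IoCs, sorting hosts into shared and dedicated, breaking them down by country, and reverse IP lookups to collect co-hosted domains) can be reproduced offline against a snapshot of passive DNS data. The script below is an added example, not WhoisXML API's code; every domain, IP address, and geolocation entry in it is constructed (RFC 5737 documentation ranges and `.example` names), and `FORWARD_DNS`, `REVERSE_IP`, and `GEO` stand in for the lookup services the write-up used. The "dedicated host" rule (at most one domain points at the IP) is an assumption.

```python
"""Offline infrastructure pivot over constructed DNS and reverse-IP data.

Added example, not WhoisXML API's code. Every record below is constructed
for illustration (RFC 5737 documentation IP ranges, .example names).
"""
from collections import Counter


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' into 'example.com'."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Defang an indicator so it cannot be clicked or auto-linked in a report."""
    return indicator.replace(".", "[.]")


# Constructed forward-DNS snapshot: domain -> IPs it currently resolves to.
FORWARD_DNS = {
    "ioc-one.example": {"192.0.2.10"},
    "ioc-two.example": {"192.0.2.10", "198.51.100.5"},
    "ioc-three.example": set(),          # no matching DNS record
    "ioc-four.example": {"203.0.113.7"},
}

# Constructed reverse-IP snapshot: IP -> every domain seen pointing at it.
REVERSE_IP = {
    "192.0.2.10": {"ioc-one.example", "ioc-two.example", "parked-a.example", "parked-b.example"},
    "198.51.100.5": {"ioc-two.example"},
    "203.0.113.7": {"ioc-four.example", "shop-x.example"},
    "198.51.100.9": {"unrelated.example"},
}

# Constructed IP geolocation table.
GEO = {"192.0.2.10": "US", "198.51.100.5": "NL", "203.0.113.7": "RU", "198.51.100.9": "US"}


def resolve_iocs(domain_iocs, ip_iocs, forward=FORWARD_DNS):
    """Return (set of IP hosts, sorted list of domains with no DNS record).

    The host set is the union of the resolved IPs and the IP IoCs themselves,
    mirroring how the domain lookups and IP IoCs were combined in the write-up.
    """
    hosts = {refang(ip) for ip in ip_iocs}
    unresolved = []
    for raw in domain_iocs:
        domain = refang(raw)
        ips = forward.get(domain, set())
        if ips:
            hosts |= ips
        else:
            unresolved.append(domain)
    return hosts, sorted(unresolved)


def classify_hosts(hosts, reverse=REVERSE_IP):
    """Split hosts into shared (more than one domain points at the IP) and dedicated.

    Assumption: 'dedicated' means the reverse-IP view shows at most one domain.
    """
    shared = {ip for ip in hosts if len(reverse.get(ip, set())) > 1}
    return shared, set(hosts) - shared


def connected_domains(hosts, known_iocs, reverse=REVERSE_IP):
    """Domains co-hosted on the IoC IPs that are not themselves IoCs: the pivot set."""
    known = {refang(d) for d in known_iocs}
    found = set()
    for ip in hosts:
        found |= reverse.get(ip, set())
    return sorted(found - known)


def country_breakdown(hosts, geo=GEO):
    """Count hosts per country so the analyst can see where infrastructure clusters."""
    return Counter(geo.get(ip, "??") for ip in hosts)


if __name__ == "__main__":
    domains = ["ioc-one[.]example", "ioc-two[.]example", "ioc-three[.]example", "ioc-four[.]example"]
    ips = ["198[.]51[.]100[.]9"]
    hosts, unresolved = resolve_iocs(domains, ips)
    shared, dedicated = classify_hosts(hosts)
    print("hosts:", sorted(hosts), "no record:", unresolved)
    print("shared:", sorted(shared), "dedicated:", sorted(dedicated))
    print("pivot candidates:", [defang(d) for d in connected_domains(hosts, domains)])
    print("by country:", dict(country_breakdown(hosts)))
```

The pivot set returned by `connected_domains` is deliberately broad: as the write-up notes, most co-hosted domains on shared IPs turn out to be parked, so the output is a candidate list for further vetting (live-content and WHOIS checks), not a list of malicious domains.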
A couple of connected domains also contained at least three well-known brands—CNN, Google, Intel, and Visa. Examples include:
These could figure in phishing and other malware-enabled campaigns targeting job seekers, syndication customers, real estate investors, and credit card holders.
Finally, we noticed that some of the domains tagged as IoCs had unique strings listed in the following table. We sought to find how many other domains contained each string but used different top-level domain (TLD) extensions via Domains & Subdomains Discovery.
IoC | String Found in an IoC | Number of Domains Containing the String with a Different TLD Extension |
---|---|---|
smm2021[.]net | smm2021. | 4 |
cabiria[.]biz | cabiria. | 20 |
stun[.]site | stun. | 128 |
eumr[.]site | eumr. | 16 |
While none of them were confirmed to be malware hosts, their close resemblance to the IoCs may warrant close monitoring for signs of suspicious activity.
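The string-and-TLD check behind the table above can be reproduced against any domain feed. The following is an added example, not WhoisXML API's code and not its Domains & Subdomains Discovery tool: `CANDIDATE_FEED` is a constructed stand-in for such a feed (the counts in the table came from the real tool and are not reproduced here), the four IoC strings are the ones from the table, and the TLD split assumes a single-label TLD (multi-part public suffixes such as `co.uk` are not modelled). It goes slightly beyond the table by folding subdomain hits into their registrable domain and by flagging short, generic labels such as `stun` that are expected to produce noisy matches.

```python
"""Find registered domains that reuse an IoC's label under a different TLD.

Added example, not WhoisXML API's code. CANDIDATE_FEED is a constructed
stand-in for a domain feed; the IoC strings are the ones from the write-up.
"""
from collections import defaultdict


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com'."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Defang for safe inclusion in a report or watchlist."""
    return indicator.replace(".", "[.]")


def split_domain(fqdn: str):
    """Return (registrable_label, tld) for a hostname.

    Assumption: the TLD is the last label only; multi-part public suffixes
    such as co.uk are not modelled here.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {fqdn!r}")
    return labels[-2], labels[-1]


# Constructed candidate feed (a real run would pull this from a discovery service).
CANDIDATE_FEED = [
    "smm2021.com", "smm2021.org", "smm2021.net",         # .net is the IoC itself
    "cabiria.com", "mail.cabiria.com",                   # subdomain folds into cabiria.com
    "stun.com", "stun.org", "stun.site", "stunning.com",  # 'stunning' is not a match
    "eumr.co", "unrelated.example",
]


def tld_variants(iocs, feed=CANDIDATE_FEED):
    """Map each IoC label to the registrable domains sharing it under another TLD.

    The IoC's own TLD is excluded, subdomains are collapsed to their
    registrable domain, and the match is on the whole label (prefix matches
    such as 'stunning' for 'stun' do not count).
    """
    targets = {}
    for ioc in iocs:
        label, tld = split_domain(refang(ioc))
        targets[label] = tld
    hits = defaultdict(set)
    for fqdn in feed:
        label, tld = split_domain(fqdn)
        if label in targets and tld != targets[label]:
            hits[label].add(f"{label}.{tld}")
    return {label: sorted(domains) for label, domains in hits.items()}


def watchlist(iocs, feed=CANDIDATE_FEED, min_label_len=6):
    """Defanged monitoring rows; short generic labels are flagged, not dropped."""
    rows = []
    for label, domains in tld_variants(iocs, feed).items():
        note = "generic label, expect noise" if len(label) < min_label_len else ""
        for domain in domains:
            rows.append((defang(domain), note))
    return rows


if __name__ == "__main__":
    iocs = ["smm2021[.]net", "cabiria[.]biz", "stun[.]site", "eumr[.]site"]
    for label, domains in tld_variants(iocs).items():
        print(f"{label}: {len(domains)} variant(s) -> {domains}")
    for domain, note in watchlist(iocs):
        print(domain, note)
```

The `min_label_len` threshold is a heuristic, not a rule from the write-up: a four-letter dictionary word like `stun` will match many legitimate registrations, which is consistent with the 128 hits the table reports for it, so those rows are better treated as monitoring candidates than as findings.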
Based on the continued existence of live sites, whether identified as Lorec53 IoCs in 2021 or possibly part of the threat group's infrastructure through shared email address, IP address, or string connections, the risks they pose may not be gone. That is especially true for the two malicious domains we identified that were registered using the same email addresses as two of the original IoCs.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.