Secureworks® Counter Threat Unit™ (CTU) researchers investigated infrastructure and malware artifacts likely used in ongoing phishing operations targeting governmental organizations, non-governmental organizations (NGOs), and intergovernmental organizations (IGOs) based in the United States, Ukraine, and the European Union. The missions of these organizations include anti-corruption activism and conflict mediation in Ukraine as well as disinformation awareness in the European Union.
On May 26, 2021, CTU™ researchers identified two Cobalt Strike Beacon samples that used command and control (C2) servers at dataplane . theyardservice . com and worldhomeoutlet . com (see Figure 1). At analysis time, these domains resolved to 83 . 171 . 237 . 173 and 192 . 99 . 221 . 77, respectively.
Figure 1. Cobalt Strike Beacon configured to use C2 server theyardservice . com. (Source: Secureworks)
Analysis of the theyardservice . com domain revealed multiple URLs containing the “usaid” subdomain, a reference to the United States Agency for International Development (USAID). Shodan historical records for 83 . 171 . 237 . 173 show redirects to USAID's main website at https: //usaid . gov on port 443 (see Figure 2). This activity is likely part of a USAID-themed phishing campaign.
Figure 2. HTTPS queries to theyardservice . com redirect to USAID website. (Source: Secureworks)
The URLs identify specific targets based on the email address appended to the URLs. The targets include the U.S. Atlantic Council, the Organization for Security and Co-operation in Europe (OSCE), the Ukrainian Anti-Corruption Action Center (ANTAC), the EU DisinfoLab, and the Government of Ireland's Department of Foreign Affairs. The timestamps associated with some of these URLs indicate that the campaign is ongoing as of this publication.
These URLs yielded a set of correspon ..
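A defender-side triage sketch for the infrastructure described above, added here as an example and not taken from the Secureworks report: it flags proxy-log requests to the C2 hosts named in the text and extracts any email address embedded in the request URL, since the report states that targets are identified by an email address appended to the URL. The log line format, the URL layout and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicators taken from the report (defanged there; written plainly here so they match).
C2_DOMAINS = {"theyardservice.com", "worldhomeoutlet.com"}
C2_IPS = {"83.171.237.173", "192.99.221.77"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _host_matches(host):
    """True if host is a listed C2 IP, a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    if host in C2_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def extract_target_email(url):
    """Return an email address found in the URL path or query string, else None."""
    parts = urlsplit(url)
    candidates = [unquote(parts.path)]
    for values in parse_qs(parts.query).values():
        candidates.extend(unquote(v) for v in values)
    for text in candidates:
        m = EMAIL_RE.search(text)
        if m:
            return m.group(0)
    return None


def scan_proxy_log(lines):
    """Return [(url, target_email)] for requests to known C2 hosts.
    Assumed line format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash
        url = fields[3]
        if _host_matches(urlsplit(url).hostname or ""):
            hits.append((url, extract_target_email(url)))
    return hits


# Constructed sample log lines (assumption; not from the report).
SAMPLE_LOG = [
    "2021-05-26T10:01:02Z 10.0.0.5 GET https://usaid.theyardservice.com/track?email=analyst%40example.org 302",
    "2021-05-26T10:01:03Z 10.0.0.5 GET https://www.example.com/index.html 200",
    "2021-05-26T10:02:00Z 10.0.0.7 GET http://192.99.221.77/img/user@example.net/pixel.gif 200",
]

if __name__ == "__main__":
    for url, email in scan_proxy_log(SAMPLE_LOG):
        print(f"C2 contact: {url} (target: {email})")
```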