Fancy Bear Pens the Worst Blog Posts Ever
TLP: WHITE | Adversary: Sofacy | Author: AlienVault | Created: 2017-11-02 | Modified: 2017-11-02
92 IOCs
Our friends over at Bellingcat, which conducts open source investigations and writes extensively on Russia-related issues, recently shared a new tranche of spear-phishing emails they had received. Spoiler alert: they originated from Fancy Bear actors. Using the ThreatConnect platform, we ingested the spear-phishing emails Bellingcat provided, extracted the relevant indicators, and compared them to previously known Fancy Bear activity. This campaign turned out to be associated with 2016 Fancy Bear activity previously identified by the German Federal Office for the Protection of the Constitution (BfV). More interestingly, Fancy Bear employed a tactic we hadn't previously seen from them: using Blogspot-hosted URLs in their spear-phishing emails. The Blogspot page itself carried no content of substance; it contained a JavaScript window.location redirect that sent the visitor on to a second URL hosted on a dedicated server.
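The redirect technique above is worth checking for mechanically: a post on a trusted blogging host whose only payload is a client-side bounce to a different registrable domain. The script below is an added example written for this page, not code from ThreatConnect, Bellingcat or AlienVault. It pulls `window.location`-style assignments (and `location.replace`/`assign` calls and `<meta refresh>` as the same family of redirect) out of a page, decides whether each target leaves the hosting domain, and matches the target host against indicators written in this pulse's own `TYPE INDICATOR CREATED` line format. The HTML page is a constructed stand-in for the Blogspot post, the blog URL is a made-up `blogspot.com` subdomain, and the IOC text is a subset of the list further down; the two-label "registrable domain" heuristic is an assumption that holds for the .ga/.gq hosts here but not for suffixes like co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RedirectCollector(HTMLParser):
    """Collect <script> bodies and <meta http-equiv="refresh"> content values."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
        self.meta_refresh = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "meta":
            a = {k: (v or "") for k, v in attrs}
            if a.get("http-equiv", "").lower() == "refresh" and a.get("content"):
                self.meta_refresh.append(a["content"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1] += data


# window.location = "..."; location.href = '...'; top.location.href = "..."
_JS_ASSIGN = re.compile(
    r"""(?:(?:window|document|top|self|parent)\.)?location(?:\.href)?\s*=(?!=)\s*(["'])(.+?)\1""")
# location.replace("..."); window.location.assign('...')
_JS_CALL = re.compile(
    r"""(?:(?:window|document|top|self|parent)\.)?location\.(?:replace|assign)\s*\(\s*(["'])(.+?)\1\s*\)""")
# "0;url=https://..." inside a meta refresh
_META_URL = re.compile(r"""url\s*=\s*['"]?([^'";\s]+)""", re.IGNORECASE)


def extract_redirects(html):
    """Return client-side redirect targets found in the page, in order, without duplicates."""
    p = _RedirectCollector()
    p.feed(html)
    out = []
    for script in p.scripts:
        for rx in (_JS_ASSIGN, _JS_CALL):
            for m in rx.finditer(script):
                if m.group(2) not in out:
                    out.append(m.group(2))
    for content in p.meta_refresh:
        m = _META_URL.search(content)
        if m and m.group(1) not in out:
            out.append(m.group(1))
    return out


def registrable_domain(host):
    """Assumed heuristic: last two labels. Fine for .ga/.gq; use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_pulse_iocs(text):
    """Parse 'domain|hostname|URL <indicator> <date>' lines into a set of hostnames."""
    hosts = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        kind, value = parts[0].lower(), parts[1]
        if kind in ("domain", "hostname"):
            hosts.add(value.lower().rstrip("."))
        elif kind == "url":
            h = urlparse(value).hostname
            if h:
                hosts.add(h.lower())
    return hosts


def match_ioc(host, iocs):
    """Most specific indicator that equals the host or is a parent domain of it, else None."""
    host = host.lower()
    for ioc in sorted(iocs, key=len, reverse=True):
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def analyze(page_url, html, ioc_text):
    """For each redirect target: does it leave the hosting domain, and does it hit an indicator?"""
    page_rd = registrable_domain(urlparse(page_url).hostname or "")
    iocs = parse_pulse_iocs(ioc_text)
    findings = []
    for target in extract_redirects(html):
        host = urlparse(target).hostname or ""
        findings.append({
            "target": target,
            "offsite": registrable_domain(host) != page_rd,
            "ioc_hit": match_ioc(host, iocs),
        })
    return findings


# Constructed sample page standing in for the Blogspot post; not the real post.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Travel notes</title>
<meta http-equiv="refresh" content="5;url=https://fileshelp.ga/docs/index.php">
<script type="text/javascript">
  window.location.href = "https://google.com.account-password.ga/security/signinoptions/password";
</script>
</head><body><p>Loading your document...</p></body></html>
"""

# Subset of this pulse's indicators, in the pulse's own line format.
SAMPLE_IOCS = """\
domain access-apple-login-account.gq 2017-11-02
domain fileshelp.ga 2017-11-02
domain smtprelayhost.com 2017-11-02
URL https://google.com.account-password.ga/security/signinoptions/password 2017-11-02
hostname accounts.google.com.securitymail.gq 2017-11-02
hostname google.com.account-password.ga 2017-11-02
"""

if __name__ == "__main__":
    for f in analyze("https://some-blog.blogspot.com/2017/11/post.html", SAMPLE_PAGE, SAMPLE_IOCS):
        print(f)
```

Note what the registrable-domain step buys you with this pulse's indicators: `google.com.account-password.ga` and `accounts.google.com.securitymail.gq` put the impersonated brand in the leading labels, so a filter that keys on the visible brand string passes them; keying on the registrable domain (`account-password.ga`, `securitymail.gq`) does not.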
Indicators of Compromise (92)
TYPE INDICATOR CREATED
domain access-apple-login-account.gq 2017-11-02
domain account-activity-verification-login.ga 2017-11-02
domain account-verify-comfirmation-info-login.ga 2017-11-02
domain account-verify-comfirmation-info-login.gq 2017-11-02
domain accountlogin-inc.ga 2017-11-02
domain accountverify-disableinfo-login.gq 2017-11-02
domain alert-new-login-com.ga 2017-11-02
domain apple-realertlogin.gq 2017-11-02
domain appleid-login-appleid.ga 2017-11-02
domain appleid-manageaccountloginupdated.ga 2017-11-02
domain appleidcustomer-servicess-com-loginaccount.ga 2017-11-02
domain appleidcustomer-servicess-com-loginaccount.gq 2017-11-02
domain browsersecurity.ga 2017-11-02
domain change-password.gq 2017-11-02
domain cleantarea-customerlogin-com.ga 2017-11-02
domain clientareasecurity1.gq 2017-11-02
domain clientareasecurity4.gq 2017-11-02
domain com-recoverylogin.gq 2017-11-02
domain com-supportlogin-adminverification.ga 2017-11-02
domain darksecurity.ga 2017-11-02
domain dns-sec-login-apple-invoice-confirmations.ga 2017-11-02
domain dns-webapps-login-account-secure-servers.ga 2017-11-02
domain documentation.gq 2017-11-02
domain documentshandler.ga 2017-11-02
domain emailloginerror.gq 2017-11-02
domain facebook-login-page.gq 2017-11-02
domain failure-login.ga 2017-11-02
domain fileshelp.ga 2017-11-02
domain fileshelp.gq 2017-11-02
domain fileshelpprotut.ga 2017-11-02
domain fileshelpprotut.gq 2017-11-02
domain filestore.gq 2017-11-02
domain goldsecurity.ga 2017-11-02
domain info-apple-login-security.gq 2017-11-02
domain jp-login.gq 2017-11-02
domain locked-service-security.ga 2017-11-02
domain login-bancochile-cl.ga 2017-11-02
domain login-pap-web-access.ga 2017-11-02
domain login-recovery.gq 2017-11-02
domain login-sec-apple-secure-account-updated.ga 2017-11-02
domain login-secure1-mobile.ga 2017-11-02
domain login-unlock-account.ga 2017-11-02
domain login-update-unlock.gq 2017-11-02
domain loginapps-info.ga 2017-11-02
domain loginpaypaas-securityuserid.ga 2017-11-02
domain loginservice-maintanceserversecurity.gq 2017-11-02
domain manage-login.gq 2017-11-02
domain manage-logins.gq 2017-11-02
domain mod-files.ga 2017-11-02
domain mydocuments.gq 2017-11-02
domain newaction-loginactivituresource.ga 2017-11-02
domain newfiles.ga 2017-11-02
domain ns-secures-login-accountjp-updates-community.gq 2017-11-02
domain nursingdocumentation.gq 2017-11-02
domain ourfiles.ga 2017-11-02
domain passwordreset.gq 2017-11-02
domain pdf-document.ga 2017-11-02
domain protector-files.ga 2017-11-02
domain recoverylogin-access.ga 2017-11-02
domain reset-password-com.ga 2017-11-02
domain restore-login-account.gq 2017-11-02
domain review-quilogin.ga 2017-11-02
domain secure-bankofamerica--login-com.ga 2017-11-02
domain secure-bankofamerica--login-com.gq 2017-11-02
domain secure-login-helpid-locked.gq 2017-11-02
domain secure-management-login-account-index-webpass.gq 2017-11-02
domain secure-mobile-login1.gq 2017-11-02
domain secure1-client-login.ga 2017-11-02
domain secure1-client-login.gq 2017-11-02
domain secure1-login-apps.gq 2017-11-02
domain secure5647login-com.ga 2017-11-02
domain security-login-information.gq 2017-11-02
domain securitycenter.ga 2017-11-02
domain service-account-home-login.gq 2017-11-02
domain service-autoreset-password-youraccount.ga 2017-11-02
domain service-login-apple-verify-account-locked.gq 2017-11-02
domain servicelogin-access-failed.gq 2017-11-02
domain services-loginaccount.ga 2017-11-02
domain sharefiles.gq 2017-11-02
domain signin-login-php.ga 2017-11-02
domain smtprelayhost.com 2017-11-02
domain srilankadocuments.ga 2017-11-02
domain statement-login-update-info.ga 2017-11-02
domain summary-loginconfirmation.ga 2017-11-02
domain unsecured-login-attempt.ga 2017-11-02
domain verify-login-account-iinformation.ga 2017-11-02
domain verify-login-account-iinformation.gq 2017-11-02
domain welcome-apple-protectyourpassword.gq 2017-11-02
domain www-logined-apple-authsecure.ga 2017-11-02
URL https://google.com.account-password.ga/security/signinoptions/password 2017-11-02
hostname accounts.google.com.securitymail.gq 2017-11-02
hostname google.com.account-password.ga 2017-11-02