
Verizon Dark Web Threat Hunters locate Russian-controlled phishing websites.

Published: November 22, 2019

This week, Verizon Dark Web Threat Hunters identified a likely Russian-controlled server hosting a phishing website posing as a LinkedIn sign-in page (figure 1). Further enumeration revealed a Base64-encoded PHP webshell on the server, accessible to anyone who browsed to its URL. Analysis of other websites hosted by the same network provider linked them to further phishing websites.

Figure 1. Cybercriminals crafted this phishing page to look very much like a legitimate LinkedIn login screen

The webshell, identified as WebShellOrb 2.6 (figure 2), was found at manchomperle[.]com, which resolves to the IP address 91[.]234[.]99[.]117. The Russian actor is believed to be spreading crimeware via directed phishing campaigns. So far, Verizon Dark Web Threat Hunters have identified at least one case directed at our customers. The aggregated indicators of compromise have been added to our threat intelligence library and are listed below for convenience.

Figure 2. WebShellOrb 2.6 PHP Web Shell

Recommendations

Verizon strongly suggests educating employees about the risks associated with targeted phishing, especially campaigns that spoof well-known social media brands, and providing them with tools to identify malicious content delivered via phishing. Additionally, we suggest adding the aggregated IOCs to block lists to reduce the risk of compromise.
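The report publishes its indicators in defanged "[.]" notation, so putting them on a block list or sweeping proxy logs for them first means refanging and deciding how each kind of indicator should match. The script below is an added example, not Verizon's tooling: it refangs the report's IP, domain and one of its URLs, matches hosts exactly (domains also cover their subdomains) and URLs by path prefix, and runs that over constructed proxy log lines.

```python
from urllib.parse import urlsplit

# Report's defanged "[.]" notation: its named IP and domain plus one URL from its list.
DEFANGED_IOCS = """
91[.]234[.]99[.]117
manchomperle[.]com
http://astimelosdime[.]xyz/xx/hotjo/
"""

# Constructed proxy log lines (not from the report): timestamp client method url status.
SAMPLE_PROXY_LOG = """
2019-11-20T10:16:44Z 10.0.0.7 GET http://MANCHOMPERLE.com/sign-in/index.php 200
2019-11-20T10:17:01Z 10.0.0.9 POST http://91.234.99.117/x.php 302
2019-11-20T10:18:30Z 10.0.0.5 GET http://astimelosdime.xyz/xx/hotjo/login.php 200
2019-11-20T10:20:00Z 10.0.0.8 GET http://notmanchomperle.com/ 200
"""

def refang(ioc: str) -> str:  # "[.]" -> "." so the indicator can be matched
    return ioc.strip().replace("[.]", ".").lower()

def load_blocklist(text: str) -> dict:
    """Split indicators into bare hosts (IPs or domains) and URL prefixes (host, path)."""
    bl = {"hosts": set(), "url_prefixes": set()}
    for ioc in filter(None, map(refang, text.splitlines())):
        if "://" in ioc:
            u = urlsplit(ioc)
            bl["url_prefixes"].add((u.hostname, u.path))
        else:
            bl["hosts"].add(ioc)
    return bl

def match_url(url: str, bl: dict):
    """Return the indicator a URL hits, or None. A listed domain also covers its subdomains."""
    u = urlsplit(url.lower())
    host = u.hostname or ""
    for h in bl["hosts"]:
        if host == h or host.endswith("." + h):
            return h
    for phost, ppath in bl["url_prefixes"]:
        if host == phost and u.path.startswith(ppath):  # URL IOCs match by path prefix
            return phost + ppath
    return None

def scan_log(log: str, bl: dict) -> list:
    """Return (client, url, indicator) for every log line whose URL is on the list."""
    hits = []
    for parts in (line.split() for line in log.splitlines()):
        if len(parts) >= 5 and (hit := match_url(parts[3], bl)):
            hits.append((parts[1], parts[3], hit))
    return hits
```

Note that `notmanchomperle.com` is not flagged: suffix matching requires the dot boundary, which is the usual source of false positives in hand-rolled domain block lists.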

Aggregated Indicators of Compromise
