The Sofacy plot thickens

20 April 2015

Tom Lancaster and Chris Doman

 

Background

There has been recent reporting on further activity by the threat group variously referred to as Sofacy[1]. We are releasing this flash bulletin, containing network indicators, to aid security professionals in detecting this activity.

Please contact us at threatintelligence@uk.pwc.com and we would be happy to send you a TLP GREEN version of this report containing further indicators, which you are welcome to distribute further in line with the US-CERT definition of TLP.

You can download a PDF version of this Threat Intelligence Bulletin here.

 

Recent Reports

In the past few days Trend Micro and FireEye have both released reports relating to similar activity:

  • Trend Micro[2] described spear-phishing emails containing links to malicious websites that deploy malware through apparent browser exploits, as well as phishing for web-mail credentials.
  • FireEye[3] recently described the use of exploits for CVE-2015-3043 (Adobe Flash Player) and CVE-2015-1701 (Windows kernel privilege escalation) in suspected Sofacy attacks.

Interestingly, despite using zero-day exploits for delivery, there is evidence that the attackers continue to use old variants of their malware[4].

PwC Threat Intelligence subscribers can refer to CTO-TIB-20150306B, published in March 2015, for further details on some of the novel methods we are currently seeing Sofacy employ and for the wider context to this activity.

Please review our earlier bulletin[5] or contact us for further information on analysis, targeting and recommended actions relating to Sofacy’s credential phishing.

 

Network Indicators

Below we list a number of domains for which you may wish to review your network logs (DNS, proxy and mail). The group typically registers domains of this kind for use in credential phishing and/or malware command and control.

This is a redacted list of domains that are likely related to Sofacy; related domains have also been observed by others[6], as well as in the reports cited above.

 

Appendix 1 Domains

TLP WHITE

defencereview[.]net
brnlv-gv[.]eu
militaryobserver[.]net
netassistcache[.]com
asus-service[.]net
aolnets[.]com
natopress[.]org
natopress[.]com
defencereview[.]eu
intelsupport[.]net
globalnewsweekly[.]com
osce-oscc[.]org
enisa-europa[.]com
enisa-europa[.]org
techcruncln[.]com
nato-hq[.]com
iacr-tcc[.]org
nato-int[.]com
nato-info[.]com
bmlv-gv[.]eu
foreignreview[.]com
mediarea[.]org
osce-military[.]org
europeanda[.]com
softupdates[.]info
settings-yahoo[.]com
settings-live[.]com
delivery-yahoo[.]com
privacy-yahoo[.]com
privacy-live[.]com
westinqhousenuclear[.]com
webmail.westinqhousenuclear[.]com
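The following script is an added example of how the Appendix 1 list can be run against DNS and proxy logs; it is not part of the original bulletin or PwC tooling. It refangs the published "[.]" notation, and matches a logged hostname when it equals an indicator or sits beneath it (so mail.nato-hq.com hits nato-hq.com), while refusing to match a benign look-alike such as the genuine westinghousenuclear.com or a host like nato-hq.com.example.org, where the indicator string appears but is not the registrable domain. The log lines are constructed for illustration; the log format, field names and IP addresses are assumptions.

```python
"""Match the Appendix 1 domain list against DNS and proxy log lines.

Added example for this bulletin, not PwC tooling. The log lines are
constructed for illustration; the indicators are the TLP WHITE domains
from Appendix 1, kept in their published defanged form.
"""
import re
from typing import Iterable, List, Optional, Set, Tuple

# TLP WHITE indicators from Appendix 1, as published (defanged with "[.]").
DEFANGED_INDICATORS = """
defencereview[.]net brnlv-gv[.]eu militaryobserver[.]net netassistcache[.]com
asus-service[.]net aolnets[.]com natopress[.]org natopress[.]com
defencereview[.]eu intelsupport[.]net globalnewsweekly[.]com osce-oscc[.]org
enisa-europa[.]com enisa-europa[.]org techcruncln[.]com nato-hq[.]com
iacr-tcc[.]org nato-int[.]com nato-info[.]com bmlv-gv[.]eu
foreignreview[.]com mediarea[.]org osce-military[.]org europeanda[.]com
softupdates[.]info settings-yahoo[.]com settings-live[.]com delivery-yahoo[.]com
privacy-yahoo[.]com privacy-live[.]com westinqhousenuclear[.]com
webmail.westinqhousenuclear[.]com
"""

# Constructed sample log lines (assumed format): four DNS queries and one
# proxy request. Lines 2 and 5 are benign look-alikes that must NOT match.
SAMPLE_LOGS = [
    "2015-04-20T10:02:11Z src=10.1.2.3 query=webmail.westinqhousenuclear.com type=A",
    "2015-04-20T10:02:15Z src=10.1.2.3 query=www.westinghousenuclear.com type=A",
    "2015-04-20T10:03:40Z src=10.1.2.7 GET http://settings-yahoo.com/login.php 200",
    "2015-04-20T10:04:02Z src=10.1.2.9 query=MAIL.NATO-HQ.COM type=MX",
    "2015-04-20T10:04:30Z src=10.1.2.9 query=nato-hq.com.example.org type=A",
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator back into a real, lower-cased hostname."""
    host = indicator.strip().lower()
    host = re.sub(r"^hxxps?://", "", host)  # drop a defanged scheme, if any
    for defang in ("[.]", "(.)", "{.}", "[dot]"):
        host = host.replace(defang, ".")
    return host.rstrip(".")


def load_indicators(text: str) -> Set[str]:
    """One indicator per whitespace-separated token."""
    return {refang(tok) for tok in text.split()}


def matching_indicator(hostname: str, indicators: Set[str]) -> Optional[str]:
    """Return the indicator that `hostname` equals or sits beneath, else None.

    Walks up the label hierarchy, so mail.nato-hq.com hits nato-hq.com,
    while nato-hq.com.example.org (a different registrable domain) does not.
    """
    labels = hostname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


# Loose hostname extractor for free-form log lines. It over-matches
# (e.g. it also yields "login.php"), which is harmless because every
# candidate is then looked up against the indicator set.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def scan_logs(lines: Iterable[str], indicators: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (log line, hostname seen, indicator matched) for every hit."""
    hits = []
    for line in lines:
        for host in HOST_RE.findall(line):
            matched = matching_indicator(host, indicators)
            if matched:
                hits.append((line.strip(), host.lower(), matched))
    return hits


INDICATORS = load_indicators(DEFANGED_INDICATORS)


def find_hits() -> List[Tuple[str, str, str]]:
    """Scan the constructed sample logs with the Appendix 1 list."""
    return scan_logs(SAMPLE_LOGS, INDICATORS)


if __name__ == "__main__":
    for line, host, matched in find_hits():
        print(f"HIT {host} -> {matched}\n    {line}")
```

Run as-is it reports three hits (the webmail host, settings-yahoo.com and mail.nato-hq.com) and ignores the two look-alikes. To use it in practice, replace SAMPLE_LOGS with lines read from your DNS resolver or proxy, and extend DEFANGED_INDICATORS with the TLP GREEN list if you receive it; the suffix walk in matching_indicator is what keeps subdomain hits while avoiding substring false positives.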

 

References
