The UNC2529 Triple Double: A Trifecta Phishing Campaign | Mandiant
Tags
cmtmf-attack-pattern: Application Layer Protocol; Command And Scripting Interpreter; Compromise Infrastructure; Develop Capabilities; Masquerading; Obfuscated Files Or Information; Obtain Capabilities; Process Injection
country: Australia; Russia
maec-delivery-vectors: Watering Hole
attack-pattern: Data Software Discovery - T1418; Application Layer Protocol - T1437; Archive Collected Data - T1560; Archive Collected Data - T1532; Archive Via Utility - T1560.001; Asymmetric Cryptography - T1521.002; Asymmetric Cryptography - T1573.002; Command And Scripting Interpreter - T1623; Compromise Infrastructure - T1584; Develop Capabilities - T1587; Digital Certificates - T1596.003; Digital Certificates - T1587.003; Digital Certificates - T1588.004; Dns - T1071.004; Dns - T1590.002; Domains - T1583.001; Domains - T1584.001; Email Addresses - T1589.002; File Deletion - T1070.004; File Deletion - T1630.002; Indicator Removal On Host - T1630; Javascript - T1059.007; Malicious Link - T1204.001; Malware - T1587.001; Malware - T1588.001; Masquerading - T1655; Obfuscated Files Or Information - T1406; Process Discovery - T1424; System Information Discovery - T1426; Msiexec - T1218.007; Obtain Capabilities - T1588; Phishing - T1660; Phishing - T1566; Powershell - T1059.001; Process Injection - T1631; Scheduled Task - T1053.005; Screen Capture - T1513; Server - T1583.004; Server - T1584.004; Software - T1592.002; Software Discovery - T1518; Spearphishing Link - T1566.002; Spearphishing Link - T1598.003; Visual Basic - T1059.005; Web Protocols - T1071.001; Web Protocols - T1437.001; Account Discovery - T1087; Standard Application Layer Protocol - T1071; Command-Line Interface - T1059; File Deletion - T1107; Indicator Removal On Host - T1070; Masquerading - T1036; Modify Registry - T1112; Obfuscated Files Or Information - T1027; Powershell - T1086; Process Discovery - T1057; Process Injection - T1055; Scheduled Task - T1053; Screen Capture - T1113; Spearphishing Link - T1192; System Information Discovery - T1082; System Owner/User Discovery - T1033; User Execution - T1204; Indicator Removal On Host; Masquerading; Screen Capture; User Execution
Common Information
UUID: 06136835-07f2-491d-b1f1-95831fff171c
Fingerprint: a414881344b30941
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: May 4, 2021, midnight
Added to db: Oct. 22, 2023, 11:22 p.m.
Last updated: Nov. 17, 2024, 6:56 p.m.
Headline: The UNC2529 Triple Double: A Trifecta Phishing Campaign
Title: The UNC2529 Triple Double: A Trifecta Phishing Campaign | Mandiant
Detected Hints/Tags/Attributes: 160/4/133
RSS Feed
Id | Enabled | Feed title | Url | Added to db
330 | | Threat Intelligence | https://www.mandiant.com/resources/blog/rss.xml | 2024-08-30 22:08
Attributes
Type | #Events | Value
Domain | 1 | totallyhealth-wealth.com
Domain | 1 | p-leh.com
Domain | 1 | clanvisits.com
Domain | 1 | klikbets.net
Domain | 1 | lasartoria.net
Domain | 1 | towncentrehotels.com
Domain | 1 | barrel1999.com
Domain | 1 | widestaticsinfo.com
Domain | 1 | secureinternet20.com
Domain | 1 | adsinfocoast.com
Domain | 1 | adupla.net
Domain | 1 | aibemarle.com
Domain | 1 | ceylonbungalows.net
Domain | 1 | bestwalletforbitcoin.com
Domain | 1 | chandol.com
Domain | 1 | bitcoinsacks.com
Domain | 1 | closetdeal.com
Domain | 1 | digitalagencyleeds.com
Domain | 1 | daldhillon.com
Domain | 1 | erbilmarriott.com
Domain | 1 | desmoncreative.com
Domain | 1 | ethernetpedia.com
Domain | 1 | farmpork.com
Domain | 1 | fileamazon.com
Domain | 1 | gemralph.com
Domain | 1 | gamesaccommodationscotland.com
Domain | 1 | isjustlunch.com
Domain | 1 | greathabibgroup.com
Domain | 1 | logicmyass.com
Domain | 1 | infomarketx.com
Domain | 1 | lottoangels.com
Domain | 1 | jagunconsult.com
Domain | 1 | mangoldsengers.com
Domain | 1 | khodaycontrolsystem.com
Domain | 1 | oconeeveteransmemorial.com
Domain | 1 | maninashop.com
Domain | 1 | scottishhandcraft.com
Domain | 1 | onceprojects.com
Domain | 1 | seathisons.com
Domain | 1 | simcardhosting.com
Domain | 1 | skysatcam.com
Domain | 1 | stayzarentals.com
Domain | 1 | smartnhappy.com
Domain | 1 | touristboardaccommodation.com
Domain | 1 | stepearn.com
Domain | 1 | towncentrehotel.com
Domain | 1 | sugarmummylove.com
Domain | 1 | vacuumcleanerpartsstore.com
Domain | 1 | techooze.com
Domain | 1 | zmrtu.com
Domain | 1 | tigertigerbeads.com
Domain | 1 | towncenterhotel.com
Domain | 1 | uaeworkpermit.com
Domain | 6 | backdoor.win
Domain | 18 | generic.mg
File | 1 | document_ohio_client-id_8902.zip
File | 1 | update_java.dat
File | 3 | mini.dat
File | 11 | client.php
File | 2 | ps1.dat
File | 1208 | powershell.exe
File | 409 | c:\windows\system32\cmd.exe
File | 269 | msiexec.exe
File | 50 | hashlib.md5
File | 119 | avp.exe
File | 27 | avpui.exe
File | 42 | bdagent.exe
File | 1 | bdservbdagent.exe
File | 8 | bdservicehost.exe
File | 9 | downloader.js
File | 3 | dropper.ps1
File | 17 | malware.bin
File | 1 | ary.xls
File | 52 | trojan.js
md5 | 1 | 39fc804566d02c35f3f9d67be52bee0d
md5 | 1 | 44f7af834ee7387ac5d99a676a03cfdd
md5 | 1 | 4e5583e34ad54fa7d1617f400281ba56
md5 | 1 | e80dc4c3e26deddcc44e66bb19b6fb58
md5 | 1 | 169c4d96138d3ff73097c2a9aab5b1c0
md5 | 1 | e70502d020ba707095d46810fd32ee49
md5 | 1 | 62fb99dc271abc104504212157a4ba91
md5 | 1 | 1d3fcb7808495bd403973a0472291da5
md5 | 1 | 6a1da7ee620c638bd494f4e24f6f1ca9
md5 | 1 | a28236b43f014c15f7ad4c2b4daf1490
md5 | 1 | d594b3bce66b8b56881febd38aa075fb
md5 | 1 | 4b32115487b4734f2723d461856af155
md5 | 1 | 9e3f7e6697843075de537a8ba83da541
md5 | 1 | cc17e0a3a15da6a83b06b425ed79d84c
md5 | 1 | 1aeecb2827babb42468d8257aa6afdeb
md5 | 1 | 1bdf780ea6ff3abee41fe9f48d355592
md5 | 1 | 1f285e496096168fbed415e6496a172f
md5 | 1 | 6a3a0d3d239f04ffd0666b522b8fcbaa
md5 | 1 | ce02ef6efe6171cd5d1b4477e40a3989
md5 | 1 | fa9e686b811a1d921623947b8fd56337
Mandiant Uncategorized Groups | 1 | UNC2529
MITRE ATT&CK Techniques | 56 | T1587
MITRE ATT&CK Techniques | 26 | T1587.003
MITRE ATT&CK Techniques | 145 | T1588
MITRE ATT&CK Techniques | 18 | T1588.004
MITRE ATT&CK Techniques | 409 | T1566
MITRE ATT&CK Techniques | 183 | T1566.002
MITRE ATT&CK Techniques | 420 | T1204
MITRE ATT&CK Techniques | 106 | T1204.001
MITRE ATT&CK Techniques | 695 | T1059
MITRE ATT&CK Techniques | 137 | T1059.005
MITRE ATT&CK Techniques | 93 | T1059.007
MITRE ATT&CK Techniques | 440 | T1055
MITRE ATT&CK Techniques | 247 | T1070
MITRE ATT&CK Techniques | 297 | T1070.004
MITRE ATT&CK Techniques | 627 | T1027
MITRE ATT&CK Techniques | 550 | T1112
MITRE ATT&CK Techniques | 230 | T1033
MITRE ATT&CK Techniques | 433 | T1057
MITRE ATT&CK Techniques | 1006 | T1082
MITRE ATT&CK Techniques | 179 | T1087
MITRE ATT&CK Techniques | 185 | T1518
MITRE ATT&CK Techniques | 219 | T1113
MITRE ATT&CK Techniques | 157 | T1560
MITRE ATT&CK Techniques | 116 | T1560.001
MITRE ATT&CK Techniques | 444 | T1071
MITRE ATT&CK Techniques | 442 | T1071.001
MITRE ATT&CK Techniques | 74 | T1573.002
Url | 1 | http://totallyhealth-wealth.com/downld-id_mw
Url | 1 | http://p-leh.com/update_java.dat
Url | 1 | http://clanvisits.com/mini.dat
Url | 1 | https://klikbets.net/admin/client.php
Url | 1 | https://lasartoria.net/admin/client.php
Url | 1 | https://towncentrehotels.com/ps1.dat
Url | 1 | https://barrel1999.com/admin4/client.php
Url | 1 | https://widestaticsinfo.com/admin4/client.php
Url | 1 | https://secureinternet20.com/admin5/client.php
Url | 1 | https://adsinfocoast.com/admin5/client.php
Windows Registry Key | 7 | HKLM\Software\Classes\CLSID
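The attribute table above is only useful once it is turned into a sweep. The following Python is an added example, not code from the Mandiant post or from this record's source; it takes the URLs, the MD5 hashes and the ten domains that also appear as full C2 URLs on this page, and runs them over a constructed proxy log and a constructed hash list. The proxy-log and hash-list formats are assumptions, and the path shape `/admin<digits>/client.php` is a generalisation from the six `client.php` URLs listed above, reported only as a low-confidence hit. The wider domain list, and in particular the `backdoor.win` and `generic.mg` rows, which look like fragments of detection names rather than hostnames, is left out deliberately and should be vetted before it is used for blocking.

```python
"""IOC sweep: match the indicators listed on this page against sample logs.

Added example (not part of the original record). The proxy-log and hash-list
formats are assumptions; the indicators themselves are copied from the page.
"""
import re
from urllib.parse import urlparse

# Domains that also appear as full C2 URLs on this page (the wider domain list
# on the page needs vetting before it is used for blocking).
C2_DOMAINS = {
    "totallyhealth-wealth.com", "p-leh.com", "clanvisits.com", "klikbets.net",
    "lasartoria.net", "towncentrehotels.com", "barrel1999.com",
    "widestaticsinfo.com", "secureinternet20.com", "adsinfocoast.com",
}

C2_URLS = {
    "http://totallyhealth-wealth.com/downld-id_mw",
    "http://p-leh.com/update_java.dat",
    "http://clanvisits.com/mini.dat",
    "https://klikbets.net/admin/client.php",
    "https://lasartoria.net/admin/client.php",
    "https://towncentrehotels.com/ps1.dat",
    "https://barrel1999.com/admin4/client.php",
    "https://widestaticsinfo.com/admin4/client.php",
    "https://secureinternet20.com/admin5/client.php",
    "https://adsinfocoast.com/admin5/client.php",
}

MD5S = set("""
39fc804566d02c35f3f9d67be52bee0d 44f7af834ee7387ac5d99a676a03cfdd
4e5583e34ad54fa7d1617f400281ba56 e80dc4c3e26deddcc44e66bb19b6fb58
169c4d96138d3ff73097c2a9aab5b1c0 e70502d020ba707095d46810fd32ee49
62fb99dc271abc104504212157a4ba91 1d3fcb7808495bd403973a0472291da5
6a1da7ee620c638bd494f4e24f6f1ca9 a28236b43f014c15f7ad4c2b4daf1490
d594b3bce66b8b56881febd38aa075fb 4b32115487b4734f2723d461856af155
9e3f7e6697843075de537a8ba83da541 cc17e0a3a15da6a83b06b425ed79d84c
1aeecb2827babb42468d8257aa6afdeb 1bdf780ea6ff3abee41fe9f48d355592
1f285e496096168fbed415e6496a172f 6a3a0d3d239f04ffd0666b522b8fcbaa
ce02ef6efe6171cd5d1b4477e40a3989 fa9e686b811a1d921623947b8fd56337
""".split())

# Generalisation (assumption): the six client.php URLs above share the path
# shape /admin<digits>/client.php, so an unlisted host with that path is
# reported as a low-confidence hit rather than ignored.
CLIENT_PHP = re.compile(r"^/admin\d*/client\.php$")


def check_url(url):
    """Return (confidence, reason) if a URL matches an indicator, else None."""
    p = urlparse(url.strip())
    host = (p.hostname or "").lower()            # hostname drops port and case
    path = p.path or "/"
    canon = f"{p.scheme.lower()}://{host}{path}"  # query string deliberately dropped
    if canon in C2_URLS:
        return ("high", "exact C2 URL")
    # Match the domain itself and any subdomain, but not look-alike suffixes.
    if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
        return ("high", f"C2 domain {host}")
    if CLIENT_PHP.match(path):
        return ("low", "path shape matches C2 URLs on this page")
    return None


def sweep_proxy(lines):
    """Assumed proxy format: '<timestamp> <client-ip> <method> <url> <status>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue                      # malformed line: skip, do not crash
        verdict = check_url(parts[3])
        if verdict:
            hits.append({"line": n, "client": parts[1], "url": parts[3],
                         "confidence": verdict[0], "reason": verdict[1]})
    return hits


def sweep_hashes(lines):
    """Assumed hash-list format: '<path> <md5>' (digest case-insensitive)."""
    hits = []
    for n, line in enumerate(lines, 1):
        path, _, digest = line.strip().rpartition(" ")
        if digest.lower() in MD5S:
            hits.append({"line": n, "path": path, "md5": digest.lower()})
    return hits


# Constructed sample input (not real telemetry).
SAMPLE_PROXY_LINES = """\
2021-05-03T10:14:22Z 10.1.2.33 GET http://p-leh.com/update_java.dat 200
2021-05-03T10:14:25Z 10.1.2.33 GET https://cdn.KLIKBETS.net:443/admin/client.php 200
2021-05-03T10:15:01Z 10.1.2.40 GET https://example.org/admin5/client.php 404
2021-05-03T10:16:09Z 10.1.2.41 GET https://www.example.com/index.html 200
malformed line
""".splitlines()

SAMPLE_HASH_LINES = r"""
C:\Users\a\Downloads\invoice.zip 39FC804566D02C35F3F9D67BE52BEE0D
C:\Windows\System32\calc.exe 0123456789abcdef0123456789abcdef
""".strip().splitlines()

if __name__ == "__main__":
    for hit in sweep_proxy(SAMPLE_PROXY_LINES) + sweep_hashes(SAMPLE_HASH_LINES):
        print(hit)
```

The three checks are ordered from strongest to weakest so a hit carries the most specific reason available: an exact URL first, then the host or any subdomain of a listed domain (the `"." + d` suffix test keeps `notp-leh.com` from matching `p-leh.com`), and finally the bare path shape, which on its own is only a lead to triage. Ports and upper-case hostnames are normalised before comparison, which is why the `cdn.KLIKBETS.net:443` line still matches.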