Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns | Volexity
Common Information
Type Value
UUID f1b7c5c7-d180-4412-b858-34a9327f9920
Fingerprint ac31a9192b2b05c7
Analysis status DONE
Considered CTI value 2
Text language
Published May 27, 2021, midnight
Added to db Sept. 11, 2022, 12:39 p.m.
Last updated Nov. 18, 2024, 7:31 a.m.
Headline UNKNOWN
Title Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns | Volexity
Detected Hints/Tags/Attributes 56/3/49
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 396 Blog | Threat Intelligence & Memory Forensics | Volexity https://www.volexity.com/blog/feed/ 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 1
rs6.net
Details Domain 5
usaid.theyardservice.com
Details Domain 2
dni.gov
Details Domain 5
dataplane.theyardservice.com
Details Domain 5
cdn.theyardservice.com
Details Domain 5
static.theyardservice.com
Details Domain 7
worldhomeoutlet.com
Details Domain 1
refreshauthtoken-default-rtdb.firebaseio.com
Details Domain 7
theyardservice.com
Details File 5
tn.jsp
Details File 5
ica-declass.iso
Details File 4
ica-declass.pdf
Details File 5
documents.dll
Details File 3
document.dll
Details File 3
%windir%\syswow64\dllhost.exe
Details File 2
%windir%\sysnative\dllhost.exe
Details File 1
dbgview.dll
Details File 1
goog.dll
Details File 2
%s.json
Details md5 1
2f163ef9db5234bd45b49c41f2dbdb61
Details md5 1
29e2ef8ef5c6ff95e98bff095e63dc05
Details md5 2
1c3b8ae594cb4ce24c2680b47cebf808
Details md5 1
b40b30329489d342b2aa5ef8309ad388
Details md5 1
dcfd60883c73c3d92fceb6ac910d5b80
Details md5 1
cca50cd497970977a5e880f2e921db72
Details sha1 1
bf7b36c521e52093360a4df0dd131703b7b3d648
Details sha1 1
738c20a2cc825ae51b2a2f786248f850c8bab6f5
Details sha1 1
1cb1c2cd9f59d4e83eb3c950473a772406ec6f1a
Details sha1 2
1fb12e923bdb71a1f34e98576b780ab2840ba22e
Details sha1 1
38c99e8cd95f28b8d79b758cb940cf139e09f6ae
Details sha256 5
ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330
Details sha256 1
b041efb8ba2a88a3d172f480efa098d72eef13e42af6aa5fb838e6ccab500a7c
Details sha256 1
ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c
Details sha256 7
94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916
Details sha256 4
7d34f25ad8099bd069c5a04799299f17d127a3866b77ee34ffb59cfd36e29673
Details sha256 6
48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0
Details IPv4 6
83.171.237.173
Details IPv4 5
192.99.221.77
Details Pdb 3
c:\users\dev\desktop\나타나게 하다\dll6\x64\release\dll6.pdb
Details Threat Actor Identifier - APT 666
APT29
Details Url 2
https://r20.rs6.net/tn.jsp?f=001r6x5duwxla513it3wolvtyzj3ojypr9nwpwzkb3x68sgrfzuvnur4mdenuxj_c4poo1hx_rff79p1nsaze
Details Url 3
https://usaid.theyardservice.com/d
Details Url 1
https://dataplane.theyardservice.com/jquery-3.3.1.min.woff2
Details Url 1
https://cdn.theyardservice.com/jquery-3.3.1.min.woff2
Details Url 1
https://static.theyardservice.com/jquery-3.3.1.min.woff2
Details Url 1
https://worldhomeoutlet.com/jquery-3.3.1.min.woff2
Details Yara rule 1
// Loader rule for the APT29 sample referenced in meta.hash. Per the
// description, the loader stores its embedded payload with each adjacent
// byte pair swapped; the three strings below are the pair-swapped forms of
// otherwise ordinary plaintext, so they are unlikely to occur in benign code.
rule apt_win_flipflop_ldr : APT29 {
	meta:
		// author address appears redacted/obfuscated in this rendering of the rule
		author = " [email protected] "
		date = "2021-05-25"
		description = "A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload."
		hash = "ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330"
	strings:
		// "rijndael" with each byte pair swapped (the plaintext form appears in
		// the trojan_win_cobaltstrike rule on this page)
		$s1 = "irnjadle"
		// the uppercase alphabet with each adjacent pair swapped ("AB" -> "BA", ...)
		$s2 = "BADCFEHGJILKNMPORQTSVUXWZY"
		// "Microsoft Base Cryptographic Provider v1.0" with each byte pair swapped
		$s3 = "iMrcsofo taBesC yrtpgoarhpciP orived r1v0."
	condition:
		// all three swapped strings are required; a file missing any one does not match
		all of ($s*)
}
Details Yara rule 1
// Family rule for CobaltStrike. Tagged Commodity rather than APT29: per
// meta.description it identifies the CobaltStrike family itself, not the
// campaign-specific loader covered by apt_win_flipflop_ldr.
rule trojan_win_cobaltstrike : Commodity {
	meta:
		// author address appears redacted/obfuscated in this rendering of the rule
		author = " [email protected] "
		date = "2021-05-25"
		description = "The CobaltStrike malware family."
		hash = "b041efb8ba2a88a3d172f480efa098d72eef13e42af6aa5fb838e6ccab500a7c"
	strings:
		// printf-style format strings; `fullword` requires non-alphanumeric
		// characters (or string boundaries) on both sides of the match
		$s1 = "%s (admin)" fullword
		// ASCII: "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n
		// Content-Length: %d\r\n\r\n" followed by a NUL terminator (00)
		$s2 = { 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6F 63 74 65 74 2D 73 74 72 65 61 6D 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 25 64 0D 0A 0D 0A 00 }
		// looks like a date/time layout string; generic on its own
		$s3 = "d/d/d d:d:d" fullword
		$s4 = "%s as %s\\%s: %d" fullword
		$s5 = "%s&%s=%s" fullword
		// plaintext of the pair-swapped "irnjadle" matched by apt_win_flipflop_ldr
		$s6 = "rijndael" fullword
		// common C-runtime output; generic on its own
		$s7 = "(null)"
	condition:
		// every string $s1..$s7 must be present, so the generic strings
		// ($s3, $s7) cannot produce a match by themselves
		all of them
}
Details Yara rule 1
import "pe"

// FRESHFIRE downloader rule (see meta.description). The condition offers
// three independent match paths: a PE export signature (needs the `pe`
// module imported above), either of the two unique strings, or two of the
// three path/format strings.
rule apt_win_freshfire : APT29 {
	meta:
		// author address appears redacted/obfuscated in this rendering of the rule
		author = " [email protected] "
		date = "2021-05-27"
		description = "The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server."
		hash = "ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c"
	strings:
		$uniq1 = "UlswcXJJWhtHIHrVqWJJ"
		// includes the trailing NUL, so only a terminated copy of the string matches
		$uniq2 = "gyibvmt\x00"
		// printf-style templates for per-item JSON resources under root/time and root/data
		$path1 = "root/time/%d/%s.json"
		// YARA escaping: matches the single-backslash path C:\dell.sdr
		$path2 = "C:\\dell.sdr"
		$path3 = "root/data/%d/%s.json"
	condition:
		// export path: a PE with exactly one export, and that export is WaitPrompt;
		// string paths: any single $uniq* string, or at least two of the three $path* strings
		(pe.number_of_exports == 1 and pe.exports("WaitPrompt")) or any of ($uniq*) or 2 of ($path*)
}