SecureWorks: Domains Linked to Phishing Attacks Targeting Ukraine

Secureworks® Counter Threat Unit™ (CTU) researchers investigated a warning from the Computer Emergency Response Team of Ukraine (CERT-UA) about phishing activity, posted on Facebook on February 25, 2022 (see Figure 1). CERT-UA attributed the activity to the Minsk-based threat group UNC1151, which is reported to be linked to the Belarusian government and responsible for the Ghostwriter influence campaigns. At the time of publication, CTU™ researchers have not validated that attribution. CTU researchers attribute this activity to the MOONSCAPE threat group.


Figure 1. CERT-UA issues warning on Facebook against phishing attacks. (Source: SecureWorks)

The crude phishing message lures the target into clicking a malicious link. The original messages may have included images that were not reproduced in the Facebook post.

CTU researchers analyzed the two domains listed in the Facebook post and, pivoting on passive WHOIS and DNS data, identified seven additional domains. The cluster uses the .space top-level domain (TLD), shares the registrant name "Apolena Zorka", was registered through Public Domain Registry Ltd., and is primarily hosted behind Cloudflare infrastructure. Each domain fits a small set of themes that are typical of MOONSCAPE infrastructure: news portals, email validation, cloud services, and government entities. The Apolena Zorka cluster mixes generic email-validation lures with spoofs of popular Ukrainian news services (see Figure 2), which suggests the sites were built for Ukrainian targets, including those that triggered the CERT-UA warning.


Figure 2. Apolena Zorka domain group used in phishing attacks against Ukrainian targets. (Source: SecureWorks)

CTU researchers identified another set of domains with characteristics similar to the Apolena Zorka cluster, but registered under the name "Radka Dominika" (see Figure 3). These domains follow the same themes but use the Polish words for verification (weryfikacja) and validation (walidacja) in several generic email-validation domains. Another domain in the set, ron-mil . space, spoofs the legitimate domain of the Polish Ministry of National Defense (ron . mil . pl).


Figure 3. Radka Dominika domain group likely used in phishing attacks against Polish-speaking targets. (Source: SecureWorks)

Ordering the domains by creation date shows the threat actors alternating between domains aligned with Ukrainian targets and domains likely aligned with Polish-speaking targets, at a steady cadence of new registrations (see Figure 4). This pattern likely reflects operational rotation across multiple target demographics.


Figure 4. Domains associated with MOONSCAPE ordered by creation date. (Source: SecureWorks)

MOONSCAPE creates new infrastructure but keeps a preference for specific keywords and reuses older infrastructure. For example, verify-email . space was created on February 2 and resolves to IP address 185 . 244 . 180 . 13. That IP also hosted ua-passport . site, created on June 22, 2021, which apart from its TLD is identical to ua-passport . space, registered on December 15, 2021.

MOONSCAPE has been running phishing campaigns for years, targeting military, diplomatic and government personnel in NATO countries in Eastern Europe such as Poland, Lithuania and Latvia, as well as countries bordering Belarus such as Ukraine. The February phishing attacks demonstrate that the group’s espionage activity continues and potentially contributes to intelligence gathering on Ukrainian entities in support of the Russian military invasion of Ukraine that began on February 24, 2022.

To mitigate exposure to this threat, CTU researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 1. The domains may host malicious content, so consider the risks before opening them in a browser.

| Indicator | Type | Context |
|---|---|---|
| ua-passport.space | Domain name | Used in MOONSCAPE phishing attacks targeting Ukrainian government and military personnel |
| bigmir.space | Domain name | Used in MOONSCAPE phishing attacks targeting Ukrainian government and military personnel |
| mirrorhost.space | Domain name | Linked to MOONSCAPE phishing attacks targeting Ukrainian government and military personnel |
| mil-gov.space | Domain name | Linked to MOONSCAPE phishing attacks targeting Ukrainian government and military personnel |
| verify-email.space | Domain name | Linked to MOONSCAPE phishing attacks targeting Ukrainian government and military personnel |
| check-mail.space | Domain name | Linked to MOONSCAPE phishing attacks targeting Ukrainian government and military personnel |
| credits-email.space | Domain name | Linked to MOONSCAPE phishing attacks targeting Ukrainian government and military personnel |
| meta-ua.space | Domain name | Linked to MOONSCAPE phishing attacks targeting Ukrainian government and military personnel |
| i-ua.space | Domain name | Linked to MOONSCAPE phishing attacks targeting Ukrainian government and military personnel |
| kontrola-poczty.space | Domain name | Linked to MOONSCAPE phishing attacks targeting Polish speakers |
| walidacja-poczty.space | Domain name | Linked to MOONSCAPE phishing attacks targeting Polish speakers |
| weryfikacja-poczty.space | Domain name | Linked to MOONSCAPE phishing attacks targeting Polish speakers |
| konto-verify.space | Domain name | Linked to MOONSCAPE phishing attacks targeting Polish speakers |
| weryfikacja-konta.space | Domain name | Linked to MOONSCAPE phishing attacks targeting Polish speakers |
| walidacja-uzytkownika.space | Domain name | Linked to MOONSCAPE phishing attacks targeting Polish speakers |
| akademia-mil.space | Domain name | Linked to MOONSCAPE phishing attacks targeting Polish speakers |
| ron-mil.space | Domain name | Linked to MOONSCAPE phishing attacks targeting Polish speakers |

Table 1. Indicators of this threat.
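The following script shows how to put Table 1 to work against DNS or proxy telemetry, and how to pivot on the label-reuse habit described above (ua-passport . site alongside ua-passport . space). It is an added example, not Secureworks CTU code. The indicator list is copied from Table 1; the log lines and their format (timestamp, client IP, queried name) are constructed for this example and do not come from any real environment. Matching is done on label suffixes rather than substrings so that a subdomain of an indicator is caught while a look-alike such as notverify-email.space is not.

```python
"""Match and pivot on MOONSCAPE phishing-domain indicators (added example, not CTU code)."""
from __future__ import annotations

import re

# Indicators copied from Table 1 of the article.
MOONSCAPE_DOMAINS = frozenset({
    "ua-passport.space", "bigmir.space", "mirrorhost.space", "mil-gov.space",
    "verify-email.space", "check-mail.space", "credits-email.space",
    "meta-ua.space", "i-ua.space",
    "kontrola-poczty.space", "walidacja-poczty.space", "weryfikacja-poczty.space",
    "konto-verify.space", "weryfikacja-konta.space", "walidacja-uzytkownika.space",
    "akademia-mil.space", "ron-mil.space",
})

# Constructed DNS log: "timestamp client qname" per line (format is an assumption).
SAMPLE_DNS_LOG = """\
2022-02-25T09:58:11Z 10.20.1.14 www.pravda.com.ua
2022-02-25T09:59:40Z 10.20.1.14 verify-email.space
2022-02-25T10:01:02Z 10.20.3.7 login.weryfikacja-poczty.space
2022-02-25T10:02:55Z 10.20.3.7 mail.google.com
2022-02-25T10:04:13Z 10.20.5.2 notverify-email.space
2022-02-25T10:05:30Z 10.20.5.2 ron-mil.space.
"""


def normalize(host: str) -> str:
    """Lower-case; undo common defanging; drop scheme, path, port and trailing dot."""
    host = host.strip().lower().replace("[.]", ".").replace(" . ", ".")
    host = re.sub(r"^[a-z]+://", "", host)          # http://, hxxp://, ...
    host = host.split("/", 1)[0].split(":", 1)[0]   # path, port
    return host.rstrip(".")


def matches_indicator(host: str, indicators=MOONSCAPE_DOMAINS) -> str | None:
    """Return the indicator that host equals or is a subdomain of, else None.

    Walks label suffixes (a.b.c -> a.b.c, b.c) so login.verify-email.space
    hits verify-email.space, while notverify-email.space does not. The bare
    TLD is never tested, so 'space' alone can never match.
    """
    labels = normalize(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan_dns_log(text: str, indicators=MOONSCAPE_DOMAINS) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, indicator) for every matching log line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                                 # skip blank or malformed lines
        ts, client, qname = parts[0], parts[1], parts[2]
        indicator = matches_indicator(qname, indicators)
        if indicator:
            hits.append((ts, client, normalize(qname), indicator))
    return hits


def related_by_label(domain: str, indicators=MOONSCAPE_DOMAINS) -> list[str]:
    """Pivot for the label-reuse pattern: indicators whose registrable label equals
    the candidate's label under a different TLD (ua-passport.site vs ua-passport.space).

    Assumption: the last label is the TLD, so two-label suffixes such as .com.ua
    are not handled; use a public-suffix list for production triage.
    """
    host = normalize(domain)
    labels = host.split(".")
    if len(labels) < 2:
        return []
    label = labels[-2]
    return sorted(i for i in indicators if i.split(".")[-2] == label and i != host)


if __name__ == "__main__":
    for ts, client, qname, indicator in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried {qname} -> matches {indicator}")
    print("ua-passport.site relates to:", related_by_label("ua-passport.site"))
```

On the constructed log the scan reports three clients: the two direct queries, the subdomain query, and the trailing-dot FQDN form, and it ignores the notverify-email.space look-alike. The pivot function is deliberately narrow, because broad keyword matching on tokens like "email" or "verify" would flood a triage queue; it only flags exact label reuse across TLDs, which is the specific habit the article documents.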
