Exposing FBI’s Most Wanted Iran’s Mabna Hackers – An OSINT Analysis
Dear blog readers,
In this post I've decided to share actionable intelligence on the online infrastructure used by Iran's Mabna Hackers, who are on the FBI's Most Wanted list, to assist everyone working on cyber attack and threat actor attribution.
Sample hostnames showing the URL structure of the campaign's rogue and fraudulent phishing infrastructure:
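As an added example (not the post's own tooling), the following Python flags hostnames built the way the samples above are: a campus login, proxy or library hostname prepended to an unrelated throwaway registrable domain. The suffix table, auth-style label prefixes and institution allowlist are constructed assumptions a defender would replace with their own data; input may be defanged with [.] as in the post.

```python
"""Flag hostnames that embed a university login/library name under a throwaway
registrable domain, the structure shown in the post. Added illustration with
constructed rule tables; it is not the post's own tooling."""

ACADEMIC_SUFFIXES = {"edu", "ac.uk", "edu.au", "edu.sg", "edu.jo"}
# Label prefixes typical of campus authentication / library proxy hosts.
AUTH_PREFIXES = ("ezproxy", "ezpa", "shib", "login", "weblogin", "sso", "cas",
                 "lib", "webauth", "passport", "moodle", "illiad", "webcat")
# Constructed allowlist; a defender fills this with their own institutions.
KNOWN_INSTITUTIONS = {"epfl.ch", "usherbrooke.ca", "uchicago.edu", "ntu.edu.sg"}


def split_registrable(host):
    """Return (subdomain_labels, registrable_domain) using a tiny suffix table."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in ACADEMIC_SUFFIXES else 2
    return labels[:-n], ".".join(labels[-n:])


def impersonation_reason(host):
    """Return why `host` looks like a spoofed academic login host, or None."""
    host = host.replace("[.]", ".")      # accept defanged input as in the post
    prefix, reg = split_registrable(host)
    if "." not in reg or not prefix:
        return None                      # bare domain: nothing is being embedded
    if reg.split(".", 1)[1] in ACADEMIC_SUFFIXES:
        return None                      # genuinely registered under .edu, .ac.uk, ...
    # Rule 1: an academic TLD label buried in the subdomain, e.g. *.edu.seae.tk
    if any(label in ("edu", "ac") for label in prefix):
        return "embedded academic TLD under " + reg
    # Rule 2: a known institution's domain appears as a window of subdomain labels
    for i in range(len(prefix)):
        for j in range(i + 1, len(prefix) + 1):
            if ".".join(prefix[i:j]) in KNOWN_INSTITUTIONS:
                return "embedded institution " + ".".join(prefix[i:j])
    # Rule 3: campus auth/proxy naming on a non-academic throwaway domain
    if any(label.startswith(AUTH_PREFIXES) for label in prefix):
        return "auth-style label under " + reg
    return None


def scan(hosts):
    """Map each flagged hostname to its reason; clean hosts are omitted."""
    return {h: r for h in hosts for r in [impersonation_reason(h)] if r}
```

Bare attacker domains such as `mail[.]ulibr[.]ga` carry no impersonated name and are not flagged by these rules; they belong on a blocklist instead, which is what the post's indicator list is for.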
Stay tuned!
*** This is a Security Bloggers Network syndicated blog from Dancho Danchev's Blog - Mind Streams of Information Security Knowledge authored by Dancho Danchev. Read the original post at: http://ddanchev.blogspot.com/2022/01/exposing-fbis-most-wanted-irans-mabna.html