#1275981: Iranian phishing against Universities - Additional IOCs

Description: In March 2018, the U.S. Department of Justice indicted the Mabna Institute and nine Iranian associates for compromising hundreds of universities to steal intellectual property and benefit financially. Secureworks® Counter Threat Unit™ (CTU) researchers assigned the name COBALT DICKENS to this likely Iranian government-directed threat group. Despite this indictment and other disclosures of COBALT DICKENS campaigns, the threat group (also known as Silent Librarian) shows no signs of stopping its activity as of this publication. CTU™ researchers have observed the threat actors using free online services as part of their operations, including free certificates, domains, and publicly available tools.

REFERENCES:
https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again
https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff
First Aid: IOCs (516 in total; a selection is provided here). Most of the hostnames below follow one pattern: the target institution's real login, SSO or library-proxy hostname (e.g. weblogin.utoronto.ca, login.libproxy.kcl.ac.uk) is prepended as subdomain labels to an attacker-registered domain, mostly in free TLDs such as .ml, .cf and .gq. That pattern, rather than the individual domains, is what to hunt for in DNS and proxy logs, since the registered domains change between campaigns.

hostname mail.unir.gq
hostname weblogin.utoronto.ca.mlibo.ml
hostname www.weblogin.utoronto.ca.mlibo.ml
hostname magellan.cc.sunysb.mlibo.ml
hostname www.magellan.cc.sunysb.mlibo.ml
hostname login.libproxy.kcl.ac.uk.elll.cf
hostname login.silk.library.umass.edu.elll.cf
hostname www.login.silk.library.umass.edu.elll.cf
hostname login.proxy.lib.uiowa.edu.elll.cf
hostname login.ezproxy.uta.edu.zedviros.ir
hostname uthidp.uth.edu.elll.cf
hostname elearning.villanova.euca.cf
hostname www.login.libproxy.kcl.ac.uk.elll.cf
hostname libcat.library.qut.nsae.ml
hostname www.login.proxy.lib.uiowa.edu.elll.cf
hostname www.libcat.library.qut.nsae.ml
hostname www.uthidp.uth.edu.elll.cf
hostname login.ezproxy3.lhl.uab.edu.flil.cf
hostname sso.id.kent.ac.uk.ills.cf
hostname login.oregonstate.edu.flil.cf
hostname www.sso.id.kent.ac.uk.ills.cf
hostname shib.ncsu.edu.lllf.nl
hostname login.ucsc.edu.jlll.cf
hostname shibboleth.sc.edu.lllf.nl
hostname login.www.libproxy.wvu.edu.jlll.cf
hostname login.ki.se.lllf.nl
hostname www.lib.hku.hk.jlll.cf
hostname moodle.vle.monash.nuec.ml
hostname www.login.ucsc.edu.jlll.cf
hostname www.moodle.vle.monash.nuec.ml
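The lookalike pattern in the list above can be detected generically rather than by exact-matching each IOC. The following is an added example (not code from the advisory or from Secureworks) of a triage check that flags any hostname embedding a protected institution's registrable domain, label-aligned, under a different registered domain. The LEGIT_DOMAINS allow-list and the SAMPLE inputs are constructed for the demo; MIN_ORG_LABEL and the verdict names are this example's own conventions. It deliberately does not use the Public Suffix List, so "registered domain" is simply whatever follows the embedded legitimate name.

```python
import re

# Constructed allow-list of the institutions' registrable domains (an
# assumption for this example; a defender would load their own list).
LEGIT_DOMAINS = [
    "utoronto.ca", "sunysb.edu", "kcl.ac.uk", "umass.edu", "uiowa.edu",
    "uta.edu", "uth.edu", "villanova.edu", "qut.edu.au", "uab.edu",
    "kent.ac.uk", "oregonstate.edu", "ncsu.edu", "ucsc.edu", "sc.edu",
    "wvu.edu", "ki.se", "hku.hk", "monash.edu",
]

# Shortest organisation label we are willing to match on its own; shorter
# labels ("sc", "uta") appear too often in unrelated hostnames.
MIN_ORG_LABEL = 4

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile("^" + _LABEL + r"(?:\." + _LABEL + ")*$")


def normalize(hostname):
    """Lower-case, drop a trailing dot and a leading 'www.', validate syntax."""
    host = hostname.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"not a valid hostname: {hostname!r}")
    return host


def _ends_with_domain(labels, dom_labels):
    return len(labels) >= len(dom_labels) and labels[-len(dom_labels):] == dom_labels


def _embedded(labels, needle):
    """True if needle (a list of labels) occurs label-aligned inside labels
    but not as the suffix, i.e. the real registered domain is something else."""
    n = len(needle)
    return any(labels[i:i + n] == needle for i in range(len(labels) - n))


def classify(hostname, legit_domains=LEGIT_DOMAINS):
    """Return (verdict, matched_domain).

    verdict is one of:
      'legitimate'     host is under one of the legit domains
      'lookalike'      a full legit domain is embedded under another registered domain
      'lookalike-weak' only the organisation label (e.g. 'monash') is embedded
      'unrelated'      no overlap
    """
    labels = normalize(hostname).split(".")
    for dom in legit_domains:
        if _ends_with_domain(labels, dom.split(".")):
            return "legitimate", dom
    for dom in legit_domains:
        if _embedded(labels, dom.split(".")):
            return "lookalike", dom
    for dom in legit_domains:
        org = dom.split(".")[0]
        if len(org) >= MIN_ORG_LABEL and _embedded(labels, [org]):
            return "lookalike-weak", dom
    return "unrelated", None


def triage(hostnames, legit_domains=LEGIT_DOMAINS):
    """Bucket a batch of observed hostnames (e.g. from passive DNS or proxy
    logs) by verdict, so the lookalikes can be pushed to a blocklist."""
    buckets = {"legitimate": [], "lookalike": [], "lookalike-weak": [], "unrelated": []}
    for h in hostnames:
        verdict, _ = classify(h, legit_domains)
        buckets[verdict].append(normalize(h))
    return buckets


# Constructed sample: hostnames from the IOC list above plus two benign ones.
SAMPLE = [
    "weblogin.utoronto.ca.mlibo.ml",
    "www.login.libproxy.kcl.ac.uk.elll.cf",
    "moodle.vle.monash.nuec.ml",
    "login.ezproxy.uta.edu.zedviros.ir",
    "weblogin.utoronto.ca",
    "mail.unir.gq",
]

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE).items():
        for h in hosts:
            print(f"{verdict:15} {h}")
```

The full-domain match is the strong signal and catches even two-letter organisations (login.ki.se.lllf.nl is flagged against ki.se). The organisation-label match covers IOCs where the actor dropped the TLD (moodle.vle.monash.nuec.ml) but is noisier, hence the separate verdict and the length threshold. Hyphenated or typo variants (login-utoronto.ca) are not label-aligned and are out of scope for this check.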
More info: https://otx.alienvault.com/pulse/5d78eaf37b37c503fb07d45a?source=email_notification

Date added Sept. 11, 2019, 6:23 p.m.
Source AlienVault
Subjects
  • . APTs - Advanced Persistent Threats - New Reports in
  • . APTs - Iran - New Reports in
  • Iran - Cobalt Dickens
  • Phishing Alerts - Non-Banking