DNS Deep Dive: TA416 European Government Espionage Campaigns

Proofpoint reported that TA416 has resumed espionage campaigns targeting European governments, and the research identified extensive DNS and email infrastructure linked to the activity. The investigation also surfaced new malicious artifacts, including domains connected to phishing and malware distribution such as 100viagra[.]com, cisco-us[.]com, and downloadfreak[.]top.

Keypoints

  • Proofpoint said TA416 resumed espionage operations against European government targets about a month before the report.
  • The research analyzed 96 network IoCs and the authors narrowed them to 91 unique items for deeper analysis.
  • DNS and infrastructure analysis uncovered 122 unique client IP addresses communicating with five domain IoCs and multiple bulk-registered look-alike domains.
  • Subdomain review showed several entries hosted on legitimate infrastructure but flagged as suspicious or confirmed malware hosts, including zones under web.core.windows.net.
  • WHOIS and DNS Chronicle data showed the domain set had long-lived historical activity, with 15,317 domain-to-IP resolutions recorded over time.
  • Seven email IoCs were examined, but only two remained active and both were Gmail addresses.
  • Further hunting found 45,197 email-connected domains, 15 of which were already weaponized for phishing or malware distribution.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – TA416 used numerous domains and look-alike registrations to support campaign infrastructure (‘three domain IoCs were bulk-registered with 5–15 look-alikes each’).
  • [T1584.001] Compromise Infrastructure: Domains – The activity leveraged domain infrastructure that had been previously associated with malicious use and continued resolution (‘confirmed malicious hostnames’ and ‘active to this year’).
  • [T1036] Masquerading – Some domains and subdomains appeared designed to imitate legitimate services or organizations (‘possibly impersonates Google’ and look-alike domains in typosquatting groups).
  • [T1566] Phishing – Malicious email-connected domains were explicitly associated with phishing campaigns (‘chjq168[.]com’ and ‘e-brane[.]com’ were linked to Phishing).
  • [T1588.001] Obtain Capabilities: Malware – Infrastructure was linked to malware distribution, indicating delivery support for malicious payloads (‘flagged for malware distribution’ and ‘confirmed malware host’).
  • [T1090] Proxy: External Proxy – The analysis highlighted client IPs and DNS communications through hosted infrastructure consistent with remote access and routing through intermediary systems (‘122 unique client IP addresses … communicated with five of the domain IoCs’).

Indicators of Compromise

  • [Subdomains] TA416-related subdomain infrastructure, some hosted under Microsoft Azure's shared web.core.windows.net static-website zone – attd[.]z23[.]web[.]core[.]windows[.]net, filestoretome[.]z23[.]web[.]core[.]windows[.]net, and other suspicious subdomains
  • [Domains] Domain IoCs and look-alike registrations used in typosquatting and DNS activity – subusiness[.]org, aaitile[.]com, and bobbush[.]org
  • [Email addresses] Email IoCs examined for activity and registration use – Gmail-based addresses; two remained active
  • [IP addresses] Client and infrastructure IPs observed in DNS and domain-to-IP resolution data – 122 unique client IP addresses, 69 unique IP addresses
  • [Email-connected domains] Domains derived from historical email records, some weaponized – 100viagra[.]com, cisco-us[.]com, and 15 confirmed malicious domains total
  • [Typosquatting look-alikes] Bulk-registered look-alike domains associated with subusiness[.]org – jmbusiness[.]solutions, cnbusiness[.]net, and 14 other members
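The keypoints note that some indicators are subdomains on legitimate shared hosting (web.core.windows.net) while others are attacker-registered domains, and a blocklist keyed on the registrable domain treats the two wrongly: it would block all of Azure static hosting for the former and miss subdomains of the latter. The following added example (not code from Proofpoint or CircleID) refangs the hostnames quoted on this page, matches shared-zone indicators on the full hostname only and registered domains with all their subdomains, and runs that over constructed DNS query log lines.

```python
# Added example, not Proofpoint/CircleID code. Hostnames are those quoted on the page.
# Registrable domain here is a legitimate shared-hosting service (Azure static sites):
# only the exact attacker subdomain is an indicator, never the whole zone.
SHARED_HOSTING_ZONES = ("web.core.windows.net",)

DEFANGED_IOCS = [
    "attd[.]z23[.]web[.]core[.]windows[.]net",
    "filestoretome[.]z23[.]web[.]core[.]windows[.]net",
    "subusiness[.]org", "aaitile[.]com", "bobbush[.]org",
    "100viagra[.]com", "cisco-us[.]com", "downloadfreak[.]top",
]

def refang(ioc: str) -> str:
    """'a[.]b[.]c' -> 'a.b.c', lower-cased, trailing dot removed."""
    return ioc.replace("[.]", ".").strip().lower().rstrip(".")

def build_matcher(defanged):
    """Return match(qname) -> the IoC it hits, or None."""
    exact, suffixes = set(), set()
    for name in map(refang, defanged):
        (exact if name.endswith(SHARED_HOSTING_ZONES) else suffixes).add(name)

    def match(qname: str):
        q = qname.lower().rstrip(".")
        if q in exact:                      # shared zone: full hostname only
            return q
        for s in suffixes:                  # attacker-registered: any subdomain
            if q == s or q.endswith("." + s):
                return s
        return None
    return match

def scan_dns_log(lines, match):
    """Return (client_ip, qname, ioc) for every hit in '<client_ip> <qname>' lines."""
    hits = []
    for line in lines:
        client, qname = line.split()[:2]
        ioc = match(qname)
        if ioc:
            hits.append((client, qname, ioc))
    return hits

SAMPLE_DNS_LOG = [  # constructed log lines, not from the report
    "10.0.0.5 mail.subusiness.org",
    "10.0.0.7 attd.z23.web.core.windows.net",
    "10.0.0.9 docs.z23.web.core.windows.net",  # another tenant in the zone: benign
    "10.0.0.5 www.cisco.com",
    "10.0.0.8 cisco-us.com.",
]

def find_hits():
    return scan_dns_log(SAMPLE_DNS_LOG, build_matcher(DEFANGED_IOCS))
```

The third log line shows the point: a different tenant under the same Azure zone is not flagged, while a subdomain of an attacker-registered domain and a trailing-dot FQDN both are.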

Read more: https://circleid.com/posts/dns-deep-dive-ta416-european-government-espionage-campaigns