Quote of the Day

Sunday, February 7, 2021

Follow conflicts or geopolitical tensions

Joe Slowik, a Senior Security Researcher at DomainTools, discussed his research team's findings, which rest on the theory that identifying infrastructure used in adversary operations by tracking identifiers tied to major events and conflict zones can yield insight for defense against, and response to, upcoming incidents.

During the initial investigation, the research team discovered a document reflecting very specific themes related to the conflict between Armenia and Azerbaijan in the Caucasus region. The document masqueraded as a news article and attempted to communicate with a particular domain.

The team found that the document's template object was an unusually long string of numbers used to communicate with a domain, msofficeupate.org. That template item also serves as a signifier for identifying additional, similarly constructed samples.

Based on these characteristics, DomainTools researchers identified 35 domains matching the patterns associated with the initially observed malicious domain.

Overall, the adversary operations related to political, military, and similar subjects in the Caucasus region. By tracking identifiers and pivoting the investigation, the researchers were able to link the activity to a state-sponsored phishing email.

The lesson the team drew is that analyzing both the malicious documents and the related network infrastructure by tracking identifiers can provide the insight needed to deploy defensive countermeasures against activity coming in the near future, because adversaries are unlikely to completely change their life cycle.
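As an added illustration of the template-identifier check described above (this is example code written for this post, not code from DomainTools or from the research), the following Python builds a minimal .docx whose settings relationship points at an external template, extracts that target, and flags a long all-digit path segment for pivoting. The document structure, the numeric path, the file name and the digit threshold are constructed assumptions; only the domain comes from the research summary.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")


def remote_templates(docx_bytes):
    """Return external attachedTemplate targets from word/_rels/settings.xml.rels."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return targets  # no template relationships to inspect
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") == TEMPLATE_REL and rel.get("TargetMode") == "External":
                targets.append(rel.get("Target"))
    return targets


def template_indicator(url, min_digits=12):
    """Summarize a remote template URL: host plus its longest all-digit path segment.

    min_digits is an assumed threshold for what counts as 'unusually long'."""
    parsed = urlparse(url)
    digit_runs = [seg for seg in parsed.path.split("/") if seg.isdigit()]
    longest = max(digit_runs, key=len, default="")
    return {"host": parsed.hostname,
            "digit_segment": longest,
            "suspicious": len(longest) >= min_digits}


def build_sample_docx(template_url):
    """Constructed minimal .docx carrying only the parts this check reads."""
    rels = (f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
            f'Target="{template_url}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: domain from the summary, numeric path and file name assumed.
    sample = build_sample_docx("http://msofficeupate.org/1234567890123456/news.dotm")
    for target in remote_templates(sample):
        print(template_indicator(target))
```

The host and digit segment returned are the kind of identifiers that can be pivoted on to find similarly constructed samples and related domains.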
