Cobalt Dickens: Cobalt Dickens, a name assigned to an Iranian threat group identified in 2018, has revamped and picked up right where they had left off. Primarily known for phishing universities in the United States, Australia, and the UK, nine of their members were indicted by the United States for compromising hundreds of universities to steal intellectual property and financial gain. A new large global phishing campaign was discovered in August and has been credited to the group. The new operation mirrors the original operation in 2018 by using compromised university recourses to send phishing emails that were related to the library. The emails contained spoofed login pages that paralleled the login sites of actual resources the university library used. The emails contained the spoofed URL for targets to click on and give away their university credentials. After the user gives away their credentials, they get redirected to the next[.]php file, where credentials get stored locally in a file called pass[.]txt, the user is redirected to the legitimate resource page to log in to. The group registers top-level domains (TLDs) such as .ml, .ga, .cf, .gq and .tk to fake the library resource pages. These registered domains make it harder for the victim to recognize it is not the legitimate website since the domain name will be the same as the legitimate website with a different TLD. All of the spoofed pages contained a valid SSL certificate to add to the page’s authenticity. In the past, the group has used open-source resources to copy the source code of the target website to use in the spoofed domain, making it look legitimate.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased