Executive Summary
- As reported by Resident.NGO, Belarusian politician Yury Hubarevich was recently targeted in a Gmail phishing email sent by Belarus-linked threat actor UNC1151.
- The same campaign also included phishing pages for at least three popular Ukrainian portals.
- Censys pivots show that this phishing email was part of a much wider campaign, and that the actor is very actively phishing for credentials.
Introduction
UNC1151, also referred to as Ghostwriter and various other names, is a threat actor whose interests align with those of the government of Belarus (and, by extension, Russia, due to Russia and Belarus’s frequently aligned interests).
The group first rose to prominence in 2020 when it hacked into legitimate media sites to publish fake stories (which earned it the name ‘Ghostwriter’). Since then it has remained very active, mostly in spear-phishing campaigns targeting individuals in Poland and Ukraine.
Earlier this month, Resident.NGO, which calls itself a “group of security practitioners helping NGOs, human rights defenders, media outlets, and activists” and focuses on Eastern Europe, published a brief analysis of a UNC1151-related spear-phishing attack targeting Belarusian pro-democracy politician Yury Hubarevich. Censys certificate and infrastructure pivots identify additional UNC1151 (Ghostwriter/FrostyNeighbor) phishing infrastructure linked to credential theft campaigns targeting Belarus and Ukraine, suggesting that this was not a one-off political attack, but rather part of a much broader credential phishing operation.
Spear-Phishing a Gmail Account
In the phishing campaign, Yury Hubarevich received an email claiming to come from Google about “suspicious activity” that required him to verify his account — a classic phishing lure.

The phishing link went to a compromised Ukrainian website which then redirected to hxxps://account[.]check-profile[.]digital/Verify, which displayed a fake Google login page.
Anything entered on this login page was relayed in the background, in real time over a WebSocket, to wss://account-emails-verification[.]cc[.]cd/ws. Because credentials and one-time codes reach the operators as they are typed, they can be replayed against the real login before an SMS or OTP code expires, which defeats that form of multi-factor authentication.

Both hostnames use the legitimate Bunny CDN to hide the real IP addresses where they were hosted (this can be seen in the DNS records), but Resident.NGO found — using Censys! — that a certificate for account[.]check-profile[.]digital was, at the time of the attack, hosted on the IP address 45[.]194[.]44[.]44, which belongs to Datagear (AS200758) and is hosted in Poland. This “unmasks” the real IP address for this hostname while it was “hiding” behind a CDN.
Follow Along in Censys
View the certificate that revealed the real IP address for account[.]check-profile[.]digital
It turns out that making that certificate publicly available on that IP address wasn’t a one-off error: since it came online in late April, the IP address has hosted several certificates for hostnames that all use Bunny CDN or Cloudflare, another CDN. Examples include mail-secure-login[.]digital and check-account[.]digital.
If we hadn’t already been certain that these domains were linked to UNC1151, the domain pattern and TLD usage would have definitely made us certain.
This was a simple way to use Censys certificate data to find more domains used by the same actor. But there is more!
Additional Pivots
The aforementioned IP address hosts web servers on ports 3001 and 3002. An HTTP request to the latter port returns a 404 error with a very short body: “VPS2 endpoint only for WebSocket.” This body is distinctive enough to pivot on: only three other IP addresses return the same response, all on port 3002.

Each of those three IP addresses also shows the pattern described above: certificates for several hostnames that follow the same naming scheme were visible on the IP address at various times. For example:
- On 45[.]194[.]44[.]46, we saw mail.account-security[.]digital.
- On 45[.]197[.]133[.]104 there was mail[.]service-support[.]digital.
- On 111[.]88[.]74[.]246 there was account-protection-team[.]icu.
The full list of certificates and hostnames can be found in the IOC table at the end of this blog post.
One hostname stands out, though: i-ua[.]cc[.]cd, for which a certificate was hosted, albeit very briefly, on 45[.]194[.]44[.]46. This is a clear impersonation of I.UA, a popular Ukrainian portal that, among other things, offers email services, which shows targeting of Ukrainians in this campaign as well. On the same IP address, we also saw a certificate for bigmir-net[.]cc[.]cd, an impersonation of bigmir)net, a second Ukrainian portal.
Interestingly, in 2022, UNC1151 also targeted I.UA email accounts, as well as a third popular Ukrainian portal, META.UA (no relation to the tech giant). We did find a certificate issued for the hostname meta-ua[.]cc[.]cd. Although we never saw it served from any IP address, a curl request to the same IP address, 45[.]194[.]44[.]46, with the hostname resolved to meta-ua[.]cc[.]cd does return a still-active impersonation of META.UA, which establishes this phishing domain as part of the same campaign.
```
% curl -sk --resolve i-ua.cc.cd:443:45.194.44.46 https://i-ua.cc.cd/ -A 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>Паспорт - I.UA </title>
<meta charset="UTF-8"/>
% curl -sk --resolve meta-ua.cc.cd:443:45.194.44.46 https://meta-ua.cc.cd/ -A 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
<!DOCTYPE html><html class="no-js" lang="Array"><head><meta charset="utf-8"/>
<title><МЕТА> - Україна. Паспорт. Логін</title>
```

Using the same curl trick, we also confirmed mail-alert[.]cc[.]cd to be part of the same campaign, and a quick search for certificates for similar hostnames finds many more likely candidates.
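The curl check above can be scripted so that a list of candidate hostnames is tested against a suspect IP address in one pass. The following is an added example, not code from Censys or Resident.NGO: it opens a TLS connection to the IP with the SNI set to the candidate hostname (the equivalent of `curl --resolve HOST:443:IP`), records the SHA256 of the served certificate so it can be matched against the IOC table, and reads the HTML `<title>` to spot the portal being impersonated. The two fingerprints in `KNOWN_CERTS` are copied from the IOC table; the `classify` verdict strings and the brand regex are this example's own conventions.

```python
import hashlib
import re
import socket
import ssl
from typing import Optional

UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Two rows copied from the post's IOC table (SHA256 of certificate -> hostname).
KNOWN_CERTS = {
    "b2fd49c1a72db79ca3be5a6370a353ea6105697b20017606572697c98c3b9629": "i-ua.cc.cd",
    "4b80681cd444cf9679d7e4d715489f6ddbe4580a9d110bd1952e54e8193afefd": "account.check-profile.digital",
}

def cert_fingerprint(der: bytes) -> str:
    """SHA256 over the DER-encoded certificate, hex encoded, as Censys reports it."""
    return hashlib.sha256(der).hexdigest()

def extract_title(html: bytes) -> Optional[str]:
    """Return the decoded <title> text of an HTML document, or None if absent."""
    m = re.search(rb"<title>(.*?)</title>", html, re.I | re.S)
    return m.group(1).decode("utf-8", "replace").strip() if m else None

def classify(fingerprint: str, title: Optional[str], known=KNOWN_CERTS) -> str:
    """Verdict: certificate already in the IOC table, a known-brand lookalike, or unknown."""
    if fingerprint in known:
        return f"known-ioc:{known[fingerprint]}"
    if title and re.search(r"I\.UA|МЕТА|bigmir", title, re.I):  # portals named in the post
        return "brand-impersonation"
    return "unknown"

def check_host(ip: str, hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Equivalent of `curl -sk --resolve HOST:PORT:IP https://HOST/`: SNI set to HOST."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # like curl -k: we want the served cert, not validation
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            fp = cert_fingerprint(tls.getpeercert(binary_form=True))
            req = (f"GET / HTTP/1.1\r\nHost: {hostname}\r\nUser-Agent: {UA}\r\n"
                   "Connection: close\r\n\r\n").encode()
            tls.sendall(req)
            body = b""
            while chunk := tls.recv(65536):   # headers + body; <title> search tolerates both
                body += chunk
    title = extract_title(body)
    return {"ip": ip, "hostname": hostname, "sha256": fp, "title": title,
            "verdict": classify(fp, title)}
```

`check_host("45.194.44.46", "meta-ua.cc.cd")` reproduces the second curl command from the post; a `known-ioc` or `brand-impersonation` verdict for a hostname not yet in the table is a candidate for adding to it.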
We can thus conclude that the phishing attempt against Yury Hubarevich is part of a very wide campaign that certainly targeted more than just a few individuals, including Ukrainians. Indeed, both CERT Polska and ESET (who refer to the actor as FrostyNeighbor) recently wrote about UNC1151 campaigns; the former, in particular, shows some patterns very similar to the campaign described in this blog post.
We want to thank Resident.NGO for their help in answering some questions.
Indicators of Compromise
| IP address | SHA256 of certificate | Hostname |
|---|---|---|
| 45.197.133[.]104 | 2434e1a88cf2effa13fc4eb335560e3cf49790ddd4bd0df7e100de9867a19748 | mail[.]service-support[.]digital |
| 45.197.133[.]104 | 6542f8fa3e1f00a3c0e9994c34d8b49d2c3d2684cf73c23a0b1030daaaaa4786 | accounts-verification[.]cc[.]cd |
| 45.197.133[.]104 | cb5230b57589132f63441244183f24ce727d1a2f5454d7636a3548207a5859cc | mail[.]account-check[.]digital |
| 45.197.133[.]104 | 700ddccaa2aa1c4871f23cc59ba6aefdd7b11f4136f578fd3f40c8d2c762b37c | verification-service[.]cc[.]cd |
| 45.197.133[.]104 | 84e7c3cfba6b368f75d4124bcf750dce96e71448924aa6b110c08d0d24da6885 | verification-credentials[.]cc[.]cd |
| 45.194.44[.]44 | c30ccd8d66ea757121c036e76408e8ee9fe122bf4d048e2744abf56ecdd8e019 | account-email-verification[.]cc[.]cd |
| 45.194.44[.]44 | e86d364d794c7a42d122fdedbddb60b14c815a5708b5b3f4a622d1f66fb3dbba | mail-security-login[.]digital |
| 45.194.44[.]44 | 3ea96a0086f0540bcd84820a8f65ee6c6df41979497e4291ba8ac59601535d91 | mail-secure-login[.]digital |
| 45.194.44[.]44 | 3a2cd6a8e2c76c91aa04260df46a95df0e9799100d23cd32fdee9415bf1b3971 | check-account[.]digital |
| 45.194.44[.]44 | 7a1a3a5f31df23053bfd5a03a63f19dd28561a9e41122d26a5413f46e9160664 | account-emails-verification[.]cc[.]cd |
| 45.194.44[.]44 | 4b80681cd444cf9679d7e4d715489f6ddbe4580a9d110bd1952e54e8193afefd | account[.]check-profile[.]digital |
| 45.194.44[.]46 | 0cb6bf1fd758f78f7e78baf4df85b5dbd236232011ed4eed685df852ab70a19a | mail[.]account-security[.]digital |
| 45.194.44[.]46 | b2fd49c1a72db79ca3be5a6370a353ea6105697b20017606572697c98c3b9629 | mail-alerts[.]cc[.]cd |
| 45.194.44[.]46 | 9280780cde1623fcb712b3d0f34cacedb77973dc8cac7f01c5338fe6fd22ad5c | mail-verification[.]cc[.]cd |
| 45.194.44[.]46 | b2fd49c1a72db79ca3be5a6370a353ea6105697b20017606572697c98c3b9629 | i-ua[.]cc[.]cd |
| 45.194.44[.]46 | eefc039a84cb1276a8b76e09150d188de3aa262e7c7149e8a3cd1b07eb868460 | bigmir-net[.]cc[.]cd |
| 111.88.74[.]246 | 5778fb76f3e1024cf3b6b8b298c4ac3607c869d5516ba7f8b274e9709fbfd0a5 | account-protection-team[.]icu |
| 111.88.74[.]246 | a29de1229b408e47af2a926bce7db5c6bc5d9208f1fc10226748dd65071e064e | support-accounts-checker[.]cc[.]cd |
| 111.88.74[.]246 | bd90a95c7b698c7680c3c64eb578cdda686dd33029e60ca74b8a67502bab72e9 | account-protection-support[.]icu |

