Modus operandi UAC-0177 (JokerDPR) on the example of one of the cyber attacks [Thursday, December 21, 2023]

Description :
CERT-UA investigated incidents involving phishing attacks against Google, Ukr.Net, Outlook (live.com), EXMO and Binance accounts. The activity is distinguished by lookalike domain names registered through the Tucows/Namecheap registrars, typically a legitimate hostname (accounts.ukr.net, drive.google.com, login.live.com) prepended as subdomain labels to an attacker-controlled, SSL/auth-themed registrable domain such as ssl2.in, getssl.click or certifiedauth.in, and by distribution of the phishing emails from previously compromised accounts.

Published: 2023-12-21 16:31:10
Created:   2023-12-21 16:31:10
Modified:  2023-12-21 16:35:41

Tags

Indicators

IPv4s :
  • 80.78.22.194
  • 185.196.9.215
  • 179.43.162.29
URLs :
  • www.authssl.online
  • www.getssl.ink
  • www.ssl2.link
  • www3.google2.certifiedauth.in
  • http://edisk.ukr.net.ssl2.link/shared/
  • www.binance.com.personlog.in
  • www.connectssl.in
  • www2.certifiedauth.in
  • www.certifiedauth.in
  • www.binance.com.exmo.day
  • www2.google2.certifiedauth.in
  • www3.google.com.getssl.click
  • www.ssl2.in
  • www.personlog.in
  • www.ssl4.site
  • www.authssl.in
  • www2.google.com.getssl.click
  • www.hsts.online
  • www.google2.certifiedauth.in
  • www.authcheck.in
Domains :
  • bin.binance.com.personlog.in
  • outlook.live.com.exmo.day
  • fonts.google2.certifiedauth.in
  • myaccount.google.com.getssl.click
  • accounts.ukr.net.ssl2.in
  • drive.certifiedauth.in
  • exceptions.exmo.day
  • static.personlog.in
  • drive.googie.com.ssl2.site
  • docs.ukr.net.ssl2.in
  • accounts.certifiedauth.in
  • hnd.stats.certifiedauth.in
  • apis.google.com.getssl.click
  • login.live.com.exmo.day
  • account.certifiedauth.in
  • outlook.exmo.day
  • ns2.authssl.online
  • com.ssl4.online
  • net.ssl3.online
  • shared.drive.googie.com.ssl4.online
  • gdrive.com.ssl2.online
  • files.ukr.net.ssl2.in
  • com.ssl3.site
  • mail.certifiedauth.in
  • ssl1.online
  • getssl.ink
  • connectssl.in
  • googie.com.connectssl.in
  • outlook.outlook.live.com.exmo.day
  • data.certifiedauth.in
  • docs.ukr.net.ssl4.site
  • sensors.binance.com.personlog.in
  • shared.document.drive.googie.com.ssl4.site
  • ssl2.link
  • events.data.exmo.day
  • login.live.com.getssl.click
  • ssl2.site
  • ssl4.site
  • docs.googie.com.ssl2.site
  • ssl2.online
  • ns2.authssl.org
  • account.google.com.getssl.ink
  • gdocs.com.authssl.site
  • messenger.certifiedauth.in
  • static.certifiedauth.in
  • accounts.google2.certifiedauth.in
  • analytics.google.com.getssl.click
  • content.google.com.getssl.click
  • ns2.passport2.zip
  • mail.google2.certifiedauth.in
  • com.connectssl.in
  • authssl.in
  • googie.com.ssl3.online
  • gdrive.com.authssl.site
  • c6.certifiedauth.in
  • data.live.com.getssl.click
  • ns1.exmo.day
  • ukr.net.ssl3.site
  • fonts.certifiedauth.in
  • azwus1-client-s.gateway.messenger.live.com.getssl.click
  • share.ukr.net.ssl1.site
  • gdocs.com.ssl2.online
  • secure.certifiedauth.in
  • notifications.google.com.getssl.click
  • edisk.ukr.net.ssl3.site
  • authssl.site
  • ogs.certifiedauth.in
  • analytics.certifiedauth.in
  • content.google2.certifiedauth.in
  • googles.com.personlog.in
  • google.com.ssl3.site
  • shared.drive.googie.com.ssl4.site
  • account.live.com.exmo.day
  • ns1.authssl.org
  • apis.google2.certifiedauth.in
  • ns1.goaccount.link
  • drive.googie.com.connectssl.in
  • google.com.getssl.click
  • gateway.messenger.certifiedauth.in
  • ns2.goaccount.link
  • ws.exmo.day
  • com.getssl.click
  • authcheck.in
  • browser.events.data.certifiedauth.in
  • frontend-m.binance.com.personlog.in
  • images.exmo.day
  • hsts.online
  • files.ukr.net.ssl2.online
  • google.com.getssl.ink
  • ns1.authssl.link
  • drive.gdocs.com.personlog.in
  • monitor.personlog.in
  • login.outlook.live.com.exmo.day
  • blogger.google.com.getssl.click
  • lh3.google2.certifiedauth.in
  • drive.googie.com.ssl4.online
  • ssl.certifiedauth.in
  • com.exmo.day
  • ssl3.site
  • docs.googleauth.com.ssl3.site
  • binance.com.personlog.in
  • docs.google.com.ssl3.site
  • ns1.passport2.zip
  • analytics.google2.certifiedauth.in
  • ukr.net.ssl2.online
  • stats.certifiedauth.in
  • account.coinbase.exmo.day
  • net.ssl2.in
  • myaccount.google2.certifiedauth.in
  • com.authssl.online
  • drive.gdocs.com.authssl.site
  • coinbase.exmo.day
  • ukr.net.ssl2.in
  • ukr.net.ssl1.site
  • logincdn.certifiedauth.in
  • edisk.ukr.net.ssl2.link
  • ogs.google2.certifiedauth.in
  • live.com.getssl.click
  • ssl.google2.certifiedauth.in
  • events.data.certifiedauth.in
  • docs.google.com.ssl2.site
  • ns1.authssl.in
  • play.google2.certifiedauth.in
  • ns2.exmo.day
  • r4.res.certifiedauth.in
  • outlook.certifiedauth.in
  • ssl1.site
  • drive.google2.certifiedauth.in
  • net.ssl2.site
  • ukr.net.ssl2.link
  • docs.googie.com.ssl3.online
  • messenger.live.com.getssl.click
  • static.binance.com.personlog.in
  • docs.ukr.net.ssl2.site
  • ns2.connectssl.in
  • ukr.net.ssl1.online
  • cdn.live.com.getssl.click
  • gateway.messenger.exmo.day
  • goaccount.link
  • ns2.certifiedauth.in
  • drive.googles.com.personlog.in
  • com.ssl2.online
  • net.ssl1.online
  • googie.com.authssl.site
  • getssl.click
  • api.personlog.in
  • static.binance.com.exmo.day
  • data.exmo.day
  • googledrive.com.ssl2.site
  • browser.events.data.live.com.getssl.click
  • admin.certifiedauth.in
  • net.ssl2.online
  • docs.gdrive.com.ssl2.site
  • certifiedauth.in
  • googletag.exmo.day
  • cdn.certifiedauth.in
  • mail.google.com.getssl.click
  • content.exmo.day
  • logincdn.exmo.day
  • azwus1-client-s.gateway.messenger.certifiedauth.in
  • res.live.com.getssl.click
  • docs.gdrive.com.authssl.site
  • events.data.live.com.getssl.click
  • passport2.zip
  • ns2.authssl.link
  • com.personlog.in
  • net.ssl3.site
  • r4.res.live.com.getssl.click
  • ns2.authcheck.in
  • googie.com.ssl2.site
  • bin.personlog.in
  • ns2.getssl.click
  • play.google.com.getssl.click
  • net.ssl1.site
  • net.ssl4.online
  • com.getssl.ink
  • com.ssl2.site
  • notifications.google2.certifiedauth.in
  • binance.com.exmo.day
  • ukr.net.ssl3.online
  • ns1.certifiedauth.in
  • geolocation.authcheck.in
  • accounts.ukr.net.ssl2.link
  • googleauth.com.ssl3.site
  • com.ssl3.online
  • ukr.net.ssl4.online
  • ns2.authssl.in
  • lh3.google.com.getssl.click
  • t.certifiedauth.in
  • ns2.authssl.site
  • blogger.certifiedauth.in
  • ns1.authssl.site
  • frontend-m.binance.com.exmo.day
  • docs.googie.com.connectssl.in
  • messenger.exmo.day
  • docs.gdrive.com.ssl2.online
  • authssl.online
  • frontend-m.personlog.in
  • files.ukr.net.ssl4.online
  • drive.gdocs.com.ssl2.online
  • gdrive.com.ssl2.site
  • outlook.live.com.getssl.click
  • googie.com.authssl.online
  • ns1.authcheck.in
  • browser.events.data.exmo.day
  • monitor.binance.com.personlog.in
  • sensors.binance.com.exmo.day
  • com.authssl.site
  • ns1.personlog.in
  • ssl2.in
  • personlog.in
  • ns2.personlog.in
  • authssl.org
  • gateway.messenger.live.com.getssl.click
  • ukr.net.ssl2.site
  • csp.exmo.day
  • docs.googledrive.com.ssl2.site
  • live.com.exmo.day
  • api.binance.com.exmo.day
  • sensors.personlog.in
  • ssl3.online
  • outlook-1.cdn.live.com.getssl.click
  • m.personlog.in
  • google2.certifiedauth.in
  • outlook-1.cdn.certifiedauth.in
  • ns1.connectssl.in
  • csp.live.com.getssl.click
  • net.ssl4.site
  • exmo.day
  • login.certifiedauth.in
  • drive.google.com.getssl.click
  • monitor.binance.com.exmo.day
  • ukr.net.ssl4.site
  • c.certifiedauth.in
  • outlook-1.cdn.exmo.day
  • share.ukr.net.ssl3.online
  • cdn.exmo.day
  • accounts.personlog.in
  • docs.googie.com.authssl.site
  • accounts.google.com.getssl.click
  • googie.com.ssl4.online
  • bin.binance.com.exmo.day
  • gdocs.com.personlog.in
  • fonts.google.com.getssl.click
  • account.outlook.live.com.exmo.day
  • m.binance.com.personlog.in
  • docs.googie.com.authssl.online
  • res.certifiedauth.in
  • b.stats.certifiedauth.in
  • res.exmo.day
  • ssl.google.com.getssl.click
  • m.binance.com.exmo.day
  • r4.res.exmo.day
  • google.com.ssl2.site
  • ogs.google.com.getssl.click
  • dynamic.exmo.day
  • accounts.binance.com.exmo.day
  • ns1.getssl.click
  • login.exmo.day
  • authssl.link
  • accounts.binance.com.personlog.in
  • edisk.ukr.net.ssl1.online
  • blogger.google2.certifiedauth.in
  • azwus1-client-s.gateway.messenger.exmo.day
  • content.certifiedauth.in
  • ssl4.online
  • apis.certifiedauth.in
  • account.live.com.getssl.click
  • api.binance.com.personlog.in
  • edisk.ukr.net.ssl2.in
  • myaccount.certifiedauth.in
  • play.certifiedauth.in
  • net.ssl2.link
  • ns1.authssl.online
  • google.exmo.day
  • csp.certifiedauth.in
  • docs.googie.com.ssl4.online
  • notifications.certifiedauth.in
MITRE ATT&CK Techniques :

External References


About the author
Julien B.

Securitricks
