Home / Blogs

An Investigative Analysis of the Silent Librarian IoCs

The Silent Librarian advanced persistent threat (APT) actors have been detected once again, as the academic year started in September. With online classes increasingly becoming the norm, the group's phishing campaigns that aim to steal research data and intellectual property could have a high success rate.

Dozens of phishing domain names have been reported, although some may have already been taken down. Still, the Silent Librarian APT group could have more weaponized domains in their arsenal, so we tried to uncover some connections throughout this investigative analysis using domain and IP intelligence.

The IoCs: Commonalities and Characteristics

Malwarebytes has identified 25 phishing subdomains and three IP addresses that targeted 21 universities and colleges worldwide.

IP Geolocation

Using IP geolocation, we identified that two malicious IP addresses were assigned to Iran, and another one to India.

The Use of Subdomains

The phishing subdomains used the same strings found in the universities' legitimate domains but at the third-level domain under a different root domain. The phishing domain library[.]adelaide[.]crev[.]me, for example, looks much like the University of Adelaide Library's legitimate domain library[.]adelaide[.]edu[.]au.

Instances when the threat actors used the full legitimate domain, such as idpz[.]utorauth[.]utoronto[.]ca[.]itlf[.]cf, which targets the University of Toronto (legitimate domain: idpz[.]utorauth[.]utoronto[.]ca), were also found.

TLD and Registrar Distribution of Root Domains

Out of the 25 phishing subdomains, 14 root domains were identified. Ten of them are in the .me generic top-level domain (gTLD) space, two used .tk, while another two used .cf.

TLD Distribution of Phishing Root Domains (%)

WHOIS data showed that as of 5 November 2020, the two .cf domains (itlf[.]cf and sftt[.]cf) have already been dropped. All of the other domains remain active and have the following details:

  • Their registrar is NameCheap, Inc.
  • The .me domains use WhoisGuard, Inc. protection, while the .tk domains use Freedom Registry, Inc.
  • The registrant countries reflect that of the domains' privacy protection services — Panama for WhoisGuard and the U.S. for Freedom Registry.
  • All of the domains were recently registered with dates within 14 August and 2 October.

Uncovering More Digital Footprints

Noting the number of times the root domains were used as Silent Library indicators of compromise (IoCs), we discovered many possibly suspicious subdomains. The numbers are reflected in the table below.

Root DomainNumber of Times Used as a Silent Library IoCNumber of Subdomains Found through Subdomains Lookup
itlf[.]cf217
itlt[.]tk113
itlib[.]me58
iftl[.]tk58
aroe[.]me14
crir[.]me14
canm[.]me13
crev[.]me23
rres[.]me13
cvrr[.]me12
ernn[.]me12
nrni[.]me12
sftt[.]cf22
ninu[.]me11

We focused on investigating the second to fourth root domains in the list above:

  • itlt[.]tk
  • itlib[.]me
  • iftl[.]tk

These domains had way more subdomains that were not used as IoCs. The first on the list, itlf[.]cf, is no longer active.

Looking up subdomain and DNS data, we found 11 more subdomains that could be used to target universities, along with two IP addresses. The chart below shows the subdomains of the three root domains. The subdomains in red have already been reported as Silent Library IoCs, while the rest could still figure in future attacks.

Chart 1: Root domain "iftl[.]tk"

Chart 2: Root domain "itlib[.]me"

Chart 3: Root domain "itit[.]tk"

The table below lists the potential subdomains that may be used to target the corresponding academic institutions in the future. Some may currently be undetected.

Possible Phishing SubdomainsTarget
library[.]libproxy[.]kcl[.]ac[.]uk[.]itlt[.]tkKing's College London
www[.]login[.]libproxy[.]kcl[.]ac[.]uk[.]itlt[.]tkKing's College London
www[.]library[.]libproxy[.]kcl[.]ac[.]uk[.]itlt[.]tkKing's College London
www[.]login.ki[.]se[.]itlt[.]tkKarolinska Institutet
login[.]ki[.]se[.]itlt[.]tkKarolinska Institutet
www[.]login[.]ki[.]se[.]iftl[.]tkKarolinska Institutet
www.sso[.]id[.]kent[.]ac[.]uk[.]iftl[.]tkUniversity of Kent
www[.]shibboleth[.]mcgill[.]ca[.]iftl[.]tkMcGill University
www[.]shib[.]york[.]ac[.]uk[.]iftl[.]tkUniversity of York
auth[.]wright[.]edu[.]itlib[.]meWright State University
sso[.]acu[.]edu[.]au[.]itlib[.]meAustralian Catholic University


Some of the Silent Library APT members have already been indicted in 2018, yet what remains of the group seem to continue targeting different universities across several continents. Constant investigation and monitoring are required to keep up.

By Jonathan Zhang, Founder and CEO of WhoisXMLAPI & ThreatIntelligencePlatform.com

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

 Be the first to post a comment!

Add Your Comments

 To post your comments, please login or create an account.

Related

Topics

Brand Protection

Sponsored byAppdetex

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign

IP Addressing

Sponsored byIPv4.Global

Cybercrime

Sponsored byThreat Intelligence Platform

Whois

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byAfilias