Many reports have released indicators of compromise (IoCs) regarding the Endless Mayfly disinformation campaign. But for those who don’t know what it is, Endless Mayfly uses fake social media accounts and media websites to spread false information that has to do with U.S., Israel, and Saudi Arabia relations.

Among the published Endless Mayfly IoCs to date are typosquatting domains, malicious file names and hashes, host IP addresses, and social media handles.

As usual, we sought to expand the list of IoCs to help organizations ensure utmost protection for their networks. We also took the investigation deeper by comparing related domains’ WHOIS records at the time the comprehensive report about the threat was published (May 2019) and now.

Data Set

We used the list of Endless Mayfly domains on GitHub as the basis of our analysis. This list contains 73 domains, including several internationalized ones (i.e., those that use punycode).

Analysis and Findings

Subjecting these domains to a bulk WHOIS history lookup provided a list of 38 registrant email addresses. Also, DNS lookups using the domains as search terms gave us a list of 198 IP addresses. Finally, using the registrant email addresses as inputs, we obtained 173 additional domains containing them in their historical WHOIS records.

We looked at which of the domains had their WHOIS records changed over the past year, specifically between January and May 2021. For that, we employed WHOIS History Search under the Domain Research Suite (DRS).

A total of 15 of the domains had recently modified WHOIS records. These are:

• al-jazirah[.]org
• alarabyia[.]org
• bbc-arabic[.]com
• belfercenter[.]net
• bloomberq[.]com
• indepnedent[.]co
• israelhayom[.]net
• israelnationalnews[.]co
• israelnationalnews[.]net
• lesoir[.]info
• policito[.]com
• thaguardian[.]com
• theatlatnic[.]com
• theguaradian[.]com
• washnigtonexaminer[.]com

Details about their WHOIS record changes are given below.

• A total of 13 domains changed registrars. The top registrars were GoDaddy.com, LLC and NameCheap, Inc. with three domains each.
• All 15 domains changed registrants although mostly from a named organization or individual to an undisclosed owner. It is interesting to note, however, that bloomberq[.]com was acquired by Bloomberg, possibly as part of a brand protection strategy.
• Only five of the domains had publicly attributable registrants, including bloomberq[.]com. The four other domains with identifiable owners were indepnedent[.]co, lesoir[.]info, policito[.]com, and theatlatnic[.]com.
• A total of 14 domains changed countries. Only alarabyia[.]org didn’t.

We used advanced reverse historical WHOIS searches on the 15 domains using the Domain Research Suite (DRS). That gave us an additional 83 variants of the domains sporting different top-level domain (TLD) extensions.

Examples include:

• al-jazirah[.]link
• alarabyia[.]online
• bbc-arabic[.]net
• belfercenter[.]org
• bloomberq[.]org
• israelhayom[.]us
• israelnationalnews[.]tk
• lesoir[.]name
• thaguardian[.]co[.]uk

Organizations and individuals that don’t want to get exposed to disinformation or more sinister threats may want to add these to their blocklists.

Running Maltego-WhoisXML API Historical Reverse WHOIS Search transforms on the additional domains revealed that six (i.e., al-jazirah[.]com, alarabyia[.]com, israelnationalnews[.]com, lesoir[.]be, lesoir[.]com, and lesoir[.]com[.]au).

Here’s a sample Maltego historical reverse WHOIS search map for al-jazirah[.]com (see Figure 2).

Our search provided another 85 connected domains that may be worth blocking access to and from as well. Examples of these are s4t[.]me, al-dhahry-group[.]com, al-jazirahonline[.]com, awjournalplus[.]com, leeemag[.]com, awjonline[.]com, alkawaaeb[.]com, suhuf[.]com, world4today[.]com, and arab4today[.]com.

Screenshot lookups for the additional domains revealed that a majority of them (38 to be exact) are unreachable, nine are parked, four are for sale, and three are under construction or have errors. A total of 15 are live with various kinds of content. Some look like news sites while others e-commerce, academic, and corporate sites.

As we’ve seen in this post, more artifacts that could be connected to an ongoing campaign are unrecoverable via reverse WHOIS record lookups and searches for the same domain names sporting other TLDs. Scrutinizing changes in WHOIS records could lead to interesting discoveries as well like one of the former Endless Mayfly domains now belonging to Bloomberg. Finally, screenshot lookups could reveal the current state of connected domains without putting researchers in danger of malware infection while conducting investigations. Findings about the websites hosted on potentially erring domains can also reveal trends like the type of site they typically host.

If you wish to obtain a copy of the entire list of artifacts uncovered in this post, please feel free to contact us. They may be useful in your Endless Mayfly investigation efforts or enhance your network security.