Void Balaur | The Sprawling Infrastructure of a Careless Mercenary

2022-9-23 07:55:34 Author: www.sentinelone.com(查看原文) 阅读量:7 收藏

Executive Summary

  • The cyber mercenary group known as Void Balaur continues to expand their hack-for-hire campaigns into 2022 unphased by disruptions to their online advertising personas.
  • New targets include a wide variety of industries, often with particular business or political interests tied to Russia. Void Balaur also goes after targets valuable for prepositioning or facilitating future attacks. Their targets span the United States, Russia, Ukraine, and various other countries.
  • Attacks are often very generic in theme, may appear opportunistic in nature, and account for targets making use of multi-factor authentication. The group seeks access to well-known email services (Gmail, Outlook, Yahoo), social media (Facebook, Instagram), messaging (Telegram), and corporate accounts.
  • A unique and short-lived connection links Void Balaur’s infrastructure to the Russian Federal Protective Service (FSO), a low-confidence indication of a potential customer relationship or resource sharing between the two.

Overview

Void Balaur is a highly active hack-for-hire / cyber mercenary group with a wide range of known target types across the globe. Their services have been observed for sale to the public online since at least 2016. Services include the collection of private data and access to specific online email and social media services, such as Gmail, Outlook, Telegram, Yandex, Facebook, Instagram, and business emails.

Void Balaur was first reported in 2019 (eQualitie), then again in 2020 (Amnesty International). In November 2021, our colleagues at Trend Micro profiled the larger set of malicious activity and named the actor “Void Balaur” based on a monster of Eastern European folklore. Most recently Google’s TAG highlighted some of their activity earlier this year. Building on top of analysis from each of our above colleagues, the purpose here is to share our analysis of interesting findings based on newer activity and the large scale set of attacker infrastructure.

During our inaugural LABScon event today I presented on this very topic – a careless mercenary group known as Void Balaur. Attendees of the conference were given a more detailed overview of the content shared here, including specific details on attribution to individuals in Latvia. In the spirit of LABScon, I look forward to further tracking of this actor alongside our industry colleagues to better protect society.

The Hack-for-Hire Business

The hack-for-hire service offering linked to Void Balaur has been advertised through various brand names, as also noted by previous reporting. These are only two early examples of likely others run by the same entity.

First is Hacknet, or “Hackernet-Service”, which began operating in late 2016. In these early years of activity, the group advertised their “Professional Hacking to Order” service for good and to help meet the needs others can not meet. The name can be found advertising across many darkweb forums.

The section on legality of their service provides insight into the mindset and justification of the attacker.

Hacknet-Service legality section - Original
Hacknet-Service legality section – Original
Hacknet-Service legality section - Translated
Hacknet-Service legality section – Translated

Services first offered for hacking at the time included Yandex, Rambler, Mail.ru, Gmail, UKR.net, Yahoo, Outlook, corporate email, Instagram, VK.com, OK.ru, Facebook, and Skype, in addition to “Hacking Training”.

A year later in 2017 the group removed the services of hacking Outlook, Facebook, and UKR.net while adding ICQ messages. In 2018, the group updated their legality pitch noting that corporate email and other requests outside of their advertised list would be considered. Additionally, the group began offering services around content modification/uploading to email and social media networks.

Hacknet-Service Offerings Section - Translated
Hacknet-Service Offerings Section – Translated

Ultimately, the Hacknet persona and their service ended around early 2020 following bans across services and brand collapse after failing to follow through with hacking services they were paid for.

The second example is “RocketHack”, which became active in early 2018, acting as a second persona operated by the same entity.

The RocketHack persona and offerings were thoroughly documented in the TrendMicro report. Interestingly, in our screenshot of their landing page, they used a quote from Nikolay Kononov’s book Kod Durova, a story on the creation of the Russian VK social network.

Around 2019, Hacknet and RocketHack began offering services through various hacker forums to provide information on individuals, including banking and government documents. The personas also begin to offer services for:

  • Remote access or perform requested actions on target PCs
  • Remove content from any blogs, forums, YouTube Channels, news sites or databases “of any institution”.
  • Cleanup information online, and manipulate search engine results.
  • Remote access to iPhones, mobile tracking, manulating associated data.
  • SMS historical records of targets.
  • Real time location tracking through mobile networks.

Void Balaur Infrastructure

As of this blog, Void Balaur has operated over 5,000 unique domains used against individual targets. With a quantity of actor controlled domains in the thousands, each provides us an opportunity for the attacker to make mistakes and lead us to a new set of useful clues. Focusing on the most recent activity from Void Balaur, the set of domains follow a repeating generic set of patterns.

  • Free Email Services
    • E.g., mail-my-accounts-gmail[.]com
  • Email Security / Privacy
    • E.g., security-my-account[.]ru
  • Email Authentication / OAuth
    • accounts-oauth-gmail[.]com
  • Passports / Local Government (Limited, often Russian focus)
    • E.g., no-reply-gosuslugi[.]ru

The collection of associated attacker infrastructure, such as domains and non-shared IPs, is quite large and requires automated methods of tracking to keep up.

Synapse Visual Representation of Domain Scale
Synapse Visual Representation of Domain Scale

Based on our collection of all known Void Balaur domains, we can determine the creation time of each based on year for an estimate of actor campaign activity. While early years activity was generally a very small set of infrastructure, we can note the explosion of activity in 2019. Around this time is when the group was gaining a bad reputation and abandoning brands (Hacknet). This indicates that the group remained highly active without a well known brand, potentially fulfilling requests for customers without the need to publicly advertise anymore.

It’s worth noting that the 2022 quantity is lower than expected at this time. However, the group historically has registered domains in bulk rather than evenly throughout the year. Additionally, we have observed a new set of infrastructure and campaigns we believe may be Void Balaur; however, technical links are not yet confident enough to publicly share at this time. Such activity could be an entirely unique group, or a new phase of Void Balaur attempting to evade further tracking.

Domain Count by Year
Domain Count by Year

Intriguing Relationships

A potential indicator of the careless OPSEC in the Void Balaur infrastructure is a low confidence connection to the Russian Federal Protective / Guard Service (FSO). The FSO institution operates with a range of capabilities, including the right to conduct surveillance, monitor communications, and operate clandestine activities. Was this a customer-confidentiality oversight by Void Balaur? Perhaps a mistake in the workflow of expanding their infrastructure? The meaning and exact technical reason behind this connection is unclear; however, based on our attribution to technical operators outside of Russia, it is potentially a clue that Russian intelligence agencies are somehow involved with Void Balaur and the FSO is either directly using the services or supporting the use of the services internally.

Specifically, one domain in the thousands of those created and operated by Void Balaur over the years was seen immediately resolving to the Russian FSO network after it was registered. In early 2022 the domain accounts-my-mail-gmail[.]com resolved to 95.173.132[.]1 for four days following its registration, then quickly shifting to the traditional Void Balaur cluster of infrastructure. The IP 95.173.132[.]1 is owned and operated by the Russian FSO, typically reserved for official .ru government websites. To reiterate, this connection is only observed once in the entirety of Void Balaur infrastructure.

Visualization of link between Void Balaur Infrastructure and FSO
Visualization of link between Void Balaur Infrastructure and FSO

Targeting

Void Balaur continues their known targeting of a wide variety of individuals and organizations across the globe. The vast majority of known 2022 targets hold a special interest or involvement in business and political situations relevant to organizations inside Russia. Examples include individuals heavily involved in geopolitics, legal, business transactions, technology, human rights and more. Locations of these individuals include:

  • Russia
  • United States
  • United Kingdom
  • Taiwan
  • Brazil
  • Kazakhstan
  • Ukraine
  • Moldova
  • Georgia
  • Spain
  • Central African Republic
  • Sudan
2022 Target Map
2022 Target Map

We observed continued targeting in 2022 making use of generic, highly reproducible, phishing emails to lure targets into providing account credentials. Based on thousands of phishing domains we collected, Google owned services are the most common targets and attack themes.

However, in most cases the phishing emails are somewhat more relevant to the target of choice. For example, this includes emails designed to mimic local government services, or online websites common to a particular target, such as banking or social media. Void Balaur has made use of this approach for much of its existence. Examples include a 2016 attempt at phishing on the Moscow motorcycle road racing Youtuber Alexey Naberezhny, and in 2017 the Russian journalist and social media personality Ilya Varlamov. These individuals were targeted by Void Balaur with phishing emails spoofing Russian Public Services traffic fines.

Void Balaur Traffic Fine Phishing Message Targeting Ilya Varlamov
Void Balaur Traffic Fine Phishing Message Targeting Ilya Varlamov
Void Balaur Traffic Fine Phishing Message Targeting Alexey Naberezhny
Void Balaur Traffic Fine Phishing Message Targeting Alexey Naberezhny

In this case, the payment link goes to srv-gm[.]ru, accountc-gooogle.com, and others, which returns an illicit Google login page.

Google Phishing Page
Google Phishing Page

In 2022, we observed cases in which Void Balaur sought to compromise Google accounts with multi-factor authentication enabled as well. For example, some phishing pages would ask the target to enter backup codes Google provides during the initial 2-Step verification setup process.

llicit 2-Step Verification Backup Code Request
llicit 2-Step Verification Backup Code Request

Conclusion

Void Balaur remains a highly active and evolving threat to individuals across the globe. From the targeting of well known email services to the offering of hacking corporate networks, the group represents a clear example of the hack-for-hire market. We expect this type of actor to be increasingly common to observe in the wild.

Recent IOCs

account-mail-passport[.]ru
account-my-mail-gmail[.]com
account-my-oauths-mail[.]ru
account-oauth-gmail[.]com
accounts-mail-passport[.]ru
accounts-my-mail-gmail[.]com
accounts-my-oauth-mail[.]ru
accounts-oauth-gmail[.]com
cloud-account-mail[.]ru
cloud-accounts-goglemail[.]com
cloud-accounts-mail[.]ru
cloud-my-accounts-mail[.]ru
cloud-myaccount-goglemail[.]com
cloud-myaccount-mail[.]ru
community-experience-manager[.]ru
community-experience-my-community[.]ru
community-experience-permission[.]ru
community-experience-preference[.]ru
community-experience-types[.]ru
community-experience[.]ru
community-manager-experience[.]ru
community-manager-place[.]ru
community-manager-preference[.]ru
community-manager-safety[.]ru
community-manager-smartlink[.]ru
community-manager-types[.]ru
community-manager[.]ru
community-my-permission[.]ru
community-my-place[.]ru
community-my-safe[.]ru
community-my-safety[.]ru
community-my-source[.]ru
community-my-types[.]ru
community-online-experience[.]ru
community-online-manager[.]ru
community-online-permission[.]ru
community-online-place[.]ru
community-online-types[.]ru
community-permission-experience[.]ru
community-permission-manager[.]ru
community-permission-preference[.]ru
community-permission-source[.]ru
community-permission[.]ru
community-place-community[.]ru
community-place-manager[.]ru
community-place-permission[.]ru
community-place-preference[.]ru
community-place-types[.]ru
community-place[.]ru
community-preference-manager[.]ru
community-preference-permission[.]ru
community-preference-place[.]ru
community-safe-manager[.]ru
community-safe-permission[.]ru
community-safe-place[.]ru
community-safe-types[.]ru
community-safety-manager[.]ru
community-safety-my-experience[.]ru
community-safety-permission[.]ru
community-safety-place[.]ru
community-safety-preference[.]ru
community-safety-types[.]ru
community-smartlink-experience[.]ru
community-smartlink-manager[.]ru
community-smartlink-permission[.]ru
community-smartlink-types[.]ru
community-source-manager[.]ru
community-source-permission[.]ru
community-source-place[.]ru
community-source-preference[.]ru
community-types-experience[.]ru
community-types-manager[.]ru
community-types-permission[.]ru
community-types[.]ru
experience-community-manager[.]ru
experience-community-my-smartlink[.]ru
experience-community-permission[.]ru
experience-community-preference[.]ru
experience-manager-community[.]ru
experience-manager-permission[.]ru
experience-manager-place[.]ru
experience-manager-safety[.]ru
experience-manager-smartlink[.]ru
experience-manager-types[.]ru
experience-manager[.]ru
experience-my-community-smartlink[.]ru
experience-my-manager[.]ru
experience-my-online-smartlink[.]ru
experience-my-permission[.]ru
experience-my-place[.]ru
experience-my-preference-smartlink[.]ru
experience-my-preference[.]ru
experience-my-safe-smartlink[.]ru
experience-my-safe[.]ru
experience-my-safety[.]ru
experience-my-source-smartlink[.]ru
experience-my-source[.]ru
experience-online-manager[.]ru
experience-online-my-smartlink[.]ru
experience-online-permission[.]ru
experience-online-place[.]ru
experience-online-preference[.]ru
experience-online-smartlink[.]ru
experience-online-types[.]ru
experience-permission-community[.]ru
experience-permission-manager[.]ru
experience-permission-place[.]ru
experience-permission-preference[.]ru
experience-permission-smartlink[.]ru
experience-permission-source[.]ru
experience-permission[.]ru
experience-place-smartlink[.]ru
experience-place-types[.]ru
experience-place[.]ru
experience-preference-manager[.]ru
experience-preference-my-smartlink[.]ru
experience-preference-permission[.]ru
experience-preference-place[.]ru
experience-preference-smartlink[.]ru
experience-safe-manager[.]ru
experience-safe-my-smartlink[.]ru
experience-safe-permission[.]ru
experience-safe-place[.]ru
experience-safe-preference[.]ru
experience-safe-smartlink[.]ru
experience-safe-types[.]ru
experience-safety-manager[.]ru
experience-safety-my-smartlink[.]ru
experience-safety-permission[.]ru
experience-safety-place[.]ru
experience-safety-preference[.]ru
experience-safety-smartlink[.]ru
experience-safety-types[.]ru
experience-smartlink-manager[.]ru
experience-smartlink-permission[.]ru
experience-smartlink-preference[.]ru
experience-source-my-smartlink[.]ru
experience-source-place[.]ru
experience-source-preference[.]ru
experience-source-smartlink[.]ru
experience-types-place[.]ru
experience-types-smartlink[.]ru
experience-types[.]ru
login-account-cloud-mail[.]ru
login-accounts-mail[.]ru
login-auth-account-mail[.]ru
login-auth-accounts-mail[.]ru
login-cloud-account-mail[.]ru
login-cloud-myaccount-mail[.]ru
login-my-acounts-mail[.]ru
login-myaccount-cloud-mail[.]ru
login-oauth-mail[.]ru
mail-auth-account[.]ru
mail-auth-myacount[.]ru
mail-ems[.]ru
mail-login-auth[.]ru
mail-login-oauth[.]ru
mail-my-acounts-mail[.]ru
mail-my-passport-account[.]ru
mail-security-myaccount[.]ru
mail-security-myaccounts[.]ru
manager-community-permission[.]ru
manager-community-place[.]ru
manager-community-types[.]ru
manager-experience-permission[.]ru
manager-experience-place[.]ru
manager-experience-preference[.]ru
manager-experience-types[.]ru
manager-my-community[.]ru
manager-my-experience[.]ru
manager-my-preference[.]ru
manager-my-safe[.]ru
manager-my-smartlink[.]ru
manager-my-source[.]ru
manager-online-community[.]ru
manager-online-permission[.]ru
manager-online-place[.]ru
manager-online-preference[.]ru
manager-online-smartlink[.]ru
manager-online-types[.]ru
manager-permission-place[.]ru
manager-permission-preference[.]ru
manager-permission-source[.]ru
manager-permission-types[.]ru
manager-place-community[.]ru
manager-place-experience[.]ru
manager-place-permission[.]ru
manager-place-preference[.]ru
manager-place-smartlink[.]ru
manager-place-types[.]ru
manager-preference-community[.]ru
manager-preference-permission[.]ru
manager-preference-place[.]ru
manager-preference-smartlink[.]ru
manager-preference-types[.]ru
manager-safe-community[.]ru
manager-safe-experience[.]ru
manager-safe-permission[.]ru
manager-safe-place[.]ru
manager-safe-preference[.]ru
manager-safe-smartlink[.]ru
manager-safe-types[.]ru
manager-safety-community[.]ru
manager-safety-permission[.]ru
manager-safety-place[.]ru
manager-safety-smartlink[.]ru
manager-smartlink-permission[.]ru
manager-smartlink-place[.]ru
manager-smartlink-types[.]ru
manager-source-community[.]ru
manager-source-permission[.]ru
manager-source-place[.]ru
manager-source-preference[.]ru
manager-source-smartlink[.]ru
manager-types-community[.]ru
manager-types-experience[.]ru
manager-types-permission[.]ru
manager-types-place[.]ru
my-account-auth-mail[.]ru
my-account-mail-passport[.]ru
my-account-my-cloud-mail[.]ru
my-account-oauth-mail[.]ru
my-accounts-mail-passport[.]ru
my-acount-oauths[.]ru
my-cloud-accounts-mail[.]ru
my-community-experience[.]ru
my-community-manager[.]ru
my-community-permission[.]ru
my-community-place[.]ru
my-community-smartlink[.]ru
my-community[.]ru
my-experience-manager[.]ru
my-experience-permission[.]ru
my-experience-place[.]ru
my-experience-preference[.]ru
my-mail-account-mail[.]ru
my-mail-account-yahoo[.]com
my-mail-accounts-mail[.]ru
my-manager-community[.]ru
my-manager-experience[.]ru
my-manager-place[.]ru
my-manager-preference[.]ru
my-manager-safety[.]ru
my-manager-smartlink[.]ru
my-oauth-account-gmail[.]com
my-oauth-account-mail[.]ru
my-oauth-accounts-mail[.]ru
my-oauths-account-mail[.]ru
my-oauths-accounts-mail[.]ru
my-online-experience[.]ru
my-online-permission[.]ru
my-online-place[.]ru
my-permission-community[.]ru
my-permission-experience[.]ru
my-permission-manager[.]ru
my-permission-place[.]ru
my-permission-preference[.]ru
my-permission-smartlink[.]ru
my-place-smartlink[.]ru
my-preference-experience[.]ru
my-preference-manager[.]ru
my-preference-permission[.]ru
my-preference-place[.]ru
my-preference[.]ru
my-safe-community[.]ru
my-safe-experience[.]ru
my-safe-permission[.]ru
my-safe-place[.]ru
my-safety-community[.]ru
my-safety-experience[.]ru
my-safety-permission[.]ru
my-safety-place[.]ru
my-signin-account-gmail[.]com
my-signin-accounts-gmail[.]com
my-smartlink-experience[.]ru
my-smartlink-manager[.]ru
my-smartlink-permission[.]ru
my-smartlink-place[.]ru
my-smartlink[.]ru
my-source-community[.]ru
my-source-place[.]ru
my-types-community[.]ru
my-types-permission[.]ru
my-types-place[.]ru
myaccount-mail-passport[.]ru
myaccount-my-mail-gmail[.]com
myaccount-oauths[.]ru
myaccounts-auth[.]ru
myaccounts-mail-passport[.]ru
myaccounts-my-mail-gmail[.]com
no-reply-gosuslugi[.]ru
oauth-login-account-mail[.]ru
oauth-login-accounts-mail[.]ru
permission-community-experience[.]ru
permission-community-manager[.]ru
permission-community-place[.]ru
permission-community-preference[.]ru
permission-community-types[.]ru
permission-experience-manager[.]ru
permission-experience-preference[.]ru
permission-manager-community[.]ru
permission-manager-experience[.]ru
permission-manager-place[.]ru
permission-manager-preference[.]ru
permission-manager-smartlink[.]ru
permission-manager-types[.]ru
permission-my-community[.]ru
permission-my-experience[.]ru
permission-my-manager[.]ru
permission-my-place[.]ru
permission-my-preference[.]ru
permission-my-safe[.]ru
permission-my-smartlink[.]ru
permission-my-source[.]ru
permission-my-types[.]ru
permission-online-experience[.]ru
permission-online-manager[.]ru
permission-online-place[.]ru
permission-online-preference[.]ru
permission-online-types[.]ru
permission-place-community[.]ru
permission-place-experience[.]ru
permission-place-manager[.]ru
permission-place-smartlink[.]ru
permission-place-types[.]ru
permission-place[.]ru
permission-preference-manager[.]ru
permission-preference-types[.]ru
permission-safe-experience[.]ru
permission-safe-manager[.]ru
permission-safe-place[.]ru
permission-safe-preference[.]ru
permission-safe-types[.]ru
permission-safety-experience[.]ru
permission-safety-manager[.]ru
permission-safety-place[.]ru
permission-safety-preference[.]ru
permission-safety-smartlink[.]ru
permission-safety-types[.]ru
permission-smartlink-experience[.]ru
permission-smartlink-manager[.]ru
permission-smartlink-preference[.]ru
permission-smartlink-types[.]ru
permission-smartlink[.]ru
permission-source-manager[.]ru
permission-source-preference[.]ru
permission-types-place[.]ru
place-community-experience[.]ru
place-community-manager[.]ru
place-community-permission[.]ru
place-community-safe[.]ru
place-community-safety[.]ru
place-community-smartlink[.]ru
place-community-source[.]ru
place-community-types[.]ru
place-community[.]ru
place-experience-community[.]ru
place-experience-manager[.]ru
place-experience-permission[.]ru
place-experience-place[.]ru
place-experience-safe[.]ru
place-experience-safety[.]ru
place-experience-source[.]ru
place-experience-types[.]ru
place-experience[.]ru
place-manager-community[.]ru
place-manager-permission[.]ru
place-manager-safe[.]ru
place-manager-safety[.]ru
place-manager-smartlink[.]ru
place-manager-source[.]ru
place-manager-types[.]ru
place-manager[.]ru
place-my-community[.]ru
place-my-experience[.]ru
place-my-manager[.]ru
place-my-permission[.]ru
place-my-preference[.]ru
place-my-safe[.]ru
place-my-smartlink[.]ru
place-my-types[.]ru
place-online-community[.]ru
place-online-experience[.]ru
place-online-manager[.]ru
place-online-permission[.]ru
place-online-safety[.]ru
place-online-smartlink[.]ru
place-online-source[.]ru
place-online-types[.]ru
place-permission-community[.]ru
place-permission-experience[.]ru
place-permission-safety[.]ru
place-permission-smartlink[.]ru
place-permission-source[.]ru
place-permission-types[.]ru
place-permission[.]ru
place-preference-community[.]ru
place-preference-experience[.]ru
place-preference-manager[.]ru
place-preference-place[.]ru
place-preference-safe[.]ru
place-preference-smartlink[.]ru
place-preference-source[.]ru
place-preference-types[.]ru
place-preference[.]ru
place-safe-community[.]ru
place-safe-experience[.]ru
place-safe-manager[.]ru
place-safe-permission[.]ru
place-safe-safety[.]ru
place-safe-smartlink[.]ru
place-safe-source[.]ru
place-safe-types[.]ru
place-safety-community[.]ru
place-safety-experience[.]ru
place-safety-permission[.]ru
place-safety-smartlink[.]ru
place-safety-source[.]ru
place-safety-types[.]ru
place-smartlink-community[.]ru
place-smartlink-experience[.]ru
place-smartlink-manager[.]ru
place-smartlink-preference[.]ru
place-smartlink-safe[.]ru
place-smartlink-safety[.]ru
place-smartlink-source[.]ru
place-smartlink-types[.]ru
place-smartlink[.]ru
place-source-community[.]ru
place-source-experience[.]ru
place-source-permission[.]ru
place-source-safety[.]ru
place-source-smartlink[.]ru
place-types-community[.]ru
place-types-experience[.]ru
place-types-permission[.]ru
place-types-smartlink[.]ru
preference-community-experience[.]ru
preference-community-manager[.]ru
preference-community-place[.]ru
preference-manager-community[.]ru
preference-manager-experience[.]ru
preference-manager-permission[.]ru
preference-manager-smartlink[.]ru
preference-manager-types[.]ru
preference-my-manager[.]ru
preference-my-permission[.]ru
preference-my-source[.]ru
preference-online-manager[.]ru
preference-online-permission[.]ru
preference-online-place[.]ru
preference-online-types[.]ru
preference-permission-place[.]ru
preference-permission[.]ru
preference-place-community[.]ru
preference-place-smartlink[.]ru
preference-place-types[.]ru
preference-safe-experience[.]ru
preference-safe-manager[.]ru
preference-safe-place[.]ru
preference-safety-permission[.]ru
preference-safety-place[.]ru
preference-smartlink-experience[.]ru
preference-smartlink-permission[.]ru
preference-smartlink-place[.]ru
preference-source-experience[.]ru
preference-source-permission[.]ru
preference-source-place[.]ru
preference-types-place[.]ru
safe-manager-experience[.]ru
safe-manager-smartlink[.]ru
safe-online-experience[.]ru
safe-permission-experience[.]ru
safe-permission-source[.]ru
safe-place-community[.]ru
safe-place-experience[.]ru
safe-place-permission[.]ru
safe-place-preference[.]ru
safe-place-smartlink[.]ru
safe-safety-experience[.]ru
safe-smartlink-experience[.]ru
safe-source-experience[.]ru
safety-community-source[.]ru
safety-manager-source[.]ru
safety-my-smartlink[.]ru
safety-permission-community[.]ru
safety-place-community[.]ru
safety-place-experience[.]ru
safety-place-permission[.]ru
safety-place-preference[.]ru
safety-place-smartlink[.]ru
safety-preference-experience[.]ru
safety-preference-source[.]ru
safety-smartlink-source[.]ru
security-my-account[.]ru
security-myaccount[.]ru
security-myaccounts[.]ru
smartlink-communit-safety[.]ru
smartlink-experience-place[.]ru
smartlink-experience[.]ru
smartlink-manager-permission[.]ru
smartlink-manager-place[.]ru
smartlink-manager-safety[.]ru
smartlink-manager-types[.]ru
smartlink-manager[.]ru
smartlink-my-manager[.]ru
smartlink-my-permission[.]ru
smartlink-my-place[.]ru
smartlink-my-safe[.]ru
smartlink-my-safety[.]ru
smartlink-my-source[.]ru
smartlink-online-permission[.]ru
smartlink-online-place[.]ru
smartlink-online-safety[.]ru
smartlink-online-types[.]ru
smartlink-permission-community[.]ru
smartlink-permission-experience[.]ru
smartlink-permission-safety[.]ru
smartlink-permission-source[.]ru
smartlink-permission[.]ru
smartlink-place-community[.]ru
smartlink-place-manager[.]ru
smartlink-place-permission[.]ru
smartlink-place-types[.]ru
smartlink-place[.]ru
smartlink-safe-manager[.]ru
smartlink-safe-permission[.]ru
smartlink-safe-place[.]ru
smartlink-safe-safety[.]ru
smartlink-safe-types[.]ru
smartlink-safety-place[.]ru
smartlink-safety-types[.]ru
smartlink-source-manager[.]ru
smartlink-source-permission[.]ru
smartlink-source-place[.]ru
smartlink-source-safety[.]ru
smartlink-types-place[.]ru
smartlink-types[.]ru
source-community-preference[.]ru
source-experience-preference[.]ru
source-place-community[.]ru
source-place-experience[.]ru
source-place-permission[.]ru
source-place-preference[.]ru
source-place-smartlink[.]ru
source-safe-preference[.]ru
source-safety-preference[.]ru
source-source-preference[.]ru
types-community-experience[.]ru
types-community-permission[.]ru
types-community-place[.]ru
types-community-preference[.]ru
types-community[.]ru
types-experience-place[.]ru
types-experience[.]ru
types-manager-permission[.]ru
types-manager-place[.]ru
types-manager-preference[.]ru
types-manager-smartlink[.]ru
types-my-permission[.]ru
types-my-place[.]ru
types-my-smartlink[.]ru
types-online-community[.]ru
types-online-experience[.]ru
types-online-permission[.]ru
types-online-place[.]ru
types-online-preference[.]ru
types-online-smartlink[.]ru
types-palce-experience[.]ru
types-palce-smartlink[.]ru
types-permission-experience[.]ru
types-permission-place[.]ru
types-place-community[.]ru
types-place-experience[.]ru
types-place-permission[.]ru
types-place-preference[.]ru
types-place-smartlink[.]ru
types-place[.]ru
types-preference-experience[.]ru
types-preference-place[.]ru
types-safe-experience[.]ru
types-safe-smartlink[.]ru
types-safety-experience[.]ru
types-safety-smartlink[.]ru
types-smartlink-community[.]ru
types-smartlink-experience[.]ru
types-smartlink-manager[.]ru
types-smartlink-place[.]ru
types-smartlink[.]ru
yandex-account-mail-passport[.]ru
yandex-account-passport[.]ru
yandex-accounts-mail-passport[.]ru
yandex-auth-passport[.]ru
yandex-my-account-passport[.]ru
yandex-my-accounts-passport[.]ru
yandex-my-passport-accounts[.]ru
yandex-my-profile-passport[.]ru
yandex-myaccount-mail-passport[.]ru
yandex-myaccount-passport[.]ru
yandex-myaccounts-mail-passport[.]ru
yandex-myaccounts-passport[.]ru
yandex-mypassport-account[.]ru
yandex-mypassport-accounts[.]ru
yandex-myprofile-passport[.]ru
yandex-oauth-passport[.]ru
yandex-passport-my-account[.]ru
yandex-profile-passport[.]ru

文章来源: https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary/
如有侵权请联系:admin#unsafe.sh