OpenDNS has received numerous questions about the Invincea “Fessleak” report. We have been tracking this “actor”, who went by the name of Michael Zont, for several months, and saw a major uptick in previous weeks. The name “Fessleak” actually comes from the actor’s email address (fessleak@qip[.]ru) used to register the domains.
OpenDNS first became aware of malicious activity around this registrant in April 2014, starting with the creation of prosoknf[.]com, and began an active monitoring campaign to identify and block any domains registered by “Fessleak”. Using various techniques such as WhoIs monitoring, the OpenDNS Investigate tool, and our Spike Detection Algorithm (SDA), we were able to keep pace with the deployment of nefarious websites at almost real-time speed, including the sites in the aforementioned report.
The sites we first monitored appeared mainly geared towards hosting more common types of malware and exploit kits such as Angler, Kovter, and Rig (ex: prosoknf[.]com). More recently, we noticed a shift into forms of malvertising (ex: tunim[.]net and podin[.]net), with the most recent iterations hosting Flash ‘zero day’ exploits (ex: retilio[.]net). These domains were used for a short amount of time, usually just a few hours, and then discarded, showing no signs of re-use later.
All sites monitored were hosted on Peer1 Networks (AS 13768) and registered under PDR LTD.
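The following is an added illustration of the tracking approach described above (registrant-email pivot, shared hosting AS and registrar, and short-lived query spikes), written for this post and not OpenDNS code; the WHOIS records and hourly query counts are constructed, and the email is kept in the post's defanged form.

```python
from collections import defaultdict

# Constructed WHOIS-style records (hypothetical, not real registration data).
# Only the registrant email, AS number and registrar values come from the post.
WHOIS = {
    "prosoknf.com":  {"email": "fessleak@qip[.]ru", "asn": 13768, "registrar": "PDR LTD"},
    "retilio.net":   {"email": "fessleak@qip[.]ru", "asn": 13768, "registrar": "PDR LTD"},
    "lookalike.net": {"email": "someone@example.org", "asn": 13768, "registrar": "PDR LTD"},
    "shop.example":  {"email": "owner@example.com", "asn": 64496, "registrar": "Other Registrar"},
}
# Constructed hourly resolver query counts: (domain, hour label, queries).
QUERY_LOG = [
    ("prosoknf.com", "h10", 0), ("prosoknf.com", "h11", 4200), ("prosoknf.com", "h12", 3900),
    ("prosoknf.com", "h13", 0), ("prosoknf.com", "h14", 0),
    ("retilio.net", "h10", 5100), ("retilio.net", "h11", 4800), ("retilio.net", "h12", 0),
    ("shop.example", "h10", 300), ("shop.example", "h11", 320), ("shop.example", "h12", 310),
    ("shop.example", "h13", 290), ("shop.example", "h14", 305),
    ("lookalike.net", "h10", 20), ("lookalike.net", "h11", 15),
]

def registrant_pivot(whois, email):
    """Domains whose registrant email matches: the highest-confidence link."""
    return {d for d, r in whois.items() if r["email"].lower() == email.lower()}

def infrastructure_pivot(whois, asn, registrar):
    """Domains sharing hosting AS and registrar: a weaker hint that needs corroboration."""
    return {d for d, r in whois.items() if r["asn"] == asn and r["registrar"] == registrar}

def burst_profile(log, min_queries=1000):
    """Per domain: number of hours with traffic over min_queries, and the peak hourly count."""
    active, peak = defaultdict(int), defaultdict(int)
    for domain, _hour, count in log:
        peak[domain] = max(peak[domain], count)
        if count >= min_queries:
            active[domain] += 1
    return {d: (active[d], peak[d]) for d in peak}

def triage(whois, log, email="fessleak@qip[.]ru", asn=13768, registrar="PDR LTD", max_active_hours=6):
    """Combine the pivots: returns {domain: [reasons]} for domains worth blocking or review."""
    reasons = defaultdict(list)
    for d in registrant_pivot(whois, email):
        reasons[d].append("registrant email match")
    for d in infrastructure_pivot(whois, asn, registrar):
        reasons[d].append("shared AS/registrar")
    for d, (hours, pk) in burst_profile(log).items():
        if 0 < hours <= max_active_hours:
            reasons[d].append(f"short-lived burst: {hours}h active, peak {pk}/h")
    # Shared infrastructure alone is not enough on a large hosting AS: require a second signal.
    return {d: r for d, r in reasons.items() if r != ["shared AS/registrar"]}
```

Run on the constructed data, only the two registrant-matched domains with a few-hour spike are returned; the domain that merely shares the AS and registrar is left for manual review.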
The following images provide some insight into the traffic patterns of domains we were tracking during this campaign.
The complete list of domains tracked during this campaign is shown below. Each of the following links to the respective OpenDNS Investigate analysis for that tracked domain, which allows customers to view the full analysis of the campaign information:
The following image is a screenshot of the Fessleak domains as graphed in OpenGraphiti.
Towards the end of 2014 we noticed, on average, two domains registered every 1-2 days. However, since the Invincea report came out, the actor has not registered any new domains using this email address.
Photo source: https://www.flickr.com/photos/sfxeric/4086743445/