# COBALT DICKENS Goes Back to School…Again

**[secureworks.com/blog/cobalt-dickens-goes-back-to-school-again](https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again)**

_The COBALT DICKENS threat group persists despite law enforcement actions and public disclosures, conducting another global campaign targeting universities._

Wednesday, September 11, 2019
By: Counter Threat Unit Research Team

_In March 2018, the U.S. Department of Justice [indicted the Mabna Institute and nine Iranian associates](https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary) for compromising hundreds of universities to steal intellectual property and benefit financially. Secureworks® Counter Threat Unit™ (CTU) researchers assigned the name COBALT DICKENS to this likely Iranian government-directed threat group. Despite this indictment and other disclosures of COBALT DICKENS campaigns, the threat group (also known as Silent Librarian) shows no signs of stopping its activity as of this publication. CTU™ researchers have observed the threat actors using free online services as part of their operations, including free certificates, free domains, and publicly available tools._

In July and August 2019, CTU researchers discovered a new, large, global phishing operation launched by COBALT DICKENS. This operation resembles the threat group's August 2018 campaign: compromised university resources are used to send library-themed phishing emails, and the messages contain links to spoofed login pages for resources associated with the targeted universities. Unlike previous campaigns, which used shortened links to obscure the attackers' infrastructure, these messages contain the spoofed URL directly (see Figure 1).

_Figure 1. Phishing message containing a link to a COBALT DICKENS domain (circled in red). (Source: Secureworks)_

Recipients who click the link are directed to a web page that looks identical or very similar to the spoofed library resource. After victims enter their credentials, their browsers are sent to a next.php file on the phishing server, which stores the credentials locally in a pass.txt file and then redirects the browser to the legitimate site being spoofed (see Figure 2). Because the victim ends up on the genuine site, the theft leaves little for the user to notice.

_Figure 2. Lifecycle of a COBALT DICKENS credential-harvesting phishing operation. (Source: Secureworks)_

For this campaign, the threat actors registered at least 20 new domains targeting over 60 universities in Australia, the United States, the United Kingdom, Canada, Hong Kong, and Switzerland. These domains were registered through the Freenom domain provider, which administers the following top-level domains (TLDs) and offers domains under them free of charge unless a name is considered ["special"](https://www.freenom.com/en/freeandpaiddomains.html):

- .ml
- .ga
- .cf
- .gq
- .tk

Many of these domains use valid SSL/TLS certificates, likely to make the spoofed pages appear authentic. The overwhelming majority of the certificates observed in 2019 were issued by Let's Encrypt, a nonprofit organization that issues free certificates through an automated process; past campaigns used certificates issued by the Comodo certificate authority. A valid certificate and browser padlock therefore prove only that whoever requested the certificate controls the domain, not that the site belongs to the university.

COBALT DICKENS uses publicly available tools, including the [SingleFile](https://github.com/gildas-lormeau/SingleFile) browser extension available on GitHub and the free [HTTrack Website Copier](http://www.httrack.com/) standalone application, to copy the login pages of targeted university resources. Metadata in a spoofed login page created on August 1 suggests that COBALT DICKENS sometimes reuses older copies of target websites: a comment left in the source code indicates the page was originally copied on May 1, 2017 (see Figure 3). The copy was reused even though the university had been targeted by numerous COBALT DICKENS operations in the meantime, including the August 2018 and August 2019 campaigns.

_Figure 3. A comment in the source code of a spoofed page created by COBALT DICKENS. (Source: Secureworks)_

Metadata in other spoofed web pages supports the assessment that the threat actors are of Iranian origin. Specifically, a page copied on August 3 reveals an Iran-related timestamp (see Figure 4).

_Figure 4. Metadata in a COBALT DICKENS spoofed web page indicating that an Iran-based threat actor may have copied the legitimate website. (Source: Secureworks)_

As of this publication, CTU researchers have observed COBALT DICKENS targeting at least 380 universities in over 30 countries. Many universities have been targeted multiple times. The threat actors have not changed their operations despite law enforcement activity, multiple public disclosures, and takedown activity.

[Some educational institutions have implemented multi-factor authentication (MFA)](https://www.itnews.com.au/news/monash-uni-deploys-mfa-after-iran-attacks-targeting-universities-528055) specifically to address this threat. While additional security controls like MFA can seem burdensome in environments that value user flexibility and innovation, single-password accounts are insecure. CTU researchers recommend that all organizations protect Internet-facing resources with MFA to mitigate credential-focused threats. The harvesting flow described here stores a username and password and then redirects the victim, so a second factor the spoofed page never asks for cannot be replayed; against kits that relay one-time codes to the real site in real time, phishing-resistant factors such as FIDO2 security keys are the appropriate control.

To provide broader awareness of the threat group's campaigns and to curtail its activities, CTU researchers have listed all known domains associated with COBALT DICKENS operations in Table 1. Several domains used prior to the indictment remain in use as of this publication. CTU researchers recommend that organizations use available controls to review and restrict access to these domains. The domains may contain malicious content, so consider the risks before opening them in a browser.
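As an added example (not code from the Secureworks post or from the threat group's phishing kit), the following Python script triages web-proxy log lines against three traits described above: a small embedded subset of the Table 1 domains, a Freenom free TLD combined with a short library-themed label (a hunting heuristic derived from the naming in Table 1, not an indicator the post states), and the next.php path the post names as the credential-storing script. It also emits BIND response-policy-zone records so the listed domains can be blocked at the resolver. The log layout, the IP addresses, and the example.edu hostnames are constructed for the example.

```python
"""Triage proxy log lines against COBALT DICKENS infrastructure traits.

Added example for this page, not code from the Secureworks post or from the
threat group's phishing kit. The log layout, IP addresses, example.edu hosts
and the LIBRARY_LABEL heuristic are this example's own assumptions.
"""
import re
from urllib.parse import urlsplit

# Small subset of the Table 1 domains; load the full table in real use.
COBALT_DICKENS_DOMAINS = {
    "mlibo.ml", "blibo.ga", "azll.cf", "libt.ga", "unir.cf", "unir.ml",
    "shibboleth.link", "ezproxy.tk", "libservice.com", "e-library.me",
}

# Free TLDs administered by Freenom, as listed in the post.
FREENOM_TLDS = {"ml", "ga", "cf", "gq", "tk"}

# Heuristic (assumption, not from the post): a 3-6 character label containing a
# library-ish fragment, matching names such as llib, ezll, unir, libt. It will
# hit unrelated Freenom domains too, so treat matches as hunting leads only.
LIBRARY_LABEL = re.compile(r"^(?=.{3,6}$)[a-z0-9]*(ll|lib|ez|uni|edu)[a-z0-9]*$")


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (sufficient for these TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> list:
    """Return the list of traits a URL exhibits (empty if none)."""
    parts = urlsplit(url)
    domain = registrable_domain(parts.hostname or "")
    label, _, tld = domain.rpartition(".")
    findings = []
    if domain in COBALT_DICKENS_DOMAINS:
        findings.append("known-cobalt-dickens-domain")
    if tld in FREENOM_TLDS and LIBRARY_LABEL.match(label):
        findings.append("freenom-library-lookalike")
    # next.php is the script the post names as storing harvested credentials
    # before redirecting the victim to the genuine site.
    if parts.path.lower().endswith("/next.php"):
        findings.append("next.php-credential-post")
    return findings


# Constructed sample in a "timestamp src method url status" layout. Lines 2-4
# show one victim: GET the clone, POST to next.php, land on the real site.
SAMPLE_LOG = """\
1565000001 10.1.2.3 GET https://library.example.edu/login 200
1565000002 10.1.2.3 GET https://mlibo.ml/login.php 200
1565000003 10.1.2.3 POST https://mlibo.ml/next.php 302
1565000004 10.1.2.3 GET https://library.example.edu/ 200
1565000005 10.1.2.9 GET https://docs.python.org/3/ 200
1565000006 10.1.2.7 GET https://ezll.tk/ 200
"""


def scan_log(text: str) -> list:
    """Return one record per log line that shows at least one trait."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of aborting the run
        _ts, src, method, url, status = fields
        findings = classify_url(url)
        if findings:
            records.append({"src": src, "method": method, "url": url,
                            "status": status, "findings": findings})
    return records


def credential_submitters(records: list) -> set:
    """Sources that POSTed to a flagged host: reset those accounts, check for MFA."""
    return {r["src"] for r in records if r["method"] == "POST"}


def rpz_records(domains) -> list:
    """BIND response-policy-zone lines that NXDOMAIN each domain and its subdomains."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for r in hits:
        print(r["src"], r["method"], r["url"], ",".join(r["findings"]))
    print("credential submitters:", sorted(credential_submitters(hits)))
    print("\n".join(rpz_records(COBALT_DICKENS_DOMAINS)))
```

On the sample, the heuristic flags ezll.tk even though it is not in the embedded subset (it is in Table 1), which is the point of hunting on naming and TLD rather than on a fixed list alone; the POST to next.php identifies the user whose password must be reset.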
| Indicator | Type | Context |
| --- | --- | --- |
| mlibo.ml | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| blibo.ga | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| azll.cf | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| azlll.cf | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| lzll.cf | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| jlll.cf | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| elll.cf | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| lllib.cf | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| tsll.cf | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| ulll.tk | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| tlll.cf | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| libt.ga | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| libk.ga | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| libf.ga | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| libe.ga | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| liba.gq | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| libver.ml | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| ntll.tk | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| ills.cf | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| vtll.cf | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| clll.tk | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| stll.tk | Domain name | Hosting phishing website used by COBALT DICKENS for July/August 2019 operations |
| llii.xyz | Domain name | Hosting phishing website used by COBALT DICKENS |
| lill.pro | Domain name | Hosting phishing website used by COBALT DICKENS |
| eduv.icu | Domain name | Hosting phishing website used by COBALT DICKENS |
| univ.red | Domain name | Hosting phishing website used by COBALT DICKENS |
| unir.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| unir.gq | Domain name | Hosting phishing website used by COBALT DICKENS |
| unisv.xyz | Domain name | Hosting phishing website used by COBALT DICKENS |
| unir.ml | Domain name | Hosting phishing website used by COBALT DICKENS |
| unin.icu | Domain name | Hosting phishing website used by COBALT DICKENS |
| unie.ml | Domain name | Hosting phishing website used by COBALT DICKENS |
| unip.gq | Domain name | Hosting phishing website used by COBALT DICKENS |
| unie.ga | Domain name | Hosting phishing website used by COBALT DICKENS |
| unip.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| nimc.ga | Domain name | Hosting phishing website used by COBALT DICKENS |
| nimc.ml | Domain name | Hosting phishing website used by COBALT DICKENS |
| savantaz.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| unie.gq | Domain name | Hosting phishing website used by COBALT DICKENS |
| unip.ga | Domain name | Hosting phishing website used by COBALT DICKENS |
| unip.ml | Domain name | Hosting phishing website used by COBALT DICKENS |
| unir.ga | Domain name | Hosting phishing website used by COBALT DICKENS |
| untc.me | Domain name | Hosting phishing website used by COBALT DICKENS |
| jhbn.me | Domain name | Hosting phishing website used by COBALT DICKENS |
| unts.me | Domain name | Hosting phishing website used by COBALT DICKENS |
| uncr.me | Domain name | Hosting phishing website used by COBALT DICKENS |
| libservice.com | Domain name | Hosting phishing website used by COBALT DICKENS |
| unvc.me | Domain name | Hosting phishing website used by COBALT DICKENS |
| untf.me | Domain name | Hosting phishing website used by COBALT DICKENS |
| nimc.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| anvc.me | Domain name | Hosting phishing website used by COBALT DICKENS |
| ebookfafa.com | Domain name | Hosting phishing website used by COBALT DICKENS |
| nicn.gq | Domain name | Hosting phishing website used by COBALT DICKENS |
| untc.ir | Domain name | Hosting phishing website used by COBALT DICKENS |
| librarylog.in | Domain name | Hosting phishing website used by COBALT DICKENS |
| llli.nl | Domain name | Hosting phishing website used by COBALT DICKENS |
| lllf.nl | Domain name | Hosting phishing website used by COBALT DICKENS |
| libg.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| ttil.nl | Domain name | Hosting phishing website used by COBALT DICKENS |
| llil.nl | Domain name | Hosting phishing website used by COBALT DICKENS |
| lliv.nl | Domain name | Hosting phishing website used by COBALT DICKENS |
| llit.site | Domain name | Hosting phishing website used by COBALT DICKENS |
| flil.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| e-library.me | Domain name | Hosting phishing website used by COBALT DICKENS |
| cill.ml | Domain name | Hosting phishing website used by COBALT DICKENS |
| fill.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| libm.ga | Domain name | Hosting phishing website used by COBALT DICKENS |
| eill.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| llib.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| eill.ga | Domain name | Hosting phishing website used by COBALT DICKENS |
| nuec.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| illl.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| cnen.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| aill.nl | Domain name | Hosting phishing website used by COBALT DICKENS |
| eill.nl | Domain name | Hosting phishing website used by COBALT DICKENS |
| mlib.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| ulll.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| nlll.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| clll.nl | Domain name | Hosting phishing website used by COBALT DICKENS |
| llii.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| etll.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| 1edu.in | Domain name | Hosting phishing website used by COBALT DICKENS |
| aill.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| atna.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| atti.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| aztt.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| cave.gq | Domain name | Hosting phishing website used by COBALT DICKENS |
| ccli.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| cnma.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| cntt.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| crll.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| csll.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| ctll.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| cvnc.ga | Domain name | Hosting phishing website used by COBALT DICKENS |
| cvve.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| czll.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| cztt.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| euca.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| euce.in | Domain name | Hosting phishing website used by COBALT DICKENS |
| ezll.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| ezplog.in | Domain name | Hosting phishing website used by COBALT DICKENS |
| ezproxy.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| eztt.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| flll.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| iell.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| iull.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| izll.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| lett.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| lib1.bid | Domain name | Hosting phishing website used by COBALT DICKENS |
| lib1.pw | Domain name | Hosting phishing website used by COBALT DICKENS |
| libb.ga | Domain name | Hosting phishing website used by COBALT DICKENS |
| libe.ml | Domain name | Hosting phishing website used by COBALT DICKENS |
| libg.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| libg.ga | Domain name | Hosting phishing website used by COBALT DICKENS |
| libg.gq | Domain name | Hosting phishing website used by COBALT DICKENS |
| libloan.xyz | Domain name | Hosting phishing website used by COBALT DICKENS |
| libnicinfo.xyz | Domain name | Hosting phishing website used by COBALT DICKENS |
| libraryme.ir | Domain name | Hosting phishing website used by COBALT DICKENS |
| libt.ml | Domain name | Hosting phishing website used by COBALT DICKENS |
| libu.gq | Domain name | Hosting phishing website used by COBALT DICKENS |
| lill.gq | Domain name | Hosting phishing website used by COBALT DICKENS |
| llbt.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| llib.ga | Domain name | Hosting phishing website used by COBALT DICKENS |
| llic.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| llic.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| llil.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| llit.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| lliv.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| llse.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| ncll.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| ncnc.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| nctt.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| necr.ga | Domain name | Hosting phishing website used by COBALT DICKENS |
| nika.ga | Domain name | Hosting phishing website used by COBALT DICKENS |
| nsae.ml | Domain name | Hosting phishing website used by COBALT DICKENS |
| nuec.ml | Domain name | Hosting phishing website used by COBALT DICKENS |
| rill.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| rnva.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| rtll.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| sctt.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| shibboleth.link | Domain name | Hosting phishing website used by COBALT DICKENS |
| sitl.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| slli.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| till.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| titt.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| uill.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| uitt.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| ulibe.ml | Domain name | Hosting phishing website used by COBALT DICKENS |
| ulibr.ga | Domain name | Hosting phishing website used by COBALT DICKENS |
| umlib.ml | Domain name | Hosting phishing website used by COBALT DICKENS |
| umll.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| uni-lb.com | Domain name | Hosting phishing website used by COBALT DICKENS |
| unll.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| utll.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| vsre.cf | Domain name | Hosting phishing website used by COBALT DICKENS |
| web2lib.info | Domain name | Hosting phishing website used by COBALT DICKENS |
| xill.tk | Domain name | Hosting phishing website used by COBALT DICKENS |
| zedviros.ir | Domain name | Hosting phishing website used by COBALT DICKENS |
| zill.cf | Domain name | Hosting phishing website used by COBALT DICKENS |

_Table 1. Indicators associated with COBALT DICKENS operations._
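The page-cloning and metadata observations above (Figures 3 and 4) can be turned into a triage step for a captured phishing page. This added Python example, not code from the Secureworks post, pulls the origin URL, the copy date and, where present, the saving browser's time zone out of the comments that HTTrack and SingleFile leave in saved pages, and reads the login form's action to see where credentials are posted. The comment layouts matched by the regular expressions follow what the two tools emitted in their 2019 versions; treat the exact wording as an assumption and loosen the patterns if a sample differs. The two HTML snippets are constructed, not the pages from the post's figures; the example.edu hostname and the UTC+04:30 zone (Iran Daylight Time) are constructed to illustrate the kind of Iran-related timestamp the post describes.

```python
"""Extract provenance from a cloned login page's HTTrack / SingleFile comments.

Added example for this page, not code from the Secureworks post. The comment
layouts below follow what HTTrack and SingleFile emitted in 2019; the exact
wording is an assumption, so loosen the patterns if a sample differs. Both
HTML snippets are constructed (not the pages in the post's figures).
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed: head of a page mirrored with HTTrack two years before use.
SAMPLE_HTTRACK = """<!DOCTYPE html>
<!-- Mirrored from login.library.example.edu/ by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 01 May 2017 09:12:33 GMT -->
<html><head><title>Library Login</title></head>
<body><form action="next.php" method="post"></form></body></html>
"""

# Constructed: head of a page saved with SingleFile from a browser whose local
# zone is UTC+04:30 (Iran Daylight Time); the zone name is what the browser emits.
SAMPLE_SINGLEFILE = """<!DOCTYPE html> <html lang="en"><!--
 Page saved with SingleFile 
 url: https://login.library.example.edu/ 
 saved date: Sat Aug 03 2019 14:20:11 GMT+0430 (Iran Daylight Time)
--><head><title>Library Login</title></head>
<body><form action="next.php" method="post"></form></body></html>
"""

HTTRACK_RE = re.compile(
    r"<!--\s*Mirrored from (?P<origin>\S+) by HTTrack Website Copier/(?P<ver>\S+)"
    r" \[[^\]]*\],\s*(?P<date>[^>]*?)\s*-->")
SINGLEFILE_RE = re.compile(
    r"Page saved with SingleFile\s*\n\s*url:\s*(?P<origin>\S+)\s*\n"
    r"\s*saved date:\s*(?P<date>[^\n]*?)\s*(?:\n|-->)")
# JavaScript Date.toString() shape: "Sat Aug 03 2019 14:20:11 GMT+0430 (Zone Name)"
JS_DATE_RE = re.compile(
    r"^(?:\w{3} )?(?P<rest>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) GMT(?P<off>[+-]\d{4})"
    r"(?: \((?P<tz>[^)]*)\))?$")

# Date on which the post saw the stale 2017 copy in use; used for staleness maths.
OBSERVED = datetime(2019, 8, 1, tzinfo=timezone.utc)


def parse_js_date(text: str):
    """Parse a JS Date string into an aware datetime plus the zone name, if any."""
    m = JS_DATE_RE.match(text.strip())
    if not m:
        return None, None
    dt = datetime.strptime(f"{m.group('rest')} {m.group('off')}", "%b %d %Y %H:%M:%S %z")
    return dt, m.group("tz")


def page_provenance(html: str) -> dict:
    """Tool, origin URL, copy time, UTC offset, zone name and form target of a clone."""
    info = {"tool": None, "origin": None, "copied_at": None,
            "utc_offset_minutes": None, "tz_name": None, "form_action": None}
    m = HTTRACK_RE.search(html)
    if m:
        info["tool"] = "HTTrack " + m.group("ver")
        info["origin"] = m.group("origin")
        dt = parsedate_to_datetime(m.group("date"))  # RFC 1123, always GMT
        info["copied_at"] = dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    else:
        m = SINGLEFILE_RE.search(html)
        if m:
            info["tool"] = "SingleFile"
            info["origin"] = m.group("origin")
            info["copied_at"], info["tz_name"] = parse_js_date(m.group("date"))
    if info["copied_at"] is not None:
        off = info["copied_at"].utcoffset()
        info["utc_offset_minutes"] = int(off.total_seconds() // 60)
    # Where the login form posts: next.php is the collector named in the post.
    f = re.search(r'<form[^>]*\baction="([^"]*)"', html, re.I)
    if f:
        info["form_action"] = f.group(1)
    return info


def staleness_days(copied_at: datetime, observed: datetime = OBSERVED) -> int:
    """Whole days between the copy date and the day the clone was seen in use."""
    return (observed.date() - copied_at.astimezone(timezone.utc).date()).days


if __name__ == "__main__":
    for sample in (SAMPLE_HTTRACK, SAMPLE_SINGLEFILE):
        p = page_provenance(sample)
        print(p["tool"], p["origin"], p["copied_at"].isoformat(),
              p["utc_offset_minutes"], p["tz_name"], p["form_action"])
    age = staleness_days(page_provenance(SAMPLE_HTTRACK)["copied_at"])
    print(f"HTTrack copy was {age} days old on {OBSERVED.date()}")
```

HTTrack records the copy time in GMT, so it yields the age of the clone but says nothing about the operator's location; SingleFile embeds the saving browser's local zone, which is the kind of artifact that supports an attribution assessment but is also trivially altered by whoever prepared the page, so weigh it alongside other evidence.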