fireeye-operation-saffron-rose

Command-and-Control InfrastructureThe CnC infrastructure consists of distinct, but linked, clusters that have targeted both the usersof anti-censorship tools in Iran as well as defense contractor companies in the U.S.The first cluster contains the domain used in the Aerospace Conference attack as well as thedomains used in phishing attacks designed to capture user credentials:Figure 11: Ajax Security Team’sPhishing InfrastructureThe website used in the Aerospace Conference attack was aeroconf2014[.]org, which isregistered to info@usa.gov[.]us. However, historical WHOIS information shows that the domainwas registered by keyvan.ajaxtm@gmail[.]com—the same domain used to register ajaxtm[.]org,the website of the Ajax Security Team. The same email addresses were used to register variations ofdomain names associated with popular services provided by companies such as Google, Facebook,Yahoo and LinkedIn.FireEye, Inc. Operation Saffron Rose 13