Iranian IHU EWCD Malware Domains

ICNA have already posted about the links between malware here, and the Iranian State. We have done some further research.

In early March 2017 the Kaspersky report identified several domains associated with malware, including:

  • eservic.com
  • actdire.com
  • securityupdated.com and
  • chromup.com

Further research identified the IP addresses that these websites were hosted on. Querying these addresses on the sites gives information on SSL certificates used by IPs/websites.

Having the same SSL certificate is a definite sign that the server is owned by the same person. ICNA found that there was one particular SSL certificate that was common to these four IP addresses and also three additional domains:

  • reconnectedbrowser.com
  • microsoftupdated.net and
  • windosecurity.com

reconnectedbrowser.com

Online WHOIS information on reconnectedbrowser.com shows the registrant of the website used the Iranian -Tehran- phone number 98-21-22444784 and email address of: [email protected]. This phone number is associated with the email address of [email protected] which appears on the website http://conf.ihu.ac.ir/node/147 under the article “Intelligent Security C4I network to identify invaders” and is listed as a “Security expert at the Research Center Afaq“.

Reconnectedbrowser.com can be linked to the Imam Hossein University -IHU- through research. The IHU is funded by the IRGC; this provides a clear direct link to the Iranian State.

Kaspersky only tentatively suggested a link to Iran, through the use of Farsi language text. The link ICNA has found is more direct.

Imam Hossein University EWCD

The IHU is known to have its own Electronic Warfare and Cyber Defense -EWCD- department. The EWCD also hosts the Iranian National Cyber Defense Conference, which covers topics such as cyber strategies, cyber attacks, vulnerabilities, cyber risks, cyber command and management principles, cyber defense tactics and techniques and Basij cyber training.

Considering the malware, the link to IHU and the term “Electronic Warfare” in the department’s name, it is reasonable to think that the IHU’s EWCD department is linked to these destructive cyber operations. It is clear that the attackers have made security mistakes throughout their operations, exposing many details. Kaspersky say they are going to continue to monitor the malware attacks, as will other security organizations, we are sure.

The IRGC spyware program is obviously disorganized and careless, and far from enhancing the reputation of the State, it is exposing itself and its operators to revalations by those with the most basic of research skills.

8 thoughts on “Iranian IHU EWCD Malware Domains

  1. I think that what you published made a great deal of sense.

    But, what about this? suppose you added a little information? I mean, I don’t wish to
    tell you how to run your website, however what if you added something that grabbed folk’s attention?
    I mean Iranian IHU EWCD Malware Domains – ICNA is kinda plain. You might peek at Yahoo’s front
    page and note how they create article headlines to grab viewers
    to open the links. You might try adding a video or a pic or two to grab readers interested about everything’ve written.
    In my opinion, it might bring your posts a little bit more
    interesting.

  2. Great article! That is the kind of info that are meant to be shared
    across the internet. Shame on the search engines for no longer positioning
    this post higher! Come on over and consult with my site . Thank you
    =)

  3. I like what you guys are up also. Such smart work and reporting!
    Carry on the excellent works guys I’ve incorporated you guys to my
    blogroll. I think it will improve the value of my website :).

Leave a Reply

Your email address will not be published. Required fields are marked *