medica-tradefair[.]co is the outlier in this list, as it was not compromised but was operated by the attackers themselves.
It was hosted at ServerAstra, as were all the other C&C servers used in 2020.
It mimics the legitimate website medica-tradefair.com, which is the website of the World Forum for Medicine’s MEDICA Trade Fair held in Düsseldorf (Germany) each year.
The operators simply cloned the original website and added a small piece of JavaScript code.
The content doesn’t seem to have been modified.
It is likely that the attackers were not able to compromise the legitimate website and had to set up a fake one in order to inject their malicious code.
It is interesting to note that the malicious domains mimic genuine web analytics, URL shortener or content delivery network domains and URLs.
This is a characteristic of this threat actor.
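The two patterns described above, a clone of a legitimate site served from a look-alike domain (medica-tradefair[.]co for medica-tradefair.com) and malicious domains styled after analytics or CDN services, can be hunted for in proxy or DNS logs. The following is an added example, not code from the original report: it flags hosts whose registrable name matches a known legitimate domain under a different TLD, or is within one edit of it. The log format, the client addresses and the `example-analytics.com` / `example-cdn.net` entries are constructed placeholders; only medica-tradefair.com and medica-tradefair.co come from the report.

```python
# Added example (not from the original report): flag look-alike domains in
# proxy logs that imitate a legitimate site under a different TLD or with a
# small spelling change, the pattern seen with medica-tradefair[.]co.
import re
from urllib.parse import urlsplit

# Legitimate domains the organisation expects its users to visit (constructed list).
# medica-tradefair.com is from the report; the analytics/CDN entries are
# placeholders standing in for the genuine services the actor is said to mimic.
KNOWN_DOMAINS = [
    "medica-tradefair.com",
    "example-analytics.com",   # placeholder for a real web-analytics provider
    "example-cdn.net",         # placeholder for a real CDN domain
]

# Constructed proxy log lines: "timestamp client method url status".
SAMPLE_LOG = """\
2020-03-02T10:14:03Z 10.0.0.12 GET https://medica-tradefair.com/en/ 200
2020-03-02T10:14:05Z 10.0.0.12 GET https://medica-tradefair.co/js/tracker.js 200
2020-03-02T10:15:11Z 10.0.0.33 GET https://example-analytics.com/collect 200
2020-03-02T10:15:12Z 10.0.0.33 GET https://example-analytic.com/collect 200
2020-03-02T10:16:40Z 10.0.0.40 GET https://cdn.example-cdn.net/lib.js 200
2020-03-02T10:16:41Z 10.0.0.40 GET https://example-cdn.org/lib.js 200
"""

def registrable_parts(host):
    """Split a hostname into (second-level label, TLD).
    Naive: treats the last label as the public suffix, so multi-part suffixes
    such as co.uk are not handled; use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]

def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, known=KNOWN_DOMAINS, max_edits=1):
    """Return (known_domain, reason) if host looks like an imitation of a
    known domain, else None. The genuine domain (or a subdomain of it) is benign."""
    parts = registrable_parts(host)
    if parts is None:
        return None
    sld, tld = parts
    for legit in known:
        legit_sld, legit_tld = registrable_parts(legit)
        if sld == legit_sld and tld == legit_tld:
            return None  # the real site or one of its subdomains
        if sld == legit_sld and tld != legit_tld:
            return legit, "same name under different TLD"
        if levenshtein(sld, legit_sld) <= max_edits:
            return legit, "near-match of name (edit distance <= %d)" % max_edits
    return None

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")

def flag_lookalikes(log_text, known=KNOWN_DOMAINS):
    """Parse proxy log lines; return [(client, host, imitated_domain, reason)]."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlsplit(m.group("url")).hostname
        if not host:
            continue
        verdict = classify_host(host, known)
        if verdict:
            hits.append((m.group("client"), host, verdict[0], verdict[1]))
    return hits

if __name__ == "__main__":
    for hit in flag_lookalikes(SAMPLE_LOG):
        print("client %s fetched %s, imitates %s (%s)" % hit)
```

On the constructed log the script flags the `.co` twin of medica-tradefair.com, the one-character variant of the analytics placeholder and the `.org` twin of the CDN placeholder, while leaving the genuine domains and their subdomains alone. The TLD split is deliberately naive; in practice the registrable domain should be derived from the Public Suffix List, and the known-domain list should be built from the organisation's own traffic baseline rather than hand-picked.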