Investigating Crimeware Name Servers


Very few security products and services give enough consideration to the reputation and quality of the name server associated with the domains they are looking at.

Example

In this example, we pick a High Value Suspicious Domain and check what else is on the same name server to examine what is discovered through the process.

Our seeding domain will be service-update[.]link. Looking at the name server info from our API:

    "domain": "service-update[.]link",
    "ns_avg_ttl": 4149,
    "ns_domain": "dendrite.network",
    "num_domains": 203,

This is a low-density name server: we have only seen 203 domains on it. It also has a very low average TTL across those domains, which may indicate frequent changes compared with other name servers.

A quick lookup using our explore API gives us a number of suspicious domains with matching characteristics. These appear to be in two groups.
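The pivot just described (seed domain, its name server, everything else seen on that name server, then a density and TTL check on the name server itself) in Python, as an added example rather than the post's own API or tooling. The records are constructed in the shape of the fields quoted above; dendrite.network carries the values from the post, the second name server and the benign domain are made up, and the two thresholds are assumptions.

```python
"""Pivot from a seed domain to its name server and flag the name server on
density and TTL, mirroring the triage described in the post. Added example:
the data below is constructed in the shape of the API fields quoted above
(ns_domain, ns_avg_ttl, num_domains); the thresholds are assumptions."""

# Name-server level aggregates. dendrite.network carries the values quoted
# in the post; the second entry is a constructed "ordinary" high-volume NS.
NAMESERVERS = {
    "dendrite.network": {"ns_avg_ttl": 4149, "num_domains": 203},
    "dns-example.net": {"ns_avg_ttl": 86400, "num_domains": 2_500_000},
}

# Constructed domain -> name-server mapping. The first three domains appear
# in the post's tables; example.org stands in for a benign domain.
DOMAIN_NS = {
    "service-update.link": "dendrite.network",
    "hs-securealerts.com": "dendrite.network",
    "paypalservice.support": "dendrite.network",
    "example.org": "dns-example.net",
}

LOW_DENSITY_DOMAINS = 1_000     # assumption: fewer hosted domains than this is "low density"
LOW_AVG_TTL_SECONDS = 6 * 3600  # assumption: average TTL under 6 h suggests frequent change


def pivot_from_seed(seed, domain_ns=DOMAIN_NS):
    """Return (name server, other domains seen on it) for a seed domain."""
    ns = domain_ns.get(seed)
    if ns is None:
        return None, []
    siblings = sorted(d for d, n in domain_ns.items() if n == ns and d != seed)
    return ns, siblings


def nameserver_flags(ns, nameservers=NAMESERVERS):
    """Flags that make a name server worth a closer look."""
    info = nameservers[ns]
    flags = []
    if info["num_domains"] < LOW_DENSITY_DOMAINS:
        flags.append("low-density")
    if info["ns_avg_ttl"] < LOW_AVG_TTL_SECONDS:
        flags.append("low-ttl")
    return flags


def triage(seed):
    """One-shot triage: pivot, then decide whether the siblings deserve review."""
    ns, siblings = pivot_from_seed(seed)
    if ns is None:
        return {"seed": seed, "ns": None, "flags": [], "review": []}
    flags = nameserver_flags(ns)
    # Only escalate the siblings when the name server itself looks unusual;
    # pivoting on a huge public NS would just produce noise.
    review = siblings if flags else []
    return {"seed": seed, "ns": ns, "flags": flags, "review": review}


if __name__ == "__main__":
    import json
    print(json.dumps(triage("service-update.link"), indent=2))
```

The point of gating the sibling list on the name server flags is the one the post makes: the pivot is only informative when the name server is small or volatile. Pivoting on a registrar's default name servers returns millions of unrelated domains.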

Group 1:

Commonalities: tech-related theme; name server domain dendrite.network; each has an A record; AS holder ColoCrossing; registrar Namesilo; address fields "Tavernier St., Wall House", city "Loubiere", country "DM".

| Domain | PTR Record | Potential Target | Registrar |
|---|---|---|---|
| update-support[.]network | *colocrossing.com | 3 Mobile UK | Registrar |
| service-update[.]link | *colocrossing.com | Live soon | Registrar |
| hs-securealerts[.]com | *colocrossing.com | HSBC | Registrar |
| ref0948a[.]com | *colocrossing.com | unknown | Registrar |
| ref0948a[.]com | *colocrossing.com | HMRC | Registrar |
| aem-new[.]com | *colocrossing.com | 3 Mobile UK | Registrar |
| aempath[.]com | *colocrossing.com | 3 Mobile UK | Registrar |
| com-gb[.]mobi | *colocrossing.com | Mobile UK | Registrar |

It appears that Group 1 has either been used maliciously already or is waiting to be used maliciously. Monitoring the "waiting" group for changes is key, as this may make it possible to block their activity once a domain moves into an actively malicious mode. There are a number of ways to do this, such as monitoring for new changes in DNS or associated records. Movement of infrastructure often marks the activation of a malicious domain. A good example of this is the domain avsvmcloud[.]com used in the SolarWinds breach: when it was activated, it switched to its own name servers for the active part of the campaign.
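One way to watch the "waiting" group for the kind of change described above, written as an added example rather than anything from the post's service: take periodic snapshots of NS, A and MX records for each watched domain, diff consecutive snapshots, and raise specific signals for an A record appearing and for a move to name servers inside the domain's own zone (the avsvmcloud[.]com pattern). The snapshots are constructed, the IPs come from documentation ranges, and the signal definitions are assumptions.

```python
"""Diff successive DNS snapshots of a watch list and flag "activation" signals
(an A record appearing, a move to name servers inside the domain's own zone,
any NS change). Added example: snapshots are constructed, the IPs are from the
documentation ranges and the signal definitions are assumptions based on the post."""

WATCHED_RECORD_TYPES = ("NS", "A", "MX")

# Constructed snapshot at time t0: both domains parked on the shared NS,
# one of them without any A record yet.
SNAPSHOT_T0 = {
    "service-update.link": {
        "NS": {"ns1.dendrite.network", "ns2.dendrite.network"}, "A": set(), "MX": set()},
    "update-support.network": {
        "NS": {"ns1.dendrite.network", "ns2.dendrite.network"}, "A": {"192.0.2.10"}, "MX": set()},
}

# Constructed snapshot at time t1: the first domain has moved to its own
# name servers and gained an A record; the second is unchanged.
SNAPSHOT_T1 = {
    "service-update.link": {
        "NS": {"ns1.service-update.link", "ns2.service-update.link"}, "A": {"198.51.100.7"}, "MX": set()},
    "update-support.network": {
        "NS": {"ns1.dendrite.network", "ns2.dendrite.network"}, "A": {"192.0.2.10"}, "MX": set()},
}


def _norm(name):
    return name.lower().rstrip(".")


def is_self_hosted_ns(domain, ns_names):
    """True when any NS name lies inside the domain's own zone."""
    domain = _norm(domain)
    return any(_norm(n) == domain or _norm(n).endswith("." + domain) for n in ns_names)


def record_diff(before, after):
    """Per record type: (added, removed) as sorted lists, only where something changed.

    A record type missing from a snapshot is treated as an empty set."""
    diff = {}
    for rtype in WATCHED_RECORD_TYPES:
        added = after.get(rtype, set()) - before.get(rtype, set())
        removed = before.get(rtype, set()) - after.get(rtype, set())
        if added or removed:
            diff[rtype] = (sorted(added), sorted(removed))
    return diff


def activation_signals(domain, before, after):
    """Named signals worth an alert, in a fixed order so output is stable."""
    signals = []
    if not before.get("A") and after.get("A"):
        signals.append("a-record-appeared")
    if (not is_self_hosted_ns(domain, before.get("NS", ()))
            and is_self_hosted_ns(domain, after.get("NS", ()))):
        signals.append("moved-to-own-nameservers")
    if before.get("NS") and after.get("NS") and before["NS"] != after["NS"]:
        signals.append("ns-changed")
    return signals


def scan_snapshots(t0, t1):
    """Return {domain: {"signals": [...], "diff": {...}}} for domains that changed."""
    alerts = {}
    for domain in sorted(t0.keys() | t1.keys()):
        before, after = t0.get(domain, {}), t1.get(domain, {})
        diff = record_diff(before, after)
        if not diff:
            continue
        alerts[domain] = {"signals": activation_signals(domain, before, after), "diff": diff}
    return alerts


if __name__ == "__main__":
    for domain, alert in scan_snapshots(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(domain, alert["signals"], alert["diff"])
```

Only domains whose records actually changed appear in the output, so a quiet watch list produces nothing; a domain that is new to the later snapshot is compared against empty record sets, which is the desired behaviour for a first observation.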

Group 2:

This group seems to lead to more and more indicators so I’ll post them over time.

Commonalities: tech-related theme; name server domain dendrite.network; domains have been aged; each has an A record; AS holder Nice IT Services Group Inc.; registrar Namesilo; address fields "Tavernier St., Wall House", city "Loubiere", country "DM".

| Domain | AS Name of IP | Potential Target | Registrar |
|---|---|---|---|
| Paypalservice[.]support | Nice IT Services | Paypal | Namesilo |
| small-url[.]cc | Nice IT Services | adobe and others | Namesilo |
| election[.]finance | Nice IT Services | malware download | Namesilo |
| Ulsterbankonlineltd[.]com | Nice IT Services | Ulster Bank (RBS) | Namesilo |
| Choicebank[.]online | Nice IT Services | Choice Bank/First Choice | Namesilo |
| Documentcloud[.]pw | Nice IT Services | adobe and others | Namesilo |
| rbscotland-online[.]com | Nice IT Services | Royal Bank of Scotland | Namesilo |
| Btctools[.]net | Nice IT Services | Bitcoin Wallet stealer | Namesilo |
| gb-kpmg[.]com | Nice IT Services | KPMG | Namesilo |
| secure-id[.]cloud | Nice IT Services | Secure ID | Namesilo |
| service-ca-verification[.]com | Nice IT Services | Flagged as spammer | Namesilo |
| Teamtnt[.]red | Nice IT Services | Malware Downloads | Namesilo |

These two groups were split on similarities and could of course be a single group. Either way, this name server is very heavily used by malicious actors, including at least one known threat actor group, TeamTNT.

How can I use this information?

All the information above was collected by our API and can be leveraged for threat hunting or detections. The information is pre-collected and cached, so new lookups don't have to be done each time you have a new indicator to check. We've already collected all this information and run analysis on it to produce things like reputation scores for the name server, AS number reputation, subnet reputation, and so on.

A security team can use YARA rules over this information to find "High Value Malicious Domains" in their logs or associated IP addresses.
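A YARA rule does the string matching, but the step a practitioner trips over first is getting the published indicators into a matchable form and matching on whole domain labels rather than substrings. The following is an added example in Python, not the post's own rules or tooling: it refangs the defanged domains from the tables above, then scans DNS query log lines for exact or subdomain matches. The log lines are constructed in a dnsmasq-style "query[TYPE] name from client" shape with private client addresses; the indicator-to-target pairs are taken from the tables.

```python
"""Match published (defanged) domain indicators against DNS query logs.
Added example, not the post's tooling: the indicator table reuses domains and
targets from the post, the log lines are constructed in a dnsmasq-style
"query[TYPE] name from client" shape, and the client IPs are private addresses."""
import re

# Indicators as published above, still defanged; value is the potential target.
INDICATORS = {
    "service-update[.]link": "Live soon",
    "hs-securealerts[.]com": "HSBC",
    "Paypalservice[.]support": "Paypal",
    "rbscotland-online[.]com": "Royal Bank of Scotland",
}

# Constructed DNS query log lines. The first and third should hit; the second
# is benign; the fourth is a different domain that merely ends with the same
# characters as an indicator and must NOT match.
LOG_LINES = [
    "Jan 10 09:12:01 resolver dnsmasq[123]: query[A] login.hs-securealerts.com from 10.0.0.5",
    "Jan 10 09:12:04 resolver dnsmasq[123]: query[A] www.example.com from 10.0.0.6",
    "Jan 10 09:13:17 resolver dnsmasq[123]: query[AAAA] service-update.link from 10.0.0.9",
    "Jan 10 09:14:00 resolver dnsmasq[123]: query[A] notpaypalservice.support from 10.0.0.7",
]

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")


def refang(ioc):
    """Turn a defanged indicator back into a comparable hostname."""
    return ioc.strip().lower().rstrip(".").replace("[.]", ".").replace("(.)", ".")


def build_table(indicators):
    """Refanged indicator -> potential target."""
    return {refang(k): v for k, v in indicators.items()}


def match_hostname(qname, table):
    """Return the indicator that equals qname or is one of its parent domains.

    Matching on whole labels, rather than substrings, keeps
    'notpaypalservice.support' from matching 'paypalservice.support'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def scan_logs(lines, indicators=INDICATORS):
    """Return one hit record per log line whose queried name matches an indicator."""
    table = build_table(indicators)
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; other resolver messages are skipped
        indicator = match_hostname(m["qname"], table)
        if indicator:
            hits.append({"client": m["client"], "qtype": m["qtype"], "qname": m["qname"],
                         "indicator": indicator, "target": table[indicator]})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(LOG_LINES):
        print(f'{hit["client"]} asked for {hit["qname"]} -> {hit["indicator"]} ({hit["target"]})')
```

The label-wise walk from the full query name up to its registrable domain is what makes the match safe against lookalike names; a plain substring or regex match on the same indicator list would flag the fourth constructed line as well.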

We also have threat hunting API endpoints that gather behavioral clusters for you so you can quickly create your own new intelligence, or we can do it for you.