'From Russia with a 71': Uncovering Gamaredon's fast flux infrastructure. New apex domains and ASN/IP diversity patterns discovered.
Key points
- Silent Push explores the extent of the Gamaredon Group’s fast flux operation.
- 300+ new apex domain IOCs discovered from a single Gamaredon domain.
- Proprietary fingerprinting techniques used to expose the deployment of new attacker infrastructure using wildcard A records
Background
Gamaredon – also known as Primitive Bear, Actinium or Shuckworm – are a Russian Advanced Persistent Threat (APT) group that has been active since at least 2013, historically across the US and the Indian Subcontinent, and more recently in Ukraine, including reported attacks on Western government entities:
Gamaredon are a highly-belligerent threat group who deviate from the standard-hit and-run tactics used by other APT groups, by propagating sustained attacks that are both heavily obfuscated and uniquely aggressive.
Gamaredon TTPs
The group uses spear phishing and social engineering to deliver malware hidden within MS Word documents:
Using MS Word combats static analysis by hosting the payload on a template that is downloaded from an attacker-controlled server, once the document is opened and the user has met one or more conditions – such as geographic location, device type and system specification – prior to delivery.
A large amount of Gamaredon subdomains used in spear phishing attacks are linked to the TLD .ru, registered via REGRU-RU and contain the number 71.
Use of fast fluxing
Gamaredon operates with an innumerable amount of IP addresses, and uses wildcard A records in place of definable subdomains to evade detection in a technique known as fast fluxing.
A large group of IPs are associated with a single Fully Qualified Domain Name (FQDN), and rotated through an attack at an extremely high frequency via automated DNS resource record (RR) amendments in the zone file.
Fast fluxing is used by APT groups to circumvent traditional methods of threat detection that rely on threat feeds containing full domain names, including subdomains.
Rather than relying on lists of isolated IOCs, organizations need to deploy countermeasures that track the underlying infrastructure that accommodates an attack – apex domains, ASNs, registrars, authoritative nameservers etc. – and extrapolate correlative datasets that allow security teams to identify patterns in attacker behaviour – ASN and IP diversity data, naming conventions etc.
In order to defend themselves against fast flux TTPs, organizations need to identify and block apex domains, regardless of the subdomain. Let’s take a look at how we used Silent Push to do just that…
Deep dive: samiseto[.]ru
Every investigation begins with a series of observables. Several online sources have reported recent attempts by Gamaredon to inject malware, using an MS Word template, from the following domains:
- http://encyclopedia83.samiseto[.]ru/HOME-PC/registry/amiable/prick/sorry[.]83glf
- http://relation46.samiseto[.]ru/DESKTOP-UVHG99D/percy[.]46rra
Checking Virus Total confirms that the domains have been flagged as malicious, largely due to the domains being reported on Twitter as post-breach intelligence:
Traversing Gamaredon’s infrastructure
We took one of the above domains – encyclopedia83.samiseto[.]ru (hosted on REGRU-RU) – and analysed it by cross-referencing WHOIS information, IP diversity data, and reverse lookups that laid bare a fresh list of domain IOCs:
We discovered 98 A records associated with *samiseto[.]ru, that were used in constant rotation:
Further analysis revealed that IP addresses are used for no more than 4 days before being substituted by a fresh IP (along with new subdomains), helping the threat actors to evade detection and rendering most isolated IOCs obsolete upon discovery:
To extract actionable IOCs, we then created a list of all the IP addresses that a subdomain of samiseto[.]ru has ever pointed to and applied a reverse lookup to uncover all domains associated with those IPs, before matching the domains to threat activity using a series of key indicators.
The results returned a list of 375 apex domains, which we used to populate our Gamaredon early detection feed, available to Silent Push Enterprise customers
Use of wildcard records
We noticed that any string combination added before .samiseto[.]ru pointed to 5.44.42[.]154. After running a dig command, we were able to ascertain that attackers are using a wildcard A record to point to the aforementioned domain:
IP diversity and ASN analysis
Using IP diversity data, we established that samiseto[.]ru has pointed to 15 IP addresses within a 30-day period, all of them bar one being hosted on the the Russian ASN GIR-AS, RU (207713), with the remainder hosted via Kazakhstan on IT-GRAD, KZ (212819):
Whilst the majority of IPs over a 90-day period were traced back to GIR-AS RU, we discovered that DIGITALOCEAN US, the New York-based cloud services organization, was also used:
Using Silent Push to combat Gamaredon’s fast flux techniques
Our Threat Analysts used IP/ANS diversity data and advanced DNS fingerprinting techniques to reveal the extent of Gamaredon’s fast flux infrastructure, and populate an early detection feed with hundreds of unique malicious apex domains, using a single reported subdomain as the target IOC.
Silent Push Enterprise users are able to ingest curated threat feeds containing IOCs related to the Gamaredon group’s fast flux infrastructure using the tags #russo, #gamaredon and #apt.
The Silent Push Community Edition also contains many of the lookups that we used in our research. Sign up here for free.
Email [email protected] for further guidance on any of the countermeasures we’ve talked about in this article.
Explore our Knowledge Base for in-depth articles on how to use Silent Push to defend against attacks.
IOCs
A full list of IOCs is available with a Silent Push Enterprise subscription.
- quyenzo[.]ru
- ulitron[.]ru
- bromumo[.]ru
- erinaceuso[.]ru
- ayrympo[.]ru
- caccabius[.]ru
- madzhidgo[.]ru
- amalsa[.]ru
- dedspac[.]ru
- 141.98.233.109
- 46.29.234.119
- 141.98.233.103